Routine List for Virus Creation Laboratory ------------------------------------------ This file contains a list of the routines inclueded with V.C.L. as it is shipped. Routines under the "Effect Procedures" are possible effects that your creation might have and are included in VCL.DAT. Routines listed under "Condition Functions" are functions that return a value in AX; they are used to test whether an effect should be called, and are also included in VCL.DAT. Routines found under "Internal Routines" are inside the VCL.EXE file, and may not be changed. They are called by V.C.L.-generated code depending on which options are set. They are documented here in case you decide to access them from a custom routine of your own. See the main documentation for V.C.L. (VCL.DOC) for more information about assembler routines and how to add them to V.C.L. ------------------------------------------------------------------------------- Effect Procedures ================= Procedure: beep Decription: Beeps the PC speaker. CX holds the number of times to beep. Procedure: change_ram Description: Changes the ammount of low (under 1 meg) memory the computer appears to have. DX holds the new ammout of memory, in kilobytes. This value remains unchanged through a warm-reboot, and when the computer is warm booted DOS will have less memory to use. Procedure: clear_screen Description: Clears the screen. There are no arguments. The BIOS is used to clear the screen. Procedure: cold_reboot Decription: Performs a cold reboot of the system. Naturally this procedure needs no parameters. Procedure: corrupt_file Description: Corrupts one or more files. DX points to the name of the file (wildcards allowed; all matching files in the current directory will be affected). The files are encrypted by whatever the BIOS clock is at the time, making them virtually unrecoverable. Procedure: disable_parallel Decription: Disables a parallel port. SI holds the port number (LPT1 = 1, LPT2 = 2, etc.). The port will no longer be usable (until the computer is rebooted) because it address (stored in a table) will be wiped over. Procedure: disable_prnt_scrn Description: Disables the Print Screen key. A flag in the BIOS is set so that it believes that something is already being printed, disabling the effect. Procedure: disable_serial Description: Disables a serial port. SI holds the port number (COM1 = 1, COM2 = 2, etc.). The port will no longer be usable (until the computer is rebooted) because its address (stored in a table) will be wiped over. Procedure: display_string Decription: Displays a string on the screen. SI points to the string, which must be NULL terminated (ASCII code 0). The string is displayed using the BIOS screen procedures, insuring that output will not be redirected. Besides, the DOS procedure is slower, and has to be terminated by a "$", which is incredibly lame. Procedure: drop_program Description: Drops a program into a file. DX points to the name of the file (wildcards allowed; if the file name is a wild card then all matchings file will be infected). SI points to a table: the first word is the number of bytes in the dropped program, the remaining bytes are the program itself. The attributes, file date/time, and size of the victim program are preserved, and read-only/system/hidden attributes will not stop this procedure from working. This procedure is used to insert a message or code into a victim program. This is useful for placing taunting messages in a file, or for dropping a live virus into someone's .EXE from a trojan horse. There are many uses. Procedure: erase_files Description: Erases one or more files. This procedure searches for the file descriptor; if a valid file is found it is erased and the process is repeated until no files are left. DX holds a pointer to an ASCIIZ string containing the file mask. The method of erasure is such that it is difficult to recover files deleted with this routine. Procedure: lock_up Description: Locks up the computer. The interrupt flag is cleared, disabling all interrupts, then the HLT command is used; this locks up the computer so that it may only be restarted with a cold reboot (achieved by either by turning off the computer and turning it on again or by pressing the "reset" button. There are no parameters needed (duh). Procedure: machine_gun Description: Clicks the PC speaker to simulate the sound of gun shots. Most of this code was stolen from the Parasite-2B Virus by Rock Steady, but I changed the delay procedure so that the time between shots would stay constant regardless of processor speed (on my 386-40 the original routine sounded like a buzz). Basically this routine just turns on and off the speaker quickly to make the clicking noise. The number of shots to fire is passed in CX. Procedure: out_port Description: Outs a value to a port. AX holds the value to out, DX holds the port number (0 - 65535). Procedure: out_random Description: Outs random values to all ports. This procedure retrieves the BIOS timer count, then outs the low byte of it into every single one of the 255 IO ports. This may do nothing, or it can cause disk writes or formats, crashes, timer problems, modem/printer problems, or all of the above. It just depends. Most likely *something* bad will happen, though usually just a crash. Procedure: play_tune Description: Plays a tune through the PC speaker. SI points to a table of alternating frequency/duration values (word-length). The frequency should be in hertz, the duration in clock ticks (18.2 clock ticks/second). The table must be terminated by a NULL (ASCII code 0). To produce a rest, used 0FFFFh as the frequency (this is acutually 65535 cycles/second, but human beings cannot hear frequencies that high, so a rest is generated). I've found that 6 ticks for a quarter- note works well (therefore 3 for an eighth-note, 12 for a half-note, etc.). A lot of the code in this routine was stolen from the sound() and nosound() procedures of Borland C++ v3.0. Procedure: print_string Description: Prints a string on the printer. The address of the string is passed in SI and the printer number is passed in DX (LPT1 = 0, LPT2 = 1, etc.). The string must be NULL terminated. If the printer is not on or does not exsist this function will fail, of course. Procedure: rom_basic Description: Drops the computer into ROM BASIC if he has a true IBM computer (ugh!). There is no escape from ROM BASIC other than a reboot, and trust me, it ain't much fun to play with (it's worse than even GWBASIC!). On compatibles this interrupt will usually display a message and hang the computer, or have no effect at all. Procedure: serial_string Description: Transmits a string to a serial port. DX holds the port number (0 = COM1, 1 = COM2, etc.) and SI points to the string, which must be NULL terminated. Remember that when transmiting Hayes command strings that you must include CR-LFs. (A special note: the Hayes string to turn off the modem speaker is "ATM0 L0 (enter)." This is quite useful when writing virii that call 1-900 numbers, for example...) Procedure: swap_parallels Description: Swaps two parallel ports, causing untold havock. BX holds the number of the first parallel port (LPT1 = 1, LPT2 = 2, etc.), and SI holds the number of the second parallel port. This effect lasts until the computer is rebooted. Procedure: swap_serials Description: Swaps two serial ports, causing untold havock. BX holds the number of the first serial port (COM1 = 1, COM2 = 2, etc.), and SI holds the number of the second serial port. This effect lasts until the computer is rebooted. Procedure: trash_disk Description: Trashes a disk by overwritting the FAT, Boot, Directories, etc. AX holds the drive number to trash (0 for A:, 1 for B:, etc.) and CX holds the number of sectors to overwrite, starting with sector 0. The sectors will be overwritten with whatever is in memory pointed to by ES:BX. During the disk write all external interrupts are disabled, preventing someone from pressing Ctrl-C or Ctrl-Alt-Del. Procedure: trash_disks Description: Trashes one or more disks by overwritting their FAT, Boot, Directories, etc. AX holds the starting drive number, (0 for A:, 1 for B:, etc.) and CX holds the number of sectors to overwrite, starting with sector 0. The sectors will be overwritten with whatever is in memory pointed to by ES:BX. During the disk write all external interrupts are disabled, preventing someone from pressing Ctrl-C or Ctrl-Alt-Del. All disks with a number less than or equal to AX will be affected (for example, to trash drives A through C, call trash_disks with AX = 2). Note that the drives are accessed in reverse order, insuring that any hard disks will be destroyed first, so if there are no valid floppies then it will still be too late for the victim to reset after he sees the drive lights go on. Procedure: uncrunch_ansi Description: Uncrunches and displays a run-length encoded ANSI produced by The Draw. This code is stolen from UNCRUNCH.ASM included with The Draw, but touched up a bit and re-commented. Data for this routine must be created using The Draw and saving to a packed ASM format. The offset to the data is passed in SI. CX holds the length of the ANSI (this can be found in IMAGEDATA_LENGTH of the code that The Draw produces; be sure to remove any equates that The Draw inserts into the code it produces). Procedure: warm_reboot Decription: Performs a warm reboot of the system. Naturally this procedure needs no parameters. ------------------------------------------------------------------------------ Condition Functions =================== Procedure: get_country Description: Returns the DOS country code in AX. (The codes correspond to the long-distance dialing prefixes for the respective countries. See your DOS reference manual or local phone book for a list of the country codes.) Procedure: get_cpu Description: Returns the model of the CPU installed. 8088s and 8086s return 86, 80286s 286, 80386s 386, and 80486s 486. Procedure: get_day Description: Returns the current day of the month (1 - 31) in AX. Procedure: get_dos_version Description: Returns the DOS version in AX. DOS versions before 2.0 return 0, while all others return the major version number * 100 + the minor version number (ex: a system running DOS 5.0 would return 500, a system running DOS 3.3 would return 330, etc.) Procedure: get_ems Description: Returns the ammout of expanded memory in AX. This value is in kilobytes of total (not available) EMS. Procedure: get_floppies Description: Returns the number of floppy drives installed (1 - 4) in AX. Procedure: get_game_port Description: Returns number of game ports installed (0 or 1) in AX. Procedure: get_hour Description: Returns the hour (0 - 23) in AX. Procedure: get_minute Description: Returns the current minute (0 - 59) in AX. Procedure: get_month Description: Returns the current month (1 - 12) in AX. Procedure: get_parallel Description: Returns the number of parallel ports in AX. Procedure: get_ram Description: Returns the ammount of RAM in AX. Note that this is only the ammount of base RAM (under 1 meg), and does not include EMS or XMS memory, and is in kilobytes. Procedure: get_random Description: Returns a random number (0 - 65535) in AX. The number is the lower word of the current BIOS timer tick count. Procedure: get_rollover Description: Returns the BIOS rollover flag (0 or 1), indicating whether the computer has been on for 24-hours continuously (one) or not (zero). Procedure: get_second Description: Returns the current second (0 - 59) in AX. Procedure: get_serial Description: Returns the number of serial ports (0 - 8) in AX. Procedure: get_weekday Description: Returns the number (0 for Sunday, 1 for Monday, etc.) of the current day of the week in AX. Procedure: get_year Description: Returns the current year (1980 - 2099) in AX. Procedure: infected_all Description: Returns 0 if all files have been infected, 1 if not. Note that this value applies to all searchable files, not neccessarily every file on the disk, and that this value is undefined if this is called before the search routine (ie: only use it in "after" routines). The value returned comes from the internal variable set_carry in the infect_file procedure. Procedure: is_4dos Description: Returns 0 if 4DOS is installed, 1 if it is not. ------------------------------------------------------------------------------ Internal Routines ================= Procedure: encrypt_code Description: Mutates the encryption/decryption code. A new key is chosen for the encryptor and the registers used in the routine are changed (SI and DI are alternately used as pointers to the encrypted code). Then the routine is copied into the heap, along with code to write the virus to the victim, and another copy (which decrypts the virus) is added afterwards. The whole long routine is then CALLed. The victim's file handle is passed to this routine in the BX register. Procedure: encrypt_decrypt Description: Encrypts or decrypts the code, depending on whether or not it is already encrypted. A simple XOR encryption scheme is used, but code is mutated slightly to prevent easy SCANing. Procedure: find_files Description: This routine is called by most search_files routines. It searches the current directory for the first valid file of the type who's mask is pointed to by DX. If a valid file is found then infect_file is called. If a file wasn't successfully infected then carry is set. Procedure: infect_file Description: Infects the file whose record is passed in the DTA. The method of infection depends on which option(s) were chosen by the user. The internal variable set_carry is set to zero if no files were able to be infected, and the carry flag set. Procedure: search_file Description: Searches for files to infect. If a valid file is found infect_file is called. The search method is defined by the user in the Options�Search Type dialog box. Procedure: stop_tracing Description: Locks the computer if someone is tracing through the program. Called whenever Stop Trace is set, this sets the interrupt vectors three and one (tracing interrupt) to a new vector which causes a system halt with all interrupts disabled. This frustrates anyone trying to step through your creation. If this fails then a short routine uses prefetch-queue changing to lock the keyboard if a debugger is running; under normal conditions nothing unusual happens. Some code for these routines was taken from Demogorgon's article "Concealment: Keep Your Code Hidden From Prying Eyes" in 40-Hex magazine volume #2, issue #2 (article #2). The sequal to that article, "Code Concealment" (in 40-Hex volume #2, issue #3, article #2), also by Demogorgon, provided inspiration for the prefetch-queue-alteration routine. These two articles provide great insight into methods of preventing tracing and disassembly and are highly recommended for people interested in the subject. Procedure: traverse Description: Traverses the directory tree looking for files to infect. If a valid file is found infect_file is called. This procedure is recursive, using about 128 bytes per call, one call per level of the directory tree. This procedure is only called when Options�Search Type is set to "Directory Tree." Carry is set if the search fails. Procedure: traverse_path Description: Traverses the DOS PATH variable looking for files to infect. If a valid file is found infect_file is called. This procedure is only called when Options�Search Type is set to "DOS PATH string." Carry is set if the search fails.